Basics of Networking: Computer Network Design
Basics of Networking
Linking of computer devices is called networking. Both hardware and software play a
crucial role in establishing contact between computers. There are various computer
network designs. The network is divided according to its geographic coverage. Setting up
a computer network is different from connecting to the internet. Read on.
The article covers
• Basics of Networking
• Computer Network Design
• Computer Hardware Required to Setup a Network
• TCP/IP Suite and Member Protocols
• Peer-to-peer networks are where all the computers support the same functions.
These are found more in homes and for connecting two or a small number of
computers.
• Client-Server is more common in business and consists of a centralized computer
that distributes and stores resources for other network users. This centralized
computer is called the server and the user's computer that accesses the server for
resources is called a client.
• Servers are important to all users, and management of their resources is required to
serve clients better (some clients being more important than others). The server
software therefore directs the different uses of its resources by granting access rights
to some users and denying them to others. It prevents users from using resources that
are not meant for them. Thus it performs the role of administration and security as well.
• Network topology is the pattern of links connecting the nodes of a network (a node
can be any device). A link between two nodes can be one-way or two-way. The nodes
can be interconnected in a variety of ways, for example bus, ring, star or mesh.
• Geographic coverage of the network gives us names like Local Area Network (LAN),
Metropolitan Area Network (MAN), Wide Area Network (WAN), or the interconnection
of all networks (the Internet, which envelops the whole world and is also termed the
World Wide Web, www).
The hardware components you need depend on the type of network and the various
additions to it. The most important aspect is the specifications of the various
components, since they need to be compatible (able to connect and work in tandem)
with each other. Setting up a computer network should not be confused with connecting
to the internet.
TCP/IP Suite
The layer structure is built in a manner such that each layer treats all of the information it
receives from the upper layer as data and adds control information (header) in the front of
that data and passes it on to the lower layer. When data is received the opposite process
takes place. Functions of the layers are
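The header stacking described above, as an added illustration (not code from the original article): each layer prepends its own header on the way down, and the receiver strips one header per layer on the way up, checking the fields it relies on. It assumes a three-layer Ethernet/IPv4/TCP-style stack with constructed addresses; the TCP checksum is left at zero because only the layering is being demonstrated.

```python
"""Layered encapsulation: each layer treats everything from the layer above
as opaque data and prepends its own header; decapsulation reverses it."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a header
    that already carries a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_encap(data: bytes, sport: int, dport: int, seq: int) -> bytes:
    """Transport layer: 20-byte TCP header (no options) in front of app data.
    The TCP checksum stays 0; this demo shows header stacking, not a real stack."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         5 << 4, 0x18, 65535, 0, 0)
    return header + data


def network_encap(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Network layer: 20-byte IPv4 header with a real header checksum."""
    total_len = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def link_encap(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Link layer: 14-byte Ethernet header (destination, source, EtherType)."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(data, src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq=1):
    """Walk down the stack: application data -> segment -> packet -> frame."""
    segment = transport_encap(data, sport, dport, seq)
    packet = network_encap(segment, src_ip, dst_ip)
    return link_encap(packet, src_mac, dst_mac)


def decapsulate(frame: bytes) -> dict:
    """Walk up the stack, stripping one header per layer and validating the
    fields a receiver depends on (EtherType, version/IHL, checksum, lengths)."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unexpected EtherType 0x%04x" % ethertype)
    packet = frame[14:]
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl + 20 or total_len > len(packet):
        raise ValueError("bad IPv4 total length")
    segment = packet[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", segment[:8])
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "dst_mac": frame[:6], "src_mac": frame[6:12],
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "proto": packet[9],
        "sport": sport, "dport": dport, "seq": seq,
        "data": segment[data_offset:],
    }
```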
Firewalls, gateways, authentication, encryption and the use of VPN technologies make
security and performance on public services better.
Extranet is an extension of the intranet over the World Wide Web such that limited
access of the intranet is provided to the public. The access can be for customers, partners,
suppliers or others outside the company. The part that access has been granted to
becomes the extranet. This can provide access to research inventories and internal
databases. Some portions may be free; other portions of information may require a
payment. What is needed is privacy of information both to the company and of the
ComputerNetworkingNotes.com
• VPN Essentials
• VPN Configuration you may need
• VPN Hardware Accessories
• Other VPN Accessories
• How to Set Up a VPN and How It Works
What is VPN? This question has many answers. Most commonly we define a VPN as
a private network over a public network. A Virtual Private Network (VPN) is a means of
having a secure channel between your local computer and a computer at a remote
location. Private networks rely on leased lines to transfer data, which can be very costly.
A Virtual Private Network is like a Wide Area Network that relies on the internet to
transfer data. For security it uses features like encryption, encapsulation, authorization
and tunnels. This enables any user to access a private network securely from anywhere
in the world, as long as an internet connection is available and the private network
grants the user access to its resources. The only problem is how to install the VPN on
the client end. This can be a problem if hardware is the choice or if client software has
to be configured to set up a VPN.
VPN Essentials
You may already have the basic equipment needed to set up a VPN. All you have to do is
get a VPN account from your Internet Service Provider (ISP) and configure your PC.
Most of the latest operating systems will not require additional software for your VPN
setup. In case you have Windows 95/98 you may need to buy client software. The
machine configuration you may need is:
Hardware
• Any personal computer with a processor clock speed of 300 MHz (megahertz) or
more
• RAM: 128 MB (megabytes) or higher; 64 MB is the minimum supported and may
limit features and performance
Software
Any VPN client software
VPN client software is incorporated in some operating systems (Windows NT/2000/XP).
Internet Account
You need a VPN account with your ISP. You will have a password and a dedicated
public IP number for encryption and connection purposes.
VPN Accessories
An increasing number of enterprises are opting for VPN, and vendors come out with
hardware that is packaged with software, such as added support for hardware-based
encryptors. Some have enhanced server capabilities to accommodate VPN-related
functionality, such as security in firewall-based VPNs. Most specialized VPN products
are hardware (packaged with software), standalone software application packages or
firewall-based packages.
Equipment choices cover both POP (point of presence) and CPE (customer premises
equipment) for building your VPN solution. POP equipment is more costly and depends
on a number of factors like desired throughput (the rate of sending and receiving data
on a computer or network), number of users, scalability, routing, security and quality of
service. CPE equipment is more varied, with products like Internet appliances,
specialized gateways, VPN-enhanced routers and even VPN client software. CPE
equipment caters to the needs of small businesses and remote branch offices. Large CPE
devices behave like POP equipment, so it really depends on the environment in which a
VPN is set up.
Hardware Accessories
VPN-enabled or VPN-optimized routers are required since they add a level of security.
Many companies provide such products; a few of them are the Linksys BEFSX41,
Netgear FV318, CyberGuard SG300, Cisco PIX firewall series and Cisco VPN
Concentrator series. These VPN routers sometimes come bundled with VPN software.
If you are connected to a high-speed, large-bandwidth network, broadband VPN routers
can pass more than one VPN session from the VPN local network to the outside network.
The disadvantage is that routers are not as flexible as software-based systems,
especially when the VPN end points do not belong to the same organization.
For those who do not know much about routers, this brief could enlighten you. A router
is a hardware device that forwards packets on the internet. Routers are simple,
easy-to-use equipment that act like a switch at a junction, connecting devices on a
network. A router uses protocols, a routing table and routing metrics to communicate
with other routers and route packets on the network. These routers are also known as
gateways. A computer too can perform the action of a router.
Software Accessories
VPN software creates a secure connection between two computers. This is like a tunnel
through the existing firewalls of these computers. You can buy various low-cost routers
and other accessories. If it is a hardware device, it does the routing and takes care of
security, since the software comes with it: install the given VPN software and use your
VPN. For large corporations, setting up the server for VPN can be hard. The software
available in the market caters to VPN clients, VPN servers and VPN appliances
(hardware with a software application). Netgear's ProSafe™ VPN Client Software
(models VPN01L and VPN05L), SonicWall's Global VPN Client and the Nortel VPN
client are for the client end. Actual VPN server software is rather rare. Operating
systems such as Windows 2000 Server, Windows Server 2003, Small Business Server
2003, Mac OS X Server 10.2, Windows 2003 Server, Sun Solaris server, Linux server
etc. come along with VPN software. A few other VPN software packages in the market
are Mergic VPN, which uses the PPTP protocol, and Movian by Certicom, which
supports the IPSec protocol. Server software is not a compulsion, as a VPN client can
communicate through routers.
How VPN works is a common question. Working of a VPN can be compared to that of a
network with leased lines to individual computers so that these systems can gain access to
the organization's facilities and network. Leased lines are expensive and so VPN uses
public lines.
Secure access and privacy are provided by various security procedures like encryption,
authentication procedures, firewalls and other protocols.
Purposes that protocols involve:
Setup VPN
The type of VPN determines its setup. A VPN can be a client-initiated 'remote access
VPN' or a 'site-to-site' VPN that is either intranet or extranet. You may want to know
how to install a VPN. There are a variety of methods depending on the hardware,
software and protocols adopted. There are no standards in the industry, and therefore
for any setup you would need to find out if the hardware and software of the senders
and receivers are
compatible to set up a VPN. Most of the users that have trouble are the clients on a
remote access VPN.
• The VPN router comes with software. All you need to do is install the given
software and follow the procedure. You need to have a VPN account with your ISP.
You also need to know your IP address as well as that of the other computer with
which you want secure communication. A word of caution with regard to this
approach is that the sender may have to use the same software/hardware you are
using.
• Many operating systems have incorporated VPN client software. A wizard will
guide you through the various steps in some operating systems. You need to have
a little knowledge of protocols (PPTP, L2F, IPSec etc.) and port addresses as
these determine your type of connection and level of security.
• At the server side the VPN server configuration depends on whether you want to
have a separate server or use the same server that you use for other tasks in the
organization. In case you use the same server you may not get a good throughput
even though you have a broadband connection since the server is loaded. A server
setup is a more professional task but isn't difficult if you have proper knowledge
of processes.
Encryption and protocols are technical subjects, and the choice of these is related to
costs and security. Whatever you choose, remember that security is a daily issue and
you need to monitor it constantly.
alternative cost effective medium was subjected to risks of hacking, spying, viruses etc
The VPN provides cost effective, secured communication channels between global
employees. Read more.
The article covers
Globalization has brought about decentralization and outsourcing. WAN has given
corporates a means of running offices situated all over the globe effectively and on time.
Data was secure over these private networks, and large corporations started using
computer networks rather than the courier services of the time. It is untenable for small
businesses and SOHO (small office/home office) users to have private leased lines. The
alternative cost-effective medium was the internet, but this was subject to the risks of
spoofing and eavesdropping. Hacking, spying, viruses and worms have been a major
loss to business.
Virtual Private Networks (VPNs), the answer to WAN, are now attracting many
organizations, small and large alike, to establish cost-effective, secure communication
channels between global offices or employees. The savings on communication for many
corporations who have switched to VPN is around 30% to 80%. Quality of service
(priority for critical information over general emails or web browsing), being paramount
for VPN, is now being offered by some ISPs. By rising to the occasion they are providing
quality VPN services such that businesses migrate from WAN to VPN.
VPN use in financial sector has increased due to business management and a variety of
its concepts requiring information technology and computers.
Enterprise Resource Planning has resulted in many specific software applications that
require interconnectivity to maintain the ever growing enterprise. ERP's business needs
are
The earlier implementation was WAN with leased lines, frame relays and T1 lines for
connection. IP VPN has better performance over an ISDN infrastructure, providing
VoIP and a flexible architecture of implementation that takes the load off the corporate
server for client-to-client connections. The VPN's class of service agreement assigns
priority to the information transferred across its network, so business-critical
information is transferred first and at a faster rate than other information.
VPN use in the banking sector is registering growth due to personalized banking and
e-banking. With authentication, encryption and different data communication methods,
banking grew to accept online secure transactions. The growing needs of the banking
sector are
IP VPN has brought about a range of encryption and authentication techniques that the
bank can use. It has also brought voice over the internet, which is a merging of
technologies making it easier to implement and better in performance.
Necessities of Business
Security
Security of a business is important and VPN in the internet infrastructure is providing
security with its protocols that authenticate and encrypt the communications taking place
over the end points in the network.
Convergence
Business enterprises that are CRM based require voice and data networks. Voice, video
and network security are now being bundled together on VPN networks.
Scalability
Every business grows, and the infrastructure should be able to meet its growing demands.
As bandwidth and traffic increase, VPN performance requirements are met. The security
and other complexities related to hardware and software also change. VPN is adapting
to the growth, though rather slowly.
Cost Effectiveness
Since the infrastructure is shared and it is not a private leased line cost dramatically
decreases when VPN technologies are used.
Reliability
The network has to provide a reliable, redundant and fault-tolerant service for it to
become popular.
Flexibility
The approach of setting up a network of different topologies according to your needs
for voice and data is now provided with VPN networks.
Class of service
The ability to provide the user customized service according to his requirement has
prompted many IP VPN service providers to offer advanced Class of Services appropriate
to specific traffic patterns and business.
Types of Services
• IPSec
• Layer 2 tunneling protocol (L2TP)
• Layer 2 forwarding (L2F) protocol
• Generic Routing Encapsulation (GRE)
• Frame Relay
• ATM protocols
Latency
This is the time lag between initiating a request for data and the beginning of the actual
data transfer. For a remote access VPN this could be large if the traffic on the network is
heavy. The network latency then delays the packet as it is momentarily stored, analyzed
and forwarded to the next router on the internet.
Packet Loss
Poor connectivity between two end points results in loss of packets of data. This might
affect the performance of the VPN. Packet loss may also be due to internal problems of
protocol and encryption/decryption standards.
Jitter
Since routes on the internet are variable, the arrival of bits or packets can be variable
and out of order (dependent on the timing of the clock cycle). Some network systems
are not optimized for jitter. This aspect is crucial for voice and video conferencing, as
the quality of data is decreased.
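Measuring the three quality-of-service properties above, latency, packet loss and jitter, on a receiver-side trace, as an added example that is not from the original article: latency from send/receive timestamps, loss from gaps in the sequence numbers, and jitter with the RFC 3550 interarrival estimator. The trace values are constructed, and the example assumes sender and receiver clocks are synchronised to the millisecond, which real measurements rarely get for free.

```python
"""Latency, packet loss and interarrival jitter from a receiver-side trace
of packets carried over a VPN. Constructed demo data; clocks assumed synced."""
from typing import Dict, List, Tuple

# Receiver's log of arriving packets: (sequence number, send timestamp carried
# in the packet, receive timestamp), all in milliseconds. Constructed values;
# sequence number 4 never arrived, so it is absent from the log.
TRACE: List[Tuple[int, int, int]] = [
    (1, 0, 40),
    (2, 20, 62),
    (3, 40, 78),
    (5, 80, 130),
    (6, 100, 140),
]


def latency_stats(trace: List[Tuple[int, int, int]]) -> Dict[str, float]:
    """One-way transit time per packet (receive minus send timestamp)."""
    transit = [recv - sent for _, sent, recv in trace]
    return {"mean_ms": sum(transit) / len(transit),
            "max_ms": max(transit), "min_ms": min(transit)}


def packet_loss(trace: List[Tuple[int, int, int]]) -> float:
    """Fraction of packets lost, inferred from gaps in the sequence numbers
    between the first and the last packet that did arrive."""
    seqs = [seq for seq, _, _ in trace]
    expected = max(seqs) - min(seqs) + 1
    return (expected - len(set(seqs))) / expected


def interarrival_jitter(trace: List[Tuple[int, int, int]]) -> float:
    """RFC 3550 section 6.4.1 estimator. For consecutive arrivals i-1 and i,
    D = (R_i - R_{i-1}) - (S_i - S_{i-1}) is the change in transit time and
    J_i = J_{i-1} + (|D| - J_{i-1}) / 16 smooths it, starting from J = 0.
    Lost packets simply contribute no term; the next arrival still compares
    against the previous one that was actually received."""
    arrivals = sorted(trace, key=lambda p: p[2])   # order by receive time
    jitter = 0.0
    for (_, s_prev, r_prev), (_, s_cur, r_cur) in zip(arrivals, arrivals[1:]):
        d = (r_cur - r_prev) - (s_cur - s_prev)
        jitter += (abs(d) - jitter) / 16
    return jitter


def qos_report(trace: List[Tuple[int, int, int]]) -> Dict[str, float]:
    """Combine the three measures the way a VPN monitor would log them."""
    seqs = [seq for seq, _, _ in trace]
    report = {"expected": max(seqs) - min(seqs) + 1,
              "received": len(set(seqs)),
              "loss": packet_loss(trace),
              "jitter_ms": interarrival_jitter(trace)}
    report.update(latency_stats(trace))
    return report
```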
Future of VPN
The future of VPN depends mainly on performance for real time services. VPN in
financial sector for business like ERP, CRM and VPN in the banking sector need to
provide security for all users. IP VPN and the booming network industry have
contributed to two categories. One is 'Managed VPNs', where a company gives you
Customer Premise Equipment (CPE), provides network connectivity and manages the
VPN 24x7. In other words, these companies operate your IP VPN for you. The second
category is turnkey products, which is either a rent or purchase of equipment from
network providers. You will have to build your own VPN; they will provide backbone
network connectivity and local access facilities.
With an annual projected growth of 20% forecast for the next 5 years, VPN may be the
next-generation WAN.
VPN technology uses internet as its backbone for communication. The internet was
designed to provide communication even if a part of the network was damaged or
destroyed. This was possible due to routers that would direct traffic on alternative routes
when the direct route was not available. The earliest users were scientists and librarians.
No home or office computers used the internet. Today almost everyone uses the net and
with the increase in the users many nefarious characters started hacking and creating
viruses.
Present concerns of security and performance did not exist when the internet started.
TCP/IP and the internet were not designed for them and are still evolving to address
security and performance. VPN technology is now serving as a reliable substitute for
dedicated leased lines or WAN. Standards for network security on IP networks are now
evolving to create virtual private networks. Yet all these processes are not yet widely
deployed.
The technology to ensure security on the internet has to address concerns like
Private networks that are not VPN based use leased lines. These connections carried
only information related to a given corporation. WAN was widespread even where it
served a branch office or a few users outside the centralized network. With
globalization, enterprises are expanding beyond vistas ever imagined, and the traditional
private networks are unable to cope with the growth. Public networks are rising to the
challenge with password-based systems and challenge-response systems such as CHAP
(Challenge Handshake Authentication Protocol), RADIUS (Remote Authentication
Dial-In User Service), hardware tokens and digital certificates. These systems are used
to authenticate users on a VPN and provide access control to network resources. Privacy
of data is achieved through the various encryption algorithms like RSA, DES/3DES,
BLOWFISH, IDEA, SEAL, and RC4.
VPN Tunnel
Private leased line networks had hard-wired dedicated connections from single corporate
customers. Extending the idea of dedicated connection to the internet, a number of
protocols have sprung up. These create tunnels, allowing users to encapsulate their data
in IP packets, which hide routing and switching information from both the sender and
receiver. Snooping is thus prevented using encryption.
Any communication involves two end points, and in VPN technology it is usually either
'Client-to-LAN' or 'LAN-to-LAN'. In the 'client-to-LAN' case the client runs special
VPN client software to communicate with the gateway protecting the receiver's LAN.
In the case of 'LAN-to-LAN' connections, security gateways at each end point are the
interface between the tunnel and the LAN. A security gateway is either a VPN router or
a firewall.
WAN hardware equipment consists of modem banks and multiple frame relay circuits
which can use any transport medium for transmission of data. There is a reduction of
equipment needed for a VPN when compared to a WAN. VPN hardware and software
setup and maintenance cost is also reduced and many companies now outsource VPN to
service providers.
VPN protocols
The internet uses PPP (Point-to-Point Protocol) for remote access. VPN technology has
incorporated additional functionality into PPP, creating different protocols like PPTP
(Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and IPSec (IP
Security protocol). The diversity in VPN protocols is to cater to different requirements.
Some protocols cater to remote access VPN connections from mobile users or branch
offices that use a local ISP. Other protocols cater to 'LAN-to-LAN' communication.
PPTP, L2TP and L2F (Layer Two Forwarding) have been developed for dial-up VPNs,
whereas IPSec caters to 'LAN-to-LAN' solutions.
IPSec's strong security measures are designed mainly for IP packets and cannot handle
multi-protocol non-IP network environments like NetBEUI or IPX.
VPN is a virtual environment and its advantage is that it is not dependent entirely on
physical setup for its organizational needs but on its logical setup. This is its boon and its
bane as well.
your application and the server. Complete end-to-end security is not a guarantee. System
patches, antivirus software with firewalls, additional encryption of data between the
user application and the server application, and vigilance on the part of the
administrator are needed.
For any computer user there are innumerable attacks on his system. These may be a
probe or a scan. Account compromise or root compromise is possible where there are
multiple users or server user accounts. It can also be packet sniffing, denial of service,
exploitation of trust (phishing), malicious code, and Internet infrastructure attacks.
The potential problems that can lead to a security problem in the case of an
organization's client-server setup are:
their respective patches. (MS Outlook has been vulnerable before.) Another major
factor is the amount of time a given system is actively connected to a network.
(Cable modem or Ethernet connections have been more vulnerable to port-scanning
intruders, whereas dial-up users are less prone to virus infections or file access
related risks.)
• The Intermediate Network
The ISP has to route data from a site or IP address to you and vice versa in the case
of two-way communication. Your information can be intercepted, and decrypted
information read, by a DNS (Domain Name System) server if your packet is routed
through their system.
• The Destination Network
The network that you are communicating with may not be secure. If this happens,
you cannot be assured of security to your system and privacy of your data.
• The Server
Server operating system and applications are constantly under threats of new
viruses, intrusions, and worms. Administrators are always checking for security
risks due to compromised usernames and passwords.
The Server
End-to-end communication is not completely secure if the decrypted data is not
received directly by the application at the destination end. This happens when the VPN
server is not the same machine as the application server, so the data has to be sent to
the application across the LAN, which may not be secure. VPN split-tunnel security
becomes important if the server handles both intranet and internet traffic.
Security at the endpoints is necessary and cannot be ignored. Antivirus software with a
firewall and other intrusion detection systems are necessary. VPN security deals mainly
with the transit of information from one end point to the other. In this scenario the major
technique that ensures safety is the VPN encryption technology and the VPN protocols
that are used. A new technology that is gaining popularity is SSL VPN, which is an
altogether different type of VPN and cannot be compared with other IP VPN protocols.
Encryption
VPN Protocols
VPN creates a secure “tunnel” through the public network, and protocols establish this
tunnel. Security could depend on a number of factors like client-server systems, level of
security, performance issues and network resources accessed.
PPTP
• PPTP uses the same types of authentication as PPP (PAP, SPAP, CHAP, MS-CHAP,
EAP).
• PPTP establishes the tunnel but does not provide encryption. It is used in
conjunction with the Microsoft Point-to-Point Encryption (MPPE) protocol to
create a secure VPN.
• PPTP clients are available for Linux and Macintosh OS 9.x.
• Firewall appliances and other enterprise-level software, including ISA Server,
Cisco PIX, SonicWall and some models of WatchGuard, support PPTP.
L2TP
IPSec
Virtual private networking is often the best and the most cost effective way to provide
remote access to your company network. Know the protocols and their implementation to
make a decision. This affects both performance and security.
• The layers of IP
• IPSec VPN
• Advantages of IPSec VPN
• Disadvantages of IPSec VPN
• All you need to know of SSL
Internet Protocol security is evolving, and a discussion of IPSec or SSL should be
relative to the version of IP. IPv4 did not offer many secure features to IPSec VPN
software when compared to IPv6. The Internet Protocol operates on the TCP/IP model,
which can be compared to the seven-layer OSI model. A major difference is the transport
layer of TCP/IP, which does not always guarantee reliable delivery of packets, unlike
that of OSI. The layers of IP are
The IPSec protocol provides authentication, verification and encryption between the
VPN IPSec server and the VPN IPSec client at the IP networking layer. IPSec was
developed by the Internet Engineering Task Force for security at the packet level, so
that data can be transmitted over public, insecure networks. IPSec VPN provides data
authentication, integrity and confidentiality with AH (Authentication Header), ESP
(Encapsulating Security Payload) and IKE (Internet Key Exchange). An IPSec VPN
tunnel protects packets from being tampered with or retransmitted along the IPSec VPN
route. This is done through the concept of a security association (an SA is a logical
connection between two devices transferring data). Key management protocols are not
a part of IPSec. The services that IPSec is designed to provide at the network layer are
access control, connectionless integrity, origin authentication, replay protection, and
privacy/confidentiality. The quality of these services depends upon the security
administrator. Several different security technologies that implement confidentiality,
integrity and authenticity are combined into IPSec:
• Public key cryptography to guarantee the identity of the two parties and avoid
intermediate attacks
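Two of the IPSec services listed above, connectionless integrity and replay protection, as an added illustration that is not from the original article or from any IPSec implementation: a simplified ESP receive path that verifies an HMAC integrity check value first and only then applies the RFC 4303 anti-replay sliding window for the packet's security association. The packet layout, SPI, key and arrival order are constructed for the demo; real ESP also carries padding, a trailer and encryption, which are left out.

```python
"""Simplified ESP inbound processing: integrity check, then anti-replay
window per SA. Constructed demo, not a wire-compatible IPsec stack."""
import hashlib
import hmac
import struct

ICV_LEN = 16        # HMAC-SHA-256-128: the ICV is truncated to 128 bits
WINDOW_SIZE = 64    # RFC 4303 requires at least 32; 64 is a common default


def build_esp(spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """SPI (4) | sequence number (4) | payload | ICV over everything before it.
    Padding, next-header trailer and encryption are omitted on purpose."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def verify_esp(packet: bytes, key: bytes):
    """Return (spi, seq, payload) if the ICV verifies, else None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


class AntiReplayWindow:
    """Sliding window over 32-bit ESP sequence numbers (RFC 4303 Appendix A)."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit d set => sequence number (top - d) was seen

    def check_and_update(self, seq: int) -> str:
        if seq == 0:
            return "drop:zero-seq"      # first packet on an SA carries seq 1
        if seq > self.top:              # new high-water mark: slide the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1         # everything previously seen falls out
            self.top = seq
            return "accept"
        behind = self.top - seq
        if behind >= self.size:
            return "drop:too-old"       # left of the window: cannot be checked
        if (self.bitmap >> behind) & 1:
            return "drop:replay"        # already received inside the window
        self.bitmap |= 1 << behind
        return "accept"


def receive(windows: dict, packet: bytes, key: bytes) -> str:
    """Inbound processing for one packet: SA lookup, ICV check, replay check.
    The window is updated only after the ICV verifies, so a forged or
    tampered packet cannot advance or poison the receiver's state."""
    parsed = verify_esp(packet, key)
    if parsed is None:
        return "drop:bad-icv"
    spi, seq, _payload = parsed
    if spi not in windows:
        return "drop:unknown-spi"
    return windows[spi].check_and_update(seq)


def demo() -> list:
    """Constructed arrival order on one SA (SPI 0x1001): a replayed packet,
    a packet too old for the window, a tampered packet and its genuine copy."""
    key = b"constructed-demo-key-not-for-real-use"
    spi = 0x1001

    def fresh(seq: int) -> bytes:
        return build_esp(spi, seq, b"payload-%d" % seq, key)

    arrivals = [fresh(1), fresh(2), fresh(3), fresh(3), fresh(70),
                fresh(10), fresh(5)]
    tampered = bytearray(fresh(71))
    tampered[9] ^= 0x01                 # flip one bit in the payload
    arrivals.append(bytes(tampered))
    arrivals.append(fresh(71))          # the untouched copy still gets through
    windows = {spi: AntiReplayWindow()}
    return [receive(windows, p, key) for p in arrivals]
```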
IPSec must be combined with security measures like well-configured firewalls, intrusion
detection systems and many others. The future demands scalability and flexibility.
NAT compatibility is an issue for this protocol. Its weakness lies in using other
encryption methods. Inbuilt intrusion detection and prevention should be made possible.
• VPN Setup
• VPN Software Setup
• Requirements for VPN setup
• Configuration of VPN setup
Remote users have been able to connect to servers using a variety of applications, like
an Outlook Web Access connection through the Exchange server. Wireless users
connecting over the internet are more susceptible to security problems. VPN in a
wireless environment provides the necessary security for wireless data transfer, as the
information sent is encrypted. VPN technologies have brought about a secure logical
connection between two end points in a network. Setting up a VPN may not require you
to buy any extra hardware device or software. You may already have the technology that
makes it possible to set up a VPN service. Sometimes you may just have to purchase a
few accessories like VPN routers.
Hardware VPN vendors claim that their products are safer, and the software VPN
vendors are not far behind. Whatever the claims, VPN is growing steadily, and the many
attempts at increasing its security and performance are making it a lucrative solution to
adopt. VPN solutions can be either hardware oriented or software oriented. The
difference is very basic: it depends upon whether the protocols are executed in a
hardware device or on the computer system (where the operating system's software or
VPN client-server software is used). SSL VPN is a relatively new clientless VPN
technology that has come up as a challenge to IPSec VPN technology.
VPN setup depends upon a number of factors, like which systems are involved in the
end-to-end connection, servers or clients. Big corporations have a number of servers to
improve performance in the various tasks that are carried out. Implementation of VPN
for them will depend on the amount of work and the administrator's solution offered to
them. For a client, buy software that is compatible with the server and set up the VPN
service. Some operating systems already give you the ability for VPN, and all you need
to know is how to set up VPN. Microsoft is a market leader and has a monopoly over
the market. It has
incorporated VPN requirements into its operating systems or has provided service packs
that could help you optimize your PC for VPN.
In every setup, look at the requirements first and see whether it is possible to
implement it with the available resources. If not, ask yourself what the additional
resources are. For a Windows-based client-server system, the requirements would be a
server (running server software, for example Windows 2003) and a client (running
client software, for example Windows XP). For large corporations that have a secure
network you would require additional servers.
• Go to Certificate Services under Windows Components in the Control Panel
• A warning message will appear telling you that you will not be able to rename the
machine or change its group membership after the certificates are installed
• Click yes in the next window
• Choose 'Enterprise Root CA' as the certificate authority you want to install
• While entering the common name for certificate authority you must select a
validity period (1 or 2 years depending on your corporate security policy)
• The default period for a certificate to be valid is 5 years
• Windows will generate the cryptographic keys and will ask you to give a location
for the certificate database
• Dependent on the performance and fault tolerance you can choose a different
location or just go ahead with the default location
• 'Restart the IIS services' to install the necessary components.
• For configuration of IAS you need to select this option from the administrative
tools
• Registering the IAS server in Active Directory is the first step
• For this, right click on the Internet Authentication Service (Local) container
• Select 'Register Server in Active Directory'
• Complete the registration and right click on the RADIUS Clients container to enter
new RADIUS clients by giving the IP address or the DNS name of the client
machine
• Click next and you will be asked for a shared secret (the encryption key used by
the RADIUS server and the client)
• Set the client vendor option to RADIUS Standard to finish the configuration
process.
• The remote access policies container is to be right clicked to get the new remote
access policy option
• Select 'Typical policy for a common scenario' option
• Enter 'VPN access' as the policy name and continue
• Select the VPN option and continue to apply policy to users or groups
• The next option will be the Authentication Methods screen on which select MS
CHAPV2
• The next screen will give you options of encryption, confirm the strongest
encryption option and finish configuring the remote access policy.
This it to configure the VPN server with the RADIUS server, DHCP server and the
Remote client
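The shared secret entered for each RADIUS client above is what ties the VPN server and the RADIUS server together: the client uses it to hide the password it forwards, and both sides use it to compute the Response Authenticator that proves a reply really came from a server holding the same secret. The following is an added example, not code from the article or from Microsoft IAS; it implements the RFC 2865 mechanics in Python for the simpler PAP User-Password attribute (the procedure above selects MS-CHAP v2, which carries different attributes, but the Response Authenticator check is identical for any method). The secret, user and password are constructed demo values.

```python
"""RADIUS shared-secret mechanics from RFC 2865: how the client hides the
password with the secret and how both sides check the Response Authenticator.
Added example, not code from the original article; the secret, user name and
password below are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: undo hide_password and strip the NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, req_auth=None) -> bytes:
    """Client side: the Request Authenticator must be fresh random bytes."""
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, attrs, secret) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not match was not produced
    by a server holding the shared secret, or was altered in transit."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: decode the request with its own copy of the secret and answer."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], decode_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    # A mismatched secret on either side yields garbage here, so the login fails.
    ok = user in users and hmac.compare_digest(users[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)


# Constructed demo values (not real credentials).
SHARED_SECRET = b"example-shared-secret"
USERS = {b"alice": b"correct horse battery"}


def demo(client_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Run one exchange; returns (response code, whether the client trusts it)."""
    req_auth = os.urandom(16)
    request = build_access_request(42, b"alice", USERS[b"alice"], client_secret, req_auth)
    response = server_handle(request, server_secret, USERS)
    return response[0], verify_response(response, req_auth, client_secret)
```

Running `demo()` with matching secrets yields an Access-Accept that the client can verify; `demo(server_secret=b"different-secret")` shows the failure mode a mistyped secret produces: the server cannot recover the password and rejects, and the client cannot validate the reply either. That is why the secret must be entered identically on the VPN server and the IAS server.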
If you have a Windows XP based client, configure it by opening the Network and
Internet Connections option from the Control Panel.
• Select 'Create a connection to the network at your workplace' and next select the
VPN connection option.
• Give the name of the company, or any name that describes your connection.
• Next you will be asked for an external IP address. This is the address of the
connection that is connected to the VPN server.
• Enter this and your VPN connection is ready.
• Test the connection once it is ready by connecting to the server.
• When you dial up, set the type of VPN to PPTP VPN.
• There are variations in the VPN client connection due to the various encryption and
authentication techniques; only some have been outlined above.
VPN routers are sold by many companies. Their setup depends on the respective
company's product. In any case the required software and setup instructions are
provided with the purchase. Many of these companies also offer a service to set up
and configure your VPN connection.
VPN setup is a process that needs to be discussed with the network administrator. Often
the network administrator guides you through the setup at your remote access
client network. Even with a VPN in place, always be on the safe side: get a good antivirus
and install a good firewall to protect your computer from unwanted attacks.
Remote PC is a way of using a computer remotely. The remote PC dials the host PC and
takes over the operation of the host PC. No one else can use the host PC as long as the
remote user is using it. Various software products enable and establish such
connections, for example Computer Associates' Control IT, NetOp, Symantec's (ex-Quarterdeck)
ProComm Plus, Symantec's pcAnywhere and LapLink.
ComputerNetworkingNotes.com
RAS (Remote Access Service) is similar to Remote PC. It allows remote users to
dial or connect into a LAN and use the LAN like any other local user. All of the major
operating systems offer some form of RAS. Remote access is possible over a
dedicated line between a computer and the central network. Dial-up connections can be
very slow; ISDN is more secure and offers faster data transfer. ISDN and DSL (Digital
Subscriber Line) both offer possibilities for remote access. A remote access server is a
communication server that helps remote access users connect to the network; dedicated
hardware RAS boxes have multiple lines so that several remote users can access the LAN
concurrently. Firewalls and routers are used to ensure security and to forward the remote
users' requests to specific computers in the network. Wide Area Networks with dedicated
lines also allow secure remote connectivity for users. A remote access server can also be
part of a virtual private network, which provides remote access to users much as a LAN
does; the difference is that the data carrier is not a leased line but a public carrier such as
the internet. Remote access VPNs can be simple, using basic software and hardware, or
complex, requiring special hardware and software.
• A host computer (server) at the central office with an operating system that
can establish and run a Remote Access Service (Windows NT or Server editions,
Novell NetWare or Linux)
• Client computers that are configured to dial into the RAS server computer.
A modem is necessary.
• A connection and line for each incoming connection at the server. It is
here that routers and other hardware components are used.
• The server must be properly configured to accept the connections and provide
the RAS implementation.
• The phone number of the server connection must be known to remote users.
• The clients dial the RAS server, which is preconfigured to receive requests from the
particular client.
• Password authentication takes place, the RAS server answers the call and
grants the clients access according to the privileges they enjoy.
• You can have multiple incoming lines with a hardware VPN router to manage the
incoming and outgoing traffic.
• If the volume of traffic is not large, you can use a single broadband connection
and configure a VPN with NAT (Network Address Translation). This permits PCs
on the LAN to share the single connection to the internet and also provides more
security, as only known remote users know the IP addresses of computers within the
network.
The server needs a network interface card (network adapter) to connect the
computers within the LAN and to connect these individual users to the internet. Network
protocols must be installed, and routing and remote access information is needed when
setting up the connections. Firewalls can be set up while setting up connections, and other
firewalls can be turned off. Server roles for the VPN connections need to be set up.
Knowledge of DHCP (Dynamic Host Configuration Protocol) and RADIUS is needed to
configure your server. You can configure the remote access VPN server to be part of the
network's Active Directory domain with DNS and DHCP servers. Another setup is
a VPN server with NAT. Depending on the hardware and architectural choices you
make, you need to configure the VPN server to authenticate, encrypt and route data from
remote users to individual PCs on the LAN. Setting up routing for remote access
involves the following steps:
• Setting up the VPN connection through the network interface card, and enabling
security and firewalls.
• The IP addresses needed for the remote computers are generated and assigned.
• Name and address translation services are configured. This process is automatic
and also configures forward name resolution to the DNS server on the
internet.
• Address Assignment Range displays the range of addresses defined for
assignment to any computer on the network that accesses the internet; it is
defined by the network adapter.
• Carefully review all the remote access policies to make sure that users are
given the access they need and no more.
There are some additional tasks you may need to address, like configuring static packet
filters, ports and services, log details for routing protocols, and the addition or removal of
VPN ports (PPTP or L2TP). For the server, add certificate rules for encryption such as a
Certification Authority or Public Key Infrastructure. Remote users' security can also be
improved by enabling better authentication methods and higher levels of encryption.
The need to pass crucial information across the enterprise network for successful
implementation of the ERP network made remote access necessary. Network layer connectivity solutions
The nature of remote access is continuously evolving, and it is a critical asset in the strategic
objectives of ERP and CRM. Internet access alternatives are broadening to locations like
homes, public kiosks, hotels and mobile use, and include devices like laptops, smart phones,
PDAs, etc. The major hassle in promoting and advancing remote access between diverse
end points was security and administrative effort. VPNs seem to be the rapidly
evolving answer for WANs and remote users. Enterprise application software is also
evolving to cater to more complex, business-critical performance demands. Security
threats on the network are not only growing but becoming more sophisticated and dangerous.
Many devices stand between the Internet and corporate VPNs to enhance security
features. Also, many types of machines try to access VPNs.
VPN vendors are adding many security features to their existing appliances, making remote
access a more viable option for future enterprise solutions. IPSec is being installed on
handheld devices. Wireless remote access VPN is presently a solution for Wi-Fi security.
Mobile technologies with broadband capacity are changing the market scenario. EV-DO,
EDGE and WiMAX are being adopted by businesses. Mobility of users will increase
the security issues of both the mobile device and the network (LAN or VPN). A future
enhancement in these wireless technologies would be SSL access to corporate VPNs.
Remote access has been around for a long time. Its use was limited due to security
issues. With VPNs and the associated improvements in security, remote access in enterprise
and other businesses is set for a major boost.
More and more enterprises are following a distributed business model. Branch offices
extend an enterprise's reach into key markets. Communication between the central office
and branch offices is vital to the applications that support the business. Security between
branch offices, points of sale or remote locations and the central office is important. In the
past, leased lines were a secure but costly option. Virtual private networks create VPN
tunnels over the internet for the secure transport of data. VPN technology is a
cheaper alternative to a WAN of dedicated leased lines. Many technologies are invading the
market and making a choice is difficult. The options among VPN technologies are varied
and differ based upon VPN hardware and VPN software.
Traditional site-to-site connections were between two intranets or two local area networks.
These connections were leased, dedicated lines; they required constant management and
their deployment was difficult. Affordable site-to-site VPN solutions have brought about
secure broadband connections via the internet. The ubiquitous internet and VPNs have
brought cheer to ERP, CRM and many other businesses. As an alternative to the WAN
infrastructure, site-to-site VPNs do not change the private WAN requirements: they meet
WAN requirements like support for multiple protocols, high reliability and scalability at a
lower cost.
Security of a general-purpose computer cannot be guaranteed nowadays. New viruses,
worms and malware spread via the internet. Many of those who use the internet are
unaware of the threats to which their system is exposed. Large corporations cannot put up
with these, as they cause a huge loss to business. The options VPNs offer against this
threat are based on software and hardware.
integrated circuits which have powerful onboard processors handling the demands of
firewall and VPN processing.
VPN solutions are provided depending on the platform and operating system of the
machine.
• Microsoft has brought out the ISA (Internet Security and Acceleration) Server
software to cater to the growing needs of enterprises using the internet as a
medium of communication. The step-by-step setup and configuration of the ISA
server, and of remote access to it, is available on the Microsoft website. Many other
VPN consultants have online articles on the connection and configuration process.
• Companies that offer specific products like hardware provide the necessary
support on their websites so that you can configure the software you have for
optimum security and performance.
• Cisco offers the Cisco PIX 500 series security appliances (PIX 515E, PIX 525 and
PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5510, ASA
5520 and ASA 5540) for VPN.
• Firewall/VPN appliances offered by SonicWALL use an ICSA deep packet inspection
firewall and IPSec for encryption. The many devices offered are PRO 5060, PRO
4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260, TZ 170 SP Wireless, TZ 170
Wireless, TZ 170 SP, TZ 170, TZ 150 Wireless and TZ 150.
• AEP Systems delivers hardware security and acceleration solutions which include
SSL VPNs, high-security VPN encryptors and SSL acceleration hardware. These
are SureWare Net, SureWare Keyper and SureWare A-Gate. Netilla Networks,
Inc. is a leader in secure application access solutions; along with AEP Systems it
offers solutions for VPN. Its Security Platform (NSP) suite is for SSL VPN
solutions, and the Netilla Secure Gateway Appliance (SGA) is for midsize businesses that
need SSL VPN solutions.
• SonicWALL site-to-site VPN, along with its Internet security appliances, offers
traditional site-to-site connections so that businesses can securely communicate with their
multiple locations.
Site-to-site VPN solutions can adopt any protocol for their security and authentication.
PPTP, L2TP, IPSec and SSL all differ in areas of implementation. The choice of VPN
network connection for an intranet or extranet based site-to-site VPN should not
compromise the security of the sister network.
good example of this is the common Linksys VoIP VPN problems that are addressed by
SSL VPN.
What is VoIP?
VoIP stands for Voice over Internet Protocol. It is a relatively new technology that allows
a person to make phone calls using a high-speed Internet connection. While some VoIP
services require people to call somebody who uses the same service, there are also other
VoIP service providers that allow an individual to call another person on their land-line
or mobile number locally, long distance, or internationally. Some VoIP services require
the use of special phones, while others will work with any regular phone provided it is
connected through the VoIP adapter supplied by the service provider.
What is VPN?
VPN stands for Virtual Private Network. It allows a private, secure and steady connection
between a corporate network and its clients through the Internet. Because of this
technology, accessing your company network is possible wherever you may be: at
home, travelling, or in an entirely different country. With VPN, corporate intranets are
expanded, and all distant offices and branches can connect to one main network.
SSL, or Secure Sockets Layer, is the protocol used by e-commerce Internet sites. Because
it mainly handles secured transactions like credit card purchases and online banking, SSL
has proven itself in terms of data protection and integrity. Now the SSL concept,
integrated into a VPN connection, is being applied to VoIP, and it proves to be a
good alternative to the traditional IPSec solutions.
problem associated with corporate networks requiring secure lines for their online
meetings and
SSL VoIP VPN tunneling is definitely worth trying. If your company is experiencing
VoIP VPN problems, maybe it is high time to switch to this newer technology. It pays to
be ahead of the times!
• Software ports
• IP Addresses
• VPN ports and Hardware Ports
Software ports
A network port is identified by a number, and the standard transport protocols TCP and
UDP (carried over IP) attach a port number to the data they send. A port number is
assigned to each message according to the TCP layer requirements. This port number is a
logical reference that determines the type of service provided. A software network port
(an address in the form of a number) is assigned to a service so that one program can
communicate with another program or communication system. This naming system is
logical and pertains to services that carry on long-term conversations. The port on which a
server process listens is known as its contact port; a service contact port is defined to
provide a specific service to unknown callers. Software network ports also connect
programs on the same computer. Numbers from 0 to 1023 are used to identify a network
service on the internet (Internet Protocol). Each IP packet contains a TCP or UDP header
whose port numbers direct the data to the appropriate application on the server. Reserved
and unassigned port numbers can be used by application programs.
The Internet Assigned Numbers Authority (IANA) registers ports 1024 to 49151 for the
sake of consistency across the internet. Port numbers from 49151 to 65535 are called
dynamic ports and are private. You can look up IANA for more details on assigned port
numbers. The most well-known port is 80, which identifies HTTP traffic for a web
server. The well-known ports are assigned by IANA and on most systems can only
be used by system (or root) processes or by programs executed by privileged users. Port
numbers are plain unsigned integer values ranging up to 65535. Below
is a list of well-known ports and their services.
Port Service
20,21 FTP (File transfer)
22 SSH (Remote login secure)
25 SMTP (Internet mail)
53 DNS (Host naming)
80 HTTP (Web)
88 Kerberos (computer authentication protocol)
110 POP3 (Client access)
119 NNTP (Usenet newsgroups)
123 NTP (Network time)
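The section above makes a point that is easy to lose: the port number lives in the TCP or UDP header, while the IP header only carries a protocol number saying what kind of header follows. The parser below is an added example, not code from the article; it builds a few sample IPv4 packets inline (constructed, using documentation address ranges, not captured traffic), reads the protocol number from the IP header, and extracts ports only when the protocol is TCP or UDP. A GRE packet, for instance, has no port at all. It also classifies ports by range; note that it uses IANA's boundary of 49152 for the start of the dynamic range, one above the figure quoted above.

```python
"""Where port numbers live: parse a constructed IPv4 packet, read the protocol
number from the IP header and, for TCP/UDP only, the ports from the transport
header. Added example, not code from the original article; the packets are
built inline (constructed), not captured."""
import socket
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")  # 20 bytes, no options

# Well-known ports from the table above.
WELL_KNOWN_PORTS = {
    20: "FTP-data", 21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS",
    80: "HTTP", 88: "Kerberos", 110: "POP3", 119: "NNTP", 123: "NTP",
}

# IP protocol numbers identify what follows the IP header; they are not ports.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


def port_class(port: int) -> str:
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError("a port is a 16-bit unsigned integer")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet around `payload` (header checksum left 0;
    this is sample input for the parser, not something to put on the wire)."""
    header = IPV4_HEADER.pack(0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                              socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_packet(raw: bytes) -> dict:
    """Return addresses, protocol and, when the protocol carries ports, the ports
    and the service name the destination port maps to."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = IPV4_HEADER.unpack(raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len > len(raw):
        raise ValueError("inconsistent header lengths")
    info = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, "other"),
        "src_port": None, "dst_port": None, "service": None,
    }
    if proto in (6, 17):  # only TCP and UDP start with source/destination port fields
        transport = raw[ihl:total_len]
        if len(transport) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", transport[:4])
        info.update(src_port=sport, dst_port=dport,
                    service=WELL_KNOWN_PORTS.get(dport, port_class(dport)))
    return info


# Constructed sample packets (documentation address ranges, not real hosts).
SAMPLES = {
    "dns_query": build_ipv4(17, "192.0.2.10", "192.0.2.53",
                            struct.pack("!HHHH", 51515, 53, 8, 0)),
    "web_request": build_ipv4(6, "192.0.2.10", "198.51.100.80",
                              struct.pack("!HH", 49152, 80) + b"\x00" * 16),
    "gre_tunnel": build_ipv4(47, "192.0.2.10", "203.0.113.1", b"\x00\x00\x88\x0b"),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, parse_packet(packet))
```

The `gre_tunnel` sample is the case that matters for the VPN port discussion later on: a firewall that only matches on TCP/UDP ports never sees a port in such a packet and has to decide on the protocol number instead.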
IP Addresses
TCP stands for Transmission Control Protocol and IP for Internet Protocol. These
protocols are responsible for transporting and managing data across the network.
IPv4 requires a 4 byte address to be assigned to each network interface card on every
computer in the network, whereas IPv6 assigns a 6 byte address. An IP address
works much like a house address; without it, determining where data packets go
would be impossible. Addresses can be assigned automatically by network
software such as DHCP (Dynamic Host Configuration Protocol) or by
manually entering static addresses into the computer. The part of the IP address that
defines the network is the network ID, and the latter part of the IP address, defining the
host address, is the host ID.
Using this port and addressing scheme, the networking system can pass data, addressing
information and type-of-service information through the hardware from one computer to
another.
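The split into network ID and host ID described above is a bit operation with the subnet mask, and the same operation decides whether two hosts can reach each other without a router. The following is an added example for IPv4 only, not code from the article; it does the masking by hand rather than through a library so the mechanism is visible, and finishes with a miniature of what a DHCP server does when it hands out the next free host address. All addresses are constructed private-range samples.

```python
"""Network ID and host ID of an IPv4 address, computed with the subnet mask
as a bit operation (added example, not code from the original article; the
addresses used below are constructed)."""
from typing import Optional


def ip_to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the mask has `prefix` one-bits followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def split_address(addr: str, prefix: int) -> dict:
    """Network ID = address AND mask; host ID = address AND NOT mask."""
    value, mask = ip_to_int(addr), prefix_to_mask(prefix)
    host_mask = ~mask & 0xFFFFFFFF
    return {
        "mask": int_to_ip(mask),
        "network_id": int_to_ip(value & mask),
        "host_id": value & host_mask,            # the host part as a plain number
        "broadcast": int_to_ip((value & mask) | host_mask),
    }


def same_network(a: str, b: str, prefix: int) -> bool:
    """Two hosts can talk without a router only if their network IDs match."""
    mask = prefix_to_mask(prefix)
    return ip_to_int(a) & mask == ip_to_int(b) & mask


def next_free_host(network: str, prefix: int, in_use) -> Optional[str]:
    """What a DHCP server does in miniature: hand out the lowest unused host
    address, skipping the network address and the broadcast address."""
    net, host_bits = ip_to_int(network) & prefix_to_mask(prefix), 32 - prefix
    taken = {ip_to_int(a) for a in in_use}
    for host in range(1, (1 << host_bits) - 1):
        candidate = net | host
        if candidate not in taken:
            return int_to_ip(candidate)
    return None   # the pool is exhausted


if __name__ == "__main__":
    print(split_address("192.168.10.37", 24))
    print(same_network("192.168.10.37", "192.168.11.1", 24))
    print(next_free_host("192.168.10.0", 24, {"192.168.10.1", "192.168.10.2"}))
```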
VPN Ports
Just as every program on the computer is given a port number, so too are services that
connect to the internet. The port numbers for the various VPN services depend on the
software and the protocols being used.
• PPTP encapsulates packets using GRE (Generic Routing Encapsulation), which uses IP
protocol 47, and IANA lists 1723 as the port for PPTP VPN. A common mistake in
configuring firewalls for use with PPTP is to open port 1723 and close IP protocol 47.
This allows connections to be established but denies the actual data from passing
through the tunnel to the machine. Some software utilities verify that both are open so
that GRE can be used with PPTP.
• The L2TP protocol is assigned 115 as its port number.
• IPSec VPN port assignments are for Encapsulating Security Payload
(protocol 50) and Authentication Header (protocol 51), plus port 88 for Kerberos
authentication over TCP/UDP and port 500 for Internet Security Association and
Key Management Protocol over TCP/UDP.
• SSL VPN for secure HTTP applications uses port 443.
• MPLS-in-IP uses port 137.
• Systems that use VPN hardware normally use ports 500, 4500, 10000 and
10001, one for outgoing traffic and the other for incoming traffic.
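The PPTP mistake described in the first bullet (TCP 1723 allowed, GRE blocked) is a rule-set error rather than a protocol error, and it can be caught by checking the firewall configuration against what each VPN type needs. The audit below is an added example, not code from the article or from any firewall product; it models a first-match rule list with a default deny and reports the traffic still blocked for PPTP, IPsec (UDP 500, UDP 4500 and protocols 50 and 51 from the list above) and SSL VPN (TCP 443). The rule sets are constructed.

```python
"""Audit a firewall rule set against what each VPN type needs, including the
PPTP pitfall (port 1723 open, GRE blocked). Added example, not code from the
original article; the rule sets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


@dataclass(frozen=True)
class Need:
    proto: int              # IP protocol number
    port: Optional[int]     # transport port, or None for protocols without ports

    def describe(self) -> str:
        text = f"IP protocol {self.proto} ({PROTO_NAMES.get(self.proto, '?')})"
        return text if self.port is None else f"{text} port {self.port}"


# Traffic each VPN type needs through the firewall, per the list above
# (500 and 4500 are carried over UDP; 4500 is the NAT-traversal port of RFC 3948).
VPN_REQUIREMENTS = {
    "PPTP": [Need(6, 1723), Need(47, None)],
    "IPsec": [Need(17, 500), Need(17, 4500), Need(50, None), Need(51, None)],
    "SSL VPN": [Need(6, 443)],
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: int
    port: Optional[int] = None   # None matches any port (and portless protocols)

    def matches(self, need: Need) -> bool:
        return self.proto == need.proto and (self.port is None or self.port == need.port)


def decision(rules: List[Rule], need: Need) -> str:
    """First matching rule wins; anything unmatched is denied by default."""
    for rule in rules:
        if rule.matches(need):
            return rule.action
    return "deny"


def audit(vpn_type: str, rules: List[Rule]) -> List[str]:
    """Return descriptions of the traffic the firewall still blocks for this VPN."""
    return [need.describe() for need in VPN_REQUIREMENTS[vpn_type]
            if decision(rules, need) != "allow"]


# Constructed rule sets: the mistaken PPTP configuration and the corrected one,
# and an IPsec set that forgot the AH protocol.
MISTAKEN_PPTP = [Rule("allow", 6, 1723), Rule("deny", 47)]
CORRECT_PPTP = [Rule("allow", 6, 1723), Rule("allow", 47)]
PARTIAL_IPSEC = [Rule("allow", 17, 500), Rule("allow", 17, 4500), Rule("allow", 50)]

if __name__ == "__main__":
    for label, vpn, rules in [("mistaken PPTP", "PPTP", MISTAKEN_PPTP),
                              ("corrected PPTP", "PPTP", CORRECT_PPTP),
                              ("partial IPsec", "IPsec", PARTIAL_IPSEC)]:
        print(f"{label}: still blocked -> {audit(vpn, rules) or 'nothing'}")
```

Because the evaluator is first-match, a broad `deny` placed before a narrow `allow` silently wins; the last assertion in the test exercises exactly that ordering trap, which is the other common way a VPN ends up "connecting but not passing data".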
Hardware ports
Hardware ports are an entirely different concept from software-based network
ports. In computer hardware terminology a port is a hardware connection through which
the computer communicates with external devices: an electrically wired outlet
into which an external device is plugged. These ports come in different shapes and
sizes. The connectors we use are called male and female connectors and have standards
for their properties and functions. A keyboard is connected to a keyboard port, a printer
to the printer port, and so on. Plug and play devices are connected to the
Universal Serial Bus (USB) port. Ports are basically divided into two groups, serial ports
and parallel ports. A serial port sends and receives only one bit of data at a time, whereas
a parallel port sends and receives multiple bits over a group of wires.
All processors use assembly instructions to access the ports on the motherboard or on any
add-on boards. The methods for mapping these ports are either hardware I/O or memory-
mapped I/O. Hardware I/O is a scheme where separate numbers are given to the ports
and the devices they connect to; Intel processors generally send one byte of
instruction/data to the port, which is used to gain access to the resources of the processor.
In memory-mapped I/O there is no separate numbering for the ports; they are
accessed by the processor as if they were another part of the computer's memory. The
number of devices that can be attached to a computer can be increased by various add-on
cards. These cards use the various bus interfaces available on the motherboard to increase
the number of devices attached to a computer. One such card is the Peripheral
Component Interconnect (PCI) card. A technology to combine hardware ports into a single
group to enhance bandwidth and fault tolerance is known as hardware port trunking. This
is similar to software port trunking, which combines two agents that may be websites or
channels.
When the many hardware devices in the VPN market are described as having a large
number of ports, this refers to the number of simultaneous hardware connections that can
be made. This enhances the speed and performance of the system, especially for huge
enterprises that want video conferencing and voice over the VPN.
Setting VPN ports in the network settings is a bit complex when you have no knowledge of the
protocols and the encryption and authentication techniques they use. Some software allows
you to configure them properly; sometimes you may not be able to configure them
properly, for example the Microsoft VPN port. When VPN hardware is used for a client the
process is easy, as with a Cisco VPN port. For a LAN and huge networks the
administrator then has to set privileges and configure the firewall as well. This process is
necessary for proper security.
• Router
• Various routing protocols
• VPN Router
Router
• Within a LAN, routers separate local area networks into sub-networks and
balance traffic between workgroups, as well as filtering traffic for security purposes.
Many times they are used at the edge of the network to connect to remote offices
or to an ISP.
• For enterprise networks, routers serve as the connector of all internal networks via
Ethernet. They also connect to the outside network via T3, ATM, cable modem
or other links. Therefore they act as the major switching point for all packets within
the network as well as outside it.
Routers can connect networks even if their architecture (Token Ring or Ethernet) differs.
However, routers cannot transform information from one data format to another (TCP/IP
to IPX/SPX). If the routing table does not indicate a proper route for a packet's address, the
packet is discarded. If a router is configured manually and the information in the routing
table is fixed, it is called a static router. If the routing tables are determined
automatically (routers exchange routing tables) according to algorithms, it is a dynamic
router. The distance vector algorithm is based on hop count, and routers periodically
broadcast their routing tables to other routers. The link state algorithm is another algorithm,
in which routing tables are broadcast only at start-up. Multi-protocol routers support more than
one protocol. The various routing protocols are
Software for VPN router functions or normal router functions can be added to a server or
to a specialized computer that is optimized for communication. Routers in older Novell
terminology were called 'network layer bridges'; they are also called gateways.
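The router paragraph above describes three behaviours in one breath: forwarding by routing-table lookup, discarding a packet that matches no entry, and the difference between static entries and dynamic ones learned by exchanging tables under a hop-count (distance vector) algorithm. The following is an added example, not code from the article or from any router vendor; it implements a small router class with longest-prefix-match lookup and a Bellman-Ford style update, on a constructed two-router topology with private address ranges.

```python
"""Static routes with longest-prefix match, packet discard on no route, and a
distance-vector exchange that learns dynamic routes by hop count. Added
example, not code from the original article; the topology is constructed."""
import ipaddress
from typing import Dict, Optional, Tuple

Network = ipaddress.IPv4Network


class Router:
    def __init__(self, name: str):
        self.name = name
        # destination network -> (next hop: interface or neighbour name, hop count)
        self.routes: Dict[Network, Tuple[str, int]] = {}

    def add_static(self, network: str, via: str, hops: int = 1) -> None:
        """A manually fixed entry; a router holding only these is a static router."""
        self.routes[ipaddress.ip_network(network)] = (via, hops)

    def route_for(self, network: str) -> Optional[Tuple[str, int]]:
        return self.routes.get(ipaddress.ip_network(network))

    def lookup(self, destination: str) -> Optional[str]:
        """Forward via the most specific matching network; None means the
        packet is discarded because no table entry covers the address."""
        addr = ipaddress.ip_address(destination)
        best: Optional[Network] = None
        for network in self.routes:
            if addr in network and (best is None or network.prefixlen > best.prefixlen):
                best = network
        return None if best is None else self.routes[best][0]

    def advertise(self) -> Dict[Network, int]:
        """What a distance-vector router periodically broadcasts: the networks
        it can reach and how many hops away they are."""
        return {network: hops for network, (_via, hops) in self.routes.items()}

    def receive_advertisement(self, neighbour: str, table: Dict[Network, int]) -> int:
        """Bellman-Ford step: adopt a route through the neighbour when it is new
        or strictly shorter. Returns the number of entries changed."""
        changed = 0
        for network, hops in table.items():
            candidate = hops + 1
            current = self.routes.get(network)
            if current is None or candidate < current[1]:
                self.routes[network] = (neighbour, candidate)
                changed += 1
        return changed


def build_demo() -> Tuple[Router, Router]:
    """Two routers: R1 knows its own LANs statically, R2 advertises another."""
    r1, r2 = Router("R1"), Router("R2")
    r1.add_static("10.1.0.0/16", "eth0")
    r1.add_static("10.1.5.0/24", "eth1")   # more specific than the /16 above
    r2.add_static("192.168.0.0/24", "eth0")
    return r1, r2


if __name__ == "__main__":
    r1, r2 = build_demo()
    print("10.1.5.7 ->", r1.lookup("10.1.5.7"), "| 172.16.0.1 ->", r1.lookup("172.16.0.1"))
    r1.receive_advertisement("R2", r2.advertise())
    print("after R2's advertisement, 192.168.0.10 ->", r1.lookup("192.168.0.10"))
```

The update rule is deliberately the bare algorithm: it has no split horizon or route expiry, so a real protocol such as RIP adds those to stop stale or looping routes from being re-learned. Advertising the same table twice changes nothing, which the test checks.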