Chapter 1 - Introduction

CHAPTER 1 INTRODUCTION
In the past, organizations or enterprises would physically install lines over large distances to
ensure secure data transfer. However, this system is impractical for every enterprise and
everyday users due to the cost, space, and time required for such installations. The concept
of Virtual Private Network (VPN) is not new – technologies such as Frame Relay (FR) or
Asynchronous Transfer Mode (ATM) have been used over the last decades as a basis for the
implementation of this concept. Whatever the format or the technology behind it, a VPN
provides a service functionally equivalent to a private network using resources of a public
network.

In recent years, with the exponential growth of the Internet, the landscape of
telecommunications has changed radically and the Internet has become part of almost every
aspect of the developed world including education, banking, business, and politics. Over the
past two decades the Internet has been found to be vulnerable to attackers seeking sensitive
information. The most recent solution to this problem has been IP-based Virtual Private
Network (IPVPN) [1].

1.1 BACKGROUND

VPN can be defined as a way to provide secure communication between members of a group
through use of the public telecommunication infrastructure, maintaining privacy through the
use of a tunneling protocol and security procedures. VPN systems provide users with the
illusion of a completely private network [2].

An IP Virtual Private Network (IPVPN) can be defined as a VPN implementation that
uses public or shared IP network resources to emulate the characteristics of an IP-based
private network. Since the focus of this thesis is IP-based VPNs, the term VPN is used as a
reference to the IPVPN.

1.1.1 Tunneling Basics

Tunneling is a method of using an internetwork infrastructure to transfer data for one
network over another network. The data to be transferred can be the frames (or packets) of
another protocol. Instead of sending the data as it is produced by the originating node, the
tunneling protocol encapsulates the frame in an additional header. The additional header
provides routing information so that the encapsulated data can traverse the intermediate
internetwork. The encapsulated data is then routed between tunnel endpoints. The logical
path through which the encapsulated data travels through the internetwork is called a tunnel.
Once the encapsulated data reaches its destination on the internetwork, the data is
decapsulated and forwarded to its final destination. Tunneling includes this entire process
(encapsulation, transmission, and decapsulation of packets) as shown in Figure (1.1) [3].

[Figure (1.1) Tunneling Basics: two tunnel endpoints on either side of the internetwork; the payload is carried as a tunneled payload behind an internetwork header along the tunnel]
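The encapsulation and decapsulation steps above, as an added example (not code from the thesis): a Python sketch of IP-in-IP tunneling in which the outer IPv4 header carries the two tunnel endpoints and the inner packet rides as the tunneled payload. The endpoint addresses and the inner packet are constructed values.

```python
"""Tunnel encapsulation and decapsulation as sketched in Figure (1.1).

Added example, not from the thesis: an inner packet (the "Payload") from the
private network is wrapped in an outer IPv4 header whose addresses are the
two tunnel endpoints; only that outer header is used for routing across the
internetwork, and the receiving endpoint strips it again. Protocol number 4
(IP-in-IP, RFC 2003) marks the encapsulated payload. Addresses are constructed.
"""
import ipaddress
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
PROTO_IPIP = 4                               # IP-in-IP encapsulation


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit header words; yields 0 when run
    over a header whose checksum field is already filled in and intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_packet: bytes, src: str, dst: str, ttl: int = 64) -> bytes:
    """Prepend the internetwork (outer) header to the tunneled payload."""
    fields = [0x45, 0, IPV4_HDR.size + len(inner_packet), 0, 0x4000, ttl,
              PROTO_IPIP, 0, ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))  # fill checksum field
    return IPV4_HDR.pack(*fields) + inner_packet


def decapsulate(outer_packet: bytes, local_endpoint: str) -> bytes:
    """Tunnel endpoint: validate the outer header, strip it, return the payload."""
    if len(outer_packet) < IPV4_HDR.size:
        raise ValueError("packet shorter than an IPv4 header")
    hdr = outer_packet[:IPV4_HDR.size]
    vihl, _, total_len, _, _, _, proto, _, _, dst = IPV4_HDR.unpack(hdr)
    if vihl != 0x45 or proto != PROTO_IPIP:
        raise ValueError("not an IP-in-IP tunnel packet")
    if ipv4_checksum(hdr) != 0:
        raise ValueError("outer header checksum mismatch")
    if ipaddress.IPv4Address(dst) != ipaddress.IPv4Address(local_endpoint):
        raise ValueError("packet is not addressed to this tunnel endpoint")
    if total_len != len(outer_packet):
        raise ValueError("length field does not match packet size")
    return outer_packet[IPV4_HDR.size:]


if __name__ == "__main__":
    inner = b"constructed inner packet from 10.0.0.1 to 10.0.1.1"
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.7")
    print("outer header:", outer[:IPV4_HDR.size].hex())
    print("decapsulated:", decapsulate(outer, "203.0.113.7"))
```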

1.1.2 Benefits of VPN

The main purpose of a VPN is to give enterprises the same capabilities as private networks
(or, in some of the cases listed below, even better ones) at a much lower cost. Enterprises
benefit from VPN in the following ways [4]:

• When using a VPN, cost is reduced in many ways. Most importantly, a VPN eliminates
the fixed monthly charge of dedicated leased lines. The cost is even higher if the lines
are purchased.

• A VPN offers better scalability. An enterprise with only two branch offices can connect
the two offices with just one leased line. But as the enterprise grows, full-mesh
connectivity might be required between the different offices. This means that the
number of leased lines, and the total cost associated with deploying them, increases
exponentially. In addition, if an enterprise wants to scale globally, the cost associated
with deploying leased lines will be even higher, if it is even possible to reach the same
global connectivity with leased lines. A VPN that utilizes the Internet avoids this problem
by simply using the infrastructure already available.

• Security is not impaired when using a VPN since transmitted data is either encrypted or,
if sent unencrypted, forwarded through trusted networks.

• In addition to cost savings, a VPN increases profits by improving productivity. The
improved productivity results from the ability to access resources from anywhere at
any time (i.e. more business can be conducted).

1.1.3 Security of VPN

The ability to guarantee the privacy and protection of data is of the utmost importance when
deploying services over the Internet where points of illegal entry can threaten sensitive
communications. A VPN should provide the following critical functions to ensure security of
the data [5]:

• Authentication ensures that the data is coming from the source from which it claims to
come.

• Access Control relates to accepting or rejecting a particular requester's access to some
service or data in a given system. A service could be a program, a device such as a
printer, or a file system. It is therefore necessary to define a set of access rights,
privileges, and authorizations, and assign these to the appropriate people within the
domain of the system under analysis.

• Confidentiality ensures the privacy of information by restricting unauthorized users
from reading data carried on the public network.

• Data Integrity verifies that data has not been altered during its travel over the public
network.
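Two of the functions above, authentication and data integrity, as an added example (not code from the thesis): an HMAC-SHA256 tag keyed by a secret shared between tunnel endpoints and bound to the claimed source and destination, so a forged source claim or an altered payload is rejected at the receiving endpoint. The keys, addresses and payloads are constructed values; confidentiality needs a cipher in addition and is not shown.

```python
"""Authentication and data integrity checks for a tunneled packet.

Added example, not from the thesis: it implements two of the four functions
listed above with a secret shared between tunnel endpoints. The sender
computes an HMAC-SHA256 tag over the claimed source endpoint, the
destination endpoint and the payload; the receiver recomputes the tag with
the key it holds for the claimed source and drops the packet on mismatch.
Authentication: a valid tag cannot be produced without that peer's key.
Data integrity: any change to the payload in transit changes the tag.
Confidentiality requires a cipher in addition and is not shown here.
Keys and addresses are constructed values.
"""
import hashlib
import hmac
from typing import Dict, Optional

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def _tag(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """MAC over both endpoints and the payload, so none of them can be altered."""
    msg = src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def protect(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Sender side: append the tag to the payload before it enters the tunnel."""
    return payload + _tag(key, src, dst, payload)


def verify(keys: Dict[str, bytes], src: str, dst: str,
           packet: bytes) -> Optional[bytes]:
    """Receiver side: look up the key for the claimed source and check the tag.

    `keys` maps each peer endpoint to the secret shared with that peer.
    Returns the payload if it is authentic and intact, otherwise None.
    """
    key = keys.get(src)
    if key is None or len(packet) < TAG_LEN:
        return None  # unknown peer or malformed packet
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, src, dst, payload)):
        return None  # forged source claim or altered data
    return payload


if __name__ == "__main__":
    keys = {"198.51.100.1": b"constructed-branch-key"}
    pkt = protect(keys["198.51.100.1"], "198.51.100.1", "203.0.113.7", b"report")
    print(verify(keys, "198.51.100.1", "203.0.113.7", pkt))             # b'report'
    print(verify(keys, "198.51.100.1", "203.0.113.7", b"X" + pkt[1:]))  # None
```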

1.1.4 Architecture of VPN

A VPN should typically support the architecture shown in Figure (1.2): a main LAN at the
headquarters of an enterprise, other LANs at remote offices, partner or customer company
LANs or employees, and individual users connecting from out in the field.

There are basically two types of VPNs, remote access VPN and site-to-site VPN. Site-to-site
VPN can be further divided into intranet VPN and extranet VPN. Often, enterprises have
to implement a solution covering all these types.

A. Remote Access

The remote access VPN is a user-to-LAN connection used by enterprises that have
employees who need to connect to their private network from various remote locations (e.g.
homes, hotel rooms, airports). Since users access the network over the Internet, the remote
access VPN is a low-cost solution, compared to the dial-up solution which often results in
costly phone bills [5].

[Figure (1.2) VPN Architecture: the Internet connecting a main site, a branch site, a supplier site, a partner site, a home office, and a mobile worker]

B. Site To Site

By using dedicated equipment, enterprises can connect multiple sites over a public network
such as the Internet, thus creating a site-to-site VPN. Site-to-site VPNs can be one of two
types:

Intranet Site-to-Site VPN: If an enterprise has one or more branch offices that it wishes to
join in a single private network, it can create an intranet VPN. This is a low-cost solution
compared to maintaining dedicated leased lines [5].

Extranet Site-to-Site VPN: When an enterprise has a close relationship with another
enterprise (for example, a partner, supplier or customer), it can build an extranet VPN which
connects LANs together. By doing so, the partner companies can work in a shared
environment.

C. VPN within an Intranet

Intranets can also utilize VPN technology to implement controlled access to subnets on the
private network. Even though a public network is not involved in this case, the security
features (e.g. encryption, authentication) of secure VPN technology will protect sensitive
internal communications from attacks that originate within an enterprise.

1.1.5 Requirements of VPN

Each enterprise has its own requirements for its VPN, but the requirements listed
below are generally included [4]:

• The services offered by the WAN need to be available. This requirement is best met
by a reliable network where redundancy is provided. Enterprises should choose
service providers that can offer their customers guarantees for network uptime and
performance, regulated in Service Level Agreements (SLAs). An SLA is a formal
agreement made between a service provider and an enterprise (service recipient)
defining a specified level of service.

• The users might require a certain QoS for certain VPN connections. As a result, some
traffic is prioritized based on its type. These requirements often depend on the
applications running over the connection. If this is the case, the service provider
backbone must support the provisioning of QoS-constrained tunnels, and the VPN
solution must be able to make use of these tunnels.

• If sensitive data is to be sent across the backbone between VPN sites, the VPN
solution must support encryption, authentication, and integrity checking or, if not,
must support the separation of the traffic of different VPNs through a trusted
network.

• The cost of different VPN solutions can vary tremendously. Some solutions inherently
differ in cost; some allow the reuse of existing software and hardware. In reality, the
chosen solution will most probably be based on cost considerations.

• Some VPN solutions require more maintenance and support than others. These
solutions require skilled IT personnel to perform these tasks. Manageability can thus
also be seen as a cost issue, since the costs associated with deploying a WAN based on
VPN technology can be further reduced if the chosen solution is easy to
configure and maintain. This is only an issue if an in-house secure VPN solution is
chosen.

• Enterprise networks often need to change over time. The changes might result from
the addition of new sites, an increased need for remote access (by telecommuters), or
extranet connectivity. The chosen VPN solution should thus have the ability to
scale to accommodate these changes.

1.2 PREVIOUS WORK

It is important to point out that our work was driven by the fact that there are no models
available that could be used to choose the proper VPN solution. However, there are some
works related to the classification of VPN solutions. The VPN Consortium [6] supported the
classification of VPN solutions into trusted, secure, and hybrid VPNs. The Positive Networks
study [7] divided remote access VPN solutions into client-based and web-based VPNs.
Popoviciu, Levy-Abegnoli, and Grossetete [8] categorized VPN solutions according to
the place of VPN processing into CE-based and PE-based VPNs. Miller and Yonek [9] divided
VPN solutions according to the VPN implementation into hardware-based VPNs and
software-based VPNs. S. Majumder [10] classified VPN solutions according to VPN
management into outsourced and in-house VPN solutions. Our work aimed to integrate these
classifications with the customer requirements to develop logical modules that support the
process of choosing the proper VPN solution.

In addition, there are some works related to the performance evaluation of VPN
solutions. Khanvilkar and Khokhar [11] have studied the performance of some VPN
solutions in terms of overhead, bandwidth utilization, latency, and jitter on a Red Hat 9
platform. Although all the mentioned aspects are important, we feel that the packet loss aspect
could be used to characterize the performance of a VPN solution. Also, there are other
software and hardware platforms available that mainly differ in their capabilities to provide
safe and secure VPN solutions. Our work is comprehensive in terms of the number of
platforms considered (Windows Server 2003, Fedora Core 6, and the e-Live IP-8000VPN
broadband router) and the number of performance aspects compared. Also, Yu and Liu [12]
have evaluated the throughput of VPN traffic (PPTP and L2TP/IPSec) over a wireless
Windows Server 2003 platform. The study concluded that VPN traffic does not significantly
impact the performance of a wireless network. In contrast to this study, our objective
included comparing the throughput, latency, jitter, and packet losses of VPN traffic
(PPTP, L2TP/IPSec, and OpenVPN) on wireless Windows Server 2003, Fedora Core 6, and
e-Live IP-8000VPN broadband router platforms.

1.3 PROBLEM STATEMENT

Due to the different requirements and capabilities for each enterprise, choosing a proper
VPN solution when creating an enterprise WAN might not be as simple as it sounds. There
are many different VPN solutions out there, and just deciding which one to choose can be
difficult since they all have advantages and disadvantages.

Therefore, the main goal of this work is to address the available VPN solutions, providing
a basis which helps an enterprise to select the proper VPN solution in order to build a
WAN which connects different sites and users together, and proposing a VPN solution for
the Libyan industrial sector case study.

1.4 RESEARCH OBJECTIVES

This thesis aims to achieve the following research objectives:

• Introducing the different VPN protocols.

• Identifying the available VPN solutions.

• Identifying enterprises' requirements.

• Providing the proper VPN logic formulas that are used as a basis which helps an
enterprise to select the proper VPN solution.

• Comparing the performance of some VPN solutions on Windows Server 2003, Fedora
Core 6, and e-Live IP-8000VPN Router VPN servers experimentally.

• Proposing a proper VPN solution for the Libyan industrial sector (LISVPN).

1.5 RESEARCH METHODOLOGY

This section presents different steps that form the methodological framework relevant for
our study.

1.5.1 Pre-study

The pre-study consists of studying available information within the areas of the VPN concept,
tunneling protocols, network security, VPN requirements, and various VPN solutions with their
advantages and disadvantages. Most of the information is found in books, scientific
magazines, and journals. Some web pages containing valuable information were also
considered.

1.5.2 Development of VPN Formulas

This thesis has developed a remote access VPN formula that depends on the remote access
connection requirements (access, security, protocol support, and cost) and the remote access
VPN solutions (client-based VPNs and web-based VPNs). This formula will help an
enterprise to choose the proper remote access VPN solution that best meets the requirements
of the remote access connections of the enterprise.

This thesis has also developed a site-to-site VPN formula that depends on the site-to-site
connection requirements (QoS, topology, security, and protocol support) and the site-to-site
VPN solutions (secure VPNs, trusted VPNs, and hybrid VPNs). This formula will help an
enterprise to choose the proper site-to-site VPN solution that best meets the requirements of
the site-to-site connections of the enterprise.

1.5.3 Performance Evaluation of Some VPN Solutions

Testbeds have been built to evaluate the performance of some VPN solutions (PPTP,
L2TP/IPSec, and OpenVPN) on a Windows Server 2003 VPN server, a Fedora Core 6 VPN
server, and an e-Live IP-8000VPN Router VPN server. Performance metrics (throughput,
RTT, jitter, and packet loss) have been measured in both TCP and UDP modes. These
metrics are used in our experiments as they have a direct impact on the ultimate performance
perceived by end-user applications.

1.5.4 Case Study

The Libyan industrial sector is introduced as a case study, the situation of the sector is
analyzed, and a proper VPN solution is proposed to create LISVPN, which connects sites and
users together using VPN technology. The purpose of creating such a WAN is to allow the
resources of the Libyan industrial sector to be remotely accessed.

1.6 THESIS STRUCTURE

This thesis consists of eight chapters. This chapter provides an introduction to the research
and gives a general background about the research problem, objectives, and research
methodology. Chapter 2 focuses on VPN tunneling protocols. It discusses VPN tunneling
protocols corresponding to the OSI Reference Model. These protocols are based on layer 2,
such as PPTP and L2TP, layer 3, such as IPSec, layer 5, such as SSL, or a label switching
tunneling protocol such as MPLS.

Chapter 3 provides a brief introduction to cryptography. This chapter briefly covers
block and stream symmetric ciphers, asymmetric ciphers, cryptographic hash functions,
digital signatures, message authentication codes, and certificates. Classifications of VPN
technologies are carried out in Chapter 4. The technologies can be classified in several ways.
Some of these ways are described in this chapter, such as secure or trusted VPNs, client-
based or web-based VPNs, customer edge-based or provider edge-based VPNs, hardware-
based or software-based VPNs, and outsourced or in-house VPNs.

Chapter 5 discusses a proper VPN solution for an enterprise. This chapter provides the
remote access VPN formula which helps an enterprise to choose the proper remote access
VPN solution that best meets the requirements of the remote access connections. This
chapter also provides the site-to-site VPN formula which helps an enterprise to choose the
proper site-to-site VPN solution that best meets the requirements of the site-to-site
connections. Chapter 6 covers the performance evaluation of some VPN solutions (PPTP,
L2TP/IPSec, and OpenVPN) on Windows Server 2003, Fedora Core 6, and e-Live IP-8000VPN
Router VPN servers. In this chapter testbeds are built to measure the performance
metrics (throughput, RTT, jitter, and packet loss) in both TCP and UDP modes.

Chapter 7 applies the VPN formulas to choose a proper VPN solution for the Libyan industrial
sector. In this chapter, the situation of the sector is analyzed, and a remote access VPN solution
and a site-to-site VPN solution are proposed depending on the requirements and capabilities of
the sector. This chapter also covers the prototype VPN implementation of the Libyan
industrial sector WAN, which connects the Industrial Information Center, the Higher
Institute of Industry, and remote users to the Industrial Research Center. Finally,
in Chapter 8, a summary, concluding remarks, and future work are included.
