
ROLE OF VPN IN NETWORK SECURITY

PRESENTED BY: V.BABI KIRAN (06761A0504)


EMAIL:bobby_kiran1987@yahoo.co.in CONTACT NO: 9948190939

M.B.S.S.PRASAD (06761A0523)
EMAIL:friendsssprasad@gmail.com CONTACT NO: 9989756226

NAME OF COLLEGE : LAKI REDDY BALI REDDY COLLEGE OF ENGG. MYLAVARAM, KRISHNA (D.T)-521230

ABSTRACT:

INTRODUCTION:
Virtual private networks (VPNs) offer low-cost, secure, dynamic access to private networks. Such access would otherwise only be possible by using an expensive leased line solution or by dialling directly into the local area network (LAN). Each word in the name carries a meaning. Virtual means that the connection is dynamic: it can change and adapt to different circumstances using the internet's fault-tolerant capabilities. When a connection is required it is established and maintained regardless of the network infrastructure between the endpoints; when it is no longer required the connection is terminated, reducing costs and the amount of redundant infrastructure. Private means that the transmitted data is always kept confidential and can only be accessed by authorised users. This is important because the internet's original protocols, TCP/IP (transmission control protocol/internet protocol), were not designed to provide such levels of privacy; therefore privacy must be provided by other means, such as additional VPN hardware or software. Network is the entire infrastructure between the endpoints of users, sites or nodes that carries the data. It is created using private, public, wired, wireless, internet or any other appropriate network resources available.

NEED FOR VPN:

Because of the following threats to network security we need a Virtual Private Network.

Denial of service - You have probably heard this phrase used in news reports on attacks on major Web sites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.

E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.

Redirect bombs - Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.

Viruses - Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.

Spam - Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.

Application backdoors - Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program.

Operating system bugs - Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
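The denial of service attack described above leaves the server holding session requests that are never completed. The following Go program is an added example, not part of the original paper: it reads a constructed connection log (source address plus SYN for a connection request or ACK for a completed handshake), counts per source the requests that were never answered, and flags sources whose count of half-open sessions reaches a threshold. The log format, the addresses and the threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleLog is constructed for this example, not captured traffic. Each line is
// "<source address> <event>": SYN is a request to connect, ACK means the source
// completed the handshake the server tried to establish.
const sampleLog = `203.0.113.7 SYN
203.0.113.7 ACK
198.51.100.9 SYN
198.51.100.9 SYN
198.51.100.9 SYN
198.51.100.9 SYN
203.0.113.8 SYN
198.51.100.9 SYN
198.51.100.9 SYN
198.51.100.9 SYN
198.51.100.9 SYN
203.0.113.8 ACK
198.51.100.9 SYN
198.51.100.9 SYN
198.51.100.9 SYN
198.51.100.9 SYN
`

// HalfOpen counts, per source, connection requests that were never completed.
// A SYN opens one half-open session; an ACK from the same source completes one.
// A source that never answers the server's acknowledgement only accumulates.
func HalfOpen(log string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // skip malformed lines rather than abort the whole scan
		}
		src, event := fields[0], fields[1]
		switch event {
		case "SYN":
			counts[src]++
		case "ACK":
			if counts[src] > 0 {
				counts[src]--
			}
		}
	}
	return counts
}

// Suspects returns the sources whose half-open count reaches the threshold,
// worst offender first.
func Suspects(counts map[string]int, threshold int) []string {
	var out []string
	for src, n := range counts {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Slice(out, func(i, j int) bool { return counts[out[i]] > counts[out[j]] })
	return out
}

func main() {
	counts := HalfOpen(sampleLog)
	for _, src := range Suspects(counts, 10) {
		fmt.Printf("possible denial of service from %s: %d half-open sessions\n", src, counts[src])
	}
}
```

On the constructed log the two sources that complete their handshakes end with no half-open sessions, while 198.51.100.9 is left with twelve and is reported. A real server keeps the same kind of count in its own half-open table, and the usual defences (dropping half-open entries quickly, SYN cookies, or rate limiting at a firewall) act on exactly this signal.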

PROVIDING NETWORK SECURITY:


It can be done in 4 ways: VPN (Virtual Private Network), Firewalls, IPSec (Internet Protocol Security Protocol) and AAA Server (Authentication, Authorization & Accounting).

VPN (Virtual Private Network):

A virtual private network (VPN) is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost.

Firewalls: A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through. You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions.

IPSec (Internet Protocol Security Protocol): Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication. IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as: router to router, firewall to router, PC to router and PC to server.

A software firewall can be installed on the computer in your home that has an Internet connection. This computer is considered a gateway because it provides the only point of access between your home network and the Internet.

AAA Server (Authentication, Authorization & Accounting): AAA servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following: Who are you? (authentication) What are you allowed to do? (authorization) What do you actually do? (accounting)

The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
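The three AAA checks described above, as an added Go example that is not part of the original paper and is not a RADIUS or TACACS+ implementation: the server authenticates a user against a salted password hash, authorizes each destination network against a per-user policy, and writes every session start, denial and stop (with the bytes carried) to a ledger that serves as the accounting trail. The user, password, network names and record format are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// AAAServer is a constructed model of what a remote-access VPN gateway
// proxies to its AAA server: one store per question it has to answer.
type AAAServer struct {
	creds    map[string]credential // authentication: who you are
	policies map[string][]string   // authorization: networks each user may reach
	Ledger   []AccountingRecord    // accounting: what each user actually did
}

type credential struct{ salt, hash []byte }

type Session struct {
	User  string
	Start time.Time
	Bytes int
}

type AccountingRecord struct {
	User, Event, Detail string // Event is "start", "denied" or "stop"
	Bytes               int
	When                time.Time
}

var ErrAuthFailed = errors.New("authentication failed")

func NewAAAServer() *AAAServer {
	return &AAAServer{creds: map[string]credential{}, policies: map[string][]string{}}
}

// hashPassword salts each password with a per-user random value so the server
// never stores the raw password. A production server would use a slow password
// hash (bcrypt, scrypt or Argon2) rather than a single SHA-256.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func (s *AAAServer) AddUser(name, password string, allowedNets []string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.creds[name] = credential{salt: salt, hash: hashPassword(salt, password)}
	s.policies[name] = allowedNets
	return nil
}

func (s *AAAServer) record(user, event, detail string, bytes int) {
	s.Ledger = append(s.Ledger, AccountingRecord{User: user, Event: event,
		Detail: detail, Bytes: bytes, When: time.Now()})
}

// Authenticate answers "who are you?". Unknown names are checked against a dummy
// credential so a failed login costs the same work whether or not the user exists.
func (s *AAAServer) Authenticate(name, password string) (*Session, error) {
	c, known := s.creds[name]
	if !known {
		c = credential{salt: make([]byte, 16), hash: make([]byte, sha256.Size)}
	}
	match := subtle.ConstantTimeCompare(hashPassword(c.salt, password), c.hash) == 1
	if !known || !match {
		s.record(name, "denied", "bad credentials", 0)
		return nil, ErrAuthFailed
	}
	s.record(name, "start", "session established", 0)
	return &Session{User: name, Start: time.Now()}, nil
}

// Authorize answers "what are you allowed to do?" for one destination network.
// Denials are recorded too, since they are what a security audit looks for.
func (s *AAAServer) Authorize(sess *Session, destNet string) bool {
	for _, n := range s.policies[sess.User] {
		if n == destNet {
			return true
		}
	}
	s.record(sess.User, "denied", "not authorized for "+destNet, 0)
	return false
}

// Account answers "what do you actually do?": traffic is tallied per session
// and written to the ledger, with the duration, when the session ends.
func (s *AAAServer) Account(sess *Session, bytes int) { sess.Bytes += bytes }

func (s *AAAServer) EndSession(sess *Session) {
	d := time.Since(sess.Start).Round(time.Millisecond)
	s.record(sess.User, "stop", fmt.Sprintf("session lasted %s", d), sess.Bytes)
}
```

The ledger is the part that matters for auditing, billing and reporting: filtering it by user gives the trail of when that user connected, which networks they were refused and how much data each session carried.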

Implementation of network security by VPN:


Step 1. - The remote user dials into their local ISP and logs into the ISP's network as usual.

Step 2. - When connectivity to the corporate network is desired, the user initiates a tunnel request to the destination security server on the corporate network. The security server authenticates the user and creates the other end of the tunnel.

Step 3. - The user then sends data through the tunnel, which is encrypted by the VPN software before being sent over the ISP connection.

Step 4. - The destination security server receives the encrypted data and decrypts it. The security server then forwards the decrypted data packets onto the corporate network. Any information sent back to the remote user is also encrypted before being sent over the Internet.
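The four steps above, together with the tunnel and transport modes described under IPSec, as an added Go example that is not part of the original paper: each end of the tunnel holds the same key, the client wraps its packet before it leaves for the ISP, and the security server verifies and decrypts it before forwarding onto the corporate network. The two-byte packet header is a constructed stand-in for a real IP header, and deriving the AES-256-GCM key by hashing a pre-shared secret is an assumption made to keep the example self-contained (real IPSec negotiates per-session keys with IKE).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Packet is a deliberately small model of an IP packet: a two-byte header
// (source and destination "addresses") followed by the payload. This layout
// is constructed for the example and is not a real IP header.
type Packet struct {
	Src, Dst byte
	Payload  []byte
}

// Gateway is one end of the tunnel: the VPN client software or the security
// server. Both ends derive the same AES-256-GCM key from a pre-shared secret.
type Gateway struct {
	Addr byte
	aead cipher.AEAD
}

func NewGateway(addr byte, presharedSecret string) (*Gateway, error) {
	key := sha256.Sum256([]byte(presharedSecret))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{Addr: addr, aead: aead}, nil
}

// seal encrypts and authenticates plain; hdr travels in clear but is covered by
// the authentication tag. A fresh random nonce is prepended for the receiver.
func (g *Gateway) seal(plain, hdr []byte) ([]byte, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.aead.Seal(nil, nonce, plain, hdr)...), nil
}

// open verifies the tag and rejects anything altered in transit or sealed
// under a different key; only then is the plaintext returned.
func (g *Gateway) open(sealed, hdr []byte) ([]byte, error) {
	n := g.aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("short ciphertext")
	}
	return g.aead.Open(nil, sealed[:n], sealed[n:], hdr)
}

// TunnelEncap is tunnel mode: the whole inner packet, header included, becomes
// the encrypted payload of a new outer packet addressed gateway to gateway.
func (g *Gateway) TunnelEncap(inner Packet, peer byte) (Packet, error) {
	wire := append([]byte{inner.Src, inner.Dst}, inner.Payload...)
	body, err := g.seal(wire, []byte{g.Addr, peer})
	if err != nil {
		return Packet{}, err
	}
	return Packet{Src: g.Addr, Dst: peer, Payload: body}, nil
}

// TunnelDecap recovers the inner packet so the gateway can forward it onto the LAN.
func (g *Gateway) TunnelDecap(outer Packet) (Packet, error) {
	plain, err := g.open(outer.Payload, []byte{outer.Src, outer.Dst})
	if err != nil {
		return Packet{}, err
	}
	if len(plain) < 2 {
		return Packet{}, errors.New("short inner packet")
	}
	return Packet{Src: plain[0], Dst: plain[1], Payload: plain[2:]}, nil
}

// TransportEncap is transport mode: the original header stays in clear (though
// authenticated) and only the payload is encrypted.
func (g *Gateway) TransportEncap(p Packet) (Packet, error) {
	body, err := g.seal(p.Payload, []byte{p.Src, p.Dst})
	if err != nil {
		return Packet{}, err
	}
	return Packet{Src: p.Src, Dst: p.Dst, Payload: body}, nil
}

func (g *Gateway) TransportDecap(p Packet) (Packet, error) {
	plain, err := g.open(p.Payload, []byte{p.Src, p.Dst})
	if err != nil {
		return Packet{}, err
	}
	return Packet{Src: p.Src, Dst: p.Dst, Payload: plain}, nil
}
```

In tunnel mode an observer on the ISP's network sees only the two gateway addresses; the inner addresses and the payload are hidden, and any change to the outer packet or any packet sealed under a different key fails the tag check and is dropped before it reaches the corporate network. In transport mode the original addresses stay visible, which is the trade-off the paper describes.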

TYPES OF VPN:

There are many variations of virtual private networks, with the majority based on two main models:

1. Remote access, virtual private dial-up network (VPDN) or client-to-site: A remote access VPN is for home or travelling users who need to access their central LAN from a remote location. They dial their ISP and connect over the internet to the LAN. This is made possible by installing a client software program on the remote user's laptop or PC that deals with the encryption and decryption of the VPN traffic between itself and the VPN gateway on the central LAN.

Working: A remote access solution works by the remote user first establishing an internet connection to an ISP in the normal way. The user activates the VPN client software to create a tunnel over the internet and to connect to the central LAN's VPN gateway. The VPN client software then passes its authorisation to the VPN gateway. The VPN gateway checks that the user is authorised to connect and then ensures that the encryption key from the remote client is valid. All VPN data is encrypted using the key before being transmitted over the internet using a tunnelling protocol. It is decrypted at the other end by the VPN gateway, which has an identical set of keys to decrypt the data. Data sent from the central LAN to the remote user is encrypted by the VPN gateway before transmission and decrypted by the remote user's VPN client software.

(Figure: a remote access VPN solution)

2. Fixed, intranet and extranet or site-to-site: A fixed VPN is normally used between two or more sites, allowing a central LAN to be accessed by remote LANs over the internet or private communication lines using VPN gateways. VPN gateways (normally a VPN-enabled router) are placed at each remote site and at the central site so that all encryption, decryption and tunnelling is carried out transparently.

Working: A fixed solution works by first establishing a VPN gateway at each site. Each VPN gateway has the same key to encrypt/decrypt data and knows the IP addresses of the other sites, so they know where to transmit the data to, and where to expect secure VPN transmissions from. This flow of data is transparent to the users and requires little actual configuration on the PCs.

(Figure: a fixed VPN solution)

The choice of ISP is very important when implementing a VPN solution as it can have a major impact on VPN performance. It may be advisable for all VPN users and sites, including the central LAN, to use the same ISP for their internet connections. This will lessen the amount of data that needs to cross into the networks of other ISPs, which could degrade performance. Most ISPs will offer a service level agreement (SLA) that sets out network uptime, latency, security and other commitments. It is important to read the SLAs carefully before deciding which ISP will give the fastest and most reliable service.

ADVANTAGES OF VPN:

VPNs authenticate all packets of data received, ensuring that they are from a trusted source. Encryption ensures that the data remains confidential.

Most VPNs connect over the internet so call costs are minimal, even if the remote user is a great distance from the central LAN.

Multiple telephone lines and banks of modems at the central site are not required. The overall telecommunication infrastructure is reduced, as the ISP provides the bulk of the network.

Reduced cost of management, maintenance of equipment and technical support.

Simplified network topology, by eliminating modem pools and a private network infrastructure.

VPN functionality is already present in some IT equipment.

VPNs are easily extended by increasing the available bandwidth and by licensing extra client software.

If a LAN uses NetBEUI or IPX/SPX (both incompatible with the internet) instead of TCP/IP to transmit data to its clients, the VPN gateway can encapsulate these protocols inside an IP packet and transmit it over the internet to another VPN gateway.

DISADVANTAGES:

If the ISP or internet connection is down, so is the VPN.

The central site must have a permanent internet connection so that remote clients and other sites can connect at anytime.

VPNs may provide each user with less bandwidth than a dedicated line solution.

Existing firewalls, proxies, routers and hubs may not support VPN transmissions.

The internet connection of the central site must have sufficient bandwidth to cope with VPN traffic, the internet connections originating from the central site and any other traffic such as email and FTP (file transfer protocol).

VPN equipment from different manufacturers may comply with different standards.
