
CHAPTER ONE

GENERAL INTRODUCTION

1.1 INTRODUCTION
The Internet holds a lot of promise in terms of connection and communication between
two remote locations and its role as an enabler of e-Business in the world today. It still
comes with its own stumbling blocks that must be addressed if an organization is to
conduct its business over the internet. The internet’s major assets are its openness and
ubiquity. These are also its greatest limitations.

In the past, organizations built and deployed their private business applications over local and wide area networks (LANs and WANs), where the infrastructure was a known entity and access was tightly controlled. The end result was a private data communications infrastructure with predictable application availability, performance and security.

Then the Internet was invented. The types of applications deployed over regular Internet channels today are increasingly critical, so the success of a business can be jeopardized by poor application performance. For instance, when markets drop, Internet traders may be unable to reduce or unload their stock quickly because of bandwidth constraints. Reliability and consistency are required for businesses to perform consistently. The Internet does not offer this consistency because of the unpredictable nature of Internet traffic today.

Also, in terms of security, any connection to the Internet increases exposure and therefore constitutes a potential security risk. For instance, a disconnected stand-alone computer holding sensitive information can only be compromised by people who have physical access to it. The moment it is connected to the Internet, its vulnerability and exposure increase drastically. Data in transit across the Internet is also subject to threats such as spoofing, session hijacking, sniffing and man-in-the-middle attacks. (Virtual Private Networks, An Overview, 2003)

Virtual Private Networks (VPNs) provide a means of utilizing the robustness and
openness of the Internet without compromising security.

The desire to use the Internet for business, together with the risks associated with it, has given rise to the technology we refer to as Virtual Private Networks (VPN). VPNs are basically IP-based networks (usually the public Internet) that use encryption and tunneling to achieve the following goals:

1. connect users securely to their own corporate network (remote access)
2. link branch offices to an enterprise network (intranet)
3. extend organizations' existing computing infrastructure to include partners, suppliers and customers (extranet).

The idea is to extend trust relationships across an economical public network without
sacrificing security. Ideally, a VPN should behave similarly to a private network; it
should be secure, highly available and have predictable performance. (IP Virtual Private
Networks, 2000.)

1.2 DEFINITION
A Virtual Private Network is a concealed network which uses a public network (usually the Internet) to connect remote sites or users. Virtual Private Networks do not offer network services already offered through alternative mechanisms. Rather, a unique mix of technologies (tunneling and encryption) permits organizations to establish secure, private, end-to-end network connections over third-party networks. Thus, instead of using a dedicated, real-world connection, such as a leased line, a Virtual Private Network uses virtual connections routed through the Internet from the company's private network to the remote site, thus reducing the in-house requirements for equipment and support. (Building an ISP, 2004)

1.3 PROBLEM DEFINITION

In the past, organizations intending to extend their local area network to remote branches did so by means of wide area networks. These networks made use of high-speed dedicated leased lines to connect the branches. Such dedicated lines cost a lot to maintain, which means that setting up a WAN requires a lot of capital, both in set-up and in maintenance costs.

Virtual Private Networks eliminate this expense by providing a network that utilizes a public network to achieve connectivity between two or more remote locations using affordable hardware. They also provide assured security integrated into this hardware. (Privacy issues in virtual private networks, 2004.)

1.4 OBJECTIVES OF STUDY

A small scale enterprise is an economic activity in the private sector undertaken by individuals who hope to realize a profit from their activities and who bear any risk associated with those activities. Small scale enterprises have limitations as to the number of staff they employ and their capital base.

In today's world, where small and medium scale enterprises are springing up daily, these businesses are becoming increasingly mobile and are reaching far-flung geographical areas. This makes it necessary to find an economical way of communicating with remote branches securely and cheaply. This project aims at defining a way in which information can be sent over the Internet with security guaranteed against hackers. The project also emphasizes the technology required to protect against attacks, since most of the business of an organization implementing VPNs will be conducted over the Internet, thereby exposing it to attack. (Virtual Private Networks: Technologies and Solutions, 2001.)

The project mainly relies on the following cryptographic services to ensure data security and integrity:

1. Confidentiality

The main objective of this project is to model a cost effective generic architecture for
establishing WAN connections through the use of VPNs. The main advantages of
VPN are cost effectiveness and security. Towards this end, every VPN solution
provides encryption of some sort using either secret key cryptography or public key
cryptography. Secret (or private) key cryptography uses a shared key which is used to
encrypt and decrypt messages. The major problem with private key cryptography is
key exchange. Sending secret keys across the Internet unencrypted is not an option
for obvious reasons. This is where public key cryptography can help. Public key
cryptography uses a mathematically linked key pair for each communicating party.
This means that data encrypted with one key can be decrypted with the other key in
the pair.

2. Integrity

Integrity ensures that information being transmitted over the public Internet is not altered in any way during transit. VPNs typically use one of three technologies to ensure integrity:

i. One-way hash functions - A hash function generates a fixed-length output value based on an arbitrary-length input file. The idea is that it's easy to calculate the hash value of a file but mathematically difficult to generate a file that will hash to that value.
ii. Message-authentication codes (MACs) simply add a key to hash functions. A sender would create a file, calculate a MAC based on a key shared with the recipient, and then append it to the file. When the recipient receives the file, it is easy to calculate the MAC and compare it to the one that was appended to the file.
iii. Digital signatures can also be used for data integrity purposes. A digital signature is essentially public key cryptography in reverse. A sender digitally "signs" a document with their private key and the recipient can verify the signature via the sender's public key.

3. Authentication

Authentication ensures the identity of all communicating parties. To correctly identify an individual or computing resource, VPNs typically use one or more forms of authentication. These methods are usually based on password authentication (shared secrets) or digital certificates. (Tackling security vulnerabilities in VPN-based wireless deployments, 2004.)
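The three services listed above (confidentiality through key exchange, integrity through a MAC, and authentication through a shared secret) are combined below into one simplified handshake and packet-protection routine. This is an added Python example written for this chapter; it is not code from the project or from any VPN product. It assumes a pre-shared key (PSK) as the shared secret, uses Diffie-Hellman key agreement (the public key method IPsec's IKE uses) to solve the key-exchange problem described under Confidentiality, HMAC-SHA256 as the MAC, and an HMAC-based keystream as a stand-in for a block cipher because the Python standard library has no AES. The PSK, peer roles and message are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group: RFC 3526 group 14 (2048-bit MODP), generator 2.
# The prime is transcribed here from the RFC; check it against RFC 3526
# before relying on it outside this demonstration.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def to_bytes(n: int) -> bytes:
    return n.to_bytes(256, "big")  # fixed width for 2048-bit values


def hkdf_sha256_32(secret: bytes, salt: bytes, info: bytes) -> bytes:
    # HKDF (RFC 5869) extract-then-expand, one 32-byte output block.
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


class Peer:
    # One VPN endpoint: a DH key pair plus the PSK used for authentication.
    def __init__(self, psk: bytes):
        self.psk = psk
        self.private = secrets.randbelow(P - 2) + 1  # secret exponent, 1..P-2
        self.public = pow(G, self.private, P)        # the only value sent in clear
        self.enc_key = self.mac_key = None

    def auth_tag(self, peer_public: int) -> bytes:
        # Authentication: prove knowledge of the PSK, bound to BOTH public values
        # with this side's value first so the tag cannot be reflected back.
        msg = b"AUTH" + to_bytes(self.public) + to_bytes(peer_public)
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def complete(self, peer_public: int, peer_tag: bytes) -> None:
        # Reject public values (0, 1, P-1) that would force a predictable secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid Diffie-Hellman public value")
        expected = hmac.new(self.psk, b"AUTH" + to_bytes(peer_public) + to_bytes(self.public),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("peer failed authentication")
        # Confidentiality: the shared secret g^ab never crosses the network; an
        # eavesdropper sees only g^a and g^b. Keys are derived from it with HKDF.
        shared = to_bytes(pow(peer_public, self.private, P))
        transcript = to_bytes(min(self.public, peer_public)) + to_bytes(max(self.public, peer_public))
        keys = hkdf_sha256_32(shared, salt=transcript, info=b"vpn demo keys")
        self.enc_key, self.mac_key = keys[:16], keys[16:]  # separate keys per purpose


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for a block cipher (no AES in the
    # standard library). Illustration only; use a vetted AEAD in production.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def protect(peer: Peer, seq: int, plaintext: bytes) -> bytes:
    nonce = seq.to_bytes(8, "big")  # sequence number; never reused under one key
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(peer.enc_key, nonce, len(plaintext))))
    tag = hmac.new(peer.mac_key, nonce + ct, hashlib.sha256).digest()  # integrity
    return nonce + ct + tag


def unprotect(peer: Peer, packet: bytes) -> bytes:
    nonce, ct, tag = packet[:8], packet[8:-32], packet[-32:]
    expected = hmac.new(peer.mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify BEFORE decrypting
        raise ValueError("integrity check failed: packet modified in transit")
    return bytes(c ^ k for c, k in zip(ct, keystream(peer.enc_key, nonce, len(ct))))


def run_handshake(psk_a: bytes, psk_b: bytes) -> tuple:
    # Exchange public values and auth tags; return both configured peers.
    alice, bob = Peer(psk_a), Peer(psk_b)
    tag_a, tag_b = alice.auth_tag(bob.public), bob.auth_tag(alice.public)
    alice.complete(bob.public, tag_b)
    bob.complete(alice.public, tag_a)
    return alice, bob


if __name__ == "__main__":
    a, b = run_handshake(b"demo-psk", b"demo-psk")  # constructed PSK
    pkt = protect(a, 1, b"transfer 100 units")      # constructed message
    print(unprotect(b, pkt))
    flipped = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]  # one bit altered in transit
    try:
        unprotect(b, flipped)
    except ValueError as err:
        print("rejected:", err)
```

Two design points worth noting against the chapter's list: the authentication tag covers both Diffie-Hellman public values, so a third party who substitutes its own public value during the exchange cannot produce a valid tag without the PSK; and the receiver checks the MAC before it decrypts, which is the order that lets a modified packet be dropped without acting on its contents.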

1.5 SCOPE OF STUDY

This project will be limited to the basics and fundamentals of VPNs, such as:
i. Architectures
ii. Protocols
iii. Types
iv. Procedures and Methods
v. Hardware and Software used

1.6 MOTIVATION OF STUDY
Several motivations exist for building VPNs, but a common characteristic is that they all share the requirement to virtualise some portion of an organization's communications, i.e. they make some portion of communications essentially invisible to an external observer while taking advantage of the efficiencies of a common communications infrastructure.

ECONOMICS: The primary motivation for VPNs lies in the economics of communications. Communications systems today exhibit a high fixed cost component and a smaller variable cost component that varies with the transport capacity or bandwidth of the system. Aggregating communications requirements leads to a more cost effective communications infrastructure, which is why all these services are consolidated onto a single public communications system.

PRIVACY: The second motivation for VPNs is that of communications privacy, in which the characteristics and integrity of communications services within one environment are isolated from all other environments that share the common underlying plant. The level of privacy depends greatly on the risk assessment performed by the subscriber organization. If the requirement for privacy is low, then the simple abstraction of discretion and network obscurity may serve the purpose. However, if the requirement for privacy is high, then there is a corresponding requirement for strong security applied to data passed over the common network. (Building an ISP, 2004)

1.7 RESEARCH METHODOLOGY

Due to the descriptive nature of this project, data collection will be through materials
from the internet, white paper reports, library, books, published or unpublished articles
etc. These are mainly secondary data. The modeling will be through the use of visual aids
to show how connections are established; screen shots of the set-up process will also be
shown.

1.8 ARRANGEMENT OF PROJECT

Chapter One: deals with the introduction, definition, aim and objectives, scope of study, motivation and methodology.

Chapter Two: deals with the literature review and the introduction of some essential components.

Chapter Three: focuses on the various types of VPNs, the ways VPNs can be established and the various protocols involved.

Chapter Four: discusses the system design and implementation, components and firewalls.

Chapter Five: contains the summary, recommendations and conclusion.

CHAPTER TWO

LITERATURE REVIEW

2.0 SMALL AND MEDIUM SCALE ENTERPRISES

A small and medium scale enterprise is a private organization or business concern born out of the desire of business men and women to be independent and be their own boss. This motivation for independence has led thousands of entrepreneurs or enterprising persons to become owners of small businesses. Many of today's successful enterprises started small as one-man businesses. Small and medium scale enterprises typically have a maximum capital base of N200,000,000 and employ not more than 300 staff. These limitations in size and capital have kept small and medium scale enterprises away from large scale technological advancements such as wide area networks, etc.

2.1.0 HISTORY OF VIRTUAL PRIVATE NETWORKS

WANs have enabled communication between corporations all over the world, but it was not possible for small offices to have a private leased line. The Internet, which emerged as the cost effective alternative medium, was subject to the risks of hacking, spying, viruses, etc. VPNs provide cost effective, secured communication channels between employees across the globe.

Globalization has brought about decentralization and outsourcing. WANs have given corporate bodies a means of effective and timely running of various offices situated all over the globe. Data was secure over these private networks, and large corporations started using computer networks rather than the courier services of the time. It is untenable for small and medium scale enterprises to have private leased lines. The cost effective alternative medium was the Internet, but this was subject to the risks of spoofing and eavesdropping. Hacking, spying, viruses and worms have been a major source of loss to business.

Virtual Private Networks (VPN), the answer to the WAN, are now attracting many organizations, small and large alike, to establish cost effective, secure communication channels between global offices or employees. The savings on communication for many corporations that have switched to VPN are around 30% to 80%. Quality of service (priority to critical information over general emails or web browsing), being paramount for VPN, is now being offered by some ISPs. By rising to the occasion they are providing quality VPN services such that businesses migrate from WAN to VPN.

VPN use in the financial sector has increased because business management and a variety of its concepts require information technology and computers.

Enterprise Resource Planning has resulted in many specific software applications that require interconnectivity to maintain the ever growing enterprise. ERP's business needs are:

• Inventory control, resource planning, customer service departments

• Integrate the various departments of business including CRM.

• Rapid exchange of information between the various departments

• Effective project planning and execution depending on the current information.

Earlier implementations used WANs with leased lines, frame relays and T1 lines for connection. IP VPN performs better over an ISDN infrastructure, providing VoIP and a flexible implementation architecture that takes the load off the corporate server for client-to-client connections. A VPN's Class of Service agreement assigns priority to the information transferred across its network, so business critical information is transferred first and at a faster rate than other information.

VPN use in the banking sector is registering growth due to personalized banking and e-banking. With authentication, encryption and different data communication methods, banking grew to accept secure online transactions. The growing needs of the banking sector are:

• Internet access to account information

• Wireless and mobile money transactions

• Account transactions between companies using the Internet as a means of communication

IP VPN has brought about a range of encryption and authentication techniques that the
bank can use. It has also brought voice over the internet, which is a merging of
technologies making it easier to implement and better in performance. (Banking on the
Internet and Its Applications, 2004)

2.1.1 NECESSITIES OF BUSINESS

1) Security: Security of a business is important, and VPN over the Internet infrastructure provides security through protocols that authenticate and encrypt the communications taking place between the end points of the network.

2) Convergence: Business enterprises that are CRM based require voice and data networks. Voice, video and network security are now being bundled together on VPN networks.

3) Scalability: Every business grows and the infrastructure should be able to meet its growing demands. As bandwidth and traffic increase, VPN performance keeps pace, and the security and other complexities related to hardware and software change accordingly. VPN is adapting to this growth, though rather slowly.

4) Cost Effectiveness: Since the infrastructure is shared and is not a private leased line, cost decreases dramatically when VPN technologies are used.

5) Reliability: The network has to provide a reliable, redundant and fault tolerant service for it to become popular.

6) Flexibility: The ability to set up a network of different topologies according to your needs for voice and data is now provided by VPN networks.

7) Class of service: The ability to provide the user customized service according to his requirement has prompted many IP VPN service providers to offer advanced Classes of Service appropriate to specific traffic patterns and businesses. (What is a VPN?, 2001.)

2.1.2 APPLICATIONS REQUIRING SECURE COMMUNICATIONS

i. B2B - Business-to-business applications with customers, suppliers and partners
ii. VoIP for enterprises looking for converged services rather than having a separate PSTN (Public Switched Telephone Network).
iii. Teleworkers who work from outside the office premises.
iv. Wireless VPN
v. Storage Area Networks set up by large corporations
vi. EAI - Enterprise Application Integration for web based CRM. (Network Security: Private Communication in a Public World, 2002.)

2.1.3 NETWORK

A network is a system used to link two or more computers. Network users are able to share files, printers and other resources; send electronic messages; and run programs on other computers.

A network has three layers of components: application software, network software, and
network hardware. Application software consists of computer programs that interface
with network users and permit the sharing of information, such as files, graphics, and
video, and resources, such as printers and disks. One type of application software is
called client-server. Client computers send requests for information or requests to use
resources to other computers, called servers that control data and applications. Another
type of application software is called peer-to-peer. In a peer-to-peer network, computers
send messages and requests directly to one another without a server intermediary.

Network software consists of computer programs that establish protocols, or rules, for
computers to talk to one another. These protocols are carried out by sending and
receiving formatted instructions of data called packets. Protocols make logical
connections between network applications, direct the movement of packets through the
physical network, and minimize the possibility of collisions between packets sent at the
same time.

Network hardware is made up of the physical components that connect computers. Two important components are the transmission media that carry the computer's signals, typically on wires or fiber-optic cables, and the network adapter, which accesses the physical media that link computers, receives packets from network software, and transmits instructions and requests to other computers. Transmitted information is in the form of binary digits, or bits (1s and 0s), which the computer's electronic circuitry can process.

2.1.4 NETWORK CONNECTIONS

A network has two types of connections: physical connections that let computers directly
transmit and receive signals and logical, or virtual, connections that allow computer
applications, such as e-mail programs and the browsers used to explore the World Wide
Web, to exchange information. Physical connections are defined by the medium used to
carry the signal, the geometric arrangement of the computers (topology), and the method
used to share information. Logical connections are created by network protocols and
allow data sharing between applications on different types of computers, such as an
Apple Macintosh or a personal computer (PC) running the Microsoft Corporation
Windows operating system, in a network. Some logical connections use client-server
application software and are primarily for file and printer sharing. The Transmission
Control Protocol/Internet Protocol (TCP/IP) suite, originally developed by the United
States Department of Defense, is the set of logical connections used by the Internet, the
worldwide consortium of computer networks. TCP/IP, based on peer-to-peer application
software, creates a connection between any two computers.

2.1.5 NETWORK ARCHITECTURE

A. Media

The medium used to transmit information limits the speed of the network, the effective
distance between computers, and the network topology. Copper wires and coaxial cable
provide transmission speeds of a few thousand bits per second for long distances and
about 100 million bits per second for short distances. (A million bits is equal to one
megabit, and one megabit per second is abbreviated Mbps.) Optical fibers carry 100
million to 40 billion bits of information per second over long distances. (A billion bits is
equal to one gigabit, and a billion bits per second is abbreviated Gbps.) Wireless
networks, often used to connect mobile, or laptop, computers, send information using
infrared or radio-frequency transmitters. Infrared wireless local area networks (LANs)
work only within a room, while wireless LANs based on radio-frequency transmissions
can penetrate most walls. Wireless LANs using Wi-Fi technology have capacities of
around 54 Mbps and operate at distances up to a few hundred meters. Wireless
communications for wide area networks (WANs) use cellular radio telephone networks,
satellite transmissions, or dedicated equipment to provide regional or global coverage.
Although transmission speeds continue to improve, today’s wide area cellular networks
run at speeds ranging from 14 to 230 kilobits per second. (A kilobit is equal to 1,000 bits,
and one kilobit per second is abbreviated Kbps.) Some networks use a home’s existing
telephone and power lines to connect multiple machines. HomePNA networks, which use
phone lines, can transmit data as fast as 128 Mbps, and similar speeds are available on
Power Line or HomePlug networks.

B. Topology

Common topologies used to arrange computers in a network are point-to-point, bus, star,
ring, and mesh. Point-to-point topology is the simplest, consisting of two connected
computers. The bus topology is composed of a single link connected to many computers.
All computers on this common connection receive all signals transmitted by any attached
computer. The star topology connects many computers to a common hub computer. This
hub can be passive, repeating any input to all computers similar to the bus topology, or it
can be active, selectively switching inputs to specific destination computers. The ring
topology uses multiple links to form a circle of computers. Each link carries information
in one direction. Information moves around the ring in sequence from its source to its
destination. On a mesh network, topology can actually change on the fly. No central
device oversees a mesh network, and no set route is used to pass data back and forth
between computers. Instead, each computer includes everything it needs to serve as a
relay point for sending information to any other computer on the network. Thus, if any
one computer is damaged or temporarily unavailable, information is dynamically
rerouted to other computers—a process known as self-healing. LANs commonly use bus,
star, or ring topologies. WANs, which connect distant equipment across the country or
internationally, often use special leased telephone lines as point-to-point links.

C. Sharing Information

When computers share physical connections to transmit information packets, a set of
Media Access Control (MAC) protocols are used to allow information to flow smoothly
through the network. An efficient MAC protocol ensures that the transmission medium is
not idle if computers have information to transmit. It also prevents collisions due to
simultaneous transmission that would waste media capacity. MAC protocols also allow
different computers fair access to the medium. One type of MAC is Ethernet, which is
used by bus or star network topologies. An Ethernet-linked computer first checks if the
shared medium is in use. If not, the computer transmits. Since two computers can both
sense an idle medium and send packets at the same time, transmitting computers continue
to monitor the shared connection and stop transmitting information if a collision occurs.
When used on local area networks, Ethernet typically transmits information at a rate of
either 10 or 100 Mbps, but newer wide-area technologies are capable of speeds as high as
10 gigabits per second (Gbps). Computers also can use Token Ring MAC protocols,
which pass a special message called a token through the network. This token gives the
computer permission to send a packet of information through the network. If a computer
receives the token, it sends a packet, or, if it has no packet to send, it passes the token to
the next computer. Since there is only one token in the network, only one computer can
transmit information at a time. Token Ring networks are now quite rare. Most LANs now
use Ethernet technology. International Business Machines Corporation (IBM), the
company that invented Token Ring in the early 1980s, no longer promotes the
technology.

In the mid-1990s a new protocol called Asynchronous Transfer Mode (ATM) was
introduced. This protocol encodes data in fixed-sized packets called cells rather than
variable-sized packets used on an Ethernet network. It was designed as a way of merging
old, circuit-switched telephone networks with more modern packet-switched computer
networks in order to deliver data, voice, and video over the same channel. This can now
be done with other protocols as well. Capable of speeds of nearly 10 Gbps, ATM is often
used in wide area networks, but never really caught on with LANs. (Microsoft Encarta
Student DVD, 2007)

2.1.6 NETWORK OPERATION AND MANAGEMENT

Network management and system administration are critical for a complex system of
interconnected computers and resources to remain operating. A network manager is the
person or team of people responsible for configuring the network so that it runs
efficiently. For example, the network manager might need to connect computers that
communicate frequently to reduce interference with other computers. The system
administrator is the person or team of people responsible for configuring the computer
and its software to use the network. For example, the system administrator may install
network software and configure a server's file system so client computers can access shared files.

Networks are subject to hacking, or illegal access, so shared files and resources must be
protected. A network intruder could eavesdrop on packets being sent across a network or
send fictitious messages. For sensitive information, data encryption (scrambling data
using mathematical equations) renders captured packets unreadable to an intruder. Most
servers also use authentication schemes to ensure that a request to read or write files or to
use resources is from a legitimate client and not from an intruder.

2.1.7 CLASSIFICATIONS OF NETWORK

Computer networks may be classified according to the scale: Personal area network
(PAN), Local Area Network (LAN), Campus Area Network (CAN), Metropolitan area
network (MAN), or Wide area network (WAN). As Ethernet increasingly is the standard
interface to networks, these distinctions are more important to the network administrator
than the end user. Network administrators may have to tune the network, based on delay
that derives from distance, to achieve the desired Quality of Service (QoS). The primary
difference in the networks is the size.

Computer networks can also be classified according to the hardware technology that is
used to connect the individual devices in the network such as Optical fiber, Ethernet,
Wireless LAN, HomePNA, or Power line communication. Ethernets use physical wiring
to connect devices. Often, they employ the use of hubs, switches, bridges, and routers.
Wireless LAN technology is built to connect devices without wiring. These devices use a
radio frequency to connect. (Privacy and Security on Internet: Virtual Private Networks,
2002)

2.1.8 TYPES OF NETWORK

2.1.8.1 LOCAL AREA NETWORK (LAN)

A LAN is a collection of two or more computers that are located within a limited distance of each
other and that are connected to each other, directly or indirectly. LANs differ in the way the
computers are connected, in how information moves around the network, and in what machine (if
any) is in charge of the network. ( , 2008)

2.1.8.2 VIRTUAL NETWORK

A virtual network consists of virtual links between nodes in a physical computer network. The implementation of these virtual links may or may not correspond to physical connections between nodes. The terms VLAN, VPN and VPLS are all used to describe different types of virtual network. A VLAN is a partitioning of a network into multiple subnets using a VLAN ID. The partitioned network can be on a single router, on multiple routers that would otherwise form a single network, or on a VPN. A VPN is multiple remote routers (or networks) joined by some sort of tunnel over another network, usually a third-party network. Two such routers constitute a 'Point to Point Virtual Private Network' (or a PTP VPN). Connecting more than two routers by putting in place a mesh of tunnels creates a 'Multipoint VPN'. A VPLS is a specific type of Multipoint VPN. VPLS are divided into Transparent LAN Services (TLS) and Ethernet Virtual Connection Services (EVCS). A TLS sends what it receives, so it provides geographic separation but not VLAN subnetting. An EVCS adds a VLAN ID, so it provides geographic separation and VLAN subnetting. (Building an ISP, 2004)

2.1.9 WIDE AREA NETWORK (WAN)

A WAN is a network whose elements may be separated by distances great enough to
require telephone communications. The WAN supports communications between such
elements. For most WANs, the long distance bandwidth is relatively slow: on the order of
kilobits per second (kbps) as opposed to megabits per second (Mbps) for local-area
networks (LANs). For example, an Ethernet LAN has a 10 Mbps bandwidth; a WAN
using part or all of a T1 carrier has a bandwidth determined by the number of 64kbps
channels the WAN is using—up to 24 such channels for a maximum T1 bandwidth of
1.544 Mbps (including control bits). There is no specified upper limit to the radius of a
WAN, but in practice, machines distributed over areas larger than a state almost certainly
belong to different networks that are connected to each other. Such a setup is known as
an internetwork. Thus, although they are simply called WANs, these are more accurately
wide-area internetworks (WAIs). One of the oldest, best-known, and most widely used
examples of a WAI is the Department of Defense’s ARPAnet, from which we have
inherited many of the important concepts and protocols used in networking.
(Encyclopedia of Networking, 1996)

2.1.9.1 TYPES OF WIDE AREA NETWORKS

Internetwork

Two or more networks or network segments connected using devices that operate at layer 3 (the 'network' layer) of the OSI Basic Reference Model, such as a router. Any interconnection among or between public, private, commercial, industrial, or governmental networks may also be defined as an internetwork.

In modern practice, the interconnected networks use the Internet Protocol. There are at
least three variants of internetwork, depending on who administers and who participates
in them:

• Intranet
• Extranet
• "The" Internet

Intranets and extranets may or may not have connections to the Internet. If connected to
the Internet, the intranet or extranet is normally protected from being accessed from the
Internet without proper authorization. The Internet itself is not considered to be a part of
the intranet or extranet, although the Internet may serve as a portal for access to portions
of an extranet.

I. Intranet

An intranet is a set of interconnected networks that uses the Internet Protocol and IP-based tools such as web browsers, and that is under the control of a single administrative entity. That administrative entity closes the intranet to the rest of the world and allows in only specific users. Most commonly, an intranet is the internal network of a company or other enterprise.

II. Extranet

An extranet is a network or internetwork that is limited in scope to a single organization or entity but which also has limited connections to the networks of one or more other, usually but not necessarily trusted, organizations or entities (e.g. a company's customers may be given access to some part of its intranet, creating in this way an extranet, while at the same time the customers may not be considered 'trusted' from a security standpoint). Technically, an extranet may also be categorized as a CAN, MAN, WAN, or other type of network, although, by definition, an extranet cannot consist of a single LAN; it must have at least one connection with an external network.

III. Internet

Research on dividing information into packets and switching them from computer to
computer began in the 1960s. The U.S. Department of Defense Advanced Research
Projects Agency (ARPA) funded a research project that created a packet switching
network known as the ARPANET. ARPA also funded research projects that produced
two satellite networks. In the 1970s ARPA was faced with a dilemma: Each of its
networks had advantages for some situations, but each network was incompatible with
the others. ARPA focused research on ways that networks could be interconnected, and
the Internet was envisioned and created to be an interconnection of networks that use
TCP/IP protocols. In the early 1980s a group of academic computer scientists formed the
Computer Science NETwork, which used TCP/IP protocols. Other government agencies
extended the role of TCP/IP by applying it to their networks: The Department of
Energy’s Magnetic Fusion Energy Network (MFENet), the High Energy Physics
NETwork (HEPNET), and the National Science Foundation NETwork (NSFNET).

In the 1980s, as large commercial companies began to use TCP/IP to build private
internets, ARPA investigated transmission of multimedia—audio, video, and graphics—
across the Internet. Other groups investigated hypertext and created tools such as Gopher
that allowed users to browse menus, which are lists of possible options. In 1989 many of
these technologies were combined to create the World Wide Web. Initially designed to
aid communication among physicists who worked in widely separated locations, the Web
became immensely popular and eventually replaced other tools. Also during the late
1980s, the U.S. government began to lift restrictions on who could use the Internet, and
commercialization of the Internet began. In the early 1990s, with users no longer
restricted to the scientific or military communities, the Internet quickly expanded to
include universities, companies of all sizes, libraries, public and private schools, local and
state governments. (Encyclopedia of Networking, 2005)

2.0.10 NETWORK HARDWARE

Connections that link LANs to external resources, such as other LANs or remote
databases, are called bridges, routers, and gateways. A bridge creates an extended LAN
by passing information between two or more LANs. A router is an intermediary device
that connects a LAN to a larger LAN or to a WAN by interpreting protocol information
and selectively forwarding packets to different LAN or WAN connections through the
most efficient route available. A gateway connects and translates between networks that
use different communications protocols. LAN computers use a gateway or router to
connect to a WAN such as the Internet, the worldwide consortium of computer networks.
Such connections are a security risk because the LAN has no control over users on the
Internet. Applications transferred from the Internet to the LAN may contain computer
viruses that can harm the components of the LAN, or external and unauthorized users
may gain access to sensitive files or erase or alter files. A special type of gateway called a
firewall keeps external users from accessing resources on the LAN while letting LAN
users access the external information. (Networking Essentials, 1998)

2.2 DEFINITION OF TERMS

2.2.1 CLIENT/SERVER ARCHITECTURE

Internet applications, such as the Web, are based on the concept of client/server
architecture. In client/server architecture, some application programs act as information
providers (servers), while other application programs act as information receivers
(clients). The client/server architecture is not one-to-one. That is, a single client can
access many different servers, and a single server can be accessed by a number of
different clients. Usually, a user runs a client application, such as a Web browser, that
contacts one server at a time to obtain information. Because it only needs to access one
server at a time, client software can run on almost any computer, including small
handheld devices such as personal organizers and cellular telephones. To supply
information to others, a computer must run a server application. Although server software
can run on any computer, most companies choose large, powerful computers to run
server software because the company expects many clients to be in contact with its server
at any given time. A faster computer enables the server program to return information
with less delay. (http://www.vpntools.com, 2008)

2.2.2 OSI MODEL

The OSI (Open Systems Interconnection) Reference Model is a seven-layer model
developed by the ISO (International Standardization Organization) to describe how to
connect any combination of devices for purposes of communications. This model
describes the task in terms of seven functional layers, and specifies the functions that
must be available at each layer. The seven layers form a hierarchy from the applications
at the top to the physical communications medium at the bottom. The functions and
capabilities expected at each layer are specified in the reference model; however, the
model does not prescribe how this functionality must be implemented. The focus in this
model is on the “interconnection” and on the information that can be passed over this
connection. The OSI model does not concern itself with the internal operations of the
systems involved. (Encyclopedia of Networking, 2005)

Figure 1: The OSI model (Privacy and Security on Internet: Virtual Private Networks,
2002). The figure lists the seven layers from top to bottom: application, presentation,
session, transport (TCP, UDP), network (IP), data link (Ethernet) and physical, grouped
into upper-level layers and lower-level layers.

2.2.3 PORTS
A port is a location for passing data in and out of a computing device. Microprocessors
have ports for sending and receiving data bits; these ports are usually dedicated locations
in memory. Full computer systems have ports for connecting peripheral devices such as
printers and modems.

The network port refers to the number assigned to each message. Standard network
protocols like TCP, IP and UDP usually attach a port number to the data they send. The
type of service provided is based on this port number. This assignment is usually based on
logic. (Encyclopedia of Networking, 2005)

2.2.3.1 SOFTWARE PORTS

The network port is usually a number, and standard network protocols like TCP, IP and
UDP attach a port number to the data they send. A port number is assigned to each
message according to the TCP layer requirements. This port (logical reference) number
determines the type of service provided. This software network port (an address in the form
of a number) is assigned to a service for communicating between one program and another
program or communication system. This naming system is logical and pertains to the
services that carry on long-term conversations. The port used by a server process is known
as its contact port; a service contact port is defined to provide a specific service to
unknown callers. These software network ports also connect internal programs on the same
computer. Numbers from 0 to 1023 are used to identify a network service on the internet
(Internet Protocol). Each IP packet contains a TCP or UDP header which directs data to
the appropriate application in the server. Reserved port numbers and unassigned numbers
can be used by application programs.

The Internet Assigned Numbers Authority (IANA) registers ports 1024 to 49151 for the
convenience of internet continuity. Port numbers from 49151 to 65535 are called
dynamic ports and are private. The most well-known port is 80, which identifies HTTP
traffic for a Web server. The Well Known Ports are assigned by the IANA and on most
systems can only be used by system (or root) processes or by programs executed by
privileged users. Port numbers are unsigned integer values which range up to 65535.
Below is a list of well known ports and their services. (Encyclopedia of Networking, 2005)
Port        Service
20, 21      FTP (File transfer)
22          SSH (Remote login secure)
25          SMTP (Internet mail)
53          DNS (Host naming)
80          HTTP (Web)
88          Kerberos (computer authentication protocol)
110         POP3 (Client access)
119         NNTP (Usenet newsgroups)
123         NTP (Network time)
137-139     NetBIOS (DOS/Windows naming)
143         IMAP (Client access)
161, 162    SNMP (Network management)
163, 164    CMIP (Network management)
443         HTTPS (Web secure)
514         Syslog (Event logging)
563         NNTPS (Usenet newsgroups secure)
993         IMAP4 over SSL (Internet Message Access Protocol)
995         POP3 over SSL (Post Office Protocol)
989, 990    FTPS (File transfer secure)
1723        Virtual private network (VPN)

Table 1: Software Ports

2.2.4 IP ADDRESSES
In TCP/IP, TCP stands for Transmission Control Protocol and IP for Internet Protocol.
These protocols are responsible for transporting and managing data across the network.
IPv4 requires a 4 byte address to be assigned to each network interface card on every
computer in the network, whereas IPv6 assigns a 6 byte address. An IP address works much
like a house address: without it, determining where data packets should go would be
impossible. Addresses can be assigned automatically by network software such as DHCP
(Dynamic Host Configuration Protocol) or by manually entering static addresses into the
computer. The part of the IP address that defines the network is the network ID, and the
latter part of the IP address, which defines the host, is the host ID.
Using this port and addressing scheme, the networking system can pass data, addressing
information, and type of service information through the hardware from one computer to
another. (http://www.vpntools.com, 2008)

2.3 OTHER EXAMPLES OF PRIVATE NETWORKS

2.3.1 PUBLIC DATA NETWORK

Historically, one of the precursors of the VPN was the public data network (PDN), and
the currently familiar instance of the PDN is the global internet. The internet creates a
ubiquitous connectivity paradigm in which the network permits any connected network
entity to exchange data with any other connected entity. The PDN has no inherent
policy of traffic segregation, and any modification to this network policy of admitting
ubiquitous connectivity is the responsibility of the connecting entity to define and
enforce. The network environment is constructed using a single addressing scheme
and a synchronized routing hierarchy. This allows the switching elements of the
network to determine the location of all connected entities, and all these connected
entities also share access to a common infrastructure of circuits and switching.
However, the model of ubiquity in the internet PDN does not match all potential
requirements, especially the need for data privacy. For organizations that want to use
this public network for private purposes within a closed set of participants (e.g.
connecting a set of geographically separated offices), the internet is not always a
palatable possibility. A number of factors are behind this mismatch, including:
i. Quality of Service (QoS)
ii. Availability and Reliability
iii. Use of public addressing schemes
iv. Use of public protocols
v. Site Security
vi. Data Integrity (admitting the possibility of traffic interception) (Building
an ISP, 2004)

2.3.2 PBX (Private Branch Exchange)

A telephone switching system configured for communications in a private network but
with possible access to a public telephone system. A PBX may use analog or digital
signaling, and the switching may be done automatically or manually (for example,
through an operator).

2.3.3 PSTN (Public Switched Telephone Network)

A public switched telephone network is a public network that provides circuit switching
for users. In circuit switching, a hardware path is set up to establish a connection between
two devices. This path stays in effect until the communication is finished, as when one
party hangs up the telephone to end a telephone call. Examples of circuit-switching
services include the following: Switched 56, Switched T1 and ISDN (Integrated Services
Digital Network). (Encyclopedia of Networking, 2005)

2.4 PAST PROJECTS

CHARGING AND ACCOUNTING TECHNOLOGY FOR THE INTERNET (CATI)
VIRTUAL PRIVATE NETWORK ARCHITECTURE
This project proposes a solution that enables VPNs with QoS support, such as guaranteed
services, assured services, etc., by making use of certain VPN features. The project uses
certain protocols to achieve its primary goals and aims. It makes use of the Resource
Reservation Setup Protocol (RSVP), which is a part of Integrated Services (IntServ) and is
used to request QoS levels. It also makes use of the Differentiated Services (DiffServ)
approach, which can provide two or more QoS levels without maintaining per-flow state
at every router and provides enhanced scalability compared to IntServ.

SIMILARITIES
It makes use of IPSec (Internet Protocol Security) to carry out encapsulation, which is one
of the tunneling protocols discussed in this project; it was designed mainly for IP-based
networks.

DIFFERENCES
It deals with the use of VPN as a way of providing accountability on the Internet. It also
uses VPN to filter Internet traffic on a network.

WIRELESS LAN SECURITY: RESEARCH TRENDS AND ISSUES

It discusses how VPNs can be deployed over a wireless infrastructure to enhance the
security of such networks. It proposes using remote access VPNs to secure wireless
networks. It makes use of an IEEE 802.11b 2.4GHz WLAN to connect clients running the
Windows 2000 operating system. It makes use of the IPSec protocol for tunnel creation.

CHAPTER THREE
SYSTEM DESIGN
3.0 INTRODUCTION
In designing a virtual private network, a lot of factors need to be considered especially
when choosing an optimal arrangement for the required connection tasks. Factors to be
considered include the number of clients to be connected, the level of security required,
and the financial capabilities of the organization. The aim of this chapter is to evaluate
the design options available and determine which will be implemented or modeled.

3.1 FACTORS TO BE CONSIDERED WHEN CHOOSING A VPN

1) Cost factors – Erstwhile methods like dial-ups and leased lines have proven to be
costly means of providing remote access to corporate users. Favorable cost implications
are suggested through the use of the Internet for remote access.
2) Scalability – With an increasing number of remote users, the need to add physical ports
to remote access servers (RASs) to scale to the demand is a problem. Internet access
mitigates this requirement.
3) Security – Remote users should be able to access corporate resources securely. This
includes authentication, confidentiality, anti-replay (the anti-replay mechanism involves
matching the sequence numbers of arriving packets and discarding invalid packets when
a mismatch is detected) and data integrity.
4) IP Address Management – Not only is the number of remote users increasing rapidly,
but the need to manage and differentiate remote users is also on the rise. Enterprises
increasingly want IP address management solutions that let them differentiate different
sets of remote users, provide priority access and/or bandwidth to some users, and
exclusive privileges to others.
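
One way to implement the anti-replay check named in factor 3, as an added example (not code from this thesis or from any VPN product): a sliding-window filter over packet sequence numbers of the kind IPsec receivers use, which discards a packet whose sequence number was already accepted or has fallen behind the window. The window size and the sample stream of sequence numbers are constructed values.

```python
"""Anti-replay sliding window over packet sequence numbers (added example)."""


class AntiReplayWindow:
    """Remembers which of the last `size` sequence numbers were accepted.

    Bit i of `bitmap` is set when sequence number (highest - i) has been seen.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (highest - i) already accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window."""
        if seq <= 0:
            return False        # sequence numbers start at 1
        if seq > self.highest:
            # Ahead of everything seen so far: slide the window forward.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False        # too old: fell behind the window
        if self.bitmap & (1 << offset):
            return False        # replay: this number was already accepted
        self.bitmap |= 1 << offset
        return True


def filter_sequence(seqs, size: int = 64):
    """Run a stream of sequence numbers through one window; return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in-order packets, one reordered, one replayed, one stale.
    stream = [1, 2, 3, 5, 4, 3, 70, 5]
    for seq, ok in zip(stream, filter_sequence(stream, size=64)):
        print(f"seq {seq:>3}: {'accept' if ok else 'discard'}")
```

The reordered packet (4 after 5) is still accepted because it lies inside the window; the repeated 3 and the stale 5 arriving after 70 are the ones discarded.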

3.1.1 TOTAL COST OF OWNERSHIP
Your budget for any security and VPN solution must take into account not only the initial
cost of the product, but also the total cost of ownership over the life of the product. These
costs include installation, service and support, IT resources for ongoing management, and
the often “hidden” costs of software upgrades required to keep the product up-to-date.
One of the biggest budgetary items associated with any security solution is the cost of IT
resources. Savings in the amount of time needed for installation and maintenance can
significantly reduce the total cost of ownership. The total cost of ownership includes:
• One-time costs: equipment costs and installation costs
• Annual costs: software maintenance, technical support fees and the IT labour estimate.
(Deploying IPSec VPN, 2002)

3.1.2 UP-TO-DATE PROTECTION

Just as the Internet is a dynamic, changing environment, security threats are also
constantly changing. Any security product should easily adapt to the changing threats by
providing the ability to update the software that provides protection against the latest
attacks. The cost, if any, of these software updates over the life of the product should be
factored into the total cost of the solution. In addition, these updates should be automatic
so that the security product can keep pace with the latest threats.

3.1.3 SCALABILITY
To protect your security and VPN investment, consideration must be made for future
growth of the organization. For the security solution to be able to grow with the
organization, it must be able to scale in terms of the number of users or size of the
network it supports. Any security platform you choose should provide an upgrade path
for supporting more users as well as integrating new security services, such as VPN, virus
protection, and content filtering. Choosing a security platform that is unable to scale
means expensive upgrades or deploying multiple devices where a single device would
have been sufficient. (Scalability implications of virtual private networks, 2002)

3.1.4 SECURITY
Of the above named factors, security is of the utmost priority because, apart from reduced
cost, it is the main advantage VPNs have over normal private networks, given that a VPN
operates over a public resource (the Internet). Thus security in a VPN cannot be
undermined, since the VPN serves as a means of transmitting critical data. What a VPN
really does is create a tunnel of information between the application and the server.
Complete end-to-end security is not guaranteed. System patches, antivirus software,
firewalls, additional encryption of data between the client application and the server
application, and vigilance on the part of both administrator and user are very important.
(Secure Remote Access VPN whitepaper, Intoto Inc., 2002)

3.2 CATEGORIES TO CONSIDER WHEN SECURING VPNs

As has been mentioned earlier, security is the primary aim of VPNs in the exchange and
transmission of data. Therefore security has to be ensured in the four categories of VPN
operations discussed below.

3.2.1 CONFIDENTIALITY

Confidentiality protects the privacy of information being exchanged between
communicating parties. Towards this end, every VPN solution provides encryption of
some sort.

The two primary cryptographic systems in use today are secret key cryptography and
public key cryptography. Secret (or private) key cryptography uses a shared key which is
used to encrypt and decrypt messages. The major problem with private key cryptography
is key exchange. Sending secret keys across the Internet unencrypted is not an option for
obvious reasons. This is where public key cryptography can help. Public key
cryptography uses a mathematically linked key pair for each communicating party. This
means that data encrypted with one key can be decrypted with the other key in the pair. A
sender can encrypt a message with the recipient's public key, which as the name implies
is publicly available (on a server, for example). The recipient can then decrypt the
message using his or her own private key.

Public key systems enable encryption over an unsecured network as well as a mechanism
to exchange secret keys. On the downside, public key cryptography is computationally
intensive, and therefore it is often combined with secret key cryptography to get the best
blend of performance and functionality. For example, the Diffie-Hellman public key
algorithm can be used in conjunction with the DES secret key algorithm: Diffie-Hellman
to produce the secret key and DES to encrypt the traffic.

3.2.2 INTEGRITY

Integrity ensures that information being transmitted over the public Internet is not altered
in any way during transit. VPNs typically use one of three technologies to ensure
integrity:

ONE-WAY HASH FUNCTIONS - A hash function generates a fixed-length output value
based on an arbitrary-length input file. The idea is that it's easy to calculate the hash value
of a file but mathematically difficult to generate a file that will hash to that value. To
validate the integrity of a file, a recipient would calculate the hash value of that file and
compare it to the hash value sent by the sender. Thus, the recipient can be assured that the
sender had the file at the time he or she created the hash value. Examples of hash
algorithms are MD5, SHA-1 and RIPEMD-160.

MESSAGE-AUTHENTICATION CODES (MACs) - simply add a key to hash functions.
A sender would create a file, calculate a MAC based on a key shared with the recipient,
and then append it to the file. When the recipient receives the file, it is easy to calculate
the MAC and compare it to the one that was appended to the file.

Digital signatures can also be used for data integrity purposes. A digital signature is
essentially public key cryptography in reverse. A sender digitally "signs" a document
with their private key and the recipient can verify the signature via the sender's public
key.
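
The difference between the first two integrity mechanisms above, as an added example (not code from this thesis): a bare hash sent beside the data can be recomputed by whoever rewrites the data in transit, while a MAC keyed with a secret shared by sender and recipient cannot be recomputed without that key. The shared key and the sample message are constructed values; SHA-256 and HMAC-SHA256 stand in for the hash and MAC algorithms the text lists.

```python
"""Unkeyed hash versus keyed MAC against in-transit tampering (added example)."""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-not-for-real-use"   # assumed sender/recipient secret


def send_with_hash(data: bytes) -> tuple[bytes, bytes]:
    """Sender appends an unkeyed SHA-256 digest (the one-way hash scheme)."""
    return data, hashlib.sha256(data).digest()


def verify_hash(data: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)


def send_with_mac(data: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Sender appends HMAC-SHA256 under the shared key (the MAC scheme)."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(data: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest keeps the comparison time independent of where tags differ.
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


def tamper_in_transit(data: bytes, tag: bytes, scheme: str) -> tuple[bytes, bytes]:
    """Model an in-path party that rewrites the data and adjusts the check value.

    With an unkeyed hash it simply recomputes the digest over the new data.
    With a MAC it does not hold the key, so all it can do is forward the old tag.
    """
    altered = data.replace(b"100", b"900")
    if scheme == "hash":
        return altered, hashlib.sha256(altered).digest()
    return altered, tag


def run_demo() -> dict:
    """Return which checks pass on intact data and which detect the tampering."""
    msg = b"transfer 100 to account 42"          # constructed sample payload
    results = {}

    data, digest = send_with_hash(msg)
    results["hash_intact"] = verify_hash(data, digest)
    data, digest = tamper_in_transit(data, digest, "hash")
    results["hash_tampering_detected"] = not verify_hash(data, digest)

    data, tag = send_with_mac(msg, SHARED_KEY)
    results["mac_intact"] = verify_mac(data, tag, SHARED_KEY)
    data, tag = tamper_in_transit(data, tag, "mac")
    results["mac_tampering_detected"] = not verify_mac(data, tag, SHARED_KEY)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:26} {value}")
```

The hash check passes on the rewritten message because the digest was rewritten with it; only the MAC check reports the tampering.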

3.2.3 AUTHENTICATION

Authentication ensures the identity of all communicating parties. To correctly identify an
individual or computing resource, VPNs typically use one or more forms of
authentication.

These methods are usually based on password authentication (shared secrets) or digital
certificates. Password authentication is the most prevalent form of user authentication
used in computer systems today, but it is also one of the weakest because passwords can
be guessed or stolen. Multi-factor authentication is generally a stronger form of
authentication and is based on the premise of utilizing something you have in conjunction
with something you know. This process is similar to how most ATM cards are used; a
user possesses the physical ATM card and "unlocks" it with a password.

For example, many VPNs support SecurID by Security Dynamics, a token card that
combines secret key encryption with a one-time password. The password is automatically
generated by encrypting a timestamp with the secret key. This one-time password will be
valid for a short interval, usually 30 to 60 seconds.
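
A time-based one-time password of the kind the token card above produces, as an added illustration (not SecurID's algorithm and not code from this thesis): the code is derived from the current 30-second time step under a secret the token and the server share, the server accepts one step of clock skew either way, and a step that has already been accepted is refused so a captured code cannot be replayed. The shared secret and the timestamps are constructed values.

```python
"""Time-step one-time password with a short validity window (added example)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # validity interval from the text (30 to 60 seconds)
DIGITS = 6


def otp_for_step(secret: bytes, step: int) -> str:
    """Derive a DIGITS-long code for one time step from the shared secret."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # pick 4 bytes of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def token_display(secret: bytes, now: int) -> str:
    """What the token card shows at Unix time `now`."""
    return otp_for_step(secret, now // STEP_SECONDS)


class OtpVerifier:
    """Server side of the exchange.

    Accepts the current step plus `skew_steps` either side to tolerate clock
    drift, and never accepts a step at or below the last accepted one, so a
    code that was already used (or an older one) is rejected.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1) -> None:
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue                          # already used, or older than used
            if hmac.compare_digest(otp_for_step(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed token secret
    now = 1_700_000_000                           # constructed login time
    code = token_display(secret, now)
    server = OtpVerifier(secret)
    print("first use:   ", server.verify(code, now))        # accepted
    print("replayed:    ", server.verify(code, now + 5))    # refused
    print("two min late:", server.verify(code, now + 120))  # refused
```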

Digital certificates are also becoming more prevalent as an authentication mechanism for
VPNs. A digital certificate (based on the X.509 standard) is an electronic document that
is issued to an individual by a "Certificate Authority" that can vouch for an individual's
identity. It essentially binds the identity of an individual to a public key. A digital
certificate will contain a public key, information specific to the user (name, company,
etc.), information specific to the issuer, a validity period and additional management
information. This information will be used to create a message digest which is encrypted
with the Certificate Authority's private key to "sign" the certificate.

By utilizing the digital signature verification procedure described above, participants in a
conversation can "mutually authenticate" each other. Although this process sounds
simple, it involves a complex system of key generation, certification, revocation and
management, all part of a Public Key Infrastructure (PKI). A PKI is a broad set of
technologies that are utilized to manage public keys, private keys and certificates. The
deployment of a PKI solution should not be taken lightly as there are major issues
involved with scalability and interoperability. (Privacy and Security on Internet: Virtual
Private Networks, 2002)

3.3 WAYS OF SECURING TRANSMISSIONS IN VPN

Security at the endpoints is necessary and cannot be ignored. Antivirus software together
with firewalls and other intrusion detection systems are necessary. VPN security deals
mainly with the transit of information from one end point to the other. In this scenario the
major technique that ensures safety is the VPN encryption technology and the VPN
protocols that are used. A new technology that is gaining popularity is SSL VPN, which is
an altogether different type of VPN. It cannot be compared with other IP VPN protocols.
(Privacy issues in virtual private networks, 2004.)

3.3.1 ENCRYPTION
Encryption of data and secure authentication are ways of providing security. Kerberos,
S/Key and DESlogin are some methods used in authentication. In encryption the various
methods used are:

• RSA (Rivest, Shamir, Adleman), which is a popular method in public key encryption and
digital signatures.

• DES (Data Encryption Standard) is an official standard and forms the basis for ATMs'
(Automatic Teller Machines) PIN authentication.

• Blowfish is a symmetric block cipher and is gaining popularity as a strong encryption
algorithm.

• IDEA (International Data Encryption Algorithm) is being implemented in hardware
chipsets, making the algorithm even faster than the others.

• SEAL (Software-optimized Encryption Algorithm) is a stream cipher (encryption is
in continuous streams rather than blocks of data) and so is faster.

• RC4 is useful when a new key is chosen for each message. (Tackling security
vulnerabilities in VPN-based wireless deployments, 2004.)

3.4 TUNNELING
This is the process of placing an entire packet within another packet and sending it over
the network; this is done to avoid protocol restrictions. One type of packet is encapsulated
within the datagram (a packet in TCP/IP or UDP containing source and destination
addresses) of a different protocol.

Figure 2: A Tunnel
The protocol of the outer packet is understood by the network and by both points, called
tunnel interfaces, where the packet enters and leaves the network. Since multiple
protocols are pushed through a given network, it is said to tunnel. Multiple protocols that
support encryption and authentication make up a Virtual Network. Basically, tunneling is
used to transport a network protocol through a network it normally does not support.
Tunneling requires three protocols, namely:
• Carrier Protocol – the protocol used by the network that the information is
traveling over
• Encapsulation Protocol – the protocol wrapped around the original data (GRE, IPSec,
SSL, L2F, PPTP, L2TP, SOCKS)
• Passenger Protocol – the original data (IPX, NetBEUI, IP) being carried.
The above protocols work at different layers of the OSI model. In the OSI model, data
communication starts at the top layer on the sender's side, travels down to the bottom
layer, then crosses the network connection to the bottom layer on the receiver's side and
then goes back up. The upper layers represent software that implements network services
such as encryption and connection management. The lower layers implement more
primitive, hardware-related functions such as routing, addressing, and flow control.

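
The carrier / encapsulation / passenger stack described above, worked through as an added example (not code from this thesis): an IP packet from a private site is the passenger, a minimal GRE header (RFC 2784: 16 bits of flags and version followed by the 16-bit EtherType of the payload) is the encapsulation, and an outer IP packet between the two tunnel interfaces is the carrier. The exit side strips both outer layers again and refuses a carrier packet whose header checksum or GRE fields are wrong. All addresses and the payload are constructed values.

```python
"""IP-in-GRE-in-IP tunnel encapsulation and decapsulation (added example)."""
import ipaddress
import struct

GRE_PROTO_NUMBER = 47          # IP protocol number meaning "GRE payload follows"
ETHERTYPE_IPV4 = 0x0800        # GRE protocol type for an IPv4 passenger
GRE_HEADER = struct.pack(">HH", 0x0000, ETHERTYPE_IPV4)   # no flags, version 0
IPV4_FMT = ">BBHHHBBHII"       # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; 0 when run over a valid header."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: version 4, IHL 5, DF set, checksum filled in."""
    fields = [0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
              int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 packet into header fields and payload, verifying the checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    _vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, header[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: wrap the passenger in GRE, then in the carrier IP packet."""
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO_NUMBER, GRE_HEADER + passenger)


def decapsulate(carrier: bytes) -> bytes:
    """Tunnel exit: peel off the carrier IP and GRE headers, return the passenger."""
    outer = parse_ipv4(carrier)
    if outer["proto"] != GRE_PROTO_NUMBER:
        raise ValueError("carrier packet does not carry GRE")
    flags_ver, ptype = struct.unpack(">HH", outer["payload"][:4])
    if flags_ver & 0x0007:               # low 3 bits are the GRE version; must be 0
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("passenger is not IPv4")
    return outer["payload"][4:]


def tunnel_roundtrip() -> dict:
    """Send a constructed private-network packet through the tunnel and back out."""
    inner = build_ipv4("10.0.1.5", "10.0.2.9", 17, b"hello from site A")   # 17 = UDP
    on_the_wire = encapsulate(inner, "198.51.100.1", "203.0.113.7")
    outer = parse_ipv4(on_the_wire)
    recovered = decapsulate(on_the_wire)
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "outer_proto": outer["proto"], "passenger_intact": recovered == inner,
            "inner": parse_ipv4(recovered)}


if __name__ == "__main__":
    for key, value in tunnel_roundtrip().items():
        print(f"{key:17} {value}")
```

On the wire the network only ever sees the carrier header (public tunnel addresses, protocol 47); the private 10.x addresses travel inside as payload.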
3.4.1 BASIC FUNCTIONS OF A TUNNEL
1. It creates and maintains a virtual link.
2. It encrypts and decrypts data to reduce snooping by others.
3. It guarantees the authenticity of the sender and receiver.

3.4.2 TYPES OF TUNNEL

There are basically two types of tunnels;

3.4.2.1 VOLUNTARY TUNNEL

In voluntary tunnels a client or user issues the VPN a request to configure and create a
tunnel. In this case the user's computer is the end point and acts as a VPN client.
Voluntary tunnels require an IP connection, either a LAN or a dial-up connection. In the
LAN case there is already a network that routes the encapsulated payloads (packets) to
the tunnel server. For a dial-up connection the computer must be connected to the internet
to establish a voluntary tunnel. The initial establishing of IP connectivity is not part of the
VPN, and the client needs VPN tunnel client software to create a voluntary tunnel.

3.4.2.2 COMPULSORY TUNNEL

A VPN remote access server configures and creates a tunnel where the user's computer is
not the end point. The end points are therefore the VPN remote access server and the
VPN tunneling (LAN) server. The server (NAS, Network Access Server) creating and
providing the tunnel for the client is known as the FEP (Front End Processor) for PPTP
(Point to Point Tunneling Protocol) and the LAC (L2TP Access Concentrator) for L2TP
(Layer 2 Tunneling Protocol). The Front End Processor must have the appropriate VPN
tunneling software protocol and should be capable of establishing the tunnel when the
client requires it. The client is compulsorily availing itself of the service of the FEP, hence
the name compulsory tunneling. Separate tunnels are created for multiple voluntary dial-up
clients, whereas a single compulsory tunnel can be used by multiple clients. The tunnel
exists as long as there is some client using it. (Research on tunneling techniques in virtual
private networks, 2000.)

3.4.3 TUNNELING PROTOCOLS

The Internet uses PPP (Point-to-Point Protocol) for remote access. VPN technology has
incorporated additional functionality into PPP, creating different protocols like PPTP
(Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and IPSec (IP
Security protocol). The diversity of VPN protocols caters to different requirements.
Some protocols cater to remote access VPN connections from mobile users or branch
offices that use a local ISP. Other protocols cater to 'LAN-to-LAN' communication:
PPTP, L2TP and L2F have been developed for dial-up VPNs, whereas IPSec caters to
'LAN-to-LAN' solutions. Below are the different protocols and their distinct
characteristics:

3.4.3.1 Generic Routing Encapsulation (GRE) is usually the encapsulating protocol
that provides the framework in a LAN-to-LAN VPN. It specifies how to package the
passenger protocol for transport over the carrier protocol (typically IP-based). This
includes information on what type of packet is encapsulated and about the connection
between the client and server. Instead of GRE, IPSec (in tunnel mode) is sometimes used
as the encapsulating protocol.

3.4.3.2 PPTP - Point-to-Point Tunneling Protocol

PPTP is one of the first VPN protocols built on PPP to provide remote access for VPN
solutions. PPTP encapsulates PPP packets using GRE (Generic Routing Encapsulation).
This has been modified to give PPTP the flexibility of handling protocols other than IP,
like IPX (Internetwork Packet Exchange) and NetBEUI (Network Basic Input/Output
System Extended User Interface). PPTP uses the authentication mechanisms within PPP,
i.e. PAP (Password Authentication Protocol). Various other authentication and security
mechanisms have been developed by Microsoft and are utilized in its operating system
software.

3.4.3.3 L2F - Layer Two Forwarding Protocol

This was designed to tunnel data from corporate sites to their respective users. A protocol
primarily implemented in Cisco products, it differs from PPTP in that it does not depend
on IP; it can work on alternate media like Frame Relay or ATM (Asynchronous Transfer
Mode). L2F accepts other authentication mechanisms and allows tunnels to support more
than one connection. L2F uses PPP for authentication of the remote user. The
authentication is done twice, once at the ISP and a second time at the gateway to the
connecting LAN. It is also a Layer-2 protocol and handles IPX and NetBEUI as well.

3.4.3.4 L2TP - Layer Two Tunneling Protocol

The best features of PPTP and L2F were combined to form L2TP. It exists in the
second layer (data link) of the OSI (Open Systems Interconnection) model, hence its
name. Approved by the IETF, L2TP transport is defined for packet media, Frame Relay,
ATM and X.25 (a standard for packet switching networks defining layers 1, 2 and 3 of the
OSI model). It has its own tunneling protocol and uses PPP's PAP and other advanced
mechanisms for authentication. It fully supports IPSec, hence its encryption method is
based on that of IPSec. L2TP carries PPP through networks that are not point-to-point and
simulates a point-to-point connection by encapsulating PPP datagrams for transportation
through routed networks or internetworks. Upon arrival at their intended destination, the
encapsulation is removed and the PPP datagrams are restored to their original formats.

3.4.3.5 The Network Security Protocol (SOCKS)

SOCKS functions at the session layer (layer five) of the OSI model, unlike all of the other
VPN protocols, which work at layer two or three. Such an implementation has both
advantages and disadvantages when compared with other protocol choices. Operating at
this higher level, SOCKS allows administrators to limit VPN traffic to certain applications.
To use SOCKS, however, administrators must configure SOCKS proxy servers within the
client environments as well as SOCKS software on the clients themselves.

3.4.3.6 Internet Protocol Security (IPSec)


IPSec is a complete VPN protocol solution. Operating in the third layer of the OSI model, it
uses IKE (Internet Key Exchange) to exchange and manage the cryptographic keys used in
a data encryption session. IPSec uses a number of encryption technologies to provide
confidentiality and data integrity. It should be noted that only IPSec-compliant systems
can make use of this protocol. Also, all devices must use a common key and the firewall
of each network must have different policies. IPSec extends standard IP for the purpose
of supporting more secure Internet-based services. It specifically protects against “man in
the middle” attacks by hiding IP addresses that would otherwise appear. IPSec allows
the sender to authenticate, encrypt, or authenticate and encrypt each IP packet. For this it
uses two modes, either of which can be chosen depending on the security and traffic
situation:

a. Transport mode authenticates and encrypts only the transport segment (payload) of an IP
packet.

b. Tunnel mode authenticates and encrypts the whole IP packet, i.e. header and payload.

IPSec's strong security measures are designed mainly for IP packets and cannot handle
multi-protocol non-IP network environments like NetBEUI or IPX. It must be noted that
IPSec must be supported at both tunnel interfaces.
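
To make the difference between the two modes concrete, here is an added Python model (not from the thesis, and not the real ESP wire format or cipher suites) of what a router on the intermediate network can read in transport versus tunnel mode; it also illustrates the later point in 3.8 that intermediate machines can read only the outer addresses. The keys, addresses, sample payload and the HMAC-based toy keystream are constructed for illustration only.

```python
import hmac
import hashlib
import struct

# Constructed sample keys; a real IPSec security association gets these from IKE.
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 32
ESP_PROTO = 50      # IANA protocol number for ESP
TCP_PROTO = 6


def build_ip_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4-like header: 4-byte src, 4-byte dst, 1-byte protocol, 2-byte length."""
    def ip(a): return bytes(int(x) for x in a.split("."))
    return ip(src) + ip(dst) + struct.pack("!BH", proto, len(payload)) + payload


def parse_ip_header(pkt: bytes):
    """What any router on the path can read without keys: addresses, protocol, payload bytes."""
    src = ".".join(str(b) for b in pkt[0:4])
    dst = ".".join(str(b) for b in pkt[4:8])
    proto, length = struct.unpack("!BH", pkt[8:11])
    return src, dst, proto, pkt[11:11 + length]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy confidentiality: XOR with HMAC-SHA256(key, nonce||counter) blocks.
    Illustrative stand-in for the ESP cipher, used only because it needs no third-party library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def esp_protect(inner: bytes, seq: int) -> bytes:
    """Toy ESP record: sequence-derived nonce, ciphertext, then an HMAC tag over both
    (encrypt-then-MAC, so the receiver rejects tampering before decrypting anything)."""
    nonce = struct.pack("!Q", seq)
    body = nonce + keystream_xor(ENC_KEY, nonce, inner)
    return body + hmac.new(AUTH_KEY, body, hashlib.sha256).digest()


def esp_unprotect(esp: bytes) -> bytes:
    body, tag = esp[:-32], esp[-32:]
    if not hmac.compare_digest(tag, hmac.new(AUTH_KEY, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return keystream_xor(ENC_KEY, body[:8], body[8:])


def transport_mode(src: str, dst: str, segment: bytes, seq: int = 1) -> bytes:
    """Transport mode: the hosts' own IP header stays in the clear; only the transport segment is protected."""
    return build_ip_packet(src, dst, ESP_PROTO, esp_protect(segment, seq))


def tunnel_mode(gw_src: str, gw_dst: str, inner_packet: bytes, seq: int = 1) -> bytes:
    """Tunnel mode: the whole original packet (header and payload) is protected under a new gateway header."""
    return build_ip_packet(gw_src, gw_dst, ESP_PROTO, esp_protect(inner_packet, seq))


def what_router_sees(pkt: bytes):
    """Addresses and protocol visible on the intermediate network (no keys involved)."""
    src, dst, proto, _ = parse_ip_header(pkt)
    return src, dst, proto


def receiver_unwrap(pkt: bytes, tunnel: bool):
    """The keyed endpoint recovers (src, dst, proto, payload) of the original traffic.
    The toy transport mode assumes the protected segment is TCP (real ESP carries a next-header field)."""
    src, dst, proto, esp = parse_ip_header(pkt)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    inner = esp_unprotect(esp)
    if tunnel:
        return parse_ip_header(inner)        # the original header travelled inside the tunnel
    return src, dst, TCP_PROTO, inner        # addresses come from the outer header


if __name__ == "__main__":
    segment = b"GET /payroll HTTP/1.0\r\n\r\n"                  # constructed sample payload
    host_pkt = build_ip_packet("10.1.1.5", "10.2.2.9", TCP_PROTO, segment)
    t = transport_mode("10.1.1.5", "10.2.2.9", segment)
    u = tunnel_mode("203.0.113.1", "198.51.100.1", host_pkt)      # gateways' public addresses
    print("transport mode, router sees:", what_router_sees(t))   # inner hosts exposed
    print("tunnel mode, router sees:   ", what_router_sees(u))   # only the gateways exposed
    print("tunnel mode, unwrapped:     ", receiver_unwrap(u, tunnel=True)[:3])
```
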

3.4.3.7 Secure Sockets Layer (SSL)

SSL is an application layer protocol used most often to secure web-based communications
over the Internet. SSL uses encryption and authentication much like IPSec. Originally the
SSL protocol encrypted the traffic between two applications that wished to speak to each
other but did not encrypt all the traffic from one host to another. However, with the
progress in technology, SSL VPNs can now be used to encrypt all traffic between a client
and a server, similar to IPSec client encryption, except that with SSL VPNs there is no
requirement for a “fat client”. Any client-side software that may be needed to support
network layer encryption is downloaded on the fly using ActiveX technology or Java after
the user has been successfully authenticated and authorized. This makes it a “touchless”
technology allowing for centralized management and control, since the lightweight clients
are intelligent and are driven by the centralized access control gateway. This also extends
the client support beyond those applications that are “SSL aware”, such as Web browsers
like Internet Explorer and Netscape or email applications such as Outlook and Eudora, to
any IP-based application, including TCP, UDP, ICMP etc. This enables a wide range of
applications, from web browsing to video conferencing, over this ubiquitous tunneling
mechanism. (IP Virtual Private Networks, 2000)

3.5.0 FIREWALLS
A firewall is a security mechanism on a computer that prevents unauthorized access from a
network to any application or service on the computer; it also protects networks from
backdoor attacks by hackers on the organization’s network. Hackers can access
information off a remote computer to find their way into the corporate network via the
VPN. A network firewall allows and blocks traffic into and out of a computer or the
network. A firewall protects the network against Internet-based theft, destruction, or
modification of data by examining all data traffic from the Internet or Wide Area
Network to the Local Area Network. This can be done by software on the same machine,
in the router or, in the case of large networks, on a standalone machine. More complicated
systems could be a number of routers or a number of systems that block unwanted access
to a private network. The International Computer Security Association (ICSA) classifies
firewalls into three categories:
1) Packet filter firewalls. Typically implemented on DSL routers, they examine data passing
to and from a network, using rules to block access according to the addressing information
located in each packet. While many router vendors promote their router's packet filtering
capabilities as a firewall, in reality packet filter firewalls are vulnerable to a number of
hacker attacks, not to mention difficult to set up and maintain.
2) Proxy servers or session-level firewalls. These firewalls go beyond basic packet filtering by
also examining the data within IP packets to verify their authenticity. A proxy server accepts
or rejects data traffic based on the entire set of IP packets associated with an entire
application session to the same IP address. This upper-level examination, however, causes
significant performance degradation on your Internet connection. Also, proxy servers are
more difficult to set up and maintain. Each client on your network must also have client
software installed, and one computer on your network with two network adapters must act as
the proxy server. Proxy servers come in the form of either stand-alone boxes or software
products.
3) Stateful Packet Inspection. Because of their shortcomings, both packet filters and proxy
servers have fallen from favor with many network security experts, being replaced by stateful
packet inspection as the most trusted firewall technology. Stateful packet inspection is a
sophisticated firewall technology found in large enterprise firewalls. It is based on advanced
packet-filtering technology that is transparent to users on the LAN, requires no client
configuration, and secures the widest array of IP protocols. Instead of just checking addresses
in incoming packet headers, the stateful packet inspection firewall intercepts packets until it
has enough to make a determination as to the secure state of the attempted connection.
Stateful packet inspection is also well suited to protect networks against the growing threat of
Denial of Service attacks.

4) Network Address Translation allows only one IP address to be shown to the outside
world. Implemented in a router, firewall or PC, it maps the private addresses of
machines to one or more public addresses on the internet. Reverse connections are
made for packets that come from the internet to private machines. Public IP addresses
are conserved, and private IP addresses remain a secret, thus preventing some of
the first-level attacks that can occur on the net. (Internet Security, The Next
Generation, When Software Encryption is not enough, Web Techniques, 2003)
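
The contrast between a packet filter and stateful packet inspection, and the way state tracking blunts the flood of unanswerable connection requests described under Denial of Service in 3.5.1, can be shown in a few dozen lines. This is an added Python model, not from the thesis: the packets are constructed tuples rather than captured traffic, the LAN prefix and half-open limit are assumed values, and only TCP is modelled.

```python
from collections import defaultdict
from dataclasses import dataclass

LAN_NET = "10.0.0."            # constructed private network prefix
HALF_OPEN_LIMIT = 3            # assumed per-host cap on half-open (SYN sent, no SYN-ACK) connections


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                 # subset of "SAFR": SYN, ACK, FIN, RST


def is_lan(addr: str) -> bool:
    return addr.startswith(LAN_NET)


def stateless_filter(p: Packet) -> str:
    """Classic packet filter: to let replies back in it allows any inbound packet to a high port,
    so it cannot tell a genuine reply from an unsolicited probe aimed at port 1024 or above."""
    if is_lan(p.src):
        return "ACCEPT"
    return "ACCEPT" if p.dport >= 1024 else "DROP"


class StatefulFirewall:
    """Admits inbound packets only when they belong to a connection the LAN opened."""

    def __init__(self):
        self.table = {}                         # normalized 4-tuple -> connection state
        self.half_open = defaultdict(int)       # LAN host -> number of unanswered SYNs

    @staticmethod
    def key(p: Packet):
        # Both directions of one connection share a single table entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, p: Packet) -> str:
        k = self.key(p)
        state = self.table.get(k)
        if state is None:
            # Only the LAN may open connections: an outbound SYN creates state.
            if is_lan(p.src) and p.flags == "S" and not is_lan(p.dst):
                if self.half_open[p.src] >= HALF_OPEN_LIMIT:
                    return "DROP"             # this host already has too many unanswered SYNs
                self.table[k] = "SYN_SENT"
                self.half_open[p.src] += 1
                return "ACCEPT"
            return "DROP"                     # unsolicited packet, whichever direction
        if state == "SYN_SENT":
            if "S" in p.flags and "A" in p.flags and not is_lan(p.src):
                self.table[k] = "ESTABLISHED"  # the handshake was answered
                self.half_open[p.dst] -= 1
                return "ACCEPT"
            if is_lan(p.src) and p.flags == "S":
                return "ACCEPT"               # retransmitted SYN from the opener
            if "R" in p.flags:
                self._close(k, p)
                return "ACCEPT"
            return "DROP"                     # anything else is out of sequence
        # ESTABLISHED: traffic flows both ways; FIN or RST tears the state down.
        if "F" in p.flags or "R" in p.flags:
            self._close(k, p)
        return "ACCEPT"

    def _close(self, k, p: Packet):
        if self.table.get(k) == "SYN_SENT":
            host = p.src if is_lan(p.src) else p.dst
            self.half_open[host] -= 1
        self.table.pop(k, None)


def run(fw: StatefulFirewall, packets):
    """Verdict per packet, in order."""
    return [fw.process(p) for p in packets]
```
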

3.5.1 WHAT DOES A FIREWALL PROTECT?

Hackers have used ingenuity to abuse unprotected computers. Firewalls block these
unscrupulous elements from achieving their ends. These elements try many methods, and
security is designed to prevent these methods. These methods include:

I. Remote Login is where a person is able to connect to your computer and control it in
some way. The control may be accessing files on your computer or even running
programs on your computer.

II. Application Backdoor is using a feature of remote access granted by some application
programs. (This is because some programs allow some level of control or it is some
bug or hidden access that you are unaware of).

III. SMTP session hijacking is one of the methods used by spammers. They redirect junk
e-mail through the SMTP server of an unsuspecting host (gaining unauthorized access
to a list of email addresses). This makes it difficult to find the actual sender of the
spam.

IV. Operating systems sometimes provide insufficient security controls or have bugs that
experienced hackers use to gain remote access to a computer or network.

V. Denial of Service is an attempt to slow the web server down and eventually make it
crash. The hacker achieves this by sending the server a request to connect to it. The
server responds with an acknowledgement and starts to establish the connection by
creating a session. The session requires connecting to the computer system that made
the request but the system that made the request is not found by the session. This is
because the path the information takes is redirected to a different router using ICMP-
(Internet Control Message Protocol). The hacker inundates the server with these
unanswerable session requests causing it to slow down and eventually crash causing a
denial of service to the many legitimate users who are attempting to connect to the
web server.

VI. E-mail bombs are more personal than denial of service. Hundreds or thousands of copies of
the same mail are sent to you so that your inbox cannot accept any more messages, thus
preventing others from sending you mail.

VII. Macros are simple procedures that are run within an application program. The script
of the procedure is called a macro. Hackers write scripts in an application program to
destroy data or prevent the application from working properly.

VIII. Computer Viruses are the most well known threat to computers. They are of different
types, from harmless messages to very harmful programs that copy themselves onto
computers and spread to other computers. These can even erase all your data.

IX. Spam is the electronic equivalent of junk mail. These often contain links to websites.
Sometimes if you click on these mails you may accept a cookie that provides a
backdoor entry to your computer.

X. Source Routing is done by a router arbitrarily specifying the route a packet takes over
a network. Private networks look at the source IP address of a packet before routing
it to the desired destination within the network. Hackers use this IP address to make
information appear as though it has come from a trusted source.
(Tackling security vulnerabilities in VPN-based wireless deployments, 2004)

3.5.2 FIREWALL ARCHITECTURES AND CONFIGURATIONS

An appropriate firewall strategy is necessary for VPN technology. Firewalls provide
effective security, and VPNs provide secure access past the firewall through the internet.
There is risk associated with user authentication and eavesdropping on sensitive data.
Adding a firewall to the VPN configuration only increases the security and is a more secure
form of internet communication. There are various types of architecture:

• A firewall is between the VPN server and the Internet.

• The VPN server is connected to the Internet and the firewall is between the VPN
server and the intranet.

3.5.2.1 VPN server behind a firewall

A firewall is between the VPN server and the internet in this configuration. In the
intranet, the VPN server is another resource connected to the perimeter network (screened
subnet or DMZ, De-Militarized Zone). The perimeter network is usually an IP network
segment that connects to the Web servers and FTP servers. In addition, PPTP/L2TP/IPSec
packet filters on the perimeter interface (as described for the VPN server in front of the
firewall) are needed. The filtration process is two-fold:

• Filters between the intranet computers and the VPN server

• Filters between the internet and the VPN server

3.5.2.2 VPN Server in Front of a Firewall

The VPN server is connected directly to the internet. The firewall exists between the
intranet and the VPN server. Inbound traffic is decrypted and then forwarded to the
firewall for filtering. Here firewall filtering is used to restrict VPN users from accessing
specific intranet resources, and non-VPN users can be prevented from accessing these
resources. The inbound and outbound packet filters need to be configured to allow only
VPN traffic to and from the IP address of the VPN server's internet interface. You can
also place an additional firewall between the VPN server and the internet.
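
The "only VPN traffic to and from the VPN server's internet interface" rule above is easy to state and easy to get wrong, because each VPN protocol is more than one port. Here is an added Python filter (not from the thesis) that spells out the PPTP, L2TP and IPSec matches and applies them in both directions; the server address is a constructed placeholder, and the protocol numbers and ports are the standard IANA assignments.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

VPN_PUBLIC_IP = "203.0.113.10"     # constructed placeholder for the server's internet interface
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51

# (IP protocol number, server-side port or None) pairs that make up each VPN protocol.
VPN_MATCHES = {
    "PPTP":         {(PROTO_TCP, 1723), (PROTO_GRE, None)},        # control channel + GRE-carried PPP
    "L2TP/IPSec":   {(PROTO_UDP, 500), (PROTO_UDP, 4500),          # IKE and IKE NAT-traversal
                     (PROTO_ESP, None), (PROTO_AH, None)},          # the protected payload itself
    "L2TP (plain)": {(PROTO_UDP, 1701)},                            # only if L2TP runs without IPSec
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None      # None for protocols without ports (GRE, ESP, AH)
    dport: Optional[int] = None


def vpn_interface_filter(p: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched VPN protocol) for a packet seen on the internet interface.
    Inbound packets are matched on their destination port, outbound ones on their source port,
    so the same table serves both filter directions."""
    if p.dst == VPN_PUBLIC_IP:
        server_port = p.dport            # inbound: the server-side port is the destination
    elif p.src == VPN_PUBLIC_IP:
        server_port = p.sport            # outbound: the server-side port is the source
    else:
        return ("DROP", None)            # not addressed to or from the VPN server at all
    port = server_port if p.proto in (PROTO_TCP, PROTO_UDP) else None
    for name, matches in VPN_MATCHES.items():
        if (p.proto, port) in matches:
            return ("ACCEPT", name)
    return ("DROP", None)                # e.g. SSH, SMB or HTTP aimed at the VPN server itself
```
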

3.6 AAA Server

AAA (authentication, authorization and accounting) servers are used
for more secure access in a remote-access VPN environment. When a request to establish
a session comes in from a dial-up client, the request is proxied to the AAA server. AAA
then checks the following:

• Who you are (authentication)

• What you are allowed to do (authorization)

• What you actually do (accounting)

The accounting information is especially useful for tracking client use for security auditing,
billing or reporting purposes. (Privacy and Security on Internet: Virtual Private Networks,
2002)

3.7 SECURITY PLATFORMS


There are two main types of security and remote access options available today: software
and hardware.
Hardware-based security and VPN solutions, typically embodied in security
appliances, protect the entire network and offload all the security and VPN processing from
computers. Because security appliances protect the network at the Internet gateway, they
provide a platform for seamless local or remote management of all security and remote
access services. A security appliance is a solid-state platform with a powerful onboard
processor to handle the demands of security and VPN processing. This architecture
allows the integration of multiple security features (firewall, VPN, anti-virus, and other
services) without sacrificing performance. Security appliances are also designed for easy
management and security upgrades. Software-based security and VPN gateways running on
a computer or server have inherent problems:

1. A general-purpose computer is not the most reliable device for the processing
demands of security. Security and VPN applications are data intensive, and
placing these processing demands on a computer or processor can slow down the
network.

2. A general-purpose computer’s operating system isn’t designed with bulletproof
security in mind. Configuring computer-based security and VPN gateways requires
that you harden the operating system. This means ensuring the operating system
always has the latest security patches to fix new security flaws.

3. The complexity of current software configurations has been problematic,
particularly for ease of use and management.

3.8 Overview of VPN security

I. The Users System


A VPN client is a secure path of communication between the client and the server.
Applications that need to communicate use the computer's resources and do not
supplement them at all.
Antivirus, file sharing and network security are dependent on the operating system
software and the application software. Any intrusion or virus that has got past the
existing security system may cause the damage that it was intended to cause.

II. The Intermediate Network

VPN security is most beneficial in this segment. All communication from VPN client to VPN
server is encrypted and encapsulated, and the intermediate machines that route the packets
can only read the source and destination IP addresses.
III. The Destination Network
Encrypted Data that reaches the server is decrypted and sent to the required destination
within the network. The protection of data by the VPN connection ends here and any
further protection of the data is the responsibility of the server and the LAN security
systems.

IV. The Server


The end-point-to-end-point communication is not completely secure if, at the
destination end, the application does not itself receive the decrypted data. This happens when
the VPN server is not the same machine as the application server, so the data has to be
sent to the application through the LAN, which may not be secure. VPN split-tunnel
security becomes important if the server handles both intranet and internet traffic.

3.9 Security Breaches and Considerations in VPN


Due to the fact that Virtual Private Networks make use of the public internet to transfer
information it is necessary to consider security and the way it can be breached when
setting up a VPN. The following are issues to be considered when thinking of security in
VPN.

i.) User Authentication: There are various ways of verifying and ensuring
user authentication; they are through the use of user IDs and passwords,
digital certificates and Public Key Infrastructure (PKI). It must be noted
that if user authentication is weak then encryption is ineffective, because
malicious encrypted traffic does the same damage as malicious
unencrypted traffic.
ii.) Encryption of Data Packets: Encryption is the conversion of data packets
into a form that cannot be read without decrypting or deciphering it. VPNs
make use of various cryptographic algorithms. This ensures that only the
intended recipient is able to read the message.
iii.) Client Security: This involves security on the part of the end user or client,
which could be a member of staff working in the office or a remote user
connected to the network.
3.9.1 SOLUTIONS
Using user IDs and passwords to gain access to critical resources of a VPN is ineffective.
Stronger mechanisms should be used, such as digital certificates and two-factor
authentication. Digital certificates are almost impossible to forge, thus they are safer and
better to use to establish a user’s identity compared to using passwords. Also, using two-
factor authentication schemes, access is granted based on what you have and what you
know. A popular two-factor authentication device is the key-fob-based one-time password
generator: the key fob generates a password every few seconds and the password is valid
for those few seconds. The user needs a PIN (something he knows) and a current
password from the key fob (something he has) to authenticate.
The cryptographic merits of the encryption protocols employed by the VPN solution should
be evaluated before implementation. From a security perspective, IPSec and SSL based
VPNs are more secure and more resistant to hacks than PPTP and L2F.
A remote user connecting from home is extending the boundary of the company network
to his home, therefore remote users’ machines need to be protected from attacks by
installing firewalls and antivirus software. (Design, implementation and performance
evaluation of IP-VPN, 2003)
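
The key-fob scheme described above (a code that changes every few seconds, combined with a PIN) is what RFC 6238 time-based one-time passwords standardize. The following is an added Python implementation, not from the thesis: it generates and verifies TOTP codes, accepts one time step of clock drift, rejects a replayed code, and evaluates the PIN and the code together. The fob secret is the RFC 6238 test-vector secret and the PIN is a constructed sample value; a real deployment provisions a per-device secret and stores the PIN hashed with a proper password hash.

```python
import hmac
import hashlib
import struct
import time

STEP_SECONDS = 30        # the "few seconds" a fob code stays valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, at // step, digits)


def hash_pin(pin: str) -> bytes:
    """Stand-in for a stored PIN hash (illustrative; use a slow password hash in production)."""
    return hashlib.sha256(pin.encode()).digest()


def verify_two_factor(secret: bytes, pin_hash: bytes, submitted_pin: str,
                      submitted_code: str, now: int, used=None, window: int = 1) -> bool:
    """Accept only if the PIN (something you know) and a current fob code (something you have)
    both check out. `window` steps either side tolerate drift between the fob and server clocks;
    `used`, if given, is a set of time steps already consumed, so a captured code cannot be replayed."""
    pin_ok = hmac.compare_digest(pin_hash, hash_pin(submitted_pin))
    matched_step = None
    for drift in range(-window, window + 1):
        step = now // STEP_SECONDS + drift
        # constant-time comparison per candidate; keep looping so timing does not reveal a match
        if hmac.compare_digest(hotp(secret, step), submitted_code):
            matched_step = step
    if not pin_ok or matched_step is None:
        return False                       # both factors are evaluated before any decision
    if used is not None:
        if matched_step in used:
            return False                   # one-time: this step's code was already accepted
        used.add(matched_step)
    return True


if __name__ == "__main__":
    fob_secret = b"12345678901234567890"         # RFC 6238 test-vector secret, not a real fob
    pin_hash = hash_pin("2468")                   # constructed sample PIN
    used = set()
    now = int(time.time())
    code = totp(fob_secret, now)
    print("fob shows", code, "for this 30-second step")
    print("PIN + code:            ", verify_two_factor(fob_secret, pin_hash, "2468", code, now, used))
    print("same code again:       ", verify_two_factor(fob_secret, pin_hash, "2468", code, now, used))
    print("code with wrong PIN:   ", verify_two_factor(fob_secret, pin_hash, "0000", code, now))
    print("code two minutes later:", verify_two_factor(fob_secret, pin_hash, "2468", code, now + 120))
```
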
3.10 VPN SET-UP AND CONFIGURATIONS
3.10.1 SETTING UP A VPN
VPN setup depends upon a number of factors, like what systems are involved in the end-
to-end connection, servers or clients. Big corporations have a number of servers to
improve performance in the various tasks that are carried out. Implementation of a VPN for
them will depend on the amount of work and the administrator's solution offered to them.
For clients it is advisable to buy software that the server is compatible with and set up the
VPN service. Some operating systems already give you the ability for VPN and all you
need to know is how to set up the VPN. Microsoft is a market leader and has a monopoly over
the market. It has incorporated VPN requirements into its operating systems or has
provided service packs that could help you optimize your PC for VPN.
3.10.2 REQUIREMENTS
In every setup you look at the requirements first and see whether it is possible to
implement it with the available resources. If not, find out what the additional resources
are. For a Windows-based client-server system, the requirements would be a server
(running server software, for example Windows 2003) and a client (running client software,
for example Windows XP). For large corporations that have a secure network you would
require additional servers.

• A server is required to support the infrastructure of your network. It will act as a
domain controller, DNS server, certificate authority and DHCP (Dynamic Host
Configuration Protocol) server. Most networks already have this and the next step
is setting up a certificate authority, which is described in this article.

• A server that separately acts as your VPN server can prevent attacks or disruption
of services within the network. It is best to place a firewall in front of the VPN
server such that only VPN traffic is allowed into this server. The specific
hardware that this server needs is two network interface cards; one to connect to
the internet and the second to connect to the private corporate network.

• A server is needed to authenticate all the remote users attempting to access the
private corporate network. RADIUS (Remote Authentication Dial In User Service)
is one mechanism; IAS (Internet Authentication Service) is another mechanism that
comes with the server operating system. In other cases you could purchase
additional software for authentication purposes, in case it does not come
with the operating system you purchased. Authentication is done by VPN
hardware products as well. These usually come bundled with software that does
the work.

3.11 CONFIGURATION OF COMPONENTS

3.11.1 SERVER CONFIGURATION

This is to configure the VPN server with the RADIUS server, the DHCP server and the remote client.

• Open the server's Network Connections folder. Go to Administrative Tools and select Routing and
Remote Access. Right click the VPN server in the console tree and launch “Routing and Remote
Access” by enabling it, which opens the server wizard. After selecting Remote Access (Dial-up
or VPN), mark the checkbox for VPN. This shows you the connections to the internet via
VPN. Enable the 'Security' checkbox. Select 'automatically' and proceed to set up the server to
work with a RADIUS server by entering the IP address of the RADIUS server and the shared
secret between the VPN server and the RADIUS server.

• Associate the VPN server with the DHCP server by navigating through the console tree to the
option 'IP routing - DHCP Relay Agent'. Right click on the DHCP Relay Agent and select
Properties. Now enter the IP address of the DHCP server and click 'Add'.

• The remote client side is handled by creating a special security group for any user who is
accessing the network over VPN connections. This is done when configuring VPN connections.

3.11.2 VPN CLIENT CONFIGURATION

If you have a Windows XP based client, configure it by opening the Network and Internet
Connections option from the Control Panel.

• Select 'Create a connection to the network at your workplace' and next select the VPN
connection option.

• Give the name of the company or any name that describes your connection.

• Next you will be asked for an external IP address. This IP address is the address of the
connection that is connected to the VPN server.

• Enter this and your VPN connection is ready.

• Test the connection once it is ready by connecting to the server.

• When you dial up, set the type of VPN to PPTP VPN.

• There are variations in the VPN client connection due to the various encryption and
authentication techniques. Only some have been outlined above.
(http://www.vpntools.com, 2008)

3.11.3 PROCEDURES AND SCREENSHOTS

1. Open Network Connections.

2. Under Network Tasks, click Create a new connection, and then click Next.

3. Click Set up an advanced connection, and then click Next.

4. Click Accept incoming connections, click Next, and then follow the instructions
in the New Connection Wizard.

Figure 3: Network Connections Window

Figure 4: Create New Connection Window

Figure 5: Select Connection Type

Figure 6: Advanced Connection Options

Figure 7: Select Connection Device

Figure 8: Allow Incoming Connections

CHAPTER FOUR

4.0 SYSTEM MODELLING

4.1 COMPONENTS OF THE NETWORK


I. Routers: A router is an intermediary device that connects a LAN to a larger LAN
or to a WAN by interpreting protocol information and selectively forwarding
packets to different LAN or WAN connections through the most efficient route
available. The routers in this model are able to act as a security gateway providing
encryption, authentication and tunneling on transmitted data packets; this is to
ensure that no unauthorized user has access to the company network. Normally
routers don’t come with the above mentioned facilities or functions, but these
functions can be integrated by installing extra software and circuit boards. The
routers used in this model will be dedicated VPN routers with embedded
software. Examples are the Sonicwall SOHO3 Internet security appliance, Sonicwall
TELE3 and Sonicwall PRO100; other router models that could be used include the
CISCO 2600 series WAN router and the CISCO 7500 series WAN router.

Figure 9: Sonicwall Routers


II. Firewalls: A firewall is a device that blocks unauthorized access to an
organization's local area network (LAN). A firewall could be software installed
on an organization’s gateway (server) to the Internet, or it could reside on a
computer between the LAN and the Internet, or it could be a piece of hardware. A
firewall operates on configurations relating to the specific ports and protocols it
should accept packets from. An example of a firewall used in this model is the
CISCO PIX (Private Internet Exchange) firewall, which combines network
address translation, packet filtration, proxy server and VPN capabilities in a
single piece of hardware. It focuses only on IP traffic. The Windows firewall is
also used to secure remote clients.

III. The Internet: The various local networks are connected over the Internet as a public
network to create a cheap means of connecting to each other. Security has to be
enhanced at the transmitting and receiving ends to secure against viruses and
other malicious threats. This is done because the user has no control over the
other users of the Internet; the only way of having guaranteed protection against these
users is through the use of firewalls and other security measures.

4.2 MODELLING SCENARIOS

4.2.1 SCENARIO 1:

The first scenario to be modeled is that of a small office which has 8 computers
connected together with a high-speed, always-on DSL connection. Three people at the firm have
broadband internet access at home, while four have dial-up internet access that they use at
home and on the road. Below is a description of what equipment will be used at which
location.

Office: For an office as small as this we use the Sonicwall TELE3 appliance with IPSec
VPN. It provides firewall security for the network, supports up to 5 users and is able to
create at most five tunnels. This is just right for an office as small as this, but in the event
of expansion the equipment does not enhance scalability, i.e. the addition of more users. To
enable this we use the Sonicwall SOHO3 appliance, which allows between 10 and 50 users
and can generate up to 50 tunnels. This allows for expansion up to ten times the current
maximum size.

Remote Broadband users: For the three broadband users the Sonicwall TELE3 internet
appliance delivers firewall security plus VPN support for up to 5 users, but this is also
limited by the number of mobile workers; expanding this will require installation of the
SOHO3 appliance.
Remote Dial-Up users: The four dial-up users make use of the Sonicwall VPN client
software, which will be installed on their respective computers; the four of them can then
make use of a single tunnel to secure their connections to the company’s network.

Figure 10: Scenario 1 Model (TELE3 Internet Security Appliance)

4.2.2 SCENARIO 2:
The next scenario to be modeled is that of a medium sized organization with two small
remote offices and several broadband and dial-up users.

Figure 11: SCENARIO 2 ARCHITECTURE

The Main Office: The main office includes up to 100 people working on the network
and requires VPN support for 2 remote offices and 50 remote users (30 broadband and 20
dial-up). The company expects the number of broadband VPN users to grow to 50 in the
near future. The Sonicwall PRO 100 internet security software provides access security
support for an unlimited number of users and up to 50 VPN tunnels. The 2 remote
offices will each use a single VPN tunnel for LAN-to-LAN connections, which allows all
the members of the LAN to share one tunnel; each of the 30 broadband users will use one
VPN tunnel each because of compatibility, which brings the total to 32 tunnels. As the
organization grows, there is built-in scalability to support more VPN users.

Figure 12: MAIN OFFICE

Remote Office 1: This small office has 9 users in the office. It needs one VPN
connection to the main office and the other remote office, as well as VPN support for 5
remote users (2 broadband and 3 dial-up). The SonicWALL SOHO3 10 user model will
support this office for Internet access security and the 5 tunnels required for remote user
VPN support.

Figure 13: REMOTE OFFICE 1

Remote Office 2: This mid-size office has 35 users in the office and expects to add more
broadband remote users to the network. It needs one VPN connection to the main office
and the other remote office, as well as VPN support for 20 remote users (10 broadband
and 10 dial-up). The SonicWALL PRO 100 supports an unlimited number of users for
Internet access security and up to 50 VPN tunnels. The number of VPN tunnels required
for this office is 13.

Figure 14: REMOTE OFFICE 2
Remote Broadband Users: For the 42 broadband users, the SonicWALL TELE3
Internet security appliance delivers access security plus VPN support for up to 5 users at
each location.

Remote Dial-Up Users: Each of the 33 dial-up users wanting secure access to the office
network will need the SonicWALL VPN Client.

4.3 PROCEDURES FOR CONFIGURING THE ROUTERS


There are essentially three steps to configuring VPN connections on a SonicWALL
router: first, configuring the SonicWALL firewall; next, creating the VPN user
accounts; and finally, installing and configuring the group client feature of SonicWALL.
Configuring the router: SonicWALL’s GroupVPN service simplifies configuring secure
remote connections.

4.3.1 Procedure for enabling SonicWALL Group VPN
To enable the Group VPN feature, the following processes should be carried out on the
router using the SonicWALL VPN wizard:

• Log in to the SonicWALL device.
• Click on the VPN button.
• Click the VPN Policy Wizard button; the Welcome To The SonicWALL VPN
Wizard screen will appear.
• Click Next.
• Specify whether you wish to create a Site-to-Site VPN (such as you might wish to
do when connecting a SonicWALL wireless router to another SonicWALL
device) or a WAN GroupVPN (to enable incoming VPN connections to the
SonicWALL firewall). In this example we’re creating VPN connections to
enable remote employee access, so we need to select the WAN GroupVPN radio
button and click the Next button. (Figure 14) Administrators must specify whether
a site-to-site or WAN GroupVPN policy is to be created.

Figure 15: ENABLING SONICWALL GROUP VPN

• The IKE Phase 1 Key Method screen appears. Specify whether you wish to use a
default key or use a pre-shared key. Make a note of the pre-shared key if you
select that option, then click Next.
• The Security Settings menu appears. In addition to specifying the encryption and
authentication methods, drop-down boxes appear for specifying the DH (Diffie-
Hellman) key group (SonicWALL devices support groups 1, 2 and 5) and Life
Time. Typically SonicWALL’s default settings work well for most organizations.
After clicking Next, the User Authentication menu appears.
• Administrators must specify whether user authentication should be implemented.
Ensure the Enable User Authentication box is checked and select Trusted Users to
ensure only the trusted users you specify later can connect to the organization’s
network using the SonicWALL VPN. Then, click Next.
• The Configure Virtual IP Adapter menu appears next. The Virtual IP Adapter is
used to obtain special IP addresses when connecting to the SonicWALL device,
enabling the client to appear to be on the internal LAN. Check the box if you wish
to enable the Virtual IP Adapter and click Next.
• The WAN GroupVPN Configuration Summary menu appears. The confirmation
screen reviews the settings that will be implemented upon clicking the Apply
button.
• Click the Apply button to finish enabling the VPN settings.
The SonicWALL device will store the SonicWALL configuration, then display a
congratulatory message stating the SonicWALL VPN Wizard completed successfully.
While the SonicWALL creates the VPN, it doesn’t enable it by default. Log back in to
the SonicWALL device and click the SonicWALL’s VPN button, and then check the
Enable box to activate the VPN. Then enable VPN policies from the VPN | Settings
screen on the SonicWALL device.
You can edit a VPN’s settings and configuration at any time by logging in to the
SonicWALL router, clicking VPN and clicking the Configure icon (the pencil and paper
symbol) associated with each VPN entry

Figure 16: SECURITY SETTINGS
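The IKE Phase 1 Key Method and Security Settings screens above are where the strength of the whole tunnel is decided, so the following added example (written for this page; it is not code from the project or from SonicWALL) encodes those choices as a small policy check. DH_GROUP_BITS lists the modulus size of the Diffie-Hellman groups the text says the device supports (groups 1, 2 and 5, per RFC 2409 and RFC 3526), plus group 14 for comparison with current guidance. The algorithm names, the lifetime limit, the thresholds and the pre-shared-key strength heuristic are assumptions chosen to illustrate the check, not settings read from a SonicWALL; the weak and hardened policies at the bottom are constructed sample inputs.

```python
import math
import secrets
import string

# Modulus size in bits of the IKE Diffie-Hellman MODP groups. Groups 1, 2 and 5
# are the ones the wizard offers (RFC 2409 groups 1-2, RFC 3526 group 5); group
# 14 (RFC 3526) is listed only for comparison with current guidance.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}

# Thresholds used by the check (assumptions for this example, not device limits).
MIN_DH_BITS = 1024            # rejects group 1; group 5 is the best of the three offered
MAX_LIFETIME_SECONDS = 86400  # re-key at least daily
MIN_PSK_BITS = 64             # estimated pre-shared-key strength in bits
DEPRECATED_ENCRYPTION = {"DES", "3DES"}
DEPRECATED_AUTH = {"MD5"}


def estimated_psk_bits(psk: str) -> float:
    """Rough strength estimate for a human-chosen pre-shared key.

    Heuristic: key length times log2 of the size of the character pool the key
    draws from. It overestimates dictionary words, so it is a floor for
    rejecting keys, not proof that a key is strong.
    """
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return len(psk) * math.log2(pool) if pool else 0.0


def generate_psk(nbytes: int = 32) -> str:
    """A random pre-shared key from the OS CSPRNG (256 bits for nbytes=32).

    One GroupVPN pre-shared key is shared by every Global VPN Client, so it
    should be machine-generated, never a word, and rotated if a client
    machine is lost.
    """
    return secrets.token_urlsafe(nbytes)


def check_phase1_policy(policy: dict) -> list:
    """Return a list of findings for an IKE phase-1 policy; an empty list means OK.

    Expected keys: dh_group, encryption, authentication, lifetime_seconds, psk.
    """
    findings = []

    group = policy.get("dh_group")
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        findings.append(f"unknown DH group {group!r}")
    elif bits < MIN_DH_BITS:
        findings.append(
            f"DH group {group} uses a {bits}-bit modulus; choose group 5 "
            f"({DH_GROUP_BITS[5]}-bit), the strongest of the groups offered")

    enc = str(policy.get("encryption", "")).upper()
    if enc in DEPRECATED_ENCRYPTION:
        findings.append(f"{enc} encryption is deprecated; use AES")

    auth = str(policy.get("authentication", "")).upper()
    if auth in DEPRECATED_AUTH:
        findings.append(f"{auth} integrity is deprecated; use SHA-1 or stronger")

    lifetime = policy.get("lifetime_seconds", 0)
    if not isinstance(lifetime, int) or lifetime <= 0:
        findings.append("lifetime must be a positive number of seconds")
    elif lifetime > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime {lifetime}s exceeds {MAX_LIFETIME_SECONDS}s")

    strength = estimated_psk_bits(policy.get("psk", ""))
    if strength < MIN_PSK_BITS:
        findings.append(
            f"pre-shared key strength ~{strength:.0f} bits is below {MIN_PSK_BITS}; "
            "use a long random key (e.g. generate_psk())")

    return findings


# Constructed sample inputs: a weak policy and a hardened one.
WEAK_POLICY = {"dh_group": 1, "encryption": "DES", "authentication": "MD5",
               "lifetime_seconds": 604800, "psk": "password"}
HARDENED_POLICY = {"dh_group": 5, "encryption": "AES-256", "authentication": "SHA1",
                   "lifetime_seconds": 28800, "psk": "Xq7!vL2#pR9$wN4%bT6&"}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = check_phase1_policy(policy)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
    print("fresh PSK:", generate_psk())
```

Run as a script it reports five findings for the weak policy and none for the hardened one. The check deliberately treats group 1 as a failure even though the wizard offers it, and it flags a short pre-shared key before the key is ever typed into the device, which is the point at which it is still cheap to fix.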

4.3.2 Specifying authorized VPN users


The next step is to specify the users authorized to access the VPN. To do so:
• Log in to the SonicWALL device.
• Click the Users button.
• Click the Local Users button.
• Click the Add button.
• Within the Settings tab, enter the user's name, a password and any comments that help
identify the user account (Figure 17).
• From the Groups tab, specify group memberships for the user.
• From the VPN Access tab, specify the networks you wish the user to access (Figure 18).
Grant only the networks the user's role needs, since this list is what limits where a
connected client can reach.

Figure 17: SPECIFYING AUTHORISED USERS

Figure 18: SPECIFYING CLIENT ACCESS


A wide variety of network options exists; make your selections by highlighting entries and
clicking the corresponding arrow buttons.
• Click OK to complete the user configuration.
• Once a user account is created, the entry appears within the SonicWALL's
Users | Local Users screen (Figure 19).

You can edit the user's account at any time by clicking the Configure
icon (the pencil and paper symbol) associated with each user's account within the
SonicWALL's Users | Local Users menu.

Figure 19: CREATING LOCAL USER ACCOUNT


4.3.3 Installing the SonicWALL Global VPN Client
Now you are ready to install the SonicWALL Global VPN Client software on the end user's
system. Follow these steps to configure the end user client:
• Download the SonicWALL Global VPN Client executable from www.mysonicwall.com or
take it from the CD-ROM supplied with the SonicWALL device; obtain it only from the
vendor's site or the supplied media.
• Once you have downloaded the file, double-click it to begin installing the VPN client.
• The Preparing Setup window will appear. When it completes, the Welcome To
The SonicWALL InstallShield Wizard menu will display. Click Next.
• Next you will see a warning message indicating that antivirus and firewall programs must
be disabled to install the SonicWALL Global VPN Client. Disable such programs only for
the duration of the installation, on a machine that is not connected to an untrusted
network, and re-enable them as soon as setup finishes. Then click Next.
• Read the license agreement, then select the I Accept The Terms Of The License
Agreement radio button and click Next.

• Specify the location of the SonicWALL Global VPN Client. By default, SonicWALL's
InstallShield will place the files in the C:\Program Files\SonicWALL Global VPN Client
directory. Click Next to proceed (or click the Browse button, specify the directory you
wish to use, and then click Next).
• Click Install to install the SonicWALL Global VPN Client in the directory you specified
in the last step. The Setup program will install the VPN client, tracking its progress as it
completes. When it finishes, it will display the SonicWALL Global VPN Client Setup
Complete screen, which includes two checkboxes (Figure 20): one to start the VPN client
automatically when users log in, and one to launch the program immediately upon
completing the wizard. Check the boxes you want, then click Finish.

Figure 20: INSTALLING GLOBAL VPN CLIENT


• Windows Firewall may block the SonicWALL Global VPN Client. If Windows Firewall
presents a warning message, click Unblock. The New Connection Wizard will appear.
Click Next.

• The Choose Scenario menu displays next (Figure 21). Specify whether you wish to
implement Remote Access or an Office Gateway: choose Office Gateway if you are
connecting two SonicWALL devices, and Remote Access if you wish to enable secure
connectivity for remote staff. As we are enabling remote access, we choose that option
and click Next.

Figure 21: CHOOSING VPN SCENARIO

• Specify the SonicWALL's IP address or domain name, provide a connection name and
click Next.
• The Completing The New Connection Wizard menu appears next. Check the
appropriate boxes to create a desktop shortcut for the new connection and to automatically
enable the connection whenever the end user launches the SonicWALL Global VPN
Client. Then, click Finish.

• The VPN connection is then created in the SonicWALL Global VPN Client. To connect to
the VPN, end users need only double-click the connection in the SonicWALL Global VPN
Client and enter their credentials. As with the VPN policy and the user accounts on the
SonicWALL, the end user can edit a VPN connection's settings and configuration at any
time by right-clicking it within the SonicWALL Global VPN Client window and selecting
Properties.

REASONS FOR USING IPSec PROTOCOL


The IPSec protocol was used in this model because of the features stated below:
• It is universally applicable: it can protect a mixture of application protocols
running over a complex combination of media, such as Voice over Internet
Protocol (VoIP), Video On Demand (VOD) and other multimedia applications, and
it can secure communication with different types of networks around the world.
• It is scalable: IPSec can be applied in networks of all sizes.
• Its security is in the network layer. IPSec is implemented in the operating system at
layer 3, which means no changes are required to applications to provide security for
a diverse range of protocols. It is also unaffected by the lower-level data-carrying
protocols beneath it and by the higher-level applications above it.
• IPSec is not limited to specific applications but is application independent. Whatever
the application, its data traverses the network routed by IP, which makes it IPSec
compatible.
• It is readily available and supported by the routers used in this model.

CHAPTER FIVE

5.0 SUMMARY

Wide area networks have been around for a while now and have been used to
achieve various goals such as long distance calling, data exchange and remote access.
The problems associated with wide area networks are mainly efficiency and cost
effectiveness. Wide area networks are beyond the reach of most small and medium scale
companies because of their budgets: for example software companies with support
personnel, maintenance companies, and most companies that have mobile workers who
require real-time, on-the-spot access to company resources.

This project proposes a cost efficient model that takes into consideration the basic
requirements of these small companies and their working capital. It makes use of the IPSec
tunneling protocol in a Windows based environment, because Windows is the most
common operating system in Nigeria today and, since we are trying to save costs, it is
the wisest option as it requires only minimal upgrade and installation. It also
suggests a range of SonicWALL routers designed especially for small and medium scale
enterprises. It does not make use of Cisco routers because the minimum number of users for
a Cisco VPN router is 100. These SonicWALL routers cost between 150,000 and 200,000
naira. Below is a breakdown of the costs of implementing the models proposed in this
project: about 437,000 naira to set up the scenario 1 model and 1.2 million naira to set up
the VPN connections for the scenario 2 model. This is relatively affordable, and it could
be cheaper depending on the size of the organization.

Table 2: Breakdown of costs for Scenario 1 (three cost items; the itemized figures did not
survive extraction; the total is stated above as about 437,000 naira)

Table 3: Breakdown of costs for Scenario 2 (four cost items; the itemized figures did not
survive extraction; the total is stated above as about 1.2 million naira)

5.1 CONCLUSION

In recent times there have been rapid advancements in the development of wide area
networking, and these technologies are becoming increasingly available, affordable and
secure. They are being used to develop more applications that further increase
connectivity and improve communications and the sharing of resources. Some of these
applications include Voice over Internet Protocol (VoIP). Other readily available
technologies include VPNs based on the Secure Sockets Layer (SSL) protocol, which are
often referred to as clientless because only a web browser is needed to operate them.
Virtual Private Networks are also used as a secure way of providing access to wireless
networks and as a platform for charging and accountability over the Internet.
Despite all these advancements, Virtual Private Networks still have a long way to
go in terms of quality of service and in provisions for mobile users running the Symbian OS
to connect to VPNs via GPRS using devices such as smart phones and PDAs.
This is another subject for further research.

5.2 RECOMMENDATION

Most organizations today, such as banks and oil companies, make use of VPNs to enhance
customer satisfaction and improve the working conditions of their remote workers. Banks
use VPNs to provide personalized banking services to their customers, while oil
companies use VPNs to connect their offshore workers. The caliber and
complexity of these VPN applications make such connectivity appear out of reach for
small companies.

This project discusses a cheap means of creating a Virtual Private Network that can
be adopted by small organizations. The model discussed in this project is affordable and
within the asset base of an average small company.

5.3 CONTRIBUTION TO KNOWLEDGE

This project further enlightens readers about the possibilities of enabling and empowering
Small and Medium Scale Enterprises with the ability to establish connections with their
remote offices and teleworkers. It proposes a model which, if adopted, will ensure
efficient communications and data exchange with minimal upgrade of existing
network infrastructure.

5.4 LIMITATIONS OF THE STUDY

This study is limited to model creation, because implementation of any VPN model
requires resources that are not readily available to an undergraduate.
