Virtual Private Network (VPN) Framework And Technologies

This is an elective unit out of a total of 12 units in the Master of Networking (MNet). This unit addresses the MNet course learning outcomes  and  complements  other  courses  in  a  related  field  by  developing  students’  specialised  knowledge  in  Virtual  Private Networks  (VPN) and applying critical  skills in  networking equipment  such as  routers,  switches and  servers. For  further course information  refer  to:. This unit  is  part  of  the  AQF  level  9.

This subject provides students with the knowledge and advanced professional skills to manage and maintain VPN. It also provides students with the knowledge and skills to deal with both MPLS and MPLS VPN architectures. Students will also obtain relevant knowledge and experience in building, implementing and managing VPN architecture and security. 
? Overview of VPN in security contexts, its characteristics, requirements, and architecture 
? SSL VPN protocols and configurations 
? Internet Key Exchange Protocol version 1 and 2 
? IKE v1 & 2 and ISAKMP 
? Site?to?Site IPsec VPN Operations  
? VPN routes management/handling at gateways  
? Overview of MPLS VPN Technology 
? Case Studies

It is expected that students complete all assessments including the final examination. Students must obtain a mark of at least in Task A (Assignments, Labs and tutorials) and 40% in the final examination. In addition students must obtain at least overall to pass this Unit.

Late assignments / exercises: 
Late assignments will be penalised at the rate of 10% per day, that is, an assignment is marked out of 90% for 1 day late, 80% for 2 days late, etc., and after 5 working days assignments will attract zero marks. Special Consideration: 
In the case of serious illness, loss or bereavement, hardship or trauma students may be granted special consideration. A completed Application for Special Consideration and supporting documentation must be submitted online on AMS. This application must be submitted no later than three working days after the due date of the specific piece of assessment or the examination for whichthe student is seeking Special Consideration. Further information is available 

Available Grades: 
A list of the available grades, a description of the corresponding required student performance and the required percentages for the unit is also given in the MIT Handbook and the MIT website.

SSL VPN protocol and Configurations

The virtual private network is used as an extension of a private network for the establishment of a secure link between the public and the shared network. With the use of VPN a user can send data between the public and the shared networks for creating a point to point link. For the emulation of the point to point link in the virtual private network the data packets are encapsulated with a header file for attaching the routing information to reach the destination address.

The main requirement of the organization is to create a VPN connection with the branch offices such that a secure communication is maintained with between the offices located at different geographical location. For the development of the network solution an analysis is made on the requirement and the available types of VPN connection and applied for the development of the virtual private network framework. For connecting the branch offices a site to site VPN connection is used and the protocols PPTP, L2TP, IPSec protocol is used. 

SSL VPN protocol and Configurations

There are some unique features available in the secure socket layer VPN and it helps in establishment of the site to site VPN connections between the two sites. It uses the Transport layer Security (TLS) for establishment of a secure connection between the internal and the external users. The internet is used for the transportation of the encrypted SSL traffic and for this a SSL VPN server is required to be configured for authentication of the client. The routers installed in the network should be configured with the SSL VPN service enabled using the webvpn gateway command.

The router should be configured with a gateway, port number for carrying the HTTPS traffic. Trust points and crypto encryption should also be configured and the gateway should be configured such that the HTTP traffic is redirected to the HTTPS port. The command ‘SSL encryption’ and ‘SSL trustpoint’ is used for configuring the specific certification authority certificate where with enabling the SSL VPN gateway a self-signed certificate is generated automatically.

 Internet Key exchange protocol version 1 and 2

The internet key exchange protocol is used for increasing the security using the IPSec protocol and the IKE protocol is developed based on the Oakley protocol and the ISAKMP protocol. The x.509 certification is used for the authentication and distribution of the shared key. There are two versions of the internet key exchange protocol the problems identified in the IKE v 1 is rectified for the development of IKE v2.

Internet Key exchange protocol version 1 and 2

The main role of IKE v1 is to create a secure communication channel with the application of Diffie–Hellman key exchange algorithm that generates a shared secret key for the encryption of the IKE communications. Pre shared key, public keys or signatures can be used for authenticating the user and it can operate in two different modes i.e. the main or the aggressive mode. The main mode have the ability to protect the identity of the peers by hashing the shared key. IPSec protocol is used for the establishment of the secure link but it have different problems such as lacking the automatic negotiation. Both the sender and the receiver need to use the same security association for the establishment of the secure connection.

The IKE version 2 was developed for removal of the problems in its earlier version such as reducing the RFCs by combining them and improving them to support the NAT and the firewall traversal. It also enables support for the mobile platform and the multihomed users. It is also used for enabling NAT traversal with the encapsulation of the ESP and IKE for the UDP port 4500 such that the protocols can pass the firewall or the different device configured with NAT. It is uses cryptographic mechanism for the protection of the data packets as the Encapsulating Security Payload and protecting the data packets. 

ISAKMP is the procedure used of authenticating or establishment of the connection for communicating with the peers. It is used for the management of the security authentication. Generation of keys and mitigation of the threats acting on the network. It defines the format of the data packets and the procedures for the establishment, modification, negotiation and deleting the security associations. It also defines the payloads for key generation exchange and data authentication.

Site?to?Site IPsec VPN Operations

Cisco IOS routers can be used for the configuration of the IPSec policy and it is necessary to define the interesting traffics. The routers should be configured with extended access list for encrypting specific type of data in the network traffic. The permitted packets on the extended access list are used as a definition for the IPsec traffic and checking the configuration. The packet that are not included in the extended access list are sent to the receiver without encrypting it.  The IKE policies should be enabled for the implementation of the IPsec parameters and establishment of the internet security association and key management protocol. The ISAKMP policy is used for allowing the IKE v1 negotiation and defining the encryption algorithm used for controlling the data traffic. A pre shared key should also be configured with the IPsec transform set and life times. 

Site-to-Site IPsec VPN Operations

VPN routes management/handling at gateways

Management server are used for establishing a secure connection with the client and a VPN gateway is used for establishing the connection with the client. The gateway device connected with the VPN server is represented as a VPN gateway element. The same VPN gateway can be used for the establishment of different VPN connections and the several gateway can be created for its representation to the same firewall. For the management of the routes VLANs are created in the switch and default gateway is assigned to each of the VLAN for enabling them communicate with the other VLANs.

Overview of MPLS VPN Technology

The MPLS solution acts as a modular suite for the management of service and application that uses the virtual private network. It is used for the management of the extranet and intranet VPNs. The different services are audited for the management of flow of the network traffic by analysing the service level agreement of the MPLS VPN framework. The application of the MPLS VPN solution is used for simplification of the service, provisioning and billing the processes for reducing the deployment cost and different VPN service operation. The MPLS VPN containing different site sets used for interconnecting using the MPLS core network.

The MPLS technology works on the IP, ATM and frame relay protocol. It creates a specific path for the sequence of packets and identifies each of the packet by the label attached with each of the packet for saving the time for the router needed to find the information and forwarding the data packets.  

Case Studies

The VPN network is developed for a medium sized organization that have two remote branches in different geographical location. The organization to establish a secure communication with the remote sites and secure the organizational information. The organization currently uses a firewall in each of the branches for filtering the data packets and it is essential to increase the reliability of the network.

The company needs to provide access to its employees the organizational network such the employees can connect with the organizational server from remote location to access the resources and improve their productivity. The company is expected to grow in the b recent years and the network solution developed for the organisation should be able to withstand the growth of the organization supporting the increased number of user request without affecting the performance of the network. 

 [1]X. Wang and X. Peng, "VPN Gateway Research in Wireless Network Based on SSL Technology", International Journal of u- and e-Service, Science and Technology, vol. 8, no. 4, pp. 17-26, 2015.

[2]G. Zhang, "The Solution and Management of VPN Based IPSec Technology", Applied Mechanics and Materials, vol. 686, pp. 210-219, 2014.