Principles Digital Communication System & Computer Networks (Charles River Media Computer Engineering)
24.6 VIRTUAL PRIVATE NETWORKS
If an organization has many offices, these offices are connected through a private network wherein the organization builds its own infrastructure for wide area networking. For example, if an organization has offices spread throughout the country, it can develop its own corporate network, perhaps using VSATs with a hub at the corporate headquarters. Such a network provides the necessary security and is fully within the administrative control of the organization. Since it is a dedicated network, the network can be optimized for the requirements of the organization. However, this approach has many disadvantages, which are as follows:
- High installation and maintenance costs: The cost of training the employees and having a dedicated workforce, particularly when the core business of the organization is not communications, is enormous. For instance, a pharmaceutical company does not want to keep a large workforce to maintain its communication network; its business is pharmaceuticals, not computer networks!
- Lack of flexibility and scalability: When new sites have to be added (when a new branch is opened) or when a new customer is to be provided access to the organization's information, additional network equipment has to be installed. Also, the operational costs go up.
- High recurring communication costs: The organization has to pay for the communication facilities on a monthly or yearly basis.
A virtual private network (VPN) is a network of corporate sites using the existing infrastructure of the Internet. VPN provides a cost-effective solution as compared to having a dedicated corporate network.
With the Internet having spread itself globally, an alternative approach to interconnecting corporate sites is through virtual private networks (VPNs). A VPN can be defined as a network of corporate sites using the open, distributed infrastructure of the Internet. The VPN has many advantages:
- Low cost: It is economical because the Internet's existing infrastructure will be used. The organization need not invest in costly communication equipment. In addition, the recurring expenditure also will be less, because the expenditure will be based on the usage.
- Minimal training costs: There is no need for special training for users, because the Internet tools will be extensively used, and users are already familiar with the technology.
- Increased flexibility and scalability: Expansion of the network or reconfiguration of the sites will be easier.
- Minimal maintenance costs: There is no need for a dedicated team of professionals for maintenance of the network because the Internet service provider will take care of maintenance issues.
- Value added service provisioning: Employees, suppliers, and customers can be provided with access to the intranet/extranet resources very easily. Mobility can also be supported very easily; an employee on the move can always be in touch with the corporate office.
- On-demand bandwidth: As the communication requirements vary from time to time, the ISP can provide on-demand bandwidth, so there is no need to decide on the capacities of the communication system at the beginning.
However, the TCP/IP architecture does not address two important issues: security and performance. In VPNs, these two issues need to be addressed to provide a communication facility that is comparable to that of a dedicated network, but with additional functionality and flexibility. A great deal of work is presently being carried out on performance issues. For providing security, a number of protocols have been defined, which are discussed in the next section.
The advantages of a virtual private network are low infrastructure costs, flexibility, expandability at low incremental cost, low maintenance cost, and availability of on-demand bandwidth.
Note: Security remains a major issue for virtual private networks. Banks, security agencies, and transportation agencies continue to have their own dedicated networks precisely due to this reason. Things are likely to change, though, in the future.
24.6.1 VPN Security Requirements
To provide secure communications in a VPN, the following are the requirements:
- Authentication: to ensure that the originator of the data is genuine.
- Access control: to prevent unauthorized users from gaining access to the network.
- Confidentiality: to ensure that the data can be read only by the intended recipient.
- Data integrity: to ensure that the data is not tampered with or modified while it is traveling on the public Internet.
For authentication and access control, a number of mechanisms are available, such as password-based systems, Challenge Handshake Authentication Protocol (CHAP), Remote Authentication Dial-in User Service (RADIUS), and digital certificates. Encryption is used to achieve confidentiality.
Authentication, access control, confidentiality, and data integrity are the main issues related to security in virtual private networks. Security products need to implement these features.
Note: For authentication and access control, biometric techniques such as fingerprint recognition are being used. In the past, fingerprint recognition was used to verify the authenticity of the illiterate!
24.6.2 VPN Architecture and Protocols
A simplified VPN architecture is shown in Figure 24.4. Each corporate LAN will be connected to the ISP's point of presence (PoP). In a VPN, permanent links are not maintained between two end points; the links are created dynamically based on the requirement. When leased lines are used to interconnect sites, these connections are dedicated to the traffic from a single corporate customer; this is called tunneling. To extend the concept of tunneling to the Internet-based VPN, protocols are defined to create tunnels. Tunneling allows senders to encapsulate their data in IP packets that hide the underlying routing and switching infrastructure of the Internet. These packets can be encrypted to achieve end-to-end confidentiality. The concept of tunneling is illustrated in Figure 24.5. Even though network A and network B are interconnected through a large internet, a virtual link is created between the two routers.
If a host on network A wants to send data to a host on network B, the host will send each packet (containing the destination address of the host on network B) to router P. Router P will create an IP datagram that will have the source address P and destination address Q, and the data portion will be the packet sent by the host on network A. This IP datagram will reach router Q in the normal fashion. Router Q will take out the encapsulated packet, obtain the destination address of the host on network B, and then forward it to the host. This encapsulation of the IP datagram is equivalent to creating a tunnel between router P and router Q.
To provide security in a VPN, IP Security (IPSec) protocol is used extensively.
IP Security (IPSec): IPSec is a layer 3 (network layer) protocol. IPSec is the outcome of work on IPv6, but it can be used on IPv4 as well. It allows the sender (a client or a router) to authenticate and/or encrypt each IP packet. IPSec can be used in two modes.
IPSec is a layer 3 protocol used in VPNs to provide security. IPSec works in two modes: transport mode and tunnel mode. In transport mode, only the transport layer segment is encrypted. In tunnel mode, the entire IP packet including header is encrypted.
Transport mode: In this mode, only the transport layer segment of the IP packet is encrypted.
Tunnel mode: In this mode, the entire IP packet including the header is encrypted. Hence, this mode gives better protection because the source and destination addresses of the original packet can be read only when the encryption key is available.
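The encapsulation described above (router P wrapping the host's packet in a P-to-Q datagram, router Q unwrapping it, and the tunnel-mode consequence that an observer on the public Internet sees only P and Q rather than the hosts on networks A and B) as an added Python example; this is not code from the book. The IPv4 header layout and checksum follow RFC 791; the inner packet is carried unencrypted here so that decapsulation can be checked, which is an assumption made for illustration, and all addresses are constructed sample values.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # protocol number of an IP-in-IP tunnel payload

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used in the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])

def router_p_encapsulate(inner: bytes, p: str, q: str) -> bytes:
    """Router P wraps the host's whole packet in an outer datagram P -> Q."""
    return build_ipv4(p, q, IPPROTO_IPIP, inner)

def router_q_decapsulate(outer: bytes) -> bytes:
    """Router Q strips the outer header and forwards the original packet."""
    _, _, proto, payload = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet")
    return payload

def observer_view(pkt: bytes):
    """Addresses an observer on the public Internet reads from the outer header."""
    return parse_ipv4(pkt)[:2]

# Constructed sample: a host on network A sends a UDP packet to a host on
# network B; the tunnel endpoints P and Q use RFC 5737 documentation addresses.
HOST_PKT = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello")
TUNNELED = router_p_encapsulate(HOST_PKT, "203.0.113.1", "198.51.100.7")
```

In a real IPSec tunnel the payload handed to router_p_encapsulate would be the encrypted form of HOST_PKT, so the inner addresses would be unreadable without the key, while observer_view would still show only P and Q.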
IPSec is considered the best protocol for VPN implementation because it provides a complete solution for providing the required security. IPSec is based on standard encryption mechanisms such as:
- Data Encryption Standard (DES) for encryption.
- Digital certificates for validating public keys.
- Key exchange, either manual or automatic using the Internet Key Exchange (IKE) protocol.
However, at this time security remains a major issue for VPNs; commercial security products are very costly. Standards are evolving for various aspects of security and, in the future, VPNs will provide the most cost-effective means of corporate networking.
Summary
The wired Internet, within a span of about 30 years, has become an excellent platform for a wide variety of services such as e-mail, file transfer, remote login, and the World Wide Web. Interesting applications such as audio/video broadcasting, audio/video conferencing, Web-based learning, and e-commerce are being supported, which makes the Internet a global marketplace and a global learning center. Though the present mechanism of accessing the Internet through dial-up or leased lines limits the access speed, with the availability of very high speed digital subscriber lines (VDSL), speeds up to nearly 50 Mbps can be achieved in due course.
Major corporations can now use the Internet infrastructure to build virtual private networks (VPNs), which result in major cost savings. However, security is a major issue to be tackled for VPNs to become widespread.
Questions
- Explain the architecture of the public Internet.
- Explain the Domain Name System.
- What are the advantages of a virtual private network? How is the security aspect addressed in VPNs?
- Explain the concept of tunneling.
- List the various services and applications supported by the Internet.
Exercises
1. If you want to start your own organization, you need to have a Web presence. To have Web presence, you need to have a domain name registered. Go to a domain name registration site (for instance, http://www.register.com) and determine if the domain name you want is available.
2. For an already registered Web site (e.g., http://www.iseeyes.com), find out who is the owner.
3. Create a Web site with multimedia content (text, graphics, voice clippings, and video clippings) using XHTML.
4. Make a comparison of the various search engines. What are the criteria based on which search engines can be compared?
5. Make a list of the Web-based learning portals.
Answers
1. When you start your own organization, you need to have a Web address. To obtain a unique URL for your organization, you can go to a site such as http://www.register.com or http://www.networksolutions.com and find out whether the required URL is already registered by someone or is available. If it is available, you can pay the registration charges (about US$70 for two years). Then you can develop your Web site and host it on a Web-hosting service provider's server by paying the hosting charges (about US$10 per month).
2. When you go to http://www.register.com and give a URL, you will get information about the owner of the URL.
3. XHTML code for displaying text, playing audio and video clips, and displaying images in the background and foreground is given below. You need to have the necessary audio clip, video clips, and image files in your directory before running this code. The names of these files are indicated in the code itself.
Listing C.8: XHTML code to display text.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Text Sample</title>
</head>
<body>
  <h1>XHTML Document welcomes you</h1>
</body>
</html>
Listing C.9: XHTML code to play an audio file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Audio Sample</title>
</head>
<body>
  <a href="sample.mid">Audio</a>
</body>
</html>
Using the embed tag in place of the link:
<embed src="sample.mid" autostart="true" width="200" height="100" hidden="true" />
Using the object tag in place of the link:
<object data="sample.mid" type="audio/midi" autostart="true" width="400" height="400" hidden="true" />
Listing C.10: XHTML code to play a video file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Video Sample</title>
</head>
<body>
  <a href="search.avi">Video</a>
</body>
</html>
Using the embed tag in place of the link:
<embed src="search.avi" autostart="true" width="200" height="200" loop="true" />
Using the object tag in place of the link:
<object data="search.avi" type="video/x-msvideo" autostart="true" width="400" height="400" hidden="true" />
Listing C.11: XHTML Code to display an image in the background.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Background Image Sample</title>
</head>
<body background="TajMahal.jpg">
  <br /><br /><br /><br />
  <h1 align="center">Sample Text</h1>
</body>
</html>
Listing C.12: XHTML code to display an image in the foreground.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Image Sample</title>
</head>
<body>
  Sample Text
  <img src="rose.gif" alt="Rose Blum" />
</body>
</html>
4. Search engines can be compared based on the number of Web pages searched, the amount of time it takes to present the results, and the relevance of the information presented to the user. You can search for your name using different search engines; the engine that gives the highest number of results is the best! Intelligent search engines are now being developed, and they will be able to present more relevant information.
5. Some of the Web-based learning portals are:
Projects
- Develop an intranet for your department/organization. Any authorized user of the LAN should be able to access the information provided on the intranet. The user has to log in to the intranet and access a home page. The home page should contain the links for a syllabus, examination schedules, information about the professors, information about the project, works done by earlier batch students, and so on.
- Develop an e-learning portal. The portal should contain the lecture material, study material for a few topics (such as compiler design and database management system) and also an online examination using objective (multiple choice) tests.
- Prepare a technical report on the various digital subscriber line technologies.