INFORMATION INTERCHANGE IN VIRTUAL PRIVATE NETWORKS : Key Considerations for Efficient Implementation

Chowdavarapu, Pradeep Kumar, Kati, Pramod, Opoku, Williams

January 2011

This thesis identifies some key Considerations to be considered to create an efficient virtual private network and also investigates to understand some efficiency problems affecting the interchange of information in such networks. It then outlines some possible solutions to manage such problems.The ICT and the telecommunications have been advancing at a rapid rate. This has been seen in the exchange of information in virtual networks such as the social networks like Facebook, Skype, Google talk, Yahoo messenger, Twitter etc. The need for maximum security, privacy and cost effectiveness in different organizations, institutions and private sectors etc makes it useful and needful to have efficient virtual private networks.Understanding the problems affecting the information interchange in such networks and suggesting some probable solutions will both help the provider and the user. / Program: Magisterutbildning i informatik

efficiency

network

virtual private networks

computer

information

interchange

Engineering and Technology

Teknik och teknologier

同步選擇派翠網路在虛擬私人網路上的應用 / Application of Synchronized Choice Petri Nets to Virtual Private Networks

李滎澤, Ying-tse Lee

Unknown Date

The Synchronize Choice Petri net, a subclass of Petri nets that is constructed based on special structural objects, can improve analytical power to make solving the behavioral problems of Petri nets practically possible. The fact that proving liveness and verifying reachability of a Synchronize Choice Petri net are feasible may lead to several applications. This thesis contributes to one of the applications: building a dynamic key exchange mechanism embedded in Virtual Private Network products by applying Synchronize Choice Petri nets. 　　Based on modern symmetric-key algorithms, such as DES, the dynamic key exchange mechanism enables two communicating sides to use the changing keys to encrypt or decrypt messages correctly without requiring any key transmission during the communication session after the initiation. A proper use of the mechanism is to be integrated with Virtual Private Network products to make the information transmitting between two peers more confidential.

Synchronized Choice Petri Nets

Dynamic Key Exchange

One Time Pads

Virtual Private Networks

Impact of Queuing Schemes and VPN on the Performance of a Land Mobile Radio VoIP System

Ballapuram, Vijayanand Sreenivasan

23 July 2007

Land mobile radio (LMR) systems are used for communication by public safety and other government and commercial organizations. LMR systems offer mission-critical or even life-critical service in the day-to-day activities of such organizations. Traditionally, a variety of different LMR systems have been deployed by different organizations, leading to a lack of radio interoperability. A voice application that connects LMR systems via a packet-switched network is called an LMR Voice over IP (LMRVoIP) system and is a potential solution to the interoperability problem. LMRVoIP systems are time critical, i.e., are delay and jitter sensitive. Transmission of LMRVoIP traffic in a congested packet-switched network with no quality of service (QoS) or priority mechanisms in place could lead to high delays and extreme variations in delay, i.e., high jitter, thus resulting in poor application performance. LMRVoIP systems may also have performance issues with the use of virtual private networks (VPNs). To the best of our knowledge, there has been no prior thorough investigation of the performance of an LMRVoIP system with different queuing schemes for QoS and with the use of VPN. In this thesis, we investigate the performance of an LMRVoIP system with different queuing schemes and with the use of VPN. An experimental test bed was created to evaluate four QoS queuing schemes: first-in first-out queuing (FIFO), priority queuing (PQ), weighted fair queuing (WFQ), and class-based weighted fair queuing (CBWFQ). Quantitative results were obtained for voice application throughput, delay, jitter, and signaling overhead. Results show that, compared to a baseline case with no background traffic, LMRVoIP traffic suffers when carried over links with heavy contention from other traffic sources when FIFO queuing is used. There is significant packet loss for voice and control traffic and jitter increases. FIFO queuing provides no QoS and, therefore, should not be used for critical applications where the network may be congested. The situation can be greatly improved by using one of the other queuing schemes, PQ, WFQ, or CBWFQ, which perform almost equally well with one voice flow. Although PQ has the best overall performance, it tends to starve the background traffic. CBWFQ was found to have some performance benefits over WFQ in most cases and, thus, is a good candidate for deployment. The LMRVoIP application was also tested using a VPN, which led to a modest increase in latency and bandwidth utilization, but was found to perform well. / Master of Science

Quality of Service

Voice Over IP

Land Mobile Radio

Virtual Private Networks

A Study On Privacy Over Security And Privacy Enhancing Networks

Conway, Everett Lee

01 June 2024

With rapid developments in communication technologies and awareness of security and privacy risks online, Security and Privacy Enhancing Networks (SPENs) have become increasingly popular. Especially during the COVID-19 pandemic, workplaces encouraged employees to take additional security measures, such as VPNs. In this work, we conduct a comprehensive study on website fingerprinting attacks. A comprehensive system model and threat model based on two types of SPENs (Virtual Private Networks and Tor Networks) are presented. Moreover, we demonstrate a website fingerprinting attack by ethically collecting website fetch data and analyzing the collected data using five different machine learning classification models including k nearest neighbors, decision tree, ada boost, and random forest. We find that SPENs are still vulnerable to website fingerprinting attacks which enable attackers to violate users’ behavioral privacy. However, it is not easy to get accurate results, especially over a large number of websites. Furthermore, we discuss a series of recommendations for SPENs to increase behavioral privacy for their customers. Finally, we cover a variety of directions that future work could take.

Behavioral Privacy

Virtual Private Networks

Machine Learning

Network Security

Computer and Systems Architecture

Digital Communications and Networking

Validity and accuracy issues in electronic commerce with specific reference to VPN's

13 August 2012

M.Comm. / Business have traditionally relied on private leased lines to link remote office together so that distant workers could share information over a Wide Area Network (WAN). However, while providing a high degree of privacy, leased lines are expensive to set up and maintain. The Internet is fast becoming a requirement for supporting business operations in the global economy. The major concern in using a public network, like the Internet, for data exchange is the lack of security. The Internet was designed to be an "open" network, accessible to anyone with low or none security consideration. Virtual Private Networks (VPN) using Point-to-Point Tunneling Protocol (PPTP) has emerged as a relatively inexpensive way to solve this problem. The primary objective of this dissertation is to evaluate validity and accuracy issues in electronic commerce using VPN as a secure medium for data communication and transport over the Internet. The inherent control features of PPTP were mapped to data communication control objectives and the control models show how these address validity, completeness and accuracy. After analysing and evaluating the inherent control features of PPTP, the overall result is that: PPTP enables a valid communication link to be established with restricted access (validity); the PPTP communication link remains private for the full time of the connection (validity); data can be sent accurately and completely over the PPTP connection and remains accurate during transmission (accuracy); and all data sent is completely received by the receiver (accuracy). By deploying a Point-to-Point Tunneling Protocol for virtual private networking, management can mitigate the risk of transmitting private company and business data over the Internet. The PPTP analysis and evaluation models developed intend to give the auditor a control framework to apply in practice. If the auditor needs to perform a data communication review and finds that a virtual private network has been established using PPTP, the control models can assist in providing knowledge and audit evidence regarding validity and accuracy issues. The auditor should however, not review PPTP in isolation. Validity and accuracy control features inherent to TCP/IP and PPP should also be considered as well as controls on higher levels, e.g. built-in application controls.

Electronic commerce-Security measures.

Extranets (Computer networks)

Electronic commerce-Auditing.

Virtual Private Networks

Point-to-Point Tunneling Protocol

Enhancing security and scalability of Virtual Private LAN Services

Liyanage, M. (Madhusanka)

21 November 2016

Abstract Ethernet based VPLS (Virtual Private LAN Service) is a transparent, protocol independent, multipoint L2VPN (Layer 2 Virtual Private Network) mechanism to interconnect remote customer sites over IP (Internet Protocol) or MPLS (Multiprotocol Label Switching) based provider networks. VPLS networks are now becoming attractive in many Enterprise applications, such as DCI (data center interconnect), voice over IP (VoIP) and videoconferencing services due to their simple, protocol-independent and cost efficient operation. However, these new VPLS applications demand additional requirements, such as elevated security, enhanced scalability, optimum utilization of network resources and further reduction in operational costs. Hence, the motivation of this thesis is to develop secure and scalable VPLS architectures for future communication networks. First, a scalable secure flat-VPLS architecture is proposed based on a Host Identity Protocol (HIP). It contains a session key-based security mechanism and an efficient broadcast mechanism that increase the forwarding and security plane scalability of VPLS networks. Second, a secure hierarchical-VPLS architecture is proposed to achieve control plane scalability. A novel encrypted label-based secure frame forwarding mechanism is designed to transport L2 frames over a hierarchical VPLS network. Third, a novel Distributed Spanning Tree Protocol (DSTP) is designed to maintain a loop free Ethernet network over a VPLS network. With DSTP it is proposed to run a modified STP (Spanning Tree Protocol) instance in each remote segment of the VPLS network. In addition, two Redundancy Identification Mechanisms (RIMs) termed Customer Associated RIMs (CARIM) and Provider Associated RIMs (PARIM) are used to mitigate the impact of invisible loops in the provider network. Lastly, a novel SDN (Software Defined Networking) based VPLS (Soft-VPLS) architecture is designed to overcome tunnel management limitations in legacy secure VPLS architectures. Moreover, three new mechanisms are proposed to improve the performance of legacy tunnel management functions: 1) A dynamic tunnel establishment mechanism, 2) a tunnel resumption mechanism and 3) a fast transmission mechanism. The proposed architecture utilizes a centralized controller to command VPLS tunnel establishment based on real-time network behavior. Hence, the results of the thesis will help for more secure, scalable and efficient system design and development of VPLS networks. It will also help to optimize the utilization of network resources and further reduction in operational costs of future VPLS networks. / Tiivistelmä Ethernet-pohjainen VPLS (Virtual Private LAN Service) on läpinäkyvä, protokollasta riippumaton monipisteverkkomekanismi (Layer 2 Virtual Private Network, L2VPN), jolla yhdistetään asiakkaan etäkohteet IP (Internet Protocol)- tai MPLS (Multiprotocol Label Switching) -yhteyskäytäntöön pohjautuvien palveluntarjoajan verkkojen kautta. VPLS-verkoista on yksinkertaisen protokollasta riippumattoman ja kustannustehokkaan toimintatapansa ansiosta tullut kiinnostavia monien yrityssovellusten kannalta. Tällaisia sovelluksia ovat esimerkiksi DCI (Data Center Interconnect), VoIP (Voice over IP) ja videoneuvottelupalvelut. Uusilta VPLS-sovelluksilta vaaditaan kuitenkin uusia asioita, kuten parempaa tietoturvaa ja skaalautuvuutta, optimaalista verkkoresurssien hyödyntämistä ja käyttökustannusten pienentämistä entisestään. Tämän väitöskirjan tarkoituksena onkin kehittää turvallisia ja skaalautuvia VPLS-arkkitehtuureja tulevaisuuden tietoliikenneverkoille. Ensin väitöskirjassa esitellään skaalautuva ja turvallinen flat-VPLS-arkkitehtuuri, joka perustuu Host Identity Protocol (HIP) -protokollaan. Seuraavaksi käsitellään istuntoavaimiin perustuvaa tietoturvamekanismia ja tehokasta lähetysmekanismia, joka parantaa VPLS-verkkojen edelleenlähetyksen ja tietoturvatason skaalautuvuutta. Tämän jälkeen esitellään turvallinen, hierarkkinen VPLS-arkkitehtuuri, jolla saadaan aikaan ohjaustason skaalautuvuus. Väitöskirjassa kuvataan myös uusi salattu verkkotunnuksiin perustuva tietokehysten edelleenlähetysmekanismi, jolla L2-kehykset siirretään hierarkkisessa VPLS-verkossa. Lisäksi väitöskirjassa ehdotetaan uuden Distributed Spanning Tree Protocol (DSTP) -protokollan käyttämistä vapaan Ethernet-verkkosilmukan ylläpitämiseen VPLS-verkossa. DSTP:n avulla on mahdollista ajaa muokattu STP (Spanning Tree Protocol) -esiintymä jokaisessa VPLS-verkon etäsegmentissä. Väitöskirjassa esitetään myös kaksi Redundancy Identification Mechanism (RIM) -mekanismia, Customer Associated RIM (CARIM) ja Provider Associated RIM (PARIM), joilla pienennetään näkymättömien silmukoiden vaikutusta palveluntarjoajan verkossa. Viimeiseksi ehdotetaan uutta SDN (Software Defined Networking) -pohjaista VPLS-arkkitehtuuria (Soft-VPLS) vanhojen turvallisten VPLS-arkkitehtuurien tunnelinhallintaongelmien poistoon. Näiden lisäksi väitöskirjassa ehdotetaan kolmea uutta mekanismia, joilla voidaan parantaa vanhojen arkkitehtuurien tunnelinhallintatoimintoja: 1) dynaaminen tunnelinluontimekanismi, 2) tunnelin jatkomekanismi ja 3) nopea tiedonsiirtomekanismi. Ehdotetussa arkkitehtuurissa käytetään VPLS-tunnelin luomisen hallintaan keskitettyä ohjainta, joka perustuu reaaliaikaiseen verkon käyttäytymiseen. Tutkimuksen tulokset auttavat suunnittelemaan ja kehittämään turvallisempia, skaalautuvampia ja tehokkaampia VLPS järjestelmiä, sekä auttavat hyödyntämään tehokkaammin verkon resursseja ja madaltamaan verkon operatiivisia kustannuksia.

Host Identity Protocol

Software Defined Networking

Spanning Tree Protocol

Virtual Private LAN Services

Virtual Private Networks

network security

scalability

Host Identity Protocol

Software-defined Networking (SDN)

Spanning Tree Protocol

VPLS

VPN-verkot

skaalautuvuus

verkon tietoturva

Implementace OpenVPN na platformě Windows CE / Porting OpenVPN to Windows CE Platform

Ešner, Oldřich

January 2008

The motivation for inception of this MSc. thesis which follows on from a term project of the same name was the transfer of the application for building private virtual OpenVPN networks from Windows XP operating system to Windows CE Embedded 6.0 platform. The project deals with virtual private networks in general and looks more closely at its implementation - OpenVPN. It also introduces the basic features of the Windows CE operating system. The project goes on to describe device drivers in NT-based Windows operating systems, the Windows Driver Model used, the NDIS network interface model and also the model of Windows CE drivers - the Stream Interface Model. The project continues with a~description of communication in OpenVPN application and primarily the role of TUN/TAP virtual network interfaces. This is followed by a proposal for transfer of TUN/TAP adapter drivers together with a description of limitations and necessary modifications between both platforms. As a result a TAP network device driver is implemented whose function is verified by test application that emulates the behaviour of a TUN adapter. The project concludes with an evaluation of the achieved results, the possibilities for further work on this theme and with the overall contribution of this project.