THESIS
1999
xiii, 211 leaves : ill. (some col.) ; 30 cm
Abstract
The concept of Virtual Private Networks (VPNs) provides an economical and efficient solution for communicating private information securely over public network infrastructure. VPNs combine tunneling, security mechanisms and other networking devices, e.g. firewalls. They are expected to be an important technology in the 21st century.
There are a number of VPN products on the commercial market. However, none of them guarantees the establishment of VPN connections, because none of them reserves public network resources during VPN setup. In this thesis, we propose a VPN solution that carries out bandwidth reservation during VPN establishment. The discussion is divided into two parts: the networking aspects and the security aspects.
In the first part, we discuss the three-layered logical architecture of our VPN solution and classify the VPN components into three categories: VPN members, VPN managers and the VPN administrator. For these components to perform VPN functions, a specialized piece of software (the "Customer Sited Security Processor") is installed. We discuss the architecture of this software in detail, the mandatory VPN operations implemented in the processor, and the VPN protocol stack that handles VPN requests and responses.
In the second part, we turn to the security aspects. We analyse three kinds of attack: 1) tricking a VPN member into accepting an invalid VPN message (message spoofing), 2) acquiring extra public network resources illegally (bandwidth stealing) and 3) interrupting the VPN service (denial of service). The success rates of (1) and (2) depend on the choice of encryption scheme and authentication scheme and on the accuracy of local clocks. The success rate of (3) depends on the security of the intermediate routers/ATM switches, of the VPN managers and of the ATM control plane. We also suggest a simple method to detect these attacks.
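The abstract ties the success of message spoofing and bandwidth stealing to the authentication scheme and to local clock accuracy. The following Python model, added here as an illustration and not code from the thesis or its Customer Sited Security Processor, shows why: a VPN bandwidth request is authenticated with a keyed MAC, stamped with the sender's clock and a nonce, and the receiver rejects bad MACs, stale timestamps and replays. The message layout, the field names, HMAC-SHA256, the 30-second skew window and the sample key are assumptions chosen for the example.

```python
"""Authenticated, timestamped VPN bandwidth request (added example, not thesis code).

Assumptions: JSON message body, HMAC-SHA256 over a canonical encoding,
a 30 s clock-skew tolerance and a per-member nonce cache for replay detection.
"""
import hashlib
import hmac
import json
import os

MAX_SKEW_SECONDS = 30  # assumed tolerance for clock drift between VPN members

# Constructed sample keys; a real deployment would provision them per member.
SHARED_KEY = b"constructed-member-key-for-demo"
ATTACKER_KEY = b"attacker-does-not-know-the-real-key"


def canonical(body: dict) -> bytes:
    """Deterministic byte encoding so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, member: str, bandwidth_kbps: int, now: int, nonce: bytes = None) -> dict:
    """Sender side: body + HMAC. 'ts' is the sender's local clock reading."""
    nonce = (nonce or os.urandom(16)).hex()
    body = {"member": member, "bandwidth_kbps": bandwidth_kbps, "ts": int(now), "nonce": nonce}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Verifier:
    """Receiver side (e.g. a VPN manager) checking incoming requests."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # (member, nonce) -> ts, pruned once outside the skew window

    def check(self, msg: dict, now: int) -> str:
        body = msg["body"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # 1) Authentication: a forged or modified body (e.g. inflated bandwidth) fails here.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "reject: bad MAC"
        # 2) Freshness: depends on both clocks agreeing within max_skew.
        if abs(now - body["ts"]) > self.max_skew:
            return "reject: stale timestamp"
        # 3) Replay: same authenticated message presented again inside the window.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= self.max_skew}
        key = (body["member"], body["nonce"])
        if key in self.seen:
            return "reject: replay"
        self.seen[key] = body["ts"]
        return "accept"


def run_demo(now: int = 1_000_000) -> dict:
    """Exercise the verifier against the attack classes named in the abstract."""
    verifier = Verifier(SHARED_KEY)
    results = {}

    legit = build_message(SHARED_KEY, "member-A", 2048, now)
    results["legitimate"] = verifier.check(legit, now)

    # Bandwidth stealing attempt: on-path attacker inflates the reserved bandwidth.
    tampered = {"body": dict(legit["body"]), "mac": legit["mac"]}
    tampered["body"]["bandwidth_kbps"] = 20480
    results["tampered"] = verifier.check(tampered, now)

    # Message spoofing by replay: the genuine message is resent a few seconds later.
    results["replayed"] = verifier.check(legit, now + 5)

    # Clock accuracy: an otherwise valid message stamped 120 s in the past.
    stale = build_message(SHARED_KEY, "member-A", 2048, now - 120)
    results["stale"] = verifier.check(stale, now)

    # Message spoofing without the key: attacker forges a request outright.
    forged = build_message(ATTACKER_KEY, "member-A", 2048, now)
    results["forged"] = verifier.check(forged, now)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:10s} -> {outcome}")
```

The rejection reason returned by `check` is the kind of signal a simple detector can log and count per member: a burst of bad-MAC or replay rejections from one VPN member is the observable footprint of the spoofing and bandwidth-stealing attempts the abstract describes. Note that the freshness check cuts both ways: if local clocks drift beyond the skew window, legitimate requests are refused, which is exactly why the abstract lists clock accuracy alongside the cryptographic choices.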