Presentation
Intro:
I am Subhodeep Ghosh, and today I am going to present a seminar on Virtual Private Networks (VPNs). In today’s digital world,
secure communication over the internet is a major concern, especially for businesses, remote workers, and organizations that
handle sensitive data. VPNs play a crucial role in ensuring secure, encrypted connections across public and private networks.
In this presentation, I will cover two key types of VPNs: Remote Access VPN and Site-to-Site VPN, along with an explanation of
Layer 2 and Layer 3 VPN protocols. We will also discuss how VPNs work, their advantages and disadvantages, industry use cases,
and security features like confidentiality, integrity, authentication, and anti-replay.
Slide 1 - Traditional Connectivity
"In this slide, we see a representation of traditional network connectivity used before VPNs became widespread. Here, the
headquarters is connected to multiple regional offices, and these offices further connect to mobile users, home offices, and
telecommuters.
Traditionally, businesses relied on dedicated leased lines, frame relay, or ATM (Asynchronous Transfer Mode) networks to
establish secure connections between their different locations. These methods provided reliable communication but came with
significant challenges.
1. High Cost – Leased lines and frame relay connections were expensive to set up and maintain.
2. Limited Scalability – Expanding the network required installing additional physical lines, which was both time-consuming
and costly.
3. Lack of Flexibility – Remote users and telecommuters had difficulty securely accessing corporate resources without
dedicated infrastructure.
Because of these limitations, organizations started shifting to Virtual Private Networks (VPNs), which offer a more cost-effective,
scalable, and secure way to connect remote locations and users over the internet. In the next slide, we will see how VPNs solve
these challenges."
Slide 2 - VPN
What does the term virtual private network really mean?
Virtual:
It means that the connection is dynamic. It can change and adapt to different circumstances using the internet's fault tolerant
capabilities. When a connection is required it is established and maintained regardless of the network infrastructure between
endpoints. When it is no longer required the connection is terminated, reducing costs and the amount of redundant infrastructure.
Private:
It means that the transmitted data is always kept confidential and can only be accessed by authorised users. This is important
because the internet's original protocols – TCP/IP (Transmission Control Protocol/Internet Protocol) – were not designed to provide
such levels of privacy. Therefore, privacy must be provided by other means such as additional VPN hardware or software.
Network:
It is the entire infrastructure between the endpoints of users, sites or nodes that carries the data. It is created using the private,
public, wired, wireless, internet or any other appropriate network resource available.
Slide 3 - Features
"In this slide, we will discuss four key security features of a VPN: Confidentiality, Integrity, Authentication, and Anti-Replay—all
essential for ensuring secure communication over a public network.
1. Confidentiality – VPNs use encryption protocols like IPSec, L2TP, and SSL/TLS to protect data from being intercepted
by unauthorized users. This ensures that even if data is captured, it remains unreadable.
2. Integrity – Data integrity ensures that information sent over the VPN is not altered during transmission. VPNs use
hashing algorithms like SHA (Secure Hash Algorithm) to verify that the received data is the same as the sent data.
3. Authentication – Before granting access, VPNs verify the identity of users and devices through user credentials,
certificates, or multi-factor authentication (MFA). This prevents unauthorized users from accessing private networks.
4. Anti-Replay Protection – VPNs prevent attackers from capturing and reusing old data packets to mimic legitimate
communication. Techniques like sequence numbering and timestamping ensure that duplicate or outdated packets are
rejected.
These security measures together make VPNs a trusted solution for secure remote access and site-to-site connections. Now, let’s
move on to the next slide and understand how VPNs differ from traditional private networks."
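To make the integrity and anti-replay features concrete, here is an added Python example (not part of the presentation, and not any VPN product's code) modelled on how ESP handles them: each packet carries a 32-bit sequence number and an HMAC-SHA256 tag, and the receiver keeps a 64-packet sliding window so that a duplicated or too-old packet is dropped before the tag is even checked, while a modified packet fails the tag check and never advances the window. The key, packet format and sample packets are all constructed for the demo; confidentiality (encryption) is left out so the check logic stays visible.

```python
import hashlib
import hmac
import struct

# Constructed values for the demo: a real VPN derives this key during IKE/TLS negotiation.
INTEGRITY_KEY = b"demo-shared-integrity-key"
WINDOW_SIZE = 64        # anti-replay window in packets; ESP requires at least 32, 64 is typical
TAG_LEN = 16            # HMAC-SHA256 truncated to 128 bits, as ESP's ICV commonly is


def protect(seq: int, payload: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Sender: prepend a 32-bit sequence number, append an HMAC over header + payload."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class AntiReplayWindow:
    """Sliding bitmap over the most recent WINDOW_SIZE sequence numbers (the ESP anti-replay scheme)."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0    # highest sequence number accepted so far; 0 means nothing accepted yet
        self.bitmap = 0     # bit i set means sequence number (highest - i) has been accepted

    def is_acceptable(self, seq: int) -> bool:
        """Preliminary check, no state change: new, or inside the window and not yet seen."""
        if seq == 0:
            return False                       # sequence number 0 is never valid
        if seq > self.highest:
            return True                        # to the right of the window: always new
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # too old: fell off the left edge of the window
        return not (self.bitmap >> offset) & 1

    def mark_seen(self, seq: int) -> None:
        """Record an accepted packet; only called after the integrity tag has been verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def verify(packet: bytes, window: AntiReplayWindow, key: bytes = INTEGRITY_KEY):
    """Receiver: returns ("ok", payload), ("replay", None), ("integrity-failure", None) or ("malformed", None)."""
    if len(packet) < 4 + TAG_LEN:
        return "malformed", None
    header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    seq = struct.unpack("!I", header)[0]
    if not window.is_acceptable(seq):          # cheap check first, so replays never cost an HMAC
        return "replay", None
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return "integrity-failure", None       # tampered or forged; the window is NOT updated
    window.mark_seen(seq)
    return "ok", payload


def demo() -> list:
    """Scripted scenario: normal traffic, a replayed packet, a tampered packet, then window edge cases."""
    window = AntiReplayWindow()
    good = {n: protect(n, b"payload-%d" % n) for n in (1, 2, 3, 4, 100, 37, 36)}
    tampered = bytearray(good[4])
    tampered[6] ^= 0x01                        # flip one bit inside the payload of packet 4
    sequence = [good[1], good[2], good[3],
                good[2],                       # replay of packet 2
                bytes(tampered),               # packet 4 modified in transit
                good[4],                       # the genuine packet 4 still gets through
                good[100],                     # jump ahead: the window slides
                good[37],                      # 100 - 37 = 63 < 64, still inside the window
                good[36]]                      # 100 - 36 = 64, just outside: rejected as too old
    return [verify(p, window)[0] for p in sequence]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `["ok", "ok", "ok", "replay", "integrity-failure", "ok", "ok", "ok", "replay"]`; note that the tampered packet does not consume sequence number 4, so the genuine packet behind it is still accepted.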
Slide 4 - Private Network vs VPN
We will compare a Private Network and a Virtual Private Network (VPN) to understand why VPNs are widely used today.
1. Private Network – A private network is a dedicated network infrastructure owned and maintained by an organization. It
uses leased lines, MPLS, or other dedicated connections to ensure security and reliability. While private networks offer
high security and performance, they are expensive and not easily scalable for remote access.
2. Virtual Private Network (VPN) – A VPN simulates a private network over a public network (the internet). It uses encryption
and tunneling protocols to create a secure, private connection between users and organizational resources, without
needing dedicated physical infrastructure. This makes VPNs cost-effective, flexible, and scalable.
Slide 5 - A Typical VPN
"This slide illustrates how a typical VPN works by securely connecting a head office and a branch office over a public network
(the internet) using VPN tunnels and gateways.
1. Head Office & Branch Office – These are the two locations that need secure communication. Instead of using expensive
private leased lines, they use a VPN tunnel over the internet.
2. VPN Gateways – Both the head office and branch office have VPN gateways (firewalls or routers with VPN
functionality). These gateways encrypt outgoing data and decrypt incoming data to ensure security.
3. Public Network (Internet) – The data travels through the public internet but remains protected inside an encrypted
VPN tunnel, preventing unauthorized access.
4. VPN Tunnel – This is the secure, encrypted path that connects the branch office to the head office. VPN protocols like
IPSec, L2TP, or GRE are used to establish and maintain the tunnel.
In simple terms, a VPN allows secure communication between offices and remote users over the internet, just like a private
network but at a much lower cost."
Slide 6 - What is Tunneling?
"This slide explains the concept of tunneling, which is a core technology behind VPNs.
1. What is Tunneling? – Tunneling is a method of encapsulating data packets from one protocol within another protocol to
securely transmit the data over an untrusted network, like the internet.
2. How It Works – The data is first encapsulated into a packet at the sender’s end and sent to a tunnel endpoint. At the
receiving end, the packet is decapsulated to retrieve the original data.
3. Common Tunneling Protocols – Protocols such as GRE, IPSec, L2TP, PPTP, and SSL are commonly used for tunneling.
These protocols ensure secure data transmission through encryption.
4. Tunneling Provides Security – By encrypting data during transmission, tunneling ensures confidentiality and integrity,
preventing unauthorized access and data tampering.
5. Virtual Private Networks (VPNs) – Tunneling is a foundational technique in VPNs, allowing them to create secure
connections between devices or networks over public networks.
6. Applications – Tunneling is widely used in scenarios like remote access VPNs, site-to-site VPNs, and even for bypassing
geo-restrictions in streaming services."
Slide 7 - Types of VPN – Remote Access and Site-to-Site
"This slide focuses on the two main types of VPNs: Remote Access VPN and Site-to-Site VPN.
1. Remote Access VPN – This type connects individual users, such as remote employees or telecommuters, to a company’s
private network over the internet. It is commonly used for secure access to organizational resources and is supported by
encryption and tunneling protocols like SSL and IPSec.
2. Site-to-Site VPN – This type connects entire networks, such as a company’s headquarters and branch offices, over the
internet. It establishes secure tunnels between gateways at each location and is ideal for organizations with
geographically distributed offices.
In summary, Remote Access VPNs secure individual connections, while Site-to-Site VPNs connect entire networks seamlessly."
Slide 8 - Remote Access VPN (Diagram)
"This slide illustrates the architecture of a Remote Access VPN, showcasing two primary connection types: client-based and
clientless connections.
1. Client-Based Connections – In this setup, the user’s PC or device uses dedicated VPN client software to connect
securely to the corporate network. The client authenticates and establishes an encrypted tunnel between the device and
the corporate servers through the router.
2. Clientless Connections – Here, users access the VPN via a web browser without the need for dedicated client software.
This is particularly useful for occasional or temporary users who require access to specific corporate resources.
The router acts as the VPN gateway, handling encryption, authentication, and tunneling protocols, ensuring secure communication
with the corporate servers."
Slide 9 - Site-to-Site VPN (Diagram)
"This slide illustrates the architecture of a Site-to-Site VPN, which connects two LANs, labeled Site 1 and Site 2, over the internet.
1. How it Works – A VPN gateway at each site establishes a secure connection through encrypted tunnels over the public
internet. These tunnels ensure that data remains confidential and secure during transmission between the two sites.
2. Modes of Operation –
○ Tunnel Mode: In this mode, the entire IP packet is encrypted and encapsulated into a new packet before being
sent through the VPN tunnel. This mode is used for communication between two networks, as it provides full
encryption of the transmitted data.
○ Transport Mode: In transport mode, only the payload (data) of the packet is encrypted, while the header
remains intact. This mode is typically used for end-to-end communication between specific devices.
Site-to-Site VPNs are ideal for organizations with multiple offices in different locations, as they enable secure, seamless
communication between their networks without the need for individual user authentication."
Slide 10 - VPN Protocols – Layer 2 and Layer 3
"This slide briefly explains VPN protocols at Layer 2 and Layer 3 of the OSI model.
1. Layer 2 Protocols:
○ PPTP (Point-to-Point Tunneling Protocol): One of the earliest VPN protocols, easy to set up but less secure.
○ L2TP (Layer 2 Tunneling Protocol): Often combined with IPSec for encryption, offering stronger security
compared to PPTP.
2. Layer 3 Protocols:
○ IPSec (Internet Protocol Security): A widely used protocol for encrypting data and establishing secure
tunnels, offering robust authentication and encryption.
○ GRE (Generic Routing Encapsulation): A tunneling protocol that encapsulates a variety of data types but
lacks encryption, so it’s often paired with IPSec for security.
Layer 2 focuses on encapsulating data frames, while Layer 3 handles the encryption and secure transport of IP packets over
networks."
Slide 11 - PPTP
1. Developed by Microsoft
○ PPTP was introduced by Microsoft in Windows NT 4.0 for remote access VPNs.
○ It became widely used due to its integration with Windows operating systems.
2. Encapsulates PPP Frames
○ PPTP encapsulates PPP (Point-to-Point Protocol) frames, allowing support for authentication and encryption.
○ However, the encryption methods used (like MS-CHAPv2) are considered weak by modern standards.
3. Uses GRE Tunneling
○ Data is encapsulated using Generic Routing Encapsulation (GRE), which allows it to be transported over an IP
network.
○ Unlike L2TPv3, which supports multiple Layer 2 protocols, PPTP primarily works with PPP.
4. Ports Used
○ TCP port 1723 is used for session control and setup.
○ GRE (IP protocol 47) is used for data transmission.
○ Many firewalls block PPTP due to GRE usage, causing connectivity issues.
5. Fast but Insecure
○ PPTP has minimal encryption overhead, making it faster than other VPN protocols.
○ However, it is highly vulnerable to attacks, including brute force and man-in-the-middle (MITM) attacks.
6. Limited to Layer 2.5
○ While PPTP works with Layer 2 (PPP), it depends on IP (Layer 3) for transport, making it a Layer 2.5 protocol.
○ Unlike L2TPv3 or VPLS, it cannot transport raw Layer 2 frames transparently.
7. Obsolete & Replaced
○ PPTP is deprecated due to weak encryption and security vulnerabilities.
○ Modern VPNs use L2TP/IPSec, OpenVPN, WireGuard, or IKEv2/IPSec, which offer better security and
flexibility.
Slide 12 - L2TP
Developed by Cisco & Microsoft
● L2TP (Layer 2 Tunneling Protocol) was introduced as a combination of PPTP (by Microsoft) and L2F (by Cisco).
● It was designed to provide a more flexible and secure tunneling solution than PPTP.
Encapsulates Layer 2 Frames
● Unlike PPTP, L2TP supports multiple Layer 2 protocols such as PPP, Frame Relay, ATM, and Ethernet.
● This makes it more versatile for different network environments.
Uses UDP for Transport
● L2TP uses UDP port 1701 for both control and data transfer.
● Unlike PPTP, which relies on GRE, L2TP can traverse firewalls more easily.
No Built-in Encryption
● L2TP does not provide encryption on its own.
● It is almost always used with IPSec (L2TP/IPSec) to provide confidentiality and authentication.
Supports Multiprotocol Transport
● Unlike PPTP, which primarily supports PPP, L2TP can transport multiple Layer 2 protocols.
● This makes it useful for enterprise and ISP-level VPN services.
More Secure Than PPTP
● When combined with IPSec, L2TP/IPSec provides AES encryption and strong authentication.
● Unlike PPTP, which has known security flaws, L2TP/IPSec is considered safe for most VPN use cases.
Widely Used for VPNs
● L2TP/IPSec is supported by Windows, macOS, Linux, iOS, and Android.
● Many VPN providers offer L2TP/IPSec as an alternative to OpenVPN and WireGuard.
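The port and protocol numbers on the PPTP and L2TP slides are exactly what a firewall or a network sensor matches on. The following Python example, added here and not taken from the presentation, classifies constructed IPv4 packets by those values (TCP 1723 and GRE protocol type 0x880B for PPTP, UDP 1701 for L2TP, UDP 500/4500 and IP protocol 50/51 for the IPSec that L2TP depends on) and shows why a firewall that forwards only TCP and UDP passes PPTP's control channel but silently drops its GRE data channel. The addresses and packet contents are made up for the demo; 0x880B and the IKE/ESP/AH numbers are the standard values rather than figures from the slides.

```python
import socket
import struct

# IP protocol numbers and well-known ports used by the VPN protocols on the slides
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT = 1723              # TCP, PPTP session control
L2TP_PORT = 1701                      # UDP, L2TP control and data
IKE_PORT, IKE_NATT_PORT = 500, 4500   # UDP, IKE negotiation and IPsec NAT traversal
PPTP_GRE_PROTOCOL_TYPE = 0x880B       # GRE protocol type for the PPP frames PPTP carries


def ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left 0) followed by the transport-layer bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def classify(packet: bytes) -> str:
    """Label an IPv4 packet by the VPN protocol it belongs to, from protocol number and ports alone."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes; handles IP options
    proto = packet[9]
    if proto == PROTO_ESP:
        return "ipsec-esp"
    if proto == PROTO_AH:
        return "ipsec-ah"
    if proto == PROTO_GRE:
        if len(packet) >= ihl + 4:
            _flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
            if ptype == PPTP_GRE_PROTOCOL_TYPE:
                return "pptp-data"
        return "gre"
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(packet) < ihl + 4:
            return "truncated"
        ports = set(struct.unpack("!HH", packet[ihl:ihl + 4]))   # source and destination port
        if proto == PROTO_TCP and PPTP_CONTROL_PORT in ports:
            return "pptp-control"
        if proto == PROTO_UDP:
            if L2TP_PORT in ports:
                return "l2tp"
            if IKE_PORT in ports:
                return "ike"
            if IKE_NATT_PORT in ports:
                return "ipsec-nat-t"
    return "other"


def tcp_udp_only_firewall_allows(packet: bytes) -> bool:
    """A firewall that forwards only TCP and UDP: PPTP's control channel passes, its GRE data does not."""
    return packet[9] in (PROTO_TCP, PROTO_UDP)


def sample_packets() -> list:
    """Constructed packets between a client 192.0.2.10 and a VPN server 198.51.100.5 (documentation addresses)."""
    c, s = "192.0.2.10", "198.51.100.5"
    return [
        ipv4(c, s, PROTO_TCP, struct.pack("!HH", 40001, PPTP_CONTROL_PORT) + b"\x00" * 16),          # PPTP control
        ipv4(c, s, PROTO_GRE, struct.pack("!HH", 0x3001, PPTP_GRE_PROTOCOL_TYPE) + b"\x00" * 8),    # PPTP data (GRE v1)
        ipv4(c, s, PROTO_UDP, struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 24, 0) + b"\x00" * 16),    # L2TP
        ipv4(c, s, PROTO_UDP, struct.pack("!HHHH", 500, IKE_PORT, 36, 0) + b"\x00" * 28),           # IKE
        ipv4(c, s, PROTO_ESP, struct.pack("!II", 0x1234, 1) + b"\x00" * 16),                         # ESP
        ipv4(c, s, PROTO_TCP, struct.pack("!HH", 40002, 443) + b"\x00" * 16),                        # ordinary HTTPS
    ]


if __name__ == "__main__":
    for p in sample_packets():
        print(classify(p), "allowed" if tcp_udp_only_firewall_allows(p) else "dropped")
```

The second line of the output is the PPTP failure mode from the slide: the TCP 1723 session sets up fine, then every data packet is dropped because it is IP protocol 47 rather than TCP or UDP.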
Slide 13 - IPSec
Operates at Layer 3
● Unlike SSL VPNs, which work at the Application Layer, IPSec works at the Network Layer (Layer 3).
● It secures entire IP packets, making it ideal for site-to-site VPNs.
Provides Confidentiality, Integrity, and Authentication
● Confidentiality: Encrypts data to prevent eavesdropping.
● Integrity: Ensures data is not altered in transit using hashing algorithms (e.g., SHA-256).
● Authentication: Verifies sender and receiver using pre-shared keys or digital certificates.
Two Main Modes: Tunnel Mode & Transport Mode
● Tunnel Mode: Encrypts the entire IP packet, including headers. Used in site-to-site VPNs.
● Transport Mode: Encrypts only the payload, leaving headers intact. Used in host-to-host communication.
Uses Two Core Protocols: AH & ESP
● AH (Authentication Header): Ensures integrity and authentication, but does not encrypt data.
● ESP (Encapsulating Security Payload): Provides encryption, authentication, and integrity for secure communication.
Supports IKE (Internet Key Exchange)
● IKEv1 & IKEv2 help establish secure key exchange between VPN endpoints.
● They dynamically negotiate encryption keys and security policies.
Commonly Used in Site-to-Site & Remote Access VPNs
● Site-to-Site VPNs: Secure communication between offices over the internet.
● Remote Access VPNs: Securely connect remote users to corporate networks.
Stronger Security Than PPTP & L2TP
● Uses AES (Advanced Encryption Standard) for strong encryption.
● Unlike PPTP, which is vulnerable to attacks, IPSec is widely used in enterprise environments.
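To show what tunnel mode and transport mode actually change on the wire (slides 9 and 13), here is an added Python example that is not part of the presentation: it builds an ESP-style packet both ways and reports what a passive observer on the public network can read. The cipher is a labelled XOR-keystream stand-in for AES so the example runs with the standard library only, and the ESP padding, trailer and ICV are omitted; the key, SPI and addresses are constructed.

```python
import hashlib
import socket
import struct

ESP_PROTOCOL = 50           # IP protocol number for ESP (AH would be 51)
TCP_PROTOCOL = 6
DEMO_KEY = b"demo-esp-key"  # constructed for the example; a real SA uses an AES key negotiated by IKE


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: version/IHL, TOS, total length, id, flags, TTL, protocol, checksum 0, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, protocol, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher (XOR with a SHA-256 derived keystream) standing in for AES so the demo has
    no dependencies; it is symmetric, so the same call decrypts. Not a real cipher, do not reuse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def esp_encapsulate(spi: int, seq: int, plaintext: bytes, key: bytes, iv: bytes = b"\x01" * 8) -> bytes:
    """ESP header (SPI, sequence number) + IV + encrypted data. Padding, trailer and ICV omitted for brevity."""
    return struct.pack("!II", spi, seq) + iv + keystream_xor(key, iv, plaintext)


def esp_decapsulate(esp: bytes, key: bytes) -> bytes:
    _spi, _seq = struct.unpack("!II", esp[:8])
    iv = esp[8:16]
    return keystream_xor(key, iv, esp[16:])


def transport_mode(packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: original IP header kept (Protocol rewritten to ESP), only the payload is encrypted."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    esp = esp_encapsulate(spi, seq, packet[20:], key)
    return ipv4_header(src, dst, ESP_PROTOCOL, len(esp)) + esp


def tunnel_mode(packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: the whole original packet (header included) is encrypted behind a new gateway-to-gateway header."""
    esp = esp_encapsulate(spi, seq, packet, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTOCOL, len(esp)) + esp


def tunnel_unwrap(packet: bytes, key: bytes) -> bytes:
    """Receiving gateway: strip the outer header, decrypt, recover the original inner packet."""
    return esp_decapsulate(packet[20:], key)


def wire_view(packet: bytes) -> dict:
    """What a passive observer on the public network reads without the key."""
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]), "protocol": packet[9]}


def sample_packet() -> bytes:
    """Constructed inner packet: host 10.1.1.10 -> 10.2.2.20 with a plaintext request as payload."""
    payload = b"GET /payroll.csv HTTP/1.1"
    return ipv4_header("10.1.1.10", "10.2.2.20", TCP_PROTOCOL, len(payload)) + payload


if __name__ == "__main__":
    original = sample_packet()
    print("transport:", wire_view(transport_mode(original, 0x1000, 1, DEMO_KEY)))
    print("tunnel:   ", wire_view(tunnel_mode(original, "203.0.113.1", "198.51.100.1", 0x2000, 1, DEMO_KEY)))
```

In transport mode the observer still sees which two hosts are talking (10.1.1.10 and 10.2.2.20), only the payload is hidden; in tunnel mode the observer sees only the two gateway addresses, which is why site-to-site VPNs use it.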
Slide 14 - GRE
Tunneling Protocol at Layer 3
● GRE is a Layer 3 protocol that encapsulates network layer packets inside another IP packet.
● It is often used for VPNs and network interoperability.
Protocol Number 47
● Unlike TCP (IP protocol number 6) and UDP (IP protocol number 17), GRE uses IP protocol number 47.
● Since it is not a TCP/UDP-based protocol, firewalls may block it unless explicitly allowed.
Encapsulates Various Protocols
● GRE can transport IPv4, IPv6, MPLS, AppleTalk, and other non-IP traffic over an IP network.
● This makes it useful in scenarios requiring cross-protocol communication.
No Built-in Security
● GRE does not offer encryption or authentication by itself.
● To enhance security, it is often used with IPSec (GRE over IPSec), which encrypts the GRE tunnel.
Used in Site-to-Site VPNs
● GRE tunnels are commonly used to connect two remote sites over the internet.
● Internet Service Providers (ISPs) and enterprises use it for network expansion and interoperability.
Simple and Lightweight
● GRE has minimal overhead, making it a fast tunneling solution.
● However, because it lacks encryption, it should not be used for secure communications without IPSec.
Multipoint Support via mGRE (Multipoint GRE)
● Standard GRE requires one tunnel per remote site (point-to-point).
● mGRE (Multipoint GRE) allows multiple remote sites to connect using a single tunnel interface, reducing
configuration complexity.
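Tunneling (slide 6) and GRE (slide 14) come down to the same byte-level operation, so this added Python example (not from the presentation) implements it: a basic GRE header with its protocol type and optional Key field, an outer IPv4 header carrying protocol number 47, and the decapsulation at the far end. It also checks that the inner payload is still readable on the wire, which is the concrete reason GRE is paired with IPSec. The addresses and payload are constructed; the protocol type and flag values are the standard ones.

```python
import socket
import struct

GRE_PROTOCOL = 47                                                      # IP protocol number in the outer header
ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_MPLS = 0x0800, 0x86DD, 0x8847  # GRE protocol type values
GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000   # C, K, S bits (RFC 2784 / RFC 2890)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, checksum left 0 for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    protocol_type: int = ETHERTYPE_IPV4, key: int = None) -> bytes:
    """Wrap `inner` in a GRE header and a new outer IPv4 header addressed to the tunnel endpoints."""
    flags = GRE_FLAG_KEY if key is not None else 0      # version bits stay 0 (basic GRE)
    gre = struct.pack("!HH", flags, protocol_type)
    if key is not None:
        gre += struct.pack("!I", key)                    # optional Key distinguishes tunnels between the same endpoints
    gre += inner
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre)) + gre


def gre_decapsulate(packet: bytes):
    """Tunnel endpoint: validate the outer header, skip GRE header and optional fields, return (protocol_type, key, inner)."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != GRE_PROTOCOL:
        raise ValueError("not a GRE-over-IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    offset = ihl + 4
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4                                      # checksum + reserved1
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4                                      # sequence number
    return ptype, key, packet[offset:]


def sample_inner() -> bytes:
    """Constructed inner packet: 10.1.1.10 -> 10.2.2.20 carrying a plaintext request."""
    payload = b"GET /payroll.csv HTTP/1.1"
    return ipv4_header("10.1.1.10", "10.2.2.20", 6, len(payload)) + payload


def plaintext_exposed(packet: bytes, marker: bytes = b"GET /payroll") -> bool:
    """True when the inner payload can be read straight off the wire: GRE alone gives no confidentiality."""
    return marker in packet


if __name__ == "__main__":
    outer = gre_encapsulate(sample_inner(), "203.0.113.1", "198.51.100.1", key=1001)
    print("outer protocol:", outer[9], "exposed:", plaintext_exposed(outer))
    print(gre_decapsulate(outer))
```

The same `gre_encapsulate` call with `protocol_type=ETHERTYPE_IPV6` or `ETHERTYPE_MPLS` carries those payloads unchanged, which is the "encapsulates various protocols" point from the slide; the `plaintext_exposed` check is what you would expect to fail once the GRE packet itself is wrapped in ESP (GRE over IPSec).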
Slide 15 - Advantages vs Disadvantages
Advantages:
Enhanced Security & Privacy
● VPNs use encryption (AES-256, IPSec, etc.) to protect data from hackers and cybercriminals.
● Prevents man-in-the-middle (MITM) attacks and unauthorized access.
Bypasses Geo-Restrictions
● Allows users to access streaming services, websites, and apps that are blocked in certain countries.
● Commonly used to access Netflix, BBC iPlayer, and region-restricted content.
Secure Remote Access
● Employees can work from anywhere securely by connecting to a corporate VPN.
● Ensures data confidentiality in remote work environments.
Anonymity & IP Masking
● VPNs replace the user’s real IP address with a VPN server's IP.
● Helps protect identity from websites, advertisers, and government tracking.
Prevents ISP Throttling
● ISPs sometimes slow down (throttle) certain traffic types like streaming or gaming.
● A VPN hides your activity, preventing ISPs from limiting bandwidth.
Protects Data on Public Wi-Fi
● Public Wi-Fi networks (e.g., cafes, airports) are vulnerable to cyberattacks.
● A VPN encrypts data, preventing eavesdropping and hacking attempts.
Supports Multiple Protocols
● Users can choose between different VPN protocols:
○ IPSec for security,
○ WireGuard for speed,
○ OpenVPN for flexibility.
Disadvantages:
1. Reduces Internet Speed
○ VPN encryption and rerouting of traffic can slow down internet speed.
○ High-quality VPNs minimize this with optimized servers and protocols like WireGuard.
2. Can Be Blocked by Websites & ISPs
○ Some services (e.g., Netflix, banking websites) detect and block VPN traffic.
○ ISPs in some countries also block VPN access to control internet use.
3. Not Always 100% Secure
○ Some free VPNs log user data and sell it to advertisers.
○ Poorly configured VPNs can leak DNS/IP information, reducing anonymity.
4. Legal & Compliance Issues
○ Some countries (China, Russia, UAE) restrict or ban VPNs.
○ Businesses must comply with data protection laws when using VPNs.
5. Setup & Configuration Complexity
○ Corporate VPNs require firewall rules, authentication, and encryption setup.
○ Misconfigurations can lead to security vulnerabilities.
6. Subscription Costs
○ Reliable VPN services (ExpressVPN, NordVPN, etc.) require monthly or yearly payments.
○ Free VPNs often have data limits and security risks.
7. Limited Device Compatibility
○ Smart TVs, gaming consoles, and IoT devices may not support VPNs directly.
○ Users need router-based VPNs or smart DNS alternatives.