Why Use VPN?
By using a VPN, enterprises can use the same untrusted public networks operated by Internet Service Providers, without any additional expensive private communication link, to securely connect remote users' computers to the corporate network. Moreover, because the remote computer is authenticated and the data encrypted before being sent through the tunnel, once a VPN connection has been established the remote computer can be trusted and logically treated as a local computer on the corporate LAN. In fact, the remote client will even be allocated an IP address from the corporation's IP address space once it has been successfully authenticated.
How Will CityU Implement its VPN?
Initially, two Cisco VPN servers will be installed between the perimeter firewall and the campus network. Each VPN server is a dedicated network device that can handle hundreds of simultaneous VPN connections in client/server mode.
What is Needed to Remotely Access the Campus Network Through VPN?
To remotely access CityU's Intranet through VPN, the remote PC must have VPN client software installed. Most Windows users can simply use the VPN client software that comes with the operating system.
Under Windows, the VPN tunnel is provided by one of two protocols, PPTP or L2TP. PPTP was developed by Microsoft, while L2TP was developed jointly by Microsoft and Cisco. Under UNIX or Linux, SSH is used for VPN.
PPTP uses the same authentication protocols as PPP (a communication protocol for making a connection between two parties over dial-up), such as EAP, CHAP, PAP and SPAP, to authenticate the identity of the remote user. For encryption purposes, however, it is best to use EAP or MS-CHAP for authentication, because these allow link encryption (see below) via MPPE.
L2TP, like PPTP, provides user authentication and data encryption. In addition, it provides mutual computer authentication and data integrity (which ensures that data cannot be changed undetected during transmission or transit). L2TP is also more secure, as it provides end-to-end encryption through IPSec, while PPTP provides only link encryption through MPPE. Link encryption is data encryption between the VPN client and the VPN server, while end-to-end encryption is data encryption between the client application and the server hosting the resource or service being accessed by the client application. However, a VPN using L2TP is more difficult and complex to configure than one using PPTP.
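The choices described above (PPTP versus L2TP/IPSec, PAP/CHAP versus MS-CHAP/EAP, and whether MPPE encryption is mandatory) map directly onto settings of the Windows built-in VPN client. The following PowerShell script is an added example, not part of the CSC article or CityU's configuration instructions; it uses the VpnClient cmdlets of Windows 8 / Server 2012 and later, and the server address, connection names and pre-shared key are placeholders.

```powershell
# Added example (not from the CSC article): audit and harden a Windows VPN
# client entry with the VpnClient cmdlets (Windows 8 / Server 2012 or later).
# 'vpn.example.invalid' and the PSK are placeholders, not CityU's real values.

function Test-VpnClientHardening {
    param([Parameter(Mandatory)][string]$Name)
    $c = Get-VpnConnection -Name $Name -ErrorAction Stop
    $findings = @()
    # PPTP offers only MPPE link encryption; L2TP carries the tunnel inside IPsec.
    if ($c.TunnelType -eq 'Pptp') {
        $findings += 'Tunnel type is PPTP; prefer L2TP/IPsec.'
    }
    # PAP sends the password in clear, and neither PAP nor CHAP can derive MPPE keys.
    $weakAuth = @($c.AuthenticationMethod) | Where-Object { $_ -in 'Pap', 'Chap' }
    if ($weakAuth) {
        $findings += "Weak authentication allowed: $($weakAuth -join ', '); use MSChapv2 or EAP."
    }
    # 'Optional' or 'NoEncryption' lets the link fall back to clear text.
    if ($c.EncryptionLevel -notin 'Required', 'Maximum') {
        $findings += "Encryption level is '$($c.EncryptionLevel)'; set it to Required or Maximum."
    }
    [pscustomobject]@{ Name = $Name; Hardened = ($findings.Count -eq 0); Findings = $findings }
}

# Weak profile: PPTP, PAP permitted, encryption merely optional.
Add-VpnConnection -Name 'Campus-Weak' -ServerAddress 'vpn.example.invalid' `
    -TunnelType Pptp -AuthenticationMethod Pap, MSChapv2 -EncryptionLevel Optional -Force

# Hardened profile: L2TP over IPsec, MS-CHAP v2 only, encryption mandatory.
# A real deployment would use its own PSK or machine certificates instead of the placeholder.
Add-VpnConnection -Name 'Campus-L2TP' -ServerAddress 'vpn.example.invalid' `
    -TunnelType L2tp -L2tpPsk 'PLACEHOLDER-PSK' -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -RememberCredential:$false -Force

# Audit both entries; the weak one is reported with three findings, the L2TP one as hardened.
Test-VpnClientHardening -Name 'Campus-Weak'
Test-VpnClientHardening -Name 'Campus-L2TP'
```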
As the encapsulation and encryption process can add around 20-30 percent additional overhead, if you access campus services through VPN over a low-speed dial-up connection you can expect slower delivery of service. Nevertheless, reliable file transfer and other basic remote access functions will still be provided.
When Will CityU's VPN Be Available?
The Computing Services Centre (CSC) is currently conducting a trial run of the VPN. Should you be interested in joining it, please visit the URL below for instructions on how to configure the VPN client software:
http://www.cityu.edu.hk/csc/deptweb/facilities/ctnet/vpn/vpn.htm
It is expected that the VPN service will be available in mid-January 2003.
Acronyms:
VPN: Virtual Private Network
TCP/IP: Transfer Control Protocol/Internet Protocol
PPTP: Point to Point Tunneling Protocol
L2TP: Layer 2 Transfer Protocol
SSH: Secure Shell
EAP: Extensible Authentication Protocol
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol
CHAP: Challenge Handshake Authentication Protocol
PAP: Password Authentication Protocol
SPAP: Shiva Password Authentication Protocol
MPPE: Microsoft Point-to-Point Encryption
IPSec: Internet Protocol Security