12 Understanding VPNs


1. Module 12: Understanding Virtual Private Networks

2. Agenda
   - What Are VPNs?
   - VPN Technologies
   - Access, Intranet, and Extranet VPNs
   - VPN Examples

3. What Are VPNs?
   - Virtual Private Networks (VPNs) extend the classic WAN
   - VPNs leverage the classic WAN infrastructure, including Cisco’s family of VPN-enabled routers and policy management tools
   - VPNs provide connectivity on a shared infrastructure with the same policies and “performance” as a private network, at a lower total cost of ownership
   [Diagram: a VPN carried over the service provider’s shared network (Internet, IP, Frame Relay, ATM)]

4. Virtual Private Networks
   - Extends the private network through the public Internet
   - Lower cost than a private WAN
   - Relies on tunneling and encryption
   [Diagram: Hong Kong and Paris sites linked across the Internet; the private, encrypted IP packet travels inside a public IP header]

5. Why Build a VPN?
   - Company information secured
   - Lower costs
     - Connectivity costs
     - Capital costs
     - Management and support costs
   - Wider connectivity options
   - Speed of deployment

6. What’s Driving VPN Offerings?
   - Reduced networking costs
   - Increased network flexibility
   - Mobile users and telecommuters
   - Organizational changes, mergers and acquisitions
   - Intranets and extranets

7. Who Buys VPNs?
   - Organizations wishing to:
     - Implement more cost-effective WAN solutions
     - Connect multiple remote sites
     - Deploy intranets
     - Connect to suppliers, business partners, and customers
     - Get back to their core business, and leave the WAN to the experts
     - Lower operational and capital equipment costs
   - Businesses with:
     - Multiple branch office locations
     - Telecommuters
     - Remote workers
     - Contractors and consultants

8. Networked Applications
   - Traditional applications
     - E-mail
     - Database
     - File transfer
   - New applications
     - Videoconferencing
     - Distance learning
     - Advanced publishing
     - Voice

9. Example of a VPN
   - Private networking service over a public network infrastructure
   [Diagram: Munich main office, New York, Milan and Paris offices connected over the Internet; a mobile worker dials in to Munich over the Internet]

10. VPN Technologies
    © 1999, Cisco Systems, Inc. www.cisco.com

11. VPN Technology Building Blocks
    [Diagram: Security; QoS]

12. Security
    - Tunnels and encryption
    - Packet authentication
    - Firewalls and intrusion detection
    - User authentication

13. Tunneling: L2F/L2TP
    - Mobile users
    - Telecommuters
    - Small remote offices
    Tunnel setup sequence: (1) user identification at the LAC in the service provider POP; (2) tunnel to the home gateway across the SP network/Internet; (3) user authentication (security server); (4) PPP negotiation with the user; (5) end-to-end tunnel established into the corporate intranet.

14. Tunneling: Generic Routing Encapsulation (GRE)
    - Mesh of virtual point-to-point interfaces
    - Encapsulates multiprotocol packets in IP tunnels
    - Application-level QoS
    - Value-added platform (new services)
    - Encryption-optional tunneling
    - Standard architecture for service providers with IP infrastructures
    [Diagram: Enterprise A and Enterprise B sites each connected across a service provider backbone]
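The GRE encapsulation the slide describes, as an added example that is not part of the deck: an inner IPv4 packet is wrapped in a 4-byte GRE header (RFC 2784, protocol type 0x0800) and an outer IPv4 header with protocol 47, and the receiver validates the outer checksum, the GRE version and the payload type before unwrapping. The addresses and the inner UDP packet are constructed sample values; GRE alone gives no confidentiality, which is why the slide calls encryption optional.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47           # IP protocol number of GRE in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IP header (proto 47) + minimal GRE header (no checksum/key/sequence) + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version word = 0, then protocol type
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(outer: bytes) -> bytes:
    """Validate the outer IP and GRE headers, then return the inner packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", outer[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != GRE_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE")
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags & 0x0007:                   # low 3 bits are the GRE version; must be 0
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported inner protocol 0x%04x" % ptype)
    # C (0x8000), K (0x2000) and S (0x1000) bits each add a 4-byte field (RFC 2784/2890)
    gre_len = 4 + 4 * bin(flags & 0xB000).count("1")
    return outer[ihl + gre_len:total_len]


# Constructed sample: a tiny UDP-marked inner packet tunneled between two gateway addresses.
SAMPLE_INNER = ipv4_header("10.1.1.5", "10.2.2.9", 17, 5) + b"hello"
SAMPLE_OUTER = gre_encapsulate(SAMPLE_INNER, "203.0.113.1", "198.51.100.7")
```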
15. What Is IPSec?
    - Network-layer encryption and authentication
    - Open standards for ensuring secure private communications over any IP network, including the Internet
    - Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
    - Data protected with network encryption, digital certification, and device authentication
    - Scales from small to very large networks

16. What Is Internet Key Exchange (IKE)?
    - Automatically negotiates policy to protect communication
    - Authenticated Diffie-Hellman key exchange
    - Negotiates (possibly multiple) security associations for IPSec
    [Diagram: IKE policy negotiation for the tunnel; one peer proposes 3DES, MD5 and RSA signatures, OR IDEA, SHA and DSS signatures, OR Blowfish, SHA and RSA encryption; the peers settle on IDEA, SHA and DSS signatures]
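What “authenticated Diffie-Hellman” means in IKE, as an added example rather than anything from the deck: the core of IKEv1 main mode with pre-shared-key authentication (RFC 2409 section 5.4), where each side derives SKEYID from the PSK and the nonces, then proves possession of it with HASH_I / HASH_R over the DH values, cookies, SA offer and identity, so a peer that does not hold the PSK is rejected even though it completed the DH exchange. The DH group is a constructed toy (a small safe prime), and the SA-offer bytes and identities are sample values; real IKE uses the large MODP groups.

```python
import hmac
import hashlib
import secrets

# Toy DH group, constructed for this demo only: safe prime p = 2q + 1 with generator 2.
# Real IKE negotiates one of the large MODP groups (RFC 2409 / RFC 3526).
P, G = 2579, 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's keyed prf: HMAC over the negotiated hash (HMAC-SHA1 here, the slide's 'SHA')."""
    return hmac.new(key, data, hashlib.sha1).digest()


def be(n: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE endpoint: its pre-shared key, identity, ISAKMP cookie, nonce and DH key pair."""
    def __init__(self, psk: bytes, ident: bytes):
        self.psk, self.ident = psk, ident
        self.cky = secrets.token_bytes(8)          # CKY-I / CKY-R
        self.nonce = secrets.token_bytes(16)       # Ni / Nr
        self.x = secrets.randbelow(P - 2) + 1      # private exponent
        self.gx = pow(G, self.x, P)                # public value g^x


def auth_hash(skeyid, gx_self, gx_peer, cky_self, cky_peer, sai, ident):
    """HASH_I / HASH_R (RFC 2409 5.1): binds DH values, cookies, SA offer and ID to SKEYID."""
    return prf(skeyid, be(gx_self) + be(gx_peer) + cky_self + cky_peer + sai + ident)


def phase1_psk(i: Peer, r: Peer, sai: bytes):
    """Main mode with PSK authentication; returns SKEYID_d on success, None on failure."""
    # Both sides compute the DH secret g^xy from the public value they received.
    gxy_i, gxy_r = pow(r.gx, i.x, P), pow(i.gx, r.x, P)
    # SKEYID = prf(PSK, Ni | Nr): each side uses its own copy of the PSK.
    sk_i, sk_r = prf(i.psk, i.nonce + r.nonce), prf(r.psk, i.nonce + r.nonce)
    # Initiator sends HASH_I; responder recomputes it under its own SKEYID and compares.
    hash_i = auth_hash(sk_i, i.gx, r.gx, i.cky, r.cky, sai, i.ident)
    r_accepts = hmac.compare_digest(hash_i, auth_hash(sk_r, i.gx, r.gx, i.cky, r.cky, sai, i.ident))
    # Responder answers with HASH_R (same construction, roles swapped); initiator verifies it.
    hash_r = auth_hash(sk_r, r.gx, i.gx, r.cky, i.cky, sai, r.ident)
    i_accepts = hmac.compare_digest(hash_r, auth_hash(sk_i, r.gx, i.gx, r.cky, i.cky, sai, r.ident))
    if not (r_accepts and i_accepts) or gxy_i != gxy_r:
        return None   # PSK mismatch or tampered exchange: no ISAKMP SA is established
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) seeds the IPSec (Phase 2) SA keys.
    return prf(sk_i, be(gxy_i) + i.cky + r.cky + b"\x00")
```

An unauthenticated DH exchange would hand both parties the same g^xy regardless of who they are talking to; the HASH_I / HASH_R step is what ties that secret to the configured PSK.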
17. IPSec VPN Client Operation
    [Diagram: a remote user with an IPSec client dials into the public network for access to the corporate network; IKE negotiation with the home gateway router exchanges an X.509 certificate or one-time password, checked against the certificate authority/AAA server; once authentication is approved the secure tunnel is established and encrypted data flows into the home network]

18. L2TP and IPSec Are Complementary
    - IPSec creates the remote tunnel
    - L2TP provides tunnel end-point authentication
    - IPSec maintains encryption
    - L2TP provides tunnels for non-IP traffic
    - AAA services and dynamic addressing, such as DHCP
    [Diagram: IPSec and L2TP tunnels with an AAA server]

19. Encryption: DES and 3DES
    - Widely adopted standard
    - Encrypts plain text, which becomes ciphertext
    - DES performs 16 rounds
    - Triple DES (3DES)
      - The 56-bit DES algorithm runs three times
      - 112-bit triple DES uses two keys
      - 168-bit triple DES uses three keys
    - Accomplished on a VPN client, server, router, or firewall

20. Firewalls
    - All traffic from inside to outside and vice versa must pass through the firewall
    - Only authorized traffic, as defined by the local security policy, is allowed in or out
    - The firewall itself is immune to penetration

21. User Authentication
    - Centralized security database (AAA services)
    - High availability
    - Same policy across many access points
    - Per-user access control
    - Single network login
    - Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
    [Diagram: a dial-in user reaches the network access server and an Internet user reaches the gateway router/firewall over the public Internet; both query the campus AAA server (TACACS+/RADIUS) for ID/user profiles, and the firewall intercepts connections]

22. VPNs and Quality of Service
    [Diagram: voice, premium IP and best-effort traffic pass through packet classification (CAR), traffic policing (CAR) and congestion avoidance (WRED); conforming traffic enters the tunnel layer (L2TP, IPSec, GRE), supported by AAA, CA and PBX]

23. Access, Intranet, and Extranet VPNs

24. Three Types of VPNs
    Type              | Application                                  | Alternative to       | Benefits
    Remote access VPN | Mobile users, remote connectivity            | Dedicated dial, ISDN | Ubiquitous access, lower cost
    Intranet VPN      | Site-to-site, internal connectivity          | Leased line          | Extend connectivity, lower cost
    Extranet VPN      | Business-to-business, external connectivity  | Fax, mail, EDI       | Facilitates e-commerce

25. Access VPNs
    - Ubiquitous access
    - Modem, ISDN
    - xDSL, cable
    Potential operations and infrastructure cost savings; client-initiated or NAS-initiated.
    [Diagram: enterprise DMZ (web servers, DNS server, SMTP mail relay, AAA, CA) reached through Service Provider A by a small office and by a mobile user or corporate telecommuter]

26. Access VPN Operation Overview
    Mobile users and telecommuters: (1) VPN identification at the NAS in the service provider POP; (2) tunnel to the home gateway across the SP network/Internet; (3) user authentication (security server); (4) PPP negotiation with the user; (5) end-to-end tunnel established into the corporate intranet.

27. Access VPN Basic Components
    [Diagram: dial client (PPP peer) over ISDN or async to the L2TP Access Concentrator, which consults its AAA server (RADIUS/TACACS+); the L2TP Network Server (home gateway) consults its own AAA server (RADIUS/TACACS+)]

28. Client-Initiated Access VPN
    - Encrypted tunnel from the remote client to the corporate network
    - Independent of access technology
    - Standards compliant
      - IPSec encapsulated tunnel
      - IKE key management
    [Diagram: encrypted IP from the client across the Internet into the corporate network]

29. Client-Initiated VPNs
    - Pros:
      - Use the same hardware for dedicated access
      - Dedicated encryption hardware in the firewall for performance
    - Cons:
      - Management of the IPSec PC client
      - Security must be initiated by the user

30. NAS-Initiated Access VPN
    [Diagram: user ([email_address]) dials the NAS, which tunnels to the home gateway across the IP network]

31. NAS-Initiated VPNs
    - Pros:
      - No PC client software to manage
      - Premium services
      - VPN and Internet access at the NAS
      - More scalable and manageable
    - Cons:
      - Users can connect only to certain POPs

32. The Intranet VPN
    Extends the corporate IP network across a shared WAN; potential operations and infrastructure cost savings.
    [Diagram: enterprise DMZ (web servers, DNS server, SMTP mail relay, AAA, CA) connected through Service Provider A to a remote office and a regional office]

33. The Extranet VPN
    Extends connectivity to business partners, suppliers, and customers; security policy very important.
    [Diagram: enterprise DMZ (web servers, DNS server, SMTP mail relay, AAA, CA) reached through Service Provider A and Service Provider B by a business partner and a supplier]

34. Intranet and Extranet VPNs
    - Multiple users, multiple sites, and potentially multiple companies or multiple communities of interest
    - Dedicated connections
    - Flexible architecture options
      - IP tunnels with IPSec or GRE
      - Managed router service with Frame Relay or ATM virtual circuits
      - Tag Switching/MPLS

35. Comparing the Types
    [Table: Access VPN (client-initiated, NAS-initiated), Intranet and Extranet compared by initiation type (client-initiated, NAS-initiated, router-initiated); the X marks are not recoverable from the transcript]

36. VPN Examples

37. Health Care Company Intranet Deployment
    Challenge—Low-cost means for connecting remote sites with the primary hospital
    [Diagram: primary hospital and remote centers linked over the public network and the private network]

38. Branch Office or Telecommuters
    - IPSec encrypts traffic from remote sites to the enterprise using any application
    - IPSec may be combined with other tunnel protocols, e.g., GRE
    - Telecommuters can gain secure, transparent access to the corporate network
    Challenge—Cost-effective means for connecting branch offices and telecommuters to the corporate network
    [Diagram: branch office or telecommuters reaching the enterprise over the public network]

39-40. Traditional Dialup Versus Access VPN (20 users; slide 40 repeats slide 39 and adds the totals)
    One-time capital cost
      Traditional dialup: remote access server $3,000; one-time installation fee for 10 phone lines $1,000; total $4,000
      Access VPN: access router, T1/E1, DSU/CSU, firewall $4,600; VPN client software ($50/user) $1,000; T1/E1 installation $5,000; total $10,600
    Recurring monthly cost
      Traditional dialup: long-distance charges $0.10 per minute, average use 90 minutes per day per user; total $5,400
      Access VPN: central-site T1/E1 intranet access $2,500; monthly ISP access ($20/user) $400; total $2,900

41. VPN Payback
    [Chart: total cost over months 1 to 12 ($0 to $80,000), traditional versus VPN; “Payback in 3 months!!”]

42. Summary
    - VPNs reduce costs
    - VPNs improve connectivity
    - VPNs maintain security
    - VPNs offer flexibility
    - VPNs are reliable
