VPNs are a common topic today. Just about everyone is talking about implementing one. This module explains what a VPN is and covers the basic VPN technology. We’ll also go through some examples of VPNs including a return on investment analysis.
So, what is a VPN? Simply defined, a VPN is an enterprise network deployed on a shared infrastructure employing the same security, management, and throughput policies applied in a private network. A VPN can be built on the Internet or on a service provider’s IP, Frame Relay, or ATM infrastructure. Businesses that run their intranets over a VPN service enjoy the same security, QoS, reliability, and scalability as they do in their own private networks. VPNs based on IP can naturally extend the ubiquitous nature of intranets over wide-area links, to remote offices, mobile users, and telecommuters. Further, they can support extranets linking business partners, customers, and suppliers to provide better customer satisfaction and reduced manufacturing costs. Alternatively, VPNs can connect communities of interest, providing a secure forum for common topics of discussion.
Building a virtual private network means you use the “public” Internet (or a service provider’s network) as your “private” wide-area network. Since it’s generally much less expensive to connect to the Internet than to lease your own data circuits, a VPN may allow to you connect remote offices or employees who wouldn’t ordinarily justify the cost of a regular WAN connection. VPNs may be useful for conducting secure transactions, or transferring highly confidential data between offices that have a WAN connection. Some of the technologies that make VPNs possible are: Tunneling Encryption QoS Comprehensive security
Why should customers consider a VPN? Company information is secured VPNs allow vital company information to be secure against unwanted intrusion Reduce costs Internet-based VPNs offer low-cost connectivity from anywhere in the world, and can be considered a viable replacement for leased-line or Frame Relay services Using the Internet as a replacement for expensive WAN services can cut costs by as much as 60 percent, according to Forrester Research Also lower remote costs by connecting a mobile user over the Internet. (Often referred to as a virtual private dial-up networking, or VPDN). Wider connectivity options for users A VPN can provide more connectivity options (for example, over cable, DSL, telephone, or Ethernet) Increased speed of deployment Extranets can be created more easily (you don’t wait for suppliers). This keeps the customer in control of their own destiny. However, for an Internet-based VPN to be considered as a viable replacement for leased-line or Frame Relay service, it must be able to offer a comparable level of security, quality of service, and reliability.
The strain on today's corporate networks is greater than ever before. Network managers must continually find ways to connect geographically dispersed work groups in an efficient, cost-effective manner. Increasing demands from feature-rich applications used by a widely dispersed workforce are causing businesses of all sizes to rethink their networking strategies. As companies expand their networks to link up with partners, and as the number of telecommuters and remote users continues to grow, building a distributed enterprise becomes ever more challenging. To meet this challenge, VPNs have emerged, enabling organizations to outsource network resources on a shared infrastructure. Access VPNs in particular appeal to a highly mobile work force, enabling users to connect to the corporate network whenever, wherever, or however they require.
Scores of network managers are faced with a daunting task: connect a growing number of geographically dispersed sites to their enterprise networks while working within a limited budget. VPNs can help companies reap benefits such as dramatically lower WAN costs, improved global connectivity, and better reliability, while enabling capabilities such as secure extranet communications. Remote dial, Internet, intranet, and extranet access can all be consolidated over a single WAN connection to the Internet. VPNs are attractive to networking managers because they provide easy access to intranets, the in-house communication tools that companies are using increasingly to run their mission-critical applications. Because intranets are built on IP-based Web browsers, VPNs based on IP are required to extend their capabilities transparently, over wide-area links to remote offices, mobile workers, and telecommuters within a company, or to suppliers, business partners, and customers outside an organization. Managers are considering VPNs for other compelling reasons, too: reduced long-distance phone charges for remote access, lower operational and capital equipment costs, faster and easier connectivity, and simplified WAN administration.
The traditional drivers of network deployment are also driving the deployment of VPNs. New networked applications, such as videoconferencing, distance learning, advanced publishing, and voice applications, offer businesses the promise of improved productivity and reduced costs. As these networked applications become more prevalent, businesses are increasingly looking for intelligent services that go beyond transport to optimize the security, quality of service, management and scalability/reliability of applications end to end.
This what a VPN might look like for a company with offices in Munich, New York, Paris, and Milan.
Let’s take a look at some of the technologies that are integral to virtual private networks.
Business-ready VPNs rely on both security and QoS technologies. Let’s take a look at both of these in more detail.
Deploying WANs on a shared network makes security issues paramount. Enterprises need to be assured that their VPNs are secure from perpetrators observing or tampering with confidential data passing over the network and from unauthorized users gaining access to network resources and proprietary information. Encryption, authentication, and access control guard against these security breaches. Key components of VPN security are as follows: Tunnels and encryption Packet authentication Firewalls and intrusion detection User authentication These mechanisms complement each other, providing security at different points throughout the network. VPN solutions must offer each of these security features to be considered a viable solution for utilizing a public network infrastructure. Let’s start by looking at tunnels and encryption. We’re going to look in detail at Layer 2 Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), for tunnel support, as well as the strongest standard encryption technologies available--- IPSec, DES and 3DES.
Layer 2 Forwarding (L2F) enables remote clients to gain access to corporate networks through existing public infrastructures, while retaining control of security and manageability. Cisco has submitted this new technology to the IETF for approval as a standard. It supports scalability and reliability features as discussed in later sections of this document. L2F achieves private network access through a public system by building a secure &quot;tunnel&quot; across a public infrastructure to connect directly to a home gateway. The service requires only local dialup capability, reducing user costs and providing the same level of security found in private networks. Using L2F tunneling, service providers can create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server at the POP exchanges PPP messages with the remote users and communicates by L2F requests and responses with the customer's home gateway to set up tunnels. L2F passes protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection. Frames from remote users are accepted by the service provider POP, stripped of any linked framing or transparency bytes, encapsulated in L2F, and forwarded over the appropriate tunnel. The customer's home gateway accepts these L2F frames, strips the L2F encapsulation, and processes incoming frames for the appropriate interface. Layer 2 Tunneling Protocol (L2TP) is an extension to PPP. It is a draft IETF standard derived from Cisco L2F and Microsoft Point-to-Point Tunneling Protocol (PPTP). L2TP delivers a full range of security control and policy management features, including end-user security policy control. Business customers have ultimate control over permitting and denying users, services, or applications.
GRE, or Generic Routing Encapsulation, is the standard solution for Service Providers that have an established IP network and want to provide managed IP VPN services. One of the most significant advantages of this approach is that Service Providers can offer application-level QoS. This is possible because the routers still have visibility into the additional IP header information needed for fine-grained QoS (this is hidden in an IPSec packet). Traffic is restricted to a single provider’s network, allowing end-to-end QoS control. This restriction of “on-net only” traffic also allows the GRE tunnels to remain secure without using encryption. Customers who require greater levels of security can still use “on-demand” application-level encryption such as secure connections in a web browser. The entire connection may be encrypted, but at the cost of QoS granularity. In summary, GRE offers: Encryption-optional tunneling. Fine-grained QoS service capabilities, including application-level QoS. IP-level visibility makes this the platform of choice for building value-added services such as application-level bandwidth management.
Now let’s take a look at encryption. IPSec provides IP network-layer encryption. IPSec is a standards-based technology that governs security management in IP environments. Originally conceived to solve scalable security issues in the Internet, IPSec establishes a standard that lets hardware and software products from many vendors interoperate more smoothly to create end-to-end security. IPSec provides a standard way to exchange public cryptography keys, specify an encryption method (e.g., data encryption standard (DES) or RC4), and specify which parts of packet headers are encrypted.
IPSec assumes that a security association is in place, but does have a mechanism for creating that association. The IETF chose to break the process into two parts: IPSec provides the packet level processing while IKE negotiates security associations. IKE is the mechanism IPSec uses to set up SAs IKE can be used for more than just IPSec. IPSec is its first application. It can also be used with S/Mime, SSL, etc. IKE does several things: Negotiates its own policy. IKE has several methods it can use for authentication and encryption. It is very flexible. Part of this is to positively identify the other side of the connection. Once it has negotiated an IKE policy, it will perform an exchange of key-material using authenticated Diffie-Hellman. After the IKE SA is established, it will negotiate the IPSec SA. It can derive the IPSec key material with a new Diffie Hellman or by a permutation of existing key material. Summarize that IKE does these 3 things: Identification Negotiation of policy Exchange key material
Now that you understand both IPSec and IKE, let’s look at what really happens from the client’s perspective. An IPSec client is a software component that allows a desktop user to create an IPSec tunnel to a remote site. IPSec provides privacy, integrity, and authenticity for VPN client operations. With IPSec, no one can see what data you are sending and no one can change it. What’s input by a remote user dialing in via the public Internet is encrypted all the way to corporate headquarters with an IPSec client to a router at the home gateway. Here’s how it works. First, the remote user dials into the corporate network. The client uses either an X.509 or one-time password with a AAA server to negotiate an Internet Key Exchange. Only after it’s authenticated is a secure tunnel created. Then all data is encrypted. IPSec is transparent tot he network infrastructure and is scalable from very small applications to very large networks. As you can see, this is an ideal way to connect remote users or telecommuters to corporate networks in a safe and secure environment. NOTE: THIS SLIDE USES BUILDS.
11 9 25 Another thing that people often get confused about is the relationship between L2TP and IPSec. Remember that L2TP is Layer 2 Tunneling Protocol. Some people think that the two technologies are exclusive of each other. In fact, they are complementary. So you can use both of these together. IPSec can create remote tunnels. L2TP can provide tunnel and end-to-end authentication. So IPSec is going to maintain the encryption, but often times you want to tunnel non-IP traffic in addition to IP traffic. L2TP can be useful for that.
DES stands for Data Encryption Standard. It is a widely adopted standard created to protect unclassified computer data and communications. DES has been incorporated into numerous industry and international standards since its approval in the late 1970s. DES and 3DES are strong forms of encryption that allow sensitive information to be transmitted over untrusted networks. They enable customers to utilize network layer encryption. The encryption algorithm specified by DES is a symmetric, secret-key algorithm. Thus it uses one key to encrypt and decrypt messages, on which both the sending and receiving parties must agree before communicating. It uses a 56-bit key, which means that a user must correctly employ 56 binary numbers, or bits, to produce the key to decode information encrypted with DES. DES is extremely secure, however, it has been cracked on several occasions by chaining hundreds of computers together at the same time; but even then, it took a very long time to break. This led to the development of Triple DES which uses a 168-bit algorithm.
A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and network attacks, such as denial of service. Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted.
A key component of VPN security is making sure authorized users gain access to enterprise computing resources they need, while unauthorized users are shut out of the network entirely. AAA services (that stands for authentication, authorization, and accounting) provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial access and extranet applications of VPNs. Now that we’re done looking at security, let’s move on to QoS.
So how does QoS play a role in VPNs? Well, the goal of QoS is to control the utilization of bandwidth so that you can support mission critical applications. Here’s how it works. The customer premises equipment or CPE assigns packet priority based on the network policy. Packets are marked and bandwidth is managed so that the VNP WAN links don’t choke out the important traffic. One example of this could be an employee watching television off the Internet to his PC where the video traffic clogs a small 56K WAN line making it impossible for mission critical financial application data to pass. With QoS, you can take advantage of the service providers differentiated services to maximize network resources and minimize congestion at peak times. For example, e-mail traffic doesn’t care about latency, but video and mission-critical applications do. Some components of bandwidth management/QoS that apply to VPNs are as follows: Packet classification---assigns packet priority based on enterprise network policy Committed access rate (CAR)---provides policing and manages bandwidth based on applications and/or users according to enterprise network policy Weighted Random Early Detection (WRED)---complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable throughput rates These QoS features complement each other, working together in different parts of the VPN to create a comprehensive bandwidth management solution. Bandwidth management solutions must be applied at multiple points on the VPN to be effective; single point solutions cannot ensure predictable performance.
Let’s look now at the three types of VPNs.
As previously stated, VPN is defined as customer connectivity deployed on a shared infrastructure with the same policies as a private network. The shared infrastructure can leverage a service provider IP, Frame Relay, or ATM backbone, or the Internet. Cisco defines three types of virtual private networks according to how businesses and organizations use VPNs: Access VPNs provide remote connectivity to telecommuters and mobile users. They’re typically an alternative to dedicated dial or ISDN connections. They offer users a range of connectivity options as well as a much lower cost solution. Intranet VPNs link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. The VPN typically is an alternative to a leased line. It provides the benefit of extended connectivity and lower cost. Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. In this example, the VPN is often an alternative to fax, snail mail, or EDI. The extranet VPN facilitates e-commerce. Let’s look at the Access VPN in more detail.
Remote access VPNs extend the corporate network to telecommuters, mobile workers, and remote offices with minimal WAN traffic. They enable users to connect to their corporate intranets or extranets whenever, wherever, or however they require. Remote access VPNs provide connectivity to a corporate intranet or extranet over a shared infrastructure with the same policies as a private network. Access methods are flexible---asynchronous dial, ISDN, DSL, mobile IP, and cable technologies are supported. Migrating from privately managed dial networks to remote access VPNs offers several advantages, most notably: Reduced capital costs associated with modem and terminal server equipment Ability to utilize local dial-in numbers instead of long distance or 800 numbers, thus significantly reducing long distance telecommunications costs Greater scalability and ease of deployment for new users added to the network Restored focus on core corporate business objectives instead of managing and retaining staff to operate the dial network
16 In an Access VPN environment, the most important aspect of security revolves around identifying a user as a member of an approved customer company and establishing a tunnel to its home gateway, which handles per-user authentication, authorization, and accounting (AAA). User authentication is a critical characteristic of an Access VPN. Through a local point of presence (POP), a client establishes communication with the service provider network (1), and secondarily establishes a connection with the customer network (2). The Access VPN tunnel end points authenticate each other (3). Next, the user connects to the customer premises equipment (CPE) home gateway server (local network server) using PPP or SLIP (4) and is authenticated through a username/password handling protocol such as PAP, CHAP, or TACACS+. The home gateway maintains a relationship with an access control server (ACS), also known as an AAA server, using TACACS+ or RADIUS protocols. At this point, authorization is set up using the policies stored in the ACS and communicated to the home gateway at the customer premises (5). Often, the customer administrates the ACS server, providing ultimate and centralized control of who can access its network as well as which servers can be accessed. User profiles define what the user can do on the network. Using authorization profiles, the network creates a &quot;virtual interface&quot; for each user. Access policies are enforced using Cisco IOS software specific to each interface.
5 An access VPN has two basic components: L2TP Network Server (LNS): A device such as a Cisco router located in the customer premises. Remote dial users access the home LAN as if they were dialed into the home gateway directly, although their physical dialup is via the ISP network access server. Home gateway is the Cisco term for LNS. An LNS operates on any platform capable of PPP termination. LNS handles the server side of the L2TP protocol. Because L2TP relies only on the single media over which L2TP tunnels arrive, LNS may have only a single LAN or WAN interface, yet still be able to terminate calls arriving at any LAC's full range of PPP interfaces (async, synchronous ISDN, V.120, and so on). LNS is the initiator of outgoing calls and the receiver of incoming calls. LNS is also known as HGW in L2F terminology. L2TP Access Concentrator (LAC): A device such as a Cisco access server attached to the switched network fabric (for example, PSTN or ISDN) or colocated with a PPP end system capable of handling the L2TP protocol. An LAC needs to only implement the media over which L2TP is to operate to pass traffic to one or more local network servers (LNSs). It may tunnel any protocol carried within PPP. LAC is the initiator of incoming calls and the receiver of outgoing calls. LAC is also known as NAS in L2F.
There are two types of Access VPNs. Essentially they are dedicated or dial. With a dedicated or client-initiated Access VPNs, users establish an encrypted IP tunnel from their clients across a service provider's shared network to their corporate network. With a client-initiated architecture, businesses manage the client software tasked with initiating the tunnel. Client-initiated VPNs ensure end-to-end security from the client to the host. This is ideal for banking applications and other sensitive business transactions over the Internet. With client-initiated VPN Access, the end user has IPSec client software installed at the remote site, which can terminate into a firewall for termination into the corporate network. IPSec and IKE and certificate authority are used to generate the encryption, authentication, and certificate keys to be used to ensure totally secure VPN solutions.
An advantage of a client-initiated model is that the &quot;last mile&quot; service provider access network used for dialing to the point of presence (POP) is secured. An additional consideration in the client-initiated model is whether to utilize operating system embedded security software or a more secure supplemental security software package. While supplemental security software installed on the client offers more robust security, a drawback to this approach is that it entails installing and maintaining tunneling/encryption software on each client accessing the remote access VPN, potentially making it more difficult to scale.
8 24 In a NAS-initiated scenario, client software issues are eliminated. A remote user dials into a service provider's POP using a PPP/SLIP connection, is authenticated by the service provider, and, in turn, initiates a secure, encrypted tunnel to the corporate network from the POP using L2TP or L2F. With a NAS-initiated architecture, all VPN intelligence resides in the service provider network---there is no end-user client software for the corporation to maintain, thus eliminating client management burdens associated with remote access. The drawback, however, is lack of security on the local access dial network connecting the client to the service provider network. In a remote access VPN implementation, these security/management trade-offs must be balanced.
Pros: NAS-initiated Access VPNs require no specialized client software, allowing greater flexibility for companies to choose the access software that best fits their requirements. NAS solutions use robust tunneling protocols such as Cisco L2F or L2TP. IPSec provides encryption only, in contrast with the client-initiated model where IPSec enables both tunneling and encryption. Premium service examples include reserved modem ports, guarantees of modem availability, and priority data transport. The NAS can simultaneously be used for Internet as well as VPN access. All traffic to a given destination travels over a single tunnel from a NAS, making larger deployments more scalable and manageable. Con: NAS-initiated Access VPN connections are restricted to POPs that can support VPNs.
Intranet VPNs: Link corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, quality of service (QoS), manageability, and reliability. The benefits of an intranet VPN are as follows: Reduced WAN bandwidth costs Connect new sites easily Increased network uptime by enabling WAN link redundancy across service providers Building an intranet VPN using the Internet is the most cost-effective means of implementing VPN technology. Service levels, however, are generally not guaranteed on the Internet. When implementing an intranet VPN, corporations need to assess which trade-offs they are willing to make between guaranteed service levels, network ubiquity, and transport cost. Enterprises requiring guaranteed throughput levels should consider deploying their VPNs over a service provider's end-to-end IP network, or, potentially, Frame Relay or ATM.
Extending connectivity to corporate partners and suppliers is expensive and burdensome in a private network environment. Expensive dedicated connections must be extended to the partner, management and network access policies must be negotiated and maintained, and often compatible equipment must to be installed on the partner's site. When dial access is employed, the situation is equally complicated because separate dial domains must be established and managed. Due to the complexity, many corporations do not extend connectivity to their partners, resulting in complicated business procedures and reduced effectiveness of their business relationships. One of the primary benefits of a VPN WAN architecture is the ease of extranet deployment and management. Extranet connectivity is deployed using the same architecture and protocols utilized in implementing intranet and remote access VPNs. The primary difference is the access permission extranet users are granted once connected to their partner's network.
25 Intranet and extranet VPN services based on IPSec, GRE, and mobile IP create secure tunnels across an IP network. These technologies leverage industry standards to establish secure, point-to-point connections in a mesh topology that is overlaid on the service provider's IP network or the Internet. They also offer the option to prioritize applications. An IPSec architecture, however, includes the IETF proposed standard for IP-based encryption and enables encrypted tunnels from the access point to and across the intranet or extranet. An alternative approach to intranet and extranet VPNs is to establish virtual circuits across an ATM or Frame Relay backbone. With this architecture, privacy is accomplished with permanent virtual circuits (PVCs) instead of tunnels. Encryption is available for additional security as an optional feature, but more commonly, it is applied as needed by individual applications. Virtual circuit architectures provide prioritization through quality of service for ATM and committed information rate for Frame Relay. Finally, in addition to IP tunnels and virtual circuits, intranet and extranet VPNs can be deployed with a Tag Switching/MPLS architecture. Tag Switching is a switching mechanism created by Cisco Systems and introduced to the IETF under the name MPLS. MPLS has been adopted as an industry standard for converging IP and ATM technologies. A VPN built with Tag Switching/MPLS affords broad scalability and flexibility across any backbone choice whether IP, ATM, or multivendor. With Tag Switching/MPLS, packets are forwarded based on a VPN-based address that is analogous to mail forwarded with a postal office zip code. This VPN identifier in the packet header isolates traffic to a specific VPN. Tag Switching/MPLS solves peer adjacency scalability issues that occur with large virtual circuit topologies. It also offers granularity to the application for priority and bandwidth management, and it facilitates incremental multiservice offerings such as Internet telephony, Internet fax, and videoconferencing.
Access VPNs are differentiated from intranet and extranet VPNs primarily by the connectivity method into the network. While an access VPN refers to dialup (or part-time) connectivity, an intranet or extranet VPN may contain both dialup and dedicated links. The distinction between intranet and extranet VPNs is essentially in the users that will be connecting to the network and the security restrictions that each will be subject to.
Let’s look at some real examples of VPNs.
Here we have a health care company that's deploying an intranet. Well, why would they care so much about security? Your health records are something that you want to be secure. This is information that you don't want non-authorized personnel to have access to. So you can see on the screen, the company has a number of remote centers. In this case, these are like doc-in-the-box, those little new medical clinics that are springing up. So those are relayed back to a primary network and back to the association where the primary hospital that these different medical centers are associated with resides. So a lot of more sophisticated databases, etc., can be back at the hospital, and they can share the Internet and, with confidence, share medical data that they don't want to have published to the outside world.
Another example would be branch offices or perhaps telecommuters. So the challenge is getting a cost-effective means to connect those small offices that maybe can't afford a leased line or a leased line wouldn't be appropriate for. And so with IPSec, you can encrypt the traffic from the remote sites to the enterprise. It doesn't matter what applications the users are using. This isn't just encrypting mail or just encrypting the database or something like that. You can encrypt all traffic if you want to. And so that's something that you can set up right into the router in terms of what traffic you want to encrypt right into your client. So using this, telecommuters can have full access safely to the corporation.
To illustrate the savings an Access VPN can provide, compare the cost of implementing one with that of supporting a dial-up remote access application. Suppose a small manufacturing firm must support 20 mobile users dialing into the corporate network to access the company database and e-mail for approximately 90 minutes per day (per user). In the traditional dial-up model, the 20 mobile workers use a modem to dial long distance directly into their corporate remote access server. Most of the cost in this scenario comes from the monthly toll chares and the time and effort required to manage modem pools (access server) that accrue on an on-going basis over the life of the application. By using an access VPN, the manufacturing firm’s monthly toll charges can be significantly reduced. The mobile users will dial into a service provider’s local point of presence (POP) and initiate a tunnel back to the corporate headquarters over the Internet. Instead of paying long distance/800 toll charges, users pay only the cost equivalent to making a local call to the ISP. The initial investment in equipment and installation of an access VPN may be recaptured quickly by the savings in monthly toll charges. How long will it take the manufacturing firm to realize a payback of the initial capital investment, then realize recurring monthly savings?
Now, with the access VPN, you can see that there's more installation charges. But let's add them up and see what happens. So you can see the one-time capital expense using the access VPNs rose from $4,000 for the dialup users up to $10,600 for the VPN. But the recurring costs dropped from $5400 per month down to $2,900 per month. $2500 savings per month! Traditional Dial-up Access VPN Month Capital Recurring Total Capital Recurring Total 1 $4,000 $5,400 $9,400 $10,600 $2,900 $13,500 2 $5,400 $14,800 $2,900 $16,400 3 $5,400 $20,200 $2,900 $19,300 While costs will vary by region and local tariffs, this example illustrates that using an access VPN to support mobile users can typically provide returns on the initial investment in 6 months or less. While the initial installation and start-up costs of an Access VPN are higher, the advantages of streamlining ongoing monthly costs translates into big savings for total cost of ownership.
This chart shows us the return on investment. You can see that the payback is right about three months. So you can see that VPNs save money in the long run.
Lower cost: VPNs save money because they use the Internet, not costly leased lines, to transmit information to and from authorized users. Prior to VPNs, many companies with remote offices communicated through wide area networks (WANs), or by having remote workers make long-distance calls to connect to the main-office server. Both can be expensive propositions. WANs require establishing dedicated and inflexible leased lines between various business locations, which can be costly or impractical for smaller offices. Improved communications: A VPN provides a robust level of connectivity comparable to a WAN. With increased geographic coverage, remote offices, mobile employees, clients, vendors, telecommuters, and even international business partners can use a VPN to access information on a company's network. This level of interconnectivity allows for a more effective flow of information between a large number of people. The VPN provides access to both extranets and wide-area intranets, which opens the door for improved client service, vendor support, and company communications. Security: VPNs maintain privacy through the use of tunneling protocols and standard security procedures. A secure VPN encrypts data before it travels through the public network and decrypts it at the receiving end. The encrypted information travels through a secure &quot;tunnel” that connects to a company's gateway. The gateway then identifies the remote user and lets the user access only the information he or she is authorized to receive. Increased flexibility: With a VPN, customers, suppliers and remote users can be added to the network easily and quickly. Some VPN solutions simplify the process of administering the network by allowing the system's manager to implement changes from any desktop computer. Once the equipment is installed, the company simply signs up with a service provider that activates the network by giving the company a slice of its bandwidth. This is much easier than establishing a WAN, which must be designed, built and managed by the company that creates it. VPNs also easily adapt to a company's growth. These systems can connect 2,000 people as easily as 25. Reliability: A secure VPN can be used for the authorization of orders from suppliers, the forwarding of revised legal documents, and many other confidential business processes. Recent improvements in VPN technology have also increased the system's reliability. Many service providers will guarantee 99% VPN uptime and will offer credits for unanticipated outages.
Agenda <ul><li>What Are VPNs? </li></ul><ul><li>VPN Technologies </li></ul><ul><li>Access, Intranet, and Extranet VPNs </li></ul><ul><li>VPN Examples </li></ul>
What Are VPNs? <ul><li>Virtual Private Networks (VPNs) extend the classic WAN </li></ul><ul><li>VPNs leverage the classic WAN infrastructure, including Cisco’s family of VPN-enabled routers and policy management tools </li></ul><ul><li>VPNs provide connectivity on a shared infrastructure with the same policies and “performance” as a private network with lower total cost of ownership </li></ul>Service Provider Shared Network VPN Internet, IP, FR, ATM
<ul><li>Extends private network through public Internet </li></ul><ul><li>Lower cost than private WAN </li></ul><ul><li>Relies on tunneling and encryption </li></ul>Virtual Private Networks Internet Hong Kong Paris IP Packet (Private, Encrypted) IP Header (Public)
Why Build a VPN? <ul><li>Company information secured </li></ul><ul><li>Lower costs </li></ul><ul><ul><li>Connectivity costs </li></ul></ul><ul><ul><li>Capital costs </li></ul></ul><ul><ul><li>Management and support costs </li></ul></ul><ul><li>Wider connectivity options </li></ul><ul><li>Speed of deployment </li></ul>
Who Buys VPNs? <ul><li>Organizations wishing to: </li></ul><ul><ul><li>Implement more cost- effective WAN solutions </li></ul></ul><ul><ul><li>Connect multiple remote sites </li></ul></ul><ul><ul><li>Deploy intranets </li></ul></ul><ul><ul><li>Connect to suppliers, business partners, and customers </li></ul></ul><ul><ul><li>Get back to their core business, and leave the WAN to the experts </li></ul></ul><ul><ul><li>Lower operational and capital equipment costs </li></ul></ul><ul><li>Businesses with: </li></ul><ul><ul><li>Multiple branch office locations </li></ul></ul><ul><ul><li>Telecommuters </li></ul></ul><ul><ul><li>Remote workers </li></ul></ul><ul><ul><li>Contractors and consultants </li></ul></ul>
Example of a VPN <ul><li>Private networking service over a public network infrastructure </li></ul>Munich Main Office New York Office Milan Office Paris Office Internet Mobile Worker Dials to Munich over Internet
Security <ul><li>Tunnels and encryption </li></ul><ul><li>Packet authentication </li></ul><ul><li>Firewalls and intrusion detection </li></ul><ul><li>User authentication </li></ul>
Tunneling: L2F/L2TP SP Network/ Internet POP Corporate Intranet <ul><li>Mobile users </li></ul><ul><li>Telecommuters </li></ul><ul><li>Small remote offices </li></ul>1. User identification 2. Tunnel to home gateway Security Server 3. User authentication 4. PPP negotiation with user 5. End-to-end tunnel established Home GW LAC
Tunneling: Generic Route Encapsulation (GRE) <ul><li>Mesh of virtual point- to-point interfaces </li></ul><ul><li>Encapsulates multiprotocol packets in IP tunnels </li></ul><ul><li>Application-level QoS </li></ul><ul><li>Value-added platform (new services) </li></ul><ul><li>Encryption-optional tunneling </li></ul><ul><li>Standard architecture for service providers with IP infrastructures </li></ul>Service Provider Backbone Enterprise A Enterprise A Enterprise A Enterprise B Enterprise B
What Is IPSec? <ul><li>Network-layer encryption and authentication </li></ul><ul><li>Open standards for ensuring secure private communications over any IP network, including the Internet </li></ul><ul><li>Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy </li></ul><ul><li>Data protected with network encryption, digital certification, and device authentication </li></ul><ul><li>Scales from small to very large networks </li></ul>
<ul><li>Automatically negotiates policy to protect communication </li></ul><ul><li>Authenticated Diffie-Hellman key exchange </li></ul><ul><li>Negotiates (possibly multiple) security associations for IPSec </li></ul>What is Internet Key Exchange (IKE)? 3DES, MD5, and RSA Signatures, OR IDEA, SHA, and DSS Signatures, OR Blowfish, SHA, and RSA Encryption IDEA, SHA, and DSS Signatures IKE Policy Tunnel
IPSec VPN Client Operation Remote User with IPSec Client Home Gateway Router Home Network Certificate Authority/ AAA Public Network Exchange X.509 or One-Time Password Secure Tunnel Established Encrypted Data flows Dial Access to Corporate Network IKE Negotiation Authentication Approved
L2TP and IPSec Are Complementary <ul><li>IPSec creates the remote tunnel </li></ul><ul><li>L2TP provides tunnel end-point authentication </li></ul><ul><li>IPSec maintains encryption </li></ul><ul><li>L2TP provides tunnels for non-IP traffic </li></ul><ul><li>AAA services and dynamic address like DHCP </li></ul>IPSec L2TP AAA Server
<ul><li>Widely adopted standard </li></ul><ul><li>Encrypts plain text, which becomes cyphertext </li></ul><ul><li>DES performs 16 rounds </li></ul><ul><li>Triple DES (3DES) </li></ul><ul><ul><li>The 56-bit DES algorithm runs three times </li></ul></ul><ul><ul><li>112-bit triple DES includes two keys </li></ul></ul><ul><ul><li>168-bit triple DES includes three keys </li></ul></ul><ul><li>Accomplished on a VPN client, server, router, or firewall </li></ul>Encryption: DES and 3DES
<ul><li>All traffic from inside to outside and vice versa must pass through the firewall </li></ul><ul><li>Only authorized traffic, as defined by the local security policy, is allowed in or out </li></ul><ul><li>The firewall itself is immune to penetration </li></ul>Firewalls
User Authentication <ul><li>Centralized security database (AAA services) </li></ul><ul><li>High availability </li></ul><ul><li>Same policy across many access points </li></ul><ul><li>Per-user access control </li></ul><ul><li>Single network login </li></ul><ul><li>Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password </li></ul>TACACS+ RADIUS TACACS+ RADIUS ID/User Profile ID/User Profile ID/User Profile AAA Server Dial-In User Network Access Server Campus Internet User Gateway Router Firewall Intercept Connections Public Network Internet
VPNs and Quality of Service Voice Premium IP Best Effort Tunnel Conforming Traffic Packet Classification CAR Traffic Policing CAR Congestion Avoidance WRED Tunnel Layer 2TP IPSec, GRE AAA CA PBX
Three Types of VPNs Type Remote access VPN Application Mobile users Remote connectivity Alternative To Dedicated dial ISDN Intranet VPN Extranet VPN Site-to-site Internal connectivity Leased line Business-to-business External connectivity Fax Mail EDI Time Ubiquitous access, lower cost Benefits Extend connectivity, lower cost Facilitates e-commerce
Access VPNs Enterprise DMZ Web Servers DNS Server STMP Mail Relay AAA CA Service Provider A Small Office Mobile User or Corporate Telecommuter <ul><li>Ubiquitous Access </li></ul><ul><li>Modem, ISDN </li></ul><ul><li>xDSL, Cable </li></ul>Potential Operations and Infrastructure Cost Savings Client Initiated or NAS Initiated
Access VPN Operation Overview SP Network/ Internet POP Corporate Intranet Mobile Users and Telecommuters 1. VPN identification 2. Tunnel to home gateway Security Server 3. User authentication 4. PPP negotiation with user 5. End-to-end tunnel established Home Gateway NAS
Access VPN Basic Components Dial Client (PPP Peer) AAA Server (RADIUS/TACACS+) ISDN ASYNC L2TP Access Concentrator AAA Server (RADIUS/TACACS +) L2TP Network Server ( Home Gateway)
<ul><li>Encrypted tunnel from the remote client to the corporate network </li></ul><ul><li>Independent of access technology </li></ul><ul><li>Standards compliant </li></ul><ul><ul><li>IPSec encapsulated tunnel </li></ul></ul><ul><ul><li>IKE key management </li></ul></ul>Client-Initiated Access VPN Internet Corporate Network Encrypted IP
Client-Initiated VPNs <ul><li>Pros: </li></ul><ul><ul><li>Use same hardware for dedicated access </li></ul></ul><ul><ul><li>Dedicated encryption hardware in firewall for performance </li></ul></ul><ul><li>Cons: </li></ul><ul><ul><li>Management of IPSec PC client </li></ul></ul><ul><ul><li>Security must be initiated by user </li></ul></ul>
NAS-Initiated Access VPN NAS [email_address] Home Gateway IP Network
NAS-Initiated VPNs <ul><li>Pros: </li></ul><ul><ul><li>No PC client software to manage </li></ul></ul><ul><ul><li>Premium services </li></ul></ul><ul><ul><li>VPN and Internet access at the NAS </li></ul></ul><ul><ul><li>More scalable and manageable </li></ul></ul><ul><li>Cons: </li></ul><ul><ul><li>Users can connect only to certain POPs </li></ul></ul>
The Intranet VPN Enterprise DMZ Web Servers DNS Server STMP Mail Relay AAA CA Remote Office Service Provider A Regional Office Potential Operations and Infrastructure Cost Savings Extends the Corporate IP Network Across a Shared WAN
The Extranet VPN Business Partner Enterprise DMZ Web Servers DNS Server STMP Mail Relay AAA CA Service Provider A Service Provider B Extends Connectivity to Business Partners, Suppliers, and Customers Security Policy Very Important Supplier
Intranet and Extranet VPNs <ul><li>Multiple users, multiple sites, and potentially multiple companies or multiple communities of interest </li></ul><ul><li>Dedicated connections </li></ul><ul><li>Flexible architecture options </li></ul><ul><ul><li>IP tunnels with IPSec or GRE </li></ul></ul><ul><ul><li>Managed router service with Frame Relay or ATM virtual circuits </li></ul></ul><ul><ul><li>Tag Switching/MPLS </li></ul></ul>
Comparing the Types Intranet Access VPN NAS-Initiated Extranet Type Client-Initiated Router-Initiated X X X X X X X X
Health Care Company Intranet Deployment Challenge—Low-cost means for connecting remote sites with primary hospital Primary Hospital Remote Centers Remote Center Public Network Private Network
<ul><li>IPSec encrypts traffic from remote sites to the enterprise using any application </li></ul><ul><li>IPSec may be combined with other tunnel protocols, e.g., GRE </li></ul><ul><li>Telecommuters can gain secure, transparent access to the corporate network </li></ul>Branch Office or Telecommuters Public Network Challenge—Cost-effective means for connecting branch offices and telecommuters to the corporate network
Traditional Dialup Versus Access VPN Monthly long-distance charges per minute Avg. use per day, per user (min) Traditional Dialup Access VPN Number of users Remote access server One-time installation fee: 10 phone lines 20 $4,600 $1,000 $5,000 20 $3,000 $1,000 Number of users Access router, T1/E1, DSU/CSU, firewall VPN client software ($50/user) T1/E1 installation $0.10 90 Central site T1/E1 Intranet access Monthly ISP access ($20/user) $2,500 $400
Traditional Dialup Versus Access VPN Traditional Dial-Up Access VPN Number of users Remote access server One-time installation fee-10 phone lines 20 $4,600 $1,000 $5,000 20 $3,000 $1,000 Number of users Access router, T1/E1, DSU/CSU, firewall VPN client software ($50/user) T1/E1 installation One-time capital cost $4,000 One-time capital cost $10,600 Recurring cost $5,400 Recurring cost $2,900 Monthly long distance charges per minute Avg. use per day per user (min) $0.10 90 Central site T1/E1 Intranet access Monthly ISP access ($20/user) $2,500 $400
VPN Payback 0 $20,000 $40,000 $60,000 $80,000 1 2 3 4 5 6 7 8 9 10 11 12 Month Payback in 3 months!! Total Cost Traditional VPN