
Module 12: Understanding Virtual Private Networks
www.acit.in
www.cisco.com
1999, Cisco Systems, Inc.

Agenda

What Are VPNs?
VPN Technologies
Access, Intranet, and Extranet VPNs
VPN Examples

CSE: Networking Fundamentals - VPNs
www.cisco.com
1999, Cisco Systems, Inc.
12-2

What Are VPNs?

Diagram: a VPN carried over a service provider shared network (Internet, IP, Frame Relay, ATM)

Virtual Private Networks (VPNs) extend the classic WAN
VPNs leverage the classic WAN infrastructure, including Cisco's family of VPN-enabled routers and policy management tools
VPNs provide connectivity on a shared infrastructure with the same policies and performance as a private network, with lower total cost of ownership

Virtual Private Networks

Diagram: Paris and Hong Kong connected across the Internet; the private IP packet is encrypted and carried inside a public IP header

Extends private network through public Internet
Lower cost than private WAN
Relies on tunneling and encryption

Why Build a VPN?

Company information secured
Lower costs
  Connectivity costs
  Capital costs
  Management and support costs
Wider connectivity options
Speed of deployment

What's Driving VPN Offerings?

Reduced networking costs
Mobile users
Telecommuters
Organizational changes
Mergers/acquisitions
Extranets
Intranets
Increased network flexibility

Who Buys VPNs?

Organizations wishing to:
  Implement more cost-effective WAN solutions
  Connect multiple remote sites
  Deploy intranets
  Connect to suppliers, business partners, and customers
  Get back to their core business, and leave the WAN to the experts
  Lower operational and capital equipment costs

Businesses with:
  Multiple branch office locations
  Telecommuters
  Remote workers
  Contractors and consultants

Networked Applications

Traditional applications
  E-mail
  Database
  File transfer

New applications
  Videoconferencing
  Distance learning
  Advanced publishing
  Voice

Example of a VPN

Private networking service over a public network infrastructure

Diagram: Munich Main Office, Paris Office, New York Office, and Milan Office connected over the Internet; a mobile worker dials to Munich over the Internet

VPN Technologies

VPN Technology Building Blocks

Security
QoS

Security

Tunnels and encryption
Packet authentication
Firewalls and intrusion detection
User authentication

Tunneling: L2F/L2TP

Diagram: mobile users, telecommuters, and small remote offices dial into a POP (LAC), which tunnels across the SP network/Internet to the home gateway (Home GW) on the corporate intranet; a security server sits behind the home gateway

1. User identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established

Tunneling: Generic Route Encapsulation (GRE)

Diagram: Enterprise A and Enterprise B sites, each tunnelled across a service provider backbone

Mesh of virtual point-to-point interfaces
Encapsulates multiprotocol packets in IP tunnels
Application-level QoS
Value-added platform (new services)
Encryption-optional tunneling
Standard architecture for service providers with IP infrastructures
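The two points a practitioner should take from this slide are what GRE actually adds to a packet (an outer IP header plus a small GRE header carrying the inner protocol type, which is why it can tunnel multiprotocol traffic) and what it does not add (confidentiality, hence "encryption-optional"). The following is an added example, not code from the Cisco deck: it builds and parses base GRE (RFC 2784) over IPv4 using only the Python standard library. The tunnel endpoint addresses, the inner private addresses, and the payload are constructed sample values.

```python
import struct

IP_PROTO_GRE = 47          # outer IPv4 protocol number for GRE
GRE_PROTO_IPV4 = 0x0800    # Ethertype-style values carried in the GRE protocol field
GRE_PROTO_IPV6 = 0x86DD


def ip_checksum(data):
    """Standard ones-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner, inner_proto, tunnel_src, tunnel_dst):
    """Wrap `inner` in a base GRE header (RFC 2784: no checksum/key/sequence,
    version 0) and an outer IPv4 header addressed between the tunnel endpoints."""
    gre = struct.pack("!HH", 0x0000, inner_proto)
    outer = ipv4_header(tunnel_src, tunnel_dst, len(gre) + len(inner), IP_PROTO_GRE)
    return outer + gre + inner


def gre_decapsulate(packet):
    """Validate the outer header and return (inner_proto, inner_packet).

    Optional GRE fields (checksum, key, sequence number) are skipped by
    length so packets from RFC 2890-style senders are still decapsulated."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != IP_PROTO_GRE:
        raise ValueError("not an IPv4 GRE packet")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags_ver, inner_proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    gre_len = 4
    if flags_ver & 0x8000:      # C bit: checksum + reserved1 present
        gre_len += 4
    if flags_ver & 0x2000:      # K bit: key present
        gre_len += 4
    if flags_ver & 0x1000:      # S bit: sequence number present
        gre_len += 4
    return inner_proto, packet[ihl + gre_len:]


def build_sample():
    """Constructed inner packet: a private-addressed IPv4 datagram carrying a
    UDP-style payload, tunnelled between two documentation addresses."""
    payload = b"payroll export, constructed sample"
    inner = ipv4_header("10.1.1.10", "10.2.2.20", len(payload), 17) + payload
    tunnelled = gre_encapsulate(inner, GRE_PROTO_IPV4, "192.0.2.1", "198.51.100.1")
    return inner, tunnelled


if __name__ == "__main__":
    inner, tunnelled = build_sample()
    proto, recovered = gre_decapsulate(tunnelled)
    print(hex(proto), recovered == inner)
    # Plain GRE adds a header, not confidentiality: the inner packet is
    # byte-for-byte visible inside the tunnelled packet.
    print(inner in tunnelled)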

What Is IPSec?

Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
Data protected with network encryption, digital certification, and device authentication
Scales from small to very large networks

What is Internet Key Exchange (IKE)?

Automatically negotiates policy to protect communication
Authenticated Diffie-Hellman key exchange
Negotiates (possibly multiple) security associations for IPSec

Diagram: IKE policy tunnel; one peer offers, in order, 3DES, MD5, and RSA Signatures, OR IDEA, SHA, and DSS Signatures, OR Blowfish, SHA, and RSA Encryption; the peers settle on IDEA, SHA, and DSS Signatures
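The slide's three bullets fit together in one exchange: the initiator offers an ordered list of transform sets, the responder picks the first it accepts, and the two sides run a Diffie-Hellman exchange whose public values are authenticated so an on-path party cannot swap them. The following added example (not Cisco's code and not a real IKE implementation) shows that shape with the slide's proposal list, using pre-shared-key HMAC as the authentication method, standard-library Python only. The modulus 2**255 - 19 is an assumption chosen to keep the example self-contained; real IKE uses the MODP groups from RFC 2409/RFC 3526.

```python
import hashlib
import hmac
import secrets

# Demonstration group: 2**255 - 19 is prime, but it is NOT one of the MODP
# groups IKE actually uses (those are specified in RFC 2409 / RFC 3526).
P = 2**255 - 19
G = 2

# Transform sets from the slide, in the initiator's order of preference:
# (cipher, hash, authentication method).
INITIATOR_PROPOSALS = [
    ("3DES", "MD5", "RSA_SIG"),
    ("IDEA", "SHA", "DSS_SIG"),
    ("Blowfish", "SHA", "RSA_ENC"),
]


def select_proposal(offered, acceptable):
    """Responder picks the first offered transform set its policy allows.

    Returns None when nothing matches, which aborts the exchange instead of
    silently falling back to a weaker set."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def auth_tag(psk, sender_pub, receiver_pub, proposal):
    """Pre-shared-key authentication of one side's DH public value.

    Binding both public values and the chosen proposal under the PSK is what
    turns plain Diffie-Hellman into authenticated Diffie-Hellman: an on-path
    party cannot substitute its own public value or downgrade the transform
    set without knowing the PSK."""
    msg = f"{sender_pub}|{receiver_pub}|{'-'.join(proposal)}".encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()


class Peer:
    """One IKE-style peer; both peers are enrolled with the same PSK."""

    def __init__(self, name, psk):
        self.name = name
        self.psk = psk
        self.priv = secrets.randbelow(P - 3) + 2      # private exponent in [2, P-2]
        self.pub = pow(G, self.priv, P)

    def derive_key(self, their_pub, proposal):
        """Shared secret -> session key for the negotiated security association."""
        shared = pow(their_pub, self.priv, P)
        material = shared.to_bytes(32, "big") + "-".join(proposal).encode()
        return hashlib.sha256(material).digest()


def run_exchange(initiator, responder, responder_policy, tamper=False):
    """Three-message exchange; returns (proposal, key_i, key_r) or None.

    tamper=True simulates an on-path party replacing the initiator's public
    value in message 1, which must make authentication fail."""
    # Message 1 (initiator -> responder): proposals and DH public value.
    proposal = select_proposal(INITIATOR_PROPOSALS, responder_policy)
    if proposal is None:
        return None
    pub_i_seen = pow(G, 12345, P) if tamper else initiator.pub

    # Message 2 (responder -> initiator): chosen proposal, public value, tag.
    tag_r = auth_tag(responder.psk, responder.pub, pub_i_seen, proposal)
    expected_r = auth_tag(initiator.psk, responder.pub, initiator.pub, proposal)
    if not hmac.compare_digest(tag_r, expected_r):
        raise ValueError("responder authentication failed")

    # Message 3 (initiator -> responder): initiator's tag over the same values.
    tag_i = auth_tag(initiator.psk, initiator.pub, responder.pub, proposal)
    expected_i = auth_tag(responder.psk, pub_i_seen, responder.pub, proposal)
    if not hmac.compare_digest(tag_i, expected_i):
        raise ValueError("initiator authentication failed")

    return (proposal,
            initiator.derive_key(responder.pub, proposal),
            responder.derive_key(pub_i_seen, proposal))


if __name__ == "__main__":
    paris = Peer("Paris", b"constructed-psk")
    hong_kong = Peer("Hong Kong", b"constructed-psk")
    policy = {("IDEA", "SHA", "DSS_SIG"), ("Blowfish", "SHA", "RSA_ENC")}
    chosen, k1, k2 = run_exchange(paris, hong_kong, policy)
    print(chosen, k1 == k2)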

IPSec VPN Client Operation

Diagram: a remote user with an IPSec client reaches the home gateway router and home network across the public network; a Certificate Authority/AAA server supports the gateway. The callouts in order:
  Dial access to corporate network
  IKE negotiation
  Exchange X.509 certificate or one-time password
  Authentication approved
  Secure tunnel established
  Encrypted data flows

L2TP and IPSec Are Complementary

Diagram: IPSec and L2TP tunnels between the remote user and the corporate network, with an AAA server

IPSec creates the remote tunnel
IPSec maintains encryption
L2TP provides tunnel end-point authentication
L2TP provides tunnels for non-IP traffic, AAA services, and dynamic address assignment like DHCP

Encryption: DES and 3DES

Widely adopted standard
Encrypts plain text, which becomes ciphertext
DES performs 16 rounds
Triple DES (3DES)
  The 56-bit DES algorithm runs three times
  112-bit triple DES includes two keys
  168-bit triple DES includes three keys
Accomplished on a VPN client, server, router, or firewall

Firewalls

All traffic from inside to outside and vice versa must pass through the firewall
Only authorized traffic, as defined by the local security policy, is allowed in or out
The firewall itself is immune to penetration
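The second bullet is the one that does the work: the policy enumerates what is authorized and everything else is refused. The following added example (not from the deck) renders that as a small first-match filter with a default-deny fall-through, plus a session table so replies to permitted outbound connections can return without a blanket inbound permit. The inside prefix, the rule set and the packets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: the protected side is one private prefix; anything
# else is "outside". The rules below are an illustration, not a real policy.
INSIDE = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str          # "out": inside -> outside, "in": outside -> inside
    proto: str
    dport: Optional[int]    # None matches any destination port
    action: str             # "permit" or "deny"


# First matching rule wins. Nothing here permits inbound connections except
# SMTP to the mail relay, so every other inbound packet reaches the default.
POLICY = [
    Rule("out", "tcp", 80, "permit"),
    Rule("out", "tcp", 443, "permit"),
    Rule("out", "udp", 53, "permit"),
    Rule("in", "tcp", 25, "permit"),
]


def direction(pkt):
    src_in = ip_address(pkt.src) in INSIDE
    dst_in = ip_address(pkt.dst) in INSIDE
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    # Inside-to-inside never crosses the firewall; outside-to-outside is not
    # ours to forward. Both are refused rather than guessed at.
    return None


class Firewall:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()   # permitted outbound 5-tuples, so their replies may return

    def evaluate(self, pkt):
        d = direction(pkt)
        if d is None:
            return "deny"
        # Reply to a connection this firewall already permitted outbound.
        if d == "in" and (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.sessions:
            return "permit"
        for rule in self.policy:
            if rule.direction == d and rule.proto == pkt.proto and rule.dport in (None, pkt.dport):
                if rule.action == "permit" and d == "out":
                    self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return rule.action
        return "deny"   # default deny: traffic the policy does not authorize is not forwarded


if __name__ == "__main__":
    fw = Firewall(POLICY)
    print(fw.evaluate(Packet("10.1.2.3", "203.0.113.5", "tcp", 51000, 443)))   # permit
    print(fw.evaluate(Packet("203.0.113.5", "10.1.2.3", "tcp", 443, 51000)))   # permit (reply)
    print(fw.evaluate(Packet("203.0.113.9", "10.1.2.3", "tcp", 4444, 22)))     # deny (default)
```

The session table is what a stateless packet filter lacks: without it, either replies to permitted web traffic would be dropped, or the policy would need an inbound "permit tcp from port 443" rule that any outside host could satisfy.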

User Authentication

Diagram: dial-in users reach a Network Access Server and Internet users reach a gateway router and firewall over the public network; both query a central AAA server (TACACS+, RADIUS) holding the ID/user profile, and connections into the campus are intercepted until the user is authenticated

Centralized security database (AAA services)
High availability
Same policy across many access points
Per-user access control
Single network login
Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
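A central ID/user-profile store is what makes "same policy across many access points" and "per-user access control" possible, and it is also what makes one-time passwords safe against replay: only one place decides whether a code has already been used. The following added example (not from the deck, and not RADIUS or TACACS+ wire format) models such a store with HOTP one-time passwords (RFC 4226) verified on the server side. HOTP itself postdates this 1999 deck and is used here as a concrete, testable OTP scheme; the user, group and look-ahead values are constructed.

```python
import hashlib
import hmac


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AaaServer:
    """Centralized ID/user-profile store, as the AAA server on the slide.

    Every access point (NAS, gateway router, firewall) forwards the user's
    claim here, so one policy applies everywhere and a used code is seen as
    replayed no matter which access point receives it."""

    def __init__(self, look_ahead=5):
        self.look_ahead = look_ahead
        self.profiles = {}   # username -> {"secret", "counter", "groups"}

    def enroll(self, username, secret, groups):
        self.profiles[username] = {"secret": secret, "counter": 0, "groups": tuple(groups)}

    def authenticate(self, username, code):
        """Return the user's authorization groups on success, None on failure.

        The server-side counter only moves forward, so a captured code cannot
        be replayed; a small look-ahead window tolerates tokens pressed
        without a login, without accepting arbitrarily old codes."""
        profile = self.profiles.get(username)
        if profile is None:
            return None
        start = profile["counter"]
        for counter in range(start, start + self.look_ahead + 1):
            expected = hotp(profile["secret"], counter)
            if hmac.compare_digest(expected, code):
                profile["counter"] = counter + 1      # invalidate this and all earlier codes
                return profile["groups"]
        return None


# Constructed enrolment using the RFC 4226 test secret (its first codes are
# 755224, 287082, 359152, 969429, ...).
RFC4226_SECRET = b"12345678901234567890"


def demo():
    """Four login attempts against one profile; returns the four outcomes."""
    aaa = AaaServer()
    aaa.enroll("alice", RFC4226_SECRET, ["telecommuters"])
    first = aaa.authenticate("alice", "755224")     # accepted: counter 0
    replay = aaa.authenticate("alice", "755224")    # rejected: already consumed
    skipped = aaa.authenticate("alice", "359152")   # accepted: counter 2, inside the window
    stale = aaa.authenticate("alice", "287082")     # rejected: counter 1 is now behind
    return first, replay, skipped, stale


if __name__ == "__main__":
    print(demo())
```

The returned groups stand in for the authorization half of AAA: the access point enforces whatever the profile says, so the policy lives in one place even though logins arrive through many devices.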

VPNs and Quality of Service

Diagram: traffic from a PBX and hosts enters a tunnel (L2TP, IPSec, GRE) and passes through three stages: packet classification (CAR), traffic policing (CAR) yielding conforming traffic, and congestion avoidance (WRED); the traffic classes are Voice, Premium IP, and Best Effort, and AAA and CA servers support the tunnel
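The three stages in the diagram are easier to reason about in code than in boxes. The following added example (not Cisco's implementation of CAR or WRED) models classification by DSCP, CAR policing as a token bucket per class, and WRED as a drop-probability curve over average queue depth. The mapping of EF to Voice and AF41 to Premium IP, the rates, the bursts, the thresholds and the packet trace are all constructed assumptions for the example.

```python
# DSCP code points assumed for the classifier: EF for voice, AF41 for premium
# data; anything else is best effort.
DSCP_EF = 46
DSCP_AF41 = 34


def classify(dscp):
    """Packet classification stage: map a DSCP value to one of the slide's classes."""
    if dscp == DSCP_EF:
        return "Voice"
    if dscp == DSCP_AF41:
        return "Premium IP"
    return "Best Effort"


class TokenBucket:
    """CAR-style policer: `rate` bytes/second of refill, `burst` bytes of depth.

    A packet conforms if the bucket holds enough tokens when it arrives;
    otherwise it exceeds and the exceed action (drop or re-mark) applies.
    The bucket depth caps how much credit an idle class can bank, so a burst
    after silence is bounded rather than unlimited."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = 0.0

    def conforms(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(packets, limits):
    """Run (time, dscp, size) packets through one bucket per class.

    Returns {(class, "conform" | "exceed"): count}."""
    buckets = {cls: TokenBucket(*params) for cls, params in limits.items()}
    counts = {}
    for t, dscp, size in packets:
        cls = classify(dscp)
        verdict = "conform" if buckets[cls].conforms(size, t) else "exceed"
        counts[(cls, verdict)] = counts.get((cls, verdict), 0) + 1
    return counts


def wred_drop_probability(avg_depth, min_th, max_th, max_p):
    """WRED congestion avoidance: no drops below min_th, probability rising
    linearly to max_p at max_th, and tail drop above max_th."""
    if avg_depth < min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    return max_p * (avg_depth - min_th) / (max_th - min_th)


# Constructed limits: (rate in bytes/s, burst in bytes) per class.
LIMITS = {"Voice": (8000, 400), "Premium IP": (50000, 3000), "Best Effort": (10000, 1500)}

# Constructed trace: (arrival time in seconds, DSCP, size in bytes).
# Six voice packets in two bursts of three, then two best-effort packets.
SAMPLE = [
    (0.00, 46, 200), (0.00, 46, 200), (0.00, 46, 200),
    (0.05, 46, 200), (0.05, 46, 200), (0.05, 46, 200),
    (0.00, 0, 1500), (0.00, 0, 100),
]


def run_sample():
    return police(SAMPLE, LIMITS)


if __name__ == "__main__":
    print(run_sample())
    print([wred_drop_probability(d, 10, 40, 0.1) for d in (5, 25, 40, 41)])
```

In the trace, the voice bucket holds 400 bytes, so the third 200-byte packet of each burst exceeds even though the class is at the head of the queue; policing is what keeps a premium class from crowding out the others.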

Access, Intranet, and Extranet VPNs

Three Types of VPNs

Type                  VPN           Application                        Alternative To        Benefits
Remote access         Access VPN    Mobile users, remote connectivity  Dedicated dial, ISDN  Ubiquitous access, lower cost
Site-to-site          Intranet VPN  Internal connectivity              Leased line           Extend connectivity, lower cost
Business-to-business  Extranet VPN  External connectivity              Fax, mail, EDI        Facilitates e-commerce

(The slide arranges the three rows along a "Time" axis, earliest first.)

Access VPNs

Diagram: a mobile user or corporate telecommuter and a small office reach the enterprise through Service Provider A using ubiquitous access (modem, ISDN, xDSL, cable); tunnels are client initiated or NAS initiated; the enterprise has AAA and CA servers and a DMZ with web servers, a DNS server, and an SMTP mail relay

Potential operations and infrastructure cost savings

Access VPN Operation Overview

Diagram: mobile users and telecommuters dial into a POP (NAS), which tunnels across the SP network/Internet to the home gateway on the corporate intranet; a security server sits behind the home gateway

1. VPN identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established

Access VPN Basic Components

Dial Client (PPP Peer), connecting over ASYNC or ISDN
L2TP Access Concentrator
L2TP Network Server (Home Gateway)
AAA Server (RADIUS/TACACS+); the diagram shows one at each end of the tunnel

Client-Initiated Access VPN

Diagram: encrypted IP from the remote client across the Internet to the corporate network

Encrypted tunnel from the remote client to the corporate network
Independent of access technology
Standards compliant
  IPSec encapsulated tunnel
  IKE key management

Client-Initiated VPNs

Pros:
  Use same hardware for dedicated access
  Dedicated encryption hardware in firewall for performance

Cons:
  Management of IPSec PC client
  Security must be initiated by user

NAS-Initiated Access VPN

Diagram: the user dials the NAS as username@domain; the NAS tunnels across the IP network to the home gateway selected for that domain

NAS-Initiated VPNs

Pros:
  No PC client software to manage
  Premium services: VPN and Internet access at the NAS
  More scalable and manageable

Cons:
  Users can connect only to certain POPs

The Intranet VPN

Extends the corporate IP network across a shared WAN

Diagram: a remote office and a regional office reach the enterprise through Service Provider A; the enterprise has AAA and CA servers and a DMZ with web servers, a DNS server, and an SMTP mail relay

Potential operations and infrastructure cost savings

The Extranet VPN

Extends connectivity to business partners, suppliers, and customers

Diagram: a supplier and a business partner on Service Provider B reach the enterprise through Service Provider A; the enterprise has AAA and CA servers and a DMZ with web servers, a DNS server, and an SMTP mail relay

Security policy very important

Intranet and Extranet VPNs

Multiple users, multiple sites, and potentially multiple companies or multiple communities of interest
Dedicated connections
Flexible architecture options
  IP tunnels with IPSec or GRE
  Managed router service with Frame Relay or ATM virtual circuits
  Tag Switching/MPLS

Comparing the Types

Type        NAS-Initiated  Client-Initiated  Router-Initiated
Access VPN  X              X
Intranet                                     X
Extranet                                     X

VPN Examples

Health Care Company Intranet Deployment

Challenge: low-cost means for connecting remote sites with the primary hospital

Diagram: remote centers connect over the public network to the primary hospital's private network

Branch Office or Telecommuters

Challenge: cost-effective means for connecting branch offices and telecommuters to the corporate network

Diagram: branch offices and telecommuters connect to the enterprise over the public network

IPSec encrypts traffic from remote sites to the enterprise using any application
IPSec may be combined with other tunnel protocols, e.g., GRE
Telecommuters can gain secure, transparent access to the corporate network

Traditional Dialup Versus Access VPN

Traditional dial-up (20 users)
  One-time costs
    Remote access server                                $4,600
    One-time installation fee: 10 phone lines           $1,000
    (line item whose label did not survive extraction)  $5,000
    One-time capital cost                               $10,600
  Recurring costs
    Monthly long-distance charges per minute            $0.10
    Avg. use per day, per user (min)                    90
    Recurring cost                                      $5,400

Access VPN (20 users)
  One-time costs
    Access router, T1/E1, DSU/CSU, firewall             $3,000
    VPN client software ($50/user)                      $1,000
    T1/E1 installation                                  (no figure shown)
    One-time capital cost                               $4,000
  Recurring costs
    Central site T1/E1 Intranet access                  $2,500
    Monthly ISP access ($20/user)                       $400
    Recurring cost                                      $2,900

(This comparison appears on two consecutive slides, the first without the capital and recurring totals.)

VPN Payback

Chart: total cost ($0 to $80,000) by month (1 to 12) for Traditional versus VPN

Payback in 3 months!!

Summary

VPNs reduce costs
VPNs improve connectivity
VPNs maintain security
VPNs offer flexibility
VPNs are reliable
