www.cisco.com
1999, Cisco Systems, Inc.
Agenda
What Are VPNs?
VPN Technologies
Access, Intranet, and Extranet VPNs
VPN Examples
Virtual Private Networks (VPNs) extend the classic WAN
VPNs leverage the classic WAN infrastructure, including Cisco's family of VPN-enabled routers and policy management tools
VPNs provide connectivity on a shared infrastructure with the same policies and performance as a private network, with lower total cost of ownership
CSE: Networking Fundamentals (VPNs)
Extends private network through public Internet
Lower cost than private WAN
Relies on tunneling and encryption
Networked Applications
Traditional applications: e-mail, database, file transfer
New applications
Example of a VPN
Private networking service over a public network infrastructure
(Diagram: Munich main office, Paris office and Milan office connected across the Internet)
VPN Technologies
Security
QoS
Security
Packet authentication
Firewalls and intrusion detection
User authentication
Tunneling: L2F/L2TP
(Diagram: mobile users, telecommuters and small remote offices dial into a POP LAC; security server; 1. user identification; 3. user authentication)
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
Data protected with network encryption, digital certification, and device authentication
Scales from small to very large networks
(Diagram: dial access to the corporate network across a public network; the client and the home network exchange X.509 certificates or a one-time password during IKE negotiation; authentication approved)
L2TP
IPSec creates the remote tunnel
L2TP provides tunnel end-point authentication
IPSec maintains encryption
L2TP provides tunnels for non-IP traffic
AAA services and dynamic addressing such as DHCP
Firewalls
All traffic from inside to outside and vice versa must pass through the firewall
Only authorized traffic, as defined by the local security policy, is allowed in or out
The firewall itself is immune to penetration
User Authentication
(Diagram: dial-in user via a network access server and Internet user via a gateway router and firewall, both checked against ID/user profiles on a central AAA server using TACACS+ or RADIUS; campus network)
Centralized security database (AAA services)
High availability
Same policy across many access points
Per-user access control
Single network login
Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password
(Diagram: tunnel; AAA and CA servers; conforming traffic)
Packet classification: CAR
Traffic policing: CAR
Congestion avoidance: WRED
Tunnel: L2TP, IPSec, GRE
Access VPN: Application: mobile users, remote connectivity. Alternative to: dedicated dial, ISDN. Benefits: ubiquitous access, lower cost.
Intranet VPN: Application: site-to-site, internal connectivity. Alternative to: leased line.
Extranet VPN: Application: business-to-business, external connectivity. Benefits: facilitates e-commerce.
Access VPNs
Potential Operations and Infrastructure Cost Savings
(Diagram: mobile user or corporate telecommuter reaches the enterprise through Service Provider A; enterprise DMZ with web servers, DNS server and SMTP mail relay; AAA and CA servers)
(Diagram: small office dials in over async or ISDN to a POP NAS; security server; 3. user authentication)
Encrypted tunnel from the remote client to the corporate network
Independent of access technology
Standards compliant
IPSec encapsulated tunnel
IKE key management
Client-Initiated VPNs
Pros:
Use same hardware for dedicated access
Dedicated encryption hardware in firewall for performance
Cons:
Management of IPSec PC client
Security must be initiated by user
(Diagram: user connects as username@domain to a NAS, which reaches the home gateway across the IP network)
NAS-Initiated VPNs
Pros:
No PC client software to manage
Premium services
VPN and Internet access at the NAS
More scalable and manageable
Cons:
Users can connect only to certain POPs
(Diagrams: remote office connected to the enterprise through Service Provider A; enterprise DMZ with AAA and CA servers)
VPN Examples
(Diagram: primary hospital private network connected to remote centers over a public network)
IPSec encrypts traffic from remote sites to the enterprise using any application
IPSec may be combined with other tunnel protocols, e.g., GRE
Telecommuters can gain secure, transparent access to the corporate network
Assumptions: monthly long-distance charges $0.10 per minute; average use 90 minutes per day, per user
One-time capital cost: $10,600
Central site T1/E1: $2,500
Intranet access: monthly ISP access $400 ($20/user)
Other slide values (one-time and recurring cost cells): $1,000, $5,000, $5,400, $2,900
VPN Payback
(Chart: total cost from $0 to $80,000 over months 1 to 12, Traditional vs. VPN)
Payback in 3 months!!
Summary
VPNs reduce costs