12 Understanding VPNs


7/27/2019 12 Understanding VPNs
1999, Cisco Systems, Inc. www.cisco.com

Slide 1/22: Module 12, Virtual Private Networks

Slide 2/22: Agenda (12-2, CSE: Networking Fundamentals, VPNs)
• What Are VPNs?
• VPN Technologies
• Access, Intranet, and Extranet VPNs
• VPN Examples

Slide 3/22: Virtual Private Networks (12-4)
• Extends private network through public Internet
• Lower cost than private WAN
• Relies on tunneling and encryption
[Figure: Hong Kong and Paris sites connected across the Internet; the private, encrypted IP packet is carried inside a public IP header.]

Slide 4/22: Example of a VPN (12-9)
• Private networking service over a public network infrastructure
[Figure: Munich main office linked over the Internet to the New York, Milan, and Paris offices; a mobile worker dials to Munich over the Internet.]

Slide 5/22: VPN Technologies (section title)

Slide 6/22: VPN Technologies (12-11)
[Figure: the corporate main site (perimeter router, Cisco PIX Firewall, VPN concentrator) terminates VPNs from a business partner with a Cisco router, a remote office with a Cisco router, a regional office with a Cisco PIX Firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco Secure VPN Client on a laptop computer connecting through a POP.]
PIX = Private Internet Exchange

Slide 7/22: Tunneling: L2F/L2TP (12-15)
[Figure: mobile users, telecommuters, and small remote offices dial into a PoP on the SP network/Internet (the LAC); the tunnel terminates at the home gateway (Home GW) on the corporate intranet, which consults a security server.]
1. User identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established
LAC = L2TP Access Concentrator

Slide 8/22: Tunneling: Generic Routing Encapsulation (GRE) (12-17)
• Mesh of virtual point-to-point interfaces
• Encapsulates multiprotocol packets in IP tunnels
• Application-level QoS
• Value-added platform
• Encryption-optional tunneling
• Standard architecture for service providers with IP infrastructures
[Figure: a service provider backbone carrying GRE tunnels between three Enterprise A sites and between two Enterprise B sites.]
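The encapsulation this slide describes, as an added example that is not part of the Cisco deck: Python code that builds a GRE-in-IPv4 packet (RFC 2784, with the optional key of RFC 2890) and decapsulates it, showing that the public outer header exposes the tunnel endpoints while GRE alone leaves the inner packet readable, which is why the slide calls encryption optional. The addresses, key and payload are constructed sample values.

```python
# Added example (not from the Cisco deck): GRE-in-IPv4 per RFC 2784/2890.
import socket
import struct

GRE_PROTO = 47          # IP protocol number for GRE in the outer header
PTYPE_IPV4 = 0x0800     # GRE protocol type of an IPv4 payload
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum, key, sequence present

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; header checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(tunnel_src, tunnel_dst, inner, key=None):
    """Wrap an inner IPv4 packet in a GRE header plus a public outer IPv4 header."""
    gre = struct.pack("!HH", FLAG_K if key is not None else 0, PTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)   # optional 32-bit tunnel key (RFC 2890)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet):
    """Parse outer IPv4 + GRE and return what an on-path observer can read."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer header does not carry GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    pos = ihl + 4 + (4 if flags & FLAG_C else 0)      # skip checksum/reserved1
    key = None
    if flags & FLAG_K:
        key, pos = struct.unpack("!I", packet[pos:pos + 4])[0], pos + 4
    pos += 4 if flags & FLAG_S else 0                  # skip sequence number
    inner = packet[pos:]
    return {"tunnel_src": socket.inet_ntoa(packet[12:16]),
            "tunnel_dst": socket.inet_ntoa(packet[16:20]),
            "ptype": ptype, "key": key,
            "inner_src": socket.inet_ntoa(inner[12:16]),
            "inner_dst": socket.inet_ntoa(inner[16:20]),
            # without IPSec the private payload is readable on the public path
            "inner_payload": inner[(inner[0] & 0x0F) * 4:]}

def demo():
    """Constructed sample: a private 10/8 packet tunnelled between two gateways on RFC 5737 addresses."""
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 6, 12) + b"PRIVATE DATA"
    return gre_decapsulate(gre_encapsulate("203.0.113.1", "198.51.100.1", inner, key=42))
```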

Slide 9/22: What Is IPSec? (12-18)
• Network-layer encryption and authentication
• Open standards for ensuring secure private communications over any IP network, including the Internet
• Data protected with network encryption, digital certification, and device authentication
• Scales from small to very large networks

Slide 10/22: What Is Internet Key Exchange (IKE)? (12-19)
• Automatically negotiates policy to protect communication
• Authenticated Diffie-Hellman key exchange
• Negotiates security associations for IPSec
[Figure: an IKE policy tunnel between two peers. One side proposes 3DES, MD5, and RSA signatures, OR IDEA, SHA, and DSS signatures, OR Blowfish, SHA, and RSA encryption; the other side shows IDEA, SHA, and DSS signatures.]
DES = Data Encryption Standard
MD5 = Message Digest algorithm 5
RSA = Rivest-Shamir-Adleman algorithm
IDEA = International Data Encryption Algorithm
SHA = Secure Hash Algorithm
DSS = Digital Signature Standard
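How the policy negotiation on this slide plays out, as an added example that is not from the Cisco deck: Python code that matches an initiator's ordered proposals (the three suites shown) against a responder's priority-ordered policies the way IKE phase 1 does, then audits the agreed suite against current guidance. The DH group and lifetime fields and the responder's configuration are assumptions not shown on the slide.

```python
# Added example (not from the Cisco deck): IKE phase 1 policy matching plus
# a defender's audit of the agreed suite.
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class IkePolicy:
    encryption: str       # "3DES", "IDEA", "Blowfish", ...
    hash: str             # "MD5" or "SHA"
    authentication: str   # "rsa-sig", "dss-sig" or "rsa-encr"
    dh_group: int         # Diffie-Hellman group; assumed, the slide does not show it
    lifetime: int         # SA lifetime in seconds; assumed, not on the slide

def matches(local: IkePolicy, remote: IkePolicy) -> bool:
    """Two policies match when encryption, hash, authentication method and
    DH group are identical; the lifetime is negotiated down, not compared."""
    keys = ("encryption", "hash", "authentication", "dh_group")
    return all(getattr(local, k) == getattr(remote, k) for k in keys)

def negotiate(responder_policies: List[IkePolicy],
              initiator_proposals: List[IkePolicy]) -> Optional[IkePolicy]:
    """The initiator offers all of its policies; the responder walks its own
    list in priority order and accepts the first one that any proposal
    matches, with the SA lifetime reduced to the shorter of the two."""
    for policy in responder_policies:
        for proposal in initiator_proposals:
            if matches(policy, proposal):
                return replace(policy, lifetime=min(policy.lifetime, proposal.lifetime))
    return None   # no common suite: IKE fails and no IPSec SA is built

def audit(policy: IkePolicy) -> List[str]:
    """Flag parameters that current IKE guidance (RFC 8247) no longer recommends."""
    findings = []
    if policy.encryption in {"DES", "3DES"}:
        findings.append(f"{policy.encryption} encryption is deprecated")
    if policy.hash == "MD5":
        findings.append("MD5 integrity is deprecated")
    if policy.dh_group in {1, 2, 5}:
        findings.append(f"DH group {policy.dh_group} is below 2048 bits")
    return findings

# Constructed sample: the initiator's proposals as listed on the slide, highest
# preference first, and a responder configured only for the IDEA/SHA/DSS suite.
INITIATOR = [IkePolicy("3DES", "MD5", "rsa-sig", 2, 86400),
             IkePolicy("IDEA", "SHA", "dss-sig", 2, 86400),
             IkePolicy("Blowfish", "SHA", "rsa-encr", 2, 86400)]
RESPONDER = [IkePolicy("IDEA", "SHA", "dss-sig", 2, 3600)]
```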

Slide 11/22: IPSec VPN Client Operation (12-20)
[Figure: a remote user with an IPSec client reaches the home gateway router and home network across the public network; a Certificate Authority/AAA server sits on the home network.]
• Dial access to corporate network
• Exchange X.509 certificate or one-time password
• IKE negotiation
• Secure tunnel established
• Authentication approved
• Encrypted data flows

Slide 12/22: Access, Intranet, and Extranet VPNs (section title)

Slide 13/22: Three Types of VPNs (12-28)

Type               | Application                                 | Alternative To       | Benefits
Remote access VPN  | Mobile users, remote connectivity           | Dedicated dial, ISDN | Ubiquitous access, lower cost
Intranet VPN       | Site-to-site, internal connectivity         | Leased line          | Extend connectivity, lower cost
Extranet VPN       | Business-to-business, external connectivity | Fax, mail, EDI, time | Facilitates e-commerce

Slide 14/22: Access VPNs (12-30)
[Figure: the enterprise DMZ (web servers, DNS server, SMTP mail relay) with AAA and CA servers; Service Provider A connects a small office and a mobile user or corporate telecommuter.]
• Ubiquitous access: modem, ISDN, xDSL, cable
• Potential operations and infrastructure cost savings
• Client initiated or NAS initiated (NAS = Network Access Server)
DNS = Domain Name System
SMTP = Simple Mail Transfer Protocol
DMZ = Demilitarized Zone (PCs directly connected online)

Slide 15/22: Access VPN Operation Overview (12-31)
[Figure: mobile users and telecommuters dial into the NAS at a POP on the SP network/Internet; the tunnel terminates at the home gateway on the corporate intranet, which consults a security server.]
1. VPN identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established

Slide 16/22: The Intranet VPN (12-40)
[Figure: the enterprise DMZ (web servers, DNS server, SMTP mail relay) with AAA and CA servers; Service Provider A connects a remote office and a regional office.]
• Potential operations and infrastructure cost savings
• Extends the corporate IP network across a shared WAN

Slide 17/22: The Extranet VPN (12-42)
[Figure: the enterprise DMZ (web servers, DNS server, SMTP mail relay) with AAA and CA servers; a business partner connects through Service Provider A and a supplier through Service Provider B.]
• Extends connectivity to business partners, suppliers, and customers
• Security policy very important

Slide 18/22: Intranet/Extranet VPN (12-44)
[Figure: the Company A core site (VPN router, firewall appliance, WAN router) connects over Internet, IP, FR, or ATM to a Company A remote site (integrated VPN router with broadband access) by an intranet VPN, and to Company B (firewall appliance, VPN router, VPN access) by an extranet VPN.]

Slide 19/22: VPN Examples (section title)

Slide 20/22: Health Care Company Intranet Deployment (12-46)
• Challenge: low-cost means for connecting remote sites with the primary hospital
[Figure: the primary hospital linked to remote centers across the public network and a private network.]

Slide 21/22: Branch Office or Telecommuters (12-47)
• Challenge: cost-effective means for connecting branch offices and telecommuters to the corporate network
• IPSec encrypts traffic from remote sites to the enterprise using any application
• IPSec may be combined with other tunnel protocols, e.g., GRE
• Telecommuters can gain secure, transparent access to the corporate network
[Figure: branch office or telecommuters reach the corporate network across the public network.]
