Download pdf - 12 Understanding VPNs

7/27/2019 12 Understanding VPNs

1/22

1999, Cisco Systems, Inc.www.cisco.com

Module 12Virtual Private

Networks


2/22

12-2CSE: Networking FundamentalsVPNs 1999, Cisco Systems, Inc.www.cisco.com

Agenda

What Are VPNs?

VPN Technologies Access, Intranet, and

Extranet VPNs

VPN Examples


3/22


Extends private network through public Internet

Lower cost than private WAN

Relies on tunneling and encryption

Internet

Hong Kong

Paris

IP Packet

(Private,

Encrypted)

IP Header

(Public)

Virtual Private Networks


4/2212-9CSE: Networking FundamentalsVPNs 1999, Cisco Systems, Inc.www.cisco.com

Example of a VPN

Private networking service overa public network infrastructure

Munich Main Office

New York Office Milan Office

Paris Office

Internet

Mobile

Worker

Dials to Munichover Internet


5/22 1999, Cisco Systems, Inc.www.cisco.com

VPN Technologies

1999, Cisco Systems, Inc. www.cisco.com



VPN Technologies

VPN

Corporate

Business Partnerwith Cisco Router

Remote Officewith Cisco Router

Regional Officewith Cisco PIX

Firewall

SOHO with Cisco

ISDN/DSL Router

POP

Mobile Workerwith Cisco Secure VPN

Client on Laptop Computer

Cisco PIXFirewall

Main Site

PerimeterRouter

VPNConcentrator

PIX = Private Internet Exchange



SP Network/

Internet

PoP Corporate

Intranet

Mobile users

Telecommuters

Small remote

offices

Tunneling: L2F/L2TP

1. User identification2. Tunnel to

home gateway

Security

Server

3. User authentication4. PPP negotiation

with user

5. End-to-end tunnelestablished

Home

GW

LAC

LAC = L2TP Access Concentrator



Tunneling: Generic RouteEncapsulation (GRE)

Mesh of virtual point-

to-point interfaces

Encapsulates multiprotocol

packets in IP tunnels Application-level QoS

Value-added platform

Encryption-optional

tunneling

Standard architecture for

service providers with

IP infrastructures

Service ProviderBackbone

Enterprise A

Enterprise A

Enterprise A

Enterprise B

Enterprise B



What Is IPSec?

Network-layer encryption and authentication

Open standards for ensuring secure private

communications over any IP network,

including the Internet

Data protected with network encryption, digital

certification, and device authentication

Scales from small to very large networks

Wh t i I t t



Automatically negotiates policy to protect

communication

Authenticated Diffie-Hellman key exchange

Negotiates security associations for IPSec

3DES, MD5, and RSA Signatures,

OR

IDEA, SHA, and DSS Signatures,

OR

Blowfish, SHA, and RSA Encryption IDEA, SHA, and DSS Signatures

IKE Policy Tunnel

What is InternetKey Exchange (IKE)?

DES = Data Encryption Standard

MD5 = Message Digest algorithm 5

RSA = Rivest-Shamir-Adleman algorithm

IDEA = International Data Encryption Algorithm

SHA = Secure Hash Algorithm

DSS = Digital Signature Standard

IPS VPN Cli t


11/22


Remote User

with IPSec Client

Home Gateway

Router

Home

Network

Certificate

Authority/AAA

Public Network

Dial Access to Corporate NetworkExchange X.509 or One-Time Password

IKE

Negotiation

Secure Tunnel Established

Authentication Approved

Encrypted Data flows

IPSec VPN ClientOperation


12/22


Access, Intranet,and Extranet VPNs



13/22


Type

Remote access

VPN

Application

Mobile users

Remote

connectivity

Alternative To

Dedicated dial

ISDN

Intranet VPN

Extranet VPN

Site-to-site

Internal

connectivity

Leased line

Business-to-business

External

connectivity

Fax

Mail

EDI

Time

Ubiquitous

access,

lower cost

Benefits

Extend

connectivity,

lower cost

Facilitates

e-commerce

Three Types of VPNs


14/22


Enterprise

DMZ

Web ServersDNS Server

STMP Mail Relay

AAACA

Service

Provider A

Small

Office

Mobile User

or Corporate

Telecommuter

Ubiquitous

Access

Modem, ISDN

xDSL, Cable

PotentialOperations

and

Infrastructure

Cost Savings

Client Initiated or

NAS InitiatedNetwork Access Server

Access VPNs

DNS = Domain Name System

STMP = Simple Mail Transfer ProtocolDMZ = Demilitarized Zone (PCs directly connected online)

A VPN O ti


15/22


SP Network/

Internet

POPCorporate

Intranet

Mobile Users

and

Telecommuters

Access VPN OperationOverview

1. VPN identification 2. Tunnel to

home gateway

Security

Server

3. User authentication4. PPP negotiation

with user

5. End-to-end tunnelestablished

Home

Gateway

NAS


16/22


Enterprise

DMZ

Web Servers

DNS Server

STMP Mail Relay

AAACA

Remote

Office

Service

Provider A

Regional

Office

Potential Operations

and Infrastructure

Cost Savings

Extends the Corporate

IP Network Across a

Shared WAN

The Intranet VPN


17/22


Business

Partner

Enterprise

DMZ

Web Servers

DNS Server

STMP Mail Relay

AAACA

Service

Provider A

Service

Provider B

Extends Connectivity

to Business Partners,

Suppliers, and Customers Security Policy

Very Important

Supplier

The Extranet VPN


18/22


Intranet/Extranet VPN

VPNRouter

FirewallAppliance

FirewallAppliance

VPN Router

WAN Router

Integrated VPN router w/ BB Access

BroadbandAccess

VPNAccess

Company B

Extranet VPN

Company ARemote Site

Intranet VPN Intranet Intranet

Internet,IP, FR, ATM

Company A

Core SIte


19/22


VPN Examples


H lth C C


20/22


Primary Hospital

Remote Centers

Remote Center

Public Network

Private Network

ChallengeLow-cost means for connecting

remote sites with primary hospital

Health Care CompanyIntranet Deployment

Branch Office or


21/22


IPSec encrypts traffic from

remote sites to the enterprise using any application

IPSec may be combined with other tunnelprotocols, e.g., GRE

Telecommuters can gain secure, transparent accessto the corporate network

Public Network

ChallengeCost-effective means for connecting branch

offices and telecommuters to the corporate network

Branch Office orTelecommuters


22/22

48Presentation_ID 1999, Cisco Systems, Inc. www.cisco.com