7/27/2019 12 Understanding VPNs (page 1/22)
1999, Cisco Systems, Inc. www.cisco.com
Module 12: Virtual Private Networks
CSE: Networking Fundamentals, VPNs (slide 12-2)
Agenda
What Are VPNs?
VPN Technologies
Access, Intranet, and Extranet VPNs
VPN Examples
Virtual Private Networks
Extends private network through public Internet
Lower cost than private WAN
Relies on tunneling and encryption
[Figure: Hong Kong and Paris sites joined across the Internet; the private IP packet is encrypted and carried inside a public IP header.]
Example of a VPN
Private networking service over a public network infrastructure
[Figure: Munich main office connected over the Internet to the New York, Milan, and Paris offices; a mobile worker dials to Munich over the Internet.]
VPN Technologies
VPN Technologies
[Figure: corporate main site (perimeter router, Cisco PIX Firewall, VPN concentrator) reached over the VPN by a business partner with a Cisco router, a remote office with a Cisco router, a regional office with a Cisco PIX Firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco Secure VPN Client on a laptop computer connecting through a POP.]
PIX = Private Internet Exchange
Tunneling: L2F/L2TP
[Figure: mobile users, telecommuters, and small remote offices reach a PoP (LAC) in the SP network/Internet, which tunnels them to the home gateway (Home GW) in the corporate intranet; a security server handles authentication.]
1. User identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established
LAC = L2TP Access Concentrator
Tunneling: Generic Routing Encapsulation (GRE)
Mesh of virtual point-to-point interfaces
Encapsulates multiprotocol packets in IP tunnels
Application-level QoS
Value-added platform
Encryption-optional tunneling
Standard architecture for service providers with IP infrastructures
[Figure: a service provider backbone carrying GRE tunnels between three Enterprise A sites and two Enterprise B sites.]
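The encapsulation the GRE slide describes, as an added Python example that is not part of the Cisco deck: it builds an RFC 2784 GRE header with the optional checksum, wraps a private IPv4 packet inside a public outer IPv4 header (the "private packet inside a public IP header" picture from the first slide), and strips and verifies it again on receipt. The addresses and payload are constructed sample values.

```python
import struct

GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type field: EtherType of the inner packet
IPPROTO_GRE = 47          # outer IPv4 "protocol" value that marks a GRE payload

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, outer_src: bytes, outer_dst: bytes,
                    proto: int = GRE_PROTO_IPV4, checksum: bool = True) -> bytes:
    """Wrap `inner` in a GRE header (RFC 2784) and a public outer IPv4 header."""
    flags_ver = 0x8000 if checksum else 0      # C bit set, version 0
    gre = struct.pack("!HH", flags_ver, proto)
    if checksum:                               # checksum covers GRE header + payload
        gre += struct.pack("!HH", 0, 0)
        gre = gre[:4] + struct.pack("!HH", ones_complement_sum(gre + inner), 0)
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet: bytes):
    """Strip outer IPv4 and GRE headers; return (protocol_type, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    gre = packet[ihl:]
    flags_ver, proto = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags_ver & 0x8000:                     # C bit: verify before trusting the payload
        if ones_complement_sum(gre) != 0:      # a valid checksum sums to zero
            raise ValueError("bad GRE checksum")
        offset += 4
    return proto, gre[offset:]

# Constructed sample: a private 10.0.0.1 -> 10.1.0.1 datagram (protocol 17, 5 bytes of
# payload) tunnelled between public 203.0.113.1 and 198.51.100.7 (RFC 5737 ranges).
INNER = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 1, 0, 1]), 17, 5) + b"hello"
TUNNELLED = gre_encapsulate(INNER, bytes([203, 0, 113, 1]), bytes([198, 51, 100, 7]))
```

Because GRE is encryption-optional, the decapsulated inner header, private addresses included, is readable by anything on the path; the checksum only catches corruption, not tampering, which is why the deck pairs GRE with IPSec.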
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Data protected with network encryption, digital certification, and device authentication
Scales from small to very large networks
What Is Internet Key Exchange (IKE)?
Automatically negotiates policy to protect communication
Authenticated Diffie-Hellman key exchange
Negotiates security associations for IPSec
[Figure: an IKE policy tunnel between two peers. One peer's policy list offers "3DES, MD5, and RSA signatures" OR "IDEA, SHA, and DSS signatures" OR "Blowfish, SHA, and RSA encryption"; the other peer's policy is "IDEA, SHA, and DSS signatures".]
DES = Data Encryption Standard
MD5 = Message Digest algorithm 5
RSA = Rivest-Shamir-Adleman algorithm
IDEA = International Data Encryption Algorithm
SHA = Secure Hash Algorithm
DSS = Digital Signature Standard
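The policy negotiation the IKE slide illustrates, as an added Python example that is not part of the Cisco deck. It applies the matching rule Cisco IOS documents for ISAKMP policies: the initiator sends all of its policies, the responder checks its own in priority order, a match needs identical encryption, hash, authentication and DH group, and the responder's lifetime must not exceed the initiator's (the shorter one is used). The DH group and lifetimes are assumptions; the slide lists only cipher, hash and authentication.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Optional

@dataclass(frozen=True)
class IkePolicy:
    """One IKE (ISAKMP) policy entry; a lower priority number is tried first."""
    priority: int
    encryption: str
    hash: str
    authentication: str
    dh_group: int       # assumed: the slide names no group, group 2 is used below
    lifetime: int       # SA lifetime in seconds; assumed values below

def same_transform(a: IkePolicy, b: IkePolicy) -> bool:
    """Cipher, hash, authentication method and DH group must all be identical."""
    return (a.encryption, a.hash, a.authentication, a.dh_group) == \
           (b.encryption, b.hash, b.authentication, b.dh_group)

def negotiate(initiator: Iterable[IkePolicy], responder: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """The initiator sends all its policies; the responder walks its own list in
    priority order and accepts the first one the initiator also offered, provided
    the responder's lifetime is not longer than the initiator's (the shorter wins)."""
    offered = list(initiator)
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in offered:
            if same_transform(mine, theirs) and mine.lifetime <= theirs.lifetime:
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None   # no common policy: IKE phase 1 fails and no tunnel is built

# Constructed from the slide: peer A offers three policies, peer B accepts only one.
# DH group and lifetimes are assumptions; the slide does not state them.
PEER_A = [
    IkePolicy(10, "3DES", "MD5", "RSA signatures", 2, 86400),
    IkePolicy(20, "IDEA", "SHA", "DSS signatures", 2, 86400),
    IkePolicy(30, "Blowfish", "SHA", "RSA encryption", 2, 86400),
]
PEER_B = [IkePolicy(10, "IDEA", "SHA", "DSS signatures", 2, 3600)]
```

Because the responder's own ordering decides the outcome, the practical control is to prune weak entries from the responder's policy list rather than rely on the initiator offering strong ones first.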
IPSec VPN Client Operation
[Figure: a remote user with an IPSec client dials across the public network to the home gateway router in front of the home network, which holds a certificate authority/AAA server.]
Dial access to corporate network
Exchange X.509 or one-time password
IKE negotiation
Secure tunnel established
Authentication approved
Encrypted data flows
Access, Intranet, and Extranet VPNs
Three Types of VPNs

Type               | Application                                  | Alternative To       | Benefits
Remote access VPN  | Mobile users; remote connectivity            | Dedicated dial, ISDN | Ubiquitous access, lower cost
Intranet VPN       | Site-to-site; internal connectivity          | Leased line          | Extend connectivity, lower cost
Extranet VPN       | Business-to-business; external connectivity  | Fax, EDI, Time       | Facilitates e-commerce
Access VPNs
[Figure: a mobile user or corporate telecommuter and a small office connect through Service Provider A to the enterprise DMZ (web servers, DNS server, SMTP mail relay) backed by AAA and CA servers. Ubiquitous access: modem, ISDN, xDSL, cable. Potential operations and infrastructure cost savings. Client initiated or NAS initiated.]
NAS = Network Access Server
DNS = Domain Name System
SMTP = Simple Mail Transfer Protocol
DMZ = Demilitarized Zone (PCs directly connected online)
Access VPN Operation Overview
[Figure: mobile users and telecommuters dial into a NAS at a POP in the SP network/Internet, which tunnels them to the home gateway in the corporate intranet; a security server handles authentication.]
1. VPN identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established
The Intranet VPN
Extends the corporate IP network across a shared WAN
Potential operations and infrastructure cost savings
[Figure: a remote office and a regional office connect through Service Provider A to the enterprise DMZ (web servers, DNS server, SMTP mail relay) backed by AAA and CA servers.]
The Extranet VPN
Extends connectivity to business partners, suppliers, and customers
Security policy very important
[Figure: a business partner via Service Provider A and a supplier via Service Provider B connect to the enterprise DMZ (web servers, DNS server, SMTP mail relay) backed by AAA and CA servers.]
Intranet/Extranet VPN
[Figure: Company A core site (VPN router, firewall appliance, WAN router) linked over the Internet, IP, FR, or ATM to a Company A remote site (intranet VPN; integrated VPN router with broadband access) and to Company B (extranet VPN; firewall appliance and VPN router).]
VPN Examples
Health Care Company Intranet Deployment
Challenge: Low-cost means for connecting remote sites with primary hospital
[Figure: primary hospital on the private network, reached by remote centers across the public network.]
Branch Office or Telecommuters
Challenge: Cost-effective means for connecting branch offices and telecommuters to the corporate network
IPSec encrypts traffic from remote sites to the enterprise using any application
IPSec may be combined with other tunnel protocols, e.g., GRE
Telecommuters can gain secure, transparent access to the corporate network
[Figure: branch offices and telecommuters reach the corporate network across the public network.]