Acit Mumbai - understanding vpns
http://www.acit.in/

Page 1: Module 12: Understanding Virtual Private Networks
© 1999, Cisco Systems, Inc. www.cisco.com
Page 2: Agenda
CSE: Networking Fundamentals—VPNs, © 1999, Cisco Systems, Inc. www.cisco.com

• What Are VPNs?

• VPN Technologies

• Access, Intranet, and Extranet VPNs

• VPN Examples

Page 3: What Are VPNs?

Diagram: a VPN carried over a service provider's shared network (Internet, IP, Frame Relay, or ATM).

• Virtual Private Networks (VPNs) extend the classic WAN
• VPNs leverage the classic WAN infrastructure, including Cisco's family of VPN-enabled routers and policy management tools
• VPNs provide connectivity on a shared infrastructure with the same policies and “performance” as a private network, at a lower total cost of ownership

Page 4: Virtual Private Networks

• Extends the private network across the public Internet
• Lower cost than a private WAN
• Relies on tunneling and encryption

Diagram: Hong Kong and Paris sites linked across the Internet. Each tunneled datagram carries a public outer IP header, routable on the Internet, around the private, encrypted inner IP packet; the provider forwards on the outer header alone.

Page 5: Why Build a VPN?

• Company information secured
• Lower costs
  – Connectivity costs
  – Capital costs
  – Management and support costs
• Wider connectivity options
• Speed of deployment

Page 6: What's Driving VPN Offerings?

• Reduced networking costs
• Increased network flexibility
• Mobile users and telecommuters
• Organizational changes, mergers, and acquisitions
• Extranets and intranets

Page 7: Who Buys VPNs?

• Organizations wishing to:
  – Implement more cost-effective WAN solutions
  – Connect multiple remote sites
  – Deploy intranets
  – Connect to suppliers, business partners, and customers
  – Get back to their core business, and leave the WAN to the experts
  – Lower operational and capital equipment costs
• Businesses with:
  – Multiple branch office locations
  – Telecommuters
  – Remote workers
  – Contractors and consultants

Page 8: Networked Applications

• Traditional applications
  – E-mail
  – Database
  – File transfer
• New applications
  – Videoconferencing
  – Distance learning
  – Advanced publishing
  – Voice

Page 9: Example of a VPN

• Private networking service over a public network infrastructure

Diagram: the Munich main office connected over the Internet to the New York, Milan, and Paris offices; a mobile worker dials in to Munich over the Internet.

Page 10: VPN Technologies

Page 11: VPN Technology Building Blocks

• Security
• QoS

Page 12: Security

• Tunnels and encryption
• Packet authentication
• Firewalls and intrusion detection
• User authentication

Page 13: Tunneling: L2F/L2TP

Diagram: mobile users, telecommuters, and small remote offices dial into a service provider POP (the L2TP access concentrator, LAC); the tunnel crosses the SP network/Internet to the home gateway on the corporate intranet, which consults a security server.

1. User identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established

Page 14: Tunneling: Generic Routing Encapsulation (GRE)

• Mesh of virtual point-to-point interfaces
• Encapsulates multiprotocol packets in IP tunnels
• Application-level QoS
• Value-added platform (new services)
• Encryption-optional tunneling: GRE by itself provides no confidentiality or integrity, so pair it with IPSec wherever the tunnel crosses an untrusted network
• Standard architecture for service providers with IP infrastructures

Diagram: Enterprise A (three sites) and Enterprise B (two sites), each meshed with GRE tunnels across the service provider backbone.
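The framing described on this page, as an added example that is not part of the Cisco module: a GRE tunnel endpoint in Python that wraps a private IPv4 packet in an RFC 2784 GRE header and a public outer IPv4 header (protocol 47), and the peer that unwraps and checks it. The addresses, the payload and the `demo` helper are constructed for illustration. `on_path_view` shows what anyone on the provider backbone can read with no key at all, which is what "encryption-optional" means in practice: the inner packet is plaintext until IPSec is added.

```python
"""GRE tunnel framing: public outer IPv4 header (protocol 47), RFC 2784 GRE header,
private inner packet. Added example, not from the Cisco module."""
import struct

GRE_PROTO = 47                        # IP protocol number in the outer header
ETHERTYPE_IPV4 = 0x0800               # GRE protocol type values are Ethertypes
GRE_FLAG_CHECKSUM = 0x8000            # C bit
GRE_RESERVED0_BITS_1_TO_5 = 0x7C00    # receiver must discard if set (RFC 2784 2.3.1)
GRE_VERSION_MASK = 0x0007             # must be 0


def ones_complement_checksum(data):
    """RFC 1071 checksum used by both the IPv4 header and the GRE header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet, proto_type=ETHERTYPE_IPV4, with_checksum=True):
    """Flags/version and protocol type, then (if C is set) checksum and reserved1.
    The checksum covers the whole GRE packet with the checksum field zeroed."""
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    hdr = struct.pack("!HH", flags, proto_type)
    if with_checksum:
        csum = ones_complement_checksum(hdr + b"\x00\x00\x00\x00" + inner_packet)
        hdr += struct.pack("!HH", csum, 0)
    return hdr + inner_packet


def gre_decapsulate(gre_packet):
    """Validate the GRE header; return (protocol_type, inner_packet)."""
    if len(gre_packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", gre_packet[:4])
    if flags & GRE_VERSION_MASK or flags & GRE_RESERVED0_BITS_1_TO_5:
        raise ValueError("unsupported GRE version or reserved bits set")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(gre_packet) < 8:
            raise ValueError("truncated GRE checksum")
        if ones_complement_checksum(gre_packet) != 0:   # intact packets verify to 0
            raise ValueError("GRE checksum mismatch")
        offset = 8
    return proto_type, gre_packet[offset:]


def tunnel_send(inner_packet, tunnel_src, tunnel_dst):
    """What the tunnel interface hands to the provider network."""
    gre = gre_encapsulate(inner_packet)
    return build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre)) + gre


def tunnel_receive(wire):
    """Strip and check the outer IPv4 header, then the GRE header."""
    if len(wire) < 20 or wire[0] >> 4 != 4 or wire[9] != GRE_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE")
    ihl = (wire[0] & 0x0F) * 4
    if ones_complement_checksum(wire[:ihl]) != 0:
        raise ValueError("outer IP header checksum mismatch")
    proto_type, inner = gre_decapsulate(wire[ihl:])
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected inner protocol type 0x%04x" % proto_type)
    return inner


def on_path_view(wire):
    """What a device on the provider backbone reads with no key at all: the outer
    addresses and, since GRE does not encrypt, the inner addresses and payload.
    Assumes the 8-byte GRE header (C set) and a 20-byte inner IPv4 header."""
    ihl = (wire[0] & 0x0F) * 4
    inner = wire[ihl + 8:]
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"outer_src": dotted(wire[12:16]), "outer_dst": dotted(wire[16:20]),
            "inner_src": dotted(inner[12:16]), "inner_dst": dotted(inner[16:20]),
            "inner_payload": inner[20:]}


# Constructed sample: a branch host talking to a data-center host over the tunnel.
SAMPLE_PAYLOAD = b"GET /payroll/report HTTP/1.0"
SAMPLE_INNER = build_ipv4_header("10.1.1.10", "10.2.2.20", 6, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD


def demo():
    """Tunnel endpoints 203.0.113.1 and 198.51.100.7 are documentation addresses."""
    wire = tunnel_send(SAMPLE_INNER, "203.0.113.1", "198.51.100.7")
    return wire, tunnel_receive(wire), on_path_view(wire)
```

The GRE checksum catches corruption, not an attacker: anyone who can read the packet can rewrite it and recompute the checksum. Integrity and confidentiality come from the IPSec layer discussed on the next pages.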

Page 15: What Is IPSec?

• Network-layer encryption and authentication
• Open standards for ensuring secure private communications over any IP network, including the Internet
• Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
• Data protected with network encryption, digital certificates, and device authentication
• Scales from small to very large networks

Page 16: What Is Internet Key Exchange (IKE)?

• Automatically negotiates policy to protect communication
• Authenticated Diffie-Hellman key exchange
• Negotiates (possibly multiple) security associations for IPSec

Diagram: two IKE peers each offer an ordered list of proposals (3DES, MD5, and RSA signatures; or IDEA, SHA, and DSS signatures; or Blowfish, SHA, and RSA encryption). The first proposal acceptable to both sides, here IDEA, SHA, and DSS signatures, becomes the policy for the tunnel.
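A simplified model of the two IKE steps on this page, proposal selection followed by an authenticated Diffie-Hellman exchange, added here as an example; it is not taken from the module and is not an IKE implementation. The proposal tuples come from the slide. `RESPONDER_POLICY`, the peer names, the pre-shared key, the message layout and the SKEYID-style key derivation are constructed simplifications. The slide's proposals authenticate with RSA or DSS signatures; this sketch uses IKE's pre-shared-key authentication method because it needs only the Python standard library. The 1024-bit group is RFC 2409 group 2, chosen to match the era of the module; new deployments use larger groups.

```python
"""IKE-style phase 1 sketch: proposal selection, then a Diffie-Hellman exchange
authenticated with a pre-shared key. Added example, not from the Cisco module."""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, 1024-bit MODP prime ("Second Oakley Group"), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

INITIATOR_PROPOSALS = [  # from the slide, in the initiator's order of preference
    ("3DES", "MD5", "RSA signatures"),
    ("IDEA", "SHA", "DSS signatures"),
    ("Blowfish", "SHA", "RSA encryption"),
]
RESPONDER_POLICY = [     # constructed: what this responder is configured to accept
    ("IDEA", "SHA", "DSS signatures"),
    ("Blowfish", "SHA", "RSA encryption"),
]


def select_proposal(offered, acceptable):
    """The responder picks the first offered proposal its policy allows. It may
    only choose a whole proposal, never mix attributes. No overlap, no tunnel."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    raise ValueError("NO-PROPOSAL-CHOSEN")


class Peer:
    """One IKE endpoint. Both ends hold the same pre-shared key (PSK)."""

    def __init__(self, identity, psk):
        self.identity = identity
        self.psk = psk
        self.priv = secrets.randbelow(P - 3) + 2      # x in [2, p-2]
        self.pub = pow(G, self.priv, P)               # g^x mod p
        self.nonce = secrets.token_bytes(16)

    @staticmethod
    def _binding(identity, pub, nonce):
        return identity.encode() + pub.to_bytes(128, "big") + nonce

    def kex_message(self):
        """Send g^x and a nonce with a PSK-keyed MAC over them, so an on-path
        attacker cannot substitute its own g^z without knowing the PSK."""
        body = self._binding(self.identity, self.pub, self.nonce)
        return {"id": self.identity, "pub": self.pub, "nonce": self.nonce,
                "auth": hmac.new(self.psk, body, hashlib.sha256).digest()}

    def derive_key(self, msg):
        """Authenticate the peer's message first, then compute the shared key."""
        if not 1 < msg["pub"] < P - 1:
            raise ValueError("invalid DH public value")
        body = self._binding(msg["id"], msg["pub"], msg["nonce"])
        expected = hmac.new(self.psk, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["auth"]):
            raise ValueError("AUTHENTICATION-FAILED: peer does not hold our PSK")
        shared = pow(msg["pub"], self.priv, P)        # g^xy mod p
        # SKEYID-style derivation (simplified): bind the key to both nonces and g^xy.
        ni, nr = sorted([self.nonce, msg["nonce"]])   # role-independent ordering
        skeyid = hmac.new(self.psk, ni + nr, hashlib.sha256).digest()
        return hmac.new(skeyid, shared.to_bytes(128, "big"), hashlib.sha256).digest()


def establish(initiator, responder):
    """Whole exchange: agree on policy, then run authenticated DH on both sides."""
    chosen = select_proposal(INITIATOR_PROPOSALS, RESPONDER_POLICY)
    msg_i, msg_r = initiator.kex_message(), responder.kex_message()
    key_i, key_r = initiator.derive_key(msg_r), responder.derive_key(msg_i)
    if key_i != key_r:
        raise RuntimeError("peers derived different keys")
    return chosen, key_i


def mitm_attempt(victim, genuine_msg):
    """An attacker who lacks the PSK replaces the peer's public value. Without the
    MAC the victim would happily key with the attacker; with it, the swap is caught."""
    forged = Peer(genuine_msg["id"], b"attacker-does-not-know-the-psk").kex_message()
    try:
        victim.derive_key(forged)
        return "accepted"
    except ValueError:
        return "rejected"
```

The unauthenticated Diffie-Hellman exchange by itself gives two parties a shared secret with anyone in the middle; the "authenticated" in the slide's bullet is the MAC (or, in the slide's proposals, the RSA/DSS signature) over the exchanged values, and the responder must check it before the derived key is used for anything.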

Page 17: IPSec VPN Client Operation

Diagram: a remote user with an IPSec client reaches the home gateway router across the public network; the gateway fronts the home network and consults a certificate authority/AAA server.

1. Dial access to the corporate network
2. Exchange X.509 certificates or a one-time password
3. IKE negotiation
4. Authentication approved
5. Secure tunnel established
6. Encrypted data flows

Page 18: L2TP and IPSec Are Complementary

Diagram: an L2TP tunnel carried inside IPSec, with an AAA server behind the gateway.

• IPSec provides the protected tunnel across the public network
• L2TP provides tunnel end-point authentication
• IPSec maintains encryption and per-packet authentication
• L2TP carries PPP, so it provides tunnels for non-IP traffic
• PPP over L2TP also delivers AAA services and dynamic address assignment (like DHCP)

Page 19: Encryption: DES and 3DES

• Widely adopted standard
• Encrypts plaintext into ciphertext
• DES performs 16 rounds
• Triple DES (3DES)
  – The 56-bit DES algorithm runs three times (encrypt, decrypt, encrypt)
  – 112-bit triple DES uses two keys
  – 168-bit triple DES uses three keys
• Accomplished on a VPN client, server, router, or firewall
• Caveat: 56-bit DES has been brute-forced in public since 1998, and 3DES has since been deprecated by NIST; new IPSec deployments should use AES

Page 20: Firewalls

• All traffic from inside to outside, and vice versa, must pass through the firewall
• Only authorized traffic, as defined by the local security policy, is allowed in or out
• The firewall itself must be hardened so that it resists penetration

Page 21: User Authentication

• Centralized security database (AAA services)
• High availability
• Same policy across many access points
• Per-user access control
• Single network login
• Support for: TACACS+, RADIUS (IETF), Kerberos, one-time passwords

Diagram: a dial-in user enters through a network access server, and an Internet user through a gateway router and firewall that intercepts connections; both are authenticated against a central AAA server (TACACS+/RADIUS) on the campus holding the ID/user profiles.

Page 22: VPNs and Quality of Service

Diagram: traffic classes (voice from a PBX, premium IP, best effort) pass through packet classification (CAR), traffic policing (CAR) that admits only conforming traffic, congestion avoidance (WRED), and then the tunnel (L2TP, IPSec, GRE); AAA and CA services sit alongside.
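The policing stage in the diagram (CAR admitting only conforming traffic) is a token bucket. The example below is added here and is not from the Cisco module; the rate, burst size and packet trace are constructed.

```python
"""Single-rate token-bucket policer of the kind CAR applies per traffic class
before packets enter the tunnel. Added example, not from the Cisco module."""


class TokenBucketPolicer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0        # refill rate in bytes per second
        self.burst = float(burst_bytes)   # bucket depth: largest admissible burst
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = None

    def police(self, timestamp, size):
        """Return 'conform' (transmit) or 'exceed' (drop or remark) for one packet."""
        if self.last is not None:
            if timestamp < self.last:
                raise ValueError("timestamps must not go backwards")
            self.tokens = min(self.burst, self.tokens + (timestamp - self.last) * self.rate)
        self.last = timestamp
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"   # a non-conforming packet does not consume tokens


def police_trace(trace, rate_bps, burst_bytes):
    """Apply one policer to a list of (timestamp_seconds, size_bytes) packets."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    return [policer.police(t, size) for t, size in trace]


# Constructed trace for a 64 kbit/s class allowed a 1500-byte burst: two packets
# back to back at t=0, then one every 100 ms, one 50 ms later, then a long gap.
SAMPLE_TRACE = [(0.00, 1000), (0.00, 1000), (0.10, 1000), (0.20, 1000), (0.25, 1000), (1.00, 1500)]
```

At 64 kbit/s the bucket refills 800 bytes per 100 ms, so the second back-to-back packet and the one arriving only 50 ms after its predecessor exceed the contract; the long gap refills the bucket to its 1500-byte cap, no further.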

Page 23: Access, Intranet, and Extranet VPNs

Page 24: Three Types of VPNs

Type              | Application                                 | Alternative to        | Benefits
Remote access VPN | Mobile users; remote connectivity           | Dedicated dial; ISDN  | Ubiquitous access, lower cost
Intranet VPN      | Site-to-site; internal connectivity         | Leased line           | Extend connectivity, lower cost
Extranet VPN      | Business-to-business; external connectivity | Fax; mail; EDI        | Facilitates e-commerce

Page 25: Access VPNs

Diagram: mobile users, corporate telecommuters, and a small office connect through Service Provider A to the enterprise, whose DMZ holds web servers, a DNS server, an SMTP mail relay, and AAA/CA servers.

• Ubiquitous access: modem, ISDN, xDSL, cable
• Potential operations and infrastructure cost savings
• Client initiated or NAS initiated

Page 26: Access VPN Operation Overview

Diagram: mobile users and telecommuters dial a POP (NAS) on the SP network/Internet; the tunnel reaches the home gateway on the corporate intranet, which consults a security server.

1. VPN identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established

Page 27: Access VPN Basic Components

• Dial client (PPP peer), over ISDN or async
• L2TP access concentrator (LAC) at the provider, with its AAA server (RADIUS/TACACS+)
• L2TP network server (LNS, the home gateway) at the enterprise, with its AAA server (RADIUS/TACACS+)
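The tunnel setup sequence on Pages 13 and 26 and the components on this page start with the LAC (NAS) sending a Start-Control-Connection-Request to the LNS (home gateway). The added example below, not from the Cisco module, builds that SCCRQ and parses it on the LNS side per RFC 2661, including the rule that an unknown AVP with the mandatory bit set must abort the tunnel. The host name, tunnel ID and the extra vendor AVP used in the test are constructed; hidden (H-bit) AVPs and L2TP tunnel authentication are out of scope here.

```python
"""L2TPv2 control message framing (RFC 2661): the SCCRQ a LAC sends to open a tunnel
to the LNS, and the LNS-side parser. Added example, not from the Cisco module."""
import struct

L2TP_VERSION = 2
FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
AVP_M, AVP_H, AVP_LENGTH_MASK = 0x8000, 0x4000, 0x03FF

# IETF (vendor ID 0) attribute types, RFC 2661 section 4.4
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAPABILITIES = 0, 2, 3
AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 7, 9
KNOWN_AVPS = {AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_FRAMING_CAPABILITIES,
              AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID}
MSG_SCCRQ = 1   # Start-Control-Connection-Request


def build_avp(attr_type, value, mandatory=True, vendor_id=0):
    """AVP header: M|H|rsvd|10-bit length (including this 6-byte header), vendor, type."""
    length = 6 + len(value)
    if length > AVP_LENGTH_MASK:
        raise ValueError("AVP too long")
    return struct.pack("!HHH", (AVP_M if mandatory else 0) | length, vendor_id, attr_type) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Control header: T=1, L=1, S=1, O=0, P=0, Ver=2; then Length, IDs, Ns, Nr."""
    body = b"".join(avps)
    flags = FLAG_T | FLAG_L | FLAG_S | L2TP_VERSION
    return struct.pack("!HHHHHH", flags, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def build_sccrq(host_name, assigned_tunnel_id, extra_avps=()):
    """SCCRQ from the LAC: header Tunnel ID is 0 because the LNS has not assigned one yet."""
    avps = [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ)),      # must be first
        build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),                    # version 1, revision 0
        build_avp(AVP_FRAMING_CAPABILITIES, struct.pack("!I", 0x3)),     # async and sync
        build_avp(AVP_HOST_NAME, host_name.encode()),
        build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)),
    ] + list(extra_avps)
    return build_control_message(0, 0, 0, 0, avps)


def parse_control_message(data):
    """LNS side. Reject malformed headers; skip unknown optional AVPs; treat an
    unknown AVP with the M bit set as fatal for the tunnel (RFC 2661 section 4.1)."""
    if len(data) < 12:
        raise ValueError("truncated L2TP header")
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("not L2TPv2")
    if not (flags & FLAG_T):
        raise ValueError("data message, not a control message")
    if not (flags & FLAG_L and flags & FLAG_S) or flags & FLAG_O:
        raise ValueError("control messages need L and S set and O clear")
    if length != len(data):
        raise ValueError("Length field does not match the datagram")
    avps, pos, first_type = {}, 12, None
    while pos < length:
        if pos + 6 > length:
            raise ValueError("truncated AVP header")
        aflags, vendor_id, attr_type = struct.unpack("!HHH", data[pos:pos + 6])
        alen = aflags & AVP_LENGTH_MASK
        if alen < 6 or pos + alen > length:
            raise ValueError("bad AVP length")
        value = data[pos + 6:pos + alen]
        if first_type is None:
            first_type = (vendor_id, attr_type)
        pos += alen
        if aflags & AVP_H:
            raise ValueError("hidden AVP: decoding needs the tunnel secret")
        if vendor_id != 0 or attr_type not in KNOWN_AVPS:
            if aflags & AVP_M:
                raise ValueError("unknown mandatory AVP type %d: tear down the tunnel" % attr_type)
            continue   # unknown and optional: ignore it
        avps[attr_type] = value
    if first_type != (0, AVP_MESSAGE_TYPE) or len(avps.get(AVP_MESSAGE_TYPE, b"")) != 2:
        raise ValueError("Message Type AVP must come first")
    return {
        "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr,
        "message_type": struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0],
        "host_name": avps.get(AVP_HOST_NAME, b"").decode(errors="replace"),
        "assigned_tunnel_id": (struct.unpack("!H", avps[AVP_ASSIGNED_TUNNEL_ID])[0]
                               if AVP_ASSIGNED_TUNNEL_ID in avps else None),
    }
```

Nothing in this exchange is encrypted or integrity-protected; the control channel runs over plain UDP. That is the reason the module pairs L2TP with IPSec on Page 18, and why an LNS exposed to the Internet should accept tunnels only from peers it can authenticate.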

Page 28: Client-Initiated Access VPN

Diagram: encrypted IP from the remote client across the Internet to the corporate network.

• Encrypted tunnel from the remote client to the corporate network
• Independent of access technology
• Standards compliant
  – IPSec encapsulated tunnel
  – IKE key management

Page 29: Client-Initiated VPNs

• Pros:
  – Use the same hardware as for dedicated access
  – Dedicated encryption hardware in the firewall for performance
• Cons:
  – Management of the IPSec PC client
  – Security must be initiated by the user

Page 30: NAS-Initiated Access VPN

Diagram: the user dials the NAS with a login of the form username@domain; the domain identifies the VPN, and the NAS tunnels the session across the IP network to that domain's home gateway.

Page 31: NAS-Initiated VPNs

• Pros:
  – No PC client software to manage
  – Premium services
  – VPN and Internet access at the NAS
  – More scalable and manageable
• Cons:
  – Users can connect only to certain POPs
  – The L2TP tunnel from the NAS to the home gateway is not itself encrypted; protect it with IPSec (Page 18) when it crosses an untrusted network

Page 32: The Intranet VPN

Diagram: a remote office and a regional office connect through Service Provider A to the enterprise, whose DMZ holds web servers, a DNS server, an SMTP mail relay, and AAA/CA servers.

• Extends the corporate IP network across a shared WAN
• Potential operations and infrastructure cost savings

Page 33: The Extranet VPN

Diagram: a business partner (through Service Provider B) and a supplier (through Service Provider A) connect to the enterprise, whose DMZ holds web servers, a DNS server, an SMTP mail relay, and AAA/CA servers.

• Extends connectivity to business partners, suppliers, and customers
• Security policy is very important: each outside party should reach only the resources it is authorized for

Page 34: Intranet and Extranet VPNs

• Multiple users, multiple sites, and potentially multiple companies or multiple communities of interest
• Dedicated connections
• Flexible architecture options
  – IP tunnels with IPSec or GRE
  – Managed router service with Frame Relay or ATM virtual circuits
  – Tag Switching/MPLS

Page 35: Comparing the Types

Table: VPN type (Access VPN, Intranet, Extranet) against initiation model (NAS-initiated, client-initiated, router-initiated).

Page 36: VPN Examples

Page 37: Health Care Company Intranet Deployment

Diagram: a primary hospital on its private network connected across the public network to several remote centers.

Challenge: a low-cost means for connecting remote sites with the primary hospital

Page 38: Branch Office or Telecommuters

Challenge: a cost-effective means for connecting branch offices and telecommuters to the corporate network over the public network

• IPSec encrypts traffic from remote sites to the enterprise, for any application
• IPSec may be combined with other tunnel protocols, e.g., GRE
• Telecommuters gain secure, transparent access to the corporate network

Page 39: Traditional Dialup Versus Access VPN

Traditional Dialup (20 users)
  One-time: remote access server $3,000; one-time installation fee for 10 phone lines $1,000
  Recurring: long-distance charges $0.10 per minute; average use 90 minutes per day per user

Access VPN (20 users)
  One-time: access router, T1/E1, DSU/CSU, firewall $4,600; VPN client software ($50/user) $1,000; T1/E1 installation $5,000
  Recurring: central site T1/E1 Intranet access $2,500 per month; ISP access ($20/user) $400 per month

Page 40: Traditional Dialup Versus Access VPN (totals)

Same inputs as the previous page, 20 users in each case.

Traditional Dialup
  One-time capital cost: remote access server $3,000 + installation of 10 phone lines $1,000 = $4,000
  Recurring cost: 20 users x 90 min/day x $0.10/min x 30 days = $5,400 per month

Access VPN
  One-time capital cost: access router, T1/E1, DSU/CSU, firewall $4,600 + VPN client software $1,000 + T1/E1 installation $5,000 = $10,600
  Recurring cost: central site T1/E1 access $2,500 + ISP access $400 = $2,900 per month

Page 41: VPN Payback

Chart: cumulative total cost ($0 to $80,000) over months 1 to 12, Traditional versus VPN. The VPN starts $6,600 higher ($10,600 versus $4,000) but saves $2,500 every month ($5,400 versus $2,900), so the two lines cross during month 3: payback in 3 months.

Page 42: Summary

• VPNs reduce costs
• VPNs improve connectivity
• VPNs maintain security
• VPNs offer flexibility
• VPNs are reliable
