Introduction to VPNs
Extending the Classic WAN
Session 2400 (Course Number 2400)
1190_05_2000_c2
1999, 2000, Cisco Systems, Inc.
Agenda
- VPN Choices: Choosing What's Right for You
- Understanding the Building Blocks of a VPN
  - Security
  - Platforms
  - Quality of Service
  - Network and Service Monitoring
- Next Steps and Real World Deployments
- Q&A
What Is a VPN?
Connectivity deployed on a shared infrastructure with the same policies and performance as a private network.
[Diagram: a Virtual Private Network linking Main Office, Business Partner, Remote Office, Regional Office, Home Office and Mobile Worker through a service provider POP]
The VPN Timeline
1996: IETF IPSec draft standard
1997: IKE reference code; Diffie-Hellman patent buyout
1998: Simple Certificate Enrollment Protocol (SCEP); campus VPN
1999: Remote access VPN
2000: IETF PKIX CMC; accelerated VPN services
2001: Secure streaming services (audio/video/voice)
Classic WAN
[Diagram: a private line network connecting Main Office, Remote Office, Regional Office, Home Offices and Mobile Workers]
Classic WAN: Today's New Challenges
[Diagram: the private line network still connects Main Office, Remote Office, Regional Office, Home Offices and Mobile Workers; Business Partners, a Very Remote Office and 1000s of Remote Workers sit outside it, marked with question marks]
VPNs Extend the Classic WAN
[Diagram: the private line network is kept for Main Office, Remote Office, Regional Office, Home Offices and Mobile Workers; an Internet/IP VPN now reaches Business Partners, the Very Remote Office and 1000s of Remote Workers]
Enabling the Internet Economy
[Diagram: enterprise WAN connectivity extended to Very Remote Sites, Telecommuters, Customers and Partners, carrying multiservice/voice and networked applications]
Types of Virtual Private Networks
Intranet VPN
- Low-cost, tunneled connections with rich VPN services, such as IPSec encryption and QoS to ensure reliable throughput
- Cost savings over Frame Relay and leased lines
Extranet VPN
- Extends WANs to business partners
- Layer 3 security
Remote Access VPN
- Secure, scalable, encrypted tunnels across a public network, using client software
- Cost savings over toll-free number expenditures
[Diagram: Home Office, Main Office, Remote Office, Business Partner and Mobile Worker connected to the VPN through service provider POPs]
VPN Applications and Requirements
Remote Access
- Extension of dial
- User manageability and deployment scalability
Site-to-Site: Intranet and Extranet
- Extension of the classic WAN
- VPN services and scalable performance
The challenge and opportunity of broadband access
[Diagram: Central Site, Intranet, Extranet (Business-to-Business) and Remote Access over DSL and cable, all reaching the VPN through a service provider POP]
Access VPN: Client Initiated
- Encrypted tunnel from the remote client to the corporate network
- Independent of broadband access technology
- Standards compliant: IPSec encapsulated tunnel, IKE key management
- Fully interoperable: Cisco IOS and other IPSec-compliant systems
[Diagram: encrypted IP from the remote client across the Internet to the corporate network]
VPN Types: Intranet VPN
- Extends the connectionless IP model across a shared WAN
- Reduces application development time
- Reduces support costs
- Reduces line costs
[Diagram: Main Office and Remote Offices connected through service provider POPs over Internet/IP VPNs]
VPN Types: Extranet VPN
Extend connectivity to suppliers, customers and business partners:
- Over a shared infrastructure
- Using dedicated connections
- While ensuring the proper level of authorized access
[Diagram: Main Office, Remote Offices, Business Partner, Supplier and Customer connected through service provider POPs over Internet/IP VPNs]
Router/Firewall-Initiated VPN
- Remote router or firewall initiated
- For site-to-site connectivity: intranets and extranets
[Diagram: an IPSec encrypted tunnel between two sites across the Internet, entering at each site's service provider POP]
VPNs Come in Many Flavors
Intranet VPNs and Extranet VPNs can be built at either layer:
- Layer 2: Frame Relay, ATM
- Layer 3: Internet VPN, IP VPN
VPNs: Who Does What
Enterprise managed (Internet VPN)
- Service provider provides basic VPN connectivity
- Enterprise manages QoS, security, SLA, and configuration of VPN functions
Service provider managed (IP VPN)
- Service provider provides a turnkey VPN
- Enterprise outsources design, provisioning and management
- Enterprise controls security
VPN Equipment Options
Multiple devices (separate encryption, firewall, bandwidth manager and SLA probe boxes)
- Separate management
Integrated services (one device)
- Scalable performance
- Simplified provisioning
VPN Security
Security: A Physical Analogy
[Diagram: security camera, traditional locks, card key, guard and security office]
Elements of Network Security
Corporate security policy
- Secure identification: provide authentication services
- Perimeter control: restrict and manage access to network resources; protect against denial-of-service attacks, etc.
- Data privacy (VPN): ensure data confidentiality
- Security monitoring: detect and react to intruders
- Test: recognize network vulnerabilities
- Policy management: centralized control of security services
Why VPN Security?
- VPNs run over shared IP networks, which are untrusted
- VPNs need the same robust security as classic WANs: authentication, integrity and confidentiality
- VPNs need auditing and monitoring: how do you know your VPN is secure?
IPSec Technology Review
- IETF standard that enables encrypted communication between users and devices: router to router, PC to server, router to firewall, PC to router
- Implemented transparently in the network infrastructure
- Scales from small to very large networks
- Open standard enables multivendor interoperability
- Included in Cisco IOS 11.3 and later
IPSec Modes
Tunnel mode: applied to an IP tunnel
- Outer IP header specifies the IPSec processing destination (the tunnel endpoint)
- Inner IP header specifies the ultimate packet destination
  Original:       [IP HDR][DATA]
  Tunnel mode:    [New IP HDR][IPSec HDR][IP HDR][DATA]   (inner IP HDR and DATA encrypted)
Transport mode: between two hosts
- IPSec header sits after the IP header, before the TCP/UDP header
  Original:       [IP HDR][DATA]
  Transport mode: [IP HDR][IPSec HDR][DATA]               (DATA encrypted)
The encrypted regions shown apply to ESP; AH provides integrity protection without encryption.
Public Key Infrastructure
- Digital certificate: identity mechanism for users and devices (electronic ID card)
- Certificate Authority (CA) verifies identity and signs the digital certificate, and handles certificate creation, storage, distribution, revocation and recovery
- Certificate Authorities help provide scalability
- Cisco IOS interoperates with: Verisign OnSite for IPSec, Entrust VPN Connector, Baltimore Technologies, Microsoft
[Diagram: a user, a bank and two CAs reached across the Internet]
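To make the CA's role concrete, here is an added example (written for this page; it is not Cisco's code or anything from the deck): a toy CA that issues a device certificate, the check a VPN peer runs on that certificate, and revocation through a CA-signed CRL. Real routers enroll by sending a certificate request over SCEP (see the timeline); here the CA signs directly, and the CA name, hostname and serial numbers are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds the issuing key and the self-signed CA certificate.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewKey generates a key pair for a CA or a VPN device.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// template fills the fields every certificate needs: serial, subject, validity.
func template(cn string, serial int64, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
}

// sign creates a certificate from tmpl, signed by priv on behalf of parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed CA entitled to sign certificates and CRLs.
func NewCA(name string) (*CA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := template(name, 1, 10)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// IssueDevice binds a device hostname to its public key for one year. The identity
// check the slide assigns to the CA is assumed to have happened before this call.
func (ca *CA) IssueDevice(hostname string, serial int64, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := template(hostname, serial, 1)
	tmpl.DNSNames = []string{hostname}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return sign(tmpl, ca.Cert, pub, ca.Key)
}

// Revoke issues a CA-signed CRL that lists one serial number.
func (ca *CA) Revoke(serial int64) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// VerifyPeer is what a gateway checks on the certificate a peer presents during IKE:
// chain to the trusted CA, expected name, validity period, and revocation status
// against a CRL that must itself carry the trusted CA's signature.
func VerifyPeer(peer, trusted *x509.Certificate, hostname string, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, DNSName: hostname, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(trusted); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", peer.SerialNumber)
		}
	}
	return nil
}
```

The order of checks matters: the CRL's own signature is verified before its contents are trusted, otherwise anyone could publish a CRL that "un-revokes" a stolen certificate or revokes a legitimate one. A certificate from a second CA with the same name as the trusted one fails at the chain step, which is why identity in IPSec rests on the CA key, not on the names printed in the certificate.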
IPSec Linking Sites
- Crypto devices obtain digital certificates from CAs
- Device authentication and authorization
- Packet selection via ACLs
- Security Association (SA) established via IKE (the ISAKMP session)
- Privacy and integrity: IPSec-based encryption and digital signature
- Security Associations are a scarce resource
[Diagram: two internal networks joined by an authenticated, encrypted tunnel; traffic is clear text inside each internal network and encrypted between the crypto devices, each of which holds a digital certificate from the Certificate Authority]
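The selection and SA steps above, as an added example (written for this page, not code from the deck or from Cisco IOS): a crypto ACL decides which packets are protected, an SA table serves the selected flows, and a stand-in for IKE installs new SAs until a configured limit is reached, which is what "a scarce resource" means in practice. First-match semantics mirror an IOS crypto map's match address list; addresses, SPIs, lifetimes and the SA limit are made-up test values.

```go
package main

import (
	"errors"
	"net/netip"
)

// Packet carries only the fields the crypto ACL selects on.
type Packet struct {
	Src, Dst netip.Addr
	Len      int64
}

// ACE is one crypto access-list entry. Permit means "protect with IPSec toward
// Peer"; deny means "send in the clear". The first matching entry wins.
type ACE struct {
	Permit   bool
	Src, Dst netip.Prefix
	Peer     netip.Addr
}

// SA is a simplified outbound Security Association with a byte lifetime.
type SA struct {
	SPI       uint32
	Selector  ACE
	BytesLeft int64
}

// Decision is what the gateway does with one outbound packet.
type Decision string

const (
	Bypass  Decision = "bypass"  // not selected for protection: forwarded in clear text
	Protect Decision = "protect" // selected and an SA is available
	Drop    Decision = "drop"    // selected, but no SA could be obtained
)

// Gateway holds the crypto ACL, the SA database and the limits that make SAs scarce.
type Gateway struct {
	ACL             []ACE
	SAD             map[uint32]*SA
	MaxSAs          int   // concurrent SAs the device can hold
	SALifetime      int64 // bytes one SA may protect before it must be rekeyed
	IKENegotiations int   // IKE exchanges triggered so far
	nextSPI         uint32
}

func NewGateway(acl []ACE, maxSAs int, lifetime int64) *Gateway {
	return &Gateway{ACL: acl, SAD: map[uint32]*SA{}, MaxSAs: maxSAs, SALifetime: lifetime, nextSPI: 0x1000}
}

// Select returns the first ACE matching the packet; ok is false when none does.
func (g *Gateway) Select(p Packet) (ace ACE, ok bool) {
	for _, a := range g.ACL {
		if a.Src.Contains(p.Src) && a.Dst.Contains(p.Dst) {
			return a, true
		}
	}
	return ACE{}, false
}

// findSA returns the established SA for a selector, if there is one.
func (g *Gateway) findSA(a ACE) *SA {
	for _, sa := range g.SAD {
		if sa.Selector == a {
			return sa
		}
	}
	return nil
}

// negotiate stands in for IKE: it installs a new SA unless the table is full.
func (g *Gateway) negotiate(a ACE) (*SA, error) {
	if len(g.SAD) >= g.MaxSAs {
		return nil, errors.New("SA table full: IKE cannot install another Security Association")
	}
	g.IKENegotiations++
	g.nextSPI++
	sa := &SA{SPI: g.nextSPI, Selector: a, BytesLeft: g.SALifetime}
	g.SAD[sa.SPI] = sa
	return sa, nil
}

// Outbound classifies one packet and returns the SPI of the SA used (0 when none).
func (g *Gateway) Outbound(p Packet) (Decision, uint32, error) {
	ace, ok := g.Select(p)
	if !ok || !ace.Permit {
		return Bypass, 0, nil
	}
	sa := g.findSA(ace)
	if sa != nil && sa.BytesLeft < p.Len {
		delete(g.SAD, sa.SPI) // lifetime exhausted: expire the SA and rekey
		sa = nil
	}
	if sa == nil {
		var err error
		if sa, err = g.negotiate(ace); err != nil {
			return Drop, 0, err
		}
	}
	sa.BytesLeft -= p.Len
	return Protect, sa.SPI, nil
}
```

Dropping, rather than sending in the clear, when a flow must be protected but no SA is available is the fail-closed default worth keeping. A real IKE negotiation installs a pair of SAs (one per direction) with both byte and time lifetimes, so the SA budget of a head-end is consumed twice as fast as the number of protected flows suggests.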
Secure VPN: Identity
[Diagram: corporate network with DMZ, PIX firewall, IOS Firewall, Certificate Authority, CiscoSecure Intrusion Detection, Security Scanner, Policy Server and Security Manager; a VPN Client (mobile user), a router (remote office), a business partner and a manufacturing site reach it across the service provider and the Internet; messages from the business partner and the mobile user carry digital certificates]
Secure VPN: Data Privacy
[Diagram: the same network as the Secure VPN: Identity slide, highlighting data privacy]
Secure VPN: Perimeter Security
[Diagram: the same network as the Secure VPN: Identity slide, with a hacker shown on the Internet side of the PIX firewall and IOS Firewall]
Secure VPN: Security Monitoring
[Diagram: the same network as the Secure VPN: Identity slide, with a hacker on the Internet; CiscoSecure Intrusion Detection and the Security Scanner are the monitoring elements]
Secure VPN: Policy Management
[Diagram: the same network as the Secure VPN: Identity slide; the Policy Server pushes policy updates to the PIX, the router, the IOS Firewall, the VPN Client and the other security components]
E-VPN Platforms
Remote Access VPN
Cisco VPN 3000 Concentrator Series, with the Scalable Encryption Processor (SEP)
Cisco Site-to-Site VPN Solutions: Scalability for Every Site
- Small office/home office: Cisco 800, uBR900 and 1400 Series, VPN-optimized routers for ISDN, DSL and cable connectivity
- Remote office: Cisco 1700 Series, VPN-optimized router connecting remote offices at T1/E1 speeds
- Branch and regional office: Cisco 2600 and 3600 Series, VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds
- Main office: Cisco 7100, 7200 and 7500 Series; 7100 for a dedicated VPN head-end, 7200 and 7500 for hybrid private WAN and VPN connectivity
[Diagram: these sites connected over the Internet/IP VPN]
Site-to-Site VPN Solutions
- Site-specific scalability: range of platforms to meet requirements from ISDN to DS3+
- Feature interoperability: single-device solution ensures interoperability of all VPN services
- Device integration: VPN security, Layer 3 routing, QoS, service level validation, and diverse VPN access media
- Investment protection: encryption acceleration modularity and software extensions
[Diagram: Small Office/Home Office, Remote Office, Regional Office and Main Office over the Internet/IP VPN]
E-VPN Services
Quality of Service in a VPN
QoS benefits for VPNs
- Make optimum use of VPN WAN link(s)
- Provide bandwidth and priority to mission-critical applications
- Control non-mission-critical applications
- Exploit differentiated services offered by the service provider
CPE functions
- Packet classification
- Packet marking
- WAN-link bandwidth management
- Measurement
SP functions
- Adhere to the SLA: throughput, latency, availability
- Control congestion
IPSec TOS Preservation
- Enables classification for encrypted and tunneled VPNs
- Supports ISP Differentiated Services offerings
- Preserves QoS signaling end-to-end
[Diagram: the CPE classifier marks packets, the crypto engine carries the TOS byte onto the tunneled and encrypted packet, output queuing applies the priority, and the ISP honors the marking end-to-end; non-classified traffic carries no marking]
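An added example that serves both the IPSec Modes slide earlier and the TOS preservation slide here (written for this page; it is not code from the deck or from Cisco): it builds both ESP layouts, carries the inner packet's TOS byte onto the outer header so the ISP's DiffServ queues still see the CPE's marking, and authenticates and decrypts the result. AES-GCM (RFC 4106) stands in for the DES/3DES transforms of the deck's era; the gateway addresses, SPI, key and salt are made-up values, and SA lookup by SPI and anti-replay are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

const protoESP = 50

// ESPSA is the part of a Security Association this example needs.
type ESPSA struct {
	SPI, Seq      uint32
	Salt          [4]byte // RFC 4106 nonce = 4-byte salt || 8-byte per-packet IV
	Local, Remote [4]byte // tunnel endpoints: the outer addresses in tunnel mode
	aead          cipher.AEAD
}

func NewESPSA(spi uint32, key []byte, salt, local, remote [4]byte) (*ESPSA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &ESPSA{SPI: spi, Salt: salt, Local: local, Remote: remote, aead: aead}, nil
}

// ipChecksum computes the IPv4 header checksum, skipping the checksum field itself.
func ipChecksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		if i != 10 {
			sum += uint32(binary.BigEndian.Uint16(h[i:]))
		}
	}
	for sum > 0xffff {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// rewrite copies an IPv4 header with a new protocol, total length and checksum.
func rewrite(h []byte, proto byte, totalLen int) []byte {
	out := append([]byte{}, h...)
	out[9] = proto
	binary.BigEndian.PutUint16(out[2:], uint16(totalLen))
	binary.BigEndian.PutUint16(out[10:], ipChecksum(out))
	return out
}

// IPv4Header builds a minimal 20-byte header; tos holds the CPE's DSCP marking (upper six bits).
func IPv4Header(tos, proto byte, src, dst [4]byte, totalLen int) []byte {
	h := make([]byte, 20)
	h[0], h[1], h[8] = 0x45, tos, 64
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return rewrite(h, proto, totalLen)
}

// Encapsulate protects a complete IPv4 packet. Tunnel mode encrypts the whole packet
// behind a new gateway-to-gateway header ([New IP HDR][ESP][IP HDR][DATA]); transport
// mode keeps the original header and encrypts only the payload ([IP HDR][ESP][DATA]).
// In both modes the TOS byte ends up on the outer header (IPSec TOS preservation).
func (sa *ESPSA) Encapsulate(pkt []byte, tunnel bool) []byte {
	ihl := int(pkt[0]&0x0f) * 4
	plain, next := pkt, byte(4) // tunnel: whole packet, next header = IP-in-IP
	if !tunnel {
		plain, next = pkt[ihl:], pkt[9] // transport: payload only, original protocol
	}
	pad := make([]byte, (4-(len(plain)+2)%4)%4) // ESP trailer must end on a 4-byte boundary
	for i := range pad {
		pad[i] = byte(i + 1) // RFC 4303 default padding pattern
	}
	body := append(append(append([]byte{}, plain...), pad...), byte(len(pad)), next)
	sa.Seq++ // the IV is derived from Seq, so it never repeats under this key
	esp := make([]byte, 16)
	binary.BigEndian.PutUint32(esp[0:], sa.SPI)
	binary.BigEndian.PutUint32(esp[4:], sa.Seq)
	binary.BigEndian.PutUint64(esp[8:], uint64(sa.Seq))
	// SPI and Seq travel in clear but are authenticated (AAD); body is encrypted and tagged.
	esp = sa.aead.Seal(esp, append(sa.Salt[:], esp[8:16]...), body, append([]byte{}, esp[:8]...))
	if tunnel {
		return append(IPv4Header(pkt[1], protoESP, sa.Local, sa.Remote, 20+len(esp)), esp...)
	}
	return append(rewrite(pkt[:ihl], protoESP, ihl+len(esp)), esp...)
}

// Decapsulate authenticates and decrypts an ESP packet, returning the protected bytes
// (whole inner packet in tunnel mode, payload in transport mode) and the trailer's
// next-header value (4 = IP-in-IP, i.e. tunnel mode).
func (sa *ESPSA) Decapsulate(pkt []byte) ([]byte, byte, error) {
	if len(pkt) < 52 || pkt[9] != protoESP {
		return nil, 0, errors.New("not an ESP packet")
	}
	esp := pkt[int(pkt[0]&0x0f)*4:]
	body, err := sa.aead.Open(nil, append(sa.Salt[:], esp[8:16]...), esp[16:], esp[:8])
	if err != nil {
		return nil, 0, err // ICV check failed: tampered packet or wrong key
	}
	padLen, next := int(body[len(body)-2]), body[len(body)-1]
	return body[:len(body)-2-padLen], next, nil
}
```

With tunnel=true the inner addresses are hidden and the outer header names only the two gateways; the TOS byte is the one thing deliberately left visible, which is the trade-off the slide accepts in exchange for ISP DiffServ treatment. Rekey before Seq wraps: a repeated IV under the same key breaks GCM completely.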
E-VPN Management
VPN Security Management
- Security Manager: centralized security policy control
- ACL Manager: manages access control lists
- Certificate Authority: issues digital certificates
[Diagram: Headquarters and Regional Office joined by IKE/IPSec over the Internet/IP VPN, with a PIX and intrusion detection at each site and certificates issued to the crypto devices]
VPN Bandwidth Management
- QoS Policy Manager: centralized bandwidth management policy control
- QoS Monitor: monitors traffic distribution
- Service Level Manager: SLA monitoring and measurement, using SAA (Service Assurance Agent) probes
[Diagram: Headquarters and Regional Office over the Internet/IP VPN, with a PIX, intrusion detection and SAA at each site]
Next Steps
Major VPN Challenges
- Mobility
- Streaming services: voice, video, audio
- Scalable deployment
- Policy management
Non-Technology Challenges
- Role of regulation
- Conflicting national policies
- Local standards and practices
VPN Deployment Options
The split of responsibility runs from an increasing enterprise network role to an increasing service provider role:
- Network manager 90% / service provider 10%: the network manager buys products from a VPN vendor, manages the network, and provides ongoing application and configuration management and help desk support; the service provider supplies basic Internet access
- Network manager 50% / service provider 50%: the service provider supplies the VPN equipment and adds QoS to the bandwidth offering
- Network manager 10% / service provider 90%: the network manager administers the security server; the service provider supplies the complete VPN solution, including service, training and help desk
Cost-Effectiveness of VPN Remote Access*
                            In-House      VPN           Savings
Ports and Tollfree Access   $957,000      $700,000      $257,000
Network Backbone            $500,000      $450,000      $50,000
Staffing                    $440,000      $0            $440,000
Security                    $185,000      $100,000      $85,000
24 x 7 Help Desk            $750,000      $550,000      $200,000
Network Management          $75,000       $0            $75,000
Totals                      $2,907,000    $1,800,000    $1,107,000
Savings based on the VPN solution (1000 users): 38%
*Numbers are quoted on an annual basis for 1000 users.
Waterbury Hospital
1. Requirement: fast, secure access to patient records
2. Solution: extranet VPN via cable modems and IPSec
[Diagram: a Cisco 3640 behind a PIX Firewall at the Laurel clinical data repository, with a T1 to the CT Hospital Association (ChimeLink); physicians' homes and offices reach it over Cox Communications and Charter Communications cable modems, using an IPSec client through an encrypted IP tunnel]
3. Benefit: high-speed access to new applications; more detailed patient information for doctors
Media Company
1. Requirement: reliable, low-cost access from a remote office
2. Solution: intranet VPN over the Internet from Delhi to Hong Kong; leased line from Hong Kong to US HQ
[Diagram: a Cisco 1720 in Delhi, India, on a 56K connection, with an encrypted IP tunnel across the Internet to a Cisco 3600, then a leased line to the United States; Singapore is also shown]
3. Benefit: 10x cost savings over Frame Relay; deployment in 3 weeks vs 6 months; expanding the VPN to other remote sites around the world
Altera Semiconductor
1. Requirement: reliable, low-cost, secure connections to remote offices and telecommuters
2. Solution: intranet and remote access VPN
[Diagram: a Cisco 7120 VPN router at San Jose HQ with a Cisco 3640 gateway; Toronto (Cisco 2610, ISDN), Santa Cruz (Cisco 2621, DSL), Fremont (cable modem), a T1 site and a United Kingdom IPSec client, all over encrypted IP tunnels across the Internet]
3. Benefit: fast, flexible deployment; higher speeds; secure communications
Additional Information
[Link]/go/evpn
[Link]/go/security
[Link]/go/securityassociates
Networking Professionals Community: white papers, ISPs with Cisco Powered VPN Services, design guides, data sheets, third-party solutions
Are You Ready?
[Diagram: Virtual Private Networks connecting Customers, Very Remote Sites, Telecommuters and Partners, carrying multiservice/voice and networked applications]
Please Complete Your Evaluation Form
Session 2400