
A VPN Primer

ITC February 3, 2000


1998, Cisco Systems, Inc.


Market Forces for VPN


- Proliferation of the network economy is changing how companies conduct business
- Remote users, telecommuters, road warriors and external business partners require access to networked computing resources
- Extending the network with a classic Wide Area Network (WAN) is not easily accomplished to meet these requirements
- Many are considering VPNs to complement existing WAN infrastructures

The proliferation of the networked economy has spawned fundamental changes in how corporations conduct business. Corporate staff is no longer defined by where they do their jobs as much as how well they perform their job functions. Competitive pressures in many industries have spawned alliances and partnerships among enterprises, requiring separate corporations to act and function as one when facing customers. While such developments have increased productivity and profitability for many corporations, they have also created new demands on the corporate network. A network focused solely on connecting fixed corporate sites is no longer feasible for many companies. Remote users, such as telecommuters or road warriors, and external business partners now require access to enterprise computing resources. Extending the enterprise network to accommodate these users is not easily accomplished with a classic wide-area network (WAN) or an enterprise-owned wide-area switching infrastructure. Consequently, many enterprises are considering virtual private networks (VPNs) to complement their existing classic WAN infrastructures.


Market Potential
- Gartner Group: by 2003 nearly 100% of enterprise accounts will supplement their WAN with VPNs
- Motivation?
  - VPNs can meet diverse connectivity needs
  - VPNs are less expensive to operate in terms of management, bandwidth, and capital
  - Payback in months instead of years

According to the Gartner Group, a networking research and consulting firm, by 2003 nearly 100 percent of enterprises will supplement their WAN infrastructures with VPNs. From a network architecture perspective, the motivation for this is manifest: a VPN can better meet today's diverse connectivity needs. The advantages of a VPN, however, are also visible at the bottom line. VPNs are less expensive to operate than private networks from a management, bandwidth, and capital perspective. Consequently, the payback period for VPN equipment is generally measured in months instead of years. Perhaps the most important benefit of all, however, is that VPNs enable enterprises to focus on their core business objectives instead of running the corporate network.


VPN Market Opportunity


[Chart: VPN Services Revenue, service provider revenue in $M worldwide, 1998-2002, broken out into IP VPNs, Managed Router Services, and Frame Relay/L2 ATM. Source: CIMI, Nov. 1997]

"Internet WANs will be the primary means of building intranets by the year 2001." (Forrester, 11/97)



Cisco's VPN Position


- VPN solutions encompass all segments of networking infrastructure:
  - Platforms
  - Security
  - Network services
  - Network appliances
  - Management

Cisco VPN solutions encompass all segments of the networking infrastructure (platforms, security, network services, network appliances, and management), thus providing the broadest set of VPN service offerings across many different network architectures. Cisco's support of existing WAN infrastructures is essential in accommodating hybrid network architectures, where users will require access to the VPN from leased line and frame relay as well as IP and Internet VPN connections. Leveraging existing network gear in these deployment scenarios is paramount; wholesale infrastructure replacement to accommodate VPN deployment is infeasible. Cisco VPN solutions enable corporations to deploy VPNs on their existing Cisco networking gear. Cisco's entire line of router platforms is easily VPN-enabled through Cisco IOS software enhancements, thus providing corporations a smooth migration path to a VPN environment. Through Cisco IOS software enhancements, Cisco's installed base of VPN-ready ports numbers nearly 10 million today.


Cisco's VPN Position

Cisco's network architecture flexibility and ubiquity make Cisco uniquely positioned as the guide to the new world of VPNs


Network architecture flexibility and ubiquity make Cisco uniquely positioned as the guide to the new world of VPNs. Industry-leading Cisco platforms, including routers, WAN switches, access servers, and firewalls, combined with the robust security and management services afforded by Cisco IOS software, are the foundation for deploying the most comprehensive set of VPN service offerings available. Cisco VPN solutions tightly integrate the many facets of VPNs with existing Cisco products, ensuring the smooth integration of VPN technology into Cisco enterprise networks. The breadth of Cisco solutions, such as voice over the enterprise WAN, is fully compatible with Cisco VPN platforms. Furthermore, the ubiquity of Cisco equipment in service provider IP, Frame Relay, and ATM backbones provides the means for a high degree of feature integration over the WAN, including common QoS functions across service provider and enterprise networks.


Virtual Private Network Defined


Customer Connectivity Deployed on a Shared Infrastructure with the Same Policies as a Private Network
[Diagram: customer sites connected as a VPN across the service provider's shared network (Internet, IP, FR, ATM)]


There is much hype in the industry currently concerning VPNs, their functionality, and how they fit in the enterprise network architecture. Simply defined, a VPN is an enterprise network deployed on a shared infrastructure employing the same security, management, and throughput policies applied in a private network. VPNs are an alternative WAN infrastructure that replaces or augments existing private networks that utilize leased-line or enterprise-owned Frame Relay/ATM networks. VPNs do not inherently change WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost effectively. A VPN can utilize the most pervasive transport technologies available today: the public Internet, service provider IP backbones, as well as service provider Frame Relay and ATM networks. The functionality of a VPN, however, is defined primarily by the equipment deployed at the edge of the enterprise network and feature integration across the WAN, not by the WAN transport protocol itself.


VPN Defined
- A network deployed on a shared network providing the same security, management, and throughput as a private network
- VPNs don't change WAN requirements, but instead meet the requirements more cost effectively



Types of VPNs

- Remote Access
- Intranets
- Extranets


VPNs are segmented into three categories: remote access, intranets, and extranets. Remote access VPNs connect telecommuters, mobile users, or even smaller remote offices with minimal traffic to the enterprise WAN and corporate computing resources. An intranet VPN connects fixed locations, branch and home offices, within an enterprise WAN. An extranet extends limited access to enterprise computing resources to business partners, such as suppliers or customers, enabling access to shared information. Each type of VPN has different security and quality of service (QoS) issues to consider.


VPNs Leverage Classic WAN


[Diagram: VPNs leverage the classic WAN. Branch sites reach the enterprise over leased lines, ATM and Frame Relay; telecommuters over dial/ISDN; mobile users, partners/customers and remote sites over an Internet IP-VPN. All share a common networking infrastructure and a common security and management infrastructure.]


VPNs and VPDNs are exciting technologies which have the potential to dramatically slash the cost of providing network support to remote offices and mobile users. By leveraging the Internet and the services provided by ISPs, you can tightly integrate the corporate intranet with remote users, and cut costs at the same time.


Why Consider VPNs


- Lower cost than private networks
  - LAN-to-LAN connectivity costs reduced by 20-40%
  - Remote access cost reduction of 60-80%
- Proliferation of the Internet economy
- Reduced management burdens
- Simplified network topologies



VPNs offer many advantages over traditional, leased-line networks. Some of the primary benefits are:
- Lower cost than private networks: total cost of ownership is reduced through lower-cost transport bandwidth, backbone equipment, and operations. According to Infonetics, a networking management consulting firm, LAN-to-LAN connectivity costs are typically reduced by 20 to 40 percent over domestic leased-line networks; cost reduction for remote access is in the 60 to 80 percent range.
- Proliferation of the Internet economy: VPNs are inherently more flexible and scalable network architectures than classic WANs, thereby enabling enterprises to easily and cost-effectively connect and disconnect remote offices, international locations, telecommuters, roaming mobile users, and external business partners as business requirements demand.
- Reduced management burdens: compared to owning and operating a private network infrastructure, enterprises may outsource some or all of their WAN functions to a service provider, enabling them to focus on core business objectives instead of managing a WAN or dial-access network.
- Simplified network topologies, which further reduce management burdens: utilizing an IP backbone eliminates the permanent virtual circuits (PVCs) associated with connection-oriented protocols such as Frame Relay and ATM, thereby creating a fully meshed network topology while actually decreasing network complexity and cost.


Components of the VPN


- Security: tunneling, encryption, packet authentication, user authentication, access control
- Appliances: firewalls, intrusion detection, active security auditing
- VPN services: QoS (queuing, network congestion avoidance, traffic shaping, packet classification) and VPN routing using EIGRP, OSPF, BGP
- Management: enforcing QoS policies
- Platform scalability: ability to adapt the VPN to meet bandwidth and connectivity needs


VPN solutions are defined by the breadth of features offered. A VPN platform must be secure from intrusion and tampering, deliver mission-critical data in a reliable and timely manner, and be manageable across the enterprise. Unless each of these requirements is addressed, the VPN solution is incomplete. The essential elements of a VPN can be segmented into five broad categories:
- Security: tunneling, encryption, packet authentication, user authentication, and access control
- Appliances: firewalls, intrusion detection, and active security auditing
- VPN services: quality of service (QoS) functions like queuing, network congestion avoidance, traffic shaping, and packet classification, as well as VPN routing services utilizing EIGRP, OSPF, and BGP
- Management: enforcing security and QoS policies across the VPN and monitoring the network
- Platform scalability: each of these elements must be scalable across VPN platforms ranging from a small office configuration through the largest enterprise implementations; the ability to adapt the VPN to meet changing bandwidth and connectivity needs is crucial in a VPN solution.


E-VPN Building Blocks


[Diagram: E-VPN building blocks. End-to-end networking: security, QoS, network and service monitoring, network management, policy management. Built as an open architecture with scalability on top of core networking services: Cisco IOS infrastructure, platforms, appliances.]


Satisfying these VPN requirements does not necessarily require replacement of an existing wide-area networking infrastructure. Cisco VPN solutions augment existing WAN infrastructures to meet the enhanced security, reliability, and management requirements present in a VPN environment. Cisco's existing router portfolio is VPN-capable, with VPN features deployable through Cisco IOS software. In some VPN deployments, depending on encryption performance requirements and WAN topology, the Cisco portfolio of VPN-optimized routers may be a better alternative. VPN-optimized routers offer optional hardware extensibility for enhanced security performance. Implementing VPN solutions on either portfolio of VPN routers enables robust VPN deployment using existing Cisco networking gear, thus preserving enterprise investments in networking infrastructures.


Security and Appliances: Protecting the Network


Tunnels and Encryption
- Tunnels provide logical point-to-point connections across a connectionless IP network. Encryption is applied to the tunneled connection to scramble data.
- Tunnel support: IPsec, Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), and Generic Routing Encapsulation (GRE)
- Encryption support: DES and 3DES; support for major certificate authorities like Verisign, Entrust, and Netscape


Cisco VPN solutions employ encrypted tunnels to protect data from being intercepted and viewed by unauthorized entities and to perform multiprotocol encapsulation, if necessary. Tunnels provide logical, point-to-point connections across a connectionless IP network, enabling application of advanced security features in a connectionless environment. Encryption is applied to the tunneled connection to scramble data, thus making data legible only to authorized senders and receivers. In applications where security is less of a concern, tunnels can be employed without encryption to provide multiprotocol support without privacy. Cisco VPNs employ IPSec, Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), and Generic Routing Encapsulation (GRE) for tunnel support, as well as the strongest standard encryption technologies available: DES and 3DES. Furthermore, Cisco VPN solutions support major certificate authority vendors, like Verisign, Entrust, and Netscape, for managing security/encryption administration.
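As an added illustration (not code from the Cisco slides), the following Python builds and parses the GRE header described above as specified in RFC 2784. It shows what a tunnel by itself provides: a logical point-to-point encapsulation that lets any protocol ride over IP, with the payload carried in the clear, which is why encryption is layered on when privacy matters. The protocol type 0x8137 and the order message are constructed sample values.

```python
"""GRE (RFC 2784) encapsulation and decapsulation of a tunneled payload."""
import struct
from typing import Tuple

GRE_PROTO_IPV4 = 0x0800      # GRE reuses EtherType values as protocol types
GRE_PROTO_IPX = 0x8137       # a non-IP protocol type, to show multiprotocol carriage
FLAG_CHECKSUM = 0x8000       # C bit: a Checksum + Reserved1 word follows the base header


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, with_checksum: bool = True) -> bytes:
    """Prepend a GRE header to the payload; the payload bytes are carried unchanged."""
    flags = FLAG_CHECKSUM if with_checksum else 0
    header = struct.pack("!HH", flags, proto)
    if with_checksum:
        # the checksum covers the GRE header (checksum field zeroed) plus the payload
        csum = internet_checksum(header + struct.pack("!HH", 0, 0) + payload)
        header += struct.pack("!HH", csum, 0)
    return header + payload


def gre_decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Parse the GRE header, verify the checksum if present, return (proto, payload)."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")   # RFC 2784 GRE is version 0
    if not flags & FLAG_CHECKSUM:
        return proto, packet[4:]
    if len(packet) < 8:
        raise ValueError("truncated GRE checksum")
    # a packet carrying a correct checksum sums to zero under the same algorithm
    if internet_checksum(packet) != 0:
        raise ValueError("GRE checksum mismatch")
    return proto, packet[8:]


def demo() -> dict:
    """Tunnel a constructed non-IP frame and show what a tunnel does (and does not) give you."""
    order = b"ORDER qty=1000 item=widget"          # constructed sample payload
    tunneled = gre_encapsulate(order, GRE_PROTO_IPX)
    proto, inner = gre_decapsulate(tunneled)
    # without encryption the payload is readable by anyone on the path
    visible_in_clear = order in tunneled
    # the checksum catches accidental corruption in transit (one flipped bit here) ...
    damaged = bytearray(tunneled)
    damaged[10] ^= 0x01
    try:
        gre_decapsulate(bytes(damaged))
        corruption_detected = False
    except ValueError:
        corruption_detected = True
    # ... but it is not an integrity mechanism: a rewritten payload with a recomputed
    # checksum decapsulates cleanly, which is what packet authentication addresses
    altered = gre_encapsulate(order.replace(b"1000", b"100"), GRE_PROTO_IPX)
    _, altered_payload = gre_decapsulate(altered)
    return {"proto": proto, "payload": inner, "visible_in_clear": visible_in_clear,
            "corruption_detected": corruption_detected, "altered_payload": altered_payload}
```

The GRE checksum only guards against accidental corruption; whoever can rewrite the payload can recompute it. Closing that gap is the job of the keyed hashes in AH and ESP on the next slide.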


Security and Appliances: Protecting the Network


Packet Authentication
- On an unsecured network, packets can be intercepted by a perpetrator, the contents changed, then forwarded to the destination
- Packet authentication protects against tampering by applying headers to the IP packet: Authentication Header (AH), Encapsulation Security Protocol (ESP), hashing functions of MD-5 and Secure Hash Algorithm (SHA)


While interception and viewing of data on a shared network is the primary security concern for enterprises, data integrity is also an issue. On an unsecured network, packets can be intercepted by a perpetrator, the contents changed, then forwarded on to their destination with erroneous information. For example, an order placed to a supplier over an unsecured network could be modified by a perpetrator, changing the order quantity from 1000 to 100. Packet authentication protects against such tampering by applying headers to the IP packet to ensure its integrity. Components of IP Security, the authentication header (AH) and Encapsulation Security Protocol (ESP), are employed in conjunction with industry-standard hashing algorithms such as MD-5 and Secure Hash Algorithm (SHA) to ensure data integrity of packets transmitted over a shared IP backbone.
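The order-tampering scenario above, worked through in Python as an added example that is not from the original deck: a keyed hash (HMAC, the construction IPsec AH and ESP use with MD5 or SHA-1, truncated to 96 bits per RFC 2403 and RFC 2404) is computed over a sequence number and the payload, so both a rewritten quantity and a replayed packet are refused by the receiver. The four-byte header layout, the key and the order text are constructed for the example and simplify the real AH header; in a deployment the key would come from IKE rather than being typed in.

```python
"""Packet integrity protection in the style of the IPsec Authentication Header (AH)."""
import hashlib
import hmac
import struct
from typing import Tuple

ICV_LEN = 12   # RFC 2403/2404: HMAC-MD5 and HMAC-SHA-1 outputs are truncated to 96 bits
HDR_LEN = 4    # constructed simplified header: a 4-byte sequence number only


def compute_icv(key: bytes, data: bytes, algo: str = "sha1") -> bytes:
    """Keyed hash over the protected bytes; 'md5' or 'sha1' as named on the slide."""
    return hmac.new(key, data, getattr(hashlib, algo)).digest()[:ICV_LEN]


def protect(key: bytes, seq: int, payload: bytes, algo: str = "sha1") -> bytes:
    """Emit seq || ICV || payload, with the ICV covering the sequence number and payload."""
    header = struct.pack("!I", seq)
    return header + compute_icv(key, header + payload, algo) + payload


def verify(key: bytes, packet: bytes, last_seq: int, algo: str = "sha1") -> Tuple[bool, int, bytes]:
    """Return (accepted, new_last_seq, payload). Rejects tampering, wrong keys and replays."""
    if len(packet) < HDR_LEN + ICV_LEN:
        return False, last_seq, b""
    header = packet[:HDR_LEN]
    icv = packet[HDR_LEN:HDR_LEN + ICV_LEN]
    payload = packet[HDR_LEN + ICV_LEN:]
    expected = compute_icv(key, header + payload, algo)
    if not hmac.compare_digest(icv, expected):     # constant-time comparison
        return False, last_seq, b""
    (seq,) = struct.unpack("!I", header)
    if seq <= last_seq:                            # simple anti-replay: strictly increasing
        return False, last_seq, b""
    return True, seq, payload


def demo() -> dict:
    key = b"constructed-shared-key"                 # constructed; real IPsec keys come from IKE
    order = b"ORDER qty=1000 item=widget"           # constructed sample payload
    packet = protect(key, 1, order)
    ok, last, _ = verify(key, packet, 0)
    # the slide's scenario: an on-path party rewrites the quantity; the ICV no longer matches
    tampered = packet[:HDR_LEN + ICV_LEN] + packet[HDR_LEN + ICV_LEN:].replace(b"1000", b"100")
    tampered_ok, _, _ = verify(key, tampered, last)
    # presenting the genuine packet a second time is refused by the sequence check
    replay_ok, _, _ = verify(key, packet, last)
    # the next legitimate packet, with the next sequence number, is accepted
    next_ok, _, _ = verify(key, protect(key, 2, b"ORDER qty=5 item=gadget"), last)
    return {"original_ok": ok, "tampered_ok": tampered_ok,
            "replay_ok": replay_ok, "next_ok": next_ok}
```

Note the contrast with a plain checksum: without the key, no party on the path can produce an ICV the receiver will accept, so integrity rests on key secrecy rather than on the attacker's inability to do arithmetic.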


Security and Appliances: Protecting the Network


Firewalls, Intrusion Detection, and Security Auditing
- Firewalls protect against network attacks and denial of service, verify the source of traffic, and prescribe access privileges: IOS firewall feature set, PIX Firewall appliance
- Intrusion detection operates with the firewall to analyze the content and context of individual packets to determine if they are authorized: NetRanger
- Security auditing scans the network for potential risks: NetSonar


A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and from network attacks, such as denial of service. Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted. Cisco VPN solutions provide enterprises flexibility in firewall choices, offering Cisco IOS software-based firewalls resident on VPN routers, as well as the separate PIX Firewall appliance. An added element of insurance in perimeter security is intrusion detection. While firewalls permit or deny traffic based on source, destination, port, and other criteria, they do not actually analyze traffic. Intrusion detection systems, such as Cisco NetRanger, operate in conjunction with firewalls to extend perimeter security to the packet payload level by analyzing the content and context of individual packets to determine if the traffic is authorized. If a network's data stream experiences unauthorized activity, NetRanger automatically applies real-time security policy, such as disconnecting the offending session, and notifies a network administrator of the incident. The NetRanger products provide automated monitoring and response for more robust network security while simultaneously reducing personnel costs associated with perimeter monitoring. Monitoring traffic and intrusion detection provide strong defense mechanisms against network attacks, but strong security begins inside the corporate network by ensuring that security vulnerabilities are minimized. Security auditing systems, like Cisco's NetSonar, scan the corporate network identifying potential security risks. NetSonar maps all active systems on a network, their operating systems and network services, and their associated potential vulnerabilities. NetSonar also proactively and safely probes systems using its comprehensive network security database to confirm vulnerabilities, and provides detailed information about security vulnerabilities, enabling network managers to better secure the network from attacks.


Security and Appliances: Protecting the Network


User Authentication: making sure authorized users gain access to enterprise computing resources
- AAA: Authentication, Authorization, Accounting
- TACACS+, RADIUS (CiscoSecure)


User Authentication

A key component of VPN security is making sure authorized users gain access to enterprise computing resources they need, while unauthorized users are shut out of the network entirely. Cisco VPN solutions are built around authentication, authorization, and accounting (AAA) capabilities that provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial access and extranet applications of VPNs. Cisco VPN solutions support Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+) user authentication platforms.
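To make the AAA exchange concrete, here is an added Python example (not Cisco code) of a RADIUS Access-Request and its reply as defined in RFC 2865: the NAS hides the User-Password with MD5 keyed by the shared secret and a per-request authenticator, the AAA server recovers it, checks the user, and answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS verifies. The user name, password, shared secret and the fixed request authenticator are constructed values; a real NAS draws a fresh random authenticator for every request.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept exchange between a NAS and an AAA server."""
import hashlib
import hmac
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the zero padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident: int, authenticator: bytes, secret: bytes,
                         user: bytes, password: bytes) -> bytes:
    """NAS side. Layout: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    attrs = encode_attr(ATTR_USER_NAME, user)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def serve(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """AAA server side: check the credential and answer with a Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    user = attrs.get(ATTR_USER_NAME)
    if code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], password):
        reply_code = ACCESS_ACCEPT
    else:
        reply_code = ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)   # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def check_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: only a party holding the shared secret can produce a valid reply."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo() -> dict:
    secret = b"constructed-nas-secret"                    # constructed shared secret
    users = {b"telecommuter1": b"correct horse battery"}  # constructed user database
    req_auth = bytes(range(16))                           # fixed here so the run is reproducible
    good = build_access_request(1, req_auth, secret, b"telecommuter1", b"correct horse battery")
    bad = build_access_request(2, req_auth, secret, b"telecommuter1", b"wrong password")
    good_reply, bad_reply = serve(good, secret, users), serve(bad, secret, users)
    return {
        "good_code": good_reply[0], "bad_code": bad_reply[0],
        "good_reply_authentic": check_response(good_reply, req_auth, secret),
        # a reply checked against a different secret fails the Response Authenticator test
        "other_secret_authentic": check_response(good_reply, req_auth, b"not the secret"),
        "password_in_clear": b"correct horse battery" in good,
    }
```

Everything here rests on the shared secret between NAS and AAA server: whoever holds it can recover hidden passwords and produce replies the NAS will accept, so that secret and the path between NAS and server need the same care as the user credentials themselves.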


Managing Routing and Throughput


Quality of Service (QoS)
- QoS mechanisms that apply to Layer 2 and Layer 3 VPNs: packet classification, Weighted Fair Queuing (WFQ), Weighted Random Early Detection (WRED), Tag Switching/Multiprotocol Label Switching (MPLS), Generic Traffic Shaping (GTS), Border Gateway Protocol (BGP)
- Routing protocols like EIGRP and OSPF


QoS is an essential component in efficient use of precious WAN bandwidth and in ensuring reliable throughput of important data. The bursty nature of network traffic characteristically makes poor use of network bandwidth by sending too many packets into the network at once or congesting network bottlenecks. The result is twofold: WAN links are often underutilized, letting expensive bandwidth lie dormant, and network congestion during peak times constrains throughput of delay-sensitive and mission-critical traffic. It is a lose/lose situation. QoS determines the network's ability to assign resources to mission-critical or delay-sensitive applications while limiting resources committed to low-priority traffic. QoS addresses two fundamental requirements for applications run on a VPN: predictable performance and policy implementation. Policies are used to assign network resources to specific users, applications, project groups, or servers in a prioritized way. Components of QoS that apply to Layer 2 and Layer 3 VPNs are as follows:
- Packet classification: assigns packet priority based on enterprise network policy.
- Committed access rate (CAR): guarantees minimum throughput levels to specific applications and users based on enterprise network policy.
- Weighted Fair Queuing (WFQ): allocates packet throughput based on packet priority.
- Weighted Random Early Detection (WRED): complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable throughput rates.
- Tag Switching/Multiprotocol Label Switching (MPLS): ensures continuity of packet priority across Layer 2 and Layer 3 VPNs.
- Generic traffic shaping (GTS): smooths bursty traffic and packet trains to ensure optimal average utilization of VPN WAN links.
- Border Gateway Protocol (BGP) propagation: enables the QoS policies to extend to traffic in both directions of the VPN connection.
These QoS mechanisms complement each other, working together in different parts of the VPN to create a comprehensive end-to-end QoS solution. QoS solutions must be integrated across all parts of the VPN to be effective; single point solutions cannot ensure predictable performance.
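An added Python illustration (not from the slides) of two of the mechanisms listed above: packet classification by IP precedence and WRED's drop decision. It implements the Cisco-style WRED curve over an exponentially weighted average queue depth: no drops while the average is below the minimum threshold, a drop probability rising linearly to 1/mark-probability-denominator at the maximum threshold, and every packet dropped above it, so low-precedence traffic is thinned first and TCP backs off before the queue overflows. Cisco's defaults are an exponent of 9 and a denominator of 10; the thresholds, the queue-depth trace and the small exponent used so a 200-packet simulation converges are constructed for the example.

```python
"""Weighted Random Early Detection (WRED) drop decisions, as run on a VPN edge router."""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class WredProfile:
    min_threshold: int                # average depth (packets) below which nothing is dropped
    max_threshold: int                # average depth at/above which every packet is dropped
    mark_prob_denominator: int = 10   # drop probability at max_threshold is 1/denominator


def precedence_from_tos(tos: int) -> int:
    """IP precedence is the top three bits of the ToS byte (packet classification)."""
    return (tos >> 5) & 0x7


def drop_probability(profile: WredProfile, avg_depth: float) -> float:
    """Piecewise-linear WRED curve: 0 below min, 1/denominator at max, 1 above max."""
    if avg_depth < profile.min_threshold:
        return 0.0
    if avg_depth >= profile.max_threshold:
        return 1.0
    span = profile.max_threshold - profile.min_threshold
    return (avg_depth - profile.min_threshold) / span / profile.mark_prob_denominator


class WredQueue:
    def __init__(self, profiles: Dict[int, WredProfile], exponent: int = 9, seed: int = 1):
        self.profiles = profiles            # one profile per IP precedence value
        self.weight = 2.0 ** -exponent      # exponential weighting constant (Cisco default 9)
        self.avg_depth = 0.0
        self.rng = random.Random(seed)      # seeded so the simulation below is reproducible

    def should_drop(self, precedence: int, current_depth: int) -> bool:
        # the running average smooths bursts, so a short spike alone does not trigger drops
        self.avg_depth += self.weight * (current_depth - self.avg_depth)
        return self.rng.random() < drop_probability(self.profiles[precedence], self.avg_depth)


def simulate(depths: List[int], exponent: int = 3) -> Dict[int, int]:
    """Alternate precedence-0 and precedence-5 packets through a queue whose instantaneous
    depth follows `depths` (constructed trace); return drops per precedence."""
    profiles = {0: WredProfile(20, 40),      # best-effort: thinned early
                5: WredProfile(45, 60)}      # mission-critical: tolerates a deeper queue
    queue = WredQueue(profiles, exponent=exponent)
    drops = {0: 0, 5: 0}
    for i, depth in enumerate(depths):
        prec = 0 if i % 2 == 0 else 5
        if queue.should_drop(prec, depth):
            drops[prec] += 1
    return drops
```

Run `simulate([50] * 200)` for a link held in sustained congestion: once the average passes 40 every precedence-0 packet is dropped, while precedence-5 traffic sees only the gentle probabilistic thinning of its 45 to 60 band. Run `simulate([10] * 100)` for a lightly loaded link and nothing is dropped at all.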


Operating the VPN


- VPNs integrate multiple security policies and QoS services
- Companies need to manage these devices and features across the VPN infrastructure
- A VPN WAN allows for outsourcing of many aspects of network management
- Unlike private networks, a VPN enables a company to define what level of network control it needs to retain in house while outsourcing less sensitive functions to the service provider


VPNs integrate multiple security and QoS services in addition to the network devices themselves. Enterprises need to seamlessly manage these devices and features across the VPN infrastructure, including remote access and extranet users. Given these issues, network management becomes a major consideration in a VPN environment. A VPN WAN architecture, however, affords network managers the opportunity to outsource many aspects of network management. Unlike in a private network architecture, a VPN enables enterprises to define what level of network control they need to retain in-house, while outsourcing less sensitive functions to service providers.


Operating the VPN


Business Requirements
- Scalable device management
- Support for hybrid network architectures
- Leveraging Cisco Powered Networks
- Cisco enterprise network management strategy


Many companies choose to retain full control over deployment and daily operation of their VPN, and thus require a comprehensive, policy-based management system. Such a system extends the existing management framework to encompass WAN management functions unique to VPNs. Cisco enterprise network management provides a comprehensive suite of tools for managing devices, security policies, and services across any size VPN. As the WAN is extended with VPN technology, a strict set of business requirements must be met for the enterprise network manager to be successful. These requirements include:
- Minimize risk: moving from a dedicated infrastructure to a shared infrastructure that utilizes WAN transport mediums, such as the public Internet, presents the network manager with new security and auditing challenges; network managers must be able to extend VPN access to multiple corporate sites, business partners, and remote users, while assuring the integrity of the corporate data resources.
- Scale: the rapid addition of mobile users and business partners to the VPN requires network managers to expand the network, make hardware and software upgrades, manage bandwidth, and maintain security policies with unprecedented speed and accuracy.
- Cost: to fully realize the cost benefits of a VPN, network managers must be able to implement new VPN technologies and provision additional network users without growing the operations staff at a proportional rate.


Remote Access VPNs


[Diagram: remote access VPN. Client-initiated tunnel (IPsec/PPTP/L2TP) from the remote PC across the VPN cloud (Internet, IP) to the main office VPN router; NAS-initiated tunnel (L2TP/L2F) from the service provider NAS to the main office, with the client reaching the NAS over the PSTN using PPP/SLIP.]

When implementing a remote access VPN architecture, an important consideration is where to initiate tunneling and encryption: on the dialup client or on the network access server (NAS). In a client-initiated model, the encrypted tunnel is established at the client using IPSec, L2TP, or PPTP, thereby making the service provider network solely a means of transport to the corporate network. An advantage of a client-initiated model is that the last-mile service provider access network used for dialing to the point of presence (POP) is secured. An additional consideration in the client-initiated model is whether to utilize operating system embedded security software or a more secure supplemental security software package. While supplemental security software installed on the client offers more robust security, a drawback to this approach is that it entails installing and maintaining tunneling/encryption software on each client accessing the remote access VPN, potentially making it more difficult to scale. In a NAS-initiated scenario, client software issues are eliminated. A remote user dials into a service provider's POP using a PPP/SLIP connection, is authenticated by the service provider, and, in turn, initiates a secure, encrypted tunnel to the corporate network from the POP using L2TP or L2F. With a NAS-initiated architecture, all VPN intelligence resides in the service provider network: there is no end-user client software for the corporation to maintain, thus eliminating client management burdens associated with remote access. The drawback, however, is lack of security on the local access dial network connecting the client to the service provider network. In a remote access VPN implementation, these security/management trade-offs must be balanced.


Remote Access VPNs


Outsourced Remote Access

[Diagram: mobile users, telecommuters, extranet users and small remote offices reach corporate headquarters either client-initiated (laptop with IPSec, across the Internet to the corporate firewall/router gateway) or NAS-initiated (laptop with PPP to the service provider NAS, then L2F/L2TP), with AAA servers on both the provider and corporate sides.]

- Ubiquitous access: dial, ISDN, xDSL, cable, and Mobile IP
- NAS-initiated: reduces infrastructure and operations costs; scalable; no PC client maintenance
- Client-initiated: access independent; standards evolution/deployment

These are the standard features typically provided with an access VPN.


Intranet VPNs
[Diagram: intranet VPN. Remote offices and the main office each terminate on a VPN router; IPsec/GRE tunnels between the routers run across the Internet/IP network.]

Intranet VPNs are an alternative WAN infrastructure that can augment or replace private lines or other private WAN infrastructures by utilizing shared network infrastructures provided by service providers. Intranet VPNs are built using the Internet or service provider IP, Frame Relay, or ATM networks. Intranet VPNs built on an IP WAN infrastructure utilize IPSec or GRE to create secure tunnels across the network to carry WAN traffic. When combined with service provider backbone QoS mechanisms, QoS functions such as WFQ, WRED, GTS, and CAR employed on corporate network edge routers ensure efficient use of WAN bandwidth and reliable throughput. The benefits of an intranet VPN are as follows:
- Reduced WAN bandwidth costs
- Connect new sites easily
- Increased network uptime by enabling WAN link redundancy across service providers
Building an intranet VPN using the Internet is the most cost-effective means of implementing VPN technology. Service levels, however, are generally not guaranteed on the Internet. When implementing an intranet VPN, corporations need to assess which trade-offs they are willing to make between guaranteed service levels, network ubiquity, and transport cost. Enterprises requiring guaranteed throughput levels should consider deploying their VPNs over a service provider's end-to-end IP network, or, potentially, Frame Relay or ATM.


Internet & IP VPNs


Internet VPN
- Public Internet-based
- Ubiquitous connectivity
- Low cost
- Throughput and latency concerns
- Constrained by lack of inter-ISP SLAs

IP VPN
- Provided by a single ISP that controls all access and backbone facilities
- With QoS control
- Enables SLAs to be delivered/enforced


Extranets
[Diagram: extranet. A business partner's VPN router connects to the main office VPN router through IPsec/GRE tunnels across the Internet/IP; a dial-up business partner reaches the service provider network over the PSTN and is carried to the main office with L2TP/L2F.]

Extending connectivity to corporate partners and suppliers is expensive and burdensome in a private network environment. Expensive dedicated connections must be extended to the partner, management and network access policies must be negotiated and maintained, and often compatible equipment must be installed on the partner's site. When dial access is employed, the situation is equally complicated because separate dial domains must be established and managed. Due to the complexity, many corporations do not extend connectivity to their partners, resulting in complicated business procedures and reduced effectiveness of their business relationships. One of the primary benefits of a VPN WAN architecture is the ease of extranet deployment and management. Extranet connectivity is deployed using the same architecture and protocols utilized in implementing intranet and remote access VPNs. The primary difference is the access permission extranet users are granted once connected to their partner's network.

Choosing a Service Provider Partner

With any VPN implementation scenario, service providers become partners in the solution. The performance of a VPN relies not only on the networking equipment chosen, but also on the service providers providing the WAN bandwidth and dialup facilities for remote access. As such, service providers used for VPN implementation should be chosen carefully. Service providers offer various levels of VPN services, from basic connectivity to completely outsourced solutions. Decisions regarding which aspects of the VPN will be managed in-house or by the service provider should be reviewed in depth when choosing service providers. Ultimately, the service providers chosen are partners in the VPN implementation. Consequently, a strong working relationship and established expectations should be a guiding factor in the overall decision process.


Intranet And Extranet E-VPNs

[Diagram: Main Office connected over Internet / IP, FR, ATM to Remote Offices (Intranet) and to Business Partner, Supplier and Customer (Extranet)]

- Extend connectivity - remote offices, partners
- Lower costs
- Simplify operations
- Enable new applications

26

1 - Platforms

Cisco E-VPN-Optimized Routers

[Diagram: platforms positioned from Telecommuter and Branch through Regional Office to Enterprise Core]

- Cisco 800: Entry-level Cisco IOS, ISDN, one fixed WAN, simple to install
- Cisco 1720: VPN router, 2 WIC slots, 10/100 Enet, future HW encryption
- Cisco 2600: Data, voice and dial, 2 WIC + 1 NM slot, AIM expansion slot, future HW encryption
- Cisco 3600: Data, voice and dial, 2/4 NM slot, future HW encryption
- Cisco 7100 VPN: Integrated I/O features, Firewall feature set
- Cisco 7200 VXR: New 300kpps processor, Multi-Service Interchange
- Cisco 7200: High performance, high density port adapters, 4/6 slot systems, IPSec accelerator, future HW encryption
- Cisco 7500: Distributed architecture

27

The Cisco 1600 and 1720 routers are positioned for Small and Medium-sized Businesses and Small Branch Offices. The Cisco 1720 router is an extension of the Cisco 1600 series, with the same desktop form factor and software feature sets, offering higher functionality at a higher price point. The Cisco 2500 and 2600 routers are positioned as enterprise-class solutions for enterprise branch offices, offering rack-mount for wiring closet environments, internal power supply, optional redundant power supply, Token Ring, high-density WAN, and legacy protocol support (DECnet, VINES, APPN). The Cisco 2500 router continues to be the industry-leading fixed-configuration data router, with strong sales across all geographies. The Cisco 2600 routers support the same software feature sets as the 2500 and 3600 series, providing additional capabilities such as voice and dial services at a higher price point. It offers a flexible, modular solution with higher performance; more WAN density such as dual ISDN Primary Rate Interface (PRI), 10 ISDN BRIs, four T1/E1s, 36 async modem interfaces; and support for voice and dial. These four router families are positioned as two winning pairs:

- Cisco 1600/1720 for Small and Medium-sized Businesses and Small Branch Offices
- Cisco 2500/2600 for Enterprise branch offices

1 - Platforms

Cisco 1720 VPN Router

VPN Access
- Cisco IOS technologies: security, QoS, management, reliability/scalability
- RISC processor for encryption performance
- IPSec DES encryption at 512 Kbps, 256-byte packets
- Future hardware-assisted encryption @ T1/E1

Flexibility
- Autosensing 10/100 Fast Ethernet + two WIC slots + AUX port
- Any combination of current 1600 WICs and 2600 dual serial WICs

Network Device integration
- Router-firewall-encryption-VPN tunnel server-DSU/CSU-NT1
- Part of Cisco Networked Office stack

Global List Price
- With IP and T1/E1 Serial WIC: US $1,595
- With IP and Dual-T1/E1 WIC: US $1,895

28

The Cisco 1720 provides 3 key advantages for small/medium businesses and small branch offices:

VPN Access
- Cisco IOS software, the de facto standard for the Internet and private networks, now extends its leadership to VPNs. It provides superior security, QoS, management, and reliability/scalability.
- The RISC processor on the Cisco 1720 offers encryption performance. IPSec DES encryption performance: 512 Kbps for 256-byte packets.
- There is an internal expansion slot for future hardware-assisted encryption @ T1/E1.

Flexibility
- Autosensing 10/100 Fast Ethernet + two WIC slots + AUX port
- Mix and match any combination of current 1600 WICs and 2600 dual serial WICs on the 2 WIC slots

Network Device integration
- The Cisco 1720 provides all-in-one functionality such as router-firewall-encryption-VPN tunnel server-DSU/CSU-ISDN NT1.
- It is part of the Cisco Networked Office stack, which provides an integrated single-vendor LAN and WAN solution.

Global List Price
- Base chassis with IP software and no WIC cards: US $1,795
- With IP and one-port T1/E1 Serial WIC = US $1,795 + $400 = US $2,195
- With IP and two-port T1/E1 Serial WIC = US $1,795 + $700 = US $2,495


Cisco 7100 Series Integrated VPN Router

Comprehensive, Integrated High-End VPN Solutions

Feature Rich Routing
- Industry leading routing
- World-class Cisco IOS
- Fast Layer 3 routing
- RIP, OSPF, EIGRP, BGP, NHRP, IGRP

Optimized for VPN
- Integrated LAN/WAN
- Range of WAN Services
- Single/Dual homed configurations
- Extensibility

Rich VPN Services
- Security/Tunneling/High-Speed Encryption
- Firewall and Intrusion Detection
- Advanced Bandwidth Management
- Service Level Validation
- VPN Management

29

The Cisco 7100 Series VPN Router is an integrated VPN router designed for larger regional office and headquarters environments. It integrates key features of VPNs to provide VPN solutions for remote access, intranet, and extranet VPNs as discussed on the previous two slides. Key features include:

Feature Rich Routing
- Cisco's industry-leading routing delivered through Cisco IOS, including support for numerous routing protocols and a framework for managing routing and VPN functions

Optimized for VPN
- The Cisco 7100 includes integrated LAN/WAN interfaces for connectivity to the VPN and corporate LAN
- A range of WAN interfaces is included with the Cisco 7100, from 4 T1/E1 to T3/E3 and OC3, available in single and dual interfaces for single- or dual-homed connectivity to the VPN
- The Cisco 7100 has a service module slot to accommodate task-specific VPN service processing modules, like the Integrated Services Module for hardware-assisted encryption and tunneling scalability

Rich VPN Services
- The Cisco 7100 integrates all of the VPN services outlined above in the third column. Integrating these features on a single device reduces the network complexity associated with deploying numerous single-purpose devices, such as firewalls or bandwidth managers, in the network.


Summary of Cisco VPN

- VPNs make sense from a business and technology perspective
- VPNs enable business to refocus their energies on core business objectives instead of networking needs
- VPNs are not an all-or-nothing networking decision
  - Phased approach

30

VPNs make sense from a business and technology perspective. VPNs enable businesses to refocus their energies on core business objectives instead of networking needs, while reducing operations and bandwidth costs. Furthermore, VPNs are not an all-or-nothing network decision. VPNs can be phased into existing private network architectures, offering a flexible migration path for the evolution of private networks. VPN solutions must offer strong security features such as 3DES encryption, scalable tunneling, and packet authentication, as well as transport reliability mechanisms such as WFQ, WRED, GTS, and CAR. VPN solutions must also be interoperable with the existing network infrastructure. Unless each of these features is included in a VPN implementation, the VPN is subject to security and transport reliability issues. The Cisco VPN solution offers an exhaustive feature set to address any security and reliability issues associated with VPN implementations.


Summary of Cisco VPN

- Cisco VPN solutions encompass all segments of networking infrastructure
  - Platforms, Security, Network services, Network appliances, and Management
- Cisco provides the broadest set of VPN service offerings across many different network architectures

31

Cisco VPN solutions encompass all segments of the networking infrastructure (platforms, security, network services, network appliances, and management), thus providing the broadest set of VPN service offerings across many different network architectures. Cisco's support of existing WAN infrastructures is essential in accommodating hybrid network architectures, where users will require access to the VPN from leased line and frame relay as well as IP and Internet VPN connections. Leveraging existing network gear in these deployment scenarios is paramount; wholesale infrastructure replacement to accommodate VPN deployment is infeasible. Cisco VPN solutions enable corporations to deploy VPNs on their existing Cisco networking gear. Cisco's entire line of router platforms is easily VPN-enabled through Cisco IOS software enhancements, thus providing corporations a smooth migration path to a VPN environment. Through Cisco IOS software enhancements, Cisco's installed base of VPN-ready ports numbers nearly 10 million today.


Thank You

32