Understanding Virtual Private Networks
www.cisco.com
Agenda
What Are VPNs?
VPN Technologies
Access, Intranet, and Extranet VPNs
VPN Examples
CSE: Networking Fundamentals - VPNs
VPN
Figure: VPN connecting distant sites such as Paris and Hong Kong
Wider connectivity options
Speed of deployment
Figure: drivers for VPNs: mobile users, telecommuters, increased network flexibility, organizational changes, mergers/acquisitions, extranets, intranets
Businesses with:
Multiple branch office locations
Telecommuters
Remote workers
Contractors and consultants
Networked Applications
Traditional applications: e-mail, database, file transfer
New applications: videoconferencing, distance learning, advanced publishing, voice
Example of a VPN
Private networking service over a public network infrastructure
Figure: Munich main office, Paris office, and Milan office connected over the Internet; a mobile worker dials to Munich over the Internet
VPN Technologies
VPN Technology Building Blocks
Security
QoS
Security
Tunneling: L2F/L2TP
Figure: mobile users, telecommuters, and small remote offices dial into the service provider's POP (LAC) and are tunneled across the SP network/Internet to the home gateway (GW) of the corporate intranet, which consults a security server
1. User identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established
What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private communications over any IP network, including the Internet
Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
Data protected with network encryption, digital certification, and device authentication
Scales from small to very large networks
What Is Internet Key Exchange (IKE)?
Automatically negotiates policy to protect communication
Authenticated Diffie-Hellman key exchange
Negotiates (possibly multiple) security associations for IPSec, for example:
3DES, MD5, and RSA signatures, OR
IDEA, SHA, and DSS signatures, OR
Blowfish, SHA, and RSA encryption
Figure: IKE negotiation between a home gateway router and a remote peer across the public network; the home network's certificate authority/AAA server returns "Authentication Approved"
Figure: L2TP tunnel with an AAA server
Encryption: DES and 3DES
Widely adopted standard
Encrypts plain text, which becomes ciphertext
DES performs 16 rounds
Triple DES (3DES): the 56-bit DES algorithm runs three times
112-bit triple DES includes two keys
168-bit triple DES includes three keys
Accomplished on a VPN client, server, router, or firewall
Firewalls
All traffic from inside to outside and vice versa must pass through the firewall
Only authorized traffic, as defined by the local security policy, is allowed in or out
The firewall itself is immune to penetration
User Authentication
Figure: a dial-in user reaches a network access server over the public network, and an Internet user reaches the campus through a gateway router and firewall; in both cases the ID/user is checked against a profile on an AAA server speaking TACACS+ or RADIUS, which can also intercept connections
Figure: QoS building blocks for VPN tunnels (L2TP, IPSec, GRE) with AAA and CA: packet classification (CAR), traffic policing (CAR) for conforming traffic, congestion avoidance (WRED); service classes voice, premium IP, and best effort
Access, Intranet, and Extranet VPNs
Type | Application | Alternative To | Benefits
Remote access: VPN | Mobile users, remote connectivity | Dedicated dial, ISDN | Ubiquitous access, lower cost
Site-to-site: Intranet VPN | Internal connectivity | Leased line | Extend connectivity, lower cost
Site-to-site: Extranet VPN | Business-to-business, external connectivity | Fax, EDI | Facilitates e-commerce
Access VPNs
Client initiated or NAS initiated
Figure: mobile users, corporate telecommuters, and small offices get ubiquitous access (modem, ISDN, xDSL, cable) through Service Provider A to the enterprise, whose DMZ holds web servers, a DNS server, and an SMTP mail relay, backed by AAA and CA servers; potential operations and infrastructure cost savings
1999, Cisco Systems, Inc.
Mobile Users and Telecommuters
Figure: the dial-in user reaches the service provider POP (NAS), a tunnel is built across the SP network/Internet to the home gateway at the corporate intranet, and a security server authenticates the user
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established
Figure: L2TP access concentrator accepting async and ISDN calls, with AAA servers (RADIUS/TACACS+) at the service provider and at the corporate network
Client-Initiated VPNs
Pros:
Use same hardware for dedicated access
Dedicated encryption hardware in firewall for performance
Cons:
Management of IPSec PC client
Security must be initiated by user
Figure: a user (username@domain) dials into the NAS, which tunnels across the IP network to the home gateway
NAS-Initiated VPNs
Pros:
No PC client software to manage
Premium services
VPN and Internet access at the NAS
More scalable and manageable
Cons:
Users can connect only to certain POPs
Figure: intranet VPN: a remote office and a regional office connect through Service Provider A to the enterprise (AAA, CA, and a DMZ with web servers, a DNS server, and an SMTP mail relay); potential operations and infrastructure cost savings
Figure: extranet VPN: a supplier and a business partner connect through Service Providers A and B to the enterprise (AAA, CA, and a DMZ with web servers, a DNS server, and an SMTP mail relay); extends connectivity to business partners, suppliers, and customers; security policy is very important
Extranet: NAS-initiated, client-initiated, or router-initiated
VPN Examples
Remote Centers
Branch Office or Telecommuters
Challenge: cost-effective means for connecting branch offices and telecommuters to the corporate network
Figure: branch offices or telecommuters connected over the public network to remote centers
Access VPN: cost comparison for 20 users
Item | Traditional dial-in | VPN
Number of users | 20 | 20
Equipment | Remote access server: $3,000 | Access router, T1/E1, DSU/CSU, firewall: $4,600
Client software | | VPN client software ($50/user): $1,000
One-time installation | Fee for 10 phone lines: $1,000 | T1/E1 installation: $5,000
One-time capital cost | $4,000 |
Monthly long-distance charges per minute | $0.10 |
Avg. use per day per user (min) | 90 |
Recurring cost | $5,400 | $2,900 ($2,500 + $400)
VPN Payback
Figure: total cost by month (1 to 12) for the traditional and VPN options, on a $0 to $80,000 scale
Payback in 3 months!!
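To check the figures behind the cost comparison and the payback claim above, here is an added Python example (mine, not the deck's) that recomputes the two cost curves and the break-even month. It assumes a 30-day month (the only value that reproduces the $5,400 recurring figure) and that the VPN one-time cost is the sum of the three listed items; the two VPN recurring line items ($2,500 and $400) stay unlabelled because the slide does not name them.

```python
# Added worked example (not from the Cisco deck): recompute the access-VPN
# cost comparison and the payback month. Assumptions (mine, not the slides'):
# a 30-day month, and the VPN one-time cost being the sum of the three listed
# items; the two VPN recurring line items are unlabelled on the slide.

USERS = 20
DAYS_PER_MONTH = 30          # assumption: 20 * 90 min * $0.10 * 30 = $5,400
CENTS_PER_MINUTE = 10        # $0.10 long-distance charge
MINUTES_PER_USER_PER_DAY = 90

TRADITIONAL_ONE_TIME = {     # dollars, from the slide
    "remote access server": 3000,
    "installation fee, 10 phone lines": 1000,
}
VPN_ONE_TIME = {
    "access router, T1/E1, DSU/CSU, firewall": 4600,
    "VPN client software ($50/user)": 50 * USERS,
    "T1/E1 installation": 5000,
}
VPN_RECURRING = {
    "recurring item 1 (unlabelled on slide)": 2500,
    "recurring item 2 (unlabelled on slide)": 400,
}


def traditional_monthly() -> int:
    """Long-distance charges: users * minutes/day * cents/min * days, in dollars."""
    cents = USERS * MINUTES_PER_USER_PER_DAY * CENTS_PER_MINUTE * DAYS_PER_MONTH
    return cents // 100


def vpn_monthly() -> int:
    return sum(VPN_RECURRING.values())


def cumulative_cost(one_time: int, monthly: int, months: int) -> list:
    """Total spent after 0, 1, ..., months months (the payback chart's curves)."""
    return [one_time + monthly * m for m in range(months + 1)]


def payback_month(months: int = 12):
    """First month at which the VPN's cumulative cost is no higher than dial-in's."""
    trad = cumulative_cost(sum(TRADITIONAL_ONE_TIME.values()), traditional_monthly(), months)
    vpn = cumulative_cost(sum(VPN_ONE_TIME.values()), vpn_monthly(), months)
    for month, (t, v) in enumerate(zip(trad, vpn)):
        if v <= t:
            return month
    return None   # VPN never breaks even within the horizon


if __name__ == "__main__":
    print("traditional/month:", traditional_monthly(), "VPN/month:", vpn_monthly())
    print("payback month:", payback_month())      # 3, matching the slide
```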
Summary
VPNs reduce costs
VPNs improve connectivity
VPNs maintain security
VPNs offer flexibility
VPNs are reliable