Module 12:

Understanding
Virtual Private
Networks
www.cisco.com

1999, Cisco Systems, Inc.

Agenda
What Are VPNs?
VPN Technologies
Access, Intranet, and
Extranet VPNs
VPN Examples
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-2

What Are VPNs?

Service Provider
Shared
Network

Internet, IP, FR, ATM

VPN

Virtual Private Networks (VPNs) extend the classic WAN

VPNs leverage the classic WAN infrastructure, including Ciscos family of VPNenabled routers and policy management tools
VPNs provide connectivity on a shared infrastructure
with the same policies and performance as a private
network with lower total cost of ownership
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-3

Virtual Private Networks

IP Packet
(Private,
Encrypted)
IP Header
(Public)
Internet

Paris

Hong Kong

Extends private network through public Internet

Lower cost than private WAN
Relies on tunneling and encryption
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-4

Why Build a VPN?

Company information
secured
Lower costs
Connectivity costs
Capital costs
Management and
support costs

Wider connectivity
options
Speed of deployment
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-5

Whats Driving VPN Offerings?

Reduced
Networking
Costs

Mobile Users
Telecommuters

Increased
Network
Flexibility

Organizational
Changes
Mergers/
Acquisitions
Extranets
Intranets
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-6

Who Buys VPNs?

Organizations wishing to:
Implement more costeffective WAN solutions
Connect multiple remote sites
Deploy intranets
Connect to suppliers, business
partners, and customers
Get back to their core business,
and leave the WAN to the experts
Lower operational and
capital equipment costs

CSE: Networking FundamentalsVPNs

www.cisco.com

Businesses with:
Multiple branch
office locations
Telecommuters
Remote workers
Contractors and
consultants

1999, Cisco Systems, Inc.

12-7

Networked Applications
Traditional applications
E-mail
Database
File transfer

New applications

CSE: Networking FundamentalsVPNs

Videoconferencing
Distance learning
Advanced publishing
Voice

www.cisco.com

1999, Cisco Systems, Inc.

12-8

Example of a VPN
Private networking service over
a public network infrastructure
Munich Main Office

Paris Office

Internet

New York Office

CSE: Networking FundamentalsVPNs

Mobile
Worker
Dials to Munich
over Internet

Milan Office
www.cisco.com

1999, Cisco Systems, Inc.

12-9

VPN Technologies

1999, Cisco Systems, Inc.

www.cisco.com

1999, Cisco Systems, Inc.

VPN Technology
Building Blocks

Security

QoS

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-11

Security

Tunnels and encryption

Packet authentication
Firewalls and intrusion detection
User authentication

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-12

Tunneling: L2F/L2TP
1. User identification
Mobile users
Telecommuters
Small remote
offices

2. Tunnel to
home gateway

Corporate
Intranet

POP
LAC

SP Network/
Internet

Home
GW

5. End-to-end tunnel
established

Security
Server

4. PPP negotiation
with user
CSE: Networking FundamentalsVPNs

www.cisco.com

3. User authentication

1999, Cisco Systems, Inc.

12-13

What Is IPSec?
Network-layer encryption and authentication
Open standards for ensuring secure private
communications over any IP network, including the
Internet
Provides a necessary component of a standards-based,
flexible solution for deploying a network-wide security
policy
Data protected with network encryption, digital
certification, and device authentication
Scales from small to very large networks

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-15

What is Internet
Key Exchange (IKE)?
Automatically negotiates policy to protect
communication
Authenticated Diffie-Hellman key exchange
Negotiates (possibly multiple) security
associations for IPSec
3DES, MD5, and RSA Signatures,
OR
IDEA, SHA, and DSS Signatures,
OR
Blowfish, SHA, and RSA Encryption

IDEA, SHA, and DSS Signatures

IKE Policy Tunnel

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-16

IPSec VPN Client

Operation
Remote User
with IPSec Client

Public Network

Home Gateway
Router

Home
Network

Secure Tunnel Established

Certificate
Authority/
AAA

Dial Access to Corporate Network

Exchange X.509 or One-Time Password

Authentication Approved

IKE
Negotiation

Encrypted Data flows

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-17

L2TP and IPSec Are

Complementary
IPSec

L2TP

IPSec creates the remote tunnel

L2TP provides tunnel end-point authentication
IPSec maintains encryption
L2TP provides tunnels for non-IP traffic
AAA services and dynamic address like DHCP

CSE: Networking FundamentalsVPNs

www.cisco.com

AAA Server

1999, Cisco Systems, Inc.

12-18

Encryption:
DES and 3DES
Widely adopted standard
Encrypts plain text, which becomes cyphertext
DES performs 16 rounds
Triple DES (3DES)
The 56-bit DES algorithm runs three times
112-bit triple DES includes two keys
168-bit triple DES includes three keys
Accomplished on a VPN client, server, router, or firewall

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-19

Firewalls

All traffic from inside to outside and vice versa must pass through
the firewall
Only authorized traffic, as defined by the local security policy, is
allowed in or out
The firewall itself is immune to penetration

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-20

User Authentication
Network
Access Server
Public
Network
Dial-In User

AAA
ID/User
Server ID/User

TACACS+
RADIUS
S+
C
C A IU S
A
T AD
R
Intercept

Connections

Profile
Profile
ID/User
ID/User
Profile
Profile
ID/User
ID/User
Profile
Profile

Campus

Internet
Internet User

Gateway
Router

Firewall

Centralized security database (AAA services)

High availability
Same policy across many access points
Per-user access control
Single network login
Support for: TACACS+, RADIUS (IETF), Kerberos, one-time password

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-21

VPNs and Quality

of Service
PBX

Tunnel

AAA
CA

Conforming Traffic
Packet
Classification
CAR

Traffic
Policing
CAR

Congestion
Avoidance
WRED

Tunnel
Layer 2TP
IPSec, GRE

Voice
Premium IP
Best Effort
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-22

Access, Intranet,
and Extranet VPNs

1999, Cisco Systems, Inc.

www.cisco.com

1999, Cisco Systems, Inc.

Three Types of VPNs

Time

Type
Remote access

VPN

Application

Alternative To

Mobile users

Dedicated dial

Remote
connectivity

ISDN

Benefits
Ubiquitous
access,
lower cost

Site-to-site

Intranet VPN

Extranet VPN

CSE: Networking FundamentalsVPNs

Internal
connectivity

Leased line

Business-to-business

Fax

External
connectivity

Mail

www.cisco.com

Extend
connectivity,
lower cost

Facilitates
e-commerce

EDI

1999, Cisco Systems, Inc.

12-24

Access VPNs

Client Initiated or
NAS Initiated

Potential
Operations
and
Infrastructure
Cost Savings

Enterprise
AAA
CA

DMZ

Ubiquitous
Access
Modem, ISDN
xDSL, Cable

Service
Provider A
Web Servers
DNS Server
STMP Mail Relay

Small
Office
CSE: Networking FundamentalsVPNs

www.cisco.com

Mobile User
or Corporate
Telecommuter
1999, Cisco Systems, Inc.

12-25

Access VPN Operation

Overview
1. VPN identification

Mobile Users
and
Telecommuters

POP

2. Tunnel to
home gateway

Corporate
Intranet

NAS

SP Network/
Internet

Home
Gateway

5. End-to-end tunnel
established

Security
Server

4. PPP negotiation
with user
CSE: Networking FundamentalsVPNs

www.cisco.com

3. User authentication
1999, Cisco Systems, Inc.

12-26

Access VPN Basic

Components
Dial Client
(PPP Peer)

L2TP Access
Concentrator

L2TP Network Server

(Home Gateway)

ASYNC
ISDN

AAA Server
(RADIUS/TACACS+)
CSE: Networking FundamentalsVPNs

www.cisco.com

AAA Server
(RADIUS/TACACS +)

1999, Cisco Systems, Inc.

12-27

Client-Initiated Access VPN

Internet
Encrypted IP

Corporate
Network

Encrypted tunnel from the remote client to the

corporate network
Independent of access technology
Standards compliant
IPSec encapsulated tunnel
IKE key management
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-28

Client-Initiated VPNs
Pros:
Use same hardware for dedicated access
Dedicated encryption hardware in firewall for
performance

Cons:
Management of IPSec PC client
Security must be initiated by user

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-29

NAS-Initiated Access VPN

username@domain

NAS

Home
Gateway

IP Network

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-30

NAS-Initiated VPNs
Pros:
No PC client software to manage
Premium services
VPN and Internet access at the NAS
More scalable and manageable

Cons:
Users can connect only to certain POPs

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-31

The Intranet VPN

Extends the Corporate
IP Network Across a
Shared WAN

Enterprise
AAA
CA

DMZ

Remote
Office
Service
Provider A

Regional
Office
CSE: Networking FundamentalsVPNs

Potential Operations
and Infrastructure
Cost Savings
www.cisco.com

Web Servers
DNS Server
STMP Mail Relay

1999, Cisco Systems, Inc.

12-32

The Extranet VPN

Supplier

Enterprise

Business
Partner
Service
Provider B

AAA
CA

DMZ

Service
Provider A

Extends Connectivity
to Business Partners,
Suppliers, and Customers

CSE: Networking FundamentalsVPNs

Web Servers
DNS Server
STMP Mail Relay

Security Policy
Very Important
www.cisco.com

1999, Cisco Systems, Inc.

12-33

Intranet and Extranet VPNs

Multiple users, multiple sites, and
potentially multiple companies or multiple
communities of interest
Dedicated connections
Flexible architecture options
IP tunnels with IPSec or GRE
Managed router service with Frame
Relay or ATM virtual circuits
Tag Switching/MPLS
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-34

Comparing the Types

Type

Access VPN Intranet

Extranet

NAS-Initiated

ClientInitiated

RouterInitiated

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-35

VPN Examples

1999, Cisco Systems, Inc.

www.cisco.com

1999, Cisco Systems, Inc.

Health Care Company

Intranet Deployment
ChallengeLow-cost means for connecting
remote sites with primary hospital
Public Network
Remote Center
Primary Hospital
Private Network

Remote Centers
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-37

Branch Office or
Telecommuters
ChallengeCost-effective means for connecting branch
offices and telecommuters to the corporate network

Public Network

IPSec encrypts traffic from

remote sites to the enterprise using any application
IPSec may be combined with other tunnel
protocols, e.g., GRE
Telecommuters can gain secure, transparent access
to the corporate network
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-38

Traditional Dialup Versus

Access VPN
Traditional Dialup

Access VPN

Number of users
Number of users
20
Remote access server $3,000 Access router, T1/E1,
DSU/CSU, firewall
One-time installation
$1,000 VPN client software
($50/user)
fee: 10 phone lines
T1/E1 installation
Monthly long-distance
charges per minute
Avg. use per day, per
user (min)
CSE: Networking FundamentalsVPNs

$0.10
90

Central site T1/E1

Intranet access
Monthly ISP access
($20/user)

www.cisco.com

1999, Cisco Systems, Inc.

20
$4,600
$1,000
$5,000
$2,500
$400

12-39

Traditional Dialup Versus

Access VPN
Traditional Dial-Up

Access VPN

Number of users
Number of users
20
Remote access server $3,000 Access router, T1/E1,
DSU/CSU, firewall
One-time installation
$1,000 VPN client software
($50/user)
fee-10 phone lines
T1/E1 installation
One-time capital cost $4,000
Monthly long distance $0.10
charges per minute
Avg. use per day per
90
user (min)
Recurring cost
CSE: Networking FundamentalsVPNs

$5,400

20
$4,600
$1,000
$5,000

One-time capital cost $10,600

Central site T1/E1
$2,500
Intranet access
Monthly ISP access
$400
($20/user)
Recurring cost

www.cisco.com

1999, Cisco Systems, Inc.

$2,900
12-40

VPN Payback
Total Cost

Traditional

$80,000

VPN

$60,000
$40,000
$20,000
0
1

10

11

12

Month

Payback in 3 months!!
CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-41

Summary
VPNs reduce costs
VPNs improve connectivity
VPNs maintain security
VPNs offer flexibility
VPNs are reliable

CSE: Networking FundamentalsVPNs

www.cisco.com

1999, Cisco Systems, Inc.

12-42

Presentation_ID

1999, Cisco Systems, Inc.

www.cisco.com

43