Managing the Costs and Complexities of VPN Deployment


THE TECHNOLOGY GUIDE SERIES

Managing the Costs and Complexities of VPN Deployment

This Guide has been sponsored by

Can-Do! VPN solutions

Table of Contents

Introduction
The Importance of VPNs to Business
The Advantage of the Internet
The Added Opportunities of Adding Secure VPN Techniques to the Internet Infrastructure
Customer vs. Provider-based VPN Services
Provisioning
Management
Premises-based VPNs: Architecture and Services
VPN Access Node Functions
a) Tunneling Functions
b) Security Functions
c) Firewall Functions
d) Routing and WAN Access Functions
e) QoS Functions
The Benefits of VPN Access Node Integration
Policy-based Management for VPNs
Summary
Glossary
About the Editor

Deploying a VPN solution may lead to technical and operational costs and complexities that must be clearly understood and carefully managed. This guide identifies the key features and benefits of an IP-based VPN, explores alternative strategies for building a VPN, specifies the key requirements for customer premises-based VPN solutions, and assesses the overall benefits of centralized policy management.

About the Editor

Jerry Ryan is a principal at ATG and the Editor-in-Chief of techguide.com. He is the author of numerous technology papers on various aspects of networking. Mr. Ryan has developed and taught many courses in network analysis and design for carriers, government agencies and private industry. He has provided consulting support in the area of WAN and LAN network design, negotiation with carriers for contract pricing and services, technology acquisition, customized software development for network administration, billing and auditing of telecommunication expenses, project management, and RFP generation. Mr. Ryan has been a member of the Networld+Interop Program Committee and the ComNet Steering Committee. He holds a B.S. degree in electrical engineering.

The Guide format and main text of this Guide are the property of The Applied Technologies Group, Inc. and are made available upon these terms and conditions. The Applied Technologies Group reserves all rights herein. Reproduction in whole or in part of the main text is only permitted with the written consent of The Applied Technologies Group. The main text shall be treated at all times as a proprietary document for internal use only. The main text may not be duplicated in any way, except in the form of brief excerpts or quotations for the purpose of review. In addition, the information contained herein may not be duplicated in other books, databases or any other medium. Making copies of this Guide, or any portion, for any purpose other than your own is a violation of United States Copyright Laws. The information contained in this Guide is believed to be reliable but cannot be guaranteed to be complete or correct. Any case studies or glossaries contained in this Guide or any Guide are excluded from this copyright. Copyright 2000 by The Applied Technologies Group, Inc. One Apple Hill, Suite 216, Natick, MA 01760, Tel: (508) , Fax: (508) info@techguide.com Web Site:

Virtual Private Networks (VPN), with their promise of robust IP-based communications, are becoming recognized as another killer application for the Internet. VPNs support secure, private connections among corporate users (the Intranet), business partners (the Extranet), off-site employees (Remote Access) and customers (e-commerce), all using the Internet as the underlying transport facility. The deployment of VPN technologies promises to be the breakthrough that makes the Internet suitable for supporting enterprise networks. And the value of a VPN adds up to more than just cost savings: it opens the door for new business methods and even new business opportunities. But deploying a VPN solution comes with technical and operational complexities that have to be both clearly understood and carefully managed if the VPN is to be a success.

This Technology Guide identifies the key features and benefits of IP-based VPNs and describes alternative strategies for building them. This guide also examines the key requirements for customer premises-based VPN solutions. Finally, as an aspect of delivering secure customer premises-based VPNs, this guide explores the overall benefits of centralized policy management.

Introduction

IP-based VPNs, which are the subject of this Technology Guide, at their most basic level allow the use of the public Internet as a secure foundation for reaching any location that has Internet access. VPNs are becoming an important business communications tool, offering a significant extension to the reach and functionality of today's corporate network. They offer a cost and ease of deployment that is unmatched by previous networking solutions and technologies. These VPNs will come in a variety of models. They could be VPNs built on customer-owned premises equipment and operated and managed privately, or they could be VPNs supplied and managed by public service providers with equipment located either at their public point of presence (POP) or at their customer's premises. Regardless of the implementation, a robust VPN solution must include a range of selectable qualities of service, intelligent and dynamic service provisioning tools and comprehensive security capabilities. The VPN solution must also be scalable in order to meet the needs of large and growing VPN user communities, and assure ease of deployment and operation at the best possible cost. This Technology Guide examines the key elements of a successful VPN implementation and focuses specifically on those secure VPN solutions that are based on customer premises equipment to deliver end-to-end security and SLA management.

The Importance of VPNs to Business

There is no doubt that the Internet provides valuable business opportunities to the enterprise. The various advantages of global access to information via services such as electronic mail and the World Wide Web (WWW) have been well proven. So what additional value can a secure VPN solution offer to end users or service providers that may not otherwise be readily available? The short answer is the opportunity to leverage the Internet for a much broader base of globally accessible corporate e-business applications.

Three specific forms of secure business communications will be enabled by a VPN solution (see Figure 1):

Remote access to the corporate network allows seamless communications for road warriors while retaining high security and ensuring service quality, all at low cost;

Corporate Intranets interconnect local and international offices privately, securely and cost-effectively using Internet facilities that need not be permanently allocated to any specific user;

Extranets (including e-commerce) allow for rapid, low-cost deployment of secure connections between a corporation and its trading partners, suppliers and/or agents, potentially for hundreds or thousands of external parties.

Figure 1: VPN Application Areas (Intranet, Extranet & E-commerce, and Remote Access, all carried as Internet VPNs over the TCP/IP-based Internet)

VPN benefits can be divided into two major categories: the advantages of the Internet itself, and those that accrue from the application of secure VPN techniques to the Internet infrastructure.

The Advantage of the Internet

If circuit cost were of no concern and multiple ports had no cost penalty, dedicated ports and circuits with excess capacity might be the choice for many business applications. Most network operators, however, cannot afford this luxury, especially when traffic volumes are low or long distances are involved. Sharing network resources by using the Internet is definitely more cost-effective than using dedicated facilities. Another consideration in any network solution is scalability. Scalability implies the capacity to extend to large, dynamic populations with varying bandwidth requirements. It would be impossible, for example, for a bank to have dedicated high-capacity links to every other bank with which it deals. Even large companies that do justify a private Intranet cannot provide dedicated links to all their customers and business partners. For most companies, a mix of public and private networks is the only viable answer, especially when e-commerce is involved. Further, the Internet can be accessed from virtually anywhere in the world (ubiquity), with operations and administration supplied by the local Internet Service Provider (ISP). The many issues of network interconnection across ISP boundaries and/or national borders can also be hidden from the user by using an Internet-based infrastructure.

The Added Opportunities of Adding Secure VPN Techniques to the Internet Infrastructure

A common goal of network managers is to preserve the characteristics of a dedicated network for their e-business applications, including well-defined performance expectations and high levels of security, while fully exploiting the cost and convenience advantages of the public Internet. VPNs are considered to be

the best available solution to this challenge. Incentives for deploying VPNs include:

Enhanced Security: A dedicated network is generally viewed as secure simply because of its physical isolation and restricted usage. The openness of the Internet, on the other hand, produces a relatively insecure environment that cannot be trusted. An IP-based VPN overcomes the security limitations of a public network by applying mechanisms such as tunneling, access control, encryption, user authentication and data integrity to each separate group of users. These levels of protection can be tailored to each user's specific needs.

Performance Control: Because they have a private dimension, VPNs can provide well-defined performance and quality characteristics, which can be managed using service level agreements and deployed with clear distinctions among traffic classes. The fact that the underlying resources are shared becomes invisible to the user. Robust VPNs will invoke mechanisms (such as bandwidth management, traffic classification and traffic queuing) in order to control performance at both the underlying trunk level and the individual VPN user level. The types of controls that can be applied can be defined for each individual VPN.

Service Flexibility: A dedicated network is limited by the very fact that it is physically defined: it has fixed capacity, fixed locations and limited configuration flexibility. Adding or deleting sites, installing new physical facilities, changing bandwidth or altering service agreements is time consuming and costly. A VPN, on the other hand, is more flexible since re-configuring the network can be as simple as changing software parameters, with no need to modify the physical network itself.

Ease of Application and Service Integration: Users on one network may need to access a variety of applications or services on different VPNs both within and external to the enterprise. Because VPNs are standards-based, users on one network with the proper permissions and security capabilities can connect to other networks of trading partners and even communicate across different service provider boundaries.

Cost Savings: In addition to the fundamental cost savings associated with using the Internet, sharing network access links to reach many different VPN and non-VPN sites can result in a network that is less expensive to build, operate and administer than an equivalent set of discrete networks. Outsourcing the VPN to a service provider can produce even greater savings.

Not every application requires the privacy and security that is ordinarily provided on a VPN. Electronic mail applications, for example, usually require open access to any other mailbox on the Internet, not just those within a closed user group. To meet the need for open access while still maintaining a degree of privacy, electronic mail security could be applied to the message at the application layer rather than to the packets at the network layer. Another example in which the tight security of a VPN is not required is in accessing sites on the World Wide Web. It is, however, highly desirable to share a common Internet access link in supporting the integrated secure VPN and open communication needs of the enterprise.

Customer vs. Provider-based VPN Services

Obviously, the benefits of using VPN technologies must be balanced against the costs and complexities of implementing the technology. For some companies, owning and fully controlling the network resource will be paramount, while for others, the opportunity to outsource various pieces in order to address some of these complexities will be a priority.

Provisioning

A VPN may be provisioned in one of two distinctly different ways:

A network-based VPN (edge-to-edge configuration, see Figure 2A) is built on edge devices that are located at the service provider's POP, with many customers sharing the same edge equipment. Secure connections are established on behalf of each customer from network edge to network edge. The ability to service many customers from a single POP can afford economies of scale to a VPN managed service provider in VPN engineering, implementation and management. As a result, service providers expect the advantages of this approach to result in lower service provisioning cost and less complexity. The tradeoff in this approach is that service level agreements and security cannot be extended all the way to the customer premises: the access link between the customer site and the provider's POP lies outside the secure tunnels, so traffic on that link travels unprotected unless the customer secures it separately. Another challenge with this approach is that it requires all of the provider's POPs in the network to be constantly updated to meet a customer's changing global VPN service requirements, which can result in new service delays.

A premises-based VPN (CPE-to-CPE configuration) places the VPN access point at the customer premises, protecting the access link by providing end-to-end security and service level control. A premises-based VPN can be built by installing a secure VPN gateway with an existing customer router or by building upon a fully integrated VPN router. This VPN access device can be readily deployed on a global basis, without requiring significant upgrades to the service provider's network infrastructure. In addition, control over this VPN environment can be shared between the user and the provider. A potential problem for premises-based VPNs is their distributed nature, which can increase management complexity for large-scale VPNs. This challenge has driven the development of policy-based management and provisioning for premises-based VPN solutions.

Management

VPNs may also be classified according to who manages the network and its operation:

A service provider-managed VPN is owned and operated by the service provider. The service itself could be network-based or customer premises-based. The important points are that the provider owns the equipment and takes responsibility for equipment management, service provisioning, service quality, and other parameters as dictated by the service definition.

A customer-managed VPN is owned and operated by the enterprise customer, which means it is transparent to the service provider. This type of VPN is typically deployed as a private, end-to-end overlay on the Internet. All parts of this network are covered by the privacy and quality controls built into the VPN by the enterprise network

manager, although a customer-controlled VPN would still depend upon the provider for meeting its committed service level characteristics. In this environment, the customer must also provide the expertise to properly engineer and manage the security requirements, which could add to the overall cost of the network.

A shared-control VPN is typically owned by the service provider and jointly managed by the customer and the service provider. In this environment, the service provider typically manages the hardware and network elements, while the customer manages its own VPN and security policies. This allows both the cost benefits of a provider-controlled solution and the flexibility and control needed in a dynamic enterprise.

Figure 2: Premises- vs. Network-based VPNs (A: network-based, with the VPN access function in the provider's network; B and C: premises-based, with either a VPN gateway beside an access router or an integrated VPN router as the customer premises equipment)

Premises-based VPNs: Architecture and Services

Premises-based VPN solutions have been developing rapidly because of the significant progress within the IETF to solidify the IPSec suite of security standards. Secure, IPSec-based VPNs are currently being deployed to meet a variety of remote access, Intranet or Extranet VPN requirements. Most of the premises-based VPN functionality is implemented in what can be generically called a VPN access node. A VPN access node is an intelligent customer premises device, typically located at the demarcation point between the corporate network (e.g., LAN) and the public Internet. Consolidation of the functions required to implement a VPN into a common VPN access node permits a consistent, coherent approach, resulting in more reliable, more easily managed VPN deployment. The following key functions should be available in this context:

Robust, scalable tunneling in order to create the paths through the public network;
High performance security services in order to avoid bottlenecks and minimize latency;
Data and resource security to allow user data to be fully protected;
A stateful, packet filtering firewall to provide access controls;
Centralized, secure VPN management;
QoS controls (especially bandwidth controls) to differentiate services and enforce SLAs; and
Robust, reliable Internet-scale IP routing and WAN access.

VPN Access Node Functions

The VPN access node must bring together all the elements needed to build a high quality, scalable VPN. The functions of a VPN access node, as illustrated in Figure 3, include the following:

a) Tunneling Functions

The fundamental basis for any VPN is the creation of tunnels through another network, with the Internet being the most popular network of choice. Tunnels separate the details of the container protocols from those of the payload protocols. Several different protocols are being used to provide tunneling functions, including IPSec (for security and Layer 3 tunnels), L2TP (Layer 2 Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol). Packets that are to be forwarded through the tunnel (complete IP packets, header included) are treated as data to be encapsulated and then sent using the tunnel endpoint as the destination. The protocol information that is transferred inside the tunnel is completely separate from the protocols used to support the tunnel service. A VPN can be described as a set of tunnels across a common host network.

b) Security Functions

Security functions that can be applied to a tunnel in order to increase privacy and provide access control include:

Access control using authentication of services, applications and/or resources;
Data authentication and privacy using encryption together with integrity checks (keyed message authentication codes or digital signatures), so that an intercepted message cannot be read and any modification during transit is detected; and
User authentication via challenge/response protocols that verify the identity of the person using the VPN.

Standard security functions and protocols that can be applied to VPNs are being defined by the IETF (the IPSec Working Group). The IPSec standard defines the overall IP packet structure and security associations for VPN communications. The IPSec security standard specifies both the tunneling and encryption functions that are necessary to protect sensitive information while it is being transferred across the public Internet. IPSec provides a robust architecture for secure site-to-site and remote access VPNs. Security can be applied to the VPN in several different ways. Some solutions encrypt the entire packet that is to be transferred through the tunnel, including both the IP header and the user data (IPSec tunnel mode); others encrypt only the data portion, leaving the original IP header visible (IPSec transport mode). VPN security should include support for Internet Key Exchange (IKE), which automatically negotiates security associations among the access nodes. Additional support is desirable for a Public Key Infrastructure (PKI) using X.509 certificates. IPSec is fully complementary to any approach that is chosen for Layer 2 (L2TP and PPTP). Since IPSec operates at the Network Layer, it promises to be more scalable than Layer 2 mechanisms. It is also important that the VPN access node implementation of IPSec be both high performance and interoperable with other implementations.

c) Firewall Functions

Access to the network can be controlled using integrated firewall functions that filter packets according to their source and destination IP addresses, the port numbers being used by each network connection and possibly the type of application. A stateful firewall tracks each permitted connection and removes its entry when the connection is shut down, so that only traffic belonging to an established session is admitted back in. Another function typically associated with a firewall is network address translation (NAT). The NAT function substitutes the access node's public address for the private internal addresses of IP traffic crossing the WAN, thus preventing outsiders from deducing the internal topology of the corporate network. This also allows a single address to be used for all traffic across the VPN. On an integrated access node the order of operations matters: translation has to be applied before a packet is encapsulated in a tunnel (or after it is decapsulated), because the addresses inside a tunnel-mode IPSec packet are encrypted and covered by its integrity check, and any rewrite of them in transit causes the receiving node to reject the packet.

d) Routing and WAN Access Functions

The VPN access node is enhanced if it also includes routing and WAN access services. Since VPNs operate over the Internet, robust and reliable Internet-scale routing services should be provided. For any large scale VPN deployment, routing should be integrated into the same node, thereby simplifying connectivity for large scale global networks. Access to a rich set of frame relay, ATM and PPP WAN services is also required. A robust standards-compliant IP routing solution must include full support for RIP, OSPF, BGP-4 and static routing. For example, reliable access to the Internet is mandatory and is provided through a robust BGP-4 implementation that provides reliable, multihomed connections from the customer premises to the backbone network. Added reliability using the Virtual Router Redundancy Protocol (VRRP), which supports redundant access from the corporate LAN to a primary or back-up default gateway, is also important. Integrated routing also provides a simplified reliability and recovery strategy for secure tunnels. Separate secure tunnels can be directed to alternate routes, assuring that if one route goes away an alternate path is automatically available.

e) QoS Functions

Another set of functions relate to quality of service (QoS) and performance provided by the network. Emulation of a physical network generally requires more than the simple best effort service that the Internet currently offers. This requirement is essentially the same for both VPN and non-VPN users of the Internet, and a significant amount of effort is being devoted to creating standards that support more robust, differentiated services. Several approaches are being proposed and various mechanisms are being incorporated into the network nodes. The goal for a VPN is to offer predictable performance with QoS that meets or exceeds what has been available previously with dedicated networks. QoS is required at two levels:

The underlying network must provide guarantees for the tunnel level (i.e., for the VPN trunks across the Internet backbone) such as would be available if a dedicated circuit were used; and
Bandwidth management must be applied to the VPN so that it is properly shared among the VPN's user applications.

A VPN should take advantage of router-based mechanisms for maintaining contracted levels of QoS whenever possible. Emerging standards such as Differentiated Services (DiffServ) allow end-to-end support for different categories of service. Specific traffic can be given preference over other traffic based on the type of application or user, the location or address of the destination or even the type of protocol. Traffic classification can be used in conjunction with advanced router queuing strategies. Class-Based Queuing (CBQ), for example, classifies the traffic according to rules specified in network policies.
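The tunnel-mode versus transport-mode distinction in (b) and the NAT ordering point in (c) above, as an added worked example that is not code from this Guide or from any vendor's access node. It models the outbound path of an access node and the peer's inbound check using a simplified 9-byte packet header (source, destination, protocol) rather than real IPv4; the subnet, peer table, addresses and keys are assumed values, and an HMAC-SHA256 counter-mode keystream stands in for the ESP cipher that IKE would negotiate.

```python
# Added example, not from the Technology Guide or any vendor's product: a model of
# an access node's outbound path and the peer's inbound check. Headers are a
# simplified 9-byte form (src, dst, proto), not wire-format IPv4. The ESP cipher
# is an HMAC-SHA256 counter-mode keystream standing in for the cipher IKE would
# negotiate; the ICV is truncated HMAC-SHA256. Addresses and keys are assumed.
import hashlib
import hmac
import ipaddress
import struct

ESP = 50                                          # IP protocol number of ESP
LAN = ipaddress.ip_network("10.1.0.0/16")         # assumed local private subnet
GW = "203.0.113.1"                                # assumed access node WAN address
PEERS = {                                         # assumed policy: remote subnet -> (peer gateway, SPI)
    ipaddress.ip_network("10.2.0.0/16"): ("198.51.100.7", 0x1001),
}
ENC_KEY = b"assumed-esp-encryption-key"
AUTH_KEY = b"assumed-esp-authentication-key"


def ip_header(src, dst, proto):
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + bytes([proto])


def parse(pkt):
    """Split a packet into (src, dst, proto, payload)."""
    return (str(ipaddress.ip_address(pkt[0:4])), str(ipaddress.ip_address(pkt[4:8])),
            pkt[8], pkt[9:])


def keystream(spi, seq, n):
    """Deterministic per-(SPI, sequence) keystream; the sequence number is the nonce."""
    blocks = [hmac.new(ENC_KEY, struct.pack(">IIQ", spi, seq, ctr), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def esp_seal(spi, seq, plaintext):
    """ESP body: SPI(4) | sequence(4) | ciphertext | ICV(16)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(spi, seq, len(plaintext))))
    hdr = struct.pack(">II", spi, seq)
    return hdr + ct + hmac.new(AUTH_KEY, hdr + ct, hashlib.sha256).digest()[:16]


def esp_open(esp):
    """Return the protected plaintext, or None when the ICV fails (packet is dropped)."""
    hdr, ct, icv = esp[:8], esp[8:-16], esp[-16:]
    if not hmac.compare_digest(icv, hmac.new(AUTH_KEY, hdr + ct, hashlib.sha256).digest()[:16]):
        return None
    spi, seq = struct.unpack(">II", hdr)
    return bytes(c ^ k for c, k in zip(ct, keystream(spi, seq, len(ct))))


def tunnel_mode(pkt, spi, seq, peer):
    """Tunnel mode: the whole inner packet, header included, is encrypted behind a new outer header."""
    return ip_header(GW, peer, ESP) + esp_seal(spi, seq, pkt)


def transport_mode(pkt, spi, seq):
    """Transport mode: the original header stays in the clear; only the payload is protected."""
    src, dst, proto, payload = parse(pkt)
    return ip_header(src, dst, ESP) + esp_seal(spi, seq, bytes([proto]) + payload)


def source_nat(pkt):
    """Rewrite a private source address to the node's public address."""
    src, dst, proto, payload = parse(pkt)
    public = GW if ipaddress.ip_address(src) in LAN else src
    return ip_header(public, dst, proto) + payload


def outbound(pkt, seq=1):
    """Node policy: destinations behind a VPN peer are tunnelled untranslated (the
    private addresses must survive end to end); all other traffic is NATed and sent
    in the clear over the same access link."""
    dst = ipaddress.ip_address(parse(pkt)[1])
    for net, (peer, spi) in PEERS.items():
        if dst in net:
            return "vpn", tunnel_mode(pkt, spi, seq, peer)
    return "internet", source_nat(pkt)


def inbound_vpn(wire):
    """Peer side: decapsulate and return the inner packet, or None if it was tampered with."""
    outer_src, outer_dst, proto, esp = parse(wire)
    return esp_open(esp) if proto == ESP else None


def rewrite_in_transit(wire, offset):
    """A device on the path flipping one byte, e.g. trying to translate the inner source."""
    b = bytearray(wire)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    inner = ip_header("10.1.5.5", "10.2.9.9", 6) + b"GET / HTTP/1.0"
    kind, wire = outbound(inner)
    print(kind, inbound_vpn(wire) == inner, inbound_vpn(rewrite_in_transit(wire, 17)))
```

Run stand-alone, the script shows the packet bound for the partner subnet leaving as a tunnel-mode ESP datagram whose inner addresses are not visible on the wire, being recovered intact by the peer, and being rejected once any byte of the protected part (offset 17 is the inner source address) has been changed on the way; traffic for other destinations takes the NAT path instead.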
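Class-based link sharing of the kind CBQ performs, as an added example that is not from this Guide or from any product: policy rules classify packets and assign a DiffServ code point at the ingress node, and the allocation function gives every class its guaranteed share of the access link while lending bandwidth that a class leaves idle to the classes that still have demand. The rules, classes, shares, DSCP values and link rate are assumed illustrative policy.

```python
# Added example, not from the Technology Guide or any product: policy-driven
# classification with DiffServ marking at the ingress node, then a CBQ-style
# link-sharing allocation. Rules, classes, shares, DSCP values and the link
# rate are assumed.
import ipaddress

LINK_KBPS = 1536                  # assumed T1-sized access link

# Assumed policy rules, evaluated in order; the first match wins.
RULES = [
    {"proto": "udp", "dport": 5060, "cls": "voice"},
    {"dst_net": "10.2.0.0/16", "cls": "vpn-intranet"},   # everything bound for the partner site
    {"proto": "tcp", "dport": 80, "cls": "web"},
]
DEFAULT_CLASS = "best-effort"

# Guaranteed share of the link per class, and the DSCP the ingress node writes.
CLASSES = {
    "voice": {"share": 0.20, "dscp": 46},          # EF
    "vpn-intranet": {"share": 0.40, "dscp": 26},   # AF31
    "web": {"share": 0.25, "dscp": 0},
    "best-effort": {"share": 0.15, "dscp": 0},
}


def classify(pkt):
    """Map a packet (dict with proto, dport, dst) to a traffic class."""
    dst = ipaddress.ip_address(pkt["dst"])
    for rule in RULES:
        if "proto" in rule and rule["proto"] != pkt["proto"]:
            continue
        if "dport" in rule and rule["dport"] != pkt["dport"]:
            continue
        if "dst_net" in rule and dst not in ipaddress.ip_network(rule["dst_net"]):
            continue
        return rule["cls"]
    return DEFAULT_CLASS


def mark(pkt):
    """Return a copy of the packet with its class and DSCP filled in."""
    cls = classify(pkt)
    return dict(pkt, cls=cls, dscp=CLASSES[cls]["dscp"])


def offered_load(packets, window_s=1.0):
    """Aggregate a window of packets (each with a byte count) into per-class demand in kbit/s."""
    load = {}
    for p in packets:
        cls = mark(p)["cls"]
        load[cls] = load.get(cls, 0.0) + p["bytes"] * 8 / 1000 / window_s
    return load


def link_share(demand_kbps, link_kbps=LINK_KBPS):
    """CBQ-style allocation: every class may use up to its guaranteed share; capacity
    a class leaves idle is lent to classes still short of their demand, split in
    proportion to their shares, until the link is full or all demand is met."""
    alloc = {c: 0.0 for c in CLASSES}
    unsatisfied = {c for c in CLASSES if demand_kbps.get(c, 0) > 0}
    remaining = float(link_kbps)
    while unsatisfied and remaining > 1e-9:
        total_share = sum(CLASSES[c]["share"] for c in unsatisfied)
        for c in list(unsatisfied):
            offer = remaining * CLASSES[c]["share"] / total_share
            alloc[c] += min(offer, demand_kbps[c] - alloc[c])
            if alloc[c] >= demand_kbps[c] - 1e-9:
                unsatisfied.discard(c)
        remaining = link_kbps - sum(alloc.values())
    return {c: round(v, 2) for c, v in alloc.items()}


if __name__ == "__main__":
    print(mark({"proto": "udp", "dport": 5060, "dst": "192.0.2.5"}))
    print(link_share({"voice": 100, "vpn-intranet": 900, "web": 500, "best-effort": 400}))
    print(link_share({"voice": 50}))
```

With the link oversubscribed (1,900 kbit/s offered against 1,536 available) voice receives its full 100 kbit/s because that is below its guarantee, and the 207 kbit/s it does not use is redistributed to the three saturated classes in the ratio of their shares; with only voice active it simply takes all it asks for, which is the borrowing behaviour that makes shared access links usable for both VPN and open Internet traffic.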

Individual applications, subnets, or users receive an amount of bandwidth that is tailored to their specific needs. Bandwidth management can be applied to each traffic class in real time, with minimal processing delay, and with traffic flows mapped to an appropriate level of service. For VPNs this can be applied at two levels: to the packets that are being tunneled and to the VPN tunnel. Each packet can be assigned a class of service, a priority or a discard eligibility marker by the source (or more often by the ingress node) and this information can be used by the network nodes for access control, shaping, congestion avoidance and queuing purposes.

Most of the functions described in this section have been used in today's standard IP-based networks. Each is often implemented in a separate device: route processing and switching in a router; security in a firewall and/or a router; QoS in the end system or in a dedicated bandwidth management device, and so on. Even protocol encapsulation can be viewed as a primitive form of tunneling. Since each of these functions needs to be managed and controlled, preferably in combination, there are advantages to an integrated solution combined with advanced, policy-based management support.

The Benefits of VPN Access Node Integration

The services provided by a VPN platform must exhibit the reliability, scalability and manageability that are required for any large scale IP VPN solution. This means VPN functions should be implemented in a consistent and coordinated manner, using a tightly integrated IP-based system architecture that is designed for high performance packet processing. In addition to raw performance, the VPN platform must support flexible service definitions and controls that allow each specific type of application to be accommodated. Choosing an integrated platform that offers sustained performance, high availability, ease of management and superior price/performance is the obvious answer for both enterprise users and service providers. Figure 3 illustrates the different components that would be combined into an integrated access node.

Figure 3: VPN Access Node Components (firewall, QoS, router and IPSec functions combined in the access node at each site, connected across the public Internet to a service router that also carries IPSec and QoS functions)

An integrated VPN platform offers a number of important benefits:

Reliability: Early VPN implementations were assembled from many separate internetworking devices, including routers, bandwidth managers, gateways and firewalls. Unfortunately, component-based systems introduce additional points of failure that are often hard to avoid (or at least are expensive) and which reduce overall reliability. If any one of these components fails, the entire communication path may be lost or severely compromised. Combining all the necessary VPN functions into a single box and adding advanced redundancy features (such as multi-homed connections and reliable router recovery mechanisms) is a far more robust solution.

Technical Integration: Discrete components need to be chained together to create a complete VPN solution. This can lead to technical

problems such as increased latency (each box introduces a delay) and performance mismatches that compromise the scale of the entire solution. The use of multiple components often leads to a multi-vendor environment in which device interoperability may not have been fully tested. An integrated platform in which all of the functions are engineered to work together is less likely to have compatibility problems.

Scalability: Close integration of security, routing, and QoS functions allows the network to scale to larger sizes than would be possible if separate components were required. Configuration complexities are reduced as functions are naturally integrated and supported by a single user interface. Advanced features such as integrated routing further reduce complexity by allowing, for example, the use of dynamic routing to discover the secure tunnels that are available to a VPN user.

Management Simplification: Discrete single function components can also add considerable complexity to the operation and management of the VPN. Different support systems would need to be learned and coordinated for each of the components. Reducing the number of separate configuration tasks reduces the configuration errors that cause outages. An integrated management system can eliminate configuration mismatches, missing alarm correlation and similar problems. Complications also arise when the distinct devices have different owners or administrators. An integrated VPN platform, with a similarly integrated element management system, allows a simpler and more powerful network management framework.

Cost Savings: Combining multiple devices onto a single platform also reduces the total hardware and software cost. Integration of packaging and power supplies reduces duplication and allows common tasks and data to be shared. Inter-component interfaces can be eliminated (or at least can be built directly into the software). An integrated VPN platform also requires less physical space, less power and less cabling, all of which result in lower total cost of operation. An integrated platform will also be covered by a single vendor's support and maintenance contract, providing the savings from one-stop shopping.

Policy-based Management for VPNs

Building and operating a VPN requires a strong, centrally managed provisioning capability that is policy-enabled. Each site in a VPN must be separately profiled, with all of the details that typically need to be considered when users move, when their membership requirements change or when the underlying physical networks are redesigned. In fact, it is the complexity of deploying and managing VPNs, especially when discrete components are being used, that has thus far been a major inhibitor. The emergence of policy-based network management solutions promises to solve this issue. Major management challenges have included the time, cost and expertise required to create large numbers of secure tunnels between participating sites or between a central site and large numbers of remote clients. Each pair of subnets that needs to communicate securely over the Internet must have a secure tunnel defined. As an example, a large corporation might require the sales departments in each major North American city to be interconnected in a full mesh configuration, with potentially hundreds or thousands

12 of separate tunnels. Manual or semi-automated VPN design techniques require expert network designers, are quite time consuming and are prone to error. Moves, adds and changes can add considerably to the overall workload and can be disruptive to the service. For a large network, the management overhead can easily outweigh the advantages of implementing VPN technologies. Similarly, the process of creating, distributing and managing tunnel parameters at remote clients is complex. Another management challenge is to ensure accuracy and consistency in matching user requirements (as expressed by the service level agreement) to VPN profiles. At its simplest, the source and destination VPN configurations must be compatible and loading them into the access nodes must be coordinated. Integrating the access nodes with QoS controls that are available within the network adds additional complexity, especially in a multi-vendor environment. Centralized, policy-based management systems can dramatically reduce the time it takes to design and deploy a VPN-based infrastructure. By providing central control over VPN provisioning, new users and sites can be added (or modified) quickly and efficiently with much less chance of error than would otherwise be possible. This increases the scale of operations and range of customers that can be handled by a VPN administrator (and hence the profitability of a managed service). In general, the level of expertise required is also reduced since many of the configuration rules can be embedded in the policy workstation. 
Examples of the VPN design details that must be planned in advance, checked for correctness and distributed to all access nodes in the network include:
- membership in the VPN, which is usually restricted to specific users, groups or applications, must be defined;
- access points for VPN users and for external gateways must be specified, since not all physical network points of presence will necessarily be included in the VPN;
- security and tunneling requirements must be determined and the protocols to be used need to be invoked;
- routing information and/or constraints may be required;
- performance and QoS specifications must be used to activate specific network mechanisms.

A centralized, policy-based approach to VPN planning and design can eliminate many of the administrative headaches. The VPN administrator centrally defines the members of the VPN and matches these to access node locations (i.e., their IP addresses) using the policy workstation and management databases or directory services. Profiles are then developed that specify policies covering all the features that may be necessary. Examples of this type of decision include the type of encryption needed, the type of authentication to be used and the tunnel topology of the VPN itself. Centralized definition of VPN profiles establishes a database to track network information, enables creation of standard policies and profiles that can be re-used, and facilitates validity and consistency testing. Agreed-upon VPN profiles must then be translated into specific access node device configurations and these must be distributed for implementation (using, for example, an SNMPv3 session with authentication and privacy enabled between the management system and the access node). The management system thereby becomes the most sensitive element of the VPN: it holds every site's policy and can reconfigure every access node, so it needs at least the same hardening, access control and audit logging as the access nodes, and an access node should accept configuration only from an authenticated management station. Using a VPN management system, scalability need no longer be a show stopper. Hundreds of VPNs can be supported from a single management workstation and multiple users can share a single management system.
Large-scale Internet VPN service deployment becomes much more practical when suitable operations, administration, maintenance, and provisioning tools are readily available.
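As an added example of the provisioning logic described in this section (it is not code from the guide or from any vendor's management product), the following Python script takes one central profile, expands it into the per-access-node tunnel tables for a full mesh or hub-and-spoke topology, and runs the validity and consistency checks a policy system would apply before distributing anything. The site names, addresses, subnets and profile values are constructed for illustration, and the tunnel-table layout is a hypothetical one, not any device's configuration syntax.

```python
"""Added example, not from the guide: expand one central VPN profile into
per-access-node tunnel tables and check them for consistency before they are
pushed. Sites, addresses, subnets and profile values are constructed."""
import copy
from itertools import combinations

# Constructed inventory: three sales offices in the "sales" VPN, one lab site
# that is not. node_ip is the public address of the site's access node.
SITES = {
    "nyc": {"node_ip": "192.0.2.10", "subnet": "10.1.0.0/16", "groups": {"sales"}},
    "chi": {"node_ip": "192.0.2.20", "subnet": "10.2.0.0/16", "groups": {"sales"}},
    "dal": {"node_ip": "192.0.2.30", "subnet": "10.3.0.0/16", "groups": {"sales"}},
    "lab": {"node_ip": "192.0.2.40", "subnet": "10.9.0.0/16", "groups": {"eng"}},
}
# One re-usable profile: encryption, authentication, tunnel protocol and
# topology are decided once and every tunnel in the group inherits them.
SALES_MESH = {"group": "sales", "topology": "mesh", "hub": None,
              "encryption": "3des", "auth": "hmac-sha1", "tunnel": "ipsec-esp"}


def members(sites, group):
    """Access nodes that belong to a VPN group, in a stable order."""
    return sorted(name for name, site in sites.items() if group in site["groups"])


def tunnel_count(n_sites, topology):
    """Tunnels a topology needs: n(n-1)/2 for a full mesh, n-1 for hub-and-spoke."""
    return n_sites * (n_sites - 1) // 2 if topology == "mesh" else max(n_sites - 1, 0)


def plan_tunnels(sites, profile):
    """Site pairs that get a tunnel under the profile's topology."""
    names = members(sites, profile["group"])
    if profile["topology"] == "mesh":
        return list(combinations(names, 2))
    hub = profile["hub"]
    if hub not in names:
        raise ValueError("hub %r is not a member of group %r" % (hub, profile["group"]))
    return [(hub, spoke) for spoke in names if spoke != hub]


def render_node_configs(sites, profile):
    """Translate the profile into the tunnel table each access node loads. Both
    ends of every tunnel come from the same profile, which is what keeps the
    source and destination configurations compatible."""
    configs = {name: [] for name in members(sites, profile["group"])}
    for a, b in plan_tunnels(sites, profile):
        for local, peer in ((a, b), (b, a)):
            configs[local].append({
                "peer": peer, "peer_ip": sites[peer]["node_ip"],
                "local_subnet": sites[local]["subnet"],
                "remote_subnet": sites[peer]["subnet"],
                "encryption": profile["encryption"], "auth": profile["auth"],
                "tunnel": profile["tunnel"]})
    return configs


def check_consistency(configs, sites):
    """Checks a policy system runs before distributing anything: every tunnel
    must point at a member node, have a matching entry at the far end, and
    agree with it on protocol, encryption, authentication and addressing."""
    problems = []
    for local, tunnels in configs.items():
        for t in tunnels:
            peer = t["peer"]
            if peer not in configs:
                problems.append("%s: peer %s is not a member of the VPN" % (local, peer))
                continue
            reverse = [u for u in configs[peer] if u["peer"] == local]
            if not reverse:
                problems.append("%s->%s: no reverse tunnel defined at %s" % (local, peer, peer))
                continue
            if local > peer:
                continue  # compare each pair once, from the lower-named end
            u = reverse[0]
            for key in ("tunnel", "encryption", "auth"):
                if t[key] != u[key]:
                    problems.append("%s<->%s: %s mismatch (%s vs %s)"
                                    % (local, peer, key, t[key], u[key]))
            if t["remote_subnet"] != u["local_subnet"] or t["peer_ip"] != sites[peer]["node_ip"]:
                problems.append("%s->%s: address or subnet mismatch" % (local, peer))
    return problems


def simulate_manual_drift(configs):
    """The failure mode hand provisioning invites: one end of one tunnel is
    edited by hand (here chi's first tunnel is downgraded to single DES)."""
    drifted = copy.deepcopy(configs)
    drifted["chi"][0]["encryption"] = "des"
    return drifted


if __name__ == "__main__":
    cfg = render_node_configs(SITES, SALES_MESH)
    print("tunnels:", len(plan_tunnels(SITES, SALES_MESH)),
          "(a 50-site mesh would need %d)" % tunnel_count(50, "mesh"))
    print("clean:", check_consistency(cfg, SITES))
    print("after drift:", check_consistency(simulate_manual_drift(cfg), SITES))
```

Run directly, it prints the tunnel count for the three-site mesh (and what a 50-site mesh would need), an empty problem list for the generated tables, and a single encryption mismatch once one end of one tunnel has been hand-edited. Generating both ends from one profile is what makes the consistency check pass by construction; the check exists to catch exactly the drift that creeps in when nodes are edited individually.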

Summary

VPN technologies are designed to provide the appearance of a dedicated network despite the use of shared resources for physical connectivity. IP-based VPNs offer a standard way to exploit the benefits of the public Internet without giving up the security, reliability and performance that dedicated networks deliver. VPNs open up new opportunities for implementing e-business applications, for extending customer access worldwide, and for connecting remote employees to corporate resources. The deployment of VPNs is expected to be a major enabler for business use of the Internet. VPN-specific functions include VPN gateway, firewall, QoS, and routing services, each of which needs to be carefully integrated to ensure optimal performance, reliability, and scale. The ability to manage and scale the VPN is also critical to the success of the solution, and policy-based management will be a necessity, especially in deploying large-scale VPNs.

Glossary

Border Gateway Protocol (BGP): The standard IP routing protocol for exchanging routes between autonomous systems.

Certificate: A package of information, digitally signed by a trusted authority (the Certificate Authority, CA), that binds a public key to its owner. It usually consists of an identifier field, a public key field, a serial number, activation and expiration dates and a signature field. ITU-T X.509 defines the standard format for these certificates (in ASN.1).

Certificate Authority (CA): A trusted entity that issues and revokes public key certificates for users and network elements.

Challenge Handshake Authentication Protocol (CHAP): Part of the PPP suite, an authentication protocol with which a remote access device authenticates users. It is more secure than PAP because the password is never sent over the link: the authenticator sends a random challenge and the peer returns an MD5 hash of the challenge and the shared secret. Two caveats: the authenticator must store the secret in plaintext, and an eavesdropper who captures one challenge/response pair can test password guesses offline.

CPE (Customer Premises Equipment): Equipment installed on the customer premises.

Data Encryption Standard (DES): A symmetric block cipher, standardized by NIST, that encrypts and decrypts with a secret 56-bit key. A 56-bit DES key was publicly recovered by brute force in 1998, so single DES should not be relied on for confidentiality.

Decrypt: The process of turning encrypted data back into readable data using the decryption key.

3DES (Triple DES): An enhancement to DES that applies DES three times (encrypt, decrypt, encrypt) with three 56-bit keys, 168 key bits in all, for added security. Effective strength against the best known attack is 112 bits.

Dial-in: The process of initiating a call from a device, using dial-in client software and a modem, to attach to a remote network.

Dial-out: The process of initiating a call from a networked device, using dial-out client software and a modem, to attach to a remote service.

DiffServ: Redefines the Type of Service (TOS) byte of the IPv4 header as the Differentiated Services field; the six-bit DSCP value it carries selects the per-hop behavior (PHB) that routers apply to the datagram.

Encryption: Transformation of data into unreadable data through a cryptographic transformation using a key. Decryption reverses the transformation, using a key, to recover the meaningful data.

Encryption Control Protocol (ECP): Used to negotiate the use of encryption on PPP links.

Extranet: A connection between different companies for exchanging commercial data, typically over a dial-up line, private line, Frame Relay, ATM or secure VPN connection.

Home Gateway (HG): A device that terminates an L2F tunnel and the PPP sessions transported over it.

IKE (Internet Key Exchange): The IPSec key management protocol. It authenticates the two tunnel endpoints (by pre-shared secret or certificate), runs a Diffie-Hellman exchange and negotiates the security associations and session keys the tunnel uses. Session keys are derived independently at both ends rather than transmitted.

Internet: A collection of networks and gateways that use the TCP/IP protocol suite and function as a single, co-operative network. When the term Internet is capitalized, it specifically refers to the worldwide, interconnected group of networks and gateways that use the TCP/IP suite of protocols to communicate.

IETF (Internet Engineering Task Force): An association of interested parties that works to provide standards for IP-based technologies.

Internet Protocol (IP): Part of the TCP/IP suite, a protocol that provides a connectionless internetwork service.

Internet Protocol Security (IPSec): A suite of IETF protocols (AH, ESP and IKE) that provide data confidentiality, integrity, origin authentication, key management and tunneling at the IP layer. It is one method that can be used to provide a secure VPN over the Internet.

Internet Service Provider (ISP): A communications company that provides access to the Internet.

L2TP Access Concentrator (LAC): The access-side device in an L2TP VPN. The LAC terminates the modem, ISDN or other access call and tunnels the PPP traffic over an L2TP tunnel to the L2TP Network Server (LNS).

L2TP Network Server (LNS): A device that terminates an L2TP tunnel and the PPP sessions transported over it.

Layer 2 Forwarding (L2F): A Cisco-originated tunneling system that allows PPP sessions to be transported between data communication access wholesalers (such as a Regional Bell Operating Company) and Service Providers.

Layer 2 Tunneling Protocol (L2TP): A tunneling system developed by the IETF as a convergence of PPTP and L2F, allowing PPP sessions to be transported between data communication access wholesalers (such as a Regional Bell Operating Company) and an organization such as a Service Provider or a corporation.

Network Access Server (NAS): The access-side device in an L2F VPN. The NAS terminates the modem, ISDN or other access call and tunnels the PPP traffic over an L2F tunnel to the Home Gateway (HG).

Network Address Translation (NAT): A mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. DIAT and IPX DIAT are forms of NAT. It is also used to obscure the IP addresses of an organization's internal network. Note that NAT rewrites the IP header that IPSec AH authenticates, so AH traffic cannot cross a NAT device, and port-translating NAT cannot multiplex ESP (which has no port numbers) without NAT-traversal support; VPN tunnels are normally terminated on or outside the NAT device.

OSPF (Open Shortest Path First): A link-state interior gateway routing protocol for IP networks.

PKI (Public Key Infrastructure): The certificate authorities, registration procedures, certificate format (X.509), revocation mechanisms and policies needed to issue and validate public key certificates. A PKI is what lets VPN endpoints authenticate each other with certificates instead of pre-shared secrets.

PPTP: A protocol, developed by a Microsoft-led vendor consortium, to transport PPP from remote clients over a public network to their corporate site.

PPTP Access Concentrator (PAC): A device used as part of a PPTP VPN. The PAC acts as a modem or an ISDN termination device, provides call termination, and tunnels the PPP traffic over a PPTP tunnel to the PPTP Network Server (PNS).

PPTP Network Server (PNS): A device that terminates a PPTP tunnel and the PPP sessions transported over it.

QoS (Quality of Service): A generic term for the process of treating and measuring data traffic according to its importance.

Routing Information Protocol (RIP): A distance-vector routing protocol in the TCP/IP and IPX suites that allows gateways and hosts to exchange information about routes to various networks. Devices use RIP over IP and IPX to exchange routing information with other routers and to update their routing tables.

Transmission Control Protocol/Internet Protocol (TCP/IP): A suite of protocols used to provide a transport service in networks. The Internet uses TCP/IP.

Tunnel: A virtual communication channel established over the Internet or another shared medium, through which encapsulated data packets are exchanged.

Tunneling: The technique of encapsulating one protocol within another, such as IPX within IP. In the context of security it refers to encapsulating (and, with IPSec ESP in tunnel mode, encrypting) an entire IP packet inside another IP packet, so that the inner addresses and payload are protected in transit.

Virtual Private Network (VPN): A combination of software and hardware components that use public networks to create what appears to be a private network.

X.509: The defined structure for a certificate. Main fields are the serial number, issuer, subject, validity dates, public key and CA signature.
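The CHAP entry above says the secret never crosses the link. As an added example (not from the guide), the following Python reproduces the RFC 1994 calculation on both sides of the exchange and then plays the eavesdropper, to show both the property and its limit: the response is MD5 over the one-octet identifier, the secret and the public challenge, so one captured pair is enough to test password guesses offline. The secret, the fixed challenge bytes and the word list are constructed.

```python
"""Added example, not from the guide: the CHAP (RFC 1994) challenge/response
computation, its verification, and the offline guessing attack an eavesdropper
can run against a captured pair. Secret, challenge and wordlist are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Response Value per RFC 1994: MD5 over the one-octet Identifier, the
    shared secret and the Challenge Value, concatenated in that order."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Authenticator side: recompute the expected value from its stored copy of
    the secret (CHAP needs the plaintext secret on the server) and compare in
    constant time. A response bound to a different challenge or identifier fails."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret, identifier=1, challenge=None):
    """One round of the protocol: authenticator issues a challenge (random unless
    supplied), peer answers, authenticator checks. Returns (challenge, response,
    accepted). The fresh challenge per round is what defeats replay."""
    if challenge is None:
        challenge = os.urandom(16)
    response = chap_response(identifier, secret, challenge)
    return challenge, response, chap_verify(identifier, secret, challenge, response)


def crack_chap(identifier, challenge, response, wordlist):
    """Eavesdropper's offline dictionary attack on a captured pair. The challenge
    is public, so every guess costs a single MD5; returns the secret or None."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    secret = b"summer99"  # constructed weak secret
    chal, resp, ok = chap_exchange(secret)
    print("accepted:", ok)
    print("same response replayed against a new challenge:",
          chap_verify(1, secret, os.urandom(16), resp))
    print("recovered by eavesdropper:",
          crack_chap(1, chal, resp, [b"password", b"summer99", b"letmein"]))
```

The script accepts the genuine response, rejects the same response replayed against a new challenge, and then recovers the weak secret from a three-word list using nothing but the captured challenge and response. That is why CHAP secrets need the entropy of a key rather than a password when the link is observable, and why the PPP encryption negotiated by ECP does not help here, since CHAP runs before it.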


About Lucent

Lucent Technologies, headquartered in Murray Hill, NJ, designs, builds and delivers a wide range of public and private networks, communications systems and software, data networking systems, business telephone systems and microelectronics components. Bell Labs is the research and development arm for the company.

This Technology Guide is one in a series of topic-focused Guides that provides a comprehensive examination of important and emerging technologies. This series of Guides offers objective information and practical guidance on technologies related to Communications & Networking, the Internet, Computer Telephony, Document Management, Data Warehousing, Enterprise Solutions, Software Applications, and Security. Built upon the extensive experience and ongoing research of our writers and editorial team, these Technology Guides assist IT professionals in making informed decisions about all aspects of technology development and strategic deployment. techguide.com is supported by a consortium of leading technology providers. Lucent has lent its support to produce this Guide. Visit our Web site to view and print this Guide, as well as all of our other Technology Guides. This is a free service.


More information

Why Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs

Why Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs Why Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs P/N 500205 July 2000 Check Point Software Technologies Ltd. In this Document: Introduction Page 1 Integrated VPN/firewall Page 2 placed

More information

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer Other VPNs TLS/SSL, PPTP, L2TP Advanced Computer Networks SS2005 Jürgen Häuselhofer Overview Introduction to VPNs Why using VPNs What are VPNs VPN technologies... TLS/SSL Layer 2 VPNs (PPTP, L2TP, L2TP/IPSec)

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

MPLS VPN Technology. Overview. Outline

MPLS VPN Technology. Overview. Outline MPLS VPN Technology Overview This module introduces Virtual Private Networks (VPN) and two major VPN design options overlay VPN and peer-to-peer VPN. VPN terminology and topologies are introduced. The

More information

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region VPN SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the

More information

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection: Table of Content I. What is VPN?... 2 II. Types of VPN connection... 2 III. Types of VPN Protocol... 3 IV. Remote Access VPN configuration... 4 a. PPTP protocol configuration... 4 Network Topology... 4

More information

Executive Summary and Purpose

Executive Summary and Purpose ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on

More information

GR2000: a Gigabit Router for a Guaranteed Network

GR2000: a Gigabit Router for a Guaranteed Network Hitachi Review Vol. 48 (1999), No. 4 203 GR2000: a Gigabit Router for a Guaranteed Network Kazuo Sugai Yoshihito Sako Takeshi Aimoto OVERVIEW: Driven by the progress of the information society, corporate

More information

Securing an IP SAN. Application Brief

Securing an IP SAN. Application Brief Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.

More information

Multi Protocol Label Switching (MPLS) is a core networking technology that

Multi Protocol Label Switching (MPLS) is a core networking technology that MPLS and MPLS VPNs: Basics for Beginners Christopher Brandon Johnson Abstract Multi Protocol Label Switching (MPLS) is a core networking technology that operates essentially in between Layers 2 and 3 of

More information

MPLS is the enabling technology for the New Broadband (IP) Public Network

MPLS is the enabling technology for the New Broadband (IP) Public Network From the MPLS Forum Multi-Protocol Switching (MPLS) An Overview Mario BALI Turin Polytechnic Mario.Baldi@polito.it www.polito.it/~baldi MPLS is the enabling technology for the New Broadband (IP) Public

More information

Cisco Integrated Services Routers Performance Overview

Cisco Integrated Services Routers Performance Overview Integrated Services Routers Performance Overview What You Will Learn The Integrated Services Routers Generation 2 (ISR G2) provide a robust platform for delivering WAN services, unified communications,

More information

AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION

AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION DR. P. RAJAMOHAN SENIOR LECTURER, SCHOOL OF INFORMATION TECHNOLOGY, SEGi UNIVERSITY, TAMAN SAINS SELANGOR, KOTA DAMANSARA, PJU

More information

MARKET BRIEF Plug and Play: Managed IP Telephony

MARKET BRIEF Plug and Play: Managed IP Telephony MARKET BRIEF Plug and Play: Managed IP Telephony Sponsored by: NEC William Stofega September 2006 IP TELEPHONY: BENEFITS AND CHALLENGES Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200

More information

The Shift to Wireless Data Communication

The Shift to Wireless Data Communication The Shift to Wireless Data Communication Choosing a Cellular Solution for Connecting Devices to a WWAN Dana Lee, Senior Product Manager dana.lee@moxa.com Recent developments in the wireless and industrial

More information

SSL VPN Technology White Paper

SSL VPN Technology White Paper SSL VPN Technology White Paper Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and

More information

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0 COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.

More information

Router and Routing Basics

Router and Routing Basics Router and Routing Basics Malin Bornhager Halmstad University Session Number 2002, Svenska-CNAP Halmstad University 1 Routing Protocols and Concepts CCNA2 Routing and packet forwarding Static routing Dynamic

More information

iseries TCP/IP routing and workload balancing

iseries TCP/IP routing and workload balancing iseries TCP/IP routing and workload balancing iseries TCP/IP routing and workload balancing Copyright International Business Machines Corporation 2000, 2001. All rights reserved. US Government Users Restricted

More information

How To Understand And Understand The Security Of A Key Infrastructure

How To Understand And Understand The Security Of A Key Infrastructure Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

The Internet and the Public Switched Telephone Network Disparities, Differences, and Distinctions

The Internet and the Public Switched Telephone Network Disparities, Differences, and Distinctions The Internet and the Public Switched Telephone Network Disparities, Differences, and Distinctions This paper discusses the telephone network infrastructure commonly known as the Public Switched Telephone

More information

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. E-mail: Kapil.Kumar@relianceinfo.com

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. E-mail: Kapil.Kumar@relianceinfo.com RA-MPLS VPN Services Kapil Kumar Network Planning & Engineering Data E-mail: Kapil.Kumar@relianceinfo.com Agenda Introduction Why RA MPLS VPNs? Overview of RA MPLS VPNs Architecture for RA MPLS VPNs Typical

More information

Oct 15, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 3. Internet : the vast collection of interconnected networks that all use the TCP/IP protocols

Oct 15, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 3. Internet : the vast collection of interconnected networks that all use the TCP/IP protocols E-Commerce Infrastructure II: the World Wide Web The Internet and the World Wide Web are two separate but related things Oct 15, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 1 Outline The Internet and

More information

An Introduction to SIP

An Introduction to SIP SIP trunking, simply put, is a way for you to accomplish something that you already do, for less money, with equal or better quality, and with greater functionality. A Guide to SIP V4 An Introduction to

More information

FatPipe Networks www.fatpipeinc.com

FatPipe Networks www.fatpipeinc.com XTREME WHITE PAPERS Overview The growing popularity of wide area networks (WANs), as a means by which companies transact vital information with clients, partners, and colleagues, is indisputable. The business

More information

Frame Relay vs. IP VPNs

Frame Relay vs. IP VPNs Contents: The Case for Frame Relay The Case for IP VPNs Conclusion Frame Relay vs. IP VPNs 2002 Contents: Table of Contents Introduction 2 Definition of Terms 2 Virtual Privacy and 3 the Value of Shared

More information

21.4 Network Address Translation (NAT) 21.4.1 NAT concept

21.4 Network Address Translation (NAT) 21.4.1 NAT concept 21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially

More information

GPRS / 3G Services: VPN solutions supported

GPRS / 3G Services: VPN solutions supported GPRS / 3G Services: VPN solutions supported GPRS / 3G VPN soluti An O2 White Paper An O2 White Paper Contents Page No. 3 4-6 4 5 6 6 7-10 7-8 9 9 9 10 11-14 11-12 13 13 13 14 15 16 Chapter No. 1. Executive

More information

IVCi s IntelliNet SM Network

IVCi s IntelliNet SM Network IVCi s IntelliNet SM Network Technical White Paper Introduction...2 Overview...2 A True ATM Solution End to End...2 The Power of a Switched Network...2 Data Throughput:...3 Improved Security:...3 Class

More information

SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005. Lecturer: Kartik Krishnan Lecture 1-3

SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005. Lecturer: Kartik Krishnan Lecture 1-3 SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005 Lecturer: Kartik Krishnan Lecture 1-3 Communications and Computer Networks The fundamental purpose of a communication network is the exchange

More information

VPN. VPN For BIPAC 741/743GE

VPN. VPN For BIPAC 741/743GE VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,

More information

Using OSPF in an MPLS VPN Environment

Using OSPF in an MPLS VPN Environment Using OSPF in an MPLS VPN Environment Overview This module introduces the interaction between multi-protocol Border Gateway Protocol (MP-BGP) running between Provider Edge routers (s) and Open Shortest

More information

Whitepaper. ISP Redundancy. A Practical Guide to ISP Redundancy and Uninterrupted Internet Connectivity

Whitepaper. ISP Redundancy. A Practical Guide to ISP Redundancy and Uninterrupted Internet Connectivity Whitepaper ISP Redundancy A Practical Guide to ISP Redundancy and Uninterrupted Internet Connectivity Contents Executive Overview 3 The Challenge 4 The Solution: Stonesoft Multi-Link Technology 5 Making

More information

Optimizing Networks for NASPI

Optimizing Networks for NASPI Optimizing Networks for NASPI Scott Pelton, CISSP National Director AT&T Enterprise Network Architecture Center 2008 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks

More information

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs As a head of the campus network department in the Deanship of Information Technology at King Abdulaziz University for more

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

A Web Broker Architecture for Remote Access A simple and cost-effective way to remotely maintain and service industrial machinery worldwide

A Web Broker Architecture for Remote Access A simple and cost-effective way to remotely maintain and service industrial machinery worldwide p 1/6 White Paper A Web Broker Architecture for Remote Access A simple and cost-effective way to remotely maintain and service industrial machinery worldwide Francis Vander Ghinst Head of Sales & Marketing

More information