Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN



Similar documents
Group Encrypted Transport VPN

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Advanced IPSec with GET VPN. Nadhem J. AlFardan Consulting System Engineer Cisco Systems

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

November Defining the Value of MPLS VPNs

BUY ONLINE AT:

MPLS/IP VPN Services Market Update, United States

VPN Modules for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

Cisco Which VPN Solution is Right for You?

Group Encryption. The key to protecting data in motion BLACK BOX blackbox.com

Best Effort gets Better with MPLS. Superior network flexibility and resiliency at a lower cost with support for voice, video and future applications

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0

TrustNet Group Encryption

Exam : Implementing Cisco Service Provider Next-Generation Egde Network Services. Title :

Integrated Services Router with the "AIM-VPN/SSL" Module

High Level Overview of IPSec and MPLS IPVPNs

MPLS VPN basics. E-Guide

CCNA Security 1.1 Instructional Resource

Sprint Global MPLS VPN IP Whitepaper

Intelligent WAN 2.0 principles. Pero Gvozdenica, Systems Engineer, Vedran Hafner, Systems Engineer,

Securing Networks with Cisco Routers and Switches 1.0 (SECURE)

Licenses are not interchangeable between the ISRs and NGX Series ISRs.

Cisco IPsec and SSL VPN Solutions Portfolio

Cisco Cisco 3845 X X X X X X X X X X X X X X X X X X

Site to Site Virtual Private Networks (VPNs):

the about MPLS security

Multi Protocol Label Switching (MPLS) is a core networking technology that

Managed Services: Taking Advantage of Managed Services in the High-End Enterprise

Integrated Services Router with the "AIM-VPN/SSL" Module

Cisco Integrated Services Routers Performance Overview

Cisco IP Solution Center MPLS VPN Management 5.0

Network Virtualization Network Admission Control Deployment Guide

Cisco Virtual Office Flexibility and Productivity for the Remote Workforce

Cisco Easy VPN on Cisco IOS Software-Based Routers

The term Virtual Private Networks comes with a simple three-letter acronym VPN

ethernet services for multi-site connectivity security, performance, ip transparency

ENTERPRISE CONNECTIVITY

Virtual Privacy vs. Real Security

CLOUD NETWORKING FOR ENTERPRISE CAMPUS APPLICATION NOTE

- Multiprotocol Label Switching -

Ethernet Wide Area Networking, Routers or Switches and Making the Right Choice

Cisco EXAM Implementing Cisco Secure Mobility Solutions (SIMOS) Buy Full Product.

Cisco Virtual Office Overview. Contents. Scope of Document. Introduction

Managed 4G LTE WAN: Provide Cost-Effective Wireless Broadband Service

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Transform Your Business and Protect Your Cisco Nexus Investment While Adopting Cisco Application Centric Infrastructure

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre

USB etoken and USB Flash Features Support

Mesh VPN Link Sharing (MVLS) Solutions

Site2Site VPN Optimization Solutions

MPLS in Private Networks Is It a Good Idea?

Optimizing Networks for NASPI

Point-to-Point GRE over IPsec Design and Implementation

Enterprise Business Products 2014

Enterprise Network Simulation Using MPLS- BGP

Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment

MITEL. NetSolutions. Flat Rate MPLS VPN

Cisco Virtual Office Express

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001

Unifying the Distributed Enterprise with MPLS Mesh

Business Case for Cisco Intelligent WAN

MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper

MPLS: Key Factors to Consider When Selecting Your MPLS Provider

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

WAN Optimization Integrated with Cisco Branch Office Routers Improves Application Performance and Lowers TCO

SNRS. Securing Networks with Cisco Routers and Switches. Length 5 days. Format Lecture/lab

Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks

IWAN Security for Remote Site Direct Internet Access and Guest Wireless

Chapter 1 The Principles of Auditing 1

How To Make A Cisco Vpn Work From Home

ENTERPRISE GUIDE FOR SELECTING AN IP VPN ARCHITECTURE COMPARING MPLS, IPSEC, AND SSL

Cisco WAAS Express. Product Overview. Cisco WAAS Express Benefits. The Cisco WAAS Express Advantage

Preparing Your IP network for High Definition Video Conferencing

VPLS lies at the heart of our Next Generation Network approach to creating converged, simplified WANs.

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Part The VPN Overview

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

Cisco Actualtests Exam Questions & Answers

Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks

IPv6 Fundamentals, Design, and Deployment

Comparing MPLS-Based VPNs, IPSec-Based VPNs, and a Combined Approach from Cisco Systems

Colt IP VPN Services Colt Technology Services Group Limited. All rights reserved.

Cisco RV 120W Wireless-N VPN Firewall

How Routers Forward Packets

RFC 2547bis: BGP/MPLS VPN Fundamentals

MPLS over IP-Tunnels. Mark Townsley Distinguished Engineer. 21 February 2005

Efficient and low cost Internet backup to Primary Video lines

(d-5273) CCIE Security v3.0 Written Exam Topics

Frame Relay vs. IP VPNs

Case Studies. Static p2p GRE over IPsec with a Branch Dynamic Public IP Address Case Study. Overview CHAPTER

Creating a VPN Using Windows 2003 Server and XP Professional

References and Requirements for CPE Architectures for Data Access

WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider

Transcription:

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN Product Overview Today s networked applications such as voice and video are accelerating the need for instantaneous, branch-interconnected, and quality of service (QoS)-enabled WANs. And the distributed nature of these applications results in increased demands for scale. At the same time, enterprise WAN technologies force businesses to make a tradeoff between QoS-enabled branch interconnectivity and transport security. As network security risks increase and regulatory compliance becomes essential, Cisco Group Encrypted Transport VPN, a next-generation WAN encryption technology, eliminates the need to compromise between network intelligence and data privacy. With the introduction of Group Encrypted Transport, Cisco now delivers a new category of Virtual Private Network (VPN) that eliminates the need for tunnels. By removing the need for point to point tunnels, distributed branch networks are able to scale higher while maintaining networkintelligence features critical to voice and video quality, such as QoS, routing, and multicast. Group Encrypted Transport offers a new standards-based IP Security (IPsec) security model that is based on the concept of trusted group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship. Group Encrypted Transport-based networks can be used in a variety of WAN environments, including IP and Multiprotocol Label Switching (MPLS). MPLS VPNs that use this encryption technology are highly scalable, manageable, and cost-effective, and meet regulatory-mandated encryption requirements. The flexible nature of Group Encrypted Transport allows securityconscious enterprises to manage their own network security over a service provider WAN service or to offload encryption services to their providers. Group Encrypted Transport simplifies securing large Layer 2 or MPLS networks requiring partial or full-mesh connectivity. Key Features and Benefits Group Encrypted Transport is built on standards-based technologies and easily integrates routing and security together in the network fabric. Secure group members are managed through an IETF standard, Group Domain of Interpretation (GDOI). Simplifying the Security Policy Distribution GDOI alleviates the need to configure tunnel endpoints. A key server distributes keys and policies to all registered and authenticated member routers (Figure 1). All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 5

Figure 1. Key and Policy Distribution with GDOI By distributing policies from a centralized point and by sharing the same group security association with authenticated group members, key distribution and management are greatly simplified. IP Routing Preservation A Group Encrypted Transport-enabled security model uses the existing routing infrastructure rather than using the traditional IPsec overlay. Data packets maintain their original IP source and destination addresses (Figure 2). By preserving the original IP header in IPsec packets, Group Encrypted Transport enables organizations to rely on the existing Layer 3 routing information, thus providing the ability to address multicast replication inefficiencies and improving network performance. Figure 2. IP Routing Comparison Between IPsec and Group Encrypted Transport Additionally, Group Encrypted Transport helps ensure low latency and jitter for voice, video, and other latency-sensitive traffic by enabling direct, always-on communication between all sites without traversing a central hub site. Furthermore, it reduces traffic loads for multicast traffic across IP Layer 3 VPNs by eliminating the broadcast traffic replication usually required on IPsecencrypted networks. Table 1 summarizes the key Group Encrypted Transport VPN features. Table 1. Key Features Feature Description Group Domain of Interpretation GDOI (RFC 3547) is the key management protocol that establishes security associations among authorized group member routers. IP Header Preservation Centralized Key and Policy Management The original IP header inside the IPsec packet is preserved. A centrally available key server, typically a head-end router, is responsible for pushing keys and re-key messages as well as security policies to authorized group member routers. Both local and global policies, applicable to all members in a group, are supported, such as Permit any any, a policy to encrypt all traffic. All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 5

Feature Key Server High Availability Support for Anti-Replay Encryption Support Description The key server, responsible for pushing keys and policies, supports high availability by synchronizing keys and the policy database with a secondary key server. Anti-replay support protects against man-in-the-middle attacks. Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) Hardware Support Hardware acceleration of IPsec encryption helps ensure that performance requirements are achieved. Cisco Systems recommends hardware acceleration of IPsec whenever IPsec is employed. IPsec acceleration and the Group Encrypted Transport feature set are supported with the onboard encryption capabilities of the Cisco Integrated Services Routers, and the Cisco 7200 Series Routers and the Cisco 7301 Router with VPN modules. See Table 2 for acceleration support for Cisco routers. Table 2. Cisco Hardware Support for GET VPN Feature Platform Cisco VPN Acceleration GET VPN Group Member GET VPN Key Server Cisco 870, 1800 Series, 2800 Series, and 3800 Series Cisco 1841, 2800 and 3800 Series Cisco 7200 Series and 7301 routers Cisco 1841, 2800 Series and 3800 Series, Cisco 7200 Series and 7301 routers On-board IPSec Acceleration AIM-VPN/SSL-1, AIM-VPN/SSL-2, AIM-VPN/SSL-3* Cisco VPN Acceleration Module 2+ (VAM2+), Cisco VPN Services Adapter (VSA)** AIM-VPN/SSL-1, AIM-VPN/SSL-2, AIM-VPN/SSL-3* (Cisco ISR) Cisco VAM2+, Cisco VSA** (Cisco 7200 Series and 7301 routers) * Cisco ISRs with Cisco AIM-VPN-HPII-PLUS, Cisco AIM-VPN-EPII-PLUS, Cisco AIM-VPN-BPII-PLUS are supported, however they do not accelerate the GDOI RFC 3547 functionalty ** Cisco VPN Services Adapter (VSA) is supported on the Cisco 7200 Series routers and requires NPE-G2. It supports GET VPN starting from 12.4(15)T5 onwards (with the Advanced Security feature set or higher). Cisco Group Encrypted Transport Benefits In extending GDOI by encrypting and authenticating both multicast and unicast traffic, the Group Encrypted Transport provides benefits to a variety of applications: Provides data security and transport authentication, helping to meet security compliance and internal regulation by encrypting all WAN traffic Enables high-scale network meshes and eliminates complex peer-to-peer key management with group encryption keys For MPLS networks, maintains the network intelligence such as full-mesh connectivity, natural routing path, and QoS Grants easy membership control with a centralized key server Helps ensure low latency and jitter by enabling full-time, direct communications between sites, without requiring transport through a central hub Reduces traffic loads on customer premises equipment (CPE) and provider-edge encryption devices by using the core network for replication of multicast traffic, avoiding packet replication at each individual peer site Applications Private WAN Environments All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 5

Increased network security risks and regulatory compliances have driven the need for WAN transport security. Enterprise organizations that are either self-managing their own MPLS network or have purchased MPLS or private WAN services from a service provider can self-employ Group Encrypted Transport to help ensure data privacy while maintaining the any-to-any connectivity intrinsic in many private WANs. In doing so, organizations attain a much needed balance of control over security between their businesses and service providers while maintaining compliance with security regulations. Public Internet Environments For enterprise IPsec VPNs that traverse the public Internet, Group Encrypted Transport enhances Dynamic Multipoint VPN (DMVPN) and GRE-based site-to-site VPNs by providing manageable, highly scalable network meshing cost-effectively by using the group shared key. In this way, Group Encrypted Transport simplifies key management in large network deployments. For a comparison of Cisco IPSec site-to-site solutions available for either tunnel-less or tunnelbased environments, view the Cisco Site-to-Site At a Glance Document. Management In addition to providing monitoring and debugging capabilities for both group member routers and the key server, Cisco Group Encrypted Transport supports Easy Secure Device Deployment for secure device provisioning in PKI deployments. Future support will include Cisco Security Manager. Feature Availability Table 3 provides information about the availability of the Cisco Group Encrypted Transport feature set. Table 3. Feature Availability Feature Platform Support Availability Cisco IOS Software Group Encrypted Transport VPN Cisco 870, 1800, 2800, 3700, 3800, and 7200 Series, and 7301 Routers November 2006 Release 12.4(11)T Recommended Cisco IOS version: minimum of 12.4(15)T To Download the Software Visit the Cisco Software Center to download Cisco IOS Software. The Cisco IOS Software Release 12.4(11)T Advanced Security Image and later contain the Cisco Group Encrypted Transport feature set. For More Information For more information about Cisco Group Encrypted Transport, visit http://www.cisco.com/go/getvpn or contact your local account representative. All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 5

Printed in USA C78-373601-02 03/08 All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information