A Primer for Implementing a Cisco Virtual Private Network




REFERENCE GUIDE

Executive Summary

The proliferation of the networked economy has spawned fundamental change in how corporations conduct business. Corporate staff are no longer defined by where they do their jobs as much as by how well they perform their job functions. Competitive pressures in many industries have spawned alliances and partnerships among enterprises, requiring separate corporations to act and function as one when facing customers. While such developments have increased productivity and profitability for many corporations, they have also created new demands on the corporate network. A network focused solely on connecting fixed corporate sites is no longer adequate for many companies. Remote users, such as telecommuters or road warriors, and external business partners now require access to enterprise computing resources. The classic wide-area network (WAN) must be extended to accommodate these users.

Consequently, many enterprises are considering virtual private networks (VPNs) to complement their existing classic WAN infrastructure. According to the Gartner Group, a networking research and consulting firm, by 2003 nearly 100 percent of enterprises will supplement their WAN infrastructures with VPNs. From a network architecture perspective, the motivation for this is manifest: a VPN can better meet today's diverse connectivity needs. The advantages of a VPN, however, are also visible at the bottom line. VPNs are less expensive to operate than private networks from management, bandwidth, and capital perspectives. Consequently, the payback period for VPN equipment is generally measured in months instead of years. Perhaps the most important benefit of all, however, is that VPNs enable enterprises to focus on their core business objectives instead of running the corporate network.

Cisco VPN solutions encompass all segments of the networking infrastructure (platforms, security, network services, network appliances, and management), thus providing the broadest set of VPN service offerings across many different network architectures. Cisco support of existing WAN infrastructures is essential in accommodating hybrid network architectures, where users will require access to the VPN from leased-line, Frame Relay, IP, and Internet VPN connections. Leveraging existing network gear in these deployment scenarios is paramount. A VPN must extend the classic WAN and provide a common networking, security, and management environment across the enterprise network. Cisco VPN solutions enable corporations to deploy VPNs on their existing Cisco networking gear. The entire line of Cisco router and firewall platforms is VPN-enabled through Cisco IOS or PIX Firewall software enhancements, thus providing corporations a smooth migration path to a VPN environment. The Cisco installed base of VPN-ready ports numbers over ten million today. Cisco also offers integrated VPN platforms designed for the specific needs of VPN-centric environments.

Network architecture flexibility and ubiquity make Cisco uniquely positioned as the guide to the new world of VPNs. Cisco VPN solutions tightly integrate the many facets of VPNs with existing Cisco products such as routers, WAN switches, access servers, and firewalls, ensuring the smooth integration of VPN technology into Cisco enterprise networks. The breadth of Cisco solutions, such as voice over the enterprise WAN using Cisco AVVID (Architecture for Voice, Video and Integrated Data) and content networking technologies, are fully compatible with Cisco VPN platforms. Furthermore, the ubiquity of Cisco equipment in service provider IP, Frame Relay, and ATM backbones provides the means for a high degree of feature integration over the WAN, including common bandwidth management/quality of service (QoS) functions across service provider and enterprise networks.

Page 1 of 18

What Is a VPN?

There is much hype in the industry currently concerning VPNs, their functionality, and how they fit in the enterprise network architecture. Simply defined, a VPN is an enterprise network deployed on a shared infrastructure employing the same security, management, and throughput policies applied in a private network. VPNs are an alternative WAN infrastructure that replaces or augments existing private networks built on leased lines or enterprise-owned Frame Relay/ATM networks. VPNs do not inherently change WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. A VPN can utilize the most pervasive transport technologies available today: the public Internet, service provider IP backbones, and service provider Frame Relay and ATM networks. The functionality of a VPN, however, is defined primarily by the equipment deployed at the edge of the enterprise network and by feature integration across the WAN, not by the WAN transport protocol itself.

Figure 1: VPN Defined (diagram: remote office, home, main site, mobile worker, and business partner connected through service provider POPs over an Internet/IP, Frame Relay, or ATM service provider network)

VPNs are segmented into three categories: remote access, intranets, and extranets.

- Remote access VPNs connect telecommuters, mobile users, or even smaller remote offices with minimal traffic to the enterprise WAN and corporate computing resources.
- An intranet VPN connects fixed locations (branch and home offices) within an enterprise WAN.
- An extranet extends limited access to enterprise computing resources to business partners, such as suppliers or customers, enabling access to shared information.

Each type of VPN has different security and bandwidth management issues to consider.

Why Enterprises Consider VPNs

VPNs offer many advantages over traditional, leased-line networks. The primary benefits include:

- Lower cost than private networks. Total cost of ownership is reduced through lower-cost transport bandwidth, backbone equipment, and operations; according to Infonetics, a network management consulting firm, LAN-to-LAN connectivity costs are typically reduced by 20 to 40 percent over domestic leased-line networks, and cost reductions for remote access are in the 60- to 80-percent range.

- Enabling the Internet economy through enterprise network agility. VPNs are inherently more flexible and scalable network architectures than classic WANs, enabling enterprises to quickly and cost-effectively extend connectivity, and to connect or disconnect remote offices, international locations, telecommuters, roaming mobile users, and external business partners as business requirements demand.
- Reduced management burden compared to owning and operating a private network infrastructure. Enterprises may outsource some or all of their WAN functions to a service provider, enabling them to focus on core business objectives instead of managing a WAN or dial-access network.
- Simpler network topologies, which further reduce the management burden. Utilizing an IP backbone eliminates the static permanent virtual circuits (PVCs) associated with connection-oriented protocols such as Frame Relay and ATM, giving any-to-any (fully meshed) connectivity while actually decreasing network complexity and cost.

Components of the VPN

VPN solutions are defined by the breadth of features offered. A VPN platform must be secure from intrusion and tampering, deliver mission-critical data in a reliable and timely manner, and be manageable across the enterprise. Unless each of these requirements is addressed, the VPN solution is incomplete. The essential elements of a VPN can be segmented into five broad categories:

- Platform scalability. Each of these elements must scale across VPN platforms ranging from a small office configuration through the largest enterprise implementations; the ability to adapt the VPN to meet changing bandwidth and connectivity needs is crucial in a VPN solution.
- Security. Tunneling, encryption, and packet authentication are necessary for transport security on public networks; in addition, user authentication and access control are essential for assigning network privileges and access.
- VPN services. Bandwidth management and QoS functions such as queuing, network congestion avoidance, traffic shaping, and packet classification, as well as VPN routing services using Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP), are essential elements of a VPN.
- Appliances. Firewalls, intrusion detection, and active security auditing are essential for comprehensive VPN perimeter security.
- Management. Enforcing security and bandwidth management policies across the VPN and monitoring the network are necessary for a VPN solution.

These five key components of VPN solutions are delivered by Cisco within the context of open standards, scalability, and end-to-end networking capabilities.

Figure 2: VPN Building Blocks (diagram: security, VPN features, and QoS layered over network and service monitoring, network management, and policy management; classic WAN requirements, core networking services, Cisco IOS platforms, infrastructure, and appliances form the base)

Satisfying these VPN requirements does not necessarily require replacement of an existing wide-area networking infrastructure. Cisco VPN solutions augment existing WAN infrastructures to meet the enhanced security, reliability, and management requirements of a VPN environment. The existing Cisco router portfolio is VPN capable, with VPN features deployable through Cisco IOS software. In some VPN deployments, depending on encryption performance requirements and WAN topology, the Cisco portfolio of VPN-optimized routers may be a better alternative; VPN-optimized routers offer optional hardware extensibility for enhanced security performance. VPNs can also be implemented using the PIX Firewall. Implementing VPN solutions on either portfolio of VPN routers or on the PIX Firewall enables robust VPN deployment using existing Cisco networking gear, thus preserving enterprise investments in networking infrastructure.

Security and Appliances: Protecting the Network

Deploying WANs on a shared network makes security issues paramount. Enterprises need to be assured that their VPNs are secure from perpetrators observing or tampering with confidential data passing over the network and from unauthorized users gaining access to network resources and proprietary information. Encryption, authentication, and access control guard against these security breaches. The key components of VPN security are:

- Tunnels and encryption
- Packet authentication
- Firewalls and intrusion detection
- User authentication

These mechanisms complement each other, providing security at different points throughout the network. VPN solutions must offer each of these security features to be considered a viable solution for utilizing a public network infrastructure.

Tunnels and Encryption

Cisco VPN solutions employ encrypted tunnels to protect data from being intercepted and viewed by unauthorized entities and, where needed, to perform multiprotocol encapsulation. Tunnels provide logical, point-to-point connections across a connectionless IP network, enabling application of advanced security features. Encryption is applied to the tunneled connection so that the data is legible only to authorized senders and receivers. In applications where security is less of a concern, tunnels can be employed without encryption to provide multiprotocol support without privacy.

Cisco VPNs employ IP Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), and generic routing encapsulation (GRE) for tunnel support, together with the strongest standard encryption technologies available at the time of writing: Data Encryption Standard (DES), 3DES, and 40/128-bit RC4 for Microsoft Point-to-Point Encryption (MPPE). (Single DES and 40-bit RC4 are no longer considered adequate; later Cisco IOS releases add AES.) Furthermore, Cisco VPN solutions support major certificate authority vendors, such as Verisign and Entrust, for managing security/encryption administration.

Packet Authentication

Although interception and viewing of data on a shared network is the primary security concern for enterprises, data integrity is also an issue. On an unsecured network, packets can be intercepted by a perpetrator, their contents changed, and then forwarded on to their destination with erroneous information. For example, an order placed to a supplier over an unsecured network could be modified by a perpetrator, changing the order quantity from 1000 to 100. Packet authentication protects against such tampering by adding a header that carries an integrity check value computed over the packet with a key known only to the two endpoints; a packet whose contents no longer match the check value is discarded by the receiver. The IPSec Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols provide this service using keyed-hash (HMAC) constructions of industry-standard hash algorithms such as Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA-1) to ensure the integrity of packets transmitted over a shared IP backbone.

Firewalls, Intrusion Detection, and Security Auditing

A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and from network attacks such as denial of service. Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and applies the access privileges that users are permitted.
Cisco VPN solutions provide enterprises flexibility in firewall choices, offering Cisco IOS software-based firewalls resident on VPN routers as well as the separate PIX Firewall appliance. Using IPSec software, the PIX Firewall can also serve as a VPN tunneling and encryption appliance.

An added element of assurance in perimeter security is intrusion detection. While firewalls permit or deny traffic based on source, destination, port, and other criteria, they do not analyze the traffic itself. Intrusion-detection systems, such as the Cisco NetRanger system, operate in conjunction with firewalls to extend perimeter security to the packet payload level by analyzing the content and context of individual packets to determine whether the traffic is authorized. If the data stream of a network shows unauthorized activity, NetRanger software automatically applies real-time security policy, such as disconnecting the offending session, and notifies a network administrator of the incident. The NetRanger products provide automated monitoring and response for more robust network security while reducing the personnel costs associated with perimeter monitoring.

Firewalling and intrusion detection provide strong defense mechanisms against network attacks, but strong security begins inside the corporate network by ensuring that security vulnerabilities are minimized. Security auditing systems, such as the Cisco NetSonar software, scan the corporate network to identify potential security risks. NetSonar software maps all active systems on a network, their operating systems and network services, and their associated potential vulnerabilities. NetSonar software also proactively and safely probes systems using its network security database to confirm vulnerabilities, and provides detailed information about them, enabling network managers to better secure the network from attacks.
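To make the tunneling, packet-authentication and firewall material above concrete, here is an added Cisco IOS configuration (an editorial example, not taken from the guide) for the main-site end of a GRE-over-IPSec intranet link: ESP provides 3DES confidentiality and HMAC-SHA packet authentication, an inbound access list admits only IKE and ESP from the peer, and Cisco IOS Firewall (CBAC) inspects outbound sessions. The addresses (203.0.113.0/30 from the documentation range, 10.1.1.0/24, 192.168.255.0/30), the names STRONG, VPN and FW, the interface names and the pre-shared key are placeholders; the syntax is the classic crypto-map configuration of IOS 12.x images. The branch router mirrors this with the addresses swapped.

```cisco
! Main-site router. Peer (branch) is 203.0.113.2; it mirrors this
! configuration with the WAN and tunnel addresses swapped.
!
! IKE phase 1: authenticate the peer and agree keys. A pre-shared key is
! shown for brevity; with the CA support the guide mentions this becomes
! "authentication rsa-sig" plus a trustpoint, and the key line goes away.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key ChangeThisPreSharedKey address 203.0.113.2
!
! IPSec phase 2: ESP gives confidentiality (3DES) and packet authentication
! (HMAC-SHA integrity check value). A packet altered in transit, such as the
! guide's order quantity changed from 1000 to 100, fails the check and is
! dropped on receipt.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL: everything inside the GRE tunnel between the two WAN
! addresses is encrypted, whatever protocol or routing update it carries.
access-list 101 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG
 set pfs group2
 match address 101
!
! GRE tunnel: carries EIGRP and any non-IP traffic. The MTU is lowered so
! that GRE plus ESP overhead does not force fragmentation of encrypted packets.
interface Tunnel0
 ip address 192.168.255.1 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 110 in
 ip inspect FW out
 crypto map VPN
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 192.168.255.0 0.0.0.3
!
! Perimeter ACL on the WAN interface. Inbound packets are checked before
! decryption, so only IKE and ESP from the peer are admitted; on many IOS
! releases the decrypted packet is checked again, hence the GRE line.
! Everything else is denied and logged. CBAC opens temporary return holes
! for the sessions it inspected going out.
access-list 110 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list 110 permit esp host 203.0.113.2 host 203.0.113.1
access-list 110 permit gre host 203.0.113.2 host 203.0.113.1
access-list 110 deny ip any any log
!
! Cisco IOS Firewall (CBAC): stateful inspection of sessions leaving the site.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
```

Verify with "show crypto isakmp sa" (state should be QM_IDLE), "show crypto ipsec sa" (the encaps/decaps counters should rise with traffic, and "#pkts verify failed" should stay at zero; a rising count there is the integrity check rejecting modified or replayed packets) and "show ip inspect sessions" for the CBAC state table. On current images replace 3des/sha with the AES and SHA-256 transforms; the structure of the configuration is unchanged.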
User Authentication

A key component of VPN security is ensuring that authorized users gain access to the enterprise computing resources they need, while unauthorized users are shut out of the network entirely. Cisco VPN solutions are built around authentication, authorization, and accounting (AAA) capabilities that provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial-access and extranet applications of VPNs. Cisco VPN solutions support the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols for centralized AAA services.
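An added example of the AAA configuration this section describes (editorial, not from the guide): RADIUS for remote-access and extranet users arriving over PPP, TACACS+ for device administration, accounting for both, and a local fallback that is used only when no server answers. The server addresses 10.1.1.10, 10.1.1.11 and 10.1.1.20, the server-group and method-list names, the Virtual-Template number and the keys are placeholders; it assumes a Cisco IOS image with the AAA server-group feature (12.0(5)T or later).

```cisco
! Centralised AAA on the VPN access router. RADIUS carries user
! authentication, per-user authorization (address pools, ACLs) and session
! accounting; TACACS+ carries administrator logins and command authorization.
aaa new-model
!
! Device administration: who may log in, what privilege they get, and
! every privileged command they run is recorded on the TACACS+ server.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Employees arriving over PPP (dial, L2TP, PPTP): authenticate, apply the
! per-user network authorization the server returns, account start/stop.
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
! Extranet partners get their own method list and RADIUS server group, so
! partner credentials are never checked against the employee directory and
! a compromised partner account cannot fall back to the local database.
aaa group server radius PARTNERS
 server 10.1.1.20 auth-port 1812 acct-port 1813
aaa authentication ppp partner-list group PARTNERS
aaa authorization network partner-list group PARTNERS
aaa accounting network partner-list start-stop group PARTNERS
!
! Server definitions. 1812/1813 are the IANA RADIUS ports; older servers
! listen on 1645/1646. Each server has its own shared secret.
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key ChangeRadiusKey
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key ChangePartnerKey
radius-server timeout 5
radius-server retransmit 3
tacacs-server host 10.1.1.11 key ChangeTacacsKey
!
! Local fallback account: only consulted when the AAA servers are unreachable.
username admin privilege 15 secret ChangeLocalPassword
!
! Bind the partner method lists to the interface template partners land on.
interface Virtual-Template2
 ppp authentication chap partner-list
 ppp authorization partner-list
 ppp accounting partner-list
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
```

The "local" keyword at the end of each default method list is deliberate: IOS only consults the local database when every server in the group fails to respond, not when a server rejects the user, so a failed RADIUS login cannot be retried against the local account. "debug aaa authentication" and "show tacacs" / "show radius statistics" show which method answered during testing.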

VPN Services: Managing Routing and Throughput

An essential component of VPN solutions is ensuring efficient use of precious WAN bandwidth and reliable throughput of important data while performing traditional routing services. The bursty nature of network traffic characteristically makes poor use of network bandwidth by sending too many packets into the network at once or creating network bottlenecks. The result is twofold: WAN links are often underutilized, letting expensive bandwidth lie dormant, while network congestion during peak times constrains throughput of delay-sensitive and mission-critical traffic. It is a lose/lose situation.

QoS determines the ability of the network to assign resources to mission-critical or delay-sensitive applications while limiting resources committed to low-priority traffic. QoS addresses two fundamental requirements for applications run on a VPN: predictable performance and policy implementation. Policies are used to assign network resources to specific users, applications, project groups, or servers in a prioritized way. Components of bandwidth management/QoS that apply to Layer 2 and Layer 3 VPNs include:

- Packet classification, which provides the foundation for bandwidth management and traffic classification policies within the VPN. Cisco network-based application recognition (NBAR) delivers application-aware classification, enabling bandwidth management by true application type, by Web URL and sub-URL, and among dynamically assigned TCP ports. Furthermore, NBAR provides a detailed view of the protocols traversing the VPN through its automated protocol discovery feature.
- Traffic shaping and policing. Cisco committed access rate (CAR) and generic traffic shaping (GTS) enable mission-critical traffic to receive an appropriate share of VPN bandwidth while limiting the amount of bandwidth dedicated to less-critical applications.
- Advanced outbound queuing, congestion management, and bandwidth allocation. Cisco Weighted Fair Queuing (WFQ) delivers congestion management and bandwidth allocation among specific applications and users. Weighted Random Early Detection (WRED) provides congestion avoidance in the VPN, thus increasing overall network throughput by reducing data retransmission. Together, WFQ and WRED maximize use of limited WAN resources.

These QoS features complement each other, working together in different parts of the VPN to create a comprehensive bandwidth management solution. Bandwidth management must be applied at multiple points on the VPN to be effective; single-point solutions cannot ensure predictable performance. Furthermore, Cisco QoS features fully interoperate with tunneling and encryption services through standards-based type of service (ToS) and DiffServ markings, which are copied to the outer header of tunneled and encrypted packets. The Cisco standards-based approach to QoS ensures that QoS can be applied throughout the service provider network, thus delivering end-to-end bandwidth management throughout the VPN. The efficacy of end-to-end QoS can be measured by monitoring network performance using the Cisco Service Assurance Agent, a network monitoring feature embedded in Cisco IOS software on the router. The Service Assurance Agent measures network uptime, latency, and other service characteristics, enabling corporations to verify that service-level agreements (SLAs) with their service providers are being met.

In addition to the benefits of managing bandwidth, Cisco recognizes the importance of providing VPN routing services that complement QoS mechanisms while integrating seamlessly into existing corporate network routing configurations. By supporting standard routing protocols, such as EIGRP and OSPF, Cisco VPN routing services ensure cost-effective migration to VPN infrastructures that provide robust bandwidth management without impacting existing network configurations.
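An added Cisco IOS example (editorial, not from the guide) that ties the QoS features above together on one VPN router: NBAR classification including a URL match, DSCP marking at the LAN edge, CAR policing, shaping to the provider's committed rate (the MQC form of generic traffic shaping), low-latency queuing and class-based WFQ with WRED on the WAN link, "qos pre-classify" so the output policy sees the headers as they were before encryption, and two Service Assurance Agent probes. It assumes a crypto map named VPN (sequence 10) and a Tunnel0 already exist for the site-to-site link; the rates, DSCP choices, interface names, the far-end address 192.168.255.2 and the access-list number are placeholders, and the NBAR rtp and url matches need a 12.2T-era or later image.

```cisco
! Protocol discovery: learn what actually crosses the WAN before writing
! policy (inspect with "show ip nbar protocol-discovery").
interface Serial0/0
 ip nbar protocol-discovery
!
! Application-aware classification: RTP audio, business applications on
! dynamic ports, a CGI URL match, and bulk transfers.
class-map match-any VOICE
 match protocol rtp audio
class-map match-any BUSINESS
 match protocol citrix
 match protocol sqlnet
 match protocol http url *.cgi*
class-map match-any BULK
 match protocol ftp
 match protocol pop3
!
! Mark once at the LAN edge. IPSec copies the IP ToS byte into the outer
! header, so the provider's DiffServ policy still sees the DSCP after
! encryption without seeing the payload.
policy-map MARK-EDGE
 class VOICE
  set ip dscp ef
 class BUSINESS
  set ip dscp af31
 class BULK
  set ip dscp af11
 class class-default
  set ip dscp default
!
! WAN scheduling: strict-priority queue for voice, guaranteed bandwidth with
! DSCP-aware WRED for business and bulk classes, WFQ plus WRED for the rest.
! Reserved bandwidth (128+384+128 kbit/s) stays under 75% of the shape rate,
! which is the default ceiling IOS enforces.
policy-map WAN-OUT
 class VOICE
  priority 128
 class BUSINESS
  bandwidth 384
  random-detect dscp-based
 class BULK
  bandwidth 128
  random-detect dscp-based
 class class-default
  fair-queue
  random-detect
!
! Shape to the provider's committed rate and run the queuing policy inside
! the shaper, so queuing starts when the CIR is reached, not when the
! physical link fills.
policy-map WAN-SHAPE
 class class-default
  shape average 1024000
  service-policy WAN-OUT
!
interface FastEthernet0/0
 service-policy input MARK-EDGE
!
! Classify on the inner (pre-encryption) headers for traffic entering the
! tunnel and the crypto map.
interface Tunnel0
 qos pre-classify
crypto map VPN 10 ipsec-isakmp
 qos pre-classify
!
interface Serial0/0
 bandwidth 1544
 ! CAR: police inbound FTP data to 256 kbit/s (normal/excess burst in bytes).
 rate-limit input access-group 120 256000 48000 96000 conform-action transmit exceed-action drop
 service-policy output WAN-SHAPE
!
access-list 120 permit tcp any eq ftp-data any
!
! Service Assurance Agent: ICMP echo for reachability/latency against a
! 100 ms threshold, and a UDP jitter probe for the voice class. The branch
! router needs "rtr responder" for the jitter probe. Read results with
! "show rtr collection-statistics".
rtr 1
 type echo protocol ipIcmpEcho 192.168.255.2
 frequency 60
 threshold 100
rtr schedule 1 life forever start-time now
rtr 2
 type jitter dest-ipaddr 192.168.255.2 dest-port 16384 num-packets 20
 frequency 60
rtr schedule 2 life forever start-time now
```

"show policy-map interface Serial0/0" shows per-class offered rate, drops and WRED statistics, which is the quickest way to confirm the marking and the pre-classification are taking effect on encrypted traffic. Run the probes against the tunnel address rather than the provider's address so the measurement covers the whole encrypted path.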
Network Management: Operating the VPN VPNs integrate multiple security and bandwidth management services in addition to the network devices themselves. Enterprises need to seamlessly manage these devices and features across the VPN infrastructure, including remote access and extranet users. Given these issues, network management becomes a major consideration in a VPN environment. A VPN WAN architecture, however, affords network managers the opportunity to outsource many aspects of network management. Unlike in a private network architecture, a VPN enables enterprises to define what level of network control they need to retain in house, while outsourcing less-sensitive functions to service providers. Many companies choose to retain full control over deployment and daily operation of their VPN, and thus require a comprehensive, policy-based management system. Such a system extends the existing management framework to encompass WAN management functions unique to VPNs. Cisco enterprise network management provides a comprehensive suite of tools for managing devices, security policies, and services across any size VPN. As the WAN is extended with VPN technology, a strict set of business requirements must be met for the enterprise network manager to be successful. These requirements include: Page 6 of 18

Minimize risk Moving from a dedicated infrastructure to a shared infrastructure that utilizes WAN transport mediums, such as the public Internet, presents the network manager with new security and auditing challenges. Network managers must be able to extend VPN access to multiple corporate sites, business partners, and remote users, while assuring the integrity of corporate data resources. Scale The rapid addition of mobile users and business partners to the VPN requires network managers to expand the network, make hardware and software upgrades, manage bandwidth, and maintain security policies with unprecedented speed and accuracy. Cost To fully realize the cost benefits of a VPN, network managers must be able to implement new VPN technologies and provision additional network users without growing the operations staff at a proportional rate. Cisco enterprise management tools empower network managers to effectively meet these business requirements via a three-tiered management strategy: enabling scalable device management, supporting hybrid network architectures, and using Cisco Powered Networks to their advantage. Scalable Device Management Integrated tools that manage one device work well for smaller VPN deployments. Managing a vast portfolio of VPN solutions and technologies across numerous devices and locations is best managed by policy. Policy management provides a uniform and integrated approach to VPN management, enabling the network manager to consistently implement VPN policies across the collection of resources that create the VPN. Supporting Hybrid Network Architectures In a hybrid private/vpn environment, VPN management functions must integrate seamlessly into the existing private enterprise network management architecture. Private network management tools must be augmented to support new VPN management capabilities, providing network managers with end-to-end control and visibility. 
Leveraging Cisco Powered Networks Service providers that deploy Cisco technology and services to deliver the VPN infrastructure may utilize the Cisco Service Management (CSM) System to achieve their operations and business objectives. As part of the CSM solution set, provisioning and service monitoring solutions enable the service provider to deliver the VPN connectivity to the enterprise customer. By creating a bridge between enterprise management solutions and CSM solutions, Cisco enables enterprise network managers to receive configuration information from the service provider, validate that service levels provided by the service provider match the expectations of the enterprise, and deliver bandwidth management policy to the service provider to ensure end-to-end QoS for mission-critical applications. Management tools such as the Cisco Internetwork Performance Monitor (IPM) and Service-Level Agreement Manager (SLAM) operate in conjunction with the Cisco Service Assurance Agents, enabling network managers to ensure that their SLAs with service providers are being met. The Cisco Enterprise Network Management Strategy Cisco has developed policy-based management tools for enterprise VPNs that also use the features of Cisco Powered Networks deployed by service providers. The Cisco VPN management strategy delivers a comprehensive approach to operating a VPN by addressing the key components of VPN management: configuration, multidevice policy, and monitoring. For VPN configuration and policy management, Cisco offers a suite of management tools, such as CiscoWorks 2000, Cisco Secure Policy Manager, and QoS Policy Manager, which provide a comprehensive view of the VPN network that enables scalable deployment of tunnels, encryption, firewalls, and QoS on Cisco VPN platforms. Monitoring the network is key to successful management of the VPN. For monitoring, Cisco leverages the breadth of CiscoView applications to provide an integrated view of VPN operation and activity. 
Going forward, policy-based management of VPN features and security parameters will be enhanced with Directory-Enabled Network (DEN) features to provide centralized VPN management based on directory policy. Platform Scalability and Migration Paths: Looking to the Future When considering a VPN solution, enterprises should consider how VPN technology will integrate into their existing network infrastructure and how it will grow with the dynamic requirements of the enterprise network. VPNs are not an all-or-nothing network decision. A VPN can be phased into existing private network architectures to offer a flexible migration path for the evolution of private networks. Many organizations will likely deploy VPNs as an augmentation of their existing private WAN infrastructures. For such hybrid applications, VPNs Page 7 of 18

can be implemented on existing Cisco VPN-capable routers using Cisco IOS software with its extensive array of VPN features. Additionally, existing VPN-optimized routers can utilize optional hardware components to increase VPN performance. Implementing VPNs through Cisco IOS software and optional hardware components enables robust VPN functionality without impacting existing network infrastructures, thus ensuring flexibility and growth necessary for the future. Figure 3 Hybrid Private/VPN Business Partner Mobile Worker Main Remote VPN Cloud (Internet, IP) Regional Private Line Throughout its VPN portfolio, Cisco employs standards-based solutions. For Layer 3 security, Cisco VPNs use IPSec, a standards track proposal in the Internet Engineering Task Force (IETF) for IP security. For Layer 2 tunneling, Cisco supports L2TP, the standards track Layer 2 protocol for VPN tunneling. Furthermore, Cisco VPNs support Point-to-Point Tunneling Protocol (PPTP), L2F and GRE. For encryption, Cisco supports the strongest standard algorithms available in the industry DES, 3DES, and 40/128-bit MPPE. According to the Gartner Group, the nascence of the VPN equipment market raises risks of choosing the wrong vendor. Cisco equipment comprises more than 80 percent of the Internet backbone and is the cornerstone of enterprise networks. These factors make Cisco uniquely positioned as the guide to the new world of VPNs. Industry-leading Cisco platforms, including routers, WAN switches, access servers, and firewalls combined with robust Cisco IOS software are the foundation for deploying the broadest set of VPN service offerings across many different network architectures. This scenario enables corporations to preserve their network investments by deploying VPNs on their existing Cisco gear. Furthermore, Cisco VPN solutions tightly integrate the many facets of VPNs with existing Cisco products, ensuring the smooth integration of VPN technology into Cisco enterprise networks. 
The breadth of Cisco solutions, such as voice over the enterprise WAN, is fully compatible with Cisco VPN platforms. Additionally, the ubiquity of Cisco equipment in service provider IP, Frame Relay, and ATM backbones provides the means for a high degree of feature integration over the WAN, including common bandwidth management functions across service provider and enterprise networks.

Common Architectures for VPNs

Today's Corporate WAN: The Private Network

Today's corporate WAN is typically built using private lines or private Frame Relay/ATM. The remote access portion of the network is also typically a private solution, with corporations deploying and managing their own dial-access infrastructure. Extranet applications are often either not supported, or they are supported only as an expensive and burdensome extension of the WAN cloud.
Figure 4 Today's Corporate Network (diagram: a main site connected over a private line network to regional and remote sites, a home user, and a mobile worker; the business partner connection is marked with a question mark)

A private network architecture limits network extendibility to remote users and partners, is difficult to manage, and is expensive to provide bandwidth for and to maintain. Migration from a private network infrastructure to a VPN focuses on each distinct segment of the private network, the intranet and the remote access network, and extends the network to business partners.

Remote Access VPNs

Remote access VPNs extend the corporate network to telecommuters, mobile workers, and remote offices with minimal WAN traffic. They enable users to connect to their corporate intranets or extranets whenever, wherever, or however they require. Remote access VPNs provide connectivity to a corporate intranet or extranet over a shared infrastructure with the same policies as a private network. Access methods are flexible: asynchronous dial, ISDN, digital subscriber line (DSL), cable, and wireless mobile IP technologies are supported on Cisco VPN platforms. Migrating from privately managed dial networks to remote access VPNs offers several advantages, most notably:

- Reduced capital costs associated with modem and terminal server equipment
- Ability to utilize local dial-in numbers instead of long-distance or 800 numbers, thus significantly reducing long-distance telecommunications costs
- Greater scalability and ease of deployment for new users added to the network
- Restored focus on core corporate business objectives instead of managing and retaining staff to operate the dial network

When implementing a remote access VPN architecture, an important consideration is where to initiate tunneling and encryption: on the dialup client PC or on the network access server (NAS). In a client-initiated model, the encrypted tunnel is established at the client using IPSec, L2TP, or PPTP, thereby making the service provider network solely a means of transport to the corporate network.
An advantage of a client-initiated model is that VPN intelligence resides in the customer premises equipment (CPE), enabling VPN functionality to be delivered over any network infrastructure, including the Internet. Furthermore, in the client-initiated model, the last-mile service provider access network used for dialing to the point of presence (POP) is secured. An additional consideration in the client-initiated model is whether to utilize operating system-embedded multiprotocol security software, such as PPTP, or a more secure supplemental security software package, such as the Cisco Secure VPN Client. While supplemental security software installed on the client offers more robust security, a consideration in this approach is that it entails installing and maintaining tunneling/encryption software on each client accessing the remote access VPN.

In a NAS-initiated scenario, client software issues are eliminated. A remote user dials into a service provider's POP using a Point-to-Point Protocol/Serial Line Internet Protocol (PPP/SLIP) connection and is authenticated by the service provider, which in turn initiates a secure tunnel to the corporate network from the POP using L2TP or L2F; the tunnel is then authenticated by the enterprise. With a NAS-initiated architecture, VPN intelligence resides in the service provider network: there is no end-user client software for the corporation to maintain, thus eliminating the client management issues associated with remote access. The drawbacks, however, are the lack of security on the local access dial network connecting the client to the service provider network and the need to utilize a single service provider end to end, a scenario that eliminates the Internet as a transport network. In a remote access VPN implementation, these security/management trade-offs must be balanced. Fortunately, the flexibility of Cisco VPN solutions enables implementation of the remote access model that best fits deployment requirements. If the NAS-initiated model better suits the deployment environment, Cisco VPN platforms support L2TP and L2F for robust NAS-initiated remote access VPN deployments. For client-based VPN deployments, Cisco offers the IPSec-based Cisco Secure VPN Client, complete with turnkey support for major certificate authority vendors such as Verisign and Entrust. Cisco also supports PPTP clients and 40/128-bit MPPE, enabling remote access VPN deployment utilizing client software resident in Microsoft Windows 95, 98, and NT operating systems. Furthermore, Cisco codeveloped the IPSec software resident in Microsoft Windows 2000, thus ensuring interoperability with Microsoft's next-generation operating system VPN client.
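The enterprise side of the NAS-initiated model described above, as an added example that is not from the original paper: an IOS 12.x-style L2TP network server (LNS) configuration that accepts a tunnel only from a provider NAS that identifies itself by the expected hostname and answers the shared tunnel secret, and then separately authenticates each dialed-in user with PPP CHAP. The hostnames, interface, address pool and secrets are constructed placeholders.

```cisco
! Added example (not from the Cisco paper): enterprise LNS side of a
! NAS-initiated L2TP remote access VPN, IOS 12.x-style syntax.
! All hostnames, addresses and secrets below are constructed placeholders.
!
hostname CORP-LNS
!
aaa new-model
! The dial-in user's PPP session is authenticated against the local database here;
! a production deployment would point this at a RADIUS or TACACS+ server instead.
aaa authentication ppp default local
username alice password REPLACE-WITH-USER-SECRET
!
! Enable VPDN so the router can terminate tunnels forwarded from the
! service provider's NAS (the L2TP access concentrator at the POP).
vpdn enable
!
vpdn-group 1
 ! This group only terminates tunnels; it never initiates them.
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! Tunnels are accepted only from the provider NAS that names itself SP-NAS.
 terminate-from hostname SP-NAS
 local name CORP-LNS
 ! Shared secret for the L2TP tunnel authentication exchange with the NAS.
 ! It protects tunnel setup between the POP and the enterprise only; the dial
 ! leg from the client to the POP stays unprotected, the drawback noted in the text.
 l2tp tunnel password REPLACE-WITH-TUNNEL-SECRET
!
! Every accepted PPP session is cloned from this template.
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool REMOTE-POOL
 ppp authentication chap
!
! Addresses handed to remote users once their PPP session is authenticated.
ip local pool REMOTE-POOL 10.1.200.1 10.1.200.254
```

The two authentication steps are independent: a correct tunnel secret admits the provider's tunnel, but no user traffic flows until the CHAP exchange on the cloned virtual-access interface succeeds.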
Figure 5 NAS- and Client-Initiated Remote Access VPNs (diagram: a client-initiated IPSec/PPTP/L2TP tunnel runs from the client across the VPN cloud (Internet, IP) to the VPN router at the main site; a NAS-initiated L2TP/L2F tunnel runs from the service provider NAS, reached over the PSTN, to the same VPN router)

Intranet VPNs

Intranet VPNs are an alternative WAN infrastructure that can augment or replace private lines or other private WAN infrastructures by utilizing shared network infrastructures provided by service providers. Intranet VPNs are built using the Internet or service provider IP, Frame Relay, or ATM networks. Intranet VPNs built on an IP WAN infrastructure utilize IPSec or GRE to create secure tunnels across the network to carry WAN traffic. When combined with service provider backbone QoS mechanisms, bandwidth management features such as bandwidth allocation and policing, congestion avoidance, and traffic shaping employed on corporate network edge routers ensure efficient use of WAN bandwidth and reliable throughput. The benefits of an intranet VPN follow:

- Reduced WAN bandwidth costs
- Flexible topologies enabled, including fully meshed
- New sites connected easily and quickly
- Increased network uptime by enabling WAN link redundancy across service providers

Figure 6 Intranet VPN (diagram: VPN routers at the main site and at remote sites connected by IPSec/GRE tunnels across the Internet/IP service provider network)

Building an intranet VPN using the Internet is the most cost-effective means of implementing VPN technology. Service levels, however, are generally not guaranteed on the Internet. When implementing an intranet VPN, corporations need to assess which trade-offs they are willing to make between guaranteed service levels, network ubiquity, and transport cost. Enterprises requiring guaranteed throughput levels should consider deploying their VPNs over a service provider's end-to-end IP network, or, potentially, Frame Relay or ATM.

Table 1 Comparison of Network Transport Infrastructures

| Characteristic | Frame Relay | Internet | IP-VPN |
| --- | --- | --- | --- |
| Ubiquity | Low | High | Moderate |
| Cost | Moderate | Low | Moderate |
| Inherent Security | High | Low | High |
| Performance | High | Low-moderate | High |
| Guaranteed Service Levels | Yes | No | Yes |

Extranets

Extending connectivity to corporate partners and suppliers is expensive and burdensome in a private network environment. Expensive dedicated connections must be extended to the partner, management and network access policies must be negotiated and maintained, and often compatible equipment must be installed at the partner's site. When dial access is employed, the situation is equally complicated because separate dial domains must be established and managed. Because of the complexity, many corporations do not extend connectivity to their partners, resulting in complicated business procedures and reduced effectiveness of their business relationships.

One of the primary benefits of a VPN WAN architecture is the ease of extranet deployment and management. Extranet connectivity is deployed using the same architecture and protocols utilized in implementing intranet and remote access VPNs. The primary difference is the access permission extranet users are granted once connected to their partner's network. The router-based Cisco IOS Firewall and the PIX Firewall provide access control based on protocol, time of day, and many other criteria for advanced extranet security.

Figure 7 Extranet VPN (diagram: a business partner's VPN router reaches the main site over IPSec/GRE tunnels across the Internet/IP service provider network, while a dial-up business partner reaches it over the PSTN through a NAS and an L2TP/L2F tunnel)

Choosing a Service Provider Partner

With any VPN implementation scenario, service providers become partners in the solution. The performance of a VPN relies not only on the networking equipment chosen, but also on the service providers providing the WAN bandwidth and dialup facilities for remote access. As such, service providers used for VPN implementation should be chosen carefully. Service providers offer various levels of VPN services, from basic connectivity to completely outsourced solutions. Decisions regarding which aspects of the VPN will be managed in house or by the service provider should be reviewed in depth when choosing service providers. Ultimately, the service providers chosen are partners in the VPN implementation. Consequently, a strong working relationship and established expectations should be guiding factors in the overall decision process. Numerous Cisco Powered Network providers offer VPN services. To locate a Cisco Powered Network provider, refer to http://www.cisco.com/warp/customer/779/servpro/cpn/.

Implementing a VPN

Once enterprise network requirements have been analyzed for security, bandwidth management, manageability, scalability, and migration considerations, as previously outlined, the final consideration is how to implement the VPN.
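How the intranet and extranet architectures above come together on one main-site VPN router, as an added example that is not from the original paper: an IOS 12.x-style configuration with an IPSec-protected GRE tunnel to a remote office and a second, identically built tunnel to a business partner whose traffic is then restricted by protocol and time of day, which is the permission difference the Extranets section describes. All addresses (RFC 5737 documentation ranges), interface names, ACL names and pre-shared keys are constructed placeholders.

```cisco
! Added example (not from the Cisco paper): main-site VPN router carrying an
! IPSec-protected GRE intranet tunnel and a time-bounded extranet tunnel.
! IOS 12.x-style syntax; all addresses, names and keys are constructed placeholders.
!
! --- IKE (ISAKMP) phase 1: 3DES, SHA-1, pre-shared keys, DH group 2 ---
! The paper's Cisco CA support (Verisign, Entrust) would replace pre-shared keys
! at scale; keys are shown here to keep the example self-contained.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-REMOTE-OFFICE-KEY address 203.0.113.2
crypto isakmp key REPLACE-WITH-PARTNER-KEY address 198.51.100.2
!
! --- IPSec phase 2: ESP with 3DES confidentiality and SHA-1 integrity ---
! Transport mode is enough because GRE already supplies the outer IP header.
crypto ipsec transform-set VPN-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
! Only GRE between the tunnel endpoints is selected for encryption, so nothing
! leaves the WAN interface toward either peer in the clear.
ip access-list extended GRE-TO-REMOTE
 permit gre host 203.0.113.1 host 203.0.113.2
ip access-list extended GRE-TO-PARTNER
 permit gre host 203.0.113.1 host 198.51.100.2
!
crypto map SITE-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-3DES-SHA
 match address GRE-TO-REMOTE
crypto map SITE-VPN 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-3DES-SHA
 match address GRE-TO-PARTNER
!
! --- Intranet: GRE tunnel to the remote office (WAN traffic and routing updates) ---
interface Tunnel0
 description GRE/IPSec tunnel to remote office
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 crypto map SITE-VPN
!
! --- Extranet: same tunnel technology, narrower permissions ---
! The partner may reach one application server over HTTPS, and only in
! business hours; everything else arriving through the tunnel is dropped and logged.
time-range PARTNER-HOURS
 periodic weekdays 8:00 to 18:00
!
ip access-list extended PARTNER-IN
 permit tcp 172.16.50.0 0.0.0.255 host 10.1.10.20 eq 443 time-range PARTNER-HOURS
 deny ip any any log
!
interface Tunnel1
 description GRE/IPSec tunnel to business partner
 ip address 10.255.0.5 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.2
 ip access-group PARTNER-IN in
 crypto map SITE-VPN
!
! WAN interface facing the service provider IP network or the Internet.
! IOS releases before 12.2(13)T need the crypto map on the physical interface
! as well as on each tunnel interface.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map SITE-VPN
!
! The remote-office LAN is reachable only through the protected tunnel.
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

Note that the partner tunnel is encrypted exactly like the intranet tunnel; the extranet policy lives entirely in PARTNER-IN, so widening or narrowing partner access never touches the crypto configuration.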
VPN Equipment Infrastructure

VPN solutions can be built using multiple devices (routers, firewalls, and bandwidth managers), or they can be implemented on an integrated VPN router that provides on-board firewall and bandwidth management capabilities. Integrating all VPN functions on a router reduces network complexity and the total cost of ownership of the VPN solution. Cisco VPN solutions, however, provide an open implementation architecture accommodating VPN routers for integrated device architectures, as well as high-performance VPN appliances, such as the PIX Firewall, used in multiple-device VPN architectures. Ultimately, the overall network architecture, protocol, and connectivity requirements of the enterprise drive the VPN architecture. Cisco accommodates the most diverse VPN architectures by providing full interoperability among its VPN routers and VPN firewall appliances, thus delivering a VPN deployment flexibility unparalleled in the VPN device market. Table 2 outlines features of Cisco router and firewall VPN solutions.

Table 2 Cisco VPN Equipment Infrastructure Comparison

| Capability | Cisco VPN-Optimized Routers | PIX Firewall |
| --- | --- | --- |
| VPN Application | Integrated VPN services with full routing | VPN services for behind WAN edge routers |
| IPSec | Yes | Yes |
| L2TP, GRE, and L2F | Yes | Provided by WAN edge router |
| PPTP/MPPE | Cisco 7100 and 7200 | Provided by Cisco 7xxx WAN edge router |
| Hardware Encryption Acceleration | Cisco 7100 and 7200; Cisco 1700 in Q1 00 | Q1 00 |
| Routing | Full Layer 3 routing | Provided by WAN edge router |
| WAN Interfaces | Optional | Provided by WAN edge router |
| Multiprotocol Support for VPNs | Yes | No |
| Stateful Firewall | Yes | Yes |
| QoS | Yes | Provided by WAN edge router or upstream campus switches/routers |
| Intrusion Detection | Yes | Provided by separate NetSonar appliance |
| Service-Level Validation | Yes | Provided by WAN edge router |
| Certificate Authority Support | Verisign and Entrust | Verisign and Entrust |

VPN Routing Solutions

For integrated VPN solutions, Cisco offers a suite of VPN-enabled and VPN-optimized routers spanning the range of VPN applications from telecommuter to branch office and headquarters. VPN-enabled routers, such as the Cisco 1000, 1600, 2500, 4000, 4500, and 4700 series, are appropriate for VPNs with moderate encryption and tunneling requirements. VPN-enabled routers provide VPN services entirely through Cisco IOS software features. To address more scalable security requirements, as well as VPN-centric WAN topologies, Cisco also offers a portfolio of VPN-optimized and integrated VPN routers.
VPN-optimized and integrated VPN routers are designed to meet the higher encryption and tunneling requirements of more demanding VPN deployments by offering hardware extensibility for high-speed encryption performance and optimized WAN interface configurations for VPN-centric WANs. The Cisco VPN-optimized and integrated VPN router portfolio consists of the Cisco 800, 1700, 2600, 3600, 7100, 7200, and 7500 series routers. The breadth of Cisco VPN routing solutions also provides integrated solutions for cable- and DSL-based VPNs with the Cisco UBr900 and the Cisco 1400 series routers.

Figure 8 Cisco VPN-Optimized and Integrated VPN Router Portfolio (diagram: Regional and Headquarters: Cisco 7100, 7200, 7500; Medium Branch and Small Regional: Cisco 2600, 3600; Small Branch: Cisco 1700; Broadband Telecommuter/Small Office: Cisco 800 (ISDN), Cisco uBR900 (Cable), Cisco 1400 (DSL))

Solutions for Telecommuters and Small Offices: The Cisco 800, UBr900, and 1400 Series

The Cisco 800 series routers provide secure ISDN access to the Internet and the corporate LAN. By incorporating Cisco IOS features including IPSec, L2TP, GRE, and the Cisco IOS Firewall Feature Set, the Cisco 800 extends VPN applications to telecommuters and very small offices (typically 6 to 19 employees). The Cisco 800 series includes four router models and a choice of software feature sets.

The Cisco UBr900 and 1400 series, with support for IPSec, L2TP, and the Cisco IOS Firewall feature set, provide integrated VPN solutions for cable- and DSL-based VPNs, thus enabling broadband access for high-bandwidth telecommuting environments and remote-office connectivity. The Cisco UBr900 cable access router is a fully integrated Cisco IOS router and Data-over-Cable Service Interface Specification (DOCSIS) 1.1 standards-based cable modem, thus ensuring interoperability with cable networks and other Cisco IOS devices. The Cisco 1400 series provides high-performance connectivity from Ethernet to ATM cell-based DSL WAN infrastructures with support for multiple DSL standards.

Solutions for Small Branch Offices: The Cisco 1700 Series

The Cisco 1700 access router is a modular solution that provides all the necessary components required to build an integrated VPN solution on one platform. Powered by a RISC processor, the Cisco 1700 is optimized to support VPN applications with full Cisco IOS software support for encryption, tunneling (L2F, L2TP, IPSec, and GRE), QoS, Cisco IOS Firewall, and an option for hardware-assisted encryption and compression.
This all-in-one VPN solution minimizes setup costs and reduces the deployment and management burden of VPNs in small branch offices and small and medium-sized business environments. The Cisco 1700 series features one autosensing 10/100 Fast Ethernet port, up to three modular voice or WAN interface card slots, and one auxiliary (AUX) port. The Cisco 1700 offers WAN service flexibility and investment protection by supporting any of the WAN interface cards available for the Cisco 1600, 2600, and 3600 platforms, including ISDN, serial, and integrated data service unit/channel service unit (DSU/CSU) cards.

Solutions for Medium-Sized Branches and Small Regional Offices: The Cisco 2600 and 3600 Series

The Cisco 2600 and 3600 are effectively one extended family of products since they share so many of the same network modules (NMs) and WAN interface cards. With their modular design, the Cisco 2600 and 3600 deliver the flexibility benefits of VPNs. Their support for a wide range of serial, channelized, ISDN, and modem interfaces allows them to support robust intranet, extranet, and remote access VPNs. For medium-sized branch offices with a single NM slot, the Cisco 2600 is an ideal platform for VPNs because its RISC processor provides the power to run the robust Cisco IOS security, tunneling, and QoS features that make these virtual networks private. Sized for large branch offices and small regional offices, the Cisco 3600 series offers higher-performance RISC processors and higher density.

In addition to IPSec, GRE, L2F, and L2TP, the Cisco 2600 and 3600 series support the Cisco IOS Firewall with its stateful packet filtering and in H1 00 will offer optional encryption hardware modules. The Cisco 2600 module will utilize the internal advanced integration module (AIM) slot, while the Cisco 3600 will utilize an NM or AIM. With packetized voice modules, the Cisco 2600 and 3600 series are already enabled for the expansion of VPNs from data to multiservice. This integration capability is but one example of how the Cisco 2600 and 3600 series can simplify system management and reduce life-cycle costs in branch offices by limiting the number of boxes that constitute the network infrastructure of a branch office. The investment protection of the modular design of the Cisco 2600 and 3600 extends to other platforms because they share WAN interface cards with the Cisco 1600 and 1700.

Solutions for Regional Offices and Headquarters: The Cisco 7100, 7200, and 7500

Cisco 7100, 7200, and 7500 series routers integrate high-speed, industry-leading routing with comprehensive VPN services, such as tunneling, data encryption, security, advanced bandwidth management, and service-level validation. These services provide secure, scalable VPN platforms to better and more cost-effectively accommodate remote-access, remote-office, and extranet connectivity using public data services. Cisco 7200 and 7500 series routers, through their high port density and robust services delivery, provide scalable VPN solutions while also accommodating the extensive private WAN aggregation requirements pervasive in classic WAN environments. The Cisco 7100 series VPN router augments the VPN solutions provided by the Cisco 7200 and 7500 series, providing a scalable VPN platform designed specifically for networks that have minimal private WAN requirements. As members of the Cisco 7000 family of routers, the Cisco 7100, 7200, and 7500 share interface cards, known as port adapters, thus simplifying sparing.
Cisco 7100, 7200, and 7500 series routers deliver tunneling and encryption services suitable for site-to-site intranet, extranet, or remote access applications. Each of these platforms supports IPSec, L2TP, L2F, and GRE for tunneling and encryption to secure data over the public network infrastructure. The Cisco 7100 and 7200 also support PPTP and MPPE. As scalability requirements increase, an optional integrated services adapter (ISA) can be installed on the Cisco 7200 to provide IPSec or MPPE encryption acceleration and tunnel scalability. IPSec or MPPE encryption acceleration and tunnel scalability are delivered on the Cisco 7100 by utilizing the integrated services module (ISM). For perimeter security applications, the Cisco 7100 and 7200 series also support the Cisco IOS Firewall feature set, enabling stateful packet filtering on the routing infrastructure.

VPN Firewall Appliance Solutions

Firewalls have traditionally provided perimeter security by maintaining stateful control of connections between connected network segments. With the advent of VPNs, customers are looking to expand firewall functionality to provide VPN services in addition to access control. Utilizing IPSec software on the Cisco PIX Firewall, enterprises can support secure VPNs between multiple endpoints, including client-initiated remote access VPNs from Windows PCs using Cisco Secure VPN Client software, Cisco routers, other PIX Firewalls, or other standards-compliant IPSec devices. For VPN deployment, the PIX Firewall supports DES and 3DES encryption, as well as certificate authority support for Verisign and Entrust. In Q1 00, Cisco will deliver IPSec hardware acceleration for the PIX Firewall, delivering scalability for branch-office and headend VPN environments.

Figure 9 PIX Firewall VPN Portfolio (diagram: Regional and Headquarters Solutions: PIX 520-DC, PIX 520; Branch Solutions: PIX 515-UR, PIX 515-R)

WAN Transport Options

Cisco VPNs take an open approach to the WAN protocols used to implement the VPN. Enterprises can deploy VPNs utilizing the public Internet, or service provider IP, Frame Relay, or ATM networks. Layer 2 and Layer 3 networks each offer certain advantages. Layer 3 IP-based VPNs reduce network complexity by eliminating permanent virtual circuits (PVCs) from the WAN. Instead of managing a port and multiple PVCs between locations, enterprises can deploy a single port to the IP cloud and attain meshed connectivity among locations on the enterprise WAN. A VPN network cost study conducted by Data Communications magazine indicated that utilizing an Internet-based VPN could save users more than 50 percent in connectivity costs over a comparable Frame Relay design. Today, however, Layer 2 VPNs offer enterprises static, private routes through the network, resulting in more deterministic traffic patterns than in IP networks. This distinction will diminish over time as Cisco continues developing policy-based routing for IP networks.

Summary of Features and Benefits of Cisco VPN Platforms

VPNs make sense from a business and technology perspective. VPNs enable businesses to refocus their energies on core business objectives instead of networking needs, while reducing operations and bandwidth costs. Furthermore, VPNs are not an all-or-nothing network decision. VPNs can be phased into existing private network architectures, offering a flexible migration path for the evolution of private networks. VPN solutions must offer strong security features such as 3DES and MPPE encryption, scalable tunneling, and packet authentication, as well as transport reliability mechanisms such as bandwidth allocation and policing, congestion avoidance, and traffic shaping. VPN solutions must also be interoperable with the existing network infrastructure.
Unless each of these features is included in the VPN implementation, the VPN is subject to security and transport reliability issues. The Cisco VPN solution offers an exhaustive feature set to address any security and reliability issues associated with VPN implementations. In summary, Cisco VPN solutions offer the features and benefits outlined in Table 3.

Table 3 Features and Benefits

| Feature | Function | Benefit |
| --- | --- | --- |
| Cisco IOS | VPN devices run on Cisco IOS software. | Ensures interoperability with all Cisco products; leverages existing hardware infrastructure in deploying VPN solutions |
| Integrated Solution | This feature unites every aspect of the enterprise data network: intranet, extranet, and dial access. | Reduces network complexity by creating a common platform for enterprise networking |
| Open Architecture | Cisco VPNs utilize Layer 2 and Layer 3 WAN facilities. | Enables enterprises to choose a WAN transport that best fits their needs |
| Robust Security Features: Tunneling, Encryption, Packet/User Authentication, Firewall | This function enables enterprises to securely utilize service provider Layer 2 and Layer 3 backbones or the public Internet for WAN bandwidth and dial access. | Reduces bandwidth, management, and capital costs; enables enterprises to focus on core business instead of managing a data network |
| Flexible, All-Encompassing Bandwidth Management/QoS | This feature manages network traffic based on priority and traffic patterns. | Better manages expensive WAN bandwidth; provides reliable throughput on Layer 2 and Layer 3 shared backbones |
| Integrates Single-Purpose Applications | This feature integrates firewall and bandwidth management on the router. | Reduces network complexity; lowers TCO |
| Enterprise Network Management | Integrated set of network management tools for configuring and monitoring the VPN. | Ensures manageability across the enterprise VPN |
| Standards-Based Solution | This solution offers support for the following: IPSec, L2TP, GRE, DES, 3DES. | Integrates with existing network infrastructure; ensures a logical technology migration path |
| Open Implementation Architecture | Cisco VPNs can be implemented in software or hardware. | No forklift upgrades required; preserves investment in networking gear |
| Strong Relationships with Service Providers | Cisco provides 80% of the networking equipment used on the Internet. | High degree of feature integration across service provider WAN infrastructures |

Additional Information and Supporting Documents

Please refer to the following documents for detailed information on VPN-enabling technologies, protocols, and products:

Cisco Enterprise VPN Solutions
- http://www.cisco.com/warp/customer/cc/so/neso/vpn/vpne/index.shtml

Cisco VPN-Optimized Routers
- Cisco 800 series: http://www.cisco.com/warp/customer/cc/pd/rt/800/index.shtml
- Cisco UBr 900 series Cable Access Router: http://www.cisco.com/warp/customer/cc/pd/rt/900/index.shtml
- Cisco 1400 series DSL router: http://www.cisco.com/warp/customer/cc/pd/rt/1400/index.shtml
- Cisco 1700 VPN access router: http://www.cisco.com/warp/customer/cc/pd/rt/1700/index.shtml
- Cisco 2600 series: http://www.cisco.com/warp/customer/cc/pd/rt/2600/index.shtml
- Cisco 3600 series: http://www.cisco.com/warp/customer/cc/pd/rt/3600/index.shtml
- Cisco 7100 series VPN router: http://www.cisco.com/warp/customer/cc/pd/rt/7100/index.shtml
- Cisco 7200 series: http://www.cisco.com/warp/customer/cc/pd/rt/7200/index.shtml
- Cisco 7500 series: http://www.cisco.com/warp/customer/cc/pd/rt/7500/index.shtml

Cisco Tunneling and Encryption
- IPSec: http://www.cisco.com/warp/customer/cc/techno/protocol/ipsecur/ipsec/tech/ipsec_wp.htm
- L2TP: http://www.cisco.com/warp/customer/cc/pd/iosw/prodlit/l2tun_ds.htm
- L2F: http://www.cisco.com/warp/customer/732/l2f/index.html

Cisco Secure VPN Client Software
- http://www.cisco.com/warp/public/cc/pd/sqsw/vpncl/index.shtml

Cisco Bandwidth Management/QoS Features
- http://www.cisco.com/warp/customer/732/net_enabled/qos.html

Cisco NetRanger
- http://www.cisco.com/warp/customer/cc/pd/sqsw/sqidsz/index.shtml

Cisco NetSonar
- http://www.cisco.com/warp/customer/cc/pd/sqsw/nesn/index.shtml

Cisco IOS Firewall
- http://www.cisco.com/warp/customer/cc/pd/iosw/ioft/iofwft/index.shtml

Cisco PIX Firewall
- http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/index.shtml

Cisco Powered Network Service Providers
- http://www.cisco.com/warp/customer/779/servpro/cpn/

Copyright 1999 Cisco Systems, Inc. All rights reserved. Printed in the USA.
(9910R) 11/99 LW