305 1112_06F9_c2
Introduction to Virtual Private Networks
Session 305
© 1999, Cisco Systems, Inc.
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
Agenda
• Scope of this session
• Intro and history of VPNs
• VPN technology building blocks
• Basic VPN architectures
• Next generation VPN solutions
Scope of this Session
• Provide a basic understanding of the component technologies relevant to VPNs
• Show how these technologies fit together to provide today’s VPN solutions
• Speculate on some of the VPN advances that may come along in the near future
• For further info attend Dave Phillip’s Level 2 Deploying VPN Solutions (Session 313)
What Is a VPN Service?
A “VPN service” is a service which offers secure, reliable connectivity over a shared public network infrastructure such as the Internet. Because the infrastructure is “shared”, connectivity can be provided at lower cost than existing dedicated private networks.
A VPN Analogy!
Traditional VPNs

[Diagram: enterprise site with AAA server and DMZ (web servers, DNS server, SMTP mail relay) connected through a Frame Relay service provider to a regional office (T1) and remote offices (128 K, 64 K, 56 K); a GRE tunnel carries traffic across an IP network]
What’s Driving VPN Offerings
• Reduced networking costs
• Increased network flexibility
VPN Building Blocks
• Tunneling
• Security
• QoS
• Management
• Provisioning
Tunneling Types
• Layer 2 / Layer 3
• Compulsory or voluntary
Layer 2 vs. Layer 3 Tunneling

Tunneling comparison:

Layer 3
• IP centric
• Less integrated solutions
• Solutions still in definition stage

Layer 2
• Center on PPP
• Multiprotocol
• Integrated with existing access technologies
Generic Routing Encapsulation (GRE)

[Diagram: GRE tunnel across an IP network]

Encapsulation layers:
• Passenger protocol: the original network packet
• Carrier protocol: GRE
• Transport protocol: IP
Compulsory Tunnel Model

[Diagram: client → LAC → LNS; the LAC already receives VPDN data inside PPP, and the LNS receives the VPDN data]
• Client software wraps data in the tunneling protocol, then in the transport protocol
• Transparent to the LAC
Voluntary Tunnel Model

[Diagram: client → LAC → LNS; the LAC receives plain PPP data and forwards VPDN data to the LNS]
• Generic PPP-encapsulated data from any standard client
PPP Tunneling
• L2TP
• PPTP
• PPPoE
L2TP

[Diagram: LAC to LNS tunnel]
• L2TP is an IETF draft moving towards standards status
• Mostly used in voluntary mode
• Some third-party clients available
Microsoft Point-to-Point Tunneling Protocol

[Diagram: LAC to LNS tunnel]
• An informational RFC
• Primarily used in compulsory mode
• Widely available clients: Win95, Win98, NT, third parties
PPP over Ethernet

[Diagram: Host 1 and Host 2 run PPPoE client software on the home LAN; the DSL CPE runs RFC 1483 bridge mode over an ATM PVC to the DSLAM and LAC; PPP sessions terminate on virtual interfaces (VI) at the ISP or corporate LAC, where PPP tunneling, routing, etc. take place]

Key benefits:
• Leverages existing Ethernet-based infrastructure
• Preservation of dial model: PPP session-based communication
• Allows multiple PPP sessions to be initiated within the home LAN
• Enables destination selection
• DSL modem independent (must run RFC 1483 bridging)
• Informational RFC
• Primarily used in xDSL environments
VPN Security
• IPSec
• MPPE
IPSec Transport Mode

[Diagram: Router LEFT and Router RIGHT across an IP network]
Original packet: IP HDR | Data
Transport mode: IP HDR | IPSec HDR | Data (data may be encrypted)
IPSec Tunnel Mode

[Diagram: Router LEFT at service provider 1 and Router RIGHT at service provider 2]
Original packet: IP HDR | Data
Tunnel mode: New IP HDR | IPSec HDR | IP HDR | Data (original IP HDR and data may be encrypted)
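As an added illustration that is not part of the Cisco deck, the following Python builds the three encapsulations shown on the GRE, IPSec transport mode and IPSec tunnel mode slides and reports what a device in the shared network can read from each without any keys. The sample packet and the addresses (documentation ranges) are constructed here; the function names are this example's own; ESP's encryption, trailer and integrity check value are deliberately left out so that only the header layering is shown. The point for a defender: in transport mode the original endpoints stay visible on the wire, while in tunnel mode only the gateway addresses are exposed, which is also what a network monitor in the provider cloud will and will not be able to see.

```python
import socket
import struct

# IANA-assigned IPv4 protocol numbers and the GRE protocol-type value for IPv4 (real values).
IPPROTO_TCP = 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a header whose checksum
    field is already correct sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, don't-fragment set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Fields of the outermost IPv4 header (readable by anyone on the path)
    plus the bytes that follow it."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def observer_view(wire: bytes) -> dict:
    """Addresses and protocol an on-path observer sees without any keys."""
    outer = parse_ipv4(wire)
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"]}


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """GRE tunnel: transport protocol = IP (outer header with the tunnel endpoints),
    carrier protocol = GRE (RFC 2784 4-byte header: flags/version 0, protocol type),
    passenger protocol = the original IPv4 packet."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre_hdr) + len(passenger))
    return outer + gre_hdr + passenger


def gre_decapsulate(wire: bytes) -> bytes:
    """Strip the transport and carrier headers at the tunnel endpoint; reject anything
    that is not plain version-0 GRE carrying IPv4."""
    outer = parse_ipv4(wire)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags_ver, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto_type)
    offset = 8 if flags_ver & 0x8000 else 4   # checksum bit set -> 4 more header bytes
    return outer["payload"][offset:]


def esp_header(spi: int, seq: int) -> bytes:
    """Cleartext part of an ESP header: SPI and sequence number (8 bytes)."""
    return struct.pack("!II", spi, seq)


def ipsec_transport_mode(packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the original IP header stays on the wire (protocol rewritten to
    ESP, length and checksum updated); the IPSec header is inserted before the data.
    Encryption of the data and the ESP trailer/ICV are omitted in this illustration."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    payload = esp_header(spi, seq) + packet[ihl:]
    struct.pack_into("!H", hdr, 2, ihl + len(payload))
    hdr[9] = IPPROTO_ESP
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def ipsec_tunnel_mode(packet: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: a new IP header with the gateway addresses is prepended; the whole
    original packet, its IP header included, sits behind the IPSec header."""
    payload = esp_header(spi, seq) + packet
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(payload)) + payload


if __name__ == "__main__":
    # Constructed sample: a packet from a host behind Router LEFT to a host behind Router RIGHT.
    inner = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, 4) + b"DATA"
    print("GRE      ", observer_view(gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")))
    print("transport", observer_view(ipsec_transport_mode(inner, 0x1000, 1)))
    print("tunnel   ", observer_view(ipsec_tunnel_mode(inner, 0x1000, 1, "192.0.2.1", "198.51.100.1")))
```

Running the block prints the outer addresses for each case: GRE and tunnel-mode ESP show only the tunnel or gateway endpoints (protocol 47 and 50 respectively), whereas transport-mode ESP still shows the private 10.x source and destination.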
IPSec VPN Client Operation

[Diagram: remote user with IPSec client → public network → home gateway router → home network; certificate authority / AAA server behind the gateway]
Steps shown:
• Dial access to corporate network
• IKE negotiation: exchange X.509 certificate or one-time password
• Authentication approved
• Secure tunnel established
• Encrypted data flows
Microsoft Point-to-Point Encryption

[Diagram: PPTP tunnel to LNS]
• RC4 encryption of PPP packets
• Used almost exclusively with PPTP
• Informational RFC 2118
VPNs and Quality of Service
• Optimize use of the WAN link
• Guarantee bandwidth for mission-critical applications
• Take advantage of differentiated services offered by the ISP
VPNs and Quality of Service

[Diagram: PBX voice and data traffic entering a tunnel toward an enterprise with AAA and CA; traffic classes Voice, Premium IP and Best Effort]
• Classification
• Policing: CAR (conforming traffic)
• Congestion avoidance: WRED
• Tunnel layer: L2TP, IPSec, GRE
Management and Provisioning
• Generic configuration
• AAA
• Policy management
• Certificate authorities
Architectures
So, How Does It All Go Together?
VPN Architectures
[Diagram: Cisco IOS®]
VPN Architectures and Applications

Type: Access VPN
  Application: Remote connectivity
  Alternative to: Dedicated dial, ISDN
  Benefits: Ubiquitous access, lower cost

Type: Intranet VPN
  Application: Internal corporate connectivity
  Alternative to: Leased lines
  Benefits: Extend connectivity, lower cost

Type: Extranet VPN
  Application: Business-to-business external connectivity
  Alternative to: Fax, mail, EDI
  Benefits: Facilitates e-commerce
Access VPNs
Compulsory or Voluntary Tunneling Solutions
Potential Operations and Infrastructure Cost Savings

[Diagram: Service Provider A connecting a small office and a mobile user or corporate telecommuter to the enterprise AAA, CA and DMZ (web servers, DNS server, SMTP mail relay)]
Ubiquitous access:
• Modem, ISDN
• xDSL, cable
The Intranet VPN
Extends the Corporate IP Network across a Shared WAN
Potential Operations and Infrastructure Cost Savings

[Diagram: remote office and regional office connected through Service Provider A to the enterprise AAA, CA and DMZ (web servers, DNS server, SMTP mail relay)]
The Extranet VPN
Extends Connectivity to Business Partners, Suppliers and Customers
Security Policy Very Important

[Diagram: supplier and business partner connected through Service Provider A and Service Provider B to the enterprise AAA, CA and DMZ (web servers, DNS server, SMTP mail relay)]
The Complete VPN

[Diagram: supplier, business partner, remote office, regional office, small office, and mobile user or corporate telecommuter connected through Service Provider A and Service Provider B to the enterprise AAA, CA and DMZ (web servers, DNS server, SMTP mail relay)]
Deployment Alternatives

Service provider focused
• Service provider: supplies the majority of the VPN solution (equipment, service, training, help desk)
• Enterprise: manages security services

Collaborative
• Service provider: supplies hardware, QoS to bandwidth offering
• Enterprise: application and configuration management, help desk support

Enterprise focused
• Service provider: supplies basic network access
• Enterprise: supplies VPN equipment, manages network
Next Generation VPNs
• Multiservice VPNs
• MPLS VPNs
“Next generation networks must allow the corporation to thrive on change…” (The Burton Group)
Multiservice VPNs
[Diagram: sites in Tokyo, London, Australia and Brazil connected over the Internet, carrying a live audio/video feed and stored video]
Multiservice VPNs
[Diagram: PBX, remote offices, regional office, and mobile user or corporate telecommuter connected through Service Provider A to the enterprise AAA, CA and DMZ (web servers, DNS server, SMTP mail relay)]
MPLS VPNs

[Diagram: MPLS network carrying Corporate A MPLS VPN (Corp A sites 1, 2, 3) and Corporate B MPLS VPN (Corp B sites 1, 2, 3)]
• VPN membership based on interface and unique RD
• Traffic separation by interface
• Scalable
• IETF standards based
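Added example, not Cisco code: a small model of a provider-edge router that ties VPN membership to the ingress interface and keys its shared VPNv4 table by route distinguisher, so that Corp A and Corp B can both use the same private address space without their routes colliding, and a packet arriving on Corp A's interface can never be forwarded to a Corp B destination. The class name, interface names and next-hop labels are this example's own assumptions; the RD layout follows the type-0 (ASN:number) format of RFC 2547.

```python
import ipaddress
import struct


def route_distinguisher(asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher: 2-byte type (0), 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


class PeRouter:
    """Provider-edge router with one routing table (VRF) per customer VPN.
    Membership is decided by the interface a packet arrives on, never by its addresses."""

    def __init__(self):
        self.vrfs = {}         # vrf name -> {"rd": bytes, "routes": {network: next_hop}}
        self.interfaces = {}   # interface name -> vrf name
        self.vpnv4 = {}        # (rd, network) -> next_hop: the RD keeps overlapping prefixes unique

    def add_vrf(self, name: str, asn: int, assigned: int) -> None:
        self.vrfs[name] = {"rd": route_distinguisher(asn, assigned), "routes": {}}

    def bind_interface(self, ifname: str, vrf: str) -> None:
        if vrf not in self.vrfs:
            raise KeyError("unknown VRF %s" % vrf)
        self.interfaces[ifname] = vrf

    def add_route(self, vrf: str, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix)
        self.vrfs[vrf]["routes"][net] = next_hop
        # Same prefix from another customer gets a different RD, hence a different key.
        self.vpnv4[(self.vrfs[vrf]["rd"], net)] = next_hop

    def lookup(self, ingress_if: str, dst: str):
        """Longest-prefix match inside the VRF of the ingress interface only;
        routes of other customers are simply not consulted."""
        vrf = self.interfaces.get(ingress_if)
        if vrf is None:
            return None
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.vrfs[vrf]["routes"].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

    def overlapping_prefixes(self):
        """Prefixes present under more than one RD (constructed diagnostic)."""
        seen = {}
        for rd, net in self.vpnv4:
            seen.setdefault(net, set()).add(rd)
        return sorted(str(n) for n, rds in seen.items() if len(rds) > 1)


def build_sample_pe() -> PeRouter:
    """Constructed sample: two customers that both number their sites from 10.1.0.0/16."""
    pe = PeRouter()
    pe.add_vrf("CorpA", 65000, 1)
    pe.add_vrf("CorpB", 65000, 2)
    pe.bind_interface("Serial0/0", "CorpA")   # Corp A site 1 attaches here
    pe.bind_interface("Serial0/1", "CorpB")   # Corp B site 1 attaches here
    pe.add_route("CorpA", "10.1.0.0/16", "pe-east")    # Corp A site 2
    pe.add_route("CorpA", "10.2.0.0/16", "pe-south")   # Corp A site 3
    pe.add_route("CorpB", "10.1.0.0/16", "pe-west")    # Corp B site 2, same prefix as Corp A
    return pe


if __name__ == "__main__":
    pe = build_sample_pe()
    print("from Corp A to 10.1.5.5 ->", pe.lookup("Serial0/0", "10.1.5.5"))
    print("from Corp B to 10.1.5.5 ->", pe.lookup("Serial0/1", "10.1.5.5"))
    print("from Corp B to 10.2.1.1 ->", pe.lookup("Serial0/1", "10.2.1.1"))
    print("prefixes shared across VPNs:", pe.overlapping_prefixes())
```

The same destination address resolves to a different next hop depending on which customer interface the packet entered on, and a destination that only exists in the other customer's VRF is unreachable rather than leaking across.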
Summary
[Diagram: QoS, Security, Mgmt., Platforms, Services, Core]
• Scalability
• Standards based
• Future flexibility
Other Useful Information
Cisco VPN Solutions: http://www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/ and http://www.cisco.com/warp/public/779/servpro/solutions/vpn/
L2TP: http://search.ietf.org/internet-drafts/draft-ietf-pppext-l2tp-15.txt
IPSec: http://www.cisco.com/warp/public/cc/cisco/mkt/security/encryp/tech/ipsec_wp.htm
PPTP: http://search.ietf.org/internet-drafts/draft-ietf-pppext-pptp-10.txt
MPPE: http://search.ietf.org/internet-drafts/draft-ietf-pppext-mppe-03.txt
Q&A

Thank You

Please Complete Your Evaluation Form (Session 305)