A VPN Primer, ITC, February 3, 2000 (© 1998, Cisco Systems, Inc.)

Cisco VPN Primer




Market Forces for VPN

• Proliferation of the Network Economy is changing how companies conduct business

• Remote users, telecommuters, road-warriors, and external business partners require access to networked computing resources

• Extending the network with a classic Wide Area Network (WAN) is not easily accomplished to meet these requirements

• Many are considering VPNs to complement existing WAN infrastructures

• The proliferation of the networked economy has spawned fundamental changes in how corporations conduct business. Corporate staff is no longer defined by where they do their jobs as much as how well they perform their job functions. Competitive pressures in many industries have spawned alliances and partnerships among enterprises, requiring separate corporations to act and function as one when facing customers. While such developments have increased productivity and profitability for many corporations, they have also created new demands on the corporate network. A network focused solely on connecting fixed corporate sites is no longer feasible for many companies. Remote users, such as telecommuters or road warriors, and external business partners now require access to enterprise computing resources. Extending the enterprise network to accommodate these users is not easily accomplished with a classic wide-area network (WAN) or an enterprise-owned wide-area switching infrastructure. Consequently, many enterprises are considering virtual private networks (VPNs) to complement their existing classic WAN infrastructures.


Market Potential

• Gartner Group, by 2003 nearly 100% of enterprise accounts will supplement their WAN with VPNs

• Motivation? VPNs can meet diverse connectivity needs; VPNs are less expensive to operate in terms of management, bandwidth, and capital; payback in months instead of years

• According to the Gartner Group, a networking research and consulting firm, by 2003 nearly 100 percent of enterprises will supplement their WAN infrastructures with VPNs. From a network architecture perspective, the motivation for this is manifest—a VPN can better meet today’s diverse connectivity needs. The advantages of a VPN, however, are also visible at the bottom line. VPNs are less expensive to operate than private networks from a management, bandwidth, and capital perspective. Consequently, the payback period for VPN equipment is generally measured in months instead of years. Perhaps the most important benefit of all, however, is that VPNs enable enterprises to focus on their core business objectives instead of running the corporate network.


VPN Market Opportunity

[Chart: VPN Services Revenue, service provider revenue ($M, worldwide), 1998 through 2002, scale $0 to $16,000; series: IP VPNs, Managed Router Services, Frame Relay / L2 ATM. Source: CIMI, Nov. 1997]

“Internet WANs will be the primary means of building intranets by the year 2001” (Forrester, 11/97)


Cisco’s VPN Position

• VPN solutions encompass all segments of networking infrastructure: platforms, security, network services, network appliances, management

• Cisco VPN solutions encompass all segments of the networking infrastructure—platforms, security, network services, network appliances, and management—thus providing the broadest set of VPN service offerings across many different network architectures. Cisco’s support of existing WAN infrastructures is essential in accommodating hybrid network architectures, where users will require access to the VPN from leased line, frame relay, as well as IP and Internet VPN connections. Leveraging existing network gear in these deployment scenarios is paramount; wholesale infrastructure replacement to accommodate VPN deployment is infeasible. Cisco VPN solutions enable corporations to deploy VPNs on their existing Cisco networking gear. Cisco’s entire line of router platforms is easily VPN-enabled through Cisco IOS® software enhancements, thus providing corporations a smooth migration path to a VPN environment. Through Cisco IOS software enhancements, Cisco’s installed base of VPN-ready ports numbers nearly 10 million today.


Cisco’s VPN Position

• “Cisco’s network architecture flexibility and ubiquity make Cisco uniquely positioned as the guide to the new world of VPNs”

• Network architecture flexibility and ubiquity make Cisco uniquely positioned as the guide to the new world of VPNs. Industry-leading Cisco platforms, including routers, WAN switches, access servers, and firewalls—combined with robust security and management services afforded by Cisco IOS software—are the foundation for deploying the most comprehensive set of VPN service offerings available. Cisco VPN solutions tightly integrate the many facets of VPNs with existing Cisco products, ensuring the smooth integration of VPN technology into Cisco enterprise networks. The breadth of Cisco solutions, such as voice over the enterprise WAN, is fully compatible with Cisco VPN platforms. Furthermore, the ubiquity of Cisco equipment in service provider IP, Frame Relay, and ATM backbones provides the means for a high degree of feature integration over the WAN, including common QoS functions across service provider and enterprise networks.


Virtual Private Network Defined

Customer connectivity deployed on a shared infrastructure with the same policies as a private network

[Diagram: enterprise sites joined as a VPN across the SP shared network (Internet, IP, FR, ATM)]

• There is much hype in the industry currently concerning VPNs, their functionality, and how they fit in the enterprise network architecture. Simply defined, a VPN is an enterprise network deployed on a shared infrastructure employing the same security, management, and throughput policies applied in a private network. VPNs are an alternative WAN infrastructure that replace or augment existing private networks that utilize leased-line or enterprise-owned Frame Relay/ATM networks. VPNs do not inherently change WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost effectively. A VPN can utilize the most pervasive transport technologies available today: the public Internet, service provider IP backbones, as well as service provider Frame Relay and ATM networks. The functionality of a VPN, however, is defined primarily by the equipment deployed at the edge of the enterprise network and feature integration across the WAN, not by the WAN transport protocol itself.


VPN Defined

• A network deployed on a shared network providing the same security, management, and throughput as a private network

• VPNs don’t change WAN requirements, but instead meet the requirements more cost effectively


Types of VPNs

• Remote Access

• Intranets

• Extranets

• VPNs are segmented into three categories: remote access, intranets, and extranets. Remote access VPNs connect telecommuters, mobile users, or even smaller remote offices with minimal traffic to the enterprise WAN and corporate computing resources. An intranet VPN connects fixed locations, branch and home offices, within an enterprise WAN. An extranet extends limited access to enterprise computing resources to business partners, such as suppliers or customers, enabling access to shared information. Each type of VPN has different security and quality of service (QoS) issues to consider.


• VPNs and VPDNs are exciting technologies which have the potential to dramatically slash the cost of providing network support to remote offices and mobile users. By leveraging the Internet and the services provided by ISPs, you can tightly integrate the corporate intranet with remote users, and cut costs at the same time.


VPNs Leverage Classic WAN

[Diagram: Mobile Users, Telecommuters, Remote Sites, Branch Sites, and Partners / Customers reach the network over Dial / ISDN, ATM, Frame Relay, Leased Lines, and IP-VPN (Internet)]

• Networking infrastructure

• Security and management infrastructure


Why Consider VPNs

• Lower cost than private networks: LAN-to-LAN connectivity costs reduced by 20-40%; remote access cost reduction of 60-80%

• Proliferation of Internet Economy

• Reduced management burdens

• Simplified network topologies

• VPNs offer many advantages over traditional, leased-line networks. Some of the primary benefits are:

• Lower cost than private networks; total cost of ownership is reduced through lower cost transport bandwidth, backbone equipment, and operations; according to Infonetics, a networking management consulting firm, LAN-to-LAN connectivity costs are typically reduced by 20 to 40 percent over domestic leased-line networks; cost reduction for remote access is in the 60 to 80 percent range

• Proliferation of the Internet economy; VPNs are inherently more flexible and scalable network architectures than classic WANs, thereby enabling enterprises to easily and cost effectively connect and disconnect remote offices, international locations, telecommuters, roaming mobile users, and external business partners as business requirements demand

• Reduced management burdens; compared to owning and operating a private network infrastructure, enterprises may outsource some or all of their WAN functions to a service provider, enabling enterprises to focus on core business objectives instead of managing a WAN or dial-access network

• Simplified network topologies, thus reducing management burdens; utilizing an IP backbone eliminates permanent virtual circuits (PVCs) associated with connection-oriented protocols such as Frame Relay and ATM, thereby creating a fully meshed network topology while actually decreasing network complexity and cost


Components of the VPN

• Security: tunneling, encryption, packet authentication, user authentication, access control

• Appliances: firewalls, intrusion detection, active security auditing

• VPN Services: QoS (queuing, network congestion avoidance, traffic shaping, packet classification), VPN routing using EIGRP, OSPF, BGP

• Management: enforcing QoS policies

• Platform scalability: ability to adapt the VPN to meet bandwidth and connectivity needs

• VPN solutions are defined by the breadth of features offered. A VPN platform must be secure from intrusion and tampering, deliver mission-critical data in a reliable and timely manner, and be manageable across the enterprise. Unless each of these requirements is addressed, the VPN solution is incomplete.

• The essential elements of a VPN can be segmented into five broad categories:

• Security—Tunneling, encryption, packet authentication, user authentication, and access control

• Appliances—Firewalls, intrusion detection, and active security auditing

• VPN Services—Quality of service (QoS) functions like queuing, network congestion avoidance, traffic shaping, and packet classification, as well as VPN routing services utilizing EIGRP, OSPF, and BGP

• Management—Enforcing security and QoS policies across the VPN and monitoring the network

• Platform Scalability—Each of these elements must be scalable across VPN platforms ranging from a small office configuration through the largest enterprise implementations; the ability to adapt the VPN to meet changing bandwidth and connectivity needs is crucial in a VPN solution.


E-VPN Building Blocks

[Diagram: Infrastructure (Platforms, Appliances); Core Networking Services (Cisco IOS); Network Management; Policy Management; Security; QoS; Network & Service Monitoring; Open Architecture; Scalability; End-to-End Networking]

• Satisfying these VPN requirements does not necessarily require replacement of an existing wide-area networking infrastructure. Cisco VPN solutions augment existing WAN infrastructures to meet the enhanced security, reliability, and management requirements present in a VPN environment. Cisco’s existing router portfolio is “VPN-capable,” with VPN features deployable through Cisco IOS software. In some VPN deployments, depending on encryption performance requirements and WAN topology, the Cisco portfolio of “VPN-optimized” routers may be a better alternative. VPN-optimized routers offer optional hardware extensibility for enhanced security performance. Implementing VPN solutions on either portfolio of VPN routers enables robust VPN deployment using existing Cisco networking gear, thus preserving enterprise investments in networking infrastructures.


Security and Appliances: “Protecting the Network”

• Tunnels and Encryption: tunnels provide logical point-to-point connections across a connectionless IP network; encryption is applied to the tunneled connection to scramble data

• Tunnel support: IPsec, Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), and Generic Routing Encapsulation (GRE)

• Encryption support: DES and 3DES; support for major certificate authorities like Verisign, Entrust, and Netscape

• Cisco VPN solutions employ encrypted tunnels to protect data from being intercepted and viewed by unauthorized entities and to perform multiprotocol encapsulation, if necessary. Tunnels provide logical, point-to-point connections across a connectionless IP network, enabling application of advanced security features in a connectionless environment. Encryption is applied to the tunneled connection to scramble data, thus making data legible only to authorized senders and receivers. In applications where security is less of a concern, tunnels can be employed without encryption to provide multiprotocol support without privacy.

• Cisco VPNs employ IPSec, Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), and Generic Routing Encapsulation (GRE) for tunnel support, as well as the strongest standard encryption technologies available—DES and 3DES. Furthermore, Cisco VPN solutions support major certificate authority vendors, like Verisign, Entrust, and Netscape, for managing security/encryption administration.
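The GRE tunnel support named above, shown as an added example that is not from the original primer or from Cisco: it builds the RFC 2784 GRE header in front of a constructed inner packet, optionally with the GRE checksum, and shows the far end recovering the inner protocol type (so an IPX packet can be carried across an IP backbone, the multiprotocol encapsulation the notes mention) and rejecting a packet corrupted in transit. The outer IP header (IP protocol 47) and any sockets are left out, and the inner packet bytes are constructed.

```python
"""GRE (RFC 2784) encapsulation and decapsulation, added as an example.

Not Cisco code. The outer IP header that would carry this (IP protocol 47)
is not built here; the functions work on the GRE header and the tunneled
payload only. SAMPLE_INNER is a constructed byte string, not a real packet.
"""
import struct
from typing import Tuple

# Protocol Type values are Ethertypes: 0x0800 is IPv4, 0x8137 is IPX.
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_IPX = 0x8137

GRE_FLAG_CHECKSUM = 0x8000  # C bit: Checksum and Reserved1 fields follow
GRE_RESERVED0_MASK = 0x7FF8  # 12 reserved bits (RFC 2890 key/seq land here)
GRE_VERSION_MASK = 0x0007    # version must be 0 for plain GRE


def _internet_checksum(data: bytes) -> int:
    """Ones-complement Internet checksum. Over data that already carries a
    correct checksum field this returns 0, which is how we verify."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner: bytes, proto: int, with_checksum: bool = True) -> bytes:
    """Return the GRE header followed by the inner packet."""
    flags = GRE_FLAG_CHECKSUM if with_checksum else 0
    header = struct.pack("!HH", flags, proto)
    if with_checksum:
        # The checksum covers the GRE header (checksum field zero) and payload.
        csum = _internet_checksum(header + b"\x00\x00\x00\x00" + inner)
        header += struct.pack("!HH", csum, 0)  # Checksum, Reserved1
    return header + inner


def gre_decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Return (protocol type, inner packet); raise ValueError on a malformed
    header or a checksum mismatch, so corrupted packets never reach the
    inner protocol stack."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    if flags & GRE_RESERVED0_MASK:
        raise ValueError("reserved bits set (GRE extensions not handled here)")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(packet) < 8:
            raise ValueError("truncated GRE checksum field")
        if _internet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        offset = 8
    return proto, packet[offset:]


def roundtrip(inner: bytes, proto: int = GRE_PROTO_IPV4) -> Tuple[int, bytes]:
    """Encapsulate on one tunnel endpoint and decapsulate on the other."""
    return gre_decapsulate(gre_encapsulate(inner, proto))


def tamper_detected(inner: bytes) -> bool:
    """Flip one payload byte in transit and report whether the far end notices."""
    pkt = bytearray(gre_encapsulate(inner, GRE_PROTO_IPV4))
    pkt[-1] ^= 0xFF
    try:
        gre_decapsulate(bytes(pkt))
    except ValueError:
        return True
    return False


# Constructed stand-in for an inner packet (odd length, to exercise padding).
SAMPLE_INNER = b"\x45\x00\x00\x1c" + b"constructed-inner-ipv4-packet"

if __name__ == "__main__":
    print(roundtrip(SAMPLE_INNER))
    print("corruption detected:", tamper_detected(SAMPLE_INNER))
```

The GRE checksum catches transmission errors only; it is not keyed, so it says nothing about who sent the packet or whether it was deliberately altered. That protection is what the IPsec headers on the next slide add.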


Security and Appliances: “Protecting the Network”

• Packet Authentication

• On an unsecured network, packets can be intercepted by a perpetrator, the contents changed, then forwarded to the destination

• Packet Authentication protects against tampering by applying headers to the IP packet: Authentication Header (AH), Encapsulation Security Protocol (ESP), hashing functions of MD-5 and Secure Hash Algorithm (SHA)

• While interception and viewing of data on a shared network is the primary security concern for enterprises, data integrity is also an issue. On an unsecured network, packets can be intercepted by a perpetrator, the contents changed, then forwarded on to their destination with erroneous information. For example, an order placed to a supplier over an unsecured network could be modified by a perpetrator, changing the order quantity from 1000 to 100. Packet authentication protects against such tampering by applying headers to the IP packet to ensure its integrity. Components of IP Security, authentication header (AH) and Encapsulation Security Protocol (ESP) are employed in conjunction with industry-standard hashing algorithms such as MD-5 and Secure Hash Algorithm (SHA) to ensure data integrity of packets transmitted over a shared IP backbone.
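The packet authentication described above, as an added example that is mine rather than Cisco's: AH and ESP apply MD5 or SHA as a keyed hash (HMAC, per RFC 2403/2404) over the packet, so a perpetrator who changes qty=1000 to qty=100 cannot simply recompute the digest. The code models an ESP-style header (SPI and sequence number), a 96-bit HMAC-SHA1 integrity check value, and the anti-replay check that the sequence number makes possible; the key, SPI and the order payload are constructed.

```python
"""Packet authentication with a keyed hash, added as an example (not Cisco code).

Models an ESP-style integrity check: SPI + sequence number + payload, followed
by a 96-bit truncated HMAC-SHA1 tag (HMAC-SHA1-96, RFC 2404). Without the key
a perpetrator cannot produce a valid tag for a modified packet, and the
sequence number lets the receiver refuse a captured packet played back later.
KEY, SPI and ORDER are constructed values for the demonstration.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC is truncated to 96 bits


def _icv(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI and sequence number header, payload, then the ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + _icv(key, body)


class Receiver:
    """Receiver side: verify the ICV first, then reject replayed sequence numbers."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.last_seq = 0

    def accept(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < 8 + ICV_LEN:
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, _icv(self.key, body)):
            return None  # tampered, forged, or protected with another key
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi or seq <= self.last_seq:
            return None  # wrong association, or a replay of an old packet
        self.last_seq = seq
        return body[8:]


# Constructed values.
KEY = b"constructed-example-key-not-a-real-one"
SPI = 0x1000
ORDER = b"PO-2000-01 item=widget qty=1000"


def demo() -> Dict[str, Optional[bytes]]:
    """Genuine, replayed and tampered copies of the same order, plus the next one."""
    rx = Receiver(KEY, SPI)
    pkt = protect(KEY, SPI, 1, ORDER)
    # The perpetrator's edit from the notes: quantity 1000 becomes 100 (same length).
    tampered = pkt.replace(b"qty=1000", b"qty=100 ")
    return {
        "genuine": rx.accept(pkt),
        "replayed": rx.accept(pkt),
        "tampered": Receiver(KEY, SPI).accept(tampered),
        "next": rx.accept(protect(KEY, SPI, 2, ORDER)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```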


Security and Appliances: “Protecting the Network”

• Firewalls, Intrusion Detection, and Security Auditing

• Firewalls protect against network attacks and denial of service, verify the source of traffic, and prescribe access privileges: IOS firewall feature set, PIX Firewall appliance

• Intrusion Detection operates with the firewall to analyze the content and context of individual packets to determine if they are authorized: NetRanger

• Security Auditing scans the network for potential risks: NetSonar

• A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and network attacks, such as denial of service. Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted. Cisco VPN solutions provide enterprises flexibility in firewall choices, offering Cisco IOS software-based firewalls resident on VPN routers, as well as the separate PIX™ Firewall appliance.

• An added element of insurance in perimeter security is intrusion detection. While firewalls permit or deny traffic based on source, destination, port, and other criteria, they do not actually analyze traffic. Intrusion detection systems, such as Cisco NetRanger™, operate in conjunction with firewalls to extend perimeter security to the packet payload level by analyzing the content and context of individual packets to determine if the traffic is authorized. If a network’s data stream experiences unauthorized activity, NetRanger automatically applies real-time security policy, such as disconnecting the offending session, and notifies a network administrator of the incident. The NetRanger products provide automated monitoring and response for more robust network security while simultaneously reducing personnel costs associated with perimeter monitoring. Monitoring traffic and intrusion detection provide strong defense mechanisms against network attacks, but strong security begins inside the corporate network by ensuring that security vulnerabilities are minimized. Security auditing systems, like Cisco's NetSonar, scan the corporate network identifying potential security risks. NetSonar maps all active systems on a network, their operating systems and network services, and their associated potential vulnerabilities. NetSonar also proactively and safely probes systems using its comprehensive network security database to confirm vulnerabilities, and provides detailed information about security vulnerabilities enabling network managers to better secure the network from attacks.
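A first-match packet filter, as an added example (not Cisco IOS or PIX code): it models the firewall behaviour described above, permitting or denying on source, destination, protocol and port, with rule order deciding and an implicit deny for anything unmatched, and it emits one log line per decision for the monitoring the notes call for. The extranet policy and the addresses (RFC 5737 documentation ranges) are constructed.

```python
"""First-match packet filter with default deny, added as an example.

Not Cisco code. Models the firewall described in the primer: each packet is
compared against an ordered rule list on protocol, source, destination and
destination port; the first match decides, and anything unmatched is denied.
The PARTNER_POLICY below and the addresses are constructed (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "any" or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Return (decision, index of the matching rule); -1 is the implicit deny."""
    for i, r in enumerate(rules):
        if matches(r, p):
            return r.action, i
    return "deny", -1


def log_line(rules: List[Rule], p: Packet) -> str:
    """One audit record per decision, the raw material for perimeter monitoring."""
    action, idx = evaluate(rules, p)
    which = "implicit-deny" if idx < 0 else "rule %d" % idx
    port = "" if p.dport is None else ":%d" % p.dport
    return "%s %s %s -> %s%s (%s)" % (action.upper(), p.proto, p.src, p.dst, port, which)


# Constructed extranet policy: the partner network may reach one HTTPS server
# in the 192.0.2.0/24 DMZ and nothing else there; internal users reach the DMZ.
# Rule 1 must come before rule 2 or the partner would inherit internal access.
PARTNER_POLICY = [
    rule("permit", "tcp", "203.0.113.0/24", "192.0.2.10/32", 443),
    rule("deny", "any", "203.0.113.0/24", "192.0.2.0/24"),
    rule("permit", "any", "10.0.0.0/8", "192.0.2.0/24"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.5", "192.0.2.10", 443),
                Packet("tcp", "203.0.113.5", "192.0.2.20", 22),
                Packet("tcp", "198.51.100.7", "192.0.2.10", 443)):
        print(log_line(PARTNER_POLICY, pkt))
```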


Security and Appliances: “Protecting the Network”

• User Authentication: making sure authorized users gain access to enterprise computing resources

• AAA (Authentication, Authorization, Accounting): TACACS+, RADIUS (CiscoSecure)

• A key component of VPN security is making sure authorized users gain access to enterprise computing resources they need, while unauthorized users are shut out of the network entirely. Cisco VPN solutions are built around authentication, authorization, and accounting (AAA) capabilities that provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial access and extranet applications of VPNs. Cisco VPN solutions support Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS+) user authentication platforms.
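The RADIUS exchange underlying the AAA platforms named above, as an added example (not CiscoSecure or Cisco code): both the NAS side and the server side of an Access-Request / Access-Accept round trip per RFC 2865, including the User-Password hiding with the shared secret and the response authenticator the NAS must verify before trusting the verdict. Usernames, passwords and the shared secret are constructed; TACACS+ is a different protocol and is not shown.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), added as an
example. Not Cisco or CiscoSecure code. Both sides are in one file so the wire
format is visible. MD5 appears because the protocol mandates it, not by choice.
USERS, SECRET and the credentials are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def _packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def _parse(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length")
    auth, attrs, pos = packet[4:20], [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, auth, attrs


def _xor_chain(secret: bytes, req_auth: bytes, data: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous hidden block), seeded with the request authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = result if hiding else block  # chain on the hidden form either way
    return out


def build_access_request(secret: bytes, ident: int, user: bytes, password: bytes) -> bytes:
    """NAS side: hide the password under the secret and a fresh authenticator."""
    req_auth = os.urandom(16)  # must be unpredictable for every request
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = _xor_chain(secret, req_auth, padded, hiding=True)
    return _packet(ACCESS_REQUEST, ident, req_auth,
                   _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hidden))


def _response_auth(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(secret: bytes, users: Dict[bytes, bytes], request: bytes) -> bytes:
    """AAA server: recover the password, decide, and sign the reply."""
    code, ident, req_auth, attrs = _parse(request)
    fields = dict(attrs)
    user = fields.get(ATTR_USER_NAME)
    hidden = fields.get(ATTR_USER_PASSWORD, b"")
    password = _xor_chain(secret, req_auth, hidden, hiding=False).rstrip(b"\x00")
    ok = (code == ACCESS_REQUEST and user in users
          and hmac.compare_digest(users[user], password))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(reply, ident, _response_auth(reply, ident, req_auth, b"", secret), b"")


def client_verify(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS side: trust the verdict only if the response authenticator checks out."""
    _, req_ident, req_auth, _ = _parse(request)
    code, ident, resp_auth, attrs = _parse(response)
    raw = b"".join(_attr(t, v) for t, v in attrs)
    expected = _response_auth(code, ident, req_auth, raw, secret)
    return ident == req_ident and hmac.compare_digest(resp_auth, expected)


def run_exchange(secret: bytes, users: Dict[bytes, bytes], user: bytes,
                 password: bytes, server_secret: bytes = b"") -> Tuple[int, bool]:
    """One round trip; returns (reply code, whether the NAS accepts the reply)."""
    req = build_access_request(secret, 7, user, password)
    resp = server_handle(server_secret or secret, users, req)
    return _parse(resp)[0], client_verify(secret, req, resp)


# Constructed credentials and shared secret.
USERS = {b"alice": b"s3cret-constructed"}
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    print(run_exchange(SECRET, USERS, b"alice", b"s3cret-constructed"))
```

The shared secret is what binds the verdict to the server: with a different secret on the server side the recovered password is garbage and the reply fails the NAS's check, which is why per-NAS secrets and unpredictable request authenticators matter in a deployment.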


Managing Routing and Throughput

• Quality of Service (QoS)

• QoS components that apply to Layer 2 and Layer 3 VPNs: packet classification, Weighted Fair Queuing (WFQ), Weighted Random Early Detection (WRED), Tag Switching/Multi-protocol Label Switching (MPLS), Generic Traffic Shaping (GTS), Border Gateway Protocol (BGP)

• Routing protocols like EIGRP and OSPF

• QoS is an essential component in efficient use of precious WAN bandwidth and ensuring reliable throughput of important data. The bursty nature of network traffic characteristically makes poor use of network bandwidth by sending too many packets into the network at once or congesting network bottlenecks. The result is twofold: WAN links are often underutilized, letting expensive bandwidth lie dormant; network congestion during peak times constrains throughput of delay-sensitive and mission-critical traffic. It is a lose/lose situation.

• QoS determines the network’s ability to assign resources to mission-critical or delay-sensitive applications, while limiting resources committed to low-priority traffic. QoS addresses two fundamental requirements for applications run on a VPN: predictable performance and policy implementation. Policies are used to assign network resources to specific users, applications, project groups, or servers in a prioritized way. Components of QoS that apply to Layer 2 and Layer 3 VPNs are as follows:

• Packet classification—assigns packet priority based on enterprise network policy

• Committed access rate (CAR)—guarantees minimum throughput levels to specific applications and users based on enterprise network policy

• Weighted Fair Queuing (WFQ)—allocates packet throughput based on packet priority

• Weighted Random Early Detection (WRED)—complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable throughput rates

• Tag Switching/Multiprotocol Label Switching (MPLS)—ensures continuity of packet priority across Layer 2 and Layer 3 VPNs

• Generic traffic shaping (GTS)—smooths bursty traffic and “packet trains” to ensure optimal average utilization of VPN WAN links

• Border Gateway Protocol (BGP) propagation—enables the QoS policies to extend to traffic in both directions of the VPN connection

• These QoS mechanisms complement each other, working together in different parts of the VPN to create a comprehensive end-to-end QoS solution. QoS solutions must be integrated across all parts of the VPN to be effective; single point solutions cannot ensure predictable performance.
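Generic traffic shaping from the list above, as an added example (not Cisco code): a token-bucket shaper that lets a burst through up to the bucket depth and then releases packets at the committed rate, with a helper that measures the largest byte count leaving in any one-second window before and after shaping. The packet train, rate and burst are constructed.

```python
"""Generic traffic shaping with a token bucket, added as an example (not Cisco
code). A "packet train" arriving all at once is released at a sustained rate
with a bounded burst, so the VPN WAN link is used evenly instead of being
flooded and then idle. TRAIN, RATE and BURST are constructed values.
"""
from typing import List, Tuple


def shape(packets: List[Tuple[float, int]], rate: float, burst: int) -> List[float]:
    """Return the departure time of each (arrival_time, size_bytes) packet.

    `rate` is bytes per second; `burst` is the bucket depth in bytes, the most
    that may leave back-to-back. Tokens refill continuously at `rate`.
    """
    tokens, last, departures = float(burst), 0.0, []
    for arrival, size in packets:
        if size > burst:
            raise ValueError("packet larger than the burst can never be sent")
        t = max(arrival, last)                  # FIFO: never reorder packets
        tokens = min(float(burst), tokens + (t - last) * rate)
        if tokens < size:                       # not enough tokens: wait
            t += (size - tokens) / rate
            tokens = float(size)
        tokens -= size
        departures.append(t)
        last = t
    return departures


def max_bytes_in_window(times: List[float], sizes: List[int], window: float) -> int:
    """Largest byte count leaving within any `window`-second interval; after
    shaping this can never exceed burst + rate * window."""
    best = 0
    for start in times:
        total = sum(s for t, s in zip(times, sizes) if start <= t < start + window)
        best = max(best, total)
    return best


# Constructed input: five 1000-byte packets arriving at t=0, shaped onto a
# link committed at 1000 bytes/s with a 1500-byte burst allowance.
TRAIN = [(0.0, 1000)] * 5
SIZES = [size for _, size in TRAIN]
RATE, BURST = 1000.0, 1500


def peak_before_and_after(window: float = 1.0) -> Tuple[int, int]:
    """Peak bytes per window for the raw train versus the shaped output."""
    raw = max_bytes_in_window([t for t, _ in TRAIN], SIZES, window)
    shaped = max_bytes_in_window(shape(TRAIN, RATE, BURST), SIZES, window)
    return raw, shaped


if __name__ == "__main__":
    print("departures:", shape(TRAIN, RATE, BURST))
    print("peak bytes per second (raw, shaped):", peak_before_and_after())
```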


Operating the VPN

• VPNs integrate multiple security policies and QoS services

• Companies need to manage these devices and features across the VPN infrastructure

• A VPN WAN allows for outsourcing of many aspects of network management

• Unlike private networks, a VPN enables a company to define what level of network control they need to retain in house while outsourcing less sensitive functions to the service provider

• VPNs integrate multiple security and QoS services in addition to the network devices themselves. Enterprises need to seamlessly manage these devices and features across the VPN infrastructure, including remote access and extranet users. Given these issues, network management becomes a major consideration in a VPN environment. A VPN WAN architecture, however, affords network managers the opportunity to outsource many aspects of network management. Unlike in a private network architecture, a VPN enables enterprises to define what level of network control they need to retain in-house, while outsourcing less sensitive functions to service providers.


Operating the VPN

• Business Requirements

• Scalable Device Management

• Support for Hybrid Network Architectures

• Leveraging Cisco Powered Networks

• Cisco Enterprise Network Management Strategy

• Many companies choose to retain full control over deployment and daily operation of their VPN, and thus require a comprehensive, policy-based management system. Such a system extends the existing management framework to encompass WAN management functions unique to VPNs. Cisco enterprise network management provides a comprehensive suite of tools for managing devices, security policies, and services across any size VPN. As the WAN is extended with VPN technology, a strict set of business requirements must be met for the enterprise network manager to be successful. These requirements include:

• Minimize risk—moving from a dedicated infrastructure to a shared infrastructure that utilizes WAN transport mediums, such as the public Internet, presents the network manager with new security and auditing challenges; network managers must be able to extend VPN access to multiple corporate sites, business partners, and remote users, while assuring the integrity of the corporate data resources

• Scale—the rapid addition of mobile users and business partners to the VPN requires network managers to expand the network, make hardware and software upgrades, manage bandwidth, and maintain security policies with unprecedented speed and accuracy

• Cost—to fully realize the cost benefits of a VPN, network managers must be able to implement new VPN technologies and provision additional network users without growing the operations staff at a proportional rate


Remote Access VPNs

[Diagram: a mobile user dials over the PSTN (PPP/SLIP) to a NAS; either a NAS-initiated tunnel (L2TP/L2F) or a client-initiated tunnel (IPsec/PPTP/L2TP) crosses the VPN cloud (Internet, IP) to the VPN router at the main office]

• When implementing a remote access VPN architecture, an important consideration is where to initiate tunneling and encryption—on the dialup client or on the network access server (NAS). In a client-initiated model, the encrypted tunnel is established at the client using IPSec, L2TP, or PPTP, thereby making the service provider network solely a means of transport to the corporate network. An advantage of a client-initiated model is that the “last mile” service provider access network used for dialing to the point of presence (POP) is secured. An additional consideration in the client-initiated model is whether to utilize operating system embedded security software or a more secure supplemental security software package. While supplemental security software installed on the client offers more robust security, a drawback to this approach is that it entails installing and maintaining tunneling/encryption software on each client accessing the remote access VPN, potentially making it more difficult to scale. In a NAS-initiated scenario, client software issues are eliminated. A remote user dials into a service provider’s POP using a PPP/SLIP connection, is authenticated by the service provider, and, in turn, initiates a secure, encrypted tunnel to the corporate network from the POP using L2TP or L2F. With a NAS-initiated architecture, all VPN intelligence resides in the service provider network—there is no end-user client software for the corporation to maintain, thus eliminating client management burdens associated with remote access. The drawback, however, is lack of security on the local access dial network connecting the client to the service provider network. In a remote access VPN implementation, these security/management trade-offs must be balanced.


Remote Access VPNs

• Outsourced Remote Access: mobile users, telecommuters, extranet, small remote offices

• Ubiquitous Access: Dial, ISDN, xDSL, Cable, and Mobile IP

• Reduces Infrastructure and Operations Costs

• NAS-Initiated: scalable; no PC client maintenance

• Client-Initiated: access independent; standards evolution / deployment

[Diagram: Client-Initiated: a mobile user’s laptop with IPSec tunnels IPSec through the NAS to the corporate headquarters router/gateway and firewall; NAS-Initiated: a residence laptop with PPP, with an L2F / L2TP tunnel from the NAS to corporate headquarters; AAA servers]

• These are the standard features typically provided with an Access VPN


Intranet VPNs

[Diagram: a main office and two remote offices, each with a VPN router, connected by IPsec/GRE tunnels across the Internet/IP]

• Intranet VPNs are an alternative WAN infrastructure that can augment or replace private lines or other private WAN infrastructures by utilizing shared network infrastructures provided by service providers. Intranet VPNs are built using the Internet or service provider IP, Frame Relay, or ATM networks.

• Intranet VPNs built on an IP WAN infrastructure utilize IPSec or GRE to create secure tunnels across the network to carry WAN traffic. When combined with service provider backbone QoS mechanisms, QoS functions such as WFQ, WRED, GTS, and CAR employed on corporate network edge routers ensure efficient use of WAN bandwidth and reliable throughput.

• The benefits of an intranet VPN are as follows:

• Reduced WAN bandwidth costs

• Connect new sites easily

• Increased network uptime by enabling WAN link redundancy across service providers

• Building an intranet VPN using the Internet is the most cost-effective means of implementing VPN technology. Service levels, however, are generally not guaranteed on the Internet. When implementing an intranet VPN, corporations need to assess which trade-offs they are willing to make between guaranteed service levels, network ubiquity, and transport cost. Enterprises requiring guaranteed throughput levels should consider deploying their VPNs over a service provider’s end-to-end IP network, or, potentially, Frame Relay or ATM.


Internet & IP VPNs

Internet VPN:

• Public Internet-based

• Ubiquitous connectivity

• Low cost

• Throughput and latency concerns

• Constrained by lack of inter-ISP SLAs

IP VPN:

• Provided by single ISP: controls all access and backbone facilities

• With QoS control

• Enables SLAs to be delivered/enforced

Page 25: Cisco VPN Primer


Extranets

[Slide diagram: a Main Office VPN Router reaches a Business Partner's VPN Router across Internet/IP through IPsec/GRE tunnels; a Dial-Up Business Partner connects over the PSTN to a Service Provider Network, which tunnels the session with L2TP/L2F]

• Extending connectivity to corporate partners and suppliers is expensive and burdensome in a private network environment. Expensive dedicated connections must be extended to the partner, management and network access policies must be negotiated and maintained, and often compatible equipment must be installed on the partner’s site. When dial access is employed, the situation is equally complicated because separate dial domains must be established and managed. Due to the complexity, many corporations do not extend connectivity to their partners, resulting in complicated business procedures and reduced effectiveness of their business relationships.

• One of the primary benefits of a VPN WAN architecture is the ease of extranet deployment and management. Extranet connectivity is deployed using the same architecture and protocols utilized in implementing intranet and remote access VPNs. The primary difference is the access permissions extranet users are granted once connected to their partner’s network.

• Choosing a Service Provider Partner

• With any VPN implementation scenario, service providers become partners in the solution. The performance of a VPN relies not only on the networking equipment chosen, but also on the service providers providing the WAN bandwidth and dialup facilities for remote access. As such, service providers used for VPN implementation should be chosen carefully.

• Service providers offer various levels of VPN services, from basic connectivity to completely outsourced solutions. Decisions regarding which aspects of the VPN will be managed in-house or by the service provider should be reviewed in depth when choosing service providers. Ultimately, the service providers chosen are partners in the VPN implementation. Consequently, a strong working relationship and established expectations should be a guiding factor in the overall decision process.
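The notes above make the point that an extranet uses the same tunnel architecture as the intranet and differs only in the access permissions granted to partner users. The following Cisco IOS fragment, an added example that is not from the deck or from Cisco, shows that difference on the main-office router: the partner's GRE/IPsec tunnel is built exactly like an intranet tunnel, but an inbound access list on the tunnel interface limits partner hosts to one extranet application server, and only the partner's own prefix is routed through the tunnel. The partner prefix, server address, interface names, key and addresses are assumptions; the crypto map name matches the intranet example only for readability.

```cisco
! Constructed example: business-partner extranet on the main-office router.
! Same tunnelling building blocks as an intranet VPN; the access list is the
! only thing that makes it an extranet. All names and addresses are placeholders.
!
! IKE key for the partner peer (policy 10 from the intranet tunnel is reused)
crypto isakmp key REPLACE-WITH-PARTNER-PSK address 198.51.100.2
!
! Encrypt the GRE traffic to the partner endpoint
ip access-list extended GRE-TO-PARTNER
 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-TS
 match address GRE-TO-PARTNER
!
! Least privilege for partner users once inside the tunnel:
! partner LAN (assumed 172.16.50.0/24) may reach only the extranet
! application server (assumed 10.10.20.5) on HTTPS, plus ping for
! reachability checks. Everything else is dropped and logged, which
! also makes unexpected partner-side traffic visible to operations.
ip access-list extended PARTNER-IN
 remark Extranet partner: only the published application is reachable
 permit tcp 172.16.50.0 0.0.0.255 host 10.10.20.5 eq 443
 permit icmp 172.16.50.0 0.0.0.255 host 10.10.20.5 echo
 deny ip any any log
!
interface Tunnel1
 description GRE/IPsec tunnel to business partner
 ip address 10.255.0.5 255.255.255.252
 ip access-group PARTNER-IN in
 tunnel source Serial0/0
 tunnel destination 198.51.100.2
 crypto map VPN-MAP
!
! Static route instead of a routing protocol: the partner learns nothing
! about internal topology, and only its own prefix is sent down the tunnel.
ip route 172.16.50.0 255.255.255.0 Tunnel1
```

The intranet tunnel (Tunnel0 in the earlier example) carries no such filter and exchanges routes dynamically; the partner tunnel carries a static route and an explicit allow-list. That pairing, identical transport with different policy at the tunnel interface, is the practical meaning of the "primary difference is the access permissions" sentence above.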

Page 26: Cisco VPN Primer


Intranet And Extranet E-VPNs

• Extend connectivity - remote offices, partners
• Lower costs
• Simplify operations
• Enable new applications

[Slide diagram: Main Office, Remote Offices, Business Partner, Supplier, and Customer connected over Internet, IP, Frame Relay, or ATM; the remote-office connections form the Intranet and the partner, supplier, and customer connections form the Extranet]

Page 27: Cisco VPN Primer


Cisco E-VPN-Optimized Routers

1 - Platforms

[Slide diagram: product segments Telecommuter, Branch, Regional Office, and Enterprise Core, with the platforms below]

Cisco 800
• Entry-level Cisco IOS
• ISDN
• One fixed WAN
• Simple to install

Cisco 1720
• VPN router
• 2 WIC slots
• 10/100 Enet
• Future HW encryption

Cisco 2600
• Data, voice and dial
• 2 WIC + 1 NM slot
• AIM expansion slot
• Future HW encryption

Cisco 3600
• Data, voice and dial
• 2/4 NM slot
• Future HW encryption

Cisco 7200
• High Performance
• High Density Port Adapters
• 4/6 slot Systems
• IPSec Accelerator
• Future HW encryption

Cisco 7200 VXR
• New 300kpps Processor
• Multi-Service Interchange

Cisco 7500
• Distributed Architecture

Cisco 7100 VPN
• Integrated I/O Features
• Firewall feature Set

• The Cisco 1600 and 1720 routers are positioned for the Small and Medium-sized Businesses and Small Branch Offices. The Cisco 1720 router is an extension of the Cisco 1600 series, with the same desktop form factor and software feature sets, offering higher functionality at a higher price point.

• The Cisco 2500 and 2600 routers are positioned as enterprise-class solutions for enterprise branch offices, offering rack-mount for wiring closet environments, internal power supply, optional redundant power supply, Token Ring, high-density WAN, and legacy protocol support (DECnet, VINES, APPN). The Cisco 2500 router continues to be the industry-leading fixed-configuration data router, with strong sales across all geographies. The Cisco 2600 routers support the same software feature sets as the 2500 and 3600 series, providing additional capabilities such as voice and dial services at a higher price point. It offers a flexible, modular solution with higher performance; more WAN density such as dual ISDN Primary Rate Interface (PRI), 10 ISDN BRIs, four T1/E1s, 36 async modem interfaces; and support for voice and dial.

• These four router families are positioned as two winning pairs:
• Cisco 1600/1720 for Small and Medium-sized Businesses and Small Branch Offices
• Cisco 2500/2600 for Enterprise branch offices

Page 28: Cisco VPN Primer


Cisco 1720 VPN Router

1 - Platforms

• VPN Access
Cisco IOS™ technologies: Security, QoS, management, reliability/scalability
RISC processor for encryption performance: IPSec DES encryption at 512 Kbps, 256-byte packets
Future hardware-assisted encryption @ T1/E1

• Flexibility
Autosensing 10/100 Fast Ethernet + two WIC slots + AUX port
Any combination of current 1600 WICs and 2600 dual serial WICs

• Network Device integration
Router-firewall-encryption-VPN tunnel server-DSU/CSU-NT1
Part of Cisco Networked Office stack

Global List Price with IP and T1/E1 Serial WIC: US $1,595
With IP and Dual-T1/E1 WIC: US $1,895

• The Cisco 1720 provides 3 key advantages for small/medium businesses and small branch offices:

• VPN Access
• Cisco IOS™ software, the de facto standard for the Internet and private networks, now extends its leadership to VPNs. It provides superior security, QoS, management, reliability/scalability
• The RISC processor on the Cisco 1720 offers encryption performance.
• IPSec DES encryption performance: 512 Kbps for 256-byte packets
• There is an internal expansion slot for future hardware-assisted encryption @ T1/E1

• Flexibility
• Autosensing 10/100 Fast Ethernet + two WIC slots + AUX port
• Mix and match any combination of current 1600 WICs and 2600 dual serial WICs on the 2 WIC slots

• Network Device integration
• The Cisco 1720 provides all-in-one functionality such as router-firewall-encryption-VPN tunnel server-DSU/CSU-ISDN NT1
• It is part of the Cisco Networked Office stack, which provides an integrated single vendor LAN and WAN solution

• Global List Price
• Base Chassis with IP Software and no WIC cards: US $1,795
• With IP and one-port T1/E1 Serial WIC = US $1,795 + $400 = US $2,195
• With IP and two-port T1/E1 Serial WIC = US $1,795 + $700 = US $2,495

Page 29: Cisco VPN Primer


Cisco 7100 Series Integrated VPN Router
Comprehensive, Integrated High-End VPN Solutions

Feature Rich Routing
• Industry leading routing - World-class Cisco IOS®
• Fast Layer 3 routing - RIP, OSPF, EIGRP, BGP, NHRP, IGRP
• VPN Management

Optimized for VPN
• Integrated LAN/WAN
• Range of WAN Services
• Single/Dual homed configurations
• Extensibility

Rich VPN Services
• Security/Tunneling/High-Speed Encryption
• Firewall and Intrusion Detection
• Advanced Bandwidth Management
• Service Level Validation

• The Cisco 7100 Series VPN Router is an integrated VPN router designed for larger regional office and headquarter environments. It integrates key features of VPNs to provide VPN solutions for remote access, intranet, and extranet VPNs as discussed on the previous two slides. Key features include:

• Feature Rich Routing
• Cisco’s industry leading routing delivered through Cisco IOS, including support for numerous routing protocols and a framework for managing routing and VPN functions

• Optimized for VPN
• The Cisco 7100 includes integrated LAN/WAN interfaces for connectivity to the VPN and corporate LAN
• A range of WAN interfaces is included with the Cisco 7100, from 4 T1/E1 to T3/E3 and OC3, available in single and dual interfaces for single or dual homed connectivity to the VPN
• The Cisco 7100 has a service module slot to accommodate task-specific VPN service processing modules, like the Integrated Services Module for hardware-assisted encryption and tunneling scalability

• Rich VPN Services
• The Cisco 7100 integrates all of the VPN services outlined above in the third column. Integrating these features on a single device reduces the network complexity associated with deploying numerous single purpose devices, such as firewalls or bandwidth managers, in the network.

Page 30: Cisco VPN Primer


Summary of Cisco VPN

• VPNs make sense from a business and technology perspective
• VPNs enable business to refocus their energies on core business objectives instead of networking needs
• VPNs are not an all-or-nothing networking decision
Phased approach

• VPNs make sense from a business and technology perspective. VPNs enable businesses to refocus their energies on core business objectives instead of networking needs, while reducing operations and bandwidth costs. Furthermore, VPNs are not an all-or-nothing network decision. VPNs can be phased into existing private network architectures, offering a flexible migration path for the evolution of private networks.

• VPN solutions must offer strong security features such as 3DES encryption, scalable tunneling, and packet authentication, as well as transport reliability mechanisms such as WFQ, WRED, GTS, and CAR. VPN solutions must also be interoperable with the existing network infrastructure. Unless each of these features is included in a VPN implementation, the VPN is subject to security and transport reliability issues. The Cisco VPN solution offers an exhaustive feature set to address any security and reliability issues associated with VPN implementations.

Page 31: Cisco VPN Primer


Summary of Cisco VPN

• Cisco VPN solutions encompass all segments of networking infrastructure

Platforms, Security, Network services, Network appliances, and Management

• Cisco provides the broadest set of VPN service offerings across many different network architectures

• Cisco VPN solutions encompass all segments of the networking infrastructure (platforms, security, network services, network appliances, and management), thus providing the broadest set of VPN service offerings across many different network architectures. Cisco’s support of existing WAN infrastructures is essential in accommodating hybrid network architectures, where users will require access to the VPN from leased line, frame relay, as well as IP and Internet VPN connections. Leveraging existing network gear in these deployment scenarios is paramount; wholesale infrastructure replacement to accommodate VPN deployment is infeasible. Cisco VPN solutions enable corporations to deploy VPNs on their existing Cisco networking gear. Cisco’s entire line of router platforms is easily VPN-enabled through Cisco IOS® software enhancements, thus providing corporations a smooth migration path to a VPN environment. Through Cisco IOS software enhancements, Cisco’s installed base of VPN-ready ports numbers nearly 10 million today.

Page 32: Cisco VPN Primer


Thank You
