1190_05_2000_c2, © 1999, 2000, Cisco Systems, Inc.
Introduction to VPNs
Extending the Classic WAN
Session 2400
Agenda
What Is a VPN?
Connectivity deployed on a shared infrastructure with the same policies and performance as a private network.
[Diagram: a Virtual Private Network joining the Main Office, Regional Office, Remote Office, Home Office, Mobile Worker and Business Partner through service-provider POPs]
[Chart: 1997 to 2001 timeline]

Classic WAN
[Diagram: Main Office and Mobile Workers on the classic WAN]

Classic WAN: Today's New Challenges
[Diagram: the Main Office at the centre; Business Partners, a Very Remote Office, 1000s of Remote Workers, a Regional Office, Home Offices and Mobile Workers, each marked "?" where the classic WAN has no cost-effective connection]
[Diagram: the same sites, with the "?" replaced by an Internet/IP VPN joining the Main Office to 1000s of Remote Workers, the Regional Office, Home Offices and Mobile Workers]
[Diagram: Customers and Partners reach the Enterprise through WAN Connectivity, Multiservice/Voice and Networked Applications]

[Diagram: Home Office, Remote Office and Business Partner reach the Main Office through service-provider POPs; Remote Access over DSL or Cable terminates at the Central Site; the Intranet and Extranet VPNs are site-to-site]
Remote Access: extension of dial; user manageability and deployment scalability.
Site-to-Site (Intranet and Extranet): extension of the classic WAN; VPN services and scalable performance.
Extranet VPN: extends the WAN to business partners with Layer 3 (IPSec) security.

Fully interoperable: Cisco IOS and other IPSec-compliant systems.
[Diagram: Encrypted IP across the Internet into the Corporate Network]
[Diagram: a Remote Office connected through Service Provider POPs over Internet/IP VPNs]
[Diagram: Main Office, Remote Office, Business Partner, Supplier and Customer all connected through Service Provider POPs over Internet/IP VPNs]

Router/Firewall-Initiated VPN
[Diagram: an IPSec Encrypted Tunnel between the two sites' routers or firewalls across the Internet, entering at the service-provider POPs]

[Diagram: Layer 3 VPNs, Internet VPN and IP VPN, drawn above the ATM and IP transport layers]

[Diagram: on the Service Provider side, separate Encryption, Firewall, Bandwidth Manager and SLA Probe boxes, versus one integrated device]
Multiple devices: separate management.
Integrated services: scalable performance, simplified provisioning.

VPN Security
Traditional (physical) security: Locks, Security Office, Card Key, Guard.

Security monitoring: detect and react to intruders.
Test: recognize network vulnerabilities.
Policy management: centralized control of security services.

VPNs need auditing/monitoring: how do you know your VPN is secure?

IPSec peers: Router to Router, PC to Server, Router to Firewall, PC to Router.

IPSec Modes
Tunnel mode: applied to an IP tunnel. The outer IP header specifies the IPSec processing destination (the peer gateway); the inner IP header specifies the ultimate packet destination. Layout: [new IP HDR][IPSec HDR][original IP HDR][DATA], with the original IP header and the data encrypted, so the end hosts are not visible on the wire.
Transport mode: between two hosts. The IPSec header sits after the IP header and before the TCP/UDP header. Layout: [IP HDR][IPSec HDR][DATA], with only the data encrypted; the original IP header, and with it both endpoint addresses, stays in the clear.
(The encrypted portion applies to ESP; AH authenticates without encrypting.)

[Diagram: a Certificate Authority issues Digital Certificates to both IPSec peers; an ISAKMP session between them authenticates the peers with those certificates and negotiates the Security Association (SA); traffic on the Internal Networks is Clear Text, traffic across the Internet is an Authenticated, Encrypted Tunnel]
Authorization: packet selection via ACLs (the crypto ACL decides which packets enter the tunnel and which are forwarded in the clear).
Security Association (SA) established via IKE.
Security Associations are a scarce resource: each protected flow selected by the ACL consumes an SA pair (one per direction) and the SA table is bounded by the platform, so crypto ACLs should describe subnets rather than individual hosts.
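The tunnel and transport modes, the crypto-ACL packet selection and the SA of the two slides above, as an added example that is not from the Cisco deck. It assumes a stand-in cipher (an HMAC-SHA256 keystream XORed over the payload, so it runs on the Python standard library; a real SA would use AES), HMAC-SHA1-96 as the integrity check, 20-byte IPv4 headers, and constructed addresses, keys and SPIs; the `SA`, `esp_encapsulate`, `esp_decapsulate` and `select` names are mine, not IOS APIs.

```python
# Added example, not from the Cisco deck. Assumptions: a stand-in cipher
# (HMAC-SHA256 keystream XOR) so the code runs on the standard library alone,
# where a real SA would use AES; HMAC-SHA1-96 as the ICV; 20-byte IPv4 headers.
import hashlib, hmac, ipaddress, struct

ESP, IPIP, TCP = 50, 4, 6        # IP protocol numbers

def build_ipv4(src, dst, proto, payload, dscp=0):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:] + payload

def parse_ipv4(pkt):
    """-> (src, dst, proto, dscp, payload) for a packet made by build_ipv4."""
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])),
            pkt[9], pkt[1] >> 2, pkt[20:])

class SA:
    """One direction of an IPSec Security Association."""
    def __init__(self, spi, enc_key, auth_key, mode, local, peer):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.mode, self.local, self.peer, self.seq = mode, local, peer, 0

    def keystream(self, seq, n):    # stand-in cipher, keyed per (SPI, seq)
        return b"".join(hmac.new(self.enc_key, struct.pack("!IIQ", self.spi, seq, i),
                                 hashlib.sha256).digest() for i in range(n // 32 + 1))[:n]

    def icv(self, data):            # HMAC-SHA1-96 over SPI | seq | ciphertext
        return hmac.new(self.auth_key, data, hashlib.sha1).digest()[:12]

def esp_encapsulate(sa, pkt):
    """Transport mode: original IP header in the clear, only its payload protected.
    Tunnel mode: whole packet protected behind a new header to the peer gateway."""
    src, dst, proto, dscp, payload = parse_ipv4(pkt)
    if sa.mode == "tunnel":
        inner, nxt, o_src, o_dst = pkt, IPIP, sa.local, sa.peer
    else:
        inner, nxt, o_src, o_dst = payload, proto, src, dst
    sa.seq += 1
    pad = (-(len(inner) + 2)) % 4     # ESP trailer: padding, pad length, next header
    plain = inner + bytes(range(1, pad + 1)) + bytes([pad, nxt])
    ct = bytes(a ^ b for a, b in zip(plain, sa.keystream(sa.seq, len(plain))))
    esp = struct.pack("!II", sa.spi, sa.seq) + ct
    return build_ipv4(o_src, o_dst, ESP, esp + sa.icv(esp), dscp)   # DSCP copied outward

def esp_decapsulate(sa, pkt):
    """Verify the ICV first, reject a wrong SPI or replayed seq, strip ESP, return the datagram."""
    src, dst, proto, dscp, esp = parse_ipv4(pkt)
    body, tag = esp[:-12], esp[-12:]
    if proto != ESP or not hmac.compare_digest(tag, sa.icv(body)):
        raise ValueError("not ESP, or ICV mismatch (modified packet or wrong SA)")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or seq <= sa.seq:
        raise ValueError("wrong SPI or replayed sequence number")
    sa.seq = seq
    plain = bytes(a ^ b for a, b in zip(body[8:], sa.keystream(seq, len(body) - 8)))
    pad, nxt = plain[-2], plain[-1]
    inner = plain[:len(plain) - pad - 2]
    return inner if nxt == IPIP else build_ipv4(src, dst, nxt, inner, dscp)

def select(crypto_acl, pkt):
    """Crypto ACL: first match wins; 'permit' protects with that entry's SA,
    'deny' or no match forwards in the clear (None)."""
    src, dst = (ipaddress.ip_address(a) for a in parse_ipv4(pkt)[:2])
    for action, src_net, dst_net, sa in crypto_acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return sa if action == "permit" else None
    return None

def demo():
    """Constructed traffic: host-to-host via a tunnel SA, gateway-to-gateway via transport."""
    ke, ka, gw_a, gw_b = b"\x11" * 32, b"\x22" * 20, "203.0.113.1", "198.51.100.1"
    tun_tx, tun_rx = SA(0x1001, ke, ka, "tunnel", gw_a, gw_b), SA(0x1001, ke, ka, "tunnel", gw_b, gw_a)
    tr_tx, tr_rx = SA(0x2002, ke, ka, "transport", gw_a, gw_b), SA(0x2002, ke, ka, "transport", gw_b, gw_a)
    acl = [("permit", "10.1.0.0/16", "10.2.0.0/16", tun_tx), ("permit", gw_a + "/32", gw_b + "/32", tr_tx)]
    host_pkt = build_ipv4("10.1.0.5", "10.2.0.9", TCP, b"patient record query", dscp=46)
    gw_pkt = build_ipv4(gw_a, gw_b, TCP, b"keepalive")
    tun_wire = esp_encapsulate(select(acl, host_pkt), host_pkt)
    tr_wire = esp_encapsulate(select(acl, gw_pkt), gw_pkt)
    out = {"tunnel_outer": parse_ipv4(tun_wire)[:2],       # gateways, not hosts
           "tunnel_hides_inner": b"\x0a\x01\x00\x05" not in tun_wire,
           "tunnel_dscp": parse_ipv4(tun_wire)[3],
           "transport_outer": parse_ipv4(tr_wire)[:2],     # the hosts themselves
           "tunnel_roundtrip": esp_decapsulate(tun_rx, tun_wire) == host_pkt,
           "transport_roundtrip": esp_decapsulate(tr_rx, tr_wire) == gw_pkt,
           "web_in_clear": select(acl, build_ipv4("10.1.0.5", "192.0.2.80", TCP, b"GET /")) is None}
    try:                                   # presenting the same datagram again is a replay
        esp_decapsulate(tun_rx, tun_wire)
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it and compare `tunnel_outer` with `transport_outer`: the tunnel-mode datagram carries only the two gateway addresses, while the transport-mode datagram exposes the communicating hosts. The ICV is checked before any decryption, and a sequence number that does not advance is rejected, which is the replay protection a real SA provides with its anti-replay window.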

[Diagram: the Corporate Network behind a PIX firewall, with CiscoSecure Intrusion Detection, a Security Scanner, a Policy Server and a Security Manager; a Certificate Authority issues Digital Certificates; the Remote Office (IOS Firewall), the Manufacturing site (Router) and the Mobile User (VPN Client) connect across the Internet through the Service Provider, and a Business Partner joins by exchanging certificate-authenticated messages]
[Animation: a Hacker appears on the Internet; Intrusion Detection detects the attempt and the Policy Server pushes Policy Updates to the PIX, the Router, the IOS Firewall and the VPN Client]

E-VPN Platforms
Scalable Encryption Processor (SEP)
[Diagram: Main Office, Regional Office, Remote Office and Small Office/Home Office joined over the Internet/IP VPN]
Feature Interoperability: a single-device solution ensures interoperability of all VPN services.
Device Integration: VPN security, L3 routing, QoS, service-level validation and diverse VPN access media.
Investment Protection: encryption-acceleration modularity and software extensions.

E-VPN Services
CPE functions: packet classification, packet marking, WAN-link bandwidth management, measurement.
SP functions: adhere to the SLA (throughput, latency, availability); control congestion.
[Diagram: CPE pipeline Classifier -> QoS Marking -> Crypto Engine -> Output Queuing, then the ISP, for end-to-end QoS]
Classification and marking sit before the crypto engine for a reason: once the packet is inside ESP, the ports and protocol that identify the application are encrypted, and only the DSCP/ToS byte, which IOS copies from the inner header to the outer header in tunnel mode, remains visible to the output queue and to the ISP.
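The classify, mark, encrypt, queue ordering of the pipeline above, as an added example that is not from the Cisco deck. It models packets as Python dicts rather than wire bytes; the DSCP code points (EF 46, AF31 26) are the standard ones, while the class table, the priority scheduler, the peer address and the sample traffic are constructed for this example.

```python
# Added example, not from the Cisco deck: the CPE pipeline Classifier ->
# QoS Marking -> Crypto Engine -> Output Queuing, modelled on packet dicts.
# EF (46) and AF31 (26) are the standard DSCP code points; the class table,
# the priority scheduler and the traffic below are constructed for the example.
EF, AF31, BE = 46, 26, 0
ESP = 50
PEER = "198.51.100.1"                       # assumed address of the remote VPN gateway

CLASS_TABLE = [                             # first matching (proto, dport) rule wins
    ("udp", range(16384, 32768), EF),       # RTP voice bearer
    ("tcp", {22, 1494, 3389}, AF31),        # interactive: SSH, ICA, RDP
]

def classify(pkt):
    """DSCP a packet should carry, decided from the application 5-tuple."""
    for proto, ports, dscp in CLASS_TABLE:
        if pkt["proto"] == proto and pkt.get("dport") in ports:
            return dscp
    return BE

def mark(pkt):
    """QoS marking stage: write the classifier's verdict into the DSCP field."""
    return {**pkt, "dscp": classify(pkt)}

def encrypt(pkt):
    """Crypto engine, tunnel mode: everything but the outer header becomes opaque.
    The inner DSCP is copied to the outer header, as IOS does by default, so the
    output queue and the ISP can still tell the classes apart."""
    return {"proto": ESP, "dst": PEER, "dscp": pkt["dscp"], "payload": pkt}

def schedule(pkts):
    """Output queuing: strict priority EF, then AF31, then best effort; FIFO within a class."""
    rank = {EF: 0, AF31: 1}
    return sorted(pkts, key=lambda p: rank.get(p["dscp"], 2))   # sorted() is stable

def run(stages, traffic):
    """Push traffic through the stages in order; return the ids as they leave the box."""
    pkts = list(traffic)
    for stage in stages:
        pkts = [stage(p) for p in pkts]
    return [(p["payload"] if p["proto"] == ESP else p)["id"] for p in schedule(pkts)]

TRAFFIC = [                                 # constructed: arrives in this order
    {"id": "bulk-1", "proto": "tcp", "dport": 445, "dscp": BE},
    {"id": "bulk-2", "proto": "tcp", "dport": 445, "dscp": BE},
    {"id": "voice", "proto": "udp", "dport": 20000, "dscp": BE},
    {"id": "rdp", "proto": "tcp", "dport": 3389, "dscp": BE},
]

def correct_order():
    """Mark before encrypting: voice and RDP leave ahead of the bulk transfer."""
    return run([mark, encrypt], TRAFFIC)

def wrong_order():
    """Encrypt before marking: the classifier sees only ESP to the peer, every
    packet is best effort, and voice waits behind the bulk transfer."""
    return run([encrypt, mark], TRAFFIC)

def on_the_wire():
    """What the ISP sees per packet after the correct pipeline: (proto, dscp) only."""
    return {p["payload"]["id"]: (p["proto"], p["dscp"]) for p in map(encrypt, map(mark, TRAFFIC))}

if __name__ == "__main__":
    print("mark then encrypt:", correct_order())
    print("encrypt then mark:", wrong_order())
    print("outer headers:", on_the_wire())
```

`wrong_order()` is the failure mode the pipeline diagram is guarding against: with the classifier behind the crypto engine every packet looks like ESP to the same peer, so the priority queue degenerates into FIFO. `on_the_wire()` shows why the copied DSCP matters: it is the only per-packet class information that survives encryption.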

E-VPN Management
ACL Manager: manages Access Control Lists.
Certificate Authority: issues Digital Certificates.
[Diagram: Headquarters (PIX, Intrusion Detection) and the Regional Office exchange certificates through IKE and run IPSec between them]
QoS Monitor: monitors traffic distribution.
Service Level Manager: SLA monitoring and measurement.
[Diagram: SAA (Service Assurance Agent) probes between Headquarters (PIX, Intrusion Detection) and the Regional Office]

Next Steps
Mobility
Streaming services: voice, video, audio
Scalable deployment
Policy management

Non-Technology Challenges
Role of regulation
Conflicting national policies
Local standards and practices

Increasing Service Provider Role
[Chart: share of the work carried by the enterprise Network Manager versus the Service Provider]
Network Manager 90% / Service Provider 10%: the Service Provider supplies basic Internet access; the Network Manager provides ongoing application and configuration management and help desk support.
Network Manager 50% / Service Provider 50%: the Service Provider supplies VPN equipment and adds QoS to the bandwidth offering.
Network Manager 10% / Service Provider 90%: the Service Provider supplies the complete VPN solution, including service, training and help desk; the Network Manager administers the security server.

Cost-Effectiveness of VPN: Savings Based on VPN Solution (1000 Users)

Category             In-House      VPN           Savings
Remote Access*       $957,000      $700,000      $257,000
Network Backbone     $500,000      $450,000      $50,000
Staffing             $440,000      $0            $440,000
Security             $185,000      $100,000      $85,000
24 x 7 Help Desk     $750,000      $550,000      $200,000
Network Management   $75,000       $0            $75,000
Totals:              $2,907,000    $1,800,000    $1,107,000 (38%)

Waterbury Hospital
1. Requirement: fast, secure access to patient records.
2. Solution: [Diagram: Physicians' Home/Office PCs running the IPSec Client connect over Cox Communications and Charter Communications Cable Modems; an Encrypted IP Tunnel terminates on a Cisco 3640 and PIX Firewall; T1 links join the CT Hospital Association's ChimeLink and the Laurel Clinical Data Repository]
3. Benefit: high-speed access to new applications; more detailed patient information for doctors.

Media Company
1. Requirement: reliable, low-cost access from the remote office (56K connection).
2. Solution: Intranet VPN via the Internet from Delhi to Hong Kong; leased line from Hong Kong to US HQ. [Diagram: Cisco 1720 at Delhi, India; Encrypted IP Tunnel over the Internet; Cisco 3600; Singapore; Leased Line; United States]
3. Benefit: 10x cost savings over Frame Relay; deployment in 3 weeks vs 6 months; expanding the VPN to other remote sites around the world.

Altera Semiconductor
1. Requirement: reliable, low-cost, secure connections to remote offices and telecommuters.
2. Solution: Intranet and Remote Access VPN. [Diagram: San Jose HQ with a Cisco 7120 VPN Router on T1; Toronto with a Cisco 2610 over ISDN; Santa Cruz with a Cisco 2621 over DSL; Fremont with a Cisco 3640 Gateway over Cable Modem; United Kingdom users on the IPSec Client; all reach HQ through Encrypted IP Tunnels across the Internet]
3. Benefit: fast, flexible deployment; higher speeds; secure communications.

Additional Information
www.cisco.com/go/evpn
www.cisco.com/go/security
www.cisco.com/go/securityassociates
Networking Professionals Community
White Papers, ISPs with Cisco Powered VPN Services, Design Guides, Data Sheets, 3rd Party Solutions
[Diagram: Partners, Virtual Private Networks, Multiservice/Voice, Networked Applications]