
Module 12 Virtual Private Networks

www.cisco.com
1999, Cisco Systems, Inc.

Agenda
- What Are VPNs?
- VPN Technologies
- Access, Intranet, and Extranet VPNs
- VPN Examples

CSE: Networking Fundamentals: VPNs

Virtual Private Networks


[Figure: an IP packet (private, encrypted) is carried inside a public IP header across the Internet between sites in Paris and Hong Kong]

- Extends private network through public Internet
- Lower cost than private WAN
- Relies on tunneling and encryption

Example of a VPN
Private networking service over a public network infrastructure
[Figure: the Munich Main Office is connected over the Internet to the Paris, Milan, and New York offices; a mobile worker dials in to Munich over the Internet]

VPN Technologies


VPN Technologies
[Figure: VPN topology. The main site, behind a perimeter router, a Cisco PIX Firewall, and a VPN concentrator, reaches through a service provider POP to a business partner with a Cisco router, a remote office with a Cisco router, a regional office with a Cisco PIX Firewall, a SOHO with a Cisco ISDN/DSL router, and a corporate mobile worker with the Cisco Secure VPN Client on a laptop computer]

PIX = Private Internet Exchange

Tunneling: L2F/L2TP
[Figure: mobile users, telecommuters, and small remote offices dial into a service provider PoP hosting an LAC; a tunnel crosses the SP network/Internet to the home gateway on the corporate intranet, which consults a security server]

1. User identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established

LAC = L2TP Access Concentrator

Tunneling: Generic Routing Encapsulation (GRE)

[Figure: sites of Enterprise A and Enterprise B connected across a service provider backbone by a mesh of GRE tunnels]

- Mesh of virtual point-to-point interfaces
- Encapsulates multiprotocol packets in IP tunnels
- Application-level QoS
- Value-added platform
- Encryption-optional tunneling
- Standard architecture for service providers with IP infrastructures
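The encapsulation this slide describes, as an added worked example that is not Cisco's code and not part of the original deck: a minimal GRE-over-IPv4 encapsulator and decapsulator in Python following RFC 2784 (a flags/version word, protocol type 0x0800 for an IPv4 payload, and the optional checksum when the C bit is set). The tunnel endpoint addresses, the private inner addresses, and the inner payload are constructed sample values. It also makes the "encryption-optional" bullet concrete: without the checksum a payload modified in transit decapsulates without complaint, and even with it the checksum is only an error check, not authentication or confidentiality, which is what IPSec adds on top of GRE.

```python
"""Added example: GRE-over-IPv4 tunnel encapsulation (RFC 2784).
Not Cisco code; every address and payload below is constructed."""
import ipaddress
import struct

IPPROTO_GRE = 47            # IANA protocol number carried in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800     # GRE protocol-type value meaning "payload is IPv4"
IPPROTO_EXPERIMENT = 253    # RFC 3692 experimental protocol number for the constructed inner packet
GRE_FLAG_CHECKSUM = 0x8000  # C bit in the first GRE word: checksum and Reserved1 present


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used for the IPv4 header and the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def make_inner_packet() -> bytes:
    """Constructed private-addressed packet, the 'IP Packet (Private)' of the earlier slide."""
    payload = b"constructed inner payload"
    return build_ipv4_header("10.1.0.5", "10.2.0.7", IPPROTO_EXPERIMENT, len(payload)) + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, checksum: bool = False) -> bytes:
    """Prepend a GRE header and a public outer IPv4 header to a whole inner packet."""
    if checksum:
        gre = struct.pack("!HHHH", GRE_FLAG_CHECKSUM, ETHERTYPE_IPV4, 0, 0)
        # The GRE checksum covers the GRE header (checksum field zeroed) plus the payload.
        csum = ones_complement_checksum(gre + inner)
        gre = gre[:4] + struct.pack("!H", csum) + gre[6:]
    else:
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    payload = gre + inner
    return build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(payload)) + payload


def gre_decapsulate(outer: bytes):
    """Check the outer IPv4 and GRE headers; return (tunnel_src, tunnel_dst, inner_packet)."""
    if len(outer) < 24:
        raise ValueError("truncated packet")
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or ihl < 20 or len(outer) < ihl + 4:
        raise ValueError("not a usable IPv4 packet")
    if ones_complement_checksum(outer[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if struct.unpack("!H", outer[2:4])[0] != len(outer):
        raise ValueError("IPv4 total length does not match the data")
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    tunnel_src = str(ipaddress.IPv4Address(outer[12:16]))
    tunnel_dst = str(ipaddress.IPv4Address(outer[16:20]))
    flags_ver, proto_type = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_ver & 0x0007 or proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE version or payload protocol")
    gre_len = 4
    if flags_ver & GRE_FLAG_CHECKSUM:
        gre_len = 8
        # A checksum over header plus payload, checksum field included, folds to zero when intact.
        if len(outer) < ihl + 8 or ones_complement_checksum(outer[ihl:]) != 0:
            raise ValueError("GRE checksum mismatch")
    return tunnel_src, tunnel_dst, outer[ihl + gre_len:]


def accepted(outer: bytes) -> bool:
    """True if the receiving tunnel endpoint would decapsulate the packet without error."""
    try:
        gre_decapsulate(outer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = make_inner_packet()
    outer = gre_encapsulate(inner, "203.0.113.10", "198.51.100.20", checksum=True)
    src, dst, recovered = gre_decapsulate(outer)
    print(f"{len(outer)}-byte outer packet {src} -> {dst} carries a {len(recovered)}-byte inner packet")
    damaged = bytearray(outer)
    damaged[-1] ^= 0x01          # flip one bit of the inner payload "in transit"
    print("damaged packet accepted:", accepted(bytes(damaged)))
```

The outer header is what the service provider backbone routes on; the inner addresses stay private and never appear in routing tables outside the tunnel. Compare the checksum and no-checksum variants on a damaged packet to see why GRE alone is a transport mechanism and not a security control.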

What Is IPSec?
- Network-layer encryption and authentication
- Open standards for ensuring secure private communications over any IP network, including the Internet
- Data protected with network encryption, digital certification, and device authentication
- Scales from small to very large networks

What Is Internet Key Exchange (IKE)?

- Automatically negotiates policy to protect communication
- Authenticated Diffie-Hellman key exchange
- Negotiates security associations for IPSec

[Figure: IKE policy negotiation. The proposals offered are "3DES, MD5, and RSA Signatures", or "IDEA, SHA, and DSS Signatures", or "Blowfish, SHA, and RSA Encryption"; the peers settle on "IDEA, SHA, and DSS Signatures" and the IKE policy tunnel is established]

DES = Data Encryption Standard
MD5 = Message Digest algorithm 5
RSA = Rivest-Shamir-Adleman algorithm
IDEA = International Data Encryption Algorithm
SHA = Secure Hash Algorithm
DSS = Digital Signature Standard
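An added illustration of the "authenticated Diffie-Hellman key exchange" bullet, written for this page and not part of Cisco's material: two peers agree on a Diffie-Hellman secret, bind it to a pre-shared key the way IKEv1's pre-shared-key mode does (SKEYID = prf(psk, Ni | Nr)), prove that to each other with a keyed hash, and only then derive keys for the IPSec security association. The group (p = 23, g = 5), the peer identities, the byte layout of the authentication transcript, and the SA key labels are constructed toy values standing in for IKE's MODP groups and exact payload formats, and the negotiated PRF is fixed here to HMAC-SHA-256. The exchange is run with matching keys, with a mismatched key, and with a public value altered on the path, to show what the authentication step catches that plain Diffie-Hellman would not.

```python
"""Added example: authenticated Diffie-Hellman in the style of IKEv1 pre-shared-key mode.
Not Cisco code; the group, identities and transcript layout are constructed toy values."""
import hashlib
import hmac
import secrets

# Constructed toy group standing in for IKE's MODP groups; far too small for real use.
P, G = 23, 5
ELEM_LEN = 2  # bytes used to encode one element of this toy group


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function; IKE negotiates this, here fixed to HMAC-SHA-256."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    """One IKE endpoint: identity, pre-shared key, fresh DH exponent and nonce."""

    def __init__(self, ident: bytes, psk: bytes):
        self.ident = ident
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 1   # private exponent in [1, p-2]
        self.pub = pow(G, self.priv, P)             # g^x mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)

    def shared_secret(self, peer_pub: int) -> bytes:
        return pow(peer_pub, self.priv, P).to_bytes(ELEM_LEN, "big")


def derive_keys(psk: bytes, n_i: bytes, n_r: bytes, shared: bytes):
    """SKEYID = prf(psk, Ni | Nr) as in IKEv1 PSK mode, then keying material for the IPSec SA."""
    skeyid = prf(psk, n_i + n_r)
    keymat = prf(skeyid, shared + n_i + n_r)
    return skeyid, {"enc": prf(keymat, b"enc"), "auth": prf(keymat, b"auth")}


def auth_tag(skeyid: bytes, shared: bytes, pub_own: int, pub_peer: int, ident: bytes) -> bytes:
    """Proof of knowledge of the PSK (via SKEYID) and the DH secret, bound to what this side saw."""
    transcript = (shared + pub_own.to_bytes(ELEM_LEN, "big")
                  + pub_peer.to_bytes(ELEM_LEN, "big") + ident)
    return prf(skeyid, transcript)


def run_exchange(psk_initiator: bytes, psk_responder: bytes, tamper_in_transit: bool = False):
    """Run one exchange; return (authenticated, initiator_sa_keys, responder_sa_keys)."""
    init = Peer(b"branch-router", psk_initiator)
    resp = Peer(b"home-gateway", psk_responder)

    # Messages 1 and 2: public values, nonces and identities cross the public network in the clear.
    # With tamper_in_transit, an on-path device swaps the initiator's public value for another
    # group element before the responder sees it (constructed failure case).
    pub_i_as_seen = (init.pub * G) % P if tamper_in_transit else init.pub

    shared_i = init.shared_secret(resp.pub)
    shared_r = resp.shared_secret(pub_i_as_seen)
    skeyid_i, keys_i = derive_keys(init.psk, init.nonce, resp.nonce, shared_i)
    skeyid_r, keys_r = derive_keys(resp.psk, init.nonce, resp.nonce, shared_r)

    # Messages 3 and 4: each side sends its authentication hash; the other recomputes it
    # from its own view of the exchange and compares in constant time.
    tag_i = auth_tag(skeyid_i, shared_i, init.pub, resp.pub, init.ident)
    tag_r = auth_tag(skeyid_r, shared_r, resp.pub, pub_i_as_seen, resp.ident)
    resp_accepts = hmac.compare_digest(
        tag_i, auth_tag(skeyid_r, shared_r, pub_i_as_seen, resp.pub, init.ident))
    init_accepts = hmac.compare_digest(
        tag_r, auth_tag(skeyid_i, shared_i, resp.pub, init.pub, resp.ident))
    return init_accepts and resp_accepts, keys_i, keys_r


if __name__ == "__main__":
    cases = [("matching PSK", {}),
             ("wrong PSK on responder", {"psk_responder": b"wrong"}),
             ("public value altered in transit", {"tamper_in_transit": True})]
    for label, overrides in cases:
        args = {"psk_initiator": b"example-psk", "psk_responder": b"example-psk", **overrides}
        ok, k_i, k_r = run_exchange(**args)
        print(f"{label:35s} authenticated={ok} same SA keys={k_i == k_r}")
```

Plain Diffie-Hellman would leave both peers with a working but attacker-controlled key in the tampered case; the keyed authentication hash is what turns the exchange into an authenticated one, and it is only after that check passes that the derived enc/auth keys are handed to IPSec.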

IPSec VPN Client Operation


[Figure: a remote user with an IPSec client reaches the home gateway router across the public network; the home network behind the gateway includes a certificate authority and AAA server]

Sequence shown:
- Dial access to corporate network
- Exchange X.509 certificate or one-time password
- IKE negotiation
- Authentication approved
- Secure tunnel established
- Encrypted data flows

Access, Intranet, and Extranet VPNs


Three Types of VPNs

[Figure: the three types are arranged along a time axis, in the order listed below]

Type                                 | Application                        | Alternative to        | Benefits
Remote access VPN                    | Mobile users, remote connectivity  | Dedicated dial, ISDN  | Ubiquitous access, lower cost
Intranet VPN (site-to-site)          | Internal connectivity              | Leased line           | Extend connectivity, lower cost
Extranet VPN (business-to-business)  | External connectivity              | Fax, mail, EDI        | Facilitates e-commerce

Access VPNs

Potential Operations and Infrastructure Cost Savings

[Figure: a mobile user, corporate telecommuter, or small office gets ubiquitous access (modem, ISDN, xDSL, cable) through Service Provider A's network access server to the enterprise, whose DMZ holds web servers, a DNS server, and an SMTP mail relay, with AAA and CA behind it. Tunnels are client initiated or NAS initiated]

DNS = Domain Name System
SMTP = Simple Mail Transfer Protocol
DMZ = Demilitarized Zone (PCs directly connected online)
NAS = Network Access Server

Access VPN Operation Overview

[Figure: mobile users and telecommuters dial into a POP NAS; a tunnel crosses the SP network/Internet to the home gateway on the corporate intranet, which consults a security server]

1. VPN identification
2. Tunnel to home gateway
3. User authentication
4. PPP negotiation with user
5. End-to-end tunnel established

The Intranet VPN


Extends the Corporate IP Network Across a Shared WAN

[Figure: remote and regional offices connect through Service Provider A to the enterprise, whose DMZ holds web servers, a DNS server, and an SMTP mail relay, with AAA and CA behind it]

Potential Operations and Infrastructure Cost Savings

The Extranet VPN

Extends Connectivity to Business Partners, Suppliers, and Customers

[Figure: a supplier and a business partner on Service Provider B connect through Service Provider A to the enterprise, whose DMZ holds web servers, a DNS server, and an SMTP mail relay, with AAA and CA behind it]

Security Policy Very Important

Intranet/Extranet VPN
[Figure: intranet VPN between the Company A core site (intranet WAN router, intranet VPN router, extranet VPN firewall appliance) and a Company A remote site using an integrated VPN router with broadband access; extranet VPN to Company B's VPN firewall router appliance; transport over the Internet, IP, FR, or ATM]

VPN Examples


Health Care Company Intranet Deployment


Challenge: a low-cost means for connecting remote sites with the primary hospital

[Figure: remote centers connect over the public network to the primary hospital's private network]

Branch Office or Telecommuters


Challenge: a cost-effective means for connecting branch offices and telecommuters to the corporate network

[Figure: branch offices and telecommuters reach the corporate network across the public network]

- IPSec encrypts traffic from remote sites to the enterprise, for any application
- IPSec may be combined with other tunnel protocols, e.g., GRE
- Telecommuters can gain secure, transparent access to the corporate network
