1113 0973_05F9_c2
© 1999, Cisco Systems, Inc.
New Developments For The Enterprise Virtual Private Network, Session 1113
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
Agenda
• VPN Choices—Choosing What’s Right for You
• The Building Blocks of a VPN
  Security
  Quality of Service
  Network and Service Monitoring
• Real World Implementations
• Q&A
What Are VPNs?
Connectivity deployed on a shared infrastructure with the same policies and ‘performance’ as a private network, with lower total cost of ownership.
[Figure: Central/HQ connected over a Virtual Private Network (Internet, IP, FR, ATM) to Regional Sites, Branches, SoHo, Telecommuters, Mobile Users, Partners and Customers]
Comprehensive E-VPN Solutions
New!
  1. Platforms: Cisco 7100 Integrated VPN Router; VPN Optimized Routers
  2. Security: VPN Client; Enhanced IPSec; IOS Firewall Phase 2; Tunnel Endpoint Discovery
  3. Services: Network-Based Application Recognition; VPN End-to-End QoS; Class Based Queuing
  4. Appliances: PIX 515 Firewall
  5. Management: QoS Policy Manager 1.0
Delivered: IOS Firewall, IP QoS, NetRanger 2.2, Security Mgr 1.0, 3DES, IP/ATM QoS, NetSonar 2.0, ACL Mgr 1.0, Time-based ACLs, SLA Monitoring, IPM 2.0
Spanning Access VPN, Intranet VPN and Extranet VPN
Extending the Classic WAN
[Figure: the classic WAN (Leased Lines, ATM, Frame Relay, Dial/ISDN) serving Branch Sites and Telecommuters, extended by an IP-VPN over the Internet to Mobile Users, Partners and Customers]
• New issues
  Networking infrastructure
  Security and management infrastructure
VPN Types and Applications

Type                        Application                                  As Alternative To      Benefits
Remote Access VPN           Remote Connectivity                          Dedicated Dial, ISDN   Ubiquitous Access, Lower Cost
Site-to-Site Intranet VPN   Internal Connectivity                        Leased Line            Extend Connectivity, Lower Cost
Extranet VPN                Business-to-Business External Connectivity   Fax, Mail, EDI         Facilitates E-Commerce
VPN Requirements
[Figure: Core Networking Services Infrastructure (Platforms, Appliances) surrounded by the requirements: Security, Policy Management, Network Management, Network and Service Monitoring, QoS, Scalability, Open Architecture, End-to-End Networking]
Security Aspects of VPNs
• Cyclical process (policy at the center)
• Identity
  Accurately identify users
  Determine what users are allowed to do
• Integrity
  Ensure network availability
  Provide perimeter security
  Ensure privacy
• Active audit
  Recognize network weak spots
  Detect and react to unwanted activity
• Manageability
  Centralized control of security services
  Scalability, modeling administrative roles
Identity Challenges
• Uniquely and accurately identify network users and devices
• Configure services dynamically
• Scalability
• Provide accounting records
Identity Solutions
• User name and password
• PAP and CHAP
• AAA servers (RADIUS and TACACS+)
• One time passwords
• PKI with digital certificates (X.509) and certificate authorities
• Products: CiscoSecure
Challenges of Integrity
• Control access to information
  Allow authenticated employees and partners seamless access (intranet)
  Restrict access of unauthenticated or untrusted users (extranet)
• Protect against data loss or theft
• Defend against Denial of Service (DoS)
IPSec VPN Client Operation
[Figure: VPN Remote User with IPSec Client, across the Internet, to a 7100/VPN Optimized Router in front of the Email Server, with a Certificate Authority/AAA server]
• Remote user can access a public Internet connection locally and then tunnel encrypted data to the home gateway
• Client uses an X.509 certificate or a one-time password with an AAA server to negotiate an Internet Key Exchange and establish a secure tunnel
• All data is encrypted and allowed only after being fully authenticated
• Allows safe, low cost and ubiquitous access to the corporate network
Remote Access Client Software Highlights: Cisco VPN Client (NEW)
Platforms
• Windows 95
• Windows 98
• Windows NT 4.0
Interoperability
• IPSec and IKE with DES/3DES
• Interoperable with IPSec in Cisco IOS software
Features
• Simple to use policy editor
• Transparent to end-user
• Dynamic addressing
• AAA support through IOS Firewall feature set
• Digital certificate support from Verisign, Netscape and Entrust with Certificate Enrollment Protocol (CEP)
Policy Management
• Centrally configurable policy
• Can prevent end-users from changing policy
• Optionally prevent direct Internet access when IPSec tunnel is active
Cisco VPN Software Solutions (New)
• IPSec VPN client: IRE SafeNet/Soft-PK
  Tunnel mode or transport mode security
  DES, 3DES, MD5, and SHA-1 algorithms
  IKE (Internet Key Exchange using ISAKMP/Oakley)
  Authenticate via digital signatures and X.509 certificates
• PKI/certificate authority partners
  Entrust Technologies
  Netscape Communications
  Verisign
  Baltimore Technologies
IPSec Enhancements (New)
• Tunnel Endpoint Discovery (TED)
  Dynamically determines tunnel endpoint
  Removes the requirement to pre-configure tunnel endpoints for each router
  Eases deployment of intranet/extranet networks
Integrity Solutions
• Tunnels
• Firewalls
• Access control lists
• Route authentication
• Products: PIX Firewall, Cisco IOS devices, Cisco IOS Firewall
PIX™ 515 Firewall (New)
• Dedicated appliance
• Aggressively priced
• Hybrid design
  Adaptive Security Algorithm (ASA)
  Cut-through proxy (patent-pending)
• High-performance
  Up to 128,000 simultaneous sessions
  Up to 170 Mbps throughput
  Up to 6,500 connections per second
• Low-profile chassis
  Single rack unit with up to six integrated 10/100 Ethernet ports
IOS Firewall Phase 2 (New)
• Initial support for 2600, 3600, 7100, 7200 platforms
• Cut-through proxy for user authentication and authorization
• Embedded intrusion detection capability
• Port application mapping
• SMTP mail attack prevention
• IP fragmentation attack prevention
• CBAC supported apps
Challenges of Active Audit
• Visibility into activity
• Operational scalability
• Signal to noise ratio
• Reactive alarming and posture alteration
• Update attack signatures
Active Audit Solutions
• Proactive vulnerability assessment (security scanning)
• Perpetually updated vulnerability database
• Intrusion detection systems (IDS)
• Products: NetRanger™ and NetSonar™ (new NetRanger appliance; new NetSonar NT version)
NetSonar 2.0
• Windows NT version
• UDP port scanner
• Vulnerability severity ratings
• DNS name resolution
• SNMP scanning module
• Enhanced signature database
• Web-based rules updates
Cisco End-to-End VPN Security
[Figure: Campus with DMZ (NetSonar, NetRanger, PIX, CA/AAA, administrator with Security Manager) connected through a Cisco 7100 Integrated VPN Router and a Cisco VPN Optimized Router to an Internet VPN / IP-VPN, reaching a VPN Client and a Cisco Router at an Extranet Partner]
• VPN Security:
  User Authentication
  Firewalls
  Encryption
  Intrusion Detection
  Vulnerability Scanning
  VPN Client Software
  VPN Optimized and Integrated Routers
  Management
VPN Requirements
[Figure: building-blocks diagram repeated: Core Networking Services Infrastructure (Platforms, Appliances) with Security, Policy Management, Network Management, Network and Service Monitoring, QoS, Scalability, Open Architecture, End-to-End Networking]
QoS in a VPN
[Figure: customer premises equipment at the VPN edge feeding the ISP / SP network]
• ISP / SP Network Functions
• CPE Functions
  Packet classification
  Packet marking
  WAN-link bandwidth management
  Measurement
• QoS Benefits for VPNs
  Adhere to SLA: throughput, latency, availability
  Control congestion
  Make optimum use of VPN WAN link(s)
  Provide bandwidth and priority to mission-critical apps
  Control non-mission-critical applications
  Exploit differentiated services offered by Service Provider
Packet Classification
[Figure: packet classifier at the VPN network edge, on the customer premises]
Policy Specification
• Committed Access Rate (CAR)
• Up to six traffic classes via ToS precedence bits
• Classification by Layer 3 address, Layer 4 port number, URL, application
• Network or external assignment
Traffic Policing in a VPN
[Figure: traffic policing at the HQ or remote office edge toward the Internet]
• Used to enforce a maximum transmit rate (rate limit) for IP traffic
• Can be applied on input or output direction of an interface
• Applied to user-selected traffic classes
• Traffic that exceeds the rate is dropped or reclassified
Network-Based Application Recognition (New)
[Figure: Campus to Campus across the WAN, carrying Mission-Critical, Multimedia and Multi-Service traffic]
• Enhances bandwidth management, providing stateful prioritization by:
  True application type
  URL and sub-URL
  Dynamically assigned ports
• Traditional applications use static port assignments
• New applications (voice, video, web, ERP) use dynamic port assignments
• NBAR monitors session activity based on stateful inspection and URL parsing
• Dynamic packet classification is acted on by downstream QoS features
• Modular Service Definition
Prioritizing VPN Traffic (New)
Flow-Based WFQ
  Flow defined by packet type, source/destination IP address, static port numbers
  Traffic assigned to queues based on flows
  Fair queuing, or relative bandwidth allocation
Class-Based WFQ
  Class defined by user, e.g. all voice traffic: 1st class; ERP: 2nd class; web traffic: 3rd class
  Traffic assigned to queues based on class assignment
  Traffic prioritization based on user-defined minimum bandwidth allocation (% bandwidth or kpps rate)
  [Figure: example allocation of Voice (50%), ERP (30%) and Web (20%)]
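An added Python illustration of the class-based WFQ idea on this slide (not Cisco's CBWFQ implementation): user-defined classes with the 50/30/20 minimum bandwidth allocation shown above, scheduled by deficit round robin so that a congested link is shared in proportion to the weights and an idle class's share flows to the busy ones. The port-to-class mapping and the traffic load are constructed for the example.

```python
"""Class-Based WFQ modelled as deficit round robin over per-class queues."""
from collections import deque
from typing import Dict, List, Tuple

# Minimum bandwidth allocation per class, in percent, as on the slide.
CLASS_WEIGHTS = {"voice": 50, "erp": 30, "web": 20}


def classify(dport: int) -> str:
    """Constructed user policy mapping a destination port to a class name."""
    if 16384 <= dport < 32768:  # RTP voice range (assumption for the example)
        return "voice"
    if dport == 1521:           # ERP database traffic (assumption)
        return "erp"
    return "web"                # everything else, including HTTP


class ClassBasedWFQ:
    """Each round a backlogged class earns weight * quantum bytes of credit and
    sends packets while credit lasts; an idle class forfeits its credit, so its
    share goes to the busy classes instead of being hoarded."""

    def __init__(self, weights: Dict[str, int], quantum: int = 10):
        self.weights = weights
        self.quantum = quantum
        self.queues: Dict[str, deque] = {c: deque() for c in weights}
        self.deficit: Dict[str, int] = {c: 0 for c in weights}

    def enqueue(self, dport: int, size: int) -> str:
        """Classify a packet of `size` bytes and queue it; returns its class."""
        cls = classify(dport)
        self.queues[cls].append(size)
        return cls

    def round(self) -> List[Tuple[str, int]]:
        """One scheduler pass over all classes; returns (class, size) sent."""
        sent = []
        for cls, weight in self.weights.items():
            queue = self.queues[cls]
            if not queue:
                self.deficit[cls] = 0      # no carry-over for idle classes
                continue
            self.deficit[cls] += weight * self.quantum
            # A packet larger than one round's credit waits until credit
            # accumulates, so big packets are delayed rather than starved.
            while queue and queue[0] <= self.deficit[cls]:
                size = queue.popleft()
                self.deficit[cls] -= size
                sent.append((cls, size))
        return sent


def serve(sched: ClassBasedWFQ, rounds: int) -> Dict[str, int]:
    """Run the scheduler for `rounds` passes; bytes transmitted per class."""
    sent = {c: 0 for c in sched.weights}
    for _ in range(rounds):
        for cls, size in sched.round():
            sent[cls] += size
    return sent


def shares(sent: Dict[str, int]) -> Dict[str, float]:
    """Fraction of link bytes each class received (0.0 when nothing was sent)."""
    total = sum(sent.values())
    return {c: (b / total if total else 0.0) for c, b in sent.items()}


def congested_link() -> ClassBasedWFQ:
    """Constructed load: 100 packets of 100 bytes queued for every class."""
    sched = ClassBasedWFQ(CLASS_WEIGHTS)
    for _ in range(100):
        sched.enqueue(20000, 100)   # voice
        sched.enqueue(1521, 100)    # erp
        sched.enqueue(80, 100)      # web
    return sched
```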
VPN End-to-End QoS (New)
• Enables classification for encrypted and tunneled VPNs
• Supports ISP differentiated services offerings
• Preserves QoS signaling end-to-end
[Figure: Tunneled and Encrypted Packet with QoS Preservation: Non-Classified Traffic passes through the Classifier, QoS Marking, the Crypto Engine and Output Queuing, and on to the ISP End-to-End]
IETF Diff-Serv Working Group
• Redefining the IP type-of-service (ToS) byte into the Diff-Serv byte (“DS byte”)
  Signals what QoS to provide to the packet, thus identifying packets as belonging to one class or another
• Fostering common QoS behaviors in the SP network, such as
  Expedited forwarding—guaranteed bandwidth (minimum and maximum) for a traffic class
  Assured forwarding—four classes of forwarding priority, three drop classes within each
• Provides the basis for standards-based QoS in a VPN, end-to-end
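To make the classification, traffic policing and Diff-Serv slides concrete, here is an added Python illustration (not Cisco code, and not how IOS implements CAR): a precedence classifier using the six user classes in the ToS byte, helpers for the Diff-Serv DS byte with EF and AFxy codepoints, and a token-bucket rate limiter whose exceed action is drop or reclassify. The port-to-class policy, the rate and the sample packets are constructed for the example.

```python
"""Classification, Diff-Serv marking and CAR-style policing of VPN traffic."""
from dataclasses import dataclass
from typing import List, Tuple

EF_DSCP = 0b101110  # Expedited Forwarding codepoint (46)


def precedence(tos: int) -> int:
    """IP precedence is the top three bits of the ToS byte."""
    return (tos >> 5) & 0x7


def tos_from_precedence(prec: int) -> int:
    """Precedence 6 and 7 are reserved for network control, hence 'six classes'."""
    if not 0 <= prec <= 5:
        raise ValueError("user traffic classes use precedence 0..5")
    return prec << 5


def af_dscp(cls: int, drop: int) -> int:
    """Assured Forwarding: four classes, three drop precedences each (AFxy)."""
    if cls not in (1, 2, 3, 4) or drop not in (1, 2, 3):
        raise ValueError("AF class 1..4, drop precedence 1..3")
    return (cls << 3) | (drop << 1)


def ds_byte(dscp: int) -> int:
    """Diff-Serv reuses the ToS byte: the DSCP occupies its top six bits."""
    return (dscp & 0x3F) << 2


@dataclass
class Packet:
    t: float      # arrival time in seconds
    size: int     # bytes
    dport: int    # destination TCP/UDP port
    tos: int = 0  # ToS byte, filled in by the classifier


def classify(pkt: Packet) -> int:
    """Layer-4 port to precedence (a constructed policy, not a Cisco default)."""
    if pkt.dport == 1521:       # ERP/database traffic: mission critical
        return 5
    if pkt.dport in (80, 443):  # web
        return 3
    return 0                    # everything else is best effort


class TokenBucket:
    """Rate limiter: rate in bytes/s, burst in bytes, continuous refill."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def conform(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(pkts: List[Packet], rate: float, burst: int,
           exceed: str = "drop") -> Tuple[List[Packet], int]:
    """Classify each packet, then rate-limit the aggregate as CAR would.

    Conforming packets keep their precedence; exceeding packets are dropped
    or, with exceed="remark", forwarded as best effort (precedence 0).
    Returns (forwarded packets, number dropped).
    """
    bucket, out, dropped = TokenBucket(rate, burst), [], 0
    for p in sorted(pkts, key=lambda x: x.t):   # stable sort keeps arrival order
        p.tos = tos_from_precedence(classify(p))
        if bucket.conform(p.size, p.t):
            out.append(p)
        elif exceed == "remark":
            p.tos = tos_from_precedence(0)
            out.append(p)
        else:
            dropped += 1
    return out, dropped


# Constructed sample: four 500-byte ERP packets at t=0, three web packets at t=1.
SAMPLE = [Packet(0.0, 500, 1521) for _ in range(4)] + \
         [Packet(1.0, 500, 80) for _ in range(3)]
```

With a 1000 byte/s rate and 1500-byte burst the fourth packet of each burst exceeds the bucket, which is exactly the case the policing slide describes.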
VPN Requirements
[Figure: building-blocks diagram repeated: Core Networking Services Infrastructure (Platforms, Appliances) with Security, Policy Management, Network Management, Network and Service Monitoring, QoS, Scalability, Open Architecture, End-to-End Networking]
Security Objectives
[Figure: CiscoSecure policy system and Admin managing NetRanger, NetSonar, PIX, Router and NAS across the DMZ and Campus Network, with Internet, Mobile User, Remote Office and Dial-in User access]
• Policy-based
• Centralized command and control
• Secure component conversations
• High availability
• Ease of use
• Administrative roles and authentication methods
• Integrated management of components
Security Policy Management (Delivered)
Security Manager: Policy-Based PIX Management
• Visual security policy development environment
• Scalable, network wide operations for Internet, intranet, and extranet topologies
• Windows-based, manage from Win95/98/NT clients
• Web reports integrate with CiscoWorks2000
VPN QoS Management Objectives
[Figure: QoS Policy Server controlling a Catalyst 8510 campus backbone, a Catalyst 5509 with RSM and a Cisco 7200 Router in front of Enterprise Application Servers and Enterprise Database Servers]
• Prioritize business-critical applications
• Provide centralized policy control
• Enable enterprise-wide QoS services
• Support feature-rich QoS mechanisms
• Integrate directory services in phases
• Deliver enterprise scalability
QoS Monitoring (2H ’99)
CW2000—CiscoView Complete Device Management
• Monitor vital statistics per traffic class
  Throughput
  Queue latency
  Packet drops
  Rate limits
  Traffic policing
• Traffic distribution views of IP precedence or traffic class
QoS Policy Management (Delivered)
QoS Policy Manager: Application Aware Networking
[Figure: QoS Policy Server managing a Catalyst 8540 campus backbone and a Cisco 7200 Router in front of Enterprise Application Servers and Enterprise Database Servers]
• Translates application priority to QoS policy
• Automates policy configuration and auditing
• Configures rich set of QoS services
• Web-based reporting and device import integration with CW2000
Service Monitoring (Delivered)
CW2000—IPM V2.0 Validate Network Service Levels
• WAN troubleshooting
  Measures hop-by-hop response time and availability
  Provides real-time and historical reports
• Service management agent embedded in Cisco IOS
  Cost effective deployment throughout the network
Automated Cisco IOS Configuration (Delivered)
CW2000—ACL Manager Automates Cisco IOS Service Creation
• Web-based application for all IOS platforms
• Extremely scalable, network-wide operations
• Dramatically reduce the time to design, implement, and deploy
• Templates of policy for consistent deployment
VPN Building Blocks
[Figure: building-blocks diagram repeated: Core Networking Services Infrastructure (Platforms, Appliances) with Security, Policy Management, Network Management, Network and Service Monitoring, QoS, Scalability, Open Architecture, End-to-End Networking]
Enterprise VPN Router Requirements
[Figure: platforms positioned by Density (Branch to Core) against Services Performance: Cisco 800, Cisco 1720, Cisco 2600, Cisco 3600, Cisco 7200, Cisco 7200 VXR and Cisco 7500 as VPN Optimized Routers, and the Cisco 7100 Series VPN Router as a dedicated VPN platform]
VPN-Optimized Routers
• High density
• High modularity and flexibility
• Robust VPN services for hybrid private/VPN environments
Cisco 7100 Series Integrated VPN Router
• Low WAN density for VPN topologies
• Robust VPN services
• Focused I/O
VPN Optimized Routers: Cisco 800 Series
• ISDN access for telecommuters and small office
• Integrated firewall
• IPSec (2H ’99)
• Four ISDN/Ethernet models
  Four-port Ethernet hub
  Dual telephone analog ports
  North American and worldwide models
• Fixed configuration
• Cisco IOS technology
VPN Optimized Routers: Cisco 1720 VPN Router
• VPN access
  Cisco IOS technologies: security, QoS, management, reliability/scalability
  RISC processor for encryption performance
  IPSec DES encryption at 512 kbps, 256-byte packets
  Future hardware-assisted encryption @ T1/E1
• Flexibility
  Autosensing 10/100 Fast Ethernet + two WIC slots + AUX port
  Any combination of current 1600 WICs and 2600 dual serial WICs
• Network device integration
  Router, firewall, encryption, VPN tunnel server, DSU/CSU, NT1
  Part of Cisco Networked Office stack
VPN-Optimized Routers: Cisco 2600
• Power branch: RISC processor
• Multiservice: data, voice, video
• Modular: network module slot, two WAN Interface Card (WIC) slots, one AIM slot
• Ethernet, Token Ring, mixed LAN, and 10/100 Fast Ethernet models
• HW encryption AIM, H2 ’99
• Compression AIM
• Optional integrated firewall
VPN-Optimized Routers: Cisco 3600 (Cisco 3620, Cisco 3640)
• Power branch/regional: RISC processor
• Multiservice: data, voice, video
• Modular: 2/4 network module slots (NM), WAN Interface Cards (WIC)
• Ethernet, Token Ring, mixed LAN, and 10/100 Fast Ethernet NMs
• Multi T1/E1 HW encryption NM, H2 ’99
• Compression NM
• Optional integrated firewall
Introducing the Cisco 7100 Series Integrated VPN Router
Comprehensive, Integrated High-End VPN Solutions
Feature Rich Routing
• Industry leading routing
• World-class Cisco IOS
• Fast layer 3 routing: RIP, OSPF, EIGRP, BGP, NHRP, IGRP
Optimized for VPN
• Integrated LAN/WAN
• Range of WAN services
• Single/dual homed configurations
• Extensibility
Rich VPN Services
• Security/tunneling/high-speed encryption
• Firewall and intrusion detection
• Advanced bandwidth management
• Service level validation
• VPN management
Cisco 7100 System Highlights
Performance
• RISC MIPS processor for high throughput and rich VPN services
• Modular VPN services processing architecture
Expansion Slots
• Port adapter slot for LAN/WAN extensibility with Cisco 7XXX series PA
• VPN Service Module slot for IPSec DES/3DES acceleration to 90+ Mbps
Extensive Memory
• 64 MB of system memory for reliable, high-speed services delivery, upgradeable to 256 MB
• 64 MB of packet memory for advanced bandwidth management and high latency networks
• 40 MB flash memory, upgradeable to 110 MB
Integrated I/O
• Dual auto-sensing 10/100 Fast Ethernet
• 4 port serial
• Single or dual port T3/E3 serial or ATM
• Single port OC3 SM
• Dual OC3 MM ports
Cisco 7200 VXR Multifunction VPN-Optimized Router
• Hardware acceleration for encryption and compression
• Up to 6 high-speed LAN/WAN port adapters
• Integrated multiservice switching for voice/video/data VPNs
• High speed security, QoS and tunneling
• Integrated firewalling
IPSec Acceleration
• Integrated IPSec encryption and IP compression
• VIP-distributed crypto engine per VIP on 7500
• 7200/7500 hardware accelerator
  DS3 full duplex 3DES
  2000 tunnels per adapter
• Targets
  VIP distributed: mid ’99
  Hardware acceleration: mid ’99 (7200/7500)
Putting it All Together
[Figure: Campus Infrastructure linked through the Service Provider Infrastructure to Regional Sites, Branches, SoHo, Telecommuters, Mobile Users, Partners and Customers]
• Extensive security
• Rich quality of service
• Service monitoring and audit
• Multiservice integration
• Integrated policy management
• Wide range of platforms and appliances
• Open standards
• Scalability
• End-to-end networking
Technology Partners
[Figure: partner logos grouped as Service Providers, Technologies, Servers, Internet Applications and System Integrators]
VPN Deployment Options
[Figure: the enterprise network role falls from 90% to 50% to 10% as the service provider role rises from 10% to 50% to 90%]
• Network manager 90% / Service provider 10%
  Network manager buys products from VPN vendor; provides ongoing application and configuration management and help desk support; administers security server; manages network
  Service provider supplies basic Internet access
• Network manager 50% / Service provider 50%
  Service provider supplies VPN equipment and adds QoS to bandwidth offering
• Net manager 10% / Service provider 90%
  Service provider supplies complete VPN solution, including service, training, and help desk
Source: Infonetics, 1997
Choosing a Service Provider
Over 120 Certified Service Providers Worldwide
VPNs From CPNs
• @Home, Infornet, Pilot Network Services, BellSouth, Ameritech, Hong Kong Telecom, IXC Communications, Swisscom, TopNet AG, Equant, WorldCom, US West, GlobalOne, KPN, Telemedia International…
Service Level Agreements
• Typical service level agreement*

Overall network availability   99.7%
Dial port availability         99.5%
End-to-end latency             150 ms roundtrip
Local loop availability        99.7%
Packet loss                    <1%
Firewall updates               Within 24 hours of alert

*Source: Forrester Research
Implementation Issues
• Which users/sites/customers/partners will move to the VPN?
• How will the VPN impact my security “wheel”?
• What applications will the VPN need to support now? In future?
• How do I allocate bandwidth?
• What will be the role of the ISP?
• How will my devices interoperate with those of the ISP?
• What impact will the VPN have on my campus/LAN environment?
• How scalable is the solution?
Possible Next Steps…
[Figure: Remote Access, Intranet and Extranet options]
• Decide on remote access/intranet/extranet or combination
• Create security policy incorporating VPNs
• Contact different ISPs
• Trial implementations
Waterbury Hospital
1. Requirement: fast/secure access to patient records
2. Solution: extranet VPN via cable modems and IPSec
[Figure: Physician’s Home/Office with IRE IPSec Client over cable (Cox Communications and Charter Communications cable modems) through an Encrypted IP Tunnel to the hospital’s PIX Firewall and Cisco 3640; T1 links via ChimeLink to the CT Hospital Association and to a Cisco 7206 at the Laurel Clinical Data Repository]
3. Benefit: high-speed access to new applications; more detailed patient information for doctors
Financial Data Corporation
1. Requirement: reduce WAN costs for sending mission critical real-time financial data
2. Solution: intranet IP VPN to 10 regional offices
[Figure: Corporate HQ (Northeast) and 10 Regional Offices, each with a Cisco 1720 and a T1 into the Sprint IP Network, joined by Encrypted IPSec Tunnels]
3. Benefit: annual line charges decline from $1+M to $180K
Keesal, Young & Logan Law Firm
1. Requirement: reduce line charges from Hong Kong to Long Beach CA
2. Solution: encrypted IPSec tunnel across the Internet; 56k leased line improved to 256k Internet connection
[Figure: Cisco 1720 in Hong Kong on a 256k link to a POP, Encrypted IPSec Tunnel across the Internet to a POP and a T1 into the USA office (Cisco 2524, Cat5000)]
3. Benefits: save 30-40% on access charges; ROI in 6 months
Leading Multinational Food Corporation
1. Requirement: cost-effective supplier connectivity; extension of corporate net
2. Solution: dedicated access; Internet based VPN; encrypted tunnels
[Figure: Midwest and South Carolina sites with T1 dedicated access, a South America Manufacturing Plant (128 kbps, 10BaseT) and an Asia Trusted 3rd Party, connected through several ISPs and the Internet Backbone by 40-bit DES GRE tunnels with ACLs]
3. Benefits: reduced access costs; secure networking; international connectivity
Most Comprehensive E-VPN Solutions
New!
  1. Platforms: Cisco 7100 Integrated VPN Router; VPN Optimized Routers
  2. Security: VPN Client; Enhanced IPSec; IOS Firewall Phase 2; Tunnel Endpoint Discovery
  3. Services: Network-Based Application Recognition; VPN End-to-End QoS; Class Based Queuing
  4. Appliances: PIX 515 Firewall
  5. Management: QoS Policy Manager 1.0
Delivered: IOS Firewall, IP QoS, NetRanger 2.2, Security Mgr 1.0, 3DES, IP/ATM QoS, NetSonar 2.0, ACL Mgr 1.0, Time-based ACLs, SLA Monitoring, IPM 2.0
Spanning Access VPN, Intranet VPN and Extranet VPN
Multiphase E-VPN Strategy
[Figure: roadmap from Classic WAN to E-VPN (Now) to Accelerated VPN to Enhanced Multiservice VPN, across 1. Platforms, 2. Security, 3. Services, 4. Appliances, 5. Management and Partners, for Access VPN, Intranet VPN and Extranet VPN]
Resources
• White papers
  IP VPN Primer
  Security Management
  Quality of Service
• http://www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/
Q&A
Please Complete Your Evaluation Form, Session 1113