Virtual Private Networks
Ng Tock Hiong, Systems Engineering Manager
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 1


Slide 2: Agenda
- Remote Access VPN
  – IPSec
  – SSL
- Site to Site VPN
  – Problem Statement
  – Site to Site VPN Technologies
  – GETVPN
- Summary
- Q & A

Slide 3: Remote Access VPN

Slide 4: SSL VPN and IPSec Connectivity Profiles
SSL VPN:
- Uses a standard web browser to access the corporate network
- SSL encryption native to the browser provides transport security
- Applications are accessed through a browser portal
- Limited client/server applications are accessed using applets
IPSec VPN:
- Uses purpose-built client software for network access
- The client provides encryption and desktop security
- The client establishes a seamless connection to the network
- All applications are accessible through their native interface

Slide 5: SSL VPN and IPSec Solution Characteristics
SSL VPN: using a web browser for remote access enables:
- Anywhere access
- Access from non-corporate machines
- Customized user portals
- Granular access control
- Easy firewall traversal from any location
IPSec VPN: using an IPSec client for remote access enables:
- Access to any application
- Native application interfaces
- Consistent user experience
- Embedded security, such as a personal firewall

Slide 6: Comprehensive Secure Connectivity: VPN Services for Any Access Scenario
(Figure: ASA 5500 between the Public Internet and the corporate network, terminating Clientless SSL VPN and Client-based SSL or IPSec VPN sessions for the scenarios below.)
- Partner Access: requires "locked-down" access to specific extranet resources and applications
- Company Managed Desktop: remote access users require seamless, easy to use access to corporate network resources
- Public Kiosk: remote users may require lightweight access to web-based applications from a public machine
- Company Managed Desktops at Home: day extenders and mobile employees require consistent, LAN-like, full-network access to corporate resources and applications

Slide 7: Cisco ASA 5500 Series: Threat Protected VPN Services
Leveraging On-Board Security to Protect the VPN
(Figure: threat vector toward the ASA 5500 and the remote access VPN user: worm/virus, unwanted application, spyware, illegal access, exploit.)
- Threat Mitigation: incident control; virus detection; worm mitigation; spyware detection
- Application Firewall and Access Control: application inspection/control; granular, per-user/group access control; protocol anomaly detection; stateful traffic filtering
- Accurate Enforcement: real-time correlation; risk rating; attack drop; session removal and resets
- Comprehensive Endpoint Security: pre-connection posture assessment; malware mitigation; session/data security; post-session clean-up
Leverages the depth of threat defense features to stop malicious worms, viruses, and more, without external devices or performance loss!

Slide 8: Cisco ASA 5500 Software v8.0 Introduces Significant Enhancements in Clientless Access (New in 8.0!)
- Precise, granular access control to specific resources
- Enhanced portal design: localizable, RSS feeds, personal bookmarks, AnyConnect Client access
- Drag-and-drop file access and webified file transport
- Transformation enhancements, including Flash support
- Head-end deployed applets for telnet, SSH, RDP, and VNC; the framework supports additional plug-ins
- Advanced port forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on the client PC

Slide 9: Cisco AnyConnect Client (New!)
- Next generation VPN client, available on many platforms including:
  – Windows Vista 32- and 64-bit, Windows XP 32- and 64-bit, and Windows 2000
  – Mac OS X 10.4 (Intel and PPC)
  – Intel-based Linux
  – Windows Mobile 5 Pocket PC Edition
- Stand-alone, Web Launch, and Portal connection modes
- Start Before Login (SBL) and DTLS support (Windows 2000 and XP only)

Slide 10: Comprehensive Endpoint Security (New in 8.0!)
- Cisco Secure Desktop (CSD) now supports hundreds of pre-defined products, updated frequently: anti-virus, anti-spyware, personal firewall, and more
- Administrators can define custom checks, including running processes
- CSD posture policy is presented visually to simplify configuration and troubleshooting

Slide 11: Enhanced Remote Access Security (New in 8.0!)
- Enhanced authorization using policies and group information
- Embedded Certificate Authority (CA)
- Virtual keyboard option
- Group/User-to-VLAN mapping support

Slide 12: Site to Site VPN

Slide 13: Problem Statement
- Today's enterprise WAN technologies force a trade-off between QoS-enabled branch interconnectivity and transport security
  – Networked applications such as voice, video and web-based applications drive the need for instantaneous, branch-interconnected, QoS-enabled WANs
  – The distributed nature of network applications results in increased demands for scalable branch-to-branch interconnectivity
  – Increased network security risks and regulatory compliance have driven the need for WAN transport security
  – Need for balanced control of security management between enterprises and service providers
- Service providers want to deliver security services on top of WANs such as MPLS without compromising their SLAs

Slide 14: S-S VPN Technology Positioning & Differentiators
(Table columns: DMVPN | GET VPN | IPSec (P2P/GRE) | Easy VPN with VTI)
When to use?
  DMVPN: replacement for / existing traditional FR/ATM WAN; alternative/backup WAN; virtualize WAN infrastructure
  GET VPN: existing private WAN (FR/ATM); encryption on IP VPN without tunnels; virtualize WAN infrastructure
  IPSec (P2P/GRE): replacement for / existing traditional FR/ATM WAN; alternative/backup WAN
  Easy VPN with VTI: replacement for / existing traditional FR/ATM WAN; alternative/backup WAN
What it does?
  DMVPN: simplifies configuration for hub & spoke VPNs; provides low-scale, on-demand meshing
  GET VPN: provides scalable, full-time any-to-any secure connectivity; enables participation of smaller routers in large meshed networks; simplified key management
  IPSec (P2P/GRE): encryption of the pipe
  Easy VPN with VTI: simplifies configuration for hub & spoke VPNs
Scale
  DMVPN: high-scale hub/spoke, low-scale meshing
  GET VPN: any-scale hub/spoke, any-scale mesh
  IPSec (P2P/GRE): high-scale hub/spoke for IPsec (low scale for GRE)
  Easy VPN with VTI: high-scale hub/spoke
Native multicast
  DMVPN: no (treats it like unicast traffic by tunneling it)
  GET VPN: yes
  IPSec (P2P/GRE): no (treats it like unicast traffic by tunneling it)
Dynamic routing
  DMVPN: yes (overlay routing)
  GET VPN: yes (no overlay routing)
  IPSec (P2P/GRE): yes for GRE (overlay routing)
  Easy VPN with VTI: no (not supported by BU)
Failover method
  DMVPN: routing based
  GET VPN: routing, stateful (?)
  IPSec (P2P/GRE): stateful failover
QoS: yes
Keys
  DMVPN: peer-based
  GET VPN: group-based
  IPSec (P2P/GRE): peer-based

Slide 15: DMVPN – How it Works
- DMVPN is a Cisco IOS Software solution for building IPsec+GRE VPNs in an easy and scalable manner
- Relies on two proven Cisco technologies:
  – Next Hop Resolution Protocol (NHRP): the hub maintains an NHRP database of all the spokes' real (public interface) addresses; each spoke registers its real address when it boots; spokes query the NHRP database for the real addresses of destination spokes to build direct tunnels
  – Multipoint GRE tunnel interface: allows a single GRE interface to support multiple IPsec tunnels; simplifies the size and complexity of the configuration
- DMVPN does not alter the standards-based IPsec VPN tunnels, but it changes their configuration

Slide 16: DMVPN – How it Works (Cont.)
- Spokes have a permanent IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server.
- When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination spoke
- Now the originating spoke can initiate a dynamic IPsec tunnel to the target spoke (because it knows the peer address)
- The spoke-to-spoke tunnel is built over the mGRE interface

Slide 17: Mesh VPN Issues
1. In a tunneled IPsec network (e.g., hub-and-spoke) system administrators can accurately predict which VPN gateways will set up VPN connections with which other VPN gateways. But this isn't true in a partial or full mesh of IPsec connections! Connections are built on an ad-hoc basis depending on application traffic (e.g., VoIP, video) flows.
2. In a hub-and-spoke topology system administrators can accurately predict the cryptographic capacity needed at each VPN gateway. But this isn't true in a partial or full mesh! The system administrators are faced with either:
  – Making an educated guess (which potentially affects the reliability of the VPN), or
  – Outfitting the entire system with costly high-capacity VPN gateways.
3. Management & synchronization of IKE/IPsec state on 100s or 1000s of VPN gateways is problematic.

Slide 18: Mesh VPN Issues (Cont.)
4. Native IP multicast may be available across the provider network, but traditional VPN technologies protect it with tunneling, which destroys the efficiency of using IP multicast!
5. In a hub-and-spoke topology VoIP packets are not optimally sent between spokes:
  – Packets sent through the hub suffer from added latency
  – The hub takes an unnecessary load
  – If packets do also start flowing directly between spokes, the packets can be delivered out of order, which affects the voice quality

Slide 19: Pair-wise Tunnel Issues
- Pair-wise authentication: before the tunnel can be set up, the VPN gateways must authenticate each other with IKE. IKE is a cryptographically expensive protocol, and there are limits to the number of simultaneous IPsec sessions that can be set up at a VPN gateway protecting a large enterprise network.
  – Note: such a VPN gateway must be sized not according to the maximum bandwidth load but to the number of IKE peers that it can handle!

Slide 20: Pair-wise Tunnel Issues (Cont.)
- Tunneled data packets: VPN gateways use IP tunnel mode, with new addresses that are routed differently
  (Figure, tunnel mode: [New IP Header][ESP][Original IP Header][Data])
- IPsec does include a transport mode, but it is inadvisable for IPsec gateways to use transport mode to protect data packets between themselves:
  – This can require fragment re-assembly, which can overly tax the route processor
  – Use of ESP transport mode is risky for group traffic since the receiver cannot detect a third party changing the source and/or destination address
  (Figure, transport mode: [IP Header][ESP][Data])

Slide 21: Using Group Security to Avoid the Barriers
- Use a new type of IPsec tunnel mode: recall that routers cannot use IPsec transport mode for this application. But we can use a new tunnel mode type which uses the original source and destination addresses in the outer header. This allows IPsec gateways to encapsulate both packets and fragments, but still create packets that are routable using the host source and destination addresses. This is called "tunnel mode with address preservation".
  (Figure: [Original Src/Dst][ESP][Original IP Header][Data])
- Note: tunnel mode with preservation is required for protecting native IP multicast packets. GET VPN also applies it to unicast packets.

Slide 22: Cisco Group Encrypted Transport (GET) VPN – Solution for Tunnel-less VPNs
Cisco GET VPN delivers a revolutionary solution for tunnel-less, any-to-any branch confidential communications:
- Large-scale any-to-any encrypted communications
- Native routing without a tunnel overlay
- Optimal for QoS and multicast support; improves application performance
- Transport agnostic: private LAN/WAN, FR/ATM, IP, MPLS
- Offers flexible span of control among subscribers and providers
- Available on Cisco Integrated Services Routers, Cisco 7200 and Cisco 7301 with Cisco IOS 12.4(11)T
(Figure: Cisco GET VPN: any-to-any connectivity, real time, scalable.)

Slide 23: Basic GET VPN Architecture
- Two roles:
  – VPN gateways (a.k.a. "group members")
  – Group Controller/Key Server (GCKS) (a.k.a. "key server")
- Step 1: VPN gateways "register" with the GCKS
  – The GCKS authenticates & authorizes the GW
  – The GCKS returns a set of IPsec SAs for the VPN gateways to use
(Figure: GW1 to GW9 around the GCKS; GW1 registering with the GCKS.)

Slide 24: Basic GET VPN Architecture (Cont.)
- Step 2: VPN gateways exchange encrypted traffic using the group keys. The traffic uses the "address preservation" tunnel mode.
- Step 3: The GCKS pushes out replacement IPsec keys before the current IPsec keys expire. This is called a "rekey".
(Figure: GW1 to GW9 exchanging traffic; the GCKS pushing the rekey to all of them.)
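Steps 1 to 3 as a constructed Python model, added here and not Cisco's GDOI implementation: a key server authorizes members at registration and returns the group SA, then pushes a rekey that is wrapped under the group KEK and authenticated with a key-server key. The per-member registration secrets and the HMAC on the rekey are stand-ins for the IKE authentication and RSA rekey signatures real GDOI uses; every other name here is invented for the model.

```python
import hashlib, hmac, secrets

class KeyServer:
    """Constructed GCKS: authorizes group members, issues the group SA, pushes rekeys."""
    def __init__(self, group_id, authorized):
        self.group_id = group_id                   # GDOI identity number of the group
        self.authorized = dict(authorized)         # member id -> secret; stands in for IKE auth
        self.rekey_key = secrets.token_bytes(32)   # stands in for the KS RSA key that signs rekeys
        self.kek = secrets.token_bytes(32)         # key-encryption key, one per group
        self.tek_spi, self.tek = 0x100, secrets.token_bytes(32)   # traffic-encryption key + SPI
    def register(self, member_id, secret):
        """Step 1: authenticate and authorize the GW, then hand it the current group SAs."""
        if not hmac.compare_digest(self.authorized.get(member_id, b""), secret):
            raise PermissionError("registration refused for " + member_id)
        return {"group": self.group_id, "spi": self.tek_spi, "tek": self.tek,
                "kek": self.kek, "rekey_key": self.rekey_key}
    def rekey(self):
        """Step 3: replace the TEK before it expires; wrap it under the KEK and authenticate it."""
        self.tek_spi, self.tek = self.tek_spi + 1, secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        mask = hashlib.sha256(self.kek + nonce).digest()
        wrapped = bytes(a ^ b for a, b in zip(self.tek, mask))
        body = self.group_id.to_bytes(4, "big") + self.tek_spi.to_bytes(4, "big") + nonce + wrapped
        return body + hmac.new(self.rekey_key, body, "sha256").digest()

class GroupMember:
    """Constructed GM: all registered members hold one TEK, so any pair can talk without IKE."""
    def __init__(self, member_id, secret):
        self.member_id, self.secret, self.sa = member_id, secret, None
    def join(self, ks):
        self.sa = ks.register(self.member_id, self.secret)
        return self.sa["spi"]
    def apply_rekey(self, msg):
        """Install the new TEK only if the rekey authenticates under the KS key for our group."""
        body, tag = msg[:-32], msg[-32:]
        if not hmac.compare_digest(hmac.new(self.sa["rekey_key"], body, "sha256").digest(), tag):
            raise ValueError("rekey rejected: authentication failed")
        if int.from_bytes(body[:4], "big") != self.sa["group"]:
            raise ValueError("rekey rejected: wrong group")
        mask = hashlib.sha256(self.sa["kek"] + body[8:24]).digest()
        self.sa["spi"] = int.from_bytes(body[4:8], "big")
        self.sa["tek"] = bytes(a ^ b for a, b in zip(body[24:56], mask))
        return self.sa["spi"]

def rejects(action):
    try:
        action()
        return False
    except (PermissionError, ValueError):
        return True

def run_group():
    """Returns (unknown_member_refused, all_on_new_spi, all_share_ks_tek, forged_rekey_rejected)."""
    ks = KeyServer(1234, {"GW1": b"s1", "GW2": b"s2", "GW3": b"s3"})   # constructed secrets
    members = [GroupMember(i, s) for i, s in ks.authorized.items()]
    for m in members:
        m.join(ks)
    refused = rejects(lambda: GroupMember("GW9", b"guess").join(ks))
    msg = ks.rekey()
    spis = {m.apply_rekey(msg) for m in members}
    forged = msg[:-1] + bytes([msg[-1] ^ 1])   # one bit flipped in the authentication tag
    return (refused, spis == {ks.tek_spi}, all(m.sa["tek"] == ks.tek for m in members),
            rejects(lambda: members[0].apply_rekey(forged)))
```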

Slide 25: GET VPN is a New Security Paradigm: Introducing a New Category, Tunnel-less VPNs
Fueled by demand for agility within a security framework.
Tunnel-less VPN: built in; seamless integration; investment protection; intelligent transport; flexible design
Tunnel-based VPN: bolted on; complex architecture; wasted capital; simple transport; rigid design

Slide 26: Tunnel-less VPN – A New Security Model
Any-to-any encryption: before and after GET VPN (figure: WAN multicast)
Before (IPsec P2P tunnels):
- Scalability is an issue (N^2 problem)
- Overlay routing
- Any-to-any instant connectivity can't be done to scale
- Limited advanced QoS
- Multicast replication inefficient
After (tunnel-less VPN):
- Scalable architecture for any-to-any connectivity and encryption
- No overlays; native routing
- Any-to-any instant connectivity
- Advanced QoS
- Efficient multicast replication

Slide 27: GET VPN Concepts and Relationship
- Key Distribution: GDOI, the key distribution mechanism (RFC 3547)
  – Group keys / keys between peers
  – Encrypted control plane
- Routing Continuity: no overlay routing; IP header preservation
- Multicast Data Protection
  – Encrypt multicast, retaining the IP header of the original packet with IP address preservation
  – Replication in the core based on (S,G)
- Unicast Data Protection: IPSec is a well-known RFC (RFC 2401)
  – Encrypt unicast with IPsec
  – IP header preservation
(Figure: Data Protection (Secure Multicast, Secure Unicast); Key Distribution (Group Domain of Interpretation); Routing (IP Header Preservation).)

Slide 28: Routing Continuity: IPsec Tunnel Mode with IP Header Preservation
- This mode is already necessary when encrypting IP multicast packets in order to preserve the (S,G)
- Mitigates the requirement for a routing overlay network
(Figure:
  Original IP packet: [IP header][IP payload]
  IPsec tunnel mode: [New hdr][ESP][Original IP hdr][IP payload]; the original source and destination IP addresses are encapsulated in tunnel mode
  IP header preservation: [Original hdr preserved][ESP header][IP][IP payload])
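Slides 20, 21 and 28 all turn on where the host addresses sit relative to the ESP integrity check. The Python model below is added here (it is not Cisco's code or part of the deck): it builds the three encapsulations on a constructed 10.1.1.10 to 10.2.2.20 packet, with a toy SHA-256 keystream and an HMAC standing in for ESP's real cipher and ICV, and shows why a transport-mode receiver cannot notice a rewritten outer address while an address-preservation receiver can compare it against the protected inner header. The gateway addresses 203.0.113.1/2 and all function names are assumptions of the model.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address

GROUP_KEY = b"constructed-group-tek"   # assumed shared group key (TEK); constructed, not real
SPI, ESP_PROTO = 0x1000, 50

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left zero in this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_header(pkt):
    """Return (src, dst) of the IPv4 header at the start of pkt."""
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))

def esp_protect(plain, seq=1):
    """Toy ESP: SPI | seq | ciphertext | ICV. It covers only what follows the outer IP header."""
    ks = hashlib.sha256(GROUP_KEY + struct.pack("!II", SPI, seq)).digest()
    body = struct.pack("!II", SPI, seq) + bytes(b ^ ks[i % 32] for i, b in enumerate(plain))
    return body + hmac.new(GROUP_KEY, body, "sha256").digest()

def esp_unprotect(esp):
    body, icv = esp[:-32], esp[-32:]
    if not hmac.compare_digest(hmac.new(GROUP_KEY, body, "sha256").digest(), icv):
        raise ValueError("ICV check failed")
    ks = hashlib.sha256(GROUP_KEY + body[:8]).digest()
    return bytes(b ^ ks[i % 32] for i, b in enumerate(body[8:]))

def encapsulate(mode, inner, gw_src="203.0.113.1", gw_dst="203.0.113.2"):
    """inner: a full IPv4 packet from a host. gw_*: the sending/receiving gateways' addresses."""
    src, dst = parse_header(inner)
    if mode == "transport":      # host header stays outside the ESP envelope, unauthenticated
        esp = esp_protect(inner[20:])
        return ip_header(src, dst, ESP_PROTO, len(esp)) + esp
    esp = esp_protect(inner)     # both tunnel modes protect the whole original packet
    outer = (gw_src, gw_dst) if mode == "tunnel" else (src, dst)   # "preserve": keep host addresses
    return ip_header(*outer, ESP_PROTO, len(esp)) + esp

def receive(mode, pkt):
    """Decapsulate as the receiving gateway; return the (src, dst, data) it will act on."""
    outer = parse_header(pkt)
    plain = esp_unprotect(pkt[20:])
    if mode == "transport":      # only the unprotected outer header carries the addresses
        return outer + (plain,)
    inner = parse_header(plain)
    if mode == "preserve" and inner != outer:   # outer header must match the protected one
        raise ValueError("outer addresses %s differ from protected header %s" % (outer, inner))
    return inner + (plain[20:],)

def rewrite_outer_dst(pkt, new_dst):
    """Constructed on-path change of the outer destination; needs no key."""
    return pkt[:16] + IPv4Address(new_dst).packed + pkt[20:]
HOST_PKT = ip_header("10.1.1.10", "10.2.2.20", 17, 5) + b"hello"   # constructed sample packet
def delivered_after_tamper(mode):
    """What the receiver believes after the outer destination was rewritten in transit."""
    pkt = rewrite_outer_dst(encapsulate(mode, HOST_PKT), "10.9.9.99")
    try:
        return receive(mode, pkt)
    except ValueError as e:
        return "rejected: " + str(e)
```

In transport mode the tampered packet is accepted with the attacker's destination; in preservation mode the mismatch against the authenticated inner header is caught, which is the property the slides rely on for group traffic.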

Slide 29: Summary

Slide 30: Mesh VPN Issues: Applying Existing Site-to-Site VPN Technologies
- Standard IPsec VPN: not intended for large-scale VPNs, so management of high numbers is challenging.
- Cisco Easy VPN: hub-and-spoke technology, doesn't support routing.
- Cisco GRE-based VPN: management of tunnels in high numbers is challenging. Spoke-to-spoke tunnels must be set up manually.
- Cisco DMVPN: hub-and-spoke technology, but has easier configuration and management. Supports spoke-to-spoke tunnels, but initial traffic flows through the hub. Uses GRE, which adds to the packet size. Will not scale to 1000s in full mesh mode.
Our observation: pair-wise tunnels are not going to solve this problem!

Slide 31: Motivation for GET VPN: Solving the Mesh VPN Problem
- Enterprises are increasingly finding the need to set up a set of VPN gateways surrounding a service provider network (e.g., RFC 2547 (BGP/MPLS) networks). In many cases, this is prompted by regulatory requirements such as HIPAA and SO.
- With the inclusion of VoIP and video over IP multicast they are tending toward being a mesh rather than a traditional hub-and-spoke configuration
- The number of VPN gateways is on the order of 100s and 1000s!
(Figure: GW1 to GW9 meshed around the provider network.)

Slide 32: Benefits of Cisco GET VPN
(Table: Previous Limitations | New Feature and Benefits)
- Multicast traffic encryption through IPsec tunnels: not scalable; difficult to troubleshoot
  → Encryption supported for native multicast and unicast traffic with GDOI: allows higher scalability; simplifies troubleshooting; extensible standards-based framework
- Overlay VPN network: overlay routing; sub-optimal multicast replication; lack of advanced QoS
  → No overlay: leverages the core network for multicast replication via IP header preservation; optimal routing introduced in the VPN; advanced QoS for encrypted traffic
- Full mesh connectivity: hub and spoke primary support; spoke-to-spoke not scalable
  → Any-to-any instant enterprise connectivity: leverages the core for instant communication; optimal for voice over VPN deployments

Slide 33: Q & A

