Virtual Private Network Seminar: Extend Your Network to Customers, Partners and Employees with Secure VPN Solutions (Spring 2000)

Upload: reynard-cody-norman

Post on 26-Dec-2015


TRANSCRIPT

Page 1: Copyright © 2000 Intel Network Systems, Inc. Virtual Private Network Seminar Extend Your Network to Customers, Partners and Employees with Secure VPN Solutions

Virtual Private Network Seminar

Extend Your Network to Customers, Partners and Employees with Secure VPN Solutions

Spring 2000

Page 2: AGENDA

• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study

Page 3: INTEL’S STRATEGY

Be the pre-eminent building block supplier to the Internet economy

Page 4: INTEL IS SERIOUS ABOUT NETWORKING

Page 5: Intel Network Systems Vision

Trusted and reliable access from any device over any medium, anytime, anywhere at an affordable price.

Network Systems Mission

Accelerate the use of the Internet as the primary means for business connectivity.

Page 6: INTEL NETWORK SYSTEMS SOLUTIONS

[Figure: product matrix. Market segments: Small Business, Medium Enterprise, Data Center/ISP. Categories: Appliances, LAN, WAN. Products: Standalone Hubs, Standalone Switches, Scalable Stackable Switches, Modular Switches, Routers, VPN Gateways, Access Concentrator, Access Port.]

Page 7: AGENDA

• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study

Page 8: WHAT IS A VPN?

A VPN (Virtual Private Network) is a technology that connects individuals and systems over an IP backbone or the Internet.

• VPNs reduce costs by eliminating expensive leased lines and costly long distance toll charges
• Communications are protected through encryption and authentication technology
• Virtual presence on the local area network (LAN) is established with tunneling technology

[Figure: a Traveling Employee or Telecommuter (VPN Client, Modems) and a Branch Office (Remote LAN, VPN Server) connect through ISPs and the Internet to Headquarters (Corporate LAN, VPN Server).]

Page 9: REMOTE ACCESS APPLICATIONS

[Figure labels: Telecommuter, Road Warrior, Day-Extender, Customer Site, Branch Office, Supplier or Partner Location. Categories: Individual Remote Access, Group Remote Access.]

Page 10: INDIVIDUAL REMOTE ACCESS ALTERNATIVES

• Outsource Networking through a service provider’s private network
• Dial-up Networking through the public switched telephone network
• Virtual Private Network through the Internet

[Figure: three connection paths. Labels: CPE, Local Connection, Long Distance Connection, SP Network, SP POP, Router, Frame Relay, X.25, ATM, Analog, ISDN; PSTN, Modem Server, T1, ISDN, Analog; Internet, Internet POP, VPN Gateway, T1, HDSL, Analog, ADSL, Cable, ISDN.]

Page 11: GROUP REMOTE ACCESS ALTERNATIVES

[Figure: two diagrams connecting San Francisco, New York, Dallas and Chicago. Panel titles: "Fully meshed leased line or frame relay network" and "Fully meshed VPN network". Label: Internet.]

Page 12: THE UPSIDE OF VPN

• One piece of gear
• One pipe
• One network
• Many applications

[Figure: two diagrams serving the same applications (LAN, Intranet, Extranet, Telecommuter, Mobile Professional, World Wide Web, E-Mail). One uses Routers, Dial-up Servers and Firewalls over the Internet, PSTN and Frame Relay; the other uses a VPN Gateway over the Internet.]

Page 13: BENEFITS OF VIRTUAL PRIVATE NETWORKS

• Reduced costs
  – Eliminate long distance toll charges
  – Reduce leased line charges
• High performance
  – Every call is a local call
  – The Internet is a robust public data infrastructure
• Increased security
  – Better than traditional dial up and frame networks
• Unparalleled flexibility
  – Any internet connection
  – Any access technology (Cable, xDSL, etc)

Page 14: WHEN TO USE DIAL-UP NETWORKS, OUTSOURCE NETWORKS AND VIRTUAL PRIVATE NETWORKS

USE DIAL-UP NETWORKING FOR

• Local telecommuters
• On-line transaction applications
• Flexible and rapid implementation
• As a back-up for outsource networks and VPN

USE OUTSOURCE NETWORKING FOR

• Hub and spoke networks
• Multi-protocol networks
• Closed user groups
• Communications within a single country
• No additional IP access allowed/required

USE VIRTUAL PRIVATE NETWORKING

• Fully or partially meshed networks
• IP-only networks
• Linking trading partners
• Road Warrior and site-to-site access
• International connectivity
• Flexible and rapid implementation

Page 15: BENEFITS FOR COMBINING DIRECT DIAL AND VPN BASED SOLUTIONS

• VPN over the Internet is the low cost winner for long distance connectivity
• Direct Dial over the Telephone Network is the most reliable and affordable solution for local access
• Integrated Direct Dial and VPN solutions can also improve performance, security and reliability
  – Direct dial provides a back up to VPN
  – VPN supplements local direct dial capacity when exceptional conditions such as snow storms require it
  – Common security and single authentication methods help implement a unified security policy

Page 16: REMOTE ACCESS ANALYSIS TOOL

Help plan operational costs for remote access networks

http://www.shiva.com/remote/vpnroi

Page 17: AGENDA

• Intel Overview
• Defining VPN
• How VPNs Work
  – Security technologies
    • Encryption
    • Authentication
    • Firewalls
  – Networking technologies
    • Tunneling and tunneling protocols
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study

Page 18: A GENERAL MODEL OF ENCRYPTION

[Figure: Plain Text and a Key enter the Transformation Function F, which outputs Cipher Text.]

• Two general types of cryptographic systems:
  – Asymmetric or ‘public key’ encryption
  – Symmetric or ‘secret key’ encryption

Page 19: ASYMMETRIC CRYPTOGRAPHY

• Used to establish connections
• Key pairs (public / private)
  – Data encrypted with the public key can only be decrypted by the private key
• Relatively slow
• Keys relatively long (up to 2048 bits)
  – Key space 2^2048
• Example:
  – Pretty Good Protection (PGP)
  – Rivest, Shamir, Adleman (RSA)

Page 20: SYMMETRIC CRYPTOGRAPHY

• Used for information moving through the connection
• Single shared key
  – The same key is used to encrypt and decrypt
• Relatively fast
• Keys relatively short (up to 168 bits)
  – Key space 2^168
• Example:
  – Data Encryption Standard (DES)
  – RC4, RC5

Page 21: DATA ENCRYPTION STANDARD (DES)

• US Data Encryption Standard (DES)
• Variants
  – 56-Bit DES
    • Single key; good protection
  – 112-Bit (Triple-pass DES)
    • Two keys, three passes; better protection
  – 168-Bit (3DES)
    • Three independent keys; three passes (encrypt-decrypt-encrypt)
    • Best protection
• Caveats
  – Encryption algorithms need to be safe from brute force attack because of the increasing speed of modern computers
  – Need frequent and automated key exchanges
  – Compute intensive; requires hardware acceleration on server side
  – US export and International import restrictions

Page 22: KEY MANAGEMENT

Key management controls the distribution and use of encryption keys

– Asymmetric algorithms reveal the public key and conceal the private key
  • Public keys are exchanged
  • Private keys are secured
– Symmetric algorithms require a secure key exchange mechanism
  • Key secrecy must be maintained during key exchange

Page 23: VPN AUTHENTICATION SERVICES

• Ensure the identity and authority of the VPN participants
• Choices include:
  – Technologies: passwords, challenge phrase, hard and soft tokens with one-time passwords, and X.509 digital certificates
  – Products: NT Domains*, NDS*, RADIUS, SDI*, Entrust*, Shiva® CA
• A VPN solution should allow you to select the authentication method that matches your needs
• Recommend the use of digital certificates
  – X.509 digital certificates are de facto standard
  – Better authentication than passwords and tokens
  – Identify individuals and systems
  – Client and system operate even when certificate authority is unreachable

* Such trademarks belong to their respective companies

Page 24: WHAT ARE CERTIFICATES?

• Certificates are digital documents attesting to the binding of a public key to an individual or other entity
• Certificates allow verification of the claim that a specific public key does in fact belong to a specific individual
• Certificates contain
  – A public key and a name
  – Expiration date
  – Name of the certifying authority that issued the certificate
  – A serial number
  – Other information
• Most importantly, certificates contain the digital signature of the certificate issuer

Page 25: VPN FIREWALL SERVICES

• Integrated firewall capabilities enhance the flexibility and security of a VPN solution
• Integrated firewall capabilities:
  – Control traffic flow in and out of the corporate network
  – Limit access of VPN tunnel traffic to specific resources
  – Provide a stand-alone solution for branch office applications
• An integrated firewall should provide:
  – Packet filtering
  – Network address translation (NAT) for non-VPN traffic
  – Inbound & outbound proxies
  – Sequence-based examination of traffic
  – State-based examination of traffic

Page 26: WHAT IS TUNNELING

[Figure: a remote system reaches the corporate network through an ISP, the Internet and a VPN Server. Address labels: A: 10.0.1.3, B: 10.0.1.5, B: 10.0.1.6, C: 192.60.75.3, D: 200.176.43.11. Original packet: Destination A, Source B, Data. Tunneled packet: Destination C, Source D, carrying the original packet (A, B, Data) Encrypted.]

Page 27: TUNNELED PACKETS

[Figure: packet layouts. Original packet fields: Des Port, Src Port, Protocol, Payload, Des IP, Src IP. Tunneled packet outer fields: Des Port = 2233, Src Port = 2233, Protocol = UDP, Des Enc IP, Src Enc IP, with the Payload holding the original packet (Des Port, Src Port, Protocol, Payload, Des IP, Src IP).]

Encrypted with unique Packet Key
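
The encapsulation drawn on the two tunneling slides above, as an added Python example (not from the original deck or any vendor product): the inner packet from B to A is encrypted whole under a per-packet key and carried in a UDP port 2233 packet from D to C, so an on-path observer sees only the gateway addresses. The tunnel key, inner port 5000, payloads, and the HMAC-SHA256 keystream standing in for the gateway's cipher are assumptions.

```python
import hashlib
import hmac
import socket
import struct

# Addresses and the UDP port come from the slides; key and payload are constructed.
HOST_A, HOST_B = "10.0.1.3", "10.0.1.5"        # inner destination A, inner source B
GW_C, GW_D = "192.60.75.3", "200.176.43.11"    # outer destination C, outer source D
TUNNEL_PORT = 2233
TUNNEL_KEY = b"constructed-demo-tunnel-key"    # assumption: agreed at tunnel setup
TAG_LEN = 32                                   # HMAC-SHA256 tag length in bytes


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    """Build a minimal IPv4 + UDP datagram (no options, UDP checksum unused)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + udp


def parse(packet: bytes) -> dict:
    """Fields that anyone on the path can read from an IPv4/UDP packet."""
    sport, dport = struct.unpack("!HH", packet[20:24])
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "sport": sport, "dport": dport,
            "payload": packet[28:]}


def packet_keys(seq: int):
    """Derive a per-packet encryption key and MAC key from the tunnel key."""
    label = struct.pack("!I", seq)
    return (hmac.new(TUNNEL_KEY, b"enc" + label, hashlib.sha256).digest(),
            hmac.new(TUNNEL_KEY, b"mac" + label, hashlib.sha256).digest())


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 counter keystream) so the example needs only
    the standard library; a real gateway uses the cipher it negotiated."""
    stream = b"".join(hmac.new(key, struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner: bytes, seq: int) -> bytes:
    """Encrypt the whole inner packet and wrap it in a gateway-to-gateway packet."""
    enc_key, mac_key = packet_keys(seq)
    body = struct.pack("!I", seq) + keystream_xor(enc_key, inner)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return ipv4_udp(GW_D, GW_C, TUNNEL_PORT, TUNNEL_PORT, body + tag)


def decapsulate(outer: bytes) -> bytes:
    """Verify and decrypt a tunnel packet; raise ValueError if it was altered."""
    if len(outer) < 28 + 4 + TAG_LEN:
        raise ValueError("truncated tunnel packet")
    fields = parse(outer)
    if fields["proto"] != 17 or fields["dport"] != TUNNEL_PORT:
        raise ValueError("not a tunnel packet")
    blob = fields["payload"]
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = packet_keys(struct.unpack("!I", body[:4])[0])
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return keystream_xor(enc_key, body[4:])


def overhead(payload_len: int) -> float:
    """Share of the tunneled packet that is encapsulation, for a given payload."""
    inner = ipv4_udp(HOST_B, HOST_A, 5000, 5000, b"x" * payload_len)
    outer = encapsulate(inner, 1)
    return (len(outer) - len(inner)) / len(outer)


if __name__ == "__main__":
    inner = ipv4_udp(HOST_B, HOST_A, 5000, 5000, b"constructed payload")
    outer = encapsulate(inner, seq=1)
    seen = parse(outer)
    print("on the Internet:", seen["src"], "->", seen["dst"], "udp", seen["dport"])
    back = parse(decapsulate(outer))
    print("after the gateway:", back["src"], "->", back["dst"], back["payload"])
    print("overhead, 36-byte vs 1372-byte payload:", overhead(36), overhead(1372))
```

The fixed 64 bytes of encapsulation make up half of a small tunneled packet but under 5% of a large one, which is why packet size matters when sizing a gateway.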

Page 28: VPN TUNNELING STANDARDS

[Figure: decision tree from Start, branching into Layer-2 and Layer-3.]

Layer-2

• Dedicated point-to-point
• Multi-protocol
• Security not necessary
• SP private networks
• Protocols: L2TP, L2F, PPTP (figure labels: industry standard, open standard, open standard)

Layer-3

• Shared multi-point
• IP only
• Strong security required
• Public Internet
• Protocol: IPSec
  – Authentication Header: header protection only
  – Encapsulating Security Payload: header & payload protection
  – Tunnel Mode: WAN connections
  – Transport Mode: LAN connections

Page 29: COMBINED TUNNEL AND TRANSPORT MODE

Enables enforcement of a single security policy

• Protected tunnels across WAN combined with protected transport across LAN to implement unified security policy for LAN and WAN access
• Protected tunnels are tunnels that:
  – Guarantee the privacy and integrity of the transmitted data
  – Guarantee the authenticity of the parties communicating
  – Hide network topology and application information

[Figure: two diagrams of VPN Gateways connected across the Internet. "tunnel across WAN" between C: 200.176.43.11 and D: 192.60.75.3; "transport between hosts" between A: 10.0.1.5 and B: 10.0.1.3.]

Page 30: IPSec

• Authentication Header (AH)
  – Provides integrity and authentication for IP datagrams [RFC-1826]
• Encapsulating Security Payload (ESP)
  – Provides confidentiality for IP datagrams by encrypting the payload data to be protected
  – Also provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality [RFC-1827]
• Internet Key Exchange (IKE) Protocol
  – Executes communication, authenticates users/systems, negotiates security parameters and establishes keys [RFC-2409]

Page 31: AGENDA

• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
  – Performance parameters & requirements
  – Service provider considerations
  – Legal constraints
  – VPN Gateway & Client considerations
• Intel’s VPN Components
• Demonstration
• Case Study

Page 32: PERFORMANCE PARAMETERS AND REQUIREMENTS

• Performance starts with the application
  – VPN solution must take applications into consideration
  – Different applications have different needs
• Performance parameters include
  – Bandwidth: megabits of encrypted traffic/second
  – Latency: delay introduced by VPN processing and transmission
  – Tunnel setup: number of simultaneous VPN connections

Page 33: VPN PERFORMANCE PARAMETERS: BANDWIDTH

• Bandwidth
  – The amount of information that moves across a point in the network per some unit of time
  – Measured in bits-per-second
• Packet size considerations
  – Effects on performance
  – Small vs. large packets
  – Packet encapsulation

Page 34: VPN PERFORMANCE PARAMETERS: LATENCY

• Latency
  – The time it takes information to move from one point in the network to another
  – Measured in milliseconds
• Traffic type considerations
  – Streaming audio and video
  – File transfer, database backup and Fax-over-IP
  – Application and transaction specific
  – e-Commerce and e-Business

Page 35: VPN PERFORMANCE PARAMETERS: TUNNEL SETUP

• Tunnel Setup
  – Length of time required to establish a tunnel
  – Affects number of tunnels that can be supported by a VPN solution
• Tunnel setup considerations
  – Security and encryption algorithms
  – Concurrent connections
  – Authentication
  – Routing
  – Firewall

Page 36: APPLICATION PERFORMANCE REQUIREMENTS

Table columns: Application, Characteristics, High Bandwidth, Low Latency, Rapid Tunnel Setup

• File transfer, web download, Fax-over-IP: Large volume data
• Streaming audio & video, Voice over IP: Large volume data, real time
• Light client, on-line transaction systems: Small data, many messages, “chatty”
• E-commerce transaction systems: Many brief connections

Page 37: SERVICE PROVIDER CONSIDERATIONS

• Geographical Coverage
  – POPs where you need them
  – Easy to find
• Performance and Reliability
  – Latency
  – Bandwidth
  – Availability
• Access Technologies
  – Analog, ISDN, DSL, Cable
• Support Services
  – Surveillance and diagnostics
  – Break/fix
  – Help desk
• Service Level Agreements

[Figure labels: DSL, Analog, Cable, ISDN, Wireless.]


SERVICE LEVEL AGREEMENTS (SLA)

• VPN cost/performance exceeds traditional methods when customers employ quality VPN products and services
• Service level agreements (SLA) cover:
  – availability: uptime of your connection
  – latency: average monthly latency of not more than n ms
  – proactive outage notification: within n minutes of an outage
  – installation: up and billable by the date quoted to you
  – 24/7 customer support


LEGAL CONSTRAINTS

• Governments may restrict access to encryption technology
  – Export license
  – Import license
  – Restricted countries
• Government regulations change frequently
  – Consult Intel sales for the latest information on export and import restrictions


VPN GATEWAY CONSIDERATIONS

• Standards support and interoperability
• Performance - bandwidth, latency, tunnel setup
  – Line speed performance
  – Hardware encryption
  – 100’s of tunnels
• Management capabilities
  – Ease of operation
  – Automated tunnel and key management
  – Automated client management and distribution
  – SNMP
  – GUI
  – CLI
• Reliability and scalability
  – Client load balancing
  – Client redundancy with automated fail-over


VPN CLIENT SOFTWARE CONSIDERATIONS

• Ease of installation and deployment
  – Automated deployment and configuration
  – Ease of client deployment
• Ease of operation
  – Transparent to end-user
• Interoperability with existing networking software
• Interoperability with ISP platforms and dialers
• Support for multiple access technologies
  – ISDN, Wireless, Cable Modem, DSL
• Support for multiple authentication technologies
  – Digital Certificates, Hard and Soft Tokens, Challenge Phrase, Name and Password, NT Domains, NDS, RADIUS


INTEL’S VPN PRODUCT SUITE

• LanRover™ VPN Gateway
  – Dedicated Hardware Platform
  – Dedicated Triple-DES acceleration hardware
  – Integrated routing and ICSA-certified firewall
  – Scalability
• Shiva® VPN Client for Win 95*, 98, NT*
  – Transparent and works with existing client and server applications
  – Fail-over & redundancy
• Shiva® VPN Client Deployment Tool
  – Automated distribution of pre-configured VPN Clients
• Shiva® Certificate Authority
  – Most advanced type of security available
• Shiva® VPN Manager
  – Centralized management of distributed gateways

* Such trademarks belong to their respective companies


REMOTE CLIENT REDUNDANCY AND AUTOMATED FAIL-OVER

• If the gateway is disconnected, client tunnels automatically fail over to the next gateway
• Improves service and reliability and reduces costs
• New servers can be deployed for additional capacity

[Figure: three VPN Gateways, Corporate Network, Firewall, Router, Internet; sequence labels: VPN Tunnel Request, VPN Tunnel Established, VPN Tunnel Lost, New Tunnel Created Automatically]


GATEWAY CONFIGURATION (Frame/T1)

[Figure: gateway placement options between the LAN and the Internet, drawn with routers and firewalls: stand-alone (VPN, firewall and router); firewall and VPN; in-line with firewall; parallel with firewall; one-armed ethernet. Legend: VPN Traffic, Physical Connection, Non-VPN Traffic]


SHIVA® VPN CLIENT DEPLOYMENT TOOL

What is the VPN Client Deployment Tool?

• The first email/web-based stand-alone deployment tool designed to distribute pre-configured clients
• Automates the delivery and update of VPN client files and configuration data

New! Unique


SHIVA® VPN CLIENT DEPLOYMENT TOOL ARCHITECTURE

[Figure: Client, CDT Server and CDT Manager; components shown: Database, Policy Database, CDT Server, Web Server, Manager]

The CDT Manager and Server can be on the same or different machines


SHIVA® VPN CLIENT DEPLOYMENT TOOL FEATURES/BENEFITS

| Feature | Function | Benefit |
|---|---|---|
| Automated distribution of clients and configuration | Web server with automated email capabilities | Reduces time and effort for centralized deployment of the VPN client |
| Encrypted client configuration file | CDT encrypts and decrypts the client configuration file | Enhanced security |
| Scalable | Deploys anywhere from 25 to thousands of clients | Investment protection |


SHIVA® ACCESS MANAGER AND SHIVA® CERTIFICATE AUTHORITY

[Figure: Shiva® Access Manager 5.0 (SAM) and Shiva® Certificate Authority (SCA) serving an Accounting Server, a LanRover™ Access Switch and a LanRover™ VPN Gateway]

• Simultaneous Direct Dial and VPN Authentication
• Simultaneous Direct Dial and VPN Accounting
• Simultaneous Radius X.509 Authentication
• Complete certificate management capabilities (Add, Mod, Delete)

Key Feature Summary
• Integrated RADIUS and Certificate Authority management
• Full VPN and direct dial accounting
• User explorer
• Active user monitoring
• LDAP support
• SNMP support
• Multi-level management


INTEL’S VPN MANAGEMENT

• Intel provides efficient and flexible management capability that can help reduce the total cost of ownership of your VPN solution
• Intel’s VPN management supports
  – Tunnel management
    • Fully automated key management
    • Tunnel status monitoring & management
  – Gateway management
    • Centralized management of distributed devices
    • GUI, CLI and SNMP (MIB I & MIB II) based control and monitoring
  – Client deployment, installation and management
  – Detailed logging
    • All events from individual connections to failed key negotiations and attempted security breaches are logged


LANROVER VPN GATEWAY FAMILY

VPN Client and Graphical Management Software Included

| Product | Number of Users | Virtual Ports | Encryption | LAN Interface | WAN Interface | ICSA Firewall | Suggested Price (USD) |
|---|---|---|---|---|---|---|---|
| LanRover™ VPN Express | 10-150 | 50 | 40-bit & 56-Bit DES, 112-Bit and 168-Bit Triple-DES | Dual 10/100 Ethernet | V.35 Serial | Included | $3,495 |
| LanRover™ VPN Gateway | 100-1500 | 1000 | 40-bit & 56-Bit DES, 112-Bit and 168-Bit Triple-DES | Dual 10/100 Ethernet | Dual V.35 or Dual X.21 Serial (Optional) | Included | $6,014 |
| LanRover™ VPN Gateway Plus | 250-5000 | 1000 | 40-bit & 56-Bit DES, 112-Bit and 168-Bit Triple-DES | Dual 10/100 Ethernet | Dual V.35 or Dual X.21 Serial (Optional) | Included | $9,250 |


DEMONSTRATION

[Figure: Intel’s VPN client makes a local call to an ISP POP and connects across the Internet to Intel’s VPN Gateway in Boston, MA]

• VPN demonstration overview
  – Remote access with Intel’s VPN Client
  – Management through Intel’s VPN Manager
    • Set up of tunnels
    • Tunnel management
    • Firewall management


Case Study

• The Company:
  – World’s leading manufacturer of electronic forms
• The Challenge
  – Connect 15 regional offices around the world
  – Use existing applications
  – Reduce network communication costs
  – Reduce total cost of ownership
  – Implement enhanced security
  – Centralized management of devices


Case Study

• The Company:
  – World’s leading manufacturer of electronic forms
• The Solution
  – Installed LanRover™ VPN Gateways at remote offices
  – Reduced communication costs by $40K per month
  – Allowed protected, authenticated communications across the Internet
  – Using the LanRover™ VPN Gateway to firewall all locations
  – Doubled network performance (from 56Kbs frame to 128Kbs Internet connection)
  – Centralized system management made possible with Shiva® VPN Manager and Shiva® Certificate Authority
  – Same solution will also support remote access for traveling users


Case Study

[Figure: California and Sweden sites connected through routers across the Internet; labels: Workstations, File Servers, Shiva® Certificate Authority]

Benefits:
• Saving 40K/month on leased line charges
• Improved application performance
• Add new locations quickly and easily
• Minimize number of connections to Internet


AGENDA

• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study
• Conclusion


CONCLUSIONS

• Remote Access has become a strategic corporate necessity
  – Connecting employees, partners and customers
• Virtual Private Networks help companies implement remote access by
  – Reducing costs
  – Improving performance and security
  – Increasing flexibility
• Intel’s product suite provides companies with enhanced VPN capabilities with cost effective and easy to use solutions


PROMOTIONS

FREE Shiva® VPN Client Deployment Tool: $5,000 value!

(This offer is available to Customers in the United States and Canada only)

Get a FREE VPN Client Deployment Tool with your first purchase of a LanRover™ VPN Gateway Plus unit, or 2 LanRover™ VPN Express units, between February 15th and June 30th, 2000.

The VPN Client Deployment Tool, Intel's latest addition to its award-winning suite of virtual private networking (VPN) products, is an intelligent, web-based solution allowing you to easily, quickly and accurately deploy large numbers of fully-configured Shiva® VPN software clients.

Visit www.shiva.com/sales/promotions.html now for details!