TRANSCRIPT
Copyright © 2000 Intel Network Systems, Inc.
Virtual Private Network Seminar
Extend Your Network to Customers, Partners and Employees with Secure VPN Solutions
Spring 2000
AGENDA
• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study
INTEL’S STRATEGY
Be the pre-eminent building block supplier to the Internet economy
INTEL IS SERIOUS ABOUT NETWORKING
Intel Network Systems Vision
Trusted and reliable access from any device over any medium, anytime, anywhere at an affordable price.
Network Systems Mission
Accelerate the use of the Internet as the primary means for business connectivity.
INTEL NETWORK SYSTEMS SOLUTIONS
[Figure: product map across customer segments (Small Business, Medium Enterprise, Data Center/ISP) and network type (LAN, WAN); products shown: Appliances, Standalone Hubs, Modular Switches, Routers, Standalone Switches, Scalable Stackable Switches, VPN Gateways, Access Concentrator, Access Port]
AGENDA
• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study
WHAT IS A VPN?
A VPN (Virtual Private Network) is a technology that connects individuals and systems over an IP backbone or the Internet
• VPNs reduce costs by eliminating expensive leased lines and costly long distance toll charges
• Communications are protected through encryption and authentication technology
• Virtual presence on the local area network (LAN) is established with tunneling technology
[Figure: a Traveling Employee or Telecommuter running the VPN Client dials a local ISP by modem; VPN Servers at Headquarters (Corporate LAN) and at a Branch Office (Remote LAN) connect the sites and the remote user across the Internet]
REMOTE ACCESS APPLICATIONS
• Individual Remote Access: Telecommuter, Road Warrior, Day-Extender
• Group Remote Access: Customer Site, Branch Office, Supplier or Partner Location
INDIVIDUAL REMOTE ACCESS ALTERNATIVES
[Figure: three paths from the customer premises equipment (CPE) to the corporate site]
• Dial-up Networking through the public switched telephone network: a long distance analog or ISDN connection over the PSTN to a modem server (T1, ISDN)
• Outsource Networking through a service provider’s private network: a local analog or ISDN connection to the SP POP, then across the SP network (Frame Relay, X.25, ATM) to a router at the corporate CPE
• Virtual Private Network through the Internet: a local analog, ADSL, cable or ISDN connection to an Internet POP, then across the Internet to a VPN Gateway (T1, HDSL)
GROUP REMOTE ACCESS ALTERNATIVES
• Fully meshed leased line or frame relay network
• Fully meshed VPN network
[Figure: San Francisco, New York, Dallas and Chicago sites shown first fully meshed with leased lines or frame relay circuits, then each connected to the Internet to form a fully meshed VPN]
THE UPSIDE OF VPN
[Figure: before, separate routers, dial-up servers and firewalls link the LAN to the Internet, the PSTN and Frame Relay to serve intranet, extranet, telecommuter, mobile professional, World Wide Web and e-mail traffic; after, a single VPN Gateway links the LAN to the Internet for the same applications]
• One piece of gear
• One pipe
• One network
• Many applications
BENEFITS OF VIRTUAL PRIVATE NETWORKS
• Reduced costs
  – Eliminate long distance toll charges
  – Reduce leased line charges
• High performance
  – Every call is a local call
  – The Internet is a robust public data infrastructure
• Increased security
  – Better than traditional dial up and frame networks
• Unparalleled flexibility
  – Any internet connection
  – Any access technology (Cable, xDSL, etc)
WHEN TO USE DIAL-UP NETWORKS, OUTSOURCE NETWORKS AND VIRTUAL PRIVATE NETWORKS
USE DIAL-UP NETWORKING FOR
• Local telecommuters
• On-line transaction applications
• Flexible and rapid implementation
• As a back-up for outsource networks and VPN
USE OUTSOURCE NETWORKING FOR
• Hub and spoke networks
• Multi-protocol networks
• Closed user groups
• Communications within a single country
• No additional IP access allowed/required
USE VIRTUAL PRIVATE NETWORKING FOR
• Fully or partially meshed networks
• IP-only networks
• Linking trading partners
• Road Warrior and site-to-site access
• International connectivity
• Flexible and rapid implementation
BENEFITS FOR COMBINING DIRECT DIAL AND VPN BASED SOLUTIONS
• VPN over the Internet is the low cost winner for long distance connectivity
• Direct Dial over the Telephone Network is the most reliable and affordable solution for local access
• Integrated Direct Dial and VPN solutions can also improve performance, security and reliability
  – Direct dial provides a back up to VPN
  – VPN supplements local direct dial capacity when exceptional conditions such as snow storms require it
  – Common security and single authentication methods help implement a unified security policy
REMOTE ACCESS ANALYSIS TOOL
Help plan operational costs for remote access networks
http://www.shiva.com/remote/vpnroi
AGENDA
• Intel Overview
• Defining VPN
• How VPNs Work
  – Security technologies
    • Encryption
    • Authentication
    • Firewalls
  – Networking technologies
    • Tunneling and tunneling protocols
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study
A GENERAL MODEL OF ENCRYPTION
[Figure: Plain Text and a Key enter a transformation function F, which produces Cipher Text]
• Two general types of cryptographic systems:
  – Asymmetric or ‘public key’ encryption
  – Symmetric or ‘secret key’ encryption
ASYMMETRIC CRYPTOGRAPHY
• Used to establish connections
• Key pairs (public / private)
  – Data encrypted with the public key can only be decrypted by the private key
• Relatively slow
• Keys relatively long (up to 2048 bits)
  – Key space 2^2048
• Example:
  – Pretty Good Protection (PGP)
  – Rivest, Shamir, Adleman (RSA)
SYMMETRIC CRYPTOGRAPHY
• Used for information moving through the connection
• Single shared key
  – The same key is used to encrypt and decrypt
• Relatively fast
• Keys relatively short (up to 168 bits)
  – Key space 2^168
• Example:
  – Data Encryption Standard (DES)
  – RC4, RC5
DATA ENCRYPTION STANDARD (DES)
• US Data Encryption Standard (DES)
• Variants
  – 56-Bit DES
    • Single key; good protection
  – 112-Bit (Triple-pass DES)
    • Two keys, three passes; better protection
  – 168-Bit (3DES)
    • Three independent keys; three passes (encrypt-decrypt-encrypt)
    • Best protection
• Caveats
  – Encryption algorithms need to be safe from brute force attack because of the increasing speed of modern computers
  – Need frequent and automated key exchanges
  – Compute intensive; requires hardware acceleration on server side
  – US export and International import restrictions
KEY MANAGEMENT
Key management controls the distribution and use of encryption keys
– Asymmetric algorithms reveal the public key and conceal the private key
  • Public keys are exchanged
  • Private keys are secured
– Symmetric algorithms require a secure key exchange mechanism
  • Key secrecy must be maintained during key exchange
VPN AUTHENTICATION SERVICES
• Ensure the identity and authority of the VPN participants
• Choices include:
  – Technologies: passwords, challenge phrase, hard and soft tokens with one-time passwords, and X.509 digital certificates
  – Products: NT Domains*, NDS*, RADIUS, SDI*, Entrust*, Shiva® CA
• A VPN solution should allow you to select the authentication method that matches your needs
• Recommend the use of digital certificates
  – X.509 digital certificates are de facto standard
  – Better authentication than passwords and tokens
  – Identify individuals and systems
  – Client and system operate even when certificate authority is unreachable
* Such trademarks belong to their respective companies
WHAT ARE CERTIFICATES?
• Certificates are digital documents attesting to the binding of a public key to an individual or other entity
• Certificates allow verification of the claim that a specific public key does in fact belong to a specific individual
• Certificates contain
  – A public key and a name
  – Expiration date
  – Name of the certifying authority that issued the certificate
  – A serial number
  – Other information
• Most importantly, certificates contain the digital signature of the certificate issuer
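The slide lists what a certificate carries and why the issuer's signature matters. The following added example (not from the seminar or any Intel/Shiva product) builds such a certificate from those fields and checks it the way a VPN gateway would: signature, issuer, name binding and expiry. It assumes a textbook RSA key pair generated in-process as a stand-in for a real CA's signature scheme, and a JSON field encoding invented here.

```python
"""A certificate with the fields the slide lists, signed by its issuer.
Added example, not seminar code. Assumptions: textbook RSA with small keys
generated in-process stands in for a real CA's signature scheme (illustration
only, not production strength); the JSON field encoding is invented here."""
import hashlib
import json
import random


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Random odd prime with the top bit set, so n = p * q has 2 * bits bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=0):
    """Toy RSA key pair: (public {n, e}, private {n, d}). Deterministic for a seed."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this makes e coprime with phi
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _to_be_signed(cert):
    """Canonical encoding of every field the issuer vouches for (all but the signature)."""
    fields = {k: cert[k] for k in ("subject", "public_key", "serial", "not_after", "issuer")}
    return json.dumps(fields, sort_keys=True).encode()


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_certificate(subject, subject_pub, serial, not_after, issuer, issuer_priv):
    """Bind the subject name to its public key; the issuer signs the hash of the fields."""
    cert = {"subject": subject, "public_key": subject_pub, "serial": serial,
            "not_after": not_after, "issuer": issuer}
    cert["signature"] = pow(_digest(_to_be_signed(cert)), issuer_priv["d"], issuer_priv["n"])
    return cert


def verify_certificate(cert, issuer_name, issuer_pub, expected_subject, today):
    """Return the list of problems found (an empty list means the certificate is acceptable)."""
    problems = []
    if pow(cert["signature"], issuer_pub["e"], issuer_pub["n"]) != _digest(_to_be_signed(cert)):
        problems.append("issuer signature does not verify")
    if cert["issuer"] != issuer_name:
        problems.append("issued by an unexpected authority")
    if cert["subject"] != expected_subject:
        problems.append("name does not match the expected subject")
    if today > cert["not_after"]:             # ISO dates compare correctly as strings
        problems.append("certificate has expired")
    return problems


def demo():
    """Constructed CA and user; returns the verification result for a valid certificate."""
    ca_pub, ca_priv = generate_keypair(seed=1)
    user_pub, _ = generate_keypair(seed=2)
    cert = issue_certificate("alice@example.test", user_pub, 1001, "2001-06-30",
                             "Example CA (constructed)", ca_priv)
    return verify_certificate(cert, "Example CA (constructed)", ca_pub,
                              "alice@example.test", "2000-05-01")
```

Changing any signed field (the subject name, for instance) invalidates the signature, which is the property that lets a gateway trust the name-to-key binding without contacting the CA.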
VPN FIREWALL SERVICES
• Integrated firewall capabilities enhance the flexibility and security of a VPN solution
• Integrated firewall capabilities:
  – Control traffic flow in and out of the corporate network
  – Limit access of VPN tunnel traffic to specific resources
  – Provide a stand-alone solution for branch office applications
• An integrated firewall should provide:
  – Packet filtering
  – Network address translation (NAT) for non-VPN traffic
  – Inbound & outbound proxies
  – Sequence-based examination of traffic
  – State-based examination of traffic
WHAT IS TUNNELING
[Figure: host A (10.0.1.3) and host B (10.0.1.5; a 10.0.1.6 address also appears on the private side) exchange a packet made up of Destination, Source and Data fields; between the VPN Server at the ISP and the remote VPN Server the whole original packet, Destination and Source included, is encrypted and carried as the Data of an outer packet addressed between the public addresses C (192.60.75.3) and D (200.176.43.11) across the Internet]
TUNNELED PACKETS
Original packet:
[ Dest IP | Src IP | Protocol | Src Port | Dest Port | Payload ]
Tunneled packet:
[ Dest Enc IP | Src Enc IP | Protocol = UDP | Src Port = 2233 | Dest Port = 2233 | Payload = original packet: [ Dest IP | Src IP | Protocol | Src Port | Dest Port | Payload ] ]
The original packet is carried as the tunnel payload, encrypted with a unique Packet Key
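The layout above is worth seeing as bytes. The following added example (not from the seminar or any Intel/Shiva product) builds the original IP packet between hosts A and B from the previous slide, wraps it in an outer IP/UDP packet on port 2233 between the gateway addresses C and D, encrypts it with a per-packet key, and unwraps it at the far gateway. A SHA-256-derived XOR keystream and an HMAC tag are assumed stand-ins for the product's unspecified cipher and packet-key scheme.

```python
"""Tunnel encapsulation in the slide's layout. Added example, not seminar code.
Assumptions: a SHA-256 XOR keystream plus an HMAC tag stand in for the
product's unspecified cipher and packet-key scheme; addresses are the slide's."""
import hashlib
import hmac
import socket
import struct

TUNNEL_PORT = 2233   # UDP port shown on the slide for tunnel traffic
IPPROTO_UDP = 17


def ip_checksum(header):
    """One's-complement checksum over an IPv4 header (0 when verifying a good one)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); raise ValueError on a bad header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if ip_checksum(hdr) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    return (socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]),
            hdr[9], packet[ihl:total_len])


def packet_key(session_key, seq):
    """Unique per-packet key derived from the session key and the packet sequence number."""
    return hashlib.sha256(session_key + struct.pack("!I", seq)).digest()


def xor_stream(key, data):
    """Stand-in symmetric stream cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("!I", i // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encapsulate(inner_packet, session_key, seq, outer_src, outer_dst):
    """Outer IP (C -> D) + UDP 2233 -> 2233 + [seq | encrypted original packet | tag]."""
    key = packet_key(session_key, seq)
    body = struct.pack("!I", seq) + xor_stream(key, inner_packet)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    udp = struct.pack("!HHHH", TUNNEL_PORT, TUNNEL_PORT, 8 + len(body) + 16, 0)
    return build_ipv4(outer_src, outer_dst, IPPROTO_UDP, udp + body + tag, ident=seq)


def decapsulate(outer_packet, session_key, my_addr):
    """Gateway side: check outer addressing and port, verify the tag, then decrypt."""
    src, dst, proto, udp = parse_ipv4(outer_packet)
    if dst != my_addr or proto != IPPROTO_UDP:
        raise ValueError("not addressed to this tunnel endpoint")
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if dport != TUNNEL_PORT:
        raise ValueError("not tunnel traffic")
    body, tag = udp[8:ulen - 16], udp[ulen - 16:ulen]
    key = packet_key(session_key, struct.unpack("!I", body[:4])[0])
    expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("packet tag mismatch; dropped")
    return xor_stream(key, body[4:])   # the XOR keystream is its own inverse


def tunnel_accepts(outer_packet, session_key, my_addr):
    """True when the gateway would accept and decrypt the packet."""
    try:
        decapsulate(outer_packet, session_key, my_addr)
        return True
    except ValueError:
        return False


def demo():
    """Constructed sample: A 10.0.1.3 -> B 10.0.1.5, carried from C 192.60.75.3 to D 200.176.43.11."""
    session_key = b"constructed-session-key"
    inner = build_ipv4("10.0.1.3", "10.0.1.5", IPPROTO_UDP, b"hello from A", ident=7)
    outer = encapsulate(inner, session_key, 1, "192.60.75.3", "200.176.43.11")
    return parse_ipv4(decapsulate(outer, session_key, "200.176.43.11"))
```

Only the outer header (C, D, UDP 2233) is visible on the Internet; the private addresses and data appear only after the far gateway verifies the tag and decrypts.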
VPN TUNNELING STANDARDS
[Figure: evolution from Layer-2 tunneling (L2F, PPTP, L2TP; labelled industry standard and open standard) to Layer-3 IPSec (open standard) with its Authentication Header (header protection only) and Encapsulating Security Payload (header & payload protection), used in Transport Mode (LAN connections) and Tunnel Mode (WAN connections)]
• Layer-2: dedicated point-to-point, multi-protocol, security not necessary, SP private networks
• Layer-3: shared multi-point, IP only, strong security required, public Internet
COMBINED TUNNEL AND TRANSPORT MODE
Enables enforcement of a single security policy
• Protected tunnels across WAN combined with protected transport across LAN to implement unified security policy for LAN and WAN access
• Protected tunnels are tunnels that:
  – Guarantee the privacy and integrity of the transmitted data
  – Guarantee the authenticity of the parties communicating
  – Hide network topology and application information
[Figure: hosts A (10.0.1.5) and B (10.0.1.3) use transport mode between hosts on their LANs, while the VPN Gateways C (200.176.43.11) and D (192.60.75.3) carry the traffic in a tunnel across the WAN via the Internet]
IPSec
• Authentication Header (AH)
  – Provides integrity and authentication for IP datagrams [RFC-1826]
• Encapsulating Security Payload (ESP)
  – Provides confidentiality for IP datagrams by encrypting the payload data to be protected
  – Also provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality [RFC-1827]
• Internet Key Exchange (IKE) Protocol
  – Executes communication, authenticates users/systems, negotiates security parameters and establishes keys [RFC-2409]
AGENDA
• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
  – Performance parameters & requirements
  – Service provider considerations
  – Legal constraints
  – VPN Gateway & Client considerations
• Intel’s VPN Components
• Demonstration
• Case Study
PERFORMANCE PARAMETERS AND REQUIREMENTS
• Performance starts with the application
  – VPN solution must take applications into consideration
  – Different applications have different needs
• Performance parameters include
  – Bandwidth: megabits of encrypted traffic/second
  – Latency: delay introduced by VPN processing and transmission
  – Tunnel setup: number of simultaneous VPN connections
VPN PERFORMANCE PARAMETERS: BANDWIDTH
• Bandwidth
  – The amount of information that moves across a point in the network per some unit of time
  – Measured in bits-per-second
• Packet size considerations
  – Effects on performance
  – Small vs. large packets
  – Packet encapsulation
VPN PERFORMANCE PARAMETERS: LATENCY
• Latency
  – The time it takes information to move from one point in the network to another
  – Measured in milliseconds
• Traffic type considerations
  – Streaming audio and video
  – File transfer, database backup and Fax-over-IP
  – Application and transaction specific
  – e-Commerce and e-Business
VPN PERFORMANCE PARAMETERS: TUNNEL SETUP
• Tunnel Setup
  – Length of time required to establish a tunnel
  – Affects number of tunnels that can be supported by a VPN solution
• Tunnel setup considerations
  – Security and encryption algorithms
  – Concurrent connections
  – Authentication
  – Routing
  – Firewall
APPLICATION PERFORMANCE REQUIREMENTS
Application | Characteristics
File transfer, web download, Fax-over-IP | Large volume data
Streaming audio & video, Voice over IP | Large volume data, real time
Light client, on-line transaction systems | Small data, many messages, “chatty”
E-commerce transaction systems | Many brief connections
[The slide’s table also has columns High Bandwidth, Low Latency and Rapid Tunnel Setup, marking which requirements each application has; the marks did not survive in this transcript]
SERVICE PROVIDER CONSIDERATIONS
• Geographical Coverage
  – POPs where you need them
  – Easy to find
• Performance and Reliability
  – Latency
  – Bandwidth
  – Availability
• Access Technologies
  – Analog, ISDN, DSL, Cable
• Support Services
  – Surveillance and diagnostics
  – Break/fix
  – Help desk
• Service Level Agreements
[Figure: access technology icons: DSL, Analog, Cable, ISDN, Wireless]
SERVICE LEVEL AGREEMENTS (SLA)
• VPN cost/performance exceeds traditional methods when customers employ quality VPN products and services
• Service level agreements (SLA) cover:
  – availability: uptime of your connection
  – latency: average monthly latency of not more than n ms
  – proactive outage notification: within n minutes of an outage
  – installation: up and billable by the date quoted to you
  – 24/7 customer support
LEGAL CONSTRAINTS
• Governments may restrict access to encryption technology
  – Export license
  – Import license
  – Restricted countries
• Government regulations change frequently
  – Consult Intel sales for the latest information on export and import restrictions
VPN GATEWAY CONSIDERATIONS
• Standards support and interoperability
• Performance - bandwidth, latency, tunnel setup
  – Line speed performance
  – Hardware encryption
  – 100’s of tunnels
• Management capabilities
  – Ease of operation
  – Automated tunnel and key management
  – Automated client management and distribution
  – SNMP
  – GUI
  – CLI
• Reliability and scalability
  – Client load balancing
  – Client redundancy with automated fail-over
VPN CLIENT SOFTWARE CONSIDERATIONS
• Ease of installation and deployment
  – Automated deployment and configuration
  – Ease of client deployment
• Ease of operation
  – Transparent to end-user
• Interoperability with existing networking software
• Interoperability with ISP platforms and dialers
• Support for multiple access technologies
  – ISDN, Wireless, Cable Modem, DSL
• Support for multiple authentication technologies
  – Digital Certificates, Hard and Soft Tokens, Challenge Phrase, Name and Password, NT Domains, NDS, RADIUS
AGENDA
• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study
INTEL’S VPN PRODUCT SUITE
• LanRover™ VPN Gateway
  – Dedicated Hardware Platform
  – Dedicated Triple-DES acceleration hardware
  – Integrated routing and ICSA-certified firewall
  – Scalability
• Shiva® VPN Client for Win 95*, 98, NT*
  – Transparent and works with existing client and server applications
  – Fail-over & redundancy
• Shiva® VPN Client Deployment Tool
  – Automated distribution of pre-configured VPN Clients
• Shiva® Certificate Authority
  – Most advanced type of security available
• Shiva® VPN Manager
  – Centralized management of distributed gateways
* Such trademarks belong to their respective companies
REMOTE CLIENT REDUNDANCY AND AUTOMATED FAIL-OVER
• If the gateway is disconnected, client tunnels automatically fail over to the next gateway
• Improves service and reliability and reduces costs
• New servers can be deployed for additional capacity
[Figure: three VPN Gateways sit behind the Firewall and Router of the Corporate Network; a client’s VPN Tunnel Request establishes a tunnel to one gateway, and when that tunnel is lost a new tunnel is created automatically to the next gateway]
GATEWAY CONFIGURATION (Frame/T1)
[Figure: placements of the VPN gateway between the LAN and the Internet, with VPN traffic, non-VPN traffic and physical connections drawn separately]
• LAN stand-alone (VPN, firewall and router in one unit)
• Firewall and VPN behind a router
• In-line with firewall
• Parallel with firewall
• One-armed ethernet
SHIVA® VPN CLIENT DEPLOYMENT TOOL
What is the VPN Client Deployment Tool?
• The first email / web based stand alone deployment tool designed to distribute pre-configured clients
• Automates the delivery and update of VPN client files and configuration data
SHIVA® VPN CLIENT DEPLOYMENT TOOL ARCHITECTURE
[Figure: the CDT Manager, with its Policy Database, and the CDT Server, with its Database, deliver clients through a Web Server]
The CDT Manager and Server can be on the same or different machines
SHIVA® VPN CLIENT DEPLOYMENT TOOL FEATURES/BENEFITS
Feature: Automated distribution of clients and configuration
  Function: Web server with automated email capabilities
  Benefit: Reduces time and effort for centralized deployment of the VPN client
Feature: Encrypted client configuration file
  Function: CDT encrypts and decrypts the client configuration file
  Benefit: Enhanced security
Feature: Scalable
  Function: Deploys anywhere from 25 to thousands of clients
  Benefit: Investment protection
SHIVA® ACCESS MANAGER AND SHIVA® CERTIFICATE AUTHORITY
[Figure: Shiva® Access Manager 5.0 (SAM) and Shiva® Certificate Authority (SCA) serving an Accounting Server, a LanRover™ Access Switch and a LanRover™ VPN Gateway: simultaneous direct dial and VPN authentication, simultaneous direct dial and VPN accounting, simultaneous RADIUS/X.509 authentication, and complete certificate management capabilities (add, modify, delete)]
Key Feature Summary
• Integrated RADIUS and Certificate Authority management
• Full VPN and direct dial accounting
• User explorer
• Active user monitoring
• LDAP support
• SNMP support
• Multi-level management
INTEL’S VPN MANAGEMENT
• Intel provides efficient and flexible management capability that can help reduce the total cost of ownership of your VPN solution
• Intel’s VPN management supports
  – Tunnel management
    • Fully automated key management
    • Tunnel status monitoring & management
  – Gateway management
    • Centralized management of distributed devices
    • GUI, CLI and SNMP (MIB I & MIB II) based control and monitoring
  – Client deployment, installation and management
  – Detailed logging
    • All events, from individual connections to failed key negotiations and attempted security breaches, are logged
LANROVER VPN GATEWAY FAMILY
VPN Client and Graphical Management Software Included
LanRover™ VPN Express
  Number of Users: 10-150
  Virtual Ports: 50
  Encryption: 40-bit & 56-bit DES, 112-bit and 168-bit Triple-DES
  LAN Interface: Dual 10/100 Ethernet
  WAN Interface: V.35 Serial
  ICSA Firewall: Included
  Suggested Price (USD): $3,495
LanRover™ VPN Gateway
  Number of Users: 100-1500
  Virtual Ports: 1000
  Encryption: 40-bit & 56-bit DES, 112-bit and 168-bit Triple-DES
  LAN Interface: Dual 10/100 Ethernet
  WAN Interface: Dual V.35 or Dual X.21 Serial (Optional)
  ICSA Firewall: Included
  Suggested Price (USD): $6,014
LanRover™ VPN Gateway Plus
  Number of Users: 250-5000
  Virtual Ports: 1000
  Encryption: 40-bit & 56-bit DES, 112-bit and 168-bit Triple-DES
  LAN Interface: Dual 10/100 Ethernet
  WAN Interface: Dual V.35 or Dual X.21 Serial (Optional)
  ICSA Firewall: Included
  Suggested Price (USD): $9,250
DEMONSTRATION
[Figure: Intel’s VPN client places a local call to an ISP POP and reaches Intel’s VPN Gateway in Boston, MA across the Internet]
• VPN demonstration overview
  – Remote access with Intel’s VPN Client
  – Management through Intel’s VPN Manager
• Set up of tunnels
• Tunnel management
• Firewall management
Case Study
• The Company:
  – World’s leading manufacturer of electronic forms
• The Challenge
  – Connect 15 regional offices around the world
  – Use existing applications
  – Reduce network communication costs
  – Reduce total cost of ownership
  – Implement enhanced security
  – Centralized management of devices
Case Study
• The Company:
  – World’s leading manufacturer of electronic forms
• The Solution
  – Installed LanRover™ VPN Gateways at remote offices
  – Reduced communication costs by $40K per month
  – Allowed protected, authenticated communications across the Internet
  – Using the LanRover™ VPN Gateway to firewall all locations
  – Doubled network performance (from 56 Kbps frame to 128 Kbps Internet connection)
  – Centralized system management made possible with Shiva® VPN Manager and Shiva® Certificate Authority
  – Same solution will also support remote access for traveling users
Case Study
[Figure: sites in California and Sweden, each with a router, workstations and file servers, connected across the Internet; Shiva® Certificate Authority shown at one site]
Benefits:
• Saving 40K/month on leased line charges
• Improved application performance
• Add new locations quickly and easily
• Minimize number of connections to Internet
AGENDA
• Intel Overview
• Defining VPN
• How VPNs Work
• Building a VPN
• Intel’s VPN Components
• Demonstration
• Case Study
• Conclusion
CONCLUSIONS
• Remote Access has become a strategic corporate necessity
  – Connecting employees, partners and customers
• Virtual Private Networks help companies implement remote access by
  – Reducing costs
  – Improving performance and security
  – Increasing flexibility
• Intel’s product suite provides companies with enhanced VPN capabilities with cost effective and easy to use solutions
PROMOTIONS
FREE Shiva® VPN Client Deployment Tool: $5,000 value!
(This offer is available to Customers in the United States and Canada only)
Get a FREE VPN Client Deployment Tool with your first purchase of a LanRover™ VPN Gateway Plus unit, or 2 LanRover™ VPN Express units, between February 15th and June 30th, 2000
The VPN Client Deployment Tool, Intel's latest addition to its award winning suite of virtual private networking (VPN) products, is an intelligent, web-based solution allowing you to easily, quickly and accurately deploy large numbers of fully-configured Shiva® VPN software clients.
Visit www.shiva.com/sales/promotions.html now for details!