Common VPN Deployments


Network infrastructures in which a VPN technology may be commonly deployed include, but are not limited to, trunks to Internet service provider networks, corporate extranet partner networks, or even private leased line connections in a corporate intranet. Next, we will briefly explore some of the common situations in which a VPN may be deployed.

Site-to-Site VPNs

As cryptographic technology becomes more embedded in network elements, site-to-site VPN deployments have grown. A site-to-site VPN can be as simple as encrypting the link between two nodes on a point-to-point connection, or slightly more complex, offloading initiation and termination of the VPN tunnel to a firewall or VPN concentrator in each organization's DMZ. Figure 1-16 illustrates a simple site-to-site IPsec VPN deployment between two networks, A and B.

Figure 1-16. Simple Site-to-Site Design Scenario


Although the two IPsec tunnel implementations in Figure 1-16 use the same physical topology to accomplish a similar task, there is a significant difference between these two simple site-to-site VPN designs. If a smaller router is used for the WAN connection, moving IPsec processing onto the VPN concentrators can improve VPN performance substantially; in that case the routed IPsec tunnel between the two VPN concentrators is the better choice. However, if the PIX firewalls perform network address translation (NAT) on the traffic between the concentrators, the concentrators need support for IPsec NAT Traversal (NAT-T), which encapsulates ESP in UDP (port 4500) so that the tunnel survives address and port translation. If the concentrators lack that feature, the IPsec tunnel built by the WAN routers over the point-to-point line, where no NAT sits in the path, is the better option.

In the scenario in Figure 1-16, it is critically important to note that the flexibility to choose between the two tunnel deployments is enabled by the fact that IPsec VPNs operate at Layer 3, the network layer, of the OSI model. As such, VPNs are no longer limited to bulk data-link encryption techniques on physical point-to-point links. Instead, an IPsec VPN tunnel could be used to secure traffic between two endpoints over a series of routed networks. The simple design decision presented in Figure 1-16 is just an introduction to the wide array of design options that should be considered when securing a network with a Layer 3 VPN technology such as IPsec.
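The routed tunnel between the two gateways described above, as an added example in Cisco IOS syntax that is not from the book (the book's concentrators are configured differently): Enterprise A's IPsec gateway sits behind a PIX that statically translates it, so NAT-T is required for ESP to cross the firewall. All addresses, names and the pre-shared key are assumed: A's gateway is 192.168.100.10 inside, translated to 203.0.113.10; B's gateway is reachable at 203.0.113.20; the protected networks are 10.1.0.0/16 (A) and 10.2.0.0/16 (B).

```cisco
! Added example (not from the book): Enterprise A IPsec gateway, Cisco IOS.
! Assumed addressing (RFC 5737/1918 ranges): this router is 192.168.100.10,
! statically translated by the PIX to 203.0.113.10; peer B is 203.0.113.20.
!
! Phase 1 (ISAKMP) policy. IOS negotiates NAT-T automatically (on by default);
! peer B must support it too, or ESP will not make it through the PIX.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! B binds the same key to A's translated address, 203.0.113.10 (assumption).
crypto isakmp key A-TO-B-SECRET address 203.0.113.20
! NAT keepalives stop the PIX from aging out the UDP/4500 translation while
! the tunnel is idle.
crypto isakmp nat keepalive 20
!
! Phase 2 (IPsec) transform set: ESP with AES-256 and HMAC-SHA-1, tunnel mode.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only traffic between the two enterprise address blocks is
! encrypted; everything else leaves the interface in the clear.
ip access-list extended VPN-A-TO-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set AES256-SHA
 set pfs group14
 match address VPN-A-TO-B
!
! Apply the crypto map to the interface that faces the PIX; ESP/UDP 4500
! traffic to B leaves here and is translated by the firewall.
interface GigabitEthernet0/0
 ip address 192.168.100.10 255.255.255.0
 crypto map SITE2SITE
!
! Route B's block toward the PIX inside interface so it hits the crypto map.
ip route 10.2.0.0 255.255.0.0 192.168.100.1
```

After traffic brings the tunnel up, `show crypto ipsec sa` on the gateway reports `UDP-Encaps` in the SA's in-use settings when NAT-T was negotiated; if it shows plain `Tunnel` and the PIX is translating, the peer did not agree to NAT-T and the point-to-point router tunnel in Figure 1-16 is the fallback.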

Site-to-Site VPN connections are not only used to secure connectivity between two different organizations, but they are also used to secure links within an organization itself. As technology continues to evolve, network nodes such as routers and switches are becoming more and more capable of handling cryptographic operations involved with IPsec VPNs. As such, the growth of site-to-site VPNs within internal corporate enterprise networks has grown accordingly. Figure 1-17 shows a common network topology in enterprise network WANsa hub-and-spoke topology. In this scenario, the 7200 terminates multiple point-to-point connections from a combination of branch routers.

Figure 1-17. Hub-and-Spoke Networks and Site-to-Site VPNs.


Tip

Hardware-based crypto-accelerators allow head-end devices to scale the number of IPsec tunnels in a hub-and-spoke network dramatically. Cisco currently offers many choices for VPN hardware-based acceleration in routers and switches designed for the data center and branch office.


Tip

In a hub-and-spoke topology, a dynamic multipoint VPN (DMVPN) configuration can help scale the number of security associations supported. DMVPNs use the Next Hop Resolution Protocol (NHRP) and multipoint GRE (mGRE) tunnels to establish direct security associations between branches on demand, so branch-to-branch traffic does not have to cross one security association (SA) from the branch to the head-end and a second SA from the head-end to the destination branch. Chapter 8 covers DMVPN in greater detail.


Site-to-site VPN deployments are also popular in corporate extranets. When an organization requires dedicated site-to-site connectivity to a peer organization or subsidiary, a dedicated high-speed WAN circuit is often provisioned, much as Enterprise Network A is connected to Enterprise Network B in Figures 1-16 and 1-17. When an organization requires multiple dedicated external connections to other peer organizations, an extranet is formed. Figure 1-18 extends the VPN topologies of Figures 1-16 and 1-17 to an extranet deployment composed of multiple site-to-site IPsec VPN tunnels.

Figure 1-18. Corporate Extranet and Site-to-Site VPNs


Remote Access VPNs

Remote access VPNs (RAVPN) drive workforce mobility and productivity by allowing secure connectivity from any point that can establish a Layer 3 connection (or, in the case of a VPDN, a Layer 2 connection) to the network. As home high-speed Internet access has spread throughout the world with the deployment of cable modem and DSL technologies, more companies are turning to RAVPN solutions to let their workforce establish secure connectivity to central corporate resources from remote locations.

RAVPN infrastructures consist of two main components: the VPN client and the VPN concentrator:

  • VPN clients can be either hardware based or software based. Cisco offers the 827 VPN router and the VPN 3002 Hardware Client for hardware-based RAVPN solutions. Software-based VPN clients run on the remote or mobile user's desktop or laptop PC; Cisco offers VPN client software for these implementations.

  • VPN concentrators terminate RAVPN connections inbound from VPN clients. Cisco VPN concentrators offer a scalable solution for terminating large numbers of IPsec connections from VPN clients in an RAVPN solution. VPN concentrators can also provide L2TP network server (LNS) or PPTP network server (PNS) functionality for VPDN implementations.

Figure 1-19 illustrates a basic example of a corporate VPN architecture that supports IPsec RAVPN, VPDN, and extranet VPN access to enterprise networking resources.

Figure 1-19. RAVPN Implementation


SSL in RAVPN Architectures

Traditionally, SSL was embedded in web browsers to secure transactions in client/server architectures. Because SSL can also be deployed inside a specific application, it enables RAVPN capabilities on a per-application basis, so SSL RAVPN solutions offer finer granularity than pure Layer 2 or Layer 3 RAVPN solutions. For example, the security administrators for Enterprise Network A may want to allow secure access only to e-mail, or only to a specific application on a given web server, rather than admitting all of the remote user's IP traffic into the network. To achieve this, the remote user connects with SSL client software that runs in or alongside the web browser, and the security administrator configures the VPN concentrator or web server to terminate the SSL VPN connection accordingly.
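The e-mail-only access policy described above, as an added example on a Cisco IOS router's SSL VPN (WebVPN) feature rather than the VPN concentrator the book discusses; this is not the book's configuration. The gateway address 203.0.113.5, the trustpoint name MAIL-CERT, the server name mail.example.com and the local port numbers are assumed. User authentication uses the router's default AAA login method, which is not shown.

```cisco
! Added example (not from the book): per-application SSL VPN on Cisco IOS.
! Assumed: gateway 203.0.113.5, certificate trustpoint MAIL-CERT,
! mail server mail.example.com. AAA login configuration is not shown.
!
! The gateway is the address and port the browser connects to and the
! certificate it is shown; plain HTTP is redirected to HTTPS.
webvpn gateway SSLVPN-GW
 ip address 203.0.113.5 port 443
 http-redirect port 80
 ssl trustpoint MAIL-CERT
 inservice
!
webvpn context EMAIL-ONLY
 title "Enterprise A Mail Access"
 gateway SSLVPN-GW
 !
 ! Clientless access: one bookmark. The router proxies HTTP/HTTPS to this
 ! URL only; the user has no general web access into the enterprise.
 url-list "MAIL-LINKS"
  heading "E-mail"
  url-text "Webmail" url-value "https://mail.example.com/owa"
 !
 ! Thin-client access: a browser applet listens on the user's PC and
 ! forwards these local ports over SSL to the mail server alone. A desktop
 ! mail client is pointed at 127.0.0.1:20025 (SMTP) and 127.0.0.1:20993
 ! (IMAPS); no other destination or port is reachable through the session.
 port-forward "MAIL-PORTS"
  local-port 20025 remote-server "mail.example.com" remote-port 25 description "SMTP"
  local-port 20993 remote-server "mail.example.com" remote-port 993 description "IMAPS"
 !
 ! The policy group grants only the two lists above. Deliberately absent:
 ! "functions svc-enabled", which would offer a full-tunnel SSL VPN client
 ! and give the user a routed IP presence on the network.
 policy group MAIL-USERS
  url-list "MAIL-LINKS"
  port-forward "MAIL-PORTS"
 default-group-policy MAIL-USERS
 inservice
```

Contrast this with an IPsec RAVPN client, where access control after the tunnel is up depends on filters applied to the client's assigned address; here the reachable set is fixed by what the port-forward and URL lists name, and widening it is an explicit configuration change on the gateway.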




IPsec Virtual Private Network Fundamentals
ISBN: 1587052075