
Private Use of Public Networks for Enterprise Customers

3Com Technical Papers

New Standards-Based Virtual Private Networks Offer Cost Savings and Business Opportunities


Contents

Why Enterprises Need VPNs
What Is a VPN?
VPN Benefits
Cost Savings
Easy Scalability
Support for Ad-Hoc Business Relationships
Full Control
Enterprise VPN Applications
Global Internet Access
Dial Access Outsourcing
Virtual Leased Lines for Branch Office Connectivity
How VPNs Work
VPN Protocols
VPN Security
Microsoft Point-to-Point Encryption (MPPE)
Secure IP (IPsec)
Tunnel Switching: Improved Security and More Flexible VPN Applications
VPN Management
3Com VPN Solutions
3Com Solutions for Enterprises
Conclusion


Virtual private networks (VPNs) offer cost-effective solutions to some of today's most critical networking challenges. Enterprises need a more affordable, scalable way to meet the demands of a growing community of remote users and to manage branch office connectivity. They need to be able to accommodate the pace and unpredictability of business by linking customers and partners into extranets on an ad-hoc basis. And they need to be able to provide all of this access to networked resources, including legacy systems and enterprise protocols, without compromising security.

The benefits of VPNs include the opportunity to save 50 percent or more in the cost of remote access and branch office connectivity. VPNs also offer tremendously increased strategic flexibility, which can lead to additional cost savings and potentially important business advantages.

This paper describes how VPNs cut costs and increase strategic flexibility. It describes and diagrams some of the most popular VPN applications. It explains the underlying tunneling technology, including system components and industry standards for tunneling and tunnel-based security. It introduces tunnel switching and the advantages it offers for increased enterprise network security, more flexible access to network resources behind firewalls, and more flexible service-level handling of tunneled traffic. The paper closes by discussing 3Com VPN solutions and their advantages.

Why Enterprises Need VPNs

Industry analysts predict that by 1999, 80 percent of corporate workers will have at least one mobile computing device.[1] IT organizations everywhere are struggling to meet this ballooning demand for remote connectivity and to deal with the resulting increases in network complexity and end-user support costs.

At the same time, IT must support growing branch office connectivity. Particularly in organizations growing through acquisition or merger, the ability to rapidly integrate separate and frequently incompatible infrastructures can be critical to the success of business relationships. In addition, there is the emerging requirement to deploy extranets that support unpredictable relationships with customers and business partners. IT also has to cope with the plethora of management and security issues these connections entail.

Virtual private networks (VPNs) offer solutions to these dilemmas. They provide enterprises with a number of ways to achieve substantial and immediate remote access and branch connectivity cost reductions by taking advantage of the networking infrastructures and services of Internet service providers (ISPs) and other network service providers (NSPs). VPNs offer a cost-effective, scalable, flexible, manageable, and secure means of handling network growth, of linking in newly acquired business units, and of supporting ad-hoc business relationships. Companies can get all these benefits while retaining central control over security and management of adds, moves, and changes.

Enterprises deploying VPNs will have an increasing range of VPN-based services to choose from. Infonetics Research[2] predicts that the VPN market will grow at more than 100 percent per year through 2001, when it will reach nearly $12 billion. They report that 92 percent of large ISPs and 60 percent of all ISPs plan to offer value-added VPN services by mid-1998.

What Is a VPN?

A VPN is a connection that has the appearance and many of the advantages of a dedicated link but occurs over a shared network. Using a technique called "tunneling," data packets are transmitted across a public routed network, such as the Internet or other commercially available network, in a private "tunnel" that simulates a point-to-point connection. This approach enables network traffic from many sources to travel via separate tunnels across the same infrastructure. It allows network protocols to traverse incompatible infrastructures. It also enables traffic from many sources to be differentiated, so that it can be directed to specific destinations and receive specific levels of service.

[1] "Internet Remote Access," Network Strategy Service, The Forrester Report, vol. 10, no. 8, July 1996.

[2] "Virtual Private Networks," Infonetics Research, 1997.

Acronyms and Abbreviations

AAL: ATM adaptation layer
CHAP: Challenge Handshake Authentication Protocol
IPsec: IP Security (referred to as Secure IP in this paper)
ISAKMP: Internet Security Association and Key Management Protocol
ISDN: Integrated Services Digital Network
ISP: Internet service provider
L2F: Layer 2 Forwarding
L2TP: Layer 2 Tunneling Protocol
MPPE: Microsoft Point-to-Point Encryption
NSP: network service provider
POP: point of presence
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol

The basic components of a tunnel are:

• A tunnel initiator (TI)
• A routed network
• An optional tunnel switch
• One or more tunnel terminators (TT)

Tunnel initiation and termination can be performed by a variety of network devices and software (Figure 1). A tunnel could be started, for example, by an end user's laptop equipped with an analog PC modem card and VPN-enabled dial-up software (basic tunneling and security capabilities are bundled into Windows 95 and Windows NT 4.0). It could also be started by a VPN-enabled extranet router on an enterprise branch or home office LAN, or by a VPN-enabled access concentrator at a network service provider point of presence (POP). A tunnel could be ended by a tunnel terminator or switch on an enterprise network, by a VPN gateway on an NSP's network, or by an extranet router.

In addition, there will usually be one or more security servers. Along with the conventional application of firewalls and address translation, VPNs can provide for data encryption, authentication, and authorization. Tunneling devices perform these functions by communicating with security servers. Such servers also usually provide information on bandwidth, tunnel end points, and, in some cases, network policy information and service levels.

VPN capabilities can be added to existing networking equipment through a software or board-level upgrade. Once installed, the capability can be used for multiple VPN applications, each delivering substantial cost and/or revenue benefits.

VPN Benefits

Cost Savings

VPNs offer cost savings in the areas of communications charges, remote user support, and equipment.

• Communications costs (leased line tariffs, long-distance charges). Connecting two computers over long distances using the Internet can yield substantial savings over today's dedicated leased lines and Frame Relay networks. The Internet is also less expensive than long-distance direct modem or ISDN calls. VPNs are money-savers because they enable remote users to make local calls to an ISP, which are then tunneled to a VPN device on the destination network. Users have the same experience as if they had dialed directly into the network, typically at half the cost of the most economical 800 number.

Figure 1. VPN Components (diagram: tunnel initiators, namely dial-up software on an end user laptop, an extranet router on a branch LAN, and an access concentrator at an NSP POP, send tunnels across a shared routed network to tunnel terminators, namely a tunnel termination device or tunnel switch on the enterprise network and a VPN gateway on the NSP network.)

Acronyms and Abbreviations (continued)

PSTN: public switched telephone network
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
SMDS: Switched Multimegabit Data Service
TI: tunnel initiator
TT: tunnel terminator
VLAN: virtual LAN
VLL: virtual leased line
VPN: virtual private network
VTP: Virtual Tunneling Protocol
xDSL: digital subscriber line

Branch offices can use VPNs to replace dedicated leased lines to company headquarters or to other branches. The branch LAN is connected to a business class NSP, which tunnels traffic from LAN users over the Internet or over its own network backbone to a LAN in another part of the user's enterprise. Branch users are still able to access the corporate network in the usual way, and the company saves money. The savings come not only from taking advantage of a shared network for long-distance transport but also because one WAN interface can be used for branch access to both the enterprise network and the Internet.

• Remote user support. In many companies, while a minority of network users are remote, they consume a majority of network support time. IT must support dial-in users with varying technical abilities and with equipment ranging from analog modems and ISDN terminal adapters to new cable modems and digital subscriber line (xDSL) connections. In addition, technical staff must either be located at branches or provide support remotely. Many companies can achieve substantial cost savings by shifting these support responsibilities from overburdened IT groups to the dedicated help desks of NSPs.

• Equipment installation, maintenance, and obsolescence. VPNs enable enterprises to save WAN equipment installation and maintenance costs, since a single WAN interface can serve multiple purposes. Companies can eliminate or reduce modem pools in favor of receiving dial-up traffic over an existing or augmented Internet connection. The same Internet connection can also support LAN-to-LAN branch internetworking as well as business-to-business links with customers and partners. And with less capital equipment, companies also lower their exposure to obsolescence.

Easy Scalability

VPNs offer immediate scalability with minimal effort. Enterprises can expand the capacity and reach of their network simply by setting up an account with a new NSP or expanding their agreement with an existing provider. In addition, installing VPN capabilities in remote offices is typically a simple task that does not require a technical specialist on site. A few simple commands should configure an extranet router for both Internet and VPN connectivity, and workstations can get their configuration automatically from the router.

Easy scalability allows agile responses to organizational change and market demands. A company completing an acquisition, for example, could link a dozen new branches into its network and add support for thousands of mobile users within just days, compared to the weeks or even months it could take to get leased lines or Frame Relay circuits installed. In addition, VPNs allow companies to link international locations into the network affordably while avoiding the complexities and delays associated with setting up Frame Relay circuits across borders.

Support for Ad-Hoc Business Relationships

Partnering is essential in many markets today, and the ability to move rapidly to mobilize combined forces can determine success. With VPNs, partners can implement new business relationships immediately. There's no need to delay collaboration while counterparts in the two IT organizations negotiate setup of leased lines or Frame Relay circuits. Connections can be made on an ad-hoc basis with any company that is on the Internet.

Full Control

VPNs allow corporations to leverage the facilities and services of NSPs while continuing to exercise full control over their network. For example, companies can outsource dial access while retaining responsibility for user authentication, access privileges, network addressing, security, and management of network changes.

Enterprise VPN Applications

There are numerous ways in which enterprises can gain efficiency, cost, and security benefits. Following are three examples.


Global Internet Access

Enterprises that use VPNs to replace or augment dedicated dial-up facilities with Internet-based dial-up (see Figure 2) can reduce both line charges and equipment costs. In fact, total operating cost savings can reach 60 percent or better.

VPNs enable remote users to access the corporate network by making a local, normally unmetered call to an NSP. The traffic is then tunneled over the NSP's network to the enterprise's Internet gateway and onto the corporate network. The NSP is not aware that the data is being tunneled and doesn't perform tunnel management tasks. Built-in security features (see "VPN Security" below) work with the enterprise firewall to ensure user authentication, privacy, and data integrity.

Enterprises can use VPNs to offer traveling employees "global local access." By choosing an NSP with a global presence or setting up corporate accounts with several NSPs, companies can ensure that wherever their people travel, they can get onto the corporate network by making a local call.

Global Internet access can also be used to provide customers and business partners with secure access to extranet resources. In most cases, since users in these organizations will already be connected to the Internet, giving them the VPN capability necessary to access the extranet simply involves upgrading desktop networking software or activating features in existing software.

In this type of VPN, tunnels can be started by a LAN-based or dial-up VPN client using the VPN capabilities in Windows 95 or Windows NT Dial-Up Networking or special VPN software or modem card. A tunnel termination device or tunnel switch at the firewall at headquarters or another central location ends the tunnel. The company can control user authorization and other security functions from the central location.

The remote user is virtually plugged into the corporate network at the point where the tunnel terminates. The exact location will vary depending on the type of firewall being used. In the case of a single firewall configuration, the "plug-in" point will be the enterprise Internet access router where the firewall is deployed. In the case of a double firewall configuration, the plug-in point will usually be the "demilitarized zone" (DMZ), which is the network segment between external and internal firewalls. In either case, the remote user will have access only to those network resources that have points of connection at the network edge.

Figure 2. Global Internet Access (diagram: remote users, namely a mobile or telecommuting user with VPN-enabled dial-up software and an ISDN terminal adapter or analog modem, and an authorized business partner with a VPN-enabled NIC behind the partner's existing Internet access router, reach the Internet through an NSP providing Internet access; at the enterprise central site a tunnel terminator/switch at the firewall consults a security server.)

Optional tunnel switching can be used with global Internet access to increase security and flexibility (Figure 3). In this case, a tunnel switch at the enterprise extranet router or in the DMZ ends the incoming tunnel and starts a new tunnel to a tunnel termination device on the internal network. The remote user is thus virtually plugged into the network inside of the firewall, where more network resources are available (Figure 4). There are several advantages:

• Multiple applications can be supported without having to open up multiple holes through the firewall. Tunnel switching can eliminate the need to put special application servers in the DMZ between the external and internal firewalls. Tunnels can carry network traffic for a wide variety of IP applications (FTP, Telnet, etc.) safely across the firewall to internal servers. Since the protocols for these applications are encapsulated, a hole needs to be opened in the firewall only for the tunneling protocol. The firewall then sees the tunnel rather than the applications inside it, so per-user and per-application access control has to be enforced where the tunnel terminates.

• Traffic from partners and customers can be segregated from remote employee traffic. Tunnel switching enables tunnels coming in from different types of users over the same Internet interface to be terminated at different locations where different security policies can be applied. Network managers can easily view and control extranet activity and rapidly make adds and changes to accommodate new business relationships.

• Remote users can access legacy network protocols and systems. Tunnel switching can provide safe Internet-based access to networks, such as SNA, Novell NetWare, and AppleTalk, and the applications running over them. Frequently these protocols are not available in the DMZ.

• Organizational divisions can share an Internet interface while controlling their own user authorization and access policies. In a large organization that has various divisions (state government, for example), these divisions can enjoy economies of scale from sharing one high-speed Internet connection, without relinquishing control over their own piece of the network. A tunnel switch can create tunnels that direct traffic to separate tunnel termination devices on each division's LAN. Remote users are virtually plugged into these network segments, and the division can control network access privileges in its own way.

Figure 3. Tunnel Switching (diagram: without a tunnel switch, the tunnel terminator sits where the tunnel enters from the Internet and the remote user is virtually plugged in there; with a tunnel switch, only the tunneling protocol passes through the firewall and the remote user is virtually plugged in at a tunnel terminator on the internal network.)

• Companies can make optimal use of IP address space. Tunnel switching enables VPN traffic to be terminated inside the network, where more address space is available than is usually the case in the DMZ. Companies can use their own internal addressing schemes for tunnel end points, and these addresses are invisible to the NSP providing the Internet VPN service, further increasing security.

• Remote users can function as members of virtual LANs (VLANs). VLANs improve network efficiency by directing traffic only to where it needs to go, and they simplify user moves and changes. But where VPNs are used without tunnel switching, all incoming traffic has to be assigned to the same VLAN. This is because VLAN assignment is usually based on the hub port the user is plugged into. With VPNs, remote users accessing the network through a tunnel are virtually plugged into the same port as whatever device is terminating the tunnel. With tunnel switching, however, tunnel traffic can be forwarded to TTs at different locations, enabling users to be virtually plugged into the network through different ports and thus to be members of different VLANs.

Figure 4. Enterprise Tunnel Switching Application (diagram: a tunnel switch between the exterior and interior firewalls, backed by security servers, forwards tunnels arriving from the Internet across the enterprise WAN to tunnel terminators on internal servers for divisional network access, FTP services for customers and business partners, SAP applications access, and IPX and SNA access.)

Benefits: Global Internet Access

• Cut long-distance charges in half and overall remote access costs by even more
• Reduce capital and maintenance costs by replacing modem banks with a single Internet connection
• Enable remote employees to access the corporate network over their existing Internet connection
• Offer traveling employees worldwide local dial access to the corporate network
• Rapidly establish secure extranet connections for ad-hoc business relationships
• Retain central control of security, firewalling, IP address management, and service offerings

Additional Benefits with Tunnel Switching

• Increase access to network applications and resources without compromising the security perimeter
• Differentiate and manage various types of tunneled traffic coming in over the same Internet connection
• Increase network scalability
• Allow organizational divisions to share the same WAN interface while enforcing separate network access policies
• Increase addressing flexibility
• Combine the advantages of VPNs and VLANs

Dial Access Outsourcing

Companies that outsource remote access to an NSP can reduce not only communications charges (tariffs, long-distance charges, etc.) and equipment costs, but end-user support costs as well (Figure 5). They can let their NSP take on those responsibilities as part of a package of VPN services.

The advantage to mobile users and telecommuters is that they don't need to have tunneling-enabled networking software; they simply dial in to the local NSP in the conventional way. A VPN is created from the NSP's POP to the appropriate enterprise customer and, in some cases, given specific handling based on a service level agreement.

In this type of VPN, an access concentrator at the NSP's POP starts the tunnel. A tunnel termination device or tunnel switch at the enterprise DMZ ends the tunnel. Tunnel switching can be used in any of the ways described above under "Global Internet Access" to achieve additional benefits, including secure access to multiple applications and protocols across the firewall and the ability to differentiate and apply appropriate security to tunneled traffic coming in over the same Internet interface from employees, customers, and partners.

Figure 5. Dial Access Outsourcing (diagram: remote branches and employees, namely a mobile or telecommuting user and a branch LAN, dial over the PSTN to access concentrators at NSP POPs; tunnels cross the Internet or NSP IP backbone to a tunnel switch in the DMZ at the enterprise central site and on to a tunnel terminator on an internal network server, the last point where user information is available; security servers sit at both the NSP and the enterprise.)

Benefits: Dial Access Outsourcing

• Cut long-distance charges in half and overall remote access costs by even more
• Replace modem banks with a single Internet connection
• Reduce end-user support costs
• Enable remote employees to access the corporate network over their existing Internet connection without the need for special networking software
• Offer traveling employees worldwide local dial access to the corporate network and superior performance (bandwidth, throughput, speed)
• Rapidly establish secure extranet connections for ad-hoc business relationships
• Retain central control of security, firewalling, IP address management, and service offerings

Additional Benefits with Tunnel Switching

• Increase access to network applications and resources without compromising the firewall
• Differentiate and manage various types of tunneled traffic coming in over the same Internet connection
• Increase network scalability
• Allow organizational divisions to share the same WAN interface while enforcing separate network access policies
• Increase addressing flexibility
• Combine the advantages of VPNs and VLANs

Whether or not switches are used, because the tunnel is being terminated at the enterprise network, the corporation can continue to control user authorization and other security functions independently of the NSP. (Tunnel termination is the last point where information about the end user, necessary for performing authorization and applying privileges and policies, is available.)

Even companies that are not using a VPN-enabled device to connect to their NSP can take advantage of VPN services (Figure 6). A gateway at the edge of the NSP's network terminates the tunnel and forwards the traffic over a Frame Relay circuit to the enterprise network. In this case, the NSP needs to be able to access or mirror the corporation's network policy server, since its tunnel termination device (the last point where user information is available) must perform authorization functions. The enterprise, of course, continues to control network access for all users at the firewall.

Virtual Leased Lines for Branch Office Connectivity

Companies that connect branches with virtual leased lines (VLLs) can typically save 50 to 75 percent over the cost of dedicated lines (see Figure 7) while gaining the strategic advantage of being able to link in new branches without delay. VLLs reduce communications charges by replacing long-distance links with a connection to a local NSP. Equipment and administration costs are also reduced since a single connection to a local NSP can provide access to both the corporate network and the Internet. As a result of these cost savings, VLLs make a fully meshed network, with its performance and redundancy advantages, affordable for most companies. And, like a leased-line mesh network, a VLL mesh network can incorporate preprogrammed alternative routing paths around busy or out-of-service routers.

Companies can purchase VLLs as a turnkey service from an NSP or they can install and maintain their own equipment, using the NSP only for transport. For companies that decide to do it on their own, the installation process is still very simple; it involves setting up an account with an NSP and performing mostly automated remote configuration tasks on the router.

Figure 6. Dial Access Outsourcing with VPN Frame Gateway (diagram: remote branches and employees dial over the PSTN to access concentrators at NSP POPs; tunnels cross the Internet or NSP IP backbone to a VPN Frame Relay gateway on the NSP network, the last point where user information is available, which consults the NSP's RADIUS server and forwards traffic over a Frame Relay network to a legacy router on the enterprise network, which has its own RADIUS server.)

In this type of VPN, an access router at the branch office starts the tunnel. A tunnel terminator device or tunnel switch at a central enterprise DMZ ends the tunnel. The connection used at the branch can be any permanent or dial-on-demand link that meets the bandwidth requirements of that location. In this respect, VLLs offer much more flexibility than direct Frame Relay or ISDN connections, which require all end points to be the same.

If the incoming Internet tunnel is terminated with a tunnel switch, a new secure tunnel can be established to a tunnel terminator on the internal network (Figure 8). Tunnel switches enable VLLs to support traffic between legacy LANs without having to put support for protocols such as IPX on the portion of the network that connects to the public Internet. (They shift the virtual LAN-to-LAN connection point inside the firewall.) Tunnel switching can also facilitate branch access to applications that are available only over legacy network protocols as well as to those for which restrictions are being enforced at the firewall. In addition, switches enable employees transferred to or working temporarily at branch offices to remain members of VLANs.

Figure 7. Virtual Leased Lines (diagram: VPN-enabled branch extranet routers at the branches connect through the POPs of an NSP providing Internet access or other IP network service; tunnels cross the Internet or the NSP's IP network to a tunnel terminator or tunnel switch at the enterprise firewall, backed by a security server at the enterprise central site.)

Benefits: Virtual Leased Lines

• Reduce branch office connection costs by more than half
• Enable branches to access the corporate network and the Internet from a single connection to a local NSP
• Connect new branches rapidly by purchasing a turnkey service or by self-installation (non-expert)
• Enable branches to choose network access devices that meet their particular bandwidth requirements
• Support multiprotocol LAN-to-LAN connections
• Selectively retain central control of security, firewalling, IP address management, and service offerings, or outsource it to the NSP
• Provide enterprise IT managers with self-provisioning VPN tools

Additional Benefits with Tunnel Switching

• Support multiprotocol connections, including legacy protocols, without putting interfaces on the part of the network that connects to the Internet
• Increase branch access to network applications without compromising the firewall

Enterprises can take advantage of any number of these VPN applications through a single WAN connection. In many cases, all that is required is a simple upgrade to existing network access devices.

How VPNs Work

There is nothing exotic about VPNs. They are based on familiar networking technology and protocols (Figure 9).

In the case of a remote access VPN, for example, the remote access client is still sending a stream of Point-to-Point Protocol (PPP) packets to a remote access server. Similarly, in the case of LAN-to-LAN virtual leased lines, a router on one LAN is still sending PPP packets to a router on another LAN. What is new is that in each case, instead of going across a dedicated line, the PPP packets are going across a tunnel over a shared network.

The effect of VPNs is like that of pulling a serial cable across a WAN cloud. PPP protocol negotiations set up a direct connection from the remote user to the tunnel termination device.

Figure 8. Virtual Leased Lines with Tunnel Switching (diagram: a VPN-enabled branch extranet router carries an Internet VPN across the Internet or the NSP's IP network to a tunnel terminator or tunnel switch at the enterprise firewall, backed by a security server; an internal VPN then crosses the enterprise WAN to a tunnel terminator on an internal server for IPX and SNA access.)

Figure 9. VPNs Are Based on Familiar Technology (diagram: with a direct dial-up connection, a remote access user's PPP packet stream crosses the PSTN's private circuits; with a virtual private network, the same PPP packet stream goes from the ISDN terminal adapter or analog modem to an access concentrator at the NSP POP, across a shared IP network to a tunnel terminator or switch at the enterprise firewall, and on to a tunnel terminator on an internal server.)

The most widely accepted method of creating industry-standard VPN tunnels is by encapsulating network protocols (IP, IPX, AppleTalk, etc.) inside PPP and then encapsulating the entire package inside a tunneling protocol, which is typically carried over IP but could also be carried over ATM or Frame Relay. This approach is called "Layer 2 tunneling" since the passenger is a Layer 2 protocol (Figure 10).

Alternatively, network protocols can be encapsulated directly into a tunneling protocol such as 3Com's Virtual Tunneling Protocol (VTP). This approach is called "Layer 3 tunneling" since the passenger is a Layer 3 protocol (Figure 11).
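To make the two encapsulation styles concrete, the following Python example (added here; it is not code from the paper or from 3Com) builds a PPTP-style Layer 2 tunnel, passenger packet inside PPP inside enhanced GRE inside an outer IP header, and a Layer 3 IP-in-IP tunnel, then shows what the perimeter firewall described under "Global Internet Access" can decide from the outer header alone and what the tunnel terminator recovers. The addresses, the IPX bytes and the TCP payload are constructed for illustration, and the firewall rule (admit only the tunneling protocol, and only to the tunnel terminator) is the one the paper describes, not any product's configuration.

```python
"""Layer 2 (PPP in GRE in IP) versus Layer 3 (IP in IP) tunnels, and what a perimeter
firewall can see of each. Added example; all addresses and payloads are constructed."""
import ipaddress
import struct

GRE_PROTO = 47       # IP protocol number for GRE, the PPTP data channel
IPIP_PROTO = 4       # IP in IP; models a Layer 3 tunnel that can carry only IP
PPP_IP = 0x0021      # PPP protocol field: IPv4
PPP_IPX = 0x002B     # PPP protocol field: IPX
GRE_PPP = 0x880B     # GRE protocol type for PPP used by PPTP (RFC 2637)


def checksum(data):
    """One's-complement Internet checksum; returns 0 over a correct IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); refuse a header whose checksum is wrong."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, length, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
            proto, pkt[ihl:length])


def layer2_tunnel(ti, tt, call_id, seq, ppp_proto, packet):
    """PPTP-style Layer 2 tunnel: passenger -> PPP -> enhanced GRE -> outer IP.
    The PPP frame is the protocol field plus the packet (no HDLC bytes, as in PPTP)."""
    ppp = struct.pack("!H", ppp_proto) + packet
    # Enhanced GRE header: K and S bits set, version 1, key = (payload length, call ID),
    # followed by the sequence number.
    gre = struct.pack("!HHHHI", 0x3001, GRE_PPP, len(ppp), call_id, seq) + ppp
    return ipv4_packet(ti, tt, GRE_PROTO, gre)


def layer3_tunnel(ti, tt, packet):
    """Layer 3 tunnel: the passenger has no PPP header, so it must itself be IPv4."""
    if packet[0] >> 4 != 4:
        raise ValueError("a Layer 3 IP tunnel cannot carry a non-IP passenger")
    return ipv4_packet(ti, tt, IPIP_PROTO, packet)


def firewall_decision(pkt, tunnel_terminator):
    """The perimeter rule the paper describes: admit only the tunneling protocol, and
    only to the tunnel terminator. Only the outer header is consulted; the firewall
    cannot tell which application or protocol rides inside the tunnel."""
    _, dst, proto, _ = parse_ipv4(pkt)
    if dst == tunnel_terminator and proto in (GRE_PROTO, IPIP_PROTO):
        return "permit"
    return "deny"


def terminate(pkt):
    """What the tunnel terminator recovers: (passenger protocol label, passenger bytes)."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto == IPIP_PROTO:
        return "ip", payload
    if proto != GRE_PROTO:
        raise ValueError("not a tunnel packet")
    flags, ptype, plen, _call_id = struct.unpack("!HHHH", payload[:8])
    if ptype != GRE_PPP:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    off = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)  # S and A fields
    ppp_proto = struct.unpack("!H", payload[off:off + 2])[0]
    label = {PPP_IP: "ip", PPP_IPX: "ipx"}.get(ppp_proto, "ppp-0x%04x" % ppp_proto)
    return label, payload[off + 2:off + plen]


# Constructed sample data: tunnel initiator, tunnel terminator, internal host, passengers.
TI, TT, HOST = "203.0.113.10", "198.51.100.1", "10.1.2.3"
inner_ip = ipv4_packet("10.0.0.5", HOST, 6, b"constructed TCP segment")
inner_ipx = b"\xff\xff\x00\x1e\x00\x04" + b"constructed IPX packet"   # not an IP packet

if __name__ == "__main__":
    l2 = layer2_tunnel(TI, TT, call_id=7, seq=1, ppp_proto=PPP_IPX, packet=inner_ipx)
    print("Layer 2 tunnel carrying IPX:", firewall_decision(l2, TT), terminate(l2)[0])
    print("Untunneled packet to an internal host:", firewall_decision(inner_ip, TT))
```

Run as written, the Layer 2 tunnel carries IPX through a perimeter that admits nothing but GRE to the terminator, while the Layer 3 builder refuses the same IPX passenger. The firewall's decision never looks past the outer IP header, which is why the paper places user and application access control at the tunnel terminator rather than at the firewall.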

VPN Protocols

Currently, Microsoft's Point-to-Point Tunneling Protocol (PPTP), which is bundled with Windows 95 and Windows NT 4.0, is the most widely used protocol for VPNs. (PPTP was developed by 3Com and Microsoft.) In the near future, however, most VPNs will be based on the emerging Layer 2 Tunneling Protocol (L2TP).

The L2TP standard represents a merging of PPTP and the Layer 2 Forwarding (L2F) protocol, both of which operate at Layer 2. The emerging standard offers the best features of these protocols as well as additional features. One such enhancement is multipoint tunneling. It will enable users to initiate multiple VPNs in order, for example, to access both the Internet and the corporate network at the same time.

Both L2TP and PPTP offer additionalcapabilities that aren’t available with Layer 3tunneling protocols:• They allow enterprises to choose whether to

manage their own user authorization, accesspermissions, and network addressing, or tohave their NSP do it. By receiving tunneledPPP packets, enterprise network servershave access to information about remoteusers, necessary for performing these tasks.

• They support tunnel switching. User infor-mation is necessary for tunnel switching,which is the ability to terminate a tunnel andinitiate a new tunnel to one of a number ofsubsequent tunnel terminators. Tunnelswitching extends the PPP connection to afurther end point.

• They enable enterprises to apply fine-grained access policies at the firewall and atinternal servers. Because tunnel terminatorsat the enterprise firewall are receiving PPPpackets that contain user information, theycan apply specific security policies to trafficfrom different sources. (With Layer 3 tun-neling, in contrast, there is no way to differ-entiate packets coming in from the NSP, sothe same set of filters has to be appliedacross the board.) In addition, if a tunnelswitch is used, it can initiate a subsequentLayer 2 tunnel to direct traffic from specificusers to the appropriate internal servers,where additional levels of access control canbe applied.
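The following example, added by the editor and not part of the 3Com paper or any 3Com product, makes the Layer 2 encapsulation of Figure 10 and the per-user policy point above concrete. It builds a passenger packet wrapped in PPP, then in an L2TP data message (RFC 2661), then in UDP/IP, and then has a terminator peel the layers off again. Because the terminator sees the L2TP session ID and the PPP protocol field, it can decide per user and per passenger protocol, which is exactly what a Layer 3 terminator that only sees an IP datagram from the NSP cannot do. The session-to-user table and the policy table are constructed for the example, as are all addresses and IDs; the outer IP header is built with a valid header checksum so that tampering with it is detected.

```python
import ipaddress
import struct

L2TP_UDP_PORT = 1701     # RFC 2661
L2TP_VERSION = 2
L2TP_FLAG_T = 0x8000     # control message (this example builds data messages only)
L2TP_FLAG_L = 0x4000     # Length field present
L2TP_FLAG_S = 0x0800     # Ns/Nr fields present
L2TP_FLAG_O = 0x0200     # Offset field present
IPPROTO_UDP = 17
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x0029: "AppleTalk"}  # PPP protocol numbers (IANA)

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed

def ip_checksum(data):
    """RFC 1071 ones'-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ppp_frame(protocol, payload):
    """PPP in HDLC-like framing (RFC 1662): address 0xFF, control 0x03, protocol; no FCS inside L2TP."""
    return struct.pack("!BBH", 0xFF, 0x03, protocol) + payload

def l2tp_data_message(tunnel_id, session_id, ppp):
    """L2TP data message header (RFC 2661 section 3.1) with the optional Length field present."""
    return struct.pack("!HHHH", L2TP_FLAG_L | L2TP_VERSION, 8 + len(ppp), tunnel_id, session_id) + ppp

def ipv4_udp(src, dst, sport, dport, payload, ttl=64):
    """Outer IPv4 and UDP headers; the UDP checksum is left zero, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, ttl,
                      IPPROTO_UDP, 0, ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + udp

def encapsulate(passenger_protocol, passenger, tunnel_id, session_id, lac, lns):
    """Wrap a passenger packet as the access concentrator (LAC) does before sending it to the terminator (LNS)."""
    ppp = ppp_frame(passenger_protocol, passenger)
    return ipv4_udp(lac, lns, L2TP_UDP_PORT, L2TP_UDP_PORT, l2tp_data_message(tunnel_id, session_id, ppp))

def decapsulate(packet):
    """Peel IP, UDP, L2TP and PPP off a tunneled packet; raise ValueError on anything malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = packet[ihl:]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    _, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dport != L2TP_UDP_PORT or udp_len > len(udp) or udp_len < 8 + 6 + 4:
        raise ValueError("not a complete L2TP datagram")
    l2tp = udp[8:udp_len]
    (flags,) = struct.unpack("!H", l2tp[:2])
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("unsupported L2TP version")
    if flags & L2TP_FLAG_T:
        raise ValueError("control message, not a data message")
    off = 2
    if flags & L2TP_FLAG_L:
        (length,) = struct.unpack("!H", l2tp[off:off + 2])
        if length > len(l2tp):
            raise ValueError("L2TP length exceeds datagram")
        l2tp, off = l2tp[:length], off + 2
    tunnel_id, session_id = struct.unpack("!HH", l2tp[off:off + 4])
    off += 4
    if flags & L2TP_FLAG_S:
        off += 4  # skip Ns, Nr
    if flags & L2TP_FLAG_O:
        (pad,) = struct.unpack("!H", l2tp[off:off + 2])
        off += 2 + pad
    if off + 4 > len(l2tp):
        raise ValueError("truncated PPP frame")
    address, control, protocol = struct.unpack("!BBH", l2tp[off:off + 4])
    if (address, control) != (0xFF, 0x03):
        raise ValueError("unexpected PPP framing")
    return {"outer_src": str(ipaddress.IPv4Address(packet[12:16])), "tunnel_id": tunnel_id,
            "session_id": session_id, "passenger": PPP_PROTOCOLS.get(protocol, "0x%04X" % protocol),
            "payload": l2tp[off + 4:]}

# Constructed tables, not from the paper: the terminator learns session -> user when the
# session is set up (for example from a RADIUS lookup), and policy is keyed on (user, passenger protocol).
SESSION_USER = {0x0101: "alice", 0x0102: "bob"}
POLICY = {("alice", "IP"): "permit", ("alice", "IPX"): "permit", ("bob", "IP"): "permit"}

def terminator_decision(packet):
    """The per-user, per-protocol decision a Layer 2 terminator can make and a Layer 3 one cannot."""
    info = decapsulate(packet)
    user = SESSION_USER.get(info["session_id"], "unknown")
    return POLICY.get((user, info["passenger"]), "deny"), user, info
```

With the tables above, an IPX packet on alice's session is permitted while the same packet on bob's session is denied, and a packet whose outer header has been altered in transit is rejected before any policy lookup. In a real terminator the session table is filled from the tunnel's session-setup messages and the policy from the enterprise's security server.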

VPN Security
Secure VPNs apply specific security protocols to tunnels or to the packets they carry. These protocols enable hosts to negotiate encryption and digital signature techniques that ensure data confidentiality, data integrity, and authentication of the sending and receiving sources.

Microsoft Point-to-Point Encryption (MPPE)
MPPE adds integrated data privacy (encryption) into standard Microsoft Dial-Up Networking (Figure 12). A 40-bit version is bundled with PPTP into Windows 95 and Windows NT Dial-Up Networking; a 128-bit version is also available.

Figure 10. Layer 2 Tunneling Protocol Encapsulation (figure; protocol stack, innermost first: IPX, PPP, L2TP, IP).

Figure 11. Layer 3 Tunneling Protocol Encapsulation (figure; protocol stack, innermost first: IPX, VTP, IP).

MPPE encrypts PPP packets on the client workstation before they go into a PPTP tunnel. When the client workstation negotiates PPP with the ultimate tunnel terminator, an encryption session is initiated. (Interim tunnel switches do not have the ability to decrypt PPP packets, so the encryption is end to end between the client and the final terminator.)

MPPE provides data privacy and uses an enhanced Challenge Handshake Authentication Protocol (MS-CHAP) for user authentication. Note that MPPE derives its session keys from the MS-CHAP password hash, so the confidentiality of the tunnel is bounded by the strength of the user's password, and a 40-bit key offers little protection against a determined attacker; the 128-bit version should be used wherever it is available.

Secure IP (IPsec)
IPsec is an emerging standard for VPN security. In cases where IP is used to transmit tunneled traffic, IPsec will enable tunnel initiating and tunnel terminating products from multiple vendors to interoperate.

The standard, which was written by Internet Engineering Task Force (IETF) committees, consists of a set of IP-level protocols for setting up an agreement between two IP stations about the encryption and digital signature methods that will be used. IPsec is recommended for use with L2TP and will be mandatory for IPv6 compliance.

More robust than MPPE, IPsec encompasses authentication of the communicating endpoints, privacy, and data integrity (Figure 13). It can also be extended beyond the tunnel terminator to the destination host workstation. (IPsec authenticates the two IP stations, such as an access concentrator and a tunnel terminator, or a laptop and a terminator; authentication of the individual user still relies on the CHAP and RADIUS exchange described in the examples below.)

Another advantage of IPsec is that its mechanisms for authentication and confidentiality are loosely coupled with its key management systems. While Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and manual key management are the two key management systems currently mandated in IETF draft standards, this loose coupling will allow future systems to be used without requiring modification of the security mechanisms.

Figure 12. MPPE with CHAP (figure; a remote access user running Dial-Up Networking software with MPPE performs a PAP/CHAP exchange with the tunnel initiator at the NSP POP, which is backed by a security server; the MPPE encrypted data stream then crosses the shared IP network to the tunnel switch at the firewall and the tunnel terminator on an internal server, backed by the enterprise security server).

3Com Offers More Flexible VPN Choices
3Com provides VPN products that enable both ISP/NSP-terminated tunnels and enterprise-terminated tunnels. 3Com also supports both L2TP and PPTP tunneling protocols, and is the only company currently offering tunnel switching.

IPsec Example 1: Remote Access with ISP VPN Initiation. In this example, remote access is achieved when the ISP initiates the VPN; the steps below describe the security process. (In Example 2, which follows, the client initiates the VPN and the ISP's access concentrator simply acts as a router.)

1. User authentication. The remote user dials up her ISP. The networking software on her laptop answers the CHAP challenge from the access concentrator at the ISP's POP with a CHAP response carrying the user's name and a hash computed over the challenge and the user's password (the password itself never crosses the link). The access concentrator forwards the name, the challenge, and the response to a security server (for example, a Remote Authentication Dial-In User Service, or RADIUS, server) for user authentication. When it receives a response from the server, it converts the response back into CHAP and transmits it to the remote user's laptop.

Meanwhile, the access concentrator has received additional information from the security server, such as which IP address to assign to the user and which subnet mask to use. It knows the user is an employee of a particular enterprise customer and the specified IP address of the appropriate tunnel termination device for that customer. In most cases, this tunnel terminator will be the enterprise firewall or another device inside the firewall "DMZ" (the network segment between the components of a two-part firewall).

2. Establishment of a secure channel between the tunnel initiation and termination devices. The ISP's access concentrator and the tunnel termination device now use the ISAKMP/Oakley protocols to agree on which encryption and data authentication algorithms (such as DES or 3DES) they will use to establish a secure channel. In ISAKMP's signature-based authentication mode, each participant in an exchange has a pair of keys, one private and one public. The ISP's access concentrator sends the tunnel terminator a message along with a digital signature that it creates using its private key.

To verify the digital signature, the tunnel terminator must use the access concentrator's public key. It may already have the key stored; if not, it can get it by contacting a Certificate Authority. This authority might be a commercial organization such as VeriSign or GTE's CyberTrust, or it might be an enterprise server that stores the certificates of companies with which the enterprise does business. (The enterprise Certificate Authority will, in turn, be certified by a commercial or government organization, which may, in turn, be certified by another organization, and on up the hierarchy of trust.)

The tunnel terminator returns a message with a signature created by its private key to the ISP's access concentrator. The access concentrator then uses the tunnel terminator's public key to verify the signature.

Figure 13. IPsec (figure; a remote access user running Dial-Up Networking software with IPsec is authorized against the security server at the NSP POP; the encrypted data stream runs from the tunnel initiator across the shared IP network to the tunnel switch at the firewall, the tunnel terminator on an internal server, and the destination host, with IPsec applied on each hop and the enterprise security server behind the terminator).

The Oakley protocols are employed to exchange information that will be used to generate encryption keys. The access concentrator and the tunnel terminator each employ an algorithm called Diffie-Hellman to independently generate another public/private key set (actually, two half-keys, one of which is kept secret). They then exchange the public half of their keys. The access concentrator takes its own secret half-key and the tunnel terminator's public half-key and runs a mathematical function on them that results in a third secret key. The tunnel terminator performs the function against its secret half-key and the access concentrator's public half-key, coming up with the same third secret key. This process is secure because anyone intercepting the exchange will get only the two public half-keys, and, provided the group is large enough, there is no hardware currently available in the market with the computational power to derive the secrets from the public keys. Note that the Diffie-Hellman exchange by itself does not tell either device who it is talking to; the signatures exchanged above are what bind the half-keys to the two devices' identities, and without them an attacker positioned between the devices could substitute its own half-keys and read the traffic.
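The exchange in step 2, as an added example written by the editor; it is not code from the paper or from 3Com. It follows the shape of ISAKMP/Oakley phase 1 as it was later published in RFC 2409 (IKE), using the 1024-bit Oakley group 2 prime from that RFC with generator 2. To stay within the Python standard library it authenticates with a pre-shared key (one of the authentication modes in RFC 2409) instead of the certificate signatures described above; the HASH_I/HASH_R values play the role of the signatures, binding each side's half-key, cookie and identity to the shared secret, and the SA proposal bytes that IKE also covers are omitted. HMAC-SHA-256 stands in for the negotiated pseudo-random function. The peer identities and pre-shared keys are constructed. Two caveats a practitioner would add: the code checks that a received half-key is a valid group element before using it, and a 1024-bit group is considered too small today (the 2015 "Logjam" results), so real deployments use 2048-bit or larger groups or elliptic-curve Diffie-Hellman.

```python
import hashlib
import hmac
import os
import secrets

# Oakley group 2 (RFC 2409, section 6.2): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test, used to sanity-check the group parameters before trusting them."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def prf(key, data):
    """Keyed pseudo-random function; IKE negotiates one (HMAC-MD5 or HMAC-SHA-1 in 1998), HMAC-SHA-256 here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def encode(n):
    """Fixed-width big-endian encoding of a group element, as carried in a KE payload."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")

def valid_public_value(y):
    """Reject degenerate half-keys: outside (1, P-1), or not in the prime-order subgroup generated by G."""
    return 1 < y < P - 1 and pow(y, (P - 1) // 2, P) == 1

class Peer:
    def __init__(self, identity, psk):
        self.identity, self.psk = identity, psk
        self.cookie = os.urandom(8)            # ISAKMP cookie
        self.nonce = os.urandom(16)
        self.x = 2 + secrets.randbelow(P - 3)  # secret half-key
        self.gx = pow(G, self.x, P)            # public half-key, sent to the other side

    def shared_secret(self, peer_gx):
        if not valid_public_value(peer_gx):
            raise ValueError("bad Diffie-Hellman public value from peer")
        return pow(peer_gx, self.x, P)         # g^xy, the "third secret key"

def skeyid_psk(psk, nonce_i, nonce_r):
    """SKEYID for pre-shared-key authentication (RFC 2409 section 5.4)."""
    return prf(psk, nonce_i + nonce_r)

def auth_hash(skeyid, gx_own, gx_peer, cky_own, cky_peer, identity):
    """HASH_I or HASH_R: binds half-keys, cookies and identity to SKEYID (SA proposal bytes omitted)."""
    return prf(skeyid, encode(gx_own) + encode(gx_peer) + cky_own + cky_peer + identity)

def derive_keys(skeyid, gxy, cky_i, cky_r):
    """SKEYID_d, SKEYID_a, SKEYID_e (RFC 2409 section 5): keying material, authentication key, encryption key."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e

def run_phase1(psk_initiator, psk_responder):
    """Run the exchange between an access concentrator (initiator) and a tunnel terminator (responder).
    Returns (authenticated, initiator_encryption_key, responder_encryption_key)."""
    ini = Peer(b"concentrator.isp.example", psk_initiator)
    res = Peer(b"vpn-gw.enterprise.example", psk_responder)
    # Messages 1-4: cookies and SA proposal, then each side's half-key (KE) and nonce.
    gxy_i = encode(ini.shared_secret(res.gx))
    gxy_r = encode(res.shared_secret(ini.gx))
    sk_i = skeyid_psk(ini.psk, ini.nonce, res.nonce)
    sk_r = skeyid_psk(res.psk, ini.nonce, res.nonce)
    # Message 5: the initiator proves it holds SKEYID (and so the pre-shared key) with HASH_I.
    hash_i = auth_hash(sk_i, ini.gx, res.gx, ini.cookie, res.cookie, ini.identity)
    expect_i = auth_hash(sk_r, ini.gx, res.gx, ini.cookie, res.cookie, ini.identity)
    if not hmac.compare_digest(hash_i, expect_i):
        return False, None, None
    # Message 6: the responder answers with HASH_R, which the initiator checks the same way.
    hash_r = auth_hash(sk_r, res.gx, ini.gx, res.cookie, ini.cookie, res.identity)
    expect_r = auth_hash(sk_i, res.gx, ini.gx, res.cookie, ini.cookie, res.identity)
    if not hmac.compare_digest(hash_r, expect_r):
        return False, None, None
    return (True, derive_keys(sk_i, gxy_i, ini.cookie, res.cookie)[2],
            derive_keys(sk_r, gxy_r, ini.cookie, res.cookie)[2])
```

Run with the same pre-shared key on both sides, the two devices end up with identical encryption keys without that key ever crossing the network. Run with different keys, which is what an attacker who intercepts both half-keys but lacks the shared secret can achieve at best, the HASH_I check fails and no keys are derived; this is the authentication step that the bare Diffie-Hellman exchange does not provide.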

3. Application of organizational security policies. The next step is for the devices to exchange information on how security will be handled for this particular user. A transmission from the CEO, for example, may need to be sent using stronger message authentication and integrity methods (for example, stronger hash functions or additional layers of encryption) than one from a sales representative.

The access concentrator gets policy information about the user from a RADIUS server or other internal source, and then initiates an exchange with the tunnel terminator. This exchange is encrypted using the algorithm already agreed upon during the ISAKMP/Oakley exchange.

The user's data packets (including the payload and the IP header) are then encrypted and encapsulated in a new IP header. This header has a different set of addresses than the original IP header on the user's packet. Where initially the source address was the user's laptop and the destination address was a host somewhere behind the firewall, in the new IP header the source is the ISP's access concentrator and the destination is the tunnel terminator. This method is called IPsec "tunnel mode" (also written "tunneling mode"), because during transmission across the public network the IP addresses of the source and destination hosts are hidden.

To ensure data integrity during transmission, a keyed hash (a message authentication code, computed with a key known only to the two devices; an unkeyed hash would give no protection, since an attacker could simply recompute it) may be calculated on the user's IP packet before the new IP header is added. Or, to protect the outer addressing as well, it may be calculated on the user's packet and the new header together, as the IPsec Authentication Header does; note that a hash covering the outer header will fail if any device on the path, such as a network address translator, rewrites that header. When the tunnel termination device receives the packet, it performs the same keyed hash function on the packet. If it gets the same value, then the packet has not been tampered with.
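The tunnel mode processing of step 3, as an added example written by the editor; it is not code from the paper or from 3Com. It follows the ESP tunnel mode framing (SPI, sequence number, IV, encrypted inner packet, integrity check value) and shows three things the text describes: the outer header carries only the two gateways' addresses while the inner addresses are hidden; a packet whose ciphertext is modified in transit fails the keyed hash and is dropped; and covering the outer header with the hash, AH-style, means a NAT device on the path that rewrites the outer source address breaks the check, while a hash over the inner packet alone survives it. The cipher is a stand-in (HMAC-SHA-256 run in counter mode, so the example needs only the standard library) where real ESP uses a negotiated cipher such as DES/3DES-CBC in the paper's day or AES-GCM today; the keys, addresses and packet contents are constructed, and the outer IP header's checksum is left zero since routers and NAT devices recompute it anyway.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

IPPROTO_ESP = 50
ICV_LEN = 32  # HMAC-SHA-256 output

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed

def ip_header(src, dst, payload_len, proto, ttl=64):
    """Minimal IPv4 header; the checksum is left zero (routers and NAT devices rewrite it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, ip4(src), ip4(dst))

def keystream(key, iv, length):
    """Stand-in stream cipher: HMAC-SHA-256 in counter mode. Real ESP uses a negotiated block cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def immutable_part(outer):
    """Outer header with the fields a router legitimately changes (TTL, checksum) zeroed, as AH does."""
    return outer[:8] + b"\x00" + outer[9:10] + b"\x00\x00" + outer[12:]

def esp_encapsulate(inner_packet, spi, seq, enc_key, auth_key, gw_src, gw_dst, cover_outer=False):
    """Tunnel mode: encrypt the whole inner packet, prepend SPI/sequence/IV, append a keyed hash,
    and add a new outer header. cover_outer=True also hashes the immutable part of the outer header."""
    iv = os.urandom(16)
    body = struct.pack("!II", spi, seq) + iv + xor(inner_packet, keystream(enc_key, iv, len(inner_packet)))
    outer = ip_header(gw_src, gw_dst, len(body) + ICV_LEN, IPPROTO_ESP)
    covered = (immutable_part(outer) if cover_outer else b"") + body
    return outer + body + hmac.new(auth_key, covered, hashlib.sha256).digest()

def esp_decapsulate(packet, enc_key, auth_key, cover_outer=False):
    """Verify the keyed hash first, then decrypt; returns (spi, seq, inner_packet) or raises ValueError."""
    outer, body, icv = packet[:20], packet[20:-ICV_LEN], packet[-ICV_LEN:]
    covered = (immutable_part(outer) if cover_outer else b"") + body
    if not hmac.compare_digest(icv, hmac.new(auth_key, covered, hashlib.sha256).digest()):
        raise ValueError("integrity check failed; packet dropped")
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:24], body[24:]
    return spi, seq, xor(ciphertext, keystream(enc_key, iv, len(ciphertext)))

def nat_rewrite_source(packet, new_src):
    """What a NAT device on the path does to the outer header (its checksum update is omitted here)."""
    return packet[:12] + ip4(new_src) + packet[16:]

def outer_addresses(packet):
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))
```

The choice between hashing only the inner packet and hashing the outer header too is the practical difference between ESP and AH: the latter detects any change to the outer addresses, but for exactly that reason it cannot pass through address translation, which is why ESP became the form almost universally deployed.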

The tunnel terminator uses the negotiated key to decrypt the packets as they are received. If the tunnel is being terminated by the ISP, the packets are transmitted to the enterprise via a Frame Relay circuit or other dedicated link. If the tunnel is being terminated by the enterprise, the packets are dropped onto a LAN for transmission to the destination host. If the enterprise is using a tunnel switch to receive VPN traffic from its ISP or NSP, the switch creates a new tunnel to the destination host. IPsec security can also be applied to this tunnel.

IPsec Tunnel Mode Is Not the Same as a VPN Tunnel
When IPsec-compliant encryption is applied to an entire IP packet, and the encrypted result is then encapsulated into another IP packet, the process is called "tunnel mode" (also written "tunneling mode"). IPsec itself carries only IP; other network protocols such as IPX or AppleTalk must first be placed inside a Layer 2 tunnel (PPTP or L2TP), which can then be protected with IPsec.

The advantage of using this mode is that a network protocol can travel across a network that does not support it (for example, privately addressed IP across the public Internet) to a tunnel termination device that does. Tunnel mode also protects the identity of networks, subnetworks, and terminating nodes. To confuse the picture further, Layer 2 VPNs provide these same benefits, whether or not they incorporate IPsec.

As a result of similarities in terminology and this single overlap in functions, some people assume that all tunneling functions are performed by IPsec tunnel mode. In fact, IPsec provides only a small part of the capabilities needed for virtual private networking.

IPsec Example 2: Remote Access with Client VPN Initiation. This process is the same as the one described in the first example, except that all of the exchanges (CHAP user authentication, ISAKMP/Oakley establishment of a security association, application of organizational policy, and encrypted transmission) take place between the remote user's laptop and the tunnel termination device. The ISP's access concentrator simply acts as a router. It is not even aware that a secure VPN has been established.

Tunnel Switching: Improved Security and More Flexible VPN Applications
A tunnel switch is a combination tunnel terminator/tunnel initiator. It can be used to extend tunnels from one network to another, for example, to extend a tunnel incoming from an ISP's network into a corporate network. It can also be used to replace a point-to-point connection with a point-to-switched-fabric-to-point connection, one that behaves much like a dedicated telephone switched circuit even though it occurs over a routed network.

Tunnel switching offers many business advantages and opens up the possibility of a myriad of tunneling applications. Enterprises, for example, can use tunnel switching to increase security at the firewall while improving their ability to manage remote access to network resources behind the wall (Figure 14). In this case, the tunnel switch is generally located on the enterprise firewall. Based on a RADIUS lookup on the user name, the switch initiates a new tunnel through the firewall to a specific internal server. This approach protects the integrity and performance of the firewall while increasing access to networked applications and resources.

Only a "rifle shot" hole has to be opened up in the firewall for the tunneling protocol to pass through. During the initial tunnel termination, however, the tunnel switch can identify the other encapsulated protocols that the IP datagram is carrying with it. It can do a lookup to a firewall RADIUS server and, based on the remote user name and the protocols, retrieve information on the approved destinations of those packets. The switch then initiates new tunnels to carry packets to specific servers behind the firewall. These internal network servers, which do the final tunnel termination, can be equipped with detailed user profiles and privileges, enabling them to make fine-grained decisions about network access.

Figure 14. Tunnel Switching Through the Firewall (figure; from the Internet, the tunnel switch, the "main gate sentry," performs basic user authorization against the security server; on the internal network, the tunnel terminator on an internal server, the "inner gate sentry," performs more detailed user authorization and enforces profiles and policies).

For More Information
To find out more about security technology, refer to the following documents:
• RFC 1825, "Security Architecture for the Internet Protocol"
• RFC 1827, "IP Encapsulating Security Payload (ESP)"
• RFC 1851, "The ESP Triple DES Transform"
(RFC 1825 and RFC 1827 have since been obsoleted by RFC 2401 and RFC 2406, and those in turn by RFC 4301 and RFC 4303, which are the current IPsec architecture and ESP specifications.)

One way to think about the impact that tunnel switching can have on security is to imagine a sentry at the main gate of a secure compound. This main gate sentry does not have access to restricted information such as passwords, but he does have a generalized set of criteria for screening visitors and placing them in categories. This allows the sentry to direct the visitors to a specific guard station at an internal gate. The guards at these internal gates have much more detailed information about access permissions and can demand a password or some other form of authentication.

The benefits of tunnel switching are not limited to security, however. Enterprises can also use tunnel switches to perform server load balancing for incoming VPN traffic and to increase flexibility for IP addressing. NSPs can use tunnel switching to flexibly direct traffic from different customers (and even from different users within a customer account) into tunnels with appropriate end points and Quality of Service (QoS) handling. An NSP, for example, could switch a high-priority customer onto a higher-speed fabric or use tunnel switching to avoid network congestion points.

VPN Management
The goal in VPN management is to make VPNs look like a private network. 3Com VPN solutions incorporate management tools that monitor and provide visibility into VPNs running over provider networks. 3Com Transcend AccessWatch/VPN, for example, is a Web-based application that enables network administrators to profile the use and performance of VPNs using both real-time and historical data. Using Transcend AccessWatch/VPN, administrators can perform capacity utilization, QoS, security exception, and tunnel usage analyses. New-generation policy-based management tools will also be deployable across both conventional network links and VPNs.

3Com VPN Solutions
3Com has more experience with VPNs than any other internetworking provider. 3Com was the first remote access vendor to deliver VPN solutions, and now 3Com has more than 50,000 VPN ports currently in use, with more than 2 million VPN-ready ports installed worldwide.

3Com offers end-to-end VPN solutions, including products for enterprises and both service-focused and infrastructure-intensive NSPs. All 3Com VPN solutions adhere to industry standards (including IPsec for security) and are compatible with each other, making it easy for VPN providers and users to establish mutually beneficial business partnerships.

Enterprises and NSPs can choose 3Com VPN products with confidence. VPN capabilities are built into 3Com's proven product lines, including multiprotocol routers equipped with a rich set of management features, market-leading, award-winning access concentrators, and the highest-density carrier class solutions on the market. As the market leader in NICs and modems, 3Com also understands the needs of remote users.

3Com is also the first vendor to extend the VPN architecture to incorporate tunnel switching, the key to better security and more flexible VPN applications.

All VPN products ship with TranscendWare™ software, ensuring that 3Com customers will be able to deploy and enforce network policies consistently across both conventional links and VPNs. TranscendWare software allows edge devices to communicate with end devices to enforce network policies. By monitoring VPN tunnels, these devices will be able to better manage dial-up ports, bandwidth allocation, network load and destination, and return policy leases, all critical elements for control in a VPN environment.

3Com Solutions for Enterprises
Enterprises can add VPN network server capability (tunnel termination) to their existing NETBuilder II® or SuperStack® II bridge/router. This single device can provide a connection to an NSP over leased line, Frame Relay, ISDN, SMDS, or Switched 56, and it provides LAN connections over Ethernet, Token Ring, and ATM. The NETBuilder II router supports all major LAN protocols, enabling multiprotocol tunnel traffic to be routed to the appropriate LAN server; and it also supports SNA for access to legacy systems.

NETBuilder® and SuperStack II products offer the unique advantage of Boundary Routing® system architecture. Boundary Routing technology enables companies to simplify remote router installation and configuration, eliminating the need for on-site technical staff, by shifting router management to a central site.

Where NSPs are providing tunnel creation services, branch offices and remote users can continue to use their existing 3Com networking devices (OfficeConnect® routers, 3ComImpact® IQ ISDN terminal adapters, 3Com x2™ or Courier™ modems, 3Com Megahertz® PC modem cards) as is. Where remote user devices are to create tunnels, additional software is required. This software is already integrated into 3Com network interface cards and is also bundled into the Windows 95 and Windows NT operating systems.

Conclusion
Industry-standard virtual private networks are ushering in the next generation of network connectivity. Most analysts expect that Internet-based VPNs will eventually replace most leased-line networks. VPNs are being widely adopted because they offer immense cost savings as well as new business opportunities for both enterprises and network service providers. Many of these benefits can be gained by rapidly establishing new types of business relationships that are mutually beneficial to all parties.

3Com has a broader product line of solutions and more experience with VPNs than any other vendor, and is the first vendor to offer the competitive advantage of tunnel switching. 3Com customers can begin exploiting the benefits of VPNs now, with confidence, because 3Com VPN solutions are available (in most cases, through upgrades) on some of the industry's most highly praised, market-proven networking platforms and products.


Printed in U.S.A. 500651-001 2/98

© 1998 3Com Corporation. All rights reserved. 3Com, 3ComImpact, Boundary Routing, Megahertz, NETBuilder, NETBuilder II, OfficeConnect, Transcend, and SuperStack are registered trademarks of 3Com or its subsidiaries. Courier, TranscendWare, and x2 are trademarks of 3Com or its subsidiaries. AppleTalk is a trademark of Apple Computer. Windows and Windows NT are trademarks of Microsoft. IPX and NetWare are trademarks of Novell. Other brands or product names may be trademarks or registered trademarks of their respective owners.

3Com Corporation, P.O. Box 58145, 5400 Bayfront Plaza, Santa Clara, CA 95052-8145. Phone: 800-NET-3Com or 408-764-5000. Fax: 408-764-5001. World Wide Web: http://www.3com.com
