Dedicated Connection Options

Also called leased lines, dedicated connections are pre-established point-to-point WAN connections from the customer premises through the provider network to a remote destination (see Figure 7-3).

Leased lines are usually more expensive than switched services because of the dedicated, always-on cost of providing WAN service to the customer. The dedicated capacity removes latency and jitter and provides a layer of security because only the customer’s traffic is allowed on the link. Table 7-1 lists the available leased line types and their bit-rate capacities.

Circuit-Switched Connection Options

The two main types of circuit-switched connections are analog dialup and ISDN. Both technologies have limited implementation bases in today’s networks. However, they are both still used in remote rural areas and other areas of the globe where more recent technologies are not yet available.

Analog dialup uses modems at very low-speed connections that might be adequate for the exchange of sales figures, prices, routine reports, and email, or as an emergency backup link.

ISDN turns the local loop into a TDM digital connection, which enables it to carry digital signals that result in higher-capacity switched connections than are available with analog modems. Two types of ISDN interfaces exist:

• Basic Rate Interface (BRI): Provides two 64-kbps B-channels for voice or data transfer and a 16-kbps D-channel for control signaling.

• Primary Rate Interface (PRI): Provides 23 B-channels with 64 kbps and 1 D-channel with 64 kbps in North America, for a total bit rate of up to 1.544 Mbps. Europe uses 30 B-channels and 1 D-channel, for a total bit rate of up to 2.048 Mbps.

Figure 7-4 illustrates the various differences between ISDN BRI and PRI lines.

Packet-Switched Connection Options

The most common packet-switching technologies used in today’s enterprise WANs include Metro Ethernet and MPLS. Legacy technologies include X.25 and ATM.

MPLS

Multiprotocol Label Switching (MPLS) has the following characteristics:

• Multiprotocol: MPLS can carry any payload, including IPv4, IPv6, Ethernet, ATM, DSL, and Frame Relay traffic.

• Labels: MPLS uses labels inside the service provider’s network to identify paths between distant routers instead of between endpoints.

• Switching: MPLS actually routes IPv4 and IPv6 packets, but everything else is switched.

As Figure 7-5 shows, MPLS supports a wide range of WAN technologies, including serial leased lines, Metro Ethernet, ATM, Frame Relay, and DSL (not shown).

In Figure 7-5, CE refers to the customer edge routers. PE is the provider edge routers that add and remove labels.

Note:

MPLS is primarily a service provider WAN technology.

Internet Connection Options

Broadband connection options typically are used to connect telecommuting employees to a corporate site over the Internet. These options include Digital Subscriber Line (DSL), cable, and wireless.

DSL

DSL technology, shown in Figure 7-6, is an always-on connection technology that uses existing twisted-pair telephone lines to transport high-bandwidth data and provides IP services to subscribers.

Current DSL technologies use sophisticated coding and modulation techniques to achieve data rates of up to 8.192 Mbps. A variety of DSL types, standards, and emerging technologies exist. DSL is a popular choice for enterprise IT departments to support home workers.

Cable Modem

A cable modem provides an always-on connection and simple installation. Figure 7-7 shows how a subscriber connects a computer or LAN router to the cable modem, which translates the digital signals into the broadband frequencies used for transmitting on a cable television network.

Choosing a WAN Link Option

Table 7-2 compares the advantages and disadvantages of the various WAN connection options reviewed.

VPN Benefits

Benefits of VPN include the following:

• Cost savings: Eliminates the need for expensive dedicated WAN links and modem banks

• Security: Uses advanced encryption and authentication protocols that protect data from unauthorized access

• Scalability: Can add large amounts of capacity without adding significant infrastructure

• Compatibility with broadband technology: Supported by broadband service providers, so mobile workers and telecommuters can take advantage of their home high-speed Internet service to access their corporate networks

Types of VPN Access

The following describes the types of VPN access methods:

• Site-to-site VPNs: Site-to-site VPNs connect entire networks to each other. For example, a site-to-site VPN can connect a branch office network to a company headquarters network, as in Figure 7-8. Each site is equipped with a VPN gateway, such as a router, firewall, VPN concentrator, or security appliance. In the figure, a remote branch office uses a site-to-site VPN to connect with the corporate head office.

• Remote-access VPNs: Remote-access VPNs enable individual hosts, such as telecommuters, mobile users, and extranet consumers, to access a company network securely over the Internet, as in Figure 7-9. Each host typically has client software for a client-based VPN connection or uses a web browser for clientless VPN connection. Web-based clientless VPNs are also typically called clientless Secure Sockets Layer (SSL) connections. However, the VPN is actually established using Transport Layer Security (TLS). TLS is the newer version of SSL and is sometimes expressed as SSL/TLS.

• Generic Routing Encapsulation (GRE): A standard IPsec VPN (non-GRE) can only create secure tunnels for unicast traffic. GRE is a nonsecure site-to-site VPN tunneling protocol that can support multicast and broadcast traffic needed for network layer protocols. However, GRE does not by default support encryption; therefore, it does not provide a secure VPN tunnel. To solve this problem, you can encapsulate routing protocol traffic by using a GRE packet and then encapsulate the GRE packet into an IPsec packet to forward it securely to the destination VPN gateway. The terms used to describe the encapsulation of GRE over IPsec tunnel are passenger protocol for the routing protocol, carrier protocol for GRE, and transport protocol for IPsec, as shown in Figure 7-10.

• Dynamic Multipoint VPN (DMVPN): DMVPN is a Cisco-proprietary solution for building many VPNs in an easy, dynamic, and scalable manner. DMVPN allows a network administrator to dynamically form hub-to-spoke tunnels and spoke-to-spoke tunnels, as in Figure 7-11. DMVPN simplifies the VPN tunnel configuration and provides a flexible option for connecting a central site with branch sites. It uses a hub-and-spoke configuration to establish a full mesh topology. Spoke sites establish secure VPN tunnels with the hub site. Each site is configured using Multipoint Generic Routing Encapsulation (mGRE). The mGRE tunnel interface allows a single GRE interface to dynamically support multiple IPsec tunnels.

DMVPN uses the following technologies:

• Next Hop Resolution Protocol (NHRP): Maps public IP addresses for all tunnel spokes

• IPsec encryption: Provides the security to transport private information over public networks

• mGRE: Allows a single interface to support multiple IPsec tunnels

• IPsec Virtual Tunnel Interface (VTI): Like DMVPN, VTI simplifies the configuration process required to support multiple sites and remote access. IPsec VTI is capable of sending and receiving both IP unicast and multicast encrypted traffic. Therefore, routing protocols are automatically supported without the need to configure GRE tunnels.

• Service provider MPLS VPNs: MPLS can provide clients with managed VPN solutions; therefore, securing traffic between client sites is the responsibility of the service provider. Two types of MPLS VPN solutions are supported by service providers:

  • Layer 3 MPLS VPN: The service provider participates in customer routing, redistributing the routes through the MPLS network to the customer’s remote locations.

  • Layer 2 MPLS VPN: The service provider is not involved in the customer routing. Instead, the provider deploys Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. No routing is involved. The customer’s routers effectively belong to the same multiaccess network.

VPN Components

Figure 7-12 illustrates a typical VPN topology. Components required to establish this VPN include the following:

• An existing enterprise network with servers and workstations

• A connection to the Internet

• VPN gateways, such as routers, firewalls, VPN concentrators, and Adaptive Security Appliances (ASAs), that act as endpoints to establish, manage, and control VPN connections

• Appropriate software to create and manage VPN tunnels

Establishing Secure VPN Connections

VPNs secure data by encapsulating and encrypting it. With regard to VPNs, encapsulation and encryption are defined as follows:

• Encapsulation is also called tunneling because encapsulation transmits data transparently from source network to destination network through a shared network infrastructure.

• Encryption codes data into a different format by using a secret key, which is then used on the other side of the connection for decryption.

VPN Tunneling

Tunneling uses three classes of protocols:

• Carrier protocol: The protocol over which information travels, such as Frame Relay, PPP, or MPLS

• Encapsulating protocol: The protocol that is wrapped around the original data, such as GRE, IPsec, L2F, PPTP, or L2TP

• Passenger protocol: The protocol over which the original data was carried, such as IPX, AppleTalk, IPv4, or IPv6

Figure 7-13 illustrates an email message traveling through the Internet over a VPN connection.

Hashes

VPNs use a keyed hashed message authentication code (HMAC) data-integrity algorithm to guarantee a message’s integrity and authenticity without any additional mechanisms.

The cryptographic strength of the HMAC depends on the cryptographic strength of the underlying hash function, the key’s size and quality, and the size of the hash output length, in bits. There are two common HMAC algorithms:

• Message Digest 5 (MD5): Uses a 128-bit shared secret key

• Secure Hash Algorithm 1 (SHA-1): Uses a 160-bit secret key

Figure 7-14 shows an example using MD5 as the HMAC algorithm.

An HMAC has two parameters: a message input and a shared secret key known only to the message originator and intended recipients. In Figure 7-14, both R1 and R2 know the shared secret key. The process in Figure 7-1. uses the following steps:

Step 1. R1 uses MD5 to perform the hashing function, which outputs a hash value. This hash value is then appended to the original message and sent to R2.

Step 2. R2 removes the hash value from the original message, runs the same hash operation, and then compares its hash value with the hash value sent by R1. If the two hashes match, data integrity has not been compromised.

IPsec Security Protocols

Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. However, when security is an issue, IPsec is the superior choice. Table 7-3 compares IPsec and SSL remote access deployments.

IPsec spells out the messaging necessary to secure VPN communications but relies on existing algorithms. The two main IPsec framework protocols are as follows:

• Authentication Header (AH): Used when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies the originators of any messages and that any message passed has not been modified during transit. AH does not provide data confidentiality (encryption) of packets. Used alone, the AH protocol provides weak protection. Consequently, it is used with the ESP protocol to provide data encryption and tamper-aware security features.

• Encapsulating Security Payload (ESP): Provides confidentiality and authentication by encrypting the IP packet. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.

IPsec relies on existing algorithms to implement encryption, authentication, and key exchange. Figure 7-1. shows how IPsec is structured.

IPsec provides the framework, and the administrator chooses the algorithms used to implement the security services within that framework. As Figure 7-1. illustrates, the administrator must fill the four IPsec framework squares:

• Choose an IPsec protocol.

• Choose the encryption algorithm that is appropriate for the desired level of security.

• Choose an authentication algorithm to provide data integrity.

• The last square is the Diffie-Hellman (DH) algorithm group, which establishes the sharing of key information between peers. Choose which group to use: DH1, DH2, or DH5.