Chapter . VPNs

Secure Networking Over the Internet

Traditional WAN networking involved dedicated circuits running Frame Relay or leased lines. Although prices have recently decreased, the cost of these private circuits continues to be high.

In addition to dedicated WAN connections, corporations had to maintain large banks of dialup modems (or outsource the dial-in to a vendor) so that workers could remotely access the corporate network with modems. In both cases, the goal was to extend the corporate network to remote locations and individuals.

With the widespread implementation of the Internet, IP connectivity is accessible both from people’s houses as well as public locations, such as airports and coffee shops. Service providers find it more cost-effective to offer IP-based WAN services as opposed to dedicated circuits. Corporations must provide extensive Internet services to their employees, partners, and customers to remain competitive.

Given the confluence of IP public and corporate networks, extending the corporate network to places other than the main campus is more economical and practical.

Virtual private networks (VPNs) allow corporations to replace their dedicated private networks (such as Frame Relay, ATM, and leased line) with “virtually” private networks. This means their data traverses public IP networks but is secure due to authentication and encryption. Because of the Internet and service-provider IP networks, networks of equivalent bandwidth end up being cheaper than dedicated services.

With the availability of Internet connectivity, VPNs allow users to access their corporate networks securely from homes, hotels, businesses, and other public locations. VPNs also provide the ability to “work from home,” creating “telecommuters.” For example, call-center employees can answer phones from home (using IP-based call center and IP phones).

With the convergence of voice, video, and data, VPNs add value not previously available from dialup and WAN services. IP connectivity to the corporation eliminates the need for separate fax, data, phone, and video lines. However, because using a VPN involves heavy data crunching to encrypt traffic, and data typically traverses the public Internet, unpredictable delay and jitter can affect voice and video quality.

The term VPN actually defines two different concepts for virtual networks. To corporations, a VPN typically means encrypted traffic (using IPSec, IP Security) is tunneled through public IP networks. To service providers, VPN typically describes a tag-switching–based IP service, which does not involve encryption. This discussion focuses on IPSec-based VPNs.

The three types of VPN connectivity follow:

  • Site-to-site—Connects remote corporate locations to the corporate network. The remote site typically has multiple users sharing access to the corporate network.

  • Remote user—Individual users gain access to the corporate network over a dialup or broadband network. Also called a teleworker.

  • Extranet—Similar to site-to-site, except the VPN connects separate companies. Security concerns increase because both companies must protect their networks from each other.

Making Secure IPSec Connections Secure

Because they traverse public IP networks, VPNs introduce security considerations that were not necessary with private dial-in or WAN topologies. In general, providing security means encrypting corporate-bound traffic using secure authentication. For site-to-site VPNs, providing security means adding firewalls, intrusion detection, and NAT/PAT.

IPSec provides a way to manage encryption between multiple hosts using secure communications. Encrypting devices (such as routers or end-station PCs) inspect traffic ready to be transmitted. A set of rules on the device determines whether a particular packet must be encrypted. For example, a packet destined for the Internet can be left unencrypted, but a packet destined for the corporate network must be encrypted.
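The per-packet decision described above is what IPsec calls a security policy database (SPD) lookup. The following is an added example, not code from the original chapter: a toy SPD in which ordered rules with address, protocol and port selectors map each outgoing packet to BYPASS (send in the clear), PROTECT (encrypt toward a tunnel peer) or DISCARD. The addresses, rules and the HQ gateway 203.0.113.1 are constructed for illustration.

```python
"""Toy IPsec security policy database (SPD) lookup.

Added example, not from the original chapter. Shows how an encrypting
device decides, per packet, whether traffic is sent in the clear (BYPASS),
must be encrypted toward a tunnel peer (PROTECT), or is dropped (DISCARD).
All addresses and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src: str                    # source prefix selector
    dst: str                    # destination prefix selector
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    proto: Optional[str] = None # None means "any protocol"
    dport: Optional[int] = None # None means "any destination port"
    peer: Optional[str] = None  # tunnel endpoint, only meaningful for PROTECT

    def matches(self, pkt: Packet) -> bool:
        """True when every selector that is set on the rule fits the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Constructed policy for a branch router. 10.1.0.0/16 is the branch LAN,
# 10.0.0.0/8 is corporate address space, 203.0.113.1 is the HQ VPN gateway.
# Order matters: the first matching rule wins, so the specific DISCARD for
# telnet toward corporate must precede the broader PROTECT rule.
SPD = [
    Rule("10.1.0.0/16", "10.1.0.0/16", "BYPASS"),                       # local LAN
    Rule("10.1.0.0/16", "10.0.0.0/8", "DISCARD", proto="tcp", dport=23),  # no telnet to HQ
    Rule("10.1.0.0/16", "10.0.0.0/8", "PROTECT", peer="203.0.113.1"),   # corporate-bound
    Rule("10.1.0.0/16", "0.0.0.0/0", "BYPASS"),                         # Internet-bound
]

DEFAULT_ACTION = "DISCARD"      # anything not explicitly allowed is dropped


def lookup(spd, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, peer) for the first matching rule; unmatched traffic is discarded."""
    for rule in spd:
        if rule.matches(pkt):
            return rule.action, rule.peer
    return DEFAULT_ACTION, None


if __name__ == "__main__":
    samples = [
        Packet("10.1.2.3", "10.1.9.9", "tcp", 80),        # LAN to LAN
        Packet("10.1.2.3", "10.20.0.5", "tcp", 443),      # LAN to HQ
        Packet("10.1.2.3", "10.20.0.5", "tcp", 23),       # telnet to HQ
        Packet("10.1.2.3", "198.51.100.7", "udp", 53),    # LAN to Internet
        Packet("192.168.9.9", "10.20.0.5", "tcp", 443),   # unknown source
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, "=>", lookup(SPD, pkt))
```

The default-discard at the end is the conservative choice: a packet that matches no rule is more likely a misconfiguration than legitimate traffic, and silently bypassing it would leak corporate-bound data in the clear.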

If a packet is to be encrypted, the device scrambles the contents, rendering them unreadable. Different encryption algorithms determine how difficult an encrypted packet is to crack: an encryption scheme that is more difficult to decode by an intruder requires more computing cycles than one that is less difficult.

VPNs are point-to-point, meaning every connection has only two endpoints. A single device (such as a WAN aggregation router) can serve multiple remote sites and users, all terminating their connections on the one box, but there is still one connection (or tunnel) per pair of endpoints.

For each encrypted tunnel, the two endpoints must first authenticate each other and ensure that the other end is who it claims to be. In encryption terms, this means that each endpoint must establish a security association (SA) with the other. Essentially, this involves a trusted exchange of information between the two hosts that allows each to verify the identity of the other. This process is called Internet Key Exchange (IKE).

After both sides determine that the other side is who it claims to be and that they can trust each other, they can send encrypted data across the VPN.
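The two ingredients of an SA that the paragraphs above describe, an agreed secret and proof that the peer is who it claims to be, can be shown in a few dozen lines. The following is an added example and not an implementation of IKE nor code from the chapter: it combines a Diffie-Hellman exchange with a pre-shared-key (PSK) authentication tag over the exchange transcript, and derives a separate authentication key and traffic-encryption key from the result. The group parameters (P = 2**127 - 1, G = 5) are a constructed toy group chosen so the example runs instantly; real IKE uses standardized 2048-bit or larger MODP groups, and the endpoint names and PSK are likewise constructed.

```python
"""Simplified key agreement with pre-shared-key authentication.

Added example, not from the chapter and not IKE itself. It illustrates what
establishing a security association requires: both ends derive the same
secret, and each proves to the other that it holds the PSK before any
traffic key is trusted. Group parameters are a constructed toy group.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Toy Diffie-Hellman group (constructed for the example): 2**127-1 is prime
# but far too small for real use; IKE uses standardized 2048-bit+ groups.
P = 2**127 - 1
G = 5
SIZE = 16  # bytes needed to encode any value below P


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, used as the pseudo-random function for all derivations here."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Endpoint:
    """One end of the tunnel: holds its PSK and an ephemeral DH key pair."""

    def __init__(self, name: str, psk: bytes) -> None:
        self.name = name
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 1   # ephemeral private exponent
        self.pub = pow(G, self.priv, P)            # public value, sent in the clear
        self.k_auth = b""
        self.k_enc = b""

    def derive_keys(self, peer_pub: int) -> None:
        """Combine the DH result with the PSK, then split into auth and traffic keys."""
        shared = pow(peer_pub, self.priv, P).to_bytes(SIZE, "big")
        seed = prf(self.psk, shared)               # wrong PSK -> different seed
        self.k_auth = prf(seed, b"auth")           # authenticates this exchange
        self.k_enc = prf(seed, b"enc")             # would key the traffic encryption

    def prove(self, peer_pub: int) -> bytes:
        """Tag over (my name, my public value, peer public value); needs the same PSK."""
        transcript = (self.name.encode() + self.pub.to_bytes(SIZE, "big")
                      + peer_pub.to_bytes(SIZE, "big"))
        return prf(self.k_auth, transcript)

    def verify(self, peer_name: str, peer_pub: int, tag: bytes) -> bool:
        """Recompute the peer's expected tag and compare in constant time."""
        transcript = (peer_name.encode() + peer_pub.to_bytes(SIZE, "big")
                      + self.pub.to_bytes(SIZE, "big"))
        return hmac.compare_digest(prf(self.k_auth, transcript), tag)


def establish_sa(a: Endpoint, b: Endpoint) -> Optional[bytes]:
    """Run the exchange; return the agreed traffic key, or None if authentication fails."""
    # 1. Public DH values cross the network in the clear.
    a.derive_keys(b.pub)
    b.derive_keys(a.pub)
    # 2. Each side proves knowledge of the PSK over the transcript it saw.
    tag_a = a.prove(b.pub)
    tag_b = b.prove(a.pub)
    # 3. Neither side trusts the keys until the other's proof checks out.
    if not (a.verify(b.name, b.pub, tag_b) and b.verify(a.name, a.pub, tag_a)):
        return None
    assert a.k_enc == b.k_enc                       # both ends now share one SA key
    return a.k_enc


if __name__ == "__main__":
    psk = b"constructed-shared-secret"
    print("same PSK  :", establish_sa(Endpoint("branch", psk), Endpoint("hq", psk)) is not None)
    print("wrong PSK :", establish_sa(Endpoint("branch", psk), Endpoint("hq", b"wrong")))
```

Note that the public values and tags are the only things that cross the network; an observer who records them learns neither the traffic key (because of the DH exponentiation) nor the PSK (because it only enters through the keyed PRF). Binding both public values into the authenticated transcript is what stops a third party from substituting its own public value during the exchange.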

VPN: Establishing an IPSec Connection

Employees often need to connect to the corporate network from a remote location. IPSec provides a secure way to make these connections. This whiteboard illustration shows the process of establishing an IPSec connection.

Figure . VPN: Establishing an IPSec Connection