Understanding VPN Connectivity
- Describe different methods for connecting to a WAN
Anyone who has ever set up a private point-to-point WAN link between two offices can probably attest to some of the challenges: long wait times (it can take months to get a private line installed), high monthly costs, and technical issues between your equipment and the carrier. On the other hand, Internet connections are relatively inexpensive and typically faster to install. These are just a few of the reasons why VPN connectivity has become so popular. As I just mentioned, VPN connectivity allows any location that has Internet connectivity to bring up a virtual private line between locations, allowing true any-to-any connectivity, as shown in Figure 24.1.
The focus of most of this chapter is the “private” piece of the VPN acronym. For the VPN to be considered a secure means of transferring data, that data must be heavily encrypted.
FIGURE 24.1 VPN topology
VPN Benefits and Considerations
We have already discussed some of the benefits of VPN connectivity. Here is a list of all the benefits of using VPN connections over private lines:
- Cost savings: Internet connectivity is considerably cheaper than private-line connections. Likewise, a corporation could use a single Internet connection to communicate with many branch offices using VPN technology. In the private-line arena, each of the branch office connections would be a recurring monthly cost.
- Remote-access connections: If a corporation used only private-line connections, mobile workers and telecommuters would be limited to dialup technology to obtain remote access to the company. Dialup is considered extremely slow by today’s standards. Many newer computers no longer feature preinstalled modems.
- Scalability: VPN connections allow the company to grow to add new locations without adding significant infrastructure considerations.
Be sure to understand the benefits of VPN connectivity over leased-line connections.
Looking at this list of benefits, it may seem like a no-brainer to choose VPN connections over other styles of WAN connectivity. Unfortunately, there is no perfect WAN connection, and VPN has its share of drawbacks:
- Higher overhead: Because of the significant amount of encryption that must be performed on all data sent over the VPN, VPN technology does cause more overhead than a traditional WAN link. This can manifest itself in many ways: the processor and memory utilization of your router or firewall will increase, more delay in sending and receiving packets, and more overhead in the header of each packet sent.
- Varying service levels: Because the Internet is considered the “network of networks,” there is no guarantee when sending and receiving data. Although the Internet has been proven time and time again to be stable and resilient, a downstream ISP failure can cause your data to reroute through a slower connection, causing varying service levels. This makes deploying real-time applications such as voice and video over IP a challenge.
- Security considerations: Although varying levels of encryption and authentication can be applied to your VPN connection(s), the data is still being sent over a public network. Some high-security organizations may find this risk unacceptable.
Types of VPNs
VPN connections come in two major genres: site-to-site and remote-access VPNs. Let’s talk about each of these individually.
Site-to-site VPNs are the direct replacement for private-line WAN connections. They allow offices to maintain permanent or semipermanent connections between each other through the Internet, as shown in Figure 24.2.
FIGURE 24.2 Site-to-site VPN technology
One of the first things you’ll notice when you look at Figure 24.2 is that VPN connections are commonly represented by a tunnel. That picture has even moved into common IT lingo. You’ll hear things like “The VPN tunnel is down” and “Our VPN tunnel uses AES encryption.” This terminology comes from the concepts behind the VPN; these connection types create a logical tunnel through the Internet. From the perspective of the internal user, she is unable to see any of the devices that the data passes through on the Internet. Likewise, the Internet cannot see any of the data contained on the inside of the tunnel; it is all encrypted. This effectively simulates a private-line feel between the two (or more) offices.
I mentioned that the VPN connection can be permanent or semipermanent. This is really up to the network administrator. The benefit of using a permanent VPN connection is the “always there” feeling. When you transmit data between the two locations, it immediately passes through without delay. The drawback of this connection is that router or firewall resources are always being consumed to maintain the VPN connection. Semipermanent connections are an “on-demand” style of VPN. When the VPN is needed, the router or firewall establishes the VPN connection. When the VPN is no longer required (data is no longer attempting to pass between offices), the router or firewall tears down the tunnel. Because the router or firewall does not need to maintain idle VPN connections, a semipermanent connection allows you to maximize your resources. On the flip side, VPN connections take a moment to establish when data needs to be transmitted. This may result in the initial connection attempt between offices experiencing delay or failure while the VPN tunnel is formed.
Remote-access VPNs typically are used to allow telecommuting or mobile workers to connect to the corporate network from home or hotel-like locations, as shown in Figure 24.3.
FIGURE 24.3 Remote-access VPN technology.
Remote-access VPNs are always on-demand in nature rather than being a permanent connection. When a user wants to connect, he typically opens VPN software installed on his laptop by an administrator. After selecting the VPN connection he wants to use and clicking a connect button, he is be prompted for his user credentials. This can range from a simple username
and password to a token-based system requiring a credit card-style device that generates a password that is valid for only 60 seconds. (This can get into some very cool security stuff, but we won’t go there yet.)
Remote-access VPNs (and even some site-to-site VPNs) are configured through a system Cisco calls Cisco Easy VPN. If you look at the command-line configuration of an Easy VPN device (which is well beyond the CCNA), you quickly realize that it’s anything but easy to set up. Cisco calls this configuration Easy VPN because the VPN client (called the Easy VPN Remote device) requires very little configuration. Just about all of the setup is done on the Easy VPN Server. When the Easy VPN Remote client connects, the Easy VPN Server chooses the type of encryption, authentication, and other settings that the VPN tunnel will use and transmits those settings to the Easy VPN Remote device. Easy, right? At least from the client perspective. The Easy VPN Server requires quite a bit of configuration for this to work correctly.
Within the last few years, a new style of remote-access VPN connection has emerged, called an SSL (Secure Socket Layer) VPN. Many people call this a WebVPN or clientless VPN connection. Here’s the concept: We have long used security for websites. Any site you connect to using the https://sitename string uses the SSL protocol to create a secure, encrypted session. When using an SSL VPN connection, the remote-access client accesses a secure web page, managed by your Cisco router or firewall and is prompted for a username and password. As soon as the client successfully authenticates, the web page turns into a type of portal that allows a VPN-style connection as long as the web page remains open. This phenomenal new type of connection allows you to have remote-access VPN clients without the need to install client software or have extensive training teaching remote users how to use the VPN connection. The SSL VPN comes in two forms:
- Clientless: The purely clientless SSL VPN connection allows you to create a web page listing the resources that the user can access after he or she has successfully authenticated to the VPN. For example, the user would connect, enter his or her username and password, and be redirected to a web page with links to all the common resources the user could access. The clientless VPN does not allow users to use applications on their own PC over the VPN.
- Thin client: The thin-client form of the SSL VPN asks to install an ActiveX- or Javabased plug-in after the user has successfully authenticated to the VPN. This plug-in allows other applications (only TCP-based applications at this time) to run from the user’s PC across the VPN. An example of this connection type in action goes something like this: The user opens the SSL VPN web page in her browser and is prompted for a username and password.
After she enters the correct authentication credentials, the web page asks the user if she wants to install the thin client. If she accepts this request, a small program downloads and runs. Depending on how you (as the network administrator) structure the SSL VPN, the web page can then redirect to a “quick link” page with access to many of the common resources inside the network. You could also just have the web page redirect to a “Connection Successful” message. The user can now open TCP-based applications (such as email or web browsing, to name a couple) and access servers located at the corporate office through the VPN.
Let me mention off the CCNA record that I believe this new SSL VPN connection will be the “wave of the future” in regards to remote-access VPNs. Cisco has already released a new implementation called the Cisco Secure Desktop. Check this out: When the thin client downloads to the user’s PC, it also installs a “secure desktop” system that takes over the user’s Windows desktop environment. The thin client tracks any files that the user downloads from the corporate office. When the user disconnects from the VPN, all the secure corporate files are removed from her PC (they literally disappear)! When the user reconnects to the VPN, the SSL VPN thin client automatically replaces all the files that the user previously had on her PC, in the respective locations. Isn’t that amazing? The secure desktop system ensures that if the end user’s PC is stolen or compromised (such as by a worm or virus), the corporate data will be inaccessible. Nice.
Be sure to understand the difference between site-to-site and remote-access VPN connectivity.
The Pieces That Make a VPN Tick
- Describe VPN technology (including: importance, benefits, role, impact, components)
To run a VPN connection, you must have a router or firewall that supports VPN connectivity (such as the Cisco ISR or ASA Firewall) and a VPN client (only if you are deploying a remote-access VPN).
Most of the modern business-class routers manufactured by Cisco are considered Integrated Services Routers (ISRs). These routers are designed to fill multiple roles in a network, one of which is managing site-to-site and remote-access VPN connectivity. However, to support VPNs, you may need to upgrade the IOS version that the router is running to a version that
supports security features. Cisco also supports the ASA Firewall (previously known as the PIX Firewall).
The ASA firewall is designed to handle many security aspects of the network and supports both site-to-site and remote-access VPN connections. Depending on the size and needs of your business, you can choose one or both product lines. ISRs are designed to handle routing as their primary function (which they do quite well) and handle VPNs as a secondary function (which they do fairly well). The ASA is designed to handle VPNs and other firewall processes as its primary function (which it does quite well) and routing as a secondary function (which it does fairly well).
If you are managing a site-to-site connection, two routers or two ASA firewalls are all that will be required. If you are managing remote-access VPN connections, you will also need to consider a VPN client. These clients can come in many forms:
- Cisco VPN client: If you purchase a Cisco SmartNET agreement (Cisco’s fancy name for an extended support and warranty agreement) with your ISR router or ASA firewall, you can download the latest versions of the Cisco VPN client. This provides the most compatibility (supports many features) when used with the Cisco VPN solution. For example, you can enable a VPN-triggered firewall that begins working as soon as the user connects to the VPN. This firewall can protect the client from being compromised by Internet-based attacks while connected to the VPN. When the user disconnects from the VPN, the firewall disables itself to allow unfiltered Internet and local network access. The rules of this firewall can be controlled by the Cisco administrator (that’s you!).
- Certicom client: The Certicom client is a widely supported VPN client that can be installed on portable devices such as a PDA. This allows the user to connect to the corporate VPN from the PDA device and perform tasks such as checking corporate email.
- Cisco VPN 3002 hardware client: You can install this lower-cost device in a small office/home office (SOHO) environment. It establishes on-demand VPN connections when data that needs to cross the VPN is sent. This can be done without installing any software on the client PCs or requiring extra training on the use of VPN software. Although this product is considered end of life (EOL—no longer manufactured by Cisco), other products like this are manufactured by third-party companies that are compatible with the Cisco VPN solution.
- Third-party IPsec VPN software: The industry-standard IPsec protocol is supported in many other VPN clients. So, if you or your company has purchased some other non-Cisco, IPsec-compatible VPN software, chances are you can make it work with the Cisco VPN solution. It may just take a little more work!