Virtual Private Networks An Economical Option for Broadband Connectivity

Upload: cecily-whitehead

Post on 26-Dec-2015


Virtual Private Networks

An Economical Option for Broadband Connectivity

Darin Dugan

[email protected]

Brian Webster

[email protected]

3

Agenda

Current ISU Extension network
Why do we need a Virtual Private Network?
What is a Virtual Private Network?
Types of VPNs, typical configurations
What ISU Extension has done
Lessons learned
Cost analysis
Conclusion

4

Current ISU Extension network

107 county and area offices
Frame-relay 56k links aggregated into 3 T1s
Bandwidth unchanged since 1994
Local file storage and network printing, managed centrally from ISU campus

5

Problems

Low speed
High cost

6

Solutions

Increase spending (funding)
Find alternative technologies

7

Increase spending

Increase state/federal appropriations
Pursue grants
Form strategic partnerships

Any way you cut it, this is a difficult thing to do

8

Alternative technologies

Broadband options are increasingly common
A connection to the Internet is probably less costly than a connection to your central site
How to manage effectively?

Virtual Private Networks

9

Why do we need a VPN?

Security
Remote management
Ability to “touch” workstations (reach them from the central site, not only the other way round)
Network identity (remote offices appear as part of the central-site network)
ISP service filtering and firewalls (traffic inside the tunnel is not subject to the ISP's port filtering)

10

What is a Virtual Private Network?

According to Webopedia.com: a network that is constructed by using public wires to connect nodes. For example … using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

11

What is a Virtual Private Network?

Uses a public network (the Internet)
Secured through encryption
Limited access
Logically acts like a traditional private network

12

Benefits

Connection-independent (DSL, cable, wireless, dial-up)
Comparable equipment cost
Secure: all data inside the tunnel is encrypted
Extend the network to anywhere

13

Typical VPN tunnel

IPSec
  3DES encryption
  Pre-shared keys

L2TP with IPSec
  3DES encryption
  Digital certificates
  Multi-protocol

PPTP
  MPPE encryption

Note for today's reader: 3DES, and especially PPTP with MPPE (whose MS-CHAP authentication is breakable), are no longer considered adequate; a current deployment would use IPSec with AES and IKEv2, with certificates or strong pre-shared keys.

14

Two types of VPNs

Remote-user
  Usually software-based
  Workstation to central site
  Best for roaming users

Remote-site
  Connect sites to each other
  Hardware- or software-based
  Best for entire office

15

Typical frame-relay network

[Diagram: Remote Office (Field), Central Site (Campus), Internet. The physical and logical paths are the same: the remote office reaches the central site over its frame-relay link.]

16

Typical Internet-connected network

[Diagram: Remote Office (Field), Central Site (Campus), Internet. The physical and logical paths are the same: both sites attach to the Internet, with no private path between them.]

17

Typical virtual private network

[Diagram: Remote Office (Field), Central Site (Campus), Internet. The logical path is a tunnel from the remote office to the central site; the physical path runs through the Internet.]

18

Split-tunneling

Two logical networks
  VPN tunnel to central site
  Direct to Internet (not tunneled)

Reduces bandwidth used at central site
Allows Internet access when central site is down
Could introduce security risks: the non-tunneled traffic bypasses the central-site firewall, policies, etc., and a remote host compromised from its direct Internet side still holds an open tunnel into the central network
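To make the split-tunnel trade-off concrete, here is a small routing-policy model, added for this transcript and not part of the original slides. It builds the remote-site routing table for both policies, resolves destinations by longest-prefix match the way the VPN device would, and lists which destinations never pass the central-site firewall. The prefixes are hypothetical (RFC 1918 and documentation ranges).

```python
"""Split-tunnel versus full-tunnel routing at a remote site.

Added example for this transcript, not from the original slides.
The prefixes below are hypothetical (RFC 1918 and documentation ranges).
"""
from ipaddress import ip_address, ip_network

# Hypothetical central-site networks that must be reached through the tunnel.
CAMPUS_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
DEFAULT_ROUTE = ip_network("0.0.0.0/0")


def build_table(split_tunnel):
    """Routing table of the remote-site VPN device as (prefix, path) pairs.

    Full tunnel: the default route points into the tunnel, so every packet
    is inspected by the central-site firewall.
    Split tunnel: only CAMPUS_PREFIXES use the tunnel; the default route
    goes straight to the ISP.
    """
    table = [(p, "tunnel") for p in CAMPUS_PREFIXES]
    table.append((DEFAULT_ROUTE, "direct" if split_tunnel else "tunnel"))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route decides the path."""
    dst = ip_address(dst)
    prefix, path = max(
        ((p, via) for p, via in table if dst in p),
        key=lambda entry: entry[0].prefixlen,
    )
    return path


def firewall_bypass(table, destinations):
    """Destinations whose traffic never passes the central-site firewall."""
    return [d for d in destinations if lookup(table, d) == "direct"]


if __name__ == "__main__":
    sample = ["10.1.2.3", "192.0.2.40", "198.51.100.7"]  # constructed destinations
    for split in (False, True):
        label = "split" if split else "full "
        print(label, "bypasses firewall for:", firewall_bypass(build_table(split), sample))
```

The check in `firewall_bypass` is the one to run against a proposed split-tunnel configuration: anything it returns is traffic the central-site policy will never see.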

19

Split-tunneled VPN

[Diagram: Remote Office (Field) with a tunnel to Central Site (Campus) and a separate direct path to the Internet.]

20

Equipment options

Software-based
  Linux, BSD, Windows 2000, etc
  Re/use commodity PC hardware
  Might perform double-duty as fileserver, etc

Hardware-based
  Dedicated system, “black box”
  Alcatel, Check Point, Cisco, Intel, Network Associates, SonicWALL, others

21

Hardware used

Cisco VPN devices
Familiar with Cisco brand
Most of ISU uses Cisco devices
State contract
Existing Cisco infrastructure

22

Hardware used – central site

Cisco VPN 3030 Concentrator
Hardware-based encryption
Up to 1500 simultaneous tunnels
Up to 50 Mbit encrypted throughput
Appliance-like functionality
Does not use Cisco IOS

23

Hardware used – remote sites

Cisco VPN 3002 Client
Hardware-based encryption
Up to 2 Mbit encrypted throughput
Appliance-like functionality
Does not use Cisco IOS
Two modes:
  Client mode: uses NAT to hide the LAN (hosts behind the 3002 share its tunnel address, so the central site cannot initiate connections to them)
  Network Extension Mode: the LAN keeps its own addresses and is fully routable from the central site
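The difference between the two modes decides whether the "ability to touch workstations" from the agenda is actually available. The following model, added for this transcript and not Cisco code or the original slides, keeps only what matters for reachability: in client mode the device holds a port-translation table that is populated by outbound traffic, so a connection the central site initiates toward a LAN workstation has no entry to match; in Network Extension Mode the LAN address itself is routable. Addresses are constructed (RFC 1918 and documentation ranges).

```python
"""Client mode (NAT) versus Network Extension Mode on a remote-site VPN device.

Added example for this transcript, not Cisco code or the original slides.
Addresses are constructed (RFC 1918 and documentation ranges); the model
keeps only what matters for reachability: a port-translation table.
"""
from ipaddress import ip_address, ip_network
from itertools import count

REMOTE_LAN = ip_network("192.168.50.0/24")   # hypothetical field-office LAN


class VpnDevice:
    def __init__(self, mode, tunnel_ip):
        if mode not in ("client", "nem"):
            raise ValueError("mode must be 'client' or 'nem'")
        self.mode = mode
        self.tunnel_ip = tunnel_ip          # address the device holds inside the tunnel
        self.nat_table = {}                 # (tunnel_ip, ext_port) -> (lan_ip, lan_port)
        self._ports = count(10000)          # next free translated port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A LAN host opens a connection toward the central site.
        Returns (src, sport, dst, dport) as the central site sees it."""
        if self.mode == "nem":
            # LAN addresses are routed end to end; nothing is rewritten.
            return (src_ip, src_port, dst_ip, dst_port)
        ext_port = next(self._ports)
        self.nat_table[(self.tunnel_ip, ext_port)] = (src_ip, src_port)
        return (self.tunnel_ip, ext_port, dst_ip, dst_port)

    def inbound(self, dst_ip, dst_port):
        """The central site sends a packet to dst_ip:dst_port through the
        tunnel (a reply, or a management session it initiated).
        Returns the LAN host that receives it, or None if undeliverable."""
        if self.mode == "nem":
            return dst_ip if ip_address(dst_ip) in REMOTE_LAN else None
        # Client mode: only mappings created by earlier outbound traffic exist,
        # so an unsolicited connection to a LAN workstation has nowhere to go.
        mapping = self.nat_table.get((dst_ip, dst_port))
        return mapping[0] if mapping else None


if __name__ == "__main__":
    for mode in ("client", "nem"):
        dev = VpnDevice(mode, "10.9.9.1")
        dev.outbound("192.168.50.10", 40000, "10.0.0.1", 445)   # workstation opens a file share
        print(mode, "management session to 192.168.50.10:3389 reaches:",
              dev.inbound("192.168.50.10", 3389))
```

Run it and client mode prints `None` for the management session while Network Extension Mode delivers it to the workstation, which is why the mode choice is a remote-management decision, not only an addressing one.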

24

Real-world testing

Positive results
  DSL, cable, wireless, dial-up
  About 10% overhead
  Two active pilots: DSL (over three months), wireless (over four months)

Negative results
  Satellite
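The "about 10% overhead" figure is a measurement; where it comes from can be worked out from the ESP packet layout. The calculation below is added for this transcript and is not from the original slides: it computes the on-the-wire size of a packet carried in an IPSec ESP tunnel with 3DES-CBC and HMAC-SHA1-96 (the suite named on the "Typical VPN tunnel" slide), the resulting overhead for small and large packets, and the largest inner packet that still fits a 1500-byte access link without fragmentation. Field sizes follow the ESP format; the packet sizes and the 7:4:1 size mix are constructed, not measured.

```python
"""Per-packet overhead of an IPsec ESP tunnel using 3DES-CBC with HMAC-SHA1-96,
the cipher suite named on the "Typical VPN tunnel" slide.

Added example for this transcript, not from the original slides. Field sizes
follow the ESP format (RFC 2406) and standard 3DES/HMAC-SHA1 parameters; the
packet sizes and the 7:4:1 size mix used below are constructed, not measured.
"""
OUTER_IP = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8     # SPI (4 bytes) + sequence number (4 bytes)
IV = 8          # 3DES-CBC initialisation vector (one cipher block)
TRAILER = 2     # pad length + next header
ICV = 12        # HMAC-SHA1-96 authenticator
BLOCK = 8       # CBC block size the ciphertext must be padded to
UDP_HDR = 8     # extra header when ESP is encapsulated in UDP (NAT traversal)


def esp_tunnel_size(inner_len, nat_t=False):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    body = inner_len + TRAILER
    padding = (-body) % BLOCK          # pad up to a whole cipher block
    size = OUTER_IP + ESP_HDR + IV + body + padding + ICV
    return size + UDP_HDR if nat_t else size


def overhead_pct(inner_len, nat_t=False):
    """Encapsulation overhead as a percentage of the inner packet size."""
    return 100.0 * (esp_tunnel_size(inner_len, nat_t) - inner_len) / inner_len


def average_overhead(mix, nat_t=False):
    """Overhead for a traffic mix given as (inner_len, packet_count) pairs."""
    inner = sum(n * c for n, c in mix)
    wire = sum(esp_tunnel_size(n, nat_t) * c for n, c in mix)
    return 100.0 * (wire - inner) / inner


def fragments_needed(inner_len, link_mtu=1500, nat_t=False):
    """True if the encapsulated packet no longer fits the access-link MTU."""
    return esp_tunnel_size(inner_len, nat_t) > link_mtu


def max_inner_mtu(link_mtu=1500, nat_t=False):
    """Largest inner packet that fits link_mtu after encapsulation; set this
    (or a TCP MSS derived from it) on the LAN side to avoid fragmentation."""
    n = link_mtu
    while esp_tunnel_size(n, nat_t) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for n in (40, 576, 1500):
        print(f"{n:5d} -> {esp_tunnel_size(n):5d} bytes ({overhead_pct(n):5.1f}% overhead)")
    mix = [(40, 7), (576, 4), (1500, 1)]   # constructed size mix
    print("mixed traffic (7:4:1 of 40/576/1500):", round(average_overhead(mix), 1), "%")
    print("largest inner packet for a 1500-byte link:", max_inner_mtu())
```

The per-packet overhead is fixed at a few dozen bytes, so the percentage is small for full-size packets and large for small ones; the measured figure depends on the traffic mix. The MTU result is the practical point: a full 1500-byte packet no longer fits the access link once encapsulated, so without an MSS clamp or a smaller LAN-side MTU every large packet is fragmented.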

25

Lessons learned – VPN 3000 series

Easy to set up and configure
Reliability depends on service
Works well for both site-to-site and remote-user tunnels
Appliance-like functionality
Not as flexible as some other products
Does not properly support split-tunneling

26

Other Cisco hardware choices

1710 or 1720 for remote sites
  Most flexible
  Uses Cisco IOS
  Up to 4 Mbit encrypted throughput

3600, 7100 or 7200 series for central site
  Most flexible
  Uses Cisco IOS
  Multi-purpose

27

Cost Analysis

Frame-relay 56 Kbit service
Line charges: $275k per year
Average $2570 per office per year
Average $214 per office per month
Remote site hardware: $1500 (each, approx.)

28

Cost Analysis

Virtual Private Network (actual example)

768/512 Kbit DSL service
$99.95 per office per month
$1200 per office per year
20 service locations
Remote site hardware: $900 (each, approx.)

29

Cost Analysis

Line cost savings: $2570 - $1200 = $1370 per office per year

Hardware cost: $1370 - $900 = $470 still saved in the first year, so the remote-site hardware pays for itself within the first year

Bandwidth dramatically increased (56 Kbit frame relay to 768/512 Kbit DSL)

After the first year, saves $25k+ per year (20 offices x $1370 = $27,400)

30

More information

VPN Concepts
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/vpnmon/1_x/1_0/using/vpnmcon.htm

Virtual Private Network Consortium
http://www.vpnc.org

Introduction to IPSec
http://www.cisco.com/warp/public/105/IPSECpart1.html

Various whitepapers
http://directory.google.com/Top/Computers/Security/Virtual_Private_Networks/Whitepapers/

31

Questions

Darin Dugan

[email protected]

Brian Webster

[email protected]