Private Use of Public Networks for Service Providers
T e c h n i c a l P a p e r
New Standards-Based Virtual Private Networks
Offer Business Opportunities and Improved
Return on Assets
1
Private Use of Public Networks for ServiceProviders
New Standards-Based Virtual Private Networks Offer Business Opportunitiesand Improved Return on Assets
Contents
Why VPNs Mean Opportunity 2
What Is a VPN? 2
Service-Focused ISPs: Moving Toward More Profitable Business Models 3
Dial Access Outsourcing 4
Virtual Leased Lines 5
Virtual POPs 6
Capital-Intensive NSPs: Improving Return on Investment While Expanding Business 7
Dial Access Outsourcing 7
Access and Value-Added Service Mix 8
How VPNs Work 9
VPN Protocols 9
VPN Security 11
Microsoft Point-to-Point Encryption (MPPE) 11
Secure IP (IPsec) 11
Tunnel Switching: More Business Models and Service Delivery 14
VPN Management 15
3Com VPN Solutions 15
3Com Solutions for NSPs 16
3Com Solutions for Enterprises 16
Conclusion 17
Private Use of Public Networks forService Providers
New Standards-Based Virtual Private NetworksOffer Business Opportunities and ImprovedReturn on Assets
Virtual private networks (VPNs) offer solutionsto some of todayÕs most critical networkingchallenges. Many Internet service providers(ISPs) are looking to shift the focus of theirbusiness from commodity-priced access tohigher-margin value-added services for corpo-rations. Serving the needs of corporate clients,however, may require expanding capacity andgeographic coverage. VPNs are an opportu-nity to add new services and expand reachwhile avoiding major capital investments andfacilities negotiations.
Some larger ISPs as well as other types ofnetwork service providers (NSPs) already ownsignificant infrastructure and are continuing toinvest in it. VPNs offer them the opportunity toimprove asset utilization and return on invest-ment by leasing available capacity to otherproviders. These facility-owning service pro-viders can generate new streams of revenuethat can help justify expansion costs. For thosecompanies whose business plans call forexpansion of both infrastructure and services,leased facilities can be a means of acceleratingcoverage, broadening services, and generatingrevenues to support new service development.
This paper describes how VPNs based onindustry-standard secure tunneling are pro-viding solutions for growth and improvedreturn on investment. It describes and dia-grams some of the most popular VPN applica-tions. It explains VPN technology, includingtunnel components and industry standards fortunneling and tunnel-based security. It intro-duces tunnel switching and the advantages itoffers for more flexible NSP service-level han-dling of tunneled traffic as well as mutuallybeneficial partnerships between service pro-viders. The paper closes by discussing 3ComVPN solutions and their advantages.
Why VPNs Mean OpportunityVPNs enable ISPs and NSPs to use theInternet or their own IP backbones to provide
enterprises with remote access and branch con-nectivity services. The benefits to enterprisesinclude dramatically lower costs, reduced man-agement and end user support requirements,and increased strategic flexibility. The benefitsto service providers include opportunities togrow the business by offering a variety ofvalue-added services, to grow customer baseand geographic range, and to increase returnon assets.
The VPN market is growing rapidly.Infonetics Research1 predicts that the marketwill increase at an annual rate of over 100 per-cent through 2001, when it will reach nearly$12 billion. They report that 92 percent oflarge ISPs and 60 percent of all ISPs plan tooffer value-added VPN services by mid-1998.
What Is a VPN?A VPN is a connection that has the appearanceand many of the advantages of a dedicated linkbut occurs over a shared network.
Using a technique called Òtunneling,Ó datapackets are transmitted across a public routednetwork, such as the Internet or other commer-cially available network, in a private ÒtunnelÓthat simulates a point-to-point connection. Thisapproach enables network traffic from manysources to travel via separate tunnels across thesame infrastructure. It allows network proto-cols to traverse incompatible infrastructures. Italso enables traffic from many sources to bedifferentiated, so that it can be directed to spe-cific destinations and receive specific levels ofservice.
The basic components of a tunnel are: ¥ A tunnel initiator (TI)¥ A routed network¥ An optional tunnel switch¥ One or more tunnel terminators (TT)
Tunnel initiation and termination can beperformed by a variety of network devices andsoftware (Figure 1). A tunnel could be started,for example, by a VPN-enabled access concen-trator at an ISP point of presence (POP). Itcould also be started by a VPN-enabled accessrouter on an enterprise branch or home office
2
1. ÒVirtual Private Networks,Ó Infonetics Research,1997.
Acronyms andAbbreviations
CHAPChallenge HandshakeAuthentication Protocol
CPEcustomer premises equipment
DESData Encryption Standard
IPsecSecure IP
ISAKMPInternet Security AssociationKey Managment Protocol
ISDNIntegrated Services DigitalNetwork
ISPInternet service provider
L2FLayer 2 Forwarding
L2TPLayer 2 Tunneling Protocol
MPPEMicrosoft Point-to-PointEncryption
NSPnetwork service provider
POPpoint of presence
PPPPoint-to-Point Protocol
LAN, or by an end userÕs laptop equipped withan analog PC modem card and VPN-enableddial-up software (basic tunneling and securitycapabilities are bundled into Windows 95 andWindows NT 4.0). A tunnel could be ended bya VPN gateway on an ISPÕs or NSPÕs networkaccess router or by a tunnel terminator orswitch on an enterprise network.
In addition, there will usually be one ormore security servers. Along with the conven-tional application of firewalls and addresstranslation, VPNs can provide for data encryp-tion, authentication, and authorization.Tunneling devices perform these functions bycommunicating with security servers. Suchservers also usually provide information onbandwidth, tunnel end points, and, in somecases, network policy information and servicelevels.
VPN capabilities can be added to existingnetworking equipment through a software orboard-level upgrade. Once installed, the capa-bility can be used for multiple VPN applica-tions, each delivering substantial cost and/orrevenue benefits.
Service-Focused ISPs: Moving Toward MoreProfitable Business ModelsISPs face fierce competition in a low-marginbusiness based on flat-rate retail pricingmodels. To stay in business, increase prof-itability, and grow, many providers are tryingto rise above the commodity market byoffering higher-margin value-added services toenterprises.
Since the connectivity needs of corpora-tions are rarely confined to local areas, thisstrategy usually means expanding geographicreach. Faced with the cost of building out theirnetworks and the need to move quickly, ISPsare looking for ways to expand services andreach without adding to infrastructure.
VPNs provide answers to these growthissues. They allow ISPs to differentiate them-selves in a crowded marketplace by focusingon the service side of the business, capitalizingon their knowledge of customer needs. ¥ Value-added services. VPNs open up a
myriad of possibilities for offering newInternet-based services that can help torelieve margin pressures. By using theirexisting infrastructure to provide not onlyInternet access but remote access out-sourcing and branch office connectivity,ISPs can generate new revenue streamsand improve returns on their facilitiesinvestments.
VPN technology also enables ISPs todifferentiate traffic from various customersand even to differentiate traffic from varioususers within a customer account, making itpossible to apply a prenegotiated Quality ofService (QoS) agreement. High-prioritytraffic, for example, could be directed overthe NSPÕs own backbone, where it can guar-antee speed and reliability, instead of ontoits Internet gateway. And ISPs can also
3
Access concentrator
at an NSP POP
Tunnel initiator
Tunnel terminator
Tunnel
Tunnel termination device
or tunnel switch on
enterprise network
VPN gateway
on NSP network
Extranet router on
a branch LAN
Dial-up software on
an end user laptop
Shared routed
network
Figure 1. VPN Components
Acronyms andAbbreviations
PPTPPoint-to-Point TunnelingProtocol
PSTNpublic switched telephonenetwork
QoSQuality of Service
RADIUSRemote Authorization Dial-InUser Service
SMDSSwitched Multimegabit DataService
TItunnel initiator
TTtunnel terminator
VLLvirtual leased line
VPNvirtual private network
VPOPvirtual point of presence
VTPVirtual Tunneling Protocol
capture tunnel user information for inputinto their itemized billing systems.
¥ Geographic expansion without capitalinvestment. Tunneling enables ISPs toexpand geographic coverage on an as-needed basis by establishing virtual points ofpresence (VPOPs). VPOPs can be set up bypurchasing VPN services from dial accessoutsourcers or other ISPs with availablecapacity. This arrangement is entirely trans-parent to customers, who connect to theirNSP in the normal way. VPN-basedaccounting mechanisms enable ISPs to pro-vide accurate end-to-end billing even thoughpart of the route is over someone elseÕsnetwork.
VPNs offer service-focused ISPs andNSPs the opportunity to provide value-addedservices and economical geographic expansionby deploying three applications of VPNs: dialaccess outsourcing, virtual leased lines, and/orvirtual points of presence.
Dial Access OutsourcingBy offering enterprises an easy way to respondto growing demand for remote access, ISPscan build a high-margin business in value-added service while increasing the return onowned or leased network facilities. The marketfor this service is likely to grow rapidly ascompanies realize that outsourcing enablesthem to achieve a scalable, manageable solu-tion while reducing line charges and equipment
costs, and eliminating the need to devote theirown technical staff to supporting remote users.
In this type of VPN, an access concen-trator at the ISPÕs POP is the tunnel initiator.The tunnel terminator can vary depending oncustomer needs. Where the enterprise customeris using a VPN-enabled router to connect tothe ISP, the tunnel can extend to the enterprisenetwork (Figure 2). A customer premisestunnel termination device or tunnel switchends the tunnel. Because tunnels carry withthem information about the end user, the enter-prise has the opportunity to control userauthentication and network access. Most com-panies will choose to do so. The advantage toISPs is that their job is simply delivering tun-nels, and they donÕt have to be involved in net-work access issues.
Some customers will want to continueusing their existing Frame Relay connectionwithout a VPN upgrade (Figure 3). In thiscase, the tunnel termination device is a FrameRelay gateway at the edge of an NSPÕs net-work. The gateway extracts packets from thetunnel and sends them over the Frame Relaycircuit to the enterprise. Because tunnel termi-nation is the last point where remote user infor-mation is available, the NSP must handle userauthentication on behalf of the enterprise.
4
Security
server
Security
server
Mobile or
telecommuting user
Branch LAN
ISP backbone
Internet or
NSP IP backbone
PSTNOutsourcer’s
POP
Outsourcer’s
POP
VPOP
ingress router
PSTN
Tunnel switch
To enterprise
VPN customer
Figure 2. Dial Access Outsourcing for NSPs
Typically, the NSPÕs tunnel termination devicewill perform this service by interfacing withthe customerÕs security server.
Virtual Leased LinesNSPs that currently offer branch connectivityover their own value-added IP networks canuse VPNs to simplify network management
and reduce the cost of providing this service toenterprise customers (Figure 4). VPNs, forexample, eliminate the need to segregate eachenterprise customerÕs traffic and manage loadson that portion of the network. Traffic from allenterprise customers can travel the same net-work in separate tunnels. NSPs, as a result, canleverage their IP networks across a growingcustomer base without creating a corre-sponding increase in network complexity.
5
Security
server
NSP network
Enterprise network
VPOP ingress
router
Security
server
Frame Relay
network
Gateway
Security
server
Mobile or
telecommuting user
Branch LAN
NSP POPs
Remote branches
and employees Internet or
NSP IP backbone
PSTNAccess
concentrator
Access
concentratorPSTN
Figure 3. Dial Access Outsourcing Using a VPN Gateway
Security
server
VPN-enabled
branch extranet router
Branches
NSP providing Internet access
or other IP network service
Enterprise central site
VPN-enabled
branch extranet router
Internet or
NSP’s IP
network
POP
POP
Tunnel terminator or tunnel switch
at enterprise firewall
Figure 4. Virtual Leased Lines
They also have the option of expanding theirservice tier structure by offering branch con-nectivity over the Internet to customers withless demanding requirements for network per-formance and guarantee of service.
ISPs as well as NSPs that do not currentlyoffer branch connectivity services can nowenter the market without having to make thecapital investment to build out their own IPnetwork. The service provider simply tunnelstraffic between customersÕ branch offices overthe Internet.
In virtual leased lines (VLLs), tunnels areinitiated and terminated by VPN-enabledrouters at the customer premises. The serviceprovider can be responsible for just the band-width or it can offer a turnkey VLL package,including the installation and management ofcustomer premises equipment (CPE).
Virtual POPsISPs with business plans that call for invest-ment in services rather than infrastructure can
still expand their geographic reach by leasingVPOPs. Dial access outsourcers can receivecalls at their POPs and then, based on userinformation, forward the traffic over a VPN tothe ISP (Figure 5). Users never know this ishappening; as far as theyÕre concerned, theyÕvedialed into the ISPÕs POP.
The combination of VPOPs and VPNsmeans that even small ISPs have the opportu-nity to participate on a national and even inter-national scale in the growing markets forremote access outsourcing and branch inter-connectivity. As shown in the next section,even ISPs that donÕt have tunneling-enabledequipment can take advantage of VPOPs toexpand their customer base for Internet accessonly.
In this type of VPN application, an accessconcentrator at the dial access outsourcerÕs POPstarts the tunnel. Where the tunnel ends andwhat type of device performs the terminationdetermine how wide a range of services the
6
Benefits: Remote Access Outsourcing• Shift focus of business to higher-margin
value-added services• Increase rate of return on existing network
facilities• Provide service through customers’ existing
WAN interfaces as well as through tunneling-enabled upgraded devices
• Offer turnkey solution option, including CPEprovisioning and management
Benefits: Virtual Leased Lines• Leverage existing IP network over larger
customer base while keeping managementsimple and costs low
• Offer Internet-based branch connectivity• Expand value-added service offerings• Provide turnkey solutions, including CPE
installation and management
VPOP
ISP #1 dial-up
customer
PSTN
Security
serverGateway Legacy
router
ISP #2
backbone
Security
server
Wholesaler's
IP backbone
Frame Relay
network
Tunnel
terminator
ISP #1
backbone
Internet
Internet
Security
server
Figure 5. Virtual POP
ISP can provide to traffic coming in overVPOPs.
If the ISP is not using VPN-enabledequipment to connect to its dial access out-sourcer, the VPN must end at the edge of theoutsourcerÕs network. The outsourcerÕs gate-way terminates the tunnel and forwards thepackets over a Frame Relay circuit to the ISPÕsnetwork. The ISP can then direct the packetsonto the Internet.
If the ISP is using VPN-enabled equip-ment to connect to its dial access outsourcer,the VPN can extend to the ISPÕs network. Inthat case, a tunnel termination device or tunnelswitch ends the tunnel, removes the packets,and directs them onto the Internet.
If the device that terminates the tunnelcoming in from the outsourcer is a tunnelswitch, the ISP gains even more advantages(Figure 6). The tunnel switch can not only endthe incoming tunnel but can create a newtunnel to direct the traffic over the Internet to aparticular enterprise customer. As a result, the
ISP can offer customers coming in over VPOPsthe same range of value-added services it offersto customers coming in over its own POPs.
Service providers can deploy any numberof these VPN applications over a single net-work infrastructure, increasing return on theirowned and leased facilities. For technicalinformation about how VPNs work, pleaseturn to page 9.
Capital-Intensive NSPs: Improving Return onInvestment While Expanding BusinessNSPs that have built large network infrastruc-tures have made costly investments. VPNsoffer these providers the means to increasereturn on their investments by selling wholesaleaccess to other NSPs, by providing value-added services to enterprises, or by a combina-tion of these strategies.
Dial Access OutsourcingVPNs create a market for leasing networkcapacity, enabling NSPs with available infra-structure capacity to improve asset utilizationand leverage investments across the trafficflows of other service providers (Figure 7 onpage 8). Depending on their business focus,providers can launch dial access outsourcing
7
Benefits: Virtual POPs• Rapidly expand geographic reach without
capital investment• Meet the demands of corporate customers for
national or international coverage• Ensure total transparency to customer base
Additional Benefits with Tunnel Switching• Offer customers coming in over virtual POPs a
full range of value-added services
Internet
ISP POPISP POP
access concentrator
access concentrator
with tunnel switch
with tunnel switchISP POP
access concentrator
with tunnel switchWholesalers IP backbone
Wholesalers IP backboneISPISP’’s IP backbone
s IP backbone
Wholesaler‘s IP backboneISP’s IP backbone
VPOP
ISP dial-up
customer
ISP dial-up
customerPSTN
Security
server
Security
server
Figure 6. Virtual POP with Tunnel Switching
businesses or remain primarily in retail accessand service while helping to finance expansionby occasionally leasing access to selected busi-ness partners. In either case, outsourcers canoffer VPN services to multiple ISPs whilekeeping traffic for each ISP independent fromthe others and from traffic generated by theoutsourcerÕs own enterprise customers.
In this type of VPN, tunnels are started byan access concentrator at the dial accessoutsourcerÕs POP. The outsourcer provideseach ISP customer with one or more telephonenumbers. When calls come into the POP,based on the number the user dialed or otheruser identification information, the TI creates atunnel to the appropriate ISP.
If the ISP is not using VPN-enabledequipment to connect to the dial access out-sourcer, the VPN must end at the edge of the
outsourcerÕs network. The outsourcerÕsgateway terminates the tunnel and forwards thepackets over a Frame Relay circuit to the ISPÕsnetwork.
If the ISP is using VPN-enabled equip-ment to connect to its outsourcer, the VPN canextend to the ISPÕs network. In that case, atunnel termination device or tunnel switch onthe ISPÕs network ends the tunnel.
Access and Value-Added Service MixVPNs are a potentially huge business opportu-nity (Figure 8). Capital-intensive NSPs can usethem to generate multiple revenue streamsÑaccess wholesaling, retail Internet access,value-added services such as remote accessoutsourcing and branch connectivityÑover asingle network infrastructure. In most cases,adding VPN capability requires only softwareor board-level upgrades to existing devices onthe edges of the NSPÕs network.
Where multiple services are being offeredto both enterprise and ISP customers, there willbe a mix of equipment initiating and termi-nating tunnels. Tunnels can be started byaccess concentrators on the NSPÕs network aswell as by end-user workstations or laptops at
8
Benefits: Wholesale Access• Generate incremental revenue from fixed
assets• Accelerate return on investment• Improve utilization of excess-capacity
facilities• Finance expansion and development of new
service offerings
Benefits: Access and Value-Added Service Mix• Accelerate return on network facilities
investments by leveraging them acrossmultiple wholesale and retail revenue streams
• Improve margins by offering value-added VPNservices
• Offer turnkey solution options, including CPEprovisioning and management
Security
server
Security
server
Mobile or
telecommuting user
Branch LAN
Remote branches
and employees
NSP POPs
Enterprise central site
Tunnel switch
in DMZ
Tunnel
terminator
on internal
network server
Last point
where user
info available
Internal
network
Internet or
NSP IP backbone
PSTNAccess
concentrator
Access
concentratorPSTN
Figure 7. Dial Access Outsourcing
enterprise customer locations. Tunnels can beended by a tunnel termination device or tunnelswitch at an enterprise customerÕs premises oron the network of an ISP dial access out-sourcing customer. They can also be ended bya Frame Relay gateway either on the networkof the outsourcer or the network of the ISPleasing the access.
NSPs can deploy any number of theseVPN applications as customer demands andmarket opportunities develop. The next sectionprovides technical information about howVPNs work.
How VPNs WorkThere is nothing exotic about VPNs. They arebased on familiar networking technology andprotocols (Figure 9 on page 10). In the case ofa remote access VPN, for example, the remoteaccess client is still sending a stream of Point-to-Point Protocol (PPP) packets to a remoteaccess server. Similarly, in the case of LAN-to-LAN VLLs, a router on one LAN is stillsending PPP packets to a router on anotherLAN. What is new is that in each case, insteadof going across a dedicated line, the PPP packetsare going across a tunnel over a shared network.
The effect of VPNs is like that of pulling aserial cable across a WAN cloud. PPP protocol
negotiations set up a direct connection fromthe remote user to the tunnel terminationdevice. The most widely accepted method ofcreating industry-standard VPN tunnels is byencapsulating network protocols (IP, IPX,AppleTalk, etc.) inside the PPP and thenencapsulating the entire package inside a tun-neling protocol, which is typically IP but couldalso be ATM or Frame Relay. This approach iscalled ÒLayer 2 tunnelingÓ since the passengeris a Layer 2 protocol (Figure 10 on page 10).
Alternatively, network protocols can beencapsulated directly into a tunneling protocolsuch as 3ComÕs Virtual Tunneling Protocol(VTP). This approach is called ÒLayer 3 tun-neling,Ó since the passenger is a Layer 3 pro-tocol (Figure 11 on page 10).
VPN ProtocolsCurrently, MicrosoftÕs Point-to-PointTunneling Protocol (PPTP), which is bundledwith Windows 95 and Windows NT 4.0, is themost widely used protocol for VPNs. (PPTPwas developed by 3Com and Microsoft.) In thenear future, however, most VPNs will be basedon the emerging Layer 2 Tunneling Protocol(L2TP).
9
ISP remote
access customer
NSP remote
access customer
NSP enterprise
customer
PSTN
Security
server
Internet
Security
server
Security
server
NSP VLAN
customer
NSPNSP’’s IP backbones IP backbone
NSP’s IP backboneNSP’s
New York
POP
NSP’s
San Francisco
POPNSP VLAN
customer
ISP
(wholesale access
customer backbone)
ISP customer’s
network
Figure 8. Access and Value-Added Service Mix
The L2TP standard represents a mergingof PPTP and Layer 2 Forwarding (L2F) pro-tocol, both of which operate at Layer 2. Theemerging standard offers the best features ofthese protocols as well as additional features.One such enhancement is multipoint tunneling.It will enable users to initiate multiple VPNs inorder, for example, to access both the Internetand the corporate network at the same time.
Both L2TP and PPTP offer additionalcapabilities that arenÕt available with Layer 3tunneling protocols:¥ They allow enterprises to choose whether to
manage their own user authorization, accesspermissions, and network addressing or havetheir NSP do it. By receiving tunneled PPPpackets, enterprise network servers haveaccess to information about remote users,
necessary for performing these tasks. ¥ They support tunnel switching. User infor-
mation is necessary for tunnel switching,which is the ability to terminate a tunnel andinitiate a new tunnel to one of a number ofsubsequent tunnel terminators. Tunnelswitching extends the PPP connection to afurther end point.
¥ They enable enterprises to apply fine-grained access policies at the firewall and atinternal servers. Because tunnel terminatorsat the enterprise firewall are receiving PPPpackets that contain user information, theycan apply specific security policies to trafficfrom different sources. (With Layer 3 tun-neling, in contrast, there is no way to differ-entiate packets coming in from the NSP sothe same set of filters has to be appliedacross the board.) In addition, if a tunnelswitch is used, it can initiate a subsequentLayer 2 tunnel to direct traffic from specificusers to the appropriate internal servers,where additional levels of access control canbe applied.
10
Figure 9. VPNs Are Based on Familiar Technology
IPXPPPL2TPIP
Figure 10. Layer 2 Tunneling Protocol Encapsulation
IPXVTPIP
Figure 11. Layer 3 Tunneling Protocol Encapsulation
PSTN
(private circuits)
PPP packet stream
Direct dial-up connection
Shared IP network
Remote
access
user
ISDN
terminal
adapter
or analog
modem
Access
concentrator
at NSP POP
Tunnel
terminator
or switch at
enterprise firewall
Tunnel
terminator
on internal
server
PPP packet stream
Virtual private network
VPN SecuritySecure VPNs apply specific security protocolsto tunnels or to the packets they carry. Theseprotocols enable hosts to negotiate encryptionand digital signature techniques that ensuredata confidentiality, data integrity, and authen-tication of the sending and receiving sources.
Microsoft Point-to-Point Encryption (MPPE)MPPE adds integrated data privacy (encryp-tion) into standard Microsoft Dial-Up Net-working (Figure 12). A 40-bit version isbundled with PPTP into Windows 95 andWindows NT Dial-Up Networking; a 128-bitversion is also available.
MPPE encrypts PPP packets on the clientworkstation before they go into a PPTP tunnel.When the client workstation negotiates PPPwith the ultimate tunnel terminator, an encryp-tion session is initiated. (Interim tunnelswitches do not have the ability to decrypt PPPpackets.)
MPPE provides data privacy and uses anenhanced Challenge Handshake Protocol(MS-CHAP) for strong user authentication.
Secure IP (IPsec) IPsec is an emerging standard for VPN secu-rity. In cases where IP is used to transmit
tunneled traffic, IPsec will enable tunnel initi-ating and tunnel terminating products frommultiple vendors to interoperate.
The standard, which was written byInternet Engineering Task Force (IETF) com-mittees, consists of a set of IP-level protocolsfor setting up an agreement between two IPstations about the encryption and digitalsignature methods that will be used. IPsec isrecommended for use with L2TP and will bemandatory for IPv6 compliance.
More robust than MPPE, IPsec encom-passes user authentication, privacy, and dataintegrity (Figure 13 on page 12). It can also beextended beyond the tunnel terminator to thedestination host workstation.
Another advantage of IPsec is that itssecurity mechanisms for authentication andsecurity are loosely coupled with its key man-agement systems. While Internet SecurityAssociation Key Management Protocol
11
Enterprise network
Tunnel terminator
on internal server
Tunnel
switch at
firewall
Security
server
Dial-Up Networking
software with MPPE
NSP POP
Remote access user
Security
server
Tunnel
initiator
PAP/CHAP
MPPE encrypted data stream
Shared
IP network
Figure 12. MPPE with CHAP
3Com provides VPN products that enableboth ISP/NSP-terminated tunnels andenterprise-terminated tunnels. 3Com alsosupports both L2TP and PPTP tunneling pro-tocols and is the only company currentlyoffering tunnel switching.
3Com Offers More Flexible VPN Choices
(ISAKMP)/Oakley and manual managementare the two key systems currently mandated inIETF draft standards, this loose coupling willallow for future systems to be used withoutrequiring modification of security mechanisms.
IPsec Example 1: Remote Access with ISPVPN Initiation. In this example, remoteaccess is achieved when the ISP initiates theVPN. This example describes the steps fol-lowed in the security process. In the examplethat follows, the client initiates the VPN, andthe ISPÕs access concentrator acts as a router.1. User authentication. The remote user dials
up her ISP. The networking software on herlaptop sends a CHAP message with theuserÕs name and password to the accessconcentrator at the ISPÕs POP. The accessconcentrator transmits the name and pass-word to a security server (for example,Remote Authorization Dial-In UserService, or RADIUS) for user authentica-tion. When it receives a response from theserver, it converts the response back intoCHAP and transmits it to the remote userÕslaptop.
Meanwhile, the access concentratorhas received additional information from
the security server, such as which IPaddress to assign to the user and whichsubnet mask to use. It knows the user is anemployee of a particular enterprise cus-tomer and the specified IP address of theappropriate tunnel termination device forthat customer. In most cases, this tunnelterminator will be the enterprise firewall oranother device inside the firewall ÒDMZÓ(the network segment between the compo-nents of a two-part firewall).
2. Establishment of a secure channelbetween the tunnel initiation and termi-nation devices. The ISPÕs access concen-trator and the tunnel termination device nowuse the ISAKMP/Oakley protocols to agreeon which encryption and data authentica-tion algorithms (such as DES, 3DES) theywill use to establish a secure channel. InISAKMP each participant in an exchangehas a pair of keys, one private and onepublic. The ISPÕs access concentrator sendsthe tunnel terminator a message along witha digital signature that it creates using itsprivate key.
To read the digital signature, thetunnel terminator must use the access con-centratorÕs public key. It may already havethe key stored; if not, it can get it by con-tacting a Certificate Authority. This authoritymight be a commercial organization suchas VeriSign or GTEÕs CyberTrust, or itmight be an enterprise server that stores the
12
Enterprise network
Tunnel terminator
on internal server
Destination
host
Tunnel
switch at
firewall
Security
server
Dial-Up Networking
software with IPsec
NSP POP
Remote access user
Security
server
Tunnel
initiator
User authorization
Encrypted data stream
IPsec
IPsec
IPsec
IPsec
IPsec
Shared
IP network
Figure 13. IPsec
certificates of companies with which theenterprise does business. (The enterpriseCertificate Authority will, in turn, be certi-fied by a commercial or government orga-nization, which may, in turn, be certified byanother organization, and on up the hier-archy of trust.)
The tunnel terminator returns a mes-sage with a signature created by its privatekey to the ISPÕs access concentrator. Theaccess concentrator then uses the tunnel ter-minatorÕs public key to authenticate thesignature.
The Oakley protocols are employed toexchange information that will be used togenerate encryption keys. The access con-centrator and the tunnel terminator eachemploy an algorithm called Diffie-Hellmanto independently generate another public/private key set (actually, two half-keys, oneof which is kept secret). They thenexchange the public half of their keys. Theaccess concentrator takes its own secrethalf-key and the tunnel terminatorÕs publichalf-key and runs a mathematical functionon them that results in a third secret key.The tunnel terminator performs the functionagainst its secret half-key and the accessconcentratorÕs public half-key, coming upwith the same third secret key. This pro-cess is highly secure because anyone inter-cepting the exchange will get only the twopublic half-keys. There is no hardware cur-rently available in the market with the com-putational power to derive the secrets fromthe public keys.
3. Application of organizational securitypolicies. The next step is for the devices toexchange information on how security willbe handled for this particular user. A trans-mission from the CEO, for example, mayneed to be sent using stronger messageauthentication and integrity methods (forexample, multiple levels of encryption,hash functions) than one from a salesrepresentative.
The access concentrator gets policyinformation about the user from a RADIUSserver or other internal source, and then ini-tiates an exchange with the tunnel termi-nator. This exchange is encrypted using thealgorithm already agreed upon during theISAKMP/Oakley exchange.
The userÕs data packets (including thepayload and the IP header) are thenencrypted and encapsulated in a new IPheader. This header has a different set ofaddresses than the original IP header on theuserÕs packet. Where initially the sourceaddress was the userÕs laptop and the desti-nation address was a host somewherebehind the firewall, in the new IP header,the source is the ISPÕs access concentratorand the destination is the tunnel terminator.This method is called IPsec Òtunnelingmode,Ó because during transmission acrossthe public network, the IP addresses of thesource and destination hosts are hidden.To ensure data integrity during transmis-
sion, a hash function may be calculated on theuserÕs IP packet before the new IP header isadded. Or, for stronger security, it may be
13
When IPsec-compliant encryption is applied toan entire network protocol packet (IP, IPX,AppleTalk, etc.), and then the encrypted resultsare encapsulated into another IP packet, theprocess is called “tunneling mode.”
The advantage of using this mode is that anetwork protocol can travel across a networkthat does not support it to a tunnel terminationdevice that does. Tunneling mode also protectsthe identity of networks, subnetworks, and
terminating notes. To confuse the picturefurther, Layer 2 VPNs provide these samebenefits, whether or not they incorporate IPsec.
As a result of similarities in terminologyand this single overlap in functions, some peopleassume that all tunneling functions are per-formed by IPsec tunneling mode. In fact, IPsecprovides only a small part of the capabilitiesneeded for virtual private networking.
IPsec Tunneling Mode Is Not the Same as a VPN Tunnel
calculated on the userÕs packet and the newheader together. When the tunnel terminationdevice receives the packet, it will perform thesame hash function on the packet. If it gets thesame value, then the packet has not been tam-pered with.
The tunnel terminator uses the DES key todecrypt the packets as they are received. If thetunnel is being terminated by the ISP, thepackets are transmitted to the enterprise via aFrame Relay circuit or other dedicated link. Ifthe tunnel is being terminated by the enter-prise, the packets are dropped onto a LAN fortransmission to the destination host. If theenterprise is using a tunnel switch to receiveVPN traffic from its ISP or NSP, the switchcreates a new tunnel to the destination host.IPsec security can also be applied to thistunnel.
IPsec Example 2: Remote Access withClient VPN Initiation. This process is thesame as the one described in the first example,except that all of the exchanges (CHAP userauthentication, ISAKMP/Oakley establishmentof a security association, application of
organizational policy, and encrypted transmis-sion) take place between the remote userÕslaptop and the tunnel termination device. TheISPÕs access concentrator simply acts as arouter. It is not even aware that a secure VPNhas been established.
Tunnel Switching: More Business Models andService DeliveryA tunnel switch is a combination tunnel termi-nator/tunnel initiator. It can be used to extendtunnels from one network to anotherÑforexample, to extend a tunnel incoming from anISPÕs network to a corporate network. It canalso be used to replace a point-to-point connec-tion with a point-toÐswitched fabricÐto-pointconnectionÑone that behaves much like adedicated telephone switched circuit eventhough it occurs over a routed network.
One of the most intriguing aspects oftunnel switching is the opportunities it opensup for mutually beneficial relationshipsbetween service providers (Figure14). Tunnelswitching is the enabler for the much-neededcooperation between providers that has beenmissing from conventional ÒcloudÓ servicessuch as Frame Relay. It means that any twoVPN customers could potentially exchangepackets without both having to use the sameservice provider. Using switching, ISPs andNSPs could hand off packets to each other,with appropriate data capture for separateaccounting. And, as a result, even those ISPsthat do not have large network infrastructurescould offer their customers nationwide andeven worldwide coverage.
14
Figure 14. Tunnel Switching Between Provider Networks
Security
serverRemote access
client
NSP #1 IP backbone
NSP #2 IP backbone
Tunnel initiator
Tunnel
switch
Security
server
To find out more about security technology,refer to the following documents:• RFC-1825, “Security Architecture for the
Internet Protocol”• RFC 1827, “Encapsulating Security
Payload (ESP)”• RFC-1851, “The ESP Triple DES Transform”
For More Information
Service providers can also use tunnelswitching to flexibly direct traffic from dif-ferent customers, and even from different userswithin a customer account, into tunnels withappropriate end points and Quality of Service(QoS) handling. An NSP, for example, couldswitch a high-priority customer onto a higher-speed fabric or use tunnel switching to avoidnetwork congestion points.
Tunnel switching can also benefit enter-prises. A company, for example, could usetunnel switching to increase security at thefirewall while improving its ability to manageremote access to network resources behind thewall (Figure 15). In this case, the tunnel switchwould generally be located on the enterprisefirewall. Based on a RADIUS lookup on theuser name, the switch would initiate a newtunnel through the firewall to a specificinternal server. Switching protects the integrityand performance of the firewall whileincreasing access to networked applicationsand resources. Other benefits for enterprisesinclude the ability to perform server load bal-ancing for incoming VPN traffic and increasedflexibility for IP addressing.
VPN ManagementThe goal of VPN management is to makeVPNs look like a private network. 3Com VPNsolutions incorporate management tools thatmonitor and provide visibility into VPNs run-ning over provider networks. 3Com TranscendÒ
AccessWatch/VPN software, for example, is aWeb-based application that enables network
administrators to profile the use and perfor-mance of VPNs using both real-time and his-torical data. Using Transcend AccessWatch/VPN software, administrators can performcapacity utilization, QoS, security exception,and tunnel usage analyses. New-generationpolicy-based management tools will also bedeployable across both conventional networklinks and VPNs.
3Com VPN Solutions3Com has more experience with VPNs thanany other internetworking provider. 3Com wasthe first remote access vendor to deliver VPNsolutions. Today, 3Com has more than 50,000VPN ports currently in use, with more than 2million VPN-ready ports installed worldwide.
3Com offers end-to-end VPN solutions,including products for enterprises and bothservice-focused and infrastructure-intensiveNSPs. All 3Com VPN solutions adhere toindustry standards (including IPsec for secu-rity) and are compatible with one another,making it easy for VPN providers and users toestablish mutually beneficial business partner-ships.
Enterprises and NSPs can choose 3ComVPN products with confidence. VPN capabili-ties are built into 3ComÕs proven product lines,including multiprotocol routers equipped witha rich set of management features and market-leading, award-winning access concentratorsand the highest-density carrier class solutionson the market. As the market leader in NICsand modems, 3Com also understands the needsof remote users.
15
Tunnel switch,
“main gate sentry,”
performs basic
user authorization
Tunnel terminator on internal server,
“inner gate sentry,” performs more detailed user
authorization, enforces profiles and policies
Security
server
Internet
Internal network
Figure 15. Tunnel Switching Through the Firewall
3Com is also the first vendor to extend theVPN architecture to incorporate tunnelswitching, the key to better security and moreflexible VPN applications.
All 3Com VPN solutions ship withTranscendWareª software, ensuring that3Com customers will be able to deploy andenforce network policies consistently acrossboth conventional links and VPNs.TranscendWare software allows edge devicesto communicate with end devices to enforcenetwork policies. By monitoring VPN tunnels,these devices will be able to better managedial-up ports, bandwidth allocation, networkload and destination, and return policyleasesÑall critical elements for control in aVPN environment.
3Com Solutions for NSPsNSPs can transport and receive tunneled trafficusing the 3Com Total Controlª family ofhubs. These devices enable NSPs to respondflexibly to market needs by simply adding orexchanging application interface cards. AnNSP, for example, currently supporting ISDNand 33.6 Kbps modem dial-up connections,can add Frame Relay by just hot-swapping acard. Adding 56 Kbps modem support simplyrequires a software download. Total Control
hubs provide all connections in a singlechassis, relying on the system buses rather thancongestion-prone cabling for communications.
Hubs can configure themselves on the flyto support different applications. A singlemodem can support, for example, dial-up to amainframe host, remote access to a corporateLAN, and point-of-sale transaction processingÑapplications that would otherwise require threedifferent modem pools.
3Com Total Control hubs provide the highreliability NSPs require. They are fault-tolerantand equipped with redundant power supplies.Hot-swappable cards and software download-able upgrades mean that these systems rarelyneed to be taken off-line. To avoid a singlepoint of failure, they also incorporate card orport redundancy, with the ability to reroutetraffic to hot-standby backup cards ifnecessary.
3Com Solutions for EnterprisesEnterprises can add VPN network server capa-bility (tunnel termination) to their existingNETBuilder II¨ or SuperStack¨ II bridge/router. This single device can provide a con-nection to an NSP over leased line, FrameRelay, ISDN, SMDS, or Switched 56, and itprovides LAN connections over Ethernet,
16
• First remote access vendor to deliver VPNsolutions
• Key member of IETF L2TP working group• Inventor of patent-pending Tunnel Switching
architecture
• Developer of PPTP for Microsoft Windows andWindows NT
• Developer of Virtual Tunneling Protocol (VTP)based on close carrier input
3Com VPN Technology Leadership
• End-to-end compatible VPN solutions• Built into industry-leading, market-proven
products• Tunnel switching for increased flexibility in
service offerings and Quality of Servicehandling, cooperation with other serviceproviders
• Standards-based (L2TP, IPsec, MPPE, etc.)• Easy, cost-effective scalability• Flexibility to add or change communication
components with board plug-ins and softwaredownloads
• Low cost of ownership• Ease of migration/investment protection
3Com VPN Solutions Advantages
Token Ring, and ATM. The NETBuilder IIrouter products support all major LAN proto-cols, enabling multiprotocol tunnel traffic to berouted to the appropriate LAN server, and theyalso support SNA for access to legacy systems.
NETBuilder¨ and SuperStack II productsoffer the unique advantage of BoundaryRouting¨ system architecture. BoundaryRouting technology enables companies to sim-plify remote router installation and configura-tion, eliminating the need for on-site technicalstaff, by shifting key router management andoverall router management to a central site.
Where NSPs are providing tunnel creationservices, branch offices and remote users cancontinue using their existing networkingdevices (OfficeConnect¨ routers, 3ComImpact¨
IQ ISDN terminal adapters, 3Com x2ª orCourierª modems, 3Com Megahertz¨ PCmodem card) as is. Where remote user devicesare to create tunnels, additional software mustbe used. This software is already integratedinto 3Com network interface cards and is alsobundled into the Windows 95 and WindowsNT operating systems.
ConclusionIndustry-standard virtual private networks areushering in the next generation of networkconnectivity. Most analysts expect thatInternet-based VPNs will eventually replacemost leased-line networks. VPNs are beingwidely adopted because they offer immensecost savings as well as new business opportu-nities for both enterprises and NSPs. Many ofthese benefits can be gained by rapidly estab-lishing new types of business relationships thatare mutually beneficial to all parties.
3Com has a broader product line of solu-tions and more experience with VPNs than anyother vendor, and is the first vendor to offer thecompetitive advantage of tunnel switching.3Com customers can now begin exploiting thebenefits of VPNs with confidence, because3Com VPN solutions are available (in mostcases, through upgrades) on some of theindustryÕs most highly praised, market-provennetworking platforms and products.
17
To learn more about 3Com products and services, visit our World Wide Web site at www.3com.com. 3Com is a publicly traded corporation (Nasdaq: COMS).
© 1998 3Com Corporation. All rights reserved. 3Com, the 3Com logo, 3ComImpact, Boundary Routing, Megahertz, NETBuilder, NETBuilder II, OfficeConnect, Transcend, Transcendware, and SuperStack areregistered trademarks of 3Com Corporation. More connected., Courier, Total Control, and x2 are trademarks of 3Com Corporation. AppleTalk is a trademark of Apple Computer. Windows and Windows NT aretrademarks of Microsoft. IPX is a trademark of Novell. Other brands or product names may be trademarks or registered trademarks of their respective owners. All specifications are subject to change withoutnotice.
Printed in U.S.A. on recycled paper 500649-002 11/98
3Com CorporationP.O. Box 581455400 Bayfront PlazaSanta Clara, CA 95052-8145Phone: 1 800 NET 3Comor 1 408 326 5000
Fax: 1 408 326 5001World Wide Web:www.3com.com
Asia Pacific Rim
Sydney, Australia Phone: 61 2 9937 5000Fax: 61 2 9956 6247
Melbourne, AustraliaPhone: 61 3 9934 8888Fax: 61 3 9934 8880
Beijing, ChinaPhone: 86 10 68492 568Fax: 86 10 68492 789
Shanghai, ChinaPhone: 86 21 6350 1581Fax: 86 21 6350 1531
Hong KongPhone: 852 2501 1111Fax: 852 2537 1149
IndiaPhone: 91 11 644 3974Fax: 91 11 623 3192
IndonesiaPhone: 62 21 572 2088Fax: 62 21 572 2089
Osaka, JapanPhone: 81 6 536 3303Fax: 81 6 536 3304
Tokyo, JapanPhone: 81 3 5977 3266Phone: 0120 313266(toll free from Japan)
Fax: 81 3 5977 3370
KoreaPhone: 82 2 3455 6300Fax: 82 2 319 4710
MalaysiaPhone: 60 3 715 1333Fax: 60 3 715 2333
New ZealandPhone: 64 9 366 9138Fax: 64 9 366 9139
PhilippinesPhone: 632 892 4476Fax: 632 811 5493
SingaporePhone: 65 538 9368Fax: 65 538 9369
TaiwanPhone: 886 2 2 377 5850Fax: 886 2 2 377 5860
ThailandPhone: 662 231 8151 5Fax: 662 231 8158
3Com Austria
Phone: 43 1 580 17 0Fax: 43 1 580 17 20
3Com Benelux B.V.
BelgiumPhone: 32 2 725 0202Fax: 32 2 720 1211
NetherlandsPhone: 31 346 58 62 11Fax: 31 346 58 62 22
3Com Canada
CalgaryPhone: 1 403 265 3266Fax: 1 403 265 3268
EdmontonPhone: 1 403 423 3266Fax: 1 403 423 2368
MontrealPhone: 1 514 683 3266Fax: 1 514 683 5122
OttawaPhone: 1 613 566 7055Fax: 1 613 233 9527
TorontoPhone: 1 416 498 3266Fax: 1 416 498 1262
VancouverPhone: 1 604 434 3266Fax: 1 604 434 3264
3Com Eastern Europe/CIS
BulgariaPhone: 359 2 962 5222Fax: 359 2 962 4322
Czech RepublicPhone: 420 2 21845 800Fax: 420 2 21845 811
HungaryPhone: 36 1 250 8341Fax: 36 1 250 8347
PolandPhone: 48 22 6451351Fax: 48 22 6451352
RussiaPhone: 7 095 258 09 40Fax: 7 095 258 09 41
Slovak RepublicPhone: 421 7 317 850Fax: 421 7 317 849
3Com France
Phone: 33 1 69 86 68 00 Fax: 33 1 69 07 11 54 Carrier and Client Access
Phone: 33 1 41 97 46 00Fax: 33 1 49 07 03 43
3Com GmbH
Munich, Germany Phone: 49 89 627320Fax: 49 89 62732233
3Com Iberia
PortugalPhone: 351 1 3404505Fax: 351 1 3404575
SpainPhone: 34 1 509 69 00Fax: 34 1 307 79 82
3Com Latin America
U.S. HeadquartersPhone: 1 408 326 2093Fax: 1 408 764 5730
Miami, FloridaPhone: 1 305 461 8400Fax: 1 305 461 8401
ArgentinaPhone: 54 1 312 3266Fax: 54 1 314 3329
Brazil Phone: 55 11 246 5001Fax: 55 11 246 3444
Chile (serving Chile, Bolivia, andPeru)Phone: 562 240 6200Fax: 562 6240 6231
ColombiaPhone: 57 1 629 4847Fax: 57 1 629 4503
MexicoPhone: 52 5 520 7841/7847Fax: 52 5 520 7837
PeruPhone: 51 1 221 5399Fax: 51 1 221 5499
VenezuelaPhone: 58 2 953 8122Fax: 58 2 953 9686
3Com Mediterraneo
Milan, ItalyPhone: 39 2 253011Fax: 39 2 27304244
Rome, ItalyPhone: 39 6 5279941Fax: 39 6 52799423
3Com Middle East
Phone: 971 4 319533Fax: 971 4 316766
3Com Nordic AB
DenmarkPhone: 45 48 10 50 00Fax: 45 48 10 50 50
FinlandPhone: 358 9 435 420 67Fax: 358 9 455 51 66
NorwayPhone: 47 22 58 47 00Fax: 47 22 58 47 01
SwedenPhone: 46 8 587 05 600Fax: 46 8 587 05 601
3Com Southern Africa
Phone: 27 11 807 4397Fax: 27 11 803 7405
3Com Switzerland
Phone: 41 844 833 933Fax: 41 844 833 934
3Com UK Ltd.
EdinburghPhone: 44 131 240 2900Fax: 44 131 240 2903
IrelandPhone: 353 1 823 5000Fax: 353 1 823 5001
ManchesterPhone: 44 161 873 7717Fax: 44 161 873 8053
Winnersh Phone: 44 1189 27 8200Fax: 44 1189 695555
3Com Corporation enables individuals and organizations worldwide to communicate and shareinformation and resources anytime, anywhere. As one of the world’s preeminent suppliers of data,voice, and video communications technology, 3Com has delivered networking solutions to morethan 200 million customers worldwide. The company provides large enterprises, small and mediumenterprises, carriers and network service providers, and consumers with comprehensive, innovativeinformation access products and system solutions for building intelligent, reliable, and high-performance local and wide area networks.