
Page 1: Enterprise Class Telecommuter VPN Solution · Presentation_ID Cisco Public ECT The Business Enabler Meets Customer Requirements • Manageable Minimizes TCO due to ZTD and automated

1© 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_ID Cisco Public

Enterprise Class Telecommuter VPN Solution

David Iacobacci, Mike Swartz, Plamen Nedeltchev, Ph.D.

Page 2:

ECT Agenda

Access Market Demands and Landscape

ECT: The Business Enabler Meets Customer Requirements

ECT Reduces TCO

ECT Solution: Site-to-Site Cisco IOS®-based VPN

ECT Is End-to-End, Scalable VPN Solution

ECT E2EVPN Model: End-to-End Security, End-to-End Connectivity, End-to-End Deployment, End-to-End Management

ECT Best Practices

Page 3:

Access Market Demands and Landscape

• Customers require a VPN solution that:
  Provides secure end-to-end support for data, voice, wireless, and video
  Is simple, scalable, and manageable, and allows customers to easily subscribe to or unsubscribe from modular services
  Is proven in real-world scenarios; vendors should provide effective information, including lessons learned, detailing how to deploy and manage while minimizing TCO

• Landscape
  VPN has proven to be a big cost saver for enterprises
  Industry is transitioning from permanent circuits to the Internet as a super medium
  Residential broadband is exploding; home access speeds are rapidly increasing
  Telecommuting lifestyle continues to grow: up to 50 million people by 2006
  Clients continue to operate in a hostile environment, as 70% of attacks come across the Internet

Page 4:

ECT: The Business Enabler Meets Customer Requirements

• Manageable: Minimizes TCO through ZTD and automated management; results in improved control of remote devices

• Scalable: Can address the requirements of ISPs as well as large and small enterprises

• Secure: Supports layers of Cisco security features consistent with the self-defending network strategy; will transform from integrated to collaborative and later adaptive security

• Market distinguisher: Streamlines router configurations and integrates Cisco security with the Cisco dynamic routing framework, creating a solution only Cisco can offer

• Flexible and modular service offerings: ECT is expanding from secure data to secure IPT, Wi-Fi, and video

Page 5:

ECT Reduces TCO

[Chart: Total Cost of Ownership (TCO) versus Return on Investment (ROI) over the lifetime of the asset, years 1 to 5]

Maintain a low TCO by using automation to lower the costs of deployment and the costs of management

Total Cost of Ownership (TCO) Is the Sum of Acquisition Costs, Plus All the Operational and Support Costs Over the Lifetime of an Asset—generally 3–5 Years; as TCO Decreases, ROI Improves

[Chart: cost breakdown: 20% acquisition costs, 35% operational costs, 45% management costs]

Page 6:

ECT Solution: Cisco IOS®-Based Site-to-Site VPN

• Enterprise or ISP models

• The spoke router in the home network has three VPN tunnels: two data tunnels and one management tunnel

• Traffic is routed over the data tunnels in a failover model

• Management subnet is separate from data subnet and can be physically isolated

[Diagram: the home network spoke router connects through the ISP and the Internet to Cisco with a primary data tunnel to Data GW #1, a secondary data tunnel to Data GW #2, and a management tunnel to the Mgmt GW; behind the management gateway sit ISC, IE2100, the PKI servers and the EzSDD registrar]

Page 7:

ECT 3 Phase Approach

Phase 1

Benefits:

• New HW VPN architecture for home users

• Cisco 831 router replaces the VPN 3002 hardware client

• Automated Provisioning

• Secure and Standardized Management

• Auth-proxy user id

Phase 2

Benefits:

• Automated provisioning of IP Telephony

• Add NBAR, IPS, 802.1x

• Out-of-office productivity close to office levels

• Multiple device types

Phase 3

Benefits:

• Introduce the 871 router as new standard

• Integration of secure, managed wireless LAN service

• 20x improved performance/throughput

Page 8:

ECT’s Global Reach Is Scalable

[Map: hub locations at San Jose, RTP, Boxborough, Richardson, Amsterdam, Tel Aviv, Tokyo, Hong Kong, Singapore and Sydney; legend distinguishes "Management and Data Hub" from "Data Hub"]

Page 9:

ECT Management Hub

[Diagram: the spoke router (Cisco 831) reaches the data center across the Internet over a plain IPSec tunnel terminating on the loopback of ECT-smg1 (SMG, Cisco 374 or Cat65K); behind it are DC GW 1 and DC GW 2, the ACS server and provisioning infrastructure, the IE2100 (Linux-based appliance), ISC IP Solutions Center (UNIX-based server), certificate servers Cert1 and Cert2 (Cisco 3725), and other equipment not on the management subnet]

Page 10:

Typical ECT Data Hub

[Diagram: the spoke router (Cisco 831) has a DMVPN-based IPSec primary tunnel to the primary data GW and a DMVPN-based IPSec secondary tunnel to the secondary data GW (each a 7206 VXR with NPE-G1 and VAM2) on the corporate network, with the SDP registrar (Cisco 3725) alongside; legend distinguishes Layer 3 wired connections from DMVPN IPSec connections]

Page 11:

ECT and End-to-End VPN (E2EVPN)

End-to-End Connectivity: DMVPN

• Failover/load-balancing
• Dynamic routing
• Full-mesh and partial-mesh topologies
• Hub-to-spoke and spoke-to-spoke tunnels; permanent and on-demand tunnels
• mGRE, IPSec, NHRP; transport and tunnel modes
• Multiple DMVPN clouds per head-end router; resiliency

Full support of IP applications: data, VoIP, QoS, Wi-Fi, multicast, video

End-to-End Security

Device and user authentication and anti-theft protection: Secure RSA lock key, Secure ARP, Auth-Proxy, 802.1X

IOS-based PKI: certificate server (CA & RA, sub-CS modes), PKI-AAA integration, auto-enrollment, multiple trust points

Underlying security features: IPSec (3DES or AES), stateful firewall, NBAR, IDS/IPS, and NAC

End-to-End Management

Ongoing management: IP Solution Center (ISC); Cisco IE2100-based CNS notification engines (CNS configuration, CNS notification, CNS image management); EMAN framework integration

• Automated user service application and entitlement
• Automated configuration/pre-configuration and audit
• Automated image management
• Automated control, monitoring and security management
• Interactive/automated decision making and service termination
• Anti-virus, anti-worm and DoS protection
• Automated event log management

End-to-End Deployment

Configuration automation: IP Solution Center (ISC); Cisco CNS 2100 Series Intelligence Engine (CNS configuration engine, CNS notification engine, CNS image engine)

Automated Zero-Touch Deployment (ZTD): bootstrap configuration and PKI certificates (EzSDD); off-line (ISC CA proxy); in-house (RA engineer)

Automated policy deployment, re-deployment and audit: DMVPN/IPSec, firewall, QoS, NAT, NBAR & IDS

Page 12:

End-to-End Security: Layered Security

Feature: Benefit

• RSA key loss due to password recovery: Guards against unauthorized configuration changes
• Secure RSA private key: Prevents VPN connection after theft
• Secure ARP: Anti-spoofing of IP addresses assigned to devices
• Authentication proxy: User-level authentication (layer 3)
• 802.1x: User-level authentication (layer 2)
• Cisco IOS® PKI support and PKI-AAA integration: Secure, scalable solution enables quick addition and deletion of spoke routers utilizing existing AAA servers
• Cisco IOS® stateful firewall (CBAC): Maintains state info per application; will provide deep packet inspection and off-board URL filtering
• Cisco IOS® IPS: Multiple signatures; will combine with CBAC to perform deep packet inspection with a single lookup
• Network Admission Control (NAC): Device posture validation

Page 13:

RSA Key Loss Due to Password Recovery

• If someone performs password recovery on the router, the RSA private key becomes unusable

• If the user changes the hostname of the router, the RSA private key is permanently deleted

The router cannot establish a VPN session using the installed certificates after password recovery

Page 14:

Protected Private RSA Key

• The RSA private key is locked by the user and must be unlocked by entering a passphrase before a VPN connection can be established

• VPN connections will not be established until the private key is unlocked

The Router Cannot Be Stolen and Later Used to Establish a VPN Session
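The two preceding slides describe the IOS Protected Private Key Storage behaviour without showing the commands. The following is an added example, not from the original deck, of how a spoke router's RSA keypair is generated non-exportable, encrypted with a passphrase, and locked so IKE RSA-signature authentication fails until a person unlocks it. The hostname, domain, key label and passphrase are assumptions.

```cisco
! Added example (not from the original deck). Hostname, domain, key label
! and passphrase are assumed values for illustration.
configure terminal
hostname ect-spoke-1
ip domain-name example.com
end
!
! Non-exportable is the default: the key cannot be copied off the router,
! and a hostname change or password recovery leaves it unusable, so a
! stolen box cannot be re-homed and still authenticate to the hubs.
crypto key generate rsa general-keys label ECT-SPOKE-KEY modulus 2048
!
! Encrypt the stored private key under a passphrase and persist it
! (without 'write', the encrypted form is not saved until 'write memory').
crypto key encrypt write rsa name ECT-SPOKE-KEY passphrase S3cur3-Pa55phrase
!
! Lock the key: any IKE negotiation that needs this key now fails, so no
! data or management tunnel comes up until it is unlocked.
crypto key lock rsa name ECT-SPOKE-KEY passphrase S3cur3-Pa55phrase
!
! What the telecommuter types (or an engineer, once console access is
! regained) before the router can establish VPN sessions again.
crypto key unlock rsa name ECT-SPOKE-KEY passphrase S3cur3-Pa55phrase
!
! Verification: the key is reported as encrypted and as locked/unlocked.
show crypto key mypubkey rsa
```

The lock survives a reload, which is the anti-theft property the slide relies on: a router that is powered on elsewhere boots with the key locked and cannot authenticate to any gateway until someone who knows the passphrase unlocks it.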

Page 15:

Secure ARP

• When the spoke router assigns an IP address via DHCP, the corresponding entry is secured in the ARP table

• An intruder cannot simply clear the ARP cache and reuse the IP address to gain access to the Cisco network

Secure ARP is an effective anti-spoofing mechanism; however, the best approach for all services would be to require device certificates
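The slide above names the feature but not its configuration. The following is an added example, not from the original deck, of DHCP-backed authorized ARP on the spoke's LAN side: the DHCP server installs the ARP entry for each lease and the interface accepts only those entries. Addresses, pool and interface names are assumptions; Ethernet0 is the LAN switch interface on a Cisco 831.

```cisco
! Added example (not from the original deck). Addresses, pool name and
! the Ethernet0 LAN interface are assumptions.
configure terminal
ip dhcp excluded-address 10.20.30.1 10.20.30.9
ip dhcp pool ECT-LAN
 network 10.20.30.0 255.255.255.0
 default-router 10.20.30.1
 dns-server 10.10.1.53
 lease 0 8
 ! Install an ARP entry for each lease the DHCP server hands out, rather
 ! than learning it from whichever host answers on the wire.
 update arp
!
interface Ethernet0
 ip address 10.20.30.1 255.255.255.0
 ! Only DHCP-installed (authorized) entries are accepted on this interface,
 ! so clearing the cache and claiming a leased address does not work.
 arp authorized
end
!
! Verification: each binding should have a matching ARP entry that is not
! replaced by a gratuitous ARP from another MAC address.
show ip dhcp binding
show arp
```

The caveat on the slide still applies: this binds an IP address to the MAC address that obtained the lease, so a device that can change its MAC address and re-request a lease is not stopped; only device certificates (or 802.1X, two slides on) tie access to an identity.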

Page 16:

Authentication Proxy

• Authentication proxy enables user authentication at layer 3 of the network stack; the user must authenticate in order to gain intranet access from laptops, workstations, and PCs; upon successful authentication, an access list is downloaded to the router from the AAA RADIUS servers to enforce corporate access policies

• Authentication proxy can be implemented as a mechanism to prevent non-employees from accessing corporate network resources in a teleworker scenario

• User access to different areas of an intranet can be controlled via the group information on the RADIUS server
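The following is an added example, not from the original deck, of the HTTP authentication proxy described above, with the per-user access list supplied by RADIUS. The RADIUS server address and secret, the ACL and interface names and the addresses are assumptions.

```cisco
! Added example (not from the original deck). RADIUS server, shared secret,
! ACL name and addresses are assumptions.
configure terminal
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 10.10.1.5 auth-port 1645 acct-port 1646 key R4dius-Secr3t
!
! The login page is served by the router's HTTP server, authenticated via AAA
ip http server
ip http authentication aaa
!
! Idle sessions expire after 60 minutes and the user must authenticate again
ip auth-proxy auth-cache-time 60
ip auth-proxy name ECT-AUTH http
!
! Before a user authenticates, the LAN may only obtain DHCP, resolve names,
! and reach the router's login page; everything else is denied until the
! proxy adds the per-user entries downloaded from RADIUS.
ip access-list extended LAN-IN
 permit udp any any eq bootps
 permit udp any host 10.10.1.53 eq domain
 permit tcp any host 10.20.30.1 eq www
 deny   ip any any
!
interface Ethernet0
 ip address 10.20.30.1 255.255.255.0
 ip access-group LAN-IN in
 ip auth-proxy ECT-AUTH
end
!
! Verification: one cache entry per authenticated user with its dynamic ACEs
show ip auth-proxy cache
```

On the RADIUS side, the user entry carries the cisco-av-pair attributes IOS expects for this service: `auth-proxy:priv-lvl=15` plus one `auth-proxy:proxyacl#n=permit ...` line per entry to open, which is how the slide's "group info on the RADIUS server" turns into different intranet reach per user.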

Page 17:

802.1x-Based Device Authentication

• 802.1x provides layer 2 authentication of devices

• Two VLANs on the spoke router: a trusted (corporate-routable) VLAN and a non-trusted (home) VLAN; devices that pass 802.1x authentication are assigned to the trusted VLAN

• 802.1x simplifies router configuration vs. authentication proxy

Page 18:

Cisco IOS® Certificate Server Support and PKI-AAA Integration

• Cisco IOS® Certificate Server (IOS®-CS) feature enables a router to function as a certificate server

• IOS®-CS supports CA, RA, and subordinate server modes

• IOS®-CS supports exportable and non-exportable keys, full backup, restore, and auto-enroll

• IOS®-CS permits storage of certificates on external databases or on local flash

• Cisco IOS® provides PKI-AAA integration which can eliminate the need to manage CRLs; this significantly simplifies the management and deployment of a PKI solution and builds upon existing AAA infrastructure
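The following is an added example, not from the original deck, showing both sides of the slide above: an IOS certificate server on the management hub, and a spoke trustpoint that auto-enrolls and uses PKI-AAA authorization instead of CRL checking. Names, addresses, lifetimes and the RADIUS secret are assumptions.

```cisco
! Added example (not from the original deck). Names, addresses, lifetimes
! and the RADIUS secret are assumptions.
!
! ---- management hub: IOS certificate server (CA mode) ----
configure terminal
ip http server
crypto pki server ECT-CA
 issuer-name CN=ECT-CA,O=Example
 database level complete
 database url nvram:
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! Requests stay pending until granted; with SDP the OTP exchange stands
 ! in for this manual step, so 'grant auto' is deliberately not used.
 no shutdown
end
crypto pki server ECT-CA info requests
!
! ---- spoke: enroll, renew automatically, authorize peers via AAA ----
configure terminal
aaa new-model
aaa authorization network ECT-PKI-AAA group radius
radius-server host 10.10.1.5 key R4dius-Secr3t
!
crypto pki trustpoint ECT-CA
 enrollment url http://10.10.1.10:80
 subject-name CN=ect-spoke-1,OU=ECT
 ! No CRL download: instead, every peer certificate's CN is looked up in
 ! RADIUS; disabling the account revokes the spoke without reissuing a CRL.
 revocation-check none
 authorization list ECT-PKI-AAA
 authorization username subjectname commonname
 ! Re-enroll when 70% of the certificate lifetime has elapsed
 auto-enroll 70
 rsakeypair ECT-SPOKE-KEY
end
!
crypto pki authenticate ECT-CA
show crypto pki certificates
```

The RADIUS entry for each spoke is keyed by the certificate common name and carries `pki:cert-application=all` in a cisco-av-pair; a peer whose account is missing or disabled fails IKE authentication even though its certificate is still valid, which is the "eliminate the need to manage CRLs" point on the slide.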

Page 19:

Cisco IOS® Firewall Features

• Cisco IOS® provides a stateful firewall and CBAC (Context-Based Access Control)

• The firewall ACL blocks any access attempts from outside

• CBAC opens holes for the return traffic of connections initiated from the inside

• Apart from standard TCP and UDP, CBAC also supports application protocols such as SIP, SCCP, SMTP, FTP, and more

Page 20:

Intrusion Prevention System (IPS)

• The intrusion prevention system detects attack signatures and raises alarms

• Cisco IOS® has an increasing number of built-in signatures

• New signatures can be loaded at any time

• Combined with CBAC, the Cisco IOS®-based IPS will perform deep packet inspection with a single lookup
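The following is an added example, not from the original deck, of the stateful firewall and IOS IPS described on this and the previous slide, applied to the spoke's Internet interface. Ethernet1 is the WAN port on a Cisco 831; the inspection rule, ACL and signature file names are assumptions.

```cisco
! Added example (not from the original deck). Rule, ACL and signature file
! names are assumptions; Ethernet1 is the 831's WAN port.
configure terminal
! Inspection rule: state is kept per application, so replies are admitted
! and protocol-aware channels (FTP data, SIP/SCCP media) are opened.
ip inspect name ECT-FW tcp
ip inspect name ECT-FW udp
ip inspect name ECT-FW icmp
ip inspect name ECT-FW ftp
ip inspect name ECT-FW smtp
ip inspect name ECT-FW sip
ip inspect name ECT-FW skinny
!
! Inbound from the Internet: only what the VPN itself needs (IKE, NAT-T,
! ESP, GRE) and the ISP's DHCP replies; CBAC adds return-path entries for
! sessions the home LAN initiated. Everything else is dropped and logged.
ip access-list extended WAN-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
! IPS: signatures loaded from flash; if the file cannot be loaded the
! interface fails closed rather than passing traffic uninspected.
ip ips sdf location flash:attack-drop.sdf
ip ips fail closed
ip ips name ECT-IPS
!
interface Ethernet1
 description Internet (address from ISP via DHCP)
 ip address dhcp
 ip access-group WAN-IN in
 ip inspect ECT-FW out
 ip ips ECT-IPS in
end
!
show ip inspect sessions
show ip ips configuration
```

One point worth checking in a deployment like this: traffic inside the data tunnels is encrypted when it crosses Ethernet1, so the rule above only sees traffic the home LAN sends directly to the Internet. Inspection of what flows between the home LAN and the corporate network has to be applied on the tunnel interfaces, or at the hub, if that is the intent.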

Page 21:

Network Admission Control: Device Posture Validation

• NAC ensures that only PCs with current anti-virus software can access the network

• In addition to anti-virus posture, it can check many other parameters like system OS, OS patch level, etc.

• These policies are configured on the Cisco Secure ACS server; each posture status results in different network access levels for the PC

• The anti-virus SW must also support NAC; supported vendors include NAI anti-virus, Symantec, and Trend Micro

Page 22:

End-to-End Connectivity

Feature: Benefit

• DMVPN Fundamentals: Dynamic Multipoint VPN based upon IPSec, NHRP, and multipoint GRE
• DMVPN Functionality: Allows for dynamically configured IPSec tunnels that support routing protocols
• Routing with DMVPN: Routing protocols in the DMVPN cloud provide responsive failover
• DMVPN Key Differentiators: Simplifies configurations, separates management and data traffic paths, and builds on-demand full or partially meshed networks
• IP Applications Support: Latency-sensitive applications, e.g., voice and video, as well as multicast; managed Wi-Fi in the near future

Page 23:

DMVPN Fundamentals

• Dynamic Multipoint VPN is a Cisco IOS®-based solution for easily building scalable VPNs by encapsulating GRE in IPSec

• Relies on three proven Cisco technologies:

  IPSec

  Next Hop Resolution Protocol (NHRP)
    The hub maintains an NHRP database of all the spokes' routable (public interface) addresses
    Each spoke registers its routable address with the NHRP server (hub) after successful negotiation of the IPSec tunnel
    Spokes query the NHRP database for the routable addresses of destination spokes to build direct tunnels

  Multipoint GRE tunnel interface
    Allows a single GRE interface to support multiple IPSec tunnels
    Simplifies the size and complexity of the configuration

Page 24:

DMVPN Functionality

• Spokes have a dynamic, permanent IPSec tunnel with the hub, but not with other spokes; the spokes register as clients of the NHRP server on the hub

• All routing information pushed to spoke routers across DMVPN cloud via routing protocols

• In a spoke-to-spoke scenario, when a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the routable (outside) address of the destination spoke

• The originating spoke then initiates a dynamic GRE tunnel, encapsulated in IPSec to the target spoke

• The spoke to spoke tunnel is built over the mGRE interface

Page 25:

Routing with DMVPN

• Dynamic routing is required over hub-to-spoke tunnels

• Spokes learn the private networks of other spokes and the hub via routing updates sent by the hub

• From the hub perspective, the IP next-hop for a spoke network is the tunnel interface for that spoke

• Possible routing protocols are EIGRP, OSPF, BGP, RIP

• Failover between a spoke and the primary/secondary hubs occurs via the routing protocol: when the neighbor over the failed tunnel is lost, the routes learned through it are withdrawn and traffic follows the surviving tunnel; EIGRP failover is < 10 ms

Page 26:

DMVPN: Key Differentiators

• DMVPN uses crypto profiles and tunnel protection; this frees the physical interface from a crypto map

• Management is performed over a separate VPN tunnel independent of the primary DMVPN data tunnels

• DMVPN allows for dynamic registration of spokes
  One tunnel interface defined on the hub side supports a single DMVPN cloud
  Eliminates static point-to-point configurations
  Reduces the complexity of the hub configuration

• DMVPN provides dynamic full and partial mesh capability

Provides improved support for applications such as voice and video
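The four DMVPN slides above describe the mechanism (mGRE, NHRP registration, tunnel protection, routing-driven failover) without a configuration. The following is an added example, not from the original deck, of a primary data hub and a spoke with two DMVPN clouds (primary and secondary hub) using crypto profiles, tunnel protection and EIGRP. Public addresses are RFC 5737 documentation addresses; interface names, tunnel keys, network IDs and the NHRP authentication string are assumptions.

```cisco
! Added example (not from the original deck). Addresses, interface names,
! tunnel keys, network IDs and the NHRP string are assumptions.
!
! ---- IKE/IPsec policy shared by hub and spokes; peers authenticate with
! ---- certificates from the ECT CA, so no pre-shared keys exist to leak
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
crypto ipsec transform-set ECT-AES esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile ECT-DMVPN
 set transform-set ECT-AES
!
! ---- primary data hub (Data GW #1), public address 192.0.2.1 ----
! One mGRE interface serves every spoke: no crypto map on the physical
! interface and no per-spoke tunnel configuration.
interface Tunnel0
 description DMVPN cloud 100 (primary)
 ip address 10.100.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ECTnhrp
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ! Re-advertise spoke routes to other spokes with the originating spoke as
 ! next hop, so spoke-to-spoke traffic triggers NHRP resolution and a
 ! direct tunnel instead of hairpinning through the hub.
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ECT-DMVPN
!
router eigrp 1
 network 10.100.0.0 0.0.0.255
 network 10.0.0.0 0.0.255.255
 no auto-summary
!
! ---- spoke (Cisco 831 at home; Ethernet1 is the WAN port) ----
! Two clouds from one tunnel source need 'shared' on both tunnel
! protections so the interfaces can share the IPsec socket.
interface Tunnel0
 description Primary data tunnel to Data GW #1
 ip address 10.100.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ECTnhrp
 ip nhrp map 10.100.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 10.100.0.1
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ECT-DMVPN shared
!
interface Tunnel1
 description Secondary data tunnel to Data GW #2
 ip address 10.200.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ECTnhrp
 ip nhrp map 10.200.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 200
 ip nhrp holdtime 300
 ip nhrp nhs 10.200.0.1
 ! Higher delay makes EIGRP prefer Tunnel0; when the hub 1 neighbor is
 ! lost, routes via Tunnel1 take over with no change on the spoke.
 delay 2000
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile ECT-DMVPN shared
!
router eigrp 1
 network 10.100.0.0 0.0.0.255
 network 10.200.0.0 0.0.0.255
 network 10.20.30.0 0.0.0.255
 no auto-summary
!
show ip nhrp
show crypto ipsec sa
show ip eigrp neighbors
```

Two checks are worth making after this comes up: `show ip nhrp` on the hub should list each spoke's tunnel address mapped to its current public address (it changes whenever the ISP reassigns one), and the EIGRP neighbor and hold timers on the tunnel interfaces are what bound the failover time the slide quotes, so they should be set deliberately rather than left at the defaults.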

Page 27:

IP Applications Support

• IP phones (SIP and SCCP) are supported

• QoS for Voice over IP (VoIP) is provided on the spoke routers; QoS with LLQ/shaping provides acceptable voice quality for links with more than 128 kbps upstream bandwidth, but 256 kbps or more is recommended

  Future improvements will allow QoS settings to be applied per security association on the hub

• Multicast support available

• Video can be supported

• Managed Wi-Fi support will be available with the deployment of the 871 router

Page 28:

End-to-End Deployment

Major Features and Components
Conventional Provisioning of CPE/Spoke Routers
Three Deployment Options in ECT
ZTD: Zero-Touch Deployment Overview
ZTD Secure Bootstrapping
ZTD Secure Policy Enforcement
ZTD of a Spoke Router: Step-by-Step
On-line Deployment Option (Cert-Proxy)
ZTD of IPT for Remote Access

Page 29:

End-to-End Deployment Major Features and Components

Feature: Benefit

• ZTD (Zero-Touch Deployment): Touchless/automated configuration of the remote device (router, IPT, Wi-Fi)
• SDM (Security Device Manager, formerly CRWS): Friendly GUI to configure the spoke router to gain Internet access
• SDP (Secure Device Provisioning, formerly EzSDD): Securely bootstraps spoke routers, including enrollment in the PKI CA, which establishes the management tunnel
• ISC (IP Solutions Center): Securely provisions and audits spoke routers
• IE2100 (Intelligence Engine 2100): CNS (Cisco Network Services) transport mechanism

Page 30:

Conventional Provisioning and Deployment of CPE/Spoke Routers

• In-house; router configured by IT

• Outsource to ISP; router configured at staging facility

• Outsource to 3rd party; router configured at staging facility or on-site

All Three Methods Add Excessive Cost to the Deployment Process!

Page 31:

ECT Offers Three Deployment Options

• ZTD: User is responsible for configuring the router for Internet access and running EzSDD (SDP); policy configurations are pushed over the CNS transport mechanism

• On-line (Cert-Proxy): Allows an engineer to configure the router remotely

• Off-line: Special cases/configurations and pilot environments

• Regardless of the deployment option, the spoke router provisioning process is automated to minimize TCO

Page 32:

ZTD Steps

ZTD is achieved in two steps:

1. Secure bootstrapping: access to the management servers

2. Secure policy enforcement: full access to internal network resources per enterprise guidelines

Page 33:

ZTD Secure Bootstrapping

• Secure bootstrapping involves configuring the router to connect to a management gateway; this bootstrap configuration includes:

  Internet connectivity

  IPSec management tunnel

  Bootstrap/management PKI certificate

  CNS (Cisco Network Services) agents
    The spoke router is the CNS client; the CNS agents are configured on the spoke router
    The IE2100 is the CNS engine
    IP Solutions Center (ISC) is the CNS server

Page 34:

ZTD Secure Policy Enforcement

• When ISC receives a cns.device.connect event for a spoke it will then push staged configlets to the spoke via the IE2100 CNS engine

• Policies are represented as configlets which are generated by service requests on the ISC

• Phase 1 policies: DMVPN-IPSec, firewall, QoS, NAT

• Future policies will include 802.1x, NAC, IPS, etc.

Page 35:

ZTD of a Spoke Router: Step-by-Step

1. User applies for the ECT service and, upon approval, orders their 831 router from CCO; templates and service requests (SRs) are auto-populated on ISC

2. Router is shipped to the user directly from the factory

3. User connects the spoke router at home and configures it to access the Internet via a friendly, intuitive GUI menu (originally CRWS, now SDM)

4. User authenticates an SSL session with the EzSDD registrar (now SDP) using an OTP; the router is enrolled in the certificate authority (CA) and a minimum configlet is pushed to the router to establish the management VPN tunnel and the CNS connection with the IE2100

5. IPSec tunnel to the management GW is established upon successful authentication using PKI-AAA

6. CNS agent in the router sends a connect event to the IE2100 (CNS engine), which notifies ISC (CNS server) that the spoke router is connected

7. ISC pushes all the policies (configlets): DMVPN, Cisco IOS® firewall, NAT, QoS, etc., and enrolls the router in the CA for data tunnel authentication

8. Data tunnels come up and the spoke router has primary and failover data connections to the corporate network
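The following is an added example, not from the original deck, of what the "minimum configlet" of step 4 amounts to: a bootstrap trustpoint, a point-to-point IPSec-protected tunnel to the management gateway, and the CNS agents that produce the connect event of step 6. All names, addresses and ports other than the CNS event port are assumptions.

```cisco
! Added example (not from the original deck). Hostname, domain, addresses,
! tunnel and trustpoint names are assumptions.
configure terminal
hostname ect-spoke-1
ip domain-name example.com
!
! Bootstrap/management certificate issued through the SDP registrar; the
! data-tunnel certificate is enrolled separately in step 7.
crypto pki trustpoint ECT-MGMT-CA
 enrollment url http://198.51.100.10:80
 revocation-check none
 auto-enroll 70
!
crypto isakmp policy 10
 encryption aes
 authentication rsa-sig
 group 2
crypto ipsec transform-set ECT-AES esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile ECT-MGMT
 set transform-set ECT-AES
!
! Management tunnel: a plain point-to-point tunnel, independent of the
! DMVPN data clouds, terminating on the management gateway's loopback.
interface Tunnel9
 description Management tunnel to MgmtGW
 ip address 10.250.0.11 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet1
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile ECT-MGMT
!
! The management subnet is reachable only through the management tunnel
ip route 10.10.1.0 255.255.255.0 Tunnel9
!
! CNS agents: the event agent registers with the IE2100, which publishes
! cns.device.connect for ISC; the partial-config agent receives the
! policy configlets ISC pushes in step 7; the exec agent accepts CLI.
cns id hostname
cns id hostname event
cns event 10.10.1.20 11011 keepalive 60 3
cns config partial 10.10.1.20 80
cns exec 80
!
! Management-plane hygiene: only the management subnet may log in, and
! only over SSH, so a home-LAN host cannot reach the CLI.
ip access-list standard MGMT-ONLY
 permit 10.10.1.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
end
!
show cns event connections
show cns config status
```

The reason the management tunnel gets its own trustpoint and its own tunnel interface is the point the deck keeps returning to: the engineer's path to the router, and the path ISC uses to push and audit policy, keeps working when a data hub is down or when the data-tunnel certificate has been revoked.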

[Diagram: the new spoke router has data tunnels to the primary VPN gateway and the failover VPN gateway and a management tunnel to the management VPN gateway; behind the gateways on the corporate network sit ISC, IE2100, the AAA servers and the CA servers]

Page 36:

On-Line Deployment (Cert-Proxy)

Cert-proxy is an ISC tool that allows ISC to authenticate and enroll in a Cisco IOS®-based CA on behalf of a router

• User configures the router to access the Internet

• Engineer pastes certificates and configuration required to bring up management VPN tunnel in user’s router

• The remaining configlets (policies) are pushed to the spoke router upon establishment of the management tunnel via the CNS connection

Page 37:

ZTD of IPT for Remote Access

1. User applies for the IPT service as part of their ECT service and, upon approval, orders their IP phone or installs IP Communicator (IPC); an additional instance of a phone is configured for the employee's Directory Number (DN) on the Cisco Call Manager (CM)

2. IPT device is shipped from the factory (if applicable)

3. ECT router is successfully configured and has established data tunnels; the user connects the IPT device to the ECT router

4. CNS agent on the router sends a cns.IPPhone.connect event when an IPT device is connected to the router

5. The cns.IPPhone.connect event includes the IPT MAC address, hostname, and IP address

6. The cns.IPPhone.connect event is published by the IE2100 CNS engine on the TIBCO bus (logical bus)

7. A Java agent listening for events on the TIBCO bus intercepts the cns.IPPhone.connect event and associates the MAC address information with the DN in the CM

8. A TFTP session is established, and configuration information is sent from the CM to the IPT device

Page 38:

End-to-End Management

ISC Basic Functionality

ISC Policy Management GUI

ISC CLI Commands/ACLs/Enable Secret Password Rotation Management GUI

IE2100 Basic Functionality

IE2100 Image Management GUI

IE2100 Log Management GUI

Enterprise Management Framework Integration

Page 39:

ISC Basic Functionality

IP Solution Center v3.2.x supports the following basic functions:

• Create, deploy, and audit policies: IPSec-DMVPN, QoS, CBAC firewall, NAT

• Create and deploy Velocity-based templates and instantiate them with data files to create configlets during deployment

• CLI commands/ACL/enable secret password management

• Communicates with the CNS engine over the TIBCO bus to push/pull policies: event-driven, schedule-driven, rapid deployment

• Supports an open XML/SOAP interface and northbound APIs, enabling integration with an existing enterprise management framework

• Supports fully managed service functionality to notify administrators of non-ISC-initiated configuration changes

Page 40:

ISC Policy Management GUI

Page 41:

ISC ACL/Enable Secret Management GUI

Page 42

IE2100: Basic Functionality

CNS Engine Supports the Following Basic Functions:

• Pull/push policies, CLI commands and populated templates

• Notifies all TIBCO subscribers of the events originating from the CNS agents, such as config_change, load, warning, etc.

• Generates and sends to all TIBCO subscribers two events on behalf of the CNS agents: connect and disconnect

• Performs Cisco IOS® image management

• v.1.5 provides a major enhancement: the ability to create and deploy “velocity-based” templates, instantiating the templates with data files to create configlets for deployment

• Provides capability to perform upgrades/updates based on schedule, event-driven, and rapid deployment

CNS Engine Supports the Following Main CNS Agents:

• Event Agent: Enables CNS management (sends connect, disconnect to ISC)

• Exec Agent: Allows remote application to send CLI commands to the router

• Partial Configuration Agent: Allows configlet pushes and notifies ISC of unauthorized configuration changes

• Image Agent: Enables image upgrades
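The two mechanisms described on slides 39 and 42 (templates instantiated with data files to produce configlets, and notification of configuration changes the management system did not initiate) can be modelled together. The following is an added example, not ISC, IE2100 or CNS code; it assumes Python's string.Template as a stand-in for Velocity, a constructed event format with device/type/configlet_id fields, and a SHA-256 prefix as the deployment fingerprint.

```python
"""Model of the ISC/IE2100 workflow on slides 39 and 42: a template plus a
per-device data file yields a configlet, and config_change events with no
matching deployment record are reported as non-ISC-initiated changes.
Added example, not ISC or CNS code; the template syntax, event fields and
fingerprint scheme are constructed assumptions."""
from string import Template
import hashlib

# Stand-in for a "velocity-based" template (string.Template is assumed here
# in place of Velocity); interface and address values are constructed.
DMVPN_SPOKE_TEMPLATE = Template("""\
interface Tunnel0
 ip address $tunnel_ip 255.255.255.0
 tunnel source $wan_if
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs $hub_ip
""")

def render_configlet(template: Template, data: dict) -> str:
    """Instantiate the template with a device's data file to get a configlet."""
    return template.substitute(data)

def configlet_id(configlet: str) -> str:
    """Fingerprint the management system records for each deployed configlet."""
    return hashlib.sha256(configlet.encode()).hexdigest()[:12]

def detect_unauthorized_changes(events: list, deployed: dict) -> list:
    """Alert on config_change events whose fingerprint the system never pushed
    to that device; connect/disconnect/load/warning events are passed over."""
    alerts = []
    for ev in events:
        if ev["type"] != "config_change":
            continue
        if ev["configlet_id"] not in deployed.get(ev["device"], set()):
            alerts.append(f"{ev['device']}: unauthorized change {ev['configlet_id']}")
    return alerts

def demo() -> list:
    """Deploy one configlet, then process a constructed CNS-style event stream."""
    data = {"tunnel_ip": "10.0.0.11", "wan_if": "FastEthernet4", "hub_ip": "10.0.0.1"}
    cfg = render_configlet(DMVPN_SPOKE_TEMPLATE, data)
    deployed = {"spoke-11": {configlet_id(cfg)}}
    events = [
        {"device": "spoke-11", "type": "connect"},
        {"device": "spoke-11", "type": "config_change", "configlet_id": configlet_id(cfg)},
        {"device": "spoke-11", "type": "config_change", "configlet_id": "deadbeef0000"},
        {"device": "spoke-11", "type": "disconnect"},
    ]
    return detect_unauthorized_changes(events, deployed)
```

Only the change whose fingerprint has no deployment record is reported; the pushed configlet's own config_change event is recognised as authorized.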

Page 43

IE2100 Image Management GUI

Page 44

IE2100 Log Management GUI

Page 45

Enterprise Management Framework Integration

EMAN Provisioning
User Zone: Auto-Populated from HR DB
Client Zone: From User’s Service Request
ISP Zone: IT RA Provisioning Controls This Zone

EMAN Operations
AAA Zone: IT RA Configures/Controls This Zone
Policies Zone: IT RA Configures/Controls This Zone
Operational Zone: IT RA Controls This Zone

Fields shown in the zone diagram (EMAN-populated fields were shown in red on the original slide):
User_ID: Create, Search, Show Provisioning Status (Approved, Not-Approved, Ordered, Cancelled, Deactivated)
ISP Service Type (xDSL, Cable, T1, etc.)
IP Address Type (Static, DHCP, PPPoE)
DNS1, DNS2
Subnet Mask
ISP Password
ISP Login Name
Static IP GW
Provider’s Device
SMG Hub, SDG Hub, Speed Service
Config. Change (Last 10)
Home Phone, Office Phone
Address, City, State, and Country
AA History: Search, Show
AAA Status: Create, View, Update, Enable, Disable
Enable Password (Last 10)
QoS Policy Name
DMVPN Policy Name
Auth-Proxy Policy Name
Split Tunneling Policy Name
NAT Policy Name
DHCP Policy Name
IKE/IPSec Policy Name
Firewall Policy Name
CNS Agent Status
Connect/Disconnect
Status: Waiting_to_Deploy/Deployed
Disable Service
Site Location
User Comments (Full-Time Telecommuter)
SMG CERT Serial #, SDG CERT Serial #
Connection Specifics (Modem, NAT, etc.)
Status (Operational, Connected, Disconnected, Cancelled)
Last Name, First Name, Emp. #, Manager
Router Type, Hostname
Cisco Call Manager
Approver
IP Address, Subnet Mask, mGRE IP
Location Information
Cisco IOS® Image, Config, IE2100

Page 46

Best Practices

• Start with limited pilot
  Become familiar with technology
  Understand information requirements and system flow

• Plan phased approach for new services

• Automate as much as possible for production process

• Select hub locations to optimize latency for most users

Page 47

Q and A

Page 48

More Networked Home/Access Resources

Case Studies: http://www.cisco.com/web/about/ciscoitatwork/case_studies.html

Call to get Product, Solution and Financing Information: 1-800-745-8308 ext 4699

Order Resources: http://cisco.com/en/US/ordering/index.shtml
