Designing Virtual Private Networks: Designing Remote-Access VPNs (ARCH v1.2) © 2004 Cisco Systems, Inc. All rights reserved.
Remote-Access VPN Requirements
Connects remote users (telecommuters, mobile users, and partner staff) to the central site across a VPN
Requires high-density, low-bandwidth connections: many simultaneous tunnels, each carrying relatively little traffic, so the concentrator is sized by session count rather than by per-tunnel throughput
Typical Remote-Access VPN Network Design
Connects small or home offices to the central site
–Access: DSL, cable, dial-up
–Traffic: data, voice, and video
Tunneling
–IPSec
–GRE
–L2TP
GRE and L2TP only encapsulate: neither encrypts or authenticates the tunneled traffic, so over the Internet they are carried inside IPSec (for example L2TP over IPSec for clients whose operating system ships an L2TP client).
Placement of the VPN Concentrator (figure)
Remote-Access VPN Design Questions
Is remote-access (client-to-LAN) connectivity the main focus of the solution?
What operating systems will remote users use?
Which VPN tunneling protocol will be used in this solution?
What type of routing protocol will be used on the VPN concentrator to advertise the client address pool to the internal network?
How will user authentication be achieved in this solution (for example a local user database, an external RADIUS or TACACS+ server, one-time-password tokens, or digital certificates)?
Remote-Access Firewall Design Questions
Is there an existing firewall in the current Internet access network topology?
Is there a security policy that mandates how traffic to the Internet passes from the firewall private interface to the firewall public interface, and vice versa?
Is it feasible to use one or more firewall interfaces to create VPN perimeter LAN segments?
Are two firewall interfaces available to protect the public and private interfaces of the VPN concentrator?
If only one firewall interface is available, which concentrator interface (public or private) should this firewall perimeter LAN interface protect?
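The two-interface answer to the questions above, worked through as a policy model. This is an added example, not Cisco material: the addresses (RFC 5737 and RFC 1918 ranges), the client pool, the internal networks and the sample flows are all constructed. The public-side perimeter segment admits only IPSec control and data traffic (IKE on UDP 500, NAT Traversal on UDP 4500, ESP, AH) addressed to the concentrator itself; the private-side segment admits only decrypted traffic whose source is in the client address pool and whose destination is an internal network.

```python
"""Perimeter-LAN policy around a VPN concentrator (added example, not Cisco material).

One firewall interface faces the segment with the concentrator's public interface,
another faces the segment with its private interface. Everything below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500          # ISAKMP/IKE and IPSec NAT Traversal, both UDP

CONC_PUBLIC = ipaddress.ip_address("203.0.113.10")   # concentrator public interface (hypothetical)
CLIENT_POOL = ipaddress.ip_network("10.200.0.0/16")  # pool assigned to remote clients (hypothetical)
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # internal networks clients may reach (hypothetical)


@dataclass(frozen=True)
class Flow:
    iface: str                  # firewall interface the packet arrives on
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # transport port; None for ESP/AH, which carry none


def public_perimeter_permits(f: Flow) -> bool:
    """Internet -> concentrator public interface: IKE, NAT-T, ESP and AH only."""
    if ipaddress.ip_address(f.dst) != CONC_PUBLIC:
        return False              # nothing else on that segment is reachable from outside
    if f.proto == PROTO_UDP:
        return f.dport in (IKE_PORT, NAT_T_PORT)
    return f.proto in (PROTO_ESP, PROTO_AH)


def private_perimeter_permits(f: Flow) -> bool:
    """Concentrator private interface -> inside: decrypted client traffic only.

    The source must be a pool address (anything else is spoofed or misrouted) and the
    destination must be internal; a client reaching the Internet through the tunnel
    is not this segment's business.
    """
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return src in CLIENT_POOL and any(dst in net for net in INSIDE_NETS)


def decide(f: Flow) -> str:
    """Verdict for a new flow headed into one of the VPN perimeter segments."""
    if f.iface == "outside":
        return "permit" if public_perimeter_permits(f) else "deny"
    if f.iface == "vpn_private":
        return "permit" if private_perimeter_permits(f) else "deny"
    if f.iface == "inside":
        # inside hosts may only talk toward the client pool through this segment
        return "permit" if ipaddress.ip_address(f.dst) in CLIENT_POOL else "deny"
    return "deny"                 # any other interface or direction: default deny


# Constructed sample flows with the verdict each should receive.
SAMPLE_FLOWS = [
    (Flow("outside", "198.51.100.7", "203.0.113.10", PROTO_UDP, IKE_PORT), "permit"),  # IKE negotiation
    (Flow("outside", "198.51.100.7", "203.0.113.10", PROTO_ESP), "permit"),            # ESP data
    (Flow("outside", "198.51.100.7", "203.0.113.10", PROTO_TCP, 22), "deny"),          # SSH to the concentrator
    (Flow("outside", "198.51.100.7", "203.0.113.11", PROTO_UDP, IKE_PORT), "deny"),    # another host on the segment
    (Flow("vpn_private", "10.200.0.5", "10.1.1.20", PROTO_TCP, 443), "permit"),       # client to intranet server
    (Flow("vpn_private", "10.99.0.5", "10.1.1.20", PROTO_TCP, 443), "deny"),          # source outside the pool
    (Flow("vpn_private", "10.200.0.5", "192.0.2.9", PROTO_UDP, 53), "deny"),          # client toward the Internet
]


def audit() -> bool:
    """True when every sample flow receives its expected verdict."""
    return all(decide(f) == expected for f, expected in SAMPLE_FLOWS)


if __name__ == "__main__":
    for f, _ in SAMPLE_FLOWS:
        print(f"{f.iface:12} {f.src:>14} -> {f.dst:<14} proto={f.proto:<3} dport={f.dport}  {decide(f)}")
```

With a single spare firewall interface, the same model shows which side to protect: losing the public-side rules exposes the concentrator's management services to the Internet, while losing the private-side rules lets a spoofed or non-pool source reach internal hosts through the concentrator.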
Broadband Access Design Considerations
Key considerations:
–Persistent connections: an always-on host is exposed to the Internet continuously, not just for the duration of a dial-up session
–Shared medium: on cable access the neighborhood shares the segment, so traffic that is not encrypted can be observed by other subscribers
–Security: the home workstation becomes part of the corporate security perimeter
Protective measures:
–Use a password-protected screen saver.
–Use strong authentication methods.
–Use workstation encryption packages, optionally.
–Consider inactivity timeouts for tunnels.
–Consider split-tunneling restrictions and a personal firewall (hardware or software): with split tunneling, a compromised workstation has a direct Internet connection and a tunnel into the corporate network at the same time.
Remote-Access VPN Capacity Planning
Estimate the total number of users.
Estimate the number of concurrent users (peak simultaneous sessions size the concentrator, not the enrolled total).
Determine the current bandwidth of the ISP connection.
Estimate the required bandwidth for the ISP connection.
Identify the user connection method (dial-up, DSL, cable) and its per-session bandwidth.
Forecast VPN usage growth.
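The six planning steps carried through as one calculation. This is an added example, not Cisco material, and the user population, concurrency ratios, per-session bandwidths, headroom and growth rate are constructed figures; the point is the shape of the estimate (sessions drive the concentrator choice, the busier direction plus headroom drives the ISP link, and the forecast is re-run on the grown population), not the numbers.

```python
"""Remote-access VPN capacity planning (added example, not Cisco material).

Total users per connection method -> concurrent sessions -> busy-hour load per
direction on the ISP link -> required link size -> growth forecast.
All user classes and numbers below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class UserClass:
    method: str           # connection method: dial-up, DSL, cable
    users: int            # total enrolled users connecting this way
    concurrency: float    # fraction of them logged in during the busy hour
    to_user_kbps: int     # per-session traffic from the central site toward the user
    from_user_kbps: int   # per-session traffic from the user toward the central site


def sessions(c: UserClass) -> int:
    return math.ceil(c.users * c.concurrency)


def concurrent_sessions(classes: List[UserClass]) -> int:
    """Peak simultaneous tunnels; this number, not the enrolled total, sizes the concentrator."""
    return sum(sessions(c) for c in classes)


def busy_hour_kbps(classes: List[UserClass]) -> Dict[str, int]:
    """Aggregate busy-hour load on the central-site ISP link, per direction."""
    return {
        "to_users": sum(sessions(c) * c.to_user_kbps for c in classes),
        "from_users": sum(sessions(c) * c.from_user_kbps for c in classes),
    }


def required_isp_kbps(classes: List[UserClass], headroom_pct: int = 30) -> int:
    """Size a symmetric ISP link for the busier direction plus headroom for bursts."""
    busiest = max(busy_hour_kbps(classes).values())
    return math.ceil(busiest * (100 + headroom_pct) / 100)


def grow(classes: List[UserClass], annual_growth: float, years: int) -> List[UserClass]:
    """Forecast: compound each class's user count; per-user behaviour is assumed unchanged."""
    factor = (1 + annual_growth) ** years
    return [UserClass(c.method, round(c.users * factor), c.concurrency,
                      c.to_user_kbps, c.from_user_kbps) for c in classes]


def plan(classes: List[UserClass], current_isp_kbps: int,
         annual_growth: float, years: int) -> Dict[str, object]:
    """Compare today's and the forecast requirement against the existing ISP link."""
    later = grow(classes, annual_growth, years)
    return {
        "sessions_now": concurrent_sessions(classes),
        "sessions_later": concurrent_sessions(later),
        "isp_kbps_now": required_isp_kbps(classes),
        "isp_kbps_later": required_isp_kbps(later),
        "isp_upgrade_needed": required_isp_kbps(later) > current_isp_kbps,
    }


# Constructed user population (hypothetical figures).
SAMPLE = [
    UserClass("dial-up", 100, 0.10, 40, 20),
    UserClass("DSL", 400, 0.25, 256, 96),
    UserClass("cable", 300, 0.30, 512, 128),
]

if __name__ == "__main__":
    for key, value in plan(SAMPLE, current_isp_kbps=100_000, annual_growth=0.20, years=3).items():
        print(f"{key:20} {value}")
```

Note that the direction that dominates the central-site link is traffic toward the users (downloads, file shares, application screens), which is the concentrator's transmit direction; sizing only on what the clients send understates the link.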
Network Address Translation Issues
NAT translates between internal (non-registered, private) and external (registered, globally routable) addresses.
PAT uses port numbers to map many internal addresses to one external address.
On the inside-to-outside path, routing occurs before NAT, so the routing decision is made on the untranslated inside address.
To implement NAT for remote-access VPNs:
–Use NAT statically or dynamically.
–Mix IPSec and NAT functions carefully: AH includes the outer IP addresses in its integrity check, so any address rewrite invalidates an AH packet; ESP survives one-to-one NAT because its integrity check stops at the ESP header, but PAT has no port field to rewrite in ESP (IP protocol 50), so clients behind the same PAT device collide unless ESP is encapsulated in UDP (NAT Traversal, UDP port 4500).
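The three interactions named above (AH under address rewriting, ESP under one-to-one NAT, ESP under PAT with and without NAT Traversal) demonstrated on a toy packet model. This is an added example, not Cisco material or any IPSec implementation: HMAC-SHA256 stands in for the integrity algorithm, the AH and ESP headers are reduced to an SPI, and the keys and addresses are constructed. Real AH additionally zeroes mutable header fields (TTL, checksum) before computing its ICV, which does not change the outcome shown here.

```python
"""Why IPSec and NAT must be mixed carefully (added example, not Cisco material).

Toy model: AH's integrity check covers the outer IP header's immutable fields
(src, dst, protocol) plus the payload; ESP's covers only the ESP header and
payload. Keys and addresses are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
NAT_T_PORT = 4500                    # IPSec NAT Traversal: ESP carried inside UDP/4500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes
    spi: int = 0                     # security association selector from the AH/ESP header
    sport: Optional[int] = None      # transport ports exist only for UDP/TCP
    dport: Optional[int] = None
    icv: bytes = b""                 # integrity check value


def _mac(key: bytes, *parts) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
    return h.digest()


def ah_protect(key: bytes, pkt: Packet) -> Packet:
    """AH: src, dst and protocol of the outer IP header are inside the ICV."""
    p = replace(pkt, proto=PROTO_AH)
    return replace(p, icv=_mac(key, p.src, p.dst, p.proto, p.spi, p.payload))


def ah_verify(key: bytes, pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _mac(key, pkt.src, pkt.dst, pkt.proto, pkt.spi, pkt.payload))


def esp_protect(key: bytes, pkt: Packet) -> Packet:
    """ESP: the ICV covers the ESP header and (encrypted) payload, never the IP header."""
    return replace(pkt, proto=PROTO_ESP, icv=_mac(key, pkt.spi, pkt.payload))


def esp_verify(key: bytes, pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _mac(key, pkt.spi, pkt.payload))


def static_nat(pkt: Packet, public_ip: str) -> Packet:
    """One-to-one NAT on the outbound path rewrites only the source address."""
    return replace(pkt, src=public_ip)


class PAT:
    """Many-to-one translation keyed on (protocol, inside address, inside port)."""

    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Tuple[int, str, int], int] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # ESP (50) and AH (51) sit directly on IP: no port to rewrite, so two inside
            # hosts' tunnels could not be told apart on the return path.
            raise ValueError("PAT cannot map IP protocol %d: no transport port" % pkt.proto)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.table[key])


def nat_t_encapsulate(esp_pkt: Packet, sport: int = NAT_T_PORT) -> Packet:
    """NAT-T wraps the ESP packet in UDP/4500; the ESP header and ICV travel unchanged inside."""
    return replace(esp_pkt, proto=PROTO_UDP, sport=sport, dport=NAT_T_PORT)


def ah_under_nat(key: bytes) -> bool:
    """Does an AH packet still verify after its source address was translated?"""
    pkt = ah_protect(key, Packet("10.0.0.5", "203.0.113.10", 0, b"hello", spi=0x100))
    return ah_verify(key, static_nat(pkt, "198.51.100.7"))


def esp_under_nat(key: bytes) -> bool:
    """Same question for ESP under one-to-one NAT."""
    pkt = esp_protect(key, Packet("10.0.0.5", "203.0.113.10", 0, b"hello", spi=0x200))
    return esp_verify(key, static_nat(pkt, "198.51.100.7"))


def esp_under_pat(key: bytes, with_nat_t: bool) -> Optional[Tuple[int, ...]]:
    """Two clients behind one PAT device: their public source ports, or None if PAT refused."""
    pat = PAT("198.51.100.7")
    ports = []
    for client in ("10.0.0.5", "10.0.0.6"):
        pkt = esp_protect(key, Packet(client, "203.0.113.10", 0, b"data from " + client.encode(), spi=0x300))
        if with_nat_t:
            pkt = nat_t_encapsulate(pkt)
        try:
            out = pat.translate_out(pkt)
        except ValueError:
            return None
        if not esp_verify(key, out):
            raise RuntimeError("ESP integrity broken by translation")
        ports.append(out.sport)
    return tuple(ports)


if __name__ == "__main__":
    key = b"constructed-example-key"
    print("AH verifies after NAT:        ", ah_under_nat(key))
    print("ESP verifies after NAT:       ", esp_under_nat(key))
    print("ESP through PAT, no NAT-T:    ", esp_under_pat(key, with_nat_t=False))
    print("ESP through PAT with NAT-T:   ", esp_under_pat(key, with_nat_t=True))
```

The practical design rule that follows: do not rely on AH where any translation sits on the path, place the concentrator so that client traffic is not translated by the corporate firewall before decryption, and enable NAT Traversal (or the vendor's UDP/TCP encapsulation) for clients that sit behind home routers doing PAT.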
VPN Split-Tunnel Communication (figure): with split tunneling, only traffic for corporate destinations enters the tunnel; all other traffic leaves the client directly to the Internet.
Example: Small Remote-Access VPN (figure)
Example: Large Remote-Access VPN (figure)
Summary
Remote-access VPNs typically begin as a replacement for traditional remote-access (dial-in) servers.
As high-speed Internet access and broadband connectivity emerge as cost-effective choices for consumers and businesses, the VPN becomes more strategic.
To design a remote-access VPN, first determine the primary applications and requirements for the system.
Select a VPN concentrator for a remote-access VPN based on current and future capacity projections.
NAT in combination with IPSec presents issues for the remote-access VPN.
Remote-access VPNs can be implemented in any network, from a small company to a large enterprise environment.
Learning Activities
Case Study: OCSIC Bottling Company
–Design a site-to-site VPN solution between the headquarters and each international plant
–Design a remote-access VPN solution for U.S.-based telecommuters to the headquarters location
–Provide justification for each design decision
OPNET IT Guru Simulation
–View the instructor demonstration and consider the key design questions