Copyright 2003 CCNA 4 Chapter 23 Virtual Private Networks By Your Name
Objectives
Describe VPN operation
Describe VPN implementation
Describe Cisco Systems VPNs
Describe tunneling
Describe Cisco's L2F implementation
Describe the end-to-end virtual dialup process
Describe highlights of the virtual dialup service
Types of VPNs
Three types of VPNs exist, aligned with how businesses and organizations use them:
–Access VPN (remote users and telecommuters dialing in to the corporate network)
–Intranet VPN (sites of the same organization linked over a shared network)
–Extranet VPN (partners, suppliers or customers given controlled access)
A Logical Topology View of a VPN
A Virtual Private Network
VPN Implementation
Security audit
Scope and application needs
Documentation
Security policy
The Cisco Systems VPN Design
Tunneling
–Passenger protocol
–Encapsulating protocol
–Carrier protocol
Cisco virtual dialup services
Cisco L2F implementation
End-to-end virtual dialup process
Tunneling
Tunneling involves three types of protocols:
Passenger protocol: the protocol being encapsulated.
–In a dialup scenario this might be PPP, SLIP, or a text dialog.
Encapsulating protocol: creates, maintains, and tears down the tunnel.
–Cisco supports several encapsulating protocols, including the L2F protocol, which is used for virtual dialup services.
Carrier protocol: carries the encapsulated protocol.
–IP is used as the carrier for L2F because of its robust routing, ubiquitous support across different media, and its deployment throughout the Internet.
–Note that L2F tunnels the passenger frames but does not encrypt them; confidentiality across the carrier network has to come from the passenger protocol or from an additional layer such as IPsec.
End-to-End Virtual Dialup Process
Remote user: the client dials in over ISDN or the Public Switched Telephone Network (PSTN).
Network access server (NAS): the device at the ISP that terminates the dialup calls over either analog (telephone) or digital (ISDN) circuits.
Internet service provider (ISP): the dialup services provider can provide service itself using a NAS, or can deliver the dialup remote user to a designated corporate gateway.
Corporate gateway: the destination router that provides access to the services the remote user requests. The corporate gateway could belong to a corporation or even to another ISP.
Cisco's L2F Implementation
Neither the remote system nor the corporate hosts should require special software to use this service in a secure manner.
Authentication is provided by dialup PPP, supporting the following:
–CHAP or PAP
–Terminal Access Controller Access Control System Plus (TACACS+)
–Remote Authentication Dial-In User Service (RADIUS)
–Smart cards and one-time passwords
–Authentication managed by the user's corporation, independent of the ISP
Addressing will be as manageable as in dedicated dialup solutions: the address is assigned by the remote user's own corporation, not by the ISP.
Authorization will be managed by the corporation for its remote users, as it would be in a direct dialup solution.
Accounting can be performed both by the ISP (for billing purposes) and by the corporation (for charge-back and auditing purposes).
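The three protocol roles from the Tunneling slide and the NAS-to-corporate-gateway forwarding described in the two slides above, worked through in code. This is an added example written for this page, not Cisco's implementation and not code from the slides. It assumes the L2F header layout of RFC 2341 section 4.1 (version 1, UDP port 1701, flag word F K P S ... C Ver, then Protocol, optional Sequence, Multiplex ID, Client ID, Length, optional Offset and Key), a constructed forwarding table keyed on the domain part of the PPP username, a constructed 32-bit tunnel key handed in directly instead of being derived from the CHAP exchange at tunnel setup, and a constructed LCP frame as the passenger. The IP header, LCP/CHAP negotiation and tunnel setup messages are not modelled.

```python
"""Toy L2F virtual-dialup walk-through (added example, not Cisco's code).

Passenger protocol  : a PPP frame from the dialup client (constructed sample)
Encapsulating proto : L2F, header layout per RFC 2341 sec 4.1 (assumption)
Carrier protocol    : IP; represented here by the UDP header L2F rides in
"""
import struct

L2F_UDP_PORT = 1701                  # UDP port L2F uses (assumption, RFC 2341)
L2F_VERSION = 1                      # Ver field value for L2F
PROTO_MGMT, PROTO_PPP, PROTO_SLIP = 0x00, 0x01, 0x02
# Bits of the first 16-bit word: F K P S 0000 0000 C Ver(3)
FLAG_F, FLAG_K, FLAG_P, FLAG_S, FLAG_C = 0x8000, 0x4000, 0x2000, 0x1000, 0x0008

# Constructed NAS forwarding table: domain -> (corporate gateway address, tunnel key)
TUNNEL_TABLE = {"corp.example.com": ("203.0.113.10", 0x5A5A1234)}

# Constructed passenger frame: PPP address/control, LCP, Configure-Request id 1, len 4
SAMPLE_PPP = b"\xff\x03\xc0\x21\x01\x01\x00\x04"


def nas_select_gateway(username):
    """NAS decision: forward to the corporate gateway named by the username's
    domain, or return None to terminate the call locally at the ISP."""
    if "@" not in username:
        return None
    _, domain = username.rsplit("@", 1)
    return TUNNEL_TABLE.get(domain.lower())


def l2f_encapsulate(ppp_frame, mid, cid, key=None, seq=None):
    """Wrap a passenger PPP frame in an L2F header; result is the UDP payload."""
    flags = L2F_VERSION
    seq_field = b""
    if seq is not None:
        flags |= FLAG_S
        seq_field = struct.pack(">B", seq & 0xFF)
    key_field = b""
    if key is not None:
        flags |= FLAG_K
        key_field = struct.pack(">I", key & 0xFFFFFFFF)
    length = 2 + 1 + len(seq_field) + 6 + len(key_field) + len(ppp_frame)
    return (struct.pack(">HB", flags, PROTO_PPP) + seq_field
            + struct.pack(">HHH", mid, cid, length) + key_field + ppp_frame)


def l2f_decapsulate(pkt, expected_key):
    """Corporate-gateway side: validate the L2F header and return
    (protocol, multiplex id, client id, sequence, passenger frame).
    Raises ValueError for anything a gateway should silently drop."""
    if len(pkt) < 10:
        raise ValueError("truncated L2F header")
    flags, proto = struct.unpack(">HB", pkt[:3])
    if flags & 0x7 != L2F_VERSION:
        raise ValueError("not L2F version 1")
    pos, seq = 3, None
    if flags & FLAG_S:
        seq, pos = pkt[pos], pos + 1
    mid, cid, length = struct.unpack(">HHH", pkt[pos:pos + 6])
    pos += 6
    if length != len(pkt):
        raise ValueError("length field does not match datagram")
    offset = 0
    if flags & FLAG_F:
        offset = struct.unpack(">H", pkt[pos:pos + 2])[0]
        pos += 2
    if flags & FLAG_K:
        key = struct.unpack(">I", pkt[pos:pos + 4])[0]
        pos += 4
        if key != expected_key:
            raise ValueError("tunnel key mismatch")      # spoofed or stale packet
    elif expected_key is not None:
        raise ValueError("unkeyed packet on a keyed tunnel")
    payload = pkt[pos + offset:]
    if flags & FLAG_C:
        payload = payload[:-2]      # trailing checksum present; not verified here
    return proto, mid, cid, seq, payload


def carrier_udp(src_port, payload):
    """Carrier protocol: UDP header of the IP datagram carrying the L2F packet.
    A zero UDP checksum is legal over IPv4 and keeps the example short."""
    return struct.pack(">HHHH", src_port, L2F_UDP_PORT, 8 + len(payload), 0) + payload


def virtual_dialup(username, ppp_frame):
    """Whole path: NAS decision -> L2F encapsulation -> UDP carrier -> gateway
    decapsulation. Returns the PPP frame as the corporate gateway sees it,
    or None when the ISP terminates the call itself (no tunnel)."""
    route = nas_select_gateway(username)
    if route is None:
        return None
    gateway, key = route
    l2f = l2f_encapsulate(ppp_frame, mid=0x0001, cid=0x0042, key=key, seq=7)
    datagram = carrier_udp(49152, l2f)
    # ... the datagram would travel inside an IP packet addressed to `gateway` ...
    proto, mid, cid, seq, frame = l2f_decapsulate(datagram[8:], expected_key=key)
    if proto != PROTO_PPP or (mid, cid, seq) != (1, 0x42, 7):
        raise ValueError("unexpected session identifiers")
    return frame


if __name__ == "__main__":
    print(virtual_dialup("alice@corp.example.com", SAMPLE_PPP).hex())
```

Two points a practitioner should take from the walk-through. First, nothing in the encapsulating layer hides the passenger frame: the PPP bytes, and with them the user's PAP password or CHAP response, cross the ISP and the Internet in the clear unless the passenger protocol or an outer layer such as IPsec encrypts them. Second, the Key field is the only thing tying a data packet to an authenticated tunnel, and it is a fixed 32-bit value per tunnel, so a gateway must drop unkeyed or wrongly keyed packets (as `l2f_decapsulate` does) and should still treat the key as a filter against stray traffic rather than as proof of origin.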
Remote User Establishes a PPP Connection
Steps Required for a Remote VPN Session
Highlights of Virtual Dialup Service
Authentication and security
Authorization
Address allocation
Accounting