3 Com Technical Papers

Private Use of Public Networks for Enterprise Customers

New Standards-Based Virtual Private Networks Offer Cost Savings and Business Opportunities

Contents

Why Enterprises Need VPNs
What Is a VPN?
VPN Benefits
  Cost Savings
  Easy Scalability
  Support for Ad-Hoc Business Relationships
  Full Control
Enterprise VPN Applications
  Global Internet Access
  Dial Access Outsourcing
  Virtual Leased Lines for Branch Office Connectivity
How VPNs Work
VPN Protocols
VPN Security
  Microsoft Point-to-Point Encryption (MPPE)
  IP Security (IPsec)
  Tunnel Switching: Improved Security and More Flexible VPN Applications
VPN Management
3Com VPN Solutions
  3Com Solutions for Enterprises
Conclusion

Acronyms and Abbreviations

AAL  ATM adaptation layer
CHAP  Challenge Handshake Authentication Protocol
IPsec  IP Security
ISAKMP  Internet Security Association and Key Management Protocol
ISDN  Integrated Services Digital Network
ISP  Internet service provider
L2F  Layer 2 Forwarding
L2TP  Layer 2 Tunneling Protocol
MPPE  Microsoft Point-to-Point Encryption
NSP  network service provider
POP  point of presence
PPP  Point-to-Point Protocol
PPTP  Point-to-Point Tunneling Protocol
PSTN  public switched telephone network
QoS  Quality of Service
RADIUS  Remote Authentication Dial-In User Service
SMDS  Switched Multimegabit Data Service
TI  tunnel initiator
TT  tunnel terminator
VLAN  virtual LAN
VLL  virtual leased line
VPN  virtual private network
VTP  Virtual Tunneling Protocol
xDSL  digital subscriber line (any variant)

Virtual private networks (VPNs) offer cost-effective solutions to some of today's most critical networking challenges. Enterprises need a more affordable, scalable way to meet the demands of a growing community of remote users and to manage branch office connectivity. They need to be able to accommodate the pace and unpredictability of business by linking customers and partners into extranets on an ad-hoc basis. And they need to be able to provide all of this access to networked resources, including legacy systems and enterprise protocols, without compromising security.

The benefits of VPNs include the opportunity to save 50 percent or more in the cost of handling network growth, of linking in newly acquired business units, and of supporting ad-hoc business relationships. Companies can get all these benefits while retaining central control over security and management of adds, moves, and changes.

This paper describes how VPNs cut costs and increase strategic flexibility. It describes and diagrams some of the most popular VPN applications. It explains the underlying tunneling technology, including system components and industry standards for tunneling and tunnel-based security. It introduces tunnel switching and the advantages it offers for increased enterprise network security, more flexible access to network resources behind firewalls, and more flexible service-level handling of tunneled traffic. The paper closes by discussing 3Com VPN solutions and their advantages.

Why Enterprises Need VPNs

Industry analysts predict that by 1999, 80 percent of corporate workers will have at least one mobile computing device.[1] IT organizations everywhere are struggling to meet this ballooning demand for remote connectivity and to deal with the resulting increases in network complexity and end-user support costs.

At the same time, IT must support growing branch office connectivity. Particularly in organizations growing through acquisition or merger, the ability to rapidly integrate separate and frequently incompatible infrastructures can be critical to the success of business relationships. In addition, there is the emerging requirement to deploy extranets that support unpredictable relationships with customers and business partners. IT also has to cope with the plethora of management and security issues these connections entail.

Virtual private networks offer solutions to these dilemmas. They provide enterprises with a number of ways to achieve substantial and immediate remote access and branch connectivity cost reductions by taking advantage of the networking infrastructures and services of Internet service providers (ISPs) and other network service providers (NSPs). VPNs offer a cost-effective, scalable, flexible, manageable, and secure means of remote access and branch office connectivity. VPNs also offer tremendously increased strategic flexibility, which can lead to additional cost savings and potentially important business advantages.

Enterprises deploying VPNs will have an increasing range of VPN-based services to choose from. Infonetics Research predicts that the VPN market will grow at more than 100 percent per year through 2001, when it will reach nearly $12 billion.[2] They report that 92 percent of large ISPs and 60 percent of all ISPs plan to offer value-added VPN services by mid-1998.

What Is a VPN?

A VPN is a connection that has the appearance and many of the advantages of a dedicated link but occurs over a shared network. Using a technique called "tunneling," data packets are transmitted across a public routed network, such as the Internet or another commercially available network, in a private "tunnel" that simulates a point-to-point connection. This approach enables network traffic from many sources to travel via separate tunnels across the same infrastructure. It allows network protocols to traverse incompatible infrastructures. It also enables traffic from many sources to be differentiated, so that it can be directed to specific destinations and receive specific levels of service. Note that tunneling by itself only encapsulates; the confidentiality and integrity of what travels in the tunnel come from the security protocols applied to it, described under "VPN Security" below.

The basic components of a tunnel are:
• A tunnel initiator (TI)
• A routed network
• An optional tunnel switch
• One or more tunnel terminators (TT)

Tunnel initiation and termination can be performed by a variety of network devices and software (Figure 1). A tunnel could be started, for example, by an end user's laptop equipped with an analog PC card and VPN-enabled dial-up software (basic tunneling and security capabilities are bundled into Windows 95 and Windows NT 4.0). It could also be started by a VPN-enabled extranet router on an enterprise branch or home office LAN, or by a VPN-enabled access concentrator at a network service provider point of presence (POP). A tunnel could be ended by a tunnel terminator or switch on an enterprise network or by a VPN gateway on an NSP's network.

In addition, there will usually be one or more security servers. Along with the conventional application of firewalls and address translation, VPNs can provide for data encryption, authentication, and authorization. Tunneling devices perform these functions by communicating with security servers. Such servers also usually provide information on tunnel end points and, in some cases, network policy information and service levels.

VPN capabilities can be added to existing networking equipment through a software or board-level upgrade. Once installed, the capability can be used for multiple VPN applications, each delivering substantial cost and/or revenue benefits.

VPN Benefits

Cost Savings

VPNs offer cost savings in the areas of communications charges, remote user support, and equipment.

• Communications costs (leased line tariffs, long-distance charges). Connecting two computers over long distances using the Internet can yield substantial savings over today's dedicated leased lines and Frame Relay networks. The Internet is also less expensive than long-distance direct modem or ISDN calls. VPNs are money-savers because they enable remote users to make local calls to an ISP, which are then tunneled to a VPN device on the destination network.

[1] "Internet Remote Access," Network Strategy Service, The Forrester Report, vol. 10, no. 8, July 1996.
[2] "Virtual Private Networks," Infonetics Research, 1997.

Figure 1. VPN Components. Tunnel initiators: dial-up software on an end user laptop; extranet router on a branch LAN; access concentrator at an NSP POP. Shared routed network. Tunnel terminators: tunnel termination device or tunnel switch on the enterprise network; VPN gateway on the NSP network.

Users have the same experience as if they had dialed directly into the network, typically at half the cost of the most economical 800 number.

Branch offices can use VPNs to replace dedicated leased lines to company headquarters or to other branches. The branch LAN is connected to a business-class NSP, which tunnels traffic from LAN users over the Internet or over its own network backbone to a LAN in another part of the user's enterprise. Branch users are still able to access the corporate network in the usual way, and the company saves money. The savings come not only from taking advantage of a shared network for long-distance transport but also because one WAN interface can be used for branch access to both the enterprise network and the Internet.

• Remote user support. In many companies, while a minority of network users are remote, they consume a majority of network support time. IT must support dial-in users with varying technical abilities and with equipment ranging from analog modems and ISDN terminal adapters to new cable modems and digital subscriber line (xDSL) connections. In addition, technical staff must either be located at branches or provide support remotely. Many companies can achieve substantial cost savings by shifting these support responsibilities from overburdened IT groups to the dedicated help desks of NSPs.

• Equipment installation, maintenance, and obsolescence. VPNs enable enterprises to save WAN equipment installation and maintenance costs, since a single WAN interface can serve multiple purposes. Companies can eliminate or reduce modem pools in favor of receiving dial-up traffic over an existing or augmented Internet connection. The same Internet connection can also support LAN-to-LAN branch internetworking as well as business-to-business links with customers and partners. And with less capital equipment, companies also lower their exposure to obsolescence.

Easy Scalability

VPNs offer immediate scalability with minimal effort. Enterprises can expand the capacity and reach of their network simply by setting up an account with a new NSP or expanding their agreement with an existing provider. In addition, installing VPN capabilities in remote offices is typically a simple task that does not require a technical specialist on site. A few simple commands should configure an extranet router for both Internet and VPN connectivity, and workstations can get their configuration automatically from the router.

Easy scalability allows agile responses to organizational change and market demands. A company completing an acquisition, for example, could link a dozen new branches into its network and add support for thousands of mobile users within just days, compared to the weeks or even months it could take to get leased lines or circuits installed. In addition, VPNs allow companies to link international locations into the network affordably while avoiding the complexities and delays associated with setting up Frame Relay circuits across borders.

Support for Ad-Hoc Business Relationships

Partnering is essential in many markets today, and the ability to move rapidly to mobilize combined forces can determine success. With VPNs, partners can implement new business relationships immediately. There is no need to delay collaboration while counterparts in the two IT organizations negotiate setup of leased lines or Frame Relay circuits. Connections can be made on an ad-hoc basis with any company that is on the Internet.

Full Control

VPNs allow corporations to leverage the facilities and services of NSPs while continuing to exercise full control over their network. For example, companies can outsource dial access while retaining responsibility for user authentication, access privileges, network addressing, security, and management of network changes.

Enterprise VPN Applications

There are numerous ways in which enterprises can gain efficiency, cost, and security benefits. Following are three examples.

Figure 2. Global Internet Access. Enterprise central site: Internet access router/switch, firewall, security server. NSP providing Internet access. Remote users: mobile or telecommuting user running VPN-enabled dial-up software over an analog modem or ISDN terminal adapter. Authorized business partner: partner's existing Internet access router and a VPN-enabled NIC.

Global Internet Access

Enterprises that use VPNs to replace or augment dedicated dial-up facilities with Internet-based dial-up (see Figure 2) can reduce both line charges and equipment costs. In fact, total operating cost savings can reach 60 percent or better.

VPNs enable remote users to access the corporate network by making a local, normally unmetered call to an NSP. The traffic is then tunneled over the NSP's network to the enterprise's Internet gateway and onto the corporate network. The NSP is not aware that the data is being tunneled and does not perform tunnel management tasks.

The remote user is virtually plugged into the corporate network at the point where the tunnel terminates. The exact location will vary depending on the type of firewall being used. In the case of a single firewall configuration, the "plug-in" point will be the enterprise Internet access router where the firewall is deployed. In the case of a double firewall configuration, the plug-in point will usually be the "demilitarized zone" (DMZ), which is the network segment between external and internal firewalls. In either case, the remote user will have access only to those network resources that have points of connection at the network edge.

Enterprises can use VPNs to offer traveling employees "global local access." By choosing an NSP with a global presence or setting up corporate accounts with several NSPs, companies can ensure that wherever their people travel, they can get onto the corporate network by making a local call.

Global Internet access can also be used to provide customers and business partners with secure access to extranet resources. In most cases, since users in these organizations will already be connected to the Internet, giving them the VPN capability necessary to access the extranet simply involves upgrading desktop networking software or activating features in existing software.

In this type of VPN, tunnels can be started by a LAN-based or dial-up VPN client using the VPN capabilities in Windows 95 or Windows NT Dial-Up Networking, or special VPN software or a modem card. A tunnel termination device or tunnel switch at the firewall at headquarters or another central location ends the tunnel. The company can control user authorization and other security functions from the central location. Built-in security features (see "VPN Security" below) work with the enterprise firewall to ensure user authentication, privacy, and data integrity.

Figure 3. Tunnel Switching. Internet; tunnel switch at the firewall (only the tunneling protocol passes through the firewall); new tunnel to a tunnel terminator on the internal network, where the remote user is virtually plugged in.

Optional tunnel switching can be used with global Internet access to increase security and flexibility (Figure 3). In this case, a tunnel switch at the enterprise extranet router or in the DMZ ends the incoming tunnel and starts a new tunnel to a tunnel termination device on the internal network. The remote user is thus virtually plugged into the network inside of the firewall, where more network resources are available (Figure 4). There are several advantages:

• Multiple applications can be supported without having to open up multiple holes through the firewall. Tunnel switching can eliminate the need to put special application servers in the DMZ between the external and internal firewalls. Tunnels can carry network traffic for a wide variety of IP applications (FTP, Telnet, etc.) safely across the firewall to internal servers. Since the protocols for these applications are encapsulated, a hole needs to be opened in the firewall only for the tunneling protocol. The corollary is that the firewall can no longer see or filter the encapsulated application traffic: the tunnel switch and the internal tunnel terminators become the enforcement points, and their authorization and filtering policy must be as strict as the firewall rules they replace.

• Traffic from partners and customers can be segregated from remote employee traffic. Tunnel switching enables tunnels coming in from different types of users over the same Internet interface to be terminated at different locations where different security policies can be applied. Network managers can easily view and control extranet activity and rapidly make adds and changes to accommodate new business relationships.

• Remote users can access legacy network protocols and systems. Tunnel switching can provide safe Internet-based access to networks such as SNA, Novell NetWare, and AppleTalk, and the applications running over them. Frequently these protocols are not available in the DMZ.

• Organizational divisions can share an Internet interface while controlling their own user authorization and access policies. In a large organization that has various divisions (a state government, for example), these divisions can enjoy economies of scale from sharing one high-speed Internet connection, without relinquishing control over their own piece of the network. A tunnel switch can create tunnels that direct traffic to separate tunnel termination devices on each division's LAN. Remote users are virtually plugged into these network segments, and the division can control network access privileges in its own way.

Figure 4. Enterprise Tunnel Switching Application. Internet; exterior firewall; tunnel switch and security server in the DMZ; interior firewall; tunnel terminators on internal servers (SAP application access; WAN IPX and SNA access; division network access for business partners; FTP services for customers); enterprise internal network.

• Companies can make optimal use of IP address space. Tunnel switching enables VPN traffic to be terminated inside the network, where more address space is available than is usually the case in the DMZ. Companies can use their own internal addressing schemes for tunnel end points, and these addresses are invisible to the NSP providing the Internet VPN service. (Hiding internal addresses reduces what an outside observer learns about the network; it is not a substitute for authentication and encryption on the tunnel.)

• Remote users can function as members of virtual LANs (VLANs). VLANs improve network efficiency by directing traffic only to where it needs to go, and they simplify user moves and changes. But where VPNs are used without tunnel switching, all incoming traffic has to be assigned to the same VLAN. This is because VLAN assignment is usually based on the hub port the user is plugged into. With VPNs, remote users accessing the network through a tunnel are virtually plugged into the same port as whatever device is terminating the tunnel. With tunnel switching, however, tunnel traffic can be forwarded to TTs at different locations, enabling users to be virtually plugged into the network through different ports and thus to be members of different VLANs.

Benefits: Global Internet Access
• Cut long-distance charges in half and overall remote access costs by even more
• Reduce capital and maintenance costs by replacing modem banks with a single Internet connection
• Enable remote employees to access the corporate network over their existing Internet connection
• Offer traveling employees worldwide local dial access to the corporate network
• Rapidly establish secure extranet connections for ad-hoc business relationships
• Retain central control of security, firewalling, IP address management, and service offerings

Additional Benefits with Tunnel Switching
• Increase access to network applications and resources without compromising the security perimeter
• Differentiate and manage various types of tunneled traffic coming in over the same Internet connection
• Increase network scalability
• Allow organizational divisions to share the same WAN interface while enforcing separate network access policies
• Increase addressing flexibility
• Combine the advantages of VPNs and VLANs

Figure 5. Dial Access Outsourcing. Enterprise central site: security server, tunnel switch in the DMZ, tunnel terminator on an internal network server (the last point where user information is available), internal network. NSP: POPs with PSTN access concentrators, security server, NSP IP backbone and Internet. Remote employees or branches: mobile or telecommuting user; branch LAN.

Dial Access Outsourcing

Companies that outsource remote access to an NSP can reduce not only communications charges (tariffs, long-distance charges, etc.) and equipment costs, but end-user support costs as well (Figure 5). They can let their NSP take on those responsibilities as part of a package of VPN services.

The advantage to mobile users and telecommuters is that they do not need to have tunneling-enabled networking software; they simply dial in to the local NSP in the conventional way. A VPN is created from the NSP's POP to the appropriate enterprise customer and, in some cases, given specific handling based on a service level agreement.

In this type of VPN, an access concentrator at the NSP's POP starts the tunnel. A tunnel termination device or tunnel switch at the enterprise DMZ ends the tunnel. Tunnel switching can be used in any of the ways described above under "Global Internet Access" to achieve additional benefits, including secure access to multiple applications and protocols across the firewall and the ability to differentiate and apply appropriate security to tunneled traffic coming in over the same Internet interface from employees, customers, and partners.

Because the tunnel begins at the NSP's access concentrator rather than on the user's machine, the dial-up leg from the user to the POP lies outside the tunnel: the NSP's equipment sees the user's PPP authentication exchange and, unless the traffic is encrypted end to end, the user's data. Outsourced dial access is therefore a trust relationship with the NSP as much as a cost decision.

Whether or not switches are used, because the tunnel is being terminated at the enterprise network, the corporation can continue to control user authorization and other security functions independently of the NSP. (Tunnel termination is the last point where information about the end user, necessary for performing authorization and applying privileges and policies, is available.)

Even companies that are not using a VPN-enabled device to connect to their NSP can take advantage of VPN services (Figure 6). A gateway at the edge of the NSP's network terminates the tunnel and forwards the traffic over a Frame Relay circuit to the enterprise network. In this case, the NSP needs to be able to access or mirror the corporation's network policy server, since its tunnel termination device (the last point where user information is available) must perform authorization functions. The enterprise, of course, continues to control network access for all users at the firewall.

Benefits: Dial Access Outsourcing
• Cut long-distance charges in half and overall remote access costs by even more
• Replace modem banks with a single Internet connection
• Reduce end-user support costs
• Enable remote employees to access the corporate network over their existing Internet connection without the need for special networking software
• Offer traveling employees worldwide local dial access to the corporate network and superior performance (bandwidth, throughput, speed)
• Rapidly establish secure extranet connections for ad-hoc business relationships
• Retain central control of security, firewalling, IP address management, and service offerings

Additional Benefits with Tunnel Switching
• Increase access to network applications and resources without compromising the firewall
• Differentiate and manage various types of tunneled traffic coming in over the same Internet connection
• Increase network scalability
• Allow organizational divisions to share the same WAN interface while enforcing separate network access policies
• Increase addressing flexibility
• Combine the advantages of VPNs and VLANs

Figure 6. Dial Access Outsourcing with VPN Frame Relay Gateway. Enterprise network: RADIUS server, network server (the last point where user information is available), router to the NSP's Frame Relay service. NSP network: RADIUS server, PSTN access concentrators at POPs, VPN Frame Relay gateway, legacy Frame Relay POPs, Internet and NSP IP backbone. Remote employees or branches: mobile or telecommuting user; branch LAN.

Virtual Leased Lines for Branch Office Connectivity

Companies that connect branches with virtual leased lines (VLLs) can typically save 50 to 75 percent over the cost of dedicated lines (see Figure 7) while gaining the strategic advantage of being able to link in new branches without delay. VLLs reduce communications charges by replacing long-distance links with a connection to a local NSP. Equipment and administration costs are also reduced, since a single connection to a local NSP can provide access to both the corporate network and the Internet. As a result of these cost savings, VLLs make a fully meshed network, with its performance and redundancy advantages, affordable for most companies. And, like a leased-line mesh network, a VLL mesh network can incorporate preprogrammed alternative routing paths around busy or out-of-service routers.

Companies can purchase VLLs as a turnkey service from an NSP, or they can install and maintain their own equipment, using the NSP only for transport. For companies that decide to do it on their own, the installation process is still very simple; it involves setting up an account with an NSP and performing mostly automated remote configuration tasks on the router.

Figure 7. Virtual Leased Lines. Enterprise central site: Internet access router or tunnel switch, tunnel terminator at the enterprise firewall, security server, network server. NSP providing IP service (the NSP's IP network or the Internet) with POPs. Branches: VPN-enabled branch extranet routers.

In this type of VPN, an access router at the branch office starts the tunnel. A tunnel terminator device or tunnel switch at a central enterprise DMZ ends the tunnel. The connection used at the branch can be any permanent or dial-on-demand link that meets the bandwidth requirements of that location. In this respect, VLLs offer much more flexibility than direct Frame Relay or ISDN connections, which require all end points to be the same.

If the incoming Internet tunnel is terminated with a tunnel switch, a new secure tunnel can be established to a tunnel terminator on the internal network (Figure 8). Tunnel switches enable VLLs to support traffic between legacy LANs without having to put support for protocols such as IPX on the portion of the network that connects to the public Internet. (They shift the virtual LAN-to-LAN connection point inside the firewall.) Tunnel switching can also facilitate branch access to applications that are available only over legacy network protocols, as well as to those for which restrictions are being enforced at the firewall. In addition, switches enable employees transferred to or working temporarily at branch offices to remain members of VLANs.

Benefits: Virtual Leased Lines
• Reduce branch office connection costs by more than half
• Enable branches to access the corporate network and the Internet from a single connection to a local NSP
• Connect new branches rapidly by purchasing a turnkey service or by (non-expert) self-installation
• Enable branches to choose network access devices that meet their particular bandwidth requirements
• Support multiprotocol LAN-to-LAN connections
• Selectively retain central control of security, firewalling, IP address management, and service offerings, or outsource to the NSP
• Provide enterprise IT managers with self-provisioning VPN tools

Additional Benefits with Tunnel Switching
• Support multiprotocol connections, including legacy protocols, without putting interfaces on the part of the network that connects to the Internet
• Increase branch access to network applications without compromising the firewall

Figure 8. Virtual Leased Lines with Tunnel Switching. Branch: VPN-enabled branch extranet router. Internet or the NSP's IP network. Enterprise: tunnel switch at the enterprise firewall, VPN security server, internal VPN across the enterprise WAN to a tunnel terminator on an internal server (IPX, SNA access).

Enterprises can take advantage of any number of these VPN applications through a single WAN connection. In many cases, all that is required is a simple upgrade to existing network access devices.

How VPNs Work

There is nothing exotic about VPNs. They are based on familiar networking technology and protocols (Figure 9). The effect of VPNs is like that of pulling a serial cable across a WAN cloud. PPP protocol negotiations set up a direct connection from the remote user to the tunnel termination device.

In the case of a remote access VPN, for example, the remote access client is still sending a stream of Point-to-Point Protocol (PPP) packets to a remote access server. Similarly, in the case of LAN-to-LAN virtual leased lines, a router on one LAN is still sending PPP packets to a router on another LAN. What is new is that in each case, instead of going across a dedicated line, the PPP packets are going across a tunnel over a shared network.

Figure 9. VPNs Are Based on Familiar Technology. Direct dial-up connection: a PPP packet stream over private PSTN circuits from the remote user to the enterprise. VPN: the same PPP packet stream from the remote user (analog modem or ISDN terminal adapter) to the NSP POP access concentrator, then through a tunnel over a shared IP network (the virtual private network) to the tunnel terminator or switch at the enterprise firewall, then to the internal network server.

The most widely accepted method of creating industry-standard VPN tunnels is by encapsulating network protocols (IP, IPX, AppleTalk, etc.) inside PPP and then encapsulating the entire package inside a tunneling protocol, which is typically IP but could also be ATM or Frame Relay. This approach is called "Layer 2 tunneling" since the passenger is a Layer 2 protocol (Figure 10).

Figure 10. Layer 2 Tunneling Protocol Encapsulation: [IP][L2TP][PPP][IPX], the IPX passenger packet inside a PPP frame inside an L2TP message inside an IP packet.

Alternatively, network protocols can be encapsulated directly into a tunneling protocol such as 3Com's Virtual Tunneling Protocol (VTP). This approach is called "Layer 3 tunneling" since the passenger is a Layer 3 protocol (Figure 11).

VPN Protocols

Currently, Microsoft's Point-to-Point Tunneling Protocol (PPTP), which is bundled with Windows 95 and Windows NT 4.0, is the most widely used protocol for VPNs. (PPTP was developed by a vendor consortium that included 3Com and Microsoft.) In the near future, however, most VPNs will be based on the emerging Layer 2 Tunneling Protocol (L2TP). The L2TP standard represents a merging of PPTP and the Layer 2 Forwarding (L2F) protocol, both of which operate at Layer 2. The emerging standard offers the best features of these protocols as well as additional features. One such enhancement is multipoint tunneling. It will enable users to initiate multiple VPNs in order, for example, to access both the Internet and the corporate network at the same time.

Both L2TP and PPTP offer additional capabilities that are not available with Layer 3 tunneling protocols:

• They allow enterprises to choose whether to manage their own user authorization, access permissions, and network addressing, or to have their NSP do it. By receiving tunneled PPP packets, enterprise network servers have access to information about remote users, necessary for performing these tasks.

• They support tunnel switching. User information is necessary for tunnel switching, which is the ability to terminate a tunnel and initiate a new tunnel to one of a number of subsequent tunnel terminators. Tunnel switching extends the PPP connection to a further end point.

• They enable enterprises to apply fine-grained access policies at the firewall and at internal servers. Because tunnel terminators at the enterprise firewall are receiving PPP packets that contain user information, they can apply specific security policies to traffic from different sources. (With Layer 3 tunneling, in contrast, there is no way to differentiate packets coming in from the NSP, so the same set of filters has to be applied across the board.) In addition, if a tunnel switch is used, it can initiate a subsequent Layer 2 tunnel to direct traffic from specific users to the appropriate internal servers, where additional levels of access control can be applied.

VPN Security

Secure VPNs apply specific security protocols to tunnels or to the packets they carry. These protocols enable hosts to negotiate the encryption and integrity-check (keyed hash or digital signature) techniques that ensure data confidentiality, data integrity, and authentication of the sending and receiving sources.
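The Layer 2 encapsulation described above, and the tunnel-switching and per-source policy points it makes (see also the tunnel switching discussion around Figures 3 and 4), worked in Python as an added example. This is not 3Com code and does not model any 3Com product. The L2TPv2 data-message and PPP frame layouts follow RFC 2661 and RFC 1661; the session table (what the L2TP control channel or RADIUS would tell the switch at call setup), the realm-to-terminator policy, and the sample packets are constructed for illustration.

```python
"""
Layer 2 tunneling (L2TP carrying PPP) and a policy-driven tunnel switch.

Added example: not 3Com code and not a model of any 3Com product. The L2TPv2
data-message and PPP frame layouts follow RFC 2661 and RFC 1661; the session
table, the realm-to-terminator policy and the sample packets are constructed.
"""
import struct

PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x0029: "AppleTalk"}
L2TP_T, L2TP_L, L2TP_S, L2TP_O = 0x8000, 0x4000, 0x0800, 0x0200   # header flag bits
L2TP_VERSION = 2


def build_ppp_frame(protocol, passenger):
    """PPP frame: address 0xff, control 0x03, 16-bit protocol, then the passenger packet."""
    return b"\xff\x03" + struct.pack("!H", protocol) + passenger


def parse_ppp_frame(frame):
    """Return (protocol, passenger); frames without the standard header are rejected."""
    if len(frame) < 4 or frame[:2] != b"\xff\x03":
        raise ValueError("not a PPP frame")
    return struct.unpack("!H", frame[2:4])[0], frame[4:]


def build_l2tp_data(tunnel_id, session_id, ppp_frame):
    """L2TPv2 data message (T=0) with the Length bit set; it travels in UDP port 1701."""
    flags = L2TP_L | L2TP_VERSION
    header = struct.pack("!HHHH", flags, 8 + len(ppp_frame), tunnel_id, session_id)
    return header + ppp_frame


def parse_l2tp_data(packet):
    """Return (tunnel_id, session_id, ppp_frame), skipping the optional header fields."""
    if len(packet) < 6:
        raise ValueError("truncated L2TP message")
    flags = struct.unpack("!H", packet[:2])[0]
    if (flags & 0x000F) != L2TP_VERSION or flags & L2TP_T:
        raise ValueError("not an L2TPv2 data message")   # control messages go elsewhere
    pos = 2
    if flags & L2TP_L:
        if struct.unpack("!H", packet[pos:pos + 2])[0] != len(packet):
            raise ValueError("L2TP length mismatch")
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    if flags & L2TP_S:                       # Ns and Nr present only when S is set
        pos += 4
    if flags & L2TP_O:                       # Offset Size, then that many pad octets
        pos += 2 + struct.unpack("!H", packet[pos:pos + 2])[0]
    return tunnel_id, session_id, packet[pos:]


# Constructed state for a switch in the DMZ. In a deployment the session table is
# filled from the L2TP control channel and RADIUS at call setup, and the policy
# comes from the enterprise security server.
SESSIONS = {
    (7, 41): "alice@corp.example",
    (7, 42): "bob@partner.example",
    (7, 43): "carol@dmv.state.example",
}
POLICY = {  # realm -> (internal terminator, outgoing tunnel id, passenger protocols allowed)
    "corp.example": ("10.1.0.5", 100, {"IP", "IPX", "AppleTalk"}),
    "partner.example": ("10.9.0.2", 200, {"IP"}),
    "dmv.state.example": ("10.20.0.7", 300, {"IP", "IPX"}),
}


def switch_tunnel(packet, sessions=SESSIONS, policy=POLICY):
    """Terminate the incoming tunnel, pick the terminator by the user's realm, enforce
    the realm's passenger-protocol policy, and re-tunnel the unchanged PPP frame.
    Returns (terminator_address, new_l2tp_packet); raises PermissionError to drop."""
    tunnel_id, session_id, ppp = parse_l2tp_data(packet)
    user = sessions.get((tunnel_id, session_id))
    if user is None or "@" not in user:
        raise PermissionError("no authenticated user for this session: drop")
    realm = user.rsplit("@", 1)[1]
    if realm not in policy:
        raise PermissionError(f"{user}: no terminator configured for realm {realm}")
    terminator, out_tunnel, allowed = policy[realm]
    protocol, _ = parse_ppp_frame(ppp)
    name = PPP_PROTOCOLS.get(protocol, hex(protocol))
    if name not in allowed:
        raise PermissionError(f"{user}: {name} is not permitted for realm {realm}")
    # The session id is reused on the outgoing tunnel for traceability; a real switch
    # allocates it per outgoing tunnel and records the mapping for the return path.
    return terminator, build_l2tp_data(out_tunnel, session_id, ppp)


if __name__ == "__main__":
    ipx_packet = bytes(30)                    # constructed stand-in for an IPX packet
    frame = build_ppp_frame(0x002B, ipx_packet)
    print(switch_tunnel(build_l2tp_data(7, 43, frame))[0])
    try:
        switch_tunnel(build_l2tp_data(7, 42, frame))
    except PermissionError as err:
        print("dropped:", err)
```

The distinction the text draws between Layer 2 and Layer 3 tunneling is visible in switch_tunnel: its decisions key on the (tunnel, session) pair and on the PPP protocol field, both of which exist only because the passenger arrived inside PPP. A Layer 3 tunnel delivers just the inner packet, so a switch there could key only on addresses, which is why the text says the same filters must then be applied across the board.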

Microsoft Point-to-Point Encryption (MPPE) MPPE adds integrated data privacy (encryp- tion) into standard Microsoft Dial-Up Net- IP VTP IPX working (Figure 12). A 40-bit version is bundled with PPTP into Windows 95 and Windows NT Dial-Up Networking; a 128-bit Figure 11. Layer 3 Tunneling Protocol Encapsulation version is also available.
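The difference between the two encapsulations can be made concrete with a small parser. The following is an added example, not code from this paper or from 3Com: it builds a Layer 2 and a Layer 3 tunnel frame in a simplified, constructed layout (not the L2TP or VTP wire formats), peels each at the enterprise tunnel terminator, and shows that only the Layer 2 frame carries a PPP session from which the user's identity, learned at PPP authentication, can be recovered and used to choose a per-user filter set. The PPP protocol field values are the real assigned numbers; the addresses, session table and user names are constructed for the example.

```python
# Added example, not from the 3Com paper: what a tunnel terminator can see in a
# Layer 2 tunnel versus a Layer 3 tunnel. Header layouts are constructed and
# simplified for this example; they are not the L2TP or VTP wire formats.
import struct

# PPP protocol field values (assigned numbers): the passenger type inside PPP
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x0029: "AppleTalk"}

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def layer2_frame(outer_src, outer_dst, session_id, ppp_proto, passenger):
    """Layer 2 tunneling: outer IP | tunnel header (session id) | PPP | passenger.
    The passenger rides inside PPP, so the PPP session identity reaches the terminator."""
    ppp = struct.pack("!BBH", 0xFF, 0x03, ppp_proto) + passenger  # HDLC addr/ctrl + protocol
    tunnel = struct.pack("!BH", 2, session_id) + ppp              # kind=2 marks Layer 2 here
    return ip_bytes(outer_src) + ip_bytes(outer_dst) + tunnel

def layer3_frame(outer_src, outer_dst, passenger):
    """Layer 3 tunneling: outer IP | tunnel header | passenger. No PPP, no session."""
    return ip_bytes(outer_src) + ip_bytes(outer_dst) + bytes([3]) + passenger

def terminate(frame, sessions):
    """Peel the tunnel at the enterprise terminator and report what policy can key on.
    `sessions` maps PPP session id -> user name learned during PPP authentication."""
    src, dst, kind = ip_str(frame[0:4]), ip_str(frame[4:8]), frame[8]
    if kind == 2:
        (session_id,) = struct.unpack("!H", frame[9:11])
        addr, ctrl, proto = struct.unpack("!BBH", frame[11:15])
        if (addr, ctrl) != (0xFF, 0x03):
            raise ValueError("not a PPP frame")
        return {"layer": 2, "nsp_src": src, "terminator": dst,
                "user": sessions.get(session_id),
                "protocol": PPP_PROTOCOLS.get(proto, hex(proto)), "payload": frame[15:]}
    if kind == 3:
        # Nothing below the outer header identifies the user: only the NSP's address is known
        return {"layer": 3, "nsp_src": src, "terminator": dst,
                "user": None, "protocol": None, "payload": frame[9:]}
    raise ValueError("unknown tunnel kind %d" % kind)

def filter_set(info):
    """With a Layer 2 tunnel the terminator can pick a per-user filter set; with
    Layer 3 every packet from the NSP looks alike, so one blanket set applies."""
    if info["user"] is None:
        return "blanket filters for everything from " + info["nsp_src"]
    return "filters for user %s carrying %s" % (info["user"], info["protocol"])
```

The session table stands in for what the terminator learned when the PPP connection was authenticated; the same lookup is what a tunnel switch would use to pick the next tunnel for a given user.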

MPPE encrypts PPP packets on the client workstation before they go into a PPTP tunnel. When the client workstation negotiates PPP with the ultimate tunnel terminator, an encryption session is initiated. (Interim tunnel switches do not have the ability to decrypt PPP packets.) MPPE provides data privacy and uses an enhanced Challenge Handshake Protocol (MS-CHAP) for strong user authentication.

Secure IP (IPsec)

IPsec is an emerging standard for VPN security. In cases where IP is used to transmit tunneled traffic, IPsec will enable tunnel initiating and tunnel terminating products from multiple vendors to interoperate. The standard, which was written by Internet Engineering Task Force (IETF) committees, consists of a set of IP-level protocols for setting up an agreement between two IP stations about the encryption and digital signature methods that will be used. IPsec is recommended for use with L2TP and will be mandatory for IPv6 compliance.

More robust than MPPE, IPsec encompasses user authentication, privacy, and data integrity (Figure 13). It can also be extended beyond the tunnel terminator to the destination host workstation.

Another advantage of IPsec is that its security mechanisms for authentication and security are loosely coupled with its key management systems. While Internet Security Association Key Management Protocol (ISAKMP)/Oakley and manual management are the two key systems currently mandated in IETF draft standards, this loose coupling will allow for future systems to be used without requiring modification of security mechanisms.

3Com Offers More Flexible VPN Choices

3Com provides VPN products that enable both ISP/NSP-terminated tunnels and enterprise-terminated tunnels. 3Com also supports both L2TP and PPTP tunneling protocols, and is the only company currently offering tunnel switching.

Figure 12. MPPE with CHAP (figure: remote user running Dial-Up Networking software with MPPE and PAP/CHAP as tunnel initiator; NSP POP access concentrator; tunnel terminator, security server, and tunnel switch at the enterprise firewall; shared internal server on the enterprise network; MPPE-encrypted data stream)

IPsec Example 1: Remote Access with ISP VPN Initiation. In this example, remote access is achieved when the ISP initiates the VPN. This example describes the steps followed in the security process. In the example that follows, the client initiates the VPN, and the ISP’s access concentrator acts as a router.

1. User authentication. The remote user dials up her ISP. The networking software on her laptop sends a CHAP message with the user’s name and password to the access concentrator at the ISP’s POP. The access concentrator transmits the name and password to a security server (for example, Remote Authorization Dial-In User Service, or RADIUS) for user authentication. When it receives a response from the server, it converts the response back into CHAP and transmits it to the remote user’s laptop.

Meanwhile, the access concentrator has received additional information from the security server, such as which IP address to assign to the user and which subnet mask to use. It knows the user is an employee of a particular enterprise customer and the specified IP address of the appropriate tunnel termination device for that customer. In most cases, this tunnel terminator will be the enterprise firewall or another device inside the firewall “DMZ” (the network segment between the components of a two-part firewall).

Figure 13. IPsec (figure: remote user running Dial-Up Networking software with IPsec as tunnel initiator; user authorization; NSP POP access concentrator; tunnel terminator, security server, and tunnel switch at the enterprise firewall; shared internal server and IPsec destination host on the enterprise network; encrypted data stream; IPsec labels at the tunnel initiator, tunnel terminator, tunnel switch, and destination host)

2. Establishment of a secure channel between the tunnel initiation and termination devices. The ISP’s access concentrator and the tunnel termination device now use the ISAKMP/Oakley protocols to agree on which encryption and data authentication algorithms (such as DES, 3DES) they will use to establish a secure channel. In ISAKMP each participant in an exchange has a pair of keys, one private and one public. The ISP’s access concentrator sends the tunnel terminator a message along with a digital signature that it creates using its private key.

To read the digital signature, the tunnel terminator must use the access concentrator’s public key. It may already have the key stored; if not, it can get it by contacting a Certificate Authority. This authority might be a commercial organization such as VeriSign or GTE’s CyberTrust, or it might be an enterprise server that stores the certificates of companies with which the enterprise does business. (The enterprise Certificate Authority will, in turn, be certified by a commercial or government organization, which may, in turn, be certified by another organization, and on up the hierarchy of trust.)

The tunnel terminator returns a message with a signature created by its private key to the ISP’s access concentrator. The access concentrator then uses the tunnel terminator’s public key to authenticate the signature.

The Oakley protocols are employed to exchange information that will be used to generate encryption keys. The access concentrator and the tunnel terminator each employ an algorithm called Diffie-Hellman to independently generate another public/private key set (actually, two half-keys, one of which is kept secret). They then exchange the public half of their keys. The access concentrator takes its own secret half-key and the tunnel terminator’s public half-key and runs a mathematical function on them that results in a third secret key. The tunnel terminator performs the function against its secret half-key and the access concentrator’s public half-key, coming up with the same third secret key. This process is highly secure because anyone intercepting the exchange will get only the two public half-keys. There is no hardware currently available in the market with the computational power to derive the secrets from the public keys.

3. Application of organizational security policies. The next step is for the devices to exchange information on how security will be handled for this particular user. A transmission from the CEO, for example, may need to be sent using stronger message authentication and integrity methods (for example, multiple levels of encryption, hash functions) than one from a sales representative.

The access concentrator gets policy information about the user from a RADIUS server or other internal source, and then initiates an exchange with the tunnel terminator. This exchange is encrypted using the algorithm already agreed upon during the ISAKMP/Oakley exchange.

The user’s data packets (including the payload and the IP header) are then encrypted and encapsulated in a new IP header. This header has a different set of addresses than the original IP header on the user’s packet. Where initially the source address was the user’s laptop and the destination address was a host somewhere behind the firewall, in the new IP header, the source is the ISP’s access concentrator and the destination is the tunnel terminator. This method is called IPsec “tunneling mode,” because during transmission across the public network, the IP addresses of the source and destination hosts are hidden.

To ensure data integrity during transmission, a hash function may be calculated on the user’s IP packet before the new IP header is added. Or, for stronger security, it may be calculated on the user’s packet and the new header together. When the tunnel termination device receives the packet, it will perform the same hash function on the packet. If it gets the same value, then the packet has not been tampered with.

The tunnel terminator uses the DES key to decrypt the packets as they are received. If the tunnel is being terminated by the ISP, the packets are transmitted to the enterprise via a Frame Relay circuit or other dedicated link. If the tunnel is being terminated by the enterprise, the packets are dropped onto a LAN for transmission to the destination host.
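As an added illustration of the three steps above (not code from this paper; the packet layout, addresses, user database and keys are all constructed), the following walks through CHAP user authentication checked by a stand-in security server, Diffie-Hellman agreement on a shared secret using the 1024-bit MODP group from RFC 2409, and tunnel-mode encapsulation in which the user's packet is encrypted, a new outer header naming the access concentrator and the tunnel terminator is added, and a keyed hash over the new header and the packet together is verified at the terminator. DES is not in the Python standard library, so an HMAC-based keystream stands in for it; the key derivation is a simplification of what ISAKMP/Oakley does, and the certificate-based signature exchange is omitted.

```python
# Added example, not from the 3Com paper: the three steps of IPsec Example 1 in
# miniature. Packet layout, addresses and user database are constructed; the
# cipher is an HMAC keystream standing in for DES.
import hashlib
import hmac
import secrets
import struct

# ---- Step 1: CHAP user authentication (RFC 1994) ---------------------------
def chap_response(identifier, secret, challenge):
    """Response = MD5(identifier || secret || challenge); the secret never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def security_server_check(user, identifier, challenge, response, user_db):
    """Stand-in for the ISP's RADIUS-style security server: recomputes the CHAP hash
    from the stored secret and returns the user's record on success, None on failure."""
    rec = user_db.get(user)
    if rec is None:
        return None
    expected = chap_response(identifier, rec["secret"], challenge)
    return rec if hmac.compare_digest(expected, response) else None

# ---- Step 2: Diffie-Hellman between access concentrator and tunnel terminator --
# 1024-bit MODP group (Oakley group 2, RFC 2409). Each side keeps its secret half-key.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1               # secret half-key
    return priv, pow(G, priv, P)                       # (secret, public half-key)

def dh_shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)                      # the same "third secret key" on both sides

def derive_keys(shared):
    """Encryption and integrity keys from the shared secret (simplified; IKE uses its prf)."""
    raw = shared.to_bytes(128, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

# ---- Step 3: tunnel mode: encrypt the user's packet, prepend a new IP header,
#      hash new header and packet together, verify at the terminator -----------
def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))
def ip_str(b):
    return ".".join(str(x) for x in b)

def keystream(enc_key, seq, n):
    """Constructed DES stand-in: HMAC-SHA256 in counter mode, bound to the sequence number."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack("!II", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encapsulate(enc_key, mac_key, seq, inner_src, inner_dst, payload, outer_src, outer_dst):
    """Layout (constructed): outer src | outer dst | seq | encrypted inner packet | 32-byte tag."""
    inner = ip_bytes(inner_src) + ip_bytes(inner_dst) + payload
    ct = bytes(a ^ b for a, b in zip(inner, keystream(enc_key, seq, len(inner))))
    outer = ip_bytes(outer_src) + ip_bytes(outer_dst) + struct.pack("!I", seq)
    tag = hmac.new(mac_key, outer + ct, hashlib.sha256).digest()   # covers header and packet
    return outer + ct + tag

def decapsulate(enc_key, mac_key, frame):
    """Recompute the hash over header and packet; None means the packet was tampered with."""
    outer, ct, tag = frame[:12], frame[12:-32], frame[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, outer + ct, hashlib.sha256).digest(), tag):
        return None
    (seq,) = struct.unpack("!I", outer[8:12])
    inner = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, seq, len(ct))))
    return ip_str(inner[:4]), ip_str(inner[4:8]), inner[8:]

# Constructed sample data for the walk-through
USER_DB = {"alice": {"secret": b"correct horse", "assigned_ip": "10.9.0.7",
                     "terminator": "203.0.113.10"}}
ACCESS_CONCENTRATOR = "198.51.100.1"

def run_example(password=b"correct horse"):
    """Returns the outer addresses seen on the public network and what the terminator recovers."""
    # Step 1: laptop answers the access concentrator's CHAP challenge; the server verifies it
    challenge, ident = secrets.token_bytes(16), 1
    rec = security_server_check("alice", ident, challenge,
                                chap_response(ident, password, challenge), USER_DB)
    if rec is None:
        return "authentication failed"
    # Step 2: both devices publish a public half-key and derive the same keys
    ac_priv, ac_pub = dh_keypair()
    tt_priv, tt_pub = dh_keypair()
    ac_keys = derive_keys(dh_shared_secret(ac_priv, tt_pub))
    tt_keys = derive_keys(dh_shared_secret(tt_priv, ac_pub))
    assert ac_keys == tt_keys
    # Step 3: the user's packet (laptop -> host behind the firewall) rides inside
    # a packet addressed access concentrator -> tunnel terminator
    frame = encapsulate(*ac_keys, 1, rec["assigned_ip"], "10.1.1.20", b"GET /payroll",
                        ACCESS_CONCENTRATOR, rec["terminator"])
    return ip_str(frame[:4]), ip_str(frame[4:8]), decapsulate(*tt_keys, frame)
```

run_example() returns the outer addresses an observer on the public network sees (access concentrator and tunnel terminator, not the laptop and the internal host) together with what the terminator recovers; flipping any byte of the outer header or the encrypted body makes decapsulate return None, which is the integrity check the text describes.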

IPsec Tunneling Mode Is Not the Same as a VPN Tunnel

When IPsec-compliant encryption is applied to an entire network protocol packet (IP, IPX, AppleTalk, etc.), and then the encrypted results are encapsulated into another IP packet, the process is called “tunneling mode.”

The advantage of using this mode is that a network protocol can travel across a network that does not support it to a tunnel termination device that does. Tunneling mode also protects the identity of networks, subnetworks, and terminating nodes. To confuse the picture further, Layer 2 VPNs provide these same benefits, whether or not they incorporate IPsec.

As a result of similarities in terminology and this single overlap in functions, some people assume that all tunneling functions are performed by IPsec tunneling mode. In fact, IPsec provides only a small part of the capabilities needed for virtual private networking.

Figure 14. Tunnel Switching Through the Firewall (figure: Internet; tunnel switch at the firewall as “main gate sentry,” performing basic user authorization; tunnel terminators on internal servers as “inner sentries,” performing authorization and enforcing more detailed policies and user profiles; security server; internal network with internal servers and users)

If the enterprise is using a tunnel switch to receive VPN traffic from its ISP or NSP, the switch creates a new tunnel to the destination host. IPsec security can also be applied to this tunnel.

IPsec Example 2: Remote Access with Client VPN Initiation. This process is the same as the one described in the first example, except that all of the exchanges (CHAP user authentication, ISAKMP/Oakley establishment of a security association, application of organizational policy, and encrypted transmission) take place between the remote user’s laptop and the tunnel termination device. The ISP’s access concentrator simply acts as a router. It is not even aware that a secure VPN has been established.

Tunnel Switching: Improved Security and More Flexible VPN Applications

A tunnel switch is a combination tunnel terminator/tunnel initiator. It can be used to extend tunnels from one network to another—for example, to extend a tunnel incoming from an ISP’s network to a corporate network. It can also be used to replace a point-to-point connection with a point-to-switched-fabric-to-point connection—one that behaves much like a dedicated telephone switched circuit even though it occurs over a routed network.

Tunnel switching offers many business advantages and opens up the possibility of a myriad of tunneling applications. Enterprises, for example, can use tunnel switching to increase security at the firewall while improving their ability to manage remote access to network resources behind the wall (Figure 14). In this case, the tunnel switch is generally located on the enterprise firewall. Based on a RADIUS lookup on the user name, the switch initiates a new tunnel through the firewall to a specific internal server. This approach protects the integrity and performance of the firewall while increasing access to networked applications and resources.

Only a “rifle shot” hole has to be opened up in the firewall for the tunneling protocol to pass through. During the initial tunnel termination, however, the tunnel switch can identify other encapsulated protocols that the IP datagram is carrying with it. It can do a lookup to a firewall RADIUS server and, based on the remote user name and the protocols, retrieve information on the approved destinations of those packets. The switch then initiates new tunnels to carry packets to specific servers behind the firewall. These internal network servers, which do the final tunnel termination, can be equipped with detailed user profiles and privileges, enabling them to make fine-grained decisions about network access.

For More Information

To find out more about security technology, refer to the following documents:

• RFC 1825, “Security Architecture for the Internet Protocol”
• RFC 1827, “Encapsulating Security Payload (ESP)”
• RFC 1851, “The ESP Triple DES Transform”
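The tunnel switch described above, as an added example rather than code from this paper or from 3Com's products: a switch on the firewall that first applies the single "rifle shot" rule (tunnel traffic from the NSP's access concentrator to the L2TP UDP port, 1701), then consults a constructed stand-in for the firewall RADIUS server keyed on user name and carried protocol, and initiates, or reuses, a new tunnel toward the approved internal server. The addresses, the policy table and the simplified tunnel layout are assumptions made for this example; traffic that fails either check is dropped before any inside tunnel exists.

```python
# Added example, not from the 3Com paper: a tunnel switch on the enterprise firewall.
# Addresses, policy table and tunnel layout are constructed for this example.
import struct

NSP_ACCESS_CONCENTRATOR = "198.51.100.1"   # constructed: the NSP's tunnel endpoint
FIREWALL_INSIDE = "10.0.0.1"               # constructed: the switch's inside address
L2TP_UDP_PORT = 1701                       # the one port the "rifle shot" rule opens

# Constructed stand-in for the firewall RADIUS server:
# (user name, carried protocol) -> approved internal server
APPROVED_DESTINATIONS = {
    ("alice", "IP"):  "10.0.1.5",
    ("alice", "IPX"): "10.0.2.9",
    ("bob",   "IP"):  "10.0.1.5",
}

def firewall_admits(src, dst_port):
    """The only hole: tunnel traffic from the NSP's access concentrator to the L2TP port."""
    return src == NSP_ACCESS_CONCENTRATOR and dst_port == L2TP_UDP_PORT

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def new_tunnel(outer_src, outer_dst, session_id, ppp_frame):
    """Initiate the second leg: re-encapsulate the PPP frame toward an internal server
    (simplified layout: outer src | outer dst | kind=2 | session id | PPP frame)."""
    return (ip_bytes(outer_src) + ip_bytes(outer_dst)
            + struct.pack("!BH", 2, session_id) + ppp_frame)

class TunnelSwitch:
    """Combination tunnel terminator / tunnel initiator living on the firewall."""

    def __init__(self):
        self.next_session = 1000
        self.switched = {}   # (user, protocol) -> (internal server, outgoing session id)

    def switch(self, src, dst_port, user, protocol, ppp_frame):
        """Terminate the incoming tunnel's packet and decide where it goes next.
        Returns (decision, outgoing frame or None)."""
        if not firewall_admits(src, dst_port):
            return "dropped at firewall", None
        server = APPROVED_DESTINATIONS.get((user, protocol))
        if server is None:
            return "no approved destination", None
        key = (user, protocol)
        if key not in self.switched:          # first packet for this user/protocol:
            self.switched[key] = (server, self.next_session)   # initiate a new tunnel
            self.next_session += 1
        server, session_id = self.switched[key]
        return "switched to " + server, new_tunnel(FIREWALL_INSIDE, server, session_id, ppp_frame)
```

The internal server that terminates the second tunnel still applies its own detailed user profile; the switch only decides which inside tunnel, if any, a given user's packets of a given protocol may enter.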

One way to think about the impact that tunnel switching can have on security is to imagine a sentry at the main gate of a secure compound. This main gate sentry does not have access to restricted access information such as passwords, but he does have a generalized set of criteria for screening visitors and placing them in categories. This allows the sentry to direct the visitors to a specific guard station at an internal gate. The guards at these internal gates have much more detailed information about access permissions and can demand a password or some other form of authentication.

The benefits of tunnel switching are not limited to security, however. Enterprises can also use tunnel switches to perform server load balancing for incoming VPN traffic and to increase flexibility for IP addressing. NSPs can use tunnel switching to flexibly direct traffic from different customers—and even from different users within a customer account—into tunnels with appropriate end points and Quality of Service (QoS) handling. An NSP, for example, could switch a high-priority customer onto a higher-speed fabric or use tunnel switching to avoid network congestion points.

VPN Management

The goal in VPN management is to make VPNs look like a private network. 3Com VPN solutions incorporate management tools that monitor and provide visibility into VPNs running over provider networks. 3Com Transcend AccessWatch/VPN, for example, is a Web-based application that enables network administrators to profile the use and performance of VPNs using both real-time and historical data. Using Transcend AccessWatch/VPN, administrators can perform capacity utilization, QoS, security exception, and tunnel usage analyses. New-generation policy-based management tools will also be deployable across both conventional network links and VPNs.

3Com VPN Solutions

3Com has more experience with VPNs than any other internetworking provider. 3Com was the first remote access vendor to deliver VPN solutions, and now 3Com has more than 50,000 VPN ports currently in use, with more than 2 million VPN-ready ports installed worldwide.

3Com offers end-to-end VPN solutions, including products for enterprises and both service-focused and infrastructure-intensive NSPs. All 3Com VPN solutions adhere to industry standards (including IPsec for security) and are compatible with each other, making it easy for VPN providers and users to establish mutually beneficial business partnerships.

Enterprises and NSPs can choose 3Com VPN products with confidence. VPN capabilities are built into 3Com’s proven product lines, including multiprotocol routers equipped with a rich set of management features and market-leading, award-winning access concentrators and the highest-density carrier class solutions on the market. As the market leader in NICs and modems, 3Com also understands the needs of remote users.

3Com is also the first vendor to extend the VPN architecture to incorporate tunnel switching, the key to better security and more flexible VPN applications.

All VPN products ship with TranscendWare™ software, ensuring that 3Com customers will be able to deploy and enforce network policies consistently across both conventional links and VPNs. TranscendWare software allows edge devices to communicate with end devices to enforce network policies. By monitoring VPN tunnels, these devices will be able to better manage dial-up ports, bandwidth allocation, network load and destination, and return policy leases—all critical elements for control in a VPN environment.

3Com Solutions for Enterprises

Enterprises can add VPN network server capability (tunnel termination) to their existing NETBuilder II® or SuperStack® II bridge/router. This single device can provide a connection to an NSP over leased line, Frame Relay, ISDN, SMDS, or Switched 56, and it provides LAN connections over Ethernet, Token Ring, and ATM. The NETBuilder II router supports all major LAN protocols, enabling multiprotocol tunnel traffic to be routed to the appropriate LAN server; and it also supports SNA for access to legacy systems.

NETBuilder® and SuperStack II products offer the unique advantage of Boundary Routing® system architecture. Boundary Routing technology enables companies to simplify remote router installation and configuration, eliminating the need for on-site technical staff, by shifting key router management and overall router management to a central site.

Where NSPs are providing tunnel creation services, branch offices and remote users can continue to use their existing 3Com networking devices (OfficeConnect® routers, 3ComImpact® IQ ISDN terminal adapters, 3Com x2™ or Courier™ modems, 3Com Megahertz® PC modem card) as is. Where remote user devices are to create tunnels, additional software is required. This software is already integrated into 3Com network interface cards and is also bundled into the Windows 95 and Windows NT operating systems.

Conclusion

Industry-standard virtual private networks are ushering in the next generation of network connectivity. Most analysts expect that Internet-based VPNs will eventually replace most leased-line networks. VPNs are being widely adopted because they offer immense cost savings as well as new business opportunities for both enterprises and network service providers. Many of these benefits can be gained by rapidly establishing new types of business relationships that are mutually beneficial to all parties.

3Com has a broader product line of solutions and more experience with VPNs than any other vendor, and is the first vendor to offer the competitive advantage of tunnel switching. 3Com customers can begin exploiting the benefits of VPNs now, with confidence, because 3Com VPN solutions are available (in most cases, through upgrades) on some of the industry’s most highly praised, market-proven networking platforms and products.



© 1998 3Com Corporation. All rights reserved. 3Com, 3ComImpact, Boundary Routing, Megahertz, NETBuilder, NETBuilder II, OfficeConnect, Transcend, and SuperStack are registered trademarks of 3Com or its subsidiaries. Courier, TranscendWare, and x2 are trademarks of 3Com or its subsidiaries. AppleTalk is a trademark of Apple Computer. Windows and Windows NT are trademarks of Microsoft. IPX and NetWare are trademarks of Novell. Other brands or product names may be trademarks or registered trademarks of their respective owners.

Printed in U.S.A. 500651-001 2/98