Lesson 12: Understanding Virtual Private Networks
Access VPN Basic Components

An access VPN has two basic components:

L2TP Network Server (LNS): A device, such as a Cisco router, located at the
customer premises. Remote dial users access the home LAN as if they had dialed
into the home gateway directly, although their physical dialup connection is
to the ISP's network access server. "Home gateway" is the Cisco term for the LNS.

An LNS operates on any platform capable of PPP termination and handles the
server side of the L2TP protocol. Because L2TP relies only on the single medium
over which the L2TP tunnels arrive, an LNS may have only a single LAN or WAN
interface and still terminate calls arriving at any LAC's full range of PPP
interfaces (async, synchronous ISDN, V.120, and so on). The LNS is the initiator
of outgoing calls and the receiver of incoming calls. In L2F terminology the
LNS is known as the home gateway (HGW).

L2TP Access Concentrator (LAC): A device, such as a Cisco access server,
attached to the switched network fabric (for example, PSTN or ISDN) or
co-located with a PPP end system capable of handling the L2TP protocol. A LAC
need only implement the medium over which L2TP is to operate in order to pass
traffic to one or more LNSs, and it may tunnel any protocol carried within PPP.
The LAC is the initiator of incoming calls and the receiver of outgoing calls.
In L2F terminology the LAC is known as the NAS.
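As an added example that is not part of the lesson (nor Cisco's code), the following Python builds the SCCRQ control message a LAC sends to an LNS to open a control connection and parses it back using the RFC 2661 header and AVP layout; the host name and tunnel ID are constructed sample values. It shows that control-channel identifiers such as the LAC's Host Name travel in cleartext, which is why an L2TP tunnel provides no confidentiality on its own and is paired with IPSec for encryption.

```python
import struct

T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200  # RFC 2661 header flag bits
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 7: "OCRQ",
                 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN",
                 15: "WEN", 16: "SLI"}

def build_avp(attr_type, value, mandatory=True, vendor_id=0):
    """Encode one AVP: M/H bits plus 10-bit length, vendor ID, attribute type, value."""
    length = 6 + len(value)                      # length includes the 6-byte AVP header
    flags = (0x8000 if mandatory else 0) | (length & 0x03FF)
    return struct.pack("!HHH", flags, vendor_id, attr_type) + value

def build_sccrq(host_name, assigned_tunnel_id):
    """Constructed SCCRQ, as a LAC sends it to an LNS to open a control connection."""
    body = (build_avp(0, struct.pack("!H", 1))          # Message Type = SCCRQ
            + build_avp(2, bytes([1, 0]))               # Protocol Version 1, revision 0
            + build_avp(3, struct.pack("!I", 0x3))      # Framing Capabilities: sync + async
            + build_avp(7, host_name.encode("ascii"))   # Host Name, sent in cleartext
            + build_avp(9, struct.pack("!H", assigned_tunnel_id)))
    # SCCRQ carries Tunnel ID 0 (none assigned yet), Session ID 0, Ns 0, Nr 0
    header = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body), 0, 0, 0, 0)
    return header + body

def parse_control_message(packet):
    """Decode an L2TP control message header and its IETF AVPs; reject malformed input."""
    if len(packet) < 12: raise ValueError("truncated header")
    flags = struct.unpack("!H", packet[:2])[0]
    if (flags & 0x000F) != 2 or flags & O_BIT or not (flags & T_BIT and flags & L_BIT and flags & S_BIT):
        raise ValueError("not an L2TP v2 control message (T, L, S must be set, O clear)")
    length, tunnel_id, session_id, ns, nr = struct.unpack("!HHHHH", packet[2:12])
    if length > len(packet):
        raise ValueError("declared length exceeds packet size")
    avps, offset = {}, 12
    while offset < length:
        if offset + 6 > length: raise ValueError("truncated AVP header")
        avp_flags, vendor_id, attr_type = struct.unpack("!HHH", packet[offset:offset + 6])
        avp_len = avp_flags & 0x03FF
        if avp_len < 6 or offset + avp_len > length:
            raise ValueError("malformed AVP length")
        if vendor_id == 0:                           # hidden (H bit) AVPs are kept raw here
            avps[attr_type] = packet[offset + 6:offset + avp_len]
        offset += avp_len
    if 0 not in avps: raise ValueError("missing mandatory Message Type AVP")
    msg_type = struct.unpack("!H", avps[0])[0]
    return {"tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr,
            "message": MESSAGE_TYPES.get(msg_type, f"type {msg_type}"),
            "host_name": avps.get(7, b"").decode("ascii", "replace"),
            "assigned_tunnel_id": struct.unpack("!H", avps[9])[0] if 9 in avps else None}
```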
Client-Initiated Access VPN

There are two types of access VPNs: dedicated (client-initiated) and dial
(NAS-initiated), described in turn below.

With a dedicated, or client-initiated, access VPN, users establish an encrypted
IP tunnel from their clients across a service provider's shared network to their
corporate network. In a client-initiated architecture, the business manages the
client software that initiates the tunnel. Client-initiated VPNs provide
end-to-end security from the client to the host, which makes them well suited
to banking applications and other sensitive business transactions over the
Internet.

With client-initiated VPN access, the end user has IPSec client software
installed at the remote site; the tunnel can terminate at a firewall, which in
turn provides access into the corporate network. IPSec, IKE, and a certificate
authority are used to generate the encryption, authentication, and certificate
keys that secure the VPN.
Client-Initiated VPNs
An advantage of the client-initiated model is that the "last mile" service
provider access network, used to dial into the point of presence (POP), is
secured. An additional consideration in the client-initiated model is whether
to use security software embedded in the operating system or a more secure
supplemental security software package. Supplemental security software
installed on the client offers more robust security, but it entails installing
and maintaining tunneling/encryption software on every client that accesses the
remote access VPN, which can make the solution harder to scale.
NAS-Initiated Access VPN

In a NAS-initiated scenario, client software issues are eliminated. A remote
user dials into a service provider's POP using a PPP or SLIP connection and is
authenticated by the service provider; a secure, encrypted tunnel is then
initiated from the POP to the corporate network using L2TP or L2F. With a
NAS-initiated architecture, all VPN intelligence resides in the service provider
network; there is no end-user client software for the corporation to maintain,
which eliminates the client management burden associated with remote access.
The drawback is the lack of security on the local access dial network
connecting the client to the service provider network. In a remote access VPN
implementation, these security and management trade-offs must be balanced.
NAS-Initiated VPNs

Pros:

NAS-initiated access VPNs require no specialized client software, giving
companies greater flexibility to choose the access software that best fits
their requirements. NAS solutions use robust tunneling protocols such as Cisco
L2F or L2TP.

In this model IPSec provides encryption only, in contrast with the
client-initiated model, where IPSec provides both tunneling and encryption.
Premium service examples include reserved modem ports, guarantees of modem
availability, and priority data transport.

The NAS can be used simultaneously for Internet access and VPN access.

All traffic to a given destination travels over a single tunnel from the NAS,
making larger deployments more scalable and manageable.

Con:

NAS-initiated access VPN connections are restricted to POPs that can support
VPNs.