
Designing Site-to-Site VPNs

Site-to-site VPNs are an alternative WAN infrastructure used to connect branch offices, home offices, or business partners to all or portions of an enterprise network. VPNs do not inherently change private WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. Site-to-site VPNs use the most pervasive transport technologies available today, such as the public Internet or service provider IP networks, by using tunneling and encryption for data privacy and quality of service (QoS) for transport reliability.

Site-to-Site VPN Applications

Site-to-site VPNs can be used to replace costly WAN services or serve as a backup for disaster recovery purposes. Site-to-site VPNs can also help organizations meet regulatory requirements by providing encryption for sensitive data. This section examines these common uses for site-to-site IPsec VPNs.

WAN Replacement Using Site-to-Site IPsec VPNs

WAN replacement is one of the biggest reasons organizations implement IPsec VPNs.

Up to 40 percent of typical enterprise employees work in branch offices, away from the central sites that provide the mission-critical applications and services required for business operations. As these services are extended to branch office employees, requirements increase for bandwidth, security, and high availability.

IPsec VPNs can provide a cost-effective replacement for a private WAN infrastructure. Often the cost of a relatively high-bandwidth IP connection, such as an Internet service provider (ISP) connection, IP VPN service provider connection, or broadband digital subscriber line (DSL) or cable access, is lower than existing or upgraded WAN circuits.

Organizations can use IPsec VPNs to connect remote branches or offices, teleworkers, and mobile users to the corporate resources at the central site. Organizations also use IPsec VPNs to provide extranet connectivity for business-to-business applications.

There are four key components of a site-to-site VPN:

  • Headend VPN devices: Serve as VPN headend termination devices at a central campus

  • VPN access devices: Serve as VPN branch-end termination devices at branch office locations

  • IPsec and generic routing encapsulation (GRE) tunnels: Interconnect the headend and branch-end devices in the VPN

  • Internet services from ISPs: Serve as the WAN interconnection medium

WAN Backup Using Site-to-Site IPsec VPNs

Another common business application for IPsec VPNs is backing up an existing WAN.

When a primary network connection malfunctions, the remote branch office can rely on Internet VPN connectivity while waiting for the primary connection to be restored.

IPsec VPNs over a high-speed ISP connection or broadband cable or DSL access can provide a cost-effective secondary WAN connection for branch offices. Many customers continue to route their most critical traffic across their private WAN circuits, and route higher-bandwidth, less-critical traffic across IPsec VPNs as a secondary connection path. If a failure occurs on the primary WAN circuit, the IPsec VPN can also function as an already established backup path.


Note

The Internet VPN option does not offer QoS and service level agreements (SLA), which may be necessary for applications such as IP telephony.

Regulatory Encryption Using Site-to-Site IPsec VPNs

Another common business application for IPsec VPNs is mandatory or regulatory encryption.

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the Basel II agreement recommend or mandate that companies implement all reasonable safeguards to protect personal, customer, and corporate information. IPsec VPNs inherently provide a high degree of data privacy through the establishment of trust points between communicating devices and data encryption with the Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES).

Site-to-site VPNs support regulatory constraints and business policies. As network security risks increase and regulatory compliance becomes essential, organizations are using IPsec VPNs to encrypt and protect data such as medical records, corporate or personal financial data, and sensitive information such as legal, police, and academic records, whether a private WAN, IP VPN, or the Internet is used for connectivity.

Site-to-Site VPN Design Considerations

The design of site-to-site VPNs is affected by the organization's routing and addressing schema. Other important design considerations are the size, scale, and performance expectations for the site-to-site VPN. These requirements drive the selection of an appropriate platform to provision the service. The following section examines these elements and their impact on site-to-site VPN design.

IP Addressing and Routing

An IPsec VPN is an overlay on an existing IP network.

The VPN termination devices need routable IP addresses for the outside Internet connection. Private IP addresses can be used on the inside of the VPN. Just as good IP network design supports summarization, the VPN address space needs to be designed to allow for network summarization. NAT may be needed to support overlapping address space between sites in an organization.

Most IPsec VPNs forward data across the network using IPsec tunnel mode, which encapsulates and protects an entire IP packet. Because tunnel mode encapsulates, and therefore hides, the IP header of the pre-encrypted packet, a new IP header is added so that the packet can be successfully forwarded.

Many larger enterprise WANs need dynamic routing protocols such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) to provide routing and maintain link state and path resiliency. All Interior Gateway Protocol (IGP) routing protocols use either broadcast or IP multicast as a method of transmitting routing table information. However, basic IPsec designs cannot transport IGP dynamic routing protocols or IP multicast traffic. When support for one or more of these features is required, IPsec should be used in conjunction with other technologies such as GRE.

Scaling, Sizing, and Performance

The task of scaling large IPsec VPNs while maintaining performance and high availability is challenging and requires careful planning and design. Many factors affect the scalability of an IPsec VPN design, including the number of remote sites, access connection speeds, routing peer limits, IPsec encryption engine throughput, features to be supported, and applications that will be transported over the IPsec VPN.

The number of remote sites is a primary factor in determining the scalability of a design and affects the routing plan, the high-availability design, and ultimately the overall throughput that must be aggregated by the VPN headend routers. Different routers can support different numbers of tunnels.

IPsec VPN throughput depends on several factors, including connection speeds, capacity of the crypto engine, and CPU limits of the router. An IPsec crypto engine in a Cisco IOS router is a unidirectional device that must process bidirectional packets. Outbound packets must be encrypted by the IPsec crypto engine, and inbound packets must be decrypted by the same device. For each interface having packets encrypted, it is necessary to consider the bidirectional speed of the interface. For example, a T1 connection speed is 1.544 Mb/s, but the IPsec throughput required is 3.088 Mb/s.

Cisco recommends the following practices for VPN device performance limits:

  • The redundant headend device should be deployed in a configuration that results in CPU utilization of less than 50 percent. The 50 percent target includes all overhead incurred by IPsec and any other enabled features such as firewall, routing, intrusion-detection system (IDS), and logging. This performance limit allows the headend device to handle failover of the other headend device.

  • Because branch devices need to support fewer additional tunnels in a failover event, branch devices can be deployed in a configuration with less than 65 percent CPU utilization.

Cisco Router Performance with IPsec VPNs

Because IPsec VPN connections do not normally have a bandwidth associated with them, the overall physical interface connection speeds of both the headend and branch routers largely determine the maximum speeds at which the IPsec VPN must operate. Table 9-1 shows best-case scenarios with minimal features running IPsec VPNs in a lab with 1400-byte packets.

Table 9-1: Cisco Router Performance with IPsec VPNs

Cisco VPN Security Router                                   | Maximum Number of Tunnels | 3DES Throughput | AES Throughput
Cisco 850 series                                            | 5                         | 8 Mb/s          | 8 Mb/s
Cisco 870 series                                            | 10                        | 30 Mb/s         | 30 Mb/s
Cisco 1841 Integrated Services Router with AIM-VPN/BPII     | 800                       | 95 Mb/s         | 95 Mb/s
Cisco 2801 Integrated Services Router with AIM-VPN/BPII     | 1500                      | 100 Mb/s        | 100 Mb/s
Cisco 2811 Integrated Services Router with AIM-VPN/EPII     | 1500                      | 130 Mb/s        | 130 Mb/s
Cisco 2821 Integrated Services Router with AIM-VPN/EPII     | 1500                      | 140 Mb/s        | 140 Mb/s
Cisco 2851 Integrated Services Router with AIM-VPN/EPII     | 1500                      | 145 Mb/s        | 145 Mb/s
Cisco 3825 Integrated Services Router with AIM-VPN/EPII     | 2000                      | 175 Mb/s        | 175 Mb/s
Cisco 3845 Integrated Services Router with AIM-VPN/EPII     | 2500                      | 185 Mb/s        | 185 Mb/s
Cisco 7200VXR series with a single Cisco SA-VAM2+           | 5000                      | 260 Mb/s        | 260 Mb/s
Cisco 7301 router with Cisco SA-VAM2+                       | 5000                      | 370 Mb/s        | 370 Mb/s
Cisco Catalyst 6500/7600 router with 1 IPsec VPN SPA        | 8000                      | 2.5 Gb/s        | 2.5 Gb/s

However, the packets-per-second (PPS) rate matters more than throughput bandwidth (in bits per second) for the connection speeds being terminated or aggregated. In general, routers and crypto engines have upper boundaries for processing a given number of packets per second. The size of packets used for testing and throughput evaluations can understate or overstate true performance. For example, if a device can support 20,000 packets per second, 100-byte packets yield 16 Mb/s of throughput, whereas 1400-byte packets at the same packet rate yield 224 Mb/s. Because of such a wide variance in throughput, it is generally better to use packets per second rather than bits per second for scalability planning.

Each time a crypto engine encrypts or decrypts a packet, it performs mathematical computations on the IP packet payload using the unique crypto key for the trust point, agreed upon by the sender and receiver. If more than one IPsec tunnel is terminated on a router, the router has multiple trust points and therefore multiple crypto keys. When packets are to be sent to or received from a different tunnel than the last packet sent or received, the crypto engine must swap keys to use the right key matched with the trust point. This key swapping can degrade the performance of a crypto engine, depending on its architecture, and increase the router CPU utilization. For some Cisco platforms, such as Cisco 7200VXR series routers with the Cisco Service Adapter VPN Acceleration Module 2+ (SA-VAM2+), throughput of the IPsec crypto engine decreases as the number of tunnels increases. For other Cisco platforms, such as Cisco 7600 series routers with the VPN Shared Port Adapter (SPA), performance is relatively linear, with roughly the same throughput for a single tunnel as for 1000 or even 5000 tunnels.
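The sizing rules above (bidirectional crypto load per interface, packets per second rather than bits per second, the 50 percent CPU target for a redundant headend, and the per-platform tunnel limits of Table 9-1) combined into one worked calculator. This is an added example, not code from the book or from Cisco; it assumes that a platform's Table 9-1 rating can be turned into a packet budget at 1400 bytes and that the 50 percent headroom can be applied to that budget, which is a simplification because CPU load is not strictly proportional to packet rate.

```python
from dataclasses import dataclass

# Headend platforms copied from Table 9-1 (best case, 1400-byte packets,
# minimal features): name, maximum tunnels, 3DES/AES throughput in Mb/s.
HEADEND_PLATFORMS = [
    ("Cisco 3825 ISR with AIM-VPN/EPII", 2000, 175),
    ("Cisco 3845 ISR with AIM-VPN/EPII", 2500, 185),
    ("Cisco 7200VXR with SA-VAM2+", 5000, 260),
    ("Cisco 7301 with SA-VAM2+", 5000, 370),
    ("Catalyst 6500/7600 with IPsec VPN SPA", 8000, 2500),
]
LAB_PACKET_BYTES = 1400  # packet size behind the Table 9-1 figures


@dataclass
class BranchProfile:
    """A group of branch sites sharing an access speed and traffic mix."""
    sites: int
    link_mbps: float        # access link speed in one direction
    avg_packet_bytes: int   # expected average packet size in the tunnel


def crypto_mbps(link_mbps):
    """Crypto load for one interface: outbound encrypt plus inbound decrypt."""
    return 2 * link_mbps


def pps_from_mbps(mbps, packet_bytes):
    """Packets per second needed to carry mbps at a given packet size."""
    return mbps * 1e6 / (packet_bytes * 8)


def mbps_from_pps(pps, packet_bytes):
    """Throughput that a packet rate represents at a given packet size."""
    return pps * packet_bytes * 8 / 1e6


def headend_requirement(profiles):
    """Tunnels, aggregate crypto Mb/s and aggregate pps one headend must carry."""
    tunnels = sum(p.sites for p in profiles)
    mbps = sum(p.sites * crypto_mbps(p.link_mbps) for p in profiles)
    pps = sum(p.sites * pps_from_mbps(crypto_mbps(p.link_mbps), p.avg_packet_bytes)
              for p in profiles)
    return tunnels, mbps, pps


def choose_headend(profiles, cpu_target=0.5):
    """Smallest Table 9-1 platform that can carry the whole design alone.

    A redundant headend pair is sized so that either member absorbs the full
    load on failover, so all tunnels are counted. The rated Mb/s is converted
    to a pps budget at 1400 bytes and scaled by cpu_target; that scaling is an
    assumption of this example, not a Cisco sizing formula.
    """
    tunnels, _mbps, pps = headend_requirement(profiles)
    for name, max_tunnels, rated_mbps in HEADEND_PLATFORMS:
        usable_pps = pps_from_mbps(rated_mbps, LAB_PACKET_BYTES) * cpu_target
        if tunnels <= max_tunnels and pps <= usable_pps:
            return name
    return None  # nothing in the table fits; split the spokes across headends


if __name__ == "__main__":
    # Constructed design: 50 T1 branches, same links, two traffic mixes.
    bulk = [BranchProfile(50, 1.544, 1400)]   # file transfers, large packets
    voice = [BranchProfile(50, 1.544, 200)]   # small packets at the same bit rate
    print(headend_requirement(bulk), choose_headend(bulk))
    print(headend_requirement(voice), choose_headend(voice))
```

The two constructed designs carry identical bit rates but differ by a factor of seven in packet rate, which is why the small-packet design needs a much larger platform.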

Cisco Router Security Performance

The Cisco Integrated Services Routers (ISR) are built with fast processors and cryptographic acceleration to support high-performance security features. The Cisco IOS advanced security feature set combines a rich VPN feature set with advanced firewall, intrusion-prevention, and extensive Cisco IOS Software capabilities, including QoS, multiprotocol, multicast, and advanced routing support. Figure 9-4 shows some best-case performance measures for individual security features on the ISR series routers. The VPN throughput numbers are measured with 1400-byte packets and Advanced Integration Module (AIM) acceleration cards installed.

Figure 9-4: Cisco Router Security Performance

Note

The performance numbers in a production environment may differ.

Cisco ASA 5500 Series Performance

ASA 5500 series all-in-one Adaptive Security Appliances deliver enterprise-class security and VPN services to small- and medium-size businesses and large enterprise networks in a modular, purpose-built appliance. The ASA 5500 series incorporates a wide range of integrated security services, including firewall, intrusion-prevention system (IPS), and anti-X services with SSL and IPsec VPN services in an easy-to-deploy, high-performance solution. The ASA 5500 series is the most feature-rich solution for SSL and IPsec-based remote access that Cisco offers, and it supports robust site-to-site connectivity. The series provides higher scalability and greater throughput capabilities than the widely deployed Cisco VPN 3000 series concentrators.

Table 9-2 shows some best-case performance measures for the ASA 5500 series.

Table 9-2: Cisco ASA 5500 Series Performance

Model          | SSL/IPsec Scalability                                                  | Maximum VPN Throughput
Cisco ASA 5505 | 25 simultaneous SSL sessions; 25 simultaneous VPN sessions             | 100 Mb/s
Cisco ASA 5510 | 250 simultaneous SSL sessions; 250 simultaneous VPN sessions           | 170 Mb/s
Cisco ASA 5520 | 750 simultaneous SSL sessions; 750 simultaneous VPN sessions           | 225 Mb/s
Cisco ASA 5540 | 2500 simultaneous SSL VPN sessions; 5000 simultaneous VPN sessions     | 325 Mb/s
Cisco ASA 5550 | 5000 simultaneous SSL sessions; 5000 simultaneous VPN sessions         | 425 Mb/s
Cisco ASA 5580 | 10,000 simultaneous SSL sessions; 10,000 simultaneous VPN sessions     | 1 Gb/s


Note

The performance numbers in a production environment may differ.

Typical VPN Device Deployments

Table 9-3 shows where Cisco VPN devices are typically deployed.

Table 9-3: Typical VPN Device Deployment

Location                                        | Models
Teleworkers                                     | Cisco 850 and 870
Small office/home office (SOHO), small business | Cisco 850 and 870; Cisco ASA 5505
Small branch                                    | Cisco 1800; Cisco ASA 5510
Medium branch                                   | Cisco 2800; Cisco ASA 5520
Enterprise branch                               | Cisco 3800; Cisco ASA 5540 and 5550
Enterprise edge                                 | Cisco 7200 and 7301
Enterprise headquarters, data center            | Catalyst 6500; Cisco 7600; Cisco ASA 5550

The ASA 5500 series supports both IPsec VPNs and SSL-based remote-access VPN services deployments on a single integrated platform. Cisco ISRs and Cisco Catalyst switches support site-to-site IPsec VPNs of any topology, from hub-and-spoke to the more complex fully meshed VPNs on networks of all sizes, integrating security services with extensive Cisco IOS Software capabilities that include QoS, multiprotocol, multicast, and advanced routing support.

Design Topologies

A peer-to-peer IPsec VPN provides connectivity between two sites through a tunnel that secures traffic.

Typically, remote peers are connected to the central site over a shared infrastructure in a hub-and-spoke topology with tunnels from the multiple spokes to the headend hub. The hub-and-spoke topology scales well. However, a performance penalty applies because spoke-to-spoke traffic goes through two encryption/decryption cycles.

A meshed topology may be the appropriate design to use when there are multiple locations with a large amount of traffic flowing between them. To eliminate the performance penalty of two encryption/decryption cycles for spoke-to-spoke traffic, a partial-mesh topology can be used. The partial-mesh topology is similar to a hub-and-spoke topology, but it supports some direct spoke-to-spoke connectivity.

The full-mesh topology provides direct connectivity between all locations. There are scaling issues because the number of IPsec tunnels needed grows rapidly as the number of sites increases (a full mesh of n sites requires n(n-1)/2 tunnels). This topology is also more difficult to provision.


Note

Design topologies are discussed in more detail in the “Using IPsec VPN Technologies” section of this chapter.

VPN Device Placement Designs

The following section provides an overview of various design options for placement of VPN devices in the network.

VPN Device Parallel to Firewall

The VPN device can be placed parallel to a firewall in the network, as shown in Figure 9-5.

Figure 9-5: VPN Device Placement: Parallel to Firewall

There are advantages to placing the VPN device parallel to the firewall:

  • Simplified deployment because firewall addressing does not need to change

  • High scalability because multiple VPN devices can be deployed in parallel with the firewall

There are some disadvantages to placing the VPN device parallel to the firewall:

  • IPsec decrypted traffic is not firewall inspected. This issue is a major concern if the traffic is not subject to a stateful inspection.

  • No centralized point of logging or content inspection is implemented.

VPN Device on a Firewall DMZ

The VPN device can be placed in the demilitarized zone (DMZ) of the firewall, as shown in Figure 9-6.

Figure 9-6: VPN Device on a Firewall DMZ

There are advantages to placing the VPN device in the DMZ of a firewall:

  • The firewall can statefully inspect the decrypted VPN traffic. The design supports the layered security model and enforces firewall security policies.

  • The design supports moderate-to-high scalability by adding additional VPN devices. Migration to this design is relatively straightforward with the addition of a LAN interface to the firewall.

There are disadvantages to placing the VPN device in the DMZ of a firewall:

  • The configuration complexity increases because additional configuration on the firewall is required to support the additional interfaces. The firewall must support policy routing to differentiate VPN from non-VPN traffic.

  • The firewall may impose bandwidth restrictions on stacks of VPN devices.

Integrated VPN and Firewall

Another option is an integrated VPN and firewall device in the network, as shown in Figure 9-7.

Figure 9-7: Integrated VPN and Firewall

There are advantages to integrating the VPN device and the firewall:

  • The firewall can statefully inspect the decrypted VPN traffic. The design supports the layered security model and enforces firewall security policies.

  • The design may be easier to manage with the same or fewer devices to support.

There are disadvantages to integrating the VPN device and the firewall:

  • Scalability can be an issue because a single device must scale to meet the performance requirements of multiple features.

  • The configuration complexity increases because all the configurations are applied to one device.