
IPSec VPNs for Remote Access

In document: Next-Generation Network Services (pages 195-200)

One of the primary benefits of IPSec technology for the remote-access environment is the ability to decouple the teleworker’s workstation from a private dial-up infrastructure, removing both cost and bandwidth constraints.

Previous remote-access solutions typically employed private dial-access modem sharing and terminal server equipment at Layer 1, long-distance or 800 numbers, secure token passcodes, in-house authentication, authorization, and accounting (AAA) systems, and operations, administration, and management personnel to keep teleworkers productive. This approach ensured a reasonable amount of security, because the dial connection was usually authenticated per user and then trusted as a private host-to-LAN connection. The two primary constraints of this environment were the bandwidth limitations inherent in the public switched telephone network and the accumulation of long-distance and per-user connection charges. Only applications with minimal data transfer were realistically usable in this type of environment. For enterprises requiring higher bandwidth for remote-access users, ISDN was an option, but it only doubled bandwidth while retaining the deterrent of a long-distance, cost-per-minute revenue model. Companies with geographically large remote-access deployments often required a distributed design model using network access servers (NASs) to switch teleworker calls into Layer 2 forwarding and tunneling protocols, providing backhaul data transport to the central computing site.

Table 4-2 Benefits of Remote-Access VPNs

Business Benefits

Reduce operations and management costs
Expand geographic coverage for mobile users
Save on toll charges for dial-up users
Maintain privacy of company data
Achieve a reduced total cost of ownership
Enjoy simplified, efficient networks
Refocus internal resources on core business needs
Shift risk of technology investment to service providers

Technical Benefits

Scale quickly to expand remote-access coverage
Choose from a variety of remote-access technologies
Leverage service provider technical expertise
Extend decision data to users anywhere via encrypted communications
Offer quick provisioning for remote users
Have networks that meet changing business needs

As the security architecture for the IP protocol was standardized in the fall of 1998, IPSec solutions followed that allowed secure remote access over a publicly shared IP infrastructure such as the Internet. Teleworkers could dial or connect using local Internet access numbers and then build secure IPSec tunnels across the Internet to the company’s IPSec VPN head-end concentrator. This VPN concentrator was responsible for authenticating the remote user’s workstation and logically bridging it into the enterprise computing environment on a trusted basis, which removed the constraint of long-distance charges from IT budgets supporting remote-access users. Soon after, the bandwidth limitations of switched dial access were outpaced ten times or more by local broadband connections to the Internet, primarily cable high-speed data access and DSL. Best of all, IPSec removed the major concerns about moving enterprise data through publicly shared communications facilities, because all data was authenticated and optionally encrypted. The IPSec open standard benefits the remote-access environment by helping to remove cost and bandwidth constraints through lower-cost, flat-rate broadband Internet access pricing. With stronger authentication and encryption options than any previously available remote-access technology, IPSec remote-access solutions scale well with Internet and ISP broadband connectivity, providing faster performance, quicker deployment, and more secure communications for mobile workers, home-office workers, and small sites. By using IPSec and local IP broadband connections, companies are able to

Reduce capital costs of the analog/digital modem-sharing equipment

Reduce operational costs using local dial-up or broadband connections as opposed to long-distance and 800 number facilities

Scale their remote-access networks larger with easier deployment and management

Meet any data communication security requirements mandated by law

Remote-access IPSec VPN technology might be implemented in software, such as a software program on a PC. It might also be implemented in hardware, such as a custom ASIC chip within a hardware client. IPSec VPNs can be implemented as software or firmware inside a network firewall hardware device. This technology might also be implemented in software or firmware inside a network router.

Remote-access IPSec VPNs might be implemented with one or more IPSec form factors, although four options are typically seen in the market. These options are

Software IPSec VPN client on a remote workstation

IPSec VPN client in a remote-access firewall

Hardware IPSec VPN client device at a remote site

IPSec VPN client feature in a remote-site router

Figure 4-5 conceptualizes these types of remote-access IPSec VPN designs. Because VPNs are customarily established across public access networks such as the Internet, it is good security practice to deploy firewall and virus scanning technology into these environments.

Software-Based IPSec VPN Clients

Workstation software-based IPSec VPN clients are more applicable to remote-access workers who need maximum mobility, connecting from their home office one day, and perhaps from a customer business site or hotel conference center the next. This provides great flexibility for the remote user but also requires software administration and management at the individual workstation level, either by the user or by central site personnel. The software VPN client program will have specific dependencies on the workstation’s operating system, so if there are multiple PC operating systems in play, such as Windows 2000, Windows XP, and perhaps Mac OS 10.x on an Apple PowerBook, then multiple versions of the software client will be required.

Using a software-based IPSec VPN client, a remote user will connect via a local broadband facility to the Internet or ISP, or use a dial-up connection, to reach the company VPN concentrator. A VPN concentrator is a performance-enhanced device that is centrally located for the express purpose of “concentrating” VPN sessions from multiple remote-access VPN users. The VPN concentrator provides specific features that augment the flexibility, performance, and manageability of large numbers of VPN remote-access users.

The remote user will first be authenticated by the central site VPN concentrator, validating the user’s identity. If approved, an IPSec tunnel will be built with the appropriate security options. A virtual IP address will be assigned to the client to enable IP routing for VPN-destined traffic, along with the IP addresses of name servers, such as Microsoft WINS and Internet DNS. With this knowledge, the remote workstation can access authorized applications and browse intranet and Internet sites.


Figure 4-5 Remote-Access IPSec VPN Solutions

Source: Cisco Systems, Inc.

Authentication of the PC device occurs at the VPN concentrator, typically using an IPSec group preshared key. Often, further identification is needed to validate that the current user of the PC is indeed the authorized user. This is usually implemented with a one-time password (OTP) solution such as a token generator in the user’s possession, linked to a Remote Authentication Dial-In User Service (RADIUS) server/OTP server database of authorized users at the central site. Once authenticated, central site security management servers push current user access policies over the IPSec tunnel to the software IPSec client. New maintenance versions of the IPSec client might also be pushed over the tunnel to the remote PC device.
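The two-stage login just described (device proves the group preshared key, user proves an OTP against the RADIUS/OTP database, then the concentrator hands out a virtual IP, name servers and policy) is easier to reason about as working code. The following is an added model written for this page, not code from the book or from Cisco. It assumes a simplified group-key proof (an HMAC over a concentrator nonce, standing in for the IKE preshared-key exchange), HOTP (RFC 4226) as the token algorithm, and constructed sample keys, users and addresses; the point is the order of the checks and that a used token and a captured proof are both rejected.

```python
"""
Model of remote-access IPSec concentrator login: device authentication with a
group preshared key, then user authentication with an OTP token, then address
and policy assignment. Added illustration with constructed sample data; the
group-key proof and the policy format are assumptions, not a real product API.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: dynamically truncated HMAC-SHA1 of the moving counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def client_proof(group_key: bytes, nonce: bytes, group: str) -> bytes:
    """Assumed device-authentication proof: HMAC of the concentrator's nonce under the group key."""
    return hmac.new(group_key, nonce + group.encode(), hashlib.sha256).digest()


@dataclass
class OtpRecord:
    secret: bytes
    counter: int = 0          # next token counter the server will accept


@dataclass
class Concentrator:
    group_keys: dict          # group name -> preshared key
    users: dict               # username -> OtpRecord (the RADIUS/OTP user database)
    policies: dict            # group name -> access policy pushed after login
    dns: str
    wins: str
    pool: list                # free virtual IP addresses
    _nonces: dict = field(default_factory=dict)

    def challenge(self, peer_id: str) -> bytes:
        """Fresh nonce per attempt, so a captured proof cannot be replayed."""
        nonce = os.urandom(16)
        self._nonces[peer_id] = nonce
        return nonce

    def authenticate_device(self, peer_id: str, group: str, proof: bytes) -> bool:
        key = self.group_keys.get(group)
        nonce = self._nonces.pop(peer_id, None)   # single use
        if key is None or nonce is None:
            return False
        return hmac.compare_digest(client_proof(key, nonce, group), proof)

    def authenticate_user(self, username: str, otp: str, window: int = 5) -> bool:
        """Accept one of the next `window` counters; a consumed counter is never accepted again."""
        rec = self.users.get(username)
        if rec is None:
            return False
        for c in range(rec.counter, rec.counter + window):
            if hmac.compare_digest(hotp(rec.secret, c), otp):
                rec.counter = c + 1
                return True
        return False

    def connect(self, peer_id, group, proof, username, otp) -> dict:
        """Full login: device stage, user stage, then address and policy assignment."""
        if not self.authenticate_device(peer_id, group, proof):
            return {"status": "rejected", "stage": "device"}
        if not self.authenticate_user(username, otp):
            return {"status": "rejected", "stage": "user"}
        if not self.pool:
            return {"status": "rejected", "stage": "address-pool"}
        return {
            "status": "accepted",
            "virtual_ip": str(self.pool.pop(0)),
            "dns": self.dns,
            "wins": self.wins,
            "policy": self.policies[group],
        }


# Constructed sample data (not real keys or addresses).
DEMO_GROUP_KEY = b"demo-group-preshared-key"
DEMO_OTP_SECRET = b"12345678901234567890"     # the RFC 4226 test-vector secret


def make_demo_concentrator() -> Concentrator:
    return Concentrator(
        group_keys={"teleworkers": DEMO_GROUP_KEY},
        users={"alice": OtpRecord(DEMO_OTP_SECRET)},
        policies={"teleworkers": {"split_tunnel_networks": ["10.0.0.0/8"]}},
        dns="10.0.0.53",
        wins="10.0.0.54",
        pool=[ipaddress.ip_address("10.10.0.1"), ipaddress.ip_address("10.10.0.2")],
    )


if __name__ == "__main__":
    vpn = make_demo_concentrator()
    nonce = vpn.challenge("alice-laptop")
    proof = client_proof(DEMO_GROUP_KEY, nonce, "teleworkers")
    print(vpn.connect("alice-laptop", "teleworkers", proof, "alice", hotp(DEMO_OTP_SECRET, 0)))
```

Two design points carry over to a real deployment: the device stage alone only proves membership of a group (anyone holding the shared key passes it), which is exactly why the text adds the per-user OTP stage, and the OTP counter is advanced on success so that a code observed in transit is worthless afterwards.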

[Figure 4-5 labels: four designs side by side, the Software Access Option (VPN software client with personal firewall behind an ISP broadband access device), the Remote Site Firewall Option (home office firewall with VPN), the Hardware VPN Client Option (hardware VPN client), and the Remote Site Router Option (remote site router with VPN). In each design the central site authenticates the remote site and terminates IPSec, and the remote side runs personal firewall and virus scanning for local attack mitigation.]

Software-based IPSec VPN clients on PC workstations allow for flexible mobility and reasonable cost. This environment is useful for mobile and occasional home office users who generally need best-effort data support, because QoS is not an option for these environments.

Remote-Site IPSec VPN Firewalls

Network device software and/or firmware-based IPSec VPN clients can be implemented as operating system feature sets of IOS-based firewalls. Depending on the size of the remote site, some of these firewall devices might include hardware acceleration to get the best performance for IPSec tunnel processing and termination.

The remote-site IPSec VPN firewall option is frequently oriented to the prime home office worker or to a small branch or agency with few personnel. Since a firewall only has Ethernet, Fast Ethernet, or Gigabit Ethernet interfaces, it is best installed on the client side of a broadband access device, that is, behind the DSL or cable modem on a broadband connection from an ISP.

The IPSec client exists as either software or firmware within the remote-site firewall and originates the remote end of the IPSec tunnel toward a central site firewall with IPSec. As such, the remote-site workstations require only an IP over Ethernet connection to the remote-site firewall and not a software IPSec VPN client. This type of design is frequently postconfigured, administered, and maintained from the central site with minimal, if any, setup by the remote-site user.

The stateful firewall functionality strengthens security protection from Internet risks and provides a feature for split tunneling, separating remote-site Internet-bound traffic from the VPN traffic destined to the corporate site. Optionally, user authentication might be used and performed by systems at the central site.

Remote-site IPSec firewalls are usually installed at trusted site locations to meet requirements for always-on connectivity, stronger security, and more IPSec user performance. Their small physical size allows for some ease of transport if required.

Hardware IPSec VPN Clients

Often, there are small remote office locations with a few desktop workstations that never become mobile workstations. These environments can be served with a purpose-built hardware IPSec VPN client, connecting upstream to the broadband Internet service and downstream to a small office Ethernet LAN connecting a few PCs. A hardware IPSec VPN client is a purpose-built IPSec device, primarily in an ASIC chipset, designed for easier central site administration and management. The device typically has two or more Ethernet ports:

One for connecting upstream to a broadband DSL or cable modem


The hardware IPSec client device might optionally embed an Ethernet switch to support a few workstation users at a small site. With the IPSec client resident within the hardware, downstream workstations don’t require software-based IPSec clients or their administration. The central site uses an SSL-based Internet browser connection to contact and configure the hardware client, minimizing remote-user dependency. The hardware client authenticates with the central site VPN concentrator, often with a statically configured, preshared group key, to form the IPSec tunnel.

Since this device doesn’t contain firewall functionality, a decision to support split tunneling should be coupled with personal firewall software on the remote workstations. IPSec client firmware upgrades are pushed from the central site VPN concentrator during maintenance periods.
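Split tunneling comes up twice in this section: the remote-site firewall separates Internet-bound traffic from VPN traffic using its stateful firewall, and the hardware client, which has no firewall, should only split-tunnel if the workstations run personal firewalls. The following added example (written for this page, not the book's or Cisco's code) models both halves: a classifier that applies the pushed list of corporate networks to decide which path a packet takes, and a minimal stateful filter showing what the personal firewall has to do on the direct path. The policy format, the filter logic and all addresses are constructed for the example.

```python
"""
Split-tunnel path selection plus a minimal stateful filter for the direct path.
Added illustration; policy layout, filter behaviour and addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SplitTunnelPolicy:
    corporate_networks: list        # ipaddress network objects pushed by the central site
    split_tunneling: bool = True    # False: everything, Internet-bound traffic included, uses the tunnel


def classify(dst: str, policy: SplitTunnelPolicy) -> str:
    """Return 'tunnel' for corporate destinations (or when tunneling is not split), else 'direct'."""
    addr = ipaddress.ip_address(dst)
    if not policy.split_tunneling:
        return "tunnel"
    if any(addr in net for net in policy.corporate_networks):
        return "tunnel"
    return "direct"


def route_packets(destinations, policy: SplitTunnelPolicy) -> dict:
    """Map each destination address to the path it takes under the policy."""
    return {dst: classify(dst, policy) for dst in destinations}


@dataclass
class StatefulFilter:
    """Minimal personal-firewall model for the direct (non-tunneled) path:
    inbound traffic is accepted only as the reply to a flow the workstation opened."""
    flows: set = field(default_factory=set)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port) -> None:
        # Record the flow keyed as the reply will arrive: (proto, peer, peer_port, local, local_port).
        self.flows.add((proto, dst_ip, dst_port, src_ip, src_port))

    def inbound_allowed(self, proto, src_ip, src_port, dst_ip, dst_port) -> bool:
        return (proto, src_ip, src_port, dst_ip, dst_port) in self.flows


def assess_remote_site(policy: SplitTunnelPolicy, device_has_firewall: bool,
                       workstations_have_firewall: bool) -> list:
    """Findings an administrator would want before enabling split tunneling at a site."""
    findings = []
    if policy.split_tunneling and not (device_has_firewall or workstations_have_firewall):
        findings.append("split tunneling enabled without any firewall on the direct path")
    if not policy.corporate_networks:
        findings.append("no corporate networks in policy: nothing would be tunneled")
    return findings


def demo_policy() -> SplitTunnelPolicy:
    """Constructed sample policy: two corporate ranges, split tunneling on."""
    return SplitTunnelPolicy([ipaddress.ip_network("10.0.0.0/8"),
                              ipaddress.ip_network("192.168.100.0/24")])


if __name__ == "__main__":
    policy = demo_policy()
    print(route_packets(["10.20.30.40", "192.168.100.7", "198.51.100.9"], policy))
    fw = StatefulFilter()
    fw.outbound("tcp", "192.168.1.10", 40000, "198.51.100.9", 80)
    print(fw.inbound_allowed("tcp", "198.51.100.9", 80, "192.168.1.10", 40000))   # reply: allowed
    print(fw.inbound_allowed("tcp", "203.0.113.5", 4444, "192.168.1.10", 445))   # unsolicited: blocked
    print(assess_remote_site(policy, device_has_firewall=False, workstations_have_firewall=False))
```

Turning `split_tunneling` off sends Internet-bound traffic through the concentrator as well, which costs central-site bandwidth but means the remote LAN has no direct exposure; the stateful filter is what makes the split configuration acceptable on a device that, like the hardware client, has no firewall of its own.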

The hardware IPSec VPN client option is typically installed in a controlled remote-site location. Primary advantages are the alleviation of software-based IPSec clients on PC workstations, simplified central site management, and low cost of ownership.

Remote-Site, IPSec-Enabled Routers

Network device software- and/or firmware-based IPSec VPN clients can be implemented as operating system feature sets of IOS-based routers. Many of these routers include hardware acceleration for IPSec tunnel processing and termination. When implemented in an IOS-based router, other router features such as QoS can be leveraged.

The remote-site, IPSec-enabled router is often used to connect to a local broadband service and build IPSec tunnel communication with a central site IPSec-enabled router. Optionally, firewall support can be embedded in the router, and a full set of Layer 3 routing features exists, including QoS, different LAN interfaces, and VPN hardware acceleration options for best performance. This design usually bridges the distinction between IPSec remote-access and IPSec site-to-site designs.
