White Paper

Cisco Directions for the VPN-Enabled Enterprise Network

A supplement to Cisco's white paper entitled "Cisco VPN Primer"

Cisco Systems Enterprise VPN (E-VPN) solutions offer the enterprise a complementary alternative to private WAN networking. Virtual private networks (VPNs) extend geographical connectivity to home and mobile users, as well as to new constituencies, including customers, suppliers, and partners. The benefits of Cisco E-VPNs span from providing cost reductions through lower transport costs and a simplified network infrastructure to enabling new business applications, global networking, and enabling the Internet economy.

In most situations, VPNs augment the private WAN creating a hybrid network topology. An important consideration in deploying VPN applications in the existing WAN infrastructure is that a VPN is still an end-to-end network that exhibits the same characteristics and requirements of private WAN infrastructures. VPNs must:

Remain scalable to address the needs of increased business requirements
Assure end-to-end reliability
Provide for the integration of legacy protocols and services
Allocate bandwidth, via quality-of-service (QoS) metrics, to assure mission-critical applications and receive appropriate throughput
Secure corporate data
Be manageable across the network and integrate the private and VPN domains

Figure 1: Enterprise VPN

Successful VPN solutions are defined by the breadth of features offered within each of these VPN characteristics and the ease with which they integrate into the existing network infrastructure. Cisco Systems, the world's leading supplier of networking equipment and technologies, is uniquely positioned to address the needs of organizations deploying VPNs by providing the most comprehensive end-to-end VPN solution in the industry. Successful VPN deployment providing secure, scalable and manageable VPNs is assured through Cisco's comprehensive 5-element strategy for VPN solutions (see Figure 2):

1. Scalable platforms---Providing E-VPN services from the telecommuter through corporate backbones

2. Extensive data, packet, and user security---Protecting corporate assets

3. Robust VPN services, including Quality of Service and VPN routing services

4. High-performance VPN appliances---For infrastructure scalability and flexibility

5. End-to-end policy-based management with service monitoring and auditing capabilities

Figure 2: Cisco's Five-Point VPN Strategy

Cisco has shipped nearly 10 million VPN-ready ports, which are easily enabled with the Cisco IOS^®software. These VPN-enabled routers provide a smooth migration to an E-VPN environment. Cisco IOS software-based security and VPN services provide the integrated building blocks for secure, scalable and manageable VPNs, integrating existing enterprise LANs and WANs with the new VPN infrastructure. Cisco also provides comprehensive pre- and postsale service and support to facilitate VPN migration.

Cisco VPN solutions are open, standards-based, implementations facilitating integration with the existing network and with business partners. Cisco VPN solutions may utilize VPN-optimized routers for unified device architectures, as well as dedicated-purpose, high-performance appliances. Ultimately, overall network architecture, protocol, and connectivity requirements of the enterprise drive the VPN architecture.

As illustrated in Figure 3, Cisco's E-VPN strategy delivers these elements across four time phases, and builds on the existing private or "classic" WAN (Phase 1). Today, the E-VPN (Phase 2) is enable through a multitude of features, services and management tools assuring a scalable, secure and manageable VPN seamlessly integrated into existing private WAN infrastructures. Over time, Cisco will integrate advanced technology into its platforms and appliances accelerating VPN services beyond today's needs as well as integrating packetized voice and other multi-service technologies for the "new world" network.

Figure 3: Cisco E-VPN Strategy Phases

Scalable Platforms

Executive Summary

Cisco Systems offers the widest array of integrated VPN-enabled routers, each with specific VPN performance and services integration to meet the end-to-end requirements of the enterprise. New capabilities addressed in this section include:

A range of VPN-Optimized routers addressing the needs of the telecommuter through large-scale enterprise head-end facilities.
VPN-focused platforms such as the new Cisco 1720-R VPN-optimized router---Providing integrated multiprotocol routing, LAN/WAN integration, and future hardware-accelerated triple-Data Encryption Standard (DES) encryption
Distributed IPSec---Accelerating security performance of the Cisco 7500 series router family
Integrated services adapter for Cisco 7200 and 7500 series---Providing integrated triple-DES encryption and Layer 3 compression for high-speed network interconnects at DS-3 performance
Encryption AIM for the Cisco 1720-R and 2600 series, and network module for the Cisco 3600 series---With multiple T1/E1 performance and support for optional Layer 3 compression
Multiservice Integration---Integrating data, voice, and video applications onto the VPN architecture

Introduction to Cisco's E-VPN integrated solutions

For unified and integrated E-VPN solutions, Cisco offers a suite of VPN-enabled and VPN-optimized routers, spanning the range of VPN applications from telecommuter to branch office to the headend. Each of Cisco's integrated router systems provides for a multifunction VPN solution that exhibits:

Unsurpassed LAN/WAN protocol integration
Increasing levels of VPN service acceleration
Integrated security and QoS
Common management infrastructures
Multiservice integration (data, voice, video)

At the heart of Cisco's VPN solution is the Cisco IOS software; used in over 80 percent of today's service provider (SP) and enterprise networks. Cisco IOS software, with its robust multiprotocol routing facilities, end-to-end QoS, integrated IPSec, and authentication, authorization, and accounting (AAA) user security and a multitude of other Layer 3 services, makes all Cisco routing platforms "VPN-ready." Cisco IOS software makes it simple to enhance and extend existing networks to VPN and to provide integrated access into VPN and private WANs. By integrating all VPN functions on a router, network complexity and lower total cost of ownership of the VPN platform can be realized.

A VPN-enabled router, such as the Cisco 1000,1600, 2500, 4500, and 4700 series is appropriate for VPNs with moderate encryption and tunneling requirements. VPN-enabled routers provide VPN services entirely through Cisco IOS software features,

To address more scalable security requirements, as well as VPN-centric WAN topologies, Cisco also offers a portfolio of VPN-optimized routers. VPN-optimized routers are designed to meet higher encryption and tunneling requirements of more aggressive VPN deployments by offering hardware extensibility for high-speed encryption performance and optimized WAN interface configurations for VPN-centric WANs. Cisco's VPN-optimized router portfolio consists of the Cisco 800, 1720, 2600, 3600, 7200, and 7500 series routers. (See Figure 4.)

Figure 4: Cisco VPN-Optimized Router Portfolio

Solutions for Telecommuters and Small Offices: Cisco 800 Series

The Cisco 800 series routers provide secure ISDN access to the Internet and the corporate LAN. By incorporating Cisco IOS features, including generic routing encapsulation (GRE) and IPSec for tunneling and encryption, the Cisco 800 extends VPN applications out to telecommuters and very small offices (typically 6-19 employees). The Cisco 800 Series includes four router models and a choice of software feature sets. The Cisco 801 and 802 models provide an ISDN Basic Rate Interface (BRI) and one Ethernet LAN connection, whereas the Cisco 803 and 804 models add a four-port Ethernet hub and two RJ-11 interfaces to support plain old telephone service (POTS) devices, including telephones, fax machines, and modems.

Solutions for Small Branch Offices: Cisco 1700 Series

The Cisco 1720 access router is a modular solution that provides all the necessary components required to build an integrated VPN solution in one platform. Powered by a RISC processor, the Cisco 1720 is optimized to support VPN applications with full Cisco IOS support for encryption, tunneling (Layer 2 Forwarding [L2F], Layer 2 Tunneling Protocol [L2TP], IPSec, and GRE), QoS, optional dynamic Cisco IOS Firewall, and an option for hardware-assisted encryption and compression. This all-in-one VPN solution minimizes setup costs and reduces the deployment and management of VPNs in small branch offices and small and medium-sized business environments.

The Cisco 1720 features one autosensing 10/100 Fast Ethernet port, two modular WAN interface card slots, and one auxiliary (AUX) port. The Cisco 1720 offers WAN service flexibility and investment protection by supporting any of the WAN interface cards available for the Cisco 1600, 2600, and 3600 platforms, including ISDN, serial, and integrated data service unit/channel service unit (DSU/CSU) cards.

Solutions for Medium Branch to Small Regional Offices: Cisco 2600 and 3600 Series

The Cisco 2600 and 3600 are effectively one extended family of products because they share so many of the same network modules (NMs) and WAN Interface Cards. With their modular design, the Cisco 2600 and 3600 empower the flexibility benefits of VPNs. Their support for a wide range of serial, channelized, ISDN, and modem interfaces allows them to support robust intranet, extranet, and remote dial access VPNs.

Sized for medium branch offices with a single NM slot, the Cisco 2600 is an ideal platform for VPNs because its RISC processor provides the power to run the robust Cisco IOS security, tunneling, and QoS features that make these virtual networks private. Sized for large branch and small regional offices, the Cisco 3600 series offers higher-performance RISC processors and higher density with two slots in the Cisco 3620 for NMs and four in the Cisco 3640.

In addition to IPSec, GRE, L2F, and L2TP, the Cisco 2600 and 3600 series support the Cisco IOS Firewall with its stateful packet filtering and will offer optional encryption hardware modules in the second half of 1999. In the case of the Cisco 2600, the module will utilize the internal advanced integration module (AIM) slot, whereas in the Cisco 3600 it will be an NM. These modules will support multiple T1/E1 levels of bandwidth.

With packetized voice modules, the Cisco 2600 and 3600 series are already enabled for the expansion of VPNs from data to multiservice. This integration capability is but one example of how the Cisco 2600 and 3600 series can simplify system management and reduce life-cycle costs in branch offices by limiting the number of "boxes" that constitute the network infrastructure of a branch office. The investment protection of the Cisco 2600's and 3600's modular design encompasses other platforms because it shares WAN interface cards with the Cisco 1600 and 1720.

Solutions for Regional Offices and Corporate Headends: Cisco 7200 and 7500

Cisco 7200 and 7500 series routers combine interface flexibility and density, speed, multiservice support, and modularity with VPN features such as encryption, tunneling, and QoS to create enterprise-class VPN routers. With their high density and broad media support, Cisco 7200 and 7500 series routers enable corporations to optimize configurations for any blend of private and VPN connectivity deployed in the WAN, as well as interface with a wide range of LAN and legacy protocols.

The processing performance of the Cisco 7200 and 7500 series enables deployment of Cisco IOS advanced security features across intranet, extranet, and remote dial access VPNs, while still performing all the routing functions required in a private WAN environment. Beginning in Q1 `99, the Cisco 7200 also supports the Cisco IOS Firewall, enabling stateful packet filtering without a separate firewall appliance. Furthermore, a hardware encryption module offering superior encryption performance will be available on both platforms in mid-1999.

Although both platforms support IPSec, L2TP, L2F, and GRE, the Cisco 7500 will also offers VIP-distributed IPSec support. VIP-distributed software encryption augments Route Switch Processor (RSP) software encryption by providing software-based encryption for its local port adapters, while the RSP provides software encryption services for all other interfaces. A VIP-distributed IPSec configuration provides more scalable software-based security solutions for the Cisco 7500.

Security and VPN Appliances

Executive Summary

Cisco Systems provides the most comprehensive set of security features and appliances for the Enterprise VPN. The products, technologies and services that Cisco delivers address all elements of a successful security policy comprising authentication, perimeter security, data confidentiality, intrusion detection, active auditing and management. New capabilities addressed in this section include:

Authentication Perimeter Security Data Confidentiality Intrusion Detection & Active Audit Security Management

Authentication for PIX Firewall

PIX Platform Update

Cisco IOS Triple-DES Support

Cisco NetRanger Appliance

Cisco Security Manager

X.509 Digital Certificate Support

Cisco IOS Firewall Feature Set on Cisco 7200 Series

Distributed IPSec for Cisco 7500 Series

Cisco NetRanger Reporting enhancements

ACL policy management tools

Time-Based ACLs

Hardware-accelerated IPSec for Cisco 7200 and 7500 Series

Cisco NetSonar

Future IPSec Hardware-accelerators for Cisco 1720, 2600 and 3600 Series

Intrusion Detection for Switched Internets

Authentication	Perimeter Security	Data Confidentiality	Intrusion Detection & Active Audit	Security Management
Authentication for PIX Firewall	PIX Platform Update	Cisco IOS Triple-DES Support	Cisco NetRanger Appliance	Cisco Security Manager
X.509 Digital Certificate Support	Cisco IOS Firewall Feature Set on Cisco 7200 Series	Distributed IPSec for Cisco 7500 Series	Cisco NetRanger Reporting enhancements	ACL policy management tools
	Time-Based ACLs	Hardware-accelerated IPSec for Cisco 7200 and 7500 Series	Cisco NetSonar
		Future IPSec Hardware-accelerators for Cisco 1720, 2600 and 3600 Series	Intrusion Detection for Switched Internets

Introduction to Cisco's Security and E-VPN Appliances

The challenge of deploying WANs over a shared network heightens the visibility of security issues. Enterprises need to be assured that their VPNs are secure from perpetrators observing or tampering with confidential data passing over the network, and from unauthorized users gaining access to network resources and proprietary information. Extranet VPNs can also extend the corporation's network boundary to embrace suppliers and business partners, increasing still more the need for security.

Security, therefore, is a fundamental requirement for successful VPN deployments. The VPN security policy needs to address user, network, data, and event response security concerns to protect corporate information.

Elements of VPN Security

Authenticating Users of Network Services

Accurately and positively identifying users of network services and resources is a critical component of any secure network, and is key to the successful deployment of VPNs. Cisco VPN solutions are built around AAA capabilities that provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in dial access and extranet applications of VPNs.

Providing Secure Network Perimeters

Controlling access to applications, services, and resources in a nonintrusive manner is one function of a properly designed network. The use of such network tools as access control lists, firewalls, content filtering tools (such as URL blockers), and virus scanning provides a method of securing the movement of data through the infrastructure.

Transporting Confidential Data over Shared Public Data Networks

As VPN services are deployed over shared network infrastructures, the tools used to ensure the authenticity and privacy of this data need to become more sophisticated, scalable, and manageable. Requirements for privacy range from mere separation of traffic with the use of tunneling or encapsulation techniques, to sophisticated encryption as a method of guaranteeing confidentiality. A technology such as IPSec, with its authentication, key management, and encryption components, is, therefore, a very important enabler of VPNs.

Monitoring and Responding to Network Intrusions and Suspicious Events

Unfortunately, security looks the same whether it is working or not, unless you actively monitor and test for intrusions and vulnerabilities. Therefore, it is important to include vulnerability testing and intrusion-detection capabilities in any VPN design.

Cisco's VPN Security Strategy

By delivering a comprehensive set of technologies, products, and services, Cisco can address all aspects of network security and help its customers design, deploy, and manage successful VPNs. Recognizing that the unique security challenges posed by VPNs will require flexible solutions, Cisco offers products that include stand-alone software packages, network appliances, Cisco IOS software-based solutions, and high-performance interface cards for Cisco hardware platforms. All these products work together to deliver comprehensive security solutions, but it is the successful partnerships with other technology vendors, systems integrators, service providers, and its customers that allows Cisco to offer true end-to-end solutions.

In order to address effectively the networking needs of customers, Cisco is developing its products and technologies to fit within an architectural model of efficiency. This model defines the critical functions that the VPN of the future must:

Positively and granularly identify users, hosts, applications, and more
Understand and act on data in context according to defined rules; this might include denying access to, encrypting, or changing the priority of selected data, or recognizing and reporting anomalies or intrusions
Configure, manage, audit, and centrally control the configuration of the network based on the relationship between these items

Cisco's VPN Security Roadmap

Cisco's comprehensive roadmap extends the four key areas of VPN security discussed in above.

Authentication

More efficient and scalable methods of identifying network users, applications, and resources must be developed in order to handle the growth in VPNs and networks in general. Forward-looking network architects are envisioning a future in which authentication can be scaled to address orders of magnitude more users, and deliver an even more granular and secure set of solutions. Emerging technologies such as digital certificates and directory services enable a more scalable, flexible, and secure infrastructure for the authentication of network users.

The use of protocols and technologies such as TACACS+, RADIUS, Kerberos, one-time passwords, and Microsoft login enables today's network administrators to control access in a granular manner. For example, users logging in can be treated differently based on their IP address, domain membership, or location.

The CiscoSecure access control server (ACS) product line are access control servers used to determine who may access the network and what services they are authorized to use. An access control server can be used simultaneously with dialup access servers, routers, and firewalls.

In order to enable a more practical use of digital encryption, which relies on the accurate distribution of software "keys" for operation, Cisco has pioneered the use of X.509 digital certificates. Through the use of these certificates, which are essentially digital identity cards, Cisco VPNs can scale more efficiently and be managed more effectively. Cisco VPN products can use these digital certificates to confirm the identity of the end station dynamically, reducing the need for operator intervention.

Digital certificates are currently used to authenticate the encryption keys of IPSec end stations. In the future, these certificates are expected to carry more information about network users. This information can and will be used to create dynamic network profiles, allowing security policies to be implemented and enforced more practically. The enhancement of these capabilities is being pursued under the Public Key Infrastructure (PKI) initiative in the IETF. Cisco is working with such industry leaders as VeriSign, Entrust, Microsoft, and Netscape to help in the development of these standards.

It is also expected that network directory technologies and products such as Lightweight Directory Access Protocol (LDAP), Novell's NetWare Directory Services (NDS), and Microsoft's Active Directory and Directory-Enabled Network (DEN) initiatives will also play a large role in managing authentication and security policy information. These directories are a logical place to store user profiles, and will make the storage and management of digital certificates more efficient. Cisco continues to work with such partners as Microsoft and Novell to develop these directory technologies.

Perimeter Security

As a leader in Internet security solutions, Cisco is at the forefront of access control and firewall technology development. Cisco offers two firewalls designed to meet different performance, service, site and corporate policy requirements. They include a dedicated appliance (the PIX Firewall family) and one fully integrated into the network infrastructure itself (the Cisco IOS Firewall Feature Set).

Cisco's PIX Firewall is a leading, dedicated security appliance that offers the industry's highest performance (according to KeyLabs' Firewall Shootout), with stateful packet filtering and security analysis. Using cut-through proxy, the PIX Firewall authenticates users against RADIUS or TACACS+ at very high speeds. NetPartner's WebSENSE Internet Access Management software is incorporated into the PIX Firewall to block outbound access to objectionable or unproductive content. With hardware-based encryption/acceleration, the PIX Firewall is an excellent solution for e-commerce over the Internet and for creating high-performance VPNs. Planned enhancements to the PIX platform will offer increased performance, lower cost of ownership, and increased capabilities.

The Cisco IOS Firewall is a security-specific, value-add option to the most widely installed internetwork operating system in the world---the Cisco Internetwork Operating System (Cisco IOS software). The Cisco IOS Firewall enhances existing Cisco IOS software security capabilities, such as authentication, encryption, and fail-over, with state-of-the-art security, including stateful, application-based filtering, defense against network attacks such as syn flooding, port scans, and packet injection, Java blocking, and VPNs based on Cisco IOS IPSec. Because it runs on a wide range of Cisco routers, the Cisco IOS Firewall feature set can be deployed extensively across a VPN, while the routers simultaneously provide multiprotocol routing, network services such as QoS, plus the full breadth of standard Cisco software features.

The Cisco IOS Firewall feature set is currently available for Cisco 1600, 1700, 2600 and 3600 and 7200 series routers. The recent addition of the Cisco IOS Firewall feature set for the Cisco 7200 series provides a high-performance integrated solution for VPN enterprise facilities. These scalability improvements, coupled with enhancements that address authentication, reporting, and flexible alerts, will continue to make the Cisco IOS Firewall feature set a key element of the VPN infrastructure.

Data Confidentiality

IPSec is a framework of open standards for ensuring secure private communications over IP networks. Based on standards developed by the Internet Engineering Task Force (IETF), IPSec ensures confidentiality, integrity, and authenticity of data communications across a public IP network. IPSec provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy.

With VPNs gaining in popularity, the deployment of IPSec-based privacy and authenticity solutions is expected to grow significantly over the next several years. In order to accommodate this growth in VPNs, new solutions that provide increased encryption performance and scalability are required. IPSec capabilities in Cisco IOS software are scheduled to be augmented with high-performance encryption hardware adapters in mid-1999. These hardware adapters will deliver the ability to support large numbers of encryption sessions and provide higher-speed encryption data rates. Coupled with IPSec client software for workstations or IPSec-enabled access routers, these hardware accelerators will allow Cisco devices to serve as efficient encryption gateways or aggregation points in distributed VPN architectures.

In addition, as hackers and technology increases in sophistication, customers continue to demand more sophisticated and secure encryption technology for their VPNs. Although encryption based on 40- and 56-bit key lengths is generally accepted as sufficient today, tomorrow's VPNs will rely on longer keys and stronger encryption algorithms. Cisco will be ready in early 1999 with support for 3-DES, and, with the flexibility of Cisco IOS software, has developed Cisco VPN products with the capability to support future encryption algorithms.

Intrusion Detection

Cisco's NetRanger system is an enterprise-scale, real-time, intrusion detection system to detect, report, and terminate unauthorized activity throughout a network. NetRanger is the dynamic security component of Cisco's end-to-end security product line. With the NetRanger system, users can detect and terminate unauthorized network activity from both external and internal sources. Internal, authorized users conducting unauthorized activity on the network---such as trying to transmit confidential documents over the Internet or illegally modifying network access privileges---can be detected in real time and stopped. An external intruder trying to break into the network could be handled in the same manner.

Monitoring traffic and intrusion detection provide strong defense mechanisms against network attacks, but strong security begins inside the corporate network by ensuring that security vulnerabilities are minimized. Security auditing systems like, Cisco's NetSonar, scan the corporate network identifying potential security risks. NetSonar maps all active systems on a network, their operating systems and network services, and their associated potential vulnerabilities. NetSonar also proactively and safely probes systems using its comprehensive network security database to confirm vulnerabilities, and provides detailed information about security vulnerabilities enabling network managers to better secure the network from attacks.

As the threats to networks increase in sophistication and complexity, the ability to detect and react to these threats becomes critical. With the Cisco NetRanger intrusion detection products, Cisco has increased the ability of VPNs to operate securely. NetRanger threat database is easily upgradable for SMARTnet customers that include the latest threat profiles that the Cisco engineering labs have uncovered. NetRanger is also available as a stand-alone appliance that works in coordination the NetRanger Director simplifying deployment across the VPN infrastructure. The Cisco NetRanger system will also be enhanced with additional reporting tools that will allow the intrusion-detection tools to more fully integrate with VPN management tools.

In order to increase the value and availability of intrusion detection in the network infrastructure, Cisco plans to introduce intrusion detection capability as an optional integrated feature in selected Cisco IOS software images. Additional efforts will focus on the integration of intrusion detection systems for switched internetworks and the development of high-performance hardware products.

Management

VPNs are an extension to the enterprise network and must fit seamlessly into the overall enterprise management architecture for the current infrastructure. Enterprise customers require that the existing enterprise management environment be extended and enhanced with new VPN management capabilities that provide the administrator with control, security, and visibility from the wiring closet to the campus backbone, through the wide area and out to the VPN end user.

To meet these business requirements, Cisco is delivering a solution portfolio that meets the needs for comprehensive management of VPNs. A critical element of a comprehensive network security solution is centralized, coordinated security management. Cisco Security Manager is a security policy management system for Cisco security technologies and network devices. In its V1.0 release, Security Manager enables an administrator to define, enforce, and audit security policies for distributed Cisco PIX Firewalls.Through Cisco Security Manager, Cisco will deliver a comprehensive, policy-based security management system that extends the existing management framework with additional capabilities to manage the unique aspects of the VPN.

Cisco will also introduce an ACL policy-based manager, providing administrators with an easy-to-use, Web-based application for the design and implementation of Cisco IOS services configured through access list statements. Administrators with the ACL management tool can easily create, edit, archive, and delete ACLs for devices throughout the enterprise network.

Both Security Manager and ACL Manager will be integrated into the CiscoWorks 2000 family of network management products. By consolidating configuration, reporting, and event information into CiscoWorks 2000 Resource Manager Essentials, Cisco will enable an administrator to view critical security and network management information from a single console.

As the management cornerstone of Cisco's end-to-end security product line, Cisco Security Manager will be extended in the future to support Cisco's comprehensive security solutions, including Cisco IOS Firewall, IPSec encryption, user identity/authentication, intrusion detection, and vulnerability scanning technologies. These continuing efforts will result in a centralized, coordinated security management system for the enterprise, including support for VPNs.

VPN Services

Executive Summary---Key Developments in Quality of Service

Cisco Systems provides enterprise users with the ability to create VPNs based on software or hardware, at Layer 2 or Layer 3, and provides Quality of Service (QoS) tools to better manage expensive WAN bandwidth while providing reliable throughput on Layer 2/3 shared backbones. Cisco's ongoing developments in the arena of policy servers, Common Open Policy Service (COPS) compliance, DENs, and LDAP integration will ensure a complete end-to-end solution for QoS on virtual private networks.

Cisco's continuing developments are to enhance and augment existing Cisco IOS end-to-end QoS offerings and to offer the facilities to integrate enterprise and service provider QoS services. New capabilities addressed in this section include:

Cisco IOS 12.0 QoS enhancements
Enterprise/Service Provider QoS integration facilities
RSVP integration with Layer 2 ATM services
Cisco's IETF Intserv and DiffServ activities and developments

On-going developments include:

Rich classifier with the ability to autoclassify traffic (for example, enterprise resources planning [ERP] traffic) and mark such traffic using IP Precedence or Diff-Serv code points transparent to the user
Service-level measurement reporting
Adoption of the Diff-Serv type-of-service (ToS) byte on a universal basis
Per-ATM virtual circuit (VC) WFQ
Integration of RSVP with Distributed WFQ (DWFQ)

Introduction---VPN Services

QoS is an essential component in the efficient use of precious WAN bandwidth and ensuring reliable throughput of mission-critical data. QoS addresses two fundamental requirements for VPNs: predictable performance and policy implementation.

Cisco's QoS strategy is to provide a rich set of standards-based QoS capabilities across Cisco switch and router product families that allow the enterprise customer to fully ensure appropriate service levels for mission-critical applications, while controlling non-mission-critical applications. In a VPN environment, this strategy extends to leveraging any service provider-offered differentiated services to extend enterprise QoS policies end to end. Further, a rich set of management tools are provided for powerful configuration, administration, and measurement of QoS within the enterprise network, as well as service-level validation tools to measure service provider performance.

Today, Cisco offers the industry's most complete solution to end-to-end QoS, and with Cisco IOS Release 12.0, Cisco has significantly extended its enterprise QoS capabilities. End-to-end QoS refers to all aspects of ensuring mission-critical throughput, including features such as traffic classification, policing/shaping, bandwidth allocation, congestion avoidance, and management and validation tools. Key elements of Cisco's VPN QoS solution currently include:

Packet classification---Assigns packet priority based on enterprise network policy
Committed access rate (CAR)---Guarantees minimum throughput levels to specific applications or users based on enterprise network policy
Weighted Fair Queuing (WFQ)---Controls packet throughput based on packet priority
Weighted Random Early Detection (WRED)---Complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable throughput rates
Tag Switching/Multiprotocol Label Switching (MPLS)---Ensures continuity of packet priority across Layer 2 and Layer 3 VPNs
Generic traffic shaping (GTS)---Smoothes bursty traffic and "packet trains" to ensure optimal average utilization of VPN WAN links
Distributed traffic shaping (dTS)---Allows traffic shaping on the distributed Versatile Interface Process (VIP) on the Cisco 7500; this combines the features of GTS and Frame Relay traffic shaping (FRTS).
IP QoS/Frame Relay interworking---Allows IP QoS parameters to be respected in a Frame Relay cloud
Border Gateway Protocol (BGP) propagation---Enables the QoS policies to extend to traffic in both directions of the VPN connection
Layer 2/3 integration---Per-ATM private virtual circuit (PVC) WRED allowing congestion avoidance inside the ATM cloud

These QoS mechanisms complement each other, working together in different parts of the VPN to create a comprehensive end-to-end QoS solution. QoS solutions must be integrated across all parts of the VPN to be effective; single-point solutions cannot ensure predictable performance.

In addition to the benefits of managing bandwidth, Cisco recognizes the importance of providing VPN routing services that complement QoS mechanisms while seamlessly integrating into existing corporate network routing configurations. By supporting standard routing protocols, like EIGRP and OSPF, Cisco VPN routing services ensure cost-effective migration to VPN infrastructures that provide robust QoS without impacting existing network configurations.

Leveraging QoS into SP Networks

A key area of development is to extend the QoS policies of the enterprise into the service provider network by allowing the enterprise to leverage differentiated services offered by the service provider. The growth of Cisco Powered Networks promotes enterprise/service provider QoS integration via a common equipment infrastructure.

In addition, Cisco is actively contributing and supporting standards-based QoS activities such as the emerging IETF's Diff-Serv standards:

Intserv---The integrated services approach to QoS provides for several service types, including controlled load and guaranteed services. These services are typically implemented via Resource Reservation Protocol (RSVP). Cisco has been an active contributor to the Intserv working group and continues to expand on its RSVP product offering, including the upcoming release of RSVP/ATM QoS interworking feature on Cisco 7500 series routers.
Diff-Serv---The differentiated services approach to providing QoS in networks employs the DS byte (formerly ToS byte) in the IP header to mark a packet to receive a particular forwarding treatment, or per-hop behavior, at each network node. This standardized approach is required for interdomain use and multivendor interoperability, and consistent reasoning about expected service behaviors in a network.

Cisco is an active contributor to the IETF Diff-Serv working group and was one of the first vendors to support many of the Diff-Serv QoS behaviors being advanced by the IETF.

Cisco's Enterprise Network Management Strategy

Executive Summary - Key Developments for VPN Management

Cisco has developed a phased plan for delivering policy-based management tools for enterprise VPNs that also leverage the features of Cisco Powered Networks deployed by service providers. In the initial phases, VPN management features are integrated into the CiscoWorks 2000 product family, enabling Web-based, end-to-end management of Cisco networks. Through CiscoWorks 2000 enhancements, network managers can manage security and QoS parameters of VPNs. In the final phases, policy-based management of VPN features and security parameters are added and extended to include DEN management. Furthermore, in the final phases, Cisco provides tools for measuring and monitoring service provider performance against service-level agreement (SLA) commitments. New capabilities addressed in this section include:

Response Time Reporter
Internetwork Performance Monitor 2.0
Security Manager 1.0
ACL management tools
QoS Policy Manager 1.0

Introduction---E-VPN Management

VPNs provide enterprise customers with a unique opportunity to extend their existing network and achieve cost savings over traditional leased or private dial networks. To take advantage of this opportunity, the enterprise customer is faced with either outsourcing key aspects of the infrastructure to a service provider or taking on additional management responsibilities. For the typical enterprise customer who chooses to deploy and manage the VPN infrastructure, a comprehensive, policy-based management system is required that extends the existing management framework with additional capabilities to manage the unique aspects of the VPN.

As the network is extended with VPN technology, a strict set of business requirements must be met for the enterprise network manager to be successful. These requirements include:

Minimizing risk---Moving from a dedicated infrastructure to a shared infrastructure that perhaps utilizes the Internet as the transport presents the network manager with new security and auditing challenges. The network manager must be able to open the network to join remote users, suppliers, and partners into the network while assuring the integrity of the corporate data resources.
Scale---The rapid addition of mobile users and new business partners requires the network manager to be able to grow the network, upgrading hardware, software, bandwidth, and services with unprecedented speed and accuracy.
Cost---To realize the savings of a shared infrastructure, the network manager must be able to implement new VPN technologies and take on additional network users without growing the operations staff at a proportional rate. This scenario presents a significant issue for the network manager because the complexities of the VPN technology added to an already taxed operations staff could easily erode the cost savings.
Reliability---The performance, availability, and latency of today's wide-area networking are well understood by the network designers and managers and they are able to deploy a wide-area network that meets the availability requirements of the business. The move to a shared infrastructure presents new challenges in delivering and monitoring the reliability of the network service provided.

These business requirements present new challenges to the network manager, including:

1. Solving the issues associated with potentially complex configuration environments across multiple service providers

2. Assuring the security and integrity of the network and the corporate resources of the enterprise

3. Delivering and monitoring service levels to the customers

Cisco Systems realizes that to meet these challenges, businesses require a cohesive management environment for both today's network and the new VPN infrastructure.

Vision and Strategy

Cisco's strategy for empowering the network manager to deploy and manage effective VPN solutions comprises three major elements:

Provide scalable, network-wide management---The network must be managed by policy, as a uniform and integrated entity, and not by approaches that require the network manager to configure the network on a device-by-device basis. A comprehensive approach enables the network manager to consistently implement security and QoS policy across the collection of resources that create the VPN.
Evolve a comprehensive management suite for hybrid networks---VPNs are an extension to the enterprise network and must seamlessly fit into the overall enterprise management architecture already in place for managing the current infrastructure. The solutions require that the existing enterprise management environment be extended and enhanced with new VPN management capabilities that provide the network manager with control, security, and visibility from the wiring closet to the campus backbone, through the wide area and out to the VPN end user. Only through the end-to-end management of these hybrid networks will the business requirements be satisfied.
Leverage the value of Cisco Powered Networks---Service providers that have deployed Cisco technology and services to deliver the VPN infrastructure may utilize the Cisco Service Management (CSM) solution set to achieve their operations and business objectives. As part of the CSM solution set, provisioning and service monitoring solutions enable the service provider to deliver the VPN connectivity to businesses. By creating a bridge between the enterprise management solutions and the CSM solutions, Cisco enables the enterprise network manager to receive configuration information from the SP; validate that the service levels provided by the SP match the experience of the enterprise; and deliver QoS policy to the SP to ensure end-to-end QoS for mission-critical applications.

To meet these business requirements, Cisco is delivering a solution portfolio that meets the needs for comprehensive management of VPNs. This multitiered functional architecture provides the framework for the delivery of solutions for service management, network management, policy management, and infrastructure management, as shown in Figure 5.

Figure 5: VPN Management Model

Cisco has developed a four-phase plan for achieving the vision and strategy of policy-based, enterprise management of hybrid networks that can leverage the power of Cisco Powered Networks.

Phase I: Internet-Powered Network Management---Building on the success of the CiscoWorks 2000 product family that provides comprehensive, Web-enabled management for campus and end-to-end Cisco networks, the new VPN infrastructure will be seamlessly integrated into this solution portfolio. This scenario provides the network manager with a unified and broad range of enterprise functionality for managing the additional VPN technologies.
Phase II: Network Service Management---Extending on the existing infrastructure and connectivity management provided in Phase I, the management of VPN perimeter security, QoS, and network services delivered through Cisco IOS access control lists, is provided in this phase. This functionality provides the network manager with new control and management applications that meet the needs of the initial VPN solutions.
Phase III: Enhanced VPN Management---To meet the challenges of additional VPN solutions, this phase delivers comprehensive, policy-based security management for administration of IPSec, multiple tunnel technology (L2TP, L2F, GRE), and an embedded certificate authority to enhance scalability. Extensions to the QoS management for the unique challenges presented by VPN solutions are delivered in this phase, enabling the network manager to deliver large-scale VPN solutions that meet the strict requirements for mission-critical applications. The delivery and monitoring of service levels provided by the VPN infrastructure are also delivered in this phase, providing the network manager with advanced solutions to the unique challenges of VPN security, QoS, and service-level management.
Phase IV: Directory-Based Policy Management---As the diversity of the VPN solutions grows and increasing numbers of service providers, customers, remote access users, and applications are deployed on VPN solutions, the need for open, standard, replicated, and integrated management services becomes imperative. It is in this phase that the solutions delivered in the previous phases are enabled with the power of directory services to realize comprehensive, directory-enabled network solutions for VPNs.

Product Developments

The rollout of solutions for VPN management builds on the Cisco Assure initiative and the CiscoWorks 2000 enterprise management family to deliver scalable, policy-based management solutions for each phase of the strategy. The solutions roadmap by phase follows:

Phase I: Internet-Powered Network Management
- CiscoWorks 2000---A new family of products based on Internet standards and technologies for managing Cisco enterprise networks and devices; Resource Manager Essentials and CiscoWorks For Switched Internetworks (CWSI) campus couple device management with Web-based technologies, Internet information, and extensive third-party partnering to deliver on Cisco's vision of a comprehensive enterprise management intranet
- Cisco ConfigMaker---A free, easy-to-use Microsoft Windows 95, 98, and NT 4.0-based software tool designed to configure a small network of Cisco routers, switches, hubs, and other network devices from a single PC
Phase II: Network Service Management
- Security Manager---A comprehensive policy-based solution for security management that in this initial release manages Cisco's PIX Firewall solution
- CiscoWorks 2000 WAN Services Suite
  - IPM 2.0---Internetwork Performance Monitor (IPM) Version 2.0 is a network response time and availability troubleshooting application; this tool empowers network engineers to proactively troubleshoot network response times utilizing real-time and historical reports
  - Access Control List management---ACL management tools is a easy-to-use application that provides the network engineer and operations staff with a Web-based application for the design and implementation of Cisco IOS services configured through access list statements
- CiscoAssure Policy System---A QoS management environment for centralized policy enforcement and auditing of the broad range of Cisco IOS QoS features
Phase III: Enhanced VPN Management
- Service-Level Agreement Monitor---A robust, scalable service-level agreement monitoring solution that leverages the embedded intelligence of Cisco IOS software; provides the network manager with a business level monitor for deploying and maintaining service levels
- Security Manager VPN Enhanced
- CiscoAssure Policy System VPN Enhanced
- CiscoWorks 2000 Automated Configuration Manager---A scalable, Web-based solution for automating the rapid and reliable deployment of network changes throughout the campus and wide-area networks
Phase IV: Directory-Based Policy Management
- Cisco Networking Services for Active Directory (CNS/AD)
- Cisco Powered Networks Management Connection
- Directory-Enabled Networks (DENs) enhanced
  - Security Manager
  - QoS Manager
  - CiscoWorks 2000

Cisco's E-VPN Strategy - Conclusion

There is much hype in the industry currently concerning VPNs, their functionality, and how they fit in the enterprise network architecture. VPNs do not inherently change WAN requirements like support for secure infrastructures, high reliability, multi-protocol support and extensive scalability, but instead meet these requirements more cost effectively. A VPN can utilize the most pervasive transport technologies available today: the public Internet, service provider IP backbones, as well as service provider frame relay and ATM networks. The functionality of a VPN is defined primarily by the equipment deployed at the edge of the enterprise network, and feature integration across the WAN, not by the WAN transport protocol itself.

Cisco E-VPN's complement and extend existing private enterprise networks by:

Extending geographical connectivity to home and mobile users, as well as to new constituencies, which include customers, suppliers and partners.
Providing cost reductions which result from lower transport costs and a simplified network infrastructure
Enabling new business applications, global networking and the Internet economy

Cisco's VPN-enabled router family provides a smooth migration to an E-VPN environment

Cisco has shipped nearly 10 million VPN-ready ports, which are easily enabled with Cisco IOS 12.0
IOS-based security and VPN services provide the integrated building blocks for reliable and secure VPNs
Cisco integrates existing enterprise LANs and WANs with the new VPN infrastructure
VPN migration is facilitated with comprehensive pre- and post-sale service and support

Cisco provides the most comprehensive solution set for E-VPN networking with:

Cisco's 5-point E-VPN strategy delivering an integrated tool kit of E-VPN platforms, security, services, appliances and management solutions
An open standards-based solution, which facilitates integration with the existing network and with business partners
Cisco's products extending the scalability and services of the existing enterprise network to create secure and reliable VPNs
Cisco's end to end E-VPNs link to the campus and Service Provider WAN for data, voice and video communications at narrowband and broadband speeds
Cisco service monitoring and auditing capabilities which underpin E-VPN Service Level Agreements (SLAs), security and services
Key technology and support partnerships extending and complementing the Cisco E-VPN solution

Figure 6: Cisco's E-VPN Advantage