
Network-Based Security Services

Cisco Network-Based Security Services Solution

SOLUTION OVERVIEW

EXECUTIVE SUMMARY

The Cisco® Network-Based Security Services solution helps service providers to deliver cost-effective, scalable, integrated security services for enterprise customers using Cisco platforms. With the centrally managed Cisco Network-Based Security Services solution, service providers can expand their service portfolio with secure on-net and off-net remote access, remote site-to-site services, and firewall capabilities.
Service providers can take advantage of this Cisco solution to evolve network foundations for enabling additional value-added services, maintaining long-term competitive advantages, increasing return on investment (ROI), and reducing operating expenses. This solution is currently available on the Cisco 7200 Series and Cisco 7301 routers, with the newest release also supporting the Cisco 7600 Series routers and Cisco Catalyst® 6500 Series switches.
With the newest platforms and corresponding unique hardware service modules, service providers can deliver IP Security (IPSec) aggregation and virtual firewall functions on one platform and with the performance and scalability to support a growing base of customers.
The Cisco Network-Based Security Services solution helps service providers to generate new revenue streams by offering a more comprehensive bundle of secure VPN and security services for enterprise and small- and medium-sized-business (SMB) customers. Simultaneously, this Cisco solution helps service providers to broaden their service portfolio and securely extend the customer's networked resources outside of the service area to teleworkers, mobile workers, remote sites, and business partners.
Hardware service modules integrate and optimize support for the following:

• Secure IPSec VPN termination

• Stateful firewall and authentication services

• Network Address Translation (NAT)


Cisco Network-Based Security Services solution supports one or more of the following VPN deployment architectures:

• IPSec to IP/Multiprotocol Label Switching (MPLS) VPNs

• Virtual firewall with MPLS VPNs

• IPSec and virtual firewall to MPLS VPNs

• Provider edge-to-provider edge (PE-PE) encryption


While this paper focuses predominantly on MPLS core networks, it is important to note that these architectures can work with Layer 2 ATM or Frame Relay core networks or IP core networks, as well.
The supported deployment architectures feature:

• The latest Cisco software and hardware technology enhancements

• Flexible firewall, NAT, and authentication, authorization, and accounting (AAA) options

• High availability and load-balancing controls


CISCO SOLUTION OVERVIEW

Historically, customer premises equipment (CPE)-based solutions have dominated the managed VPN services market. However, managed CPE-based firewalls and VPN services do not scale well, because every customer connection requires its own device to be provisioned and managed. The Cisco Network-Based Security Services solution moves these functions into the provider network, giving service providers a more scalable and cost-effective approach: new incremental services can be introduced on the same platform, with the associated service modules providing integrated support for VPN and firewall capabilities.
With the Cisco Network-Based Security Services solution, service providers can offer a secure, ubiquitous, and fully integrated VPN service to enterprise and SMB customers. Service providers can take full advantage of an existing Layer 3 MPLS-enabled network or Layer 2 network to introduce new revenue-generating service options such as class-of-service (CoS) priorities for individual applications and users as well as service-level agreements (SLAs). New VPN customers can be provisioned without installing additional interfaces or re-addressing edge platforms.
The Cisco Network-Based Security Services solution facilitates easy turn-up of new customers by eliminating the need for truck rolls and ongoing management of individual CPE, thereby reducing costs and operational demands. More remote sites and enterprise users can be effectively served at a lower cost with centralized configurations and simplified network operations. These savings help a service provider more quickly respond to customer needs, ultimately increasing customer loyalty and reducing turnover.
The following sections describe the primary VPN and firewall product features of the Cisco Network-Based Security Services solution, and the high-availability and load-balancing capabilities available with all of the deployment architectures.

Primary Features for IPSec VPNs

The Cisco Network-Based Security Services solution includes many features for enhanced IPSec capability and VPN deployments:

Virtual routing and forwarding (VRF)-aware IPSec-This feature maps IPSec tunnels into VRFs on a VRF-aware core network, supporting IPSec integration with MPLS-based VPNs as well as with Layer 2 ATM-based and Frame Relay-based networks. A single public-facing interface can terminate tunnels for customers and sites belonging to multiple enterprises. Each IPSec session is mapped to its VRF based on the IKE identity presented by the peer, so that each customer's traffic is forwarded only within that customer's VPN.

Cisco Easy VPN server and remote client-Establishing secure VPN connections can involve multiple network administrators installing network security policies at both the server and all the associated remote VPN clients. The Cisco Easy VPN feature eliminates much of the previously tedious configuration work by implementing the Cisco VPN client protocol on the Cisco CPE. Most VPN parameters can then be defined at the centrally managed Cisco Easy VPN server (IPSec aggregator). IPSec policies are dynamically "pushed" to the client by the server during the IPSec tunnel establishment time, minimizing the tedious configuration work required at the individual remote-client level.

IPSec NAT transparency-IPSec does not function through NAT devices as is: ESP carries no port numbers for the NAT device to translate, and AH authenticates the very IP header that NAT rewrites. With this feature, IPSec peers detect the NAT during IKE negotiation and encapsulate the IPSec traffic in UDP (port 4500) so that it can traverse the NAT device. The IETF standard for negotiating NAT traversal in IKE is RFC 3947 (http://www.ietf.org/rfc/rfc3947.txt); the UDP encapsulation itself is defined in RFC 3948.

Dynamic Multipoint VPN (DMVPN) (Supported on the Cisco 7200 Series and Cisco 7301 only.)-DMVPN uses Next Hop Resolution Protocol (NHRP) and multipoint generic routing encapsulation (mGRE) to create dynamic and scalable hub-to-spoke as well as spoke-to-spoke IPSec topologies that can be fully integrated with an MPLS VPN. It reduces the configuration on the aggregation or CPE devices and supports dynamic addressing on the CPE.

Quality of service (QoS) per VPN group-This feature helps enable the application of QoS services such as traffic policing and shaping to IPSec-protected data. On the Cisco 7200 Series and Cisco 7301, QoS policies can be defined per Internet Security Association and Key Management Protocol (ISAKMP) group (an ISAKMP group typically corresponds to a customer), and can be used to enforce bandwidth agreements and help ensure that customers get equal access to the available bandwidth across the available links. Because the Cisco 7600 Series uses a VLAN per VPN, per-VPN QoS policies can be applied on the VLAN interface to provide QoS per VPN customer.

Public Key Infrastructure (PKI)-The solution supports extensive PKI features, including support for multiple Rivest, Shamir, and Adleman (RSA) key pairs and multiple trustpoints per device. This allows the IPSec aggregator to enroll with multiple certificate authority (CA) servers and hold a certificate from each, which is useful because each supported VPN can use a different CA server for its PKI implementation. The solution also supports mapping IPSec sessions into their respective VRFs based on the Distinguished Name (DN) attributes in the certificates presented by the clients, so that a peer is placed in a customer's VRF only if it presents a certificate acceptable for that customer.

Dead-peer detection (DPD)-Based on the IETF dead peer detection mechanism (RFC 3706), DPD facilitates high availability and resource cleanup by letting a peer accurately determine the connection status and take appropriate action when the connection is lost. DPD is a scalable mechanism that consumes less CPU than traditional periodic keepalives, which is especially important on an IPSec aggregator router that supports a large number of IPSec connections.

Idle timeout-The IPSec idle-timeout feature allows the IPSec aggregator to disconnect idle IPSec sessions after a predefined period of time, thereby conserving resources and facilitating accurate billing for connection time.
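The following Cisco IOS configuration fragment is an added example (it is not configuration from the original document) showing how the VRF-aware IPSec, certificate-DN-based VRF mapping, multiple-trustpoint PKI, DPD and idle-timeout features described above combine on an aggregator that terminates two customers on one public interface. The VRF names, trustpoint and map names, organization strings, addresses and timer values are assumptions chosen for the illustration; the RSA key pairs are assumed to have been generated beforehand (`crypto key generate rsa label RSA-CUST-A modulus 2048`), and older Cisco IOS releases spell the trustpoint and certificate-map commands with `crypto ca` instead of `crypto pki`.

```cisco
! Added example: VRF-aware IPSec aggregator terminating two customers on one
! public interface. All names and addresses are assumed for illustration.
ip vrf CUST-A
 rd 65000:1
ip vrf CUST-B
 rd 65000:2
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! One RSA key pair and one trustpoint per customer CA (multiple CAs per box)
crypto pki trustpoint CA-CUST-A
 enrollment url http://ca.cust-a.example/
 rsakeypair RSA-CUST-A
 revocation-check crl
crypto pki trustpoint CA-CUST-B
 enrollment url http://ca.cust-b.example/
 rsakeypair RSA-CUST-B
 revocation-check crl
!
! Certificate maps: only a certificate whose subject names the customer's
! organization is accepted into that customer's profile, and so its VRF.
crypto pki certificate map CERTMAP-CUST-A 10
 subject-name co o=cust-a
crypto pki certificate map CERTMAP-CUST-B 10
 subject-name co o=cust-b
!
! ISAKMP profiles bind the matched certificate to the customer VRF and
! enable DPD (RFC 3706): probe after 10 s of silence, retry every 3 s.
crypto isakmp profile PROF-CUST-A
 vrf CUST-A
 ca trust-point CA-CUST-A
 match certificate CERTMAP-CUST-A
 keepalive 10 retry 3
crypto isakmp profile PROF-CUST-B
 vrf CUST-B
 ca trust-point CA-CUST-B
 match certificate CERTMAP-CUST-B
 keepalive 10 retry 3
!
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
! Tear down IPSec SAs that carry no traffic for 10 minutes
crypto ipsec security-association idle-time 600
!
! One dynamic crypto map per customer; reverse-route installs a route for
! each remote site into that customer's VRF when its SA comes up.
crypto dynamic-map DYN-CUST-A 10
 set transform-set TS-3DES
 set isakmp-profile PROF-CUST-A
 reverse-route
crypto dynamic-map DYN-CUST-B 10
 set transform-set TS-3DES
 set isakmp-profile PROF-CUST-B
 reverse-route
!
crypto map CM-PUBLIC 10 ipsec-isakmp dynamic DYN-CUST-A
crypto map CM-PUBLIC 20 ipsec-isakmp dynamic DYN-CUST-B
!
interface GigabitEthernet0/0
 description Shared public-facing interface for all customers
 ip address 192.0.2.2 255.255.255.0
 crypto map CM-PUBLIC
```

On the aggregator, `show crypto session` confirms which ISAKMP profile (and therefore which VRF) each peer landed in, and `show ip route vrf CUST-A` should list reverse-route entries only for customer A's remote sites; a remote site appearing in the wrong VRF indicates that the certificate maps are not selective enough.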


The Cisco Network-Based Security Services solution also includes AAA features and extensive RADIUS support:

Per-VRF AAA feature (Supported on the Cisco 7200 Series and Cisco 7301 only.)-Using this feature on the IPSec aggregator or provider edge, service providers can partition AAA services based on VRF. This allows the IPSec Aggregator to communicate directly with the RADIUS server associated with a specific customer VPN, without having to go through a RADIUS proxy.

Client authentication-A RADIUS server (for example, Cisco CNS Access Registrar), at either the customer or service provider site, can be used to authenticate and authorize remote-access clients. Customer-managed RADIUS servers typically store per-user information (such as user authentication data). At the service provider site, a RADIUS server can store all AAA and configuration information, or the information can be split across two servers.

RADIUS-based start-stop IPSec accounting feature-This feature provides client accounting records that can be used for billing purposes. The accounting records carry the VRF ID so that each session can be attributed to its VPN; other attributes in the records include the client username, IP address, session time, and session byte and packet counts. A session constitutes all IPSec transmissions for a particular user or device.

Per-user RADIUS attributes-A number of per-user attributes are supported to provide granular AAA control. These attributes include per-user IP address assignment, the maximum number of allowed logins per user, and a remote firewall check.

Per-group RADIUS attributes-The per-group attributes supported include group lock (the ability to ensure that users can only connect to their own VPN by tying Internet Key Exchange group membership to user authentication during XAUTH), the ability to control the maximum number of simultaneous sessions per VPN, and the ability to define split-Domain Name System (DNS) servers.
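As an added example (not configuration from the original document), the following Cisco IOS fragment ties the per-VRF AAA, client authentication, RADIUS accounting and per-user/per-group attribute features described above to one customer's Easy VPN group on the aggregator. The RADIUS server address and key, VRF, pool, loopback, group names and limits are assumptions, and the group key is illustrative only.

```cisco
! Added example: Easy VPN server with per-VRF AAA and accounting (Cisco IOS).
! Server address, key, VRF, pool and group names are assumed for illustration.
aaa new-model
!
! Customer A's RADIUS server sits inside customer A's VPN: the aggregator
! reaches it through the CUST-A VRF directly, without a RADIUS proxy, even
! if another customer uses the same private address space.
aaa group server radius RAD-CUST-A
 server-private 10.10.1.5 auth-port 1812 acct-port 1813 key RadiusSecretA
 ip vrf forwarding CUST-A
 ip radius source-interface Loopback101
!
aaa authentication login XAUTH-CUST-A group RAD-CUST-A
aaa authorization network GROUPAUTH-CUST-A group RAD-CUST-A
aaa accounting network ACCT-CUST-A start-stop group RAD-CUST-A
!
interface Loopback101
 ip vrf forwarding CUST-A
 ip address 10.10.255.1 255.255.255.255
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! NAT-T is on by default; send NAT keepalives every 20 s through NAT devices
crypto isakmp nat keepalive 20
!
! Local group policy pushed to Easy VPN clients; per-group RADIUS attributes
! (group lock, maximum sessions, split DNS) can override or extend it.
crypto isakmp client configuration group cust-a-easyvpn
 key GroupKeyA-change-me
 pool POOL-CUST-A
 dns 10.10.1.10
 domain cust-a.example
 max-users 500
 max-logins 1
!
ip local pool POOL-CUST-A 10.10.200.1 10.10.200.254
!
! The IKE group identity "cust-a-easyvpn" selects this profile and thus
! VRF CUST-A; XAUTH and group authorization go to customer A's RADIUS,
! and start/stop accounting records are sent there too.
crypto isakmp profile PROF-CUST-A
 vrf CUST-A
 match identity group cust-a-easyvpn
 client authentication list XAUTH-CUST-A
 isakmp authorization list GROUPAUTH-CUST-A
 client configuration address respond
 accounting ACCT-CUST-A
!
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
crypto dynamic-map DYN-CUST-A 10
 set transform-set TS-3DES
 set isakmp-profile PROF-CUST-A
 reverse-route
crypto map CM-PUBLIC 10 ipsec-isakmp dynamic DYN-CUST-A
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 crypto map CM-PUBLIC
```

Group lock is then enforced on the RADIUS side: the user's profile carries the group-lock Cisco AV pair (`ipsec:user-vpn-group=cust-a-easyvpn`), and a user who authenticates through XAUTH while presenting a different IKE group name is rejected, so customer B's credentials cannot be used to enter customer A's VRF even if the group key were known.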


The Cisco Network-Based Security Services solution features the Cisco 7600 Series IPSec VPN Services Module (VPNSM) for efficiently delivering IP VPN connectivity, integrated with the platform's network-device capabilities and with VPN technologies such as Multiprotocol Label Switching (MPLS). Currently only one VPNSM per chassis is supported with this solution. The VPN services module delivers performance and scalability with up to:

• 1.9-Gbps Triple Data Encryption Standard (3DES) (for large packet sizes)

• 65 tunnels-per-second establishment rate

• Maximum of 4000 VPN tunnels per chassis


The latest release of this service module incorporates many enhancements including:

• Easy VPN IPSec-based remote access

• Onboard GRE acceleration

• Look-ahead fragmentation support

Primary Features for Firewalls

The Cisco Network-Based Security Services solution provides the industry's best firewall performance with the introduction of the Cisco 7600 Series Firewall Services Module. While minimizing the required hardware investment, the firewall services module helps service providers to offer scalable, high-performance, versatile firewall services to their VPN customers. Service providers can take advantage of hardware functions to offer customers perimeter security, secure connectivity, intrusion protection, authentication, and policy management.
The firewall services module introduces the ability to support virtual firewalls. A Virtual Firewall System (VFS) provides multiple logical firewalls for multiple networks on one system. A service provider with numerous subscribers can provide virtualized firewall functions that separate and secure all the subscribers while managing the solution and services from one system. This is accomplished by establishing "security domains" (security contexts), each controlled by a virtual firewall with its own defined security policy. Security domains are isolated from one another: the interfaces, policies, and connection state of one domain are not visible to any other domain on the same system. Each virtual firewall is functionally similar to a standalone firewall and is configured with its own inbound and outbound policies and network objects, but because all of them are administered through the one system, management of the whole collection is simplified. In addition, VFS allows security domains to be added and removed as needed, providing scalability as the subscriber base grows.
The primary features for the Cisco 7600 Series Firewall Services Module include the following:

• High-performance firewall module-5.5 Gbps aggregate throughput, up to 1 million concurrent connections, and a connection rate of 100,000 new connections per second

• Up to 100 security contexts per module blade; up to 4 blades per chassis (aggregate throughput of 22 Gbps)

• Up to 1000 VLAN interfaces per blade spread across all the security contexts

• Interchassis as well as intrachassis stateful failover; interface tracking and monitoring for failover

• Resource limiting (absolute and rate-limited) to prevent a context from consuming all the system resources

• Controlled access between interfaces of same or different security level

• Telnet, Secure Shell (SSH) Protocol, HTTP, or IPSec access for management per context

• Fix-ups for a number of applications and protocols including Internet Control Message Protocol (ICMP), FTP, H.323, Media Gateway Control Protocol (MGCP), Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP), etc., for up to 32 fix-ups per context

• AAA for device-access authentication and authorization, and network-access authentication, authorization, and accounting

• Dynamic, static, bidirectional, and policy NAT

• Filtering-Local as well as external (up to four external filtering servers per context)
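The following fragment is an added example (not configuration from the original document) of how the virtual-firewall features listed above are expressed on a Firewall Services Module: the Cisco 7600 supervisor hands the customer VLANs to the module, the module's system execution space carves out one security context per customer and attaches a resource class, and each context then carries its own interfaces, NAT, access policy, application fix-ups and management access. The slot, VLAN numbers, addresses, context and class names are assumptions; the context-level commands use the later ASA-style syntax (`interface` / `nameif` / `security-level`), whereas FWSM 2.x releases use the PIX 6.x-style `nameif` form.

```cisco
! Added example: virtual firewalls on the Firewall Services Module.
! Slot, VLANs, addresses, context and class names are assumed.
!
! --- On the Cisco 7600 supervisor: hand the customer VLANs to the module
firewall vlan-group 10 100,101,200,201
firewall module 3 vlan-group 10
!
! --- On the FWSM, system execution space: one security domain per customer
mode multiple
!
! Resource class so that one busy customer cannot starve the others
class GOLD
 limit-resource conns 20%
 limit-resource rate conns 5000
!
admin-context admin
context admin
 allocate-interface vlan10
 config-url disk:/admin.cfg
!
context CUST-A
 description Virtual firewall for customer A
 allocate-interface vlan100
 allocate-interface vlan101
 config-url disk:/cust-a.cfg
 member GOLD
!
context CUST-B
 description Virtual firewall for customer B
 allocate-interface vlan200
 allocate-interface vlan201
 config-url disk:/cust-b.cfg
 member GOLD
!
! --- Inside context CUST-A (disk:/cust-a.cfg): its own interfaces, policy,
!     NAT, fix-ups and management access; context CUST-B is configured the
!     same way and never sees these objects or connections.
interface Vlan100
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Vlan101
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Dynamic NAT for the customer's private space, static NAT for its web server
nat (inside) 1 10.10.0.0 255.255.0.0
global (outside) 1 198.51.100.20-198.51.100.30
static (inside,outside) 198.51.100.10 10.10.0.10 netmask 255.255.255.255
!
! Only HTTPS to the published server is allowed in from the Internet
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.10 eq 443
access-group OUTSIDE-IN in interface outside
!
! Application fix-ups for protocols that embed addresses in their payload
fixup protocol ftp 21
fixup protocol sip 5060
!
! Management of this context only from the customer's inside network
ssh 10.10.0.0 255.255.255.0 inside
```

Because NAT, the access list and the SSH restriction are defined inside the context, a change made for customer A cannot weaken customer B's policy; the only shared decisions are the VLAN allocation and the resource class in the system execution space.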


High Availability and Load Balancing

The Cisco Network-Based Security Services solution supports numerous features that allow multiple options to deploy redundancy and load balancing. For smaller scale IPSec deployments, Hot Standby Router Protocol (HSRP) and Reverse Route Injection (RRI) can be used to provide redundancy while for larger deployments Cisco server load balancing (SLB) can be used to provide redundancy as well as load balancing:

HSRP and RRI-RRI works with both dynamic and static crypto maps to simplify network designs for VPNs requiring either high availability or load balancing. When an IPSec security association is established, RRI injects a static route for the remote network or host into the headend's routing table; these routes can then be redistributed into the dynamic routing protocol so that the rest of the network learns which headend currently terminates a given tunnel. HSRP and RRI together reroute traffic dynamically to provide maximum availability of services. For hosts that do not have the ability to switch to another router in the event of a primary router failure, HSRP provides continuous network access: the HSRP virtual IP address is used as the VPN tunnel endpoint, so the standby router takes over the endpoint address when the active router fails. This failover is stateless; IKE and IPSec security associations are not replicated, so remote peers re-establish their tunnels with the new active router (DPD shortens the time it takes them to notice the change).
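As an added example (not configuration from the original document), this Cisco IOS fragment shows the HSRP-plus-RRI arrangement described above on the primary headend. The addresses, HSRP group name, map names and OSPF process are assumptions; the standby headend carries the same crypto configuration with a lower HSRP priority.

```cisco
! Added example: stateless IPSec failover with HSRP and RRI (Cisco IOS).
! Addresses, group and map names are assumed; the peer headend has the same
! crypto configuration with "standby 1 priority 100".
!
! DPD so that remote peers notice a failover quickly and renegotiate
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
crypto dynamic-map DYN-REMOTES 10
 set transform-set TS-3DES
 ! Inject a static route for each remote network when its SA comes up
 reverse-route
crypto map CM-HA 10 ipsec-isakmp dynamic DYN-REMOTES
!
interface GigabitEthernet0/0
 description Public side; peers use the HSRP virtual IP as tunnel endpoint
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 ! Give up the active role if the inside link fails
 standby 1 track GigabitEthernet0/1 20
 ! Bind the crypto map to the HSRP group: the virtual address is the
 ! IKE/IPSec endpoint on whichever router is currently active
 crypto map CM-HA redundancy VPN-HA
!
interface GigabitEthernet0/1
 description Inside; towards the provider edge
 ip address 10.1.1.2 255.255.255.0
!
! Redistribute the RRI-injected statics so the core follows the active
! headend after a failover
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 redistribute static subnets
```

Because the failover is stateless, `show crypto isakmp sa` on the newly active router is empty until the peers' DPD timers expire and they renegotiate against the virtual address; the DPD interval and retry count therefore bound the outage seen by the remote sites.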

SLB-Virtual servers can be defined to represent a group of physical servers in a cluster of network servers (a server farm). When a client initiates a connection to the virtual server, the Cisco IOS® Software chooses a physical server for the connection based on a configured load-balancing algorithm. In case of a failure of a physical server, the SLB dynamically reroutes all the incoming new IPSec sessions to the other server, thus providing redundancy.


For firewall services, Cisco 7600 Series routers support both interchassis as well as intrachassis stateful failover:

Intrachassis failover-The Cisco Network-Based Security Services solution facilitates the deployment of multiple firewall service modules within the same chassis such that the standby module would take over the functions of a failed module, thus protecting the service against module failure.

Interchassis failover-To protect against router-level failure, the firewall services modules can be installed in different Cisco 7600 Series routers; in this case the connection state information is sent between chassis.
During normal operation, the active unit continually passes per-connection state information to the standby unit, so that after a failover the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect and keep their existing communication sessions.

DEPLOYMENT ARCHITECTURES

The Cisco Network-Based Security Services solution can be deployed with one of the four VPN architectures:

• IPSec to IP/MPLS

• Virtual firewall with MPLS (supported with the Cisco 7600 and Cisco Catalyst 6500 series only)

• IPSec and virtual firewall to MPLS

• Provider edge-to-provider edge encryption (supported with the Cisco 7200 Series and Cisco 7301 only)

Note: All of these architectures can be implemented using either a 1-box model or a 2-box model. In the 1-box model, the same box performs both the functions of security services and MPLS provider edge. In the 2-box model, one box takes care of the security services and the second box acts as the MPLS provider edge.

IPSec-to-IP/MPLS VPN Deployment Architecture

In this deployment architecture, the service provider has an existing IP backbone network (using MPLS or Layer 2 Frame Relay or ATM conventions) and is offering VPN services that interconnect all customer sites including remote sites that are part of the VPN. This model helps enable secure off-net access to IP/MPLS VPNs through IPSec. It allows service providers with IP backbone networks to extend access to their on-net Frame Relay, ATM, or MPLS VPNs to include worldwide Internet access. The service provider's customers who wish to deploy a dynamic routing model can use generic routing encapsulation (GRE) combined with IPSec. For this deployment architecture, the service provider can use the same router to function as an IPSec termination device and also as a provider edge (Figure 1), or can segregate the two functions on two separate routers (Figure 2).

Figure 1

IPSec-to-IP/MPLS VPN Deployment Architecture (IPSec Aggregation and Provider Edge on Same Router)


Figure 2

IPSec-to-MPLS VPN Deployment Architecture (IPSec Aggregation and Provider Edge on Separate Routers)


Virtual Firewall with MPLS VPN Deployment Architecture

The Cisco 7600 Series Firewall Services Module helps enable the delivery of NAT and firewall security services to VPN customers accessing the Internet. This is an important service that can be offered to SMBs in all industries including finance and manufacturing, and also to enterprise customers including education institutions such as universities. Figure 3 shows a deployment model that provides virtual firewall functions with the firewall services module: the virtual firewall inspects and filters all traffic that passes between the customer VRFs and the Internet, so that each customer's Internet access is governed by that customer's own policy. (This architecture is not supported for the Cisco 7200 Series or Cisco 7301 routers.)

Figure 3

Virtual Firewall with MPLS VPN Deployment Architecture


IPSec and Virtual Firewall to MPLS VPN Deployment Architecture

The service provider can provide MPLS VPN customers two forms of secure access to the Internet: one using IPSec, and one using firewall capabilities. If a service provider is already using a Cisco 7200 Series Router as an IPSec aggregator, a Cisco 7600 Series Router can be deployed to implement a firewall for the existing Cisco 7200 Series. The solution can be deployed in two ways:

• With dual access to the Internet: one for IPSec and the other for firewall services.

• With the same Internet-access solution for both IPSec and firewall services: the firewall services module is placed either in front of the IPSec routers or in parallel with them.


If the service provider is already using the Cisco 7600 Series to provide both VRF-aware IPSec and virtual firewall service, the access to the Internet for both services can be accomplished using one physical interface (see Figure 4). The placement of the firewall services module and the VPN services module plays an important role. The two supported choices include:

• The logical placement of the firewall services module in front of the VPN services module.

• The logical placement of the firewall services module in parallel with the VPN services module.


Figure 4

IPSec and Firewall to MPLS VPN Deployment Architecture (IPSec Provided by Cisco 7200 Series; Firewall by Firewall Services Module)


Provider Edge-to-Provider Edge Encryption VPN Deployment Architecture

The provider edge-to-provider edge encryption deployment architecture allows the service provider to encrypt traffic between provider-edge devices across an MPLS network (Figure 5) while still maintaining the traffic separation provided by MPLS. This architecture, supported with the Cisco 7200 Series or Cisco 7301, is accomplished by running the label-switched path (LSP) across a GRE tunnel between the provider-edge devices and protecting that tunnel with IPSec; all packets flowing through the GRE tunnels, MPLS labels included, are encrypted. Note that this protects customer traffic only while it crosses the provider core between the two provider-edge devices; the access links between the CPE and the provider edge are not covered.
Within the MPLS VPN network, a service provider's customers can also accomplish end-to-end encryption, from CPE to CPE, where the CPE devices are directly connected to the MPLS network.
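As an added example (not configuration from the original document), the following Cisco IOS fragment shows the PE1 side of a PE-to-PE encrypted path as described above: a GRE tunnel between the two provider-edge routers is protected by IPSec, LDP runs over the tunnel, and MP-BGP VPNv4 peering uses an address that is reachable only through the tunnel. The addresses, names, autonomous system number and pre-shared key are assumptions; PE2 mirrors this configuration with the addresses swapped, and reachability between the Loopback0 addresses over the physical core is assumed and not shown.

```cisco
! Added example: PE1 side of a PE-to-PE encrypted MPLS path (Cisco IOS).
! Addresses, names, AS number and key are assumed; PE2 mirrors this with
! the addresses swapped. Loopback0 reachability over the physical core
! (underlay IGP) is assumed and not shown.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PePeSharedSecret-change-me address 10.0.0.2
!
crypto ipsec transform-set TS-PE esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile PE-PE
 set transform-set TS-PE
!
! Underlay address: GRE/IPSec tunnel endpoint, reachable only via the core
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! MPLS-side address: BGP VPNv4 next hop, reachable only through the tunnel
interface Loopback1
 ip address 10.254.0.1 255.255.255.255
!
! GRE tunnel between the PEs, protected by IPSec. LDP runs over it, so the
! LSP and every labelled VPN packet travel inside ESP across the core.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 mpls ip
 tunnel source Loopback0
 tunnel destination 10.0.0.2
 tunnel protection ipsec profile PE-PE
!
! A separate IGP instance for the MPLS side advertises only Loopback1 and
! the tunnel subnet. Loopback0 must never be learned through the tunnel:
! that would route the tunnel destination through the tunnel itself and
! flap it (recursive routing).
router ospf 2
 network 10.254.0.1 0.0.0.0 area 0
 network 10.255.0.0 0.0.0.3 area 0
!
router bgp 65000
 neighbor 10.254.0.2 remote-as 65000
 neighbor 10.254.0.2 update-source Loopback1
 address-family vpnv4
  neighbor 10.254.0.2 activate
  neighbor 10.254.0.2 send-community extended
 exit-address-family
```

With this split, `show mpls ldp neighbor` should show the LDP session over Tunnel0 and `show crypto ipsec sa` should show the encrypt/decrypt counters growing on the PE-PE SA as customer traffic flows; a VPNv4 route whose next hop resolves over a physical interface rather than Tunnel0 indicates that the labelled traffic is bypassing the encrypted path.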

Figure 5

Provider Edge-to-Provider Edge Encryption VPN Deployment Architecture


CISCO NETWORK-BASED SECURITY SERVICES SOLUTION: HARDWARE COMPONENTS

Security Services Aggregator and Provider Edge

The Cisco 7200 Series and Cisco 7301 can serve as security services aggregators or provider-edge devices. The Cisco 7200 Series provides industry-leading serviceability and manageability features coupled with high-performance modular processors including the Cisco 7200 NPE-G1 Network Processing Engine. For broadband aggregation, the Cisco 7301 supports up to 16,000 subscriber sessions, making it ideal for pay-as-you-grow broadband deployment models.
With the latest release of the solution, the Cisco 7600 Series can also serve as security services aggregators or provider-edge devices. The Cisco firewall services module and Cisco IPSec VPNSM for the Cisco 7600 Series provide high-performance hardware implementations of primary functions for the delivery of firewall and security services, respectively. The service modules for the Cisco Catalyst 6500 Series switches are the same as those for the Cisco 7600 Series, and therefore, the Cisco Network-Based Security Services solution is also applicable to the Cisco Catalyst 6500 Series service modules. All of the available port adapters on the Cisco 7600 Series are supported as interfaces by the Cisco Network-Based Security Services solution.

RADIUS Server

For this component, service providers can use any RADIUS server that is compatible with Cisco AV pairs to authenticate and authorize remote-access clients. If two-factor RSA SecurID-based authentication is required, an RSA SecurID server must be installed on the service-provider management network for local AAA or on the customer premises for proxy authentication.

Cisco VPN Client

The Cisco VPN Client has wide support on various operating systems including Microsoft Windows, Linux, Sun Solaris, and the Apple Mac OS. The Cisco VPN Client is provided for unlimited free distribution for use in conjunction with the Cisco Network-Based Security Services solution. Cisco Systems® has a broad range of hardware-based platforms capable of supporting the Cisco VPN Client protocol. These hardware alternatives include the Cisco VPN 3002 Hardware Client, the Cisco PIX® 501 Firewall, and any Cisco IOS Software-based router including models from the Cisco 800 Series Router up through the Cisco 3700 Series Multiservice Access Router.

Customer Premises Equipment

The Cisco Network-Based Security Services solution supports a broad range of VPN-enabled CPE: Cisco PIX Firewall, Cisco VPN 3002, Cisco 800 Series, Cisco 1700 Series Modular Access Router, Cisco 2600 Series Multiservice Platform, Cisco 3600 Series Multiservice Platform, and Cisco 7200 Series.

CISCO NETWORK-BASED SECURITY SERVICES SOLUTION: SOFTWARE COMPONENTS

Cisco IOS Software Image

End-to-end Cisco IOS Software on the service provider network makes it possible to easily integrate the end user and corporate networks. The Cisco Network-Based Security Services solution requires Cisco IOS Software Release 12.2SX or later.

Cisco Easy VPN Client Software

Cisco Easy VPN clients support dynamic policy push, thereby providing flexible and centralized provisioning for large-scale remote-access VPNs. Operating-system support and distribution terms for the Cisco VPN Client are described under "Cisco VPN Client" above.

Cisco PIX Device Manager

The Cisco PIX Device Manager provides MPLS VPN service providers a customizable, centralized virtual firewall-management capability.

Cisco IP Solution Center 3.2

The Cisco IP Solution Center 3.2 (ISC 3.2) is the platform of choice to provision the MPLS VPNs in the core network. It can also be used to provision the VRF-aware IPSec component of the Cisco 7200 Series and Cisco 7301.

FOR MORE INFORMATION

For more information about Cisco VPN solutions, please visit: http://www.cisco.com/go/vpnsolutions.