Cisco on Cisco

Cisco Bangalore Supports Enterprise Class Teleworker Solution for Employees

The Cisco Globalisation Centre in Bangalore, India, is the company’s fifth management hub to support the Cisco Enterprise Class Teleworker (ECT) solution, enabling employees to securely telecommute to work from their homes. ECT nearly replicates the corporate office environment in employees’ home offices, and is a powerful productivity tool for work day extenders, part-time telecommuters, and full-time telecommuters alike.

“The ECT solution is available to up to 4,000 India teleworkers,” says Nate Ratzlaff, a Cisco business analyst. “A slight deployment delay in Bangalore was due to the company’s diligence in ensuring the Indian government approved the shipment of Cisco 800 Integrated Services Routers (ISRs) into the country,” he says. These small office/home office (SOHO) routers contain embedded wireless LAN (WLAN) access points, and regulations vary from country to country concerning which frequencies wireless networks can occupy and their maximum power output levels. Each country’s government verifies local compliance and approves the use of wireless products before they can be deployed within the country’s borders.

Hardware versus Software VPNs

The Cisco ECT VPN is hardware based: the connection and security are configured in the router rather than in a VPN software client on a user’s laptop. ECT provides an “always on” encrypted connection to the Cisco network for all the devices connected to or associated with the trusted network of the router. By contrast, the client software-based VPN is more suited to traveling mobile workers. “To connect a single computer to the corporate network, VPN software users are required to authenticate every time they establish a VPN connection to the corporate network,” says Plamen Nedeltchev, a senior member of the technical staff in Cisco IT.

For at-home WLAN access to the corporate network, the ECT setup configures the 871 router’s access point with the same service set identifier (SSID) as the one in corporate offices worldwide. “This drastically improves the user experience, allowing users to move conveniently between the WLAN at the office and the home, because the same authentication mechanism is used to authorize the local wireless user’s access to the corporate resources,” Nedeltchev says.

Trusted and Nontrusted Subnets

When the Cisco ECT solution is configured, employees and their family members can share one broadband Internet access connection. However, the solution also addresses the security issue of split tunneling, in which a single IP subnet gives the user access to corporate network resources and direct access to the Internet at the same time. In such setups, an inbound attack directly from the public Internet might allow an intruder to gain control of the employee’s router and access the corporate network.

In the Cisco ECT design, the router is partitioned into trusted and nontrusted subnets. Nontrusted devices (all non-Cisco managed devices) connect to a nontrusted port on the router and obtain IP addresses from the nontrusted network; trusted devices (all Cisco managed devices, such as Cisco-imaged laptops and Cisco IP phones) plug into the trusted router port and obtain an IP address from a trusted network. Only devices connected to the trusted ports or associated with the trusted WLAN are granted access to the corporate resources upon successful authentication.

“For now, we don’t enable nontrusted wireless access for our users,” says Nedeltchev. If non-Cisco devices used by others in the household need wireless access, he suggests a two-box solution, whereby a Cisco Linksys wireless access point plugs into the nontrusted port of the 871 router.

The nontrusted part of the network, which other family members can use for public Internet access, supports network address translation (NAT) and Cisco Context-Based Access Control (CBAC), a feature in Cisco IOS Software that intelligently inspects TCP and UDP packets. These features provide a basic level of security to the home network and its applications, says Nedeltchev.

ECT Evolution

Cisco IT has provided the Cisco ECT solution to Cisco sites since 2004, and this year Cisco ranked #1 in the Fortune Magazine Telecommuting/Remote Working category for the second consecutive year. Cisco also ranked #6 on Fortune’s 2008 list of “100 Best Companies to Work For.”

Today, the ECT solution includes a Cisco IP Phone and a Cisco 871 router with built-in WLAN, configured at an employee’s home with the same security, voice service-quality levels, and connectivity capabilities as the office LAN. Cisco’s first-generation ECT solution used Cisco 831 routers, which had no wireless capabilities. Voice was initially delivered as best-effort traffic; now, the quality-of-service (QoS) capabilities in Cisco routers enable packet prioritization markings to be recognized even when the packet stream is encrypted. Security and QoS can therefore be combined to give voice packets highest priority for transmission across the WAN link. At the headend, Cisco Catalyst 6500 series switches and Cisco 7206VXR routers terminate sessions that are initiated and encrypted in the Cisco 871.

Looking ahead, Cisco IT plans to make more than one router and more services available to accommodate the specific needs of its teleworking employees. “The idea will be to accommodate varied geographic regions and their respective regulations, as well as WAN upgrades,” says Nedeltchev.

“The residential broadband offering worldwide will reach 15 to 25 Mbps in the next one to two years, so we will need higher performing routers,” he says. “Later this year we will offer two or three router options and a full variety of services for Cisco employees. ECT will become one of the enablers for Unified Communications for home users and a major component of the Cisco strategy for crisis and business continuity management.”

For More Information

Cisco on Cisco
Cisco IT VPN Remote Access Solution Case Study