Virtual Private Networks have evolved over time to become one of the business drivers of corporate communication, owing to their ability to leverage the ubiquity and low cost of Internet access alongside high performance and security. VPNs extend the characteristics of a WAN to small, medium and individual users.
VPNs are logical private networks deployed over public network infrastructure such as the Internet. The explosive growth of the Internet has presented an opportunity to build VPNs on its vast infrastructure. Just as e-mail and web browsing have brought the Internet to where it is today, business networking on a global scale of commerce is what the Internet VPN aims to bring to the business community. Frame Relay is an example of a VPN service built on carrier networks, and its business communication equivalent is the Internet VPN.
VPNs offer unparalleled benefits to the business community: reliability, security and performance are some of the beneficial features they achieve, unlike the bandwidth-centric Frame Relay and Asynchronous Transfer Mode services.
Business entities are looking for a service infrastructure robust and scalable enough to shift business traffic onto the Internet. Their search is motivated by the premise that the Internet can be made to deliver as they require, and achieving this confidence is the central point of the Internet VPN challenge. In this paper, we explore the network architecture that will give Internet VPN the ultimate killer application for corporate communication. The paper is based on Xedia Corporation, a pioneer and established company in bandwidth management and QoS solutions for IP-based wide area networking. Its Access Point QVPN architecture is a second-generation VPN suitable for business-class networking over the Internet.
Today's IT users need to build their own VPN solutions on top of generic Internet access, and significant VPN growth will only be realized when clients begin to outsource key IT capabilities such as Intranet, Extranet and other IP applications. Major standards and technical specifications are under development, and ISPs are investing enormous capital in building infrastructure and facilities. Following the massive investments made to make the Internet indispensable, it is only to be expected that, with time, IP will be adopted as the standard network protocol for audio, video and data services. This is facilitated by key drivers such as Internet Protocol Security (IPSec) and Differentiated Services (DiffServ), which lay the foundation for Quality of Service across the Internet.
The concept of the VPN has been in existence for some time now. However, the model is facing new challenges exacerbated by the ever dynamic networking needs of organizations intent on developing a global reach. VPN services over Frame Relay and ATM used to be the de facto choice for communication, where logical partitioning of the network's circuits isolates each customer's bandwidth in an otherwise shared physical infrastructure. Compared to fixed private lines, these services were cost effective but still exhibited considerable drawbacks in terms of the flexibility, performance and scalability required to build the next generation of global business services.
A VPN is founded on the provision of three fundamental components: security, reliability and performance. These three aspects are the determinants of sufficient business communication in any organization. The Internet has undoubtedly witnessed great improvements in performance and reliability, as indicated by the Service Level Agreements announced by major players. This has enabled more bandwidth, advanced network provisioning capabilities and IETF-driven standards.
IPSec has sealed a major security gap, while DiffServ has enabled high and predictable network performance founded on meeting explicit service level commitments to business customers. IPSec is a set of communication protocols defining the establishment, management and termination of secure communication channels across public IP networks. The IPSec standards incorporate strong authentication and encryption protocols at layer 3, giving IPSec the dominant role in the implementation of Internet VPNs.
Security is a central concern in any VPN. The ability to separate and insulate each client's information such that other parties cannot access or compromise its contents is paramount. IPSec tunneling works by carving private end-to-end tunnels out of the Internet and encrypting the traffic they carry to protect its confidentiality and integrity. IPSec is superior to layer 2 tunneling protocols because, in addition, it allows native end-to-end tunneling and offers more scalability options.
IPSec gets an automatic slot for wide-area VPN and remote dial-in services due to its robust architecture. It wholly complements any underlying layer 2 network architecture, and with its additional security features it qualifies as a fully fledged VPN service. Compliance with the latest IPSec drafts, high-performance encryption (90 Mbps throughput for wire-speed T3 rate services) and scalability to industry-wide size (4,000 L2TP tunnels) are what define the Access Point QVPN product from Xedia Corporation.
Access Point QVPN uses the Internet Key Exchange (IKE) protocol to automatically negotiate security associations among gateway endpoints, and Public Key Infrastructure through X.509 formatted certificates and interoperability with new Certificate Authorities, for both site-to-site WAN and remote user dial-up VPN service.
PERFORMANCE - BRIDGING QoS TO VPNs
In terms of performance, Internet VPNs are required to deliver on two requirement platforms: first, guaranteed service levels applicable to VPN trunks across the backbone, on a par with established technologies such as Frame Relay's Committed Information Rate (CIR); and second, control of bandwidth management and backbone traffic.
These two points of QoS control mean that user applications and flows have distinct points of service that they require as they traverse the virtual private trunks.
Fig. 1 Multiple points of VPN control
QoS is a bandwidth management and backbone traffic requirement that is of concern at every network access point.
Xedia's QVPN solution is distinctive because it provides unique bandwidth management capabilities at both VPN performance levels. Differentiated Services is the IP backbone standard that provides QoS end-to-end over the public wide area. Access Point QVPN uses DiffServ while also leveraging Xedia's IP bandwidth management to ensure service level agreements over the Internet VPN. With bandwidth borrowing capabilities, a customer trunk can burst beyond its CIR rate when idle capacity is available on the network. In the same manner, different traffic classes within a customer's VPN link are able to borrow bandwidth from each other as required.
Fig. 2 Multiple boxes are naturally hard to configure and manage, and duplicate services such as routing and traffic management
Access Point QVPN's implementation guarantees QoS through Class Based Queuing (CBQ). CBQ is an IP feature that allocates bandwidth to individual applications, users or subnets based on granular network policies, to meet their individual needs. CBQ is applied to each traffic class in a network to enforce bandwidth guarantees and borrowing privileges. Thus, bandwidth guarantees and borrowing privileges are accorded to each traffic class immediately.
DiffServ and CBQ are a unique combination from Xedia, adopted by organizations to deliver the bandwidth that will serve Internet VPNs in the most critical business service environments.
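As an added illustration of the guarantee-plus-borrowing behaviour described above (example code written for this paper, not Xedia's CBQ implementation), the allocator below gives every traffic class its guaranteed rate, the analogue of a CIR, and lends idle capacity to classes that still have demand. The class names, rates and the T1-sized trunk are constructed values.

```python
from dataclasses import dataclass

# Simplified model of class-based bandwidth allocation with borrowing.
# Constructed example; not the vendor's scheduler.

@dataclass
class TrafficClass:
    name: str
    guaranteed: float          # guaranteed rate in kbps (the class's CIR)
    demand: float              # offered load this interval in kbps
    can_borrow: bool = True    # may the class burst above its guarantee?

def allocate(link_rate: float, classes: list) -> dict:
    """Return kbps granted to each class for one scheduling interval.

    Each class first receives min(demand, guaranteed). Capacity left idle
    (unused guarantees plus unreserved link bandwidth) is lent to classes
    that still have demand and are allowed to borrow, in proportion to
    their guarantees, so the total granted never exceeds link_rate."""
    if sum(c.guaranteed for c in classes) > link_rate:
        raise ValueError("guarantees oversubscribe the link")
    grant = {c.name: min(c.demand, c.guaranteed) for c in classes}
    spare = link_rate - sum(grant.values())
    borrowers = [c for c in classes if c.can_borrow and c.demand > grant[c.name]]
    # Water-filling: lend spare in proportion to guarantee, capped at each
    # class's remaining demand; repeat with the leftover until none remains.
    while spare > 1e-9 and borrowers:
        weight = sum(c.guaranteed for c in borrowers)
        lent = 0.0
        for c in borrowers:
            share = spare * (c.guaranteed / weight if weight else 1 / len(borrowers))
            extra = min(share, c.demand - grant[c.name])
            grant[c.name] += extra
            lent += extra
        spare -= lent
        borrowers = [c for c in borrowers if c.demand - grant[c.name] > 1e-9]
    return grant

def demo() -> dict:
    # Constructed T1-sized customer trunk (1536 kbps) carrying three classes.
    classes = [
        TrafficClass("voip", guaranteed=384, demand=200),   # under-using its CIR
        TrafficClass("erp", guaranteed=640, demand=900),    # wants to burst
        TrafficClass("web", guaranteed=512, demand=1200),   # wants to burst
    ]
    return allocate(1536.0, classes)

if __name__ == "__main__":
    for name, kbps in demo().items():
        print(f"{name:5s} {kbps:8.1f} kbps")
```

In the demo the 184 kbps that voip leaves idle is split between erp and web in the ratio of their guarantees, and a class created with can_borrow=False is held at its CIR no matter how much it offers.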
Simplicity, Scalability and High availability achieved through Access Point QVPN
Fig. 2 An implementation of QVPN
ACCESS POINT QVPN IN ACTION
The Access Point is deployed as a service provider's VPN gateway, or in an enterprise network between the LAN and WAN, to act as a router and VPN gateway for establishing tunnels across any wide area backbone. The structure also applies to remote dial-up users supported through Internet access tunneling. Access Point QVPN uses the same criteria for security, bandwidth management and remote user traffic.
Traffic is identified according to its QoS and bandwidth attributes and protected through techniques such as DES encryption, IPSec or L2TP tunneling. Network access is controlled by an integrated firewall that filters packets according to their source and destination IP addresses. NAT is also supported to strengthen security: NAT substitutes a tunneling address for IP traffic traversing the WAN, so that outsiders are barred from seeing the topology of the customer's network while internal users are restricted to a single IP address for communication across the VPN. The firewall is stateful: it remembers the ports used by each network connection and closes access to ports that are no longer active.
It is clear that the integration of IP routing, QoS and bandwidth management with security is what differentiates Access Point QVPN from other VPN gateway designs. The ability to scale to T3/E3 bandwidth and more than 4,000 simultaneous network tunnels is another prime differentiator in the domain of corporate VPN service requirements.
RELIABILITY AND EASE OF MANAGEMENT – ROUTING INTEGRATION VERSUS MULTIBOX COMPLEXITY
Internet VPNs are operated via the Internet; therefore a robust and reliable routing protocol is desired at the access point. The anticipated solution should be easy for the service provider to deploy, manage and scale in order to meet the dynamic needs of corporate entities.
Xedia understood this necessity and integrated an access router supporting the major IP routing protocols into the solution. Access Point QVPN provides multi-homed access to the Internet using a BGP4 implementation, with added reliability through support for the Virtual Router Redundancy Protocol (VRRP). Thus, it is more than a VPN gateway device. The two protocols give inherent redundancy across the network as well as a mission-critical, scalable router for VPN services. First-generation VPN platforms entailed the use of separate networking platforms such as routers, VPN gateways, bandwidth management devices and firewalls. Because each device presented a single point of failure, users had to double the hardware count as backup in order to counter any outage. This introduced complexity as well as increased latency and reduced reliability and performance. Access Point QVPN takes all these factors into consideration in its design, through integration of the key elements in an architecture intended for large-scale VPN.
A multiplicity of platforms is what earlier developers had come up with, coupling together a VPN solution from the disparate parts available. Access Point QVPN integrates these capabilities in an all-in-one approach, as indicated below.
Access Point QVPN is what the industry has been anticipating to fulfill scalability and security requirements while at the same time accommodating a large enterprise broadband VPN architecture run over the Internet. Prospects are underway for a reliable solution that will give business entities an IP-based global product. Access Point QVPN delivers the QoS and bandwidth management needed to make IP perform. Business traffic on the web is increasing, and the only solution that will guarantee performance and security is Access Point QVPN. An implementation of QVPN ensures that multiple customers can be supported from a shared infrastructure without compromising security, performance or scalability. Management complexity is reduced, as the network can be tailored to meet the needs of the user.