IPSec-based VPN selection reference

Source: Internet
Author: User
Tags: securid, secure vpn, vpn router

As enterprises evaluate IPSec-based VPNs, more and more of them are looking for flexible and secure wide-area communication methods. In the complex environment of Internet connections and IP networks, these new communication requirements exceed the capabilities of traditional network solutions. A VPN is defined as a network that uses encryption and authentication technology to establish a dedicated "security tunnel" over a public network. With the arrival of IP security standards and the ubiquity of IP networks, the VPN has become a feasible option for most enterprises.

I. VPN implementation methods

1. Self-management. The enterprise owns and fully manages an Internet-based VPN. This gives the enterprise the flexibility to control VPN deployment and management. However, the narrow networking scope, weak scalability, the infrastructure needed to support global e-commerce, and management that the enterprise must staff 24 hours a day, seven days a week, usually make enterprises reluctant to invest.

2. Complete outsourcing. A managed service delivered by a range of partners, including Internet service providers (ISPs) and security integration partners. The enterprise can deploy quickly and expand globally with ease, without any day-to-day network management burden.

3. Mixed or shared management. The partner is responsible for infrastructure deployment and management, while the enterprise retains control over key aspects of policy definition and security management.

II. VPN development trends

With the accelerating growth of the VPN market, outsourcing is an important trend. Companies deploying these networks are choosing to outsource VPN deployment and maintenance to Internet service providers (ISPs), application service providers (ASPs) and other connectivity providers. Outsourcing is motivated by the cost of building and running global networks, the desire to focus on core competencies, and improved network performance.

1. Benefits of outsourcing for enterprises

(1) Flexibility and scalability: when new sites or users must be added to the VPN service, only the service provider's customer premises equipment (CPE) or an access link for the security client software needs to be installed. The service provider is responsible for any site- and trunk-level activation required. An optimal VPN design needs only one connection for the private intranet, the semi-private extranet and public Internet access. This consolidation saves the enterprise money and also benefits service providers, who can expand services within and across current private and public network boundaries at low cost.

(2) Rapid deployment and global reach: the geographic coverage of a VPN can easily be extended to connect individuals and multi-user offices around the world while supporting popular applications and protocols. By leveraging the service provider's backbone rather than building their own, enterprises can extend the network to external resources such as the Internet.

(3) Lower operating costs: a managed end-to-end VPN service provides comprehensive quality of service (QoS) and service level agreement (SLA) performance that supports the most demanding commercial applications. By drawing on the expertise and dedicated resources of the outsourcing partner, the enterprise no longer needs to recruit its own technical experts.

2. Benefits of outsourcing for service providers

(1) New revenue sources: value-added services such as virtual hosting, application hosting and e-commerce support.

(2) Rapid deployment: because the existing core network need not change, new CPE-based services can be rolled out quickly to gain market share.

(3) Differentiated services: next-generation features such as QoS and SLA-aware routing and switching give the service provider a competitive edge.

(4) A changed strategic relationship with the customer: because the provider supplies value-added services rather than mere bandwidth, provider and customer build a long-term relationship.

III. Functions and standards covered by a VPN

Because VPN products separate confidential data and network resources from hostile networks, they must be as strong as a firewall at every point. Strong authentication, encryption, X.509v3 digital certificates and ICSA-certified firewall functions ensure that the VPN protects data confidentiality. VPN security policies are based on robust, stable standards.

1. Service level agreement (SLA). As a key feature of an end-to-end VPN solution, the SLA is as important as network security. It provides specific performance standards to ensure the VPN can support reliable commercial services, and it supplies valuable data for network performance planning and applications. The SLA should cover the overall performance of each link and between all customer sites.

2. QoS functions. Quality of service is crucial to prioritising traffic and managing the VPN.

IV. Selecting a VPN solution

When selecting a VPN solution, note the difference between customer-premises-based and network-based VPN services. The former includes CPE for true end-to-end security and performance management. The latter is activated mainly by equipment at the service provider's point of presence (POP) and cannot provide the same protection over the last mile. Users should pay attention to the following key issues:

1. Centralized policy management. This is the key to building a large-scale VPN solution. Centralized control is achieved through fully distributed VPN configuration and security policies, and policy management simplifies VPN provisioning and administration. The provider's network becomes an integrated system rather than a collection of different products, able to deliver centrally supported, flexible services anywhere on the network.

2. Strong security and authentication. A VPN solution is as critical as a firewall. The service platform should interoperate closely with the enterprise's other firewalls and intrusion detection systems, and should include a tightly integrated, ICSA-certified firewall. For user authentication, the platform should support SecurID tokens or X.509 digital certificates. Avoid using general-purpose operating systems as the basis for VPN devices, because such operating systems may be full of security vulnerabilities.

3. Full integration. Because a VPN is a network that secures communication between business partners and enterprise customers, a complementary set of technologies and equipment must be fully integrated and managed within the product line. A VPN can be built with a dedicated VPN router, or a VPN gateway can be attached to an existing router. Next-generation VPN routers will be purpose-built and provide tightly integrated IP routing, security, firewall and bandwidth management functions. A VPN gateway is usually a low-cost device that overlays the previously installed IP network to provide functions such as tunnel encryption and firewall services.

4. Standards compliance. VPN security uses the Internet security protocol IPsec, an Internet Engineering Task Force (IETF) standard, yet not all vendors have deployed managed VPN services with 128-bit IPsec encryption.

5. Support for multiple certification authorities (CAs). Enterprises should not be locked into a proprietary CA or proprietary authentication and registration protocols. By supporting multiple CAs, such as Entrust and VeriSign, network administrators can choose the best public key infrastructure (PKI) technology.

6. Hardware-accelerated encryption. Encryption and decryption demand intensive processing, especially during automatic key exchange. For high-speed links such as T3, the service platform should provide hardware-accelerated encryption; low-speed links can run software-based encryption.

7. Scalability. Most enterprises face changing network demands, including faster and more numerous connections. After a VPN solution is implemented, it should not be necessary to replace all hardware and software. The VPN architecture should support at least dozens of VPN gateways and thousands of VPN clients.

V. Building an end-to-end secure VPN

The Lucent Secure VPN series includes the following components:

1. Policy management. The Lucent Security Management Server (LSMS) and QVPN Builder form integrated, centralized VPN policy management software and are the core of the Lucent Secure VPN series. LSMS is optimized for remote-access applications. It can handle the public key infrastructure, integrate with RADIUS and SecurID user authentication servers, and manage VPN configuration files, firewall rules and QoS policy definitions. LSMS integrates with QVPN Builder to manage hundreds of VPN gateways, Access Point, Pipeline and SuperPipe VPN routers, and thousands of IPsec clients. It can manage up to 24,000 VPN tunnels at a time.

2. VPN firewall. This offers an economical way to overlay a VPN on an IP network, including firewall and hardware encryption services. The VPN firewall module is a dedicated platform that uses hardware encryption to sustain 3DES throughput of 75 Mbps and supports up to 2000 simultaneous tunnels. It also supports the advanced security features required by highly confidential enterprise intranets, including an ICSA- and NSA-certified firewall and strong authentication and access control functions.

3. VPN client. The Lucent IPsec client supports RADIUS or SecurID authentication systems based on one-time tokens. When the IPsec client connects to any gateway in the Secure VPN series, it automatically and transparently authenticates the user and enforces the security policy. Configurations can be managed centrally through LSMS to ensure that access permissions are strictly enforced.

4. VPN router. The Access Point and Pipeline/SuperPipe routers integrate routing, bandwidth management, VPN and firewall functions into a comprehensive service platform. These platforms can be deployed at the customer premises or at the service provider's point of presence, and provide router and gateway functions for site-to-site and remote-access applications of any scale.

VI. Conclusion

Managed VPN services extend the reach of enterprise control. In hybrid VPN configurations, deploying and managing VPN policy definitions is too complex for the company to handle effectively in-house. Outsourcing is therefore the best choice for many enterprises.
