Improving Network Security and Performance with Managed Tunneless VPN

Overview

Cisco® managed tunneless VPN enables you to offer new services to your enterprise customers and to encrypt their any-site-to-any-site communications more efficiently than you can now. In the first case, you generate more revenues. In the second, you cut costs.
Managed tunneless VPN relies on a new technology unique to Cisco known as group encrypted transport. This technology turns your multiprotocol label switching (MPLS) VPN into a managed tunneless VPN, equipping you to take advantage of two important trends: first, enterprises are spending more money than ever before on security and transport encryption, and second, enterprises are making it a priority to comply with data-security and privacy regulations.
Enterprise WAN technologies have traditionally forced companies to compromise transport security in exchange for network intelligence features that anchor voice and video quality. These features include QoS, routing, and multicasting. Fortunately, managed tunneless VPN removes the trade-offs between security and network intelligence. Consequently, your customers enjoy better security, enhanced performance, and simpler management - keys to dealing with today's increased network security risks and regulatory compliance requirements.
Managed tunneless VPN delivers these benefits by eliminating the need for point-to-point tunnels in VPNs. Without these tunnels, meshed networks can easily scale to accommodate new branches and yet still offer consistent, high-quality network intelligence. Managed tunneless VPN offers a new standards-based IP Security (IPsec) model based on the concept of "trusted" group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship.
You can use managed tunneless VPN in a variety of WAN environments, including IP and MPLS. MPLS VPNs that employ this encryption technology are highly scalable, manageable, and cost-effective, and they meet government-mandated encryption requirements. Moreover, the flexibility of managed tunneless VPNs allows enterprises to manage their own network security over your WAN service or to offload encryption services directly to your company. (A key server is required to manage encryption policy, and this server can be located at the customer site, or it can be hosted in your data center.) Either way, tunneless VPN offers an efficient method to secure large Layer 2 or MPLS networks that require partial or full-mesh connectivity.

Document Audience and Content

This white paper is written for service providers who offer managed services. If you provide managed IP VPN services, Cisco managed tunneless VPN can help you add services to your portfolio, generate new revenues and higher profits, and increase customer loyalty.
The paper starts by defining some important terms and then explains how managed tunneless VPN differs from IPsec VPN. Next it describes the market for managed VPN services and then profiles a typical managed tunneless VPN end user. The following section presents the benefits of managed tunneless VPN service, first to you and then to your enterprise customers. The paper concludes by describing four typical customer scenarios for managed tunneless VPN service and explaining how managed tunneless VPN works.

Defining Three Important Terms

To start, it is worthwhile defining three key terms:

1. Group encrypted transport is a new technology that makes security management more efficient by using the Group Domain of Interpretation (GDOI) protocol. Cisco implements GDOI (RFC 3547) as a Cisco IOS® application in its range of Integrated Services Routers (ISRs).

2. Tunneless VPN is an incremental VPN service that results when enterprises apply group encrypted transport to their IP or MPLS VPNs. Tunneless VPN enables organizations to efficiently manage and dynamically adapt security policies that apply to full mesh communication throughout their WANs. Tunneless VPN is not a standalone service. It is an incremental, value-added service for enterprises that already have IP VPNs or IP VPNs with MPLS.

3. Managed tunneless VPN service is offered by service providers. It is an alternative to the incremental tunneless VPN service that enterprises purchase and install on their integrated services routers. This paper focuses on managed tunneless VPN service.

For more information on how group encrypted transport works, please see the section at the end of this document.

How Does Tunneless VPN Differ from IPsec VPN?

"IP-header preservation" differentiates tunneless VPN from IPsec VPN. As Figure 1 illustrates, tunneless VPN preserves the original IP source and destination addresses of data packets whereas IPsec tunnel mode generates a new header for the original IP packet. In other words, a tunneless VPN-enabled security model uses the existing routing infrastructure rather than the traditional IPsec overlay.

Figure 1. Tunneless VPN Original IP Header Preservation

By preserving the original IP header in IPsec packets, tunneless VPN enables organizations to rely on the existing Layer 3 routing information. This reliance allows your customers to run multicast applications more efficiently and improve network performance.
Specifically, tunneless VPN reproduces the original (native) IP header and uses this header to guide the IPsec-encrypted packet to its destination. Because the header bits that define QoS and multicast behaviour are preserved, this technique resembles IPsec transport mode. In IPsec tunnel mode, by contrast, the original IP header is encapsulated and encrypted along with the payload, so the network cannot act on native QoS markings or multicast addresses.
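The difference described above is easiest to see from a transit router's point of view. The following Python model is an added example, not Cisco code: it builds one constructed multicast video packet, wraps it once in classic tunnel mode (outer header naming two assumed gateway addresses, 192.0.2.1 and 192.0.2.2) and once with the original header preserved, and then reports what each outer header exposes. The ESP ciphertext is an opaque placeholder; no real cipher is involved.

```python
# Added illustration (not Cisco code): what an intermediate router can read from the
# outer IPv4 header under classic IPsec tunnel mode versus GET-style header preservation.
# Only the outer header is modelled; the ESP-protected bytes are an opaque stand-in.
import socket
import struct

ESP = 50  # IP protocol number of ESP, carried in the outer header in both modes


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header, as routers verify it hop by hop."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, dscp: int = 0, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """The fields a transit router (holding no keys) can act on: addresses, DSCP, protocol."""
    _, tos, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    dst_s = socket.inet_ntoa(dst)
    return {"src": socket.inet_ntoa(src), "dst": dst_s, "dscp": tos >> 2, "ttl": ttl,
            "proto": proto, "multicast": 224 <= int(dst_s.split(".")[0]) <= 239,
            "checksum_ok": ipv4_checksum(pkt[:20]) == 0, "payload": pkt[20:]}


def esp_stand_in(inner: bytes) -> bytes:
    """Opaque placeholder for the ESP ciphertext (no real cipher in this demo)."""
    return b"<ESP ciphertext, %d protected bytes>" % len(inner)


def tunnel_mode(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Classic IPsec tunnel mode: the whole inner packet is protected and a new outer
    header names the two gateways. Nothing from the inner header survives unless copied."""
    return build_ipv4(gw_src, gw_dst, ESP, esp_stand_in(inner))


def header_preserving(inner: bytes) -> bytes:
    """GET-style encapsulation: the outer header repeats the original addresses and
    DSCP marking, with the protocol field changed to ESP."""
    h = parse_ipv4(inner)
    return build_ipv4(h["src"], h["dst"], ESP, esp_stand_in(inner), dscp=h["dscp"])


def compare() -> dict:
    """Constructed sample: one multicast video packet (AF41 marked) leaving a branch host."""
    video = build_ipv4("10.1.1.10", "239.1.1.1", 17, b"rtp-video-frame", dscp=34)
    return {
        "tunnel": parse_ipv4(tunnel_mode(video, "192.0.2.1", "192.0.2.2")),
        "preserved": parse_ipv4(header_preserving(video)),
    }


if __name__ == "__main__":
    for mode, view in compare().items():
        print(mode, {k: v for k, v in view.items() if k != "payload"})
```

Running `compare()` shows the tunnel-mode packet as a unicast ESP flow between two gateways with DSCP 0, while the header-preserving packet still carries the 239.1.1.1 group address and the AF41 marking, which is exactly what multicast replication and QoS queuing need. The same property is the caveat a practitioner should note: the preserved header is visible to every hop, so what the group SA protects is the payload, not the identity of the communicating addresses.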

The Market for Managed VPN

In March 2007, investment advisors Merrill Lynch revealed that respondents to their survey of 50 North American chief information security officers intend to increase security spending by an average of five percent over the coming 12 to 18 months. The survey also revealed that security spending now represents almost six percent of IT budgets and that regulatory compliance was a key factor in driving this spending.
In 2006, the world market for IP VPN managed services was approximately US$13 billion. Ovum, a telecommunications research firm, projects that this market will grow by more than 15 percent per year to at least $19 billion in 2009. As Figure 2 shows, MPLS VPNs represent the largest segment of the IP VPN market. This fact bodes well for managed tunneless VPN because group encrypted transport technology is most likely to be implemented in MPLS VPNs.

Figure 2. Projected IP VPN Market Growth, 2005-2009

Additionally, because managed tunneless VPN addresses security and simplifies integrating IP voice in converged networks, this managed service may also attract security and voice telephony revenues. Over the 2005-2009 period, the market for security managed services is expected to increase by almost US$3 billion, and the market for managed IP voice services is forecast to rise by more than US$4 billion.
Moreover, Infonetics, an international market research firm, has found that some enterprises avoid implementing IP VPNs because of concerns about security and management overhead. Other enterprises question whether VoIP offers sufficient security and quality of service, doubts that further limit VoIP growth. VPN with group encrypted transport addresses these concerns, especially when deployed as a managed service. Consequently, group encrypted transport should encourage more enterprises to adopt IP VPN, generating revenue beyond even current forecasts.

Managed Tunneless VPN Customer Profile

Regardless of whether enterprises implement Cisco tunneless VPN on their own or subscribe to your managed tunneless VPN service, these customers will exhibit the following characteristics:

• Multiple branch offices connected by IP VPN or IP VPN with MPLS (or the strong intention to implement an IP VPN across multiple branch offices)

• Branch-to-branch communication and branch-to-head office (or data center) communication (i.e., full mesh communication)

• Significant amounts of real-time WAN traffic, such as voice and video

• A need for QoS management, security, and encryption, without compromise

Benefits of Deploying Cisco Managed Tunneless VPN

This section explores the benefits that both you and your enterprise customers can expect from a managed tunneless VPN service.

How Do You Gain from Managed Tunneless VPN?

By introducing managed tunneless VPN service, you add a powerful new dimension to your service portfolio. Whether you choose to offer managed tunneless VPN as part of your IP VPN service or as an option, you stand to boost both revenue and customer loyalty. You also stand to benefit from Cisco technology and comprehensive support.

Increased Revenue

Cisco managed tunneless VPN can help you earn revenue in several ways.
First, given that Cisco integrated services routers incorporate group encrypted transport technology, once you deploy these routers to offer managed tunneless VPN, you can sell other managed services at low or no incremental cost. These services include additional VPN, IPsec to remote workers, managed firewall, wireless LAN, and voice (hosted PBX).
Second, managed tunneless VPN service offers benefits that may justify premium prices (better security, enhanced performance, simpler management). Given that you can offer this service without investing substantially in management and equipment, managed tunneless VPN service is well positioned to generate ample profits.
And third, simply offering managed tunneless VPN service may compel certain customers to subscribe to basic managed services, such as Ethernet, IP VPN, MPLS, transparent LAN, and so on. Knowing that they can add managed tunneless VPN later can be a selling point.

Increased Customer Loyalty

Managed tunneless VPN service can also help you keep customers. Enterprises that grow accustomed to the advantages of your managed tunneless VPN service will be far less likely to switch providers. And if you price this incremental service attractively, enterprises will be less interested in implementing tunneless VPN solutions in house. By encouraging customers to rely on your services, managed tunneless VPN can therefore increase customer loyalty.

Cisco Support for Cisco Powered Network Members

When you implement managed tunneless VPN service on your network built with Cisco equipment, you receive excellent support from Cisco. The Cisco Powered Network Program offers you a potent variety of high-performance resources that can shape and sharpen your managed services portfolio. Specifically, Cisco can help you succeed in several ways:

• By supporting your service implementation and providing ongoing technical assistance.

• By providing market intelligence and advice on pricing your service, estimating revenues, analyzing costs, and planning your launch.

• By working with you to market and brand your service so that you take advantage of the power of the Cisco name.

• By offering our professional services specialists to help you develop innovative services or deploy new networks.

By putting the Cisco Powered Network Program to work, you can properly launch your managed tunneless VPN service and bolster its long-term prospects.

How Do Your Enterprise Customers Gain from Managed Tunneless VPN?

Enterprises can also expect considerable advantages by deploying managed tunneless VPN: better security, enhanced performance, simpler management. Consequently, managed tunneless VPN may evolve to be the VPN security technology of choice.
Why are these benefits important? Two reasons stand out: first, regulatory compliance is pushing enterprises to adopt more stringent data encryption policies and procedures. And second, enterprises are increasing their use of any-to-any applications such as voice and video. These applications require a more scalable and efficient encryption technology than has been available to date.
That is where managed tunneless VPN comes in. This service offers your enterprise customers a number of important advantages:

Enhanced security and regulatory compliance

• Managed tunneless VPN security management complies with regulation.

• Enterprises enjoy improved security without compromising performance or QoS.

Efficient encryption

• Setting up encrypted links with a centralized key server is simple (many enterprises do not encrypt these links because of the hassle and administration overhead).

• Enterprises can take advantage of QoS management over the encrypted links (other technologies trade off security with QoS).

• Branch-to-branch voice and video-over-IP sessions can be rapidly connected (other technologies need significant time to set up calls).

• Encrypted multicast is carried with native headers, so enterprises avoid having to use the multiple parallel streams involved in IPsec tunnel mode encryption (this efficiency leads to lower costs and simpler administration).

Reduced cost

• Upfront cost for equipment and implementation services is lower than it would be if enterprises made these investments themselves.

Scalability

• Enterprises can implement managed tunneless VPN service immediately at sites that need efficient multicast encryption today.

• Enterprises can also scale the service to easily and economically add sites as their networks grow.

No risky learning curve

• You provide the new expertise needed.

Typical Deployment Scenarios for Managed Tunneless VPN

In this section we present four typical deployment scenarios. These scenarios illustrate how various organizations, industry and government alike, can use managed tunneless VPN to overcome business challenges.

1. A Nationwide Bank Adding Voice to Its IP Data Network

The background: To reduce voice toll charges, a nationwide bank plans to add VoIP to its data-only IP network. The project consolidates the company's voice and data traffic onto a single, multi-purpose IP network. Adding voice to the IP data network seems to be straightforward, but complications arise.
Why? Voice traffic is sensitive to packet delay and jitter. Unfortunately for the bank, its hub-and-spoke data network (a common data-network configuration) increases delay and jitter because packets travel through numerous routers. A fully meshed network would reduce this problem, but these networks are expensive. In addition, traditional security encryption significantly increases the time to set up calls. End users can expect poorer service as a result.
The solution: A managed tunneless VPN service equips the bank to enjoy the benefits of a fully meshed network with instant, secure, spoke-to-spoke connectivity and acceptably low network management overhead.

2. A Worldwide Advertising Agency Wanting to Multicast Streaming Video to Numerous Locations

The background: An advertising agency is interested in multicasting video to many sites, but content security presents a concern.
When an organization wants to send large amounts of data, such as video, IP multicasting is more efficient than normal Internet transmission because a single server can broadcast content to multiple recipients simultaneously. The problem is that to multicast securely using tunnel-mode IPsec, each point-to-point transmission must be separately encrypted and tunneled. This separate encryption and tunneling increases network loading, thereby negating the main reason for multicasting in the first place.
The solution: Because managed tunneless VPN reuses an IP packet's native header, multicast paths can be established just as if the transmissions were unencrypted. This characteristic offers the advertising agency the cost efficiency of a native IP network along with the security of encrypted network transmission.

3. An Automobile Manufacturer Wanting to Include Its Suppliers and Distributors in its VPN Without Compromising Security

The background: An automobile manufacturer and its supply chain need to work together closely to coordinate just-in-time production processes and other lean-operation business models. Specifically, the auto company wants to share forecasts, production figures, and inventory data quickly and securely with its supply chain and deploy management applications with several partners.
The solution: Managed tunneless VPN service enables the automobile manufacturer to achieve these results easily and securely. The service not only protects transmissions but also uniquely specifies members of the supply chain, giving the company the network security and performance it seeks.

4. A Government Department Exchanging Personal Data About Citizens

The background: The department routinely transmits confidential and sensitive information between its offices. Should this information fall into the wrong hands it could be used illicitly, for instance, to acquire false identities. Consequently, the department needs to apply stringent security standards, but traditional encryption carries high management overhead and uses network capacity inefficiently.
The solution: Managed tunneless VPN simplifies encryption configuration and management without diluting security. By subscribing to a managed tunneless VPN service from a reputable supplier, the department can confidently focus on its core activities, knowing that security and performance will be delivered in accordance with a well-defined SLA.

How Managed Tunneless VPN Works

Managed tunneless VPN relies on group encrypted transport, an encryption-management approach that differentiates managed tunneless VPN from all other approaches to virtual private networking. Unlike other secure VPN solutions, Cisco managed tunneless VPN connects branches almost instantaneously, making it highly suitable for enterprise WANs that carry large amounts of branch-to-branch real-time communications such as voice and video.
Group encrypted transport simplifies security management by using a protocol known as Group Domain of Interpretation (GDOI) defined by the IETF's RFC 3547 standard. A centralized key server - a specially configured router - authenticates members of a group and uses GDOI to distribute encryption keys and policies to the group. These encryption keys and policies allow any member of that group to communicate securely with any other member. Encryption is applied in the sending group member's customer premises equipment rather than in network edge equipment such as an IPsec-enabled router.
A Cisco IOS application, group encrypted transport is implemented in the Cisco range of integrated services routers. These routers provide the secure encrypted VPN connections between branches and route unencrypted traffic to individual devices on your customers' LANs. You can deploy group encrypted transport over IP/MPLS or IP WANs, and you can apply Cisco IOS firewall functionality to virtual routing and forwarding interfaces if you configure a firewall on an edge router. This capability enables you to provide both managed tunneless VPN and managed firewall services to multiple customers.
To deliver high availability, managed tunneless VPN can use multiple cooperative key servers. In such a case, you would deploy one primary key server and at least one secondary key server to support multiple customers. Managed tunneless VPN can also scale to accommodate thousands of branches.
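The key-server model described in this section can be exercised end to end in a small simulation. The Python below is an added example and is not Cisco's GDOI implementation: a `KeyServer` authenticates members against constructed pre-shared secrets (a stand-in for the IKE authentication a real registration rides on), pushes the same policy, key-encryption key (KEK) and traffic-encryption key (TEK) to each of them, and later issues a KEK-authenticated rekey. The group number, selector string and seed are constructed values, and hashlib/hmac primitives stand in for the real ciphers so the code runs offline.

```python
# Added illustration (not Cisco's GDOI code): one key server, a shared group SA, a rekey.
# hashlib/hmac stand-ins replace the real ciphers so the demo runs offline.
import hashlib
import hmac

def kdf(label: bytes, *parts: bytes) -> bytes:
    """Deterministic key-derivation stand-in (HMAC-SHA256 over labelled parts)."""
    return hmac.new(label, b"|".join(parts), hashlib.sha256).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode-style XOR standing in for ESP encryption (not a real cipher)."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def registration_proof(psk: bytes, group_id: int, member: str) -> bytes:
    """Stand-in for the IKE authentication that a GDOI registration rides on."""
    return hmac.new(psk, b"register:%d:%s" % (group_id, member.encode()), hashlib.sha256).digest()

class KeyServer:
    """Owns group policy, KEK and TEK; releases them only to authenticated members."""
    def __init__(self, group_id: int, member_psks: dict, traffic_selector: str, seed: bytes):
        self.group_id, self.member_psks, self.seed, self.epoch = group_id, member_psks, seed, 0
        self.policy = {"group": group_id, "protect": traffic_selector}
        self.kek = kdf(b"KEK", seed, str(group_id).encode())
        self.tek = kdf(b"TEK", seed, b"0")

    def register(self, member: str, proof: bytes) -> dict:
        """GDOI registration: verify the member, then push policy, KEK and current TEK."""
        psk = self.member_psks.get(member)
        if psk is None or not hmac.compare_digest(registration_proof(psk, self.group_id, member), proof):
            raise PermissionError("registration rejected for %s" % member)
        return {"policy": self.policy, "kek": self.kek, "tek": self.tek, "epoch": self.epoch}

    def rekey(self) -> dict:
        """Rotate the TEK; the message is authenticated under the KEK every member holds."""
        self.epoch += 1
        self.tek = kdf(b"TEK", self.seed, str(self.epoch).encode())
        body = self.epoch.to_bytes(4, "big") + self.tek
        return {"body": body, "tag": hmac.new(self.kek, body, hashlib.sha256).digest()}

class GroupMember:
    """A branch router: registers once, then talks to any member under the group SA."""
    def __init__(self, name: str, psk: bytes):
        self.name, self.psk, self.sa = name, psk, None

    def register(self, ks: KeyServer) -> None:
        self.sa = ks.register(self.name, registration_proof(self.psk, ks.group_id, self.name))

    def apply_rekey(self, msg: dict) -> bool:
        """Install the new TEK only if the rekey message verifies under the group KEK."""
        if not hmac.compare_digest(hmac.new(self.sa["kek"], msg["body"], hashlib.sha256).digest(), msg["tag"]):
            return False
        self.sa["epoch"], self.sa["tek"] = int.from_bytes(msg["body"][:4], "big"), msg["body"][4:]
        return True

    def _keys(self) -> tuple:
        if self.sa is None:
            raise RuntimeError("%s has not registered" % self.name)
        return kdf(b"enc", self.sa["tek"]), kdf(b"auth", self.sa["tek"])

    def protect(self, seq: int, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC under the shared group keys; no pairwise SA with the receiver."""
        enc, auth = self._keys()
        nonce = self.sa["epoch"].to_bytes(4, "big") + seq.to_bytes(4, "big")
        body = keystream_xor(enc, nonce, plaintext)
        return nonce + body + hmac.new(auth, nonce + body, hashlib.sha256).digest()[:16]

    def unprotect(self, packet: bytes) -> bytes:
        enc, auth = self._keys()
        nonce, body, tag = packet[:8], packet[8:-16], packet[-16:]
        if int.from_bytes(nonce[:4], "big") != self.sa["epoch"]:
            raise ValueError("packet belongs to a retired key epoch")
        if not hmac.compare_digest(hmac.new(auth, nonce + body, hashlib.sha256).digest()[:16], tag):
            raise ValueError("integrity check failed")
        return keystream_xor(enc, nonce, body)

def raises(fn, exc) -> bool:
    try:
        fn()
        return False
    except exc:
        return True

def demo() -> dict:
    """Constructed group: two branches register and talk, survive a rekey; an outsider fails."""
    psks = {"branch-a": b"psk-a", "branch-b": b"psk-b"}  # constructed pre-shared secrets
    ks = KeyServer(1234, psks, "permit ip 10.0.0.0/8 10.0.0.0/8", seed=b"demo-seed")
    a, b = GroupMember("branch-a", psks["branch-a"]), GroupMember("branch-b", psks["branch-b"])
    a.register(ks)
    b.register(ks)
    old = a.protect(1, b"branch-to-branch voice frame")
    result = {"before_rekey": b.unprotect(old)}
    msg = ks.rekey()
    result["rekey_accepted"] = a.apply_rekey(msg) and b.apply_rekey(msg)
    result["after_rekey"] = b.unprotect(a.protect(2, b"after rekey"))
    result["stale_rejected"] = raises(lambda: b.unprotect(old), ValueError)
    result["outsider_rejected"] = raises(lambda: GroupMember("rogue", b"wrong").register(ks), PermissionError)
    return result
```

Call `demo()` to run the exchange. Two points are worth noting from it: branch-b reads branch-a's traffic having never negotiated anything with branch-a, which is the property that removes point-to-point tunnels, and a packet protected under the old TEK is refused after the rekey, so an operator should expect a brief window around each rekey in which members must have installed the new key. Because every member shares one TEK, a compromised member router exposes the whole group's traffic until it is removed from the policy and the group is rekeyed; the key server's authentication step and rekey control are therefore the places to monitor.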

Conclusion

When enterprises subscribe to your managed tunneless VPN service, they no longer have to trade off security against network performance. These organizations can permit their branches to communicate with one another easily and yet still comply with security and privacy regulations. In short, managed tunneless VPN service enables enterprises to balance the desire for high-quality communications across their WANs with the need to safeguard the traffic that flows over these networks.
You also get the benefit of working with Cisco, the world's foremost internetworking company. We can help you turn your managed tunneless VPN service into a genuine success, one that you can build on for years to come.
For more information about how your company can take advantage of managed tunneless VPN service, contact your account manager or visit http://www.cisco.com/en/US/netsol/ns341/ns121/ns193/networking_solutions_solution.html.