Lippis Report 180: Cisco Delivers New VPN Design Options for Federal Government and Enterprise Networks
Cisco recently launched its VPN Internal Service Module or VPN ISM, which is a VPN accelerator for the Integrated Services Routers Generation 2 (ISR G2). The VPN ISM allows for greater VPN performance, meaning a larger number of faster VPN connections for both client-to-site and site-to-site communications. This module expands the range of branch office network design options allowing IT designers to architects lower cost and higher performance Wide Area Network (WAN) design paid for by arbitraging WAN facilities/operational cost and capital cost. In addition to the enterprise market, the VPN ISM supports the National Security Agency’s or NSA’s Suite B cryptographic algorithms in hardware, boosting performance of previous Suite B implementations by a factor of three to five, depending upon application. In this Lippis Report Research Note, we review the VPN ISM with a focus on the new WAN design options it affords for both federal government and enterprise IT departments.
PoE Jumps to 60W/Port to Power Virtualized Desktops and More
The ISR G2’s routing security portfolio is second to none, literally, and Cisco’s 70.3% market share is indicative of the market’s acceptance of this fact. The ISR G2 security portfolio boasts firewall, IPS, a range of VPN services, voice and video security plus the recent integration of ScanSafe cloud web security services. The previous G1 ISR was equipped with a VPN accelerator module, and many Cisco customers have been waiting for the same on the newer G2 platform. They need not wait any longer. The VPN ISM is the VPN accelerator for the ISR G2. The VPN ISM delivers two to three times performance increase, meaning a larger number of VPN connections supported as well as faster VPN processing. While this scaling up of VPN support is important, especially with the boom in mobile devices requiring VPN services, it’s the VPN ISM’s support for the NSA’s Suite B that will further open up federal government spend to Cisco.
Arista Network’s Ken Duda Explains VxLAN, the first Virtual Networking Protocol
U.S. Federal Government and Suite B
U.S. federal government VPN IPsec applications require the support of the NSA Suite B set of cryptographic algorithms. Suite B for IPsec VPN is defined in RFC 4869. The NSA defines a set of Suite B algorithms for a range of government communications spanning from proprietary or personal data, to critical but unclassified, to secret to top secret. In short, if a vendor wants to be part of the U.S. federal government network, it must support Suite B. There is a very large list of vendors that support Suite B at various levels, all of which can be found on the FIPS 140-1 and FIPS 140-2 vendor list here.
Cisco Universal Power over Ethernet: Unleash the Power of Your Network
As Cisco’s VPN ISM supports Suite B in hardware, it’s highly likely that it’s the fastest implementation in the industry for IPsec applications, but this needs to be verified via independent lab performance test. Cisco claims that its VPN ISM support of Suite B is three to five times faster than its previous implementation.
The Economics of Networking
Enterprise Branch Office IPsec/SSL VPN Design Options
For enterprise branch office networks, the VPN ISM in the ISR G2 delivers VPN acceleration that support a greater number of mobile VPN clients while also reducing backhaul requirements to corporate offices/data centers. In short, IT architects will be able to support a larger number of faster VPNs connections. And with Cisco web access security service, ScanSafe, offloading public cloud VPN connections from corporate networks to the internet, less bandwidth will be used between branch offices and data centers, freeing up WAN bandwidth for private corporate application access and communication use.
VMready: Virtual Machine-aware Networking
The VPN ISM also fits into Cisco’s SecureX architecture. One of the key attributes of SecureX is distributed security enforcement to the closest enforcement point. In essence, security enforcement is pushed out throughout the network avoiding the pitfalls and vulnerabilities of centralized enforcement, delivering security services efficiently via the network. ISR G2 with ScanSafe was a proof point of SecureX’s distributed enforcement architecture attribute. VPN ISM is another proof point. Rather than connecting to a centralized head-end (Adaptive Security Appliance) ASA 5500 residing within a data center for all IPsec VPN connections and slowing down the WAN, a local branch office VPN ISM providing VPN connections offloads some of this IPsec VPN traffic from traversing the WAN. So in essence, the VPN ISM lightens the WAN load of VPN traffic, increases VPN performance and distributes security enforcement to the closest user point of network access.
Fit-for-Purpose Data Center Networking
Site-to-Site VPN Connections
While the above discussion focuses on IPsec VPN support, site-to-site VPN connectivity offers both security as well as the option for IT architects to choose to run IP traffic either over private WAN bandwidth such as MPLS, Frame Relay or private lines, or the internet via broadband connections, etc., to ISPs. The VPN ISM offers a range of site-to-site VPN options, including DMVPN (Dynamic Multipoint VPN) and GETVPN (Group Encrypted Transport VPN). DMVPN is primarily used for internet-based site-to-site VPN traffic via dynamic routing on tunnels while GETVPN is used for the transport of VPN traffic over private WANs via dynamic routing. DMVPN offers peer-to-peer protection while GETVPN offers group protection, thanks to their different encryption styles. Just to round out Cisco’s VPN technology, its EzVPN is the basis for its client-to-site AnyConnect IPsec offering, supporting software client VPN access for mobile and fixed endpoints.
Building Cloud-Scale Networks Using Open Fabric Architectures
VPN Branch Network Design Options
With the addition of Cisco’s VPN ISM within its popular ISR G2 and the hardware support of Suite B, Cisco should find a warm welcome from the U.S. federal government as it looks to speed up the various VPN connections supported with Suite B. For enterprise IT architects and designers, this module, along with Cisco’s ScanSafe, provides a range of design options to support various kinds of VPN traffic, be it client based for mobile and fixed endpoints or site-to-site. The VPN ISM module ranges in price between $2.0 to $4.5K list, but this module will be acquired via router bundles by most which affords reduction in price by some 20 to 40%. The IT architect could cost justify this upgrade with WAN arbitrage. That is the reduction of backhaul traffic over private WANs and its associated cost trades off WAN facilities operational cost for capital cost, which is usually a favorable trade-off, especially if the capital investment reduces operational cost by 15% annually. But in addition to economics, there is increased performance and greater scale of VPN connections. The tools available to IT architects—such as siphoning off web/cloud bound traffic via ScanSafe, reducing backhaul traffic, distributing security, choice of internet or private WAN VPN, etc.—thanks to VPN ISM, offer a range of WAN/VPN design options to meet various cost reduction and performance enhancement goals.
Understanding VXLAN Virtual-Physical-Cloud L2/L3 Networks