ESTADO DEL ARTE DE LAS FACHADAS VENTILADAS

•

Using Cisco VPN products

Typical VPN Applications

The business applications that you choose to run on your VPNs go hand in hand with the type of VPN that you need to deploy. Remote access and extranet users can use interactive applica- tions such as e-mail, web browsers, or client/server programs. Intranet VPN deployments are designed to support data streams between business locations.

The benefits most often cited for deploying VPNs include the following:

•

Cost savings—Elimination of expensive dedicated WAN circuits or banks of dedicated modems can provide significant cost savings. Third-party Internet service providers (ISPs) provide Internet connectivity from anywhere at any time. Coupling ISP connectivity with the use of broadband technologies, such as digital subscriber line (DSL) and cable, not only cuts the cost of connectivity but can also deliver high-speed circuits.

•

Security—The cost savings from the use of public infrastructures could not be recognized if not for the security provided by VPNs. Encryption and authentication protocols keep corporate information private on public networks.

•

Scalability—With VPN technologies, new users can be easily added to the network. Corporate network availability can be scaled quickly with minimal cost. A single VPN implementation can provide secure communications for a variety of applications on diverse operating systems.

VPNs fall into three basic categories:

•

Remote access

•

Intranet

•

Extranet

The following sections cover these three areas in more detail.

Remote Access VPNs

Telecommuters, mobile workers, and remote offices with minimal WAN bandwidth can all benefit from remote access VPNs. Remote access VPNs extend the corporate network to these users over publicly shared infrastructures, while maintaining corporate network policies all the way to the user. Remote access VPNs are the primary type of VPN in use today. They provide secure access to corporate applications for telecommuters, mobile users, branch offices, and business partners. These VPNs are implemented over common public infrastructures using ISDN, dial, analog, mobile IP, DSL, and cable technology. These VPNs are considered ubiquitous because they can be established any time from practically anywhere over the Internet. E-mail is the primary application used by these connections, with database and office automation appli- cations following close behind.

Some of the advantages that might be gained by converting from privately managed networks to remote access VPNs are as follows:

•

Modems and terminal servers, and their associated capital costs, can be eliminated.

•

Long-distance and 1-800 number expenses can be dramatically reduced as VPN users dial

in to local ISP numbers, or connect directly through their always-on broadband connections.

•

Deployments of new users are simplified, and the increased scalability of VPNs allows

•

Turning over the management and maintenance of the dial-up network to third parties allows a corporation to focus on its business objectives rather than on circuit maintenance. Although there are many advantages, be aware of the following disadvantages when imple- menting a VPN solution:

•

IPSec has a slight overhead because it has to encrypt data as they leave the machine and decrypt data as they enter the machine via the tunnel. Though the overhead is low, it can impact some applications.

•

For users with analog modem connections to the Internet at 40 kbps or less, VPNs can cause a slight reduction to throughput speed because the overhead of IPSec takes time to process the data.

•

IPSec is sensitive to delays. Because the public Internet infrastructure is used, there is no guarantee of the amount of delay that might be encountered on each connection leg as the tunneled data traverse the Internet. This should not cause major problems, but it is some- thing to keep in mind. Users might need to periodically reestablish connections if delay thresholds are exceeded.

Remote access VPNs can initiate tunneling and encryption either on the dial-up client or on the network access server (NAS). Table 2-2 outlines some of the differences between the two approaches.

Table 2-2 Remote Access Models

Model Type Characteristics

Client-initiated model

Uses IPSec, Layer 2 Tunnel Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP) for establishing the encrypted tunnel at the client.

Ubiquitous. ISP network is used only as a transport vehicle for the encrypted data, permitting the use of multiple ISPs.

Data is secured end to end from the point of origin (client) to the destination, permitting the establishment of VPNs over any infrastructure without fear of compromise.

Third-party security software packages, such as Cisco’s VPN Client, can be used to provide more enhanced security than system-embedded security software like PPTP. A drawback is that you must install a VPN Client onto every remote user’s system. The initial configuration and subsequent maintenance require additional resources from an organization.

NAS-initiated model

VPNs are initiated at the service provider’s point of presence (POP) using L2TP or Layer 2 Forwarding (L2F).

Eliminates the need for client-based VPN software, simplifying installation and reducing administrative cost.

A drawback is that the data circuits from the POP to the client remain unprotected. Another drawback is that you must use the same service provider end to end, eliminating the Internet as a transport vehicle.

Figure 2-2 depicts the two types of remote access VPNs that can be accommodated by Cisco equipment and software.

Figure 2-2 Remote Access VPNs

Site-to-Site Intranet VPNs

You can use site-to-site intranet VPNs to connect remote offices and branch offices to the headquarters internal network over a shared infrastructure. These connections typically use dedicated circuits to provide access to employees only. These VPNs still provide the WAN characteristics of scalability, reliability, and support for a variety of protocols at a reduced cost in a flexible manner.

Intranet VPNs are typically built across service provider-shared network infrastructures like Frame Relay, Asynchronous Transfer Mode (ATM), or point-to-point circuits. Some of the benefits of using intranet VPNs include the following:

•

Reduction of WAN costs, especially when used across the Internet.

•

Partially or fully meshed networks can be established, providing network redundancy across one or more service providers.

•

Ease of connecting new sites to the existing infrastructure.

IPSec - PPTP - L2TP - Tunnel L2TP - L2F - Tunnel VPN Cloud (Internet, IP) Public Switched Telephone Network Client-Initiated VPN NAS-Initiated VPN NAS Home Office

Figure 2-3 shows a diagram of a typical intranet VPN network. The corporation manages the edge routers, providing flexible management and maintenance opportunities over intranet VPNs.

Figure 2-3 Intranet VPNs

Business-to-Business Extranet VPNs

Business-to-business extranet VPNs are the VPNs that give corporate network access to customers, suppliers, business partners, or other interested communities who are not employees of the corporation. Extranet VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs. The difference is found in the privileges that are extended to the extranet users. Security policies can limit access by protocol, ports, user identity, time of day, source or destination address, or other controllable factors.

Fixed, business-to-business connections and ubiquitous dial-up or broadband Internet connections are depicted in Figure 2-4.

Home Office Remote Office Remote Office VPN VPN VPN Internet/IP

Figure 2-4 Extranet VPNs

In document Análisis de Medidas de Ahorro Energético (MAES), aplicables a un edificio universitario de bajo consumo energético (página 72-81)