Featured Products by Lucent Technologies

Access Point™ QVPN Builder

Centralized Internet VPN Policy Manager

Access Point™ QVPN Builder™ is a centralized Internet VPN policy manager that allows businesses and network service providers to realize the full potential of the Internet in building secure, high performance intranet, extranet and other e-business applications. Its management application components include the VPN Tunnel Manager™ and the Firewall/QoS Manager™, which build/define secure tunnel profiles, and build/manage firewall and bandwidth manager configurations, respectively.

Features

  • Centralized, policy-enabled VPN management
    Enables large-scale implementation of secure IP VPNs with centralized, policy-enabled provisioning of VPN security, firewall and Quality of Service (QoS) rules.

  • Reduced complexity and cost of ownership
    Greatly reduces the provisioning time and expertise required by allowing an operator to centrally define simple policy-based rules.

  • Secure, non-disruptive configuration management
    Policies are automatically translated into site-level configurations that are pushed to individual Access Point QVPN routers over a secure SNMP v3 link.

  • Comprehensive traffic monitoring
    Provides real-time monitoring of VPN tunnel and firewall/QoS status, configuration state and VPN traffic levels.

The VPN Policy Management Challenge

Internet/IP Virtual Private Networks (VPNs) offer the prospect of broad, global reach with flexible any-to-any connectivity for an enterprise and its employees, business partners, and customers. Internet VPNs bring these benefits at a much lower cost than traditional network services. But until now the complexity associated with building large scale site-to-site VPNs has limited the widespread deployment of VPN services.

An important challenge has been the time, cost, and level of expertise required to provision the necessary VPN security profiles, firewall rules, and QoS attributes of even a modestly sized VPN. The manual, or at best, semi-automated tools typically available, require expert personnel and are prone to error. Even when configured correctly, loading configurations onto a VPN router is often disruptive. And the operational overhead is not confined to the initial configuration of the network. As new sites or user communities are added to the VPN the burden of moves, adds, and changes is similarly onerous. For a large network, just maintaining an accurate record of the network topology can be an administrative nightmare.

QVPN Builder addresses these challenges with a centralized VPN provisioning tool that eliminates the operational complexities associated with deploying large-scale site-to-site Internet VPNs. It provides the ability to define the tunnel and security profiles, firewall rules, and QoS policies of a VPN from a single, centralized provisioning station. Complex site-by-site configurations are replaced with simplified, policy level rules. QVPN Builder then automatically creates the necessary configurations and securely distributes them to the sites of the VPN.

QVPN Builder is a unique enabling technology that allows businesses and network service providers to realize the full potential of the Internet in building secure, high performance intranet, extranet and other e-business applications. It includes two major management application components:

  • VPN Tunnel Manager builds and defines the profiles of the secure tunnels that form the VPN.

  • Firewall/QoS Manager builds and manages firewall and bandwidth manager configurations.

VPN Tunnel Manager

To build a secure IP VPN, an IPSec tunnel must be explicitly defined for each pair of IP subnets that are to communicate securely over the network. A subnet could represent a department, such as finance, that needs a secure connection to finance groups at other sites around the enterprise. Every VPN endpoint (gateway or router) must be configured with a long list of parameters for each IPSec tunnel it terminates. While this is a minor irritation for a small number of sites, the number of tunnels grows roughly with the square of the number of subnets across the sites. For example, a fully meshed VPN connecting 5 sites each with 2 subnets requires 40 tunnels to be defined; a VPN connecting 50 sites each with 3 subnets requires more than 11,000 tunnels to be configured!

VPN Tunnel Manager addresses this challenge by introducing centralized policy management to tasks that were previously carried out manually at a site-by-site level. The result is greatly reduced time and effort to provision a VPN. As an example, a 30-site VPN that takes over 60 hours to configure using existing procedures can take only 30 minutes with VPN Tunnel Manager. A new site can be added in less than five minutes. And best of all, service to users is improved, with no need to schedule downtime for network maintenance, and without disruption and degraded service from misconfiguration.

Building secure VPN tunnels

The VPN Tunnel Manager allows the administrator to create a VPN in three simple steps:

Step 1: Centrally define the VPN security policies

The VPN Tunnel Manager first allows the administrator to centrally create the policies associated with the VPN. The policies are defined on a network-wide basis in the form of high-level profiles that define the VPN participants, the topology of the VPN, and the security requirements. VPN members are identified by their IP address and by a list of local subnets to be included in the VPN. The basic VPN topology is then defined as a full mesh, hub and spoke, or hybrid of the two for the sites defined. The security profile defines the encryption algorithm and type of authentication, if any, to be used. It further identifies whether pre-shared keys are to be automatically generated on behalf of the administrator.

Step 2: Click to Build

One click, and QVPN Builder automatically translates the policy definitions into device specific configurations for the Access Point QVPN routers in the network. With a second click, it automatically distributes the configurations quickly and securely to the endpoint devices using SNMP v3, and loads them non-disruptively. The distribution process is completed within minutes.

Adding, deleting and changing definitions is quick and easy. Any tunnel definition can be modified without disrupting traffic flow elsewhere in the network. Once the modification is entered, it is downloaded to the appropriate sites upon operator command.

Step 3: Review the results

With VPN Tunnel Manager, network administration is greatly simplified. Network status is displayed in a clear and easily understandable form. Network activity is also monitored, and the traffic flow through each tunnel can even be displayed graphically.
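The tunnel arithmetic above (40 tunnels for 5 sites with 2 subnets each, over 11,000 for 50 sites with 3) and the three-step policy-to-configuration flow can be made concrete with a small model. The following is an added example, not Lucent code: it takes a network-wide policy (members identified by gateway address and local subnets, a topology of full mesh, hub and spoke or hybrid, and a security profile with optional pre-shared key generation), expands it into one tunnel definition per subnet pair, and groups the result per gateway so that every tunnel appears in both peers' configurations. The field names, the exact hub-and-spoke and hybrid rules, the algorithm labels and the sample addresses are all assumptions made for the example.

```python
# Added illustrative example (not Lucent's code): expand a network-wide VPN
# policy (members, topology, security profile) into per-subnet-pair IPsec
# tunnel definitions and per-gateway configuration lists. Field names,
# topology rules, algorithm labels and sample addresses are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations, product
import secrets


@dataclass(frozen=True)
class Member:
    name: str            # site label
    gateway: str         # public address of the site's VPN endpoint
    subnets: tuple       # local subnets (CIDR strings) included in the VPN


@dataclass(frozen=True)
class SecurityProfile:
    encryption: str = "3des-cbc"   # illustrative algorithm names only
    auth: str = "hmac-sha1"
    generate_psk: bool = True      # auto-generate a pre-shared key per tunnel


def site_pairs(members, topology, hubs=(), meshed=()):
    """Return the set of site pairs that must be joined by tunnels.

    full-mesh:      every site to every other site
    hub-and-spoke:  each spoke to each hub; hubs meshed among themselves
    hybrid:         hub-and-spoke plus a full mesh among the 'meshed' sites
    (These topology rules are assumptions for this example.)
    """
    by_name = {m.name: m for m in members}
    pairs = set()
    if topology == "full-mesh":
        pairs.update(combinations(members, 2))
    elif topology in ("hub-and-spoke", "hybrid"):
        hub_members = [by_name[h] for h in hubs]
        pairs.update(combinations(hub_members, 2))
        for spoke in members:
            if spoke.name not in hubs:
                pairs.update((hub, spoke) for hub in hub_members)
        if topology == "hybrid":
            pairs.update(combinations([by_name[n] for n in meshed], 2))
    else:
        raise ValueError(f"unknown topology {topology!r}")
    # Normalise ordering so (a, b) and (b, a) count as the same pair.
    return {tuple(sorted(p, key=lambda m: m.name)) for p in pairs}


def build_tunnels(members, profile, topology, hubs=(), meshed=()):
    """One tunnel definition per (local subnet, remote subnet) pair."""
    tunnels = []
    ordered = sorted(site_pairs(members, topology, hubs, meshed),
                     key=lambda p: (p[0].name, p[1].name))
    for a, b in ordered:
        for sa, sb in product(a.subnets, b.subnets):
            tunnels.append({
                "local_gw": a.gateway, "local_net": sa,
                "remote_gw": b.gateway, "remote_net": sb,
                "encryption": profile.encryption, "auth": profile.auth,
                # 128-bit random PSK generated on the administrator's behalf
                "psk": secrets.token_hex(16) if profile.generate_psk else None,
            })
    return tunnels


def device_configs(tunnels):
    """Group tunnels per gateway; each tunnel is installed on both peers."""
    configs = defaultdict(list)
    for t in tunnels:
        configs[t["local_gw"]].append(t)
        mirrored = dict(t, local_gw=t["remote_gw"], local_net=t["remote_net"],
                        remote_gw=t["local_gw"], remote_net=t["local_net"])
        configs[t["remote_gw"]].append(mirrored)
    return dict(configs)


def sample_members(n_sites, subnets_per_site):
    """Constructed sample data using documentation address ranges."""
    return [Member(f"site{i}", f"198.51.100.{i}",
                   tuple(f"10.{i}.{j}.0/24" for j in range(subnets_per_site)))
            for i in range(1, n_sites + 1)]


def tunnel_count(n_sites, subnets_per_site, topology="full-mesh",
                 hubs=("site1",)):
    members = sample_members(n_sites, subnets_per_site)
    return len(build_tunnels(members, SecurityProfile(), topology, hubs))


if __name__ == "__main__":
    print(tunnel_count(5, 2))                   # 40, as in the text
    print(tunnel_count(50, 3))                  # 11025, "more than 11,000"
    print(tunnel_count(5, 2, "hub-and-spoke"))  # 16 with one hub
```

The full-mesh counts reproduce the figures in the text; the hub-and-spoke count shows why topology choice matters for provisioning effort. Because the mirrored entry copies the same pre-shared key, both peers of a tunnel always receive matching secrets, which is exactly the consistency that manual site-by-site configuration gets wrong.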

Firewall/QoS Manager

In a large VPN, it is time-consuming and costly to create complex firewall configurations on a site-by-site basis. Each time new users, applications, or security policies are added, every node in the VPN must be updated. In addition, the more complex the rules, the more likely it is that errors will introduce security holes into the network. The same operational challenges apply to implementing QoS policies. Once access is allowed, it may be important to restrict or monitor the bandwidth allowed for different VPN applications or users.

The Firewall/QoS Manager addresses this challenge by allowing firewall and QoS policies to be centrally provisioned using simple, policy level configuration rules. These policies are then translated automatically into specific firewall/bandwidth management configurations, and pushed securely and non-disruptively to the Access Point QVPN router sites around the network. The time, and therefore cost, of ownership, along with risk of configuration errors, are greatly reduced.

Building firewall and QoS configurations

With the QVPN Builder Firewall/QoS Manager, firewall and bandwidth QoS provisioning is reduced to three simple steps:

  • The administrator first defines the rule sets and the communities to which the rules apply.

  • Firewall/QoS Manager automatically translates these policies into configuration files for individual routers. These configurations can be modified where individual routers have specific requirements.

Step 1: Centrally define firewall/QoS rules

With Firewall/QoS Manager, the administrator separately defines the rule sets that apply to the VPN and the communities to which the rules are applied.

For example, each site might have a highly secure Corporate LAN and a separate demilitarized zone (DMZ) available for open Web and email access, each uniquely defined by a set of IP addresses. These "associations" provide a simple, high-level definition of where a rule may be applied. The rules, or actions, are then defined in a single, centrally managed policy screen. For example, a network rule could allow only secure VPN traffic coming from the WAN to access the corporate LAN. A second policy could allow any traffic coming from the LAN to access the DMZ. A third policy might specify that traffic coming from the wide area to the Web can only access 256 Kbps of bandwidth to assure other bandwidth availability for high-priority secure VPN traffic.

Step 2: Click to build

One click, and Firewall/QoS Manager automatically translates the rule set into device specific configurations for the Access Point QVPN routers in the network. With another click, Firewall/QoS Manager then automatically distributes the configurations quickly and securely to the endpoint devices using SNMP v3, and loads them non-disruptively, completing the distribution process within minutes.

Adding, deleting and changing definitions is quick and easy. Any QoS/Firewall definition can be modified in definition view without disrupting traffic flow elsewhere in the network. Once the modification is entered, implementation is automatic and rapid.

Step 3: Review the results

Traffic through the routers is automatically monitored by each Access Point, and displayed by QVPN Builder in a clear and easily understandable form.

Benefits to Network Administrators

For network administrators, QVPN Builder improves operating margins by reducing the associated costs.

For network service providers with up to 1,000 sites supported per VPN customer definition, scalability is no longer an issue. This makes large-scale secure VPN services viable for the first time. With hundreds of customers supported per management system, multiple customers can be supported from a shared infrastructure. Since the underlying complexity is invisible to network administrators, the network can be tailored to meet the specific needs of each VPN customer network.

fraction of previous levels, network providers will benefit from a dramatic fall in operating costs, while staffing problems will be further reduced by the lower levels of expertise required. The elimination of manual configuration errors and disruptive site-by-site reboots will bring the direct financial gain that comes with superior customer service.

The outstanding benefit QVPN Builder brings is in expanding the market for VPN services. With QVPN Builder, enterprises can outsource applications they would otherwise have to retain in-house.

QVPN Builder Implementation

QVPN Builder is a stand-alone Java-based application that runs on Solaris/UNIX and NT platforms.

Platform Requirements for Access Point QVPN Builder

  • Windows NT 4.0
    Service Pack 3 or greater
    400 MHz processor
    80 MB disk space
    128 MB memory

  • Solaris 2.6
    Ultra Sparc 10
    100 MB disk space
    256 MB memory


Network Systems Integration
Land-mail: 2245 First Street, Suite 202, Simi Valley, CA 93065
Phone 1-805-579-1030 - Fax 1-805-527-9243
e-Mail: info@nsi-solutions.com
