vpn david newson

Information about vpn david newson

Published on November 29, 2007

Author: Natalya

Source: authorstream.com

Content

Overview of Hub & Spoke and Related N3 Services:  Overview of Hub & Spoke and Related N3 Services Dave Newson, N3SP Technical Team Doc Ref ID: N3-XXX-XXX-XXX Version No: Status: Issue Date: 8th February 2006 Overview:  Overview Brief overview of N3 Hub & Spoke 1:1 operation Hub & Spoke 1:many Remote access services QoS Slide3:  CPE Aggregator (Primary) Primary Secondary MPLS Core ISDN Access AS ISDN N3 PoP #1 N3 PoP #2 Aggregator (Backup) NASP/LSP DC c 50 sites 57 N3 PoPs 14,000 end-customer sites N3 Network Background:  Background BMA directive that all Patient Identifiable Data (PID) must be encrypted over a WAN Applies to a secure MPLS-based WAN - N3 ‘National Applications’ have application-layer encryption - not considered part of the original N3 contract Many surgeries run legacy systems with PID c1000 ‘hub’ surgeries have ‘spoke’ surgeries which require access to data on the ‘hub’ site 2 Approaches For Encryption:  2 Approaches For Encryption SSL (TLS) - application layer encryption. Easier to work with NAT Strong application dependency IPSec - network layer encryption Encryption at network layer Oblivious to application type May not work with NAT (e.g. Microsoft state it is incompatible) N3 Main & Branch:  N3 Main & Branch Use 3DES IPSec (168 bit encryption) IPSec tunnel from N3SP hardware on main-site to branch-site IPSec client not required on end-user PC Two Distinct Solutions:  Two Distinct Solutions 1) For sites with a single branch site off the main site (around 80+% of the total) - IPSec tunnel between existing CPE routers = Catalogue Service N3-12-2 2) For sites with >1 branch site off the main site (<20% of the total) - new hardware (Nortel Contivity 1050) on main site - encrypted tunnels from branch site CPE router to Contivity on main site N3-12-2:  N3-12-2 Design agreed to be between N3-2-12 at main site (private circuit), with N3-2-10 (DSL) at branch site However, many main sites rolled out with N3-2-11. Have to make solution work irrespective of underlying Catalogue Services. N3-12-2 has …..:  N3-12-2 has ….. No new CPE Uses underlying CPE Of main site and branch site It requires additional configuration on existing routers N3-12-2 (slide 2):  N3-12-2 (slide 2) Other Catalogue Services must already be provisioned process Consists of applying IPSec configuration on both routers to form tunnel Route appropriate traffic via the IPSec tunnel All other traffic uses standard link ADSL Limitation:  ADSL Limitation ADSL has capped upstream throughput, irrespective of downstream bit-rate ADSL on main site limits upstream throughput (288 kb/s). This bandwidth must be shared with National Applications, Internet, e-mail etc. This may affect customer experience, but has been raised to Authority (i.e. SLAs have been softened) Hence - recommendation that Catalogue Service with private circuit used at site with servers Compatible Site types:  Compatible Site types Service designed for Catalogue Services: N3-2-3, N3-2-4, N3-2-12, N3-2-13, N3-3-2 and N3-3-3 -private circuits as primary at hub site. N3 advises customers to consider and check their primary circuit utilisation: N3-2-1, N3-2-2, N3-2-10, N3-2-11, N3-2-18 and N3-2-19. i.e. ADSL used for the primary circuit. Also compatible with:-N3-2-5, N3-2-14 and N3-3-4. i.e. Catalogue Services with a 10 Mb/s Ethernet as primary connection. Incompatible Site Types:  Incompatible Site Types Two limits. 1) Must not have ADSL at hub-site 2) To protect router can’t have 100 Mb/s accesses On hub-site, N3-2-12, - 13 and -14 Public Key Infrastructure (PKI) IKE Authentication Architecture:  Public Key Infrastructure (PKI) IKE Authentication Architecture Use Verisign-based certificates If Verisign trust me and Verisign trust you, then I can trust you Provides daily certificate revocation list If router stolen don’t accept the certificate Encryption keys changed on a daily basis So Who Does What? …...:  So Who Does What? …... Roles In Commissioning:  Roles In Commissioning Type 1 - Main/branch inter-site link:  Type 1 - Main/branch inter-site link Main & branch site connected via existing leased line Type 2 Healthnet branch solutions:  Type 2 Healthnet branch solutions Inter-site link from serial card on Healthnet router - put on hold Type 3 - Undeclared Connection:  Type 3 - Undeclared Connection As type 2, but customer has added own cards to Healthnet router Type 4 NHSnet connection to branch site:  Type 4 NHSnet connection to branch site Currently no connection exists between main & branch Migrate branch to N3, then add VPN if requested Application Issues:  Application Issues CfH accept that the VPN is a ‘secure transport’ service End-user likely to require LAN reconfiguration This is not remit of N3SP Need to engage LAN support team - before moving to N3 ‘main & branch’ Likely need for IP addressing Application Issues (2):  Application Issues (2) Microsoft say ‘IPSec incompatible with NAT’ N3SP strongly recommend re-addressing But will support NAT at main site can’t guarantee that every application will work Windows Networking - WINS:  Windows Networking - WINS Windows networking uses broadcasts on ports 137 and 138 to resolve host-names On bridged network broadcasts sent to all hosts Microsoft introduced WINS to solve on routed network WINS is process which runs on Microsoft server (doesn’t need dedicated server) Maps names to network addresses Windows Networking (2):  Windows Networking (2) Also possible to input static mappings into each PC - edit ‘LMHOSTS’ file Works, but limited scalability Document produced summarising this Needs to be thought through before order placed Definitely before order delivered SLAs:  SLAs In QoS model (wait until later in talk), Main & Branch treated as Default class traffic Prioritised lower than National Applications traffic Main & Branch 2:5:  Main & Branch 2:5 Similar concept for ‘main & branch 1:1’ But for cases with more sites Deploy Nortel Contivity 1050 on main site PC-based architecture, size of hardback book, throughput of 10 Mb/s IPSec Licence of 1-5 and 6-30 tunnels Main & Branch 2:5:  Main & Branch 2:5 Conceptually similar to 1:1 Hub site load put onto separate device Plugged into second LAN port IPSec tunnel from main site Nortel Contivity to Cisco router on branch site Application issues (eg WINS) identical **ADSL uplink speed is even more acute** If an issue with a single branch site Compounded with multiple branch sites Must have private circuit on site with servers Main & Branch 2:5:  Main & Branch 2:5 Main & Branch 2:5:  Main & Branch 2:5 Pilot sites now been deployed Summary of Main & Branch:  Summary of Main & Branch Main & Branch 1:1 uses an IPSec tunnel between existing Catalogue Services Main & Branch 2:5 introduces Nortel hardware on main site Discussed config of the VPN and fault-finding. Fault-finding is likely to evolve with experience of migrating clinical applications Main & Branch …..:  Main & Branch ….. Encryption puts high CPU load on router Currently not supported on 100 Mb/s circuits to protect routers Main & Branch designed for GP community Few GPs will have 100 Mb/s access! N3SP recognise customer demand for transfer of PID in more scenarios Info available on help guides on CRM Remote Access Solutions:  Remote Access Solutions Technical Details:  Technical Details IPSec tunnel from end-user PC to central infrastructure Nortel Contivity solution. Software client, hardware in core RADIUS + SecurID token for authentication Load balancing - connect to virtual IP address Traffic is decrypted into N3 Technical Details (2):  Technical Details (2) ISP must support IPSec (some block this on ‘consumer’ products) Recommend Ethernet-based solution (otherwise client issues) IP addresses allocated pool per NHS ‘entity’ Users may have different IP addresses each time they connect Ranges allow firewall changes to be made Remote Access:  Remote Access Moving Forward:  Moving Forward Deliver according to requirements agreed with CfH Doesn’t solve the problem of getting PID to a remote user Doesn’t solve the problem of getting PID to a roving user Looking at ways to use existing infrastructure to extend IPSec tunnel onto a customer site Moving Forward (2):  Moving Forward (2) Effectively making remote access one of the tunnels on a ‘main & branch’ Discussed in Jonathan Hyde’s talk Quality of Service:  Quality of Service Why Do We Need QoS?:  Why Do We Need QoS? Internet has limited control of bandwidth All applications fight for available b/w Greedy applications will steal all bandwidth short round trip time VoIP/video - UDP No guarantees for critical applications Sporadic performance A set of tools to give better bandwidth utilisation Not a panacea - doesn’t invent bandwidth! What is Quality of Service (QoS)?:  What is Quality of Service (QoS)? Ability of a network to service applications efficiently without affecting its functions or performance All about guaranteeing performance in case of congestion Points of congestion Access (to & from network) – bandwidth in LAN and core typically larger than access Core – usually adequately dimensioned but congestion can occur in case of unexpected traffic patterns and core failures E.g. 10/100 Mbps Ethernet LAN connecting to 2 Mbps WAN link QoS (2):  QoS (2) QoS guarantees performance by prioritising applications on network performance requirements in case of congestion Performance or priority levels are called Classes of Service What is DiffServ?:  What is DiffServ? Architecture for scalable service differentiation in IP networks Uses first 6 bits in Type of Service (TOS) field in IP header 6 “Classes of Service” with recommended DSCP values defined Expedited Forwarding (EF) class for VoIP 4 Assured Forwarding (AF1..AF4) classes for guaranteed data Default class (DE) for best effort data Low drop probability (AFx1) Medium drop probability (AFx2) High drop probability (AFx3) Does not define end-to-end services; can be different for each implementation DiffServ Code Points (DSCP) ‘Per Hop Behaviours’ (PHBs) IETF standard DiffServ:  DiffServ Three priority levels within each AF class N3 DSCP 6-CoS Overview:  N3 DSCP 6-CoS Overview N3 Class of Service model based on Differential Services (DiffServ) standards Provides 6 Classes of Service for customer applications and separate class for management traffic N3 QoS Levels:  N3 QoS Levels The 6 classes:- VoIP class Multimedia class for real-time video applications Transactional National Applications Transactional Community Applications Bulk data transfer (eg PACS) Default class N3 DSCP 6-CoS Model:  N3 DSCP 6-CoS Model Voice Assured Data 4 Assured Data 1 Assured Data 2 Standard Data DiffServ PHB: EF DiffServ PHB: AF1 DiffServ PHB: AF2 DiffServ PHB: AF4 DiffServ PHB: DE ‘Toll quality’ Voice over IP applications Mission-critical data applications E.g. National Applications Standard data applications E.g. Mail, Web, FTP PACS, Community applications, multimedia Multimedia Assured Data 3 DiffServ PHB: AF3 Slide47:  In contract Out of contract Future Use Any Questions?:  Any Questions? Slide49:  Document Details: Version History: Distribution List:

Related presentations


Other presentations created by Natalya

Value Added Presentation
02. 10. 2007
0 views

Value Added Presentation

zly0105z1
09. 10. 2007
0 views

zly0105z1

N2TUG SW Roadmap1
28. 11. 2007
0 views

N2TUG SW Roadmap1

mastery learning
12. 12. 2007
0 views

mastery learning

12 Short term scheduling
12. 12. 2007
0 views

12 Short term scheduling

Dot Net Nuke at dot MUGS
25. 10. 2007
0 views

Dot Net Nuke at dot MUGS

haas intro
25. 10. 2007
0 views

haas intro

Rome intro 3 13 07 deu
30. 10. 2007
0 views

Rome intro 3 13 07 deu

punicwars
30. 10. 2007
0 views

punicwars

1515 1530 FASSINA
01. 11. 2007
0 views

1515 1530 FASSINA

AMOS
01. 11. 2007
0 views

AMOS

JCOMM SOT CO2 panel
05. 11. 2007
0 views

JCOMM SOT CO2 panel

Halloween Flyer 2007
06. 11. 2007
0 views

Halloween Flyer 2007

13 Bourquin Switzerland
25. 10. 2007
0 views

13 Bourquin Switzerland

Automotive Sweden
16. 11. 2007
0 views

Automotive Sweden

MADHYA PRADESH
20. 11. 2007
0 views

MADHYA PRADESH

RawMilk
21. 11. 2007
0 views

RawMilk

PROJECT
21. 12. 2007
0 views

PROJECT

M Flores
24. 12. 2007
0 views

M Flores

lrfd
28. 12. 2007
0 views

lrfd

Lect 11 Lexicography Terminology
05. 12. 2007
0 views

Lect 11 Lexicography Terminology

CIEE MSU CIP Pres Nov 2005
28. 12. 2007
0 views

CIEE MSU CIP Pres Nov 2005

More than H2O Presentation
02. 01. 2008
0 views

More than H2O Presentation

Solubility Equilibria
03. 01. 2008
0 views

Solubility Equilibria

TWB Mining Activities
23. 11. 2007
0 views

TWB Mining Activities

Power Quality Troubleshooting
05. 01. 2008
0 views

Power Quality Troubleshooting

Fuller
07. 01. 2008
0 views

Fuller

Jy EI
07. 01. 2008
0 views

Jy EI

The First Punic War
31. 10. 2007
0 views

The First Punic War

gramlect5
27. 11. 2007
0 views

gramlect5

Biodiesel Blending Quick Guide
07. 11. 2007
0 views

Biodiesel Blending Quick Guide

skos presentation xmluk 200512
06. 12. 2007
0 views

skos presentation xmluk 200512

DHawkins present
18. 12. 2007
0 views

DHawkins present

Meteorites 2
15. 11. 2007
0 views

Meteorites 2

ISAT501
24. 10. 2007
0 views

ISAT501

PresentationITEBELon s071005
24. 02. 2008
0 views

PresentationITEBELon s071005

molin
27. 02. 2008
0 views

molin

rutledge
05. 03. 2008
0 views

rutledge

1B Look at water and its cont
04. 01. 2008
0 views

1B Look at water and its cont

TELEBALT
14. 03. 2008
0 views

TELEBALT

tm4
27. 03. 2008
0 views

tm4

articles 58466 CAI
30. 03. 2008
0 views

articles 58466 CAI

4 9
13. 04. 2008
0 views

4 9

Agenda 6b ec volkan
26. 11. 2007
0 views

Agenda 6b ec volkan

Internet and Digital Print
12. 11. 2007
0 views

Internet and Digital Print

PhDSeminar
04. 01. 2008
0 views

PhDSeminar

malvezzi icatpp 2005 ppt
29. 10. 2007
0 views

malvezzi icatpp 2005 ppt

09 12 07
05. 11. 2007
0 views

09 12 07

BetterBartenderprese ntation
17. 12. 2007
0 views

BetterBartenderprese ntation

bncEDIIntro
05. 11. 2007
0 views

bncEDIIntro

Dubna05
14. 11. 2007
0 views

Dubna05

Neoclassicisme
01. 10. 2007
0 views

Neoclassicisme

class
29. 11. 2007
0 views

class

IV 2 3 Weidner PMO
06. 11. 2007
0 views

IV 2 3 Weidner PMO

12 30 06
26. 11. 2007
0 views

12 30 06

menou k
01. 12. 2007
0 views

menou k

P C Wkshopsb
23. 11. 2007
0 views

P C Wkshopsb

Europe1914on
23. 12. 2007
0 views

Europe1914on

Cyber Security Haunted House
02. 11. 2007
0 views

Cyber Security Haunted House

CCIRDec05v2
28. 11. 2007
0 views

CCIRDec05v2

ps Hawaii public version
27. 12. 2007
0 views

ps Hawaii public version