Cisco® Virtual Office is a highly scalable solution for medium and large organizations looking to provide teleworkers, small offices, and mobile users with office-like experience combining voice, video, wireless, and real-time data applications in a secure environment.
Cisco Virtual Office features zero-touch deployment, allowing enterprise IT staff to provision and manage large-scale deployments with improved efficiency. Multiple access methods for workers at home, workers at remote offices, or mobile workers can be aggregated into a converged VPN without the need for separate aggregation and management models. The solution integrates layered identity services that provide control over the devices and users that use the network, as well as the extent to which various users have access to resources in trusted and untrusted domains.
Cisco Virtual Office allows IT staff to extract full value out of the powerful technology integration within Cisco IOS® Software-based customer-premises-equipment (CPE) routers. The solution facilitates the deployment of voice, video, wireless, and security technologies as services that can be incrementally enabled on the CPE in response to changing business requirements. In addition, the solution achieves high scalability through addition of aggregation devices in a virtual farm in the data center. These devices help avoid additional truck rolls or expensive network upgrades and redesigns, reducing the total cost of ownership (TCO).
Cisco Virtual Office includes cookie-cutter design and implementation guides that render the solution fully deployable by customers. These best practices have been proven useful and have been refined over the years within Cisco's own successful teleworker deployment. In addition, advanced services from Cisco and partners provide life-cycle services for planning, design, implementation, remote management, and optimization.
Purpose and Scope
This document provides an overview of the Cisco Virtual Office solution components and capabilities, along with links to deployment guides containing configurations and image platform recommendations.
Requirements Addressed
Cisco Virtual Office is designed to meet the following challenges that medium to large organizations typically face:
• Scalability: As a business grows to new locations (national and international), the IP network services available to employees in various locations need to be consistent-allowing consistent secure access for users at corporate headquarters, remote sites, home offices, and public hotspots.
• A secure zero-touch deployment model is required to quickly proliferate CPE deployments to remote sites with no IT staff. Automation of ongoing operations through central network management, using push technology, is needed to simplify administration and keep costs low.
• Ability to deliver application performance required for latency and bandwidth-sensitive voice, video, and real-time data applications: This capability calls for advanced integration of VPN technologies with quality of service (QoS), IP Multicast, voice, and video services. The VPN architecture also needs to cater for CPE-based access as well as software-only access whether using IP Security (IPsec) or Secure Sockets Layer (SSL) VPN.
• Advanced threat defense solution covering proactive security, including firewalling and intrusion prevention system (IPS), as well as adaptive security to address new and unknown threats
• Complete control over the entities attempting to access the network at remote, off-campus locations where ascertaining physical identity is not possible: This control includes being able to limit access to certain devices or users, separate domains for employees and guests and families, and the ability to allow employees to use resources in untrusted domains without compromising security.
Cisco Virtual Office Solution Components
The Cisco Virtual Office solution consists of the following technology and services components:
• Zero-touch deployment (ZTD) and management: ZTD for IT and end users, the Cisco IOS Secure Device Provisioning (SDP) server, Cisco Configuration Engine, Cisco Security Manager, secure management tunnel, and central policy push and pull for changes
• Converged VPN: Dynamic Multipoint VPN (DMVPN) hub-and-spoke and spoke-to-spoke, spouse and kids, Easy VPN (IPsec VPN client and adaptive-security-appliance [ASA] interoperability), Enhanced Easy VPN with per-tunnel quality of service (QoS), and SSL VPN full-tunnel with Cisco Secure Desktop
• Layered identity: 802.1x, Authentication Proxy (Auth-Proxy), and public key infrastructure (PKI): Router, phone, and PC certificates; eTokens; stolen device and hacker lockout; Cisco Secure Access Control Server (ACS) (authentication, authorization, and accounting [AAA]); and Cisco IOS Certificate Authority Server
• Voice and video: IP phones, softphones, dual-mode cell phones with Session Initiation Protocol (SIP) or Skinny Client Control Protocol (SCCP) clients, Cisco Unified Video Advantage (UVA), Cisco Unified IP Phone 7985, Cisco IP/TV, SCCP video, H.323, QoS, and IP Multicast
• Wireless: Wireless access point; 802.11a/b/g; Wireless Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and WPA2 for enterprise and personal; and Cisco Secure Services Client with 802.1x
• Advanced Services: Planning, design and implementation services, remote management services, and security optimization service
These components are described in the following sections.
Zero-Touch Deployment and Management
The Cisco Virtual Office management solution is used for achieving zero-touch deployment, ongoing management, and "virtualization" for efficient use of server resources.
Cisco Security Manager and Cisco Configuration Engine Solution
For medium-sized and large deployments, you can provision the Cisco Virtual Office solution using the Cisco Security Manager. This enterprise VPN tool centrally provisions all aspects of device configurations and security policies for Cisco firewalls, VPNs, IPSs, and virtually any Cisco IOS Software feature through the use of flexible configuration templates.
Cisco Security Manager automatically configures Cisco Virtual Office spokes and hubs based on predefined global or individual policies. It audits device configuration for unallowed policy changes. It also allows the provisioning of thousands of devices. It can do deferred provisioning, meaning that it can prepare all policies for Cisco Virtual Office routers and be set in listening mode so that it automatically pushes policies when a spoke connects to the hub for the first time.
The Cisco Configuration Engine provides an automated and event-driven way to push predefined configuration files (or updates) to remote devices. It understands the Cisco Networking Services language and communicates with the spoke routers. It keeps track of all spokes connected to the corporate network, informing Cisco Security Manager of all events. It can also run tasks to automatically upgrade images for groups of devices.
Secure Device Provisioning Solution
Secure Device Provisioning is a critical component for achieving zero-touch deployment in the Cisco Virtual Office solution. It permits the end user to initiate the device provisioning from a remote site, without any Cisco Virtual Office administrator's touching the spoke, just starting with factory default configuration in the router.
You can use Secure Device Provisioning to securely push the initial bootstrap configuration to the remote-site router, install a new certificate, configure PKI trustpoint enrollment and IPsec VPN connectivity, and provision system attributes and other desired information to a new spoke router. The provisioning and bootstrap configuration establishes the management tunnel, and lets the spoke connect to the configuration engine to get the full configuration from there.
Secure Device Provisioning reduces the time and cost of deploying a secure network infrastructure by using a simple web-based enrollment and configuration-bootstrap interface. It involves less user intervention, thereby shortening provision time and lowering TCO.
More information about Zero-Touch Deployment and Management is available at:
The Converged VPN solution standardizes and scales the network by facilitating transparent integration of VPN technologies. You can integrate DMVPN, Easy VPN, and SSL VPN to provide a single, consolidated hub for the VPN deployment. This integration provides standardized and scalable support for all types of end users, including telecommuters, mobile workers, and workers at branch-office sites.
The baseline solution for teleworkers and small-office workers is based on Cisco DMVPN, which optimizes performance, reduces latency for real-time applications, and facilitates dynamic configuration. It reduces the maintenance and configuration on the hubs and uses QoS to provide the priority to the marked network and real-time sensitive applications.
Additional VPN designs that you can combine follow:
• DMVPN high-concentration hub: Cisco IOS Server Load Balancing (SLB) with integrated or distributed encryption
• Cisco Easy VPN for IPsec-based access for mobile users
• Cisco IOS SSL VPN for SSL-based access for mobile users
• Layer 2 Tunneling Protocol (L2TP) and IPsec for mobile phones capable of data VPN
In a Cisco Virtual Office solution, high-concentration hub services are recommended for larger networks (at least 3000 spokes) or for networks that require high bandwidth. If you want to maintain a single large network that allows spokes to belong to one DMVPN domain rather than splitting the network into multiple small segments, we recommend SLB-enabled hub stack support.
• SLB with distributed encryption: This type of encryption refers to the design wherein a Cisco Catalyst® 6500 running Cisco IOS SLB fronts a farm of Cisco 7200 Routers that perform termination of Internet Key Exchange (IKE), IPsec, DMVPN, Next Hop Resolution Protocol (NHRP), IP Multicast, and routing protocols. This model scales smoothly through the addition of Cisco 7200 Routers, maintaining N + 1 redundancy.
• SLB with integrated encryption: When customers want to incorporate hierarchical network design (for example, banking services in which certain branch offices terminate at a regional office and the regional offices terminate at the national office), a hub that has less capacity (in terms of the number of spokes it can handle) and that provides greater bandwidth is suitable. In this situation, a Cisco Catalyst 6500 Switch or Cisco 7600 Series Router with an IPsec VPN shared port adapter (SPA) for encryption is advised, along with a Cisco 7200 server farm for routing, NHRP, and multicast.
You can add modules such as the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) and Intrusion Detection System Module 2 (IDSM-2) to further enhance security.
Easy VPN provides access to both software and hardware clients, complementing the other VPN deployments. You can combine Easy VPN with DMVPN for the deployment of the Cisco Virtual Office solution. Easy VPN provides access to both software and hardware clients, complementing the regular DMVPN deployment.
When an existing Easy VPN deployment is based on Cisco IOS Software and you want to add DMVPN to the same hub, you can add DMVPN configuration to the same hub without affecting the existing Easy VPN setup. The converse is also true.
A converged Easy VPN and DMVPN Cisco Virtual Office solution is beneficial when you want to provide full-scale integrated access to both small office or home office (SOHO) teleworkers and mobile users using the same end-to-end secure solution setup. For SOHO users, Easy VPN or DMVPN can run on a home router, providing corporate access to the computers and IP phones connected to the home network. For mobile users, the Easy VPN client (software VPN client) installed on a laptop provides the desired connectivity, because that client can work from any location and will integrate well with the same solution.
With the addition of IPsec Dynamic Virtual Tunnel Interface (DVTI), Enhanced Easy VPN now supports IP Multicast and QoS as well.
Cisco IOS SSL VPN provides full-tunnel, client-based, secure access to the corporate network and resources. Mobile users, retail brokers, and extranet partners gain access from hotspots. The solution also includes Cisco Secure Desktop, which provides endpoint security by creating a virtual desktop or "sandbox" within which the end user works.
If users sometimes need mobile access to the corporate intranet from a public Internet access location, you can deploy SSL VPN as a complement to the DMVPN solution. The full-tunnel client is downloaded automatically without user intervention. You can combine the SSL VPN and DMVPN configurations in the same hub; however, the two technologies are completely independent from each other.
The Cisco IOS Software Dial Backup feature uses dialup service over a regular telephone wire to provide backup Internet connectivity if the primary Internet service provider (ISP) connection fails. In a Cisco Virtual Office-based DMVPN solution, the Dial Backup feature provides connectivity to the data gateway using the dialup network if the primary ISP connection fails. The primary ISP connection is usually a broadband connection. The bandwidth and speed provided by a dialup network are low and should be used mainly to provide secondary connectivity. Whenever connection to the ISP is restored, the tunnel to the data gateway using dialup connectivity is torn down, and the tunnel using the ISP is restored.
Management-Gateway High Availability provides an infrastructure for reliable and secure networks to provide transparent availability for the management gateway, helping ensure the spoke routers are always able to reach the network operations center (NOC) and obtain the latest updates.
The layered identity concept provides various CPE-, device-, and user-level security mechanisms that, in conjunction with perimeter security at the CPE, helps define the securely integrated Cisco Virtual Office Solution framework.
• PKI facilitates CPE-level authentication as part of VPN tunnel establishment. RSA keys and digital certificates are used to authenticate and authorize each CPE before it becomes part of the trusted network.
• Standard 802.1x and its Layer 2 and Layer 3 extensions provide IP device-level security for both the switch- and routed-port CPE.
• Authentication Proxy (Auth-Proxy) provides end-user security by authenticating users with Cisco Secure ACS before they are allowed to access corporate networks.
• USB-based eTokens provide CPE security by providing a location to store critical information such as digital certificates, RSA keys, and secondary configurations. You can enable this information on the CPE by the eToken login, safeguarding against the "stolen-box" scenario and preventing unauthorized users from setting up VPN access back to corporate headquarters.
• Cisco Secure ACS supports RADIUS and TACACS+ and provides the AAA capabilities that a secure network requires. Cisco Secure ACS maintains a central database to validate the user and device authentication and authorization required by PKI, 802.1x, 802.11 wireless authentication, and Auth-Proxy.
Cisco IOS PKI provides certificate management to support security protocols such as IPsec, Secure Shell (SSH) Protocol, and SSL. As defined in the IPsec protocol, the peers must be authenticated during IKE phase 1 to identify the validity before establishing the secure communication.
For a small number of Cisco IOS routers configured as IPsec peers,you can use Pre-Shared Keys (PSKs) to allow them to authenticate each other. However, for medium- to large-sized networks, PSK configuration increases in complexity and becomes difficult to manage; PKI offers a much more secure and scalable method, whether it is a full mesh of security connections for DMVPN or newly supported xVPN technology.
PKI is also better for spoke-to-spoke communication, or for enterprises deploying site-to-site VPN for hundreds of remote branch offices needing to communicate with each other. PKI reduces management overhead and simplifies the deployment of the network infrastructure by using digital-certificates exchange in place of Pre-Shared Keys for device authentication.
Standard 802.1x and its Layer 2 and Layer 3 extensions provide IP device-level security for both the switch- and routed-port CPE.
Using this feature, all the IP devices are classified as trusted or nontrusted, based on the 802.1x authentication status. When a new device becomes active on the network, the router initiates an 802.1x exchange. Depending on the 802.1x client running on the user device, the user is prompted for credentials. The credentials are then passed on to the router, which uses them to get authentication from a RADIUS server. Once the authentication is passed, the access device is considered a trusted device and is given more privileges, such as access to the corporate network.
If the device fails the authentication or is a clientless device, it is considered a nontrusted device. This device can be given fewer privileges, such as IP addresses from a separate Dynamic Host Configuration Protocol (DHCP) pool with access only to the Internet.
You can use a USB eToken to securely store files. The eToken can store X.509 digital certificates, configuration files, and RSA keys for PKI support. USB eToken files are securely encrypted, and a personal identification number (PIN) is necessary to unlock access to the configuration, keys, and credentials.
For the Cisco Virtual Office solution, you can use eTokens with Cisco integrated services routers to securely store the full router configuration, just one part of it, or just RSA keys for PKI support. eToken can also hold the initial bootstrap configuration of an integrated services router, which can be transferred to the router using Cisco Router and Security Device Manager (SDM), which optionally ships with new routers.
By removing the eToken from an integrated services router, you can drop the secure VPN tunnels right away or after a defined time, if RSA keys are stored in the eToken. This use of eToken is the most common one with Cisco Virtual Office.
Cisco Secure ACS Solution
A RADIUS server is required for different components of the Cisco Virtual Office solution, namely 802.1x, Auth-Proxy, 802.11 wireless authentication, and PKI-AAA authentication of routers. The 802.1x standard was discussed in the preceding section.
The Auth-Proxy feature is used for end-user authentication. You are allowed access to the corporate site only if you provide valid credentials. The credentials need to be verified by a RADIUS server. Upon verification of the credentials, appropriate permit access control entries (ACEs) are downloaded and applied on the remote spoke, granting the appropriate level of access. You can use PKI-AAA authentication for device authentication to check the validity of Cisco Virtual Office routers as part of secure session setup.
Voice and video capabilities are extended to remote sites through a secure network. This network supports wired and wireless voice-over-IP (VoIP) phones as well as Cisco IP Communicator softphones and the Cisco VT Camera.
Support is provided for SCCP and SIP based on Cisco Unified IP Phones, which are ready to be plugged in behind the CPE. Support is also provided for Cisco IP Communicator, a PC-based Cisco IP softphone solution, which supports only SCCP. Cisco wireless IP phones can connect directly to the integrated wireless access point in the Cisco Virtual Office CPE.
Critical aspects of the Cisco Virtual Office solution include:
• Voice VLAN providing secure identity and domain isolation for voice
• SCCP firewall inspection: Integrated security in the form of SCCP firewall support for Cisco wired, wireless, and video phones; for example, the Cisco Unified IP Phone 7971G-GE and 7895 models and the Cisco Unified Wireless IP Phone 7921G
• ALG and AIC: Extended security in the form of SIP application layer gateway (ALG) and application inspection and control (AIC) for Cisco SIP phones
• Mobile phones: Transparent, secure support for iPhone and dual-mode phones for mobile users
Cisco IOS Software services such as QoS, IP Multicast, Network Address Translation (NAT), Optimized Edge Routing (OER), and Cisco IOS IP Service-Level Agreement (IP SLA) combine with security services to enable support for voice and video applications behind a CPE (such as a remote router) within a secured network.
• QoS offers prioritization of real-time and latency-sensitive traffic (such as voice). QoS must be initially enabled for voice traffic, based on uplink bandwidth available from the ISP. The bandwidth usage depends on the codec; the most popular codecs are G.729 and G.711.
• IP Multicast services provide solutions for the secure support of IP Multicast applications over VPN technologies. Initial support for securing multicast combines generic routing encapsulation (GRE) over site-to-site IPsec VPNs; however, scalability is a concern when additional devices are included within a domain.
With the advent of new technologies, including DMVPN and Enhanced Easy VPN, you can enjoy the benefits of improved IP Multicast performance and scalability-and easy deployment.
In DMVPN, multicast packets are encapsulated within the GRE header and then encrypted when sent over the tunnel. This feature supports routing protocols and multicast data forwarding, and simplifies configuration management and scalability. However, the packets are replicated and then encrypted, limiting the number of multicast receivers in a multipoint GRE (mGRE) interface based on the router platform and stream bandwidth.
Enhanced Easy VPN (DVTI) dynamically creates a virtual interface, similar to a point-to-point GRE tunnel, when the session is established. Multicast forwarding is possible using this virtual interface. All you need to do is enable the configuration for the virtual tunnel interface (VTI) server as multicast in the template configuration.
• Firewall: Although a firewall access control list (ACL) in a Cisco Virtual Office-enabled CPE will block anything needed for these voice services (except the control messages), other security features (such as 802.1x and Auth-Proxy) should also bypass authentication confirmation from VoIP phones. Firewall inspection will open necessary ports to permit voice traffic after a call has been initiated. Zone-based firewall allows the creation of explicit zones; for example, trusted, untrusted, and DMZ, simplifying the policies and rules.
• NAT allows Cisco Virtual Office spokes and hubs to reside behind existing NAT devices and also allows the spokes and hubs to support split tunneling.
• Optimized Edge Routing (OER) chooses the best path when two or more physical or logical paths are available.
• IP SLAs provide support for performing network performance measurements.
Integrated secure wireless managed services focus on enabling wireless applications behind the Cisco Virtual Office-enabled CPE within a secure network. Strong security policies, which protect the company from rogue access points, intruders, unauthorized users, and unauthorized viewing of transmitted data, are required for enterprise wireless LANs. Cisco supports IEEE 802.1x authentication and numerous Extensible Authentication Protocol (EAP) types, providing a centrally managed, standards-based, open wireless network security scheme in addition to some of the earlier 802.11 WEP implementations.
Integrated secure wireless managed services provide support for Temporal Key Integrity Protocol (TKIP), which provides enhancements to 128-bit encryption such as per-packet key hashing, digital certificates on every frame, and rotation of broadcast keys in wireless access points to encrypt both unicast and broadcast packets. Several EAP types are supported, including Cisco LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), EAP-Transport Layer Security (EAP-TLS), EAP-Tunneled TLS (EAP-TTLS), Protected EAP (PEAP), and EAP-Subscriber Identity Module (EAP-SIM). The WPA standards-based solution addresses wireless LAN vulnerabilities and provides enhanced protection from targeted attacks. WPA uses TKIP for encryption.
Proactive security services provide secure LAN and WAN infrastructures for the Cisco Virtual Office solution. These security services help secure the remote CPE, IP devices, IP-based applications, and end users, vendors, and customers. Technologies include:
• Cisco IOS Firewall provides perimeter security by blocking unauthorized access to the end devices sitting behind the spoke router, thereby protecting the internal networks from security attacks. Advanced filtering functions include zone-based firewall, user-group firewall, and object group ACLs.
• Cisco IOS IPS features further strengthen perimeter security by monitoring permitted traffic for any malicious signatures in real time, and taking appropriate action.
Adaptive Security
The Cisco IOS Software-based threat defense solution delivered in the Cisco Virtual Office solution addresses the reactive security services. This solution uses the service of some network monitoring tools to maintain constant network security, recognize internal and external threats, and respond to any threats while alerting users to the concerns:
• Threat Information Distribution Protocol (TIDP) controllers and TIDP Mitigation Services (TMS) consumers work together to provide the transport and rules distribution mechanism for threat mitigation services using dynamic ACLs, IPSs, and OER redirection.
• You can provide mitigation action by using the TIDP or TMS XML-based threat file or the Cisco Flexible Packet Matching (FPM) feature.
Realize the full value of Cisco Virtual Office with support for deployment, operation, and ongoing optimization through services from Cisco and our approved partners.
As part of the Cisco Virtual Office solution, we help you successfully deploy and integrate headend solution components and guide you through automating the deployment and management of remote sites by providing support for planning, design, and implementation. We also help you reduce operating costs; keep devices working efficiently; and continually assess, tune, and evolve your Cisco Virtual Office to keep pace with changes in your business and evolving security threats through ongoing operational support and optimization.
