Security Services

Managed Secure MPLS Service

Service Approach

Cisco® Managed Secure MPLS service enables service providers to gain new revenues by offering a VPN service that encrypts any-site-to-any-site communications more efficiently and cost-effectively than ever before. The Managed Secure MPLS solution relies on a technology unique to Cisco called Group Encrypted Transport (GET), a next-generation WAN encryption technology that:

• Eliminates the need for routing tunnels.

• Offers a new, standards-based IP Security (IPsec) model that enables VPNs to scale higher while maintaining the network intelligence that is critical to voice, data, and video quality, including quality of service (QoS), routing, and multicast.

• Can be used with both IP and IP/Multiprotocol Label Switching (IP/MPLS). However, with MPLS VPNs, the feature brings higher scalability, manageability, and cost-effectiveness, and meets regulatory encryption requirements.

Why Is the Managed Secure MPLS Service Important?

Enterprise WAN technologies have traditionally forced companies to sacrifice transport security in favor of the network-intelligence features that anchor voice and video quality. These features include QoS, routing, and multicasting. Managed Secure MPLS removes the tradeoffs between security and network intelligence, allowing customers to enjoy better security, enhanced performance, and simpler management. These features are important because companies are looking for solutions to protect themselves from today's increasing network security risks and regulatory compliance requirements.
Managed Secure MPLS delivers these benefits by eliminating the need for point-to-point tunnels in VPNs. Without the tunnels required in past VPNs, Managed Secure MPLS can easily scale to accommodate new branches and extranet sites and yet still offer consistent, high-quality network intelligence. This capability enables customers to secure their communications across distributed networks, creating a contiguous trust model across group members on the private WAN, or secure communities of interest.
Managed Secure MPLS offers a new standards-based IPsec security model based on the concept of "trusted" group members (in this case, routers). Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship.

How Does Cisco GET VPN Work?

Cisco GET VPN is built on standards-based technologies and easily integrates routing and security into networks. Secure group members are managed through an Internet Engineering Task Force (IETF) standard, Group Domain of Interpretation (GDOI). Like the Internet Key Exchange (IKE), this key management protocol establishes security associations; however, whereas IKE establishes security associations per peer tunnel, GDOI performs the same function per authorized group.
GDOI alleviates the need to configure tunnel endpoints. A key server distributes keys and policies to all registered and authenticated member routers (Figure 1). By distributing policies from a centralized point and by sharing the same group security association with authenticated group members, service providers greatly simplify key distribution and management. The key server must be a Cisco "T" train router (preferably a Cisco 3800 Series Router with AIM-III/SSL or a Cisco 7200 Series Router with VAM2+ or VSA).
Up to eight redundant, geographically dispersed key servers can be deployed.

Figure 1. Key and Policy Distribution with GDOI

What Is the Cisco Managed Secure MPLS Service Offer?

The Cisco Managed Secure MPLS service is a good choice for businesses that need to protect data, voice, and video traffic across multiple locations and wish to deploy a VPN service that will encrypt traffic efficiently and more cost-effectively than businesses can do themselves.
MPLS VPN deployment for the Managed Secure MPLS service includes four options (Figure 2).

Figure 2. Modular, Flexible Managed Secure MPLS Offers and Service Layering

GET VPN Group Member Offer:

• Includes Cisco 7200 Series Routers and 7301 Integrated Services Routers (ISRs) deployed as customer premises equipment (CPE).

• Customer manages the key server and policies.

• The customer gets a secure WAN link, any-to-any connectivity that optimizes response time for voice, native IP multicast that allows video to scale over the WAN, control over key server policies, and the ability to comply with security regulations such as Payment Card Industry (PCI) Data Security Standard.

Service Provider Hosted Key Server Offer:

• Includes Cisco 7200 Series Routers and 7301 ISRs with security bundle deployed as key server.

• Provides higher scalability because the key server is not a barrier for encrypting data.

• Allows customers to be placed in separate groups because multitenancy is built into the key server.

• The customer is able to fully outsource WAN encryption service, minimize the technology expertise they need onsite, and focus technical personnel on core business activities.

Off-Net Integration Offer:

• Extends access to the secure VPN to locations without MPLS at the provider edge.

• Encrypts traffic end-to-end.

• Customer edge can be based on either standard IPsec or Dynamic Multipoint VPN (DMVPN) in a spoke architecture that supports dynamic routing updates.

• Customers can extend their MPLS network to remote locations with this offer, migrate to secure MPLS without losing off-net access functionality, and still comply with security regulations.

Encrypted Extranet Offer:

• Allows enterprise customers to create a secure extranet by extending the MPLS network out to suppliers, partners, and others.

• Lets customers restrict communications between partners (for example, enterprise-to-partner connections only).

• Satisfies customers currently deploying MPLS extranets, allowing them to migrate to secure MPLS without losing their extranet functionality.

Management of any of the Managed Secure MPLS service options is available through a customer portal that is managed and hosted by the service provider. Tools from UBIQube let the customer control provisioning, monitoring, and reporting for the managed service.

Solution Benefits for the Service Provider

Service providers can finally offer managed encryption for voice, data, and video applications without the provisioning or management hassles typically associated with VPNs. The Managed Secure MPLS service also:

Supports rapid time-to-market: Enables rapid addition of scalable and differentiated services to the service provider's managed services portfolio.

Simplifies instantaneous branch-to-branch communications: Helps ensure low latency and jitter by enabling full-time, direct communications between sites without requiring transport through a central hub.

Strengthens security: Provides encryption for MPLS networks while maintaining network intelligence such as full-mesh connectivity, natural routing path, and QoS and multicast support.

Offers management flexibility: Eliminates complex peer-to-peer key management with group encryption keys.

Simplifies security policy distribution: Using standards-based technologies, the Managed Secure MPLS solution integrates routing and security together in the network fabric, and GET eliminates the need to configure tunnel endpoints.

Operational simplicity and other benefits: Supports Lawful Intercept; optimizes network resource utilization for low overhead; the service provider edge and core are IPsec-independent; encryption support is not needed on provider-edge routers; encrypted traffic is demand-driven based on business "policy" enabled by the key server for user groups, providing greater solution flexibility; there is no need for "nailed-up" IPsec tunnels and no need for an Interior Gateway Protocol (IGP) overlay.

Solution Benefits for the Customer

With Managed Secure MPLS service, customers can enjoy better security, enhanced performance, and simpler management. Companies are faced with meeting regulatory compliance mandates for security and data integrity while at the same time seeing an increase in their use of performance-sensitive and real-time applications such as voice and video. In this environment, a more scalable and efficient encryption solution such as Cisco GET VPN is what businesses require.
For customers, the Managed Secure MPLS service:

Reduces capital costs: Upfront costs for equipment and implementation services with Managed Secure MPLS services are lower than they would be if companies made these investments and managed the service themselves.

Reduces operational costs: Encrypted multicast is carried with native IP headers, so enterprises avoid having to use the multiple parallel streams that IPsec tunnel-mode encryption involves, leading to lower costs and simpler administration.

Enables automated, integrated supply chains: Allows partners to easily extend their extranets into the private WAN, creating secure "communities of interest" or a contiguous trust model across the private and public networks.

Eliminates the learning curve: Service providers contribute the new expertise needed for customers to deploy and use the service and its associated products and technologies.

Enforces compliance with governmental regulations and privacy laws: Helps customers meet security compliance regulations by encrypting all WAN traffic without compromising network performance or QoS.

Makes encrypting traffic easier: Setting up encrypted links with a centralized key server is simple. Many enterprises do not encrypt these links today because of the hassle and administrative overhead involved.

Accelerates service setup: Branch-to-branch voice- and video-over-IP sessions can be rapidly connected. Other VPN technologies need significant time to set up calls.

Summary

When enterprises subscribe to the Managed Secure MPLS service, they no longer have to sacrifice security for network performance. Customers can allow their branches and partners to communicate with one another easily and yet still comply with security and privacy regulations by subscribing to the Managed Secure MPLS service.
Service providers that currently offer managed MPLS WAN service over Cisco technology are ideally positioned to easily deploy Managed Secure MPLS service using Cisco ISRs, which are already enabled for Cisco GET VPN deployment. In addition, these same routers can be used to provide additional long-term, revenue-generating services including other VPN services, managed firewall, wireless LAN, and managed voice.

Additional Information

Cisco Group Encrypted Transport VPN
http://www.cisco.com/en/US/products/ps7180/index.html
Cisco Group Encrypted Transport VPN (GET VPN) Design and Implementation Guide
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf