Today's networked applications such as voice and video are accelerating the need for instantaneous, branch-interconnected, and quality of service (QoS)-enabled WANs. And the distributed nature of these applications results in increased demands for scale. At the same time, enterprise WAN technologies force businesses to make a tradeoff between QoS-enabled branch interconnectivity and transport security. As network security risks increase and regulatory compliance becomes essential, Cisco® Group Encrypted Transport VPN, a next-generation WAN encryption technology, eliminates the need to compromise between network intelligence and data privacy.
With the introduction of Group Encrypted Transport, Cisco now delivers a new category of Virtual Private Network (VPN) that eliminates the need for tunnels. By removing the need for point-to-point tunnels, distributed branch networks are able to scale higher while maintaining network-intelligence features critical to voice and video quality, such as QoS, routing, and multicast. Group Encrypted Transport offers a new standards-based IP Security (IPsec) security model that is based on the concept of "trusted" group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship.
Group Encrypted Transport-based networks can be used in a variety of WAN environments, including IP and Multiprotocol Label Switching (MPLS). MPLS VPNs that use this encryption technology are highly scalable, manageable, and cost-effective, and meet regulatory-mandated encryption requirements. The flexible nature of Group Encrypted Transport allows security-conscious enterprises to manage their own network security over a service provider WAN service or to offload encryption services to their providers. Group Encrypted Transport simplifies securing large Layer 2 or MPLS networks requiring partial or full-mesh connectivity.
Key Features and Benefits
Group Encrypted Transport is built on standards-based technologies and easily integrates routing and security together in the network fabric. Secure group members are managed through an IETF standard, Group Domain of Interpretation (GDOI).
Simplifying the Security Policy Distribution
GDOI alleviates the need to configure tunnel endpoints. A key server distributes keys and policies to all registered and authenticated member routers (Figure 1).
Figure 1. Key and Policy Distribution with GDOI
By distributing policies from a centralized point and by sharing the same group security association with authenticated group members, key distribution and management are greatly simplified.
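As an added example (not from the data sheet and not Cisco's own reference configuration), a minimal Cisco IOS key-server and group-member configuration that shows the model described above: the policy and keys live only on the key server, and the branch member configures no peers, only the group ID and the key server address. All addresses, names and the group ID are placeholders, and the key server is assumed to already hold an RSA key pair labelled GETVPN-REKEY for signing rekey messages.

```cisco
! Key server (constructed example: 10.0.0.1, group ID 1234 and all names are placeholders)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK so any group member can register; use certificates (PKI) in production
crypto isakmp key GETVPN-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
! Global policy pushed to every member: "permit ip any any" encrypts all traffic (Table 1).
! Denies come first so GDOI control traffic (UDP 848) itself is never encrypted.
ip access-list extended GETVPN-POLICY
 deny udp any eq 848 any eq 848
 permit ip any any
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
   ! Time-based anti-replay: a group SA shared by many senders cannot use a per-peer counter
   replay time window-size 5
  address ipv4 10.0.0.1
!
! Group member (branch router): no peer addresses, only the key server and the group ID
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key GETVPN-PSK-PLACEHOLDER address 10.0.0.1
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
! A GDOI crypto map carries no peer or ACL; both arrive from the key server at registration
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface GigabitEthernet0/0
 description WAN-facing interface toward the provider
 crypto map GETVPN-MAP
```

After the member registers, `show crypto gdoi` on the member lists the policy ACL and keys it received, which is the quickest check that the central policy actually reached the branch.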
IP Routing Preservation
A Group Encrypted Transport-enabled security model uses the existing routing infrastructure rather than using the traditional IPsec overlay. Data packets maintain their original IP source and destination addresses (Figure 2). By preserving the original IP header in IPsec packets, Group Encrypted Transport enables organizations to rely on the existing Layer 3 routing information, thus providing the ability to address multicast replication inefficiencies and improving network performance.
Figure 2. IP Routing Comparison Between IPsec and Group Encrypted Transport
Additionally, Group Encrypted Transport helps ensure low latency and jitter for voice, video, and other latency-sensitive traffic by enabling direct, always-on communication between all sites without traversing a central hub site. Furthermore, it reduces traffic loads for multicast traffic across IP Layer 3 VPNs by eliminating the broadcast traffic replication usually required on IPsec-encrypted networks.
Table 1 summarizes the key Group Encrypted Transport VPN features.
Table 1. Key Features
Feature | Description
Group Domain of Interpretation | GDOI (RFC 3547) is the key management protocol that establishes security associations among authorized group member routers.
IP Header Preservation | The original IP header inside the IPsec packet is preserved.
Centralized Key and Policy Management | A centrally available key server, typically a head-end router, is responsible for pushing keys and re-key messages as well as security policies to authorized group member routers. Both local and global policies, applicable to all members in a group, are supported, such as "Permit any any", a policy to encrypt all traffic.
Key Server High Availability | The key server, responsible for pushing keys and policies, supports high availability by synchronizing keys and the policy database with a secondary key server.
Support for Anti-Replay | Anti-replay support protects against "man-in-the-middle" attacks.
Encryption Support | Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES)
Hardware Support
Hardware acceleration of IPsec encryption helps ensure that performance requirements are achieved. Cisco Systems® recommends hardware acceleration of IPsec whenever IPsec is employed. IPsec acceleration and the Group Encrypted Transport feature set are supported with the onboard encryption capabilities of the Cisco Integrated Services Routers, and the Cisco 7200 Series Routers and the Cisco 7301 Router with VPN modules. See Table 2 for acceleration support for Cisco routers.
Table 2. Cisco Hardware Support for GET VPN
Feature | Platform | Cisco VPN Acceleration
GET VPN Group Member | Cisco 870, 1800 Series, 2800 Series, and 3800 Series | Cisco VAM2+, Cisco VSA** (Cisco 7200 Series and 7301 routers)
* Cisco ISRs with Cisco AIM-VPN-HPII-PLUS, Cisco AIM-VPN-EPII-PLUS, and Cisco AIM-VPN-BPII-PLUS are supported; however, they do not accelerate the GDOI (RFC 3547) functionality.
** Cisco VPN Services Adapter (VSA) is supported on the Cisco 7200 Series routers and requires NPE-G2. It supports GET VPN starting from 12.4(15)T5 onwards (with the Advanced Security feature set or higher).
Cisco Group Encrypted Transport Benefits
In extending GDOI by encrypting and authenticating both multicast and unicast traffic, the Group Encrypted Transport provides benefits to a variety of applications:
• Provides data security and transport authentication, helping to meet security compliance and internal regulation by encrypting all WAN traffic
• Enables high-scale network meshes and eliminates complex peer-to-peer key management with group encryption keys
• For MPLS networks, maintains the network intelligence such as full-mesh connectivity, natural routing path, and QoS
• Grants easy membership control with a centralized key server
• Helps ensure low latency and jitter by enabling full-time, direct communications between sites, without requiring transport through a central hub
• Reduces traffic loads on customer premises equipment (CPE) and provider-edge encryption devices by using the core network for replication of multicast traffic, avoiding packet replication at each individual peer site
Applications
Private WAN Environments
Increased network security risks and regulatory compliances have driven the need for WAN transport security. Enterprise organizations that are either self-managing their own MPLS network or have purchased MPLS or private WAN services from a service provider can self-employ Group Encrypted Transport to help ensure data privacy while maintaining the any-to-any connectivity intrinsic in many private WANs. In doing so, organizations attain a much needed balance of control over security between their businesses and service providers while maintaining compliance with security regulations.
Public Internet Environments
For enterprise IPsec VPNs that traverse the public Internet, Group Encrypted Transport enhances Dynamic Multipoint VPN (DMVPN) and GRE-based site-to-site VPNs by providing manageable, highly scalable network meshing cost-effectively by using the group shared key. In this way, Group Encrypted Transport simplifies key management in large network deployments.
For a comparison of Cisco IPsec site-to-site solutions available for either tunnel-less or tunnel-based environments, view the Cisco Site-to-Site At a Glance document.
Management
In addition to providing monitoring and debugging capabilities for both group member routers and the key server, Cisco Group Encrypted Transport supports Easy Secure Device Deployment for secure device provisioning in PKI deployments. Future support will include Cisco Security Manager.
Feature Availability
Table 3 provides information about the availability of the Cisco Group Encrypted Transport feature set.
Table 3. Feature Availability
Feature | Platform Support | Availability | Cisco IOS Software
Group Encrypted Transport VPN | Cisco 870, 1800, 2800, 3700, 3800, and 7200 Series, and 7301 Routers | November 2006 | Release 12.4(11)T
Recommended Cisco IOS version: minimum of 12.4(15)T