Cisco Systems, Inc.
Exhibit 1014
Page 1 of 46
Virtual Private Networks
Making the Right Connection

Dennis Fowler
netWorker Magazine,
Association for Computing Machinery

MORGAN KAUFMANN PUBLISHERS, INC.
San Francisco, California
Senior Editor: Jennifer Mann
Director of Production and Manufacturing: Yonie Overton
Production Editor: Cheri Palmer
Editorial Assistant: Karyn Johnson
Cover Design: Ross Carron Design
Cover Image: © Patrick Ingrand/Tony Stone Images
Text Design: Side by Side Studios
Copyeditor: Jeff Van Bueren
Proofreader: Jennifer McClain
Composition and Illustration: Technologies ’n Typography
Indexer: Ty Koontz
Printer: Courier Corporation

Designations used by companies to distinguish their products are often claimed as trademarks or registered trademarks. In all instances where Morgan Kaufmann Publishers, Inc. is aware of a claim, the product names appear in initial capital or all capital letters. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.

Morgan Kaufmann Publishers, Inc.
Editorial and Sales Office
840 Pine Street, Sixth Floor
San Francisco, CA 94104-3205
USA

Telephone: 415 / 392-2665
Facsimile: 415 / 982-2665
Email: mkp@mkp.com
WWW: http://www.mkp.com
Order toll free: 800 / 745-7323

© 1999 by Morgan Kaufmann Publishers, Inc.
All rights reserved
Printed in the United States of America

03 02 01 00 99    5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of the publisher.

Library of Congress Cataloging-in-Publication Data

Fowler, Dennis.
Virtual private networks : making the right connection / Dennis Fowler.
p. cm.
Includes bibliographical references.
ISBN 1-55860-575-4
1. Extranets (Computer networks) 2. Business enterprises—computer networks. 3. Internet (Computer network) 4. Computer networks—Security measures. I. Title.
TK5105.875.E87F69 1999
650’.0285’46-DC21    99-13845 CIP
Preface

Almost lost in the glare and thunder of the Web is the fact that, at its heart, the Internet is a communications medium. Like the telephone network, it can serve many functions. Several years ago a few pioneering businesses and organizations discovered that, by using the public infrastructure of the Internet and its ilk, they could tie offices and facilities together in a new, exciting, cost-effective way, no matter where they were located, by building virtual private networks (VPNs). VPNs use robust, redundant public networks such as the Internet, instead of expensive and vulnerable leased lines, for their wide area networks and extranets. These businesses also discovered that, by letting their road warriors log on to the home network through the Internet, they could be freed from the expensive tyranny of long-distance dial-up telephone networks for remote access to the home network.

This interest caught the attention of Internet and networking service providers and of major networking hardware and software developers and vendors, all of whom are now feeding this burgeoning market. These include communications giants such as AT&T, MCI, and Sprint; networking hardware stalwarts such as Cisco and 3Com; software players such as Microsoft, Check Point, and Novell; and hundreds of others.

As VPN technologies have developed, so, too, has massive confusion—confusion as to just what a VPN is, what it can do for you, and how to implement one.

This book is intended to clear away the confusion. It explains what VPNs are, what they can do for you, and how they work, and it lays out the choices you have in planning and implementing your own virtual private network. The book also tells you what to expect once you have a VPN up and running. It covers both the positive side of VPNs and the pitfalls to avoid as you consider this technology.
Audience

The book is aimed at executives, managers, and upper-level technicians who are unfamiliar with VPNs and the technologies that make them possible. If you are a manager looking for a way to connect your office network in New York with the factory in Potstown, or you are trying to cut the phone bills of your reps around the country, this is the book for you. It shows you how you can give your mobile sales force direct access to the home office network so they have the latest product information. It explains how the Internet can be used to tie together the local area networks in your satellite facilities into one super network so that the entire workforce can be brought to bear on an opportunity or problem.

A Road Map

To simplify your reading, the book is divided into three sections. If you are a manager or an executive unfamiliar with VPNs, you should begin at the beginning. The first three chapters will show you just exactly what a VPN is and, drawing on real-life examples of VPNs in use today, what it can do for you. To keep you from getting too rosy a view of the situation, however, you will also see that VPNs have their risks, just as they have their rewards. We attempt to give you a balanced perspective so that you can make a reasonable decision as to whether a VPN is really what you want to get involved with.

Chapter 4 is a bridging chapter, of interest to executives and managers as well as to the more technically oriented. It discusses the choices of networks you have for implementing your VPN. While it does carry information for the technically inclined, this information is also important for managers as well, to help them understand that the Internet is not necessarily the best choice for a VPN substrate, that there are other options that it is important to explore, what those options are, how they work in comparison to the Internet, and the advantages and disadvantages of the available infrastructures.

The middle section of the book, beginning with Chapter 5, is more technically oriented and is aimed more at the technician; it discusses the various elements that go into a VPN. One of the crucial problems is keeping your private data private as it traverses the public networks, and this is where encryption comes into the VPN picture. In Chapter 5, you’ll get a thorough grounding in what encryption is, what the various types of encryption are, and how they are combined and implemented to protect your data. Chapter 6 continues this theme by discussing the problems that encryption itself raises: authenticating users for access to data, verifying the integrity of the data after it has been transmitted, and ensuring that only the right people get the keys needed to decrypt the data. Chapter 7 ties all this together with a discussion of the various protocols there are to choose from to implement your VPN, protocols that incorporate encryption, authentication, and key management along with tunneling and other elements needed to provide secure connections through public networks. This chapter discusses the latest work of the Internet Engineering Task Force to bring order to the chaos of VPN protocols. Chapter 8 discusses the basic architecture decisions you will need to make, whether in hardware or software, which will strongly depend on your own situation.

The book’s last two chapters get down to the nuts and bolts of implementing a VPN. Chapter 9 steps you through the process of planning your VPN. It discusses the many factors—technical, financial, and human—that you must consider as you embark on your project and the step-by-step planning you should follow so you can implement a VPN that meets your needs. Chapter 10 tells you what to expect once you get your VPN up and running: the issues that you must be prepared to deal with and what you can expect when you are managing it.

Content

This book, quite deliberately, is not brand or product specific, although it does describe most of the proprietary and nonproprietary VPN solutions that are currently available. The market is changing too rapidly to be more specific. During the course of the writing of this book, new companies entered the market and others left; new protocols appeared and old ones faded. For example, it was just as the first draft was nearing completion that Sun Microsystems introduced Sun.NET, a new Java-based VPN technology.

What this book seeks to do is show you the basic principles at work and the strengths and weaknesses of major products that will be available when you have this hard copy in your hands, to allow you to select those that will best meet your needs.

To help deal with the jargon, this book includes a glossary of Internet and VPN terms for easy reference. A bibliography gives recent literature, both corporate and public. There are also two appendices. Appendix A presents a list of VPN developers, vendors, and service providers. This is anything but a definitive list—again, the technology and market are changing too rapidly for that—but the list will offer a wide variety of contacts for you as you plan your project. Appendix B lists a number of resources you can tap into that relate to the Internet and VPNs.
Acknowledgments

As with any book of this nature, there is no way that I could have done this alone. Throughout its creation I have been aided by many people. The willingness of busy IT professionals to share that most valuable resource, time, never ceases to astonish me. Foremost among them are Glenn Botkin of Galaxy Scientific Corporation, Pat Patterson of Mazzio’s Corporation, and Ariel Friedman, Earl Evans, and Mike Gentry.

Then there was the assistance of those who are directly involved with making this technology available and workable: Mark Elliot and Keith R. Wilber of Check Point Software; Rob Spence, Director of Product Marketing, Aventail Corporation; Christopher Ian Ogg and Steve May of The Wizard’s Gate; Tim Gerchar, Product Marketing Manager for Compatible Systems Corporation; Kevin Kalajan of Sun Microsystems; and Carey Knapper of Lucent Technologies.

For helping with the development of the original proposal and outline, and for their patient reviewing of my manuscript as it grew, I must particularly thank Glenn Botkin, PC Week Contributing Editor Brian D. Jaffe, DuPont’s Mike Minnich, Freelink Communication’s David Dennis, Sportsline’s Dan Leichtenschlag, and especially Marcus Ranum of Network Flight Recorder, Inc. for his vitally valuable assistance as I wrestled with the labyrinthine complexities of encryption, authentication, and key management. I’m also particularly grateful to Susan Scheer Aoki of Cisco Systems, not only for contributing the Foreword for this book but also for her valuable suggestions, especially with regard to her insight on the developing trends in VPN technology.

Finally, I must thank my editor at Morgan Kaufmann, Jennifer Mann, and her endlessly patient assistant, Karyn Johnson, and my production editor, Cheri Palmer, for bearing with me as, together, we beat this project into shape.
Defining the Virtual Private Networks

Virtual private networks (VPNs) have become a hot issue, the latest industry buzzword, one of the new “killer apps” of the Internet. Everything from extranets to workgroup systems to electronic commerce solutions has been hit with the tag “virtual private network.” VPNs are being touted as incredible cost savers, infinitely flexible, and infinitely scalable. They can leap the broadest ocean and connect your most peripatetic account executive to the home network from anywhere in the world. Within reason, VPNs really are capable of all of those things. By leveraging the connective power of the Internet or other shared-backbone networking services, they do offer tremendous opportunities for expansive but cost-effective connectivity.

But beware of the hype. VPNs can offer awesome opportunities and benefits, but there are also some hidden costs and dangers, and some of the claims made for VPNs are exaggerations. Furthermore, the lack of standards has resulted in a welter of competing and not always compatible VPN products arriving on the market from firewall, router, and other network hardware vendors, as well as from software developers. Add to that the number of different ways there are to create a VPN, the variety of network services on which they can be created, the number of ways it is claimed they can be used, and the alleged (and sometimes inflated) benefits asserted to accrue from VPNs, and the confusion is monumental.

For example, marketers of network services other than the Internet will assure you the Internet is not the only medium on which a VPN can exist, which is true. However, this leads to VPNs also being sold by providers of networking services often described as frame relay or asynchronous transfer mode (ATM) networks, networks that are frequently promoted or at least implied to be totally distinct from the Internet, which they may be. But part of the confusion on this score arises because the line between some of these “private” public networks and the extremely “public” Internet as we think of it is anything but distinct; because these network service providers are frequently also Internet service providers, the confusion is further compounded. If you’ve done a search on the World Wide Web for the keywords virtual private network or VPN, you’ve probably even discovered that for years companies like Pacific Bell have been marketing an extended telephone service using the same terms.

Thanks to all this confusion, it can be very hard to understand exactly what qualifies as a VPN, how a VPN can be implemented, and exactly what a VPN can and cannot do for you. That’s what we’ll explain for you here.

1.1 What Is a VPN?

Very simply put, a virtual private network uses a public network’s infrastructure to make the connections among geographically dispersed nodes, instead of using cables owned or leased exclusively for one single network’s use, as is typical for a wide area network (WAN). To the user, a VPN looks just like a private network, hence the virtual in its name, even though it is sharing a web of cables with the traffic of hundreds or thousands of other users at the same time. It has all the characteristics of a private network—limited access to only authorized users, for example—even though it is sharing the same public infrastructure with other users. Another way to describe it is that a VPN is a logical local area network (LAN) that connects an organization’s geographically dispersed sites in a way that makes them all appear to be part of one single network.

There are a variety of public networks that can be employed to make a VPN’s connections, but the most prominent and most public network available is, of course, the Internet. Because the Internet is everywhere and the Internet is where most of the VPN development is taking place, and because it is, as we’ll see, the most ubiquitous and cost-effective medium for a VPN, we’ll concentrate on VPNs running over it in this book. We will devote Chapter 4 to VPNs implemented through other networking services, and we will explain the differences in detail at that time, but since the Internet is the predominant medium and the technology is essentially the same regardless of the network being used, the Internet is where we will concentrate our discussion.

To illustrate how a VPN differs from a typical WAN, let’s look at a leased-line network, as shown in Figure 1-1, and then show how a VPN differs from it. For the sake of simplicity, this is only a three-node network, a company headquarters and two branch offices linked together with three leased lines.

[Figure 1-1: A typical leased-line wide area network. Labels: Company headquarters; Leased lines; Branch office; Branch office.]

Each office has to have a cable connecting it to each of the other facilities. Another arrangement would be to have the leased lines go through a hub, perhaps in the company headquarters.

Either way, with this type of network, the company actually owns the cable or pays a monthly fee for every mile of cable connecting its facilities, whether that cable is in use 10% or 100% of the time, whether it is being used to capacity or only a fraction of the capacity they’re paying for. The costs escalate with every mile that separates the offices and with every node that is added to the network (requiring more strings of cable to connect it to the rest of the organization). Economies of scale are limited to what you can negotiate with the line provider, who is trying to recover from you all the costs for those cables.

Your message uses only those cables to get from point to point; there are no detours. Send a packet of data in one end of the cable and it travels right down that cable to the destination. It works much the same way the LAN connecting your office to the file server on your LAN does. This is a nice, secure connection, but it also means that if the cable is cut, perhaps by a backhoe operator putting in an irrigation line in an Iowa cornfield, that connection is down for the count. It will stay down until either the break is repaired or the traffic is rerouted manually around the break (if your agreement with the service provider offers that guarantee).

In a similarly simple three-node VPN, as Figure 1-2 shows, leased lines are dispensed with in favor of connecting each site to a public network. Instead of the hardwired pipeline between nodes of a standard wide area network using dedicated connections, the connections of a VPN are made through the web of cables, what is often described as the “cloud,” of a public network such as the Internet. Each office requires a single connection, most commonly a leased line and commonly referred to as a local loop, to the nearest public network point of presence (POP). That POP may be only a few feet away or it may be miles away. From that POP the data is carried by the web of connections—the cables, routers, and switches that make up the public network—to the POP serving the destination office, then through the local loop at that end on to their final destination.

[Figure 1-2: The same company using a VPN instead of leased lines. Labels: Public network (Internet, frame relay, ATM, etc.); Branch office; Branch office.]

As you can see, the connections—the local loops—between your company’s offices and the public network are dramatically shortened. They can even be the “dry copper” connection provided by your local telephone service, perhaps an Integrated Services Digital Network (ISDN) connection. The costs for these short connections are correspondingly lower.

Within the cloud, however, as opposed to the leased-line design, there is no one single connection between point A and point B. Instead there is a web or matrix of cables connected by routers that the messages travel through. By using a public network—the Internet, for example—a network shared by hundreds or thousands or millions of other users, the cost of all those miles of cable is shared. We’ll see further on in this chapter that this sharing can produce impressive savings.

It is also much more fail-safe than a single leased line, since a message can take any one of a number of different routes to its destination. It provides a redundancy, a safety net, that virtually guarantees that the traffic will continue to flow reasonably smoothly. If one cable is cut, the message will simply be routed automatically around the break to its destination, a service that is not generally available with a leased line.

1.2 What a VPN Is Good for and Why You Should Consider Building One

There are several uses for a VPN. It can be an extended intranet, connecting geographically distant facilities into a cohesive network. It can also be an extranet, linking, for example, customers and suppliers for increased efficiencies, such as electronic data interchange (EDI). Looked at this way, a VPN can do virtually anything that a more traditional leased-line WAN can do. In fact, so far it doesn’t seem to offer services much different from any WAN.

But there is a third service that a VPN can offer that no leased-line WAN can offer, and that is in providing remote access services. A VPN lets road warriors with their laptops connect into the home office through an Internet service provider, riding through the public Internet to log on to the office network, rather than running up long-distance charges by dialing up to a remote access server thousands of miles away. As we’ll see, that offers potentially impressive savings. While a VPN as an extranet or intranet offers some cost efficiencies over the typical WAN, the savings produced by using one for remote access are significant.

Hence the excitement that has developed over VPNs. Building a VPN would seem, at first glance, to be simple common sense. Why not take advantage of an existing infrastructure for the connections, instead of going to the expense of stringing your own cable or paying someone else to drag fiber through conduit to tie your facilities together? Or why go to the expense of leasing dedicated connections when they may only be used to a fraction of their capacity or for only a fraction of the time?

It does make sense, but as you’ll see, there are downsides to VPNs. But before we take a look at the potential negative points to VPNs, let’s see what the potential benefits are. As we said, there is a powerful logic to using an existing infrastructure to connect your facilities, rather than building your own.

The claims made for VPNs make them sound like the greatest invention since the electric light. The primary advantage cited is that a VPN is vastly less expensive than a network using leased lines. As we already mentioned, the VPN is also claimed to be more flexible and scalable, compared to a traditional WAN. Then, too, by using the international resources of the Internet, the vendors say that a VPN can offer connectivity virtually anywhere in the world. Finally, you’ll hear that a VPN is an extremely cost-effective way to service a mobile workforce of telecommuters and road warriors.

To a degree, believe it or not, it’s safe to say that most of these claims are true. Fortunately, some of them, such as actual dollar savings, are even measurable, while others are less tangible but no less real.
1.2.1 Economies of Sharing

It’s a fact that a VPN escapes the cost of leasing the cables to connect your network. By using an existing public network for your VPN, you are sharing the cost of that public network with all the other customers. The cost of the public network is spread over a large customer base. You’re not paying every month, by yourself, for every mile of each leased line, whether it is fully loaded 24 hours a day, 7 days a week or not. In most cases you’re paying a flat, monthly fee that is a fraction of what you would pay for leased lines providing the same service.

Compare it to your personal telephone service, for example. While you pay a base charge for the local loop between your home and the telephone company’s central office a block or two away, whether you are using it or not, you do not pay for every inch of cable between your home in Poughkeepsie, New York, and your daughter’s dorm room at college in Palo Alto, California, whether you are using it or not, at least not directly. That cable is shared by thousands of callers, each paying perhaps a dime a minute for the time they are actually “online.”

In the past, on long-distance telephone circuits, one call used one circuit, which was one pair of wires that could be traced from your home in Poughkeepsie to your daughter’s dorm in Palo Alto. When you hung up on that call another took its place on the long-distance trunk, so at least you were only paying for time used. Today calls are multiplexed on that long-distance circuit, with the “silence” between words being filled with parts of other conversations. This spreads the cost of the wire over more than one customer, allowing each of them to enjoy the benefit of lower long-distance rates. From three dollars for 3 minutes the rates have dropped to three dimes for 3 minutes. But your conversation will still be carried over one circuit between Poughkeepsie and Palo Alto.

A packet-switched network such as the Internet allows even greater multiplexing, and thus greater efficiency, as each message is broken up into packets, and each packet is slotted in with others from other users and routed through a web of connections. No one circuit becomes overloaded, at least in theory, and every circuit, at any second, is efficiently utilized, carrying pieces of perhaps thousands of conversations. It also provides a safety net that a circuit-switched network or a leased line does not. If one link is overloaded or goes down, the traffic is automatically rerouted to its destination. (For a more complete description of how the Internet works, see Section 4.1.1.)
More importantly, the cost of all the fiber and copper and switches and routers is being spread over the millions of customers the Internet serves. You are leveraging to your advantage the investment in the hundreds of thousands of miles of cables and the uncounted routers and switches that go into making up the Internet. Your major expenses are only the cost of that short loop that connects your office to the network access server (NAS) or POP of your Internet service provider (ISP) and your monthly Internet fee. The average price for a leased T1 (1.544 Mbps) connection is about $1,800. A typical connection from a company’s offices to the local ISP’s POP costs $400 to $500 a month, because the chances are you’ll actually use less than a full T1 line to your POP, perhaps even a 128 Kbps ISDN line or a digital subscriber line (DSL) of some sort at an even lower cost of $50 to $150 a month. If you’re a small operation, your cost may be a monthly subscription for a dial-in connection to your ISP.

The savings can be considerable. According to a white paper by Infonetics Research, a study commissioned by Sun Microsystems estimated savings of from 20% to 47% by switching from leased lines to a VPN. In another analysis, Infonetics estimated savings of 20% to 40% for VPNs serving branch offices and 60% to 80% savings for a VPN serving remote access users. As we’ll see later on in this chapter, when we look at the remote access aspect of VPNs, every analysis of VPNs produces similar savings estimates. The experiences of VPN users bolster those findings, as we’ll see in Chapter 2.
Another source, Data Communications magazine, in their May 21, 1997, issue, ran their own numbers on a VPN, comparing leased lines, a frame relay service (see Chapter 4), and an Internet-based VPN solution (Table 1-1). The sample scenario was to connect three sites in the United States (Boston, Los Angeles, and Houston), plus one transatlantic link to London. All were connected at 64 Kbps. AT&T was the carrier and provided the charges, including local access circuits of 5 km to the nearest POP. Leased-line and frame relay figures were provided by Lynx Technologies, Inc. of Fairfield, New Jersey, a tariff tracking consultancy. Internet figures were based on average monthly ISP charges in the United States.

Table 1-1

                               Leased line   Frame relay VPN   Internet VPN
Annual charges                 $133,272      $89,998           $38,400
Installation                   $2,700        $5,760
Four VPN encrypting devices                  $16,000           $16,000
Total cost, first year         $135,972      $111,758          $54,400

As the Data Communications analysis shows, the frame relay first-year cost is only about 17% lower than the cost for leased lines, but about twice the first-year cost for the Internet VPN. However, much of the frame relay first-year cost is the one-time charge for installation and the encryption devices. The annual charges (operating costs) are about two thirds of those for leased lines, though still more than double the annual charges for an Internet VPN.

By this analysis, the Internet is obviously the most economical choice for your VPN, but for the extra operating expense of the frame relay choice you do get added services that are not available on the Internet, as we’ll discuss in Chapter 4. If you need those services, you’ll see that, as economical as the Internet is, it is not the best choice for you.

Because of the way telephone charges are computed, the greater the distances and the larger your user base, the greater the savings you’ll enjoy. Telephone charges are computed by the call, and the rates increase with the mileage covered. Distance means nothing to the Internet, and Internet service is usually billed at a flat rate, regardless of the number of times you use it or the amount of data transmitted. In Chapter 2 we’ll look at some real-life VPNs and see how the savings can stack up in action.

1.2.2 Flexibility

It is true, also, that a VPN offers flexibility that is not available to a leased-line-based wide area network. To add a node to the latter requires leasing a new line, possibly more than one, perhaps even installing some cable. Leases have to be negotiated, perhaps rights-of-way arranged. Routers and switches have to be installed and configured.

Let’s go back to our first three-node leased-line network. Your company, Giant Widgets, has long done business with Associated Grommets, a supplier of grommets for your widgets. Your company is flush with cash, the widgets market has been really strong lately, and you decide to buy the grommets factory. Once you’ve acquired it you want to put it on your existing network. Figure 1-3 shows what happens when you have to bring it into the loop of a leased-line network. Three new lines have to be leased and somehow integrated into your existing system.

Now let’s take the same scenario if you’re running an Internet-based VPN (Figure 1-4). You’ve purchased the grommets factory, and it just happens to already have a link to the Internet. They’ve been selling grommets through the Internet for years, after all. All that’s needed is to slide into place the VPN system, generally a hardware box or some software, and they’re on your network. Or suppose that instead of buying the Associated Grommets factory you just want to extend your VPN to it, turning your VPN from an intranet into an extranet. The scenario is essentially the same.

If you already have an Internet link on the facility you want to link to the VPN—for a Web site, for example, or email—getting your VPN up may be as