Qwest Private Routed Network
Overview
The Qwest® Private Routed Network (PRN) solution consists of a secure, managed, fully
interoperable, scalable suite of global IP-VPN services. It is based on high performance
platforms designed to minimize network management as well as operational and financial
burdens imposed by other wide area networking (WAN) and security technologies. The service
includes PRN ports, network layer features, Qwest Managed VPN Gateways, multi-link point-to-point
protocol (MLPPP) services, integrated customer premises equipment (CPE) solutions, Integrated
Management (IM) (a separate service) and the Qwest Control® Web-based management
tool. The service is a network-based VPN solution using Internet protocol security (IPSec)
for intra- and/or inter-company communications.
Private Routed Network ports
The PRN service is provided via a network-based security platform that resides in domestic
teraPOPs. The respective network operations centers (NOCs) have full visibility and control
of the platform with 24-hour management. To facilitate access into their VPN, customers have
the option to order PRN ports with a variety of port speeds, ranging from 64 Kbps to 45 Mbps.
Customers
may choose from three unique port types. Different features are included within each port
type. Incremental charges are only incurred when switching from one port classification to
another (for example, migrating a port from VPN to SIA). As customers require different levels
of feature functionality, they can switch to another port classification. The three port
types are:
- VPN Port – provides WAN connectivity between customer locations. Customers can
select a hub-n-spoke, partial-mesh or full-mesh (any-to-any) topology. Security between
locations is provided using IPsec. Customers have the option to apply null, data encryption
standard (DES) or triple DES (3DES) encryption to their traffic.
- Secure Internet
Access (SIA) Port – provides all of the functionality of a VPN port plus incremental
network layer features. Port connections may be configured to include Internet access with
standard firewall templates (firewall templates document available upon request) and many-to-one
network address translation (NAT).
- Premium Port – provides all of the functionality
of a SIA port plus incremental service customization. This includes the use of custom firewall
policies and one-to-one NAT or customized port address translation (PAT).
Customers are permitted to mix and match port types within their PRN. An SIA or Premium
Port is required if secure remote access or integrated CPE solutions are deployed at a particular
site. In international locations where PRN ports are not available, Qwest or customer may
provide IP port access where secure connectivity can be enabled using Qwest-managed CPE solutions
(see description herein). For each PRN port or IP port, Qwest provides associated local loop
access. Customer-provided access is also permitted with domestic ports.
Network layer features
Based upon PRN port type selection, customers have the option to apply specified features
incrementally. These features include IPsec, quality of service
(QoS), integrated Internet
access, firewall security services and NAT. In addition, customers will receive the Qwest
Control® management tool in association with PRN.
Internet Protocol security
IPsec provides a mechanism for secure
communication over an IP network infrastructure. This protocol ensures confidentiality,
data integrity and authenticity of communications over a shared IP network environment
such as the public Internet. Three major components of IPsec are authentication, encapsulation
and encryption.
Authentication involves configuring the network to allow specific locations
and users to communicate while denying communication with unauthorized users. Authorized
communication is protected by encapsulation (a virtual private connection between locations)
and encryption (scrambling information into a cipher). Qwest® offers the highest data
encryption levels available.
Data is
encrypted by the Qwest network-based VPN gateways prior to entering the shared environment.
The first encryption option is DES. DES is a widely accepted method of data encryption
using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. The
second encryption option, 3DES, applies three keys in succession. Customers may also choose
null encryption (where data is encapsulated, but not encrypted).
Qwest uses shared key
encryption between source and destination PRN gateways using the Internet key exchange
(IKE) protocol to manage the establishment of shared keys. The gateways dynamically update
keys every 24 hours.
QoS
As enterprises
increasingly rely on real-time applications over their wide area networks (WAN), the network’s
QoS performance becomes a critical business mandate. Customers require an IP-based virtual
private network (VPN) to support QoS performance options beyond “best effort.” Qwest
PRN now offers QoS, a value-added service designed to mitigate end-to-end delay, delay
variation (jitter) and packet loss. QoS supports real-time application prioritization such
as IP phones and interactive multimedia environments. Qwest PRN enables real-time and critical
business traffic to receive traffic prioritization when congestion or other delay variation
is present on the network.
QoS options
Qwest PRN supports QoS in the following port types:
- VPN Port
- Secure Internet Access (SIA) Port
- Premium Port
The QoS port feature provides three priority classes
that are used to prioritize IP traffic for customers who commonly run voice, video
and other data applications through the PRN.
Integrated Internet access
An advantage of IP-based VPNs is they inherently bring together
the power and breadth of Internet resources to wide-area corporate computing environments.
Specifically, the service gives a customer the option of restricting the access of participating
ports to their own VPN or opening the door for ports to also access the Internet over
the same facilities. The latter option provides substantially greater performance and
improved bandwidth utilization versus traditional hub-n-spoke configurations.
Firewall
security services
Firewall security services are provided using a network-based, stateful inspection
engine—it inspects not only individual packets but whole application flows. It extracts
the state-related information required for the security decision from all application
layers and interprets these packets as "conversations." It tracks the types of connections
that are made and looks for any abnormal behavior in the conversation.
This service also includes:
- Anti-spoofing/source address verification – the network-based VPN firewall
provided by the PRN service inherently checks the source IP address of each packet.
This ensures that no packet with an RFC 1918 private source address enters the network
from the outside. It also ensures that any packets with a customer’s
IP subnet as the source address are only coming from inside that customer’s network.
This provides protection from hackers who try spoofing their IP address in order to
appear as if they are a part of the customer’s network.
- Denial of service (DoS) protection – the network-based VPN firewall inherently
provides protection for a number of DoS attacks, including distributed denial of
service (DDoS) attacks, ping of death, LAND attacks, flooding attacks, etc. DoS
protection blocks connections that are initiated from outside the VPN network,
unless configured to do otherwise.
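The two source-address checks described above, as an added example that is not Qwest's implementation: the interface names, the customer prefix 203.0.113.0/24 (a documentation range) and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges: never a legitimate source on the outside interface.
RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

@dataclass(frozen=True)
class Packet:
    iface: str  # hypothetical interface name: "outside" (Internet) or "inside" (customer)
    src: str
    dst: str

def verify_source(pkt, customer_nets):
    """Return 'accept' or a 'drop: ...' reason for one packet, using the two rules in the text."""
    src = ip_address(pkt.src)
    if pkt.iface == "outside":
        # Rule 1: no RFC 1918 source may enter from the outside.
        if any(src in net for net in RFC1918):
            return "drop: rfc1918 source from outside"
        # Rule 2: the customer's own prefixes may only appear as a source from the inside.
        if any(src in net for net in customer_nets):
            return "drop: customer prefix spoofed from outside"
    return "accept"

def filter_packets(packets, customer_nets):
    """Apply verify_source to each packet and return {verdict: count} for monitoring."""
    counts = {}
    for pkt in packets:
        verdict = verify_source(pkt, customer_nets)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample: the customer prefix is TEST-NET-3; four packets, two of them spoofed.
CUSTOMER_NETS = (ip_network("203.0.113.0/24"),)
SAMPLE = [
    Packet("outside", "192.168.1.5", "203.0.113.10"),   # private source from the Internet
    Packet("outside", "203.0.113.10", "203.0.113.20"),  # customer prefix from the Internet
    Packet("outside", "198.51.100.7", "203.0.113.10"),  # ordinary Internet host
    Packet("inside", "203.0.113.10", "198.51.100.7"),   # customer host going out
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.iface, pkt.src, "->", pkt.dst, verify_source(pkt, CUSTOMER_NETS))
    print(filter_packets(SAMPLE, CUSTOMER_NETS))
```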
Network address translation
NAT, an Internet standard (RFC 1631) defined in 1994,
is the translation of a set of IP addresses used within an internal network (RFC 1918) to
a second set of IP addresses used for external (i.e., Internet) traffic. One network is designated
the “inside” network
and the other is the “outside”. For example, an organization may map its non-registered
IP addresses to one or more global outside IP addresses and “unmap” the global
IP addresses on incoming packets back into local non-registered IP addresses.
NAT helps to ensure security since each outgoing or incoming request must go through a translation
process that also offers the opportunity to qualify or authenticate the request or match
it to a previous request. NAT conserves global IP addresses and allows an organization to
use a single IP address in its communication with the world. NAT can also be used in conjunction
with policy routing. In addition, it can be statically defined or set up to dynamically translate
from and to a pool of IP addresses. The most common forms of NAT are:
- Many-to-one NAT – enables a local area network (LAN) to use one set of IP
addresses for internal traffic that is translated to one globally routable IP address for
externally routed (i.e., Internet) traffic, effectively hiding the identity of internal
hosts. Port address translation (PAT) – also known as network address port translation – is
the port-level version of NAT. PAT routes the traffic of many internal hosts through a single
IP address on the external interface, mapping the source address of each internal host
connection to that address and assigning each packet a new transmission control protocol
(TCP) or user datagram protocol (UDP) source port number. If a customer requires customized
PAT beyond “well known” ports, e.g., HTTP-80, the customer must obtain a PRN Premium port.
- One-to-one NAT – enables each individual private IP address (versus a set) to be
translated to a globally routable IP address for externally routed traffic. This implementation
does not conserve public IP address space to the degree that many-to-one NAT does as multiple
public IP addresses are required.
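The many-to-one NAT/PAT mapping and unmapping described above, as an added Python illustration that is not Qwest's code: addresses, ports and the sequential port-allocation policy are constructed. It also shows the point made earlier that an inbound packet is only passed when it matches a previous outbound request; one-to-one NAT is a fixed address map and is not shown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class ManyToOnePat:
    """One external address shared by all inside hosts; translated ports disambiguate flows."""

    def __init__(self, external_ip, first_port=49152):
        self.external_ip = external_ip
        self.next_port = first_port  # next free translated source port (constructed policy)
        self.out_map = {}  # inside 5-tuple -> translated source port
        self.in_map = {}   # (proto, ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, f):
        """Inside -> Internet: rewrite the source to the external IP and a translated port."""
        key = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        port = self.out_map.get(key)
        if port is None:  # first packet of this flow: allocate a port, record both directions
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(f.proto, port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.external_ip, port, f.dst_ip, f.dst_port)

    def inbound(self, f):
        """Internet -> inside: 'unmap' a reply, or return None when no request matches it."""
        if f.dst_ip != self.external_ip:
            return None
        inner = self.in_map.get((f.proto, f.dst_port, f.src_ip, f.src_port))
        if inner is None:
            return None  # unsolicited connection attempt from outside: dropped
        inside_ip, inside_port = inner
        return Flow(f.proto, f.src_ip, f.src_port, inside_ip, inside_port)

# Constructed example: two inside hosts using the same source port reach the same web server,
# so the translated port is what tells the two flows apart on the way back in.
pat = ManyToOnePat("203.0.113.1")
A_OUT = pat.outbound(Flow("tcp", "10.1.1.10", 51000, "198.51.100.20", 80))
B_OUT = pat.outbound(Flow("tcp", "10.1.1.11", 51000, "198.51.100.20", 80))
REPLY_TO_B = pat.inbound(Flow("tcp", "198.51.100.20", 80, "203.0.113.1", B_OUT.src_port))
UNSOLICITED = pat.inbound(Flow("tcp", "198.51.100.99", 443, "203.0.113.1", 49999))
```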
Qwest® Managed VPN Gateways
Qwest Managed VPN Gateways are an integrated component
of Private Routed Network, making it possible for remote users to securely access host networks
from anywhere in the world via any IP access method. This access is made secure using IPsec
client software placed on each remote user’s personal computer. User credentials are
established, so each remote user can authenticate into the PRN architecture. Qwest Managed
VPN Gateways require a minimum of one SIA or Premium Port or Qwest iQ Networking® Internet
Port.
Qwest Managed VPN Gateways are easy to use and manage. Customers can have Qwest perform
authentication of end users or have Qwest proxy authenticate to their remote authentication
dial-in user service (RADIUS) infrastructure. If authentication is performed by Qwest, customers
establish user credentials through Qwest Control®. These credentials are based on a shared
secret key established through the IKE protocol.
Qwest® Remote Access services, obtained as a component of Qwest Managed VPN Gateways,
feature one of the largest lists of dial access points of presence (POPs) in the industry.
The service includes an easy-to-use Remote Office Virtual Assistant (ROVA®) client application
with an integrated phone-book directory.
For business continuity in the case of a failure, Qwest provides the option to purchase
more than one secure remote access termination device. These devices may be located at different
physical locations. If one of the devices or the connectivity to the device fails for any
reason, end users connect to the back-up remote access termination device. The failover option
allows customers to ensure the availability of their Qwest Managed VPN Gateways. See Qwest
Managed VPN Gateways service description for more detailed explanation.
Multi-link point-to-point protocol (MLPPP)
MLPPP allows Qwest PRN customers to bundle up to eight DS-1 ports across multiple DS-1 local
loops at a specified location. MLPPP implementations with Qwest PRN are currently available
anywhere in or out of region. MLPPP is available using either a Tasman® or Cisco® device
on customer’s premises, managed by Qwest IM.
Integrated CPE solutions
A Qwest® PRN solution enables customers to deliver secure connectivity
to locations via dedicated IP connectivity from any service provider around the world. Customers
are free to contract for IP access either through Qwest or any alternative Internet service
provider (ISP). IPsec connections are established between CPE and a Qwest PRN gateway to
facilitate participation in the customer’s private routed network. Customers have the
option to choose between two robust integrated CPE solutions.
Qwest-managed Nokia®/Check Point®
One option is a premises-based VPN gateway comprised
of a Nokia hardware appliance that is enabled with Check Point software. Qwest delivers the
Qwest-supplied CPE in “plug-and-play” mode. Customers are responsible for physical
connection of the Qwest-supplied CPE into Qwest-provided or alternative IP access with a
Qwest installation engineer providing remote phone assistance, if necessary. After the Nokia
equipment is installed on their network, change requests are processed on an as-needed basis.
Qwest will perform ongoing management, monitoring and reporting for the service.
Customer-managed Cisco® Systems
Another option is a premises-based solution using hardware
and software from Cisco Systems. Qwest provides customers with configuration information
for Qwest-permissible routers/premises-based VPN gateways. Customers purchase and support
the CPE at their location and connect it to Qwest-provided or alternative IP access. Qwest® establishes
the secure connection between the Cisco CPE and a Qwest PRN gateway.
Integrated Management
Qwest PRN can be packaged with IM. This provides organizations with
a comprehensive service, including an integrated ordering process, invoice and customer care/NOC
support. This managed service is one more way that Qwest PRN brings value to its customers.
The best part of the offer is that the service uses in-band VPN monitoring/management tools
that eliminate the need for a separate dedicated circuit. As most Qwest PRN customers require
routers for their external network connection, a robust portfolio of CPE options is also
available.
IM is a fully integrated package of products and services that offers comprehensive solutions
for managing voice, data and video networks. Backed by a highly trained team of Qwest technicians
and experts with proven expertise and experience in network management and maintenance, as
well as by a strong group of allies, a Qwest solution eliminates the need to manage the many
different pieces of the network puzzle.
Qwest’s long track record in network design and integration provides the extensive
experience and knowledge necessary to develop methods, procedures and tools to cohesively
and comprehensively manage your data network. See IM for PRN service description for more
detailed explanation.
Qwest Control®
Qwest can eliminate the need for customers to build customized network
management tools or to manage resources to perform network modifications. Now customers can
have direct control of network elements and service components via an easy-to-use, Web-based
interface for PRN management. The primary management tool is Qwest Control.
Qwest Control is a proprietary Web-based application that provides customers with complete
management control over their billing, network and trouble management needs across a wide
range of Qwest® data, IP and voice services.
For Qwest Private Routed Network solutions,
the Qwest Control management tool provides customers with online forms to configure their
service. Customers can view firewall security and NAT policies, configure their network and
administer end-user remote access security credentials. This functionality complements a
set of directory-enabled, policy-based, “self-service” implementation
tools that function as a part of robust operational support systems/business support systems
(OSS/BSS) with flow-through provisioning built to enable efficient ordering, provisioning
and lifecycle management.