Mobile VPN Access

White Paper

Mobile VPN Access (MVA): A new solution for Business Mobility

Technical Product

This white paper was created on the basis of currently known parameters. The technical solution may still be subject to last-minute changes. We are available for questions or comments about this white paper.

Contents

1   Market and technology development ................................ 2
1.1 Posing the problem of existing solutions ......................... 2
1.2 Remarkable bandwidth increase .................................... 2
1.3 Reduced complexity at limited costs thanks to Mobile VPN Access .. 3
2   Business Continuity with Mobile VPN Access ....................... 3
2.1 Basic service offering ........................................... 3
2.2 The MVA components in detail ..................................... 5
2.3 Security options ................................................. 5
3   Mobile VPN Access versus customer self-made solution ............. 7
4   Summary and outlook .............................................. 8
5   Glossary ......................................................... 8

Swisscom (Switzerland) AG, Corporate Business, P.O. Box, CH-3050 Bern
Free phone: 0800 800 900
Free fax: 0800 800 905
E-Mail: info. [email protected]
Internet: http://www.swisscom.ch/corporatebusiness

Document Version: White Paper Mobile VPN Access 2.0
File: WP_MVA2_E_v1_151209.doc
Date: 01.04.2010
Page 1/8

1 Market and technology development

1.1 Posing the problem of existing solutions

Interest in flexible forms of working has increased significantly in recent years. The trend clearly goes towards "working whenever and wherever you like". These forms of working best meet the actual needs of customers in both the business and the private sphere, as pending tasks can be carried out wherever the person happens to be. Swisscom has followed this trend not only as one of the largest employers in Switzerland: its customers also use Swisscom's top-equipped and fully developed network and IT infrastructure, which enables them to introduce mobile workplaces. "Business Mobility" is therefore much more than a buzzword. Working in transit outside the office with the highest possible connectivity, combined with a high level of data transmission security, represents real added value for our customers. In this context it should be mentioned that, up to now, slow mobile transmission speeds or costs perceived as too high have inhibited a wider dispersion of mobile data communications.

1.2 Remarkable bandwidth increase

Strongly increasing bandwidth demands first became apparent in fixed networks. Swisscom meets these demands through a massive expansion of its networks: with FTTH (Fibre to the Home), bandwidths of 100 Mbit/s and more are realised. What started in fixed networks continues in mobile networks. The data volumes transported on Swisscom's mobile networks tripled within one year, and the increase continues.

With the recent introduction of HSPA (High Speed Packet Access), nothing stands in the way of full mobile connectivity for notebooks anywhere in the network. At Swisscom, HSPA is a fixed part of the UMTS network and significantly improves its characteristics for mobile data transmission. HSPA consists of two parts: a fast downstream called HSDPA (High Speed Downlink Packet Access) and an upstream named HSUPA (High Speed Uplink Packet Access). Depending on the location, HSDPA allows transmission speeds of up to 14.4 Mbit/s, whereas HSUPA offers up to 1.4 Mbit/s. The latest evolutionary step, available at some locations, is HSPA+, which offers up to 28 Mbit/s. To achieve this, more powerful software has to be installed in the mobile network and new hardware is added to the radio base stations. To carry these high bit rates into the network, the radio base station locations are being equipped with fibre cables step by step.

Already today the achievable speeds and the network coverage are outstanding, particularly compared to competitors. Swisscom today already covers more than 93% of the Swiss population with HSPA and 99.8% with EDGE (Enhanced Data Rates for the GSM Evolution). As EDGE practically offers 100-200 kbit/s all over Switzerland (at a maximum of 256 kbit/s), Swisscom customers do not have to fall back to GPRS bit rates of at most 53.6 kbit/s outside the UMTS coverage. In practical use, GPRS (General Packet Radio Service) is only adequate for minimal bandwidth requirements, e.g. the mobile download of e-mail headers. For GSM networks, EDGE offers much more here, but it is provided by only a quarter of all GSM operators worldwide, including Swisscom. In mobile networks without EDGE and without UMTS or HSPA coverage, no alternative remains except the slow and relatively outmoded GPRS.


1.3 Reduced complexity at limited costs thanks to Mobile VPN Access

All these network technologies form the communication backbone for the Mobile VPN Access (MVA). Within this service offering, a number of advantages are combined in one product: the best mobile coverage nationwide, low product complexity and access to company data even from abroad, all at fixed, easy-to-calculate costs. A remarkable simplification is the integrated use of the Cisco® VPN Client within the Unlimited Data Manager (UDM). The customer works exclusively with the UDM, a Swisscom software that is installed on the notebook and controls all data connections automatically. The employee's computer gets fully secured access to data on the company's network via a Virtual Private Network (VPN) from anywhere. For this purpose, the UDM connects to the company's network either directly via the mobile network or via the internet. The UDM starts the Cisco® VPN Client, which builds up a connection via the internet to the company's VPN gateway. After successful authorisation, the employee has unrestricted access to the company's network, from within or outside Switzerland.

The protection of the data exchanged over the mobile link is carried out independently of the network type currently in use (e.g. EDGE/GSM, HSPA/UMTS, WLAN or a local Ethernet). The IT executive at the customer site sets the priorities among the network types in the menu "network profiles" by simple drag & drop. The UDM allows an enduring network connection with automatic switching between the networks without any action by the user, a real contribution to reducing complexity! Therefore only a few steps are needed to stay productive in transit. Even the integration of mobile workplaces into a company-specific IT infrastructure succeeds with the help of existing tools. Via the customer Extranet, the administration of mobile users takes place in a comfortable and easy way. Diverse reporting tools complement the possibilities of the customer Extranet.

The last critical point up to now was the incalculable costs. A usage-dependent component always formed the basis for billing, e.g. the duration of usage or the amount of data transferred. The bills sent by the network operator not infrequently led to the proverbial bill shock. The MVA counters this with a flat rate for the usage of mobile data connections within Switzerland, including an unlimited data volume. The customer acknowledges the "Fair Use Policy", which shall prevent any fraudulent use of the conceded flat rate. Excessive usage, such as large downloads (e.g. videos, Mobile TV, software distribution, backup etc.), will be prevented.

2 Business Continuity with Mobile VPN Access

2.1 Basic service offering

The Mobile VPN Access (MVA) is an option to the existing LAN-I service, which connects different customer locations at continuously high quality and security coupled with high coverage. The MVA enhances the well proven LAN-I product with a mobility component. Thanks to that component, Swisscom customers can work securely and continuously, everywhere and independent of the time of day. The MVA is an all-comprehensive package for mobile workplaces which can be combined with different security components. The mobile access never passes over the public internet, but always runs via so-called "Trusted Networks", i.e. Swisscom's own data networks. Foreign networks are excluded from any transmission. The field workforce does not access the internet directly, but via the company's own firewall. Additionally, all data transmitted on the mobile network is encrypted. Malicious intruders thus have no chance to get onto the intranet from the outside. No costly investment in new security equipment is necessary.

All MVA users can be centrally administrated via Swisscom's customer extranet. It is possible to register new users, block an existing access or administer the access rights. The real-time reporting provides a quick overview of active sessions or of current traffic data as a measure of the intensity of usage. The fixed price per month and per mobile access is particularly attractive and makes budgeting easy. Additional investments in hardware or software are normally not necessary, but depend on the customer's existing infrastructure. Standard clients with standard software are used as end-user equipment. These can be either integrated solutions (so-called "Embedded Notebooks" from different manufacturers) or card solutions. For the latter, the user has the choice between PCMCIA or Express Cards or a USB stick, depending on the customer's preference. The superuser can download the latest version of the standard software directly from Swisscom's web server for free.

Figure: Infrastructure for the Mobile VPN Access (MVA)

The MVA is a well functioning complete solution that allows enterprises to set up and operate mobile accesses in a cost-efficient manner. The prerequisite on the customer side for the use of the MVA is a LAN-I connection. On Swisscom's side, a LAN-I gateway and a RADIUS server infrastructure belong to the basic set-up. Thanks to data communications running exclusively over secured networks, data integrity and transmission security are guaranteed at any time, even during access from abroad (roaming).


2.2 The MVA components in detail

The following components are part of the MVA:

• Hardware: On customer request, a PCMCIA Card, an Express Card or a USB stick as a pluggable module for an existing notebook is delivered by Swisscom. If the customer prefers an embedded notebook with an integrated radio module instead, he is responsible for its procurement himself.

• SIM card: In addition to the normal authentication, the MVA SIM card comes with a so-called Forced-on-Net function. With that function, only connections over Swisscom's infrastructure within Switzerland, or on request from abroad (with roaming), are possible.

• Connecting software: The UDM provides both connectivity between the notebook and the company's network and easy handling of the profile management. The administrator can download this software with a dedicated MVA INI file via the customer extranet. The software rollout as well as available updates are executed independently by the customer's MVA administrator.

• VPN client software: The UDM accesses the Cisco® VPN Client software via an API. It provides the access to the company's network and takes care of the IPsec encryption. Additional validation can result from the use of the option "Strong Authentication" via a token (see 2.3).

• Extranet portal: The customer can administrate his MVA independently via Swisscom's extranet. A superuser who was adequately trained by Swisscom beforehand can:
    • view a list of his MSAPs (Mobile Service Access Point) and users with the associated information and selected options (e.g. for end users the use of the option "Strong Authentication", see item 2.3 below) and export this list as a file in PDF or CSV format;
    • order, block or terminate MSAPs;
    • change the profile of existing users, for instance to order or delete additional options (cost-relevant options, however, only via order);
    • view reports which are generated daily. A report contains the number of MSAPs and of the assigned "Strong Authentication" options. An additional report is created about the usage, with details about the data volume per MSAP, the online time per MSAP, the data volume and the online time per user and the IP address per session;
    • assign users to any groups (e.g. to a cost centre or to a department).

2.3 Security options

Option 1: Strong Authentication

Firstly the MVA user is authenticated through his SIM card and the PIN. Another authentication follows within the RADIUS environment, based on the user name and password of the UDM client. As an additional protection, the user can access company-internal applications via the optional "Strong Authentication" (One Time Password). Here a hardware token (password generator) provides a new password every 60 seconds, which secures the access to the intranet in addition to the SIM and the user authentication. Alternatively an SMS token can be used, which is requested via the UDM with a mouse click. The token is then sent to the user's device (mobile phone, notebook, PDA) via SMS. The login procedure runs fully automatically or manually and is managed by the IT administrator. The alternative hardware token continues to be offered. It is recommended especially when using the MVA abroad.

Advantage of this option: Security practically at a hundred percent (point-to-point protection); no security infrastructure or know-how development required on the customer's side.

Disadvantage of this option: Additional step required during the login procedure to the intranet.

Figure: Additionally secured access with the option "Strong Authentication". The MVA user reaches the corporate applications (files, e-mail, database) via mobile access over the Trusted Networks (HSPA/UMTS, WLAN, EDGE/GSM) and the Swisscom infrastructure; the Strong Authentication ID consists of a hardware/SMS token (new password for each login) plus a fixed username.
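The layered login of Option 1 as an added illustration (not Swisscom's or Cisco's code): a SIM/PIN check, then a RADIUS-style username/password check, then, only for users who booked the option, a one-time password that changes every 60 seconds and is accepted once per time step. The IMSIs, PINs, user names, passwords, token seeds and the HMAC-based code generation are constructed assumptions; the white paper does not say how the real tokens derive their passwords.

```python
import hashlib
import hmac
import struct

OTP_STEP_SECONDS = 60   # the white paper: a new token password every 60 seconds
OTP_DIGITS = 6          # assumption: six-digit token display


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted password hash for the RADIUS-style user store (constructed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: "alice" has the Strong Authentication option booked
# (a token seed is stored), "bob" has not.
USERS = {
    "alice": {"salt": b"salt-a", "pw": _pw_hash("correct horse", b"salt-a"),
              "token_seed": b"constructed-seed-alice"},
    "bob": {"salt": b"salt-b", "pw": _pw_hash("hunter2", b"salt-b"),
            "token_seed": None},
}

# Constructed SIM register for layer 1: IMSI -> PIN.
SIMS = {"228010000000001": "1234", "228010000000002": "4321"}


def otp_for_step(seed: bytes, step: int) -> str:
    """Time-step OTP in the style of RFC 6238 (assumed token algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


class Verifier:
    """Runs the three layers in order and enforces one-time use of each OTP."""

    def __init__(self):
        self._used_steps = {}   # username -> last accepted OTP time step

    def login(self, imsi, pin, username, password, otp, now):
        # Layer 1: SIM card and PIN.
        if SIMS.get(imsi) != pin:
            return "sim-rejected"
        # Layer 2: username/password against the RADIUS-style store,
        # compared in constant time.
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(
                _pw_hash(password, user["salt"]), user["pw"]):
            return "password-rejected"
        # Layer 3: only for users with the "Strong Authentication" option.
        seed = user["token_seed"]
        if seed is None:
            return "ok"
        step = int(now) // OTP_STEP_SECONDS
        if otp != otp_for_step(seed, step):
            return "otp-rejected"
        # The token password is valid once: a replay inside the same
        # 60-second window is refused even though the code still matches.
        if self._used_steps.get(username) == step:
            return "otp-replayed"
        self._used_steps[username] = step
        return "ok"
```

The replay check is what makes the token a genuine one-time password: an intercepted code is useless after the legitimate login, and a fresh code is required from the next 60-second step onwards.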

Option 2: Authentication on Customer Server

With the alternatively offered option "Authentication on Customer Server", customers can authenticate their users on their own server. The common Windows login (username and password) is used for the authentication. However, it is advised to involve a certified IT specialist because of the complexity of setting up this option.

Advantage of this option: The customer operates only one database for the user administration.

Disadvantage of this option: Additional time and effort arise from enhancing the security infrastructure and building up the appropriate know-how.


3 Mobile VPN Access versus customer self-made solution

Customer experience
  Mobile VPN Access: Complete solution for easy, unlimited and secure access with the notebook to the company's network.
  Customer self-made solution: Own solution, often consisting of a number of single components from different manufacturers.

Prerequisite
  Mobile VPN Access: LAN Interconnect (LAN-I) from Swisscom is already in use at the customer's site.
  Customer self-made solution: The whole networking subject matter has to be discussed and solved with providers/partners by the customer.

Smoothness
  Mobile VPN Access:
    • One order, one contract, one SLA
    • One contact for operations and support for the complete solution
    • One reporting (Customer Extranet)
  Customer self-made solution:
    • Multiple orders, contracts and SLAs
    • Multiple contact persons for operations and support of the single components (with a higher effort for co-ordination)
    • Different reportings have to be obtained and aligned

Access security
  Mobile VPN Access:
    • Secure access to company data via Swisscom's own infrastructure
  Customer self-made solution:
    • Access to company data via the public Internet
    • Additional security solutions at the customer's site required

Security Policy
  Mobile VPN Access: No threat to the company's security policy through misconfiguration or misuse is possible. With the MVA the user is integrated directly into the company network. Access to the Internet is always carried out via the company network and the company's own firewall.
  Customer self-made solution: Through misconfiguration or misuse the user can access the Internet directly, whereby the company's security policy is endangered.

Administration and Reporting
  Mobile VPN Access: User administration via web-based customer extranet; data administrable in real time; reporting data viewable immediately and at any time.
  Customer self-made solution: User administration through internal contact persons; reporting data have to be extracted from self- or externally developed solutions.

Infrastructure and cost
  Mobile VPN Access: No investments and no build-up of know-how necessary. The complete solution is immediately available!
  Customer self-made solution: The customer must build up and operate its own infrastructure (RADIUS infrastructure, server, gateway etc.).

Data amount
  Mobile VPN Access: No limits for the amount of data.
  Customer self-made solution: Limited depending on the conditions of the provider.


4 Summary and outlook

The Mobile VPN Access meets the customer's needs for mobility, security, ease of use and limited costs with an optimised service adapted to his individual requirements. It is offered as an option to the well proven LAN-I service. Additional security components of the user's choice complement the MVA in an optimised way.

Meanwhile the technological evolution continues. The GSM technology, with its roots in the early 1990s, is approaching the end of its lifecycle. Towards 2015 the Swiss GSM licences will expire and the 900 MHz band will be ready for use by new applications. UMTS will then already have passed a decade and will experience ongoing improvement. New coding schemes with 64 instead of 16 QAM (Quadrature Access Modulation) raise the number of usable codes and of parallel active links remarkably. In addition, a number of transmission channels per wireless link will be at the user's disposal with the help of multi-antenna technologies called MIMO (Multiple Input, Multiple Output), which make intentional use of multipath effects for parallel transmission. MIMO increases the transmission speed and the network capacity significantly. Additionally, it minimises the exposure to radiation because the sender operates with the lowest possible sending power. With the help of Corporate Wireless LANs (CWLAN), larger office buildings are supplied with mobile radio services. Finally, femtocells, small UMTS transmitters for indoor coverage, improve the reception at home or in small offices considerably.

Swisscom will continue to use the latest technologies not as an end in itself, but for the customer's benefit. The broad service choice shall ensure the customer's benefit and a great experience when using a service, whether on the fixed network or in transit with high mobility. The MVA is an additional brick on the way there.

Additional information under: http://www.swisscom.com/solutions/mobile-vpn-access.htm

5 Glossary

ADSL   Asymmetric Digital Subscriber Line
API    Application Programming Interface
EDGE   Enhanced Data Rates for the GSM Evolution
GPRS   General Packet Radio Service
GSM    Global System for Mobile Communications
HSDPA  High Speed Downlink Packet Access
HSPA   High Speed Packet Access
HSUPA  High Speed Uplink Packet Access
LAN-I  Local Area Network Interconnect
MIMO   Multiple Input, Multiple Output
MSAP   Mobile Service Access Point
MVA    Mobile VPN Access
PIN    Personal Identification Number
PWLAN  Public Wireless Local Area Network
QAM    Quadrature Access Modulation
SIM    Subscriber Identity Module
SLA    Service Level Agreement
UDM    Unlimited Data Manager
UMTS   Universal Mobile Telecommunications System
VDSL   Very High Speed Digital Subscriber Line
VPN    Virtual Private Network