600 likes | 718 Views
Cisco Security Routers Protecting your business while reducing costs. Draft 1 v1. Attacks on the Rise, Cause Substantial Damage 95% of respondents detected at least 10 web site security incidents in 2005*
E N D
Cisco Security RoutersProtecting your business while reducing costs Draft 1 v1
Attacks on the Rise, Cause Substantial Damage 95% of respondents detected at least 10 web site security incidents in 2005* Losses due to theft of proprietary information doubled in the past 12 months to $355K per incident* Security is the highest spending priority for CIOs 58% of CIOs expect spending increases in security over next 12 months† Security Trends * CSI/FBI Security Study, 2005 † Deutsche Bank February CIO Poll, March 2005
Defending Business Operations Mandatory Disclosure Corporate Espionage Theft of Customer Data Extortion Audio Conferencing Calendar Web Application E-Mail Self-Defending Network Voice Messaging IP Telephony Wireless Instant Messaging IP Network Information Harvesting Organized Crime Blackmail Scams Fraud
A C B D • Secure Connectivity • Encrypted VPN between sites or partners • Encrypted POS • Secure remote access • Secure Voice & Wireless • Convergence of Voice and Data services • Integration of Wired and Wireless • Data & Identity Protection • Perimeter defense • Outbreak prevention • Admission control • Business Continuity • WAN backup • Network foundation protection Typical Network Requirements Business Services Need Continuous Connectivity, Requiring the Network to be Secure and Available Services Connectivity Secure Available
“The top emerging technology trend, regardless of site type or time frame, is the integrationof security features like firewall, VPN, IDS, etc into routers.”Infonetics, 2005 Network Admission Control Network Foundation Protection Application Firewall Intrusion Prevention URL Filtering IP Telephony WAN Backup VPN Wireless Cisco Security RoutersAll-In-One Security for the WAN Security Integrated Into the Network
Security integrated into the network infrastructure Extends value of network • Industry leading VPN connectivity, high-performance Enables new applications • Continual integration of Advanced Technologies e.g. Voice, Wireless, SSL VPN, NAC, Outbreak Prevention Future proof investment • High market acceptance—millions of units deployed, fastest growing, largest network security segment Low technology adoption risk • Single device to configure and manage Reduces complexity, OpEx Cisco Security Routers—Driving Industry Growth Through Value “Worldwide VPN and Firewall growth was again driven by Cisco’s strength in hardware secure routers (up 25% this quarter)”Infonetics Research, 2005
Feature Breadth and Scale at Highest Performance Cisco Security Router Portfolio WAN Aggregation 7600 Series 7200 Series INTEGRATED SERVICES ROUTERS Performance and Services Density 3800 Series High Density and Performance for Concurrent Services 2800 Series Embedded, Advanced Voice, Video, Data and Security Services 1800 Series 800 Series Embedded Wireless, Security and Data Small Branch SMB Small Office and Teleworker Branch Office Head Office
Cisco 7200 and 7301 RoutersEnterprise Head-End and SP-Edge with Security Services • Cisco 7200 Series : Up to OC3 performance with integrated services • Cisco 7301 : 1RU platform with onboard GE • Target : Enterprise core and Service Provider edge • Diverse deployment applications: • WAN aggregation, Managed Security, IBM datacenter, SAA management, Broadband aggregation, MPLS PE, and Route Reflector • Modular engine options for improved performance • Onboard GE, High-density Port Adapters (supported across Cisco 7000 portfolio) • Hot swappable interfaces, Redundant power • Cisco IOS T, S and Mainline release support • Release options to meet cutting-edge enterprise features or stability as key requirements New! • SA-VAM2+ • Hardware acceleration for AES wide keys (192 – 256 bit) • Provides >260 Mbps 3DES • Up to 5000 IPSec tunnels • Hardware accelerated IPPCP compression
Power + 802.3af VPN AIM AIM USB USB GE GE DSP DSP DSP NME HWIC HWIC HWIC HWIC EVM Cisco Integrated Security ArchitectureIntegrated Hardware Security Services • Built-in VPN acceleration • High-performance crypto offload • 3DES/AES encryption • 4x faster than previous platforms • Secure voice • PVDM modules • Support for SRTP • High-performance AIM • Optional AIM-VPN PLUS • 3DES, AES, and compression • 10x faster than previous platforms • USB port • Removable • Secure credentials Common Hardware Architecture Modular Design Investment Protection
Cisco ISR – Integrated Wireless AccessOptimized for Secure Mobility Integrated Wireless Access for 1841, 2800, 3800 Cisco 1800 Series (Fixed Configuration) Cisco 870 Series • Wire Speed Performance • Stateful Firewall, VPN, IPS, Antivirus, NAC • Integrated back up port for redundant WAN links and load balancing • 802.11aand 802.11b/g option, multiple antennas • 8-port 10/100 managed switch, internal power supply, optional internal POE • Up to 8 VLANs Cisco 850 Series • Higher performance • Stateful Firewall, VPN, IPS, Antivirus, NAC • 802.11b/g option, multiple antennas • Advanced QoS features • 4-port 10/100 managed switch • Up to 3 VLANs • Stateful Firewall and VPN • 4-port 10/100 switch • 802.11b/g option, single fixed antenna
Deploy Security On Your Routers Up Front Reduce Costs, Worries • Choose Cisco Security Router Bundles • Proactive measure to protect your network • Set up secure foundation for voice, wireless deployment • Bundle discounts provide compelling ROI to buy security now versus adding later • Migration programs offer credit towards Cisco and competitive equipment
Secure Connectivity A Site-to-Site VPN • Network intelligence (routing, QoS, multicast) enables Voice, Video & Data • Centralized cookie-cutter configuration (Easy VPN) • Scalable full / partial mesh (DMVPN) • Simplified PKI deployment (CA Server, USB eTokens) Remote Access VPN • Full service network access with centralized policy-based management (Easy VPN) • Clientless secure access (SSL VPN) High Performance VPN • High performance and resiliency for larger sites • Strongest encryption (hardware-accelerated AES) Business Requirements • Encrypted VPN connectivity between sites or partners • Secure remote access • Encrypted Point-of-Sale transactions • Site-to-Site VPN • Interconnect branch offices over IP • High-Performance VPN • For larger sites including head office aggregation Secure Tunnel Branch Office Internet Corporate Office • Remote Access VPN • Hardware VPN for small offices & telecommuters • Software VPN for mobile users Small Branch Small Office & Telecommuter
Business Requirements Analysis A • Have you reviewed on-going costs of Leased Line or Frame Relay links? • Are you considering migrating to VPN? • Is your business regulated by HIPPA, SOX, EU Directive 95/46? • Are you planning to offer secure remote access to employees or partners? NO YES • Many businesses are migrating for cost savings and/or broadband performance • Show Case Study and ROI analysis • Businesses need encryption to ensure compliance with legislation • With external entities and internally between buildings or groups • Select a Secure WAN bundle based on performance and services • Less expensive to purchase the Cisco Secure WAN solution now, versus upgrading later • Schedule a demo of appropriate VPN solutions • EZ VPN, DMVPN, SSL VPN
Compelling ROI for VPN Migration A Before – Frame Relay After – IP VPN 1.5M (512k CIR) port speed 30 sites 10% mesh ~ 2 PVCs per site Access Charge/Site = $4,354 Management = $635 Total Branch Access = $4,989 Head End Access = $10,800 Total Cost/month (80%) = $124,384 1.5M port speed 30 sites Cost of 2811 x 29 sites = $78,800 Cost of 3845 head-end = $12,700 Total Nonrecurring Cost = $91,500 Access Charge/Site = $1,420 Management = $ 550 Total Branch Access = $1,970 Head End Access = $10,800 Total Cost per month = $67,930 $56K Per Month Savings Equipment Paid Off in 2 Months
High Performance Security Bundles TCO A Cheaper to Buy Now vs. Later • CapEx savings alone $2,000 - $10,000 • Additional OpEx savings (typically 10-50% price of platform) not included above
Secure Connectivity Case Study—Data Encryption for Frame Relay or Leased Lines A Business Problem • Reduce risk of exposing customer data (e.g. credit card), avoid painful disclosure and negative publicity Real-Life Example • Online retailer with WAN connectivity via Frame Relay • Their Service Provider mis-provisioned a DLCI change • Another company’s network overlapped into their network… • Notification of Risk to Personal Data (NORPDA) mandates that all customers be notified of breach Solution • Customer now encrypts all traffic over their WAN • Un-encrypted traffic is denied entrance to their FR network • Ensures security of customer data
Why AES? * Assume a machine could try 255 keys per second - NIST • The Secretary of Commerce approved the adoption of the AES as an official Government standard, effective May 26, 2002 • US Federal Government and other large Enterprise and Servie Provider customers are migrating their 3DES IPSec to AES • AES is designed to replace DES / 3DES
2. Where is 2? 5. Ring Call Site 2 1. Static public IP address Send 2’s public IP address 3. On-Demand Tunnel (spoke-to-spoke) 4. Dynamic, Permanent Tunnel (spoke-to-hub) Dynamic (or static) public IP addresses • Improved performance • Easy to deploy and maintain • Reduced latency and jitter • Increased scalability Dynamic Multipoint VPN and VoIP Auto-meshing with Dynamic Routing Site 1 Hub Site n Site 2
IPSEC+GRE vs DMVPN Hub to Spoke DMVPN Hub to Spoke Benefits + Simplified and Smaller Configs for Hub and Spoke + Zero touch provisioning for adding spokes to the VPN + Easily supports dynamically addressed CPEs
IPSEC+GRE vs DMVPN Spoke to Spoke Static Full Mesh vs Virtual Full Mesh DMVPN Spoke to Spoke Benefits + On demand spoke to spoke tunnels – avoids dual encrypts/decrypts + Smaller spoke CPE can participate in the virtual full mesh
Dynamic Multipoint VPN – Benefits • Simplified configuration • Spokes use a proven registration protocol to connect to the hubs, then dynamic routing builds the network topology automatically • Configuration files are much smaller and easy to manage • No new hub provisioning for each new spoke added – zero touch for lower admin costs and higher up-time • Complete application (multicast/QoS) and authentication support • Coming soon: Dynamic VPN creation between spoke routers based on user traffic
EasyVPN - Overview Central Site Branch Office Internet Legend: Home Office Cisco VPN S/W Client on PC/MAC/Unix • Remote device contacts central-site router/concentrator, and provides authentication credentials. • If credentials are valid, central-site “pushes” configuration data securely to the remote device and VPN is established.
IPSec Virtual Tunnel Interface (VTI) • Simplifies VPN configuration by eliminating crypto maps, ACLs, GRE • Simplifies VPN design: • 1:1 relationship between tunnels and sites with a dedicated logical interface • More scalable alternative to GRE (Generic Router Encapsulation) for VPN tunnel creation • VTI can support QoS, Multicast, and other routing functions that previously required GRE • Improves VPN interoperability with other vendors 192.168.2.0/24 192.168.1.0/24 192.168.100.0/30 .1 Tunnel 0 .2 .1 .1
Benefits Support dynamic connections with VPN Enable small or large deployments without user intervention Enforce consistent VPN Policy on all remote devices Interoperability across Cisco access and security devices No head end changes when adding extra devices Cisco VPN Client is the only FIPS certified client in the industry! Policy Attributes Pushed Today Dynamic VPN IP Address (via Pool) Internal NetMask Internal DNS and WINS Servers Split tunnel mode New Attributes Pushed starting in IOS12.2(18)SXD Static VPN IP Address via RADIUS Idle Timeouts Split DNS Max tunnels per VPN Group VPN Group Lock Personal Firewall (Are You There) Check Include Local LAN Save Password Control Backup Head-End GW List Per User AAA Attributes Easy VPN IPSec Remote Access Dynamic Policy Push for Scalable Services HQ Central Site 6500 / 7600 Teleworker / Small Branch Office VPN functions are assigned IKE Mode Config Attributes; several parameters at once VPN VPNSM Mobile Workers Cisco Easy VPN Server on Central Site 6500 or 7600
Cisco IOS PKI Certificate Server • Router can now be Certificate Authority Server (CA) • Eliminates complexity of installing separate PKI/CA Server • Key Rollover for Certificate Renewal • Allows the certificate renewal request to be made before certificate expires • Easy VPN now works with PKI Certificates • Can use Cisco IOS CA server for enrollment Branch Office A CA Server Internet Corporate Headquarters CA Server Branch Office B Branch Office C
USB Secure Token & Flash Storage Integrated USB Ports (Integrated Services Routers) Support for Secure Token and FLASH Memory • Simplified Provisioning • Zero-touch Deployment • Distribution and Storage of VPN credentials • Easy to provision and distribute encryption keys • Encryption keys are securely stored and removable • Bulk Flash for image distribution/storage • Alternative to Compact Flash deployment 2 USB Ports:3800, 2851, 2821, 2811, 1811, 1812, 871 1 USB Port:2801, 1841 Available from Aladdin 28
Data & Identity Protection B Perimeter Defense • Segregate network assets into trusted & untrusted zones • Application-aware inspection and defense against port 80, IM, P2P misuse Outbreak Prevention • Network-based protection against virus/worm/trojans and other threats • Distributed protection across entire network at minimum cost • Rapid response to emerging threats Controlled Access • Controls who/what gets access to the network and what they can do • Detects and isolates non-compliant devices Business Requirements • Defend against worms, viruses, trojans, hacks • Enforce policy-based control to network assets • Perimeter Defense • Policy Firewall (L3) • Transparent Firewall (L2) • Application Firewall (L4-7) • Outbreak Prevention • Intrusion Prevention • Distributed Threat Mitigation • Incident Control Branch Office Internet Corporate Office • Identity & Controlled Access • Network Admission Control • URL Filtering • Port-Level Security (802.1x) Small Branch Small Office & Telecommuter
Business Requirements Analysis B • Need perimeter protection against worms, viruses and trojans? • Concerned with unauthorized access, security posture of laptops & PCs? • Need to comply with information privacy laws e.g. SOX, HIPAA, EU Directive 95/46? • Required to enforce Internet surfing policies, prevent illegal downloads? NO YES • Mitigating infections at the perimeter conserves WAN bandwidth, allows faster response • Companies need to protect their customer records and privacy to pass security audits • URL filtering monitors and enforces surfing policies, reduces legal risks • Check case study and ROI analysis • Select the right Secure WAN bundle • Less expensive to purchase the Cisco Secure WAN solution now, versus upgrading later • Schedule a demo of the appropriate Data & Identity Protection solutions • Application firewall, IPS, DTM, NAC, URL filtering
Data & Identity Protection Drivers—Loss of Data, Time B Annual Loss from Unauthorized Access to Information The Total Cost of a Major Security Incident* * Source: CSI/FBI Computer Crime and Security Surveys, Morgan Stanley Research * Source: UK Study, 2004
Sarbanes-Oxley, Section 404 Severe CEO / Corporate penalties for non-compliance Health Insurance Portability & Accountability Act (HIPAA) Affects health care Up to $250,000 in fines and 5 years in Jail – per violation Gramm-Leach-Bliley Act (GLBA) Affects financial services CIO Level Staff can be held personally liable plus penalties and class action suits Notification of Risk to Personal Data Act (NORPDA) ALL customers must be notified of breach SB1386 (California) ALL customers must be notified of breach Data & Identity Protection Drivers—Legislation B
Data & Identity Protection Case Study B Business Problem • Compliance with government regulations Real-Life Example • Infineon – Large global semiconductor Enterprise • Required maximum security for Intellectual Property Solution • Network security integration, low OpEx • Single chassis Catalyst 6500 for VPN, Security, Routing, Switching • IPSec VPN over LAN and encrypted multicast • IPSec VPN Shared Port Adapter • AES encryption in line with federal and government agency standards • High performance data security, wireless • Service Modules for Firewall, Intrusion Detection, Network Analysis, WLAN
Cisco IOS IPSNew Features and Engines – All Inline! • Router-based IPS enables broadly-deployed worm and threat mitigation services -- even to remote branch offices • String Engines enablecustom matching of any string in the packet • Customize signatures for quick reaction to new threats • TCP String, UDP String, ICMP String, Trend Micro • 400 worm and attack signatures added – an ever-increasing number of signaturesfrom which to dynamically select • Supports Trend Micro Signatures
Internet Companies Are Opening Port 80 Attacks Enter Through Web-enabled Applications Internal Users “…75% of successful attacks against Web servers are entering through applications and not at the network level.” 98% Internet access 43% Rich media IM traffic 43% 55% Web enabled apps Port 80 FireWall Web services 43% 80 – HTTP 64% of enterprises have opened Port 80 on their firewalls for their growing web application traffic John Pescatore, VP and Research Director, Gartner, June 2002. Source: Aug 2002 InfoWorld/Network Computing survey of IT Professionals
Payload Payload Port 25 Port 80 Cisco IOS Firewall Advanced Application Inspection and Control I am email traffic… honest! HTTP Inspection Engine • Delivers application level control through inspection of port 80 tunneled traffic • Convergence of Cisco IOS Firewall and Inline IPS technologies • Control port 80 misuse by rogue apps that hide traffic inside http to avoid scrutiny • Example: Instant messaging and peer-to-peer applications such as Kazaa I am http web traffic… honest! Corporate Office Server Farm Email Inspection Engine • Control misuse of email protocols • SMTP, ESMTP, IMAP, POP inspection engines Inspection Engines provide protocol anomaly detection services
INTERNET IPSEC TUNNEL Integrated Content SecurityURL Filtering and Content Engine Network Module Content Engine Network Module Cisco IOS URL Filtering • Internet Proxy Cache • URL Filtering Application Server • Pre-loaded OEM Websense and Smartfilter filtering applications • Enforces Application Use Policy • Traffic logging and reporting • Anti-Virus Gateway (ICAP) to scan, clean, and cache Web content • Integrated with Cisco IOS Firewall • Supports Websense and N2H2 Web filtering clients • Works with external Websense and N2H2servers • Static “good” list / “bad” list URL filtering in IOS Branch Office Internet Corporate Headquarters NM-CE Server X Server ULR Database NM-CE URL Database IOS FW www.hackershomepage.com
IPsec “Virtual” Interface VRF-Aware “Virtual” Firewall Engineering Cisco IOS FW Internet Corporate LAN Accounting .1 Tunnel 0 .2 .1 .1 Cisco IOS Virtualized ServicesVRF-Aware “Virtual” Firewall & IP Sec “Virtual” Interface • Simplified IPsec VPN configuration and design (Network-aware IPsec) • Easier and scalable management, and faster deployment of IPsec technology • Enhanced support for V3PN applications through Multicast, QoS and Routing support • VRF supports multiple independent contexts (addressing, routing and interfaces) at the branch location for separation of departments, subsidiaries, or customers • VRF-Aware FW allows customers to add FW to the list of services available at the individual context level
Corporate Headquarters 802.1x Identity Authentication Support • Support for 802.1x Authentication • New 4 & 9 Port EtherSwitch HWIC and current 16 and 36 Port NM all Support 802.1x AND Power over Ethernet (POE) • All new router Ethernet ports also support 802.1x • Survivable Remote User Authentication HWIC-ESW4 and 9 port Hi-Speed WAN Interface Card NM-ESW16 and 36 ports of 10/100 Ethernet 802.1x Identity Enforcement AAA Server Router Branch Router with 4 Port EtherSwitch Network Branch Router with 802.1x
Network Admission Control (NAC)Delivering Collaborative Security Systems Coalition of market-leading vendors NAC Solution: Leverages the network to intelligently enforce access privileges based on endpoint security posture Focused on limiting damage from viruses and worms Hosts Attempting Network Access Policy Server Decision Points 3800, 2800, 1800, or 800 Router Limits network access to compliant, trusted endpoints Policy (AAA) Server Vendor Server Credentials Credentials Credentials Restricts network access by noncompliant devices RADIUS Supports multiple AV vendors & Cisco Security Agent Notification Access Rights Comply? Cisco Trust Agent The 3800, 2800, and 1800 Security Bundles ship with NAC capability Enforcement www.cisco.com/go/nac
Secure Wireless • Dual-band wireless (802.11 a, b/g) • Public wireless hotspot • Secure Voice • Integrated IP-PBX and PSTN gateway • Voice, video & data over VPN Secure Voice and Wireless C Secure Voice • Business ready voice: local call processing & audio conferencing (CCME) • High-performance encrypted voice and video (V3PN) • Security for voice and data applications (Policy Firewall) • Reduced TCO (Toll-bypass, network/equipment consolidation) Secure Wireless • Extensive wireless security (.1x, WPA, EAP-TLS, TKIP) • Integrated wired/wireless (VLANs, QoS) • Reduced infrastructure cost (inline power EtherSwitch) Business Requirements • Security & convergence of Voice and Data services • Security & integration of Wired and Wireless Employee Mobility Guest Access IP Video Internet PSTN POS Registers IP Phone
Increased ROI with Secure Voice – Example C Before – 17XX & 26XX After – 2800 ISR } Same Requirements CapEx Reduced 3xOpEx Reduced Due to Single Box Solution
Secure Voice (V3PN) Bundles TCO C Cheaper to Buy Now vs. Later • V3PN Bundles include: • Router, AIM-VPNII PLUS, DSPs • Cisco IOS Advanced IP Services Feature Set • Cisco Call Manager Express, Voice Mail (Optional)
The ROI of Wireless C The Business Benefits: 2003 NOP Study Shows Rise in Productivity from 2001 Study Source: NOP World Technology, Sep 2001 and 2003
Business Requirements Analysis C • Are you considering IP Communication applications at your campus or branch office? • Do you need Wireless Access for employees, guests, customers? • Do you plan to reduce telecom costs by consolidating voice and WAN links? NO YES • Many businesses are implementing IP Telephony and Wireless services for cost savings and improved productivity • Check Case Study and ROI analysis • Existing investment in voice and WLAN equipment could be further leveraged through consolidation of separate networks onto ISRs • For voice, consider V3PN bundles—high application performance & resiliency • Less expensive to purchase Secure WAN bundle now, versus upgrading later • Schedule a demo of Secure Voice & Wireless solutions
Secure Voice Case Study C Business Problem • Secure voice & data for remote sites Real-Life Example • ePlus – Financial solutions & enterprise software • Needed to unify dispersed nationwide workforce Solution • Voice functions integrated into Cisco ISRs • Replaced 35 disparate phone systems • Now employees reach co-workers anywhere with four-digit extension • Connectivity costs cut by $840K per year by migrating from Frame Relay to DMVPN • Future video conferencing, content caching, intrusion prevention and NAC services • Quick business expansion – cookie-cutter deployment, phones for new sites up in 2 hours “The Cisco ISRs allow us to centralize everything into a router. By the time we have completed our deployment, we will have doubled …our organization, while reducing maintenance and circuit costs.” Chris Fairbanks, Principal Network Architect, ePlus Inc.
V3PN: Secured Site-to-Site Multi-Service VPN Based on GRE/IPSec Delivering voice and video over an IPSec VPN requires more than just encrypting RTP packets Cisco IOS VPN Routers provide: • Reliable voice quality in network congestion • Voice-centric QoS w/ IPSec– basic queuing alone does not ensure voice and video quality • Support for multicast voice and video applications • IPSec can break multicast IP Telephony and Video applications • Resiliency at all points in the network • Telephony and VPN resiliency at all sites • Cisco Powered Network “IP VPN-Multiservice” designation for V3PN • Ensures quality for enterprises
Business Continuity D WAN Backup • Seamless recovery from link failures • Stateful head-end failover minimizes application interruption • Independent remote site telephony operation during disasters (SRST) Network Foundation Protection • Device availability • Control Plane Protection, AutoSecure, rate limiting • Secure management access • SSL, SSHv2 for CLI • SDM for web-based • Security incident analysis • Syslog, NetFlow, IP Source Tracker Business Requirements • Uninterrupted operation of business-critical applications • Network must stay up in the face of attacks & disasters • WAN Backup • Backup VPN over Broadband (DSL, Cable) or Dial (PSTN, ISDN) • Head-end redundancy • Survivable remote telephony Branch Office Internet Corporate Office • Network Foundation Protection • DDoS protection • Secure remote management • Forensics Small Branch Small Office & Telecommuter
Business Requirements Analysis D • Do you have a disaster recovery plan that includes your business critical network services? • Are you considering using IP VPN as a backup for Frame Relay / Leased Lines? • Do you have a plan to protect your network infrastructure from DDoS attacks, or targeted attacks? NO YES • Network downtime due to natural or man-made disasters impacts uninterrupted access to mission-critical applications • Many businesses use IP VPN as a backup – flexible and cost-effective • If you are migrating to Broadband (xDSL), leverage existing Dial/ISDN links for Dial backup • Check Case Study and ROI analysis • Select the right Secure WAN bundle based on performance and services • Less expensive to purchase the Cisco Secure WAN solution now, versus upgrading later • Schedule a demo of appropriate Business Continutity solutions • Dial backup, Stateful failover, SRST, CPP, AutoSecure, SDM
Cost of downtime $205 per employee hour More than just revenue impacted Impaired performance Damaged reputation Employee frustration Business Continuity Drivers—Industry Averages for Costs of Downtime D Revenue/ Employee-Hour Revenue/ Hour Industry Sector Energy $2,817,846 $569 Telecommunications $2,066,245 $186 Manufacturing $1,610,654 $134 Financial institution $1,495,134 $1,079 Insurance $1,202,444 $370 Retail $1,107,274 $244 Transportation $668,586 $107 Average $1,010,536 $205 Source: META Group, April 2004
Business Continuity Case StudyBackup for Frame Relay Using VPN D Business Problem • Business continuity through VPN backup for WAN Real-Life Example • Network Appliance – Unified storage solutions • Rapid growth – Adding new offices, moving several large locations • Needed flexibility and security to use connectivity options available at each site Solution • Field offices have direct WAN and ISP connections • If WAN link goes down, traffic re-routed to hub sites over the ISP link • ISRs provide single solution for T1/E1, DSL, Cable and DS3 • Scales incrementally – can deploy multiple DS-3 links to each router without having to replace the router itself • Built-in Security and QoS