Chapter 2: Overview of VPN and IPSec Technologies
6 What are the two modes of operation for AH and ESP?
7 How many Security Associations (SAs) does it take to establish bidirectional IPSec communications between two peers?
8 What is a message digest?
9 Which current RFCs define the IPSec protocols?
10 What message integrity protocols does IPSec use?
11 What is the triplet of information that uniquely identifies a security association?
12 You can select to use both authentication and encryption when using the ESP protocol. Which is performed first when you do this?
13 What five parameters are required by IKE Phase 1?
14 What is the difference between the deny keyword in a crypto Access Control List (ACL) and the deny keyword in an access ACL?
15 What transform set would allow SHA-1 authentication of both AH and ESP packets and would also provide Triple Data Encryption Standard (3DES) encryption for ESP?
16 What are the five steps of the IPSec process?
The answers to this quiz are listed in Appendix A, “Answers to the “Do I Know This Already?” Quizzes and Q&A Sections.” The suggestions for your next steps, based on quiz results, are as follows:
• 2 or less score on any quizlet—Review the appropriate portions of the “Foundation Topics” section of this chapter, based on Table 2-1. Proceed to the “Foundation Summary” section and the “Q&A” section.
• 8 or less overall score—Read the entire chapter, including the “Foundation Topics,” “Foundation Summary” sections, and the “Q&A” section.
• 9 to 12 overall score—Read the “Foundation Summary” section and the “Q&A” section. If you are having difficulty with a particular subject area, read the appropriate portion of the “Foundation Topics” section.
• 13 or more overall score—If you feel that you need more review on these topics, go to the “Foundation Summary” section, then to the “Q&A” section. Otherwise, skip this chapter and go to the next chapter.
Foundation Topics
Cisco VPN Product Line
VPNs are typically deployed to provide improved access to corporate resources while providing tighter control over security at a reduced cost for WAN infrastructure services. Telecommuters, mobile users, remote offices, business partners, clients, and customers all benefit because corporations see VPNs as a secure and affordable method of opening access to corporate information.
Surveys have shown that most corporations implementing VPNs do so to let telecommuters access the corporate network from home. They cite security and reduced cost as the primary reasons for choosing VPN technology and single out monthly service charges as the cost justification for the decision.
VPN technology was developed to provide private communication wherever and whenever needed, securely, while behaving as much like a traditional private WAN connection as possible. Cisco offers a variety of platforms and applications that are designed to implement VPNs. The next section looks at these various products and Cisco’s recommended usage in the deployment of VPNs.
Enabling VPN Applications Through Cisco Products
Through product development and acquisitions, Cisco has a variety of hardware and software components available that enable businesses of all sizes to quickly and easily implement secure VPNs using IPSec or other protocols. The types of hardware and software components you choose to deploy depend on the infrastructure you already have in place and on the types of applications that you are planning to use across the VPN.
This section covers the following topics:
• Typical VPN applications
• Using Cisco VPN products
Typical VPN Applications
The business applications that you choose to run on your VPNs go hand in hand with the type of VPN that you need to deploy. Remote access and extranet users can use interactive applications such as e-mail, web browsers, or client/server programs. Intranet VPN deployments are designed to support data streams between business locations.
Figure 2-1 Cisco products enable a secure VPN
The benefits most often cited for deploying VPNs include the following:
• Cost savings—Elimination of expensive dedicated WAN circuits or banks of dedicated modems can provide significant cost savings. Third-party Internet service providers (ISPs) provide Internet connectivity from anywhere at any time. Coupling ISP connectivity with the use of broadband technologies, such as digital subscriber line (DSL) and cable, not only cuts the cost of connectivity but can also deliver high-speed circuits.
• Security—The cost savings from the use of public infrastructures could not be realized if not for the security provided by VPNs. Encryption and authentication protocols keep corporate information private on public networks.
• Scalability—With VPN technologies, new users can be easily added to the network. Corporate network availability can be scaled quickly with minimal cost. A single VPN implementation can provide secure communications for a variety of applications on diverse operating systems.
VPNs fall into three basic categories:
• Remote access
• Intranet
• Extranet
The following sections cover these three areas in more detail
Remote Access VPNs
Telecommuters, mobile workers, and remote offices with minimal WAN bandwidth can all benefit from remote access VPNs. Remote access VPNs extend the corporate network to these users over publicly shared infrastructures, while maintaining corporate network policies all the way to the user. Remote access VPNs are the primary type of VPN in use today. They provide secure access to corporate applications for telecommuters, mobile users, branch offices, and business partners. These VPNs are implemented over common public infrastructures using ISDN, dial, analog, mobile IP, DSL, and cable technology. These VPNs are considered ubiquitous because they can be established any time from practically anywhere over the Internet. E-mail is the primary application used by these connections, with database and office automation applications following close behind.
Some of the advantages that might be gained by converting from privately managed networks to remote access VPNs are as follows:
• Modems and terminal servers, and their associated capital costs, can be eliminated.
• Long-distance and 1-800 number expenses can be dramatically reduced as VPN users dial in to local ISP numbers, or connect directly through their always-on broadband connections.
• Deployments of new users are simplified, and the increased scalability of VPNs allows new users to be added without increased infrastructure expenses.
• Turning over the management and maintenance of the dial-up network to third parties allows a corporation to focus on its business objectives rather than on circuit maintenance.
Although there are many advantages, be aware of the following disadvantages when implementing a VPN solution:
• IPSec has a slight overhead because it has to encrypt data as they leave the machine and decrypt data as they enter the machine via the tunnel. Though the overhead is low, it can impact some applications.
• For users with analog modem connections to the Internet at 40 kbps or less, VPNs can cause a slight reduction to throughput speed because the overhead of IPSec takes time to process the data.
• IPSec is sensitive to delays. Because the public Internet infrastructure is used, there is no guarantee of the amount of delay that might be encountered on each connection leg as the tunneled data traverse the Internet. This should not cause major problems, but it is something to keep in mind. Users might need to periodically reestablish connections if delay thresholds are exceeded.
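As an added example that is not from the book, to put rough numbers on the per-packet overhead described above: the header, IV, trailer and ICV sizes below are the standard ESP tunnel-mode values for 3DES-CBC with HMAC-SHA-1-96 (assumed here, not given on this page), and the 40 kbps link and the packet sizes are constructed.

```python
# Added example (not from the book): estimate how much an ESP tunnel-mode
# packet grows with 3DES-CBC and HMAC-SHA-1-96, and what that leaves of a
# slow link. Header and trailer sizes are the standard ESP values (assumed
# here, not given on the page); link speeds and packet sizes are constructed.
from dataclasses import dataclass

OUTER_IP_HDR = 20   # new outer IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
DES3_IV = 8         # 3DES-CBC initialisation vector
DES3_BLOCK = 8      # 3DES-CBC block size; encrypted part is padded to it
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)
SHA1_ICV = 12       # HMAC-SHA-1-96 integrity check value


@dataclass(frozen=True)
class EspEstimate:
    plaintext: int       # original IP packet (inner header + payload), bytes
    padding: int         # bytes added to reach the 3DES block boundary
    on_wire: int         # total bytes sent for this packet
    overhead_pct: float  # percentage growth over the original packet


def esp_tunnel_3des_sha1(packet_len: int) -> EspEstimate:
    """Size of one ESP tunnel-mode packet protected by 3DES-CBC + SHA-1."""
    # Only payload + padding + trailer are encrypted, so only they must
    # end on a cipher block boundary; IV, headers and ICV are not padded.
    padding = (-(packet_len + ESP_TRAILER)) % DES3_BLOCK
    on_wire = (OUTER_IP_HDR + ESP_HDR + DES3_IV
               + packet_len + padding + ESP_TRAILER + SHA1_ICV)
    return EspEstimate(packet_len, padding, on_wire,
                       100.0 * (on_wire - packet_len) / packet_len)


def goodput_kbps(link_kbps: float, packet_len: int) -> float:
    """Useful data rate left on a link when every packet carries ESP overhead."""
    est = esp_tunnel_3des_sha1(packet_len)
    return link_kbps * est.plaintext / est.on_wire


if __name__ == "__main__":
    # Constructed sample: a 40 kbps analogue modem carrying small interactive
    # packets (telnet-sized) versus large bulk-transfer packets.
    for size in (64, 512, 1400):
        e = esp_tunnel_3des_sha1(size)
        print(f"{size:5d} B -> {e.on_wire:5d} B on wire "
              f"({e.overhead_pct:5.1f}% growth); goodput at 40 kbps: "
              f"{goodput_kbps(40, size):.1f} kbps")
```

Small interactive packets nearly double in size, which is why the slowdown the text mentions is felt most on modem links carrying chatty traffic rather than on bulk transfers.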
Remote access VPNs can initiate tunneling and encryption either on the dial-up client or on the network access server (NAS). Table 2-2 outlines some of the differences between the two approaches.
Table 2-2 Remote Access Models
Client-initiated model:
• Uses IPSec, Layer 2 Tunnel Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP) for establishing the encrypted tunnel at the client.
• Ubiquitous ISP network is used only as a transport vehicle for the encrypted data, permitting the use of multiple ISPs.
• Data is secured end to end from the point of origin (client) to the destination, permitting the establishment of VPNs over any infrastructure without fear of compromise.
• Third-party security software packages, such as Cisco’s VPN Client, can be used to provide more enhanced security than system-embedded security software like PPTP.
• A drawback is that you must install a VPN Client onto every remote user’s system. The initial configuration and subsequent maintenance require additional resources from an organization.
NAS-initiated model:
• VPNs are initiated at the service provider’s point of presence (POP) using L2TP or Layer 2 Forwarding (L2F).
• Eliminates the need for client-based VPN software, simplifying installation and reducing administrative cost.
• A drawback is that the data circuits from the POP to the client remain unprotected. Another drawback is that you must use the same service provider end to end, eliminating the Internet as a transport vehicle.
Figure 2-2 depicts the two types of remote access VPNs that can be accommodated by Cisco equipment and software.
Figure 2-2 Remote Access VPNs
Site-to-Site Intranet VPNs
You can use site-to-site intranet VPNs to connect remote offices and branch offices to the headquarters internal network over a shared infrastructure. These connections typically use dedicated circuits to provide access to employees only. These VPNs still provide the WAN characteristics of scalability, reliability, and support for a variety of protocols at a reduced cost in a flexible manner.
Intranet VPNs are typically built across service provider-shared network infrastructures like Frame Relay, Asynchronous Transfer Mode (ATM), or point-to-point circuits. Some of the benefits of using intranet VPNs include the following:
• Reduction of WAN costs, especially when used across the Internet
• Partially or fully meshed networks can be established, providing network redundancy across one or more service providers
• Ease of connecting new sites to the existing infrastructure
(Figure 2-2 diagram labels: Client-Initiated VPN, IPSec/PPTP/L2TP tunnel; NAS-Initiated VPN, L2TP/L2F tunnel via NAS; VPN cloud (Internet, IP); Public Switched Telephone Network; Home Office.)
Figure 2-3 shows a diagram of a typical intranet VPN network. The corporation manages the edge routers, providing flexible management and maintenance opportunities over intranet VPNs.
Figure 2-3 Intranet VPNs
Business-to-Business Extranet VPNs
Business-to-business extranet VPNs are the VPNs that give corporate network access to customers, suppliers, business partners, or other interested communities who are not employees of the corporation. Extranet VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs. The difference is found in the privileges that are extended to the extranet users. Security policies can limit access by protocol, ports, user identity, time of day, source or destination address, or other controllable factors.
Fixed, business-to-business connections and ubiquitous dial-up or broadband Internet connections are depicted in Figure 2-4.
(Figure 2-3 diagram labels: Home Office; Remote Office; Remote Office; VPN links across Internet/IP.)
Figure 2-4 Extranet VPNs
Using Cisco VPN Products
Cisco can supply hardware and software to cover almost every possible VPN requirement. From routers and firewalls for intranet applications to VPN concentrators and clients for remote access applications, this section introduces you to some of the key features of Cisco VPN products.
(Figure 2-4 diagram labels: Home Office; Business Partner; Dial-Up Business Partner; NAS; VPN links across Internet/IP; Public Switched Telephone Network.)
Cisco VPN Routers
Cisco VPN routers are the best choice for constructing intranet or extranet site-to-site VPNs. These routers use Cisco IOS Software and can be used to deliver multicast, routing, and multiprotocol support across the VPN. You can enable quality of service (QoS) on these devices, and the firewall feature option can turn these routers into robust firewalls. Some routers also have integrated DSL and cable modems to provide VPN access to small offices/home offices (SOHOs). Some VPN routers can be equipped with special modules to handle encryption processing for VPN tunnels. These modules free memory and CPU cycles that can then be used for switching packets, which is the routers’ primary function.
These VPN routers offer the full range of VPN protocols and services. Table 2-3 shows some of the Cisco routers that are available for VPN service and identifies the application where they would most likely be applied.
Table 2-3 Cisco VPN Routers
Cisco 827H ADSL Router: 384 kbps, up to 50 tunnels
• Fixed configuration
• Integrated DSL modem
• 4-port 10BaseT hub
• Support for EzVPN Remote
Applications: SOHO, Remote access VPN, Extranet VPN
Cisco uBR905 Cable Router: 6 Mbps, up to 50 tunnels
• Fixed configuration
• Integrated cable modem
• 4-port 10BaseT hub
• Support for EzVPN Remote and Server
Applications: SOHO, Remote access VPN, Extranet VPN
Cisco 806 Broadband Router: 384 kbps, up to 50 tunnels
• Fixed configuration
• Installed behind broadband modem
• 10BaseT Ethernet WAN interface
• 4-port 10BaseT LAN hub
• Support for EzVPN Remote
Applications: SOHO, Remote access VPN, Extranet VPN
Cisco 1710 Router: 3 Mbps, up to 100 tunnels
• Fixed configuration
• 10/100 Fast Ethernet port
• 10BaseT Ethernet port
• Support for EzVPN Remote and Server
Applications: SOHO, Remote access VPN, Extranet VPN
continues