| 0 comments ]

Overview

Add a note hereThis chapter introduces the concepts of site-to-site virtual private networks using Cisco IOS features and covers the following topics:

  • Add a note hereConcepts, technologies, and terms that IPsec VPNs use

  • Add a note hereSite-to-site IPsec VPN configuration using the command-line interface

  • Add a note hereSite-to-site IPsec VPN configuration using Cisco Security Device Manager

Add a note hereThe IP Security (IPsec) virtual private network (VPN) is an essential tool for providing a secure network for business communication. This chapter addresses the different protocols and algorithms that IPsec uses and the different security services that IPsec provides. This chapter also introduces the different VPN technologies and examines the various Cisco products available and the best practices that you should use with them.

VPN Overview

Add a note hereHistorically, a VPN was an IP tunnel. Therefore, a generic routing encapsulation (GRE) tunnel is technically a VPN, even though GRE does not encrypt. Point-to-Point Tunnel Protocol (PPTP) is another good example of a VPN. With PPTP, a client makes a Point-to-Point Protocol (PPP) dial-up connection to an Internet service provider (ISP). Once connected to the ISP, the client sends IP packets, which carries PPP frames. This second connection is established from the client to the PPTP server at his corporate head office, as an example.

Add a note hereToday, the use of a VPN implies the use of encryption. With a VPN, the information from a private network is transported over a public network, such as the Internet, to form a virtual network instead of using a dedicated Layer 2 connection, as shown in Figure 5-1. To remain private, the traffic is encrypted to keep the data confidential. For the purposes of this chapter, a VPN is defined as an encrypted connection between private networks over a public network, usually the Internet.

Image from book
Add a note hereFigure 5-1: Where VPNs Are Found

Add a note hereTable 5-1 lists the primary Cisco products that can be used for VPN connectivity. Ensure that the router runs an IOS that supports VPN connectivity.

Add a note hereTable 5-1: Cisco VPN Products
Open table as spreadsheet

Add a note hereVPN Application

Add a note hereAppropriate Cisco Product Choice

Add a note hereDedicated VPN

Add a note hereCisco VPN 3000 series concentrators (Note that the VPN 3000 is end-of-sale.)

Add a note hereCisco 7200 series routers

Add a note hereVPN-enabled routers series

Add a note hereCisco SOHO 70 series routers and Cisco 800 series routers

Add a note hereCisco 1700 series modular access routers and Cisco 2600 series multiservice platforms

Add a note hereCisco 3700 series multiservice access routers and Cisco 3600 multiservice platforms

Add a note hereCisco 1800 series, Cisco 2800 series, and Cisco 3800 series integrated services routers

Add a note hereCisco 7200 series routers and Cisco 7300 series routers

Add a note hereCisco Catalyst 6500 series switches and Cisco 7600 series routers

Add a note here(Note that the SOHO 70, Cisco 800, 2600, and 3600 are end-of-sale.)

Add a note hereFirewall VPN

Add a note hereCisco ASA 5500 series adaptive security appliances

Add a note hereCisco PIX 500 series security appliances

Add a note hereVPNs have many benefits:

  • Add a note hereCost savings: VPNs enable organizations to use cost-effective third-party Internet transport to connect remote offices and remote users to the main corporate site, thus eliminating expensive dedicated WAN links and modem banks. Furthermore, with the advent of cost-effective high-bandwidth technologies, such as digital subscriber line (DSL), organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.

  • Add a note hereSecurity: VPNs provide the highest level of security by using advanced encryption and authentication protocols that protect data from unauthorized access.

  • Add a note hereScalability: VPNs enable corporations to use the Internet infrastructure within ISPs and devices, which makes it easy to add new users. Therefore, corporations are able to add large amounts of capacity without adding significant infrastructure.

  • Add a note hereCompatibility with broadband technology: VPNs allow mobile workers, telecommuters, and people who want to extend their workday to take advantage of high-speed, broadband connectivity, such as DSL and cable, to gain access to their corporate networks, providing workers significant flexibility and efficiency. Furthermore, high-speed broadband connections provide a cost-effective solution for connecting remote offices.

Add a note hereVPN Types

Add a note hereTwo basic types of VPN networks exist:

Site-to-Site VPNs

Add a note hereA site-to-site VPN, shown in Figure 5-2, is an extension of a classic WAN network. Site-to-site VPNs connect entire networks to each other; for example, they can connect a branch office network to a company headquarters network. In the past, a leased line or Frame Relay connection was required to connect sites, but because most corporations now have Internet access, these connections can be replaced with site-to-site VPNs.

Image from book
Add a note hereFigure 5-2: Site-to-Site VPNs

Add a note hereIn a site-to-site VPN, hosts do not have Cisco VPN Client software; they send and receive normal TCP/IP traffic through a VPN “gateway,” which could be a router, firewall, Cisco VPN concentrator, or Cisco ASA 5500 series adaptive security appliance. The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.

Remote-Access VPNs

Add a note hereRemote access is an evolution of circuit-switching networks, such as Plain Old Telephone Service (POTS) or Integrated Services Digital Network (ISDN). Remote-access VPNs, shown in Figure 5-3, can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic. Remote-access VPNs connect individual hosts who must access their company network securely over the Internet.

Image from book
Add a note hereFigure 5-3: Remote-Access VPN

Add a note hereIn the past, corporations supported remote users by using dial-in networks and ISDN. With the advent of VPNs, a mobile user simply needs access to the Internet to communicate with the central office. In the case of telecommuters, their Internet connectivity is typically a broadband connection such as DSL or cable.

Add a note hereIn a remote-access VPN, each host typically has Cisco VPN Client software. Whenever the host tries to send any traffic, the Cisco VPN Client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, the VPN gateway behaves as it does for site-to-site VPNs.

Add a note hereCisco IOS Secure Sockets Layer (SSL)-based VPN, shown in Figure 5-4, is a maturing technology that provides remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they establish a connection. If application access requirements are modest, SSL VPN does not require a software client to be preinstalled on the endpoint host. This capability enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location.

Image from book
Add a note hereFigure 5-4: SSL VPN

Add a note hereSSL VPNs allow users to access web pages and services, including the ability to access files, send and receive email, and run TCP-based applications, without IPsec VPN Client software. SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops.

Add a note hereSSL VPN currently delivers two modes of SSL VPN access:

  • Add a note hereClientless: In clientless mode, the remote user accesses the corporate network using the web browser on the client machine, so no applications needs to be installed locally on the user’s laptop.

  • Add a note hereThin client: In thin-client mode, the remote user downloads a Java applet by clicking the link provided on the corporate portal page or it could be configured for the Java applet to be downloaded. The Java applet acts as a TCP proxy on the client machine for the services made available to remote users.

Add a note hereIn many cases, IPsec and SSL VPN are complementary because they solve different problems. This complementary approach allows a single device to address all remote-access user requirements.

Add a note hereThe primary benefit of SSL VPN is that it is compatible with Dynamic Multipoint VPNs (DMVPN), Cisco IOS firewalls, IPsec, intrusion prevention systems (IPS), Cisco Easy VPN, and Network Address Translation (NAT).

Add a note hereThe primary restriction of SSL VPN was that it was supported only in software, where the router CPU processed the SSL VPN connections. It used to be that the onboard VPN acceleration that was available in integrated services routers (ISR) accelerated only IPsec connections. However, the newer generation of VPN acceleration for ISR now also accelerates SSL connections.


Caution

Add a note hereSSL VPN does not support the same level of cryptographic security that IPsec supports.

Add a note hereCisco VPN Product Family

Add a note hereThe Cisco VPN product family, listed in Table 5-2, includes remote and site-to-site Cisco IOS VPN and firewall security routers, Cisco VPN 3000 series concentrators, Cisco PIX 500 series security appliances, and Cisco ASA 5500 series adaptive security appliances. Note that both the PIX and VPN 300 are end-of-sale. Cisco Catalyst 6500 series switches with VPN service modules (not shown in Table 5-2) were also part of the VPN product family. It is now end-of-sale and was replaced by the Cisco 7600 series/Catalyst 6500 Series Services Shared Port Adapter (SPA) Carrier-400, which can be configured with up to two Cisco IPsec VPN SPAs.

Add a note hereTable 5-2: Cisco VPN Products
Open table as spreadsheet

Add a note hereProduct Choice

Add a note hereRemote-Access VPN

Add a note hereSite-to-Site VPN

Add a note hereCisco VPN 3000 series concentrators

Add a note herePrimary role

Add a note hereSecondary role

Add a note hereCisco VPN-enabled routers

Add a note hereSecondary role

Add a note herePrimary role

Add a note hereCisco PIX 500 series security appliances

Add a note hereEnhances existing Cisco PIX with VPN remote-access solution

Add a note hereSecurity organization owns the VPN solution

Add a note hereCisco ASA 5500 series adaptive security appliances

Add a note hereSupports Cisco VPN 3000 concentrator features and more

Add a note hereSecurity organization owns the VPN solution

Add a note hereCharacteristics of the different platforms include the following:

  • Add a note hereCisco VPN-enabled routers and switches: Cisco VPN security routers and switches represent the best options for customers of all sizes looking to take advantage of their existing network infrastructures to deploy VPNs and security while integrating all services into a single device with the widest selection of WAN and LAN interfaces.

  • Add a note hereCisco VPN 3000 series concentrators: Cisco VPN 3000 series concentrators offer both IPsec and SSL VPN connectivity on a single platform without the expense of individual feature licensing.


    Note

    Add a note hereCisco VPN 3000 series concentrators and the PIX are end-of-sale. For details on the specifics for end-of-sale and end-of-life devices, refer to Cisco.com.

  • Add a note hereCisco ASA 5500 series adaptive security appliances: The Cisco ASA 5500 series adaptive security appliances are all-in-one security appliances that deliver enterprise-class security and IPsec VPNs to small and medium-sized businesses and large enterprise networks in a modular, purpose-built appliance. Cisco ASA 5500 series adaptive security appliances incorporate a wide range of integrated security services, including firewall, IPSs, and VPNs in an easy-to-deploy, high-performance solution, along with built-in hardware VPN acceleration. By integrating VPN and security services, the Cisco ASA 5500 series adaptive security appliances provide secure VPN connectivity and communications. Cisco ASA 5500 series adaptive security appliances are ideal for clients who are looking for the best-of-breed firewall combined with comprehensive VPN support. Cisco PIX 500 series security appliances are also an excellent option for organizations whose security policies recommend separate management of the security infrastructure to set a clear demarcation between security and network operation.

  • Add a note hereCisco PIX 500 series security appliances: Cisco PIX 500 series security appliances provide robust, enterprise-class, integrated network security services, including stateful inspection firewall, deep protocol and application inspection, IPsec VPNs, multivector attack protection, and rich multimedia and voice security.


    Note

    Add a note hereIn most networks, you will find some devices already in place. In this case, it is important to verify whether interoperability between the different devices is possible. In a customer network, there may be a Cisco ASA 5500 series adaptive security appliance at one site and a Cisco router at another. A VPN tunnel can be established between these two devices as long as the software is at a minimum version. This site-to-site VPN interoperability is possible by choosing, at a minimum, the following software versions—Cisco IOS Release 12.2(8)T and Cisco ASA 5500 series adaptive security appliance Version 8.0. Note that the Cisco PIX does not support SSL VPN.

Cisco VPN-Enabled IOS Routers

Add a note hereWith Cisco routers running Cisco IOS Software, organizations can easily deploy and scale site-to-site VPNs of any topology (from hub-and-spoke VPNs to the more complex, fully meshed VPNs). In addition, the Cisco IOS security features combine the VPN feature set with firewall, intrusion prevention, and extensive Cisco IOS capabilities, including quality of service (QoS), multiprotocol, multicast, and advanced routing support.

Add a note hereCisco provides a suite of VPN-optimized routers. Cisco IOS Software for routers combines rich VPN services with industry-leading routing, delivering a comprehensive solution. The Cisco VPN software adds strong security using encryption and authentication. These Cisco VPN-enabled routers provide high performance for site-to-site, intranet, and extranet VPN solutions.

Add a note hereThe Cisco IOS feature sets incorporate many VPN features:

  • Add a note hereVoice and Video Enabled VPN (V3PN): Integrates IP telephony, QoS, and IPsec, providing an end-to-end VPN service that helps ensure the timely delivery of latency-sensitive applications such as voice and video.

  • Add a note hereIPsec stateful failover: Provides fast and scalable network resiliency for VPN sessions between remote and central sites. With both stateless and stateful failover solutions available, options such as dead peer detection (DPD), Hot Standby Router Protocol (HSRP), Reverse Route Injection (RRI), and Stateful Switchover (SSO) help ensure maximum uptime of mission-critical applications.

  • Add a note hereDMVPN: Enables the autoprovisioning of site-to-site IPsec VPNs, combining three Cisco IOS Software features: Next Hop Resolution Protocol (NHRP), multipoint GRE, and IPsec VPN. This combination eases the provisioning challenges for customers and provides secure connectivity between all locations.

  • Add a note hereIPsec and Multiprotocol Label Switching (MPLS) integration: Enables ISPs to map IPsec sessions directly into an MPLS VPN. You can deploy this solution on colocated edge routers that are connected to a Cisco IOS Software MPLS provider edge (PE) network. This approach enables the ISP to securely extend its VPN service beyond the boundaries of the MPLS network by using the public IP infrastructure that securely connects enterprise customer remote offices, telecommuters, and mobile users from anywhere to the corporate network.

  • Add a note hereCisco Easy VPN: Simplifies VPN deployment for remote offices and teleworkers. The Cisco Easy VPN solution centralizes VPN management across all the Cisco VPN devices, thus reducing the management complexity of VPN deployments.

Cisco Adaptive Security Appliances

Add a note hereFor VPN services, Cisco ASA 5500 series adaptive security appliances offer flexible technologies that deliver tailored solutions to suit remote-access and site-to-site connectivity requirements. Cisco ASA 5500 series adaptive security appliances provide easy-to-manage IPsec and SSL VPN-based remote-access and network-aware site-to-site VPN connectivity, enabling businesses to create secure connections across public networks to mobile users, remote sites, and business partners.

Add a note hereThe Cisco ASA 5500 series adaptive security appliances form a high-performance, multifunction security appliance family delivering converged firewall, IPS, network antivirus, and VPN services. As a key component of the Cisco Self-Defending Network, Cisco ASA 5500 series adaptive security appliances provide proactive threat mitigation that stops attacks before they spread through the network, control network activity and application traffic, and deliver flexible VPN connectivity while remaining cost-effective and easy to manage.

Add a note hereCompared to Cisco PIX 500 series security appliances, Cisco ASA 5500 series adaptive security appliances offer additional services, such Cisco SSL VPN, and in some models an expansion slot that can be populated with modules that provide intrusion prevention, or advanced inspection or increased port density. The following are some of the features of Cisco ASA 5500 series adaptive security appliances:

  • Add a note hereFlexible platform: Offers both IPsec and SSL VPN on a single platform, eliminating the need to provide parallel solutions. In addition to VPN services, Cisco ASA 5500 series adaptive security appliances offer application inspection firewall and intrusion prevention services.

  • Add a note hereResilient clustering: Allows remote-access deployments to scale cost-effectively by evenly distributing VPN sessions across all the Cisco ASA 5500 series adaptive security appliances and Cisco VPN 3000 series concentrators without requiring any user intervention.

  • Add a note hereCisco Easy VPN: Delivers uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture. Cisco ASA 5500 series adaptive security appliances dynamically push the latest VPN security policies to remote VPN devices and clients, making sure that those endpoint policies are current before a connection is established.

  • Add a note hereAutomatic Cisco VPN Client updates: Provides VPN client software the capability to automatically update, which enables Cisco VPN Client software operating on remote desktops to be automatically upgraded.

  • Add a note hereCisco SSL VPN: Offers Cisco SSL VPN with clientless and thin-client Cisco SSL VPN capabilities.

  • Add a note hereVPN infrastructure for contemporary applications: Provides a VPN infrastructure capable of converged voice, video, and data across a secure IPsec network by combining robust site-to-site VPN support with rich inspection capabilities, QoS, routing, and stateful failover features, allowing businesses to take advantage of the many benefits that converged networks deliver.

  • Add a note hereIntegrated web-based management: Provides management of the Cisco ASA 5500 series adaptive security appliances using the integrated web-based Cisco Adaptive Security Device Manager (ASDM). Cisco ASDM manages all the security and VPN functions of the appliances.

Add a note hereEach Cisco ASA 5500 series adaptive security appliance supports a different number of VPN peers:

  • Add a note hereCisco ASA 5505: 10 IPsec VPN peers and 25 SSL VPN peers with the Base license. The Cisco ASA 5505 can be upgraded to the Security Plus license, which supports up to 25 concurrent remote-access clients (IPsec), and 25 VPN peers (IPsec or SSL).

  • Add a note hereCisco ASA 5510: 250 IPsec VPN peers and 10 SSL VPN peers. Up to 250 SSL VPN peers by installing an SSL VPN upgrade license.

  • Add a note hereCisco ASA 5520: 750 IPsec VPN peers and 10 SSL VPN peers. Up to 750 SSL VPN peers by installing an SSL VPN upgrade license.

  • Add a note hereCisco ASA 5540: 5000 IPsec VPN peers and 10 SSL VPN peers. Up to 2500 SSL VPN peers with the SSL VPN upgrade license.

  • Add a note hereCisco ASA 5550: 5000 IPsec VPN peers and 10 SSL VPN peers. Up to 5000 SSL VPN peers with the SSL VPN upgrade license.

  • Add a note hereCisco ASA 5580: 10,000 IPsec VPN peers and 10 SSL VPN peers. Up to 10,000 SSL VPN peers with the SSL VPN upgrade license.

VPN Clients

Add a note hereCisco remote-access VPNs are able to use three IPsec clients: the Cisco VPN Software Client, the Cisco VPN 3002 Hardware Client, and the Certicom IPsec client, which is no longer sold but still works.

  • Add a note hereThe Cisco VPN 3002 Hardware Client (legacy equipment): A network appliance that connects small office, home office (SOHO) LANs to the VPN. The device comes in either a single-port or an eight-port switch version. The VPN 3002 Hardware Client replaces traditional Cisco VPN Client applications on individual SOHO computers.

  • Add a note hereThe Cisco VPN Software Client: Software that is loaded on the PC or laptop of an individual. The Cisco VPN Client, shown in Figure 5-5, allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers. The Cisco Easy VPN feature allows the Cisco VPN Client to receive security policies from the central-site VPN device, the Cisco Easy VPN Server, when a VPN tunnel connection is made, minimizing configuration requirements at the remote location.

    Add a note hereImage from book
    Add a note hereFigure 5-5: Cisco VPN Software Client

  • Add a note hereThe Certicom client: A wireless client that is loaded onto wireless personal digital assistants (PDA) running the Palm or Microsoft Windows Mobile operating systems. Certicom wireless client software enables companies to extend critical enterprise applications, such as email and customer relationship management (CRM) tools, to mobile professionals by enabling handheld devices to connect to corporate VPN gateways for secure wireless access.

Add a note hereCisco has recently released a new generation of VPN client: the Cisco AnyConnect VPN Client. The Cisco AnyConnect VPN Client provides remote users with secure VPN connections to the Cisco 5500 Series adaptive security appliance running Cisco ASA Software Version 8.0 and later or Cisco ASDM Version 6.0 and later, using SSL VPN, and therefore it does not connect with a Cisco PIX device or with a Cisco VPN 3000 series concentrator. The Cisco AnyConnect VPN Client supports Windows Vista, Windows XP, Windows 2000, Mac OS X (Version 10.4 or later) on either Intel or PowerPC, and Red Hat Linux (Version 9 or later).

Cisco Hardware-Based Encryption

Add a note hereTo enhance the performance and offload the encryption task to specialized hardware, the Cisco VPN family of devices offers the following hardware acceleration modules:

  • Add a note hereAIM: A broad range of Cisco routers can be equipped with AIM. The AIM modules are installed inside the router chassis and offload encryption tasks from the router CPU.

  • Add a note hereCisco IPsec VPN Shared Port Adapter (Cisco IPsec VPN SPA): The Cisco IPsec VPN SPA, shown in Figure 5-6, delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 series switches and Cisco 7600 series routers. Using the Cisco 7600 series/Catalyst 6500 Series Services SPA Carrier-400, each slot of the Cisco Catalyst 6500 series switch or Cisco 7600 series router can support up to two Cisco IPsec VPN SPAs.

    Add a note hereImage from book
    Add a note hereFigure 5-6: Cisco IPsec VPN SPA

  • Add a note hereEnhanced Scalable Encryption Processing (SEP-E): You can upgrade Cisco VPN 3000 series concentrators with SEP-E modules. The modules perform hardware encryption of Data Encryption Standard (DES) 0, Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) traffic.

  • Add a note hereCisco PIX VPN Accelerator Card+ (VAC+): The PIX Firewall VAC+ delivers hardware acceleration up to 425 Mb/s of DES, 3DES, or AES IPsec encryption throughput.




0 comments

Post a Comment