Cisco Secure VPN Exam Certification Guide - Cisco press
Exam Topics Discussed in This Chapter
This chapter covers the following topics, which you need to master in your pursuit of certification as a Cisco Certified Security Professional:
5 Overview of the Cisco VPN 3000 Concentrator Series
6 Cisco VPN 3000 Concentrator Series models
7 Benefits and features of the Cisco VPN 3000 Concentrator Series
8 Cisco VPN 3000 Concentrator Series Client support
Chapter 3
Cisco VPN 3000 Concentrator Series Hardware Overview
Ever striving to meet the needs of its customers, Cisco has put together a complete lineup of VPN products. As you learned in Chapter 2, “Overview of VPN and IPSec Technologies,” the Cisco IOS Software feature set used on Cisco routers offers robust IP Security (IPSec) capability for site-to-site VPN requirements. The Cisco Secure PIX Firewall also provides VPN capability, moving the CPU-intensive encryption operations away from the busy border routers.
With the introduction of the Cisco VPN 3000 Concentrator Series, Cisco has implemented solutions that are built for the unique purpose of remote access VPNs. These versatile, reliable systems are designed to only process VPNs, and to process them quickly and efficiently.
Five models are available in the Cisco VPN 3000 Concentrator line: 3005, 3015, 3030, 3060, and 3080. The 3005 is a fixed configuration, while the others share the same chassis and are configurable, providing an unrestricted upgrade path from the 3015 model all the way to the 3080 model. These configurable models also allow for the use of multiple Scalable Encryption Processor (SEP) modules that offload processor-intensive encryption activities from the central processor of the concentrator.
This chapter presents the products in this concentrator series and analyzes their benefits and features. Additionally, the chapter introduces the clients that support these products.
How to Best Use This Chapter
By taking the following steps, you can make better use of your time:
• Keep your notes and answers for all your work with this book in one place for easy reference.
• Take the “Do I Know This Already?” quiz, and write down your answers. Studies show retention is significantly increased through writing facts and concepts down, even if you never look at the information again.
• Use Figure 3-1 to guide you to the next step.
Figure 3-1 How to Use This Chapter
[Flowchart; box labels: Take “Do I Know This Already?” Quiz; Score? (Low, Medium, High); Read Foundation Topics; Review Chapter Using Charts and Tables; Want More Review? (Yes, No); Review Foundation Summary; Perform End-of-Chapter Q&A and Scenarios; Go To Next Chapter]
“Do I Know This Already?” Quiz
The purpose of the “Do I Know This Already?” quiz is to help you decide what parts of the chapter to use. If you already intend to read the entire chapter, you do not need to answer these questions now.
This 18-question quiz helps you determine how to spend your limited study time. The quiz is sectioned into three smaller “quizlets,” which correspond to the three major topic headings in the chapter. Figure 3-1 outlines suggestions on how to spend your time in this chapter based on your quiz score. Use Table 3-1 to record your scores.
Table 3-1 Score Sheet for Quiz and Quizlets

| Quizlet Number | Foundation Topics Section Covering These Questions | Questions | Score |
|---|---|---|---|
| 1 | Overview of the Cisco VPN 3000 Concentrator Series; Cisco VPN 3000 Concentrator Series models | 1–6 | |
| 2 | Benefits and features of the Cisco VPN 3000 Concentrator Series | 7–12 | |
| 3 | Cisco VPN 3000 Concentrator Series Client support | 13–18 | |
| All questions | | 1–18 | |

1. What models are available in the Cisco VPN 3000 Concentrator Series?
2. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3015 Concentrator?
3. What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3080 Concentrator?
4. On a Cisco VPN 3005 Concentrator, what does a blinking green system LED indicate?
5. What is the maximum encryption throughput rate for the VPN 3000 series?
6. What tunneling protocols do Cisco VPN 3000 Concentrators support?
7. How do VPN concentrators reduce communications expenses?
8. What other authentication capability exists if standard authentication servers are not available?
9. What routing protocols do the Cisco VPN 3000 Concentrators support?
10. What protocol permits multichassis redundancy and failover?
11. List some of the methods that can be used to interface with the embedded Cisco VPN Manager software on VPN concentrators?
12. What four options are available under the Configuration menu of the VPN Manager?
13. What mechanism is used by Cisco VPN Clients to monitor firewall activity between the client and the concentrator?
14. What optional feature on the Cisco VPN 3002 Hardware Client allows you to connect Ethernet devices to the client?
15. During large-scale implementations, how can VPN 3000 Concentrators be configured to simplify client configuration?
16. Which of Cisco’s client offerings has no limitations with regard to the types of client operating systems it can support?
17. What two operating modes can a Cisco VPN 3002 Hardware Client be configured to support?
18. What operating systems does the Cisco VPN Client support?
The answers to this quiz are listed in Appendix A, “Answers to the “Do I Know This Already?” Quizzes and Q&A Sections.” The suggestions for your next steps, based on quiz results, are as follows:
• 10 or less overall score—You should read the entire chapter, including the “Foundation Topics” and “Foundation Summary” sections, as well as the “Q&A” section.
• 11 to 14 overall score—Read the “Foundation Summary” section and the “Q&A” section. If you are having difficulty with a particular subject area, read the appropriate section in the “Foundation Topics” section.
• 15 or more overall score—If you feel you need more review on these topics, go to the “Foundation Summary” section, then the “Q&A” section. Otherwise, skip this chapter and go to the next chapter.
Foundation Topics
In January 2000, Cisco purchased Altiga Networks of Franklin, Massachusetts. With that purchase, Cisco acquired Altiga’s nifty line of VPN concentrators, client software, and web-based management software. These products became the Cisco VPN 3000 Series Concentrators and supporting software. Since that time, Cisco has enhanced the product line by adding a top-end concentrator and a hardware client, and has made improvements to the software client. This chapter explores the advantages, features, and specifications of the Cisco VPN 3000 Concentrator Series.
Major Advantages of Cisco VPN 3000 Series Concentrators
5 Overview of the Cisco VPN 3000 Concentrator Series
7 Benefits and features of the Cisco VPN 3000 Concentrator Series
The Cisco VPN 3000 Series Concentrators are extremely versatile, delivering high performance, security, and fault tolerance. The centralized management tool is standards-based and enables real-time statistics gathering and reporting. These devices allow corporations to reduce communications expenses by permitting clients to connect to corporate assets through local ISP connections to the Internet rather than through long-distance or 800 number connections to access servers. VPNs provide the productivity-enhancing ability to access corporate network assets while reducing expenses.
Dial-up connections using modems are prevalent throughout many corporate communities, especially on laptop systems. For some types of users, however, broadband VPN services provide speed and always-on connectivity that permit corporations to extend their office LANs into small office/home office (SOHO) environments. The popularity of cable modems and DSL modems has made broadband services commonplace for the home office user. Connecting these high-speed networks to the corporate network via IPSec tunnels gives SOHO users secure, full access to network assets at speeds up to 25 times faster than 56-kbps modems. Figure 3-2 shows typical modem and broadband connectivity to a VPN concentrator.
Figure 3-2 Remote Access Types
[Network diagram; labels: Laptop (Low-Speed Remote User, VPN Access Via Modem); Desktop (High-Speed Remote User, VPN Access Via Broadband); Cable Modem / DSL; Internet; VPN Concentrator; Corporate Network; Private Enterprise Network]
Not shown in Figure 3-2, wireless VPN clients provide an additional layer of encryption security to wireless communications. IPSec encryption end-to-end between client and concentrator can be combined with the encryption provided by the wireless Wired Equivalent Privacy (WEP) standard to enable a high level of security for wireless communications. IPSec with 3DES encryption for wireless communications is one of the recommendations of Cisco’s SAFE security guidelines.
NOTE: SAFE is the Cisco secure blueprint for enterprise networks that provides information to interested parties on the best practices to use for designing and implementing secure networks.
The Cisco VPN 3000 Series Concentrators are versatile, full-featured systems. Some of the characteristics that make them so popular are as follows:
• Ease with which you can deploy them
• Performance and scalability
• Security
• Fault tolerance
• Management interface
• Ease with which you can upgrade them
The following sections cover these areas in more detail.
Ease of Deployment and Use
The Cisco VPN 3000 Series Concentrators were designed to be inserted into the current network without forcing infrastructure changes. These concentrators work with existing Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), NT Domain, or Security Dynamics servers. This capability presents the same authentication interface to the users as they attempt to connect to the network. When these authentication servers are not available, the VPN concentrators have the ability to authenticate users from an internal database.
One of the interesting capabilities of the Cisco VPN 3000 Concentrator is its flexibility in placement. These systems can be installed in front of, behind, or in parallel with a firewall. The Cisco VPN Concentrator has firewall features that make it possible to customize the access permitted to individual connections coming through the concentrator. To avoid static route configurations on neighboring devices when inserting these concentrators into routed networks, the Cisco VPN 3000 Series Concentrators are routers, supporting RIP versions 1 and 2 and OSPF.
The VPN concentrators are equipped with numerous LED indicator lights that make it easy to verify system status. These indicators can even be “viewed” remotely through the web-based VPN 3000 Concentrator Series Manager software so that you can perform a quick system health check from your desk.
The Cisco VPN 3000 Series Concentrators are standards-based systems that can easily mesh with existing tunneling protocols such as Point-to-Point Tunneling Protocol (PPTP) in the Microsoft environment, or IPSec when more security is desired. The Cisco VPN concentrators can push the client policies to the user when they first connect through the concentrator. The Cisco VPN Client is shipped with the VPN concentrators and includes an unlimited distribution license, which means you do not have to worry about whether you have enough client licenses.
Performance and Scalability
The 3DES-encrypted throughput on the Cisco VPN Concentrators is rated at up to 100 Mbps without performance degradation. This is accomplished by using Scalable Encryption Processors (SEPs) on the modular devices. These SEPs are powered by programmable digital signal processors (DSPs) in the encryption engine. Each SEP provides 25 Mbps of 3DES encryption, making the VPN concentrators scalable.
The software-based DSPs give Cisco the ability to respond to changing standards without the need for customers to replace cards or chipsets in the VPN devices. DSPs also enable Cisco developers to tune the software to maximize performance for various applications. For the Cisco VPN 3000 Series Concentrators, that means maximizing the remote access performance characteristics. Hardware-assisted encryption makes these VPN concentrators extremely fast in comparison to software-based encryption devices.