Cisco Secure VPN Exam Certification Guide (Cisco Press)

108 Chapter 3: Cisco VPN 3000 Concentrator Series Hardware Overview

Cisco Secure VPN Client Features

8 Cisco VPN 3000 Concentrator Series Client support

Cisco now offers two types of clients that can be used to negotiate and maintain IPSec VPN tunnels with Cisco VPN 3000 Series Concentrators, as well as equipment from other hardware vendors that support the full standards-based implementation of IPSec. The Cisco VPN Client is shipped with every VPN concentrator that Cisco sells. The Cisco VPN Client is supplied at no extra charge, is licensed for an unlimited number of installations, and can be used on most popular operating systems.

A new entry into the field, the Cisco VPN 3002 Hardware Client has no limitations as far as the operating systems it can support. As long as the attaching client can support TCP/IP, the VPN 3002 Hardware Client can provide secure IPSec communications. The next sections provide a brief overview of the VPN 3002 Hardware Client and the Cisco VPN Client. More information on the VPN Client is given in Chapter 4, “Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys,” and Chapter 6, “Configuring the Cisco VPN Client Firewall Feature.” The VPN 3002 Hardware Client is discussed in Chapter 8, “Configuring Cisco 3002 Hardware Client for Remote Access,” and Chapter 9, “Configuring Scalability Features of the Cisco VPN 3002 Hardware Client.”

This section covers the following topics:

Cisco VPN 3002 Hardware Client

Cisco VPN Client

Cisco VPN 3002 Hardware Client

The Cisco VPN 3002 Hardware Client was designed for remote office environments that normally have little direct IT support. These facilities need an easy-to-install, scalable, reliable, stable platform that can support any attached TCP/IP device, regardless of the operating system. The VPN 3002 is just such a device. Figure 3-18 shows the Cisco VPN 3002 Hardware Client equipped with the optional 8-port Ethernet switch.


Figure 3-18 Cisco VPN 3002 Hardware Client

The Cisco VPN 3002 Hardware Client is a full-featured VPN client. It supports IPSec and other VPN protocols. With IPSec, it supports both DES and 3DES encryption, providing either 56-bit or 168-bit encryption. The client can be configured in either a client mode or a network mode. The VPN 3002 uses Easy VPN, and its push-policy model enables it to scale to large numbers of deployed units. The optional 8-port 10/100BaseTX switch allows immediate connection of local network devices.

Cisco VPN Client

The client that is included with every VPN concentrator, the Cisco VPN Client, is easy to deploy and operate. The client can connect with any Easy VPN server and can be preconfigured to simplify mass deployments, requiring little user intervention. For these deployments, the VPN access policies and configurations are pulled from the central gateway and pushed to the client upon initial connection. This highly scalable client supports the full range of Microsoft Windows operating systems, including Windows 95, 98, Me, NT 4.0, 2000, and XP. The Cisco VPN Client also supports Linux (Intel), Solaris (UltraSparc-32bit), and Mac OS X 10.1. Figure 3-19 shows the initial screen of the Windows version of the Cisco VPN Client.

The VPN client is easy to deploy throughout a large corporation. The client installation is customizable: the configuration can be preset and the installation automated. In addition, installation from CD-ROM can be started automatically with the autorun feature, so the install requires no intervention from the user. Whenever possible, remote users should connect to the VPN concentrator with the Cisco VPN Client, because it provides the strongest available security mechanism: IPSec with 3DES encryption.


Figure 3-19 Cisco VPN Client

Other Client Software

Non-Cisco client software can also be used to establish a VPN connection to the Cisco VPN 3000 Concentrator. Microsoft provides a client, the Microsoft L2TP/IPSec client, that can connect to the concentrator; however, it limits the connection to L2TP over IPSec. Microsoft clients can also connect to the concentrator using Point-to-Point Tunneling Protocol (PPTP).


Foundation Summary

The Foundation Summary is a collection of tables and figures that provides a convenient review of many key concepts in this chapter. For those of you who are already comfortable with the topics in this chapter, this summary can help you recall a few details. For those of you who just read this chapter, this review should help solidify some key facts. For anyone doing his or her final preparation before the exam, these tables and figures are a convenient way to review the material the day before the exam.

Table of Cisco VPN 3000 Concentrators

The features of the Cisco VPN 3000 Concentrators are shown in Table 3-11.

Table 3-11 Cisco VPN 3000 Series Concentrators

Feature                   | Cisco 3005       | Cisco 3015       | Cisco 3030       | Cisco 3060       | Cisco 3080
--------------------------|------------------|------------------|------------------|------------------|-----------------
Typical application       | Small to medium  | Small to medium  | Medium to large  | Large            | Large
Simultaneous users        | 100              | 100              | 1500             | 5000             | 10,000
Encryption throughput     | 4 Mbps           | 4 Mbps           | 50 Mbps          | 100 Mbps         | 100 Mbps
Encryption method         | Software         | Software         | Hardware         | Hardware         | Hardware
Encryption (SEP) module   | 0                | 0                | 1                | 2                | 4
Redundant SEP             | N/A              | N/A              | Option           | Option           | Yes
Available expansion slots | 0                | 4                | 3                | 2                | N/A
Upgrade capability        | No               | Yes              | Yes              | N/A              | N/A
System memory             | 32 MB (fixed)    | 128 MB           | 128 MB           | 256 MB           | 256 MB
Hardware                  | 1U, fixed        | 2U, scalable     | 2U, scalable     | 2U, scalable     | 2U
Power supply              | Single           | Single or dual   | Single or dual   | Single or dual   | Dual
Client license            | Unlimited        | Unlimited        | Unlimited        | Unlimited        | Unlimited
Processor                 | Motorola PowerPC | Motorola PowerPC | Motorola PowerPC | Motorola PowerPC | Motorola PowerPC
Console port              | Async DB9        | Async DB9        | Async DB9        | Async DB9        | Async DB9
Flash                     | 32 MB SRAM       | Redundant        | Redundant        | Redundant        | Redundant
Memory                    | Fixed            | Variable         | Variable         | Variable         | Variable


Table of Cisco VPN 3000 Concentrator Capabilities

Table 3-12 shows the various protocols that are supported by the Cisco VPN 3000 Series Concentrators.

Table 3-12 Cisco VPN 3000 Concentrator Series Capabilities

Compatibility

  Client Software Compatibility
    - Cisco VPN Client (IPSec) for Windows 95, 98, Me, NT 4.0, 2000, and XP, including centralized split-tunneling control and data compression.
    - Cisco VPN 3002 Hardware Client.
    - Microsoft PPTP/MPPE/MPPC.
    - Microsoft L2TP/IPsec for Windows 2000.
    - MovianVPN (Certicom) Handheld VPN Client with ECC.

  Tunneling Protocols
    - IPSec, PPTP, L2TP, L2TP/IPsec, NAT Transparent IPSec.

  Encryption/Authentication
    - IPSec Encapsulating Security Payload (ESP) using DES/3DES (56/168-bit) with MD5 or SHA; MPPE using 40/128-bit RC4.

  Key Management
    - Internet Key Exchange (IKE).
    - Perfect Forward Secrecy (PFS).

  Routing Protocols
    - RIP, RIP2, OSPF, Static, automatic endpoint discovery, Network Address Translation (NAT), classless interdomain routing (CIDR).

  Third-Party Compatibility
    - Certicom, iPass Ready, Funk Steel Belted RADIUS certified, NTS TunnelBuilder VPN Client (Mac and Windows), Microsoft Internet Explorer, Netscape Communicator, Entrust, GTE Cybertrust, Baltimore, RSA Keon, VeriSign.

  High Availability
    - VRRP protocol for multichassis redundancy and failover.
    - Destination pooling for client-based failover and connection reestablishment.
    - Redundant SEP modules (optional), power supplies, and fans (3015–3060).
    - Redundant SEP modules, power supplies, and fans (3080).

Management

  Configuration
    - Embedded management interface is accessible via console port, Telnet, SSH, and Secure HTTP.
    - Administrator access is configurable for five levels of authorization. Authentication can be performed externally via TACACS+.
    - Role-based management policy separates functions for service provider and end-user management.

  Monitoring
    - Event logging and notification via e-mail (SMTP).
    - Automatic FTP backup of event logs.
    - SNMP MIB-II support.
    - Configurable SNMP traps.
    - Syslog output.
    - System status.
    - Session data.
    - General statistics.

Security

  Authentication and Accounting Servers
    - Support for redundant external authentication servers: RADIUS; Microsoft NT Domain authentication; RSA Security Dynamics (SecurID Ready).
    - Internal Authentication server for up to 100 users.
    - TACACS+ Administrative user authentication.
    - X.509v3 Digital Certificates.
    - RADIUS accounting.

  Internet-Based Packet Filtering
    - Source and destination IP address.
    - Port and protocol type.
    - Fragment protection.
    - FTP session filtering.

  Policy Management
    - By individual user or group: filter profiles; idle and maximum session timeouts; time and day access control; tunneling protocol and security authorization profiles; IP pool; authentication servers.


Chapter Glossary

The following terms were introduced in this chapter or have special significance to the topics within this chapter:

Are You There (AYT) A process where the VPN Client enforces firewall policy defined on the local firewall by monitoring that firewall to make sure it is running. The client sends periodic “Are you there?” messages to the firewall. If no response is received, the VPN Client terminates the connection to the VPN concentrator.

classless interdomain routing (CIDR) Technique supported by BGP4 and based on route aggregation. CIDR allows routers to group routes together to reduce the quantity of routing information carried by the core routers. With CIDR, several IP networks appear to networks outside the group as a single, larger entity. With CIDR, IP addresses and their subnet masks are written as four octets, separated by periods, followed by a forward slash and a two-digit number that represents the subnet mask.

demilitarized zone (DMZ) Network that is isolated from a corporation’s production environment. The DMZ is often used as a location for public-access servers, where the effects of successful intrusion attempts can be minimized and controlled.

digital signal processor (DSP) Segments the voice signal into frames and stores them in voice packets.

Elliptic Curve Cryptosystem (ECC) A public-key cryptosystem for mobile/wireless environments. ECC uses smaller key sizes to provide security equivalent to cryptosystems like RSA, resulting in faster computations, lower power consumption, and reduced memory and bandwidth use. ECC is particularly well suited for mobile devices that have limited CPU and memory capabilities.

Internet Engineering Task Force (IETF) Task force consisting of over 80 working groups responsible for developing Internet standards. The IETF operates under the auspices of the ISOC.

Layer 2 Forwarding Protocol (L2FP) Protocol that supports the creation of secure virtual private dial-up networks over the Internet.

Layer 2 Tunneling Protocol (L2TP) An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based on the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN.

Microsoft Point-to-Point Compression (MPPC) A compression protocol used to compress Point-to-Point Protocol (PPP) packets between Cisco and Microsoft client devices. This protocol optimizes bandwidth usage to support multiple simultaneous connections.


Microsoft Point-to-Point Encryption (MPPE) An encryption technology that was developed to encrypt point-to-point links over dial-up lines or VPN tunnels. MPPE works as a subfeature of MPPC.

Network Address Translation (NAT) Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. Also known as Network Address Translator.

Open Shortest Path First (OSPF) Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing. OSPF was derived from an early version of the Intermediate System–to–Intermediate System (IS-IS) Protocol.

Perfect Forward Secrecy (PFS) Cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.
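As an added illustration of the PFS property (this example is not from the book): a Python simulation of an IKE-style rekey chain with and without PFS, using a constructed toy Diffie-Hellman group and HMAC-SHA256 in place of IKE's PRF, showing that a leaked session key lets an attacker reproduce the next key only when PFS is off.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group, for illustration only. It is NOT one of the
# real IKE MODP groups and gives no real security; only the PFS logic matters here.
P = (1 << 127) - 1   # 2^127 - 1, a Mersenne prime
G = 5

def kdf(secret: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 key derivation, standing in for IKE's PRF."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def dh_shared_secret() -> bytes:
    """One ephemeral DH exchange between the two peers. The private exponents
    a and b live only inside this call, so nothing stored later can recover them."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    shared = pow(pub_b, a, P)
    assert shared == pow(pub_a, b, P)     # both peers agree on the same value
    return shared.to_bytes(16, "big")

def rekey_chain(initial_key: bytes, rounds: int, pfs: bool) -> list:
    """Session keys produced by `rounds` rekeys, with or without PFS."""
    keys = [initial_key]
    for n in range(1, rounds + 1):
        label = b"rekey-%d" % n
        if pfs:
            # PFS: every rekey runs a fresh DH, so the new key depends on a secret
            # that the previous key cannot reveal.
            keys.append(kdf(dh_shared_secret() + keys[-1], label))
        else:
            # No PFS: the new key is a function of the previous key alone.
            keys.append(kdf(keys[-1], label))
    return keys

def compromised_key_reveals_next(keys: list, index: int) -> bool:
    """Attacker model: keys[index] has leaked, and the attacker replays the
    non-PFS derivation to guess keys[index + 1]."""
    guess = kdf(keys[index], b"rekey-%d" % (index + 1))
    return guess == keys[index + 1]

if __name__ == "__main__":
    start = b"\x01" * 32            # constructed initial session key
    print("no PFS, next key derivable:",
          compromised_key_reveals_next(rekey_chain(start, 3, False), 1))
    print("PFS,    next key derivable:",
          compromised_key_reveals_next(rekey_chain(start, 3, True), 1))
```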

Point-to-Point Tunneling Protocol (PPTP) A protocol that enables secure data transfer between remote clients and enterprise servers by creating on-demand, multiprotocol VPNs across TCP/IP-based public data networks, such as the Internet.

Remote Authentication Dial-In User Service (RADIUS) A standards-based protocol for authentication, authorization, and accounting (AAA).

Reverse Route Injection (RRI) Used to populate the routing table of an internal router running OSPF or RIP for remote VPN clients or LAN-to-LAN sessions.

Scalable Encryption Processing (SEP) VPN concentrator modules that perform hardware-based cryptographic functions, including random number generation, hash transforms (MD5 and SHA-1) for authentication, and encryption and decryption (DES and Triple-DES).

Secure Shell (SSH) Sometimes called Secure Socket Shell, a UNIX-based command interface and protocol for gaining access to a remote computer securely.

Secure Sockets Layer (SSL) Encryption technology for the web used to provide secure transactions, such as the transmission of credit card numbers for e-commerce.

Terminal Access Controller Access Control System Plus (TACACS+) A Cisco proprietary protocol for authentication, authorization, and accounting (AAA).

Virtual Router Redundancy Protocol (VRRP) In installations of two or more VPN concentrators in a parallel, redundant configuration, VRRP provides automatic switchover to a backup system in case the primary system is out of service, thus ensuring user access to the VPN.

Wired Equivalent Privacy (WEP) An encryption protocol used on data signals transmitted between wireless LAN (WLAN) devices.


Q&A

As mentioned in Chapter 1, these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam; however, the questions are designed to make sure you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, your understanding and recall of the subject are challenged. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and guess!

The answers to this quiz are listed in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

1. How do VPN concentrators reduce communications expenses?

2. What are two of the standard authentication servers that Cisco VPN 3000 Concentrators can use for authentication?

3. What other authentication capability exists if standard authentication servers are not available?

4. With respect to firewalls, where can you install Cisco VPN 3000 Concentrators?


5. What routing protocols do the Cisco VPN 3000 Concentrators support?

6. During large-scale implementations, how can Cisco VPN 3000 Concentrators be configured to simplify client configuration?

7. What is the maximum encryption throughput rate for the VPN 3000 Concentrator Series?

8. What hardware device is required to achieve maximum encryption throughput on the Cisco VPN 3000 Concentrators?

9. What element on SEPs permits them to be so fast and flexible?

10. Why are Cisco VPN Concentrators so good at supporting VPN communications?

11. What tunneling protocols do Cisco VPN 3000 Concentrators support?