How This Book Is Organized


The book takes a layered approach, starting with a basic explanation of the motivation behind IPsec's development and the types of organizations that rely on IPsec to secure data transmissions. It then outlines the IPsec and Internet Security Association and Key Management Protocol (ISAKMP) fundamentals that were developed to meet that demand for secure data transmission. From there the book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics, including high availability (HA) solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples reinforce the fundamentals expressed in the text and help the reader translate the IPsec concepts explained into practical, working deployment scenarios. Case studies are incorporated throughout the text to map the topics and concepts discussed to real-world solutions.

Chapters 1 through 4 make up Part I of this book, covering the most basic concepts required to develop an understanding of IPsec VPNs. The content of Part I aims to help the reader achieve the following objectives:

  • Understand the background of IPsec VPN development

  • Differentiate IPsec and SSL VPNs from other VPN technologies

  • Understand the underlying cryptographic technologies that compose an IPsec VPN

  • Understand basic IPsec VPN configuration techniques

  • Understand common issues that can affect all IPsec designs

After you are familiar with the content of Part I, you should have the working knowledge of IPsec VPNs needed to take on the IPsec VPN high availability design concepts presented in Part II. The chapters in Part I include:

  • Chapter 1, "Introduction to VPN Technologies" This chapter includes an introduction to various VPN technologies, discusses how VPNs are utilized in today's networks, and identifies the drivers for business migration to VPN technologies. The discussion in this chapter provides the reader with a high-level overview of VPN, particularly with a comparison between Multiprotocol Label Switching (MPLS), Virtual Private Dialup Network (VPDN), Secure Sockets Layer (SSL), and IPsec VPNs. After a brief comparison of the VPN technologies, the focus turns to the business drivers for VPN, which include both economics and security.

  • Chapter 2, "IPsec Fundamentals" This chapter focuses on the underlying components and mechanics of IPsec, including cryptographic components, Internet Key Exchange (IKE), and IPsec. This chapter includes basic configuration examples (not step-by-step) to demonstrate the concepts.

  • Chapter 3, "Basic IPsec VPN Topologies and Configurations" This chapter demonstrates how to build basic VPN topologies using the knowledge gained in the previous chapters. Three basic topologies are discussed: hub-and-spoke without generic routing encapsulation (GRE), hub-and-spoke VPN with GRE, and remote-access VPN.

  • Chapter 4, "Common IPsec VPN Issues" IPsec deployments involve a number of potential pitfalls if they are not properly addressed. Chapter 4 discusses the common IPsec VPN issues that a network engineer should take into consideration during the design and deployment process, along with common troubleshooting techniques for diagnosing these problems should they occur in your network. Design solutions to the common VPN issues presented in this chapter are provided, together with the appropriate design verification techniques.

Part II consists of Chapters 5 through 10. The topics discussed here build on the introductory concepts from Part I, extending them to encompass a common architectural goal: high availability. Additional architectural variations are presented to give a comprehensive view of the design options available. The chapters in Part II include:

  • Chapter 5, "Designing for High Availability" This chapter discusses the basic principles of an HA VPN design. Based on these principles, subsequent chapters develop solutions for local and geographical HA and discuss issues and options for achieving HA in multi-vendor VPN environments.

  • Chapter 6, "Solutions for Local Site-to-Site High Availability" This chapter uses concepts previously described to develop solutions for local HA, including the use of a highly available interface for IPsec tunnel termination, stateless tunnel-termination HA, and stateful tunnel-termination HA.

  • Chapter 7, "Solutions for Geographic Site-to-Site High Availability" This chapter uses concepts previously described to develop solutions for geographic HA. It discusses reverse route injection (RRI), IPsec with GRE tunnels, and Dynamic Multipoint VPN (DMVPN).

  • Chapter 8, "Handling Vendor Interoperability with High Availability" Unfortunately, current IPsec standards do not address HA, which leads to interoperability issues among vendors. This chapter discusses the common issues and details the options that exist for handling these scenarios.

  • Chapter 9, "Solutions for Remote Access VPN High Availability" This chapter applies the HA concepts from Chapters 6 and 7 to remote-access VPN (RAVPN) deployments. Additionally, it covers other HA tools commonly found in RAVPNs, including VPN concentrator clustering with the Virtual Cluster Agent (VCA) protocol and DNS-based load balancing.

  • Chapter 10, "Further Architectural Options for IPsec" This chapter discusses other architectural variations in designing VPN solutions. It describes each option with usage considerations and finishes with case studies of each.

IPsec VPN design concepts range from fundamental cryptographic operations to dynamic spoke-to-spoke peering and VPN routing and forwarding (VRF)-aware IPsec VPNs in MPLS networks. Although the scope of this book is firmly centered on the fundamental concepts of IPsec VPN design, the chapters in Part III provide design guidance on two advanced IPsec topics that are commonly deployed in today's enterprise-class IP networks:

  • Chapter 11, "Public Key Infrastructure and IPsec VPNs" This chapter discusses the use of public key infrastructure (PKI) to authenticate IPsec peers with Rivest, Shamir, and Adleman (RSA) signatures. This method uses a certificate authority (CA) as a trusted third party to secure and scale IKE authentication: each peer needs only the CA's certificate to validate any other peer's identity, rather than a pre-shared key provisioned for every peer pair. As organizations become more PKI-aware, this will become the de facto authentication mechanism.

  • Chapter 12, "Solutions for Handling Dynamically Addressed Peers" Dynamic peers allow network administrators to maintain network connectivity when the addresses of remote peers are either not known in advance or change over time. Dynamic peers also require less administrative effort than static peers. This chapter addresses the IPsec dynamic peering options, some of which are less commonly used and others that are widely deployed in various architectures.




IPsec Virtual Private Network Fundamentals
ISBN: 1587052075