The following sections look at the specific solutions that Cisco offers for VPN connectivity. Specifically, they examine the Cisco IOS routers, PIX firewall, VPN 3000 Concentrators, and the Cisco 3002 hardware and software clients, and consider their functionality in the previously described VPN network types. Also, it is imperative to determine which products should be implemented in small office/home office (SOHO) environments, a remote office/branch office (ROBO) workplace, or enterprise central sites/service providers.

Cisco VPN-Enabled IOS Routers

Cisco offers several different models for VPN connectivity employing Cisco IOS routers, starting from the 800 series SOHO routers all the way up to the 7200 enterprise router. In addition, Cisco offers hardware encryption modules and cards to offload the processing and memory responsibilities for encrypting and decrypting traffic that traverses the VPN tunnel. The VPN routers can terminate several remote access tunnels; however, the Cisco IOS VPN routers are predominantly used for intranet and extranet site-to-site connections. Table 2.1 lists the available Cisco models, along with their features and throughput.
Cisco PIX Firewall Series

When the security administration in the organization controls the VPN deployment, the Cisco PIX firewall might be the solution of choice for any intranet or extranet site-to-site needs. Similar to the Cisco IOS routers, the PIX firewall models can be upgraded with a VPN accelerator card. Table 2.2 lists the various PIX models and their respective features.
Cisco VPN 3000 Concentrator Series

The VPN 3000 Concentrator provides a robust solution for terminating remote-access tunnels. Also capable of creating LAN-to-LAN connections to other concentrators or IPSec gateways, the VPN 3000 is a highly versatile device capable of handling up to 10,000 simultaneous sessions.
Many of the 3000 series also support field-swappable hardware encryption modules called scalable encryption processors (SEPs). These SEP modules contain programmable digital signal processing (DSP), which can be updated for future enhancements. Although they are discussed in greater detail later, Table 2.3 familiarizes you with the Cisco VPN 3000 Concentrators and their capabilities.
Cisco VPN Software Client

Bundled with the 3000 Concentrator, the Cisco VPN 3000 Software Client (often referred to as the Unity Client) enables end stations with dissimilar operating systems to establish a secure VPN tunnel to the central site's concentrator. The Unity Client is discussed in greater detail in Chapter 10.

Cisco VPN 3002 Hardware Client

When faced with a SOHO with a multitude of clients requiring encrypted tunnels back to the main office, it is superfluous to install the VPN software client on each system in the office. Assuming you do not already own a VPN gateway router or similar VPN-capable device, you can implement the Cisco 3002 Hardware Client to act as a client and encrypt traffic on behalf of the end stations. The Cisco VPN 3002 is available in a single Ethernet LAN model or as the 3002-8E model, which has an embedded 8-port switch for LAN connectivity.

Certicom IPSec Client

The Certicom movian Client is a wireless client for devices such as PDAs and other handheld mobile devices. These clients use elliptic curve cryptography (discussed later), which is faster and less processor-intensive on these small-processor devices.