Cisco 3000 series concentrators support features that provide high performance, scalability, enhanced security, high availability, and many other benefits. Here's a brief list of features:
- High performance is provided by SEP modules for hardware-based encryption.
- Scalability is provided by the Cisco Virtual Cluster Agent (VCA) load balancing technology and a modular design with four SEP slots.
- Enhanced security is provided by internal and external (AAA RADIUS, Microsoft's NT Domain and Active Directory, and RSA's SDI) user authentication, firewall policies, user and group management features, and detailed logging.
- High availability is provided by redundant SEPs, redundant chassis failover with VCA or VRRP, and SNMP management and monitoring.
- VPN implementations include WebVPN, IPsec, PPTP, L2TP, L2TP over IPsec, and these features: NAT-T, IPsec over UDP, and IPsec over TCP.
- VPN remote access policy features include (by group or user) filtering, idle and maximum session timeouts, time of day access control, authorization profiles, firewall policies, split tunneling, client and network extension modes, addressing pools, and different authentication methods per group.
- VPN technologies supported include ESP; GRE (for PPTP only); DES, 3DES, and AES; MD5 and SHA-1; MPPE with 40- or 128-bit RC4; ISAKMP and IKE; DH groups 1, 2, 5, and 7; SCEP; and X.509 digital certificates.
- Routing protocols supported include RIP v1 and v2, OSPF, RRI, static routing, and network auto discovery (NAD).
- The concentrators are compatible with the following remote access clients: WebVPN via a web browser or the Cisco SSL VPN Client; Cisco VPN Client for IPsec on Windows 98, ME, NT 4.0, 2000, XP, Linux for Intel, Solaris for UltraSparc, and MAC OS X 10.x; Microsoft's PPTP/MPPE/MPPC client with MS-CHAP or EAP; Microsoft's L2TP over IPsec for Windows 98, ME, NT 4.0, 2000, and XP.
- Management features include access via the console port, Telnet, SSHv1, HTTP, and HTTPS; authentication, authorization, and accounting of administrators through AAA TACACS+; access control of management sessions, logging via the console, a logging buffer, syslog, SNMP, and e-mail; automatic backup of logs via FTP; address translation with NAT and PAT; and packet filtering.
The following sections will discuss some important features that were introduced in newer versions of the concentrator's software. The Cisco 3.0 code release is the first major update of the software since Cisco acquired Altiga. Because this was a handful of years ago, I'll start with 3.5 and work my way up with the new features.
Why I prefer Cisco concentrators
I have worked with many VPN gateway products in my time, including all of the Cisco productsrouters, PIXs and ASAs, and concentrators. And out of all the VPN gateway products I've ever dealt with, Cisco VPN 3000 series concentrators are my favorite for remote access solutions. From a feature perspective, there's nothing else in the marketplace in a single chassis that offers all of the features that Cisco has bundled with their concentrators. When it comes to configuration, the GUI interface is very intuitive and much easier to use than a CLI like Cisco routers and PIXs (the concentrator does support a menu-based CLI). And when it comes to troubleshooting VPN connections, the logging functions of the concentrator far surpass anything else I've used. The logging output is customizable to 13 different levels and the output is written, for the most part, in layman's terms, making troubleshooting a simple process.
Version 3.5 Features
I'll start with version 3.5 and its sub-versions first. In this and the following sections, I'll mention features only as they relate to the major version, like 3.5, instead of the specific release in which they became available, like 3.5.6.
In 3.5 and its sub-versions, the following features were developed:
- The personal firewall is a feature added to the Cisco VPN client softwareit's a DLL from Zone Labs that functions as a simple stateful firewall for the software client. This firewall is referred to as the Cisco Integrated Client (CIC) firewall.
- The Are You There (AYT) feature is a policy defined on the concentrator and pushed to the Cisco VPN software client during IKE Mode Config. It causes the software client to poll the existence and operation of a supported firewall on the client. If one is not found and is not operating, the software client will drop any VPN session to the concentrator.
- The backup server feature for IPsec allows you to define up to ten Easy VPN Servers as backup gateways for Cisco 3002 clients.
- External user authentication with RADIUS as the authentication option now supports the function of a user changing an NT Domain password when it is about to expire.
- Interactive Unit Authentication and Individual User Authentication are authentication policies defined on the concentrator and pushed to hardware clients. Instead of storing the username and password on the hardware client, with interactive unit authentication, a user behind the hardware client is prompted for the user authentication information, and the hardware client uses this for user authentication functions; once the tunnel is up, any user behind the hardware client can use the tunnel. Individual user authentication has the hardware client prompt each user for a username and password and lets only authenticated users access the tunnel to the concentrator.
- IPsec over TCP allows client connections to use TCP as a transport for IPsec ESP packets to pass through address translation devices and firewalls.
- RRI allows a client to advertise its internal address (in client mode) or the network number of its private/inside interface (in network extension mode) to the VPN gateway in ISAKMP/IKE Phase 1. The concentrator can advertise these static routes via RIP or OSPF.
- SCEP allows you to acquire certificates in-band from a CA.
- Statistics on statistic screens on the concentrator can be reset (set to 0) for temporary monitoring and then restored back to the current statistical values.
- XML can be used to upload or download data files from the concentrator's Flash memory.
Version 3.6 Features
The following are features added to the concentrator in the 3.6 versions of software:
- Use of network extension mode by hardware clients can be controlled on a group-by-group basis on the concentrator.
- The bandwidth management feature allows you to apply simple bandwidth policies to the concentrator's interfaces and to groups of users or site-to-site sessions. There are two bandwidth management policies:
- Bandwidth policing: Policing limits traffic to a specified traffic rate; traffic exceeding this rate is dropped.
- Bandwidth reservation: Bandwidth reservation allows you to reserve a minimum amount of bandwidth for a user.
- The DHCP relay feature allows wireless clients to obtain their network configuration information before the tunnel is established. With this feature, the concentrator forwards DHCP requests from clients (typically wireless) to a DHCP server.
- The DHCP Intercept feature allows the concentrator to reply directly to Microsoft client DHCP inform messages for L2TP/IPsec clients.
- NAT-T uses a discovery process to determine if address translation is being performed between the client and concentrator. If so, the devices will wrap the ESP packets in UDP; otherwise, ESP packets are sent out normally. NAT-T is also supported for site-to-site connections.
- AES allows encryption to be performed with fewer processing cycles than 3DES and provides better security. In 3.6, AES is only supported in software4.0 with the SEP-Es can perform AES in hardware.
- DH group 5 was added (group 1, 2, 5, and 7 DH keys are supported).
- CRLs can be obtained via HTTP. You also have the ability to specify backup CRL distribution points in case the CRL location listed on the CA's certificate is not reachable. Plus, the concentrator can cache CRLs in RAM locally instead of downloading them each time it needs them.
- Split DNS allows a client to use the corporate DNS server for corporate DNS resolutions and the ISP DNS server for other resolutions; this policy, along with the list of corporate domain names and corporate DNS servers, are defined on the concentrator and pushed to the client during IKE mode config.
- Dynamic DNS allows the concentrator to take the hostname found in a DHCP request and send this, along with the client's DHCP address, to a Dynamic DNS server, which will update the DNS resolution for the client on a DNS server.
- L2TP over IPsec can now use EAP/TLS and EAP/SDI for user authentication of Microsoft's VPN clients.
- You can change the MTU size from 681,500 bytes on the Ethernet interfaces. This might be necessary for the public interface where VPN sessions are being terminated and VPN overhead is causing fragmented packets. You can also define IPsec fragmentation policies concerning what should happen if packets need to be fragmented.
- You can use Secure Copy (SCP) to back up concentrator files to an SCP server.
- You can create a filter and apply it to a site-to-site session. You can also define address translation policies for site-to-site sessions when there are overlapping addresses at the two sites.
- You can now see the operating system and version of the remote access client that connects to the concentrator.
- If you used digital certificates before Version 3.6, you had to use the Organizational Unit (OU) field, sometimes called Department, to represent the name of the group that the user belongs to. In 3.6 you can use distinguished name (DN) group matching, where you can define rules about what is used on a certificate and how this is mapped to a particular group.
- The backup server feature now supports the Cisco VPN software client.
Version 4.0 Features
The following are features added to the concentrator in the 4.0 versions of software:
- The 3020 concentrator was introduced in this version of software.
- You can now install 64 MB of RAM in the 3005s, which allows it to support up to 200 remote access sessions. You can also install up to 512 MB of RAM in the 3060s and 3080s. (See Table 6-1 for more information.)
- The SEP-E module was introduced, allowing supported concentrators to perform DES, 3DES, and AES encryption in hardware.
- If using CiscoSecure ACS (CSACS) RADIUS for remote access user authentications, you can download predefined ACLs and apply them to a user's remote access session instead of defining the filters locally on the concentrator.
- You can specify backup peers for site-to-site sessions.
- Remote access users can now be authenticated using Active Directory/Kerberos for user authentication of remote access sessions.
- The Sygate Personal Firewall, Personal Firewall Pro, and Security agent were added to the AYT feature.
- You can change the dead peer detection (DPD) timeout value to detect dead IPsec remote access client or site-to-site sessions.
Version 4.1 Features
The following are features added to the concentrator in the 4.1 versions of software:
- The main enhancement of 4.1 is WebVPN: clientless and thin client. Not all functionality for WebVPN was introduced with the first sub-version; many features, such as Internet Explorer Proxy, were added in later sub-versions of 4.1.
- You can now define a period of time for when an internal address assigned to a remote access client such as IPsec is released, until it is returned to the address pool to be used by someone else. Also, the concentrator will do an ARP for an internal address to ensure that it's not being used, before assigning it to a remote access client.
- The Cisco VPN 4.6 software client was introduced. The concentrator now has the ability to update the software client automatically; previously, only the 3002 supported automatic updates.
- You can restrict remote access sessions by forcing users to use supported client types and software versions; this applies to Easy VPN clients.
Version 4.7 Features
Version 4.7 was a major update to the concentrators, in which many features were added. The two main ones are the SSL VPN Client and the Cisco Secure Desktop (CSD). The following are some of the features added to the concentrator in the 4.7 versions of software:
- The SSL VPN Client is a major enhancement to WebVPN, allowing the protection of network-layer traffic and above from the user's desktop to the concentrator. The SSL VPN Client installs a virtual desktop on the user's PC and all applications and protocols initiated from the virtual desktop are protected by an SSL VPN.
- CSD was introduced for WebVPN. It can be combined with network access control (NAC) and AYT to define policies that restrict client connections: clients have to meet prerequisites, such as having antivirus software, personal firewall software, and Windows service updates installed. CSD is used with the SSL VPN Client. Another security of CSD is that it looks for a key-stroke-logging program, such as a Trojan horse, at the beginning and during the SSL VPN sessionif one is found, the user is prompted to take action to remove it. CSD also removes all data involved with the SSL VPN session, such as downloaded temporary files and cookies, once the SSL VPN terminates through a Department of Defense (DoD) sanitization algorithm.
- Terminal support for Citrix was introduced for WebVPN port forwarding (thin client).
I'll discuss how to configure most of the features that I've talked about here in later chapters on the concentrator, software client, and hardware client configuration.