Comparing IPsec Remote Access VPNs with Other Types of Remote Access VPNs

Before deciding to implement IPsec remote access VPNs, it is important to understand their advantages and disadvantages, as well as how they compare to other types of remote access VPN.

Some of the main advantages and disadvantages of IPsec remote access VPNs are as follows:

  • IPsec can provide strong security for remote access VPN traffic.

    The precise level of security offered by IPsec depends on a number of factors, including the type of Internet Key Exchange (IKE) phase 1 negotiation (main or aggressive mode), the type of IKE phase 1 authentication, the form of any preshared keys, the types and levels of security associated with any Public Key Infrastructure (PKI), the type of user authentication, the type (and key lengths) of encryption and hashing algorithms, whether Perfect Forward Secrecy (PFS) is used, and the duration of security association (SA) lifetimes.

    L2TP/IPsec (RFC 3193) and SSL remote access VPNs offer similar security to IPsec remote access VPNs.

  • Extensions to IPsec that provide additional functionality such as IKE Extended Authentication (Xauth) and ISAKMP Configuration Method (Mode Config) are not industry standards, and therefore are not implemented on all operating systems or devices (this might cause some vendor interoperability issues).

    L2TP/IPsec remote access VPNs, on the other hand, rely on industry (IETF) standards.

    Secure Sockets Layer (SSL) versions 2 and 3 are de facto standards, and Transport Layer Security (TLS) is an industry (IETF) standard.

  • The Cisco VPN Client (which provides IPsec remote access VPN functionality) must be installed (and administered) on each remote access VPN client workstation.

    Operating systems such as Windows 2000, Windows XP, and Mac OS X include an L2TP/IPsec remote access VPN client by default.

    Clientless SSL remote access VPNs do not require the installation of specific VPN client software.

  • IPsec remote access VPNs, L2TP/IPsec remote access VPNs, and SSL remote access VPNs using the Cisco SSL VPN Client offer remote users a level of functionality similar to what they would experience if they were at their office or central site. Clientless SSL remote access VPNs, on the other hand, offer only a subset of this functionality.
  • IPsec remote access VPNs provide IP unicast transport between VPN clients and gateways. L2TP/IPsec remote access VPNs, on the other hand, offer multiprotocol (IP, IPX, and so on) unicast and multicast transport between VPN clients and gateways.
  • The Cisco VPN Client allows the integration of features such as enforcement of firewall type, antivirus software type and level, and OS service pack level on client operating systems, as well as the enforcement of split-tunneling (and split-DNS) policies. Additionally, Cisco VPN Client software can be auto-updated when remote access VPN users connect to a Cisco remote access VPN gateway such as the Cisco VPN 3000 concentrator or the Cisco ASA 5500.
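
The first point above lists the factors that determine how much security an IPsec remote access VPN actually provides. As an added example (not from the book), the following Python audit checks a constructed Cisco IOS-style configuration against several of them: encryption and hashing algorithms, phase 1 authentication type, Diffie-Hellman group, SA lifetime, and PFS. The weak-value sets and the lifetime ceiling are assumptions chosen for illustration, and only explicitly configured values are checked (platform defaults are not modelled).

```python
import re

# Constructed sample in Cisco IOS style (not from the book); names are placeholders.
SAMPLE = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp policy 20
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
 lifetime 28800
crypto dynamic-map RA-MAP 10
 set transform-set RA-SET
"""

# Assumed review thresholds for this example, not values stated on the page.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
MAX_LIFETIME = 28800  # seconds

def audit(config):
    """Return (section, finding) pairs for explicitly configured values only."""
    findings, section, maps = [], "", {}
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():          # unindented line starts a new section
            section = raw.strip()
            if re.match(r"crypto (dynamic-)?map ", section):
                maps[section] = False     # no PFS seen yet for this map entry
            continue
        key = "encryption" if words[0] == "encr" else words[0]
        value = words[1] if len(words) > 1 else ""
        if section.startswith("crypto isakmp policy"):
            if value in WEAK.get(key, ()):
                findings.append((section, f"weak {key}: {value}"))
            elif key == "authentication" and value == "pre-share":
                findings.append((section, "preshared-key authentication"))
            elif key == "lifetime" and value.isdigit() and int(value) > MAX_LIFETIME:
                findings.append((section, f"long SA lifetime: {value}s"))
        elif section in maps and words[:2] == ["set", "pfs"]:
            maps[section] = True
    findings += [(name, "PFS not enabled") for name, ok in maps.items() if not ok]
    return findings
```

Calling `audit(SAMPLE)` reports five findings for policy 10, none for policy 20, and a missing-PFS finding for the dynamic map entry.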


Comparing, Designing, and Deploying VPNs
ISBN: 1587051796
EAN: 2147483647
Year: 2007
Pages: 124
Authors: Mark Lewis
