Summary

VPNs are secure connections between two endpoints and use protocols such as L2TP, PPTP, and IPSec. VPNs fall into three categories: remote access, site-to-site intranet, and business-to-business extranet. Remote access VPNs are used by telecommuters and mobile users to connect to a central office. Site-to-site intranet VPNs interconnect remote offices and the central office via a secure VPN tunnel. Business-to-business extranet VPNs are secure tunnels to external business partners or suppliers that are not part of the corporation.

Cisco offers several solutions for VPN connectivity, depending on the size of the location, the performance, and the number and type of VPN sessions required. Table 2.4 summarizes the Cisco VPN products.

Table 2.4. Cisco VPN Products

Location          Remote Access                  Site-to-Site Routers   Site-to-Site PIX
SOHO              3002 Client, Software Client   800, uBR900            501, 506
Small ROBO        3005, 3015                     1700, 2600, 3600       506, 515
Medium ROBO       3030                           3600, 7100             515
Main Office, SP   3060, 3080                     7100, 7200             525, 535

(ROBO = remote office/branch office; SP = service provider.)

IPSec is used to provide a secure pathway between a pair of IPSec gateways, or between a host and a gateway. IPSec's functionality entails the following: confidentiality, integrity, peer authentication, and anti-replay services.

IPSec confidentiality is synonymous with secure data encryption. Encryption entails securing data by running an encryption algorithm with an encryption key to produce ciphertext. Key algorithms can be either symmetric or asymmetric. Symmetric algorithms use the same key to encrypt the data and to decrypt it on the remote end. Asymmetric algorithms use a public and private key pair. The private key is never communicated and is kept secret, whereas the public key is communicated to IPSec peers that wish to encrypt data destined for your device. Data is encrypted locally with the remote peer's public key and decrypted by the remote peer using its private key. Cisco supports 56-bit DES and 168-bit 3DES for symmetric key algorithms, and RSA (variable bit) and ECC (variable bit) for asymmetric key algorithms. Cisco also supports the symmetric algorithm AES in software version 3.6 and above, with keys of 128, 192, or 256 bits in length. Keys can be exchanged manually or automatically via Diffie-Hellman groups 1 (768-bit), 2 (1024-bit), 5 (1536-bit), or 7 (variable bit).
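The Diffie-Hellman exchange that the automatic key method relies on, shown as an added example (this is not code from the book or from Cisco). The modulus and generator are the Oakley group 2 (1024-bit) values published in RFC 2409; the peer names, the use of os.urandom for private exponents, and the simplified SHA-256 key derivation at the end are assumptions made for illustration, since IKE's real SKEYID derivation uses an HMAC keyed with the peers' nonces.

```python
"""Diffie-Hellman agreement over the IKE group 2 (1024-bit MODP) modulus.

Added example, not code from the book or from Cisco. The modulus and
generator are the Oakley group 2 values from RFC 2409 section 6.2; the
os.urandom-based private exponents and the SHA-256 key derivation are
assumptions made for illustration, not IKE's actual prf.
"""
import hashlib
import os

# Oakley group 2 modulus p (1024 bits) and generator g = 2, from RFC 2409.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_GENERATOR = 2


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
    """Miller-Rabin with fixed bases; a sanity check on the group modulus."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def private_exponent(p=GROUP2_PRIME):
    """Random private value x in [2, p-2]; it never leaves the device."""
    while True:
        x = int.from_bytes(os.urandom(p.bit_length() // 8), "big")
        if 2 <= x <= p - 2:
            return x


def public_value(x, p=GROUP2_PRIME, g=GROUP2_GENERATOR):
    """g^x mod p, the value sent to the peer during IKE phase 1."""
    return pow(g, x, p)


def shared_secret(peer_public, x, p=GROUP2_PRIME):
    """peer^x mod p. Rejects degenerate peer values (0, 1, p-1, out of
    range) that would collapse the secret to a predictable value."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("invalid Diffie-Hellman public value from peer")
    return pow(peer_public, x, p)


def derive_key(shared, length=24):
    """Simplified derivation (assumption): hash the shared secret and take
    `length` bytes, e.g. 24 bytes of keying material for 3DES."""
    secret_bytes = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes).digest()[:length]


def exchange():
    """Run one exchange between two peers and return both derived keys;
    only the public values cross the wire, yet both keys come out equal."""
    x_a, x_b = private_exponent(), private_exponent()
    pub_a, pub_b = public_value(x_a), public_value(x_b)
    key_a = derive_key(shared_secret(pub_b, x_a))
    key_b = derive_key(shared_secret(pub_a, x_b))
    return key_a, key_b


if __name__ == "__main__":
    k_a, k_b = exchange()
    print("peers agree:", k_a == k_b, "key:", k_a.hex())
```

The range check in shared_secret is the part a practitioner should not skip: a peer that sends 0, 1, or p-1 as its public value forces the shared secret to a value anyone can compute, so a receiver must reject those before using the result.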

IPSec integrity is obtained through HMACs (hashed message authentication codes). IPSec devices create and send a keyed message digest to the far-end peer, along with the actual message. If any bit was changed in transit, the remote peer detects it, because the digest it computes over the received message does not match the one it received. Cisco supports the HMAC variants of MD5 (128-bit) and SHA-1 (160-bit).
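The keyed-digest check described above, as an added example (not code from the book or from Cisco). AH and ESP use the HMAC-MD5-96 and HMAC-SHA-1-96 variants, in which the full HMAC is computed and the first 96 bits (12 bytes) are carried as the integrity check value (ICV); the key and packet bytes below are constructed for the demonstration.

```python
"""Keyed message digests as IPSec uses them for integrity.

Added example, not code from the book or from Cisco. The HMAC key and
packet bytes are constructed for the demonstration.
"""
import hashlib
import hmac

ICV_LEN = 12  # 96 bits, the truncation used by HMAC-MD5-96 / HMAC-SHA-1-96


def compute_icv(key, data, algorithm="sha1", icv_len=ICV_LEN):
    """HMAC over the protected bytes, truncated to the IPSec ICV length.
    Pass icv_len=None for the full 128-bit (MD5) or 160-bit (SHA-1) MAC."""
    mac = hmac.new(key, data, getattr(hashlib, algorithm)).digest()
    return mac if icv_len is None else mac[:icv_len]


def verify_icv(key, data, received_icv, algorithm="sha1"):
    """Receiver side: recompute the ICV and compare in constant time, so
    the comparison does not leak how many leading bytes matched."""
    expected = compute_icv(key, data, algorithm, len(received_icv))
    return hmac.compare_digest(expected, received_icv)


def flip_bit(data, bit_index):
    """Return a copy of `data` with a single bit inverted (simulated
    corruption or tampering in transit)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo():
    """Sender computes the ICV; the receiver checks the pristine packet,
    a packet with one flipped bit, and a check with the wrong key."""
    key = bytes.fromhex("0b" * 20)                          # constructed key
    packet = b"\x45\x00\x00\x3c" + b"constructed ESP payload"  # constructed
    icv = compute_icv(key, packet)
    intact = verify_icv(key, packet, icv)
    tampered = verify_icv(key, flip_bit(packet, 37), icv)
    wrong_key = verify_icv(bytes.fromhex("aa" * 20), packet, icv)
    return intact, tampered, wrong_key


if __name__ == "__main__":
    print("intact, tampered, wrong key:", demo())
```

A plain digest over the message would not give this property: without the shared key, anyone who alters the packet could simply recompute the hash, which is why IPSec keys the digest.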

IPSec peer authentication is a crucial step in IKE phase 1, in which the IPSec device validates the remote peer. Cisco supports the following three methods of peer authentication: preshared keys, RSA signatures, and RSA-encrypted nonces. Preshared keys are manually configured on both devices of the IPSec tunnel. RSA signatures are a dynamic form of authentication in which the IPSec device signs identification information with its own private key, and the remote peer validates the signature using the sender's public key. RSA-encrypted nonces use a pseudorandom number to validate the remote IPSec peer.

Anti-replay services in IPSec use sequence numbers to ensure that the IPSec device does not accept out-of-sequence or duplicate packets injected by an intruder.
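The sequence-number check on the receiving side, as an added example (not code from the book or from Cisco). It follows the sliding-window scheme described in RFC 2401 and RFC 4303: a 64-packet window anchored at the highest sequence number accepted so far, plus a bitmap of the numbers already seen, so modest reordering is tolerated while duplicates and stale packets are dropped. The window size, the arrival order used in demo(), and the sender-side counter that refuses to wrap are constructed for the illustration.

```python
"""Anti-replay sliding window of the kind an IPSec receiver keeps per SA.

Added example, not code from the book or from Cisco. Sequence numbers
are 32-bit, start at 1 on a fresh SA, and 0 is never valid; the arrival
sequence in demo() is constructed.
"""
SEQ_MAX = 2**32 - 1
ARRIVALS = [1, 2, 3, 5, 4, 3, 100, 40, 36, 37, 100]  # constructed order


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if the packet should be accepted.
        Run this only after the ICV has verified, so a forged packet cannot
        advance the window and knock legitimate packets out of it."""
        if seq == 0 or seq > SEQ_MAX:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1            # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                   # too old: left the window
        if self.bitmap & (1 << diff):
            return False                   # duplicate: already accepted
        self.bitmap |= 1 << diff
        return True


class SenderCounter:
    """Outbound counter; refuses to wrap so the SA is rekeyed instead of
    reusing sequence numbers under the same key."""
    def __init__(self):
        self.seq = 0

    def next(self):
        if self.seq >= SEQ_MAX:
            raise RuntimeError("sequence number exhausted: establish a new SA")
        self.seq += 1
        return self.seq


def process(seqs, size=64):
    """Feed received sequence numbers through one window and return the
    accept/reject decision for each."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


def demo():
    # Reordering (5 before 4) is tolerated; the replayed 3 and the second
    # 100 are rejected; 36 is too old once 100 has moved the window.
    return process(ARRIVALS)


if __name__ == "__main__":
    for seq, ok in zip(ARRIVALS, demo()):
        print(seq, "accepted" if ok else "rejected")
```

Two points carry over to real deployments: the window must only be updated after the integrity check passes, and the sender must negotiate a new SA before its counter wraps, since a repeated sequence number under the same key is indistinguishable from a replay.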

The IPSec protocol is actually a framework consisting of a collection of secure protocols and standards. IPSec uses two primary protocols for its confidentiality and integrity services. AH provides data integrity and sender authentication only. ESP can provide encryption, as well as data integrity and authentication.

IKE is the protocol responsible for the preliminary phase of IPSec communication, in which SAs are established for IKE and IPSec. This negotiation covers encryption and hash algorithms, transform sets, the Diffie-Hellman key exchange, tunnel modes, and SA lifetimes.

IPSec can operate in one of two modes, determined during the IPSec transform set negotiation of IKE phase 2. Tunnel mode encrypts and authenticates the entire original IP packet, including its header, whereas transport mode keeps the original IP header and protects only the upper-layer payload.

Communications with IPSec can be summarized in five steps:

  1. Determining interesting traffic

  2. IKE phase 1 negotiation, DH key exchange, and peer authentication

  3. IKE phase 2 IPSec transform set negotiation

  4. Encrypting IPSec traffic

  5. Tunnel termination



CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
