A VPN is a secure connection between two or more networks across a public infrastructure. Know the three types of VPN:

- Remote Access VPNs: mobile users connecting to a main office, using IPSec, L2TP, or PPTP as the tunneling protocol.
- Site-to-Site Intranet VPNs: remote offices within the same corporation connecting entire networks with VPN tunnels.
- Business-to-Business Extranet VPNs: business partners outside the corporation connecting their networks with VPN tunnels.
Know the VPN 3000 Concentrator's capabilities:

| Model | Performance (Maximum Bandwidth) | Hardware Encryption | Remote Access Tunnels | Site-to-Site Tunnels | Standard Memory |
|---|---|---|---|---|---|
| 3005 | 4 Mbps | None (software encryption) | 100 | 100 | 32 MB |
| 3015 | 4 Mbps | None (software encryption) | 100 | 100 | 64 MB |
| 3030 | 50 Mbps | 1 SEP module | 1500 | 500 | 128 MB |
| 3060 | 100 Mbps | 2 SEP modules | 5000 | 1000 | 256 MB |
| 3080 | 100 Mbps | 4 SEP modules | 10,000 | 1000 | 256 MB |
Know the VPN product solutions for a given location:

| Location | Remote Access | Site-to-Site Routers | Site-to-Site PIX |
|---|---|---|---|
| SOHO | 3002 Hardware Client, Software Client | 800, uBR900 | 501, 506 |
| Small ROBO | 3005, 3015 | 1700, 2600, 3600 | 506, 515 |
| Medium ROBO | 3030 | 3600, 7100 | 515 |
| Main Office, SP | 3060, 3080 | 7100, 7200 | 525, 535 |
IPSec is a framework of protocols used to establish secure tunnels between VPN gateways and hosts. IPSec provides the following services:

- Confidentiality: clear-text data is protected from disclosure by encrypting it with a symmetric encryption algorithm.
- Data Integrity: IPSec ensures that data was not manipulated in transit by using keyed Hashed Message Authentication Codes (HMAC); a packet whose HMAC does not verify is dropped.
- Authentication: preshared keys, RSA/DSA digital certificates, and RSA-encrypted nonces all serve as forms of machine-level (peer) authentication during initial IPSec tunnel establishment.
- Anti-Replay: IPSec puts a monotonically increasing sequence number in every AH or ESP packet, and the receiver keeps a sliding window of accepted sequence numbers so that a captured packet cannot be re-injected (replayed) later.
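The anti-replay service above, as an added example (not code from the original page or from Cisco): a receiver-side sliding window over ESP/AH sequence numbers modelled on RFC 2401 Appendix C. The 64-entry window size and the packet stream are constructed for illustration; the integrity check is stood in for by a callback, since the window must only be updated after the packet's HMAC/ICV verifies.

```python
"""Sliding-window anti-replay check as an ESP/AH receiver performs it.

Added example modelled on RFC 2401 Appendix C; not Cisco code.  The window
size (64 here) is an assumption, and the packet stream below is constructed.
"""


class AntiReplayWindow:
    """Replay state for one inbound SA: the highest accepted sequence number and a
    bitmap of which of the `size` numbers below it have already been received."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit d set => sequence number (highest - d) was received

    def accept(self, seq: int) -> bool:
        """Pre-authentication check: would `seq` be accepted?  Leaves state untouched
        so that a forged packet cannot poison the window before its ICV is verified."""
        if seq == 0:
            return False          # 0 is never a valid ESP/AH sequence number
        if seq > self.highest:
            return True           # right of the window: always new
        diff = self.highest - seq
        if diff >= self.size:
            return False          # left of the window: too old to track, drop
        return not (self.bitmap & (1 << diff))   # inside window: new unless already seen

    def mark(self, seq: int) -> None:
        """Record `seq` once the packet's integrity check (HMAC/ICV) has succeeded."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.size:
                # slide the window forward and set the bit for `seq` (bit 0)
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past the whole window: everything older fell out
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def process_stream(seqs, size: int = 64, icv_ok=lambda seq: True):
    """Run a sequence-number stream through the receiver and return one bool per packet.

    `icv_ok` stands in for ESP/AH integrity verification; the window is only
    updated for packets that both pass the replay check and authenticate."""
    window = AntiReplayWindow(size)
    verdicts = []
    for seq in seqs:
        ok = window.accept(seq) and icv_ok(seq)
        if ok:
            window.mark(seq)
        verdicts.append(ok)
    return verdicts


if __name__ == "__main__":
    # Constructed stream: in-order packets, a replayed 3 and 2, a burst ahead to 69,
    # then two stragglers of which only 6 still falls inside the 64-entry window.
    print(process_stream([1, 2, 3, 3, 2, 69, 5, 6]))
```

The split between `accept` and `mark` is the part worth copying: if the window were advanced before the HMAC check, an attacker could send a forged packet with a huge sequence number and cause every legitimate packet behind it to be dropped as "too old".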
Symmetric encryption uses a single shared key: the sender encrypts and the receiver decrypts with the same key. Asymmetric encryption uses a key pair: the sender encrypts with the receiver's public key and the receiver decrypts with its private key. Diffie-Hellman lets two peers agree on a shared secret over an insecure medium by exchanging only public values; that shared secret is then used to derive the keying material for the symmetric algorithms, so the symmetric keys themselves never cross the wire. Cisco supports Diffie-Hellman Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), and Group 7 (an elliptic-curve group used by Certicom Movian wireless clients). DES (56-bit), 3DES (168-bit), and AES (128-, 192-, or 256-bit keys) are symmetric encryption algorithms. RSA and DSA are asymmetric algorithms that are also used for digital signatures. Cisco supports two hashing algorithms, Message Digest 5 (MD5) and Secure Hash Algorithm-1 (SHA-1), both used in HMAC form for integrity.

IPSec's framework contains two protocols, AH and ESP. AH provides data integrity and origin authentication only; ESP can provide both data integrity and data confidentiality. Either can run in transport mode or tunnel mode. Transport mode is normally used between end systems and inserts the AH or ESP header after the original IP header (in front of the transport-layer header), so the original IP header is kept. Tunnel mode is normally used between two gateways, or between a host and a gateway: the entire original IP packet is encapsulated as the payload and a new outer IP header is added for routing between the tunnel endpoints, hiding the original addresses.

IKE is the protocol responsible for the preliminary phase of IPSec communication, in which SAs are established first for IKE itself and then for IPSec. The negotiation covers encryption and hash algorithms, transform sets, the Diffie-Hellman group for the key exchange, the authentication method, tunnel mode, and SA lifetimes. IKE Phase 1 negotiates the bidirectional IKE SA and can operate in main mode or aggressive mode. Main mode uses three two-way exchanges (six messages); aggressive mode compresses the negotiation into three messages but is less secure, because identities and the authentication hash are sent before encryption is available, which exposes a preshared key to offline guessing by anyone who captures the exchange. IKE Phase 2 negotiates the IPSec SAs, which are unidirectional (so one is built in each direction), and has only one mode, quick mode.
IPSec communications entail the following five steps:

1. Determining interesting traffic (the crypto access list selects which packets the tunnel must protect)
2. IKE phase 1: IKE SA negotiation, DH key exchange, and peer authentication
3. IKE phase 2: IPSec transform set negotiation (the IPSec SAs)
4. Encrypting and authenticating IPSec traffic under the negotiated SAs
5. Tunnel termination (SA lifetime expiry or explicit deletion)
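The Diffie-Hellman key agreement and IKE phases described above (steps 2 and 3 of the five-step process), as an added example that is not code from the original page or from Cisco: two peers run DH group 2 with preshared-key authentication, derive identical SKEYID material following RFC 2409 section 5 with HMAC-SHA1 as the prf, verify the HASH_I authenticator, and then expand SKEYID_d into ESP keying material in quick mode. The preshared keys, peer identities, SA payload body and SPI are constructed values; the 1024-bit prime is the group 2 modulus printed in RFC 2409 section 6.2.

```python
"""IKE phase 1 and phase 2 keying for a preshared-key peer, modelled on RFC 2409.

Both peers run the same derivations; only the Diffie-Hellman private exponent
and the preshared key never cross the wire.  Added example, not Cisco code.
"""
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2: the 1024-bit MODP prime of RFC 2409 section 6.2, generator 2.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2
PROTO_IPSEC_ESP = 3       # IPSec DOI protocol identifier for ESP (AH is 2)


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf when SHA-1 is the negotiated hash: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE endpoint: DH key pair, nonce and ISAKMP cookie for phase 1."""

    def __init__(self, psk: bytes, sa_payload: bytes, identity: bytes):
        self.psk = psk
        self.sa_b = sa_payload        # SA payload body (proposed transforms)
        self.id_b = identity          # ID payload body, e.g. the peer's address
        self.x = secrets.randbelow(GROUP2_P - 2) + 1   # private exponent, never sent
        self.pub = pow(GROUP2_G, self.x, GROUP2_P)     # g^x, sent in the KE payload
        self.nonce = secrets.token_bytes(16)
        self.cookie = secrets.token_bytes(8)

    def phase1(self, peer_pub: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes):
        """Derive SKEYID and SKEYID_d/a/e (RFC 2409 s.5, preshared-key method)."""
        gxy = i2b(pow(peer_pub, self.x, GROUP2_P))     # shared DH secret g^xy
        skeyid = prf(self.psk, ni + nr)                # preshared key binds the nonces
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")   # seeds phase 2 keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE integrity
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption
        return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, length) -> bytes:
    """Quick mode without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    expanded by feeding each block back in until `length` bytes exist."""
    out, k = b"", b""
    while len(out) < length:
        k = prf(skeyid_d, k + bytes([protocol]) + spi + ni2 + nr2)
        out += k
    return out[:length]


def run_exchange(psk_i: bytes, psk_r: bytes, esp_key_len: int = 24) -> dict:
    """Simulate main mode plus quick mode and report what each side derived."""
    sa_i = b"3DES-SHA1-PSK-GROUP2"          # constructed stand-in for the SA payload body
    i = Peer(psk_i, sa_i, b"192.0.2.1")      # constructed identities (RFC 5737 addresses)
    r = Peer(psk_r, sa_i, b"198.51.100.1")
    # Main mode: cookies (msgs 1-2) and KE + nonces (msgs 3-4) travel in the clear.
    args = (i.nonce, r.nonce, i.cookie, r.cookie)
    skeyid_i, d_i, a_i, e_i = i.phase1(r.pub, *args)
    skeyid_r, d_r, a_r, e_r = r.phase1(i.pub, *args)
    # Msg 5: initiator sends HASH_I (encrypted under SKEYID_e); responder recomputes it.
    gxi, gxr = i2b(i.pub), i2b(r.pub)
    sent = hash_i(skeyid_i, gxi, gxr, i.cookie, r.cookie, i.sa_b, i.id_b)
    expected = hash_i(skeyid_r, gxi, gxr, i.cookie, r.cookie, i.sa_b, i.id_b)
    authenticated = hmac.compare_digest(sent, expected)
    # Quick mode: fresh nonces and the inbound SPI feed KEYMAT for the ESP SA.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = bytes.fromhex("0c0ffee0")          # constructed SPI
    return {
        "authenticated": authenticated,
        "esp_key_i": phase2_keymat(d_i, PROTO_IPSEC_ESP, spi, ni2, nr2, esp_key_len),
        "esp_key_r": phase2_keymat(d_r, PROTO_IPSEC_ESP, spi, ni2, nr2, esp_key_len),
    }


if __name__ == "__main__":
    print(run_exchange(b"cisco123", b"cisco123")["authenticated"])   # True
    print(run_exchange(b"cisco123", b"wrong")["authenticated"])      # False
```

Note how the preshared key enters only through `SKEYID`; a wrong key leaves the DH secret intact but makes HASH_I and every phase 2 key diverge. In aggressive mode the responder's equivalent hash is sent before any encryption exists, which is exactly what an attacker needs to guess a weak preshared key offline.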
A typical IPSec remote-access tunnel entails four components: a remote client, a VPN Concentrator, PPP or an equivalent Layer 2 protocol, and the IPSec protocol.