CCSP Cisco Secure VPN Document, Part 2 (PDF)


Document information

Chapter 2: Overview of VPN and IPSec Technologies

“Do I Know This Already?” Quiz (continued)

6. What are the two modes of operation for AH and ESP?
7. How many Security Associations (SAs) does it take to establish bidirectional IPSec communications between two peers?
8. What is a message digest?
9. Which current RFCs define the IPSec protocols?
10. What message integrity protocols does IPSec use?
11. What is the triplet of information that uniquely identifies a security association?
12. You can select to use both authentication and encryption when using the ESP protocol. Which is performed first when you do this?
13. What five parameters are required by IKE Phase 1?
14. What is the difference between the deny keyword in a crypto Access Control List (ACL) and the deny keyword in an access ACL?
15. What transform set would allow SHA-1 authentication of both AH and ESP packets and would also provide Triple Data Encryption Standard (3DES) encryption for ESP?
16. What are the five steps of the IPSec process?

CCSP.book Page 18 Friday, February 28, 2003 3:43 PM

The answers to this quiz are listed in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggestions for your next steps, based on quiz results, are as follows:

• 2 or less score on any quizlet—Review the appropriate portions of the “Foundation Topics” section of this chapter, based on Table 2-1. Proceed to the “Foundation Summary” section and the “Q&A” section.
• 8 or less overall score—Read the entire chapter, including the “Foundation Topics” and “Foundation Summary” sections, and the “Q&A” section.
• 9 to 12 overall score—Read the “Foundation Summary” section and the “Q&A” section. If you are having difficulty with a particular subject area, read the appropriate portion of the “Foundation Topics” section.
• 13 or more overall score—If you feel that you need more review on these topics, go to the “Foundation Summary” section, then to the “Q&A” section. Otherwise, skip this chapter and go to the next chapter.

Foundation Topics

Cisco VPN Product Line

VPNs are typically deployed to provide improved access to corporate resources while providing tighter control over security at a reduced cost for WAN infrastructure services. Telecommuters, mobile users, remote offices, business partners, clients, and customers all benefit because corporations see VPNs as a secure and affordable method of opening access to corporate information. Surveys have shown that most corporations implementing VPNs do so to provide access for telecommuters to access the corporate network from home. They cite security and reduced cost as the primary reasons for choosing VPN technology and single out monthly service charges as the cost justification for the decision.

VPN technology was developed to provide private communication wherever and whenever needed, securely, while behaving as much like a traditional private WAN connection as possible. Cisco offers a variety of platforms and applications that are designed to implement VPNs. The next section looks at these various products and Cisco’s recommended usage in the deployment of VPNs.

Enabling VPN Applications Through Cisco Products

Through product development and acquisitions, Cisco has a variety of hardware and software components available that enable businesses of all sizes to quickly and easily implement secure VPNs using IPSec or other protocols. The types of hardware and software components you choose to deploy depend on the infrastructure you already have in place and on the types of applications that you are planning to use across the VPN.

This section covers the following topics:

• Typical VPN applications
• Using Cisco VPN products

Typical VPN Applications

The business applications that you choose to run on your VPNs go hand in hand with the type of VPN that you need to deploy. Remote access and extranet users can use interactive applications such as e-mail, web browsers, or client/server programs. Intranet VPN deployments are designed to support data streams between business locations.

[Figure: Cisco products enable a secure VPN]

The benefits most often cited for deploying VPNs include the following:

• Cost savings—Elimination of expensive dedicated WAN circuits or banks of dedicated modems can provide significant cost savings. Third-party Internet service providers (ISPs) provide Internet connectivity from anywhere at any time. Coupling ISP connectivity with the use of broadband technologies, such as digital subscriber line (DSL) and cable, not only cuts the cost of connectivity but can also deliver high-speed circuits.
• Security—The cost savings from the use of public infrastructures could not be recognized if not for the security provided by VPNs. Encryption and authentication protocols keep corporate information private on public networks.
• Scalability—With VPN technologies, new users can be easily added to the network. Corporate network availability can be scaled quickly with minimal cost. A single VPN implementation can provide secure communications for a variety of applications on diverse operating systems.

VPNs fall into three basic categories:

• Remote access
• Intranet
• Extranet

The following sections cover these three areas in more detail.

Remote Access VPNs

Telecommuters, mobile workers, and remote offices with minimal WAN bandwidth can all benefit from remote access VPNs. Remote access VPNs extend the corporate network to these users over publicly shared infrastructures, while maintaining corporate network policies all the way to the user. Remote access VPNs are the primary type of VPN in use today. They provide secure access to corporate applications for telecommuters, mobile users, branch offices, and business partners. These VPNs are implemented over common public infrastructures using ISDN, dial, analog, mobile IP, DSL, and cable technology. These VPNs are considered ubiquitous because they can be established any time from practically anywhere over the Internet. E-mail is the primary application used by these connections, with database and office automation applications following close behind.

Some of the advantages that might be gained by converting from privately managed networks to remote access VPNs are as follows:

• Modems and terminal servers, and their associated capital costs, can be eliminated.
• Long-distance and 1-800 number expenses can be dramatically reduced as VPN users dial in to local ISP numbers, or connect directly through their always-on broadband connections.
• Deployments of new users are simplified, and the increased scalability of VPNs allows new users to be added without increased infrastructure expenses.
• Turning over the management and maintenance of the dial-up network to third parties allows a corporation to focus on its business objectives rather than on circuit maintenance.

Although there are many advantages, be aware of the following disadvantages when implementing a VPN solution:

• IPSec has a slight overhead because it has to encrypt data as they leave the machine and decrypt data as they enter the machine via the tunnel. Though the overhead is low, it can impact some applications.
• For users with analog modem connections to the Internet at 40 kbps or less, VPNs can cause a slight reduction to throughput speed because the overhead of IPSec takes time to process the data.
• IPSec is sensitive to delays. Because the public Internet infrastructure is used, there is no guarantee of the amount of delay that might be encountered on each connection leg as the tunneled data traverse the Internet. This should not cause major problems, but it is something to keep in mind. Users might need to periodically reestablish connections if delay thresholds are exceeded.

Remote access VPNs can initiate tunneling and encryption either on the dial-up client or on the network access server (NAS). Table 2-2 outlines some of the differences between the two approaches.

Table 2-2 Remote Access Models

Model Type: Client-initiated model
Characteristics:
• Uses IPSec, Layer 2 Tunnel Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP) for establishing the encrypted tunnel at the client.
• Ubiquitous. ISP network is used only as a transport vehicle for the encrypted data, permitting the use of multiple ISPs.
• Data is secured end to end from the point of origin (client) to the destination, permitting the establishment of VPNs over any infrastructure without fear of compromise.
• Third-party security software packages, such as Cisco’s VPN Client, can be used to provide more enhanced security than system-embedded security software like PPTP.
• A drawback is that you must install a VPN Client onto every remote user’s system. The initial configuration and subsequent maintenance require additional resources from an organization.

Model Type: NAS-initiated model
Characteristics:
• VPNs are initiated at the service provider’s point of presence (POP) using L2TP or Layer 2 Forwarding (L2F).
• Eliminates the need for client-based VPN software, simplifying installation and reducing administrative cost.
• A drawback is that the data circuits from the POP to the client remain unprotected. Another drawback is that you must use the same service provider end to end, eliminating the Internet as a transport vehicle.

Figure 2-2 depicts the two types of remote access VPNs that can be accommodated by Cisco equipment and software.

[Figure 2-2 Remote Access VPNs: a Client-Initiated VPN (IPSec, PPTP, or L2TP tunnel from the Home Office across the VPN cloud) and a NAS-Initiated VPN (L2TP or L2F tunnel from the NAS, reached over the Public Switched Telephone Network)]

Site-to-Site Intranet VPNs

You can use site-to-site intranet VPNs to connect remote offices and branch offices to the headquarters internal network over a shared infrastructure. These connections typically use dedicated circuits to provide access to employees only. These VPNs still provide the WAN characteristics of scalability, reliability, and support for a variety of protocols at a reduced cost in a flexible manner. Intranet VPNs are typically built across service provider-shared network infrastructures like Frame Relay, Asynchronous Transfer Mode (ATM), or point-to-point circuits.

Some of the benefits of using intranet VPNs include the following:

• Reduction of WAN costs, especially when used across the Internet.
• Partially or fully meshed networks can be established, providing network redundancy across one or more service providers.
• Ease of connecting new sites to the existing infrastructure.

Figure 2-3 shows a diagram of a typical intranet VPN network. The corporation manages the edge routers, providing flexible management and maintenance opportunities over intranet VPNs.

[Figure 2-3 Intranet VPNs: Home Office and two Remote Offices connected by VPNs across the Internet/IP network]

Business-to-Business Extranet VPNs

Business-to-business extranet VPNs are the VPNs that give corporate network access to customers, suppliers, business partners, or other interested communities who are not employees of the corporation. Extranet VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs. The difference is found in the privileges that are extended to the extranet users. Security policies can limit access by protocol, ports, user identity, time of day, source or destination address, or other controllable factors. Fixed, business-to-business connections and ubiquitous dial-up or broadband Internet connections are depicted in Figure 2-4.

[Figure 2-4 Extranet VPNs: Business Partners connected to the Home Office by VPNs over the Internet/IP network, and a Dial-Up Business Partner reaching a NAS over the Public Switched Telephone Network]

Using Cisco VPN Products

Cisco can supply hardware and software to cover almost every possible VPN requirement. From routers and firewalls for intranet applications to VPN concentrators and clients for remote access applications, this section introduces you to some of the key features of Cisco VPN products.

Cisco VPN Routers

Cisco VPN routers are the best choice for constructing intranet or extranet site-to-site VPNs. These routers use Cisco IOS Software and can be used to deliver multicast, routing, and multiprotocol across the VPN. You can enable quality of service (QoS) on these devices, and the firewall feature option can turn these routers into robust firewalls. Some routers also have integrated DSL and cable modems to provide VPN access to small offices/home offices (SOHOs).

Some VPN routers can be equipped with special modules to handle encryption processing for VPN tunnels. These modules free memory and CPU cycles that can then be used for switching packets, which is the routers’ primary function. These VPN routers offer the full range of VPN protocols and services.

Table 2-3 shows some of the Cisco routers that are available for VPN service and identifies the application where they would most likely be applied.

Table 2-3 Cisco VPN Routers

Site: SOHO; Remote access VPN; Extranet VPN
Model: Cisco 827H ADSL Router
VPN Performance: 384 kbps; Up to 50 tunnels
Features: Fixed configuration; Integrated DSL modem; 4-port 10BaseT hub; Support for EzVPN Remote

Site: SOHO; Remote access VPN; Extranet VPN
Model: Cisco uBR905 Cable Router
VPN Performance: 6 Mbps; Up to 50 tunnels
Features: Fixed configuration; Integrated cable modem; 4-port 10BaseT hub; Support for EzVPN Remote and Server

Site: SOHO; Remote access VPN; Extranet VPN
Model: Cisco 806 Broadband Router
VPN Performance: 384 kbps; Up to 50 tunnels
Features: Fixed configuration; Installed behind broadband modem; 10BaseT Ethernet WAN interface; 4-port 10BaseT LAN hub; Support for EzVPN Remote

Site: SOHO; Remote access VPN; Extranet VPN
Model: Cisco 1710 Router
VPN Performance: 3 Mbps; Up to 100 tunnels
Features: Fixed configuration; 10/100 Fast Ethernet port; 10BaseT Ethernet port; Support for EzVPN Remote and Server

(Table 2-3 continues.)

Posted: 13/12/2013, 05:15
