Cisco VPN 3000 Series Concentrator Hardware Chapter 3 - PowerPoint PPT Presentation

Provided by: aspy
Transcript and Presenter's Notes

1
Lecture 3
  • Cisco VPN 3000 Series Concentrator
    Hardware, Chapter 3

2
Lecture 3 - Objectives
  • Identify VPN 3000 Concentrator Series Models
  • List Major Advantages of Cisco VPN 3000
    Concentrator Series Models
  • Define Remote Access Types
  • List VPN Characteristics
  • Define Ease of Deployment and Use
  • Describe Performance and Scalability
  • List the routing protocols and standards-based
    tunneling protocols VPN 3000 Concentrators support

3
Lecture 3 Objectives (cont.)
  • Determine placement options of the VPN
    Concentrator in the network
  • Define Fault Tolerance
  • List the three management areas of the Management
    Interface
  • Identify and compare VPN 3000 Concentrator Series
    Models
  • Identify VPN Concentrators Features
  • Define VPN Clients that operate with VPN 3000
    Concentrators

4
Chapter 3 - VPN 3000 Concentrators Overview
  • In January 2000, Cisco purchased Altiga Networks
    of Franklin, Massachusetts, acquiring
    • VPN concentrators
    • Client software
    • Web-based management software
  • Cisco has enhanced the product line
    • Top-end concentrator
    • Hardware client (3002 Concentrator)
    • Improvements to the software client

5
Chapter 3 - Major Advantages of Cisco VPN 3000
Series Concentrators
  • Extremely versatile
  • High performance
  • Secure
  • Fault tolerant
  • High-speed Internet access gives SOHO users
    secure, full network access at speeds up to
    25 times faster than dial-up

6
Chapter 3 - Major Advantages of Cisco VPN 3000
Series Concentrators
  • VPN 3000 Concentrator series consists of six
    models ranging from SOHO applications to large
    company applications
  • Standards-based centralized management tool
    enables real-time statistics gathering and
    reporting
  • Works with existing RADIUS, TACACS+, NT Domain, or
    Security Dynamics servers
  • Firewall features make it possible to customize
    the access permitted to individual connections
    coming through the concentrator

7
Chapter 3 - Remote Access Types
  • Low-speed remote users
    • Dial-up
  • Broadband
    • Cable modem
    • DSL
  • Wireless
    • VPN clients provide an additional layer of
      encryption security to wireless communications.
      IPSec encryption end-to-end between client and
      concentrator can be combined with the encryption
      provided by wireless Wired Equivalent Privacy
      (WEP). IPSec with 3DES encryption for wireless
      communications is one of Cisco's recommendations

Figure 3.2 Remote Access Types
8
Chapter 3 - VPN Characteristics
  • Ease with which you can deploy them
  • Performance and scalability
  • Security
  • Fault tolerance
  • Management interface
  • Ease with which you can upgrade them

9
Chapter 3 - Ease of Deployment and Use
  • No infrastructure changes
  • Works with existing authentication servers
    • Remote Authentication Dial-In User Service
      (RADIUS)
    • Terminal Access Controller Access Control System
      Plus (TACACS+)
    • NT Domain
    • Security Dynamics servers
  • Or: VPN concentrators can also authenticate users
    from an internal database

10
Chapter 3 - Performance and Scalability
  • 3DES-encrypted throughput on the Cisco VPN
    Concentrators is rated at up to 100 Mbps
  • Scalable Encryption Processors (SEPs) on the
    modular devices
  • SEPs are powered by programmable digital signal
    processors (DSPs) in the encryption engine
  • Each SEP provides 25 Mbps of 3DES encryption
    making the VPN concentrators scalable
  • Hardware-assisted encryption makes these VPN
    concentrators extremely fast in comparison to
    software-based encryption devices

11
Chapter 3 - Supports Routing Protocols
  • RIP versions 1 and 2
  • OSPF
  • Static routes

12
Chapter 3 - Supports Standards-Based Tunneling
Protocols
  • Internet Protocol Security (IPSec)
  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)
  • L2TP/IPSec
  • Network Address Translation (NAT) Transparent
    IPSec

13
Chapter 3 - VPN Concentrator Security and
Placement Options
  • Security
    • 3DES with IPSec
    • Authentication servers
    • Digital certificates
    • Tokens
  • Placement options
    • In front of a firewall
    • Behind a firewall
    • In parallel with a firewall
    • In the DMZ of a firewall

14
Chapter 3 - VPN Concentrator Security and
Placement Options
  • In front of or without a firewall
  • Behind a firewall
  • In parallel with a firewall
  • On a DMZ

15
Chapter 3 - VPN Concentrator Security and
Placement Options
  • In front of or without a firewall
    • Useful for configuring remote access over the
      Internet when the local site does not require
      external Internet access
    • The concentrator is in the data path, so all
      outbound traffic traverses it
    • The concentrator can serve as the firewall

Figure 3.3 VPN Concentrator in Front of Firewall
16
Chapter 3 - VPN Concentrator Security and
Placement Options
  • Behind a firewall
    • The firewall is the first line of defense
    • The firewall must allow IKE and ESP/AH traffic
      from any source address
    • The concentrator is in the data path, so all
      traffic must traverse it

Figure 3.4 VPN Concentrator Behind Firewall
17
Chapter 3 - VPN Concentrator Security and
Placement Options
  • In parallel with a firewall
    • Preferred option
    • The concentrator is not in the data path
    • VPN users connect to the concentrator without
      going through the firewall
    • The concentrator and the firewall are publicly
      addressed

Figure 3.5 VPN Concentrator Parallel with Firewall
18
Chapter 3 - VPN Concentrator Security and
Placement Options
  • On a DMZ
    • IKE and ESP/AH must be allowed from any source
      address
    • The private interface on the concentrator
      connects directly to the inside network

Figure 3.6 VPN Concentrator in DMZ
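As an added example (not from the slides or from Cisco), the filter an edge firewall needs in front of the concentrator for the "behind a firewall" and "on a DMZ" placements above, modelled in Python: IKE, ESP and AH are passed from any source, but only to the concentrator's public address, which is a constructed value. UDP 4500 is included because slide 12 lists NAT-transparent IPSec; the Packet/firewall_permits/audit names are made up for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Protocol numbers/ports of the traffic slides 16 and 18 say must reach the concentrator.
IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 6, 17, 50, 51
IKE_PORT = 500        # IKE/ISAKMP
NAT_T_PORT = 4500     # IPsec NAT traversal (slide 12's NAT-transparent IPSec)
CONCENTRATOR_PUBLIC = ip_address("203.0.113.10")   # constructed, documentation range

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

# (protocol, destination port or None for "any port"). The source is left
# unrestricted on purpose: remote users arrive from arbitrary addresses.
PERMIT_TO_CONCENTRATOR: List[Tuple[int, Optional[int]]] = [
    (IP_PROTO_UDP, IKE_PORT),
    (IP_PROTO_UDP, NAT_T_PORT),
    (IP_PROTO_ESP, None),
    (IP_PROTO_AH, None),
]

def firewall_permits(pkt: Packet) -> bool:
    """True if the edge firewall should forward pkt. Only the IPsec channels
    reach the concentrator; anything else aimed at it, such as its web
    manager on TCP 443, is dropped at the firewall."""
    if ip_address(pkt.dst) != CONCENTRATOR_PUBLIC:
        return False
    return any(pkt.proto == proto and port in (None, pkt.dport)
               for proto, port in PERMIT_TO_CONCENTRATOR)

def audit(packets: List[Packet]) -> List[str]:
    """Verdict per packet, in order, for review."""
    return ["PERMIT" if firewall_permits(p) else "DENY" for p in packets]

SAMPLE = [  # constructed traffic, not captured data
    Packet("198.51.100.7", "203.0.113.10", IP_PROTO_UDP, IKE_PORT),  # IKE from a remote user
    Packet("198.51.100.7", "203.0.113.10", IP_PROTO_ESP),            # ESP data channel
    Packet("198.51.100.9", "203.0.113.10", IP_PROTO_AH),             # AH
    Packet("198.51.100.9", "203.0.113.10", IP_PROTO_TCP, 443),       # web manager from the Internet
    Packet("198.51.100.9", "203.0.113.11", IP_PROTO_ESP),            # ESP to some other host
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, audit(SAMPLE)):
        print(f"{verdict:6} {pkt.src} -> {pkt.dst} proto={pkt.proto} dport={pkt.dport}")
```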
19
Chapter 3 - VPN Concentrator Security and
Placement Options
  • Permit or deny all types of traffic
  • Handshake with client-based firewalls
    • Can push firewall settings to the VPN Client,
      which then monitors firewall activity through an
      enforcement mechanism called Are You There (AYT).
      The AYT policy causes the client to poll the
      firewall every 30 seconds. If the firewall
      doesn't respond, the VPN client drops the
      connection

20
Chapter 3 - VPN Concentrator Security and
Placement Options
  • Centralized management of concentrators and
    clients
  • The VPN manager is a web-based management tool
    that can be secured using HTTPS or through an
    encrypted tunnel
  • The Cisco VPN 3000 Concentrators and the Cisco
    VPN Client also provide additional security for
    wireless transmissions through end-to-end 3DES
    encryption over IPSec

21
Chapter 3 - Fault Tolerance
  • The mean time between failure (MTBF) is slightly
    over 22 years
  • Failover protocol
    • Virtual Router Redundancy Protocol (VRRP)

Figure 3.7 VPN Concentrators and VRRP
22
Chapter 3 - Management Interface
  • Command-line interface (CLI)
    • Initial configuration stages
  • Web interface
    • Intuitive menu systems
    • Onscreen help
    • Drop-down-box selection windows
    • Error checking
    • Security

23
Chapter 3 - Management Interface VPN Concentrator
Manager
  • Configuration
  • Administration
  • Monitoring

Figure 3.8 VPN Concentrator Manager Main Page
24
Chapter 3 - Management Interface VPN Concentrator
Manager
  • Configuration

Figure 3.9 VPN Concentrator Manager -
Configuration
Figure 3.10 VPN Concentrator Manager -
Configuration\Interfaces
25
Chapter 3 - Management Interface VPN Concentrator
Manager
  • Administration

Figure 3.11 VPN Concentrator Manager -
Administration
26
Chapter 3 - Management Interface VPN Concentrator
Manager
  • Monitoring

Figure 3.12 VPN Concentrator Manager - Monitoring
27
Chapter 3 - Ease of Upgrades
  • Two basic chassis
    • 1U-high fixed-configuration box, used for the
      3005 Concentrator
    • 2U-high modular box, used for all others
  • The 3005 is not upgradeable

28
Chapter 3 - Cisco VPN 3000 Concentrators
Figure 3.13 Cisco VPN Concentrator
29
Chapter 3 - VPN 3000 Concentrators for small- to
mid-sized companies
  • 3005 and 3015
    • 4 Mbps throughput
    • 200 simultaneous users / 100 site-to-site tunnels
    • Software-based encryption processing
  • 3005
    • 32 MB memory, 2 network interfaces
  • 3015
    • 64 MB memory, 3 network interfaces
    • Redundant power supplies possible
    • Field upgradeable

30
Chapter 3 - VPN 3000 Concentrators for small- to
mid-sized companies
Figure 3.14 Cisco VPN 3005 Concentrator
Figure 3.15 Cisco VPN 3015 Concentrator
31
Chapter 3 - VPN 3000 Concentrators for medium- to
large-sized companies
  • 3020 and 3030
    • 50 Mbps throughput
    • 128 MB memory, 3 network interfaces
    • 1 hardware-based encryption processing module
  • 3020
    • 750 simultaneous users / 500 site-to-site tunnels
    • Not upgradeable; no redundant power supply
  • 3030
    • 1,500 simultaneous users / 500 site-to-site tunnels
    • Field upgradeable to 3060

32
Chapter 3 - VPN 3000 Concentrators for
large-sized companies
  • 3060 and 3080
    • 256 MB memory, 3 network interfaces
    • Redundant power supplies
  • 3060
    • 5,000 simultaneous users / 1,000 site-to-site
      tunnels
    • 2 hardware-based encryption processing modules
    • Field upgradeable to 3080
  • 3080
    • 10,000 simultaneous users / 1,000 site-to-site
      tunnels
    • 4 hardware-based encryption processing modules

33
Chapter 3 - VPN 3000 Concentrators for
large-sized companies
Figure 3.16 Cisco VPN Concentrator 3015-3080
Front LED Display Panel
34
Chapter 3 - VPN 3000 Concentrators Features
  • Hardware-based encryption is performed by the SEP
    (Scalable Encryption Processor), or by the SEP-E
    for AES (Advanced Encryption Standard) hardware
    encryption
  • Offloads DES and 3DES encryption tasks
  • Models 3015 and above support up to four SEP
    modules. Two modules are online and the others are
    hot-running spares.

35
Chapter 3 - VPN Hardware Clients
  • Cisco VPN 3002 Hardware Client
    • Built-in Unity Client software
    • Two models
      • 3002: one private and one public interface
      • 3002-8E: one public interface; private
        interface with a built-in 8-port Auto-MDIX
        10/100 Ethernet switch
    • Operates in client mode or network extension mode

36
Chapter 3 - VPN Hardware Clients
  • Cisco VPN 3002 Hardware Client

37
Chapter 3 - VPN Clients
  • Software clients
    • Cisco VPN Software Client (Cisco Unity Client)
      • Shipped with every concentrator
      • Unlimited license
    • Non-Cisco VPN client support
      • Microsoft L2TP/IPSec
      • Microsoft PPTP
      • Certicom VPN client software (movianVPN),
        generates a key in less than 5 seconds
      • Other third-party IPSec clients

38
Chapter 3 - VPN Clients
  • Cisco VPN Software Client
    • Supported operating systems
      • Microsoft Windows (98 Second Edition/Me/2000/XP)
      • Linux / Solaris / Mac OS X
    • Support for the firewall feature with release 3.5
      and later, using one of three modes
      • AYT (Are You There): verifies the presence of a
        firewall before allowing tunnels to be built
      • Stateful firewall (always on)
      • CPP: while the client is connected, applies
        policies set by the administrator to allow or
        drop traffic
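An added example, not from the slides or from Cisco's client: a Python model of the AYT enforcement loop described on slide 19 and listed as the AYT firewall mode above. It shows the 30-second poll, the pre-tunnel presence check, and the consequence a defender should know: a firewall that dies between polls is not noticed until the next poll, so the tunnel stays up unenforced for up to one interval. AytEnforcer, simulate and detection_delay are made-up names.

```python
from dataclasses import dataclass, field
from typing import List, Optional

POLL_INTERVAL_S = 30.0   # AYT poll period given on slide 19

@dataclass
class AytEnforcer:
    """Constructed model of the VPN Client's Are You There (AYT) loop, not
    Cisco's code. The client polls the personal firewall every POLL_INTERVAL_S
    seconds and drops the tunnel at the first poll with no reply; the poll at t=0 is the pre-tunnel check."""
    tunnel_up: bool = False
    next_poll_at: float = 0.0
    dropped_at: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def tick(self, now: float, firewall_answers: bool) -> bool:
        """Advance the clock to `now`, run any due poll; True while the tunnel may stay up."""
        if self.dropped_at is not None:
            return False
        while self.next_poll_at <= now:
            t = self.next_poll_at
            self.next_poll_at += POLL_INTERVAL_S
            if not firewall_answers:
                self.tunnel_up = False
                self.dropped_at = t
                self.events.append(f"t={t:.0f}s no reply, tunnel dropped")
                return False
            self.tunnel_up = True              # first reply lets the tunnel build
            self.events.append(f"t={t:.0f}s firewall answered")
        return self.tunnel_up

def simulate(firewall_down_at: Optional[float], duration_s: float = 120.0) -> AytEnforcer:
    """Drive the enforcer one second at a time against a firewall that stops
    answering at `firewall_down_at` (None: it never fails)."""
    client = AytEnforcer()
    for now in range(int(duration_s) + 1):
        alive = firewall_down_at is None or now < firewall_down_at
        client.tick(float(now), alive)
    return client

def detection_delay(firewall_down_at: float) -> float:
    """Seconds between the firewall dying and the client noticing: the tunnel
    stays up unenforced until the next poll, so up to one poll interval."""
    client = simulate(firewall_down_at)
    return client.dropped_at - firewall_down_at

if __name__ == "__main__":
    print("\n".join(simulate(35.0).events))
    print("worst-case delay (s):", max(detection_delay(float(d)) for d in range(1, 31)))
```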

39
Chapter 3 - VPN Clients
  • Cisco VPN Software Client

40
Lecture 3 - Summary
  • Identify VPN 3000 Concentrator Series Models
  • List Major Advantages of Cisco VPN 3000
    Concentrator Series Models
  • Define Remote Access Types
  • List VPN Characteristics
  • Define Ease of Deployment and Use
  • Describe Performance and Scalability
  • List the routing protocols and standards-based
    tunneling protocols VPN 3000 Concentrators support

41
Lecture 3 - Summary (cont.)
  • Determine placement options of the VPN
    Concentrator in the network
  • Define Fault Tolerance
  • List the three management areas of the Management
    Interface
  • Identify and compare VPN 3000 Concentrator Series
    Models
  • Identify VPN Concentrators Features
  • Define VPN Clients that operate with VPN 3000
    Concentrators

42
Lecture 3 - Labs
  • Lab 2a Introduction to the VPN Concentrator
  • Lab 2b Saving and restoring configuration files