Infosecurity 2002
Agenda
- Why VPN
- Reference architecture
- Cisco VPN solutions
- Security keys: eToken and smart cards
- Demo track
Why VPN
Reference architectures
[Figure: reference architectures. Branch Office LAN-to-LAN VPN over T1/E1 or Ethernet, and Remote Access VPN for dialup and roaming users (analog, ISDN, cable, DSL) across the Internet to a router with outside, DMZ 1, DMZ 2 and inside interfaces]
Interoperable solutions
- PIX <-> IOS
- Client -> PIX
- IOS <-> VPN concentrator
- Client -> VPN concentrator
- PIX <-> VPN concentrator
- Client -> IOS (Unity client)
Designed for Enterprise VPN services
- Scalability: modular and upgradeable
- Performance: encryption in hardware
- Flexibility: VPN for remote access, LAN-to-LAN and extranet; fully interoperable with PIX and IOS
- High availability: redundant power, redundant Encryption Processors, dual flash, VRRP, load balancing
2001, Cisco Systems, Inc. All rights reserved.
Management: web-based graphical interface
Security: support for the major VPN protocols
Ease of deployment:
- Non-disruptive insertion into existing networks (routers, firewalls, authentication servers, etc.)
- Client software included with an unlimited license, preconfigurable for remote installation
Model  Tunnels  Encryption  Performance  Memory  SEPs installed  Redundant PS  Redundant SEPs  Upgradeable
3005
3015   100      S/W         4 Mbps       64 MB   0               Option        N/A             Yes
3030   1,500    H/W         50 Mbps      128 MB  1               Option        Option          Yes
3060   5,000    H/W         100 Mbps     256 MB  2               Option        Option          No
3080   10,000   H/W         100 Mbps     256 MB  4               Included      Included        No
- Fixed configuration
- Encryption in software
- Best suited for: Branch Office, Medium Business
Security
Features: encryption algorithms
- 56-bit DES
- 168-bit Triple-DES
- Microsoft Encryption (MPPE): 40/128-bit RC4
Security
Features
- Digital certificate support: Entrust, Baltimore, CyberTrust, Verisign, RSA Keon, Microsoft Win2K, PGP
- Token and smart card support; tested with Gemplus, Activcard (Schlumberger cards), eAladdin
- Packet filtering, security and personal firewall: profiles defined per user or group; filters by source/destination address, port and protocol; centralized control of the security and personal firewall policies applied on the VPN Client
- Authentication: internal database, RADIUS, SDI (new card and next PIN code), NT Domain, MS-CHAP v1 & v2
High Availability
Features
- 200,000+ hrs. MTBF
- Redundant power supplies and fans, dual image flash memory
- Hot swap, redundant Service Encryption Processors (SEP)
- Remote Access: backup server for VPN Client v3.5 for Microsoft, Linux, Sun Solaris, MacOS; backup server list for the VPN 3002 hardware client v3.5
- LAN to LAN: Virtual Router Redundancy Protocol (VRRP) and load balancing, automatic recovery, same IP addresses and MAC addresses
Redundancy
Features
- Remote Access: with client software for Microsoft, Linux, Sun Solaris, MacOS
- LAN to LAN: Virtual Router Redundancy Protocol (VRRP) and load balancing, automatic recovery, same IP addresses and MAC addresses
[Figure: LAN-to-LAN redundancy. A branch office reaches the central site over the Internet (T1/T3) with Peer = A; two concentrator IP address lists are shown, one ordered A, B, C and the other B, A, C]
Management
Features
- Multi-level control: role-based management
- FTP/TFTP support
Console/Telnet interface: character-based, menu-driven
NETWORK COMPUTING: "...has a great overall management architecture with configuration options laid out in a logical tree structure, a hierarchical profile management and excellent troubleshooting tools."
Smart card support: Gemplus, Activcard (Schlumberger cards), Aladdin
IPsec/UDP and IPsec/TCP
Allow IPsec tunnels to be built in environments with intermediate NAT, typically extranets.
Single-Click Installation
Preconfigured .INI file
[Figure: remote user connecting through a router to the Central Site]
[Figure: front view of the VPN 3002]
- Basic 3002 without switch; 3002 unit with 8-port 10/100 switch
- External power supply
- RS-232 console with RJ-45 connector
- 10/100 Mbps Ethernet ports; switch with Auto-MDIX, eliminating crossover cables
- Reset switch to return the unit to the default configuration
- 6x8x2 size with flat top and wall-mount keyholes
- Silent, convection-cooled operation
- FCC Class B certification, CISPR, CUL, others
Security
- The 3002 only allows sessions to be opened outbound
- Supports pre-shared secrets and digital certificates
- Policies are managed and enforced by the VPN Concentrator
[Figure: VPN 3002 in Client mode. Public side: address 178.168.0.52 assigned by the concentrator to the client (which appears to be locally on the 3030 network); private side: stations behind the 3002; an external site (Yahoo) reached through split tunneling]
As a DHCP server, the 3002 maintains a pool of addresses to assign to the stations on the private network (e.g. this station is served the address 192.168.5.1 with subnet mask 255.255.255.0). Outbound NAT/PAT hides the stations.
In Client mode, the stations behind the 3002 are invisible to the outside world regardless of whether split tunneling is used. In Network Extension mode, the stations behind the 3002 are visible only from the Central Site. PAT is always used to connect to the Internet via split tunneling. Only outbound connections are allowed.
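The following toy port-address-translation (PAT) model is an added example and is not code from the Cisco deck or from the VPN 3000 product. It illustrates two points from these slides: the Client-mode behaviour just described (stations behind the 3002 share one public address and only replies to flows they opened themselves get back in), and the earlier IPsec/UDP and IPsec/TCP slide (plain ESP, IP protocol 50, carries no port field, so a port-based translator in the path cannot keep two inner hosts' tunnels apart, whereas wrapping ESP in UDP or TCP gives it a port to map). The public address 178.168.0.52 and the DHCP pool address 192.168.5.1 come from the slide; the concentrator and web site addresses, the second station, the flow ports and the UDP encapsulation port 10000 are constructed or assumed for the example.

```python
"""Toy PAT model (added example, not Cisco's implementation).

Demonstrates:
  * a single public address shared by every inner station, outbound only;
  * why bare ESP does not survive a port-based translator shared by two
    hosts, while UDP-encapsulated ESP does.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PROTO_UDP = 17
PROTO_ESP = 50
IPSEC_UDP_PORT = 10000  # assumed encapsulation port, not taken from the slides


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for port-less protocols such as ESP
    dport: Optional[int] = None


@dataclass
class PatDevice:
    """One public address in front of a private network; flows open outbound only."""
    public_ip: str
    next_port: int = 40000
    # (inner ip, inner port, proto) -> public port handed out for that flow
    out_map: Dict[Tuple[str, int, int], int] = field(default_factory=dict)
    # (proto, public port) -> (inner ip, inner port) used to demultiplex replies
    in_map: Dict[Tuple[int, int], Tuple[str, int]] = field(default_factory=dict)
    # port-less protocols: only one inner host per protocol can be mapped
    portless: Dict[int, str] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inner -> Internet packet; None means the PAT drops it."""
        if pkt.sport is None:
            owner = self.portless.setdefault(pkt.proto, pkt.src)
            if owner != pkt.src:
                return None  # a second host on a port-less protocol: replies could not be told apart
            return Packet(self.public_ip, pkt.dst, pkt.proto)
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst, pkt.proto, self.out_map[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet -> public packet; unsolicited traffic is dropped."""
        if pkt.dport is None:
            inner = self.portless.get(pkt.proto)
            return Packet(pkt.src, inner, pkt.proto) if inner else None
        entry = self.in_map.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # no inner station opened this flow
        inner_ip, inner_port = entry
        return Packet(pkt.src, inner_ip, pkt.proto, pkt.sport, inner_port)


def run_scenario() -> dict:
    """Run the four situations described in the lead-in and return their outcomes."""
    pat = PatDevice(public_ip="178.168.0.52")  # public address shown on the slide
    st1, st2 = "192.168.5.1", "192.168.5.2"   # DHCP pool addresses behind the 3002
    conc = "203.0.113.10"                     # constructed concentrator address
    web = "198.51.100.7"                      # constructed public web site

    # 1. Unsolicited inbound attempt: no inner station opened it, so it is dropped.
    unsolicited = pat.inbound(Packet(web, pat.public_ip, PROTO_UDP, 53, 5000))

    # 2. Split-tunnel web traffic from station 1, and the reply finding its way back.
    out_web = pat.outbound(Packet(st1, web, PROTO_UDP, 5000, 80))
    back_web = pat.inbound(Packet(web, pat.public_ip, PROTO_UDP, 80, out_web.sport))

    # 3. Two stations each try a bare ESP tunnel through the same PAT.
    esp1 = pat.outbound(Packet(st1, conc, PROTO_ESP))
    esp2 = pat.outbound(Packet(st2, conc, PROTO_ESP))

    # 4. The same two stations with ESP encapsulated in UDP: both get distinct mappings.
    udp1 = pat.outbound(Packet(st1, conc, PROTO_UDP, IPSEC_UDP_PORT, IPSEC_UDP_PORT))
    udp2 = pat.outbound(Packet(st2, conc, PROTO_UDP, IPSEC_UDP_PORT, IPSEC_UDP_PORT))
    reply2 = pat.inbound(Packet(conc, pat.public_ip, PROTO_UDP, IPSEC_UDP_PORT, udp2.sport))

    return {
        "unsolicited_dropped": unsolicited is None,
        "web_reply_station": back_web.dst,
        "web_reply_port": back_web.dport,
        "bare_esp_first_ok": esp1 is not None,
        "bare_esp_second_dropped": esp2 is None,
        "udp_ports_distinct": udp1.sport != udp2.sport,
        "udp_reply_station": reply2.dst,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model deliberately keeps only one state table per protocol for port-less traffic; real translators vary (some track ESP by SPI), but the point the slide makes holds: without a transport port the translator has nothing reliable to multiplex on, which is exactly what the UDP or TCP wrapper supplies.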
Aladdin
Features: insert a single reference slide for partner Aladdin, who will then hold their own session
Demo track
Insert the demo diagram and track