
Cisco VPN solutions

Infosecurity 2002


2001, Cisco Systems, Inc. All rights reserved.

Agenda
- Why VPN
- Reference architecture
- Cisco VPN solutions
- Security keys: eToken and SmartCards
- Demo track


Why VPN
- Cost reduction
- Improvements in:
  - Productivity
  - Communication flexibility
  - Network management

Source: Gartner Group, Fall 2001



Reference architectures
[Diagram: three VPN scenarios reaching the central site over the Internet: Branch Office LAN-LAN VPN (T1/E1, Ethernet); Remote Access VPN for dialup and roaming users (analog, ISDN); Remote Access VPN for SOHO and broadband users (cable, DSL). At the central site a router's outside interface faces the Internet, DMZ 1 and DMZ 2 segments sit between the outside and inside interfaces, and the intranet servers and file servers are on the inside.]


Cisco VPN solutions
- Cisco VPNs based on IOS features (IPSec VPN): Cisco routers for site-to-site IPsec VPN solutions
- Cisco VPN Firewall-to-Firewall: PIX Firewall as IPSec tunnel terminator
- Cisco VPNs based on VPN concentrator and VPN client: dedicated high-performance appliance for LAN-to-LAN and client-access solutions
- Interoperable solutions:
  PIX <-> IOS, IOS <-> VPN concentrator, PIX <-> VPN concentrator
  Client -> PIX, Client -> VPN concentrator, Client -> IOS (Unity client)


Cisco VPN 3000 Concentrator v 3.5


VPN 3000 Series: Features
Purpose-Built
- Designed for enterprise VPN services
- Modular, upgradeable scalability
- Hardware encryption performance
- VPN flexibility: remote access, LAN-LAN, extranet
- Fully interoperable with PIX and IOS
- High availability: redundant power, redundant Encryption Processors, dual flash, VRRP, load balancing

VPN 3000 Series: Features
Purpose-Built
- Management: web-based graphical interface
- Security: support for the major VPN protocols
- Ease of implementation: non-disruptive insertion into existing networks (routers, firewalls, authentication servers, etc.)
- Client software included with unlimited license, preconfigurable for remote installation

VPN based on the 3000 Series
Architecture
[Diagram: same topology as the reference architecture: Branch Office LAN-LAN VPN (T1/E1, Ethernet), Remote Access VPN with Cisco VPN Client (analog, ISDN), SOHO and broadband users with Cisco VPN Client (cable, DSL), all reaching the central site over the Internet; a router's outside interface, DMZ 1 and DMZ 2 segments, and the inside interface in front of the intranet servers and file servers.]

VPN 3000 Concentrator v 3.5
Modular and expandable

Model   Tunnels   Encryption   Performance   Memory   SEPs installed   Redundant PS   Redundant SEPs   Upgradeable
3005    100       S/W          4 Mbps        32 MB    N/A              No             N/A              No
3015    100       S/W          4 Mbps        64 MB    0                Option         N/A              Yes
3030    1,500     H/W          50 Mbps       128 MB   1                Option         Option           Yes
3060    5,000     H/W          100 Mbps      256 MB   2                Option         Option           No
3080    10,000    H/W          100 Mbps      256 MB   4                Included       Included         No

Platform features
Model 3005
- Fixed configuration
- Encryption in software
- Best suited for:
  - Branch office
  - Medium business

Platform features
Models 3015, 3030, 3060, 3080
- Modular
- Expandable
- Redundancy-capable
- Hardware encryption

Security
Features
Encryption algorithms
- 56-bit DES
- 168-bit Triple-DES
- Microsoft Encryption (MPPE): 40/128-bit RC4

IPSec: authentication algorithms
- HMAC (Hashed Message Authentication Code) with MD5
- HMAC with SHA-1
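The two IPSec authentication options listed above are HMAC-MD5-96 and HMAC-SHA-1-96: the HMAC output is truncated to its first 96 bits and carried as the Integrity Check Value (ICV) at the end of each ESP or AH packet. The following Python is an added example, not Cisco code from this deck; the key, SPI, sequence number and "ciphertext" bytes are constructed for illustration. It shows the sender appending the ICV, the receiver verifying it in constant time, and a single flipped bit being rejected by both algorithms.

```python
import hashlib
import hmac

# IPsec truncates both HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404)
# to the first 96 bits (12 bytes) of the MAC; that truncated value is the
# Integrity Check Value (ICV) carried at the end of the ESP or AH packet.
ICV_BYTES = 12

ALGORITHMS = {
    "hmac-md5-96": hashlib.md5,
    "hmac-sha1-96": hashlib.sha1,
}


def compute_icv(key: bytes, authenticated_data: bytes, algorithm: str) -> bytes:
    """Return the 96-bit ICV over the authenticated part of a packet."""
    digest = ALGORITHMS[algorithm]
    return hmac.new(key, authenticated_data, digest).digest()[:ICV_BYTES]


def append_icv(key: bytes, packet: bytes, algorithm: str) -> bytes:
    """Sender side: append the ICV to the ESP header + payload."""
    return packet + compute_icv(key, packet, algorithm)


def verify_icv(key: bytes, packet_with_icv: bytes, algorithm: str) -> bool:
    """Receiver side: recompute the ICV and compare in constant time.

    A packet too short to carry an ICV is rejected outright.
    """
    if len(packet_with_icv) <= ICV_BYTES:
        return False
    body = packet_with_icv[:-ICV_BYTES]
    received = packet_with_icv[-ICV_BYTES:]
    expected = compute_icv(key, body, algorithm)
    return hmac.compare_digest(expected, received)


# Constructed sample data (hypothetical values, not from the Cisco deck):
# an ESP header made of an SPI (4 bytes) and a sequence number (4 bytes),
# followed by bytes standing in for the encrypted payload.
SAMPLE_KEY = bytes.fromhex("0b" * 20)            # 160-bit authentication key
SAMPLE_ESP = bytes.fromhex("0000100000000001") + b"opaque-ciphertext-bytes"


def demo() -> dict:
    """For each algorithm, verify an intact packet and a tampered copy."""
    results = {}
    for algorithm in ALGORITHMS:
        protected = append_icv(SAMPLE_KEY, SAMPLE_ESP, algorithm)
        tampered = bytearray(protected)
        tampered[8] ^= 0x01          # flip one bit inside the ciphertext
        results[algorithm] = (
            verify_icv(SAMPLE_KEY, protected, algorithm),
            verify_icv(SAMPLE_KEY, bytes(tampered), algorithm),
        )
    return results


if __name__ == "__main__":
    for name, (intact_ok, tampered_ok) in demo().items():
        print(f"{name}: intact={intact_ok} tampered={tampered_ok}")
```

The ICV is computed over the ESP header (SPI and sequence number) and the encrypted payload, so an attacker who cannot forge the MAC cannot modify the ciphertext or replay a packet under a different sequence number without detection. The known collision weaknesses of MD5 do not directly break the HMAC construction, but current deployments use the SHA-based variants; both are offered here because the concentrator must interoperate with older peers.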

Key management
- IKE with Diffie-Hellman
- Digital certificates, smartcards and token cards
- SCEP support for CA enrollment

Security
Features
Digital certificate support
- Entrust, Baltimore, CyberTrust, Verisign, RSA Keon, Microsoft Win2K, PGP
Token and smartcard support
- Tested with: Gemplus, Activcard (Schlumberger cards), eAladdin
Packet filtering, security and personal firewall
- Profiles defined per user or group
- Filters by source/destination address, port and protocol
- Centralized control of the enforcement of security and personal-firewall policies on the VPN Client
Authentication
- Internal database, RADIUS, SDI (new card and next PIN code), NT Domain, MS-CHAP v1 & v2

High Availability
Features
- 200,000+ hrs MTBF
- Redundant power supplies and fans, dual-image flash memory
- Hot-swappable, redundant Service Encryption Processors (SEP)
- Remote access: backup server for VPN Client v3.5 on Microsoft, Linux, Sun Solaris, MacOS; backup server list for the VPN 3002 hardware client v3.5
- LAN to LAN: Virtual Router Redundancy Protocol (VRRP) and load balancing; automatic recovery; same IP addresses and MAC addresses

Redundancy
Features
- Remote access: with client software for Microsoft, Linux, Sun Solaris, MacOS
- LAN to LAN: Virtual Router Redundancy Protocol (VRRP) and load balancing; automatic recovery; same IP addresses and MAC addresses

[Diagram: a Branch Office peer (Peer = A) connects over the Internet (T1/T3) to concentrator A at the central site; the IP address lists shown are A, B, C and B, A, C.]

Management
Features
- Web-based and XML management
  - Telnet/SSL (character-based)
  - HTTP/HTTPS (integrated VPN Device Manager)
- Multi-level control: role-based management
- FTP/TFTP support

Console/Telnet interface
Character-based, menu-driven

VPN Device Manager (VDM)
HTML based

NETWORK COMPUTING: "...has a great overall management architecture with configuration options laid out in a logical tree structure, a hierarchical profile management and excellent troubleshooting tools."

Cisco VPN Client v 3.5


VPN 3000 Client 3.5
Features
Broad operating system support
- Windows 95 OSR2+/98/ME/NT4/W2K/XP
- Linux Intel (command line only)
- Solaris UltraSPARC 32-bit (command line only)
- Mac OS X 10.1 (command line only)
Cisco VPN 3000 Client software
- IPSec compliant
- Unlimited license for all models
- Easy deployment: installation wizard
- Backup server support
- Policies controlled by the VPN concentrator

VPN 3000 Client 3.5
Personal firewall and smartcards
Integrated personal firewall (stateful)
- Zone Labs technology (Zone Alarm)
- Two modes:
  - Always On: default policy (user-configurable)
  - Central Protection Policy (CPP): policies controlled and managed centrally
Smartcard support
- Gemplus, Activcard (Schlumberger cards), Aladdin

VPN 3000 Client 3.5
Authentication and NAT support
NT password expiration with MSCHAPv2
- Prompts the user to change the password when it expires. The VPN concentrator v3.5 uses RADIUS MSCHAPv2 authentication with the server (e.g. Cisco Secure ACS v3.0, MS IAS).
IPsec/UDP and IPSec/TCP
- Allow IPSec tunnels to be built in environments with intermediate NAT, typically extranets.

VPN 3000 Client 3.5
Installation and management
Single-click installation
- Preconfigured .INI file
Centralized management of configuration and security policies
- Self-installing with no user intervention
- Configuration and policies are pushed from the concentrator

VPN 3000 Client
Advanced features
Split tunneling (optional)
- IPSec tunnels for enterprise-specific traffic (e.g. email, file servers, etc.)
- Clear-text traffic for ordinary Internet access (e.g. web surfing, newsgroups, etc.)
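The split-tunnel decision described above is a per-destination check against the list of enterprise networks that the concentrator pushes to the client: destinations inside those networks enter the IPSec tunnel, everything else leaves in clear text, and with split tunneling disabled the list is empty and all traffic is tunneled. The Python below is an added example of that selection logic, not the Cisco client's own code; the network list and the four destination addresses are constructed for illustration.

```python
import ipaddress


def build_split_tunnel_policy(protected_networks):
    """Parse the list of enterprise networks pushed by the concentrator.

    An empty list means split tunneling is disabled: everything goes
    through the tunnel.
    """
    return [ipaddress.ip_network(net, strict=False) for net in protected_networks]


def route_decision(destination: str, policy) -> str:
    """Return 'tunnel' for enterprise destinations, 'clear' for everything else."""
    if not policy:
        return "tunnel"
    dst = ipaddress.ip_address(destination)
    return "tunnel" if any(dst in net for net in policy) else "clear"


def classify_flows(flows: dict, policy) -> dict:
    """Apply the policy to a name -> destination IP mapping."""
    return {name: route_decision(ip, policy) for name, ip in flows.items()}


# Constructed sample (hypothetical values, not from the deck): the central
# site's networks and four destinations a remote user might contact.
SAMPLE_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24"]
SAMPLE_FLOWS = {
    "mail-server": "10.1.2.25",
    "file-server": "172.20.5.10",
    "web-site": "203.0.113.80",
    "news-server": "198.51.100.7",
}


def demo() -> dict:
    """Classify the sample flows under the sample split-tunnel policy."""
    policy = build_split_tunnel_policy(SAMPLE_NETWORKS)
    return classify_flows(SAMPLE_FLOWS, policy)


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:12s} -> {path}")
    # With split tunneling disabled, even the web site is tunneled.
    print("web-site (no split) ->", route_decision("203.0.113.80", []))
```

While the tunnel is up, the clear-text side leaves the remote host reachable from the Internet, which is why the deck pairs split tunneling with the client's stateful personal firewall and centrally managed Central Protection Policy; where that control is not deployed, leaving split tunneling disabled keeps all traffic inside the tunnel.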
[Diagram: a Remote User running the Cisco VPN 3000 Client reaches the Central Site (router and Cisco VPN 3000 Concentrator) through the tunnel; Stockmaster.com is shown as the clear-text Internet destination.]

Cisco VPN 3002 Hardware Client Series


Cisco VPN 3002 Hardware Client
Definition of the 3002 Hardware Client:
- The Cisco VPN 3002 Hardware Client can be used in place of the software client: like the software client, but in hardware!
- The 3002 has two primary functions:
  - It is rolled out with the same simplicity as the client
  - It is scalable (>50,000 units)
- The 3002 comes in two hardware versions:
  - Ethernet
  - Ethernet with 8-port 10/100 Mbps Auto-MDIX switch

Cisco VPN 3002 Hardware Client
Physical features
[Front view: basic 3002 without switch; 3002 unit with 8-port 10/100 switch]
- External power supply
- RS-232 console with RJ-45 connector
- 10/100 Mbps Ethernet ports
- Switch with Auto-MDIX, eliminating crossover cables
- Reset switch to return the unit to the default configuration
- 6x8x2 size with flat top and wall-mount keyholes
- Silent, convection-cooled operation
- FCC Class B certification, CISPR, CUL, others

Cisco VPN 3002 Hardware Client
Features
Simple deployment
- The 3002 includes a DHCP client/server, up to 253 stations
- The 3002 has two operating modes:
  - Client Mode: drop-in deployment, invisible, for non-routable networks
  - Network Extension Mode: for routable networks
- Configuration via web or console port
- Throughput up to 1.5 Mbps in 3DES
- Unity Client operation: can connect to VPN 3000, PIX, IOS
Security
- The 3002 only allows sessions to be opened outbound
- Supports pre-shared secret and digital certificates
- Policies managed and enforced by the VPN Concentrator

Cisco VPN 3002 Hardware Client
DHCP and NAPT firewall
[Diagram: Central Site with a Cisco VPN 3030 Concentrator and internal private network 172.168.0.x; Remote Office/Satellite Office behind a Cisco VPN 3002 Hardware Client, with one address for the entire network behind the 3002; a Yahoo site on the Internet. The concentrator assigns 178.168.0.52 to the client, which thinks it is locally on the 3030 network (public and private sides shown).]
- As DHCP client, the 3002 acquires an address (e.g. 24.128.46.83) from the cable modem, ISP, etc.
- As DHCP server, the 3002 maintains a pool of addresses to assign to the stations on the private network (e.g. this station is served the address 192.168.5.1 with subnet mask 255.255.255.0)
- NAT/PAT outbound hides the stations
- In Client mode, the stations behind the 3002 are invisible to the outside world, regardless of whether split tunneling is used
- In Network Extension mode, the stations behind the 3002 are visible only from the Central Site
- PAT is always used to connect to the Internet via split tunneling
- Only outbound connections are allowed

Security keys: eToken e SmartCards


Aladdin
Features
Insert a single reference slide for partner Aladdin, who will then hold their own session

Demo track


Demo track
Insert the diagram and the track of the demo

1999, Cisco Systems, Inc.
