
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L5 1 Implementing Secure Converged Wide Area Networks (ISCW) Module 3.1.


2 Major Concepts in Module 3
- Describe the purpose and operation of VPN types
- Describe the purpose and operation of GRE VPNs
- Describe the components and operation of IPsec VPNs
- Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using the CLI
- Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM
- Configure and verify a remote-access VPN

3 Module 3 Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPsec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPsec operation

4 Module 3 Objectives (continued)
9. Describe how to prepare for IPsec by ensuring that ACLs are compatible with IPsec
10. Configure IKE policies using the CLI
11. Configure the IPsec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPsec configuration
15. Describe how to configure IPsec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM

5 Module 3 Objectives (continued)
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are offering telecommuting options to their employees
20. Differentiate between remote-access IPsec VPN solutions and SSL VPNs
21. Describe how SSL is used to establish a secure VPN connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN server using SDM
24. Connect a VPN client using the Cisco VPN Client software

6 What is a VPN?
Virtual: information within a private network is transported over a public network.
Private: the traffic is encrypted to keep the data confidential.
[Diagram: corporate network (VPN gateway, firewall, CSA) connected over the Internet and WAN to a regional branch with a VPN-enabled Cisco ISR router, a SOHO with a Cisco DSL router, a mobile worker with the Cisco VPN Client, and a business partner with a Cisco router]

7 Layer 3 VPN
- Generic Routing Encapsulation (GRE)
- Multiprotocol Label Switching (MPLS)
- IPsec
[Diagram: SOHO with a Cisco DSL router reaching the VPN gateway across the Internet over IPsec]

8 Types of VPN Networks
- Site-to-site VPNs: regional branch with a VPN-enabled Cisco ISR router, SOHO with a Cisco DSL router, business partner with a Cisco router
- Remote-access VPNs: mobile worker with the Cisco VPN Client
[Diagram: corporate network with VPN gateway, firewall, IPS, CSA, MARS, IronPort, web, email and DNS servers, connected over the Internet and WAN]

9 Site-to-Site VPN
Hosts send and receive normal TCP/IP traffic through a VPN gateway.
[Diagram: the site-to-site peers of slide 8 (regional branch, SOHO, business partner) terminating on the corporate VPN gateway]

10 Remote-Access VPNs
[Diagram: mobile worker with the Cisco VPN Client reaching the corporate VPN gateway over the Internet]

11 VPN Client Software
In a remote-access VPN, each host typically has Cisco VPN Client software.
[Screenshot: Cisco VPN Client with a connection entry named "R1" pointing at the host R1-vpn-cluster.span.com]

12 Cisco IOS SSL VPN
- Provides remote-access connectivity from any Internet-enabled host
- Uses a web browser and SSL encryption
- Delivers two modes of access: clientless and thin client

13 Cisco VPN Product Family
Product choice by role (remote-access VPN / site-to-site VPN):
- Cisco VPN-enabled router: secondary role / primary role
- Cisco PIX 500 Series Security Appliances: secondary role / primary role
- Cisco ASA 5500 Series Adaptive Security Appliances: primary role / secondary role
- Cisco VPN 3000 Series Concentrators: primary role / secondary role
- Home routers: primary role

14 Cisco VPN-Optimized Routers
[Diagram: main office, regional office, remote office and SOHO Cisco routers interconnected over the Internet]
VPN features:
- Voice and video enabled VPN (V3PN)
- IPsec stateful failover
- DMVPN
- IPsec and Multiprotocol Label Switching (MPLS) integration
- Cisco Easy VPN

15 Cisco ASA 5500 Series Adaptive Security Appliances
- Flexible platform
- Resilient clustering
- Cisco Easy VPN
- Automatic Cisco VPN
- Cisco IOS SSL VPN
- VPN infrastructure for contemporary applications
- Integrated web-based management
[Diagram: central site serving an intranet remote site, a business-to-business extranet and a remote user across the Internet]

16 IPsec Clients
Provide remote users with secure VPN connections.
- Cisco AnyConnect VPN Client
- Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA
- Cisco VPN Software Client: software loaded on a PC
- Router with firewall and VPN client: a network appliance that connects SOHO LANs to the VPN
[Diagram: small office and individual clients reaching the VPN over the Internet]

17 Hardware Acceleration Modules
- AIM
- Cisco IPsec VPN Shared Port Adapter (SPA)
- Cisco PIX VPN Accelerator Card+ (VAC+)
- Enhanced Scalable Encryption Processing (SEP-E)
[Photo: Cisco IPsec VPN SPA]

18 GRE VPN Overview

19 Encapsulation
[Diagram: the original IP packet is carried inside a GRE header and a new outer IP header]

20 Configuring a GRE Tunnel
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#

Steps, in the order of the commands above: create a tunnel interface; assign the tunnel an IP address; identify the source tunnel interface; identify the destination of the tunnel; configure what protocol GRE will encapsulate.

21 Using GRE
[Decision flowchart] User traffic: is it IP only? No: use a GRE tunnel. Yes: is it unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.
GRE does not provide encryption.
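The encapsulation of slides 19 to 21, as an added example that is not part of the Cisco deck: a small Python model that builds a GRE-in-IPv4 frame the way the tunnel interface does (outer IPv4 header with protocol 47, a 4-byte GRE header carrying protocol type 0x0800, then the original packet), parses it back out, and shows why slide 21 says GRE does not provide encryption: the inner packet and its payload travel byte-for-byte in the clear. The tunnel endpoints 192.168.3.3 and 192.168.5.5 are the slide's tunnel destinations; the inner host addresses and the payload are constructed sample values.

```python
import socket
import struct

GRE_PROTO_IP = 0x0800   # protocol type in the GRE header for an IPv4 payload
IPPROTO_GRE = 47        # outer IP protocol number for GRE


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (0 means valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IP packet as the tunnel interface does: outer IPv4 (proto 47) + GRE header + original packet."""
    gre_hdr = struct.pack("!HH", 0, GRE_PROTO_IP)   # flags/version = 0, protocol type = IPv4
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, 4 + len(inner_packet))
    return outer + gre_hdr + inner_packet


def gre_decapsulate(frame: bytes) -> dict:
    """Parse an outer IPv4 + GRE frame into tunnel endpoints, inner addresses and inner payload."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet (outer protocol %d)" % frame[9])
    if ip_checksum(frame[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    flags, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    if ptype != GRE_PROTO_IP:
        raise ValueError("unsupported GRE protocol type 0x%04x" % ptype)
    # C (bit 15), K (bit 13) and S (bit 12) add optional fields after the 4-byte header;
    # the basic tunnel of slide 20 sets none of them, so this parser handles only that case.
    if flags & 0xB000:
        raise ValueError("optional GRE fields present; only the basic 4-byte header is handled")
    inner = frame[ihl + 4:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "tunnel_src": socket.inet_ntoa(frame[12:16]),
        "tunnel_dst": socket.inet_ntoa(frame[16:20]),
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_payload": inner[inner_ihl:],
    }


def demo() -> dict:
    """Encapsulate a constructed LAN-to-LAN packet, decapsulate it, and check what an observer sees."""
    # Constructed inner packet: a host behind R1 talking to a host behind R2.
    # IP protocol 253 is reserved for experimentation, so the payload sits directly after the header.
    payload = b"constructed cleartext payload"
    inner = ipv4_header("10.3.0.10", "10.5.0.20", 253, len(payload)) + payload
    # Tunnel endpoints from the slide: R1's source (192.168.3.3) to R2's address 192.168.5.5.
    frame = gre_encapsulate(inner, "192.168.3.3", "192.168.5.5")
    parsed = gre_decapsulate(frame)
    # The point of slide 21: the payload bytes appear unchanged in the frame on the wire.
    parsed["payload_visible_in_clear"] = payload in frame
    return parsed


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Anyone capturing the outer packets on the path can read the inner addresses and payload without any key, which is why a GRE tunnel across the Internet still needs IPsec when confidentiality matters. The parser deliberately rejects frames whose GRE header sets the checksum, key or sequence flags; a tunnel configured with a key or sequencing carries extra fields that this minimal parser does not decode.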

22 IPsec Topology
IPsec works at the network layer, protecting and authenticating IP packets. It is a framework of open standards which is algorithm-independent. It provides data confidentiality, data integrity, and origin authentication.
[Diagram: main site (ASA, legacy concentrator, perimeter router, legacy Cisco PIX firewall, corporate network) reached over IPsec through the Internet POP by a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco VPN Client on a laptop]

23 IPsec Framework
[Diagram of the IPsec framework; the surviving labels are Diffie-Hellman and DH7]

24 Confidentiality
[Diagram labels: Diffie-Hellman, DH7]
Encryption key lengths, ordered on the slide from least secure to most secure:
- 56 bits (DES)
- 56 bits, applied 3 times (3DES)
- 160 bits (SEAL)
- 128, 192 or 256 bits (AES)

25 Integrity
[Diagram labels: Diffie-Hellman, DH7]
Hash key lengths, ordered from least secure to most secure:
- 128 bits (MD5 HMAC)
- 160 bits (SHA-1 HMAC)

26 Authentication
[Diagram labels: Diffie-Hellman, DH7]

27 Pre-shared Key (PSK)
At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
The authentication process continues in the opposite direction. The remote device combines its identity information with the pre-shared authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.

28 RSA Signatures
At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm, forming hash_I. hash_I is encrypted using the local device's private key, creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public key for decrypting the signature is included in the digital certificate.
The remote device verifies the digital signature by decrypting it using the public key. The result is hash_I. Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated.
After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.

29 Diffie-Hellman Secure Key Exchange
[Diagram labels: DH7]
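The pre-shared-key exchange of slide 27 and the Diffie-Hellman exchange of slide 29, as an added Python example rather than code from the Cisco deck. It models the steps the slide describes: each device derives an authentication key from the PSK it has configured, feeds that key, the Diffie-Hellman shared secret and its own identity information through a keyed hash (HMAC-SHA256 here) to form hash_I or hash_R, sends the value to the peer, and the peer recomputes it with its own key and compares. The Diffie-Hellman modulus and generator, the fixed private exponents, the nonces and the identities are constructed for the demonstration (the identities reuse the slide's tunnel endpoint addresses); the real IKE key-derivation formulas are more involved than this simplified model.

```python
import hashlib
import hmac

# Demonstration-only DH parameters (constructed): the Mersenne prime 2**127 - 1 with generator 5.
# This is not an IKE group. The slides' "DH7" is a 163-bit elliptic-curve group, and production
# IKE uses the MODP/ECC groups defined in the RFCs; the small modulus only keeps values readable.
P = (1 << 127) - 1
G = 5
SECRET_LEN = (P.bit_length() + 7) // 8


def dh_public(private_exponent: int) -> int:
    """Public value g^x mod p, sent in the clear during the exchange."""
    return pow(G, private_exponent, P)


def dh_shared_secret(private_exponent: int, peer_public: int) -> bytes:
    """Shared secret g^xy mod p: never transmitted, derived independently by each side."""
    return pow(peer_public, private_exponent, P).to_bytes(SECRET_LEN, "big")


def derive_auth_key(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Simplified model of the PSK-based authentication key: keyed hash of both nonces under the PSK."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def auth_hash(auth_key: bytes, shared_secret: bytes, identity: bytes) -> bytes:
    """hash_I / hash_R from slide 27: authentication key, DH secret and identity through a keyed hash."""
    return hmac.new(auth_key, shared_secret + identity, hashlib.sha256).digest()


def psk_mutual_auth(psk_local: bytes, psk_remote: bytes) -> dict:
    """Run the slide-27 exchange and report whether each direction authenticates.

    psk_local / psk_remote are the keys each device has configured; they differ only when one
    side is misconfigured or is an impostor that does not know the key.
    """
    # Constructed fixed exponents and nonces so the run is reproducible (real peers pick them randomly).
    x_local, x_remote = 0x123456789ABCDEF01357, 0x0FEDCBA9876543212468
    nonce_i, nonce_r = b"\x01" * 16, b"\x02" * 16
    id_local, id_remote = b"192.168.3.3", b"192.168.5.5"   # identities: the slide's tunnel endpoints

    # Step 1: exchange public DH values; each side derives the same shared secret on its own.
    pub_local, pub_remote = dh_public(x_local), dh_public(x_remote)
    secret_local = dh_shared_secret(x_local, pub_remote)
    secret_remote = dh_shared_secret(x_remote, pub_local)

    # Step 2: each side derives its authentication key from the PSK it has configured.
    key_local = derive_auth_key(psk_local, nonce_i, nonce_r)
    key_remote = derive_auth_key(psk_remote, nonce_i, nonce_r)

    # Step 3: local sends hash_I; remote recomputes it with its own key and compares in constant time.
    hash_i = auth_hash(key_local, secret_local, id_local)
    local_authenticated = hmac.compare_digest(
        hash_i, auth_hash(key_remote, secret_remote, id_local))

    # Step 4: remote sends hash_R; local recomputes and compares the same way.
    hash_r = auth_hash(key_remote, secret_remote, id_remote)
    remote_authenticated = hmac.compare_digest(
        hash_r, auth_hash(key_local, secret_local, id_remote))

    return {
        "dh_secrets_match": secret_local == secret_remote,
        "local_authenticated": local_authenticated,
        "remote_authenticated": remote_authenticated,
    }


if __name__ == "__main__":
    print("matching keys:  ", psk_mutual_auth(b"constructed-psk", b"constructed-psk"))
    print("mismatched keys:", psk_mutual_auth(b"constructed-psk", b"wrong-key"))
```

With matching keys both directions authenticate. With a mismatched key the Diffie-Hellman secrets still agree, because that exchange is unauthenticated on its own, but neither hash verifies; that is the symptom behind a pre-shared key mismatch during IKE negotiation. The RSA-signature variant of slide 28 replaces the keyed-hash comparison with a signature over hash_I that the peer checks against the public key in the certificate; this block does not implement that variant.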
