
Performance and Scalability

In the document CCSP Cisco Secure VPN Exam Certification Guide (Page 110-117)

The 3DES-encrypted throughput on the Cisco VPN Concentrators is rated at up to 100 Mbps without performance degradation. This is accomplished by using Scalable Encryption Processors (SEPs) on the modular devices. These SEPs are powered by programmable digital signal processors (DSPs) in the encryption engine. Each SEP provides 25 Mbps of 3DES encryption, making the VPN concentrators scalable.

The software-based DSPs give Cisco the ability to respond to changing standards without the need for customers to replace cards or chipsets in the VPN devices. DSPs also enable Cisco developers to tune the software to maximize performance for various applications. For the Cisco VPN 3000 Series Concentrators, that means maximizing the remote access performance characteristics. Hardware-assisted encryption makes these VPN concentrators extremely fast in comparison to software-based encryption devices.

The Cisco VPN Concentrators were designed specifically as VPN communication devices. They do not perform that function as an afterthought. Cisco VPN Concentrators have been optimized for connectivity, throughput, management, and standards support.

The Cisco VPN Concentrators support the following tunneling protocols:

Internet Protocol Security (IPSec)

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

L2TP/IPSec

Network Address Translation (NAT) Transparent IPSec

The Cisco VPN 3000 Series Concentrators are true routers and offer the following routing options:

Network Address Translation (NAT)

Classless interdomain routing (CIDR)

Reverse Route Injection (RRI)

Table 3-2 lists additional important features of these concentrators.

Table 3-2 Cisco VPN 3000 Concentrator Series Capabilities

Description / Specification

Compatibility
    Client software compatibility:
    Cisco VPN Client (IPSec) for Windows 95, 98, Me, NT 4.0, and 2000, including centralized split-tunneling control and data compression.
    Cisco VPN 3002 Hardware Client.
    Microsoft Point-to-Point Tunneling Protocol (PPTP)/Microsoft Point-to-Point Encryption (MPPE)/Microsoft Point-to-Point Compression (MPPC).
    Microsoft L2TP/IPSec for Windows 2000.
    MovianVPN (Certicom) Handheld VPN Client with ECC.

Encryption/Authentication
    IPSec Encapsulating Security Payload (ESP) using DES/3DES (56/168-bit) with Message Digest 5 (MD5) or Secure Hash Algorithm (SHA); MPPE using the 40/128-bit RC4 encryption algorithm from RSA.

Key Management
    Internet Key Exchange (IKE).
    Perfect Forward Secrecy (PFS).

Third-Party Compatibility
    Certicom, iPass Ready, Funk Steel Belted RADIUS certified, NTS TunnelBuilder VPN Client (Mac and Windows), Microsoft Internet Explorer, Netscape Communicator, Entrust, GTE Cybertrust, Baltimore, RSA Keon, VeriSign.

High Availability
    VRRP protocol for multichassis redundancy and failover.
    Destination pooling for client-based failover and connection reestablishment.
    Redundant SEP modules (optional), power supplies, and fans (3015–3060).
    Redundant SEP modules, power supplies, and fans (3080).

Management
    Configuration: Embedded management interface is accessible via console port, Telnet, Secure Shell (SSH), and Secure HTTP.
    Administrator access is configurable for five levels of authorization. Authentication can be performed externally via TACACS+.
    Role-based management policy separates functions for service provider and end-user management.
    Monitoring: Event logging and notification via e-mail (SMTP).
    Automatic FTP backup of event logs.
    SNMP MIB-II support.

Security

Because the Cisco VPN Concentrators have such a high throughput level for encrypted communications, you can set up all your users for the highest security levels without a loss of functionality or performance. Currently, the highest security option would be IPSec with 3DES encryption. Robust authentication options permit you to set up authentication using either an internal database or external authentication servers. Digital certificates and tokens can also be used to add an extra measure of security.
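To make the "IPSec with 3DES" option concrete, here is an added example (not code from the guide or from Cisco) that builds and verifies an ESP packet the way the Encryption/Authentication row of Table 3-2 describes it: 3DES in CBC mode for confidentiality and HMAC-SHA1 truncated to 96 bits (the "SHA" option) for integrity, in the RFC 2406 packet layout. The SA structure, key bytes, IV and inner packet are constructed for illustration; a concentrator takes its keys from IKE and generates a fresh random IV per packet, and the SEP modules do this work in hardware rather than in software as here.

```go
package main

// Added example, not code from the CCSP guide or from Cisco. Keys, IV and the
// inner packet in main are constructed test values; real SAs take keys from IKE
// and use a fresh random IV (crypto/rand) for every packet.

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	espHdrLen = 8  // SPI (4 bytes) + sequence number (4 bytes)
	blockLen  = 8  // 3DES block size, which is also the IV length
	icvLen    = 12 // HMAC-SHA1-96 integrity check value
)

// SA is one direction of a security association.
type SA struct {
	SPI     uint32
	EncKey  []byte // 24 bytes for 3DES
	AuthKey []byte // HMAC key
	seq     uint32 // outbound sequence number (anti-replay)
}

// Encapsulate builds SPI | seq | IV | 3DES-CBC(inner | pad | padLen | nextHdr) | ICV.
func (sa *SA) Encapsulate(inner []byte, nextHdr byte, iv []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(sa.EncKey) // rejects any key that is not 24 bytes
	if err != nil {
		return nil, err
	}
	if len(iv) != blockLen {
		return nil, errors.New("IV must be one 3DES block")
	}
	// ESP trailer: pad so that inner + pad + 2 trailer bytes fill whole blocks.
	padLen := (blockLen - (len(inner)+2)%blockLen) % blockLen
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 2406 default pad pattern 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHdr)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	sa.seq++
	pkt := make([]byte, espHdrLen, espHdrLen+blockLen+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:], sa.seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	// Encrypt-then-MAC: the ICV covers SPI, sequence number, IV and ciphertext.
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// Decapsulate verifies the ICV before it touches the ciphertext, then strips the trailer.
func (sa *SA) Decapsulate(pkt []byte) (inner []byte, nextHdr byte, err error) {
	if n := len(pkt) - espHdrLen - blockLen - icvLen; n < blockLen || n%blockLen != 0 {
		return nil, 0, errors.New("ESP packet too short or not block aligned")
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, 0, errors.New("ICV mismatch: packet dropped before decryption")
	}
	iv, ct := body[espHdrLen:espHdrLen+blockLen], body[espHdrLen+blockLen:]
	block, err := des.NewTripleDESCipher(sa.EncKey)
	if err != nil {
		return nil, 0, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	if padLen > len(plain)-2 {
		return nil, 0, errors.New("bad pad length")
	}
	return plain[:len(plain)-2-padLen], plain[len(plain)-1], nil
}

func main() {
	// Constructed values: a fixed IV and a byte string standing in for the tunnelled datagram.
	sa := &SA{SPI: 0x1000, EncKey: []byte("0123456789abcdef01234567"), AuthKey: []byte("constructed-key")}
	pkt, err := sa.Encapsulate([]byte("inner IPv4 datagram bytes"), 4, []byte{1, 2, 3, 4, 5, 6, 7, 8})
	if err != nil {
		panic(err)
	}
	inner, next, err := sa.Decapsulate(pkt) // next header 4 = IP-in-IP, i.e. tunnel mode
	fmt.Printf("esp len=%d next=%d inner=%q err=%v\n", len(pkt), next, inner, err)
}
```

Swapping `sha1.New` for `md5.New` gives the HMAC-MD5-96 variant the table's "MD5" option refers to. The order of operations in `Decapsulate` is the security-relevant detail: the ICV is checked over the whole packet first, so a modified or forged packet is dropped without ever being decrypted.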

With the integral firewall capabilities, you have options in where you can locate the concentrators. You can augment the protection of your existing firewall by placing the VPN concentrator in front of or behind the existing firewall. Additionally, you can allow the concentrator to provide its own firewall protection by placing the VPN concentrator in parallel with your existing firewall.

Table 3-2 Cisco VPN 3000 Concentrator Series Capabilities (Continued)

Description / Specification

Security
    Authentication and accounting servers. Support for redundant external authentication servers:
    RADIUS.
    Microsoft NT Domain authentication.
    RSA Security Dynamics (SecurID Ready).
    Internal authentication server for up to 100 users.
    TACACS+ administrative user authentication.
    X.509v3 digital certificates.
    RADIUS accounting.

Internet-Based Packet Filtering
    Source and destination IP address.
    Port and protocol type.
    Fragment protection.
    FTP session filtering.

Policy Management
    By individual user or group:
    Filter profiles.
    Idle and maximum session timeouts.
    Time and day access control.
    Tunneling protocol and security authorization profiles.
    IP pool.
    Authentication servers.
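The Internet-Based Packet Filtering entry of Table 3-2 lists the match fields (source and destination address, port, protocol) and a "Fragment protection" option without saying what the latter guards against. The following added example (not the guide's or Cisco's code) is a small stateless filter over those fields, with fragment handling modelled on RFC 1858: non-initial fragments carry no transport header, so a rule that names a port has nothing to check, and a first fragment too small to hold the TCP or UDP header is likewise unmatchable. With protection off, the example falls back to the way many classic stateless ACLs behave, matching such fragments on addresses and protocol alone, which is exactly the hole the option closes. Rule set, addresses and packets are constructed; FTP session filtering is not modelled.

```go
package main

// Added example, not code from the CCSP guide or from Cisco. Rules, addresses
// and packets in main are constructed test values.

import (
	"fmt"
	"net/netip"
)

const (
	protoTCP = 6
	protoUDP = 17
)

// Packet carries the header fields the filter looks at.
type Packet struct {
	Src, Dst   netip.Addr
	Proto      uint8
	DstPort    uint16 // meaningful only on an unfragmented packet or a large enough first fragment
	FragOffset uint16 // in 8-byte units; 0 = first or only fragment
	MoreFrags  bool
	PayloadLen int // bytes following the IP header
}

// Rule permits or denies packets that match all of its fields.
type Rule struct {
	Name           string
	Permit         bool
	Proto          uint8 // 0 = any protocol
	Src, Dst       netip.Prefix
	PortLo, PortHi uint16 // both 0 = any destination port
}

// minTransportHeader is the smallest first fragment that still carries the
// fields a port rule needs (full TCP header 20 bytes, UDP header 8 bytes).
func minTransportHeader(proto uint8) int {
	switch proto {
	case protoTCP:
		return 20
	case protoUDP:
		return 8
	}
	return 0
}

func (r Rule) matches(p Packet, portKnown bool) bool {
	if r.Proto != 0 && r.Proto != p.Proto {
		return false
	}
	if !r.Src.Contains(p.Src) || !r.Dst.Contains(p.Dst) {
		return false
	}
	if (r.PortLo == 0 && r.PortHi == 0) || !portKnown {
		// No port qualifier, or no transport header available to check: layer-3 match only.
		return true
	}
	return p.DstPort >= r.PortLo && p.DstPort <= r.PortHi
}

// Filter is an ordered rule list with an implicit deny at the end.
type Filter struct {
	Rules              []Rule
	FragmentProtection bool
}

// Decide returns the verdict and the rule (or protection check) that produced it.
func (f Filter) Decide(p Packet) (permit bool, reason string) {
	portKnown := p.FragOffset == 0 && p.PayloadLen >= minTransportHeader(p.Proto)
	if f.FragmentProtection {
		if p.FragOffset > 0 {
			return false, "fragment protection: non-initial fragment"
		}
		if p.MoreFrags && !portKnown {
			return false, "fragment protection: tiny initial fragment"
		}
	}
	for _, r := range f.Rules {
		if r.matches(p, portKnown) {
			return r.Permit, r.Name
		}
	}
	return false, "implicit deny"
}

func main() {
	// Constructed policy: permit HTTPS to the 192.0.2.0/24 servers, deny everything else.
	f := Filter{FragmentProtection: true, Rules: []Rule{{
		Name: "permit-https", Permit: true, Proto: protoTCP,
		Src: netip.MustParsePrefix("0.0.0.0/0"), Dst: netip.MustParsePrefix("192.0.2.0/24"),
		PortLo: 443, PortHi: 443,
	}}}
	src, dst := netip.MustParseAddr("198.51.100.7"), netip.MustParseAddr("192.0.2.10")
	for _, p := range []Packet{
		{Src: src, Dst: dst, Proto: protoTCP, DstPort: 443, PayloadLen: 40},
		{Src: src, Dst: dst, Proto: protoTCP, DstPort: 22, PayloadLen: 40},
		{Src: src, Dst: dst, Proto: protoTCP, FragOffset: 3, PayloadLen: 100},                // non-initial fragment
		{Src: src, Dst: dst, Proto: protoTCP, DstPort: 443, MoreFrags: true, PayloadLen: 8}, // tiny first fragment
	} {
		ok, why := f.Decide(p)
		fmt.Printf("%-5v %s\n", ok, why)
	}
}
```

Set `FragmentProtection` to false in `main` and the third packet is permitted by `permit-https` on its address and protocol fields alone, although nobody can tell which port its bytes will be reassembled into; that is the attack the table's "Fragment protection" entry exists to stop.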

Many firewalls also provide an isolated network called a demilitarized zone (DMZ), which is often used to house public access facilities such as Internet web servers. When the firewall does provide a DMZ, the VPN concentrator can be placed there, providing a fourth method of installing the Cisco VPN 3000 Concentrator in conjunction with a firewall. The following figures illustrate the four methods of implementing a VPN concentrator with a firewall.

Figure 3-3 shows the VPN concentrator placed in front of the firewall.

Figure 3-3 VPN Concentrator in Front of Firewall
(Figure: Internet, Router, VPN Concentrator, Firewall, DMZ with Web Server and Application Server, Internal LAN)

Figure 3-4 shows the VPN concentrator placed behind the firewall.

Figure 3-4 VPN Concentrator Behind Firewall
(Figure: Internet, Router, Firewall, VPN Concentrator, DMZ with Web Server and Application Server, Internal LAN)

Figure 3-5 shows the VPN concentrator placed parallel with the firewall.

Figure 3-5 VPN Concentrator Parallel with Firewall
(Figure: Internet, Router, VPN Concentrator and Firewall side by side, DMZ with Web Server and Application Server, Internal LAN)

Figure 3-6 shows the VPN concentrator placed in the firewall’s DMZ.

Figure 3-6 VPN Concentrator in DMZ
(Figure: Internet, Router, Firewall, DMZ with VPN Concentrator, Web Server and Application Server, Internal LAN)

You can establish filters to permit or deny almost any kind of traffic, and you can handshake with client-based firewalls. The Cisco VPN 3000 Series Concentrators can push firewall settings to the VPN Client, which then monitors firewall activity through an enforcement mechanism called Are You There (AYT). The AYT policy causes the client to poll the firewall every 30 seconds. If the firewall doesn’t respond, the VPN client drops the connection.
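The per-user and per-group controls in the Policy Management entry of Table 3-2 (idle and maximum session timeouts, time and day access control) and the Are You There check described above are all decisions the concentrator makes about an already-connected session. The following added example (not code from the guide or from Cisco) puts them in one enforcement routine so their interaction is visible: which check wins when several fail, how a window that crosses midnight is handled, and how a missed AYT poll tears the tunnel down. Policy values, the user name and the timestamps are constructed; the 30-second poll interval is the one the text gives, and an `AYTMissLimit` of 0 reproduces the text's "no response, drop the connection" behaviour.

```go
package main

// Added example, not code from the CCSP guide or from Cisco. Policy values,
// user name and timestamps in main are constructed test values.

import (
	"fmt"
	"time"
)

// GroupPolicy is the subset of a VPN group policy these checks need.
type GroupPolicy struct {
	IdleTimeout  time.Duration
	MaxSession   time.Duration
	AllowedDays  map[time.Weekday]bool
	WindowStart  int // minutes after midnight, inclusive
	WindowEnd    int // minutes after midnight, exclusive; below WindowStart means the window crosses midnight
	AYTInterval  time.Duration
	AYTMissLimit int // consecutive unanswered polls tolerated; 0 drops on the first miss
}

// Session is the concentrator's state for one connected client.
type Session struct {
	User         string
	Started      time.Time
	LastActivity time.Time
	LastAYTReply time.Time
	aytMissed    int
}

// inWindow reports whether the clock time of t lies inside the daily access window.
func (p GroupPolicy) inWindow(t time.Time) bool {
	if !p.AllowedDays[t.Weekday()] {
		return false
	}
	m := t.Hour()*60 + t.Minute()
	if p.WindowStart <= p.WindowEnd {
		return m >= p.WindowStart && m < p.WindowEnd
	}
	return m >= p.WindowStart || m < p.WindowEnd // e.g. 22:00 to 06:00
}

// RecordAYT stores the outcome of one AYT poll reported by the client.
func (s *Session) RecordAYT(firewallReplied bool, now time.Time) {
	if firewallReplied {
		s.LastAYTReply, s.aytMissed = now, 0
		return
	}
	s.aytMissed++
}

// Check reports whether the session may stay up and, if not, the first failing rule.
func (s *Session) Check(p GroupPolicy, now time.Time) (keep bool, reason string) {
	// A client that stopped reporting polls altogether counts as not responding too.
	stale := now.Sub(s.LastAYTReply) > time.Duration(p.AYTMissLimit+1)*p.AYTInterval
	switch {
	case now.Sub(s.Started) >= p.MaxSession:
		return false, "maximum session time reached"
	case now.Sub(s.LastActivity) >= p.IdleTimeout:
		return false, "idle timeout"
	case !p.inWindow(now):
		return false, "outside permitted time and day"
	case s.aytMissed > p.AYTMissLimit || stale:
		return false, "personal firewall not responding (AYT)"
	}
	return true, "ok"
}

func main() {
	weekdays := map[time.Weekday]bool{time.Monday: true, time.Tuesday: true, time.Wednesday: true, time.Thursday: true, time.Friday: true}
	p := GroupPolicy{IdleTimeout: 30 * time.Minute, MaxSession: 8 * time.Hour, AllowedDays: weekdays,
		WindowStart: 8 * 60, WindowEnd: 18 * 60, AYTInterval: 30 * time.Second, AYTMissLimit: 0}
	start := time.Date(2024, 3, 4, 9, 0, 0, 0, time.UTC) // constructed: a Monday morning
	s := &Session{User: "alice", Started: start, LastActivity: start, LastAYTReply: start}
	fmt.Println(s.Check(p, start.Add(20*time.Second)))
	s.RecordAYT(false, start.Add(30*time.Second)) // the client polled its firewall and got no answer
	fmt.Println(s.Check(p, start.Add(31*time.Second)))
}
```

The checks are ordered so that the cheapest, least ambiguous reason is reported first; a session that is both idle and missing its AYT reply is logged as an idle timeout, which is what an operator expects to see when reconciling the concentrator's event log with RADIUS accounting.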

Centralized management of concentrators and clients is another powerful security feature. The VPN manager is a web-based management tool that can be secured using HTTPS or through an encrypted tunnel.

The Cisco VPN 3000 Concentrators and the Cisco VPN Client also provide additional security by providing 3DES encryption over IPSec for wireless transmissions. While the wireless WEP protocol provides some encryption for a portion of the connection, IPSec with 3DES enables end-to-end encryption security from the client to the concentrator.

