
Table of Cisco VPN 3000 Concentrator Capabilities

In the document CCSP Cisco Secure VPN Exam Certification Guide (Page 135-148)

Table 3-12 shows the various protocols that are supported by the Cisco VPN 3000 Series Concentrators.

Table 3-12 Cisco VPN 3000 Concentrator Series Capabilities

Description / Specification

Compatibility
    Client Software Compatibility:
    Cisco VPN Client (IPSec) for Windows 95, 98, Me, NT 4.0, 2000, and XP, including centralized split-tunneling control and data compression.
    Cisco VPN 3002 Hardware Client.
    Microsoft PPTP/MPPE/MPPC.
    Microsoft L2TP/IPsec for Windows 2000.
    MovianVPN (Certicom) Handheld VPN Client with ECC.

Tunneling Protocols
    IPSec, PPTP, L2TP, L2TP/IPsec, NAT Transparent IPSec.

Encryption/Authentication
    IPSec Encapsulating Security Payload (ESP) using DES/3DES (56/168-bit) with MD5 or SHA; MPPE using 40/128-bit RC4.

Key Management
    Internet Key Exchange (IKE).
    Perfect Forward Secrecy (PFS).

Routing Protocols
    RIP, RIP2, OSPF, Static, automatic endpoint discovery, Network Address Translation (NAT), classless interdomain routing (CIDR).

Third-Party Compatibility
    Certicom, iPass Ready, Funk Steel Belted RADIUS certified, NTS TunnelBuilder VPN Client (Mac and Windows), Microsoft Internet Explorer, Netscape Communicator, Entrust, GTE Cybertrust, Baltimore, RSA Keon, VeriSign.

High Availability
    VRRP protocol for multichassis redundancy and failover.
    Destination pooling for client-based failover and connection reestablishment.
    Redundant SEP modules (optional), power supplies, and fans (3015–3060).
    Redundant SEP modules, power supplies, and fans (3080).

Management Configuration
    Embedded management interface is accessible via console port, Telnet, SSH, and Secure HTTP.
    Administrator access is configurable for five levels of authorization. Authentication can be performed externally via TACACS+.
    Role-based management policy separates functions for service provider and end-user management.

Monitoring
    Event logging and notification via e-mail (SMTP).
    Automatic FTP backup of event logs.
    SNMP MIB-II support.

Authentication
    Support for redundant external authentication servers:
        RADIUS
        Microsoft NT Domain authentication
        RSA Security Dynamics (SecurID Ready)
    Internal Authentication server for up to 100 users.
    TACACS+ Administrative user authentication.
    X.509v3 Digital Certificates.
    RADIUS accounting.

Internet-Based Packet Filtering
    Source and destination IP address.
    Port and protocol type.
    Fragment protection.
    FTP session filtering.

Policy Management
    By individual user or group:
        Filter profiles
        Idle and maximum session timeouts
        Time and day access control
        Tunneling protocol and security authorization profiles
        IP pool
        Authentication servers

Chapter Glossary

The following terms were introduced in this chapter or have special significance to the topics within this chapter:

Are You There (AYT) A process where the VPN Client enforces firewall policy defined on the local firewall by monitoring that firewall to make sure it is running. The client sends periodic “Are you there?” messages to the firewall. If no response is received, the VPN Client terminates the connection to the VPN concentrator.

classless interdomain routing (CIDR) Technique supported by BGP4 and based on route aggregation. CIDR allows routers to group routes together to reduce the quantity of routing information carried by the core routers. With CIDR, several IP networks appear to networks outside the group as a single, larger entity. With CIDR, IP addresses and their subnet masks are written as four octets, separated by periods, followed by a forward slash and a two-digit number that represents the subnet mask.
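To make the route aggregation in this definition concrete, here is an added Python illustration (not from the certification guide): it parses CIDR notation, collapses contiguous networks into a single larger prefix, and renders the prefix length back as a dotted subnet mask. The route list is constructed sample data.

```python
"""Route aggregation with CIDR: several contiguous networks advertised as one.

Added illustration; the route list below is constructed sample data.
"""
import ipaddress

# Constructed sample: four contiguous /24 networks behind one VPN site.
SITE_ROUTES = [
    "192.168.0.0/24",
    "192.168.1.0/24",
    "192.168.2.0/24",
    "192.168.3.0/24",
]


def parse_cidr(text: str) -> ipaddress.IPv4Network:
    """Parse 'a.b.c.d/n' notation; reject host bits set in the network part."""
    net = ipaddress.ip_network(text, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"IPv4 CIDR expected, got {text}")
    return net


def dotted_mask(net: ipaddress.IPv4Network) -> str:
    """Prefix length as a dotted-quad subnet mask (e.g. /22 -> 255.255.252.0)."""
    return str(net.netmask)


def aggregate(routes: list[str]) -> list[str]:
    """Collapse adjacent or overlapping networks into the fewest CIDR blocks."""
    nets = [parse_cidr(r) for r in routes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def common_supernet(routes: list[str]) -> str:
    """Smallest single prefix covering every route (may also cover gaps)."""
    nets = [parse_cidr(r) for r in routes]
    covering = nets[0]
    while not all(n.subnet_of(covering) for n in nets):
        covering = covering.supernet()
    return str(covering)


if __name__ == "__main__":
    summary = aggregate(SITE_ROUTES)
    print(f"{len(SITE_ROUTES)} routes advertised as {len(summary)}: {summary}")
    for s in summary:
        print(f"  {s} mask {dotted_mask(parse_cidr(s))}")
```

`aggregate` only merges networks that are truly adjacent, whereas `common_supernet` shows the over-covering summary a router would need if gaps existed between them.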

demilitarized zone (DMZ) Network that is isolated from a corporation’s production environment. The DMZ is often used as a location for public-access servers, where the effects of successful intrusion attempts can be minimized and controlled.

digital signal processor (DSP) Segments the voice signal into frames and stores them in voice packets.

Elliptic Curve Cryptosystem (ECC) A public-key cryptosystem for mobile/wireless environments. ECC uses smaller key sizes to provide security equivalent to cryptosystems like RSA, resulting in faster computations, lower power consumption, and reduced memory and bandwidth use. ECC is particularly well suited for mobile devices that have limited CPU and memory capabilities.

Internet Engineering Task Force (IETF) Task force consisting of over 80 working groups responsible for developing Internet standards. The IETF operates under the auspices of the ISOC.

Layer 2 Forwarding Protocol (L2FP) Protocol that supports the creation of secure virtual private dial-up networks over the Internet.

Layer 2 Tunneling Protocol (L2TP) An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based on the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN.

Microsoft Point-to-Point Compression (MPPC) A compression protocol used to compress Point-to-Point Protocol (PPP) packets between Cisco and Microsoft client devices. This protocol optimizes bandwidth usage to support multiple simultaneous connections.

Microsoft Point-to-Point Encryption (MPPE) An encryption technology that was developed to encrypt point-to-point links over dial-up lines or VPN tunnels. MPPE works as a subfeature of MPPC.

Network Address Translation (NAT) Mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. Also known as Network Address Translator.

Open Shortest Path First (OSPF) Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing. OSPF was derived from an early version of the Intermediate System–to–Intermediate System (IS-IS) Protocol.

Perfect Forward Secrecy (PFS) Cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.
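As an added illustration of this definition (not from the guide), the Python below contrasts a rekey scheme that derives each new key from the previous one with one that takes each key from a fresh ephemeral Diffie-Hellman exchange, as IKE does when PFS is enabled. The DH group is a toy parameter chosen so the code runs instantly; the nonces and keys are generated at run time.

```python
"""Why PFS matters: chained key derivation vs. a fresh ephemeral DH per rekey.

Added illustration. The DH group below is a toy parameter for demonstration;
real IKE uses the standardised MODP/ECP groups.
"""
import hashlib
import secrets

P = 2**127 - 1  # toy prime modulus (a Mersenne prime), illustration only
G = 3           # toy generator


def kdf(*parts: bytes) -> bytes:
    """Derive a 16-byte session key from its inputs with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()[:16]


def ephemeral_dh_secret() -> bytes:
    """One DH exchange whose private values are discarded afterwards."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    shared = pow(pow(G, a, P), b, P)          # peer B computes (g^a)^b
    assert shared == pow(pow(G, b, P), a, P)  # peer A computes (g^b)^a
    return shared.to_bytes(16, "big")


def rekey_chain(first_key: bytes, nonces: list[bytes], pfs: bool) -> list[bytes]:
    """Produce successive session keys, one per rekey nonce."""
    keys = [first_key]
    for nonce in nonces:
        if pfs:
            keys.append(kdf(ephemeral_dh_secret(), nonce))  # independent of keys[-1]
        else:
            keys.append(kdf(keys[-1], nonce))               # chained from keys[-1]
    return keys


def later_keys_exposed(pfs: bool, rekeys: int = 3) -> bool:
    """Adversary recorded the public nonces and learned key #1; can they get the rest?"""
    nonces = [secrets.token_bytes(8) for _ in range(rekeys)]
    real = rekey_chain(secrets.token_bytes(16), nonces, pfs)
    # The adversary re-runs the chained derivation from the stolen key.
    guess = rekey_chain(real[1], nonces[1:], pfs=False)
    return guess == real[1:]


if __name__ == "__main__":
    print("no PFS: later keys exposed =", later_keys_exposed(pfs=False))  # True
    print("PFS:    later keys exposed =", later_keys_exposed(pfs=True))   # False
```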

Point-to-Point Tunneling Protocol (PPTP) A protocol that enables secure data transfer between remote clients and enterprise servers by creating on-demand, multiprotocol VPNs across TCP/IP-based public data networks, such as the Internet.

Remote Authentication Dial-In User Service (RADIUS) A standards-based protocol for authentication, authorization, and accounting (AAA).

Reverse Route Injection (RRI) Used to populate the routing table of an internal router running OSPF or RIP for remote VPN clients or LAN-to-LAN sessions.

Scalable Encryption Processing (SEP) VPN concentrator modules that perform hardware-based cryptographic functions, including random number generation, hash transforms (MD5 and SHA-1) for authentication, and encryption and decryption (DES and Triple-DES).

Secure Shell (SSH) Sometimes called Secure Socket Shell, a UNIX-based command interface and protocol for gaining access to a remote computer securely.

Secure Sockets Layer (SSL) Encryption technology for the web used to provide secure transactions, such as the transmission of credit card numbers for e-commerce.

Terminal Access Controller Access Control System Plus (TACACS+) A Cisco proprietary protocol for authentication, authorization, and accounting (AAA).

Virtual Router Redundancy Protocol (VRRP) In installations of two or more VPN concentrators in a parallel, redundant configuration, VRRP provides automatic switchover to a backup system in case the primary system is out of service, thus ensuring user access to the VPN.

Wired Equivalent Privacy (WEP) An encryption protocol used on data signals transmitted between wireless LAN (WLAN) devices.

Q&A

As mentioned in Chapter 1, these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam; however, the questions are designed to make sure you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, your understanding and recall of the subject are challenged. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and guess!

The answers to this quiz are listed in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

1 How do VPN concentrators reduce communications expenses?

2 What are two of the standard authentication servers that Cisco VPN 3000 Concentrators can use for authentication?

3 What other authentication capability exists if standard authentication servers are not available?

4 With respect to firewalls, where can you install Cisco VPN 3000 Concentrators?

5 What routing protocols do the Cisco VPN 3000 Concentrators support?

6 During large-scale implementations, how can Cisco VPN 3000 Concentrators be configured to simplify client configuration?

7 What is the maximum encryption throughput rate for the VPN 3000 Concentrator Series?

8 What hardware device is required to achieve maximum encryption throughput on the Cisco VPN 3000 Concentrators?

9 What element on SEPs permits them to be so fast and flexible?

10 Why are Cisco VPN Concentrators so good at supporting VPN communications?

11 What tunneling protocols do Cisco VPN 3000 Concentrators support?

12 In addition to RIP and OSPF, what other routing capabilities do Cisco VPN Concentrators have?

13 What encryption and authentication protocols do Cisco VPN 3000 Concentrators support?

14 What protocol permits multichassis redundancy and failover?

15 What hardware items can be made redundant on Cisco VPN 3000 Concentrators?

16 What are some of the methods that can be used to interface with the embedded Cisco VPN Manager software on VPN concentrators?

17 What are the most secure forms of authentication that can be used with Cisco VPN 3000 Series Concentrators?

18 What mechanism is used by Cisco VPN Clients to monitor firewall activity between the client and the concentrator?

19 What is the rated mean time between failure (MTBF) for Cisco VPN 3000 Concentrators?

20 You have installed two Cisco VPN 3000 Concentrators in parallel on your network. Both devices have redundant power supplies, fans, and SEPs. You need to ensure 99.9% uptime. How can you achieve this rate of fault tolerance?

21 During the initial configuration of the VPN concentrators, what management interface must you use?

22 What do you need to do to activate configuration changes to Cisco VPN Concentrators that are made through the Cisco VPN Manager?

23 What four options are available under the Configuration menu of the VPN Manager?

24 What is the hierarchical order of property inheritance on Cisco VPN Concentrators?

25 What options are available on the Administration menu of the Cisco VPN Manager?

26 What options are available on the Monitoring menu of the Cisco VPN Manager?

27 Where in the Cisco VPN Manager could you go to view the current IP address for the private interface on a Cisco VPN 3000 Concentrator?

28 What models are available in the Cisco VPN 3000 Concentrator Series?

29 Which of the Cisco VPN 3000 Series Concentrators is a fixed configuration that is not upgradeable?

30 How can purchasers of a Cisco VPN 3000 Series Concentrator obtain a license for the Cisco VPN Client?

31 What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3005 Concentrator?

32 What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3015 Concentrator?

33 What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3030 Concentrator?

34 What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3060 Concentrator?

35 What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3080 Concentrator?

36 Which of the Cisco VPN 3000 Series Concentrators is only available in a fully redundant configuration?

37 On a Cisco VPN 3005 Concentrator, what does a blinking green system LED indicate?

38 On a Cisco VPN 3000 Concentrator, what does a blinking amber system LED indicate?

39 What does a blinking green Ethernet link status LED indicate on a Cisco VPN Concentrator?

40 What does an amber SEP status LED indicate?

41 Which of Cisco’s client offerings has no limitations with regard to the types of client operating systems it can support?

42 What optional feature on the Cisco VPN 3002 Hardware Client allows you to connect Ethernet devices to the client?

43 What two operating modes can a Cisco VPN 3002 Hardware Client be configured to support?

44 What operating systems does the Cisco VPN Client support?

Exam Topics Discussed in This Chapter

This chapter covers the following topics, which you need to master in your pursuit of certification as a Cisco Certified Security Professional:

9 Overview of remote access using preshared keys

10 Initial configuration of the Cisco VPN 3000 Concentrator Series for remote access

11 Browser configuration of the Cisco VPN 3000 Concentrator Series

12 Configuring users and groups

13 Advanced configuration of the Cisco VPN 3000 Concentrator Series

14 Configuring the IPSec Windows Client

Configuring Cisco VPN 3000
