
Lecture CCNA Security - Chapter 8: Implementing Virtual Private Networks

Shared by: You Can | Date: | File type: PDF | Pages: 124


Upon completion of this lesson, the successful participant will be able to: describe the purpose and operation of VPNs; differentiate between the various types of VPNs; identify the Cisco VPN product line and the security features of these products; configure a site-to-site VPN GRE tunnel; and more. See the full lecture for the remaining objectives.


Text content: Lecture CCNA Security - Chapter 8: Implementing Virtual Private Networks

  1. Chapter 8 - Implementing Virtual Private Networks (CCNA Security)
  2. Major Concepts
     • Describe the purpose and operation of VPN types
     • Describe the purpose and operation of GRE VPNs
     • Describe the components and operations of IPsec VPNs
     • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using the CLI
     • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CCP
     • Configure and verify a Remote Access VPN
  3. Lesson Objectives
     Upon completion of this lesson, the successful participant will be able to:
     1. Describe the purpose and operation of VPNs
     2. Differentiate between the various types of VPNs
     3. Identify the Cisco VPN product line and the security features of these products
     4. Configure a site-to-site VPN GRE tunnel
     5. Describe the IPSec protocol and its basic functions
     6. Differentiate between AH and ESP
     7. Describe the IKE protocol and modes
     8. Describe the five steps of IPSec operation
  4. Lesson Objectives
     9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec
     10. Configure IKE policies using the CLI
     11. Configure the IPSec transform sets using the CLI
     12. Configure the crypto ACLs using the CLI
     13. Configure and apply a crypto map using the CLI
     14. Describe how to verify and troubleshoot the IPSec configuration
     15. Describe how to configure IPSec using CCP
     16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in CCP
     17. Configure a site-to-site VPN using the step-by-step VPN Wizard in CCP
  5. Lesson Objectives
     18. Verify, monitor and troubleshoot VPNs using CCP
     19. Describe how an increasing number of organizations are offering telecommuting options to their employees
     20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs
     21. Describe how SSL is used to establish a secure VPN connection
     22. Describe the Cisco Easy VPN feature
     23. Configure a VPN Server using SDM
     24. Connect a VPN client using the Cisco VPN Client software
     Bach Khoa Academy of Information Technology - Website: www.bkacad.com
  6. What is a VPN? (Refer to 8.1.1.1)
     • A VPN is a private network that is created via tunneling over a public network, usually the Internet.
     • Instead of using a dedicated physical connection, a VPN uses virtual connections routed through the Internet from the organization to the remote site.
  7. What is a VPN?
     • Virtual?
     • Private?
  8. What is a VPN?
     1. What is the tunnel?
     2. Does the VPN always include authentication and encryption?
     3. How does a network administrator prevent eavesdropping of data in a VPN?
  9. Benefits of VPN
     1. Cost savings:
        – VPNs eliminate expensive dedicated WAN links and modem banks.
        – Additionally, with the advent of cost-effective, high-bandwidth technologies such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
     2. Security:
        – Advanced encryption and authentication protocols protect data from unauthorized access.
     3. Scalability:
        – VPNs use the Internet infrastructure, so it is easy to add new users; corporations can add significant capacity without adding significant infrastructure.
     4. Compatibility with broadband technology:
        – DSL, cable, broadband wireless, and so on.
  10. Layer 3 VPN (Refer to 8.1.1.2)
     • A VPN can be built at either Layer 2 or Layer 3 of the OSI model. Establishing connectivity between sites works the same way whether the VPN operates at Layer 2 or Layer 3. This chapter focuses on Layer 3 VPN technology.
  11. Layer 3 VPN
     [Figure: Layer 3 VPN topology; labels: IPSec VPN, IPSec, Internet, SOHO with a Cisco DSL Router]
     1. Generic routing encapsulation (GRE): point-to-point site connections
     2. Multiprotocol Label Switching (MPLS): any-to-any connectivity among many sites
     3. IPSec: point-to-point site connections
  12. Types of VPN Networks
     1. Site-to-site
     2. Remote-Access
  13. Site-to-Site VPN
  14. Site-to-Site VPN
     • A site-to-site VPN is created when the connecting devices on both sides of the VPN connection are aware of the VPN configuration in advance.
     • The VPN remains static, and internal hosts have no knowledge that a VPN exists.
     • Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.
     • In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco ASA 5500 Series Adaptive Security Appliance.
     • The VPN gateway is responsible for encapsulating and encrypting outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.
     • Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
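To make the tunnel idea from slides 8, 11 and 14 concrete, the Python below is an added example (not code from the slides or from Cisco): it builds a plain GRE packet the way an outbound gateway would, strips it the way the peer gateway would, and then reads the inner addresses and payload straight out of the transit packet, which is the answer to slide 8's second question, since GRE alone tunnels but does not encrypt or authenticate. All addresses and the payload are constructed sample values; the helper names are mine.

```python
"""Minimal GRE (RFC 2784) encapsulation/decapsulation of an IPv4 packet.
Added example, not part of the CCNA Security slides; addresses and payload
are constructed sample values (RFC 5737 documentation ranges for tunnel endpoints)."""
import ipaddress
import struct

IPPROTO_GRE = 47          # protocol number of GRE in the outer IPv4 header
GRE_PROTO_IPV4 = 0x0800   # EtherType value for IPv4 in the GRE protocol field
IPPROTO_EXPERIMENT = 253  # RFC 3692 experimental protocol, used only for the sample inner packet

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options; header checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outbound gateway: outer IPv4 header + 4-byte GRE header + the inner packet, unchanged."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # C bit, reserved bits and version all 0
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> bytes:
    """Receiving gateway: validate and strip the outer IPv4 and GRE headers."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet does not carry GRE")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:  # low three bits are the GRE version; RFC 2784 requires 0
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unsupported inner protocol")
    hdr_len = 8 if flags_ver & 0x8000 else 4  # C bit set adds a checksum/reserved1 word
    return packet[ihl + hdr_len:]

def inner_addresses_and_payload(tunnel_packet: bytes) -> tuple:
    """What any device on the public path can read from a plain GRE packet: inner hosts and data."""
    inner = gre_decapsulate(tunnel_packet)
    ihl = (inner[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    return src, dst, inner[ihl:]

# Constructed sample: a host at site A sends an application payload to a host at site B.
PAYLOAD = b"payroll-export"
INNER_PACKET = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_EXPERIMENT, len(PAYLOAD)) + PAYLOAD
TUNNEL_PACKET = gre_encapsulate(INNER_PACKET, "203.0.113.1", "198.51.100.1")
```

Because the inner packet is carried verbatim, a GRE tunnel needs IPsec (or another encrypting layer) before it provides the confidentiality slide 9 attributes to VPNs.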
  15. Remote-Access VPNs
  16. Remote-Access VPNs
     • A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled.
     • Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic.
     • Remote-access VPNs support a client/server architecture where a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge.
  17. VPN Client Software
     [Figure: VPN client connecting to R1 (R1-vpn-cluster.span.com)]
     In a remote-access VPN, each host typically has Cisco VPN Client software.
  18. Cisco IOS SSL VPN (Refer to 8.1.2.5)
  19. Cisco IOS SSL VPN
     • Provides remote-access connectivity from almost any Internet-enabled host using a web browser and its native Secure Sockets Layer (SSL) encryption.
     • Delivers three modes of access:
        – Clientless: A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN.
        – Thin client: A remote client must download a small, Java-based applet for secure access to TCP applications that use static port numbers. UDP is not supported in a thin client environment.
        – Full client
     • SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops. SSL VPNs are not a complete replacement for IPsec VPNs.
  20. Cisco VPN Product Family
     Product Choice                                       Remote-Access VPN   Site-to-Site VPN
     Cisco VPN-Enabled Router                             Secondary role      Primary role
     Cisco PIX 500 Series Security Appliances             Secondary role      Primary role
     Cisco ASA 5500 Series Adaptive Security Appliances   Primary role        Secondary role
     Cisco VPN 3000 Series Concentrators                  Primary role        Secondary role
     Home Routers (SOHO Routers)                          Primary role        Secondary role