© 2006 Cisco Systems, Inc. All rights reserved. SND v2.06-1 Building IPsec VPNs Defending Your Network with the Cisco VPN Product Family.

Transcript:

Building IPsec VPNs: Defending Your Network with the Cisco VPN Product Family

Outline
- Overview
- Secure Connectivity: VPN Solutions
- Secure Connectivity: Cisco VPN Product Family
- Secure Connectivity: VPN Product Positioning
- Cisco VPN Best Practices
- Summary

Site-to-Site VPN Applications for Cisco VPN-Enabled Devices
[Diagram. IPsec VPN central site: Cisco VPN 3000 Series Concentrator, Cisco ASA 5500 Series Adaptive Security Appliance, Cisco IOS router. Remote options: Cisco VPN Software Client with firewall, small and home office VPN with firewall, Cisco VPN Hardware Client, router with VPN and firewall, router with firewall and VPN, PIX Security Appliance, Cisco ASA, Cisco VPN Concentrator. Placements shown: Enterprise Edge (perimeter option), Enterprise Campus, Remote Site (perimeter option), ISP, Remote Access, Web VPN.]

Site-to-Site VPNs
[Diagram: intranet, extranet and business-to-business site-to-site VPNs between a remote site router and the central site, reached across the Internet through the POP* over DSL or cable access. *POP = Post Office Protocol]

Remote-Access VPNs
[Diagram: telecommuter, mobile and extranet (consumer-to-business) remote-access clients connect over DSL, cable or mobile access through the POP* and across the Internet to the central site router. *POP = Post Office Protocol]

Security Appliance-Based VPN Solutions
[Diagram: intranet VPNs between the central site and a remote site, and extranet (business-to-business) VPNs, both carried over the Internet.]

Building Cisco IPsec VPNs: Product Choice

Product | Remote-Access VPN | Site-to-Site VPN
Cisco VPN 3000 Series Concentrators | Primary role | Secondary role
Cisco VPN-enabled router | Secondary role | Primary role
Cisco PIX 500 Series Security Appliances | Enhance your existing Cisco PIX Security Appliance with the VPN remote-access solution; the security organization owns the VPN solution
Cisco ASA 5500 Series Adaptive Security Appliances | Supports Cisco VPN 3000 features; the security organization owns the VPN solution

Cisco VPN Product Family
- Remote-Access VPN Concentrators
- Site-to-Site VPN and Firewall Routers: Cisco 800 Series, Cisco 1800 Series, Cisco 2800 Series, Cisco 3800 Series
- Cisco PIX 500 Series Security Appliance and Cisco ASA 5500 Series Adaptive Security Appliance: Cisco PIX 501, Cisco PIX 506E, Cisco PIX 515E, Cisco PIX 525, Cisco PIX 535, Cisco ASA 5510, Cisco ASA 5520, Cisco ASA

Cisco VPN Product Family (Cont.)
- VPN products:
  – Cisco VPN-enabled routers and switches
  – Cisco VPN 3000 Series Concentrators
  – Cisco ASA 5500 Series Adaptive Security Appliances
  – Cisco PIX 500 Series Security Appliances
- Hardware acceleration:
  – AIM
  – Cisco IPsec VPN SPA
  – SEP
  – VAC

Cisco IOS VPN-Enabled Routers
- V3PN
  – Quality of service
  – IP telephony and video
- IPsec
  – IPsec stateful failover
- DMVPN
- IPsec and MPLS integration
- Cisco Easy VPN

Cisco VPN 3000 Series Concentrators
- Customized application access
- Cisco Secure Desktop
- Fully clientless Citrix support
- Integrated web-based management
- Clustering and load-balancing capabilities
- Broad user authentication support

Cisco ASA 5500 Series Adaptive Security Appliances
Features of the Cisco PIX 500 Series Security Appliance plus advanced VPN features, including:
- Resilient clustering
- Cisco Easy VPN
- Cisco VPN Client updates
- Cisco IOS WebVPN
- VPN infrastructure for converged networks
- Integrated web-based management

Cisco ASA 5500 Series Adaptive Security Appliance Features
The Cisco ASA 5500 Series Adaptive Security Appliances are multifunction security appliances with:
- Adaptive identification and mitigation architecture
- Adaptive Threat Defense capabilities
  – Application security
  – Anti-X defenses
  – Containment and control
- Secure connectivity capabilities
  – Remote-access and site-to-site connectivity
- Converged security and VPN management

Positioning the Cisco ASA 5500 Series Adaptive Security Appliance Platforms
[Chart: performance and services plotted against customer size (small and medium business, small enterprise, enterprise, large enterprise), placing the ASA 5520, ASA 5510 Security Plus, ASA 5520 VPN Plus, ASA 5540 VPN Plus and ASA 5540 VPN Premium along those axes.]
Three models:
- Cisco ASA 5510 Adaptive Security Appliance
- Cisco ASA 5520 Adaptive Security Appliance
- Cisco ASA 5540 Adaptive Security Appliance

Cisco ASA 5500 Series Adaptive Security Appliance Platforms
(Customer types: remote access, site-to-site, firewall-based. The per-platform figures were not preserved in the transcript.)

Platform | 5510 Security Plus | 5520 VPN Plus | 5540 VPN Plus | 5540 VPN Premium
Simultaneous WebVPN (clientless) users | | | |
Site-to-site tunnels and RAS VPN peers | | | |
Encrypted throughput (Mbps) | | | |
Firewall throughput | | | |
Hardware encryption | Yes

Cisco PIX 500 Series Security Appliances
- Spoke-to-spoke VPN support
- VPN NAT transparency
- Cisco VPN Client security posture enforcement
- Cisco VPN Client blocking by operating system and type
- OSPF dynamic routing over VPN
- VPN hardware acceleration

VPN Product Placement
- Cisco VPN-enabled routers
  – Leverage existing infrastructure
  – Broad choice of interfaces
  – Feature-rich Cisco IOS software (routing, QoS, and so on)
- Cisco ASA 5500 Series Adaptive Security Appliances
  – All-in-one security appliance
  – Purpose-built appliance
  – High-performance solution
  – IPsec and SSL VPN capabilities
- Cisco PIX 500 Series Security Appliances
  – Purpose-built application inspection firewall
  – Clear demarcation between security and network operation
  – Robust, enterprise-class firewall
- Cisco VPN 3000 Series Concentrators
  – Feature-rich remote-access platform
  – IPsec and SSL VPN capabilities
  – No individual feature licensing

Cisco VPN Product Positioning
[Cisco VPN Product Matrix: columns Site-to-Site VPN, IPsec Remote-Access VPN and SSL Remote-Access VPN; products are ranked top to bottom within each column. Products in transcribed order: Cisco VPN-enabled router; Cisco ASA 5500 Series Adaptive Security Appliances; Cisco VPN 3000 Series Concentrators; Cisco PIX 500 Series Security Appliances; Cisco VPN-enabled router; Cisco VPN 3000 Series Concentrators; Cisco PIX 500 Series Security Appliances.]

Cisco VPN Product Positioning (Cont.)

Market | Remote access | Site-to-site | Cisco PIX 500 Series Security Appliance based | Cisco ASA 5500 Series Adaptive Security Appliance based
Large enterprise | Cisco VPN 3060 and 3080 Concentrators | Cisco Catalyst 6500 and 7600 Series Switches; Series Routers | PIX 535 Security Appliance |
Medium enterprise | Cisco VPN 3030 Concentrator | 3700 Multiservice Access Routers, 3800 Series Integrated Services Routers, 7000 Series Routers | PIX 515E, 525 Security Appliances | ASA 5540, ASA 5520
Small business or remote office with branch office | Cisco VPN 3005 and 3015 Concentrators | 1700, 1800 and 2600 Series Multiservice Access Routers, 2800 Integrated Services Routers | PIX 506 Firewall, 515E Security Appliance | ASA 5510
SOHO market | Cisco VPN software and hardware Client | 800 Series Routers, 1700 Series Integrated Services | PIX 501 Security Appliance, 506 Firewall | ASA 5510

Cisco VPN Design Objectives
A Cisco IPsec VPN should emulate the functional requirements of your network. These design objectives should guide your decision making:
- Secure connectivity
- Reliability, performance, and scalability
- Options for high availability
- Authentication of users and devices in VPN secure management
- Security and attack mitigation before and after IPsec

Identity and IPsec Access Control Best Practices
- Preshared keys
  – Group preshared keys are applicable only to remote access.
  – Do not use wildcard preshared keys for site-to-site device authentication.
- Digital certificates
  – Scale better than unique preshared keys.
  – Use if the network of the VPN grows beyond 20 devices.
  – Ensure that devices have the correct time of day.

Identity and IPsec Access Control Best Practices (Cont.)
- Certificate revocation lists
  – Enable checking CRLs on remote and headend devices when digital certificates are deployed.
  – Consider a third-party managed CA when deploying an extranet VPN.
- Consider using a hardware-based solution to protect digital certificates and preshared key material.
- Use inbound ACLs on the VPN devices for site-to-site traffic.

IPsec Best Practices
- Use both encryption and integrity.
- Do not use single DES for data encryption. Use 3DES or AES for data encryption.
- Use SHA.
- Strong encryption algorithms cannot be exported to some countries or some customers.
- Do not change the SA lifetimes or enable PFS unless the sensitivity of the data mandates it.

NAT Best Practices
- Avoid the application of NAT to VPN traffic.
- Use address ranges for your sites that do not overlap with other devices that you will connect via IPsec.
- When address translation occurs, make sure that a protocol-aware device carries out the address translation.
- Do not hide the public peer addresses of the VPN devices.
- When a remote-access client is not able to connect because of a NAT-related issue, consider enabling NAT traversal mode.
- Use ESP tunnel mode and avoid NAT whenever possible.
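The Cisco IOS site-to-site fragment below is an added example, not part of the course material, that puts the identity, IPsec and NAT practices from the preceding slides into one router configuration, with the wildcard preshared key shown commented out as the pattern to avoid. The peer address 203.0.113.2, the 10.1.0.0/16 and 10.2.0.0/16 site ranges, the HQ-CA trustpoint and its enrollment URL, the NTP server, the GigabitEthernet0/0 outside interface and support for DH group 14 are all assumptions.

```cisco
! Assumed placeholders: peer 203.0.113.2, LAN 10.1.0.0/16 <-> 10.2.0.0/16,
! trustpoint HQ-CA and its URL, NTP server, outside interface Gi0/0.
! Certificate validation depends on correct time of day on every device.
ntp server 192.0.2.10
! Certificate identity with CRL checking enabled on this device.
crypto pki trustpoint HQ-CA
 enrollment url http://ca.example.com:80
 revocation-check crl
! IKE phase 1: AES encryption, SHA hash, certificate authentication.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! AVOID: a wildcard preshared key is accepted from any peer that knows it.
! crypto isakmp key s3cret address 0.0.0.0 0.0.0.0
! If preshared keys are unavoidable, bind each key to a single peer address:
! crypto isakmp key s3cret address 203.0.113.2
!
! Phase 2: ESP with both encryption and integrity, tunnel mode; default
! SA lifetime and no PFS unless the data sensitivity requires otherwise.
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! VPN traffic selector, plus a NAT exemption so VPN traffic is never translated.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip access-list extended NAT-LIST
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-LIST interface GigabitEthernet0/0 overload
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address VPN-TRAFFIC
!
! Inbound ACL: only the peer's IKE/ESP (including the NAT-T port) and the
! remote site's decrypted traffic may enter; anything else is logged and dropped.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 any eq isakmp
 permit udp host 203.0.113.2 any eq non500-isakmp
 permit esp host 203.0.113.2 any
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 deny   ip any any log
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

The `deny ... log` entry doubles as a detection point: unexpected sources hitting the VPN interface show up in the router log rather than being silently discarded.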

Single-Purpose vs. Multipurpose Devices: Selection Considerations
When deciding which option to select, weigh your decision based on the capacity and functionality available on the appliance versus the functionality advantage of the integrated device. IPsec is a demanding function. As the size of the network increases, so does the likelihood that a VPN appliance needs to be selected over an integrated router or firewall.

Summary
- Cisco has a range of products to support site-to-site VPN, remote-access VPN, and remote-access web-based VPN solutions.
- The product portfolio supporting VPN consists of Cisco VPN-enabled routers, Cisco VPN 3000 Series Concentrators, Cisco PIX 500 Series Security Appliances, Cisco ASA 5500 Series Security Appliances, and Cisco Catalyst 6500 Series Switches.
- Placement of a VPN device depends on the functionality, the intended use, the supported features, and the required performance.
- A well-designed Cisco VPN solution needs to provide private, ubiquitous communications to the locations and users that require it.
