Cisco VPN solutions Infosecurity 2002
© 2001, Cisco Systems, Inc. All rights reserved.
Agenda
• Why VPN
• Reference architecture
• Cisco VPN solutions
• Security keys: eToken and SmartCards
• Demo track
Why VPN
• Cost reduction
• Improvements in: productivity; communication flexibility; network management
Source: Gartner Group, Fall 2001
Reference architectures
(Diagram. Labels: Branch Office LAN-LAN VPN; Remote Access VPN for Dialup and Roaming Users; Remote Access VPN for SOHO and Broadband Users; access links T1/E1, Ethernet; Analog, ISDN; Cable, DSL; Internet; Router; DMZ 1, DMZ 2; Intranet Servers, File Servers, etc.)
Cisco VPN solutions
• Cisco VPN based on IOS functionality (IPSec VPN): Cisco routers for site-to-site IPsec VPN solutions
• Cisco VPN Firewall-to-Firewall: PIX Firewall as IPSec tunnel terminator
• Cisco VPN based on VPN concentrator and VPN client: dedicated high-performance appliance for LAN-to-LAN and client-access solutions
• Interoperable solutions (diagram): PIX and IOS; IOS and VPN concentrator; PIX and VPN concentrator; Client -> PIX; Client -> VPN concentrator; Client -> IOS (Unity client)
Cisco VPN 3000 Concentrator v 3.5
VPN 3000 Series: Purpose-Built features
• Designed for Enterprise VPN services
• Scalability: modular and upgradeable
• Performance: hardware encryption
• Flexibility: VPN for remote access, LAN-LAN, extranet
• Fully interoperable with PIX and IOS
• High availability: redundant power, redundant Encryption Processors, dual flash, VRRP, load balancing
VPN 3000 Series: Purpose-Built features
• Management: web-based graphical interface
• Security: support for the major VPN protocols
• Ease of implementation: non-disruptive insertion into existing networks (routers, firewalls, authentication servers, etc.)
• Client software included with unlimited license, preconfigurable for remote installation
VPN based on the 3000 Series: architecture
(Diagram. Labels: Branch Office LAN-LAN VPN; Remote Access VPN with Cisco VPN Client; SOHO and Broadband Users with Cisco VPN Client; access links T1/E1, Ethernet; Analog, ISDN; Cable, DSL; Internet; Router; DMZ 1, DMZ 2; Intranet Servers, File Servers, etc.)
VPN 3000 Concentrator v 3.5: modular and expandable

| Model          | 3005   | 3015   | 3030    | 3060     | 3080     |
|----------------|--------|--------|---------|----------|----------|
| Tunnels        | 100    | 100    | 1,500   | 5,000    | 10,000   |
| Encryption     | S/W    | S/W    | H/W     | H/W      | H/W      |
| Performance    | 4 Mbps | 4 Mbps | 50 Mbps | 100 Mbps | 100 Mbps |
| Memory         | 32 MB  | 64 MB  | 128 MB  | 256 MB   | 256 MB   |
| SEPs Installed | N/A    | 0      | 1       | 2        | 4        |
| Redundant PS   | No     | Option | Option  | Option   | Included |
| Redundant SEPs | N/A    | N/A    | Option  | Option   | Included |
| Upgradeable    | No     | Yes    | Yes     | No       | No       |
Platform features: Model 3005
• Fixed configuration
• Software encryption
• Best suited for: Branch Office; Medium Business
Platform features: Models 3015, 3030, 3060, 3080
• Modular
• Expandable
• Redundancy-capable
• Hardware encryption
Security features
• Encryption algorithms: 56-bit DES; 168-bit Triple-DES; Microsoft Encryption (MPPE), 40/128-bit RC4
• IPSec authentication algorithms: HMAC (Hashed Message Authentication Code) with MD5; HMAC with SHA-1
• Key management: IKE with Diffie-Hellman; digital certificates, smartcards and token cards; SCEP support for CA enrolment
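The IPSec integrity algorithms listed above, HMAC with MD5 and HMAC with SHA-1, are carried in ESP and AH as Integrity Check Values truncated to the leftmost 96 bits (HMAC-MD5-96 and HMAC-SHA1-96, RFC 2403 and RFC 2404). The following Python example is added here and is not part of the original slides or of any Cisco software: it computes such a truncated ICV over a constructed payload and verifies it with a constant-time comparison, showing that a single flipped byte is rejected. The key and payload bytes are constructed for illustration.

```python
import hmac
import hashlib

# RFC 2403/2404: the HMAC output is truncated to its leftmost 96 bits
# (12 bytes) to form the ESP/AH Integrity Check Value (ICV).
ICV_LEN = 12

HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def full_hmac_hex(key: bytes, data: bytes, hash_name: str) -> str:
    """Untruncated HMAC (hex), useful for checking against RFC 2202 vectors."""
    return hmac.new(key, data, HASHES[hash_name]).hexdigest()


def compute_icv(key: bytes, data: bytes, hash_name: str) -> bytes:
    """96-bit truncated HMAC over the authenticated data (MD5 or SHA-1)."""
    if hash_name not in HASHES:
        raise ValueError("expected 'md5' or 'sha1'")
    return hmac.new(key, data, HASHES[hash_name]).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, icv: bytes, hash_name: str) -> bool:
    """Recompute the ICV and compare in constant time; wrong length fails."""
    if len(icv) != ICV_LEN:
        return False
    return hmac.compare_digest(compute_icv(key, data, hash_name), icv)


def demo() -> tuple:
    """Sign a constructed payload, then show that tampering is detected."""
    key = bytes.fromhex("0b" * 20)                       # constructed key
    payload = b"\x45\x00\x00\x3c" + b"constructed ESP payload"  # constructed
    icv = compute_icv(key, payload, "sha1")
    genuine_ok = verify_icv(key, payload, icv, "sha1")
    tampered = bytearray(payload)
    tampered[5] ^= 0x01                                  # flip one bit
    tampered_ok = verify_icv(key, bytes(tampered), icv, "sha1")
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The truncation does not weaken the construction in practice for these purposes, but it does mean a receiver must compare exactly 12 bytes; `hmac.compare_digest` avoids leaking how many leading bytes matched through timing.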
Security features
• Digital certificate support: Entrust, Baltimore, CyberTrust, Verisign, RSA Keon, Microsoft Win2K, PGP
• Token and smartcard support, tested with: Gemplus, Activcard (Schlumberger cards), eAladdin
• Packet filtering, security and personal firewall: profiles defined per user or group; filters by source/destination address, port and protocol; centralized control of security and personal firewall policy enforcement on the VPN Client
• Authentication: internal database, RADIUS, SDI (new card and next PIN code), NT Domain, MS-CHAP v1 & v2
High availability features
• 200,000+ hrs. MTBF
• Redundant power supplies and fans, dual image flash memory
• Hot swap, redundant Service Encryption Processors (SEP)
• Remote Access: backup server for VPN Client v3.5 for Microsoft, Linux, Sun Solaris, MacOS; backup server list for the VPN 3002 hardware client v3.5
• LAN to LAN: Virtual Router Redundancy Protocol (VRRP) and load balancing; automatic recovery; same IP addresses, MAC addresses
Redundancy features
• Remote Access: with client software for Microsoft, Linux, Sun Solaris, MacOS
• LAN to LAN: Virtual Router Redundancy Protocol (VRRP) and load balancing; automatic recovery; same IP addresses, MAC addresses
(Diagram. Labels: Branch Office, Peer = A; Internet; T1/T3; concentrators A, B, C; IP Address List: A, B, C; IP Address List: B, A, C.)
Management features
• Web-based and XML management: Telnet/SSL (character-based); HTTP/HTTPS (integrated VPN Device Manager)
• Multi-level control: role-based management
• FTP/TFTP support
Console/Telnet interface: character-based, menu-driven
VPN Device Manager (VDM): HTML based
NETWORK COMPUTING: "..has a great overall management architecture with configuration options laid out in a logical tree structure, a hierarchical profile management and excellent troubleshooting tools."
Cisco VPN Client v 3.5
VPN 3000 Client 3.5 features
• Broad operating system support: Windows 95 OSR2+/98/ME/NT4/W2K/XP; Linux Intel (command line only); Solaris UltraSPARC 32-bit (command line only); Mac OS X 10.1 (command line only)
• Cisco VPN 3000 Client software: IPSec compliant; unlimited license for all models; easy deployment; installation wizard; backup server support; policies controlled by the VPN concentrator
VPN 3000 Client 3.5: personal firewall and smartcards
• Integrated (stateful) personal firewall, Zone Labs technology (Zone Alarm). Two modes: Always On default policy (user-configurable); Central Protection Policy (CPP), policies controlled and managed centrally
• Smartcard support: Gemplus, Activcard (Schlumberger cards), Aladdin
VPN 3000 Client 3.5: authentication and NAT support
• NT password expiration with MSCHAPv2: prompts the user to change the password when it expires. The VPN concentrator v3.5 uses RADIUS MSCHAPv2 authentication with the server (e.g. Cisco Secure ACS v3.0, MS IAS)
• IPsec/UDP and IPSec/TCP: allow IPSec tunnels to be established across intermediate NAT devices, typically in extranets
VPN 3000 Client 3.5: installation and management
• Single-click installation: preconfigured .INI file
• Centralized configuration and security policy management: self-installing with no user intervention; configuration and policies are pushed from the concentrator
VPN 3000 Client: advanced features
• Split tunneling (optional): IPSec tunnels for enterprise-specific traffic (e.g. email, file servers, etc.); clear-text traffic for 'traditional' Internet access (e.g. web surfing, newsgroups, etc.)
(Diagram. Labels: Remote User with Cisco VPN 3000 Client; Router; Internet; Stockmaster.com; Router; Central Site with Cisco VPN 3000 Concentrator.)
Cisco VPN 3002 Hardware Client Series
Cisco VPN 3002 Hardware Client: definition
• The Cisco VPN 3002 Hardware Client can be used in place of the software client: it is like the software client, but in hardware!
• The 3002 has two primary properties: it is deployed as simply as the client; it is scalable (>50,000 units)
• The 3002 comes in two hardware versions: Ethernet; Ethernet with 8-port 10/100 Mbps AUTO-MDIX switch
Cisco VPN 3002 Hardware Client: physical characteristics
Front: basic 3002 without switch; 3002 unit with 8-port 10/100 switch
• External power supply
• RS-232 console with RJ-45 connector
• 10/100 Mbps Ethernet ports
• Switch with Auto-MDIX, eliminating crossover cables
• Reset switch to return the unit to the default configuration
• 6x8x2" size with flat top and wall-mount keyholes
• Silent, convection-cooled operation
• FCC Class B certification, CISPR, CUL, others
Cisco VPN 3002 Hardware Client: features
• Simple deployment: the 3002 includes a DHCP client/server, up to 253 stations; two operating modes: Client Mode ("drop in" deployment, invisible, for non-routable networks) and Network Extension Mode (for routable networks); configuration via web or console port; throughput up to 1.5 Mbps in 3DES; "Unity Client" operation, can connect to VPN 3000, PIX, IOS
• Security: the 3002 only allows outbound sessions to be opened; supports pre-shared secrets and digital certificates; policies managed and enforced by the VPN Concentrator
Cisco VPN 3002 Hardware Client: DHCP and NAPT firewall
(Diagram, Remote Office/Satellite Office to Central Site. Labels: one address for the entire network behind the 3002; 178.168.0.52 assigned to the client by the concentrator (it thinks it is locally on the 3030 network); 172.168.0.x internal private net; Public and Private sides; Cisco VPN 3030 Concentrator; as DHCP client, the 3002 acquires an address (e.g. 24.128.46.83) from the cable modem, ISP, etc.; Yahoo site; Cisco VPN 3002 Hardware Client; as DHCP server, the 3002 maintains a pool of addresses to assign to the stations on the private network (e.g. this station is served 192.168.5.1 with subnet mask 255.255.255.0); outbound NAT/PAT hides the stations.)
• In Client mode, the stations behind the 3002 are invisible to the outside world, whether or not split tunneling is used
• In Network Extension mode, the stations behind the 3002 are visible only from the Central Site
• PAT is always used to connect to the Internet via split tunneling
• Only 'outbound' connections are permitted
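The following Python model is an added example, not part of the original slides and not Cisco code. It ties together the split tunneling described under the VPN 3000 Client advanced features and the Client-mode behaviour of the 3002 described here: a split-tunnel decision sends enterprise destinations into the tunnel and everything else clear; both paths pass through a PAT table, so stations behind the 3002 never expose their 192.168.5.x addresses; and an inbound packet that matches no outbound state is dropped, which is what "only outbound connections are permitted" means in practice. The addresses are the slide's own diagram labels; the /24 prefix for the central-site network, the port numbers and the remote hosts are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Values taken from the slide's diagram; the /24 prefix is an assumption.
PROTECTED_NETS = [ip_network("172.168.0.0/24")]  # central-site network, reached via the tunnel
TUNNEL_ADDR = "178.168.0.52"                     # address the concentrator assigned to the 3002
PUBLIC_ADDR = "24.128.46.83"                     # ISP/cable-modem address acquired via DHCP

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def select_path(dst_ip: str) -> str:
    """Split-tunnel decision: enterprise prefixes go into IPsec, the rest goes clear."""
    dst = ip_address(dst_ip)
    return "tunnel" if any(dst in net for net in PROTECTED_NETS) else "clear"


@dataclass
class PatTable:
    """Port address translation: many private stations behind one outside address."""
    outside_addr: str
    next_port: int = 20000  # constructed starting port for the translated side
    # outside port -> (private ip, private port, remote ip, remote port)
    mappings: Dict[int, Flow] = field(default_factory=dict)

    def outbound(self, flow: Flow) -> Tuple[str, int]:
        """Create (or reuse) a translation and return the outside endpoint."""
        for port, existing in self.mappings.items():
            if existing == flow:
                return self.outside_addr, port
        port = self.next_port
        self.next_port += 1
        self.mappings[port] = flow
        return self.outside_addr, port

    def inbound(self, remote_ip: str, remote_port: int,
                outside_port: int) -> Optional[Tuple[str, int]]:
        """Return the private endpoint for a reply, or None to drop unsolicited traffic."""
        entry = self.mappings.get(outside_port)
        if entry is None:
            return None
        private_ip, private_port, rem_ip, rem_port = entry
        if (rem_ip, rem_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: still unsolicited
        return private_ip, private_port


class HardwareClientModel:
    """3002 in Client mode: one PAT table per path, both hiding the stations."""

    def __init__(self) -> None:
        self.tables = {"tunnel": PatTable(TUNNEL_ADDR), "clear": PatTable(PUBLIC_ADDR)}

    def send(self, flow: Flow) -> Tuple[str, Tuple[str, int]]:
        path = select_path(flow[2])
        return path, self.tables[path].outbound(flow)

    def receive(self, path: str, remote_ip: str, remote_port: int,
                outside_port: int) -> Optional[Tuple[str, int]]:
        return self.tables[path].inbound(remote_ip, remote_port, outside_port)


def demo() -> tuple:
    """Station 192.168.5.1 reaches a central-site file server and a public web site."""
    hc = HardwareClientModel()
    path1, (addr1, _) = hc.send(("192.168.5.1", 40000, "172.168.0.10", 445))
    path2, (addr2, port2) = hc.send(("192.168.5.1", 40001, "198.51.100.7", 80))
    reply = hc.receive("clear", "198.51.100.7", 80, port2)       # legitimate reply
    probe = hc.receive("clear", "203.0.113.9", 4444, port2)      # unsolicited, dropped
    return path1, addr1, path2, addr2, reply, probe


if __name__ == "__main__":
    print(demo())
```

The model deliberately covers only the addressing property the slide describes: in Client mode the central site sees every station as 178.168.0.52 and the Internet sees every station as 24.128.46.83, and nothing on either side can open a connection inward. It does not model ESP encapsulation or Network Extension mode, where the 192.168.5.x stations are routable from the central site.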
Security keys: eToken e SmartCards
Aladdin features
• Insert a single reference slide for partner Aladdin, who will then hold their own session
Demo track
Demo track
• Insert the demo schema and track