Title: IPsec Virtual Private Network Fundamentals
Author(s): James Henry Carmouche
July 2006 - paperback - 460 pages
An introduction to designing and configuring Cisco IPsec VPNs
Understand the basics of the IPsec protocol and learn implementation best practices
Study up-to-date IPsec design, incorporating current Cisco innovations in the security and VPN marketplace
Learn how to avoid common pitfalls related to IPsec deployment
Reinforce theory with case studies and configuration examples showing how IPsec maps to real-world solutions
IPsec Virtual Private Network Fundamentals provides a basic working knowledge of IPsec on various Cisco routing and switching platforms. It provides the foundation necessary to understand the different components of Cisco IPsec implementation and how it can be successfully implemented in a variety of network topologies and markets (service provider, enterprise, financial, government). This book views IPsec as an emerging requirement in most major vertical markets, explaining the need for increased information authentication, confidentiality, and non-repudiation for secure transmission of confidential data. The book is written using a layered approach, starting with basic explanations of why IPsec was developed and the types of organizations relying on IPsec to secure data transmissions. It then outlines the basic IPsec/ISAKMP fundamentals that were developed to meet demand for secure data transmission. The book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics including high availability solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided in each chapter to reinforce the fundamentals expressed in text and to assist readers in translating concepts into practical deployment scenarios. Additionally, comprehensive case studies are incorporated throughout to map topics to real-world solutions.
Contents

Introduction

Part I Introductory Concepts and Configuration/Troubleshooting

Chapter 1 Introduction to VPN Technologies
  VPN Overview of Common Terms
  Characteristics of an Effective VPN
  VPN Technologies
  Virtual Private Dialup Networks
  Multiprotocol Label Switching VPNs
  IPsec VPNs
  Transport Layer VPNs
  Common VPN Deployments
  Site-to-Site VPNs
  Remote Access VPNs
  Business Drivers for VPNs
  Remote Access VPN Business Drivers - A Practical Example
  Site-to-Site VPN Business Drivers - A Practical Example
  IPsec VPNs and the Cisco Security Framework
  Summary

Chapter 2 IPsec Fundamentals
  Overview of Cryptographic Components
  Asymmetric Encryption
  Symmetric Encryption
  Message Authentication, Message Integrity, and Sender Nonrepudiation Mechanisms
  Public Key Encryption Methods
  RSA Public-Key Technologies
  Diffie-Hellman Key Exchange
  The IP Security Protocol (IPsec)
  IPsec Modes
  IPsec Transforms
  IPsec SA
  IPsec Configuration Elements
  Manual Keying
  The Need for Security Association and Key Management
  IKE and ISAKMP
  IKE and ISAKMP Terminology and Background
  IKE SA Negotiation and Maintenance
  IPsec Diffie-Hellman Shared Secret Key Generation Using IKE
  IKE Authentication Services
  IKE Phase I Negotiation
  IKE Phase II Negotiation
  Configuring ISAKMP
  IKE with RAVPN Extensions
  Summary

Chapter 3 Basic IPsec VPN Topologies and Configurations
  Site-to-Site IPsec VPN Deployments
  Site-to-Site VPN Architectural Overview for a Dedicated Circuit
  Site-to-Site Architectural Overview over a Routed Domain
  Site-to-Site IPsec VPN Deployments and GRE (IPsec+GRE)
  Site-to-Site IPsec+GRE Architectural Overview
  Site-to-Site IPsec+GRE Sample Configurations
  Hub-and-Spoke IPsec VPN Deployments
  Hub-and-Spoke Architectural Overview
  Standard Hub-and-Spoke Design without High Availability
  Clustered Spoke Design to Redundant Hubs
  Redundant Clustered Spoke Design to Redundant Hubs
  Remote Access VPN Deployments
  RAVPN Architectural Overview
  RAVPN Clients
  Standalone VPN Concentrator Designs
  Clustered VPN Concentrator Designs
  Summary

Chapter 4 Common IPsec VPN Issues
  IPsec Diagnostic Tools within Cisco IOS
  Common Configuration Issues with IPsec VPNs
  IKE SA Proposal Mismatches
  IKE Authentication Failures and Errors
  IPsec SA Proposal Mismatches
  Crypto-Protected Address Space Issues (Crypto ACL Errors)
  Architectural and Design Issues with IPsec VPNs
  Troubleshooting IPsec VPNs in Firewalled Environments
  NAT Issues in IPsec VPN Designs
  The Influence of IPsec on Traffic Flows Requiring QoS
  Solving Fragmentation Issues in IPsec VPNs
  The Effect of Recursive Routing on IPsec VPNs
  Summary

Part II Designing VPN Architectures

Chapter 5 Designing for High Availability
  Network and Path Redundancy
  IPSec Tunnel Termination Redundancy
  Multiple Physical Interface HA with Highly Available Tunnel Termination Interfaces
  Tunnel Termination HA Using HSRP/VRRP Virtual Interfaces
  HA with Multiple Peer Statements
  RP-based IPSec HA
  Managing Peer and Path Availability
  Peer Availability
  Path Availability
  Managing Path Symmetry
  Load Balancing, Load Sharing, and High Availability
  Load-Sharing with Peer Statements
  Routing
  Domain Name System (DNS)
  Cisco VPN3000 Concentrator Clustering
  IPSec Session Load-Balancing Using External Load Balancers
  Summary

Chapter 6 Solutions for Local Site-to-Site High Availability
  Using Multiple Crypto Interfaces for High Availability
  Impact of Routing Protocol Reconvergence on IPsec Reconvergence
  Impact of Stale SAs on IPsec Reconvergence
  Impact of IPsec and ISAKMP SA Renegotiation on IPsec Reconvergence
  Stateless IPsec VPN High-Availability Alternatives
  Solution Overview for Stateless IPsec High Availability
  Stateless High Availability Failover Process
  Stateful IPsec VPN High-Availability Alternatives
  Solution Overview for Stateful IPsec High Availability
  Stateful High Availability Failover Process
  Summary
  Stateless IPsec VPN High Availability Design Summary
  Stateful IPsec VPN High Availability Design Summary

Chapter 7 Solutions for Geographic Site-to-Site High Availability
  Geographic IPsec VPN HA with Reverse Route Injection and Multiple IPsec Peers
  Solution Overview for RRI with Multiple IPsec Peers
  Geographic IPsec VPN High Availability with IPsec+GRE and Encrypted Routing Protocols
  Solution Overview for IPsec+GRE with Encrypted Routing Protocols
  Dynamic Multipoint Virtual Private Networks
  DMVPN Solution Design Drivers
  DMVPN Component-Level Overview and System Operation
  Summary

Chapter 8 Handling Vendor Interoperability with High Availability
  Vendor Interoperability Impact on Peer Availability
  The Inability to Specify Multiple Peers
  Lack of Peer Availability Mechanisms
  Vendor Interoperability Impact on Path Availability
  IPSec HA Design Considerations for Platforms with Limited Routing Protocol Support
  IPSec HA Design Considerations for Lack of RRI Support
  IPSec HA Design Considerations for Lack of Generic Routing Encapsulation (GRE) Support
  Vendor Interoperability Design Considerations and Options
  Phase 1 and 2 SA Lifetime Expiry
  SADB Management with Quick Mode Delete Notify Messages
  Invalid Security Parameter Index Recovery
  Vendor Interoperability with Stateful IPSec HA
  Summary

Chapter 9 Solutions for Remote-Access VPN High Availability
  IPsec RAVPN Concentrator High Availability Using Virtual Interfaces for Tunnel Termination
  IPsec RAVPN Concentrator High Availability Using VRRP
  IPsec RAVPN Concentrator HA Using HSRP
  IPsec RAVPN Concentrator HA Using the VCA Protocol
  IPsec RAVPN Geographic HA Design Options
  VPN Concentrator Session Load Balancing Using DNS
  VPN Concentrator Redundancy Using Multiple Peers
  Summary

Chapter 10 Further Architectural Options for IPsec
  IPsec VPN Termination On-a-Stick
  IPsec with Router-on-a-Stick Design Overview
  Case Study: Small Branch IPsec VPN Tunnel Termination with NAT On-a-Stick
  In-Path Versus Out-of-Path Encryption with IPsec
  Out-of-Path Encryption Design Overview
  Case Study: Firewalled Site-to-Site IPsec VPN Tunnel Termination
  Separate Termination of IPsec and GRE (GRE-Offload)
  GRE-Offload Design Overview
  Case Study: Large-Scale IPsec VPN Tunnel Termination with GRE Offload
  Summary

Part III Advanced Topics

Chapter 11 Public Key Infrastructure and IPsec VPNs
  PKI Background
  PKI Components
  Public Key Certificates
  Registration Authorities
  Certificate Revocation Lists and CRL Issuers
  Certificate Authorities
  PKI Cryptographic Endpoints
  Life of a Public Key Certificate
  RSA Signatures and X.509v3 Certificates
  Generating Asymmetric Keypairs on Cryptographic Endpoints
  Registration and Endpoint Authentication
  Receipt and Authentication of the CA's Certificate
  Forwarding and Signing of Public Keys
  Obtaining and Using Public Key Certificates
  PKI and the IPSec Protocol Suite - Where PKI Fits into the IPSec Model
  OCSP and CRL Scalability
  OCSP
  Case Studies and Sample Configurations
  Case Study 1: PKI Integration of Cryptographic Endpoints
  Case Study 2: PKI with CA and RA
  Case Study 3: PKI with Redundant CAs (CA Hierarchy)
  Summary

Chapter 12 Solutions for Handling Dynamically Addressed Peers
  Dynamic Crypto Maps
  Dynamic Crypto Map Impact on VPN Behavior
  Dynamic Crypto Map Configuration and Verification
  Tunnel Endpoint Discovery
  TED Configuration and Verification
  Case Study - Using Dynamic Addressing with Low-Maintenance Small Home Office Deployments
  Summary

Appendix A Resources
  Books
  RFCs
  Web and Other Resources

Index
James Henry Carmouche, CCIE No. 6085, currently works for the Cisco Systems Enterprise Systems Engineering (ESE) group in Research Triangle Park, North Carolina, where he is responsible for building, validating, and evangelizing new and emerging security integration concepts in new network architectures and solution reference designs. Prior to joining ESE, Henry served as a technical marketing engineer in Cisco's Government Systems Unit (GSU) in Research Triangle Park, NC, where he was responsible for bringing advanced security products to market, building technical marketing collateral and presentations, and designing new product introduction training for the GSU's newly introduced security platforms.