Integrated Services Router with the "AIM-VPN/SSL" Module



Similar documents
Cisco Cisco 3845 X X X X X X X X X X X X X X X X X X

Integrated Services Router with the "AIM-VPN/SSL" Module

Cisco VPN Internal Service Module for Cisco ISR G2

VPN Modules for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

CCNA Security 1.1 Instructional Resource

Cisco Integrated Services Routers Performance Overview

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Introduction to Security and PIX Firewall

IP Security. Ola Flygt Växjö University, Sweden

Case Study for Layer 3 Authentication and Encryption

The BANDIT Products in Virtual Private Networks

Licenses are not interchangeable between the ISRs and NGX Series ISRs.

(d-5273) CCIE Security v3.0 Written Exam Topics

Network Security Features on the Cisco Integrated Services Routers

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN

Cisco IOS SSL VPN: Router-Based Remote Access for Employees and Partners

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Cisco IPsec and SSL VPN Solutions Portfolio

Remote-Access VPNs: Business Productivity, Deployment, and Security Considerations

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

Cisco Which VPN Solution is Right for You?

SNRS. Securing Networks with Cisco Routers and Switches. Length 5 days. Format Lecture/lab

SSL VPN Technical Primer

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Site to Site Virtual Private Networks (VPNs):

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Cisco IOS SSL VPN: Router-Based Remote Access for Employees and Partners

Virtual Private Networks

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Network Security Part II: Standards

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

Securing Networks with Cisco Routers and Switches 1.0 (SECURE)

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

VPN. VPN For BIPAC 741/743GE

SSL-Based Remote-Access VPN Solution

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Unified Services Routers

Chapter 7 Transport-Level Security

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

Cisco VPN 3000 Concentrator Series

Cisco SR 520-T1 Secure Router

TABLE OF CONTENTS NETWORK SECURITY 2...1

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Cisco IOS SSL VPN: Router-Based Remote Access for Employees and Partners

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

Gigabit Multi-Homing VPN Security Router

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers

Application Note: Onsight Device VPN Configuration V1.1

Overview. SSL Cryptography Overview CHAPTER 1

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

VPN. Date: 4/15/2004 By: Heena Patel

IPsec Simplified. Peter J. Welcher. Introduction. Just a Very Wee Bit of Cryptology. First, a couple of personal and company news items:

Technical papers Virtual private networks

How To Use The Cisco Wide Area Application Services (Waas) Network Module

Cisco 1-Port ISDN BRI U High-Speed WAN Interface Card

Understanding the Cisco VPN Client

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Introduction of Quidway SecPath 1000 Security Gateway

IPSec vs. SSL: Why Choose?

GNAT Box VPN and VPN Client

LinkProof And VPN Load Balancing

A Performance Analysis of Gateway-to-Gateway VPN on the Linux Platform

BUY ONLINE AT:

Chapter 4 Virtual Private Networking

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Branch Office VPN Tunnels and Mobile VPN

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Securing IP Networks with Implementation of IPv6

Cisco RV220W Network Security Firewall

Cisco ASA 5500 Series IPS Solution

Unified Services Routers

Security vulnerabilities in the Internet and possible solutions

Network Security Features for Cisco Integrated Services Routers Generation 2 Platform

Windows in a Browser Secure Remote Access with HOB RD VPN

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Network Security. Lecture 3

Cisco Certified Security Professional (CCSP)

Virtual Private Networks Secured Connectivity for the Distributed Organization

IPSec or SSL VPN? Copyright 2004 Juniper Networks, Inc. 1

Cisco Wireless Security Gateway R2

Triple DES Encryption for IPSec

Cisco RV 120W Wireless-N VPN Firewall

Novell Access Manager SSL Virtual Private Network

Secure Network Design: Designing a DMZ & VPN

High speed Ethernet WAN: Is encryption compromising your network?

SSL VPN. Virtual Private Networks based on Secure Socket Layer. Mario Baldi. Politecnico di Torino. Dipartimento di Automatica e Informatica

Cisco Intrusion Detection System Services Module (IDSM-2)

McAfee Firewall Enterprise 8.2.1

Secure Network Foundation 1.1 Design Guide for Single Site Deployments

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

Transcription:

Virtual Private Network (VPN) Advanced Integration Module (AIM) for the 1841 Integrated Services Router and 2800 and 3800 Series Integrated Services Routers The VPN Advanced Integration Module (AIM) for the 1841 Integrated Services Router and 2800 and 3800 Series Integrated Services Routers optimizes the Integrated Services Router platforms for virtual private networks in both IP Security (IPSec) and Secure Sockets Layer (SSL) Web and VPN deployments. Figure 1. Integrated Services Router with the "VPN/SSL" Module Integrated Services Routers deliver advanced security services, including industry-leading VPN for site-to-site and remote-access connectivity. To facilitate robust IPsec VPN deployments such as Dynamic Multipoint VPN (DMVPN) or optimize IOS WebVPN SSL VPN performance, the VPN and SSL AIM provides hardware encryption acceleration for the 1841 and 2800 and 3800 Series routers. (See Figure 1) The VPN and SSL AIM provides up to 40 percent better performance for IPsec VPN over the built-in IPsec encryption, and up to twice the performance for SSL Web VPN encryption. The VPN and SSL AIM supports all three of these functions in hardware: SSL encryption in hardware, VPN IPsec encryption in hardware using either Data Encryption Standard (DES) or Advanced Encryption Standard (AES), and the IP Payload Compression Protocol (IPPCP) in hardware. Integrated Services Routers with the VPN and SSL AIM are ideal for use in small and medium-sized businesses (SMBs) and small and large enterprise branch offices to connect remote offices, mobile users, and partner extranets. Integrated Services Routers offer the flexibility to deploy both IPsec and SSL VPN in a single-device solution, thus reducing the total cost of ownership, unlike other vendors' products requiring multiple devices and management systems. In addition, the VPN and SSL AIM is designed for service providers, offering highly scalable managed security services with zero-touch deployment ease. Integrated Services Routers together with the VPN and SSL AIM and the IOS Advanced Security features offer a rich integrated package of routing, firewall, intrusion-protection, and VPN functions and are an integral component of the Self-Defending Network. Table 1 lists the VPN module hardware and features supported by each platform. Table 2 describes the features supported by the VPN and SSL AIM. Table 3 describes the benefits of the VPN and SSL AIMfeatures. All contents are Copyright 1992 2007 Systems, Inc. All rights reserved. This document is Public Information. Page 1 of 8

Table 1. Supported Modules and Features, by Platform Modul e Part Numb ers 1841 2801, 2811, 2821, and 2851 3725 3825 3745 3845 AES and Triple Data Encryption Standard (3DES) IPPC P Web VPN SSL Encry ption IPv6 Cryptogr aphy in Hardware VPN/S SL-1 VPN/S SL-2 VPN/S SL-3 X X X X X X X X X X X X X X X X X X Table 2. Feature Physical Supported Features of VPN and SSL AIM Description The VPN and SSL AIM fits in any open AIM slot in the Integrated Services Router. Platform Support Hardware Prerequisites IPSec Encryption Supported Hardware SSL Encryption Supported IPSec Hardware-Based Compression Software Prerequisites Number of Encryption Modules per Router Minimum IOS Software Version Required Maximum Number of IPSec Encrypted Tunnels Maximum Number of IOS WebVPN SSL VPN Users with VPN and SSL AIM Standards Supported The VPN and SSL AIM supports the 1841 and the 2800, 3700, and 3800 Series. An AIM slot for the 1841 and the 2800, 3700, and 3800 Series is required. All modules support IPSec DES and 3DES; Authentication: Rivest, Shamir, and Adelman (RSA) and Diffie Hellman; data integrity: Secure Hash Algorithm 1 (SHA-1) and Message Digest Algorithm 5 (MD5); and DES, 3DES, and AES key sizes: AES128, AES192, and AES256. Only the VPN and SSL AIM in the 1841 and the 2800, 3700, and 3800 Series supports SSL Web VPN encryption. The VPN and SSL AIM uses Layer 3 IPPCP compression. The VPN and SSL AIM uses the IOS Software with the Advanced Security, Advanced IP, or Advanced Enterprise feature set. The VPN and SSL AIM uses one encryption module per router. The VPN and SSL AIM requires IOS Software Version 12.4(9)T or higher. The VPN and SSL AIM supports up to 800 tunnels on the 1841, up to 1500 tunnels on the 2800 Series, and up to 2000 tunnels on the 3800 Series. The Maximum Tunnel Scalability test is done with no data passing over the tunnels to only determine maximum number. For site-to-site design, recommends you consult with your account team or a authorized reseller and also review the DMVPN Design Guide at: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0 080739fd3.pdf Only the VPN and SSL AIM supports the IOS WebVPN SSL VPN. On the 1841 and 2801, it supports 50 users; on the 2811 and 2821, it supports 100 users; on the 2851, it supports 150 users; on the 3725 and 3745, it supports 150 users; and on the 3825 and 3845, it supports 200 users. The IOS WebVPN SSL VPN requires the purchase of a user license. (All supported platforms include a two-user demo license at no additional cost.) The VPN and SSL AIM supports the IPSec Internet Key Exchange (IKE): RFCs 2401 to 2410, 2411, and 2451. All contents are Copyright 1992 2007 Systems, Inc. All rights reserved. This document is Public Information. Page 2 of 8

Table 3. Feature Features and Benefits of the VPN and SSL AIM Benefit High Overhead IPSec Processing from the Main Processor IPSec MIB Certificate Support to Facilitate Automatic Authentication using Digital Certificates Easy Integration of VPN Modules into Existing 1841 and 2800, 3700, and 3800 Series Routers Confidentiality, Data Integrity, and Data Origin Authentication through IPSec IOS WebVPN Compression Reserves critical processing resources for other services such as routing, firewall, and voice Allows IPSec configuration monitoring and can be integrated into a variety of VPN management solutions Scales encryption use for large networks requiring secure connections between multiple sites Significantly reduces system costs, management complexity, and deployment effort compared to multiple-device solutions Facilitates secure use of public switched networks and the Internet for WANs Allows businesses to securely and transparently extend their networks to any Internet-enabled location using SSL VPN; the IOS WebVPN supports clientless access to applications such as HTML-based intranet content, e- mail, network file shares, and Citrix and to the SSL VPN Client, enabling full network access remotely to virtually any application VPN and SSL AIM provides hardware support for IPSec Layer 3 IPPCP and can compress a packet before encryption. This allows for higher throughput for Wide Area Networks (WAN) links VPN and SSL AIM Performance IPSec VPN The 1841 Series Module (VPN/SSL-1) can provide hardware-based IPSec encryption services of 25 and 95 Mbps in the 1841 (IPSec Internet mix [IMIX] and 1400-byte packets).1 The 2800 Series Module (VPN/SSL-2) can provide hardware-based IPSec encryption services of 30 and 90 Mbps in the 2801, 35 and 100 Mbps in the 2811, 90 and 125 Mbps in the 2821, and 100 and 150 Mbps in the 2851 (IPSec IMIX and 1400-byte packets).1 The 3800 Series Module (VPN/SSL-3) can provide hardware-based IPSec encryption services of 160 and 185 Mbps in the 3825 and 190 and 210 Mbps in the 3845 (IPSec IMIX and 1400-byte packets).1 All contents are Copyright 1992 2007 Systems, Inc. All rights reserved. This document is Public Information. Page 3 of 8

WebVPN SSL VPN The 1841 Series Module (VPN/SSL-1) can provide Web/VPN SSL hardwarebased of 5 Mbps with a Maximum of 50 Users 1 The 2800 Series Module (VPN/SSL-2) can provide Web/VPN SSL hardwarebased of 5Mbps with a Max of 50 users in the 2801, 5 Mbps with a Max of 75 users in the 2811, 10 Mbps with a Max of 100 users in the 2821, and 14 Mbps with a Max of 150 users in the 2851 routers. 2 The 3800 Series Module (VPN/SSL-3) can provide Web/VPN SSL hardwarebased encryption of 20 Mbps with a Max of 175 Users in the 3825,and 26 Mbps with a Max of 200 Users in the 3845 routers.2 Features SSL Web VPN The VPN and SSL AIM offloads the SSL encryption processing, allowing improved IOS WebVPN performance. The IOS WebVPN is the first router-based solution that offers SSL VPN remoteaccess connectivity integrated with security and industry-leading routing features on a converged data, voice, and wireless platform. SSL VPN is compelling because the security is transparent to the end user and easy for IT personnel to administer. Using only a Web browser, companies can extend their secure enterprise networks to any Internet-enabled location, including home computers, Internet kiosks, and wireless hotspots, thereby facilitating higher employee productivity and protecting corporate data while providing transient partner and consultant network access. IOS WebVPN supports both clientless and full-network-access SSL VPN capabilities. For further information about IOS WebVPN, refer to http://www.cisco.com/go/ioswebvpn. IPSEC VPN Systems fully supports the entire set of RFCs that describe IPSec and related protocols: RFCs 2401 to 2410. In particular, supports the following features: DES, 3DES, and AES-the National Institute of Standards and Technology (NIST) created AES as a Federal Information Processing Standard (FIPS) publication to replace DES, IPSec and IKE. AES has a variable key length; the algorithm can specify a 128-bit key (default), a 192-bit key, or a 256-bit key. For details about AES, refer to http://csrc.nist.gov/encryption/aes/. 1 IPSec numbers are maximum values based on the Spirent IPSec IMIX definition and 1400-byte packet size. Each test is performed with a single tunnel. Customers are urged to consult with the account team and review all VPN solution design guides for greater detail on deployment options and scaling. recommends IPsec user to also review the Solution Design Guides for more specific information on scaling: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080739fd3.pdf and http://www.cisco.com/en/us/netsol/ns656/networking_solutions_design_guidances_list.html 2 Customers are urged to consult the account team and review all Web VPN solution design guides for greater detail on deployment options and scaling. The IOS SSLVPN performance will vary based on which client is setup. SSLVPN client users will have higher overall performance than the SSLVPN clientless setup, which will have slightly lower performance. All contents are Copyright 1992 2007 Systems, Inc. All rights reserved. This document is Public Information. Page 4 of 8

IPSec-this protocol uses encryption technology to provide data confidentiality, integrity, and authenticity between participating peers in a private network. provides full Encapsulating Security Payload (ESP) and authentication header support. IKE-Using the Internet Security Association Key Management Protocol (ISAKMP) or Oakley, IKE provides security association management. IKE authenticates each peer in an IPSec transaction, negotiates security policy, and handles the exchange of session keys. Certificate management- fully supports the X509.V3 certificate system for device authentication and the Simple Certificate Enrollment Protocol (SCEP), a protocol for communicating with certificate authorities. Several vendors, including Verisign, Entrust Technologies, and Microsoft, support SCEP, and their products can operate with devices. RSA signatures and Diffie-Hellman-RSA and Diffie-Hellman are used every time an IPSec tunnel is established to authenticate the IKE security association. Diffie-Hellman is used to derive the shared secret encryption key for the protection of data across the IKE security association, including the negotiation of the IPSec policy to be used. Enhanced security-hardware-based cryptography offers several security advantages over software-based solutions, including enhanced protection of keys. For further information about IOS IPSec VPN, refer to http://www.cisco.com/en/us/products/ps6635/products_ios_protocol_group_home.html. Certifications is committed to maintaining an active product certification and evaluation program for customers worldwide. recognizes that certifications and evaluations are important to its customers, and the company continues to be a leader in providing certified and evaluated products to the marketplace. also will continue to work with international security standards bodies to help shape the future of certified and evaluated products and will work to accelerate certification and evaluation processes. Certification and evaluation are considered at the earliest part of the company's product development cycle, and will continue to position its security products to ensure that customers have a variety of certified and evaluated products to meet their needs. pursues ICSA, Common Criteria (EAL), and FIPS 140-2 Certification see (Figure 2). Figure 2. All contents are Copyright 1992 2007 Systems, Inc. All rights reserved. This document is Public Information. Page 5 of 8

FIPS The VPN modules have been designed to meet FIPS 140-2 Level 2 security. Currently, only specific models have FIPS 140-2 certification. See product certifications by certification type for the current status of products certified for FIPS: http://www.cisco.com/en/us/netsol/ns340/ns394/ns171/networking_solutions_audience_bu siness_benefit0900aecd8009a16f.html http://csrc.nist.gov/cryptval/ ICSA IPSec The Internet Computer Security Association (ICSA) is a commercial security certification body that offers ICSA IPSec and ICSA Firewall certification for various types of security products. participates in ICSA's IPSec and Firewall certification programs. See product certifications by certification type for the current status of products certified for ICSA: http://www.cisco.com/en/us/netsol/ns340/ns394/ns171/networking_solutions_audience_business_ benefit0900aecd8009a16f.html Common Criteria Common Criteria is an international standard for evaluating IT security. It was developed by a consortium of countries to replace numerous existing country-specific security assessment processes and was intended to establish a single standard for international use. Currently, 14 countries officially recognize the Common Criteria. Several versions of the ISR Routers are now being evaluated under the Information Technology Security Evaluation Criteria (ITSEC) and the Common Criteria. See product certifications by certification type For the current status of products certified for Common Criteria: http://www.cisco.com/en/us/netsol/ns340/ns394/ns171/networking_solutions_audience_business_ benefit0900aecd8009a16f.html http://www.commoncriteriaportal.org/ 1841 and 2800, 3700, and 3800 Series VPN Module Software With a VPN module installed, the router will run with any feature set for the IOS Software, but the module is used only with IPSec or SSL Web VPN feature sets. Export Regulations for the VPN Module DES, 3DES, and AES software for the VPN module is controlled by U.S. export regulations for encryption products. The module itself is not controlled. U.S. regulations require the recording of names and addresses of recipients of DES and 3DES software. The ordering process for DES and 3DES software enforces these requirements. All contents are Copyright 1992 2007 Systems, Inc. All rights reserved. This document is Public Information. Page 6 of 8

Specifications Table 4. Feature Specifications Specification Part Number and Description IPSec RFC Support Environmental VPN/SSL-1: 1841 DES, 3DES, AES, SSL, and Layer 3 (IPPCP) Compression VPN Encryption VPN/SSL-2: 2800 Series DES, 3DES, AES, SSL, and Layer 3 (IPPCP) Compression VPN Encryption VPN/SSL-3: 3800 Series DES, 3DES, AES, SSL, and Layer 3 (IPPCP) Compression VPN Encryption VPN/BPII-PLUS: DES, 3DES, AES, and Layer 3 (IPPCP) Compression VPN Encryption VPN/EPII-PLUS: DES, 3DES, AES, and Layer 3 (IPPCP) Compression VPN Encryption VPN/HPII-PLUS: DES, 3DES, AES, and Layer 3 (IPPCP) Compression VPN Encryption IPSec (RFCs 2401 to 2410) IPSec ESP using DES and 3DES (RFC 2406) IPSec authentication header using MD5 or SHA (RFCs 2403 to 2404) IKE (RFCs 2407 to 2409) Operating temperature: 32 to 104 F (0 to 40 C) Nonoperating temperature: -4 to 149 F (-20 to 65 C) Relative humidity: 10 to 85% noncondensing operating; 5 to 95% noncondensing, nonoperating safety Dimensions and Weight Table 4 lists dimensions and weight by platform. Table 5. Dimensions and Weight Module VPN/BPII- PLUS VPN/EPII- PLUS VPN/HPII- PLUS VPN/SLL-1 VPN/SSL-2 VPN/SSL-3 Width Height Depth Weight Regulatory Compliance, Safety, EMC, Telecom, and Network Homologation When installed in a 1700, 1800 (modular), 2600, 2800, 3600, 3700, or 3800 Series router, the VPN module does not change the standards (Regulatory Compliance, Safety, EMC, Telecom, or Network Homologation) of the router itself. Refer to data sheets for the 1700, 1800 (modular), 2600, 2800, 3600, 3700, and 3800 Series routers. To Download the Software Visit the Software Center to download the IOS Software. All contents are Copyright 1992 2007 Systems, Inc. All rights reserved. This document is Public Information. Page 7 of 8

Service and Support offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. services help you protect your network investment, optimize network operations, and prepare your network for applications to extend network intelligence and the power of your business. For more information about services, refer to Technical Support Services or Advanced Services. For More Information For more information about the VPN modules, visit http://www.cisco.com or contact your local account representative. Printed in USA C78-353932-02 4/07 All contents are Copyright 1992 2007 Systems, Inc. All rights reserved. This document is Public Information. Page 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information