Cisco IP Security
Presented by
Dr. Peter J. Welcher, Chesapeake Netcraftsmen
Why Do We Care?
• Many organizations are trying to use
IPSec VPN to reduce costs and simplify
new connections
• VPN allows
– Shared Internet and Enterprise access
– Reduced access line costs
– Ease of provisioning, flexibility
– Increased security
Agenda
• Introduction and Motivation
• IPSec Basics
• Enterprise IPSec VPN
• Managing VPN
• Wrap-up
Message Hashing
• Message Hashing is used to detect altered
messages
– Message bits and a secret key are combined into a short
hash code
– Hash code sent in header
– If received message hash doesn’t match,
message was altered
– Two forms: SHA and MD5
– SHA is a bit stronger
IPSec Tunnel
Design Assumptions
• High availability and failover with fast
convergence
• Support for dynamic routing
• Ability to carry diverse traffic, including IP
multicast, multi-protocol
• Conservative CPU levels
• Router-based (versus VPN concentrator)
(Diagram: Remote Offices connected through an ISP to the Central Site(s))
Overhead
• Cost (GRE + IPSec): 24 more bytes of
header (overhead)
• Total headers added: 76 bytes
Other Recommendations
• Have a summarizable addressing scheme
– It can make crypto ACLs simpler; this matters less with GRE
– Use route summarization
• For central DHCP, use helper addresses remotely
• Use IPSec Tunnel Mode with 3DES
• Don’t use IKE keepalives
• Base number of head-end devices on number of
remote sites and throughput
• Use appropriate (recent) Cisco IOS releases
• Avoid IPSec through NAT points
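Why a summarizable addressing scheme simplifies crypto ACLs, and why GRE makes that less of an issue, as an added example that is not part of the deck. The addressing plan (two remote sites with four /24s each, two central /24s) is constructed for illustration; the tunnel endpoint addresses 192.168.1.1 and 192.168.2.2 are taken from the deck's addressing diagram. The functions generate the IOS-style `permit` lines a crypto ACL would need in each approach and count them; the prefix collapsing is done with Python's standard `ipaddress` module.

```python
import ipaddress
from itertools import product

# Constructed sample addressing plan (not from the deck): each remote site owns
# a contiguous block carved into /24s, and the central site has two /24s.
REMOTE_SITE_SUBNETS = {
    "site1": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
    "site2": ["10.2.0.0/24", "10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"],
}
CENTRAL_SUBNETS = ["10.60.60.0/24", "10.60.61.0/24"]


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS ACLs express a prefix with an inverted mask (wildcard)."""
    return str(net.hostmask)


def summarize(subnets: list[str]) -> list[ipaddress.IPv4Network]:
    """Route-summarization step: collapse contiguous prefixes into the fewest
    covering prefixes with exactly the same address coverage."""
    nets = (ipaddress.ip_network(s) for s in subnets)
    return list(ipaddress.collapse_addresses(nets))


def crypto_acl_unsummarized(remote: list[str], central: list[str]) -> list[str]:
    """Pure IPSec without GRE and without summarization: one permit line per
    (remote subnet, central subnet) pair, so the ACL grows as the product."""
    lines = []
    for r, c in product(remote, central):
        rn, cn = ipaddress.ip_network(r), ipaddress.ip_network(c)
        lines.append(f"permit ip {rn.network_address} {wildcard(rn)} "
                     f"{cn.network_address} {wildcard(cn)}")
    return lines


def crypto_acl_summarized(remote: list[str], central: list[str]) -> list[str]:
    """Same coverage as crypto_acl_unsummarized, but over the summaries."""
    return crypto_acl_unsummarized([str(n) for n in summarize(remote)],
                                   [str(n) for n in summarize(central)])


def crypto_acl_gre(tunnel_src: str, tunnel_dst: str) -> list[str]:
    """GRE + IPSec: the crypto ACL only has to match the GRE packets between the
    two tunnel endpoints, whatever the inside addressing looks like."""
    return [f"permit gre host {tunnel_src} host {tunnel_dst}"]


def compare_sizes(plan: dict[str, list[str]], central: list[str],
                  hub: str = "192.168.2.2") -> dict[str, int]:
    """Total crypto ACL lines at the hub for the whole plan under each approach.
    The per-site spoke addresses are constructed (hypothetical) for the GRE case."""
    unsummarized = sum(len(crypto_acl_unsummarized(s, central)) for s in plan.values())
    summarized = sum(len(crypto_acl_summarized(s, central)) for s in plan.values())
    gre = sum(len(crypto_acl_gre(f"192.168.1.{i}", hub)) for i, _ in enumerate(plan, 1))
    return {"per_pair": unsummarized, "summarized": summarized, "gre": gre}


if __name__ == "__main__":
    for line in crypto_acl_unsummarized(REMOTE_SITE_SUBNETS["site1"], CENTRAL_SUBNETS):
        print(line)
    print(crypto_acl_summarized(REMOTE_SITE_SUBNETS["site1"], CENTRAL_SUBNETS))
    print(crypto_acl_gre("192.168.1.1", "192.168.2.2"))
    print(compare_sizes(REMOTE_SITE_SUBNETS, CENTRAL_SUBNETS))
```

For one site the pairwise ACL needs eight lines, the summarized form one (10.1.0.0/22 to 10.60.60.0/23, the same addresses covered), and the GRE form one line that never changes when inside subnets are added. Fewer crypto ACL lines also means fewer IPSec security associations to negotiate and monitor, which is the operational payoff of the recommendation.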
(Diagram: Remote Offices connected through a Service Provider / ISP to the Central Site(s); annotation at the provider: "Need good service here!")
SLAs
• CPN Multi-service VPN standards:
– Jitter – less than or equal to 20 msec
– Delay – less than or equal to 60 msec one way
– Packet Loss – less than or equal to 0.5 percent
(Diagram: addressing example across the ISP; addresses shown: 192.168.2.2, 10.0.0.5, 10.60.60.1, 192.168.1.1, 10.0.0.6)
Summary
• Use GRE + IPSec in a hub and spoke
design for easily managed IPSec VPN
with redundancy and failover
• Cisco has tested performance under load
for 240 remote branch routers going to 2
central routers
• Fragment before IPSec for much better
performance
A Word From Us …
• We can provide
– Network design review: how to make what you have work better
– Periodic strategic advice: what’s the next step for your network or staff
– Network management tools & procedures advice: what’s right for you
– Implementation guidance (your staff does the details) or full
implementation
• We do
– Small- and Large-Scale Routing and Switching (design, health check,
etc.)
– IPsec VPN and V3PN (design and implementation)
– QoS (strategy, design and implementation)
– IP Telephony (preparedness survey, design, and implementation)
– Call Manager deployment
– Security
– Network Management (design, installation, tuning, tech transfer, etc.)
Chesapeake Netcraftsmen
is certified by Cisco in:
• IP Telephony
• Network Management
• Wireless
• Security
• (Routing and Switching)