1 © 2002, Cisco Systems, Inc. All rights reserved. SEC-210 Deploying and Managing Enterprise IPsec VPNs Ken Kaminski Cisco Systems Consulting Systems Engineer.

Presentation transcript:

1 © 2002, Cisco Systems, Inc. All rights reserved. SEC-210 Deploying and Managing Enterprise IPsec VPNs Ken Kaminski Cisco Systems Consulting Systems Engineer – Security/VPN Northeast

Slide 2: IPsec - more than just crypto!
- Security enforcement, firewall, IDS
- Network topology
- Routing (OSPF, EIGRP) design
- High availability
- Performance
- QoS
- Path MTU discovery
- Network management

Slide 3: Agenda
- IPsec design options
- IPsec design issues
- IPsec management

Slide 4: Product Function Matrix
IOS, PIX and VPN 3000 compared in a site-to-site role and in a remote-access role. The row/column layout of the matrix did not survive the transcript; its cell text reads:
- Primary role: full-fledged site-to-site
- Scales for large deployments
- Primary role: full-fledged remote-access solution
- With the recent addition of the Cisco VPN Client, now supported with a good feature set
- Integrated firewall and VPN device
- PDM 2.0 includes VPN management
- Not recommended for large-scale use due to lack of QoS, SLA monitoring and multiprotocol routing

Slide 5: Agenda
- IPsec design options: IPsec; IPsec remote access (EzVPN); IPsec/GRE
- IPsec design issues
- IPsec management

Slide 6: Basic IPsec Example - IKE policy (Phase I)
Routers connected over the Internet, each with a /24 LAN behind it (the IP addresses on this slide were not preserved in the transcript). Two peers, so two pre-shared keys, one per peer address:

    crypto isakmp policy 1
     authentication pre-shared
     hash sha
     encryption 3des
    crypto isakmp key cisco123isabadkey address
    crypto isakmp key passwordisiabadkey address

Slide 7: Basic IPsec Example - IPsec policy (Phase II)
The transform set defines the ESP algorithms; the crypto ACLs select the traffic to protect, one ACL per peer (their source and destination networks were not preserved):

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    access-list 102 permit ip
    access-list 103 permit ip

Slide 8: Basic IPsec Example - IPsec policy (Phase II), crypto map
One crypto map entry per peer, each tying the peer address, its crypto ACL and the transform set together (peer addresses not preserved):

    crypto map IPSEC 20 ipsec-isakmp
     set peer
     match address 102
     set transform-set ESP-3DES-SHA
    crypto map IPSEC 30 ipsec-isakmp
     set peer
     match address 103
     set transform-set ESP-3DES-SHA

Slide 9: Basic IPsec Example - apply the crypto map
The map is applied to the Internet-facing interface, and a static route sends the remote traffic out of that interface (route prefix not preserved):

    interface serial 0
     crypto map IPSEC
    !
    ip route serial 0

Slide 10: Basic IPsec Summary
- Supported by IOS, PIX, VPN 3000 and several other vendors
- Either side can initiate the tunnel
- No support for routing protocols or multicast

Slide 11: Agenda
- IPsec design options: IPsec; IPsec remote access (EzVPN); IPsec/GRE
- IPsec design issues
- IPsec management

Slide 12: IPsec Remote Access (EzVPN)
- Client-server architecture: the head office runs the server (IOS, PIX or VPN 3000); the clients are the Cisco VPN Client, IOS, PIX or VPN 3002
- The client always initiates the IPsec connection
- The client may have a dynamic IP address
- Very easy to configure!
- Very scalable, no routing expertise required!

Slide 13: IPsec Remote Access (EzVPN) - client modes
- Client extension mode: packets from all devices behind the EzVPN client are PATed to one IP address, then tunneled in IPsec
- Network extension mode: packets from all devices behind the EzVPN client are tunneled in IPsec as they are (no PAT before IPsec)
- Head office server: IOS, PIX or VPN 3000

Slide 14: EzVPN Configuration example
Remote office router acting as the EzVPN hardware client (head-end peer address and interface address not preserved in the transcript):

    crypto ipsec client ezvpn hw-client
     group engineering-1 key secret
     mode client
     peer
    !
    interface Ethernet1
     description connected to INTERNET
     ip address
     crypto ipsec client ezvpn hw-client

Slide 15: Agenda (same items as slide 11)

Slide 16: IPsec/GRE: Scalable Site-to-Site VPNs
- A routing protocol (OSPF, EIGRP, ...) is necessary!
- Routing (or multicast) is not specified by IPsec
- Supported in IOS using GRE/IPsec
- Diagram: sites connected over the Internet and over Frame Relay

Slide 17: IPsec/GRE Example - IKE policy (Phase I)
Same as without GRE (peer addresses not preserved):

    crypto isakmp policy 1
     authentication pre-shared
     hash sha
     encryption 3des
    crypto isakmp key cisco123isabadkey address
    crypto isakmp key passwordisiabadkey address

Slide 18: IPsec/GRE Example - IPsec policy (Phase II)
The transform set uses transport mode, and the crypto ACLs match only GRE between the tunnel endpoints (tunnel 2002 and tunnel 2003); the host addresses were not preserved:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode transport
    access-list 102 permit gre host host
    access-list 103 permit gre host host

Slide 19: IPsec/GRE Example - crypto map
Unchanged from the plain IPsec case (peer addresses not preserved):

    crypto map IPSEC 20 ipsec-isakmp
     set peer
     match address 102
     set transform-set ESP-3DES-SHA
    crypto map IPSEC 30 ipsec-isakmp
     set peer
     match address 103
     set transform-set ESP-3DES-SHA

Slide 20: IPsec/GRE Example - tunnel interfaces
One GRE tunnel per peer, each on its own /24 tunnel subnet, sourced from serial 0 and carrying the crypto map (tunnel and destination addresses not preserved):

    int tunnel 2002
     ip address
     tunnel source serial 0
     tunnel destination
     crypto map IPSEC
    int tunnel 2003
     ip address
     tunnel source serial 0
     tunnel destination
     crypto map IPSEC

Slide 21: IPsec/GRE Example - physical interface and routing
The crypto map is also applied to the physical interface, static routes point out of serial 0 (destination prefixes not preserved), and OSPF runs over the tunnels:

    int serial 0
     ip address
     crypto map IPSEC
    !
    ip route serial 0
    ip route serial 0
    !
    router ospf 1
     network area 1

Slide 22: IPsec/GRE Summary
- IOS only (not PIX, VPN 3000)
- Enables routing over IPsec-protected tunnels
- Enables IPsec-protected multicast
- Enables multi-protocol traffic (IPX, ...)
- Easy to configure thanks to trivial ACLs
- Reduces the number of SAs
- Uses standards: RFC 240x (IPsec), RFC 2784 (GRE)
- IP-in-IP (RFC 2003) is an alternative to GRE
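The two configuration walk-throughs above (plain IPsec on slides 6-9 and GRE over IPsec on slides 17-21) are easier to reason about with a tool that reads the configuration back. The following Python is an added example written for this page, not Cisco's code or part of the presentation: it parses the IOS-style crypto configuration into its objects, checks that every crypto map entry refers to a defined transform set, ACL and pre-shared key, that the map is applied to an interface and that keepalives are configured, and flags the DES/3DES/MD5 algorithms the 2002 examples use as legacy. The sample configurations, the RFC 5737 addresses and the function names are all constructed for the example; the addresses on the slides themselves were not preserved in the transcript.

```python
"""Parser and checker for the IOS-style IPsec site-to-site configuration on the
slides.  Added example, not Cisco's code; the samples below are constructed from
the slide fragments with RFC 5737 addresses in place of the ones the transcript lost."""

ISAKMP = """\
crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encryption 3des
crypto isakmp key cisco123isabadkey address 198.51.100.1
"""
CRYPTO_MAP = """\
crypto map IPSEC 20 ipsec-isakmp
 set peer 198.51.100.1
 match address 102
 set transform-set ESP-3DES-SHA
interface serial 0
 crypto map IPSEC
"""
# Plain IPsec (slides 6-9): tunnel mode, one crypto ACL line per subnet pair.
BASIC_CONFIG = ISAKMP + """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list 102 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 102 permit ip 10.1.0.0 0.0.0.255 10.2.1.0 0.0.0.255
""" + CRYPTO_MAP
# GRE over IPsec (slides 17-21): transport mode, one 'permit gre host' line per
# peer, keepalives on (the tunnel interface carrying the map is omitted here).
GRE_CONFIG = ISAKMP + """\
crypto isakmp keepalive 10
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
access-list 102 permit gre host 192.0.2.1 host 198.51.100.1
""" + CRYPTO_MAP

def parse_config(text):
    # Collect isakmp policies, keys, transform sets, crypto ACLs, map entries
    # and the interfaces a map is applied to.
    cfg = {"policies": {}, "keys": {}, "transforms": {}, "acls": {},
           "maps": {}, "applied": {}, "keepalive": None}
    kind = ctx = None                  # the block that indented lines belong to
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line.startswith(" "):
            if kind == "policy":
                ctx[w[0]] = " ".join(w[1:])
            elif kind == "map" and w[:2] == ["set", "peer"]:
                ctx["peers"].append(w[2])
            elif kind == "map" and w[:2] == ["set", "transform-set"]:
                ctx["transform"] = w[2]
            elif kind == "map" and w[:2] == ["match", "address"]:
                ctx["acl"] = w[2]
            elif kind == "transform" and w[:2] == ["mode", "transport"]:
                ctx.append("mode-transport")
            elif kind == "interface" and w[:2] == ["crypto", "map"]:
                cfg["applied"][ctx] = w[2]
            continue
        kind = ctx = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            kind, ctx = "policy", cfg["policies"].setdefault(int(w[3]), {})
        elif w[:3] == ["crypto", "isakmp", "key"]:    # key <key> address <peer>
            cfg["keys"][w[5]] = w[3]
        elif w[:3] == ["crypto", "isakmp", "keepalive"]:
            cfg["keepalive"] = int(w[3])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            kind, ctx = "transform", cfg["transforms"].setdefault(w[3], w[4:])
        elif w[0] == "access-list":
            cfg["acls"].setdefault(w[1], []).append(" ".join(w[2:]))
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[4] == "ipsec-isakmp":
            entry = {"peers": [], "transform": None, "acl": None}
            kind, ctx = "map", cfg["maps"].setdefault((w[2], int(w[3])), entry)
        elif w[0] in ("interface", "int"):
            kind, ctx = "interface", " ".join(w[1:])
    return cfg

LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def check_config(cfg):
    """Dangling references, peers without a key, unapplied maps, no keepalives, legacy algorithms."""
    out = []
    for seq, pol in sorted(cfg["policies"].items()):
        out += [f"isakmp policy {seq}: {a} {pol[a]} is a legacy algorithm"
                for a in ("encryption", "hash") if pol.get(a) in LEGACY]
    for name, ts in cfg["transforms"].items():
        out += [f"transform-set {name}: {t} is a legacy algorithm" for t in ts if t in LEGACY]
    psk = any(p.get("authentication") == "pre-shared" for p in cfg["policies"].values())
    for (name, seq), e in sorted(cfg["maps"].items()):
        if e["transform"] not in cfg["transforms"]:
            out.append(f"crypto map {name} {seq}: transform-set {e['transform']} not defined")
        if e["acl"] not in cfg["acls"]:
            out.append(f"crypto map {name} {seq}: access-list {e['acl']} not defined")
        out += [f"crypto map {name} {seq}: no pre-shared key for peer {p}"
                for p in e["peers"] if psk and p not in cfg["keys"]]
        if name not in cfg["applied"].values():
            out.append(f"crypto map {name} {seq}: map not applied to any interface")
    if cfg["keepalive"] is None:
        out.append("no 'crypto isakmp keepalive': a dead peer leaves stale SAs behind")
    return out

def sa_pairs(cfg):
    """One IPsec SA pair per crypto ACL line referenced from a crypto map entry."""
    return sum(len(cfg["acls"].get(e["acl"], [])) for e in cfg["maps"].values())
```

Running check_config on the constructed plain-IPsec sample reports three findings (3DES in the ISAKMP policy, esp-3des in the transform set, no keepalive); the GRE variant reports only the two algorithm findings and needs half the SA pairs, which is the point slide 22 makes about trivial ACLs reducing the number of SAs. Feeding in a configuration whose crypto map references an undefined ACL or a peer without a pre-shared key adds the corresponding finding.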

Slide 23: Agenda
- IPsec design options
- IPsec design issues: topologies; high availability; split tunneling; device placement
- IPsec management

Slide 24: Site-to-Site Full Mesh
- N * (N-1) / 2 tunnels
- Scaling issues with provisioning and routing protocols (... future Cisco features may help here ...)

Slide 25: Dynamic Multipoint VPN (DMVPN), 12.2(13)T
- Objective: easy-to-configure full-mesh IPsec VPN
- Uses multipoint GRE interfaces
- Uses NHRP (Next Hop Resolution Protocol)
- Only the hub connection is configured
- A spoke learns about its spoke peers dynamically

Slide 26: Dynamic Multipoint VPN - DMVPN, 12.2(13)T
- Hub: static public IP address
- Spokes: dynamic (or static) public IP addresses
- Spoke-to-hub IPsec tunnels: dynamic and permanent
- Spoke-to-spoke IPsec tunnels: dynamic and temporary
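To make the tunnel bookkeeping on slides 24-26 concrete, here is an added Python model written for this page (not Cisco's code, and not a real NHRP or mGRE implementation): the hub keeps an NHRP table mapping each spoke's tunnel address to its current public address, spokes register at start-up and re-register when their public address changes, a spoke's first packet to another spoke triggers a resolution that creates a temporary direct tunnel, and idle spoke-to-spoke tunnels are aged out. Names, addresses and the idle limit are all constructed for the example.

```python
"""Bookkeeping model of DMVPN tunnels versus a static full mesh (slides 24-26).
Added example, not Cisco's code: NHRP is reduced to a registration table plus a
resolution lookup, an IPsec SA is represented by a tunnel entry, and all
addresses are constructed (RFC 5737 ranges)."""
from itertools import combinations

def full_mesh_tunnels(sites):
    """Static full mesh: one configured tunnel per site pair, N*(N-1)/2 in total."""
    return {frozenset(pair) for pair in combinations(sites, 2)}

class DmvpnHub:
    """Hub with a static public address holding the NHRP mapping
    tunnel (overlay) address -> current public (NBMA) address."""
    def __init__(self, public_ip):
        self.public_ip, self.nhrp = public_ip, {}

    def register(self, spoke):            # NHRP registration from a spoke
        self.nhrp[spoke.tunnel_ip] = spoke.public_ip

    def resolve(self, tunnel_ip):         # NHRP resolution request from a spoke
        return self.nhrp.get(tunnel_ip)

class DmvpnSpoke:
    IDLE_LIMIT = 3   # ticks a dynamic spoke-to-spoke tunnel may sit idle

    def __init__(self, tunnel_ip, public_ip, hub):
        self.tunnel_ip, self.public_ip, self.hub = tunnel_ip, public_ip, hub
        self.dynamic = {}                 # peer public ip -> idle ticks
        hub.register(self)                # the hub is the only configured peer

    def move(self, new_public_ip):
        """The spoke gets a new dynamic public address and re-registers."""
        self.public_ip = new_public_ip
        self.hub.register(self)

    def send_to(self, peer_tunnel_ip):
        """Return the public address the packet is encapsulated to: straight to
        the peer when NHRP resolves it (a temporary spoke-to-spoke tunnel is
        created on first use), otherwise through the hub."""
        nbma = self.hub.resolve(peer_tunnel_ip)
        if nbma is None:
            return self.hub.public_ip
        self.dynamic[nbma] = 0            # fresh traffic resets the idle count
        return nbma

    def tick(self):
        """Age dynamic tunnels and tear down the ones idle for IDLE_LIMIT ticks."""
        for nbma in list(self.dynamic):
            self.dynamic[nbma] += 1
            if self.dynamic[nbma] >= self.IDLE_LIMIT:
                del self.dynamic[nbma]

    def tunnels(self):
        """Permanent hub tunnel plus whatever spoke-to-spoke tunnels exist now."""
        return 1 + len(self.dynamic)

def scenario():
    """Six sites: compare configured tunnels, then watch a spoke-to-spoke tunnel
    come and go and a spoke change its public address."""
    hub = DmvpnHub("192.0.2.1")
    spokes = [DmvpnSpoke(f"10.0.0.{i}", f"198.51.100.{i}", hub) for i in range(1, 6)]
    result = {
        "full_mesh": len(full_mesh_tunnels(["HUB"] + [s.tunnel_ip for s in spokes])),
        "dmvpn_configured": sum(s.tunnels() for s in spokes),
    }
    s1, s2 = spokes[0], spokes[1]
    result["first_hop_direct"] = s1.send_to(s2.tunnel_ip)    # spoke-to-spoke
    result["tunnels_after_traffic"] = s1.tunnels()
    result["unknown_goes_via_hub"] = s1.send_to("10.0.0.99")  # not registered
    for _ in range(DmvpnSpoke.IDLE_LIMIT):
        s1.tick()
    result["tunnels_after_idle"] = s1.tunnels()
    s2.move("203.0.113.7")                                   # dynamic address changes
    result["after_move"] = s1.send_to(s2.tunnel_ip)
    return result
```

scenario() returns the comparison for six sites: 15 tunnels in a static full mesh against 5 configured spoke-to-hub tunnels in DMVPN, with the spoke-to-spoke tunnel appearing on first use, disappearing after three idle ticks, and following the peer when its public address changes.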

Slide 27: Full Mesh: Tunnel Endpoint Discovery (TED)
- Dynamically discovers the tunnel endpoint (peer)
- In IOS since 12.0T
- Only works with routable (public) IP addresses
- Must be enabled in all peer routers
- Diagram: sites connected over MPLS-VPN / Frame Relay

Slide 28: TED Example
Alice (A) sits behind router X, Bob (B) behind router Y and Clive behind router Z.
- X: traffic from A to B must be protected; there is no SA, so X sends a TED probe
- Y: traffic to B must be protected; there is no SA, so Y blocks the packet and answers the probe
- IKE runs from Y to X and negotiates the SA for A to B (X acting as proxy)
Configuration on X (the dynamic crypto map is attached with the discover keyword; the network in access-list 100 was not preserved):

    X(config)# crypto dynamic-map DYN 10
     set transform-set ESP-3DES-SHA
     match address 100
    !
    crypto map IPSEC 99 ipsec-isakmp dynamic DYN discover
    !
    access-list 100 permit ip

Slide 29: IPsec Migration
Problem: migration to IPsec in large networks.
- Today: traffic in the clear
- 1. IPsec turned on at one end only: no communication possible
- 2. IPsec at both ends: everything encrypted

Slide 30: IPsec Passive Mode, 12.2(13)T (crypto ipsec optional)
Migration over time without losing connectivity:
- 1. passive on one router (the other still runs no IPsec)
- 2. passive on both routers: now all routers are on passive
- 3. active on one router, passive on the other
- 4. active on both routers: now all routers are running normal IPsec

Slide 31: Agenda
- IPsec design options
- IPsec design issues: topologies; high availability; split tunneling; device placement
- IPsec management

Slide 32: High-Availability Design
Stateless options today:
- IPsec and Dead Peer Detection
- IPsec and HSRP
- IPsec/GRE: routing protocols
Diagram: a remote site reaching two head-ends (HE-1, HE-2) across the Internet, with the corporate intranet behind them.

Slide 33: Dead Peer Detection (IKE keepalives)
- Supported on IOS, PIX, VPN 3000 and the Cisco VPN Client
- Hellos are sent between IKE peers that have active tunnels established
- Detects dead peers (stale IPsec SAs)
- On the third hello packet failure, IKE attempts to set up a new tunnel to the next peer in the list
Diagram: remote router R1 (networks S1, S2 behind it) and a VPN Client (P1) sending hellos to head-ends HE-1 and HE-2.

Slide 34: Dead Peer Detection vs IKE keepalives
- DPD is an optimization of IKE keepalives: "I don't bother to check the peer by sending a keepalive if I am receiving data from the peer"
- DPD compatibility: IOS 12.2(8)T and later; PIX 6.0 and later; VPN (version not preserved in the transcript) and later

Slide 35: High Availability with Dead Peer Detection
Remote router with both head-ends listed as peers; IKE tries them in order (peer addresses not preserved):

    crypto map IPSEC 10 ipsec-isakmp
     match address 10
     set peer
     set peer
     set transform-set ESP-3DES-SHA

Slide 36: IPsec and HSRP+
- Supported on IOS
- The HSRP address is used as the tunnel endpoint
- The active device terminates the IPsec tunnel
- In the event of failure, the standby device takes over (SAs will be renegotiated)

Slide 37: High Availability with IPsec and HSRP+
Remote router (the peer is the HSRP virtual address; not preserved):

    crypto map IPSEC 10 ipsec-isakmp
     match address 10
     set peer
     set transform-set ESP-3DES-SHA

Head-end (interface and standby addresses not preserved):

    interface Ethernet1/0
     ip address
     standby 1 ip
     standby 1 priority 200
     standby 1 preempt
     standby 1 name VPNHA
     standby 1 track Ethernet1/1 150
     crypto map VPN redundancy VPNHA

Slide 38: Reverse Route Injection (RRI), 12.2(8)T
- Because IOS is active-active and the next-hop device cannot know which router "has" the active tunnel, Reverse Route Injection (RRI) is required for state tracking
- Works with DPD and HSRP+
- Diagram: the intranet next hop asking "who should I send traffic to for <the remote network>?" (the prefix was not preserved)

Slide 39: Reverse Route Injection Example
Head-end configuration: keepalives every 10 seconds and reverse-route on the crypto map entry, so the remote network is injected into the routing table while the SA is up (peer address not preserved):

    crypto isakmp keepalive 10
    !
    crypto map vpn 20 ipsec-isakmp
     set peer
     set transform-set ESP-3DES-SHA
     match address 102
     reverse-route
    !

Slide 40: RRI in Action
RRI triggers when the SA goes down. Sequence between the remote site (a /24 LAN, prefix not preserved) and the primary (P) and secondary (S) head-ends:
- (1) SA established to the primary; sending IKE keepalives
- (2) Router P, RRI: "I can reach <remote LAN>"
- (3) Intranet route: <remote LAN>/24 via P
- (4) The primary fails (the slide's legend for the crash symbol reads "Unscheduled Immediate Memory Initialization Routine")
- (5) Secondary active
- (6) New SA established to the secondary; sending IKE keepalives
- (7) Router S, RRI: "I can reach <remote LAN>"
- (8) Intranet route: <remote LAN>/24 via S
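Slides 33-35 and 38-40 describe two mechanisms that only work together: DPD decides that a peer is dead, and RRI keeps the intranet routing table pointing at whichever head-end currently holds the SA. The following Python is an added simulation written for this page, not Cisco's code: IKE is reduced to whether a peer answers, the shared routing table is a dict, and the names P and S and the 10.9.9.0/24 remote LAN are constructed.

```python
"""Simulation of Dead Peer Detection failover (slides 33-35) combined with
Reverse Route Injection (slides 38-40).  Added example, not Cisco's code: IKE is
reduced to 'peer answers a hello or not', the corporate routing table is a dict
shared by the head-ends, and all names and addresses are constructed."""

REMOTE_LAN = "10.9.9.0/24"   # the network behind the remote router (constructed)

class HeadEnd:
    def __init__(self, name, routing_table):
        self.name, self.alive = name, True
        self.routes = routing_table        # shared intranet table: prefix -> head-end

    def answer_hello(self):
        return self.alive

    def sa_up(self, prefix):               # RRI: inject the remote LAN when the SA comes up
        self.routes[prefix] = self.name

    def sa_down(self, prefix):             # RRI: withdraw it when the SA is deleted
        if self.routes.get(prefix) == self.name:
            del self.routes[prefix]

    def crash(self):
        """The box dies: it stops answering and its injected routes go with it."""
        self.alive = False
        for prefix in [p for p, owner in self.routes.items() if owner == self.name]:
            del self.routes[prefix]

class RemoteRouter:
    MAX_FAILURES = 3    # third unanswered hello -> peer declared dead (slide 33)

    def __init__(self, peers):
        self.peers = list(peers)           # ordered like the 'set peer' lines
        self.active, self.failures = None, 0
        self.data_seen = False             # DPD: received data counts as proof of life
        self.log = []

    def establish(self, start=0):
        """IKE to the peers in configured order, starting after the dead one."""
        for peer in self.peers[start:] + self.peers[:start]:
            if peer.alive:                 # IKE only completes with a live peer
                self.active, self.failures = peer, 0
                peer.sa_up(REMOTE_LAN)
                self.log.append(f"SA established to {peer.name}")
                return peer
        self.active = None
        self.log.append("no peer reachable")
        return None

    def receive_data(self):
        self.data_seen = True

    def keepalive_tick(self):
        """One keepalive interval.  With DPD the hello is skipped when data came
        in; three unanswered hellos in a row fail over to the next peer."""
        if self.active is None:
            return self.establish()
        if self.data_seen:
            self.data_seen, self.failures = False, 0
            return self.active
        if self.active.answer_hello():
            self.failures = 0
            return self.active
        self.failures += 1
        self.log.append(f"hello to {self.active.name} unanswered ({self.failures})")
        if self.failures < self.MAX_FAILURES:
            return self.active
        dead = self.active
        dead.sa_down(REMOTE_LAN)           # drop the stale SA's route if still present
        self.log.append(f"{dead.name} declared dead")
        return self.establish(self.peers.index(dead) + 1)

def scenario():
    """Slide 40 sequence: SA to the primary, primary crashes, DPD fails over to
    the secondary and RRI moves the route.  Returns the route owner at each stage."""
    routes = {}
    primary, secondary = HeadEnd("P", routes), HeadEnd("S", routes)
    remote = RemoteRouter([primary, secondary])
    remote.establish()                                    # (1), (2), (3)
    via_primary = routes.get(REMOTE_LAN)
    remote.receive_data()
    remote.keepalive_tick()                               # data seen: no hello needed
    primary.crash()                                       # (4)
    during_outage = routes.get(REMOTE_LAN)                # nobody claims the prefix
    for _ in range(RemoteRouter.MAX_FAILURES):
        remote.keepalive_tick()                           # (5) to (8)
    return via_primary, during_outage, routes.get(REMOTE_LAN), remote.log
```

scenario() walks through the slide 40 sequence and returns the route owner before the crash (P), during the outage (none, which is the "who should I send traffic to?" gap of slide 38) and after failover (S). The DPD optimization shows up in keepalive_tick(): an interval in which data arrived from the peer sends no hello at all, and the failure counter only advances on hellos that actually went unanswered.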

Slide 41: High Availability with IPsec/GRE
- Just plain routing! (OSPF, EIGRP, ...)
- Routing copes with some failures other methods can't detect
- Local and geographical redundancy possible
- The IPsec and GRE tunnels are always up, since the routing protocols are always running (except under failure conditions)

Slide 42: High Availability with IPsec/GRE - configuration
The remote router has one tunnel to each head-end (labelled tunnel 1 and tunnel 2 in the diagram); OSPF costs on the tunnel interfaces pick the preferred head-end. Interface numbers and cost values were not preserved in the transcript.
Remote:

    int tunnel
     ip ospf cost
    !
    int tunnel
     ip ospf cost

HE-1:

    int tunnel
     ip ospf cost

HE-2:

    int tunnel
     ip ospf cost

Slide 43: Local/Geographical Failover/Load-Balancing
- The Cisco VPN Client supports the notion of backup servers for high availability; PIX, 3000 and IOS compatible
- The 3000 Concentrator also supports local clustering: local load sharing (not geographical)
- DNS-resolution-based load balancing could also be used, as the client resolves the FQDN of the head-end device (geographical)

Slide 44: High Availability Summary
Key: DPD = Dead Peer Detection; RP = Routing Protocol; RRI = Reverse Route Injection. Matrix of remote device (IOS, PIX, 3000) against head-end device (IOS, PIX Failover, 3000); the cell layout did not survive the transcript. The cell text reads: RP; DPD (RRI); HSRP+ (RRI); DPD; DPD (RRI); DPD; DPD (RRI); HSRP+ (RRI); DPD (RRI); HSRP+ (RRI); DPD (RRI).

Slide 45: Agenda
- IPsec design options
- IPsec design issues: topologies; high availability; split tunneling; device placement
- IPsec management

Slide 46: Split Tunneling
Diagram: a VPN Client with split tunneling enabled; corporate traffic goes through the VPN to the VPN hardware at the head-end (no NAT), Internet traffic goes out directly (NAT).

Slide 47: Split Tunneling
- Should it be allowed? Policy decision!
- If allowed, a firewall is needed at the remote end
- Cisco VPN Client: a $0 firewall; by default it stops incoming connections and allows outgoing connections; the firewall is active even when the VPN client is not connected; firewall policies can be pushed from the VPN 3000 concentrator

Slide 48: Agenda
- IPsec design options
- IPsec design issues: topologies; high availability; split tunneling; device placement
- IPsec management

Slide 49: VPN Device with separate Firewall
Traffic path from the WAN edge to the campus: in front of the VPN device there is nothing to see crypto-wise, so only stateless L3 filtering (IKE, ESP) is possible; then VPN termination in a DMZ; then, on the decrypted side, L4-L7 stateful inspection and filtering, DoS mitigation and focused Layer 4-7 analysis.

Slide 50: Agenda
- IPsec design options
- IPsec design issues
- IPsec management

Slide 51: VPN Management
- Nothing dramatically new: configuration management, performance management, fault management, software updates
- Many of the same tools apply: SNMP, TFTP, SSH
- Management traffic should be encrypted (IPsec vs SSH)

Slide 52: VPN Management Applications
- Device managers (on the box): PDM, the PIX Device Manager; VDM, the VPN Device Manager for IOS and 3000
- Multiple-device centers: VPN/Security Management Solution (VMS) 2.1 for IOS, IDS and PIX; VPN Solution Center (VPNSC), primary focus service providers

Slide 53: VPN/Security Management Solution 2.1
Management Centers (MCs) for:
- VPN routers
- PIX Firewall
- IDS sensors

Slide 54: VMS 2.1 / Router MC
- Web based
- IOS IPsec/GRE (hub/spoke topologies)
- Workflow approach (create task / approve task)
- Grouping of devices, apply policy on a group

Slide 55: VMS 2.1 / VPN Monitor
- Performance monitoring of IOS and VPN 3000
- Number of tunnels
- Status/performance of tunnels
- Performance threshold violations