© 2001, Cisco Systems, Inc. All rights reserved.
Cisco VPN solutions
Infosecurity 2002
Agenda
• Why VPN
• Reference architecture
• Cisco VPN solutions
• Security keys: eToken and SmartCards
• Demo track
Why VPN
• Cost reduction
• Improvement in
– Productivity
– Communication flexibility
– Network management
Source: Gartner Group Fall 2001
Reference architectures
(Diagram: central site with Internet connection, DMZ 1 and DMZ 2, in/out interfaces)
• Branch Office LAN-LAN VPN: router, intranet servers, file servers
• Remote Access VPN for SOHO and Broadband Users: cable, DSL, analog, ISDN
• Remote Access VPN for Dialup and Roaming Users: T1/E1, Ethernet
Soluzioni VPN Cisco
• Cisco VPN based on IOS functionality (IPSec VPN): Cisco routers for site-to-site IPsec VPN solutions
• Cisco VPN Firewall-to-Firewall: PIX Firewall as IPSec tunnel terminator
• Cisco VPN based on VPN concentrator and VPN client: dedicated high-performance appliance for LAN-to-LAN and client-access solutions
• Interoperable solutions
– PIX <-> IOS, IOS <-> VPN concentrator, PIX <-> VPN concentrator
– Client -> PIX, Client -> VPN concentrator, Client -> IOS (Unity client)
Cisco VPN 3000 Concentrator v 3.5
VPN 3000 Series: Features
Purpose-built
• Designed for Enterprise VPN services
• Scalability: modular and upgradable
• Performance: hardware encryption
• Flexibility: VPN for remote access, LAN-LAN, extranet
• Fully interoperable with PIX and IOS
• High availability: redundant power, redundant Encryption Processors, dual flash, VRRP, load balancing
VPN 3000 Series: Features
Purpose-built
• Management: Web-based graphical interface
• Security: support for the major VPN protocols
• Ease of implementation: non-disruptive insertion into existing networks (routers, firewalls, authentication servers, etc.)
• Client software included with unlimited license and preconfigurable for remote installation
VPN based on the 3000 Series: Architecture
(Diagram: central site with Internet connection, DMZ 1 and DMZ 2, in/out interfaces)
• Branch Office LAN-LAN VPN: router, intranet servers, file servers
• SOHO and Broadband Users with Cisco VPN Client: cable, DSL, analog, ISDN
• Remote Access VPN with Cisco VPN Client: T1/E1, Ethernet
VPN 3000 Concentrator v 3.5
Modular and expandable

Model            3005      3015      3030      3060      3080
Tunnels          100       100       1,500     5,000     10,000
Encryption       S/W       S/W       H/W       H/W       H/W
Performance      4 Mbps    4 Mbps    50 Mbps   100 Mbps  100 Mbps
Memory           32 MB     64 MB     128 MB    256 MB    256 MB
SEPs Installed   N/A       0         1         2         4
Upgradeable      No        Yes       Yes       No        No
Redundant PS     No        Option    Option    Option    Included
Redundant SEPs   N/A       N/A       Option    Option    Included
Platform features: Model 3005
• Fixed configuration
• Software encryption
• Best suited for:
– Branch Office
– Medium Business
Platform features: Models 3015, 3030, 3060, 3080
• Modular
• Expandable
• Redundancy capable
• Hardware encryption
Security: Features
• Encryption algorithms
– 56-bit DES
– 168-bit Triple-DES
– Microsoft Encryption (MPPE): 40/128-bit RC4
• IPSec: authentication algorithms
– HMAC (Hashed Message Authentication Coding) with MD5
– HMAC with SHA-1
• Key management
– IKE with Diffie-Hellman
– Digital certificates, smartcards and token cards
– SCEP support for CA enrolment
Security: Features
• Digital certificate support
– Entrust, Baltimore, CyberTrust, Verisign, RSA Keon, Microsoft Win2K, PGP
• Token and smartcard support
– Tested with: Gemplus, Activcard (Schlumberger cards), eAladdin
• Packet filtering, security and personal firewall
– Profiles defined per user or group
– Filters by source/destination address, port and protocol
– Centralized control of the enforcement of security and personal firewall policies on the VPN Client
• Authentication
– Internal database, RADIUS, SDI (new card and next PIN code)
– NT Domain, MS-CHAP v1 & v2
High Availability: Features
• 200,000+ hrs. MTBF
• Redundant power supplies and fans, dual image flash memory
• Hot swap, redundant Service Encryption Processors (SEP)
• Remote Access
– Backup server for VPN Client v3.5 for Microsoft, Linux, Sun Solaris, MacOS
– Backup server list for the VPN 3002 hardware client v3.5
• LAN to LAN
– Virtual Router Redundancy Protocol (VRRP) and load balancing
– Automatic recovery
– Same IP addresses, MAC addresses
Redundancy: Features
• Remote Access: with client software for Microsoft, Linux, Sun Solaris, MacOS
• LAN to LAN: Virtual Router Redundancy Protocol (VRRP) and load balancing
– Automatic recovery
– Same IP addresses, MAC addresses
(Diagram: Branch Office connected over the Internet via T1/T3 to central-site concentrators A and B; peer = A; IP address lists: "A, B, C" and "B, A, C")
Management: Features
• Web-based and XML management
– Telnet/SSL (character-based)
– HTTP/HTTPS (integrated VPN device manager)
• Multi-level control
– Role-based management
• FTP/TFTP support
Console/Telnet Interface
Character-based, menu-driven
VPN Device Manager (VDM)
HTML based
NETWORK COMPUTING: “..has a great overall management architecture with configuration options laid out in a logical tree structure, a hierarchical profile management and excellent troubleshooting tools.”
Cisco VPN Client v 3.5
VPN 3000 Client 3.5: Features
• Broad operating system support
– Windows 95 OSR2+/98/ME/NT4/W2K/XP
– Linux Intel (command line only)
– Solaris UltraSPARC 32-bit (command line only)
– MAC OS X 10.1 (command line only)
• Cisco VPN 3000 Client Software
– IPSec compliant
– Unlimited license for all models
– Easy deployment
– Installation wizard
– Backup server support
– Policies controlled by the VPN concentrator
VPN 3000 Client 3.5: Personal Firewall and Smartcards
• Integrated personal firewall (stateful): Zone Labs technology (Zone Alarm)
– Two modes:
– Always On default policy (user-configurable)
– Central Protection Policy (CPP): policies controlled and managed centrally
• Smartcard support: Gemplus, Activcard (Schlumberger cards), Aladdin
VPN 3000 Client 3.5: Authentication and NAT support
• NT password expiration with MSCHAPv2: prompts the user to change the password when it expires.
– The VPN concentrator uses v3.5 & RADIUS MSCHAPv2 authentication with the server (e.g. Cisco Secure ACS v3.0, MS IAS)
• IPsec/UDP and IPSec/TCP: allow IPSec tunnels to be established across intermediate NAT devices, typically in extranets.
VPN 3000 Client 3.5: Installation and Management
• Single-click installation
– Preconfigured .INI file
• Centralized management of configuration and security policies
– Self-installing without user intervention
– Configuration and policies are ‘pushed’ from the concentrator
VPN 3000 Client: Advanced features
• Split tunneling (optional)
– IPSec tunnels for enterprise-specific traffic (i.e. email, file servers, etc.)
– Clear-text traffic for ‘traditional’ Internet access (i.e. web surfing, newsgroups, etc.)
(Diagram: Remote User with Cisco VPN 3000 Client and router; Internet; Central Site with router and Cisco VPN 3000 Concentrator; Internet site Stockmaster.com)
Cisco VPN 3002 Hardware Client Series
Cisco VPN 3002 Hardware Client: Definition
• The Cisco VPN 3002 Hardware Client can be used in place of the software client: it is like the software client, but in hardware!
• The 3002 has two primary functions:
– Deployed with the same simplicity as the client
– Scalable (>50,000 units)
• The 3002 comes in two hardware versions:
– Ethernet
– Ethernet with 8-port 10/100 Mbps Auto-MDIX switch
Cisco VPN 3002 Hardware Client: Physical characteristics
Front: basic 3002 without switch; 3002 unit with 8-port 10/100 switch
• External power supply
• RS-232 console with RJ-45 connector
• 10/100 Mbps Ethernet ports
• Switch with Auto-MDIX, eliminating crossover cables
• Reset switch to return the unit to the default configuration
• 6x8x2” size with flat top and wall-mount key holes
• Silent, convection-cooled operation
• FCC Class B certification, CISPR, CUL, others
Cisco VPN 3002 Hardware Client: Features
• Simple deployment
– The 3002 includes a DHCP client/server, up to 253 stations
– The 3002 includes 2 operating modes:
– Client Mode: “drop in” deployment, invisible, for non-routable networks
– Network Extension Mode: for routable networks
– Configuration via Web or console port
– Throughput up to 1.5 Mbps in 3DES
– “Unity Client” operation: can connect to VPN 3000, PIX, IOS
• Security
– The 3002 only allows sessions to be opened outbound
– Supports pre-shared secrets and digital certificates
– Policies managed and enforced by the VPN Concentrator
Cisco VPN 3002 Hardware Client: DHCP and NAPT Firewall
(Diagram: Remote Office/Satellite Office with Cisco VPN 3002 Hardware Client, public and private sides; Internet with Yahoo site; Central Site with Cisco VPN 3030 Concentrator and internal private net 172.168.0.x)
• As DHCP server, the 3002 maintains a pool of addresses to assign to the stations on the private network, e.g. a station is served the address 192.168.5.1 with a subnet mask of 255.255.255.0
• As DHCP client, the 3002 acquires an address, e.g. 24.128.46.83, from the cable modem, ISP, etc.
• The concentrator assigns 178.168.0.52 to the client (which thinks it is locally on the 3030 network)
• One address for the entire network behind the 3002: NAT/PAT outbound hides the stations
• In Client mode, the stations behind the 3002 are invisible to the outside world regardless of whether split tunneling is used
• In Network Extension mode, the stations behind the 3002 are visible only from the Central Site
• PAT is always used to connect to the Internet via split tunneling
• Only ‘outbound’ connections are allowed
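As an added illustration (not part of the original deck, not Cisco code) of the Client-mode behaviour on this slide and of the split tunneling described for the software client: a Python simulation of a 3002 that PATs outbound traffic, sends central-site destinations through the IPsec tunnel, sends other destinations in the clear when split tunneling is on, and drops any inbound packet that does not match a session a station opened. The addresses come from the slide; the translation-table layout, the port allocation and the class and method names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Values taken from the slide; the /24 for the central-site net is assumed.
CENTRAL_SITE = ip_network("172.168.0.0/24")   # "Int. Pvt Net" behind the 3030
PUBLIC_ADDR = ip_address("24.128.46.83")      # acquired via DHCP from the ISP
TUNNEL_ADDR = ip_address("178.168.0.52")      # assigned to the 3002 by the concentrator


@dataclass
class ClientMode3002:
    """Hypothetical model of a 3002 in Client mode (simulation, not Cisco's code)."""
    split_tunneling: bool = True
    next_port: int = 10000                    # constructed PAT port range start
    # (outer_ip, outer_port) -> (station_ip, station_port)
    translations: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A station behind the 3002 opens a session.
        Returns (path, (outer source ip, outer source port))."""
        dst = ip_address(dst_ip)
        if dst in CENTRAL_SITE or not self.split_tunneling:
            outer, path = TUNNEL_ADDR, "ipsec-tunnel"   # PAT behind the concentrator-assigned address
        else:
            outer, path = PUBLIC_ADDR, "clear-text"     # PAT behind the ISP address, split tunnel
        port = self.next_port
        self.next_port += 1
        self.translations[(outer, port)] = (ip_address(src_ip), src_port)
        return path, (str(outer), port)

    def inbound(self, dst_ip, dst_port):
        """A packet arrives at the 3002 from the tunnel or the Internet.
        Only replies to station-initiated sessions are delivered; anything
        else has no translation, so the station stays invisible and the
        packet is dropped (returns None)."""
        key = (ip_address(dst_ip), dst_port)
        if key not in self.translations:
            return None
        station_ip, station_port = self.translations[key]
        return str(station_ip), station_port
```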
Security keys: eToken and SmartCards
Aladdin: Features
• Insert a single reference slide for partner Aladdin, who will then hold their own session
Demo track
Demo track
• Insert the demo diagram and track