Cisco Press VPN solutions

Post on 08-Dec-2016


© 2001, Cisco Systems, Inc. All rights reserved.

Cisco VPN solutions

Infosecurity 2002


Agenda

• Why VPN

• Reference architecture

• Cisco VPN solutions

• Security keys: eToken and SmartCards

• Demo track


Why VPN

• Cost reduction

• Improvements in:

Productivity

Communication flexibility

Network management

Source: Gartner Group Fall 2001


Reference architectures

[Diagram: Branch Office LAN-LAN VPN (router; intranet servers, file servers); Remote Access VPN for SOHO and broadband users (cable, DSL, analog, ISDN); Remote Access VPN for dial-up and roaming users (T1/E1, Ethernet); all reaching the central site over the Internet through a firewall with DMZ 1 and DMZ 2 (in/out interfaces)]


Cisco VPN solutions

• Cisco VPNs based on IOS functionality (IPSec VPN): Cisco routers for site-to-site IPSec VPN solutions

• Cisco Firewall-to-Firewall VPN: PIX Firewall as IPSec tunnel terminator

• Cisco VPNs based on VPN concentrator and VPN client: dedicated high-performance appliance for LAN-to-LAN and client-access solutions

• Interoperable solutions:

PIX <-> IOS, IOS <-> VPN concentrator, PIX <-> VPN concentrator

Client -> PIX, Client -> VPN concentrator, Client -> IOS (Unity client)


Cisco VPN 3000 Concentrator v 3.5


VPN 3000 Series: Features, Purpose-Built

• Designed for enterprise VPN services

• Scalability: modular and upgradeable

• Performance: encryption in hardware

• Flexibility: VPN for remote access, LAN-LAN, extranet

• Fully interoperable with PIX and IOS

• High availability: redundant power, redundant Encryption Processors, dual flash, VRRP, load balancing


VPN 3000 Series: Features, Purpose-Built

• Management: web-based graphical interface

• Security: support for the major VPN protocols

• Ease of implementation: non-disruptive insertion into existing networks (routers, firewalls, authentication servers, etc.)

• Client software included with unlimited license, and preconfigurable for remote installation


VPN based on the 3000 Series: Architecture

[Diagram: Branch Office LAN-LAN VPN (router; intranet servers, file servers); SOHO and broadband users with the Cisco VPN Client (cable, DSL, analog, ISDN); Remote Access VPN with the Cisco VPN Client (T1/E1, Ethernet); all reaching the central site over the Internet through a firewall with DMZ 1 and DMZ 2 (in/out interfaces)]


VPN 3000 Concentrator v 3.5

Model            3080       3060       3030       3015       3005
Tunnels          10,000     5,000      1,500      100        100
Encryption       H/W        H/W        H/W        S/W        S/W
Performance      100 Mbps   100 Mbps   50 Mbps    4 Mbps     4 Mbps
Memory           256 MB     256 MB     128 MB     64 MB      32 MB
SEPs installed   4          2          1          0          N/A
Upgradeable      No         No         Yes        Yes        No
Redundant PS     Included   Option     Option     Option     No
Redundant SEPs   Included   Option     Option     N/A        N/A

Modular and expandable


Platform features: Model 3005

• Fixed configuration

• Encryption in software

• Best suited for: branch office, medium business


Platform features: Models 3015, 3030, 3060, 3080

• Modular

• Expandable

• Redundancy-capable

• Hardware encryption


Security: Features

• Encryption algorithms

56-bit DES

168-bit Triple-DES

Microsoft Encryption (MPPE) - 40/128-bit RC4

• IPSec: authentication algorithms

HMAC (Hash-based Message Authentication Code) with MD5

HMAC with SHA-1

• Key management

IKE with Diffie-Hellman

Digital certificates, smartcards and token cards

SCEP support for CA enrolment


Security: Features

• Digital certificate support

Entrust, Baltimore, CyberTrust, Verisign, RSA Keon, Microsoft Win2K, PGP

• Token and smartcard support: tested with Gemplus, Activcard (Schlumberger cards), eAladdin

• Packet filtering, security and personal firewall

Profiles defined per user or group

Filters by source/destination address, port, and protocol

Centralized control of the enforcement of security and personal firewall policies on the VPN Client

• Authentication

Internal database, RADIUS, SDI (new card and next PIN code)

NT Domain, MS-CHAP v1 & v2


High Availability: Features

• 200,000+ hrs. MTBF

• Redundant power supplies and fans, dual-image flash memory

• Hot swap, redundant Service Encryption Processors (SEP)

• Remote Access

– Backup server for VPN Client v3.5 for Microsoft, Linux, Sun Solaris, MacOS

– Backup server list for the VPN 3002 hardware client v3.5

• LAN to LAN

– Virtual Router Redundancy Protocol (VRRP) and Load Balancing

• Automatic recovery

• Same IP addresses, MAC addresses


Redundancy: Features

• Remote Access: with client software for Microsoft, Linux, Sun Solaris, MacOS

• LAN to LAN: Virtual Router Redundancy Protocol (VRRP) and Load Balancing

• Automatic recovery

• Same IP addresses, MAC addresses

[Diagram: a branch office connected over the Internet (T1/T3) to central-site concentrators A and B; the branch peers with A, with backup IP address lists "A, B, C" and "B, A, C"]


Management: Features

• Web-based and XML management

Telnet/SSL (character-based)

HTTP/HTTPS (integrated VPN device manager)

• Multi-level control: role-based management

• FTP/TFTP support


Console/Telnet Interface: menu-driven, character-based


NETWORK COMPUTING: “..has a great overall management architecture with configuration options laid out in a logical tree structure, a hierarchical profile management and excellent troubleshooting tools.”

VPN Device Manager (VDM): HTML based


Cisco VPN Client v 3.5


VPN 3000 Client 3.5: Features

• Broad operating system support

Windows 95 OSR2+/98/ME/NT4/W2K/XP

Linux Intel (command line only)

Solaris UltraSPARC 32-bit (command line only)

Mac OS X 10.1 (command line only)

• Cisco VPN 3000 Client software

IPSec compliant

Unlimited license for all models

Easy deployment

Installation wizard

Backup server support

Policies controlled by the VPN concentrator


VPN 3000 Client 3.5: Personal Firewall and Smartcards

• Integrated personal firewall (stateful): Zone Labs technology (Zone Alarm)

Two modes:

Always On default policy (user-configurable)

Central Protection Policy (CPP): policies controlled and managed centrally

• Smartcard support: Gemplus, Activcard (Schlumberger cards), Aladdin


VPN 3000 Client 3.5: Authentication and NAT support

• NT password expiration with MSCHAPv2: prompts the user to change the password when it expires.

The VPN concentrator v3.5 uses RADIUS MSCHAPv2 authentication with the server (e.g. Cisco Secure ACS v3.0, MS IAS)

• IPsec/UDP and IPSec/TCP: allow IPSec tunnels to be built in environments with intermediate NAT, typically extranets.


VPN 3000 Client 3.5: Installation and Management

• Single-click installation

Preconfigured .INI file

• Centralized management of configuration and security policies

Self-installing with no user intervention

Configuration and policies are 'pushed' from the concentrator


VPN 3000 Client: Advanced features

• Split tunneling (optional)

IPSec tunnels for enterprise-specific traffic (i.e. email, file servers, etc.)

Clear-text traffic for 'traditional' Internet access (i.e. web surfing, newsgroups, etc.)

[Diagram: a remote user with the Cisco VPN 3000 Client; tunnelled traffic goes through a router to the Cisco VPN 3000 Concentrator at the central site, while clear-text traffic goes through a router to Stockmaster.com]


Cisco VPN 3002 Hardware Client Series


Cisco VPN 3002 Hardware Client: Definition

• The Cisco VPN 3002 Hardware Client can be used in place of the software client: it is like the software client, but in hardware!

• The 3002 has two primary features:

Deployed with the same simplicity as the client

Scalable (>50,000 units)

• The 3002 comes in two hardware versions:

Ethernet

Ethernet with 8-port 10/100 Mbps Auto-MDIX switch

3002 Hardware Client:


Cisco VPN 3002 Hardware Client: Physical characteristics

Front: basic 3002 without switch; 3002 unit with 8-port 10/100 switch

• External power supply

• RS-232 console with RJ-45 connector

• 10/100 Mbps Ethernet ports

• Switch with Auto-MDIX, eliminating crossover cables

• Reset switch to return the unit to the default configuration

• 6x8x2” size with flat top and wall-mount key holes

• Silent, convection-cooled operation

• FCC Class B certification, CISPR, CUL, others


Cisco VPN 3002 Hardware Client: Features

• Simple deployment

The 3002 includes a DHCP client/server, up to 253 stations

The 3002 has 2 operating modes:

- Client Mode: “drop in” deployment, invisible, for non-routable networks

- Network Extension Mode: for routable networks

Configuration via web or console port

Throughput up to 1.5 Mbps in 3DES

“Unity Client” operation: can connect to VPN 3000, PIX, IOS

• Security

The 3002 only allows sessions to be opened outbound

Supports pre-shared secrets and digital certificates

Policies managed and enforced by the VPN Concentrator


Cisco VPN 3002 Hardware Client: DHCP and NAPT Firewall

[Diagram: a Cisco VPN 3002 Hardware Client at a remote/satellite office, a Cisco VPN 3030 Concentrator at the central site (internal private network 172.168.0.x), and a Yahoo site on the Internet; public side on the left, private side on the right]

As DHCP server, the 3002 maintains a pool of addresses to assign to the stations on the private network, e.g. this station is served an address of 192.168.5.1 with a subnet mask of 255.255.255.0.

As DHCP client, the 3002 acquires an address, e.g. 24.128.46.83, from the cable modem, ISP, etc.

The concentrator assigns 178.168.0.52 to the client (which thinks it is locally on the 3030 network).

One address for the entire network behind the 3002: NAT/PAT outbound hides the stations.

• In Client mode, the stations behind the 3002 are invisible to the outside world regardless of whether split tunneling is used

• In Network Extension mode, the stations behind the 3002 are visible only from the central site

• PAT is always used to connect to the Internet via split tunneling

• Only ‘outbound’ connections are allowed
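As an added illustration (not Cisco code and not from the slides), the following Python model applies the Client mode / Network Extension mode rules above to sample packets: which path a station's packet takes, which source address the far end sees, and which inbound packets the 3002 accepts. The addresses come from the slide diagram; the subnet masks, the Internet host and the class and function names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Addressing taken from the slide diagram; masks and the Internet host are assumptions.
STATIONS    = ip_network("192.168.5.0/24")   # DHCP pool the 3002 serves behind itself
CENTRAL_NET = ip_network("172.168.0.0/24")   # central-site private network behind the 3030
PUBLIC_ADDR = "24.128.46.83"                 # address the 3002 obtained as a DHCP client
TUNNEL_ADDR = "178.168.0.52"                 # address the concentrator assigned to the 3002


@dataclass
class Vpn3002Model:
    """Toy model of the 3002 forwarding rules described on the slide (hypothetical)."""
    mode: str                 # "client" or "network-extension"
    split_tunnel: bool
    sessions: set = field(default_factory=set)   # outbound flows the NAPT table remembers

    def outbound(self, src, dst, dport):
        """Packet from a station: returns (path, source address the peer sees)."""
        if ip_address(src) not in STATIONS:
            raise ValueError("not a station behind the 3002")
        # Without split tunneling every packet goes through the IPSec tunnel.
        tunneled = ip_address(dst) in CENTRAL_NET or not self.split_tunnel
        if tunneled:
            # Client mode hides the station behind the concentrator-assigned address;
            # Network Extension mode lets the central site see the real station address.
            seen = TUNNEL_ADDR if self.mode == "client" else src
            path = "tunnel"
        else:
            # Split-tunnelled Internet traffic is always PATed to the single public address.
            seen, path = PUBLIC_ADDR, "clear"
        self.sessions.add((seen, dst, dport))
        return path, seen

    def inbound(self, src, dst, sport, via):
        """Packet arriving via 'tunnel' or 'clear'. Only replies to an existing outbound
        session pass, except that in Network Extension mode the central site may reach
        the stations directly through the tunnel."""
        if (via == "tunnel" and self.mode == "network-extension"
                and ip_address(src) in CENTRAL_NET and ip_address(dst) in STATIONS):
            return True
        return (dst, src, sport) in self.sessions
```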


Security keys: eToken and SmartCards


Aladdin: Features

• Insert a single reference slide for the partner Aladdin, who will then hold their own session


Demo track


Demo track

• Insert the demo's diagram and track
