Table of Contents

Overview of Business Scenarios
Considerations
Assumptions

Before You Begin

This chapter provides an overview of the business scenarios covered in this guide, items you should consider before attempting to configure a Virtual Private Network (VPN) on your Cisco 7100 series router, and the assumptions this guide makes.

This chapter includes the following sections:

• Overview of Business Scenarios

• Considerations

• Assumptions

Overview of Business Scenarios

The intranet and extranet scenarios explained in this guide provide a remote office and a business partner access to a corporate headquarters network through secure generic routing encapsulation (GRE) or IP Security Protocol (IPSec) tunnels. The remote access scenario provides a remote user access to a corporate headquarters network through secure IPSec, Point-to-Point Tunneling Protocol (PPTP), or Layer 2 Tunnel Protocol (L2TP) tunnels. (See Figure 2-1.)

Note For detailed information on configuring network access server (NAS)-initiated access VPNs using the Layer 2 Forwarding (L2F) tunneling protocol, refer to the Access VPN Solutions Using Tunneling Technology publication.

In each scenario, a tunnel is constructed, encryption is applied on the tunnel, and different traffic types (for example, IP, User Datagram Protocol [UDP], and Transmission Control Protocol [TCP]) are either permitted or denied access to the tunnel. This controls the level of access the remote office and business partner have to the corporate intranet and secures the data exchanged between the sites.

The intranet VPN business scenario explained in "Intranet and Extranet VPN Business Scenarios" links the corporate headquarters to a remote office using connections across the Internet. Users in the remote office are able to access resources as if they were part of the private corporate intranet.

The extranet VPN business scenario explained in "Intranet and Extranet VPN Business Scenarios" builds on the VPN scenario by linking the same corporate headquarters to a business partner using connections across the Internet; however, the business partner is given limited access to the headquarters network---the business partner can access only the headquarters' public Web server.

The remote access VPN business scenario, explained in "Remote Access VPN Business Scenario" provides a remote user access to the corporate headquarters network through a secure IPSec, PPTP, or L2TP tunnel that is initiated by the remote user running VPN client software on a PC. In this scenario, the user can access the corporate network remotely.

Note Although supported by Cisco 7100 series routers, this guide does not explain how to configure your router for use with the Cisco Secure VPN Client. For detailed information on client-initiated VPNs using Cisco Secure VPN Client software, refer to the Cisco  Secure VPN Client Solutions Guide  publication. If you have an account on Cisco Connection Online (CCO), you can access the Cisco  Secure VPN Client Solutions Guide  publication from CCO by logging on and selecting Technical Documents: Cisco Product Documentation: Internet Service Unit (ISU) Documentation: Cisco Secure VPN Client: Cisco Secure VPN Client Solutions Guide.

Considerations

The following are considerations to observe when configuring a VPN on your Cisco 7100 series router:

• Syslog---Set up a syslog host, such as a CiscoWorks Essentials Workstation, and configure all the routers in the network to use the syslog host. By logging all syslog messages from the routers, you can determine when significant events, like configuration changes, occurred.

• Telnet and console access---In client-initiated or network access server (NAS)-initiated access VPN environments, implement Terminal Access Controller Access Control System Plus (TACACS+) or Remote Access Dial-In User Service (RADIUS) security for Telnet and console access to the router. Doing so logs all access to the router. The addition of access lists to only allow Telnet access from particular source IP addressees helps to secure the router.

• Access lists---Use access list numbers and names consistently to help manage and troubleshoot configurations.

• Template configurations---Use a configuration template when deploying many routers that require consistent configurations.

• Tunneling---Observe the following when configuring tunneling:

  • To avoid anomalies that occur on physical interfaces, configure each tunnel source and destination on a loopback interface. A loopback interface is a virtual interface that is always up and allows routing protocols to stay up even if the physical interface is down.

  • Process switching and fast switching of the GRE, IPSec, L2F, and L2TP tunneling protocols, and Cisco Express Forwarding (CEF) of the IPSec tunneling protocol is supported on Cisco 7100 series routers in Cisco IOS Release 12.0(4)XE or a later 12.0 XE software release, or Cisco IOS Release 12.0(6)T or a later 12.0 T software release.

  • Be careful not to violate access control lists. You can configure a tunnel with a source and destination that are not restricted by firewall routers.

  • Routing protocols that make their decisions based solely on hop count will often prefer a tunnel over a multipoint real link. A tunnel might appear to be a one-hop, point-to-point link and have the lowest-cost path, but may actually cost more.

• IPSec---Observe the following when configuring IPSec:

  • IPSec works with the following serial encapsulations: High-Level Data Link Control (HDLC), Point-to-Point Protocol (PPP), and Frame Relay. IPSec also works with the GRE and IPinIP Layer 3, L2F, and L2TP tunneling protocols; however, multipoint tunnels are not supported. Other Layer 3 tunneling protocols (data-link switching [DLSw], source-route bridging [SRB], and so forth) are currently not supported for use with IPSec.

  • IPSec and Internet Key Exchange (IKE) must be configured on the router and a crypto map must be assigned to all interfaces that require encryption services from the Integrated Service Module (ISM) of Cisco 7100 series routers.

  • When using tunnel mode, IPSec can be applied to unicast IP datagrams only. Because the IPSec Working Group has not yet addressed the issue of group key distribution, IPSec does not currently work with multicasts or broadcast IP datagrams. When using IPSec with GRE or L2TP, this restriction does not apply.

  • If you use Network Address Translation (NAT), you should configure static NAT redundant so that IPSec works properly. In general, NAT should occur before the router performs IPSec encapsulation; in other words, IPSec should be working with global addresses.

• Firewall---Observe the following when configuring Cisco IOS firewall features (when configuring your Cisco 7100 series router as a firewall):

  • When setting passwords for privileged access to the firewall, use the enable secret command rather than the enable password command, which does not have as strong an encryption algorithm.

  • Configure a password on the console port. In authentication, authorization, and accounting (AAA) environments, use the same authentication for the console as for elsewhere. In a non-AAA environment, at a minimum, configure the login and password password commands.

  • Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port might give total control of the firewall, even with access control configured.

  • Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet into your router.

  • Do not enable any local service (such as Simple Network Management Protocol [SNMP] or Network Time Protocol [NTP]) that you do not plan to use. Cisco Discovery Protocol (CDP) and NTP are on by default, and you should turn these off if you do not need them.

  To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP.
  

  If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.
  

  Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.
  

  For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring access lists to deny packets for the services at specific interfaces.
  

  • Protect against spoofing: protect the networks on both sides of the firewall from being spoofed from the other side. You could protect against spoofing by configuring input access lists at all interfaces to pass only traffic from expected source addresses and to deny all other traffic.

  You should also disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can also help prevent spoofing.
  

  You should also disable minor services. For IP, enter the no service tcp-small-servers and no service udp-small-servers global configuration commands.
  

  • Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports.

  • Normally, you should disable directed broadcasts for all applicable protocols on your firewall and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.

  Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts.
  

  • Configure the no proxy-arp command to prevent internal addresses from being revealed. (This is important to do if you do not already have NAT configured to prevent internal addresses from being revealed).

  • Whenever possible, keep the firewall in a secured (locked) room.

• VPN management---Implement one or more of the following applications on your Cisco 7100 series router for centralized, end-to-end management of both the services (for example, QoS and security features) and hardware (for example, device configuration and performance) across your VPN:

  • CiscoWorks 2000 and CiscoView enable management of device security, configuration, and performance monitoring.

  • CiscoWorks 2000 Access Control List Manager enables management of access control lists.

  • Cisco QoS Policy Manager enables management of advanced bandwidth policies.

  • Cisco Internetwork Performance Monitor 2.0 enables monitoring of service-level agreements across the service provider network.

Assumptions

This guide assumes the following:

• You have successfully installed, powered on, and initially configured your Cisco 7100 series router for network connectivity based on the procedures explained in the Cisco  7100 Series VPN Router Installation and Configuration Guide.

• You are configuring a service provider transparent VPN, whereby the tunnel endpoints are outside of the service provider network (on the headquarters and remote site routers).

• You are configuring your VPN based on IP, a routing mechanism, cryptography, and tunneling technologies such as IPSec and GRE.

• You have Certification Authority (CA) interoperability configured on your Cisco 7100 series router, and you are using a routing mechanism to exchange initial keys. CA interoperability is provided by the ISM in support of the IPSec standard. It permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.

Posted: Thu Jun 29 13:39:43 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.