The following summarizes the features and benefits provided
by the Cisco VPN 3000 Concentrator devices. Chapter 14 addresses those that
require configuration.
Modular Design (Models 3015 to 3080)
The Cisco SEP modules provide hardware-based encryption,
ensuring consistent performance throughout the rated capacity for models 3030
through 3080. With multiple SEP modules, the device becomes a
distributed-processing architecture, providing enhanced performance and
increased reliability through redundancy. This modular design provides
investment protection, redundancy, and a simple upgrade path, and it minimizes
the impact on rack space and power supply allocation.
Digital Design
The all-digital design of the VPN 3000 device provides a
high degree of reliability with solid, long-term performance and supports
24-hour continuous operation. Incorporated into each unit is a robust
instrumentation package for real-time monitoring and alerts.
Windows Compatibility
The VPN 3000 series' close support for Microsoft hosts,
including Windows 2000/XP clients, enables large-scale client deployment and
seamless integration with related network systems. The VPN 3000 supports the
following Microsoft protocols:
- Microsoft PPTP/MPPE/MPPC, MSCHAPv1/v2, and EAP/RADIUS pass-through for EAP/TLS and EAP/GTC support
- Microsoft L2TP/IPsec for Windows 2000/XP (including the XP DHCP option for route population)
- Microsoft L2TP/IPsec for Windows 98, Windows Millennium (Me), and Windows NT Workstation 4.0
VPN 3000 Release 3.6 added three improvements to support
Microsoft's Integrated VPN Client, including
- Microsoft L2TP/IPSec Extensible Authentication Protocol (EAP) pass-through support (TLS and GTC/SDI) for working from behind a PAT/NAT device with the VPN Client
- DHCP-based XP route list population (split tunneling)
- IPSec/User Datagram Protocol (UDP) NAT-T compatibility (expected release by Microsoft in 2003)
- Support for Windows Installer (MSI) installation (Windows NT/2000/XP only), providing the system administrator with the capability to customize installation packages and track system changes made during client installation
Security
The VPN 3000 Series supports current and emerging
security standards, including RADIUS, NT Domain Authentication, RSA SecurID,
one-time passwords (OTP), and digital certificates, offering large-scale client
deployment and seamless integration with external authentication systems, as
well as interoperability with third-party products.
VPN 3000 release 3.6 offers two notable enhancements to
concentrator encryption and security, including
- The addition of the Advanced Encryption Standard (AES) to the concentrator offers a stronger encryption option and provides performance benefits for both the Cisco VPN 3002 Hardware Client and the Cisco VPN Client.
- RSA SecurID (SDI) Version 5.0 support. Users can now take advantage of the load balancing and resiliency features found in RSA SecurID Version 5.0.
Advanced packet-filtering capabilities provide additional network
security. Filtering options include source and destination IP address (Layer 3),
port and protocol type (Layer 4), fragment protection, time and day access
control, and FTP session filtering.
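As an added illustration (not Cisco's implementation, and with a constructed sample policy), the following model shows how the filter dimensions listed above compose: Layer 3 addresses, Layer 4 protocol and port, time-of-day control, and fragment protection, with first-match semantics and an implicit deny. The Packet, Rule and RULES names are assumptions for the example.

```python
# Illustrative model of the VPN 3000 filter dimensions described above; not Cisco code.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp", taken from the IP header
    dport: Optional[int]       # None when no L4 header is present
    fragment: bool = False     # True for a non-initial IP fragment

@dataclass
class Rule:
    action: str                # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    hours: Optional[range] = None   # hours of the day during which the rule applies

def rule_matches(rule: Rule, pkt: Packet, now: datetime) -> bool:
    """All populated rule fields must match; unset fields act as wildcards."""
    return (ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.hours is None or now.hour in rule.hours))

def evaluate(rules, pkt: Packet, now: datetime, fragment_protection: bool = True) -> str:
    # A non-initial fragment carries no TCP/UDP header, so a port-based rule cannot
    # be checked against it; fragment protection drops it outright rather than
    # letting a broader protocol-only rule admit it.
    if fragment_protection and pkt.fragment:
        return "deny"
    for rule in rules:
        if rule_matches(rule, pkt, now):
            return rule.action
    return "deny"   # implicit deny at the end of the filter

# Constructed sample policy: HTTPS to one server during business hours only,
# and any TCP from the remote-user pool to a second subnet at any time.
RULES = [
    Rule("permit", "10.1.0.0/16", "192.168.50.10/32", "tcp", 443, range(8, 18)),
    Rule("permit", "10.1.0.0/16", "192.168.60.0/24", "tcp"),
]
```

Turning fragment protection off shows the gap it closes: a non-initial fragment toward the second subnet is admitted by the protocol-only rule because its port can never be inspected.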
User- and group-level policy management can be implemented for
maximum flexibility and granularity in controlling network and feature access.
High Availability
The VPN 3000 Series’ redundant subsystems and multichassis
failover capabilities help to ensure maximum system uptime and remote user
connectivity. Redundant SEP and power supply options within individual devices
promote reliability in a single or multidevice configuration. Multiple
concentrators can be configured for both load-balancing and failover redundancy,
providing protection and capacity to high-volume critical systems.
Extensive instrumentation and monitoring capabilities, as well as
support for Cisco network management software applications, provide network
managers with real-time system status and early-warning alerts.
A new feature in Release 3.6 is improved bandwidth limiting
and traffic-shaping capabilities on the Cisco VPN 3000 Concentrators. This
allows network administrators to assign minimum and maximum bandwidth parameters
on a per-user basis. The administrator can establish limits on users with
high-bandwidth use.
Robust Management
The Cisco VPN 3000 Concentrator can be managed using
web-based applications from any standard web browser using HTTP or HTTPS. The
VPN 3000s also support CLI commands via Telnet, Secure HTTP, SSH, or the
console port.
The VPN concentrator devices support configuration and monitoring
capabilities for both the enterprise user and the service provider.
VPN concentrator device access levels can be configured per
user and/or per group, allowing configuration and maintenance control consistent
with the organization's security policies.
Monitoring and Logging
The Cisco VPN 3000 Concentrators support the following
technologies for providing monitoring and logging services:
- Syslog output
- Configurable SNMP traps
- Event logging and notification via e-mail (SMTP) and, therefore, pager
- Automatic FTP backup of event logs
- SNMP MIB-II support
- General statistics
- System status
- Session data (including client-assigned IP, encryption type, connection duration, client OS, version, and so forth)