Nov 14,2009 by alperen
 The Configuration | User Management | Base Group screen with
the IPSec tab selected is used to configure IP Security Protocol parameters that
apply to the base group. This section would apply if IPSec or L2TP over IPSec
were selected ... [full story]
|
Nov 14,2009 by alperen
 Setting Group and User Defaults
While modifying the Base Group default settings isn’t
absolutely necessary, Cisco’s default setting might not match the network or
company security policy. The Configuration | User Management | Base Group screen
shows a series of tabs—currently ... [full story]
|
Nov 14,2009 by alperen
 Configuring Groups and Users
VPN features and configurations are assigned and “pushed”
down to clients on the basis of group and user assignment and configuration. As
with basic network-resource sharing, this is always most scalable and easier to
administer if features ... [full story]
|
Nov 14,2009 by alperen
 Use the Configuration | System | Address Management | Pools
menu to add or modify the inside address pool to be used by remote users, making
them part of the inside network. Initially, the IP Pool Entry box is empty. ... [full story]
|
Nov 14,2009 by alperen
 Command-Line Interface (CLI) Basics
The VPN 3000 Concentrator CLI is a built-in, menu-driven
configuration, administration, and monitoring system, which can be accessed via
the device console port or a Telnet (or Telnet over SSL) session. Both Telnet
options are enabled by ... [full story]
|
Oct 02,2009 by alperen
 Introduction to Cisco Easy VPN
Cisco Easy VPN is a component of the Cisco Unified Client
Framework, in which VPN management is centralized across all Cisco VPN devices.
This strategy simplifies VPN deployment for remote offices and telecommuters,
reduces deployment complexity, ... [full story]
|
Sep 27,2009 by alperen
 Task 2 Configure IKE
The second major task in configuring the IPSec VPN is to
configure the IKE parameters gathered in Task 1, Step 2. Configuring IKE
involves the following four steps:
Step 2-1 Enable or disable IKE
Step 2-2 Create IKE policies
Step ... [full story]
|
Sep 25,2009 by alperen
 Step 4—IPSec Data Transfer
Information is exchanged via the IPSec session based on the method for defining interesting traffic. Packets are encrypted and decrypted at the IPSec peers using any encryption specified in ... [full story]
|
Sep 25,2009 by alperen
 Step 3—IKE Phase Two
IKE Phase Two has only one mode, Quick mode, which occurs after IKE has established the secure tunnel in Phase One. In Quick mode, IKE
... [full story]
|
Sep 25,2009 by alperen
 CAs and Digital Certificates
CAs and Digital Certificates are covered in greater detail
in Chapter 11,
but for our purposes here, they represent a digital identification system
whereby an independent third party vouches for them. Conceptually, this is
similar to ... [full story]
|
Sep 25,2009 by alperen
 RSA Encryption Authentication
The RSA-encrypted nonces authentication method uses the RSA
encryption public key cryptography algorithm. This technology requires that each
party generate a pseudorandom number (a nonce) and encrypt it (and possibly
other publicly and privately available information), using ... [full story]
|
Sep 25,2009 by alperen
 RSA Signature Authentication
RSA Signature Authentication is a public-key cryptosystem
supported by IPSec for IKE Phase One authentication. This technology was
developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA is the
first letter of each developer’s last ... [full story]
|
Sep 25,2009 by alperen
 Preshared Key Authentication
With this method, the same preshared key is configured on
each IPSec peer. These IKE peers can authenticate each other by generating a
hash of their ID, plus the key appended to the ID before transmission. If the ... [full story]
|
Sep 25,2009 by alperen
 Peer Authentication
Would-be IPSec peers must authenticate themselves to each
other before IKE can proceed. IKE Phase One has three methods to authenticate
IPSec peers in Cisco products. The two peers must negotiate a common
authentication protocol from the following choices:
Preshared ... [full story]
|
Sep 25,2009 by alperen
 Aggressive Mode
As the name implies, in the Aggressive
mode, only a single three-way exchange is performed. In the initial exchange,
the sender defines the proposed IKE SA values and adds their DH public key, a
nonce to be signed by ... [full story]
|
Sep 25,2009 by alperen
 Main Mode
Main mode has three two-way exchanges
between the peers to create the secure connection and develop the common SAs,
while protecting the identities of the IPSec peers.
First exchange The security algorithms and hash methods to
be used to secure ... [full story]
|
Sep 25,2009 by alperen
 Step 2—IKE Phase One
IKE is a key management protocol
standard used in conjunction with IPSec. While IPSec can be configured without
IKE, the use of IKE enhances the IPSec with additional features and makes it
scalable. IKE authenticates each peer ... [full story]
|
Sep 27,2009 by alperen
 IPSec Support in Cisco Systems Products
The choice of Cisco VPN technology depends on the type of VPN being developed, remote-access or site-to-site, plus the current and projected size of the resulting network. ... [full story]
|
Sep 29,2009 by alperen
 This page looked at the steps involved in configuring IPSec
with preshared keys. The steps and related commands are summarized in the
following task list.
Task 1 Prepare for IKE and IPSec
Step 1-1 Identify IPSec peers
Step 1-2 Determine the IKE (IKE Phase ... [full story]
|
Sep 27,2009 by alperen
 This chapter looked at how VPNs can be used to extend the
corporate networks securely using public networks, such as the Internet. The two
basic VPN types are remote access and site-to-site. The three types of VPN
connectivity are access ... [full story]
|
Sep 27,2009 by alperen
 Step 1-6 Ensure Access Control Lists Are Compatible with IPSec
Make certain any existing access lists on VPN device and
perimeter router don’t block IPSec traffic. Perimeter routers frequently
implement restrictive security policies using ACLs. These policies often deny
all inbound ... [full story]
|
Sep 27,2009 by alperen
 Step 1-5 Ensure the Network Works Without Encryption
All peer-to-peer connectivity must be verified before
configuring IPSec encryption. Basic troubleshooting techniques become more
difficult, if not impossible, once encryption is in place.
While the router ping command can be used to
verify ... [full story]
|
Sep 27,2009 by alperen
 Step 1-4 Check the Current Configuration
It’s important to check the current Cisco router
configuration to see if any existing IPSec policies are configured that could be
useful for, or interfere with, the new IPSec policies. If appropriate,
previously configured IKE ... [full story]
|
Sep 27,2009 by alperen
 Step 1-3 Determine the IPSec (IKE Phase 2) Policies
Once the choices are made for IKE Phase 1, it’s time to turn
to those parameters required to complete IKE Phase 1. This is where the IPSec
tunnel is negotiated and, ultimately, ... [full story]
|
Sep 27,2009 by alperen
 Develop the Parameter Preferences
To complete the IKE planning process, what would make sense
is to create a table of the preferred combination of security features, plus one
or more fallback options for those devices or locations that can’t support the ... [full story]
|
Sep 27,2009 by alperen
 Step 1-2 Determine the IKE (IKE Phase 1) Policies
IKE is a hybrid protocol that
implements the Oakley key exchange and the Skeme key exchange inside the
Internet Security Association and Key Management Protocol (ISAKMP) framework.
(ISAKMP, Oakley, and Skeme are ... [full story]
|
Sep 27,2009 by alperen
 Step 1-1 Identify IPSec Peers
An important part of defining a comprehensive IPSec policy
is to identify the IPSec peer pairs that must be configured. In the chapter
scenario, expanded in Figure 10-2, each remote site will connect only to
the ... [full story]
|
Sep 27,2009 by alperen
 Task 1 Prepare for IKE and IPSec
Successful implementation of an IPSec network requires
testing of the existing network and advance planning before any configuration
begins. Insufficient testing and planning can lead to troubleshooting problems
or configuration errors. Some preparation and ... [full story]
|
Sep 27,2009 by alperen
 Configure IPSec Encryption Tasks
The good news is only four tasks are required to configure
IPSec for preshared keys. The bad news is each task has multiple tasks that can
initially seem overwhelming. The four tasks Cisco uses, which you can ... [full story]
|
Sep 27,2009 by alperen
 Cisco IOS IPSec for Preshared Keys
In this chapter, you
will learn to:
Configure IPSec encryption tasks
Configure IPSec manually
Using Internet Key Exchange (IKE) with preshared keys for
authentication of IP Security (IPSec) sessions is relatively easy to configure,
but it doesn’t scale ... [full story]
|
Sep 25,2009 by alperen
 Step 1—Determine Interesting Traffic
Data communications covers a wide gamut of topics,
sensitivity, and security requirements. Just as all rumors you hear aren’t worth
repeating, often much network traffic isn’t worth securing, such as an
employee’s personal web browsing. Any security ... [full story]
|
Sep 25,2009 by alperen
 Five Steps of IPSec Revisited
This section discusses the individual steps required for a
successful IPSec data exchange in greater detail. While IPSec incorporates many
component technologies and offers multiple encryption options, the basic
operation can be broken down into the ... [full story]
|