The presentation was published 10 years ago by user Алла Патрикеева
1 © 1999, Cisco Systems, Inc Chapter 14 Cisco Secure VPN Client

Objectives
After completing this course you will be able to complete the following tasks:
- Install the Cisco Secure VPN Client.
- Configure the Cisco Secure VPN Client.
- Operate the Cisco Secure VPN Client in a VPN Session.
- Request & Import CA certificates.

Overview of the Client

XYZ Company's VPN Plan
[Network diagram. Labelled elements: CA Server, PIX Firewall, Perimeter Router, Campus Router, Bastion Host, Protected DMZ, Dirty DMZ, NetRanger Sensor, IS NetRanger Director, NetSonar, Dialup NAS, Web Server, SMTP Server, DNS Server, Web Surfer, Remote Branch, Sales, Windows NT PC, Internet, and NT Server: CiscoSecure, Web, FTP, TFTP, Syslog Server (TACACS+ or RADIUS protocol).]

What is the Cisco Secure VPN Client?
- Provides Virtual Private Networking (VPN) capability on a desktop or laptop computer.
- Based on the latest industry-standard IPSec recommendations.
- Enables secure client-to-gateway communications over TCP/IP networks.

System Requirements
- Pentium Processor
- Windows MB RAM
- Windows MB RAM
- Windows NT 4.0 (SP 3 or 5) - 32 MB RAM
- 9 MB of available disk space
- CD-ROM Drive
- Non-encrypting modem
- Microsoft TCP/IP stack and Microsoft Dialer (only)

Features
- Full compliance with IPSec and related standards
- Support for Tunnel Mode or Transport Mode security
- Supports DES, 3DES, MD-5, and SHA-1 algorithms
- Internet Key Exchange (IKE) using ISAKMP/Oakley Handshake and Key Agreement
- Interoperates with virtually all PC Windows communications devices
- Intuitive GUI
- Easy to install and transparent to the user
- Security policy can be exported and protected

Interoperability
- Cisco Systems IPSec enabled routers and PIX Firewalls
- Cisco Secure Access Control Server for AAA services
- Compatible with X.509 CAs including Verisign Onsite and Netscape Certificate Management System (CMS) using the Cisco Certificate Enrollment Protocol (CEP) and the Entrust CA Server - with limitations

Network Design Issues
Before you can configure the client you need to know which of the following configurations is in use:
- Digital CA Certificates vs. Pre-Shared Keys
- Import or Configure Security Policies
- Method for Updating Certificate Revocation Lists (CRL)

Installing and Configuring the Client

Installation
The VPN Client is a standard MS Windows, wizard-based installation.

Four Elements to Configure
Four major areas that must be configured:
- Global Policy Setting
- Securing Connections
- Identity
- Individual Security Policies

Configuring the Connection
You must configure the following options to secure each connection:
- Connection Security
- Remote Party Identity and Addressing
- Port and Protocol
- Secure Gateway Tunnel Option

Configuring Connection Security
This window allows you to select the connection security:
- Secure
- Non-secure
- Block

Configuring Your Identity
Configuring your identity consists of specifying three parameters:
- Certificate
- Port
- Name

Configuring Security Policies: PHASE 1

Overview
During phase 1, individuals reveal their identities and negotiate how they will secure phase 2 communications. Phase 1 can be either Main Mode or Aggressive Mode.

Configuring Authentication
Once you have started configuring a security policy for all or individual connections, you must then configure the authentication and key exchange proposals for that policy.

Configuring Key Exchange: PHASE 2
Similar to authentication, several proposals can be created for each connection. The client compares each proposal in descending order until it finds a match with the remote system.
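
A simplified model of the ordered proposal matching described on this slide, added here as an illustration (it is not Cisco's code; the function names, the strength ranking and the sample proposals are assumptions). It shows that the first proposal in the client's list that the remote system also accepts is the one used, so a weaker proposal listed above a stronger one wins whenever the gateway accepts both.

```python
"""Ordered proposal matching, modelled from the slide's description.

Added illustration only: the names, the strength ranking and the sample
proposals are assumptions, not part of the Cisco client.
"""
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str  # "DES" or "3DES" (the ciphers the deck lists)
    integrity: str   # "MD5" or "SHA1" (the hashes the deck lists)

# Assumed ranking used by the audit helper: higher number = stronger.
ENC_RANK = {"DES": 1, "3DES": 2}
HASH_RANK = {"MD5": 1, "SHA1": 2}

def strength(p: Proposal) -> tuple:
    return (ENC_RANK[p.encryption], HASH_RANK[p.integrity])

def select_proposal(client_order, remote_accepts) -> Optional[Proposal]:
    """Walk the client's list top-down; return the first the remote accepts."""
    accepted = set(remote_accepts)
    for proposal in client_order:
        if proposal in accepted:
            return proposal
    return None  # no common proposal: the negotiation fails

def misordered(client_order):
    """Return (earlier, later) pairs where a weaker proposal is listed first."""
    findings = []
    for i, earlier in enumerate(client_order):
        for later in client_order[i + 1:]:
            s_early, s_late = strength(earlier), strength(later)
            # "Weaker" = no component stronger, and at least one weaker.
            if s_early != s_late and all(a <= b for a, b in zip(s_early, s_late)):
                findings.append((earlier, later))
    return findings

# Constructed sample policies.
WEAK = Proposal("DES", "MD5")
STRONG = Proposal("3DES", "SHA1")
GATEWAY = [STRONG, WEAK]  # a gateway that accepts either proposal

if __name__ == "__main__":
    for order in ([WEAK, STRONG], [STRONG, WEAK]):
        print(order, "->", select_proposal(order, GATEWAY), misordered(order))
```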

Working with Certificates
Certificates identify you to people and hosts that you communicate with.

Certificate Authorities
PKI/Certificate Authority Partners:
- Netscape Communications
- Baltimore Technologies
- Entrust Technologies
- VeriSign

Lab Exercise

Lab Objectives
Upon completion of this lab, you will be able to perform the following task:
- Configure the Cisco Secure VPN client

MCNS Lab Environment, Generic
[Network diagram of the lab pod; X = POD #. Labelled elements: PIXX Firewall, PerimeterX Router, NASX, Protected DMZ, Dirty DMZ, Bastion Host (Web Server, FTP Server), Windows NT PC, NTX NT Server (CiscoSecure NT, IIS FTP and Web Server, Cisco Security Manager, Syslog Server, TFTP Server), Instructor NT Server (FTP, HTTP, CA), Sales Dialup, Frame Relay (Internet), Telco Simulator.]

Lesson Summary and Review Questions

Summary
- The Cisco Secure VPN client is compatible with the following CA vendors:
  - Verisign
  - Netscape
  - Baltimore
  - Entrust (with limitations for V-1.0)
- Fully IPSec-compliant
- Supports Tunnel Mode or Transport Mode security
- Security policy can be exported and protected

Review Questions
1. What are the encryption algorithms supported by the client?
   DES, 3DES, MD-5, and SHA-1
2. What are the major areas to configure when installing the client?
   - Global Policy Setting
   - Securing Connections
   - Identity
   - Individual Security Policies
3. What parameters must be configured for the connection?
   - Connection Security
   - Remote Party Identity and Addressing
   - Port and Protocol
   - Secure Gateway and Tunnel Option
4. What parameters are needed to configure your identity?
   - Certificate
   - Port
   - Name
5. Can Phase 1 negotiations be either Aggressive or Main modes?
   Yes
6. What are some of the reasons to use certificates?
   - Verify identity
   - Provide non-repudiation for transactions
   - Security