2. Copyright 2003, Cisco Systems, Inc. All rights reserved.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and
fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica Croatia • Czech
Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary
India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands
New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia
Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey Ukraine •
United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright 2003, Cisco Systems, Inc. All rights reserved. CCIP, the Cisco Powered Network mark, the
Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ
Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness Scorecard, Networking Academy,
ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We
Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient,
and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP,
CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco
Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the
Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast,
StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc.
and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use
of the word partner does not imply a partnership relationship between Cisco and any other company. (0203R)
Printed in the USA
3. Table of Contents
COURSE INTRODUCTION 1-1-1
Overview 1-1-1
Course Objectives 1-1-2
Course Agenda 1-1-4
ENCRYPTION 1-1-1
Overview 1-1-1
Overview 1-1-3
Symmetric and Asymmetric Encryption Algorithms 1-1-7
DES 1-1-17
3DES 1-1-28
AES 1-1-33
Rivest Ciphers (RC2/4/5/6) 1-1-37
RSA 1-1-40
Summary 1-1-48
Quiz: Encryption 1-1-49
HASHING ALGORITHMS 1-2-1
Overview 1-2-1
Overview of Hash Algorithms and HMACs 1-2-3
MD5 1-2-13
SHA-1 1-2-15
Summary 1-2-20
Quiz: Hashing Algorithms 1-2-21
DIGITAL SIGNATURES 1-3-1
Overview 1-3-1
Overview 1-3-3
Overview of Signature Algorithms 1-3-5
RSA 1-3-10
DSS 1-3-14
Summary 1-3-19
Quiz: Digital Signatures 1-3-20
KEY GENERATION AND STORAGE 2-1-1
Overview 2-1-1
Key Management 2-1-3
Copyright 2003, Cisco Systems, Inc. Table of Contents v
4. Manual Key Generation 2-1-11
Key Generation Using Random Numbers 2-1-13
Natural Sources of Randomness 2-1-16
Key Storage in Memory 2-1-18
Key Storage in Non-Volatile Memory 2-1-22
Key Storage on Smart Cards 2-1-24
Summary 2-1-27
Quiz: Key Generation and Storage 2-1-28
KEY EXCHANGE AND REVOCATION 2-2-1
Overview 2-2-1
Overview 2-2-3
Manual Key Exchange 2-2-4
The Diffie-Hellman Algorithm 2-2-6
Secret Key Exchange Using Public Key Cryptography 2-2-11
Key Refresh 2-2-14
Key Revocation Definition 2-2-19
Manual Key Revocation 2-2-21
Automated Key Revocation 2-2-23
Summary 2-2-25
Quiz: Key Exchange and Revocation 2-2-26
PKI DEFINITION AND ALGORITHMS 3-1-1
Overview 3-1-1
Public Key Distribution Problem 3-1-3
Trusted Third-Party Protocol 3-1-12
PKI Terminology and Components 3-1-21
PKI Enrollment Procedure 3-1-34
PKI Revocation Procedure 3-1-40
Summary 3-1-44
Quiz: Definition and Algorithms 3-1-45
PKI STANDARDS 3-2-1
Overview 3-2-1
Overview 3-2-3
X.509 3-2-5
PKIX 3-2-10
PKCS 3-2-12
Summary 3-2-18
Quiz: PKI Standards 3-2-19
DIAL CONNECTIVITY ANALYSIS 1-1-1
Overview 1-1-3
Researching Customer’s Requirements 1-1-5
vi Designing VPN Security 1.0 Copyright 2003, Cisco Systems, Inc.
5. Identifying Customer’s Current Situation 1-1-9
Example Scenarios 1-1-13
Summary 1-1-16
Quiz: Dial Connectivity Analysis 1-1-17
DESIGN GUIDELINES FOR SECURE DIAL SOLUTIONS 1-2-1
Overview 1-2-1
Dial Network Security Analysis 1-2-3
Authentication, Authorization, and Accounting Security Guidelines 1-2-8
Product Guidelines 1-2-17
Example Scenario 1-2-21
Summary 1-2-27
Quiz: Design Guidelines for Secure Dial Solutions 1-2-28
GENERIC ROUTING ENCAPSULATION 2-1-1
Overview 2-1-1
Definition and Protocols 2-1-3
Applications 2-1-11
Security Functionality 2-1-23
Example Scenario 2-1-28
Summary 2-1-33
Quiz: Generic Routing Encapsulation 2-1-34
POINT-TO-POINT TUNNELING PROTOCOL AND LAYER 2 TUNNELING
PROTOCOL 2-2-1
Overview 2-2-1
PPTP 2-2-4
L2TP 2-2-16
Applications of PPTP and L2TP 2-2-27
Security Functionality 2-2-30
Example Scenario 2-2-33
Summary 2-2-35
Quiz: Point-to-Point Tunneling Protocol and Layer 2 Tunneling Protocol 2-2-36
MPLS VPNS 2-3-1
Overview 2-3-1
Definition and Protocols 2-3-3
Applications 2-3-8
Quality of Service 2-3-15
Security Functionality 2-3-17
MPLS VPN Deployment Example Scenarios 2-3-25
Summary 2-3-30
Quiz: MPLS VPNs 2-3-31
Copyright 2003, Cisco Systems, Inc. Table of Contents vii
6. IPSEC 2-4-1
Overview 2-4-1
Definition and Protocols 2-4-3
Applications 2-4-9
Quality of Service 2-4-18
Security Functionality 2-4-20
Summary 2-4-24
Quiz: IPSec 2-4-25
IPSEC/IKE CONCEPTS AND CONFIGURATION REFRESHER 3-1-1
Overview 3-1-1
Security Associations (SA) and Encapsulation Protocols 3-1-3
IPSec Modes 3-1-11
Crypto Maps and Interfaces 3-1-17
Manual SA Configuration 3-1-21
IKE Function and Session Protection 3-1-25
IKE Policy Configuration and IPSec Hooks 3-1-34
Incoming Dynamic Crypto Maps 3-1-42
Summary 3-1-47
Quiz: IPSec/IKE Concepts and Configuration Refresher 3-1-48
IKE MODES 4-1-1
Overview 4-1-1
Overview 4-1-3
IKE Modes Overview 4-1-4
Main Mode 4-1-5
Aggressive Mode 4-1-11
Quick Mode 4-1-16
Example Scenarios 4-1-22
Summary 4-1-25
Quiz: IKE Modes 4-1-26
IKE EXTENSIONS 4-2-1
Overview 4-2-1
Overview 4-2-3
Extended Authentication (XAUTH) 4-2-4
Cisco IOS Configuration of XAUTH 4-2-8
Mode Configuration 4-2-11
Cisco IOS Configuration of Mode Config 4-2-23
Tunnel Endpoint Discovery (TED) 4-2-28
Cisco IOS Configuration of TED 4-2-33
Dead Peer Detection (DPD) 4-2-36
Cisco IOS Configuration of DPD 4-2-40
Summary 4-2-43
viii Designing VPN Security 1.0 Copyright 2003, Cisco Systems, Inc.
7. Quiz: IKE Extensions 4-2-44
IKE-PKI INTEROPERABILITY 4-3-1
Overview 4-3-1
Overview 4-3-3
PKI Refresher 4-3-4
IKE PKI-Facilitated Authentication 4-3-14
Cisco IOS PKI Trustpoint Definition 4-3-18
Cisco IOS Enrollment Procedures 4-3-26
Cisco IOS PKI Revocation Procedures 4-3-32
Cisco IOS Advanced PKI-Enabled Features Configuration 4-3-37
Cisco IOS PKI Monitoring and Troubleshooting 4-3-45
Cisco PIX and VPN 3000 PKI Features 4-3-48
Summary 4-3-49
Quiz: IKE-PKI Interoperability 4-3-50
SCALABILITY AND MANAGEABILITY CONSIDERATIONS 5-2-1
Overview 5-2-1
Peer Authentication Scalability 5-2-4
Configuration Manageability in Fully Meshed Networks 5-2-15
Dynamic Multipoint VPN 5-2-27
Designing and Implementing DMVPNs 5-2-41
Routing in DMVPNs 5-2-47
Product Guidelines 5-2-53
Summary 5-2-57
Quiz: Scalability and Manageability Considerations 5-2-58
HIGH AVAILABILITY CONSIDERATIONS 5-3-1
Overview 5-3-1
VPN High Availability Scenarios 5-3-3
Mitigating VPN Link Failure 5-3-10
Mitigating VPN Device Failure 5-3-19
Mitigating VPN Path Failure 5-3-31
Product Guidelines 5-3-36
WAN Augmentation Example Scenario 5-3-40
Mixed VPN Example Scenario 5-3-54
High Available Full Mesh Example Scenario 5-3-65
Summary 5-3-69
Quiz: High Availability Considerations 5-3-70
SECURITY CONSIDERATIONS 5-4-1
Overview 5-4-1
Choice of Protection and Tunneling Protocol 5-4-3
Copyright 2003, Cisco Systems, Inc. Table of Contents ix
8. Integration of VPNs with Perimeter Devices 5-4-14
Summary 5-4-24
Quiz: Security Considerations 5-4-25
APPLICATION CONSIDERATIONS 5-5-1
Overview 5-5-1
Multimedia Applications 5-5-3
Multiprotocol VPNs 5-5-13
Product Guidelines 5-5-16
Summary 5-5-25
Quiz: Application Considerations 5-5-26
QUALITY OF SERVICE CONSIDERATIONS 5-6-1
Overview 5-6-1
Classification and Marking 5-6-4
Bandwidth and Delay Management 5-6-10
IP Payload Compression 5-6-18
Product Guidelines 5-6-20
VPN QoS Deployment Example Scenario 5-6-22
Summary 5-6-27
Quiz: Quality of Service Considerations 5-6-28
PERFORMANCE CONSIDERATIONS 5-7-1
Overview 5-7-1
Cryptographic Performance 5-7-3
Load Balancing 5-7-9
IP Fragmentation 5-7-14
Product Guidelines 5-7-24
Summary 5-7-30
Quiz: Performance Considerations 5-7-31
REMOTE ACCESS VPN ANALYSIS 6-1-1
Overview 6-1-1
Researching Customer Requirements 6-1-3
Identifying Current Customer Situation 6-1-7
Remote Access VPN Example Scenario 6-1-9
Summary 6-1-11
Quiz: Remote Access VPN Analysis 6-1-12
HIGH AVAILABILITY CONSIDERATIONS 6-2-1
Overview 6-2-1
VPN High Availability Scenarios 6-2-3
Mitigating VPN Interface Failure 6-2-7
Mitigating VPN Peer Failure 6-2-9
x Designing VPN Security 1.0 Copyright 2003, Cisco Systems, Inc.
9. Mitigating VPN Connectivity Failure 6-2-13
High Availability Deployment Example Scenario 6-2-18
Summary 6-2-25
Quiz: High Availability Considerations 6-2-26
SECURITY CONSIDERATIONS 6-3-1
Overview 6-3-1
Choice of Protection and Tunneling Protocol 6-3-3
Integration of VPNs with Perimeter Devices 6-3-8
Summary 6-3-22
Quiz: Security Considerations 6-3-23
SCALABILITY AND MANAGEABILITY CONSIDERATIONS 6-4-1
Overview 6-4-1
Peer Authentication Scalability 6-4-3
Configuration Manageability in Hub-and-spoke Networks 6-4-12
Product Guidelines 6-4-30
Summary 6-4-32
Quiz: Scalability and Manageability Considerations 6-4-33
APPLICATION CONSIDERATIONS AND QUALITY OF SERVICE 6-5-1
Overview 6-5-1
Multimedia Applications 6-5-3
Multiprotocol VPNs 6-5-6
Summary 6-5-8
Quiz: Application Considerations and Quality of Service 6-5-9
PERFORMANCE CONSIDERATIONS 6-6-1
Overview 6-6-1
Load Balancing and Backup 6-6-3
Implementing Load Balancing 6-6-12
Product Guidelines 6-6-19
Summary 6-6-23
Quiz: Performance Considerations 6-6-24
SECURE CONNECTIVITY VPN MANAGEMENT 7-1-1
Overview 7-1-1
VPN Device Manager 7-1-3
Management Center for PIX Firewalls 7-1-5
PIX Device Manager 7-1-7
Management Center for VPN Routers 7-1-9
VPN Monitor 7-1-11
VPN Solution Center 7-1-13
Other Management Products 7-1-15
Copyright 2003, Cisco Systems, Inc. Table of Contents xi
10. Summary 7-1-19
Quiz: Secure Connectivity VPN Management 7-1-20
WIRELESS NETWORK SECURITY ANALYSIS 8-1-1
Overview 8-1-1
Researching Customer Requirements 8-1-3
Identifying Customer Current Situation 8-1-6
Inter-client Communication Example Scenario 8-1-12
Summary 8-1-15
Quiz: Wireless Network Analysis 8-1-16
DESIGN GUIDELINES FOR SECURE WIRELESS SOLUTIONS 8-2-1
Overview 8-2-1
Wired Equivalent Privacy Security Analysis 8-2-3
Client and Access Point Authentication 8-2-12
Security Design Guidelines for Native Wireless Networks 8-2-24
Product Guidelines 8-2-29
Enhancing Security with VPN Integration 8-2-31
Example Scenarios 8-2-36
Summary 8-2-43
Quiz: Design Guidelines for Secure Wireless Solutions 8-2-44
VPN QOS EXAMPLE SCENARIO 5-6-1
Objective 5-6-1
Current Situation 5-6-2
VPN QOS EXAMPLE SCENARIO SOLUTION GUIDELINES 5-6-1
Objective 5-6-1
Solution Guidelines 5-6-2
SITE-TO-SITE VPN DESIGN EXAMPLE SCENARIO #1 5-7-1
Objective 5-7-1
Current Situation 5-7-2
SITE-TO-SITE VPN DESIGN EXAMPLE SCENARIO #1
SOLUTION GUIDELINES 5-7-1
Objective 5-7-1
Solution Guidelines 5-7-2
SITE-TO-SITE VPN DESIGN EXAMPLE SCENARIO #2 5-7-1
Objective 5-7-1
Current Situation 5-7-2
xii Designing VPN Security 1.0 Copyright 2003, Cisco Systems, Inc.
11. SITE-TO-SITE VPN DESIGN EXAMPLE SCENARIO #2
SOLUTION GUIDELINES 5-7-1
Objective 5-7-1
Solution Guidelines 5-7-2
REMOTE ACCESS VPN DESIGN EXAMPLE SCENARIO
SOLUTION GUIDELINES 6-7-1
Objective 6-7-1
Solution Guidelines 6-7-2
Copyright 2003, Cisco Systems, Inc. Table of Contents xiii
12. xiv Designing VPN Security 1.0 Copyright 2003, Cisco Systems, Inc.
13. Course Introduction
Overview
This chapter includes the following topics:
Course objectives
Course agenda
Participant responsibilities
General administration
Graphic symbols
Participant introductions
Cisco security career certifications
21. Encryption
Overview
Importance
Encryption is the foundation for many security implementations, and is used to provide
confidentiality of data, when data might be exposed to untrusted parties. Understanding the
basic mechanisms, and some of the tradeoffs involved in choosing a particular encryption
method, is important.
Lesson Objective
Upon completion of this lesson the learner will be able to describe the various encryption
algorithms, their features and limitations, and provide guidelines to an organizations on
selecting the appropriate encryption algorithm.