Components of IPSec

Protocol or Function: Description

IKE: Internet Key Exchange is a general term used to define how keys are
exchanged and tunnels are authenticated. It is defined in RFC 2409, which is
recommended reading for anyone deploying IPSec VPNs.

3DES: Triple Data Encryption Standard performs three DES hash processes with
three keys in sequence to encrypt data. DES (Data Encryption Standard)
performs a single hash process.

AES: Advanced Encryption Standard will likely replace DES and 3DES because
the processing power required for AES is significantly lower than that for
3DES.

AH: The Authentication Header option ensures authenticity and data integrity,
but it does not encrypt the payload—thus the name reference to
“authenticating the header.” It is defined in RFC 2402.

Tunnel mode: Tunnel mode protects the entire IP packet—including the original
header—and appends a new 20-byte IP header. Tunnel mode must be used for VPN
applications involving hosts behind the IPSec peers, which is the most common
configuration.

Transport mode: Transport mode protects only the IP payload via encryption,
and the original header information is left unencrypted.

ESP: Encapsulating Security Payload protects the data within the datagram,
but does nothing to the header. It is defined in RFC 2406 and is best
remembered via the term "payload" in its title.

Because IPSec is the leading VPN technology, we will spend a moment discussing the
configuration of this technology; however, please note that the current exam does not
include configuration in scope.
The primary functions of IPSec address four key areas of concern for most data transmissions:

The confidential transmission of the data. This is provided by the encryption of the payload
as it crosses the network and is important to prevent confidential data compromises.

The integrity of the data. Receivers in IPSec can validate that the payload has not been
altered in transmission.

The authentication of the transmission source. IPSec receivers can authenticate the source
of the packets to validate that they are from a trusted source.

Protection from replay. The IPSec functions can support detection and rejection of packets
that are replayed. This function is useful in preventing the retransmission of a packet containing
a password for later authentication.
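The replay protection described above, as an added example that is not part of the original text: a Python sliding-window check of the kind an AH/ESP receiver applies to packet sequence numbers (the scheme described in RFC 2401). The window size, the class and the sample packet stream are assumptions made for the illustration.

```python
"""Sliding-window anti-replay check of the kind an IPSec AH/ESP receiver runs.

Each AH/ESP packet carries a 32-bit sequence number the sender increments
per packet; the receiver tracks the highest number accepted plus a bitmap of
which recent numbers arrived, and drops duplicates and anything too old.
"""

WINDOW_SIZE = 64  # RFC 2401 requires a window of at least 32; 64 is typical


class AntiReplayWindow:
    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.last_seq = 0  # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => packet (last_seq - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True to accept the packet, False to drop it.

        Run only after the packet's AH/ESP integrity check has passed, so a
        forged sequence number cannot advance the window.
        """
        if seq == 0:
            return False  # sequence numbers start at 1; 0 is never valid
        if seq > self.last_seq:  # new high-water mark: slide the window
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.size:
            return False  # older than the window: drop
        if self.bitmap & (1 << offset):
            return False  # already received: replay
        self.bitmap |= 1 << offset  # late but never seen: reordered, accept
        return True


def replay_decisions(sequence_numbers):
    """Feed one stream of sequence numbers through a window; return the verdicts."""
    window = AntiReplayWindow()
    return [window.check_and_update(seq) for seq in sequence_numbers]


# Constructed stream: packet 3 (say, the one carrying a password) is captured
# and replayed twice, once inside the window and once long after it; packet 6
# arrives late but was never seen before, so it is still accepted.
EXAMPLE_STREAM = [1, 2, 3, 4, 5, 7, 8, 6, 3] + list(range(9, 110)) + [3]
```

Both replays of packet 3 are dropped: the first because its bit is already set in the window, the second because it has fallen behind the window entirely.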

IPSec

IPSec is a generic description of a set of protocols that establish the parameters and encryption
for a tunnel between two end points, but IPSec itself provides none of these functions. The standard
is defined in RFCs 2401 through 2411 and in RFC 2451; this is recommended reading for
anyone supporting or installing a large-scale IPSec VPN. The elements that comprise many
IPSec functions are outlined in Table 28.2.


NOTE: Many configurations of IPSec have difficulties with Network Address Translation
(NAT), described in Chapter 32, “Centralized Security in Remote Access
Networks.” A new feature—IPSec NAT Transparency—has been introduced
with IOS version 12.2(13)T and should be evaluated for installations that
require NAT and IPSec support.

Virtual Private Networks

You might be questioning the inclusion of a section on virtual private network (VPN) technologies
in a chapter presenting cable modems. It is true that VPN is technology agnostic and will
operate over DSL, Frame Relay, or any other transport. However, cable modems and VPNs are
both covered briefly on the Remote Access exam, and neither seems to warrant a chapter on its
own. In addition, many cable modem installations for business customers leverage VPN tunnels
to provide connectivity.
A virtual private network is a logical tunnel across a physical topology. This physical layer
could be the Internet, or it could be a corporate network or other private network. The tunnel
need not be encrypted to be private, but this is a method of providing privacy. In reality, however,
so long as the data is not visible to non-recipients, the tunnel has a certain degree of protection.
As such, VPNs are commonly thought of as IPSec, L2TP (Layer 2 Tunneling Protocol),
SSL-VPN, and MPLS constructions, but Frame Relay and ATM PVCs, in addition to 802.1Q
and GRE (generic routing encapsulation) can also be considered VPNs. This is discussed in
greater detail later in this chapter.
By far the most common VPN technology deployed today is IPSec, or IP Security Protocol.
Quickly gaining momentum is an alternative technology that has been used for years for web-based
security, Secure Sockets Layer (SSL).

Cisco Cable Manager

To help customers configure and monitor large cable modem infrastructures, Cisco has developed
Cisco Cable Manager (CCM). This Solaris-based product is beyond the scope of the exam,
but it provides a centralized interface for managing up to 100,000 devices, and it provides auto-topology
and polling features.