Remote Access with Cable Modems and Virtual Private Networks Exam Essentials

Understand how cable modems can be used as part of a remote access solution. Be able to
compare cable modem technologies to other remote access methods, including DSL. Also
understand the internal characteristics of cable modems, including DOCSIS.

Understand VPN technologies such as IPSec. Know the differences in various VPN technologies,
including the modes of IPSec and its encryption benefits.

Know how to configure cable modems and IPSec. Understand the protocols and relationships
between IPSec components, including AH, ESP, and tunnel and transport mode. Knowing how to
configure IPSec can help this, but is not required for the exam.

Remote Access with Cable Modems and Virtual Private Networks Summary

This chapter examined cable modem technology and presented VPN services, including IPSec.
Cable modems offer the administrator an alternative low-cost technology for remote access,
and they can provide longer-range connections than DSL. Although cable modems use a
shared medium, the overall performance is comparable to switched DSL in real-world
deployments. The key to cable modem services is DOCSIS and the security and other services
that this standard provides.

Most remote access users will map IPSec tunnels over the cable modem network to allow
for corporate access. Although not the only VPN technology, IPSec is currently the most
popular and provides for encrypted tunneling of IP data between locations. We also briefly
noted a number of other tunneling technologies that provide solutions for remote access.

VPN Technologies

Other VPN Technologies

As noted in the introduction to this chapter, VPNs can be composed of any tunneling technology
to varying degrees. Some other VPN technologies are listed in the following table.

VPN Technologies (Technology and Description)

Generic router encapsulation (GRE): GRE is not really a private technology because the data
is not encrypted, but it is a tunneling technology, and the data contained within is somewhat
transparent to the overall network. One common use of GRE is to tunnel IPX or other non-IP
traffic over an IP-only backbone.

Virtual circuit (VC): VCs can be permanent or switched, and are found in Frame Relay and ATM.
Traffic within a VC is not encrypted, but it could be considered a tunnel and can be marketed
as a virtual private network.

802.1Q in Q: 802.1Q in Q also lacks privacy because the data is not encrypted, but, like a
virtual circuit, data that is tagged in one logical VLAN is private from other VLANs. The
technology for Q in Q is the same as 802.1Q itself, except for a second .Q header being added.
This second header is controlled by the service provider. One advantage of this model is that
the original customer tag is not changed. For those familiar with ATM, an analogy is the
virtual path identifier.

L2TP: Layer 2 Tunneling Protocol is an extension to PPP, discussed in Chapter 24,
“Point-to-Point Protocol.” L2TP allows for the tunneling of packets independent of layer 3.

Multi-Protocol Label Switching (MPLS): MPLS is quickly gaining ground as the standard service
tagging model. Many service providers are converting their data networks to MPLS, which is
simply a dynamic tag added to the front of the packet. Again, the data is not encrypted, but
vendors are selling the service as a managed VPN. In reality, it has little functional
difference when compared to other technologies, except for the significant benefit that it is
transport agnostic. Most other technologies require a specific set of physical layer
technologies. MPLS can also provide rapid fault detection and correction compared to other
technologies.

IPSec: IP Security is a set of protocols that encrypt and authenticate the integrity of the
data between two points.

SSL: Secure Sockets Layer is a popular encryption technology used for many HTTP business
transactions (HTTPS). However, the protocol is not limited to HTTP/HTTPS and is now used for
remote control and other remote access functions, and the protocol can be used for other
services. The most significant advantage of SSL is that the client requires no
preconfiguration and the network is transparent to the entire flow. Each end station is
responsible for encryption and decryption, and only the payload is protected.

Frame Relay and ATM: These PVC-based technologies can create private paths across the public
network. Although not typically thought of in VPN concepts, they are rightfully included in
this list.

Commands Used for IPSec (Command and Function)

crypto isakmp policy 10
    This command creates an IKE process on the router. You must have an IOS version that
    supports the IPSec feature set. The priority number can be anything from 1 to 10,000, and 1
    is the highest priority. As with other elements such as route maps, the convention is to
    start with 10 and increment by 10 to allow for future changes. You are now in ISAKMP policy
    configuration command mode.

hash md5
    This command specifies that you will use a preshared key and the MD5 hash algorithm for
    packet authentication. It is possible to configure a key dynamically using RSA public key
    signatures, but that requires a certificate server and other infrastructure.

group 2
    This parameter is generally set to 2 to reflect the Diffie-Hellman group number to use for
    key negotiation. Group 1 uses a 768-bit key exchange, and group 2 uses 1,024 bits. A
    complete list of the group numbers and their related parameters is available at
    www.cisco.com/en/US/customer/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a008015d00c.html.

lifetime 3600
    The lifetime parameter defines how long a security association will last. It is defined
    in seconds and can range from one minute to one day. A value of 3,600 seconds is equal to
    one hour. Longer lifetimes might compromise security but can reduce overhead.

crypto isakmp key tyler address 10.1.1.1
    This configuration command defines the key to be used and the IP address of the far-end
    Ethernet segment that serves as the termination of the tunnel. In this instance, the key is
    tyler and the IP address is 10.1.1.1. This key will be defined on both routers, is
    case-sensitive, and can be up to 128 characters long. Security can be enhanced by using
    longer keys with alphanumeric characters.

crypto ipsec transform-set tunnel-A ah-md5-hmac esp-des
    This command defines the transforms that will be used. This command defines AH (MD5) and
    ESP (56-bit DES), but other combinations might include specifying triple DES or LZS
    compression. Depending on the choices selected, the administrator can select up to three
    transforms. IOS will prevent incompatible values.

crypto map map-A local-address Ethernet0
    Here we define a crypto map called map-A. It is bound to the Ethernet 0 interface; recall
    that we are going to create a tunnel from one Ethernet interface to another.

crypto map map-A 10 ipsec-isakmp
    This command enters crypto-map configuration mode with a map entry numbered 10. Again,
    this is a definable value.

set peer 10.1.1.1
    Here we set the peer by again defining the IP address of the remote. This is for the map
    and not the key, but it would be nice if Cisco would simplify this relationship.

set transform-set tunnel-A
    This command links the map to the transform set previously defined.

match address 110
    This defines the ACL to be used in determining what traffic is encrypted. Please note that
    ACLs 100 through 102 are reserved for use by the DOCSIS configuration file and should not
    be used with cable modems.

interface Ethernet0
    This selects the Ethernet interface.

ip address 10.1.2.1 255.255.255.0
    This defines the local IP address of 10.1.2.1/24.

interface cable-modem0
    This selects the cable modem interface.

crypto map map-A
    This defines that crypto map map-A is to be used on the interface.

access-list 110 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    This defines access list 110, which was assigned to tunnel-A. It specifies that all traffic
    destined for 10.1.1/24 from 10.1.2/24 should be encrypted. Remember that this uses
    wildcard mask rules.


That’s it. Of course, a real configuration would also need routing and other parameters to
be defined. The cable modem would also require an IP address. The opposing router would
require a comparable configuration as well to establish the tunnel.
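As an added check (example code written for this chapter, not from the book or from Cisco), the script below builds the pair of mirror-image configurations the command table describes, with constructed addresses, and flags the mismatches a practitioner would look for before bringing the tunnel up: a crypto ACL in the DOCSIS-reserved range 100-102, a lifetime outside one minute to one day, preshared keys that differ in case, peers that do not point at each other, and crypto ACLs that are not mirror images. The names peer_config, parse_ios and check_pair are assumptions of this example.

```python
import re
DOCSIS_RESERVED_ACLS = range(100, 103)  # chapter: ACLs 100-102 belong to the DOCSIS config file

def peer_config(local, remote, acl=110, key="tyler", lifetime=3600):
    # Constructed minimal IOS config following the chapter's command table (hypothetical values).
    net = lambda ip: ip.rsplit(".", 1)[0] + ".0"
    return f"""crypto isakmp policy 10
 hash md5
 group 2
 lifetime {lifetime}
crypto isakmp key {key} address {remote}
crypto ipsec transform-set tunnel-A ah-md5-hmac esp-des
crypto map map-A local-address Ethernet0
crypto map map-A 10 ipsec-isakmp
 set peer {remote}
 set transform-set tunnel-A
 match address {acl}
interface Ethernet0
 ip address {local} 255.255.255.0
interface cable-modem0
 crypto map map-A
access-list {acl} permit ip {net(local)} 0.0.0.255 {net(remote)} 0.0.0.255
"""

def parse_ios(cfg):
    # Pull out the values the chapter's commands set (default when the line is absent).
    def one(pat, default=None):
        return next((m.group(1) for m in re.finditer(pat, cfg, re.M)), default)
    acl = one(r"^\s*match address (\d+)")
    nets = one(rf"^access-list {acl} permit ip (.*)$") if acl else None
    return {"lifetime": int(one(r"^\s*lifetime (\d+)", 0)),
            "key": one(r"^crypto isakmp key (\S+) address"),
            "peer": one(r"^\s*set peer (\S+)"),
            "local": one(r"^\s*ip address (\S+) "),
            "transform": one(r"^crypto ipsec transform-set \S+ (.*)$"),
            "acl": int(acl) if acl else None,
            "nets": tuple(nets.split()) if nets else ()}

def check_pair(cfg_a, cfg_b):
    # Mismatches that would stop the tunnel described above from coming up.
    a, b = parse_ios(cfg_a), parse_ios(cfg_b)
    problems = [("preshared keys differ (keys are case-sensitive)", a["key"] != b["key"]),
                ("transform sets differ", a["transform"] != b["transform"]),
                ("set peer addresses do not point at each other",
                 (a["peer"], b["peer"]) != (b["local"], a["local"])),
                ("crypto ACLs are not mirror images", b["nets"] != a["nets"][2:] + a["nets"][:2])]
    for name, p in (("A", a), ("B", b)):
        problems += [(f"{name}: lifetime must be 60-86400 seconds", not 60 <= p["lifetime"] <= 86400),
                     (f"{name}: ACL {p['acl']} is reserved for DOCSIS", p["acl"] in DOCSIS_RESERVED_ACLS)]
    return [msg for msg, bad in problems if bad]
```

Running check_pair(peer_config("10.1.2.1", "10.1.1.1"), peer_config("10.1.1.1", "10.1.2.1")) on the two mirrored routers returns an empty list; changing one side's key, ACL number, lifetime or peer address produces the corresponding message.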

IPSec Configuration


Cisco could have made configuration of IPSec a little easier than they did, but unfortunately
they didn’t. This section defines a common IPSec configuration and illustrates some of the
options available to the administrator, including the use of Data Encryption Standard (DES) or
3DES. The code sample in Table 28.3 is the basis for our configuration.