Working with Cisco VPN Concentrator

Enterprise Networks & Servers, Sep 2004 by Welcher, Peter J

Last month's article looked at "clever" addressing schemes. I do hope it was an interesting excursion into wildcard masks and planning ahead with address assignments. The article can be found at www.netcraftsmen.net/welcher/papers/addressing.html.

This month I happen to have a VPN Concentrator handy, so that's going to be our topic. Overall, the documentation is pretty clean and clear, with good screen captures (as is not the case for some other Cisco software products). There were a couple of surprises (to me, anyway) in setting up the VPN Concentrator, so I thought I'd pass along some tips. I do have to go pack for vacation, so the length of this article is going to observe a sharp cap.

What Does a VPN Concentrator Do?

The VPN Concentrator is used for Remote Access VPNs. In typical use, a Remote Access VPN allows users to use an encrypted tunnel to securely access a corporate or other network via the Internet (Figure 1).

Different VPN Concentrator (VPNC) models are used for different numbers of users and amounts of throughput. While the VPNC can be used for limited site-to-site VPNs (interconnecting LANs rather than connecting a single remote computer), a PIX or router may be better suited for that form of connectivity.

Another current use of the VPNC is to encrypt WLAN or wired traffic, especially for certain users (e.g. faculty or administrators on a college campus) where there is concern about the consequences should a login/password be captured. Remote Access VPN over WLAN is popular in the short term where administrators don't want to have to deal with driver installs and OS support issues, WPA, 802.11i, etc. Note that IPSec also buys robust confidential user/PC authentication, the other area where WLAN WEP is somewhat lacking (see my previous WLAN articles).

The Cisco VPN Concentrator 3000 series provides Remote Access VPN connectivity using either IPSec or SSL for the VPN. User authentication can be via RADIUS, Kerberos or MS Active Directory, RSA SDI, digital certificates, or the built-in authentication server. It also allows access lists (ACLs) to be applied to remote user sessions.

The VPN Concentrator (VPNC) can be configured and administered via command line interface (CLI) or Web interface. It provides useful Web pages showing active user sessions and statistics.

The following URLs will get you to the relevant documentation on Cisco's pages.

Remote Access VPN At-A-Glance page

www.cisco.com/application/pdf/en/us/guest/netsol/ns125/c643/cdccont_0900aecd800ef549.pdf

Cisco VPN Concentrator page

www.cisco.com/en/US/products/hw/vpndevc/ps2284/index.html

Cisco VPN Client page

www.cisco.com/en/US/products/sw/secursw/ps2308/index.html

Cisco IPSec page

www.cisco.com/warp/public/732/Tech/security/ipsec/

IPSec Simplified

www.netcraftsmen.net/welcher/papers/ipsec1.html

IPSec Simplified - Part 2

www.netcraftsmen.net/welcher/papers/ipsec2.html

IPSec Versus SSL

IPSec has the advantage of essentially making the remote computer part of the corporate network. This is good, in that applications run without awareness that any encryption or Internet routing is happening. It can be a drawback, in that any security exposure on the remote computer becomes a risk to the corporate network. For this reason, Cisco's client offers various security controls which can be configured centrally.

SSL (WebVPN) has become a popular alternative. It provides encrypted Web access to Web-enabled corporate applications. It has become popular because it can be clientless, with much simpler setup and use and lower administration cost. The drawback is that it only enables use of a more limited set of applications, which may not fit all environments. One security concern with WebVPN is Web caching and private information left on a computer used for Web access to corporate resources. The Cisco client goes to some lengths to prevent compromise of user information, even on a public shared computer used for WebVPN access.

Designing for the VPN Concentrator

One of the frequently asked questions with the VPN Concentrator is where to place it in the network. The answer is that it depends on how you're planning to use the VPNC. Figure 2 shows the typical deployment.

I've put in red dotted lines since you have a choice of connecting the VPNC's inside (private) interface either to a PIX interface or to the inside switch. The PIX interface allows you to do some firewalling of your remote access users.

The case for putting the VPNC in parallel with the PIX is that this offloads work from the PIX, if you trust the VPN and your remote users. If you connect the VPNC to a Remote Access DMZ interface on the PIX, you're putting more work on the PIX, but also possibly obtaining benefits from ACLs, NAT, etc.

Yet another approach is to just put the VPNC totally inside the network. Have the PIX allow IKE and IPSec to the VPNC, also doing NAT from the internal VPNC public address to an address out of the Internet public address block for the site. Of course, doing NAT like this imposes more work on the PIX.
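As an added illustration of that last design (not configuration from the article or from Cisco), here is the PIX side of the "VPNC totally inside" placement in PIX 6.x syntax: a one-to-one static NAT that maps the VPNC's public interface to an address from the site's Internet block, and an inbound access list that admits only IKE (UDP 500) and IPSec ESP (IP protocol 50) to that address. All addresses and the access-list name are constructed for the example; the `!` lines are explanatory comments. The NAT-Traversal line (UDP 4500) is an assumption for remote clients that sit behind NAT and is not something the article discusses.

```text
! Constructed example addresses (not from the article):
!   VPNC public interface, on the PIX inside network : 192.168.10.2
!   Address from the site's Internet public block    : 203.0.113.10
!
! One-to-one NAT so the VPNC's public interface is reachable from the Internet
static (inside,outside) 203.0.113.10 192.168.10.2 netmask 255.255.255.255
!
! Only the IPSec control and data protocols are allowed in to the VPNC;
! everything else to that address is dropped by the PIX
access-list outside_in remark IKE (ISAKMP) to the VPN Concentrator
access-list outside_in permit udp any host 203.0.113.10 eq 500
access-list outside_in remark IPSec ESP to the VPN Concentrator
access-list outside_in permit esp any host 203.0.113.10
! Assumed, not in the article: NAT-Traversal for clients behind NAT
! access-list outside_in permit udp any host 203.0.113.10 eq 4500
!
access-group outside_in in interface outside
```

The trade-off the article points out is visible here: every IKE and ESP packet for every remote user is now translated and inspected by the PIX, which is the extra load you avoid with the parallel placement, in exchange for the PIX being able to police what reaches the VPNC.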
