The Cisco VPN 3002 Hardware Client was specifically designed for those organizations with many remote users and sites that need to operate as secure clients in a VPN environment. The 3002 combines the ease of configuration and installation, plus the scalability of a software VPN client, with the stability and reliability of a hardware platform.
The VPN 3002 Hardware Client eliminates the need to install and configure VPN client software on the local workstation(s), plus it supports workstations running any OS, including Windows, Sun Solaris UNIX, Mac, and Linux. Each 3002 client appliance can connect one or more devices, including workstations, servers, hubs, cash registers, printers, and IP telephones to a company’s central network. Figure 13-1 shows the book- sized (2 ? 8.6 ? 6.5 inches) 3002 device.
The VPN 3002 is designed with simplicity and reliability of installation. It has few local setup parameters that must be configured. Additional parameters and policy are “pushed” to the device from the central site (head-end) device with the first connection. In Chapter 15, you see how little installation configuration must be done to connect to the corporate network.
The user simply plugs the minimally configured VPN 3002 device into a DSL/cable connection, router, or other wide area network (WAN) access devices at the remote site. The central site VPN concentrator takes over, using push policy features to centrally set policy, manage, and upgrade the device. This central control and management approach minimizes the need to rely on remote users to deploy or maintain the unit. Tunnel setup and policy configuration is automated, so companies needn’t dedicate IT staff to configure individual devices manually. Troubleshooting aids and centralized monitoring features are built into the 3002 software to ensure proper operation after the unit is set up.
This ease of installation and because the 3002 can coexist with other types of VPN clients on the network make it an ideal choice for the organization that needs to set up and support dozens, or even thousands, of remote end users who need secure network connections from geographically dispersed branch or home office sites. Some examples that might fit this business model include fast food outlets, grocery store-based banking operations, retail chains, insurance or brokerage offices, employment offices, vehicle dealerships, drugstores, and the like.
In calculating return on investment (ROI), larger enterprises typically find the initial price of the hardware client is more than offset by the savings from reduced or eliminated service calls common with supporting software VPN clients. The same is true when compared to supporting expanding LAN-to-LAN networks with their complex configuration requirements at central and remote sites, particularly if on-site support is limited.
The 3002 Client, a small-footprint, book-sized device designed for wall mount or table top operation, currently comes in two models. The CPVN3002-K9 has two 10/100 Mbps RJ-45 Ethernet autosensing interfaces: one for the outside or public connection and one for the inside or private connection. This makes the device ideal for placement between a DSL or a cable modem, either connected directly to a workstation or to multiple hosts via a separate switch or hub.
The CVPN3002-K9 sports a single 10/100 Mbps RJ-45 Ethernet autosensing interface for the public connection plus eight 10/100 Mbps Ethernet autosensing interfaces via an integrated switch. This device can provide simplified installation for the small office or home that needs to connect several computers to the network, or the switch can connect to additional switches, providing connections for up to 253 host devices. Figure 13-2 shows the back of the 8E unit.
The Cisco VPN 3002 supports two modes of operation to offer implementation choices based on flexibility, security, and easy configuration. Those modes are
Network Extension mode
A large VPN implementation might frequently have both types of operation.
In Client mode, the VPN 3002 emulates the VPN client software appearing to the main network like a remote user. The private hosts protected behind the VPN 3002 are a separate network that remains invisible and nonroutable to the central site. The local hosts are assigned their IP addresses from the VPN 3002 Dynamic Host Control Protocol (DHCP) server feature, while the public port can use the VPN 3002 DHCP client feature to acquire its IP address from an ISP. From a cost and address preservation standpoint, it would make sense for the local IP addresses to be private IP addresses.
To help secure the local network and to allow local hosts to travel out of the network in Client mode, the VPN 3002 uses Port Address Translation (PAT). Because all traffic to the central network will have the public interface IP address, PAT supplies and manages unique port number mappings to be used in combination with the IP address.
Split tunneling is a useful feature that provides the capability to have a secure tunnel to the central site, while simultaneously maintaining a clear text tunnel to the Internet through the ISP. The VPN 3002 uses PAT to protect the local workstations during split tunneling to the Internet. If the organization security policy prohibits split tunneling, it can be blocked by creating a policy on the central site device, which is then pushed down to the 3002 Client.
The VPN 3002 Client can only create outbound connections, so no way exists for an outside source to initiate a connection with the VPN 3002 or through it to the stations behind.
In Network Extension mode, the VPN 3002 establishes a secure site-to-site connection with the central site device. The local stations behind the VPN 3002 are fully routable and the local network is visible to the central site. As the name implies, the local network becomes part of the organization’s intranet. VPN and 3002 configuration and security policies are pushed from the central site.
In Network Extension mode, the private addresses are assigned manually and permanently, allowing central site host and applications to reliably reach any local server, printer, POS terminal, IP phone, or other device critical to the business.
PAT provides security for local host traffic heading to the Internet through split tunneling. This outbound PAT on the VPN 3002 provides centralized security control because no configuration parameters exist for local users to adjust, which could possibly cause the central site to be compromised.
To support fast, easy, and reliable deployment and scalability to thousands of sites, the Cisco VPN 3002 Hardware Client is a full-featured VPN client that incorporates IPSec and other industry standards. The 3002 support for the Cisco VPN Client Release 3.5 software, using the Unified Client Framework, enables it to connect to any Cisco central-site VPN Concentrator, including the Cisco 3000 Series VPN Concentrators, PIX Firewalls, and Cisco IOS–based routers.
The 3002 supports the following standards and protocols. The details of configuring these features are covered in Chapter 15.
DHCP client and server services are supported. DHCP client implementation allows the public interface to be assigned an IP address from the head-end device on first connection. This is both easier and more reliable than end-to-end statically assigned addresses, which are typically required for LAN-to-LAN devices. DHCP server support allows the private interface(s) to assign IP addresses to up to 253 stations behind the Cisco VPN 3002.
Three methods of NAT Transparent IPSEC, including the UDP method implemented in the original product release, IPSec/TCP method, and ratified IPSec/UDP NAT-T specification, which includes autodetection and fragmentation avoidance.
PAT can be configured on the 3002 to hide the stations behind the Cisco VPN 3002 private interface(s) from external view and attack.
IPSec encryption protocols, including 56-bit DES or 168-bit Triple DES for securing the data transmissions.
MD5, SHA-1, HMAC with MD5, and HMAC with SHA-1 authentication algorithms.
IPSec tunneling protocol with Internet Key Encryption (IKE) key management.
AAA RADIUS accounting and security from the central site.
H.323 support allows users to host and access NetMeeting sessions or to access other H.323 applications, such as voice-over IP (VoIP).
Embedded web management interface accessible via local web browser, Secure Shell (SSH)/Secure Socket Layer (SSL), or conventional console port.
SNMP MIB-II for monitoring, configuration, and event logging.
The following summarizes the features and benefits provided by the Cisco VPN 3002 Hardware Client devices. Those requiring configuration are addressed in Chapter 15, when configuring the client is covered or, because many features are “pushed” down from the central site, they’re enabled and configured in Chapter 14.
The client update feature was added in version 3.0 for the VPN 3002 Hardware Client and version 3.1 for the Cisco VPN software client. If the central device supports the feature (v3.0 for VPN Concentrators), the central device can be used to upgrade the software and configuration on the client. In the case of the VPN 3002 Hardware Client, firmware upgrades can also be pushed down to the client.
For VPN 3002 Hardware Clients, the client update allows administrators to update software and firmware automatically for the 3002 device. If an upgrade is needed, the unit upgrades automatically from an internal TFTP server specified on the central site VPN Concentrator. The process of maintaining security, managing the system, and upgrading it is transparent to the end user.
For Cisco VPN software clients the process is a little less automatic. This is more of a notification mechanism with an assisted upgrade. The client update for the Cisco VPN software clients allows central location administrators to notify the client users automatically when it’s time to update. Then action is required on the part of users to retrieve and install the newer software.
The VPN 3002 supports the following two levels of client authentication mechanism that supplies a high level of security for both the VPN 3002 and the users behind the VPN 3002:
Interactive Unit Authentication
Individual User Authentication
The VPN 3002 Interactive Unit Authentication technology uses Saved or One Time Passwords to reauthenticate itself to the head-end device. With Saved passwords, the 3002 client device needn’t reauthenticate if the tunnel cycles. With One Time passwords, the device must be reauthenticated each time the tunnel cycles. The VPN 3002 supports preshared secrets, digital certificates, and tokens for this authentication.
The VPN 3002 Individual User Authentication feature can be set to require each user behind the VPN device to authenticate before traversing the tunnel. This feature can require the users behind the 3002 to use preshared secrets or tokens to authenticate. The individual authentication can be used by itself or in conjunction with Interactive Unit Authentication to maximize security.
To simplify the process and make it as transparent as possible to the end users, this technology automatically intercepts any user attempting to traverse the VPN tunnel and redirects them to a browser page to authenticate. The user needn’t initiate or remember to initiate the security authentication because this is done automatically. If a user is only attempting to access the Internet via split tunneling, that user isn’t prompted to authenticate.
The VPN 3002 hardware device (release 3.5) and the Cisco VPN software client (v3.0) both support Cisco’s VPN 3000 load-balancing strategy. To implement load balancing, multiple concentrators are grouped together logically on the same private LAN-to-LAN network in a virtual cluster. These VPN Concentrators can be configured to direct session traffic transparently to the least-loaded device, thus distributing the load among all devices. In addition to increasing efficient use of system resources, this strategy provides increased performance, high availability, and reliability.
The VPN 3002 supports up to 10 back-up concentrators, in case the primary location is down or otherwise unavailable. The 3002 cycles through each backup concentrator in order until it makes a successful connection, maximizing network availability to the client.
Point-to-Point Protocol over Ethernet (PPPoE) is a specification for connecting Ethernet users to the Internet using a common broadband medium, such as a DSL line, a cable modem, or a wireless device. Many ISPs now require PPPoE authentication for DSL or other access to their networks. The VPN 3002 supports PPPoE Client mode to access these networks. Users need only to authenticate to the PPPoE server the first time and VPN 3002 then authenticates for all the user’s subsequent attempts.