VPN technology: solution Q&A _ Server

Source: Internet
Author: User
Tags: failover, vpn, router, cisco, security
1. Why does Cisco promote Layer 2 tunneling protocols rather than Layer 3 tunneling protocols?
Cisco offers both and does not single out either one. Layer 2 tunneling protocols are used mainly for access VPNs, while Layer 3 tunneling protocols provide VPN support for intranets and extranets. Layer 3 tunneling can also be used in some access-VPN scenarios, such as the client-initiated tunneling model and large-scale Internet access solutions.
2. What is a Layer 3 tunnel?
Layer 3 tunneling is not a new technology. GRE, defined in RFC 1701, has existed for a long time, and Cisco has supported it since IOS version 9.21. IPSec is the newer IETF standard defined to support encrypted tunneling; Cisco has supported it since IOS version 11.3(3)T. Cisco supports Mobile IP as of IOS version 12.0(1)T.
3. What is the main function of GRE?
GRE is an IP-based tunneling technology that can carry traffic of multiple protocols, such as IPX and AppleTalk, across an IP backbone. GRE can also carry broadcast and multicast traffic, such as routing updates, through tunnels over the Internet. Note that before using GRE you must configure the physical interface as the VPN endpoint; security measures such as IPSec can then be applied to protect the tunnel.
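As an added illustration of the GRE encapsulation described above (example code written for this page, not Cisco's), the following Python builds and parses the RFC 1701 GRE header, including the optional key and sequence fields and the checksum, so that an IPX or AppleTalk frame can be wrapped for transport over an IP backbone. The protocol-type values are the standard Ethertypes; the payload bytes are constructed sample data, and the strict-source-routing (R bit) option is deliberately not implemented.

```python
import struct

# Ethertype values of payloads that GRE can carry over an IP backbone
GRE_PROTO = {0x0800: "IPv4", 0x8137: "IPX", 0x809B: "AppleTalk"}
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000  # checksum / key / sequence present


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement checksum as used by GRE (and IP); 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(proto: int, payload: bytes, key=None, seq=None) -> bytes:
    """Prepend an RFC 1701 GRE header (C bit always set; R bit not supported)."""
    flags, opt = FLAG_C, b""
    if key is not None:                # K bit: 32-bit tunnel key
        flags |= FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:                # S bit: 32-bit sequence number
        flags |= FLAG_S
        opt += struct.pack("!I", seq)
    # checksum covers header and payload with the checksum field zeroed
    head = struct.pack("!HH", flags, proto)
    csum = ones_complement_sum(head + struct.pack("!HH", 0, 0) + opt + payload)
    return head + struct.pack("!HH", csum, 0) + opt + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Strip the GRE header, verifying the checksum; returns fields and payload."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:                 # version field must be 0 for GRE
        raise ValueError("unsupported GRE version")
    if flags & 0x4000:                 # R bit (source routing) not handled here
        raise ValueError("routing field not supported")
    off, out = 4, {"proto": proto, "name": GRE_PROTO.get(proto, "unknown")}
    if flags & FLAG_C:
        if ones_complement_sum(packet) != 0:
            raise ValueError("bad GRE checksum")
        off += 4
    if flags & FLAG_K:
        out["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:
        out["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    out["payload"] = packet[off:]
    return out
```

Note that the checksum only detects accidental corruption; as the answer above says, confidentiality and integrity against an adversary come from protecting the tunnel with IPSec, not from GRE itself.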
4. Can combined voice and data streams be carried well over VPNs, and which Cisco devices support this?
In general, without hardware acceleration, compression and a good QoS mechanism, carrying voice over an encryption mechanism such as IPSec is almost unthinkable. We are now getting closer to the goal of carrying encrypted combined voice and data streams over VPNs: on the 7100 series routers this has become a reality using hardware encryption, and in the near future the feature will be implemented in the Cisco 7200, 3600, 2600 and 1700 series routers. In addition, LZS compression and QoS mechanisms for IPSec packets, such as NBAR, will speed up voice transmission over VPNs.
5. What are the advantages and disadvantages of a firewall-based VPN solution compared with an IPSec router-based solution?
Advantages:
* An integrated solution with no need to install additional equipment.
* Lower equipment investment, and less equipment support and maintenance work.
Disadvantages:
* The firewall may not support routing and other features, such as QoS.
* Performing both firewalling and encryption on the same device affects its performance.
* The number of VPN tunnels a particular VPN device can support is limited.
6. What is IPSec? Is it a new form of encryption?
IPSec is a set of protocol formats for secure communication over a public IP network, covering data formats, key exchange and encryption algorithms. IPSec provides secure communication between IPSec-compliant devices, even when those devices come from different vendors.
7. What roles do L2TP and IPSec play in implementing access VPNs?
L2TP provides tunnel setup (encapsulation) and Layer 2 authentication. IPSec encrypts the L2TP tunnel and thereby secures the session. Users can use IPSec on its own in tunnel mode, but L2TP offers better user authentication capabilities.
8. How do IPSec and CET compare?
The answer depends on your requirements. If you need Cisco-router-to-Cisco-router data encryption, you can use CET (Cisco Encryption Technology), which is the more mature and faster solution. If you need standards-based support for multi-vendor and remote-client access connections, you should use IPSec. Likewise, if you want data authentication with or without encryption, IPSec is the right choice. If you wish, you can configure both CET and IPSec on the network, even on the same device: Cisco devices can support CET secure sessions and IPSec security sessions with multiple endpoints at the same time.
9. Is a hardware VPN feature supported on the Cisco 1700 series routers, and what is the hardware part number?
Yes. The hardware VPN module is the MOD1700-VPN.
10. How do Cisco 1700 series routers with the VPN module compare with 1700 routers that implement VPN functionality in IPSec software, and with the Cisco 800 and 1600 series VPN routers?
Cisco 1700 series routers running IPSec in software without the VPN module can perform 3DES encryption on 256-byte packets; 1700 routers with the VPN module achieve a 3400 kbps encryption rate for packets of the same size. The Cisco 800 and 1600 series VPN routers only support 56-bit DES encryption, not 3DES; the rate they achieve is suited to ISDN 128k connections.
11. Can Cisco 1700 series routers with the VPN module interoperate with VPN products from other vendors?
Although IPSec standards for VPNs, such as PKI and digital authentication, have been established among many vendors, many vendors still design and implement VPNs that deviate from the standard to some degree. As a result, you may encounter interoperability problems between them.
12. How many remote mobile users can the Cisco series VPN routers typically support?
The Cisco 1700 series VPN router supports 20-30 users, or around 100 users with hardware acceleration. The Cisco 2600/3600 series VPN routers support around 100-500 users. For VPN deployments with more than 500 users, the Cisco 7xxx series VPN routers are recommended.
13. Can Cisco VPN software support multiple protocols (such as IP and IPX) over the same connection?
If the VPN uses a multi-protocol tunneling feature such as GRE, L2TP or PPTP (all supported in Cisco IOS software), then multiple protocols can be carried.
14. What is the Cisco VPN Client?
The Cisco VPN Client is software that connects to the server side of a VPN-enabled product. It supports Windows 95, 98, NT 4.0, 2000 and XP.
15. What is the Cisco VPN 3002 hardware client?
The Cisco VPN 3002 hardware client is a small hardware system that acts as the client in a VPN environment, replacing software clients on MS-DOS, Windows and NT platforms.
Security products: solution Q&A
1. What kind of algorithm does the Cisco PIX firewall use, and how is data forwarded through the firewall?
The Cisco PIX firewall uses the Adaptive Security Algorithm (ASA), a connection-oriented, stateful inspection method. Every packet entering the firewall is checked by the adaptive security algorithm against connection state information held in memory. This connection-oriented dynamic firewall can handle 500,000 concurrent connections with up to 1 Gbps throughput. Clearly, this connection-state approach is more secure than filtering that only inspects packets individually (such as access lists). When an outbound packet arrives at a higher-security interface of the PIX firewall, the PIX uses the adaptive security algorithm to check whether the packet is valid, and then whether a previous packet has already come from that host. If not, the packet belongs to a new connection, and the PIX firewall creates a translation slot for the connection in its state table. The information stored in the translation slot includes the internal IP address and the globally unique IP address, which is assigned by NAT, PAT or identity. The PIX firewall then changes the source address of the packet to the globally unique address, adjusts the checksum as required, and forwards the packet to the lower-security interface.
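To make the connection-oriented forwarding described above concrete, here is a small Python model (added for this page, not Cisco's code) of the outbound and inbound decisions: an outbound packet from the higher-security interface allocates a translation slot and a connection entry and has its source rewritten, while an inbound packet is forwarded only when it matches an existing entry. The interface names, security levels and RFC 5737 addresses are constructed assumptions.

```python
"""Model of the PIX adaptive security algorithm (ASA) forwarding path.
Added example, not Cisco code: interface security levels, NAT translation
slots and connection entries are simulated in memory."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PixModel:
    def __init__(self, levels: dict, global_pool: list):
        self.levels = levels              # interface name -> security level
        self.pool = list(global_pool)     # free global addresses for NAT
        self.xlate = {}                   # inside ip -> global ip (translation slot)
        self.conns = set()                # (global ip, sport, dst, dport, proto)

    def _translate(self, inside_ip: str) -> str:
        """Return the global address for an inside host, allocating on first use."""
        if inside_ip not in self.xlate:
            if not self.pool:
                raise RuntimeError("NAT pool exhausted")
            self.xlate[inside_ip] = self.pool.pop(0)
        return self.xlate[inside_ip]

    def forward(self, pkt: Packet, in_if: str, out_if: str):
        """Forward a packet between interfaces; returns the rewritten packet or None."""
        if self.levels[in_if] > self.levels[out_if]:
            # outbound (high -> low): create xlate + conn entry, rewrite source
            g = self._translate(pkt.src)
            self.conns.add((g, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return replace(pkt, src=g)
        # inbound (low -> high): only return traffic of a known conn is allowed
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) not in self.conns:
            return None                   # no connection slot: dropped
        inside = next(i for i, g in self.xlate.items() if g == pkt.dst)
        return replace(pkt, dst=inside)

    def close(self, inside_ip, sport, dst, dport, proto="tcp"):
        """Remove a connection entry when the session ends (e.g. TCP FIN/RST seen)."""
        self.conns.discard((self.xlate.get(inside_ip), sport, dst, dport, proto))
```

The model shows why an access list alone is weaker: an outside host that guesses a global address still cannot reach the inside unless an inside host opened that exact connection first.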
2. What is the role of Cisco PIX failover?
With PIX version 5.0, if you have a 100 Mbps LAN interface, you can select the Stateful Failover option. Connection state is then passed automatically between the two firewall units of the failover pair. The two units communicate over the failover cable, a modified RS-232 serial cable that transmits data at 9600 baud. The data carried identifies the primary and secondary unit and the power state of the other unit, and serves as the communication link between the two units of the failover pair.
3. What is the role of AAA?
Access control governs which users are allowed access to a server and, once they have access, which services they are permitted to use. AAA is a framework for configuring three independent security functions in a consistent way. It provides a modular approach to the following services: Authentication: a method of identifying users, including login and password dialogs, challenge and response, messaging support and, depending on the security protocol chosen, encryption. Authorization: a method of remote access control, including one-time authorization or per-service authorization, per-user account lists and profiles, user group support, and support for IP, IPX, ARP and Telnet. Accounting: a method of collecting and sending information to a security server, used for billing, auditing and reporting, such as user identities, start and stop times, commands executed, number of packets and number of bytes.
4. What is RADIUS?
RADIUS is a distributed client/server system that protects the network from unauthorized access. In Cisco's implementation, the RADIUS client runs on the router and sends authentication requests to a central RADIUS server, which holds all user authentication and network service access information. Cisco also supports RADIUS through its AAA security model, alongside other AAA security protocols such as TACACS, Kerberos and local username lookup, and all Cisco platforms support RADIUS.
5. How is Cisco Encryption Technology implemented?
Network data encryption is provided at the IP packet level, and only IP packets can be encrypted. A packet is encrypted/decrypted only if it matches the conditions set when encryption was configured on the router. An encrypted packet can still be observed in transit, but the contents of the IP packet cannot be read. The IP header and the upper-layer protocol headers are not encrypted, but all payload data in TCP or UDP packets is encrypted and therefore cannot be read in transit.
6. How does IPSec work?
IPSec provides a secure tunnel between two peers (routers). The user defines which packets are considered sensitive and should be sent through these secure tunnels, and specifies the parameters of the tunnels that protect such sensitive packets. Then, when IPSec sees such a sensitive packet, it establishes the corresponding secure tunnel and transmits the packet through it to the remote peer.
7. What is the role of TACACS+?
TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon, which typically runs on a UNIX or Windows NT workstation. You must have access to and configure a TACACS+ server before the TACACS+ features configured on your network access server are available.
8. What kinds of authorization does Cisco IOS software support?
1. EXEC authorization: applies to attributes associated with a user's EXEC terminal session.
2. Command authorization: applies to EXEC mode commands issued by a user. Command authorization attempts authorization for all EXEC mode commands at the specified privilege level.
3. Network authorization: applies to network connections, including PPP, SLIP or ARAP connections.
9. How does Cisco IOS manage accounting on the network?
Accounting on the network is managed with the accounting commands. With accounting management you can track the network resources used by individual users and by groups of users. With the AAA accounting feature you can track not only the services users access but also the amount of network resources they consume.
10. What is the role of Kerberos?
Kerberos is a secret-key network authentication protocol that uses the Data Encryption Standard (DES) algorithm for encryption and authentication. Kerberos is designed to authenticate requests for network resources. Like other secret-key systems, Kerberos relies on a trusted third party that performs secure authentication of users and services.
11. What is the role of Lock and Key?
Lock and Key is a traffic filtering security feature that dynamically filters IP protocol traffic. Lock and Key is configured using IP dynamic extended access lists, which can be used in conjunction with other standard access lists or static extended access lists.
12. What does Cisco Secure Scanner do?
Cisco Secure Scanner is an enterprise-class software tool that provides excellent network system identification, innovative data management, flexible user-defined vulnerability rules, comprehensive security reporting, and Cisco 24x7 global support.
13. What does Cisco Secure Policy Manager do?
Cisco Secure Policy Manager is a powerful, scalable security policy management system for Cisco firewalls, IPSec VPN gateway routers, and intrusion detection system sensors.
14. What is the role of the Cisco Secure Intrusion Detection System?
The Cisco Secure Intrusion Detection System provides a range of high-performance security monitoring solutions for enterprise and service provider networks.
15. What is the role of the Cisco Secure Access Control Server?
The Cisco Secure Access Control Server is designed to address the security needs of the Internet and of rapidly growing networks, such as shared, dedicated or extranet enterprise networks, by controlling, authorizing and accounting for users' network access.
16. What is the role of the Cisco IOS Firewall?
The Cisco IOS Firewall integrates robust firewall functionality and intrusion detection at every network perimeter, enriching the security features of Cisco IOS Software.
17. PIX firewall licensing.
The PIX Firewall license comes in three configurations: unrestricted (UR), restricted (R) and failover (FO). These basic configurations can be enhanced with VPN-DES or VPN-3DES for additional security.
Unrestricted: operating in UR mode allows the PIX firewall to support the maximum number of interfaces and the maximum supported memory. The UR license supports hot standby redundancy, minimizing network downtime.
Restricted: in R mode the PIX firewall limits the number of interfaces and the amount of memory supported. The restricted license provides a price-optimized firewall solution for smaller networks; it does not support the redundant failover feature.
Failover: a PIX firewall operating in FO mode works together with another firewall holding a UR license to provide a hot standby redundant configuration. The FO license provides stateful fault tolerance, enabling a highly available network design. The PIX firewall in FO mode maintains the same real-time connection state as the primary firewall, minimizing connection failures due to a device or network failure. The UR and FO licenses have exactly the same features and performance characteristics. A failover cable is required between the UR and FO firewalls.
The current PIX firewall license is based on a feature set, which determines which features are available and which are not. Earlier PIX firewalls used licensing based on the number of connections, i.e. the maximum number of connections the PIX firewall supports. For uniformity and manageability, the current PIX firewall uses feature-set based licensing.
