VPN Technical Questions

Source: Internet
Author: User
Tags: vpn, router, cisco, security

1. Why does Cisco emphasize Layer 2 tunneling protocols rather than Layer 3 tunneling protocols?
Cisco provides both and does not favor one over the other. Layer 2 tunneling protocols (PPTP, L2F, L2TP) are mainly used in remote-access VPN solutions, whereas Layer 3 tunneling protocols (GRE, IPsec) support intranet and extranet VPN solutions between sites. Layer 3 tunneling can also be used in some access VPN solutions, such as client-initiated tunnel mode and large-scale Internet access solutions.
2. What is a Layer 3 tunnel?
Layer 3 tunneling is not a new technology. GRE, defined in RFC 1701, has existed for a long time, and Cisco IOS has supported it since release 9.21. IPsec is a newer IETF standard for encrypted tunnels, supported in Cisco IOS since release 11.3(3)T; Mobile IP support was added in release 12.0(1)T.
3. What is GRE mainly used for?
GRE is an IP-based tunneling technology that carries traffic of several protocols, such as IPX and AppleTalk, over an IP backbone. It can also carry broadcast and multicast traffic, such as routing protocol updates, through a tunnel across the Internet. A GRE tunnel is configured on a tunnel interface whose source and destination are the addresses of physical interfaces on the two endpoints, so those addresses must be reachable before the tunnel can come up. GRE itself provides neither confidentiality nor authentication, so the tunnel should be protected with a security mechanism such as IPsec.
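Added example (not part of the original FAQ): a GRE tunnel between two Cisco IOS routers that carries OSPF routing updates (multicast, which plain IPsec cannot carry) and is protected by an IPsec profile. The addresses, interface names, and pre-shared key are assumed for illustration; the commands are standard IOS crypto and tunnel commands (tunnel protection needs IOS 12.2(13)T or later, and the SHA-256 options need IOS 15.x).

```cisco
! Router A (assumed): WAN interface GigabitEthernet0/0 = 198.51.100.1, LAN 10.1.0.0/24
! Peer router B (assumed): 203.0.113.2, LAN 10.2.0.0/24. Mirror this on B with roles swapped.
!
! IKE phase 1: how the two routers authenticate each other and protect the negotiation
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK-ChangeMe address 203.0.113.2
!
! IKE phase 2: the transform set that encrypts the GRE packets.
! Transport mode is sufficient because GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! GRE tunnel interface: source and destination are physical-interface addresses
! that must be reachable across the Internet before the tunnel can come up.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! Routing updates (OSPF multicast) travel inside the tunnel; the LAN is reachable via it
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
```

To check it, `show crypto ipsec sa` should show encapsulation and decapsulation counters increasing and `show ip ospf neighbor` should list the peer on Tunnel0. A tunnel that is up/up with no OSPF neighbor usually means the IPsec security association never formed or that IP protocol 47 (GRE), UDP 500 (IKE), or IP protocol 50 (ESP) is filtered somewhere between the two WAN addresses. The MTU and MSS settings are there because GRE plus ESP adds overhead that otherwise causes fragmentation or blackholed large packets.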
4. Can converged voice and data traffic be carried through a VPN? Which Cisco devices support this?
Generally speaking, without hardware acceleration, compression, and a good QoS mechanism, it is nearly impossible to carry voice through an encryption mechanism such as IPsec. Encrypted transmission of combined voice and data traffic through a VPN is getting closer: hardware encryption in the Cisco 7100 series routers is already a reality, and in the near future the same function will be implemented in the Cisco 7200, 3600, 2600, and 1700 series routers. In addition, LZS compression of IPsec packets and QoS mechanisms such as NBAR will speed up voice over VPN.
5. What are the advantages and disadvantages of a firewall-based VPN solution compared with an IPsec-based router solution?
Advantages:
* The integrated solution does not require additional devices to be installed.
* It reduces equipment investment, support, and maintenance costs.
Disadvantages:
* The firewall may not support routing and other features, such as QoS.
* Running the firewall and encryption functions on the same device affects its performance.
* The number of VPN tunnels a given firewall can support is limited.
6. What is IPsec? Is it a new form of encryption?
IPsec is a suite of protocols for secure communication over public IP networks. It covers packet formats (AH and ESP), key exchange (IKE), and the negotiation of encryption and authentication algorithms. It is not a new cipher: it is a framework that applies existing algorithms such as DES, 3DES, and HMAC-MD5/SHA-1 to IP packets. IPsec provides secure communication between any devices that comply with the standard, even when those devices come from different vendors.
7. What roles do L2TP and IPsec play in an access VPN?
L2TP provides the tunnel, the encapsulation, and Layer 2 (PPP) user authentication. IPsec encrypts the L2TP tunnel to secure the session. IPsec can be used on its own in tunnel mode, but L2TP offers better per-user authentication, which is why the two are combined as L2TP over IPsec.
8. How does IPsec compare with CET?
It depends on your requirements. If you need data encryption between two Cisco routers, CET (Cisco Encryption Technology, a Cisco-proprietary scheme) is a more mature and faster solution. If you need standards-based support for access connections between multiple vendors' equipment and remote customers, use IPsec. IPsec is also the right choice if you want data authentication with or without encryption. If you wish, CET and IPsec can be configured in the same network and even on the same device: Cisco devices support simultaneous CET and IPsec security sessions with multiple endpoints.
9. Does the Cisco 1700 series router support hardware VPN? What is the hardware part number?
Yes. The hardware VPN module is MOD1700-VPN.
10. How does a Cisco 1700 series router with the VPN module compare with a 1700 running IPsec in software and with the Cisco 800 and 1600 series VPN routers?
A Cisco 1700 series router with IPsec software and no VPN module encrypts 256-byte packets with 3DES at a throughput of [figure missing in the source] kbps; a 1700 with the VPN module encrypts packets of the same size at [figure missing in the source] kbps. Cisco 800 and 1600 series VPN routers support only 56-bit DES, not 3DES, and their maximum throughput suits ISDN 128 kbps connections.
11. Can Cisco 1700 series routers with VPN modules interoperate with other vendors' VPN products?
Although IPsec standards exist for VPNs between different vendors' products, including PKI and digital certificates, many vendors still implement somewhat more or less than the standard, so interoperability problems may occur. In practice, interoperation should be tested with the specific peer, and the IKE and IPsec proposals (algorithms, Diffie-Hellman group, lifetimes, authentication method) must match on both sides.
12. How many remote mobile users does a Cisco VPN router support?
Cisco 1700 series VPN routers support 20 to 30 users, or about 100 with hardware acceleration. Cisco 2600/3600 series VPN routers support about [figure missing in the source] users. For VPN applications with more than 500 users, the Cisco 7xxx series VPN routers are recommended.
13. Can Cisco VPN software carry multiple protocols (such as IP and IPX) in the same connection?
Yes, if the VPN uses a multiprotocol tunneling protocol such as GRE, L2TP, or PPTP, all of which are supported in Cisco IOS software. IPsec on its own carries only IP.
14. What is the Cisco VPN Client?
The Cisco VPN Client is software that connects to the server side of a VPN product. It supports Windows 95, 98, NT 4.0, 2000, and XP.
15. What is the Cisco VPN 3002 Hardware Client?
The Cisco VPN 3002 Hardware Client is a small hardware device that acts as the client in a VPN environment, replacing software clients on MS-DOS, Windows, and NT platforms.
Security Product FAQs
1. What algorithm does the Cisco PIX firewall use? How is data forwarded through the firewall?
The Cisco PIX firewall uses the Adaptive Security Algorithm (ASA), a stateful inspection method that ties every decision to the connection state kept by the device. Every packet entering the firewall is checked against the adaptive security algorithm and the connection state table held in memory. A connection-oriented stateful firewall of this kind can handle up to 500,000 concurrent connections and up to 1 Gbps of throughput, and it is more secure than stateless packet filtering with access lists alone. When an outbound packet arrives on a higher-security interface of the PIX, regardless of which host sent the previous packet, the PIX applies the adaptive security algorithm to check whether the packet belongs to an existing connection. If not, the packet starts a new connection and the PIX creates a translation slot for it in the state table. The slot records the internal IP address and the globally unique IP address assigned by NAT, PAT, or identity translation. The PIX then rewrites the packet's source address to the global address, recalculates the checksum and other fields as required, and forwards the packet out of the lower-security interface. Return packets from the outside are admitted only if they match an existing slot; traffic initiated from a lower-security interface toward a higher-security one is dropped unless a static translation and an access list explicitly permit it.
2. What does Cisco PIX failover do?
If the PIX has a dedicated 100 Mbps (Fast Ethernet) LAN interface available, the Stateful Failover option can be used, so that connection state is copied automatically between the two units of the failover pair. The two units also communicate over the failover cable, a modified RS-232 serial cable running at 9600 baud. The data on that cable identifies which unit is primary and which is secondary, reports the power status of the other unit, and serves as the link over which the two units' failover processes exchange hello messages. Without the stateful link the standby unit still takes over, but existing connections are lost and must be re-established.
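Added example covering both answers above (not taken from the page or from Cisco documentation): a PIX 6.x configuration that shows security levels on interfaces, the outbound translation slots created by nat/global, the explicit static and access list needed for the one inbound flow that is allowed, and a stateful failover pair. All addresses, interface names, and the standby unit's addresses are assumed.

```cisco
! Interfaces and security levels: traffic is allowed from higher to lower level by
! default, and dropped from lower to higher unless explicitly permitted below.
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 stateful security55
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip address stateful 192.168.254.1 255.255.255.252
!
! Outbound: the first packet from an inside host creates a translation slot (xlate)
! using an address from the pool; when the pool is exhausted, PAT on the last address
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20
global (outside) 1 203.0.113.21
!
! Inbound (lower to higher security) needs a static translation plus an access list;
! only HTTP to the DMZ web server is admitted, everything else from outside is dropped
static (dmz,outside) 203.0.113.30 192.168.2.10 netmask 255.255.255.255
access-list OUT_IN permit tcp any host 203.0.113.30 eq www
access-group OUT_IN in interface outside
!
! Stateful failover: standby addresses for every interface, the dedicated LAN link
! that replicates the connection table, and the command that enables failover
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.2
failover ip address dmz 192.168.2.2
failover ip address stateful 192.168.254.2
failover link stateful
failover
```

`show xlate` lists the translation slots, `show conn` the connections that the adaptive security algorithm is tracking, and `show failover` the state of both units and whether the stateful link is up. The dedicated stateful interface must not carry any other traffic: it is both a performance requirement and a security one, since the replicated state is sent in the clear.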
3. What does AAA do?
Access control determines who is allowed to access the network access server and, once they have access, which services they may use. AAA (authentication, authorization, accounting) is a framework for configuring three independent security functions in a consistent way. It provides a modular approach to the following services:
* Authentication: the method of identifying users, including the login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption.
* Authorization: the method of remote access control, including one-time authorization or authorization for each service, a per-user account list and profile, user group support, and support for IP, IPX, ARA, and Telnet.
* Accounting: the method of collecting and sending to the security server the information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands, and packet and byte counts.
4. What is RADIUS?
RADIUS is a distributed client/server system that protects a network against unauthorized access. In the Cisco implementation, the RADIUS client runs on the router and sends authentication requests to a central RADIUS server, which holds all user authentication and network service access information. Cisco supports RADIUS under its AAA security model, and RADIUS can be used alongside other AAA security protocols such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms.
5. How does Cisco Encryption Technology work?
Network data encryption is provided at the IP packet level; only IP packets can be encrypted. A packet is encrypted or decrypted only if it matches the conditions configured for encryption on the router. An encrypted packet can still be seen in transit, but its contents cannot be read: the IP header and the upper-layer protocol (TCP or UDP) header are left in the clear, while the entire payload of the TCP or UDP segment is encrypted. Note that the unencrypted headers still expose addresses and port numbers to anyone observing the link.
6. How does IPsec work?
IPsec provides a secure tunnel between two routers. The user defines, with a crypto access list, which packets are considered sensitive and must be sent through the tunnel, and specifies the tunnel parameters (peer, transform set, lifetimes) used to protect them. When IPsec sees a packet that matches, it negotiates a security association with the remote peer if none exists yet and sends the packet through the resulting tunnel; packets that do not match leave the interface unprotected.
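Added example (not from the original FAQ): a site-to-site IPsec configuration on a Cisco IOS router in which the crypto access list is the definition of "sensitive" traffic and the crypto map holds the tunnel parameters. Addresses, interface names, the peer, and the pre-shared key are assumed; the commands are standard IOS crypto map syntax (the AES-256/SHA-256 options need IOS 15.x).

```cisco
! Router A (assumed): WAN interface Serial0/0 = 198.51.100.1, LAN 10.1.0.0/24
! Remote peer B (assumed): 203.0.113.2, LAN 10.2.0.0/24
!
! Phase 1 policy and peer authentication
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK-ChangeMe address 203.0.113.2
!
! The crypto ACL defines which packets are sensitive: only LAN-to-LAN traffic is
! protected, everything else leaves the interface in the clear. Peer B must have the
! mirror-image ACL (10.2.0.0/24 to 10.1.0.0/24) or the negotiation fails.
ip access-list extended SENSITIVE
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Tunnel parameters: algorithms, peer, SA lifetime, perfect forward secrecy
crypto ipsec transform-set SITE-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SITE-TS
 set security-association lifetime seconds 3600
 set pfs group14
 match address SENSITIVE
!
! The SA is negotiated on demand: the first packet matching SENSITIVE triggers IKE
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map SITE
```

`show crypto isakmp sa` should report the peer in state QM_IDLE and `show crypto ipsec sa` should show packet counters for the SENSITIVE selector. If an inbound access list is applied to Serial0/0 it must permit UDP 500 (and UDP 4500 when NAT traversal is in use) and IP protocol 50 (ESP) from the peer, otherwise the tunnel never negotiates. Because only matching traffic is encrypted, a typo in the crypto ACL silently sends that traffic unencrypted rather than blocking it, which is worth checking with a packet capture on the WAN side.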
7. What does TACACS+ do?
TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon, which typically runs on a UNIX or Windows NT workstation. Before the TACACS+ features configured on a network access server can be used, you must have access to, and have configured, a TACACS+ server.
8. Which authorization types does Cisco IOS support?
1) EXEC authorization applies to the attributes associated with a user's EXEC terminal session.
2) Command authorization applies to the EXEC-mode commands a user issues; it attempts to authorize every EXEC-mode command at the specified privilege level.
3) Network authorization applies to network connections, including PPP, SLIP, and ARAP connections.
9. How does Cisco IOS manage accounting on the network?
Accounting is configured with the aaa accounting command. It lets you track the network resources used by individual users and by groups of users. With AAA accounting you can track not only which services users access but also how much network resource they consume.
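Added example that ties together questions 3, 4, 7, 8, and 9 above (it is not from the original FAQ): a Cisco IOS AAA configuration that authenticates administrators against a TACACS+ server and PPP users against a RADIUS server, applies the three authorization types, and sends start/stop accounting records. Server addresses, shared keys, the local fallback account, and the method-list names are assumed.

```cisco
aaa new-model
!
! Security servers (assumed addresses and keys): TACACS+ for device administration,
! RADIUS for network (PPP) access
tacacs-server host 192.0.2.10 key ExampleTacacsKey
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key ExampleRadiusKey
aaa group server tacacs+ ADMIN-TAC
 server 192.0.2.10
!
! Authentication. "local" is only consulted when the server does not answer,
! not when it rejects the user, so keep one local account for emergencies.
username emergency privilege 15 secret ChangeMe-LocalFallback
aaa authentication login VTY-AUTH group ADMIN-TAC local
aaa authentication ppp default group radius local
!
! Authorization: the three types from question 8 (EXEC, command, network)
aaa authorization exec VTY-AUTH group ADMIN-TAC local
aaa authorization commands 15 VTY-AUTH group ADMIN-TAC local
aaa authorization network default group radius local
!
! Accounting (question 9): start/stop records for sessions, privileged commands,
! and network connections. Command accounting is a TACACS+ feature; RADIUS cannot do it.
aaa accounting exec VTY-AUTH start-stop group ADMIN-TAC
aaa accounting commands 15 VTY-AUTH start-stop group ADMIN-TAC
aaa accounting network default start-stop group radius
!
! Apply the named method lists to the management lines
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 authorization commands 15 VTY-AUTH
 accounting exec VTY-AUTH
 accounting commands 15 VTY-AUTH
```

Before saving this on a production router, keep a second session open and confirm with `test aaa group ADMIN-TAC <user> <password> legacy` (or by logging in on another vty) that the server answers; a misconfigured key or an unreachable server combined with no local fallback locks every administrator out. Named lists rather than `default` are used for the vty lines so that the console line, which is left unchanged here, keeps its own authentication method.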
10. What does Kerberos do?
Kerberos is a secret-key network authentication protocol that uses the Data Encryption Standard (DES) for encryption and authentication. It is designed to authenticate requests for network resources. Like other secret-key systems, Kerberos authenticates users and services through a trusted third party, the key distribution center (KDC).
11. What does lock-and-key do?
Lock-and-key is a traffic-filtering security feature that filters IP traffic dynamically. It is configured with dynamic extended IP access lists and can be combined with standard or static extended access lists. A user first authenticates to the router (typically over a Telnet session); the router then inserts a temporary entry into the dynamic access list that permits that user's traffic through the router until the entry times out.
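Added example (not from the original FAQ): a lock-and-key configuration on a Cisco IOS router. The addresses, interface, username, and timeouts are assumed; the access-list, autocommand, and access-enable commands are the standard IOS lock-and-key syntax.

```cisco
! Account that is allowed to open a temporary hole (assumed; in production use AAA)
username remote-user password 0 ExampleOnly
!
! Dynamic access list on the external interface. Static entries are evaluated first:
! Telnet to the router itself must be permitted so that users can authenticate.
! Everything not listed is dropped by the implicit deny.
access-list 101 permit tcp any host 198.51.100.1 eq telnet
access-list 101 dynamic LOCKKEY timeout 120 permit ip any 10.1.0.0 0.0.0.255
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group 101 in
!
! When a user logs in on a vty, access-enable inserts a temporary permit entry for that
! user's source address only (host keyword) and closes the session. The entry is removed
! after 5 idle minutes or after the 120-minute absolute timeout, whichever comes first.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
```

`show access-lists 101` shows the temporary entries while they are active, and `clear access-template 101 LOCKKEY` removes them manually. Two points a reviewer would raise: without the `host` keyword the temporary entry permits the dynamic ACL's full source range (`any` here) instead of the authenticating host, and the Telnet login sends the password in the clear, so the static entry and the vty lines should be switched to SSH (`transport input ssh`, port 22) on any router that supports it.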
12. What does Cisco Secure Scanner do?
Cisco Secure Scanner is an enterprise-class software tool that provides network mapping and system identification, innovative data management, flexible user-defined vulnerability rules, comprehensive security reporting, and Cisco's global 24x7 support.
13. What does Cisco Secure Policy Manager do?
Cisco Secure Policy Manager is a powerful, scalable security policy management system for Cisco firewalls, IPsec VPN gateway routers, and intrusion detection system sensors.
14. What does the Cisco Secure Intrusion Detection System do?
The Cisco Secure Intrusion Detection System provides a family of high-performance security monitoring solutions for enterprises and service providers.
15. What does the Cisco Secure Access Control Server do?
The Cisco Secure Access Control Server (ACS) is a security solution for controlling access to, authorizing, and accounting for the rapidly growing Internet and the shared, private, and extranet networks attached to it.
16. What does the Cisco IOS Firewall do?
The Cisco IOS Firewall integrates robust firewall functions and intrusion detection at every network perimeter, enriching the security features of Cisco IOS software.
17. License information for the PIX Firewall.
The PIX Firewall license comes in three basic configurations: Unrestricted (UR), Restricted (R), and Fail-Over (FO). Each can be extended with the VPN-DES or VPN-3DES option.
* Unrestricted: in UR mode the PIX Firewall allows the maximum number of interfaces and the maximum memory. A UR license supports hot standby redundancy to minimize network downtime.
* Restricted: in R mode the PIX Firewall limits the number of supported interfaces and the amount of memory. The restricted license provides a firewall solution priced for small networks; it does not support the redundant FO feature.
* Fail-Over: a PIX Firewall with an FO license works alongside a firewall with a UR license to provide a hot standby redundant configuration. The FO license provides stateful fault tolerance for a highly available network. In FO mode the PIX Firewall maintains the same real-time connection state as the active unit, minimizing connections lost to a device or network failure. UR and FO licenses have identical features and performance; a failover cable is required between the UR and FO firewalls.
Current PIX Firewall licensing is feature-set based: the license key specifies which features are available and which are not. Earlier PIX Firewalls used connection-based keys that limited the maximum number of connections the firewall would support. For uniformity and ease of management, current PIX Firewalls use feature-set licenses.
