
18 Chapter 2: Overview of VPN and IPSec Technologies
6. What are the two modes of operation for AH and ESP?
7. How many Security Associations (SAs) does it take to establish bidirectional IPSec communications between two peers?
8. What is a message digest?
9. Which current RFCs define the IPSec protocols?
10. What message integrity protocols does IPSec use?
11. What is the triplet of information that uniquely identifies a security association?
CCSP.book Page 18 Friday, February 28, 2003 3:43 PM
12. You can select to use both authentication and encryption when using the ESP protocol. Which is performed first when you do this?
13. What five parameters are required by IKE Phase 1?
14. What is the difference between the deny keyword in a crypto Access Control List (ACL) and the deny keyword in an access ACL?
15. What transform set would allow SHA-1 authentication of both AH and ESP packets and would also provide Triple Data Encryption Standard (3DES) encryption for ESP?
16. What are the five steps of the IPSec process?


The answers to this quiz are listed in Appendix A, “Answers to the “Do I Know This Already?”
Quizzes and Q&A Sections.” The suggestions for your next steps, based on quiz results, are as
follows:

2 or less score on any quizlet—Review the appropriate portions of the “Foundation
Topics” section of this chapter, based on Table 2-1. Proceed to the “Foundation Summary”
section and the “Q&A” section.

8 or less overall score—Read the entire chapter, including the “Foundation Topics,”
“Foundation Summary” sections, and the “Q&A” section.

9 to 12 overall score—Read the “Foundation Summary” section and the “Q&A” section.
If you are having difficulty with a particular subject area, read the appropriate portion of
the “Foundation Topics” section.

13 or more overall score—If you feel that you need more review on these topics, go to
the “Foundation Summary” section, then to the “Q&A” section. Otherwise, skip this
chapter and go to the next chapter.
Foundation Topics
Cisco VPN Product Line
VPNs are typically deployed to provide improved access to corporate resources while providing
tighter control over security at a reduced cost for WAN infrastructure services. Telecommuters,
mobile users, remote offices, business partners, clients, and customers all benefit because
corporations see VPNs as a secure and affordable method of opening access to corporate
information.
Surveys have shown that most corporations implementing VPNs do so to provide access for
telecommuters to access the corporate network from home. They cite security and reduced cost
as the primary reasons for choosing VPN technology and single out monthly service charges as
the cost justification for the decision.
VPN technology was developed to provide private communication wherever and whenever
needed, securely, while behaving as much like a traditional private WAN connection as
possible. Cisco offers a variety of platforms and applications that are designed to implement
VPNs. The next section looks at these various products and Cisco’s recommended usage in the
deployment of VPNs.
Enabling VPN Applications Through Cisco Products
Through product development and acquisitions, Cisco has a variety of hardware and software
components available that enable businesses of all sizes to quickly and easily implement secure
VPNs using IPSec or other protocols. The types of hardware and software components you
choose to deploy depend on the infrastructure you already have in place and on the types of
applications that you are planning to use across the VPN.
This section covers the following topics:

Typical VPN applications

Using Cisco VPN products
Typical VPN Applications
The business applications that you choose to run on your VPNs go hand in hand with the type
of VPN that you need to deploy. Remote access and extranet users can use interactive
applications such as e-mail, web browsers, or client/server programs. Intranet VPN deployments
are designed to support data streams between business locations.
1 Cisco products enable a secure VPN
The benefits most often cited for deploying VPNs include the following:

Cost savings—Elimination of expensive dedicated WAN circuits or banks of dedicated
modems can provide significant cost savings. Third-party Internet service providers (ISPs)
provide Internet connectivity from anywhere at any time. Coupling ISP connectivity with
the use of broadband technologies, such as digital subscriber line (DSL) and cable, not
only cuts the cost of connectivity but can also deliver high-speed circuits.

Security—The cost savings from the use of public infrastructures could not be recognized
if not for the security provided by VPNs. Encryption and authentication protocols keep
corporate information private on public networks.

Scalability—With VPN technologies, new users can be easily added to the network.
Corporate network availability can be scaled quickly with minimal cost. A single VPN
implementation can provide secure communications for a variety of applications on
diverse operating systems.
VPNs fall into three basic categories:

Remote access

Intranet

Extranet
The following sections cover these three areas in more detail.
Remote Access VPNs
Telecommuters, mobile workers, and remote offices with minimal WAN bandwidth can all
benefit from remote access VPNs. Remote access VPNs extend the corporate network to these
users over publicly shared infrastructures, while maintaining corporate network policies all the
way to the user. Remote access VPNs are the primary type of VPN in use today. They provide
secure access to corporate applications for telecommuters, mobile users, branch offices, and
business partners. These VPNs are implemented over common public infrastructures using
ISDN, dial, analog, mobile IP, DSL, and cable technology. These VPNs are considered ubiquitous
because they can be established any time from practically anywhere over the Internet. E-mail
is the primary application used by these connections, with database and office automation
applications following close behind.

Some of the advantages that might be gained by converting from privately managed networks
to remote access VPNs are as follows:

Modems and terminal servers, and their associated capital costs, can be eliminated.

Long-distance and 1-800 number expenses can be dramatically reduced as VPN users dial
in to local ISP numbers, or connect directly through their always-on broadband connections.

Deployments of new users are simplified, and the increased scalability of VPNs allows
new users to be added without increased infrastructure expenses.