Register your product to gain access to bonus material or receive a coupon.
The definitive design and deployment guide for secure virtual private networks
Among the many functions that networking technologies permit is the ability for organizations to easily and securely communicate with branch offices, mobile users, telecommuters, and business partners. Such connectivity is now vital to maintaining a competitive level of business productivity. Although several technologies exist that can enable interconnectivity among business sites, Internet-based virtual private networks (VPNs) have evolved as the most effective means to link corporate network resources to remote employees, offices, and mobile workers. VPNs provide productivity enhancements, efficient and convenient remote access to network resources, site-to-site connectivity, a high level of security, and tremendous cost savings.
IPSec VPN Design is the first book to present a detailed examination of the design aspects of IPSec protocols that enable secure VPN communication. Divided into three parts, the book provides a solid understanding of design and architectural issues of large-scale, secure VPN solutions. Part I includes a comprehensive introduction to the general architecture of IPSec, including its protocols and Cisco IOS® IPSec implementation details. Part II examines IPSec VPN design principles covering hub-and-spoke, full-mesh, and fault-tolerant designs. This part of the book also covers dynamic configuration models used to simplify IPSec VPN designs. Part III addresses design issues in adding services to an IPSec VPN such as voice and multicast. This part of the book also shows you how to effectively integrate IPSec VPNs with MPLS VPNs.
IPSec VPN Design provides you with the field-tested design and configuration advice to help you deploy an effective and secure VPN solution in any environment.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Download related content from TechRepublic.com
11 of 11 people found the following review helpful
A Definitive Design and Deployment Guide,
This review is from: IPSec VPN Design (Paperback)IPSec VPN Design (ISBN 1587051117) focuses on the design and implementation of IPSec VPNs. The authors consider this the "definitive design and deployment guide for secure virtual private networks." There are many theoretical publications covering the foundations of network security, but VPN security design is especially challenging. There are so many variables that even knowing the theoretical concepts, models, tradeoffs, and scalability, it can still be a daunting task. This book is for the advanced/expert in the network security field.
Because of the advanced topics presented in this guide, considerable network management and/or a network engineer level of experience is needed to use the wealth of information presented by authors Vijay Bollapragada (CCIE), Mohamed Khalid (CCIE), and Scott Wainner. It is expected that the reader will have a working knowledge of IP routing, architectures, WAN technologies, Cisco IOS, and network security. The introductory chapters... Read more
1 of 1 people found the following review helpful
Great for IPV4 - No mention of IPV6,
This review is from: IPSec VPN Design (Paperback)This was a great book if your implementation of IPSec were to be solely on IPV4, however, there is not one mention of the changes that affect Cisco networks with IPSec such as no support for IPSec in the transport mode etc. If IPv6 is not a concern, this book is the best available.
Falls short on key topics,
This review is from: IPSec VPN Design (Paperback)IPSec VPN Design is not a bad technical book. It's what I call a "Cool Whip" book. It looks good, but there is little that is useful or original. It claims to be "the definitive design and deployment guide". It is not. Most of the explanations are academic and dry. There are many examples. Some are useful. Some are not. Many are outdated.
My primary complaint is that it does not cover Pix 7.0. This is a huge oversight for a Cisco Press book published in April 2005. There are several important features in 7.0 such as "hairpinning" or the ability for one spoke (or remote access client) to access another spoke in the hub and spoke model. The book states that hairpinning is not possible and most of the designs are based on this premise.
I was also disappointed to find that the book failed to cover ACLs and VPNs. This is an critical topic in VPN design. Too many network administrators simply allow full access of one private network to another using... Read more
IPSec VPN Design
Reviewer Name: Penny Jakes, Faculty, The University of Montana
Reviewer Certification: CCNP, CCAI
Rating: ***** out of *****
IPSec VPN Design focuses on the design and implementation of IPSec VPNs. The authors consider this the "definitive design and deployment guide for secure virtual private networks." There are many theoretical publications covering the foundations of network security, but VPN security design is especially challenging. There are so many variables that even knowing the theoretical concepts, models, tradeoffs, and scalability, it can still be a daunting task. This book is for the advanced/expert in the network security field.
Because of the advanced topics presented in this guide, considerable network management and/or a network engineer level of experience is needed to use the wealth of information presented by authors Vijay Bollapragada (CCIE), Mohamed Khalid (CCIE), and Scott Wainner. It is expected that the reader will have a working knowledge of IP routing, architectures, WAN technologies, Cisco IOS, and network security. The introductory chapters briefly "review"” knowledge that the authors expect users to have, which results in getting everyone focused on the starting point of this technical guide.
The concept of network security is not the same in all environments as each VPN will have different connectivity and integration platforms. This guide to designing an IPSec type of VPN is Cisco based. The configuration examples and troubleshooting output are Cisco IOS. Many design principlesefficient, reliable, cost effective, fault-tolerant, and scalablehave commonality in several environments, but again, all illustrations and examples use Cisco technology. This book does design IPSec VPNs from many perspectives.
The organization of IPSec VPN Design is organized into three units: introduction and concepts; design and deployment; service enhancements. This organizes technical material as it moves from a brief review of technologies that use VPNs, to an overview of IPSec architecture, protocols, components, and concludes by examining advanced issues such as voice, multicast, and network-based VPNs.
As an introduction to this topic, an IPSec VPN is configured and packet processing is explained step-by-step using Cisco IOS. The illustrations and diagrams of the topology, end-to-end packet processing, and configuration command output (from show and debug commands) is very helpful to the reader. IPSec protocols and the differences between tunnel mode and transport mode are described.
After an introduction to authentication and security, the authors move into considerable detail and enhanced features of IPSec, scalability, and fault tolerance with dead peer detection or control plane keepalives. There are always unique challenges to implementing VPNs, and this book gives examples from the authors' experience to handle situations for interaction with NAT (Network Address Translation) or PMTUD (Path Maximum Transmission Unit Detection). To end the introduction/concepts unit, authentication/authorization models for remote access users discusses XAUTH (Extended Authentication) and MODE-CFG (Mode-configuration). Cisco's EzVPN connection model and digital certification conclude this unit. The authors then move to applying these concepts to VPN design.
The design and deployment phase considers hub and spoke architecture, failover, fault tolerance, and alleviation of complexity in large-scale situations using TED (Tunnel End-Point Discovery) and DMVPN (Dynamic Multipoint VPN). Advanced enhancements include quality of service (QoS), interoperability with voice and video, and a new type of VPN service known as the network-based VPN.
Topics move from general introductory concepts (Chapters 1-4) to specific design and deployment (Chapters 5-7), and concludes with advanced/integrated service enhancements (Chapters 8-9). The authors have taken care to explain pros and cons of various designs and give alternatives. The "notes" sections illustrate advantages and disadvantages or add relevant comments from the author’s experience. Illustrations are appropriate, easily read, and well-designed. There is an abundance of configuration examples, complete with resulting show and debug output, and all with highlighting to assist the learner. These types of real-world examples are easier to learn from than the traditional technical documentation. The index is complete; there is not a glossary, which might have been helpful for some readers.
Throughout this guide, Bollapragada, Khalid, and Wainner have managed to write at a level that is appropriate for an advanced topic while using examples that are easily understood. Some network managers may not actually design an IPSec VPN, but still need to understand the principles of security, be able to communicate with technical support, and work with network engineers and service providers in maintaining/troubleshooting the VPN. Advanced understanding and good troubleshooting skills are contained in this guide.
IPSec VPN Design is a well-written, concise guide to designing VPNs in general and IPSec VPNs specifically. It would be helpful to individuals taking their networking skills to another level or those studying for CCIE or Security certifications. It targets network engineers and network designers working at the corporate level or working for the service provider. Bollapragada, Khalid, and Wainner each brought their expertise and considerable experience into the collaboration while authoring this book.
An excellent book published by Cisco Press, which deserves a rating of 5 on a 1-5 scale.
Download - 67 KB -- Index
Chapter 1 Introduction to VPNs
Motivations for Deploying a VPN
Layer 2 VPNs
Layer 3 VPNs
Remote Access VPNs
Chapter 2 IPSec Overview
IPSec Security Protocols
IPSec Transport Mode
IPSec Tunnel Mode
Encapsulating Security Header (ESP)
Authentication Header (AH)
Key Management and Security Associations
The Diffie-Hellman Key Exchange
Security Associations and IKE Operation
IKE Phase 1 Operation
IKE Phase 2 Operation
IPSec Packet Processing
Chapter 3 Enhanced IPSec Features
Dead Peer Detection
Reverse Route Injection
RRI and HSRP
IPSec and Fragmentation
IPSec and PMTUD
Look Ahead Fragmentation
GRE and IPSec
IPSec and NAT
Effect of NAT on AH
Effect of NAT on ESP
Effect of NAT on IKE
IPSec and NAT Solutions
Chapter 4 IPSec Authentication and Authorization Models
Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)
Easy VPN (EzVPN)
EzVPN Client Mode
Network Extension Mode
Digital Certificates for IPSec VPNs
Chapter 5 IPSec VPN Architectures
IPSec VPN Connection Models
The GRE Model
The Remote Access Client Model
IPSec Connection Model Summary
Using the IPSec Model
Transit Spoke-to-Spoke Connectivity Using IPSec
Scalability Using the IPSec Connection Model
Transit Site-to-Site Connectivity
Transit Site-to-Site Connectivity with Internet Access
Scalability of GRE Hub-and-Spoke Models
Remote Access Client Connection Model
Easy VPN (EzVPN) Client Mode
EzVPN Network Extension Mode
Scalability of Client Connectivity Models
Native IPSec Connectivity Model
Chapter 6 Designing Fault-Tolerant IPSec VPNs
Link Fault Tolerance
Backbone Network Fault Tolerance
Access Link Fault Tolerance
Access Link Fault Tolerance Summary
IPSec Peer Redundancy
Simple Peer Redundancy Model
Virtual IPSec Peer Redundancy Using HSRP
IPSec Stateful Failover
Peer Redundancy Using GRE
Virtual IPSec Peer Redundancy Using SLB
Server Load Balancing Concepts
IPSec Peer Redundancy Using SLB
Cisco VPN 3000 Clustering for Peer Redundancy
Peer Redundancy Summary
Intra-Chassis IPSec VPN Services Redundancy
Stateless IPSec Redundancy
Stateful IPSec Redundancy
Chapter 7 Auto-Configuration Architectures for Site-to-Site IPSec VPNs
IPSec Tunnel Endpoint Discovery
Principles of TED
Limitations with TED
TED Configuration and State
TED Fault Tolerance
Dynamic Multipoint VPN
Multipoint GRE Interfaces
Next Hop Resolution Protocol
Dynamic IPSec Proxy Instantiation
Establishing a Dynamic Multipoint VPN
DMVPN Architectural Redundancy
DMVPN Model Summary
Chapter 8 IPSec and Application Interoperability
QoS-Enabled IPSec VPNs
Overview of IP QoS Mechanisms
IPSec Implications for Classification
IPSec Implications on QoS Policies
VoIP Application Requirements for IPSec VPN Networks
IPSec VPN Architectural Considerations for VoIP
Decoupled VoIP and Data Architectures
VoIP over IPSec Remote Access
VoIP over IPSec-Protected GRE Architectures
VoIP Hub-and-Spoke Architecture
VoIP over DMVPN Architecture
VoIP Traffic Engineering Summary
Multicast over IPSec VPNs
Multicast over IPSec-protected GRE
Multicast on Full-Mesh Point-to-Point GRE/IPSec Tunnels
DMVPN and Multicast
Multicast Group Security
Multicast Encryption Summary
Chapter 9 Network-Based IPSec VPNs
Fundamentals of Network-Based VPNs
The Network-Based IPSec Solution: IOS Features
The Virtual Routing and Forwarding Table
Operation of Network-Based IPSec VPNs
A Single IP Address on the PE
Front-Door and Inside VRF
Configuration and Packet Flow
Termination of IPSec on a Unique IP Address Per VRF
Network-Based VPN Deployment Scenarios
IPSec to MPLS VPN over GRE
IPSec to L2 VPNs
Download - 121 KB -- Chapter 4: IPSec Authentication and Authorization Models
Errata -- 23 KB
This book includes free shipping!
This book includes free shipping!
Get access to thousands of books and training videos about technology, professional development and digital media from more than 40 leading publishers, including Addison-Wesley, Prentice Hall, Cisco Press, IBM Press, O'Reilly Media, Wrox, Apress, and many more. If you continue your subscription after your 30-day trial, you can receive 30% off a monthly subscription to the Safari Library for up to 12 months. That's a total savings of $199.