By Brent Whitmore
In ancient times, if you wanted to travel within the Roman Empire you had a multitude of route options to your destination: one of the many treacherous dirt tracks, or one of the paved Roman highways. The paved Roman roads offered stability and safe passage.
Cisco is much like the ancient Roman Empire and its network of paved roads. As Rome controlled its road network, Cisco controls much of the border/edge Enterprise market, as well as the internal switch/router fabric of most medium to large companies. Investments, toolsets, skills, and salaries ride on this Roman road.
Okay, so you may have already paid the Roman tribute and invested in the usual assortment of Cisco equipment installed inside your headquarters "province." You now are looking at more efficient ways of connecting your hubs of business, travelers, and business partners by using the public byways, or the Internet.
As a consultant,
At first look, some Cisco product groups seem to compete with other Cisco product groups, don't they? Perform a simple search on VPN on the Cisco site, and you will see what I mean. At one subsite, Cisco espouses that a certain product is "best of breed" in virtual private networking. Yet another Cisco subsite states that its product offers the "ideal VPN solution." So which option do you choose from the confusing and contradictory Cisco claims?
Well, in the spirit of "not one size fits all," I will attempt to minimize the confusion and clarify for you the current VPN gateway mainstream offerings from Cisco. I'll also share with you some observed strengths and weaknesses of each VPN gateway solution.
Types of VPNs
First of all, let's define what a VPN is: an encrypted and authenticated tunnel that lets remote users and sites reach internal network resources over a public Internet connection as if they were on the private network.
Cisco recognizes 3 types of VPNs:
- Remote access: Think of roaming users attaching privately to internal network resources from any outside internet connection.
- Site-to-site access: Think of using the Internet to privately link multiple locations together in a fully meshed or hub-and-spoke topology for cents on the dollar compared to Frame Relay.
- Extranet: Think of the best way to securely connect and control a business partner's "controlled" network connection to your business.
VPN gateway options
Which road to Rome? A road has a start and destination. We will briefly look at the destination options first. These VPN headends or gateways are typically located at a company's headquarters.
Remember that VPN is still a pretty new technology. Some of you may remember seeing VPN features show up in 1998 or so. Cisco knows that VPNs are still maturing and has not paused product development to consolidate and streamline its offerings. Currently, in fall of 2002, there are three different means of connecting your systems over the Internet: VPN concentrators, VPN-enabled IOS routers, and VPN-enabled PIX firewalls. Let's take a look at some current offerings that address a typical enterprise VPN of about 1000 concurrent VPN user/site sessions, or tunnels.
3030 VPN Concentrator: This is my first choice for a multi-purpose dedicated VPN. Cisco realized it needed a remote access VPN offering and bought Altiga's solution in early 2000. It offers an easy out-of-the-box configuration and support of up to 1500 concurrent VPN tunnels. It uses VRRP for redundancy and offers a push policy option for its clients using the Cisco Unified Client Framework. Note that this year Cisco announced the discontinuation of the 5000 VPN concentrator.
Strengths:
- Offers a dedicated, easy way to extend remote access and site-to-site access
- All in one bundle; you don't have to worry about buying extra feature sets, modules, or acceleration cards
- Built-in hardware encryption via SEPs (Scalable Encryption Processors); hardware-based encryption is the de facto standard for serious VPN designs
- Unlimited VPN user license with Cisco VPN client distribution
- VPN load balancing when used in a cluster shared pool
- Automatic upgrading with minimal manual intervention
Weaknesses:
- Needs a $20K upgrade to move to 5000 concurrent tunnels
- Does not support advanced routing protocol options, stateful packet inspection, or intrusion detection (see the other gateway options)
- No VoIP over VPN support yet
- Not IOS based, for the CCxx crowd out there
- Extra perimeter design challenge: where do you place it? Outside, parallel to, or inside of the perimeter firewall?
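On the placement question, here is the kind of inbound filter a practitioner writes on the perimeter router (or firewall) when the concentrator sits behind it or on a DMZ leg, so that only IPsec reaches the concentrator's public interface. This is an added example, not from the article or from Cisco documentation; the concentrator address 203.0.113.10 and the interface name are assumptions, while the ports and protocols are the standard IPsec ones.

```cisco
! Added example, not part of the original article or of Cisco documentation.
! Assumed: the concentrator's public interface is 203.0.113.10 and the router's
! Internet-facing interface is Serial0/0.
ip access-list extended VPN-INBOUND
 remark IKE (ISAKMP) negotiation, UDP/500
 permit udp any host 203.0.113.10 eq isakmp
 remark NAT traversal: IKE and UDP-encapsulated ESP from clients behind NAT, UDP/4500
 permit udp any host 203.0.113.10 eq 4500
 remark the tunnels themselves: ESP (IP protocol 50) and AH (IP protocol 51)
 permit esp any host 203.0.113.10
 permit ahp any host 203.0.113.10
 remark only if IPsec-over-UDP transparent tunneling is enabled on the concentrator
 remark (its default port is UDP/10000; leave this line out otherwise)
 permit udp any host 203.0.113.10 eq 10000
 remark nothing else reaches the concentrator; log the attempts
 deny ip any host 203.0.113.10 log
 remark the rest of the perimeter policy for your other public addresses follows here
!
interface Serial0/0
 ip access-group VPN-INBOUND in
```

For site-to-site and extranet peers, tighten `any` to the partner gateways' addresses; remote-access clients come from anywhere, so the source stays open for them. If you instead place the concentrator in parallel with the firewall, no firewall ever sees its decrypted traffic, so land the concentrator's private interface on a firewalled segment rather than directly on the internal LAN.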
IOS-based 7140 VPN router: This was Cisco's first integrated VPN solution, predating the 3000 series. This router offers many traditional IOS options that Cisco hardliners will appreciate, such as modular board support, multiprotocol routing, multiple software feature set options, etc. I would highly recommend that you use the extra VAM or ISA boards to offload the encryption from the main processor. Also look at the newer 7400 VPN router, which offers WAN-edge VPN connectivity and integrates the Cisco IOS router with hardware-based VPN acceleration and CBAC firewalling all in one box.
Strengths:
- Offers the most traditional IOS interface and features, such as HSRP, EIGRP support over VPNs, QoS, etc.
- Hardware encryption out of the box with the ISM
- Works best if you need a unified "all-in-one-box" solution, using the device as a scalable edge router along with the VPN capability. Also offers firewalling and IDS in the feature set
- Stateful packet inspection with the add-ons; ICSA-certified stateful firewall
- Offers 2000 simultaneous tunnels, 3000 with the add-on card
Weaknesses:
- Costs almost twice as much as the 3030 concentrator. As with any intermediate Cisco router, you pay extra for necessary features like the 3DES feature set and the FW/IDS feature set. Consider that you may not need some features, like routing, if you dedicate it to VPN usage.
PIX 515E/525: Everyone has come to know and trust the PIX for excellent security and management. This solution will terminate VPN tunnels as well as provide firewall capabilities. Cisco recently bought VPN accelerator maker Allegro Systems, so we should see Allegro products being integrated into Cisco VPN products soon.
Strengths:
- Offers an "all-in-one" solid VPN/firewall solution with simple designs and administration
- Hardware encryption acceleration is available for these models (on some bundles as an add-on acceleration card; see the cost note below), and hardware-based encryption is an emerging necessity for serious VPN deployments
Weaknesses:
- The PIX was designed as a firewall in 1994; VPNs are a much more recent phenomenon. Firewalls are designed to keep people out, whereas VPNs are meant to let trusted users in to internal resources. These strategies tend to collide
- Does not offer some of the IOS options (such as QoS, EIGRP, and advanced management features) that the other options offer
- Cost: think nickels and dimes until you get what you need for a firewall/VPN solution. You might need to add an acceleration card as well as a 3DES feature set
- PIX units only offer a two-node failover pair, which does not support stateful failover of tunnels. Clients will have to reconnect.
That covers the major options that Cisco currently has to offer for VPN gateway products. Which one is best for you? I'm going to play the consultant and tell you that it is very much up to your current and future business needs and budget. I will say that Cisco offers these guidelines: For site-to-site VPNs, consider using Cisco VPN-optimized routers like the 800, 1700, 2600, 3600, 7100, and 7200. For remote access VPNs, the Cisco VPN 3000 Concentrator series is an excellent choice.
You should also work up a solid VPN design that matches your needs and security policies. A good place to start is Cisco's VPN primer.
If you already have a high-end router or PIX, check its current utilization, especially processor and RAM. If you are worried about performance hits once you turn on the VPN option, you can likely upgrade it to suit a hub-and-spoke VPN design and accommodate several hundred users without much impact. When using 168-bit 3DES encryption, keep a close watch on those resources in case you need to scale.
If your existing site-to-site solution is fine and you want to move your broadband and roaming users, and perhaps test a site or two, onto a dedicated solution, go ahead with the 3030 VPN concentrator. First, use the online Cisco VPN calculator to build an ROI case that gets you the funds for a dedicated VPN. Then, once the VPN is tested and installed, move all of your remote users onto it and show management how wise they were to choose this efficient plan. Next, start moving your leased-line or Frame Relay sites one by one onto the VPN and gain more goodwill from the boardroom. Take care to engineer your security perimeter properly around the concentrator. You can place the gateway in parallel with your firewall or behind it; base that decision on your company's security policy, and remember that decrypted traffic from a gateway placed in parallel never passes the firewall unless you route it through one. Remember also that IPsec has trouble with NAT devices: AH fails under any address rewrite because its integrity check covers the IP addresses, and ESP carries no port numbers for a many-to-one NAT (PAT) to translate, so roaming users behind hotel or home NATs need UDP encapsulation (NAT-T, or the transparent tunneling options on the concentrator and client) or a gateway placed where no NAT sits in the path.
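To make the NAT caveat concrete, here is a toy model of the two failure modes, written as an added example for this page (not code from the article or from Cisco). The headers are simplified rather than wire-exact RFC 4302/4303 layouts, and the addresses, SPIs and key are constructed sample values; the point it demonstrates is real: AH breaks under any source-address rewrite, raw ESP cannot be multiplexed by a port-rewriting NAT, and wrapping ESP in UDP/4500 (NAT-T) restores a translatable port.

```python
"""Toy model of why IPsec and NAT collide (added example; not from the article).

Headers are simplified, not wire-exact RFC 4302/4303 layouts. Addresses, SPIs
and the key are constructed sample values.
"""
import hashlib
import hmac
import ipaddress

INSIDE_HOSTS = ("10.0.0.5", "10.0.0.6")   # two roaming-user laptops behind one NAT
NAT_PUBLIC = "198.51.100.7"               # the NAT device's single public address
VPN_GATEWAY = "203.0.113.1"               # the concentrator's public interface
AH_KEY = b"toy-ah-key-for-demo-only"      # constructed; real keys come from IKE


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Toy AH ICV: HMAC-SHA1-96 over the immutable IP header fields (here the
    two addresses) plus the payload. Real AH zeroes mutable fields such as TTL
    and checksum, but it still covers the addresses, which is the point."""
    return hmac.new(key, _addr(src) + _addr(dst) + payload, hashlib.sha1).digest()[:12]


def ah_packet(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    """AH is IP protocol 51; the ICV travels with the packet."""
    return {"proto": 51, "src": src, "dst": dst, "payload": payload,
            "icv": ah_icv(key, src, dst, payload)}


def ah_verify(key: bytes, pkt: dict) -> bool:
    """What the gateway does on receipt: recompute the ICV over what arrived."""
    return hmac.compare_digest(ah_icv(key, pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])


def source_nat(pkt: dict, public_addr: str) -> dict:
    """Plain 1:1 NAT: only the outer source address is rewritten."""
    return {**pkt, "src": public_addr}


def ah_survives_nat() -> bool:
    """AH fails even under 1:1 NAT: the rewritten source address is under the MAC."""
    pkt = ah_packet(AH_KEY, INSIDE_HOSTS[0], VPN_GATEWAY, b"payload")
    return ah_verify(AH_KEY, source_nat(pkt, NAT_PUBLIC))   # False


def esp_packet(src: str, dst: str, spi: int) -> dict:
    """ESP (IP protocol 50) identifies a tunnel by SPI; there are no TCP/UDP ports."""
    return {"proto": 50, "src": src, "dst": dst, "spi": spi}


def udp_encapsulate(pkt: dict, sport: int = 4500) -> dict:
    """NAT-T: wrap the ESP packet in UDP/4500 so a translatable port exists."""
    return {"proto": 17, "src": pkt["src"], "dst": pkt["dst"],
            "sport": sport, "dport": 4500, "inner": pkt}


class PortAddressTranslator:
    """Many-to-one NAT (PAT), as on a home router or hotel network. It tells
    inside hosts apart by rewriting the transport-layer source port."""

    def __init__(self, public_addr: str):
        self.public_addr = public_addr
        self.next_port = 40000
        self.table = {}   # (proto, public_port) -> (inside_addr, inside_port)

    def translate(self, pkt: dict):
        if pkt["proto"] not in (6, 17):
            # No port to rewrite. Some NATs special-case ONE ESP flow by SPI
            # ("IPsec passthrough"), but two inside hosts talking to the same
            # gateway cannot be demultiplexed on the return path.
            return None
        port = self.next_port
        self.next_port += 1
        self.table[(pkt["proto"], port)] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_addr, "sport": port}


def pat_outcomes() -> tuple:
    """How many of two ESP tunnels make it through PAT: raw ESP vs. NAT-T."""
    pat = PortAddressTranslator(NAT_PUBLIC)
    tunnels = [esp_packet(h, VPN_GATEWAY, spi)
               for h, spi in zip(INSIDE_HOSTS, (0x1001, 0x1002))]
    raw_ok = sum(pat.translate(p) is not None for p in tunnels)
    natt_ok = sum(pat.translate(udp_encapsulate(p)) is not None for p in tunnels)
    return raw_ok, natt_ok   # (0, 2)


if __name__ == "__main__":
    print("AH verifies after 1:1 NAT:", ah_survives_nat())
    print("ESP tunnels through PAT (raw, NAT-T):", pat_outcomes())
```

The practical reading for a gateway design: prefer ESP over AH for anything that might cross a NAT, enable UDP encapsulation on the concentrator for remote-access clients, and if you place the concentrator behind a firewall that itself does NAT, give the concentrator's public address a static one-to-one mapping rather than sharing a PAT pool.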
Back on the road again
While it can be frustrating to negotiate through the many Cisco VPN offerings, use the knowledge you get to your advantage. Take the bull by the horns and fashion your Roman chariot, er, VPN solution on your own, according to your own needs. Take advantage of some of the scaling tools and calculators to look at your particular situation. Don't let Cisco dictate what solution is best for you; see the many solutions as your advantage to take ownership and customize the solution that has the best business and cost benefits to your organization, and to the boardroom. All roads may lead to Rome, but the best path is determined by your foresight and wisdom of knowing your own organization, and of course, being cognizant of the technical options. Hopefully, I've helped you with the second part, and remember, your mileage on the Cisco road may vary!
About the author:
Brent Whitmore, a CCNA, CCDA, MCSE, is a consultant in the Infrastructure Practice at BORN, a national IT consulting firm that offers a broad portfolio of technology and business solutions. He enjoys rich pure espresso, traipsing through Rockies trails, and being a tender warrior with his boys. You can reach him at firstname.lastname@example.org.
This was first published in September 2002