A virtual private network (VPN) is an extension of a network. It is virtual because it does not use reserved circuits. A VPN may pass over a circuit that is used only for VPN traffic, but this is not a requirement. It is private because it is a tunnel. This tunnel does not need to be encrypted or have any sort of protection for the data, although it can use encryption and other security measures.
A device can be configured to allow only certain types of traffic to access the tunnel. It is a network because it extends an existing network past its natural boundaries.
Major Types of VPNs
There are many types of VPNs, but they are usually defined by how they are created and what purpose they serve. (This is similar to how two pickup trucks may be categorized differently by the Department of Motor Vehicles because one is for commercial use and one is for residential.)
The following are three major types of VPNs:
1. Access VPN – A VPN used to connect to the network over a shared medium like the Internet. People dialing the modem on their PC and connecting to a modem at work are crossing the shared medium of the public telephone system. People connecting to their ISP to use the Internet to transport VPN traffic are connecting to two shared mediums. They first use DSL, cable, or dial-up connections to access their ISP, and then use the Internet to go the rest of the way.
2. Intranet VPN – A VPN used to connect two trusted locations to each other over a dedicated connection. An example would be a VPN between the corporate headquarters in Maine and a manufacturing facility in Thailand. The key elements are the trusted locations and connection dedicated to VPN traffic.
3. Extranet VPN – A VPN used to connect untrusted locations to each other over a dedicated connection. An example would be the headquarters office in Maine using VPN to connect to the ordering system of a supplier in Ohio. There is a certain amount of trust, but not as much as there would be if both sides were part of the same corporate infrastructure.
A VPN is a tunnel, and each tunnel must begin and end somewhere. Cisco has many devices that can act as one end of a VPN tunnel or manage it, including Cisco routers, the PIX Firewall, Cisco VPN Concentrators, and the Cisco Secure VPN client software.
Cisco devices don’t need to talk to just other Cisco devices. A Cisco router can talk VPN to a Windows 2000 server, a non-Cisco router, or another IPSec device. IPSec is a standard, and as long as both vendors follow the instructions in the standard and both devices are set up with the correct configuration, they should be able to form a tunnel.
Let’s take a closer look at each type of Cisco VPN device and its capabilities.
1. Cisco Routers
Cisco routers come in various flavors and have the ability to do different tasks based on the available hardware and software. Different IOS feature sets will give more or fewer options for creating a VPN tunnel. Cisco routers began supporting IPSec with IOS 11.3(T). Prior to this, they used Cisco Encryption Technology (CET), which should not be used if IPSec is available.
Cisco IOS software is capable of forming many different types of tunnels. Along with IPSec tunnels, Cisco routers can build Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and Generic Routing Encapsulation (GRE) tunnels.
Even low-end routers can do encryption, but what type of encryption depends on the type of router, the version of IOS, and the amount of memory. Newer routers with enough flash and NVRAM can use an IOS image that allows for triple Data Encryption Standard (3DES) encryption. A 1600-series router or a 2500-series router doesn’t have the processing ability and is limited to basic DES encryption. Some 800-series routers are capable of using 3DES.
It is normally not a good idea to terminate many VPN connections on even a robust router because of the amount of processing that goes on in the encryption and decryption process. The exception to this rule is when your router is outfitted with a VPN module. This module offloads the processing from the CPU, keeping valuable CPU cycles free for other tasks.
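Two points above are easier to see in an actual router configuration: that a device can be set up to admit only certain traffic into the tunnel, and that the encryption strength a router offers (DES or 3DES here) is chosen per tunnel. The following is an added illustration of a classic IOS site-to-site IPSec configuration; it is not configuration from the original text or from Cisco documentation, and every address, name, and key in it is a constructed placeholder. The crypto access list is what decides which traffic is "interesting" enough to enter the tunnel; everything else leaves the interface unprotected, so it is worth reviewing that list as carefully as any firewall rule. DES and 3DES are shown because that is what the routers discussed here support; on an image that offers AES, prefer it.

```cisco
! --- Added example, not from the original page. All values are placeholders. ---
! Phase 1 (ISAKMP) policy: how the two peers authenticate and protect key exchange.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key for the remote peer (PLACEHOLDER key and peer address).
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
! Phase 2 (IPSec) transform set: 3DES for confidentiality, SHA-1 HMAC for integrity.
! A router limited to basic DES would use "esp-des" here instead.
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
!
! Crypto ACL: ONLY traffic between these two private subnets is allowed into the tunnel.
! Anything not matched by this list is routed normally and is not protected.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties the peer, the transform set, and the interesting-traffic ACL together.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-3DES
 match address 101
!
! Apply the crypto map to the outside interface that faces the shared medium.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPNMAP
```

The remote router carries a mirror-image configuration (peer 203.0.113.1, and the access list with source and destination subnets swapped). If the two crypto access lists are not exact mirrors, the tunnel will either fail to negotiate or protect traffic in only one direction, which is one of the first things to check when an IPSec tunnel between vendors does not come up.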
2. The PIX Firewall
Cisco has a number of PIX Firewall models available, from the low-end 501 to the high-end 535. The PIX Firewall has supported IPSec since version 5.0. This firewall can form a tunnel with other devices that speak IPSec, including Cisco routers, firewalls, and VPN Concentrators.
All PIX Firewalls are capable of using DES and 3DES encryption, but the device must be licensed for it.
3. The Cisco VPN Concentrator
The Cisco VPN Concentrator, formerly the Altiga VPN concentrator, is designed to terminate many client VPN connections. It can also form a tunnel with a router, firewall, or another concentrator. You should use the VPN Concentrator if you have more than a few users who want to access a network via a VPN tunnel. The concentrator is a stand-alone network device that offloads the task of processing VPN tunnels from routers and firewalls. The VPN Concentrator can be managed via the command-line interface (CLI) or an HTML-based graphical user interface (GUI).
The 3000-series VPN Concentrators can terminate up to 10,000 user tunnels. The 5000-series VPN Concentrators can terminate up to 50,000 tunnels.
4. VPN Client Software
VPN client software is used on PCs and servers in order for those devices to serve as one end of a tunnel. When users create a VPN from their home PC, it terminates at a router, firewall, or concentrator.
The Cisco Secure VPN client comes in two flavors. The older one is the SafeNet client that Cisco used to connect client PCs to routers and firewalls. There are two versions: 1.0 (which cannot use a certificate from a Windows 2000 certificate authority) and version 1.1 (which can use a certificate from a Windows 2000 certificate authority).
The other type of client is the concentrator client, often referred to as the Altiga client. It is used to connect client PCs to the VPN Concentrator. There are two major versions of this client: 2.5 and 3.0. Use whichever version of the client matches the software version on the concentrator; for example, use a 2.5 client if you have version 2.5 software on the concentrator.
Cisco realized that requiring two different clients when only one can be installed at a time was problematic. The company has merged the two into the Unified Client. The latest version of the Unified Client as of this writing is 3.5, which allows for VPNs to Cisco devices in general. This version even comes with a transparent stateful firewall for the client. If you are using Windows XP, you must use version 3.1 or higher.