Welcome to the Cisco Networking Professionals Connection Ask the Expert conversation. This is an opportunity to discuss secure network architectures for E-Business with Cisco expert Sean Convery. Sean is a Cisco Certified Internetworking Engineer and a technical marketing engineer who focuses on VPN and security architectures. Feel free to post any questions relating to secure network architectures for E-Business.
Sean may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. When posting a question, please be sure it is as specific as possible. Sean will be unable to address questions that require significant time commitments, such as requests for entire network designs or configurations, or vague questions that require follow-up with the poster.
This event lasts through December 1. Visit this forum often to view responses to your questions and the questions of other community members.
We have the ability to log into our corporate intranet via CSCO VPN. Unfortunately my corporation provided very little information on using VPN from home. I am having trouble using the web through my VPN connection.
I am using a cable modem connection to access the web. I am able to log in to the secure server with no problem and connect to it. But after that I can not get mail or use the browser for intranet connections. Are there specific settings I need to configure in my browser?
If you are coming in over an IPSec tunnel for VPN access to your corporation you shouldn't need to make any changes to your browser. Your VPN client on your PC should be redirecting traffic into the tunnel and on to your corporate VPN gateway. The client configuration is pretty painless and is controlled mostly by the head-end gateway in the event your organization uses the VPN 3000 platform. The only thing that would require a browser change would be if you were going through some sort of proxy. If that was the case you would need to set your proxy server settings in your browser. Unfortunately, without more information there isn't much help I can provide. I'd suggest getting in touch with your IT group and have them contact Cisco TAC if necessary.
My agency uses dedicated communications for Intelligent Transportation System (ITS) applications. We transmit video, data and voice over fiber and twisted pair cabling. Mainly an analog system. We also use modems, channel banks, sonet and crossconnects. How can VPN's be used? Do you have any customers with a similar applications with an all digital ITS architecture using VPN, routers, IP addressing? We may need to reoverhaul our system in a few years.
There are some challenges when deploying voice and video over a VPN. Of paramount concern is maintaining the quality of the signal as it traverses the VPN. There are a number of different QoS technologies that can mark the VPN traffic as being higher priority, but those markings need to be honored as they cross potentially several different ISP backbones as they reach the different VPN endpoints. ISPs today are starting to offer SLA agreements and QoS services to their customers, so if you stayed on a particular ISP's backbone the entire time it would be viable. This would require that all your sites used the same ISP. However, by the time you overhaul your network a new technology called differentiated services (diff-serv) may be available. This promises to offer a method for ISPs to have QoS arrangements with one another across the public Internet.
Hi Sean, we are going to launch a Cisco PIX Firewall 520 with unlimited user licenses and I don't feel comfortable with the PIX firewall software. I would like you to advise me how to implement a PIX firewall solution. We have almost 12 web servers and 8 SQL servers connected with a Cisco 7507 and a Catalyst 5500 in an ATM environment; I hope you will understand the network structure.
WOW! Technologies, Inc.
I'd have to know more about your environment, policies, and risks before I could recommend a specific solution using the PIX. In general, the PIX has up to 8 interfaces with different levels of trust. You can segment the type of traffic on each interface very easily. Once the systems are separated in a way that makes sense, you can define the access rules for the different types of traffic. The SAFE white paper details an enterprise e-commerce security solution; it can be found at the following URL: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm
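As an added illustration of the interface segmentation Sean describes (this is example configuration written for this page, not Cisco's own and not the poster's; the interface names, security levels and addresses are assumed, and the lines beginning with "!" are reader annotations to strip before pasting), here is a PIX 5.x-style layout that puts the web servers and the SQL servers on two separate interfaces with different trust levels:

```cisco
! Four trust levels: outside (0), web DMZ (50), database segment (80), inside (100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dbnet security80
! Addressing (constructed documentation ranges, not real addresses).
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.0.1 255.255.0.0
ip address dmz 10.2.0.1 255.255.255.0
ip address dbnet 10.3.0.1 255.255.255.0
! Publish one web server on a fixed outside address.
static (dmz,outside) 192.0.2.10 10.2.0.10 netmask 255.255.255.255
! From the Internet: only HTTP and HTTPS, and only to the published web server.
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-group outside_in in interface outside
! The web server may reach the SQL server on its database port only.
! dmz (50) is lower than dbnet (80), so this needs a static plus an explicit permit;
! everything else from the DMZ is dropped, so a compromised web server cannot
! reach the inside network or other database hosts.
static (dbnet,dmz) 10.3.0.20 10.3.0.20 netmask 255.255.255.255
access-list dmz_out permit tcp host 10.2.0.10 host 10.3.0.20 eq 1433
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz
```

The design point is the one Sean raises: ask what happens when the web tier is fully compromised. With the SQL servers behind their own interface and only port 1433 from a named web host allowed, a takeover of the web server gives the attacker one TCP port on one host rather than the whole inside network. Verify the exact keywords against the PIX release you run; port names such as "www" and the identity static syntax are what I expect for 5.x and 6.x, but confirm with "show access-list" and "show static" after entering them.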
Hi Sean, the environment is not that complicated; let me explain the whole scenario. Currently the security is controlled by extended IP access lists, but very soon we are going to implement a PIX firewall solution. We just want Internet users to access the demo web servers; after authentication they can access everything, which is limited to the web servers only. Besides this, we want administrators to have full access to every single device in the network from the Internet in case of a network failure (for troubleshooting purposes). I hope this information will be sufficient for you to understand the environment.
WOW! Technologies, Inc.
Sean, we are working on a project that should give both customers and internal personnel access to our ERP.
The idea is to establish E-B2B commerce with the customers plus enabling sales representatives to interact directly with the Information system through the web.
We are planning to use a Pix, VPNs, Cisco Secure and Token authentication.
The question is the following: Should the customers and the sales representatives access two separate servers in different DMZs, or is there no big risk in using the same web server?
It all comes down to the methods of access to the ERP system. The issue you have is that two different types of users need to access the same data but in different ways. This could certainly be accomplished using the same system if things were appropriately locked down at the application level. I'm a big fan of separation of functions in security environments, so I'd prefer to see different hosts on separate networks for the two types of users. The question to ask yourself is "What happens if one of those systems is completely compromised?" Usually by separating the access to two systems you can mitigate some of your risk. The SAFE white paper may also be of interest to you: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm
Inside the SAFE white paper, you mention a couple of times that work needs to be done for smaller environments. I am working for such a smaller environment, and while the SAFE architecture looks awesome, we would never implement it due to cost; it is just too massive. Have you or anyone else worked out a less ambitious plan?
BTW, excellently written white paper; now if only all the white papers and example configs were that comprehensive.
My company will implement a B2B marketplace next year. How can VPN technology and B2B be combined to create a robust network?
The question to ask is how much security is present in the application layer already? I've seen marketplace deployments using VPN and those that rely completely on the application layer. Application security can include SSL or other technologies designed to increase the security of transactions. VPN can have a place in these architectures when more security is needed out to key suppliers or customers. Requiring VPN for all participants of the marketplace can create logistical issues depending on the number of participants involved. For example, using network based VPNs generally requires an IPSec gateway at each end point. Having this as a barrier to entry for each customer / supplier may be difficult. However, if the security of the applications is not sound, there may not be any alternative. Thanks, Sean
I have a question.
What exactly is the difference between IPSec and VPN?
I am looking at this from the technological and cost perspective.
VPN stands for Virtual Private Network. IPSec stands for IP Security. VPNs can be generally described as a means for providing communications over a public network with the same security, privacy, quality, and availability you would expect over a private network. IPSec is merely a means with which to provide the privacy element of a VPN. It defines standards for doing encrypted, authenticated communications over IP. Many of today's VPN solutions utilize IPSec but not all of them. Thanks, Sean
Our company, Datanet Systems, is a Cisco Premier Partner and is the only Security Specialized Partner in Romania.
Currently we have problems integrating smart cards with Cisco VPN products. On Windows 95, 98, NT and 2000 we want to store the certificate on the smart card and have the Cisco VPN Client, the Altiga client and the W2K IPSec client use this certificate.
On every platform I installed the Schlumberger smart card reader with success, but no client can see the certificate.
As you know, 95, 98 and NT do not have built-in support, so I installed the driver from the producer, and the test programs tell me that all is OK, but I think that something else has to be installed so that the VPN clients can access the certificate stored on the card.
Do you have any idea where I can find more information about the integration of Cisco products with smart cards?
Cisco's smart card solutions are under development. Today your best bet is to work with one of our partners, F-Secure, who have developed a VPN client that is more tightly integrated with smart card technology. This client can communicate with our gateways and will provide you the best solution today. http://www.fsecure.com Thanks, Sean
Hi Sean, can you please briefly explain how the latest CSPM 2.2+ configures, manages and monitors the IDS sensors? Does this mean we can do away with IDS Director, and if not, why? Regards, Murali
The new CSPM can manage IDS sensors without the need for the IDS director. It currently does not support tiered director deployments so it may not be applicable for the largest deployments. I've used the new interface in CSPM and it provides a great way to view alarms. I actually prefer it over the HP OpenView IDS director. It uses IDS profiles which define alarm levels and responses. These profiles can be applied to a number of different sensors allowing easy deployment of sensors with different roles. Thanks, Sean
I want to build a WAN for clients to access their accounting records and view reports on-line through our web browser using - I'm assuming - some kind of necessary interfaced software like Cisco. I want to have a dedicated server in our office with clients' accounting systems and records stored on it. They must have ability to dial in to our server to access those records.
How expensive would a Cisco solution be for us, and is it overkill, or???
Thank you very much....
You can use software like MRTG, which can provide the desired solution. It's freeware and it's very easy to implement. You can get more details on the website www.mrtg.org
You referred to "dial in" so I'm going to assume you don't mean a dedicated connection. In that case, it would be relatively simple to set up a network access server (NAS) to allow clients to dial up remotely to view this information. Depending on the number of users, something as small as a Cisco 2600 router could be used on up through our Access Server (AS) series of dial-up servers. If you are already connected to the Internet you may consider using VPN technologies to achieve the same result. Our VPN 3000 series would allow remote users to connect securely to your gateway and view these records after authenticating. This would allow your clients to use their existing Internet connection to connect to their information, rather than calling a separate number. Thanks, Sean
We want to build an ISP; we are looking for good solutions so it can support more than 100,000 users logging in to the Internet, and we need to interconnect 85 small branch offices through a VPN.
How can we get help and information?
I don't have enough information to answer your question with any degree of accuracy. I would suggest contacting your closest Cisco sales office for guidance. Cisco's website provides quite a lot of excellent information on network design as well. Thanks, Sean
We want to use VPNs with a PIX 506 with IOS 5.1(1) and VPN Client 1.1.
For this reason I looked around the Cisco homepage, and on www.cisco.com/warp/public/110/A.htm I found a simple configuration example that fits my testing needs.
I put the config on the PIX and configured the VPN client just like in the example. The only thing I changed was the IP addresses. I did not change the local address-pool addresses.
[PC]--[C3524XL]--[PIX]--[C3524CL (with http-server)]
The normal function of the PIX is given. Traffic goes out to the secure net. Pings are responded to. Trying to reach the web server (a Cisco 3524XL switch) over its mapped unsecure address is successful.
When I switch the VPN client to secure mode, nothing happens on the PIX. No debugging information is generated, and no ping to the secure net works. All inbound traffic is denied just like before.
I do not know much about configuring a PIX yet. So my question is: is something wrong with the example? Or does the PIX not work with a default route set to its outside interface address?
The configurations provided there should work. If you are interested in more logging messages you can try turning on the debug messages or type "log console 7" from configuration mode to send all error messages to the console port. I haven't specifically tried setting the default route on a PIX to the local interface address but since the PC is directly connected on the same subnet, it shouldn't matter. If you continue to have problems after trying the debug, double check the configs on both the PIX and the client and give our technical assistance center (TAC) a call. Thanks, Sean
Hi. I have a question concerning Cisco VPN Client 3000 (unsure of the exact version, might be 2.5 Beta 1). When I installed the new version of AOL (6) with the VPN client installed, it caused all kinds of problems. Items kept getting added to my network configuration. I would have 2 or 3 occurrences of my TCP/IP items, etc. This was not a problem if I installed AOL 6.0 without the VPN software loaded. Any comments or suggestions?
Sorry, I haven't run into that specific problem. I would recommend contacting our Technical Assistance Center (TAC). Thanks, Sean
Is there a way for me to keep employees from utilizing corporate resources to surf the net AND ensure they have a secure client connection (i.e. no open back doors) while utilizing our VPN? My understanding is that the split tunneling feature on 3000's makes this impossible unless I have a firewall on each client.
By turning off split tunneling on the VPN client you can ensure that all traffic from the workstation will travel over your network. Once it arrives at your network you can filter access to the web using third-party URL filtering tools like WebSense or SurfControl. The Cisco SAFE white paper details such an architecture. More information can be found here: http://www.cisco.com/go/safe . Thanks, Sean
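As an added example of the filtering half of that architecture (written for this page; not Cisco's own configuration and not from the SAFE paper; the interface names, the addresses and the WebSense server host are assumed, and the "!" lines are reader annotations), this is how a PIX in front of the Internet link can hand every outbound HTTP request from the VPN concentrator's inside network to a WebSense url-server once split tunneling has been disabled in the concentrator's group settings:

```cisco
! WebSense (url-server) sits on the inside at an assumed address; the PIX asks it
! whether each outbound HTTP request is permitted before letting the flow through.
url-server (inside) host 10.1.0.20 timeout 5
! Filter all outbound HTTP from any inside source to any destination.
! Without the trailing "allow" keyword the PIX fails closed: if the url-server
! is unreachable, web traffic is dropped rather than silently passed unfiltered.
filter url http 0 0 0 0
! Keep internal web servers reachable without a trip to the url-server.
filter url except 0 0 10.1.0.0 255.255.0.0
```

Two practitioner notes. First, the filtering only covers what actually arrives at the PIX, which is why split tunneling has to be off on the concentrator: with split tunneling on, the client routes Internet-bound traffic directly out its cable or DSL link and the PIX never sees it. Second, decide deliberately between fail-closed (as above) and fail-open ("filter url http 0 0 0 0 allow"); the fail-open form keeps users working when the url-server is down, at the cost of an unfiltered window. Check the exact url-server and filter keywords against your PIX release with "show url-server" and "show filter".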