The PIX will do VPN so no you don't have to have a VPN Concentrator. I would say the minimum equipment required for a VPN from a Cisco perspective would be the software client and a hardware head-end device such as a router a PIX or the VPN Concentrator. Clientless (SSL) VPN will soon be available on the VPN Concentrator. I would guess it is coming for the PIX and routers at some point as well.
The most secure architecture is somewhat subjective. Cisco offers a SAFE blueprint on their official recommendations about it.
1. A ton of cisco devices can be a vpn backend these days. A vpn 3000 has some traffic management, encapsulation and other features. PIX is a great solution for many small businesses - basically - if you already have a pix, deploy it/study it until you convince yourself that it cannot meet your vpn needs.
2. A pix 501, 10 user license, is 400ish US - that is the cheapest, if you mean that for minimum equipment.
3. They all do IPSec. Some configurations are more and less secure - sharing a group password among many users is less secure on average. Using usernames and passwords is less secure than using digital certificates on average. These get to be very theoretical distinctions though - a theoretically secure configuration running a version of IOS or PIX os with a security hole is less secure than a theoretically less secure config with a updated version of software. So, in general I recommend paying some attention to the theoretical issues, but also concerning oneself with bugs, holes, and deployment issues.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :