Monday, 30 September 2013

Remote-Access VPN

Defining Remote-Access VPNs
Remote-access VPNs allow secure access to corporate resources by establishing an encrypted tunnel across the Internet. The ubiquity of the Internet, combined with today's VPN technologies, allows organizations to cost-effectively and securely extend the reach of their networks to anyone, anyplace, anytime.
VPNs have become the logical solution for remote-access connectivity for the following reasons:
• Provides secure communications with access rights tailored to individual users, such as employees, contractors, or partners
• Enhances productivity by extending corporate network and applications
• Reduces communications costs and increases flexibility
Using Remote-Access VPNs to Improve Business Productivity
Anytime, anyplace network access gives employees great flexibility regarding when and where they perform their job functions. VPNs accommodate "day extenders", employees who desire network access from home after hours and weekends to perform business functions such as answering e-mail or using networked applications. Using VPN technology, employees can essentially take their office wherever they go, thus improving response times and enabling work without interruptions present in an office environment.
VPNs also provide a secure solution for providing limited network access to non-employees, such as contractors or business partners. With VPNs, contractor and partner network access can be limited to the specific servers, Webpages, or files they are allowed access to, thus extending them the network access they need to contribute to business productivity without compromising network security.
Technology Options: IPsec and SSL VPNs
There are two primary methods for deploying remote-access VPNs: IP Security (IPsec) and Secure Sockets Layer (SSL). Each method has its advantages based on the access requirements of your users and your organization's IT processes. While many solutions only offer either IPsec or SSL, Cisco® remote-access VPN solutions offer both technologies integrated on a single platform with unified management. Offering both IPsec and SSL technologies enables organizations to customize their remote-access VPN without any additional hardware or management complexity.
SSL-based VPNs provide remote-access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. SSL VPNs do not require any special-purpose client software to be pre-installed on the system; this makes them capable of "anywhere" connectivity from company-managed desktops and non-company-managed desktops, such as employee-owned PCs, contractor or business partner desktops, and Internet kiosks. Any software required for application access across the SSL VPN connection is dynamically downloaded on an as-needed basis, thereby minimizing desktop software maintenance.
SSL VPNs provide two different types of access: clientless and full network access. Clientless access requires no specialized VPN software on the user desktop. All VPN traffic is transmitted and delivered through a standard Web browser; no other software is required or downloaded. Since all applications and network resources are accessed through a Web browser, only Web-enabled and some client-server applications (such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers) can be accessed using a clientless connection. This limited access, however, is often a perfect fit for business partners or contractors who should only have access to a very limited set of resources on the organization's network. Furthermore, delivering all connectivity through a Web browser eliminates provisioning and support issues, since no special-purpose VPN software has to be delivered to the user desktop.
SSL VPN full network access enables access to virtually any application, server, or resource available on the network. Full network access is delivered through a lightweight VPN client that is dynamically downloaded to the user desktop (through a Web browser connection) upon connection to the SSL VPN gateway. This VPN client, because it is dynamically downloaded and updated without any manual software distribution or interaction from the end user, requires little or no desktop support by IT organizations, thereby minimizing deployment and operations costs. Like clientless access, full network access offers full access control customization based on the access privileges of the end user. Full network access is a natural choice for employees who need remote access to the same applications and network resources they use when in the office or for any client-server application that cannot be delivered across a Web-based clientless connection.
IPsec-based VPNs are the deployment-proven remote-access technology used by most organizations today. IPsec VPN connections are established using pre-installed VPN client software on the user desktop, which focuses their use primarily on company-managed desktops. IPsec-based remote access also offers tremendous versatility and customizability through modification of the VPN client software. Using APIs in IPsec client software, organizations can control the appearance and function of the VPN client for use in applications such as unattended kiosks, integration with other desktop applications, and other special use cases.
Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. SSL VPNs offer additional features such as easy connectivity from non-company-managed desktops, little or no desktop software maintenance, and user-customized Web portals upon login. Table 1 compares the two technologies.
Table 1. Comparing IPsec and SSL VPN Technologies

Application and Network Resource Access
• SSL (using full network access) and IPsec VPNs offer broad access to virtually any application or network resource

End-User Access Method
• SSL VPNs are initiated using a Web browser
• IPsec VPNs are initiated using pre-installed VPN client software

End-User Access Device Options
• SSL VPN enables access from company-managed, employee-owned, contractor and business partner desktops, as well as Internet kiosks
• IPsec VPN enables access primarily from company-managed desktops

Desktop Software Requirements
• Only a Web browser is required for SSL VPN
• IPsec VPN requires proprietary pre-installed client software

Desktop Software Updates
• Basic SSL VPN access can operate without any special-purpose desktop software, so no updates are required. Full network application access is provided using software that automatically installs and updates without any user knowledge or intervention.
• IPsec VPNs can automatically update, but the process is more intrusive and requires user input

Customized User Access
• SSL VPNs offer granular access policies to define what network resources a user has access to, as well as user-customized Web portals
• IPsec offers granular access policies, but no Web portals
Which To Deploy: Choosing Between IPsec and SSL VPNs
IPsec is a widely deployed technology that is well-understood by end users and has established IT deployment support processes. Many organizations find that IPsec meets the requirements of users already using the technology. But the advantages of dynamic, self-updating desktop software, ease of access for non-company-managed desktops, and highly customizable user access make SSL VPNs a compelling choice for reducing remote-access VPN operations costs and extending network access to hard-to-serve users like contractors and business partners. As such, organizations often deploy a combination of SSL and IPsec approaches. IPsec is commonly left in place for the existing installed base. SSL is deployed for new users, users with "anywhere" access requirements, contractors, and extranet business partners. By offering both technologies on a single platform, Cisco remote-access VPN solutions make the choice simple: deploy the technology that is optimized for your deployment and operating environment. Table 2 summarizes the issues to consider when evaluating which VPN technology best fits your operating environment.
Table 2. Choosing a Remote-Access VPN Technology (which technology fits each requirement)

• "Anywhere" Access from Non-Company-Managed Devices, such as Employee-Owned Desktops and Internet Kiosks: SSL VPN
• Business Partner Access: SSL VPN
• User-Customized Access Portals: SSL VPN
• Minimized Desktop Support and Software Distribution: SSL VPN
• Greatest Flexibility to the End-Users: SSL VPN and IPsec VPN
• Greatest VPN Client Customizability: IPsec VPN
• Ability to Maintain Existing IT Deployment and Support Processes: IPsec VPN
Remote-Access VPN Security Considerations
Worms, viruses, spyware, hacking, data theft, and application abuse are considered among the greatest security challenges in today's networks. Remote-access and remote-office VPN connectivity are common points of entry for such threats, due to how VPNs are designed and deployed. For both new and existing IPsec and SSL VPN installations, VPNs are often deployed without proper endpoint and network security. Unprotected or incomplete VPN security can lead to the following network threats:
• Allows remote-user VPN sessions to bring malware into the main office network, causing virus outbreaks that infect other users and network servers
• Allows users to generate unwanted application traffic, such as peer-to-peer file sharing, into the main office network causing slow network traffic conditions and unnecessary consumption of expensive WAN bandwidth
• Enables theft of sensitive information, such as downloaded customer data, from a VPN user desktop
• Enables hackers to hijack remote-access VPN sessions, providing the hacker access to the network as if they were a legitimate user
To combat these threats, the user desktop and the VPN gateway that the user connects to must be properly secured as part of the VPN deployment. User desktops should have endpoint security measures such as data security for data and files generated or downloaded during the VPN session, anti-spyware, antivirus, and personal firewall. The VPN gateway should offer integrated firewall, antivirus, anti-spyware, and intrusion prevention. Alternatively, if the VPN gateway does not provide these security functions, separate security equipment can be deployed adjacent to the VPN gateway to provide appropriate protection.
Cisco remote-access VPN solutions offer threat-protected VPN services with full firewall, antivirus, anti-spyware, intrusion prevention, application control, and full endpoint security capabilities. These security services are integrated into the VPN platform, delivering a threat-protected VPN solution without any additional equipment, design, deployment, or operational complexity.
Steps to Securing the Remote-Access VPN
Technologies required for mitigating malware such as worms, viruses, and spyware and for preventing application abuse, data theft, and hacking exist in the security infrastructure of many organizations' networks. In most cases, however, they are not deployed in such a way that they can protect the remote-access VPN, due to the native encryption of VPN traffic. While additional security equipment may be purchased and installed to protect the VPN, the most cost-effective and operationally efficient method of securing remote-access VPN traffic is to look for VPN gateways that offer native malware mitigation and application firewall services as an integrated part of the product (Figure 1).
Figure 1. Securing the Remote-Access VPN: External Security Equipment or Security Services Integrated on the VPN Gateway
Cisco Remote-Access VPN Solutions
Cisco Systems® offers a variety of remote-access VPN solutions customized for small, medium-sized, and large organizations. Available on the Cisco ASA 5500 Series VPN Edition and Cisco integrated services routers, Cisco remote-access solution features include Web-based clientless access and full network access without pre-installed desktop VPN software, threat-protected VPN to guard against malware and hackers, cost-effective pricing with no hidden "per-feature" licenses, and single-device solutions for both SSL and IPsec-based VPNs that deliver robust remote access and site-to-site VPN services from a single platform.
The Cisco ASA 5500 Series Security Appliance is Cisco's most advanced SSL VPN solution, delivering concurrent user scalability from 10 to 10,000 sessions per device and tens of thousands of sessions per cluster through integrated load balancing. Converging VPN services with comprehensive threat defense technologies, the ASA 5500 Series delivers highly customizable remote network access while providing fully secured connectivity.

Cisco Integrated Services Routers enable organizations to use their existing router deployment to provide full tunnel SSL VPN capabilities to as many as 200 concurrent users. Integrating security, industry-leading routing, and converged data, voice, and wireless with Cisco IOS® SSL VPN provides a highly manageable and cost-effective network solution for small and medium-sized businesses and organizations.

firewall Trusted Devices

Selecting any of the Trusted devices allows access to your system for all traffic from that device; it becomes excluded from the firewall rules. For example, if you are running a local network, but are connected to the Internet via a PPP dialup, you can check eth0 and any traffic coming from your local network is allowed. Selecting eth0 as trusted means all traffic over the Ethernet is allowed, but the ppp0 interface is still firewalled. To restrict traffic on an interface, leave it unchecked.
You may have noticed a sit0 device in the Trusted devices section. This device stands for simple internet transition, which encapsulates IPv6 traffic into IPv4 traffic, and then is tunneled. For basic firewall rules, this device can be ignored and left as an untrusted device.
Important: It is not recommended that you make any device that is connected to public networks, such as the Internet, a Trusted device.

firewall Trusted Services

Enabling options in the Trusted services list allows the specified service to pass through the firewall.
WWW (HTTP)
The HTTP protocol is used by Apache (and by other Web servers) to serve webpages. If you plan on making your Web server publicly available, enable this option. This option is not required for viewing pages locally or for developing webpages. You must have the httpd package installed to serve webpages.
Enabling WWW (HTTP) will not open a port for HTTPS, the SSL version of HTTP.
FTP
The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, enable this option. The vsftpd package must be installed for this option to be useful.
SSH
Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. To allow remote access to the machine via ssh, enable this option. The openssh-server package must be installed to access your machine remotely using SSH tools.
Telnet
Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. To allow inbound Telnet access, you must have the telnet-server package installed.
Mail (SMTP)
To allow incoming mail delivery through your firewall so that remote hosts can connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.

Enabling and Disabling the Firewall

  • Disable firewall — Disabling the firewall provides complete access to your system and does no security checking. Security checking is the disabling of access to certain services. This should only be selected if you are running on a trusted network (not the Internet) or plan to do more firewall configuration later.
    Warning: If you have a firewall configured or any customized firewall rules in the /etc/sysconfig/iptables file, the file is deleted by selecting Disable firewall and clicking OK to save the changes.
  • Enable firewall — This option configures the system to reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
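The following is an added example and is not part of the Red Hat documentation quoted above. It models what the Security Level Configuration Tool's choices (trusted devices, trusted services, and the "Enable firewall" default of rejecting unsolicited inbound connections) mean when written out as iptables rules in iptables-save format, and it applies the "Important" note by flagging a trusted device that faces a public network. The service-to-port table and the `eth0`/`ppp0` scenario are assumptions; the page gives no port numbers.

```python
# Added example: iptables rules equivalent to the Security Level Configuration
# Tool's settings. Not the tool's own code; SERVICE_PORTS is an assumption.
SERVICE_PORTS = {
    "http": ("tcp", 80),    # WWW (HTTP); note it does not open 443 (HTTPS)
    "ftp": ("tcp", 21),
    "ssh": ("tcp", 22),
    "telnet": ("tcp", 23),  # unencrypted; listed only because the tool offers it
    "smtp": ("tcp", 25),
}


def check_trusted(trusted_devices, public_devices):
    """Return the trusted devices that face a public network.

    The documentation's 'Important' note: such a device should not be trusted,
    because trusting it bypasses every rule for traffic arriving on it."""
    public = set(public_devices)
    return [dev for dev in trusted_devices if dev in public]


def build_rules(trusted_devices=(), trusted_services=(), enabled=True):
    """Build the rule set as a list of iptables-save lines."""
    rules = ["*filter", ":INPUT ACCEPT [0:0]",
             ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    if not enabled:
        # "Disable firewall": nothing is checked, every packet is accepted.
        rules.append("COMMIT")
        return rules
    rules.append("-A INPUT -i lo -j ACCEPT")
    for dev in trusted_devices:
        # A trusted device is excluded from filtering altogether.
        rules.append(f"-A INPUT -i {dev} -j ACCEPT")
    # "Enable firewall": traffic answering an outbound request is allowed in...
    rules.append("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    # ...as are new connections to the services explicitly marked trusted.
    for svc in trusted_services:
        if svc not in SERVICE_PORTS:
            raise ValueError(f"unknown service: {svc!r}")
        proto, port = SERVICE_PORTS[svc]
        rules.append(f"-A INPUT -m state --state NEW -p {proto} "
                     f"--dport {port} -j ACCEPT")
    # Everything else is rejected, which is the tool's default behaviour.
    rules.append("-A INPUT -j REJECT --reject-with icmp-host-prohibited")
    rules.append("COMMIT")
    return rules


if __name__ == "__main__":
    # Constructed scenario from the text: LAN on eth0 trusted, PPP dial-up on
    # ppp0 still filtered, only SSH and HTTP admitted from the Internet.
    for bad in check_trusted(["eth0"], ["ppp0"]):
        print(f"warning: trusted device {bad} faces a public network")
    print("\n".join(build_rules(["eth0"], ["ssh", "http"])))
```

Feeding the printed rules to `iptables-restore` is the only step the tool would add; the point of the listing is that "trusted device" is an unconditional `ACCEPT` on the interface, which is why the documentation warns against trusting an Internet-facing one.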

Firewall Security Level Configuration Tool

During the Firewall Configuration screen of the Red Hat Enterprise Linux installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports.
After installation, you can change this preference by using the Security Level Configuration Tool.
To start the application, select Main Menu Button (on the Panel) => System Settings => Security Level or type the command system-config-securitylevel from a shell prompt (for example, in an XTerm or a GNOME terminal).

Basic Firewall Configuration

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Enterprise Linux system with an Internet connection.

Cisco Modules

Cisco Modules & Cards 
Cisco Application Networking Services Modules
Cisco Ethernet Switching Network Modules
Cisco High Density Voice/Fax Network Modules
Cisco High-Speed WAN Interface Cards
Cisco Interface Cards / Interface Processors
Cisco Voice/Fax Network Modules
Cisco Multiprocessor WAN Application Modules
Cisco Network Modules / Cisco Line Cards
Cisco Network Processing Engines
Cisco Network Processor Modules
Cisco Optical Services Modules/Transponders
Cisco Port Adapters
Cisco Route Processors
Cisco Route Switch Processors
Cisco Security Modules
Cisco Service Adapters / Cisco Services Modules
Cisco Services-Ready Engine (SRE) Modules
Cisco Shared Port Adapters
Cisco SPA Interface Processors
Cisco Storage Networking Modules
Cisco Transceiver Modules
Cisco Universal Broadband Router Line Cards
Cisco Versatile Interface Processors
Cisco Voice Modules and Interface Cards
Cisco WAN Interface Cards / Switching Modules


Cisco Modules & Cards
• Router HWIC WAN Card
• Router WIC WAN Card
• VIC VIC2 VIC3 Voice Card
• Router VWIC2 VWIC Card
• NM NME EM Network Module
• Router AIM Modules
• PVDM Voice/FAX Module
• Router ISR G2 SM Module
• Router NPE Engines
• 4500 Switch Module
• 6500 Switch Module
• Cisco 7200 Module
• Cisco 7600 Module

Cisco IP Phones

Cisco IP Phones VOIP
Cisco ATA 180 Series Analog Telephone Adaptors 
Cisco IP Communicator 
Cisco SIP IP Phone Software 
Cisco Small Business IP Phones 
Cisco Small Business Pro SPA 500 Series IP Phones 
Cisco Small Business Voice Accessories 
Cisco Unified IP Phone 9900 and 8900 Series Accessories 
Cisco Unified IP Phone 8900 Series 
Cisco Unified IP Phone 7900 Series 
Cisco Unified IP Phone 6900 Series 
Cisco Unified IP Phone 500 Series 
Cisco Unified IP Phones 9900 Series 
Cisco Unified SIP Phone 3900 Series 
Cisco Unified Video Advantage

Cisco IP Phones VOIP
• Cisco 7900 IP Phone
• Unified IP Phone 6900
• Unified IP Phone 8900
• Unified IP Phone 9900

Cisco Firewalls


Cisco Firewalls Security
Email and Web Security 
Network Security 
Secure Access Control 
Secure Mobility 
Security Management

Cisco Firewalls Security
• Cisco ASA 5500 Series
• Cisco PIX Firewall
• Cisco IPS 4200 Series Sensor
• Email and Web Security
• Cisco ASA 5500 Licenses

Cisco Switches

Cisco Switches
• LAN Switches - Access 
• LAN Switches - Core 
• LAN Switches - Small Business 
• Service Provider Switches - Aggregation 
• Service Provider Switches - Ethernet Access 
• WAN Switches 
• ATM Switches 
• Blade Switches 
• Data Center Switches 
• EnergyWise 
• Industrial Ethernet Switches 
• InfiniBand Switches 
• LAN Network Management 

Cisco Switches
• Cisco Switch Catalyst 2960
• Cisco Switch Catalyst 3560
• Cisco Switch Catalyst 3750
• Cisco Switch Catalyst 4500
• Cisco Switch Catalyst 6500
• Cisco 4900 4900M Series
• Cisco Nexus 5000 Series
• Cisco Nexus 7000 Series

Cisco Routers Series


Cisco Routers
• Cisco Router 800 Series
• Cisco Router 1800 Series
• Cisco Router 1900 Series
• Cisco Router 2800 Series
• Cisco Router 2900 Series
• Cisco Router 3800 Series
• Cisco Router 3900 Series
• Cisco Router 7200 Series
• Cisco Router 7600 Series
• Cisco Router ASR 1000
• Cisco Router ASR 9000
• XR 10000 12000 Router

Cisco 850 Series and Cisco 870 Series Access Routers


Community member Nazim Nabiye shared his Packet Tracer Lab

Community member Nazim Nabiye shared his Packet Tracer Lab... "configured interfaces, DHCP with DNS , rip v2 and NAT on routers 5 , 6 and 3 ....and rip v2 on another routers...and we have successful ping from PC8 to PC2, which is a four hop". What do you think? 

IPv4 & IPv6

What is IPv4?
A: IPv4 stands for Internet Protocol version 4. It is the underlying technology that makes it possible for us to connect our devices to the web. Whenever a device accesses the Internet (whether it's a PC, Mac, smartphone or other device), it is assigned a unique, numerical IP address such as 99.48.227.227. To send data from one computer to another through the web, a data packet must be transferred across the network containing the IP addresses of both devices.
Without IP addresses, computers would not be able to communicate and send data to each other. It's essential to the infrastructure of the web.
What is IPv6?
A: IPv6 is the sixth revision to the Internet Protocol and the successor to IPv4. It functions similarly to IPv4 in that it provides the unique, numerical IP addresses necessary for Internet-enabled devices to communicate. However, it does sport one major difference: it utilizes 128-bit addresses. I'll explain why this is important in a moment.
Why are we running out of IPv4 addresses?
A: IPv4 uses 32 bits for its Internet addresses. That means it can support 2^32 IP addresses in total — around 4.29 billion. That may seem like a lot, but all 4.29 billion IP addresses have now been assigned to various institutions, leading to the crisis we face today.
Let's be clear, though: we haven't run out of addresses quite yet. Many of them are unused and in the hands of institutions like MIT and companies like Ford and IBM. More IPv4 addresses are available to be assigned and more will be traded or sold (since IPv4 addresses are now a scarce resource), but they will become a scarcer commodity over the next two years until it creates problems for the web.
How does IPv6 solve this problem?
A: As previously stated, IPv6 utilizes 128-bit Internet addresses. Therefore, it can support 2^128 Internet addresses — 340,282,366,920,938,000,000,000,000,000,000,000,000 of them to be exact. That's a lot of addresses, so many that it requires a hexadecimal system to display the addresses. In other words, there are more than enough IPv6 addresses to keep the Internet operational for a very, very long time.
So why don't we just switch?
A: The depletion of IPv4 addresses was predicted years ago, so the switch has been in progress for the last decade. However, progress has been slow — only a small fraction of the web has switched over to the new protocol. In addition, IPv4 and IPv6 essentially run as parallel networks — exchanging data between these protocols requires special gateways.
To make the switch, software and routers will have to be changed to support the more advanced network. This will take time and money. The first real test of the IPv6 network will come on June 8, 2011, World IPv6 Day. Google, Facebook and other prominent web companies will test drive the IPv6 network to see what it can handle and what still needs to be done to get the world switched over to the new network.
How will this affect me?
A: Initially, it won't have a major impact on your life. Most operating systems actually support IPv6, including Mac OS X 10.2 and Windows XP SP 1. However, many routers and servers don't support it, making a connection between a device with an IPv6 address to a router or server that only supports IPv4 impossible. IPv6 is also still in its infancy; it has a lot of bugs and security issues that still need to be fixed, which could result in one giant mess.
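As an added illustration of the FAQ's numbers (not part of the original Q&A), the following Python uses only the standard-library ipaddress module to compute the 2^32 and 2^128 address spaces, to show why a 128-bit address is written in hexadecimal groups, and to show that embedding an IPv4 address in IPv6 notation is only a re-encoding, not a bridge between the two "parallel networks". The sample addresses are constructed; 2001:db8::/32 is the IPv6 documentation prefix.

```python
import ipaddress

# Added example, not from the original FAQ. The sample addresses below are
# constructed for illustration.


def address_space(version):
    """How many addresses the version can express: 2**32 for IPv4, 2**128 for IPv6."""
    bits = {4: 32, 6: 128}[version]
    return 2 ** bits


def describe(text):
    """Parse one address and report the properties the FAQ talks about."""
    addr = ipaddress.ip_address(text)
    return {
        "version": addr.version,
        "bits": addr.max_prefixlen,          # 32 or 128
        "exploded": addr.exploded,           # full form: IPv6 needs eight hex groups
        "compressed": addr.compressed,       # shortest form ('::' stands for zero groups)
        "not_globally_routable": not addr.is_global,
    }


def ipv4_mapped(text):
    """Write an IPv4 address in IPv4-mapped IPv6 form (::ffff:a.b.c.d).

    This only re-encodes the address. An IPv6-only host still needs a
    translating gateway to reach an IPv4-only server, which is the FAQ's
    'parallel networks' point."""
    v4 = ipaddress.IPv4Address(text)
    return ipaddress.IPv6Address(f"::ffff:{v4}")


if __name__ == "__main__":
    print(f"IPv4 space: {address_space(4):,}")
    print(f"IPv6 space: {address_space(6):,}")
    print(f"IPv6 has {address_space(6) // address_space(4):,} times as many addresses")
    for sample in ("99.48.227.227", "2001:db8::1"):
        print(describe(sample))
    print("embedded IPv4:", ipv4_mapped("99.48.227.227").ipv4_mapped)
```

The exploded form of the IPv6 sample is 32 hexadecimal digits; writing the same 128 bits in dotted decimal would take 16 numbers, which is why the notation changed.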

mac address

What Is a MAC Address?
The MAC address is a unique value associated with a network adapter. MAC addresses are also known as hardware addresses or physical addresses. They uniquely identify an adapter on a LAN.
MAC addresses are 12-digit hexadecimal numbers (48 bits in length). By convention, MAC addresses are usually written in one of the following two formats:
MM:MM:MM:SS:SS:SS

MM-MM-MM-SS-SS-SS
The first half of a MAC address contains the ID number of the adapter manufacturer. These IDs are regulated by an Internet standards body (see sidebar). The second half of a MAC address represents the serial number assigned to the adapter by the manufacturer. In the example 00:A0:C9:14:C8:29, the prefix 00A0C9 indicates the manufacturer is Intel Corporation.
Why MAC Addresses?
Recall that TCP/IP and other mainstream networking architectures generally adopt the OSI model. In this model, network functionality is subdivided into layers. MAC addresses function at the data link layer (layer 2 in the OSI model). They allow computers to uniquely identify themselves on a network at this relatively low level.
MAC vs. IP Addressing
Whereas MAC addressing works at the data link layer, IP addressing functions at the network layer (layer 3). It's a slight oversimplification, but one can think of IP addressing as supporting the software implementation and MAC addresses as supporting the hardware implementation of the network stack. The MAC address generally remains fixed and follows the network device, but the IP address changes as the network device moves from one network to another.
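To make the two notations and the manufacturer/serial split concrete, here is an added Python example (not code from the original article). It accepts both separator styles, rejects malformed input, splits the address into the manufacturer prefix and serial half, and goes one step beyond the text by also reading the two flag bits of the first octet (the least significant bit marks a multicast/group address, the next bit marks a locally administered address). The manufacturer lookup table is a constructed one-entry stand-in for the public registry; it contains only the page's Intel example.

```python
import re

# Added example, not from the original article. OUI_SAMPLE is a constructed
# stand-in for the real manufacturer registry and holds only the page's example.
OUI_SAMPLE = {"00A0C9": "Intel Corporation"}

# Six hex pairs joined by one consistent separator, ':' or '-'.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def parse_mac(text):
    """Parse MM:MM:MM:SS:SS:SS or MM-MM-MM-SS-SS-SS into its parts."""
    text = text.strip()
    match = MAC_RE.match(text)
    if not match:
        raise ValueError(f"not a MAC address: {text!r}")
    separator = match.group(2)
    octets = bytes(int(pair, 16) for pair in text.split(separator))
    oui = octets[:3].hex().upper()
    first = octets[0]
    return {
        "canonical": ":".join(f"{b:02X}" for b in octets),
        "oui": oui,                              # manufacturer half
        "serial": octets[3:].hex().upper(),      # manufacturer-assigned half
        "manufacturer": OUI_SAMPLE.get(oui),     # None when not in the sample table
        "multicast": bool(first & 0x01),         # I/G bit: group address
        "locally_administered": bool(first & 0x02),  # U/L bit: not vendor-assigned
    }


if __name__ == "__main__":
    for sample in ("00:A0:C9:14:C8:29", "00-A0-C9-14-C8-29", "01:00:5E:00:00:01"):
        print(sample, "->", parse_mac(sample))
```

A locally administered address (second bit of the first octet set) is one an operator or virtualization layer assigned rather than the vendor, so the prefix of such an address says nothing about the hardware maker; that is worth checking before trusting a prefix lookup in inventory or detection tooling.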

cisco packet tracer scenario and configuration

In this scenario I will provide three cases.

Case 1
One of the Cisco router interfaces will be a DHCP client.

Case 2
The Cisco router will act as a DHCP server, providing the IP address, subnet mask, default gateway, DNS address and TFTP address.

Case 3
The Cisco router will act as a DHCP relay agent between a DHCP client and a DHCP server on different network addresses.


case 1 commands :
Router(config-if)#exit
Router(config)#interface Ethernet1/0
Router(config-if)#ip add dhcp
Router(config-if)#no sh


case 2 commands :
Router(config)#interface Ethernet1/1
Router(config-if)#ip address 13.0.0.1 255.0.0.0
Router(config-if)#exit
Router(config)#ip dhcp pool net4
Router(dhcp-config)#network 13.0.0.0 255.0.0.0
Router(dhcp-config)#default-router 13.0.0.1
Router(dhcp-config)#dns-server 10.0.0.2
Router(dhcp-config)#option 150 ip 10.0.0.2
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 13.0.0.1 13.0.0.10
Router(config)#ip domain-name 10.0.0.2


case 3 commands:
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#ip helper-address 10.0.0.2
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 11.0.0.1 255.0.0.0
Router(config-if)#ip helper-address 10.0.0.2
Router(config-if)#no shutdown
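The commands above for cases 2 and 3 are the kind of thing that is easy to get subtly wrong (a default-router outside its pool, the server's own address handed out as a lease, a helper-address pointing at the local subnet). As an added example, not part of the original lab, the following Python parses those IOS lines and checks them for consistency. The config text is a constructed copy of the page's case 2 and case 3 commands, and the checks are my own, not IOS's.

```python
import ipaddress

# Added example, not from the original lab. SAMPLE_CONFIG is constructed from
# the page's case 2 and case 3 commands (prompts stripped, one command per line).
SAMPLE_CONFIG = """\
interface Ethernet1/1
 ip address 13.0.0.1 255.0.0.0
 exit
ip dhcp pool net4
 network 13.0.0.0 255.0.0.0
 default-router 13.0.0.1
 dns-server 10.0.0.2
 option 150 ip 10.0.0.2
 exit
ip dhcp excluded-address 13.0.0.1 13.0.0.10
interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 ip helper-address 10.0.0.2
 no shutdown
 exit
interface FastEthernet0/1
 ip address 11.0.0.1 255.0.0.0
 ip helper-address 10.0.0.2
 no shutdown
"""


def parse_config(text):
    """Pull DHCP pools, interfaces and excluded ranges out of IOS-style config."""
    pools, interfaces, excluded = {}, {}, []
    section = None  # ("pool", name) or ("intf", name) while inside a sub-mode
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "exit":
            section = None
        elif words[:3] == ["ip", "dhcp", "pool"]:
            section = ("pool", words[3])
            pools[words[3]] = {"options": {}}
        elif words[0] == "interface":
            section = ("intf", words[1])
            interfaces[words[1]] = {"helpers": []}
        elif words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = ipaddress.ip_address(words[3])
            high = ipaddress.ip_address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif section and section[0] == "pool":
            pool = pools[section[1]]
            if words[0] == "network":
                pool["network"] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            elif words[0] == "default-router":
                pool["default_router"] = ipaddress.ip_address(words[1])
            elif words[0] == "dns-server":
                pool["dns_server"] = ipaddress.ip_address(words[1])
            elif words[0] == "option":
                pool["options"][int(words[1])] = words[3]   # e.g. option 150 ip <tftp>
        elif section and section[0] == "intf":
            intf = interfaces[section[1]]
            if words[:2] == ["ip", "address"]:
                intf["address"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            elif words[:2] == ["ip", "helper-address"]:
                intf["helpers"].append(ipaddress.ip_address(words[2]))
    return {"pools": pools, "interfaces": interfaces, "excluded": excluded}


def check_config(cfg):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    local_nets = {i["address"].network for i in cfg["interfaces"].values() if "address" in i}
    for name, pool in cfg["pools"].items():
        net = pool.get("network")
        if net is None:
            findings.append(f"pool {name}: no network statement")
            continue
        if net not in local_nets:
            findings.append(f"pool {name}: {net} matches no interface subnet")
        gw = pool.get("default_router")
        if gw is not None and gw not in net:
            findings.append(f"pool {name}: default-router {gw} is outside {net}")
        # The router's own address must be excluded or a client may be leased it.
        if gw is not None and not any(lo <= gw <= hi for lo, hi in cfg["excluded"]):
            findings.append(f"pool {name}: default-router {gw} is not excluded from the pool")
        for lo, hi in cfg["excluded"]:
            if lo in net and hi not in net:
                findings.append(f"pool {name}: excluded range {lo}-{hi} extends beyond {net}")
    for name, intf in cfg["interfaces"].items():
        addr = intf.get("address")
        for helper in intf["helpers"]:
            if addr is not None and helper in addr.network:
                findings.append(f"{name}: helper-address {helper} is on the local subnet "
                                f"{addr.network}; relay is only needed toward other subnets")
    return findings


if __name__ == "__main__":
    for line in check_config(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(line)
```

On the page's own configuration the only finding is the helper-address on FastEthernet0/0, whose subnet already contains the DHCP server at 10.0.0.2; the relay on FastEthernet0/1 (11.0.0.0/8) is the one case 3 actually needs.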

I made all these cases in one Packet Tracer lab; I attached the .pkt file with this document.

Topology used