Chapter 2. Introduction to Virtual Private Networks (VPN)

This chapter covers the following subjects:

VPN Offerings: This section provides an overview of various remote access and site-to-site VPN options.

VPN Technology Components: This section provides a review of essential components that make up a VPN solution.

VPN Protocols: This section introduces protocols commonly used with a VPN architecture.

Cisco VPN Portfolio: This section looks at protocols and technology related to Cisco’s VPN portfolio.

Cisco Security Appliance Management: This section reviews options for managing Cisco VPN technology.

VPN Logging: This section introduces logging options for Cisco VPN technology.

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

—Edward Snowden

This chapter covers the following exam objectives:

• 1.0 Site-to-site Virtual Private Networks on Routers and Firewalls

• 1.1 Describe GETVPN

• 1.2 Describe DMVPN

• 1.3 Describe FlexVPN

• 4.0 Secure Communications Architectures

• 4.1 Describe functional components of GETVPN, FlexVPN, DMVPN, and IPsec for site-to-site VPN solutions

• 4.2 Describe functional components of FlexVPN, IPsec, and Clientless SSL for remote access VPN solutions

• 4.6 Design site-to-site VPN solutions

• 4.6.a VPN technology considerations based on functional requirements

• 4.7 Design remote access VPN solutions

• 4.7.a VPN technology considerations based on functional requirements

• 4.7.b High availability considerations

Virtual private networks (VPNs) require three key ingredients to function in a secure manner: confidentiality, integrity, and availability (also known as the CIA triad). Failing to enforce the CIA triad can lead to unwanted exposure and loss of data. Enforcing the CIA triad on your data could keep your social media accounts from being compromised, prevent your bank accounts from being liquidated by unauthorized parties, and ensure that company classified or personal data is not leaked to dark markets. VPN technologies can assist in ensuring CIA and preventing data catastrophes.

Learning beyond the SVPN concepts:

• General VPN Overview Concepts

• VPN Portfolio – Cisco Firepower and Cisco Meraki concepts

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 2-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 2-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping


1. Which of the following is not a deployment model for a site-to-site VPN architecture?

a. Full mesh

b. Hub-and-spoke

c. Mesh-to-spoke

d. Spoke-to-spoke

2. What can a Cisco Integrated Services Router device offer?

a. Site-to-site VPN capabilities

b. Remote access capabilities

c. Both site-to-site and remote access capabilities

d. Cisco routers do not provide VPN services.

3. Which of the following is not a VPN protocol?

a. VAM

b. IKEv2

c. L2TP

d. SSTP

e. PPTP

4. Which of the following is not a Cisco VPN option?

a. FlexVPN

b. IKEv2 VPN

c. DMVPN

d. SSLVPN

e. GETVPN

5. Which of the following are tunnel-less VPN options? (Choose two.)

a. DMVPN

b. EasyVPN

c. IPsec VPN

d. GRE-based VPN

6. Which of the following is not an option for managing a Cisco security device?

a. Cisco SecureX

b. Cisco Security Manager (CSM)

c. Cisco Adaptive Security Device Manager (ASDM)

d. Cisco Defense Orchestrator

7. What is the purpose of DART?

a. Diagnostics and reporting

b. Data and resilience

c. Detection and response

d. Data and return

8. Which of the following options support a remote access client? (Choose two.)

a. DMVPN

b. SSLVPN

c. GETVPN

d. FlexVPN

e. Static IPsec

9. Which protocol is L2TP always paired with?

a. PPTP

b. IPsec

c. SSL

d. IKE

10. Which of the following are reasons to use SSL for a VPN? (Choose two.)

a. Many host-based security capabilities are needed.

b. There is no need for high-end security.

c. It runs over HTTPS ports.

d. It uses a web browser.

Foundation Topics

VPN Offerings

A virtual private network (VPN) connects two or more remote devices so that they can exchange data securely over an untrusted network, such as the Internet. VPNs use tunnels to encapsulate data packets, most commonly inside IP packets, for transmission over IP-based networks. Encryption provides confidentiality, and authentication and integrity checking ensure that data is not altered in transit and that it comes from the expected peer. This means an employee using a laptop, smartphone, or IoT device can connect through a VPN to the corporate network from anywhere in the world and maintain data privacy. In addition, virtual tunnels can be set up between different offices to allow data to be shared over the untrusted Internet.

VPN Technologies vs. Services

Many flavors of VPN technology are available for organizations to choose from. Our first method for categorizing all available VPN technologies is grouping offerings into VPN technologies and VPN services. The following is how each of these VPN groups can be defined:

VPN technologies: A VPN technology is a tool that provides encryption between endpoints. VPN technology is the primary focus of this book.

VPN services: A VPN service is a package that includes one or more VPN capabilities, where you do not own the technology providing the service. An example of a VPN service is a website management service that includes a VPN encryption option for transferring data between a host and the server hosting the website. For example, the user interface could be a web front end that hides the VPN and web transfer technology. A user can simply drag files into a web page, and within minutes, the data appears in a management portal and is transferred to storage space within the cloud. The user is not responsible for configuring or managing the backend VPN technology; that is the responsibility of the service provider. VPN services are not the focus of this book.

Some VPN service providers enable you to choose the type of VPN that is used. In other cases, the service provider handles any technology selection, setup, and maintenance. Figure 2-1 shows an advertisement for TunnelBear, which is an example of a VPN service provider. A TunnelBear customer does not have to maintain hardware or deal with complicated VPN configuration. TunnelBear provides the VPN service and is responsible for all backend requirements.


Figure 2-1 An Advertisement for the TunnelBear VPN Service

This book focuses on VPN technologies that you configure and maintain. The Secure Solutions with Virtual Private Networks exam (SVPN 300-730 exam) covers VPN technologies and requires you to understand how to design and configure these technologies.

This brings us to the next level of grouping we use in this book to further categorize the VPN technologies available to organizations. There are two main categories:

Remote access VPNs: Remote users or devices use these VPNs to connect to a network.

Site-to-site VPNs: These VPNs provide connections between two or more networks.

Chapters 3 through 6 focus on site-to-site VPN technology, and Chapters 7 through 10 focus on remote access VPN. You will find that many concepts covered apply to both types of VPN technology, and we avoid repeating such material once a topic has been covered. We also include technology that falls within these categories but is not part of the SVPN exam, based on what is used in organizations around the world. The focus of this book is to pass the SVPN exam; however, we also want to provide real-world VPN concepts that extend beyond the exam to help you be a well-rounded VPN professional. We identify when material is not on the current version of the SVPN exam, but know that the SVPN learning objectives can change.

Remote Access VPNs

A remote access VPN provides devices outside of a trusted network with access to that network. For example, remote users working from endpoint devices such as laptops, tablets, and smartphones and requiring access to the inside corporate network would use a remote access VPN. Essentially, a remote access VPN enables a computer to connect to a secured network from an untrusted network. For example, an employee using a coffee shop’s unsecured network can use a remote access VPN to transfer information between her laptop and her company’s internal network.

Remote Access VPN Use Cases

There are dozens of use cases for remote access VPNs. One very common use case for a remote access VPN is allowing external users to access resources that are available only in a secured environment. Say that a traveling salesperson needs to update confidential sales records that are accessible only when an employee is connected to the internal network. A remote access VPN can allow that salesperson to perform work and can limit the person’s access to only his business needs. This book covers many of the options for building remote access VPNs. Figure 2-2 shows a basic design of a remote access VPN architecture.


Figure 2-2 Generic Remote Access VPN

Another use case for a remote access VPN is allowing a user to browse the Internet while maintaining privacy, with all traffic leaving the host encrypted through a VPN tunnel. Imagine that our traveling salesperson goes to a coffee shop and uses the coffee shop network to connect to his company’s internal network to modify the secret business records. Even if a device such as a Wi-Fi Pineapple (refer to Chapter 1, “Implementing Secure Solutions with Virtual Private Networks SVPN 300-730 Exam”) were able to perform a man-in-the-middle attack and capture the traffic between the traveling salesperson and the corporate network, all that traffic would be encrypted, keeping the salesperson’s session secured. Note that this protection covers only traffic that enters the tunnel: if the VPN is configured for split tunneling, traffic bound directly for the Internet leaves the host unencrypted and remains exposed to the same attacker, so this privacy use case requires a tunnel-all policy.

A remote access VPN can also be used in other scenarios, such as to bypass local security controls. For example, countries like China strictly filter certain types of websites, such as Facebook. A user in China who attempts to access Facebook will be blocked by filtering technology deployed by the Chinese government. That user could use a remote access VPN to bypass the Chinese filtering and access a system outside the Chinese network and connect to Facebook. For example, a traveling salesperson could go to China and use a VPN to connect to his U.S.-based organization. He would be able to access Facebook through the VPN tunnel.


Note

We do not recommend or encourage any behavior that could be considered illegal, including bypassing local security solutions by using a VPN.


You will be expected to know some specific remote access VPN topics to pass the SVPN 300-730 exam. For example, you need to understand client-based VPNs using Cisco AnyConnect with both IKEv2 and Secure Sockets Layer (SSL), clientless VPNs, and FlexVPN. You need to understand how to configure these technologies by using certain Cisco tools, such as the Cisco Adaptive Security Appliance (ASA) configured through the Cisco Adaptive Security Device Manager (ASDM). This book covers these topics and more.

Site-to-Site VPNs

A site-to-site VPN connects different locations over untrusted networks. The goal is typically to give multiple users or devices at one location access to resources at another location. For example, imagine an organization that has several offices and needs to share data between each location while maintaining security.

Hub-and-Spoke Design

There are three basic designs for a site-to-site VPN. The first design is a hub-and-spoke design, in which one location, such as the main headquarters, acts as the hub and connects to multiple branch offices, which are the spokes. For this VPN design, a separate VPN tunnel is established between the hub and each individual remote office. Spoke offices can communicate with other spoke offices only if traffic travels through the headquarters hub location. Figure 2-3 shows a basic example of a hub-and-spoke VPN.


Figure 2-3 Generic Hub-and-Spoke VPN

Spoke-to-Spoke Design

Another site-to-site VPN design option is a spoke-to-spoke VPN architecture, in which two devices communicate directly with each other. Either site can initiate a connection, as long as connectivity can be established between the locations. Figure 2-4 shows the hub-and-spoke design from Figure 2-3 with spoke-to-spoke connections added between the branch offices as well as the remote office. Essentially, Figure 2-4 shows a hybrid of a hub-and-spoke architecture for communication with HQ and a spoke-to-spoke architecture used between the smaller locations.


Figure 2-4 Hub-and-Spoke VPN with Spoke-to-Spoke Connections

Full Mesh Design

Another site-to-site VPN architecture is a full mesh. In a full mesh architecture, every VPN device in the network communicates with every other VPN device over its own VPN tunnel. This means every VPN device has a direct peer relationship with all other VPN devices. This avoids a bottleneck at a single VPN gateway and reduces overhead because no one gateway has to encrypt and decrypt everyone else’s traffic. The full mesh approach is ideal when multiple peers need to communicate with each other and resources are available to support it. A full mesh provides the most redundancy of any site-to-site design, but the number of tunnels grows quadratically: n sites require n(n - 1)/2 tunnels, so 10 sites need 45 tunnels and 50 sites need 1,225, each of which must be configured, keyed, and monitored.

Hybrid Design

In the example shown in Figure 2-4, all but one of the possible connections between the remote location and the branch offices have been established. Figure 2-5 shows that missing connection added, so every location has a VPN tunnel to every other location. As you can see, this is the ideal architecture from a redundancy viewpoint; however, it might not be feasible due to the cost and upkeep required to maintain this type of VPN architecture. As discussed later in this chapter, technologies such as DMVPN, FlexVPN, and GETVPN can simplify the deployment of full mesh connectivity.


Figure 2-5 Generic Full Mesh VPN

As you have seen in the previous examples, site-to-site VPN architectures can be combined to form hybrid designs. In a partial mesh architecture, some devices use the full mesh approach, and other devices use a hub-and-spoke or a spoke-to-spoke design. A partial mesh does not provide the same level of redundancy as a full mesh but can be less expensive to implement. An organization may use a partial mesh approach when it has deployed a full mesh between branch locations and wants to add a less important network such as a small office.

Tiered Hub-and-Spoke Design

Another hybrid site-to-site architecture is a tiered hub-and-spoke architecture, which connects different hub-and-spoke networks together. In this design, traffic is permitted from the spoke or hub groups to their most immediate hub, depending on how VPN connections are established. An example could be two different organization networks that need to connect to a single headquarters due to a recent acquisition. The headquarters would represent the first tier of this design, and the main branch offices would be the second tier. The branch offices could also be connected with each other; however, networks that are spokes off each branch office could be designed in a hub-and-spoke architecture, and those spokes would be the third tier. Figure 2-6 shows an example of this approach.


Figure 2-6 Hybrid Site-to-Site VPN Design

The SVPN 300-730 exam requires you to know about some specific site-to-site VPN topics. For example, you need to understand and know how to deploy and troubleshoot GETVPN, DMVPN, and FlexVPN, which can be configured over a hub-and-spoke or spoke-to-spoke network and can leverage IPv4 or IPv6. This book covers these and other site-to-site VPN topics you need to know for the exam.

The best way to choose a VPN architecture is to validate the requirements of the VPN being considered, such as required equipment, the cost of the solution, supported protocols, the expected version of software that will be needed for the project to be successful, and, most importantly, the desired outcome.
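To make the trade-off between these designs concrete, the following Go program, added here as an example and not part of the original chapter, models a set of sites and the tunnels between them. It counts the tunnels each design requires (each one an IPsec peering to configure, key, and monitor), the site pairs whose traffic must transit an intermediate gateway, and the number of tunnel hops between two spokes. The site numbering, the choice of site 0 as the hub, and the pair {1, 2} given a spoke-to-spoke tunnel in the partial mesh are assumptions of the example.

```go
package main

import "fmt"

// Topology records which site pairs have a direct VPN tunnel.
// Sites are numbered 0..Sites-1; site 0 is the hub in hub-and-spoke designs.
type Topology struct {
	Name    string
	Sites   int
	Tunnels map[[2]int]bool // key is the pair ordered as {low, high}
}

// pair normalizes a site pair so either direction hits the same map key.
func pair(a, b int) [2]int {
	if a > b {
		a, b = b, a
	}
	return [2]int{a, b}
}

// HubAndSpoke builds one tunnel from the hub (site 0) to each spoke.
func HubAndSpoke(n int) Topology {
	t := Topology{Name: "hub-and-spoke", Sites: n, Tunnels: map[[2]int]bool{}}
	for s := 1; s < n; s++ {
		t.Tunnels[pair(0, s)] = true
	}
	return t
}

// FullMesh builds a unique tunnel between every pair of sites.
func FullMesh(n int) Topology {
	t := Topology{Name: "full mesh", Sites: n, Tunnels: map[[2]int]bool{}}
	for a := 0; a < n; a++ {
		for b := a + 1; b < n; b++ {
			t.Tunnels[pair(a, b)] = true
		}
	}
	return t
}

// PartialMesh is hub-and-spoke plus direct spoke-to-spoke tunnels for the listed pairs.
func PartialMesh(n int, spokePairs [][2]int) Topology {
	t := HubAndSpoke(n)
	t.Name = "partial mesh"
	for _, p := range spokePairs {
		t.Tunnels[pair(p[0], p[1])] = true
	}
	return t
}

// TunnelCount is the number of peerings the operator must configure, key, and monitor.
func (t Topology) TunnelCount() int { return len(t.Tunnels) }

// IndirectPairs counts site pairs with no direct tunnel; their traffic is decrypted
// and re-encrypted at an intermediate gateway (the hub, in these designs).
func (t Topology) IndirectPairs() int {
	n := 0
	for a := 0; a < t.Sites; a++ {
		for b := a + 1; b < t.Sites; b++ {
			if !t.Tunnels[pair(a, b)] {
				n++
			}
		}
	}
	return n
}

// Hops returns how many tunnels traffic from src to dst traverses, found by a
// breadth-first search over the tunnel graph, or -1 if the sites are not connected.
func (t Topology) Hops(src, dst int) int {
	dist := map[int]int{src: 0}
	queue := []int{src}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == dst {
			return dist[cur]
		}
		for next := 0; next < t.Sites; next++ {
			if _, seen := dist[next]; !seen && t.Tunnels[pair(cur, next)] {
				dist[next] = dist[cur] + 1
				queue = append(queue, next)
			}
		}
	}
	return -1
}

func main() {
	for _, n := range []int{5, 50} {
		for _, t := range []Topology{HubAndSpoke(n), PartialMesh(n, [][2]int{{1, 2}}), FullMesh(n)} {
			fmt.Printf("%-14s sites=%-3d tunnels=%-5d indirect pairs=%-5d hops 1->2: %d  hops 3->4: %d\n",
				t.Name, n, t.TunnelCount(), t.IndirectPairs(), t.Hops(1, 2), t.Hops(3, 4))
		}
	}
}
```

For 5 sites the hub-and-spoke design needs 4 tunnels and the full mesh 10; for 50 sites the numbers are 49 and 1,225, which is the cost side of the redundancy a full mesh buys. The same program shows that a single spoke-to-spoke tunnel in a partial mesh takes those two spokes from 2 hops via the hub to 1 while every other spoke pair stays dependent on the hub.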

VPN Technology Components

The type of VPN you plan to use may depend on the available physical or virtual technology. VPN components can include the system providing the VPN service and, sometimes, software such as a client that is used to establish a VPN connection when a remote access VPN is being used. With a clientless remote access design, a client is not required for the remote access VPN.

Hardware VPN Support

When it comes to hardware supporting VPN capabilities, routers commonly support site-to-site VPN capabilities, and security-focused tools tend to support remote access VPN capabilities. Customers often desire unified products—that is, multifunctional tools—and hybrid technology is becoming popular to provide everything from security and remote access VPN capabilities to networking and site-to-site VPN capabilities, all on the same appliance. Hybrid technology offering both remote access and site-to-site VPN capabilities is most commonly used in small business solutions. Larger enterprise technology tends to provide either routing and site-to-site VPN capabilities or security defense capabilities along with remote access VPN options. We look at these technology trends in more detail shortly.

The SVPN 300-730 exam focuses on technologies you need to know. The general concepts involved in setting up, troubleshooting, and maintaining a VPN are vendor agnostic. As long as you understand the technology, the protocols used, and how things are supposed to work, you should be able to build a VPN on most vendor or open-source platforms. The following sections look at different categories of technology that can offer VPN capabilities, beginning with routers. You will not be required to know the models of Cisco technology being used in the SVPN exam; however, you will be required to know how to work with such technology.

Routers

By definition, a router is a network device that forwards data packets between computer networks. Over time, routers have become a lot more capable, offering various features ranging from voice to security capabilities. In regard to security capabilities expected from a router, supporting site-to-site VPN functionality is always at the top of the list. It is common for routers to send traffic across untrusted networks, prompting concerns about loss of confidentiality and integrity of any data that is sent. To address data compromise concerns, a site-to-site VPN encrypts traffic between routers.

Router VPN Use Cases

Routers can be used for remote access VPN services, but they are more commonly used with site-to-site VPNs. Routers used in homes and small offices more commonly offer remote access capabilities than do routers used for larger enterprises and service providers. A smaller location with limited space for equipment and a relatively small budget is likely to want a single solution that provides a range of network and security needs. A smaller router may be used to connect back to the enterprise using a site-to-site connection while also enabling users who are away from their home office to connect back to the home router; in such a case, the router may also send remote access traffic to the larger enterprise through a site-to-site VPN connection. Such solutions work in smaller environments but can’t scale to larger networks. Therefore, a larger office may use enterprise routers for site-to-site VPN services and leverage separate security appliances or other dedicated solutions for remote access VPN services. In general, the remote access VPN capabilities on security appliances are more feature rich than on routers.

For the SVPN 300-730 exam, you need to know how to work with a few Cisco router models. Cisco IOS and IOS XE software includes both IP Security (IPsec) and Transport Layer Security (TLS) encryption technologies within the following routing platforms that you should be familiar with for the exam:

• Cisco ISR (Integrated Services Router) for branch offices

• Cisco ASR (Aggregation Services Router) 1000 Series for data centers and other headend locations

• Cisco CSR (Cloud Services Router) 1000V Series


Note

The specifics of how to configure a VPN vary for different Cisco technologies. For the SVPN 300-730 exam, you do not need to memorize the management GUI layout for each Cisco product. You do need to know how to configure, maintain, and troubleshoot VPN technology, and the same concepts apply across multiple Cisco technologies. We highly recommend focusing on what and why each step is being performed when configuring a VPN rather than on where steps are located within a specific Cisco product management GUI for the SVPN 300-730 exam.


Router VPN Capabilities

Our focus in this book is on the VPN capabilities of routers. Most Cisco routers support Group Encrypted Transport VPN (GETVPN), Dynamic Multipoint VPN (DMVPN), GRE-based VPN (also known as Point-to-Point VPN), and standards-based IPsec VPN for site-to-site VPNs. Some models support both IPsec and SSLVPN for remote access, and others do not. SSL support depends on the version of code and licenses being used.

Cisco ISR Series routers come in many shapes and sizes and are the go-to option for branch offices. As their name indicates, these routers offer many services, including WAN connectivity, software-defined networking (SD-WAN), NetFlow export, security monitoring, and Wi-Fi access. While smaller options such as Cisco ISR routers offer SSL-based remote access VPN capabilities, larger headend routers such as the ASR 1000 Series do not. The ASR 1000 targets the data center and large enterprise market and limits remote access support to IKEv2 (FlexVPN); it does not offer SSLVPN. The performance of a router depends on the model, platform, and the services enabled.

The following list provides a quick summary of Cisco routers that offer VPN capabilities:


Note

Learn more about Cisco branch routers at https://www.cisco.com/c/en/us/products/routers/branch-routers/index.html.


Cisco ISR 4000 Series: This series of routers is designed for large enterprise branch offices. They do not support SSLVPN.


Cisco ISR 1000 Series: This series of routers targets small to medium-size businesses. They can support SSLVPN for remote access if the right license is enabled.


Cisco ISR 900 Series: These routers are designed for small and home offices. They can support SSLVPN for remote access if the right license is enabled.


Cisco ISR 800 Series: The 800 Series targets small to medium-size businesses looking for routing, voice, video, security, application performance, wireless, and cloud connectivity all in one solution. These routers can support SSLVPN for remote access if the right license is enabled.


Cisco 5000 Enterprise Network Compute System Series: This series is designed as a hybrid platform that combines a traditional router and a server in a small infrastructure footprint. These devices do not support SSLVPN.


ASR 1000 Series: These routers are designed to sit at the edge of a data center or large office connecting to a WAN; they can also be used as service provider points of presence (POPs). This series can provide SD-WAN with encryption and traffic management at 2.5 to 200 Gbps. For remote VPN support, IKEv2 can be used; SSL-based remote access is not supported.


Cisco CSR Series: The Cisco CSR is a virtual-form-factor router that delivers WAN gateway and network services functions in virtual and cloud environments. Features offered include routing, firewall, Network Address Translation (NAT), QoS, application visibility, failover, WAN optimization, and VPN capabilities. The CSR Series supports both SSL and IKEv2 for remote access VPNs.


Note

The SVPN 300-730 exam will not test you on the physical components of a Cisco router.


Security Appliances

A security appliance can be dedicated to a specific capability (for example, a firewall) or offer multiple capabilities (for example, a firewall and VPN in one solution). The combination of capabilities in a security appliance has led to many industry terms, such as unified threat management (UTM) and next-generation (NG). We address the history of the term next generation shortly, but first we step back and look at the Cisco history of offering VPN technology in security appliances.

History of Cisco VPN Technology

Cisco first offered VPN capabilities in appliances around the year 2000, when Cisco acquired Altiga Networks. This acquisition led to the Cisco VPN 5000 and Cisco VPN 3000 Series. The 5000 Series appliances were eliminated in 2002, however, and the VPN 3000 became the industry standard for remote access VPN requirements. The VPN 3000 Series was so successful that it led to the creation of the industry-recognized SSLVPN category, which any competitor would have to support if they wanted to have a chance at winning remote access VPN business. Around 2005, Cisco found that many customers that were looking for remote access VPN capabilities were also interested in acquiring firewall appliances. In response to customer demand, Cisco released the Cisco ASA (Adaptive Security Appliance) Series, which provided a hybrid solution including Cisco PIX firewall and VPN 3000 features. When the ASA product line had been on the market for some time, Cisco announced end of sale for all PIX and VPN 3000 products.


Note

The SVPN 300-730 exam does not cover the VPN 3000 product line as it is no longer sold.


Over time, Cisco has increased its focus on security through acquisitions of companies like Sourcefire and Meraki, and these acquisitions have impacted the VPN offerings in Cisco security products. At the time of this publication, the Cisco security-focused product lines that provide VPN capabilities are the ASA Series, Meraki security appliances, and Cisco Secure Firewall offerings. For the SVPN 300-730 exam, you need to understand how to configure various VPN features using either a Cisco router or Cisco ASA, even though options such as Cisco Secure Firewall can run similar VPN configurations. This book provides examples of both ASA and Cisco Secure Firewall and Meraki options to prepare you for both the exam and real-world environments.


Note

The Cisco Secure Firewall can provide various VPN capabilities, depending on the model and software used. We highly recommend monitoring changes in the SVPN 300-730 exam for additional learning requirements targeting the Cisco Secure Firewall appliances.



Note

On the SVPN 300-730 exam, you should expect the remote access VPN questions to be related to the Cisco ASA technology, because routers are not commonly used for remote access VPNs except in smaller environments.


VPN Clients

Another component of some remote access VPN deployments is the client installed on the endpoint, which can be used for IPsec or SSL/TLS. For example, a remote access IPsec VPN consists of a VPN client and a VPN headend device, commonly called the VPN gateway. The VPN client resides on the user’s workstation or mobile device and initiates the VPN tunnel to the remote network via the VPN gateway waiting to accept connections. When a VPN client initiates a connection to the VPN gateway device, negotiation starts with authenticating the user and the user’s device. For IPsec, Internet Key Exchange (IKE) performs this negotiation: IKEv1 authenticates the device and then runs IKE Extended Authentication (Xauth) to authenticate the user, whereas IKEv2 authenticates the user within the IKE exchange itself (for example, with EAP). After the negotiation completes, a configuration profile (such as an assigned address and DNS servers) is pushed to the client, and a security association is created to complete the connection. For SSL connections, a TLS tunnel is established, typically with a DTLS tunnel alongside it to carry the data traffic.

The process for an IPsec VPN depends on the protocols used and how the VPN technology is set up. Because SSL/TLS VPNs can be reached by public computers, it can be complicated to keep endpoints protected with these clients. Vendors like Cisco offer various controls to combat this challenge, including integration with network access control (NAC) technology to ensure that devices are safe before permitting VPN connections. In addition, there are remote access VPN options that do not use VPN clients; these options are commonly referred to as clientless. This book covers setup, maintenance, and troubleshooting for both client-oriented and clientless remote access VPN architectures.

Cisco AnyConnect

The Cisco flagship multiple-purpose security client is known as Cisco AnyConnect Secure Mobility Client. This client can be installed on desktop or mobile devices and provides features such as web security, malware defense, phishing protection, command and control blocking, 802.1x supplicant services, and VPN capabilities. AnyConnect was created to be used as a VPN client, but its capabilities have grown, and AnyConnect’s deployment base as a multifunctional security endpoint has expanded.

End users can obtain AnyConnect in a number of ways. They can download the AnyConnect software from a web or file server or obtain it from an enterprise software management system. AnyConnect can also be pushed down from a Cisco ASA appliance, Secure Firewall appliance, or Cisco ISE server. For example, when a workstation attempts to connect to the corporate network, Cisco ISE can be configured with a posture check, which will push AnyConnect to any workstation that does not have AnyConnect installed. Another example would be a workstation connecting to the Cisco ASA appliance over the Internet, with the ASA redirecting users to download AnyConnect as part of establishing a remote access VPN. Figure 2-7 shows an example of a Cisco ASA pushing down the option to download the AnyConnect client.


Figure 2-7 Cisco ASA Offering AnyConnect to an Endpoint

AnyConnect Capabilities

The Cisco AnyConnect core client is included with the default AnyConnect package. Additional modules are also included with the default package, but extra licenses and configuration may be required to enable certain features. Also, configuration settings such as client profiles can also be included with the AnyConnect software and downloaded as a single package. Alternatively, client profiles can be added as part of the update process after the AnyConnect client is installed and a connection with the VPN gateway is established. We cover specific AnyConnect configuration steps in Chapter 8 and troubleshooting steps in Chapter 10.

Other VPN Clients

A variety of open-source VPN options are available, including both VPN gateways and clients, and most modern operating systems also include native VPN clients. One example of an open-source VPN option is Openswan, an IPsec implementation for Linux. tcpcrypt is another example that is supported on both Windows and macOS. OpenConnect is an open-source client that can connect to Cisco SSL VPN headends but is not officially associated with Cisco. For the SVPN 300-730 exam, you only need to be familiar with the Cisco AnyConnect client.

VPN Protocols

Regardless of whether you use a Cisco or non-Cisco option for your VPN deployment, you need to choose which VPN protocol to leverage. Some hardware and VPN designs have limited options for protocol support, and others give you different options that will impact the performance and level of security obtained from the VPN setup.

There are several protocol options you can use when choosing how to encrypt traffic with a VPN. It is important to choose a VPN that supports the right protocol for your business needs because the protocol determines the authentication method, the key exchange, and the ciphers available, and therefore the level of security the VPN provides. A VPN protocol also relies on certain ports and IP protocols, which can limit its usability on networks that block them. Some VPN protocols can run over TCP port 443, the port used for normal HTTPS traffic, which lets a VPN blend in with other encrypted traffic and pass censorship or filtering enforced by a network security tool such as a firewall. The more resistant a protocol is to known attacks, the lower your risk of data exposure.


Note

We do not condone using a VPN to bypass security when it is illegal or unethical to do so.


A number of popular protocols are available in most commercial VPN solutions. The following sections discuss PPTP, SSTP, SSL/TLS, OpenVPN, L2TP/IPsec, and IKEv2.

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP), which dates back to the late 1990s, was the first VPN protocol widely available to the public. It uses Microsoft Point-to-Point Encryption (MPPE) along with MS-CHAP for authentication. Because PPTP has been around for so many years, many solutions have PPTP built in to their platforms. PPTP is simple to set up and enables a wide range of device support because it doesn’t require any additional software. In some situations, such as with legacy platforms, PPTP is the only available protocol. For example, PPTP may be the only protocol option with an older piece of factory equipment. PPTP is very fast compared to other protocol options.

PPTP Pitfalls

If security is crucial, PPTP is not the best protocol choice. Security experts, including Microsoft, have deemed PPTP obsolete due to its vulnerability to various attacks. If you are using PPTP, anybody from a nation-state to a general hacker can snoop on your connections. Two tools available for Kali Linux, thc-pptp-bruter and asleap, can be used to brute-force endpoints that use PPTP. Figure 2-8 shows an example of launching a wordlist-based brute-force attack by using thc-pptp-bruter within Kali Linux.


Figure 2-8 Brute-Force Attack Using thc-pptp-bruter

PPTP requires port 1721 and Generic Routing Encapsulation (GRE) protocol, both of which can be blocked by security platforms such as firewalls, so the use of PPTP is limited. PPTP may be fast on a reliable connection. However, with a connection that experiences packet loss, PPTP may generate a massive number of TCP retransmit attempts, dramatically slowing down the experience. In short, PPTP is not recommended.

Secure Socket Tunneling Protocol (SSTP)

Microsoft has provided a new and improved version of PPTP known as Secure Socket Tunneling Protocol (SSTP), which was first available in Windows Vista SP1 in 2008. SSTP uses Secure Sockets Layer (SSL) 3.0, which is much better than PPTP, and it is fully integrated into Windows. SSTP is predominantly a Windows-based VPN protocol but has also been used on other operating systems from time to time. SSTP overcomes the dependency on port 1721 by using TCP port 443, so local security tools are not likely to prevent it. One issue with SSTP is that it relies on SSL 3.0, which has been deprecated by the Internet Engineering Task Force (IETF) due to its vulnerability to POODLE attacks. Unless Microsoft changes SSTP so it does not rely on SSL 3.0, SSTP is not recommended.


Note

Learn more about a POODLE attack on SSL 3.0 at https://www.us-cert.gov/ncas/alerts/TA14-290A.


SSL/TLS

These protocols leverage web browsers or client applications to provide secure remote access VPN capabilities. For the purposes of SSLVPNs, SSL has been replaced by its successors, Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). Modern SSLVPNs rely on TLS to encrypt and authenticate data. One major advantage of SSLVPNs is their capability to use TCP 443 for the transmission of data. Because TCP 443 is commonly allowed by networks, users are more likely to be successful connecting with an SSLVPN client over TCP 443 than with a VPN client using IPsec. This is one of the major reasons, along with many other reasons that will be covered later in this book, that SSLVPNs are the primary method for connecting to Cisco ASA firewalls. You can expect to see a large number of SSLVPN questions on the SVPN 300-730 exam.

IPsec with IKE

Internet Key Exchange (IKE), in its original version (IKEv1), is a deprecated protocol used to set up security associations in the IPsec protocol suite. IKE uses pre-shared keys or X.509 certificates for authentication and leverages Diffie-Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. Diffie-Hellman groups 1, 2, 5, 22, 23, and 24 are also considered deprecated.

IKEv1 was deprecated for a number of reasons. First, due to their age, systems supporting IKEv1 are much more likely to contain implementation vulnerabilities that will never be patched. Second, due to vulnerabilities in IKEv1, systems supporting IKEv1 can be used for packet amplification attacks. Finally, IKEv1 systems are likely to have been configured for the weak Diffie-Hellman groups 2 and 5 and are likely not capable of supporting modern algorithms to secure data communications, such as AES-GCM. No new improvements have been made to IKEv1 in more than a decade, since the industry has pointed all IKE deployments toward Version 2. Nonetheless, the protocol is still widely deployed, so you need to understand it.

IPsec with IKEv2

Internet Key Exchange Version 2 (IKEv2) was developed through a partnership between Microsoft and Cisco, with the goal of developing a secure and flexible tunneling protocol option. By itself, IKEv2 is just a negotiation protocol. However, it can be paired with IPsec encryption to provide security capabilities for VPN connections. IKEv2 is popular because it is available in any Windows platform from Windows 7 on, as well as in mobile platforms such as Apple iOS and Blackberry. In addition, open-source versions of IKEv2 are supported by platforms like Linux and Android.

One huge benefit of IKEv2 is its stability. It supports Mobility and Multihoming Protocol (MOBIKE), which makes quick reconnections possible when switching between different connections. This is ideal for people who travel often and for mobile devices. IKEv2 is a reliable alternative to OpenVPN due to its dependability and availability in many Windows and mobile platforms. We recommend using IKEv2 if it is available, and you need to understand this protocol for the SVPN 300-730 exam.

Easy VPN

Easy VPN (EzVPN) is an IPsec VPN option supported on older Cisco routers and security appliances. It uses the Unity client protocol, which allows many IPsec VPN parameters to be defined at an IPsec gateway that can also act as the EzVPN server. EzVPN simplifies VPN deployments by having security policies defined at the headend (that is, the EzVPN server) and pushed to remote VPN devices. This practice ensures that clients have up-to-date policies in place before establishing VPN connections. EzVPN simplifies VPN deployment for remote offices and mobile employees. Newer Cisco routers such as the ISR 1000 Series do not support EzVPN; only the ASA 5505 supports EzVPN. IKEv2 is preferred over EzVPN for new deployments.

L2TP

Layer 2 Tunneling Protocol (L2TP) was released at around the same time as PPTP. Like PPTP, L2TP is widely available and runs on most major platforms. L2TP is a tunneling protocol that does not provide any encryption of its own, so it is almost always paired with IPsec; when you hear somebody mention L2TP or IPsec for a VPN, it is likely the L2TP/IPsec combination. L2TP/IPsec also uses AES ciphers; 3DES ciphers are no longer recommended because a collision attack has rendered them obsolete.


Note

This article from threatpost provides details on a collision attack against 3DES: https://threatpost.com/new-collision-attacks-against-3des-blowfish-allow-for-cookie-decryption/120087/.


L2TP has similar limitations to PPTP in that it requires certain ports—such as UDP 500 and UDP 4500—to be open. If a security tool such as a firewall filters these ports, L2TP will not work. Over time, L2TP has fallen out of favor due to rumors that well-funded security agencies can exploit the protocol. So while there is no proof that L2TP has been compromised, many people avoid it for this reason. L2TP may be an option for casual use; however, there are better options, such as OpenVPN and IKEv2.

VPN Protocol Comparison

After reviewing the VPN protocols, you should come to the following conclusions:

• Avoid using PPTP and SSTP whenever possible.

• SSL/TLS is a good option for reliable connectivity. Most AnyConnect deployments today use SSLVPN.

• EzVPN is an option for ensuring that the latest updates are pushed to remote systems and providing simplicity in deploying a VPN to remote devices and offices; however, it is being phased out, and IKEv2 is a better option.

• IKEv2 is a strong option for VPNs; however, in some cases, IKEv1 may be the only supported option.

• L2TP can work if it is properly set up, but it is not recommended if IKEv2 or SSL/TLS is available.

We look more closely at each of these protocols as we review the configurations of various VPN options. Know that some VPN options offer only one protocol, whereas others offer multiple protocol options. We recommend not using a VPN option that supports only one protocol unless that protocol is OpenVPN or IKEv2.
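The deprecated Diffie-Hellman groups listed under IPsec with IKE and the 3DES caveat under L2TP amount to a checklist that can be applied to a proposal before it is deployed. The following Python audit is an added example written for this chapter, not Cisco or vendor code; the Proposal layout is an assumption made for the example rather than a Cisco configuration format, and the choice to treat single DES, MD5, and SHA-1 as weak is likewise the example's own rule.

```python
"""Audit an IKE/IPsec proposal against the deprecated algorithms discussed
in this chapter. Added example, not vendor code; the Proposal layout is
an assumption, not a Cisco configuration format."""
from dataclasses import dataclass
from typing import List, Optional

# Diffie-Hellman groups the chapter lists as deprecated.
DEPRECATED_DH_GROUPS = {1, 2, 5, 22, 23, 24}
# 3DES is obsolete because of the collision attack referenced in the chapter;
# single DES is added as an assumption of the example (it is far weaker).
WEAK_ENCRYPTION = {"des", "3des"}
# MD5 and SHA-1 are treated as weak integrity choices (example's assumption).
WEAK_INTEGRITY = {"md5", "sha1", "sha-1"}


@dataclass
class Proposal:
    name: str
    ike_version: int                 # 1 or 2
    dh_group: int
    encryption: str                  # e.g. "aes-gcm-256", "aes-256", "3des"
    integrity: Optional[str] = None  # None is only valid for AEAD ciphers (AES-GCM)


def audit(p: Proposal) -> List[str]:
    """Return a list of findings; an empty list means the proposal passes."""
    findings = []
    enc = p.encryption.lower()
    if p.ike_version == 1:
        findings.append("IKEv1 negotiation; migrate to IKEv2")
    if p.dh_group in DEPRECATED_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} is deprecated")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{p.encryption} is obsolete (collision attacks)")
    if p.integrity is not None and p.integrity.lower() in WEAK_INTEGRITY:
        findings.append(f"integrity {p.integrity} is weak")
    # A CBC-mode cipher with no integrity algorithm leaves packets unauthenticated.
    if "gcm" not in enc and p.integrity is None:
        findings.append("non-AEAD cipher needs an explicit integrity algorithm")
    return findings


def is_acceptable(p: Proposal) -> bool:
    return not audit(p)


if __name__ == "__main__":
    for prop in (
        Proposal("legacy-l2tp", 1, 2, "3des", "sha1"),
        Proposal("modern-ikev2", 2, 19, "aes-gcm-256"),
    ):
        print(prop.name, audit(prop) or "OK")
```

Running the script reports four findings for the legacy L2TP/IPsec proposal (IKEv1, DH group 2, 3DES, SHA-1) and none for the IKEv2 proposal using DH group 19 with AES-GCM, which is the combination the comparison above points you toward.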

Cisco VPN Portfolio

The SVPN 300-730 exam focuses on VPN options supported in Cisco solutions. For the exam, you need to know VPN options such as DMVPN, GETVPN, FlexVPN, and SSLVPN. The following sections quickly review each of these options. You will learn a lot more about each of these topics later in this book.

DMVPN

Dynamic Multipoint VPN (DMVPN) is a Cisco IOS software solution for building scalable IPsec VPNs (that is, router-based site-to-site VPNs). DMVPN uses multipoint Generic Routing Encapsulation (mGRE) for overlay and IKEv1 or IKEv2 for authentication and key exchange. DMVPN is supported on both IPv4 and IPv6 (that is, it can be dual-stacked) and allows hub-to-spoke as well as on-demand spoke-to-spoke communication. DMVPN enables a branch to communicate with other branches over a public WAN or the Internet but doesn’t require a permanent VPN connection between sites.

DMVPN Use Cases

One popular use case for DMVPN is deploying voice and/or video across different networks over a DMVPN connection. Another common use case is connecting many branch offices over a public network such as the Internet or over a private network using MPLS. DMVPN is known for its zero-touch configuration, which translates to reduced complexity in deploying and supporting site-to-site requirements. DMVPN is also used to provide resiliency for applications by combining routing with standards-based IPsec technology. We dive into DMVPN in detail in Chapter 5.

Group Encrypted Transport VPN (GETVPN)

Group Encrypted Transport VPN (GETVPN) is a tunnel-less VPN solution that provides highly secure communication between systems that are grouped together in a network. GETVPN addresses some of the limitations of DMVPN. For example, DMVPN supports direct spoke-to-spoke traffic, but when a spoke wants to send traffic to another spoke, it first must create a new IPsec security association, which can take time and cause delays. GETVPN solves the scalability issue by using a single IPsec security association for all routers in a group rather than using individual security associations. GETVPN also supports multicast traffic natively, without using GRE, whereas other options have to use GRE for encapsulation. GETVPN is ideal for private networks like MPLS VPNs. We look more closely at GETVPN in Chapter 4. In addition, Chapter 3 covers more details about security associations.

FlexVPN

Unlike DMVPN and GETVPN, FlexVPN is an IPsec-based VPN technology for Cisco IOS devices that supports both site-to-site and remote access VPN options. FlexVPN is based on IKEv2 for origin authentication and key exchange; unlike DMVPN, FlexVPN does not support IKEv1. FlexVPN uses a centralized policy management infrastructure with the RADIUS framework. FlexVPN supports both IPv4 and IPv6 for transport and overlay protocols, and these concepts are likely to be on the SVPN exam. FlexVPN is newer than DMVPN, and we look more closely at FlexVPN in Chapter 6.

SSLVPN

SSLVPN is a remote access encryption solution that uses Transport Layer Security (TLS) to protect data communication between a software client (such as AnyConnect) and a corporate network. SSL/TLS functions are ubiquitous in modern web browsers. This means that, unlike with IPsec (which is a client-based VPN technology), SSL can provide remote access VPN capabilities without having a client installed (that is, it is a clientless VPN solution) or can use a combination of client and web services to provide VPN capabilities. SSLVPNs are commonly called web VPNs, based on the use of the client’s web browser.

SSLVPN Use Cases

SSLVPNs have several popular use cases. One huge advantage of SSL is its ease of use for end users. Client-based VPN options such as IPsec are likely to have different implementation and configuration requirements, whereas SSL requires only a modern web browser, though it can also use a client such as AnyConnect. Because SSL runs over the standard HTTPS port, it isn’t blocked by security tools such as firewalls. Variations of SSLVPNs can overcome some security risks. For example, it is possible to validate that a system being permitted an SSLVPN connection is authorized for that connection, allowing only authorized devices while denying otherwise authorized users who attempt to connect to the SSLVPN from a personal computer. This book covers different SSL architectures and SSL features available in Cisco products. It also compares SSL client VPNs with SSL clientless VPNs to help you decide when to use either approach when considering SSL as a VPN approach.

Site-to-Site VPN Comparison

Table 2-2 compares a number of different site-to-site VPN options. This table summarizes the benefits of each option, when it makes sense to use each VPN option, which systems support each VPN option, how well the options can scale, management options, and topology options. The table also addresses routing options, QoS options, multicast support, non-IP protocol support, private IP address support, and high availability options. You should know these data points for the SVPN 300-730 exam.


Table 2-2 Comparison of Site-to-Site VPN Options


Table 2-3 compares some of the other VPN topics covered in this chapter, including remote access VPN options. We recommend being familiar with these topics before moving on to other chapters in this book.

Table 2-3 Comparing VPN Options


Cisco ASA Licensing

The Cisco ASA product line has been on the market since 2005. Over the years, there have been changes to the hardware and license structures, which impact what type and how many site-to-site VPN sessions can be supported. Cisco ASA appliances offer different variations of licenses, including permanent and time-based licenses. A permanent license, which applies only to the appliance on which it is installed, never expires. Such a license is tied to a permanent activation key, and an ASA can have only one permanent key installed at any given time. If additional features are needed under a permanent license, a new activation key that includes those features must be generated.

You can see the current activation key by using the command show activation-key, which provides information like the following:

Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000

Time-Based License

A time-based license, such as the one shown in the following example, is valid only for a specific period of time. You can install one or more time-based activation keys, but only one key can apply to a given feature. This means you can install multiple time-based keys as long as each key applies to a different feature. When a time-based key is within 30 days of expiration, the ASA generates daily system log messages alerting you to the situation. If a license expires, certain features may be deactivated or reduced. A license expiration warning looks like this:

%ASA-4-444005: Timebased license key 0x8c9911ff 0x715d6ce9 0x590258cb
0xc74c922b 0x17fc9a will expire in 29 days.

Note

With Cisco ASA Version 8.3(1) and later, time-based key expiration does not depend on the configured system time and date. The license countdown automatically occurs based on the actual uptime of the ASA. This is ideal if an ASA isn’t used for a period of time because it means you won’t lose license time if the ASA is not being used.


Licensing Options

The number of licenses required for an ASA deployment depends on the type of license being used. Cisco ASA appliances used to use a Base, Security Plus, and Premium option format, but licensing has been simplified into two tiers. The first tier is AnyConnect Plus, which includes basic VPN services such as device and per-application VPN, trusted network detection, basic device context collection, and Federal Information Processing Standards (FIPS) compliance. The second tier is AnyConnect Apex Licensing, which includes everything in Plus as well as more advanced services such as endpoint posture checks, network visibility, next-generation VPN encryption, and clientless remote access VPN. Table 2-4 highlights a comparison between AnyConnect Plus and Apex licensing. We cover licensing in more detail in Chapter 8.

Table 2-4 AnyConnect Plus and Apex License Feature Comparison

Managing Licensing

Note

Learn more about ASA and Secure Firewall licensing at https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/licenseroadmap.html.


One final ASA license concept to cover is how licenses are managed. The traditional method is to obtain license keys from Cisco or an authorized reseller and apply them to the associated ASA through the command line or a GUI management platform. The license file you obtain is called a product authorization key (PAK) license. Cisco also offers smart software licensing for certain models, such as the ASAv, ASA on Secure Firewall, and Secure Firewall appliances; this type of licensing lets you manage a pool of licenses centrally. Smart licensing does not require a PAK, which also means licenses are not bound to an ASA serial number. Smart licensing simplifies deploying and retiring ASAs because you do not need to manage each unit’s license key.


Note

Learn more about Cisco smart licensing at https://www.cisco.com/c/en/us/products/software/smart-accounts/software-licensing.html.


Cisco Secure Firewall Series for Site-to-Site VPNs

In addition to the ASA Series, two other Cisco security product lines offer site-to-site VPN capabilities: the Cisco Secure Firewall Series and Meraki. As with the ASA Series, there are different Secure Firewall series hardware models that offer different amounts of VPN session support as you increase in appliance size. Licensing for the Cisco Secure Firewall Series is similar to licensing for the ASA Series in that there is the classic approach of installing a PAK file or using Cisco smart licensing. The good news for site-to-site VPN support on a Cisco Secure Firewall solution is that the Cisco Secure Firewall Series does not require additional licenses; basic Cisco Secure Firewall licensing provides support for site-to-site VPN capabilities.

Cisco Secure Firewall Limitations

There are limitations to the VPN features offered on a Cisco Secure Firewall Series solution for a site-to-site VPN. The following options were available as of the time of this publication:

• Both IPsec IKEv1 and IKEv2 are supported.

• Certificates and automatic or manual pre-shared keys for authentication are supported.

• IPv4 and IPv6 are supported.

• Static and dynamic interfaces are supported.

• The VPN alerts when the tunnel goes down.

• Point-to-point (PTP), hub-and-spoke, and full mesh deployments are available.

• Network objects with a range option are not supported in a VPN.

• Cisco Secure Firewall VPNs are only backed up using the Cisco Secure Firewall Management Center backup options.

• There is not a per-tunnel or per-device edit option for Cisco Secure Firewall VPNs; only the whole topology can be edited at the time of publication.

• Cisco Secure Firewall VPNs are not supported in a clustered environment at the time of this publication.

• VPN tunnel status is not updated in real time but at an interval of 5 minutes in the Cisco Secure Firewall Management Center at the time of this publication.

• Transparent mode is not supported. Only tunnel mode is supported.

The Cisco Secure Firewall Series product line is continuously being updated. We highly recommend that you validate the current data sheet associated with the Cisco Secure Firewall model you are considering for your site-to-site VPN project to ensure that all required features and licenses are obtained. We talk more about Cisco Secure Firewall in Chapter 7. Know that Cisco Secure Firewall is not part of the current version of the SVPN learning objectives, but that could change with a future version of the exam.

Cisco Meraki Licensing

The last security appliance option in the Cisco catalog that supports site-to-site VPNs is the Cisco Meraki Series. In particular, VPN capabilities are available in Cisco Meraki MX Series devices. A popular Cisco Meraki VPN feature is site-to-site VPN tunnel creation using a single mouse click. Meraki focuses on simplifying deployment and management by leveraging an appliance-to-cloud-management architecture. Essentially, all Meraki appliances must be licensed and managed using the Meraki cloud management center. This simplified architecture can allow for capabilities such as single-click enablement of a site-to-site VPN. With this approach, it is possible to generate an automatic mesh site-to-site VPN solution.

Cisco Meraki VPN Options

With a site-to-site VPN in a Meraki MX-Z device, you can provide the following with one click:

• Advertise the local subnets that are participating in the VPN.

• Advertise the WAN IP addresses on Internet 1 and Internet 2 ports.

• Download the global VPN route table from the dashboard. This occurs automatically, based on each MX’s advertised WAN IP/local subnet in the VPN network.

• Download the pre-shared key for establishing the VPN tunnel and traffic encryption.

The Meraki MX series offers three configuration options for setting up a VPN automatically:

Off: The specified MX-Z will not participate in the site-to-site VPN.

Hub (or Mesh): The MX-Z device will establish VPN tunnels to all remote Meraki VPN peers that are also configured in this mode.

Spoke: The MX-Z will establish direct tunnels only to the specified remote MX-Z devices.

The Meraki MX series offers the following additional options:

• Two tunneling options: split tunnel and full tunnel

• Automatic and manual (port forwarding) NAT

• Limited VPN subnet translation

• OSPF route advertisement

• Three IPsec policies: Default, Amazon VPC, or Microsoft Azure Instance

• Phase 1 and 2 encryption support for AES-128, AES-192, AES-256, and 3DES

• Authentication with MD5 or SHA-1

Like other Cisco security solutions, the Meraki Series product line is continuously being updated. We highly recommend that you validate the current data sheet associated with the Meraki model you are considering for your site-to-site VPN project to ensure that all required features and licenses are obtained. We look more at the Cisco Meraki VPN capabilities in Chapter 7. Cisco Meraki is not part of the current SVPN learning objectives, but that could change with a future version of the exam.

Cisco Security Appliance Management

Our next topic to review is how Cisco security devices are managed. Smaller organizations will use a local management option, meaning they will log in to each security appliance and perform individual configurations. As organizations grow, the need for a centralized manager comes into play. Larger organizations need a way to standardize configurations by enforcing templates for how they want their technology to function as well as consolidate events and logs, so the security operation center and network operations teams are able to keep up with the workload.

Cisco Security Management Options

There are a few options for managing Cisco security devices:


Cisco Security Manager (CSM): Provides centralized management for Cisco ASA appliances, Cisco 4200 and 4500 Series sensors, and the AnyConnect Secure Mobility Client. CSM is an older option for those who leverage specific Cisco security technologies.

Cisco Secure Firewall Management Center (FMC): FMC provides centralized management of Cisco Firepower Next Generation Firewall (NGFW), Cisco Firepower Next Generation IPS (NGIPS), and Cisco AMP (Advanced Malware Protection) for networks as well as threat correlation for network sensors and AMP for Endpoints.

Cisco Secure Firewall Device Manager (FDM): FDM can manage multiple 1000 Series and 2100 Series devices and select 5500-x Series devices running the Cisco Secure Firewall (FTD) software image. Each FTD image is managed individually through FDM.

Cisco Adaptive Security Device Manager (ASDM): ASDM is one of the management options for Cisco ASA appliances. It can also manage the Cisco AnyConnect Secure Mobility Client. ASDM is a free GUI used to configure, monitor, and troubleshoot Cisco firewall appliances and service modules; it targets small deployments because it can manage only one firewall at a time. ASDM includes setup wizards to help simplify firewall and VPN configuration tasks, offers real-time log viewing for troubleshooting and checking on the health of services, provides other troubleshooting tools such as debugging, packet tracing, and packet capture, and supports software upgrades.

Cisco Defense Orchestrator (CDO): CDO offers cloud-based management of Cisco security devices ranging from the ASA Series to other firewall and network devices. The demand for cloud management continues to increase, and CDO is expected to eventually manage all Cisco Secure Firewall and ASA options.

Meraki cloud management: All Cisco Meraki solutions are managed from a cloud-based GUI that provides centralized visibility and control without any additional costs. Meraki’s approach to management offers many values, including licensing and configuring devices before they are connected to a network for the first time; automation of monitoring and alerting; quick feature updates; support for large, dispersed networks; and one of the simplest approaches to providing networking and security services on the market. The demand for cloud management continues to increase, and Meraki’s entire platform is built around its cloud management strategy.

Chapter 3, “Site-to-Site VPNs,” walks through the configuration of a site-to-site VPN using local command-line options as well as Cisco ASDM. You will need to understand both options for the SVPN 300-730 exam as well as to deploy a site-to-site VPN in real life. Some of the steps shown in Chapter 3 can be simplified using other Cisco management options, including setup wizards. In Chapter 3 you will see how to build VPNs both with and without setup wizards so you can get a feel for different approaches to configuring site-to-site VPNs.

VPN Logging

Logging can be extremely useful for troubleshooting and monitoring what occurs during a VPN session. Imagine the impact to a business that suddenly can’t access resources. If a site-to-site connection between a major branch goes offline, think of the number of employees who would complain that “the network is down” and blame the team responsible for the network. This scenario is a common nightmare for network administrators and one you want to avoid by using best practices for redundancy and failover within VPN solutions. Every architecture can go down and, in the end, logging is what enables you to view what is going on. In situations that impact a large group of people, such as a branch office going down, every minute matters, and having the right logs can make the difference between quickly remediating the issue and having a failure in VPN turn into a major incident.

Logging Collection Points

Logging can occur in different parts of a VPN solution. The VPN gateway provides information about users accessing the remote access VPN, details on the VPN session (from how it is established to how it is terminated), data on how a site-to-site VPN is performing, members of the VPN group, and many other details, depending on the technology and type of VPN being used. Most Cisco devices use the syslog service for logs; however, solutions such as Cisco Secure Firewall Management Center use eStreamer. A logging service in a Cisco device accepts messages and stores them in files, prints them on the screen, or sends them externally, depending on the device configuration. Logs can be collected by a centralized logging system to be analyzed or exported to a data repository for archiving purposes. Many government organizations have data archiving requirements such as storing remote access VPN logs for three to five years.

ASA Logging

The Cisco ASA Series comes with logging controls to help reduce some of the clutter and allow administrators to zero in on events that matter. Logging types can be enabled or disabled based on severity levels. For example, any notification logs could be ignored, while more severe events impacting the performance of a VPN could be exported to a centralized logging system or sent directly to the administration team. Log messages can be sent via an SNMP management station, sent to specific email addresses, viewed within an ASA management tool such as ASDM, or seen via Telnet and SSH sessions. Log buffer settings can be configured to specify what logs are stored locally on the Cisco solution and indicate when logs are either deleted or exported to an external source. Figure 2-9 shows an example of using the ASDM Real-Time Log Viewer to monitor AnyConnect remote access VPN logs. This example shows many of the logs that are generated just from a single user connecting to a network from a remote location. As you can imagine, filtering capabilities are essential to any logging system. Having logs is good, but if you can’t read them, the value of logging quickly diminishes as the log data becomes unmanageable.
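The severity-based filtering described here, together with the time-based license expiry warning quoted in the Cisco ASA Licensing section, can be checked with a small parser. The following Python is an added example for this chapter, not Cisco code or the ASA's own logging engine. The SAMPLE_LOG lines are constructed for the example with simplified message text; only the 444005 line is the one quoted earlier in the chapter, and the assumption is that the ASA prefix always has the form %ASA-severity-id.

```python
"""Parse Cisco ASA syslog lines, filter by severity, and flag time-based
license expiry. Added example, not Cisco code. SAMPLE_LOG is constructed
(message texts simplified); the 444005 line is the one quoted in the chapter."""
import re
from typing import Any, Dict, List, Optional, Tuple

# Cisco ASA syslog prefix: %ASA-<severity>-<message id>: <text>
ASA_PREFIX = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
# Time-based license warning quoted in the chapter (message 444005).
EXPIRY = re.compile(r"will expire in (?P<days>\d+) days", re.IGNORECASE)

# ASA severity levels: 0 is the most severe, 7 the least.
SEVERITY_NAMES = {0: "emergencies", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational",
                  7: "debugging"}

SAMPLE_LOG = [  # constructed sample; message texts simplified
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/443",
    "%ASA-7-111009: User 'admin' executed cmd: show activation-key",
    "%ASA-4-444005: Timebased license key 0x8c9911ff 0x715d6ce9 0x590258cb "
    "0xc74c922b 0x17fc9a will expire in 29 days.",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22",
    "not a syslog line at all",
]


def parse(line: str) -> Optional[Dict[str, Any]]:
    """Split one line into severity, message id and text; None if not ASA syslog."""
    m = ASA_PREFIX.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    return {"severity": sev, "level": SEVERITY_NAMES.get(sev, "unknown"),
            "id": m["id"], "text": m["text"]}


def filter_by_severity(lines: List[str], max_level: int = 4) -> List[Dict[str, Any]]:
    """Keep messages at severity max_level or more severe (a lower number)."""
    return [p for p in map(parse, lines) if p and p["severity"] <= max_level]


def license_days_remaining(parsed: Dict[str, Any]) -> Optional[int]:
    """Days left on a time-based key, taken from message 444005; else None."""
    if parsed["id"] != "444005":
        return None
    m = EXPIRY.search(parsed["text"])
    return int(m["days"]) if m else None


def license_alerts(lines: List[str], threshold_days: int = 30) -> List[Tuple[str, int]]:
    """Return (message id, days) for license keys within threshold_days of expiry."""
    alerts = []
    for p in filter(None, map(parse, lines)):
        days = license_days_remaining(p)
        if days is not None and days <= threshold_days:
            alerts.append((p["id"], days))
    return alerts


if __name__ == "__main__":
    for p in filter_by_severity(SAMPLE_LOG, 4):
        print(p["level"], p["id"], p["text"])
    print("license alerts:", license_alerts(SAMPLE_LOG))
```

With the threshold at warning (4), only the license and the denied-connection lines survive the filter; the informational and debugging lines are dropped the way an ASA logging level setting would drop them before they reach a collector.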


Figure 2-9 Real-Time Log Viewer Example

When it comes to pulling log data from a VPN gateway, it is common to have system-level and security logs delivered to a centralized logging solution. Centralizing log collection makes it possible to view all logs in one spot as well as aggregate event details to better troubleshoot a situation that impacts one or more devices.

SIEM

Most customers we meet with use a security information and event management (SIEM) tool as a centralized log collection solution. The biggest values from using a SIEM tool include simplifying the process of searching through huge amounts of log data, correlating multiple events from different logs into one single entry, and developing reports that cover the state of security and performance for the entire organization. Some SIEM tools are better at mining log data and doing security information management, and others are more threat focused, leaning toward security event management.

Figure 2-10 shows an example of Splunk viewing Cisco ASA AnyConnect data associated with a remote access VPN deployment. Splunk, which can digest huge amounts of log data, allows an administrator to search data in much the same way it is possible to search the Internet using a web browser. In the example shown in Figure 2-10, searching on the term “VPN” and the field “Cisco_ASA_user” filters out all log data outside any event associated with a Cisco AnyConnect VPN log.
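The correlation a SIEM performs when you search on a user field, rolling the start and disconnect events of one AnyConnect session into a single record, can be reproduced in a few lines. The following Python is an added example for this chapter, not Cisco or Splunk code. SAMPLE_LOG is constructed; the line formats approximate ASA messages 113039 (parent session started) and 113019 (session disconnected) and may differ in detail from what a real appliance emits, so treat the regular expressions as an assumption to adjust against your own logs.

```python
"""Correlate AnyConnect session start and disconnect events into one record
per session, the roll-up a SIEM search on a user field produces. Added
example, not Cisco or Splunk code; SAMPLE_LOG is constructed and the
message formats are approximations."""
import re
from typing import Dict, List

START = re.compile(
    r"%ASA-6-113039: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> AnyConnect parent session started")
END = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\..*?Duration: (?P<dur>\d+h:\d+m:\d+s)"
    r".*?Reason: (?P<reason>.+)$")
DURATION = re.compile(r"(\d+)h:(\d+)m:(\d+)s")

SAMPLE_LOG = [  # constructed sample
    "%ASA-6-113039: Group <RemoteUsers> User <alice> IP <203.0.113.5> AnyConnect parent session started.",
    "%ASA-6-113039: Group <RemoteUsers> User <bob> IP <198.51.100.9> AnyConnect parent session started.",
    "%ASA-4-113019: Group = RemoteUsers, Username = alice, IP = 203.0.113.5, Session disconnected. "
    "Session Type: SSL, Duration: 0h:05m:02s, Bytes xmt: 10240, Bytes rcv: 20480, Reason: User Requested",
    "%ASA-4-113019: Group = RemoteUsers, Username = carol, IP = 192.0.2.77, Session disconnected. "
    "Session Type: SSL, Duration: 2h:00m:00s, Bytes xmt: 1, Bytes rcv: 1, Reason: Idle Timeout",
    "%ASA-4-113019: Group = RemoteUsers, Username = bob, IP = 198.51.100.9, Session disconnected. "
    "Session Type: SSL, Duration: 1h:00m:00s, Bytes xmt: 512, Bytes rcv: 1024, Reason: Lost Service",
]


def parse_duration(text: str) -> int:
    """Convert the ASA 'Hh:MMm:SSs' duration to seconds."""
    h, m, s = DURATION.match(text).groups()
    return int(h) * 3600 + int(m) * 60 + int(s)


def correlate_sessions(lines: List[str]) -> List[Dict[str, object]]:
    """Pair each disconnect with the matching start (by user and IP)."""
    open_sessions = {}  # (user, ip) -> group, for sessions whose start we saw
    sessions = []
    for line in lines:
        m = START.search(line)
        if m:
            open_sessions[(m["user"], m["ip"])] = m["group"]
            continue
        m = END.search(line)
        if m:
            key = (m["user"], m["ip"])
            sessions.append({
                "user": m["user"], "ip": m["ip"], "group": m["group"],
                "duration_s": parse_duration(m["dur"]),
                "reason": m["reason"].strip(),
                # A disconnect without a matching start is worth a second look:
                # the buffer may have wrapped or the start arrived out of order.
                "start_seen": open_sessions.pop(key, None) is not None,
            })
    return sessions


def sessions_for_user(lines: List[str], user: str) -> List[Dict[str, object]]:
    """The equivalent of searching the SIEM on the user field."""
    return [s for s in correlate_sessions(lines) if s["user"] == user]


def total_connected_seconds(lines: List[str], user: str) -> int:
    return sum(s["duration_s"] for s in sessions_for_user(lines, user))


if __name__ == "__main__":
    for s in correlate_sessions(SAMPLE_LOG):
        print(s)
```

The start_seen flag is the detail worth keeping: a disconnect with no recorded start is exactly the gap a purged or wrapped log buffer leaves behind, which is why the chapter stresses shipping gateway logs to a central collector before they are overwritten.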


Figure 2-10 Splunk Managing Cisco AnyConnect Logs

VPN Client Logging

Another source of log data is the VPN client (if one is being used). Most VPN clients create log files on the client system, and these files contain details regarding the entire VPN session, from connection to termination. For example, on a Windows system the OpenVPN client log can be found at C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\log\openvpn_(unique_name).log. This file can contain details regarding the entire life cycle of OpenVPN usage unless the user or administrator purges the records or the system runs out of storage space.

Cisco AnyConnect generates verbose events that are logged by the host operating system’s logging facility and that can be read directly on the client device or exported from it. They include details about the communication between the client and the VPN gateway, as long as the client’s records have not been purged. Figure 2-11 shows an example of viewing such log details in Cisco AnyConnect after a VPN connection is established. You can see each step the VPN takes during its life cycle, along with other useful log details, and you can export the data to a text file, which is often a simpler way to review it.


Figure 2-11 Cisco AnyConnect Message Details

DART

Another approach to collecting Cisco AnyConnect logs and diagnosing connection problems is the Diagnostic and Reporting Tool (DART). DART is a wizard that bundles the client logs together with configuration and diagnostic information for analyzing and troubleshooting the AnyConnect client connection. When the wizard completes, the results are written to a single .zip file that can be shared with an administrator. Figure 2-12 shows an example of the DART wizard. Later chapters provide more detail on collecting and viewing Cisco AnyConnect logs with tools such as DART.


Figure 2-12 The Cisco AnyConnect DART Wizard

Logging Challenges

Sometimes logging is seen as a bad thing. Unwanted logging, that is, collecting and viewing information about a VPN connection and all associated user data without the involved parties knowing or approving, can be a violation of privacy. Imagine how employees would feel if they were told their organization is collecting information about whom they communicate with. Some employees would find this offensive, and in certain countries it can even be illegal. We highly recommend being open about what data your VPN solution collects, what network policies apply once a remote access VPN session is established, and what other network services you plan to offer. Cisco AnyConnect supports a login banner for exactly this purpose; on the ASA it is configured as a group-policy attribute and is shown to the user before the tunnel comes up.

Logging awareness applies to site-to-site VPNs and internal network usage as well. We recommend a formal policy that states what is considered non-approved behavior and how logging is enabled to monitor for it. An acceptable use policy (AUP) is such a document, presented to users (usually electronically) and accepted by them before they are granted access to the network. Figure 2-13 shows an example of a Cisco AnyConnect banner that acts as an AUP, which the user must accept before the VPN connection is established. We highly recommend having a legal professional validate your AUP so that it provides the maximum legal protection possible and complies with local laws.


Figure 2-13 Cisco AnyConnect Banner/AUP

Logging concerns also come into play when leveraging a VPN service provider. Many people seek out a VPN for privacy reasons, so it stands to reason that customers will be upset if they do not get the privacy they are paying for. Providers that stress a no-logging policy tend to be hosted in locations such as Panama (NordVPN), the British Virgin Islands (ExpressVPN), and Romania (CyberGhost). We are not aware of documented privacy violations by VPN service providers based in countries like the United States, but that does not mean you should not be concerned. We recommend doing your research and asking a service provider directly whether privacy is something you should worry about when using its VPN service. Some VPN service providers are transparent about logging. For example, TunnelBear publishes what it stores (see Figure 2-14), so customers know where they stand regarding logging.


Figure 2-14 TunnelBear Data Collection and Use Policy

Summary

This chapter provides a high-level overview of VPN technology to prepare you to dive deeper into VPN concepts. It looks at the major VPN technology categories, site-to-site VPNs and remote access VPNs, and at VPN hardware, software, protocols, and logging options, with a focus on technologies offered by Cisco.

At this point, you should have a broad understanding of what VPN options are available in today’s market, including the VPN capabilities that Cisco offers. The following chapters continue to focus on Cisco VPN technology concepts that are specific to the SVPN 300-730 exam, and they also discuss third-party and open-source concepts that are relevant to real-world architectures.

Chapters 3 through 6 focus on site-to-site VPN concepts, and Chapters 7 through 10 dive into remote access VPN concepts. Chapters 3 and 7 serve as a general review of the technology category while the chapters that follow dive deep into specific VPN topics you need to know for the SVPN exam. Make sure to first master the concepts in the introduction chapters before moving to the deeper focused chapters.

Now we are ready to take on the first major VPN technology category, which is a closer look at site-to-site VPN technology.

References

Anand, Adity (July 14, 2018). SSL Strip & How Awesome It Is! Retrieved from https://medium.com/bugbountywriteup/ssl-strip-how-awesome-it-is-a0eb79e28bcc

Cisco Systems, Document ID 1458444803226729 (March 13, 2015). Cisco Easy VPN Q&A. Retrieved from https://www.cisco.com/c/en/us/products/collateral/security/ios-easy-vpn/eprod_qas0900aecd805358e0.html

Cisco Systems, Document ID 1456177868598773 (February 22, 2016). Cisco IOS SSL VPN: Router-Based Remote Access for Employees and Partners Data Sheet. Retrieved from https://www.cisco.com/c/en/us/products/collateral/security/ios-sslvpn/product_data_sheet0900aecd80405e25.html

@merakisimon (March 20, 2016). VPN Made Easy for All. Retrieved from https://meraki.cisco.com/blog/2016/03/vpn-made-easy-for-all/

Mimoso, Michael (August 29, 2016). New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption. Retrieved from https://threatpost.com/new-collision-attacks-against-3des-blowfish-allow-for-cookie-decryption/120087/

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 11, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep practice test software.

Review All Key Topics

Review the most important topics in the chapter, noted with the key topics icon in the outer margin of the page. Table 2-5 lists these key topics and the page number on which each is found.


Table 2-5 Key Topics for Chapter 2


Complete Tables and Lists from Memory

Print a copy of Appendix C, “Memory Tables” (found on the companion website), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key” (also on the companion website), includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

remote access VPN

site-to-site VPN

full mesh

Point-to-Point Tunneling Protocol (PPTP)

Secure Socket Tunneling Protocol (SSTP)

Secure Sockets Layer (SSL)

Datagram Transport Layer Security (DTLS)

Internet Key Exchange (IKE)

Internet Key Exchange Version 2 (IKEv2)

Easy VPN (EzVPN)

Layer 2 Tunneling Protocol (L2TP)

Dynamic Multipoint VPN (DMVPN)

Group Encrypted Transport VPN (GETVPN)

FlexVPN

Cisco Secure Firewall Management Center (FMC)

Cisco Secure Firewall Device Manager (FDM)

Cisco Adaptive Security Device Manager (ASDM)

Cisco Defense Orchestrator (CDO)