Overview: Secure Connectivity


First Published: July 31, 2009

Contents

About This Guide

Related Documents

About This Guide

The Cisco IOS XE Security Configuration Guide: Secure Connectivity describes how you can use IP security (IPsec) with Internet Key Exchange (IKE), Public Key Infrastructure (PKI), and virtual private network (VPN) technologies to manage and secure your networks and to deliver reliable transport for complex mission-critical traffic, such as voice and client-server applications, without compromising communications quality.

This chapter includes the following:

IPsec

IKE

PKI

VPNs

IPsec

IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPsec provides data authentication and anti-replay services in addition to data confidentiality services.

IKE

IKE is a key management protocol standard that is used in conjunction with the IPsec standard. IPsec can be configured without IKE, but IKE enhances IPsec by providing additional features, flexibility, and ease of configuration for the IPsec standard.
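The following configuration, added here as an illustration and not taken from the Cisco guide, shows how the IPsec and IKE pieces described in the two paragraphs above fit together on a Cisco IOS XE router: an IKE policy protects the key exchange, a transform set provides both confidentiality (AES) and data authentication (SHA-256 HMAC) with ESP sequence numbers for anti-replay, and a crypto map binds peer, transform set and traffic selector to the outside interface. All addresses, names and the pre-shared key are constructed placeholders.

```text
! Added example (not from the Cisco guide): site-to-site IPsec protected by
! IKE. Addresses, names and the pre-shared key are placeholders.
!
! IKE (ISAKMP) policy: how the peers authenticate and protect the key
! exchange itself (AES-256, SHA-256, DH group 14, 8-hour lifetime).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key for the remote peer (placeholder value; use a long random
! secret in practice, or certificates via PKI).
crypto isakmp key EXAMPLE_PSK_REPLACE_ME address 203.0.113.2
!
! IPsec transform set: ESP with AES-256 for confidentiality and SHA-256 HMAC
! for data authentication. ESP sequence numbers give anti-replay protection.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Anti-replay window (in packets) for IPsec SAs on this router.
crypto ipsec security-association replay window-size 128
!
! Traffic selector: only traffic between the two site LANs is protected.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map ties peer, transform set, PFS and traffic selector together.
crypto map CM-SITE2 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! Apply the crypto map to the Internet-facing interface.
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-SITE2
```

The remote router carries the mirror-image configuration (swapped peer address and access-list direction). After interesting traffic is sent, `show crypto isakmp sa` should show the IKE SA in the QM_IDLE state and `show crypto ipsec sa` should show encapsulated and decapsulated packet counters increasing, which is the quickest way to confirm that both the key exchange and the data-plane protection are working. IPsec without IKE (a crypto map of type `ipsec-manual`) is also possible, but then the session keys are static and must be entered by hand on both sides, which is why the guide treats IKE as the normal case.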

PKI

PKI offers a scalable method of securing networks, reducing management overhead, and simplifying the deployment of network infrastructures by deploying Cisco IOS XE security protocols, including IPsec and secure shell (SSH). Cisco IOS XE software can also use PKI for authorization using access lists and authentication resources.

VPNs

VPN solutions are built on five underlying VPN technologies: Standard IPsec, Dynamic Multipoint VPN (DMVPN), Easy VPN, generic routing encapsulation (GRE) tunneling, and Group Encrypted Transport VPN (GET VPN). Each technology has its benefits and is customized to meet specific deployment requirements. Table 1 provides a comparison of these technologies.

Table 1 Comparison of VPN Solutions

Standard IPsec VPN
  Benefits:
    - Provides encryption between sites.
    - Supports quality of service (QoS).
  When to Use:
    - When multivendor interoperability is required.

Cisco DMVPN
  Benefits:
    - Simplifies encryption configuration and management for point-to-point GRE tunnels.
    - Provides on-demand spoke-to-spoke tunnels.
    - Supports QoS, multicast, and routing.
  When to Use:
    - To simplify configuration for hub-and-spoke VPNs while supporting QoS, multicast, and routing.
    - To provide low-scale, on-demand meshing.

Cisco Easy VPN
  Benefits:
    - Simplifies IPsec and remote-site device management through dynamic configuration policy-push.
    - Supports QoS.
  When to Use:
    - When simplifying overall VPN and management is the primary goal (but only if limited networking features are required).
    - To provide a simple, unified configuration framework for a mix of Cisco VPN products.

Cisco GRE-Based VPN
  Benefits:
    - Enables transport of multicast and the routing of traffic across an IPsec VPN.
    - Supports non-IP protocols.
    - Supports QoS.
  When to Use:
    - When routing must be supported across the VPN.
    - For the same functions as hub-and-spoke DMVPN but when a more detailed configuration is required.

Cisco GET VPN
  Benefits:
    - Simplifies encryption integration on IP and Multiprotocol Label Switching (MPLS) WANs.
    - Simplifies encryption management through use of group keying instead of point-to-point key pairs.
    - Enables scalable and manageable any-to-any connectivity between sites.
    - Supports QoS, multicast, and routing.
  When to Use:
    - To add encryption to MPLS or IP WANs while preserving any-to-any connectivity and networking features.
    - To enable scalable, full-time meshing for IPsec VPNs.
    - To enable participation of smaller routers in meshed networks.
    - To simplify encryption key management while supporting QoS, multicast, and routing.
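To make the "simplifies encryption configuration for GRE tunnels" row of Table 1 and the PKI section concrete, the following hub-router configuration is added here as an illustration (it is not from the Cisco guide): a multipoint GRE tunnel is protected with an IPsec profile applied directly to the tunnel interface, so no crypto map or traffic-selector access list is needed, and spokes are authenticated with certificates from a PKI trustpoint rather than pre-shared keys. Names, addresses and the CA URL are constructed placeholders.

```text
! Added example (not from the Cisco guide): DMVPN hub with IPsec tunnel
! protection and certificate-based IKE authentication. All names, addresses
! and the CA URL are placeholders.
!
! PKI trustpoint: where the router enrolls and how it validates peer
! certificates (CRL checking enabled so revoked spokes are rejected).
crypto pki trustpoint CA-EXAMPLE
 enrollment url http://ca.example.test:80
 subject-name CN=hub1.example.test
 revocation-check crl
 rsakeypair HUB1-KEYS
!
! IKE policy using RSA signatures: each spoke proves its identity with its
! certificate, so no per-spoke pre-shared key has to be distributed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Transport mode is sufficient because GRE already provides the outer tunnel.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
! IPsec profile: replaces the crypto map and access list of a classic
! site-to-site configuration.
crypto ipsec profile DMVPN-PROF
 set transform-set TS-AES256-SHA256
!
! Multipoint GRE tunnel. NHRP lets spokes register dynamically and resolve
! each other's addresses, which is what enables on-demand spoke-to-spoke
! tunnels; multicast mapping lets a routing protocol run over the tunnel.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 ip nhrp holdtime 600
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.252
```

Before the tunnel can come up, the hub must obtain the CA certificate and its own certificate with the exec commands `crypto pki authenticate CA-EXAMPLE` and `crypto pki enroll CA-EXAMPLE`; `show crypto pki certificates` confirms both are present. Once spokes register, `show dmvpn` lists each spoke's NBMA and tunnel addresses with its session state, and `show crypto ipsec sa` shows one IPsec SA per spoke without any per-spoke configuration having been added on the hub, which is the operational benefit the table summarizes.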

Related Documents

In addition to this document, there are other documents on Cisco.com about secure connectivity, too numerous to list here. For more information about or additional documentation for secure connectivity, search Cisco.com, specifying the desired subject or title.