Overview: Secure Connectivity
First Published: March 31, 2009
Last Updated: March 31, 2009
Contents
•About This Guide
•Related Documents
About This Guide
The Cisco IOS Security Configuration Guide: Secure Connectivity describes how you can use IP security (IPsec) with Internet Key Exchange (IKE), Public Key Infrastructure (PKI), and virtual private network (VPN) technologies to manage and secure your networks and to deliver reliable transport for complex mission-critical traffic, such as voice and client-server applications, without compromising communications quality.
This chapter includes the following:
•IPsec
•IKE
•PKI
•VPNs
IPsec
IPsec provides security for the transmission of sensitive information over unprotected networks such as the Internet. In addition to data confidentiality, IPsec provides data integrity, data origin authentication, and anti-replay protection.
IKE
IKE is a key management protocol standard that is used in conjunction with the IPsec standard. IPsec can be configured without IKE (with session keys entered manually on each peer), but IKE enhances IPsec by authenticating the peers and negotiating and refreshing the session keys automatically, which adds features, flexibility, and ease of configuration to the IPsec standard.
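The following IOS configuration is an added illustration of the IKE-with-IPsec case described above; it is not taken from the guide. It builds one site-to-site tunnel in which IKE (ISAKMP) authenticates the peer and negotiates the IPsec session keys, instead of those keys being typed in statically. The addresses, the protected networks, the pre-shared key, the interface name, and the object names (VPN-MAP, TS-AES256-SHA, VPN-TRAFFIC) are placeholders chosen for this example.

```cisco
! Added example: IKE-negotiated IPsec between this router (203.0.113.1) and a peer (203.0.113.2).
! Addresses, networks, names and the pre-shared key are placeholders, not values from the guide.
!
! Phase 1 (IKE/ISAKMP) policy: how the peers authenticate each other and protect the IKE channel.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to the peer's address (one key per peer rather than a wildcard 0.0.0.0 key).
crypto isakmp key Replace-With-A-Long-Random-Secret address 203.0.113.2
!
! Phase 2 (IPsec) transform set: ESP with AES-256 for confidentiality and SHA-1 HMAC for
! integrity, origin authentication and anti-replay, in tunnel mode.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic selector: packets matching this list trigger IKE to build the security associations.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! The crypto map ties peer, transform set and traffic selector together. "ipsec-isakmp" means
! IKE negotiates and rotates the session keys; an "ipsec-manual" map would need static keys.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Verification once traffic matching VPN-TRAFFIC has been sent:
!   show crypto isakmp sa   -> an entry for 203.0.113.2 in state QM_IDLE means Phase 1 is up
!   show crypto ipsec sa    -> the #pkts encaps / #pkts decaps counters should be increasing
```

The same tunnel can authenticate with certificates instead of a shared secret by replacing `authentication pre-share` with `authentication rsa-sig` and enrolling the router with a PKI trustpoint, which is the deployment model the PKI section below is about; a pre-shared key tied to a single peer address is acceptable for a handful of sites, but does not scale to the any-to-any topologies listed in Table 1.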
PKI
PKI offers a scalable method of securing networks, reducing management overhead, and simplifying the deployment of network infrastructures: instead of distributing a shared secret to every pair of devices, each device holds a certificate that the Cisco IOS security protocols, including IPsec, secure shell (SSH), and secure socket layer (SSL), use to authenticate peers. Cisco IOS software can also use certificate contents for authorization, for example by mapping certificate fields to access lists and to authentication resources.
VPNs
VPN solutions are built on five underlying VPN technologies: Standard IPsec, Dynamic Multipoint VPN (DMVPN), Easy VPN, generic routing encapsulation (GRE) tunneling, and Group Encrypted Transport VPN (GET VPN). Each technology has its benefits and is customized to meet specific deployment requirements. Table 1 provides a comparison of these technologies.
Table 1 Comparison of VPN Solutions

Technology | Benefits | When to Use
Standard IPsec | • Provides encryption between sites. • Supports quality of service (QoS). | • When multivendor interoperability is required.
DMVPN | • Simplifies encryption configuration and management for point-to-point GRE tunnels. • Provides on-demand spoke-to-spoke tunnels. • Supports QoS, multicast, and routing. | • To simplify configuration for hub-and-spoke VPNs while supporting QoS, multicast, and routing. • To provide low-scale, on-demand meshing.
Easy VPN | • Simplifies IPsec and remote-site device management through dynamic configuration policy-push. • Supports QoS. | • When simplifying overall VPN and management is the primary goal (but only if limited networking features are required). • To provide a simple, unified configuration framework for a mix of Cisco VPN products.
GRE tunneling (IPsec over GRE) | • Enables transport of multicast and the routing of traffic across an IPsec VPN. • Supports non-IP protocols. • Supports QoS. | • When routing must be supported across the VPN. • For the same functions as hub-and-spoke DMVPN but when a more detailed configuration is required.
GET VPN | • Simplifies encryption integration on IP and Multiprotocol Label Switching (MPLS) WANs. • Simplifies encryption management through use of group keying instead of point-to-point key pairs. • Enables scalable and manageable any-to-any connectivity between sites. • Supports QoS, multicast, and routing. | • To add encryption to MPLS or IP WANs while preserving any-to-any connectivity and networking features. • To enable scalable, full-time meshing for IPsec VPNs. • To enable participation of smaller routers in meshed networks. • To simplify encryption key management while supporting QoS, multicast, and routing.
Related Documents
In addition to this document, there are other documents on Cisco.com about secure connectivity, too numerous to list here. For more information about or additional documentation for secure connectivity, search Cisco.com, specifying the desired subject or title.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.