成果講稿第八天-icnd210s08l

VPN解決方案簡介LAN

Extension

into

a

WAN什么是VPN？使用Cisco路由器連接的業(yè)務(wù)合作伙伴 主站點邊界路由器配有PIX防火墻的區(qū)域辦公室 原有的集中器 原有的PIX防火墻配有Cisco

ISDN/DSL路由器的SOHO

使用配有Cisco

VPN客戶端的筆記本電腦的移動工作人員虛擬：私有網(wǎng)絡(luò)中的信息通過公共網(wǎng)絡(luò)傳輸私有：對流量進(jìn)行加密以保持?jǐn)?shù)據(jù)的機(jī)密性What

Is

a

VPN?Virtual:

Information

within

a

private

network

is

transportedover

a

public

network.Private:

The

traffic

is

encrypted

to

keep

the

data

confidential.VPN的優(yōu)點：分支機(jī)構(gòu)傳統(tǒng)的第二層WAN移動用戶

VSInternet

中央站點SOHO開銷安全可擴(kuò)展性Benefits

of

VPNCostSecurityScalability站點間VPN遠(yuǎn)程站點電纜

POP

Internet

路由器 中央站點企業(yè)對企業(yè)外聯(lián)網(wǎng)內(nèi)部網(wǎng)站點間VPN：傳統(tǒng)WAN的擴(kuò)展Site-to-Site

VPNsSite-to-site

VPN:

extension

of

classic

WAN遠(yuǎn)程訪問VPN：遠(yuǎn)程訪問客戶端 中央站點電子通勤族 電纜

POP

Internet

路由器移動消費(fèi)者對企業(yè)外聯(lián)網(wǎng)遠(yuǎn)程訪問VPN：撥號網(wǎng)絡(luò)和ISDN的發(fā)展Remote-Access

VPNsRemote-access

VPN:

evolution

of

dial-in

networks

and

ISDNCisco

Easy

VPN：家庭辦公室Easy

VPN

客戶端

Easy

VPN

服務(wù)器 總部 工作場所資源遠(yuǎn)程辦公室Cisco

Easy

VPNCisco

IOS

IPsec

SSL

VPN（WebVPN）集成安全性和路由Cisco

IOS

IPsec

SSL

VPN

(WebVPN)Integrated

security

and

routingBrowser-based

full

network

SSL

VPN

access支持VPN的Cisco

IOS

路由器VPN-Enabled

Cisco

IOS

RoutersCisco

ASA

自適應(yīng)安全設(shè)備：Cisco

ASA

Adaptive

Security

AppliancesVPN客戶端：(legacy)VPN

Clients什么是IPsec？IPsec在網(wǎng)絡(luò)層起作用，保護(hù)和驗證IP數(shù)據(jù)包-它是一種與算法無關(guān)的開放式標(biāo)準(zhǔn)框架-而且它提供數(shù)據(jù)機(jī)密性，數(shù)據(jù)完整性和來源驗證What

Is

IPsec?IPsec

acts

at

the

network

layer,

protecting

and

authenticating

IP

packeIt

is

a

framework

of

open

standards

that

is

algorithm

independent.It

provides

data

confidentiality,

data

integrity,

and

origin

authenticatIPsec安全服務(wù)：機(jī)密性數(shù)據(jù)完整性身份驗證

反重播保護(hù)IPsec

Security

ServicesConfidentialityData

integrityAuthenticationAntireplay

protection機(jī)密性：付給史密斯100美元 加密算法 加密算法

付給史密斯100美元我無法讀取Confidentiality

(Encryption)加密算法：DES

3DES

AES

RSAEncryption

AlgorithmsEncryption

algorithms:DESAES3DESRSADH密鑰交換： 兩個對等點需要安全地建立共享密鑰迪福赫爾曼算法：DH1

DH2

DH5DH

Key

ExchangeDiffie-Hellman

algorithms:DH1DH2DH5數(shù)據(jù)完整性：哈希算法：

HMAC-MD5HMAC-SHA-1Data

IntegrityHashing

algorithms:HMAC-MD5HMAC-SHA-1身份驗證：遠(yuǎn)程辦公室 對等點身份驗證 企業(yè)辦公室對等點身份驗證方法：PSKPSA簽名AuthenticationPeer

authentication

methods:PSKsRSA

signaturesIPsec安全協(xié)議：驗證報頭 所有數(shù)據(jù)都為明文形式AH：提供以下共功能身份驗證完整性封裝安全負(fù)載 所有負(fù)載經(jīng)過加密ESP提供以下功能：加密身份驗證完整性IPsec

Security

ProtocolsIPsec框架IPsec框架 選擇IPsec協(xié)議

ESP

ESP+AH

AH加密

DES

3SES

AES身份驗證

MD5

SHADH

DH1

DH2

DH5IPsec

FrameworkSummaryOrganizations

implement

VPNs

because

they

are

less

expensive,more

secure,

and

easier

to

scale

than

traditional

WANs.Site-to-site

VPNs

secure

traffic

between

intranet

and

extranetpeers.

Remote

access

VPNs

secure

communications

from

thetraveling muter

to

the

central

office.VPNs

can

be

implemented

with

a

variety

of

different

Ciscodevices:

Cisco

IOS

routers,

ASA

5500

Series

Adaptive

SecurityAppliances,

and

Cisco

VPN

Client

software.IPsec

is

the

framework

that

combines

security

protocols

t