Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
7.3. IPSec and Dynamic Virtual Private Networks
Section 5.2 explains some of the basic features of IPSec. However, IPSec and
Virtual Private Network (VPN) configuration are complex topics. As deployment of
VPNs becomes more common, the simple configurations described in Section 5.2
probably will not scale well enough to satisfy users' needs. To achieve scalability,
VPNs will need to be dynamic, employing public keys and public key certificates to
set up IPSec-protected links on the fly.
Security configuration issues that are likely to be important in the deployment of
large dynamic VPNs are listed below.
§ PKI enrollment and obtaining certificates
To participate in a dynamic VPN based on Public Key Infrastructure
(PKI), a router or any other device must possess a copy of the correct root
and authority certificates, and it must have its own certified public key and
private key. Installing certificates and setting up authorities on Cisco
routers is complex but well-documented. There are also trust issues in any
large VPN deployment: are all members of the VPN trusted equally? In
general, IPSec is most useful for integrity and confidentiality assurance,
but not for authorization or access control.
§ Designating traffic to be encrypted
Cisco routers, and most other VPN systems, support the ability to protect
certain traffic based on its protocol and port numbers. Currently, there are
no uniform guidelines for selecting traffic to protect.
§ Certificate revocation
In any large-scale PKI, removing certified principals from the trusted
community is very important. PKI standards define various data formats
and protocols for defining revocations and for checking certification status
(e.g. X.509 CRL format, OCSP). It may be necessary to configure
revocation checking on routers participating in dynamic VPNs.
§ Cryptographic issues
Selection of uniform key sizes and cryptographic algorithms will be a
contentious issue in VPN deployment. Cisco routers currently support
only a small complement of algorithms, depending on the installed IOS
version and feature set.
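The four issues above show up as concrete configuration choices on a router. The fragment below is an added example, not a configuration from this guide or from Cisco: it sketches how one router would be set up as a participant in a certificate-based VPN, with the trust anchor and enrollment, revocation checking, the traffic selector, and the algorithm selection each marked. The host name, addresses, list numbers, trustpoint name and CA URL are constructed placeholders, and the command syntax assumes IOS 12.1/12.2; IOS 12.0 spells the trustpoint command `crypto ca identity`.

```cisco
! Assumed sample configuration (added example, not from the guide).
! Router "East" joins a certificate-based VPN with peer 192.0.2.2.
! All names, addresses and list numbers are constructed placeholders.
!
hostname East
ip domain-name example.net
!
! --- PKI enrollment and trust anchor ---
! Before this section, "crypto key generate rsa" (privileged EXEC) creates
! the router's own key pair. IOS 12.0 uses "crypto ca identity" here.
crypto ca trustpoint EXAMPLE-CA
 enrollment url http://ca.example.net:80
 crl query ldap://ca.example.net
 ! Revocation checking is mandatory unless "crl optional" is configured.
 ! "crl optional" admits a peer when the CRL cannot be fetched (fail-open),
 ! so leave it out unless that trade-off has been accepted deliberately.
!
! Then, in privileged EXEC: "crypto ca authenticate EXAMPLE-CA" fetches the
! CA certificate (confirm its fingerprint out of band before accepting it),
! and "crypto ca enroll EXAMPLE-CA" requests the router's own certificate.
!
! --- Cryptographic algorithm selection, phase 1 (IKE/ISAKMP) ---
! Certificates are used by choosing rsa-sig rather than pre-shared keys.
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! --- Cryptographic algorithm selection, phase 2 (IPSec) ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! --- Designating traffic to be encrypted ---
! Extended access list 110 is the traffic selector: a "permit" entry means
! "protect this traffic". Only TCP 443 and TCP 22 between the two site
! networks is encrypted; packets that match no entry leave the interface
! unprotected (subject to the interface's ordinary access lists).
access-list 110 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 443
access-list 110 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 22
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set ESP-3DES-SHA
 match address 110
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPNMAP
```

The two settings most often gotten wrong are the ones the list above singles out: leaving `crl optional` in place turns a revoked peer certificate into an accepted one whenever the CRL server is unreachable, and a crypto access list that is broader than intended silently tunnels traffic nobody meant to protect, while one that is narrower sends sensitive traffic in the clear. `show crypto ca certificates` and `show crypto ipsec sa` confirm, respectively, that the expected certificates are installed and that security associations are actually being built for the selected traffic.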
For complete information on the IPSec and dynamic VPN capabilities of Cisco IOS
12.0, consult Cisco IOS 12.0 Network Security [2].