Customer Reviews

IPSec VPN Design

5 star:		(3)
4 star:		(1)
3 star:		(0)
2 star:		(1)
1 star:		(0)

 

 

IPSec VPN Design (ISBN 1587051117) focuses on the design and implementation of IPSec VPNs. The authors consider this the "definitive design and deployment guide for secure virtual private networks." There are many theoretical publications covering the foundations of network security, but VPN security design is especially challenging. There are so many variables that even knowing the theoretical concepts, models, tradeoffs, and scalability, it can still be a daunting task. This book is for the advanced/expert in the network security field.

Because of the advanced topics presented in this guide, considerable network management and/or a network engineer level of experience is needed to use the wealth of information presented by authors Vijay Bollapragada (CCIE), Mohamed Khalid (CCIE), and Scott Wainner. It is expected that the reader will have a working knowledge of IP routing, architectures, WAN technologies, Cisco IOS, and network security. The introductory chapters briefly "review" knowledge that the authors expect users to have which results in getting everyone focused on the starting point of this technical guide.

The concept of network security is not the same in all environments as each VPN will have different connectivity and integration platforms. This guide to designing an IPSec type of VPN is Cisco based. The configuration examples and troubleshooting output are Cisco IOS. Many design principles -efficient, reliable, cost effective, fault-tolerant, and scalable -- have commonality in several environments, but again, all illustrations and examples use Cisco technology. This book does design IPSec VPNs from many perspectives.

The organization of IPSec VPN Design is organized into three units: introduction and concepts; design and deployment; service enhancements. This organizes technical material as it moves from a brief review of technologies that use VPNs, to an overview of IPSec architecture, protocols, components, and concludes by examining advanced issues such as voice, multicast, and network-based VPNs.

As an introduction to this topic, an IPSec VPN is configured and packet processing is explained step-by-step using Cisco IOS. The illustrations and diagrams of the topology, end-to-end packet processing, and configuration command output (from show and debug commands) is very helpful to the reader. IPSec protocols and the differences between tunnel mode and transport mode are described.

After an introduction to authentication and security, the authors move into considerable detail and enhanced features of IPSec, scalability, and fault tolerance with dead peer detection or control plane keepalives. There are always unique challenges to implementing VPNs, and this book gives examples from the authors' experience to handle situations for interaction with NAT (Network Address Translation) or PMTUD (Path Maximum Transmission Unit Detection). To end the introduction/concepts unit, authentication/authorization models for remote access users discusses XAUTH (Extended Authentication) and MODE-CFG (Mode-configuration). Cisco's EzVPN connection model and digital certification conclude this unit. The authors then move to applying these concepts to VPN design.

The design and deployment phase considers hub and spoke architecture, failover, fault tolerance, and alleviation of complexity in large-scale situations using TED (Tunnel End-Point Discovery) and DMVPN (Dynamic Multipoint VPN). Advanced enhancements include quality of service (QoS), interoperability with voice and video, and a new type of VPN service known as the network-based VPN.

Topics move from general introductory concepts (Chapters 1-4) to specific design and deployment (Chapters 5-7), and concludes with advanced/integrated service enhancements (Chapters 8-9). The authors have taken care to explain pros and cons of various designs and give alternatives. The "notes" sections illustrate advantages and disadvantages or add relevant comments from the author's experience. Illustrations are appropriate, easily read, and well-designed. There is an abundance of configuration examples, complete with resulting show and debug output, and all with highlighting to assist the learner. These types of real-world examples are easier to learn from than the traditional technical documentation. The index is complete; there is not a glossary which might have been helpful for some readers.

Throughout this guide, Bollapragada, Khalid, and Wainner have managed to write at a level that is appropriate for an advanced topic while using examples that are easily understood. Some network managers may not actually design an IPSec VPN, but still need to understand the principles of security, be able to communicate with technical support, and work with network engineers and service providers in maintaining/troubleshooting the VPN. Advanced understanding and good troubleshooting skills are contained in this guide.

IPSec VPN Design is a well-written, concise guide to designing VPNs in general and IPSec VPNs specifically. It would be helpful to individuals taking their networking skills to another level or those studying for CCIE or Security certifications. It targets network engineers and network designers working at the corporate level or working for the service provider. Bollapragada, Khalid, and Wainner each brought their expertise and considerable experience into the collaboration while authoring this book.

An excellent book published by Cisco Press, 2005, which deserves a rating of 5 on a 1-5 scale.

This was a great book if your implementation of IPSec were to be solely on IPV4, however, there is not one mention of the changes that affect Cisco networks with IPSec such as no support for IPSec in the transport mode etc. If IPv6 is not a concern, this book is the best available.

IPSec VPN Design is not a bad technical book. It's what I call a "Cool Whip" book. It looks good, but there is little that is useful or original. It claims to be "the definitive design and deployment guide". It is not. Most of the explanations are academic and dry. There are many examples. Some are useful. Some are not. Many are outdated.

My primary complaint is that it does not cover Pix 7.0. This is a huge oversight for a Cisco Press book published in April 2005. There are several important features in 7.0 such as "hairpinning" or the ability for one spoke (or remote access client) to access another spoke in the hub and spoke model. The book states that hairpinning is not possible and most of the designs are based on this premise.

I was also disappointed to find that the book failed to cover ACLs and VPNs. This is an critical topic in VPN design. Too many network administrators simply allow full access of one private network to another using "sysopt connection permit-ipsec" without thinking of the security implications. It many circumstances, it may be more appropriate to disable this command and create explicit access lists for resources accessible via VPN. I would have liked to see some examples using both methods and the trade-offs of each approach.

There were a couple of interesting topic areas covered by the book such as VoIP over VPN. Even though it's short on configuration details or examples, I enjoyed learning about the issues involved.

The book is simply not work the money. If you're new to IPSec or just setting up a basic site-to-site VPN, you'd be better off with a simpler guide. And if you're more sophisticated, you will do better digging up examples with Google, even from Cisco's own website.

If you have fixed sites that you want to be secure, you can link the sites with leased lines and lots of simple security that will work well. But that's an expensive approach.

Further, people in your organization probably travel around and need to access confidential data. How can you lift the firewall for that access and still keep intruders out? It's a harder task.

The presence of moving users means that most secure networks will have some component that's going over the Internet. The Internet is not as secure as leased lines, but it's a lot cheaper. So while you're there, how much else can you do with the Internet?

With IPSec VPN Design, any good network engineer will be in a position to make good choices about architecture, hardware and software.

One of the basic limitations is that encryption ties up a lot of hub space while two sites are connected. The tougher the encryption you use, the more hub space is tied up. You can terminate idle connections faster and free up more space that way. You can also employ simpler means of encryption.

One of the book's great strengths is that it assumes that you know about networks, but not about secure networks. So a neophyte in the area can use this helpful guide. I know, because I'm such a neophyte and the book made great sense to me.

Like all the wonderful Cisco guides, this one is filled with figures to show hardware structures, examples with router and message configurations, and helpful tables that show formats.

Chapter 1 is a brief introduction to VPNs.

Chapter 2 is an overview of IPSec explaining algorithms, digital signatures, security protocols ((transport and tunnel modes, encapsulating security headers and authentication headers), key management and security associations (Diffie-Hellman, IKE and IPSec packet processing).

Chapter 3 looks at more detailed features of IPSec such as IKE keepalives, dead peer detection, idle timeouts, IPSec and fragmentation, and IPSec and GRE).

Chapter 4 is an excellent look at authentication and authorization models.

Chapter 5 examines the pros and cons of different IPSec VPN architectures. I liked this chapter best. The choices are more subtle than you think because you can mix and match bits and pieces of architectures to solve specific problems.

Since so many secure public networks involve applications that can't be down, chapter 6 looks in depth at fault tolerance methods.

Chapter 7 offers some time-saving tips on how to use auto-configuration architectures for site-to-site applications.

Chapter 8 examines application interoperability. I found the sections on mixing voice and data to be especially interesting.

In chapter 9, the book concludes with looking at network-based VPNs.

This book will save anyone examining the feasibility of putting secure data over the Internet a lot of mistakes, time and money.

Get this book today!

This book is one of the most comprehensive book that I can use to understand & teach IPSec & even design/deploy IPSec networks.