
DATA SHEET

CISCO IPSEC AND SSL VPN SOLUTIONS

Cisco VPN 3000 Series Concentrators, Cisco PIX Security Appliances, Cisco ASA 5500 Series Adaptive Security Appliances, Cisco IOS VPN Security Routers, and Cisco Catalyst 6500 Series Switches

VPNs allow organizations to securely connect remote offices and remote users using cost-effective, third-party Internet access rather than expensive dedicated WAN links. By deploying VPNs over high-bandwidth transport such as DSL, Ethernet, and cable, organizations can easily reduce their connectivity costs while increasing remote connection bandwidth. VPNs are an alternative to the Frame Relay and leased-line WAN infrastructures typically used to provide network connectivity for branch offices, home office intranets, and business partner extranets.

Encrypted VPNs provide the highest possible levels of security through advanced encryption and authentication protocols that protect data from unauthorized access. With encrypted VPNs, corporations are able to increase the capacity of data, users, and connections without significantly adding to an existing infrastructure. Encrypted VPNs provide more flexibility and scalability than Frame Relay and leased-line connections by enabling corporations to take advantage of the easy-to-provision Internet infrastructure within ISPs and easily add new users. As a result, corporations are able to dramatically increase capacity without the need to significantly expand infrastructure.

There are two types of encrypted VPNs: site-to-site and remote-access. Site-to-site encrypted VPNs provide the same benefits as private WANs—they help to ensure private communications from one trusted site to another, and provide multiprotocol support, high reliability, and extensive scalability. Site-to-site encrypted VPNs are cost-effective and secure, and allow for greater administrative flexibility than legacy private WANs.

Remote-access VPNs are a flexible and cost-effective alternative to private dialup solutions; in fact, VPNs have become the logical solution for remote-access connectivity. Deploying a remote-access VPN helps reduce organizations’ communications expenses by using the local dialup infrastructures of ISPs. Similarly, remote-access VPNs allow mobile workers, telecommuters, partners, and day extenders to take advantage of broadband connectivity.

VPN SOLUTIONS TO MEET EVERY NEED

Cisco Systems offers a wide range of VPN products, from VPN-optimized routers, firewalls, and dedicated VPN concentrators to hardware and software-based VPN clients and Secure Sockets Layer (SSL)-based VPNs, resulting in a complete portfolio of VPN solutions able to meet the requirements of any organization.

The extensive portfolio of Cisco VPN solutions includes Cisco IOS VPN security routers, Cisco Catalyst 6500 Series switches, Cisco VPN 3000 Series concentrators, Cisco PIX security appliances, and the new Cisco ASA 5500 Series of adaptive security appliances. These solutions are designed with mission-specific feature sets, and implement leading VPN technologies such as IP Security (IPSec) and SSL to allow customers to deploy the best technologies available based on their network environments and requirements.

Site-to-Site VPN

Site-to-site VPNs allow businesses to extend their network resources to branch offices, home offices, and business partner sites. All traffic sent between the sites is encrypted using IPSec, which provides network-layer encryption for sensitive data passing across the VPN tunnel.

All contents are Copyright 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 1
Remote-Access VPN

IPSec VPN provides remote users with the most robust remote-access environments by extending almost any data, voice, or video application available in the office to remote working locations, helping to create a user experience that emulates working in the main office location.

Cisco WebVPN

Cisco WebVPN provides SSL VPN-based remote-access connectivity from almost any Internet-enabled location using only a Web browser and its native SSL encryption, enabling companies to securely extend their enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location. SSL VPN enables access from non-corporate-owned machines such as home PCs, Internet kiosks, or wireless hotspots, where an IT department cannot easily deploy and manage the VPN client software necessary for IPSec VPN connections. The Cisco WebVPN solution delivers three levels of SSL VPN access: clientless, thin-client, and SSL tunneling client access, enabling the appropriate level of application access based on the end-system deployment environment requirements. SSL VPNs allow users to access Webpages and Web-enabled services—including the ability to access files, send and receive e-mail, and run TCP-based applications—without the use of IPSec VPN client software. SSL-based VPNs are an excellent fit for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops.

SSL VPNs and IPSec VPNs are complementary technologies that can be deployed together to better address the unique access requirements of diverse user communities. Cisco has enhanced its widely deployed IPSec VPN products to deliver SSL-based VPN (clientless, Web browser-based) services as well, providing the benefits of both technologies on a single device.* This strategy eases deployment and management by using the existing installed infrastructure, preserving customer investments in existing VPN equipment.

In addition, the innovative Cisco Easy VPN capabilities found in Cisco VPN 3000 Series concentrators, Cisco PIX Security Appliances, Cisco ASA 5500 Series appliances, and Cisco IOS routers deliver a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture. Built upon the foundation of dynamic policy distribution and effortless provisioning, Cisco Easy VPN eliminates the operational costs associated with maintaining remote-device configurations typically required by traditional VPN solutions. Easy VPN enables Cisco customers to enjoy the many benefits that VPNs provide—such as increased employee productivity as a result of high-speed broadband connectivity, and significantly reduced operational costs that result from eliminating legacy dialup architecture expenses—without the problems commonly associated with other remote-access VPN solutions.

Cisco Easy VPN consists of two components: Easy VPN Server and Easy VPN Remote. Cisco Easy VPN Server allows Cisco IOS routers, Cisco PIX Security Appliances, Cisco ASA 5500 Series adaptive security appliances, and Cisco VPN 3000 Series concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, where the remote office devices are using Cisco Easy VPN Remote. Using Cisco Easy VPN Remote, security policies defined at the head-end are pushed to the remote VPN device, helping to ensure that those connections have up-to-date policies in place before connections are established. The Cisco Easy VPN Remote feature is supported by a wide range of platforms, including Cisco IOS routers, Cisco PIX Security Appliances, Cisco adaptive security appliances, Cisco VPN 3002 hardware clients, and Cisco VPN software clients.

Table 1 shows the Cisco product matrix and feature benefits for site-to-site and remote-access VPNs.

* This capability is available at no additional cost for Cisco VPN 3000 Series concentrators with Release v4.7.

© 2005 Cisco Systems, Inc. All rights reserved. Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com. Page 2 of 17
Table 1. Cisco Product Matrix and Feature Benefits for Site-to-Site and Remote-Access VPN

| Product | Site-to-Site VPN | IPSec Remote-Access VPN | SSL Remote-Access VPN |
|---|---|---|---|
| Cisco PIX Security Appliances | Y | Y | N |
| Cisco VPN 3000 Series | Y | Most feature-rich | Most feature-rich |
| Cisco IOS Software or Cisco Catalyst Switches | Most feature-rich | Y | N |
| Cisco ASA 5500 Series | Y | Most feature-rich | Y |

CISCO VPN 3000 SERIES CONCENTRATORS

The Cisco VPN 3000 Series offers best-in-class remote-access VPN devices that provide businesses with unprecedented cost savings through flexible, reliable, and high-performance remote-access solutions. The Cisco VPN 3000 Series is Cisco’s most feature-rich remote-access VPN platform, offering solutions for the most diverse remote-access deployment scenarios. By offering both IPSec and SSL VPN connectivity on a single platform—without the expense of individual feature licensing—customers can achieve significant cost savings while experiencing the industry-leading advanced features required by today’s remote-access VPN deployments.

To fully realize the benefits of high-performance, secure remote access, a robust, highly available VPN solution is needed. The Cisco VPN 3000 Concentrator with version 4.7 software incorporates the most advanced, high-availability capabilities with a unique purpose-built, remote-access architecture that enables corporations to build high-performance, scalable, and robust VPN infrastructures to support their mission-critical, remote-access application requirements.

The Cisco VPN 3000 Concentrator Software with version 4.7 software delivers extensive application access with the SSL VPN client for WebVPN, best-in-market endpoint security and data integrity protection with the Cisco Secure Desktop, leading network infrastructure access with truly clientless Citrix server support, and network compliance validation controls with IPSec-enabled Network Admission Control (NAC).

Cisco VPN 3000 Series concentrators are ideal for organizations that require the most advanced and flexible remote-access VPN technology and that prefer the operational simplicity and management segregation of a focused-function VPN device. Purpose-built for remote-access VPN, Cisco VPN 3000 Series concentrators incorporate high availability, high performance, and scalability with the most diverse encryption and authentication techniques available today (Figure 1).

Figure 1. Cisco VPN 3000 Series Concentrators (figure labels: Teleworkers/SOHO, Small Branch, Medium-Sized Branch, Enterprise Branch, Enterprise Headquarters; Cisco VPN 3002, 3005, 3015, 3020, 3030, 3060, 3080)

Features of the Cisco VPN 3000 Series platform include:
• Customized application access with Cisco WebVPN v4.7 delivering clientless, thin-client, and SSL tunneling client access methods. This enables deployment of the appropriate level of application access based on the end-system deployment environment, such as employees, extranets, and non-company-managed devices.
  – The SSL VPN Client for WebVPN is a lightweight, centrally configured, and easy-to-support SSL VPN software client which allows access to virtually any application. The SSL VPN Client for WebVPN is compatible with any SSL-enabled browser, and is dynamically pushed to the user in one of three methods—ActiveX, Java, or an .exe file.
  – Thin-client access with Cisco WebVPN v4.7 is achieved through a port forwarding mechanism enabled by a small Java applet download. Port forwarding relays data requested by the port on the local machine to the corresponding application port on the network side—granting the user access to more applications and network resources than a Web browser offers.
  – Clientless access with Cisco WebVPN allows users to connect to a corporate network with few requirements beyond a basic Web browser, and the ability to access Web servers or resources such as file shares and e-mail through Outlook Web Access 2003.
• The Cisco Secure Desktop is an industry-leading endpoint security solution offering advanced endpoint security and data theft prevention. At session initiation, the Cisco Secure Desktop performs a pre-connection security posture assessment, checking for the presence of antivirus software and personal firewall software, and ensures a keystroke logger is not running on the endpoint prior to the session initiation. During the session, all session data is encrypted and written to a secure vault, or partition to the hard drive, and cannot be saved to the host system by the user, knowingly or unknowingly. At the close of the session, the secure vault is eradicated using a U.S. Department of Defense (DoD) sanitization algorithm, erasing all session information, including cache files, history, cookies, file downloads, and passwords.
• Cisco VPN 3000 Concentrator Software v4.7 offers fully clientless Citrix support for terminal service environments, without the need for any SSL VPN client software. This increases application performance and reduces endpoint software compatibility issues, providing users with rapid and highly stable system access regardless of browser or security settings.
• Cisco VPN 3000 Concentrator Software v4.7 is NAC-enabled for IPSec remote-access scenarios, allowing the concentrator to act as a NAC enforcement point. This reduces the risk associated with extending network resources in remote-access scenarios by preventing vulnerable hosts from obtaining and retaining normal network access.
• Standards-based, easy-to-use VPN client with touchless Cisco Easy VPN configuration management and broad operating system support, including Windows, Mac, Linux, and Solaris.
• Integrated Web-based management system that enables corporations to easily install, configure, and monitor their remote-access VPNs.
• Integrated clustering and load-balancing capabilities that enable customers to scale their Cisco VPN 3000 Series deployments to tens of thousands of users with low operational expense.
• Broad user authentication support, including single-use passwords, RADIUS, Active Directory, Security Dynamics’ SDI, digital certificates, and many others.

Cisco VPN 3000 Series concentrators support the widest range of connectivity options, including WebVPN, Cisco VPN Client, Cisco VPN 3002 Hardware Client, Microsoft Layer 2 Tunneling Protocol (L2TP)/IPSec, and Microsoft Point-to-Point Tunneling Protocol (PPTP).

The Cisco VPN 3000 Series offers both award-winning IPSec capabilities and clientless SSL VPN capabilities on a single platform. The combination of Cisco WebVPN and IPSec VPN provides unparalleled deployment flexibility and ease of management for meeting the requirements of any remote-access user population. Available applications include Webpage access, Windows (CIFS) file shares (via Web interface), e-mail (Simple Mail Transfer Protocol [SMTP], point of presence [POP], Internet Message Access Protocol [IMAP], MAPI/Exchange, Outlook Web Access, Lotus Notes, and Lotus iNotes), and most TCP-based client-server applications. Cisco WebVPN supports load balancing, multidevice clustering for pay-as-you-go scalability and resiliency, user-group-based management, and all user authentication methods supported by the Cisco VPN 3000, including single-use passwords, RADIUS, Active Directory, SDI, and digital certificates and many others.
Table 2 gives performance data for Cisco VPN 3000 Series concentrators.

Table 2. Cisco VPN 3000 Series Concentrator Performance

| Cisco VPN 3000 Series Concentrators | Simultaneous IPSec Remote-Access Users* | Maximum LAN-to-LAN Sessions | Simultaneous WebVPN (Clientless) Users** | Encryption Throughput |
|---|---|---|---|---|
| Cisco VPN 3002 | 253*** | 1 | – | 2.2 Mbps |
| Cisco VPN 3005 | 200 | 100 | 50 | 4 Mbps |
| Cisco VPN 3015 | 100 | 100 | 75 | 4 Mbps |
| Cisco VPN 3020 | 750 | 250 | 200 | 50 Mbps |
| Cisco VPN 3030 | 1500 | 500 | 500 | 50 Mbps |
| Cisco VPN 3060 | 5000 | 1000 | 500 | 100 Mbps |
| Cisco VPN 3080 | 10,000 | 1000 | 500 | 100 Mbps |

* Assumes maximum device memory and Enhanced Scalable Encryption Processing (SEP-E) modules (Cisco VPN 3020, 3030, 3060, and 3080 models). For planning purposes, a simultaneous IPSec user is considered to be a remote-access VPN user connected in all-tunneling mode; this includes one IKE security association and two unidirectional IPSec security associations. Network sizing should take into consideration number of sessions, throughput per user, and aggregate throughput of the remote access environment when choosing the appropriate VPN 3000 Concentrator model.

** Assumes maximum device memory and SEP-E modules (models 3020–3080). For planning purposes, a simultaneous WebVPN user is considered to be a clientless VPN user retrieving a Webpage at up to every 60 seconds. Users log in at the rate of one per second and pass data for the duration of the test. The average retrieval time for the Webpage is less than or equal to five seconds.

*** Refers to the number of devices on a single network behind the Cisco VPN 3002 Hardware Client.

Cisco VPN 3000 Series concentrators can be managed using any standard Web browser (HTTP or Secure HTTP [HTTPS]), as well as by Telnet, Secure Shell Protocol (SSHv1), or a console port. Files can be accessed through HTTPS, FTP, and SSH Copy (SCP). The Cisco VPN 3000 Series provides a user-friendly interface that simplifies configuration and monitoring by the enterprise and the service provider. This flexible user interface allows the configuration of access levels by user and groups, allowing thorough configuration and maintenance of security policies. For larger-scale deployments, Cisco VPN 3000 Series concentrators are supported in several Cisco network management applications, including the Cisco IP Solution Center (ISC), Cisco VPN Monitor, CiscoWorks CiscoView, and tools available from Cisco AVVID (Architecture for Voice, Video and Integrated Data) partners.

CISCO ASA 5500 SERIES ADAPTIVE SECURITY APPLIANCES

Cisco ASA 5500 Series all-in-one adaptive security appliances deliver enterprise-class security and VPN to small and medium-sized businesses (SMBs) and large enterprise networks in a modular, purpose-built appliance (Figure 2). The Cisco ASA 5500 Series incorporates a wide range of integrated security services, including firewall, intrusion prevention system (IPS), and VPN in an easy-to-deploy, high-performance solution. By integrating VPN and security services, the Cisco ASA 5500 Series provides secure VPN connectivity and communications. Integrated Adaptive Threat Defense capabilities protect the VPN deployment from becoming a conduit for network attacks such as worms, viruses, malware, or hacking. Detailed application and access control policy is applied to VPN traffic, so individuals and groups of users have access to the services and resources to which they are entitled.

The Cisco ASA 5500 Series is Cisco’s most feature-rich solution for IPSec remote access, and also supports SSL VPN and IPSec site-to-site connectivity. Furthermore, the series provides higher scalability and increased throughput capabilities, relative to Cisco VPN 3000 Series concentrators. Cisco ASA 5500 Series adaptive security appliances integrate easily into any Cisco VPN 3000 Series load-balancing cluster.
Figure 2. The Cisco ASA 5500 Series Portfolio (figure labels: Cisco ASA 5510, Small Branch; Cisco ASA 5520, Medium-Sized Branch; Cisco ASA 5540, Enterprise Branch or Headquarters)

Table 3 summarizes the VPN performance of each adaptive security appliance.

Table 3. Cisco ASA 5500 Series Appliance VPN Performance

| Model | VPN Basic | VPN Plus | VPN Throughput (300/1400 Byte) |
|---|---|---|---|
| Cisco ASA 5510 | 50 VPN peers | 150 VPN peers | 50/170 Mbps |
| Cisco ASA 5520 | 300 VPN peers | 750 VPN peers | 100/225 Mbps |
| Cisco ASA 5540 | 500 VPN peers | 2000 VPN peers | 200/325 Mbps |

Cisco ASA 5540: 5000 VPN peers with a VPN premium license.

Licensing for the Cisco ASA 5500 Series encompasses a large number of new features. There are three Cisco ASA licenses: Basic, VPN Plus, and VPN Premium. Feature licenses are available for additional security context support, failover active-active support, and GPRS Tunneling Protocol (GTP) support. Generally, as you move upward in licensing class (Basic, Plus, Premium), the number of supported VPN peers increases (for example, for the 5540, supported VPN peers change from 500 to 2000 and finally 5000). Please see the product data sheet for more details.

Remote Access—The Cisco ASA 5500 Series offers flexible technologies that deliver tailored solutions to suit connectivity requirements. It provides employees with company-managed desktops robust, customizable remote access via an IPSec VPN. In situations where endpoints are not company managed, such as extranets, Internet kiosks, or employee-owned desktops, the Cisco ASA 5500 Series delivers WebVPN for SSL-based remote access. Enterprises can take advantage of Cisco’s remote-access expertise to deploy a single integrated platform with broad support for core enterprise applications.

• Flexible platform—Offers both IPSec and SSL VPN on a single platform, eliminating the need to provide parallel solutions. The inefficiency and added cost of deploying separate, distinct platforms for both SSL and IPSec VPNs is eliminated.
• Resilient clustering—Allows remote-access deployments to scale cost-effectively by evenly distributing VPN sessions across all Cisco ASA 5500 Series and VPN 3000 Series devices without requiring any user intervention. This highly resilient capability eliminates any single point of failure and helps to protect customer investments.
• Cisco Easy VPN—Delivers a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture. Cisco ASA 5500 Series appliances dynamically push the latest VPN security policies to remote VPN devices and clients, making sure those endpoint policies are up to date before a connection is established. This offers the ultimate flexibility, scalability, and ease of use.
• Automatic Cisco VPN Client updates—The Cisco ASA 5500 Series provides VPN client software “auto-update” capabilities that enable automated version upgrades for Cisco VPN Client software operating on remote desktops.
Site-to-Site—Using the standards-based site-to-site VPN capabilities provided by the Cisco ASA 5500 Series, businesses can securely extend their networks across low-cost Internet connections to business partners and remote and satellite offices worldwide.

• VPN infrastructure for today’s applications—The Cisco ASA 5500 Series provides a VPN infrastructure capable of converged voice, video, and data across a secure IPSec network, by combining robust site-to-site VPN support with rich inspection capabilities, quality of service (QoS), routing, and stateful failover features, allowing businesses to take advantage of the many benefits that converged networks deliver.
• Robust security and performance—Branch and remote offices extend a company’s reach into different markets and locations. Cisco ASA 5500 Series-based VPN solutions enable secure, high-speed communications between multiple locations, offering the performance, reliability, and availability that businesses need to communicate.

Cisco ASA 5500 Series adaptive security appliances are managed via the integrated Web-based Cisco Adaptive Security Device Manager (ASDM). Cisco ASDM manages all security and VPN functions of the appliances.

CISCO PIX SECURITY APPLIANCES

World-leading Cisco PIX Security Appliances provide robust, enterprise-class, integrated network security services, including stateful inspection firewalling, deep protocol and application inspection, IPSec VPN, multivector attack protection, and rich multimedia and voice security—in cost-effective, easy-to-deploy solutions. Cisco PIX Security Appliances range from compact, “plug-and-play” desktop security appliances for small and home offices to modular, carrier-class gigabit security appliances for the most demanding enterprise and service provider environments (Figure 3).

Cisco PIX Security Appliances are ideal for those looking for the best-of-breed firewall combined with comprehensive VPN support. They are also an excellent option for organizations whose security policies recommend separate management of the security infrastructure, setting a clear demarcation between security and network operation.

Figure 3. Cisco PIX Security Appliance Portfolio (figure labels: Teleworker/SOHO, Small Branch, Medium-Sized Branch, Enterprise Branch, Enterprise Edge, Enterprise Headquarters, Data Center; Cisco PIX 501, 506E, 515E, 525, 535)

The figure above provides general guidelines. Network environments should be scaled on application requirements, not solely on the size of the network.

Built upon a hardened, purpose-built operating system designed for delivering rich security services, Cisco PIX Security Appliances provide the highest levels of security. The appliances have earned numerous industry evaluations and certifications, including Common Criteria Evaluation Assurance Level (EAL) 4 status, as well as ICSA Labs Firewall and IPSec certifications.

Cisco PIX Security Appliances provide market-leading protection for a wide range of voice-over-IP (VoIP) and multimedia standards, allowing businesses to securely take advantage of the many benefits that converged data, voice, and video networks deliver. By combining VPN with the rich stateful inspection firewall services that Cisco PIX Security Appliances provide for these converged networking standards, businesses can securely extend voice and multimedia services to home-office and remote-office environments for additional cost savings, improved productivity, and competitive advantage.

Using the standards-based site-to-site VPN capabilities provided by Cisco PIX Security Appliances, businesses can securely extend their networks across low-cost Internet connections to business partners and remote and satellite offices worldwide. Built upon the IKE and IPSec VPN standards, Cisco PIX Security Appliances encrypt data using 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES), or up to 256-bit Advanced Encryption Standard (AES). Cisco PIX Security Appliances can also participate in X.509-based Public Key Infrastructures (PKIs) and provide easy, automated certificate enrollment using the Simple Certificate Enrollment Protocol (SCEP)—another Internet standard that Cisco Systems helped pioneer.

Remote-access users can be authenticated against the internal user ID/password database on the Cisco PIX security appliance itself (which also integrates with Kerberos [Windows Active Directory], Lightweight Directory Access Protocol [LDAP], and RSA SecurID backend systems), or via an external source using TACACS+ or RADIUS. Access to network resources can be strongly authenticated through the Cisco PIX security appliance’s local user database or through integration with enterprise databases, either directly using TACACS+/RADIUS or indirectly with Cisco Secure Access Control Server (ACS). Additionally, Cisco PIX Security Appliances support dynamic downloading and enforcement of access control lists (ACLs) on a per-user basis, upon user authentication with the device. Cisco PIX Security Appliances support a wide range of VPN clients, from Cisco VPN Client to the Microsoft embedded PPTP clients, L2TP VPN clients, and clients for mobile personal digital assistant (PDA) devices.

Certain Cisco PIX models have integrated hardware VPN acceleration capabilities. The Cisco VPN Accelerator Card (VAC+) delivers up to 425 Mbps of DES, 3DES, or AES IPSec encryption throughput. Well beyond full-duplex OC-3 line rates, the Cisco PIX security appliance with VAC+ provides excellent price and performance for small to very large enterprise-class site-to-site aggregation. Moreover, it supports up to 2000 encrypted tunnels for mixed VPN environments that have both site-to-site and remote-access VPN requirements. These performance features, along with upgradable encryption accelerators and LAN interfaces, make Cisco PIX Security Appliances some of the most scalable, upgradable, and cost-effective central-site VPN and security solutions on the market. This high level of modularity provides unmatched investment protection. Individual components of the solution can be upgraded as requirements grow, helping customers avoid costly upgrades of the entire chassis to enable new features or performance levels.

Table 4 summarizes the crypto performance of each Cisco PIX security appliance model (using 3DES and AES-128 with 1400-byte packets).

Table 4. Cisco PIX Security Appliance IPSec Performance

| Model | Maximum Site-to-Site and Remote User Tunnels | 3DES Performance | AES-128 Performance |
|---|---|---|---|
| Cisco PIX 501 | 10 | 3 Mbps | 4.5 Mbps |
| Cisco PIX 506E | 25 | 15 Mbps | 30 Mbps |
| Cisco PIX 515E with VAC+ | 2000 | 130 Mbps | 130 Mbps |
| Cisco PIX 525 with VAC+ | 2000 | 145 Mbps | 135 Mbps |
| Cisco PIX 535 with VAC+ | 2000 | 425 Mbps | 495 Mbps |

Cisco PIX Security Appliances provide up to 16 levels of customizable administrative roles so that enterprises can grant administrators and operations personnel the appropriate level of access to each device (for example, monitoring-only, read-only access to the configuration, VPN configuration only, or firewall configuration only).

Administrators can choose from products that meet their operational requirements for remotely configuring, monitoring, and troubleshooting Cisco PIX Security Appliances. Administrators can manage Cisco PIX Security Appliances using a convenient CLI through a variety of methods, including Telnet, SSH, or out-of-band via a console port. Alternatively, Cisco ASDM, an easy-to-use, Web-based device configuration tool embedded within the appliances, lets users graphically set up, configure, and monitor their Cisco PIX Security Appliances without requiring extensive knowledge of the CLI. In addition, a wide range of informative, real-time, and