Scenarios
The following scenarios and questions are designed to draw together the content of the chapter
and exercise your understanding of the concepts. There might be more than one correct answer.
The thought process and practice in manipulating each concept in the scenario are the goals of
this section.
Scenario 4-1
Users at one of your small branch facilities dial in to your corporate access server for access to
the Internet, e-mail, and other network services. This four-user group is one of your research
and development teams, and each of the four users dials in to the access server using 56-kbps
modems for network services. Their work is considered top secret by upper management.
Because of the sensitive nature of their communications, you want to establish a VPN for them
using IPSec.
At the same time, other users at other branch sites—your sales staff and other key personnel—
frequently use laptops and home computers to connect to the corporate network through the Internet
or through the access server. These users discuss sales figures and development projects and
also require IPSec protection on their MS Exchange messaging and MS SQL database traffic.
You had considered using your router as a VPN server, but decided to use a Cisco VPN
Concentrator because of its ability to authenticate users internally. You don’t anticipate ever
having more than 50 VPN clients active in your user community at any given time, and your
employee base is stable.
As the senior security architect for your organization, how would you answer these questions?
1 Which VPN 3000 Concentrator would you purchase and install?
2 Would you use preshared keys or digital certificates for device authentication?
3 Would you depend on the internal authentication services of the VPN device, or would
you use some other user authentication method?
4 How would you assign VPN addresses?
5 Would you permit split tunneling?
6 Would you use multiple IPSec groups? If so, why?
7 Which IPSec protocol would you use?
8 Which encryption protocol would you use?
9 Would you allow unrestricted access hours?
10 What would you set for idle timeout and maximum connect time?
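Questions 5, 9 and 10 interact: a split-tunnel network list decides which traffic ever enters the tunnel, access hours gate when a session may start, and the idle timeout and maximum connect time decide when a running session is torn down. The following Python is an added illustration for this scenario; it is not Cisco code and does not describe how the VPN 3000 Concentrator implements these settings. The class and field names, the two group policies (rd-group and sales-group), the night-shift window, the network lists and the timeline are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class GroupPolicy:
    """Per-group settings; field names are this example's own assumptions."""
    name: str
    # Local-time window in which new connections are accepted; None = unrestricted.
    access_hours: Optional[Tuple[time, time]] = None
    # Tear the session down after this long with no traffic; None = never.
    idle_timeout: Optional[timedelta] = None
    # Absolute lifetime, enforced even while traffic flows; None = unlimited.
    max_connect_time: Optional[timedelta] = None
    # Split-tunnel network list; empty = split tunneling off, everything is tunneled.
    split_tunnel_networks: List[IPv4Network] = field(default_factory=list)

    def access_permitted(self, now: datetime) -> bool:
        if self.access_hours is None:
            return True
        start, end = self.access_hours
        t = now.time()
        if start <= end:
            return start <= t < end
        return t >= start or t < end  # window wraps midnight, e.g. 22:00-06:00

    def tunnel(self, dst: str) -> bool:
        # True if traffic to dst goes through the IPSec tunnel rather than in the clear.
        if not self.split_tunnel_networks:
            return True
        addr = ip_address(dst)
        return any(addr in net for net in self.split_tunnel_networks)


@dataclass
class Session:
    user: str
    policy: GroupPolicy
    started: datetime
    last_activity: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.last_activity is None:
            self.last_activity = self.started

    def note_activity(self, when: datetime) -> None:
        # Traffic resets the idle clock but never the connect-time clock.
        if when > self.last_activity:
            self.last_activity = when

    def termination_reason(self, now: datetime) -> Optional[str]:
        p = self.policy
        # Maximum connect time applies even to a busy session, so check it first.
        if p.max_connect_time is not None and now - self.started >= p.max_connect_time:
            return "max-connect-time"
        if p.idle_timeout is not None and now - self.last_activity >= p.idle_timeout:
            return "idle-timeout"
        return None


def connect(user: str, policy: GroupPolicy, now: datetime) -> Optional[Session]:
    """Admit a new session only inside the group's access hours."""
    if not policy.access_permitted(now):
        return None
    return Session(user, policy, now)


def at(hour: int, minute: int = 0) -> datetime:
    return datetime(2003, 4, 4, hour, minute)  # constructed day for the examples


# Constructed policies standing in for the scenario's user populations.
RD_GROUP = GroupPolicy("rd-group", access_hours=(time(8, 0), time(18, 0)),
                       idle_timeout=timedelta(minutes=30), max_connect_time=timedelta(hours=10))
SALES_GROUP = GroupPolicy("sales-group", idle_timeout=timedelta(hours=1),
                          split_tunnel_networks=[ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")])
NIGHT_GROUP = GroupPolicy("night-shift", access_hours=(time(22, 0), time(6, 0)))


def run_scenario() -> dict:
    """Walk an R&D session through its day and return the observed outcomes."""
    out = {"early_login": connect("rd-user", RD_GROUP, at(7)) is not None}
    s = connect("rd-user", RD_GROUP, at(9))
    s.note_activity(at(9, 20))
    out["idle_25min"] = s.termination_reason(at(9, 45))
    out["idle_30min"] = s.termination_reason(at(9, 50))
    busy = connect("rd-user", RD_GROUP, at(9))
    busy.note_activity(at(18, 59))
    out["busy_at_10h"] = busy.termination_reason(at(19))
    out["rd_tunnels_internet"] = RD_GROUP.tunnel("8.8.8.8")
    out["sales_tunnels_internet"] = SALES_GROUP.tunnel("8.8.8.8")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points the model makes visible. First, the maximum connect time is checked before the idle timeout, so a session that is never idle still ends at its absolute limit; an idle timeout alone would let a forgotten but chatty connection live indefinitely. Second, an empty split-tunnel list means everything is tunneled: with that setting a home PC on the sales group cannot reach the Internet in the clear while the tunnel to the corporate network is up, which is the conservative choice for the top-secret R&D group, and the network list is the knob you loosen deliberately for groups that need it.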
chpt_04.fm Page 207 Friday, April 4, 2003 9:19 AM