Defining VPN Members and Topology Using NSM
You can use a VPN to connect:
- Security devices—Create a VPN between two or more security devices to establish secure communication between separate networks.
- Network components—Create a VPN between two or more network components to establish secure communication between specific machines.
- Remote users—Create a VPN between a user and a security device to enable secure access to protected networks.
Note: In NSM, remote users are known as remote access service (RAS) users.
Each device, component, and RAS user in a VPN is considered a VPN node. The VPN connects each node to the other nodes using VPN tunnels. VPN tunnel termination points are the end points of the tunnel; traffic enters and departs the VPN tunnel through these end points. Each tunnel has two termination points, a source and a destination, which are the source and destination zones on the security device.
Table 1 describes the various types of topologies.
Table 1: VPN Types (columns: Topology, Description)

Network Address Translation (NAT)

Network Address Translation (NAT) maps private IP addresses to public, Internet-routable IP addresses. Because your security device is also a NAT server, you can use private, unregistered IP addresses for your internal network, minimizing the number of registered IP addresses you must buy and use.

If you enable NAT, when an internal system connects to the Internet, the security device translates the unregistered IP address in the outbound data packets to the registered address of the security device. The security device also relays responses back to the original system. Additionally, because your internal systems do not have a valid Internet IP address, your systems are invisible to the outside Internet, meaning that attackers cannot discover the IP addresses in use on your network.

Site-to-Site

Site-to-site VPNs are the most common type of VPN. Typically, each remote site is an individual security device or RAS user that connects to a central security device.
- Advantages—Simple, easy to configure.
- Disadvantages—The central security device is a single point of failure.
Use a site-to-site VPN to connect remote networks to a single, central network inexpensively. An example is shown below:

Hub and Spoke

In a hub and spoke VPN, multiple security devices (spokes) communicate through a central device (the hub).
- Advantages—Can connect several devices and users. Hub and spoke VPNs are easy to maintain because you only need to reconfigure the spoke and the hub device, which saves you administration and resource costs. If you have smaller security devices with limited tunnel capacity, you can use hub and spoke VPNs to increase the number of available tunnels.
- Disadvantages—The hub is a single point of failure; however, you can use NSRP for redundancy.
A hub acts as a concentrator for the other VPN members, but does not necessarily have resources that are available to other members. In fact, you can specify a security device that is not a VPN member to act as the hub: if you include the hub in the VPN, the hub device can send and receive traffic from all spokes; if you do not include the hub, the hub device only routes traffic between spokes.
Use a hub and spoke topology when you want to route VPN traffic through a VPN member that does not contain protected resources. An example is shown below:

Full Mesh

In a full mesh VPN, every VPN member can communicate with every other VPN member.
- Advantages—Because a full mesh configuration uses redundant IPSec tunnels, traffic continues to flow even if a node fails.
- Disadvantages—When you add a member to the VPN, you must reconfigure all devices.
Use a full mesh VPN when you need to ensure that every VPN member can communicate with every other VPN member.

Creating Redundancy

To ensure a stable, continuous VPN connection, use redundant gateways to create multiple tunnels between resources. If a tunnel fails, the management system automatically reroutes traffic. Redundant gateways use NSRP to determine the tunnel status.
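The trade-offs listed in Table 1 (per-device tunnel load, what survives a node failure, and how many devices must be reconfigured when a member joins) can be checked by modelling the tunnel layout. The following is an added example, not NSM code; the topology names, functions and device names are constructed for illustration, and "star" stands for both site-to-site and hub and spoke, since both tunnel every member to one central device.

```python
# Added example (not NSM code): models the tunnel layout of the Table 1
# topologies and checks the stated trade-offs. Device names are constructed.
from itertools import combinations

def tunnels(topology, members, hub=None):
    """Set of (a, b) tunnel pairs. 'star' covers site-to-site and hub-and-spoke
    (every member tunnels to the central device/hub); 'full_mesh' pairs everyone."""
    if topology == "full_mesh":
        return {tuple(sorted(p)) for p in combinations(members, 2)}
    if topology == "star":
        if hub is None:
            raise ValueError("star topology needs a central device")
        # hub may or may not itself be in members (hub-and-spoke allows both)
        return {tuple(sorted((hub, m))) for m in members if m != hub}
    raise ValueError(f"unknown topology {topology!r}")

def tunnels_per_device(tunnel_set):
    """Tunnels terminating on each device; compare against its tunnel capacity."""
    counts = {}
    for a, b in tunnel_set:
        counts[a] = counts.get(a, 0) + 1
        counts[b] = counts.get(b, 0) + 1
    return counts

def reachable_pairs(tunnel_set, failed=()):
    """Device pairs that can still talk (directly, or forwarded through surviving
    devices such as a hub) after the devices in `failed` go down."""
    live = {(a, b) for a, b in tunnel_set if a not in failed and b not in failed}
    adj = {}
    for a, b in live:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, pairs = set(), set()
    for start in adj:                      # one connected component at a time
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n])
        seen |= comp
        pairs |= {tuple(sorted(p)) for p in combinations(comp, 2)}
    return pairs

def devices_to_reconfigure(topology, members, new_member, hub=None):
    """Devices whose tunnel configuration changes when new_member joins."""
    added = tunnels(topology, members + [new_member], hub) - tunnels(topology, members, hub)
    return {dev for pair in added for dev in pair}
```

With four members, a full mesh needs six tunnels (three per device) and keeps the other three devices connected when any one fails, whereas a star needs three tunnels but loses all connectivity when the hub fails and only touches two devices when a member is added.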
Published: 2009-08-21