Firewall Wizards mailing list archives
Re: Benefits of Network Extention Mode vs IPsec
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Fri, 19 Jan 2007 11:29:22 -0800
> I've been looking around on the net and I have not been able to find any documentation on the benefits of Network Extension Mode VPNs vs standard IPsec VPNs. Can anyone point me to some good documentation as to why NEM is better than standard IPsec VPNs?
"Network Extension Mode" is Cisco-specific terminology, so I'll assume you're talking about Cisco VPN gear. Cisco's site is the only place you'll find doc. They've got a white paper on enterprise VPN deployments which might help out.

One of the big problems for IPsec deployments is making sure that the VPN peers on both sides of the connection are configured with the same parameters for session negotiation and management. In The Beginning, we had to do that manually, which was annoying but feasible for site-to-site VPNs. For remote access VPNs, where you've typically got a single machine connecting from a random external IP address into a corporate environment, it was a complete pain in the, uh, ethernet jack, because a lot of the negotiations are managed based on things like IP address. Hence the need for certs and dynamic client management (but we'll ignore that tangent).

Despite IPsec's support for multi-vendor deployments, in *practice* now, the vast majority of organizations using IPsec for remote access have deployed single-vendor VPN servers and clients. The biggest reason for this IMO is that vendors have frequently deployed proprietary features that make managing IPsec for remote access *much* simpler. Cisco is the premier example of this. Their "EzVPN" technology (based on a proprietary mechanism of theirs called the Unity protocol) creates a mechanism for the server to control all aspects of session negotiation and traffic management, leaving a minimal amount of configuration required for the client itself.

As I said above, most remote access connections require a single client to connect into the enterprise network. Cisco IPsec assumes this in their "basic" VPN config. The VPN concentrator need only connect that single machine in -- the corporate network does not need to connect back into the remote environment. In this case, the VPN server assigns a local corporate IP address to the endpoint connection, and has no visibility into any other machines in the remote environment.

But there are some situations -- for instance, when the remote user is an engineer with a development LAN that needs access into the corp network -- where corporate machines have legitimate reasons to connect into the remote location. Cisco supports this using its "Network Extension Mode." In this mode, the VPN server provides a unique range of addresses for the machines in the remote subnet (usually via a DHCP server on the remote end), and manages traffic back and forth through the tunnel. This mode is more complicated, because you have to manage a larger set of network addresses and routes, but it works a charm for branch offices and telecommuters with lots of machines.

Neither one is better or worse; they fulfill different requirements.

Hope this rather wordy explanation helps -- tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
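As an added illustration (not part of Tina's message, and not taken from Cisco's documentation), here is what the difference between the two EzVPN remote modes she describes looks like in IOS configuration. Profile names, group names, pre-shared keys, the hub address 203.0.113.1, the branch LAN 10.1.1.0/24 and the address pool are all placeholders chosen for the example; the command syntax is the IOS EzVPN remote/server CLI, but this is a sketch to be checked against the platform's own documentation before use.

```cisco
! ===== Remote-end router: EzVPN remote (Cisco Unity client) =====
! Added example with made-up names, addresses and keys.
!
! Variant A: client mode. The hub hands this router one address from its
! pool via mode-config and the LAN behind it is hidden behind that single
! address. The hub never learns about 10.1.1.0/24 and cannot initiate
! connections into it.
crypto ipsec client ezvpn CORP-CLIENT
 connect auto
 group telecommuters key ExampleKey123
 mode client
 peer 203.0.113.1
 xauth userid mode interactive
!
! Variant B: network extension mode. The branch LAN is presented to the hub
! as a protected network, so corporate hosts can route traffic to it. This
! is the case Tina describes for an engineer's development LAN.
crypto ipsec client ezvpn CORP-NEM
 connect auto
 group branch-offices key ExampleKey456
 mode network-extension
 peer 203.0.113.1
 xauth userid mode interactive
!
! Only one profile is bound to the interfaces at a time; swap CORP-NEM for
! CORP-CLIENT to run client mode. "inside" marks the LAN side, the bare
! form marks the Internet-facing interface that builds the tunnel.
interface FastEthernet0/0
 description branch LAN
 ip address 10.1.1.1 255.255.255.0
 crypto ipsec client ezvpn CORP-NEM inside
!
interface FastEthernet0/1
 description Internet uplink, address assigned by ISP
 ip address dhcp
 crypto ipsec client ezvpn CORP-NEM
!
! ===== Hub router: EzVPN server =====
! The "client configuration group" block is the server-side policy that gets
! pushed to the remote, which is why the remote needs so little config.
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
username alice secret ExampleUserPass
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp client configuration group telecommuters
 key ExampleKey123
 pool EZVPN-POOL
 acl 101
!
crypto isakmp client configuration group branch-offices
 key ExampleKey456
 pool EZVPN-POOL
 acl 101
!
! Addresses handed to client-mode remotes, and a split-tunnel ACL so only
! 10.0.0.0/8 traffic is sent through the tunnel.
ip local pool EZVPN-POOL 10.255.0.1 10.255.0.254
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
!
! reverse-route is what makes NEM work on the hub: a route to each remote
! LAN is injected as that remote connects, so no static routes are needed.
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUPS
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN-MAP
```

The practical check after bringing up a network-extension remote is on the hub: `show ip route` should show 10.1.1.0/24 as a static route pointing at the tunnel peer (that is the reverse-route injection), and `show crypto ipsec sa` should show an SA whose remote identity is the whole LAN rather than a single pool address. Under client mode the same commands show only the single assigned address, which is exactly why the corporate side cannot connect back in.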
Current thread:
- Benefits of Network Extention Mode vs IPsec Craig Van Tassle (Jan 19)
- Re: Benefits of Network Extention Mode vs IPsec Robby Cauwerts (Jan 19)
- Re: Benefits of Network Extention Mode vs IPsec Tina Bird (Jan 20)