Re: Benefits of Network Extention Mode vs IPsec

["Tina Bird" <tbird () precision-guesswork com>]

> I've been looking around on the net and I have not been able 
> to find any
> documentation on the befefits of Network Extention Mode VPN's 
> vs standard IPSec
> VPN's.
>
> Can anyone point me to some good documentaion as why NEM is 
> better then Standard
> IPSec VPNS?

"Network Extension Mode" is Cisco-specific terminology, so I'll assume
you're talking about Cisco VPN gear. Cisco's site is the only place you'll
find doc. They've got a white paper on enterprise VPN deployments which
might help out.

One of the big problems for IPsec deployments is making sure that the VPN
peers on both sides of the connection are configured with the same
parameters for session negotiation and management. In The Beginning, we had
to do that manually, which was annoying but feasible for site-to-site VPNs.
For remote access VPNs, where you've typically got a single machine
connecting from a random external IP address into a corporate environment,
it was a complete pain in the, uh, ethernet jack, because a lot of the
negotiations are managed based on things like IP address. Hence the need for
certs and dynamic client management (but we'll ignore that tangent).

Despite IPsec's support for multi-vendor deployments, in *practice* now, the
vast majority of organizations using IPsec for remote access have deployed
single-vendor VPN servers and clients. The biggest reason for this IMO is
because vendor have frequently deployed proprietary features that make
managing IPsec for remote access *much* simpler. Cisco is the premier
example of this. Their "EZvpn" technology (based on a proprietary mechanism
of theirs called the Unity protocol) creates a mechanism for the server to
control all aspects of session negotiation and traffic management, leaving a
minimal amount of configuration required for the client itself.

As I said above, most remote access connections require a single client to
connect into the enterprise network. Cisco IPsec assumes this in their
"basic" VPN config. The VPN concentrator need only connect that single
machine in -- the corporate network does not need to connect back into the
remote environment. In this case, the VPN server assigns a local corporate
IP address to the endpoint connection, and has no visibility into any other
machines in the remote environment.

But there are some situations -- for instance, when the remote user is an
engineer with a development LAN that needs access into the corp network --
where corporate machines have legitimate reasons to connect into the remote
location. Cisco supports this using its "Network Extension Mode." In this
mode, the VPN server provides a unique range of addresses for the machines
in the remote subnet (usually via a DHCP server on the remote end), and
manages traffic back and forth through the tunnel. This mode is more
complicated, because you have to manage a larger set of network addresses
and routes, but it works a charm for branch offices and telecommuters with
lots of machines.

Neither one is better or worse, they fulfill different requirements.

Hope this rather wordy explanation helps -- tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards