IPSec VPN Design Review by Glen Kendell

Falls short on key topics

IPSec VPN Design is not a bad technical book. It's what I call a "Cool Whip" book. It looks good, but there is little that is useful or original. It claims to be "the definitive design and deployment guide". It is not. Most of the explanations are academic and dry. There are many examples. Some are useful. Some are not. Many are outdated.

My primary complaint is that it does not cover PIX 7.0. This is a huge oversight for a Cisco Press book published in April 2005. There are several important features in 7.0 such as "hairpinning", or the ability for one spoke (or remote access client) to access another spoke in the hub and spoke model. The book states that hairpinning is not possible, and most of the designs are based on this premise.

I was also disappointed to find that the book failed to cover ACLs and VPNs. This is a critical topic in VPN design. Too many network administrators simply allow full access of one private network to another using "sysopt connection permit-ipsec" without thinking of the security implications. In many circumstances, it may be more appropriate to disable this command and create explicit access lists for resources accessible via VPN. I would have liked to see some examples using both methods and the trade-offs of each approach.
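As an added illustration (not from the book or this review), here are the two approaches that paragraph contrasts, in PIX 6.x syntax; the interface name, addresses and ACL name are constructed placeholders:

```text
! Approach 1 (convenient, broad): decrypted IPsec traffic bypasses the
! interface access lists entirely, so every host on the remote LAN can reach
! every host and port on the local LAN once the tunnel is up.
sysopt connection permit-ipsec

! Approach 2 (explicit): remove the bypass so decrypted traffic is filtered
! by the outside interface's ACL like any other inbound packet, then permit
! only the services remote users actually need.
! Constructed values: 10.2.0.0/16 = remote site, 10.1.0.10/.20 = local servers.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.10 eq 443
access-list OUTSIDE_IN permit udp 10.2.0.0 255.255.0.0 host 10.1.0.20 eq 53
access-list OUTSIDE_IN permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 echo
access-list OUTSIDE_IN deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The trade-off is operational: the explicit list has to be updated whenever a new service needs to cross the tunnel, and the final "deny ... log" line is what makes unexpected cross-VPN traffic visible in the logs.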

There were a couple of interesting topic areas covered by the book such as VoIP over VPN. Even though it's short on configuration details or examples, I enjoyed learning about the issues involved.

The book is simply not worth the money. If you're new to IPSec or just setting up a basic site-to-site VPN, you'd be better off with a simpler guide. And if you're more sophisticated, you will do better digging up examples with Google, even from Cisco's own website.