
Build and Deploy a Django Project on OSX from Scratch
Team Blog, creators of
May 2, 2013
If you read this blog, you're certainly a front-end mobile developer (and certainly also an iOS dev). Guess what? The server part is the most important piece of your project: maybe tomorrow you will want to expand your app to Android or Windows 8, or you will want a beautiful responsive HTML5 web site, etc. All these front-ends will speak to your back-end, and inevitably you will have to work on your back-end.
Fortunately, there is a wide range of technologies to choose from, and learning them can be really fun. At Manbolo, we have chosen to build on Django, one of the most famous Python frameworks.
This post is an attempt to show how to build and deploy a Django project on a new Mac, assuming you've nothing installed on it. The aim is to have a local development server on our Mac, pretty similar to what your production server can be (hosted on your own Linux box or with a hosting provider, for instance). That way, you can work on your server even if you are offline. For the example, we're going to build a small site that will be powered by Django and hosted locally on your Mac.
WARNING: this post describes a simple way to test a Django project in a development environment (your local Mac). There is no security consideration, and this is not a post about how to deploy a Django app on a production server.
1. Choices: Apache, MySQL, Python 2.7
Apache: already installed on Mac; we're going to use mod_wsgi to serve the Django project and the same Apache server to serve static files. The Django documentation on deployment recommends serving static files from a separate server, but for simplicity we will use the same server (though the static pages won't be interpreted by the Python interpreter).
MySQL: we use MySQL (MariaDB, more precisely) on our server and we know it well. We don't know the alternatives at all; for our needs, MySQL is simple to configure and rock solid.
Python 2.7: this was a hard choice. Pretty new to Python, we've started to invest in Python 3. But the state of MySQL on Python 3 is pretty bad: we've managed to get a MySQL driver working on Python 3, but failed with Django. Django does, of course, support Python 3, but if you're using MySQL, you should stick with Python 2.x. The good news is that you can have multiple versions of Python, with different modules, coexist on the same system with virtualenv. A last argument for Python 2.x is our production environment: we're using the Debian Squeeze distribution, and the stable Python package on Squeeze is Python 2.6.6.
2. Install Xcode command line tools
Let's start. First, the Xcode command line tools are needed to build MySQL and to use Homebrew.
If you already have Xcode, just go to 'Preferences > Downloads', then click on the Command Line Tools Install button.
If you don't have Xcode, go to Apple's developer downloads page and search for Command Line Tools (OS X Mountain Lion) for Xcode, or Command Line Tools (OS X Lion) for Xcode, depending on your OS.
3. Install Homebrew
We'll need Homebrew to install mod_wsgi.
There are many package installers on OSX, but I find Homebrew very pleasant, simple and convenient. Homebrew simplifies the installation of open source tools that are not on OSX by default.
What I really like with Homebrew is that everything is installed in a directory that does not conflict with the system directories. By default, it's /usr/local, but you can change it to whatever you like.
To install Homebrew, open a Terminal window and type:
ruby -e "$(curl -fsSkL /mxcl/homebrew/go)"
Note that the -k flag tells curl to skip TLS certificate verification, and the downloaded script is executed immediately by ruby; without -k, a tampered download is rejected instead of run.
4. Configure Apache
First, we enable PHP on the local Apache with mod_php, only to use phpMyAdmin. You can manage your database by hand, but frankly this is simpler with phpMyAdmin. Then we'll enable virtual hosts. This will allow us to test our Django project in our browser at a local URL. Then, we'll install our MySQL database, needed by Django, and create a first user/database for our Django project.
Apache is installed by default on OSX Mountain Lion; open a terminal and start it:
sudo apachectl start
Go to http://localhost/ in your browser, and you should see the classic 'It Works' page.
4.1. Enable mod_php
Enable mod_php in Apache:
cd /etc/apache2
sudo vi httpd.conf
Uncomment this line:
# LoadModule php5_module libexec/apache2/libphp5.so
Copy the default php.ini.default to php.ini:
sudo cp php.ini.default php.ini
In php.ini, change the MySQL Unix socket (MariaDB installed by Homebrew uses /tmp/mysql.sock by default). If the php.ini copied from php.ini.default is not writable, make it writable, then replace every occurrence of /var/mysql/mysql.sock with /tmp/mysql.sock (it should appear in two places):
sudo chmod +w php.ini
sudo vi php.ini
Test that the Apache config is OK, and restart it:
apachectl configtest
sudo apachectl graceful
4.2. Enable and configure Virtual Host
We're going to enable virtual hosts on Apache. This gives you a skeleton to easily manage multiple development sites locally on your Mac. I usually put all my document roots under ~/Sites/, so we're going to create a document root there for our dev site (with our Django app, only the web site's static content will be located under that document root; the Django project itself will be located at ~/Documents/mysite).
cd /etc/apache2
sudo vi httpd.conf
Uncomment this line
#Include /private/etc/apache2/extra/httpd-vhosts.conf
Test that the Apache config is OK:
apachectl configtest
The result should be:
Warning: DocumentRoot [/usr/docs/dummy-] does not exist
Warning: DocumentRoot [/usr/docs/dummy-] does not exist
All is OK; now we configure the virtual host configuration files:
cd /etc/apache2/extra/
sudo vi httpd-vhosts.conf
Replace the content of httpd-vhosts.conf with this one. This gives us a good template for future vhost configuration files:
NameVirtualHost *:80
include /private/etc/apache2/extra/vhosts/localhost.conf
include /private/etc/apache2/extra/vhosts/.conf
For each new site you're building, you will have a corresponding Apache configuration file. Our Django site will be under its own hostname, so we create a virtual host on our Apache for managing this site. If you want to manage other dev sites, just add as many include lines as there are web sites:
include /private/etc/apache2/extra/vhosts/.conf
include /private/etc/apache2/extra/vhosts/.conf
include /private/etc/apache2/extra/vhosts/.conf
include /private/etc/apache2/extra/vhosts/.conf
Currently, we just need Apache configurations for localhost and our dev site.
Create the virtual host configuration for localhost:
sudo mkdir -p /etc/apache2/extra/vhosts/
cd /etc/apache2/extra/vhosts/
sudo vi localhost.conf
Put this content in localhost.conf and save it:
<VirtualHost *:80>
    DocumentRoot "/Users/jc/Sites/localhost"
    ServerName localhost
    ErrorLog "/Users/jc/Sites/logs/localhost-error_log"
    CustomLog "/Users/jc/Sites/logs/localhost-access_log" common
    <Directory "/Users/jc/Sites/localhost">
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
Create the virtual host configuration for :
cd /etc/apache2/extra/vhosts/
sudo vi .conf
Put this content in .conf and save it:
<VirtualHost *:80>
    DocumentRoot "/Users/jc/"
    ServerName
    ErrorLog "/Users/jc/Sites/-error_log"
    CustomLog "/Users/jc/Sites/-access_log" common
    <Directory "/Users/jc/">
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
Create the log directory and the document roots for our virtual hosts:
mkdir -p ~/Sites/logs/
mkdir -p ~/Sites/localhost/
Now the Apache config test should be OK:
apachectl configtest
Then, restart Apache
sudo apachectl graceful
Finally, we want to test our site in our browser locally by typing its hostname. To do this, we edit /etc/hosts:
sudo vi /etc/hosts
And add lines for your dev hostname (elided on the page), pointing it at 127.0.0.1 and at fe80::1%lo0, so that the file looks like this:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
fe80::1%lo0     localhost
fe80::1%lo0
Open a terminal and ping your dev hostname to check this config. The result should be:
(127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.109 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.065 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.096 ms
Now, when you type your dev hostname in your browser, you should reach your Apache virtual host.
4.3. Install MySQL (MariaDB)
Install MySQL with Homebrew
brew install mariadb
As suggested by brew, finish the installation:
unset TMPDIR
mysql_install_db --user=`whoami` --basedir="$(brew --prefix mariadb)" \
    --datadir=/usr/local/var/mysql --tmpdir=/tmp
Start MariaDB at login
mkdir -p ~/Library/LaunchAgents
ln -sfv /usr/local/opt/mariadb/*.plist ~/Library/LaunchAgents
Then launch it now:
launchctl load ~/Library/LaunchAgents/homebrew.mxcl.mariadb.plist
Once you've launched the server, set a password for the MariaDB root user:
mysqladmin -u root password 'NEW-PASSWORD'
4.4. Install phpMyAdmin
Download the phpMyAdmin archive and unzip it under
/Users/jc/Sites/localhost/phpmyadmin
In your browser type http://localhost/phpmyadmin and log in as root with the password you've previously set.
Then go to the Users tab, and select 'Add user'.
Create a user with login project1 and password project1, select 'Create database with same name and grant all privileges', then 'Add user'.
That's all, we have our database ready for our Django project. Keep in mind that Apache listens on every network interface by default, so this phpMyAdmin, with its root login, is reachable from any machine on the same network; on anything but a trusted network, restrict its Directory block to 127.0.0.1 or stop Apache when you're done.
5. Install virtualenv
virtualenv is a very powerful tool that allows you to create Python environment sandboxes. That way, you can have multiple versions of Python with multiple modules, and each environment is isolated from the others. We're going to install virtualenv, and then install Django in a virtual environment.
Just download the virtualenv tarball (virtualenv-1.9.1.tar.gz here) in a temporary folder:
tar xvzf virtualenv-1.9.1.tar.gz
cd virtualenv-1.9.1
sudo python setup.py install
6. Creating a Django project with virtualenv
To create a virtual environment of a specific Python version, use the -p option of virtualenv and give it the path of a Python interpreter. On OSX, Python 2.7 is installed by default, so, for our Django project, we're going to create a Python 2.7 virtual environment.
6.1. Create a Python virtual environment
Create a virtual environment based on Python 2.7:
cd ~/Documents/VirtualEnvs/
virtualenv --python=/usr/bin/python2.7 --no-site-packages venv-python2.7-django
Activate this virtual environment:
cd ~/Documents/VirtualEnvs/venv-python2.7-django/
source bin/activate
Before your prompt, you should see the current virtual environment activated:
(venv-python2.7-django) $
Now, when you launch a Python interpreter, you'll use the interpreter installed at ~/Documents/VirtualEnvs/venv-python2.7-django/bin. When you install any Python module with pip, you will install it only in this virtual environment and not in the system. You can deactivate the virtual environment with the command deactivate and come back to your system Python.
Finally, to test installation:
which python
/Users/jc/Documents/VirtualEnvs/venv-python2.7-django/bin/python
Install the latest version of Django in this virtual environment: download the Django tarball (Django-1.5.1.tar.gz here) in a temporary folder (it doesn't need to be under your virtual environment, but be sure to be in a terminal where this env is activated):
tar xzvf Django-1.5.1.tar.gz
cd Django-1.5.1
python setup.py install
No need for sudo, as we are in a virtual environment now. To test, launch python and import django:
Python 2.7.2 (default, Oct 11 :37)
[GCC 4.2.1 Compatible Apple Clang 4.0 (tags/Apple/clang-418.0.60)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import django
Everything seems OK; press Ctrl+D to quit the interactive interpreter.
Install distribute >= 0.6.28 (needed by MySQLdb). I prefer to do it manually; I don't know why, but it is much slower if we rely on MySQLdb to install distribute. Download the distribute tarball (distribute-0.6.36.tar.gz here) in a temporary folder and:
tar xvzf distribute-0.6.36.tar.gz
cd distribute-0.6.36/
python setup.py install
Install MySQLdb in this env. Download the MySQL-python tarball (MySQL-python-1.2.4b4.tar.gz here) in a temporary folder and:
tar xvzf MySQL-python-1.2.4b4.tar.gz
cd MySQL-python-1.2.4b4
python setup.py install
6.2. Create a Django project
We're going to create our Django project. From now on, you should have your Python virtual environment activated (remember that our system default Python doesn't know anything about Django). If you're new to Django, just follow the wonderful 'Writing your first Django app' tutorials on the Django site, from the first part to the last. I also recommend reading the section on deployment.
cd ~/Documents
django-admin.py startproject mysite
Edit mysite/settings.py to put in the MySQL database settings:
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'project1',
        'USER': 'project1',
        'PASSWORD': 'project1',
        'HOST': '',      # Empty for localhost
        'PORT': '',      # Set to empty string for default.
    }
}
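As an added example (not code from this post or from Django), here is a small Python check that flags the development-only values a settings.py like the one above carries before it ever reaches a server: DEBUG left on, an empty ALLOWED_HOSTS, a placeholder SECRET_KEY, and database credentials where the password equals the user name (project1/project1). The function names, the thresholds and the sample settings dict are this example's own assumptions.

```python
"""Audit a Django settings module for development-only values.

Added example, not code from the post or from Django. It inspects the
settings a `django-admin.py startproject` skeleton produces (DEBUG,
ALLOWED_HOSTS, SECRET_KEY, DATABASES), loaded as a plain dict so the check
runs without Django installed. Function and message names are this
example's own.
"""
import re
import runpy

# Constructed sample mirroring the post's development configuration:
# DEBUG on, no ALLOWED_HOSTS, a placeholder SECRET_KEY, and a database
# password identical to the user name.
DEV_SETTINGS = {
    'DEBUG': True,
    'ALLOWED_HOSTS': [],
    'SECRET_KEY': 'change-me-placeholder',
    'DATABASES': {
        'default': {
            'ENGINE': 'django.db.backends.mysql',
            'NAME': 'project1',
            'USER': 'project1',
            'PASSWORD': 'project1',
            'HOST': '',
            'PORT': '',
        }
    },
}


def load_settings(path):
    """Execute a settings.py file and return its module globals as a dict."""
    return runpy.run_path(path)


def audit_settings(settings):
    """Return (setting, problem) pairs for values that are acceptable on a
    laptop but must not reach a production server."""
    findings = []
    if settings.get('DEBUG'):
        findings.append(('DEBUG', 'True: error pages disclose settings, SQL and stack traces'))
    if not settings.get('ALLOWED_HOSTS'):
        findings.append(('ALLOWED_HOSTS', 'empty: the Host header is not validated once DEBUG is off'))
    secret = str(settings.get('SECRET_KEY', ''))
    # Django generates 50-character keys; anything shorter or obviously
    # templated is treated as a placeholder (threshold chosen for this example).
    if len(secret) < 50 or re.search(r'change|placeholder|example', secret, re.I):
        findings.append(('SECRET_KEY', 'short or placeholder: sessions and CSRF tokens are signed with it'))
    for alias, db in settings.get('DATABASES', {}).items():
        if 'sqlite' in db.get('ENGINE', ''):
            continue                      # file-backed, no password involved
        user = db.get('USER', '')
        password = db.get('PASSWORD', '')
        if not password:
            findings.append(('DATABASES.' + alias, 'empty database password'))
        elif password in (user, db.get('NAME', '')):
            findings.append(('DATABASES.' + alias, 'database password equals the user or database name'))
    return findings


if __name__ == '__main__':
    for setting, problem in audit_settings(DEV_SETTINGS):
        print('%s: %s' % (setting, problem))
```

Run it against a real settings file with audit_settings(load_settings('mysite/settings.py')); load_settings executes the file, so only point it at settings you trust.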
6.3. Test the Django project in local
On the command line, test that your Django project is working. We're using the embedded Django server:
cd ~/Documents/mysite/
python manage.py runserver
7. Deploy your Django project with mod_wsgi
7.1 Install mod_wsgi
We're going to use Homebrew to install mod_wsgi. There are some extra steps to install it; see the Homebrew documentation for mod_wsgi for more information.
Before installation, run this command, which creates a link needed for the Homebrew mod_wsgi compilation:
[ "$(sw_vers -productVersion | sed 's/^\(10\.[0-9]\).*/\1/')" = "10.8" ] && bash -c "[ -d /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain ] && sudo bash -c 'cd /Applications/Xcode.app/Contents/Developer/Toolchains/ && ln -vs XcodeDefault.xctoolchain OSX10.8.xctoolchain' || sudo bash -c 'mkdir -vp /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.8.xctoolchain/usr && cd /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.8.xctoolchain/usr && ln -vs /usr/bin'"
Then, load new Formulas into brew:
brew tap homebrew/apache
Finally install mod_wsgi
brew install mod_wsgi
Once mod_wsgi is installed, we'll enable it in Apache: edit /etc/apache2/httpd.conf and add this line:
LoadModule wsgi_module /usr/local/Cellar/mod_wsgi/3.4/libexec/mod_wsgi.so
Test the config and restart Apache if everything is ok:
apachectl configtest
sudo apachectl restart
7.2 Configure VirtualHost for mod_wsgi
On the one hand, all static resources will be served by Apache and will point to /Users/jc//static; on the other hand, the WSGI entry point for our Python app will be at /Users/jc/Documents/mysite/mysite/wsgi.py.
We're going to configure the virtual host configuration file for our dev site and enable mod_wsgi. Edit /etc/apache2/extra/vhosts/.conf and copy these lines:
<VirtualHost *:80>
    LogLevel info
    ServerName
    ServerAdmin
    # Static files
    DocumentRoot "/Users/jc/"
    Alias /static/ /Users/jc//static/
    <Directory "/Users/jc//static">
        Order deny,allow
        Allow from all
    </Directory>
    # WSGI configuration (daemon mode; the process group name "mysite" is chosen here, the page did not show it)
    WSGIDaemonProcess mysite processes=2 threads=15 display-name=%{GROUP} python-path=/Users/jc/Documents/mysite/:/Users/jc/Documents/VirtualEnvs/venv-python2.7-django/lib/python2.7/site-packages
    WSGIProcessGroup mysite
    WSGIScriptAlias / /Users/jc/Documents/mysite/mysite/wsgi.py
    <Directory "/Users/jc/Documents/mysite/mysite">
        <Files wsgi.py>
            Order allow,deny
            Allow from all
        </Files>
    </Directory>
</VirtualHost>
We are using mod_wsgi in daemon mode, so each Django instance runs as a distinct user. You can get more information in the Django docs on deploying with mod_wsgi and in the mod_wsgi documentation.
You can see that the WSGIDaemonProcess directive allows us to specify which Python interpreter we will use: by changing this path, you can specify exactly which Python virtual environment you'll use for this Django app. Note that we specify the path to our Python project AND to our Python virtual environment's site-packages.
I've not looked for the right number of processes and threads one should put in WSGIDaemonProcess, but 2 and 15 should be safe for our development configuration.
Finally, set the right permissions on your local folders so that Apache can access your files:
chmod -R 755 ~/Documents/mysite/mysite
chmod -R 755 ~/Documents/
Note that the second command makes everything under ~/Documents readable by every local account, not only by Apache; on a shared machine, limit it to the project directory (~/Documents/mysite) instead.
Then restart Apache
sudo apachectl graceful
7.3. Collect static files
The static files of your Django project will be collected under the static/ directory of the site document root (/Users/jc//static in our configuration) and accessible at /static. Note that, with our Apache virtual host configuration, static files won't go through the Python interpreter (there is no need to) but will be served directly by Apache.
In your Django project, edit settings.py and change STATIC_ROOT:
STATIC_ROOT = '/Users/jc//static/'
Then, collect all static files from your Django project:
python manage.py collectstatic
Finally, open /admin on your dev site in your browser, and you should see the Django admin page.

How Virtual Private Networks Work - Cisco
This document covers the fundamentals of VPNs, such as basic VPN components, technologies, tunneling, and VPN security.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country, or even around the world. But there is one thing that all companies need: a way to maintain fast, secure, and reliable communications wherever their offices are located.
Until recently, reliable communication has meant the use of leased lines to maintain a wide-area network (WAN). Leased lines, ranging from Integrated Services Digital Network (ISDN, which runs at 144 Kbps) to Optical Carrier-3 (OC3, which runs at 155 Mbps) fiber, provide a company with a way to expand its private network beyond its immediate geographic area. A WAN has obvious advantages over a public network like the Internet when it comes to reliability and performance, but maintaining a WAN, particularly when using leased lines, can become quite expensive (the cost often rises as the distance between the offices increases). Additionally, leased lines are not a viable solution for organizations where part of the work force is highly mobile (as is the case with the marketing staff) and might frequently need to connect to the corporate network remotely and access sensitive data.
As the popularity of the Internet has grown, businesses have turned to it as a means of extending their own networks. First came intranets, which are sites designed for use only by company employees. Now, many companies create their own Virtual Private Networks (VPNs) to accommodate the needs of remote employees and distant offices.
A typical VPN might have a main local-area network (LAN) at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users that connect from out in the field.
A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection, such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
There are two common types of VPNs.
Remote-Access—Also called a Virtual Private Dial-up Network (VPDN), this is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN provides some form of Internet dial-up account to their users using an Internet service provider (ISP). The telecommuters can then dial a 1-800 number to reach the Internet and use their VPN client software to access the corporate network. A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.
Site-to-Site—Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Each site needs only a local connection to the same public network, thereby saving money on long private leased-lines. Site-to-site VPNs can be further categorized into intranets or extranets. A site-to-site VPN built between offices of the same company is said to be an intranet VPN, while a VPN built to connect the company to its partner or customer is referred to as an extranet VPN.
A well-designed VPN can greatly benefit a company. For example, it can:
Extend geographic connectivity
Reduce operational costs versus traditional WANs
Reduce transit times and traveling costs for remote users
Improve productivity
Simplify network topology
Provide global networking opportunities
Provide telecommuter support
Provide faster Return On Investment (ROI) than traditional WAN
What features are needed in a well-designed VPN? It should incorporate these items:
Reliability
Scalability
Network Management
Policy Management
Imagine that you live on an island in a huge ocean. There are thousands of other islands all around you, some very close and others farther away. The normal way to travel is to take a ferry from your island to whichever island you wish to visit. Traveling on a ferry means that you have almost no privacy. Anything you do can be seen by someone else.
Assume that each island represents a private LAN and the ocean is the Internet. When you travel by ferry, it is similar to when you connect to a web server or to another device through the Internet. You have no control over the wires and routers that make up the Internet, just like you have no control over the other people on the ferry. This leaves you susceptible to security issues if you try to connect between two private networks using a public resource.
Your island decides to build a bridge to another island so that there is an easier, more secure and direct way for people to travel between the two. It is expensive to build and maintain the bridge, even though the island you are connecting with is very close. But the need for a reliable, secure path is so great that you do it anyway. Your island would like to connect to a second island that is much farther away, but you decide that it is too expensive.
This situation is very much like having a leased line. The bridges (leased lines) are separate from the ocean (Internet), yet they are able to connect the islands (LANs). Many companies have chosen this route because of the need for security and reliability in connecting their remote offices. However, if the offices are very far apart, the cost can be prohibitively high - just like trying to build a bridge that spans a great distance.
So how does VPN fit in to this analogy? We could give each inhabitant of our islands their own small submarine with these properties.
It is fast.
It is easy to take with you wherever you go.
It is able to completely hide you from any other boats or submarines.
It is dependable.
It costs little to add additional submarines to your fleet once the first is purchased.
Although they are traveling in the ocean along with other traffic, the inhabitants of our two islands could travel back and forth whenever they wanted to with privacy and security. That is essentially how a VPN works. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. A VPN can grow to accommodate more users and different locations much easier than a leased line. In fact, scalability is a major advantage that VPNs have over typical leased lines. Unlike leased lines where the cost increases in proportion to the distances involved, the geographic locations of each office matter little in the creation of a VPN.
A well-designed VPN uses several methods in order to keep your connection and data secure.
Data Confidentiality—This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital and can be attained by encrypting the data. This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode.
Most VPNs use one of these protocols to provide encryption.
IPsec—Internet Protocol Security Protocol (IPsec) provides enhanced security features such as stronger encryption algorithms and more comprehensive authentication. IPsec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet while transport mode only encrypts the payload. Only systems that are IPsec-compliant can take advantage of this protocol. Also, all devices must use a common key or certificate and must have very similar security policies set up.
For remote-access VPN users, some form of third-party software package provides the connection and encryption on the user's PC. IPsec supports either 56-bit (single DES) or 168-bit (triple-DES) encryption (both of which have since been superseded by AES in current IPsec deployments).
PPTP/MPPE—PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself does not provide data encryption.
L2TP/IPsec—Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the tunneling of Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a partnership between the members of the PPTP forum, Cisco, and the Internet Engineering Task Force (IETF). It is primarily used for remote-access VPNs with Windows 2000 operating systems, since Windows 2000 provides a native IPsec and L2TP client. Internet Service Providers can also provide L2TP connections for dial-in users, and then encrypt that traffic with IPsec between their access point and the remote office network server.
Data Integrity—While it is important that your data is encrypted over a public network, it is just as important to verify that it has not been changed while in transit. For example, IPsec has a mechanism to ensure that the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also involve authenticating the remote peer.
Data Origin Authentication—It is extremely important to verify the identity of the source of the data that is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of the sender.
Anti-Replay—This is the ability to detect and reject replayed packets and helps prevent spoofing.
Data Tunneling/Traffic Flow Confidentiality—Tunneling is the process of encapsulating an entire packet within another packet and sending it over a network. Data tunneling is helpful in cases where it is desirable to hide the identity of the device originating the traffic. For example, a single device that uses IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of the existing packets. By encrypting the original packet and header (and routing the packet based on the additional Layer 3 header added on top), the tunneling device effectively hides the actual source of the packet. Only the trusted peer is able to determine the true source, after it strips away the additional header and decrypts the original header. As the IPsec architecture specification notes, "...disclosure of the external characteristics of communication also can be a concern in some circumstances. Traffic flow confidentiality is the service that addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPsec context, using ESP in tunnel mode, especially at a security gateway, can provide some level of traffic flow confidentiality." All the encryption protocols listed here also use tunneling as a means to transfer the encrypted data across the public network. It is important to realize that tunneling, by itself, does not provide data security. The original packet is merely encapsulated inside another protocol and might still be visible with a packet-capture device if not encrypted. It is mentioned here, however, since it is an integral part of how VPNs function. Tunneling requires three different protocols.
Passenger protocol—The original data (IPX, NetBeui, IP) that is carried.
Encapsulating protocol—The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data.
Carrier protocol—The protocol used by the network over which the information is traveling.
The original packet (Passenger protocol) is encapsulated inside the encapsulating protocol, which is then put inside the carrier protocol's header (usually IP) for transmission over the public network. Note that the encapsulating protocol also quite often carries out the encryption of the data. Protocols such as IPX and NetBeui, which would normally not be transferred across the Internet, can safely and securely be transmitted.
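To make the three mechanisms above concrete (the integrity check, anti-replay, and tunnel-mode encapsulation), here is an added example in Python; it is not code from the Cisco document and not an IPsec implementation. It uses an HMAC as the integrity check value in place of a real cipher suite, a constructed 12-byte outer header standing in for the carrier protocol's IP header, and the sliding-window scheme of the IPsec architecture specification (window size 64; window check, then ICV check, then window update). Keys, addresses and the header layout are this example's own assumptions.

```python
"""Tunnel-mode encapsulation with integrity and anti-replay checks.

Added example, not code from the Cisco document. The whole original packet
(header and payload) is wrapped in a new outer header, a keyed hash over the
result serves as the integrity check value (ICV), and a sliding window of
sequence numbers rejects replayed or stale datagrams. Encryption is left out
so the example needs only the standard library; real IPsec ESP adds a cipher
such as AES. Header layout, key and addresses are constructed here.
"""
import hashlib
import hmac
import struct

WINDOW = 64                        # anti-replay window, in sequence numbers
OUTER = struct.Struct('!4s4sI')    # outer src, outer dst, sequence number
ICV_LEN = hashlib.sha256().digest_size


def encapsulate(key, seq, inner_packet, outer_src, outer_dst):
    """Tunnel mode: the original packet becomes the payload of a new packet
    addressed between the two gateways; an HMAC over everything is appended."""
    body = OUTER.pack(outer_src, outer_dst, seq) + inner_packet
    return body + hmac.new(key, body, hashlib.sha256).digest()


class TunnelReceiver:
    """Receiving gateway: verifies, de-encapsulates, and tracks which
    sequence numbers have already been accepted."""

    def __init__(self, key):
        self.key = key
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set: sequence number highest-i was accepted
        self.dropped = []    # (seq, reason) audit trail

    def _window_check(self, seq):
        """Return a drop reason, or None if the number is new and in range."""
        if seq == 0:
            return 'invalid sequence number'   # numbering starts at 1
        if seq > self.highest:
            return None                        # right of the window: new
        offset = self.highest - seq
        if offset >= WINDOW:
            return 'too old'                   # left of the window
        if self.bitmap & (1 << offset):
            return 'replay'                    # already accepted
        return None

    def _window_update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, datagram):
        """Return the original inner packet, or None if the datagram is dropped."""
        if len(datagram) < OUTER.size + ICV_LEN:
            self.dropped.append((None, 'truncated'))
            return None
        body, icv = datagram[:-ICV_LEN], datagram[-ICV_LEN:]
        _src, _dst, seq = OUTER.unpack(body[:OUTER.size])
        # 1. Cheap window check first, so a replay flood costs no HMAC work.
        reason = self._window_check(seq)
        if reason:
            self.dropped.append((seq, reason))
            return None
        # 2. Integrity: recompute the ICV and compare in constant time.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, icv):
            self.dropped.append((seq, 'integrity'))
            return None
        # 3. Only an authenticated packet advances the window, so a forged
        #    sequence number cannot push genuine packets out of it.
        self._window_update(seq)
        return body[OUTER.size:]       # strip the outer header


def demo():
    """Walk one tunnel through fresh, replayed and tampered packets."""
    key = b'constructed-demo-key-not-a-real-sa'
    gw_a, gw_b = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])   # documentation addresses
    inner = bytes([10, 0, 0, 5]) + bytes([10, 0, 1, 9]) + b'private LAN data'
    rx = TunnelReceiver(key)
    p1, p2, p3 = (encapsulate(key, n, inner, gw_a, gw_b) for n in (1, 2, 3))
    rx.receive(p1)
    rx.receive(p2)
    rx.receive(p1)                                   # replay of an accepted packet
    rx.receive(p3[:-1] + bytes([p3[-1] ^ 0x01]))     # one ICV bit flipped
    rx.receive(p3)                                   # genuine packet still accepted
    return rx.dropped


if __name__ == '__main__':
    for seq, reason in demo():
        print('dropped seq=%s: %s' % (seq, reason))
```

The order of the checks matters: a datagram that fails the ICV never updates the window, so an attacker cannot advance the receiver's sequence state with forged packets, and a replayed datagram is rejected before any cryptographic work is spent on it.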
For site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation (GRE). GRE includes information on what type of packet you are encapsulating and information about the connection between the client and server.
For remote-access VPNs, tunneling normally takes place using Point-to-Point Protocol (PPP). Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. PPP tunneling will use one of PPTP, L2TP or Cisco's Layer 2 Forwarding (L2F).
AAA—Authentication, authorization, and accounting is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured VPN client software can establish a secure connection into the remote network. With user authentication however, a valid username and password also has to be entered before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can provide authentication to numerous other databases such as Windows NT, Novell, LDAP, and so on.
When a request to establish a tunnel comes in from a dial-up client, the VPN device prompts for a username and password. This can then be authenticated locally or sent to the external AAA server, which checks:
Who you are (Authentication)
What you are allowed to do (Authorization)
What you actually do (Accounting)
The Accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
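The request flow just described, as an added Python example (not Cisco code): a tunnel request is authenticated against a salted password hash, authorized against a per-group network policy, and recorded for accounting. The user store, the policy, the event names and the PBKDF2 parameters are constructed for this example; a real VPN termination device would consult an external AAA server instead of an in-process dictionary.

```python
"""AAA decision flow for a VPN termination device.

Added example, not Cisco code. It models the three questions the text lists
(authentication, authorization, accounting) against an in-process user store
with constructed sample users and policy, standing in for an external AAA
server. Names and the password-hashing parameters are this example's own.
"""
import hashlib
import hmac
import ipaddress
import os
import time

PBKDF2_ROUNDS = 50_000   # work factor chosen for the example


def make_record(password, groups, salt=None):
    """Store only a salted PBKDF2 hash of the password, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, PBKDF2_ROUNDS)
    return {'salt': salt, 'hash': digest, 'groups': set(groups)}


# Constructed sample store and policy.
USERS = {
    'alice': make_record('correct horse battery staple', ['sales']),
    'bob': make_record('a-different-long-passphrase', ['contractors']),
}
# Authorization policy: the networks each group may reach through the tunnel.
POLICY = {
    'sales': [ipaddress.ip_network('10.0.0.0/8')],
    'contractors': [ipaddress.ip_network('10.20.0.0/16')],
}
ACCOUNTING = []   # what each user actually did


def authenticate(username, password):
    """Who you are: verify the password against the stored hash."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    salt = record['salt'] if record else bytes(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, PBKDF2_ROUNDS)
    return record is not None and hmac.compare_digest(digest, record['hash'])


def authorize(username, destination):
    """What you are allowed to do: is the destination inside a permitted network?"""
    address = ipaddress.ip_address(destination)
    for group in USERS[username]['groups']:
        if any(address in network for network in POLICY.get(group, [])):
            return True
    return False


def account(username, event, **details):
    """What you actually did: append an audit record."""
    ACCOUNTING.append({'time': time.time(), 'user': username, 'event': event, **details})


def tunnel_request(username, password, destination):
    """Handle one tunnel setup request and return the decision as a string."""
    if not authenticate(username, password):
        account(username, 'auth-fail')
        return 'rejected: authentication'
    if not authorize(username, destination):
        account(username, 'authz-denied', destination=destination)
        return 'rejected: authorization'
    account(username, 'tunnel-up', destination=destination)
    return 'accepted'


if __name__ == '__main__':
    print(tunnel_request('alice', 'correct horse battery staple', '10.5.5.5'))
    print(tunnel_request('bob', 'a-different-long-passphrase', '10.5.5.5'))
    for entry in ACCOUNTING:
        print(entry)
```

Every decision, including the refusals, lands in ACCOUNTING, which is what makes the accounting data useful for the auditing and reporting purposes mentioned above.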
Nonrepudiation—In certain data transfers, especially those related to financial transactions, nonrepudiation is a highly desirable feature. This is helpful in preventing situations where one end denies having taken part in a transaction. Much like a bank requires your signature before honoring your check, nonrepudiation works by attaching a digital signature to the sent message, thus precluding the possibility of sender denying participation in the transaction.
A number of protocols exist that can be used to build a VPN solution. All of these protocols provide some subset of the services listed in this document. The choice of a protocol depends on the desired set of services. For example, an organization might be comfortable with the data being transferred in clear text but extremely concerned about maintaining its integrity, while another organization might find maintaining data confidentiality absolutely essential. Their choice of protocols might thus be different. For more information on the protocols available and their relative strengths, refer to the documentation for each protocol.
Based on the type of VPN (remote-access or site-to-site), you need to put in place certain components to build your VPN. These might include:
Desktop software client for each remote user
Dedicated hardware such as a Cisco VPN Concentrator or a Cisco Secure PIX Firewall
Dedicated VPN server for dial-up services
Network Access Server (NAS) used by service provider for remote user VPN access
Private network and policy management center
Because there is no widely accepted standard for implementing a VPN, many companies have developed turn-key solutions on their own. For example, Cisco offers several VPN solutions that include:
VPN Concentrator—Incorporating the most advanced encryption and authentication techniques available, Cisco VPN Concentrators are built specifically for creating a remote-access or site-to-site VPN and ideally are deployed where the requirement is for a single device to handle a very large number of VPN tunnels. The VPN Concentrator was specifically developed to address the requirement for a purpose-built, remote-access VPN device. The concentrators provide high availability, high performance and scalability and include components, called Scalable Encryption Processing (SEP) modules, that enable users to easily increase capacity and throughput. The concentrators are offered in models suitable for small businesses with 100 or fewer remote-access users to large enterprise organizations with up to 10,000 simultaneous remote users.
VPN-Enabled Router/VPN-Optimized Router—All Cisco routers that run Cisco IOS software support IPsec VPNs. The only requirement is that the router must run a Cisco IOS image with the appropriate feature set. The Cisco IOS VPN solution fully supports remote access, intranet and extranet VPN requirements. This means that Cisco routers can work equally well when connected to a remote host running VPN Client software or when connected to another VPN device such as a router, PIX Firewall or VPN Concentrator. VPN-enabled routers are appropriate for VPNs with moderate encryption and tunneling requirements and provide VPN services entirely through Cisco IOS software features. Examples of VPN-enabled routers include the Cisco 1000, Cisco 1600, Cisco 2500, Cisco 4000, Cisco 4500, and Cisco 4700 series. Cisco's VPN-optimized routers provide scalability, routing, security, and Quality of Service (QoS). The routers are based on the Cisco IOS software, and there is a device suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation to large-scale enterprise needs. VPN-optimized routers are designed to meet high encryption and tunneling requirements and often make use of additional hardware such as encryption cards to achieve high performance. Examples of VPN-optimized routers include the Cisco 800, Cisco 1700, Cisco 2600, Cisco 3600, Cisco 7200, and Cisco 7500 series.
Cisco Secure PIX Firewall—The Private Internet eXchange (PIX) Firewall combines dynamic network address translation, proxy server, packet filtration, firewall, and VPN capabilities in a single piece of hardware. Instead of using Cisco IOS software, this device has a highly streamlined operating system that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP. As with Cisco routers, all PIX Firewall models support IPsec VPN. All that is required is that the licensing requirements to enable the VPN feature must be met.
Cisco VPN Clients—Cisco offers both hardware and software VPN clients. The Cisco VPN Client (software) comes bundled with the Cisco VPN 3000 Series Concentrator at no additional cost. This software client can be installed on the host machine and used to connect securely to the central site concentrator (or to any other VPN device such as a router or firewall). The VPN 3002 Hardware Client is an alternative to deploying the VPN Client software on every machine and provides VPN connectivity to a number of devices.
The choice of devices that you would use to build your VPN solution is ultimately a design issue that depends on a number of factors, including the desired throughput and the number of users. For example, on a remote site with a handful of users behind a PIX 501, you could consider configuring the existing PIX as the IPsec VPN endpoint, provided that you accept the 501's 3DES throughput of roughly 3 Mbps and its limit of a maximum of 5 VPN peers. On the other hand, on a central site acting as a VPN endpoint for a large number of VPN tunnels, choosing a VPN-optimized router or a VPN concentrator would probably be a good idea. The choice then depends on the type (LAN-to-LAN or remote access) and number of VPN tunnels being set up. The wide range of Cisco devices that support VPN provides network designers with a high degree of flexibility and a robust solution to meet every design need.
