Page 1 - Module 7: Implementing VPN
Page 2 - What Is Needed to Build a VPN?
Overlay and Peer-to-Peer VPN Architecture
VPN Topologies
Characteristics of a Secure VPN
VPN Security: Encapsulation
VPN Security: IPsec and GRE
VPN Security: Symmetric and Asymmetric Encryption
Page 3 - Virtual Private Networks (VPNs)
A virtual private network (VPN) is a concept that describes how to create a private network over a public network infrastructure while maintaining confidentiality and security.
VPNs use cryptographic tunneling protocols to provide sender authentication, message integrity, and confidentiality by protecting against packet sniffing.
VPNs can be implemented at Layers 2, 3, and 4 of the Open Systems Interconnection (OSI) model.
Page 4 - Virtual Private Networks (VPNs)
A virtual private network (VPN) creates a private connection, or network, between two endpoints.
This is a virtual connection because the physical means of connectivity has no bearing on the safety of the data involved.
IPsec adds a layer of protection to the data that travels across the VPN.
Page 5 - VPN Components
1. An existing network with servers and workstations
2. Connection to the Internet
3. VPN gateways (i.e., routers, PIX, ASA, VPN concentrators) that act as endpoints to establish, manage, and control VPN connections
4. Software to create and manage tunnels
Page 6 - Security: Encapsulation and Encryption
The key to VPN technology is security.
VPNs secure data by:
– encapsulating the data,
– or encrypting the data,
– or both encapsulating the data and then encrypting the data.
Encapsulation is also referred to as tunneling.
– Encapsulation transmits data transparently from network to network through a shared network infrastructure.
Encryption codes data into a different format.
– Decryption decodes encrypted data into the data's original unencrypted format.
Page 7 - Overlay VPNs
Service providers (SPs) are the most common users of the overlay VPN model.
The design and provisioning of virtual circuits (VCs) across the backbone is complete prior to any traffic flow.
In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to ...
Page 8 - Overlay VPNs
L2 overlay VPN:
– L2 overlay VPNs are independent of the network protocol used by the customer, meaning that the VPN is not limited to carrying IP traffic.
– If the carrier offers the appropriate ATM service, the overlay VPN will carry any kind of information.
– Frame Relay VPNs are normally limited to data applications, although voice over Frame Relay customer premises equipment (CPE) devices may be usable on some services.
Page 9 - Overlay VPNs
The overlay model includes L2 and L3 VPNs.
Page 10 - Extra: Layer 2-Based VPN Services
Page 11 - CPE-Based VPN (Peer-to-Peer)
CPE-based VPN is another name for an L3 overlay VPN.
The VPN is implemented using CPE.
The customer creates a VPN:
– across an Internet connection,
– without any specific knowledge or cooperation from the service provider.
The customer gains increased privacy using an inexpensive Internet connection.
The SP loses the opportunity for VPN service revenue.
Page 12 - SP-Provisioned VPN
Multiprotocol Label Switching (MPLS) combines:
– the benefits of overlay VPNs (security and isolation among customers),
– the benefits of the simplified routing of a peer-to-peer VPN.
Only the Provider Edge (PE) routers need to be provisioned to support the VPNs.
Note that MPLS VPNs cannot replace all VPN implementations, because MPLS only supports IP as the Layer 3 protocol. Other protocols, including IPX and AppleTalk, must be tunneled through the IP backbone.
MPLS will be discussed in Chapter 4.
Page 13 - VPN Topologies
Remote Access VPN
Site-to-Site VPNs
Page 14 - VPN Topologies
Remote Access VPN
Provides remote users access to an intranet or extranet over a ...
Page 15 - VPN Topologies
Remote Access VPN
The party negotiating a secure connection with the VPN gateway uses VPN client software.
The VPN client software allows telecommuters and traveling users to communicate on the central network and access servers from many different locations.
Tunnels are created using either:
– IPsec
– Point to Point Tunneling Protocol (PPTP) - Microsoft
– Layer 2 Tunnel Protocol (L2TP)
– Layer 2 Forwarding (L2F) Protocol - Cisco
Page 16
– Helps increase productivity and confidence by ensuring secure network access regardless of an employee's location.
Page 17 - Site-to-Site Intranet VPN
Site-to-Site Intranet VPNs allow access only to trusted employees.
Gateways at various physical locations within the same business negotiate secure tunnels across the Internet.
Page 18 - VPN Topologies
Site-to-Site Intranet VPN
Example:
– Data center or mainframe at the main office
– Remote offices have access to the data center
– Users from the networks on either side of the tunnel can communicate with one another as if the networks were a single network
These networks may need:
– strong encryption
– strict performance (QoS) and bandwidth requirements
Tunnels are created using either:
– IPsec
– IPsec/GRE
Page 20 - VPN Topologies
Site-to-Site Extranet VPN
Links the following parties to an enterprise customer's network over a shared infrastructure using dedicated connections:
– outside customers
– suppliers
– partners
– communities of interest
Extranet VPNs allow access to users who are outside the enterprise.
They use firewalls and VPN tunnels so that outside users:
– get secure access to specific data and resources,
– without gaining access to private corporate information.
Page 22 - Characteristics of a Secure VPN
Page 23 - Characteristics of a Secure VPN
Authentication
Ensures that a message:
– comes from an authentic source, and
– goes to an authentic destination.
VPN technologies make use of several reputable methods for establishing the identity of the party at the other end of a network:
– passwords
– digital certificates
– smart cards
– biometrics
Page 24 - Characteristics of a Secure VPN
Data confidentiality
Protecting data from eavesdroppers, i.e., from being intercepted by unauthenticated or unauthorized sources, using:
– encapsulation
– and encryption
Page 25 - Characteristics of a Secure VPN
Data integrity guarantees that between the source and destination:
– there is no tampering with or alteration of the data.
VPNs typically use one of three technologies to ensure data integrity:
– one-way hash functions
– message authentication codes (MACs)
– digital signatures
Page 26 - VPN Security: Encapsulation
The two major components of confidentiality:
– Encapsulation
– Encryption
Tunneling is the transmission of data through a public network so that routing nodes in the public network are unaware that the transmission is part of a private network.
Tunneling allows the use of public networks to carry data on behalf of users as though the users had access to a private network.
Page 27 - VPN Security: Encapsulation
VPNs build tunnels by:
– encapsulating the private network data and protocol information within public network protocol data;
– the tunneled data is not available to anyone examining the transmitted data frames.
Tunneling is the process of placing an entire packet within another packet and sending the new, composite packet over a network.
Page 28 - VPN Security: Encapsulation
Three different protocols that tunneling uses:
– Carrier protocol:
  • The protocol the information is traveling over
  • Frame Relay, PPP, ATM, etc.
Page 29 - VPN Security: IPsec and GRE
– IPsec secures traffic across the network for IP unicast only.
– GRE is used when multicast, dynamic IGP routing protocols, or non-IP protocols are required.
Page 30 - VPN Security: IPsec and GRE
Tunnel mode encrypts the header and the payload of each packet.
Transport mode only encrypts the payload.
GRE encloses the IP header and payload of packets with a ...
Page 31 - VPN Security: Symmetric and Asymmetric Encryption Algorithms
The primary methods of encryption are symmetric-key (or secret key) encryption and asymmetric (or public key) encryption.
Page 32 - VPN Security: Symmetric and Asymmetric Encryption Algorithms
Computing Power Requirements of Cryptographic Algorithms
Asymmetric encryption demands significantly more computing power than symmetric encryption. The longer the key is, the more processing power is used.
Typically, symmetric encryption is used to encrypt large amounts of data because it is far more efficient than asymmetric encryption.
Asymmetric encryption is typically used for authentication purposes.
Page 33 - Symmetric Encryption Algorithms
Symmetric algorithms come in two kinds: stream ciphers and block ciphers.
– Stream ciphers encrypt the bits of the message one at a time.
– Block ciphers take a number of bits and encrypt them as a single unit. A block cipher operates on fixed-length groups of bits, termed blocks, with an unvarying transformation.
Page 34 - Symmetric Encryption Algorithms
Page 35 - Symmetric Encryption Algorithms
Symmetric Encryption: DES
DES is now considered to be insecure for many applications, mainly because the 56-bit DES key size is too small. DES keys have been broken in less than 24 hours.
Page 36 - Symmetric Encryption Algorithms
Symmetric Encryption: 3DES
While 3DES has a key length of 168 bits (three 56-bit DES keys), its effective key length from a security point of view is only 112 bits.
Page 37 - Symmetric Encryption Algorithms
Symmetric Encryption: AES
AES, often referred to as the Rijndael cipher (pronounced "Rhine dahl"), is a block cipher that was adopted as an encryption standard by the U.S. government.
Page 38 - Asymmetric Encryption Algorithms
– RSA authenticates the remote device.
– Diffie-Hellman exchanges keys that are used for encryption.
Page 39 - Diffie-Hellman Key Exchange
User A and User B exchange public keys, and each performs a calculation on their own private key and on the other party's public key. The result of this process is an identical shared key. The shared key is used to encrypt and decrypt the data.
Page 40 - Diffie-Hellman Key Exchange
Page 41 - Diffie-Hellman Key Exchange
Page 42 - Diffie-Hellman Key Exchange
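The exchange described above, as an added example (editor's code, not from the slides): it uses the IKE Group 1 768-bit MODP prime from RFC 2409 with generator 2, checks that transcribed constant for primality before use, and shows both users arriving at the same shared value although neither private value is ever sent.

```python
import secrets

# IKE Group 1 (RFC 2409): the 768-bit MODP prime, generator 2. Transcribed by the
# editor, not from the slides; is_probable_prime() verifies it before any key use.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test with random bases; False means definitely composite."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(p=GROUP1_P, g=GROUP1_G):
    """Private value x and the public value g^x mod p that goes on the wire."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared(private, peer_public, p=GROUP1_P):
    """peer_public^private mod p; A and B compute the same number from the
    other side's public value and their own private value."""
    if not 1 < peer_public < p - 1:          # reject degenerate public values
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)

def demo():
    a_priv, a_pub = dh_keypair()             # User A
    b_priv, b_pub = dh_keypair()             # User B
    return dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)
```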
Page 44 - VPN Security: Authentication
Page 45 - VPN Security: Authentication
Authentication, authorization, and accounting (AAA) servers are used for more secure access in a remote-access VPN environment.
When a request comes in from a dialup client, the request is proxied to the AAA server.
AAA then checks and records the following:
– Who the client is (authentication)
– What the client is allowed to do (authorization)
– What the client actually does (accounting)
Page 46 - Module 7: Implementing VPN
Page 47 - Objectives
Page 48 - IPsec Security Features
IPsec secures transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet.
IPsec is a standard (RFC 2401-2412) that defines how a VPN can be created over IP networks. IPsec provides the following essential security functions:
Page 49 - IPsec Protocols and Headers
IPsec includes:
– One protocol for exchanging keys, called Internet Key Exchange (IKE); the keys it produces are used for symmetric encryption.
– Two IPsec IP protocols: Encapsulating Security Payload (ESP, IP protocol 50) and Authentication Header (AH, IP protocol 51).
In simple terms, IPsec provides secure tunnels between two peers, such as two routers.
These tunnels are sets of Security Associations (SAs) established between two remote IPsec peers.
The Security Associations define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers.
Security Associations are unidirectional and are established per security protocol in use (AH or ESP).
Page 50 - © 2010 Cisco Systems, Inc. All rights reserved.
Page 51 - IPsec Protocols and Headers
Page 52 - IPsec Protocols and Headers
Page 53 - IPsec Protocols and Headers
Page 54 - Manual IPsec
Page 55 - Internet Key Exchange
IKE uses UDP port 500.
IKE generates symmetric keys to be used by two IPsec peers.
IKE negotiates parameters such as the data to be protected, the strength of the keys, the hash methods used, and whether packets are protected from replay.
Page 56 - Internet Key Exchange
Page 57 - Internet Key Exchange
A security association (SA) requires the following:
– Internet Security Association and Key Management Protocol (ISAKMP): a protocol framework that defines the mechanics of implementing a key exchange protocol and negotiating a security policy. ISAKMP can be implemented over any transport protocol. The reference document for ISAKMP is RFC 2408.
– SKEME: a key exchange protocol that defines how to derive authenticated keying material with rapid key refreshment.
– OAKLEY: a key exchange protocol that defines how to acquire authenticated keying material. The basic mechanism for OAKLEY is the DH key exchange algorithm. The reference document is RFC 2412: The OAKLEY Key Determination Protocol.
Page 58 - Internet Key Exchange
IKE includes these features:
– Eliminates the need to manually specify all of the IPsec security parameters at both peers
– Allows specification of a lifetime for the IPsec SA
– Allows encryption keys to change during IPsec sessions
– Allows IPsec to provide anti-replay services
– Permits certification authority (CA) support for a manageable, scalable IPsec implementation
– Allows dynamic authentication of peers
Page 59 - IKE Phases and Modes
Page 60 - IKE Phases and Modes
Page 61 - IKE Phase 1: Management Tunnel Setup
The purpose of IKE Phase 1 is to create a secure management tunnel between two IPsec peers for the purpose of establishing, maintaining, and tearing down a VPN tunnel.
In IKE Phase 1, the following steps occur:
Step 1: Security Association negotiation and exchange. A secure communications channel is created between two IPsec peers through the negotiation and exchange of IKE policy information known as Security Associations (SAs). IKE Phase 1 SAs carry policy parameters in constructs called transforms. Transforms define the following:
– Encryption algorithm used: DES, 3DES, AES
– Hashing algorithm to be used (integrity check): MD5, SHA-1
– Authentication method to be used: preshared keys, Rivest, Shamir, and Adleman (RSA) certificates, or RSA nonces
– Mode (method of transferring the policy information): main or aggressive
– Diffie-Hellman key length: Group 1 (768-bit) or Group 2 (1024-bit)
Both sides must agree to the same parameters for all values defined in the transform, or no tunnel will be established.
Step 2: Diffie-Hellman key exchange. Used to allow both parties to create and exchange a shared secret key over an insecure channel. After the key is exchanged, all subsequent tunnel management traffic between the peers will be encrypted using the shared secret.
Step 3: Authentication. Peer authentication can be done using either preshared keys configured manually on both peers, RSA certificates using the PKI X.509 specification, or RSA nonces, which use random number generation, encryption, and exchanges to authenticate.
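Added example (editor's code, not from the slides) of the all-or-nothing rule in Step 1: the responder accepts an initiator transform only when every one of the five attributes matches one of its local policies, and `mismatches()` shows which attribute blocked a proposal. The peer policies below are constructed.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Transform:
    """One IKE Phase 1 proposal: the five attributes listed on the slide."""
    encryption: str   # "DES", "3DES", "AES"
    hash_alg: str     # "MD5", "SHA-1"
    auth: str         # "preshared", "rsa-sig", "rsa-nonce"
    mode: str         # "main", "aggressive"
    dh_group: int     # 1 = 768-bit, 2 = 1024-bit

def negotiate(initiator_proposals, responder_policies):
    """Walk the initiator's transforms in the order offered and accept the first
    one that equals a responder policy in every attribute; else no Phase 1 SA."""
    for proposal in initiator_proposals:
        if proposal in responder_policies:   # dataclass equality: all five fields
            return proposal
    return None   # no common transform: Phase 1 fails, no tunnel is built

def mismatches(proposal, policy):
    """Attribute-by-attribute diff; the thing to read when Phase 1 fails."""
    return [f.name for f in fields(Transform)
            if getattr(proposal, f.name) != getattr(policy, f.name)]

# Constructed sample policies for two peers (hypothetical, not from the slides).
INITIATOR = [
    Transform("AES", "SHA-1", "rsa-sig", "main", 2),
    Transform("3DES", "MD5", "preshared", "main", 1),
]
RESPONDER = [
    Transform("AES", "SHA-1", "preshared", "main", 2),   # only "auth" differs
    Transform("3DES", "MD5", "preshared", "main", 1),
]

def demo():
    """Returns the agreed transform: the weaker second proposal, because the
    first one differs from the responder's policy in a single attribute."""
    return negotiate(INITIATOR, RESPONDER)
```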
Page 62 - IKE Phase 2: IPsec Tunnel Setup
The purpose of IKE Phase 2 is to create a VPN tunnel between two IPsec peers for the purpose of exchanging data across a secure channel over an untrusted network. IKE Phase 2 is conducted over the secure channel created in IKE Phase 1.
In IKE Phase 2, the following steps occur:
Step 1: SA negotiation and exchange. To establish the IPsec tunnel, both peers must negotiate and agree upon a security policy. Just as in IKE Phase 1, SAs must be established that define how packets are to be processed when they are received from the IPsec peer. This is done through the definition and exchange of transforms. Transforms for IKE Phase 2 define the following:
– Encryption algorithm: DES, 3DES, or AES
– Authentication (integrity) algorithm: MD5 or SHA-1
– IPsec protocol: Encapsulating Security Payload (ESP) or Authentication Header (AH)
– Mode: transport or tunnel
– Lifetime of the SA
After the policy is defined and agreed upon by both ends, each participant creates an SA for the session containing all the defined parameters and stores the information in its security policy database. It is important to note that the security policy has to be identical for each participant on either end of the tunnel. The SA is used when a packet arrives to define the processing that is required to decrypt and authenticate the data. To ensure that the correct policy is applied to a received packet, each packet sent across a VPN tunnel carries a Security Parameter Index (SPI). The SPI is used to look up the appropriate security policy in the database for that peer so that the correct policy is applied to the packet.
Step 2: IPsec peers can change security policy parameters associated with a session through the renegotiation of SAs. The Diffie-Hellman key can also be renegotiated, but only if Perfect Forward Secrecy (PFS) has been enabled.
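Added example (editor's code, not from the slides) covering the unidirectional SAs of page 49 and the SPI lookup described here: an SA database keyed by (destination, SPI, protocol) with ESP as IP protocol 50 and AH as 51, plus the sliding-window anti-replay check that IKE negotiates for each SA. Addresses, SPIs and header bytes used with it are constructed.

```python
import struct

ESP, AH = 50, 51  # IP protocol numbers of the two IPsec protocols

class SecurityAssociation:
    """One direction of a tunnel: policy for packets carrying this SPI, plus anti-replay state."""
    def __init__(self, spi, protocol, algorithms, window=64):
        self.spi, self.protocol, self.algorithms = spi, protocol, algorithms
        self.window = window
        self.highest_seq = 0  # largest sequence number accepted so far
        self.bitmap = 0       # bit i set => highest_seq - i already seen

    def check_replay(self, seq):
        """Sliding-window anti-replay check; True accepts and records seq."""
        if seq == 0:          # ESP/AH sequence numbers start at 1
            return False
        if seq > self.highest_seq:  # window slides forward
            shift = seq - self.highest_seq
            mask = (1 << self.window) - 1
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window or (self.bitmap >> offset) & 1:
            return False      # too old, or this exact seq was seen before
        self.bitmap |= 1 << offset
        return True

class SADatabase:
    """SAs are unidirectional and keyed by (destination, SPI, protocol);
    a two-way tunnel therefore holds two entries, one per direction."""
    def __init__(self):
        self._sas = {}

    def add(self, dst, sa):
        self._sas[(dst, sa.spi, sa.protocol)] = sa

    def process_inbound(self, dst, protocol, header):
        """ESP puts SPI + sequence number first; AH after a 4-byte preamble."""
        off = {ESP: 0, AH: 4}.get(protocol)
        if off is None or len(header) < off + 8:
            return "not-ipsec", None
        spi, seq = struct.unpack("!II", header[off:off + 8])
        sa = self._sas.get((dst, spi, protocol))
        if sa is None:
            return "no-sa", None   # unknown SPI for this peer: discard
        if not sa.check_replay(seq):
            return "replay", sa
        return "accept", sa        # decrypt/authenticate per sa.algorithms
```

A real stack only updates the replay window after the integrity check succeeds; the order is simplified here to keep the lookup itself visible.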