1 Network Security 2, Module 3: VPN and Encryption Technology
© 2006 Cisco Systems, Inc. All rights reserved.

2 Lesson 3.3 Implementing Digital Certificates (Module 3: VPN and Encryption Technology)

3 Certificate authority support

4 Certificate authority support
- Restrictions
  - A CA should be configured only when both IPSec and ISAKMP are configured in the network.
  - Cisco IOS does not support CA server public keys greater than 2048 bits.
- Prerequisites
  - A CA must be available to the network.
  - The CA must support the Simple Certificate Enrollment Protocol (SCEP).

5 Simple Certificate Enrollment Protocol (SCEP)
- The protocol is designed to make the issuing and revocation of digital certificates as scalable as possible.
- The idea is that any standard network user should be able to request a digital certificate electronically and as simply as possible.
- These processes have usually required intensive input from network administrators, and so have not been suited to large-scale deployments.
- SCEP provides two authentication methods: manual authentication and authentication based on pre-shared secret keys.

6 CA Server Support

7 Asymmetric Encryption

8 Entrust

9 VeriSign OnSite

10 UniCERT (Baltimore Technologies)

11 Microsoft CA

12 Enroll a device with a CA

13 Lesson 3.4 VPN Topologies (Module 3: VPN and Encryption Technology)

14 VPNs
- A VPN provides remote users with the same network connectivity over a public infrastructure as they would have over a private network.
- VPN services for network connectivity include authentication, data integrity, and confidentiality.
- Two basic VPN types:
  - LAN-to-LAN (site-to-site) VPNs: intranet VPNs and extranet VPNs.
  - Remote access VPNs: connect remote users, such as mobile users and telecommuters, to the enterprise.

15 Site-to-site VPNs

16 Remote access VPNs
- There are two types of remote access VPNs:
  - Client-initiated: remote users use a VPN client or web browser to establish a secure tunnel across a public network to the enterprise.
  - NAS-initiated: remote users dial in to an ISP Network Access Server (NAS). The NAS establishes a secure tunnel to the enterprise private network that might support multiple remote user-initiated sessions.

17 Remote access VPNs

18 Lesson 3.5 VPN Technologies (Module 3: VPN and Encryption Technology)

19 VPN technology options

20 VPN technology options
- When encryption is implemented at one layer, that layer and all layers above it are automatically protected.
- Network layer protection offers one of the most flexible solutions.
- It is media independent as well as application independent.

21 WebVPN

22 WebVPN
- Lets users establish a secure, remote-access VPN tunnel to a head-end device using a web browser.
- Not a replacement for IPSec, but widens application availability.
- No need for either a software or hardware client.
- Provides easy access to a broad range of enterprise applications.
- WebVPN uses the SSL protocol and its successor, TLS.

23 WebVPN Features

24 WebVPN and IPSec comparison

25 Tunneling Protocols

26 Tunneling Protocols: L2TP
- Cisco used Layer 2 Forwarding (L2F) as its proprietary tunneling protocol.
- L2TP is entirely backwards compatible with L2F; L2F is not forward compatible with L2TP.
- L2TP is a combination of Cisco L2F and the Microsoft Point-to-Point Tunneling Protocol (PPTP).
- Microsoft supports PPTP in its earlier versions of Windows and PPTP/L2TP in Windows NT/2000/XP.
- L2TP allows users to invoke corporate security policies across any VPN link as an extension of their internal networks.
- L2TP is best suited for remote access VPNs that require multiprotocol support.

27 Tunneling Protocols: GRE
- The Cisco GRE multiprotocol carrier encapsulates IP, CLNP, IPX, AppleTalk, DECnet Phase IV, and XNS inside IP tunnels.
- Creates a virtual point-to-point link between routers across an IP cloud.
- GRE is best suited for site-to-site VPNs that require multiprotocol support.
- GRE is typically used to tunnel multicast packets, such as routing protocol traffic.

28 Tunneling Protocols: IPSec
- Is the choice for secure corporate VPNs.
- Supports IP unicast traffic only.
- For multiprotocol or IP multicast tunneling, another tunneling protocol must be used.
- Neither L2TP nor GRE supports data encryption or packet integrity.
- IPSec can be used in combination with them to provide encryption, as in L2TP/IPSec and GRE/IPSec.
- If only IP unicast packets are tunneled, the simple encapsulation provided by IPSec is sufficient.

29 Tunneling Protocols: MPLS
- MPLS is a VPN technology.
- Implemented by ISPs and large corporations.
- Uses label switching and label switched paths over various link level technologies: Packet-over-SONET, Frame Relay, ATM, and LAN technologies.
- Includes procedures and protocols for the distribution of labels between routers, encapsulations, and multicast considerations.

30 Selecting VPN Technologies

31 Tunneling Interfaces
- Provide a point-to-point connection between two routers through a virtual software interface.
- Appear as one direct link between routers, hiding the underlying infrastructure.
- Should not be confused with IPSec or L2TP tunnels, which can act as tunnels but not as true Cisco IOS interfaces.

32 GRE Tunnel

33 Lesson 3.6 IPSec (Module 3: VPN and Encryption Technology)

34 What Is IPsec?
- IPsec is the IETF standard that enables encrypted communication between peers.
  - Consists of open standards for securing private communications.
  - Ensures data confidentiality, integrity, and authentication through network layer encryption.
  - Scales from small to very large networks.
(Figure labels: IPsec, Internet)

35 AH and ESP

36 IPSec Header

37 Options for the IPSec framework
- AH and ESP use symmetric secret key algorithms, although public key algorithms are feasible.
- The IPSec framework provides data integrity, authentication, and confidentiality, as well as security association and key management.

38 Advantages of IPSec

39 Authentication Header (AH)
- Used to provide connectionless integrity and data origin authentication for IP datagrams, and to provide protection against replays.
- Provides authentication for as much of the IP header as possible, as well as for upper level protocol data.
- AH is defined as IP protocol 51.
- May be applied alone, in combination with ESP, or in a nested fashion through the use of tunnel mode.
- ESP may be used to provide the same security services, and it also provides a confidentiality, or encryption, service.
- The primary difference between the authentication services provided by ESP and AH is the extent of the coverage.
- ESP does not protect any IP header fields unless ESP encapsulates those fields, as it does in tunnel mode.

40 AH Generation in IPSec

41 AH Header Fields
- The following are reasons to use AH even though ESP seems to provide all the security services:
  - Requires less overhead than ESP.
  - Is never export-restricted.
  - Is mandatory for IPv6 compliance.

42 Encapsulating Security Payload (ESP)
- Used to provide confidentiality, data origin authentication, connectionless integrity, and an anti-replay service.
- Confidentiality may be selected independently of all other services.
- However, use of confidentiality without integrity/authentication, either in ESP or separately in AH, may subject traffic to certain forms of active attack.
- ESP is defined as IP protocol 50.

43 Encapsulating Security Payload (ESP)
- Data origin authentication and connectionless integrity are joint services, offered as an option in conjunction with optional confidentiality.
- The anti-replay service may be selected only if data origin authentication is selected; its selection is solely at the discretion of the receiver.
- The anti-replay service is effective only if the receiver checks the sequence number.
- Traffic flow confidentiality requires selection of tunnel mode.
- Although both confidentiality and authentication are optional, at least one of them must be selected.

44 Encapsulating Security Payload (ESP)
- One of the most important values is the Security Parameters Index (SPI), which keeps track of the current SA between two IPSec devices.
- Encryption is done with DES or 3DES.
- Optional authentication and integrity are provided with HMAC: keyed SHA-1 or keyed MD5.
- There are two different key types contained in the SA: encryption session keys and HMAC session keys.

45 Tunnel and transport modes
- Transport mode: each end host does IPSec encapsulation of its own data, host-to-host.
- Tunnel mode: IPSec gateways provide IPSec services to other hosts in peer-to-peer tunnels. End hosts are not aware of IPSec being used.

46 Tunnel and transport modes
- ESP and AH can be applied to IP packets in transport mode and tunnel mode.
- In transport mode, security is provided only for the transport layer and above.
  - Protects the payload of the packet but leaves the original IP address in the clear.
  - The original IP address is used to route the packet through the Internet.
- Tunnel mode provides security for the whole original IP packet.
  - The original IP packet is encrypted.
  - The encrypted packet is encapsulated in another IP packet.

47 AH Header in Transport mode

48 AH Header in Tunnel Mode

49 ESP in Transport mode

50 ESP in Tunnel mode

51 Security associations
- Represent a policy contract between two peers.
- Contain all the security parameters to securely transport packets between the peers.
- Practically define the security policy used in IPSec.
- An SA is a prerequisite for IPSec traffic protection to work.
- SAs always contain unidirectional, or one-way, specifications.
- SAs are encapsulation protocol specific.

52 Security associations
- An SA contains the following security parameters:
  - Authentication/encryption algorithm, key length and other encryption parameters
  - Session keys for authentication (HMACs) and encryption
  - Specification of the network traffic to which the SA will be applied
  - IPSec AH or ESP encapsulation protocol and tunnel or transport mode
- Security Parameters Index (SPI)
  - A 32-bit number that identifies each established SA.
  - Identifies a particular SA in the SADB.
  - Finally, SPIs are written into IPSec packet headers to locate the appropriate SA on the receiving system.
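The SPI lookup and receiver-side sequence number check described on the ESP slides (43 and 44) and on this slide, as an added Python example that is not part of the Cisco course material: it reads the SPI and sequence number from the first eight bytes of an ESP packet, finds the inbound SA in a small SADB keyed by SPI, and applies a sliding anti-replay window. The SADB entries and packets are constructed for the example; the 64-packet window and the rule that the window only moves after the ICV has verified follow RFC 4303, and the integrity check itself is assumed to have already passed.

```python
import struct
from dataclasses import dataclass

ESP_HEADER = struct.Struct("!II")   # SPI and sequence number, both 32-bit, network byte order
WINDOW = 64                         # receiver's anti-replay window in packets (RFC 4303 minimum is 32)

@dataclass
class InboundSA:
    """Minimal inbound ESP SA: identified by its SPI, carrying algorithms and replay state."""
    spi: int
    cipher: str           # constructed values, e.g. "3des-cbc"; nothing is negotiated here
    integrity: str        # e.g. "hmac-sha1"
    highest_seq: int = 0  # highest sequence number accepted so far (right edge of the window)
    seen: int = 0         # bitmap: bit k set means highest_seq - k was already accepted

def parse_esp(packet):
    """Return (spi, seq) from the first 8 bytes of an ESP (IP protocol 50) packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)

def check_and_update_window(sa, seq):
    """Sliding-window anti-replay check; True if seq is new, and it is then recorded.
    Assumes the ICV verified: an unauthenticated sequence number must never move the window."""
    if seq == 0:
        return False                       # sequence number 0 is never valid on an ESP SA
    if seq > sa.highest_seq:               # right of the window: slide it forward
        shift = seq - sa.highest_seq
        sa.seen = (sa.seen << shift) & ((1 << WINDOW) - 1) if shift < WINDOW else 0
        sa.seen |= 1
        sa.highest_seq = seq
        return True
    offset = sa.highest_seq - seq
    if offset >= WINDOW:
        return False                       # left of the window: too old, drop
    if sa.seen & (1 << offset):
        return False                       # inside the window but already seen: replay
    sa.seen |= 1 << offset
    return True

def receive(sadb, packet):
    """Inbound processing for one ESP packet: SA lookup by SPI, then the replay check."""
    spi, seq = parse_esp(packet)
    sa = sadb.get(spi)
    if sa is None:
        return "no-sa"                     # no matching SA: drop and log, never guess one
    if not check_and_update_window(sa, seq):
        return "replay"
    return "accept"

def esp_packet(spi, seq):
    """Constructed test packet: ESP header plus 16 bytes standing in for ciphertext and ICV."""
    return ESP_HEADER.pack(spi, seq) + b"\x00" * 16
```

Feeding the sequence 1, 1, 5, 3, 3, 100, 5 to `receive` with one constructed SA shows the three outcomes: the repeats and the packet that has fallen off the left of the window are rejected, everything else is accepted.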

53 SA Security Parameters

54 Five steps of IPSec
- IPSec protects the desired data with the necessary security services and algorithms.
- Five primary steps:
  - Interesting traffic initiates the IPSec process.
  - IKE Phase One authenticates the IPSec peers and negotiates the IKE SAs.
  - IKE Phase Two negotiates the IPSec SA parameters and sets up matching IPSec SAs in the peers.
  - Data transfer phase: data is transferred with the IPSec parameters and keys stored in the SA database.
  - IPSec tunnel termination: by deletion or by timing out.

55 IKE
- In IKE Phase One, in main or aggressive mode, the peers:
  - Negotiate an IKE protection suite
  - Authenticate each other
  - Exchange keying material to protect the IKE session
  - Establish the IKE SA
- Then in IKE Phase Two, in quick mode, the peers:
  - Negotiate IPsec policies
  - Exchange keying material for the IPsec SAs
  - Establish the IPsec SAs

56 IKE Phase One
- Runs in main or aggressive mode.
- The mode used is implementation and situation dependent.
- IKE main mode: ISAKMP uses six messages to establish the IKE SA.
  - SA negotiation, Diffie-Hellman key exchange, and authentication of the peers.
  - Hides the identity of the IKE peers from eavesdroppers.
  - Can use the protocol's negotiation capabilities to the fullest.
- Aggressive mode takes half the number of messages.
  - Offers less negotiating flexibility.
  - The initiating peer proposes a list of policies, and the responder accepts a policy or rejects the offers.
  - Does not provide peer identity protection.
  - Much faster than IKE main mode.
  - Used mainly when security policies are well known on both peers.

57 IKE Phase Two
- Used to negotiate and establish SAs for other protocols, such as AH and ESP for IPSec.
- Only operates in one defined mode: quick mode.
- The IKE initiator presents a list of IPSec policy proposals and the IKE responder chooses an acceptable proposal.
- Quick mode is quite fast, with almost no noticeable delay.
- Once an IKE SA is in place, only quick mode exchanges are used to negotiate additional IPsec SAs or to rekey established IPsec SAs.

58 Five steps of IPSec

59 Internet Key Exchange (IKE)
- IKE enhances IPSec by providing additional features and flexibility.
- Hybrid protocol: Oakley key exchange and SKEME key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework.
- IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
- IKE Mode Configuration allows a gateway to download an IP address to the client.
  - Using this exchange, the gateway gives IP addresses to the IKE client to be used as the inner IP address encapsulated under IPSec.
  - Provides a known IP address for the client, which can be matched against IPSec policy.

60 IKE Benefits
- Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.
- Allows administrators to specify a lifetime for the IPSec security association.
- Allows encryption keys to change during IPSec sessions.
- Allows IPSec to provide anti-replay services.
- Permits CA support for a manageable, scalable IPSec implementation.
- Allows dynamic authentication of peers.

61 IKE Authentication
- Each peer must be sure that it is talking to the correct peer before negotiating traffic protection (IPSec) policies with it.
- Mutual authentication is accomplished using the two-way authentication methods available with IKE.
- IKE provides three defined methods for two-way authentication:
  - Authentication using a pre-shared secret
  - Authentication using RSA encrypted nonces
  - Authentication using RSA signatures

62 IOS IKE and IPSec Flowchart

63 Cisco VPN solutions
- IPsec VPN capabilities are included in many models of Cisco routers, as well as in the PIX Security Appliance.
- ASA
- NM
- VAC+
- FW 6500

64 Q and A
