- 1 - S 21. Directory-based Administration of Virtual Private Networks: Policy & Configuration. Charles A Kunzinger.

Transcription

1 - 1 - S 21 Diretory-based Administration of Virtual Private Networks: Poliy & Configuration Charles A Kunzinger kunzinge@us.ibm.om

2 - 2 - Clik here Agenda to type page title What is a VPN? What is VPN Poliy? "Box Configuration" & "Network Configuration" Shemas: Unambiguous desriptions Some examples Future Work

3 - 3 - What is a VPN? Clik here to type Remote page title Branh Offie or Corporate Intranet User Another Company's Intranet Internet / Other Publi Network A VPN (Virtual Private Network) is an extension of an enterprise's private intranet, aross a publi network (suh as the Internet), reating a seure onnetion enrypt the user's datagrams validate the user's datagrams authentiate the soure of the datagrams establish & maintain ryptographi serets

4 - 4 - VPN Customer Value Clik here to type page title Corporate Intranet Remote User Branh Offie or Another Company's Intranet Internet / Other Publi Network Easy, seure aess to enterprise networks and resoures: Remote users and remote loations an aess required information whenever they need to and from wherever they are Worldwide Aess: Internet aess is available worldwide, where other forms of onnetivity may be either not available or may be more expensive Cost Savings: Cost effetive aess to the Internet via a loal all to an ISP, versus expensive leased lines, long-distane alls and toll-free telephone numbers Estimated 20%-47% savings in WAN osts and 60%-80% savings in remote aess dial-up osts, per Infonetis Researh, In

5 VPN Business Opportunities Remote Aess Branh Offie Connetion Business Partner/Supplier Network Corporate Intranet Corporate Intranet Corporate Intranet Internet Internet Internet Remote User Branh Offie Intranet Business Partner/Supplier Intranets Remote Aess Senario Problems: High administrative workload ost, expensive 800 or long distane osts Solutions: VPNs exploit world-wide ISP reah and lower onnetivity and administrative osts Branh Offie Connetion Senario Problems: Expensive Leased Line onnetions or part-time dial onnetions to home offie Solutions: VPNs provide 24-hour ease-of-use onnetivity via inexpensive Internet links Business Partner/Supplier Network Senario Problems: Set-up/operational ost prohibitively high for smaller business partners; geographi limitations Solutions: VPNs provide global, seure, ost-effetive, end-to-end inter-ompany ommuniation via Internet

6 Where Does IPSe Fit? Appliations TCP/UDP IP S-MIME S-HTTP SET IPSe (ISAKMP) Others... SOCKS V5 SSL TLS IPSe (AH, ESP), paket filtering, tunneling Network Interfae CHAP, PAP,MS-CHAP Network Layer (AH, ESP) protets user data Appliation Layer (ISAKMP) manages seurity assoiations and seurely generates and refreshes ryptographi keys

7 Seurity Taxonomy Seurity Cryptography Algorithms (AH, ESP) Shared Key Message Digest Publi/Private Key Pairs Seurity Servies Confidentiality Authentiation Integrity Replay Protetion Management Key Management Key Distribution Certifiates Seurity Assoiation (ISAKMP)

8 - 8 - Clik here Poliy to type Issues page title There are three: What should it be: eah ompany must analyze its own situation and set its own poliy Where it should be defined: per-box entralized, network-entri How it should be stored: LDAP Shema Retrieval methods

9 - 9 - Clik Who here sets to VPN type Poliy? page title VPN's owner-operator sets the poliy: Membership Aess ontrols Seurity details: enryption requirements authentiation requirements allowable protools: http, ftp, telnet,..., mail VPN's members (lients, servers, gateways) exeute poliy, but do not set it: Centralized database with single point of ontrol Download box onfigurations, whih arry out the VPN poliy

10 Clik here to type page title Company seurity poliy: profiles, natural language desriptions, VPN topology,... Gui/Shema Mapping VPN Poliy LDAP Flows with IPSe onfig data Map "Poliy" into GUI into VPN Shema Pre-defined profiles for typial onfigurations: Branh Offie Interonnet Supplier Networks Remote Aess Centralized definition for all IPSe boxes in a given VPN onsisteny heking ompany-wide definition Database management: individual boxes "pull in" their own onfiguration data onfiguration data must be authentiated, but not neessarily kept onfidential Central Repository

11 Box & Network Configuration Clik here to type page title Today most boxes are onfigured on an individual basis: Firewalls guard your perimeter, regardless of what's done (or not done) at the far end of the ommuniations path In today's VPN world, pairwise onfiguration of boxes is the norm: same algorithms, shared keys, et. In tomorrow's VPN world, network-wide onfiguration of boxes will be ritial: "Branh Offie" is a mesh onnetion "Business Partner" typially involves multiple enterprises "Remote Users" may aess their home networks or their business partners' networks A given box may simultaneously partiipate in multiple senarios

12 Box & Network Configuration... Clik here to type page title Remote Aess Corporate Intranet Remote Site Internet Business Partner A given box may partiipate in multiple VPNs: e.g., Branh Offie and Supplier Networks Eah box (lient, server, gateway) has its own Shema The olletion of individual Shemas must implement a ompany's network-wide poliy onsistently

13 Poliy, Clik here Parameters, to type page & Shema title Poliy: desribes what you want your VPN to do for you Parameters: detailed box-speifi values that IPse/IKE must instantiate Shema: formal mehanism to desribe how IPSe and IKE onfiguration will be stored in the ommon database, for eventual retrieval via LDAP mehanisms

14 IPSe Shema Clik here to type page title Voabulary is largely "IPse-speifi": preise tehnial meanings ould be daunting to "non-experts" Standardized, open desription of the onfiguration of a single VPN-apable box Two types of objets are desribed: Generi: an apply to many Seurity Assoiations; reusable; unambiguous depition of orporate VPN poliy Traffi-speifi: define the end points between whih a given SA an be instantiated; link topology to abstrat poliy

15 VPN Shema Overview Clik here to type page title Poliy Rule Traffi Profile Traffi Profile Traffi Profile ISAKMP Ation IPse Ation Validity Period Validity Period Phase 2 Phase 1 ISAKMP Proposal ISAKMP Proposal IPSe Proposal IPSe Proposal IPSe Proposal IPSe Proposal D-H Group D-H Group IPSe Transform Legend: Independent of end points End point speifi

16 Shema Model Clik here to type page title If (onditions met) then (take indiated ation) Conditions: Traffi Profile: soure & destination addresses, ports, interfaes, protools, ID Validity Period IPSe Ation: proxies' addresses, ports, protools Ations: ISAKMP Ation IPSe Ation

17 Shema Classes... Clik here to type page title A single Poliy Rule an point to: multiple Traffi Profiles multiple Validity Periods single ISAKMP Ation single IPSe Ation ISAKMP Ation: Phase 1 exhange mode, lifetimes, publi key (ertifiate) information, pointer to "ISAKMP Proposals" ISAKMP Proposal: algorithms & authentiation methods, lifetimes, D-H group. (multiple per "ISAKMP Ation") IPse Ation: proxy info, tunnel end point, lifetimes, pointer to protetion suites, pointer to a oupled "ISAKMP Proposal". IPSe Transforms: algorithm details, lifetimes, D-H group. (multiple per "IPSeAtion") D-H Group: general D-H group harateristis; pointed to by "IPSe Proposals" and "ISAKMP Proposals There ae some "non-standards" items in the Shema: ISAKMP Connetion "Lifetime" for ISAKMP Connetion as well as for ISAKMP SA Override values for Lifetimes

18 Branh Offie Senario Clik here to type page title H1 H3 SG IKE SA IPSe SA SG1 H2 Only SG1 and SG2 have VPN Shemas Phase 1 SA terminates at SG1 & SG2 Phase 2 SA(s) terminate at SG1 and SG2 If a multiple host pairs levy the same speial requirements on the Gateways, then appropriate "proxy info" must be inluded in the IPSe Ation defined in both SG1's and SG2's shema If multiple host pairs levy different speial requirements on the Gateways, then multiple Poliy Rules must be reated

19 Supplier Network (Nested Tunnels) Clik here to type page title IKE SA H1 IKE SA SG1 IPSe SA SG2 IPSe SA H2 Independent IKE negotiations: SG1 & SG2 have a set of SAs between them H1 and H2 have a set of SAs between them H1-H2 SAs are nested inside SG1-SG2 IPSe SA SG1-SG2 IPSe SA(s) must inlude "proxy info" on intranet end points: eah "proxy pair" needs a different SG1-SG2 IPSe SA eah different IPSe SA implies a separate IPSe Ation eah IPSe Ation implies a distint Poliy Rule......and so on as we get into even more omplex examples

20 Box Configuration Impliations... Clik here to type page title A VPN Shema alone is not suffiient to guarantee network-wide onsistent poliy: It guarantees unambiguous "per-box" desriptions of IPSe harateristis It does not guarantee aeptable end-to-end results In previous two examples, a network topology diagram was needed to visualize the orret "shema" to onstrut If boxes are onfigured individually, then eah administrator must work off the same topology diagram, inluding the speifi IP address & port information Boxes that partiipate in all three IBM senarios (Branh Offie, Supplier, Remote Aess) will be espeially diffiult to onfigure aurately

21 Clik Poliy here to Questions... type page title Mehanisms for a box to retrieve its own onfiguration information from Diretory? Mehanisms for heking onsisteny aross a large set of individually onfigured boxes? outright misonfiguration errors (e.g., does eah rule have a "mirror image"?) overlapping poliy rules (what breaks the ties?) Consisteny of terminology between GUI panels and LDAP Shema? Mapping of GUI entries into the Shema formats?

22 IBM Clik VPN here Poliy to type Groundrules page title Sine "Shema" is to be an open standard, it takes preedene over GUIs IBM GUIs must demonstrate one-to-one mapping onto the VPN Shema All profiles possible that an be onfigured with a GUI must map into a mathing Shema GUIs need not support all profiles that are possible under VPN Shema GUI terminology must be ommon aross all IBM VPN produts, but an use more"olloquial" terms than the Shema

23 Clik Sanity here to Chek... type page title Define a benhmark "omplex VPN onfiguration" involving: lients, servers, firewalls, and routers elements from all senarios: branh offie, supplier, remote aess Demonstrate "per box" onfiguration using GUI Produe omposite LDAP VPN Shema Learn from our mistakes...

24 Sample Configuration Clik here to type page title H2 H1 Example VPN Poliy GW1 1. GW1 and GW2 must enrypt and authentiate from all hosts, exept from H2 and H3, that flows between GW1 and GW2, using DES and HMAC-MD5. Keys must be refreshed at least one every 20 minutes. 2. Traffi from H1 to H2 must be enrypted and authentiated end-to-end using 3DES and HMAC-SHA1. Keys must be refreshed at least one very 10 minutes with PFS. 3. Traffi between H2 nd H3 must be authentiated by GW2 and GW1. Keys must be refreshed with PFS one every 60 minutes. 4. GW1 must rejet all traffi from the "blue" intranet exept for pakets from H1. And GW1 and GW3 must authentiate trafi flowing between themselves. 5. GW2 must rejet all traffi to or from the "non-yellow" intranets. GW3 INTERNET GW2 H3

25 Future Work Clik here to type page title LDAP-based "VPN Shema" aepted by IETF by 1Q'99 (industry-wide goal) IBM "Value-Adds" for VPNs: Develop user-friendly front-end network onfiguration tool--"point & lik" will: Apply named poliy elements between speifi VPN-enabled boxes Automatially generate orresponding VPN shema and load into entral database Develop automated onsisteny heker for VPN Poliy aross large numbers of boxes