Network Security CSN11111


1 Network Security CSN11111, VPN part 2, 12/11/2010, r.ludwiniak@napier.ac.uk


3 Five Steps of IPSec

4 Step 1 - Interesting Traffic
[Figure: Host A - Router A - Router B - Host B. Traffic leaving Host A is classified at Router A as Apply IPSec, Discard, or Bypass IPSec.]

5 Step 2 - IKE Phase 1
[Figure: Host A - Router A - Router B - Host B; IKE Phase 1 main mode exchange between Router A and Router B.]
Each peer negotiates the policy, performs the Diffie-Hellman exchange, and verifies the peer identity.

6 IKE Transform Sets
[Figure: Router A and Router B negotiate IKE proposals.]
One peer offers Transform 10 (DES, MD5, pre-share, DH1, lifetime) and Transform 20 (3DES, SHA, pre-share, DH1, lifetime); the other peer's IKE policy set holds Transform 15 (DES, MD5, pre-share, DH1, lifetime).
The peers negotiate matching IKE transform sets to protect the IKE exchange.

7 Diffie-Hellman Key Exchange
[Figure: Terry and Alex each combine the other's public key with their own private key: public key B + private key A gives shared secret key (BA), public key A + private key B gives shared secret key (AB), and Key = Key. The shared key encrypts the message "Pay to Terry Smith $ One Hundred and xx/100 Dollars" into ciphertext (shown as 4ehIDx67NMop9eR U78IOPotVBn45TR) that crosses the Internet and is decrypted by the other side.]

8 Authenticate Peer Identity
[Figure: Remote office - Internet - Corporate office (HR servers); peer authentication between the two sites.]
Peer authentication methods: pre-shared keys, RSA signatures, RSA encrypted nonces.

9 Step 3 - IKE Phase 2
[Figure: Host A - Router A - Router B - Host B.]
Router A and Router B negotiate IPSec security parameters.

10 IPSec Transform Sets
[Figure: Router A and Router B negotiate transform sets. Transform sets shown: set 30 (ESP, 3DES, SHA, tunnel, lifetime), set 55 (ESP, 3DES, SHA, tunnel, lifetime) and set 40 (ESP, DES, MD5, tunnel, lifetime).]
A transform set is a combination of algorithms and protocols that enact a security policy for traffic.

11 Security Association

12 Security Association Lifetime
- Data-based
- Time-based

13 Step 4 - IPSec Session
[Figure: Host A - Router A - Router B - Host B; IPSec session between Router A and Router B.]
SAs are exchanged between peers. The negotiated security services are applied to the traffic.

14 Step 5 - Tunnel Termination
[Figure: Host A - Router A - Router B - Host B; IPSec tunnel between Router A and Router B.]
A tunnel is terminated by an SA lifetime timeout or if the packet counter is exceeded. Termination removes the IPSec SA.

15 Site-to-Site VPN using Pre-shared Keys

16 Tasks to Configure IPSec Encryption
Task 1 - Prepare for IKE and IPSec.
Task 2 - Configure IKE.
Task 3 - Configure IPSec.
Task 4 - Test and Verify IPSec.

17 Task 1 - Prepare for IKE and IPSec
Step 1 Determine IKE (IKE phase one) policy.
Step 2 Determine IPSec (IKE phase two) policy.
Step 3 Check the current configuration.
    show running-configuration
    show crypto isakmp policy
    show crypto map
Step 4 Ensure the network works without encryption.
    ping
Step 5 Ensure access lists are compatible with IPSec.
    show access-lists

18 Step 1 - Determine IKE (IKE Phase One) Policy
Determine the following policy details:
- Key distribution method
- Authentication method
- IPSec peer IP addresses and hostnames
- IKE phase 1 policies for all peers: encryption algorithm, hash algorithm, IKE SA lifetime
Goal: Minimize misconfiguration.

19 Step 2 - Determine IPSec (IKE Phase Two) Policy
Determine the following policy details:
- IPSec algorithms and parameters for optimal security and performance
- Transforms and, if necessary, transform sets
- IPSec peer details
- IP address and applications of hosts to be protected
- Manual or IKE-initiated SAs
Goal: Minimize misconfiguration.

20 Step 3 - Check Current Configuration
[Figure: Site 1 (RouterA, network A) - Internet - Site 2 (RouterB, network B).]
router# show running-config
    View router configuration for existing IPSec policies.
router# show crypto isakmp policy
    View default and any configured IKE phase one policies.

    RouterA# show crypto isakmp policy
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman Group:   #1 (768 bit)
            lifetime:               seconds, no volume limit

21 Step 4 - Ensure the Network Works
[Figure: RouterA reaching its possible IPSec peers across the Internet: Cisco RouterB, a remote user with the Cisco Unified VPN client, a Cisco PIX Firewall, a Cisco router, other vendors' IPSec peers, and a CA server.]
RouterA# ping

22 Step 5 - Ensure Access Lists are Compatible with IPSec
[Figure: IKE, AH and ESP traffic between RouterA at Site 1 and RouterB at Site 2 across the Internet.]
    RouterA# show access-lists
    access-list 102 permit ahp host host
    access-list 102 permit esp host host
    access-list 102 permit udp host host eq isakmp
Ensure protocols 50 and 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.

23 Task 2 - Configure IKE
Step 1 Enable or disable IKE.
    crypto isakmp enable
Step 2 Create IKE policies.
    crypto isakmp policy
Step 3 Configure pre-shared keys.
    crypto isakmp key
Step 4 Verify the IKE configuration.
    show crypto isakmp policy

24 Step 1 - Enable or Disable IKE
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
router(config)# [no] crypto isakmp enable
    RouterA(config)# no crypto isakmp enable
    RouterA(config)# crypto isakmp enable
Globally enables or disables IKE at your router. IKE is enabled by default. IKE is enabled globally for all interfaces at the router. Use the no form of the command to disable IKE. An ACL can be used to block IKE on a particular interface.

25 Step 2 - Create IKE Policies
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
router(config)# crypto isakmp policy priority
Defines an IKE policy, which is a set of parameters used during IKE negotiation. Invokes the config-isakmp command mode.
    RouterA(config)# crypto isakmp policy 110

26 Create IKE Policies with the crypto isakmp Command
[Figure: Policy 110 (DES, MD5, Pre-Share) protects the tunnel between RouterA at Site 1 and RouterB at Site 2.]
router(config)# crypto isakmp policy priority
    RouterA(config)# crypto isakmp policy 110
    RouterA(config-isakmp)# authentication pre-share
    RouterA(config-isakmp)# encryption des
    RouterA(config-isakmp)# group 1
    RouterA(config-isakmp)# hash md5
    RouterA(config-isakmp)# lifetime

27 Step 3 - Configure Pre-Shared Keys
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB), sharing one pre-shared key.]
router(config)# crypto isakmp key keystring address peer-address
router(config)# crypto isakmp key keystring hostname hostname
    RouterA(config)# crypto isakmp key cisco1234 address
Assigns a keystring and the peer address. The peer's IP address or host name can be used.

28 Step 4 - Verify the IKE Configuration
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
    RouterA# show crypto isakmp policy
    Protection suite of priority 110
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               seconds, no volume limit
Displays configured and default IKE policies.

29 Task 3 - Configure IPSec
Step 1 Configure transform set suites.
    crypto ipsec transform-set
Step 2 Configure global IPSec SA lifetimes.
    crypto ipsec security-association lifetime
Step 3 Create crypto access lists.
    access-list
Step 4 Create crypto maps.
    crypto map
Step 5 Apply crypto maps to interfaces.
    interface serial0
    crypto map

30 Step 1 - Configure Transform Set Suites
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB); transform set "mine" (esp-des, tunnel mode).]
router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
router(cfg-crypto-trans)#
    RouterA(config)# crypto ipsec transform-set mine esp-des
A transform set is a combination of IPSec transforms that enact a security policy for traffic. Sets are limited to up to one AH and up to two ESP transforms.

31 Step 2 - Configure Global IPSec Security Association Lifetimes
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
router(config)# crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
    RouterA(config)# crypto ipsec security-association lifetime
Configures global IPSec SA lifetime values used when negotiating IPSec security associations. IPSec SA lifetimes are negotiated during IKE phase two. Interface-specific IPSec SA lifetimes can optionally be configured in crypto maps; IPSec SA lifetimes in crypto maps override global IPSec SA lifetimes.

32 Step 3 - Create Crypto ACLs
[Figure: Site 1 (RouterA, network A) - Internet - Site 2 (RouterB, network B); traffic from A to B is encrypted.]
router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
    RouterA(config)# access-list 110 permit tcp
Define which IP traffic will be protected by crypto. Permit = encrypt / Deny = do not encrypt.

33 Purpose of Crypto Access Lists
[Figure: RouterA (network A) facing the Internet. Outbound traffic: a permit match is encrypted, a deny match bypasses in clear text. Inbound traffic: a permit match that arrives in clear text is discarded, a deny match bypasses.]
Outbound: indicate the data flow to be protected by IPSec.
Inbound: filter out and discard traffic that should have been protected by IPSec.

34 Configure Symmetrical Peer Crypto Access Lists
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
You must configure mirror image ACLs.
    RouterA(config)# access-list 110 permit tcp
    RouterB(config)# access-list 101 permit tcp

35 Step 4 - Create Crypto Maps
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
    RouterA(config)# crypto map mymap 110 ipsec-isakmp
Use a different sequence number for each peer. Multiple peers can be specified in a single crypto map for redundancy. One crypto map per interface.

36 Purpose of Crypto Maps
Crypto maps pull together the various parts configured for IPSec, including:
- Which traffic should be protected by IPSec.
- The granularity of the traffic to be protected by a set of SAs.
- Where IPSec-protected traffic should be sent.
- The local address to be used for the IPSec traffic.
- What IPSec type should be applied to this traffic.
- Whether SAs are established manually or via IKE.
- Other parameters needed to define an IPSec SA.

37 Crypto Map Parameters
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB); the crypto map is bound to a router interface and governs the encrypted traffic.]
Crypto maps define the following:
- The access list to be used.
- Remote VPN peers.
- Transform set to be used.
- Key management method.
- Security association lifetimes.

38 Step 5 - Apply Crypto Maps to Interfaces
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB); crypto map "mymap" is applied to RouterA's outside interface.]
router(config-if)# crypto map map-name
    RouterA(config)# interface ethernet0/1
    RouterA(config-if)# crypto map mymap
Apply the crypto map to the outgoing interface. This activates the IPSec policy.

39 IPSec Configuration Examples
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
    RouterA# show running-config
    crypto ipsec transform-set mine esp-des
    !
    crypto map mymap 10 ipsec-isakmp
     set peer
     set transform-set mine
     match address 110
    !
    interface Ethernet 0/1
     ip address
     no ip directed-broadcast
     crypto map mymap
    !
    access-list 110 permit tcp

    RouterB# show running-config
    crypto ipsec transform-set mine esp-des
    !
    crypto map mymap 10 ipsec-isakmp
     set peer
     set transform-set mine
     match address 101
    !
    interface Ethernet 0/1
     ip address
     no ip directed-broadcast
     crypto map mymap
    !
    access-list 101 permit tcp
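The two configurations above only work as a pair: the crypto map must reference a transform set and ACL that exist, must be applied to the outgoing interface (Task 3, Steps 1 to 5), the IKE policies must agree (slide 6), and the crypto ACLs must be mirror images (slide 34). The Python script below is an added example, not part of the lecture slides or of Cisco IOS; it parses two constructed running-config excerpts (placeholder addresses, ISAKMP priority 10) and reports those mismatches.

```python
# Constructed configs modelled on the slides' RouterA/RouterB example; all addresses are placeholders.
ROUTER_A = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
!
crypto ipsec transform-set mine esp-des
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set mine
 match address 110
!
interface Ethernet0/1
 ip address 172.30.1.2 255.255.255.0
 crypto map mymap
!
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
"""
# RouterB is RouterA with the endpoint addresses swapped and ACL 101 as the mirror image.
ROUTER_B = (ROUTER_A.replace("172.30.2.2", "X").replace("172.30.1.2", "172.30.2.2")
            .replace("X", "172.30.1.2").replace("110", "101")
            .replace("tcp 10.0.1.0 0.0.0.255 10.0.2.0", "tcp 10.0.2.0 0.0.0.255 10.0.1.0"))

def parse_config(text):
    """Pull the IPsec-relevant parts of a running-config into a dict."""
    cfg = {"isakmp": {}, "transform_sets": {}, "crypto_maps": {}, "acls": {}, "applied": {}}
    section = None  # (kind, key) of the sub-mode that indented lines belong to
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "!":
            section = None
        elif line[0] != " ":  # global command, possibly opening a sub-mode
            section = None
            if parts[:3] == ["crypto", "isakmp", "policy"]:
                section = ("isakmp", parts[3])
                cfg["isakmp"][parts[3]] = {}
            elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"][parts[3]] = parts[4:]
            elif parts[:2] == ["crypto", "map"] and len(parts) >= 5:
                section = ("map", (parts[2], parts[3]))
                cfg["crypto_maps"][section[1]] = {}
            elif parts[0] == "interface":
                section = ("intf", parts[1])
            elif parts[0] == "access-list":
                cfg["acls"].setdefault(parts[1], []).append(parts[2:])
        elif section and section[0] == "isakmp":
            cfg["isakmp"][section[1]][parts[0]] = " ".join(parts[1:])
        elif section and section[0] == "map" and parts[0] in ("set", "match"):
            cfg["crypto_maps"][section[1]][parts[1]] = " ".join(parts[2:])  # e.g. "address" -> "110"
        elif section and section[0] == "intf" and parts[:2] == ["crypto", "map"]:
            cfg["applied"].setdefault(parts[2], []).append(section[1])
    return cfg

def _flows(aces):
    """Normalise ACEs to (action, protocol, (src, wildcard), (dst, wildcard)); 'host X' means wildcard 0.0.0.0."""
    flows = set()
    for ace in aces:
        ends, i = [], 2
        while len(ends) < 2:
            ends.append((ace[i + 1], "0.0.0.0") if ace[i] == "host" else (ace[i], ace[i + 1]))
            i += 2
        flows.add((ace[0], ace[1], ends[0], ends[1]))
    return flows

def mirror_acls(aces_a, aces_b):
    """Slide 34: the two peers' crypto ACLs must be mirror images (source and destination swapped)."""
    return _flows(aces_a) == {(act, proto, dst, src) for act, proto, src, dst in _flows(aces_b)}

IKE_ATTRS = ("encryption", "hash", "authentication", "group")

def ike_policy_match(cfg_a, cfg_b):
    """Slide 6 in miniature: lowest-numbered policy pair agreeing on every attribute, else None
    (IOS defaults for omitted attributes are not filled in here)."""
    for pa, attrs_a in sorted(cfg_a["isakmp"].items(), key=lambda kv: int(kv[0])):
        for pb, attrs_b in sorted(cfg_b["isakmp"].items(), key=lambda kv: int(kv[0])):
            if all(attrs_a.get(k) == attrs_b.get(k) for k in IKE_ATTRS):
                return pa, pb
    return None

def check_pair(text_a, text_b):
    """Return findings for the two configs; an empty list means they are consistent."""
    a, b = parse_config(text_a), parse_config(text_b)
    findings = []
    for label, cfg in (("A", a), ("B", b)):
        for (name, seq), m in cfg["crypto_maps"].items():
            if m.get("transform-set") not in cfg["transform_sets"]:
                findings.append(f"{label}: crypto map {name} {seq} uses an undefined transform set")
            if m.get("address") not in cfg["acls"]:
                findings.append(f"{label}: crypto map {name} {seq} matches a missing ACL")
            if name not in cfg["applied"]:
                findings.append(f"{label}: crypto map {name} is not applied to any interface")
    if ike_policy_match(a, b) is None:
        findings.append("IKE: no ISAKMP policy matches between the peers")
    for ma in a["crypto_maps"].values():
        for mb in b["crypto_maps"].values():
            acl_a, acl_b = a["acls"].get(ma.get("address")), b["acls"].get(mb.get("address"))
            if acl_a and acl_b and not mirror_acls(acl_a, acl_b):
                findings.append(f"crypto ACLs {ma['address']} (A) and {mb['address']} (B) are not mirror images")
    return findings
```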

40 Task 4 - Test and Verify IPSec
Display your configured IKE policies.
    show crypto isakmp policy
Display your configured transform sets.
    show crypto ipsec transform-set
Display the current state of your IPSec SAs.
    show crypto ipsec sa
Display your configured crypto maps.
    show crypto map
Enable debug output for IPSec events.
    debug crypto ipsec
Enable debug output for ISAKMP events.
    debug crypto isakmp

41 The show crypto isakmp policy Command
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
router# show crypto isakmp policy
    RouterA# show crypto isakmp policy
    Protection suite of priority 110
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Rivest-Shamir-Adleman Encryption
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               seconds, no volume limit

42 The show crypto ipsec transform-set Command
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
router# show crypto ipsec transform-set
    RouterA# show crypto ipsec transform-set
    Transform set mine: { esp-des }
       will negotiate = { Tunnel, },
View the currently defined transform sets.

43 The show crypto ipsec sa Command
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
router# show crypto ipsec sa
    RouterA# show crypto ipsec sa
    interface: Ethernet0/1
        Crypto map tag: mymap, local addr
       local  ident (addr/mask/prot/port): ( / /0/0)
       remote ident (addr/mask/prot/port): ( / /0/0)
       current_peer:
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
        #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
        #send errors 0, #recv errors 0
         local crypto endpt.: , remote crypto endpt.:
         path mtu 1500, media mtu 1500
         current outbound spi: 8AE1C9C
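The counters in that output are what a troubleshooter reads first: encaps with no decaps means the tunnel is one-way, an outbound SPI of zero means IKE never completed. The Python below is an added example, not from the slides or from Cisco; it parses a constructed sample that follows slide 43's layout (placeholder addresses, the slide's own packet counts) and returns the interpretation.

```python
import re

# Constructed `show crypto ipsec sa` output following slide 43's layout; the addresses are
# placeholders, the counters are the slide's own (21 packets each way, no errors).
HEALTHY = """\
interface: Ethernet0/1
    Crypto map tag: mymap, local addr 172.30.1.2

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C
"""

# "#pkts encaps: 21" and "#pkts digest 0" both appear in IOS output, so the colon is optional.
COUNTER_RE = re.compile(r"#(pkts (?:encaps|decaps|encrypt|decrypt|digest|verify)|send errors|recv errors):? (\d+)")
FIELD_RES = {
    "interface": r"interface: (\S+)",
    "peer": r"current_peer: (\S+)",
    "spi": r"current outbound spi: (\S+)",
    "local": r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "remote": r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)",
}

def parse_ipsec_sa(text):
    """Extract endpoints and per-SA counters from `show crypto ipsec sa` output."""
    sa = {"counters": {}}
    for m in COUNTER_RE.finditer(text):
        sa["counters"][m.group(1).replace("pkts ", "")] = int(m.group(2))
    for key, pattern in FIELD_RES.items():
        m = re.search(pattern, text)
        sa[key] = m.group(1) if m else None
    return sa

def diagnose(sa):
    """Map the counters to the question a troubleshooter asks next; [] means the SA looks healthy."""
    c = sa["counters"]
    findings = []
    # An SPI of 0 (older output) or 0x0(0) (newer output) means no IPsec SA was ever negotiated.
    if sa["spi"] is None or re.match(r"(0x)?0+(\(0\))?$", sa["spi"]):
        findings.append(("NO_SA", "no outbound SA: IKE phase 1/2 did not complete; compare ISAKMP policies and the pre-shared key"))
        return findings
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        findings.append(("NO_TRAFFIC", "SA is up but nothing has matched the crypto ACL yet"))
    elif decaps == 0:
        findings.append(("NO_RETURN", "packets are encrypted and sent but none come back: check the peer's mirror-image ACL and its route to the local subnet"))
    elif encaps == 0:
        findings.append(("NO_FORWARD", "peer traffic arrives but none is sent: check the local crypto ACL and the crypto map on the outgoing interface"))
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append(("ERRORS", f"{c.get('send errors', 0)} send / {c.get('recv errors', 0)} receive errors"))
    return findings
```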

44 The show crypto map Command
[Figure: Site 1 (RouterA) - Internet - Site 2 (RouterB).]
router# show crypto map
View the currently configured crypto maps.
    RouterA# show crypto map
    Crypto Map "mymap" 10 ipsec-isakmp
            Peer =
            Extended IP access list 102
                access-list 102 permit ip host host
            Current peer:
            Security association lifetime: kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={ mine, }

45 debug crypto Commands
router# debug crypto ipsec
    Displays debug messages about all IPSec actions.
router# debug crypto isakmp
    Displays debug messages about all ISAKMP actions.

46 Crypto System Error Messages for ISAKMP
%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
    ISAKMP SA with the remote peer was not authenticated.
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
    ISAKMP peers failed protection suite negotiation for ISAKMP.

47 Cisco Easy VPN
The Cisco Easy VPN Remote feature and the Cisco Easy VPN Server feature offer flexibility, scalability, and ease of use for site-to-site and remote-access VPNs. It eliminates tedious work by implementing the Cisco Unity Client protocol to allow administrators to define most VPN parameters at a Cisco IOS Easy VPN Server. The Cisco Easy VPN Remote feature allows Cisco routers running Cisco IOS Release 12.2(4)YA (or later releases), Cisco PIX firewalls, and Cisco hardware clients to act as remote VPN clients. A Cisco IOS Easy VPN Server can be a dedicated VPN device, such as a Cisco VPN 3000 Concentrator, a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol.

48 Cisco Easy VPN
Cisco Easy VPN simplifies deployment. When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPSec policies to the Cisco Easy VPN Remote client and creates the corresponding VPN tunnel connection. Cisco Easy VPN Remote provides for automatic management of:
- The negotiation of tunnel parameters, such as addresses, algorithms, and lifetime
- Establishment of tunnels according to the parameters that are set
- Network Address Translation (NAT) or Port Address Translation (PAT) and associated access control lists (ACLs) creation as needed
- Authentication of users (that is, ensuring that users are who they say they are) by usernames, group names, and passwords
- Security keys for encryption and decryption
- Authenticating, encrypting, and decrypting data through the tunnel

49 Easy VPN Components
Cisco Easy VPN Server: enables Cisco IOS routers, Cisco PIX Firewalls, Cisco VPN Concentrators and Cisco ASA to act as VPN head-end devices in site-to-site or remote-access VPNs, in which the remote office devices are using the Cisco Easy VPN Remote feature.
Cisco Easy VPN Remote: enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remote VPN clients.

50 Easy VPN Components
Cisco Easy VPN Server enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs where the remote office devices use the Cisco Easy VPN Remote feature. Using this feature, the Cisco Easy VPN Server pushes security policies that are defined at the head-end to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is established. In addition, a Cisco Easy VPN Server-enabled device can terminate IPSec tunnels that are initiated by mobile remote workers running VPN Client software on PCs. This flexibility makes it possible for mobile and remote workers, such as sales staff on the road or telecommuters, to access their headquarters intranet where critical data and applications exist.

51 Easy VPN Components
Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Software Clients to act as remote VPN clients. These devices can receive security policies from a Cisco Easy VPN Server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support or for large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration with Cisco Easy VPN Remote as easy as entering a password, which increases productivity and lowers costs by minimizing the need for local IT support.

52 Deployment Models
Small or Medium Business Deployment: A small or medium business (SMB) using a Cisco Easy VPN Server-enabled Cisco router at the main site can securely connect small branch offices, teleworkers, and mobile workers. The head-end router must have security policies configured, which determine the VPN parameters, such as encryption algorithms and authentication algorithms, to use to communicate with remote devices.
Large Enterprise Deployment: A large enterprise can connect branch offices, remote offices, and teleworkers to the enterprise network using a Cisco Easy VPN Server-enabled Cisco router. The head-end router must be similarly configured as above.

53 Small or Medium Business Deployment

54 Large Enterprise Deployment

55 Limitations
DH Group: The Cisco Unity Client protocol supports only ISAKMP policies that use DH Group 2 (1024-bit) IKE negotiation. Therefore, the Cisco Easy VPN Server being used with the Cisco Easy VPN Remote feature must be configured for a Group 2 ISAKMP policy. The Easy VPN Server cannot be configured for ISAKMP Group 1 or Group 5 when the server is being used with a Cisco Easy VPN client.
Transform Sets Supported: To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (esp-des and esp-3des) or transform sets that provide authentication without encryption (esp-null esp-sha-hmac and esp-null esp-md5-hmac).
Dial Backup for Easy VPN Remotes: Line status-based backup is not supported in this feature.
NAT Interoperability Support: NAT interoperability is not supported in client mode with split tunneling.
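The DH group and transform-set limitations above can be checked before an Easy VPN Server policy is pushed to remotes. The following Python is an added example, not from the slides or from Cisco; how it classifies transform names (esp-null as no encryption, any token ending in -hmac as authentication, which also takes in AH transforms the slide does not mention) is this script's own assumption.

```python
def classify_transforms(transform_set):
    """Split a transform set's tokens into encryption and authentication transforms.

    Assumption of this script: esp-* tokens encrypt except esp-null; *-hmac tokens
    authenticate (esp-*-hmac and, as an extension beyond the slide, ah-*-hmac);
    other tokens such as an AES key size ("256") are ignored.
    """
    tokens = transform_set.split()
    encryption = {t for t in tokens
                  if t.startswith("esp-") and not t.endswith("-hmac") and t != "esp-null"}
    authentication = {t for t in tokens if t.endswith("-hmac")}
    return encryption, authentication

def easy_vpn_lint(dh_group, transform_set):
    """Return the reasons a Cisco Easy VPN Remote would not accept this server policy; [] if none."""
    problems = []
    if str(dh_group) != "2":
        problems.append(f"ISAKMP policy uses DH group {dh_group}; the Cisco Unity Client "
                        f"protocol supports only group 2 (1024-bit)")
    encryption, authentication = classify_transforms(transform_set)
    if encryption and not authentication:
        problems.append(f"transform set '{transform_set}' encrypts without authenticating")
    elif authentication and not encryption:
        problems.append(f"transform set '{transform_set}' authenticates without encrypting")
    elif not encryption and not authentication:
        problems.append(f"transform set '{transform_set}' contains no recognised ESP transform")
    return problems
```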

56 Easy VPN Server and Easy VPN Remote Operation
Step 1 The VPN client initiates the IKE Phase 1 process.
Step 2 The VPN client establishes an ISAKMP SA.
Step 3 The Easy VPN Server accepts the SA proposal.
Step 4 The Easy VPN Server initiates a username and password challenge.
Step 5 The mode configuration process is initiated.
Step 6 The RRI process is initiated.
Step 7 IPSec quick mode completes the connection.

57 Step 1: The VPN Client Initiates the IKE Phase 1 Process
Using pre-shared keys? Initiate aggressive mode.
Using digital certificates? Initiate main mode.

58 Step 2: The VPN Client Establishes an ISAKMP SA
The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server. To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:
- Encryption and hash algorithms
- Authentication methods
- Diffie-Hellman group sizes

59 Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches for a match:
- The first proposal to match the server list is accepted (highest-priority match).
- The most secure proposals are always listed at the top of the Easy VPN Server proposal list (highest priority).
The ISAKMP SA is successfully established. Device authentication ends and user authentication begins.

60 Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge
If the Easy VPN Server is configured for Xauth, the VPN client waits for a username and password challenge:
- The user enters a username and password combination.
- The username and password information is checked against authentication entities using AAA.
All Easy VPN Servers should be configured to enforce user authentication.

61 Step 5: The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:
- Mode configuration starts.
- The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.

62 Step 6: The RRI Process Is Initiated
RRI should be used when the following conditions occur:
- More than one VPN server is used
- Per-client static IP addresses are used with some clients (instead of using per-VPN-server IP pools)
RRI ensures the creation of static routes. Redistributing static routes into an IGP allows the server site routers to find the appropriate Easy VPN Server to use for return traffic to clients.

63 Step 7: IPSec Quick Mode Completes the Connection
After the configuration parameters have been successfully received by the VPN client, IPSec quick mode is initiated to negotiate IPSec SA establishment. After IPSec SA establishment, the VPN connection is complete.

64 Cisco VPN Client
The Cisco VPN Client is simple to deploy and operate. It allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers. The thin-design IPSec implementation is compatible with all Cisco VPN products.

65 Cisco VPN Client
When the Cisco VPN Client is preconfigured for mass deployments, initial logins require little user intervention. Cisco VPN Client supports the innovative Cisco Easy VPN capabilities, delivering a uniquely scalable, cost-effective, and easy-to-manage remote access VPN architecture that eliminates the operational costs associated with maintaining a consistent policy and key management method. The Cisco Easy VPN feature allows the Cisco VPN Client to receive security policies on a VPN tunnel connection from the central site VPN device (Cisco Easy VPN Server), minimizing configuration requirements at the remote location. This simple and highly scalable solution is ideal for large remote access deployments where it is impractical to configure policies individually for multiple remote PCs.

66 Cisco VPN Client Configuration Tasks
1. Install Cisco VPN Client
2. Create a new client connection entry
3. Configure the client authentication properties
4. Configure transparent tunneling
5. Enable and add backup servers
6. Configure a connection to the Internet through dialup networking


Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec Document ID: 14122 Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot

More information

VPN Ports and LAN-to-LAN Tunnels

VPN Ports and LAN-to-LAN Tunnels CHAPTER 6 A VPN port is a virtual port which handles tunneled traffic. Tunnels are virtual point-to-point connections through a public network such as the Internet. All packets sent through a VPN tunnel

More information

ASA/PIX: Remote VPN Server with Inbound NAT for VPN Client Traffic with CLI and ASDM Configuration Example

ASA/PIX: Remote VPN Server with Inbound NAT for VPN Client Traffic with CLI and ASDM Configuration Example ASA/PIX: Remote VPN Server with Inbound NAT for VPN Client Traffic with CLI and ASDM Configuration Example Contents Introduction Prerequisites Requirements Components Used Related Products Conventions

More information

LAN-to-LAN IPsec VPNs

LAN-to-LAN IPsec VPNs A LAN-to-LAN VPN connects networks in different geographic locations. You can create LAN-to-LAN IPsec connections with Cisco peers and with third-party peers that comply with all relevant standards. These

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0 Module 1: Intrusion Detection and Prevention Technology 1.1 Overview of Intrusion

More information

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48 I N D E X Numerics A 3DES (Triple Data Encryption Standard), 48 Access Rights screen (VPN 3000 Series Concentrator), administration, 316 322 Action options, applying to filter rules, 273 adding filter

More information

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP About Tunneling, IPsec, and ISAKMP, page 1 Licensing for IPsec VPNs, page 3 Guidelines for IPsec VPNs, page 5 Configure ISAKMP, page 5 Configure IPsec, page 17 Managing IPsec VPNs, page 36 About Tunneling,

More information

Configuring IOS to IOS IPSec Using AES Encryption

Configuring IOS to IOS IPSec Using AES Encryption Configuring IOS to IOS IPSec Using AES Encryption Document ID: 43069 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Configurations Verify Troubleshoot Troubleshooting

More information

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels This article provides a reference for deploying a Barracuda Link Balancer under the following conditions: 1. 2. In transparent (firewall-disabled)

More information

Sharing IPsec with Tunnel Protection

Sharing IPsec with Tunnel Protection The feature allows sharing an IPsec security association database (SADB) between two or more generic routing encapsulation (GRE) tunnel interfaces when tunnel protection is used. Shared tunnel interfaces

More information

Configuring Security for VPNs with IPsec

Configuring Security for VPNs with IPsec This module describes how to configure basic IPsec VPNs. IPsec is a framework of open standards developed by the IETF. It provides security for the transmission of sensitive information over unprotected

More information

Dynamic Site to Site IKEv2 VPN Tunnel Between Two ASAs Configuration Example

Dynamic Site to Site IKEv2 VPN Tunnel Between Two ASAs Configuration Example Dynamic Site to Site IKEv2 VPN Tunnel Between Two ASAs Configuration Example Contents Introduction Prerequisites Requirements Components Used Background Information Network Diagram Configure Solution 1

More information

Lab 9: VPNs IPSec Remote Access VPN

Lab 9: VPNs IPSec Remote Access VPN Lab 9: VPNs IPSec Remote Access VPN Rich Macfarlane 2015 Aim: Details The aim of this lab is to introduce Virtual Private Network (VPN) concepts, using an IPSec remote access VPN between a remote users

More information

Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code

Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code Contents Introduction Prerequisites Requirements Components Used Conventions Why Migrate to IKEv2? Migration Overview Migration

More information

Securing Networks with Cisco Routers and Switches

Securing Networks with Cisco Routers and Switches SNRS Securing Networks with Cisco Routers and Switches Volume 2 Version 2.0 Student Guide Editorial, Production, and Web Services: 02.06.07 DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO

More information

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. AudioCodes Family of Multi-Service Business Routers (MSBR)

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. AudioCodes Family of Multi-Service Business Routers (MSBR) Configuration Guide AudioCodes Family of Multi-Service Business Routers (MSBR) Mediant MSBR Security Setup Version 6.8 Version 6.8 May 2014 Document # LTRT-31640 Configuration Guide Contents Table of

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Configuring VPN backup for Avaya S8700 Media Servers and Avaya G600 Media Gateways Controlling Avaya G350 Media Gateways, using the Avaya Security Gateway and

More information

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN This chapter describes how to configure /IKEv1 on the ASA. About /IKEv1 VPN, on page 1 Licensing Requirements for, on page 3 Prerequisites for Configuring, on page 4 Guidelines and Limitations, on page

More information

Virtual Tunnel Interface

Virtual Tunnel Interface This chapter describes how to configure a VTI tunnel. About s, on page 1 Guidelines for s, on page 1 Create a VTI Tunnel, on page 2 About s The ASA supports a logical interface called (VTI). As an alternative

More information

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP About Tunneling, IPsec, and ISAKMP, page 1 Licensing for IPsec VPNs, page 4 Guidelines for IPsec VPNs, page 5 Configure ISAKMP, page 5 Configure IPsec, page 15 Managing IPsec VPNs, page 34 Supporting the

More information

Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA

Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Configure Via the ASDM VPN Wizard Configure

More information

Security for VPNs with IPsec Configuration Guide Cisco IOS Release 12.4T

Security for VPNs with IPsec Configuration Guide Cisco IOS Release 12.4T Security for VPNs with IPsec Configuration Guide Cisco IOS Release 12.4T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

More information

VPNs and VPN Technologies

VPNs and VPN Technologies C H A P T E R 1 VPNs and VPN Technologies This chapter defines virtual private networks (VPNs) and explores fundamental Internet Protocol Security (IPSec) technologies. This chapter covers the following

More information

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router Objective Internet Protocol Security (IPSec) is used to protect communications through the encryption of IP packets during a communication

More information

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI Topology Addressing Table R1 R2 R3 Device Interface IP Address Subnet Mask Default Gateway Switch Port G0/0 192.168.1.1 255.255.255.0

More information

Internet Key Exchange

Internet Key Exchange CHAPTER16 The help topics in this section describe the (IKE) configuration screens. (IKE) What Do You Want to Do? (IKE) is a standard method for arranging for secure, authenticated communications. IKE

More information

Virtual Private Network

Virtual Private Network VPN and IPsec Virtual Private Network Creates a secure tunnel over a public network Client to firewall Router to router Firewall to firewall Uses the Internet as the public backbone to access a secure

More information

SYSLOG Enhancements for Cisco IOS EasyVPN Server

SYSLOG Enhancements for Cisco IOS EasyVPN Server SYSLOG Enhancements for Cisco IOS EasyVPN Server In some situations the complexity or cost of the authentication, authorization, and accounting (AAA) server prohibits its use, but one of its key function

More information

Index. Numerics 3DES (triple data encryption standard), 21

Index. Numerics 3DES (triple data encryption standard), 21 Index Numerics 3DES (triple data encryption standard), 21 A B aggressive mode negotiation, 89 90 AH (Authentication Headers), 6, 57 58 alternatives to IPsec VPN HA, stateful, 257 260 stateless, 242 HSRP,

More information

ASA-to-ASA Dynamic-to-Static IKEv1/IPsec Configuration Example

ASA-to-ASA Dynamic-to-Static IKEv1/IPsec Configuration Example ASA-to-ASA Dynamic-to-Static IKEv1/IPsec Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ASDM Configuration Central-ASA (Static Peer) Remote-ASA

More information

VPN Overview. VPN Types

VPN Overview. VPN Types VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat

More information

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT Avaya CAD-SV Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0 Issue 1.0 30th October 2009 ABSTRACT These Application Notes describe the steps to configure the Cisco VPN 3000 Concentrator

More information

Virtual Private Networks

Virtual Private Networks EN-2000 Reference Manual Document 8 Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission security,

More information

Configuration Summary

Configuration Summary POWER ACT NETWORK PIX Firewall SERIES How to configure dynamic IPSec tunneling Configuration Summary This document describes configuring an NSE initiated IPSec tunnel from behind a NAT device to a VPN

More information

Configuring Remote Access IPSec VPNs

Configuring Remote Access IPSec VPNs CHAPTER 32 Remote access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet. This chapter describes how to build a remote access VPN

More information

Configuring Internet Key Exchange (IKE) Features Using the IPSec VPN SPA

Configuring Internet Key Exchange (IKE) Features Using the IPSec VPN SPA 27 CHAPTER Configuring Internet Key Exchange (IKE) Features Using the IPSec VPN SPA This chapter provides information about configuring Internet Key Exchange (IKE) related features using the IPSec VPN

More information

Site-to-Site VPN. VPN Basics

Site-to-Site VPN. VPN Basics A virtual private network (VPN) is a network connection that establishes a secure tunnel between remote peers using a public source, such as the Internet or other network. VPNs use tunnels to encapsulate

More information

IKEv2 with Windows 7 IKEv2 Agile VPN Client and Certificate Authentication on FlexVPN

IKEv2 with Windows 7 IKEv2 Agile VPN Client and Certificate Authentication on FlexVPN IKEv2 with Windows 7 IKEv2 Agile VPN Client and Certificate Authentication on FlexVPN Document ID: 115907 Contributed by Praveena Shanubhogue and Atri Basu, Cisco TAC Engineers. May 20, 2013 Contents Introduction

More information

AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example

AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example Document ID: 115014 Contributed by Marcin Latosiewicz and Atri Basu, Cisco TAC Engineers. Jan 18, 2013 Contents Introduction

More information

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide SonicWALL 6.2.0.0 Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide Contents SonicWALL Addendum 6.2.0.0... 3 New Network Features... 3 NAT with L2TP Client... 3 New Tools

More information

IKE and Load Balancing

IKE and Load Balancing Configure IKE, page 1 Configure IPsec, page 9 Load Balancing, page 22 Configure IKE IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec security association.

More information

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example Document ID: 63098 Contents Introduction Prerequisites Requirements Components Used Conventions

More information

Hillstone IPSec VPN Solution

Hillstone IPSec VPN Solution 1. Introduction With the explosion of Internet, more and more companies move their network infrastructure from private lease line to internet. Internet provides a significant cost advantage over private

More information

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows Objective A Virtual Private Network (VPN) is a method for remote users to virtually connect to a private network

More information

L2TP IPsec Support for NAT and PAT Windows Clients

L2TP IPsec Support for NAT and PAT Windows Clients L2TP IPsec Support for NAT and PAT Windows Clients The L2TP IPsec Support for NAT and PAT Windows Clients feature allows mulitple Windows client to connect to an IPsec-enabled Cisco IOS Layer 2 Tunneling

More information

Cisco - VPN Load Balancing on the CSM in Dispatched Mode Configuration Example

Cisco - VPN Load Balancing on the CSM in Dispatched Mode Configuration Example Page 1 of 7 VPN Load Balancing on the CSM in Dispatched Mode Configuration Example Contents Introduction Before You Begin Requirements Components Used Conventions Configurations Tasks Network Diagram CSM

More information

How to Configure the Cisco VPN Client to PIX with AES

How to Configure the Cisco VPN Client to PIX with AES How to Configure the Cisco VPN Client to PIX with AES Document ID: 42761 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configurations Network Diagram

More information

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR)

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR) Configuration Guide AudioCodes Family of Multi-Service Business Routers (MSBR) Mediant MSBR Security Setup Version 7.2 Version 6.8 May 2014 Document # LTRT-31640 Configuration Guide Contents Table of

More information

Configuring Easy VPN Services on the ASA 5505

Configuring Easy VPN Services on the ASA 5505 CHAPTER 67 Configuring Easy VPN Services on the ASA 5505 This chapter describes how to configure the ASA 5505 as an Easy VPN hardware client. This chapter assumes you have configured the switch ports and

More information

1.1 Configuring HQ Router as Remote Access Group VPN Server

1.1 Configuring HQ Router as Remote Access Group VPN Server Notes: 1.1 Configuring HQ Router as Remote Access Group VPN Server Step 1 Enable AAA model for local and remote access authentication. AAA will prompt extended authentication for remote access group VPN

More information

FlexVPN Between a Router and an ASA with Next Generation Encryption Configuration Example

FlexVPN Between a Router and an ASA with Next Generation Encryption Configuration Example FlexVPN Between a Router and an ASA with Next Generation Encryption Configuration Example Document ID: 116008 Contributed by Graham Bartlett, Cisco TAC Engineer. Mar 26, 2013 Contents Introduction Prerequisites

More information

IPSec Site-to-Site VPN (SVTI)

IPSec Site-to-Site VPN (SVTI) 13 CHAPTER Resource Summary for IPSec VPN IKE Crypto Key Ring Resource IKE Keyring Collection Resource IKE Policy Resource IKE Policy Collection Resource IPSec Policy Resource IPSec Policy Collection Resource

More information

Internet Key Exchange Security Protocol Commands

Internet Key Exchange Security Protocol Commands Internet Key Exchange Security Protocol Commands This chapter describes Internet Key Exchange Security Protocol (IKE) commands. The IKE protocol is a key management protocol standard that is used in conjunction

More information

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

More information

Virtual Private Network. Network User Guide. Issue 05 Date

Virtual Private Network. Network User Guide. Issue 05 Date Issue 05 Date 2018-03-30 Contents Contents 1 Overview... 1 1.1 Concepts... 1 1.1.1 VPN... 1 1.1.2 IPsec VPN...1 1.2 Application Scenarios...2 1.3 Billing Standards... 3 1.4 VPN Reference Standards and

More information

Configuring IPsec on Cisco Routers Mario Baldi Politecnico di Torino (Technical University of Torino)

Configuring IPsec on Cisco Routers Mario Baldi Politecnico di Torino (Technical University of Torino) Configuring IPsec on Cisco Routers Mario Baldi Politecnico di Torino (Technical University of Torino) http://staff.polito.it/mario.baldi Nota di Copyright This set of transparencies, hereinafter referred

More information

Cisco ASA 5500 LAB Guide

Cisco ASA 5500 LAB Guide INGRAM MICRO Cisco ASA 5500 LAB Guide Ingram Micro 4/1/2009 The following LAB Guide will provide you with the basic steps involved in performing some fundamental configurations on a Cisco ASA 5500 series

More information

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved.  Worldwide Education Services Junos Security Chapter 8: IPsec VPNs 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter, you will

More information

Configuring a Hub & Spoke VPN in AOS

Configuring a Hub & Spoke VPN in AOS June 2008 Quick Configuration Guide Configuring a Hub & Spoke VPN in AOS Configuring a Hub & Spoke VPN in AOS Introduction The traditional VPN connection is used to connect two private subnets using a

More information

IPsec Anti-Replay Window Expanding and Disabling

IPsec Anti-Replay Window Expanding and Disabling IPsec Anti-Replay Window Expanding and Disabling Cisco IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence

More information

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS Cisco CSR1000V Overview The Cisco Cloud Services Router 1000V (CSR 1000V) sets the standard for enterprise network services and security in the Amazon Web Services (AWS) cloud. The Cisco CSR 1000V is based

More information

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W Objective IPSec VPN (Virtual Private Network) enables you to securely obtain remote resources by establishing an encrypted

More information

SEC _05_2001_c , Cisco Systems, Inc. All rights reserved.

SEC _05_2001_c , Cisco Systems, Inc. All rights reserved. 1 Troubleshooting the Implementation of IPSec VPNs Session 3 Virtual Private Network (VPN) Defined A Virtual Private Network carries private traffic over public network. 4 The Complete VPN Supplier Service

More information

Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site

Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site This module contains information about and instructions for configuring basic and advanced Internet Key Exchange Version 2 (IKEv2)and

More information

Virtual Tunnel Interface

Virtual Tunnel Interface This chapter describes how to configure a VTI tunnel. About s, on page 1 Guidelines for s, on page 1 Create a VTI Tunnel, on page 2 About s The ASA supports a logical interface called (VTI). As an alternative

More information

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both

More information

ASA/PIX 8.x: Radius Authorization (ACS 4.x) for VPN Access using Downloadable ACL with CLI and ASDM Configuration Example

ASA/PIX 8.x: Radius Authorization (ACS 4.x) for VPN Access using Downloadable ACL with CLI and ASDM Configuration Example ASA/PIX 8.x: Radius Authorization (ACS 4.x) for VPN Access using Downloadable ACL with CLI and ASDM Configuration Example Contents Introduction Prerequisites Requirements Components Used Related Products

More information

VPN Connection through Zone based Firewall Router Configuration Example

VPN Connection through Zone based Firewall Router Configuration Example VPN Connection through Zone based Firewall Router Configuration Example Document ID: 112051 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configure

More information

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

More information

Lab Configure a Router with the IOS Intrusion Prevention System

Lab Configure a Router with the IOS Intrusion Prevention System Lab 2.1.6 Configure a Router with the IOS Intrusion Prevention System Objective Scenario Topology In this lab, the students will complete the following tasks: Initialize the Intrusion Protection System

More information

Configuring the VSA. Overview. Configuration Tasks CHAPTER

Configuring the VSA. Overview. Configuration Tasks CHAPTER CHAPTER 4 This chapter contains the infmation and procedures needed to configure the C7200-VSA (VPN Services Adapter). This chapter contains the following sections: Overview, page 4-1 Configuration Tasks,

More information