Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

Similar documents
VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

Virtual Private Network

VPN, IPsec and TLS. stole slides from Merike Kaeo 2015/08/09 1

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

IPSec. Overview. Overview. Levente Buttyán

CSCE 715: Network Systems Security

Virtual Private Networks

securing a host Matsuzaki maz Yoshinobu

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Network Security: IPsec. Tuomas Aura

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

IP Security IK2218/EP2120

IP Security. Have a range of application specific security mechanisms

The IPsec protocols. Overview

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Configuring Security for VPNs with IPsec

The EN-4000 in Virtual Private Networks

Sample excerpt. Virtual Private Networks. Contents

Internet security and privacy

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Transport Level Security

IPSec Network Applications

Chapter 5: Network Layer Security

Firewalls, Tunnels, and Network Intrusion Detection

Table of Contents 1 IKE 1-1

IBM i Version 7.2. Security Virtual Private Networking IBM

Index. Numerics 3DES (triple data encryption standard), 21

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Network Security IN2101

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Network Security (NetSec) IN2101 WS 16/17

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 13 Page 1. Lecture 13 Page 3

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Lecture 12 Page 1. Lecture 12 Page 3

Cisco Live /11/2016

IPSec Site-to-Site VPN (SVTI)

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

COSC4377. Chapter 8 roadmap

Virtual Private Networks

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

IKE and Load Balancing

NCP Secure Enterprise macos Client Release Notes

8. Network Layer Contents

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

The IPSec Security Architecture for the Internet Protocol

Crypto Templates. Crypto Template Parameters

Data Sheet. NCP Secure Entry Mac Client. Next Generation Network Access Technology

Virtual Private Networks (VPN)

Network Infrastructure Security

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

NCP Secure Entry macos Client Release Notes

Cryptography and Network Security

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Some optimizations can be done because of this selection of supported features. Those optimizations are specifically pointed out below.

IPSec Transform Set Configuration Mode Commands

CSE509: (Intro to) Systems Security

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

Transport Layer Security

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Security for VPNs with IPsec Configuration Guide Cisco IOS Release 12.4T

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

Introduction to IPsec. Charlie Kaufman

Chapter 6/8. IP Security

Configuring L2TP over IPsec

AIT 682: Network and Systems Security

Lecture 9: Network Level Security IPSec

CSCE 715: Network Systems Security

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

IPv6 Deployments. Is Security An Afterthought (again)? Merike Kaeo

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

CSE543 Computer and Network Security Module: Network Security

4 Network Access Control 4.1 IPsec Network Security Encapsulated security payload (ESP) 4.2 Internet Key Exchange (IKE)

CSC 6575: Internet Security Fall 2017

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

COMPUTER SECURITY. Computer Security Secure Communication Channels (2)

IPSec Transform Set Configuration Mode Commands

Data Sheet. NCP Exclusive Remote Access Mac Client. Next Generation Network Access Technology

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

BCRAN. Section 9. Cable and DSL Technologies

Configuration of an IPSec VPN Server on RV130 and RV130W

VPN Overview. VPN Types

Transcription:

Secure channel, VPN and IPsec <maz@iij.ad.jp> stole some slides from Merike Kaeo <merike@doubleshotsecurity.com> 1

HTTP and Secure Channel HTTP HTTP TLS TCP TCP IP IP 2

SSL and TLS SSL/TLS SSL v3.0 specified in an I-D in 1996 (draft-freier-sslversion3-02.txt) and now in RFC6101 TLS v1.0 specified in RFC2246 TLS v1.0 = SSL v3.1 SSL v3.0 TLS v1.1 specified in RFC4346 TLS v1.2 specified in RFC5246 Goals of protocol Secure communication between applications Data encryption Server authentication Message integrity Client authentication (optional) 3

SSL is not secure any more SSL2.0 and SSL3.0 have known vulnerabilities in protocol specifications downgrade attack POODLE attack RFC6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0 RFC7568 - Deprecating Secure Sockets Layer Version 3.0 Use TLS instead 4

TLS Properties Connection is private Encryption is used after an initial handshake to define a secret key. Symmetric cryptography used for data encryption Peer s identity can be authenticated Asymmetric cryptography is used (RSA or ECDSA) Connection is reliable Message transport includes a message integrity check using a keyed MAC. Secure hash functions (such as SHA384, SHA256) are used for MAC computations. 5

The TLS Handshake Process TLS Client TLS Server Internet 1 Client initiates TLS connection / sends supported cipher suites Server returns digital certificate to client and selected cipher suite 2 3 Client sends shared secret encrypted with server s public key 4 5 6 Message encryption and integrity algorithms are negotiated Session keys are generated Secure session tunnel is established 6

TLS Client Authentication - Client authentication (certificate based) is optional and not often used - Many application protocols incorporate their own client authentication mechanism such as username/password or S/Key - These authentication mechanisms are more secure when run over TLS 7

TLS IANA Assigned Port #s Protocol Defined Port Number HTTP 80 443 NNTP 119 563 POP 110 995 FTP-Data 20 989 FTP-Control 21 990 Telnet 23 992 TLS Port Number 8

TLS policy example Server Key RSA 2048bit or more ECDSA 256bit or more Protocols enable TLS1.2, TLS1.1, TLS1.0 and disable SSL Ciphers Suites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 1024bit or more key length TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA 2048bit or more key length 9

Certificate Authority Issues a digital certificate which is signed by the CA s private key You can verify the certificate using the corresponding public key if you trust the public key and CA can have hierarchical trust model 10

Trust chain root CA sign intermidiate CA sign sign end entity cert end entity cert 11

https://www.apricot.net 12

trusted CA 13

CA and certificates CA can issue a certificate for any domainname if you trust the CA, the certificate looks legitimate if you have a malicious CA in your trusted keychain, an attacker can monitor/modify your TLS session data Yes, we have cases https://support.lenovo.com/nz/en/product_security/s uperfish https://www.dell.com/support/article/us/en/19/sln3 00321 14

Check your trusted CA Windows certlm.msc Mac OS X Keychain Access.app Firefox Setting -> Advanced -> Certificates -> View Certificates 15

VPN 16

Virtual Private Network Overlay Network a VPN is built on top of a public network (Internet) Cost effective You don t need to expand your network Rapidly deployable An underlay network just carries IP packets as usual Only your nodes need to agree about VPN Control You can enforce your own policy in the VPN 17

satellite office 18

access to intranet from outside 19

over an untrusted network 20

IPv4 and IPv6 path to get a destination cache DNS 21

VPN and security Any VPN is not automagically secure. You need to add security functionality to create secure VPNs. That means using firewalls for access control and probably IPsec or SSL/TLS for confidentiality and data origin authentication. 22

VPN protocols PPTP IP over PPP over GRE possible password leakage by MS-CHAPv2 weakness OpenVPN IP over TLS over TCP/UDP MS-SSTP IP over PPP over SSTP over HTTPS over TCP L2TP/IPsec IP over PPP over L2TP over UDP over ESP IPsec IP over ESP IP over ESP over UDP (NAT traversal) 23

Layer 2 Tunneling Protocol - Designed in IETF PPP Extensions working group - Combination of Cisco L2F & PPTP features - L2TP RFC 2661, Aug 1999 - Uses UDP port 1701 for control and data packets - Uses PPP for packet encapsulation carries most protocols (also non-ip protocols) - Security Functionality - Control session authentication, keepalives - EAP for a broader authentication mechanisms - IPsec ESP for confidentiality and integrity - IKE for key management 24

L2TP and IPsec Multiple Encapsulations..careful of packet size!! IPsec encrypted IP IPSEC (ESP) UDP L2TP PPP IP TCP UDP Application Data IPSEC (ESP Trailer) Ping with large MTU size.help discover fragmentation issues!! 25

What Is IPSec? Internet IPSec IETF standard that enables encrypted communication between peers: Consists of open standards for securing private communications Network layer encryption ensuring data confidentiality, integrity, and authentication Scales from small to very large networks 26

What Does IPsec Provide? Confidentiality.many algorithms to choose from Data integrity and source authentication Data signed by sender and signature verified by the recipient Modification of data can be detected by signature verification Because signature based on a shared secret, it gives source authentication Anti-replay protection Optional : the sender must provide it but the recipient may ignore Key Management IKE session negotiation and establishment Sessions are rekeyed or deleted automatically Secret keys are securely established and authenticated Remote peer is authenticated through varying options 27

IPsec Components AH (Authentication Header) Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out If both ESP and AH are applied to a packet, AH follows ESP Standard requires HMAC-MD5-96 and HMAC-SHA1-96.older implementations also support keyed MD5 ESP (Encapsulating Security Payload) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication is applied to data in the IPsec header as well as the data contained as payload Standard requires DES 56-bit CBC and Triple DES. Can also use RC5, IDEA, Blowfish, CAST, RC4, NULL IKE (Internet Key Exchange) Automated SA (Security Association) creation and key management 28

Interoperable Defaults For SAs Security Association groups elements of a conversation together ESP encryption algorithm and key(s) Cryptographic synchronization SA lifetime SA source address Mode (transport or tunnel) How Do We Communicate Securely? Do we want integrity protection of data? Do we want to keep data confidential? Which algorithms do we use? What are the key lengths? When do we want to create new keys? Are we providing security end-to-end? 29

IPsec with IKE 1 Traffic which needs to be protected is recognized as requiring IPsec protection IPsec Peer Peers Authenticate using: - Pre-shared key - Digital Certificate 2 IKE Phase 1 Secure communication channel IPsec Peer 3 IKE Phase 2 IPsec Tunnel Secured traffic exchange 4 Secured Communications 30

IPsec IKE Phase 1 Uses DH Exchange First public key algorithm (1976) Diffie Hellman is a key establishment algorithm Two parties in a DF exchange can generate a shared secret There can even be N-party DF changes where N peers can all establish the same secret key Diffie Hellman can be done over an insecure channel IKE authenticates a Diffie-Hellman exchange Pre-shared secret Nonce (RSA signature) Digital signature 31

IKE Phase 1 Main Mode 3 Compute DH shared secret and derive keying material Initiator Responder Internet 1 Negotiate IKE Policy IKE Message 1 (SA proposal) IKE Message 2 (accepted SA) 2 Authenticated DH Exchange IKE Message 3 (DH public value, nonce) IKE Message 4 (DH public value, nonce) 4 Protect IKE Peer Identity IKE Message 5 (Authentication material, ID) IKE Message 6 (Authentication material, ID) (Encrypted) 32

IKE Phase 2 Quick Mode 4 Validate message 2 1 7 Compute keying material Initiator Responder Internet Message 1 (authentication/keying material and SA proposal) 2 Validate message 1 6 Validate message 3 Message 2 (authentication/keying material and accepted SA) 3 5 Message 3 (hash for proof of integrity/authentication) 33

IKE v2: Replacement for Current IKE Specification Feature Preservation Most features and characteristics of baseline IKE v1 protocol are being preserved in v2 Compilation of Features and Extensions Quite a few features that were added on top of the baseline IKE protocol functionality in v1 are being reconciled into the mainline v2 framework Some New Features 34

IKE v2: What Is Not Changing Features in v1 that have been debated but are ultimately being preserved in v2 Most payloads reused Use of nonces to ensure uniqueness of keys v1 extensions and enhancements being merged into mainline v2 specification Use of a configuration payload similar to MODECFG for address assignment X-auth type functionality retained through EAP Use of NAT Discovery and NAT Traversal techniques 35

IKE v2: What Is Changing Significant Changes Being to the Baseline Functionality of IKE EAP adopted as the method to provide legacy authentication integration with IKE Public signature keys and pre-shared keys, the only methods of IKE authentication Use of stateless cookie to avoid certain types of DOS attacks on IKE Continuous phase of negotiation 36

How Does IKE v2 Work? IKE_SA_INIT (Two Messages) IKE_SA Authentication Parameters Negotiated IKE_AUTH (Two Messages) IKE Authentication Occurs and One CHILD_SA Created CREATE_CHILD_SA (Two Messages) Second CHILD_SA Created Protected Data 37

Relevant Standard(s) IETF specific rfc2409: IKEv1 rfc4301: IPsec Architecture (updated) rfc4303: IPsec ESP (updated) rfc4306: IKEv2 rfc4718: IKEv2 Clarifications rfc4945: IPsec PKI Profile IPv6 and IPsec rfc4294: IPv6 Node Requirements Rfc4552: Authentication/Confidentiality for OSPFv3 rfc4877: Mobile IPv6 Using IPsec (updated) rfc4891: Using IPsec to secure IPv6-in-IPv4 Tunnels 38

Considerations For Using IPsec Security Services Data origin authentication Data integrity Replay protection Confidentiality Size of network How trusted are end hosts can apriori communication policies be created? Vendor support What other mechanisms can accomplish similar attack risk mitigation 39

Non-Vendor Specific Deployment Issues Historical Perception Configuration nightmare Not interoperable Performance Perception Need empirical data Where is the real performance hit? Standards Need Cohesion 40

Vendor Specific Deployment Issues Lack of interoperable defaults A default does NOT mandate a specific security policy Defaults can be modified by end users Configuration complexity Too many knobs Vendor-specific terminology Good News: IPv6 support in most current implementations 41

Transport vs Tunnel Mode TFTP Routing Update File Transfer File Transfer Transport Mode: End systems are the initiator and recipient of protected traffic Tunnel Mode: Gateways act on behalf of hosts to protect traffic 42

IPsec Concerns Are enough people aware that IKEv2 is not backwards compatible with IKEv1? IKEv1 is used in most IPsec implementations Will IKEv2 implementations first try IKEv2 and then revert to IKEv1? Is IPsec implemented for IPv6? Some implementations ship IPv6 capable devices without IPsec capability and host requirements is changed from MUST to SHOULD implement OSPFv3 All vendors IF they implement IPsec used AH Latest standard to describe how to use IPsec says MUST use ESP w/null encryption and MAY use AH 43

IPsec Concerns (cont) What is transport mode interoperability status? Will end user authentication be interoperable? PKI Issues Which certificates do you trust? How does IKEv1 and/or IKEv2 handle proposals with certificates? Should common trusted roots be shipped by default? Who is following and implementing pki4ipsec-ikecert-profile (rfc4945) Have mobility scenarios been tested? Mobility standards rely heavily on IKEv2 ESP how determine if ESP-Null vs Encrypted 44

IPv4 IPsec AH IPv4 AH Transport Mode: Before applying AH: After applying AH: Original IP Header TCP/UDP Data Original IP Header AH Header TCP/UDP Data Mutable Fields: - ToS - TTL - Hdr Checksum - Offset - Flags Authenticated except for mutable fields in IP header IPv4 AH Tunnel Mode: Before applying AH: After applying AH: Original IP Header TCP/UDP Data New IP Header AH Header Original IP Header TCP/UDP Data Mutable Fields: - ToS - TTL - Hdr Checksum - Offset - Flags Authenticated except for mutable fields in new IP header 45

IPv4 IPsec ESP Before applying ESP: Original IP Header TCP/UDP Data IPv4 ESP Transport Mode: After applying ESP: Original IP Header ESP Header TCP/UDP Data ESP Trailer ESP Auth Encrypted Authenticated Before applying ESP: Original IP Header TCP/UDP Data IPv4 ESP Tunnel Mode: After applying ESP: New IP Header ESP Header Original IP Header TCP/UDP Data ESP Trailer ESP Auth Encrypted Authenticated 46

ESP Header Format 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Security Parameter Index (SPI) Sequence Number ENCRYPTED Initialization Vector (IV) Payload Data (Variable) Padding (0-255 bytes) Padding Length Authentication Data (ICV) Next Header SPI: Arbitrary 32-bit number that specifies SA to the receiving device Seq #: Start at 1 and must never repeat; receiver may choose to ignore IV: Used to initialize CBC mode of an encryption algorithm Payload Data: Encrypted IP header, TCP or UDP header and data Padding: Used for encryption algorithms which operate in CBC mode Padding Length: Number of bytes added to the data stream (may be 0) Next Header: The type of protocol from the original header which appears in the encrypted part of the packet Auth Data: ICV is a digital signature over the packet and it varies in length depending on the algorithm used (SHA-1, MD5) 47

Potentially Easy Configuration 2001:DB8:6665:AF75::3B RNOC- Srvc Router_Z 2001:DB8:8888:BAD::66 2001:DB8:6665:FAD::99 Router_M 2001:DB8:6665:AF75::3D RNOC- Mgmt Syslog server 2001:DB8:6665:AF75::3D authenticate esp-null sha1 pre-share secret4syslog TFTP server 2001:DB8:6665:AF75::3D authenticate esp-null aes128 pre-share secret4tftp BGP peer 2001:DB8:8888:BAD::66 authenticate esp-null aes128 pre-share secret4as#xxx 48

Pretty Good IPsec Policy IKE Phase 1 (aka ISAKMP SA or IKE SA or Main Mode) 3DES (AES-192 if both ends support it) Lifetime (8 hours = 480 min = 28800 sec) SHA-2 (256 bit keys) DH Group 14 (aka MODP# 14) IKE Phase 2 (aka IPsec SA or Quick Mode) 3DES (AES-192 if both ends support it) Lifetime (1 hour = 60 min = 3600 sec) SHA-2 (256 bit keys) PFS 2 DH Group 14 (aka MODP# 14) 49

Help With Configuring IPsec Documents for Cisco IPsec configuration: http://www.cisco.com/en/us/tech/tk583/tk372/technologi es_configuration_example09186a0080093f73.shtml http://www.cisco.com/en/us/tech/tk583/tk372/technologi es_configuration_example09186a0080093f86.shtml Document for Juniper IPsec configuration: http://kb.juniper.net/infocenter/index?page=content&id=k B10128 50

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback