07.Vpns and Ipsec

  • 8/13/2019 07.Vpns and Ipsec


    The Ultimate CCNA Study Package - ICND 2

    Chris Bryant, CCIE #12933 www.thebryantadvantage.com

    VPNs And IPSec


    It will come as no surprise to you that the protection of WAN transmissions is one of the most vital issues facing us today. To that end, an important part of Cisco networking is knowing when and how to configure Virtual Private Networks (VPNs). It's the "private" part of VPNs that we're most concerned with. Configuring VPNs gives us the opportunity to apply security to a connection that is using a shared technology such as Frame Relay - in other words, to treat this connection as though it were on a private network.

    What's A VPN?

    You can think of a VPN as a tunnel - actually, VPNs are often referred to as tunnels. We can apply security rules and policies to this tunnel without applying them to other WAN communications. In the following exhibit, a VPN has been created between two routers. Security policies can be enforced on the VPN between those two routers without affecting any WAN communications involving other routers.

    What's A VPN?

    Tunneling Protocols

    VPN Types

    VPN Terminology

    Data Encryption Schemes

    Key Encryption Schemes

    IPSec Architecture

    Internet Key Exchange (IKE)

    IPSec Process Overview



    VPNs offer three vital functions, all of which are important in today's networks. Note that two of these occur at the receiver, and one at the sender. Data origin authentication allows the receiver to guarantee the source of the packet.

    Encryption is just that - the sender encrypts the packets before sending them. If an intruder picks them off the wire, they will have no meaning.

    Integrity is the receiver's ability to ensure that the data was not affected or altered in any fashion as it traveled across the VPN.



    There are three different protocols we can use to create this tunnel. Originally defined in RFC 1701, Generic Routing Encapsulation (GRE) enables a Cisco router to encapsulate a packet in an IP header. When the packet reaches the remote router, the header is stripped off. GRE's drawback is that there's no encryption scheme, and that's a pretty big drawback.

    Defined in RFC 2661, the Layer 2 Tunneling Protocol (L2TP) is actually a hybrid of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's own Layer 2 Forwarding (L2F). Again, the major drawback is that L2TP doesn't have an encryption scheme either.

    This drawback is corrected by IP Security, generally referred to as IPSec. IPSec does offer encryption along with authentication, and that's why you'll see more IPSec in today's networks than L2TP or GRE. That's also why we're going to spend the majority of this section working with IPSec.

    A couple of the tunneling protocols we've already mentioned - L2TP and L2F - obviously work at Layer 2 of the OSI model. Tunneling protocols can actually run at different OSI layers:

    Secure Shell (SSH) and Secure/Multipurpose Internet Mail Extensions (S/MIME) both run at the Application layer.

    Secure Socket Layer (SSL) runs at the Transport layer, although some documentation lists it as running at the Presentation layer.

    As mentioned, L2TP and L2F both run at the Data Link layer.

    Since both GRE and L2TP offer no encryption, they should be avoided if possible. IPSec is an excellent choice since both encryption and authentication are possible, but (there's always a "but") IPSec can only support unicast IP traffic. If other protocols are in use, or multicast traffic must go across the tunnel, GRE or L2TP may have to be used.

    VPN Types

    There are two general types of remote access VPNs, and the name of one of them is a little misleading. The obvious one is client-initiated, where a remote user will use a VPN client to create a secure tunnel across an ISP's network to the enterprise network.

    The oddly-named Network Access Server-initiated VPN starts with the remote user as well. The user will dial in to a Network Access Server, and the NAS is the device that creates a secure tunnel to the enterprise network.

    Both of these VPN types illustrate the major advantage that such connections have over more traditional point-to-point connections - the remote users can be at any remote point and still connect to their corporate network.

    VPN Terminology

    Before we get to a more specific discussion of VPNs, there are some more general terms you should know.

    Data Confidentiality means that only the devices that should see the data in an unencrypted form will. Generally, this is achieved by one endpoint encrypting the data and sending it across the link in that fashion, with the second endpoint decrypting the data.

    Data Integrity means that the recipient of the data can guarantee that the received data is the same as the transmitted data - in short, that the data was not altered during transport.

    Data Origin Authentication guarantees that the data originated from a specific endpoint.

    Anti-replay protection (sometimes just called "replay protection") protects against replay attacks, a malicious repeat and/or delay of a valid transmission.

    For example, Router A requests proof of identity from Router C. Router C responds with proof of identity. The problem is, an intruder is listening to the conversation and copies Router C's proof of identity. After Router A and Router C are done talking, the intruder starts a conversation with Router A, pretending to be Router C. When Router A asks for proof of identity, the intruder submits Router C's proof, and Router A will accept it. The potential intruder is now officially an intruder.



    Anti-replay protection can use several different methods of defeating such an attack, including the one-time use of tokens for the proof of identity or the use of sequence numbers. When a sequence number is presented a second time as proof of identity, it will be rejected.
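As an added illustration of the sequence-number defence just described (not code from the study guide), the receiver-side check below follows the IPsec ESP sliding window (RFC 4303, section 3.4.3), with a keyed integrity tag standing in for ESP's ICV so that integrity, origin authentication and anti-replay are all visible in one place; the shared key and packets are constructed for the example.

```python
"""Receiver-side anti-replay window with an integrity check, modelled on
IPsec ESP (RFC 4303). Constructed example; the key is a made-up shared secret."""
import hashlib
import hmac

WINDOW = 64  # RFC 4303 requires at least 32; 64 is a common default


class ReplayWindow:
    """Track accepted sequence numbers for one security association."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.top = 0    # highest sequence number accepted so far
        self.seen = 0   # bit i set => sequence (top - i) has been accepted

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The tag covers the sequence number, so a captured packet cannot be re-labelled.
        data = seq.to_bytes(4, "big") + payload
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def receive(self, seq: int, payload: bytes, tag: bytes) -> str:
        if seq == 0:
            return "reject: sequence 0 is never valid"
        # 1. Cheap window check first, as ESP does before the costly ICV check.
        if seq <= self.top:
            offset = self.top - seq
            if offset >= self.window:
                return "reject: too old (outside window)"
            if self.seen & (1 << offset):
                return "reject: replay (already accepted)"
        # 2. Integrity / origin check: only an authenticated packet may move the window.
        if not hmac.compare_digest(self._tag(seq, payload), tag):
            return "reject: bad integrity tag"
        # 3. Record the sequence number as accepted.
        if seq > self.top:
            shift = seq - self.top
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)
        return "accept"
```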

    Data Encryption Technologies

    For data to be encrypted, it follows that something's got to perform this encryption! One such encryption tool is the Data Encryption Standard (DES). DES was developed in 1976, and a few problems have developed with DES since then. The main issue is that the key used by DES to encrypt data is only 56 bits in size. (A key is a random string of binary digits.)

    Thirty years ago, that was fine, but then again floppy disks used to be the largest storage unit any of us needed! Depending on whose documentation you read, DES keys can be broken in any time frame from 24 hours to ten minutes. That's bad, no matter how long it takes!

    Triple DES (TDES) is just what it sounds like - the DES encryption procedure is run three times, with three different 56-bit DES keys. That's a total of 168 bits, but the effective security provided is considered to be only 112 bits.

    TDES is sometimes referred to as 3DES, and you may see it expressed that way on your exam; however, to avoid confusion with the TDES variations 2TDES and 3TDES, the "3DES" abbreviation is discouraged.

    The Advanced Encryption Standard (AES) is being rapidly adopted by governments and organizations around the world. AES can run on any Cisco router that has IPSec DES/3DES capability. The actual function of AES is far beyond the scope of this exam, but it really is quite fascinating. Visit www.wikipedia.org and search on "advanced encryption standard" to learn exactly how it works.

    Key Encryption Schemes

    Symmetric encryption is an algorithm where the key that is used for encryption is also used for decryption. Symmetric encryption is sometimes called secret key encryption. Variations of symmetric encryption include stream algorithms, where one bit or byte is encrypted/decrypted at a time, and block algorithms, where blocks of data are encrypted/decrypted as a whole. These data blocks are usually 64 bits in size. Both DES and TDES use symmetric encryption.

    The drawback to symmetric encryption is that the key is used for two purposes, making it that much easier for an intruder to discover the key. Proper key management is vital (and that can be said for asymmetric encryption as well!)

    In contrast, asymmetric encryption involves two keys for both the sender and receiver. This public key encryption scheme involves a public and private key for each user. Before starting the actual encryption process, the public key should be certified by a third party called a Certificate Authority (CA).

    If "Dan" has a public key, the CA will make sure Dan is who he says he is, and the CA will then issue a digital certificate saying just that. The digital certificate is a combination of Dan's public key and the CA's private root key.

    The CA may be global, such as www.verisign.com, or it may be a CA in your very own organization. The key here (no pun intended) is that you had better trust your CA, because the entire public key encryption process is built around the CA verifying users and their public keys.

    Now that the CA has verified Dan and Bob, public key encryption can be put into use. In this example, Dan will send an email to Bob using PKE. Dan will actually use Bob's public key to encrypt the message. The email is then sent to Bob, who will use his private key to decrypt the email.

    RSA is a well-known public key encryption scheme. The letters stand for the originators of this algorithm (Ron Rivest, Adi Shamir, and Len Adleman).
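The Dan-and-Bob exchange above, worked through in code as an added example (not from the study guide): textbook RSA with small constructed primes, showing that anyone can encrypt under Bob's public key but only Bob's private exponent recovers the message, while Dan's own private key does not. The prime pairs, the message and the helper names are assumptions; real keys are 2048 bits or more and use a padding scheme such as OAEP.

```python
"""Textbook RSA, constructed to illustrate public key encryption between Dan and Bob."""
from math import gcd

# Small primes chosen for the example so the numbers stay readable (not secure).
BOB_PRIMES = (1000003, 1000033)
DAN_PRIMES = (1000037, 1000039)


def keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can encrypt; the ciphertext is an integer below n."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message does not fit in this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private exponent d undoes the encryption (leading zero bytes are dropped)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def send_email(message: bytes):
    """Dan -> Bob: encrypt under Bob's public key, then try both private keys on the result."""
    bob_pub, bob_priv = keygen(*BOB_PRIMES)
    _dan_pub, dan_priv = keygen(*DAN_PRIMES)
    ciphertext = encrypt(bob_pub, message)
    return decrypt(bob_priv, ciphertext), decrypt(dan_priv, ciphertext)
```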

    Exchanging Secret Keys Over A Non-Secure Connection

    It seems like quite a Catch-22; to create the VPN, we need the endpoints to
