Chapter 8: Implementing Virtual Private Networks
Germán Bastidas, Ing., Universidad San Francisco de Quito
CCNA Security 1.0: Implementing Network Security, Cisco Networking Academy
VPN Overview
A VPN is a private network that is created via tunneling over a public network, usually the Internet.
VPNs have many benefits: cost savings, security, scalability, and compatibility with broadband technology.
Types of VPN Networks
Site-to-site. Devices on both sides of the VPN connection are aware of the VPN configuration in advance. The VPN remains static, and internal hosts have no knowledge that a VPN exists. Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.
Remote-access. VPN information is not statically set up; instead, the connection parameters change dynamically, and the VPN can be enabled and disabled as needed.
Cisco VPN Client Software
The Cisco VPN Client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.
Cisco IOS SSL VPN
SSL VPNs allow users to access web pages and services, including the ability to access files, send and receive email, and run TCP-based applications, without IPsec VPN Client software.
The primary restriction of SSL VPNs is that they are currently supported only in software.
SSL VPN Modes of Access
Clientless SSL VPN. A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN.
Thin Client SSL VPN. A remote client must download a small, Java-based applet for secure access to TCP applications that use static port numbers. UDP is not supported in a thin client environment.
VPN Solutions
VPN Specialized Hardware
AIM (Advanced Integration Module). A broad range of Cisco routers can be equipped with an AIM. Advanced integration modules are installed inside the router chassis and offload encryption tasks from the router CPU.
Cisco IPsec VPN Shared Port Adapter (SPA). Delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.
Cisco IPsec VPN SPA
GRE VPN
Generic Routing Encapsulation (GRE)
GRE does not include any strong security mechanisms to protect its payload.
GRE Tunnel Header
The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
Configuring a Site-to-Site GRE Tunnel
When To Use GRE
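The following Cisco IOS configuration is an added example for the site-to-site GRE tunnel described above; it is not part of the original slides or Cisco's own material. The addresses (R1 outside interface 10.0.0.1, peer R2 10.0.0.2, tunnel network 172.16.0.0/30, remote LAN 192.168.2.0/24) and the interface name GigabitEthernet0/0 are constructed assumptions. The MTU values follow directly from the 24 bytes of GRE plus outer IP overhead stated on the slide.

```cisco
! R1 side of a site-to-site GRE tunnel (constructed example topology).
! Public side: R1 Gi0/0 = 10.0.0.1, R2 = 10.0.0.2. Tunnel net 172.16.0.0/30.
! R1 LAN = 192.168.1.0/24, R2 LAN = 192.168.2.0/24.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel mode gre ip
 ! GRE header + outer IP header add 24 bytes, so on a 1500-byte link only
 ! 1476 bytes remain for the inner packet. Clamping the TCP MSS to
 ! 1476 - 40 (inner IP + TCP headers) avoids fragmentation of tunneled TCP.
 ip mtu 1476
 ip tcp adjust-mss 1436
!
! Send traffic for the remote LAN into the tunnel. A static route is used
! here; a routing protocol running over Tunnel0 is the usual alternative.
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Verification:
!   show interface Tunnel0   - line protocol is up once 10.0.0.2 is reachable
!   show ip route            - 192.168.2.0/24 is reached via Tunnel0
```

The mirror configuration on R2 uses 172.16.0.2 as the tunnel address, 10.0.0.1 as the tunnel destination and a route for 192.168.1.0/24. As the slides note, GRE by itself provides no confidentiality or integrity: the inner packets cross the public network in clear text, which is why GRE is normally combined with IPsec when the tunnel carries anything sensitive.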
IPSEC VPN COMPONENTS AND OPERATION
IPsec
IPsec is an IETF standard (RFCs 2401 through 2412) that defines how a VPN can be configured using the IP addressing protocol.
IPsec is not bound to any specific encryption, authentication, security algorithms, or keying technology.
IPsec is a framework of open standards that spells out the rules for secure communications.
IPsec relies on existing algorithms to implement the encryption, authentication, and key exchange.
IPsec Framework
Confidentiality
Integrity
Authentication - PSK
Authentication - RSA
Secure Key Exchange
The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel.
There are four DH groups: 1, 2, 5, and 7. DH groups 1, 2, and 5 support exponentiation over a prime modulus with a key size of 768 bits, 1024 bits, and 1536 bits, respectively.
Cisco 3000 clients support DH groups 1, 2, and 5. DES and 3DES encryption support DH groups 1 and 2. AES encryption supports DH groups 2 and 5. The Certicom movianVPN client supports group 7. Group 7 supports Elliptic Curve Cryptography (ECC), which reduces the time needed to generate keys.
IPsec Framework Protocols
AH (Authentication Header): IP protocol 51
ESP (Encapsulating Security Payload): IP protocol 50
Transport Mode and Tunnel Mode
Internet Key Exchange (IKE)
IKE is the protocol used to set up a Security Association (SA).
An SA is a basic building block of IPsec. Security associations are maintained within an SA database (SADB).
IKE uses UDP port 500.
An alternative to using IKE is to manually configure all parameters required to establish a secure IPsec connection.
IKE Phase 1 Main Mode
IKE Phase 1 Aggressive Mode
IKE Phase 2 (Quick Mode)
The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be used to secure the IPsec tunnel.
IKE Phase 2 performs the following functions:
Negotiates IPsec security parameters, known as IPsec transform sets
Establishes IPsec SAs
Periodically renegotiates IPsec SAs to ensure security
Optionally performs an additional DH exchange
IMPLEMENTING SITE-TO-SITE IPSEC VPN WITH CLI
IPsec VPN Steps
Task to Configure IPsec
Task 1. Ensure that ACLs configured on the interface are compatible with the IPsec configuration. Usually there are restrictions on the interface that the VPN traffic uses (for example, an ACL that blocks all traffic that is not IPsec or IKE), so the ACL must still let the IPsec and IKE traffic through.
Task 2. Create an ISAKMP policy to determine the ISAKMP parameters that will be used to establish the tunnel.
Task 3. Define the IPsec transform set. The definition of the transform set defines the parameters that the IPsec tunnel uses. The set can include the encryption and integrity algorithms.
Task 4. Create a crypto ACL. The crypto ACL defines which traffic is sent through the IPsec tunnel and protected by the IPsec process.
Task 5. Create and apply a crypto map. The crypto map groups the previously configured parameters together and defines the IPsec peer devices. The crypto map is applied to the outgoing interface of the VPN device.
Task 1. Configuration
Task 2. Create an ISAKMP policy
Each ISAKMP policy is identified by a priority number: use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
ISAKMP Parameters
Task 2. Configure a PSK
Task 3. Configure the Transform Sets
Transform Combinations
Transform Sets Negotiation Example
Transform Sets Configuration Example
Task 4. Configure the Crypto ACL
Task 5. Create the Crypto Map
Crypto Map Command
Crypto Map Configuration Mode Commands
Task 5. Configuration Example
Task 5. Apply the Crypto Map
Verify and Troubleshoot IPsec Configuration
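The following Cisco IOS configuration is an added example that walks through Tasks 1 to 5 above on one router, together with the show commands used to verify the result; it is not taken from the slides or from Cisco's own material. The topology is constructed: R1's outside interface GigabitEthernet0/0 is 10.0.0.1, the peer R2 is 10.0.0.2, and the protected LANs are 192.168.1.0/24 (behind R1) and 192.168.2.0/24 (behind R2). The ACL, transform-set and crypto-map names and the pre-shared key are placeholders chosen for the example.

```cisco
! R1 side of a site-to-site IPsec VPN (constructed example topology).
! Outside: R1 Gi0/0 = 10.0.0.1, peer R2 = 10.0.0.2.
! Protected LANs: 192.168.1.0/24 behind R1, 192.168.2.0/24 behind R2.
!
! Task 1. The inbound interface ACL must permit IKE (UDP 500), ESP (IP
! protocol 50) and AH (IP protocol 51) from the peer, or the tunnel never
! negotiates. On IOS the decrypted inner packets are also checked against
! this ACL, so the remote LAN traffic is permitted as well.
ip access-list extended OUTSIDE-IN
 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
 permit esp host 10.0.0.2 host 10.0.0.1
 permit ahp host 10.0.0.2 host 10.0.0.1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Task 2. ISAKMP (IKE Phase 1) policy. Priority 10: 1 is highest, 10000 lowest.
! Both peers must share at least one matching policy.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
! Pre-shared key for this peer. PLACEHOLDER-PSK stands for a long, random
! key; the same key must be configured on R2 for address 10.0.0.1.
crypto isakmp key PLACEHOLDER-PSK address 10.0.0.2
!
! Task 3. Transform set (IKE Phase 2 parameters): ESP with AES-256 for
! confidentiality and SHA-1 HMAC for integrity, tunnel mode.
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Task 4. Crypto ACL: only LAN-to-LAN traffic is sent through the tunnel.
! R2 needs the mirror image (192.168.2.0/24 -> 192.168.1.0/24).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Task 5. The crypto map groups peer, transform set and crypto ACL, and is
! applied to the outgoing interface.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set VPN-SET
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Verification after sending traffic between the two LANs:
!   show crypto isakmp sa   - Phase 1 SA to 10.0.0.2 in state QM_IDLE
!   show crypto ipsec sa    - Phase 2 SAs present, #pkts encaps/decaps rising
```

If show crypto isakmp sa shows no SA, the usual causes are a Task 1 ACL that drops UDP 500 or ESP, or a Phase 1 policy mismatch (encryption, hash, DH group or authentication method differ between peers). If Phase 1 is QM_IDLE but the encaps counters stay at zero, the crypto ACLs on the two routers are not mirror images or no interesting traffic has been generated yet.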
Configure IPsec with SDM
IMPLEMENTING REMOTE-ACCESS VPNS
Teleworking Benefits
Methods for Deploying Remote-Access VPNs
IPsec vs SSL Remote-Access VPNs
Establishing an SSL Session
Cisco Easy VPN
Establishing an IPsec Remote-Access Session
Configure a VPN Server with SDM
Connect with a VPN Client