
8/9/2019 ccna_security_ch19_fundamentals_ip_security.odt

http://slidepdf.com/reader/full/ccnasecuritych19fundamentalsipsecurityodt 1/34

Chapter 19: Fundamentals of IP Security

I. IPsec Concepts, Components, and Operations

1. The Goal of IPsec

2. [figure]

3. [figure]

Table 19-2 IPsec Goals and the Methods Used to Implement Them

Goal                 Method That Provides the Feature
Confidentiality      Encryption
Data integrity       Hashing
Peer authentication  Pre-shared keys, RSA digital signatures
Antireplay           Integrated into IPsec, basically applying serial numbers to packets

1. Goals described:
   a. Confidentiality - Provided through encryption, changing clear text into cipher text.
   b. Data integrity - Provided through hashing and/or through a Hashed Message Authentication Code (HMAC), to verify that data has not been manipulated during its transit across the network.
   c. Authentication - Provided through authenticating the VPN peers near the beginning of a VPN session using pre-shared keys (PSK) or digital signatures (leveraging digital certificates). Authentication can also be done continuously through the use of an HMAC, which includes a secret known only to the two ends of the VPN.
   d. Antireplay support - When VPNs are established, the peers can sequentially number the packets, and if a packet is replayed (perhaps by an attacker), the packet will not be accepted because the VPN device believes it has already processed that packet.
2. The diagram above shows the 10.0.0.0 network requiring a VPN connection to the 172.16.0.0 network. Traffic between these networks is encrypted by R1 over the Internet to R2, where it is decrypted and sent to the server, and vice versa.
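As an added example that is not part of these notes, the following Python models the antireplay check described under goal d: the receiver keeps the highest sequence number accepted plus a bitmap of the most recent 64 numbers (a constructed window size for this example), accepts fresh or in-window unseen numbers, and rejects replays and packets that have fallen behind the window.

```python
# Added example, not from the chapter notes: a sliding-window antireplay
# check of the kind ESP performs on received packets. The receiver remembers
# the highest sequence number accepted and a bitmap of which of the most
# recent WINDOW_SIZE numbers it has already processed, so a replayed packet
# is rejected even if it arrives out of order. WINDOW_SIZE = 64 is a
# constructed choice for this example.

WINDOW_SIZE = 64


class AntiReplayWindow:
    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new; False if it is a replay
        or has fallen behind the window (too old to judge)."""
        if seq == 0:
            return False   # a sender never uses sequence number 0
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1            # everything older falls off the window
            else:
                full = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & full
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # older than the window: treated as a replay
        mask = 1 << offset
        if self.bitmap & mask:
            return False   # already processed: replay
        self.bitmap |= mask
        return True


def replay_check(sequence_numbers):
    """Feed a stream of sequence numbers through one window and return
    (accepted, rejected) lists in arrival order."""
    window = AntiReplayWindow()
    accepted, rejected = [], []
    for seq in sequence_numbers:
        (accepted if window.check_and_update(seq) else rejected).append(seq)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed stream: in-order packets, one reordered (4 after 5),
    # one replayed (3 again), a jump to 200, then two stale replays.
    print(replay_check([1, 2, 3, 5, 4, 3, 200, 5, 100]))
```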


4. The Play by Play for IPsec

1. Both routers (of the diagram) are VPN gateways, serving the 10.0.0.0 and 172.16.0.0 networks. The two routers will become IPsec peers with each other to form the IPsec tunnel over the Internet.
2. R1 waits for traffic from the 10.0.0.0 network destined to 172.16.0.0. The routers have not yet established a VPN; when such traffic arrives, R1 initiates negotiations for the IPsec tunnel.

5. Step 1: Negotiate the IKE Phase 1 Tunnel

1. The first negotiation is the following:
   a. Internet Key Exchange (IKE) Phase 1 tunnel
      a. Two modes:
         1. Main mode - uses more packets than aggressive mode but is considered more secure. Most VPN implementations default to using main mode.
         2. Aggressive mode - see above.
      b. The IKE Phase 1 tunnel is the first tunnel and is used for the routers to speak to one another. Once established, it is not going to be used to forward user packets, but is used to protect management traffic related to the VPN between the two routers.
         1. Used for keepalive packets to verify the VPN is still working.
         2. R1 is the initiator, as a packet came in that needed to be encrypted.
         3. Five basic items must be agreed upon for IKE Phase 1 to be successful:
            1. Hash algorithm - This could be Message Digest 5 algorithm (MD5) or Secure Hash (SHA) on most devices.
            2. Encryption algorithm - This could be Digital Encryption Standard (DES) (bad idea, too weak), Triple DES (3DES) (better) or Advanced Encryption Standard (AES) (best) with various key lengths. (Longer is better for keys.)
            3. Diffie-Hellman (DH) group to use - The DH "group" refers to the modulus size (length of the key) to use for the DH key exchange. Group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536. The purpose of DH is to generate shared secret keying material (symmetric keys) that may be used by the two VPN peers for symmetrical algorithms, such as AES. It is important to note that the DH exchange itself is asymmetrical (and is CPU intensive), and the resulting keys that are generated are symmetrical.
            4. Authentication method - Used for verifying the identity of the VPN peer on the other side of the tunnel. Options include a pre-shared key (PSK) used only for the authentication, or RSA signatures (which leverage the public keys contained in the digital certificates).
            5. Lifetime - How long until this IKE Phase 1 tunnel should be torn down. (The default is 1 day, listed in seconds.) This is the only parameter that does not have to exactly match with the other peer to be accepted. If all other parameters match and the lifetime is different, they agree to use the smallest lifetime between the two peers. A shorter lifetime is considered more secure because it gives an attacker less time to calculate keys used for a current tunnel.


How to Remember the Five Items Negotiated in IKE Phase 1

As a handy way to recall the five pieces involved in the negotiation of the IKE Phase 1 tunnel, you might want to remember that the two devices HAGLE over IKE Phase 1:
   H: Hash
   A: Authentication method
   G: DH group (a stretch, but it works)
   L: Lifetime of the IKE Phase 1 tunnel
   E: Encryption algorithm to use for the IKE Phase 1 tunnel

6. Who Begins the Negotiation?

The initiator sends over all of its IKE Phase 1 policies, and the other VPN peer looks at all of those policies to see whether any of its own policies match the ones it just received. If there is a matching policy, the recipient of the negotiations sends back information about which received policy matches, and they use that matching policy for the IKE Phase 1 tunnel.
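Added example, not from these notes: a small Python model of the policy matching just described, using the HAGLE attributes from Step 1. Every attribute except lifetime must match exactly, and when the lifetimes differ the smaller one is used. The policy values are constructed from the chapter's plan; the fallback policies are assumptions for the example, not the IOS default policies.

```python
# Added example, not from the chapter notes: a model of the IKE Phase 1
# policy matching described above. Hash, authentication method, DH group
# and encryption (H, A, G, E of HAGLE) must match exactly; lifetime (L)
# need not, and the smaller of the two lifetimes is used.
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int       # like "crypto isakmp policy <n>": lower is tried first
    hashing: str        # "md5" or "sha"
    auth: str           # "pre-share" or "rsa-sig"
    group: int          # DH group: 1 (768 bit), 2 (1024 bit), 5 (1536 bit)
    lifetime: int       # seconds; default 86400 (1 day)
    encryption: str     # "des", "3des", "aes-128", "aes-256"


def matches(a: IkePolicy, b: IkePolicy) -> bool:
    """Everything except lifetime must agree."""
    return (a.hashing, a.auth, a.group, a.encryption) == \
           (b.hashing, b.auth, b.group, b.encryption)


def negotiate(initiator: Iterable[IkePolicy],
              responder: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """The initiator offers all its policies in priority order; the responder
    checks each offer against its own list, also in priority order, and the
    first match wins with the smaller lifetime. None means no tunnel."""
    for offer in sorted(initiator, key=lambda p: p.priority):
        for own in sorted(responder, key=lambda p: p.priority):
            if matches(offer, own):
                return replace(own, lifetime=min(offer.lifetime, own.lifetime))
    return None


# Constructed policies. R1_PLAN follows the chapter's plan (MD5, PSK, group 2,
# 600 s, 128-bit AES); the other entries are assumed fallbacks for the
# example, not the IOS default policies.
R1_PLAN = IkePolicy(2, "md5", "pre-share", 2, 600, "aes-128")
R1_POLICIES = [R1_PLAN, IkePolicy(10, "sha", "pre-share", 2, 86400, "3des")]
R2_POLICIES = [IkePolicy(1, "sha", "rsa-sig", 5, 86400, "aes-256"),
               IkePolicy(5, "md5", "pre-share", 2, 86400, "aes-128")]
R2_CERTS_ONLY = [IkePolicy(1, "sha", "rsa-sig", 5, 86400, "aes-256")]

if __name__ == "__main__":
    print(negotiate(R1_POLICIES, R2_POLICIES))    # R2's policy 5, lifetime 600
    print(negotiate(R1_POLICIES, R2_CERTS_ONLY))  # None: nothing matches
```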

7. Step 2: Run the DH Key Exchange

1. Once the devices agree on IKE Phase 1, then comes the DH key exchange.
2. They use the DH group (DH key size for the exchange) they agreed to during the negotiations.
3. At the end of this key exchange they both have symmetrical keying material (which is a fancy way of saying they both have the same secret keys that they can use with symmetrical algorithms).
4. DH allows two devices that do not yet have a secure connection to establish shared secret keying material (keys that can be used with symmetrical algorithms, such as AES).

8. Step 3: Authenticate the Peer

1. The last piece of IKE Phase 1: validate or authenticate the peer on the other side.
   a. Authentication (what they agreed to during HAGLE): PSK or RSA digital signatures.
   b. Now we have the IKE Phase 1 tunnel in place, which is bidirectional.

9. What About the User's Original Packet?

1. The IKE Phase 1 tunnel is for management, like tunnel keepalives.
2. IKE Phase 2 is the actual IPsec tunnel, the tunnel that has the sole purpose of encrypting the end users' packets.

10. Leveraging What They Have Already Built

1. We have to configure the options for both the IKE Phase 1 tunnel AND the IKE Phase 2 tunnel.
2. Additionally we have to configure the transform set for the IKE Phase 2 tunnel.
3. Immediately after the IKE Phase 1 tunnel is established (either main mode, which uses more packets, or aggressive mode, which is considered less secure), the routers immediately begin to establish the IKE Phase 2 tunnel.
4. The IKE Phase 1 tunnel is the management tunnel and also protects the IKE Phase 2 negotiation traffic.
5. The IKE Phase 2 tunnel includes the hashing and encryption algorithms. It's called quick mode.


11. How IPsec Can Protect the User's Packets

1. The source and destination IP addresses are those of the routers. The actual payload, which contains the real, internal source and destination IP addresses, is encrypted.

12. Traffic Before IPsec

13. [figure]

1. An eavesdropper could see the above without encryption if the 10.0.0.0 network were able to traverse the Internet to get over to 172.16.0.0 without encryption. This is actually possible with something like a GRE tunnel (tunneling without encryption).


14. Traffic After IPsec

1. After you configure R1 and R2 to become VPN peer gateways, telling them that all packets between the two networks 10.0.0.0/24 and 172.16.0.0/24 should be protected by IPsec, R1 and R2 negotiate and build their VPN tunnels (IKE Phase 1 and IKE Phase 2), and then any traffic from either network and destined for the other is protected. Let's consider the packet shown in the earlier figure. When R1 sees this same packet heading out to 172.16.0.4, and because its source IP address is on the 10.0.0.0/24 network, R1 uses the IKE Phase 2 tunnel, encrypts the packet, and encapsulates the encrypted packet with a new IP header that shows the source IP address as R1 and the destination address as R2. The Layer 4 protocol would show as being Encapsulating Security Payload (ESP), which is reflected in the IP header as protocol 50, which is in plain text, but the content after that is the encrypted original packet. When R2 receives this, R2 de-encapsulates the packet, sees that it is ESP, and then proceeds to decrypt the original packet. Once decrypted, R2 forwards the plaintext packet to the server at 172.16.0.4. The encrypted packet as it crossed over the untrusted network between R1 and R2 appears as shown below:
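Added example, not from these notes: Python that builds the outer IPv4 header and ESP header of a tunnel-mode packet between R1 and R2, then parses it the way an eavesdropper on the untrusted network would, showing that only the gateway addresses, protocol 50, the SPI and the sequence number are readable while the original packet with its inner addresses is opaque. R1's outside address 2.0.0.1 and the host 10.0.0.7 are assumptions; the payload is a zero-filled stand-in for ciphertext, not real encryption.

```python
# Added example, not from the chapter notes: build the outer IPv4 header and
# ESP header of a tunnel-mode packet between R1 and R2, then parse it the way
# an eavesdropper on the untrusted network would. Only the gateway addresses,
# protocol number 50, the SPI and the sequence number are readable; the
# original packet with its inner addresses is inside the opaque payload.
import socket
import struct

ESP_PROTOCOL = 50            # IP protocol number for ESP in the outer header
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left at zero for this illustration."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def esp_encapsulate(outer_src, outer_dst, spi, seq, ciphertext):
    """Tunnel mode: new outer IP header + ESP header (SPI, seq) + ciphertext."""
    payload = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, ESP_PROTOCOL, len(payload)) + payload


def eavesdropper_view(packet):
    """What an observer between R1 and R2 can read without the keys."""
    fields = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    total_len, proto = fields[2], fields[6]
    view = {"src": socket.inet_ntoa(fields[8]),
            "dst": socket.inet_ntoa(fields[9]),
            "protocol": proto}
    if proto == ESP_PROTOCOL:
        spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
        view.update({"spi": spi, "seq": seq,
                     "encrypted_bytes": total_len - ihl - 8})
    return view


# Constructed sample. The inner packet goes from an assumed host 10.0.0.7 to
# the server 172.16.0.4 from the notes. R1's outside address is not given in
# the notes, so 2.0.0.1 is assumed; 3.0.0.2 is the peer address from the notes.
INNER = ipv4_header("10.0.0.7", "172.16.0.4", 6, 0)
CIPHERTEXT = bytes(len(INNER) + 16)   # zero-filled stand-in for AES output
OUTER = esp_encapsulate("2.0.0.1", "3.0.0.2", spi=0x1A2B3C4D, seq=1,
                        ciphertext=CIPHERTEXT)

if __name__ == "__main__":
    print(eavesdropper_view(OUTER))
```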


15. Summary of the IPsec Story

1. In summary, the VPN peer gateways negotiate the IKE Phase 1 tunnel using aggressive or main mode, and then use quick mode to establish the IKE Phase 2 tunnel. They use the IKE Phase 2 tunnel to encrypt and decrypt user packets. Behind the scenes, the IKE Phase 2 tunnel really creates two one-way tunnels: one from R1 to R2, and one from R2 to R1. The end user does not see the process in any detail, and end users do not know that encryption is even being applied to their packets. So, we could say we have one IKE Phase 1 bidirectional tunnel used for management between the two VPN peers and two IKE Phase 2 unidirectional tunnels used for encrypting and decrypting end-user packets. These tunnels are often referred to as the security agreements between the two VPN peers. Many times, these agreements are called security associations (SA). Each SA is assigned a unique number for tracking.

II. Configuring and Verifying IPsec

1. Tools to Configure the Tunnels

2. Start with a Plan

1. Decide what protocols to use for IKE Phase 1 and IKE Phase 2.
2. Identify which traffic should be encrypted (10.0.0.0/24 and 172.16.0.0/24).
3. IKE Phase 1:
   a. H: For hashing, we can use MD5 (128 bits) or SHA-1 (160 bits). Let's go for MD5 for IKE Phase 1.
   b. A: Authentication. We can use PSKs or digital certificates. Let's start off with PSKs (a password, really) for authentication.
   c. G: For DH group, we can use 1, 2, or 5 on most routers. Let's use group 2.
   d. L: Lifetime defaults to 1 day. Let's set the lifetime for IKE Phase 1 to 600 seconds.
   e. E: Encryption for IKE Phase 1 can be DES, 3DES, or some flavor of AES. Let's use 128-bit AES.
4. IKE Phase 2:
   a. At minimum, choose hashing and encryption algorithms:
      1. Use the default for lifetime.
      2. Let's use SHA (just to see the difference between MD5 and SHA).
      3. Use AES-256 in IKE Phase 2.
   b. IKE Phase 2 policies are called transform sets.


3. Applying the Configuration

1. Select R1 from the drop-down.
2. Configure > Security > VPN > Site-to-Site VPN
   a. Verify that Create a Site-to-Site VPN is selected.
   b. Click the Launch the Selected Task button.


3. Choose the following:
   a. Quick setup - uses defaults for IKE Phase 1 and Phase 2.
   b. Step by Step Wizard - customize the policies.
   Choose Step by Step Wizard and click Next.


4. The interface is the outside one connecting to the Internet.
5. Outside IP address of the VPN peer: 3.0.0.2
6. For this example we use the PSK cisco123; it needs to be the same on both sides.
   a. This is for IKE Phase 1 authentication.


8. Select what we have decided to use (below) for IKE Phase 1.
   a. Click OK.


9. Now we have both the default and an added policy.
10. Highlight our added policy and click Next.


11. The policy for IKE Phase 2 is called a Transform Set.
   a. Encryption and hashing
12. Not using the default; we want to use AES-256 and SHA for the IKE Phase 2 tunnels.
   a. Click Add.


13. After clicking Add, choose your algorithms (must be the same on the other router):
   a. Name your transform set.
   b. Select your Data Integrity Algorithm (AKA hashing algorithm).
   c. Select your Confidentiality Algorithm (AKA encryption algorithm).
   d. Click OK.


   e. Verify your new Transform Set is selected and click Next.


14. Crypto ACL - used to select, based on source and destination subnets, which traffic will be encrypted and sent over the VPN.
15. Crypto map - A Crypto ACL is not applied to any interface, but is applied to a policy, called a Crypto map. The Crypto map is then directly applied to an interface.
16. Fill in the following fields for traffic that needs to be encrypted by IPsec.


17. Shows a summary.
18. IKE Phase 1 also implements the default policy, which is shown below along with the added policy under IKE Policies.
19. Our transform set called MYSET:
   a. ESP Encryption: ESP_AES_256
   b. ESP Integrity: ESP_SHA_HMAC
   c. Mode: TUNNEL
20. And then we have the Crypto ACL, AKA IPSec Rule.
21. When you click Finish, it may just send the configuration to the router or show you the CLI commands that will be sent to the router beforehand. If the CLI commands are not shown, make sure you have configured CCP to do this in its preferences.


4. Viewing the CLI Equivalent at the Router

5. [figure]

6. [figure]


7. [figure]


8. Completing and Verifying IPsec

1. After clicking Finish, the status of the VPN is shown.
2. Can click the Generate Mirror button to mirror the configuration on R1 to R2.


3. We would then take this file and edit it to fit R2.


4. Edited version of the mirror config of R1.


5. If saving the R2 config via the CLI, make sure to refresh R2 from CCP to reflect the new configuration.
6. Saving both the R1 and R2 configuration changes to NVRAM is also recommended.
7. Below we are generating traffic from 10.0.0.0/24 by pinging 172.16.0.4. A successful ping verifies the tunnel is up.


8. Subsequent packets use the newly formed IKE Phase 2 (IPsec) tunnel for the lifetime of that tunnel.
9. Using the CLI to verify the IPsec VPN.

9. [figure]


10. [figure]


11. [figure]

III. Do I Know This Already? Quiz

Table 19-1 Do I Know This Already? Section-to-Question Mapping

Foundation Topics Section                    Questions
IPsec Concepts, Components, and Operations   1-10
Configuring and Verifying IPsec              11

1. Which technology is a primary method that IPsec uses to implement data integrity?
   a. MD5
   b. AES
   c. RSA
   d. DH


2. What are the source and destination addresses used for an encrypted IPsec packet?
   a. Original sender and receiver IP addresses
   b. Original sender's and outbound VPN gateway's addresses
   c. Sending and receiving VPN gateways
   d. Sending VPN gateway and original destination address in the packet

3. Which tunnel is used for private management traffic between the two VPN peers?
   a. IPsec
   b. IKE Phase 1
   c. IKE Phase 2
   d. IKE Phase 3

4. Which of the following are negotiated during IKE Phase 1?
   a. Hashing
   b. DH group
   c. Encryption
   d. Authentication method

5. What method is used to allow two VPN peers to establish shared secret keys and to establish those keys over an untrusted network?
   a. AES
   b. SHA
   c. RSA
   d. DH

6. Which of the following is not part of the IKE Phase 1 process?
   a. Negotiation of the IKE Phase 1 protocols
   b. Running DH
   c. Authenticating the peer
   d. Negotiating the transform set to use

7. How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely?
   a. Uses the IKE Phase 1 tunnel
   b. Uses the IPsec tunnel
   c. Uses the IKE Phase 2 tunnel
   d. Uses RSA

8. What are the two main methods for authenticating a peer as the last step of IKE Phase 1? (Choose all that apply.)
   a. RSA signatures, using digital certificates to exchange public keys
   b. PSK (pre-shared key)
   c. DH Group 2
   d. TCP three-way handshake

9. Which component acts as an if-then statement, looking for packets that should be encrypted before they leave the interface?
   a. crypto isakmp policy
   b. crypto map
   c. crypto ipsec transform-set
   d. crypto access-list (access list used for cryptography)


10. What is true about symmetrical algorithms and symmetrical crypto access lists used on VPN peers?
   a. Symmetrical algorithms use the same secret (key) to lock and unlock the data. Symmetrical ACLs between two VPN peers should symmetrically swap the source and destination portions of the ACL.
   b. Symmetrical algorithms like RSA use the same secret (key) to lock and unlock the data. Symmetrical ACLs between two VPN peers should symmetrically swap the source and destination portions of the ACL.
   c. Symmetrical algorithms use the same secret (key) to lock and unlock the data. Symmetrical ACLs between two VPN peers should be identical.
   d. Symmetrical algorithms use the same secret (key) to lock and unlock the data. Symmetrical ACLs between two VPN peers require that only symmetrical algorithms be used for all aspects of IPsec.

11. Which one of the following commands reveals the ACLs, transform sets, and peer information and indicates which interface is being used to connect to the remote IPsec VPN peer?
   a. show crypto map
   b. show crypto isakmp policy
   c. show crypto config
   d. show crypto ipsec sa

IV. Review All the Key Topics

Table 19-3 Key Topics

Key Topic Element   Description                                                                              Page Number
Text                IPsec goals                                                                              468
Text                The play by play for IPsec                                                               469
Text                How to remember the five items negotiated in IKE Phase 1                                 470
Text                How IPsec can protect user packets                                                       472
Text                A look at the traffic after IPsec                                                        473
Text                The IPsec story in a nutshell                                                            474
Text                Start with a plan                                                                        475
Figure 19-8         Entering custom IKE Phase 1 policies                                                     478
Figure 19-11        Creating a new transform set (IKE Phase 2 policy)                                        480
Figure 19-13        Configuring the access list used to classify traffic that should be protected by IPsec  481
Example 19-1        The CLI equivalent commands to implement IPsec VPNs                                      482
Example 19-2        Edited mirrored VPN configuration appropriate for R2                                     486
Example 19-3        Verifying the IPsec VPN from the CLI                                                     487


V. Complete the Tables and Lists from Memory

Table 19-2 Advantages and Limitations of Available HA Methods

Method: Active/standby failover
  Advantages: Can offer stateful or stateless methods. Stateful operation is required to prevent session reestablishment during or after a failover.
  Limitations: No load sharing or balancing occurs between devices. Only one device is active at a time. Lack of support for clientless Secure Sockets Layer (SSL) VPN applications. Requires identical hardware and software versions.

Method: VPN load balancing (clustering)
  Advantages: Allows for the load between devices to be shared among them, based on the "least used" device receiving the latest connection attempt. Differing hardware and software revisions can be used. Native, built-in ASA feature.
  Limitations: Cannot provide stateful failover.

Method: Load balancing using an external load balancer
  Advantages: Allows for the load between devices to be shared among them. We have greater flexibility in choosing load-balancing algorithms than with clustering. Differing hardware and software revisions can be used.
  Limitations: Cannot provide stateful failover. No active failover between devices. Clients must reconnect to the next available device after being disconnected.

Method: Redundant VPN servers
  Advantages: Allows for connections to be shared among available devices based on clients using different VPN server addresses. Differing hardware and software revisions can be used.
  Limitations: No active failover detection. Clients must use dead peer detection (DPD) for peer-availability detection. Connections are not stateful. Clientless SSL VPN cannot use this method.

Table 19-3 ASA Hardware-Based Failover License Requirements

ASA Model             License Required
ASA 5505              Security Plus
ASA 5510              Security Plus
All remaining models  Base License


Table 19-4 ASDM Failover Configuration Items

Field: Enable Failover
  Value: Check this box to enable failover.

Field: Use 32 Hexadecimal Character Key and Shared Key
  Value: Enter the shared key that will be used by each device to create the encryption key used on the failover link. The key can be 1 to 64 alphanumeric characters in length. However, if you have selected the option to enable the use of a 32-hexadecimal character key, enter the 32-character hex key into the Shared Key field.

LAN Failover

Field: Interface
  Value: Select an available unused interface from the drop-down list for use as the failover link.

Field: Logical Name
  Value: Enter a name for the interface.

Field: Active IP
  Value: Enter the IP address of this device that will be used for communication across the failover link.

Field: Subnet Mask
  Value: Enter the subnet mask that corresponds to the Active IP address configured.

Field: Standby IP
  Value: Enter the IP address of the second ASA device that will be contactable using the failover link.

Field: Preferred Role
  Value: Select the preferred role for this device, either Primary or Standby. If Primary is selected, this device will be the preferred unit for the active firewall status. However, if the standby unit comes up from a reboot/power on before the active one, it will resume the role of the active firewall. Note that the active/standby configuration is not preemptive.

(Optional) State Failover

Field: Interface (Select if stateful HA operation is required.)
  Value: Select the interface from the list available. This need not be a physically separate interface from the LAN failover connection. However, it is recommended. If you select the same interface as the failover one, there is no need to supply IP addressing information, only a logical name (nameif).

Field: Logical Name
  Value: Enter the name for this connection.

Field: Active IP
  Value: Enter the IP address used by this device for communication across the stateful link, but only if the stateful link is not the same as the failover link.

Field: Subnet Mask
  Value: Enter the subnet mask that corresponds to the active IP address on the stateful link.

Field: Standby IP
  Value: Enter the IP address used by the secondary device for communication across the stateful link.

Field: Enable HTTP Replication
  Value: Check this box if you want to enable the replication of HTTP connection states between the active and standby devices.


Table 19-2 IPsec Goals and the Methods Used to Implement Them

Goal                 Method That Provides the Feature
Confidentiality      Encryption
Data integrity       Hashing
Peer authentication  Pre-shared keys, RSA digital signatures
Antireplay           Integrated into IPsec, basically applying serial numbers to packets

VI. Define Key Terms

1. IKE Phase 1 -
2. IKE Phase 2 -
3. transform set -
4. DH group -
5. lifetime -
6. authentication -
7. encryption -
8. hashing -
9. DH key exchange -

VII. Command Reference to Check Your Memory

Table 19-4 Command Reference

Command: crypto map mymap 1 ipsec-isakmp
  Description: Generate or edit a crypto map named MYMAP, sequence number 1, and request the services of ISAKMP.

Command: crypto isakmp policy 3
  Description: Enter IKE Phase 1 configuration mode for policy number 3.

Command: show crypto map
  Description: Verify which components are included in the crypto map, including the ACL, the peer address, the transform set, and where the crypto map is applied.

Command: crypto ipsec transform-set myset
  Description: This is the beginning sequence to creating an IKE Phase 2 transform set named MYSET. This is followed by the HMAC (hashing with authentication) and encryption method (3DES, or AES preferably) that you want to use.