
CCNA Security


Presentation Transcript


  1. CCNA Security Chapter Eight Implementing Virtual Private Networks

  2. Lesson Planning • This lesson should take 3-4 hours to present • The lesson should include lecture, demonstrations, discussions and assessments • The lesson can be taught in person or using remote instruction

  3. Major Concepts • Describe the purpose and operation of VPN types • Describe the purpose and operation of GRE VPNs • Describe the components and operations of IPsec VPNs • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CLI • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and verify a Remote Access VPN

  4. Lesson Objectives Upon completion of this lesson, the successful participant will be able to: • Describe the purpose and operation of VPNs • Differentiate between the various types of VPNs • Identify the Cisco VPN product line and the security features of these products • Configure a site-to-site VPN GRE tunnel • Describe the IPSec protocol and its basic functions • Differentiate between AH and ESP • Describe the IKE protocol and modes • Describe the five steps of IPSec operation

  5. Lesson Objectives • Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec • Configure IKE policies using the CLI • Configure the IPSec transform sets using the CLI • Configure the crypto ACLs using the CLI • Configure and apply a crypto map using the CLI • Describe how to verify and troubleshoot the IPSec configuration • Describe how to configure IPSec using SDM • Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM • Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM

  6. Lesson Objectives • Verify, monitor and troubleshoot VPNs using SDM • Describe how an increasing number of organizations are offering telecommuting options to their employees • Differentiate between Remote Access IPSec VPN solutions and SSL VPNs • Describe how SSL is used to establish a secure VPN connection • Describe the Cisco Easy VPN feature • Configure a VPN Server using SDM • Connect a VPN client using the Cisco VPN Client software

  7. What is a VPN? • Virtual: Information within a private network is transported over a public network. • Private: The traffic is encrypted to keep the data confidential. (Figure: a corporate network, behind a firewall and CSA-protected hosts, connected over the Internet by VPN to a business partner with a Cisco router, a mobile worker with the Cisco VPN Client, a SOHO with a Cisco DSL router, and a regional branch with a VPN-enabled Cisco ISR router.)

  8. Layer 3 VPN • Generic routing encapsulation (GRE) • Multiprotocol Label Switching (MPLS) • IPSec (Figure: an IPsec VPN across the Internet from a SOHO with a Cisco DSL router.)

  9. Types of VPN Networks • Remote-access VPNs • Site-to-Site VPNs (Figure: a corporate network with firewall, IPS, MARS, IronPort and CSA-protected web, email and DNS servers; remote-access VPNs from a mobile worker with the Cisco VPN Client, and site-to-site VPNs to a business partner with a Cisco router, a SOHO with a Cisco DSL router, and a regional branch with a VPN-enabled Cisco ISR router.)

  10. Site-to-Site VPN Hosts send and receive normal TCP/IP traffic through a VPN gateway. (Figure: site-to-site VPNs across the Internet between the corporate network and a business partner with a Cisco router, a SOHO with a Cisco DSL router, and a regional branch with a VPN-enabled Cisco ISR router.)

  11. Remote-Access VPNs (Figure: a mobile worker with the Cisco VPN Client connecting across the Internet through the corporate firewall, VPN gateway and IPS to the CSA-protected web, email and DNS servers.)

  12. In a remote-access VPN, each host typically has Cisco VPN Client software. (Figure: the VPN client software on the host connecting to R1, labelled R1-vpn-cluster.span.com.)

  13. Cisco IOS SSL VPN • Provides remote-access connectivity from any Internet-enabled host • Uses a web browser and SSL encryption • Delivers two modes of access: • Clientless • Thin client

  14. Cisco VPN Product Family

  15. Cisco VPN-Optimized Routers • VPN Features: • Voice and video enabled VPN (V3PN) • IPSec stateful failover • DMVPN • IPSec and Multiprotocol Label Switching (MPLS) integration • Cisco Easy VPN (Figure: Cisco routers at the main office, regional office, remote office and SOHO connected across the Internet.)

  16. Cisco ASA 5500 Series Adaptive Security Appliances • Flexible platform • Resilient clustering • Cisco Easy VPN • Automatic Cisco VPN • Cisco IOS SSL VPN • VPN infrastructure for contemporary applications • Integrated web-based management (Figure: a central site connected across the Internet to a remote site, a remote user, an intranet and a business-to-business extranet.)

  17. IPSec Clients • Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA • Cisco VPN Software Client: software loaded on a PC • Router with Firewall and VPN Client: a network appliance that connects SOHO LANs to the VPN • Cisco AnyConnect VPN Client: provides remote users with secure VPN connections (Figure: each client type connecting across the Internet.)

  18. Hardware Acceleration Modules • AIM • Cisco IPSec VPN Shared Port Adapter (SPA) • Cisco PIX VPN Accelerator Card+ (VAC+) • Enhanced Scalable Encryption Processing (SEP-E) (Figure: Cisco IPsec VPN SPA.)

  19. GRE VPN Overview

  20. Encapsulation (Figure: the original IP packet, and the same packet encapsulated with GRE: a new delivery IP header and a GRE header are prepended to the original IP packet.)

  21. Configuring a GRE Tunnel Create a tunnel interface, assign the tunnel an IP address, identify the source tunnel interface, identify the destination of the tunnel, and configure what protocol GRE will encapsulate:
  R1(config)# interface tunnel 0
  R1(config-if)# ip address 10.1.1.1 255.255.255.252
  R1(config-if)# tunnel source serial 0/0
  R1(config-if)# tunnel destination 192.168.5.5
  R1(config-if)# tunnel mode gre ip
  R1(config-if)#
  R2(config)# interface tunnel 0
  R2(config-if)# ip address 10.1.1.2 255.255.255.252
  R2(config-if)# tunnel source serial 0/0
  R2(config-if)# tunnel destination 192.168.3.3
  R2(config-if)# tunnel mode gre ip
  R2(config-if)#

  22. Using GRE Decision flow for user traffic: IP only? No → use a GRE tunnel. Yes → Unicast only? No → use a GRE tunnel. Yes → use an IPsec VPN. GRE does not provide encryption.
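The packet layout that slides 20 to 22 describe, as an added example that is not part of the presentation: a delivery IP header addressed between the tunnel endpoints configured on slide 21 (R1 sends from 192.168.3.3 to 192.168.5.5), a basic RFC 2784 GRE header, and the original IP packet inside it, recovered unchanged by the far end. The inner host addresses and the application data are constructed for the demonstration; the last field returned shows the slide-22 point that GRE only encapsulates and does not encrypt, so the payload is still readable on the wire.

```python
import socket
import struct

GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an encapsulated IPv4 packet
IP_PROTO_GRE = 47         # IP protocol number carried in the delivery header


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepend the basic GRE header (no checksum, key or sequence number) and a
    delivery header addressed from the tunnel source to the tunnel destination."""
    gre_hdr = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)  # flags and version are all zero
    payload = gre_hdr + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(payload)) + payload


def gre_decapsulate(packet: bytes):
    """Validate and strip the delivery and GRE headers.
    Returns (tunnel_src, tunnel_dst, inner_packet); raises ValueError otherwise."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags_ver, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if proto_type != GRE_PROTO_IPV4:
        raise ValueError("GRE payload type 0x%04x is not IPv4" % proto_type)
    gre_len = 4
    if flags_ver & 0x8000:   # C bit: checksum and reserved1 fields present
        gre_len += 4
    if flags_ver & 0x2000:   # K bit: key field present (RFC 2890)
        gre_len += 4
    if flags_ver & 0x1000:   # S bit: sequence number present (RFC 2890)
        gre_len += 4
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, packet[ihl + gre_len:]


def build_demo() -> dict:
    """Constructed sample: a packet from a host behind R1 to a host behind R2 (host
    addresses are made up), carried over the slide-21 tunnel from R1's side."""
    app_data = b"payroll export: constructed sample data"
    # A UDP-style inner packet; the L4 header is omitted because only the IP layer matters here.
    inner = ipv4_header("10.10.1.10", "10.10.2.10", 17, len(app_data)) + app_data
    outer = gre_encapsulate(inner, "192.168.3.3", "192.168.5.5")
    src, dst, recovered = gre_decapsulate(outer)
    return {
        "tunnel_endpoints": (src, dst),
        "inner_recovered": recovered == inner,
        # GRE is encapsulation only: the application data is still readable in transit
        "plaintext_visible_on_wire": app_data in outer,
    }


if __name__ == "__main__":
    print(build_demo())
```

Running the module prints the result dictionary; a packet whose outer protocol is not 47, or whose GRE version is not 0, is rejected rather than silently forwarded.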

  23. IPSec Topology • Works at the network layer, protecting and authenticating IP packets. • It is a framework of open standards which is algorithm-independent. • It provides data confidentiality, data integrity, and origin authentication. (Figure: the main site's IPsec perimeter router, legacy Cisco PIX Firewall, legacy concentrator and ASA connected across the Internet to a business partner with a Cisco router, a regional office with a Cisco PIX Firewall, a mobile worker with the Cisco VPN Client on a laptop, and a corporate SOHO with a Cisco ISDN/DSL router.)

  24. IPSec Framework (Figure: the IPsec framework, with one row for each choice: IPsec protocol, confidentiality, integrity, authentication, and Diffie-Hellman group, e.g. DH7; slides 25 to 30 take the rows in turn.)

  25. Confidentiality Encryption algorithms, from least secure to most secure: • Key length: 56 bits (DES) • Key length: 56 bits, applied 3 times (3DES) • Key lengths: 128 bits, 192 bits, 256 bits (AES) • Key length: 160 bits (SEAL)

  26. Integrity Hash algorithms, from least secure to most secure: • Key length: 128 bits (MD5) • Key length: 160 bits (SHA)

  27. Authentication (Figure: the authentication row of the IPsec framework; the peer authentication methods are covered on the next two slides.)

  28. Pre-shared Key (PSK) • At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated. • The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.

  29. RSA Signatures • At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I. • Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
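The two-way PSK exchange of slide 28 in running form, as an added example that is not from the presentation. The keyed hash is HMAC-SHA256 (an assumption; IKEv1 actually runs its PRF over the PSK and the nonces), and the peer identities are the router addresses of the slide-45 topology. It also shows the check a verifier must make: a hash captured for one identity does not authenticate a device claiming a different identity, and a wrong key on either side fails both directions.

```python
import hashlib
import hmac


def auth_hash(psk: bytes, identity: bytes) -> bytes:
    """hash_I / hash_R: the pre-shared key and the device identity run through a
    keyed hash (HMAC-SHA256 assumed for this example)."""
    return hmac.new(psk, identity, hashlib.sha256).digest()


def verify_peer(local_psk: bytes, claimed_identity: bytes, received_hash: bytes) -> bool:
    """The verifier recomputes the hash from its own copy of the key and the identity
    the peer claims; a constant-time compare avoids leaking how many bytes matched."""
    return hmac.compare_digest(auth_hash(local_psk, claimed_identity), received_hash)


def mutual_authenticate(local_psk: bytes, local_id: bytes,
                        remote_psk: bytes, remote_id: bytes):
    """Run both directions of the slide-28 exchange.
    Returns (remote accepted local, local accepted remote)."""
    hash_i = auth_hash(local_psk, local_id)            # local -> remote
    remote_accepts_local = verify_peer(remote_psk, local_id, hash_i)
    hash_r = auth_hash(remote_psk, remote_id)          # remote -> local
    local_accepts_remote = verify_peer(local_psk, remote_id, hash_r)
    return remote_accepts_local, local_accepts_remote


R1_ID = b"172.30.1.2"   # peer identities taken from the slide-45 topology
R2_ID = b"172.30.2.2"


if __name__ == "__main__":
    key = b"constructed-demo-psk"   # constructed sample key
    print(mutual_authenticate(key, R1_ID, key, R2_ID))            # (True, True)
    print(mutual_authenticate(key, R1_ID, b"wrong-key", R2_ID))   # (False, False)
```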

  30. Secure Key Exchange (Figure: the Diffie-Hellman row of the IPsec framework, e.g. DH7.)

  31. IPSec Framework Protocols Authentication Header (R1 to R2): all data is in plaintext. • AH provides the following: • Authentication • Integrity Encapsulating Security Payload (R1 to R2): the data payload is encrypted. • ESP provides the following: • Encryption • Authentication • Integrity

  32. Authentication Header 1. The IP header and data payload are hashed (IP Header + Data + Key → Hash). 2. The hash builds a new AH header which is prepended to the original packet (IP HDR | AH | Data, authentication data 00ABCDEF). 3. The new packet is transmitted to the IPSec peer router across the Internet. 4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares (received hash 00ABCDEF = recomputed hash 00ABCDEF).
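The four AH steps of slide 32 as an added example that is not from the presentation. The integrity check value is HMAC-SHA1 truncated to 96 bits (RFC 2404), the AH header layout follows RFC 4302, and, as the real protocol does, the hash skips the IP header fields that legitimately change in transit (TTL and the header checksum); otherwise every router hop would break verification. The sample packet between 10.0.1.3 and 10.0.2.3 (the slide-45 hosts) and the key are constructed; the IP header checksum is left for the sender's IP stack because it is excluded from the ICV anyway.

```python
import hashlib
import hmac
import struct

IP_PROTO_AH = 51
ICV_LEN = 12             # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN    # next header, payload len, reserved, SPI, sequence, ICV


def _icv_input(ip_hdr: bytes, ah_no_icv: bytes, data: bytes) -> bytes:
    """What the hash covers: the IP header with mutable fields zeroed (TTL and the
    header checksum, which every hop changes or recomputes), the AH header with the
    ICV field zeroed, and the payload."""
    immutable = bytearray(ip_hdr)
    immutable[8] = 0                  # TTL
    immutable[10:12] = b"\x00\x00"    # header checksum
    return bytes(immutable) + ah_no_icv + b"\x00" * ICV_LEN + data


def ah_protect(ip_hdr: bytes, data: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Steps 1 and 2 of slide 32: hash the header and data under the key, then build
    the AH header and prepend it to the original payload."""
    if len(ip_hdr) != 20:
        raise ValueError("this example supports a 20-byte IPv4 header only")
    next_hdr = ip_hdr[9]
    new_hdr = bytearray(ip_hdr)
    new_hdr[9] = IP_PROTO_AH
    new_hdr[2:4] = struct.pack("!H", 20 + AH_LEN + len(data))
    ah_no_icv = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, _icv_input(bytes(new_hdr), ah_no_icv, data),
                   hashlib.sha1).digest()[:ICV_LEN]
    return bytes(new_hdr) + ah_no_icv + icv + data


def ah_verify(packet: bytes, key: bytes) -> bool:
    """Step 4 of slide 32: the receiver recomputes the hash and compares it with the
    one carried in the AH header."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != IP_PROTO_AH or len(rest) < AH_LEN:
        return False
    ah_no_icv, icv, data = rest[:12], rest[12:AH_LEN], rest[AH_LEN:]
    expected = hmac.new(key, _icv_input(ip_hdr, ah_no_icv, data),
                        hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def build_demo(key: bytes = b"constructed-demo-key") -> dict:
    """Constructed sample: a protocol-1 (ICMP) packet from 10.0.1.3 to 10.0.2.3."""
    data = b"constructed payload"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 1, 0, 64, 1, 0,
                         bytes([10, 0, 1, 3]), bytes([10, 0, 2, 3]))
    packet = ah_protect(ip_hdr, data, key, spi=0x100, seq=1)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])                  # one payload bit flipped
    after_hop = packet[:8] + bytes([packet[8] - 1]) + packet[9:]         # a router decremented TTL
    return {"genuine": ah_verify(packet, key),
            "tampered": ah_verify(tampered, key),
            "after_hop": ah_verify(after_hop, key),
            "wrong_key": ah_verify(packet, b"other-key")}


if __name__ == "__main__":
    print(build_demo())
```

The result shows the two properties the slide is making: the genuine packet verifies even after a hop has changed the TTL, while a single flipped payload bit or a different key produces a mismatch.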

  33. ESP (Figure: the ESP row of the IPsec framework.)

  34. Function of ESP • Provides confidentiality with encryption • Provides integrity with authentication (Figure: between the two routers across the Internet the original packet IP HDR | Data becomes New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth; the inner IP HDR, Data and ESP Trailer are encrypted, and everything from the ESP HDR through the ESP Trailer is authenticated.)

  35. Mode Types Original data prior to selection of IPSec protocol mode: IP HDR | Data. Transport Mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth, with Data and ESP Trailer encrypted and ESP HDR through ESP Trailer authenticated. Tunnel Mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth, with the original IP HDR, Data and ESP Trailer encrypted and ESP HDR through ESP Trailer authenticated.

  36. Security Associations IPSec parameters are configured using IKE.

  37. IKE Phases (Host A 10.0.1.3 behind R1, Host B 10.0.2.3 behind R2; R1 has Policy 10: DES, MD5, pre-share, DH1, lifetime; R2 has Policy 15: DES, MD5, pre-share, DH1, lifetime) IKE Phase 1 Exchange, on both peers: • Negotiate IKE policy sets • DH key exchange • Verify the peer identity IKE Phase 2 Exchange, on both peers: • Negotiate IPsec policy

  38. IKE Phase 1 – First Exchange: Negotiate IKE Proposals Negotiates matching IKE policies to protect the IKE exchange (R1 with Host A 10.0.1.3, R2 with Host B 10.0.2.3). IKE policy sets shown: Policy 10 (DES, MD5, pre-share, DH1, lifetime), Policy 15 (DES, MD5, pre-share, DH1, lifetime), Policy 20 (3DES, SHA, pre-share, DH1, lifetime).

  39. IKE Phase 1 – Second Exchange: Establish DH Key A DH exchange is performed to establish keying material. Alice has private value $X_A$ and public value $Y_A = g^{X_A} \bmod p$; Bob has private value $X_B$ and public value $Y_B = g^{X_B} \bmod p$. Alice sends $Y_A$ to Bob and Bob sends $Y_B$ to Alice. Alice computes $(Y_B)^{X_A} \bmod p = K$ and Bob computes $(Y_A)^{X_B} \bmod p = K$.
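The slide-39 exchange carried out in code, as an added example that is not part of the presentation. The group is a constructed demonstration group (the Mersenne prime $2^{127}-1$ with generator 5), not one of the IKE groups: DH1, DH2 and DH5 use far larger MODP primes and DH7 is an elliptic-curve group, but the arithmetic is the same. Both sides compute their public value, exchange it, and arrive at the same $K$; a trivial public value from the peer (0, 1 or $p-1$) is rejected before exponentiation, and the keying material is a hash of $K$ rather than $K$ itself.

```python
import hashlib
import secrets

# Constructed demonstration group; not an IKE DH group.
P = (1 << 127) - 1   # Mersenne prime 2^127 - 1
G = 5


def private_value() -> int:
    """X_A or X_B: a secret exponent chosen from [2, p-2]."""
    return 2 + secrets.randbelow(P - 3)


def public_value(x: int) -> int:
    """Y = g^X mod p, sent to the peer in the clear."""
    return pow(G, x, P)


def shared_secret(peer_public: int, x: int) -> int:
    """K = (Y_peer)^X mod p. Values 0, 1 and p-1 would force K into a tiny set,
    so they are rejected before exponentiating."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, P)


def derive_key(k: int) -> bytes:
    """Keying material is derived from K, not used raw (IKE runs its PRF over it)."""
    return hashlib.sha256(k.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def dh_exchange(x_a: int, x_b: int) -> dict:
    """Both sides of slide 39 for given private values; returns what each side computed."""
    y_a, y_b = public_value(x_a), public_value(x_b)   # these two values cross the network
    k_alice = shared_secret(y_b, x_a)                 # Alice: (Y_B)^X_A mod p
    k_bob = shared_secret(y_a, x_b)                   # Bob:   (Y_A)^X_B mod p
    return {"Y_A": y_a, "Y_B": y_b, "K_alice": k_alice, "K_bob": k_bob,
            "agree": k_alice == k_bob and derive_key(k_alice) == derive_key(k_bob)}


if __name__ == "__main__":
    result = dh_exchange(private_value(), private_value())
    print("shared secret agrees:", result["agree"])
```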

  40. IKE Phase 1 – Third Exchange: Authenticate Peer Peer authentication methods: • PSKs • RSA signatures • RSA encrypted nonces A bidirectional IKE SA is now established. (Figure: peer authentication between the remote office and the corporate office HR servers across the Internet.)

  41. IKE Phase 1 – Aggressive Mode (Host A 10.0.1.3 behind R1, Host B 10.0.2.3 behind R2; R1 has Policy 10: DES, MD5, pre-share, DH1, lifetime; R2 has Policy 15: DES, MD5, pre-share, DH1, lifetime) IKE Phase 1 Aggressive Mode Exchange: • R1: Send IKE policy set and R1's DH key • R2: Confirm IKE policy set, calculate shared secret and send R2's DH key • R1: Calculate shared secret, verify peer identity, and confirm with peer • R2: Authenticate peer and begin Phase 2 IKE Phase 2 Exchange, on both peers: Negotiate IPsec policy

  42. IKE Phase 2: Negotiate IPsec Security Parameters (R1 with Host A 10.0.1.3, R2 with Host B 10.0.2.3) • IKE negotiates matching IPsec policies. • Upon completion, unidirectional IPsec Security Associations (SA) are established for each protocol and algorithm combination.

  43. IPSec VPN Negotiation (Host A 10.0.1.3, R1, R2, Host B 10.0.2.3) • Host A sends interesting traffic to Host B. • R1 and R2 negotiate an IKE Phase 1 session (an IKE SA on each peer). • R1 and R2 negotiate an IKE Phase 2 session (an IPsec SA on each peer). • Information is exchanged via the IPsec tunnel. • The IPsec tunnel is terminated.

  44. Configuring IPsec Tasks to Configure IPsec: Task 1: Ensure that ACLs are compatible with IPsec. Task 2: Create ISAKMP (IKE) policy. Task 3: Configure IPsec transform set. Task 4: Create a crypto ACL. Task 5: Create and apply the crypto map.

  45. Task 1: Configure Compatible ACLs (Site 1, 10.0.1.0/24 with host 10.0.1.3, behind R1 S0/0/0 172.30.1.2; Site 2, 10.0.2.0/24 with host 10.0.2.3, behind R2 S0/0/0 172.30.2.2; AH, ESP and IKE cross the Internet between the two routers) • Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.

  46. Permitting Traffic (topology as on slide 45)
  R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
  R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
  R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
  R1(config)#
  R1(config)# interface Serial0/0/0
  R1(config-if)# ip address 172.30.1.2 255.255.255.0
  R1(config-if)# ip access-group 102 in
  !
  R1(config)# exit
  R1#
  R1# show access-lists
  access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
  access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
  access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
  R1#
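The Task 1 check of slides 45 and 46 as an added example that is not part of the presentation: a small first-match evaluator for the three lines of access-list 102 (host-to-host entries only, with the implicit deny at the end of every IOS ACL), and a function that reports which of the required inbound flows, ESP (50), AH (51) and ISAKMP (UDP 500) from the peer, an ACL would drop. The ACL model and the packets tried against it are constructed; it is not an IOS ACL parser.

```python
# IOS protocol keywords mapped to IP protocol numbers ("ip" matches any protocol).
PROTO_NUMBERS = {"ahp": 51, "esp": 50, "udp": 17, "tcp": 6, "icmp": 1, "ip": 0}
PORT_NAMES = {"isakmp": 500}

# Constructed model of the slide-46 lines:
# (action, protocol keyword, source host, destination host, destination port or None)
ACL_102 = [
    ("permit", "ahp", "172.30.2.2", "172.30.1.2", None),
    ("permit", "esp", "172.30.2.2", "172.30.1.2", None),
    ("permit", "udp", "172.30.2.2", "172.30.1.2", "isakmp"),
]


def acl_action(acl, proto_num: int, src: str, dst: str, dport=None) -> str:
    """First-match evaluation of host-to-host entries; unmatched traffic hits the
    implicit deny any that ends every IOS access list."""
    for action, proto, a_src, a_dst, a_port in acl:
        if PROTO_NUMBERS[proto] not in (0, proto_num):
            continue
        if a_src != src or a_dst != dst:
            continue
        if a_port is not None and PORT_NAMES.get(a_port, a_port) != dport:
            continue
        return action
    return "deny"


def ipsec_flows(peer: str, local: str):
    """The three inbound flows Task 1 requires between the peer and the local router."""
    return [("esp", 50, peer, local, None),
            ("ah", 51, peer, local, None),
            ("isakmp", 17, peer, local, 500)]


def blocked_ipsec_flows(acl, peer: str, local: str) -> list:
    """Names of required flows the inbound ACL would drop; an empty list means the
    ACL is compatible with IPsec for this peer."""
    return [name for name, num, s, d, port in ipsec_flows(peer, local)
            if acl_action(acl, num, s, d, port) != "permit"]


if __name__ == "__main__":
    print("blocked with ACL 102:", blocked_ipsec_flows(ACL_102, "172.30.2.2", "172.30.1.2"))
    print("blocked without the udp line:", blocked_ipsec_flows(ACL_102[:2], "172.30.2.2", "172.30.1.2"))
    # Anything else from the peer, e.g. TCP 23, still falls through to the implicit deny.
    print("telnet from peer:", acl_action(ACL_102, 6, "172.30.2.2", "172.30.1.2", 23))
```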

  47. Task 2: Configure IKE (Site 1, 10.0.1.0/24 with host 10.0.1.3, behind R1; Site 2, 10.0.2.0/24 with host 10.0.2.3, behind R2; tunnel across the Internet; R1 Policy 110: DES, MD5, pre-share, 86400, DH1)
  router(config)# crypto isakmp policy priority
  Defines the parameters within the IKE policy.
  R1(config)# crypto isakmp policy 110
  R1(config-isakmp)# authentication pre-share
  R1(config-isakmp)# encryption des
  R1(config-isakmp)# group 1
  R1(config-isakmp)# hash md5
  R1(config-isakmp)# lifetime 86400

  48. ISAKMP Parameters

  49. Multiple Policies (Site 1, 10.0.1.0/24 with host 10.0.1.3, behind R1; Site 2, 10.0.2.0/24 with host 10.0.2.3, behind R2; tunnel across the Internet)
  R1(config)#
  crypto isakmp policy 100
   hash md5
   authentication pre-share
  !
  crypto isakmp policy 200
   hash sha
   authentication rsa-sig
  !
  crypto isakmp policy 300
   hash md5
   authentication pre-share
  R2(config)#
  crypto isakmp policy 100
   hash md5
   authentication pre-share
  !
  crypto isakmp policy 200
   hash sha
   authentication rsa-sig
  !
  crypto isakmp policy 300
   hash md5
   authentication rsa-sig

  50. Policy Negotiations R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters (Policy 110: pre-share, 3DES, SHA, DH2, 43200). R2 must have an ISAKMP policy configured with the same parameters.
  R1(config)# crypto isakmp policy 110
  R1(config-isakmp)# authentication pre-share
  R1(config-isakmp)# encryption 3des
  R1(config-isakmp)# group 2
  R1(config-isakmp)# hash sha
  R1(config-isakmp)# lifetime 43200
  R2(config)# crypto isakmp policy 100
  R2(config-isakmp)# authentication pre-share
  R2(config-isakmp)# encryption 3des
  R2(config-isakmp)# group 2
  R2(config-isakmp)# hash sha
  R2(config-isakmp)# lifetime 43200
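The policy matching of slides 49 and 50 as an added example that is not from the presentation: each `crypto isakmp policy` block is modelled as a record, unset parameters take the IOS defaults assumed here (DES, SHA, RSA signatures, DH group 1, 86400 s), and the responder walks its own policies in priority order (lowest number first) looking for one whose encryption, hash, authentication and DH group are identical to a policy the initiator offered. The lifetime handling follows Cisco's documented rule as understood here (the initiator's lifetime may not exceed the responder's, and the shorter one is used); the priority numbers differing, as on slide 50 (110 vs 100), does not matter. The slide-49 sets match on policy 100, and a changed DH group on one side yields no match.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' block; unset parameters take the IOS
    defaults assumed here."""
    priority: int
    encryption: str = "des"
    hash_alg: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400

    def matches(self, other: "IsakmpPolicy") -> bool:
        """Crypto parameters must be identical; priority and lifetime are not compared here."""
        return (self.encryption, self.hash_alg, self.authentication, self.group) == \
               (other.encryption, other.hash_alg, other.authentication, other.group)


def negotiate(initiator, responder) -> Optional[tuple]:
    """Responder-side matching: the initiator offers all its policies, the responder tries
    its own in priority order and accepts the first identical set whose offered lifetime
    does not exceed its own. Returns (responder priority, initiator priority, agreed
    lifetime) or None when no policy matches."""
    for r_pol in sorted(responder, key=lambda p: p.priority):
        for i_pol in sorted(initiator, key=lambda p: p.priority):
            if r_pol.matches(i_pol) and i_pol.lifetime <= r_pol.lifetime:
                return r_pol.priority, i_pol.priority, min(r_pol.lifetime, i_pol.lifetime)
    return None


# Slide 49: only hash and authentication are set, everything else is the default.
R1_SLIDE49 = [IsakmpPolicy(100, hash_alg="md5", authentication="pre-share"),
              IsakmpPolicy(200, hash_alg="sha", authentication="rsa-sig"),
              IsakmpPolicy(300, hash_alg="md5", authentication="pre-share")]
R2_SLIDE49 = [IsakmpPolicy(100, hash_alg="md5", authentication="pre-share"),
              IsakmpPolicy(200, hash_alg="sha", authentication="rsa-sig"),
              IsakmpPolicy(300, hash_alg="md5", authentication="rsa-sig")]

# Slide 50: R1 policy 110 and R2 policy 100 with 3DES, SHA, pre-share, group 2, 43200 s.
R1_SLIDE50 = [IsakmpPolicy(110, "3des", "sha", "pre-share", 2, 43200)]
R2_SLIDE50 = [IsakmpPolicy(100, "3des", "sha", "pre-share", 2, 43200)]


if __name__ == "__main__":
    print("slide 49:", negotiate(R1_SLIDE49, R2_SLIDE49))   # (100, 100, 86400)
    print("slide 50:", negotiate(R1_SLIDE50, R2_SLIDE50))   # (100, 110, 43200)
    wrong_group = [IsakmpPolicy(100, "3des", "sha", "pre-share", 5, 43200)]
    print("group mismatch:", negotiate(R1_SLIDE50, wrong_group))   # None
```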
