1 / 65

Network Security 2

Network Security 2. Module 3: VPN and Encryption Technology. Module 3: VPN and Encryption Technology. Lesson 3.3 Implementing Digital Certificates. Certificate authority support. Certificate authority support. Restrictions

emark
Download Presentation

Network Security 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Security 2 Module 3: VPN and Encryption Technology

  2. Module 3: VPN and Encryption Technology Lesson 3.3 Implementing Digital Certificates

  3. Certificate authority support

  4. Certificate authority support • Restrictions • CA should be configured only when both IPSec and ISAKMP are configured in the network. • Cisco IOS does not support CA server public keys greater than 2048 bits. • Prerequisites • A CA must be available to the network • CA must support Simple Certificate Enrollment Protocol (SCEP)

  5. The protocol is designed to make the issuing and revocation of digital certificates as scalable as possible. • The idea is that any standard network user should be able to request their digital certificate electronically and as simply as possible. • These processes have usually required intensive input from network administrators, and so have not been suited to large scale deployments. • Two authentication methods that SCEP provides are manual authentication and authentication based on pre-shared secret keys. Simple Certificate Enrollment Protocol  SCEP

  6. CA Server Support

  7. Asymmetric Encryption

  8. Entrust

  9. VeriSign On Site

  10. UniCERT Baltimore Technologies

  11. Microsoft CA

  12. Enroll a device with a CA

  13. Module 3: VPN and Encryption Technology Lesson 3.4 VPN Topologies

  14. VPNs • A VPN provides the same network connectivity for remote users over a public infrastructure as they would have over a private network. • VPN services for network connectivity include authentication, data integrity, and confidentiality. • Two basic VPN types: • LAN-to-LAN (Site to Site) VPNs • Intranet VPNs. • Extranet VPNs • Remote Access VPNs • Connect remote users, such as mobile users and telecommuters, to the enterprise.

  15. Site-to-site VPNs

  16. Remote access VPNs • There two types of Remote Access VPNs: • Client-initiated – Remote users use a VPN client or web browser to establish a secure tunnel across a public network to the enterprise. • NAS-initiated – Remote users dial in to an ISP Network Access Server (NAS). The NAS establishes a secure tunnel to the enterprise private network that might support multiple remote user-initiated sessions.

  17. Remote access VPNs

  18. Module 3: VPN and Encryption Technology Lesson 3.5 VPN Technologies

  19. VPN technology options

  20. VPN technology options • With implementation of encryption on one layer, this layer and all layers above it are automatically protected. • Network layer protection offers one of the most flexible solutions. • It is media independent as well as application independent.

  21. WebVPN

  22. WebVPN • Lets users establish a secure, remote-access VPN tunnel to a head-end device using a web browser. • Not a replacement for IPSec, but widens application availability. • No need for either a software or hardware client. • Provides easy access to a broad range of enterprise applications, • WebVPN uses the SSL protocol and its successor, TLS

  23. WebVPN Features

  24. WebVPN and IPSec comparison

  25. Tunneling Protocols

  26. Tunneling Protocols L2TP • Cisco used Layer 2 Forwarding (L2F) as its proprietary tunneling protocol. • L2TP is entirely backwards compatible with L2F. L2F is not forward compatible with L2TP. • L2TP, is a combination of Cisco L2F and Microsoft Point-to-Point Tunneling Protocol (PPTP). • Microsoft supports PPTP in its earlier versions of Windows and PPTP/L2TP in Windows NT/2000/XP. • L2TP allows users to invoke corporate security policies across any VPN link as an extension of their internal networks. • L2TP is best suited for remote access VPNs that require multiprotocol support.

  27. Tunneling Protocols GRE • Cisco GRE multiprotocol carrier encapsulates IP, CLNP, IPX, AppleTalk, DECnet Phase IV, and XNS inside IP tunnels. • Creates a virtual point-to-point link between routers across an IP cloud. • GRE is best suited for site-to-site VPNs that require multiprotocol support. • GRE is typically used to tunnel multicast packets such as routing protocols.

  28. Tunneling Protocols IPSEC • Is the choice for secure corporate VPNs. • Supports IP unicast traffic only. • For multiprotocol or IP multicast tunneling, another tunneling protocol must be used. • Neither L2TP or GRE supports data encryption or packet integrity. • IPSec can be used in combination to provide encryption, such as L2TP/IPSec and GRE/IPSec. • If only IP unicast packets are tunneled, simple encapsulation provided by IPSec is sufficient.

  29. Tunneling Protocols MPLS • MPLS is a VPN technology. • Implemented by ISPs and large corporations. • Uses label switching and label switched paths over various link level technologies. • Packet-over-SONET • Frame Relay • ATM • LAN technologies • Includes procedures and protocols for the distribution of labels between routers, encapsulations, and multicast considerations.

  30. Selecting VPN Technologies

  31. Tunneling Interfaces • Provide a point-to-point connection between two routers through a virtual software interface. • Appear as one direct link between routers hiding the underlying infrastructure • Should not to be confused with IPSec or L2TP tunnels, which can act as tunnels but not as true Cisco IOS interfaces.

  32. GRE Tunnel

  33. Module 3: VPN and Encryption Technology Lesson 3.6 IPSec

  34. Internet What Is IPsec? IPsec • IPsec is the IETF standard that enables encrypted communication between peers. • Consists of open standards for securing private communications • Ensures data confidentiality, integrity, and authentication through network layer encryption • Scales from small to very large networks

  35. AH and ESP

  36. IPSec Header

  37. Options for IPSec framework • AH and ESP use symmetric secret key algorithms, although public key algorithms are feasible • The IPSec framework provides data integrity, authentication, and confidentiality, as well as security association and key management

  38. Advantages of IPSec

  39. Authentication Header (AH) • Used to provide connectionless integrity and data origin authentication for IP datagrams, and to provide protection against replays. • Provides authentication for as much of the IP header as possible, as well as for upper level protocol data. • AH is defined as IP protocol 51. • May be applied alone, in combination with the IP ESP, or in a nested fashion through the use of tunnel mode. • ESP may be used to provide the same security services, and it also provides a confidentiality, or encryption, service. • The primary difference between the authentication services provided by ESP and AH is the extent of the coverage. • ESP does not protect any IP header fields unless ESP encapsulates those fields, or the fields are in tunnel mode  .

  40. AH Generation in IPSec

  41. AH Header Fields • The following are reasons to use AH even though ESP seems to do all the security services. • Requires less overhead than ESP. • Is never export-restricted. • Is mandatory for IPv6 compliance.

  42. Encapsulating Security Payload (ESP) • Used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service • Confidentiality may be selected independent of all other services. • However, use of confidentiality without integrity authentication, either in ESP or separately in AH, may subject traffic to certain forms of active attacks • ESP is defined as IP protocol 50.

  43. Encapsulating Security Payload (ESP) • Data origin authentication and connectionless integrity are joint services • Offered as an option in conjunction with optional confidentiality. • The anti-replay service may be selected only if data origin authentication is selected. • Its election is solely at the discretion of the receiver. • Anti-replay service is effective only if the receiver checks the sequence number. • Traffic flow confidentiality requires selection of tunnel mode. • Although both confidentiality and authentication are optional, at least one of them must be selected.

  44. Encapsulating Security Payload (ESP) • One of the most important values is the Security Parameters Index (SPI) • Keep track to the current SA between two IPSec devices. • Encryption is done with DES or 3DES. • Optional authentication and integrity are provided with HMAC, keyed SHA-1, or keyed MD5 • There are two different key types contained in the SA : • Encryption session keys • HMAC session keys

  45. Tunnel and transport modes • Transport mode • Each end host does IPSec encapsulation of its own data, host-to-host. • Tunnel mode • IPSec gateways provide IPSec services to other hosts in peer-to-peer tunnels. • End-hosts are not aware of IPSec being used

  46. Tunnel and transport modes • ESP and AH can be applied to IP packets in transport mode and tunnel mode. • In transport mode, • Security is provided only for the transport layer and above. • Protects the payload of the packet but leaves the original IP address in the clear. • Original IP address is used to route the packet through the Internet. • Tunnel mode • Provides security for the whole original IP packet. • Original IP packet is encrypted. • Encrypted packet is encapsulated in another IP packet.

  47. AH Header in Transport mode

  48. AH Header in Tunnel Mode

  49. ESP in Transport mode

  50. ESP in Tunnel mode

More Related