IPsec VPNs: IPsec Components and IPsec VPN Features (ISCW v1.0, module 4, lesson 1). © 2006 Cisco Systems, Inc. All rights reserved.

Presentation:



Transcript:

IPsec VPNs: IPsec Components and IPsec VPN Features

IPsec Overview

What Is IPsec?
IPsec is an IETF standard that employs cryptographic mechanisms at the network layer:
–Authentication of every IP packet
–Verification of data integrity for each packet
–Confidentiality of the packet payload
IPsec:
–Consists of open standards for securing private communications
–Scales from small to very large networks
–Is available in Cisco IOS software version 11.3(T) and later
–Is included in PIX Firewall version 5.0 and later

IPsec Security Features
IPsec is the only standard Layer 3 technology that provides:
–Confidentiality
–Data integrity
–Authentication
–Replay detection

IPsec Protocols
IPsec uses three main protocols to create a security framework:
–Internet Key Exchange (IKE):
  –Provides a framework for negotiation of security parameters
  –Establishes authenticated keys
–Encapsulating Security Payload (ESP):
  –Provides a framework for encrypting, authenticating, and securing data
–Authentication Header (AH):
  –Provides a framework for authenticating and securing data

IPsec Headers
IPsec provides the following:
–Authentication and data integrity (MD5 or SHA-1 HMAC): with AH and with ESP
–Confidentiality (DES, 3DES, or AES): only with ESP

Peer Authentication
Peer authentication methods:
–Username and password
–OTP (PIN/TAN)
–Biometric
–Preshared keys
–Digital certificates

Internet Key Exchange

Internet Key Exchange
IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process:
–Negotiation of SA characteristics
–Automatic key generation
–Automatic key refresh
–Manageable manual configuration

IKE Phases
–Phase 1:
  –Authenticate the peers
  –Negotiate a bidirectional SA
  –Main mode or aggressive mode
–Phase 1.5:
  –Xauth
  –Mode config
–Phase 2:
  –IPsec SAs/SPIs
  –Quick mode

IKE Modes

IKE: Other Functions

IKE: Other Functions
–Dead peer detection (DPD):
  –Bidirectional
  –Sent at periodic intervals
  –The sender must receive a reply or it disconnects
  –IKE keepalives, by contrast, are unidirectional and are sent every 10 seconds
–NAT traversal:
  –Defined in RFC 3947
  –Encapsulates the IPsec packet in a UDP packet
–Mode config (push config) and Xauth (user authentication)

IPsec and NAT: The Problem

IPsec NAT Traversal
NAT traversal is needed for IPsec over TCP/UDP:
–NAT traversal detection
–NAT traversal decision
–UDP encapsulation of IPsec packets
–UDP-encapsulated processing for software engines

Mode Configuration
Mechanism used to push attributes to IPsec VPN clients

Easy VPN
–Dynamically updated:
  –Central services and security policy
  –Offloads the VPN function from local devices
  –Client mode and network extension mode
–Centralized control:
  –Configuration and security policy are pushed at the time the VPN tunnel is established

Xauth
Mechanism used for user authentication of VPN clients

ESP and AH

ESP and AH
–IPsec protocols:
  –ESP or AH
  –ESP uses IP protocol number 50
  –AH uses IP protocol number 51
–IPsec modes:
  –Tunnel or transport mode
  –Tunnel mode creates a new, additional IP header
  –The message is concatenated with a symmetric key

ESP and AH Header
ESP allows encryption and authenticates the original packet. AH authenticates the whole packet (including the header) and does not allow encryption.
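The two points above that a receiver must act on are the IP protocol numbers (50 for ESP, 51 for AH) and the replay detection listed among IPsec's security features. The following added example (not from the Cisco deck) classifies constructed IPv4 packets by protocol number, reads the ESP SPI and sequence number, and implements the sliding anti-replay window that IPsec receivers use (RFC 4303 style, 64-entry width assumed here).

```python
import struct

ESP_PROTO = 50  # IP protocol number for ESP (from the slides)
AH_PROTO = 51   # IP protocol number for AH (from the slides)


def ipsec_protocol(ipv4_packet: bytes) -> str:
    """Classify an IPv4 packet as 'ESP', 'AH' or 'other' from header byte 9."""
    if len(ipv4_packet) < 20:
        raise ValueError("truncated IPv4 header")
    return {ESP_PROTO: "ESP", AH_PROTO: "AH"}.get(ipv4_packet[9], "other")


def esp_spi_seq(esp_payload: bytes) -> tuple:
    """ESP header starts with a 32-bit SPI and a 32-bit sequence number."""
    return struct.unpack("!II", esp_payload[:8])


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (no options, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


class AntiReplayWindow:
    """Receiver-side sliding window: bit i of the bitmap means sequence
    number (last - i) has already been accepted."""

    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.last:                    # new high-water mark: slide window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.size:
            return False                       # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay, drop
        self.bitmap |= 1 << offset             # late but unseen: accept
        return True


if __name__ == "__main__":
    w = AntiReplayWindow()
    pkt = build_ipv4(ESP_PROTO, struct.pack("!II", 0x1000, 7) + b"ciphertext")
    print(ipsec_protocol(pkt), esp_spi_seq(pkt[20:]), w.check_and_update(7))
```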

AH Authentication and Integrity

ESP Protocol
–Provides confidentiality with encryption
–Provides integrity with authentication

Tunnel and Transport Mode

Message Authentication and Integrity Check

Message Authentication and Integrity Check Using a Hash
A MAC is used for message authentication and integrity checking. Hashes are widely used for this purpose (HMAC).

Commonly Used Hash Functions
–MD5 provides 128-bit output.
–SHA-1 provides 160-bit output (only the first 96 bits are used in IPsec).
–SHA-1 is computationally slower than MD5, but more secure.
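The 96-bit truncation mentioned above is how the ICV in an AH or ESP packet is formed: the full HMAC is computed and only its first 12 bytes are sent and checked. This added example (not part of the deck) computes and verifies such a truncated HMAC over a constructed ESP header and payload, using the RFC 2202 HMAC test vectors to confirm the digest before truncation.

```python
import hashlib
import hmac

ICV_BYTES = 12  # 96 bits, as in HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404)


def full_digest_bits(algo: str) -> int:
    """Output size of the underlying hash: 128 for MD5, 160 for SHA-1."""
    return hashlib.new(algo).digest_size * 8


def compute_icv(key: bytes, data: bytes, algo: str = "sha1") -> bytes:
    """Full HMAC over the authenticated bytes, truncated to the 96-bit ICV."""
    return hmac.new(key, data, getattr(hashlib, algo)).digest()[:ICV_BYTES]


def verify_icv(key: bytes, data: bytes, icv: bytes, algo: str = "sha1") -> bool:
    """Constant-time compare so timing never reveals how many ICV bytes matched."""
    return hmac.compare_digest(compute_icv(key, data, algo), icv)


def authenticate_esp(key: bytes, spi_seq_and_ciphertext: bytes) -> bytes:
    """Sender side: append the ICV to an (already encrypted) ESP packet body."""
    return spi_seq_and_ciphertext + compute_icv(key, spi_seq_and_ciphertext)


def check_esp(key: bytes, packet: bytes) -> bool:
    """Receiver side: split off the trailing ICV and verify it over the rest."""
    if len(packet) <= ICV_BYTES:
        return False
    body, icv = packet[:-ICV_BYTES], packet[-ICV_BYTES:]
    return verify_icv(key, body, icv)


if __name__ == "__main__":
    key = b"constructed-sample-key"                       # constructed, not a real key
    body = bytes.fromhex("00001000" "00000007") + b"ciphertext-bytes"  # SPI, seq, payload
    pkt = authenticate_esp(key, body)
    tampered = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]  # flip one payload bit
    print(check_esp(key, pkt), check_esp(key, tampered))      # True False
```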

Symmetric vs. Asymmetric Encryption Algorithms

Symmetric vs. Asymmetric Encryption Algorithms
–Symmetric algorithm:
  –Secret key cryptography
  –Encryption and decryption use the same key
  –Typically used to encrypt the content of a message
  –Examples: DES, 3DES, AES
–Asymmetric algorithm:
  –Public key cryptography
  –Encryption and decryption use different keys
  –Typically used in digital certification and key management
  –Example: RSA

Key Lengths of Symmetric vs. Asymmetric Encryption Algorithms
Table: Symmetric Key Length vs. Asymmetric Key Length (values not captured in the transcript)
Comparable key lengths required for asymmetric keys compared to symmetric keys

Security Level of Cryptographic Algorithms
Security Level | Work Factor | Algorithms
Weak           | O(2^40)     | DES, MD5
Legacy         | O(2^64)     | RC4, SHA-1
Baseline       | O(2^80)     | 3DES
Standard       | O(2^128)    | AES-128, SHA-256
High           | O(2^192)    | AES-192, SHA-384
Ultra          | O(2^256)    | AES-256, SHA-512

Symmetric Encryption: DES
–Symmetric key encryption algorithm
–Block cipher: works on 64-bit data blocks and uses a 56-bit key (the last bit of each key byte is used for parity)
–Mode of operation: how DES is applied to encrypt successive blocks of data

Symmetric Encryption: 3DES
–168-bit total key length
–The mode of operation decides how DES is applied three times
–Normally: encrypt, decrypt, encrypt
–3DES requires more processing than DES

Symmetric Encryption: AES
–Formerly known as Rijndael
–Successor to DES and 3DES
–Symmetric key block cipher
–Strong encryption with a long expected life
–AES supports 128-, 192-, and 256-bit keys; a 128-bit key is considered safe

Asymmetric Encryption: RSA
–Based on Diffie-Hellman key exchange (IKE) principles
–Public key to encrypt data and to verify digital signatures
–Private key to decrypt data and to sign with a digital signature
–Well suited to insecure communication channels

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange (Cont.)

PKI Environment

Certificate Authority
–The trust basis of a PKI system
–Verifies user identity and issues certificates by binding the identity of a user to a public key with a digital certificate
–Revokes certificates and publishes the CRL
–In-house implementation or outsourcing

X.509 v3 Certificate

PKI Message Exchange

PKI Credentials
How to store PKI credentials (RSA keys and certificates):
–NVRAM
–eToken:
  –Cisco 871, 1800, 2800, 3800 Series routers
  –Cisco IOS Release 12.3(14)T image
  –Cisco USB eToken
  –A k9 image

Summary
–IPsec provides a mechanism for secure data transmission over IP networks.
–The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard.
–IKE has some additional functions: DPD, NAT traversal, encapsulation in UDP packets, config mode, and Xauth.
–The two IP protocols used in the IPsec standard are ESP and AH.
–For message authentication and integrity checking, an HMAC is used.
–The two types of encryption are symmetric encryption and asymmetric encryption.
–PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network.