© 2003, Cisco Systems, Inc. All rights reserved. CSVPN
Lesson 3: Overview of Virtual Private Networks and IPSec Technologies

Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Define the three VPN solutions.
– Describe the three Cisco VPN product families and their related products.
– Identify IPSec and other open standards supported by Cisco VPN products.
– Identify the component technologies of IPSec.
– Explain how IPSec works.
Cisco VPN Products

Internet VPN Definition
VPN: an encrypted connection between private networks over a public network such as the Internet.
(Diagram: a mobile user and remote sites reach a server at the central site over analog, ISDN, cable or DSL links across the Internet.)

Remote Access VPNs
Remote access VPN: extension/evolution of dial.
(Diagram: mobile users, telecommuters and consumer-to-business extranet users connect from a remote access client over DSL or cable through an Internet POP to a router at the central site.)

Site-to-Site VPNs
Site-to-site VPN: extension of the classic WAN.
(Diagram: intranet and business-to-business extranet connections; a remote site router connects over DSL or cable through an Internet POP to the central site router.)

Firewall-Based VPN Solutions
(Diagram: intranet and business-to-business extranet connections between a central site and a remote site over the Internet, terminated on firewalls.)

VPN Product Function Matrix and Positioning

Remote Access VPNs: Concentrator
– Connection of remote sites, users, and partners across a VPN
– High-density, low-bandwidth connections
(Diagram: mobile, customer and telecommuter remote access clients connect through an Internet POP to the concentrator at the central site.)

Cisco VPN 3000 Concentrator Series

VPN Clients
– Certicom PDA IPSec VPN Client
– Hardware Client (small office)
– Cisco VPN Software Client

Site-to-Site VPNs: Cisco Routers
– Main office: 7100/7200/7400 Series
– Regional office: 3600/3700 Series
– Remote office: 1700/2600 Series
– Small office/home office: SOHO/800 Series

Cisco VPN Router Portfolio: SOHO and Small to Medium-Sized Enterprise
Positioning runs from teleworker/SOHO through SMB/small branch and enterprise branch to large branch, and on to enterprise HQ and beyond: Cisco 800, Cisco 1700, Cisco 1760, Cisco 2600XM/2691, Cisco 3600, Cisco 3725, Cisco 3745.

Small to Mid-Size Cisco VPN Router Details
– Hardware accelerators deliver enhanced encryption performance

Cisco VPN Router Portfolio: Large Enterprise and Service Provider
Large enterprise/service provider platforms: Cisco 7120, Cisco 7140, Cisco 7200, Cisco 7400, Cat 6500.

Enterprise Size and Service Provider Cisco VPN Router Details
– Hardware accelerators deliver enhanced encryption performance

Firewall-Based VPN: PIX Firewall
(Diagram: intranet, business-to-business extranet and remote user connections between the central site and a remote site over the Internet, terminated on PIX Firewalls.)

PIX Firewall Family Overview
Positioned by increasing performance and functionality, from SOHO through ROBO, SMB and enterprise to service provider (Gigabit Ethernet at the top of the range): PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535.

PIX Firewall Product Line Details

Cisco VPN Portfolio Summary
Cisco now provides the industry's broadest VPN solution set.
– Large enterprise: remote access: Concentrators 3060, 3080; site-to-site: CAT 6500, Routers 7100, 7200, 7400; firewall-based: PIX Firewall 525, 535
– Medium enterprise: remote access: Concentrator 3030; site-to-site: Routers 3700, 7100; firewall-based: PIX Firewall 515, 525
– Small business or branch office: remote access: Concentrators 3005, 3015; site-to-site: Routers 1700, 3600; firewall-based: PIX Firewalls 506, 515
– SOHO market: remote access: Cisco VPN Software Client, Hardware Client; site-to-site: Routers SOHO, 800; firewall-based: PIX Firewall 501, 506
VPN Interoperability

IPSec Overview
What Is IPSec?
IPSec acts at the network layer, protecting and authenticating IP packets.
– Framework of open standards; algorithm independent
– Provides data confidentiality, data integrity, and origin authentication
(Diagram: a corporate main site with a perimeter router, PIX Firewall and concentrator; IPSec peers reached through an Internet POP include a SOHO with a Cisco ISDN/DSL router, a mobile worker with the Cisco VPN Client on a laptop computer, a business partner with a Cisco router, and a regional office with a PIX Firewall.)

IPSec Security Services
– Confidentiality
– Data integrity
– Origin authentication
– Anti-replay protection

Confidentiality (Encryption)
(Diagram: an eavesdropper on the Internet reads an unprotected report sent to a server: "This quarterly report does not look so good. Hmmm.... Earnings off by 15%".)

Basics of Encryption
(Diagram: the cleartext check "Pay to Terry Smith $ One Hundred and xx/100 Dollars" passes through the encryption algorithm, crosses the Internet as ciphertext "4ehIDx67NMop9eR U78IOPotVBn45TR", and is turned back into the check by the recipient's encryption algorithm; the eavesdropper sees only the ciphertext: "Hmmm.... I cannot read a thing.")

DH Key Exchange
(Diagram: Terry and Alex exchange DH protocol messages across the Internet. Terry combines public key B with private key A to obtain shared secret key (AB); Alex combines public key A with private key B to obtain shared secret key (BA); the two keys are equal. The shared key then encrypts the data traffic (the check) on one side and decrypts it on the other.)

The DH Key Exchange Algorithm
Peer A:
1. Generate large integer p. Send p to Peer B. Receive q. Generate g.
2. Generate private key X_A.
3. Generate public key Y_A = g^X_A mod p.
4. Send public key Y_A.
5. Generate shared secret number ZZ = Y_B^X_A mod p.
6. Generate shared secret key from ZZ (DES, 3DES, or AES).
Peer B:
1. Generate large integer q. Send q to Peer A. Receive p. Generate g.
2. Generate private key X_B.
3. Generate public key Y_B = g^X_B mod p.
4. Send public key Y_B.
5. Generate shared secret number ZZ = Y_A^X_B mod p.
6. Generate shared secret key from ZZ (DES, 3DES, or AES).
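The six steps above, worked as an added Python example (not code from the Cisco course): a safe prime p is generated for the group, each peer derives its private key X, its public key Y = g^X mod p and the shared secret ZZ, and a 24-byte key for 3DES is derived from ZZ. The 64-bit toy prime, the generator g = 2 and the SHA-256 key derivation are assumptions for illustration; IKE uses its own larger DH groups and its own PRF for step 6.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; sufficient for generating a demo group."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_safe_prime(bits: int) -> int:
    """Step 1: generate the large integer p (p = 2q + 1, so g = 2 has a large order)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

class Peer:
    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.x = secrets.randbelow(p - 2) + 1          # step 2: private key X, never sent
        self.y = pow(g, self.x, p)                     # step 3: public key Y = g^X mod p

    def shared_key(self, peer_y: int, key_bytes: int = 24) -> bytes:
        if not 1 < peer_y < self.p - 1:                # reject 0, 1 and p-1 (degenerate values)
            raise ValueError("invalid peer public value")
        zz = pow(peer_y, self.x, self.p)               # step 5: ZZ = Y_peer^X mod p
        zz_bytes = zz.to_bytes((self.p.bit_length() + 7) // 8, "big")
        # step 6: derive a symmetric key from ZZ (SHA-256 is an assumption; 24 bytes = 3DES key)
        return hashlib.sha256(zz_bytes).digest()[:key_bytes]

def dh_exchange(bits: int = 64) -> tuple:
    """Run the exchange between Peer A and Peer B; step 4 is the swap of the Y values."""
    p, g = make_safe_prime(bits), 2                    # p and g are public
    a, b = Peer(p, g), Peer(p, g)
    return a.shared_key(b.y), b.shared_key(a.y)        # both sides arrive at the same key
```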
Encryption Algorithms
Encryption algorithms: DES, 3DES, AES, RSA.
(Diagram: the check is encrypted with the encryption key into "4ehIDx67NMop9eR U78IOPotVBn45TR" and decrypted with the decryption key back into the check.)

RSA Encryption
(Diagram: the local peer encrypts the check with the remote's public key, producing "KJklzeAidJfdlwiej47 DlItfd578MNSbXoE"; the remote decrypts it with its own private key.)

Data Integrity
(Diagram: the check "Pay to Terry Smith $ One Hundred and xx/100 Dollars" is altered in transit across the Internet to "Pay to Alex Jones $ One Thousand and xx/100 Dollars" by someone claiming "Yes, I am Alex Jones." The hash of the original, 4ehIDx67NMop9, no longer matches the hash of the altered message, 12ehqPx67NMoX. Match = no changes; no match = alterations.)

HMAC
(Diagram: the local peer runs the variable-length input message and the shared secret key through the hash function, producing 4ehIDx67NMop9, and sends message + hash. The remote runs the received message and the same shared secret key through the hash function and compares its result with the received hash.)

HMAC Algorithms
HMAC algorithms: HMAC-MD5, HMAC-SHA-1.
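The HMAC exchange of the two slides above, as an added Python example (not code from the Cisco course): the local side sends message + hash, the remote recomputes the hash under the shared secret key, and the altered check from the data integrity slide fails the comparison. The shared key value is constructed for the demo, and it also shows that a recomputed hash under a different key and a mismatch in the agreed HMAC algorithm both fail.

```python
import hashlib
import hmac

# The two HMAC variants named on the slide, mapped to hashlib digest names.
HMAC_ALGORITHMS = {"HMAC-MD5": "md5", "HMAC-SHA-1": "sha1"}

def hmac_tag(key: bytes, message: bytes, algorithm: str = "HMAC-SHA-1") -> bytes:
    """Keyed hash of a variable-length message under the shared secret key."""
    return hmac.new(key, message, HMAC_ALGORITHMS[algorithm]).digest()

def protect(key: bytes, message: bytes, algorithm: str = "HMAC-SHA-1") -> bytes:
    """Local side: send message + hash."""
    return message + hmac_tag(key, message, algorithm)

def verify(key: bytes, received: bytes, algorithm: str = "HMAC-SHA-1"):
    """Remote side: split off the hash, recompute it with the shared key, compare in constant time."""
    tag_len = hashlib.new(HMAC_ALGORITHMS[algorithm]).digest_size
    if len(received) < tag_len:
        return False, b""
    message, tag = received[:-tag_len], received[-tag_len:]
    return hmac.compare_digest(tag, hmac_tag(key, message, algorithm)), message

# Constructed demo key and the check from the slide
SHARED_KEY = b"constructed-demo-shared-secret"
CHECK = b"Pay to Terry Smith $ One Hundred and xx/100 Dollars"

def demo() -> tuple:
    """Returns (genuine ok, altered ok, forged ok, wrong-algorithm ok)."""
    wire = protect(SHARED_KEY, CHECK)
    genuine_ok, _ = verify(SHARED_KEY, wire)
    # Alteration in transit: payee and amount changed, hash left as sent -> no match
    altered = wire.replace(b"Terry Smith $ One Hundred", b"Alex Jones $ One Thousand")
    altered_ok, _ = verify(SHARED_KEY, altered)
    # Recomputed hash without the shared secret key -> still no match
    body = altered[:-20]
    forged_ok, _ = verify(SHARED_KEY, body + hmac_tag(b"not-the-shared-key", body))
    # Both peers must agree on the HMAC algorithm; verifying under the other one fails
    mismatch_ok, _ = verify(SHARED_KEY, wire, "HMAC-MD5")
    return genuine_ok, altered_ok, forged_ok, mismatch_ok
```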
Digital Signatures
(Diagram: the local peer runs the check through the hash algorithm, producing hash 4ehIDx67NMop9, and encrypts the hash with its private key; the result travels across the Internet with the message. The remote decrypts the hash with the local peer's public key, hashes the received message with the same hash algorithm, and checks that the two hashes match.)

Peer Authentication
Peer authentication methods:
– Pre-shared keys
– RSA signatures
– RSA encrypted nonces
(Diagram: a remote office and the corporate office with its HR servers authenticate each other across the Internet.)

Pre-Shared Keys
(Diagram: the local peer hashes Auth. Key + ID Information to produce the authenticating hash (Hash_I) and sends it with the ID Information across the Internet. The remote router hashes its own Auth. Key + the received ID Information to produce the computed hash and compares it with the received hash (Hash_I).)

RSA Signatures
(Diagram: step 1: each peer hashes Auth. key + ID Information to produce Hash_I and encrypts the hash with its private key to form a digital signature, which it sends with its digital cert and ID Information. Step 2: the receiver decrypts the digital signature with the sender's public key, hashes Auth. key + ID Information itself, and compares the two values of Hash_I.)

RSA Encrypted Nonces
(Diagram: as with pre-shared keys, the local peer sends the authenticating hash (Hash_I) + ID Information; the remote hashes Auth. key + ID Information to produce its computed hash (Hash_I) and compares it with the received hash (Hash_I).)
IPSec Protocol Framework

IPSec Security Protocols
Authentication Header: all data between Router A and Router B stays in clear text. The Authentication Header provides the following:
– Authentication
– Integrity
Encapsulating Security Payload: the data payload between Router A and Router B is encrypted. The Encapsulating Security Payload provides the following:
– Encryption
– Authentication
– Integrity

Authentication Header
– Ensures data integrity
– Provides origin authentication (ensures packets definitely came from the peer)
– Uses keyed-hash mechanism
– Does not provide confidentiality (no encryption)
– Provides anti-replay protection
(Diagram: all data in clear text between Router A and Router B.)

AH Authentication and Integrity
(Diagram: Router A hashes IP header + data + key to produce the authentication data (00ABCDEF), carried in the AH of the packet IP HDR | AH | Data across the Internet. Router B re-computes the hash over IP header + data + key (00ABCDEF) and compares it with the received hash (00ABCDEF).)

ESP
– Data confidentiality (encryption)
– Data integrity
– Data origin authentication
– Anti-replay protection
(Diagram: the data payload between Router A and Router B is encrypted.)

ESP Protocol
– Provides confidentiality with encryption
– Provides integrity with authentication
(Diagram: the original packet IP HDR | Data leaving the router becomes New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth on the Internet. IP HDR through ESP Trailer is encrypted; ESP HDR through ESP Trailer is authenticated.)

Modes of Use: Tunnel Versus Transport Mode
Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth. Data and ESP Trailer are encrypted; ESP HDR through ESP Trailer is authenticated.
Tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. The original IP HDR, Data and ESP Trailer are encrypted; ESP HDR through ESP Trailer is authenticated.

Tunnel Mode
(Diagram: tunnel mode between a remote office and the corporate office HR servers, and between a home office and the corporate office, across the Internet.)

IPSec Protocol Framework
Choices within the IPSec framework:
– IPSec protocol: ESP, AH, ESP + AH
– Encryption: DES, 3DES, AES
– Authentication: MD5, SHA
– Diffie-Hellman: DH1, DH2
How IPSec Works

Five Steps of IPSec
1. Interesting traffic: the VPN devices recognize the traffic to protect.
2. IKE Phase 1: the VPN devices negotiate an IKE security policy and establish a secure channel.
3. IKE Phase 2: the VPN devices negotiate an IPSec security policy used to protect IPSec data.
4. Data transfer: the VPN devices apply security services to traffic and then transmit the traffic.
5. Tunnel terminated: the tunnel is torn down.
(Diagram: Host A, Router A, Router B, Host B.)

Step 1: Interesting Traffic
(Diagram: for traffic from Host A to Host B, Router A decides per packet whether to apply IPSec, bypass IPSec, or discard it.)

Step 2: IKE Phase 1
IKE Phase 1: main mode exchange between Router A and Router B. Each side:
– Negotiates the policy
– Performs the DH exchange
– Verifies the peer identity

First and Second Exchange: IKE Policy Sets and Establishing a Shared Secret
– Negotiate IKE proposals: negotiates matching IKE transform sets to protect the IKE exchange
– A DH exchange is performed to establish a shared secret
IKE policy sets on the slide:
– Transform 10: DES, MD5, pre-share, DH1, lifetime
– Transform 15: DES, MD5, pre-share, DH1, lifetime
– Transform 20: 3DES, SHA, pre-share, DH1, lifetime

Third Exchange: Authenticate Peer Identity
Peer authentication methods:
– Pre-shared keys
– RSA signatures
– RSA encrypted nonces
(Diagram: a remote office and the corporate office with its HR servers authenticate each other across the Internet.)

Step 3: IKE Phase 2
Router A and Router B negotiate IPSec security parameters.

IPSec Transform Sets
A transform set is a combination of algorithms and protocols that enact a security policy for traffic. Router A and Router B negotiate transform sets.
IPSec transform sets on the slide:
– Transform set 30: ESP, 3DES, SHA, tunnel, lifetime
– Transform set 40: ESP, DES, MD5, tunnel, lifetime
– Transform set 55: ESP, 3DES, SHA, tunnel, lifetime
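The proposal matching of IKE Phase 1 (policy sets) and IKE Phase 2 (transform sets) from the two slides above, as an added Python example (not code from the Cisco course). The initiator offers its sets in ascending number order and the responder accepts the first one whose attributes it also has; which router holds which set, the lifetime values and the constructed set number 30 on Router B are assumptions, as is taking the smaller lifetime for the agreed SA.

```python
from dataclasses import dataclass, replace
from typing import Optional, Sequence

@dataclass(frozen=True)
class Proposal:
    number: int      # policy set / transform set number; lower numbers are offered first
    attrs: tuple     # attributes that must match exactly (algorithms, auth method, DH group, mode)
    lifetime: int    # seconds; assumption: the SA takes the smaller of the two peers' values

def negotiate(offered: Sequence[Proposal], acceptable: Sequence[Proposal]) -> Optional[Proposal]:
    """Responder accepts the first initiator proposal whose attributes it has configured."""
    for offer in sorted(offered, key=lambda p: p.number):
        for mine in acceptable:
            if offer.attrs == mine.attrs:
                return replace(offer, lifetime=min(offer.lifetime, mine.lifetime))
    return None   # no overlap: no SA is built and the tunnel never comes up

# IKE (Phase 1) policy sets from the slide; the split between routers is constructed here.
IKE_A = [Proposal(15, ("DES", "MD5", "pre-share", "DH1"), 86400),
         Proposal(10, ("DES", "MD5", "pre-share", "DH1"), 86400)]
IKE_B = [Proposal(20, ("3DES", "SHA", "pre-share", "DH1"), 86400)]

# IPSec (Phase 2) transform sets from the slide, split between routers the same way.
IPSEC_A = [Proposal(30, ("ESP", "3DES", "SHA", "tunnel"), 3600),
           Proposal(40, ("ESP", "DES", "MD5", "tunnel"), 3600)]
IPSEC_B = [Proposal(55, ("ESP", "3DES", "SHA", "tunnel"), 1800)]

def phase1() -> Optional[Proposal]:
    """Router A offers DES/MD5 only and Router B accepts 3DES/SHA only: Phase 1 fails."""
    return negotiate(IKE_A, IKE_B)

def phase1_after_fix() -> Optional[Proposal]:
    """Adding a DES/MD5 policy (constructed number 30) on Router B lets Phase 1 succeed,
    and the lowest-numbered matching set wins, so the weakest common set is what gets used."""
    return negotiate(IKE_A, IKE_B + [Proposal(30, ("DES", "MD5", "pre-share", "DH1"), 86400)])

def phase2() -> Optional[Proposal]:
    """Transform set 30 matches set 55; the SA lifetime drops to Router B's shorter value."""
    return negotiate(IPSEC_A, IPSEC_B)
```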
SA
Security policy database: encryption algorithm, authentication algorithm, mode, key lifetime.
SA database: destination IP address, SPI, protocol (ESP or AH).
(Diagram: two SAs toward a peer across the Internet: SPI 12, ESP/3DES/SHA, tunnel; SPI 39, ESP/DES/MD5, tunnel.)

SA Lifetime
– Data-based
– Time-based

Step 4: IPSec Session
SAs are exchanged between peers. The negotiated security services are applied to the traffic between Router A and Router B (the IPSec session).

Step 5: Tunnel Termination
A tunnel is terminated:
– By an SA lifetime timeout
– If the packet counter is exceeded
Termination removes the IPSec SA between Router A and Router B.
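Steps 1, 4 and 5 and the SA database of the slides above, as an added Python example (not code from the Cisco course): a security policy database classifies each packet as apply, bypass or discard, an SA database entry is identified by destination address, SPI and protocol, and an SA is removed once its time-based or data-based lifetime is exceeded. The addresses, SPIs, lifetimes and the default-discard rule are constructed assumptions.

```python
import ipaddress
import time
from dataclasses import dataclass, field

APPLY, BYPASS, DISCARD = "apply IPSec", "bypass IPSec", "discard"

@dataclass
class SecurityAssociation:
    """SA database entry: identified by destination address, SPI and protocol (ESP or AH)."""
    dst: str
    spi: int
    protocol: str
    transform: str            # e.g. "3DES/SHA"
    mode: str                 # "tunnel" or "transport"
    lifetime_seconds: int     # time-based lifetime
    lifetime_bytes: int       # data-based lifetime
    created: float = field(default_factory=time.monotonic)
    bytes_sent: int = 0

    def expired(self, now=None) -> bool:
        """Step 5: exceeding either lifetime tears the SA down."""
        now = time.monotonic() if now is None else now
        return (now - self.created >= self.lifetime_seconds
                or self.bytes_sent >= self.lifetime_bytes)

def classify(spd, src: str, dst: str) -> str:
    """Step 1: first matching SPD rule (src_net, dst_net, action) wins; no match = discard."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in spd:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return DISCARD

def handle_packet(spd, sad: dict, src: str, dst: str, length: int, sa_key: tuple, now=None) -> str:
    """Steps 1, 4 and 5 for one outbound packet; sa_key = (peer address, SPI, protocol)."""
    action = classify(spd, src, dst)
    if action != APPLY:
        return action
    sa = sad.get(sa_key)
    if sa is None or sa.expired(now):
        sad.pop(sa_key, None)             # remove the IPSec SA; IKE must negotiate a new one
        return "no valid SA"
    sa.bytes_sent += length               # counts toward the data-based lifetime
    return f"{sa.protocol} {sa.transform} {sa.mode} SPI {sa.spi}"

SPD = [("10.1.1.0/24", "10.2.2.0/24", APPLY),      # constructed: Host A's LAN to Host B's LAN
       ("10.1.1.0/24", "0.0.0.0/0", BYPASS)]       # constructed: everything else goes in the clear
def build_sad() -> dict:                           # constructed SAs toward peer router 203.0.113.2
    return {("203.0.113.2", 12, "ESP"): SecurityAssociation("203.0.113.2", 12, "ESP", "3DES/SHA", "tunnel", 3600, 10_000_000),
            ("203.0.113.2", 39, "ESP"): SecurityAssociation("203.0.113.2", 39, "ESP", "DES/MD5", "tunnel", 3600, 10_000_000)}
```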
Summary

Summary
– Cisco VPN components include Cisco VPN 3000 Series Concentrators, Cisco VPN routers, the PIX Firewall, and the Cisco VPN Client.
– Cisco supports the following IPSec standards: AH, ESP, DES, 3DES, AES, MD5, SHA, RSA signatures, IKE (also known as ISAKMP), DH, and CAs.
– There are five steps to IPSec: interesting traffic, IKE phase 1, IKE phase 2, IPSec encrypted traffic, and tunnel termination.
– IPSec SAs consist of a destination address, SPI, IPSec transform, mode, and SA lifetime value.