Lesson 9: SAFE Remote-User Network Implementation
© 2005 Cisco Systems, Inc. All rights reserved. CSI v2.19-1
Design Overview

Design Overview: Remote-User Connectivity
There are four options for remote-user connectivity:
– Software client option
– Remote-site firewall option
– VPN hardware client option
– Remote-site router option
Figure: the four options (software client option, remote-site firewall option, remote-site router option, hardware VPN client option), each reaching the ISP and the ISP edge module. Labels: Cisco VPN Software Client with Personal Firewall, Home Office Firewall with VPN, Router with Firewall and VPN, Cisco VPN Hardware Client, Broadband Access Device (optional).

IPSec Remote-User-to-LAN Tunneling
The result of implementing IPSec remote-user-to-LAN tunneling is that the security perimeter of your organization is extended to include the remote sites.
Figure: telecommuter or mobile worker (client IP address and VPN adapter IP address), ISP, Internet, VPN device (public IP and private IP), application server.

IPSec Remote-User-to-LAN Components
– Remote VPN client
– IPSec, IKE, and PPP protocols
– Cisco VPN Concentrator as the headend device
Figure: telecommuter or mobile worker with PPP dial-access connectivity to the ISP; IPSec tunnel or session across the Internet to the VPN headend device and the application server.
Key Devices and Threat Mitigation

SAFE Remote User: Key Devices
The following are the key devices:
– Broadband access devices
– Firewalls with VPN support
– Layer 2 hubs
– Personal firewall software
– Routers with firewall and VPN support
– Cisco VPN Software Client
– Cisco VPN Hardware Client
Figure: ISP; broadband access device; firewall with a VPN or a router with a firewall and VPN; hub; hardware or software client.

Threat Mitigation in Remote-User Networks
The following threats are common to most remote-user networks:
– Unauthorized access
– Network reconnaissance
– Virus and Trojan horse attacks
– IP spoofing
– Man-in-the-middle attacks

Mitigation Options Overview
There are four basic VPN options available to mitigate threats:
– Hardware options
  – Cisco VPN Hardware Client
  – Remote-site firewall
  – Remote-site router
– Software option: Cisco VPN Software Client access
Software Access Option

Software Access Option: Attack Mitigation Roles
Figure: ISP edge module, ISP, Cisco VPN Software Client with a personal firewall. Roles: remote-site authentication, IPSec termination, and personal firewall and virus scanning for local attack mitigation.

Software Access Option: Design Guidelines
– Geared toward the mobile and home-office worker.
– The remote user needs VPN software and Internet access.
– Authentication and configuration are controlled from the headquarters.
– Split tunneling is disabled when the VPN tunnel is operational.
– Personal firewall software is recommended to protect the remote user when split tunneling is enabled or the VPN is not connected.
– Virus-scanning software is recommended.

Software Access Option: Implementation
The Cisco VPN Client Version 3.5 or higher is the recommended product for implementation of the software access option:
– Integrated VPN and firewall functionality
– Simple installation process
– Configuration via the headend VPN termination device
Cisco VPN Client for Windows (screenshot)

Cisco VPN Client for Windows: Run Mode and Simple Mode (screenshot)

Main Tabs: Connection Entries, Certificates, Log (screenshot)

Menus: Connection Entries (screenshot)

Menus: Status (screenshot)

Menus: Certificates (screenshot)

Menus: Log (screenshot)

Menus: Options (screenshot)

Creating a New Connection: Authentication (screenshot)
Concentrator authentication: the end user never sees this after the initial configuration.

Creating a New Connection: Transport (screenshot)

Creating a New Connection: Backup Servers (screenshot)

Creating a New Connection: Dialup (screenshot)
Remote-Site Firewall Option

Remote-Site Firewall: Attack Mitigation Roles
Figure: ISP, broadband access device, home-office firewall with VPN. Firewall roles: stateful packet filtering, basic Layer 7 filtering, host DoS mitigation, remote-site authentication, and IPSec termination. Hosts: virus scanning for local attack mitigation.

Remote-Site Firewall: Design Guidelines
– Geared toward a home-office worker or a very small branch office
– Provides connection-state enforcement
– Termination point for site-to-site IPSec
  – For remote management and production
  – Individual software (firewall or VPN) for the client is not needed
  – NAT is not used in the IPSec tunnel
  – Device authentication is used at the headend
  – Allows split tunneling
– Authentication is controlled from the headquarters
– Virus-checking software is still recommended
– Personal firewall software can be used to protect the remote user when split tunneling is enabled
– An IDS can be used on a PIX Firewall

PIX Security Appliances: Implementation Commands Summary
The following are the mitigation roles of, and the necessary implementation commands for, the PIX Security Appliances:
– Stateful packet filtering (this is the default for the PIX Security Appliances)
– Host DoS mitigation
  – ip verify reverse-path interface
  – icmp
  – attack guard commands (except for frag guard, these are on by default)
  – static/nat
– Spoof mitigation and RFC filtering
  – access-list
  – access-group

PIX Security Appliances: Implementation Commands Summary (Cont.)
– Remote-site authentication (and logging)
  – aaa-server
  – aaa authentication
  – logging on
– IPSec termination
  – sysopt connection permit-ipsec
  – isakmp enable
  – isakmp key
  – isakmp policy
  – crypto ipsec transform-set
  – crypto map
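The spoof mitigation and RFC filtering entry above names only the commands (access-list, access-group, ip verify reverse-path). As an added example that is not part of the course material, the following Python script generates the PIX 6.x anti-spoofing access-list those commands build (RFC 1918 and RFC 2827 source filtering on the outside interface) and classifies a source address against the same rules. The ACL name, interface name and the site's public block (an RFC 5737 documentation range) are constructed assumptions.

```python
"""Generate the PIX 'spoof mitigation and RFC filtering' configuration
(access-list / access-group plus ip verify reverse-path) and classify a
packet's source address against the same rules."""

import ipaddress

# RFC 1918 private space, loopback and "this network" must never arrive from
# the Internet as a source address (RFC 2827 ingress filtering).
BOGON_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "0.0.0.0/8"]

# Constructed example: the public block assigned to the remote site (an RFC 5737
# documentation range, not a real allocation). A packet arriving from the
# Internet that claims a source inside it is spoofed by definition.
OWN_PUBLIC = ["198.51.100.0/24"]


def spoofed_sources(own_public=OWN_PUBLIC):
    """All source networks that must be rejected on the outside interface."""
    return [ipaddress.ip_network(n) for n in BOGON_SOURCES + list(own_public)]


def is_spoofed_source(src, own_public=OWN_PUBLIC):
    """True if a packet from the Internet with this source address is spoofed."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in spoofed_sources(own_public))


def pix_antispoof_config(acl_name="outside_in", interface="outside",
                         own_public=OWN_PUBLIC, permits=()):
    """Return PIX 6.x configuration lines. PIX access-lists take a subnet mask
    (not an IOS wildcard). Deny entries come first, then the explicit permits
    the caller supplies (for example inbound services to a DMZ); anything not
    matched is dropped by the implicit deny at the end of the list."""
    lines = [f"ip verify reverse-path interface {interface}"]
    for net in spoofed_sources(own_public):
        lines.append(f"access-list {acl_name} deny ip "
                     f"{net.network_address} {net.netmask} any")
    lines.extend(f"access-list {acl_name} {p}" for p in permits)
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


if __name__ == "__main__":
    print("\n".join(pix_antispoof_config()))
```

The unicast RPF check (ip verify reverse-path) and the ACL overlap on purpose: RPF catches sources for which the PIX has no route back out of the receiving interface, while the ACL catches the well-known ranges even when a default route would otherwise make them pass.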
Terminate IPSec: sysopt connection permit-ipsec and isakmp enable
sysopt connection permit-ipsec implicitly permits any packet that came from an IPSec tunnel and bypasses the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.
pixfirewall(config)# sysopt connection permit-ipsec
isakmp enable enables ISAKMP negotiation on the interface on which the IPSec peer will communicate with the PIX Security Appliance. This is enabled by default.
pixfirewall(config)# isakmp enable outside

Terminate IPSec: isakmp key
Specifies the authentication pre-shared key. You can use any combination of alphanumeric characters up to 128 bytes. The pre-shared key must be identical at both peers.
pixfirewall(config)# isakmp key cisco1234 address <peer-address> netmask <mask>

Terminate IPSec: isakmp policy
Sets the various parameters of the IKE policy that will be used.
pixfirewall(config)# isakmp policy 10 encryption 3des
pixfirewall(config)# isakmp policy 10 hash sha
pixfirewall(config)# isakmp policy 10 authentication pre-share
pixfirewall(config)# isakmp policy 10 group 1
pixfirewall(config)# isakmp policy 10 lifetime 86400

Terminate IPSec: crypto ipsec transform-set
Creates, views, or deletes IPSec SAs, SA global lifetime values, and global transform sets. You can specify up to three transforms. Transforms define the IPSec security protocols and algorithms. Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.
pixfirewall(config)# crypto ipsec transform-set myset esp-3des

Terminate IPSec: crypto map
Creates the crypto map entry that ties together the crypto ACL (the traffic to protect), the IPSec peer, and the transform set, and applies the map to the outside interface.
pixfirewall(config)# crypto map branch 10 ipsec-isakmp
pixfirewall(config)# crypto map branch 10 match address NONAT_PSS
pixfirewall(config)# crypto map branch 10 set peer <peer-address>
pixfirewall(config)# crypto map branch 10 set transform-set myset
pixfirewall(config)# crypto map branch interface outside
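The five slides above are one procedure. As an added example that is not part of the course material, the following Python script assembles those PIX commands from the parameters and checks the two things the slides say must agree between the remote-site PIX and the headend: the pre-shared key (alphanumeric, at most 128 bytes, identical on both peers) and the IKE policy. The headend address (an RFC 5737 documentation value), the crypto ACL name NONAT_PSS taken from the slide, and the function names are constructed assumptions; the policy-matching rule is the one Cisco documents for IKE.

```python
"""Assemble the PIX IPSec-termination commands from the slides and check the
IKE phase 1 parameters that must agree between the two peers."""

# Constructed example values (RFC 5737 documentation address, not a real site).
HEADEND_PEER = "192.0.2.1"
CRYPTO_ACL = "NONAT_PSS"      # name used in the slide's crypto map

# IKE policy of the remote-site PIX, exactly as on the 'isakmp policy' slide.
BRANCH_POLICY = {"encryption": "3des", "hash": "sha",
                 "authentication": "pre-share", "group": "1", "lifetime": 86400}

# Parameters that must be identical on both peers for phase 1 to complete.
IKE_EXACT_MATCH = ("encryption", "hash", "authentication", "group")


def validate_psk(psk):
    """The slide limits the pre-shared key to alphanumerics, up to 128 bytes;
    the same string has to be configured on both peers."""
    if not psk.isalnum():
        raise ValueError("pre-shared key must be alphanumeric")
    if not 1 <= len(psk.encode()) <= 128:
        raise ValueError("pre-shared key must be 1..128 bytes")
    return True


def negotiate_ike_policy(local, proposed):
    """Return the parameters the peers agree on, or None if phase 1 fails.
    Encryption, hash, authentication method and DH group must be identical;
    the proposing peer's lifetime must not exceed ours, and the shorter
    lifetime is used (the matching rule Cisco documents for IKE policies)."""
    if any(local[f] != proposed[f] for f in IKE_EXACT_MATCH):
        return None
    if proposed["lifetime"] > local["lifetime"]:
        return None
    return {**local, "lifetime": min(local["lifetime"], proposed["lifetime"])}


def pix_ipsec_termination(peer, psk, policy, crypto_acl, transform="esp-3des",
                          map_name="branch", seq=10, interface="outside"):
    """PIX 6.x commands in the order the slides present them."""
    validate_psk(psk)
    return [
        # Decrypted tunnel traffic bypasses the interface ACLs, so the crypto
        # ACL is the only thing limiting what arrives through the tunnel.
        "sysopt connection permit-ipsec",
        f"isakmp enable {interface}",
        f"isakmp key {psk} address {peer} netmask 255.255.255.255",
        f"isakmp policy {seq} encryption {policy['encryption']}",
        f"isakmp policy {seq} hash {policy['hash']}",
        f"isakmp policy {seq} authentication {policy['authentication']}",
        f"isakmp policy {seq} group {policy['group']}",
        f"isakmp policy {seq} lifetime {policy['lifetime']}",
        f"crypto ipsec transform-set myset {transform}",
        f"crypto map {map_name} {seq} ipsec-isakmp",
        f"crypto map {map_name} {seq} match address {crypto_acl}",
        f"crypto map {map_name} {seq} set peer {peer}",
        f"crypto map {map_name} {seq} set transform-set myset",
        f"crypto map {map_name} interface {interface}",
    ]


if __name__ == "__main__":
    # cisco1234 is the slide's own example key, not a recommended value
    print("\n".join(pix_ipsec_termination(HEADEND_PEER, "cisco1234",
                                          BRANCH_POLICY, CRYPTO_ACL)))
    print(negotiate_ike_policy(BRANCH_POLICY, {**BRANCH_POLICY, "lifetime": 28800}))
```

When a tunnel refuses to come up, negotiate_ike_policy applied to the two sides' configured policies is the first thing to compare: a hash or group mismatch fails silently in phase 1, and a longer lifetime proposed by the initiator is also rejected rather than shortened.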
VPN Hardware Client Option

VPN Hardware Client: Attack Mitigation Roles
Figure: ISP, broadband access device, Cisco VPN Hardware Client. Hardware client: remote-site authentication and IPSec termination. Hosts: personal firewall and virus scanning for local attack mitigation.

VPN Hardware Client: Design Guidelines
– Has the same guidelines as the remote-site firewall option, except that the Cisco VPN Hardware Client does not have a resident stateful firewall.
– Use a personal firewall on individual hosts (if split tunneling will be used).
– If no personal firewall is in use, security behind the VPN device is dependent upon NAT (with split tunneling enabled).
– Access and authentication are controlled from the headquarters.
– Configuration and security management are done from the headquarters.
– Cisco VPN Client software is not needed.

VPN Hardware Client: Implementation
Welcome to Cisco Systems VPN 3000 Concentrator Series Command Line Interface
Copyright (C) Cisco Systems, Inc.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

GUI: table of contents, Manager toolbar, Manager window (screenshot)

Quick Configuration (screenshot)

Quick Configuration Example Screens (screenshot)

Launching the Client (screenshot)
Remote-Site Router Option

Remote-Site Router: Attack Mitigation Roles
Figure: ISP, broadband access device, router with a firewall and a VPN. Router: host DoS mitigation, stateful packet filtering, basic Layer 7 filtering, remote-site authentication, and IPSec termination. Hosts: virus scanning for local attack mitigation.

Remote-Site Router: Design Guidelines
– Uses the same guidelines as the remote-site firewall option.
– The router can support QoS, routing, and more encapsulation options.
– Broadband capability can be integrated into the router:
  – This removes the need for a separate broadband access device.
  – This is typically managed by a service provider.
– An IDS on a router can be used (may not be available on all router platforms).

Cisco IOS: Implementation Commands Summary
The following are the mitigation roles of, and the necessary implementation commands for, Cisco IOS:
– Stateful packet filtering (part of CBAC on Cisco IOS routers)
– Spoof mitigation and RFC filtering
  – access-list
  – access-group
– Host DoS mitigation and basic Layer 7 filtering
  – ip inspect
– Remote-site authentication (and logging)
  – aaa new-model
  – tacacs-server
  – aaa authentication login
  – aaa authorization exec
  – aaa accounting exec
  – login authentication

Cisco IOS: Implementation Commands Summary (Cont.)
– IPSec commands: provide for IPSec tunnel termination
  – crypto isakmp policy
    – encryption
    – authentication
    – group
  – crypto isakmp key
  – crypto ipsec transform-set
  – crypto map
    – set peer
    – set transform-set
    – match address
Terminate IPSec: Enable IKE and Define IKE Policy
Enables IKE:
router(config)# crypto isakmp enable
Defines an IKE policy and invokes the ISAKMP policy configuration (config-isakmp) command mode:
router(config)# crypto isakmp policy 110
router(config-isakmp)#

Terminate IPSec: ISAKMP Policy Configuration
While in the ISAKMP policy configuration command mode, the commands shown below are available to specify the parameters in the policy. If you do not specify one of these commands for a policy, the default value will be used for that parameter.
router(config-isakmp)# encryption 3des
router(config-isakmp)# hash sha
router(config-isakmp)# authentication pre-share
router(config-isakmp)# group 1
router(config-isakmp)# lifetime 86400

Terminate IPSec: Configure an Authentication Key and Define a Transform Set
Configures a pre-shared authentication key:
router(config)# crypto isakmp key cisco1234 address <peer-address>
Defines a transform set and invokes the crypto transform configuration mode:
router(config)# crypto ipsec transform-set myset esp-3des
router(cfg-crypto-trans)#

Terminate IPSec: Specify the Mode and Create a Crypto Map
Specifies the mode for a transform set:
router(cfg-crypto-trans)# mode tunnel
Creates or modifies a crypto map entry and enters the crypto map configuration mode:
router(config)# crypto map mymap 10 ipsec-isakmp
router(config-crypto-map)#

Terminate IPSec: Identify an ACL and Specify Transform Sets
Identifies the extended ACL:
router(config-crypto-map)# match address 103
Specifies which transform sets can be used with the crypto map entry:
router(config-crypto-map)# set transform-set myset

Terminate IPSec: Specify an IPSec Peer and Apply a Crypto Map to the Interface
Specifies the IPSec peer:
router(config-crypto-map)# set peer <peer-address>
Applies a previously defined crypto map set to an interface:
router(config-if)# crypto map mymap
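The six slides above walk through one IOS configuration, and the usual failure in practice is a crypto map that is missing one of its pieces or was never applied to an interface. As an added example that is not part of the course material, the following Python script audits a running-config for exactly those omissions: every crypto map entry needs set peer, set transform-set and match address, the transform set and ACL it names must exist, each peer needs a crypto isakmp key, and the map must be applied under an interface. The sample config is the slides' commands assembled into one constructed config (RFC 5737 documentation addresses); the "weak" table reflects current guidance on DH group 1 and 3DES, not the course's 2005 recommendation, and the function names are assumptions.

```python
"""Audit a Cisco IOS IPSec/IKE configuration for the remote-site router option.
Checks that every crypto map entry is complete (peer, transform set, crypto ACL)
and applied to an interface, that every peer has a pre-shared key, and flags IKE
policy values that are weak by current standards."""

from collections import defaultdict

# Constructed sample: the slides' commands assembled into one complete config.
# Addresses come from the RFC 5737 documentation ranges; nothing here is real.
SAMPLE_CONFIG = """\
crypto isakmp policy 110
 encryption 3des
 hash sha
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp key cisco1234 address 192.0.2.1
!
crypto ipsec transform-set myset esp-3des
 mode tunnel
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set myset
 match address 103
!
access-list 103 permit ip 10.2.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
interface Ethernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map mymap
"""

# Values the slides use (2005) that no longer meet current guidance.
WEAK = {"group": {"1", "2"}, "encryption": {"des", "3des"}, "hash": {"md5"}}

REQUIRED_IN_MAP = ("set peer", "set transform-set", "match address")


def parse_blocks(text):
    """Group the config into (command, [subcommands]) pairs. IOS indents
    submode lines by one space; '!' separator lines are skipped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line.strip(), []))
    return blocks


def audit(text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    findings = []
    maps = defaultdict(dict)            # map name -> seq -> {subcommand: value}
    transform_sets, acls, keyed_peers, applied = set(), set(), set(), set()
    for command, subs in parse_blocks(text):
        w = command.split()
        if command.startswith("crypto isakmp policy"):
            for sub in subs:
                key, _, value = sub.partition(" ")
                if value in WEAK.get(key, ()):
                    findings.append(("WARN", f"IKE policy {w[3]}: weak {key} {value}"))
        elif command.startswith("crypto isakmp key"):
            keyed_peers.add(w[5])       # crypto isakmp key KEY address PEER
        elif command.startswith("crypto ipsec transform-set"):
            transform_sets.add(w[3])
        elif command.startswith("crypto map") and len(w) >= 5 and w[4] == "ipsec-isakmp":
            entry = maps[w[2]].setdefault(w[3], {})
            for sub in subs:
                key, _, value = sub.rpartition(" ")
                entry[key] = value
        elif command.startswith("access-list"):
            acls.add(w[1])
        elif command.startswith("interface"):
            applied.update(s.split()[2] for s in subs if s.startswith("crypto map "))
    for name, entries in maps.items():
        if name not in applied:
            findings.append(("ERROR", f"crypto map {name} is not applied to any interface"))
        for seq, entry in entries.items():
            where = f"crypto map {name} {seq}"
            for required in REQUIRED_IN_MAP:
                if required not in entry:
                    findings.append(("ERROR", f"{where}: missing '{required}'"))
            peer = entry.get("set peer")
            if peer and peer not in keyed_peers:
                findings.append(("ERROR", f"{where}: no isakmp key configured for peer {peer}"))
            ts = entry.get("set transform-set")
            if ts and ts not in transform_sets:
                findings.append(("ERROR", f"{where}: transform set {ts} is not defined"))
            acl = entry.get("match address")
            if acl and acl not in acls:
                findings.append(("ERROR", f"{where}: crypto ACL {acl} is not defined"))
    return findings


def errors(text):
    """Only the ERROR-level messages, for a quick pass/fail."""
    return [msg for sev, msg in audit(text) if sev == "ERROR"]


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(severity, message)
```

Run against the sample the audit reports no errors but two warnings (group 1 and 3des), which is the expected outcome for a configuration copied from these slides; the crypto ACL 103 is also worth reading by hand, because it is the only thing that decides which traffic is encrypted rather than sent in the clear.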
Summary
The following are the key devices in a remote-user network:
– Broadband access devices
– Firewalls with VPN support
– Layer 2 hubs
– Personal firewall software
– Routers with firewall and VPN support
– Cisco VPN Software Clients
– Cisco VPN Hardware Clients

Summary (Cont.)
The following threats can be expected:
– Unauthorized access
– Network reconnaissance
– Virus and Trojan horse attacks
– IP spoofing
– Man-in-the-middle attacks
Four basic options are available to mitigate threats: one is software-based, and three are hardware-based.

Lab Visual Objective
Figure: lab topology for pod P (1–10). Labels include PIX pP, router rP, sensor sensorP, super server (WWW, FTP) on the DMZ and private segments, RTS, RBB, VPN client, branch router brP on branch network 10.2.P.0/24, and 10.0.P.11 (Student); networks are shown as P.0/24 with the pod number P.