
VPN Types and Ipsec VPN Features Inecert.com

Dec 01, 2015


Waqas Younas

Read all the types of VPN and the IPSEC core features and terms.
Like our Facebook page or join our study group for more.
Page 1: VPN Types and Ipsec VPN Features Inecert.com

This Document is The property of INECERT.com and issued just for Knowledge no Selling of this document. INECERT will not be responsible for Any illegal use of this document

VPN TYPES and IPSEC Basic Protocols and Features

What you can learn from this document:

1) Types of VPN

2) What is IPSEC?

a. Core Concept of IPSEC

b. Features of IPSEC.

c. ESP and AH Protocol Features and Working

VPN (Virtual Private Network):

There are three types of VPN topologies:

1. INTERNET VPN:

A private communication channel over the internet using public IPs. This type of VPN has the following two sub-categories:

a. Connecting remote offices across the internet

b. Connecting remote dial-up users to their home gateway via an ISP

2. INTRANET VPN:

A private communication channel within a private network; it may or may not use a WAN connection for communication.

3. EXTRANET VPN:

A private communication channel between two separate entities; it may use the internet or some other WAN media.

VPN types:

1. IPSEC VPN:

2. Remote Access VPN

3. Site to site VPN

4. SSL VPN (web VPN)

5. AnyConnect VPN:

Cisco's tunnel-based solution is called AnyConnect VPN.

IPSEC VPN:

IPSec was defined in RFC 2401.


IPSec is not a single protocol; it is an architecture made up of protocols. IPSec is used to negotiate, establish, authenticate, manage keys, encrypt/decrypt and control data. Two VPN types are called IPSec VPNs (Remote Access and Site-to-Site VPN). IPSec enables the following security appliance VPN features:

1. Data confidentiality:

The IPSec sender can encrypt packets before transmitting them across a network.

2. Data integrity:

The IPSec receiver can authenticate IPSec peers and packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

3. Data origin authentication:

The IPSec receiver can authenticate the source of the IPSec packets that are sent. This service is dependent upon the data integrity service.

4. Anti-replay:

The IPSec receiver can detect and reject replayed packets, helping to prevent spoofing and man-in-the-middle attacks.

IPSEC FEATURES:

Transport mode: Protects the payload of the original IP datagram; typically used for end-to-end sessions.

Tunnel mode: Protects the entire IP datagram by encapsulating it in a new IP datagram.

IPSec consists of open standards for securing private communications.

IPSec provides network layer encryption that ensures data confidentiality, integrity, and authentication.

IPSec scales from small to very large networks.

IPSec acts at the network layer, protecting and authenticating IP packets between a security appliance and other participating IPSec devices.

Cisco security appliances support the following IPSec and related standards:

IPSec

Internet Key Exchange (IKE)

Data Encryption Standard (DES)

Triple Data Encryption Standard (3DES)

Advanced Encryption Standard (AES)

Diffie-Hellman (DH)

Message Digest 5 (MD5)

Secure Hash Algorithm-1 (SHA-1)

Rivest, Shamir, and Adleman (RSA) Signature

Certificate Authority (CA)

IPSec consists of the following two main protocols:

1) Authentication Header (AH):

A security protocol that provides authentication and optional replay-detection services. AH acts as a “digital signature” to ensure that tampering has not occurred with the data in the IP packet. AH does not provide data encryption and decryption services. AH is not supported on your security appliance.

2) Encapsulating Security Payload (ESP):

A security protocol that provides data confidentiality and protection with optional authentication and replay-detection services. The security appliance uses ESP to encrypt the data payload of IP packets. Below are the core concepts and features of ESP; I will describe more in my tutorial for IPSEC.

I. Internet Key Exchange:

IKE is a hybrid protocol that provides utility services for IPSec: authentication of the IPSec peers, negotiation of IKE and IPSec security associations (SAs), and establishment of keys for encryption algorithms used by IPSec. IKE is synonymous with Internet Security Association and Key Management Protocol (ISAKMP) in security appliance configuration.

II. Data Encryption Standard:

DES is used to encrypt and decrypt packet data. DES is used by both IPSec and IKE. DES uses a 56-bit key, ensuring high-performance encryption.

III. Triple Data Encryption Standard:

3DES is a variant of DES that iterates three times with three separate keys, effectively doubling the strength of DES. 3DES is used by IPSec to encrypt and decrypt data traffic. 3DES uses a 168-bit key, ensuring strong encryption.

IV. Advanced Encryption Standard:

The National Institute of Standards and Technology (NIST) recently adopted the new AES to replace DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key strengths: 128-, 192-, and 256-bit keys.

V. Diffie-Hellman:

DH is a public-key cryptography protocol. It enables two parties to establish a shared secret key over an insecure communications channel. DH is used within IKE to establish session keys.


VI. Message Digest 5:

MD5 is a hash algorithm used to authenticate packet data. The security appliance uses the MD5 Hash-based Message Authentication Code (HMAC) variant, which provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. IKE and ESP use MD5 for authentication.

VII. Secure Hash Algorithm-1:

SHA is a hash algorithm used to authenticate packet data. The security appliance uses the SHA-1 HMAC variant, which provides an additional level of hashing. IKE and ESP use SHA-1 for authentication.

VIII. RSA Signature

RSA is a public-key cryptographic system used for authentication. IKE on the security appliance uses a DH exchange to determine the secret keys on each IPSec peer used by the encryption algorithms. The DH exchange can be authenticated with RSA (or pre-shared keys).

IX. Certificate Authority

The CA support of the security appliance enables the IPSec-protected network to scale by providing the equivalent of a digital identification card to each device. When two IPSec peers wish to communicate, they exchange digital certificates to prove their identities (thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer). The digital certificates are obtained from a CA. CA support on the security appliance uses Directory System Agent (DSA) Signature and RSA Signature to authenticate the CA exchange.

X. Security Association

The concept of an SA is fundamental to IPSec. An SA is a connection between IPSec peers that determines the IPSec services available between the peers, similar to a TCP or UDP port. Each IPSec peer maintains an SA database in memory containing SA parameters. SAs are uniquely identified by the IPSec peer address, security protocol, and security parameter index (SPI). You will need to configure SA parameters and monitor SAs on the security appliance.
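The receiver-side checks described above (data integrity, data origin authentication and anti-replay, with the SA looked up by its SPI) carried out on a simplified ESP-like packet, as an added example that is not part of this document or of any Cisco code. The packet layout (SPI, sequence number, payload, 96-bit HMAC-SHA1 ICV), the 64-packet window and the key are constructed for illustration; real ESP also covers padding and the next-header field with the ICV.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits, as ESP carries it

class InboundSA:
    # One inbound SA: integrity key plus a sliding anti-replay window over sequence numbers.
    def __init__(self, spi, auth_key, window=64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.highest = 0  # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0   # bit i set => sequence number (highest - i) has already been accepted

    def check_and_update(self, seq):
        """Return False for a replayed or too-old sequence number; record accepted ones."""
        if seq == 0:
            return False
        if seq > self.highest:  # advance the window so that 'seq' becomes its right edge
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        behind = self.highest - seq
        if behind >= self.window or (self.bitmap >> behind) & 1:
            return False  # fell off the left edge of the window, or already seen
        self.bitmap |= 1 << behind
        return True

def build_packet(spi, seq, auth_key, payload):
    """Sender side: SPI | seq | payload | ICV computed over everything before the ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv

def receive(sad, packet):
    """Receiver side: SA lookup by SPI, ICV check, then anti-replay; returns a verdict string."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed"
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return "no SA for SPI"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad ICV"  # altered or forged packet; the window is left untouched
    if not sa.check_and_update(seq):
        return "replay"
    return "accepted"
```

The ICV is verified before the window is updated so that a forged packet cannot move or pollute the replay window.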

Steps to implement IPSec VPN:

The goal of IPSec is to protect the desired data with the needed security services. IPSec operation can be broken down into five primary steps:

Interesting traffic:

Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.

IKE Phase 1:

A basic set of security services is negotiated and agreed upon between peers. These security services protect all subsequent communications between the peers. IKE Phase 1 sets up a secure communication channel between peers.


IKE Phase 2:

IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages that are exchanged between endpoints.

Data transfer:

Data is transferred between IPSec peers based on the IPSec parameters and keys that are stored in the SA database.

IPSec tunnel termination:

IPSec SAs terminate through deletion or by timing out.

The security appliance supports the following data origin authentication methods:

Pre-shared keys: A secret key value entered manually for each peer is used to authenticate the peer.

RSA Signature: Specifies RSA Signature as the authentication method.

DSA Signature: Specifies DSA Signature as the authentication method.

There are two phases of IKE.

IKE Phase 1

Two ISAKMP peers establish a secure, authenticated channel. This channel is known as the ISAKMP SA. There are two modes defined by ISAKMP: Main Mode and Aggressive Mode.
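The DH exchange of IKE Phase 1 authenticated with a pre-shared key, as an added example that is not the document's or Cisco's code. A toy 127-bit modulus stands in for a real IKE DH group, and the HMAC transcript and session-key derivation are assumed simplifications, not ISAKMP's actual message layout or PRF. It shows that DH alone gives both peers the same secret even when their PSKs differ; only the authentication tag tells the responder whether the initiator holds the right key.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: 2^127 - 1 is prime but far too small for real use; it stands
# in for an IKE MODP group so that the example runs instantly.
P = (1 << 127) - 1
G = 2

def dh_keypair():
    """Return (private exponent x, public value g^x mod p) for one peer."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(private, peer_public):
    """g^(xy) mod p: identical on both sides once the public values have been exchanged."""
    return pow(peer_public, private, P)

def auth_tag(psk, initiator_public, responder_public, shared):
    """HMAC over the exchange transcript keyed with the PSK (assumed layout, not ISAKMP's).
    Only a peer holding the same PSK can produce or verify it."""
    transcript = f"{initiator_public}|{responder_public}|{shared}".encode()
    return hmac.new(psk, transcript, hashlib.sha256).digest()

def session_key(shared):
    """Session keying material derived from the DH secret (simplified stand-in for IKE's PRF)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def ike_phase1_psk(initiator_psk, responder_psk):
    """Run the exchange; return (dh_secrets_match, initiator_authenticated_by_responder)."""
    x_i, pub_i = dh_keypair()          # initiator's DH pair
    x_r, pub_r = dh_keypair()          # responder's DH pair
    secret_i = dh_shared(x_i, pub_r)   # each side combines its private value with the peer's public value
    secret_r = dh_shared(x_r, pub_i)
    tag_sent_by_i = auth_tag(initiator_psk, pub_i, pub_r, secret_i)
    tag_expected_by_r = auth_tag(responder_psk, pub_i, pub_r, secret_r)
    authenticated = hmac.compare_digest(tag_sent_by_i, tag_expected_by_r)
    return secret_i == secret_r, authenticated
```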

In routers, main mode is used by default, so there will be 6 packets in phase 1:

QM_IDLE

This message shows that aggressive mode cannot be started. That does not mean it is an error; it means the mode is not configured.

MM_NO_STATE

This state means the ISAKMP SA has been created.


This is the first place where something could go wrong. In this state the received packet contains the SA (Security Association) policy, and the vendor ID is also included (to check that the peer supports NAT traversal and to maintain the keep-alive and dead-peer-detection process).

MM_SA_SETUP (send message 3, receive message 4)

This packet contains the key exchange information for the Diffie-Hellman secure key exchange. Message 4 checks the policies implemented on both devices and cross-checks them; if they do not match, the tunnel will be down.

MM_KEY_EXCH (send message 5, receive message 6)

This message is used to send the peer's authentication information. The information is sent under the protection of the common shared secret.

The peer identity is verified by the local router and the SA has been established.

IKE Phase 2

SAs are negotiated on behalf of services such as IPSec that need keying material. This phase is called Quick Mode.

QM_IDLE (messages 1, 2 and 3)

The router sends out the local proxy IDs (the interesting traffic protected by the IPSec tunnel) and the security policies defined by the transform set.

The second message cross-checks the proxy IDs on both sides; this is the next place where something can go wrong.

The third message finishes Quick Mode. On completion of Phase 2, a session key can be derived from the new DH secret key. This session key is used until the timer expires.