Chapter 8 - VPN and IPsec Concepts

IPsec

Internet Protocol Security

Site-to-Site and Remote-Access VPNs

A site-to-site VPN Is created when VPN terminating devices, also called VPN gateways, are preconfigured with information to establish a secure tunnel. VPN traffic is only encrypted between these devices. Internal hosts have no knowledge that a VPN is being used. Remote-access VPN Is dynamically created to establish a secure connection between a client and a VPN terminating device. For example, a remote access SSL VPN is used when you check your banking information online.

Building the IPsec security function - step 4

Authentication The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. Choices: PSK - pre-shared-key - secure but does not scale well - uses an authentication key so both parties can create the same hash. RSA - Rivest, Shamir, Adleman - uses digital certificates. A the authentication key and identity information is used to create the hash. The hash is then encrypted by a private key. This creates a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is Hash_L. Next, the remote device independently creates Hash_L from stored information. If the calculated Hash_L equals the decrypted Hash_L, the local device is authenticated. Each peer must validate the opposite peer before the tunnel is considered secure.

Building the IPsec security function - step 2

Confidentiality Confidentiality is achieved by encrypting the data. The degree of confidentiality depends on the encryption algorithm and the length of the key used in the encryption algorithm. If someone tries to hack the key through a brute-force attack, the number of possibilities to try is a function of the length of the key. The time to process all the possibilities is a function of the computer power of the attacking device. The shorter the key, the easier it is to break. A 64-bit key can take approximately one year to break with a relatively sophisticated computer. A 128-bit key with the same machine can take roughly 1019 or 10 quintillion years to decrypt. Choices: DES - 56 bit key - not secure 3DES - 56 bit key times 3 - not secure AES - 128, 192 or 256 bit key - recommended SEAL - 160 bit key - stream cipher - encrypts data continuously - SUPER DUPER STRONG

IPsec provides these 4 essential security functions

Confidentiality IPsec uses encryption algorithms to prevent cybercriminals from reading the packet contents. Integrity IPsec uses hashing algorithms to ensure that packets have not been altered between source and destination. Origin authentication IPsec uses the Internet Key Exchange (IKE) protocol to authenticate source and destination. Methods of authentication including using pre-shared keys (passwords), digital certificates, or RSA certificates. Diffie-Hellman Secure key exchange typically using various groups of the DH algorithm.

GRE over IPsec

Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol. It can encapsulate various network layer protocols. It also supports multicast and broadcast traffic which may be necessary if the organization requires routing protocols to operate over a VPN. However, GRE does not by default support encryption; and therefore, it does not provide a secure VPN tunnel. A standard IPsec VPN (non-GRE) can only create secure tunnels for unicast traffic. Therefore, routing protocols will not exchange routing information over an IPsec VPN. To SOLVE this problem, we can encapsulate routing protocol traffic using a GRE packet, and then encapsulate the GRE packet into an IPsec packet to forward it securely to the destination VPN gateway. The terms used to describe the encapsulation of GRE over IPsec tunnel are: Passenger protocol Carrier protocol Transport protocol

Building the IPsec security function - step 1

IPsec Protocol Encapsulation Choosing the IPsec protocol encapsulation is the first building block of the framework. IPsec encapsulates packets using Authentication Header (AH) or Encapsulation Security Protocol (ESP). The choice of AH or ESP establishes which other building blocks are available. Choices: AH - Integrity and authentication. No encryption of data ESP - Confidentiality(encryption), integrity and authentication.

Building the IPsec security function - step 3

Integrity Data integrity means that the data that is received is exactly the same data that was sent. Potentially, data could be intercepted and modified. The Hashed Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value. The two most common HMAC algorithms/Choices: MD5 - Message Digest 5 - 128 bit secret key - not secure SHA - Secure Hash Algorithm - 160 bit secret key - the variably length message and the secret key are combined and sent through the HMAC SHA 1 Algorithm. 160 bit hash result. SHA 256 or higher is secure

IPsec vs SSL/TLS

It is important to understand that IPsec and SSL VPNs are not mutually exclusive. Instead, they are complementary; both technologies solve different problems, and an organization may implement IPsec, SSL, or both. Applications supported IPsec - Extensive - All IP-based applications are supported. SSL - Limited - Only web-based applications and file sharing are supported. Authentication strength IPsec - Strong - Uses two-way authentication with shared keys or digital certificates. SSL - Moderate - Using one-way or two-way authentication. Encryption strength IPsec - Strong - Uses key lengths from 56 bits to 256 bits. SSL - Moderate to strong - With key lengths from 40 bits to 256 bits. Connection complexity IPsec - Medium - Because it requires a VPN client pre-installed on a host. SSL - Low - It only requires a web browser on a host. Connection option IPsec - Limited - Only specific devices with specific configurations can connect. SSL - Extensive - Any device with a web browser can connect.

IPsec history

It was designed to SOLVE the transport layer (layer 4) security problem. IPsec protects and authenticates IP packets between source and destination. IPsec can protect traffic from Layer 4 through Layer 7 Transport layer 4 - UDP, TCP, end to end connections

Service Provider MPLS VPNs

MPLS = Multiprotocol Layered Switching Traffic is forwarded through the MPLS backbone using labels that are previously distributed among the core routers. Like legacy WAN connections, traffic is secure because service provider customers cannot see each other's traffic (cuz labels). MPLS can provide clients with managed VPN solutions; therefore, securing traffic between client sites is the responsibility of the service provider. There are two types of MPLS VPN solutions supported by service providers: Layer 3 MPLS VPN The service provider participates in customer routing by establishing a peering between the customer's routers and the provider's routers. Then customer routes that are received by the provider's router are then redistributed through the MPLS network to the customer's remote locations. Layer 2 MPLS VPN The service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. No routing is involved. The customer's routers effectively belong to the same multiaccess network.

VPN Benefits

Modern VPNs now support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites. 1. Cost Savings With the advent of cost-effective, high-bandwidth technologies, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth. Security VPNs provide the highest level of security available, by using advanced encryption and authentication protocols that protect data from unauthorized access. Scalability VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure. Compatibility VPNs can be implemented across a wide variety of WAN link options including all the popular broadband technologies. Remote workers can take advantage of these high-speed connections to gain secure access to their corporate networks

Building the IPsec security function - step 5

Secure Key Exchange with Diffie-Hellman Encryption algorithms require a symmetric, shared secret key to perform encryption and decryption. How do the encrypting and decrypting devices get the shared secret key? The easiest key exchange method is to use a public key exchange method, such as Diffie-Hellman (DH) DH provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel. Variations of the DH key exchange are specified as DH groups: DH groups 1, 2, and 5 should no longer be used. These groups support a key size of 768 bits, 1024 bits, and 1536 bits, respectively. DH groups 14, 15, and 16 use larger key sizes with 2048 bits, 3072 bits, and 4096 bits, respectively, and are recommended for use until 2030. DH groups 19, 20, 21 and 24 with respective key sizes of 256 bits, 384 bits, 521 bits, and 2048 bits support Elliptical Curve Cryptography (ECC), which reduces the time needed to generate keys. DH group 24 is the preferred next generation encryption. The DH group you choose must be strong enough, or have enough bits, to protect the IPsec keys during negotiation. For example, DH group 1 is strong enough to support DES and 3DES encryption, but not AES. For example, if the encryption or authentication algorithms use a 128-bit key, use group 14, 19, 20 or 24. However, if the encryption or authentication algorithms use a 256-bit key or higher, use group 21 or 24. Choices: DH group 1, 2 and 5 - not secure DH group 14, 15 and 16 - Secure until year 2030 DH group 19, 20, 21 and 24 - next generation

SSL

Secure Sockets Layer

DMVPN

Site-to-site IPsec VPNs and GRE over IPsec are adequate to use when there are only a few sites to securely interconnect. However, they are not sufficient when the enterprise adds many more sites. This is because each site would require static configurations to all other sites, or to a central site. Dynamic Multipoint VPNs Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs in an easy, dynamic, and scalable manner. Like other VPN types, DMVPN relies on IPsec to provide secure transport over public networks, such as the internet. DMVPN simplifies the VPN tunnel configuration and provides a flexible option to connect a central site with branch sites. It uses a hub-and-spoke configuration to establish a full mesh topology. Spoke sites establish secure VPN tunnels with the hub site. Each site is configured using Multipoint Generic Routing Encapsulation (mGRE). The mGRE tunnel interface allows a single GRE interface to dynamically support multiple IPsec tunnels. Therefore, when a new site requires a secure connection, the same configuration on the hub site would support the tunnel. No additional configuration would be required.

GRE

The first types of VPNs were strictly IP tunnels that did not include authentication or encryption of the data. For example, Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco and which does not include encryption services. It is used to encapsulate IPv4 and IPv6 traffic inside an IP tunnel to create a virtual point-to-point link.

Site-to-Site IPsec VPNs

Site-to-site VPNs are used to connect networks across another untrusted network such as the internet. In a site-to-site VPN, end hosts send and receive normal unencrypted TCP/IP traffic through a VPN terminating device. The VPN terminating is typically called a VPN gateway. A VPN gateway device could be a router or a firewall. For example, the Cisco Adaptive Security Appliance (ASA) is a standalone firewall device that combines firewall, VPN concentrator, and intrusion prevention functionality into one software image. The VPN gateway encapsulates and encrypts outbound traffic. It then sends the traffic through a VPN tunnel over the internet to a VPN gateway at the target site. Upon receipt, the receiving VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network. Site-to-site VPNs are typically created and secured using IP security (IPsec).

IPsec security functions

The each point to point must have chosen the same SA (security association, chosen from the list below). You can have different combinations, but each point needs to have the same SAs for the IPsec tunnel to form. IPsec Protocol The choices for IPsec Protocol include Authentication Header (AH) or Encapsulation Security Protocol (ESP). AH authenticates the Layer 3 packet. ESP encrypts the Layer 3 packet. Note: ESP+AH is rarely used as this combination will not successfully traverse a NAT device. Confidentiality Encryption ensures confidentiality of the Layer 3 packet. Choices include Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), or Software-Optimized Encryption Algorithm (SEAL). No encryption is also an option. Integrity Ensures that data arrives unchanged at the destination using a hash algorithm, such as message-digest 5 (MD5) or Secure Hash Algorithm (SHA). Authentication IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates using the Rivest, Shamir, and Adleman (RSA) algorithm. Diffie-Hellman IPsec uses the DH algorithm to provide a public key exchange method for two peers to establish a shared secret key. There are several different groups to choose from including DH14, 15, 16 and DH 19, 20, 21 and 24. DH1, 2 and 5 are no longer recommended.

TLS

Transport Layer Security

Enterprise and Service Provider VPNs

VPNs can be managed and deployed as: Enterprise VPNs Enterprise-managed VPNs are a common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using both IPsec and SSL VPNs. Service Provider VPNs Service provider-managed VPNs are created and managed over the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise's sites. MPLS is a routing technology the provider uses to create virtual paths between sites. This effectively segregates the traffic from other customer traffic. Other legacy solutions include Frame Relay and Asynchronous Transfer Mode (ATM) VPNs

Remote-Access VPNs

VPNs have become the logical solution for remote-access connectivity for many reasons. Remote-access VPNs let remote and mobile users securely connect to the enterprise by creating an encrypted tunnel. Remote users can securely replicate their enterprise security access including email and network applications. Remote-access VPNs also allow contractors and partners to have limited access to the specific servers, web pages, or files as required. This means that these users can contribute to business productivity without compromising network security. Remote-access VPNs are typically enabled dynamically by the user when required. Remote access VPNs can be created using either IPsec or SSL. A remote user must initiate a remote access VPN connection. Clientless VPN connection The connection is secured using a web browser's SSL connection. SSL is commonly used to secure HTTP, IMAP and POP3 traffic. Client based VPN connection A VPN client software solution must be installed.

IPsec Virtual Tunnel Interface

VTI Like DMVPNs, IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required to support multiple sites and remote access. IPsec VTI configurations are applied to a virtual interface instead of static mapping the IPsec sessions to a physical interface. IPsec VTI is capable of sending and receiving both IP unicast and multicast encrypted traffic. Therefore, routing protocols are automatically supported without having to configure GRE tunnels. IPsec VTI can be configured between sites or in a hub-and-spoke topology

VPN

Virtual Private Networks To secure network traffic between sites and users, organizations use virtual private networks (VPNs) to create end-to-end private network connections. A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.

SSL VPNs

When a client negotiates an SSL VPN connection with the VPN gateway, it actually connects using Transport Layer Security (TLS). TLS is the newer version of SSL and is sometimes expressed as SSL/TLS. However, both terms are often used interchangeably. Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. However, when security is an issue, IPsec is the superior choice. If support and ease of deployment are the primary issues, consider SSL.

SA

security association