
ZOOM Technologies

Virtual Private Networking

Copyright Zoom Technologies

VPN Services

Services offered by a VPN:


Data Security

Data Integrity

Authentication

Anti-Replay

Tunneling

Devices Supporting VPN

Routers

Firewall

VPN concentrator

Servers

Cisco VPN Client v 5

VPN Types

Remote-access
  Client-initiated
  Network access server

Site-to-site
  Intranet
  Extranet

Remote Access VPN

[Diagram: remote access VPN across the IP/Internet to the Head Office, shown as a client-initiated VPN and as a network access server (RAS) VPN]

Site to Site

[Diagram: Head Office connected across the IP/Internet to a Branch Office (intranet VPN) and to a Business Partner (extranet VPN)]
Encryption at Several Layers

Tunneling Protocols

Generic Routing Encapsulation

[Diagram: GRE encapsulation. Original packet: Data | 192.168.1.10 | 192.168.2.20. Hosts 192.168.1.10 and 192.168.2.20 sit behind the tunnel endpoints 2.2.2.3 and 61.0.0.5, which face the Internet. Encapsulated packet: Data | 192.168.1.10 | 192.168.2.20 | 2.2.2.3 | 61.0.0.5, i.e. the original packet is carried unchanged inside a new IP header addressed between the tunnel endpoints.]
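The encapsulation the diagram shows, as an added example that is not part of the slide deck: the original packet between 192.168.1.10 and 192.168.2.20 is wrapped in a GRE header and a new IP header between the tunnel endpoints 2.2.2.3 and 61.0.0.5, then unwrapped again. The headers are built by hand with the standard library; the IPv4 checksum is left at zero because only the layout matters here.

```python
import ipaddress
import struct

GRE_PROTOCOL = 47          # IP protocol number carried in the outer IP header
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an inner IPv4 packet

def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options; the checksum is left at zero
    (a real stack fills it in), which is enough to show the encapsulation layout."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap the original packet: new IP header (tunnel endpoints) | GRE header | original packet."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)     # no C/K/S flags, version 0
    return (ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre_header) + len(inner_packet))
            + gre_header + inner_packet)

def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IP and GRE headers, refusing anything this minimal parser does not understand."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer packet is not GRE")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:                                     # checksum, key or sequence present
        raise ValueError("optional GRE fields are not handled")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("inner packet is not IPv4")
    return packet[ihl + 4:]

def addresses(packet: bytes) -> tuple:
    """(source, destination) of an IPv4 packet, used to show inner vs. outer addresses."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))

def slide_example() -> dict:
    """The slide's packet: 192.168.1.10 -> 192.168.2.20 tunnelled between 2.2.2.3 and 61.0.0.5."""
    data = b"Data"                                         # constructed payload
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 6, len(data)) + data
    outer = gre_encapsulate(inner, "2.2.2.3", "61.0.0.5")
    return {"inner": addresses(inner), "outer": addresses(outer),
            "restored": gre_decapsulate(outer) == inner}
```

Note that GRE only adds the outer header: the inner addresses and data travel in clear, which is why the deck pairs GRE with IPSec when the traffic needs protection.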

IPSec VPN

IPSec

IPSec is an open standard (IETF)

Network layer protocol

It provides data security and tunneling services

It is a framework of many open standards

Scales from small to very large networks

It works only for IP unicast traffic

IPSec over GRE is used for protecting non-IP or multicast traffic

IPSec over GRE

[Flowchart: User data encryption needed? No: send. Yes: is the traffic IP unicast? No: encapsulate in GRE / L2TP first, then apply IPSec and send. Yes: apply IPSec and send.]

IPSec Mode

IPSec modes:

Tunnel mode
  Tunnel mode creates a new additional IP header and encrypts the data.

Transport mode
  Transport mode just encrypts the data without adding a new IP header.

IPSec Protocols

Negotiation protocol
  IKE

Security protocols
  ESP
  AH

IPSec Protocols

Encryption
  DES
  3DES
  AES

Hash
  MD5
  SHA

Authentication
  Pre-shared key
  Username/Password
  OTP

Password Protection (Diffie-Hellman for password exchange)
  DH Group 1
  DH Group 2
  DH Group 5

Internet Key Exchange

IKE solves the problems of manual and unscalable implementation of IPSec by automating the negotiation process:

Automatic key generation, negotiation and implementation

Negotiation of SA characteristics

Manageable manual configuration

IKE Negotiation

[Diagram: IKE negotiation across the Internet between Branch X (2600), Branch Y (2500) and the Head Office (3800). Policies shown per router:

Branch X (2600)
  Policy 1: Encryption 3DES, Hash SHA, Authentication Pre Share, DH 2
  Policy 2: Encryption DES, Hash MD5, Authentication Pre Share, DH 2

Head Office (3800)
  Policy 1: Encryption AES, Hash SHA, Authentication Pre Share, DH 2
  Policy 2: Encryption 3DES, Hash SHA, Authentication Pre Share, DH 2
  Policy 3: Encryption DES, Hash MD5, Authentication Pre Share, DH 2

Branch Y (2500)
  Policy 1: Encryption DES, Hash MD5, Authentication Pre Share, DH 2]
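How the policies on this slide get matched, as an added example that is not part of the slide deck: each router's policies are tried in priority order and the first pair with identical encryption, hash, authentication and DH group wins (the responder-driven order is the one Cisco IOS documents; the policy sets are reconstructed from the diagram, and the weak-algorithm check is this example's own addition).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IkePolicy:
    """One IKE (ISAKMP) policy, as listed per router on the slide."""
    priority: int          # local priority number; lower is tried first
    encryption: str        # DES, 3DES or AES
    hash: str              # MD5 or SHA
    authentication: str    # pre-share on every policy shown
    dh_group: int          # Diffie-Hellman group 1, 2 or 5

    def attributes(self) -> Tuple[str, str, str, int]:
        return (self.encryption, self.hash, self.authentication, self.dh_group)

def negotiate(initiator: List[IkePolicy], responder: List[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy]]:
    """The initiator offers all of its policies; the responder walks its own policies in
    priority order and accepts the first one whose attribute set an offer matches exactly.
    Priority numbers are local and do not have to agree. Returns (offer, accepted) or None."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for local in sorted(responder, key=lambda p: p.priority):
        for offer in offers:
            if offer.attributes() == local.attributes():
                return offer, local
    return None

WEAK = {"DES", "MD5", 1}   # options on the slide that no longer give real protection

def agreed_is_weak(result: Optional[Tuple[IkePolicy, IkePolicy]]) -> bool:
    """True when the agreed policy relies on DES, MD5 or DH group 1: a low-priority
    fallback policy lets a weak peer pull the whole tunnel down to that level."""
    if result is None:
        return False
    offer, _ = result
    return bool({offer.encryption, offer.hash, offer.dh_group} & WEAK)

# Policies reconstructed from the slide diagram (Branch X 2600, Branch Y 2500, Head Office 3800)
BRANCH_X = [IkePolicy(1, "3DES", "SHA", "pre-share", 2), IkePolicy(2, "DES", "MD5", "pre-share", 2)]
BRANCH_Y = [IkePolicy(1, "DES", "MD5", "pre-share", 2)]
HEAD_OFFICE = [IkePolicy(1, "AES", "SHA", "pre-share", 2),
               IkePolicy(2, "3DES", "SHA", "pre-share", 2),
               IkePolicy(3, "DES", "MD5", "pre-share", 2)]

if __name__ == "__main__":
    for name, branch in (("Branch X", BRANCH_X), ("Branch Y", BRANCH_Y)):
        agreed = negotiate(branch, HEAD_OFFICE)
        print(name, "->", agreed and agreed[1], "weak" if agreed_is_weak(agreed) else "ok")
```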

ESP and AH

Encapsulating Security Payload

ESP: IP protocol ID 50

Provides a framework for encryption, authentication and data integrity; anti-replay is optional.

Original:       L2 | IP Header | TCP/UDP Head | DATA
Transport mode: L2 | IP Header | ESP Head | TCP/UDP Head | DATA | ESP Tail | ESP Auth
Tunnel mode:    L2 | New IP Header | ESP Head | IP Head | TCP/UDP Head | DATA | ESP Tail | ESP Auth

Authentication Header

AH: IP protocol ID 51

Provides a framework for authentication and data integrity; anti-replay is optional.

Original:       L2 | IP Header | TCP/UDP Head | DATA
Transport mode: L2 | IP Header | AH Head | TCP/UDP Head | DATA
Tunnel mode:    L2 | New IP Header | AH Head | IP Head | TCP/UDP Head | DATA

Message Authentication and Integrity Check

Peer Authentication

Peer authentication methods:

Username and password
OTP (PIN/TAN)
Biometric
Pre-shared keys
Digital certificates
Commonly Used Hash Functions

A hash is a one-way function that always generates a fixed-length result.

MD5
  Message Digest v5
  MD5 provides a 128-bit output

SHA-1
  Secure Hash Algorithm
  SHA-1 provides a 160-bit output

Authentication and Integrity

[Diagram: the sender computes an HMAC (12A9BE) over the IP header and data with the shared key and sends Data | HMAC | IP Head across the IP/Internet. The receiver recomputes the hash over the received packet with the same key and compares: received hash 12A9BE = computed hash 12A9BE.]

HMAC: Hash-based Message Authentication Code

Uses an MD5 or SHA hash
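The receiver-side check from the diagram, carried through on the ESP transport-mode layout (ESP Head | DATA | ESP Tail | ESP Auth) with the optional anti-replay window from the ESP slide, as an added example that is not part of the slide deck. It uses HMAC-SHA-1 truncated to 96 bits, the ESP authenticator defined in RFC 2404; the key and packets are constructed for the demo, and DATA is left unencrypted so the integrity check stays visible.

```python
import hmac
import hashlib
import struct

# Constructed demo key; on a real SA the authentication key comes from the IKE negotiation.
AUTH_KEY = bytes.fromhex("0b" * 20)
ICV_LEN = 12            # HMAC-SHA-1-96: the 160-bit digest truncated to 96 bits (RFC 2404)
NEXT_HEADER_TCP = 6

def build_esp_packet(spi: int, seq: int, payload: bytes, key: bytes = AUTH_KEY) -> bytes:
    """Transport-mode ESP layout from the slide: ESP Head | DATA | ESP Tail | ESP Auth."""
    esp_head = struct.pack("!II", spi, seq)                  # SPI and sequence number
    pad_len = (-(len(payload) + 2)) % 4                      # pad so the trailer ends on a 4-byte boundary
    esp_tail = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_TCP])
    body = esp_head + payload + esp_tail
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # the ESP Auth field
    return body + icv

class EspReceiver:
    """Receiver from the slide: recompute the HMAC with the shared key, compare it with the
    received one, then run the anti-replay window check on the sequence number."""
    WINDOW = 64

    def __init__(self, key: bytes = AUTH_KEY) -> None:
        self.key = key
        self.highest = 0
        self.seen = set()

    def verify(self, packet: bytes) -> str:
        body, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        computed_icv = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(computed_icv, received_icv):   # constant-time compare
            return "bad_hmac"           # tampered or wrong key: drop before any further processing
        _spi, seq = struct.unpack("!II", body[:8])
        if seq in self.seen or seq + self.WINDOW <= self.highest:
            return "replay"             # duplicate, or too old for the window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.WINDOW > self.highest}   # forget what fell out of the window
        return "ok"

def demo() -> list:
    """Good packet, the same packet with one DATA byte flipped, then a replay of the good one."""
    rx = EspReceiver()
    good = build_esp_packet(0x1000, 1, b"GET / HTTP/1.0")   # constructed payload
    tampered = bytearray(good)
    tampered[8] ^= 0xFF                                     # first DATA byte
    return [rx.verify(good), rx.verify(bytes(tampered)), rx.verify(good)]
```

The order matters: the HMAC is checked before the sequence number is looked at, so an attacker cannot disturb the replay window with packets that fail integrity.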


IPSec Headers

IPSec provides the following:

Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP

Encryption (DES, 3DES or AES) only with ESP

Other IKE Functions

IKE: Other Functions

Dead peer detection (DPD):
  IKE keep-alives are unidirectional and are sent every 10 seconds.

NAT traversal:
  Encapsulates the IPSec packet in a UDP packet.

Mode config (push config) and Xauth (user authentication)

NAT Traversal

[Diagram: a PC with a private IP behind an ISP router performing NAT, connected across the IP/Internet to the Head Office VPN server]

Tunnel mode:            L2 | IP Header | ESP Head | IP Head | TCP/UDP Head | DATA | ESP Tail
Tunnel mode with NAT-T: L2 | IP Header | UDP Head | ESP Head | IP Head | TCP/UDP Head | DATA | ESP Tail

Mode Configuration

[Diagram: the same topology (PC with a private IP, ISP router with NAT, IP/Internet, Head Office VPN server). Mode config: the VPN server pushes an IP address and other attributes to the IPSec VPN clients.]

Tunnel: L2 | IP Head | UDP Head | ESP Head | IP Head | TCP/UDP Head | DATA | ESP Tail

Xauth

[Diagram: the same topology with an AAA server at the Head Office. X-authentication (Xauth) verifies the user in the domain before the PC with a private IP is admitted.]

Symmetric vs. Asymmetric Encryption Algorithms

Symmetric Encryption Algorithm

Secret key cryptography

Encryption and decryption use the same key

Typically used to encrypt the content of a message

Examples: DES, 3DES, AES

Asymmetric Encryption Algorithm

Public key cryptography

Encryption and decryption use different keys

Typically used in digital certification and key management

Example: RSA

Key Lengths of Encryption Algorithms

Comparable key lengths required for asymmetric keys compared to symmetric keys:

Symmetric key length (bits) | Asymmetric key length (bits)
56                          | 1024
168                         | 2048
128                         | 3072
192                         | 7680
256                         | 15,360

Symmetric Encryption: DES

Symmetric key encryption algorithm using a 56-bit key.

Mode of operation: apply DES to encrypt blocks of data.

Block cipher: works on 64-bit data blocks (the last bit of each key byte is used for parity, which is why only 56 of the 64 key bits are secret).
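Why the 56-bit figure follows from the parity rule, as an added example that is not part of the slide deck: every byte of the 64-bit DES key must have odd parity, with the least significant bit reserved for that, so two keys that differ only in those bits are the same key to the cipher.

```python
def des_parity_ok(key: bytes) -> bool:
    """A DES key is 8 bytes and every byte must have odd parity; bit 0 of each byte is the parity bit."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def des_set_parity(key: bytes) -> bytes:
    """Rewrite the parity bit of each byte so the key is a valid DES key; the 7 key bits per byte stay."""
    fixed = bytearray()
    for b in key:
        key_bits = b >> 1                                   # the 7 bits that actually feed the cipher
        parity = 0 if bin(key_bits).count("1") % 2 else 1   # choose the bit that makes the total odd
        fixed.append((key_bits << 1) | parity)
    return bytes(fixed)

def same_des_key(key_a: bytes, key_b: bytes) -> bool:
    """Two 8-byte keys that differ only in their parity bits select the same 56-bit DES key."""
    return len(key_a) == len(key_b) == 8 and all((a >> 1) == (b >> 1) for a, b in zip(key_a, key_b))

def effective_key_bits(key: bytes) -> int:
    """Stored bits minus one parity bit per byte: 64 - 8 = 56 for a DES key."""
    return 7 * len(key)
```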

Symmetric Encryption: 3DES

168-bit total key length

Mode of operation decides how to process DES three times

3DES requires more processing than DES

Symmetric Encryption: AES

Formerly known as Rijndael

Successor to DES and 3DES

Symmetric key block cipher

Strong encryption

AES supports 128-, 192- and 256-bit keys.

Asymmetric Encryption: RSA

Ron Rivest, Adi Shamir and Leonard Adleman (RSA)

Public key to encrypt data and to verify digital signatures

Private key to decrypt data and to sign with a digital signature

Site-to-Site IPSec VPN Operations

IKE Phases

Phase 1
  Authenticate the peers
  Negotiate a bidirectional SA

Phase 1.5
  Xauth
  Mode config

Phase 2
  IPSec SAs/SPIs

Five Steps of IPsec

Step 1: Interesting Traffic

Step 2: IKE Phase 1

IKE Policy

Negotiates matching IKE transform sets to protect the IKE exchange

Diffie-Hellman Key Exchange

Authenticate Peer Identity

Peer authentication methods:

Preshared keys

RSA signatures

RSA encrypted nonces

Step 3: IKE Phase 2

Negotiates IPsec security parameters, IPsec transform sets

Establishes IPsec SAs

Periodically renegotiates IPsec SAs to ensure security

Optionally, performs an additional Diffie-Hellman exchange

IPsec Transform Sets

A transform set is a combination of algorithms and protocols that enact a security policy for traffic.

Step 4: IPsec Session

SAs are exchanged between peers.

The negotiated security services are applied to the traffic.

Step 5: Tunnel Termination

A tunnel is terminated by one of the following:

By an SA lifetime timeout

If the packet counter is exceeded

IPsec SA is removed

Configuring IPsec

Configuration Steps for Site-to-Site VPN

1. Establish ISAKMP policy

2. Configure IPsec transform set

3. Configure crypto ACL

4. Configure crypto map

5. Apply crypto map to the interface

6. Configure interface ACL

What Is Cisco SDM?

Perfect for insecure communication channels

SDM is an embedded web-based management tool.

Provides intelligent wizards to enable quicker and easier deployments, and does not require knowledge of the Cisco IOS CLI or security expertise.

Contains tools for more advanced users:

ACL editor

VPN crypto map editor

Cisco IOS CLI preview

What Is Cisco SDM?

Smart wizards for these frequent router and security configuration issues: startup wizard, one-step router lockdown, policy-based firewall and ACL management (firewall policy), one-step VPN (site-to-site), and inline IPS
Guides untrained users through the workflow
Avoids misconfigurations with integrated routing and security
Secures the existing network infrastructure easily and cost-effectively
Uses Cisco TAC- and ICSA-recommended security configurations

How AES Works