VPN Objectives
> Upon completion of this module, you should be familiar with the following:
General VPN Concepts
> Types of VPNs
> Tunneling, Authentication and Encryption
> GRE over IPSec
> Security Associations
> Keys and Keying Modes
> Internet Key Exchange
> IPSec
> Encryption and Data Integrity
> A Virtual Private Network (VPN) allows secure, encrypted access to your network from either a remote laptop or another site
> Two Types of VPNs
Site-to-Site
> A VPN connection established between two VPN gateways, typically used for office-to-office connectivity
Client-to-Site
> A VPN connection established between a remote user and the VPN gateway
> When a VPN connection is established, we refer to the connection as a VPN Tunnel
> The X505 supports up to 250 Site-to-Site tunnels and 1000 client tunnels
> Encryption
DES, 3DES, AES, MD5, SHA
> Generic Routing Encapsulation (GRE) is used to supplement IPSec in order to transmit multicast/routing packets across VPN tunnels
Security Associations
> The Security Association defines the parameters with which the VPN tunnel will be negotiated and established
> A Security Association includes the following features
Encryption
Authentication of data integrity
Sender authentication and non-repudiation (if using certificates)
> Default SA
The X505 has a default SA which can be used for multiple client-to-site VPN connections. The Default SA is disabled by default.
Security Associations
> Keys are used to encode data for encryption and authentication
> Key generation can be performed manually or dynamically using Internet Key Exchange (IKE)
> Manual Keying
Keys are specified manually by the VPN administrator. Due to its non-dynamic nature, manual keying is less secure.
> IKE is the method by which keys are exchanged between two VPN endpoints in order to establish a secure channel
> An SA is established during the IKE process
> There are two phases to IKE
In Phase 1, the secure channel between the two VPN peers is established. There are two modes to Phase 1: Main Mode and Aggressive Mode. In Phase 2, the IPSec security association is established and keys are generated.
> IKE uses one of the following methods to validate the other peer's identity
Pre-Shared Key
X.509 Certificate
> The IP header and payload are protected via the following mechanisms
Authentication Header (AH)
> Provides security by adding authentication information to the packet
NOTE: When AH is used, a hash is computed using the source/destination IP addresses of the packet. Thus, using AH with a VPN gateway that is behind a NATing device (e.g. a firewall) will prevent the VPN tunnel from establishing.
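The NOTE above is the whole reason AH and NAT do not mix, and it is easy to see with a small model. The following is an added example (not code from the slides or from the X505 product) that builds a bare IPv4 header, computes a simplified AH integrity check value over the immutable header fields plus the payload, and then shows that a hop-by-hop TTL change is tolerated while a NAT rewrite of the source address is not. Real AH uses HMAC-SHA1-96 over the AH header as well and zeroes more mutable fields; the key and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed key shared by the two VPN gateways (sample value, not from the page).
AH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PROTO_AH = 51  # IP protocol number for the Authentication Header


def build_ip_header(src: str, dst: str, ttl: int = 64, proto: int = PROTO_AH) -> bytes:
    """Minimal 20-byte IPv4 header (no options); header checksum left as zero."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def immutable_fields(header: bytes) -> bytes:
    """AH zeroes the fields that legitimately change in transit (TTL, checksum)
    before hashing. Source and destination addresses are NOT treated as mutable,
    so any NAT rewrite of them is indistinguishable from tampering."""
    h = bytearray(header)
    h[8] = 0                 # TTL is decremented by every router
    h[10:12] = b"\x00\x00"   # header checksum is recomputed per hop
    return bytes(h)


def ah_icv(header: bytes, payload: bytes, key: bytes = AH_KEY) -> bytes:
    """Simplified AH integrity check value: truncated HMAC over immutable
    header fields plus payload (a simplification of RFC 4302 for illustration)."""
    mac = hmac.new(key, immutable_fields(header) + payload, hashlib.sha256).digest()
    return mac[:12]


def ah_verify(header: bytes, payload: bytes, icv: bytes, key: bytes = AH_KEY) -> bool:
    return hmac.compare_digest(ah_icv(header, payload, key), icv)


def nat_rewrite_source(header: bytes, public_src: str) -> bytes:
    """What a NATing firewall does to an outbound packet: replace the private source."""
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(public_src).packed
    return bytes(h)


def demo_ah_through_nat():
    """Returns (direct_ok, routed_ok, after_nat_ok) for a constructed packet from a
    gateway at private 10.0.0.5 to a peer at 203.0.113.10 (documentation range)."""
    payload = b"constructed VPN payload"
    sent = build_ip_header("10.0.0.5", "203.0.113.10")
    icv = ah_icv(sent, payload)

    direct_ok = ah_verify(sent, payload, icv)

    routed = bytearray(sent)
    routed[8] -= 1                      # a router decremented the TTL: still fine
    routed_ok = ah_verify(bytes(routed), payload, icv)

    natted = nat_rewrite_source(sent, "198.51.100.7")   # NAT replaced the source
    after_nat_ok = ah_verify(natted, payload, icv)      # the receiver rejects it

    return direct_ok, routed_ok, after_nat_ok


if __name__ == "__main__":
    print(demo_ah_through_nat())  # (True, True, False)
```

The third value is why the slide says the tunnel will not establish: every AH-protected packet leaving a NATed gateway fails verification on the far side, so the practical mitigations are to use ESP instead of AH, or to give the gateway a public address in front of the NAT.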
> Data is encrypted using one of the following data encryption methods
DES or Data Encryption Standard
> Uses a 56-bit key to encrypt data
IKE Proposals
Site-to-Site VPN
> IPSec is used to provide encryption for site-to-site VPN tunnels
> Tunnel Mode vs Transport Mode
In Tunnel Mode, the entire packet is encapsulated within another packet, making the source/destination IP addresses as well as the payload completely invisible to the medium. In Transport Mode, only the payload of the packet is encrypted. Thus, the source/destination IP addresses are usually publicly routable addresses.
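To make the difference between the two modes concrete, here is an added example (not code from the slides or the X505) that protects the same packet both ways and then inspects what an observer on the medium would see in each case. ESP encryption is replaced by a toy HMAC-based keystream so the code runs with the standard library alone; all addresses, keys and the HTTP payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key shared by the two gateways (sample value, not from the page).
ESP_KEY = b"constructed-demo-key-not-for-real-use"
PROTO_ESP = 50  # IP protocol number carried by the header that fronts ESP


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (20 bytes, no options, checksum left zero) + payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) exactly as the medium sees them."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return (str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])), f[6], packet[20:])


def _toy_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (HMAC-SHA256 in counter mode). A real SA would use
    AES/3DES/DES as listed on the slides; the cipher is not the point here."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encrypt(plaintext: bytes, spi: int, seq: int, key: bytes = ESP_KEY) -> bytes:
    """Toy ESP: cleartext SPI and sequence number, then the encrypted body."""
    nonce = struct.pack("!II", spi, seq)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _toy_stream(key, nonce, len(plaintext))))


def esp_decrypt(esp: bytes, key: bytes = ESP_KEY) -> bytes:
    nonce, body = esp[:8], esp[8:]
    return bytes(a ^ b for a, b in zip(body, _toy_stream(key, nonce, len(body))))


def transport_mode(packet: bytes, spi: int, seq: int) -> bytes:
    """Transport Mode: keep the original IP header, encrypt only the payload.
    The original protocol number travels inside ESP; the header now says ESP."""
    src, dst, proto, payload = parse_ipv4(packet)
    return build_ipv4(src, dst, PROTO_ESP, esp_encrypt(bytes([proto]) + payload, spi, seq))


def tunnel_mode(packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """Tunnel Mode: encrypt the whole original packet, header included, and
    wrap it in a new header that carries only the two gateway addresses."""
    return build_ipv4(gw_src, gw_dst, PROTO_ESP, esp_encrypt(packet, spi, seq))


def tunnel_mode_unwrap(outer: bytes) -> bytes:
    return esp_decrypt(parse_ipv4(outer)[3])


def transport_mode_unwrap(outer: bytes) -> bytes:
    src, dst, _, esp = parse_ipv4(outer)
    inner = esp_decrypt(esp)
    return build_ipv4(src, dst, inner[0], inner[1:])


def demo():
    """Private host 10.0.0.5 talks to 10.0.1.9 across gateways 203.0.113.10 and
    198.51.100.7 (constructed addresses from the documentation ranges)."""
    original = build_ipv4("10.0.0.5", "10.0.1.9", 6, b"GET /payroll HTTP/1.1")
    tunnel = tunnel_mode(original, "203.0.113.10", "198.51.100.7", spi=0x1001, seq=1)
    transport = transport_mode(original, spi=0x1002, seq=1)
    t_src, t_dst, _, t_body = parse_ipv4(tunnel)
    x_src, x_dst, _, x_body = parse_ipv4(transport)
    return {
        "tunnel_visible": (t_src, t_dst),          # gateway addresses only
        "transport_visible": (x_src, x_dst),       # inner endpoints exposed
        "tunnel_payload_leaks": b"payroll" in t_body,
        "transport_payload_leaks": b"payroll" in x_body,
        "tunnel_roundtrip": tunnel_mode_unwrap(tunnel) == original,
        "transport_roundtrip": transport_mode_unwrap(transport) == original,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The output shows the property the slide describes: both modes hide the payload, but only Tunnel Mode hides the private 10.x.x.x endpoints behind the gateways' routable addresses, which is why site-to-site tunnels between private networks use it, while Transport Mode leaves the inner addresses on the wire and so needs them to be routable.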
> Enable IPSec
> Create a new IKE Proposal (or use the default)
> Create a Security Association
> Identify the remote network (specify manually or create an IP Address Group)
> Decide on a keying method
> Decide on Tunnel or Transport mode
Client-to-Site VPN
> User Authentication is accomplished via the local user database or RADIUS
> L2TP/IPSec
Complete all steps for IPSec above. Enable L2TP.
> PPTP
Enable the PPTP Server. Check Require Encryption to use MPPE.
> Traffic from remote sites and/or users connecting to the network via VPN can be terminated into any configured security zone
> In order to provide maximum protection, it may be wise to use the preconfigured VPN zone to implement policy (Firewall and IPS)