
IPSec



  1. IPSec: Internet Protocol Security And You. Bill Nickless / IPSec

  2. Outline • What is IPSec, and what is it for? • The IPSec Framework • How do IKE, AH, and ESP fit together? • Routing and Technology Issues • Management and Policy Issues • How To Learn More

  3. IPSec Scope (RFC 2401) Good news: IPSEC is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6.

  4. IPSec Scope (RFC 2401) Bad news: The set of IPSec protocols employed in any context, and the ways they are employed, will be determined by the security and system requirements of users, applications, and/or sites/organizations.

  5. IPSec Scope • IPSec is a technology. • IPSec is NOT a solution. • Better: IPSec is a technology framework.

  6. Outline • What is IPSec, and what is it for? • The IPSec Framework • How do IKE, AH, and ESP fit together? • Routing and Technology Issues • Management and Policy Issues • How To Learn More

  7. IPSec • Standards-based IP Security Framework • Data Integrity • Data Confidentiality • Data Origin Authentication • Anti-Replay Protection • Supported in modern router software • Cisco IOS 12.1(19) or later • Juniper JUNOS 5.3 or later (with Encryption Services PIC)

  8. IPSec Router performs additional operations: • Receive the packet and verify/decrypt it • Inspect the headers of the packet • Based on that inspection, put the packet into an outbound queue • Transmit the packet when it reaches the front of the outbound queue and sign/encrypt it

  9. Ciphers, Signing and Keys (Oh My!) • IPSec is a framework that supports many cryptographic technologies. • What fits into the IPSec framework? • Diffie-Hellman Key Exchange • Ciphers • Hashes • Shared Secrets • Certificates • Perfect Forward Secrecy

  10. Diffie-Hellman Key Exchange • Agree on a secret shared key, without a secure channel. Suppose Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key agreement protocol. They proceed as follows: First, Alice generates a random private value a and Bob generates a random private value b. Both a and b are drawn from the set of integers. Then they derive their public values using parameters p and g and their private values. Alice's public value is g^a mod p and Bob's public value is g^b mod p. They then exchange their public values. Finally, Alice computes g^(ab) = (g^b)^a mod p, and Bob computes g^(ba) = (g^a)^b mod p. Since g^(ab) = g^(ba) = k, Alice and Bob now have a shared secret key k. (Source: http://www.rsasecurity.com/rsalabs/node.asp?id=2248)
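The exchange on slide 10, carried out in code. This is an added example, not part of the original deck: the group parameters DEMO_P and DEMO_G are an assumption chosen so the numbers stay readable, not one of the MODP groups IKE actually negotiates (those are defined in RFC 2409 and RFC 3526). The range check on the peer's public value is the one detail the slide's prose omits that a real implementation must not skip.

```python
"""Diffie-Hellman key agreement, the step IKE uses to derive a shared
secret over an open network.  Added example, not from the presentation.

Demo-sized parameters are an assumption made for readability; IKE uses
the MODP groups of RFC 2409 (and later RFC 3526), whose primes are
hundreds of hex digits long.  Never deploy a group this small.
"""
import secrets

DEMO_P = 2**61 - 1   # a Mersenne prime: big enough to look real, far too small to be safe
DEMO_G = 3


def dh_keypair(p=DEMO_P, g=DEMO_G):
    """Random private value x in [2, p-2] and its public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(peer_public, private, p=DEMO_P):
    """(g^y)^x mod p, which equals (g^x)^y mod p on the other side.

    Public values 0, 1 and p-1 are rejected: a peer that sends one of
    them forces the shared secret into a tiny, predictable set, so an
    implementation must refuse them before doing any arithmetic."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def run_exchange(p=DEMO_P, g=DEMO_G):
    """Alice and Bob agree on a key while Eve watches the wire.

    Returns (alice_key, bob_key, wire) where wire is exactly what Eve
    sees: the two public values.  Turning those into g^(ab) mod p is the
    discrete-logarithm problem, which is why the channel itself need
    not be secure."""
    a, g_a = dh_keypair(p, g)          # Alice keeps a, sends g^a
    b, g_b = dh_keypair(p, g)          # Bob keeps b, sends g^b
    wire = (g_a, g_b)                  # IKE carries these in KE payloads
    return dh_shared(g_b, a, p), dh_shared(g_a, b, p), wire


if __name__ == "__main__":
    k_alice, k_bob, seen = run_exchange()
    print("Eve saw g^a, g^b =", seen)
    print("Alice and Bob both hold", k_alice if k_alice == k_bob else "DIFFERENT KEYS")
    # Textbook-sized check with p=23, g=5, a=6, b=15: both sides get 2.
    print("toy group:", dh_shared(19, 6, 23), dh_shared(8, 15, 23))
```

The private values a and b never leave their owners; only g^a and g^b cross the wire, which is the property slide 10 relies on when it says no secure channel is needed.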

  11. Ciphers • Obscure data, so that it can only be read by someone with the right "key" • DES, AES, RSA, RC5, Blowfish, Skipjack, etc. • Caveat: ESP bulk encryption uses symmetric ciphers (DES, 3DES, AES, ...). RSA is a public-key algorithm; in IPSec it appears in IKE for certificate-based authentication, not as an ESP transform. Single DES (56-bit key) is no longer considered adequate.

  12. Hashes • Take a bunch of data, make a digest of it, so that changes can be detected • MD5, SHA-1, RIPEMD-160 • In AH and ESP the hash is always keyed (HMAC-MD5-96, HMAC-SHA-1-96): without the SA's key, an attacker who changes a packet cannot recompute a matching digest.

  13. Shared Secrets • Prove identity by demonstrating knowledge of the same data • Not necessary to actually transmit the shared secret: in IKE's pre-shared-key method each side mixes it into a keyed hash over the exchange, so only proof of knowledge crosses the wire.

  14. Perfect Forward Secrecy RFC 2409: Perfect Forward Secrecy (PFS) refers to the notion that compromise of a single key will permit access to only data protected by a single key. For PFS to exist the key used to protect transmission of data MUST NOT be used to derive any additional keys, and if the key used to protect transmission of data was derived from some other keying material, that material MUST NOT be used to derive any more keys.

  15. Certificates • Establish trust based on mutual trust of a third party • X.509

  16. IPSec Security Associations • IPSec Security Associations (SA) • between two routers (or hosts) • Unicast only • Unidirectional: a two-way conversation needs one SA per direction, each identified by its SPI, destination address and protocol (AH or ESP) • Selection Criteria (the Security Policy Database): Drop, Apply IPSec, Pass without IPSec

  17. IPSec Router IPSec flow: • Receive the packet. • Inspect the headers of the packet. Matching Security Association (SA)? • If so, verify/decrypt. • Inspect headers again. Make routing decision, and look for matching Security Association (SA). • If so, sign/encrypt. • Transmit the packet.
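The "Drop, Apply IPSec, Pass without IPSec" decision on slide 16, and the "look for matching Security Association" step on slide 17, are a first-match search of the Security Policy Database (RFC 2401). The following is an added example, not code from the presentation or from any router vendor; the addresses, the site layout and the SA name "esp-tunnel-to-siteB" are constructed for the demo. It shows why entry order is itself a security decision: the same four entries with the catch-all moved to the top silently send private traffic in the clear.

```python
"""Security Policy Database (SPD) lookup in the style of RFC 2401.

Added example; not code from the presentation or from any router vendor.
Policies are searched in order and the first match wins, which is what
makes entry ordering a security decision.  SAs are unidirectional, so a
PROTECT entry names the outbound SA only; the inbound direction has its
own SA and its own SPD entry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"


@dataclass(frozen=True)
class Selector:
    """Traffic selector: CIDR prefixes plus optional protocol / destination port."""
    src: str
    dst: str
    proto: Optional[int] = None      # IP protocol number, None = any
    dport: Optional[int] = None      # destination port, None = any

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str
    sa: Optional[str] = None         # PROTECT entries name the SA to apply


def spd_lookup(spd, pkt):
    """First-match search.  If nothing matches, RFC 2401 says discard."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.action, entry.sa
    return DISCARD, None


# Constructed scenario (assumption): site A 10.1.0.0/16 behind gateway
# 203.0.113.10, site B 10.2.0.0/16 behind gateway 198.51.100.20.
SITE_A_SPD = [
    # IKE (UDP/500) to the peer gateway must travel in the clear, or the
    # tunnel that protects everything else can never be negotiated.
    Policy(Selector("203.0.113.10/32", "198.51.100.20/32", proto=17, dport=500), BYPASS),
    # Inter-site traffic is protected by the ESP tunnel SA toward site B.
    Policy(Selector("10.1.0.0/16", "10.2.0.0/16"), PROTECT, "esp-tunnel-to-siteB"),
    # Private addresses must never leave the site unprotected.
    Policy(Selector("10.1.0.0/16", "0.0.0.0/0"), DISCARD),
    # Ordinary Internet traffic from the gateway itself passes untouched.
    Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), BYPASS),
]

# The same entries with the catch-all BYPASS moved to the top: a classic
# misconfiguration that matches everything before the PROTECT entry.
MISORDERED_SPD = [SITE_A_SPD[3]] + SITE_A_SPD[:3]

# Constructed sample packets (assumption), one per policy outcome.
SAMPLE_PACKETS = {
    "ike":       {"src": "203.0.113.10", "dst": "198.51.100.20", "proto": 17, "dport": 500},
    "intersite": {"src": "10.1.4.7", "dst": "10.2.9.1", "proto": 6, "dport": 22},
    "leak":      {"src": "10.1.4.7", "dst": "192.0.2.55", "proto": 6, "dport": 80},
    "internet":  {"src": "203.0.113.10", "dst": "192.0.2.55", "proto": 6, "dport": 80},
}


def classify(spd):
    """Return {name: action} for every sample packet under the given SPD."""
    return {name: spd_lookup(spd, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, spd in (("correct order", SITE_A_SPD), ("misordered", MISORDERED_SPD)):
        print(label, classify(spd))
```

Running it prints PROTECT for the inter-site packet under the correct ordering and BYPASS for the same packet under the misordered one; nothing in the data path would complain, which is why SPD review belongs in any IPSec deployment checklist.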

  18. Outline • What is IPSec, and what is it for? • The IPSec Framework • How do IKE, AH, and ESP fit together? • Routing and Technology Issues • Management and Policy Issues • How To Learn More

  19. The Internet Key Exchange (IKE) RFC 2409: The purpose is to negotiate, and provide authenticated keying material for, security associations in a protected manner. Processes which implement this memo can be used for negotiating virtual private networks (VPNs) and also for providing a remote user from a remote site (whose IP address need not be known beforehand) access to a secure host or network.

  20. IKE Phase 1 Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA). (In RFC 2409 terms, Phase 1 runs as Main Mode or Aggressive Mode.)

  21. IKE Phase 2 Phase 2 is where Security Associations are negotiated on behalf of services such as IPsec or any other service which needs key material and/or parameter negotiation. (RFC 2409 calls this Quick Mode; it is protected by the Phase 1 ISAKMP SA.)

  22. IKE New Group "New Group Mode" is not really a phase 1 or phase 2. It follows phase 1, but serves to establish a new group which can be used in future negotiations.
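How Phase 1 and Phase 2 (slides 20 and 21) turn the Diffie-Hellman result of slide 10 into IPSec keys, and what the PFS definition on slide 14 buys. This is an added example, not code from the presentation; it applies the RFC 2409 derivation formulas for pre-shared-key authentication with HMAC-SHA-1 as the prf. The pre-shared key, nonces, cookies, SPI and the two Diffie-Hellman results are constructed demo values (an assumption; a real exchange would compute the DH results as on slide 10 and they would be far larger).

```python
"""IKE (RFC 2409) keying material with and without Perfect Forward Secrecy.

Added example, not from the presentation.  It applies the RFC 2409 key
derivation for pre-shared-key authentication:

    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)                     (Phase 1)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)                (Phase 1)
    KEYMAT   = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)   (Phase 2)

with prf = HMAC-SHA-1.  The Diffie-Hellman results are passed in as
demo-sized integers (an assumption), which keeps the run deterministic.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf: the HMAC form of the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def be(n: int) -> bytes:
    """Big-endian byte string of a DH result, as IKE feeds it to the prf."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def phase1_skeyid_d(psk, ni, nr, g_xy, cky_i, cky_r):
    """Phase 1: SKEYID (PSK authentication), then SKEYID_d, the root from
    which every Phase 2 SA key is derived."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, be(g_xy) + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni_qm, nr_qm, g_qm_xy=None):
    """Phase 2 (Quick Mode) KEYMAT for one IPsec SA.

    Without PFS the result depends only on SKEYID_d plus values that are
    visible on the wire.  With PFS a fresh DH result g(qm)^xy is mixed
    in and then discarded, which is what the RFC 2409 PFS definition
    requires: the keying material must not be reusable for more keys."""
    fresh = be(g_qm_xy) if g_qm_xy is not None else b""
    return prf(skeyid_d, fresh + bytes([protocol]) + spi + ni_qm + nr_qm)


# Constructed demo inputs (assumption: none of these are real values).
PSK = b"site-to-site-preshared-key"
NI, NR = b"\x11" * 16, b"\x22" * 16            # Phase 1 nonces
CKY_I, CKY_R = b"\xa1" * 8, b"\xb2" * 8        # ISAKMP cookies, 8 bytes each
G_XY = 0x1234567890ABCDEF1234567890ABCDEF      # Phase 1 DH result, demo-sized
PROTO_IPSEC_ESP = 3                            # RFC 2407 DOI protocol identifier
SPI = b"\x00\x00\x10\x01"
NI_QM, NR_QM = b"\x33" * 16, b"\x44" * 16      # Quick Mode nonces
G_QM_XY = 0x0FEDCBA987654321FEDCBA987654321    # fresh Quick Mode DH result


def attacker_recovers_keys():
    """Threat model: SKEYID_d has leaked (say, Phase 1 state recovered
    from a compromised gateway) and everything on the wire (nonces, SPI,
    protocol) is known.  Can the attacker derive the IPsec SA keys?
    Returns (recovered_without_pfs, recovered_with_pfs)."""
    skeyid_d = phase1_skeyid_d(PSK, NI, NR, G_XY, CKY_I, CKY_R)
    real_nopfs = phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, SPI, NI_QM, NR_QM)
    real_pfs = phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, SPI, NI_QM, NR_QM, G_QM_XY)
    # The attacker holds SKEYID_d and the wire values but not the Quick
    # Mode DH secret, so the best it can do is the no-PFS formula.
    guess = phase2_keymat(skeyid_d, PROTO_IPSEC_ESP, SPI, NI_QM, NR_QM)
    return guess == real_nopfs, guess == real_pfs


if __name__ == "__main__":
    no_pfs, pfs = attacker_recovers_keys()
    print("without PFS, leaked SKEYID_d yields the SA keys:", no_pfs)
    print("with PFS,    leaked SKEYID_d yields the SA keys:", pfs)
```

The first line prints True and the second False: with PFS each Phase 2 SA costs an extra Diffie-Hellman exponentiation, and in return a Phase 1 compromise no longer exposes the data keys of every SA that Phase 1 ever negotiated.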

  23. IKE In Operation

  24. IKE In Operation

  25. IKE In Operation

  26. Authentication Header (AH) • Uses a keyed hash (HMAC-MD5-96 or HMAC-SHA-1-96) over the payload and the immutable fields of the IP header, so unlike ESP it also authenticates the outer IP header • Protects against modification • Protects against replay (sequence number) • No confidentiality: the payload travels in the clear • RFC 2402

  27. ESP: Encapsulating Security Payload, Transport Mode
  • Before applying ESP
                 ----------------------------
           IPv4  |orig IP hdr  |     |      |
                 |(any options)| TCP | Data |
                 ----------------------------
  • After applying ESP
                 -------------------------------------------------
           IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
                 |(any options)| Hdr | TCP | Data | Trailer |Auth|
                 -------------------------------------------------
                                     |<----- encrypted ---->|
                               |<------ authenticated ----->|
  • RFC 2406

  28. Recursive Encapsulation: Tunneling Why? • Create a virtual connection between two parts of a private Internet that… …uses non-routable addresses (for example RFC 1918 private space)? …uses advanced services like IPv6 or multicast? • Encrypt the encapsulated packet

  29. Recursive Encapsulation: Tunneling • Encapsulate an IP packet inside the data portion of another IP packet

  30. ESP: Encapsulating Security Payload, Tunnel Mode
  • Before applying ESP
                 ----------------------------
           IPv4  |orig IP hdr  |     |      |
                 |(any options)| TCP | Data |
                 ----------------------------
  • After applying ESP
                 ---------------------------------------------------------------
           IPv4  | new IP hdr  | ESP | orig IP hdr  |     |      |   ESP   | ESP|
                 |(any options)| Hdr | (any options)| TCP | Data | Trailer |Auth|
                 ---------------------------------------------------------------
                               |<--------- encrypted -------------->|
                         |<----------- authenticated -------------->|
  • RFC 2406
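The ESP header, trailer and authentication data of slides 27 and 30, built and verified byte for byte, together with the anti-replay check slide 7 lists as an IPSec service. This is an added example, not code from the presentation. It uses ESP with the NULL cipher (RFC 2410) and HMAC-SHA1-96 (RFC 2404), a legitimate combination when integrity and origin authentication are wanted without secrecy, and the one that keeps the example on the Python standard library; the key, SPI and TCP segment are constructed for the demo.

```python
"""ESP framing (RFC 2406) and anti-replay checking, as an added example.

Not code from the presentation.  It uses ESP with the NULL cipher
(RFC 2410) and HMAC-SHA1-96 (RFC 2404).  With a real cipher the byte
layout is identical; the payload and trailer bytes would simply be
ciphertext.  Keys and packet contents below are constructed for the demo.
"""
import hashlib
import hmac
import struct

NEXT_HEADER_TCP = 6      # transport mode: ESP wraps a TCP segment
NEXT_HEADER_IPIP = 4     # tunnel mode: ESP wraps a whole IPv4 packet
ICV_LEN = 12             # HMAC-SHA1-96: the 20-byte HMAC truncated to 96 bits


def esp_encapsulate(auth_key, spi, seq, payload, next_header):
    """Build SPI | Seq | payload | padding | Pad Length | Next Header | ICV.

    RFC 2406: Pad Length and Next Header must end on a 4-byte boundary,
    and the default padding content is the byte sequence 1, 2, 3, ...
    The ICV covers everything from the SPI through Next Header, the
    "authenticated" span in the slide diagrams."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


class ReplayWindow:
    """Sliding anti-replay window (RFC 2401: minimum 32, default 64).

    Bit i of the bitmap means sequence number (last - i) was accepted."""

    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check(self, seq):
        """Is this sequence number acceptable?  Does not modify state."""
        if seq == 0:                     # RFC 2406: sequence 0 is never valid
            return False
        if seq > self.last:              # new high-water mark, always new
            return True
        offset = self.last - seq
        return offset < self.size and not (self.bitmap & (1 << offset))

    def update(self, seq):
        """Record an accepted sequence number (call only after the ICV check)."""
        if seq > self.last:
            self.bitmap = ((self.bitmap << (seq - self.last)) | 1) & ((1 << self.size) - 1)
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def esp_decapsulate(auth_key, packet, window):
    """Verify one inbound ESP packet; return (next_header, payload) or raise.

    Order matters: replay check first (cheap), then ICV, and only a packet
    with a good ICV may advance the window, so forged packets with high
    sequence numbers cannot push the window past legitimate traffic."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("runt ESP packet")
    spi, seq = struct.unpack("!II", packet[:8])
    if not window.check(seq):
        raise ValueError("replay: sequence %d rejected" % seq)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: modified packet or wrong SA key")
    window.update(seq)
    pad_len, next_header = body[-2], body[-1]
    padding = body[len(body) - 2 - pad_len:len(body) - 2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return next_header, body[8:len(body) - 2 - pad_len]


def demo():
    """Deliver a segment, replay it, then tamper with a second one.
    Returns {"first": delivered?, "replay": accepted?, "tamper": accepted?}."""
    key = b"demo-hmac-key-for-this-sa-only"                 # constructed
    segment = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"   # fake TCP hdr + data
    rx = ReplayWindow()
    pkt = esp_encapsulate(key, 0x1001, 1, segment, NEXT_HEADER_TCP)
    results = {"first": esp_decapsulate(key, pkt, rx) == (NEXT_HEADER_TCP, segment)}
    tampered = bytearray(esp_encapsulate(key, 0x1001, 2, segment, NEXT_HEADER_TCP))
    tampered[12] ^= 0xFF                                     # flip one payload byte
    for name, candidate in (("replay", pkt), ("tamper", bytes(tampered))):
        try:
            esp_decapsulate(key, candidate, rx)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(demo())
```

On the 20-byte demo segment the ESP header, padding, trailer and ICV add 24 bytes; tunnel mode would add a further 20-byte outer IPv4 header on top. That overhead on every packet is the "MTU ugliness" slide 34 warns about.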

  31. IPSec Router IPSec flow: • Receive the packet. • Inspect the headers of the packet. Matching Security Association (SA)? • If so, verify/decrypt. • Inspect headers again. Make routing decision, and look for matching Security Association (SA). • If so, sign/encrypt. • Transmit the packet.

  32. ESP in Operation

  33. Outline • What is IPSec, and what is it for? • The IPSec Framework • How do IKE, AH, and ESP fit together? • Routing and Technology Issues • Management and Policy Issues • How To Learn More

  34. ESP and AH • Additional Header Information • Smaller payload • MTU ugliness: the added headers and trailers shrink the usable MTU, so full-size packets get fragmented, or dropped when DF is set • Cryptographic Operations • Additional Complexity • More CPU load?

  35. ESP Tunnel Mode • Original headers obscured • Bad guys can't see the headers ...neither can your firewall! ...neither can your router! • Creates a Virtual Circuit • Encapsulated IP TTL isn't decremented • Intermediate hops are obscured • Remember debugging ATM VCs? …or MPLS?

  36. ESP in Operation

  37. Outline • What is IPSec, and what is it for? • The IPSec Framework • How do IKE, AH, and ESP fit together? • Routing and Technology Issues • Management and Policy Issues • How To Learn More

  38. Where is your Security Perimeter? • Firewalls and ACLs protect your network • IPSec VPN solutions bring external hosts inside your network • Should you trust those external hosts? • Viruses, Worms, Trojans • OS Vendor Patch-of-the-week • "Art and Music" sharing • Split tunneling (the remote host reaches the Internet directly while the tunnel is up, so it can bridge the two) vs. Host-based Firewalls

  39. Policy Enforcement • Enforcement Requires Visibility • ESP Tunnel Mode • Bad guys can't see the headers ….neither can your firewall! ….neither can your router! • Encryption Obscures Activity • Is this traffic work-related or "Art and Music"?

  40. IPSec: A Two-Edged Sword • Powerful set of options • Data Confidentiality • Data Integrity • Data Origin Authentication • Bad Guys can use IPSec too • Back doors • Hiding "bad" activity

  41. IPSec Legal/Societal Issues • Cryptography: Controlled as a Munition • Lawful Intercept • U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Not a comprehensive list)

  42. Outline • What is IPSec, and what is it for? • The IPSec Framework • How do IKE, AH, and ESP fit together? • Routing and Technology Issues • Management and Policy Issues • How To Learn More

  43. Example Solution: Cisco Easy VPN

  44. Example Solution: Cisco Easy VPN

  45. Cisco and Linux Interoperate http://www.sans.org/rr/papers/20/753.pdf

  46. Juniper IPSec Configuration
  http://www.juniper.net/techpubs/software/junos/junos63/swconfig63-services/html/ipsec-config.html
  Cisco IPSec Configuration
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfipsec.htm
  IETF IPSec Working Group
  http://www.ietf.org/html.charters/ipsec-charter.html
  Virtual Private Network Consortium
  http://www.vpnc.org/vpn-standards.html
  Note: the RFCs this deck cites (2401 architecture, 2402 AH, 2406 ESP, 2409 IKE) have since been obsoleted by RFC 4301, RFC 4302, RFC 4303 and IKEv2 (RFC 7296). The concepts above are unchanged, but implement and configure against the current documents.
