
Deployment of IPSec VPN: VPN, IPSec, PKI, Smart Cards


Presentation Transcript


  1. Ivan Svoboda, Manager, Information Security Projects
     Deployment of IPSec VPN: VPN, IPSec, PKI, Smart Cards

  2. Agenda
     • Business drivers
     • VPN levels
     • VPN & Firewall
     • VPN & PKI
     • VPN & Security Certification

  3. Current issues
     • E-commerce, E-government
     • Internet services
     • Flexibility
     • Network infrastructure & cost reduction
     • Network security threats
       • Sniffing
       • IP spoofing
       • Session hijacking
       • Man-in-the-middle
     • The enabler: Secure VPN

  4. Secure networks? (Diagram: data exchanged between Praha and Brno over X.25, ATM, Frame Relay, Internet, PSTN)

  5. Secure networks? YES! (Diagram: documents exchanged between Praha and Brno through a VPN over X.25, ATM, Frame Relay, Internet, JTS)

  7. Encryption layers (Diagram: the OSI stacks of two communicating hosts, with SSH and S/MIME at the application layer, SSL/TLS between session and transport, IPSec at the network layer, L2TP and PPTP at the link layer, and LAN, WAN, Internet as the physical medium)

  8. Encryption layers
     • Application (SSH, S/MIME etc.)
       • (-) application dependent
       • (-) network access control missing
       • (+) most specific services
     • Transport (SSL/TLS)
       • (-) TCP-only (HTTP etc.)
     • Network (IPSec)
       • (-) IP-only
       • (+) every IP packet is secured
       • (+) IP-address tunnelling
     • Link (L2TP, PPTP)
       • (+) RAS, mixed networks (IP, IPX, NetBEUI etc.)

  9. Network layer encryption: IPSec (Diagram: documents passing through the OSI stacks of two hosts, with IPSec inserted at the network layer)

  10. IPSec VPN compatibility (Diagram: IPSec VPN at the network layer, below applications such as database client/server, ERM, e-mail, GIS and www and platforms such as Unix, Microsoft, Oracle, Novell, and above the networks LAN, X.25, Internet, Frame Relay, PPP, WAN)

  11. IPSec VPN functions (Diagram: documents, public key, digitally signed by CA)
     • Data confidentiality & integrity
       • Encryption (ESP)
       • Authentication (AH)
     • Users/nodes authentication
       • Digital certificates X.509
     • Access control
       • Access to networks
       • Access to resources (servers)

  12. Secure VPN – IPSec technology (Diagram: two hosts' stacks over LAN, WAN, ...: applications, TCP/UDP, IP, IPSEC, Ethernet/PPP; IKE (ISAKMP/Oakley) runs above TCP/UDP for key management; ESP/AH provide data authentication and encryption)

  13. IPSec implementation (Diagram: IPSec VPN implemented in HW or SW: firewall, router, VPN gateway; public key digitally signed by CA)

  14. IPSec interoperability (Diagram: Microsoft and other products across LAN, WAN, Internet, JTS)
     • Different types of products in different locations
     • IPSec compatibility: ICSA certification

  15. IPSec VPN deployment (Diagram: LAN, PSTN, WAN, Internet, PDA, ...)
     • Intranet
     • Extranet
     • E-business / E-government
     • Where are the threats?
       • Internal vs. external

  16. VPN deployment issues
     • VPN & firewall
       • Complementary technologies
       • Coordination of policies necessary
     • VPN & PKI & smart cards
       • Complementary technologies
       • Attribute certificates
       • Two-factor authentication

  17. Firewall supplements
     • Content security
     • High availability
     • Antivirus control
     • Load balancing
     • Strong authentication
     • Vulnerability assessment
     • Directory
     • PKI
     • Intrusion detection
     • VPN
     • Log analysis
     • Network management

  18. Deploying a VPN Service with or without a Firewall
     • Each component in the network solves its own distinct problem
     • Issues: performance, reliability, policy integration, TCO, …
     • Security: question of protected area perimeter

  19. No Firewall Scenario (Diagram: head office LAN – Secure VPN Gateway – access router – Internet)
     • VPN Gateway authenticates users with X.509 certificates
     • If all traffic is encrypted, VPN Gateway acts as “perfect” firewall
     • No other filtering

  20. Outside of Firewall Scenario (Diagram: head office LAN – Firewall – Secure VPN Gateway – access router – Internet)
     • VPN traffic decrypted by VPN Gateway
     • Firewall can perform additional packet filtering, authentication, and application proxies
     • No changes to firewall security policy
     • Security perimeter?

  21. In Parallel to Firewall Scenario (Diagram: head office LAN reaches the access router and Internet through the Firewall and the Secure VPN Gateway placed side by side)
     • Network access validated and secured by VPN system
     • Security policy more flexible and simple to implement
     • No network traffic bottlenecks

  22. Inside of Firewall Scenario (1) (Diagram: WAN – router – FW – DMZ – VPN – LAN; the VPN protected area)

  23. Inside of Firewall Scenario (2) (Diagram: WAN – router – FW – DMZ – VPN – LAN; protected area)
     • FW: non-authorised users (access to Web server)
     • VPN: authorised users (access to accounting server)

  24. Problem issues
     • Correct IPSec transport through firewall (proxy server)
     • Transport of LDAP (TCP/port 309) and PKIX (TCP/port 709)
     • Transport of ISAKMP / IKE (UDP/port 500)
     • Transport of ESP (IP/port 50) and AH (IP/port 51)
     • Network address translation (NAT)

  25. Secure VPNs and Authentication
     • Two ends wishing to set up a secured session need to know who they are communicating with, otherwise…
       • spoofing attack
       • man-in-the-middle attacks
     • The secure tunnel needs to be authenticated at both ends
     • Authentication options (IKE):
       • Certificates
       • Shared secret

  26. Alternate Authentication Method: “Shared Secret”
     • Eliminate certificates for small deployments
     • User enters a password for authentication
       • supported by IKE, in lieu of certificates
       • longer passwords are more secure
       • password never traverses the network
     • But… not as scalable as certificates
       • password administration becomes difficult
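A simplified model of the slide's "password never traverses the network" claim, added here and not taken from the presentation: with an IKE pre-shared key, each peer derives SKEYID from the PSK and the exchanged nonces and proves possession with a keyed hash over the exchange, so only nonces, cookies, DH values and hashes appear on the wire. The PRF choice, the payload layout and the names (prf, skeyid, authenticator, run_exchange) are this example's simplifications of IKEv1 main mode, not its real wire format.

```python
import hmac
import hashlib
import os


def prf(key: bytes, data: bytes) -> bytes:
    # IKE negotiates the PRF; HMAC-SHA-256 stands in for it here (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the only place the PSK is used.
    return prf(psk, ni + nr)


def authenticator(sk: bytes, gxi: bytes, gxr: bytes, cky_i: bytes,
                  cky_r: bytes, sa: bytes, ident: bytes) -> bytes:
    # HASH_I/HASH_R = prf(SKEYID, g^x | g^x' | CKY-I | CKY-R | SAi_b | ID_b)
    return prf(sk, gxi + gxr + cky_i + cky_r + sa + ident)


def run_exchange(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Return True if the responder accepts the initiator's HASH_I.
    Nonces, cookies and DH public values are random placeholders; a real
    implementation obtains g^x from a Diffie-Hellman exchange."""
    ni, nr = os.urandom(16), os.urandom(16)
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    gxi, gxr = os.urandom(32), os.urandom(32)     # stand-ins for DH public values
    sa = b"ESP/AES-256/HMAC-SHA-256"               # constructed SA proposal bytes
    id_i = b"vpn-client@example.invalid"           # constructed ID payload

    # Everything that crosses the wire; the PSK is not among it.
    wire = [ni, nr, cky_i, cky_r, gxi, gxr, sa, id_i]
    assert psk_initiator not in b"".join(wire)

    # Initiator derives SKEYID from its own PSK copy and sends HASH_I.
    hash_i = authenticator(skeyid(psk_initiator, ni, nr),
                           gxi, gxr, cky_i, cky_r, sa, id_i)
    # Responder recomputes with *its* PSK and compares in constant time.
    # Note the defensive point behind "longer passwords are more secure":
    # everything but the PSK is observable, so a weak PSK is the only
    # thing standing between an observer and a valid SKEYID.
    expected = authenticator(skeyid(psk_responder, ni, nr),
                             gxi, gxr, cky_i, cky_r, sa, id_i)
    return hmac.compare_digest(hash_i, expected)
```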

  27. VPN & PKI
     • PKI is the most scalable authentication method for VPN
     • VPN is a “killer” application for PKI
     • Dynamic modifications:
       • Attribute certificates – VPN group membership

  28. Secure VPN Groups (Diagram: users reach their group subnets over the Internet through the VPN gateway)
     • Engineering VPN group
       • User A
       • Engineering subnet
     • Finance VPN group
       • User B
       • Finance subnet
     • Inventory VPN group
       • User B
       • User C
       • Inventory subnet

  29. VPN groups: access privileges (Diagram: VPN (1) and VPN (2) across the WAN between LAN A and LAN B)

  30. VPN policy manager (Diagram: VPN groups, group members, new users)
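Slides 27 to 30 describe group-based access: a user's attribute certificate carries VPN group memberships, each group maps to a subnet, and membership can change without reissuing the identity certificate. The following is an added example, not code from the presentation, of the per-flow decision such a policy manager makes; the user names, group names and subnet addresses are constructed to mirror slide 28.

```python
import ipaddress
from dataclasses import dataclass

# Group -> subnet reachable through the gateway (constructed addresses).
GROUP_SUBNETS = {
    "engineering": ipaddress.ip_network("10.10.0.0/24"),
    "finance":     ipaddress.ip_network("10.20.0.0/24"),
    "inventory":   ipaddress.ip_network("10.30.0.0/24"),
}

# Membership as slide 28 shows it; in a deployment this comes from the
# attribute certificate presented with the user's X.509 identity.
MEMBERSHIP = {
    "user_a": {"engineering"},
    "user_b": {"finance", "inventory"},
    "user_c": {"inventory"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user: str, dst_ip: str, membership=MEMBERSHIP,
              subnets=GROUP_SUBNETS) -> Decision:
    """Default deny: the destination must lie inside a subnet owned by one
    of the user's groups. Unknown users and destinations outside every
    group subnet are refused, so a missing attribute certificate fails closed."""
    groups = membership.get(user)
    if not groups:
        return Decision(False, f"{user}: no group membership presented")
    dst = ipaddress.ip_address(dst_ip)
    owners = [g for g, net in subnets.items() if dst in net]
    if not owners:
        return Decision(False, f"{dst} is outside every VPN group subnet")
    granted = sorted(set(owners) & groups)
    if granted:
        return Decision(True, f"{user} reaches {dst} via group {granted[0]}")
    return Decision(False, f"{user} is not a member of {owners[0]} for {dst}")


def revoke(user: str, group: str, membership=MEMBERSHIP) -> set:
    """Slide 27's 'dynamic modification': dropping a membership takes effect
    on the next decision; the user's identity certificate is untouched."""
    membership.get(user, set()).discard(group)
    return membership.get(user, set())
```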

  31. Two-factor authentication

  32. Smart cards advantage
     • Not only private key storage
     • Private key operations (electronic signature on-card)
     • Security!

  33. PKI & smart cards (Diagram: document, e-mail, SSL and IPSec clients sharing one smart card, with CA and LDAP/X.500 directory)

  34. Smart cards advantage
     • Different private keys/certificates:
       • Clients: e-mail, SSL, IPSec, …
       • Use: authentication, encryption, non-repudiation (electronic signature)
     • Single smart card
     • Multi-function cards
       • Physical access control (contact-less)
       • Secure login
       • Electronic signature

  35. Multi-function smart cards

  36. Is it really secure? (IPSec VPN)
     • Non-certified “IPSec compatible”
     • FIPS 140-1 Security Certification: 2-5
     • ICSA Certification: approx. 10-15

  37. FIPS 140-1
     • Cryptographic modules certification
     • NIST - http://csrc.ncsl.nist.gov/cryptval
     • CR (Czech Republic): Electronic Signature Act Regulation
       • Requirements for the private key protection (as a part of a secure signature creation device)
     • Levels 1-4
     • Level 2:
       • Physical security for high risk environment (tamper-evident coatings)
       • User authentication
       • Controlled access protection (C2 equivalent)
       • VPN, PKI, smart card, …

  38. Conclusion
     • VPN deployment issues/decisions
       • VPN level
       • Security perimeter (risk analysis)
       • VPN & FW
       • Authentication options (VPN & PKI & smart cards)
       • Security certifications
     • www.tsoft.cz
     • svoboda@tsoft.cz
     • +420-2-6134 8738
