210 likes | 225 Views
VPNs and IPSec. Review VPN concepts Encryption IPSec Lab. VPN concepts. Tunneling Encryption. Tunneling. Encapsulation of a packet within another packet Encapsulated packet may be another protocol IPX packet may be encapsulated in IP to transport IPX across an IP network
E N D
VPNs and IPSec • Review • VPN concepts • Encryption • IPSec • Lab
VPN concepts • Tunneling • Encryption
Tunneling • Encapsulation of a packet within another packet • Encapsulated packet may be another protocol • IPX packet may be encapsulated in IP to transport IPX across an IP network • Encapsulated packet may be encrypted
What is Encryption • Converting clear or plain text into some other form – called ciphertext • Transposition • Substitution • Encryption and decryption is performed by an algorithm using a key
Encryption History • Dates back to early history • Greek system – • Polybius square – each message letter replaced by two letters in grid.
Encryption History • Ceasar Cipher • Simply shift each letter • Let’s make an encryption system-
Encryption Methods • Block cipher • Operates on fixed length group of bits • Stream • Operates on plaintext digits (usually single bits or bytes) • Combined with pseudorandom cipher bit stream (keystream)
Encryption • Symmetric key encryption • Shared key – same on both ends • Encryption is fast • Key management is issue • DES, 3DES, AES, IDEA • Used by IPSec for data encryption
Data Encryption Standard • Block cipher • 56 bit key • Now considered insecure • 3DES is more secure but slower – DES is applied three times
Advanced Encryption Standard • Block cipher (128 bit block) • Key sizes of 128, 192, 256 • Became a standard in 2002
Asymmetric Encryption • Two different keys - private key & public key • Encrypt with one, decrypt with the other • More complex – slower encryption • Pretty Good Privacy (PGP), Diffie-Hellman • For confidentiality encrypt with public- only private key can decrypt • For authentication encrypt with private – public can decrypt and verify
Hash Algorithm • Mathematical function that coverts variable length input into constant length output • When two inputs result in same output it is called a collision • Hashes have many uses • In CHAP, for example, used for authentication • SHA-1 and MD5 are hash algorithms
IPSec • Standard protocol • Purpose is to provide either a tamper-free and/or confidential transfer service • Tamper-free means you can be sure it wasn’t altered in transit • Confidential means no one else could read it • May invoke both services • Includes anti-replay service through use of sequence numbers • IPSec is a protocol suite - consists of multiple protocols • IKE - Internet Key Exchange • ESP - Encapsulation security Protocol – confidential transfer • AH - Authentication header – tamper-free transfer
IPSec implementation modes • Tunnel mode • Usually formed between 2 routers (gateways). Can be host to host or host to gateway. • Encrypted tunnel provided by ESP. Entire packet is encrypted and a new header is attached. DIP is peer address. • Transparent to end user • Frame makeup –
IPSec implementation modes • Transport mode • Original IP header used- encrypts payload only • Suited for host to host on internal network • Frame makeup
IKE • Authentication and negotiation protocol. • Verifies the identity of each peer to the other • Exchanges public keys; manages keys • Negotiates which encryption method will be used • Negotiates which protocol – ESP or AH • Operates in 2 phases • Uses SKEME, Oakley and ISAKMP protocols • SKEME – key exchange protocol • Oakley – allows different exchange modes • ISAKMP – Defines how peers communicate
IKE phase 1 • Remote user must first be authenticated • Pre-shared key can be used • Digital certificates - covered below • Kerberos – Windows with Active Directory • Negotiates the parameters that will be used in phase 2. • Phase 1 can be accomplished by 2 different modes - main mode and aggressive mode. Aggressive mode uses fewer packets and is less secure. Not supported by all vendors.
IKE phase 2 • Negotiates the parameters of the IPSec SA. • Only uses quick mode - 3 packets • All exchanges are encrypted
Security Association (SA) • Formed before any data is exchanged • Agreement between 2 IPSec peers/endpoints as to parameters of data exchange such as- • Encryption and hash algorithm to be used • Protocols being used • Communication modes • Each IPSec peer may be communicating with other peers and have multiple SAs. SAs are maintained in an SA database. (SAD)
Authentication Header (AH) • Protocol ID 51 • Provides authentication and integrity checking but not confidentiality • Adds header to existing IP packet. Header contains digital signature verifying that packet hasn't been changed. Digital signature in this case is termed the Intergrity Check Value (ICV) and is a hash value. • What is a digital signature? • What is a hash?
Configuring IPSec • Cisco • Define traffic to protect with acl • Configure IPSec transform set • Set peer address