1.36k likes | 1.84k Views
NETGEAR Product Training Firewall VPN Products. Presented by Hien Ly Level 3, Sr. Tech Support Engineer November, 2007. Agenda. Introduction to NETGEAR Firewall VPN Products Firewall Overview Types of Firewall DMZ NETGEAR DMZ How to Choose a Firewall? VPN Overview What is VPN?
E N D
NETGEAR Product TrainingFirewall VPN Products Presented by Hien Ly Level 3, Sr. Tech Support Engineer November, 2007
Agenda • Introduction to NETGEAR Firewall VPN Products • Firewall Overview • Types of Firewall • DMZ • NETGEAR DMZ • How to Choose a Firewall? • VPN Overview • What is VPN? • Encryption • IPsec Basics • IPsec Protocols • Security Associations (SA) • IKE Phases • SSL312 VPN Introduction • NETGEAR Firewall VPN Router Features • Unique Features highlight • NETGEAR VPN Configuration Screenshots • ProSafe VPN Client Software • Troubleshooting Tips and Lab • VPN Troubleshooting Flow • Hands-on lab
Course Objectives • Agents should be able to do the following after this course: • Recognize the Firewall VPN products that NETGEAR has to offer • Be able to understand the basic Firewall concepts • Be able to understand the basic VPN concepts • Be able to understand the differences between IPSec and SSL VPN • Be able to understand the different types of firewall settings on the NETGEAR routers • Be able to configure and establish VPN sessions using various NETGEAR products: • Box-to-box VPN • Client-to-box VPN • Hub & Spoke VPN
FVS338 50 Tunnels Dial-up Failover SSL312 DGFV338 FVG318 25 SSL Tunnels 108Mbps 802.11g 50 VPN tunnels w/ ADSL2+ modem 108Mbps 802.11g 8 VPN Tunnels ProSafe VPN Firewall Line-up FVX538 200+ Tunnels Dual WAN port 1 Gig LAN Port “Wired” Firewalls FVS336G New • IPSec tunnels • 10 SSL tunnels • 4 Gig LAN • Dual Gig WAN New Wireless Firewalls FVS318v3 8 Tunnels FVS114 8 Tunnels
Firewall 101 • A firewall is a set of components that sit between networks and acts as a gatekeeper to allow in or keep out traffic based on certain criteria. • Firewall types: • Stateful Packet Inspection • Hybrids • Packet filters • Applications proxy
Stateful Packet Inspection (SPI) • Examine each packet passed through. • Allows or drops packets depends of rules. • Maintains tables of information about current connections. • Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded. • Use current state of connections in tables to determine if it will allow or drops incoming packets. • When a connection terminates, it removes the reference from the internal table. Most of the Firewalls available today are Hybrids.
Hybrid Firewall • Offers the best of all world: • Application-Level Packet Filtering • Proxy-ARP Transparency isolates internal systems from attack • Policy-based routing for efficient use of dual network connections • Multiple redundant / balanced Internet links for fail-safe operation • Traffic shaping and QOS control for priority services • Address translation and port/address forwarding hides the internal network
Packet Filters • A packet filter examines every network packets that passes through it. • It drops or forwards the packets depends on a set of rules. • Rules are depends on: • IP Address • Protocol (TCP, UDP, IP, ICMP) • Port number (HTTP, FTP, TELNET) • Direction (inbound, outbound) • Fast • No application or content awareness. • Each packet is examined on a standalone basis.
Applications Proxy • Application awareness. • Acts as a “man in the middle”. • Never allows a packet to pass through the proxy. • Receive and send out packets on behalf of the internal users. • The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network, other than the proxy server. • Computational intensive. • Need proxy for each applications.
DMZ (Demilitarized Zone) • A segment of network for hosting public accessible services (web servers, mail servers, ftp servers). • Limit damage to private network even if DMZ is compromised. Only available on FVX538
DMZ in NETGEAR routers • Only available on FVX538 • This zone can be used to host servers and give public access to them. Port 8 on the LAN of the router can be dedicated as a hardware DMZ port and safely provide the Internet services without compromising security on your LAN. Note: The IP subnet of the DMZ should be different from that of the LAN port and the WAN port(s). Example:WAN 1: 10.0.0.1 with subnet 255.0.0.0WAN2: 20.0.0.1 with subnet 255.0.0.0LAN: 192.168.1.1 with subnet 255.255.255.0DMZ: 192.168.10.1 with subnet 255.255.255.0
How to choose a firewall? • Security. • Features: • Flexibility in defining rules – by time/date. • User authentications. • URL Filtering. • Content filtering. • Port forwarding (NAT). • Performance • Support – updates, enhancement. • Audit Trail – logs, alarms. • Manageability – a firewall is as security as it is configured.
What is a VPN? • VPN is a secure path through a public shared network. • Data is secured by encryption. • Types of VPN: • IPSEC (Internet Protocol Security) • PPTP (Point-to-Point Tunneling Protocol) • L2TP (Layer Two Tunneling Protocol) • SSL (Secure Socket Layer)
Encryption • A mathematical function to convert data into secret. • Encryption convert cleartext to ciphertext. - Encrypt(cleartext, key) = ciphertext - Decrypt(ciphertext, key) = cleartext • Symmetric encryption (DES, 3DES) • Asymmetric encryption (public key) • Hash algorithm - Hash(A, key) = B Low probability that another data will be hashed into B. Fast.
Encryption Overview Private key Encryption (Symmetric) • Encrypt and decrypt with the same key. • Need special procedure for key distribution. • Fast and computational inexpensive • Used for preserving confidentiality Public key Encryption (Asymmetric) • Encrypt with public key and decryption with private key. • Encrypt (cleartext, KEYpublic) = ciphertext • Decrypt (ciphertext, KEYprivate) = cleartext • Public key can be freely distributed. • Slow and computational intensive • used for achieving authentication and non-repudiation.
Public Key Encryption at work • You give John (aka Sender) a copy of your public key. • John uses your public key to encrypt the plaintext to produce a ciphertext for you. • He then gives (just) the ciphertext to you, and • You use your private key to decrypt the ciphertext to reproduce the plaintext.
IPsec Basics • Applications transparency. • Automated key management. • Interoperability with PKI (Public Key Infrastructure). • Fast deployment. • Implemented in existing routers/CPE.
IPsec Protocols • Three main Protocols of IPsec • IKE (Internet Key Exchange) • Defines a method for the secure exchange of the initial encryption keys between the two endpoints of a VPN (establishing SA). • UDP protocol 500 • AH (Authentication Header) • Used to ensure integrity of the header information and payload as the packet makes its way through the Internet. Authentication only, no encryption • 128-bit MD5 or 160-bit SHA-1 keys used to compute the integrity checksum value (ICV) • TCP protocol 51 • ESP (Encapsulating Security Payload) • Performs the actual encryption of the data to provide data confidentiality, and data integrity. • Encrypt with DES/3DES. • TCP protocol 50
Security Associations (SA) • What is Security Associations (SA)? • Basic concepts of IPsec • Represents a policy contract between two VPN endpoints describing how they will use IPsec to secure network traffic • Contains all the security parameters to establish VPN connection • Unidirectional – one SA for each direction. • Each established SA is identified by a 32-bit number (SPI) • SPI are written into IPsec packet headers to locate the appropriate SA.
Security Association (SA) Components • What are the components of the SA? • Authentication/encryption algorithm, key length, key lifetime, etc… • Session keys • Specification of network traffic which IPsec will apply • IPsec encapsulation protocol (AH/ESP) and mode (Transport/Tunnel).
IPSec Data Exchange Modes • Transport Mode: • Between two IPsec hosts. • IP address of the hosts must be Public IP addresses • Only encapsulate data. • Tunnel Mode: • Between two IPsec gateways • Encapsulate both header and data. • Hides the original IP header
AH & ESP Protocols Normal IP Packet
IKE – Internet Key Exchange Protocol • ISAKMP (Internet Security Association and Key Management Protocol) • Protocol to negotiate and establish SA. • Oakley • Define mechanism for key exchange over the IKE session • By default, use Diffie-Hellman algorithm for key exchange • Each IKE peer has an IKE identitiy which based on: • IP address • FQDN (Fully qualified domain name) • X.500 (certificate) name • Email address • IKE session are protected by cryptographic algorithms. • IKE peers must agree exactly on a set of algorithms and protocols to protect the IKE session
IKE Operations • Phase1 (Authentication Phase) • Main mode or Aggressive mode • Used to establish a secure channel, authenticate the negotiating parties, and generate shared keys to protect IKE protocol messages • Negotiates IKE SA • Phase2 (Key Exchange Phase) • AKA: Quick mode • Used to establish the IPSec SA and to generate new keying material • Negotiates IPsec SA
IKE Main Mode Message Exchange • Use 6 messages to establish the IKE SA. • First 2 – negotiate security policy that will be used • Next 2 – performs Diffie-Hellman key exchange and pass Nonces (random # for signing) to each other • Last 2 – used to authenticate peers • Hides identity of the IKE peers.
IKE Aggressive Mode Message Exchange • Less negotiation flexibility for IKE session protection. • Will not hide identity (all identities of parties involved are revealed).
IKE Quick Mode Message Exchange • Quick Mode • Fast. • If an IKE SA is in place, only quick mode exchanges are used to negotiate new key or re-key. • PFS (Perfect Forward Secrecy) • Generate new key that is independent of the current key (from Phase1).
VPN Policy requirements? • Who are the VPN parties? • IKE Identifiers (WAN IP, FQDN, FQUN, DN). • Where are the VPN parties? • VPN gateway addresses (WAN IP, FQDN). • What traffics are included in the VPN? • Local VPN subnet, remote VPN subnet. • How the VPN secure the communication? • Main mode / Aggressive mode. • Pre-shared key. • Key lifetime. • ESP / AH (authentication algorithm, encryption algorithm). • PFS?
What is SSL VPN? SSL VPNs create secure tunnels by performing two functions: Requiring authentication from users before allowing access so that only authorized parties can establish tunnels Encrypting all data transmitted to and from the user by implementing the actual tunnel using SSL The process of establishing an SSL tunnel requires exchange of different configuration information between the computers on either end of the connection.
SSL VPN on OSI Network Model IPSec VPN operates at the Network Layer – Layer 3 SSL VPN establish connectivity using SSL, which functions at Layers 4 & 5 Information gets encapsulate at Layer 6 & 7 of the OSI model So why don't SSL VPNs simply use SSL to tunnel network-level communications as IPSec does and not worry about the higher levels? Technical limitations of many devices prevent the establishment of Network-Layer communications over SSL, but allow application-layer access from a web browser. Security considerations and policies normally prohibit attaching Internet kiosks and borrowed computers as nodes on your corporate network. Cannot install VPN client software on public Kiosks
Full access Restricted access Kiosk or Laptop Internet Café Home PDA B2B Partner Segmentation in SSL VPN Corporate Applications Email Web Database File server ProSafe SSL312 VPN Concentrator ProSafe VPN Firewall Secure SSL VPN connections Internet