What Is Needed to Build a VPN?

What Is Needed to Build a VPN?
• An existing network with servers and workstations
• Connection to the Internet
• VPN gateways (e.g., routers, PIX, ASA, VPN concentrators) that act as endpoints to establish, manage, and control VPN connections
• Software to create and manage tunnels
Overlay and Peer-to-Peer VPNs
• Overlay VPNs: Service providers (SPs) are the most common users of the overlay VPN model.
• The design and provisioning of virtual circuits (VCs) across the backbone is completed before any traffic flows.
• In the case of an IP network, this means that even though the underlying technology is connectionless, a connection-oriented approach is required to provision the service.
L2 Overlay VPN
• L2 overlay VPNs are independent of the network protocol used by the customer, meaning that the VPN is not limited to carrying IP traffic.
• If the carrier offers the appropriate ATM service, the overlay VPN will carry any kind of information.
• Frame Relay VPNs are normally limited to data applications, although voice over Frame Relay customer premises equipment (CPE) devices may be usable on some services.
L3 Overlay VPN
• L3 overlay VPNs most often use an “IP in IP” tunneling scheme based on Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), or IP security (IPsec).
CPE-Based VPN (Peer-to-Peer)
• CPE-based VPN is another name for an L3 VPN.
• The VPN is implemented using CPE.
• In this way, a customer creates a VPN across an Internet connection without any specific knowledge of, or cooperation from, the service provider.
• The customer gains the advantage of increased privacy using an inexpensive Internet connection.
SP-Provisioned VPN
• The introduction of Multiprotocol Label Switching (MPLS) combines the benefits of overlay VPNs (security and isolation among customers) with the benefits of the simplified routing of a peer-to-peer VPN.
• MPLS VPN provides simpler customer routing, simpler service provider provisioning, and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models.
• MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow.
• The Provider Core (P) and the Customer Edge (CE) routers are assumed to be unaware of any VPN protocols or procedures.
• Only the Provider Edge (PE) routers need to be provisioned to support the VPNs.
3 Types of VPN
Characteristics of Secure VPNs
VPN Security: Encapsulation
• Tunnelling uses three different protocols:
• Carrier protocol: The protocol the information is travelling over.
• Encapsulating protocol: The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data. Not all protocols offer the same level of security.
• Passenger protocol: The original data (IPX, AppleTalk, IPv4, IPv6).
VPN Security: IPsec and GRE
• Two modes: 1. Tunnel mode, 2. Transport mode
• Tunnel mode encrypts the header and the payload of each packet.
• Transport mode only encrypts the payload.
• Only systems that are IPsec-compliant can take advantage of transport mode.
• Additionally, all devices must use a common key, and the firewalls of each network must be set up with very similar security policies.
• IPsec can encrypt data between various devices, including router to router, firewall to router, PC to router, and PC to server.
Symmetric Encryption Algorithm
• Symmetric-key encryption, also called secret-key encryption, works when each computer has a secret key (code) that the computer uses to encrypt information before the information is sent over the network to another computer.
• Symmetric-key encryption requires that someone know which computers will be talking to each other so that the person can configure the key on each computer.
• Symmetric-key encryption uses a secret code, or key, that each of the two computers must know to decode the information.
Asymmetric Encryption Algorithm
• Uses different keys for encryption and decryption.
• Knowing one of the keys does not allow a hacker to deduce the second key and decode the information.
• One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.
• Public-key encryption uses a combination of a private key and a public key.
• Only the sender knows the private key.
• The sender gives a public key to any recipient with whom the sender wants to communicate.
• To decode an encrypted message, the recipient must use the public key, provided by the originating sender, and the recipient’s own private key.
VPN Security: Authentication
• Username and password: Uses the predefined usernames and passwords for different users or systems.
• One Time Password (OTP) (PIN/TAN): A stronger authentication method than username and password; this method uses new passwords that are generated for each authentication.
• Biometric: Biometrics usually refers to technologies that are used for measuring and analyzing human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements, especially for authentication purposes.
• Pre-shared keys: This method uses a secret key value, manually entered into each peer, and then used to authenticate the peers.
• Digital certificates: Use the exchange of digital certificates to authenticate the peers.
What is IPsec?
IPsec Protocols
• IKE: Provides a framework for the negotiation of security parameters and establishes authenticated keys. IPsec uses symmetric encryption algorithms for data protection, which are more efficient and easier to implement in hardware than other types of algorithms. These algorithms need a secure method of key exchange to ensure data protection. The IKE protocols provide the capability for secure key exchange.
• AH: The IP Authentication Header (AH) provides connectionless integrity and data origin authentication for IP datagrams and optional protection against replays. AH is embedded in the data that needs to be protected. ESP has replaced the AH protocol, and AH is no longer used very often in IPsec.
• ESP: Encapsulating Security Payload (ESP) provides a framework for encrypting, authenticating, and securing data. ESP provides data privacy services, optional data authentication, and anti-replay services. ESP encapsulates the data that needs protection. Most IPsec implementations use the ESP protocol.
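The following is an added example, not part of the slides, showing in code what the encapsulation and "IPsec and GRE" slides describe: ESP as the encapsulating protocol around a passenger (a whole IPv4 packet in tunnel mode, only the payload in transport mode), with ESP's SPI, sequence number, padding, next-header field, ICV check, and the anti-replay window. Constructed/assumed: the cipher is an HMAC-SHA256 counter keystream standing in for AES (the Python standard library has no AES), the IPv4 header is a minimal 20-byte one with the checksum left at zero, and all keys and addresses are sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

BLOCK = 4            # ESP pads so that payload + padding + 2 trailer bytes is a multiple of 4
ICV_LEN = 16         # HMAC-SHA-256-128: MAC truncated to 128 bits, as IPsec does
PROTO_IPV4, PROTO_TCP, PROTO_ESP = 4, 6, 50   # IP protocol numbers


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header (version 4, IHL 5, TTL 64, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy counter-mode keystream (stand-in for AES-CTR): SPI || seq is the per-packet
    nonce, so a fresh sequence number guarantees a fresh keystream under the same key."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(enc_key, auth_key, spi, seq, passenger, next_header) -> bytes:
    """ESP packet: [SPI][seq] [enc(passenger | padding | pad_len | next_header)] [ICV]."""
    pad_len = (-(len(passenger) + 2)) % BLOCK
    plain = passenger + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, spi, seq, len(plain))))
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 style): bit 0 of `seen` is the highest
    sequence number accepted so far, bit k the number top - k."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.seen = size, 0, 0

    def check(self, seq: int) -> None:
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq > self.top:                          # newest packet: slide the window
            self.seen = ((self.seen << (seq - self.top)) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return
        offset = self.top - seq
        if offset >= self.size:
            raise ValueError("packet older than the replay window")
        if (self.seen >> offset) & 1:
            raise ValueError("replayed packet")
        self.seen |= 1 << offset


def esp_decapsulate(enc_key, auth_key, esp: bytes, window: ReplayWindow):
    """Verify the ICV before anything else, then anti-replay, then decrypt."""
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: modified packet or wrong SA keys")
    spi, seq = struct.unpack("!II", header)
    window.check(seq)
    plain = bytes(a ^ b for a, b in zip(body, keystream(enc_key, spi, seq, len(body))))
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - pad_len - 2], next_header


def transport_mode(keys, spi, seq, src, dst, segment: bytes) -> bytes:
    """Transport mode: the original IP header stays in clear; only the payload is protected."""
    esp = esp_encapsulate(*keys, spi, seq, segment, PROTO_TCP)
    return ipv4_header(src, dst, PROTO_ESP, 20 + len(esp)) + esp


def tunnel_mode(keys, spi, seq, gw_src, gw_dst, inner_packet: bytes) -> bytes:
    """Tunnel mode: header and payload of the original packet are both protected,
    and a new outer header carries only the gateway addresses."""
    esp = esp_encapsulate(*keys, spi, seq, inner_packet, PROTO_IPV4)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, 20 + len(esp)) + esp


def demo():
    keys = (b"\x11" * 32, b"\x22" * 32)              # constructed; real keys come from IKE
    segment = b"constructed TCP segment 10.1.1.10 -> 10.2.2.20"
    inner = ipv4_header("10.1.1.10", "10.2.2.20", PROTO_TCP, 20 + len(segment)) + segment
    outer = tunnel_mode(keys, 0x1000, 1, "203.0.113.1", "203.0.113.2", inner)
    window = ReplayWindow()
    passenger, nh = esp_decapsulate(*keys, outer[20:], window)
    try:                                              # same packet again: must be rejected
        esp_decapsulate(*keys, outer[20:], window)
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return (str(ipaddress.IPv4Address(outer[16:20])),  # outer header shows gateways only
            passenger == inner and nh == PROTO_IPV4, replay_blocked)
```

Two design points worth noticing: the receiver checks the ICV before it touches the sequence number or decrypts anything, so a forged packet cannot move the replay window; and in tunnel mode the inner addresses (10.1.1.10 and 10.2.2.20) sit inside the ciphertext, which is why an observer on the Internet path sees only the two gateways.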
Site-to-Site IPsec VPN Operations
• Step 1 Interesting traffic initiates the IPsec process: Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs protection.
• Step 2 IKE Phase 1: IKE authenticates IPsec peers and negotiates IKE SAs during this phase, setting up a secure communications channel for negotiating IPsec SAs in Phase 2.
• Step 3 IKE Phase 2: IKE negotiates IPsec SA parameters and sets up matching IPsec SAs in the peers. These security parameters are used to protect data and messages that are exchanged between endpoints.
• Step 4 Data transfer: Data is transferred between IPsec peers based on the IPsec parameters and keys that are stored in the SA database.
• Step 5 IPsec tunnel termination: IPsec SAs terminate through deletion or by timing out.
Step 2: IKE Phase 1
• First exchange: The two peers negotiate and agree on which algorithms and hashes to use to secure the IKE communications.
• Second exchange: A Diffie-Hellman exchange generates shared secret keys and passes nonces (a nonce is a value used only once by a computer security system). A random number sent by one party to another party, signed, and returned to the first party proves the second party’s identity. Once created, the shared secret key is used to generate all the other encryption and authentication keys.
• Third exchange: In this exchange, each peer verifies the identity of the other side by authenticating the remote peer.
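As an added example (not from the slides), the three Phase 1 exchanges in runnable form, modelled loosely on IKEv1 main mode with pre-shared keys (RFC 2409) and simplified: exchange 1 picks a proposal the responder's policy accepts, exchange 2 trades Diffie-Hellman values and nonces and derives the IKE keys from the shared secret, and exchange 3 has each peer prove knowledge of the PSK with a hash bound to both DH values, both cookies and the negotiated proposal. Constructed/assumed: the DH group (a 127-bit Mersenne prime, far too small for real use; real IKE uses RFC 3526/7919 MODP or ECDH groups), the proposal tuples, and the peer identities and PSKs.

```python
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1            # toy DH modulus (constructed, not a real IKE group)
G = 3                       # toy generator

RESPONDER_SUPPORTS = {("aes256", "sha256", "psk", "dh-toy")}   # constructed local policy


def negotiate(proposals, supported=RESPONDER_SUPPORTS):
    """Exchange 1: the first initiator proposal the responder's policy accepts wins."""
    for proposal in proposals:
        if proposal in supported:
            return proposal
    raise ValueError("no matching ISAKMP policy")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


class Peer:
    """One IKE peer; both sides run the same code with initiator=True/False."""

    def __init__(self, ident: bytes, psk: bytes):
        self.ident, self.psk = ident, psk
        self.cookie = secrets.token_bytes(8)      # ISAKMP cookie (IKE SPI)
        self.nonce = secrets.token_bytes(16)      # Ni or Nr: used once
        self.x = secrets.randbelow(P - 2) + 1     # DH private exponent, never sent
        self.gx = pow(G, self.x, P)               # DH public value

    def ke_payload(self):
        """Exchange 2: what goes on the wire (cookie, g^x, nonce)."""
        return self.cookie, self.gx, self.nonce

    def compute_keys(self, peer_cookie, peer_gx, peer_nonce, initiator: bool):
        if not 1 < peer_gx < P - 1:
            raise ValueError("rejecting degenerate DH public value")
        gxy = i2b(pow(peer_gx, self.x, P))        # shared secret, identical on both sides
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        cky_i, cky_r = (self.cookie, peer_cookie) if initiator else (peer_cookie, self.cookie)
        skeyid = prf(self.psk, ni + nr)           # PSK mode: binds the secret to both nonces
        ctx = gxy + cky_i + cky_r
        self.skeyid_d = prf(skeyid, ctx + b"\x00")                   # seed for IPsec (Phase 2) keys
        self.skeyid_a = prf(skeyid, self.skeyid_d + ctx + b"\x01")   # IKE integrity key
        self.skeyid_e = prf(skeyid, self.skeyid_a + ctx + b"\x02")   # IKE encryption key
        self._auth = (skeyid, cky_i, cky_r)
        self.peer_gx = peer_gx

    def _hash(self, ident, gx_own, gx_peer, sa: bytes) -> bytes:
        skeyid, cky_i, cky_r = self._auth
        return prf(skeyid, i2b(gx_own) + i2b(gx_peer) + cky_i + cky_r + sa + ident)

    def prove(self, sa: bytes) -> bytes:
        """Exchange 3: HASH_I / HASH_R sent to the peer."""
        return self._hash(self.ident, self.gx, self.peer_gx, sa)

    def verify(self, peer_ident: bytes, received: bytes, sa: bytes) -> bool:
        """Exchange 3: recompute the peer's hash; it matches only if both PSKs agree."""
        return hmac.compare_digest(received, self._hash(peer_ident, self.peer_gx, self.gx, sa))


def phase1(init: Peer, resp: Peer, proposals) -> bool:
    """Run all three exchanges; True when both peers authenticated and share IKE keys."""
    sa = repr(negotiate(proposals)).encode()                  # exchange 1
    init.compute_keys(*resp.ke_payload(), initiator=True)     # exchange 2
    resp.compute_keys(*init.ke_payload(), initiator=False)
    resp_ok = resp.verify(init.ident, init.prove(sa), sa)     # exchange 3: check HASH_I
    init_ok = init.verify(resp.ident, resp.prove(sa), sa)     #             check HASH_R
    return init_ok and resp_ok and init.skeyid_e == resp.skeyid_e
```

The structure shows why the slides order the exchanges as they do: the DH secret alone proves nothing about who the peer is, so the authentication hash in exchange 3 is keyed with SKEYID, which only a holder of the same PSK can compute, and it covers the DH values and the proposal so that neither can be swapped in transit without the check failing.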
Step 3: IKE Phase 2
• Negotiates IPsec security parameters and IPsec transform sets
• Establishes IPsec SAs
• Periodically renegotiates IPsec SAs to ensure security
• Optionally, performs an additional Diffie-Hellman exchange
IPsec Tunnel Operation
• The last two steps in IPsec involve transferring the data and then closing the connection.
• Data Transfer: After IKE Phase 2 is complete and quick mode has established IPsec SAs, traffic is exchanged between Host A and Host B via a secure tunnel, as shown in the figure. Interesting traffic is encrypted and decrypted according to the security services that are specified in the IPsec SA.
• IPsec Tunnel Termination: IPsec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds has elapsed or when a specified number of bytes have passed through the tunnel. When the SAs terminate, the keys are also discarded.
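An added example (not from the slides) that ties together the "interesting traffic" step, the crypto ACL, and SA termination: a crypto ACL decides which packets need protection, an SA database protects matching packets with a live SA, and an SA whose time or byte lifetime has elapsed is torn down with its keys discarded, so the next interesting packet has to trigger IKE again. Addresses, SPIs, key bytes and lifetimes are constructed sample values; the clock is passed in as a parameter so the demo runs without waiting.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One permit line of a crypto ACL (source net, destination net, protocol)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "ip"                       # "ip" matches any protocol

    def matches(self, src: str, dst: str, proto: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("ip", proto))


def is_interesting(acl: List[AclEntry], src: str, dst: str, proto: str) -> bool:
    """Traffic is 'interesting' when some crypto ACL entry permits it."""
    return any(entry.matches(src, dst, proto) for entry in acl)


@dataclass
class IPsecSA:
    spi: int
    selectors: List[AclEntry]               # traffic this SA was negotiated for
    keys: Optional[bytes]                   # keying material from IKE Phase 2 (constructed)
    created: float                          # creation time in seconds (injected)
    lifetime_seconds: int = 3600
    lifetime_kbytes: int = 4_608_000
    bytes_sent: int = 0

    def expired(self, now: float) -> bool:
        """An SA times out after its time lifetime or after its byte lifetime."""
        return (now - self.created >= self.lifetime_seconds
                or self.bytes_sent >= self.lifetime_kbytes * 1024)

    def terminate(self) -> None:
        self.keys = None                    # keys are discarded together with the SA


class SADB:
    """Outbound side of the SA database of one VPN gateway."""

    def __init__(self, crypto_acl: List[AclEntry]):
        self.crypto_acl, self.sas = crypto_acl, []

    def install(self, sa: IPsecSA) -> None:
        self.sas.append(sa)

    def outbound(self, src, dst, proto, size, now) -> Tuple[str, Optional[int]]:
        """('bypass', None) for uninteresting traffic, ('protect', spi) when a live SA
        covers the packet, ('negotiate', spi-or-None) when IKE must (re)run first."""
        if not is_interesting(self.crypto_acl, src, dst, proto):
            return "bypass", None                       # sent in the clear, no IPsec
        for sa in list(self.sas):
            if is_interesting(sa.selectors, src, dst, proto):
                if sa.expired(now):                     # time or byte lifetime reached
                    sa.terminate()
                    self.sas.remove(sa)
                    return "negotiate", sa.spi          # rekey: old keys are gone
                sa.bytes_sent += size
                return "protect", sa.spi
        return "negotiate", None                        # first interesting packet triggers IKE


def demo() -> Tuple[List[str], bool]:
    acl = [AclEntry(ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.2.0/24"))]
    db = SADB(acl)
    t0 = 1_700_000_000.0
    events = [db.outbound("10.1.1.10", "10.2.2.20", "tcp", 1500, t0)[0]]       # no SA yet
    sa1 = IPsecSA(0x1000, acl, b"\x11" * 32, t0, lifetime_kbytes=1)            # 1 KB lifetime
    db.install(sa1)
    events.append(db.outbound("10.1.1.10", "10.2.2.20", "tcp", 600, t0 + 1)[0])
    events.append(db.outbound("10.1.1.10", "198.51.100.5", "udp", 100, t0 + 2)[0])  # not in ACL
    events.append(db.outbound("10.1.1.10", "10.2.2.20", "tcp", 600, t0 + 3)[0])
    events.append(db.outbound("10.1.1.10", "10.2.2.20", "tcp", 600, t0 + 4)[0])     # 1200 B sent
    sa2 = IPsecSA(0x1001, acl, b"\x22" * 32, t0 + 4, lifetime_seconds=10)
    db.install(sa2)
    events.append(db.outbound("10.1.1.10", "10.2.2.20", "tcp", 600, t0 + 20)[0])    # 16 s later
    return events, sa1.keys is None and sa2.keys is None
```

The byte lifetime is what bounds how much traffic is ever protected under one key, and the expiry check runs before the packet is counted, so a packet is never sent under an SA that has already reached its limit.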
Configuring a Site-to-Site IPsec VPN
• Step 1 Configure the ISAKMP policy that is required to establish an IKE tunnel.
• Step 2 Define the IPsec transform set. The definition of the transform set defines the parameters for the IPsec tunnel, such as encryption and integrity algorithms.
• Step 3 Create a crypto access control list (ACL). The crypto ACL identifies the traffic to be forwarded through the IPsec tunnel.
• Step 4 Create a crypto map. The crypto map combines the previously configured parameters together and defines the IPsec peer device.
• Step 5 Apply the crypto map to the outgoing interface of the VPN device.
• Step 6 Configure an ACL and apply the list to the interface. Typically, edge routers are configured with restrictive ACLs that could inadvertently block the IKE or IPsec protocols.