What is a VPN?


Implementing Secure Converged Wide Area Networks (ISCW)
Module 3.1
ISCW-Mod3_L5
© 2007 Cisco Systems, Inc. All rights reserved.

Major Concepts in Module 3
• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with preshared key authentication using CLI
• Configure and verify a site-to-site IPsec VPN with preshared key authentication using SDM
• Configure and verify a Remote Access VPN

Module 3 Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation

Module 3 Objectives (continued)
9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM

Module 3 Objectives (continued)
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs
21. Describe how SSL is used to establish a secure VPN connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software

What is a VPN?
[Figure: VPNs across the Internet and the WAN connect a business partner with a Cisco router, a mobile worker with the Cisco VPN Client (protected by CSA), a SOHO with a Cisco DSL router and a regional branch with a VPN-enabled Cisco ISR router to the corporate network behind a firewall]
Virtual: Information within a private network is transported over a public network.
Private: The traffic is encrypted to keep the data confidential.

Layer 3 VPN
[Figure: an IPSec VPN across the Internet between a SOHO with a Cisco DSL router and the corporate site]
• Generic routing encapsulation (GRE)
• Multiprotocol Label Switching (MPLS)
• IPSec

Types of VPN Networks
[Figure: remote-access VPNs (mobile worker with the Cisco VPN Client, business partner with a Cisco router, SOHO with a Cisco DSL router) and site-to-site VPNs (regional branch with a VPN-enabled Cisco ISR router) reach the corporate network across the Internet and the WAN through a firewall, IPS, MARS and IronPort, with CSA on the web, email and DNS servers]

Site-to-Site VPN
[Figure: the same topology, highlighting the site-to-site VPNs between the business partner's Cisco router, the SOHO Cisco DSL router, the regional branch's VPN-enabled Cisco ISR router and the corporate network]
Hosts send and receive normal TCP/IP traffic through a VPN gateway.

Remote-Access VPNs
[Figure: the same topology, highlighting the remote-access VPN from the mobile worker with the Cisco VPN Client (protected by CSA) through the Internet and the firewall to the corporate network]

VPN Client Software
[Figure: Cisco VPN Client connection entry "R1" pointing at the host R1-vpn-cluster.span.com]
In a remote-access VPN, each host typically has Cisco VPN Client software.

Cisco IOS SSL VPN
• Provides remote-access connectivity from any Internet-enabled host
• Uses a web browser and SSL encryption
• Delivers two modes of access:
  - Clientless
  - Thin client

Cisco VPN Product Family
Product Choice:
Product                                            | Remote-Access VPN | Site-to-Site VPN
Cisco VPN-Enabled Router                           | Secondary role    | Primary role
Cisco PIX 500 Series Security Appliances           | Secondary role    | Primary role
Cisco ASA 5500 Series Adaptive Security Appliances | Primary role      | Secondary role
Cisco VPN 3000 Series Concentrators                | Primary role      | Secondary role
Home Routers                                       | Primary role      |

Cisco VPN-Optimized Routers
[Figure: Cisco routers at the main office, a regional office, a remote office and a SOHO, connected through the Internet]
VPN Features:
• Voice and video enabled VPN (V3PN)
• IPSec stateful failover
• DMVPN
• IPSec and Multiprotocol Label Switching (MPLS) integration
• Cisco Easy VPN

Cisco ASA 5500 Series Adaptive Security Appliances
[Figure: an ASA at the central site serving intranet, extranet, business-to-business, remote-site and remote-user connections across the Internet]
• Flexible platform
• Cisco IOS SSL VPN
• Resilient clustering
• VPN infrastructure for contemporary applications
• Cisco Easy VPN
• Automatic Cisco VPN
• Integrated web-based management

IPSec Clients
• Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA
• Cisco VPN Software Client: software loaded on a PC
• Router with Firewall and VPN Client: a network appliance that connects SOHO LANs to the VPN
• Cisco AnyConnect VPN Client: provides remote users with secure VPN connections
[Figure: each client type reaching the small office or corporate site across the Internet]

Hardware Acceleration Modules
• AIM
• Cisco IPSec VPN Shared Port Adapter (SPA)
• Cisco PIX VPN Accelerator Card+ (VAC+)
• Enhanced Scalable Encryption Processing (SEP-E)
[Figure: Cisco IPsec VPN SPA]

GRE VPN Overview

Encapsulation
[Figure: the original IP packet encapsulated with GRE]

Configuring a GRE Tunnel
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#

The same five steps are applied on each router:
1. Create a tunnel interface (interface tunnel 0).
2. Assign the tunnel an IP address (ip address ...); both ends share the 10.1.1.0/30 subnet.
3. Identify the source interface of the tunnel (tunnel source serial 0/0).
4. Identify the destination of the tunnel (tunnel destination ...), which is the other router's serial 0/0 address.
5. Configure what protocol GRE will encapsulate (tunnel mode gre ip).

Using GRE
[Flowchart] User traffic: IP only? No: use a GRE tunnel. Yes: unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.
GRE does not provide encryption.
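The encapsulation and decision slides above, as an added example that is not part of the original deck: a small GRE encapsulator/decapsulator in Python that builds the outer IPv4 header and the RFC 2784 GRE header around an inner IP packet, and a function encoding the flowchart. The addresses reuse the slide's tunnel configuration (inner 10.1.1.1 to 10.1.1.2; outer 192.168.3.3 to 192.168.5.5, the serial 0/0 addresses implied by each router's tunnel destination). The inner packet's protocol number 253 and its payload are constructed. The point to take away is the last slide's line: the payload is just as readable after GRE encapsulation as before.

```python
import struct

GRE_IP_PROTOCOL = 47        # IP protocol number in the outer header that signals GRE
ETHERTYPE_IPV4 = 0x0800     # GRE protocol-type value for an encapsulated IPv4 packet


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Prepend a 4-byte GRE header (no optional fields) and a new outer IP header to an IP packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # flags/version = 0, protocol type = IPv4
    outer = ipv4_header(outer_src, outer_dst, GRE_IP_PROTOCOL, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IP and GRE headers; honour the optional GRE fields if their flag bits are set."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("outer header does not carry GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved1 present (RFC 2784)
        gre_len += 4
    if flags & 0x2000:   # K bit: key present (RFC 2890)
        gre_len += 4
    if flags & 0x1000:   # S bit: sequence number present (RFC 2890)
        gre_len += 4
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE protocol type 0x%04x" % proto)
    return packet[ihl + gre_len:total_len]


def choose_tunnel(ip_only: bool, unicast_only: bool) -> str:
    """The slide's flowchart: IPsec on its own suits IP-only, unicast-only traffic; anything else needs GRE."""
    if ip_only and unicast_only:
        return "IPsec VPN"
    return "GRE tunnel"


def demo() -> dict:
    # Constructed sample packet between the slide's tunnel addresses, IP protocol 253
    # (reserved for experimentation, RFC 3692) carrying a plaintext payload.
    payload = b"CONFIDENTIAL payroll record"
    inner = ipv4_header("10.1.1.1", "10.1.1.2", 253, len(payload)) + payload
    tunneled = gre_encapsulate("192.168.3.3", "192.168.5.5", inner)
    return {
        "outer_protocol": tunneled[9],
        "payload_visible_on_wire": payload in tunneled,   # GRE adds framing, not encryption
        "round_trip_ok": gre_decapsulate(tunneled) == inner,
        "outer_checksum_valid": ip_checksum(tunneled[:20]) == 0,
        "wire_length": len(tunneled),                     # 20 outer + 4 GRE + 47 inner
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the outer header carrying protocol 47, the inner packet coming back byte-for-byte after decapsulation, and the payload string sitting in the clear inside the tunneled bytes. That is the reason the flowchart ends at "use IPsec VPN" for plain unicast IP, and the reason GRE tunnels that carry anything sensitive are normally protected with IPsec in turn.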

IPSec Topology
[Figure: the main site's corporate network behind a perimeter router, an ASA, a legacy Cisco PIX firewall and a legacy concentrator, with IPsec connections through the Internet (POP) to a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco VPN Client on a laptop computer]
• Works at the network layer, protecting and authenticating IP packets.
• It is a framework of open standards which is algorithm-independent.
• It provides data confidentiality, data integrity, and origin authentication.

IPSec Framework
[Figure: the IPsec framework with its confidentiality, integrity, authentication and Diffie-Hellman rows (DH7 shown)]

Confidentiality
[Figure: the framework's encryption choices ordered from least secure to most secure by key length: 56 bits (DES), 56 bits applied three times (3DES), 128, 192 or 256 bits (AES), 160 bits (SEAL); Diffie-Hellman row (DH7 shown)]

Integrity
[Figure: the framework's hash choices ordered from least secure to most secure by key length: 128 bits (MD5) and 160 bits (SHA-1); Diffie-Hellman row (DH7 shown)]

Authentication
[Figure: the framework's authentication choices, pre-shared key and RSA signatures, detailed on the next two slides; Diffie-Hellman row (DH7 shown)]

Pre-shared Key (PSK)
• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
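The two-way exchange on this slide, as an added example that is not part of the original deck. HMAC-SHA256 stands in for the unnamed hash algorithm, the identities R1 and R2 reuse the router names from the GRE slide, and the pre-shared keys are constructed; the VpnPeer class and mutual_psk_authentication function are this example's own names.

```python
import hashlib
import hmac


def auth_hash(psk: bytes, identity: bytes) -> bytes:
    """hash_I / hash_R: the pre-shared key and the device's identity information run through a hash.
    HMAC-SHA256 is an assumption; the slide does not name the algorithm."""
    return hmac.new(psk, identity, hashlib.sha256).digest()


class VpnPeer:
    """One IPsec endpoint holding its own identity and its copy of the pre-shared key."""

    def __init__(self, identity: bytes, psk: bytes):
        self.identity = identity
        self.psk = psk

    def make_auth_hash(self) -> bytes:
        # This value is what travels to the remote device; the key itself never leaves the box.
        return auth_hash(self.psk, self.identity)

    def verify_peer(self, peer_identity: bytes, received_hash: bytes) -> bool:
        # Recompute the hash locally from the peer's claimed identity and our copy of the key,
        # then compare in constant time.
        expected = auth_hash(self.psk, peer_identity)
        return hmac.compare_digest(expected, received_hash)


def mutual_psk_authentication(local: VpnPeer, remote: VpnPeer) -> tuple:
    """Both directions of the slide's exchange.
    Returns (local authenticated by remote, remote authenticated by local)."""
    hash_i = local.make_auth_hash()                          # local -> remote: one-way authentication
    local_ok = remote.verify_peer(local.identity, hash_i)
    hash_r = remote.make_auth_hash()                         # remote -> local: the opposite direction
    remote_ok = local.verify_peer(remote.identity, hash_r)
    return local_ok, remote_ok


def demo() -> dict:
    shared_key = b"constructed pre-shared key"
    # Both routers hold the same key: each direction succeeds.
    good = mutual_psk_authentication(VpnPeer(b"R1", shared_key), VpnPeer(b"R2", shared_key))
    # One router holds a different key (typo, stale key, or impostor): both directions fail.
    bad = mutual_psk_authentication(VpnPeer(b"R1", shared_key), VpnPeer(b"R2", b"constructed wrong key"))
    return {"matching_keys": good, "mismatched_keys": bad}


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when troubleshooting: a key mismatch produces a failure in both directions, never a one-sided success, and the key never crosses the wire, only hashes computed from it. Real IKE also folds the session's nonces and Diffie-Hellman values into these hashes so that a captured hash_I cannot be replayed later; this simplified version, which hashes only the identity as the slide describes, omits that binding.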

RSA Signatures
• At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
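The signature exchange on this slide, as an added example that is not part of the original deck. It uses textbook RSA (no padding) on a SHA-256 hash_I with 512-bit demonstration keys, both assumptions chosen to keep the code short and self-contained; deployed IKE uses padded PKCS#1 signatures and much larger keys. The certificate is a constructed dictionary standing in for an X.509 certificate, the identities R1 and R2 reuse the router names from the GRE slide, and session_info is a constructed stand-in for the per-exchange data a real hash_I also covers.

```python
import hashlib
import secrets


def auth_hash(identity: bytes, session_info: bytes) -> bytes:
    """hash_I: identity information through the hash algorithm (SHA-256 assumed)."""
    return hashlib.sha256(identity + session_info).digest()


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, sufficient for a demonstration key pair."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512) -> tuple:
    """Textbook RSA: returns ((e, n), (d, n)). 512 bits keeps the demo fast; far too small for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:               # e is prime, so this guarantees gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def sign_hash(digest: bytes, private_key: tuple) -> int:
    """hash_I 'encrypted' with the private key is the digital signature (raw RSA, illustrative only)."""
    d, n = private_key
    return pow(int.from_bytes(digest, "big"), d, n)


def verify_signature(digest: bytes, signature: int, public_key: tuple) -> bool:
    """Decrypt the signature with the public key and compare the result with the locally computed hash_I."""
    e, n = public_key
    try:
        recovered = pow(signature, e, n).to_bytes(len(digest), "big")
    except OverflowError:                    # tampered signature: result is wider than a digest
        return False
    return secrets.compare_digest(recovered, digest)


def make_certificate(identity: bytes, public_key: tuple) -> dict:
    """Constructed stand-in for the certificate that carries the public key (no CA chain here)."""
    return {"subject": identity, "public_key": public_key}


def authenticate_peer(cert: dict, signature: int, session_info: bytes) -> bool:
    """Receiving side: rebuild hash_I independently from the certificate's subject, then check the signature."""
    return verify_signature(auth_hash(cert["subject"], session_info), signature, cert["public_key"])


def demo() -> dict:
    session = b"constructed session data"
    pub_r1, priv_r1 = generate_keypair()
    pub_r2, priv_r2 = generate_keypair()
    cert_r1, cert_r2 = make_certificate(b"R1", pub_r1), make_certificate(b"R2", pub_r2)
    # R1 -> R2: signature and certificate are forwarded together; then the same in the opposite direction.
    r1_ok = authenticate_peer(cert_r1, sign_hash(auth_hash(b"R1", session), priv_r1), session)
    r2_ok = authenticate_peer(cert_r2, sign_hash(auth_hash(b"R2", session), priv_r2), session)
    # Replaying R1's certificate is not enough: without R1's private key the signature does not verify.
    _, priv_impostor = generate_keypair()
    forged_ok = authenticate_peer(cert_r1, sign_hash(auth_hash(b"R1", session), priv_impostor), session)
    return {"r1_authenticated": r1_ok, "r2_authenticated": r2_ok, "impostor_accepted": forged_ok}


if __name__ == "__main__":
    print(demo())
```

The check that matters is the one in authenticate_peer: the verifier never trusts the hash it decrypts out of the signature on its own, it recomputes hash_I from the certificate's subject and compares. What this example leaves out, and what a real deployment must add, is validating the certificate itself (CA signature, validity period, revocation) before trusting the public key inside it.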

Secure Key Exchange
[Figure: the framework's Diffie-Hellman row (DH7 shown)]
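Diffie-Hellman key agreement, as an added example that is not part of the original deck. The modulus is the 1024-bit MODP group ("Diffie-Hellman group 2", RFC 2409 section 6.2, generator 2), transcribed here from the RFC; group_sanity_check exists because a transcription error would silently turn the demo into nonsense, and an IKE policy on a Cisco router selects one of these groups by number. The small p = 23, g = 5 case is the textbook one used to make the arithmetic readable; all function names are this example's own.

```python
import hashlib
import secrets

# 1024-bit MODP group (RFC 2409 "Second Oakley Group"), generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def group_sanity_check(p: int = GROUP2_P) -> bool:
    """Fermat checks with a few bases: a typo in the transcribed prime would almost surely fail here."""
    return p.bit_length() == 1024 and all(pow(a, p - 1, p) == 1 for a in (3, 5, 7, 11))


def dh_public(p: int, g: int, private: int) -> int:
    """Public value g^private mod p; this is what is sent across the untrusted network."""
    return pow(g, private, p)


def dh_valid_public(p: int, public: int) -> bool:
    """Reject degenerate peer values (0, 1, p-1) that would force a predictable shared secret."""
    return 1 < public < p - 1


def dh_shared(p: int, peer_public: int, private: int) -> int:
    if not dh_valid_public(p, peer_public):
        raise ValueError("peer sent a degenerate public value")
    return pow(peer_public, private, p)


def derive_key(shared: int, p: int) -> bytes:
    """Hash the agreed secret into symmetric key material for the confidentiality and integrity algorithms."""
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def dh_exchange(p: int = GROUP2_P, g: int = GROUP2_G, a: int = None, b: int = None) -> dict:
    """Run both sides; private exponents are random unless supplied (for a reproducible run)."""
    a = secrets.randbelow(p - 3) + 2 if a is None else a
    b = secrets.randbelow(p - 3) + 2 if b is None else b
    A, B = dh_public(p, g, a), dh_public(p, g, b)         # the only values that cross the network
    s_a, s_b = dh_shared(p, B, a), dh_shared(p, A, b)     # each side combines its private with the other's public
    return {"on_wire": (A, B), "secret_a": s_a, "secret_b": s_b,
            "agreed": s_a == s_b, "key": derive_key(s_a, p)}


def brute_force_private(p: int, g: int, public: int, limit: int = 100000):
    """The eavesdropper's problem (discrete logarithm). Fine for a classroom-sized p, hopeless at 1024 bits."""
    for x in range(1, min(p - 1, limit)):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    small = dh_exchange(23, 5, 6, 15)
    print("p=23, g=5: on wire", small["on_wire"], "secret", small["secret_a"],
          "recovered private a =", brute_force_private(23, 5, small["on_wire"][0]))
    big = dh_exchange()
    print("group 2:", "agreed" if big["agreed"] else "MISMATCH", "key", big["key"].hex())
```

With p = 23 the values 8 and 19 cross the wire, both sides compute 2, and brute_force_private recovers the private exponent 6 in a handful of steps, which is exactly why the real groups are 1024 bits and up. The peer-value check in dh_shared is the one practitioners forget: accepting 1 or p-1 from the other side lets anyone force the shared secret to a known value.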