
VPNs and IPSec






Presentation Transcript


  1. VPNs and IPSec
  • Review
  • VPN concepts
  • Encryption
  • IPSec
  • Lab

  2. VPN concepts
  • Tunneling
  • Encryption

  3. Tunneling
  • Encapsulation of a packet within another packet
  • The encapsulated packet may be a different protocol: an IPX packet may be encapsulated in IP to transport IPX across an IP network
  • The encapsulated packet may also be encrypted

  4. What is Encryption
  • Converting clear or plain text into some other form, called ciphertext
  • Transposition
  • Substitution
  • Encryption and decryption are performed by an algorithm using a key

  5. Encryption History
  • Dates back to early history
  • Greek system: the Polybius square, in which each message letter is replaced by two letters giving its position in a grid

  6. Encryption History
  • Caesar cipher: simply shift each letter
  • Let's make an encryption system
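The two classical systems on slides 5 and 6, worked as an added Python example (not code from the presentation). The Polybius square here is the classic 5x5 grid with I and J sharing a cell and coordinates written as digits 1-5; the Caesar cipher is a plain alphabet shift. The brute-force helper shows why the Caesar key space (25 shifts) gives no real protection, which is the lesson the "let's make an encryption system" exercise leads to.

```python
"""Polybius square and Caesar shift: the two classical ciphers on the slides."""

# 5x5 Polybius square; I and J share one cell so 26 letters fit in 25 cells.
POLYBIUS_ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"


def polybius_encrypt(plaintext: str) -> str:
    """Replace each letter with its row/column coordinates (1-5) in the square."""
    out = []
    for ch in plaintext.upper():
        if ch == "J":
            ch = "I"
        if ch not in POLYBIUS_ALPHABET:
            continue  # drop spaces and punctuation
        row, col = divmod(POLYBIUS_ALPHABET.index(ch), 5)
        out.append(f"{row + 1}{col + 1}")
    return " ".join(out)


def polybius_decrypt(ciphertext: str) -> str:
    """Turn each digit pair back into the letter at that row/column."""
    out = []
    for pair in ciphertext.split():
        row, col = int(pair[0]) - 1, int(pair[1]) - 1
        out.append(POLYBIUS_ALPHABET[row * 5 + col])
    return "".join(out)


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (mod 26); a negative shift decrypts."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)


def caesar_brute_force(ciphertext: str) -> dict:
    """There are only 25 possible keys, so list every candidate plaintext."""
    return {k: caesar_shift(ciphertext, -k) for k in range(1, 26)}


if __name__ == "__main__":
    # Constructed sample message.
    msg = "ATTACK AT DAWN"
    print(polybius_encrypt(msg), "->", polybius_decrypt(polybius_encrypt(msg)))
    ct = caesar_shift(msg, 3)
    print(ct, "->", caesar_shift(ct, -3))
    for k, candidate in caesar_brute_force(ct).items():
        print(k, candidate)
```

Run it and the brute-force loop prints all 25 shifts of the Caesar ciphertext; the readable one is the key, which is the point about key-space size.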

  7. Encryption Methods
  • Block cipher: operates on fixed-length groups of bits
  • Stream cipher: operates on plaintext digits (usually single bits or bytes), combined with a pseudorandom cipher bit stream (keystream)
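An added Python example, not from the presentation, showing the two shapes of cipher on slide 7. The stream side XORs data with a keystream byte by byte; the keystream generator is a toy (a seeded PRNG, labelled as such in the code) standing in for a real stream cipher, chosen only so the example runs with the standard library. The block side shows the fixed-length-group requirement through padding to 16-byte blocks. The `xor_bytes` check at the end demonstrates the practical caveat that a keystream must never be reused: two ciphertexts under the same keystream XOR to the XOR of their plaintexts, with the key cancelled out.

```python
"""Stream vs block cipher shapes. The keystream here is a TOY, not secure."""
import random


def keystream(key: bytes, length: int) -> bytes:
    """TOY keystream for illustration only: a PRNG seeded with the key.
    Deterministic (both ends derive the same bytes) but NOT cryptographically
    secure; a real design would use a cipher such as ChaCha20 or AES-CTR."""
    rng = random.Random(key)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stream cipher core: XOR the data with the keystream. XOR is its own
    inverse, so the same function encrypts and decrypts."""
    return xor_bytes(data, keystream(key, len(data)))


def pad_block(data: bytes, block_size: int = 16) -> bytes:
    """Block ciphers consume whole blocks (16 bytes for AES). PKCS#7-style
    padding appends N bytes each of value N so the receiver can strip them."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def unpad_block(data: bytes) -> bytes:
    """Strip PKCS#7-style padding, refusing malformed trailers."""
    n = data[-1]
    if n == 0 or n > len(data) or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages under the SAME keystream and XOR the ciphertexts:
    the keystream cancels and p1 XOR p2 is exposed. This is why a keystream
    (or a nonce with a real stream cipher) must never be reused."""
    return xor_bytes(stream_xor(key, p1), stream_xor(key, p2))


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed sample key
    msg = b"IPX over IP tunnel payload"  # constructed sample data
    ct = stream_xor(key, msg)
    print(ct.hex(), "->", stream_xor(key, ct))
    print(pad_block(b"abc"), "->", unpad_block(pad_block(b"abc")))
    print(keystream_reuse_leak(key, b"attack at dawn", b"attack at dusk"))
```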

  8. Encryption
  • Symmetric key encryption
  • Shared key, the same on both ends
  • Encryption is fast
  • Key management is an issue
  • DES, 3DES, AES, IDEA
  • Used by IPSec for data encryption

  9. Data Encryption Standard
  • Block cipher
  • 56-bit key
  • Now considered insecure
  • 3DES is more secure but slower: DES is applied three times

  10. Advanced Encryption Standard
  • Block cipher (128-bit block)
  • Key sizes of 128, 192, 256 bits
  • Became a standard in 2002

  11. Asymmetric Encryption
  • Two different keys: a private key and a public key
  • Encrypt with one, decrypt with the other
  • More complex, so encryption is slower
  • Pretty Good Privacy (PGP), Diffie-Hellman
  • For confidentiality, encrypt with the public key; only the private key can decrypt
  • For authentication, encrypt with the private key; the public key can decrypt and verify
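The "encrypt with one, decrypt with the other" rule from slide 11, carried through with textbook RSA on tiny primes so every number can be checked by hand. This is an added example, not the presentation's material; the primes 61 and 53 and exponent 17 are constructed inputs. Both uses on the slide appear: the confidentiality direction (public key in, private key out) and the authentication direction (private key in, public key verifies). Textbook RSA without padding is shown only for the arithmetic; real systems add OAEP or PSS padding and sign a hash rather than the message itself.

```python
"""Textbook RSA on small numbers: one key pair, two directions of use."""
import math


def rsa_keygen(p: int, q: int, e: int = 17):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    """Raise m to the key's exponent mod n. The same operation serves both
    keys; which key you hold decides whether you encrypt, decrypt, sign or verify."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, k, n)


# Confidentiality: anyone encrypts with the public key, only the private key recovers m.
def encrypt_for(public_key, m: int) -> int:
    return rsa_apply(public_key, m)


def decrypt_with(private_key, c: int) -> int:
    return rsa_apply(private_key, c)


# Authentication: only the private key can produce s, anyone verifies with the public key.
def sign_with(private_key, m: int) -> int:
    return rsa_apply(private_key, m)


def verify_with(public_key, m: int, s: int) -> bool:
    return rsa_apply(public_key, s) == m


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)  # constructed tiny primes, demo only
    print("public", pub, "private", priv)
    c = encrypt_for(pub, 65)
    print("ciphertext", c, "decrypts to", decrypt_with(priv, c))
    s = sign_with(priv, 65)
    print("signature", s, "verifies:", verify_with(pub, 65, s),
          "tampered message verifies:", verify_with(pub, 66, s))
```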

  12. Hash Algorithm
  • Mathematical function that converts variable-length input into constant-length output
  • When two inputs result in the same output it is called a collision
  • Hashes have many uses
  • In CHAP, for example, a hash is used for authentication
  • SHA-1 and MD5 are hash algorithms
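An added Python example (not from the presentation) for slide 12: it shows the fixed-length property of MD5, SHA-1 and SHA-256 over inputs of very different sizes, then uses a hash the way CHAP does. The response formula follows RFC 1994, MD5 over the one-byte identifier, the shared secret and the challenge; the secret and identifier values are constructed for the demo. Both sides of the exchange are simulated so you can see that the secret itself never crosses the link, only a hash that depends on a fresh challenge.

```python
"""Hash properties and a CHAP-style challenge/response built on a hash."""
import hashlib
import hmac
import secrets


def digest_lengths(inputs) -> dict:
    """Hashes map variable-length input to constant-length output: for each
    algorithm, the set of digest sizes seen across all inputs has one element."""
    return {
        name: {len(hashlib.new(name, data).digest()) for data in inputs}
        for name in ("md5", "sha1", "sha256")
    }


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_new_challenge() -> bytes:
    """Authenticator side: an unpredictable challenge so old responses cannot be replayed."""
    return secrets.token_bytes(16)


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator recomputes the expected hash from its copy of the secret.
    compare_digest avoids leaking information through comparison timing."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(server_secret: bytes, client_secret: bytes, identifier: int = 1) -> bool:
    """Simulate the whole exchange: server challenges, client answers, server checks.
    Returns True only when both sides hold the same secret."""
    challenge = chap_new_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(identifier, server_secret, challenge, response)


if __name__ == "__main__":
    print(digest_lengths([b"", b"a", b"x" * 10_000]))
    print("correct secret:", chap_exchange(b"constructed-secret", b"constructed-secret"))
    print("wrong secret:  ", chap_exchange(b"constructed-secret", b"guess"))
```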

  13. IPSec
  • Standard protocol
  • Purpose is to provide a tamper-free and/or confidential transfer service
  • Tamper-free means you can be sure the data wasn't altered in transit
  • Confidential means no one else could read it
  • May invoke both services
  • Includes an anti-replay service through the use of sequence numbers
  • IPSec is a protocol suite consisting of multiple protocols:
  • IKE - Internet Key Exchange
  • ESP - Encapsulation Security Protocol: confidential transfer
  • AH - Authentication Header: tamper-free transfer

  14. IPSec implementation modes
  • Tunnel mode
  • Usually formed between 2 routers (gateways); can be host to host or host to gateway
  • Encrypted tunnel provided by ESP: the entire packet is encrypted and a new header is attached, whose destination IP (DIP) is the peer address
  • Transparent to the end user
  • Frame makeup –

  15. IPSec implementation modes
  • Transport mode
  • Original IP header is used; only the payload is encrypted
  • Suited for host to host on an internal network
  • Frame makeup
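The frame makeup of slides 14 and 15, modelled as an added Python example (not the presentation's material). Packets are plain dictionaries with the header fields that matter here, and a `Sealed` object stands in for ESP encryption: it keeps the protected content but shows an observer nothing. The addresses are documentation ranges chosen for the demo. `observer_view` is what a device on the path between the two gateways can read: in tunnel mode that is the gateway pair and protocol 50, in transport mode the real hosts' addresses and protocol 50.

```python
"""ESP tunnel mode vs transport mode, as packet encapsulation."""

ESP_PROTOCOL = 50  # IP protocol number carried in the outer header for ESP
TCP_PROTOCOL = 6


class Sealed:
    """Stand-in for ESP encryption: holds the protected data, reveals nothing.
    Real ESP would hold ciphertext plus an ICV; this keeps the example offline."""

    def __init__(self, inner):
        self._inner = inner

    def __repr__(self):
        return "<encrypted>"

    def open(self):
        return self._inner


def ip_packet(src: str, dst: str, proto: int, payload) -> dict:
    return {"src": src, "dst": dst, "proto": proto, "payload": payload}


def esp_transport(pkt: dict) -> dict:
    """Transport mode: the original IP header stays on the wire; only the
    payload (and the original next-protocol field) is protected."""
    protected = {"next_proto": pkt["proto"], "payload": pkt["payload"]}
    return ip_packet(pkt["src"], pkt["dst"], ESP_PROTOCOL, Sealed(protected))


def esp_tunnel(pkt: dict, gateway_src: str, gateway_dst: str) -> dict:
    """Tunnel mode: the entire original packet is protected and a new outer
    header is attached whose destination is the peer gateway."""
    return ip_packet(gateway_src, gateway_dst, ESP_PROTOCOL, Sealed(pkt))


def observer_view(pkt: dict) -> dict:
    """Everything an on-path device can read: the outer header only."""
    return {"src": pkt["src"], "dst": pkt["dst"],
            "proto": pkt["proto"], "payload": repr(pkt["payload"])}


def esp_tunnel_decapsulate(outer: dict) -> dict:
    """Receiving gateway: strip the outer header, recover the original packet."""
    return outer["payload"].open()


def esp_transport_decapsulate(outer: dict) -> dict:
    """Receiving host: restore the original next-protocol field and payload."""
    inner = outer["payload"].open()
    return ip_packet(outer["src"], outer["dst"], inner["next_proto"], inner["payload"])


if __name__ == "__main__":
    # Constructed sample: host on LAN A talking to host on LAN B.
    original = ip_packet("192.168.1.10", "192.168.2.20", TCP_PROTOCOL, b"GET / HTTP/1.1")
    tunnel = esp_tunnel(original, "203.0.113.1", "203.0.113.2")
    print("tunnel mode, on the wire:   ", observer_view(tunnel))
    print("tunnel mode, decapsulated:  ", esp_tunnel_decapsulate(tunnel))
    transport = esp_transport(original)
    print("transport mode, on the wire:", observer_view(transport))
    print("transport mode, decapsulated:", esp_transport_decapsulate(transport))
```

The contrast is the point of the two slides: tunnel mode hides which internal hosts are talking (the observer sees only gateway addresses), while transport mode exposes the endpoints but protects the payload, which is why it suits host-to-host use on an internal network.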

  16. IKE
  • Authentication and negotiation protocol
  • Verifies the identity of each peer to the other
  • Exchanges public keys; manages keys
  • Negotiates which encryption method will be used
  • Negotiates which protocol: ESP or AH
  • Operates in 2 phases
  • Uses the SKEME, Oakley and ISAKMP protocols
  • SKEME: key exchange protocol
  • Oakley: allows different exchange modes
  • ISAKMP: defines how peers communicate

  17. IKE phase 1
  • Remote user must first be authenticated
  • A pre-shared key can be used
  • Digital certificates - covered below
  • Kerberos: Windows with Active Directory
  • Negotiates the parameters that will be used in phase 2
  • Phase 1 can be accomplished by 2 different modes, main mode and aggressive mode. Aggressive mode uses fewer packets and is less secure. It is not supported by all vendors.

  18. IKE phase 2
  • Negotiates the parameters of the IPSec SA
  • Only uses quick mode: 3 packets
  • All exchanges are encrypted

  19. Security Association (SA)
  • Formed before any data is exchanged
  • Agreement between 2 IPSec peers/endpoints as to the parameters of the data exchange, such as:
  • Encryption and hash algorithm to be used
  • Protocols being used
  • Communication modes
  • Each IPSec peer may be communicating with other peers and have multiple SAs. SAs are maintained in an SA database (SAD).

  20. Authentication Header (AH)
  • Protocol ID 51
  • Provides authentication and integrity checking but not confidentiality
  • Adds a header to the existing IP packet. The header contains a digital signature verifying that the packet hasn't been changed. The digital signature in this case is termed the Integrity Check Value (ICV) and is a hash value.
  • What is a digital signature?
  • What is a hash?
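An added Python example, not the presentation's code, that ties slide 20 to the anti-replay bullet on slide 13. The sender prepends a 32-bit sequence number and a keyed-hash ICV (HMAC-SHA256 truncated to 12 bytes, an assumption made for the demo) to each payload; the receiver first applies a sliding anti-replay window to the sequence number, then verifies the ICV in constant time, and only advances the window once the packet has proven genuine. The integrity key is a constructed value standing in for one agreed during IKE. Real AH also covers the immutable IP header fields and sits inside an IP packet; that part is left out to keep the mechanics visible.

```python
"""AH-style integrity check value plus a sliding anti-replay window."""
import hashlib
import hmac
import struct

INTEGRITY_KEY = b"constructed-demo-integrity-key"  # assumption: negotiated by IKE
ICV_LEN = 12  # assumption for the demo: ICV truncated to 96 bits


def _icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Keyed hash over everything the receiver will check: seq number + payload."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]


def protect(seq: int, payload: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Sender: [4-byte sequence number][ICV][payload]."""
    header = struct.pack("!I", seq)
    return header + _icv(key, header, payload) + payload


class AntiReplayReceiver:
    """Rejects tampered packets (bad ICV) and replayed or stale sequence numbers."""

    def __init__(self, key: bytes = INTEGRITY_KEY, window: int = 64):
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = set()  # accepted sequence numbers still inside the window

    def receive(self, packet: bytes):
        """Return (accepted, reason, payload-or-None)."""
        header = packet[:4]
        icv = packet[4:4 + ICV_LEN]
        payload = packet[4 + ICV_LEN:]
        seq = struct.unpack("!I", header)[0]

        # 1. Cheap replay check first, before spending a MAC computation.
        if seq <= self.highest - self.window:
            return False, "too old", None
        if seq in self.seen:
            return False, "replay", None

        # 2. Integrity check; compare_digest prevents timing side channels.
        if not hmac.compare_digest(icv, _icv(self.key, header, payload)):
            return False, "bad ICV", None

        # 3. Only a verified packet may move the window forward.
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        self.seen.add(seq)
        return True, "ok", payload


if __name__ == "__main__":
    rx = AntiReplayReceiver()
    p1 = protect(1, b"constructed payload")
    print(rx.receive(p1))                 # accepted
    print(rx.receive(p1))                 # same packet again: replay
    p2 = protect(2, b"second")
    forged = p2[:-1] + bytes([p2[-1] ^ 1])  # flip one payload bit
    print(rx.receive(forged))             # bad ICV
    print(rx.receive(p2))                 # the untouched original still passes
    rx.receive(protect(100, b"far ahead"))
    print(rx.receive(protect(30, b"stale")))  # outside the 64-wide window
```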

  21. Configuring IPSec
  • Cisco
  • Define traffic to protect with an ACL
  • Configure the IPSec transform set
  • Set the peer address
