© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 8 – Implementing Virtual Private Networks.


Chapter objectives:
– Describe the purpose and types of VPNs and define where to use VPNs in a network.
– Describe how to configure a GRE VPN tunnel.
– Describe the fundamental concepts and technologies of VPNs, and the terms that IPsec VPNs use.
– Describe how to configure a site-to-site IPsec VPN.
– Configure a site-to-site IPsec VPN with PSK authentication using the CLI and Cisco CCP.
– Describe the two common remote network access methods used in enterprise networks.
– Describe how the Cisco VPN Client is used in an IPsec remote-access VPN.
– Describe how Secure Socket Layer (SSL) is used in a remote-access VPN.
– Configure a remote-access IPsec VPN using the CLI and Cisco CCP.

Exam topics covered – Implementing VPN Technologies:
– 9.2 Describe VPN technologies: IPsec, SSL
– 9.3 Describe the building blocks of IPsec: IKE, ESP, AH, tunnel mode, transport mode
– 9.4 Implement an IOS IPsec site-to-site VPN with pre-shared key authentication: CCP, CLI

Chapter summary:
– A VPN is a private network that is created by tunneling over a public network. It can be deployed as a site-to-site or a remote-access VPN.
– Generic routing encapsulation (GRE) is a tunneling protocol that is used to create a point-to-point link, supports multiprotocol tunneling, and can be used in combination with IPsec.
– IPsec is a framework of open standards that establishes the rules for secure communications. It relies on existing algorithms to achieve encryption, authentication, and key exchange.
– When creating a site-to-site VPN: ensure that the existing ACLs do not block IPsec traffic, define the IKE parameters and the IPsec transform set, configure the crypto ACL, and create and apply a crypto map.
– Use the CCP Quick Setup VPN wizard or the Step-by-Step wizard to create and monitor an IPsec VPN. Remote-access connections can also be configured using CCP.
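The site-to-site steps in the summary, worked as an IOS configuration for one router. This is an added example, not the slide deck's own configuration; the addresses, interface, object names and the PSK placeholder are all constructed, and R2 would receive the mirror-image configuration.

```cisco
! Added example, not from the slides: site-to-site IPsec VPN with PSK on R1.
! Constructed topology: R1 LAN 10.1.1.0/24, WAN 192.0.2.1 on Serial0/0/0;
! R2 LAN 10.2.2.0/24, WAN 198.51.100.1. R2 gets the mirror-image configuration.
!
! Step 1: the existing outside ACL must not block IPsec control and data traffic
! (ISAKMP UDP 500, NAT-T UDP 4500, ESP, AH). Add these entries to that ACL.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 permit udp host 198.51.100.1 host 192.0.2.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 permit ahp host 198.51.100.1 host 192.0.2.1
 ! decrypted LAN-to-LAN traffic; some images re-check it against this ACL
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Step 2: IKE Phase 1 (ISAKMP) policy and the pre-shared key for this peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key PLACEHOLDER-STRONG-PSK address 198.51.100.1
!
! Step 3: IPsec transform set (protection applied to the data in Phase 2)
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 4: crypto ACL defining the interesting traffic (R2 mirrors it exactly)
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 5: crypto map binding peer, transform set and crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-TS
 match address 110
!
! Step 6: apply the crypto map to the outside (WAN) interface, not the LAN
interface Serial0/0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

On images that do not offer the sha256 options, hash sha and esp-sha-hmac are the fallbacks; both peers must agree on every Phase 1 and Phase 2 parameter or the tunnel will not form.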

Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP
– Part 1: Basic Router Configuration
– Part 2: Configure a Site-to-Site VPN Using Cisco IOS
– Part 3: Configure a Site-to-Site VPN Using CCP
Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client
– Part 1: Basic Router Configuration
– Part 2: Configuring a Remote Access VPN
Chapter 8 Lab C (Optional): Configuring a Remote Access VPN Server and Client
– Part 1: Basic Router Configuration
– Part 2: Configuring a Remote Access VPN


SDM has been replaced by CCP.

To explain GRE, use the concept of three protocols:
– Passenger protocol (e.g., IPv4 or IPv6): the protocol that needs to be encapsulated.
– Carrier protocol (i.e., GRE): the protocol used to encapsulate the passenger protocol.
– Transport protocol (e.g., IPv4 or IPv6): the protocol used to carry the encapsulated carrier protocol.
GRE is commonly used to carry routing protocols (which require broadcasts) over an IPsec VPN.

Example GRE configuration
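A GRE tunnel configuration worked for the three-protocol model above, with each layer labelled. This is an added example, not the slide's own configuration; the addresses, tunnel subnet and the EIGRP process number are constructed.

```cisco
! Added example, not from the slides: GRE tunnel between R1 and R2.
! Constructed addresses: R1 WAN 192.0.2.1, R2 WAN 198.51.100.1 (transport
! protocol: IPv4); tunnel subnet 172.16.12.0/30 carries the passenger protocol.
!
! --- R1 ---
interface Tunnel0
 description GRE over IPv4 to R2 (carrier protocol: GRE)
 ip address 172.16.12.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
! Passenger protocol: IPv4, including the EIGRP multicasts that a plain IPsec
! tunnel cannot carry; the neighbour relationship forms across the tunnel.
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 172.16.12.0 0.0.0.3
!
! --- R2 ---
interface Tunnel0
 description GRE over IPv4 to R1 (carrier protocol: GRE)
 ip address 172.16.12.2 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.1
 tunnel mode gre ip
!
router eigrp 1
 network 10.2.2.0 0.0.0.255
 network 172.16.12.0 0.0.0.3
!
! GRE by itself provides no confidentiality or integrity. To protect it with
! IPsec, the crypto ACL matches the GRE flow between the tunnel endpoints:
! access-list 110 permit gre host 192.0.2.1 host 198.51.100.1
```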

To configure IPsec VPNs, the IOS image must support the crypto feature set.
– This is usually indicated by “k9” in the image name (“k8” indicates that only limited crypto commands are available).

Use the show crypto isakmp sa command to verify whether the IKE Phase 1 negotiation was successful.
– A state of QM_IDLE indicates success.
Use the debug crypto isakmp command to display the Phase 1 and Phase 2 negotiations.

To verify IPsec VPN tunnel functionality, use this sequence:
1. clear crypto sa
2. Generate interesting traffic to trigger the VPN link.
3. show crypto ipsec sa
NOTE: The output of the show crypto ipsec sa command should show encrypted and decrypted packet counts.
Use extended pings to generate traffic between the LANs: ping {destination-IP-address} source {source-IP-address}
NOTE: The first ping attempt should fail while the initial SA is negotiated.
Use the debug crypto ipsec command to display Main mode negotiations.

Common problems encountered when troubleshooting VPNs include:
– Incorrect ISAKMP policies configured.
– Incorrect crypto keys or peer address configured.
– Crypto map parameters not configured accurately.
– Crypto map not applied to the correct interface (it should usually be the outside interface).
– Invalid ACL statements.
If pings from the router do not bring up the VPN:
– Make sure you are using extended pings or, better yet, use an actual host on the inside network.
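The verification sequence and the troubleshooting checks from the three slides above, worked as an exec-mode session on R1. This is an added example, not from the slides; the addresses and the sample show output are constructed.

```cisco
! Added example, not from the slides. Constructed values: R1 LAN 10.1.1.1,
! R2 LAN 10.2.2.1, R1 WAN 192.0.2.1, peer WAN 198.51.100.1. "!" lines are notes.
!
! 1. Confirm the image carries the crypto feature set ("k9" in its name)
R1# show version | include image
!
! 2. Clear existing SAs so the full negotiation is observed from the start
R1# clear crypto sa
R1# clear crypto isakmp
!
! 3. Generate interesting traffic. A plain "ping 10.2.2.1" is sourced from the
!    WAN address and does not match the crypto ACL; sourcing it from the LAN
!    address does. Expect the first echo to time out during SA negotiation.
R1# ping 10.2.2.1 source 10.1.1.1
!
! 4. IKE Phase 1: the state QM_IDLE (constructed output below) means Phase 1 is up
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.1    192.0.2.1       QM_IDLE           1001 ACTIVE
!
! 5. IKE Phase 2: #pkts encaps and #pkts decaps must both grow with each ping;
!    encaps rising while decaps stays at 0 points at the peer or the return path
R1# show crypto ipsec sa | include pkts
!
! 6. If the tunnel never forms, compare these with the peer line by line:
!    ISAKMP policy, PSK and peer address, transform set, crypto ACL (mirrored),
!    and the interface the crypto map is applied to (the outside interface)
R1# show crypto isakmp policy
R1# show crypto isakmp key
R1# show crypto ipsec transform-set
R1# show access-lists 110
R1# show crypto map
!
! 7. Watch the negotiation live; debug crypto isakmp covers the ISAKMP
!    exchanges (Phase 1 and 2), debug crypto ipsec the IPsec SA being installed
R1# debug crypto isakmp
R1# debug crypto ipsec
R1# undebug all
```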

CCP provides various VPN wizards under Configure > Security > VPN.
– The wizards vary depending on the type of VPN being configured.
You can also confirm that the tunnel is configured correctly by clicking the Test VPN button. Verify the VPN status under Monitor > Security > VPN Status > IPsec Tunnels.

Remote-access VPNs can be deployed using either IPsec or SSL VPNs.
– IPsec remote-access VPNs are more secure and support most applications, but require a client such as the Cisco VPN Client or Cisco AnyConnect to be pre-installed on the host.
– SSL remote-access VPNs are more flexible because they are accessed through a web browser, but they can only reach web-enabled applications.

Category | SSL | IPsec
Application support | Web-enabled applications, file sharing, | All IP-based applications
Encryption | Moderate: key lengths from 40 bits to 128 bits | Stronger: key lengths from 56 bits to 256 bits
Authentication | Moderate: one-way or two-way authentication | Strong: two-way authentication using shared secrets or digital certificates
Ease of use | Very easy | Moderately easy
Overall security | Moderate: any device can connect | Strong: only specific devices with specific configurations can connect
Figure labels: IPsec Remote Access VPN, SSL-Based VPN, Anywhere Access, Any Application, Mobile User Requirements.

You will need to download the Cisco VPN Client from cisco.com and provide it to students.
– The Cisco VPN Client is available for free.

Explain to students that this chapter now applies the cryptology topics discussed in Chapter 7. To contrast the function of a firewall (Chapter 4) with that of a VPN, explain that a firewall protects the inside network, whereas a VPN protects the data traversing the outside network (the Internet).

Use the analogy of an ocean for the network, with each LAN as an island.
– Without VPN tunnels, you must travel between islands by ferry, which means there is no privacy.
– With VPN tunnels, you have your own private submarine to go from island to island.
Leased lines can be compared to building bridges between nearby islands.

Another analogy is that of two lovers sending mushy letters to each other.
– They know that the letters will pass through many hands, including the postal service, their organizations, and perhaps even parents at either end.
– By agreeing on a secret code in advance, they can send letters without anyone else knowing what they are sending.

Refer back in history to how encryption has been used:
– The Spartans with the scytale.
– Julius Caesar for military dispatches.
– The Enigma machine during WWII.
Contrast that with how freely information now flows.
– Encourage discussion on how important VPNs are becoming. Ask “Should we be encrypting everything we send?”
– Consider the overhead (and increased latency) if we did.
– When should we be using VPNs?

This chapter is best learned by applying the concepts as much as possible.
– Students must get their own battle scars.
Encourage students to come up with their own VPN topology scenarios.

Resources:
– Cisco VPN main page
– Cisco IOS Software Releases 12.4 Mainline
– The Cisco IOS Command Reference
– VPN client
