Slide 1: CNIT 221 Security 2, Module 3, City College of San Francisco, Spring 2007 (© 2005 Cisco Systems, Inc. All rights reserved.)

Slide 2: Network Security 2, Module 3 – Encryption and VPN Technology

Slide 3: Learning Objectives
–3.1 Encryption Basics
–3.2 Integrity Basics
–3.3 Implementing Digital Certificates
–3.4 VPN Topologies
–3.5 VPN Technologies
–3.6 IPSec

Slide 4: Module 3 – Encryption and VPN Technology, 3.1 Encryption Basics

Slide 5: Symmetric Encryption Process

Slide 6: Asymmetric Encryption Process (public key encryption)

Slide 7: Asymmetric Encryption
Some of the more common public key algorithms are the Rivest-Shamir-Adleman (RSA) algorithm and the ElGamal algorithm.
–Public key algorithms are far slower than symmetric ciphers, so they are typically used for digital signatures and for key management (establishing the symmetric keys that then protect the bulk traffic) rather than for encrypting the traffic itself.

Slide 8: RSA Encryption (RSA-encrypted nonces)
This slide describes the IKE authentication method known as RSA-encrypted nonces, not RSA encryption in general. Each peer generates a nonce, a one-time random value, and encrypts it with the other peer's public key. Only the holder of the matching private key can recover the nonce, and proving that recovery during the IKE exchange authenticates the peer. Because each device must already hold the other's public key, this method needs manual key distribution and is used less often than pre-shared keys or RSA signatures with certificates.

Slide 9: Diffie-Hellman Algorithm
The Diffie-Hellman (DH) algorithm lets two parties establish a shared secret key even though they communicate only over an insecure channel. Each party begins by choosing a large random number that it keeps secret (its private value). From it, each computes a public value (the generator g raised to the private value, modulo a large prime p) and sends that public value to the other party. Each side then raises the public value it received to its own private value; both arrive at the same shared secret, while an eavesdropper who saw only the two public values cannot feasibly compute it. The shared secret itself is never transmitted. DH on its own does not authenticate the parties, so an active attacker can run a separate exchange with each side; IKE therefore authenticates the DH exchange with a pre-shared key, an RSA signature or an RSA-encrypted nonce.

Slide 10: Diffie-Hellman Algorithm

Slide 11: Diffie-Hellman Key Exchange
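The exchange described on slides 9 to 11, as an added example written for this page (Python; not Cisco's or the course's code). It runs plain Diffie-Hellman over the 1024-bit MODP group that IOS calls "group 2" (RFC 2409), chosen only because that is what the configuration on slide 51 uses; the group is too small for new deployments. The prime is transcribed here and the included Miller-Rabin test lets a reader confirm the transcription (p and (p-1)/2 must both be prime). The SHA-256 key derivation stands in for IKE's PRF, and exchange_with_mitm() shows why an unauthenticated exchange is not enough.

```python
"""Diffie-Hellman key agreement over the IKE group-2 modulus (RFC 2409, 1024-bit MODP)."""
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 section 6.2 ("Second Oakley Group", IOS "group 2"),
# transcribed here; is_probable_prime() lets a reader verify the transcription.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test, used only to sanity-check the group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_private() -> int:
    """Each party's secret exponent: a large random number that never leaves the host."""
    return secrets.randbelow(P - 2) + 1           # in [1, P-2]


def dh_public(priv: int) -> int:
    """The public value sent over the insecure channel: g^priv mod p."""
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Shared secret: (g^b)^a mod p == (g^a)^b mod p.

    The peer's value is validated first: 0, 1, p-1 and out-of-range values would force
    the secret into a tiny set, so IKE implementations reject them.
    """
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, P)


def derive_key(shared: int, nbytes: int = 20) -> bytes:
    """Turn the raw group element into key material (IKE runs a PRF over it; SHA-256 stands in here)."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()[:nbytes]


def exchange() -> bool:
    """Honest exchange: both sides end with the same secret although only g^a and g^b crossed the wire."""
    a, b = dh_private(), dh_private()
    pub_a, pub_b = dh_public(a), dh_public(b)
    return dh_shared(a, pub_b) == dh_shared(b, pub_a)


def exchange_with_mitm() -> bool:
    """Unauthenticated DH: an active attacker (Mallory) substitutes her own public value both ways.

    Alice and Bob each agree a key with Mallory instead of with each other and cannot tell
    from the values alone. This is what IKE Phase 1 authentication (pre-shared key, RSA
    signature or RSA-encrypted nonce) prevents. Returns True when Mallory holds both keys.
    """
    a, b, m = dh_private(), dh_private(), dh_private()
    pub_a, pub_b, pub_m = dh_public(a), dh_public(b), dh_public(m)
    k_alice = dh_shared(a, pub_m)      # Alice believes pub_m came from Bob
    k_bob = dh_shared(b, pub_m)        # Bob believes pub_m came from Alice
    k_m_alice = dh_shared(m, pub_a)
    k_m_bob = dh_shared(m, pub_b)
    return k_alice == k_m_alice and k_bob == k_m_bob and k_alice != k_bob
```

Run exchange() to see the honest case and exchange_with_mitm() to see the interception; derive_key() is what would feed the HMAC and cipher keys of the IPsec SA.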

Slide 12: Module 3 – Encryption and VPN Technology, 3.2 Integrity Basics

Slide 13: Integrity and Hashing
To detect traffic that has been intercepted and modified, each message carries a hash. A hash is a fixed-size value computed from the packet contents and is used, like a checksum, to verify that the contents are the same at both ends of the path. Unlike a checksum, a cryptographic hash is designed so that it is infeasible to find two different inputs with the same output. On its own, however, a hash only detects accidental corruption: an attacker who modifies the packet can simply recompute the hash, which is why IPsec uses keyed hashes (HMAC, slide 15) rather than plain hashes. Two common hash algorithm families are Message Digest (MD5) and Secure Hash Algorithm (SHA-1, SHA-2). MD5 and SHA-1 are no longer collision resistant and should not be chosen for new deployments where SHA-256 or stronger is available.

Slide 14: The Hashing Process
If the hash computed at the receiving end does not match the hash that was sent, the packet or transaction is dropped.

Slide 15: Hashed Message Authentication Code
A Hashed Message Authentication Code (HMAC) protects both the integrity and the authenticity of a message. HMAC is similar to the hash process discussed earlier, except that HMAC mixes a secret key shared by the two peers into the computation, so only a holder of the key can produce or verify a valid code. The two HMAC variants used by classic IPsec are:
–HMAC-MD5, which uses a 128-bit shared secret key.
–HMAC-SHA-1, which uses a 160-bit shared secret key.
In AH and ESP the HMAC output is truncated to 96 bits (HMAC-MD5-96 and HMAC-SHA-1-96) before it is placed in the packet.

Slide 16: The Keyed Hashing Process – HMAC
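The keyed hashing process of slides 13 to 16, as an added example (Python; not the course's code): the same on-path modification is accepted when the packet carries a plain hash and rejected when it carries an HMAC, and the tag is truncated to 96 bits as IPsec's HMAC-MD5-96 and HMAC-SHA-1-96 do. The payload is constructed; the 0x0b keys are the RFC 2202 test-vector keys so that the known-answer function can confirm the HMAC primitives, and a real SA would use keys derived from the IKE exchange.

```python
"""Plain hash versus keyed hash (HMAC) for packet integrity, as used by IPsec AH/ESP."""
import hashlib
import hmac

# Constructed sample data: a packet payload and the secrets shared by the two IPsec peers.
# Key sizes follow the slide: 128 bits for HMAC-MD5, 160 bits for HMAC-SHA-1. The 0x0b
# pattern is the RFC 2202 test-vector key; a real deployment derives fresh keys per SA.
PAYLOAD = b"transfer 100 USD to account 42"
KEY_SHA1 = b"\x0b" * 20      # 160-bit key
KEY_MD5 = b"\x0b" * 16       # 128-bit key
ICV_LEN = 12                 # IPsec truncates the HMAC to 96 bits (HMAC-SHA-1-96, HMAC-MD5-96)


def plain_hash(msg: bytes) -> bytes:
    """Unkeyed hash: anyone, including an attacker, can compute it for any message."""
    return hashlib.sha1(msg).digest()[:ICV_LEN]


def hmac_tag(key: bytes, msg: bytes, alg: str = "sha1", length: int = ICV_LEN) -> bytes:
    """Keyed hash: only a holder of `key` can compute a valid tag."""
    return hmac.new(key, msg, alg).digest()[:length]


def verify(key: bytes, msg: bytes, tag: bytes, alg: str = "sha1") -> bool:
    """Receiver recomputes the tag; compare_digest avoids leaking which byte differed via timing."""
    return hmac.compare_digest(hmac_tag(key, msg, alg, len(tag)), tag)


def receiver_accepts_plain(msg: bytes, digest: bytes) -> bool:
    return plain_hash(msg) == digest


def receiver_accepts_hmac(msg: bytes, tag: bytes, key: bytes = KEY_SHA1) -> bool:
    return verify(key, msg, tag)


def attacker_rewrite(msg: bytes, protection: str) -> tuple:
    """On-path attacker changes the destination account and re-protects the packet with what she has.

    With a plain hash she simply recomputes it. With HMAC she does not hold the peers' key, so
    the best she can do is compute a tag under a key of her own (here all zeros).
    """
    forged = msg.replace(b"account 42", b"account 666")
    if protection == "hash":
        return forged, plain_hash(forged)
    return forged, hmac_tag(b"\x00" * 20, forged)


def rfc2202_known_answers() -> bool:
    """Sanity-check the HMAC primitive against RFC 2202 test case 1 for both algorithms."""
    sha1_ok = hmac_tag(KEY_SHA1, b"Hi There", "sha1", 20).hex() == "b617318655057264e28bc0b6fb378c8ef146be00"
    md5_ok = hmac_tag(KEY_MD5, b"Hi There", "md5", 16).hex() == "9294727a3638bb1c13f48ef8158bfc9d"
    return sha1_ok and md5_ok


def demo() -> dict:
    """Run both scenarios; returns which packets the receiver accepted."""
    results = {}
    msg, d = attacker_rewrite(PAYLOAD, "hash")
    results["plain_hash_forgery_accepted"] = receiver_accepts_plain(msg, d)
    msg, t = attacker_rewrite(PAYLOAD, "hmac")
    results["hmac_forgery_accepted"] = receiver_accepts_hmac(msg, t)
    results["genuine_hmac_accepted"] = receiver_accepts_hmac(PAYLOAD, hmac_tag(KEY_SHA1, PAYLOAD))
    return results
```

demo() returns True for the plain-hash forgery and False for the HMAC forgery; the genuine packet still verifies. Note that HMAC's nested construction, not simply hashing key||message, is what makes the tag safe with MD5 and SHA-1, which are otherwise vulnerable to length extension.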

Slide 17: Certificate-Based Authentication

Slide 18: Digital Certificates
A digital signature is a hash of a document encrypted with the signer's private key and appended to the document. Anyone holding the signer's public key can decrypt the hash and compare it with a freshly computed hash of the document, which confirms both the identity of the sender and the integrity of the document. A digital certificate is a different object: it binds an identity to a public key. A certificate contains information identifying a user or device, such as the name, serial number, company, department or IP address, together with a copy of the entity's public key, and it is digitally signed by a Certificate Authority (CA).
–The CA is a third party that is explicitly trusted by the receiver to validate identities and to issue digital certificates. Trusting a certificate therefore means trusting the CA that signed it, and the receiver must also check that the certificate has not expired or been revoked.

Slide 19: Digital Signatures

Slide 20: Module 3 – Encryption and VPN Technology, 3.3 Implementing Digital Certificates

Slide 21: Simple Certificate Enrollment Protocol (SCEP)
The Simple Certificate Enrollment Protocol (SCEP) is an initiative of Cisco, VeriSign, Entrust, Microsoft, Netscape and Sun Microsystems that provides a standard way of managing the certificate life cycle: obtaining the CA certificate, enrolling for a device certificate and renewing it. SCEP supports two ways of authenticating an enrollment: manual authentication and authentication based on a pre-shared secret.
–Manual authentication: the administrator verifies the fingerprint of the CA certificate out of band before trusting it. Older implementations display an MD5 fingerprint; compare a SHA-based fingerprint wherever the platform shows one.
–Pre-shared key authentication: the CA challenges the enrolling device for a password, and the device supplies the pre-shared key (the challenge password obtained from the CA administrator) as that password.

Slide 22: IPSec Peers Enroll with the CA Server
Cisco devices can also enroll with a CA to obtain CA-signed digital certificates for use as IPsec peers.

Slide 23: Enrolling a Device with a CA

Slide 24: Module 3 – Encryption and VPN Technology, 3.4 VPN Topologies

Slide 25: Site-to-Site VPNs
A site-to-site VPN is an extension of the classic WAN.

Slide 26: Site-to-Site VPNs – Cisco Routers

Slide 27: Remote Access VPNs

Slide 28: Module 3 – Encryption and VPN Technology, 3.5 VPN Technologies

Slide 29: VPN Technology Options

Slide 30: WebVPN

Slide 31: WebVPN Features

Slide 32: Tunneling Protocols
GRE = Generic Routing Encapsulation. GRE encapsulates packets of many protocol types inside IP, but it provides no confidentiality, integrity or authentication of its own; across an untrusted network it is normally carried inside IPsec (GRE over IPsec).

Slide 33: GRE Encapsulation Process

Slide 34: Selecting VPN Technologies

Slide 35: Tunnel Interfaces

Slide 36: GRE Tunnel Example

Slide 37: Module 3 – Encryption and VPN Technology, 3.6 IPSec

Slide 38: IP Header with IPSec Information

Slide 39: Two Types of IPSec Security Protocols
The two protocols are the Authentication Header (AH), which authenticates the packet including the outer IP header but does not encrypt, and the Encapsulating Security Payload (ESP), which encrypts the payload and can also authenticate it. The following slides show how each is generated and where its header is placed.

Slide 40: Advantages of IPSec

Slide 41: How an AH is Generated in IPSec

Slide 42: AH Fields

Slide 43: The ESP Header Format

Slide 44: Tunnel Versus Transport Mode

Slide 45: AH Header Placement in Transport Mode

Slide 46: AH Header Placement in Tunnel Mode

Slide 47: ESP Header Placement in Transport Mode

Slide 48: ESP Header Placement in Tunnel Mode

Slide 49: IPSec Process Negotiation
SA = Security Association

Slide 50: IKE and IPSec Flowchart

Slide 51: Configuration
In the source the pre-shared key, the peer address and the ACL addresses are redacted as "x", and the first transform-set line lacks a name; they are left as they appear.

crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp key address x
!
crypto ipsec transform-set esp-3des esp-md5-hmac ah-md5-hmac
crypto ipsec transform-set EZVPN esp-3des esp-md5-hmac ah-md5-hmac
crypto ipsec transform-set OURVPN esp-3des ah-md5-hmac
!
crypto map DDBVPN 10 ipsec-isakmp
 set peer x
 set transform-set EZVPN OURVPN
 match address 110
!

IKE Phase 1 = IKE SA (negotiated from the isakmp policy). IKE Phase 2 = IPSec SA (negotiated from the transform sets offered by the crypto map, in the order listed).

These settings reflect 2005 practice. 3DES, MD5-based HMACs and DH group 2 (1024-bit MODP) are all considered weak today; current guidance is AES-256, SHA-2 HMACs (or AES-GCM) and DH group 14 or higher. Combining esp-md5-hmac with ah-md5-hmac in one transform set is redundant, since ESP authentication already covers the payload, and AH cannot pass through NAT.

Slide 52: Configuration (cont.)

access-list 110 remark VPN INTERESTING TRAFFIC - CRYPTO ACL
access-list 110 permit ip x x
access-list 110 permit ip x x
!
ip access-list extended INBOUND_ALLOW_VPN_TRAFFIC
 permit udp any host eq isakmp log-input
 permit esp any host log-input
 permit ahp any host log-input
!
interface GigabitEthernet0/0
 description outside interface
 ip address
 ip access-group INBOUND_ALLOW_VPN_TRAFFIC in
 ip nat outside
 ip inspect CBAC-ALL out
 ip virtual-reassembly
 crypto map DDBVPN

Access-list 110, the crypto ACL, defines the interesting traffic that triggers the tunnel and is protected by it. The inbound ACL on the outside interface admits only IKE (UDP 500), ESP and AH to the router's own address. If the peer sits behind NAT, NAT traversal (UDP 4500) must be permitted as well and AH will not work.
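An added example (Python; not Cisco's or the course's code) that audits the kind of configuration shown on slides 51 and 52: it parses the isakmp policy, transform-set and crypto map lines and reports the weak or redundant choices noted above. SAMPLE_CONFIG is constructed to mirror the slides (peer redacted as "x") plus one stronger transform set for contrast. The defaults assumed for omitted policy keywords (encr des, hash sha, group 1, authentication rsa-sig) are those of classic IOS ISAKMP policies.

```python
"""Audit an IOS IKEv1/IPsec configuration for weak or redundant crypto choices."""
import re
from typing import Dict, List, Tuple

# Constructed sample, mirroring slide 51 with one strong transform set added for contrast.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
crypto ipsec transform-set EZVPN esp-3des esp-md5-hmac ah-md5-hmac
crypto ipsec transform-set OURVPN esp-3des ah-md5-hmac
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
!
crypto map DDBVPN 10 ipsec-isakmp
 set peer x
 set transform-set EZVPN OURVPN
 match address 110
"""

Finding = Tuple[str, str, str]          # (severity, config object, message)

WEAK_ENCR = {"des": "DES (56-bit key)", "3des": "3DES (64-bit block, Sweet32)"}
WEAK_DH = {"1": 768, "2": 1024, "5": 1536}       # MODP group sizes below the 2048-bit floor
# ESP ciphers that carry no integrity of their own (esp-gcm is AEAD and is deliberately absent).
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-aes", "esp-null"}


def audit_isakmp(cfg: str) -> List[Finding]:
    """Check each 'crypto isakmp policy' block (IKE Phase 1 / IKE SA parameters)."""
    out: List[Finding] = []
    for m in re.finditer(r"^crypto isakmp policy (\d+)\n((?: .*\n)*)", cfg, re.M):
        obj = f"isakmp policy {m.group(1)}"
        opts: Dict[str, str] = dict(re.findall(r"^ (encr|hash|group|authentication) (\S+)", m.group(2), re.M))
        # IOS defaults when a keyword is omitted: encr des, hash sha, group 1, authentication rsa-sig.
        encr, hsh, grp = opts.get("encr", "des"), opts.get("hash", "sha"), opts.get("group", "1")
        if encr in WEAK_ENCR:
            out.append(("high", obj, f"Phase 1 encryption {WEAK_ENCR[encr]}; use 'encr aes 256'"))
        if hsh == "md5":
            out.append(("high", obj, "Phase 1 hash MD5; use 'hash sha256' or stronger"))
        if grp in WEAK_DH:
            out.append(("high", obj, f"DH group {grp} is a {WEAK_DH[grp]}-bit MODP group; use group 14 or higher"))
        if opts.get("authentication") == "pre-share":
            out.append(("info", obj, "pre-shared key authentication: PSK entropy and rotation bound the tunnel's security"))
    return out


def audit_transform_sets(cfg: str) -> List[Finding]:
    """Check each 'crypto ipsec transform-set' (IKE Phase 2 / IPsec SA parameters)."""
    out: List[Finding] = []
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        name, tokens = m.group(1), m.group(2).split()
        obj = f"transform-set {name}"
        ciphers = [t for t in tokens if t in ESP_CIPHERS]
        esp_auth = [t for t in tokens if t.startswith("esp-") and t.endswith("-hmac")]
        ah_auth = [t for t in tokens if t.startswith("ah-")]
        for c in ciphers:
            if c[4:] in WEAK_ENCR:
                out.append(("high", obj, f"{c}: {WEAK_ENCR[c[4:]]}; use esp-aes 256 or esp-gcm"))
            if c == "esp-null":
                out.append(("high", obj, "esp-null provides no confidentiality"))
        for t in esp_auth + ah_auth:
            if "md5" in t:
                out.append(("high", obj, f"{t}: MD5-based integrity; use a SHA-2 HMAC"))
        if ciphers and not esp_auth and not ah_auth:
            out.append(("high", obj, "ESP encryption with no integrity check: malleable ciphertext"))
        if esp_auth and ah_auth:
            out.append(("low", obj, "ESP authentication plus AH is redundant and AH will not traverse NAT"))
    return out


def audit_crypto_maps(cfg: str) -> List[Finding]:
    """Report which transform sets a crypto map actually offers, in proposal order."""
    out: List[Finding] = []
    for m in re.finditer(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .*\n)*)", cfg, re.M):
        obj = f"crypto map {m.group(1)} {m.group(2)}"
        ts = re.search(r"^ set transform-set (.+)$", m.group(3), re.M)
        if ts:
            out.append(("info", obj, f"offers transform sets in order: {ts.group(1)}"))
        if not re.search(r"^ match address \S+", m.group(3), re.M):
            out.append(("high", obj, "no 'match address': nothing is selected for encryption"))
    return out


def audit(cfg: str) -> List[Finding]:
    return audit_isakmp(cfg) + audit_transform_sets(cfg) + audit_crypto_maps(cfg)


def flagged_objects(findings: List[Finding], severity: str) -> set:
    return {obj for sev, obj, _ in findings if sev == severity}


if __name__ == "__main__":
    for sev, obj, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev:4}] {obj}: {msg}")
```

Run against the slide's configuration it flags 3DES and DH group 2 in the Phase 1 policy, the MD5 HMACs and 3DES in EZVPN and OURVPN, and the redundant ESP-plus-AH in EZVPN, while the added STRONG set passes. Feed it `show running-config | section crypto` output to audit a live router.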

Slide 53: VPN 3005 Concentrator

Slide 54: VPN Hardware Clients
