Rob MacPhee World Wide Technology

1
Rob MacPheeWorld Wide Technology
2
What is a VPN?

• A VPN is a service that offers secure, reliable
  connectivity over a shared public network
  infrastructure such as the Internet

3
Three Types of VPNs

• Access
• Intranet
• Extranet

4
Benefits of VPN
5
Benefits of VPN

• Government Benefits
• Protect government and citizen information using
  tunneling and encryption for data privacy
• Reduce communications costs
• Leverage existing infrastructure
• Improved productivity
• Capabilities
• Connect multiple locations together seamlessly
• Send and receive real-time information and data
  between agencies
• Provide secure network access from remote
  locations

6
What is IPSec?

• Framework of open standards that provides data
  confidentiality between participating peers at
  the IP layer

7
IPSec

• Industry standard (RFC 2401)
• Protocol Suite
• Benefits
• Data confidentiality
• Data integrity
• Data origin authentication
• Antireplay

8
IPSec Protocols

• Main protocols
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)

9
IPSec Protocol Suite Supported by Cisco

• AH ESP
• Data Encryption Standard (DES)
• Triple DES (3DES)
• Advanced Encryption Standard (AES)
• Diffie-Hellman (D-H)
• Message Digest 5 (MD5)
• Secure Hash Algorithm-1 (SHA-1)
• Rivest, Shamir, Adelman (RSA) Signatures
• Internet Key Exchange (IKE)
• Certificate Authorities (CA)

10
AH Protocol

• Ensures data integrity
• Provides origin authentication
• Uses keyed-hash mechanism
• Provides optional replay protection
• Can be used in conjunction with ESP
• Does NOT provide confidentiality
• Does not work with NAT

11
ESP Protocol

• Provides confidentiality
• Supports variety of symmetric encryption
  algorithms
• Ensures data integrity
• Provides origin authentication
• Provides optional replay protection
• Limited traffic flow confidentiality
• Can be used in conjunction with AH
• May be used without AH
• Does NOT protect IP header
• Works with NAT

12
DES

• Encryption protocol
• Developed in 1977
• Shared secret keys enable encryption and
  decryption
• Uses 56 bit key
• 256 key combinations
• Broken by cipheranalysis in 22 hours in 1999

13
3DES

• Variant of DES
• Data blocks processed 3 times with independent 56
  bit keys (encrypt, decrypt, and encrypt)
• Theoretically contains 2168 key combinations
• Effectively doubles encryption strength over DES

14
AES

• Developed in 2000
• Uses 128, 192, or 256 bit keys
• 2( bits in key) possible combination
• Removes many of security flaws in DES
• 50 billion calculations per second would take
  5x1021 years to check all combinations of 128
  bit AES (versus 1 year for DES)

15
DES vs. AES
16
D-H Protocol

• Public key cryptography protocol
• Establishes shared secret key between two parties
• Supports encryption algorithms (DES, MD5, etc.)
• Group 1 768 bits
• Group 2 1024 bits (more secure)
• Group 7 Used by handheld devices and only
  compatible with VPN Concentrators

17
MD5

• Secure hash algorithm
• Authenticates packet data
• Uses 128 bit encryption
• Cisco implements with HMAC variant
• Used by AH, ESP, and IKE for authentication

18
SHA-1

• Secure hash algorithm
• Authenticates packet data
• Higher encryption than MD5 (160 bit)
• Cisco implements with HMAC variant
• Used by AH, ESP, and IKE for authentication

19
HMAC

• Hashed Message Authentication Codes
• Additional hash implemented in MD5 and SHA-1
• Fixes security hole of standard MD5 (collision
  search attack)

20
IKE Protocol

• Hybrid protocol
• Provides utility services for IPSec
• Authentication of peers
• Negotiation of Security Associations (SA)
• Establishment of keys for encryption algorithms
• Synonymous with Internet Security Association Key
  Management Protocol (ISAKMP)

21
Tunnel vs. Transport Modes

• Transport mode is terminated on each device (peer
  to peer)
• Tunnel mode terminated or through one device and
  through another

22
Transforms

• Defines protocol, security algorithm, and mode
• Transform Set
• Combination of IPSec transforms
• Matched to create Security Association (SA)

23
IPSec Negotiation

• Interesting traffic initiates the IPSec process
• IKE Phase One (Main and Aggressive Modes)
• Authenticates peers
• Negotiates SAs for Phase One
• Exchanges shared secret keys (D-H)
• Establishes secure channel for Phase Two
• IKE Phase Two
• Negotiates SAs for Phase Two (PFS)
• Data transfer
• Tunnel renegotiation and termination

24
VPN Capable Cisco Products

• Routers
• Firewalls
• VPN Concentrators
• VPN Clients

25
Compatibility

• Devices that are compatible with each other to
  perform IPSec
• Standards based compatibility with other vendors

26
VPN Concentrators

• 3002 (Hardware Client)
• 3005
• 3015
• 3020
• 3030
• 3060
• 3080

27
VPN Concentrators
28
VPN Concentrator 3020

• High performance
• Lower cost
• Not upgradeable to higher models

29
VPN Concentrator Physical
30
VPN Concentrator Management

• Console
• Web interface

31
VPN Management

• CiscoWorks VMS
• Management of security devices
• VPN creation, maintenance, and monitoring

32
FIPS 140 Certification

• VPN termination certification
• US and Canada
• Levels 1-4
• Higher levels cover lower
• Level 1 still valid
• http//csrc.nist.gov/cryptval/

33
Current FIPS 140 Products

• VPN 3002, 3005, 3015, 3030, 3060, 3080
• VPN Software Client
• Catalyst 6509 Switch and 7606 and 7609 Router
  with VPN Services Module
• 1721, 1760
• 2621, 2651, 2621XM, 2651XM, 2691
• 3725, 3745
• 7206, 7206VXR NPE-400, 7206VXR NPE-G1
• 3640, 3660
• 7140

34
04 FIPS 140 Products

• 3250 Mobile Access Router
• 3220 Mobile Access Router
• 831

35
FIPS 140 Certification

• Industrys first and only FIPS certified VPN
  client software
• Key for US government client security
  applications
• Remote access VPN
• Automated wireless LAN security for multi-vendor
  NIC environments using Client wireless LAN
  auto-initiation
• Cisco VPN Client and VPN 3000 Concentrator v3.6

36
QA

• Rob MacPhee