Rob MacPhee World Wide Technology - PowerPoint PPT Presentation

About This Presentation
Title:

Rob MacPhee World Wide Technology

Description:

A VPN is a service that offers secure, reliable connectivity over a shared ... Possible ASCII printable character keys* 2^128, 2^192, or 2^256. 2^56. Possible Keys ...

Slides: 37
Provided by: robma7

Transcript and Presenter's Notes

1
Rob MacPhee, World Wide Technology
2
What is a VPN?
  • A VPN is a service that offers secure, reliable
    connectivity over a shared public network
    infrastructure such as the Internet

3
Three Types of VPNs
  • Access
  • Intranet
  • Extranet

4
Benefits of VPN
5
Benefits of VPN
  • Government Benefits
      • Protect government and citizen information using
        tunneling and encryption for data privacy
      • Reduce communications costs
      • Leverage existing infrastructure
      • Improved productivity
  • Capabilities
      • Connect multiple locations together seamlessly
      • Send and receive real-time information and data
        between agencies
      • Provide secure network access from remote
        locations

6
What is IPSec?
  • Framework of open standards that provides data
    confidentiality between participating peers at
    the IP layer

7
IPSec
  • Industry standard (RFC 2401)
  • Protocol Suite
  • Benefits
      • Data confidentiality
      • Data integrity
      • Data origin authentication
      • Antireplay

8
IPSec Protocols
  • Main protocols
      • Authentication Header (AH)
      • Encapsulating Security Payload (ESP)

9
IPSec Protocol Suite Supported by Cisco
  • AH, ESP
  • Data Encryption Standard (DES)
  • Triple DES (3DES)
  • Advanced Encryption Standard (AES)
  • Diffie-Hellman (D-H)
  • Message Digest 5 (MD5)
  • Secure Hash Algorithm-1 (SHA-1)
  • Rivest, Shamir, Adelman (RSA) Signatures
  • Internet Key Exchange (IKE)
  • Certificate Authorities (CA)

10
AH Protocol
  • Ensures data integrity
  • Provides origin authentication
  • Uses keyed-hash mechanism
  • Provides optional replay protection
  • Can be used in conjunction with ESP
  • Does NOT provide confidentiality
  • Does not work with NAT

11
ESP Protocol
  • Provides confidentiality
  • Supports variety of symmetric encryption
    algorithms
  • Ensures data integrity
  • Provides origin authentication
  • Provides optional replay protection
  • Limited traffic flow confidentiality
  • Can be used in conjunction with AH
  • May be used without AH
  • Does NOT protect IP header
  • Works with NAT
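
The two slides above turn on what each protocol's integrity check value (ICV) covers. The following Python model, added here and not part of the original deck, shows why: an AH-style ICV is computed over the immutable IP header fields (source and destination address) plus the payload, so a NAT device rewriting the source address invalidates it, whereas an ESP-style ICV covers only the ESP payload and survives the rewrite. The packet structure, key and addresses are constructed for the demo; real AH also covers the AH header itself and zeroes other mutable fields, which this model omits.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Constructed toy packet: just the fields that matter for ICV coverage."""
    src: str
    dst: str
    ttl: int
    payload: bytes


KEY = b"constructed-demo-sa-key"  # hypothetical SA authentication key


def ah_icv(pkt: Packet) -> bytes:
    """AH-style ICV: keyed hash over the immutable header fields and the payload.
    TTL is mutable in transit, so AH zeroes it before hashing; we leave it out."""
    covered = pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload
    return hmac.new(KEY, covered, hashlib.sha1).digest()


def esp_icv(pkt: Packet) -> bytes:
    """ESP-style ICV: keyed hash over the ESP payload only, never the outer IP header."""
    return hmac.new(KEY, pkt.payload, hashlib.sha1).digest()


def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """Source NAT rewrites the source address (and, like any hop, decrements TTL)."""
    return replace(pkt, src=new_src, ttl=pkt.ttl - 1)


def verify(icv_fn, pkt: Packet, icv: bytes) -> bool:
    """Constant-time comparison of the recomputed ICV against the one carried."""
    return hmac.compare_digest(icv_fn(pkt), icv)


def demo() -> dict:
    original = Packet(src="10.0.0.5", dst="203.0.113.9", ttl=64, payload=b"hello")
    ah = ah_icv(original)
    esp = esp_icv(original)
    after_nat = nat_rewrite(original, "198.51.100.1")
    return {
        "ah_ok_without_nat": verify(ah_icv, original, ah),
        "ah_ok_after_nat": verify(ah_icv, after_nat, ah),      # source changed: fails
        "esp_ok_after_nat": verify(esp_icv, after_nat, esp),   # header not covered: passes
        "ah_ok_ttl_change_only": verify(ah_icv, replace(original, ttl=63), ah),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last entry shows why AH excludes mutable fields: a TTL decrement alone does not break the check, only a rewrite of a covered field does. ESP passes through address-only NAT for the reason shown, but because ESP carries no port numbers, port-translating NAT still needs UDP encapsulation (NAT traversal) in practice.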

12
DES
  • Encryption protocol
  • Developed in 1977
  • Shared secret keys enable encryption and
    decryption
  • Uses 56 bit key
  • 2^56 key combinations
  • Broken by cryptanalysis in 22 hours in 1999

13
3DES
  • Variant of DES
  • Data blocks processed 3 times with independent 56
    bit keys (encrypt, decrypt, and encrypt)
  • Theoretically contains 2^168 key combinations
  • Effectively doubles encryption strength over DES

14
AES
  • Developed in 2000
  • Uses 128, 192, or 256 bit keys
  • 2^(bits in key) possible combinations
  • Removes many of security flaws in DES
  • 50 billion calculations per second would take
    5x10^21 years to check all combinations of 128
    bit AES (versus 1 year for DES)

15
DES vs. AES
16
D-H Protocol
  • Public key cryptography protocol
  • Establishes shared secret key between two parties
  • Supports encryption algorithms (DES, MD5, etc.)
  • Group 1 768 bits
  • Group 2 1024 bits (more secure)
  • Group 7 Used by handheld devices and only
    compatible with VPN Concentrators
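
The D-H slide names the groups but not the mechanics: each peer keeps a private exponent, sends only g^x mod p, and both arrive at the same shared secret. The Python below is an added example (not from the deck or any Cisco implementation) that runs that exchange over the RFC 2409 Oakley Group 2 parameters the slide calls "Group 2 1024 bits", checks that the group prime is a safe prime before use, and rejects degenerate peer values (0, 1, p-1) that would otherwise let an active attacker force a predictable secret. Group 2 is the assumed default; the sanity check and validation functions are this example's own, not IKE's.

```python
import secrets

# RFC 2409 Oakley Group 2: 1024-bit MODP prime, generator 2 (the slide's "Group 2 1024 bits").
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test, used here only to sanity-check group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p and (p-1)/2 both prime, so every non-trivial element lies in a large subgroup."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def is_valid_peer_value(value: int, p: int) -> bool:
    """0, 1 and p-1 (and anything out of range) pin the secret to a predictable value."""
    return 2 <= value <= p - 2


def generate_private(p: int) -> int:
    """Random private exponent in [2, p-2]; never reused, never sent, never logged."""
    return secrets.randbelow(p - 3) + 2


def public_value(private: int, p: int = GROUP2_P, g: int = GROUP2_G) -> int:
    return pow(g, private, p)


def shared_secret(their_public: int, my_private: int, p: int = GROUP2_P) -> int:
    """Validate the peer's value before exponentiating; an invalid value aborts the exchange."""
    if not is_valid_peer_value(their_public, p):
        raise ValueError("peer public value out of range")
    return pow(their_public, my_private, p)


def exchange(p: int = GROUP2_P, g: int = GROUP2_G) -> tuple:
    """One complete exchange; returns the secret each side computed (they must match)."""
    a, b = generate_private(p), generate_private(p)
    a_pub, b_pub = public_value(a, p, g), public_value(b, p, g)
    return shared_secret(b_pub, a, p), shared_secret(a_pub, b, p)


if __name__ == "__main__":
    assert is_safe_prime(GROUP2_P)
    s_a, s_b = exchange()
    print("shared secrets match:", s_a == s_b, "bits:", s_a.bit_length())
```

The shared secret is never sent; only the public values cross the wire, which is why the slide lists D-H under IKE Phase One as the way peers obtain keying material without pre-sharing it. The validation step matters because IKE peers receive the public value from an untrusted network.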

17
MD5
  • Secure hash algorithm
  • Authenticates packet data
  • Produces a 128 bit digest
  • Cisco implements with HMAC variant
  • Used by AH, ESP, and IKE for authentication

18
SHA-1
  • Secure hash algorithm
  • Authenticates packet data
  • Longer digest than MD5 (160 bit)
  • Cisco implements with HMAC variant
  • Used by AH, ESP, and IKE for authentication

19
HMAC
  • Hashed Message Authentication Codes
  • Additional hash implemented in MD5 and SHA-1
  • Fixes security hole of standard MD5 (collision
    search attack)
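
The MD5, SHA-1 and HMAC slides together say that the digest alone does not authenticate anything (anyone on the path can recompute it) and that the HMAC construction adds the key. The Python below, added here and not taken from the deck, implements HMAC exactly as RFC 2104 defines it over either MD5 or SHA-1, checks it against the standard library, and shows a packet tag being verified and a tampered packet being rejected. The digest sizes it reports are the 128 and 160 bits the slides quote; the keys and payloads are constructed for the example.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message)).
    hash_name is "md5" or "sha1", the two variants named on the slides."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size            # 64 bytes for both MD5 and SHA-1
    if len(key) > block_size:              # keys longer than a block are hashed first
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")   # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + message).digest()
    return h(opad + inner).digest()


def digest_bits(hash_name: str) -> int:
    """Digest length in bits: 128 for MD5, 160 for SHA-1."""
    return getattr(hashlib, hash_name)().digest_size * 8


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the hand-written construction against hmac.new."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def tag_packet(key: bytes, payload: bytes, hash_name: str = "sha1") -> bytes:
    """What AH/ESP carry as the ICV: HMAC over the protected bytes under the SA key."""
    return hmac_rfc2104(key, payload, hash_name)


def verify_packet(key: bytes, payload: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison; a plain == on tags leaks timing information."""
    return hmac.compare_digest(hmac_rfc2104(key, payload, hash_name), tag)


if __name__ == "__main__":
    sa_key = b"constructed-sa-key"      # constructed demo key
    payload = b"transfer 100"
    tag = tag_packet(sa_key, payload)
    print("genuine:", verify_packet(sa_key, payload, tag))
    print("tampered:", verify_packet(sa_key, b"transfer 900", tag))
    # An unkeyed digest offers no such protection: the tamperer just recomputes it.
    print("unkeyed md5 of tampered payload recomputed:", hashlib.md5(b"transfer 900").hexdigest())
```

The first two assertions in the test are the "Hi There" vectors from RFC 2202, so the construction is checked against published values rather than only against itself. HMAC also explains the slide's point about collisions: an attacker who can find MD5 collisions still cannot produce a valid tag without the SA key, which is why HMAC-MD5 outlived raw MD5 in IPSec.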

20
IKE Protocol
  • Hybrid protocol
  • Provides utility services for IPSec
  • Authentication of peers
  • Negotiation of Security Associations (SA)
  • Establishment of keys for encryption algorithms
  • Synonymous with Internet Security Association Key
    Management Protocol (ISAKMP)

21
Tunnel vs. Transport Modes
  • Transport mode is terminated on each end device (peer
    to peer)
  • Tunnel mode is terminated on, or passes through, one
    device and then through another (gateway to gateway)

22
Transforms
  • Defines protocol, security algorithm, and mode
  • Transform Set
      • Combination of IPSec transforms
      • Matched to create Security Association (SA)

23
IPSec Negotiation
  • Interesting traffic initiates the IPSec process
  • IKE Phase One (Main and Aggressive Modes)
      • Authenticates peers
      • Negotiates SAs for Phase One
      • Exchanges shared secret keys (D-H)
      • Establishes secure channel for Phase Two
  • IKE Phase Two
      • Negotiates SAs for Phase Two (PFS)
  • Data transfer
  • Tunnel renegotiation and termination
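
The "Transforms" and "IPSec Negotiation" slides say that transform sets are matched to form an SA. The Python below is an added, simplified model (not the deck's content and not IKE's actual proposal encoding) of that matching: the initiator offers an ordered list of transforms, the responder accepts the first one in its own policy, and no SA forms when nothing matches. It also flags the DES and MD5 proposals that the earlier slides describe as broken or weakened, which is the check a configuration review would make. All policies are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Transform:
    """One IPSec transform: protocol, algorithms and mode (the 'Transforms' slide)."""
    protocol: str    # "ah" or "esp"
    cipher: str      # "des", "3des", "aes-128", "aes-256"; "none" for AH
    integrity: str   # "md5-hmac" or "sha1-hmac"
    mode: str        # "tunnel" or "transport"


# Constructed policies for the example; not a real device configuration.
INITIATOR_PROPOSALS: List[Transform] = [
    Transform("esp", "aes-256", "sha1-hmac", "tunnel"),
    Transform("esp", "3des", "sha1-hmac", "tunnel"),
    Transform("esp", "des", "md5-hmac", "tunnel"),
]
LEGACY_RESPONDER: Set[Transform] = {
    Transform("esp", "3des", "sha1-hmac", "tunnel"),
    Transform("esp", "des", "md5-hmac", "tunnel"),
}
HARDENED_RESPONDER: Set[Transform] = {
    Transform("esp", "aes-256", "sha1-hmac", "tunnel"),
    Transform("esp", "aes-128", "sha1-hmac", "tunnel"),
}

# Algorithms the DES and HMAC slides describe as broken or weakened.
WEAK_ALGORITHMS = {"des", "md5-hmac"}


def negotiate(offered: Iterable[Transform], acceptable: Set[Transform]) -> Optional[Transform]:
    """First transform in the initiator's ordered list that the responder also accepts.
    None means no SA can be formed and the tunnel does not come up."""
    for transform in offered:
        if transform in acceptable:
            return transform
    return None


def weak_proposals(offered: Iterable[Transform]) -> List[Transform]:
    """Proposals a policy review should remove: a weak entry anywhere in the list
    becomes the SA whenever the peer's policy is no stronger than that."""
    return [t for t in offered if t.cipher in WEAK_ALGORITHMS or t.integrity in WEAK_ALGORITHMS]


if __name__ == "__main__":
    print("legacy peer  ->", negotiate(INITIATOR_PROPOSALS, LEGACY_RESPONDER))
    print("hardened peer->", negotiate(INITIATOR_PROPOSALS, HARDENED_RESPONDER))
    print("weak entries ->", weak_proposals(INITIATOR_PROPOSALS))
```

The example makes the practical point behind "matched to create an SA": the strength of the resulting SA is bounded by the weakest transform both sides are willing to accept, so an initiator's preferred AES-256 entry protects nothing if a DES fallback remains in the list and the peer's policy is DES-only.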

24
VPN Capable Cisco Products
  • Routers
  • Firewalls
  • VPN Concentrators
  • VPN Clients

25
Compatibility
  • Devices that are compatible with each other to
    perform IPSec
  • Standards based compatibility with other vendors

26
VPN Concentrators
  • 3002 (Hardware Client)
  • 3005
  • 3015
  • 3020
  • 3030
  • 3060
  • 3080

27
VPN Concentrators
28
VPN Concentrator 3020
  • High performance
  • Lower cost
  • Not upgradeable to higher models

29
VPN Concentrator Physical
30
VPN Concentrator Management
  • Console
  • Web interface

31
VPN Management
  • CiscoWorks VMS
  • Management of security devices
  • VPN creation, maintenance, and monitoring

32
FIPS 140 Certification
  • VPN termination certification
  • US and Canada
  • Levels 1-4
  • Higher levels cover lower
  • Level 1 still valid
  • http://csrc.nist.gov/cryptval/

33
Current FIPS 140 Products
  • VPN 3002, 3005, 3015, 3030, 3060, 3080
  • VPN Software Client
  • Catalyst 6509 Switch and 7606 and 7609 Router
    with VPN Services Module
  • 1721, 1760
  • 2621, 2651, 2621XM, 2651XM, 2691
  • 3725, 3745
  • 7206, 7206VXR NPE-400, 7206VXR NPE-G1
  • 3640, 3660
  • 7140

34
04 FIPS 140 Products
  • 3250 Mobile Access Router
  • 3220 Mobile Access Router
  • 831

35
FIPS 140 Certification
  • Industry's first and only FIPS certified VPN
    client software
  • Key for US government client security
    applications
  • Remote access VPN
  • Automated wireless LAN security for multi-vendor
    NIC environments using Client wireless LAN
    auto-initiation
  • Cisco VPN Client and VPN 3000 Concentrator v3.6

36
Q&A
  • Rob MacPhee