Introducing IPsec VPNs Secured Connectivity Introducing IPsec 2 Introducing IPsec IPsec has these features: It is an IETT standard (RFC 2401-2412). It defines how a VPN can be set up using the IP addressing protocol. It determines how the interface appears to the encryption protocol, not which type of encryption is used. It provides these essential functions: Confidentiality Integrity Authentication IPsec Overview IKE AH ESP Provides a framework for the negotiation of security parameters and establishment of authenticated keys Provides a framework for the authenticating and securing of data Provides a framework for encrypting, authenticating, and securing of data RFC 2401 Combines three protocols into a cohesive security framework 3 IPsec Modes Transport Mode Original IP Header ESP Header TCP Data ESP Trailer ESP Authentication Encrypted Authenticated Tunnel Mode Original IP Header ESP Header TCP Data ESP Trailer ESP Authentication Encrypted Authenticated New IP Header Authentication Header RFC 2402 IP protocol 51 Mechanism for providing strong integrity and authentication for IP datagrams Can also provide nonrepudiation 4 Encapsulating Security Payload RFC 2406 IP protocol 50 May provide the following: Confidentiality (encryption) Connectionless integrity Data origin authentication An antireplay service Internet Key Exchange RFC 2409 A hybrid protocol consisting of: SKEME A mechanism for using public key encryption for authentication Oakley A modes-based mechanism for arriving at an encryption key between two peers ISAKMP An architecture for message exchange, including packet formats and state transitions between two peers Phase-based 5 How IKE Works IKE is a two-phase protocol. IKE Phase 1 SA (ISAKMP SA) Main mode six messages OR Aggressive mode three messages IKE Phase 2 SA (IPsec SA) Quick Mode S e c u r e D a t a Peers negotiate a secure, authenticated communications channel. Security associations are negotiated on behalf of IPsec services. Internet Security Association and Key Management Protocol RFC 2408 UDP 500 Defines procedures for: Authenticating a peer Creation and management of SAs Key generation techniques Threat mitigation 6 IPsec Configuration Task LIst Check network connectivity Ensure ACLs lists are compatible with IPsec Allow IP protocols 50 and 51 Allow UDP 500 Configure IKE ISAKMP Configure IPsec Create crypto ACLs Define transform sets Create crypto map entries Set global lifetimes for IPsec SAs Apply crypto map to the interface Summary IPsec is designed to provide interoperable, high-quality, cryptographically based security. AH is used to provide connectionless integrity and data origin authentication for IP datagrams. ESP is designed to provide a mix of security services in IPv4 and IPv6. IKE is used to establish a shared security policy and authenticated keys for services (such as IPsec) that require keys. 7 Summary (Cont.) ISAKMP defines the procedures for authenticating a communicating peer. Other protocols or standards used with IPsec include DES, HMAC, and MD5. IPsec configuration on a Cisco router comprises the configuration of ISAKMP and IPsec. Internet Key Exchange IPsec uses the IKE protocol to authenticate a peer computer and to generate encryption keys. The IKE protocol automates the key exchange process by: Negotiating SA characteristics Automatically generating keys Automatically refreshing keys Allowing manual configuration The IKE protocol uses these modes to secure communications: Main mode Agressive mode Quick mode 8 IKE Communication Negotiation Phases IKE uses these phases to secure a communication channel between two peers: IKE Phase 1: Transform sets, hash methods, and other parameters are determined. IKE Phase 1.5 (optional): XAUTH protocol can be used to provide user authentication of IPsec tunnels within the IKE protocol to provide additional authentication of the VPN clients. IKE Phase 2: SAs are negotiated by ISAKMP, where quick mode is used. In this phase, the IPsec SAs are unidirectional. IKE: Other Functions These IKE functions are also available: NAT traversal NAT detection NAT traversal decision UDP encapsulation of IPsec packets UDP encapsulated process for software engines: Transport mode and tunnel mode ESP encapsulation Mode configuration option Extended Authentication 9 IKE: Other Functions (Cont.) IPsec and NAT: The Problem PAT Device Port Address Translation fails because ESP packet Layer 4 port information is encrypted. IPsec Gateway IPsec Remote Client Public Network Private Network Private Network IKE: Other Functions (Cont.) Need NAT traversal with IPsec over TCP and UDP NAT traversal detection NAT traversal decision UDP encapsulation of IPsec packets UDP encapsulated process for software engines PAT Device IPsec Gateway IPsec Remote Client Public Network External IP Header ESP Header Original IP Header TCP/UDP Header Payload ESP Trailer UDP Header ESP Header Original IP Header TCP/UDP Header Payload ESP Trailer External IP Header Private Network Private Network 10 ESP and AH Header IP Hdr Data IP Hdr ESP Hdr New IP Hdr Data ESP Auth ESP Trailer Encrypted Authenticated IP Hdr AH New IP Hdr Data Authenticated Using ESP Using AH ESP allows encryption and authenticates the original packet. AH authenticates the whole packet and does not allow encryption. Original Packet Transport and Tunnel Mode TCP UDP New IP Hdr ESP Auth ESP Trailer Data IP Hdr ESP Hdr Transport Mode Encrypted Authenticated Tunnel Mode Encrypted Authenticated TCP UDP ESP Auth ESP Traile r Data ESP Hdr IP Hdr 11 Message Authentication and Integrity Check Using Hash Sender Receiver ? Insecure Channel HMAC HMAC HMAC Hash Output Message Message Message Hash Hash MD5 and SHA-1 MD5 produces a 128-bit message digest. SHA-1 produces a 160-bit message digest. IPsec protocol uses only the first 96 bits of the SHA-1 message digest. SHA-1 is computationally slower than MD5, but more secure. 12 Symmetric vs. Asymmetric Encryption Algorithms Public key cryptography Encryption and decryption use different keys Typically used in digital certification and key management Example: RSA Secret key cryptography Encryption and decryption use the same key Typically used to encrypt the content of a message Examples: DES, 3DES, AES Symmetric Plain Text Encryption( ) or Decryption( ) Encryption( ) CipherText Plain Text Asymmetric CipherText Decryption( ) Symmetric vs. Asymmetric Encryption Algorithms (Cont.) 15360 7680 3072 2048 1024 Asymmetric Key Length Symmetric Key Length 256 192 128 112 80 Comparing key lengths required for asymmetric keys and symmetric keys 13 Symmetric vs. Asymmetric Encryption Algorithms (Cont.) AES-256, SHA-512 O(2 256 ) Ultra AES-192, SHA-384 O(2 192 ) High AES-128, SHA-256 O(2 128 ) Standard 3DES O(2 80 ) Baseline RC4, SHA-1 O(2 64 ) Legacy DES, MD5 O(2 40 ) Weak Algorithms Work Factor Security Level Comparing security levels of cryptographic algorithms Symmetrical Key Encryption Algorithms DES Uses a 56-bit key Is considered outmoded and insecure Triple-DES Uses a 168-bit key Only provides baseline encryption protection AES The 126bit key version is deemed acceptable by the NSA for U.S. government nonclassified data. 14 DH and RSA Asymmetric Encryption Algorithms Diffie-Hellman key agreement protocol: The first practical method for establishing a shared secret over an unprotected communications channel Vulnerable to a man-in-the-middle attack because there is no requirement to authenticate the sender and receiver RSA cryptosystem: Most popular asymmetric encryption system available Provides encryption and digital signatures for authentication RSA keys are typically 10242048 bits long PKI Environment Certificate Authority Key Recovery Registration and Certification Issuance Support for Nonrepudiation Key Storage Trusted Time Service Key Generation Certificate Distribution Certificate Revocation 15 PKI Certificates A PKI uses a CA to: Manage certificate requests and issue certificates Provide a centralized trusted source for key management Provide a trusted source to validate identities and to create digital certificates The CA starts by generating its own public key pair and creates a self-signed CA certificate. Then the CA can sign certificate requests and begin peer enrollment for the PKI. Use a third-party CA vendor, or use the Cisco IOS certificate server for your own CA-signed certificates. Hierarchical CA Frameworks A PKI allows a hierarchical CA framework supporting multiple CAs with these features: The root CA holds a self-signed certificate and an RSA key pair. Subordinate CAs enroll with either the root CA or with another subordinate CA. Each enrolled peer can validate the certificate of another enrolled peer. Multiple CAs provide users with added flexibility and reliability. A subordinate CA can be placed in a branch office, and the root CA can be placed at office headquarters. One CA can automatically grant certificate requests, while another CA can require only manually granted certificate requests. 16 PKI Certificates Signing Algorithm Example: SHA-1with RSA CA Identity Lifetime of Certificate Public Key of Users (Bound to Users Subject Name of User) Other User Information Example: subAltName, Cisco Discovery Protocol Signed by Private Key of CA X.509 v3 Certificate Extension CA Digital Signature Subject Unique ID Subject Public Key Info. Issuer Unique ID Version Serial Number Signature Algorithm ID Subject X.500 Name Validity Period Issuer (CA) X.500 Name Algorithm ID Public Key Value PKI Message Exchange Certificate Authority Alice Convey Trust in Her Public Key Bob Request for CA Public Key 1 CA Sends Its Public Key 2 4 Alice Hash Message Digest Sign Bob trusts the Alice public key after verifying her signature using the CA public key. Cert Req. Alice 3 6 Alice .. Alice .. 5 CA Private Key 17 PKI Credentials Storing PKI credentials: RSA keys and certificates NVRAM or eToken storage eToken prerequisites: Cisco 871 Integrated Service Router; Cisco 1800, 2800, or 3800 Series Integrated Service Routers Cisco IOS Release 12.3(14)T image USB eToken supported by Cisco A Cisco K9 image Summary IPsec is an IETF standard that defines how a VPN can be set up using the IP addressing protocol. IPsec provides confidentiality, integrity, and authentication security functions. IPsec relies on the IKE protocol to provide the negotiation of SA characteristics, automatic key generation, the automatic refreshing of keys, and a way to manage the manual configuration of keys. The IKE protocol supports the verification of peer device activity, the passing of IPsec packets through NAT devices, and the exchange of additional configuration parameters between peer devices. 18 Summary (Cont.) Together the ESP and AH protocols provide an undecipherable data flow and a tamper-evident seal. The ESP and AH protocols can use the IPsec transport mode when packet size is a concern or the IPsec tunnel mode when packet expansion is not a concern. The IPsec protocol uses HMAC to provide an iterative cryptographic hash function. The strength of HMAC depends on the properties of the underlying hash function. IPsec uses symmetric and asymmetric encryption. In symmetric encryption the sender and the receiver use the same secret key; in asymmetric encryption, one key is used for encryption and another key is used for decryption. PKI provides a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Building IPsec VPNs Building a Site-to-Site IPsec VPN Operation 19 Site-to-Site IPsec VPN IPsec Tunnel IKE Phase 1 IKE Phase 2 IKE SA IKE SA IPsec SA IPsec SA Host A Host B Router B Router A 1. Host A sends interesting traffic to Host B. 2. Routers A and B negotiate an IKE Phase 1 session. 3. Routers A and B negotiate an IKE Phase 2 session. 4. Information is exchanged via IPsec tunnel. 5. The IPsec tunnel is terminated. Site-to-Site IPsec Configuration Step 1: ISAKMP policy Step 2: IPsec transform set Step 3: Cryptographic access list Step 4: Create and apply the cryptographic map Step 5: Interface access list 20 Site-to-Site IPsec ConfigurationPhase 1 Internet 172.16.172.10 172.16.171.20 Router 1 Router 2 10.1.1.0/24 10.1.2.0/24 crypto isakmp policy 1 authentication pre-shared hash sha encryption aes 128 group 2 lifetime 86400 crypto isakmp key SeCrEt address 172.16.172.10 netmask 255.255.255.255 crypto isakmp policy 1 authentication pre-shared hash sha encryption aes 128 group 2 lifetime 86400 crypto isakmp key SeCrEt address 172.16.171.20 netmask 255.255.255.255 Site-to-Site IPsec ConfigurationPhase 2 Internet 172.16.172.10 172.16.171.20 Router 2 Router 1 10.1.1.0/24 10.1.2.0/24 crypto ipsec transform-set aes_sha esp-aes 128 esp-sha-hmac access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 crypto map VPN_To_R1 10 ipsec- isakmp set peer 172.16.172.10 match address 101 set transform-set aes_sha crypto ipsec transform-set aes_sha esp-aes 128 esp-sha-hmac access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 crypto map VPN_To_R2 10 ipsec- isakmp set peer 172.16.171.20 match address 101 set transform-set aes_sha 21 interface serial 1/0 ip address 172.16.172.10 255.255.255.0 crypto map VPN_To_R2 ip route 10.1.2.0 255.255.255.0 172.16.171.20 interface serial 3/0 ip address 172.16.171.20 255.255.255.0 crypto map VPN_To_R1 ip route 10.1.1.0 255.255.255.0 172.16.172.10 Site-to-Site IPsec ConfigurationApply VPN Configuration Internet 172.16.172.10 172.16.171.20 Router 2 Router 1 10.1.1.0/24 10.1.2.0/24 Site-to-Site IPsec ConfigurationInterface Access List When using only IPsec VPN on a router interface, block all traffic except the traffic that you want. Block unwanted traffic by enabling the IPsec protocol 50 for ESP, or protocol 51 for AH, and enable IKE to configure UDP on port 500. To pass IPsec traffic through a NAT or PAT device or both, be sure to permit UDP port 4500 or the correct TCP port.