Germán Bastidas, Ing.
Universidad San Francisco de Quito
Chapter 8
Implementing Virtual Private Networks
CCNA Security 1.0
Implementing Network Security
Cisco Networking Academy
Overview
VPN
VPN Overview
• A VPN is a private network that is created via tunneling over a public network, usually the Internet.
• VPNs have many benefits:
– Cost savings
– Security
– Scalability
– Compatibility with broadband technology
Types of VPN Networks
• Site-to-site. Devices on both sides of the VPN connection are aware of the VPN configuration in advance. The VPN remains static, and internal hosts have no knowledge that a VPN exists. Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.
• Remote-access. VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled.
Cisco VPN Client Software
The Cisco VPN Client software encapsulates and encrypts the traffic from the remote host before sending it over the Internet to the VPN gateway at the edge of the target network.
Cisco IOS SSL VPN
SSL VPNs allow users to access web pages and services, including the ability to access files, send and receive email, and run TCP-based applications without IPsec VPN Client software.
The primary restriction of SSL VPNs is that they are currently supported only in software.
SSL VPN Modes of Access
• Clientless SSL VPN. A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN.
• Client SSL VPN. A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported in a thin client environment.
VPN Solutions
VPN Specialized Hardware
AIM - A broad range of Cisco routers can be equipped with AIM. Advanced integration modules are installed inside the router chassis and offload encryption tasks from the router CPU.
Cisco IPsec VPN Shared Port Adapter (SPA) - Delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.
Cisco IPsec VPN SPA
GRE VPN
Generic Routing Encapsulation (GRE)
GRE does not include any strong security mechanisms to protect its payload.
GRE Tunnel Header
The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
Configuring a Site-to-Site GRE Tunnel
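The slide title above names the GRE tunnel configuration, but the page carries no commands. The following is an added example, not the deck's own configuration, showing the R1 side of a site-to-site GRE tunnel in Cisco IOS. The public addresses 203.0.113.1 and 198.51.100.1, the tunnel subnet 172.16.0.0/30 and the remote LAN 10.2.2.0/24 are assumed; R2 mirrors the configuration with the addresses swapped.

```cisco
! Added example (R1 side). All addresses are assumed; R2 mirrors them.
interface Tunnel0
 description GRE tunnel to R2
 ip address 172.16.0.1 255.255.255.252
 ! the outer (tunneling) IP header carries the routers' public addresses
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 ! 1500 minus the 24 bytes of overhead (20-byte outer IP header + 4-byte GRE header)
 ip mtu 1476
!
! Send the remote LAN through the tunnel (a routing protocol could run over Tunnel0 instead)
ip route 10.2.2.0 255.255.255.0 Tunnel0
```

Verify with `show interfaces Tunnel0` (line protocol up) and `ping 172.16.0.2`. As the previous slide states, GRE carries the payload in cleartext: to protect it, either match the GRE traffic in a crypto ACL (`permit gre host 203.0.113.1 host 198.51.100.1`) and apply a crypto map to the physical interface, or attach an IPsec profile to the tunnel with `tunnel protection ipsec profile NAME`. The reason to keep GRE under the IPsec is that GRE can carry routing-protocol and multicast traffic that a plain IPsec crypto ACL cannot select.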
When To Use GRE
IPSEC VPN COMPONENTS AND OPERATION
IPsec
• IETF standard (RFC 2401-2412) that defines how a VPN can be built over the IP protocol.
• IPsec is not bound to any specific encryption, authentication, security algorithms, or keying technology.
• IPsec is a framework of open standards that spells out the rules for secure communications.
• IPsec relies on existing algorithms to implement the encryption, authentication, and key exchange.
IPsec Framework
Confi<strong>de</strong>ntiality
Integrity
Authentication - PSK
Authentication - RSA
Secure Key Exchange
• The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel.
• The DH groups covered here are 1, 2, 5, and 7.
– DH groups 1, 2, and 5 support exponentiation over a prime modulus with a modulus size of 768 bits, 1024 bits, and 1536 bits, respectively.
– Cisco 3000 clients support DH groups 1, 2, and 5. DES and 3DES encryption support DH groups 1 and 2.
– AES encryption supports DH groups 2 and 5.
– The Certicom movianVPN client supports group 7.
– Group 7 supports Elliptic Curve Cryptography (ECC), which reduces the time needed to generate keys.
IPsec Framework Protocols
• Authentication Header (AH) - IP protocol 51
• Encapsulating Security Payload (ESP) - IP protocol 50
Transport Mo<strong>de</strong> and Tunnel Mo<strong>de</strong>
Internet Key Exchange (IKE)
• Protocol used to set up a Security Association (SA)
• An SA is a basic building block of IPsec. Security associations are maintained within an SA database (SADB).
• IKE uses UDP port 500 (and UDP port 4500 when NAT traversal is in use).
• An alternative to using IKE is to manually configure all parameters required to establish a secure IPsec connection.
IKE Phase 1 Main Mo<strong>de</strong>
IKE Phase 1 Aggressive Mo<strong>de</strong>
IKE Phase 2 (Quick Mode)
• The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be used to secure the IPsec tunnel.
• IKE Phase 2 performs the following functions:
– Negotiates IPsec security parameters, known as IPsec transform sets
– Establishes IPsec SAs
– Periodically renegotiates IPsec SAs to ensure security
– Optionally performs an additional DH exchange
IMPLEMENTING SITE-TO-SITE IPSEC VPN WITH CLI
IPsec VPN Steps
Tasks to Configure IPsec
• Task 1. Ensure that ACLs configured on the interface are compatible with the IPsec configuration. Usually there are restrictions on the interface that the VPN traffic uses; for example, block all traffic that is not IPsec or IKE.
• Task 2. Create an ISAKMP policy to determine the ISAKMP parameters that will be used to establish the tunnel.
• Task 3. Define the IPsec transform set. The definition of the transform set defines the parameters that the IPsec tunnel uses. The set can include the encryption and integrity algorithms.
• Task 4. Create a crypto ACL. The crypto ACL defines which traffic is sent through the IPsec tunnel and protected by the IPsec process.
• Task 5. Create and apply a crypto map. The crypto map groups the previously configured parameters together and defines the IPsec peer devices. The crypto map is applied to the outgoing interface of the VPN device.
Task 1
Task 1 - Configuration
Task 2. Create an ISAKMP policy
Use an integer from 1 to 10,000 as the policy priority, with 1 being the highest priority and 10,000 the lowest.
ISAKMP Parameters
Task 2. Configure a PSK
Task 3 – Configure the Transform Sets
Transform Combinations
Transform Sets Negotiation Example
Transform Sets Configuration Example
Task 4 – Configure the Crypto ACL
Task 5 – Create the Crypto Map
Crypto Map Command
Crypto Map Configuration Mo<strong>de</strong> Commands
Task 5 – Configuration Example
Task 5 – Apply the Crypto Map
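The five tasks are only named on the page. The following is an added example, not the deck's own configuration, that carries all five out on router R1 in Cisco IOS. The topology is assumed: R1's outside interface GigabitEthernet0/0 at 203.0.113.1, peer R2 at 198.51.100.1, LAN 10.1.1.0/24 behind R1 and 10.2.2.0/24 behind R2. The names OUTSIDE-IN, VPN-TRAFFIC, R1-R2-TS and R1-R2-MAP are arbitrary, and the pre-shared key is a placeholder. R2 needs the mirror image: peer 203.0.113.1, the crypto ACL with source and destination swapped, and the same policy, transform set and key.

```cisco
! Added example (R1 side); topology, names and key are assumed.
!
! Task 1 - interface ACL: let only IKE and IPsec from the peer reach the outside interface
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 ! NAT-T on UDP 4500, only needed when NAT sits between the peers
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit ahp host 198.51.100.1 host 203.0.113.1
 deny ip any any log
!
! Task 2 - ISAKMP (IKE Phase 1) policy; a lower number is tried first
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! pre-shared key bound to the peer's address (replace the placeholder with a long random key)
crypto isakmp key ReplaceWithLongRandomKey address 198.51.100.1
!
! Task 3 - transform set offered in IKE Phase 2 (ESP with AES-256 and SHA-1 HMAC, tunnel mode)
crypto ipsec transform-set R1-R2-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Task 4 - crypto ACL: the "interesting" traffic that must be encrypted
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Task 5 - crypto map ties peer, transform set and crypto ACL together...
crypto map R1-R2-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set R1-R2-TS
 ! optional extra DH exchange in Phase 2 (Perfect Forward Secrecy)
 set pfs group5
 match address VPN-TRAFFIC
!
! ...and is applied, with the interface ACL, to the outgoing interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map R1-R2-MAP
```

The tunnel is negotiated only when traffic matches the crypto ACL, so trigger it from R1 with `ping 10.2.2.1 source 10.1.1.1` and then check `show crypto isakmp sa` (state QM_IDLE means Phase 1 completed) and `show crypto ipsec sa` (the encaps/decaps counters should rise on both routers). `debug crypto isakmp` and `debug crypto ipsec` show proposal mismatches during negotiation. Two common failure causes: the two crypto ACLs are not exact mirrors of each other, and NAT on the outside interface translates the LAN-to-LAN traffic before the crypto map sees it, in which case that traffic must be excluded from the NAT rule.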
Verify and Troubleshoot IPsec Configuration
Configure IPsec with SDM
IMPLEMENTING REMOTE-ACCESS VPNS
Teleworking Benefits
Methods for Deploying Remote-Access VPNs
IPsec vs SSL Remote-Access VPNs
Establishing an SSL Session
Cisco Easy VPN
Establishing an IPsec Remote-Access Session
Configure a VPN Server with SDM
Connect with a VPN Client