Deployment of IPSec Virtual Private Network Solutions

Deployment of IPSec VPN
VPN, IPSec, PKI, Smart Cards
Ivan Svoboda, Manager, Information security projects
CATE-IDET, Brno, 11.5.2001

Agenda
• Business drivers
• VPN levels
• VPN & Firewall
• VPN & PKI
• VPN & Security Certification

Current issues
• E-commerce, E-government
• Internet services
• Flexibility
• Network infrastructure & cost reduction

Network Security Threats
• Sniffing
• IP spoofing
• Session hijacking
• Man-in-the-middle
The enabler: Secure VPN

Secure networks ?
[Diagram: data travelling between Praha and Brno across X.25, ATM, Frame Relay, Internet and PSTN]

Secure networks ? YES !
[Diagram: documents exchanged between Praha and Brno through a VPN carried over X.25, ATM, Frame Relay, Internet and JTS]

Encryption layers
[Diagram: the OSI stacks of two communicating hosts (Physical, Link, Network, Transport, Session, Presentation, Application) over LAN, WAN, Internet, with the encryption technology placed at each layer: SSH, S-MIME at Application; SSL/TLS at Transport; IPSec at Network; L2TP, PPTP at Link]

Encryption layers
• Application (SSH, S/MIME etc.)
  (-) application dependent
  (-) network access control missing
  (+) most specific services
• Transport (SSL/TLS)
  (-) TCP-only (HTTP etc.)
• Network (IPSec)
  (-) IP-only
  (+) every IP packet is secured
  (+) IP-address tunnelling
• Link (L2TP, PPTP)
  (+) RAS, mixed networks (IP, IPX, NetBEUI etc.)

Network layer encryption: IPSec
[Diagram: the OSI stacks of two hosts exchanging documents, with IPSec inserted at the Network layer on both sides; the layers above it (Transport, Session, Presentation, Application) are unchanged]

IPSec VPN compatibility
[Diagram: IPSec-VPN at the Network layer sits between the applications and platforms above it (database, e-mail, www, client/server, ERM, GIS; Unix, Oracle, Novell, Microsoft) and the networks below it (LAN, X.25, WAN, Internet, Frame Relay, PPP)]

IPSec VPN functions:
• Data confidentiality & integrity
  - Encryption (ESP)
  - Authentication (AH)
• Users/nodes authentication
  - digital certificates X.509
• Access control
  - Access to networks
  - Access to sources (servers)

Secure VPN – IPSec technology
[Diagram: two hosts on LAN, WAN, ... each with the stack applications / TCP-UDP / IP / IPSEC / IP / Ethernet-PPP; IKE (ISAKMP/Oakley) negotiates between them and ESP/AH provide data authentication and encryption]

IPSec Implementation
[Diagram: IPSec-VPN implemented in HW or SW on a Router, a Firewall or a VPN-gateway, authenticated with certificates (public key, digitally signed by the CA)]

IPSec Interoperability
• Different types of products in different locations (LAN, WAN, Internet, JTS)
• IPSec compatibility: ICSA certification

IPSec VPN deployment
• Intranet
• Extranet
• E-business / E-government
[Diagram: LANs connected over PTSN, WAN and Internet, with PDA, ... as remote clients]
Where are the threats? Internal vs. External

VPN deployment issues
• VPN & firewall
  - Complementary technologies
  - Coordination of policies necessary
• VPN & PKI & smart cards
  - Complementary technologies
  - Attribute certificates
  - Two-factor authentication

Firewall supplements
[Diagram: technologies surrounding the firewall: Content security, High availability, Antivirus control, Load balancing, Strong authentication, Vulnerabilities assessment, Directory, PKI, Intrusion detection, VPN, Log analysis, Network management]

Deploying a VPN Service with or without a Firewall
• Each component in the network solves its own distinct problem
• Issues: Performance, reliability, policy integration, TCO, …
• Security: question of protected area perimeter

No Firewall Scenario
• VPN Gateway authenticates users with X.509 certificates
• If all traffic is encrypted VPN Gateway acts as “perfect” firewall
• No other filtering
[Diagram: Head office LAN – Secure VPN Gateway – Access router – Internet]

Outside of Firewall Scenario
• VPN traffic decrypted by VPN Gateway
• Firewall can perform additional packet filtering, authentication, and application proxies
• No changes to firewall security policy
• Security perimeter ?
[Diagram: Head office LAN – Firewall – Secure VPN Gateway – Access router – Internet]

In Parallel to Firewall Scenario
• Network access validated and secured by VPN system
• Security policy more flexible and simple to implement
• No network traffic bottlenecks
[Diagram: Head office LAN reaches the Access router and the Internet through the Firewall and the Secure VPN Gateway placed side by side]

Inside of Firewall Scenario (1)
[Diagram: WAN – router – FW – DMZ – VPN – LAN; the protected area is the LAN behind the VPN device]

Inside of Firewall Scenario (2)
[Diagram: WAN – router – FW – DMZ – VPN – LAN, with the protected area behind the VPN device]
FW: non-authorised users (access to Web server)
VPN: authorised users (access to accounting server)

Problem issues
• Correct IPSec transport through firewall (proxy server)
  - Transport of LDAP (TCP/port 309) and PKIX (TCP/port 709)
  - Transport of ISAKMP / IKE (UDP/port 500)
  - Transport of ESP (IP protocol 50) and AH (IP protocol 51)
  - Network address translation (NAT)
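As an added illustration of the firewall-transport problems listed above (example code, not part of the original slides), a small Python rule check: it classifies constructed sample packets as IKE, ESP or AH, shows that ESP and AH must be matched by IP protocol number because they carry no port, and models why NAT invalidates AH, whose integrity check covers the outer source address. Addresses, the key and the packet layout are constructed assumptions.

```python
# Added example (not from the slides): which packets a perimeter firewall must pass for IPSec, and why NAT breaks AH.
from dataclasses import dataclass, replace
import hashlib, hmac

UDP, TCP = 17, 6
IKE_PORT, ESP_PROTO, AH_PROTO = 500, 50, 51   # IKE is UDP/500; ESP and AH are IP protocols

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number
    dport: int = 0  # transport port; 0 when the protocol carries none (ESP, AH)

# Firewall allow-list as (protocol, destination port) pairs.  ESP and AH have
# no port at all, so a rule written as "port 50" would never match them.
VPN_RULES = {(UDP, IKE_PORT), (ESP_PROTO, 0), (AH_PROTO, 0)}

def classify(pkt):
    if pkt.proto == UDP and pkt.dport == IKE_PORT:
        return "IKE"
    if pkt.proto == ESP_PROTO:
        return "ESP"
    if pkt.proto == AH_PROTO:
        return "AH"
    return "other"

def allowed(pkt, rules=VPN_RULES):
    return (pkt.proto, pkt.dport) in rules

def ah_icv(pkt, key):
    # Simplified model of the AH integrity check value: it covers the immutable
    # IP header fields, so the outer source address is part of the input.
    return hmac.new(key, f"{pkt.src}>{pkt.dst}".encode(), hashlib.sha256).hexdigest()

def nat_breaks_ah(pkt, key, nat_src):
    """True when a NAT rewrite of the source address invalidates the AH ICV."""
    original = ah_icv(pkt, key)
    after_nat = replace(pkt, src=nat_src)       # what the receiver actually sees
    return ah_icv(after_nat, key) != original   # receiver's recomputation fails

# Constructed sample traffic from a branch host to the head-office VPN gateway.
SAMPLE = [Packet("10.0.0.5", "203.0.113.1", UDP, IKE_PORT),
          Packet("10.0.0.5", "203.0.113.1", ESP_PROTO),
          Packet("10.0.0.5", "203.0.113.1", AH_PROTO),
          Packet("10.0.0.5", "203.0.113.1", TCP, 80)]   # plain web, not VPN

def audit(packets=SAMPLE):
    # One (class, allowed) verdict per packet, as a firewall log review would produce.
    return [(classify(p), allowed(p)) for p in packets]
```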

Secure VPNs and Authentication
• Two ends wishing to set up a secured session need to know who they are communicating with, otherwise…
  - spoofing attack
  - man-in-the-middle attacks
• The secure tunnel needs to be authenticated at both ends
• Authentication options (IKE):
  - Certificates
  - Shared secret

Alternate Authentication Method “Shared Secret”
• Eliminate certificates for small deployments
• User enters a password for authentication
  - supported by IKE, in lieu of certificates
  - longer passwords are more secure
  - password never traverses the network
• But…not as scalable as certificates
  - password administration becomes difficult
[Table: example shared-secret list pairing an identity (an e-mail address or an IP: [email protected], [email protected], 122.2.3.18, 77.2.3.*) with a password (mylittlechickadee12, mIi8182, 19insabinsa)]

VPN & PKI
• PKI is the most scalable authentication method for VPN
• VPN is a “killer” application for PKI
• Dynamic modifications:
  - Attribute certificates – VPN groups membership

Secure VPN Groups
Engineering VPN group
• User A
• Engineering subnet
Finance VPN group
• User B
• Finance subnet
Inventory VPN group
• User B
• User C
• Inventory subnet
[Diagram: Users A, B and C reach the Engineering, Finance and Inventory subnets across the Internet through a single VPN gateway]

VPN groups
[Diagram: access privileges assigned per VPN group: VPN (1) and VPN (2) across the WAN to LAN A and LAN B]

VPN policy manager
[Diagram: VPN groups, their group members, and new users being added]
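The group-based access control of the Secure VPN Groups slide and the dynamic modification that the policy manager slide shows, as an added Python example (not the presenter's tool): reachable subnets are derived from VPN group membership, the way an attribute certificate would carry it, and enrolling a new user changes the decision immediately. Subnet addresses and the "User D" enrolment are constructed assumptions; the users and groups are those on the slide.

```python
# Added example (not from the slides): a VPN policy manager that decides access
# from VPN group membership and supports adding new users at run time.
import ipaddress

# Group -> (members, protected subnet); subnet addresses are constructed sample values.
VPN_GROUPS = {
    "Engineering": ({"User A"}, "10.1.0.0/24"),
    "Finance":     ({"User B"}, "10.2.0.0/24"),
    "Inventory":   ({"User B", "User C"}, "10.3.0.0/24"),
}

class PolicyManager:
    def __init__(self, groups):
        # Copy the membership sets so enrolments never mutate the constant above.
        self.groups = {g: (set(m), ipaddress.ip_network(net)) for g, (m, net) in groups.items()}

    def groups_of(self, user):
        """Group names a user belongs to: the content an attribute certificate would carry."""
        return sorted(g for g, (members, _) in self.groups.items() if user in members)

    def allowed(self, user, dst_ip):
        """Allow a tunnelled packet only if dst lies in a subnet of one of the user's groups."""
        dst = ipaddress.ip_address(dst_ip)
        return any(dst in self.groups[g][1] for g in self.groups_of(user))

    def add_user(self, user, group):
        """Dynamic modification: enrol a new user in an existing VPN group."""
        if group not in self.groups:
            raise KeyError(f"unknown VPN group {group!r}")
        self.groups[group][0].add(user)

def demo():
    pm = PolicyManager(VPN_GROUPS)
    before = (pm.allowed("User A", "10.1.0.7"),   # engineering host: own subnet
              pm.allowed("User A", "10.2.0.7"),   # finance host: not a member
              pm.allowed("User B", "10.3.0.9"))   # inventory host: member of two groups
    pm.add_user("User D", "Finance")              # constructed new user
    after = (pm.allowed("User D", "10.2.0.7"), pm.groups_of("User D"))
    return before, after
```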

Two-factor authentication
[Diagram]

Smart cards advantage
• Not only private key storage
• Private key operations (electronic signature on-card)
• Security !

PKI & smart cards
[Diagram: CA, LDAP / X.500 directory, documents, and the smart card shared by the E-mail, SSL and IPSec clients]

Smart cards advantage
• Different private keys/certificates:
  - Clients: e-mail, SSL, IPSec, …
  - Use: authentication, encryption, non-repudiation (electronic signature)
• Single smart card
• Multi-function cards
  - Physical access control (contact-less)
  - Secure login
  - Electronic signature

Multi-function smart cards
[Diagram]

Is it really secure? (IPSec VPN)
[Diagram: pyramid of IPSec VPN products: FIPS 140-1 Security Certification (2-5), ICSA Certification (approx. 10-15), „IPSec compatible“, Non-certified]

FIPS 140-1
• Cryptographic modules certification
  - NIST - http://csrc.ncsl.nist.gov/cryptval
  - CR: Electronic Signature Act Regulation
    • Requirements for the private key protection, as a part of a secure signature creation device
• Levels 1-4
  - Level 2:
    • Physical security for high risk environment (tamper-evident coatings)
    • User authentication
    • Controlled access protection (C2 equivalent)
• VPN, PKI, smart card, …

Conclusion
• VPN deployment issues/decisions
  - VPN level
  - Security perimeter (Risk analysis)
  - VPN & FW
  - Authentication options (VPN & PKI & smart cards)
  - Security certifications
• www.tsoft.cz
• [email protected]
• +420-2-6134 8738