Deployment of IPSec Virtual Private Network Solutions

Transcript
Slide 1: Deployment of IPSec VPN
VPN, IPSec, PKI, Smart Cards
Ivan Svoboda, Manager, Information security projects
CATE-IDET Brno, 11.5.2001

Slide 2: Agenda
- Business drivers
- VPN levels
- VPN & Firewall
- VPN & PKI
- VPN & Security Certification

Slide 3: Current issues
- E-commerce, E-government
- Internet services
- Flexibility
- Network infrastructure & cost reduction
Network security threats:
- Sniffing
- IP spoofing
- Session hijacking
- Man-in-the-middle
The enabler: Secure VPN

Slides 4-6: Secure networks?
(Diagram: sites in Praha and Brno exchanging data and documents over X.25, ATM, Frame Relay, the Internet, PSTN and JTS. Slide 4 asks whether such carriers are secure; slides 5 and 6 answer "YES!" with a VPN carrying the documents over the same untrusted carriers.)

Slide 7: Encryption layers
(Diagram: the OSI stack at both ends of a LAN/WAN/Internet path, with SSH and S/MIME at the application layer, SSL/TLS between the session and transport layers, IPSec at the network layer, and L2TP/PPTP at the link layer.)

Slide 8: Encryption layers
Application (SSH, S/MIME etc.)
- (-) application dependent
- (-) network access control missing
- (+) most specific services
Transport (SSL/TLS)
- (-) TCP-only (HTTP etc.)
Network (IPSec)
- (-) IP-only
- (+) every IP packet is secured
- (+) IP-address tunnelling
Link (L2TP, PPTP)
- (+) RAS, mixed networks (IP, IPX, NetBEUI etc.)
- (-) neither protocol encrypts by itself: L2TP is normally run over IPSec, and PPTP relies on MPPE, whose MS-CHAP-based keying has published weaknesses

Slide 9: Network layer encryption: IPSec
(Diagram: the same two stacks with IPSec inserted at the network layer on both ends; the documents pass through the application, presentation, session and transport layers unchanged.)

Slide 10: IPSec VPN compatibility
Because IPSec sits at the network layer, it is independent of:
- applications: database, e-mail, www, client/server, ERM, GIS
- platforms: Unix, Oracle, Novell, Microsoft
- networks: LAN, X.25, WAN, Internet, Frame Relay, PPP

Slide 11: IPSec VPN functions
- Data confidentiality & integrity: encryption (ESP), authentication (AH). ESP can also carry its own integrity check; AH authenticates the packet including the outer IP header but never encrypts.
- User/node authentication: X.509 digital certificates (the public key of X.Y., digitally signed by the CA)
- Access control: access to networks, access to resources (servers)

Slide 12: Secure VPN – IPSec technology
(Diagram: two hosts, each running applications over TCP/UDP over IP over IPSEC over Ethernet/PPP across a LAN/WAN; IKE (ISAKMP/Oakley) negotiates the security associations above IP, and ESP/AH provide data authentication and encryption.)

Slide 13: IPSec implementation
- HW or SW
- Router, firewall or dedicated VPN gateway
- Certificates: the public key of X.Y., digitally signed by the CA

Slide 14: IPSec interoperability
- Different types of products (Microsoft and others) in different locations: LAN, WAN, Internet, JTS
- IPSec compatibility: ICSA certification

Slide 15: IPSec VPN deployment
- Intranet
- Extranet
- E-business / E-government
(Diagram: LANs joined over the PSTN, a WAN and the Internet, with mobile devices such as PDAs.)
Where are the threats? Internal vs. external.

Slide 16: VPN deployment issues
VPN & firewall
- complementary technologies
- coordination of policies necessary
VPN & PKI & smart cards
- complementary technologies
- attribute certificates
- two-factor authentication

Slide 17: Firewall supplements
Content security, high availability, antivirus control, load balancing, strong authentication, vulnerability assessment, directory, PKI, intrusion detection, VPN, log analysis, network management.

Slide 18: Deploying a VPN service with or without a firewall
- Each component in the network solves its own distinct problem
- Issues: performance, reliability, policy integration, TCO, ...
- Security: the question is where the perimeter of the protected area lies

Slide 19: No firewall scenario
- The VPN gateway authenticates users with X.509 certificates
- If all traffic is encrypted, the VPN gateway acts as a "perfect" firewall
- No other filtering
(Diagram: Internet, access router, Secure VPN Gateway, head office LAN.)
This holds only while the gateway accepts nothing but authenticated IPSec; every cleartext exception (management access, ICMP, split tunnelling on the clients) is an unfiltered hole in the perimeter.

Slide 20: Outside of firewall scenario
- VPN traffic is decrypted by the VPN gateway
- The firewall can perform additional packet filtering, authentication and application proxies on the decrypted traffic
- No changes to the firewall security policy
- Security perimeter? The gateway itself and the plaintext link between gateway and firewall lie outside the protected area.
(Diagram: Internet, access router, Secure VPN Gateway, firewall, head office LAN.)

Slide 21: In parallel to firewall scenario
- Network access validated and secured by the VPN system
- Security policy more flexible and simple to implement
- No network traffic bottlenecks
(Diagram: the access router feeds the firewall and the Secure VPN Gateway side by side; both attach to the head office LAN.)
The gateway is then a second entry point into the LAN that the firewall never sees, so its access policy has to be as complete as the firewall's.

Slide 22: Inside of firewall scenario (1)
(Diagram: WAN, router, FW, DMZ, VPN gateway, LAN; the protected area is everything behind the VPN gateway.)

Slide 23: Inside of firewall scenario (2)
(Diagram: WAN, router, FW, DMZ, VPN gateway, LAN.)
- FW: non-authorised users (access to the web server in the DMZ)
- VPN: authorised users (access to the accounting server in the protected area)

Slide 24: VPN problem issues
Correct IPSec transport through the firewall (proxy server):
- LDAP (TCP port 389)
- PKIX certificate management (TCP port 709 in the PKI products this talk assumes; IANA assigns TCP port 829 to PKIX-CMP)
- ISAKMP / IKE (UDP port 500)
- ESP (IP protocol 50) and AH (IP protocol 51): these are IP protocol numbers, not ports, so an application proxy or a port-based filter cannot pass them
- Network address translation (NAT): AH fails outright, because its integrity check covers the source and destination addresses that NAT rewrites, and ESP carries no port number for a port-translating NAT to multiplex on. (Later IKE NAT-Traversal, RFC 3947/3948, encapsulates ESP in UDP port 4500 for exactly this reason.)

Slide 25: Secure VPNs and authentication
- Two ends wishing to set up a secured session need to know who they are communicating with, otherwise: spoofing attack, man-in-the-middle attacks
- The secure tunnel needs to be authenticated at both ends
- Authentication options (IKE): certificates, shared secret

Slide 26: Alternate authentication method "Shared secret"
- Eliminates certificates for small deployments
- The user enters a password for authentication
- Supported by IKE, in lieu of certificates
- Longer passwords are more secure
- The password never traverses the network (it only keys the IKE authentication hash)
But:
- not as scalable as certificates
- password administration becomes difficult
Example entries:
Identity | Password
[email protected] | mylittlechickadee12
122.2.3.18 | mIi8182
77.2.3.* | 19insabinsa
In Main Mode the responder has to pick the shared secret by the peer's IP address before the identity payload arrives, so e-mail identities only work in Aggressive Mode; there the responder's hash is sent unencrypted, and a weak secret can be recovered offline from one captured exchange, which is the practical meaning of "longer passwords are more secure".

Slide 27: VPN & PKI
- PKI is the most scalable authentication method for VPN
- VPN is a "killer" application for PKI
- Dynamic modifications: attribute certificates carry VPN group membership

Slide 28: Secure VPN groups
- Engineering VPN group: User A; Engineering subnet
- Finance VPN group: User B; Finance subnet
- Inventory VPN group: User B, User C; Inventory subnet
(Diagram: Users A, B and C connect over the Internet to the VPN gateway, which admits each user only to the subnets of the groups they belong to.)

Slide 29: VPN groups
Access privileges: VPN (1) and VPN (2) across the WAN between LAN A and LAN B, each group with its own set of reachable networks. (Diagram.)

Slide 30: VPN policy manager
- VPN groups
- Group members
- New users

Slide 31: Two-factor authentication
(Diagram only.)

Slide 32: Smart cards advantage
- Not only private key storage
- Private key operations (electronic signature on-card)
- Security! The private key never leaves the card, so a compromised PC can use it only while the card is inserted and the PIN has been entered.

Slide 33: PKI & smart cards
(Diagram: the CA issues certificates, published in an LDAP/X.500 directory and used by e-mail, SSL and IPSec clients with keys held on the smart card.)

Slide 34: Smart cards advantage
- Different private keys/certificates: clients: e-mail, SSL, IPSec, ...; uses: authentication, encryption, non-repudiation (electronic signature)
- Single smart card
- Multi-function cards: physical access control (contact-less), secure login, electronic signature

Slide 35: Multi-function smart cards
(Diagram only.)

Slide 36: Is it really secure? (IPSec VPN)
- FIPS 140-1 security certification: 2-5 products
- ICSA certification: cca 10-15 products
- "IPSec compatible": non-certified

Slide 37: FIPS 140-1
- Cryptographic module certification by NIST: http://csrc.ncsl.nist.gov/cryptval
- CR (Czech Republic): Electronic Signature Act regulation: requirements for private key protection as part of a secure signature creation device
- Levels 1-4
- Level 2: physical security for a higher-risk environment (tamper-evident coatings or seals); role-based operator authentication; operating system with controlled access protection (C2 equivalent)
- Applies to VPN, PKI, smart card, ...

Slide 38: Conclusion
VPN deployment issues/decisions:
- VPN level
- Security perimeter (risk analysis)
- VPN & FW
- Authentication options (VPN & PKI & smart cards)
- Security certifications
www.tsoft.cz, [email protected], +420-2-6134 8738
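The NAT problem listed under slide 24 is easiest to see on the wire. The following is an added example, not material from the presentation: it builds a minimal IPv4 packet with an AH header and an HMAC-SHA1-96 ICV computed the way RFC 2402 prescribes (mutable IP header fields and the ICV field zeroed), then passes the packet through an ordinary router hop and through a source NAT. The key, addresses, SPI and payload are constructed values.

```python
"""AH integrity check versus NAT: a constructed IPv4 + AH packet (RFC 2402)."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51        # IP protocol number of AH (a protocol number, not a port)
ICV_LEN = 12         # HMAC-SHA1-96 keeps the first 96 bits of the 160-bit HMAC
AH_LEN = 12 + ICV_LEN


def ip_checksum(hdr: bytes) -> int:
    """Ones-complement IPv4 header checksum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in (ID and DF flag are fixed constructed values)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_header(spi: int, seq: int, next_header: int, icv: bytes = b"\0" * ICV_LEN) -> bytes:
    """AH: next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, sequence, ICV."""
    return struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + icv


def ah_icv(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """ICV over the whole packet with mutable fields zeroed: TOS, flags/fragment offset,
    TTL and header checksum in the IP header, plus the ICV field itself. The source and
    destination addresses are treated as immutable, so they ARE covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0               # TOS
    h[6:8] = b"\0\0"       # flags + fragment offset
    h[8] = 0               # TTL
    h[10:12] = b"\0\0"     # header checksum
    a = bytearray(ah_hdr)
    a[12:12 + ICV_LEN] = b"\0" * ICV_LEN
    return hmac.new(key, bytes(h) + bytes(a) + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes,
                    inner_proto: int = 17) -> bytes:
    ah = ah_header(spi, seq, inner_proto)
    ip = ipv4_header(src, dst, AH_PROTO, len(ah) + len(payload))
    return ip + ah_header(spi, seq, inner_proto, ah_icv(key, ip, ah, payload)) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    ip, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    return hmac.compare_digest(ah[12:], ah_icv(key, ip, ah, payload))


def router_hop(packet: bytes) -> bytes:
    """A plain router decrements TTL and fixes the checksum: both mutable, ICV still verifies."""
    ip = bytearray(packet[:20])
    ip[8] -= 1
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


def source_nat(packet: bytes, new_src: str) -> bytes:
    """A NAT rewrites the source address; it holds no key, so the ICV is left untouched."""
    ip = bytearray(packet[:20])
    ip[12:16] = ipaddress.IPv4Address(new_src).packed
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


# Constructed sample: a packet from an inside host to the remote gateway address used on slide 26.
KEY = b"constructed-ah-key-for-this-example"
PACKET = build_ah_packet(KEY, "10.1.1.7", "77.2.3.1", spi=0x1000, seq=1, payload=b"constructed payload")

if __name__ == "__main__":
    print("direct:", verify_ah(KEY, PACKET))
    print("after router hop:", verify_ah(KEY, router_hop(PACKET)))
    print("after source NAT:", verify_ah(KEY, source_nat(PACKET, "203.0.113.5")))
```

The router hop leaves verification intact because TTL and checksum are excluded from the ICV; the NAT breaks it because the rewritten source address is inside the ICV. ESP does not cover the outer header, so it survives address rewriting, but without a UDP or TCP port a port-translating NAT has nothing to map a return ESP packet on, which is the second half of the NAT problem on slide 24.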
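Slides 25 and 26 state that with the "shared secret" option the password never traverses the network, and that longer passwords matter. The following is an added example, not the presenter's code, reducing IKEv1 phase-1 pre-shared-key authentication (RFC 2409 section 5.4) to its hash computations so both claims can be checked. The Diffie-Hellman public values are stand-ins (random bytes) for real g^x mod p values, the SA payload and identities are constructed, and the candidate passwords are the ones from the slide 26 table.

```python
"""IKEv1 pre-shared-key authentication, reduced to the RFC 2409 hash computations."""
import hashlib
import hmac
import os
from typing import Iterable, NamedTuple, Optional, Tuple


class Wire(NamedTuple):
    """Phase-1 values an eavesdropper sees: everything that goes into HASH_I/HASH_R except the PSK."""
    cky_i: bytes
    cky_r: bytes
    sai_b: bytes
    gxi: bytes
    gxr: bytes
    ni: bytes
    nr: bytes
    idii_b: bytes
    idir_b: bytes


def id_ipv4(addr: str) -> bytes:
    """ID payload body: type ID_IPV4_ADDR (1), protocol 0, port 0, address."""
    return b"\x01\x00\x00\x00" + bytes(int(o) for o in addr.split("."))


def id_user_fqdn(name: str) -> bytes:
    """ID payload body: type ID_USER_FQDN (3), protocol 0, port 0, name."""
    return b"\x03\x00\x00\x00" + name.encode()


def fresh_wire(idii_b: bytes, idir_b: bytes) -> Wire:
    # Constructed exchange; gxi/gxr stand in for DH public values, sai_b for the SA proposal.
    return Wire(cky_i=os.urandom(8), cky_r=os.urandom(8), sai_b=b"constructed-SA-proposal",
                gxi=os.urandom(128), gxr=os.urandom(128), ni=os.urandom(20), nr=os.urandom(20),
                idii_b=idii_b, idir_b=idir_b)


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated prf; HMAC-SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, w: Wire) -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK is only ever a prf key, never a payload.
    return prf(psk, w.ni + w.nr)


def hash_i(psk: bytes, w: Wire) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid_psk(psk, w), w.gxi + w.gxr + w.cky_i + w.cky_r + w.sai_b + w.idii_b)


def hash_r(psk: bytes, w: Wire) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid_psk(psk, w), w.gxr + w.gxi + w.cky_r + w.cky_i + w.sai_b + w.idir_b)


def main_mode_auth(psk_initiator: bytes, psk_responder: bytes) -> Tuple[bool, bool]:
    """Messages 5 and 6 of Main Mode: each side sends its hash, the peer recomputes it
    with its own copy of the secret. Returns (responder accepts, initiator accepts)."""
    w = fresh_wire(id_ipv4("122.2.3.18"), id_ipv4("77.2.3.1"))
    sent_hash_i = hash_i(psk_initiator, w)
    sent_hash_r = hash_r(psk_responder, w)
    responder_accepts = hmac.compare_digest(sent_hash_i, hash_i(psk_responder, w))
    initiator_accepts = hmac.compare_digest(sent_hash_r, hash_r(psk_initiator, w))
    return responder_accepts, initiator_accepts


def aggressive_mode_capture(psk: bytes, initiator_id: bytes) -> Tuple[Wire, bytes]:
    """Aggressive Mode message 2 carries HASH_R unencrypted (keys are not yet derived),
    so a passive listener records every hash input except the secret."""
    w = fresh_wire(initiator_id, id_ipv4("77.2.3.1"))
    return w, hash_r(psk, w)


def offline_guess(w: Wire, captured_hash_r: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack on a captured Aggressive Mode exchange: no further network access needed."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, w), captured_hash_r):
            return cand
    return None


if __name__ == "__main__":
    print("same secret:", main_mode_auth(b"19insabinsa", b"19insabinsa"))
    print("different secrets:", main_mode_auth(b"19insabinsa", b"mIi8182"))
    w, h = aggressive_mode_capture(b"mIi8182", id_user_fqdn("[email protected]"))
    print("recovered:", offline_guess(w, h, [b"password", b"mIi8182", b"19insabinsa"]))
```

Only `Wire` values and the two hashes are ever transmitted, which is the sense in which the password "never traverses the network". The Aggressive Mode functions show the limit of that guarantee: since HASH_R is a deterministic function of captured values plus the secret, the secret's strength against offline guessing is all that protects the exchange, and a certificate-based IKE exchange has no such dependency.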
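Slides 27 to 30 describe group membership (carried in attribute certificates and edited in the policy manager) deciding which subnets an authenticated user may reach. The following is an added example, not the product's implementation, showing how such groups expand into an IPSec security policy database with per-identity traffic selectors and default deny, and how withdrawing a membership changes access without touching the user's identity certificate. The group members are those of slide 28; the subnet addresses and the `User A`/`User B`/`User C` identity strings are assumptions.

```python
"""VPN groups expanded into an SPD with per-identity selectors (RFC 2401 style, default discard)."""
import ipaddress
from typing import Dict, List, NamedTuple, Set


class Group(NamedTuple):
    members: Set[str]       # authenticated IKE identities holding this attribute
    subnets: List[str]      # networks the group may reach


class Policy(NamedTuple):
    identity: str
    dst: ipaddress.IPv4Network
    action: str             # "PROTECT" (pass through the tunnel) or "DISCARD"


# Constructed from slide 28; the subnet addresses are assumptions, not from the talk.
GROUPS: Dict[str, Group] = {
    "Engineering": Group({"User A"}, ["10.1.0.0/16"]),
    "Finance": Group({"User B"}, ["10.2.0.0/16"]),
    "Inventory": Group({"User B", "User C"}, ["10.3.0.0/16"]),
}


def build_spd(groups: Dict[str, Group]) -> List[Policy]:
    """Expand every membership into a PROTECT selector; order most specific prefix first,
    the way an SPD resolves overlapping selectors."""
    spd = [Policy(user, ipaddress.ip_network(net), "PROTECT")
           for g in groups.values() for user in sorted(g.members) for net in g.subnets]
    spd.sort(key=lambda p: p.dst.prefixlen, reverse=True)
    return spd


def lookup(spd: List[Policy], identity: str, dst_ip: str) -> str:
    """Decision for one packet from an authenticated identity to dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for p in spd:
        if p.identity == identity and ip in p.dst:
            return p.action
    return "DISCARD"   # no selector matched: RFC 2401 section 4.4.1 requires discard


def revoke(groups: Dict[str, Group], group_name: str, identity: str) -> Dict[str, Group]:
    """Policy-manager change: withdraw one attribute; the identity certificate is untouched."""
    g = groups[group_name]
    return {**groups, group_name: Group(g.members - {identity}, g.subnets)}


def reachable(spd: List[Policy], identity: str, probes: List[str]) -> Dict[str, str]:
    """Decision per probe address, convenient for reviewing a user's effective access."""
    return {ip: lookup(spd, identity, ip) for ip in probes}


if __name__ == "__main__":
    probes = ["10.1.4.7", "10.2.0.5", "10.3.9.9"]
    spd = build_spd(GROUPS)
    for user in ("User A", "User B", "User C"):
        print(user, reachable(spd, user, probes))
    print("User B after leaving Finance:", reachable(build_spd(revoke(GROUPS, "Finance", "User B")), "User B", probes))
```

The point to take from the lookup is the default: an identity that authenticated successfully but holds no matching attribute gets nothing, which is what lets the gateway on slide 23 admit "authorised users" to the accounting server without opening the rest of the LAN.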