IPSec: Internet Protocol Security And You
Bill Nickless, 18 July 2004
Outline
• What is IPSec, and what is it for?
• The IPSec Framework
• How do IKE, AH, and ESP fit together?
• Routing and Technology Issues
• Management and Policy Issues
• How To Learn More
IPSec Scope (RFC 2401)
Good news:
IPSEC is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6.
IPSec Scope (RFC 2401)
Bad news:
The set of IPSec protocols employed in any context, and the ways they are employed, will be determined by the security and system requirements of users, applications, and/or sites/organizations.
IPSec Scope
• IPSec is a technology.
• IPSec is NOT a solution.
• Better: IPSec is a technology framework.
IPSec
• Standards-based IP Security Framework
  – Data Integrity
  – Data Confidentiality
  – Data Origin Authentication
  – Anti-Replay Protection
• Supported in modern router software
  – Cisco IOS 12.1(19) or later
  – Juniper JUNOS 5.3 or later (with Encryption Services PIC)
IPSec
Router performs additional operations:
1. Receive the packet and verify/decrypt it
2. Inspect the headers of the packet
3. Based on that inspection, put the packet into an outbound queue
4. Sign/encrypt the packet and transmit it when it reaches the front of the outbound queue
(Figure: the router's forwarding path with steps 1 to 4 marked, and the IP packet header fields the inspection reads: Version (4 or 6), Protocol (TCP, etc.), Source IP Address, Destination IP Address, Source Port, Destination Port, Flags, Time To Live, Data (possibly with sequence number), Checksum.)
Ciphers, Signing and Keys (Oh My!)
• IPSec is a framework that supports many cryptographic technologies.
• What fits into the IPSec framework?
  – Diffie-Hellman Key Exchange
  – Ciphers
  – Hashes
  – Shared Secrets
  – Certificates
  – Perfect Forward Secrecy
Diffie-Hellman Key Exchange
• Agree on a secret shared key, without a secure channel.
Suppose Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key agreement protocol. They proceed as follows: First, Alice generates a random private value a and Bob generates a random private value b. Both a and b are drawn from the set of integers. Then they derive their public values using parameters p and g and their private values. Alice's public value is g^a mod p and Bob's public value is g^b mod p. They then exchange their public values. Finally, Alice computes g^ab = (g^b)^a mod p, and Bob computes g^ba = (g^a)^b mod p. Since g^ab = g^ba = k, Alice and Bob now have a shared secret key k.
http://www.rsasecurity.com/rsalabs/node.asp?id=2248
Ciphers
• Obscure data, so that it can only be read by someone with the right “key”
• DES, AES, RC5, Blowfish, Skipjack, etc. for the packet traffic (single DES, with its 56-bit key, is no longer considered adequate; 3DES or AES is the usual choice)
• RSA is a public-key algorithm: in IPSec it is used by IKE to authenticate the peers, not to encrypt packets
Hashes
• Take a bunch of data, make a digest of it, so that changes can be detected
• In AH and ESP the digest is keyed (HMAC-MD5-96, RFC 2403; HMAC-SHA-1-96, RFC 2404): an unkeyed hash would simply be recomputed by whoever modified the packet
• MD5, SHA-1, RIPEMD-160
Shared Secrets
• Prove identity by demonstrating knowledge of the same data
• Not necessary to actually transmit the shared secret.
Perfect Forward Secrecy
RFC 2409: Perfect Forward Secrecy (PFS) refers to the notion that compromise of a single key will permit access to only data protected by a single key.
For PFS to exist the key used to protect transmission of data MUST NOT be used to derive any additional keys, and if the key used to protect transmission of data was derived from some other keying material, that material MUST NOT be used to derive any more keys.
Certificates
• Establish trust based on mutual trust of a third party
• X.509
IPSec Security Associations
• IPSec Security Associations (SA)
  – between two routers (or hosts)
  – Unicast only
  – Unidirectional: two-way traffic needs a pair of SAs
  – Identified by the Security Parameter Index (SPI) carried in the AH or ESP header, together with the destination address and the protocol (AH or ESP)
• Selection Criteria, held in the Security Policy Database: Drop, Apply IPSec, Pass without IPSec
IPSec
Router IPSec flow:
1. Receive the packet.
2. Inspect the headers of the packet. Is there a matching Security Association (SA)? (Inbound, the match is on the SPI in the AH/ESP header plus the destination address and protocol.)
3. If so, verify/decrypt.
4. Inspect the headers again (the inner headers, if the packet was tunneled). Check the policy, make the routing decision, and look for a matching SA on the outbound side.
5. If so, sign/encrypt.
6. Transmit the packet.
(Figure: the IP packet header fields read at each inspection, Version (4 or 6), Protocol (TCP, etc.), Source and Destination IP Address, Source and Destination Port, Flags, Time To Live, Data (possibly with sequence number) and Checksum, with steps 1 to 6 marked along the router's path.)
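The six-step flow above as a small policy engine, added here as an illustration; it is not code from the slides or from any vendor's implementation. The Security Policy Database (SPD) is an ordered list of selectors carrying the three actions from the previous slide, and the Security Association Database (SAD) is keyed by (SPI, destination address, protocol) as RFC 2401 specifies. The part most often skipped in a summary is the second inspection for inbound traffic: after verify/decrypt, the inner packet is checked against the SPD again, so a peer cannot use a valid SA to inject traffic the policy never authorized, and a cleartext packet that matches a PROTECT entry is dropped rather than forwarded. The addresses, SPIs and the "site-b" tunnel name are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ESP, UDP = 50, 17              # IP protocol numbers
IKE_PORT = 500


class Action(Enum):
    DISCARD = "drop"
    BYPASS = "pass without IPsec"
    PROTECT = "apply IPsec"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    spi: Optional[int] = None                 # present only on ESP packets
    inner: Optional["Packet"] = None          # tunnel mode: the encapsulated packet


@dataclass(frozen=True)
class Selector:
    src: str                                  # CIDR; a None field matches anything
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class PolicyEntry:
    selector: Selector
    action: Action
    tunnel: Optional[str] = None              # which SA pair protects this traffic


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    tunnel: str
    direction: str                            # "in" or "out": an SA is one-way
    local: str                                # this router's tunnel address
    peer: str


class IPsecRouter:
    def __init__(self, spd: List[PolicyEntry], sad: List[SecurityAssociation]):
        self.spd = spd                                                       # ordered; first match wins
        self.inbound_sad = {(sa.spi, sa.local, ESP): sa                      # keyed by (SPI, dst, protocol)
                            for sa in sad if sa.direction == "in"}
        self.outbound_sad = {sa.tunnel: sa for sa in sad if sa.direction == "out"}

    def policy(self, pkt: Packet) -> PolicyEntry:
        for entry in self.spd:
            if entry.selector.matches(pkt):
                return entry
        return PolicyEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), Action.DISCARD)  # default deny

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        if pkt.proto == ESP:                                                 # step 2: SA lookup
            sa = self.inbound_sad.get((pkt.spi, pkt.dst, ESP))
            if sa is None or pkt.src != sa.peer:
                return "drop: no SA for this SPI/destination", None
            inner = pkt.inner                                                # step 3 would verify the ICV and decrypt
            entry = self.policy(inner)                                       # step 4: re-check the inner packet
            if entry.action is not Action.PROTECT or entry.tunnel != sa.tunnel:
                return "drop: decapsulated packet not permitted on this SA", None
            return "deliver", inner
        entry = self.policy(pkt)
        if entry.action is Action.BYPASS:
            return "deliver", pkt
        if entry.action is Action.PROTECT:
            return "drop: policy requires IPsec but packet arrived in the clear", None
        return "drop: policy discard", None

    def outbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        entry = self.policy(pkt)
        if entry.action is Action.DISCARD:
            return "drop: policy discard", None
        if entry.action is Action.BYPASS:
            return "send", pkt
        sa = self.outbound_sad[entry.tunnel]                                 # step 5: sign/encrypt under this SA
        return "send", Packet(sa.local, sa.peer, ESP, spi=sa.spi, inner=pkt)


# Constructed topology: site A (10.1.0.0/16 behind 192.0.2.1) tunnels to site B (10.2.0.0/16 behind 198.51.100.1).
SITE_A, SITE_B = "192.0.2.1", "198.51.100.1"
SPD = [
    PolicyEntry(Selector("0.0.0.0/0", SITE_A + "/32", UDP, IKE_PORT), Action.BYPASS),  # IKE itself must pass
    PolicyEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), Action.PROTECT, "site-b"),
    PolicyEntry(Selector("10.2.0.0/16", "10.1.0.0/16"), Action.PROTECT, "site-b"),
]
SAD = [
    SecurityAssociation(0x1001, "site-b", "out", SITE_A, SITE_B),
    SecurityAssociation(0x2002, "site-b", "in", SITE_A, SITE_B),
]
ROUTER = IPsecRouter(SPD, SAD)

if __name__ == "__main__":
    print(ROUTER.outbound(Packet("10.1.5.5", "10.2.7.7", 6, dport=80)))
    print(ROUTER.inbound(Packet("10.2.7.7", "10.1.5.5", 6, dport=33000)))   # cleartext where policy says PROTECT
```

Everything not explicitly bypassed or protected falls to the default DISCARD entry; a router that defaulted to BYPASS would quietly forward anything the policy author forgot to list.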
The Internet Key Exchange (IKE)
RFC 2409: The purpose is to negotiate, and provide authenticated keying material for, security associations in a protected manner.
Processes which implement this memo can be used for negotiating virtual private networks (VPNs) and also for providing a remote user from a remote site (whose IP address need not be known beforehand) access to a secure host or network.
IKE Phase 1
Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA).
RFC 2409 defines two Phase 1 exchanges: Main Mode (six messages, with the peers' identities sent only under the freshly negotiated encryption) and Aggressive Mode (three messages, identities in the clear).
IKE Phase 2
Phase 2 is where Security Associations are negotiated on behalf of services such as IPsec or any other service which needs key material and/or parameter negotiation.
In IKE this exchange is Quick Mode, run under the protection of the Phase 1 SA; because IPsec SAs are unidirectional, each Quick Mode produces SAs in pairs, one per direction.
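Phase 1 and Phase 2 in code, with the Perfect Forward Secrecy property from the earlier slide made concrete. This is an added example modelled on the key-derivation formulas in RFC 2409 sections 5 and 5.5, not code from the slides. A toy 64-bit group keeps the arithmetic readable (real IKE uses the RFC 2409 MODP groups, and the derivation structure does not depend on the group); the pre-shared key, nonces, cookies and SPIs are constructed. The scenario is an attacker who recorded a Quick Mode exchange and later obtains SKEYID_d: without PFS the recording is enough to rebuild KEYMAT, with PFS the fresh g(qm)^xy was never on the wire.

```python
import hashlib
import hmac
import secrets

# Toy DH group (p = 2^64 - 59, a prime) so the modular arithmetic stays readable.
# Real IKE uses the RFC 2409 MODP groups; the derivations below are the same for any group.
P, G = 2**64 - 59, 2

PROTO_IPSEC_ESP = 3            # IPsec DOI protocol identifier for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409's prf is the negotiated keyed hash; HMAC-SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = 1 + secrets.randbelow(P - 2)
    return x, pow(G, x, P)


def dh_secret(peer_public: int, x: int) -> bytes:
    return pow(peer_public, x, P).to_bytes(8, "big")


def phase1_psk(psk: bytes) -> bytes:
    """Phase 1 with pre-shared-key authentication (RFC 2409 section 5):
       SKEYID   = prf(psk, Ni_b | Nr_b)
       SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_d is the material every later Phase 2 SA is derived from."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)          # nonces, sent in the clear
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)      # ISAKMP cookies, sent in the clear
    gxy = dh_secret(gxr, xi)
    assert gxy == dh_secret(gxi, xr)                                   # both peers hold the same g^xy
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def quick_mode(skeyid_d: bytes, protocol: int, spi: bytes, pfs: bool):
    """Phase 2, Quick Mode (RFC 2409 section 5.5). Returns the SA's KEYMAT and what an eavesdropper sees.
       without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
       with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b), g(qm)^xy from a fresh DH"""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"protocol": protocol, "spi": spi, "ni": ni, "nr": nr}
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        wire.update({"gxi": gxi, "gxr": gxr})                          # public values cross the wire, exponents never do
        keymat = prf(skeyid_d, dh_secret(gxr, xi) + bytes([protocol]) + spi + ni + nr)
    else:
        keymat = prf(skeyid_d, bytes([protocol]) + spi + ni + nr)
    return keymat, wire


def attacker_recovers_keymat(skeyid_d: bytes, wire: dict):
    """An adversary who recorded the Quick Mode exchange and later obtains SKEYID_d.
    Without PFS the recording plus SKEYID_d is enough. With PFS the missing g(qm)^xy
    would take a discrete logarithm (trivial for this toy group, infeasible for a real one)."""
    if "gxi" in wire:
        return None
    return prf(skeyid_d, bytes([wire["protocol"]]) + wire["spi"] + wire["ni"] + wire["nr"])


def demo() -> dict:
    skeyid_d = phase1_psk(b"example pre-shared key")                  # constructed PSK
    km_plain, wire_plain = quick_mode(skeyid_d, PROTO_IPSEC_ESP, b"\x00\x00\x10\x01", pfs=False)
    km_pfs, wire_pfs = quick_mode(skeyid_d, PROTO_IPSEC_ESP, b"\x00\x00\x10\x02", pfs=True)
    return {
        "keymat_without_pfs_recovered": attacker_recovers_keymat(skeyid_d, wire_plain) == km_plain,
        "keymat_with_pfs_recovered": attacker_recovers_keymat(skeyid_d, wire_pfs) == km_pfs,
    }


if __name__ == "__main__":
    print(demo())
```

This is the RFC 2409 PFS definition in operation: with PFS the Phase 1 material is used only to authenticate and protect the Quick Mode negotiation, while the data keys come from an exponent that is discarded once KEYMAT is computed.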
IKE New Group
"New Group Mode" is not really a phase 1 or phase 2. It follows phase 1, but serves to establish a new group which can be used in future negotiations.
IKE In Operation
Authentication Header (AH)
• Uses a keyed hash (HMAC) such as MD5 or SHA
  – Protects against modification
  – Protects against replay
• The integrity check also covers the fields of the IP header that do not change in transit, source and destination address included, which is why AH does not survive NAT
• RFC 2402
(Figure: an IP packet, Version (4 or 6), Protocol (TCP, etc.), Source and Destination IP Address, Source and Destination Port, Flags, Time To Live, Data (possibly with sequence number), Checksum, with the Authentication Header inserted between the IP header and the transport data.)
ESP: Encapsulating Security Payload
Transport Mode
• Before applying ESP

              ----------------------------
    IPv4  |orig IP hdr  |     |      |
          |(any options)| TCP | Data |
          ----------------------------

• After applying ESP

          -------------------------------------------------
    IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
          |(any options)| Hdr | TCP | Data | Trailer |Auth|
          -------------------------------------------------
                               |<----- encrypted ---->|
                         |<-------- authenticated -------->|

• RFC 2406
Recursive Encapsulation: Tunneling
Why?
– Create a virtual connection between two parts of a private Internet that…
  …uses nonroutable addresses?
  …uses advanced services like IPv6 or multicast?
– Encrypt the encapsulated packet
Recursive Encapsulation: Tunneling
• Encapsulate an IP packet inside the data portion of another IP packet
(Figure: two IP packet headers drawn one inside the other. The outer packet's Data field carries a complete inner packet with its own Version (4 or 6), Protocol (TCP, etc.), Source and Destination IP Address, Source and Destination Port, Flags, Time To Live, Data (possibly with sequence number) and Checksum.)
ESP: Encapsulating Security Payload
Tunnel Mode
• Before applying ESP

          ----------------------------
    IPv4  |orig IP hdr  |     |      |
          |(any options)| TCP | Data |
          ----------------------------

• After applying ESP

          ----------------------------------------------------------------
    IPv4  | new IP hdr  | ESP | orig IP hdr  |     |      |   ESP   | ESP|
          |(any options)| Hdr | (any options)| TCP | Data | Trailer |Auth|
          ----------------------------------------------------------------
                               |<------------ encrypted ------------>|
                         |<--------------- authenticated ---------------->|

• RFC 2406
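An ESP sender and receiver in code, added here to make the two diagrams concrete; it is not code from the slides or from any vendor's IPSec stack. ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 authentication (RFC 2404) is used so that the header, padding, trailer and ICV are all visible in the output; transport versus tunnel mode differs only in what the payload is and what Next Header says (6 for a TCP segment, 4 for an inner IPv4 datagram). The receiver implements the RFC 2401 Appendix C anti-replay window, and demo() exercises the cases a practitioner wants covered: a replayed packet, a tampered packet (which must not advance the window), a packet arriving out of order but still inside the window, and the per-packet overhead behind the MTU remark later in the talk. The key and the segments are constructed. AH (RFC 2402) uses the same ICV and window mechanics, but its ICV also covers the IP header.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12           # HMAC-SHA1-96: 20-byte SHA-1 HMAC truncated to 96 bits (RFC 2404)
NEXT_HDR_TCP = 6       # transport mode: the protected payload is a TCP segment
NEXT_HDR_IPV4 = 4      # tunnel mode: the protected payload is a whole IPv4 datagram
WINDOW = 64            # anti-replay window size (RFC 2401 Appendix C)


class OutboundSA:
    """ESP sender with NULL encryption (RFC 2410) and HMAC-SHA1-96, so the packet layout is visible."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key, self.seq = spi, auth_key, 0

    def encapsulate(self, payload: bytes, next_header: int) -> bytes:
        self.seq += 1
        if self.seq > 0xFFFFFFFF:
            raise OverflowError("sequence number would cycle: rekey the SA (RFC 2406 section 3.3.3)")
        pad_len = (-(len(payload) + 2)) % 4          # Pad Length + Next Header must end on a 4-byte boundary
        padding = bytes(range(1, pad_len + 1))       # RFC 2406 default padding pattern 1, 2, 3, ...
        body = struct.pack("!II", self.spi, self.seq) + payload + padding + bytes([pad_len, next_header])
        icv = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # covers SPI..Next Header only
        return body + icv


class InboundSA:
    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key = spi, auth_key
        self.last_seq = 0     # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0       # bit i set <=> sequence number last_seq - i already accepted

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0 or self.last_seq - seq >= WINDOW:   # zero is never valid; too far left of the window
            return False
        return seq > self.last_seq or not (self.bitmap >> (self.last_seq - seq)) & 1

    def _mark_received(self, seq: int) -> None:
        if seq > self.last_seq:                          # slide the window right
            self.bitmap = ((self.bitmap << (seq - self.last_seq)) | 1) & ((1 << WINDOW) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def decapsulate(self, packet: bytes):
        """Returns (payload, next_header). Order matters: replay check, ICV check, then update the window."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_ok(seq):
            raise ValueError("replayed or stale sequence number")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: packet modified or wrong key")
        self._mark_received(seq)                         # a forged packet must never be able to poison the window
        pad_len, next_header = body[-2], body[-1]
        return body[8:len(body) - 2 - pad_len], next_header


def _rejected(sa: InboundSA, packet: bytes) -> bool:
    try:
        sa.decapsulate(packet)
        return False
    except ValueError:
        return True


def demo() -> dict:
    key = bytes(range(20))                                # constructed 160-bit authentication key, shared by both ends
    out, inn = OutboundSA(0x1001, key), InboundSA(0x1001, key)
    segment = b"\x00\x50\x04\xd2" + b"GET / HTTP/1.0\r\n"    # constructed 20-byte stand-in for a TCP segment
    p1, p2, p3 = (out.encapsulate(segment, NEXT_HDR_TCP) for _ in range(3))   # sequence numbers 1, 2, 3
    r = {"overhead_bytes": len(p1) - len(segment)}        # 8 header + 2 pad + 2 trailer + 12 ICV
    r["roundtrip"] = inn.decapsulate(p1) == (segment, NEXT_HDR_TCP)
    r["replay_rejected"] = _rejected(inn, p1)            # same packet delivered twice
    tampered = bytearray(p2)
    tampered[12] ^= 0x01                                  # flip one payload bit; ICV must fail
    r["tamper_rejected"] = _rejected(inn, bytes(tampered))
    r["reorder_ok"] = (inn.decapsulate(p3)[0] == segment  # 3 arrives before 2 ...
                       and inn.decapsulate(p2)[0] == segment)   # ... and the genuine 2 is still accepted
    inner_datagram = b"\x45" + bytes(39)                  # constructed 40-byte inner IPv4 datagram (tunnel mode)
    r["tunnel_next_header"] = inn.decapsulate(out.encapsulate(inner_datagram, NEXT_HDR_IPV4))[1]
    return r


if __name__ == "__main__":
    print(demo())
```

Two details are worth carrying into a real implementation: the window is updated only after the ICV verifies, otherwise an attacker who can forge headers but not ICVs could slide the window past legitimate traffic; and the 24 bytes of overhead on a 20-byte payload is the fixed cost (8 + 2 + ICV) plus alignment padding, which a real cipher with an IV makes larger still.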
ESP in Operation
ESP and AH
• Additional Header Information
  – Smaller payload
  – MTU ugliness: a full-size packet that grows by the ESP/AH overhead no longer fits the path MTU, so it is fragmented (or dropped if DF is set); lower the tunnel interface MTU or clamp the TCP MSS
• Cryptographic Operations
  – Additional Complexity
  – More CPU load?
ESP Tunnel Mode
• Original headers obscured
  – Bad guys can’t see the headers
    ...neither can your firewall!
    ...neither can your router!
• Creates a Virtual Circuit
  – The encapsulated IP TTL isn’t decremented by the intermediate hops: the whole tunnel looks like a single hop
  – Intermediate hops are obscured
  – Remember debugging ATM VCs? …or MPLS?
Where is your Security Perimeter?
• Firewalls and ACLs protect your network
• IPSec VPN solutions bring external hosts inside your network
• Should you trust those external hosts?
  – Viruses, Worms, Trojans
  – OS Vendor Patch-of-the-week
  – “Art and Music” sharing
• Split tunneling vs. Host-based Firewalls
Policy Enforcement
• Enforcement Requires Visibility
• ESP Tunnel Mode
  – Bad guys can’t see the headers
    ...neither can your firewall!
    ...neither can your router!
• Encryption Obscures Activity
  – Is this traffic work-related or “Art and Music”?
IPSec: A Two-Edged Sword
• Powerful set of options
  – Data Confidentiality
  – Data Integrity
  – Data Origin Authentication
• Bad Guys can use IPSec too
  – Back doors
  – Hiding “bad” activity
IPSec Legal/Societal Issues
• Cryptography: Controlled as a Munition
• Lawful Intercept
• U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
(Not a comprehensive list)
Example Solution: Cisco Easy VPN
Cisco and Linux Interoperate
http://www.sans.org/rr/papers/20/753.pdf
Juniper IPSec Configuration
http://www.juniper.net/techpubs/software/junos/junos63/swconfig63-services/html/ipsec-config.html
IETF IPSec Working Group
http://www.ietf.org/html.charters/ipsec-charter.html
Virtual Private Network Consortium
http://www.vpnc.org/vpn-standards.html
Cisco IPSec Configuration
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfipsec.htm