
The Ultimate CCNA Study Package - ICND 2

Chris Bryant, CCIE #12933 www.thebryantadvantage.com

VPNs And IPSec


Overview
- What's A VPN?
- Tunneling Protocols
- VPN Types
- VPN Terminology
- Data Encryption Schemes
- Key Encryption Schemes
- IPSec Architecture
- Internet Key Exchange (IKE)
- IPSec Process Overview

It will come as no surprise to you that the protection of WAN transmissions is one of the most vital issues facing us today. To that end, an important part of Cisco networking is knowing when and how to configure Virtual Private Networks (VPNs). It's the "private" part of VPNs that we're most concerned with. Configuring VPNs gives us the opportunity to apply security to a connection that is using a shared technology such as Frame Relay - in other words, to treat this connection as though it were on a private network.

What's A VPN?

You can think of a VPN as a tunnel - actually, VPNs are often referred to as tunnels. We can apply security rules and policies to this tunnel without applying them to other WAN communications. In the following exhibit, a VPN has been created between two routers. Security policies can be enforced on the VPN between those two routers without affecting any WAN communications involving other routers.

VPNs offer three vital functions, all of which are important in today's networks. Note that two of these occur at the receiver, and one at the sender. Data origin authentication allows the receiver to guarantee the source of the packet.

Encryption is just that - the sender encrypts the packets before sending them. If an intruder picks them off the wire, they will have no meaning.

Integrity is the receiver's ability to ensure that the data was not affected or altered in any fashion as it traveled across the VPN.

Tunneling Protocols

There are three different protocols we can use to create this tunnel. Originally defined in RFC 1701, Generic Routing Encapsulation (GRE) enables a Cisco router to encapsulate a packet in an IP header. When the packet reaches the remote router, the header is stripped off. GRE's drawback is that there's no encryption scheme, and that's a pretty big drawback. Defined in RFC 2661, the Layer 2 Tunneling Protocol (L2TP) is actually a hybrid of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's own Layer 2 Forwarding (L2F). Again, the major drawback is that L2TP doesn't have an encryption scheme either. This drawback is corrected by IP Security, generally referred to as IPSec. IPSec does offer encryption along with authentication, and that's why you'll see more IPSec in today's networks than L2TP or GRE. That's also why we're going to spend the majority of this section working with IPSec.

A couple of the tunneling protocols we've already mentioned - L2TP and L2F - obviously work at Layer 2 of the OSI model. Tunneling protocols can actually run at different OSI layers:

- Secure Shell (SSH) and Secure/Multipurpose Internet Mail Extensions (S/MIME) both run at the Application layer.
- Secure Socket Layer (SSL) runs at the Transport layer, although some documentation lists it as running at the Presentation layer.
- As mentioned, L2TP and L2F both run at the Data Link layer.

Since both GRE and L2TP offer no encryption, they should be avoided if possible. IPSec is an excellent choice since both encryption and authentication are possible, but (there's always a "but") IPSec can only support unicast IP traffic. If other protocols are in use, or multicast traffic must go across the tunnel, GRE or L2TP may have to be used.

VPN Types

There are two general types of remote access VPNs, and the name of one of them is a little misleading. The obvious one is client-initiated, where a remote user will use a VPN client to create a secure tunnel across an ISP's network to the enterprise network. The oddly-named Network Access Server-initiated VPN starts with the remote user as well. The user will dial in to a Network Access Server, and the NAS is the device that creates a secure tunnel to the enterprise network. Both of these VPN types illustrate the major advantage that such connections have over more traditional point-to-point connections - the remote users can be at any remote point and still connect to their corporate network.

VPN Terminology

Before we get to a more specific discussion of VPNs, there are some more general terms you should know.

Data Confidentiality means that only the devices that should see the data in an unencrypted form will. Generally, this is achieved by one endpoint encrypting the data and sending it across the link in that fashion, with the second endpoint decrypting the data.

Data Integrity means that the recipient of the data can guarantee that the received data is the same as the transmitted data - in short, that the data was not altered during transport.

Data Origin Authentication guarantees that the data originated from a specific endpoint.

Anti-replay protection (sometimes just called "replay protection") protects against replay attacks, a malicious repeat and/or delay of a valid transmission. For example, Router A requests proof of identity from Router C. Router C responds with proof of identity. The problem is, an intruder is listening to the conversation and copies Router C's proof of identity.

After Router A and Router C are done talking, the intruder starts a conversation with Router A, pretending to be Router C. When Router A asks for proof of identity, the intruder submits Router C's proof, and Router A will accept it. The potential intruder is now officially an intruder.

Anti-replay protection can use several different methods of defeating such an attack, including the one-time use of tokens for the proof of identity or by using sequence numbers. When a sequence number is presented a second time as proof of identity, it will be rejected.

Data Encryption Technologies

For data to be encrypted, it follows that something's got to perform this encryption! One such encryption tool is the Data Encryption Standard (DES). DES was developed in 1976, and a few problems have developed with DES since then. The main issue is that the key used by DES to encrypt data is only 56 bits in size. (A key is a random string of binary digits.) Thirty years ago, that was fine, but then again floppy disks used to be the largest storage unit any of us needed! Depending on whose documentation you read, DES keys can be broken in any time frame from 24 hours to ten minutes. That's bad, no matter how long it takes!

Triple DES (TDES) is just what it sounds like - the DES encryption procedure is run three times, with three different 56-bit DES keys. That's a total of 168 bits, but the effective security provided is considered to be only 112 bits. TDES is sometimes referred to as 3DES, and you may see it expressed that way on your exam; however, to avoid confusion with the TDES variations 2TDES and 3TDES, the "3DES" abbreviation is discouraged.

The Advanced Encryption Standard (AES) is being rapidly adopted by governments and organizations around the world. AES can run on any Cisco router that has IPSec DES/3DES capability. The actual function of AES is far beyond the scope of this exam, but it really is quite fascinating. Visit www.wikipedia.org and search on "advanced encryption standard" to learn exactly how it works.

Key Encryption Schemes

Symmetric encryption is an algorithm where the key that is used for encryption is also used for decryption. Symmetric encryption is sometimes called secret key encryption. Variations of symmetric encryption include stream algorithms, where one bit or byte is encrypted/decrypted at a time, and block algorithms, where blocks of data are encrypted/decrypted as a whole. These data blocks are usually 64 bits in size. Both DES and TDES use symmetric encryption. The drawback to symmetric encryption is that the key is used for two purposes, making it that much easier for an intruder to discover the key. Proper key management is vital (and that can be said for asymmetric encryption as well!)

In contrast, asymmetric encryption involves two keys for both the sender and receiver. This public key encryption scheme involves a public and private key for each user. Before starting the actual encryption process, the public key should be certified by a third party called a Certificate Authority (CA). If "Dan" has a public key, the CA will make sure Dan is who he says he is, and the CA will then issue a digital certificate saying just that. The digital certificate is a combination of Dan's public key and the CA's private root key. The CA may be global, such as www.verisign.com, or it may be a CA in your very own organization. The key here (no pun intended) is that you had better trust your CA, because the entire public key encryption process is built around the CA verifying users and their public keys.

Now that the CA has verified Dan and Bob, public key encryption (PKE) can be put into use. In this example, Dan will send an email to Bob using PKE. Dan will actually use Bob's public key to encrypt the message. The email is then sent to Bob, who will use his private key to decrypt the email. RSA is a well-known public key encryption scheme. The letters stand for the originators of this algorithm (Ron Rivest, Adi Shamir, and Len Adleman).

Exchanging Secret Keys Over A Non-Secure Connection

It seems like quite a Catch-22; to create the VPN, we need the endpoints to exchange secret keys, but since the VPN doesn't exist yet, the secret keys must be exchanged over a non-secure connection! An algorithm you encountered earlier in your CCNA studies will come to our rescue. The Diffie-Hellman algorithm allows the exchange of secret keys over a non-secure communications channel. Referred to in some documentation as exponential key agreement, this protocol was also designed in 1976, but it's still in use today in networks around the world.
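To make the Diffie-Hellman idea concrete, here is an added example (written for this page, not code from the study guide or from Cisco) in which an initiator and a responder each keep a private exponent, swap only public values over the open channel, and still arrive at the same secret. TOY_P and TOY_G are constructed toy parameters chosen so the code is small; they are not one of the Diffie-Hellman groups IKE actually uses, and derive_key stands in for IKE's own key derivation.

```python
import hashlib
import secrets

# Added example (not from the study guide): the Diffie-Hellman exchange that IKE
# uses to agree on keying material over a channel an eavesdropper can watch.
# TOY_P / TOY_G are constructed toy parameters, not an IKE Diffie-Hellman group.
TOY_P = 2**127 - 1
TOY_G = 5


def dh_public(p: int, g: int, private: int) -> int:
    """Public value = g^private mod p. This is what goes on the wire."""
    return pow(g, private, p)


def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Shared secret = peer_public^private mod p. Never transmitted."""
    return pow(peer_public, private, p)


def derive_key(shared: int, label: bytes = b"toy-demo") -> bytes:
    """Turn the raw shared secret into fixed-length key material.
    SHA-256 here; real IKE uses its own negotiated PRF."""
    raw = shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(label + raw).digest()


def exchange(p=TOY_P, g=TOY_G, priv_a=None, priv_b=None) -> dict:
    """Run one exchange between initiator A and responder B and report
    what each side ends up with. Private exponents are random unless supplied."""
    priv_a = priv_a if priv_a is not None else secrets.randbelow(p - 2) + 1
    priv_b = priv_b if priv_b is not None else secrets.randbelow(p - 2) + 1
    pub_a = dh_public(p, g, priv_a)   # A -> B, visible to anyone listening
    pub_b = dh_public(p, g, priv_b)   # B -> A, visible to anyone listening
    secret_a = dh_shared(p, pub_b, priv_a)
    secret_b = dh_shared(p, pub_a, priv_b)
    return {
        # The only values an eavesdropper sees: p, g and the two public values.
        "on_the_wire": (p, g, pub_a, pub_b),
        "secret_a": secret_a,
        "secret_b": secret_b,
        "key_a": derive_key(secret_a),
        "key_b": derive_key(secret_b),
    }


if __name__ == "__main__":
    result = exchange()
    print("both sides agree:", result["secret_a"] == result["secret_b"])
```

The point to notice is that `on_the_wire` never contains either private exponent or the shared secret; the secret is computed independently on each side from a public value and its own private exponent, which is exactly how IKE gets keying material across a channel that is not yet protected.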

The IPSec Architecture

IPSec is a combination of the following three protocols:

- Authentication Header (AH), which defines a method for authenticating and securing data
- Encapsulating Security Payload (ESP), which defines a method for authenticating, securing, and encrypting data
- Internet Key Exchange (IKE), which negotiates the security parameters and authentication keys

The IPSec Packet Format (illustration not reproduced here)

Defined in RFC 2402, Authentication Header (AH) offers solid security -- it provides data origin authentication as well as offering optional anti-replay protection. The drawback with AH is that the authentication it provides for the IP Header is not complete. That's because some of the IP fields can't be correctly predicted by the receiver - these are mutable fields which may change during transmission. AH will successfully protect the IP packet's payload, though, which is really what we're interested in. To sum it up, AH does offer:

- data origin authentication
- data integrity
- anti-replay protection (optional)

AH does not offer data confidentiality. The Encapsulating Security Payload (ESP) does just that - as you can see from the IPSec packet illustration, there is an ESP Header and ESP Trailer surrounding, or encapsulating, the data. ESP offers all of the following:

- data origin authentication
- anti-replay protection
- data confidentiality

Comparing AH and ESP, you might be wondering why you'd ever choose AH over ESP. Here are a few things to consider:

- ESP is more processor-intensive than AH. If your data does not require data confidentiality, AH may meet all your requirements.
- ESP requires strong cryptography, which isn't available and/or allowed everywhere. AH has no such requirement.
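The following added example (written for this page; not the study guide's code, not Cisco code, and not a wire-compatible AH implementation) ties together the sequence-number anti-replay protection from the Terminology section and the three AH services just listed. A sender stamps each packet with a sequence number and a keyed integrity check value (ICV); the receiver checks the sequence number against a sliding window, verifies the ICV, and only then records the packet. The packet layout (SPI, sequence number, TTL, 96-bit ICV, payload), the key and the traffic are all constructed for the demo; the TTL field stands in for the mutable IP header fields that AH leaves out of the ICV.

```python
import hashlib
import hmac
import struct

# Added example (not from the study guide): a minimal Authentication-Header-style
# packet with data origin authentication + integrity (keyed ICV) and anti-replay
# (receive-side sequence-number window). Layout and key are constructed.

WINDOW_SIZE = 64                 # how many sequence numbers the receiver remembers
HDR = struct.Struct("!IIB")      # SPI, sequence number, TTL (constructed layout)
ICV_LEN = 12                     # 96-bit truncated HMAC, the usual AH ICV length


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Keyed integrity check value over SPI, sequence number and payload.
    TTL is a mutable field the receiver cannot predict, so, as in AH,
    it is left out of the authenticated data."""
    authenticated = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key: bytes, spi: int, seq: int, ttl: int, payload: bytes) -> bytes:
    """Sender side: header, ICV, then the protected payload."""
    return HDR.pack(spi, seq, ttl) + compute_icv(key, spi, seq, payload) + payload


class AntiReplayWindow:
    """Sliding window over accepted sequence numbers. Bit i of the bitmap
    means 'sequence number (highest - i) has already been accepted'."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def preliminary_check(self, seq: int) -> bool:
        """Would this sequence number be acceptable? Changes no state."""
        if seq == 0:
            return False                  # 0 is never valid; an SA starts at 1
        if seq > self.highest:
            return True                   # new high-water mark
        diff = self.highest - seq
        if diff >= self.size:
            return False                  # older than the window: drop
        return not (self.bitmap >> diff) & 1   # bit set => already seen => replay

    def update(self, seq: int) -> None:
        """Record an accepted sequence number. Call only after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class Receiver:
    """Receive side of one Security Association, identified by its SPI."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.window = AntiReplayWindow()

    def receive(self, packet: bytes) -> tuple:
        spi, seq, ttl = HDR.unpack(packet[:HDR.size])
        icv = packet[HDR.size:HDR.size + ICV_LEN]
        payload = packet[HDR.size + ICV_LEN:]
        if spi != self.spi:
            return ("reject", "unknown SA")
        # Order matters: cheap replay check first, ICV second, window update
        # last, so a forged or replayed packet can never advance the window.
        if not self.window.preliminary_check(seq):
            return ("reject", "replay or outside window")
        if not hmac.compare_digest(icv, compute_icv(self.key, spi, seq, payload)):
            return ("reject", "bad ICV")
        self.window.update(seq)
        return ("accept", payload)
```

Run against constructed traffic, a replayed copy of an accepted packet is rejected by the window, a packet whose TTL was decremented on the path still verifies (the mutable field is outside the ICV), a packet with a changed payload or a wrong key fails the ICV, and a sequence number that falls more than WINDOW_SIZE behind the highest accepted one is dropped as too old. Note that nothing here hides the payload: that is the confidentiality ESP adds and AH does not.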

Both ESP and AH can be run in one of two modes - Tunnel Mode and Transport Mode. In Tunnel mode, the entire IPSec process is transparent to the end hosts; specialized IPSec gateway devices handle the IPSec workload. The entire IP packet is encrypted, and then that encrypted packet is placed into another IP packet. This total encapsulation results in a kind of "virtual tunnel" being created between the two endpoints. The end hosts themselves perform the encapsulation when Transport mode is used, which naturally means that IPSec has to be running on those hosts. No new IP header is attached when Transport mode is in use.

A VPN In Your Web Browser?

When you're about to enter credit card information on a website, you should see the "http" in the address bar turn to "https". That means you're using Secure Socket Layer (SSL), which will encrypt this sensitive information. SSL is now being used to create VPNs as well, allowing you to use your web browser to connect to a VPN! Most VPN software is easy to work with, but frankly, some of it's not. Using SSL VPNs means no additional software has to be purchased or installed. Cisco is hardly the only vendor pushing out SSL VPNs. To look into the many options for SSL VPNs today, just search on "SSL VPN" in your favorite search engine and you'll find quite a few solutions.
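As an added example for the Tunnel versus Transport mode discussion above (written for this page, not code from the study guide or from Cisco), the block below builds the same packet both ways and reports what someone sniffing the WAN link can read. In Transport mode the end hosts' own addresses stay in the clear and only the payload is encrypted; in Tunnel mode the whole original packet, header included, is encrypted and a new outer header with the gateway addresses is added. The packet model (a dict with a cleartext outer header and an ESP blob), the addresses, and `toy_cipher` are constructed for illustration; `toy_cipher` is a hash-based keystream XOR, not a real cipher, and not what ESP uses.

```python
import hashlib
import struct

# Added example (not from the study guide, not Cisco code): what an on-path
# observer sees under ESP Transport mode versus Tunnel mode. Packet model and
# toy_cipher are constructed; toy_cipher is NOT a real cipher.

ESP = 50   # IP protocol number for ESP
TCP = 6


def toy_cipher(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream keyed by (key, SPI, sequence number).
    XOR is its own inverse, so the same call decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!III", spi, seq, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_ip_header(src: str, dst: str, proto: int) -> bytes:
    """Constructed text form of an IP header: 'src>dst/proto'."""
    return f"{src}>{dst}/{proto}".encode()


def decode_ip_header(header: bytes) -> tuple:
    src, rest = header.decode().split(">")
    dst, proto = rest.split("/")
    return src, dst, int(proto)


def esp_transport(key, spi, seq, src, dst, payload) -> dict:
    """Transport mode: the end hosts run IPSec themselves, keep their own IP
    header in the clear and encrypt only the payload. No new IP header."""
    return {"hdr": (src, dst, ESP), "spi": spi, "seq": seq,
            "ct": toy_cipher(key, spi, seq, payload)}


def esp_tunnel(key, spi, seq, gw_src, gw_dst, inner_src, inner_dst, proto, payload) -> dict:
    """Tunnel mode: an IPSec gateway encrypts the whole original packet, header
    included, and wraps it in a new IP header carrying the gateway addresses."""
    inner_packet = encode_ip_header(inner_src, inner_dst, proto) + b"|" + payload
    return {"hdr": (gw_src, gw_dst, ESP), "spi": spi, "seq": seq,
            "ct": toy_cipher(key, spi, seq, inner_packet)}


def observer_view(pkt) -> dict:
    """Everything someone sniffing the WAN link can read: the outer header
    and the size of the opaque ESP payload."""
    src, dst, proto = pkt["hdr"]
    return {"src": src, "dst": dst, "proto": proto, "encrypted_len": len(pkt["ct"])}


def decapsulate(key, pkt, tunnel: bool) -> tuple:
    """Receiving side: recover (src, dst, payload) of the original packet."""
    plain = toy_cipher(key, pkt["spi"], pkt["seq"], pkt["ct"])
    if not tunnel:
        src, dst, _ = pkt["hdr"]
        return src, dst, plain
    inner_hdr, payload = plain.split(b"|", 1)   # header never contains '|'
    src, dst, _ = decode_ip_header(inner_hdr)
    return src, dst, payload
```

With constructed inner hosts 10.1.1.5 and 10.2.2.7 behind gateways 203.0.113.1 and 198.51.100.1, `observer_view` of the Transport mode packet exposes the two hosts, while the Tunnel mode packet shows only the gateways and protocol 50; the receiving side recovers the identical original in both cases.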

The following is *not* required reading for the CCENT and CCNA exams. I've included it for those who want to learn more about VPNs. Enjoy!

The Internet Key Exchange (IKE)

Basic IPSec operation is much like running PPP over ISDN. We're even going to use some of the same terms! Before we take a broad overview of how IPSec works, there's one more term we need to discuss - the Internet Key Exchange, or IKE. Defined in RFC 2409, IKE has a lot to do! IKE must negotiate the parameters of the communication channel, authenticate both endpoints, handle the exchange of public keys, and manage the keys afterwards. Remember how we consider EIGRP to be a "hybrid" because it has characteristics of both distance vector and link state protocols? IKE is a hybrid as well, but for a much different reason - IKE is a combination of three protocols:

- SKEME, which enables public key encryption for authentication
- ISAKMP, which defines how messages will be exchanged
- Oakley, which defines the mechanism for key exchanges

IKE is a two-phase process, and Phase I is where two IPSec-enabled devices come to an agreement on what methods will be used to exchange data over a secure communications channel. This can be done in either Main or Aggressive mode - Aggressive is a little faster, but none of the information exchanged in Aggressive mode is encrypted. Main mode will be illustrated later in this section. This phase will result in a Security Association being created for the ISAKMP process itself - an IKE SA. A Security Association is simply an agreement between two hosts as to the IPSec parameters that will be used for communications between the two. In contrast to most SAs, an IKE SA is bidirectional. Only one IKE SA is required for two IPSec peers to communicate, and that particular SA negotiates the following:

- The hash algorithm to use, whether that be our old friend MD5 or SHA
- The authentication method
- The encryption algorithm
- The Diffie-Hellman group (four of these are predefined in IKE)

In turn, this IKE SA will be used in Phase II. In Phase II, the IPSec peers must agree on the attributes to be used to create the SAs for AH and ESP. The SAs created in Phase II are unidirectional.

An Overview Of IPSec Operation

We've spent quite a bit of time here looking at the individual parts of IPSec, so let's take an overview of a basic IPSec operation. Overall, there are five steps to IPSec:

1. Process Initialization
2. IKE Phase I (IKE SA negotiation)
3. IKE Phase II (IPSec SA negotiation)
4. Data Transfer
5. Tunnel Termination

IPSec doesn't just start working by itself - like ISDN, it requires interesting traffic to be sent by a host. This interesting traffic initializes the IPSec process.

The routers will now enter IKE Phase I. Assuming we're running Main mode, there will be three exchanges of messages overall. The initiator will first transmit proposals for the encryption and authentication schemes to be used.

In the second exchange of IKE Phase I, the devices will exchange Diffie-Hellman public keys; from this point on, the rest of the negotiation is encrypted.

The initiator and recipient authenticate each other in the third exchange of Phase I, using an encrypted form of their IP addresses. The IKE SA is then established and Phase II can begin.

If we had chosen to run IKE in Aggressive Mode, this would have been a three-message process. The initiator packets everything needed for the SA negotiation in the first message; the recipient responds with the acceptable parameters and authentication information; the initiator then sends its authentication information in the third and final message.

IKE Phase II has one mode, Quick mode. This is also a three-message process. The initiator proposes parameters for the IPSec SA, the recipient responds with a list of acceptable parameters, and the initiator then transmits a message that lets the responder know that message 2 was received and processed. This message is called proof of liveness.

With the IPSec SA in place, the hosts can now exchange data.

Once the data exchange is complete, the tunnel can be torn down. This tunnel termination can be configured to occur after a certain number of bytes have passed through the tunnel, or perhaps after the tunnel has been up for a certain number of seconds. But what if traffic is flowing through the tunnel at the same time the tunnel's supposed to be torn down? No fear - a new Security Association can be agreed upon while the existing one is still in place.
Copyright 2011 The Bryant Advantage. All Rights Reserved.
