tippingpoint x505 training - 05-vpn
TRANSCRIPT
7/31/2019 Tippingpoint X505 Training - 05-VPN
TippingPoint X505 Training: VPN General Concepts and Configuration
VPN Objectives
> Upon completion of this module, you should be familiar with the following:
  > General VPN Concepts
    > Types of VPNs
    > Tunneling, Authentication and Encryption
    > GRE over IPSec
    > Security Associations
    > Keys and Keying Modes
    > Internet Key Exchange
    > IPSec
    > Encryption and Data Integrity
  > Site-to-Site VPN
  > Client-to-Site VPN
  > VPN Security Zone
General VPN Concepts
> A Virtual Private Network (VPN) allows secure, encrypted access to your network from either a remote laptop or another site
> Two Types of VPNs
  > Site-to-Site
    > A VPN connection established between two VPN gateways, typically used for office-to-office connectivity
  > Client-to-Site
    > A VPN connection established between a remote user and the VPN gateway
> When a VPN connection is established, we refer to the connection as a VPN Tunnel
> The X505 supports up to 250 Site-to-Site tunnels and 1000 client tunnels
Tunneling, Authentication and Encryption
> The X505 supports the following VPN tunneling protocols:
  > IPSec
  > L2TP (Layer 2 Tunneling Protocol)
  > PPTP (Point-to-Point Tunneling Protocol)
> Authentication Types
  > User Authentication
  > Packet Authentication
> Encryption
  > DES
  > 3DES
  > AES
  > MD5 (hash algorithm, used for packet integrity rather than confidentiality)
  > SHA (hash algorithm, used for packet integrity rather than confidentiality)
GRE over IPSec
> Generic Routing Encapsulation (GRE) is used to supplement IPSec in order to transmit multicast/routing packets across VPN tunnels
Security Associations
> The Security Association (SA) defines the parameters with which the VPN tunnel will be negotiated and established
> A Security Association includes the following features
  > Encryption
  > Authentication of data integrity
  > Sender authentication and non-repudiation (if using certificates)
> Default SA
  > The X505 has a default SA which can be used for multiple client-to-site VPN connections
  > The Default SA is disabled by default
Keys and Keying Modes
> Keys are used to encode data for encryption and authentication
> Key generation can be performed manually or dynamically using Internet Key Exchange (IKE)
> Manual Keying
  > Keys are specified manually by the VPN administrator
  > Because manually specified keys are static and are not rotated per session, manual keying is less secure
> Dynamic Keying (IKE)
  > IKE is used to dynamically generate the keys, the SPI and the SA used for encryption and authentication
  > Two operating modes for IKE
    > IKE + Pre-Shared Key (PSK)
    > IKE + X.509 Certificate
Internet Key Exchange
> IKE is the method by which keys are exchanged between two VPN endpoints in order to establish a secure channel
> An SA is established during the IKE process
> There are two phases to IKE
  > In Phase 1, the secure channel between the two VPN peers is established
  > There are two modes to Phase 1: Main Mode and Aggressive Mode
  > In Phase 2, the IPSec security association is established and keys are generated
> IKE uses one of the following methods to validate the other peer's identity
  > Pre-Shared Key
  > X.509 Certificate
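The slide above describes Phase 1 in one line; the following is an added example (not code from the X505 training deck or from TippingPoint) that walks through a simplified Phase 1 with pre-shared-key authentication. The key-derivation formulas (SKEYID, SKEYID_d/a/e, HASH_I, HASH_R) follow RFC 2409 section 5 with HMAC-SHA1 as the prf; the Diffie-Hellman prime, the peer identities and the PSK are constructed toy values, not a real IKE MODP group. It shows two things the bullets state: each run produces fresh keys (dynamic keying), and a peer holding the wrong PSK cannot produce a valid authentication hash, so the channel is never established.

```python
# Added example, not from the X505 training deck: simplified IKEv1 Phase 1
# with PSK authentication, modelled on RFC 2409 section 5.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman parameters (assumption for illustration only; a real
# deployment negotiates an IKE MODP group, never a prime this small).
TOY_P = 2**127 - 1
TOY_G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` using the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


@dataclass
class Peer:
    """State one IKE endpoint holds during Phase 1 (constructed sample peer)."""
    psk: bytes
    identity: bytes
    cookie: bytes = field(default_factory=lambda: secrets.token_bytes(8))   # CKY
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))   # Ni / Nr
    priv: int = field(default_factory=lambda: secrets.randbelow(TOY_P - 2) + 1)

    @property
    def pub(self) -> int:
        return pow(TOY_G, self.priv, TOY_P)


def derive_keys(psk, ni, nr, shared, cky_i, cky_r):
    """SKEYID for the PSK variant, then the derivation, authentication and
    encryption keys exactly as RFC 2409 section 5 chains them."""
    skeyid = prf(psk, ni + nr)
    gxy = int_to_bytes(shared)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def phase1(initiator: Peer, responder: Peer, sa_payload: bytes):
    """Run the exchange; return (initiator_keys, responder_keys, authenticated)."""
    # Messages 1-4 carry cookies, the SA proposal, DH public values and nonces.
    cky_i, cky_r = initiator.cookie, responder.cookie
    gxi, gxr = int_to_bytes(initiator.pub), int_to_bytes(responder.pub)

    # Each side computes g^xy from its own private value and the peer's public value.
    shared_i = pow(responder.pub, initiator.priv, TOY_P)
    shared_r = pow(initiator.pub, responder.priv, TOY_P)
    keys_i = derive_keys(initiator.psk, initiator.nonce, responder.nonce, shared_i, cky_i, cky_r)
    keys_r = derive_keys(responder.psk, initiator.nonce, responder.nonce, shared_r, cky_i, cky_r)

    # Messages 5-6: HASH_I and HASH_R prove knowledge of SKEYID, hence of the PSK.
    hash_i_sent = prf(keys_i[0], gxi + gxr + cky_i + cky_r + sa_payload + initiator.identity)
    hash_i_expected = prf(keys_r[0], gxi + gxr + cky_i + cky_r + sa_payload + initiator.identity)
    hash_r_sent = prf(keys_r[0], gxr + gxi + cky_r + cky_i + sa_payload + responder.identity)
    hash_r_expected = prf(keys_i[0], gxr + gxi + cky_r + cky_i + sa_payload + responder.identity)

    authenticated = (hmac.compare_digest(hash_i_sent, hash_i_expected)
                     and hmac.compare_digest(hash_r_sent, hash_r_expected))
    return keys_i, keys_r, authenticated


# Constructed stand-in for the SA payload (the proposal bytes that went on the wire).
SAMPLE_SA = b"3des-sha1-group2-psk"


def demo(psk_i=b"constructed-sample-psk", psk_r=b"constructed-sample-psk"):
    """Return (both sides derived identical keys, authentication succeeded)."""
    a = Peer(psk=psk_i, identity=b"gw-a.example")
    b = Peer(psk=psk_r, identity=b"gw-b.example")
    keys_i, keys_r, ok = phase1(a, b, SAMPLE_SA)
    return keys_i == keys_r, ok


if __name__ == "__main__":
    print("matching PSK   :", demo())
    print("mismatched PSK :", demo(psk_r=b"wrong-psk"))
```

Because the nonces and DH exponents are drawn fresh, two consecutive calls to demo() yield different SKEYID values even with the same PSK, which is the property the "Manual Keying" bullet says a static key lacks.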
IPSec Security Mechanisms
> The IP header and payload are protected via the following mechanisms
  > Authentication Header (AH)
    > Provides security by adding authentication information to the packet
    > NOTE: When AH is used, a hash is computed using the source/destination IP addresses of the packet. Thus, using AH with a VPN gateway that is behind a NATing device (i.e. a firewall) will prevent the VPN tunnel from establishing.
  > Encapsulation Security Payload (ESP)
    > Provides data encryption (DES, 3DES, AES)
  > Security Parameter Index (SPI)
    > Identifies the cryptographic keys and algorithms to be used to establish a VPN tunnel
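The NOTE on AH and NAT is the detail that most often bites in practice, so here is an added example (not code from the X505 training deck or from TippingPoint) that reproduces it byte for byte. It builds an AH packet and an ESP packet, rewrites the source address the way a NAT device does, and re-verifies the integrity check on each. Header layouts follow RFC 791, RFC 4302 (AH, with mutable fields zeroed before hashing) and RFC 4303 (ESP); the key, addresses and payload are constructed sample values, and the ESP "ciphertext" is just opaque bytes since encryption is not what the check depends on.

```python
# Added example, not from the X505 training deck: AH integrity fails after NAT,
# ESP integrity does not, because only AH's ICV covers the IP addresses.
import hashlib
import hmac
import socket
import struct

AH, ESP, TCP = 51, 50, 6
ICV_LEN = 12  # HMAC-SHA1-96 truncation used by both AH and ESP here


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    while csum >> 16:
        csum = (csum >> 16) + (csum & 0xFFFF)
    csum = (~csum) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def ah_icv_input(ip_hdr: bytes, ah_zeroed_icv: bytes, payload: bytes) -> bytes:
    """RFC 4302: hash the IP header with mutable fields zeroed (flags/fragment
    offset, TTL, checksum). Source and destination are immutable, so they are
    included, which is exactly why a NAT rewrite breaks the check."""
    h = bytearray(ip_hdr)
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_zeroed_icv + payload


def build_ah_packet(src, dst, payload, key, spi=0x1001, seq=1):
    """IP | AH(next=TCP, len=4 words, spi, seq, ICV) | payload (in the clear)."""
    ah_no_icv = struct.pack("!BBHII", TCP, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH, 20 + len(ah_no_icv) + ICV_LEN + len(payload))
    icv = hmac.new(key, ah_icv_input(ip_hdr, ah_no_icv + b"\x00" * ICV_LEN, payload),
                   hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_no_icv + icv + payload


def verify_ah_packet(pkt: bytes, key: bytes) -> bool:
    ip_hdr, ah_no_icv, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac.new(key, ah_icv_input(ip_hdr, ah_no_icv + b"\x00" * ICV_LEN, payload),
                        hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def build_esp_packet(src, dst, ciphertext, key, spi=0x2002, seq=1):
    """IP | ESP(spi, seq) | ciphertext | ICV. The ICV covers only the ESP
    header and encrypted body, never the outer IP header (RFC 4303)."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, esp_hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, ESP, 20 + len(esp_hdr) + len(ciphertext) + ICV_LEN) + esp_hdr + ciphertext + icv


def verify_esp_packet(pkt: bytes, key: bytes) -> bool:
    esp_hdr, body, icv = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, esp_hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a NAT device does on the way out: replace the source address and
    recompute the header checksum; the payload is untouched."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    total_len, ttl, proto, dst = f[2], f[5], f[6], f[9]
    return ipv4_header(new_src, socket.inet_ntoa(dst), proto, total_len, ttl) + pkt[20:]


# Constructed sample values: gateway on a private address, NAT in front of it.
KEY = b"constructed-sample-auth-key"
PRIVATE_GW, PUBLIC_NAT, REMOTE_GW = "10.0.0.2", "198.51.100.7", "203.0.113.9"
SAMPLE_BODY = b"\x04\xd2\x00\x50" + b"constructed sample body"


def ah_verifies_untouched() -> bool:
    return verify_ah_packet(build_ah_packet(PRIVATE_GW, REMOTE_GW, SAMPLE_BODY, KEY), KEY)


def ah_survives_nat() -> bool:
    pkt = build_ah_packet(PRIVATE_GW, REMOTE_GW, SAMPLE_BODY, KEY)
    return verify_ah_packet(nat_rewrite_source(pkt, PUBLIC_NAT), KEY)


def esp_survives_nat() -> bool:
    pkt = build_esp_packet(PRIVATE_GW, REMOTE_GW, SAMPLE_BODY, KEY)
    return verify_esp_packet(nat_rewrite_source(pkt, PUBLIC_NAT), KEY)


if __name__ == "__main__":
    print("AH verifies before NAT:", ah_verifies_untouched())
    print("AH verifies after NAT: ", ah_survives_nat())
    print("ESP verifies after NAT:", esp_survives_nat())
```

ESP's integrity check surviving the address rewrite is only half of what a NATed ESP tunnel needs: because ESP has no port numbers, the NAT device also has to be able to track the flow, which is what NAT Traversal (UDP encapsulation of ESP) exists for. That is a separate feature from the AH limitation the slide describes.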
Encryption and Data Integrity
> Data is encrypted using one of the following data encryption methods
  > DES or Data Encryption Standard
    > Uses a 56-bit key to encrypt data
  > 3DES or Triple DES
    > A variation of DES that uses a 168-bit key
  > AES or Advanced Encryption Standard
    > A new generation encryption method
    > Can be operated in 128-bit, 192-bit or 256-bit key modes
> Data integrity is ensured by one of the following hash algorithms
  > MD5 or Message Digest 5
    > The resulting hash is a 128-bit value which is used to verify the content, source and integrity of data
  > SHA or Secure Hash Algorithm
    > This algorithm produces a 160-bit hash and is more secure than MD5
IKE Proposals
Site-to-Site VPN
> Used to connect two remote sites
> IPSec is used to provide encryption for site-to-site VPN tunnels
> Tunnel Mode vs Transport Mode
  > In Tunnel Mode, the entire packet is encapsulated within another packet, making the source/destination IP as well as the payload completely invisible to the medium
  > In Transport Mode, only the payload of the packet is encrypted. Thus, the source/destination IP addresses are usually publicly routable addresses
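To make the tunnel-versus-transport distinction concrete, here is an added example (not code from the X505 training deck or from TippingPoint) that builds the same TCP segment into an ESP packet both ways and then reports what a passive observer on the path can read from each, and what the receiving gateway recovers after decryption. The packet layouts follow RFC 4303 (ESP with a pad-length/next-header trailer, next header 4 for IP-in-IP in tunnel mode); the cipher is an HMAC-SHA256 keystream used only to make the protected bytes opaque and stands in for the DES/3DES/AES the X505 would use; all addresses and the key are constructed sample values.

```python
# Added example, not from the X505 training deck: ESP tunnel mode vs transport
# mode, seen from the wire and from the receiving gateway.
import hashlib
import hmac
import socket
import struct

ESP, TCP, IPIP = 50, 6, 4


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header (checksum left zero; not needed for this illustration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the ESP cipher: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call encrypts and decrypts. Not a real IPSec transform."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def esp_wrap(key: bytes, spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """ESP body: SPI | seq | encrypt(plaintext | pad-length | next-header)."""
    trailer = bytes([0, next_header])
    return struct.pack("!II", spi, seq) + keystream_xor(key, plaintext + trailer)


def tunnel_mode(key, host_a, host_b, gw_a, gw_b, segment):
    """Whole inner IP packet is encrypted; the outer header names only the gateways."""
    inner = ipv4_header(host_a, host_b, TCP, 20 + len(segment)) + segment
    body = esp_wrap(key, 0x1001, 1, inner, next_header=IPIP)
    return ipv4_header(gw_a, gw_b, ESP, 20 + len(body)) + body


def transport_mode(key, host_a, host_b, segment):
    """Only the transport payload is encrypted; the original IP header stays in clear."""
    body = esp_wrap(key, 0x1002, 1, segment, next_header=TCP)
    return ipv4_header(host_a, host_b, ESP, 20 + len(body)) + body


def observer_view(pkt: bytes) -> dict:
    """What a passive observer reads without the key: outer addresses, protocol,
    SPI and the size of the opaque blob."""
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "spi": struct.unpack("!I", pkt[20:24])[0],
            "opaque_bytes": len(pkt) - 28}


def receiver_view(key: bytes, pkt: bytes):
    """Receiving gateway: decrypt, then report the real endpoints and payload."""
    plain = keystream_xor(key, pkt[28:])
    pad_len, next_header = plain[-2], plain[-1]
    plain = plain[:len(plain) - 2 - pad_len]
    if next_header == IPIP:  # tunnel mode: the inner packet carries the endpoints
        return socket.inet_ntoa(plain[12:16]), socket.inet_ntoa(plain[16:20]), plain[20:]
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), plain


# Constructed sample values.
KEY = b"constructed-sample-esp-key"
HOST_A, HOST_B = "192.168.1.10", "192.168.2.20"   # private LAN hosts behind each gateway
GW_A, GW_B = "198.51.100.1", "203.0.113.1"        # public gateway addresses
SEGMENT = b"\x04\xd2\x00\x50" + b"constructed TCP segment"


def compare_modes():
    """Observer view of the same segment sent in tunnel mode and in transport mode."""
    t = tunnel_mode(KEY, HOST_A, HOST_B, GW_A, GW_B, SEGMENT)
    x = transport_mode(KEY, HOST_A, HOST_B, SEGMENT)
    return observer_view(t), observer_view(x)


if __name__ == "__main__":
    tv, xv = compare_modes()
    print("tunnel mode, observer sees:   ", tv)
    print("transport mode, observer sees:", xv)
```

In tunnel mode the observer sees only gateway-to-gateway traffic with the private 192.168.x.x hosts hidden inside the opaque blob, which is why site-to-site tunnels between private LANs use it; transport mode exposes the real endpoint addresses, so they have to be routable end to end, as the slide states.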
Configuring a Site-to-Site Tunnel
> Enable IPSec
> Create a new IKE Proposal (or use the default)
> Create a Security Association
  > Identify the remote network (specify manually or create an IP Address Group)
  > Decide on a keying method
  > Decide on Tunnel or Transport mode
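The steps above have to be mirrored on both gateways, and most failed site-to-site tunnels come down to one side disagreeing with the other on a proposal, a key, a mode or a network. The following is an added example (not code from the X505 training deck or from TippingPoint) that models both ends' settings and checks them against each other before the tunnel is brought up; it also applies the responder's rule for choosing an IKE proposal (the first of the initiator's proposals the responder also offers) and the AH-behind-NAT restriction from the IPSec slide. The field names, the proposal attributes and both sample configurations are this example's own constructs, not the X505 configuration schema.

```python
# Added example, not from the X505 training deck: pre-flight consistency check
# for the two ends of a site-to-site SA.
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List


@dataclass(frozen=True)
class IkeProposal:
    encryption: str   # e.g. "des", "3des", "aes128", "aes256"
    hash: str         # "md5" or "sha1"
    dh_group: int     # Diffie-Hellman group number


@dataclass
class GatewayConfig:
    name: str
    ipsec_enabled: bool
    ike_proposals: List[IkeProposal]   # in order of preference
    keying: str                        # "psk" or "x509"
    mode: str                          # "tunnel" or "transport"
    local_network: str                 # CIDR behind this gateway
    remote_network: str                # CIDR behind the peer (or an address group)
    protocol: str = "esp"              # "esp" or "ah"
    psk: str = ""
    behind_nat: bool = False


def choose_proposal(initiator: List[IkeProposal], responder: List[IkeProposal]):
    """Responder rule: first initiator proposal that the responder also offers."""
    for cand in initiator:
        if cand in responder:
            return cand
    return None


def proposal_diff(a: IkeProposal, b: IkeProposal) -> List[str]:
    """Attributes on which two proposals disagree, for the troubleshooting message."""
    return [f for f in ("encryption", "hash", "dh_group") if getattr(a, f) != getattr(b, f)]


def check_site_to_site(a: GatewayConfig, b: GatewayConfig) -> List[str]:
    """Return every reason the tunnel between a and b would fail to establish."""
    problems = []
    for gw in (a, b):
        if not gw.ipsec_enabled:
            problems.append(f"{gw.name}: IPSec is not enabled")
        if gw.keying == "psk" and not gw.psk:
            problems.append(f"{gw.name}: PSK keying selected but no key configured")
        if gw.protocol == "ah" and gw.behind_nat:
            problems.append(f"{gw.name}: AH behind NAT, the address hash will fail")
    if choose_proposal(a.ike_proposals, b.ike_proposals) is None:
        diff = proposal_diff(a.ike_proposals[0], b.ike_proposals[0])
        problems.append("no common IKE proposal; first choices differ in: " + ", ".join(diff))
    if a.keying != b.keying:
        problems.append(f"keying method differs ({a.keying} vs {b.keying})")
    elif a.keying == "psk" and a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if a.mode != b.mode:
        problems.append(f"mode differs ({a.mode} vs {b.mode})")
    # Each side's remote network must be exactly the other side's local network.
    for near, far in ((a, b), (b, a)):
        if ip_network(near.remote_network) != ip_network(far.local_network):
            problems.append(f"{near.name} remote network {near.remote_network} "
                            f"does not match {far.name} local network {far.local_network}")
    return problems


# Constructed sample configurations (not real X505 settings).
DEFAULT_PROPOSAL = IkeProposal("3des", "sha1", 2)
SITE_A = GatewayConfig("site-a", True, [IkeProposal("aes256", "sha1", 5), DEFAULT_PROPOSAL],
                       "psk", "tunnel", "192.168.1.0/24", "192.168.2.0/24", psk="constructed-psk")
SITE_B = GatewayConfig("site-b", True, [DEFAULT_PROPOSAL],
                       "psk", "tunnel", "192.168.2.0/24", "192.168.1.0/24", psk="constructed-psk")


def negotiated():
    """Proposal the pair would settle on: site-a's first choice is not offered by
    site-b, so the shared default proposal wins."""
    return choose_proposal(SITE_A.ike_proposals, SITE_B.ike_proposals)


def good_pair() -> List[str]:
    return check_site_to_site(SITE_A, SITE_B)


def bad_pair() -> List[str]:
    """Same pair with site-b misconfigured on proposal, mode, network and AH/NAT."""
    b = replace(SITE_B, ike_proposals=[IkeProposal("aes128", "md5", 2)], mode="transport",
                remote_network="192.168.10.0/24", protocol="ah", behind_nat=True)
    return check_site_to_site(SITE_A, b)


if __name__ == "__main__":
    print("negotiated:", negotiated())
    print("good pair :", good_pair())
    for p in bad_pair():
        print("bad pair  :", p)
```

The check is deliberately strict about networks: a remote network that is a superset or subset of the peer's local network is treated as a mismatch, because in IKE Phase 2 the traffic selectors proposed by one side must be acceptable to the other, and asymmetric definitions are a common cause of a Phase 1 that succeeds followed by a Phase 2 that never comes up.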
Client-to-Site VPN
> Used to enable remote users to gain access to corporate networks
> Supported Protocols
  > IPSec Tunnel Mode
  > L2TP/IPSec
  > PPTP (with up to 128-bit MPPE)
> User Authentication is accomplished via the local user database or RADIUS
Client VPN Operation Modes
> IPSec Tunnel Mode
  > Same mechanisms as site-to-site tunnel mode VPN
> L2TP over IPSec
  > L2TP uses PPP (Point-to-Point Protocol) to make connections over IP networks (PPP is typically used for modem dial-up applications)
  > L2TP over IPSec uses IPSec Transport mode to provide security to connections
  > Supported authentication protocols
    > PAP
    > CHAP
    > MS-CHAP
    > MS-CHAPv2
> PPTP with MPPE
  > Point-to-Point Tunneling Protocol
  > PPTP is a legacy protocol found in many older versions of Windows
  > Microsoft Point-to-Point Encryption (MPPE) standard used for encryption
Configuring Client Tunnel
> Decide which mode to use
  > IPSec
    > Create a new IKE Proposal (or use the default)
    > Enable Global IPSec
    > Enable the Default SA
      > The Default SA is the only one that allows multiple connections
  > L2TP/IPSec
    > Complete all steps for IPSec above
    > Enable L2TP
  > PPTP
    > Enable the PPTP Server
    > Check Require Encryption to use MPPE
> Configure User Authentication
  > Local User Database
  > RADIUS
> Configure your VPN client
VPN and Security Zone Interaction
> Traffic from remote sites and/or users connecting to the network via VPN can be terminated into any configured security zone
> In order to provide maximum protection, it may be wise to use the pre-configured VPN zone to implement policy (Firewall and IPS)
LAB 5: VPN Implementation