IPsec acts at the network layer, protecting and authenticating IP packets between
participating IPsec devices (peers). IPsec is not bound to any specific encryption,
authentication, or security algorithms or keying technology. IPsec is a framework of open
standards. Figure 8-9 shows how IPsec can be used with different customers and devices to
connect.
308 Chapter 8: Extending the Network into the WAN
Figure 8-9 IPsec Flexibility (figure labels: Internet; Certicom PDA IPsec VPN Client; Cisco VPN Software Client; Cisco Hardware Client (Legacy); Small Office)
By not binding IPsec to specific algorithms, IPsec allows newer and better algorithms to be
implemented without patching the existing IPsec standards. IPsec provides data
confidentiality, data integrity, and origin authentication between participating peers at
the IP layer. IPsec secures a path between a pair of gateways, a pair of hosts, or a gateway
and host.
IPsec security services provide the following four critical functions:
■ Confidentiality (encryption): The sender can encrypt the packets before transmitting
them across a network. By doing so, no one can eavesdrop on the communication.
If the communication is intercepted, it cannot be read.
■ Data integrity: The receiver can verify that the data was transmitted through the
Internet without being changed. IPsec ensures data integrity by using checksums (also
known as hash values or message digests), a simple redundancy check.
■ Authentication: Authentication ensures that the connection is made with the desired
communication partner. The receiver can authenticate the source of the packet,
guaranteeing and certifying the source of the information.
■ Antireplay protection: Antireplay protection verifies that each packet is unique and
not duplicated. IPsec packets are protected by comparing the sequence number of the
received packets with a sliding window on the destination host or security gateway.
A packet that has a sequence number that is before the sliding window is considered
either late or a duplicate packet. Late and duplicate packets are dropped.
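The antireplay sliding window described in the last bullet, as an added example that is not from the chapter; the 64-packet window size and the packet sequence are constructed for the demonstration.

```python
# Added example, not from the chapter: receiver-side IPsec antireplay window.
# Window size (64) and the packet stream are constructed for this demo.

WINDOW_SIZE = 64  # receivers commonly track at least 64 sequence numbers


class AntiReplayWindow:
    """Track received sequence numbers with a sliding bitmap window."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq):
        """Return True if seq is new and not before the window, else False (drop)."""
        if seq <= 0:
            return False                      # sequence number 0 is never valid
        if seq > self.top:
            # Ahead of the window: slide it forward and mark seq as received.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # before the window: late, drop
        if self.bitmap & (1 << offset):
            return False                      # already seen: duplicate, drop
        self.bitmap |= 1 << offset            # new packet inside the window
        return True


def filter_packets(seqs, size=WINDOW_SIZE):
    """Return (accepted, dropped) sequence-number lists for a packet stream."""
    window = AntiReplayWindow(size)
    accepted, dropped = [], []
    for seq in seqs:
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed stream: out-of-order delivery, one replayed packet, one very late packet.
    print(filter_packets([1, 2, 3, 5, 4, 3, 70, 6, 69]))
```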
(Figure 8-9 labels: Legacy Concentrator; Legacy PIX Firewall; ASA; Business Partner with a Cisco Router; Mobile Worker with a Cisco VPN Client on a Laptop Computer; Corporate Main Site; Perimeter Router; POP; Regional Office with a PIX Firewall; SOHO with a Cisco ISDN/DSL Router; IPsec)
Introducing VPN Solutions 309
Plain-text data that is transported over the public Internet can be intercepted and read. To
keep the data private, you should encrypt the data. By digitally scrambling the data, it is
rendered unreadable. Figure 8-10 shows how the data is encrypted as it passes across the
public Internet.
Figure 8-10 Data Encryption
For encryption to work, both the sender and the receiver must know the rules that are used
to transform the original message into its coded form. Rules are based on an algorithm
and a key. An algorithm is a mathematical function that combines a message, text, digits,
or all three with a string of digits called a key. The output is an unreadable cipher string.
Decryption is extremely difficult or impossible without the correct key.
In Figure 8-10, someone wants to send a financial document across the Internet. At the local
end, the document is combined with a key and run through an encryption algorithm. The
output is undecipherable cipher text. The cipher text is then sent through the Internet. At the
remote end, the message is recombined with a key and sent back through the encryption
algorithm. The output is the original financial document.
The degree of security depends on the length of the encryption algorithm's key. The
time that it takes to try every possible key is a function of the computing power
available. Therefore, the shorter the key, the easier it is to break. Figure 8-11 shows the role
of the key in the process.
(Figure labels: Encryption Algorithm; Internet; "Hmmm... I cannot read a thing."; plain text "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars"; cipher text "4ehIDx67NMop9eR U78IOPotVBn45TR")
Figure 8-11 Encryption Key
Encryption algorithms such as DES and 3DES require a symmetric shared secret key to
perform encryption and decryption. You can use e-mail, courier, or overnight express to
send the shared secret keys to the administrators of the devices. But the easiest key
exchange method is a public key exchange method between the encrypting and decrypting
devices. The DH key agreement is a public key exchange method that provides a way for
two peers to establish a shared secret key, which only they know, even though they are
communicating over an insecure channel. Figure 8-12 shows that the shared keys need to
be established securely over an open network.
Figure 8-12 Encryption Keys Must Be Established
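A worked Diffie-Hellman exchange between two IPsec peers, as an added example that is not from the chapter: only the public values cross the channel, yet both sides derive the same encryption and HMAC keys. The prime P = 2**255 - 19, generator G = 2, peer names and SHA-256 key derivation are demonstration assumptions, not an IKE DH group.

```python
# Added example, not from the chapter: Diffie-Hellman key agreement between two
# IPsec peers, then derivation of the symmetric keys the encryption and HMAC
# algorithms would use. P and G are demonstration parameters (assumption), not
# one of the IKE DH groups; a real peer uses the negotiated group's values.
import hashlib
import secrets

P = 2**255 - 19   # a known prime, used here only for demonstration
G = 2


class DHPeer:
    """One IPsec peer: keeps its private value, exposes only its public value."""

    def __init__(self, name):
        self.name = name
        self._private = secrets.randbelow(P - 2) + 1   # never sent on the wire
        self.public = pow(G, self._private, P)         # sent over the insecure channel
        self.shared_secret = None

    def compute_shared_secret(self, peer_public):
        """Combine the other side's public value with our own private value."""
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")   # reject degenerate values
        self.shared_secret = pow(peer_public, self._private, P)
        return self.shared_secret

    def derive_keys(self):
        """Hash the shared secret into a 128-bit encryption key and a 128-bit HMAC key."""
        material = hashlib.sha256(self.shared_secret.to_bytes(32, "big")).digest()
        return {"encryption_key": material[:16], "hmac_key": material[16:]}


def run_exchange():
    """Return both peers' derived keys; only the public values crossed the channel."""
    router_a, router_b = DHPeer("Router A"), DHPeer("Router B")
    router_a.compute_shared_secret(router_b.public)
    router_b.compute_shared_secret(router_a.public)
    return router_a.derive_keys(), router_b.derive_keys()


if __name__ == "__main__":
    keys_a, keys_b = run_exchange()
    print("both peers derived the same keys:", keys_a == keys_b)
```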
Some of the encryption algorithms and the length of keys they use are as follows:
■ Data Encryption Standard (DES) algorithm: DES was developed by IBM. DES
uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key
cryptosystem.
■ Triple DES (3DES) algorithm: The 3DES algorithm is a variant of the 56-bit DES.
3DES operates similarly to DES, in that data is broken into 64-bit blocks. 3DES then
processes each block three times, each time with an independent 56-bit key. 3DES
provides significant encryption strength over 56-bit DES. 3DES is a symmetric key
cryptosystem.
■ Advanced Encryption Standard (AES): The National Institute of Standards and
Technology (NIST) has recently adopted AES to replace the existing DES encryption
in cryptographic devices. AES provides stronger security than DES and is
computationally more efficient than 3DES. AES offers three different key lengths:
128-, 192-, and 256-bit keys.
■ Rivest, Shamir, and Adleman (RSA): RSA is an asymmetric key cryptosystem. It
uses a key length of 512, 768, 1024, or more bits. IPsec does not use RSA for data
encryption; IKE uses RSA only during the peer authentication phase.
VPN data is transported over the public Internet. Potentially, this data could be intercepted
and modified. To guard against this problem, you can use a data integrity algorithm. A data
integrity algorithm adds a hash to the message. A hash guarantees the integrity of the
original message. If the transmitted hash matches the received hash, the message has not
been tampered with. However, if no match exists, the message was altered.
In Figure 8-13, someone is trying to send Terry Smith a check for $100. At the remote end,
Alex Jones is trying to cash the check for $1000. As the check progressed through the
Internet, it was altered. Both the recipient and dollar amounts were changed. In this case, if
a data integrity algorithm were used, the hashes would not match, and the transaction would
no longer be valid.
Figure 8-13 Guarding Against Data Modifications
(Figure 8-13 labels: Match = No Changes; No Match = Alterations; "I would like to cash this check."; hash 4ehIDx67NMop9 with "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars"; hash 12ehqPx67NMoX with "Pay to Alex Jones $1000.00 / One Thousand and xx/100 Dollars"; Internet)
Keyed Hash-based Message Authentication Code (HMAC) is a data integrity algorithm that
guarantees the integrity of the message. At the local end, the message and a shared secret
key are sent through a hash algorithm, which produces a hash value. The message and hash
are sent over the network. At the remote end, the receiver runs the received message and the
same shared secret key through the hash algorithm and compares the result with the received
hash: a match means the message is unchanged, and a mismatch means it was altered.
The two common HMAC algorithms are as follows:
■ HMAC-Message Digest Algorithm 5 (HMAC-MD5): Uses a 128-bit shared secret key. The
variable-length message and 128-bit shared secret key are combined and run through
the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended
to the original message and forwarded to the remote end.
■ HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1): Uses a 160-bit shared secret
key. The variable-length message and the 160-bit shared secret key are combined and
run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash
is appended to the original message and forwarded to the remote end.
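The Figure 8-13 check-tampering scenario verified with the two HMAC algorithms listed above (HMAC-MD5 and HMAC-SHA-1), as an added example that is not from the chapter; the shared key, the check text and the in-transit alteration are constructed for the demonstration.

```python
# Added example, not from the chapter: the Figure 8-13 scenario checked with
# HMAC-MD5 (128-bit hash) and HMAC-SHA-1 (160-bit hash). The shared key and the
# check text are constructed for this demo.
import hashlib
import hmac

HMAC_ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def sign_message(message: bytes, shared_key: bytes, algorithm: str) -> bytes:
    """Local end: run message and shared key through the HMAC and append the hash."""
    tag = hmac.new(shared_key, message, HMAC_ALGORITHMS[algorithm]).digest()
    return message + tag


def verify_message(packet: bytes, shared_key: bytes, algorithm: str):
    """Remote end: recompute the HMAC over the received message; return (is_valid, message)."""
    tag_len = HMAC_ALGORITHMS[algorithm]().digest_size
    message, received_tag = packet[:-tag_len], packet[-tag_len:]
    expected = hmac.new(shared_key, message, HMAC_ALGORITHMS[algorithm]).digest()
    # compare_digest is constant-time, so timing does not reveal how many bytes matched
    return hmac.compare_digest(expected, received_tag), message


def tamper_in_transit(packet: bytes) -> bytes:
    """Constructed 'Internet' step from Figure 8-13: payee and amount change, hash kept."""
    return packet.replace(b"Terry Smith $100.00", b"Alex Jones $1000.00")


def run_scenario(algorithm: str):
    """Return (untouched_valid, tampered_valid, hash_bits) for one HMAC algorithm."""
    shared_key = b"constructed-demo-shared-secret"   # would come from DH in IPsec
    check = b"Pay to Terry Smith $100.00"
    packet = sign_message(check, shared_key, algorithm)
    ok_clean, _ = verify_message(packet, shared_key, algorithm)
    ok_tampered, _ = verify_message(tamper_in_transit(packet), shared_key, algorithm)
    hash_bits = HMAC_ALGORITHMS[algorithm]().digest_size * 8
    return ok_clean, ok_tampered, hash_bits


if __name__ == "__main__":
    for name in HMAC_ALGORITHMS:
        print(name, run_scenario(name))   # md5 -> (True, False, 128), sha1 -> (True, False, 160)
```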
When conducting business long distance, it is necessary to know who is at the other end of
the phone, e-mail, or fax. The same is true of VPN networks. The device on the other end
of the VPN tunnel must be authenticated before the communication path is considered
secure. This is illustrated in Figure 8-14.
Figure 8-14 Peer Authentication
The two peer authentication methods are as follows:
■ PSKs (preshared keys): A secret key value that is entered into each peer manually and is used to
authenticate the peer. At each end, the PSK is combined with other information to form
the authentication key.
■ RSA signatures: Use the exchange of digital certificates to authenticate the peers. The
local device derives a hash and encrypts it with its private key. The encrypted hash
(digital signature) is attached to the message and forwarded to the remote end. At the
remote end, the encrypted hash is decrypted using the public key of the local end. If
the decrypted hash matches the recomputed hash, the signature is genuine.
(Figure 8-14 labels: Internet; Peer Authentication; HR Servers; Remote Office; Corporate Office)
IPsec Protocol Framework
IPsec is a framework of open standards. IPsec spells out the messaging to secure the
communications but relies on existing algorithms. There are two main IPsec framework
protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). Details
are as follows:
■ AH: AH is the appropriate protocol to use when confidentiality is not required or
permitted. It provides data authentication and integrity for IP packets passed between
two systems. It is a means of verifying that any message passed from Router A to
Router B has not been modified during transit. It verifies that the origin of the data was
either Router A or Router B. AH does not provide data confidentiality (encryption) of
packets. All text is transported in the clear. Used alone, the AH protocol provides weak
protection. Consequently, the AH protocol is used with the ESP protocol to provide
data encryption and tamper-aware security features.
■ ESP: A security protocol that can be used to provide confidentiality (encryption) and
authentication. ESP provides confidentiality by performing encryption on the IP
packet. IP packet encryption conceals the data payload and the identities of the
ultimate source and destination. ESP provides authentication for the inner IP packet
and ESP header. Authentication provides data origin authentication and data integrity.
Although both encryption and authentication are optional in ESP, at a minimum, one
of them must be selected.
IPsec is a framework of open standards that spells out the rules for secure communications.
IPsec, in turn, relies on existing algorithms to implement the encryption, authentication,
and key exchange. Figure 8-15 shows how the different components of security fit into the
IPsec framework, along with the choices of algorithms.
Some of the standard algorithms that IPsec uses are as follows:
■ DES: Encrypts and decrypts packet data
■ 3DES: Provides significant encryption strength over 56-bit DES
■ AES: Provides stronger encryption, depending on the key length used, and faster
throughput
■ MD5: Authenticates packet data, using a 128-bit shared secret key
■ SHA-1: Authenticates packet data, using a 160-bit shared secret key
■ DH (Diffie-Hellman): Allows two parties to establish a shared secret key used by
encryption and hash algorithms, for example, DES and MD5, over an insecure
communications channel
Figure 8-15 IPsec Framework Components
In Figure 8-15, four IPsec framework squares are to be filled in. When you configure an IPsec
gateway to provide security services, you must first choose an IPsec protocol. The choices are
ESP or ESP with AH. The second square is an encryption algorithm. Choose the encryption
algorithm that is appropriate for the desired level of security: DES, 3DES, or AES. The third
square is authentication. Choose an authentication algorithm to provide data integrity: MD5 or
SHA. The last square is the DH algorithm group. Choose which group to use: DH1, DH2, or
DH5. IPsec provides the framework, and the administrator chooses the algorithms that are used
to implement the security services within that framework.
Summary of Introducing VPN Solutions
The following summarizes the key points that were discussed in the previous sections:
■ Organizations implement VPNs because they are less expensive, more secure, and
easier to scale than traditional WANs.
■ Site-to-site VPNs secure traffic between intranet and extranet peers. Remote-access
VPNs secure communications from the traveling telecommuter to the central office.
■ VPNs can be implemented with a variety of different Cisco devices—Cisco IOS
routers, ASA 5500 Series adaptive security appliances, and Cisco VPN Client
software.
■ IPsec is the framework that combines security protocols and provides VPNs with data
confidentiality, integrity, and authentication.
■ AH and ESP are the two main IPsec framework protocols.