© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public BRK-134T VPNs Simplified 1 Virtual Private Networks (VPNs) Simplified Erich Spengler CSSIA CATC—Moraine Valley Community College 2008—60 Minute Session BRK-134T VPNs Simplified 2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Agenda ƒ Demonstration ƒ Introduction to VPNs ƒ VPN Security (IPSec, PPTP, SSL) ƒ VPN Technology Comparison ƒ VPN Group Exercise BRK-134T VPNs Simplified 3 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Demonstration—Remote Network Access via VPN Corporate Servers VPN Server/Gateway Internet/ Unsecure Network VPN Tunnel Encrypted Traffic to the Corporate Server Remote User BRK-134T VPNs Simplified 4 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Subtitle Introduction to VPNs BRK-134T VPNs Simplified 5 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public What Is a Virtual Private Network (VPN)? A Remote Access VPN secures connections for remote users, such as mobile users or telecommuters, to corporate LANs over shared service provider networks Homeworker with VPN Client Software Homeworker with VPN Router Branch Office with VPN Router Teleworker with VPN Client Software Dial-Up User with VPN Client Software Corporate HQ Wireless Client with VPN Client Software Public Telephone Network Internet Wireless Hotspot BRK-134T VPNs Simplified 6 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Wireless: A New Big Driver for VPNs ƒ An access point (AP) is a shared device ƒ Remember the performance issues of shared hubs ƒ Bridges, and other devices allow for interconnection ƒ Protocols and applications work seamlessly Internet BRK-134T VPNs Simplified 7 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Basic VPN Terms Internet Router to Router VPN Gateway (Extranet) VPN Client to Router VPN via Dial-Up (Access VPN) Internet Other Vendors to Router VPN (Extranet) Internet Router to VPN Firewall Gateway (Extranet) VPN Client to Router VPN Network (Intranet) BRK-134T VPNs Simplified 8 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Using Site-to-Site VPNs Central Site Intranet Branch/Remote Office Extranet Business-to-Business VPN VPN VPN VPN Frame Relay WAN Network Internet VPN PSTN/ISDN Broadband BRK-134T VPNs Simplified 9 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Central Site Router Or Or Using Remote-Access VPNs Remote Access Client ƒ Cisco VPN Clients (IPSec) ƒ Microsoft Win 9x/NT/2000/XP (LTTPP) ƒ Thire-party VPN client (PPTP) Remote Access Gateway ƒ Cisco WAN Router ƒ Cisco Secure PIX Firewall ƒ Or IPSec or PPTP aware device to provide firewall/VPN Tunnel Termination Mobile Remote Access Client Telecommuter POP POP Internet Extranet Consumer-to-Consumer DSL Cable BRK-134T VPNs Simplified 10 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public VPN Components GRE L2TP MPLS PPTP TCP Checksum AH in IPSec Prevent Tampering Integrity Increase Protection Encryption Separate Data Tunneling Identify Source Authentication IPSec DES, 3 DES MPPE PKI RSA RSA BRK-134T VPNs Simplified 11 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Subtitle VPN Security BRK-134T VPNs Simplified 12 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public What a VPN Must Provide Confidentiality AvailabilityIntegrity BRK-134T VPNs Simplified 13 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Network Security Model Confidentiality Data Security Assurance Model (CIA) ƒ Benefit Ensures data is unaltered during transit ƒ Shuns Alteration Replay ƒ Benefit Ensures identity of originator or recipient of data ƒ Shuns Impersonation Replay Integrity Authentication Data Confidentiality and Data Integrity Depend on Encryption and Encapsulation ƒ Benefit ƒ Ensures data privacy ƒ Shuns ƒ Sniffing ƒ Replay BRK-134T VPNs Simplified 14 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public VPN Technology Options Application Layer (5–7) Transport/ Network Layer (3–4) Link/Physical Layer (1–2) GRE PPTP L2TP MPLS IPSEC MPPE Link-Layer Encryption Link-Layer Encryption Application Layer SSL SSH Network Layer BRK-134T VPNs Simplified 15 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public What Is an IPSec VPN? Internet Protocol Security ƒ A set of security protocols and algorithms used to secure IP data at the network layer ƒ IPSec provides data confidentiality (encryption), integrity (hash), authentication (signature/certificates) of IP packets while maintaining the ability to route them through existing IP networks BRK-134T VPNs Simplified 16 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Advantages of IPSec ƒ Access VPNs ƒ Classic site-to-site managed VPNs ƒ Trusted MPLS VPNs Business Partner Remote Office Regional Office Main Office Home Office POP Service Provider Mobile Worker Mobile Worker BRK-134T VPNs Simplified 17 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public IPSec Key Points ƒ IPSec can ensure the confidentiality and/or the authenticity of IP packets ƒ The key points are Two modes of propagation (transport and tunnel) Security associations (SAs) Two types of header (ESP and AH) IP Header AH Header ESP Header IP Data (Encrypted) BRK-134T VPNs Simplified 18 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public IPSec Framework ESP—Encapsulating Security Payload AH—Authentication Header AES—Advanced Encryption Standard MD5, SHA—Authentication DH—Diffie-Hellman Identifier to Derive the Share Secret IPSec Framework IPSec Protocol Encryption Authentication DH MD5 SHA DH1 DH2 DH5 ESP ESP + AH AH DES 3 DES AES Choices BRK-134T VPNs Simplified 19 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Two Types of IPSec Security Protocols ƒ Ensures data integrity ƒ Provides origin authentication— ensures packets definitely came from peer router ƒ Uses keyed-hash mechanism ƒ Does not provide confidentiality (no encryption) ƒ Provides optional replay protection Router A Router B All Data in Cleartext Authentication Header ƒ Data confidentiality (encryption) ƒ Limited traffic flow confidentiality ƒ Data integrity ƒ Optional data origin authentication ƒ Anti-replay protection ƒ Does not protect IP header Router A Router B Data Payload Is Encrypted Encapsulating Security Payload BRK-134T VPNs Simplified 20 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public IP Header with IPSec Information IP Header AH Header ESP Header IP Data (Encrypted) IP Header AH Header ESP Header IP Data BRK-134T VPNs Simplified 21 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public IPSec in a Standards World Standards-Based Cryptography ƒ IKE, IPSec, 3DES ƒ Equipment/vendor interoperability Headquarters Firewall Router Firewall Remote Office Periodic Re-Key Internet/IP VPN CER TIFIC ATE BRK-134T VPNs Simplified 22 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public IKE Benefits an IPSec Environment ƒ Ensure confidential communications in an unsecured network ƒ Also known as the Key Management Nightmare!!! UNIVERSITY BRK-134T VPNs Simplified 23 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public IPSec: Building a Connection ƒ Two-phase protocol: Phase 1 exchange: two peers establish a secure, authenticated channel with which to communicate; Main mode or Aggressive mode accomplishes a Phase 1 exchange Phase 2 exchange: security associations are negotiated on behalf of IPSec services; Quick mode accomplishes a Phase 2 exchange ƒ Each phase has its SAs: ISAKMP SA (Phase 1) and IPSec SA (Phase 2) Data IKE (Phase 2) IKE (Phase 1) BRK-134T VPNs Simplified 24 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public How Does IKE/IPSec Work? Quick Mode Quick Mode Phase I SA (ISAKMP SA) Phase II SA (IPSec SA) Phase II SA (IPSec SA) New IPSec Tunnel or Rekey Main Mode (6 Messages) Aggressive Mode (3 Messages) A Protected Data B C Protected Data D BRK-134T VPNs Simplified 25 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public ISAKMP Main, Quick and Aggressive Modes 1 2 3 Header Hash SA [Key] Hash Header SA [Key] Header Hash Nonce ID/ID Nonce ID /ID ISAKMP Main Mode (Phase 1) ISAKMP Quick Mode (Phase 2) Header SA SA Header Header Key Header ID Key Header ID Header Nonce Nonce [ Cert ] Sig [ Cert ] Sig 1 2 3 4 5 6 R E S P O N D E R I N I T I A T O R Header SA [Key] Nonce ID Header SA [Key] Nonce ID 1 2 3 Header [Cert] [Cert] Sig Sig ISAKMP Aggressive Mode (Phase 1) BRK-134T VPNs Simplified 26 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public What Is a Web/SSL VPN? ƒ Uses certificates for identification ƒ Private key used to prove identity ƒ SSL server provides all encryption keys ƒ Originally for HTTP/Web applications Certificate Certificate BRK-134T VPNs Simplified 27 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Wireless LAN Web/SSL VPN Features Feature ƒ Access to internal web sites (HTTP/HTTPS) including filtering ƒ Access to internal Windows (CIFS) File Shares ƒ TCP port forwarding for legacy application support ƒ Access to e-mail via POP, SMTP, and IMAP4 over SSL Corporate Network Broadband Provider ISP Access Point Broadband Modem ASA Firewall WebVPN WebVPN BRK-134T VPNs Simplified 28 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Web/SSL VPN and IPSec Comparison WebVPN ƒ Uses a standard web browser to access the corporate network ƒ SSL encryption native to browser provides transport security ƒ Application accessed through browser portal ƒ Limited client/server application accessed using applets IPSEC VPN ƒ Uses purpose built client software for network access ƒ Client provides encryption and desktop security ƒ Client establishes seamless connection to network ƒ All application are accessible through their native interface BRK-134T VPNs Simplified 29 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public What Is a PPTP VPN? Point to Point Tunneling Protocol ƒ PPTP is a network protocol used in the implementation of Virtual Private Networks (VPN); RFC 2637 is the PPTP technical specification ƒ PPTP works on a client server model; PPTP clients are included by default in Microsoft Windows and also available for both Linux and Mac OS X; newer VPN technologies like L2TP and IPSec may replace PPTP someday, but PPTP/MPPE remains a popular network protocol especially on Windows computers BRK-134T VPNs Simplified 30 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public VPN Technology Options Application Layer (5–7) Transport/ Network Layer (3–4) Link/Physical Layer (1–2) GRE PPTP L2TP MPLS IPSEC MPPE Link-Layer Encryption Link-Layer Encryption Application Layer SSL SSH Network Layer BRK-134T VPNs Simplified 31 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Benefits of PPTP PPTP ƒ PPoE is point-point protocol over Ethernet ƒ Single tunnel between end-points: Single device support (GRE = generic routing encapsulation) ƒ Six bytes over overhead when compression used ƒ No tunnel authentication ƒ With RADIUS server supports authentication and accounting ƒ CHAP V2 fixes password, masquerading, and encryption weakness ƒ 40 or 128 bit RC4 packet encryption Internet Organization Secure Network PPP IP GRE PPP IP TCP User Data IP GRE PPP IP TCP User Data GRE PPP IP TCP User Data PPP IP TCP User Data IP TCP User Data TCP User Data User Data BRK-134T VPNs Simplified 32 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Is PPTP Secure? Yes Challenge Response New Client Key New Server Key Encrypted Packet Connection Request Response Challenge New Client Key New Server Key Encrypted Packet Internet Organization Secure Network CHAP V2 Authentication with 40 or 128 bit RC4 Encryption BRK-134T VPNs Simplified 33 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public VPN Technology Comparison Application to Application SSL End to End IPSec Transport Mode Gateway to Gateway PPTP L2TP/IPSec IPSec Tunnel Mode Client to Gateway PPTP L2TP/IPSec PPTP—Point to Point Tunneling Protocol—Layer 2—Multiprotocol L2TP/IPSec—Layer 2 Tunneling Protocol—Multiprotocol—Encryption and Authentication IPSec—IP Security—Layer 3—IP Protocol—Encryption and Authentication SSL—Secure Sockets Layer—Layer 6/7—Application—Encryption and Authentication Simplicity Low Cost Advanced Security BRK-134T VPNs Simplified 34 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Group Exercise Configuring VPNs Lab BRK-134T VPNs Simplified 35 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Summary ƒ Demonstration ƒ Introduction to VPNs ƒ VPN Security (IPSec, PPTP, SSL) ƒ VPN Technology Comparison ƒ VPN Group Exercise BRK-134T VPNs Simplified 36 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public BRK-134T VPNs Simplified 37 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public