IPSec-22

Transcript of IPSec-22

  • 8/8/2019 IPSec-22

    1

    IPSec/VPN Security Management

    TDC 568: Network Management

    Professor Ehab Al-Shaer

    Sources: Panko, Stallings, NIST

    2

    What is a VPN?

    A VPN is a tunnel because the data being transferred is encrypted and then encapsulated in IP packets by a VPN gateway.

    A VPN protects the original packet from being understood (privacy), and protects the sender's and the recipient's identity from being uncovered or altered (authentication).

    VPN architectures:
    - network to network
    - host to network
    - dial-up ISP to network

    3

    VPN Operation & Advantage

    The VPN gateway reads the workstation's packets and:
    - encrypts the packet, then
    - encapsulates the encrypted original packet in an IP packet destined to the end-point gateway (not to the client or the server in either network)

    Services:
    - hides the identity of your network
    - provides authentication (between gateways)
    - privacy via encryption

    Advantages:
    - connects branch offices with a cost-effective network compared with leased lines
    - allows users to work from home and from mobile hosts

    Disadvantages of VPN (vs. leased line):
    - VPN speed is bounded by the slowest link in the Internet
    - a single failure in the path disconnects the entire network

    4

    IPSec Goals and Architectures

    IPSec Goals:
    - Security (confidentiality, authentication, integrity)
    - Allows different VPN vendors to interoperate

    What is a VPN? A tunnel between two networks over a shared network infrastructure such as the Internet.

    VPN/IPSec Architectures:
    - Host to host
    - Network to network
    - Host to network
    - Dial-up ISP gateway to network

    5

    IPSec Operation Modes

    IPSec Transport Operation:
    - Encrypts the payload only
    - No encapsulation, so the original IP header is not hidden
    - From host to host: the host must be aware of IPSec
    - Provides end-to-end protection (from host to host)

    IPSec Tunnel Operation:
    - Encrypts the entire message (headers + payload)
    - Encapsulation: the IPSec gateway encrypts, encapsulates and sends the encrypted packet to the end-point IPSec router
    - Could be host-host, host-gateway or gateway-gateway (the last is the most popular)
    - Transparent to hosts
    - Protects the IP address/header

    6

    IPSec Operation: Transport Mode

    [Figure: Transport Mode. A secure connection between two site networks: secure on the Internet, and security also inside each site network; extra software may be required on the hosts at both ends.]

    7

    IPSec Operation: Tunnel Mode

    [Figure: Tunnel Mode. A tunneled connection between the two IPsec gateways: secure on the Internet, no security inside either site network; no extra software on the hosts at either end.]

    8

    IPSec Operation: Packet Headers

    Transport Mode: Orig. IP Hdr | IPSec Hdr | Protected Packet Data Field
    The destination IP address is the actual host address; vulnerable to scanning.

    Tunnel Mode: New IP Hdr | IPSec Hdr | Protected Original Packet
    The destination IP address is the IPSec server address; the host IP address is not revealed.

    9

    IPSec Protocols

    - IPSec is a standard to provide IP security
    - Mandatory in IPv6 and can be used with IPv4 too
    - IPSec is transparent to the users
    - It consists of three main components:
      - Internet Key Exchange (IKE): initial negotiation to agree upon the encryption mechanism, keys, etc.
      - Authentication Header (AH): security header inserted in the IP packet to determine whether the packet was altered and to authenticate the sender
      - Encapsulating Security Payload (ESP): encrypts the payload and the header of the original IP packet

    10

    IKE Protocol

    IKE functions: (1) security parameter negotiation, (2) key exchange using Diffie-Hellman

    Phase I:
    1. Authentication:
       - pre-shared key, manually distributed (not recommended)
       - digital certificate: both partners share the same CA; a PKI can be used
    2. Setting up the security parameters used for the Phase II negotiation (causing a double negotiation)

    Phase II: negotiating the security parameters used in the VPN communications (authentication: MD5, SHA-1; encryption: DES, 2DES, AES; ESP or AH, etc.)

    11

    AH Protocol

    - Offers authentication and integrity (not confidentiality)
    - The IP header is not hidden
    - Adds an additional header that includes a digital signature called the integrity check value (ICV), calculated over the IP address as well, to ensure the identity of the sender:
      - The receiver can verify this using the shared key + the source IP address in the header to re-calculate the DigSig and compare.
      - This makes AH incompatible with NAT when the NAT sits between the VPN device and the Internet (why?)
      - Solution: (1) put NAT after VPN, or (2) use an integrated VPN+NAT device
    - A sequence number in the header is used to avoid packet replay

    12

    ESP Protocol

    - Offers full confidentiality by encrypting the IP payload
    - Transport mode: adds a header and trailers as follows:
      - the trailer includes the ICV (DigSig)
    - Tunnel mode: encrypts the entire packet including the IP header, then adds a new IP header, an ESP header and a trailer (for authentication too)
    - ESP transport mode is also incompatible with NAT when the NAT sits between the VPN device and the Internet (why?)
      - NAT changes the IP address, which implies that the TCP checksum must be changed (the TCP checksum is calculated over IP header fields too). But the TCP checksum is encrypted and cannot be modified, so the receiver will calculate a wrong checksum.
      - Solution: put NAT after VPN
    - ESP tunnel mode would work with NAT. However, it causes a problem when it communicates with IKE, because the source UDP port must be 500 but NAT might replace it.
    - A sequence number in the header is used to avoid replaying packets

    13

    ESP and AH Protection using Transport Mode

    [Figure: transport-mode packet layouts]
    Encapsulating Security Payload (ESP), Protocol = 50: IP Header | ESP Header | Protected | ESP Trailer
    Confidentiality, authentication and message integrity
    Authentication Header (AH), Protocol = 51: IP Header | Authentication Header | Protected
    Authentication and message integrity; no confidentiality

    14

    Modes and Protections

    Protocol                                         | Tunnel Mode (IPSec Gateway to Gateway) | Transport Mode (End-to-End)
    AH  (Authentication, Integrity)                  | Possible                               | Possible
    ESP (Confidentiality, Authentication, Integrity) | Possible                               | Possible

    15

    IPSec Security Association (SA)

    SAs are established through IKE (Internet Key Exchange) to negotiate:
    - the security algorithm to be used
    - authentication
    - symmetric key exchange (default Diffie-Hellman)

    IPSec Default Security Configuration:
    - Key Exchange: Diffie-Hellman
    - Encryption: DES-CBC
    - Authentication: HMAC

    16

    IPSec Security Associations

    [Figure: Party A and Party B each hold (1) a list of allowable security associations from the IPsec policy server; they negotiate (2) a Security Association (SA) for transmissions from A to B and (3) an SA for transmissions from B to A, which can be different from the A-to-B SA.]

    17

    IPSec Security Association (SA)

    - Each gateway has its own SA policy server
    - Before an SA is negotiated, the IPSec partner must be configured locally in the security policy database (SPD)
    - The SA is stored in a database (SAD) indexed by the security parameter index (SPI) included in every IPSec packet header
    - Bi-directional agreement
    - Policy based (e.g., the algorithm is selected based on security level and performance overhead)

    18

    IPSec Security Policy

    Each gateway has its own IPSec policy server. The configuration is stored in the security policy database (SPD). IPSec policy is written for outbound traffic; inbound traffic is matched against the policy's mirror image. The policy is composed of:

    - Crypto-access list: rules to protect, bypass or discard traffic.
    - Crypto-map list: rules to transform traffic into protected form.
    - Crypto-transform list: how to perform the traffic transformation.

    19

    IPSec Security Policy: Example

    [Figure: topology 1.1.1.1 - 5.5.5.5 - 6.6.6.6 - 2.2.2.2]

    Each crypto-access rule (protect) is followed by the crypto-map rule that transforms the matching traffic:

    TCP 1.1.*.* : any 2.2.*.* : any protect
    TCP 1.1.1.1 : any 2.2.2.2 : any AH Transport {HMAC MD5}

    TCP 1.1.*.* : any 2.2.*.* : any protect
    TCP 1.1.1.* : any 2.2.2.* : any ESP Tunnel 6.6.6.6 {3DES}

    TCP 2.2.*.* : any 1.1.*.* : any protect
    TCP 2.2.2.2 : any 1.1.1.1 : any AH Transport {HMAC MD5}

    TCP 2.2.*.* : any 1.1.*.* : any protect
    TCP 2.2.2.* : any 1.1.1.* : any ESP Tunnel 5.5.5.5 {3DES}

    20

    IPSec Intra-Policy Conflicts

    Conflicts in crypto-access lists:

    Shadowing:
    TCP 1.1.*.* : any 2.2.*.* : any protect
    TCP 1.1.1.1 : any 2.2.2.2 : any bypass

    Redundancy:
    TCP 1.1.1.1 : any 2.2.2.2 : any protect
    TCP 1.1.*.* : any 2.2.*.* : any protect

    Generalization/Exception:
    TCP 1.1.1.1 : any 2.2.2.2 : any bypass
    TCP 1.1.*.* : any 2.2.*.* : any protect

    Correlation:
    TCP 1.1.1.1 : any 2.2.*.* : any bypass
    TCP 1.1.*.* : any 2.2.2.2 : any protect

    21

    IPSec Intra-Policy Conflicts

    Conflict in crypto-map paths: reversed decapsulation order on the traffic path

    TCP 1.1.1.1 : any 2.2.*.* : any protect
    TCP 1.1.1.1 : any 2.2.2.* : any ESP Tunnel 6.6.6.6 {3DES}
    TCP 1.1.1.1 : any 2.2.2.2 : any AH Tunnel 2.2.2.2 {3DES}

    [Figure: topology 1.1.1.1 - 5.5.5.5 - 6.6.6.6 - 2.2.2.2; part of the path carries clear traffic]

    22

    IPSec Inter-Policy Conflicts

    Conflicts in crypto-access lists. Shadowing: the upstream policy blocks traffic

    At 1.1.1.1:  TCP 1.1.*.* : any 2.2.*.* : any protect
    At 2.2.2.2:  TCP 2.2.*.* : any 1.1.*.* : any bypass

    [Figure: 1.1.1.1 - 2.2.2.2; traffic dropped]

    23

    IPSec Inter-Policy Conflicts

    Conflicts in crypto-access lists. Spurious: the downstream policy blocks traffic

    At 1.1.1.1:  TCP 1.1.*.* : any 2.2.*.* : any bypass
    At 2.2.2.2:  TCP 2.2.*.* : any 1.1.*.* : any protect

    [Figure: 1.1.1.1 - 2.2.2.2; traffic dropped]

    24

    IPSec Inter-Policy Conflicts

    Conflicts in tunnel paths: reversed decapsulation order on the traffic path

    TCP 1.1.1.1 : any 2.2.*.* : any protect
    TCP 1.1.1.1 : any 2.2.*.* : any ESP Tunnel 6.6.6.6 {3DES}

    TCP 1.1.*.* : any 6.6.*.* : any protect
    TCP 1.1.*.* : any 6.6.*.* : any AH Tunnel 2.2.2.2 {3DES}

    [Figure: topology 1.1.1.1 - 5.5.5.5 - 6.6.6.6 - 2.2.2.2; part of the path carries clear traffic]

    25

    IPSec Inter-Policy Conflicts

    Tunnel loop conflict

    TCP 1.1.*.* : any 2.2.*.* : any protect
    TCP 1.1.*.* : any 2.2.*.* : any AH Tunnel 6.6.6.6 {3DES}

    TCP 2.2.*.* : any 1.1.*.* : any protect
    TCP 2.2.*.* : any 1.1.*.* : any ESP Tunnel 5.5.5.5 {3DES}

    TCP 1.1.*.* : any 2.2.*.* : any protect
    TCP 1.1.*.* : any 2.2.*.* : any ESP Tunnel 5.5.5.5 {3DES}

    [Figure: topology 1.1.1.1 - 5.5.5.5 - 6.6.6.6 - 2.2.2.2; traffic loop]

    26

    IPSec Inter-Policy Conflicts

    Protection asymmetry conflict: the access rules in both peers should be mirror images, so that traffic originating from either peer is protected

    At 1.1.1.1:  TCP 1.1.1.1 : any 2.2.2.2 : any protect
    At 2.2.2.2:  TCP 2.2.*.* : any 1.1.*.* : any protect

    [Figure: 1.1.1.1 - 2.2.2.2; traffic dropped]
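The crypto-access-list anomalies of slide 20 (shadowing, redundancy, generalization, correlation) and the inter-policy shadowing, spurious and protection-asymmetry cases of slides 22, 23 and 26 can be checked mechanically. The following Python is an added example, not part of the lecture material; it parses rules written in the slides' own notation and assumes that rule order decides which rule is matched first.

```python
import re

RULE_RE = re.compile(r"(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+)")

def parse(rule):
    """Parse the slides' notation '<proto> <src> : <sport> <dst> : <dport> <action>'."""
    proto, src, sport, dst, dport, action = RULE_RE.match(rule).groups()
    # Every matchable field becomes one atom; "*" and "any" are wildcards.
    return {"fields": [proto, *src.split("."), sport, *dst.split("."), dport], "action": action}

def atom_rel(a, b):
    """Relation of atom a to atom b: eq, sub (a narrower), sup (a wider) or disjoint."""
    if a == b:
        return "eq"
    if b in ("*", "any"):
        return "sub"
    return "sup" if a in ("*", "any") else "disjoint"

def rule_rel(r1, r2):
    """exact, subset (r1 inside r2), superset, correlated (partial overlap) or disjoint."""
    rels = {atom_rel(a, b) for a, b in zip(r1["fields"], r2["fields"])}
    if "disjoint" in rels:
        return "disjoint"
    if rels <= {"eq", "sub"}:
        return "exact" if rels == {"eq"} else "subset"
    return "superset" if rels <= {"eq", "sup"} else "correlated"

def classify(earlier, later):
    """Intra-policy anomaly of the later rule relative to the earlier one; None if none."""
    rx, ry = parse(earlier), parse(later)
    rel, same = rule_rel(ry, rx), rx["action"] == ry["action"]
    if rel in ("exact", "subset"):  # the later rule can never be reached
        return "redundancy" if same else "shadowing"
    if rel == "superset":           # the earlier rule is an exception to the later one
        return "redundancy" if same else "generalization"
    return "correlation" if rel == "correlated" and not same else None

def mirror(rule):
    """Peer-side view of a rule: swap source and destination (the slides' mirror image)."""
    proto, src, sport, dst, dport, action = RULE_RE.match(rule).groups()
    return f"{proto} {dst} : {dport} {src} : {sport} {action}"

def peer_conflict(upstream_rule, downstream_rules):
    """Inter-policy check: does the downstream peer treat the mirrored flow the same way?"""
    want = parse(mirror(upstream_rule))
    for r in map(parse, downstream_rules):
        if rule_rel(r, want) == "exact":
            return (None if r["action"] == want["action"]
                    else "shadowing" if want["action"] == "protect" else "spurious")
    return "asymmetry"  # no mirror-image rule at all: protection asymmetry
```

Running `classify` over the four rule pairs of slide 20 returns the four anomaly names in slide order; `peer_conflict` returns "shadowing", "spurious" and "asymmetry" for the pairs of slides 22, 23 and 26.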

    27

    IPSec and NAT/PAT Integration

    If VPN traffic is NATed (NAT closer to the Internet than the VPN):
    - AH is incompatible with NAT, because changing the IP header makes the DigSig invalid
      - Solution: (1) put NAT after VPN, or (2) bypass using an integrated VPN+NAT device
    - ESP transport mode is also incompatible with NAT
      - NAT changes the IP address, which implies that the TCP checksum must be changed (the TCP checksum is calculated over IP header fields too). But the TCP checksum is encrypted and cannot be modified, so the receiver will calculate a wrong checksum.
      - Solution: put NAT after VPN
    - ESP tunnel mode would work with NAT, but not with PAT. PAT causes a problem because:
      - TCP/UDP ports are inaccessible when the headers are encrypted
      - when it communicates with IKE, the source UDP port must be 500 but NAT might replace it
    - Recommendation: do not use PAT with VPN, in either AH or ESP
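Added example, not from the slides, for the "(why?)" of slides 12 and 27: the TCP checksum is computed over a pseudo-header that contains the IP addresses, so a NAT that rewrites the source address must also patch the checksum, which it cannot do when the TCP header is ESP ciphertext. The addresses and the payload are constructed; `nat_fixup` models the cleartext case the NAT can handle, and the untouched segment models the encrypted case.

```python
import struct
from ipaddress import IPv4Address

def ones_complement_sum(data: bytes) -> int:
    """Fold 16-bit big-endian words into a one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6 (TCP), TCP length."""
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_len))

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    data = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return (~ones_complement_sum(data)) & 0xFFFF

def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK) with the checksum filled in at offset 16."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: a valid segment plus its pseudo-header checksums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0

def nat_fixup(segment: bytes, new_src: str, dst_ip: str) -> bytes:
    """What a NAT does to a cleartext segment after rewriting the source address.
    It must read and rewrite the TCP checksum field, which under ESP is ciphertext."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return zeroed[:16] + struct.pack("!H", tcp_checksum(new_src, dst_ip, zeroed)) + zeroed[18:]

def nat_demo(inside="10.0.0.5", nat="203.0.113.7", peer="198.51.100.9"):
    """Constructed addresses. Verdicts at the peer for: the original segment, the
    NATed segment whose encrypted TCP header the NAT could not touch, and the NATed
    segment after a cleartext fix-up."""
    seg = build_segment(inside, peer, 40000, 443, b"constructed payload")
    return (checksum_ok(inside, peer, seg),
            checksum_ok(nat, peer, seg),
            checksum_ok(nat, peer, nat_fixup(seg, nat, peer)))
```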

    28

    VPN and Firewall Integration

    - External DMZ: the VPN might be exposed to attacks
    - Internal DMZ (screened subnet): very good solution, offers limited protection (but no NAT)
    - Parallel to the firewall: good solution if the VPN is a busy device
    - Trusted network: creates a tunnel through the firewall !! Not recommended
    - FW and VPN in one box (best solution)
      + cheaper, more secure, no NAT problems because it bypasses VPN traffic
      - offers less flexibility: the best FW vendor may not necessarily be the best VPN vendor

    29

    IPSec Pros

    Advantages:
    - Hides the identity of your network
    - Provides a secure channel: authentication, privacy and integrity
    - Connects sites (e.g., branch offices) with a cost-effective secure network compared with leased lines
    - Allows users to work from home and from mobile hosts

    30

    IPSec Cons

    Disadvantages:
    - Complex policy management
    - A single failure in the path disconnects the entire network; it also causes performance bottlenecks
    - Sometimes requires tunnels through the firewall
    - Incompatible with NAT/PAT, depending on the architecture
    - Tunneled traffic goes undetected by IDS
    - VPN gateways might be compromised, which leads to uncovering protected data