IPSec-22
Transcript of IPSec-22
8/8/2019 IPSec-22
1/10
1
IPSec/VPN Security Management
TDC 568: Network Management
Professor Ehab Al-Shaer
Sources: Panko, Stallings, NIST
2
What is a VPN?
A VPN is a tunnel because the data being transferred is encrypted and then encapsulated in IP packets by a VPN gateway.
A VPN protects the original packet from being understood (privacy), and prevents uncovering or altering the sender's or the recipient's identity (authentication).
VPN architectures:
- network to network
- host to network
- dial-up ISP to network
3
VPN Operation & Advantages
The VPN gateway reads the workstation packets and:
- encrypts the packet, then
- encapsulates the original encrypted packet in an IP packet that is destined to the end-point gateway (not the client or the server in either network)
Advantages / Services
- hides the identity of your network
- provides authentication (between gateways)
- privacy via encryption
- connects branch offices with a cost-effective network compared with leased lines
- allows users to work from home and from mobile hosts
Disadvantages of VPN (vs. leased line)
- VPN speed is bounded by the slowest link in the Internet
- a single failure in the path disconnects the entire network
4
IPSec Goals and Architectures
IPSec goals:
- Security (confidentiality, authentication, integrity)
- Allows different VPN vendors to interoperate
What is a VPN? A tunnel between two networks over a shared network infrastructure such as the Internet.
VPN/IPSec architectures:
- Host to host
- Network to network
- Host to network
- Dial-up ISP gateway to network
5
IPSec Operation Modes
IPSec transport operation:
- Encrypts the payload only
- No encapsulation, so no hiding of the original IP header
- From host to host: the host must be aware of IPSec
- Provides end-to-end protection (from host to host)
IPSec tunnel operation:
- Encrypts the entire message (headers + payload)
- Encapsulation: the IPSec gateway encrypts, encapsulates and sends the encrypted packet to the end-point IPSec router
- Could be host-host, host-gateway or gateway-gateway (the last one is the most popular)
- Transparent to hosts
- Protects the IP address/header
6
IPSec Operation: Transport Mode
[Figure: Transport mode. A secure connection runs host to host: it is secure on the Internet and also secure inside each site network. Extra software may be required on each host.]
7
IPSec Operation: Tunnel Mode
[Figure: Tunnel mode. A tunneled connection between the two IPsec gateways is secure on the Internet, but there is no security inside either site network. No extra software is needed on the hosts.]
8
IPSec Operation: Packet Headers
Transport mode:  Orig. IP Hdr | IPSec Hdr | Protected packet data field
  Destination IP address is the actual host address; vulnerable to scanning.
Tunnel mode:     New IP Hdr | IPSec Hdr | Protected original packet
  Destination IP address is the IPSec server address; the host IP address is not revealed.
9
IPSec Protocols
IPSec is a standard to provide IP security. It is mandatory in IPv6 and can be used with IPv4 too.
IPSec is transparent to the users. It consists of three main components:
- Internet Key Exchange (IKE): initial negotiation to agree upon the encryption mechanism, keys, etc.
- Authentication Header (AH): security header inserted in the IP packet to determine if the packet was altered and to authenticate the sender
- Encapsulating Security Payload (ESP): to encrypt the payload and the header of the original IP packet
10
IKE Protocol
IKE functions: (1) security parameter negotiation, (2) key exchange using Diffie-Hellman
Phase I
1. Authentication:
   - pre-shared key, manually distributed (not recommended)
   - digital certificate: both partners share the same CA; PKI can be used
2. Setting up the security parameters used for the Phase II negotiation (causing a double negotiation)
Phase II: negotiating the security parameters used in the VPN communications (authentication: MD5, SHA-1; encryption: DES, 3DES, AES; ESP or AH; etc.)
11
AH Protocol
Offers authentication and integrity (not confidentiality)
- The IP header is not hidden
- Adds an additional header that includes a digital signature (in practice a keyed hash, HMAC, see the default configuration on slide 15), called the integrity check value (ICV), calculated over fields that include the IP addresses; this ensures the identity of the sender.
- The receiver can verify this using the shared key + the source IP address in the header to re-calculate the DigSig and compare.
- This makes AH incompatible with NAT when the NAT sits between the VPN device and the Internet (why?)
- Solution: (1) put NAT after VPN, or (2) use an integrated VPN+NAT device
- A sequence number is used in the header to avoid packet replay
12
ESP Protocol
Offers full confidentiality by encrypting the IP payload.
Transport mode: adds a header and trailers as follows: the trailer includes the ICV (DigSig).
Tunnel mode: encrypts the entire packet including the IP header, and adds a new IP header, an ESP header and a trailer (for authentication too).
ESP transport mode is also incompatible with NAT when the NAT sits between the VPN device and the Internet (why?)
- NAT changes the IP address, which implies that the TCP checksum must be changed (the TCP checksum is calculated over IP header fields too). But the TCP checksum is encrypted and cannot be modified, so the receiver will calculate a wrong checksum.
- Solution: put NAT after VPN
ESP tunnel mode would work with NAT. However, it causes a problem when it communicates with IKE, because the source UDP port must be 500 but the NAT might replace it.
A sequence number in the header is used to avoid replaying packets.
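The sequence-number check that slides 11 and 12 mention, as an added example that is not part of the original deck: a sliding-window anti-replay check in Python in the style of RFC 4303, run over a constructed stream of sequence numbers. The window size and the sample sequence numbers are assumptions.

```python
class ReplayWindow:
    """ESP/AH anti-replay check with a sliding bitmap window (RFC 4303 section 3.4.3 style)."""

    def __init__(self, size=64):
        self.size = size        # window width in sequence numbers
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit k set => sequence number (highest - k) was received

    def accept(self, seq):
        """Return True if seq is new and inside the window, False if replayed or too old."""
        if seq == 0:                       # 0 is never a valid ESP/AH sequence number
            return False
        if seq > self.highest:             # ahead of the window: slide it forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:            # behind the window: too old to judge, drop
            return False
        if (self.bitmap >> offset) & 1:    # already seen: a replay
            return False
        self.bitmap |= 1 << offset         # late but legitimate (reordered) packet
        return True


def filter_sequence(seqs, size=64):
    """Run observed sequence numbers through one window; return (accepted, rejected)."""
    win = ReplayWindow(size)
    accepted, rejected = [], []
    for s in seqs:
        (accepted if win.accept(s) else rejected).append(s)
    return accepted, rejected


# Constructed sample (assumption): packets 1..5 in order, a reordered 7 before 6,
# a replay of 3, a jump to 100, a replay of 1 that is now far behind the window,
# and a replayed 99.
SAMPLE = [1, 2, 3, 4, 5, 7, 6, 3, 100, 1, 99, 99]

if __name__ == "__main__":
    ok, bad = filter_sequence(SAMPLE, size=8)
    print("accepted:", ok)
    print("rejected:", bad)
```

With a window of 8 the reordered packet 6 is still accepted after 7, while the second copy of 3, the stale 1 and the second 99 are dropped. The sequence number only has meaning per SA, so a receiver keeps one window per SPI.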
13
ESP and AH Protection using Transport Mode
Encapsulating Security Payload (ESP), Protocol = 50:
  IP Header | ESP Header | Protected | ESP Trailer
  Confidentiality; Authentication and Message Integrity
Authentication Header (AH), Protocol = 51:
  IP Header | Authentication Header | Protected
  Authentication and Message Integrity; No Confidentiality
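The header layouts of slides 8 and 13, as an added example that is not part of the original deck: Python code that builds a transport-mode and a tunnel-mode ESP packet (IPv4 header with protocol 50, then the ESP SPI and sequence number) and then reads back what an on-path observer without the keys can see. The addresses are the ones used in the deck's later examples; the SPIs and the opaque payload bytes are constructed, and the cipher itself is not modelled, only the encapsulation.

```python
import socket
import struct

ESP, AH, TCP = 50, 51, 6          # IP protocol numbers (50 and 51 as on the slide)
NAMES = {ESP: 'ESP', AH: 'AH', TCP: 'TCP'}


def ipv4_checksum(header):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack('!10H', header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header (no options) with a valid checksum in bytes 10..11."""
    fields = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0x4000, ttl,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack('!H', ipv4_checksum(fields)) + fields[12:]


def esp_header(spi, seq):
    """ESP header: 32-bit SPI (selects the SA) and 32-bit sequence number (anti-replay)."""
    return struct.pack('!II', spi, seq)


def transport_mode(src, dst, spi, seq, protected):
    """Transport mode: the original IP header is kept (protocol now 50); ESP header precedes the data."""
    body = esp_header(spi, seq) + protected
    return ipv4_header(src, dst, ESP, len(body)) + body


def tunnel_mode(gw_src, gw_dst, spi, seq, original_packet):
    """Tunnel mode: a new outer IP header between the gateways; the whole original packet is the payload."""
    body = esp_header(spi, seq) + original_packet
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body


def observer_view(packet):
    """What an observer on the Internet path can read without keys: outer IP header plus the ESP header."""
    ihl = (packet[0] & 0x0f) * 4
    proto = packet[9]
    view = {'src': socket.inet_ntoa(packet[12:16]), 'dst': socket.inet_ntoa(packet[16:20]),
            'proto': proto, 'name': NAMES.get(proto, str(proto))}
    if proto == ESP:
        view['spi'], view['seq'] = struct.unpack('!II', packet[ihl:ihl + 8])
    return view


# Constructed sample (assumption): host 1.1.1.1 talks to host 2.2.2.2; gateways 5.5.5.5 and
# 6.6.6.6 sit in between. CIPHERTEXT stands in for the encrypted TCP segment.
CIPHERTEXT = b'\x8a\x13constructed-opaque-esp-payload\x00'
INNER = ipv4_header('1.1.1.1', '2.2.2.2', TCP, len(CIPHERTEXT)) + CIPHERTEXT


def demo():
    """Return the observer's view of the same flow in transport mode and in tunnel mode."""
    transport = transport_mode('1.1.1.1', '2.2.2.2', 0x1001, 1, CIPHERTEXT)
    tunnel = tunnel_mode('5.5.5.5', '6.6.6.6', 0x2002, 1, INNER)
    return observer_view(transport), observer_view(tunnel)


if __name__ == "__main__":
    for label, view in zip(("transport", "tunnel"), demo()):
        print(label, view)
```

In transport mode the outer header still carries 1.1.1.1 and 2.2.2.2, which is the "vulnerable to scanning" point of slide 8; in tunnel mode the observer sees only the two gateway addresses, and the SPI is the value a receiver would use to look the SA up in its SAD.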
14
Modes and Protections
                                                  Tunnel Mode (IPSec Gateway to Gateway)   Transport Mode (End-to-End)
AH  (Authentication, Integrity)                   Possible                                 Possible
ESP (Confidentiality, Authentication, Integrity)  Possible                                 Possible
15
IPSec Security Association (SA)
An SA is established through IKE (Internet Key Exchange) to negotiate:
- Security algorithm to be used
- Authentication
- Symmetric key exchange (default Diffie-Hellman)
IPSec default security configuration:
- Key Exchange: Diffie-Hellman
- Encryption: DES-CBC
- Authentication: HMAC
16
IPSec Security Associations
[Figure: Party A and Party B, each with an IPsec policy server. 1. Each party holds a list of allowable security associations. 2. A Security Association (SA) for transmissions from A to B. 3. A Security Association (SA) for transmissions from B to A (can be different than the A-to-B SA).]
17
IPSec Security Association (SA)
- Each gateway has its own SA policy server
- Before an SA is negotiated, the IPSec partner must be configured locally in the security policy database (SPD)
- The SA is stored in a database (SAD) indexed by the security parameter index (SPI) included in every IPSec packet header
- Bi-directional agreement
- Policy based (e.g., the algorithm is selected based on security level and performance overhead)
18
IPSec Security Policy
Each gateway has its own IPSec policy server. Configuration is stored in the security policy database (SPD).
IPSec policy is written for outbound traffic. Inbound traffic is matched against a policy mirror image.
Policy is composed of:
- Crypto-access list: rules to protect, bypass or discard traffic.
- Crypto-map list: rules to transform traffic into protected form.
- Crypto-transform list: how to perform the traffic transformation.
19
IPSec Security Policy: Example
Topology: 1.1.1.1 -- 5.5.5.5 -- 6.6.6.6 -- 2.2.2.2
(Each device lists its crypto-access rule followed by its crypto-map rule; device placement is inferred from the transform endpoints.)
At host 1.1.1.1:
  TCP 1.1.*.* : any 2.2.*.* : any protect
  TCP 1.1.1.1 : any 2.2.2.2 : any AH Transport {HMAC MD5}
At gateway 5.5.5.5:
  TCP 1.1.*.* : any 2.2.*.* : any protect
  TCP 1.1.1.* : any 2.2.2.* : any ESP Tunnel 6.6.6.6 {3DES}
At host 2.2.2.2:
  TCP 2.2.*.* : any 1.1.*.* : any protect
  TCP 2.2.2.2 : any 1.1.1.1 : any AH Transport {HMAC MD5}
At gateway 6.6.6.6:
  TCP 2.2.*.* : any 1.1.*.* : any protect
  TCP 2.2.2.* : any 1.1.1.* : any ESP Tunnel 5.5.5.5 {3DES}
20
IPSec Intra-Policy Conflicts
Conflicts in crypto-access lists:
Shadowing:
  TCP 1.1.*.* : any 2.2.*.* : any protect
  TCP 1.1.1.1 : any 2.2.2.2 : any bypass
Redundancy:
  TCP 1.1.1.1 : any 2.2.2.2 : any protect
  TCP 1.1.*.* : any 2.2.*.* : any protect
Generalization/Exception:
  TCP 1.1.1.1 : any 2.2.2.2 : any bypass
  TCP 1.1.*.* : any 2.2.*.* : any protect
Correlation:
  TCP 1.1.1.1 : any 2.2.*.* : any bypass
  TCP 1.1.*.* : any 2.2.2.2 : any protect
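A checker for the four crypto-access-list anomalies above, as an added example that is not part of the original deck: it parses rules in the slide's own notation, works out how each later rule relates to each earlier one (subset, superset, overlap or disjoint, octet by octet and field by field) and names the anomaly from that relation and the two actions. The relation-based classification is the usual one for ordered rule lists and is an assumption about the slide's intended definitions; the redundancy test is simplified to a pairwise check that ignores rules between the pair.

```python
from dataclasses import dataclass
from itertools import combinations

FIELDS = ('proto', 'src', 'sport', 'dst', 'dport')


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    action: str


def parse_rule(text):
    """Parse the slides' notation: 'TCP 1.1.*.* : any 2.2.*.* : any protect'."""
    proto, src, _, sport, dst, _, dport, action = text.split()
    return Rule(proto, src, sport, dst, dport, action)


def atom_rel(a, b):
    """'eq', 'sub' (a is narrower than b), 'sup' (a is wider), or 'disjoint' for one octet or port."""
    if a == b:
        return 'eq'
    if b in ('*', 'any'):
        return 'sub'
    if a in ('*', 'any'):
        return 'sup'
    return 'disjoint'


def combine(rels):
    """Fold part-wise relations into one: a subset only if every part is eq or sub, and so on."""
    if 'disjoint' in rels:
        return 'disjoint'
    if rels <= {'eq'}:
        return 'eq'
    if rels <= {'eq', 'sub'}:
        return 'sub'
    if rels <= {'eq', 'sup'}:
        return 'sup'
    return 'corr'        # narrower in some parts, wider in others: partial overlap


def field_rel(a, b):
    """Octet-wise comparison of addresses such as 1.1.*.* vs 1.1.1.1 (ports/protocols are one part)."""
    return combine({atom_rel(x, y) for x, y in zip(a.split('.'), b.split('.'))})


def rule_rel(x, y):
    return combine({field_rel(getattr(x, f), getattr(y, f)) for f in FIELDS})


def find_anomalies(rules):
    """Pairwise check in list order (the earlier rule wins). Each finding is (kind, rule_i, rule_j)."""
    found = []
    for (i, ri), (j, rj) in combinations(enumerate(rules), 2):
        rel = rule_rel(rj, ri)                 # how the later rule relates to the earlier one
        same_action = ri.action == rj.action
        if rel == 'disjoint':
            continue
        if rel in ('eq', 'sub'):               # the later rule never fires: ri catches all its packets
            found.append(('redundancy' if same_action else 'shadowing', j, i))
        elif rel == 'sup':                     # the earlier rule is a special case of the later one
            found.append(('redundancy' if same_action else 'generalization', i, j))
        elif not same_action:                  # overlap both ways with different actions
            found.append(('correlation', i, j))
    return found


def analyse(lines):
    return find_anomalies([parse_rule(line) for line in lines])


# The four pairs from the slide, as constructed input in the slide's own notation
SLIDE_PAIRS = {
    'shadowing': ['TCP 1.1.*.* : any 2.2.*.* : any protect', 'TCP 1.1.1.1 : any 2.2.2.2 : any bypass'],
    'redundancy': ['TCP 1.1.1.1 : any 2.2.2.2 : any protect', 'TCP 1.1.*.* : any 2.2.*.* : any protect'],
    'generalization': ['TCP 1.1.1.1 : any 2.2.2.2 : any bypass', 'TCP 1.1.*.* : any 2.2.*.* : any protect'],
    'correlation': ['TCP 1.1.1.1 : any 2.2.*.* : any bypass', 'TCP 1.1.*.* : any 2.2.2.2 : any protect'],
}

if __name__ == "__main__":
    for expected, lines in SLIDE_PAIRS.items():
        print(expected, '->', analyse(lines))
```

Shadowing and generalization are the two that matter operationally: in the first the bypass rule is dead and the traffic is protected anyway, in the second an exception has been placed before the general rule and does take effect, which may or may not be what the administrator meant. A policy with more than two rules is checked the same way, pair by pair.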
21
IPSec Intra-Policy Conflicts
Topology: 1.1.1.1 -- 5.5.5.5 -- 6.6.6.6 -- 2.2.2.2
At 1.1.1.1:
  TCP 1.1.1.1 : any 2.2.*.* : any protect
  TCP 1.1.1.1 : any 2.2.2.* : any ESP Tunnel 6.6.6.6 {3DES}
  TCP 1.1.1.1 : any 2.2.2.2 : any AH Tunnel 2.2.2.2 {3DES}
Conflict in crypto-map paths: reversed decapsulation order on the traffic path. The AH tunnel to 2.2.2.2 ends up outermost, so 6.6.6.6 cannot terminate the ESP tunnel on the way in; 2.2.2.2 strips the AH header and returns the ESP packet to 6.6.6.6, which decrypts it and forwards it to 2.2.2.2 as clear traffic.
22
IPSec Inter-Policy Conflicts
Topology: 1.1.1.1 -- 2.2.2.2
Conflicts in crypto-access lists. Shadowing: the upstream policy blocks the traffic.
  At 1.1.1.1: TCP 1.1.*.* : any 2.2.*.* : any protect
  At 2.2.2.2: TCP 2.2.*.* : any 1.1.*.* : any bypass
Result: traffic dropped
23
IPSec Inter-Policy Conflicts
Topology: 1.1.1.1 -- 2.2.2.2
Conflicts in crypto-access lists. Spurious: the downstream policy blocks the traffic.
  At 1.1.1.1: TCP 1.1.*.* : any 2.2.*.* : any bypass
  At 2.2.2.2: TCP 2.2.*.* : any 1.1.*.* : any protect
Result: traffic dropped
24
IPSec Inter-Policy Conflicts
Topology: 1.1.1.1 -- 5.5.5.5 -- 6.6.6.6 -- 2.2.2.2
Conflicts in tunnel paths: reversed decapsulation order on the traffic path
(device placement inferred from the rule addresses)
  At 1.1.1.1:
    TCP 1.1.1.1 : any 2.2.*.* : any protect
    TCP 1.1.1.1 : any 2.2.*.* : any ESP Tunnel 6.6.6.6 {3DES}
  At 5.5.5.5:
    TCP 1.1.*.* : any 6.6.*.* : any protect
    TCP 1.1.*.* : any 6.6.*.* : any AH Tunnel 2.2.2.2 {3DES}
Result: clear traffic
25
IPSec Inter-Policy Conflicts
Topology: 1.1.1.1 -- 5.5.5.5 -- 6.6.6.6 -- 2.2.2.2
Tunnel loop conflict
  At 5.5.5.5:
    TCP 1.1.*.* : any 2.2.*.* : any protect
    TCP 1.1.*.* : any 2.2.*.* : any AH Tunnel 6.6.6.6 {3DES}
  At 6.6.6.6:
    TCP 2.2.*.* : any 1.1.*.* : any protect
    TCP 2.2.*.* : any 1.1.*.* : any ESP Tunnel 5.5.5.5 {3DES}
    TCP 1.1.*.* : any 2.2.*.* : any protect
    TCP 1.1.*.* : any 2.2.*.* : any ESP Tunnel 5.5.5.5 {3DES}
Result: traffic loop
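A path simulator for the tunnel conflicts of slides 21, 24 and 25, as an added example that is not part of the original deck: it walks one packet along the deck's linear topology, strips tunnel headers at their endpoints, applies every matching crypto-map entry at each device to the packet as received, and reports hops crossed without any tunnel header as well as tunnel loops. The policies are the crypto-map entries from the slides (access-list "protect" rows omitted); the matching semantics (entries evaluated against the outermost header, all matching entries applied in order) and the device placement are assumptions.

```python
PATH = ['1.1.1.1', '5.5.5.5', '6.6.6.6', '2.2.2.2']   # the slides' linear topology


def matches(pattern, addr):
    """Wildcard match of an address against a pattern such as 1.1.*.*."""
    return all(p in ('*', a) for p, a in zip(pattern.split('.'), addr.split('.')))


def trace(maps, src, dst, max_hops=32):
    """Forward one packet from src to dst through PATH.

    maps: {device: [(src_pattern, dst_pattern, tunnel_endpoint), ...]} in crypto-map order.
    At each device: strip tunnels that end here, then apply every matching map entry to the
    packet as received (its outermost header), pushing one new tunnel header per entry.
    Returns (outcome, clear_links): outcome is 'delivered' or 'loop'; clear_links lists the
    (from, to) hops the packet crossed with no tunnel header at all.
    """
    stack = []                   # tunnel headers, last = outermost, as (tunnel_src, tunnel_dst)
    pos = PATH.index(src)
    seen = set()
    clear_links = []
    for _ in range(max_hops):
        dev = PATH[pos]
        while stack and stack[-1][1] == dev:          # decapsulate tunnels terminating here
            stack.pop()
        if not stack and dev == dst:
            return 'delivered', clear_links
        state = (dev, tuple(stack))
        if state in seen:                              # same packet, same place: a tunnel loop
            return 'loop', clear_links
        seen.add(state)
        outer_src, outer_dst = stack[-1] if stack else (src, dst)
        for sp, dp, endpoint in maps.get(dev, []):
            if matches(sp, outer_src) and matches(dp, outer_dst):
                stack.append((dev, endpoint))
        outer_dst = stack[-1][1] if stack else dst
        nxt = pos + 1 if PATH.index(outer_dst) > pos else pos - 1
        if not stack:
            clear_links.append((dev, PATH[nxt]))
        pos = nxt
    return 'loop', clear_links                         # hop budget exhausted


# Crypto-map entries taken from the slides (constructed dictionaries; placement assumed)
CORRECT = {'5.5.5.5': [('1.1.1.*', '2.2.2.*', '6.6.6.6')],            # slide 19 gateways
           '6.6.6.6': [('2.2.2.*', '1.1.1.*', '5.5.5.5')]}
REVERSED_ORDER = {'1.1.1.1': [('1.1.1.1', '2.2.2.*', '6.6.6.6'),       # slide 21
                              ('1.1.1.1', '2.2.2.2', '2.2.2.2')]}
INTER_REVERSED = {'1.1.1.1': [('1.1.1.1', '2.2.*.*', '6.6.6.6')],      # slide 24
                  '5.5.5.5': [('1.1.*.*', '6.6.*.*', '2.2.2.2')]}
TUNNEL_LOOP = {'5.5.5.5': [('1.1.*.*', '2.2.*.*', '6.6.6.6')],         # slide 25
               '6.6.6.6': [('2.2.*.*', '1.1.*.*', '5.5.5.5'),
                           ('1.1.*.*', '2.2.*.*', '5.5.5.5')]}


def check_all():
    """Trace the 1.1.1.1 -> 2.2.2.2 flow under each policy set."""
    return {name: trace(maps, '1.1.1.1', '2.2.2.2')
            for name, maps in [('correct', CORRECT), ('reversed', REVERSED_ORDER),
                               ('inter_reversed', INTER_REVERSED), ('loop', TUNNEL_LOOP)]}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(name, result)
```

Under the slide 19 policy the only clear hops are the two inside the sites (host to its own gateway), which is what gateway-to-gateway tunnelling promises. Under the slide 21 and slide 24 policies the packet is delivered, but the hop from 6.6.6.6 to 2.2.2.2 is crossed in the clear even though the host asked for protection all the way to 2.2.2.2: 2.2.2.2 first strips the outer AH tunnel and sends the still-encrypted packet back to 6.6.6.6. Under the slide 25 policy the trace revisits 5.5.5.5 with an identical packet, which is the loop.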
26
IPSec Inter-Policy Conflicts
Protection asymmetry conflict
Access rules in both peers should be mirror images to allow protecting traffic originating from either peer.
Topology: 1.1.1.1 -- 2.2.2.2
  At 1.1.1.1: TCP 1.1.1.1 : any 2.2.2.2 : any protect
  At 2.2.2.2: TCP 2.2.*.* : any 1.1.*.* : any protect
Result: traffic dropped
27
IPSec and NAT/PAT Integration
If VPN traffic is NATed (NAT closer to the Internet than the VPN):
- AH is incompatible with NAT, because changing the IP header makes the DigSig (ICV) invalid. Solution: (1) put NAT after VPN, or (2) bypass using an integrated VPN+NAT device.
- ESP transport mode is also incompatible with NAT. NAT changes the IP address, which implies that the TCP checksum must be changed (the TCP checksum is calculated over IP header fields too). But the TCP checksum is encrypted and cannot be modified, so the receiver will calculate a wrong checksum. Solution: put NAT after VPN.
- ESP tunnel mode would work with NAT. However, not with PAT. PAT causes a problem because TCP/UDP ports are inaccessible when the headers are encrypted, and when it communicates with IKE the source UDP port must be 500 but the NAT might replace it.
Recommendation: do not use PAT with VPN, in either AH or ESP.
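The two "why?" questions from slides 11, 12 and 27 worked through in code, as an added example that is not part of the original deck: a small packet model in which a source NAT between the VPN device and the Internet rewrites the source address, and (a) the AH integrity value computed by the sender no longer verifies because the address is covered by it, while (b) in ESP transport mode the NAT cannot repair the TCP checksum because it is inside the ciphertext, so the receiver's pseudo-header check fails. The key, the addresses, the TCP segment and the XOR "seal" that stands in for the ESP cipher are all constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

SA_KEY = b'constructed-sa-key'   # constructed; a real SA's key comes from IKE


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes      # the TCP segment (header + data), plaintext or ESP-sealed


def ones_complement(data):
    """16-bit one's-complement sum used by the IP family checksums."""
    if len(data) % 2:
        data += b'\0'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    """TCP checksum over the pseudo-header (src, dst, proto 6, length) plus the segment.
    Returns 0 when the segment already carries a correct checksum."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack('!BBH', 0, 6, len(segment))
    return (~ones_complement(pseudo + segment)) & 0xffff


def with_checksum(src, dst, segment):
    """Write a fresh checksum into bytes 16..17 of the TCP header."""
    zeroed = segment[:16] + b'\0\0' + segment[18:]
    return zeroed[:16] + struct.pack('!H', tcp_checksum(src, dst, zeroed)) + zeroed[18:]


def ah_icv(pkt):
    """AH integrity check value (the slide's DigSig): HMAC over the addresses and payload with the
    mutable TTL treated as zero, truncated to 96 bits as AH does."""
    covered = socket.inet_aton(pkt.src) + socket.inet_aton(pkt.dst) + b'\0' + pkt.payload
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()[:12]


def esp_seal(segment):
    """Stand-in for the ESP cipher: XOR with a keystream the NAT does not have. Not real
    encryption (constructed placeholder); it only models that the NAT cannot read or patch the segment."""
    stream = hashlib.sha256(SA_KEY).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(segment))


def source_nat(pkt, public_ip, can_fix_checksum):
    """A NAT between the VPN device and the Internet: rewrites src, decrements TTL, and repairs
    the TCP checksum only when it can read the segment (plaintext or AH, not ESP)."""
    payload = with_checksum(public_ip, pkt.dst, pkt.payload) if can_fix_checksum else pkt.payload
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1, payload=payload)


# Constructed sample: host 1.1.1.1 -> 2.2.2.2, source-NATed to 5.5.5.5 on the way out.
SEGMENT = with_checksum('1.1.1.1', '2.2.2.2',
                        struct.pack('!HHIIBBHHH', 40000, 80, 1000, 0, 5 << 4, 0x18, 8192, 0, 0)
                        + b'constructed application data')
ORIGINAL = Packet('1.1.1.1', '2.2.2.2', 64, SEGMENT)


def ah_survives_nat():
    icv = ah_icv(ORIGINAL)                              # computed by the sender, before the NAT
    arrived = source_nat(ORIGINAL, '5.5.5.5', can_fix_checksum=True)
    return hmac.compare_digest(ah_icv(arrived), icv)    # False: the rewritten address is covered


def esp_transport_survives_nat():
    sealed = replace(ORIGINAL, payload=esp_seal(ORIGINAL.payload))
    arrived = source_nat(sealed, '5.5.5.5', can_fix_checksum=False)   # checksum is inside the ciphertext
    segment = esp_seal(arrived.payload)                 # receiver unseals (XOR twice)
    return tcp_checksum(arrived.src, arrived.dst, segment) == 0      # False: pseudo-header changed


def plain_tcp_survives_nat():
    arrived = source_nat(ORIGINAL, '5.5.5.5', can_fix_checksum=True)
    return tcp_checksum(arrived.src, arrived.dst, arrived.payload) == 0   # True: NAT repaired it


if __name__ == "__main__":
    print("plain TCP through NAT:", plain_tcp_survives_nat())
    print("AH through NAT:", ah_survives_nat())
    print("ESP transport through NAT:", esp_transport_survives_nat())
```

Placing the NAT behind the VPN device (the slide's first solution) means the packet the ICV and checksum were computed over is the one that crosses the Internet, so neither check breaks; in tunnel mode the inner header is never touched by the NAT, which is why ESP tunnel mode tolerates address translation but not port translation.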
28
VPN and Firewall Integration
- External DMZ: the VPN might be exposed to attacks.
- Internal DMZ (screened subnet): very good solution; offers limited protection (but no NAT).
- Parallel to the firewall: good solution if the VPN is a busy device.
- Trusted network: creates a tunnel through the firewall !! Not recommended.
- FW and VPN in one box (best solution): + cheaper, more secure, no NAT problems because it bypasses VPN traffic; - offers less flexibility, since the best FW vendor may not necessarily be the best VPN vendor.
29
IPSec Pros
Advantages
- Hides the identity of your network
- Provides a secure channel: authentication, privacy and integrity
- Connects sites (e.g., branch offices) with a cost-effective secure network compared with leased lines
- Allows users to work from home and from mobile hosts
30
IPSec Cons
Disadvantages
- Complex policy management
- A single failure in the path disconnects the entire network; it also causes performance bottlenecks
- Sometimes requires tunnels through the firewall
- Incompatible with NAT/PAT depending on the architecture
- Tunneled traffic is undetected by IDS
- VPN gateways might be compromised, which leads to uncovering protected data