TRANSCRIPT
VoIP over IPSec VPNs ...and some general Security tips
SEC-210 3083_05_2001_c1
© 2001, Cisco Systems, Inc. All rights reserved.
Kjetil Berge
Systems Engineer
Cisco Norway
Agenda
• Why VoIP over VPN ?
• What are the problems ?
• How to solve them ?
• My own VoIP over VPN test
History Hack: Captain Crunch (John T. Draper) and the Origin of “2600”
• Back in the early 70s, phone lines carried both signaling and regular voice traffic in-band over the same line
• Using a “Captain Crunch” cereal toy whistle it was possible to generate a 2600 Hz tone, which let a caller inject signaling into “Ma Bell’s” network
• Building on what was learned with the whistle, tones could then be sent using a “blue box” to call anywhere else for free!
• Steve Wozniak even used a “blue box” to call the Pope posing as then Secretary of State Henry Kissinger
• Moral of the story? Security through obscurity is not security (unauthenticated control channels are bad)
http://www.webcrunchers.com/crunch
General things before we start …
Security in the Enterprise
(Diagram: the Enterprise connected to the Internet, the IP WAN and the PSTN)
Perimeter Security
  Use firewalls and IP filters to limit access into the Enterprise
  Also, use firewalls to limit access between the user data networks and the IP Telephony, server farm and data center subnets
Network Separation
  Separate the VoIP devices onto their own subnetworks
  RFC 1918 addressing is preferred
  NIDS can be used to examine traffic between subnets for potential threats
Host Security
  Use non-standard access ports if possible
  Eliminate unneeded server OS files, directories and services
  A comprehensive Virus Scanning solution is critical
  Host-based IDS solutions are recommended
Device Access
  Maintain a stringent device/server access policy based on user and subnet
  Use of Time-of-Day or temporary ACLs can augment the IP filters
  Netmgmt traffic must be allowed only from a secure host
General things before we start …
• Maintain physical device security
• Use card readers and video surveillance in all data centers and wiring closets
• Restrict telnet access
• Use TACACS+/RADIUS for all devices
• Use SSH or IPsec to protect management and auditing traffic
General things before we start …
• Eliminate extraneous router services
  HTTP, TCP/UDP Small Servers, Finger, RCP/RSH
• Use neighbor authentication
  Routing protocols, HSRP, NTP
• Enable Syslog logging
  Use NTP synced timestamps
• Configure SNMP securely
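As an added example (not part of the original slides), the following Python script audits an IOS running-config for the items on this slide: extraneous services, neighbor authentication for routing protocols, HSRP and NTP, a syslog host with timestamps, and SNMP communities. Both configurations it checks are constructed for illustration, and the check patterns only cover common IOS 12.x command forms; that coverage is an assumption of the example, not a complete hardening standard.

```python
"""Audit an IOS running-config against the hardening checklist above.
Added example; check patterns cover common IOS 12.x command forms (assumption)."""
import re

# Constructed sample: a router with several extraneous services left on and
# weak management settings (not a configuration from the page).
WEAK_CONFIG = """\
version 12.1
service timestamps log datetime msec
hostname branch-vpn
ip finger
service tcp-small-servers
ip http server
ip rcmd rsh-enable
interface FastEthernet0/0
 ip address 10.200.1.1 255.255.255.0
 standby 1 ip 10.200.1.254
router eigrp 100
 network 10.0.0.0
ntp server 10.1.1.10
snmp-server community public RO
snmp-server community private RW
logging 10.1.1.20
"""

# The same router after applying the slide's advice (also constructed).
HARDENED_CONFIG = """\
version 12.1
service timestamps log datetime msec
hostname branch-vpn
no ip finger
no service tcp-small-servers
no service udp-small-servers
no ip http server
interface FastEthernet0/0
 ip address 10.200.1.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRPKEYS
 standby 1 ip 10.200.1.254
 standby 1 authentication md5 key-string HSRPKEY
router eigrp 100
 network 10.0.0.0
ntp authenticate
ntp authentication-key 1 md5 NTPKEY
ntp trusted-key 1
ntp server 10.1.1.10 key 1
logging 10.1.1.20
snmp-server community s3cr3t-ro RO 10
"""

# Any of these lines means a routing protocol peers with authentication.
ROUTING_AUTH = re.compile(r"ip authentication mode|ip ospf message-digest-key|"
                          r"ip ospf authentication|ip rip authentication|"
                          r"area \d+ authentication|neighbor \S+ password")

def has(lines, pattern):
    """True if some config line matches `pattern` from its start."""
    return any(re.match(pattern, line) for line in lines)

# (finding, predicate over the stripped config lines), in the slide's order
CHECKS = [
    ("HTTP server enabled", lambda c: has(c, r"ip http server")),
    ("TCP/UDP small servers enabled", lambda c: has(c, r"service (tcp|udp)-small-servers")),
    ("finger enabled", lambda c: has(c, r"(ip|service) finger")),
    ("rsh/rcp enabled", lambda c: has(c, r"ip rcmd (rsh|rcp)-enable")),
    ("routing protocol without neighbor authentication",
     lambda c: has(c, r"router ") and not any(ROUTING_AUTH.search(line) for line in c)),
    ("HSRP without authentication",
     lambda c: has(c, r"standby ") and not has(c, r"standby( \d+)? authentication")),
    ("NTP without authentication",
     lambda c: has(c, r"ntp server") and "ntp authenticate" not in c),
    ("no syslog host configured", lambda c: not has(c, r"logging (host )?\d+\.\d+\.\d+\.\d+")),
    ("log timestamps not enabled", lambda c: not has(c, r"service timestamps log datetime")),
    ("read-write SNMP community", lambda c: has(c, r"snmp-server community \S+ .*\bRW\b")),
    ("well-known SNMP community name", lambda c: has(c, r"snmp-server community (public|private)\b")),
]

def audit(config_text):
    """Return the list of findings for one running-config."""
    lines = [line.strip() for line in config_text.splitlines()]
    lines = [line for line in lines if line and not line.startswith("!")]
    return [finding for finding, hit in CHECKS if hit(lines)]

if __name__ == "__main__":
    for name, cfg in ("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG):
        print(name, audit(cfg) or "no findings")
```

The checks are deliberately "presence of the bad command" or "absence of the protecting command"; on a real device run it against `show running-config` output, and treat a clean result as a starting point, since a configuration can be free of these findings and still expose a service through an access-list or a VTY line.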
Topology
(Diagram: Headquarters site with a PIX firewall, a CallManager cluster, NMS, VoIP gateway/gatekeeper (GW/GK), CSPM, DNS/PDC/CA and Syslog servers on separate VLANs (100, 101, 102, 160, 200), connected to the PSTN and to the IP WAN; remote sites run DNS and optionally DHCP. The voice network and the data network are kept on separate VLANs.)
VoIP Enhancements: PAT for SIP and H.323
• Existing H.323 and SIP fixups are enhanced to support PAT
• Allows customers to conserve their IP address space
• The embedded IP address and port in the SIP/H.323 message is translated to the correct PAT address and port, and the media connections negotiated during signaling are opened up
• The PIX dynamic PAT timeout value is also set to the client registration timeout value that is established when the client registers with the SIP Proxy Server / H.323 Gatekeeper
• Existing commands are used
• Static PAT can be used for the SIP Server, H.323 GateKeeper or H.323 endpoints when the port that other endpoints will use to reach them is known ahead of time
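As an added example (not Cisco code), the Python below shows what the SIP fixup has to do that plain PAT does not: rewrite the inside address and port embedded in the Via and Contact headers and in the SDP c=/m= lines, recompute Content-Length, and derive the media pinholes to open. The INVITE, the addresses 10.200.1.5 and 198.51.100.1 and the port allocator are constructed for this example. It also shows the check a fixup must make: only media addressed to the inside host being translated gets a pinhole, so a client cannot use its own SDP to open the firewall towards some other address.

```python
"""What a SIP-aware PAT (the PIX 'fixup') must rewrite inside the message.
Added example; addresses, ports and the INVITE are constructed."""
import re

INSIDE_IP, OUTSIDE_IP = "10.200.1.5", "198.51.100.1"   # constructed (RFC 5737 test range)

SDP = ("v=0\r\n"
       f"o=alice 2890844526 2890844526 IN IP4 {INSIDE_IP}\r\n"
       "s=-\r\n"
       f"c=IN IP4 {INSIDE_IP}\r\n"
       "t=0 0\r\n"
       "m=audio 16384 RTP/AVP 18\r\n")

INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          f"Via: SIP/2.0/UDP {INSIDE_IP}:5060;branch=z9hG4bK776\r\n"
          "From: <sip:alice@example.net>;tag=1928\r\n"
          "To: <sip:bob@example.net>\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 1 INVITE\r\n"
          f"Contact: <sip:alice@{INSIDE_IP}:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP.encode())}\r\n"
          "\r\n" + SDP)

def make_allocator(first_port=1024):
    """Dynamic PAT port table: the same inside port always maps to the same outside port."""
    table = {}
    def alloc(inside_port):
        table.setdefault(inside_port, first_port + len(table))
        return table[inside_port]
    return alloc

def pat_translate_sip(msg, inside_ip, outside_ip, alloc_port):
    """Rewrite a SIP message from `inside_ip` so the outside sees `outside_ip` and
    PAT ports, and return (new_message, pinholes) where pinholes lists the
    (outside_ip, port) pairs the firewall must open for the negotiated media."""
    head, _, body = msg.partition("\r\n\r\n")
    # 1. Signaling headers (Via, Contact) carry inside_ip:port literally.
    head = re.sub(re.escape(inside_ip) + r":(\d+)",
                  lambda m: f"{outside_ip}:{alloc_port(int(m.group(1)))}", head)
    # 2. Only media the inside host itself will send/receive gets a pinhole; an SDP
    #    naming some other address must not open the firewall towards it.
    session = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    owns_media = session is not None and session.group(1) == inside_ip
    pinholes, new_body = [], []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")) and line.endswith(f"IN IP4 {inside_ip}"):
            line = line[:-len(inside_ip)] + outside_ip
        m = re.match(r"m=(\w+) (\d+) (.*)", line)
        if m and owns_media:
            rtp = int(m.group(2))
            out_rtp, out_rtcp = alloc_port(rtp), alloc_port(rtp + 1)   # RTP and RTCP
            line = f"m={m.group(1)} {out_rtp} {m.group(3)}"
            pinholes += [(outside_ip, out_rtp), (outside_ip, out_rtcp)]
        new_body.append(line)
    body = "\r\n".join(new_body)
    # 3. The body changed length, so Content-Length must follow or the far side
    #    will truncate or over-read the SDP.
    head = re.sub(r"(?im)^Content-Length: *\d+", f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body, pinholes

if __name__ == "__main__":
    out, holes = pat_translate_sip(INVITE, INSIDE_IP, OUTSIDE_IP, make_allocator())
    print(out)
    print("open UDP pinholes:", holes)
```

Two properties of the real fixup are mirrored here and worth keeping in any ALG: the pinholes are derived from the negotiated m= port and exist only for the duration of the signaling state, and the allocator hands the same outside port back for the same inside port so that Via, Contact and later requests in the dialog stay consistent.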
Customer VPN Expectations
Customers can run VoIP over their Private WANs today. IPSec VPNs are Private WAN replacements, so customers expect/want to run Voice across IPSec VPNs as well.
(Diagram: Central/HQ, Regional Sites, Branch Offices, SOHO and Telecommuters/Mobile Users connected through a Virtual Private Network over the Internet/Service Provider)
VPN Deployment Models
• Site to Site
• Site to Site SOHO
• Remote Access
Customer VPN Expectations – cont.
VoIP over VPN offers many exciting possibilities
• Implement VPN WANs to replace the traditional WAN
• Connect home offices via VPN
• Implement IP telephony
• Allows IP telephony to home offices and branch offices at no additional WAN cost!
Why VoIP over IPSec is a problem
• The crypto engine is FIFO only – unable to prioritize Voice over Data
• It is simple to overload the crypto engine with too much traffic
• QoS is required both in the Enterprise network and in the ISP network
Current Crypto Engine Issues
(Diagram: packets enter the IPSec Crypto Engine through a single FIFO queue)
VoIP packets are not prioritized in Crypto; voice quality suffers when the Crypto Engine is congested
• Crypto Engine performance and throughput varies depending upon HW
• Different Crypto engine throughputs result in variable/unacceptable delay when congestion occurs at the Crypto Engine
• FIFO entrance queuing is the issue
The Crypto Engine looks like an internal FIFO serial interface inside the router
• No support for cRTP for VoIP (the IP/UDP/RTP headers are encrypted inside ESP, so link-layer header compression cannot see them)
• Bandwidth Consumption (50 pps)
  G.711 + IPSec/GRE = approx 110 kbps per VoIP call
  G.729 + IPSec/GRE = approx 50 kbps per VoIP call
• Example – G.729 at 50 pps
  1) Voice payload = 8 kbps (20 bytes per packet)
  2) IP + Voice payload = 24,000 bps (IP 20 + UDP 8 + RTP 12 = 40 bytes of headers)
  3) IP + GRE/IPSec + Voice payload = 44,800 bps (ESP overhead = 32 bytes, variable)
  4) Add Ethernet header = 51,000 bps
Voice over VPN is large!
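Added example (not from the slides): a Python model that adds up the bytes at each encapsulation step so the figures above can be reproduced for any codec and packet rate. It assumes ESP transport mode over the GRE packet with DES-CBC (8-byte IV, 8-byte block) and HMAC-MD5-96 (12-byte ICV), and counts the GRE delivery header and ESP padding explicitly, so it lands a few kbps above the slide's rounded figures. The cRTP switch shows why header compression only helps when the packet is in the clear.

```python
"""Per-call bandwidth of VoIP over GRE + IPsec ESP, byte by byte.
Added example; the ESP parameters are assumptions (DES-CBC, HMAC-MD5-96)."""
ETHERNET_HDR = 14 + 4          # header plus FCS
IP_HDR, UDP_HDR, RTP_HDR, GRE_HDR = 20, 8, 12, 4
ESP_HDR, ESP_TRAILER = 8, 2    # SPI + sequence number; pad length + next header
CRTP_HDR = 2                   # compressed IP/UDP/RTP header in steady state
PPS = 50                       # 20 ms of audio per packet

CODECS = {"G.711": 160, "G.729": 20}   # payload bytes per packet (64 kbps / 8 kbps)

def esp_overhead(plaintext_len, iv_len=8, block=8, icv_len=12):
    """Bytes ESP wraps around `plaintext_len` bytes: header, IV, padding up to the
    cipher block size, trailer and ICV (defaults: DES-CBC + HMAC-MD5-96)."""
    padded = -(-(plaintext_len + ESP_TRAILER) // block) * block
    return ESP_HDR + iv_len + (padded - plaintext_len) + icv_len

def per_call(codec, ipsec=True, crtp=False, pps=PPS):
    """Cumulative {step: (bytes, bps)} for one call at each encapsulation step."""
    voice = CODECS[codec]
    steps = {"voice payload": voice,
             "+ IP/UDP/RTP": voice + RTP_HDR + UDP_HDR + IP_HDR}
    if ipsec:
        # GRE adds its header and a delivery IP header; ESP in transport mode
        # then encrypts everything behind that delivery header. The RTP/UDP/IP
        # headers are now ciphertext, so a link-layer cRTP compressor cannot
        # see them: `crtp` has no effect on this path.
        gre = steps["+ IP/UDP/RTP"] + GRE_HDR + IP_HDR
        steps["+ GRE"] = gre
        steps["+ ESP"] = gre + esp_overhead(gre - IP_HDR)
    elif crtp:
        steps["cRTP"] = voice + CRTP_HDR
    wire = list(steps.values())[-1]
    steps["+ Ethernet"] = wire + ETHERNET_HDR
    return {step: (nbytes, nbytes * 8 * pps) for step, nbytes in steps.items()}

def calls_per_link(link_bps, codec, **kw):
    """How many simultaneous calls fit in `link_bps` at the Ethernet level."""
    return link_bps // per_call(codec, **kw)["+ Ethernet"][1]

if __name__ == "__main__":
    for codec in CODECS:
        for step, (nbytes, bps) in per_call(codec).items():
            print(f"{codec:6} {step:13} {nbytes:4} bytes {bps:7} bps")
    print("G.729 calls on a 512 kbit/s uplink:",
          calls_per_link(512_000, "G.729"), "over IPsec,",
          calls_per_link(512_000, "G.729", ipsec=False, crtp=True), "in the clear with cRTP")
```

Changing `iv_len`, `block` and `icv_len` in `esp_overhead` gives the figure for other transforms (for example a 16-byte block and IV for AES-CBC, or a 16-byte ICV for HMAC-SHA-256), which is how to size a link before committing to a transform set.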
Current VoIP over VPN Support
• Cisco TAC will not support any Voice Quality related issues with regards to Voice over IPSec VPNs
• Customers running VoIP over IPSec VPNs do so understanding traffic is “best effort” with no guarantee of voice quality
Agenda
• Why VoIP over VPN ?
• What are the problems ?
• How to solve them ?
– Todays solutions
– What will come later this year
• My own VoIP over VPN test
Dual VPN Routers – VoIP and Data through separate Crypto Engines
(Diagram: at each site one IOS VPN Router carries the Data Tunnel and a second IOS VPN Router carries the Voice Tunnel across the Service Provider network)
Separate tunnels for Voice and Data such that Voice packets do not incur delay, jitter or loss
Requires a Service Provider that recognizes ToS/DSCP and provides an SLA
VoIP and Data through same Crypto Engine – Today’s efforts
(Diagram: a GRE Voice Tunnel and Voice/Data share one IPSec Crypto Engine on a Cisco IOS platform at each side of the Service Provider network)
Use prioritized traffic limiting techniques such that encrypted traffic throughput is limited to where voice has acceptable delay and jitter (prevent Crypto Engine over-subscription)
Test on a per platform basis the max crypto rate at which VoIP can co-exist with Data such that VoIP delays are acceptable
QoS before Crypto Engine: Prevent over-subscription of Crypto Engine
(Diagram: the same GRE Voice Tunnel and Voice/Data through the IPSec Crypto Engine on a Cisco IOS platform at each side of the Service Provider network)
Option 1: Policing on the L3 boundary before the Crypto router (L3 switch or Router)
Option 2: Police to limit encrypted traffic to throughputs where Voice has acceptable delays
What about PIX/3xxx Platforms with no QoS? How to “best” deploy
(Diagram: a Headend Cisco IOS platform and a Remote/SOHO PIX/3xxx connected by an IPSec Tunnel across the Service Provider, with external policing on the L3 boundary before the Crypto router (L3 switch or Router))
• PIX/3xxx looks like an external IOS Crypto Engine with regards to QoS
• Must provide external IOS means of preventing PIX/3xxx Crypto engine over-subscription
• PIX/3xxx max Crypto rates for voice and data not tested yet (future)
• PC data traffic is throttled to the SOHO WAN link speed, so oversubscribing a HW PIX/3xxx is unlikely – IOS QoS must be performed on the SOHO CPE device
What is Coming: Crypto LLQ - 1H 2002 CY
(Diagram: High and Low priority queues feeding the IPSec Crypto Engine through LLQ)
• Entrance Queuing to Crypto Engine
• Queue Entrance Criteria must be based on ToS/DSCP
• Crypto-LLQ is required on IOS and new VPN products
• No need for external CAR mechanisms to prevent Crypto Engine Over-subscription
LLQ on the “front end” of the Crypto Engine to prevent over-subscription
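Added example (not Cisco code) covering the FIFO problem from "Current Crypto Engine Issues" and the policing and Crypto LLQ remedies above: a small Python event simulation that feeds a constructed data burst plus one G.729-sized call through a single crypto engine, first with a FIFO entrance queue, then with a strict-priority voice queue that is policed by a token bucket (the LLQ behaviour). The engine rate (2 Mbit/s), the 10 Mbit/s data burst and the policer rate are assumptions of the example.

```python
"""FIFO vs. policed priority (LLQ-style) entrance queue in front of a crypto engine.
Added example; traffic mix, engine rate and policer rate are assumptions."""
import heapq

def simulate(arrivals, engine_bytes_per_s, policy, priority_bytes_per_s=0, burst=1500):
    """Serve `arrivals` [(t_us, size_bytes, cls), ...] through one crypto engine.
    policy 'fifo': a single queue in arrival order (what the slides describe today).
    policy 'llq' : 'voice' packets go ahead of everything else but are policed by a
                   token bucket of priority_bytes_per_s (burst bytes deep), so an
                   over-subscribed voice class is dropped instead of starving data.
    Returns ({cls: [queueing delay in us, ...]}, number of policed drops)."""
    arrivals = sorted(arrivals)
    queue, delays, seq, i, t, dropped = [], {}, 0, 0, 0, 0
    tokens, last = burst, 0
    while i < len(arrivals) or queue:
        # Enqueue everything that arrived while the engine was busy; if it is idle,
        # pull in the next arrival so time can advance.
        while i < len(arrivals) and (arrivals[i][0] <= t or not queue):
            at, size, cls = arrivals[i]
            i += 1
            prio = 1
            if policy == "llq" and cls == "voice":
                tokens = min(burst, tokens + (at - last) * priority_bytes_per_s // 1_000_000)
                last = at
                if tokens < size:          # policer: voice beyond its rate is dropped
                    dropped += 1
                    continue
                tokens -= size
                prio = 0
            heapq.heappush(queue, (prio, at, seq, size, cls))
            seq += 1
        if not queue:
            continue
        _, at, _, size, cls = heapq.heappop(queue)
        start = max(t, at)
        delays.setdefault(cls, []).append(start - at)
        t = start + size * 1_000_000 // engine_bytes_per_s   # no preemption mid-packet
    return delays, dropped

def scenario(policy):
    """Constructed load: 100 x 1500-byte data packets arriving back to back at
    10 Mbit/s from t=0 (one every 1.2 ms) plus a G.729-sized call (120-byte packets,
    50 pps) for one second, into an engine that encrypts 2 Mbit/s (250 kB/s).
    Returns (max voice queueing delay us, max data queueing delay us, voice drops)."""
    data = [(k * 1_200, 1500, "data") for k in range(100)]
    voice = [(j * 20_000, 120, "voice") for j in range(50)]
    delays, dropped = simulate(data + voice, 250_000, policy, priority_bytes_per_s=8_000)
    return max(delays["voice"]), max(delays["data"]), dropped

if __name__ == "__main__":
    for policy in ("fifo", "llq"):
        v, d, drops = scenario(policy)
        print(f"{policy}: worst voice wait {v/1000:.1f} ms, worst data wait {d/1000:.1f} ms, drops {drops}")
```

With FIFO the voice packets that arrive while the burst is queued wait for the whole backlog, hundreds of milliseconds here, which is the slide's "voice quality suffers when the Crypto Engine is congested". With the priority queue a voice packet waits at most for the single 1500-byte packet already inside the engine (6 ms at 2 Mbit/s), and the token bucket is what keeps a misconfigured or hostile voice class from turning the priority queue into a denial of service for everything else; the external CAR/policing options on the earlier slides put the same bucket in front of the router instead of inside it.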
Voice-VPN roadmap (table)
Phases: VoIP+VPN Baseline (1Q02CY), Basic Voice Quality (1H02CY), Enhanced Voice (2H02CY), Remote Access (2H02CY)
Features/Activities:
• Voice-VPN Design Guide
• Functional QoS (LLQ for CE)
• Multicast Voice/Video
• Voice-VPN Platform Testing
• Other enhancements: Call Bandwidth Minimization
• VoIP+VPN Resiliency (IPSec Stateful Failover)
• Remote Access Voice-VPN (IOS)
Local VoIP over VPN testing
(Diagram: Home office with an ADSL router and a PIX 501 (VPN, no QoS) – Service Provider ADSL network (no QoS) – ADSL router and PIX 506 (VPN, no QoS) at Cisco Norway; no QoS anywhere on the path)
Home office PIX configuration 1/2
Specify which traffic to send via the VPN tunnel
1) Traffic to CCM network 10.1.1.0
2) Traffic to IP telephones centrally (10.1.120.0)
access-list VPN-acl permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-acl permit ip 10.200.1.0 255.255.255.0 10.1.120.0 255.255.255.0
Specify that traffic between
1) local network and CCM network
2) local network and IP phones is not to be NAT-ed
access-list no-nat-acl permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat-acl permit ip 10.200.1.0 255.255.255.0 10.1.120.0 255.255.255.0
Enable the No NAT acl
nat (inside) 0 access-list no-nat-acl
Enable Skinny fixup
fixup protocol skinny 2000
Home office PIX configuration 2/2
Specify transform sets (I am using DES only)
crypto ipsec transform-set des-transform esp-des esp-md5-hmac
crypto map CiscoAVVID 1 ipsec-isakmp
crypto map CiscoAVVID 1 match address VPN-acl
crypto map CiscoAVVID 1 set peer X.X.X.X
crypto map CiscoAVVID 1 set transform-set des-transform
crypto map CiscoAVVID interface outside
isakmp enable outside
Set up shared key with central PIX
isakmp key ******** address X.X.X.X netmask 255.255.255.255
Set up ISAKMP policy
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 36000