ipsec presentation
TRANSCRIPT
-
8/18/2019 Ipsec Presentation
1/40
Presented by
Avinash R Desai
IPSec VPN’s
-
AGENDA
Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up
Q & A
-
Why Do We Care?
Many organizations are trying to use IPSec VPN to reduce costs and simplify new connections
VPN allows
– Shared Internet and Enterprise access
– Reduced access line costs
– Ease of provisioning, flexibility
– Increased security
-
IPSec VPN and V3PN Benefits
IPSec VPN design provides resiliency. Integrated branch routers provide ISP connection, VPN termination, IPT gateway, and Cisco IOS Firewall functionality
Tested scalability and performance numbers
Enhanced productivity and reduced support costs: extend central-site voice, video, data resources and applications to all corporate sites
Voice, video, data transported securely and transparently over IPSec tunnels with enabled QoS. Standard IP Telephony features including codecs, SRST preserved
-
Agenda
Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up
-
IPSec Basics
IPSec uses a Security Association (SA) and crypto key to encrypt selected data between a pair of sites
– This key is used with the DES, 3DES, or AES forms of encryption to both encrypt and decrypt data
The key is automatically established, changed, and managed by IPSec devices using IKE (Internet Key Exchange), a.k.a. "ISAKMP"
Before a key can be established, IKE does authentication
– Shared secret or Certificate Authority are two ways to do this
• IKE uses public key crypto to securely do its job
– Diffie-Hellman is the technique used to securely exchange encryption keys
-
Message Hashing
Message Hashing is used to detect altered messages
– Message bits + a secret key are combined into a short hash code
– Hash code sent in header
– If received message hash doesn't match, message was altered
– Two forms: SHA and MD5
– SHA is a bit stronger
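The keyed hash described on this slide, as an added example that is not code from the presentation: an HMAC over the message bits, truncated to 96 bits the way IPSec's HMAC-SHA1-96 and HMAC-MD5-96 integrity check values are (RFC 2404 / RFC 2403), with the receiver recomputing it to detect an altered message or a sender that lacks the secret. The key and payload are constructed.

```python
import hashlib
import hmac

# Constructed sample secret; in IPSec this is the per-SA authentication key that IKE derives.
KEY = b"constructed-shared-secret"
ICV_LEN = 12  # HMAC output truncated to 96 bits, as HMAC-SHA1-96 / HMAC-MD5-96 do

def icv(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """Combine the message bits and the secret key into a short hash code."""
    digest = hmac.new(key, message, getattr(hashlib, algo)).digest()
    return digest[:ICV_LEN]

def protect(key: bytes, payload: bytes, algo: str = "sha1") -> bytes:
    """Sender: attach the hash code to the packet (AH header / ESP trailer in IPSec)."""
    return payload + icv(key, payload, algo)

def verify(key: bytes, packet: bytes, algo: str = "sha1") -> bool:
    """Receiver: recompute the hash over the received bits and compare in constant time."""
    payload, received = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(received, icv(key, payload, algo))

def demo() -> dict:
    packet = protect(KEY, b"constructed payload: one voice RTP frame")
    # Flip one bit of the payload in transit: the received hash no longer matches.
    tampered = bytes([packet[0] ^ 0x01]) + packet[1:]
    return {
        "intact": verify(KEY, packet),          # True
        "altered": verify(KEY, tampered),       # False: message was altered
        "wrong_key": verify(b"other", packet),  # False: not from a peer holding the secret
    }
```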
-
Message Hashing
IPSec comes in two forms
– AH provides a keyed hash and authentication data
• Ensures data comes from peer router (authentication)
• Detects alterations (keyed hash)
• But does not encrypt for confidentiality
– ESP encrypts
• Two sub-modes: tunnel and transport
• In tunnel mode, the new IP header hides source and destination addresses, keeps server address confidential
• Keyed hash for detecting alterations
• Authentication
• Encryption
-
The ; Steps of IPSec SA Establishment
-
What to Encrypt
The crypto map you configure references an access list for "interesting packets"
– What to encrypt (outbound)
– What to decrypt (inbound)
If the router encrypts or decrypts the wrong packet, it gets nonsense and a bad checksum: discarded packet.
-
IPSec Troubleshooting Tips
The two ends have to agree on the various choices
– How to do IKE (IKE policy)
– Authentication method, shared secret or CA, etc.
– AH versus ESP
– Tunnel versus transport
– Message hashing scheme
• You need routing to be able to deliver packets
IPSec source address at one end must match destination at the other
You need consistent crypto access lists...
– The two endpoint ACL's need to mirror each other
• Use the ; steps to troubleshoot
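The agreement checks from this slide, as an added example that is not code from the presentation: two constructed endpoint descriptions (the IKE policy, the IPSec transform, the tunnel addresses and the crypto ACL of each end) are compared, and every place where the ends disagree, the source/destination addresses do not correspond, or a crypto ACL entry is not mirrored by the peer is reported. The field names and sample addresses are assumptions of this example.

```python
from ipaddress import ip_network

# Constructed sample endpoints (not configuration from the presentation): what each end
# believes about IKE policy, IPSec transform, tunnel addresses and its crypto ACL, whose
# permit entries are (source, destination) networks to encrypt outbound.
HQ = {
    "ike": {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": 2},
    "transform": {"protocol": "esp", "mode": "tunnel", "hash": "sha-hmac"},
    "src": "203.0.113.1", "peer": "198.51.100.7",
    "acl": [("10.1.0.0/16", "10.2.0.0/24"), ("10.1.0.0/16", "10.3.0.0/24")],
}
BRANCH = {
    "ike": {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": 2},
    "transform": {"protocol": "esp", "mode": "tunnel", "hash": "sha-hmac"},
    "src": "198.51.100.7", "peer": "203.0.113.1",
    "acl": [("10.2.0.0/24", "10.1.0.0/16"), ("10.3.0.0/24", "10.1.0.0/16")],
}

def find_mismatches(a: dict, b: dict) -> list:
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    # Everything in the IKE policy and the IPSec transform must be identical on both ends.
    for section in ("ike", "transform"):
        for key in sorted(set(a[section]) | set(b[section])):
            if a[section].get(key) != b[section].get(key):
                findings.append(f"{section}.{key}: {a[section].get(key)} vs {b[section].get(key)}")
    # The IPSec source address at one end must be the destination (peer) at the other.
    if a["src"] != b["peer"] or b["src"] != a["peer"]:
        findings.append(f"tunnel endpoints: {a['src']}->{a['peer']} vs {b['src']}->{b['peer']}")
    # Crypto ACLs must mirror each other: (src, dst) on one end is (dst, src) on the other.
    a_entries = {(ip_network(s), ip_network(d)) for s, d in a["acl"]}
    b_mirrored = {(ip_network(d), ip_network(s)) for s, d in b["acl"]}
    for src, dst in sorted(a_entries ^ b_mirrored, key=str):
        findings.append(f"crypto ACL entry not mirrored: {src} -> {dst}")
    return findings
```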
-
Agenda
Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up
-
Design Assumptions
High availability and failover with fast convergence
Support for dynamic routing
Ability to carry diverse traffic, including IP multicast, multi-protocol
Conservative CPU levels
Router-based (versus VPN concentrator)
-
Key Design Components
Cisco VPN routers as head-end VPN termination
Cisco access routers as branch termination
Use hardware IPSec acceleration
IPSec ESP Tunnel mode
GRE tunnels, dual star to two head-end routers
– At HQ or two head-end sites for geographic diversity
Internet services from an ISP
-
Enterprise IPSec VPN
-
Why GRE with IPSec?
Dynamic routing and support of multicast and non-IP protocols
Side effect: simpler implementation and troubleshooting
If you're not building in redundancy, you can leave out the GRE and the dynamic routing and reduce overhead, at the price of doing a bit more configuration
-
Key Design Components
Cost (GRE + IPSec): 2; more bytes of header (overhead)
• Total headers added: C bytes
-
Avoiding Fragmentation
We want to avoid fragmenting the IPSec packets
– They have to be re-assembled at the termination router to be decrypted
– Re-assembly is process switched
– Slow / CPU impact
– So create fragments BE
– Reduce GRE tunnel MTU to 1400 bytes
– Consider enabling Path MTU Discovery on the tunnels
-
Path MTU Discovery
Path MTU Discovery is used by current and recent UNIX and Windows servers
– They send large packets with DF set
– Intervening routers needing smaller MTU send back ICMP message with option indicating desired frame size
Problem: some web server sites block all ICMP packets
– Result: large web images,
-
Which Router?
Cisco tested ESP tunnels with GRE to 2 head-end sites, 2;F branch routers
Recommendations are based on !CH CPU for a specific traffic mix.
This is a summary: see the Cisco documents for details. In particular, specific models within a product family may have lower performance than that shown. Your Mileage May Vary.
-
Other Recommendations
Have a summarizable addressing scheme
– It can make crypto ACL's simpler, less of an issue with GRE
– Use route summarization
For central DHCP, use helper addresses remotely
Use IPSec Tunnel Mode with 3DES
Don't use IKE keepalives
Base number of head-end devices on number of remote sites and throughput
Use appropriate (recent) Cisco IOS releases
Avoid IPSec through NAT points
-
IPSec Sequence Numbers
IPSec also uses sequence numbers for anti-replay protection
– Out-of-order packets can lead to dropped packets.
– Conclusion: priority queuing and load-balancing can lead to drops in an IPSec environment.
• Make one GRE tunnel primary with single preferred path for each remote site
– Dynamic routing failover preserved
– Can use interface delay parameter to prefer one GRE tunnel over the other (if both head end routers at same site)
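The anti-replay check behind this slide, as an added example that is not code from the presentation: a receiver-side sliding window in the style of RFC 4303 (ESP) / RFC 4302 (AH). It shows that a packet reordered within the window is still accepted, a replayed duplicate is dropped, and a packet delayed past the window (for instance held back by queuing or carried over a second path) is dropped even though it is genuine. The window size and arrival orders are constructed.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay state for one SA, RFC 4303 style: a bitmap covering the
    `size` most recent sequence numbers, ending at the highest one accepted so far."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0    # bit i set means sequence number (top - i) was already received

    def accept(self, seq: int) -> bool:
        """Return True if the packet passes the replay check, updating the window."""
        if seq == 0:
            return False                       # sequence number 0 is never used
        if seq > self.top:
            # In order or ahead of the window: slide the window forward to seq.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # arrived too late: dropped, never decrypted
        if self.bitmap & (1 << offset):
            return False                       # duplicate of a packet already received
        self.bitmap |= 1 << offset             # out of order but still inside the window
        return True

def simulate(arrivals, size: int = 64) -> list:
    """Run one constructed arrival order through a fresh window; returns (seq, accepted)."""
    window = AntiReplayWindow(size)
    return [(seq, window.accept(seq)) for seq in arrivals]

# Constructed scenario with a small window so the effect is visible: packets 4 and 5 swap
# places (both accepted), 4 is replayed (dropped), then a burst of higher-priority packets
# moves the window so the delayed packets 11 and 12 fall outside it and are dropped.
if __name__ == "__main__":
    for seq, ok in simulate([1, 2, 3, 5, 4, 4, 20, 11, 12, 13], size=8):
        print(seq, "accepted" if ok else "dropped")
```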
-
Service Provider
-
Service Provider # 2
Many or even most ISP's do not honor the L3 QoS markings
– Your voice traffic may experience unacceptable delay or jitter
Whenever possible, you need SLA's
– Covering overall delay and jitter, repair time, etc.
– Or for QoS-aware service guaranteeing certain delay and jitter levels for various classes of traffic, based on agreed-upon markings
– Otherwise, you can deploy and later discover your IPSec VPN isn't working very well: no recourse.
Multiple ISP's is harder
– SLA's generally only apply within a single ISP's network
Beware: some home cable & DSL services block IPSec unless "business grade" service is paid for
-
Configuration Steps
-
Enterprise IPSec VPN
-
Sample: IKE Policy
-
Sample: IPSec Transform and Protocol
-
Sample: Encryption ACL's
-
Sample Crypto Map
-
Sample: Apply Crypto Map
-
Agenda
Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up
-
Cisco VPN Network Management Tools
CiscoWorks VPN Security Management Solution (VMS) includes
– Management Center (MC) for IDS Sensors
– Management Center for VPN Routers
– Management Center for PIX
-
Agenda
Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up
-
See Also
AVVID Enterprise Site-to-Site VPN Design
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns
-
Q & A
THANK YOU