Tippingpoint X505 Training - 05-VPN


  • 7/31/2019 Tippingpoint X505 Training - 05-VPN

    TippingPoint X505 Training

    VPN General Concepts and Configuration


    VPN Objectives

    > Upon completion of this module, you should be familiar with the following:

    General VPN Concepts

    > Types of VPNs

    > Tunneling, Authentication and Encryption

    > GRE over IPSec

    > Security Associations

    > Keys and Keying Modes

    > Internet Key Exchange

    > IPSec

    > Encryption and Data Integrity

    Site-to-Site VPN

    Client-to-Site VPN

    VPN Security Zone


    General VPN Concepts

    > Virtual Private Network or VPN, allows secure, encrypted access to your network from either a remote laptop or another site

    > Two Types of VPNs

    Site-to-Site

    > A VPN connection established between two VPN gateways, typically used for office-to-office connectivity

    Client-to-Site

    > A VPN connection established between a remote user and the VPN gateway

    > When a VPN connection is established, we refer to the connection as a VPN Tunnel

    > The X505 supports up to 250 Site-to-Site tunnels and 1000 client tunnels


    Tunneling, Authentication and Encryption

    > The X505 supports the following VPN tunneling protocols:

    IPSec

    L2TP (Layer 2 Tunneling Protocol)

    PPTP (Point-to-Point Tunneling Protocol)

    > Authentication Types

    User Authentication

    Packet Authentication

    > Encryption

    DES

    3DES

    AES

    MD5

    SHA


    GRE over IPSec

    > Generic Routing Encapsulation (GRE) is used to supplement IPSec in order to transmit multicast/routing packets across VPN tunnels


    Security Associations

    > The Security Association defines the parameters with which the VPN tunnel will be negotiated and established

    > A Security Association includes the following features

    Encryption

    Authentication of data integrity

    Sender authentication and non-repudiation (if using certificates)

    > Default SA

    The X505 has a default SA which can be used for multiple client-to-site VPN connections

    The Default SA is disabled by default


    Keys and Keying Modes

    > Keys are used to encode data for encryption and authentication

    > Key generation can be performed manually or dynamically using Internet Key Exchange (IKE)

    > Manual Keying

    Keys are specified manually by the VPN administrator

    Due to its non-dynamic nature, manual keying is less secure

    > Dynamic Keying (IKE)

    IKE is used to dynamically generate the keys, the SPI and SA used for encryption and authentication

    Two operating modes for IKE

    > IKE + Pre-Shared Key (PSK)

    > IKE + X.509 Certificate


    Internet Key Exchange

    > IKE is the method by which keys are exchanged between two VPN endpoints in order to establish a secure channel

    > An SA is established during the IKE process

    > There are two phases to IKE

    In Phase 1, the secure channel between the two VPN peers is established

    There are two modes for Phase 1: Main Mode and Aggressive Mode

    In Phase 2, the IPSec security association is established and keys are generated

    > IKE uses one of the following methods to validate the other peer's identity

    Pre-Shared Key

    X.509 Certificate


    IPSec Security Mechanisms

    > The IP header and payload are protected via the following mechanisms

    Authentication Header (AH)

    > Provides security by adding authentication information to the packet

    NOTE: When AH is used, a hash is computed using the source/destination IP addresses of the packet. Thus, using AH with a VPN gateway that is behind a NATing device (e.g. a firewall) will prevent the VPN tunnel from establishing.

    Encapsulating Security Payload (ESP)

    > Provides data encryption (DES, 3DES, AES)

    Security Parameter Index (SPI)

    > Identifies the cryptographic keys and algorithms to be used to establish a VPN tunnel
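To illustrate the NOTE on AH and NAT, this added Python example (not from the X505 training deck) computes an AH-style integrity check value over the source/destination addresses plus the payload, then shows the remote peer rejecting the packet once a NAT device has rewritten the source address. The key and the three addresses are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample values, not from the X505 deck: one AH key and three addresses.
AH_KEY = b"constructed-demo-key"
GW_PRIVATE = "10.0.0.5"       # VPN gateway's real address, behind the NAT device
GW_AFTER_NAT = "203.0.113.9"  # source address after the NAT device rewrites it
REMOTE_PEER = "198.51.100.20"


def ip_to_bytes(addr: str) -> bytes:
    """Pack a dotted-quad IPv4 address into its 4-byte wire form."""
    return bytes(int(octet) for octet in addr.split("."))


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH-style Integrity Check Value: an HMAC over the immutable IP header
    fields (source and destination address here) plus the payload.
    Mutable fields such as TTL are excluded, as AH specifies; HMAC-SHA1-96
    keeps the first 96 bits (12 bytes) of the digest."""
    covered = ip_to_bytes(src) + ip_to_bytes(dst) + payload
    return hmac.new(AH_KEY, covered, hashlib.sha1).digest()[:12]


def peer_accepts(src_seen: str, dst: str, payload: bytes, icv: bytes) -> bool:
    """The remote peer recomputes the ICV over the addresses it actually received."""
    return hmac.compare_digest(ah_icv(src_seen, dst, payload), icv)


def ah_survives(nat_in_path: bool) -> bool:
    """Send one AH-protected packet from the gateway; return whether the peer accepts it."""
    payload = b"constructed IPsec payload"
    icv = ah_icv(GW_PRIVATE, REMOTE_PEER, payload)   # computed before the NAT device
    src_on_wire = GW_AFTER_NAT if nat_in_path else GW_PRIVATE
    return peer_accepts(src_on_wire, REMOTE_PEER, payload, icv)


if __name__ == "__main__":
    print("no NAT :", ah_survives(False))  # True
    print("NAT    :", ah_survives(True))   # False: the ICV no longer matches
```

Because ESP does not cover the outer IP addresses in its integrity check, it is the mechanism that can still work for a gateway behind NAT.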


    Encryption and Data Integrity

    > Data is encrypted using one of the following data encryption methods

    DES or Data Encryption Standard

    > Uses a 56-bit key to encrypt data

    3DES or Triple DES

    > A variation of DES that uses a 168-bit key

    AES or Advanced Encryption Standard

    > A new generation encryption method

    > Can be operated in 128-bit, 192-bit or 256-bit key modes

    > Data integrity is ensured by one of the following hash algorithms

    MD5 or Message Digest 5

    > The resulting hash is a 128-bit key which is used to verify the content, source and integrity of data

    SHA or Secure Hash Algorithm

    > This algorithm produces a 160-bit key and is more secure than MD5


    IKE Proposals


    Site-to-Site VPN

    > Used to connect two remote sites

    > IPSec is used to provide encryption for site-to-site VPN tunnels

    > Tunnel Mode vs Transport Mode

    In Tunnel Mode, the entire packet is encapsulated within another packet, making the source/destination IP as well as the payload completely invisible to the medium

    In Transport Mode, only the payload of the packet is encrypted. Thus, the source/destination IP addresses are usually publicly routable addresses
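The difference in what an observer on the medium can see is shown by this added Python example (not part of the deck). The addresses are constructed, and a fixed byte XOR stands in for the ESP cipher so the script runs offline; the point is which IP addresses remain in cleartext, not the cipher itself.

```python
from dataclasses import dataclass

# Constructed addresses, not from the deck.
HOST_A = "192.168.1.10"     # private host behind gateway A
HOST_B = "192.168.2.20"     # private host behind gateway B
GATEWAY_A = "203.0.113.1"   # public address of gateway A
GATEWAY_B = "198.51.100.1"  # public address of gateway B


@dataclass
class IPPacket:
    src: str
    dst: str
    payload: bytes


def esp_encrypt(data: bytes) -> bytes:
    """Stand-in for ESP encryption (DES/3DES/AES on the X505): a fixed XOR,
    used only so the script runs offline. Real ESP uses the negotiated cipher."""
    return bytes(b ^ 0x5A for b in data)


def transport_mode(pkt: IPPacket) -> IPPacket:
    """Transport mode: only the payload is encrypted; the original header stays."""
    return IPPacket(pkt.src, pkt.dst, esp_encrypt(pkt.payload))


def tunnel_mode(pkt: IPPacket, gw_src: str, gw_dst: str) -> IPPacket:
    """Tunnel mode: the whole original packet (header + payload) is encrypted
    and carried inside a new packet addressed between the two gateways."""
    inner = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
    return IPPacket(gw_src, gw_dst, esp_encrypt(inner))


def visible_on_medium(pkt: IPPacket) -> tuple[str, str, bool]:
    """What an observer learns: the cleartext addresses, and whether either
    private host address appears anywhere in the bytes on the wire."""
    wire = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
    leaks = HOST_A.encode() in wire or HOST_B.encode() in wire
    return pkt.src, pkt.dst, leaks


if __name__ == "__main__":
    original = IPPacket(HOST_A, HOST_B, b"hello from A")
    print("transport:", visible_on_medium(transport_mode(original)))
    print("tunnel   :", visible_on_medium(tunnel_mode(original, GATEWAY_A, GATEWAY_B)))
```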


    Configuring a Site-to-Site Tunnel

    > Enable IPSec

    > Create a new IKE Proposal (or use the default)

    > Create a Security Association

    > Identify the remote network (specify manually or create an IP Address Group)

    > Decide on a keying method

    > Decide on Tunnel or Transport mode


    Client-to-Site VPN

    > Used to enable remote users to gain access to corporate networks

    > Supported Protocols

    IPSec Tunnel Mode

    L2TP/IPSec

    PPTP (with up to 128-bit MPPE)

    > User Authentication is accomplished via the local user database or RADIUS


    Client VPN Operation Modes

    > IPSec Tunnel Mode

    Same mechanisms as site-to-site tunnel mode VPN

    > L2TP over IPSec

    L2TP uses PPP (Point-to-Point Protocol) to make connections over IP networks (PPP is typically used for modem dial-up applications)

    L2TP over IPSec uses IPSec Transport mode to provide security to connections

    Supported authentication protocols

    > PAP

    > CHAP

    > MS-CHAP

    > MS-CHAPv2

    > PPTP with MPPE

    Point-to-Point Tunneling Protocol

    PPTP is a legacy protocol found in many older versions of Windows

    Microsoft Point-to-Point Encryption (MPPE) standard used for encryption


    Configuring Client Tunnel

    > Decide which mode to use

    > IPSec

    Create a new IKE Proposal (or use the default)

    Enable Global IPSec

    Enable the Default SA

    > The Default SA is the only one that allows multiple connections

    > L2TP/IPSec

    Complete all steps for IPSec above

    Enable L2TP

    > PPTP

    Enable the PPTP Server

    Check Require Encryption to use MPPE

    > Configure User Authentication

    Local User Database

    RADIUS

    > Configure your VPN client


    VPN and Security Zone Interaction

    > Traffic from remote sites and/or users connecting to the network via VPN can be terminated into any configured security zone

    > In order to provide maximum protection, it may be wise to use the pre-configured VPN zone to implement policy (Firewall and IPS)

    LAB 5: VPN Implementation