
TippingPoint X505 Training

VPN General Concepts and Configuration

VPN Objectives

> Upon completion of this module, you should be familiar with the following:
General VPN Concepts
> Types of VPNs
> Tunneling, Authentication and Encryption
> GRE over IPSec
> Security Associations
> Keys and Keying Modes
> Internet Key Exchange
> IPSec
> Encryption and Data Integrity
Site-to-Site VPN
Client-to-Site VPN
VPN Security Zone

General VPN Concepts

> Virtual Private Network, or VPN, allows secure, encrypted access to your network from either a remote laptop or another site
> Two types of VPNs
Site-to-Site
> A VPN connection established between two VPN gateways, typically used for office-to-office connectivity
Client-to-Site
> A VPN connection established between a remote user and the VPN gateway
> When a VPN connection is established, we refer to the connection as a VPN Tunnel
> The X505 supports up to 250 Site-to-Site tunnels and 1000 client tunnels

Tunneling, Authentication and Encryption

> The X505 supports the following VPN tunneling protocols:
IPSec
L2TP (Layer 2 Tunneling Protocol)
PPTP (Point-to-Point Tunneling Protocol)

> Authentication types
User Authentication
Packet Authentication

> Encryption and integrity algorithms
DES
3DES
AES
MD5 (hash algorithm, used for data integrity rather than encryption)
SHA (hash algorithm, used for data integrity rather than encryption)

GRE over IPSec

> Generic Routing Encapsulation (GRE) is used to supplement IPSec in order to transmit multicast/routing packets across VPN tunnels

Security Associations

> The Security Association defines the parameters with which the VPN tunnel will be negotiated and established
> A Security Association includes the following features
Encryption
Authentication of data integrity
Sender authentication and non-repudiation (if using certificates)

> Default SA
The X505 has a default SA which can be used for multiple client-to-site VPN connections
The Default SA is disabled by default

Keys and Keying Modes

> Keys are used to encode data for encryption and authentication
> Key generation can be performed manually or dynamically using Internet Key Exchange (IKE)
> Manual Keying
Keys are specified manually by the VPN administrator
Due to its non-dynamic nature, manual keying is less secure
> Dynamic Keying (IKE)
IKE is used to dynamically generate the keys, the SPI and the SA used for encryption and authentication
Two operating modes for IKE:
> IKE + Pre-Shared Key (PSK)
> IKE + X.509 Certificate

Internet Key Exchange

> IKE is the method by which keys are exchanged between two VPN endpoints in order to establish a secure channel
> An SA is established during the IKE process
> There are two phases to IKE
In Phase 1, the secure channel between the two VPN peers is established
There are two modes to Phase 1: Main Mode and Aggressive Mode
In Phase 2, the IPSec security association is established and keys are generated
> IKE uses one of the following methods to validate the other peer's identity
Pre-Shared Key
X.509 Certificate
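The two IKE phases described above, as an added worked example that is not part of the training material and not TippingPoint code. It models Phase 1 with pre-shared-key authentication and the Phase 2 (Quick Mode) key derivation following the RFC 2409 formulas, simplified: SA payloads are omitted from the authentication hashes, the Diffie-Hellman group is a constructed toy group (the Mersenne prime 2^127 - 1, generator 3) standing in for the real MODP groups, and HMAC-SHA1 is the pseudo-random function. The peer identities, nonces, cookies and SPI are constructed values. The point it shows is that a peer with a different PSK produces a different SKEYID, so its HASH_I does not verify and no tunnel is established.

```python
import hashlib
import hmac
import os

# Constructed toy Diffie-Hellman group: the Mersenne prime 2^127 - 1 with generator 3.
# Real IKE uses the MODP groups of RFC 2409 / RFC 3526; the key-derivation steps are the same.
P = (1 << 127) - 1
G = 3
PROTO_IPSEC_ESP = 3   # protocol identifier used in the Quick Mode KEYMAT derivation


def prf(key, data):
    """IKE's pseudo-random function; HMAC-SHA1 here, as when SHA is chosen in the proposal."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n):
    """Encode a group element (< 2^127) as 16 big-endian bytes."""
    return n.to_bytes(16, "big")


class Peer:
    """One VPN gateway: its PSK, identity and fresh per-negotiation values."""

    def __init__(self, psk, identity):
        self.psk, self.identity = psk, identity
        self.x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2   # private DH exponent
        self.pub = pow(G, self.x, P)                                    # g^x, sent in the clear
        self.nonce = os.urandom(16)
        self.cookie = os.urandom(8)


def phase1_skeyid(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 s.5.4, pre-shared-key authentication: SKEYID = prf(PSK, Ni | Nr), then
    SKEYID_d (Phase 2 key material), SKEYID_a (IKE integrity), SKEYID_e (IKE encryption)."""
    skeyid = prf(psk, ni + nr)
    d = prf(skeyid, i2b(gxy) + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + i2b(gxy) + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + i2b(gxy) + cky_i + cky_r + b"\x02")
    return skeyid, d, a, e


def auth_hash(skeyid, g_own, g_peer, cky_own, cky_peer, identity):
    """HASH_I / HASH_R: binds the DH exchange and the identity to knowledge of the PSK
    (the SA payload of RFC 2409 is omitted in this simplified model)."""
    return prf(skeyid, i2b(g_own) + i2b(g_peer) + cky_own + cky_peer + identity)


def phase1(init, resp):
    """Main Mode with PSK. Returns SKEYID_d as seen by each side, or None when authentication fails."""
    gxy_i = pow(resp.pub, init.x, P)      # each side computes g^xy from the other's public value
    gxy_r = pow(init.pub, resp.x, P)
    ki = phase1_skeyid(init.psk, init.nonce, resp.nonce, gxy_i, init.cookie, resp.cookie)
    kr = phase1_skeyid(resp.psk, init.nonce, resp.nonce, gxy_r, init.cookie, resp.cookie)
    # initiator sends HASH_I; responder recomputes it from its own SKEYID (i.e. its own PSK)
    hash_i = auth_hash(ki[0], init.pub, resp.pub, init.cookie, resp.cookie, init.identity)
    expected_i = auth_hash(kr[0], init.pub, resp.pub, init.cookie, resp.cookie, init.identity)
    if not hmac.compare_digest(hash_i, expected_i):
        return None
    hash_r = auth_hash(kr[0], resp.pub, init.pub, resp.cookie, init.cookie, resp.identity)
    expected_r = auth_hash(ki[0], resp.pub, init.pub, resp.cookie, init.cookie, resp.identity)
    if not hmac.compare_digest(hash_r, expected_r):
        return None
    return ki[1], kr[1]


def phase2_keymat(skeyid_d, spi, ni2, nr2):
    """Quick Mode without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni2 | Nr2) (RFC 2409 s.5.5)."""
    return prf(skeyid_d, bytes([PROTO_IPSEC_ESP]) + spi.to_bytes(4, "big") + ni2 + nr2)


def establish_tunnel(psk_initiator, psk_responder):
    """Run both phases; True when both peers end up with the same IPSec key material."""
    init = Peer(psk_initiator, b"gw-a.example")   # constructed identities
    resp = Peer(psk_responder, b"gw-b.example")
    result = phase1(init, resp)
    if result is None:
        return False
    d_i, d_r = result
    ni2, nr2, spi = os.urandom(16), os.urandom(16), 0x3001
    return phase2_keymat(d_i, spi, ni2, nr2) == phase2_keymat(d_r, spi, ni2, nr2)


if __name__ == "__main__":
    print(establish_tunnel(b"same secret", b"same secret"))   # True
    print(establish_tunnel(b"secret one", b"secret two"))     # False: Phase 1 authentication fails
```

When troubleshooting a site-to-site tunnel that never comes up, this is the distinction to keep in mind: a PSK mismatch fails inside Phase 1, before any IPSec SA exists, whereas a proposal mismatch (encryption, hash or lifetime) surfaces as a failure to agree on Phase 2 parameters.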

IPSec Security Mechanisms

> The IP header and payload are protected via the following mechanisms
Authentication Header (AH)
> Provides security by adding authentication information to the packet
NOTE: When AH is used, the integrity hash is computed over the packet including its source/destination IP addresses. Thus, using AH with a VPN gateway that is behind a NATing device (e.g. a firewall) will prevent the VPN tunnel from establishing, because the NAT rewrites an address that the hash covers.
Encapsulating Security Payload (ESP)
> Provides data encryption (DES, 3DES, AES)
Security Parameter Index (SPI)
> Identifies the cryptographic keys and algorithms to be used to establish a VPN tunnel
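The AH-behind-NAT note above, as an added worked example that is not part of the training material and not TippingPoint code. It builds a minimal IPv4 header, computes an AH Integrity Check Value (HMAC-SHA1-96, i.e. SHA-1's 160-bit digest truncated to 96 bits) over the immutable header fields plus the AH header and payload, and then shows that a router decrementing the TTL leaves the ICV valid while a NAT device rewriting the source address does not. The key, addresses, SPI and payload are constructed values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values for the demonstration (not from the training material).
AH_KEY = b"constructed-demo-ah-key"
ICV_LEN = 12  # HMAC-SHA1-96: SHA-1's 160-bit digest truncated to 96 bits


def ip_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero since it is not part of the ICV."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def immutable_view(hdr):
    """AH zeroes fields that legitimately change in transit (TTL, header checksum) but
    keeps the source and destination addresses inside the authenticated data."""
    h = bytearray(hdr)
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, hdr, payload, spi, seq, next_header=6):
    """Integrity Check Value over immutable IP header + AH header (ICV field zeroed) + payload.
    AH header: next header, payload length (in 32-bit words minus 2), reserved, SPI, sequence."""
    ah_no_icv = struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\x00" * ICV_LEN
    mac = hmac.new(key, immutable_view(hdr) + ah_no_icv + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def ah_verify(key, hdr, payload, spi, seq, icv):
    """Receiver side: recompute the ICV over the packet as it arrived and compare."""
    return hmac.compare_digest(ah_icv(key, hdr, payload, spi, seq), icv)


def nat_rewrite_source(hdr, new_src):
    """What a NAT device does to an outbound packet: replace the source address."""
    h = bytearray(hdr)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)


def demo_ah_behind_nat():
    """Returns (valid direct, valid after NAT, valid after a router hop)."""
    payload = b"constructed TCP segment"
    hdr = ip_header("192.168.1.10", "203.0.113.5", 6, 20 + 24 + len(payload))
    icv = ah_icv(AH_KEY, hdr, payload, spi=0x1001, seq=1)
    direct = ah_verify(AH_KEY, hdr, payload, 0x1001, 1, icv)
    natted = nat_rewrite_source(hdr, "198.51.100.20")   # private source translated by the NAT
    after_nat = ah_verify(AH_KEY, natted, payload, 0x1001, 1, icv)
    hopped = bytearray(hdr)
    hopped[8] -= 1                                      # a router decremented the TTL
    after_hop = ah_verify(AH_KEY, bytes(hopped), payload, 0x1001, 1, icv)
    return direct, after_nat, after_hop


if __name__ == "__main__":
    print(demo_ah_behind_nat())   # (True, False, True)
```

This is why a gateway that must sit behind a NAT device is configured with ESP rather than AH: ESP's ICV covers only the ESP header and payload, not the outer IP addresses.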

Encryption and Data Integrity

> Data is encrypted using one of the following data encryption methods
DES or Data Encryption Standard
> Uses a 56-bit key to encrypt data
3DES or Triple DES
> A variation of DES that uses a 168-bit key
AES or Advanced Encryption Standard
> A new generation encryption method
> Can be operated in 128-bit, 192-bit or 256-bit key modes

> Data integrity is ensured by one of the following hash algorithms
MD5 or Message Digest 5
> The resulting hash is a 128-bit digest which is used to verify the content, source and integrity of data
SHA or Secure Hash Algorithm
> This algorithm produces a 160-bit digest and is more secure than MD5

IKE Proposals

Site-to-Site VPN

> Used to connect two remote sites
> IPSec is used to provide encryption for site-to-site VPN tunnels
> Tunnel Mode vs Transport Mode
In Tunnel Mode, the entire packet is encapsulated within another packet, making the original source/destination IP addresses as well as the payload completely invisible to the medium
In Transport Mode, only the payload of the packet is encrypted. Thus, the source/destination IP addresses are usually publicly routable addresses
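Tunnel Mode versus Transport Mode, as an added worked example that is not part of the training material and not TippingPoint code. It builds ESP packets in both modes over a constructed inner packet and then inspects what an on-path observer can read. It also shows the ESP integrity check from the Encryption and Data Integrity section (HMAC-SHA1-96, the 160-bit SHA-1 digest truncated to 96 bits). Because the Python standard library has no AES, a toy HMAC-SHA256 counter-mode keystream stands in for the cipher; the packet layout, padding and trailer follow the ESP format. Keys, addresses, SPI and payload are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

ESP_PROTO = 50
IPIP_PROTO = 4     # next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12       # HMAC-SHA1-96 integrity check value

# Constructed keys for the demonstration; a real SA receives these from IKE.
ENC_KEY = b"constructed-demo-encryption-key"
AUTH_KEY = b"constructed-demo-auth-key"


def ip_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at zero for simplicity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def keystream(key, iv, n):
    """Toy counter-mode keystream from HMAC-SHA256. It stands in for AES, which the
    standard library does not provide; the packet layout is the point of this example."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(spi, seq, plaintext, next_header):
    """ESP body: SPI | Seq | IV | encrypted(plaintext | pad | pad_len | next_header) | ICV."""
    iv = os.urandom(8)
    pad_len = (-(len(plaintext) + 2)) % 4          # align the trailer to 4 bytes
    padded = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ct = bytes(p ^ k for p, k in zip(padded, keystream(ENC_KEY, iv, len(padded))))
    body = struct.pack("!II", spi, seq) + iv + ct
    icv = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]   # encrypt-then-MAC
    return body + icv


def transport_mode(spi, seq, src, dst, proto, payload):
    """Transport mode: the original IP header stays; only the payload is protected."""
    esp = esp_encapsulate(spi, seq, payload, next_header=proto)
    return ip_header(src, dst, ESP_PROTO, 20 + len(esp)) + esp


def tunnel_mode(spi, seq, gw_src, gw_dst, src, dst, proto, payload):
    """Tunnel mode: the whole inner packet, header included, sits behind a new outer header."""
    inner = ip_header(src, dst, proto, 20 + len(payload)) + payload
    esp = esp_encapsulate(spi, seq, inner, next_header=IPIP_PROTO)
    return ip_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp


def on_the_wire(wire):
    """What an on-path observer can read: outer addresses, protocol, SPI. Not the payload."""
    return {
        "src": socket.inet_ntoa(wire[12:16]),
        "dst": socket.inet_ntoa(wire[16:20]),
        "proto": wire[9],
        "spi": struct.unpack("!I", wire[20:24])[0],
    }


def leaks(wire, needle):
    """True if a byte string (an address, an HTTP verb) appears in clear on the wire."""
    return needle in wire


if __name__ == "__main__":
    pkt = dict(src="10.0.1.25", dst="10.0.2.40", proto=6, payload=b"GET /secret HTTP/1.1")
    t = transport_mode(0x2001, 1, **pkt)
    u = tunnel_mode(0x2001, 1, "198.51.100.1", "203.0.113.1", **pkt)
    print(on_the_wire(t))   # inner hosts visible in the outer header
    print(on_the_wire(u))   # only the two gateways visible
    print(leaks(t, b"GET"), leaks(u, socket.inet_aton("10.0.1.25")))   # False False
```

In both modes the SPI travels in the clear, which is what lets the receiving gateway pick the right SA before it can verify or decrypt anything; that is why the SPI field is listed as a security mechanism in its own right above.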

Configuring a Site-to-Site Tunnel

> Enable IPSec
> Create a new IKE Proposal (or use the default)
> Create a Security Association
> Identify the remote network (specify manually or create an IP Address Group)
> Decide on a keying method
> Decide on Tunnel or Transport mode

Client-to-Site VPN

> Used to enable remote users to gain access to corporate networks
> Supported protocols
IPSec Tunnel Mode
L2TP/IPSec
PPTP (with up to 128-bit MPPE)
> User authentication is accomplished via the local user database or RADIUS

Client VPN Operation Modes

> IPSec Tunnel Mode
Same mechanisms as site-to-site tunnel mode VPN
> L2TP over IPSec
L2TP uses PPP (Point-to-Point Protocol) to make connections over IP networks (PPP is typically used for modem dial-up applications)
L2TP over IPSec uses IPSec Transport mode to provide security to connections
Supported authentication protocols:
> PAP
> CHAP
> MS-CHAP
> MS-CHAPv2
> PPTP with MPPE
Point-to-Point Tunneling Protocol
PPTP is a legacy protocol found in many older versions of Windows
Microsoft Point-to-Point Encryption (MPPE) is the standard used for encryption
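The PPP authentication protocols listed above, as an added worked example that is not part of the training material and not TippingPoint code. It implements the CHAP exchange of RFC 1994 (MD5 over identifier, secret and challenge) on the server side, alongside a PAP check, and shows why CHAP's fresh challenge matters: a response is only good for the challenge it was computed against. The user database and secrets are constructed values.

```python
import hashlib
import hmac
import os

# Constructed user database for the demonstration. Note that CHAP needs the shared
# secret itself (not a one-way hash of it) on the server side to recompute responses.
USER_DB = {b"alice": b"constructed-secret-1"}


def chap_challenge():
    """Server picks a fresh random challenge for every authentication attempt."""
    return os.urandom(16)


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier | Secret | Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(name, identifier, challenge, response):
    """Server side: recompute the expected response and compare in constant time."""
    secret = USER_DB.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def pap_verify(name, password):
    """PAP: the password itself crosses the link, so it is only acceptable inside the IPSec transport SA."""
    return USER_DB.get(name) == password


def demo():
    """Returns (correct secret, wrong secret, old response against a new challenge)."""
    chal = chap_challenge()
    good = chap_verify(b"alice", 1, chal, chap_response(1, USER_DB[b"alice"], chal))
    wrong_secret = chap_verify(b"alice", 1, chal, chap_response(1, b"guess", chal))
    # the response from the first session does not verify against a fresh challenge
    stale = chap_verify(b"alice", 2, chap_challenge(), chap_response(1, USER_DB[b"alice"], chal))
    return good, wrong_secret, stale


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Each protocol in the list is weaker than the next one down, but all of them run inside the IPSec transport-mode SA that L2TP over IPSec establishes first, so the PPP credentials are never on the wire in the clear even with PAP.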

Configuring a Client-to-Site Tunnel

> Decide which mode to use
> IPSec
Create a new IKE Proposal (or use the default)
Enable Global IPSec
Enable the Default SA
> The Default SA is the only one that allows multiple connections
> L2TP/IPSec
Complete all steps for IPSec above
Enable L2TP
> PPTP
Enable the PPTP Server
Check Require Encryption to use MPPE
> Configure user authentication
Local User Database
RADIUS
> Configure your VPN client

VPN and Security Zone Interaction

> Traffic from remote sites and/or users connecting to the network via VPN can be terminated into any configured security zone
> In order to provide maximum protection, it may be wise to use the preconfigured VPN zone to implement policy (Firewall and IPS)

LAB 5 VPN Implementation