Cisco Secure VPN Ebook free download pdf pdf

(1)

This study guide will help you to prepare you for the Cisco Secure

VPN exam, 9E0-570, which is one in a series of four exams required

to achieve the Cisco Security Specialty. Exam topics include building

and maintaining Cisco security solutions, which encompass

standalone firewall products and IOS software features, IPSEC, and

Configuring VPNs on the Cisco Concentrator platform.

Notice: While every precaution has been taken in the preparation of this material, neither the author nor BrainBuzz.com assumes any liability in the event

of loss or damage directly or indirectly caused by any inaccuracies or incompleteness of the material contained in this document. The information in this

document is provided and distributed "as-is", without any expressed or implied warranty. Your use of the information in this document is solely at your own

risk, and Brainbuzz.com cannot be held liable for any damages incurred through the use of this material. The use of product names in this work is for

information purposes only, and does not constitute an endorsement by, or affiliation with BrainBuzz.com. Product names used in this work may be

registered trademarks of their manufacturers. This document is protected under US and international copyright laws and is intended for individual, personal

use only. For more details, visit our

legal page.

Check for the newest version of this Cramsession

(2)

1

Con t e n t s:

Cont ent s: ... 1

Ov erview of VPN and I PSec Technologies... 3

What is a VPN?... 3

General VPN Diagram ... 3

Why Use a VPN? ... 4

What ar e som e of t he ot her com ponent s of a VPN? ... 4

Confident ialit y ... 4

I nt egrit y ... 5

Aut hent icat ion ... 5

VPN Types ... 5

I nt ernet VPN ... 5

I nt ranet VPN ... 5

Ext ranet VPN... 5

Rem ot e user s ... 6

What is a Tunnel?... 6

What I s I PSec?... 7

I PSec Net w ork Securit y Com m ands ... 7

I PSec or I P ( I nt ernet Pr ot ocol Securit y) ... 7

Why Do We Need I PSec? ... 9

Loss of Privacy ... 9

Loss of Dat a I nt egrit y ... 9

I dent it y Spoofing ... 9

Denial- of- service ... 9

Cisco leveraged I PSec Benefit s ... 9

I PSec Ar chit ect ure ... 10

I PSec Packet s... 11

Aut hent icat ion header ( AH) ... 11

Encapsulat ing securit y payload ( ESP) ... 11

(3)

2

Transport Mode ... 11

Tunnel Mode ... 12

Crypt ology Basics ... 13

Advant ages and Disadv ant ages ... 13

Cert ificat ion Aut horit y ( CA) ... 13

Message Digest 5 ( MD5) ... 13

VeriSign, I nc. ... 13

Com m on Algorit hm s... 14

Com m and r eference for I PSec, I KE and CA ... 14

Cisco VPN 3000 Concent rat or Overview ... 14

Cisco VPN 3000 Concent rat or ... 14

What is t he Concent rat or?... 14

Configurat ions guide for t he 3000 series ... 15

3000 Concent rat or Shot s: ... 16

Ot her Cisco VPN Pr oduct s and Solut ions ... 16

Cisco VPN 3000 Concent rat or Configurat ions Guide... 17

Configurat ions ... 17

Advanced Configurat ions: ... 17

Advanced Encrypt ion Configurat ions: ... 17

Crypt o Maps ... 18

Crypt o m ap ... 18

Creat ing Crypt o Maps ... 18

Com m and r eference ... 19

(4)

3

Ove r vie w of VPN a n d I PSe c Te ch n ologie s

W h a t is a VPN ?

Cisco Docum ent at ion on VPN

• A VPN is a Virt ual Privat e Net w ork

• Now, as m ore and m ore com panies need access for rem ot e users, m obile users or rem ot e offices, your current archit ect ure can be augm ent ed wit h a VPN

• A Virt ual Privat e Net w ork is a net w ork t hat ’s creat ed by encrypt ion ( Tunneling) across anot her unsecured m edium , like t he I nt ernet

• What is great about Cisco and VPN’s is t hat all Cisco devices can be

configured as a VPN enabled device solely by t he I OS feat ure set it self. There is a concent rat or series, but you can t ake a PI X or a basic rout er and “ VPN enable it ” by configuring t he I OS

Ge n e r a l VPN D ia gr a m

(5)

4

• I n any VPN solut ion, you generally have a Main office or WHQ ( World Head Quart ers) t hat everyone com es back t o use or get resources

• Here w e see t hat a Mobile user, a branch office, and a hom e office are all accessing resources in t he Main Office via t he service provider’s net w ork and VPN, Virt ual Privat e Net w ork

W h y Use a VPN ?

• Well, it is cost effect ive for one t hing. The service provider supplies t he brunt of t he hardw are and support for your new WAN connect ions

• I t can be used as an augm ent at ion t o your exist ing infrast ruct ure. I f you have m any m obile users, rem ot e offices and rem ot e branches, t his m ay be a

t echnology you can im plem ent

W h a t a r e som e of t h e ot h e r com pon e n t s of a VPN ?

• You definit ely need t o look int o securit y for one, and pay at t ent ion t o QoS for anot her. Securit y is in your hands and is your responsibilit y; t herefore, you m ust use encrypt ion and configure it . Also, if t here are m ission crit ical services, rem em ber… a VPN m ay not offer you t he flexibilit y of having a specific am ount of bandw idt h. Usually it is com prised of going over dial up connect ions t hat are not very fast

• Cisco VPNs em ploy out st anding encrypt ion and t unneling support : I PSec, L2TP and GRE, t o nam e a few t unneling st andards, and DES and 3DES based encrypt ion t echnologies

A VPN generally consist s of a secure, privat e t unnel bet w een a rem ot e endpoint and a gat ew ay. ( A t unnel is explained below .) The sensit ive nat ure of som e

com m unicat ions requires t he help of I PSe c t o provide: 1) confident ialit y, 2) int egrit y, and 3) aut hent icat ion services.

Here is w hat t hese t hree services really do:

Con fide n t ia lit y

• I f som et hing is sent , t hen t he int ended part y can read it , w hile at t he sam e t im e ot her part ies m ay int ercept it but are not be able t o read it

(6)

5

I n t e gr it y

• I s m aking sure t hat t he dat a is t ransm it t ed from t he source t o t he int ended dest inat ion w it hout undet ect ed alt erat ions or changes

• Provided by hashing algorit hm s such as MD5

Au t h e n t ica t ion

• I s knowing t hat t he dat a you received is in fact t he sam e as t he dat a t hat was sent and t hat t he person or sender who claim s t o have sent it is in fact t he act ual person or sender

• Provided by m echanism s such as t he exchange of digit al cert ificat es

VPN Type s

I n t e r n e t VPN

• A privat e com m unicat ions channel over t he public access I nt ernet

Th is t ype of VPN ca n be divide d in t o:

• Connect ing rem ot e offices across t he I nt ernet

• Connect ing rem ot e- dial users t o t heir hom e gat ew ay via an I SP ( som et im es called a VPDN, Virt ual Privat e Dial Net w ork)

I n t r a n e t VPN

• A privat e com m unicat ion channel in an ent erprise or an organizat ion t hat m ay or m ay not involve t raffic going across a WAN

• Rem em ber, an I nt ranet is a net w ork t hat is only accessible from wit hin your I nt ernet work. You can have users dial in for access your t o I nt ranet via a VPN

Ex t r a n e t VPN

• A privat e com m unicat ions channel bet w een t w o or m ore separat e ent it ies t hat m ay ent ail dat a going across t he I nt ernet or som e ot her WAN

(7)

6

Re m ot e u se r s

• The I nt ernet provides a low - cost alt ernat ive for enabling rem ot e users t o access t he corporat e net w ork

• Rat her t han m aint aining large m odem banks and cost ly phone bills, t he ent erprise can enable rem ot e users t o access t he net w ork over t he I nt ernet

• Wit h j ust a local phone call t o an I nt ernet service provider, a user can have access t o t he corporat e net w ork

Here is anot her breakdow n of t he t ypical VPN archit ect ure:

W h a t is a Tu n n e l?

• A Tunnel is t ype of encrypt ion t hat m akes t he connect ion from one point t o t he ot her point secure

(8)

7 A diagram of a Tunnel m ay look like t his:

W h a t I s I PSe c?

All Configurat ion based com m ands and det ails can be found here:

I PSec Net w ork Securit y Com m ands

St ep by st ep t ut orial from Cisco on how t o configure I PSec I nt el Whit e paper on I PSec

Microsoft on I PSec im plem ent at ion

I PSe c or I P ( I n t e r n e t Pr ot ocol Se cu r it y )

• I P Securit y ( I PSec) is a st andards based Prot ocol t hat provides privacy, int egrit y, and aut hent icit y t o dat a t hat is t ransferred across a net w ork

• A Maj or problem t oday is t hat t he I nt ernet has a m aj or lack of securit y ( it w asn’t designed t o have a lot of securit y) and m ore and m ore people are using it each and every day bot h for privat e use and business use – t his poses a m aj or problem and a m aj or t hreat

• The I nt ernet is subj ect t o m any at t acks t hat include:

(9)

8

o Denial- of- service

( Each of t hese is described below in t he “ Why Do We Need I PSec?” sect ion.)

• The goal of I PSec is t o address all of t hese t hreat s w it hout t he requirem ent of expensive host or applicat ion m odificat ions and changes

• Before I PSec, net w orks w ere forced t o deploy part ial solut ions t hat addressed only a port ion of t he problem . An exam ple is SSL, w hich only provides

applicat ion encrypt ion for Web brow sers and ot her applicat ions. SSL prot ect s t he confident ialit y of dat a sent from each applicat ion t hat uses it , but it does

• SSL or Secure Socket s Layer is applicat ion level or Web Brow ser Client based encrypt ion

• I PSec provides I P net w ork- layer encrypt ion. The st andards define several new packet form at s:

o The aut hent icat ion header ( AH) t o provide dat a int egrit y

o The encapsulat ing securit y payload ( ESP) t o provide confident ialit y and

dat a int egrit y

• I PSec com bines several different securit y t echnologies int o a com plet e syst em t o provide confident ialit y, int egrit y, and aut hent icit y

• I n part icular, I PSec uses:

o Diffie- Hellm an key exchange for deriving key m at erial bet ween peers

on a public net w ork

o Public key crypt ography for signing t he Diffie- Hellm an exchanges t o

guarant ee t he ident it y of t he t w o part ies and avoid m an- in- t he- m iddle at t acks

o Bulk encrypt ion algorit hm s, such as DES, for encrypt ing t he dat a o Keyed hash algorit hm s, such as HMAC, com bined wit h t radit ional hash

algorit hm s such as MD5 or SHA for providing packet aut hent icat ion

o Digit al cert ificat es, signed by a cert ificat e aut horit y, t o act as digit al I D

(10)

9

W h y D o W e N e e d I PSe c?

Loss of Pr iva cy

• A perpet rat or m ay be able t o observe confident ial dat a as it t raverses t he I nt ernet

• This abilit y is probably t he largest inhibit or of business- t o- business

com m unicat ions t oday. Wit hout encrypt ion, every m essage sent m ay be read by an unaut horized part y

Loss of D a t a I n t e gr it y

• Even for dat a t hat is not confident ial, one m ust st ill t ake m easures t o ensure dat a int egrit y

• For exam ple, you m ay not care if anyone sees your rout ine business t ransact ion, but you would cert ainly care if t he t ransact ion were m odified

I de n t it y Spoofin g

• Moving beyond t he prot ect ion of dat a it self, you m ust also be careful t o prot ect your ident it y on t he I nt ernet

• Many securit y syst em s t oday rely on I P addresses t o uniquely ident ify users

D e n ia l- of- se r vice

• As organizat ions t ake advant age of t he I nt ernet , t hey m ust t ake m easures t o ensure t hat t heir syst em s are available

• Over t he last several years at t ackers have found deficiencies in t he TCP/ I P prot ocol suit e t hat allows t hem t o arbit rarily cause com put er syst em s t o crash

Cisco le ve r a ge d I PSe c Be n e fit s

• I PSec is a key t echnology com ponent of Cisco's end- t o- end net w ork service offerings. Working w it h it s part ners in t he Ent erprise Securit y Alliance, Cisco ensures t hat I PSec is available for deploym ent w herever it s cust om ers need it . Cisco and it s part ners offer I PSec across a w ide range of plat form s t hat includes:

o Cisco I OS soft ware o Cisco PI X Firewall

(11)

10

• Cisco is w orking closely w it h t he I ETF t o ensure t hat I PSec is quickly st andardized and is available on all ot her plat form s

• Cust om ers w ho use Cisco's I PSec w ill be able t o secure t heir net w ork infrast ruct ure wit hout cost ly changes t o every com put er. Cust om ers who deploy I PSec in t heir net w ork applicat ions gain privacy, int egrit y, and aut hent icit y cont rols w it hout affect ing individual users or applicat ions. Applicat ion m odificat ions are not required, so t here is no need t o deploy and coordinat e securit y on a per- applicat ion, per- com put er basis

• I PSec provides an excellent rem ot e user solut ion. Rem ot e w orkers can use an I PSec client on t heir PC in com binat ion w it h t he Layer 2 Tunneling Prot ocol ( L2TP) t o connect back t o t he ent erprise net w ork. The cost of rem ot e access is decreased dram at ically, and t he securit y of t he connect ion act ually

im proves over t hat of dialup lines

I PSe c Ar ch it e ct u r e

(12)

11

I PSe c Pa ck e t s

• I PSec defines a new set of headers t hat are added t o I P Dat agram s

• These new headers are placed aft er t he I P header and before t he Layer 4 prot ocol ( TCP or UDP)

Au t h e n t ica t ion h e a de r ( AH )

• This header w ill ensure t he int egrit y and aut hent icit y of t he dat a w hen it is added t o t he dat agram

• I t doe s n ot provide confident ialit y prot ect ion

• AH uses a keyed hash funct ion rat her t han digit al signat ures and t his is because digit al signat ure t echnology is w ay t oo slow and w ould reduce net w ork t hroughput

• AH is also em bedded in t he dat a for prot ect ion purposes

En ca psu la t in g se cu r it y pa yloa d ( ESP)

• This header prot ect s t he confident ialit y, int egrit y, and aut hent icit y of t he dat a w hen added t o t he dat agram

• AH and ESP can be used independent ly or t oget her, alt hough for m ost applicat ions j ust one of t hem is sufficient

• For bot h of t hese prot ocols, I PSec does not define t he specific securit y algorit hm s t o use, but rat her provides an open fram ew ork for im plem ent ing indust ry st andard algorit hm s

• ESP e n ca psu la t e s t he dat a t o be prot ect ed

N ot e : Ensure t hat , when configuring your access list s, prot ocol 50 and 51 as well as UDP port 500 t raffic is not blocked at int erfaces used by I PSec. Ot herw ise, you m ay have a problem

I PSe c pr ovide s t w o m ode s of ope r a t ion

Tr a n spor t M ode

• An encapsulat ion m ode for AH and ESP

(13)

12

• The advant age of Transport m ode is t hat it only adds a few byt es t o each packet

• This m ode also allow s devices on t he public net w ork t o view t he source and dest inat ion of each packet

• The disadvant age of Transport m ode is t hat passing t he I P header in t he clear allow s an at t acker t o capt ure t he packet and perform som e t raffic analysis

Source Dest inat ion En cr ypt e d D a t a

Tu n n e l M ode

• Wit h t unnel m ode t he e n t ir e I P dat agram is encrypt ed and it t hen becom es t he pa yloa d in a new ly const ruct ed I P packet

• Tunnel m ode also allow s a rout er t o act as an I PSec proxy, w hich m eans t hat t he rout er perform s encrypt ion on behalf of t he host s

• A great advant age is t hat t he source and t he dest inat ion addresses a r e n ot

visible w hile encrypt ed

• Re m e m be r : Tu n n e l M ode is u se d t o pr ot e ct D a t a gr a m s sou r ce d fr om or de st in e d t o n on - I PSe c syst e m s

Tunnel Source

Tunnel Dest inat ion

En cr ypt e d Sou r ce

En cr y pt e d D e st

En cr ypt e d D a t a

For excellent diagram s, explanat ions and m ore inform at ion on t he I PSec Packet st ruct ure for Transport and Tunnel m ode visit t he AT&T I PSec Link below :

(14)

• As part of a public key infrast ruct ure, a CA checks w it h a regist rat ion hashes for aut hent icat ion for I PSec

• Rem em ber t hat SHA is m ore secure t han MD4 and MD5

Ve r iSign , I n c.

• VeriSign

(15)

14

Com m on Algor it h m s

DES Dat a Encrypt ion St andard Uses 56 bit key

3DES Encrypt s a block 3 t im es w it h 3 different keys RSA Rivest , Sham ir, and Adelm an

Com m on key is 512 bit s Diffie- Hellm an Very old

Does not support Digit al Signat ures and encrypt ion Not e: Rem em ber t hese basic fact s

Com m a n d r e fe r e n ce for I PSe c, I KE a n d CA

I f you need t o configure any of t hese t echnologies, use t his com m and reference on t he Cisco web sit e for all your needs:

Com m and Reference

Cisco VPN 3 0 0 0 Con ce n t r a t or Ove r vie w

Cisco V PN 3 0 0 0 Con ce n t r a t or

Cisco Docum ent at ion

Not e: This used t o be an Alt iga product unt il Cisco bought it

W h a t is t h e Con ce n t r a t or ?

(16)

15

• I t is unique in t hat it can offer field sw appable com ponent s called Scalable Encrypt ion Processing or SEP m odules. I t is also cust om er upgradeable

• The specialized SEP m odules perform hardware based accelerat ion

• Only t he VPN 3 0 8 0 Concent rat or is available in a fully redundant configurat ion at t his t im e

• Special feat ures:

o Broadband perform ance o Scalable encrypt ion

o Redundant , hot sw ap SEPs w it h st at eful SEP failover o St at eless chassis failover ( VRRP)

o Redundant pow er supplies o Full inst rum ent at ion

Con figu r a t ion s gu ide for t h e 3 0 0 0 se r ie s

Configurat ion Event s I nt erfaces General

Syst em Configurat ion User Managem ent Servers Policy Managem ent Address Managem ent Adm inist rat ion Tunneling Prot ocols Monit oring

I P Rout ing Using t he Com m and Line I nt erface Managem ent Prot ocols Errors and t roubleshoot ing

Not e: All inform at ion on t he concent rat or can be found w it hin t hese links

Alt hough t his is not on t he exam , you m ay find t his link VERY helpful if you are im plem ent ing a VPN solut ion w it h t he 3000 and Microsoft Technologies

H ow t o Con figu r e t h e VPN 3 0 0 0 Con ce n t r a t or w it h M icr osoft Ce r t ifica t e s

(17)

16

3 0 0 0 Con ce n t r a t or Sh ot s:

Front and back view s

For a ll Con ce n t r a t or ba se d in for m a t ion

Concent rat or Docum ent at ion Client based Docum ent at ion

Ot h e r Cisco VPN Pr odu ct s a n d Solu t ion s

• Cisco provides a suit e of VPN- opt im ized rout ers t hat run t he range of VPN applicat ions from t elecom m ut er applicat ions w it h t he Cisco 800 for I SDN access t o rem ot e office connect ivit y w it h t he Cisco 1700, 2600, and 3600 t o head- end connect ivit y w it h t he Cisco 7200 & 7500

• Furt herm ore, Cisco product breadt h ext ends int o t he new w orld of broadband t elecom m ut er and sm all office VPN connect ivit y w it h t he Cisco UBr900 cable access rout er/ m odem and t he Cisco 1400 DSL rout er/ m odem . Providing DSL and cable solut ions is unique in t he VPN m arket

• The Cisco 7100 Series VPN Rout er is an “ int egrat ed VPN rout er” t hat provides solut ions for VPN- cent ric environm ent s. VPN- opt im ized rout ers provide VPN solut ions for hybrid VPN environm ent s w here m odularit y, port densit y, and flexibilit y is required for privat e WAN aggregat ion and ot her classic WAN applicat ions

(18)

17

single or dual hom ing WAN configurat ions and it provides high perform ance for robust VPN services t hroughput

• You can also look at t he 5000 series concent rat or, but it is not list ed on t he

• Configuring t he Cisco VPN 3000 Concent rat or and t he Net w ork Associat es PGP Client

• How t o Configure I PSec Client s t o Aut hent icat e t o and Receive Addresses from a Funk RADI US Server

Adva n ce d En cr ypt ion Con figu r a t ion s:

• Configuring and Troubleshoot ing Cisco's Propriet ary Net w ork- Layer Encrypt ion ( Part I )

(19)

A Cisco I OS soft ware configurat ion t ool t hat perform s specific funct ions:

(20)

19

• I P encrypt ion is support ed, and users can t unnel ot her prot ocols inside of I P and encrypt t he encapsulat ing I P packet s and payload

• This procedure can be done using t he keyw ord GRE in access- list ent ries

• The algorit hm specified in t his m ap m ust be running on t he rout er in order t o use it , so if t he m ap specifies "4 0 - bit - de s cfb- 6 4," t he global com m and "a lgor it h m 4 0 - bit - de s cfb- 6 4" m ust be in t he configurat ion in order t o encrypt dat a

• By default , t he 56- bit im age runs 5 6 - bit - D ES CFB- 6 4, and t he 40- bit im age runs 4 0 - bit - D ES CFB- 6 4

• As w it h any rout e m ap configurat ions, crypt o m aps have t o be carefully w rit t en before applying t hem t o t he int erface in order t o verify w hat w ill be encrypt ed

• Console access is recom m ended for applicat ion of t he m ap

Com m a n d r e fe r e n ce

Cr ypt o k e y ge n e r a t e r sa Generat e a RSA key pair

Cr ypt o ca ce r t ifica t e qu e r y Enables query m ore / causes cert ificat es and CRL ( Cert ificat e Revocat ion List ) t o be st ored locally

Cr ypt o ca ide n t it y Declare a ca

En r ollm e n t u r l Specifies t he url of t he ca

En r ollm e n t m ode r a Specified t hat t he ca syst em provides a regist rat ion aut horit y

Cr l opt ion a l Even if t he appropriat e CRL is not accessible, ot her peer cert ificat es can st ill be accept ed

Ex it This w ill exit ca/ ident it y config m ode

Cr ypt o ca a u t h e n t ica t e Get t he ca public key

Cr ypt o ca e n r oll Request s cert ificat es for all t he RSA key pairs

Cr ypt o ca Cr l r e qu e st Request s an updat ed CRL

Re fe r e n ce for M a ps

Cr ypt o m a p Apply a crypt o m ap set t o t he int erface

(21)

20

Se t t r a n sfor m - se t Specify w hich t ransform set s are allow ed for t he m ap ent ry

M a t ch a ddr e ss Nam e an ext ended access list t o use ( opt ional)

Se t pe e r Specifies a rem ot e I PSec peer