© 1999, Cisco Systems, Inc Chapter 11 Understanding Cisco IOS IPSec Support

© 1999, Cisco Systems, Inc. MCNS Objectives Upon completion of this chapter, you will be able to perform the following task: Identify IPSec encryption protocols implemented in Cisco IOS Software

© 1999, Cisco Systems, Inc. MCNS PIXX Firewall Protected DMZ Dirty DMZ X.0 /24.2 Outside X.0/24.1 DMZ Inside.3 NASX IS.1 10.X.2.1 /24 10.X.2.2 to 10.X.2.10 /24 Windows NT PC NT1 NT Server: CiscoSecure NT, IIS FTP and Web Server Cisco Security Manager, Syslog Server, TFTP Server.4 Instructor NT Server: FTP, HTTP, CA / X.1 /30 PerimeterX Router 10.X.1.0 /24 Bastion Host: Web Server FTP Server.3 Sales Dialup Frame Relay (Internet) Telco Simulator 100X MCNS Lab Environment Generic.1.2 X = POD #

© 1999, Cisco Systems, Inc. MCNS © 1999, Cisco Systems, Inc Cisco IOS IPSec Technologies

© 1999, Cisco Systems, Inc. MCNS IPSecInteroperable Encryption and Authentication IP Header AH Header ESP Header IP Data (Encrypted) AHIP HDRDataESP

© 1999, Cisco Systems, Inc. MCNS © 1999, Cisco Systems, Inc Key Exchange Mechanisms

© 1999, Cisco Systems, Inc. MCNS Internet Key Exchange (IKE) (AKA: ISAKMP-Oakley) Authenticates peers Negotiates policy to protect communication Diffie-Hellman Key Exchange

© 1999, Cisco Systems, Inc. MCNS How IPSec Uses IKE Alices router 1. Outbound packet from Alice to Bob. No IPSec SA 2. Alices IKE begins negotiation with Bobs IKE 3. Negotiation complete. Alice and Bob now have complete set of SAs in place IKE IPSec Bobs router 4. Packet is sent from Alice to Bob protected by IPSec SA IPSec IKE Tunnel

© 1999, Cisco Systems, Inc. MCNS © 1999, Cisco Systems, Inc Public Key Infrastructure Methods

© 1999, Cisco Systems, Inc. MCNS Public Key Infrastructure Certificate Authority (CA) verifies identity and signs digital certificate Certificate equivalent to an ID card Enables large-scale IPSec deployment Interoperate with: Baltimore, Netscape, Verisign Onsite for IPSec and Entrust VPN Connector Internet

© 1999, Cisco Systems, Inc. MCNS © 1999, Cisco Systems, Inc Cisco IOS Cryptosystem Overview

© 1999, Cisco Systems, Inc. MCNS encrypt Data Encryption Standard(DES) to encrypt data identity Digital Signature Standard(DSS) to ensure the identity of your peer Diffie-Hellman key exchange Diffie-Hellman to do key exchange securely Cisco IOS Cryptosystem Text Encrypt Key Public Signature Data

© 1999, Cisco Systems, Inc. MCNS DES Encryption Encryption turns cleartext into ciphertext Decryption restores cleartext from ciphertext Keys enable encryption and decryption Encrypt Decrypt Key Encrypted Message Clear Message Shared Secret Key

© 1999, Cisco Systems, Inc. MCNS DSS Signature Generation Hash Function Private Signature Hash Routing Update Router A + = SignatureRouting Update 3. Router A appends signature and routing update, sends to router B 2. Router A encrypts hash using router As private key, creates digital signature 1. Router A hashes routing update

© 1999, Cisco Systems, Inc. MCNS DSS Signature Verification 5. Router B decrypts signature using router As public key, obtains hash 6. Router B hashes the routing update 7. Router B compares hashes. If hashes are equal, signature is authentic. Public Hash Router B 4. Router B separates signature and routing update + Signature = Routing Update Hash Function SignatureRouting Update

© 1999, Cisco Systems, Inc. MCNS Diffie-Hellman Key Agreement Performs Authenticated key exchange (Y B )Y A ) (Y B ) mod p = K (Y A ) mod p = K XB XB XB XB XA XA XA XA X A Private Value, X A Y A Public Value, Y A X B Private Value, X B Y B Public Value, Y B AliceBob YAYAYAYA YBYBYBYB Y B Y B = g mod p XBXBXBXB Y A Y A =g mod p XAXAXAXA

© 1999, Cisco Systems, Inc. MCNS MD5 Message Hash Fixed-length hashed output message Variable-length input message MD5 message-digest algorithm –Message hash used to ensure the message has not been altered –Used with CHAP authentication, DSS Hash Function Hash Function Clear Message Hashed Message

© 1999, Cisco Systems, Inc. MCNS © 1999, Cisco Systems, Inc Tunneling Protocols

© 1999, Cisco Systems, Inc. MCNS Tunneling Protocols L2FLayer 2 Forwarding Cisco Implementation L2TPLayer 2 Tunneling Protocol IETF Review PPTPPoint-to-Point Tunneling Protocol Microsoft Generic Routing Encapsulation Cisco Implementation

© 1999, Cisco Systems, Inc. MCNS © 1999, Cisco Systems, Inc Virtual Private Networks

© 1999, Cisco Systems, Inc. MCNS The Internet Creating a private network across the Internet For confidentiality (privacy) For non-TCP/IP protocols For control of traffic Virtual Private Networks

© 1999, Cisco Systems, Inc. MCNS The Internet Virtual private network Company to Internet VPN Example

© 1999, Cisco Systems, Inc. MCNS Remote site ISP cloud Home network Home gateway Remote POP Local POP Overview–L2TP

© 1999, Cisco Systems, Inc. MCNS IKE and IPSec Flowchart IOS IPsec Once per IPsec SA (between source and destination) ISAKMP/Oakley Once per ISAKMP SA (between two peers ) Once per private/public key pair CA Authentication Select traffic with access-lists Ipsec SA? IKE SA? Authen. with CA? Encrypt packet and transmit Negotiate IPsec SA over ISAKMP SA Negotiate ISAKMP SA with other peer Get CAs public key Get certificate for own public key y n y n n y Keys Encrypt? y Transmit out interface n with access-lists Each packet access-list 1XX permit crypto ipsec transform- set crypto map crypto ipsec transform- set crypto map crypto isakmp policy crypto isakmp identity crypto key generate crypto key pubkey-chain crypto isakmp policy crypto isakmp identity crypto key generate crypto key pubkey-chain crypto ca identity crypto ca authenticate crypto ca enroll crypto ca crl request crypto ca identity crypto ca authenticate crypto ca enroll crypto ca crl request

© 1999, Cisco Systems, Inc. MCNS © 1999, Cisco Systems, Inc Summary and Review Questions

© 1999, Cisco Systems, Inc. MCNS Summary Ciscos IPSec implementation is multi-vendor compatible, standards-based GRE supports all popular packet types Cisco supports L2TP for VPN IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard Digital signatures, enabled by public key cryptography, provide a means to digitally authenticate devices and individual users

© 1999, Cisco Systems, Inc. MCNS Review Questions 1. What is the difference between ESP Transport mode and ESP Tunnel mode? ESP Tunnel mode encapsulates the entire datagram and gives it a new IP Header. 2. What elements of security does AH provide? A.Data Integrity B.Origin Authentication C.Replay protection (optional) 3. What element of security does AH not provide? A.Confidentiality

© 1999, Cisco Systems, Inc. MCNS Review Questions (cont.) 4. Can IPSec be configured without IKE? Yes 5. What are three of the benefits of IKE? A.Automated IPSec security parameter distribution B.Can specify a lifetime for IPSec security association C.Can change encryption keys during IPSec session D.Allows IPSec to provide anti-replay services E.CA support F.Dynamic authentication of peers 6. What is the Primary purpose of a CA? To verify the identity of an entity in a digital transmission