Lesson 10: SAFE VPN IPSec Virtual Private Networks in Depth
© 2005 Cisco Systems, Inc. All rights reserved. CSI v2.1, slide 10-1


Architecture Overview

Design Fundamentals
The following VPN design objectives guide the decision-making process:
– Secure connectivity
– Reliability, performance, and scalability
– Options for high availability
– Authentication of users and devices in the VPN
– Secure management
– Security and attack mitigation before and after IPSec

Branch Versus Headend Considerations
Small and medium VPN designs can be used in two configurations:
– The design acting as a branch of a larger organization
– The design acting as the headend of an organization's network

Remote User Design
[Figure: the four remote-user connectivity options, each reaching the ISP edge module through a broadband access device]
– Software client option: Cisco VPN Software Client with personal firewall
– Remote-site firewall option: home-office firewall with VPN
– Remote-site router option: router with firewall and VPN
– Hardware VPN client option: Cisco VPN Hardware Client (broadband access device optional)

SAFE VPN Design Considerations (Axioms)

SAFE VPN Design Considerations (Axioms)
– Identity and IPSec access control
– IPSec
– IP addressing
– Multiprotocol tunneling
– NAT
– Single-purpose versus multipurpose devices
– IDS, NAC, split tunneling, and VPNs
– Interoperability
– Fragmentation and Path MTU Discovery
– Network operations
– HSRP
– Compression
– Remote-access user requirements
– High availability

Identity and IPSec Access Control
– User and device authentication control VPN access.
– Device authentication uses either a pre-shared key or a digital certificate.
– There are three types of pre-shared key: unique (one key per peer), group (one key shared by a group of remote users), and wildcard (one key accepted from any peer address).
– Digital certificates scale better than pre-shared keys but require additional administrative resources (a PKI to enrol, renew, and revoke them).
– Protecting the keying material is important: a leaked group or wildcard key lets any host holding it complete device authentication with the headend.
– Implement inbound ACLs on the VPN devices for site-to-site traffic.
– For remote-access traffic, filtering is applied dynamically: the filter for the user or group is attached when the tunnel is established rather than as a static interface ACL.

IPSec
Configurable values that define IPSec behavior are:
– Data encryption
– Device authentication and credentials
– Data integrity
– Address hiding (tunnel mode hides the original inner addresses)
– SA key aging (lifetimes)
The IPSec standard requires at least one of data integrity or data encryption; in practice use both, since encryption without integrity protection leaves the ciphertext open to undetected manipulation.
Data integrity in this lesson comes in two types, MD5 HMAC and SHA HMAC (HMAC-MD5-96 and HMAC-SHA-1-96). Current deployments should prefer HMAC-SHA-256 or an AEAD cipher such as AES-GCM; MD5 is no longer acceptable.
IPSec offers the ability to change SA lifetimes.
Perfect Forward Secrecy (PFS) runs a fresh Diffie-Hellman exchange for each IPSec SA, so a compromised IKE key does not expose earlier traffic keys; it increases the level of security but also increases processor overhead.

IP Addressing
To maintain scalability, performance, and manageability, it is highly recommended that remote sites and users be addressed from a subnet of the major corporate network so that their routes can be summarized at the headend.
[Figure: telecommuter or mobile worker with a client IP address and a VPN adapter IP address reaching an application server across the ISP and the Internet; the VPN private and public address blocks shown in the original (/8, /16 and /24 prefixes) are not preserved in the transcript]

Tunneling Protocols
– IPSec as a standard supports IP unicast traffic only; multicast, broadcast, and non-IP traffic (and therefore dynamic routing protocols) must be carried inside another tunnel before encryption.
– L2TP is better suited for remote-access VPNs.
– GRE is better suited for site-to-site VPNs.
– GRE and L2TP allow a single set of IPSec SAs to tunnel all traffic from one site to another, instead of one SA pair per protected subnet pair.

Network Address Translation
NAT can occur before or after IPSec. Avoid applying NAT to VPN traffic unless it is necessary to provide access.
NAT after IPSec (the encrypted packet is translated) guidelines:
– NAT for address hiding after IPSec encryption provides no benefit; tunnel mode already hides the inner addresses.
– Use ESP tunnel mode instead of AH: the AH integrity check covers the outer source and destination addresses, so any translation invalidates it, while the ESP check does not cover the outer IP header.
– For remote access, use NAT transparency mode (ESP in UDP/4500) when PAT is occurring, because ESP carries no port numbers for a PAT device to multiplex on.
NAT before IPSec (the clear packet is translated) guidelines:
– An IPSec tunnel will not establish between two networks when their address ranges overlap; translate one side before encryption.
– Where an application embeds addresses in its data (for example FTP), the NAT device must be protocol-aware and translate both the IP header and the embedded addresses in the data segment of the packet.
– Enabling NAT transparency mode can help establish a tunnel.
– Enabling NAT transparency will not resolve connection problems associated with client applications that are not NAT friendly.
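As an added example (not code from the lesson or from Cisco), the following Python reproduces the two NAT points above: the AH integrity check fails once a NAT device rewrites the outer source address while the ESP check does not, and raw ESP gives a PAT device no ports until NAT transparency wraps it in UDP/4500. The addresses, SPI values and the ICV key are constructed for the demo, and the ICV is HMAC-SHA-256 truncated to 128 bits rather than the HMAC-MD5-96/HMAC-SHA-1-96 of 2005-era IPSec.

```python
"""Why NAT breaks AH but not ESP, and why PAT needs NAT transparency (NAT-T).

Constructed demo; not code from the SAFE lesson. Layouts follow AH/ESP in
spirit (SPI, sequence, ICV); the key below is a constant only for the demo.
"""
import hashlib
import hmac
import struct

ICV_KEY = b"constructed-demo-key-not-for-production"  # a real key comes from IKE
AH, ESP, UDP, TCP = 51, 50, 17, 6
NAT_T_PORT = 4500


def _ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header; checksum left at zero (it is a mutable field anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, _ip2b(src), _ip2b(dst))


def _zero_mutable(ip_hdr: bytes) -> bytes:
    """AH scope: zero the fields a router may change in transit (TOS, flags/offset,
    TTL, checksum). Source and destination stay covered, which is what NAT trips over."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def _icv(data: bytes) -> bytes:
    return hmac.new(ICV_KEY, data, hashlib.sha256).digest()[:16]


def ah_icv(ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """AH ICV covers the immutable parts of the outer IP header, the AH header
    (with the ICV field zeroed) and the payload."""
    ah_hdr = struct.pack("!BBHII", TCP, 5, 0, spi, seq)  # next hdr, len, reserved, SPI, seq
    return _icv(_zero_mutable(ip_hdr) + ah_hdr + b"\x00" * 16 + payload)


def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP ICV covers only the ESP header and the encrypted payload, never the outer IP header."""
    return _icv(struct.pack("!II", spi, seq) + ciphertext)


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT device does to the outer header: replace the source address."""
    b = bytearray(ip_hdr)
    b[12:16] = _ip2b(new_src)
    return bytes(b)


def ah_verifies_after_nat() -> bool:
    payload = b"constructed inner packet"
    before = ipv4_header("10.1.1.5", "192.0.2.10", AH, 20 + 24 + len(payload))
    tag = ah_icv(before, 0x100, 1, payload)
    after = nat_rewrite_src(before, "198.51.100.7")  # NAT sits between the AH peers
    return hmac.compare_digest(tag, ah_icv(after, 0x100, 1, payload))


def esp_verifies_after_nat() -> bool:
    ciphertext = b"\x8a" * 32  # stands in for the encrypted, padded inner packet
    before = ipv4_header("10.1.1.5", "192.0.2.10", ESP, 20 + 8 + len(ciphertext) + 16)
    tag = esp_icv(0x200, 1, ciphertext)
    after = nat_rewrite_src(before, "198.51.100.7")  # outer header changes ...
    return after != before and hmac.compare_digest(tag, esp_icv(0x200, 1, ciphertext))


def has_l4_ports(proto: int) -> bool:
    """PAT (many-to-one NAT) multiplexes on L4 ports; raw ESP (protocol 50) has none."""
    return proto in (TCP, UDP)


def nat_t_encapsulate(esp_packet: bytes) -> bytes:
    """NAT transparency: wrap ESP in UDP/4500 so a PAT device has ports to translate."""
    udp_hdr = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp_packet), 0)
    return udp_hdr + esp_packet
```

`ah_verifies_after_nat()` returns False and `esp_verifies_after_nat()` returns True; `has_l4_ports(ESP)` is False, which is the reason NAT-T exists.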

Single-Purpose Versus Multipurpose Devices
Integrated (multipurpose) devices offer the following benefits:
– Can be implemented on existing equipment
– Cost-effective
– Better interoperability with the other functions on the same device
Dedicated VPN appliances offer the following benefits:
– Depth of functionality
– Better performance
– Better suited for growing networks

Intrusion Detection and Network Access Control
NIDS
– Placed before encryption (on the clear-text side of the VPN device) to analyze traffic coming from or destined to the VPN device.
– Placed after encryption (on the public side) to validate that only encrypted traffic (IPSec and IKE) is sent and received by the VPN devices.
Network access control
– Filtering inbound to the VPN device (toward the campus)
– Filtering outbound from the VPN device (toward the public network)
– Segmentation of the various types of VPN (remote access, site-to-site, extranet) in larger deployments

Split Tunneling
– Enabling or disabling split tunneling depends on the amount of trust you can place in the remote sites or users.
– Enabling split tunneling allows the remote VPN user or site to access a public network (for example, the Internet) at the same time that it accesses the private network via the VPN, so the remote host becomes a possible bridge between the two.
– Disabling split tunneling forces the remote VPN user or site to pass all traffic through the VPN headend, where the corporate firewall and IDS can inspect it.
– Consider using additional available security technologies (personal firewall, host virus scanning) to increase the level of trust.

Partially Meshed, Fully Meshed, Distributed, and Hub-and-Spoke Networks
The following factors affect the scalability and performance of the network:
– Encrypted versus clear traffic processing
– Hardware- versus software-based IPSec
– Configuration complexity
– High availability
– Security features such as firewall and IDS
– Number of routing peers and networks to track
– QoS
Fully meshed networks run into scalability constraints, because the number of tunnels grows with the square of the number of sites. Hub-and-spoke networks scale better because the headend hub site can expand to meet growing spoke capacity requirements.

Interoperability and Mixed Versus Homogenous Device Deployments
– Many factors increase the likelihood of interoperability challenges.
– Check with vendors for interoperability information and their participation in interoperability testing.
– Best practice is to use the same code base across all platforms to ensure interoperability between products from a single vendor.

Fragmentation and Path MTU Discovery
– Fragmentation should be avoided because it is resource intensive: the receiving VPN device must reassemble the fragments before it can decrypt.
– Path MTU Discovery determines the largest packet a host can send through the tunnel without causing fragmentation.
– To allow Path MTU Discovery in your network, do not filter ICMP Type 3, Code 4 (fragmentation needed and DF set). If it is filtered, hosts keep sending full-size DF packets that are silently dropped, a PMTUD black hole.
– Alternatively, set the MTU manually, low enough to allow packets to pass through the smallest link on the path, and clamp the TCP MSS on the tunnel interface where the platform supports it.
– The manner in which you set the MTU on the tunnel depends on the VPN termination device.
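As an added example (not from the lesson), the Python below works out ESP tunnel-mode overhead for the cipher and wrapper combinations discussed in this lesson and then simulates Path MTU Discovery along a constructed path, showing the black hole that appears when ICMP Type 3 Code 4 is filtered. The header sizes assume AES-CBC with a 96-bit HMAC, GRE carried inside ESP, and NAT-T on UDP/4500; the link MTUs are constructed.

```python
"""ESP tunnel-mode overhead and a Path MTU Discovery simulation.

Added example, not code from the SAFE lesson. Sizes assume AES-CBC (16-byte
block and IV) with a 96-bit HMAC ICV; GRE and NAT-T wrappers are optional.
"""
import math

OUTER_IP = 20      # new IP header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
UDP_NAT_T = 8      # UDP header when NAT transparency (UDP/4500) is on
GRE_OVER_IP = 24   # GRE header (4) + GRE delivery IP header (20) inside the ESP payload


def esp_tunnel_size(inner_len: int, block: int = 16, iv: int = 16, icv: int = 12,
                    gre: bool = False, nat_t: bool = False) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation, including CBC padding to the cipher block."""
    plaintext = inner_len + (GRE_OVER_IP if gre else 0) + ESP_TRAILER
    padded = math.ceil(plaintext / block) * block
    return OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_inner_mtu(link_mtu: int, **kw) -> int:
    """Largest inner packet that still fits the physical link without fragmentation."""
    size = link_mtu
    while esp_tunnel_size(size, **kw) > link_mtu:
        size -= 1
    return size


def tcp_mss_for(inner_mtu: int) -> int:
    """MSS to clamp on the tunnel: inner MTU minus IPv4 (20) and TCP (20) headers."""
    return inner_mtu - 40


def discover_pmtu(path_mtus, start: int = 1500, icmp_filtered: bool = False,
                  max_tries: int = 8):
    """Simulate a host sending DF-set packets of `start` bytes across links with the
    given MTUs. Returns (delivered_size, attempts); delivered_size is None when the
    'fragmentation needed' ICMP never reaches the sender and PMTUD black-holes."""
    size = start
    for attempt in range(1, max_tries + 1):
        bottleneck = next((mtu for mtu in path_mtus if size > mtu), None)
        if bottleneck is None:
            return size, attempt           # packet crossed every link
        if icmp_filtered:
            return None, attempt           # DF packet silently dropped: black hole
        size = bottleneck                  # ICMP Type 3 Code 4 carries the next-hop MTU
    return None, max_tries


if __name__ == "__main__":
    inner = max_inner_mtu(1500)
    print(f"inner MTU {inner}, clamp MSS to {tcp_mss_for(inner)}")      # 1438 / 1398
    print("with NAT-T:", max_inner_mtu(1500, nat_t=True))                # 1422
    path = [1500, inner, 1500]                                           # constructed path
    print("PMTUD:", discover_pmtu(path))                                 # (1438, 2)
    print("PMTUD, ICMP filtered:", discover_pmtu(path, icmp_filtered=True))  # (None, 1)
```

The overhead function is what you feed a manual MTU setting: on a 1500-byte link the inner MTU is 1438 without NAT-T and 1422 with it, so an MSS clamp of 1398 (or 1382) keeps TCP from ever needing the ICMP path.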

Network Operations
– VPN devices support numerous configuration options to determine the tunnel endpoint.
– For effective management of remote devices, use static crypto maps at the site where the management applications are located: a static crypto map knows the peer address and can initiate the tunnel to a remote device.
– Do not use dynamic crypto maps at the headend: a dynamic crypto map can only respond to a tunnel the remote peer initiates, so the management station could not reach a remote device whose tunnel is down.

HSRP, Compression, and Remote-Access User Requirements
– Consider HSRP for resiliency.
– Layer 2 compression provides no reduction in link bandwidth for VPN traffic, because it operates on the ciphertext, which is incompressible.
– Layer 3 compression (IPComp) does reduce link bandwidth for VPN traffic, because it is applied before encryption, but it is very CPU intensive.
– Remote-user requirements (addresses, DNS, split-tunnel policy) are pushed to the remote client by the ISAKMP configuration method (IKE MODCFG) during tunnel establishment, after successful authentication.

High Availability: IKE Keepalive High Availability Example
– IKE keepalives are sent over the IKE SA to determine remote-site IKE peer reachability.
– Use IKE keepalives for high availability when using VPN concentrators or VPN firewalls.
[Figure: remote-site VPN device sending hello keepalives across the Internet to headends HE-1 and HE-2 in front of the corporate network]

High Availability: Routing Protocol High Availability Example
– Routing protocols run over the IPSec-protected GRE tunnels to track remote network reachability.
– When using VPN routers at the headend, use routing protocol resilience for high availability.
[Figure: remote site with GRE over IPSec tunnels across the Internet to headends HE-1 and HE-2]

High Availability: Load Dispersion on Failure
[Figure: remote sites RS 1 to RS 6, each with a primary tunnel to one of headends HE 1 to HE 3 and a secondary tunnel to another, so that the spokes of a failed headend are spread across the surviving headends]
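Added example (not from the lesson): the keepalive logic and the tunnel plan behind the three high-availability slides above, in Python. `peer_is_dead` declares a headend dead after a run of unanswered keepalive probes, and `plan_tunnels` assigns each remote site a primary and a secondary headend so that the spokes of one failed headend are dispersed over the survivors instead of all landing on the same one. The headend and remote-site names and the probe history are constructed.

```python
"""IKE keepalive dead-peer detection and load dispersion on headend failure.

Added example, not code from the SAFE lesson. Names and probe history are constructed.
"""
from collections import Counter


def peer_is_dead(replies, retries: int = 3) -> bool:
    """One entry per keepalive probe (True = answered). The peer is declared dead
    after `retries` consecutive unanswered probes, as an IKE keepalive/DPD timer does;
    any answered probe resets the count."""
    missed = 0
    for answered in replies:
        missed = 0 if answered else missed + 1
        if missed >= retries:
            return True
    return False


def plan_tunnels(n_sites: int, headends):
    """Primary: round-robin over the headends. Secondary: rotate through the *other*
    headends so that sites sharing a primary do not all fail over to the same survivor."""
    h = len(headends)
    plan = {}
    for k in range(n_sites):
        p = k % h
        s = p if h == 1 else (p + 1 + (k // h) % (h - 1)) % h
        plan[f"RS-{k + 1}"] = (headends[p], headends[s])
    return plan


def active_headend(site, plan, dead):
    """The headend a site is using: primary unless it has been declared dead."""
    primary, secondary = plan[site]
    return secondary if primary in dead else primary


def load_after_failure(plan, dead):
    """Spokes per headend once the given headends are declared dead."""
    return dict(Counter(active_headend(site, plan, dead) for site in plan))


if __name__ == "__main__":
    plan = plan_tunnels(6, ["HE-1", "HE-2", "HE-3"])
    for site, (p, s) in plan.items():
        print(f"{site}: primary {p}, secondary {s}")
    probes = [True, True, False, False, False]   # constructed keepalive history for HE-1
    dead = {"HE-1"} if peer_is_dead(probes) else set()
    print("load after failure:", load_after_failure(plan, dead))  # {'HE-2': 3, 'HE-3': 3}
```

With six sites and three headends every headend carries two primaries; when HE-1 dies its two spokes go one each to HE-2 and HE-3, so each survivor ends up with three rather than one survivor absorbing all of the failed load.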

Remote User Design

Remote User Module
[Figure: the four remote-user options, each connecting through the ISP edge module]
– Software client option: VPN software client with personal firewall behind a broadband access device
– Remote-site firewall option: home-office firewall with VPN behind a broadband access device
– Remote-site router option: router with firewall and VPN
– Hardware VPN client option: VPN hardware client (broadband access device optional)

Remote User Module: Key Devices
– Broadband access device
– VPN firewall
– Personal firewall software
– Virus-scanning software
– VPN firewall router (router option)
– Remote-access VPN client
– VPN hardware client

Remote User Module: Design Overview
The functionality of the following four remote-user connectivity options is discussed:
– Software access option
– Remote-site firewall option
– Hardware VPN client option
– Remote-site router option

Remote User Module: Software Access Option Design Guidelines
– Authentication and authorization to the network are controlled from headquarters.
– The remote user is first authenticated, then receives IP parameters.
– Split tunneling is disabled.
– Personal firewall and virus-scanning software are recommended.
– IKE keepalives are used to determine headend availability.
– Device authentication uses a group pre-shared key; user authentication uses OTPs.
– NAT transparency mode should be enabled if many-to-one NAT occurs between the client and the headend.

Remote User Module: Remote-Site Firewall Option Design Guidelines
– A VPN firewall is installed behind a DSL or cable modem.
– Individual PCs on the remote-site network do not need VPN client software to access corporate resources.
– Split tunneling is enabled.
– Proper address summarization should be implemented.
– Authentication and authorization to the corporate network and the Internet are controlled by the remote-site firewall and the VPN headend device.
– The VPN uses device pre-shared key authentication; digital certificates are recommended for large deployments.
– NAT is not used over the VPN to translate the local network.

Remote User Module: Hardware VPN Client Option Design Guidelines
– A personal firewall is used on the individual hosts when split tunneling is enabled.
– Authentication and authorization to the network are controlled from headquarters.
– Individual PCs on the remote-site network do not need VPN client software to access corporate resources.
– The hardware client operates in one of two modes: client mode, in which the remote LAN is PATed behind the single address the headend assigns, or network extension mode, in which the remote LAN keeps its own routable subnet.
– Device authentication is via a statically configured group pre-shared key; digital certificates are recommended for large deployments.

Remote User Module: Remote-Site Router Option Design Guidelines
– Routers can support advanced applications, such as QoS.
– The option exists to integrate the functions of the VPN firewall and the broadband access device.
– IKE keepalives or routing protocols can be used to determine headend availability.

Small Network VPN Design

Small Network IPSec VPN Design
[Figure: small network or branch with a campus module (corporate servers, corporate users, management server) and a corporate Internet module (firewall, public services on an isolated service network) connected to the ISP edge]

Small Network Corporate Internet Module
[Figure: public services segment between the campus and the ISP; the edge device is one or the other of a PIX Firewall or a Cisco IOS Firewall]
Key devices:
– PIX Firewall or Cisco IOS Firewall
– RADIUS authentication server

IPSec VPN Small Network: Design Overview
– A single box performs routing, NAT, IDS, firewall, and VPN functions.
– The two alternatives are:
  – Router with firewall and VPN functionality
  – Dedicated firewall with VPN

IPSec VPN Small Network: Design Guidelines
– Identity: pre-shared keys and the IPSec peer IP addresses are used to validate IPSec devices.
– Security: remote-access VPN users are not allowed to split tunnel.
– Scalability: this design is not scalable.
– Secure management: secure and nonsecure protocols are used for device management.
– NAT: NAT is used for access out to the Internet.
– Routing: routing is not needed except for some simple static routes.
– Extranet: this design is not conducive to an extranet environment.
– Performance: VPN traffic coupled with standard Internet traffic can limit WAN performance.
– Alternatives: stronger authentication and dedicated devices; branch versus standalone considerations vary.

Medium Network VPN Design

Medium Network VPN Design
[Figure: medium network with corporate Internet, WAN, ISP edge, Frame/ATM, PSTN and campus modules; the campus holds corporate users, management servers and corporate servers, and the corporate Internet module holds the public services]

Medium Network: Key Devices
– VPN firewall
– VPN concentrator
– NIDS appliance
[Figure: corporate Internet module with public services and PSTN access, linked to the Internet via the ISP and to the campus module]

IPSec VPN Medium Network: Design Guidelines
– Identity: digital certificates and the IPSec peer IP addresses are used to validate device identity.
– Security: implement NIDS; split tunneling is not allowed for remote-access VPN users.
– Scalability: this design is scalable.
– Secure management: secure and nonsecure protocols are used for device management.
– NAT: NAT is used for access out to the Internet.
– Routing: all internal user traffic is routed to the VPN firewall.
– Extranets: this design can support an extranet connection.
– Performance: VPN traffic coupled with standard Internet traffic can limit WAN performance.
– Alternatives: this can be a dedicated site-to-site VPN design; branch versus standalone considerations vary.

Large Network VPN Design

Large Network VPN Design
[Figure: enterprise campus (management server, core, building distribution, building, edge distribution) and enterprise edge (e-commerce, corporate Internet, VPN/remote access, WAN, extranet) modules connecting to the ISP edge via ISP A, ISP B, PSTN and Frame/ATM]

Large Network Remote Access/VPN Module
[Figure: remote access/VPN module with connections to the edge distribution, PSTN, extranet, corporate Internet and management modules]

Large Network Remote Access/VPN Module: Key Devices
– Interior firewall
– Distribution router
– VPN concentrator
– VPN router
– VPN firewall
– NIDS appliance

Large Network Remote Access/VPN Module: Design Overview
– The core VPN requirement of this module is to authenticate remote devices and users and to terminate IPSec.
– Devices generate a gigabit traffic load, driving the need for high-speed Layer 3 switching.
– SAFE recommends a gigabit-line-rate-capable firewall.
– The four types of headend service are:
  – Remote-access VPN
  – Site-to-site VPN
  – VPN router option for site-to-site VPN
  – VPN firewall option for site-to-site VPN

Large Network Remote Access/VPN Module: Design Overview (Cont.)
Remote-access VPN
– Concentrators support IPSec for tunnel termination only.
– NAT transparency mode is enabled on the VPN concentrator.
– Split tunneling is not allowed.
– After connection, policies are pushed to the remote-access clients.
Site-to-site VPN
– SAFE practices apply to both the VPN router and the VPN firewall termination options.
– The topology chosen for the VPN is hub-and-spoke.
VPN router option for site-to-site VPN
– Routing protocol resilience is the high-availability mechanism.
– Headend VPN routers support IPSec and GRE.
– All remote sites can carry out load dispersion.
VPN firewall option for site-to-site VPN
– IKE keepalive is the high-availability mechanism.
– The headend VPN firewall supports IPSec only.
– Filtering of site-to-site VPN traffic occurs on the interior firewall.

Large Network Remote Access/VPN Module: Design Guidelines
– Identity: digital certificates are used for site-to-site VPN connections; remote-access VPN connections employ two-part authentication (the device first, then the user).
– Security: SAFE provides security guidelines for VPN firewalls, VPN routers, and VPN concentrators; implement NIDS.
– Scalability: this design is extremely scalable.
– Secure management: secure and nonsecure protocols are used for device management.

Large Network Remote Access/VPN Module: Design Guidelines (Cont.)
– NAT: NAT is not used in this module.
– Routing: SAFE provides routing guidelines for edge distribution routers, interior edge routers, and interior firewall and distribution routers.
– Extranets: either VPN firewalls or VPN routers can be used for extranet termination; SAFE recommends keeping customer traffic separate from corporate user traffic.
– Performance: use hardware acceleration to provide high-speed, low-latency VPNs.
– Alternatives: SAFE provides scalability and performance alternatives; other authentication methods are available.

Large Network Extranet Module
[Figure: extranet module with sensors, an edge switch and application servers, connected to the edge distribution module and to the VPN/remote access module]

Large Network Extranet Module: Key Devices
– Interior firewall router
– VPN firewall
– NIDS appliance

Large Network Extranet Module: Design Overview
– Mission-critical applications in this module require high availability and security.
– Products from the same vendor should be used.
– Two VPN firewalls are implemented to guard against device or link failure.
– VPN firewalls support IPSec only.
– Use IPSec PFS group 2. (Group 2 is 1024-bit MODP, the 2005 recommendation; current guidance is group 14 or larger, or an elliptic-curve group.)

Large Network Extranet Module: Design Guidelines
– Identity: a PKI provider is used to validate peer devices; remote-access VPN connections employ two-part authentication.
– Security: implement stateful firewall, NIDS, and HIDS.
– Scalability and performance: the module uses hardware acceleration to provide high-speed, low-latency VPNs.
– Secure management: a mix of secure and nonsecure protocols is used.
– NAT: limited NAT implementation on the VPN firewall.
– Routing: dynamic routing protocols are used by the interior firewall routers.
– Alternatives: device integration can occur; use SSL for single-client or application-to-application access; other authentication alternatives are available; VPN routers could replace the VPN firewalls.

Large Network Campus Management Module
[Figure: management module with OTP server, ACS, network monitoring, CiscoWorks VPN/Security Management Solution, syslog 1 and syslog 2, system admin host and terminal server, connected to the VPN/remote access module]

Large Network Campus Management Module: Key Devices
– Firewall and VPN router
– VPN concentrator
– NIDS appliance

Large Network Campus Management Module: Design Guidelines
– NAT: NAT is used on a firewall router to provide Internet access; NAT transparency mode is enabled.
– Identity: use digital certificates for device authentication and OTPs for user authentication.
– Security: the VPN concentrator is configured to support IPSec only; implement NIDS and a stateful firewall; use PFS group 2; split tunneling is not allowed; implement layered security.

Large Network Distribution-Hub Module
[Figure: distribution-hub module with corporate servers, connected to the enterprise Internet hub (toward the ISP) and to the local hub network]

Large Network Distribution-Hub Module: Key Devices
– VPN router
– Firewall
– NIDS appliance

Large Network Distribution-Hub Module: Design Overview
– VPN routers are at the headend and distribution-hub sites to route packets between remote sites.
– Routing protocols track enterprise headend reachability.
– EIGRP is used instead of OSPF because of its lower CPU overhead.
– Distribution routers track link status by using two HSRP groups.
– Spoke and tiered local networks use summarized subnets.

Large Network Distribution-Hub Module: Design Guidelines
– Identity: use digital certificates.
– Security: no IDS or firewall function occurs when traffic travels from spoke to spoke or spoke to headend; the firewall function and filtering occur when remote sites access local services; remotes support split tunneling.
– Scalability: this design is scalable.
– Secure management: secure and nonsecure protocols are used for device management.
– NAT: NAT is used for access out to the Internet.
– Routing: VPN routers have a default route to the Internet.
– Performance: a high-speed WAN is required.
– Alternatives: split-tunneling options; additional routers to meet performance needs.

Summary

Summary
The following VPN design options are available:
– Remote user
– Small network
– Medium network
– Large network with extranet connectivity
– Distributed-hub large network
Each design has multiple modules that address different aspects of VPN technology. The lesson describes the functions of the modules, key devices, design guidelines, and alternatives for implementing SAFE IPSec VPN.