
Deploying and Managing
Enterprise IPsec VPNs
Ken Kaminski
Cisco Systems
Consulting Systems Engineer – Security/VPN Northeast
[email protected]
SEC-210
© 2002, Cisco Systems, Inc. All rights reserved.
IPsec - more than just crypto!
• Security Enforcement, Firewall, IDS
• Network Topology
• Routing (OSPF, EIGRP) design
• High Availability
• Performance
• QoS
• Path MTU Discovery
• Network Management
• ...
Agenda
• IPsec Design Options
• IPsec Design Issues
• IPsec Management
Product Function Matrix
• IOS
  Site-to-site role: primary role
  Remote access role: with the recent addition of the Cisco VPN Client, now supported with a good feature set
• PIX
  Site-to-site role: full-fledged site-to-site; integrated firewall and VPN device; not recommended for large-scale use due to lack of QoS, SLA monitoring and multiprotocol routing
  Remote access role: scales for large deployments; PDM 2.0 includes VPN management
• VPN 3000
  Site-to-site role: (not stated on the slide)
  Remote access role: primary role; full-fledged remote access solution
Agenda
• IPsec Design Options
IPsec
IPsec Remote Access (EzVPN)
IPsec/GRE
• IPsec Design Issues
• IPsec Management
Basic IPsec Example
[Diagram: hub router 1.1.1.1 with LAN 10.1.1.0/24; spoke 2.2.2.2 with LAN 10.1.2.0/24 and spoke 3.3.3.3 with LAN 10.1.3.0/24, all connected across the Internet]
• IKE Policy (Phase I)
crypto isakmp policy 1
authentication pre-share
hash sha
encryption 3des
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto isakmp key passwordisiabadkey address 3.3.3.3
Basic IPsec Example
• IPsec Policy (Phase II)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
Basic IPsec Example
• IPsec Policy (Phase II)
crypto map IPSEC 20 ipsec-isakmp
set peer 2.2.2.2
match address 102
set transform-set ESP-3DES-SHA
crypto map IPSEC 30 ipsec-isakmp
set peer 3.3.3.3
match address 103
set transform-set ESP-3DES-SHA
Basic IPsec Example
• Apply Crypto Map
interface serial 0
crypto map IPSEC
!
ip route 10.0.0.0 255.0.0.0 serial 0
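The slides above show only the hub side (1.1.1.1) of the basic example. The following is an added example, not from the original presentation: the mirror configuration for the spoke at 2.2.2.2. The interface name Serial0 and the static route are assumptions; everything else is derived from the hub's configuration. The two things that most often go wrong in practice are a crypto ACL that is not an exact mirror image of the hub's, and a pre-shared key or Phase 1 attribute that differs between the peers.

```cisco
! Spoke 2.2.2.2 (added example; interface name and route are assumptions)
!
! IKE Phase 1: must match the hub's policy 1 attribute for attribute.
! The deck's policy sets no DH group, so both sides use the IOS default
! (group 1, 768-bit). Raise it on BOTH peers at the same time ("group 2"),
! otherwise Phase 1 fails with no matching policy.
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption 3des
!
! The same key string the hub configured for "address 2.2.2.2". The deck's
! own key names say it: use a long random per-peer secret, not a word.
crypto isakmp key cisco123isabadkey address 1.1.1.1
!
! IKE Phase 2: identical transform set.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Crypto ACL: exact mirror of hub ACL 102 (source and destination swapped).
! If the two ACLs are not mirror images, Phase 1 succeeds but Phase 2 fails
! with a proxy identity mismatch.
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map IPSEC 10 ipsec-isakmp
 set peer 1.1.1.1
 match address 102
 set transform-set ESP-3DES-SHA
!
interface Serial0
 ip address 2.2.2.2 255.255.255.252
 crypto map IPSEC
!
! Traffic for the hub LAN must leave through the crypto map interface,
! otherwise it never matches the crypto ACL and goes out in the clear.
ip route 10.1.1.0 255.255.255.0 Serial0
!
! Verification (exec mode):
!   show crypto isakmp sa   -> state QM_IDLE for peer 1.1.1.1
!   show crypto ipsec sa    -> #pkts encaps / #pkts decaps both increasing
!   show crypto map         -> peer, ACL and transform set per map entry
```

Either side may bring the tunnel up, as the summary slide says: the first interesting packet at either end triggers IKE.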
Basic IPsec Summary
• Supported by IOS, PIX, VPN 3000 and several other vendors
• Either side can initiate the tunnel
• No support for routing protocols or multicast
Agenda
• IPsec Design Options
IPsec
IPsec Remote Access (EzVPN)
IPsec/GRE
• IPsec Design Issues
• IPsec Management
IPsec Remote Access (EzVPN)
[Diagram: head office at 1.1.1.1 terminating on IOS, PIX or VPN 3000 (VPN 3K); across the Internet, remote users with the VPN Client and remote sites with an IOS, PIX or VPN 3002 hardware client]
• Client - Server Architecture
• Client always initiates IPsec connection
• Client may have dynamic ip address
• Very easy to configure!
• Very scalable, no routing expertise required!
IPsec Remote Access (EzVPN)
• Client extension mode (client mode):
  Packets from all devices behind the EzVPN client are PATed to one IP address, then tunneled in IPsec.
• Network extension mode:
  Packets from all devices behind the EzVPN client are tunneled in IPsec with their own addresses (no PAT before IPsec).
EzVPN Configuration example
[Diagram: remote office hardware client connecting across the Internet to the head office at 1.1.1.1]
crypto ipsec client ezvpn hw-client
group engineering-1 key secret
mode client
peer 1.1.1.1
!
interface Ethernet1
description connected to INTERNET
ip address .......
crypto ipsec client ezvpn hw-client
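The slide shows the hardware client only. As an added example, not from the original presentation, here is the matching EzVPN server configuration on an IOS head-end at 1.1.1.1. The group name and key are taken from the client config above; the AAA list names, address pool, crypto map name, username, ACL number and interface name are assumptions. The Xauth lines are optional but included, because the group key is one secret shared by every device in the group and the slide's own key is literally "secret".

```cisco
! EzVPN server on the IOS head-end 1.1.1.1 (added example, not from the slides)
aaa new-model
! Group lookup (group name -> key, pool, split-tunnel ACL) is done locally.
aaa authorization network EZ-GROUPS local
! Xauth (optional): a per-user credential on top of the shared group key.
! With Xauth on, the remote must also be given a username/password.
aaa authentication login EZ-USERS local
username remote-office password 0 ChangeMe-NotSecret
!
! Phase 1 policy. EzVPN clients require DH group 2.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Group "engineering-1" exactly as named in the hardware client config.
crypto isakmp client configuration group engineering-1
 key secret
 pool EZ-POOL
 acl 150
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map: clients have unknown/dynamic addresses, so there is no
! "set peer". reverse-route injects a route for each connected client's
! assigned address so the head-end can route back to it.
crypto dynamic-map EZ-DYN 10
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map EZ client authentication list EZ-USERS
crypto map EZ isakmp authorization list EZ-GROUPS
crypto map EZ client configuration address respond
crypto map EZ 10 ipsec-isakmp dynamic EZ-DYN
!
! Addresses handed out to clients; in client mode this is the single
! address the remote site is PATed to.
ip local pool EZ-POOL 10.1.200.1 10.1.200.254
!
! Split tunneling policy (the policy decision discussed later in the deck):
! only these destinations go through the tunnel, everything else leaves
! the remote site in the clear. Omit "acl 150" from the group to tunnel all.
access-list 150 permit ip 10.1.0.0 0.0.255.255 any
!
interface Serial0
 ip address 1.1.1.1 255.255.255.252
 crypto map EZ
```

Because the server, not the client, pushes the pool address and the split-tunnel list, the "very easy to configure" client side is only as safe as the group policy defined here.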
Agenda
• IPsec Design Options
IPsec
IPsec Remote Access (EzVPN)
IPsec/GRE
• IPsec Design Issues
• IPsec Management
IPsec/GRE : Scalable Site-to-site VPNs
[Diagram: site-to-site network over the Internet and over Frame Relay]
• A routing protocol (OSPF, EIGRP...) is necessary!
• Routing (and multicast) is not specified by IPsec
• Supported in IOS using GRE/IPsec
IPsec/GRE Example
[Diagram: hub 1.1.1.1 with spokes 2.2.2.2 and 3.3.3.3 across the Internet]
• IKE Policy (Phase I)
Same as without GRE
crypto isakmp policy 1
authentication pre-share
hash sha
encryption 3des
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto isakmp key passwordisiabadkey address 3.3.3.3
IPsec/GRE Example
[Diagram: hub 1.1.1.1 with GRE tunnel 2002 to 2.2.2.2 and tunnel 2003 to 3.3.3.3 across the Internet]
• IPsec Policy (Phase II)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
access-list 102 permit gre host 1.1.1.1 host 2.2.2.2
access-list 103 permit gre host 1.1.1.1 host 3.3.3.3
IPsec/GRE Example
crypto map IPSEC 20 ipsec-isakmp
set peer 2.2.2.2
match address 102
set transform-set ESP-3DES-SHA
crypto map IPSEC 30 ipsec-isakmp
set peer 3.3.3.3
match address 103
set transform-set ESP-3DES-SHA
IPsec/GRE Example
[Diagram: hub 1.1.1.1 with GRE tunnel 2002 (10.99.1.0/24) to 2.2.2.2 and tunnel 2003 (10.99.2.0/24) to 3.3.3.3 across the Internet]
int tunnel 2002
 ip address 10.99.1.1 255.255.255.0
 tunnel source serial 0
 tunnel destination 2.2.2.2
 crypto map IPSEC
int tunnel 2003
 ip address 10.99.2.1 255.255.255.0
 tunnel source serial 0
 tunnel destination 3.3.3.3
 crypto map IPSEC
IPsec/GRE Example
int serial 0
ip address 1.1.1.1 255.255.255.252
crypto map IPSEC
!
ip route 2.2.2.2 255.255.255.255 serial 0
ip route 3.3.3.3 255.255.255.255 serial 0
!
router ospf 1
network 10.0.0.0 0.255.255.255 area 1
IPsec/GRE Summary
• IOS only (not PIX, VPN 3000)
• Enables Routing over IPsec protected Tunnels
• Enables IPsec protected multicast
• Enables Multi-Protocol (IPX...)
• Easy to configure thanks to trivial ACLs
• Reduces the number of SAs
• Uses standards : RFC 240x (IPsec), RFC 2784 (GRE)
• IPinIP (RFC 2003) is an alternative to GRE
Agenda
• IPsec Design Options
• IPsec Design Issues
Topologies
High Availability
Split Tunneling
Device Placement
• IPsec Management
Site-to-Site Full Mesh
• N * (N-1) / 2 tunnels
• Scaling issues with provisioning and routing protocols (....future Cisco features may help here...)
Dynamic Multipoint VPN (DMVPN) (IOS 12.2(13)T)
• Objective: easy to configure full mesh IPsec VPN
• Uses multipoint GRE interfaces
• Uses NHRP (Next Hop Resolution Protocol)
• Only configure the hub connection
• Spoke learns about spoke peers dynamically
Dynamic Multipoint VPN - DMVPN (IOS 12.2(13)T)
[Diagram: hub with a static public IP address (130.25.13.1) and tunnel network 10.100.1.0 255.255.255.0 (hub tunnel address 10.100.1.1); spokes with dynamic (or static) public IP addresses and LANs 10.1.1.0 255.255.255.0 (10.1.1.1) and 10.1.2.0 255.255.255.0 (10.1.2.1); dynamic and permanent spoke-to-hub IPsec tunnels; dynamic and temporary spoke-to-spoke IPsec tunnels]
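As an added example, not from the original presentation: a minimal DMVPN hub and spoke configuration that realises the diagram above. The addresses (hub 130.25.13.1, tunnel subnet 10.100.1.0/24, spoke LAN 10.1.1.0/24) come from the diagram; interface names, the NHRP and tunnel keys, the ISAKMP key string and the OSPF settings are assumptions. OSPF is used because the rest of the deck uses it; the broadcast network type and the DR priorities are what make it work over a multipoint GRE interface.

```cisco
! DMVPN hub and spoke (added example, not from the slides)
!
! ---- Common to the hub and every spoke ----
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption 3des
! Spokes have dynamic public addresses and build tunnels to each other, so a
! per-peer key is impossible: one wildcard key is shared by every router.
! Anyone holding it can authenticate as a spoke. Use certificates
! (authentication rsa-sig) for anything beyond a lab.
crypto isakmp key cisco123isabadkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
! An IPsec profile replaces the crypto map and crypto ACL: the tunnel
! interface itself is the policy, so there is no map entry per peer.
crypto ipsec profile DMVPN
 set transform-set ESP-3DES-SHA
!
! ---- Hub (static public address 130.25.13.1 on Serial0) ----
interface Tunnel0
 ip address 10.100.1.1 255.255.255.0
 ip nhrp authentication nhrpkey
! replicate routing protocol multicast to every registered spoke
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip ospf network broadcast
! the hub must be the OSPF DR
 ip ospf priority 10
 tunnel source Serial0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 1
!
! ---- Spoke (dynamic public address on Ethernet0, LAN 10.1.1.0/24) ----
! Only the hub is configured; other spokes are learned through NHRP.
interface Tunnel0
 ip address 10.100.1.2 255.255.255.0
 ip nhrp authentication nhrpkey
! static mapping for the hub only
 ip nhrp map 10.100.1.1 130.25.13.1
 ip nhrp map multicast 130.25.13.1
 ip nhrp network-id 100
! register with the hub (next-hop server)
 ip nhrp nhs 10.100.1.1
 ip ospf network broadcast
! spokes never become DR/BDR
 ip ospf priority 0
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 1
```

When spoke A sends to spoke B's LAN, OSPF gives B's tunnel address as the next hop; NHRP resolves it to B's current public address and a direct spoke-to-spoke IPsec tunnel comes up (watch it with show ip nhrp and show crypto ipsec sa). The permanent spoke-to-hub tunnel is what carries the NHRP registration and the routing protocol.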
Full Mesh :Tunnel Endpoint Discovery
(TED)
• Dynamically discover tunnel endpoint (peer)
• IOS since 12.0T
• Only works with routable (public) ip address
• Must be enabled in all peer routers
TED Example
[Diagram: Alice (A) behind router X, Bob (B) behind router Y, Clive behind router Z, connected across the Internet]
1. Alice sends an IP packet A to B. X's policy says A to B must be protected; there is no SA, so X sends a TED probe toward B (IKE A to B, with X as proxy).
2. The probe reaches Y. Y's policy says traffic to B must be protected; there is no SA, so Y blocks the probe and answers it, identifying itself as the peer for B.
3. IKE runs Y to X and the SA protecting A to B is built.
X(config)#
crypto dynamic-map DYN 10
 set transform-set ESP-3DES-SHA
 match address 100
!
crypto map IPSEC 99 ipsec-isakmp dynamic DYN discover
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
IPsec Migration Today
Problem: migration to IPsec in large networks
• Step 0: no IPsec on either router
• Step 1: IPsec configured on one router only; no communication possible
• Step 2: IPsec on both routers; all traffic encrypted
IPsec Passive Mode (IOS 12.2(13)T)
• Step 0: no IPsec on either router
• Step 1: one router in passive mode, the other without IPsec
• Step 2: both routers in passive mode; now all routers are on passive
• Step 3: one router switched to active, the other still passive
• Step 4: both routers active; now all routers are running normal IPsec
• Configured with: crypto ipsec optional
Agenda
• IPsec Design Options
• IPsec Design Issues
Topologies
High Availability
Split Tunneling
Device Placement
• IPsec Management
High-Availability Design
Stateless options today:
• IPsec and Dead Peer Detection
• IPsec and HSRP
• IPsec/GRE: routing protocols
[Diagram: remote site 10.1.5.0 connecting across the Internet to two VPN head-ends, HE-1 and HE-2, in front of the corporate intranet]
Dead Peer Detection (IKE keepalives)
• Supported on IOS, PIX, VPN 3000 and the Cisco VPN Client
• Hellos are sent between IKE peers that have active tunnels established
• Will detect dead peers (stale IPsec SAs)
• On the third hello packet failure, IKE attempts to set up a new tunnel to the next peer in the list
[Diagram: VPN client exchanging hellos with head-ends HE-1 and HE-2 across the Internet; corporate intranet behind the head-ends]
Dead Peer Detection vs IKE keepalives
• DPD is an optimization of IKE keepalives:
  "I don't bother to check the peer by sending a keepalive if I am receiving data from the peer"
• DPD compatibility:
  IOS 12.2(8)T and later
  PIX 6.0 and later
  VPN 3000 3.0 and later
High Availability with Dead Peer Detection
[Diagram: remote site across the Internet to head-ends HE-1 (1.1.1.1) and HE-2 (1.1.1.2); HE-1 marked as failed]
crypto map IPSEC 10 ipsec-isakmp
 match address 10
 set peer 1.1.1.1
 set peer 1.1.1.2
 set transform-set ESP-3DES-SHA
IPsec and HSRP+
[Diagram: remote site across the Internet to head-ends HE-1 and HE-2 sharing an HSRP address; one head-end marked as failed]
• Supported on IOS
• HSRP address used as tunnel endpoint
• Active device terminates the IPsec tunnel
• In the event of failure, the standby device takes over (SAs will be renegotiated)
High Availability with IPsec and HSRP+
[Diagram: remote site across the Internet to head-ends HE-1 and HE-2 sharing HSRP address 1.1.1.3; one head-end marked as failed]
Remote:
crypto map IPSEC 10 ipsec-isakmp
 match address 10
 set peer 1.1.1.3
 set transform-set ESP-3DES-SHA
HE-1:
interface Ethernet1/0
 ip address 1.1.1.1 255.255.255.248
 standby 1 ip 1.1.1.3
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track Ethernet1/1 150
 crypto map VPN redundancy VPNHA
Reverse Route Injection (RRI) (IOS 12.2(8)T)
Because the IOS head-ends are active-active, and it is not possible for the next-hop device to know which router "has" the active tunnel, Reverse Route Injection (RRI) is required for state tracking
Works with DPD and HSRP+
[Diagram: remote site 10.1.5.0 across the Internet to head-ends HE-1 and HE-2; a router in the corporate intranet asks "who should I send traffic to for 10.1.5.0?"]
Reverse Route Injection Example
[Diagram: remote site at 2.2.2.2 across the Internet to head-ends HE-1 and HE-2; one head-end marked as failed]
crypto isakmp keepalive 10
!
crypto map vpn 20 ipsec-isakmp
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
match address 102
reverse-route
!
RRI In Action
RRI triggers when the SA goes down
(1) SA established to primary P; remote sends IKE keepalives
(2) Router P RRI: "I can reach 10.1.5.0"
(3) Intranet routing: 10.1.5.0/24 via P
(4) P suffers an Unscheduled Immediate Memory Initialization Routine (it crashes)
(5) Secondary S active
(6) New SA established to secondary S; remote sends IKE keepalives
(7) Router S RRI: "I can reach 10.1.5.0"
(8) Intranet routing: 10.1.5.0/24 via S
[Diagram: remote site 10.1.5.0/24 across the Internet to head-end routers P and S]
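The sequence above is drawn from the remote's point of view. As an added example, not from the original presentation, here is the head-end side that produces steps (2), (3), (7) and (8): reverse-route installs the route on the head-end while the SA exists, and redistribution into the IGP is what lets the rest of the intranet learn it. HE-1 is shown; HE-2 is identical apart from its own addresses. Interface names and the OSPF process and area are assumptions; the peer address 2.2.2.2 and the remote LAN 10.1.5.0/24 come from the slides.

```cisco
! Head-end HE-1 with RRI (added example, not from the slides)
!
! IKE keepalives every 10 s: the remote notices a dead head-end and moves
! to the next peer in its list; the head-end tears down the stale SA,
! which is the event that makes RRI withdraw the route.
crypto isakmp keepalive 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! hub LAN 10.1.1.0/24 to the remote LAN 10.1.5.0/24
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255
!
crypto map vpn 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 match address 102
 reverse-route
! reverse-route installs a static route for the remote side of ACL 102
! (10.1.5.0/24, next hop the peer) when the SA comes up, and removes it
! when the SA is torn down.
!
interface Serial0
 ip address 1.1.1.1 255.255.255.252
 crypto map vpn
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
! RRI only changes this router's own routing table. The intranet learns
! "10.1.5.0/24 via P" only if the injected static route is redistributed.
! When the SA moves to S, the route disappears from P, appears on S, and
! OSPF converges on the new head-end without any manual change.
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 redistribute static subnets
!
! Check: "show ip route static" on the head-end that holds the SA lists
! 10.1.5.0/24 via 2.2.2.2; on the other head-end the route is absent.
```

Without the redistribute line the route exists only on the head-end itself, and the intranet router in the previous slide is back to guessing which head-end to use.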
High Availability with IPsec/GRE
• Just plain routing! (OSPF, EIGRP...)
• Routing copes with some failures the other methods can't detect
• Local and geographical redundancy possible
• Except under failure conditions, the IPsec and GRE tunnels are always up, since the routing protocols are always running through them
High Availability with IPsec/GRE
[Diagram: remote with GRE tunnel 1 to HE-1 and tunnel 2 to HE-2 across the Internet; corporate intranet behind the head-ends]
Remote:
!
int tunnel 1
 ......
 ip ospf cost 10
 .....
!
int tunnel 2
 ......
 ip ospf cost 20
 ......
HE-1:
!
int tunnel 1
 ......
 ip ospf cost 10
 .....
HE-2:
!
int tunnel 2
 ......
 ip ospf cost 10
 .....
Local/Geographical Failover/Load Balancing
• The Cisco VPN Client supports the notion of backup servers for high availability
  PIX, 3000 and IOS compatible
• The 3000 Concentrator also supports local clustering
  Supports local load sharing (not geographical)
  DNS resolution based load balancing could also be used, as the client resolves the FQDN of the head-end device (geographical)
High Availability Summary
• Key: DPD = Dead Peer Detection; RP = Routing Protocol; RRI = Reverse Route Injection

Head-end device | Remote device: IOS         | Remote device: PIX     | Remote device: 3000
IOS             | RP, DPD (RRI), HSRP+ (RRI) | HSRP+ (RRI), DPD (RRI) | HSRP+ (RRI), DPD (RRI)
PIX             | DPD, PIX Failover          | DPD                    | DPD
3000            | DPD (RRI)                  | DPD (RRI)              | DPD (RRI)
Agenda
• IPsec Design Options
• IPsec Design Issues
Topologies
High Availability
Split Tunneling
Device Placement
• IPsec Management
Split Tunneling
[Diagram: VPN client or VPN hardware client with split tunneling enabled; Internet traffic (e.g. to www.evilhackers.com) goes directly to the Internet with NAT, corporate traffic goes through the IPsec tunnel with no NAT]
Split Tunneling
• Should it be allowed? Policy decision!
• If allowed, a firewall is needed at the remote end
• Cisco VPN Client - $0 firewall
  Default stops incoming connections; allows outgoing connections
  Firewall active even when the VPN client is not connected
  Firewall policies can be pushed from the VPN 3000 concentrator
Agenda
• IPsec Design Options
• IPsec Design Issues
Topologies
High Availability
Split Tunneling
Device Placement
• IPsec Management
VPN Device with separate Firewall
[Diagram: WAN edge -> VPN termination device -> DMZ -> firewall -> campus. In front of the VPN device only stateless L3 filtering (IKE, ESP) is possible, since there is nothing to see crypto-wise; behind it the firewall does L4-L7 stateful inspection and filtering, DoS mitigation and focused layer 4-7 analysis on the decrypted traffic]
Agenda
• IPsec Design Options
• IPsec Design Issues
• IPsec Management
VPN Management
• Nothing dramatically new:
  - configuration management
  - performance management
  - fault management
  - software updates
• Many of the same tools apply: SNMP, TFTP, SSH
• Management traffic should be encrypted (IPsec vs. SSH)
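As an added example, not from the original presentation: the management-plane part of a VPN router's configuration that follows the points above (SSH instead of Telnet, SNMPv3 with authentication and privacy instead of a clear-text community string, and management reachable only from the inside, which for a remote site means through the IPsec tunnel). The domain name, the management subnet 10.1.1.0/24, the NMS address 10.1.1.50, user and group names and all passwords are assumptions.

```cisco
! Management plane of a VPN router (added example, not from the slides)
hostname HE-1
ip domain-name example.com
! Generate the SSH host key once, in exec mode:  crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!
username admin password 0 ChangeMe-NotSecret
!
! Only the internal management subnet may open a VTY, and only over SSH.
! From a remote site that subnet is reachable only through the IPsec
! tunnel, so no clear-text management session ever crosses the Internet.
access-list 20 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 20 in
 transport input ssh
 login local
!
! SNMPv3 with authentication (SHA) and privacy (DES) instead of a
! community string; the same source restriction applies to SNMP.
snmp-server group NMS-GROUP v3 priv access 20
snmp-server user nms NMS-GROUP v3 auth sha ChangeMe-Auth priv des56 ChangeMe-Priv
snmp-server host 10.1.1.50 version 3 priv nms
!
! TFTP offers no confidentiality or integrity at all: if it is used for
! image and configuration transfer, keep the TFTP server on the inside so
! the transfer also rides the tunnel.
```

The access-class and the SNMP access list are the part that ties this to the VPN design: they make the tunnel the only path to the management plane, so "IPsec vs. SSH" becomes "IPsec and SSH".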
VPN Management Applications
• Device Managers (on the box)
  PDM: PIX Device Manager
  VDM: VPN Device Manager for IOS and 3000
• VPN/Security Management Solution (VMS) 2.1
  IOS, IDS, PIX Multiple Device Centers
• VPN Solution Center (VPNSC)
  Primary focus: service providers
VPN/Security Management Solution 2.1
• Management Centers (MCs) for
  VPN Routers
  PIX Firewall
  IDS Sensors
VMS 2.1 / Router MC
• Web based
• IOS IPsec/GRE (hub/spoke topologies)
• Workflow approach (create task/approve task)
• Grouping of devices/apply policy on a group
VMS 2.1 / VPN Monitor
• Performance monitoring of IOS and VPN 3000
  Number of tunnels
  Status/performance of tunnels
  Performance threshold violations