Deploying and Managing Enterprise IPsec VPNs
SEC-210, transcript of slides. © 2002, Cisco Systems, Inc. All rights reserved.
Ken Kaminski, Cisco Systems
Consulting Systems Engineer – Security/VPN Northeast
IPsec - more than just crypto!
• Security Enforcement, Firewall, IDS
• Network Topology
• Routing (OSPF, EIGRP) design
• High Availability
• Performance
• QoS
• Path MTU Discovery
• Network Management
• ...
Agenda
• IPsec Design Options
• IPsec Design Issues
• IPsec Management
Product Function Matrix (Site-to-Site Role / Remote Access Role)
IOS
    Site-to-Site: Primary Role - full fledged site-to-site; scales for large deployments
    Remote Access: with the recent addition of Cisco VPN Client support, now supported with a good feature set
PIX
    Integrated firewall and VPN device; PDM 2.0 includes VPN management
3000
    Site-to-Site: not recommended for large-scale use due to lack of QoS, SLA monitoring, and multiprotocol routing
    Remote Access: Primary Role - full fledged remote access solution
Agenda
• IPsec Design Options
    IPsec
    IPsec Remote Access (EzVPN)
    IPsec/GRE
• IPsec Design Issues
• IPsec Management
Basic IPsec Example
[Diagram: router 1.1.1.1 (LAN 10.1.1.0/24) reaches peers 2.2.2.2 (LAN 10.1.2.0/24) and 3.3.3.3 (LAN 10.1.3.0/24) across the Internet]
• IKE Policy (Phase I)
    crypto isakmp policy 1
     authentication pre-shared
     hash sha
     encryption 3des
    crypto isakmp key cisco123isabadkey address 2.2.2.2
    crypto isakmp key passwordisiabadkey address 3.3.3.3
Basic IPsec Example
[Diagram: same three-site topology]
• IPsec Policy (Phase II)
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
Basic IPsec Example
[Diagram: same three-site topology]
• IPsec Policy (Phase II)
    crypto map IPSEC 20 ipsec-isakmp
     set peer 2.2.2.2
     match address 102
     set transform-set ESP-3DES-SHA
    crypto map IPSEC 30 ipsec-isakmp
     set peer 3.3.3.3
     match address 103
     set transform-set ESP-3DES-SHA
Basic IPsec Example
[Diagram: same three-site topology]
• Apply Crypto Map
    interface serial 0
     crypto map IPSEC
    !
    ip route 10.0.0.0 255.0.0.0 serial 0
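The four pieces above (ISAKMP keys, ACLs, transform-set, crypto map entries, interface binding) only work when they reference each other consistently. The following checker is an added example, not code from the slides or from Cisco: it parses a crypto-map configuration in the style shown above and reports peers without a pre-shared key, entries whose ACL or transform-set is undefined, and maps never applied to an interface. The sample configuration is constructed from the slide's example with the 3.3.3.3 entry deliberately left incomplete.

```python
import re
# Constructed sample in the style of the slides' "Basic IPsec Example": the
# entry for peer 3.3.3.3 deliberately lacks both an ISAKMP key and ACL 103.
SAMPLE_CONFIG = """\
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
 set transform-set ESP-3DES-SHA
crypto map IPSEC 30 ipsec-isakmp
 set peer 3.3.3.3
 match address 103
 set transform-set ESP-3DES-SHA
interface serial 0
 crypto map IPSEC
"""

def audit_crypto_config(config):
    """Cross-check crypto-map entries against keys, ACLs, transform-sets and interfaces."""
    keys, xforms, acls, applied, entries, cur = set(), set(), set(), set(), [], None
    for line in config.splitlines():
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keys.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            xforms.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = {"id": f"{m.group(1)} {m.group(2)}", "map": m.group(1), "peers": [], "acl": None, "xform": None}
            entries.append(cur)
        elif m := re.match(r"\s+crypto map (\S+)$", line):   # indented: applied under an interface
            applied.add(m.group(1))
        elif cur and (m := re.match(r"\s+set peer (\S+)", line)):
            cur["peers"].append(m.group(1))
        elif cur and (m := re.match(r"\s+match address (\S+)", line)):
            cur["acl"] = m.group(1)
        elif cur and (m := re.match(r"\s+set transform-set (\S+)", line)):
            cur["xform"] = m.group(1)
    findings = []
    for e in entries:
        findings += [f"{e['id']}: no ISAKMP pre-shared key for peer {p}" for p in e["peers"] if p not in keys]
        if e["acl"] not in acls:
            findings.append(f"{e['id']}: match address {e['acl']} references a missing ACL")
        if e["xform"] not in xforms:
            findings.append(f"{e['id']}: transform-set {e['xform']} is not defined")
        if e["map"] not in applied:
            findings.append(f"{e['id']}: crypto map {e['map']} is not applied to any interface")
    return findings
```

The same checks apply unchanged to the IPsec/GRE variant later in the deck, where the ACLs match GRE between the tunnel endpoints and the map is applied to the tunnel and serial interfaces.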
Basic IPsec Summary
• Supported by IOS, PIX, VPN 3000 and several other vendors
• Either side can initiate the tunnel
• No support for routing protocols or multicast
IPsec Remote Access (EzVPN)
[Diagram: head office server at 1.1.1.1 (IOS, PIX or VPN 3000) reached over the Internet by EzVPN clients: the Cisco VPN Client, IOS or PIX hardware clients, and the VPN 3002]
• Client - Server Architecture
• Client always initiates the IPsec connection
• Client may have a dynamic IP address
• Very easy to configure!
• Very scalable, no routing expertise required!
IPsec Remote Access (EzVPN)
[Diagram: head office at 1.1.1.1 (IOS, PIX or VPN 3000) with an EzVPN client site]
• Client extension mode: packets from all devices behind the EzVPN client are PATed to one IP address, then tunneled in IPsec.
• Network extension mode: packets from all devices behind the EzVPN client are tunneled in IPsec with their original addresses (no PAT before IPsec).
EzVPN Configuration example
[Diagram: head office 1.1.1.1 and a remote office running the EzVPN hardware client]
    crypto ipsec client ezvpn hw-client
     group engineering-1 key secret
     mode client
     peer 1.1.1.1
    !
    interface Ethernet1
     description connected to INTERNET
     ip address .......
     crypto ipsec client ezvpn hw-client
IPsec/GRE: Scalable Site-to-site VPNs
[Diagram: sites interconnected over the Internet, alongside a Frame Relay WAN]
• Routing protocol (OSPF, EIGRP...) necessary!
• Routing (or multicast) is not specified by IPsec
• Supported in IOS using GRE/IPsec
IPsec/GRE Example
[Diagram: router 1.1.1.1 with GRE tunnels over the Internet to 2.2.2.2 and 3.3.3.3]
• IKE Policy (Phase I) - same as without GRE
    crypto isakmp policy 1
     authentication pre-shared
     hash sha
     encryption 3des
    crypto isakmp key cisco123isabadkey address 2.2.2.2
    crypto isakmp key passwordisiabadkey address 3.3.3.3
IPsec/GRE Example
[Diagram: 1.1.1.1 with tunnel 2002 to 2.2.2.2 and tunnel 2003 to 3.3.3.3]
• IPsec Policy (Phase II)
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode transport
    access-list 102 permit gre host 1.1.1.1 host 2.2.2.2
    access-list 103 permit gre host 1.1.1.1 host 3.3.3.3
IPsec/GRE Example
[Diagram: 1.1.1.1 with tunnel 2002 to 2.2.2.2 and tunnel 2003 to 3.3.3.3]
    crypto map IPSEC 20 ipsec-isakmp
     set peer 2.2.2.2
     match address 102
     set transform-set ESP-3DES-SHA
    crypto map IPSEC 30 ipsec-isakmp
     set peer 3.3.3.3
     match address 103
     set transform-set ESP-3DES-SHA
IPsec/GRE Example
[Diagram: tunnel 2002 (10.99.1.0/24) to 2.2.2.2 and tunnel 2003 (10.99.2.0/24) to 3.3.3.3]
    int tunnel 2002
     ip address 10.99.1.1 255.255.255.0
     tunnel source serial 0
     tunnel destination 2.2.2.2
     crypto map IPSEC
    int tunnel 2003
     ip address 10.99.2.1 255.255.255.0
     tunnel source serial 0
     tunnel destination 3.3.3.3
     crypto map IPSEC
IPsec/GRE Example
[Diagram: tunnel 2002 (10.99.1.0/24) to 2.2.2.2 and tunnel 2003 (10.99.2.0/24) to 3.3.3.3]
    int serial 0
     ip address 1.1.1.1 255.255.255.252
     crypto map IPSEC
    !
    ip route 2.2.2.2 255.255.255.255 serial 0
    ip route 3.3.3.3 255.255.255.255 serial 0
    !
    router ospf 1
     network 10.0.0.0 0.255.255.255 area 1
IPsec/GRE Summary
• IOS only (not PIX, VPN 3000)
• Enables routing over IPsec-protected tunnels
• Enables IPsec-protected multicast
• Enables multi-protocol (IPX...)
• Easy to configure thanks to trivial ACLs
• Reduces the number of SAs
• Uses standards: RFC 240x (IPsec), RFC 2784 (GRE)
• IPinIP (RFC 2003) is an alternative to GRE
Agenda
• IPsec Design Options
• IPsec Design Issues
    Topologies
    High Availability
    Split Tunneling
    Device Placement
• IPsec Management
Site-to-Site Full Mesh
[Diagram: sites fully meshed over the Internet]
• N * (N-1) / 2 tunnels
• Scaling issues with provisioning and routing protocols (future Cisco features may help here)
Dynamic Multipoint VPN (DMVPN) - 12.2(13)T
• Objective: easy to configure full mesh IPsec VPN
• Uses multipoint GRE interfaces
• Uses NHRP (Next Hop Resolution Protocol)
• Only configure the hub connection
• Spoke learns about spoke peers dynamically
Dynamic Multipoint VPN - DMVPN (12.2(13)T)
[Diagram: hub with static public IP address 130.25.13.1 (LAN 10.1.2.0 255.255.255.0, inside address 10.1.2.1); spokes with dynamic (or static) public IP addresses and LANs 10.1.1.0 255.255.255.0 (10.1.1.1) and 10.100.1.0 255.255.255.0 (10.100.1.1)]
Legend: dynamic and permanent spoke-to-hub IPsec tunnels; dynamic and temporary spoke-to-spoke IPsec tunnels
Full Mesh: Tunnel Endpoint Discovery (TED)
[Diagram: sites over an MPLS-VPN/Frame Relay cloud]
• Dynamically discover tunnel endpoint (peer)
• IOS since 12.0T
• Only works with routable (public) IP addresses
• Must be enabled in all peer routers
TED Example
[Diagram: Alice (A) behind router X sends IP traffic to Bob (B) behind router Y; X: "A to B must be protected, no SA -> send probe"; Y: "traffic to B must be protected, no SA -> block and answer probe"; IKE Y to X; IKE A to B (proxy X). Clive sits behind a third router, Z.]
    X(config)#
    crypto dynamic-map DYN 10
     set transform-set ESP-3DES-SHA
     match address 100
    !
    crypto map IPSEC 99 ipsec-isakmp dynamic DYN discover
    !
    access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
IPsec Migration Today
Problem: migration to IPsec in large networks
Timeline for a pair of routers:
0. - / -
1. IPsec / - : no communication possible
2. IPsec / IPsec : all encrypted
IPsec Passive Mode (12.2(13)T)
    crypto ipsec optional
Timeline for a pair of routers:
0. - / -
1. passive / -
2. passive / passive : now all routers are on passive
3. active / passive
4. active / active : now all routers are running normal IPsec
High-Availability Design
Stateless options today:
• IPsec and Dead Peer Detection
• IPsec and HSRP
• IPsec/GRE: routing protocols
[Diagram: remote VPN site (10.1.5.0) reaching the corporate intranet over the Internet through head-end VPN routers HE-1 and HE-2]
Dead Peer Detection (IKE keepalives)
• Supported on IOS, PIX, VPN 3000, Cisco VPN Client
• Hellos are sent between IKE peers that have active tunnels established
• Will detect dead peers (stale IPsec SAs)
• On the third hello packet failure, IKE attempts to set up a new tunnel to the next peer in the list
[Diagram: remote sites S1 and S2 (router R1) and a VPN Client (P1) exchanging hellos over the Internet with head-end routers HE-1 and HE-2 in front of the corporate intranet]
Dead Peer Detection vs IKE keepalives
• DPD is an optimization of IKE keepalives: "I don't bother to check the peer by sending a keepalive if I am receiving data from the peer"
• DPD compatibility: IOS 12.2(8)T and later; PIX 6.0 and later; VPN 3000 3.0 and later
High Availability with Dead Peer Detection
[Diagram: remote site over the Internet to head-end HE-1 (1.1.1.1) and HE-2 (1.1.1.2); HE-1 marked as failed]
    crypto map IPSEC 10 ipsec-isakmp
     match address 10
     set peer 1.1.1.1
     set peer 1.1.1.2
     set transform-set ESP-3DES-SHA
IPsec and HSRP+
• Supported on IOS
• HSRP address used as tunnel endpoint
• Active device terminates the IPsec tunnel
• In the event of failure, the standby device takes over (SAs will be renegotiated)
[Diagram: remote site over the Internet to head-end HE-1/HE-2 sharing an HSRP address; HE-1 marked as failed]
High Availability with IPsec and HSRP+
[Diagram: remote site over the Internet to head-end HE-1/HE-2 with HSRP address 1.1.1.3; HE-1 marked as failed]
Remote:
    crypto map IPSEC 10 ipsec-isakmp
     match address 10
     set peer 1.1.1.3
     set transform-set ESP-3DES-SHA
Head-end:
    interface Ethernet1/0
     ip address 1.1.1.1 255.255.255.248
     standby 1 ip 1.1.1.3
     standby 1 priority 200
     standby 1 preempt
     standby 1 name VPNHA
     standby 1 track Ethernet1/1 150
     crypto map VPN redundancy VPNHA
Reverse Route Injection (RRI) - 12.2(8)T
Because IOS is active-active, and it is not possible for the next-hop device to know which router "has" the active tunnel, Reverse Route Injection (RRI) is required for state tracking.
Works with DPD and HSRP+
[Diagram: remote site 10.1.5.0 over the Internet to HE-1 and HE-2; the intranet next-hop device asks "who should I send traffic to for 10.1.5.0?"]
Reverse Route Injection Example
[Diagram: remote site (peer 2.2.2.2) over the Internet to head-end HE-1 and HE-2]
    crypto isakmp keepalive 10
    !
    crypto map vpn 20 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set ESP-3DES-SHA
     match address 102
     reverse-route
    !
RRI In Action
RRI triggers when the SA goes down
[Diagram: remote site 10.1.5.0/24 over the Internet to primary head-end P and secondary head-end S]
(1) SA established to primary; sending IKE keepalives
(2) Router P RRI: "I can reach 10.1.5.0"
(3) 10.1.5.0/24 via P
(4) Primary goes down (in the slide's words: "Unscheduled Immediate Memory Initialization Routine")
(5) Secondary active
(6) New SA established to secondary; sending IKE keepalives
(7) Router S RRI: "I can reach 10.1.5.0"
(8) 10.1.5.0/24 via S
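The following is an added model (example code, not Cisco's and not from the slides) of the DPD-plus-RRI failover described on the "High Availability with Dead Peer Detection" and "RRI In Action" slides: a remote crypto map with an ordered peer list, the three-missed-hellos rule, the DPD optimisation that skips hellos while data is arriving, and the head-end routing table that RRI feeds. Class and method names and the single-interval timing are assumptions.

```python
# Constructed model of the slides' DPD + RRI failover; names and timing are assumed.
DPD_THRESHOLD = 3   # "on the third hello packet failure, IKE attempts ... the next peer"

class DpdRriSimulation:
    def __init__(self, peers, remote_net):
        self.peers, self.remote_net = list(peers), remote_net  # e.g. set peer 1.1.1.1 / 1.1.1.2
        self.idx, self.misses, self.active = 0, 0, None
        self.core_routes = {}   # head-end side: prefix -> head-end router that owns the SA
        self.events = []
        self._establish()

    def _establish(self):
        """Bring up an SA to the current peer; RRI injects the remote prefix via that peer."""
        self.active, self.misses = self.peers[self.idx], 0
        self.core_routes[self.remote_net] = self.active
        self.events.append(f"SA to {self.active}; RRI: {self.remote_net} via {self.active}")

    def cycle(self, data_received=False, hello_answered=False):
        """One keepalive interval. Returns the head-end router currently owning the SA."""
        if data_received or hello_answered:
            # DPD optimisation: traffic from the peer proves liveness, so no hello is needed;
            # an answered hello proves the same thing.
            self.misses = 0
            return self.active
        self.misses += 1
        if self.misses < DPD_THRESHOLD:
            return self.active
        # third consecutive failure: SA is stale, RRI withdraws the route, move to next peer
        self.events.append(f"{self.active} dead after {self.misses} missed hellos; route withdrawn")
        self.core_routes.pop(self.remote_net, None)
        self.idx = (self.idx + 1) % len(self.peers)
        self._establish()
        return self.active

def run_slide_sequence():
    """Replays steps (1)-(8) of the 'RRI In Action' slide; returns routes, active peer, events."""
    sim = DpdRriSimulation(["1.1.1.1", "1.1.1.2"], "10.1.5.0/24")
    sim.cycle(hello_answered=True)          # (1)-(3): SA to primary, keepalives answered
    sim.cycle(data_received=True)           # DPD: traffic seen, no hello sent this interval
    for _ in range(DPD_THRESHOLD):          # (4): primary goes down, three missed hellos
        sim.cycle()
    return sim.core_routes, sim.active, sim.events   # (5)-(8): route now via secondary
```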
High Availability with IPsec/GRE
• Just plain routing! (OSPF, EIGRP...)
• Routing copes with some failures other methods can't detect
• Local and geographical redundancy possible
• The IPsec and GRE tunnels are always up (except under failure conditions) since routing protocols are always running
[Diagram: remote site with GRE tunnels over the Internet to head-end HE-1 and HE-2]
High Availability with IPsec/GRE
[Diagram: remote site with tunnel 1 to HE-1 and tunnel 2 to HE-2]
Remote:
    !
    int tunnel 1
     ......
     ip ospf cost 10
     .....
    !
    int tunnel 2
     ......
     ip ospf cost 20
     ......
HE-1:
    !
    int tunnel 1
     ......
     ip ospf cost 10
     .....
HE-2:
    !
    int tunnel 2
     ......
     ip ospf cost 10
     .....
Local/Geographical Failover/Load-Balancing
• The Cisco VPN Client supports the notion of backup servers for high availability
    PIX, 3000, and IOS compatible
• The 3000 Concentrator also supports local clustering
    Supports local load sharing (not geographical)
• DNS resolution based load balancing could also be used, as the client resolves the FQDN of the head-end device (geographical)
High Availability Summary
Key: DPD = Dead Peer Detection; RP = Routing Protocol; RRI = Reverse Route Injection
[Table: remote device (IOS, PIX, 3000) against head-end device (IOS, PIX, 3000); the mechanisms listed across the cells are RP, DPD (RRI), HSRP+ (RRI), DPD and PIX failover]
Split Tunneling
[Diagram, split tunneling enabled: a VPN Client and a VPN hardware client send corporate traffic through the tunnel with no NAT, while Internet traffic (to www.evilhackers.com in the picture) goes out directly with NAT]
Split Tunneling
• Should it be allowed? Policy decision!
• If allowed, a firewall is needed at the remote end
• Cisco VPN Client - $0 firewall
    Default stops incoming connections; allows outgoing connections
    Firewall active even when the VPN client is not connected
    Firewall policies can be pushed from the VPN 3000 concentrator
VPN Device with separate Firewall
[Diagram, from the WAN edge to the campus: stateless L3 filtering (IKE, ESP) and DoS mitigation at the edge, where there is "nothing to see (crypto-wise)" in the still-encrypted traffic; VPN termination on a DMZ; then L4-L7 stateful inspection and filtering (focused Layer 4-7 analysis) on the separate firewall toward the campus]
VPN Management
• Nothing dramatically new:
    - configuration management
    - performance management
    - fault management
    - sw updates
• Many of the same tools apply: SNMP, TFTP, SSH
• Management traffic should be encrypted (IPsec vs SSH)
VPN Management Applications
• Device Managers (on the box)
    PDM: PIX Device Manager
    VDM: VPN Device Manager for IOS and 3000
• VPN/Security Management Solution (VMS) 2.1
    IOS, IDS, PIX Multiple Device Centers
• VPN Solution Center (VPNSC)
    Primary focus: Service Providers
VPN/Security Management Solution 2.1
Management Centers (MCs) for:
• VPN Routers
• PIX Firewall
• IDS Sensors
VMS 2.1 / Router MC
• Web based
• IOS IPsec/GRE (hub/spoke topologies)
• Workflow approach (create task / approve task)
• Grouping of devices / apply policy on group
VMS 2.1 / VPN Monitor
• Performance monitoring of IOS and VPN 3000
    Number of tunnels
    Status/performance of tunnels
    Performance threshold violations