CATE-IDET
Brno 11.5.2001
Slide 1: Deployment of IPSec VPN
VPN, IPSec, PKI, Smart Cards
Ivan Svoboda, Manager, Information security projects
Slide 2: Agenda
• Business drivers
• VPN levels
• VPN & Firewall
• VPN & PKI
• VPN & Security Certification
Slide 3: Current issues
• E-commerce, E-government
• Internet services
• Flexibility
• Network infrastructure & cost reduction
• Network security threats: sniffing, IP spoofing, session hijacking, man-in-the-middle
The enabler: Secure VPN
Slide 4: Secure networks?
[Diagram: Praha and Brno sites exchanging data over X.25, ATM, Frame Relay, Internet and PSTN]
Slide 5: Secure networks? YES!
[Diagram: Praha and Brno sites exchanging documents over X.25, ATM, Frame Relay, Internet and JTS, protected by a VPN]
Slide 7: Encryption layers
[Diagram: two OSI stacks (Application, Presentation, Session, Transport, Network, Link, Physical) connected over LAN, WAN and Internet; encryption options placed by layer: SSH and S/MIME at the application layer, SSL/TLS at the transport layer, IPSec at the network layer, L2TP and PPTP at the link layer]
Slide 8: Encryption layers
Application (SSH, S/MIME etc.)
  (-) application dependent
  (-) no network access control
  (+) most specific services
Transport (SSL/TLS)
  (-) TCP only (HTTP etc.)
Network (IPSec)
  (-) IP only
  (+) every IP packet is secured
  (+) IP address tunnelling
Link (L2TP, PPTP)
  (+) RAS, mixed networks (IP, IPX, NetBEUI etc.)
  (-) tunnelling only: L2TP relies on IPSec for encryption (L2TP/IPSec), and PPTP's MPPE/MS-CHAP protection has known weaknesses
Slide 9: Network layer encryption: IPSec
[Diagram: two OSI stacks with IPSec inserted at the network layer; a document passes end to end through the IPSec-protected network layer]
Slide 10: IPSec VPN compatibility
[Diagram: the IPSec VPN sits at the network layer, below everything it carries and above everything it runs over]
• Platforms: Microsoft, Novell, Unix
• Applications: Oracle database, ERM client/server, GIS, www
• Networks: X.25, Frame Relay, Internet, LAN, WAN, PPP
Slide 11: IPSec VPN functions
• Data confidentiality & integrity: encryption (ESP), authentication and integrity (AH, or ESP with its own authentication option)
• User/node authentication: X.509 digital certificates
• Access control: access to networks, access to resources (servers)
[Diagram: an X.509 certificate (public key of X.Y., digitally signed by the CA)]
Slide 12: Secure VPN - IPSec technology
Data authentication and encryption over LAN, WAN, ...
[Diagram: two hosts, each with the stack applications / TCP, UDP / IP / IPSEC / IP / Ethernet, PPP, i.e. the original IP packet is encapsulated by IPSec inside an outer IP packet (tunnel mode); between them IKE (ISAKMP/Oakley) negotiates the keys and ESP/AH protects the data]
Slide 13: IPSec implementation
IPSec can be implemented in software (IPSec VPN software), in a firewall, in a router, or in dedicated hardware (VPN gateway).
[Diagram: the same X.509 certificate (public key of X.Y., digitally signed by the CA) is used by every implementation type]
Slide 14: IPSec interoperability
Different types of products in different locations (LAN, WAN, Internet, JTS; including Microsoft's built-in IPSec)
IPSec compatibility: ICSA certification
Slide 15: IPSec VPN deployment
[Diagram: LANs linked over WAN, Internet and PSTN; remote users on PDAs, ...]
• Intranet
• Extranet
• E-business / E-government
Where are the threats? Internal vs. external
Slide 16: VPN deployment issues
• VPN & firewall: complementary technologies; coordination of policies necessary
• VPN & PKI & smart cards: complementary technologies; attribute certificates; two-factor authentication
Slide 17: Firewall supplements
• High availability
• Content security
• Load balancing
• Antivirus control
• Vulnerability assessment
• Intrusion detection
• Log analysis
• Network management
• Strong authentication
• VPN
• PKI / Directory
Slide 18: Deploying a VPN service with or without a firewall
• Each component in the network solves its own distinct problem
• Issues: performance, reliability, policy integration, TCO, ...
• Security: question of the protected area perimeter
Slide 19: No firewall scenario
[Diagram: Internet - access router - secure VPN gateway - head office LAN]
• VPN gateway authenticates users with X.509 certificates
• If all traffic is encrypted, the VPN gateway acts as a "perfect" firewall: only authenticated peers get in
• No other filtering: nothing inspects what an authenticated peer sends, and the gateway itself (IKE on UDP port 500) is exposed directly to the Internet
Slide 20: Outside of firewall scenario
[Diagram: Internet - access router - secure VPN gateway - firewall - head office LAN]
• VPN traffic is decrypted by the VPN gateway before it reaches the firewall
• Firewall can perform additional packet filtering, authentication and application proxies on the decrypted traffic
• No changes to the firewall security policy
• Security perimeter? The VPN gateway stands outside it, and traffic between gateway and firewall is already in clear
Slide 21: In parallel to firewall scenario
[Diagram: Internet - access router - firewall and secure VPN gateway side by side - head office LAN]
• Network access validated and secured by the VPN system
• Security policy more flexible and simpler to implement
• No network traffic bottlenecks
• The VPN gateway is a second path into the LAN that bypasses the firewall, so its policy must be coordinated with (and as strict as) the firewall's
Slide 22: Inside of firewall scenario (1)
[Diagram: WAN - VPN router - firewall with integrated VPN - DMZ - protected area (LAN)]
Slide 23: Inside of firewall scenario (2)
[Diagram: WAN - VPN router - firewall - DMZ containing the VPN gateway - protected area (LAN)]
• FW: non-authorised users (access to the Web server)
• VPN: authorised users (access to the accounting server)
Slide 24: Problem issues
Correct IPSec transport through the firewall (proxy server):
• Transport of LDAP (TCP port 389) and PKIX (TCP port 709)
• Transport of ISAKMP/IKE (UDP port 500)
• Transport of ESP (IP protocol 50) and AH (IP protocol 51); these are IP protocol numbers, not ports, so a filter or proxy that only understands TCP/UDP ports drops them
• Network address translation (NAT): AH fails behind NAT because its integrity check covers the IP addresses NAT rewrites; ESP hides the TCP/UDP ports a port-rewriting NAT needs, which is why UDP encapsulation of IKE/ESP (NAT traversal, UDP port 4500) was later standardised
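The following Python program is an added example, not part of the presentation. It builds a few constructed IPv4 packets (RFC 791 header, plus the ESP header of RFC 2406 and the AH header of RFC 2402 referred to on slide 11) and classifies them the way a filter in front of the VPN gateway has to: by IP protocol number for ESP (50) and AH (51), and by UDP/TCP port for IKE (500) and LDAP (389). For each packet it also records whether a port-rewriting NAT would break it. Addresses, SPIs and payloads are made up for the demo and checksums are left at zero.

```python
"""Classify raw IPv4 packets the way a firewall in front of an IPSec gateway must.

Added example (not from the presentation). Packet bytes are constructed inline;
checksums are zero, SPIs and addresses are arbitrary demo values.
"""
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT, NAT_T_PORT, LDAP_PORT = 500, 4500, 389


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tcp_header(sport, dport):
    """Minimal TCP SYN header: ports, seq, ack, data offset 5, flags, window, checksum, urgent."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def esp_header(spi, seq):
    """RFC 2406 ESP: SPI and sequence number precede the ciphertext."""
    return struct.pack("!II", spi, seq)


def ah_header(next_header, spi, seq, icv=b"\x00" * 12):
    """RFC 2402 AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def classify(packet):
    """Describe one packet from the firewall's point of view (kind, selectors, NAT impact)."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    body = packet[(ver_ihl & 0x0F) * 4:total_len]
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)), "proto": proto}
    if proto == PROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", body[:8])
        kind = "IKE" if IKE_PORT in (sport, dport) else "NAT-T" if NAT_T_PORT in (sport, dport) else "UDP"
        info.update(kind=kind, sport=sport, dport=dport, nat_ok=True)
    elif proto == PROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        info.update(kind="LDAP" if LDAP_PORT in (sport, dport) else "TCP", sport=sport, dport=dport, nat_ok=True)
    elif proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # ESP's ICV excludes the outer IP header, but the inner ports are encrypted,
        # so a port-rewriting NAT cannot demultiplex it without UDP encapsulation.
        info.update(kind="ESP", spi=spi, seq=seq, nat_ok=False,
                    nat_note="inner ports encrypted; needs UDP encapsulation (NAT-T)")
    elif proto == PROTO_AH:
        nh, _, _, spi, seq = struct.unpack("!BBHII", body[:12])
        # AH's ICV covers the immutable IP header fields, including both addresses.
        info.update(kind="AH", spi=spi, seq=seq, next_header=nh, nat_ok=False,
                    nat_note="ICV covers src/dst addresses that NAT rewrites")
    else:
        info.update(kind="other", nat_ok=True)
    return info


# Constructed sample packets (documentation address ranges, arbitrary SPIs).
SAMPLES = {
    "ike": ipv4_header("192.0.2.10", "198.51.100.1", PROTO_UDP, 8 + 28) + udp_header(500, 500, 28) + b"\x00" * 28,
    "esp": ipv4_header("192.0.2.10", "198.51.100.1", PROTO_ESP, 8 + 32) + esp_header(0x1234ABCD, 7) + b"\x00" * 32,
    "ah": ipv4_header("192.0.2.10", "198.51.100.1", PROTO_AH, 24 + 20) + ah_header(PROTO_TCP, 0x0BADF00D, 3) + b"\x00" * 20,
    "ldap": ipv4_header("192.0.2.10", "198.51.100.2", PROTO_TCP, 20) + tcp_header(40000, 389),
}


def summarize_samples():
    """(kind, survives port-rewriting NAT) for each sample packet."""
    return {name: (classify(pkt)["kind"], classify(pkt)["nat_ok"]) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

A real filter would additionally restrict IKE/ESP/AH to the gateway's address and LDAP/PKIX to the directory and CA, but the classification step above is the part a TCP/UDP-port-only proxy gets wrong.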
Slide 25: Secure VPNs and authentication
Two ends wishing to set up a secured session need to know who they are communicating with, otherwise:
• spoofing attack
• man-in-the-middle attack
The secure tunnel needs to be authenticated at both ends.
Authentication options (IKE): certificates, shared secret
Slide 26: Alternate authentication method: "shared secret"
• Eliminates certificates for small deployments
• User enters a password for authentication
  • supported by IKE, in lieu of certificates
  • longer passwords are more secure
  • the password itself never traverses the network; only a keyed hash derived from it does (in aggressive mode that hash is sent in the clear and can be attacked offline with a dictionary, which is why short passwords are dangerous)
• But... not as scalable as certificates: password administration becomes difficult

Example shared-secret table (identity, IP address, password):
  john@timestep.com    -            mylittlechickadee12
  gate@newbridge.com   122.2.3.18   mIi8182
  -                    77.2.3.*     19insabinsa
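As an added example (mine, not the presenter's), the following Python code walks through IKE phase 1 pre-shared-key authentication as RFC 2409 specifies it: SKEYID = prf(PSK, Ni | Nr), and HASH_I / HASH_R keyed with SKEYID over the Diffie-Hellman public values, cookies, SA payload and identity. It shows the three points slides 25 and 26 make: the password itself is never sent, a man-in-the-middle who swaps the DH values is detected even though it can complete DH with both sides, and an aggressive-mode HASH_R captured off the wire can be dictionary-attacked offline, so a short password falls. The DH group is a toy Mersenne prime for speed, not an IKE MODP group; the SA payload is a stand-in byte string; identities and passwords are taken from the example table above.

```python
"""IKE phase 1 pre-shared-key authentication (RFC 2409 section 5.4): why it resists a
man-in-the-middle but not an offline dictionary attack in aggressive mode.

Added example, not the presenter's code. P is a toy prime chosen for speed, NOT an
IKE MODP group; SA_I stands in for the initiator's SA payload.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1                         # toy group; real IKE uses RFC 2409 / RFC 3526 MODP groups
G = 3
SA_I = b"ISAKMP-SA:3DES-SHA1-PSK"      # constructed stand-in for the SA payload bytes


def prf(key, data):
    """IKE prf: HMAC with the negotiated hash (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE endpoint: identity, pre-shared key, cookie, nonce and DH key pair."""
    def __init__(self, ident, psk):
        self.ident = ident.encode()
        self.psk = psk
        self.cookie = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1
        self.gx = pow(G, self.x, P)


def skeyid(psk, ni, nr):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK only ever enters a hash."""
    return prf(psk, ni + nr)


def hash_i(skey, gxi, gxr, cky_i, cky_r, sa_i, id_i):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skey, i2b(gxi) + i2b(gxr) + cky_i + cky_r + sa_i + id_i)


def hash_r(skey, gxr, gxi, cky_r, cky_i, sa_i, id_r):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skey, i2b(gxr) + i2b(gxi) + cky_r + cky_i + sa_i + id_r)


def run_main_mode(init, resp, mitm=None):
    """Main mode messages 3-6, optionally with an active attacker relaying the KE payloads.

    The attacker can finish DH with each side separately, but without the PSK it cannot
    compute SKEYID, and each hash binds the g^x value the sender actually saw.
    """
    gx_seen_by_resp = mitm.gx if mitm else init.gx     # KE payload R receives
    gx_seen_by_init = mitm.gx if mitm else resp.gx     # KE payload I receives
    sk_i = skeyid(init.psk, init.nonce, resp.nonce)    # nonces are relayed unchanged
    sk_r = skeyid(resp.psk, init.nonce, resp.nonce)
    # Message 5: I proves knowledge of the PSK over the values it saw; R recomputes.
    sent_hi = hash_i(sk_i, init.gx, gx_seen_by_init, init.cookie, resp.cookie, SA_I, init.ident)
    want_hi = hash_i(sk_r, gx_seen_by_resp, resp.gx, init.cookie, resp.cookie, SA_I, init.ident)
    # Message 6: R proves the same; I recomputes.
    sent_hr = hash_r(sk_r, resp.gx, gx_seen_by_resp, resp.cookie, init.cookie, SA_I, resp.ident)
    want_hr = hash_r(sk_i, gx_seen_by_init, init.gx, resp.cookie, init.cookie, SA_I, resp.ident)
    return hmac.compare_digest(sent_hi, want_hi) and hmac.compare_digest(sent_hr, want_hr)


def aggressive_mode_capture(init, resp):
    """What a passive sniffer sees in aggressive mode: HASH_R plus every input to it except the PSK."""
    sk_r = skeyid(resp.psk, init.nonce, resp.nonce)
    h_r = hash_r(sk_r, resp.gx, init.gx, resp.cookie, init.cookie, SA_I, resp.ident)
    return {"ni": init.nonce, "nr": resp.nonce, "gxi": init.gx, "gxr": resp.gx,
            "cky_i": init.cookie, "cky_r": resp.cookie, "id_r": resp.ident, "hash_r": h_r}


def dictionary_attack(cap, candidates):
    """Offline guessing: recompute HASH_R for each candidate PSK and compare with the capture."""
    for word in candidates:
        sk = skeyid(word, cap["ni"], cap["nr"])
        guess = hash_r(sk, cap["gxr"], cap["gxi"], cap["cky_r"], cap["cky_i"], SA_I, cap["id_r"])
        if hmac.compare_digest(guess, cap["hash_r"]):
            return word
    return None


if __name__ == "__main__":
    psk = b"mylittlechickadee12"                       # from the example table
    i, r = Peer("john@timestep.com", psk), Peer("gate@newbridge.com", psk)
    print("honest main mode:", run_main_mode(i, r))
    print("with MITM:", run_main_mode(i, r, mitm=Peer("mallory", b"?")))
    cap = aggressive_mode_capture(i, r)
    print("dictionary hit:", dictionary_attack(cap, [b"mIi8182", b"19insabinsa", psk]))
```

In main mode the hashes travel encrypted under keys that also derive from SKEYID, so a passive sniffer has nothing to guess against; aggressive mode gives that up for a shorter exchange, which is the trade-off behind "longer passwords are more secure".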
Slide 27: VPN & PKI
• PKI is the most scalable authentication method for VPN
• VPN is a "killer" application for PKI
• Dynamic modifications: attribute certificates carry VPN group membership
Slide 28: Secure VPN groups
[Diagram: users A, B and C reach the engineering, finance and inventory subnets through a VPN gateway over the Internet]
• Engineering VPN group: User A, engineering subnet
• Finance VPN group: User B, finance subnet
• Inventory VPN group: User B, User C, inventory subnet
Slide 29: VPN groups: access privileges
[Diagram: LAN A and LAN B over the WAN, with two VPNs, (1) and (2), granting different access privileges]
Slide 30: VPN policy manager
[Diagram: the policy manager maintains VPN groups, group members and new users]
Slide 31: Two-factor authentication
Slide 32: Smart cards advantage
• Not only private key storage
• Private key operations (electronic signature) performed on-card
• Security! The private key never leaves the card
Slide 33: PKI & smart cards
[Diagram: one smart card serving e-mail, SSL and IPSec clients for documents, with certificates published through LDAP/X.500 by the CA]
Slide 34: Smart cards advantage
• Different private keys/certificates on a single smart card: clients: e-mail, SSL, IPSec, ...; use: authentication, encryption, non-repudiation (electronic signature)
• Multi-function cards: physical access control (contact-less), secure login, electronic signature
Slide 35: Multi-function smart cards
Slide 36: Is it really secure? (IPSec VPN)
Security certification tiers (approximate number of products):
• FIPS 140-1 security certification: 2-5
• ICSA certification: approx. 10-15
• "IPSec compatible": non-certified
Slide 37: FIPS 140-1
Cryptographic modules certification
• NIST: http://csrc.ncsl.nist.gov/cryptval
• CR (Czech Republic): Electronic Signature Act regulation: requirements for private key protection, as part of a secure signature creation device
Levels 1-4; Level 2:
• Physical security for high-risk environments (tamper-evident coatings)
• User authentication
• Controlled access protection (C2 equivalent)
Applies to VPN, PKI, smart cards, ...
Slide 38: Conclusion
VPN deployment issues/decisions:
• VPN level
• Security perimeter (risk analysis)
• VPN & FW
• Authentication options (VPN & PKI & smart cards)
• Security certifications
Contact: www.tsoft.cz, svoboda@tsoft.cz, +420-2-6134 8738