© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
BRK-134T
VPNs Simplified
1
Virtual Private Networks (VPNs) Simplified
Erich Spengler
CSSIA CATC—Moraine Valley Community College
2008—60 Minute Session
Agenda
Demonstration
Introduction to VPNs
VPN Security (IPSec, PPTP, SSL)
VPN Technology Comparison
VPN Group Exercise
Demonstration—Remote Network Access via VPN
[Diagram: a remote user crosses the Internet/unsecure network to a VPN server/gateway in front of the corporate servers; the VPN tunnel carries encrypted traffic to the corporate server.]
Introduction to VPNs
What Is a Virtual Private Network (VPN)?
A Remote Access VPN secures connections for remote users, such as mobile users or telecommuters, to corporate LANs over shared service provider networks
[Diagram: a homeworker with VPN client software, a homeworker with a VPN router, a branch office with a VPN router, a teleworker with VPN client software, a dial-up user with VPN client software (via the public telephone network) and a wireless client with VPN client software (via a wireless hotspot) all reach corporate HQ over the Internet.]
Wireless: A New Big Driver for VPNs
An access point (AP) is a shared device
Remember the performance issues of shared hubs
Bridges and other devices allow for interconnection
Protocols and applications work seamlessly
[Diagram: wireless clients reaching the Internet through a shared access point]
Basic VPN Terms
[Diagram: five VPN topologies, each crossing the Internet]
  Router to Router VPN Gateway (Extranet)
  VPN Client to Router VPN via Dial-Up (Access VPN)
  Other Vendors to Router VPN (Extranet)
  Router to VPN Firewall Gateway (Extranet)
  VPN Client to Router VPN Network (Intranet)
Using Site-to-Site VPNs
[Diagram: a central site links to a branch/remote office (Intranet VPN) and to a business-to-business partner (Extranet VPN); the transports shown are Frame Relay WAN network, Internet VPN, PSTN/ISDN and broadband.]
Using Remote-Access VPNs

Remote Access Client
  Cisco VPN Clients (IPSec)
  Microsoft Win 9x/NT/2000/XP (LTTPP)
  Third-party VPN client (PPTP)

Remote Access Gateway
  Cisco WAN Router
  Cisco Secure PIX Firewall
  Or an IPSec- or PPTP-aware device to provide firewall/VPN tunnel termination

[Diagram: mobile and telecommuter remote access clients reach the central site router over the Internet through a POP (DSL or cable); an extranet, consumer-to-consumer path is also shown.]
VPN Components

  Component       Purpose              Examples
  Tunneling       Separate data        GRE, L2TP, MPLS, PPTP
  Integrity       Prevent tampering    TCP checksum, AH in IPSec
  Encryption      Increase protection  IPSec, DES, 3DES, MPPE
  Authentication  Identify source      PKI, RSA
VPN Security
What a VPN Must Provide
Confidentiality
Integrity
Availability
Network Security Model
Data Security Assurance Model (CIA)

  Confidentiality   Benefit: ensures data privacy
                    Shuns: sniffing, replay
  Integrity         Benefit: ensures data is unaltered during transit
                    Shuns: alteration, replay
  Authentication    Benefit: ensures identity of originator or recipient of data
                    Shuns: impersonation, replay

Data Confidentiality and Data Integrity Depend on Encryption and Encapsulation
VPN Technology Options

  Application Layer (5–7):         SSL, SSH
  Transport/Network Layer (3–4):   GRE, MPLS, IPSEC (network layer)
  Link/Physical Layer (1–2):       PPTP, L2TP, MPPE, link-layer encryption
What Is an IPSec VPN?
Internet Protocol Security
A set of security protocols and algorithms used to secure IP data at the network layer
IPSec provides data confidentiality (encryption), integrity (hash) and authentication (signature/certificates) of IP packets while maintaining the ability to route them through existing IP networks
Advantages of IPSec
  Access VPNs
  Classic site-to-site managed VPNs
  Trusted MPLS VPNs
[Diagram: main office, regional office, remote office, home office, business partner and mobile workers all connected through a service provider POP.]
IPSec Key Points
IPSec can ensure the confidentiality and/or the authenticity of IP packets
The key points are
  Two modes of propagation (transport and tunnel)
  Security associations (SAs)
  Two types of header (ESP and AH)
[Diagram: packet layout IP Header | AH Header | ESP Header | IP Data (Encrypted)]
IPSec Framework
ESP—Encapsulating Security Payload
AH—Authentication Header
AES—Advanced Encryption Standard
MD5, SHA—Authentication
DH—Diffie-Hellman group identifier, used to derive the shared secret

Choices within the IPSec framework:
  IPSec protocol:  ESP, ESP + AH, AH
  Encryption:      DES, 3DES, AES
  Authentication:  MD5, SHA
  DH:              DH1, DH2, DH5
Two Types of IPSec Security Protocols

Authentication Header (AH)
  Ensures data integrity
  Provides origin authentication—ensures packets definitely came from peer router
  Uses keyed-hash mechanism
  Does not provide confidentiality (no encryption)
  Provides optional replay protection
  [Diagram: Router A to Router B, all data in cleartext]

Encapsulating Security Payload (ESP)
  Data confidentiality (encryption)
  Limited traffic flow confidentiality
  Data integrity
  Optional data origin authentication
  Anti-replay protection
  Does not protect IP header
  [Diagram: Router A to Router B, data payload is encrypted]
IP Header with IPSec Information
[Diagram: two packet layouts, IP Header | AH Header | ESP Header | IP Data (Encrypted) and IP Header | AH Header | ESP Header | IP Data]
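The AH and ESP slides above differ in what the keyed hash covers and what is encrypted, and the Network Security Model slide lists what each service shuns (sniffing, alteration, replay). The Python model below is added here as an illustration; it is not Cisco's code and not a real IPsec implementation. It builds a constructed packet and shows the consequences of the coverage rules: AH's ICV spans the immutable IP header fields (TTL is zeroed because every hop changes it), so a changed destination address is detected while a TTL decrement still verifies; ESP encrypts the payload and authenticates only the ESP header and ciphertext, so a changed outer destination goes unnoticed but the payload is hidden and any bit flip in it is caught; and a sliding window on the sequence number rejects a replayed packet. The keys, addresses and payload are constructed, an HMAC-derived keystream stands in for the DES/3DES/AES the framework slide lists, and HMAC-SHA256 truncated to 96 bits stands in for HMAC-MD5-96/HMAC-SHA1-96.

```python
"""Toy model of what AH and ESP each protect, plus ESP anti-replay.
Added illustration only: not Cisco's code and not a real IPsec implementation."""
import hashlib
import hmac
import struct


def _icv(key: bytes, data: bytes) -> bytes:
    # Keyed hash truncated to 96 bits, the way HMAC-MD5-96 / HMAC-SHA1-96 are in IPsec;
    # HMAC-SHA256 is a modern stand-in for the MD5/SHA choices on the framework slide.
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def _ip_fields_for_ah(hdr: dict) -> bytes:
    # AH covers the IP header, but mutable fields (TTL here) are zeroed before hashing
    # because every router on the path changes them.
    return hdr["src"] + hdr["dst"] + b"\x00"


class ReplayWindow:
    """Sliding window of sequence numbers already accepted on one SA (anti-replay)."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.top:                 # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                   # too old, or already seen: a replay
        self.bitmap |= 1 << diff
        return True


def ah_protect(akey: bytes, hdr: dict, payload: bytes, spi: int, seq: int) -> dict:
    ah_hdr = struct.pack("!II", spi, seq)
    icv = _icv(akey, _ip_fields_for_ah(hdr) + ah_hdr + payload)
    return {"hdr": dict(hdr), "ah": ah_hdr + icv, "payload": payload}   # payload stays cleartext


def ah_verify(akey: bytes, pkt: dict, window: ReplayWindow):
    ah_hdr, icv = pkt["ah"][:8], pkt["ah"][8:]
    expected = _icv(akey, _ip_fields_for_ah(pkt["hdr"]) + ah_hdr + pkt["payload"])
    if not hmac.compare_digest(expected, icv):
        return None
    _, seq = struct.unpack("!II", ah_hdr)
    return pkt["payload"] if window.accept(seq) else None


def _keystream(ekey: bytes, spi: int, seq: int, n: int) -> bytes:
    # Toy stream cipher keyed per (SPI, sequence number); a stand-in for DES/3DES/AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ekey, struct.pack("!III", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_protect(ekey: bytes, akey: bytes, hdr: dict, payload: bytes, spi: int, seq: int) -> dict:
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(ekey, spi, seq, len(payload))))
    # The ICV covers the ESP header and ciphertext only; the outer IP header is not protected.
    return {"hdr": dict(hdr), "esp": esp_hdr + ct + _icv(akey, esp_hdr + ct)}


def esp_open(ekey: bytes, akey: bytes, pkt: dict, window: ReplayWindow):
    esp_hdr, ct, icv = pkt["esp"][:8], pkt["esp"][8:-12], pkt["esp"][-12:]
    if not hmac.compare_digest(_icv(akey, esp_hdr + ct), icv):   # integrity check first
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    if not window.accept(seq):                                     # then anti-replay
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ekey, spi, seq, len(ct))))


def demo() -> dict:
    """Constructed packet and keys; returns which property each scenario exhibits."""
    akey, ekey = b"constructed-auth-key", b"constructed-enc-key"
    hdr = {"src": bytes([10, 1, 1, 1]), "dst": bytes([10, 2, 2, 2]), "ttl": 64}
    data = b"GET /payroll HTTP/1.1"
    r = {}
    ah = ah_protect(akey, hdr, data, spi=0x100, seq=1)
    r["ah_verifies"] = ah_verify(akey, ah, ReplayWindow()) == data
    hopped = {**ah, "hdr": {**ah["hdr"], "ttl": 63}}          # a router decremented TTL
    r["ah_tolerates_ttl_change"] = ah_verify(akey, hopped, ReplayWindow()) == data
    rerouted = {**ah, "hdr": {**ah["hdr"], "dst": bytes([10, 9, 9, 9])}}
    r["ah_detects_dst_change"] = ah_verify(akey, rerouted, ReplayWindow()) is None
    esp = esp_protect(ekey, akey, hdr, data, spi=0x200, seq=1)
    r["esp_hides_payload"] = data not in esp["esp"]
    win = ReplayWindow()
    r["esp_verifies"] = esp_open(ekey, akey, esp, win) == data
    r["esp_rejects_replay"] = esp_open(ekey, akey, esp, win) is None   # same packet again
    rerouted = {**esp, "hdr": {**esp["hdr"], "dst": bytes([10, 9, 9, 9])}}
    r["esp_ignores_dst_change"] = esp_open(ekey, akey, rerouted, ReplayWindow()) == data
    flipped = esp["esp"][:8] + bytes([esp["esp"][8] ^ 0x01]) + esp["esp"][9:]
    r["esp_detects_payload_tamper"] = esp_open(ekey, akey, {**esp, "esp": flipped}, ReplayWindow()) is None
    return r
```

The order inside `esp_open` matters: the ICV is checked before the replay window is consulted, so a forged packet with a high sequence number cannot advance the window and shadow legitimate traffic. The "ESP does not protect the IP header" row on the slide is exactly the `esp_ignores_dst_change` case; when the outer addresses themselves must be authenticated, that is what AH (or ESP + AH on the framework slide) is for.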
IPSec in a Standards World
Standards-Based Cryptography
  IKE, IPSec, 3DES
  Equipment/vendor interoperability
[Diagram: headquarters firewall and router joined to a remote office firewall across the Internet/IP VPN; peers hold certificates and perform periodic re-key.]
IKE Benefits an IPSec Environment
Ensure confidential communications in an unsecured network
Also known as the Key Management Nightmare!!!
IPSec: Building a Connection
Two-phase protocol:
  Phase 1 exchange: two peers establish a secure, authenticated channel with which to communicate; Main mode or Aggressive mode accomplishes a Phase 1 exchange
  Phase 2 exchange: security associations are negotiated on behalf of IPSec services; Quick mode accomplishes a Phase 2 exchange
  Each phase has its SAs: ISAKMP SA (Phase 1) and IPSec SA (Phase 2)
[Diagram: stacked layers, IKE (Phase 1) at the bottom, IKE (Phase 2) above it, Data on top]
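To make the two phases concrete, here is a small Python model added as an illustration; it is not Cisco's code and not an IKE implementation. It follows the RFC 2409 pre-shared-key key-derivation formulas: Phase 1 combines the Diffie-Hellman result, the ISAKMP cookies and the nonces into SKEYID_d, SKEYID_a and SKEYID_e for the ISAKMP SA, and Phase 2 (Quick Mode) derives per-SPI KEYMAT for each IPSec SA from SKEYID_d, so the two directions of a tunnel get distinct keys. The Diffie-Hellman group is a constructed 127-bit toy, far smaller than the DH1/DH2/DH5 groups on the framework slide, and HMAC-SHA256 stands in for the negotiated HMAC-MD5/SHA prf. Each side computes only from what it knows (its own private exponent plus the peer's public value), and a wrong pre-shared key on one side yields different SKEYID values on the two peers, which is why a PSK mismatch surfaces as a Phase 1 authentication failure rather than a decryption problem later.

```python
"""Toy model of IKEv1 key derivation across the two phases (RFC 2409, pre-shared key mode).
Added illustration only: not Cisco's code and not an IKE implementation."""
import hashlib
import hmac
import secrets

# Constructed toy group: the 127-bit Mersenne prime 2^127 - 1 with generator 2. Real IKE uses
# the negotiated MODP group (DH1/DH2/DH5 on the slide); this one is far too small for
# production and exists only so the arithmetic runs instantly.
P = (1 << 127) - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    # The negotiated prf on the slide is HMAC with MD5 or SHA; HMAC-SHA256 is a stand-in.
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)                     # (private, public g^x mod p)


def dh_shared(private: int, peer_public: int) -> bytes:
    return pow(peer_public, private, P).to_bytes(16, "big")   # g^xy mod p as 16 bytes


def phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID and its three derivatives, as in RFC 2409 section 5.4 (pre-shared key)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")           # seeds IPSec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP SA integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP SA encryption
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def phase2_keymat(skeyid_d: bytes, protocol: bytes, spi: bytes, ni2: bytes, nr2: bytes,
                  g_qm: bytes = b"") -> bytes:
    """Quick Mode KEYMAT (RFC 2409 section 5.5); g_qm is non-empty only when PFS is used."""
    return prf(skeyid_d, g_qm + protocol + spi + ni2 + nr2)


def run_exchange(initiator_psk: bytes, responder_psk: bytes) -> dict:
    """Simulate both peers; each side computes only from what it knows."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)      # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)          # Phase 1 nonces
    xi, gxi = dh_keypair()                                             # initiator's DH pair
    xr, gxr = dh_keypair()                                             # responder's DH pair
    # Phase 1: each side combines its own private value with the peer's public value.
    gxy_i, gxy_r = dh_shared(xi, gxr), dh_shared(xr, gxi)
    keys_i = phase1_keys(initiator_psk, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = phase1_keys(responder_psk, ni, nr, gxy_r, cky_i, cky_r)
    # Phase 2: one IPSec SA per direction, each with its own SPI, keyed from SKEYID_d.
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)        # Quick Mode nonces
    esp = b"\x03"                                                      # PROTO_IPSEC_ESP
    spi_in, spi_out = secrets.token_bytes(4), secrets.token_bytes(4)
    keymat_i = [phase2_keymat(keys_i["d"], esp, s, ni2, nr2) for s in (spi_in, spi_out)]
    keymat_r = [phase2_keymat(keys_r["d"], esp, s, ni2, nr2) for s in (spi_in, spi_out)]
    return {
        "dh_match": gxy_i == gxy_r,                 # both sides reached the same g^xy
        "phase1_match": keys_i == keys_r,           # ISAKMP SA keys agree
        "phase2_match": keymat_i == keymat_r,       # IPSec SA keys agree
        "sa_keys_distinct": keymat_i[0] != keymat_i[1],   # inbound and outbound differ
    }
```

Note that the Diffie-Hellman values agree even when the pre-shared keys do not (`dh_match` is true in both runs): DH alone gives two parties a shared secret but says nothing about who they are, which is what the PSK, or the certificates and signatures in the Main Mode messages 5 and 6, add on top.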
How Does IKE/IPSec Work?
[Diagram: peers A and B (and C and D) first build the Phase I SA (ISAKMP SA) using Main Mode (6 messages) or Aggressive Mode (3 messages); Quick Mode then creates the Phase II SAs (IPSec SA), one per direction, for a new IPSec tunnel or a rekey; protected data flows over the Phase II SAs.]
ISAKMP Main, Quick and Aggressive Modes
(Initiator on the left, responder on the right; [ ] marks an optional payload)

ISAKMP Main Mode (Phase 1), 6 messages
  1  Initiator -> Responder: Header, SA
  2  Responder -> Initiator: Header, SA
  3  Initiator -> Responder: Header, Key, Nonce
  4  Responder -> Initiator: Header, Key, Nonce
  5  Initiator -> Responder: Header, ID, [Cert], Sig
  6  Responder -> Initiator: Header, ID, [Cert], Sig

ISAKMP Aggressive Mode (Phase 1), 3 messages
  1  Initiator -> Responder: Header, SA, [Key], Nonce, ID
  2  Responder -> Initiator: Header, SA, [Key], Nonce, ID, [Cert], Sig
  3  Initiator -> Responder: Header, [Cert], Sig

ISAKMP Quick Mode (Phase 2), 3 messages
  1  Initiator -> Responder: Header, Hash, SA, [Key], Nonce, ID/ID
  2  Responder -> Initiator: Header, Hash, SA, [Key], Nonce, ID/ID
  3  Initiator -> Responder: Header, Hash
What Is a Web/SSL VPN?
Uses certificates for identification
Private key used to prove identity
SSL server provides all encryption keys
Originally for HTTP/Web applications
[Diagram: the two endpoints each hold a certificate.]
Web/SSL VPN Features

Feature
  Access to internal web sites (HTTP/HTTPS) including filtering
  Access to internal Windows (CIFS) File Shares
  TCP port forwarding for legacy application support
  Access to e-mail via POP, SMTP, and IMAP4 over SSL

[Diagram: a wireless LAN client reaches the corporate network through an access point, a broadband modem, the broadband provider/ISP and an ASA Firewall running WebVPN.]
Web/SSL VPN and IPSec Comparison

WebVPN
  Uses a standard web browser to access the corporate network
  SSL encryption native to the browser provides transport security
  Applications accessed through a browser portal
  Limited client/server applications accessed using applets

IPSEC VPN
  Uses purpose-built client software for network access
  Client provides encryption and desktop security
  Client establishes a seamless connection to the network
  All applications are accessible through their native interface
What Is a PPTP VPN?
Point to Point Tunneling Protocol
PPTP is a network protocol used in the implementation of Virtual Private Networks (VPN); RFC 2637 is the PPTP technical specification
PPTP works on a client server model; PPTP clients are included by default in Microsoft Windows and also available for both Linux and Mac OS X; newer VPN technologies like L2TP and IPSec may replace PPTP someday, but PPTP/MPPE remains a popular network protocol especially on Windows computers
VPN Technology Options

  Application Layer (5–7):         SSL, SSH
  Transport/Network Layer (3–4):   GRE, MPLS, IPSEC (network layer)
  Link/Physical Layer (1–2):       PPTP, L2TP, MPPE, link-layer encryption
Benefits of PPTP

PPTP
  PPPoE is Point-to-Point Protocol over Ethernet
  Single tunnel between end-points; single device support (GRE = Generic Routing Encapsulation)
  Six bytes of overhead when compression is used
  No tunnel authentication
  With a RADIUS server, supports authentication and accounting
  CHAP V2 fixes password, masquerading, and encryption weaknesses
  40- or 128-bit RC4 packet encryption

[Diagram: encapsulation across the tunnel. Between the organization and the secure network the packet on the Internet is IP | GRE | PPP | IP | TCP | User Data; the PPTP endpoints add and strip the outer IP, GRE and PPP layers, so inside each network the packet is IP | TCP | User Data and the application sees only User Data.]
Is PPTP Secure? Yes
[Diagram: PPTP session setup between the organization and the secure network across the Internet: Connection Request, Challenge, Response, New Client Key, New Server Key, Encrypted Packet.]
CHAP V2 Authentication with 40 or 128 bit RC4 Encryption
VPN Technology Comparison

  Scope                       Technologies
  Application to Application  SSL
  End to End                  IPSec Transport Mode
  Gateway to Gateway          PPTP, L2TP/IPSec, IPSec Tunnel Mode
  Client to Gateway           PPTP, L2TP/IPSec

(The slide arranges these along an axis running from Simplicity / Low Cost to Advanced Security.)

PPTP—Point to Point Tunneling Protocol—Layer 2—Multiprotocol
L2TP/IPSec—Layer 2 Tunneling Protocol—Multiprotocol—Encryption and Authentication
IPSec—IP Security—Layer 3—IP Protocol—Encryption and Authentication
SSL—Secure Sockets Layer—Layer 6/7—Application—Encryption and Authentication
Group Exercise: Configuring VPNs Lab
Summary
Demonstration
Introduction to VPNs
VPN Security (IPSec, PPTP, SSL)
VPN Technology Comparison
VPN Group Exercise