
IPsec uses the Internet Key Exchange (IKE) Protocol to negotiate and establish secured site-to-site or remote access VPN tunnels. IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).

NOTE IKE is defined in RFC 2409, “The Internet Key Exchange.”

ISAKMP has two phases. Phase 1 is used to create a secure bidirectional communication channel between the IPsec peers. This channel is known as the ISAKMP Security Association (SA).

Phase 1

Within Phase 1 negotiation, several attributes are exchanged, including the following:

Encryption algorithms

Hashing algorithms

Diffie-Hellman groups

Authentication method

Vendor-specific attributes

The following are the typical encryption algorithms:

Data Encryption Standard (DES): 64 bits long

Triple DES (3DES): 168 bits long

Advanced Encryption Standard (AES): 128 bits long

AES 192: 192 bits long

AES 256: 256 bits long

Hashing algorithms include these:

Secure Hash Algorithm (SHA)

Message digest algorithm 5 (MD5)

The common authentication methods are preshared keys (where the peers agree on a shared secret) and digital certificates with the use of Public Key Infrastructure (PKI).

NOTE Typically, small and medium-sized organizations use preshared keys as their authentication mechanism. Several large organizations use digital certificates for scalability, for centralized management, and for the use of additional security mechanisms.

You can establish a Phase 1 SA in two ways:

Main mode

Aggressive mode

In main mode, the IPsec peers complete a six-packet exchange in three round-trips to negotiate the ISAKMP SA, whereas aggressive mode completes the SA negotiation in three packet exchanges. Main mode provides identity protection if preshared keys are used. Aggressive mode only provides identity protection if digital certificates are used.

NOTE Cisco products that support IPsec typically use main mode for site-to-site tunnels and aggressive mode for remote-access VPN tunnels. This is the default behavior when preshared keys are used as the authentication method.

Figure 1-6 illustrates the six-packet exchange in main mode negotiation.

Figure 1-6 Main Mode Negotiation

[Figure 1-6 layout: R1 (initiator) on the left, R2 (responder) on the right. R1 offers two proposals, DES/MD5/DH1/preshared and 3DES/SHA/DH2/preshared; R2 is configured with 3DES/SHA/DH2/preshared. Packet 1: HDR, SA proposal (R1 to R2). Packet 2: HDR, SA choice (R2 to R1). Packet 3: HDR, KE_i, Nonce_i (R1 to R2). Packet 4: HDR, KE_r, Nonce_r (R2 to R1); the Diffie-Hellman key exchange completes and SKEYID is derived. Packet 5: HDR*, ID_i, HASH_i (R1 to R2). Packet 6: HDR*, ID_r, HASH_r (R2 to R1); IDs are exchanged and HASH is verified. The asterisk marks packets 5 and 6 as encrypted. Phase 1 SA parameter negotiation complete.]

In Figure 1-6, two Cisco IOS Software routers are configured to terminate a site-to-site VPN tunnel between them. The router labeled as R1 is the initiator, and R2 is the responder. The following are the steps illustrated in Figure 1-6.

Step 1 R1 (the initiator) has two ISAKMP proposals configured. In the first packet, R1 sends its configured proposals to R2.

Step 2 R2 evaluates the received proposal. Because it has a proposal that matches the offer of the initiator, R2 sends the accepted proposal back to R1 in the second packet.

Step 3 Diffie-Hellman exchange and calculation is started. R1 sends the Key Exchange (KE) payload and a randomly generated value called a nonce.

Step 4 R2 receives the KE payload and nonce and returns its own KE payload and nonce in the fourth packet. Each peer then completes the Diffie-Hellman computation for the agreed group and derives the SKEYID.

Step 5 R1 sends its identity information. The fifth packet is encrypted with the keying material derived from the SKEYID. The asterisk in Figure 1-6 is used to illustrate that this packet is encrypted.

Step 6 R2 validates the identity of R1, and R2 sends its own identity information to R1. This packet is also encrypted.
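The six-step exchange above, as an added worked example that is not from the original text or from any Cisco implementation: proposal selection for packets 1 and 2, a Diffie-Hellman exchange for packets 3 and 4, and the preshared-key SKEYID and HASH_I computations from RFC 2409 that packets 5 and 6 rely on. The policy tables, identities and the tiny Diffie-Hellman group are constructed for illustration and are not real IKE groups or router configuration.

```python
import hmac, hashlib, secrets

# Constructed ISAKMP policies (encryption, hash, DH group, auth); list order is preference.
R1_PROPOSALS = [("DES", "MD5", 1, "preshared"), ("3DES", "SHA", 2, "preshared")]
R2_PROPOSALS = [("3DES", "SHA", 2, "preshared")]
# Toy Diffie-Hellman parameters for illustration only; IKE uses much larger MODP groups.
TOY_P, TOY_G = 2**127 - 1, 5

def choose_proposal(offered, configured):
    """Packets 1-2: the responder accepts the first offered proposal it is also configured with."""
    return next((p for p in offered if p in configured), None)

def prf(key, data, alg):
    """IKEv1 prf is HMAC keyed with the negotiated hash algorithm (RFC 2409 section 4)."""
    return hmac.new(key, data, {"MD5": hashlib.md5, "SHA": hashlib.sha1}[alg]).digest()

def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r, alg):
    """Preshared-key SKEYID and the three keys derived from it (RFC 2409 section 5)."""
    skeyid = prf(psk, ni + nr, alg)                          # SKEYID = prf(psk, Ni_b | Nr_b)
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00", alg)      # SKEYID_d seeds the IPsec SA keys
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01", alg)  # SKEYID_a authenticates ISAKMP messages
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02", alg)  # SKEYID_e encrypts packets 5 and 6
    return skeyid, d, a, e

def main_mode(psk_r1, psk_r2, idii_b=b"192.0.2.1"):
    """Runs the six-packet exchange; returns (chosen proposal, whether R2 verified HASH_I)."""
    chosen = choose_proposal(R1_PROPOSALS, R2_PROPOSALS)
    if chosen is None:
        return None, False
    alg = chosen[1]
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # cookies carried in HDR
    sai_b = repr(R1_PROPOSALS).encode()                            # body of R1's SA payload
    # Packets 3-4: KE and nonce payloads; each side finishes the DH computation itself.
    xi, xr = secrets.randbelow(TOY_P - 2) + 2, secrets.randbelow(TOY_P - 2) + 2
    gxi, gxr = pow(TOY_G, xi, TOY_P), pow(TOY_G, xr, TOY_P)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxi_b, gxr_b = gxi.to_bytes(16, "big"), gxr.to_bytes(16, "big")
    gxy_r1 = pow(gxr, xi, TOY_P).to_bytes(16, "big")                # R1's g^xy
    gxy_r2 = pow(gxi, xr, TOY_P).to_bytes(16, "big")                # R2's g^xy (same value)
    skeyid_r1 = phase1_keys(psk_r1, ni, nr, gxy_r1, cky_i, cky_r, alg)[0]
    skeyid_r2 = phase1_keys(psk_r2, ni, nr, gxy_r2, cky_i, cky_r, alg)[0]
    # Packet 5: R1 sends ID_i and HASH_I = prf(SKEYID, g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDii_b).
    hash_i = prf(skeyid_r1, gxi_b + gxr_b + cky_i + cky_r + sai_b + idii_b, alg)
    # R2 recomputes HASH_I with its own SKEYID; a preshared-key mismatch fails here.
    expected = prf(skeyid_r2, gxi_b + gxr_b + cky_i + cky_r + sai_b + idii_b, alg)
    return chosen, hmac.compare_digest(hash_i, expected)
```

Because the preshared key enters only through SKEYID, a mismatched key is detected at HASH_I verification in packet 5, which is the "identity validation" of Step 6.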

Phase 2

Phase 2 is used to negotiate the IPsec SAs. This phase is also known as quick mode. The ISAKMP SA protects the IPsec SAs, because all payloads are encrypted except the ISAKMP header. Figure 1-7 illustrates the Phase 2 negotiation between the two routers that just completed Phase 1.

Figure 1-7 Phase 2 Negotiation

[Figure 1-7 layout: Phase 2 – Quick Mode between R1 (initiator) and R2 (responder); both sides propose ESP 3DES SHA. Packet 1: HDR*, HASH1, SA proposal, Nonce_i, [KE_i], [ID_ci, ID_cr] (R1 to R2). Packet 2: HDR*, HASH2, SA proposal, Nonce_r, [KE_r], [ID_ci, ID_cr] (R2 to R1). Packet 3: HDR*, HASH3 (R1 to R2). Bracketed payloads are optional.]

The following are the steps illustrated in Figure 1-7.

Step 1 R1 sends the identity information, IPsec SA proposal, nonce payload, and (optional) KE payload if Perfect Forward Secrecy (PFS) is used. PFS is used to provide additional Diffie-Hellman calculations.

Step 2 R2 evaluates the received proposal against its configured proposal and sends the accepted proposal back to R1 along with its identity information, nonce payload, and the optional KE payload.

Step 3 R1 evaluates the R2 proposal and sends a confirmation that the IPsec SAs have been successfully negotiated. This starts the data encryption process.
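The quick-mode key material for the ESP/3DES/SHA SAs negotiated in Figure 1-7, as an added example that is not from the original text or from Cisco code: KEYMAT expansion from SKEYID_d per RFC 2409 section 5.5, with and without the optional PFS Diffie-Hellman secret, plus the HASH(3) confirmation of Step 3. SKEYID_d, SKEYID_a, the nonces and the SPIs are constructed values; the PFS secret is passed in as bytes rather than computed.

```python
import hmac, hashlib

PROTO_IPSEC_ESP = 3   # IPsec DOI protocol ID for ESP (distinct from IP protocol number 50)

# Constructed Phase 1 material and quick-mode values (not from the page's routers).
SKEYID_D = bytes.fromhex("0a" * 20)
SKEYID_A = bytes.fromhex("0b" * 20)
NI, NR = b"initiator-nonce!", b"responder-nonce!"
SPI_IN, SPI_OUT = bytes.fromhex("c0a80001"), bytes.fromhex("c0a80002")

def prf(key, data):
    """Quick mode reuses the Phase 1 prf: HMAC with the negotiated hash (SHA-1 in Figure 1-7)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, spi, ni, nr, nbytes, gqm_xy=b""):
    """KEYMAT for one IPsec SA (RFC 2409 section 5.5), expanded by chaining the prf.
    Without PFS the input is protocol | SPI | Ni_b | Nr_b; with PFS the quick-mode
    Diffie-Hellman secret g(qm)^xy is prepended, so the keys no longer depend on SKEYID_d alone."""
    seed = gqm_xy + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr
    out, k = b"", prf(skeyid_d, seed)                  # K1 = prf(SKEYID_d, seed)
    while len(out) < nbytes:
        out += k
        k = prf(skeyid_d, k + seed)                    # Kn = prf(SKEYID_d, Kn-1 | seed)
    return out[:nbytes]

def esp_3des_sha_keys(skeyid_d, spi_in, spi_out, ni, nr, gqm_xy=b""):
    """ESP/3DES/SHA needs 24 cipher + 20 HMAC bytes per SA; each direction has its own SPI,
    so the inbound and outbound SAs get independent keys."""
    keys = {}
    for direction, spi in (("inbound", spi_in), ("outbound", spi_out)):
        km = keymat(skeyid_d, spi, ni, nr, 44, gqm_xy)
        keys[direction] = {"3des": km[:24], "sha1": km[24:]}
    return keys

def hash3(skeyid_a, msg_id, ni, nr):
    """Packet 3 of quick mode carries only HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b),
    R1's confirmation that the IPsec SAs are negotiated."""
    return prf(skeyid_a, b"\x00" + msg_id + ni + nr)

def verify_hash3(skeyid_a, msg_id, ni, nr, received):
    """R2's check of the confirmation, using a constant-time compare."""
    return hmac.compare_digest(hash3(skeyid_a, msg_id, ni, nr), received)
```

Without PFS, anyone holding SKEYID_d and the nonces (which travel in the clear inside the encrypted ISAKMP payload only) can recompute every IPsec SA key; with PFS the extra g(qm)^xy term ties each quick mode to its own Diffie-Hellman exchange.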

IPsec uses two different protocols to encapsulate the data over a VPN tunnel:

Encapsulation Security Payload (ESP): IP Protocol 50

Authentication Header (AH): IP Protocol 51

NOTE ESP is defined in RFC 2406, “IP Encapsulating Security Payload (ESP),” and AH is defined in RFC 2402, “IP Authentication Header.”

IPsec can use two modes with either AH or ESP:

Transport mode: Protects upper-layer protocols, such as User Datagram Protocol (UDP) and TCP

Tunnel mode: Protects the entire IP packet

Transport mode is used to encrypt and authenticate the data packets between the peers. A typical example of this is the use of GRE over an IPsec tunnel. Tunnel mode is used to encrypt and authenticate the IP packets when they are originated by the hosts connected behind the VPN device. Tunnel mode adds an additional IP header to the packet, as illustrated in Figure 1-8.

Figure 1-8 demonstrates the major difference between transport and tunnel mode. It includes an example of an IP packet encapsulated in GRE and the difference when it is encrypted in transport mode and tunnel mode.

Figure 1-8 Tunnel and Transport Mode Example

SSL VPNs

SSL-based VPNs are in high demand today. SSL is a mature protocol that has been in existence since the early 1990s. SSL is also referred to as Transport Layer Security (TLS). The Internet Engineering Task Force (IETF) created TLS to consolidate the different SSL vendor versions into a common and open standard.

One of the most popular features of SSL VPN is the ability to launch a browser such as Microsoft Internet Explorer or Firefox and simply connect to the address of the VPN device. In most implementations, a clientless solution is possible. Users can access corporate intranet sites, portals, and e-mail from almost anywhere (even from an airport kiosk). Because most people allow SSL (TCP port 443) through their firewalls, it is unnecessary to open additional ports.

For more elaborate access to corporate resources, a lite-SSL client can be installed on a user machine. Cisco supports both clientless SSL VPN (WebVPN) and a lite-client. The SSL VPN Client (SVC) gives remote users the benefits of an IPsec VPN client without the need for network administrators to install and configure IPsec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer to authenticate to the VPN device. Cisco supports SSL VPN on the following products:

Cisco ASA

Cisco VPN 3000 series concentrators

Cisco IOS routers

Cisco WebVPN Services Module

[Figure 1-8 layout, four packet formats, outermost header first. Original Packet: IP hdr 1 | TCP hdr | Data. GRE Encapsulation: IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data. GRE over IPsec, Transport Mode: IP hdr 2 | ESP hdr | GRE hdr | IP hdr 1 | TCP hdr | Data. GRE over IPsec, Tunnel Mode: IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data.]

Intrusion Detection Systems (IDS) and Intrusion
