Cisco Secure VPN Ebook

Cramsession™ for Cisco Secure VPN

  This study guide will help you prepare for the Cisco Secure VPN exam, 9E0-570, which is one in a series of four exams required to achieve the Cisco Security Specialty. Exam topics include building and maintaining Cisco security solutions, which encompass standalone firewall products and IOS software features, IPSec, and configuring VPNs on the Cisco Concentrator platform.

Overview of VPN and IPSec Technologies

What is a VPN?

  • A VPN is a Virtual Private Network
  • Now, as more and more companies need access for remote users, mobile users or remote offices, your current architecture can be augmented with a VPN
  • A Virtual Private Network is a network that is created by encryption (tunneling) across another unsecured medium, like the Internet
  • What is great about Cisco and VPNs is that all Cisco devices can be configured as a VPN enabled device solely by the IOS feature set itself. There is a concentrator series, but you can take a PIX or a basic router and "VPN enable it" by configuring the IOS

General VPN Diagram

  Here is a general idea of what a VPN solution may look like:

  • In any VPN solution, you generally have a Main office or WHQ (World Headquarters) that everyone comes back to in order to use or get resources
  • Here we see that a Mobile user, a branch office, and a home office are all accessing resources in the Main Office via the service provider's network and VPN, Virtual Private Network

Why Use a VPN?

  • Well, it is cost effective for one thing. The service provider supplies the brunt of the hardware and support for your new WAN connection
  • It can be used as an augmentation to your existing infrastructure. If you have many mobile users, remote offices and remote branches, this may be a technology you can implement

What are some of the other components of a VPN?

  • You definitely need to look into security for one, and pay attention to QoS for another. Security is in your hands and is your responsibility; therefore, you must use encryption and configure it. Also, if there are mission critical services, remember… a VPN may not offer you the flexibility of having a specific amount of bandwidth. Usually it is made up of dial-up connections that are not very fast
  • Cisco VPNs employ outstanding encryption and tunneling support: IPSec, L2TP and GRE, to name a few tunneling standards, and DES and 3DES based encryption technologies

  A VPN generally consists of a secure, private tunnel between a remote endpoint and a gateway. (A tunnel is explained below.) The sensitive nature of some communications requires the help of IPSec to provide: 1) confidentiality, 2) integrity, and 3) authentication services.

  Here is what these three services really do:

Confidentiality

  • If something is sent, then the intended party can read it, while at the same time other parties may intercept it but are not able to read it
  • Provided by encryption algorithms such as DES

Integrity

  • Is making sure that the data is transmitted from the source to the intended destination without undetected alterations or changes
  • Provided by hashing algorithms such as MD5

Authentication

  • Is knowing that the data you received is in fact the same as the data that was sent, and that the person or sender who claims to have sent it is in fact the actual person or sender
  • Provided by mechanisms such as the exchange of digital certificates

VPN Types

Internet VPN

  • A private communications channel over the public access Internet

  This type of VPN can be divided into:

  • Connecting remote offices across the Internet
  • Connecting remote-dial users to their home gateway via an ISP (sometimes called a VPDN, Virtual Private Dial Network)

Intranet VPN

  • A private communication channel in an enterprise or an organization that may or may not involve traffic going across a WAN
  • Remember, an Intranet is a network that is only accessible from within your Internetwork. You can have users dial in for access to your Intranet via a VPN

Extranet VPN

  • A private communications channel between two or more separate entities that may entail data going across the Internet or some other WAN
  • Extranets are used so companies can easily create links with their suppliers and business partners

Remote users

  • The Internet provides a low-cost alternative for enabling remote users to access the corporate network
  • Rather than maintaining large modem banks and costly phone bills, the enterprise can enable remote users to access the network over the Internet
  • With just a local phone call to an Internet service provider, a user can have access to the corporate network

  Here is another breakdown of the typical VPN architecture:

What is a Tunnel?

  • A Tunnel is a type of encryption that makes the connection from one point to the other point secure
  • The tunnel is called virtual because it can't be accessed from the rest of the Internet based connection. (Note: It is not technically a tunnel, nor does it resemble a tunnel like depicted below in the diagram, but that is just how it is shown.)

  A diagram of a Tunnel may look like this:

What Is IPSec?

  All configuration based commands and details can be found here:

IPSec or IP (Internet Protocol Security)

  • IP Security (IPSec) is a standards based protocol that provides privacy, integrity, and authenticity to data that is transferred across a network
  • A major problem today is that the Internet has a major lack of security (it wasn't designed to have a lot of security) and more and more people are using it each and every day, both for private use and business use. This poses a major problem and a major threat
  • The Internet is subject to many attacks that include:
      o Loss of privacy
      o Loss of data integrity
      o Identity spoofing
      o Denial-of-service
    (Each of these is described below in the "Why Do We Need IPSec?" section.)
  • The goal of IPSec is to address all of these threats without the requirement of expensive host or application modifications and changes
  • Before IPSec, networks were forced to deploy partial solutions that addressed only a portion of the problem. An example is SSL, which only provides application encryption for Web browsers and other applications. SSL protects the confidentiality of data sent from each application that uses it, but it does not protect data sent from other applications. Every system and application must be protected with SSL in order for it to work efficiently. This does not equal a total solution, only a partial one or one that can be easily fumbled
  • IPSec has been mandated in IP Version 6 (IPv6 has IPSec), and if everyone implemented Version 6, then IPSec would be commonplace
  • Remember, IPSec is a network and transport level encryption (unlike SSL)
  • SSL or Secure Sockets Layer is application level or Web Browser Client based encryption
  • IPSec provides IP network-layer encryption. The standards define several new packet formats:
      o The authentication header (AH) to provide data integrity
      o The encapsulating security payload (ESP) to provide confidentiality and data integrity
  • IPSec combines several different security technologies into a complete system to provide confidentiality, integrity, and authenticity
  • In particular, IPSec uses:
      o Diffie-Hellman key exchange for deriving key material between peers on a public network
      o Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties and avoid man-in-the-middle attacks
      o Bulk encryption algorithms, such as DES, for encrypting the data
      o Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA for providing packet authentication
      o Digital certificates, signed by a certificate authority, to act as digital ID cards

Why Do We Need IPSec?

Loss of Privacy

  • A perpetrator may be able to observe confidential data as it traverses the Internet
  • This ability is probably the largest inhibitor of business-to-business communications today. Without encryption, every message sent may be read by an unauthorized party

Loss of Data Integrity

  • Even for data that is not confidential, one must still take measures to ensure data integrity
  • For example, you may not care if anyone sees your routine business transaction, but you would certainly care if the transaction were modified

Identity Spoofing

  • Moving beyond the protection of data itself, you must also be careful to protect your identity on the Internet
  • Many security systems today rely on IP addresses to uniquely identify users

Denial-of-service

  • As organizations take advantage of the Internet, they must take measures to ensure that their systems are available
  • Over the last several years attackers have found deficiencies in the TCP/IP protocol suite that allow them to arbitrarily cause computer systems to crash

Cisco leveraged IPSec Benefits

  • IPSec is a key technology component of Cisco's end-to-end network service offerings. Working with its partners in the Enterprise Security Alliance, Cisco ensures that IPSec is available for deployment wherever its customers need it. Cisco and its partners offer IPSec across a wide range of platforms that includes:
      o Cisco IOS software
      o Cisco PIX Firewall
      o Windows 9x, Windows NT4, and Windows 2000
  • Cisco is working closely with the IETF to ensure that IPSec is quickly standardized and is available on all other platforms
  • Customers who use Cisco's IPSec will be able to secure their network infrastructure without costly changes to every computer. Customers who deploy IPSec in their network applications gain privacy, integrity, and authenticity controls without affecting individual users or applications. Application modifications are not required, so there is no need to deploy and coordinate security on a per-application, per-computer basis
  • IPSec provides an excellent remote user solution. Remote workers can use an IPSec client on their PC in combination with the Layer 2 Tunneling Protocol (L2TP) to connect back to the enterprise network. The cost of remote access is decreased dramatically, and the security of the connection actually improves over that of dialup lines

IPSec Architecture

  This is a general diagram of all the IPSec architecture components, each described below. The two main functions you need to know well for the exam are ESP and AH. They appear at the top of the following diagram.

IPSec Packets

  • IPSec defines a new set of headers that are added to IP datagrams
  • These new headers are placed after the IP header and before the Layer 4 protocol (TCP or UDP)

Authentication header (AH)

  • This header will ensure the integrity and authenticity of the data when it is added to the datagram
  • It does not provide confidentiality protection
  • AH uses a keyed hash function rather than digital signatures, and this is because digital signature technology is way too slow and would reduce network throughput
  • AH is also embedded in the data for protection purposes

Encapsulating security payload (ESP)

  • This header protects the confidentiality, integrity, and authenticity of the data when added to the data
  • AH and ESP can be used independently or together, although for most applications just one of them is sufficient
  • For both of these protocols, IPSec does not define the specific security algorithms to use, but rather provides an open framework for implementing industry standard algorithms
  • ESP encapsulates the data to be protected

Note: Ensure that, when configuring your access lists, protocol 50 and 51 as well as UDP port 500 traffic is not blocked at interfaces used by IPSec. Otherwise, you may have a problem
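As an added example that is not part of the original guide, here is how that note translates into a Cisco IOS extended access list on the Internet-facing interface. The addresses (203.0.113.1 for this router, 203.0.113.2 for the peer, 10.1.1.0/24 and 10.2.2.0/24 for the protected subnets) and the interface name are placeholders, and the last permit assumes an older IOS image that re-checks decrypted packets against the inbound list.

```cisco
! Added example: permit IPSec control and data traffic from one peer.
! 203.0.113.1 = this router's outside address, 203.0.113.2 = remote peer (placeholders).
!
! IKE negotiates the security associations over UDP port 500;
! "eq isakmp" is the IOS name for port 500.
access-list 110 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
! ESP is IP protocol 50 (IOS keyword "esp"); it carries the encrypted payload.
access-list 110 permit esp host 203.0.113.2 host 203.0.113.1
! AH is IP protocol 51 (IOS keyword "ahp"); it carries only the integrity check.
access-list 110 permit ahp host 203.0.113.2 host 203.0.113.1
! Assumption: on older IOS images the packet that comes out of the tunnel after
! decryption is checked against this inbound list again, so the clear-text flow
! between the protected subnets (placeholders) must be permitted as well.
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! Everything else arriving from the Internet is dropped and logged, which is
! also where a blocked IKE or ESP flow shows up when a tunnel will not come up.
access-list 110 deny ip any any log
!
interface Serial0/0
 description Internet-facing interface (placeholder name)
 ip address 203.0.113.1 255.255.255.252
 ip access-group 110 in
```

If the tunnel still fails, "show access-lists 110" shows which entry is matching; a rising deny counter with no ESP matches usually means the peer's ESP or IKE traffic is being dropped before IPSec sees it.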

IPSec provides two modes of operation

Transport Mode

  • An encapsulation mode for AH and ESP
  • When using transport mode only the payload is encrypted, and that means that the original IP headers are left fully intact
  • The advantage of Transport mode is that it only adds a few bytes to each packet
  • This mode also allows devices on the public network to view the source and destination of each packet
  • The disadvantage of Transport mode is that passing the IP header in the clear allows an attacker to capture the packet and perform some traffic analysis

  [Diagram: transport mode packet: Source | Destination | Encrypted Data]

Tunnel Mode

  • With tunnel mode the entire IP datagram is encrypted, and it then becomes the payload in a newly constructed IP packet
  • Tunnel mode also allows a router to act as an IPSec proxy, which means that the router performs encryption on behalf of the hosts
  • A great advantage is that the source and the destination addresses are not visible while encrypted
  • Remember: Tunnel Mode is used to protect datagrams sourced from or destined to non-IPSec systems

  [Diagram: tunnel mode packet: Tunnel Source | Tunnel Destination | Encrypted (Source | Dest | Data)]

  For excellent diagrams, explanations and more information on the IPSec packet structure for Transport and Tunnel mode, visit the AT&T IPSec link below:

Cryptology Basics

Advantages and Disadvantages

  Type        Advantages                                    Disadvantages
  Public Key  Usage of two different keys                   Slow
              Pretty easy to distribute keys
              Uses digital signatures to provide integrity
  Symmetric   Very fast                                     Uses two of the same key
              Can be implemented in hardware                Not easy to distribute keys
                                                            Does not support digital signatures

Certification Authority (CA)

  • A certificate authority is the authority in a network that issues and manages security credentials and public keys for message encryption
  • As part of a public key infrastructure, a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate, so if the RA verifies the requestor's information, the CA can then issue a certificate
  • Depending on the public key infrastructure implementation, the certificate includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner

Message Digest 5 (MD5)

  • MD5 is a one-way hashing algorithm that produces a 128-bit hash. Cisco uses hashes for authentication for IPSec
  • Remember that SHA is more secure than MD4 and MD5

VeriSign, Inc.

  • VeriSign is the leading provider of digital certificate solutions for extranets and intranets, including IPSec

Common Algorithms

  DES             Data Encryption Standard; uses a 56 bit key
  3DES            Encrypts a block 3 times with 3 different keys
  RSA             Rivest, Shamir, and Adleman; common key is 512 bits
  Diffie-Hellman  Very old; does not support Digital Signatures and encryption

  Note: Remember these basic facts

Command reference for IPSec, IKE and CA

  If you need to configure any of these technologies, use this command reference on the Cisco web site for all your needs:

Cisco VPN 3000 Concentrator Overview

Cisco VPN 3000 Concentrator

  Note: This used to be an Altiga product until Cisco bought it

What is the Concentrator?

  • The VPN 3000 Concentrator Series is a remote access VPN platform and client software solution that incorporates very high availability, high performance and scalability with encryption and authentication
  • It is unique in that it can offer field swappable components called Scalable Encryption Processing or SEP modules. It is also customer upgradeable
  • The specialized SEP modules perform hardware based acceleration
  • Only the VPN 3080 Concentrator is available in a fully redundant configuration at this time
  • Special features:
      o Broadband performance
      o Scalable encryption
      o Redundant, hot swap SEPs with stateful SEP failover
      o Stateless chassis failover (VRRP)
      o Redundant power supplies
      o Full instrumentation

Configurations guide for the 3000 series

  Note: All information on the concentrator can be found within these links

  Although this is not on the exam, you may find this link VERY helpful if you are implementing a VPN solution with the 3000 and Microsoft Technologies

How to Configure the VPN 3000 Concentrator with Microsoft Certificates

3000 Concentrator Shots:

  Front and back views

For all Concentrator based information

Other Cisco VPN Products and Solutions

  • Cisco provides a suite of VPN-optimized routers that run the range of VPN applications from telecommuter applications with the Cisco 800 for ISDN access, to remote office connectivity with the Cisco 1700, 2600, and 3600, to head-end connectivity with the Cisco 7200 & 7500
  • Furthermore, Cisco product breadth extends into the new world of broadband telecommuter and small office VPN connectivity with the Cisco uBR900 cable access router/modem and the Cisco 1400 DSL router/modem. Providing DSL and cable solutions is unique in the VPN market
  • The Cisco 7100 Series VPN Router is an "integrated VPN router" that provides solutions for VPN-centric environments. VPN-optimized routers provide VPN solutions for hybrid VPN environments where modularity, port density, and flexibility are required for private WAN aggregation and other classic WAN applications
  • The Cisco 7100 provides solutions for VPN-centric environments where WAN density requirements are lower, as only one or two connections to the VPN cloud are required for VPN connectivity. I/O of the 7100 is focused on these single or dual homing WAN configurations, and it provides high performance for robust VPN services throughput
  • You can also look at the 5000 series concentrator, but it is not listed on the testable objectives at this time

Cisco VPN 3000 Concentrator Configurations Guide

Configurations

  You can use the below links and guides to look at all the different configurations that you can apply in your design. Look at each link and make sure that you are comfortable with all the configurations listed below.

Advanced Configurations:

Advanced Encryption Configurations:

Crypto Maps

Crypto map

  A Cisco IOS software configuration tool that performs specific functions:

  • It selects data flows that need security processing
  • It defines the policy for these flows and the crypto peer that traffic needs to go to
  • A crypto map is applied to an interface
  • The concept of the crypto map was introduced in classic crypto but expanded for IPSec

Creating Crypto Maps

  • To configure a router for encryption, a "crypto map" must be defined
  • This crypto map specifies the access list to be used to define the traffic to encrypt, the algorithm that will be used in encrypting data, and the peer with whom the router will exchange this data
  • Extended IP access lists describe the traffic that will be encrypted; the inverse of this access list is used to decrypt
  • IP encryption is supported, and users can tunnel other protocols inside of IP and encrypt the encapsulating IP packets and payload
  • This procedure can be done using the keyword GRE in access-list entries
  • The algorithm specified in this map must be running on the router in order to use it, so if the map specifies "40-bit-des cfb-64," the global command "algorithm 40-bit-des cfb-64" must be in the configuration in order to encrypt data
  • By default, the 56-bit image runs 56-bit-DES CFB-64, and the 40-bit image runs 40-bit-DES CFB-64
  • As with any route map configuration, crypto maps have to be carefully written before applying them to the interface, in order to verify what will be encrypted
  • Console access is recommended for application of the map
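The steps above, carried through as one IPSec crypto map on a Cisco IOS router. This is an added example, not configuration from the guide; it uses the IPSec (ipsec-isakmp) form of the crypto map and the set peer, set transform-set, set pfs and match address commands, and the peer address 203.0.113.2, the protected subnets 10.1.1.0/24 (local) and 10.2.2.0/24 (remote), the names VPNMAP and STRONG, the pre-shared key and the interface name are all placeholders.

```cisco
! Added example: site-to-site IPSec with IKE (ISAKMP) and a static crypto map.
! All addresses, names and the pre-shared key are placeholders.
!
! 1. IKE phase 1 policy: how the peers authenticate each other and protect
!    the key exchange (3DES, SHA, Diffie-Hellman group 2, pre-shared key).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.2
!
! 2. Transform set: the algorithms IPSec itself runs on the data. ESP with 3DES
!    gives confidentiality, the SHA HMAC gives integrity. Tunnel mode hides the
!    original IP header; "mode transport" would leave it in the clear.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
 mode tunnel
!
! 3. Extended access list that selects the traffic to encrypt. The peer must
!    configure the mirror image (10.2.2.0/24 to 10.1.1.0/24), which is what this
!    router expects to arrive encrypted.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! 4. The crypto map ties flow selection, policy and peer together.
!    set pfs forces a fresh Diffie-Hellman exchange for each IPSec SA.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG
 set pfs group2
 match address 101
!
! 5. Apply the map to the interface facing the peer. Do this from the console,
!    after checking access-list 101, because a wrong map can cut off remote
!    management sessions that now match the encrypt rule.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPNMAP
```

After a packet from 10.1.1.0/24 to 10.2.2.0/24 triggers the negotiation, "show crypto isakmp sa" should list the peer in state QM_IDLE and "show crypto ipsec sa" should show the encaps and decaps counters increasing.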

Command reference

  crypto key generate rsa       Generate an RSA key pair
  crypto ca certificate query   Enables query mode / causes certificates and CRLs (Certificate Revocation Lists) to be stored locally
  crypto ca identity            Declare a CA
  enrollment url                Specifies the URL of the CA
  enrollment mode ra            Specifies that the CA system provides a registration authority
  crl optional                  Even if the appropriate CRL is not accessible, other peer certificates can still be accepted
  exit                          This will exit ca-identity config mode
  crypto ca authenticate        Get the CA public key
  crypto ca enroll              Requests certificates for all the RSA key pairs
  crypto ca crl request         Requests an updated CRL

Reference for Maps

  crypto map                    Apply a crypto map set to the interface
  crypto dynamic-map            Create a dynamic map entry
  set transform-set             Specify which transform sets are allowed for the map entry
  match address                 Name an extended access list to use (optional)
  set peer                      Specifies a remote IPSec peer
  set pfs                       Specify that IPSec should ask for perfect forward secrecy