IPSec/VPN Security Management

TDC 568: Network Management Professor Ehab Al-Shaer
Sources: Panko, Stallings, NIST


What is a VPN?
A VPN is a tunnel: the data being transferred is encrypted and then encapsulated in IP packets by a VPN gateway. The VPN protects the original packet from being understood (privacy) and from having the sender's or the recipient's identity uncovered or altered (authentication).

VPN architectures:
- network to network
- host to network
- dial-up ISP to network

VPN Operation & Advantage
The VPN gateway reads the workstation packets and:
- encrypts the packet, then encapsulates the original encrypted packet in an IP packet destined to the end-point gateway (not to the client or the server in either network)

Advantages
Services:
- hides the identity of your network
- provides authentication (between gateways)
- privacy via encryption
- connects branch offices with a cost-effective network compared with leased lines
- allows users to work from home and from mobile hosts

Disadvantages of VPN (vs. leased line)
- VPN speed is bounded by the slowest link in the Internet
- a single failure in the path disconnects the entire network

IPSec Goals and Architectures
IPSec Goals
- Security (confidentiality, authentication, integrity)
- Allows different VPN vendors to interoperate

What is a VPN?
A tunnel between two networks over a shared network infrastructure such as the Internet

VPN/IPSec Architectures
- Host to host
- Network to network
- Host to network
- Dial-up ISP gateway to network

IPSec Operation Modes
IPSec Transport Operation
- Encrypts the payload only
- No encapsulation
- No hiding of the original IP header
- From host to host: the host must be aware of IPSec
- Provides end-to-end protection (from host to host)

IPSec Tunnel Operation
- Encrypts the entire message (headers + payload)
- Encapsulation: the IPSec gateway encrypts, encapsulates and sends the encrypted packet to the end-point IPSec router
- Could be host-host, host-gateway or gateway-gateway (the last is the most popular)
- Transparent to hosts
- Protects the IP address/header

IPSec Operation: Transport Mode
[Figure: transport mode. Site network (extra software may be required; security in site network) -- secure connection, secure on the Internet -- site network (security in site network; extra software may be required).]

IPSec Operation: Tunnel Mode
[Figure: tunnel mode. Site network (no extra software; no security in site network) -- IPsec gateway -- tunneled connection, secure on the Internet -- IPsec gateway -- site network (no security in site network; no extra software).]

IPSec Operation: Packet Headers
Transport mode: | Orig. IP Hdr | IPSec Hdr | Protected Packet Data Field |
  The destination IP address is the actual host address; vulnerable to scanning.

Tunnel mode: | New IP Hdr | IPSec Hdr | Protected Original Packet |
  The destination IP address is the IPSec server address; the host IP address is not revealed.

IPSec Protocols
- IPSec is a standard to provide IP security
- Mandatory in IPv6 and can be used with IPv4 too
- IPSec is transparent to the users
- It consists of three main components:
  - Internet Key Exchange (IKE): initial negotiation to agree upon the encryption mechanism, keys, etc.
  - Authentication Header (AH): security header inserted in the IP packet to determine if the packet is altered and to authenticate the sender
  - Encapsulating Security Payload (ESP): to encrypt the payload and the header of the original IP packet

IKE Protocol
IKE
Functions: (1) security parameter negotiation, (2) key exchange using Diffie-Hellman

Phase I
1. Authentication:
   - pre-shared key: manually distributed (not recommended)
   - digital certificate: both partners share the same CA; PKI can be used
2. Setting up the security parameters used for the Phase II negotiation (causing a double negotiation)

Phase II: negotiating the security parameters used in the VPN communications (authentication: MD5, SHA-1; encryption: DES, 2DES, AES; ESP or AH, etc.)

AH Protocol
- Offers authentication and integrity (not confidentiality)
- The IP header is not hidden
- Adds an additional header that includes a digital signature called the integrity check value (ICV), calculated using the IP address, to ensure the identity of the sender:
<IP Header><SPI><SEQ><Authentication Info><IP Payload>

- The receiver can verify this using the shared key + the source IP address in the header to re-calculate the DigSig and compare. This makes AH incompatible with NAT when the NAT sits between the VPN device and the Internet (why?)
  Solution: (1) put NAT after the VPN, or (2) use an integrated VPN+NAT device
- The sequence number in the header is used to avoid packet replay

ESP Protocol
- Offers full confidentiality by encrypting the IP payload
- Transport mode: adds a header and trailer as follows: <IP Header><SPI><SEQ><IP Pkt Payload Encrypted><Trailer>; the trailer includes the ICV (DigSig)
- Tunnel mode: encrypts the entire packet including the IP header, adding a new IP header, an ESP header and a trailer (for authentication too)
- ESP transport mode is also incompatible with NAT when the NAT sits between the VPN device and the Internet (why?)
  NAT changes the IP address, which implies that the TCP checksum must be changed (the TCP checksum is calculated over IP header fields too). But the TCP checksum is encrypted and cannot be modified, so the receiver will calculate a wrong checksum. Solution: put NAT after the VPN
- ESP tunnel mode would work with NAT. However, it causes a problem when it communicates with IKE, because the source UDP port must be 500 but NAT might replace it
- The sequence number in the header is used to avoid replaying packets

ESP and AH Protection using Transport Mode
Encapsulating Security Payload (ESP), Protocol = 50:
| IP Header | ESP Header | Protected | ESP Trailer |
Confidentiality, authentication and message integrity

Authentication Header (AH), Protocol = 51:
| IP Header | Authentication Header | Protected |
Authentication and message integrity; no confidentiality

Modes and Protections
[Table: protections by protocol and mode. Columns: ESP (Confidentiality, Authentication, Integrity) and AH (Authentication, Integrity). Rows: Transport Mode (End-to-End) and Tunnel Mode (IPSec Gateway to Gateway). Cells marked "Possible" denote optional protection: ESP authentication and integrity are optional in both modes.]

IPSec Security Association (SA)
SAs are established through IKE (Internet Key Exchange) to negotiate:
- the security algorithm to be used
- authentication
- symmetric key exchange (default: Diffie-Hellman)

IPSec Default Security Configuration
- Key exchange: Diffie-Hellman
- Encryption: DES-CBC
- Authentication: HMAC

IPSec Security Associations
[Figure: Party A and Party B each receive (1) a list of allowable security associations from the IPsec policy server, then negotiate (2) a Security Association (SA) for transmissions from A to B and (3) an SA for transmissions from B to A, which can be different from the A-to-B SA.]

IPSec Security Association (SA)
- Each gateway has its own SA policy server
- Before an SA is negotiated, the IPSec partner must be configured locally in the security policy database (SPD)
- The SA is stored in a database (SAD) indexed by the security parameter index (SPI) included in every IPSec packet header
- Bi-directional agreement
- Policy based (e.g., the algorithm is selected based on security level and performance overhead)

IPSec Security Policy
Each gateway has its own IPSec policy server. Configuration is stored in the security policy database (SPD). IPSec policy is written for outbound traffic; inbound traffic is matched against a mirror image of the policy. A policy is composed of:
- Crypto-access list: rules to protect, bypass or discard traffic.
  <transport> <src ip-port> <dst ip-port> <action>
- Crypto-map list: rules to transform traffic into protected form.
  <transport> <src ip-port> <dst ip-port> <transform>
- Crypto-transform list: how to perform the traffic transformation.
  <ipsec-proto> <mode> [<tunnel-end>] <params>

IPSec Security Policy: Example
Path: 1.1.1.1 -- 5.5.5.5 -- 6.6.6.6 -- 2.2.2.2

Policy on the 1.1.*.* side (outbound toward 2.2.*.*):
  crypto-access: TCP 1.1.*.* : any  2.2.*.* : any  protect
  crypto-map:    TCP 1.1.1.1 : any  2.2.2.2 : any  AH Transport {HMAC MD5}
  crypto-access: TCP 1.1.*.* : any  2.2.*.* : any  protect
  crypto-map:    TCP 1.1.1.* : any  2.2.2.* : any  ESP Tunnel 6.6.6.6 {3DES}

Policy on the 2.2.*.* side (mirror image, outbound toward 1.1.*.*):
  crypto-access: TCP 2.2.*.* : any  1.1.*.* : any  protect
  crypto-map:    TCP 2.2.2.* : any  1.1.1.* : any  ESP Tunnel 5.5.5.5 {3DES}
  crypto-access: TCP 2.2.*.* : any  1.1.*.* : any  protect
  crypto-map:    TCP 2.2.2.2 : any  1.1.1.1 : any  AH Transport {HMAC MD5}

IPSec Intra-Policy Conflicts
Conflicts in crypto-access lists
Shadowing (the later, more specific rule is never matched):
  TCP 1.1.*.* : any  2.2.*.* : any  protect
  TCP 1.1.1.1 : any  2.2.2.2 : any  bypass
Redundancy (the earlier rule's traffic gets the same action from the later rule):
  TCP 1.1.1.1 : any  2.2.2.2 : any  protect
  TCP 1.1.*.* : any  2.2.*.* : any  protect
Generalization/Exception (the earlier rule is an exception to the later, more general rule):
  TCP 1.1.1.1 : any  2.2.2.2 : any  bypass
  TCP 1.1.*.* : any  2.2.*.* : any  protect
Correlation (the rules partially overlap with different actions):
  TCP 1.1.1.1 : any  2.2.*.* : any  bypass
  TCP 1.1.*.* : any  2.2.2.2 : any  protect

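The four relations above can be checked mechanically. The following is an added example, not code from the slides: a small Python classifier for pairs of crypto-access rules written in the slide's format, run on the four rule pairs shown. The function names and the "overlap"/"disjoint" labels for non-conflicting pairs are my own.

```python
# Added example, not from the slides: classify pairs of crypto-access rules
# (<proto> <src> <dst> <action>, '*' wildcards in dotted-quad addresses) into
# the four intra-policy relations named on the slide.

def _subset(a, b):
    """True if every address matched by pattern a is also matched by b."""
    return all(y == "*" or x == y for x, y in zip(a.split("."), b.split(".")))

def _overlap(a, b):
    """True if patterns a and b match at least one common address."""
    return all(x == "*" or y == "*" or x == y for x, y in zip(a.split("."), b.split(".")))

def relation(earlier, later):
    """Relation of `later` to `earlier` (both (proto, src, dst, action)),
    given that `earlier` precedes `later` in the crypto-access list."""
    p1, s1, d1, a1 = earlier
    p2, s2, d2, a2 = later
    if p1 != p2 or not (_overlap(s1, s2) and _overlap(d1, d2)):
        return "disjoint"
    later_in_earlier = _subset(s2, s1) and _subset(d2, d1)
    earlier_in_later = _subset(s1, s2) and _subset(d1, d2)
    if later_in_earlier:
        # `later` can never match a packet: `earlier` already took it.
        return "shadowing" if a1 != a2 else "redundancy"
    if earlier_in_later:
        # `earlier` is an exception to the more general `later` rule,
        # or a redundant special case of it when the actions agree.
        return "redundancy" if a1 == a2 else "generalization"
    # Partial overlap: packets in the intersection get `earlier`'s action,
    # so a differing action in `later` is a correlation conflict.
    return "correlation" if a1 != a2 else "overlap"

def find_conflicts(rules):
    """Return (i, j, relation) for every ordered pair i < j that is not disjoint."""
    out = []
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            r = relation(rules[i], rules[j])
            if r != "disjoint":
                out.append((i, j, r))
    return out

# The four two-rule lists from the slide.
SHADOWING = [("TCP", "1.1.*.*", "2.2.*.*", "protect"), ("TCP", "1.1.1.1", "2.2.2.2", "bypass")]
REDUNDANCY = [("TCP", "1.1.1.1", "2.2.2.2", "protect"), ("TCP", "1.1.*.*", "2.2.*.*", "protect")]
GENERALIZATION = [("TCP", "1.1.1.1", "2.2.2.2", "bypass"), ("TCP", "1.1.*.*", "2.2.*.*", "protect")]
CORRELATION = [("TCP", "1.1.1.1", "2.2.*.*", "bypass"), ("TCP", "1.1.*.*", "2.2.2.2", "protect")]

if __name__ == "__main__":
    for name, rules in [("shadowing", SHADOWING), ("redundancy", REDUNDANCY),
                        ("generalization", GENERALIZATION), ("correlation", CORRELATION)]:
        print(name, find_conflicts(rules))
```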

IPSec Intra-Policy Conflicts
Conflict in crypto-map paths
Reversed decapsulation order on the traffic path:
  crypto-access: TCP 1.1.1.1 : any  2.2.*.* : any  protect
  crypto-map:    TCP 1.1.1.1 : any  2.2.2.* : any  ESP Tunnel 6.6.6.6 {3DES}
  crypto-map:    TCP 1.1.1.1 : any  2.2.2.2 : any  AH Tunnel 2.2.2.2 {3DES}

[Figure: path 1.1.1.1 -- 5.5.5.5 -- 6.6.6.6 -- 2.2.2.2; the segment between 6.6.6.6 and 2.2.2.2 carries clear traffic.]

IPSec Inter-Policy Conflicts
Conflicts in crypto-access lists
Shadowing: the upstream policy blocks traffic

  1.1.1.1:  TCP 1.1.*.* : any  2.2.*.* : any  protect
  2.2.2.2:  TCP 2.2.*.* : any  1.1.*.* : any  bypass

[Figure: traffic dropped.]

IPSec Inter-Policy Conflicts
Conflicts in crypto-access lists
Spurious: the downstream policy blocks traffic

  1.1.1.1:  TCP 1.1.*.* : any  2.2.*.* : any  bypass
  2.2.2.2:  TCP 2.2.*.* : any  1.1.*.* : any  protect

[Figure: traffic dropped.]

IPSec Inter-Policy Conflicts
Conflicts in tunnel paths
Reversed decapsulation order on the traffic path:
  crypto-access: TCP 1.1.1.1 : any  2.2.*.* : any  protect
  crypto-map:    TCP 1.1.1.1 : any  2.2.*.* : any  ESP Tunnel 6.6.6.6 {3DES}
  crypto-access: TCP 1.1.*.* : any  6.6.*.* : any  protect
  crypto-map:    TCP 1.1.*.* : any  6.6.*.* : any  AH Tunnel 2.2.2.2 {3DES}

[Figure: path 1.1.1.1 -- 5.5.5.5 -- 6.6.6.6 -- 2.2.2.2; the segment between 6.6.6.6 and 2.2.2.2 carries clear traffic.]

IPSec Inter-Policy Conflicts
Tunnel loop conflict
Policy on the 1.1.*.* side:
  crypto-access: TCP 1.1.*.* : any  2.2.*.* : any  protect
  crypto-map:    TCP 1.1.*.* : any  2.2.*.* : any  AH Tunnel 6.6.6.6 {3DES}

Policy on the 2.2.*.* side:
  crypto-access: TCP 2.2.*.* : any  1.1.*.* : any  protect
  crypto-access: TCP 1.1.*.* : any  2.2.*.* : any  protect
  crypto-map:    TCP 2.2.*.* : any  1.1.*.* : any  ESP Tunnel 5.5.5.5 {3DES}
  crypto-map:    TCP 1.1.*.* : any  2.2.*.* : any  ESP Tunnel 5.5.5.5 {3DES}

[Figure: path 1.1.1.1 -- 5.5.5.5 -- 6.6.6.6 -- 2.2.2.2; traffic loop between 5.5.5.5 and 6.6.6.6.]

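As an added example (not code from the slides), the following Python walks a flow through the crypto-map lists of the gateways on the path and reports when the flow reaches a gateway a second time, which is the loop shown above. Which gateway holds which crypto-map list is an assumption made to fit the figure: 5.5.5.5 fronts the 1.1.*.* site and 6.6.6.6 fronts the 2.2.*.* site; the corrected 6.6.6.6 list is also my assumption, showing one way to break the loop.

```python
# Added example, not from the slides: simulate tunnel forwarding across the
# gateways' crypto-map lists and detect a tunnel loop.
# Assumed placement: 5.5.5.5 serves the 1.1.*.* site, 6.6.6.6 the 2.2.*.* site.

def _match(pattern, addr):
    """Dotted-quad wildcard match, '*' matching any octet."""
    return all(p == "*" or p == a for p, a in zip(pattern.split("."), addr.split(".")))

def lookup(crypto_map, proto, src, dst):
    """First crypto-map entry whose selector covers the flow, else None."""
    for proto_m, src_m, dst_m, ipsec_proto, mode, tunnel_end in crypto_map:
        if proto_m == proto and _match(src_m, src) and _match(dst_m, dst):
            return ipsec_proto, mode, tunnel_end
    return None

def trace_tunnels(policies, start, proto, src, dst, max_hops=8):
    """Return (list of gateways the flow is tunnelled through, loop_detected).
    At each tunnel end the packet is decapsulated and the original flow is
    matched against that gateway's own outbound crypto-map list."""
    path, seen, node = [start], {start}, start
    while True:
        hit = lookup(policies.get(node, []), proto, src, dst)
        if hit is None or hit[1] != "Tunnel":
            return path, False            # no further tunnel: flow continues toward dst
        nxt = hit[2]
        path.append(nxt)
        if nxt in seen or len(path) > max_hops:
            return path, True             # gateway revisited: traffic loop
        seen.add(nxt)
        node = nxt

# Crypto-map lists from the slide's tunnel-loop figure (gateway placement assumed).
POLICIES = {
    "5.5.5.5": [("TCP", "1.1.*.*", "2.2.*.*", "AH", "Tunnel", "6.6.6.6")],
    "6.6.6.6": [("TCP", "2.2.*.*", "1.1.*.*", "ESP", "Tunnel", "5.5.5.5"),
                ("TCP", "1.1.*.*", "2.2.*.*", "ESP", "Tunnel", "5.5.5.5")],
}

# Assumed fix: 6.6.6.6 only tunnels its own site's traffic toward 1.1.*.*, so
# flows arriving from 5.5.5.5 for 2.2.*.* are delivered into the site.
FIXED = {
    "5.5.5.5": POLICIES["5.5.5.5"],
    "6.6.6.6": [("TCP", "2.2.*.*", "1.1.*.*", "ESP", "Tunnel", "5.5.5.5")],
}

if __name__ == "__main__":
    print(trace_tunnels(POLICIES, "5.5.5.5", "TCP", "1.1.1.1", "2.2.2.2"))
    print(trace_tunnels(FIXED, "5.5.5.5", "TCP", "1.1.1.1", "2.2.2.2"))
```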

IPSec Inter-Policy Conflicts
Protection asymmetry conflict
Access rules in both peers should be mirror images to allow protecting traffic originating from either peer.

  1.1.1.1:  TCP 1.1.1.1 : any  2.2.2.2 : any  protect
  2.2.2.2:  TCP 2.2.*.* : any  1.1.*.* : any  protect

[Figure: traffic dropped.]

IPSec and NAT/PAT Integration
If VPN traffic is NATed (NAT closer to the Internet than the VPN):
- AH is incompatible with NAT, because changing the IP header makes the DigSig invalid. Solution: (1) put NAT after the VPN, or (2) bypass the problem using an integrated VPN+NAT device
- ESP transport mode is also incompatible with NAT. NAT changes the IP address, which implies that the TCP checksum must be changed (the TCP checksum is calculated over IP header fields too). But the TCP checksum is encrypted and cannot be modified, so the receiver will calculate a wrong checksum. Solution: put NAT after the VPN
- ESP tunnel mode would work with NAT, but not with PAT. PAT causes a problem because TCP/UDP ports are inaccessible when the headers are encrypted, and when it communicates with IKE the source UDP port must be 500 but NAT might replace it
- Recommendation: do not use PAT with VPN, in either AH or ESP

VPN and Firewall Integration
External DMZ
- The VPN might be exposed to attacks

Internal DMZ (screened subnet)
- Very good solution: offers limited protection (but no NAT)

Parallel to the firewall
- Good solution if the VPN is a busy device

Trusted network
- Creates a tunnel through the firewall!! Not recommended

FW and VPN in one box (best solution)
- Pros: cheaper, more secure, no NAT problems because VPN traffic bypasses NAT
- Cons: offers less flexibility; the best FW vendor may not necessarily be the best VPN vendor

IPSec Pros
Advantages
- Hides the identity of your network
- Provides a secure channel: authentication, privacy and integrity
- Connects sites (e.g., branch offices) with a cost-effective secure network compared with leased lines
- Allows users to work from home and from mobile hosts

IPSec Cons
Disadvantages
- Complex policy management
- A single failure in the path disconnects the entire network; it can also cause performance bottlenecks
- Sometimes requires tunnels through the firewall
- Incompatible with NAT/PAT depending on the architecture
- Tunneled traffic is undetected by IDS
- VPN gateways might be compromised, which leads to uncovering protected data