Saturday, February 16, 2008

IPSec Basics

IPSec is a suite of protocols designed to provide an interoperable and highly secure data transfer service. To understand IPSec we need to go back to the basics, look at some definitions and the protocols IPSec uses, and build our understanding from there. Once we know what IPSec is and what it needs to provide, we can move on to practical usage and some configuration samples.

As I said, we have some basics to cover, and we will start with:

Authentication - how the units verify that they are who they say they are.

Data Integrity - making sure that the data that was sent is what was received on the other side, with no change.

Confidentiality - the encryption of the data.

Anti-Replay - preventing playback attacks. If this mechanism were not enabled, a potential attacker could capture a stream of data, replay it to the box the stream was sent to, and potentially log into the network. Even if the data is hashed it doesn't matter, as the other side needs to know how to unpack that data.

These 4 definitions are the very basics to understand, and each one plays a very important role in the VPN.

AH (Authentication Header) - as its name says, it is a header authentication method, and it can provide integrity, authentication and anti-replay. It is the older form of creating an IPSec VPN and is less used today.

ESP (Encapsulating Security Payload) - this is the newer form of creating an IPSec VPN, and it adds the very important element of confidentiality, or encryption of the data, as I mentioned.

The methods we have to encrypt the data are very widespread, but here are the most common ones:

DES (Data Encryption Standard) - 64bit key.

3DES - it is 192bit. What is even funny: the procedure for encryption is exactly the same as regular DES, but it is repeated three times.

AES (Advanced Encryption Standard) - has a minimum key size of 128bit and a maximum of 256bit. AES 128 is considered more secure than 3DES.
RSA (Ron Rivest, Adi Shamir, and Leonard Adleman) is used for asymmetric public/private key authentication.

There are 2 main methods to authenticate:

Pre-shared key - statically defined by the admin on the units; the less secure way but the more common method.

Certificate Authority - this is the high-security method and the less common one, due to the complexity of the configuration; usually you also need to buy a certificate from one of the vendors like VeriSign, Comodo...

Integrity uses hashing to make sure that the data is not changed:

MD5 (Message-Digest algorithm 5) - the most commonly used hash today; the hash size is 128bit.

SHA-1 (Secure Hash Algorithm 1) - the hash size is 160bit.

DH (Diffie-Hellman) - "A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish session keys and is a component of Oakley." (this line was taken from the Cisco site: )

Let me try to explain the process. Each unit has a private key (used for decryption), a key that is never passed, and a Diffie-Hellman key (public key, used for encryption). When the units want to do a key exchange, they each send their public key to the other side. So let's drill down to Unit_A: Unit_A gets the public key of Unit_B, then using RSA creates a shared key. That shared key can only be opened on Unit_B with Unit_B's private key, so even if you intercept the shared key you can't reverse engineer it, as only the private key of Unit_B will be able to understand it.

OK, up to here I have summarized all the key concepts for you and provided an example of the asymmetric process used in IPSec. Next I will take the concepts and show you in practice what needs to be done to form an IPSec connection.
General guidelines to configure an IPSec connection:

1) Create IKE Policy
2) Create IPsec Transform Set
3) Define ACL for the encryption
4) Configure a Crypto Map
5) Assign the Crypto Map to an Interface

Note: when you want to create an IPsec connection between 2 units you must make sure their configurations match. So here is a tip: copy the configuration you did to a notepad, and on the other side's unit only flip the ACL IP addresses to match the other side and paste it. If you did it correctly on the first side you will have a working connection; if you did it wrong, you will need to troubleshoot only one side and again copy and paste to the other side. Saves time and pain!
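
The five steps above written out as a Cisco IOS-style configuration for both units. This is an added illustration, not configuration from the original post; the addresses, the names VPN-TS and VPN-MAP, ACL 110, the interface and the algorithm choices are all assumptions. Besides the flipped ACL, the lines that name the peer address also differ between the two units.

```cisco
! Constructed lab values: Unit_A outside 203.0.113.1, inside 10.1.1.0/24;
! Unit_B outside 203.0.113.2, inside 10.2.2.0/24.
! <PRE_SHARED_KEY> is a placeholder and must be identical on both units.
!
! ===== Unit_A =====
! 1) IKE (ISAKMP) policy: every value here must match on both units
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE_SHARED_KEY> address 203.0.113.2
!
! 2) IPsec transform set: ESP with AES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
!
! 3) ACL selecting the traffic to encrypt (local net -> remote net)
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! 4) Crypto map tying the peer, the transform set and the ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 match address 110
!
! 5) Assign the crypto map to the outside interface
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! ===== Unit_B: identical to Unit_A except for these lines =====
! Peer address now points back at Unit_A
crypto isakmp key <PRE_SHARED_KEY> address 203.0.113.1
! ACL is the mirror image: source and destination networks swapped
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
```

After sending traffic that matches the ACL, show crypto isakmp sa and show crypto ipsec sa on either unit show whether the IKE and IPsec security associations came up. If the two ACLs are not exact mirrors of each other, the IPsec negotiation fails even when the IKE policy matches.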