Which VPN to choose in 2015

Which VPN to choose in 2015? Piotr Matusiak, Security Consultant, Cisco - PowerPoint PPT Presentation



  1. Which VPN to choose in 2015? Piotr Matusiak, Security Consultant, Cisco AS Education. CCIE #19860, CCDE 2015::1, C|EH, SFCE

  2. Your Presenter
     Visit us: http://www.cisco.com/go/ase
     Piotr Matusiak, Security Consultant, Cisco AS Education
     • 16 years in IT
     • 6 years in Cisco (total)
     • 5 years in Cisco AS
     • Specialization: Security
     Security: Cyber Security (SCYBER), SourceFire (SSFIPS, SSFAMP, RULES, SNORT)
     Data Center: Nexus Switches (CCNDC, CCNDC-T, CCNDC-V), CCIE Data Center (DCXUC, DCXUF), Cloud Automation & Prime Services
     R&S + IoT: Industrial Networking (IMINS, IE2k, IE3k)
     Service Provider: ASR9k, CRS-1, CRS-3, 7600, ASR1k, Metro Ethernet

  3. Agenda
     • Preprocessors
     • IPS Policy Layering
     • Application Detection
     • AMP for Networks
     • Cloud Intelligence
     • Correlation Policies
     • Remediation
     • Event Analysis

  4. VPN Technology Positioning
     (Diagram: Site-to-Site VPN (DMVPN/FlexVPN), GETVPN (group members GM and key servers KS), EzVPN/FlexVPN Client spokes and Remote Access (SW Clients) positioned across Data Center, Core, WAN Edge, IPsec Edge/Aggregation, Internet/Shared and MPLS/Private Network; the GET encrypted network spans the private network.)

  5. Virtual Tunnel Interface (VTI)

  6. SVTI Configuration: IPsec Static Virtual Tunnel Interfaces
     Topology (from the slide diagram): LAN 192.168.1.0/24 (.1) <-> Peer A <-> tunnel 192.168.100.0/30 <-> Peer B <-> (.1) LAN 192.168.2.0/24

     Peer A (tunnel 192.168.100.1, LAN 192.168.1.0/24):
       crypto isakmp policy 1
        authentication pre-share
        encr aes
       crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
       crypto ipsec transform-set TSET esp-aes esp-sha-hmac
       crypto ipsec profile TP
        set transform-set TSET
       interface Tunnel0
        ip address 192.168.100.1 255.255.255.0
        tunnel source FastEthernet0/0
        tunnel destination 1.1.1.2
        tunnel mode ipsec ipv4
        tunnel protection ipsec profile TP
       ip route 192.168.2.0 255.255.255.0 Tunnel0

     Peer B (tunnel 192.168.100.2, LAN 192.168.2.0/24):
       crypto isakmp policy 1
        authentication pre-share
        encr aes
       crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
       crypto ipsec transform-set TSET esp-aes esp-sha-hmac
       crypto ipsec profile TP
        set transform-set TSET
       interface Tunnel0
        ip address 192.168.100.2 255.255.255.0
        tunnel source FastEthernet0/0
        tunnel destination 1.1.1.1
        tunnel mode ipsec ipv4
        tunnel protection ipsec profile TP
       ip route 192.168.1.0 255.255.255.0 Tunnel0

  7. Virtual Tunnel Interface
     • IPsec in tunnel mode between VPN peers
     • Simplifies VPN configuration
     • Two types: Static VTI and Dynamic VTI (Enhanced EasyVPN)
     • Supports Quality of Service (QoS), multicast, and other routing functions that previously required GRE
     • Limited VPN interoperability support with non-Cisco platforms

  8. Static VTI
     • Statically configured tunnel via ‘tunnel mode ipsec ipv4/ipv6’ and tunnel protection
     • Always up
     • Interface state tied to underlying crypto socket state (IPsec SA)
     • Can initiate and accept only one IPsec SA per VTI
     • Routing determines traffic to be protected
     • IPsec SA re-keyed even in the absence of any traffic

  9. When do you use it
     § Used with site-to-site VPNs – to provide always-on traffic protection
     § Need for routing protocols and/or multicast traffic to be protected by IPsec tunnel
     § Eliminates the need for GRE
     § Need for QoS, firewall, or other security services on a per-tunnel basis

  10. SVTI
     Advantages:
     • Support for IGP dynamic routing protocol over the VPN (EIGRP, OSPF, etc.)
     • Support for multicast
     • Application of features such as NAT, ACLs, and QoS, applied to clear-text or encrypted text
     • Simpler configuration
     • IPsec sessions not tied to any interface
     Disadvantages:
     • No support for non-IP protocols
     • Limited support for multi-vendor
     • IPsec stateful failover not available
     • Similar scaling properties of IPsec and GRE over IPsec
     • Only tunnel mode

  11. Dynamic VTI
     § Dynamically instantiated IPsec virtual-access interface (not configurable) cloned from a pre-defined virtual-template
     § Created on an incoming IPsec tunnel request
     § Interface state tied to underlying crypto socket state (IPsec SA)
     § Can support multiple IPsec SAs per DVTI
     § Avoids the need for a routing protocol and hence scales better

  12. Dynamic VTI
     § Mainly used as Enhanced Easy VPN server for terminating
       • Enhanced Easy VPN Remote
       • Legacy Easy VPN Remote
     § Easy VPN Remote supports 3 modes of operation
       • client mode
       • network extension mode
       • network extension plus mode
     § A single DVTI can terminate tunnels using static VTIs or crypto map
     § Can only terminate and cannot initiate an IPSec tunnel (except in the case of Enhanced Easy VPN Remote)

  13. SVTI to DVTI
     Branch (SVTI):
       interface Tunnel0
        ip unnumbered Loopback1
        tunnel source FastEthernet0
        tunnel destination 192.168.2.1
        tunnel mode ipsec ipv4
        tunnel protection ipsec profile VTI
     Crypto head end (192.168.2.1, DVTI): IKE packets from the branch arrive at 192.168.2.1; a crypto isakmp profile (control plane) references interface Virtual-Template n, which carries 'tunnel protect ipsec profile …'; the interface Virtual-Access n (data plane) is spawned from the Virtual-Template.

  14. When do you use it
     • Scalable connectivity for remote-access VPNs
     • Need for QoS, firewall, or other security services on a per-tunnel basis
     • Single-touch configuration needed on hub
     • No need for routing protocols as it uses reverse route injection

  15. DVTI (SVTI to DVTI)
     Hub (DVTI):
       crypto isakmp policy 1
        encr aes
        authentication pre-share
        group 2
       crypto isakmp key cisco123 address 0.0.0.0
       crypto isakmp profile VPN
        keyring default
        match identity address 0.0.0.0
        virtual-template 1
       crypto ipsec transform-set TSET esp-aes esp-sha-hmac
       crypto ipsec profile TP
        set transform-set TSET
        set isakmp-profile VPN
       interface Virtual-Template1 type tunnel
        ip unnumbered Loopback0
        tunnel source Ethernet0/0
        tunnel mode ipsec ipv4
        tunnel protection ipsec profile TP

     Spoke (SVTI):
       crypto isakmp policy 1
        encr aes
        authentication pre-share
        group 2
       crypto isakmp key cisco123 address 0.0.0.0
       crypto ipsec transform-set TSET esp-aes esp-sha-hmac
       crypto ipsec profile TP
        set transform-set TSET
       interface Tunnel0
        ip unnumbered Loopback0
        tunnel source 1.1.1.2
        tunnel destination 1.1.1.1
        tunnel mode ipsec ipv4
        tunnel protection ipsec profile TP

  16. Enhanced EasyVPN Client To Server (using DVTI)
     Enhanced Easy VPN server:
       crypto isakmp client configuration group cisco
        key cisco
        dns 192.168.1.10
        pool VPNPOOL
        acl 101
       crypto isakmp profile VPN
        match identity group cisco
        isakmp authorization list default
        client configuration address respond
        virtual-template 1
       crypto ipsec transform-set TSET esp-3des esp-sha-hmac
       crypto ipsec profile TP
        set transform-set TSET
        set isakmp-profile VPN
       !
       interface Virtual-Template1 type tunnel
        ip unnumbered Loopback0
        tunnel source Ethernet0/0
        tunnel mode ipsec ipv4
        tunnel protection ipsec profile TP

     Enhanced Easy VPN remote:
       crypto ipsec client ezvpn EZ
        connect manual
        group cisco key cisco
        local-address Ethernet0/0
        mode network-plus
        peer 1.1.1.1
        virtual-interface 1
        xauth userid mode interactive
       !
       interface Virtual-Template1 type tunnel
        ip unnumbered Loopback0
        tunnel mode ipsec ipv4
       interface Ethernet0/0
        ip address 1.1.1.3 255.255.255.0
        crypto ipsec client ezvpn EZ
       !
       interface Ethernet0/1
        ip address 192.168.3.1 255.255.255.0
        crypto ipsec client ezvpn EZ inside
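The SVTI, DVTI and Easy VPN slides all use IKEv1 with a wildcard pre-shared key, DH group 2 and (on the Easy VPN server) 3DES. The following is an added example, not part of the original deck or Cisco's tooling: a small Python linter that parses IOS crypto configuration of that shape and reports the settings a defender reviewing such a deployment would want flagged. The sample configs are constructed, re-typed from the slides (SLIDE_HUB) and a hypothetical hardened variant (HARDENED).

```python
import re

def parse_ios(text):
    """Split IOS config text into {top-level line: [indented sub-lines]}."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        elif raw.strip():
            cur = raw.strip()
            blocks[cur] = []
    return blocks

def lint(text):
    """Return sorted tags for legacy or risky IKEv1/IPsec settings in `text`."""
    findings = set()
    for header, body in parse_ios(text).items():
        if header.startswith("crypto isakmp key") and " address 0.0.0.0" in header:
            findings.add("wildcard-psk")       # one PSK accepted from any peer address
        elif header.startswith("crypto isakmp policy"):
            groups = [l for l in body if l.startswith("group ")]
            if not groups or groups[0] in ("group 1", "group 2"):
                findings.add("weak-dh-group")  # 768/1024-bit MODP; IOS default is group 1
        elif header.startswith("crypto ipsec transform-set"):
            if re.search(r"\besp-(3des|des)\b", header):
                findings.add("legacy-cipher")  # DES/3DES
            if not re.search(r"(esp|ah)-(md5|sha\d*)-hmac|esp-g(cm|mac)", header):
                findings.add("no-integrity")   # ESP without an authentication transform
        elif header.startswith("interface ") and "tunnel mode ipsec ipv4" in body:
            if not any(l.startswith("tunnel protection ipsec profile") for l in body):
                findings.add("vti-unprotected")  # ipsec-mode VTI with no profile bound
    return sorted(findings)

# Constructed sample, re-typed from the hub side of the DVTI slide (IKEv1, PSK, DH group 2).
SLIDE_HUB = """crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TP"""
# Constructed hardened variant (hypothetical): certificate auth, DH group 14, AES-256 + SHA-256.
HARDENED = """crypto isakmp policy 1
 encr aes 256
 authentication rsa-sig
 group 14
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac"""
```

Running lint(SLIDE_HUB) yields ['weak-dh-group', 'wildcard-psk'] and lint(HARDENED) yields []; the Easy VPN server's esp-3des transform set would additionally produce 'legacy-cipher'.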

  17. DVTI
     Advantages:
     • Simple configuration of headend: once and done
     • Scalable
     • Support for IGP dynamic routing protocol over the VPN
     • Support for IP multicast
     • Support for per-branch QoS and traffic shaping
     • Centralized Policy Push (Easy VPN)
     • Support for x-auth (Easy VPN)
     • Cross-platform support
     • IPsec sessions not tied to any interface
     Disadvantages:
     • Requires ip unnumbered
     • No support for non-IP protocols
     • No direct spoke-to-spoke communication
     • No IPsec stateful failover

  18. Dynamic Multipoint VPN (DMVPN)

  19. What is Dynamic Multipoint VPN?
     DMVPN is a Cisco IOS software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner
     § Configuration reduction and no-touch deployment
     § Dynamic spoke-spoke tunnels for partial/full mesh scaling
     § Can be used without IPsec encryption (optional)
     § Wide variety of network designs and options

  20. DMVPN Components
     • Next Hop Resolution Protocol (NHRP)
       • Creates a distributed (NHRP) mapping database of all the spokes' tunnel to real (public interface) addresses
     • Multipoint GRE Tunnel Interface (mGRE)
       • Single GRE interface to support multiple GRE/IPsec tunnels
       • Simplifies size and complexity of configuration
     • IPsec tunnel protection
       • Dynamically creates and applies encryption policies (optional)
     • Routing
       • Dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported
