NAT and VPN Security Features, IOS 12.2T
Acknowledgements
The material in this presentation was prepared by Rogelio Alvez, with the collaboration of Julio Sanchez Avalos and Darío Ciccarone.
IOS 12.2(2)T
DF Bit Override Functionality with IPSec Tunnels
Quality of Service for Virtual Private Networks
SSH Terminal-Line Access
DF Bit Override Functionality with IPSec Tunnels
Problem: certain TCP applications stop working once they traverse a VPN.
Cause: look into the fragmentation techniques used with IPSec.
Solution
Forget the standard and clear the DF bit in the IP header: crypto ipsec df-bit [clear | set | copy]
Question for the VPN fans: how is this problem solved on the VPN 3000? How is it solved on the PIX Firewall?
DF Bit Override (cont.)
[Diagram: a server sends a 1500-byte IP/TCP packet with the DF bit set through a VPN tunnel across the Internet to a VPN client; both links have MTU = 1500, and the ESP (protocol 50) encapsulation adds an outer IP header and a hash to the encrypted data]
Once encapsulated with IPSec, the server's packet will not fit on the next link as long as it cannot be fragmented (DF bit set).
The DF bit has to be cleared to solve this problem.
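As an added example (not part of the original slides), the following Python models what the slide describes: the growth of a packet under tunnel-mode ESP and how each setting of crypto ipsec df-bit decides whether the outer packet may be fragmented on a link whose MTU equals the original packet size. The overhead figures are assumptions for a 3DES/SHA tunnel chosen for illustration; real numbers depend on cipher, IV size and padding.

```python
from dataclasses import dataclass

# Assumed tunnel-mode ESP overhead (3DES-CBC with truncated HMAC-SHA1).
OUTER_IP_HEADER = 20   # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8         # SPI + sequence number
ESP_IV_3DES = 8        # cipher IV (assumed 3DES)
ESP_TRAILER = 2        # pad length + next header
ESP_ICV_SHA1 = 12      # truncated HMAC-SHA1 authenticator


def esp_tunnel_size(inner_len: int, block: int = 8) -> int:
    """Outer packet length after tunnel-mode ESP encapsulation.
    The whole inner packet plus the 2-byte trailer is padded up to the cipher block."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # round up to the block size
    return OUTER_IP_HEADER + ESP_HEADER + ESP_IV_3DES + padded + ESP_ICV_SHA1


@dataclass
class Outcome:
    outer_len: int
    outer_df: bool
    delivered: bool   # False: the packet is dropped at the encrypting router
    note: str


def encapsulate(inner_len: int, inner_df: bool, df_bit_mode: str, link_mtu: int) -> Outcome:
    """Apply the 'crypto ipsec df-bit' policy and decide what happens on the next link."""
    outer_len = esp_tunnel_size(inner_len)
    if df_bit_mode == "clear":      # always allow fragmentation of the outer packet
        outer_df = False
    elif df_bit_mode == "set":      # never allow fragmentation of the outer packet
        outer_df = True
    elif df_bit_mode == "copy":     # default: inherit the inner DF bit
        outer_df = inner_df
    else:
        raise ValueError(f"unknown df-bit mode {df_bit_mode!r}")

    if outer_len <= link_mtu:
        return Outcome(outer_len, outer_df, True, "fits without fragmentation")
    if outer_df:
        return Outcome(outer_len, outer_df, False,
                       "too big and DF set: needs fragmentation, dropped (ICMP fragmentation needed)")
    return Outcome(outer_len, outer_df, True,
                   "too big, DF clear: fragmented on the wire and reassembled by the peer")


if __name__ == "__main__":
    for mode in ("copy", "clear", "set"):
        o = encapsulate(1500, True, mode, 1500)
        print(f"df-bit {mode:5}: outer {o.outer_len} bytes, DF={o.outer_df}, {o.note}")
```

With the slide's numbers (1500-byte packet, DF set, MTU 1500 on the next link) the default copy mode reproduces the failure, clear lets the outer packet be fragmented, and set always drops it; a smaller inner packet that still fits after encapsulation is delivered in every mode.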
Quality of Service for Virtual Private Networks
What is the problem? IPSec encryption prevents QoS from working correctly.
Why? The TCP/UDP header information reaches the QoS process already encrypted.
How is it solved? With the qos pre-classify command in the crypto map, on the Tunnel interface, or on both (depending on the case).
Before encryption
class-map match-all med_priority
 match access-group 103
class-map match-all high_priority
 match access-group 102
!
policy-map DEMO
 class med_priority
  bandwidth percent 20
  random-detect
 class high_priority
  priority percent 30
!
access-list 102 permit tcp host 172.16.1.10 eq 22 any
access-list 103 permit tcp host 172.16.1.10 eq www any
!
interface Serial0/2
 bandwidth 64
 ip address 10.10.10.9 255.255.255.252
 service-policy output DEMO
 clockrate 64000
Interpretation: SSH traffic is to get higher priority than web traffic, which in turn gets higher priority than all other traffic.
Before encryption (cont.)
core#sh pol inter s0/2
Serial0/2
Service-policy output: DEMO
Class-map: high_priority (match-all)
108 packets, 66962 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 102
Queueing: Strict Priority
Output Queue: Conversation 24
Bandwidth 30 (%)
Bandwidth 19 (kbps) Burst 475 (Bytes)
(pkts matched/bytes matched) 40/33944
(total drops/bytes drops) 26/31536
Class-map: med_priority (match-all)
11 packets, 5369 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 103
Queueing
Output Queue: Conversation 25
Bandwidth 20 (%)
Bandwidth 12 (kbps)
(pkts matched/bytes matched) 5/1859
(depth/total drops/no-buffer drops) 0/0/0
exponential weight: 9
mean queue depth: 0
Before encryption (cont.)
core#sh queue s0/2
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 27
Queueing strategy: weighted fair
Output queue: 4/1000/64/27 (size/max total/threshold/drops)
Conversations 1/2/16 (active/max active/max total)
Reserved Conversations 1/1 (allocated/max allocated)
Available Bandwidth 17 kilobits/sec
(depth/weight/total drops/no-buffer drops/interleaves) 4/32384/0/0/0
Conversation 12, linktype: ip, length: 1504
source: 172.16.1.10, destination: 172.16.31.10, id: 0x09FA, ttl: 127,
TOS: 0 prot: 6, source port 20, destination port 1090
We run an FTP transfer: since FTP is neither SSH nor WWW, it falls into weighted fair queuing, the router's default behaviour on low-speed serial interfaces.
We apply the crypto map, and now . . .
core#sh queue s0/2
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 34
Queueing strategy: weighted fair
Output queue: 4/1000/64/34 (size/max total/threshold/drops)
Conversations 1/2/16 (active/max active/max total)
Reserved Conversations 1/1 (allocated/max allocated)
Available Bandwidth 17 kilobits/sec
(depth/weight/total drops/no-buffer drops/interleaves) 4/32384/0/0/0
Conversation 9, linktype: ip, length: 1500
source: 10.10.10.9, destination: 10.10.10.18, id: 0x0DA6, ttl: 255, prot: 50
We run another FTP transfer with the crypto map already applied:
PROBLEM: when making the QoS decision the router does not see the packets between the endpoints, because it encrypts first and only then queues for the WAN, after the QoS decision, but by that point all packets look alike!
SOLUTION: pre-classify the traffic before encrypting it with the qos pre-classify command in the crypto map.
After QoS pre-classification
crypto map demo 10 ipsec-isakmp
 set peer 10.10.10.18
 set transform-set strong
 match address 101
 qos pre-classify
core#sh queue s0/2
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 34
Queueing strategy: weighted fair
Output queue: 4/1000/64/34 (size/max total/threshold/drops)
Conversations 1/2/16 (active/max active/max total)
Reserved Conversations 1/1 (allocated/max allocated)
Available Bandwidth 17 kilobits/sec
(depth/weight/total drops/no-buffer drops/interleaves) 4/32384/0/0/0
Conversation 4, linktype: ip, length: 1500
source: 172.16.1.10, destination: 172.16.31.10, id: 0x0F5E, ttl: 127,
TOS: 0 prot: 6, source port 20, destination port 1098
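The following Python is an added example, not part of the original slides: it parses the conversation dumps shown above in the shape that show queue prints them, classifies the 5-tuple against the two ACLs of policy-map DEMO, and contrasts what the WAN interface classifier sees with and without qos pre-classify. The encrypted and FTP conversations are copied from the slides; the SSH conversation and the esp_encapsulate and wan_class helpers are constructed for the example.

```python
import re

# Conversation dumps in the "show queue s0/2" format of the slides.
ENCRYPTED_FLOW = """Conversation 9, linktype: ip, length: 1500
source: 10.10.10.9, destination: 10.10.10.18, id: 0x0DA6, ttl: 255, prot: 50"""

FTP_FLOW = """Conversation 4, linktype: ip, length: 1500
source: 172.16.1.10, destination: 172.16.31.10, id: 0x0F5E, ttl: 127,
TOS: 0 prot: 6, source port 20, destination port 1098"""

# Constructed: an SSH session from the server, as a cleartext conversation would show it.
SSH_FLOW = """Conversation 7, linktype: ip, length: 120
source: 172.16.1.10, destination: 172.16.31.10, id: 0x0100, ttl: 127,
TOS: 0 prot: 6, source port 22, destination port 1100"""


def parse_conversation(text):
    """Extract the fields the classifier looks at from one conversation dump."""
    flat = " ".join(text.split())
    m = re.search(r"source: ([\d.]+), destination: ([\d.]+),.*?prot: (\d+)", flat)
    if m is None:
        raise ValueError("not a conversation dump")
    flow = {"src": m.group(1), "dst": m.group(2), "prot": int(m.group(3)),
            "sport": None, "dport": None}
    ports = re.search(r"source port (\d+), destination port (\d+)", flat)
    if ports:  # only present when the transport header is visible
        flow["sport"], flow["dport"] = int(ports.group(1)), int(ports.group(2))
    return flow


# ACLs 102 and 103 of the slides: TCP from host 172.16.1.10 with source port 22 / 80 (www).
ACLS = {102: ("tcp", "172.16.1.10", 22), 103: ("tcp", "172.16.1.10", 80)}
POLICY_DEMO = [("high_priority", 102), ("med_priority", 103)]
DEFAULT_CLASS = "class-default (weighted fair)"


def acl_matches(acl, flow):
    proto, host, port = acl
    return (proto == "tcp" and flow["prot"] == 6
            and flow["src"] == host and flow["sport"] == port)


def classify(flow):
    """First matching class of policy-map DEMO, or the default class."""
    for class_name, acl_id in POLICY_DEMO:
        if acl_matches(ACLS[acl_id], flow):
            return class_name
    return DEFAULT_CLASS


def esp_encapsulate(flow, local="10.10.10.9", peer="10.10.10.18"):
    """What the serial interface sees after the crypto map: ESP between tunnel endpoints."""
    return {"src": local, "dst": peer, "prot": 50, "sport": None, "dport": None}


def wan_class(clear_flow, pre_classify):
    """Class assigned on the WAN interface to a flow that is going to be encrypted.
    Without qos pre-classify the classifier only sees the ESP packet; with it, the
    decision taken on the cleartext header is carried through encryption."""
    if pre_classify:
        return classify(clear_flow)
    return classify(esp_encapsulate(clear_flow))
```

Every encrypted conversation collapses to the same protocol-50 tuple, so no ACL based on ports can match it and everything falls into the default class; with pre-classification the SSH flow lands in high_priority as the policy intended.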
Luego de QoS Pre-classification
core#sh cry map
Crypto Map "demo" 10 ipsec-isakmp
Peer = 10.10.10.18
Extended IP access list 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.31.0 0.0.0.255
Current peer: 10.10.10.18
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ strong, }
QOS pre-classification
Interfaces using crypto map demo:
Serial0/2
SSH Terminal-Line Access
Reverse Telnet provides very little security because all Telnet traffic goes over the network in the clear. The SSH Terminal-Line Access feature replaces reverse Telnet with secure shell (SSH). This feature may be configured to use encryption to access devices on the tty lines, which provides users with connections that support strong privacy and session integrity.
Benefits
The SSH Terminal-Line Access feature provides users secure access to tty lines.
SSH Terminal-Line Access Configuration Example
The following example shows how to configure the SSH Terminal-Line Access feature on a modem used for dial-out on lines 1 through 200. To get any of the dial-out modems, use any SSH client and start an SSH session to port 2000 of the router to get to the next available modem from the rotary.
line 1 200
 no exec
 login authentication default
 rotary 1
 transport input ssh
 exit
ip ssh port 2000 rotary 1
[Diagram: SSH tunnel from the client to the router, terminating on the TTY lines]
IOS 12.2(4)T
Ability to Disable Extended Authentication for Static IPSec Peers
Distinguished Name Based Crypto Maps
IPSec - SNMP Support
L2TP Security
NAT - Ability to Use Route Maps with Static Translations
NAT - Static Mapping Support with HSRP for High Availability
Ability to Disable Extended Auth for Static IPSec Peers
Problem: everything breaks when we combine static site-to-site VPNs with remote-access VPNs, particularly when we want to authenticate the remote users with AAA.
Cause: remote users are authenticated with xauth (extended authentication), which applies globally to the crypto map on the interface. The router will therefore also try to challenge the site-to-site peer router.
Solution: do not apply xauth to the site-to-site peers.
crypto isakmp key keystring address peer-address [mask] [no-xauth]
Note: the conflicting command was crypto map xxx client authentication list zzzz
Distinguished Name Based Crypto Maps
Lets the router filter the candidates for an IPSec connection based on the contents of the certificates they present.
crypto map bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-set
 match address 124
 identity to-bigbiz
!
crypto identity to-bigbiz
 dn ou=XYZ
!
crypto map map-littlecom 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-set
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn laempresa.com
Usable by peers that authenticate by DN if they belong to XYZ.
Usable by peers that authenticate by hostname if they belong to laempresa.com.
IPSec: SNMP Support & L2TP Security
IPSec - SNMP Support
L2TP Security
vpdn-group pepe
 l2tp security crypto-profile profile-name [keep-sa]
Note: this is the default behaviour for L2TP on Windows 2000 and XP.
NAT - Ability to Use Route Maps with Static Translations
[Diagram: multihomed internal networks 10.1.1.0/24 and 10.1.2.0/24 reached both from the Internet and through an IPSec tunnel, with separate static translations; addresses shown: 200.1.1.1, 192.10.1.1, 192.1.1.1]
Multihomed internal networks now can host common services such as the WWW and DNS, which are accessed from different outside networks
Use case: a headquarters server is shared by Internet users and by users behind a VPN.
rtr(config)# ip nat inside source static local-ip global-ip route-map map-name
NAT - Static Mapping Support with HSRP for High Availability
Allows two or more routers paired with HSRP to also share a static NAT translation, so that the HSRP active router is the only one able to answer for the shared NAT entry.
Active router configuration
interface BVI10
 ip address 192.168.5.54 255.255.255.0
 no ip redirects
 ip nat inside
 standby 10 priority 105 preempt
 standby 10 name HSRP1
 standby 10 ip 192.168.5.30
 standby 10 track Ethernet2/1
!
ip nat inside source static 192.168.5.33 3.3.3.5 redundancy HSRP1
Standby router
interface BVI10
 ip address 192.168.5.56 255.255.255.0
 no ip redirects
 ip nat inside
 standby 10 priority 100 preempt
 standby 10 name HSRP1
 standby 10 ip 192.168.5.30
 standby 10 track Ethernet3/1
!
ip nat inside source static 192.168.5.33 3.3.3.5 redundancy HSRP1
IOS 12.2(8)T
Certificate Autoenrollment
Certificate Enrollment Enhancements
Easy VPN Server
GRE Tunnel Keepalive
IKE: Initiate Aggressive Mode
IPSec VPN High Availability Enhancements (RRI and HSRP)
Multiple RSA Key Pair Support
Certificate Autoenrollment & Enhancements
Provides new options for requesting certificates and lets users include in the configuration fields that previously had to be entered interactively.
crypto ca trustpoint name
 auto-enroll [regenerate]
Makes the router automatically request a digital certificate from a certification authority (CA).
crypto ca trustpoint name
 ip-address {ip-address | interface}
 subject-name [x.500-name]
 serial-number [none]
 usage method1 [method2 [method3]]
 password string
Easy VPN Server in IOS
With the upgrade to 12.2(8)T and later, Cisco VPN Client tunnels can be terminated on an IOS router (as can Easy VPN tunnels initiated from a VPN 3002, or from a PIX or IOS router in Easy VPN Client mode).
Easy VPN Server
The Cisco VPN Client can encrypt to any Cisco VPN platform: VPN 3000 (VPN 3.0), PIX (PIX 6.0), IOS (12.2(8)T)
Benefits:
- almost no client configuration
- the concentrator sends the session parameters to the client
Easy VPN Server & Easy VPN Client
[Diagram: Easy VPN servers and remotes over an IPSec VPN; devices shown: PIX 501, 806, VPN 3002, 1700, VPN 3005, VPN 3015, PIX 515, 7200, 7400, PIX 506, 2600 / 3600, SOHO 91 (VPN client only in pass-thru VPN mode); Easy VPN provides dynamic policy handling]
Benefits of Cisco Easy VPN
Central site: Cisco IOS router, VPN 3000 Concentrator, PIX Firewall
Browser-based GUI on Cisco 800, 900, Cisco PIX 501 FW & CVPN 3002
1. The remote contacts the central site to authenticate and provide information
2. The policy is pushed to the remote client devices
3. The VPN is established from the remote, according to the central-site policy
Remote devices: Cisco 800, 900 Series Router, Cisco PIX 501 FW, CVPN 3002; Cisco 1700, 2600, 3600 Series Router, Cisco PIX Firewall, VPN 3002
VPN controlled from the central site (HQ to SBO, e.g. a Cisco 1700)
The concentrator pushes the information the remote needs in order to operate.
Attributes
Logical IP address and mask
DNS, WINS
Split tunnel: the networks for which the central site instructs the remote to use the VPN (all other traffic goes straight to the Internet)
Central site: Cisco Easy VPN Server (Cisco CVPN 3000, Cisco IOS router, Cisco PIX Firewall)
Remotes: home, remote office, mobile workforce, reached across the Internet
Easy VPN Server in IOS
username dciccaro password 0 pepe
aaa new-model
aaa authentication login easyvpn local
aaa authorization network easyvpn local
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group demo
key cisco
dns 172.16.1.20 172.16.1.30
wins 172.16.1.40 172.16.1.50
domain cisco.com
pool easyvpn_pool
acl 101
AAA
ISAKMP and group parameters
crypto ipsec transform-set strong-aes esp-aes 256
!
crypto dynamic-map demo_dyn 10
 set transform-set strong-aes
 reverse-route
!
crypto map demo client authentication list easyvpn
crypto map demo isakmp authorization list easyvpn
crypto map demo client configuration address respond
crypto map demo 10 ipsec-isakmp dynamic demo_dyn
ip local pool easyvpn_pool 172.16.30.1 172.16.30.254
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
IPSec parameters
interface Serial0/1
 ip address 10.10.10.5 255.255.255.252
 crypto map demo
crypto map on the outgoing interface
GRE Tunnel Keepalive
Capability of configuring keepalive packets to be sent over IP-encapsulated GRE tunnels. You can specify the rate at which keepalives will be sent and the number of times that a device will continue to send keepalive packets without a response before the interface becomes inactive. GRE keepalive packets may be sent from both sides of a tunnel, or from just one side.
Router# configure terminal
Router(config)# interface tunnel number
Router(config-if)# keepalive [seconds [retries]]
IKE: Initiate Aggressive Mode
Allows IKE preshared keys to be configured as RADIUS tunnel attributes for IPSec peers. Keys are stored in the AAA server as IETF RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router.
HUB
aaa new-model
aaa authorization network ike group radius
aaa authentication login default group radius
!
! The Radius configurations are as follows:
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646
radius-server key rad123
!
! The IKE configurations are as follows:
crypto isakmp policy 1
 authentication pre-share
!
! The IPSec configurations are as follows:
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto dynamic-map Dmap 10
 set transform-set trans1
!
crypto map Testtag isakmp authorization list ike
crypto map Testtag 10 ipsec-isakmp dynamic Dmap
!
interface Ethernet0
 ip address 4.4.4.1 255.255.255.0
 crypto map Testtag
SPOKE
! The IKE configurations are as follows:
crypto isakmp policy 1
 authentication pre-share
!
! The IPSec configurations are as follows:
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
! Initiate aggressive mode using Radius tunnel attributes
crypto isakmp peer address 4.4.4.1
 set aggressive-mode client-endpoint user-fqdn [email protected]
 set aggressive-mode password cisco123
!
crypto map Testtag 10 ipsec-isakmp
 set peer 4.4.4.1
 set transform-set trans1
 match address 101
!
interface Ethernet0
 ip address 5.5.5.1 255.255.255.0
 crypto map Testtag
!
interface Ethernet1
 ip address 3.3.3.1 255.255.255.0
VPN High Availability Enhancements (RRI & HSRP)
The IPSec VPN High Availability feature consists of two new features, Reverse Route Injection and Hot Standby Router Protocol with IPSec, that work together to give users a simpler network design for VPNs and reduce complexity on remote peers with respect to defining gateway lists.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml
standby 1 ip 172.16.172.53
standby 1 priority 200
standby 1 preempt
standby 1 name VPNHA
standby 1 track Ethernet1/1 150
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.172.69
 set transform-set myset
 match address 101
 reverse-route
crypto map vpn redundancy VPNHA
7204-VXR-1
12.2(8)T Reverse Route Injection
Problem description
Until this release there was no way to keep track of IPSec connection flows in a configuration with multiple VPN concentrators (or rather, of which concentrator was responsible for each flow). HSRP had no concept of being accepted as a valid IP address for terminating VPN tunnels.
12.2(8)T Reverse Route Injection
Reverse Route Injection
Avoids asymmetric routing problems
Injects routes dynamically, avoiding the inconsistencies of static routes
HSRP + API
An HSRP address can now terminate VPN tunnels
In case of a failure, HSRP carries out the changes at the VPN level
Remote devices do not need to know that multiple central concentrators exist, because HSRP hides this complexity
Example
[Diagram: inside and outside networks, two head-end routers P and S sharing an HSRP address, remote site 1.1.1.0/255.255.255.0; injected route: ip route 1.1.1.0/24 P]
A client connects to the HSRP IP address
P is elected as the active router
P announces to the headquarters intranet that it is responsible for reaching the remote site
Traffic from headquarters to the remote site is therefore sent to P
If P fails, S takes over the tunnel
Multiple RSA Key Pair Support
Multiple RSA Key Pair support lets a user define multiple RSA key pairs on the same router. One use is for the router to hold different key pairs for different digital certificates.
Router(config)# crypto key generate rsa [usage-keys | general-keys] [key-pair-label]
Router(config)# crypto ca trustpoint name
Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
IOS 12.2(13)T
Advanced Encryption Standard (AES)
Cisco Easy VPN Remote - Phase I
Dynamic Multipoint VPN (DMVPN)
IPSec NAT Transparency
Low Latency Queuing (LLQ) for IPSec Encryption Engines
Manual Certificate Enrollment (TFTP and Cut-and-Paste)
NAT Default Inside Server
NAT Integration with MPLS VPNs
NAT Stateful Failover of Network Address Translation
Pre-fragmentation for IPSec VPNs
Privilege Command Enhancement
VPN Device Manager IOS Feature Document
VPN crypto/Compr Module (AIM-VPN/EPII & AIM-VPN/HPII)
Software IPPCP (LZS) with Hardware Encryption
AES support (128, 192, 256)
NIST standard to replace DES. Option: use 3DES, or use AES-128 for similar strength.
AES-256 is for deep paranoia. With 12.2(13)T we have AES support in software; the new VPN modules include hardware support. For more information:
http://csrc.nist.gov/CryptoToolkit/aes/
AES support (128, 192, 256)
core(config)#cry isak pol 20
core(config-isakmp)#enc ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
core(config-isakmp)#enc aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
<cr>
core(config)#cry ipsec transform-set new-aes ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-sha-hmac ESP transform using HMAC-SHA auth
core(config)#cry ipsec transform-set new-aes esp-aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
Cisco Easy VPN Remote - Phase I
Also called Easy VPN Client. This feature first shipped with release 12.2(4)YA and is merged into the T train with this 12.2(13)T release.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftezvpcm.htm
Which PIX version supports server mode?
Which IOS version supports server mode?
Which VPN 3000 version supports server mode?
Dynamic Multipoint VPN
What is the problem? In a physically full-meshed topology with remotes that have dynamic IP addresses, direct spoke-to-spoke communication is impossible; it has to go through the hub, which has a fixed IP address.
Why? Neither spoke knows the other's address, so neither a standard crypto map, nor a dynamic one, nor TED can be used on either of them.
How is it solved? Using DMVPN, which combines GRE with IPSec and a registration method at the centre of the star (the hub).
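As an added example (not part of the original slides), the following Python models the registration mechanism the slide refers to: spokes with dynamic public addresses register their tunnel address with the next-hop server on the hub, and a spoke that wants to reach another spoke asks the hub for that spoke's current public address and builds the tunnel directly, falling back to the hub while the other spoke is unknown. Tunnel and NBMA addresses reuse the ones from the DMVPN configuration on these slides; the second spoke's tunnel address is constructed, and the class and method names are this example's own.

```python
class NextHopServer:
    """Hub-side NHRP registry: which public (NBMA) address each spoke currently has."""

    def __init__(self, network_id, auth):
        self.network_id, self.auth = network_id, auth
        self.registry = {}   # spoke tunnel IP -> current public address

    def register(self, network_id, auth, tunnel_ip, nbma_ip):
        """NHRP registration; refused unless network-id and authentication string match."""
        if network_id != self.network_id or auth != self.auth:
            return False
        self.registry[tunnel_ip] = nbma_ip   # re-registration overwrites the old address
        return True

    def resolve(self, tunnel_ip):
        """NHRP resolution: public address for a tunnel address, or None if unknown."""
        return self.registry.get(tunnel_ip)


class Spoke:
    def __init__(self, tunnel_ip, nbma_ip, nhs, nhs_tunnel_ip, nhs_nbma_ip,
                 network_id=1001, auth="cisco123"):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhs, self.nhs_tunnel_ip, self.nhs_nbma_ip = nhs, nhs_tunnel_ip, nhs_nbma_ip
        self.network_id, self.auth = network_id, auth
        # Static mapping to the hub, like 'ip nhrp map 192.168.1.1 10.10.10.5'.
        self.cache = {nhs_tunnel_ip: nhs_nbma_ip}

    def register(self):
        return self.nhs.register(self.network_id, self.auth, self.tunnel_ip, self.nbma_ip)

    def address_changed(self, new_nbma_ip):
        """Broadband re-lease: the spoke re-registers its new public address."""
        self.nbma_ip = new_nbma_ip
        return self.register()

    def next_hop_for(self, dest_tunnel_ip):
        """Public address the GRE/IPSec tunnel is built to in order to reach a tunnel address."""
        if dest_tunnel_ip not in self.cache:
            resolved = self.nhs.resolve(dest_tunnel_ip)
            if resolved is None:
                return self.nhs_nbma_ip          # unknown spoke: forward through the hub
            self.cache[dest_tunnel_ip] = resolved  # learned: direct spoke-to-spoke tunnel
        return self.cache[dest_tunnel_ip]


# Hub 192.168.1.1 at 10.10.10.5, spoke 192.168.1.9 at 10.10.10.18 (from the slides);
# second spoke at 172.16.4.8 with a constructed tunnel address 192.168.1.2.
hub = NextHopServer(network_id=1001, auth="cisco123")
spoke_a = Spoke("192.168.1.9", "10.10.10.18", hub, "192.168.1.1", "10.10.10.5")
spoke_b = Spoke("192.168.1.2", "172.16.4.8", hub, "192.168.1.1", "10.10.10.5")
```

Resolved entries are cached on the spoke, so after a peer changes its public address a stale cache entry survives until it ages out; in NHRP that is what the holdtime is for, and it is why a registration refused for a wrong authentication string or network-id never reaches the registry.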
Dynamic Multipoint VPN: Concept
[Diagram: branches with dynamic public IP addresses (broadband) on 192.168.1.0/24 and 192.168.2.0/24 (tunnel addresses 192.168.1.1 and 192.168.2.1); the central site with a static IP address (130.25.13.1) on 192.168.3.0/24 (192.168.3.1); dynamic tunnels between the central site and the branches, and temporary tunnels built dynamically between branches]
DMVPN configuration on the hub
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key topsecret address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des
!
crypto ipsec profile DMVPN
 set transform-set strong
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1001
 no ip split-horizon
 tunnel source Serial0/1
 tunnel mode gre multipoint
 tunnel key 250872
 tunnel protection ipsec profile DMVPN
!
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0/1
ip address 10.10.10.5 255.255.255.252
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.6
DMVPN configuration on the spoke
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key topsecret address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des
!
crypto ipsec profile DMVPN
set transform-set strong
interface Ethernet0/0
ip address 172.16.31.1 255.255.255.0
!
interface Serial0/0
ip address 10.10.10.18 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.10.10.17
interface Tunnel0
ip address 192.168.1.9 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication cisco123
ip nhrp map 192.168.1.1 10.10.10.5
ip nhrp map multicast 10.10.10.5
ip nhrp network-id 1001
ip nhrp nhs 192.168.1.1
tunnel source Serial0/0
tunnel mode gre multipoint
tunnel key 250872
tunnel protection ipsec profile DMVPN
Fixed IP address of the central site
Address of the next hop server (NHS)
DMVPN crypto maps created on the fly
core#sh cry map
Crypto Map "Tunnel0-head-0" 1 ipsec-isakmp
Profile name: DMVPN
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
strong,
}
Crypto Map "Tunnel0-head-0" 2 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 10.10.10.18
Extended IP access list
access-list permit gre host 10.10.10.5 host 10.10.10.18
Current peer: 10.10.10.18
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
strong,
}
Crypto Map "Tunnel0-head-0" 3 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 172.16.4.8
Extended IP access list
access-list permit gre host 10.10.10.5 host 172.16.4.8
Current peer: 172.16.4.8
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
strong,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
IPsec NAT Transparency (IETF UDP wrapper)
Two possible solutions are explained below:
the standard IPSec solution
the IETF IPSec solution based on UDP wrappers
[Diagram, problem with the standard IPSec solution: two VPN clients with DHCP addresses 10.1.1.1 and 10.1.1.2 (10.x.x.x) behind a PAT device that gives both the source IP 130.1.1.2, reaching headquarters at 130.40.1.1 across the ISP/Internet (130.x.x.x). Each client's IP/TCP/user data is encrypted and carried in ESP (protocol 50) with a hash; since ESP carries no ports, PAT cannot tell the two tunnels apart: ERROR]
IPsec NAT Transparency (cont.)
[Diagram, solution with the IETF UDP wrapper: the same two clients (10.1.1.1, 10.1.1.2) behind NAT/PAT (130.1.1.2) toward headquarters 130.40.1.1 across PSTN/ISP/Internet; the encrypted IP payload is wrapped in UDP, so PAT has ports to rewrite and both tunnels work: OK. Addresses shown on the wire: S=10.1.1.1, S=130.40.20.1]
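As an added example (not part of the original slides), the following Python models the PAT device in the two diagrams above: plain ESP gives the translator no port to multiplex on, so a second client to the same peer cannot be handled, while the UDP-wrapped form (NAT-T, UDP port 4500 in the IETF standard) translates like any other UDP flow in both directions. The addresses are the ones in the diagrams; the class and helper names are this example's own.

```python
class PatDevice:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.esp_owner = {}     # peer address -> the one inside host using ESP to that peer
        self.forward = {}       # (inside ip, inside port) -> public port
        self.reverse = {}       # public port -> (inside ip, inside port)
        self.next_port = first_port

    def outbound(self, pkt):
        """Translate an inside->outside packet; None means PAT cannot carry it."""
        if pkt["proto"] == "esp":
            # ESP has no transport ports: only the peer address distinguishes return
            # traffic, so a second inside host to the same peer is ambiguous.
            owner = self.esp_owner.get(pkt["dst"])
            if owner is not None and owner != pkt["src"]:
                return None
            self.esp_owner[pkt["dst"]] = pkt["src"]
            return {**pkt, "src": self.public_ip}
        # UDP (the IETF wrapper): allocate a distinct public port per inside endpoint.
        inside = (pkt["src"], pkt["sport"])
        if inside not in self.forward:
            self.forward[inside] = self.next_port
            self.reverse[self.next_port] = inside
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.forward[inside]}

    def inbound(self, pkt):
        """Translate an outside->inside packet back to the right inside host."""
        if pkt["proto"] == "esp":
            owner = self.esp_owner.get(pkt["src"])
            return None if owner is None else {**pkt, "dst": owner}
        inside = self.reverse.get(pkt["dport"])
        if inside is None:
            return None   # no mapping: unsolicited, dropped
        return {**pkt, "dst": inside[0], "dport": inside[1]}


def esp(src, dst):
    return {"proto": "esp", "src": src, "dst": dst}


def udp(src, dst, sport, dport):
    return {"proto": "udp", "src": src, "dst": dst, "sport": sport, "dport": dport}
```

Run against the diagram's two clients, the first ESP tunnel goes through, the second is refused, and both UDP-wrapped tunnels get distinct public ports so replies from 130.40.1.1 reach the right client.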
Low Latency Queuing for IPsec
Low Latency Queueing
To ensure proper treatment of encrypted voice over IP networks
Manual Certificate Enrollment (TFTP, Cut-and-Paste)
Useful when the CA does not support Cisco's best-known method (SCEP). Must be used when there is no prior network connection between the router and the CA.
NAT Default Inside Server
Normally, if the NAT router receives a packet from the outside for which it has no translation built, it drops it. NAT Default Inside Server lets such packets be directed to a host defined as the default destination for unknown packets.
Application: typical for gaming devices that receive packets on any UDP port and sit behind a router with a single, dynamic IP address leased by an ISP.
Note: command: ip nat inside source static local-ip interface type number
NAT Integration with MPLS VPNs
Scenario: a service provider offers Internet access to its customer through an edge router of its MPLS-VPN network. The customer usually has RFC 1918 (private) addressing, so traffic bound for the Internet must go through a NAT function. It is solved either by:
having the customer's CPE do the NAT, so that traffic leaves with a consistent address, or
having the Internet/MPLS-VPN edge router do NAT in each customer context. Example:
ip nat inside source {list {ACL-nbr | ACL-name} | route-map name} {interface type number | pool pool-name} vrf vrf-name [overload]
Stateful Failover of NAT
Introduces support for two or more network address translators functioning as a translation group. A backup router running NAT provides translation services in the event of failure of the active translator.
interface type number
 standby [group-number] ip [ip-address [secondary]]
 exit
ip nat stateful id id-number redundancy group-name mapping-id map-number
ip nat pool name start-ip end-ip prefix-length prefix-length
ip nat inside source route-map name pool pool-name mapping-id map-number [overload]
Pre-fragmentation for IPSec VPNs
If an IPSec packet is fragmented, the decapsulating router has to reassemble it, which carries a high CPU penalty.
A router can lose 70% of its capacity if this problem is not taken into account.
Pre-fragmentation for IPSec VPNs
At the level of the interface where the crypto map is applied:
router(config-if)# crypto ipsec fragmentation before-encryption
router(config-if)# crypto ipsec fragmentation after-encryption
Or globally, i.e. for any interface:
router(config)# crypto ipsec fragmentation before-encryption
router(config)# crypto ipsec fragmentation after-encryption
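As an added example (not part of the original slides), the following Python contrasts the two settings: fragmenting after encryption leaves the IPSec peer to reassemble the outer packet before it can decrypt, whereas fragmenting before encryption produces cleartext fragments sized so that each still fits the link after ESP growth, leaving reassembly to the destination host. The ESP overhead is an assumed constant for illustration; the function names are this example's own.

```python
IP_HDR = 20
ESP_OVERHEAD = 52   # assumed tunnel-mode ESP growth (outer IP, ESP header/IV, trailer, ICV)


def ip_fragment(total_len, mtu):
    """Split an IP packet into fragments that fit the MTU.
    Returns the fragment lengths, each including its own 20-byte IP header;
    every fragment but the last carries a multiple of 8 bytes of data."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(IP_HDR + take)
        payload -= take
    return frags


def after_encryption(inner_len, mtu):
    """Encrypt the whole packet, then fragment the ESP packet on the way out."""
    frags = ip_fragment(inner_len + ESP_OVERHEAD, mtu)
    return {"fragments": frags,
            "reassembled_by": "IPSec peer, before decryption" if len(frags) > 1 else None}


def before_encryption(inner_len, mtu):
    """Pre-fragment the cleartext so each fragment still fits after ESP growth,
    then encrypt every fragment separately."""
    clear_frags = ip_fragment(inner_len, mtu - ESP_OVERHEAD)
    frags = [f + ESP_OVERHEAD for f in clear_frags]
    return {"fragments": frags,
            "reassembled_by": "destination host" if len(frags) > 1 else None}


if __name__ == "__main__":
    for name, fn in (("after-encryption", after_encryption), ("before-encryption", before_encryption)):
        r = fn(1500, 1500)
        print(f"{name}: {r['fragments']} reassembled by {r['reassembled_by']}")
```

Both settings end up sending two packets for a 1500-byte datagram over a 1500-byte MTU; the difference is who pays for reassembly, which is the CPU cost the slide quantifies.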
VPN Device Manager IOS Feature (http://www.cisco.com/cgi-bin/tablebuild.pl/vdm)
VDM software is installed directly onto Cisco VPN devices. It allows network administrators to use a web browser to manage and configure site-to-site VPNs on a single device.
Supported platforms: Cisco 1700, Cisco 2600, Cisco 3620, 3640 and 3660, Cisco 7100, Cisco 7200, Cisco 7400, Cisco Catalyst 6500 with IPSec VPN Module, Cisco 7600 with IPSec VPN Module
IOS 12.2(15)T
Certificate Security Attribute-Based Access Control
Cisco Easy VPN Remote Enhancements
Exporting and Importing RSA Keys
Firewall Stateful Inspection of ICMP Packets
Firewall Intrusion Detection System Signature Enhancements
Firewall Support for N2H2 & Websense URL Filtering
Firewall Support for SIP & HTTPS Authentication Proxy
HTTPS - HTTP Server and Client with SSL 3.0
IP Access List Entry Sequence Numbering
IPSec Security Association Idle Timers
IPSec VPN Accounting
NAT Support for IPSec ESP - Phase II
VRF-Aware IPSec
XML Interface to Syslog Messages
Certificate Security Attribute-Based Access Control
Allows applications within IOS to perform authorization based on the fields in the certificate. In this way, from the user's point of view, a certificate is used for both authentication and authorization.
crypto ca certificate map Group 10
 issuer-name co Cisco Systems
 subject-name co DIAL
crypto ca certificate map Group 20
 issuer-name co Cisco Systems
 subject-name co WAN
!
crypto ca trustpoint Access2
 match certificate Group
Example: accepts any certificate issued by Cisco Systems for an entity with the subject name DIAL or WAN.
Fields: subject-name, issuer-name, unstructured-subject-name, alt-subject-name, name, valid-start, expires-on
Operators: eq (equal), ne (not equal), co (contains), nc (does not contain), lt (less than), ge (greater than or equal)
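As an added example (not part of the original slides), the following Python implements the matching semantics of the certificate map above (every line in one sequence must match, any sequence matching accepts) with the six operators listed, and also the simpler crypto identity matching of the Distinguished Name Based Crypto Maps section earlier (dn ou=XYZ, fqdn laempresa.com). Certificates are represented as dictionaries of the listed fields; the sample certificates and all function names are constructed for this example.

```python
from datetime import date

# String fields compare case-insensitively; the two date fields compare as dates.
STRING_OPS = {
    "eq": lambda have, want: have.lower() == want.lower(),
    "ne": lambda have, want: have.lower() != want.lower(),
    "co": lambda have, want: want.lower() in have.lower(),
    "nc": lambda have, want: want.lower() not in have.lower(),
}
DATE_OPS = {
    "lt": lambda have, want: have < want,
    "ge": lambda have, want: have >= want,
}
DATE_FIELDS = {"valid-start", "expires-on"}


def line_matches(cert, field, op, value):
    """One 'field operator value' line of a crypto ca certificate map entry."""
    have = cert.get(field)
    if have is None:
        return False
    if field in DATE_FIELDS:
        return DATE_OPS[op](have, value)
    return STRING_OPS[op](have, value)


def certificate_map_accepts(cert, cert_map):
    """cert_map: list of (sequence, [(field, op, value), ...]).
    Lines within a sequence are ANDed; sequences are tried in order and ORed."""
    for _seq, lines in sorted(cert_map, key=lambda entry: entry[0]):
        if all(line_matches(cert, f, op, v) for f, op, v in lines):
            return True
    return False


def dn_components(dn):
    """'cn=r1,ou=DIAL,o=Cisco Systems' -> {'cn': 'r1', 'ou': 'DIAL', 'o': 'Cisco Systems'}."""
    return {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in dn.split(","))}


def identity_matches(cert, identity):
    """'crypto identity' check: ('dn', 'ou=XYZ') requires every listed DN component
    to be present with that value; ('fqdn', name) requires that subject alt name."""
    kind, value = identity
    if kind == "dn":
        wanted, have = dn_components(value), dn_components(cert["subject-name"])
        return all(have.get(k, "").lower() == v.lower() for k, v in wanted.items())
    if kind == "fqdn":
        return cert.get("alt-subject-name", "").lower() == value.lower()
    raise ValueError(f"unknown identity type {kind!r}")


# The map from the slide: sequences 10 and 20 under 'crypto ca certificate map Group'.
GROUP_MAP = [
    (10, [("issuer-name", "co", "Cisco Systems"), ("subject-name", "co", "DIAL")]),
    (20, [("issuer-name", "co", "Cisco Systems"), ("subject-name", "co", "WAN")]),
]

# Constructed sample certificate presented by a dial peer.
DIAL_CERT = {
    "subject-name": "cn=r1,ou=DIAL,o=Cisco Systems",
    "issuer-name": "cn=ca,o=Cisco Systems",
    "alt-subject-name": "r1.laempresa.com",
    "valid-start": date(2003, 1, 1),
    "expires-on": date(2004, 1, 1),
}
```

Because co is a substring test, a subject such as ou=DIALUP would also satisfy sequence 10; eq is the operator to use when the field must match exactly.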
Easy VPN Remote Enhancements
Negotiating tunnel parametersAddresses, algorithms, lifetime, and so on.
Establishing tunnels according to the parameters.
Automatically creating the NAT/PAT translation and associated access lists that are needed, if any.
Authenticating users Making sure users are who they say they are, by way of usernames, group names and passwords.
Managing security keys for encryption and decryption.
Authenticating, encrypting, and decrypting data through the tunnel.
Manual Tunnel Control
Multiple Inside Interface Enhancements
Multiple Outside Interfaces Support
NAT Interoperability Support
Local Address Support for Easy VPN Remote
Cable DHCP Proxy Enhancement
Peer Hostname Enhancement
Proxy DNS Server Support
PIX Interoperability Support
Cisco IOS Firewall Support
Simultaneous Easy VPN Client and Server Support
Cisco Easy VPN Remote Web Manager
12.2(4)YA Enhancements in 12.2(15)T
Exporting and Importing RSA Keys
Allows the private RSA key pair of a router to be shared with standby routers, thereby transferring the security credentials between networking devices. The key pair shared between two routers allows one router to immediately and transparently take over the role of the other. If the main router were to fail, the standby router could be dropped into the network to replace it without the need to regenerate keys, re-enroll with the CA, or manually redistribute keys.
On both routers:
crypto key generate rsa {general-purpose | usage-keys} [label key-label] exportable
On the router that exports its credentials:
crypto ca trustpoint name
 rsakeypair key-label [key-size [encryption-key-size]]
crypto ca export trustpointname pkcs12 destination-url passphrase
On the router that imports its neighbour's credentials:
crypto ca import trustpointname pkcs12 source-url passphrase
Stateful Inspection of ICMP packets
Before this feature, whoever enabled the firewall function had to explicitly permit returning ICMP packets as responses to packets leaving through the firewall, because stateful inspection only covered the UDP and TCP protocols.
With this new functionality, an inspection policy can be built that takes the ICMP protocol into account.
access-list 101 remark ## some needed ICMP
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any unreachable
interface <exterior>
 ip inspect xxxx out
 ip access-group 101 in
ip inspect name xxxx icmp [alert {on | off}] [audit-trail {on | off}] [timeout secs]
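As an added example (not part of the original slides), the following Python models the difference between the static ACL above and stateful ICMP inspection: the static entries admit any echo-reply or ICMP error from anywhere, while the inspector only admits replies and errors that refer to an echo request it saw leave, and forgets the session after a timeout. The packets are constructed dictionaries; the class and helper names are this example's own, and it tracks echo sessions only.

```python
class IcmpInspector:
    """Minimal model of 'ip inspect name X icmp': an outbound echo request opens a
    session keyed on (src, dst, ICMP identifier); only inbound replies and ICMP errors
    that refer to an open session are admitted."""

    ERRORS = {"unreachable", "time-exceeded", "packet-too-big"}

    def __init__(self, timeout=10):
        self.timeout = timeout
        self.sessions = {}   # (src, dst, id) -> expiry time

    def _expire(self, now):
        self.sessions = {k: t for k, t in self.sessions.items() if t > now}

    def outbound(self, pkt, now):
        """Inside -> outside: always allowed; echo requests create or refresh a session."""
        self._expire(now)
        if pkt["type"] == "echo-request":
            self.sessions[(pkt["src"], pkt["dst"], pkt["id"])] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """Outside -> inside: admitted only when it answers an open session."""
        self._expire(now)
        if pkt["type"] == "echo-reply":
            return (pkt["dst"], pkt["src"], pkt["id"]) in self.sessions
        if pkt["type"] in self.ERRORS:
            inner = pkt.get("inner")   # header of the offending packet, quoted in the error
            return inner is not None and (inner["src"], inner["dst"], inner["id"]) in self.sessions
        return False   # unsolicited echo requests and everything else are dropped


# The static alternative from the slide: access-list 101 lets these types in from anyone.
STATIC_ACL_101 = {"echo-reply", "time-exceeded", "packet-too-big", "unreachable"}


def static_acl_permits(pkt):
    return pkt["type"] in STATIC_ACL_101


def icmp(src, dst, type_, id_=0, inner=None):
    """Build a constructed ICMP packet; 'inner' is the quoted original header for errors."""
    return {"src": src, "dst": dst, "type": type_, "id": id_, "inner": inner}
```

The contrast that matters for a firewall policy is the unsolicited echo-reply: the static ACL lets it in, the inspector does not, and once the session times out even a reply that matches an old request is dropped.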
IDS Signature Enhancements
Before this feature, the Cisco Firewall IDS contained 59 signatures, which was only a small subset of the signatures supported by Cisco Secure IDS. The Firewall IDS Signature Enhancements feature introduces 42 additional signatures that are supported by other Cisco products, such as PIX; they are categorized as follows:
21 of the 28 most commonly seen signatures in our research
Six of the 7 PIX signatures that were unavailable in IDS
All 15 of the most dangerous HTTP signatures
EXAMPLE
ip audit name EXAMPLE attack action alarm drop reset
ip audit name EXAMPLE info action alarm
interface Serial0
 ip address 191.1.1.1 255.255.255.0
 ip audit EXAMPLE in
Firewall Support for N2H2 and Websense URL Filtering
With N2H2 and Websense support, the IOS firewall works with the N2H2 or Websense server to decide whether a particular URL should be allowed or denied (blocked).
ip inspect name xxxx http [urlfilter] [java-list access-list]
ip urlfilter server vendor {websense | n2h2} ip-address [port port-nbr] [timeout secs] [retransmit nbr]
Cisco IOS Firewall Support for SIP
config# ip inspect name XXXX sip [alert {on | off}] [audit-trail {on | off}] [timeout secs]
SIP signaling responses can travel the same path as SIP signaling requests.
Subsequent signaling requests can travel directly to the endpoint (destination gateway).
Media endpoints can exchange data between each other.
HTTPS Authentication Proxy
1. The HTTP or HTTPS client requests a web page.
2. The HTTP or HTTPS request is intercepted by the router with authentication proxy.
3. The router marks the TCP/IP connection and forwards the request (with the client address) to the web server, if authentication is required.
4. The web server builds the authentication request form and sends it to the HTTP or HTTPS client via the original request protocol, HTTP or HTTPS.
5. The HTTP or HTTPS client receives the authentication request form.
6. The user enters his or her username and password in the HTTPS POST form and returns the form to the router. At this point, the authentication username and password form is sent via HTTPS. The web server will negotiate a new SSL connection with the HTTPS client.
Encrypts the exchange of username and password between the HTTP client and the router via SSL when authentication proxy is enabled on the IOS firewall, thereby ensuring confidentiality of the data passing between the HTTP client and the Cisco IOS router.
ip http secure-server
HTTP Server and Client, SSL 3.0
This feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within CiscoIOS software. SSL provides server authentication, encryption, and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. HTTP over SSL is abbreviated as HTTPS.
ip http secure-server
ip http secure-port
ip http secure-ciphersuite
ip http secure-client-auth
ip http secure-trustpoint
IP Access List Entry Sequence Numbering
Users can apply sequence numbers to permit or deny statements, and also reorder, add, or remove such statements in a named IP access list.
ip access-list resequence name starting-sequence-number increment
ip access-list {standard | extended} name
 sequence-number {permit | deny} ...
Example
router# show access-list 150
Extended IP access list 150
 10 permit ip host 10.3.3.3 host 172.16.5.34
 20 permit icmp any any
 30 permit tcp any host 10.3.3.3
IPSec VPN Accounting
The IPSec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.
EXAMPLE
config# aaa accounting network list-name start-stop group group-name
*Aug 23 04:06:20.135: RADIUS: User-Name [1] 13 "joe@cclient"
*Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0
*Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Id [44] 10 "00000002"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 20
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 35
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.1.2"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 36
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Time [46] 6 709
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Octets [42] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Output-Octets [43] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Packets [47] 6 1004
VRF-Aware IPSec
IOS 12.2(15)T: MPLS integration with VRF-aware IPSec
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/index.htm
XML Interface to Syslog Messages
logging console xml
logging monitor xml
logging buffered xml
logging host {ip-address | host-name} xml
Logs in a standardized XML format, instead of SYSLOG, can be more readily used in external customized monitoring tools.