Pix Firewall Enables a Secure VPN
Pix Firewall Enables a Secure VPN
Virtual private networks (VPNs) using IPSec provide standards-based authentication and encryption services to protect against modification or unauthorized viewing of the data within a network or as it passes through an unprotected network, such as the public Internet. The correct configuration steps and commands depend on several factors, which include making decisions about the following basic IPSec issues.
-
Choosing between the two IPSec implementations—remote access or site-to-site— is necessary. You look at each in this chapter. Figure 21-1 shows a site-to-site VPN implementation.
Figure 21-1: IPSec site-to-site VPN implementation (tunnel mode)Remote access
This implementation allows VPN clients, such as mobile users or telecommuters, to establish secure remote access to centralized network resources, often over the Internet.
Site-to-site
This implementation is used between two IPSec security gateways, such as PIX Firewall. A site-to-site VPN connects geographically separated networks, such as branch locations, to the corporate network.
-
Which of the two security protocols supported by the IPSec standard will be used? The need for encryption may be the deciding factor.
Authentication Header (AH)
Implements authentication and antireplay services.
Encapsulating Security Protocol (ESP)
Implements authentication, antireplay services, plus encryption.
-
Which of the two IPSec modes will be required, based on the previous choices?
Tunnel mode
The typical IPSec implementation between two security gateways, such as PIX Firewall units, using an untrusted network, such as the public Internet, for connectivity. See Figure 21-1.
Transport mode
This method of implementing IPSec for remote access to corporate network resources. This method frequently involves Windows 2000 VPN clients authenticating with L2TP. See Figure 21-2.
Figure 21-2: IPSec remote access VPN implementation (transport mode)
IPSec VPN Establishment
The role of IPSec is to facilitate the private and secure exchange of information over an inherently insecure link. IPSec uses encryption to secure the information, making it virtually useless to someone who might capture or monitor the exchange. For encryption to work, both the sending and receiving entities need to share a common secret (key) used for encryption and decryption of the data.
IPSec uses a two-phase process to establish the confidential exchange of that shared secret. If Phase 1 can’t be established, then Phase 2 isn’t attempted and data can’t be exchanged.
|
Phase 1 |
The negotiation of security parameters required to establish a secure channel between two IPSec peers. Phase 1 can be implemented using IKE protocol or manually configured using preshared keys. |
|
Phase 2 |
Using the secure connection established in Phase 1, exchange the security parameters necessary to exchange data. |
In both phases of IPSec, the agreed-on parameters are called security associations (SAs) that will be used at each IPSec end point.
Five Steps of IPSec
The basic IPSec process can be summarized in the following five steps:
-
Interesting traffic initiates the IPSec process. Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.
-
IKE Phase One—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in Phase two.
-
IKE Phase Two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
-
Data transfer—Data is transferred between IPSec peers, based on the IPSec parameters and keys stored in the SA database.
-
IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out.
Note? Don’t make this any more difficult than it already is. If you strip out the acronyms and encryption, this process isn’t all that different than ISDN. While more steps exist, they’re basically identifying “interesting” traffic, creating a link, opening a session, transmitting data, and then bringing down the link.
