Docstoc

L6

Document Sample
L6 Powered By Docstoc
					  IPSec Planning and
    Implementation
design and deployment of IPSec solutions
         for enterprise networks


             David Sánchez
          What we already know




Ø   IPSec Fundamentals (thoroughly reviewed in the
    previous two sessions)
         Phases towards IPSec
      deployment in the enterprise

1.        Planning
     1.     Identify Security and Performance Needs
     2.     Design the Solution
2.        Implementation
     1.     Implement and Test Prototype
     2.     Deploy the Solution
3.        Manage the Solution
        1st Step: Identify needs


Ø   Identification of all communications that need to be
    ?
    protected
Ø   Identification of the protection that each type of
    communication needs
Ø   S
    ? election of an IPsec architecture model
Ø   ? pecification of performance requirements
    S
2nd Step: Design the Solution



1.   A
     ? rchitecture
2.   Master Keying
3.   ? ryptography
     C
4.                P
     Selector or ? acket Filter
           Step 2.1 Architecture:
    Considerations for Gateway Placement



Ø   Device performance
Ø   Traffic examination
Ø   Traffic not protected by IPSec
Ø   Gateway Outages
Ø   NAT
            Step 2.1 Architecture:
    Evaluating IPSec Client Software for Hosts

Ø   P
    ? articular encryption, integrity protection, and
    compression algorithms
Ø   P
    ? articular authentication methods
Ø   M
    ? ultiple simultaneous tunnels
Ø   ? utomatic re-keying
    A
Ø   ?H
    A
Ø   ? phase one aggressive mode
    IKE
Ø   L
    ?2TP
Ø   ? ertificates/certificate revocation lists (CRL)
    C
Step 2.1 Architecture:
   Split tunneling issues
           Step 2.1 Architecture:
    IPSec Client Software – Further differences




Ø   Performance
Ø   Software security
Ø   Interoperability
Ø   Installation, configuration and management simplicity
             Step 2.1 Architecture:
        Host Address Space Management



Ø   Host inside the organization
    l   IPSec security based on internal IP addresses
Ø   Host outside the organization
    l   IPSec security based on other identifiers (e.g. human IDs)
    l   Virtual IP addresses (tunnel mode)
         Step 2.2 Master Keying


Ø   Pre-shared secret
    l   Manual not scalable management
    l   Kerberos, TACACS, RADIUS
Ø   Public key crypto based
    l   PKI
    l   Scalable management
         Step 2.3 Cryptography



Ø   128-AES whenever possible
Ø   Don’t protect traffic does not need protection
Ø   Export restrictions in certain countries
      Step 2.4 Selectors (SPD and
                 SADB)



Ø   Carefully tune of selectors to each incoming/outgoing
    traffic
Ø   Configuration error issues
Ø   IPSec-incompatible traffic issues
         Step 2.5 Further Design
             Considerations



Ø   SA Lifetimes
Ø   IKE Phase 1 Exchange Mode
Ø   DH Group Number
Ø   Extra Padding
         Step 2.5 Further Design
             Considerations


Ø   PFS
Ø   Current and Future Network Characteristics
Ø   Incident Response
Ø   Log Management
Ø   Redundancy
       Step 3 Implement and Test
               Prototype


Ø   Connectivity
Ø   Protection
Ø   Authentication
Ø   Application Compatibility
Ø   Management
       Step 3 Implement and Test
               Prototype


Ø   Logging
Ø   Performance
Ø   Security of the Implementation
Ø   Component Interoperability
Ø   Default Settings
    Step 4 Deploy the Solution



Ø   Gradual migration
Ø   Typical issues to consider
    Step 5 Manage the Solution



Ø   Maintenance of IPsec components
Ø   Monitoring performance of IPSec components
Ø   IPSec effectiveness verification
                   References




Ø   NIST Special Publication 800-77. Guide to IPSec VPNs.

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:4/1/2013
language:English
pages:20