Securing Your Telecommuters and Mobile Users
Session SEC-222
3086_05_2001_c1   © 2001, Cisco Systems, Inc. All rights reserved.




Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.
Outline

• Who Are They?
• Securing Remote Connections
• Challenges

Who Are They?

Traditional Remote Access

[Diagram: individual, hotel and airport dialup users reach the enterprise network over the PSTN and ISDN (toll-free 1-800 number, ISDN PRI) through network access servers and an ISDN router]

• Network access servers
• ISDN/modem dialup

Telecommuters

[Diagram: individual dialup, cable and DSL (always-on) connections reach the enterprise network through an ISP POP and the Internet]

• Accessing the enterprise network from an individual PC or small LAN at an employee's home

Road Warriors

[Diagram: an on-site consultant, hotel dialup, airport dialup and always-on connections reach the enterprise network through an ISP POP and the Internet]

• Accessing the enterprise network from mobile and/or temporary locations

Road Warriors on Steroids

[Diagram: as on the previous slide, with a bookstore added: on-site consultant, hotel dialup, airport, bookstore and always-on connections reach the enterprise network through an ISP POP and the Internet]

• Accessing the enterprise network from mobile and/or temporary locations using wired and wireless access

So What's the Problem?

• Communications can be intercepted, modified, and hijacked
• Computers can be attacked, compromised, or stolen
• Corporate data can be accessed

Scenario One

• When you trust the local network (home/SOHO) and own or control your computer
      Dedicated line to the office (e.g., FR, ISDN)
      Public ISP access
            Dialup
            Always-on broadband (e.g., DSL and cable modem)

Scenario Two

• When you're using your computer on a foreign network
• Using wireless on the home or office network

Scenario Three

• When you're using a foreign computer on a foreign network (e.g., cyber café)

Basic Requirements

• Provide world-wide mobility securely
      Enforce strong user authentication
      Secure the corporate traffic across the Internet
• Protect mobile devices from hostile networks
• Protect corporate assets

Tool Kit

• Use IPsec
      IPsec user authentication
      Wildcard pre-shared keys or a certification authority
      Client- or LAN-initiated IPsec VPN
• Use firewalls
      Personal firewalls on the PC
      Hardware firewalls
• User security practices

Tools

• IPsec
      End to end
      LAN to LAN
• Set up ssh before leaving home

Securing Remote Connections

IPsec

• IETF proposed standard that provides the following for IP packets
      Authenticity
      Integrity
      Confidentiality
      Replay detection
• Two major components
      Internet Key Exchange (IKE)
            Authentication between devices, and negotiation of the keys and security associations they will use
      IPsec
            Packet headers (AH and ESP) that carry the authenticated and, with ESP, encrypted data

IPsec Phase 1: IKE Main Mode Authentication

[Diagram: the remote PC and the VPN gateway run IKE across the Internet; behind the gateway sit the intranet servers (DNS, SMTP, web) and an access control server]

IKE policy negotiation
      DES, MD5, preshared key
Phase 1 authentication
      IP address = user name
      Preshared key = password
IKE SA established
IPsec Main Mode Authentication

• Authenticates a device
      Not the PC user!
• Authentication is based on one of the following:
      IP address or fully qualified domain name (FQDN) and preshared key
      IP address or FQDN and public/private key
      Digital certificate
• Preshared or private keys are never transmitted

IPsec Phase 1: Weakening IKE Main Mode

• RFC 2409 requires a unique IP address to be associated with each pre-shared key
      In Main Mode the peer's identity is sent encrypted, so the responder can only choose the pre-shared key from the peer's source IP address
      This is good for security
      But it prevents the use of dynamic IP addresses
      Hence a dial client, whose address changes on every call, cannot be given its own key

Weakening IKE (Cont.)

• It is possible to use the same preshared key for a large range of IP addresses
• The least secure option is the same key for all IP addresses:

      crypto isakmp key sameFORall address 0.0.0.0 255.255.255.255

• Every client then holds the one secret that authenticates the gateway to all of them, and any address that presents it passes Phase 1; one lost laptop exposes the key for everyone, so user-level authentication has to come from somewhere else (xauth, following slides)

IPsec Phase 1 (optional): IPsec Extended Authentication

[Diagram: after IKE Phase 1 the VPN gateway challenges the client over the Internet and checks the answer against a RADIUS access control server in front of the intranet servers (DNS, SMTP, web)]

Gateway to client:   xauth: prompt="Challenge 123DE"
Client to gateway:   xauth: name="joe" psw="13ZD3"
Gateway to client:   Mode Configuration: IP address, DNS, WINS

• Applies only to user authentication
IPsec User Authentication (xauth)

• Allows authenticating a user after the device (the PC or its gateway) has been authenticated in Phase 1
• Provides good authentication where certificates cannot be used
• Solves the issue of not knowing the client's IP address in advance

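The Phase 1 key selection and the xauth step described on the last four slides, worked through in Python. This is an added example, not code from the session or from Cisco. The SKEYID/HASH_I/HASH_R derivations are the RFC 2409 pre-shared-key ones (prf = HMAC-MD5, matching the DES/MD5 policy on the slide); the Diffie-Hellman modulus is a toy value rather than an IKE group, and the addresses, the keys (`sameFORall` from the slide, `only-for-branch`), the identities and the user `joe`/`13ZD3` are constructed sample data.

```python
"""IKEv1 Main Mode with pre-shared keys, then xauth, reduced to the values that
decide whether a peer is accepted.  Added example, not Cisco's code.

RFC 2409 section 5, pre-shared-key authentication, prf = HMAC-MD5:
    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
The DH modulus 2**127-1 is a toy, NOT an IKE group (assumption).  Addresses,
keys, identities and the user 'joe' are constructed sample data.
"""
import hashlib
import hmac
import ipaddress
import os
import secrets

P, G = 2**127 - 1, 5  # toy DH parameters, not an IKE DH group


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")  # every value is < 2**127


class Gateway:
    """Responder.  psk_entries mirror 'crypto isakmp key KEY address NET MASK':
    the first network containing the peer's source address wins.  users=None
    means no xauth; otherwise {name: password} stands in for the RADIUS/local DB."""

    def __init__(self, psk_entries, identity: bytes, users=None):
        self.nets = [(ipaddress.ip_network(n), k) for n, k in psk_entries]
        self.identity = identity
        self.users = users

    def select_psk(self, src_ip: str):
        ip = ipaddress.ip_address(src_ip)
        return next((k for net, k in self.nets if ip in net), None)


def main_mode(src_ip: str, client_psk: bytes, client_id: bytes, gw: Gateway,
              xauth_cred=None) -> dict:
    """Run Phase 1 between a client at src_ip and gw, then xauth if gw wants it."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sa_i = b"DES-CBC/MD5/pre-share/group1"  # SAi_b, the proposal payload
    xi, g_xi = dh_keypair()                   # message 3: KE_i, Ni
    xr, g_xr = dh_keypair()                   # message 4: KE_r, Nr
    ni, nr = os.urandom(16), os.urandom(16)
    # The responder must pick the PSK NOW, from the source address alone:
    # IDii only arrives in message 5 and is already encrypted under SKEYID_e.
    gw_psk = gw.select_psk(src_ip)
    if gw_psk is None:
        return {"phase1": False, "xauth": None,
                "reason": "no pre-shared key for %s" % src_ip}
    sk_client = prf(client_psk, ni + nr)       # SKEYID, computed on each side
    sk_gw = prf(gw_psk, ni + nr)
    # message 5: IDii + HASH_I proves the initiator holds the same PSK
    body_i = dh_bytes(g_xi) + dh_bytes(g_xr) + cky_i + cky_r + sa_i + client_id
    if not hmac.compare_digest(prf(sk_client, body_i), prf(sk_gw, body_i)):
        return {"phase1": False, "xauth": None, "reason": "HASH_I mismatch"}
    # message 6: IDir + HASH_R lets the client check the gateway the same way
    body_r = dh_bytes(g_xr) + dh_bytes(g_xi) + cky_r + cky_i + sa_i + gw.identity
    if not hmac.compare_digest(prf(sk_gw, body_r), prf(sk_client, body_r)):
        return {"phase1": False, "xauth": None, "reason": "HASH_R mismatch"}
    assert pow(g_xr, xi, P) == pow(g_xi, xr, P)  # both sides now share g^xy
    if gw.users is None:                          # device authenticated; that is all
        return {"phase1": True, "xauth": None, "user": None}
    # xauth: the gateway challenges for a user credential inside the IKE SA
    if xauth_cred is None:
        return {"phase1": True, "xauth": False, "user": None}
    name, password = xauth_cred
    stored = gw.users.get(name)
    ok = stored is not None and hmac.compare_digest(stored, password)
    return {"phase1": True, "xauth": ok, "user": name if ok else None}


def demo() -> dict:
    """Per-peer key vs. wildcard key vs. wildcard key plus xauth."""
    per_peer = Gateway([("192.0.2.10/32", b"only-for-branch")], b"gw.example.net")
    wildcard = Gateway([("0.0.0.0/0", b"sameFORall")], b"gw.example.net")
    with_xauth = Gateway([("0.0.0.0/0", b"sameFORall")], b"gw.example.net",
                         users={"joe": b"13ZD3"})
    return {
        # fixed-address branch router: its own key works from its own address...
        "per_peer_fixed_ip": main_mode("192.0.2.10", b"only-for-branch", b"branch", per_peer)["phase1"],
        # ...but a dial client with a dynamic address has no key entry at all
        "per_peer_dynamic_ip": main_mode("203.0.113.77", b"only-for-branch", b"branch", per_peer)["phase1"],
        "wrong_key": main_mode("192.0.2.10", b"guess", b"branch", per_peer)["phase1"],
        # wildcard key: ANY address that knows the shared secret passes Phase 1
        "wildcard_any_ip": main_mode("203.0.113.77", b"sameFORall", b"stolen-laptop", wildcard)["phase1"],
        # with xauth the shared secret alone is no longer enough...
        "xauth_psk_only": main_mode("203.0.113.77", b"sameFORall", b"stolen-laptop", with_xauth)["xauth"],
        "xauth_bad_password": main_mode("203.0.113.77", b"sameFORall", b"laptop", with_xauth, ("joe", b"nope"))["xauth"],
        # ...the user must also prove who they are
        "xauth_user_ok": main_mode("203.0.113.77", b"sameFORall", b"laptop", with_xauth, ("joe", b"13ZD3"))["xauth"],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-22s %s" % (case, result))
```

The point of the `select_psk` call sitting before any identity is seen is the whole reason behind the RFC 2409 address requirement: with a per-peer table the dial client's address matches nothing, with the wildcard entry every address matches, and only the xauth step afterwards distinguishes a legitimate user from anyone who has obtained the shared key.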
IPsec Extended Authentication with RADIUS

      aaa new-model
      aaa authentication login xauth radius local
      crypto map fubar client authentication list xauth

The crypto map line is what turns on client (user) authentication for that map. Beware that if a remote router tries to connect through a crypto map with xauth enabled, it might refuse xauth, and IPsec will therefore not come up.

IPsec Phase 2: IPsec Quick Mode

[Diagram: the remote PC and the VPN gateway negotiate the IPsec SA across the Internet, protected by the IKE SA from Phase 1; behind the gateway sit the intranet servers (DNS, SMTP, web) and the access control server]

IPsec SA policy negotiation
      Encryption, integrity
      Lifetime, proxy (the identities, i.e. the addresses the tunnel will carry)
IPsec SA established

Securing Remote Connections

[Diagram: IPsec from the remote site (ISDN or other access) across the Internet to the VPN gateway in front of the intranet servers and the access control server]

• Three options
      Use a VPN client with xauth
      Use local VPN hardware
      Use a local router for LAN-to-LAN VPN
• Internet traffic
      All through the tunnel
      Split tunneling: only corporate destinations go through the tunnel, so the PC talks to the local network and the Internet directly while the tunnel is up and needs a personal firewall
Home VPN Termination

• A PC connected to a public ISP sits on an untrusted network, just as it does in an Internet café, and should be treated the same way
• For multiple home PCs use a "VPN hardware client"
• For more complex scenarios, specifically dial, use a VPN router

Client Software

• VPN client software is a crucial component
      Provides IPsec (or PPTP) encryption
      Provides a "dialer" interface for the user to start VPN connections

Client Software

• Significant benefits in centralizing configuration and administration
      Mobile users are unlikely to be skilled
      Microsoft clients are not centrally managed, and do not support the VPN concentrator pushing policies to clients
      Allows users to be configured and managed within logical groups
• Also needs to be:
      Easy to use, preconfigurable, updateable, etc.

When Do We Need the IPsec Client?

• Scenario 1: When you don't trust the telecom provider or you're really paranoid
• Scenario 2: Definitely needed to protect data from Internet sniffers
• Scenario 3: Good to have, but you'll have to download and install the client code, which needs:
      Administrative access to the PC
      Knowledge of the client configuration, including gateway addresses, group information, etc.

Firewalls

• Personal firewalls
      Road warriors on the road and at home
      Relatively inexpensive
      Require some system administration skills
• Hardware firewalls
      SOHO
      Low-end ones may need little or no configuration but have limited capability
      More traditional ones are expensive but very flexible when protecting more than one host

Home Example

[Diagram: a home network with Katy's, John's, Mom's and Dad's PCs, connected through the Internet to corporate headquarters]

Small Office

[Diagram: a small office with Worker Bee 1, Worker Bee 2, Road Warrior 1 and Road Warrior 2, connected through the Internet to corporate headquarters]

Example Firewall Configuration

PIX Version 5.2(3)

Assign a security level to each interface:
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100

Configure interface addresses:
      ip address outside 200.1.1.2 255.255.255.252
      ip address inside 192.168.1.1 255.255.255.0

Translate inside addresses to the outside interface address (PAT), and list the inside addresses to be translated (here, all of them):
      global (outside) 1 interface
      nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Configure static routing (default route to the ISP):
      route outside 0.0.0.0 0.0.0.0 200.1.1.1 1

With only these lines, inside hosts can open connections outward (higher security level to lower), while nothing on the outside can initiate a connection inward, because no static translation or access rule permits it.


                           Where Do We Need These Firewalls


                                       • Scenario 1: No real need
                                       • Scenario 2:
                                                     Definitely need personal firewall if ever
                                                     connecting to foreign networks
                                                     Add hardware firewall for SOHO

                                       • Scenario 3: Not under your control


                            Example

                            [Diagram only; not reproduced in text]

                           User Practices


                            • Laptops are easy targets for thieves:
                                       Don’t leave unattended
                                       Use locks
                                       Protect data through use of encryption
                                       Don’t keep sensitive information on the disk if it isn’t needed

                            • Guard against lurkers who may be trying to read data
                              from your display
                                       Use screen locks



                           IR Ports


                              • Infrared ports have a range of 50 cm to 100 cm,
                                but amplifying systems can increase the range
                                threefold
                              • Notsync is new software that can capture
                                passwords from targeted Palm Pilots by taking
                                advantage of the PDA's HotSync function
                              • Make sure your IR ports are not reachable by your
                                neighbour when working in public places



                            Challenges



                           Complex Home Office
                           Connections: ISDN

                                    • Keep the link down when there is no traffic!
                                    • Dynamic addresses
                                    • SA lifetime must be equal to the connection
                                      duration
                                                 Need to use IKE keep alive to reset the SPI after
                                                 the ISDN link has gone down
                                                 IKE keep alive must not keep the ISDN link up, and
                                                 it cannot be filtered out

                                    • A time source is needed when using digital certificates


                           Keep Alive for Dialup

                                       • IKE must be able to trigger the link
                                       • Keep Alive cannot be separated from
                                         other IKE packets
                                       • Plain IKE Keep Alive will keep ISDN/DDR
                                         line up
                                       • Work-around for negotiated address DDR
                                                    The first packet of IKE phase 1 has a source IP
                                                    address of 0.0.0.0
                                                    All other IKE packets have a real IP address


                            DDR and IKE Keep Alive

                        The IP address of the ISDN interface is allocated by the ISP.
                        Interesting traffic that can trigger a dial is:
                          • either the first packet of IKE (source address still 0.0.0.0)
                          • or ESP-encrypted data traffic

                                   interface bri 0
                                    ip address negotiated
                                    dialer-group 1
                                   !
                                   dialer-list 1 protocol ip list 100
                                   !
                                   ! First IKE packet: source still 0.0.0.0, UDP/500 to the HQ peers.
                                   ! IOS extended ACLs take a wildcard mask: 0.0.0.15 is the /28
                                   ! that the slide wrote as 255.255.255.240.
                                   access-list 100 permit udp host 0.0.0.0 eq isakmp 200.1.1.208 0.0.0.15 eq isakmp
                                   ! ESP-encrypted data traffic to the HQ peers
                                   access-list 100 permit esp any 200.1.1.208 0.0.0.15

                        Later IKE packets (including keep alives) carry the negotiated address
                        and therefore do not match the list: they cannot bring the ISDN link up.




                            IKE Keep Alive Details

                          Normal operation (repeats every keep-alive interval, default 600 sec):
                            Local peer:   "Let's check my peer"              ---->
                            Remote peer:                                     <----  "Let's reply to my peer"
                                                                                    (NB: my peer is working)
                            Local peer:   "My peer is working"

                          Local peer fails ("I'm down..."):
                            Remote peer:  No news from my peer for 600 sec
                                          "Let's check my peer"              ---->  (no answer)
                                          Try again (default 2 sec between attempts)
                                          Try again
                                          Try again
                                          Try again
                                          Always 5 attempts
                                          !!! My peer is down/unreachable !!!
                                          Tear down IKE and IPsec SA.
                                          New traffic will trigger re-negotiation.
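The timeline above as runnable logic, an added example (not Cisco IOS code) driven by a simulated clock; the peer_dies_at input and the event names are constructed for the demonstration.

```python
"""IKE keep-alive behaviour from the slide: probe the peer every 600 s; once a
probe goes unanswered, retry every 2 s, always 5 attempts in total, then tear
down the IKE and IPsec SAs; the next new traffic triggers a re-negotiation.
Added example with a simulated clock, not Cisco code."""
from dataclasses import dataclass, field
from typing import List, Tuple

KEEPALIVE_INTERVAL = 600   # seconds between routine probes (slide: default 600 sec)
RETRY_INTERVAL = 2         # seconds between retries after a missed reply (default 2 sec)
ATTEMPTS = 5               # always 5 attempts before declaring the peer dead


@dataclass
class KeepAliveMonitor:
    peer_dies_at: int                          # constructed: simulated time the peer stops answering
    now: int = 0                               # simulated clock, seconds
    sa_up: bool = True                         # IKE and IPsec SAs in place
    probes_sent: int = 0
    probes_answered: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def probe(self) -> bool:
        """'Let's check my peer': send one probe; True when the peer replies."""
        self.probes_sent += 1
        alive = self.now < self.peer_dies_at
        if alive:
            self.probes_answered += 1
            self.events.append((self.now, "my peer is working"))
        return alive

    def run_cycle(self) -> bool:
        """One keep-alive cycle; returns whether the SA survived it."""
        self.now += KEEPALIVE_INTERVAL
        if self.probe():
            return True
        # No news from my peer: try again, ATTEMPTS probes in total, RETRY_INTERVAL apart
        for _ in range(ATTEMPTS - 1):
            self.now += RETRY_INTERVAL
            if self.probe():
                return True
        self.sa_up = False                     # !!! My peer is down/unreachable !!!
        self.events.append((self.now, "tear down IKE and IPsec SA"))
        return False

    def new_traffic(self) -> str:
        """Traffic arriving after a teardown triggers IKE re-negotiation."""
        if self.sa_up:
            return "sent through existing SA"
        self.sa_up = True
        self.events.append((self.now, "re-negotiation triggered"))
        return "re-negotiation triggered"


def run_until_teardown(peer_dies_at: int, max_cycles: int = 10) -> KeepAliveMonitor:
    """Run keep-alive cycles until the SA is torn down or max_cycles elapse."""
    mon = KeepAliveMonitor(peer_dies_at)
    for _ in range(max_cycles):
        if not mon.run_cycle():
            break
    return mon


if __name__ == "__main__":
    m = run_until_teardown(peer_dies_at=1000)
    for t, what in m.events:
        print(f"t={t:5d}s  {what}")
    print(m.new_traffic())
```

With the defaults, a peer that dies right after a successful probe is only declared dead roughly 600 + 8 seconds later, which is the detection latency a dial-up deployment has to live with.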




                           Other Issues with DDR



                              • Digital authentication (CERT) requires the
                                router to know the date
                              • Must use NTP to re-sync after a power cycle
                                (some devices don't keep time across a reload)
                              • NTP cannot keep the dial link up ==>
                                use a time-based ACL



                           Small Routers and CERTs



                             • Small routers have no battery-backed clock and lose
                               the time on power reset/reload
                             • IOS checks the validity of its own X.509 certificate
                               at start-up while the clock is still at
                               1993 => its own certificate is rejected
                             • ==> a work-around is needed


                           Configure NTP over Dialup Interfaces

                              • Configure NTP
                              • Use a time-based ACL to define NTP as interesting
                                traffic only while the year is 1993
                              • Do not encrypt the NTP traffic
                                        No need for confidentiality: UTC is public!
                                        Integrity and authentication are built into NTP

                              • Store the router certificate on the CA (the cert will
                                not be valid at start time, so fetch it once the clock is set)
                                        crypto ca certificate query


                            Time-Based ACL

                                   interface bri 0
                                    dialer-group 1
                                   !
                                   dialer-list 1 protocol ip list 101
                                   !
                                   ! The range ends long before any real date, so it only
                                   ! matches while the clock is still at the 1993 default
                                   time-range NTP_start-up
                                    absolute end 12:00 1 January 2000
                                   !
                                   access-list 101 permit udp any any eq ntp time-range NTP_start-up


                             • At start-up, the date is Jan 1st 1993
                             • NTP can trigger the ISDN link
                             • After 3 NTP packets the clock will be in sync and NTP
                               won't trigger ISDN again
                             • dialer-list 1 references a single access list, so the IKE
                               and ESP entries shown earlier for list 100 must also be
                               present in list 101 for VPN traffic to dial
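The two dialer slides (access-list 100 for the first IKE packet and ESP, access-list 101 for NTP inside the time range) combined into one "interesting traffic" decision, as an added example that is not IOS or Cisco code; the Packet type and the sample addresses are constructed.

```python
"""Dialer interesting-traffic decision from the DDR slides: only the first IKE
packet (source still 0.0.0.0) or ESP data to the HQ /28 may dial, so later IKE
keep alives cannot hold the ISDN link up; NTP may dial only while the clock is
still at the 1993 power-on default (time-range ends 12:00 1 January 2000).
Added example, not IOS code; Packet is a constructed stand-in."""
from datetime import datetime
from ipaddress import IPv4Address
from typing import NamedTuple, Optional

ISAKMP, NTP = 500, 123
HQ_BASE, HQ_WILDCARD = "200.1.1.208", "0.0.0.15"   # the HQ peers' /28 from the slide
NTP_RANGE_END = datetime(2000, 1, 1, 12, 0)          # time-range NTP_start-up, absolute end


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                  # "udp" or "esp"
    sport: Optional[int] = None
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' (0.0.0.15 == netmask 255.255.255.240)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_100(p: Packet) -> bool:
    """First IKE packet (source 0.0.0.0, UDP/500) or ESP towards the HQ peers."""
    to_hq = wildcard_match(p.dst, HQ_BASE, HQ_WILDCARD)
    if p.proto == "udp":
        return p.src == "0.0.0.0" and p.sport == ISAKMP and p.dport == ISAKMP and to_hq
    return p.proto == "esp" and to_hq


def acl_101(p: Packet, now: datetime) -> bool:
    """NTP is interesting only inside the time range, i.e. before the clock is synced."""
    return p.proto == "udp" and p.dport == NTP and now < NTP_RANGE_END


def is_interesting(p: Packet, now: datetime) -> bool:
    """True when the packet is allowed to bring the ISDN link up."""
    return acl_100(p) or acl_101(p, now)
```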

                           Internet Traffic: Options and Trade-offs


                                 • All traffic goes into the IPsec tunnel
                                             Doubles traffic at Headquarters (comes in encrypted
                                             and goes out again to the Internet)
                                             Increases CPU load
                                             Single point of control
                                 • Split tunneling
                                             Corporate traffic goes into the VPN, Internet traffic
                                             goes to the local ISP
                                             The home office may be used as a path to redirect
                                             traffic into the VPN



                           Split Tunneling

                               • VPN endpoints usually end up with both Internet connectivity
                                 and a VPN connection

                               [Diagram: remote PC with one path to the Internet and one VPN
                                tunnel across the Internet to HQ]

                               • Potential backdoor around the corporate firewall, and it
                                 introduces multiple enforcement points
                               • Particularly an issue with always-on broadband access
                                 (cable, DSL, etc.)

                           Split Tunneling Solutions

                                        • Apply policy
                                                   Disable Internet access while the
                                                   VPN connection is active
                                                   Direct Internet traffic via HQ
                                                   Download ACLs to the client
                                        • Integrated and low-end firewalls
                                                   IOS Firewall, PIX 506, Hardware VPN client
                                        • More powerful policy-based management
                                                   Cisco Security Policy Manager (CSPM)
                                        • Personal firewall software
                                                   e.g. Zone Alarm, BlackICE

                           NAT and IPsec VPNs
                             [Diagram: IPsec peer behind a NAT device; the receiving peer
                              reports "Invalid IPsec Packets Detected!!"]

                             • IPsec is designed to detect attempts to
                               modify packets
                             • Network Address Translation modifies IP packets
                             • Native IPsec cannot pass through a NAT
                               operation that modifies TCP/UDP ports

                           NAT and IPsec VPNs Solution



                              • Many VPN solutions provide a “wrapper”
                                option to make IPsec pass through a
                                NAT process
                              • IPsec packets are wrapped in UDP (VPN
                                3000) or TCP (VPN 5000) headers to allow
                                them to pass the NAT process
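A toy model of the problem on the previous slide and of the UDP wrapper described here, as an added example that is not Cisco VPN 3000/5000 code: the receiver checks an integrity value, so it notices what a NAT rewrote, and ESP/AH carry no ports for a port-translating NAT to work on; the shared key, the 203.0.113.x public address and the wrapper port are made up.

```python
"""NAT versus IPsec. The ICV over ESP covers only the (encrypted) body; AH's
also covers the IP addresses. Basic NAT rewrites addresses, PAT additionally
needs a transport port, which ESP and AH do not have. Wrapping ESP in UDP
gives the NAT a header it may rewrite while the ESP inside is untouched.
Constructed example: key, wrapper port and the XOR 'cipher' are stand-ins."""
import hmac
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

KEY = b"constructed-demo-key"
WRAPPER_PORT = 10000            # assumed UDP port of the wrapper; not stated on the slide


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "esp", "ah" or "udp"
    sport: Optional[int]        # None for ESP/AH, which carry no ports
    dport: Optional[int]
    payload: bytes
    icv: bytes = b""            # integrity check value carried in the packet


def mac(*parts: bytes) -> bytes:
    return hmac.new(KEY, b"".join(parts), hashlib.sha256).digest()

def build_esp(src: str, dst: str, data: bytes) -> Packet:
    """ESP: ICV covers the encrypted body only, not the outer IP addresses."""
    body = bytes(b ^ 0x5A for b in data)          # stand-in for real encryption
    return Packet(src, dst, "esp", None, None, body, mac(b"esp", body))

def build_ah(src: str, dst: str, data: bytes) -> Packet:
    """AH: ICV also covers the IP addresses, so any address rewrite is detected."""
    return Packet(src, dst, "ah", None, None, data, mac(src.encode(), dst.encode(), data))

def verify(p: Packet) -> bool:
    """Receiver-side check; False is the 'Invalid IPsec packets detected' case."""
    if p.proto == "esp":
        return hmac.compare_digest(p.icv, mac(b"esp", p.payload))
    if p.proto == "ah":
        return hmac.compare_digest(p.icv, mac(p.src.encode(), p.dst.encode(), p.payload))
    return False

def nat(p: Packet, public_ip: str) -> Packet:
    """Basic NAT: rewrite only the source address."""
    return replace(p, src=public_ip)

def pat(p: Packet, public_ip: str, new_port: int) -> Optional[Packet]:
    """Port Address Translation (home router style): rewrite source address
    and source port; None (dropped) when the protocol has no port to rewrite."""
    if p.sport is None:
        return None
    return replace(p, src=public_ip, sport=new_port)

def wrap(esp: Packet) -> Packet:
    """UDP wrapper: outer UDP header, ESP body and ICV carried unchanged."""
    return Packet(esp.src, esp.dst, "udp", WRAPPER_PORT, WRAPPER_PORT, esp.payload, esp.icv)

def unwrap(udp: Packet) -> Packet:
    """Receiver strips the UDP header and hands the ESP packet to IPsec."""
    return Packet(udp.src, udp.dst, "esp", None, None, udp.payload, udp.icv)
```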



                           Human Factors


                               • There are limits to how much technology
                                 can do
                               • Users must be aware that the environment
                                 may not be secure
                                          Airport lounge, customer or client building

                               • The screen and disk contents of the PC
                                 may need to be secured in other ways

                           Summary

                               • Remote access VPN benefits
                                           Reduced cost
                                           Improved service
                                           Expanded connectivity
                               • Standard IPsec needs user authentication
                                           Range of client/tunneling solutions
                               • Users and managers need to be aware of
                                 implementation issues
                                           Human factors, split tunneling, NAT
                               • Connecting to public broadband increases the need for
                                 personal firewalls

