VPN presentation - moeshesh
Virtual Private Network (VPN):
- A VPN provides the same secure site-to-site network connectivity for remote users over the Internet.
Why Have VPNs?
VPN Tunnels and Encryption:
VPN Security algorithms:
Symmetric key:
- Shared secret key: the same key is used by the sender (for encryption) and the receiver (for decryption).
- A shared secret key is often used for long messages.
Data Encryption Standard (DES)
One iteration
Key Exchange—Diffie-Hellman:
Authentication (pre-shared key):
Hash Function (MD5, SHA-1):
A hash function is a formula used to convert a variable-length message into a single string of digits of a fixed length.
VPN protocols:
- L2TP (Layer 2 Tunneling Protocol): is used to create a media-independent, multiprotocol virtual private dialup network (VPDN), but it does not provide encryption.
- GRE (Generic Routing Encapsulation): with GRE tunneling, the Cisco router at each site encapsulates protocol-specific packets in an IP header, creating a point-to-point link to the Cisco router at the other end of the IP cloud, where the IP header is stripped off.
- IPsec (IP Security Protocol): is the choice for secure corporate VPNs. It can provide the security service using Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec.
Internet Key Exchange (IKE):
- Used to establish a shared security policy and authentication keys for services such as IPsec that require keys.
- One of its protocols is ISAKMP.
Internet Security Association and Key Management Protocol (ISAKMP):
- It is the protocol used for implementing key exchange and negotiation of security associations (SAs).
Security association (SA):
- It is the security database that contains all the security policy that the VPN will be based on.
- This security database contains:
1- authentication and encryption algorithms.
2- specification of network traffic.
3- IPsec protocols.
4- IPsec modes.
IPsec protocols:
- Encapsulating Security Payload (ESP): a security protocol that provides data encryption and protection with optional authentication. It can completely encapsulate user data.
- Authentication Header (AH): a security protocol that provides authentication. It can be used either by itself or with ESP.
Tunnel versus Transport Mode:
Tasks to Configure IPSec (site to site):
- Task 1 – Prepare for IKE and IPSec
- Task 2 – Configure IKE
- Task 3 – Configure IPSec
- Task 4 – Test and Verify IPSec
Step 1 - Determine IKE (IKE Phase 1) Policy
Determine the following policy details:
- Key distribution method
- Authentication method
- IPSec peer IP addresses and hostnames
IKE phase 1 policies for all peers:
- Encryption algorithm
- Hash algorithm
- IKE SA lifetime
Goal: set up a secure communication channel for negotiation of IPSec SAs in phase 2.
Step 2 - Determine IPSec (IKE Phase 2) Policy
Determine the following policy details:
- IPSec algorithms and parameters for optimal security and performance
- IPSec peer details
- IP addresses and applications of hosts to be protected
- IKE-initiated SAs
Goal: these are the security parameters used to protect data and messages exchanged between end points.
Step 3—Check Current Configuration
Step 4 - Ensure the Network Works
Step 1—Enable IKE
Step 2—Create IKE Policies
Step 3—Configure ISAKMP Identity
Step 4 - Verify IKE Configuration
Step 1 - Configure Transform Sets
Step 2 - IPSec Security Association Lifetimes
Step 3—Create Crypto ACLs using Extended Access Lists
Purpose of Crypto Maps
Crypto maps pull together the various parts configured for IPSec, including:
- The traffic to be protected by IPSec and a set of SAs
- The local address to be used for the IPSec traffic
- The destination location of IPSec-protected traffic
- The IPSec type to be applied to this traffic
Step 4—Configure IPSec Crypto Maps and apply them to interfaces
- Display your configured IKE policies: show crypto isakmp policy
- Display your configured transform sets: show crypto ipsec transform-set
- Display ISAKMP security associations: show crypto isakmp sa
- Display the current state of your IPSec SAs: show crypto ipsec sa
- Display your configured crypto maps: show crypto map
- Enable debug output for IPSec events: debug crypto ipsec
- Enable debug output for ISAKMP events: debug crypto isakmp
VPN Remote access:
- The requirements for VPN servers include the need for Internet Security Association and Key Management Protocol (ISAKMP) policies using Diffie-Hellman.
- The VPN Remote feature supports only transform sets that provide both encryption and authentication, so it does not support Authentication Header (AH) authentication.
- AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment.
AAA then checks the following:
- Who you are (authentication)
- What you are allowed to do (authorization)
- What you actually do (accounting)
The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
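An added Cisco IOS example (not from the presentation) showing how the three AAA functions above attach to a remote-access (Easy VPN) server together with the ISAKMP policy and ESP-only transform set the slide requires. The RADIUS server address, the list, group, pool and map names, the address pool and the placeholder secrets are assumed.

```cisco
! Authentication (who you are): per-user XAUTH checked against RADIUS, local fallback
aaa new-model
aaa authentication login VPN-XAUTH group radius local
! Authorization (what you may do): the client group policy is looked up locally
aaa authorization network VPN-GROUP local
! Accounting (what you actually do): start/stop records sent to RADIUS
aaa accounting network VPN-ACCT start-stop group radius
radius server RADIUS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-RADIUS-SECRET
! ISAKMP policy using Diffie-Hellman (group 14), as the slide requires
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Group policy handed to the remote clients: group pre-shared key plus address pool
ip local pool VPN-POOL 10.100.0.1 10.100.0.254
crypto isakmp client configuration group REMOTE-USERS
 key REPLACE-WITH-GROUP-PSK
 pool VPN-POOL
! ESP only: encryption plus authentication in one transform set, no AH
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto dynamic-map DYN-MAP 10
 set transform-set TS
 reverse-route
! Bind the three AAA lists to the crypto map, then apply it to the outside interface
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUP
crypto map VPN-MAP client accounting list VPN-ACCT
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

Note that aaa new-model also changes login handling on the console and vty lines, so define a local user or line authentication before saving, or you can lock yourself out of the router.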
VPN Client:
- The installation of the Cisco VPN Client is a very straightforward process. A number of tasks must be completed to establish connectivity to a VPN head-end.
- Just start setup and the Welcome screen will be presented.
- The Connection Entries screen is capable of holding multiple entries for multiple access sites. Click the New button at the top of the screen to open the Create New VPN Connection Entry dialog box, shown in the figure.
- Authentication Tab: Group Authentication—A username and password are necessary to complete the VPN profile.
- Transport Tab: The Transport tab allows the configuration of transparent tunneling as well as the choice of whether to use IPsec over UDP or TCP.
- Backup Servers Tab: The VPN client contains a Backup Servers tab to configure a single connection with the capability to connect to multiple servers.
Finish the Connection Configuration
- From the main VPN Client window, you can establish a VPN connection by highlighting one of the profiles and clicking the Connect button at the top of the window. If the connection parameters were properly configured, the VPN connection is successful.
- After a VPN connection is established, various statistics about the connection are available. From the Status pull-down menu, select Statistics. This launches the Statistics window.