Tuesday, June 14, 2011

IPSEC - ISAKMP Perfect Forwarding Secrecy / Diffie-Hellman

Diffie-Hellman (DH)

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two devices to establish a shared secret over an unsecure communications channel (ISAKMP Phase 1 / IPSec Phase 2)

Diffie-Hellman Group 1 — 768-bit DH Group.


Diffie-Hellman Group 2 — 1024-bit DH Group. 


Diffie-Hellman Group 5 — 1536-bit DH Group. 

________________________

Perfect Forward Secrecy (PFS)

The PFS determines the length (complexity) of the IPSec "Session keys" (used in the encryption and decryption of data in the IPSec tunnel (IPSEC Security Association (SA) )), and is derived from the public and private keys.

PFS has four groups:

Group1: Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group2: Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group5: Specifies that IPSec should use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group7: Specifies that IPSec should use group7 (ECC) where the elliptical curve field size is 163-bits, for example, with the movianVPN client.

The crypto map set pfs command sets IPSec to ask for Perfect Forward Secrecy (PFS) when new security associations are requested for this crypto map entry. Alternatively, it asks that IPSec requires PFS when requests are received for new security associations.

To specify that IPSec not request PFS, issue the no crypto map set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
Note: By default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.

PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised. During negotiation, the no crypto map set PFS command causes IPSec to request PFS when new security associations are requested for the crypto map entry.

The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails.

If the local configuration does not specify a group, a default of group1 is assumed and an offer of either group1 or group2 is accepted. If the local configuration specifies group2, that group must be part of the peer offer or the negotiation fails.


Posted by at 1 comment:

Saturday, June 11, 2011

IPSec

IKE - Internet Key Exchange | Uses uses the framework provided by ISAKMP

ISAKMP - Internet Security Association Key Management Protocol

IPSec - 

Phase 1 - The first phase is used to create a secure and authentic communication channel between the peers.

The are (2) mode’s to est. Phase 1 SA (Security Association): 

Main mode - Typically used for Site-to-Site VPN 

(6) packet / 3 round trips to est. SA 

Aggressive - Typically used for Remote-Access 

(3) packets total to est. SA

These are the default when pre-shared keys are being used.

ISAKMP Attributes negotiated during Phase 1:

Encryption - DES, 3DES, (AES 128, 192, 256)
Hashing - MD5 , SHA
Authentication Method - Pre-shared Keys, RSA or DSA Signature
DH (Diffie - Hellman) Group - 1, 2, 5, 7

Once the ISAKMP SA negotiation is complete, Phase 2 IPsec SA will then be negotiated over an encrypted channel.

All the payloads are encrypted in phase 2 negotiations except for the IP header.

IPSec Pass-Through / NAT-T - These are technologies used to avoid packet drop should the device be behind a PAT device.

IPSec Attributes negotiated during Phase 2:

Encryption - DES, 3DES, (AES 128, 192, 256)
Hashing - MD5 , SHA or Null
Identity Information - Network, Protocol, port number
Lifetime
Mode - Tunnel , Transport
PFS group - None, 1, 2, or 5

IPSec Protocols
AH (Authentication Header) IP Protocol 51
ESP (Encapsulation Security Payload) IP Protocol 50

These protocols as an IPSec header allowing the peer to decrypt the data.

(Cisco ASA does not support AH encapsulation)
Posted by at No comments:

Sunday, April 24, 2011

Cisco ASA - Active / Passive

If you need to set up a pair of ASA 55XX for Active / Passive, here is the base configuration needed to get this up and running. Please keep in mind that both ASA’s need to be running identical code and below is the minimal amount of configuration needed, there are many more configuration options available.


The commands below are to be entered into the Primary ASA:


#failover (This is the last command you should enter, this turns on the failover)


#failover lan unit primary


#failover lan interface failover GigabitEthernet1/1


#failover replication http (This is optional as HTTP sessions don’t get replicated to the stand-by device)


#failover mac address GigabitEthernet0/0 c471.fe43.f830 f866.f24d.0d4a (The first mac address is the primary and the second is the passive ASA)


#failover mac address GigabitEthernet0/1 c471.fe43.f831 f866.f24d.0d4b


#failover mac address GigabitEthernet0/2 c471.fe43.f832 f866.f24d.0d4c


#failover mac address GigabitEthernet0/3 c471.fe43.f833 f866.f24d.0d4d


#failover mac address GigabitEthernet1/0 c471.fe43.fd34 588d.096c.b2d0


#failover link failover GigabitEthernet1/1


#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2




The commands below are to be entered into the Passive ASA:


#failover (This is the last command you should enter, this turns on the failover)


#failover lan unit secondary


#failover lan interface failover GigabitEthernet1/1


#failover interface ip failover 172.16.169.1 255.255.255.252 standby 172.16.169.2 (The IP are correct, they have to match what is on the Primary device)





Posted by at 5 comments:
Subscribe to: Posts (Atom)