Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
http://nullcon.net/
Convert your Linux box into a security Gateway Part-2 (VPN)
By Murtuja Bharmal
http://null.co.in/
About Me
• No work, busy man…
• Unemployed…
• Interest… /dev/random…
• Co-founder of null… :-D
• Ex-IBMer…
• Earning my daily bread: Security Consulting/Training
Prerequisites
• Basic concepts of networking/routing/NATting
• Knowledge of the TCP/IP model and communication protocols: IP, TCP, UDP, ICMP, DNS, HTTP/S, SMTP, FTP etc.
• How to install and use a Linux OS
• Some hands-on Linux command line
Full Picture
• Security Features of Linux
• Hardening OS
• Firewall Concept/Configuration
• VPN Concept/Configuration
• IDS/IPS Concept/Configuration
• Proxy Concept/Configuration
• Antivirus Concept/Configuration
• Hardening Services i.e. Web Server/Mail Server/Database etc.
Agenda for Today
• What is VPN
• Why VPN
• Benefits of VPN
• Types of VPN
• VPN Concept
• VPN Configuration – (Openswan)
Why VPN
• Businesses have grown beyond local and regional concerns. We now have to worry about global markets and logistics.
• We need to get connected efficiently and securely to our offices.
• Earlier, offices were connected through leased lines, from ISDN to OC3 (Optical Carrier 3 – 155 Mbps) fibre. This proved to be expensive.
• With the wide use of the Internet, it became the medium to connect businesses together and also to connect offices using VPN.
• VPN, in short, is connecting networks together using a public network. It could connect a mobile user, or a remote office, to the head office using the Internet.
Benefits of VPN
• Extend geographic connectivity
• Reduce operational costs versus traditional WAN
• Improve security
• Improve productivity?
• Provide global networking opportunity
• Provide broadband networking compatibility
• Provide telecommuter support
Types of VPN (Based on Technology)
• IPSec VPN – IP Security
• SSL VPN – Secure Sockets Layer
• MPLS – Multiprotocol Label Switching
• GRE – Generic Routing Encapsulation
• PPTP – Point-to-Point Tunneling Protocol
• L2TP – Layer 2 Tunneling Protocol
Types of VPN (Based on functionality)
• Site-to-Site VPN
• Client-to-Site VPN
Site-to-Site VPN
Courtesy: http://nirlog.com
Client-to-Site VPN
Courtesy: http://nirlog.com
VPN Concept (Encryption)
• Translation of data into a secret code is called encryption
• To decrypt data you must have access to a secret key or password
• Unencrypted data is called plain text
• Encrypted data is called cipher text
Courtesy: http://www.webopedia.com
VPN Concept (Encryption)
• There are two main forms of encryption
  – Symmetric encryption
    • Each computer uses a secret key that it can use to encrypt data. The same key is used to decrypt data too.
  – Public Key encryption
    • Uses a combination of two keys, called the private key and the public key. The public key is given to everyone. The data is encrypted using the public key and the private key is used to decrypt it.
Courtesy: http://www.webopedia.com
VPN Concept (HASH)
• Cryptographic hash functions are used, for example, to create a message digest
• A hash function compresses the bits of a message to a fixed-size hash value in such a way that only one hash value is possible for a given message
• The most widely used hash functions are MD5 and SHA-1
Courtesy: http://www.webopedia.com
VPN Concept (IPSec)
• Why do we need IPSec?
  – Suite of protocols for securing network connections
• IPSec provides mechanism and not policy
  – You can decide on any encryption algorithm or authentication method as long as both the connecting parties agree
Courtesy: http://www.unixwiz.net
IP Header
Courtesy: http://www.unixwiz.net
VPN Concept (IPSec Overview)
• IPSec is a framework of open standards (from the IETF) that defines policies for secure communication in a network. Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity, and data authentication at the network layer.
• The IPsec standard provides a method to manage authentication and data protection between multiple crypto peers engaging in secure data transfer. IPsec includes the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH).
• IPsec uses symmetric encryption algorithms for data protection. Symmetric algorithms are more efficient and easier to implement in hardware, but they need a secure method of key exchange to ensure data protection. The Internet Key Exchange (IKE) ISAKMP/Oakley protocols provide this capability.
Courtesy: http://cisco.com
Courtesy: http://ipv6.com
VPN Concept (IPSec Overview)
IPSec consists of the following two main protocols:
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
VPN Concept (IPSec Mode)
• Transport mode
  IPsec transport mode works by inserting the ESP or AH header between the IP header and the next protocol or the transport layer of the packet. Both IP addresses of the two network nodes whose traffic is being protected by IPsec are visible in the IP header of the post-encrypted packet.
• Tunnel mode
  Tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode encapsulates or hides the IP header of the pre-encrypted packet, a new IP header is added so that the packet can be successfully forwarded. The encrypting devices themselves own the IP addresses used in this new header.
  Tunnel mode can be employed with either or both IPsec protocols (ESP and AH). Tunnel mode results in additional packet expansion of approximately 20 bytes because of the new IP header. Tunnel mode is widely considered more secure and flexible than transport mode. IPsec tunnel mode encrypts the source and destination IP addresses of the original packet, and hides that information from the unprotected network.
Courtesy: http://www.unixwiz.net
VPN Concept (Difference in Modes)

Original packet:  [IP Header][Data]

Transport mode:   [Original IP Header][IPSec ESP Header][Data]
                  (optional encryption covers Data)

Tunnel mode:      [New IP Header (outer)][IPSec ESP Header][Original IP Header (inner)][Data]
                  (optional encryption covers Original IP Header + Data)
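The two encapsulations on the slide above, together with the keyed-hash integrity check that gives ESP its "data integrity" property, as an added example that is not part of the original slides: a toy Python model of ESP in transport and tunnel mode. It builds the IPv4 and ESP headers with struct, leaves the "optional encryption" out, computes the ICV with HMAC-SHA1-96 as ESP does, and shows which addresses remain visible on the public network, the 20-byte tunnel-mode overhead, and that a modified packet is refused. All addresses, the authentication key and the ICMP payload are constructed, and IP checksums are left at zero, so the packets are for inspection only.

```python
"""Toy model of IPsec ESP encapsulation (constructed example, not the slides' code).
Encryption is left out ("optional" on the slide); integrity uses HMAC-SHA1-96 like ESP.
IP checksums stay zero, so these packets are for inspection, not for sending."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50        # IP protocol number of ESP
IPIP_PROTO = 4        # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)
ICMP_PROTO = 1
IP_HDR_LEN = 20       # IPv4 header without options
ICV_LEN = 12          # HMAC-SHA1-96 integrity check value


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, cksum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def ip_addresses(pkt):
    """(src, dst) of the outermost header, i.e. what anyone on the public network sees."""
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))


def esp_encapsulate(spi, seq, inner, next_header, auth_key):
    """ESP header (SPI, sequence) + payload + trailer (padding, pad length, next header) + ICV."""
    pad_len = (-(len(inner) + 2)) % 4              # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp, auth_key):
    """Check the ICV and return (next_header, inner bytes); raise ValueError on tampering."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(orig_pkt, spi, seq, auth_key):
    """Keep the original IP header; ESP sits between it and the transport payload."""
    payload = orig_pkt[IP_HDR_LEN:]
    esp = esp_encapsulate(spi, seq, payload, orig_pkt[9], auth_key)   # byte 9 = original protocol
    src, dst = ip_addresses(orig_pkt)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp          # same endpoints, proto now ESP


def tunnel_mode(orig_pkt, outer_src, outer_dst, spi, seq, auth_key):
    """Protect the entire original packet and prepend a new header owned by the gateways."""
    esp = esp_encapsulate(spi, seq, orig_pkt, IPIP_PROTO, auth_key)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def unwrap(pkt, auth_key):
    """Recover the original packet from either mode (the receiving gateway's job)."""
    next_header, inner = esp_decapsulate(pkt[IP_HDR_LEN:], auth_key)
    if next_header == IPIP_PROTO:            # tunnel mode: inner is a whole IP packet
        return inner
    src, dst = ip_addresses(pkt)             # transport mode: rebuild the original header
    return ipv4_header(src, dst, next_header, len(inner)) + inner


# Constructed sample: ICMP echo request from an Office 1 host to an Office 2 host
AUTH_KEY = b"constructed-demo-key"
ORIGINAL = ipv4_header("192.168.1.5", "172.16.1.5", ICMP_PROTO, 8) + bytes([8, 0, 0, 0, 0, 1, 0, 89])
TRANSPORT = transport_mode(ORIGINAL, 0xE0BDD0E9, 1, AUTH_KEY)
TUNNEL = tunnel_mode(ORIGINAL, "1.2.3.4", "5.6.7.8", 0xE0BDD0E9, 1, AUTH_KEY)


def tunnel_overhead():
    """Extra bytes tunnel mode costs over transport mode for the same packet."""
    return len(TUNNEL) - len(TRANSPORT)


def tamper_detected(pkt, auth_key):
    """Flip one bit inside the protected payload and see whether decapsulation refuses it."""
    corrupted = bytearray(pkt)
    corrupted[IP_HDR_LEN + 8] ^= 0x01        # first payload byte after the 8-byte ESP header
    try:
        esp_decapsulate(bytes(corrupted[IP_HDR_LEN:]), auth_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("transport mode shows on the wire:", ip_addresses(TRANSPORT))
    print("tunnel mode shows on the wire   :", ip_addresses(TUNNEL))
    print("tunnel-mode overhead (bytes):", tunnel_overhead())
    print("tampering detected:", tamper_detected(TUNNEL, AUTH_KEY))
```

Running it shows the point of the slide: in transport mode the LAN hosts 192.168.1.5 and 172.16.1.5 are readable in the outer header, in tunnel mode only the gateways 1.2.3.4 and 5.6.7.8 are, and the extra cost is exactly one 20-byte IP header. The ICV check is also why an on-path change to the payload is rejected rather than decrypted into garbage.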
VPN Concept (Security Association)
A Security Association (SA) is an agreement between two peers engaging in a crypto exchange. This agreement includes the type and strength of the encryption algorithm used to protect the data. The SA also includes the method and strength of the data authentication and the method of creating new keys for that data protection.

ISAKMP Security Association (ISAKMP Phase 1)
The first phase is a "setup" stage where two devices agree on how to exchange further information securely. This negotiation between the two units creates a security association for ISAKMP itself: an ISAKMP SA. This security association is then used for securely exchanging more detailed information in Phase 2.

IPsec Security Associations (ISAKMP Phase 2) – Data Tunnel
In this phase the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols. Normally, this is where the parameters for the "real" SAs for the AH and ESP protocols would be negotiated.
VPN Concept (Phase 1: Main Mode)
Courtesy: http://www.eetimes.com
VPN Concept (Phase 1: Aggressive Mode)
Courtesy: http://www.eetimes.com
VPN Concept (Phase 1: Authentication)
IKE phase 1 has three methods to authenticate IPSec peers:
1. Pre-Shared Keys (PSK)
2. Public Key Infrastructure (PKI) using X.509 Digital Certificates
3. RSA encrypted nonces
VPN Concept (Phase 2: Quick Mode)
Courtesy: http://www.eetimes.com
VPN Configuration (OpenSwan)
Site-to-Site VPN

Office 1 LAN: 192.168.1.0/24
  Gateway 1: eth1 192.168.1.1 (LAN side), eth0 1.2.3.4 (Internet side), next hop 1.2.3.5
Office 2 LAN: 172.16.1.0/24
  Gateway 2: eth1 172.16.1.1 (LAN side), eth0 5.6.7.8 (Internet side), next hop 5.6.7.9
VPN Configuration (OpenSwan)
Site-to-Site VPN – /etc/ipsec.conf parameters
left – Internet IP address of the left-hand side VPN device.
leftsubnet – The network protected by the left-hand side VPN device.
leftid – Fully qualified domain name in DNS of the left-hand side VPN device, preceded by an "@" sign. If DNS is set up for the IP addresses, remove this entry, because names that don't resolve correctly cause the VPN initialization to fail.
leftrsasigkey – The entire left RSA signature public key for the left-hand side VPN device. This can be obtained with the ipsec showhostkey --left command.
leftnexthop – The next hop router from the left-hand side VPN device when trying to reach the right-hand side VPN device. You may use the auto-generated variable %defaultroute, which will be valid in most cases, or the actual IP address of the next hop router in cases where the next hop is not the default router.
Courtesy: http://www.linuxhomenetworking.com
VPN Configuration (OpenSwan)
Site-to-Site VPN – /etc/ipsec.conf

    conn net-to-net
        authby=secret               # key exchange method: pre-shared secret
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        leftnexthop=%defaultroute
        right=5.6.7.8
        rightsubnet=172.16.1.0/24
        rightnexthop=5.6.7.9
        auto=start                  # or auto=add to load the conn without starting it

Courtesy: http://www.linuxhomenetworking.com
VPN Configuration (OpenSwan)
Site-to-Site VPN – /etc/ipsec.secrets

    1.2.3.4 5.6.7.8 : PSK "nonebutourselvescanfreeourminds"

Courtesy: http://www.linuxhomenetworking.com
VPN Configuration (OpenSwan)
Site-to-Site VPN – Other settings
• net/ipv4/ip_forward = 1 (enable IP forwarding via sysctl)
• iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d \! 172.16.1.0/24 -j MASQUERADE
  (masquerade LAN traffic leaving for the Internet, but not traffic for the remote office subnet, which must reach the tunnel with its original source address)
Courtesy: http://www.linuxhomenetworking.com
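The three configuration slides above (the ipsec.conf conn section, the ipsec.secrets line and the forwarding/NAT settings) rendered from one description of the two offices, as an added Python example that is not from the slides or the Openswan project. It validates the addresses before anything is written (overlapping protected subnets or a malformed subnet are the usual reasons a net-to-net conn never carries traffic), renders the files in the form the slides show, and parses the conn section back to check the round trip. The site description uses the slide addresses; the NAT rule uses the newer `! -d` negation form of the slide's `-d \!`, and the functions, SITES dict and the double-quote check on the PSK are this example's own.

```python
"""Added example: build and sanity-check the site-to-site Openswan configuration
from the slides. Not Openswan code; addresses copied from the slides' diagram."""
import ipaddress

# Addresses from the slides' network diagram
SITES = {
    "left":  {"ip": "1.2.3.4", "subnet": "192.168.1.0/24", "nexthop": "%defaultroute"},
    "right": {"ip": "5.6.7.8", "subnet": "172.16.1.0/24", "nexthop": "5.6.7.9"},
}


def validate(sites):
    """Return a list of problems; an empty list means the description is consistent."""
    problems = []
    nets = {}
    for side in ("left", "right"):
        s = sites[side]
        try:
            ip = ipaddress.ip_address(s["ip"])
            nets[side] = ipaddress.ip_network(s["subnet"], strict=True)  # rejects host bits set
            if s["nexthop"] != "%defaultroute":
                ipaddress.ip_address(s["nexthop"])
        except ValueError as err:
            problems.append(f"{side}: {err}")
            continue
        if ip in nets[side]:
            problems.append(f"{side}: public address {ip} lies inside its own protected subnet {nets[side]}")
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        problems.append(f"protected subnets overlap ({nets['left']} vs {nets['right']}); "
                        "the kernel cannot route unambiguously through ipsec0")
    if sites["left"]["ip"] == sites["right"]["ip"]:
        problems.append("left and right gateways share one public address")
    return problems


def render_ipsec_conf(name, sites, auto="start"):
    """conn section in the form the slides show (authby=secret means a pre-shared key)."""
    lines = [f"conn {name}", "    authby=secret"]
    for side in ("left", "right"):
        s = sites[side]
        lines += [f"    {side}={s['ip']}",
                  f"    {side}subnet={s['subnet']}",
                  f"    {side}nexthop={s['nexthop']}"]
    lines.append(f"    auto={auto}")
    return "\n".join(lines) + "\n"


def render_ipsec_secrets(sites, psk):
    """One PSK line keyed by both gateway addresses (keep the file readable by root only)."""
    if '"' in psk:
        raise ValueError("a double quote inside the PSK would break the quoted secret")
    return f'{sites["left"]["ip"]} {sites["right"]["ip"]} : PSK "{psk}"\n'


def render_nat_rule(sites, side, wan_if):
    """MASQUERADE LAN traffic bound for the Internet but not for the remote office:
    NATed packets would no longer match the leftsubnet/rightsubnet policy."""
    other = "right" if side == "left" else "left"
    return (f"iptables -t nat -A POSTROUTING -o {wan_if} -s {sites[side]['subnet']} "
            f"! -d {sites[other]['subnet']} -j MASQUERADE")


def parse_ipsec_conf(text):
    """Read a single conn section back into a dict (comments after # are ignored)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            conf["conn"] = line.split(None, 1)[1]
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


if __name__ == "__main__":
    for problem in validate(SITES):
        print("WARNING:", problem)
    print(render_ipsec_conf("net-to-net", SITES))
    print(render_ipsec_secrets(SITES, "nonebutourselvescanfreeourminds"))
    print(render_nat_rule(SITES, "left", "eth0"))
```

The same SITES dict drives all three files, so the addresses in ipsec.conf, the PSK line and the NAT exclusion cannot drift apart, which is the most common way a hand-edited net-to-net setup ends up with a tunnel that negotiates fine but carries no packets.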
VPN Configuration (OpenSwan)
Site-to-Site VPN – Log

    104 "net-to-net" #1: STATE_MAIN_I1: initiate
    106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
    112 "net-to-net" #2: STATE_QUICK_I1: initiate
    004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}

Courtesy: http://www.linuxhomenetworking.com
VPN Configuration (OpenSwan)
Site-to-Site VPN – Verification/Debug

    [root@vpn2 tmp]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    10.0.0.0        0.0.0.0         255.255.255.0   U     40  0      0    eth1
    6.25.232.0      0.0.0.0         255.255.255.248 U     40  0      0    eth0
    172.16.1.0      1.2.3.4         255.255.255.0   UG    40  0      0    ipsec0

    tcpdump -n -i ipsec0 icmp
    03:05:53.971308 IP 192.168.1.5 > 172.16.1.5: icmp 64: echo request seq 89
    03:05:53.995297 IP 172.16.1.5 > 192.168.1.5: icmp 64: echo reply seq 89

    tcpdump -n -i eth1 host 5.6.7.8
    02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xf4909a7e,seq=0x73)
    02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x808e9a87,seq=0x74)
Courtesy: http://www.linuxhomenetworking.com
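The log slide and the verification slide above, as an added example that is not from the slides or from Openswan: a Python checker that reads Pluto log lines of the form shown (the `NNN "conn" #n: STATE_…: message` layout) to confirm that the ISAKMP SA and the IPsec SA came up and to record the negotiated SPIs, then audits a tcpdump capture of the Internet-facing interface for anything other than ESP between the two gateways. A cleartext LAN-to-LAN packet on that interface means the traffic did not match the conn's subnets and left the gateway unprotected, which no amount of reading the log would reveal. The log lines are those printed on the slide; the "stuck" log, the capture lines and the leaked ICMP line are constructed, with SPIs chosen to match the slide's log; the function names and the retransmission wording are this example's own.

```python
"""Added example (not from the slides or Openswan): confirm a net-to-net tunnel from
Pluto log lines, then audit a capture of the Internet-facing interface."""
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_\w+): (?P<msg>.*)$')
SPI_RE = re.compile(r'ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)')
CAPTURE_RE = re.compile(
    r'^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>\w+)'
    r'(?:\(spi=(?P<spi>0x[0-9a-f]+),seq=0x[0-9a-f]+\))?')

# Log lines as printed on the slide
PLUTO_LOG = [
    '104 "net-to-net" #1: STATE_MAIN_I1: initiate',
    '106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2',
    '108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3',
    '004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established',
    '112 "net-to-net" #2: STATE_QUICK_I1: initiate',
    '004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe0bdd0e9 <0x13ac7645}',
]
# Constructed: a peer that never answers the first Main Mode message
PLUTO_LOG_STUCK = [
    '104 "net-to-net" #1: STATE_MAIN_I1: initiate',
    '010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 20s for response',
    '010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response',
]
GATEWAYS = ("1.2.3.4", "5.6.7.8")
# Constructed capture of the external interface; SPIs chosen to match PLUTO_LOG
CAPTURE_OK = [
    '02:08:23.637149 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0xe0bdd0e9,seq=0x73)',
    '02:08:24.635302 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x13ac7645,seq=0x74)',
]
# Constructed: the same capture plus a LAN-to-LAN ping that bypassed the tunnel
CAPTURE_LEAK = CAPTURE_OK + [
    '02:08:25.001000 IP 192.168.1.5 > 172.16.1.5: icmp 64: echo request seq 90',
]


def _new_status():
    return {"phase1_mode": None, "isakmp_sa": False, "ipsec_sa": False,
            "spi_out": None, "spi_in": None, "retransmissions": 0}


def parse_pluto_log(lines):
    """Per-connection status: Phase 1 mode, whether each phase completed, negotiated SPIs."""
    status = defaultdict(_new_status)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                 # not a state line; ignore
        st = status[m["conn"]]
        if m["state"].startswith("STATE_MAIN_"):
            st["phase1_mode"] = "main"
        elif m["state"].startswith("STATE_AGGR_"):
            st["phase1_mode"] = "aggressive"
        if "ISAKMP SA established" in m["msg"]:
            st["isakmp_sa"] = True                   # Phase 1 done
        if "IPsec SA established" in m["msg"]:
            st["ipsec_sa"] = True                    # Phase 2 (Quick Mode) done
            spi = SPI_RE.search(m["msg"])
            if spi:
                st["spi_out"], st["spi_in"] = spi["out"], spi["in"]
        if "retransmission" in m["msg"]:
            st["retransmissions"] += 1
    return dict(status)


def summarize(status, conn):
    """One-line verdict for a connection."""
    st = status.get(conn, _new_status())
    if st["ipsec_sa"]:
        return f"{conn}: up (ESP out {st['spi_out']}, in {st['spi_in']})"
    if st["isakmp_sa"]:
        return f"{conn}: Phase 1 up, Phase 2 not established"
    return f"{conn}: Phase 1 not established ({st['retransmissions']} retransmissions)"


def audit_outer_interface(lines, gateways, known_spis):
    """On the Internet-facing interface only ESP between the two gateways should appear.
    Returns a list of findings; an empty list means the capture looks clean."""
    findings = []
    for line in lines:
        m = CAPTURE_RE.match(line.strip())
        if not m:
            continue
        if m["proto"] != "ESP":
            findings.append(f"cleartext {m['proto']} {m['src']} > {m['dst']} left the gateway unprotected")
        elif {m["src"], m["dst"]} != set(gateways):
            findings.append(f"ESP between unexpected peers {m['src']} > {m['dst']}")
        elif known_spis and m["spi"] not in known_spis:
            findings.append(f"ESP with SPI {m['spi']} not negotiated by this daemon")
    return findings


if __name__ == "__main__":
    status = parse_pluto_log(PLUTO_LOG)
    print(summarize(status, "net-to-net"))
    print(summarize(parse_pluto_log(PLUTO_LOG_STUCK), "net-to-net"))
    spis = {status["net-to-net"]["spi_out"], status["net-to-net"]["spi_in"]}
    print("clean capture findings:", audit_outer_interface(CAPTURE_OK, GATEWAYS, spis))
    print("leaky capture findings:", audit_outer_interface(CAPTURE_LEAK, GATEWAYS, spis))
```

The log side answers "did both phases negotiate?"; the capture side answers "is the protected traffic actually inside the tunnel?". Both are needed: the slide's tcpdump on ipsec0 showing plain ICMP is expected (that is the decapsulated side), whereas plain ICMP between the two LANs on the external interface is the failure to look for.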