Q. What does an Encryption Scheme contain
A. It consists of the following elements
- an encryption algorithm for encrypting messages
- an authentication algorithm for ensuring integrity, i.e. that the content of
the message has not been changed
- a key management protocol for generating and exchanging keys
Q. What is Manual IPSec
A. It is an encryption and authentication scheme that uses fixed
keys
IP packets are encrypted in accordance with the Encapsulating Security Payload
(ESP) standard. The original packet is encrypted and then encapsulated into
a new, longer packet. Encapsulation can be done in 2 modes
- Tunnel mode
- Transport mode
Q. What is SKIP
A. Simple Key Management for Internet Protocols (SKIP) is a development
from Sun Microsystems that adds two additional features to Manual
IPSec
- improved keys: a hierarchy of constantly changing keys
- key management: a protocol to exchange keys.
The security services that IPSec provides require shared keys to perform
authentication and/or confidentiality. A mechanism to manually add keys for these
services is implemented. This ensures interoperability of the base IPSec
protocols.
Q. What is an SA
A. SA stands for IPSec Security Association. It is a description of
how two or more entities will use security services in the context of a
particular security protocol (AH or ESP) to communicate securely on behalf of a
particular data flow. It includes such things as the transform and the shared
secret keys to be used for protecting the traffic.
The IPSec security association is established either by IKE or by manual user
configuration. Security associations are unidirectional and are unique per
security protocol. The security associations for both directions are
established at the same time.
When using IKE to establish the security associations for the data flow, the SAs
are established when needed and expire after a period of time (or volume of
traffic). If the security associations are manually established, they are
established as soon as the necessary configuration is completed and do not
expire.
Q. What is ISAKMP/OAKLEY
A. It is a standard for negotiating Security Associations (SAs) between
two hosts that will be using IPSec. It is also the key management scheme that
was chosen for IP version 6.
In IP version 4 ISAKMP/OAKLEY is optional.
Q. What is Oakley
A. Oakley is a protocol developed by Hilarie Orman, a cryptographer
from the University of Arizona
Q. What is ISAKMP
A. ISAKMP (Internet Security Association and Key Management Protocol)
was developed by researchers at the National Security Agency (NSA). Recently the
NSA has come out of the shadows and its considerable expertise in cryptography
and security has been put to visible use. ISAKMP is one such output.
ISAKMP defines how two peers communicate, how the messages they use to
communicate are constructed, and also defines the state transitions they go
through to secure their communication. It
- provides the means to authenticate a peer
- exchanges information for a key exchange
- negotiates security services
ISAKMP does not
- define how a particular key exchange is done
- define the security attributes for establishing a security association
Key exchange is left to the Internet Key Exchange and to the IP Security
Domain of Interpretation.
Q. What do I specify by activating Aggressive mode
A. The ISAKMP/OAKLEY key exchange is divided into two phases
Phase one (Main/Aggressive Mode)
The peers negotiate an ISAKMP Security Association (SA) that will be
used for encrypting and authenticating Phase two exchanges. The negotiated SA
includes
- encryption method
- authentication method
- keys
FireWall-1 supports two modes for phase 1
- aggressive mode (the default), in which three packets are exchanged
- main mode, in which six packets are exchanged
Phase two
Using the SA negotiated in phase 1, the peers negotiate an SA for encrypting
the IPSec traffic. Keys can be modified as often as required during a
connection's lifetime by performing phase 2 again.
Q. What is ESP
A. The Encapsulating Security Payload (ESP) is a
protocol header inserted into an IP datagram to provide
- confidentiality
- data source authentication
- antireplay
- data integrity services
ESP may be applied in different modes, in which it is inserted
a) between the IP header and the upper-layer protocol header, like UDP and
TCP (transport mode),
b) or it may be used to encapsulate an entire IP datagram (tunnel mode)
An ESP-protected datagram looks like
| IP header | ESP header | protected data | ESP trailer |
ESP is a separate IP protocol, and an ESP packet is identified by the protocol
field of the IP header: the protocol value is 50 for ESP.
The IP header is not encrypted, so that the receiver can identify the
Security Association (SA).
The ESP header is not encrypted, but a portion of the ESP trailer
is.
Q. What is AH
A. The Authentication Header (AH) is an IPSec protocol used to
provide
- data integrity (proof that a received packet has not been altered)
- data origin authentication
- optional antireplay services to IP.
AH does not encrypt any portion of the protected IP datagram. AH provides
everything that ESP provides except confidentiality.
It is defined in RFC 2042
An AH header looks like
| Next header | Payload length | Reserved |
| Security Parameters Index (SPI) |
| Sequence Number |
| Authentication data |
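As an added example (not part of the original FAQ), the following Python parser reads the cleartext fields of an ESP or AH packet laid out as above: it uses the IP protocol field to tell the two apart (50 for ESP as stated above; 51 for AH is the IANA value, not quoted on this page), pulls out the SPI and sequence number that identify the SA, and for AH derives the ICV length from the payload length and the mode from the next-header value. The sample packets are constructed inline.

```python
import struct

ESP = 50  # IP protocol number for ESP (the value quoted in the ESP section)
AH = 51   # IP protocol number for AH (IANA assignment, not stated on this page)


def parse_ipsec_packet(pkt: bytes) -> dict:
    """Return the cleartext IPsec fields of an IPv4 packet carrying ESP or AH.

    Only fields that are never encrypted are read: the IP header (needed to
    find the SA), the ESP header (SPI, sequence number) or the whole AH header.
    The (destination, SPI, protocol) triple is what selects the SA.
    """
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    body = pkt[ihl:]
    if proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # Everything after the 8-byte ESP header is ciphertext (payload,
        # padding, pad length, next header) followed by the ICV, so the
        # receiver cannot tell transport from tunnel mode until it decrypts.
        return {"protocol": "ESP", "dst": dst, "spi": spi, "seq": seq,
                "cleartext_bytes": ihl + 8, "encrypted_bytes": len(body) - 8}
    if proto == AH:
        next_hdr, payload_len = body[0], body[1]   # reserved bytes 2-3 skipped
        spi, seq = struct.unpack("!II", body[4:12])
        ah_len = (payload_len + 2) * 4   # payload_len = AH length in 32-bit words, minus 2
        icv = body[12:ah_len]            # authentication data (e.g. a 96-bit HMAC)
        mode = "tunnel" if next_hdr == 4 else "transport"   # 4 = IP-in-IP
        return {"protocol": "AH", "dst": dst, "spi": spi, "seq": seq,
                "next_header": next_hdr, "icv_len": len(icv), "mode": mode}
    raise ValueError(f"not an IPsec packet (IP protocol {proto})")


def _ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]),
                       bytes([192, 168, 1, 254])) + payload


# Constructed samples: an ESP packet with SPI 0x1234, seq 7 and 40 opaque bytes,
# and a tunnel-mode AH packet with SPI 0x200, seq 3 and a 12-byte ICV.
ESP_PKT = _ipv4(ESP, struct.pack("!II", 0x1234, 7) + b"\x00" * 40)
AH_PKT = _ipv4(AH, bytes([4, 4, 0, 0]) + struct.pack("!II", 0x200, 3) + b"\x00" * 12)

if __name__ == "__main__":
    for p in (ESP_PKT, AH_PKT):
        print(parse_ipsec_packet(p))
```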
Q. What is an Internet Key Exchange (IKE)
A. Prior to an IP packet being secured by IPSec, a Security
Association (SA) must exist. SAs are created manually or dynamically. The
Internet Key Exchange (IKE) is used to create them dynamically. IKE negotiates
SAs on behalf of IPSec and populates the SADB (the SA database).
Q. What is IKE
A. The Internet Key Exchange (IKE) is used to create Security
Associations (SAs) dynamically; it is used in conjunction with the IPSec standard.
It implements the Oakley and SKEME key exchanges inside ISAKMP.
Q. What is MD5
A. Message Digest 5 (MD5) is a hash algorithm
Q. What is SHA
A. Secure Hash Algorithm(SHA) is a hash algorithm
Q. Can I have a module in version 4.0 performing a VPN with a module in
version 4.1
A. A VPN between 4.0 and 4.1 on any supported platform is subject to
the restrictions detailed in the release notes for each version of
FireWall-1.
4.0 SP5 cannot use the CBC-DES MAC keyed hash function with
any version of 4.0 prior to SP5, nor can it use it with 4.1. One would have to
use either MD5 or SHA-1. This is limited to SKIP or Manual IPSec.
For IKE, 4.0 SP3 (Nokia) can establish a VPN with 4.1. On general platforms, SP2
can establish a VPN with 4.1.
Q. How to make a VPN work between FireWall-1 and a Cisco
router?
A. See the following URL: http://www.imtek.com/IPSec.html
Q. What is tunnel mode?
A. Tunneling is a method of using an internetwork infrastructure to
transfer data for one network over another network. The data to be transferred
(or payload) can be the frames (or packets) of another protocol. Instead of
sending a frame as it is produced by the originating node, the tunneling
protocol encapsulates the frame in an additional header. The additional header
provides routing information so that the encapsulated payload can traverse the
intermediate internetwork. The encapsulated packets are then routed between
tunnel endpoints over the internetwork. The logical path through which the
encapsulated packets travel through the internetwork is called a tunnel. Once
the encapsulated frames reach their destination on the internetwork, the frame
is unencapsulated and forwarded to its final destination. Tunneling includes
this entire process (encapsulation, transmission, and unencapsulation of
packets).
IP Security (IPSec) Tunnel Mode allows IP payloads to be encrypted, and then
encapsulated in an IP header to be sent across a corporate IP internetwork or a
public IP internetwork such as the Internet.
Q. What protocols and port numbers are used for IPSec
A. IPSec traffic consists of three components. UDP/500 is used for
ISAKMP key negotiations. IP protocol 50 carries the Authentication Header
traffic, and IP protocol 51 carries the encapsulating security payload.
TimeStep IPSec equipment requires access to an Entrust certificate authority
on TCP/709.
Q. How to set up a VPN between 2 sites
A. The steps below relate to Firewalls which are separately managed and remote
from each other. If they are both managed by the same Management module the
steps are almost the same, except that both firewalls would be defined as
'internal' under Network Objects.
1. Create Network objects for FW-A and FW-B in Security Policy of FW-A.
2. Check FW-B is marked as 'external' (if it has a separate MC)
3. Define an 'Encryption Domain' (ED) for each of the firewalls. This is the
network that the firewall is to encrypt traffic from/to. Your local ED would
normally be your internal net and the remote ED would be the remote internal
net. Make sure these definitions are the same on both Firewall policies (IP
addresses, machine names etc).
4. EDs should be group objects, so define the networks then place them in two
groups, i.e. Local-ED and Remote-ED. This also makes it easier to modify the ED
without modifying the policy.
5. Go to the 'Encryption' tab of FW-A and select Local-ED in the Encryption
Domain field (FW-B will have Remote-ED in its field)
6. Choose the Encryption Method you want to use for the VPN. The choices here
will depend on the licenses you have purchased. You can check this by running
'fw printlic' on the command line. Check that both Firewalls have the
appropriate encryption license.
isakmp/oakley
a. Select isakmp/oakley as the Encryption method and edit.
b. Check the various options are the same on both Firewalls.
c. Choose Auth method as 'pre-shared secret'. Push policy.
d. Edit FW-B; its pre-shared secret list should now show the pre-shared secret
of FW-A. Select, edit, enter the secret key & OK. Push policy.
e. Edit FW-A and check the pre-shared secret is present here also.
f. Add rules to the Policies on both firewalls:
   Source       Destination   Service   Action    Install On
   FW-A, FW-B   FW-A, FW-B    IKE       Accept
   Local-ED     Remote-ED     Any       Encrypt   Gateways
   Remote-ED    Local-ED      Any       Encrypt   Gateways
g. Right click on 'Encrypt', choose 'Edit Properties' and choose FW-B as the 'Peer
Gateway'
h. Repeat the steps on the Firewall Policy of FW-B if on a different MC. Make sure
everything is defined the same!
Manual IPSec
a. Select ManualIPSec as the Encryption Method on the Encryption tab of FW-A. You
will not be able to edit properties here.
b. Go to the main menu bar, Policy -> Properties -> Encryption. Check that
the SPI fields are the same on both Firewall Policies.
c. Create an SPI key: Manage -> Keys -> New -> SPI, type in an SPI
value and generate the key from a Seed. Make the Value and the Seed the same on
both Firewall keys. The SPI value should be greater than 0x100.
d. Create rules:
   Source       Destination   Service   Action    Track   Install On
   FW-A, FW-B   FW-A, FW-B    IPSEC     Accept    Long    Gateways
   Local-ED     Remote-ED     Any       Encrypt   Long    Gateways
   Remote-ED    Local-ED      Any       Encrypt   Long    Gateways
e. Edit the 'Encrypt' properties, choose ManualIPSec and 'Edit'. Choose the SPI
in the SPI field and FW-B in the 'Peer Gateway' field.
f. Follow the above steps on the other Firewall Policy, making sure that the SPI
values and the Seed are identical.
SKIP
a. Select SKIP as the encryption method on the Encryption tabs of FW-A and FW-B.
b. Generate the CA and DH keys for the Firewall objects.
c. Install the Policy.
d. Now 'Fetch' the CA and DH keys for the remote firewalls by clicking on their
Network objects and their Encryption tabs. If you are unable to fetch the keys of
the remote FW object then check the security policy to see if there is a rule
that is blocking the key exchange.
e. Add rules:
   Source       Destination   Service   Action    Track   Install On
   FW-A, FW-B   FW-A, FW-B    SKIP      Accept    Long    Gateways
   Local-ED     Remote-ED     Any       Encrypt   Long    Gateways
   Remote-ED    Local-ED      Any       Encrypt   Long    Gateways
f. Edit Encrypt Properties (right click), check that SKIP is selected and that the
criteria are the same on the other policy also. Select FW-B as the 'Peer Gateway'
g. Install Policies on both machines.
FWZ
The same as SKIP, except read FWZ wherever it says SKIP.
Notes:
- You can see encryption working by viewing the log files; the encrypted sessions
should show up in different colours and say 'encrypt'/'decrypt'.
- Other encryption options for the various schemes can be set in Policy ->
Properties -> Encryption.
- If you have two FW modules both managed separately, make sure both Management
modules can talk to each other to export the CA keys.
Tricks for VPN
How to terminate a VPN connection on an alternate interface
In order to force a VPN tunnel to use a physical interface other than the
primary external interface, use routing to direct packets across the
appropriate connection.

                      Internet
                     /        \
                    /          \
        192.168.1.254          192.168.57.254
    Private|----FW-A            FW-B----|Private
       LAN |     |                |     |  LAN
                 |                |
                  \              /
                   \            /
                    Semi-private
                        WAN

For example, FW-A has a primary licensed interface of 192.168.1.254. FW-B has a
primary licensed interface of 192.168.57.254. In order to establish a VPN tunnel
over the Semi-private WAN connection, FW-A's routing table must be configured so
that traffic to any of FW-B's interfaces will be sent over the Semi-private WAN.
Likewise, FW-B must be configured to route any traffic to any of FW-A's
interfaces over the Semi-private WAN interface.
Q. Problems Setting Up Hybrid-Mode IKE Encryption
We have tried to generate CA keys for a hybrid-mode IKE VPN setup, which has
appeared to be successful, but in actuality did not work. After certifying
the firewall objects, no certificates appeared in the list, and the Hybrid-Mode
option did not appear in the workstation properties either.
A. Prior to generating the certs, the firewall processes must be
stopped. Then the certificates should be generated, the objects should be
certified, and then the firewall processes should be restarted. A few people had
to repeat this process a couple of times, but all eventually got it to work using
that methodology.
Q. What interoperability tests have been performed or are known to work
today with FireWall-1
A. Interoperability between different VPN vendors is a growing subject. We list
the equipment we know works to build a VPN with FireWall-1. When possible you
will find configuration information.
Cisco: Creating a VPN between a Cisco router and a Checkpoint Firewall using
IKE-based IPSEC with a shared secret
This information was supplied by Ken Carvel. This is his actual email message.
From: Carvel, Ken P [carvel@BATTELLE.ORG]
Sent: Tuesday, March 14, 2000 11:38 AM
To: 'Ross Presser'
Subject: RE: Cisco Router to Checkpoint IKE
This is a basic overview of what we did, but the router config is much more
detailed than the Checkpoint setup.
IPs have been changed to protect the innocent.
On the Cisco Router:
!***Setup the ISAKMP policy using triple DES and a preshared key
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key sharedkey address (firewall external IP here)
!
!
!***Define authentication and encryption settings
!
crypto ipsec transform-set ciscofw1 esp-3des esp-md5-hmac
!
!***The actual map
!
crypto map fw1 10 ipsec-isakmp
set peer (firewall external IP here)
set transform-set ciscofw1
!
!***When something matches access-list 100, encrypt it
!
match address 100
!
!***Assign the map to the external interface
!
interface Ethernet0/0
ip address 192.168.202.254 255.255.255.0
crypto map fw1
!
!***We used NAT on our internal interface
!
interface Ethernet0/1
description Internal LAN Interface
ip address 192.168.201.254 255.255.255.0
no ip directed-broadcast
ip nat inside
!
ip nat inside source list 101 interface Ethernet0/0 overload
!
!*** Encrypt anything going to the 192.168.203 network
!
access-list 100 permit ip host 192.168.202.254 192.168.203.0 0.0.0.255
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
On the Checkpoint Firewall
Add an object for the router and set up its VPN encryption properties for
IKE. Edit the IKE properties to match the router's crypto settings. Use
preshared secret for the authentication method and set the secret key.
We added two rules, one for traffic coming from the Cisco and one for
traffic going to the Cisco. They allow all traffic and the action is set to
encrypt. Match the encrypt action's properties with the crypto settings on
the router.