DISCLAIMER
All rights reserved. This product and related documentation are protected by copyright and distribution under licensing
restricting their use, copy and distribution. No part of this document may be used or reproduced in any form or by any means,
or stored in a database or retrieval system, without prior written permission of the publisher except in the case of brief
quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other
purpose is in violation of copyright laws.
While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or
omissions and makes no explicit or implied claims to the validity of this information. This document and features described
herein are subject to change without notice.
This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither
Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability,
loss or damage caused or alleged to have been caused directly or indirectly by this book.
Trademarks:
Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.
Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.
Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.
Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective
companies. Specifications and descriptions subject to change without notice.
All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a
term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product
manuals for complete trademark information.
Agenda - ACE

DAY ONE
  ASG Overview: Available Products, Introduction to ACC, Purpose, Feature Overview
  Refresher ACA
  Networking
  Network Security: Quality of Service; Generic-, Socks-, Ident Proxy
  VoIP Security: H.323, SIP
  Intrusion Protection: Configuration

DAY TWO
  User Authentication: Users, Groups, Authentication
  Web Security: HTTP Profiles, Proxy User, Authentication Setup
  E-mail Security: SMTP Proxy, E-mail Encryption
  High Availability: Active/Passive HA, Clustering
  Implementation Guideline
  Configuration

DAY THREE
  Refresher SSL-VPN
  IPSec VPN
  Certificate Management: Certificates

Training Hours
Day One:
Day Two & Three:
Summary
LAB
Review
Prerequisites
Training setup / LAB environment
Location Facilities
Parking
Restrooms
Smoking
Breaks, Lunch, Drinks
Internet Access
Architecture
Open Source Components
Configuration Workflow
Web Security
E-mail Security
Network Security
Spyware Protection
Intrusion Protection
Virus Protection
Content Filtering
Anti-Spam/Phishing
VPN-Gateway
E-mail Encryption
Astaro 2007 / ACE_V7.00-0.16
Available Products

Model | ASG 110/120 | ASG 220 | ASG 320 | ASG 425 | ASG 525
Users | 10 / Unrestricted | Unrestricted | Unrestricted | Unrestricted | Unrestricted
Environment | Home office, small office | Small business, branch office | Medium business, enterprise division | Large enterprise headquarters | Large enterprise core networks
Network ports | 3 x 10/100 Mbps / 4 x 10/100 Mbps | 8 x 10/100 Mbps | 4 x 10/100/1000 Mbps | 8 x 10/100/1000 Mbps, Security Co-Processor | 10 x 10/100/1000 Mbps, Security Co-Processor
Firewall throughput (Mbps) | 100 | 260 | 420 | 1200 | 3000
VPN throughput (Mbps) | 30 | 150 | 200 | 265 | 400
IPS/IDS throughput (Mbps) | 55 | 120 | 180 | 450 | 750
E-mails/day | 350,000 | 500,000 | 1,000,000 | 1,500,000 | 2,200,000
Concurrent connections (without Mail-Security) | 60,000 | 400,000 | 550,000 | 700,000 | >1,000,000
Introduction
/ Astaro Configuration Manager
The Astaro Configuration Manager provides a centralized visual command center where the security policies for all Astaro firewall and VPN devices are graphically designed and their corresponding configurations are automatically generated and uploaded.
Introduction
/ Astaro Report Manager
The Astaro Report Manager is a centralized reporting engine that collects and analyzes log data from one or more ASG installations.
The Report Manager allows you to create drill-down reports in a variety of output formats such as Word, Excel, HTML and PDF.
Introduction
/ Astaro Secure Client
Astaro Secure Client is an easy-to-use remote working software based on the latest VPN technology.
The software integrates smoothly with a remote network and may be used with any popular IPSec-compliant gateway.
The Astaro Secure Client software provides strong, transparent authentication and AES encryption for your network traffic.
Architecture
/ Open Source Module
Open source software is distributed with the source code freely available for alteration and customization.
It is the collective work of many programmers.
Because anyone can review and fix the code, the resulting software can mature into something more useful, with fewer bugs and security holes.
Astaro leverages the flexibility and innovation of Linux and Open Source.
Configuration
/ Administration Workflow
Refresher ACA
This chapter provides a brief
refresher for:
Interfaces
NAT
Packet Filtering
DNS
Refresher ACA
/ Setting up Ethernet Interfaces
An Ethernet interface is a standard
10/100/1000 Mbit network card
Things to remember:
Set the correct IP address for each
interface with the correct netmask
Only define one default gateway
Make sure that each interface has
a unique address range in your
environment
Refresher ACA
/ Packetfiltering architecture
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.
Packet flow through the netfilter chains (figure summarised):
  Incoming packets -> PREROUTING (hooks: conntrack, mangle, dnat, spoofdrop) -> routing decision
  Routing decision -> INPUT (to a local process): mangle, filter, ips
  Routing decision -> FORWARD (network to network): conntrack, mangle, filter, ips
  Local process -> OUTPUT: routing decision, conntrack, mangle, dnat
  OUTPUT / FORWARD -> POSTROUTING (outgoing packets): mangle, masquerading, snat, ips
Tables: Filter, NAT (plus the mangle and conntrack hooks listed above).
Local processes attached to INPUT/OUTPUT: PPTP, IPSEC, BIND, SOCKS, SQUID, SSHD, EXIM, Apache.
Refresher ACA
/ Network Address Translation: Masquerading
Used if one (or multiple) internal networks should be hidden behind one official IP address.
Especially useful if private IP address ranges are used: the RFC 1918 source addresses of the internal hosts are replaced with the public IP of the firewall's external interface.
Refresher ACA
/ DNAT & SNAT
Destination Network Address Translation (DNAT) is used if an
internal resource should be accessible via an IP address assigned to
the firewall
Source Network Address Translation (SNAT) is used like
masquerading, but allows more granular settings
Refresher ACA
/ Packet Filter - Configuration Principles (1)
You only need to maintain one table of filter rules.
ASG automatically creates correct entries in the INPUT, OUTPUT or
FORWARD chain as necessary.
The rules in the table are ordered. The first rule to match decides what is
done with the packet.
Possible actions are:
Allow
Drop
Reject
Astaro Security Gateway starts with an empty table but keeps implicit
internal rules for all services it is using itself.
Refresher ACA
/ Packet Filter - Configuration Principles (2)
Default View: the rule table shows, per rule, its order, group name, enable/disable switch, source, service, destination, action, an optional description, and the edit/delete controls.
Refresher ACA
/ Packet Filter - Configuration Principles (3)
To create new or edit existing rules, the following fields are available:
  Source: IP or Group
  Service: TCP/UDP/IP
  Destination: IP or Group
  Action: Allow, Drop or Reject
  Time: the time event during which the rule applies
  Enable/Disable: Yes or No
  Description: whatever helps
Astaro Security Gateway V7 - Astaro Certified Engineer Page 24
Refresher ACA
/ DNS - Configuration
Global:
Accepts DNS requests from allowed, internal networks (e.g. your AD servers, or the clients in smaller networks).
Forwarders:
Forward DNS requests of the ASG to e.g. the provider's DNS servers.
Request Routing:
When the ASG should be able to resolve the hostnames of an internal domain hosted on your own internal DNS server, that server can be used as an alternate resolver for names that should not be sent to the DNS forwarders.
Static Entries:
Static mappings of hostnames to IP addresses.
Introduction to ACC
Networking
In this chapter you will learn
about:
VLAN
Link Aggregation
Bridging
Policy Routing
OSPF
Networking
/ VLAN (1)
Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller network segments at the Ethernet level (layer 2).
A VLAN-capable switch plus a VLAN-capable network interface simulate a number of physical interfaces plus cabling.
Every segment is identified by a "tag" (an integer number).
Adding a VLAN interface creates a virtual hardware device.
Example
PC1 and PC2 on the first floor and PC4 on the second floor are connected together on VLAN 10.
PC3, PC5 and PC6 are connected together on VLAN 20.
Both VLANs can communicate with each other only through the ASG's rulebase.
Topology (figure summarised): Host1 to Host3 are attached to switch a (ports a2 to a4), Host4 to Host6 to switch b (ports b2 to b4); the uplink ports carry VLANs 10 and 20 tagged towards the firewall/router.

Switch a:
  Port      VLAN Tag   tagged/untagged
  1         10, 20     tagged (uplink)
  2 (PC1)   10         untagged
  3 (PC2)   10         untagged
  4 (PC3)   20         untagged

Switch b:
  Port      VLAN Tag   tagged/untagged
  1         10, 20     tagged (uplink)
  2 (PC4)   10         untagged
  3 (PC5)   20         untagged
  4 (PC6)   20         untagged
Networking
/ VLAN (2)
VLAN segments are distinguished by a tag (integer value), a 12-bit number. Of the 4096 possible values, 0 (priority-tagged, no VLAN) and 4095 are reserved, so up to 4094 virtual LANs can be distinguished.
When you add a VLAN interface, you create a virtual hardware device on which additional interfaces (aliases) can be defined as well.
NOTE:
- Check the HCL to make sure the installed NIC is VLAN capable and supported.
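As an added illustration (this code is not part of the Astaro courseware), the following Python builds and parses the 802.1Q tag the text describes: the 16-bit Tag Control Information holds a 3-bit priority, a 1-bit DEI and the 12-bit VID, and nested 802.1ad/802.1Q tags (Q-in-Q) are walked until a real EtherType appears. The MAC addresses, the VLAN 10 scenario and the frame bytes are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # customer tag (what the ASG's VLAN interfaces use)
TPID_8021AD = 0x88A8  # service tag (outer tag in Q-in-Q)


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Build an Ethernet II frame carrying one 802.1Q tag.

    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits). VID 0 means
    "priority tagged, no VLAN" and 4095 is reserved, so only 1..4094
    are usable VLAN identifiers.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload).

    tags is a list of dicts, outermost first; an untagged frame gives [].
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def outer_vid(frame):
    """VLAN ID a switch or the ASG would classify the frame by; None if untagged."""
    tags = parse_frame(frame)[2]
    return tags[0]["vid"] if tags else None


# Constructed sample (not from the course material): PC1 on VLAN 10 sending an
# IPv4 packet (EtherType 0x0800) with priority 3 over a tagged uplink.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
SAMPLE = build_tagged_frame(DST, SRC, 10, 0x0800, b"\x45" + b"\x00" * 19, pcp=3)

if __name__ == "__main__":
    print(parse_frame(SAMPLE)[2])   # [{'tpid': 33024, 'pcp': 3, 'dei': 0, 'vid': 10}]
```

A VLAN-capable NIC on the ASG does the same classification in the driver; a NIC that strips or cannot generate the tag (which is why the HCL matters) would deliver every frame as untagged.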
Networking
/ Uplink Fail-Over
Usage:
If the primary connection to the Internet goes down, a secondary connection takes over.
Requirements:
  An additional NIC in the firewall
  An additional connection to the Internet
Restrictions:
  Only allowed on interfaces that have a default gateway.
Example (figure): LAN behind the ASG, with an MPLS connection as the primary uplink and a DSL connection as the backup.
Networking
/ Overview IEEE 802.3ad Link Aggregation
Link aggregation (LA, also known as "port trunking" or "NIC bonding") allows you to aggregate multiple Ethernet network ports into one virtual interface.
The Link Aggregation Control Layer (LACL) controls the distribution of the data stream across the member ports and negotiates the group with the link partner via the Link Aggregation Control Protocol (LACP).
Networking
/ Link Aggregation using ASG
Link aggregation allows you to have:
  Two links trunked for speed, and
  Two links in redundancy mode
Requirement:
  The link partner needs to support Link Aggregation
Networking
/ Link Aggregation Configuration (1)
IEEE 802.3ad Link Aggregation
Link Trunking (for speed)
Link Redundancy (for high availability)
Combination of both
Networking
/ Link Aggregation Configuration (2)
Up to four link aggregation groups with a maximum of four Ethernet interfaces per group are possible.
To create a link aggregation group (LAG), proceed as follows:
1. Select the interface you want to convert into a link aggregation group.
2. Select the check box for each unconfigured interface you want to add to the LAG.
3. Enable the LAG.
On top of the bonding interface you can create one of the following:
  Ethernet Standard
  Cable Modem (DHCP)
  Ethernet VLAN
  Alias interfaces
To disable a LAG, clear the check boxes of the interfaces that make up the LAG and click Update This Group.
The status of the bonding interface is shown on the Support / Advanced / Interfaces Table tab.
The link partner needs to support 802.3ad. The MAC address of the first NIC in the LAG is used for all other NICs within the LAG.
Networking
/ Bridging Overview (1)
Bridging occurs at the link layer (OSI layer 2).
The link layer controls data flow, handles transmission errors, provides physical (as opposed to logical) addressing, and manages access to the physical medium.
Bridges analyze incoming frames, make forwarding decisions based on information contained in the frames, and forward the frames toward the destination.
Deployment variants shown in the figure: Split Subnet, Keep Subnet.
Networking
/ Bridging Overview (2)
A bridge transparently relays traffic between multiple network interfaces.
Basically, a bridge connects two or more physical networks together to form one bigger (logical) network.
How it works (example):
  The default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1
  172.16.1.1 is the bridge interface br0 with ports eth1 and eth2
Networking
/ Bridging Overview (3)
The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.
How it works:
  When ethX interfaces are added to a bridge, they become ports of the br0 interface; the IP address lives on br0, not on the member ports.
  The Linux 2.6 kernel has built-in bridging support; the ebtables project adds filtering of the bridged Ethernet frames.
  Ebtables itself has only very basic IPv4 support.
  Bridge-nf is the infrastructure that lets iptables/netfilter see bridged IPv4 packets and do advanced things like transparent IP NAT.
  It forces bridged IP packets through the iptables chains.
Networking
/ Bridging Configuration (1)
Configuration Example:
Networking
/ Bridging Configuration (2)
There are two advanced options available:
Allow ARP Broadcasts
Ageing timeout
Networking
/ Policy Based Routing (1)
Policy-based routing provides a mechanism
for expressing and implementing
forwarding/routing of data packets based
on the policies defined by the network
administrators.
It provides a more flexible mechanism for
routing packets, complementing the
existing mechanism provided by routing
protocols.
Example (figure): two Internet providers, Prov. A and Prov. B, reached via a DSL router and an MPLS router; internally LAN 1, LAN 2 (with the ERP system) and DMZ 1 (with the SMTP server).
Policy route 1: interface = any, service = SAP, source = Finance, target = Provider A
Policy route 2: interface = 2, service = SMTP, source = DMZ1, target = Provider B
Networking
/ Policy Based Routing (2)
Policy based routing will route by selectors:
Destination
Source
Service
Source Interface
Limitations:
It is not possible to select all traffic and route it as this would be a default
gateway
Policy routes have an order which is evaluated in the same way as the packet
filter (top to bottom)
Only user defined policy routes are possible
Network groups in policy routes are not possible
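Both the packet filter table (Refresher ACA, configuration principles) and the policy route table above are ordered lists evaluated top to bottom with the first matching entry deciding. The Python below, an added example that is not Astaro code, models that evaluation for both: a rule carries the selectors (source, destination, service, source interface), the action is "allow"/"drop"/"reject" for the filter and the target gateway for a policy route, and a disabled rule never matches. The rule tables, network ranges and interface names are constructed for the example; the SAP port range and the "no match means drop" default are assumptions, not ASG defaults.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    in_iface: str = ""    # interface the packet arrived on


@dataclass
class Rule:
    # Packet filter: action is "allow", "drop" or "reject".
    # Policy route: action names the gateway/provider to send the packet to.
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive port range
    in_iface: str = "any"
    enabled: bool = True


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every selector of the rule must match; a disabled rule never matches."""
    if not rule.enabled:
        return False
    if rule.in_iface != "any" and rule.in_iface != pkt.in_iface:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def first_match(table: List[Rule], pkt: Packet, default: str):
    """Walk the ordered table top to bottom; the first matching rule decides.
    Returns (1-based rule position, action), or (None, default) if nothing matches."""
    for pos, rule in enumerate(table, start=1):
        if matches(rule, pkt):
            return pos, rule.action
    return None, default


# Constructed packet filter table (not the course's lab rules): the specific
# reject must sit above the broad allow, otherwise it never fires.
FILTER = [
    Rule("reject", src="192.168.1.0/24", dst="10.0.0.0/8", proto="tcp", dport=(23, 23)),  # no telnet to servers
    Rule("allow", src="192.168.1.0/24", proto="tcp"),                                     # LAN may open TCP anywhere
]

# Constructed policy routes modelled on the SAP / SMTP example above
# (192.168.2.0/24 stands in for Finance, 172.16.1.0/24 for DMZ1, eth2 for interface 2).
ROUTES = [
    Rule("Provider A", src="192.168.2.0/24", proto="tcp", dport=(3200, 3299)),              # Finance SAP traffic
    Rule("Provider B", in_iface="eth2", src="172.16.1.0/24", proto="tcp", dport=(25, 25)),  # DMZ1 outbound SMTP
]


def filter_decision(pkt: Packet):
    return first_match(FILTER, pkt, default="drop")   # assumed: no match means drop


def route_decision(pkt: Packet):
    return first_match(ROUTES, pkt, default="default gateway")   # no policy route: normal routing table


if __name__ == "__main__":
    telnet = Packet("192.168.1.5", "10.1.2.3", "tcp", 23, "eth0")
    print(filter_decision(telnet))                     # (1, 'reject')
    print(first_match(FILTER[::-1], telnet, "drop"))   # (1, 'allow'): reversing the order flips the verdict
```

The reversed-table call in the main block is the ordering pitfall in one line: the same two rules, swapped, let the telnet connection through because the broad allow now matches first.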
OSPF
/ Overview
OSPF = Open Shortest Path First
Link-state hierarchical routing protocol
Uses Dijkstra's SPF algorithm to calculate the shortest path tree.
Open standard, developed by the IETF
ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net)
Interior Gateway Protocol (IGP) for routing within one autonomous system (AS)
OSPF uses cost as its routing metric (e.g. 10^8 divided by the bandwidth of the interface in bits per second, so a 100 Mbit/s link has cost 1)
The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across that interface.
The cost of an interface is inversely proportional to the bandwidth of that interface.
OSPF
/ Features & Benefits
Area concept for hierarchical topologies and reduction of CPU and memory consumption of routers
Independent of IP subnet classes
Arbitrary, dimensionless metric
Load balancing over paths with equal costs
Special reserved multicast addresses reduce the impact on non-OSPF devices
Authentication
External route tags
TOS routing possible
Fast database reconciliation after topology changes
Support for large networks
Low susceptibility to faulty routing information
OSPF
/ Operating Mode
Link-state database example (figure):
  Router ID    Checksum   Seq. No.     Age
  10.1.1.1     0x9b47     0x80000006   0
  10.1.1.2     0x219e     0x80000007   1618
  10.1.1.3     0x6b53     0x80000003   1712
  10.1.1.4     0xe39a     0x8000003a   20
  10.1.1.5     0xd2a6     0x80000038   18
  10.1.1.6     0x05c3     0x80000005   1680
OSPF
/ Example LDSB & Principles
Routers 10.11.12.1 to 10.11.12.6 (figure)
Point-to-point connections
Cost of each connection := 1
Databases are synchronized
Each router knows the shortest path to every other router
10.11.12.1 has two routes with identical costs to 10.11.12.6
Assume the connection between 10.11.12.2 and 10.11.12.4 fails
LSAs are flooded over the whole network
After LSDB synchronization only one shortest path remains
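The figure with the six routers did not survive, so the Python below, an added example rather than course material, constructs a point-to-point topology with the stated properties (cost 1 per link, two equal-cost paths from 10.11.12.1 to 10.11.12.6) and runs Dijkstra's SPF over the synchronized LSDB, once before and once after the 10.11.12.2 to 10.11.12.4 link is withdrawn. The link list is an assumption; the algorithm is the general one, so it also reports equal-cost next hops for any other root.

```python
import heapq

# Constructed topology (assumption, the original figure is missing):
# .1 -- .2 -- .4 -- .6 and .1 -- .3 -- .5 -- .6, every link cost 1.
LINKS = [
    ("10.11.12.1", "10.11.12.2"), ("10.11.12.1", "10.11.12.3"),
    ("10.11.12.2", "10.11.12.4"), ("10.11.12.3", "10.11.12.5"),
    ("10.11.12.4", "10.11.12.6"), ("10.11.12.5", "10.11.12.6"),
]


def build_lsdb(links, cost=1):
    """Synchronised LSDB as an adjacency map {router: {neighbour: cost}}."""
    lsdb = {}
    for a, b in links:
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def spf(lsdb, root):
    """Dijkstra shortest-path tree rooted at `root`.

    Returns {destination: (cost, sorted next hops)}; more than one next hop
    means equal-cost paths that OSPF may load-balance over.
    """
    dist = {root: 0}
    nexthops = {root: set()}
    heap = [(0, root)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, c in lsdb.get(node, {}).items():
            nd = d + c
            # first hop of the path: the neighbour itself when leaving the root,
            # otherwise the first hops that already lead to this node
            hops = {nbr} if node == root else set(nexthops[node])
            if nbr not in dist or nd < dist[nbr]:
                dist[nbr] = nd
                nexthops[nbr] = hops
                heapq.heappush(heap, (nd, nbr))
            elif nd == dist[nbr]:
                nexthops[nbr] |= hops       # equal-cost path: keep both next hops
    return {n: (dist[n], sorted(nexthops[n])) for n in dist if n != root}


def link_down(links, a, b):
    """LSDB contents after the LSAs announcing the failure of link a-b were flooded."""
    return [l for l in links if set(l) != {a, b}]


if __name__ == "__main__":
    before = spf(build_lsdb(LINKS), "10.11.12.1")
    after = spf(build_lsdb(link_down(LINKS, "10.11.12.2", "10.11.12.4")), "10.11.12.1")
    print(before["10.11.12.6"])   # (3, ['10.11.12.2', '10.11.12.3'])
    print(after["10.11.12.6"])    # (3, ['10.11.12.3'])
```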
OSPF
/ Router Types & Principles (1)
Area border routers (ABR)
  connect to routers or networks in more than one OSPF area.
  maintain an LSDB for each area of which they are a part.
  also connect to the main backbone area.
  are considered members of all areas they are connected to.
  keep multiple copies of the link-state database in memory, one for each area.
OSPF
/ Router Types & Principles (2)
Backbone Routers (BR)
are part of the OSPF backbone.
OSPF
/ OSPF Packets
OSPF packets travel directly inside IP (protocol number 89), not over TCP or UDP:
  IP Header (Protocol #89) | OSPF Packet Header | OSPF Packet data
5 types of packets:
  1 Hello
  2 Database Description
  3 Link State Request
  4 Link State Update
  5 Link State Acknowledgement
OSPF
/ Header Format
32 Bits
8
Version
8
Typ
8
Lenght
Router ID
Area ID
Checksum
AuType
Authentication *)
Authentication *)
Packet Data
*) if AuType = 2:
0x0000
Key ID
Cryptogr. Sequence Number
Auth. Length
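To make the header layout concrete, here is an added Python example (not from the courseware) that packs and parses the OSPFv2 header with Python's struct module, computes the RFC 2328 checksum (the standard IP ones' complement sum over the packet with the 64-bit authentication field excluded, and simply zero for AuType 2), and decodes the Key ID, authentication data length and cryptographic sequence number when AuType is 2. The router IDs, area IDs and packet bodies are constructed; the bodies are zero-filled placeholders, not valid Hello or LSU contents.

```python
import ipaddress
import struct

# version, type, packet length, router ID, area ID, checksum, AuType, authentication (64 bit)
HEADER = struct.Struct("!BBHIIHH8s")
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgement"}
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2


def ones_complement_sum(data):
    """Standard IP checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(ptype, router_id, area_id, body, autype=AU_NULL, auth=b"\x00" * 8):
    """Assemble an OSPFv2 packet. For AuType 0/1 the checksum covers the whole
    packet except the 64-bit authentication field; for AuType 2 it is zero."""
    length = HEADER.size + len(body)
    rid = int(ipaddress.IPv4Address(router_id))
    aid = int(ipaddress.IPv4Address(area_id))
    unsummed = HEADER.pack(2, ptype, length, rid, aid, 0, autype, auth)
    csum = 0 if autype == AU_CRYPTO else ones_complement_sum(unsummed[:16] + body)
    return HEADER.pack(2, ptype, length, rid, aid, csum, autype, auth) + body


def parse_header(pkt):
    """Decode the header; verify the checksum where one is defined."""
    if len(pkt) < HEADER.size:
        raise ValueError("shorter than an OSPF header")
    version, ptype, length, rid, aid, csum, autype, auth = HEADER.unpack_from(pkt)
    if version != 2:
        raise ValueError("not OSPFv2")
    if length < HEADER.size or length > len(pkt):
        raise ValueError("bad packet length")
    body = pkt[HEADER.size:length]
    info = {"type": PACKET_TYPES.get(ptype, "unknown"), "length": length,
            "router_id": str(ipaddress.IPv4Address(rid)),
            "area_id": str(ipaddress.IPv4Address(aid)), "autype": autype}
    if autype == AU_CRYPTO:
        # RFC 2328 appendix D: 0 (16 bit), Key ID (8), Auth Data Length (8), Crypto Sequence Number (32);
        # the MD5 digest of auth_len bytes follows the packet and is not counted in length.
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info.update({"key_id": key_id, "auth_len": auth_len, "crypto_seq": seq, "checksum_ok": None})
    else:
        zeroed = pkt[:12] + b"\x00\x00" + pkt[14:16]      # header with checksum field cleared, auth excluded
        info["checksum_ok"] = ones_complement_sum(zeroed + body) == csum
        if autype == AU_SIMPLE:
            info["password"] = auth.rstrip(b"\x00")       # cleartext on the wire, readable by any sniffer
    return info


if __name__ == "__main__":
    hello = build_packet(1, "10.1.1.1", "0.0.0.0", b"\x00" * 20)   # constructed, zero-filled body
    print(parse_header(hello))
```

Note what AuType 1 buys you: the password is in the clear in every packet, so it only stops accidental adjacencies, not an attacker on the segment; AuType 2 with a sequence number is the option that resists replay.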
OSPF
/ Area Types
AS External LSAs are flooded across area borders.
Additionally, ASBR Summary LSAs are distributed within their areas by the ABRs.
Different area types are used to keep the LSDB small, e.g. Stub Areas, which receive no AS External LSAs but only a default route from their ABR.
OSPF
/ ASG Configuration OSPF-ID
OSPF
/ ASG Configuration OSPF Area
OSPF
/ ASG Configuration OSPF Interfaces (1)
OSPF
/ ASG Configuration OSPF Interfaces (2)
OSPF
/ ASG Configuration OSPF Interfaces (3)
Networking
Review Questions
Networking
/ Review Questions
1. How are VLAN segments distinguished? How many virtual LANs can be distinguished by the ASG?
2. How are ARP broadcasts handled on bridged interfaces?
3. What are the two major benefits of link aggregation on the ASG?
4. On which OSI layer does bridging occur?
5. Is it possible to combine bridging and routing on the ASG?
6. What are the route selectors in policy routing?
7. Name 5 benefits of OSPF.
8. Which transport protocol is used for OSPF?
9. Which router and area types do you know, and how do they interact with each other?
10. What must be configured before you can enable the OSPF function on the ASG?
Network Security
In this chapter you will learn
about:
Server Load Balancing
Quality of Service
Generic Proxy
Socks Proxy
Ident Proxy
Network Security
/ Server Load Balancing (1)
Used if the traffic going to one IP address should be split or
"balanced" between multiple servers
Network Security
/ Server Load Balancing (2)
Configuration for Server Load
Balancing contains three options:
Service to Balance
The Pre-Balance Target
A Group of Target Hosts
Quality of Service
/ Working Principle
Quality of Service (QoS) can reserve guaranteed bandwidth for certain types of outbound network traffic passing between two points in the network.
Inbound traffic is optimized internally by various techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).
Example (figure): ASG left at the headquarters and ASG right at the branch office shape the traffic between the two sites.
Quality of Service
/ Features and Benefits
QoS allows you to shape upstream traffic on the external NIC and downstream traffic on the internal NIC (figure).
Quality of Service
/ Configuration
Status: The Status tab lists the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.
Traffic Selectors: A traffic selector can be regarded as a QoS definition for a certain type of network traffic.
Quality of Service
/ Configuration: Status Overview
Quality of Service
/ Configuration: Traffic Selectors
Quality of Service
/ Configuration: Bandwidth Pools
Bandwidth Pools
They describe the available and
guaranteed bandwidth for the available
interfaces
Network Security
/ Advanced
The Generic Proxy is another option when private networks are being used.
SOCKS is an Internet protocol that allows clients to use the services of a firewall transparently; the name is short for SOCKetS.
The Ident protocol is specified in RFC 1413 and helps to identify the user of a particular TCP connection.
Network Security
/ Generic Proxy
Works as a port forwarder
Combines features of DNAT and
Masquerading
Forwarding all incoming traffic for a
specific service to an arbitrary server.
In contrast to DNAT, source IP address
is replaced with the IP of the interface
of the ASG for outgoing connections
It is possible to change target port
number also
Network Security
/ SOCKS
What is it used for?
  Can build TCP and UDP connections for client applications
  Can provide incoming ports to listen on
  Used with systems that incorporate NAT
Where is it used?
  IM clients such as ICQ, AIM
  FTP
  RealAudio
Astaro Security Gateway supports SOCKSv5
User authentication can be used
Network Security
/ IDENT Relay
IDENT is an older protocol
It allows external servers to associate a username with a TCP connection
Not very secure, because the connection is neither encrypted nor authenticated and the answer is whatever the client host chooses to send
Necessary for some services like IRC and some mail servers
Astaro responds with the string that you specify as the default response
Hence the configuration is rather simple; it offers:
  Configuration of the string to answer with
  Optionally the possibility to forward Ident requests to the internal clients (which is not always possible)
Network Security
Review Questions
Network Security
/ Review Questions
1. What does Server Load Balancing do?
2. With which technology is it realized?
3. For which kinds of traffic is Quality of Service suitable?
4. What is the Generic Proxy used for?
5. What does the Socks Proxy do?
6. What can the Ident Proxy do?
VoIP Security
In this chapter you will learn how SIP and H.323 security work
VoIP Security
/ SIP/H.323 Security
SIP and H.323 are so-called signaling protocols, designed to notify the communication partners in telephony-like connections. The signals carry information about the state of the connection, like INVITE, RINGING or HANGUP. The actual voice connection takes place on a dynamic port that is negotiated in the signaling.
Astaro's VoIP Security uses special connection tracking helper modules that monitor the control channel to determine which dynamic ports are being used, and then allows traffic on exactly these ports only for as long as the control channel (the call) is active.
Example exchange (figure): Rick at IP-A calls Cory at IP-B; PORT-S is the SIP signaling port.
  Rick -> IP-B, PORT-S:  INVITE Cory@IP-B   with SDP   c=IN IP4 IP-A  /  m=audio 2000 RTP/AVP 0
  Cory -> IP-A, PORT-S:  200 OK             with SDP   c=IN IP4 IP-B  /  m=audio 4000 RTP/AVP 3
  Audio stream from Cory to IP-A, port 2000 (and from Rick to IP-B, port 4000, as announced in the 200 OK)
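The following Python is an added example, not Astaro's helper code, showing the part of the SIP helper's job that the exchange above illustrates: parse the SDP body of the INVITE and of the 200 OK, read the c= (connection address) and m= (media port) lines, open pinholes for the RTP port and the RTCP port one above it, and close them again on BYE. The addresses (documentation ranges standing in for IP-A and IP-B), Call-ID and message texts are constructed; a media port of 0 (stream rejected) and a media-level c= line overriding the session-level one are handled because real endpoints send both.

```python
# Constructed SIP dialog (RFC 3261 syntax, RFC 4566 SDP); documentation
# addresses stand in for IP-A and IP-B from the figure.
IP_A, IP_B = "192.0.2.10", "198.51.100.20"
INVITE = (
    "INVITE sip:cory@" + IP_B + " SIP/2.0\r\n"
    "Call-ID: 1234@" + IP_A + "\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 " + IP_A + "\r\n"
    "m=audio 2000 RTP/AVP 0\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\nCall-ID: 1234@" + IP_A + "\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 " + IP_B + "\r\n"
    "m=audio 4000 RTP/AVP 3\r\n"
)
BYE = "BYE sip:cory@" + IP_B + " SIP/2.0\r\nCall-ID: 1234@" + IP_A + "\r\n\r\n"


def split_message(msg):
    """Return (start line, {header: value}, body) of a SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def sdp_media(body):
    """Return [(ip, port, proto)] for every media stream in an SDP body.

    A media-level c= line overrides the session-level one; port 0 means the
    stream is rejected and needs no pinhole.
    """
    session_ip, media, current = None, [], None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line[len("c=IN IP4 "):].strip()
            if current is None:
                session_ip = ip
            else:
                current["ip"] = ip
        elif line.startswith("m="):
            _kind, port, proto, *_formats = line[2:].split()
            current = {"ip": session_ip, "port": int(port), "proto": proto}
            media.append(current)
    return [(m["ip"], m["port"], m["proto"]) for m in media if m["port"] > 0 and m["ip"]]


class SipSession:
    """Minimal model of a SIP conntrack helper: pinholes exist only while the dialog is up."""

    def __init__(self):
        self.pinholes = set()
        self.active = False

    def feed(self, msg):
        start_line, _headers, body = split_message(msg)
        if start_line.startswith("INVITE ") or start_line.startswith("SIP/2.0 200"):
            self.active = True
            for ip, port, _proto in sdp_media(body):
                # RTP on the announced port, RTCP on the next one (RFC 3550 convention)
                self.pinholes.add((ip, port, "udp"))
                self.pinholes.add((ip, port + 1, "udp"))
        elif start_line.startswith("BYE "):
            self.active = False
            self.pinholes.clear()        # the dynamic ports close with the call
        return sorted(self.pinholes)


if __name__ == "__main__":
    session = SipSession()
    session.feed(INVITE)
    print(session.feed(OK_200))   # four UDP pinholes: 2000/2001 at IP-A, 4000/4001 at IP-B
    print(session.feed(BYE))      # []
```

The security point is in the two branches: the firewall never opens a static RTP range, it opens exactly the addresses and ports the signaling announced and drops them again when the signaling ends. A real helper additionally checks that the c= address belongs to the endpoint that sent the message, since an attacker who can inject SDP could otherwise open pinholes towards third parties.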
VoIP Security
/ SIP Session Initiation Protocol
"Session Initiation Protocol is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences." (cit. RFC 3261)
Example (figure): Rick sends INVITE cory@astaro.com to a SIP Proxy, which locates Cory via the SIP Registrar.
VoIP Security
/ H.323
H.323 is an umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network.
H.323 was originally created to provide a mechanism for transporting multimedia applications over LANs, but it has rapidly evolved to address the growing needs of VoIP networks.
Real-time applications such as NetMeeting and Ekiga (the latter using the OpenH323 implementation) use H.323.
A good starting point for further reading is http://en.wikipedia.org/wiki/H323
VoIP Security
/ SIP/H.323 Security
VoIP Security
Review Questions
VoIP Security
/ Review Questions
1. What does SIP stand for?
2. Which parts do you need to configure for SIP/H323 security?
3. Explain how SIP works.
4. What are the ports SIP is normally making use of?
Intrusion Protection
Statefulness
Configuration
Ruleset
Advanced
Intrusion Protection
/ Working Principle
Astaro Security Gateway's IPS operates in inline mode.
It is placed logically between the external, internal and DMZ networks, located on one single machine.
Astaro uses Snort Inline (http://snort-inline.sourceforge.net) as IPS, which is a modified version of Snort (open source module).
Snort Inline lets Astaro Security Gateway perform detection and prevention at the same time.
Another benefit of inline mode is that all packets must pass the Astaro Security Gateway, so no packet can slip past the sensor unseen, e.g. due to high network load (a passive sensor on a mirror port may drop packets under load without anyone noticing).
Intrusion Protection
/ Fundamentals
Inline
Intrusion Protection
/ Working Principle
Each packet runs through the IPS only ONCE:
1. Packet from Network to the local machine
2. Packet from Network to Network
3. Packet from local machine to Network (e.g. of using the proxies and also in
case of an exploit to a Linux module on Astaro Security Gateway itself)
Packet flow with IPS (figure summarised; same chains as in the ACA refresher):
  Incoming packets -> PREROUTING (hooks: conntrack, mangle (empty), dnat, spoofdrop) -> routing decision
  Routing decision -> INPUT (to a local process): mangle, filter, ips
  Routing decision -> FORWARD (network to network): conntrack, mangle, filter, ips
  Local processes (PPTP, IPSEC, BIND, SOCKS, SQUID, SSHD, EXIM, Apache) -> OUTPUT: routing decision, conntrack, mangle, dnat
  OUTPUT / FORWARD -> POSTROUTING (outgoing packets): mangle, masquerading, snat, ips
Tables: Filter, NAT.
The ips hook is placed so that each of the three paths listed above passes it exactly once.
Intrusion Protection
/ Limitations of Firewalls and Virus-Scanners (1)
A robust firewall policy can minimize the exposure of many networks.
Depending on the security level to be achieved, such countermeasures alone might not be enough.
Packet filter firewalls inspect on a per-packet basis:
  Even invalid packets may pass through
  No detection of application-layer attacks
  Protocols using multiple ports are hard for firewalls to handle (e.g. FTP, PPTP, H.323, MMS, ...)
Intrusion Protection
/ Limitations of Firewalls and Virus-Scanners (2)
Firewalls inspect for viruses and worms in:
E-mails & Attachments
SMTP, POP3 and HTTP-Streams
Intrusion Detection
/ Configuration
Global: General settings for Intrusion Protection
Attack Patterns: Enable or disable the categories of attacks that can be recognized
Anti-DoS / Flooding: Configure the Denial of Service and Flood Protection here
Anti-Portscan: Portscan detection configuration
Exceptions: Of course the configuration can be limited to certain hosts and networks
Advanced: Modified rules and IP address information about dedicated servers
Intrusion Detection
/ Configuration: Global
The global settings contain a list of networks that are protected by intrusion prevention (figure: LAN1, LAN2, LAN3).
If attacks from the local networks should be detected, it is important NOT to add them to this list!
Depending on the traffic between the LAN segments, a major impact on the performance of the ASG is possible.
Notify: Send an e-mail to the admin address if packets are detected matching rules of this group.
Intrusion Protection
/ Refresher: How SYN Floods work
SYN attack: the attacker sends a stream of SYN packets with spoofed source IP addresses, chosen to be those of currently unreachable hosts.
The server answers each SYN with a SYN/ACK to the spoofed address. Because that host is unreachable, the final ACK of the handshake never arrives, and every half-open connection occupies a slot in the server's backlog until it times out; with enough of them the server can no longer accept legitimate connections.
Sequence (figure):
  Attacking Host -> Server: SYN with source IP of Unreachable Host #1, #2, #3, ...
  Server -> Unreachable Host #1, #2, #3: SYN/ACK (never answered)
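The Anti-DoS/Flooding settings act on rates of SYN packets; as an added example (not Astaro code), the Python below runs the two checks such a limiter needs over a constructed packet trace: the number of half-open handshakes per source, and the peak SYN rate per destination over a sliding window. The second view matters because a spoofed flood spreads its SYNs over many source addresses, so a per-source count alone stays below any sensible threshold. The trace, addresses, window and threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed packet summaries: (ts in seconds, src, sport, dst, dport, TCP flags).
# One legitimate client completes its handshake (SYN, then ACK); an attacker
# sends SYNs from three spoofed, unreachable addresses that never ACK.
PACKETS = [
    (0.00, "192.168.1.10", 50000, "10.0.0.5", 80, "S"),
    (0.05, "192.168.1.10", 50000, "10.0.0.5", 80, "A"),
    (0.10, "198.51.100.1", 1025, "10.0.0.5", 80, "S"),
    (0.20, "198.51.100.2", 1026, "10.0.0.5", 80, "S"),
    (0.30, "198.51.100.3", 1027, "10.0.0.5", 80, "S"),
    (0.40, "198.51.100.1", 1028, "10.0.0.5", 80, "S"),
    (0.50, "198.51.100.2", 1029, "10.0.0.5", 80, "S"),
    (0.60, "198.51.100.3", 1030, "10.0.0.5", 80, "S"),
    (5.00, "192.168.1.11", 50001, "10.0.0.6", 443, "S"),
    (5.04, "192.168.1.11", 50001, "10.0.0.6", 443, "A"),
]


def half_open_by_source(packets):
    """SYNs per source whose handshake was never completed by an ACK on the
    same 4-tuple, i.e. what fills the server's backlog."""
    pending = {}
    for _ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = src
        elif flags == "A":
            pending.pop(key, None)
    counts = defaultdict(int)
    for src in pending.values():
        counts[src] += 1
    return dict(counts)


def peak_syn_rate(packets, window):
    """Highest number of SYNs to each destination inside any `window` seconds
    (sliding window over the sorted SYN timestamps)."""
    stamps = defaultdict(list)
    for ts, _src, _sport, dst, _dport, flags in packets:
        if flags == "S":
            stamps[dst].append(ts)
    peak = {}
    for dst, ts in stamps.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peak[dst] = best
    return peak


def flooded_destinations(packets, window=1.0, threshold=5):
    """Destinations whose SYN rate exceeds `threshold` per `window` seconds."""
    return sorted(d for d, n in peak_syn_rate(packets, window).items() if n > threshold)


if __name__ == "__main__":
    print(half_open_by_source(PACKETS))      # each spoofed source leaves only 2 half-open entries
    print(flooded_destinations(PACKETS))     # ['10.0.0.5']: the per-destination rate exposes the flood
```

Thresholds are the operational knob: set them from the normal SYN rate of the protected servers, since a value that is too low turns a busy web server's legitimate peak into a self-inflicted denial of service.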
Anti-Portscan:
  Detects portscans
  Can have exceptions
Exceptions:
  For source and destination networks, each of the following checks can be skipped: Anti-Portscan, Anti-DoS/Flooding TCP, Anti-DoS/Flooding UDP, Anti-DoS/Flooding ICMP, Performance Tuning
Advanced:
  Modified Rules
  Performance Tuning
Intrusion Protection
Review Questions
Intrusion Protection
/ Review Questions
1. How does Intrusion Protection work?
2. What is the improvement over Firewalls or Anti-Virus Products?
3. Where is Astaro Intrusion Detection placed?
4. How does it integrate with the Packetfilter framework?
5. Which detection methods are applied to traffic?
User Authentication
In this chapter you will learn about:
Users
Groups
Authentication
User Authentication
/ Purpose
Authentication (from Greek authentikos = real or genuine, from authentes = author) is the act of establishing or confirming something (or someone) as authentic, that is, that the claims made by or about the thing are true.
Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity.
Authentication depends upon one or more authentication factors.
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication, such as a request to log in.
The sender being authenticated may be a person using a computer, a computer itself or a computer program.
Local Authentication
User Authentication
/ User Management
User management is necessary to allow or
forbid services to certain users or user groups.
To manage local and remote authentication
services, the web interface offers the Users
menu.
User Authentication
/ Local User Management
The User Management in Astaro allows to
administer local users and user groups.
Here you can create user profiles local to the
firewall.
No external authentication service is queried to
authenticate these users.
To create a local authenticated user, select
Authentication: Local
Remote Authentication
Remote Authentication
/ Available Methods
Astaro has many options for remote user authentication:
  eDirectory: Novell, partly LDAP based
  Active Directory: Microsoft, partly LDAP based
  RADIUS: Remote Authentication Dial-In User Service; originally from Livingston Enterprises, later standardized in RFC 2865
  TACACS+: Terminal Access Controller Access-Control System Plus; Cisco, long an Internet-Draft and since 2020 documented in RFC 8907
Remote Authentication
/ Novell eDirectory
With ASG V7 eDirectory SSO, Novell users only need to authenticate once at initial client login to gain web access to the Internet.
Based on the ASG V7 SSO-authenticated user, user-, group- and/or container-based access control and content inspection profiles are assigned.
Once authenticated, the web security capabilities of the ASG are applied to traffic flows based on the user, including prevention of phishing, virus and spam attacks, without the need for further authentication at the browser level.
Remote Authentication
/ Novell eDirectory
When creating Groups from the Novell eDirectory, ASG
offers a very convenient eDirectory Browser
It allows you to select usergroups directly in the Web
Admin Interface
NOTE:
SSO in eDirectory does not work on machines where more than one user is logged in.
Currently ASG V7 does not support containers and multiple root nodes in eDirectory.
Remote Authentication
/ Active Directory (1)
Can be used to implement single sign-on with Astaro Security Gateway when using the HTTP Proxy
NTLM uses a challenge-response authentication scheme
Active Directory allows all users to be centrally managed in groups.
Remote Authentication
/ Active Directory (2)
Using Surf Protection with Active Directory authentication requires a running Windows server with AD services.
Active Directory Service manages the users of a Windows domain.
LDAP uses the Distinguished Name (DN) of a user for identification. The name has to be unique within the directory.
Steps to perform:
1. Create an AD user with read privileges (used by the ASG to query the AD service).
2. Add the AD Users and Computers snap-in in the MS Management Console to define it.
3. To add the user, right-click on your domain controller and define a new user.
4. Grant full read privileges to your defined user (right-click CN: properties).
5. Create as many users as you need in your Active Directory. All of these users are able to authenticate.
Remote Authentication
/ RADIUS
Remote Authentication Dial-In User Service (RADIUS)
Uses UDP port 1812 (legacy implementations: 1645) for authentication queries; accounting uses 1813 (legacy 1646)
Uses an external directory for large installations; often used by Internet Service Providers for network, router and Internet access
Only the User-Password attribute is hidden (XORed with an MD5 keystream derived from the shared secret); all other attributes, including the user name, travel in cleartext
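As an added example (this is not Astaro's RADIUS client), the Python below implements the User-Password hiding from RFC 2865 section 5.2 exactly as the statement above describes it: the password is padded with NULs to a multiple of 16 bytes and each block is XORed with MD5(shared secret + previous block), the first "previous block" being the 16-byte Request Authenticator. The inverse function is included because it is what anyone holding (or having brute-forced) the shared secret does to a captured Access-Request; the attribute builder shows the User-Name going out in the clear next to the hidden password. Shared secret, authenticator and credentials are constructed for the example.

```python
import hashlib


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding (MD5 keystream, CBC-like chaining)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RADIUS passwords are at most 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; also the attacker's step once the secret is known."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strips the padding (and any trailing NULs the password itself had)


def build_access_request_attrs(username, password, secret, authenticator):
    """Attribute TLVs of an Access-Request: User-Name (type 1) is cleartext,
    only User-Password (type 2) is hidden."""
    hidden = hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username +
            bytes([2, 2 + len(hidden)]) + hidden)


def parse_attrs(data):
    """Decode type/length/value attributes into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


if __name__ == "__main__":
    # Constructed values: a weak shared secret and a fixed authenticator.
    secret, authenticator = b"xyzzy5461", bytes(range(16))
    attrs = parse_attrs(build_access_request_attrs(b"rick", b"correct horse battery", secret, authenticator))
    print(attrs[1])                                          # b'rick' readable by any sniffer
    print(unhide_password(attrs[2], secret, authenticator))  # recovered with the secret alone
```

Two properties follow directly from the construction and are worth knowing when you deploy it: the hiding is only as strong as the shared secret (a dictionary attack on a captured packet tests candidate secrets offline), and a repeated Request Authenticator makes identical passwords hide to identical bytes. That is why RADIUS should run over a trusted network or inside IPSec, as the page's VPN chapters set up.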
Remote Authentication
/ TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+)
Uses TCP port 49 for authentication queries and therefore gets reliable transport, unlike RADIUS over UDP
Also uses an external directory for large installations; often used by Internet Service Providers
TACACS+ separates, unlike RADIUS, authentication from authorization (and accounting).
The whole packet body is encrypted (obfuscated with an MD5 keystream derived from the shared secret); only the 12-byte header is sent in clear
Despite the name, TACACS+ does not have much in common with TACACS (without the +)
Remote Authentication
/ LDAP
LDAP (Lightweight Directory Access Protocol) is an information model and a protocol for
querying and manipulating tree-like directories.
LDAP's overall data and namespace model is essentially that of X.500.
Authentication by querying an LDAP server requires an active DNS proxy with valid
entries.
Astaro Security Gateway can connect to LDAP-based directories such as:
Sun Identity Server
OpenLDAP
Netscape Directory
But also these are based on LDAP:
Active Directory
Novell eDirectory
Control of proxy usage on a per-user basis!
Bind-DN and password are the credentials of the service account with which the
security system logs in to the LDAP server to look up users
Base-DN specifies the location of the user database in the LDAP tree
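The Bind-DN / Base-DN lookup as the usual search-then-bind sequence, shown here as an added Python example that is not Astaro code: the gateway binds with the Bind-DN and its password, searches below the Base-DN for the entry of the user who is logging in, and then binds as that user's DN with the user's password. The login name comes from the proxy's authentication prompt, so it is escaped per RFC 4515 before it goes into the search filter; the unescaped variant is kept only for comparison. The Base-DN, the attribute name sAMAccountName and the sample logins are assumptions. No LDAP server is contacted; the functions build the requests a caller would hand to an LDAP library.

```python
"""Search-then-bind user lookup with RFC 4515 filter escaping.
Added example, not Astaro code; Base-DN, attribute and logins are assumed."""

# RFC 4515 section 3: these characters must be escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search(base_dn: str, login: str, attribute: str = "sAMAccountName") -> dict:
    """Search request issued (after the Bind-DN bind) to find the user's DN."""
    return {
        "base": base_dn,                       # Base-DN from the backend configuration
        "scope": "subtree",
        "filter": f"(&(objectClass=user)({attribute}={escape_filter_value(login)}))",
        "attributes": ["distinguishedName"],
    }


def naive_user_search(base_dn: str, login: str, attribute: str = "sAMAccountName") -> dict:
    """The same request without escaping: the login value can rewrite the filter."""
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": f"(&(objectClass=user)({attribute}={login}))",
        "attributes": ["distinguishedName"],
    }


def assertion_count(ldap_filter: str) -> int:
    """Count unescaped '(' in a filter. A login value must never change this number;
    if it does, the user has injected additional filter components."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3                                 # skip a \xx escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


def bind_sequence(bind_dn: str, base_dn: str, login: str):
    """The two binds a gateway performs, as data: first the service account,
    then the DN found by the search (filled in by the caller from the result)."""
    return [
        {"step": "bind", "dn": bind_dn, "note": "Bind-DN + its password"},
        {"step": "search", **user_search(base_dn, login)},
        {"step": "bind", "dn": "<DN returned by the search>", "note": "user's own password"},
    ]


if __name__ == "__main__":
    base = "DC=asllab,DC=net"                                  # assumed Base-DN
    for login in ("alice", "*)(objectClass=*"):                # second one is hostile
        print(naive_user_search(base, login)["filter"], assertion_count(naive_user_search(base, login)["filter"]))
        print(user_search(base, login)["filter"], assertion_count(user_search(base, login)["filter"]))
```

The hostile login `*)(objectClass=*` turns the naive filter into a query that matches every user object under the Base-DN; with escaping it is just a literal string that matches nobody. Apply the same discipline to any DN you assemble from user input (RFC 4514 escaping), never only to filters.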
Remote Authentication
/ Advanced
Advanced Configuration
Backend query order
Defines in which order all the
configured backends for
authentication are queried. This is
important if the same user exists in
different directories.
Password complexity
When users change their password
in the Astaro End-User Portal, you
can force them to use complex
passwords with these settings.
User Authentication
Configuration Example
Authentication
/ Local Users (1)
To add yourself to the local user directory,
first go to the Users/Users menu.
This menu lets you view existing users or add
a new one:
Authentication
/ Local Users (2)
When you have finished and saved the entry, you should find
the following user in the list:
The rest of the line contains information about the user: the
e-mail address, the authentication source and a comment.
Authentication
/ Remote User-Authentication: NTLM (1)
Before NTLM/SSO becomes available, you
need to setup the Active Directory
configuration.
Active Directory takes only
a few parameters:
the server itself:
use an existing or newly created definition here
SSL:
encrypt the connection or not (recommended: with SSL;
without it the bind credentials and the queries cross
the network in clear text)
Authentication
/ Remote User-Authentication: NTLM (2)
Once the Active Directory configuration is set up, NTLM/SSO
becomes available and can be configured. To do so, you need to
join your ASG into your Windows Domain.
This works exactly as it would with a Windows PC: you need an
administrative account to approve the join.
Simply enter the Domain Name and the credentials and hit
Apply.
Authentication
/ Remote User Groups
Finally, to use whole groups on the
remote Active Directory, you may want to
create an assignment of remote user
groups to local user groups:
To do so, go to the Users/groups menu
and create a new user group
The group should be of group-type
Backend Membership with the backend
Active Directory. This example limits
the membership to the local group
Active Directory to members of the
remote AD group http_users (which
exists in the Active Directory).
User Authentication
Review Questions
User Authentication
/ Review Questions
1. How are Users and Groups structured?
2. Which Authentication Methods are supported by Astaro?
3. What's the benefit of using NTLM Authentication?
4. How is SSO activated when using Active Directory?
Web Security
In this chapter you will learn about:
HTTP Profiles
HTTP Authentication
Web Security
/ HTTP Proxy Overview (1)
The HTTP Proxy allows to do
User Authentication
Content Filtering
HTTP Protocol Enforcement
Web Security
/ HTTP Proxy Overview (2)
The HTTP Proxy relays HTTP, HTTPS, FTP
and WebDAV queries
HTTP and FTP queries are cached on disk
and in memory
[Diagram: clients send FTP, HTTP and HTTPS requests to the Proxy & Cache, which forwards
FTP/HTTP to the Internet]
Web Security
/ HTTP Proxy - Workflow
Flexible configuration is
possible through so called
Proxy Profiles and Filters.
Web Security
/ Content Classification
Text Classification
Text is categorized using Bayesian statistics and support vector machine
algorithms.
Optical Character Recognition (OCR)
OCR recognizes text in graphics and images, and can even analyze colored type
or transparent text on any background. This module supports a wide range of
type fonts, colors, sizes and rotations.
Logo and Object Recognition
This module searches for logos, symbols and other graphical elements in photos.
Variations in size, color and rotation are taken into consideration.
Face Recognition
This module recognizes faces, including color, hue and texture. With high-quality
images, it is even possible to search for individual persons.
Pornography and Recognition of Nudity
This module identifies nudity by analyzing the qualities of human skin and
individual skin tones.
Digital Fingerprint
This module characterizes and labels images and data for later identification on
the Internet, intranets or in e-mail messages.
Web Security
/ HTTP Proxy (1)
HTTP Proxy Global Configuration
Web Security
/ HTTP Proxy (2)
Operational Modes
Standard
Proxy listens on port 8080
Allows any network listed in
Allowed Networks to connect
Client browser must be configured
HTTP proxy service requires a
valid Domain Name Server (DNS)
Transparent
Proxy handles all traffic on port 80
Client doesn't need to touch browser
configuration
Proxy cannot handle FTP and HTTPS
in this mode (they bypass the proxy)
Packet filter must allow port 21 and 443
No HTTP on other than port 80
Clients must be able to resolve
hostnames
Web Security
/ HTTP Proxy (3)
Operational Modes with
User Authentication:
Basic
Active Directory
Novell eDirectory
Web Security
/ HTTP Proxy (4)
Configuring User
Authentication for HTTP:
When you have selected
one of the user authentication
operation modes, a Users/Groups
selection box pops up.
Drag and drop the
allowed Users and
Groups to this box.
Web Security
/ Anti Virus
HTTP Anti Virus
Enable/Disable Virus scanning
Disallow Downloads by
file-extension
Web Security
/ Content Filter (1)
HTTP Content Filter:
Default profile
Operation mode:
Black or Whitelist
Categories to block or allow
Web Security
/ Content Filter (2)
HTTP Content Filter
Category assignment
The Number of Categories is fixed
Names and Contents can be edited.
Name of Category
Assigned Subcategories
Modify Name
and Assignment
Web Security
/ Content Filter (3)
HTTP Content Filter
Exceptions
Content Filter Exceptions,
e.g. windowsupdate.com
Web Security
/ Content Filter Profiles (1)
HTTP Content Filter Profiles
Content Filter Profiles allow to treat different
user(-groups) and network-areas differently.
The configuration is done by linking Proxy
Profiles and Filter Actions through Filter
Assignments
Web Security
/ Content Filter Profiles (2)
HTTP Content Filter Profiles
A Proxy Profile
combines
Source Networks
Filter Assignments
and Authentication
Methods
Web Security
/ Content Filter Profiles (3)
HTTP Content Filter Profiles
A Filter Assignment
combines
Web Security
/ Content Filter Profiles (4)
HTTP Content Filter Profiles
Filter Actions
Work either as Black or
Whitelist
Contain the things to block
or allow:
Blacklisted/Allowed Sites
Categories or
uncategorized
Spyware
Content
Virus
Web Security
/ HTTP Content Filter Working Principle
[Diagram: a Proxy Profile (source networks, authentication methods) maps users/groups, time
and action through a Filter Assignment to Filter Actions (categories, anti-virus, content
removal) before the request is forwarded to the WWW]
Web Security
/ HTTP Proxy Advanced Options
Web Security
Review Questions
Web Security
/ Review Questions
1. What do you need to consider when using NTLM Authentication if
your PC is not assigned to the domain ASLLAB?
2. Is it possible to limit access to Entertainment, Trading and Gambling
during working hours but allowing it after 6 p.m.?
3. What happens if you have time-based profiles for groups during the
working hours created but nothing defined for after hours?
4. What is the default Profile meant for?
5. What might be reasons if NTLM is not working correctly?
6. What is the purpose of different profiles?
7. What happened when downloading eicar.com from the Internet?
8. What would you recommend if servers will download larger patches
automatically over the http proxy and Virus-scanning is enabled?
SMTP Proxy
/ Overview
Simple Mail Transfer Protocol
SMTP relay shields your internal mail server from
malformed, malicious, and unwanted messages
Can relay incoming and outgoing mails
Scans mails for viruses and other malicious data
Deals with SPAM
NOTES:
The SMTP proxy also supports subdomains
To use the SMTP proxy correctly, a valid name server (DNS)
must be configured
SMTP Proxy
/ Relaying Incoming / Outgoing e-mail
Define the domains the security system should be responsible for
You should have a DNS MX record for every domain pointing to the
security system
Specify the internal server to which e-mails should be forwarded
Decide whether you want to scan the content of outgoing e-mails
Define which networks and hosts are allowed to send outgoing e-mail
using the security system (never use ANY: that turns the gateway into an
open relay)
Optionally you can switch on authenticated relaying for single users
Define a smarthost if outgoing e-mail is not delivered to the recipient
directly
SMTP Proxy
/ Anti-Virus
Anti-Virus scanning checks every message for viruses,
worms and other malware
Astaro Security Gateway features several anti-virus engines
for best security
Single Scan provides maximum performance
Dual Scan uses two different scan engines for an extra level
of security
Optionally activate the hardware accelerated scanner (only
supported with hardware appliances ASG425/ASG525)
SMTP Proxy
/ Anti-Spam: Overview
Provides many "arrows for the quiver" in fighting unwanted e-mails
from entering the network
Users can consult with real-time blackhole lists and allow certain
senders or networks to be exempt from many of the checks
Expression (keyword) filtering can take action on
messages that contain certain patterns in the
subject line or message body
Astaro Security Gateway features several
techniques to reduce Spam:
Realtime Blackhole Lists
Advanced heuristic analysis
Greylisting
SPF record checks
BATV reverse path signing
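BATV reverse-path signing in the prvs form, as an added Python example that is not Astaro code: the envelope sender of outgoing mail is rewritten to prvs=KDDDSSSSSS=local@domain (K = key id, DDD = expiry day of year, SSSSSS = six hex digits of a keyed hash), and a bounce that later arrives for an address without a valid, unexpired tag was never triggered by one of our messages and can be rejected. The HMAC-SHA256 construction, the 7-day lifetime, the key, the dates and the addresses are this example's own choices.

```python
"""BATV (Bounce Address Tag Validation), prvs form. Added example, not Astaro code;
the hash input, key, dates and addresses below are this example's own choices."""
import datetime
import hashlib
import hmac

TAG_LEN = 10  # K(1) + DDD(3) + SSSSSS(6)


def _signature(key: bytes, key_id_and_day: str, address: str) -> str:
    """Six hex digits of HMAC-SHA256 over the tag head and the original address."""
    msg = f"{key_id_and_day}|{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def batv_sign(address: str, key: bytes, today: datetime.date,
              lifetime_days: int = 7, key_id: int = 0) -> str:
    """Rewrite an outgoing envelope sender (MAIL FROM) into its prvs-tagged form."""
    if not 0 <= key_id <= 9:
        raise ValueError("key id is a single digit")
    local, domain = address.rsplit("@", 1)
    expiry = today + datetime.timedelta(days=lifetime_days)
    head = f"{key_id}{expiry.timetuple().tm_yday % 1000:03d}"   # K + DDD
    sig = _signature(key, head, f"{local}@{domain}")
    return f"prvs={head}{sig}={local}@{domain}"


def batv_verify(address: str, key: bytes, today: datetime.date, window_days: int = 7):
    """For a bounce (null envelope sender) addressed to `address`: return the original
    address if the tag is genuine and unexpired, else None (reject the bounce)."""
    if "@" not in address:
        return None
    local, domain = address.rsplit("@", 1)
    if not local.startswith("prvs="):
        return None                                    # untagged: we never sent this
    parts = local.split("=", 2)
    if len(parts) != 3:
        return None
    tag, orig_local = parts[1], parts[2]
    if len(tag) != TAG_LEN or not tag[:4].isdigit():
        return None
    original = f"{orig_local}@{domain}"
    if not hmac.compare_digest(tag[4:], _signature(key, tag[:4], original)):
        return None                                    # forged or for a different address
    # expiry day-of-year must fall inside [today, today + window], year wrap included
    valid_days = {(today + datetime.timedelta(days=k)).timetuple().tm_yday
                  for k in range(window_days + 1)}
    if int(tag[1:4]) not in valid_days:
        return None                                    # replayed old tag
    return original


if __name__ == "__main__":
    key = b"batv-key-2007"                             # constructed sample key
    sent_on = datetime.date(2007, 3, 15)
    tagged = batv_sign("postmaster@asllab.net", key, sent_on)
    print("MAIL FROM on the wire:", tagged)
    print("bounce 3 days later:", batv_verify(tagged, key, sent_on + datetime.timedelta(days=3)))
    print("bounce 9 days later:", batv_verify(tagged, key, sent_on + datetime.timedelta(days=9)))
    print("bounce to untagged address:", batv_verify("postmaster@asllab.net", key, sent_on))
```

Only messages with a null envelope sender (bounces) are checked against the tag; normal inbound mail to the untagged addresses must still be accepted. Remote systems that whitelist senders by exact address see a different local part every week, which is the usual operational objection to BATV and one reason the feature is optional.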
SMTP Proxy
/ Review Questions
1. What is the fundamental precondition that the SMTP
proxy will handle incoming e-mails?
2. Is it possible to configure more than one SMTP route?
3. What are possible configuration options to avoid SPAM?
4. What is User spam releasing?
5. What happens to SPAM messages sent from hosts listed
in Allowed Networks?
6. Does Virus Protection also check outgoing e-mails?
7. What are the options to handle unwanted e-mails?
8. What happens if BATV is turned on?
E-mail Encryption
Upon completion of this chapter you will be
able to perform the following:
Configure & test e-mail encryption using S/MIME or
OpenPGP
E-mail Encryption
/ Motivation
Still one of the most used services
Over 95% of all e-mails are sent as plain text!
Would you send your tax declaration on a postcard?
Business Requirements
Industry espionage
Formal/Legal Requirements
Data Protection
Secure cooperation
Basel II
Cost effectiveness
HIPAA
Sarbanes-Oxley
Industry Initiatives
E-mail Encryption
/ Goals
What objectives are to be achieved using secure e-mail?
1. Confidentiality
Encryption: only a recipient who possesses the correct private key can
decrypt and read the content of the e-mail
2. Integrity
Signed hashes: assure that the content has not been altered during transport over
the internet
3. Authenticity/Non-Repudiation
E-mail Encryption
/ Standards
S/MIME (Secure / Multipurpose Internet Mail Extensions, V3.1, RFC 3850-52)
Uses X.509 digital certificates for securing MIME-encapsulated e-mails
Implemented by MS-Outlook, Thunderbird, Lotus Notes, ...
Algorithms: RSA, SHA-1, MD5, 3DES, AES
OpenPGP (Pretty Good Privacy, RFC 2440)
Uses public/private keys for securing e-mails (and other content) within
a web of trust
No central certificate authority -> keys are signed by other users
Used by commercial and open source software (GnuPG, PGP, ...)
Algorithms: DSA/ElGamal, RSA, SHA-1, MD5, AES, 3DES, CAST5
Both standards provide e-mail encryption and digital signing via
similar public key mechanisms
However, they are not compatible with each other!
E-mail Encryption
/ E-mail Encryption & Content Scanning
[Diagram: two deployment models. Encryption software on the client: internal users exchange
OpenPGP/S/MIME mail end to end with external users through the SMTP e-mail server.
Encryption software on the gateway: no additional software on the client; the gateway performs
e-mail encryption & digital signing and the management of keys & certificates (OpenPGP and
S/MIME) towards external users, and content scanning/virus protection takes place on the same
SMTP path between the internal e-mail server and the external users]
E-mail Encryption
/ Configuration in a few steps
Done
E-mail Encryption
/ Activate e-mail Encryption
E-mail Encryption
/ Generate CA certificate and postmaster (1)
E-mail Encryption
/ Generate CA certificate and postmaster (2)
E-mail Encryption
/ Define default policy
E-mail Encryption
/ Create internal users (1)
Create a new entry for every user who should
encrypt outgoing e-mails
Use the default policy or set individual options
E-mail Encryption
/ Create internal users (2)
Keys and certificates are generated automatically by the security system, if desired
Download the public keys and certificates and provide them to your e-mail recipients
E-mail Encryption
/ Import public OpenPGP-keys
E-mail Encryption
/ Import public X.509 certificates
To create recipients using S/MIME with
X.509 certificates you can import a public
certificate for every single recipient or you
can import a CA certificate and let the
security system extract the public
certificates from incoming signed e-mails
(see next step)
If you import an X.509 user certificate
manually, messages from the e-mail
address associated with this certificate are
always trusted without the need to import
the appropriate CA certificate!
The source is always trusted, so verify the
certificate's origin before importing it.
E-mail Encryption
/ Use case: Send encrypted e-mail
[Diagram: 1. internal client hs@asllab.net sends a plain e-mail via the internal e-mail server
(SMTP) to the Astaro Security Gateway; 2.+3. the gateway encrypts/signs it with S/MIME or
OpenPGP; 4. SMTP delivery to mail.extern.corp; 5. user1@extern.corp fetches the message via
POP3 and decrypts it on the client]
1. Internal client sends plain e-mail to ASG
E-mail Encryption
/ Advanced Topics: S/MIME authorities
Import a public CA certificate to achieve multiple
objectives
Every incoming e-mail signed by a certificate
issued by this CA is verified valid (if the content
is not altered during transport)
If Automatic extraction of S/MIME certificates
is enabled, X.509 user certificates attached to a
signed S/MIME message issued by this CA are
extracted and imported
Astaro Security Gateway ships several public
keys of commercial Certification Authorities:
Trustcenter (http://www.trustcenter.de)
S-TRUST (http://www.s-trust.de)
Thawte (http://www.thawte.com)
Verisign (http://www.verisign.com)
and more
E-mail Encryption
Review Questions
E-mail Encryption
/ Review Questions
1. What objectives are to be achieved using secure e-mail?
2. Which algorithms are supported by S/MIME
Symmetric encryption/Signatures
Asymmetric encryption
Hashes
[Diagram: HA topology with redundant hardware, redundant switches and redundant (aggregated)
links between LAN and Internet]
Active-Active HA (Cluster)
New in Version 7!
Offers High Availability AND Load balancing
All appliances are working
If one unit fails, all other units take over
Load is actively balanced
All tunnels, stateful packet filter (SPF) connections (IPConntrack) and quarantined objects are
synchronized
Balanced services are: VPN, IPS, AV, AS
Note: Packet Filtering runs on the Master only; Slave and cluster nodes handle the
balanced load.
[Diagram: Active/Active mode with Master, Slave and further cluster nodes connected over the
HA port (eth3), fully meshed between LAN and Internet; scalable to 1 Gigabit/sec]
High Availability
Review Questions
High Availability
/ Review Questions
1. Which HA options are supported by Astaro?
2. How many nodes are supported in Cluster Mode?
3. What are the requirements for Active / Passive? Cluster Mode?
4. Which device corresponds with the HA Port in the Appliances?
5. Which applications are balanced to other nodes in cluster mode?
6. How is the load distributed between the cluster nodes?
Refresher: SSL-VPN
In this chapter you will learn to configure, test
and maintain:
Remote Access using SSL-VPN
Remote Access
/ Brief Technology Comparison
PPTP
Developed by Microsoft
Based on PPP protocol
Included in MS-Windows
Easy to install and use
Weak security:
session key dependent on password
IPSec
De-facto standard for VPNs today
optimized for site-to-site VPN
SSL
De-facto standard for online shops
(optimized for remote access, like PPTP)
The CAs vouch for the validity of the information contained within
the certificate
The browser or server trusts the certificate because it trusts the
CA
Remote Access
/ The promise of SSL VPNs
The promise of SSL VPNs
Easy to install
Does not require a client (uses SSL mechanisms integrated into each browser)
Sufficient security
Also supporting certificates
Remote Access
/ SSL VPN native application support
Webifier
Transforms native applications into web-based applications
Usage is not as comfortable as with native applications (different GUI)
Often breaks because of the complex protocol transformation
Requires much processing power on the SSL VPN gateway
Port forwarding
Applet on client forwards traffic for each server/application through SSL
tunnel to SSL gateway
Typically requires admin rights on client
ActiveX controls within browser
ActiveX agent forwards all traffic through the SSL tunnel
Real network access through a virtual network interface
Dependent on OS and browser (MS-Windows/IE only)
SSL client
Offers the same benefits as ActiveX controls (full network access)
Platform independent
Remote Access
/ Astaro One Click VPN
Complete Remote Access VPN functionality
Feature rich clients for SSL and IPSec
Astaro SSL VPN Client
Astaro Secure Client
Remote Access
/ Astaro SSL VPN Client
Based on OpenVPN Client
Uses latest SSL version (TLS)
Proven technology
Used for all internet applications
Next: unpack the installation package and launch the file setup.exe
Site-to-Site VPN
/ Supported Protocols & Parameters (1)
IPSec provides two security functions at the IP (Internet Protocol) level:
Authentication
Encryption
This requires a higher-level protocol (IKE) for the setup of the IP-level
services (ESP, AH).
Three protocols are used in an IPsec implementation:
ESP, Encapsulating Security Payload: encrypts and/or authenticates data
AH, Authentication Header: provides a packet authentication service
IKE, Internet Key Exchange: negotiates connection parameters, including keys
IKE (Internet Key Exchange) is defined in RFC 2409 and is based on the
Internet Security Association and Key Management Protocol (ISAKMP, RFC
2408), the IPsec Domain of Interpretation (DOI, RFC 2407), OAKLEY (RFC
2412) and SKEME (Secure Key Exchange Mechanism).
ASG V7 uses strongSwan, the most stable Linux implementation of
IPSec.
Site-to-Site VPN
/ Supported Protocols & Parameters (2)
In IPSec, two protocols and two modes exist:
ESP vs. AH
Transport Mode vs. Tunnel Mode
Most secure and flexible is ESP in tunnel mode.
Astaro Security Gateway only supports this mode.
[Diagram: ESP tunnel mode. IP packets are encapsulated in other IP packets: a new IP header is
prepended, followed by the ESP header; the original IP header (not changed), the TCP or UDP
header and the payload follow as encrypted data. Encryption covers the whole original packet;
authentication covers the ESP header plus the encrypted data, but not the new outer IP header]
Site-to-Site VPN
/ Supported Protocols & Parameters (3)
IKE happens in two phases:
Negotiate parameters (SA, Security Association) for the key exchange
(ISAKMP) using the Aggressive Mode or Main Mode
Create an SA for IPsec using Quick Mode
Site-to-Site VPN
/ ISAKMP and IPsec SA
[Diagram: IKE phase 1 Main Mode between Initiator and Responder, six messages:
1 + 2: ISAKMP SA proposal (IKE header + proposal) and ISAKMP SA response;
3 + 4: Diffie-Hellman key exchange values plus the nonces Ni and Nr;
5 + 6: identities and authentication, already encrypted with the keys derived from the DH
exchange. A Quick Mode exchange then creates the IPsec SA]
Site-to-Site VPN
/ Diffie-Hellman Key-Exchange Algorithm (1)
[Diagram: Alice feeds her private key and Bob's public key, Bob feeds his private key and
Alice's public key into the Diffie-Hellman key calculation engine; in step 4 both obtain the
same shared secret key (session key)]
Site-to-Site VPN
/ Diffie-Hellman Key-Exchange Algorithm (2)
1. Alice and Bob agree on a large prime modulus n, a generator (primitive element) g
and the one-way function y = f(x) = g^x mod n.
2. The integers n and g are not secret and can be published.
3. Alice chooses a large random integer a and sends Bob
A = g^a mod n
4. Bob chooses a large random integer b and sends Alice
B = g^b mod n
5. Alice computes
s = B^a mod n = g^(ba) mod n
6. Bob computes
s = A^b mod n = g^(ab) mod n
7. Alice and Bob now share the secret key s = g^(ab) mod n
8. Since computing the inverse x = f^(-1)(y) (the discrete logarithm) is extremely difficult
for a large n, no one listening to the key exchange can compute the secret key s from the
values A, B, n and g.
Note: the exchange itself authenticates nobody. IKE therefore combines it with pre-shared
keys or X.509 certificates; without that, an active attacker could run a separate exchange
with each side and read everything in between.
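The exchange above carried through in Python, as an added example that is not part of the courseware. It uses the slide's symbols (n, g, a, b, A, B, s): first with the textbook toy group n = 23, g = 5, where an eavesdropper recovers a from A by exhaustive search, then with a 127-bit prime (still a toy; IKE uses the 1024- to 8192-bit MODP groups of RFC 2409 and RFC 3526), where the same search fails. The check on the received public value mirrors what IPsec stacks do with a peer's KE payload. The group parameters are assumed for illustration.

```python
"""Diffie-Hellman with the slide's symbols n, g, a, b, A, B, s.
Added example, not Astaro code; group parameters are assumed for illustration."""
import secrets

TOY_N, TOY_G = 23, 5              # textbook toy group
M127 = (1 << 127) - 1             # prime 2^127 - 1: larger, but still far below real MODP groups
M127_G = 3                        # assumed base; any element of large order will do here


def check_public_value(n: int, y: int) -> None:
    """Reject 0, 1 and n-1: a peer sending these forces a known shared secret.
    IPsec stacks apply this check to the KE payload before using it."""
    if not 1 < y < n - 1:
        raise ValueError(f"invalid DH public value {y}")


def dh_exchange(n: int, g: int, a=None, b=None):
    """Steps 3..7 of the slide. Private exponents are drawn at random unless given.
    Returns (A, B, s_alice, s_bob)."""
    if a is None:
        a = secrets.randbelow(n - 3) + 2          # a in [2, n-2]
    if b is None:
        b = secrets.randbelow(n - 3) + 2
    A = pow(g, a, n)                              # Alice -> Bob: A = g^a mod n
    B = pow(g, b, n)                              # Bob -> Alice: B = g^b mod n
    check_public_value(n, A)
    check_public_value(n, B)
    s_alice = pow(B, a, n)                        # B^a = g^(ba) mod n
    s_bob = pow(A, b, n)                          # A^b = g^(ab) mod n
    return A, B, s_alice, s_bob


def brute_force_dlog(n: int, g: int, y: int, limit: int = 1 << 20):
    """The eavesdropper's job: find x with g^x = y mod n by trying every exponent.
    Feasible for toy n, hopeless for real groups. Returns None if not found within limit."""
    acc = 1
    for x in range(min(n, limit)):
        if acc == y:
            return x
        acc = acc * g % n
    return None


def eavesdropper_recovers_secret(n: int, g: int, A: int, B: int):
    """Given only the public values, recover s = B^a mod n if the discrete log is tractable."""
    a = brute_force_dlog(n, g, A)
    return None if a is None else pow(B, a, n)


if __name__ == "__main__":
    A, B, s1, s2 = dh_exchange(TOY_N, TOY_G, 6, 15)
    print(f"toy group: A={A} B={B} s_alice={s1} s_bob={s2}")
    print("eavesdropper recovers s =", eavesdropper_recovers_secret(TOY_N, TOY_G, A, B))
    A, B, s1, s2 = dh_exchange(M127, M127_G)
    print("127-bit group: secrets match:", s1 == s2)
    print("eavesdropper with 2^20 tries:", eavesdropper_recovers_secret(M127, M127_G, A, B))
```

The same search that breaks the toy group in microseconds is what makes MODP768 (DH group 1) a poor choice: the group is small enough for well-funded attackers with precomputation, which is why the parameter slide lists it for interoperability only.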
Site-to-Site VPN
/ Supported Protocols & Parameters (4)
Possible parameters of IPSec tunnels (Security Association SA):
IKE Parameters
Encryption algorithms
DES, 3DES (168bit), AES (Rijndael) (128bit, 192bit, 256bit), Blowfish (128bit), Twofish
(128bit), Serpent (128bit)
Authentication algorithms
MD5 (128bit), SHA-1 (160bit), SHA-256 (256bit), SHA-512 (512bit)
IPSec Parameters
Encryption algorithms
Null, DES, 3DES (168bit), AES (Rijndael) (128bit, 192bit, 256bit), Blowfish (128bit),
Twofish (128bit), Serpent (128bit)
Authentication algorithms
MD5 (128bit), SHA-1 (160bit), SHA-256 (256bit), SHA-512 (512bit)
SA lifetime
60s - 86400s, default value = 7800 sec.
Strict policy
Accept only exactly the parameters specified.
Compression
enable/disable IPCOMP
NOTES:
PFS is not fully interoperable
with all vendors.
MODP768 (DH Group 1) is
considered weak and only
supported for interoperability
reasons.
Single DES and MD5 are likewise legacy choices, and Null encryption
provides no confidentiality at all; prefer AES with SHA-256 where the
peer supports it.
Site-to-Site VPN
/ Symmetric Encryption Algorithms
Performance Issues
MARS (IBM)
Modified Feistel Network - 32 Rounds
Based on mixed structure DES
RC6 (RSA)
Feistel Network - 20 Rounds
Based on modified RC5
Site-to-Site VPN
/ ISAKMP and IPsec SA
[Diagram: lifetime timeline (hours 10, 11, 12) for one ISAKMP SA with ikelifetime=3h carrying
IPsec SAs for two subnets, rightsubnet=10.1.1.0/22 and rightsubnet=10.1.9.0/24, with keylife=1h:
IPsec SAs #3 to #7 are renewed roughly hourly (09:50, 10:05, 10:50, 11:00, 11:40), and a new
ISAKMP SA #8 is negotiated once the 3-hour IKE lifetime expires]
In cooperation with Prof. Dr. A. Steffen / ZHW
Site-to-Site VPN
/ PKI - Important terms
Public Key Infrastructure: technology, processes, software and hardware
Certification Authority (CA): Body that issues digital certificates
Digital certificate: Unique document binding a public key to an entity, signed by
the CA so that the entity's digital signatures can be verified
Digital signature: Unique signature, guaranteed to be unreproducible by a
third party that can be used to sign a transaction
Registration Authority (RA): Body that registers entities on behalf of the CA
Entity: Person, Organization or Data
Algorithm: mathematical calculation used to produce a numerical result
(RSA, DES, 3DES, SHA)
Smart Card: Plastic card with a built-in, programmable chip
Site-to-Site VPN
/ PKI Big Picture
[Diagram: a person (Name: John Doe, Age: 27, Country: Germany) registers with the Registration
Authority (RA), which checks the personal data against its database; the CA issues the
certificate (Name: John Doe, valid from 01.00 till 07.02, public key, issuer, CA signature) and
publishes it in a directory (LDAP, X.500 server); a verification service with an internal clock
checks certificates against the directory]
Site-to-Site VPN
/ Authentication by X.509V3 Certificates (1)
Scenario & Configuration Example
The authentication of the tunnel end points must be done by using X.509 certificates.
The headquarters CA is trusted and will be used as signing CA for all branch offices.
[Diagram: ASG left (Headquarters, LAN left) and ASG right (Branch Office, LAN right); each
holds the CA certificates ASG-T CA and ASG-L CA (#0) and its host certificate, ASGleft #1 and
ASGright #2, issued by the A-L CA; configuration steps 1. to 7. are numbered on the slide]
Site-to-Site VPN
/ Authentication by X.509V3 Certificates (2)
Scenario & Configuration Example
The Signing CA is automatically generated when the WebAdmin is opened
for the first time.
Site-to-Site VPN
/ Authentication by X.509V3 Certificates (3)
Scenario & Configuration Example
Create the Certificates
For each gateway (local and remote) a host certificate will be
generated. The verification through the signing CA is done automatically.
The certificate for the local VPN gateway is automatically generated
when the WebAdmin is opened for the first time (Certificates tab).
It is possible to replace the local default certificate by any other,
e.g. one using the DN as VPN identifier.
Site-to-Site VPN
/ Authentication by X.509V3 Certificates (4)
Scenario & Configuration Example
Create the host certificate for the branch office
Download this certificate as PKCS#12 file
File contains Root CA, Host Certificate & Private Key
Because the file carries the private key, transfer it over a secure
channel only and delete the copy after the import.
Site-to-Site VPN
/ Authentication by X.509V3 Certificates (5)
Scenario & Configuration Example
Import Host Certificate as local key on the remote ASG (branch office)
Site-to-Site VPN
/ Authentication by X.509V3 Certificates (6)
New Example: Net2Net X.509 Certificates / Cross Site Certification (1)
Task:
The scenario is the same as in the previous example with one exception:
Both communication partners run their own CA.
[Diagram: ASG left (LAN left) holds its host certificate ASGleft #1 issued by the A-L CA
together with the CA certificates ASG-T CA and ASG-L CA (#0); ASG right (LAN right) holds
ASGright #1 issued by the A-R CA together with ASG-T CA and ASG-R CA (#0). The CA certificates
ASG-L CA and ASG-R CA have to be exchanged between the sites ("Exchange!") so that each
gateway can verify the other's host certificate]
Site-to-Site VPN
/ Authentication by X.509V3 Certificates (7)
New Example: Net2Net X.509 Certificates / Cross Site Certification (2)
[Diagram: the same cross-site certification topology as on the previous slide, with the
exchanged CA certificates A-L CA / A-R CA shown on both gateways]
Site-to-Site VPN
Review Questions
Site-to-Site VPN
/ Review Questions
1. Name the IPSec encryption algorithm options you can choose from at ASG
V7.
2. What is the possible range of IPSec SA lifetime in seconds? What is a
reasonable value? Why?
3. Explain the term <Allow Path MTU Discovery>. What is the default MTU
size in bytes when using ESP?
4. What does ASG perform in IPSec when enabling PFS?
5. Is it possible to import multiple Verification CAs? When would it be useful?
What about multiple Signing CAs?
6. In which format the public key of each signing CA can be downloaded?
7. What are the VPN-IDs you can select from? What happens if you install
certificates issued with identical e-mail addresses as VPN-ID?
8. Explain a typical use case for automatic CRL fetching.
9. What does <Parsing> mean in the IPSec debug options? Why wouldn't it be a
good idea to run IPSec debugging in an operational stage?
[Diagram: remote clients behind a NAT-ing router and a branch office VPN gateway behind a
NAT-ing router reach the central office VPN gateway and its intranet through VPN tunnels]
Working principle:
The sender indicates that an encapsulated packet follows by setting the first 8 bytes of the UDP
payload to zero. These bytes overlap the IKE Initiator Cookie field, for which zero is an invalid
value.
Thus, implementations can use these bytes to discriminate between IKE and UDP-encapsulated
ESP arriving on port 500. Because only peers that agree will ever send UDP-encapsulated ESP
packets, backward compatibility is not an issue.
Note that this describes the early NAT-T drafts. The standardized form (RFC 3947/3948, which
strongSwan implements) moves both IKE and UDP-encapsulated ESP to UDP port 4500 once a NAT
is detected; there ESP is sent as-is (its SPI is never zero) and IKE is prefixed with a 4-byte
zero Non-ESP marker. The packet filter in front of the gateway must therefore allow UDP 500
and UDP 4500, plus ESP (IP protocol 50) for peers without NAT.
NOTE: Using NAT-T you need to configure VIPs for remote access.
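The two marker schemes side by side, as an added Python example that is not Astaro code: the early-draft rule from the slide (port 500, UDP-encapsulated ESP prefixed with eight zero bytes where the IKE Initiator Cookie would be) and the RFC 3948 rule (port 4500, ESP as-is, IKE prefixed with a four-byte zero Non-ESP marker, NAT keepalive = a single 0xFF byte). The header layouts are those of RFC 2408 (ISAKMP) and RFC 2406 (ESP); the packets in the usage are constructed samples.

```python
"""Demultiplexing IKE and UDP-encapsulated ESP on a NAT-T port.
Added example, not Astaro code; sample packets are constructed."""
import struct

ISAKMP_HEADER_LEN = 28
NON_ESP_MARKER = b"\x00" * 4     # RFC 3948 section 2.2, in front of IKE on port 4500
NON_IKE_MARKER = b"\x00" * 8     # early drafts, in front of ESP on port 500 (overlaps the cookie)
NAT_KEEPALIVE = b"\xff"          # RFC 3948 section 2.3


def parse_isakmp_header(data: bytes) -> dict:
    """ISAKMP fixed header (RFC 2408 section 3.1): cookies, next payload, version,
    exchange type, flags, message id, length."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (icookie, rcookie, next_payload, version, exchange,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    if icookie == bytes(8):
        raise ValueError("zero Initiator Cookie is invalid")
    return {
        "initiator_cookie": icookie, "responder_cookie": rcookie,
        "next_payload": next_payload, "version": (version >> 4, version & 0x0F),
        "exchange_type": exchange, "flags": flags, "message_id": msg_id, "length": length,
    }


def parse_esp_header(data: bytes) -> dict:
    """ESP header (RFC 2406): SPI and sequence number; the rest is IV, ciphertext and ICV."""
    if len(data) < 8:
        raise ValueError("too short for ESP")
    spi, seq = struct.unpack("!II", data[:8])
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return {"spi": spi, "seq": seq, "payload": data[8:]}


def classify_port500_draft(payload: bytes):
    """Rule from the slide: eight leading zero bytes mean 'ESP follows', otherwise IKE."""
    if payload.startswith(NON_IKE_MARKER):
        return "esp", parse_esp_header(payload[len(NON_IKE_MARKER):])
    return "ike", parse_isakmp_header(payload)


def classify_port4500(payload: bytes):
    """RFC 3948 rule: 0xFF alone is a keepalive, four leading zero bytes mean IKE,
    anything else is ESP (a real SPI is never zero, so the cases cannot collide)."""
    if payload == NAT_KEEPALIVE:
        return "keepalive", None
    if payload.startswith(NON_ESP_MARKER):
        return "ike", parse_isakmp_header(payload[len(NON_ESP_MARKER):])
    return "esp", parse_esp_header(payload)


if __name__ == "__main__":
    # constructed samples: an ESP packet (SPI 0x1234, seq 7) and a Main Mode IKE header
    esp = struct.pack("!II", 0x1234, 7) + b"iv+ciphertext+icv"
    ike = b"\x11" * 8 + bytes(8) + bytes([0, 0x10, 2, 0]) + struct.pack("!II", 0, 28)
    print("4500 esp:", classify_port4500(esp)[0])
    print("4500 ike:", classify_port4500(NON_ESP_MARKER + ike)[0])
    print("4500 keepalive:", classify_port4500(NAT_KEEPALIVE)[0])
    print("500 draft esp:", classify_port500_draft(NON_IKE_MARKER + esp)[0])
    print("500 draft ike:", classify_port500_draft(ike)[0])
```

A NAT that rewrites the source port of the client breaks only the outer UDP tuple; the ESP SPI and the IKE cookies inside are untouched, which is why the demultiplexer can rely on them and why the gateway can map several clients behind one NAT address.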
[Diagram: remote users with the certificate RemUser #2 (issued by ASG-CA #0) behind a NAT-T-ing
router connect to the VPN gateway ASG-GW #1 (certificate from the same ASG-CA) in front of the
central office intranet; configuration steps 7 to 12 are numbered on the slide; step 14:
connect and check connection and log file]
IPSec VPN
Review Questions
THE END.
Questions
&
Answers.