Sunday, October 20, 2013

IPsec VPN Tunnel

As you can tell by the title of this post, today was a milestone in my lab. I am starting to reap the fruits of my security studies. Most of the CCNA Security study I have been doing (CBT Nuggets) has been leading up to VPNs. Yesterday I completed, and today I fully tested, a site-to-site VPN in my lab.

I was able to establish a site-to-site VPN in my lab over my existing frame-relay topology. Usually when people think of VPNs, they think of two VPN gateways establishing a secure private tunnel over the internet. In most practical cases, this is true. However, a VPN can be tunneled over almost any routed infrastructure, including a private frame-relay or MPLS network. As long as the two VPN servers/gateways (usually firewalls) can talk to each other and agree on hashing, authentication, group, lifetime, encryption protocols, and allowed traffic, you should be able to establish a site-to-site VPN. Below is a sample of my site-to-site VPN lab.

This device is my Zone Based Firewall (Cisco 2821 Router). The caption above is a simple monitoring tab of the site-to-site VPN. This router runs the Advanced Security IOS and supports the Cisco Configuration Professional feature.

My ASA at the HQ site is the peer device to the Zone Based Firewall. Both devices negotiate VPN parameters and establish the SA (Security Association) and IPsec tunnel. I tested the tunnel for over 14.5 hours without failure.

Below is a simple diagram of how my topology was designed. Keep in mind that routes for the destination networks supported by the VPN were not directly advertised; that would defeat the purpose. Basically, traffic was generated from the local network supported by the VPN. Once that traffic reached the device's default gateway (edge device/firewall), that device could find no route in its routing table to the remote network but found a usable path through the VPN. At that point, the VPN tunnel is negotiated and established. From there, traffic is free to traverse the tunnel.

The goal of this site-to-site VPN was to permit traffic from the 10.11.1.0/24 and 10.11.2.0/24 networks behind the Zone Based Firewall to the 10.0.2.16/24 network behind the HQ ASA and 192.168.3.0/24 behind my Internet Gateway/Core Router, WITHOUT advertising those networks via static or dynamic routing protocols.

VPN is very simple in nature yet very complex at the same time. The key to configuring a site-to-site VPN is making sure that both sides agree to the same protocols. As you can see in my VPN I used:

Hashing - SHA1
Authentication - PSK
Group - DH2
Lifetime - 86400
Encryption - AES128

I used these parameters for both tunnels: IKE phase 1 and IKE phase 2. The first tunnel simply establishes whether the VPN gateways are willing to talk to each other. If those conditions are met, the second tunnel establishes the conditions for traffic that will be allowed over the VPN from nodes on their respective networks. If you get ONE parameter off, everything fails. The only flexibility is in the lifetime; other than that, everything has to match.
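To make the "everything has to match" rule concrete, here is a small added example (my own illustration, not configuration from the lab above) that models what the two peers must agree on: the HAGLE values for phase 1, with lifetime as the one flexible value, and mirror-image "interesting traffic" entries for phase 2 built from the networks listed above. The policy and ACL values are constructed for illustration.

```python
"""Added example, not code from the original post: a small model of what the
two VPN peers have to agree on before the tunnel comes up.  Phase-1 (HAGLE)
values must match exactly except lifetime; phase-2 'interesting traffic' ACLs
must be mirror images of each other.  All peer values below are constructed."""
from dataclasses import dataclass, asdict
from ipaddress import ip_network


@dataclass(frozen=True)
class Policy:
    hashing: str          # e.g. "sha1"
    authentication: str   # e.g. "psk"
    group: str            # Diffie-Hellman group, e.g. "dh2"
    lifetime: int         # seconds
    encryption: str       # e.g. "aes128"


def negotiate(local: Policy, remote: Policy):
    """Return the agreed parameters, or None when any of hashing,
    authentication, group or encryption differ.  Lifetime is the one
    flexible value: IKE peers settle on the shorter of the two."""
    for name in ("hashing", "authentication", "group", "encryption"):
        if getattr(local, name) != getattr(remote, name):
            return None            # one parameter off -> no SA at all
    agreed = asdict(local)
    agreed["lifetime"] = min(local.lifetime, remote.lifetime)
    return agreed


def acls_are_mirrored(local_acl, remote_acl) -> bool:
    """Every (src, dst) pair permitted on one side must appear as (dst, src)
    on the other; an unmatched flow never gets a phase-2 SA.
    strict=False lets a host-style entry such as 10.0.2.16/24 normalize
    to its network (10.0.2.0/24), as a router would store it."""
    def norm(acl):
        return {(ip_network(s, strict=False), ip_network(d, strict=False))
                for s, d in acl}
    return norm(local_acl) == {(d, s) for s, d in norm(remote_acl)}


# Constructed sample: the parameters from the post on both peers.
ZBF_POLICY = Policy("sha1", "psk", "dh2", 86400, "aes128")
ASA_POLICY = Policy("sha1", "psk", "dh2", 86400, "aes128")

# Constructed crypto ACLs using the networks named in the post.
ZBF_ACL = [(src, dst) for src in ("10.11.1.0/24", "10.11.2.0/24")
           for dst in ("10.0.2.16/24", "192.168.3.0/24")]
ASA_ACL = [(dst, src) for src, dst in ZBF_ACL]

if __name__ == "__main__":
    print(negotiate(ZBF_POLICY, ASA_POLICY))
    print(acls_are_mirrored(ZBF_ACL, ASA_ACL))
```

Change a single field on one side (for example the DH group) and `negotiate` returns `None`, which is the behaviour the post describes; drop one entry from either ACL and the mirror check fails for that flow.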

I highly recommend watching both Jeremy Cioara's (2008) and Keith Barker's (2012) Nuggets on site-to-site VPN. They both make it a lot easier by explaining the basic fundamentals of establishing a site-to-site VPN, and Keith also introduces a very creative way to remember the VPN tunnel parameters required with the acronym HAGLE: Hashing, Authentication, Group, Lifetime, Encryption.

On another side note, Keith Barker also taught me an important lesson at the end of his CCNA Security series. When building a network, have security in mind before and during the implementation, not after. When establishing an enterprise (or larger) level network, we as network administrators should always be thinking of ways to secure the network in the planning phases, because it is so much more difficult to implement security after the network has been established, or worse, after it has been compromised.

I REALLY enjoyed performing this lab and watching the VPN come to life. I will probably practice more with site-to-site VPNs and get more comfortable configuring them in different and more complex scenarios. Other than that, next stop, CCNP! 

Sunday, October 13, 2013

Study Advice

In earlier posts, I described my CCNP interim and goals I wished to accomplish during that time. Basically, I want to get some Security/Firewall training in. 

Improving my security and firewall skills is definitely an opportunity for me before beginning CCNP. By the way, think opportunity; never think weakness! My decision to cover this before CCNP is one made out of practicality. What I have heard from veterans and found to be true is that studies (mostly certification studies) do not necessarily correlate with all of your job requirements.

Take myself for example. My current studies mostly revolve around Routing & Switching. CCNA and CCNP Routing & Switching are not going to prepare me for the firewall that sits on the edge of our corporate network, just as neither will prepare you for load balancers or WAN accelerators.

I have heard that people put too much focus into certification as opposed to practical training and that is a very true statement. I have read articles that referred to people aspiring for certifications as 'zombies' and one guru that I worked with even described some CCNPs and CCIEs that he has met as "Paper Tigers". Basically, this person appears much more intimidating, skills-wise, on paper than when asked to actually configure a "box" (router, server, etc.). 

I must admit that I aspire for certifications but most certainly do not feel that I am a 'zombie.' The most important thing about certification to me is the journey; not the test and not the piece of paper. I have no intention (at the moment) of getting certified in security but my CCNA security training has provided a lot of valuable information to me about securing networks that is assisting me with my security and risk management at work as well as helping me understand the nature of a firewall. As of late, I have been learning about:

  • VPNs (Site-to-Site)
  • AAA (Triple-A)
  • Zone Based Firewalls
  • ASA 
  • Layered Security and attacks at each layer of the network
  • Deep packet inspection
  • ACLs
I have learned much more valuable information but those were some of the highlights. I am also learning about the very powerful security tool Kali Linux (formerly Backtrack). One thing you should remember about Kali/Backtrack... It can destroy an improperly secured network before you can say "The network is down?". Kali has tools for CAM overflow, STP, DHCP, DNS, VLAN attacks, and all sorts of man in the middle attacks.

Keith Barker moves a little fast, but he is a smart guy and a great teacher, and I highly recommend that anyone looking for a security briefing take a look at his CBT Nuggets series on CCNA Security and Kali/Backtrack Linux.

The second most important thing about certification testing to me is also not to get too caught up in vendor-specific content. Cisco is great, but I find it wise to pay closer attention to more open protocols and standards during my studies. The usual strategy seems to be "OK, we're going to teach you the building blocks, theories and concepts, and after that we're going to teach you how to do them the Cisco way." What if your company decides that Cisco is too expensive and wants to move to Alcatel-Lucent or Juniper? Yesterday you were the infallible king of EIGRP and now you're getting drop-kicked by OSPF.

I like Cisco but realize that they are not always the end-all solution to networking or getting your job done and neither is certification.

Just a few words of advice.