Copy of Building a Site-to-Site IPsec VPN Solution

by Andrew Fyfe, 26 August 2013

Transcript of Copy of Building a Site-to-Site IPsec VPN Solution



Build a Road

Allow the Tunnel

Tell "B" how to get to the Tunnel
Virtual Private Networks
Internet Key Exchange (IKE) Protocol
IPsec uses the IKE protocol to authenticate a peer computer and to generate encryption keys. IKE negotiates a security association (SA), which is an agreement between two peers engaging in an IPsec exchange, and consists of all the required parameters necessary to establish successful communication.
IPsec Uses the IKE Protocol to Provide these Functions:
Negotiation of SA characteristics

Automatic key generation

Automatic key refresh

Manageable manual configuration
IKE Phases
IKE Phase 1 (ISAKMP Phase)
IKE Phase 2 (IPsec Tunnel Phase)
IKE Overview
IKE
Tunnel Partner
Differences between VPN service providers
Firewall openings
Tunnel partner
Network diagram: customer <--> E2 platform
PIA
Differences MKG --> sFTP addresses
Roads & Tunnels
The Road
Provider 1
Married Certificates
Central Management
Provider 2
Provider 3
Smartcards
Stores encrypted digital certificate
Public key infrastructure (PKI)
Message Impossible
Meet "E"

He needs to be sent safely
VPN Overview
Benefits
Cost
Security
Scalability
Compatibility
The Solution:
Meet "IPSec"
Meet Agent "B"
Needs a Road

Needs Security Clearance

Trust Relationship
Routing
Firewall Rules
IPsec
Authentication Header
Encapsulating Security Payload
IPsec Protocols
IPsec Framework
Internet Protocol Security
The Mission: Transfer Agent "B" Safely
He knows he will be exposed if he travels into the cloud unprotected!!
Technology
external Interface
TCP Port 80
HTTP
Access to the TCL Server
(any) Internet
Access via LDAP to the CRL
A CRL (Certificate Revocation List) is a signed list indicating a set of certificates that are no longer considered valid (revoked certificates) by the certificate issuer. The Enterprise Gateway can query a CRL to find out if a given certificate has been revoked. If the certificate is present in the CRL, it should not be trusted.

To validate a certificate using a CRL lookup, the certificate's issuing CA certificate should be trusted by the Enterprise Gateway. This is because for a CRL lookup, the CA public key is needed to verify the signature on the CRL. The issuing CA public key is not always included in the certificates that it issues, so it is necessary to retrieve it from the Enterprise Gateway's certificate store instead.
DNS resolution of the FQDN of CRL & TCL Servers
Certificate Trust List
Issued by a trusted third party, such as a certificate authority, e.g. Entrust or VeriSign.
Both clients and servers can also store a list of trusted certificates. When a connection is requested, each party presents its certificate, and that certificate is checked against the list of trusted certificates. If the certificate is not found, the connection is refused. Checking trusted certificates allows clients to ensure that they are connecting to the correct server. For servers, trusted certificates are used to ensure that only authorized clients can connect to the server.
Checking a certificate involves checking the certificate of the party that signed the certificate. There can be a hierarchy of intermediate certificates, also known as a certificate chain, that must be checked up to the root certificate to ensure that a certificate is authentic.
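The two checks described above (validating the chain up to a trusted root, and a CRL lookup whose signature must be verified with the issuing CA's public key before the list is believed) can be exercised end to end with the Go standard library. This is an added example written for this page; it is not code from the presentation or from any Enterprise Gateway product. The function names BuildDemoPKI and ValidatePeer, the CA and peer names, and the serial numbers are hypothetical, constructed here so that the example runs offline: a throwaway CA issues one peer certificate and signs a CRL, and ValidatePeer is then run against a clean CRL, a CRL that lists the peer, a trust store holding the wrong CA, and a CRL signed by some other CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate is listed in the CRL: do not trust")

// check panics on error: the demo material is constructed, so generation failures are fatal.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildDemoPKI constructs a throwaway CA (hypothetical names), issues one leaf
// certificate and signs a CRL; with revokeLeaf the leaf is listed on that CRL.
func BuildDemoPKI(revokeLeaf bool) (ca, leaf *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is what entitles this CA's public key to vouch for the CRL.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err = x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42),
		Subject:      pkix.Name{CommonName: "vpn-peer.example (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err = x509.ParseCertificate(leafDER)
	check(err)
	var revoked []pkix.RevokedCertificate
	if revokeLeaf {
		revoked = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(12 * time.Hour),
		RevokedCertificates: revoked,
	}, ca, caKey)
	check(err)
	return ca, leaf, crlDER
}

// ValidatePeer validates the chain up to the trusted CA, accepts the CRL only if
// its signature verifies with that CA's public key, and refuses a listed peer.
func ValidatePeer(leaf, trustedCA *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL unparseable: %w", err)
	}
	// chains[0][1] is the trusted certificate that signed the leaf; its key must verify the CRL.
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return fmt.Errorf("CRL signature does not verify with the issuing CA key: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	ca, leaf, crl := BuildDemoPKI(false)
	ca2, leaf2, crl2 := BuildDemoPKI(true)
	fmt.Println(ValidatePeer(leaf, ca, crl), "|", ValidatePeer(leaf2, ca2, crl2), "|", ValidatePeer(leaf, ca, crl2))
}
```

The order of the checks is the point: the CRL is not consulted until the chain has been anchored in the local trust store, and the CRL is not believed until its signature has been verified with the issuing CA's key, which is why that CA certificate has to be present in the gateway's certificate store even when the issued certificates do not carry it. A production check would also refuse a CRL whose NextUpdate has passed, and would fetch the list from its distribution point (the LDAP or HTTP access the slides list), so DNS resolution and the corresponding firewall openings are part of what makes the lookup work.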
TCP Port 389
LDAP
UDP Port 53
DNS
Mission Possible
IPsec offers
Confidentiality
Integrity
Authentication
Anti-replay
DES
3DES
AES
RSA
SEAL algorithm
PSK
RSA Signatures
HMAC-MD5
HMAC-SHA-1
DIFFIE-HELLMAN
[Tunnel diagram: two peers, each with an External IP and a Tunnel IP; the traffic between them is Internet Protocol 50 (ESP, Encapsulating Security Payload), UDP Port 500 (isakmp) and UDP Port 4500 (isakmp-nat-t), with the two IKE phases labelled.]
The Story
Message Impossible
Mission Possible
Who is IPSec & Why VPN
Roads & Tunnels
Don't Forget Protocol 50

What "E" Needs to Do...
Putting it Together
What "IPSec" Needs...
provider independent Addresses
PIA
Backup
Q & A
Thank You