This discussion is locked

Best Practices for Implementing Cryptographic VPN

Unanswered Question
Sep 5th, 2013

Best Practices for Implementing Cryptograhic VPNWith Marcin Latosiewicz

Welcome to the Cisco Support Community Ask the Expert conversation.  This  is an opportunity to learn and ask questions about implementing cryptographic VPN and how to prepare it for the future with expert Marcin Latosiewicz. 

Marcin will share his best practices for implementing cryptographic VPN as well as advise those customers who are looking to build a new or update their existing setups how to maximize their potential.  Additionally, Marcin will provide insight into which technologies could be applicable for new deployments and exciting new technologies that will be available in the next few months. 

Marcin Latosiewicz is a customer support engineer at the Cisco®  Technical Assistance Center in Belgium, with more than 6 years of  experience with Cisco Security products and technologies including  IPsec, VPN, internetworking appliances, network and system security,  Internet services, and  Cisco networking equipment. Prior to joining Cisco, he operated, administered, and ran UNIX and Microsoft networks for 14 years. Latosiewicz holds bachelors and masters degrees in engineering from Warsaw University of Technology. He also holds CCIE® certification in Security (No. 25784) and CCDP® certification.

Remember to use the rating system to let Marcin know if you've received an adequate response. 

Because of the volume expected during this event, Marcin might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity, VPN, shortly after the event. This event lasts through September 20, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.

      

I have this problem too.
3 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (4 ratings)
egordon310 Wed, 09/11/2013 - 16:24

Hello Marcin,

Are there any considerations when securing SSLVPNs? What parameters and non-defaults should I be looking at to make SSLVPN secure?

thanks,

Evan

Marcin Latosiewicz Thu, 09/12/2013 - 00:30

Hi Evan,

There are a few considerations in basic SSL and TLS that one needs to look into.

First thing would be to look into crypto suite negotiation, ASA has a set of algorithms it will try to negotiate, among them we have RC4 (to see which ones are there by default check "show run all ssl").

Removing RC4 (and 3DES most of the time) is a good place to start securing your SSL connection.

You can have a look at all the supported methods:

http://www.cisco.com/en/US/docs/security/asa/command-reference/s20.html#wp1562163

Another recommendation is to use certificates for authentication, either via third party CA or via ASA's local CA feature.

This authentication method gives us two benefits:

- Seamless authentication with added security.

- Ability to revoke certificates should something go wrong

You can also make sure that ASA is changing security material every so often controlling the "rekey".

Setting method to "ssl" and timer to around one hour should add security and limit impact on ASA.

For a lot of other parameters ASA is using very sane defaults.

One very important thing to remember about PKI/SSL is that the whole system can be compromised if private key became compromised.

- Take care not to export your private keys in clear - always protect them with a password, ideally a one time one.

- When importing a PKCS12 from CA vendors (VeriSign, Geotrust, Entrust to name a few) remember that the private key is contained in there, i.e. someone else knows what it is. Typically those vendors are trustworthy. Consider generating CSR instead, it can be generated on ASA or IOS or using OpenSSL.

HTH,

M

whitlelisa Thu, 09/12/2013 - 23:59

Hello Marcin,

What are the Cisco recommended encryption algorithms? could you please help?

Thank you,

LW

Marcin Latosiewicz Fri, 09/13/2013 - 00:41

Lisa,

There are state-mandated suites and standards that one needs to adhere to, especially if working with government.

The most recent development would be probably suite B, which is widely supported on Cisco platforms.

For reference:

http://www.nsa.gov/ia/programs/suiteb_cryptography/

If you would like to see Cisco's recommendations we maintain a site here:

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

it will tell you what is current state of cryptographic function and what is our recommended alternative/mitigation (if applicable).

There's also an Appendix (A.) there suggesting what are the minimum requirements.

Personally, for crypto VPNs, I'm looking into GCM (Galois/Counter Mode) which is a way to perform encryption with simultaneous authentication.

What you should bare in mind is that this is a static page, it's not updated on a day to day basis, there's quite a few things going on in world of cryptography every day (recent events involving parts of US government, for example).

Another note to consider is that not all platform support all the algorithms listed on the page, refer to Cisco Feature Navigator (CFN) and support matrixes per platform to find out what is supported on your platforms.

CFN: http://tools.cisco.com/ITDIT/CFN/

HTH,

M.

Jouni Forss Fri, 09/13/2013 - 08:48

Hi Marcin,

A bit of a general question about VPN. Is there any books or publicly available papers/documents that you could suggest for reading about indepth information about VPN? (all the way from basic topics to the specifics)

My own background is basically that when I was still studying we had absolutely no courses related to firewall/vpn as all content dealt with Routing&Switching. I ended up learning anything I might know today through configuring/testing/troubleshooting and referring to configuration guides and command references.

I would wish to read up more on everything related to VPN as I feel that even though I know how to configure them that is not enough for me.

I never got into going for Cisco Certifications until last month when I did my CCNA R&S so I have yet to touch the Security path which I am going to start with as soon as I get my books. I am wondering if they contain that indepth information. I would imagine they dont cover everything I need.

So any recomendations would be more than welcome. I feel I have gotten pretty rusty on the VPN side because of concentrating so much more on the Firewalling side.

- Jouni

Marcin Latosiewicz Fri, 09/13/2013 - 09:21

Jouni,

Good question. And answer is complex, there is in depth and there is in depth.

Most people would be satisfied by reading a summary of all the different components - encryption, hashing, signing, PKI, how IPsec and SSL/TLS work. This group also counts most of security CCIEs.

To this extent CCIE Security Study Guide (by Henry Benjamin) was a good read, if a bit outdated today.

Most people who are in depth will look first into specification.

RFC 4301 (IPsec architecture)

RFC 2246 (TLS 1.0)

Are a good start and contain references to other documents worth reading.

This is where the good folks will base their knowledge of off.

The really in depth people will look into the math behind it and will conquer topics like

Elliptic Curve Crypto ( http://en.wikipedia.org/wiki/Elliptic_curve_cryptography ) and difference between CCM, GCM and CCB, to which you have really good materials published by universities.

There are relatively a few who know this.

To start with I can suggest:

- http://www.cl.cam.ac.uk/~rja14/book.html (Ross' Anderson book is free, informative and suprisngly entertaining, this is a definitely a must-read for security/VPN).

- Have a look at books recommended by Richard Bejtlich or Bruce Scheiner - while they might not be VPN specific it's a good security read most of the time.

I'll have a look at the books at home see which one can be interesting to read, and edit this post.

M.


Jouni Forss Fri, 09/13/2013 - 09:42

Hi,

Thanks for the information so far.

I might have used the wrong term when referring to indepth (just sounded the best choise at that moment to describe that I am not looking for a configuration guide or general description ). What I am basically looking for is well written books/documents describing "everything" that someone working with VPN "should" know to grasp the theory regarding VPN.

Some weeks ago I did browse through the Cisco Press but found a lot of the Security related books were already pretty old. Something ranging from 5 - 10 years unless I remember wrong.

Again, thank you for the information so far

- Jouni

Marcin Latosiewicz Mon, 09/16/2013 - 04:56

Jouni,

I think you've identified something that does not fully exist at the moment.

There's QUITE a few different material available but it's not going to be ONE publication (not up-to-date one).

My suggestion is to start off with cisco live presentations.

https://www.ciscolive365.com/connect/publicDashboard.ww

Or you can google for "BRKSEC", there are very good materials from Fred Detienne (among others), you will find theoretical information as well as some implmentation specifc.

We're also in progress of getting flexvpn document out (design guide). But cannot commit to timeframe and end content.

M.

fahad.wasi Wed, 09/18/2013 - 08:26

Hello Marcin,

Will this Q & A session start on 20th September?

Also pls let me know when will this session end?

Thanks

Marcin Latosiewicz Wed, 09/18/2013 - 08:37

Hi Fahad,

It started on the 9th Sept and will last until the 20th September :-)

M.

fahad.wasi Fri, 09/20/2013 - 02:00

Hi Marcin,

Thanks for your reply,

I have some other questions,

Q.1 Is IPsec a protocol or an algorithm?

Q.2 My other question is that what is the difference between SSL and IPsec VPN?

Thanks

Marcin Latosiewicz Fri, 09/20/2013 - 02:44

Fahad,

Not really a best practices question and I think you can write books abbot second question, but here goes... :-)

1) IPsec is neither, you can all it a framework or a protocol suite. Within it are defined two major components encryption and authentication. How both of those are negotiated and achieved is discussed in RFCs, IPsec will use IKE (version 1 or 2) to achieve its objectives. IKE will use and negotiate certain algorithms to provide services offered by IPsec.

2) The answer in technological terms is a long one, functionality, and security wise ...

- SSL is (primarily) TCP based, the other datagram based.

- SSL/TLS are well known and implemented (any HTTPS transcation you make will use those).

- SSLVPNs in general are proprietary and do not interoperate. i.e. Cisco Anyconnect will not work with OpenVPN and vice versa (unless something changed recently).

- Both are standars based, and offer certain degree of flexability.

- SSLVPN is typically only remote access technology

- IPsec offers remote access and site-to-site.

I think the list can go on an on :-)

M.

Actions

Login or Register to take actions

This Discussion

Posted September 5, 2013 at 11:07 AM
Stats:
Replies:12 Avg. Rating:5
Views:2291 Votes:3
Shares:0

Related Content

Discussions Leaderboard