Friday, 15 November 2019

Cisco SNMP Configuration | What is Simple Network Management Protocol

This chapter explains the operation of SNMP. It also describes how to configure SNMP on a Cisco router to collect messages on a small to medium-sized network.

What is Simple Network Management Protocol (SNMP)

SNMP (Simple Network Management Protocol) was developed to allow administrators to manage nodes, such as servers, workstations, routers, switches and security devices, in an IP network. It allows network administrators to manage network performance, detect and resolve network problems, and plan for network growth.
SNMP is an application layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of three elements:

  • SNMP Manager
  • SNMP agents (managed node)
  • Management Information Base (MIB)

To configure SNMP on a network device, it is first necessary to define the relationship between the manager and the agent.
The SNMP manager is part of a network management system (NMS) and runs SNMP management software.

The SNMP manager can collect information from an SNMP agent using a “get” action and can change settings with “set”. In addition, SNMP agents can forward information directly to an NMS through traps.
The SNMP agent and the MIB reside on the managed network devices. The network devices that must be managed have an SNMP agent software module. MIBs store data about the device's operation and are designed to be available to authenticated remote users. The SNMP agent is responsible for providing access to the local MIB that reflects the resources and activity of the objects.
SNMP uses UDP port number 162 to retrieve and send management information.

SNMP OPERATION

SNMP agents that reside on managed devices collect and store information about the devices and their operation. The agent stores this information locally in the MIB. The SNMP manager then uses the SNMP agent to access the information within the MIB.
There are two main SNMP manager requests: get and set.

  • The NMS uses a get request to request data from the device.
  • The NMS uses a set request to change configuration variables on the agent device. A set request can also initiate actions within a device. For example, a set request can cause a router to restart, or to send or receive a configuration file.

The SNMP manager uses the get and set requests to perform the operations described in the table:

SNMP Operations Table:

  Operation          Description
  get-request        Retrieves the value of a specific variable.
  get-next-request   Retrieves the value of a variable within a table; the SNMP manager does not need to know the exact name of the variable. A sequential search is performed to find the required variable within the table.
  get-bulk-request   Retrieves large blocks of data, such as several rows in a table, that would otherwise require the transmission of many small blocks of data (works only with SNMPv2 or newer).
  get-response       Replies to a get-request, get-next-request or set-request sent by the NMS.
  set-request        Stores a value in a specific variable.
The SNMP agent responds to SNMP manager requests as follows:

  • Get a MIB variable : the SNMP agent performs this function in response to a get request PDU from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
  • Set a MIB variable : the SNMP agent performs this function in response to a set request PDU from the NMS. The SNMP agent changes the value of the MIB variable to the value specified by the NMS. The SNMP agent's response to a set request includes the new configuration on the device.

SNMP AGENT TRAPS

The NMS periodically polls the SNMP agents that reside on managed devices, requesting data from the devices through get requests. With this process, a network management application can collect information to monitor traffic loads and verify the configurations of managed devices.
The information can be displayed through the NMS GUI. Averages, minimums or maximums can be calculated, the data can be graphed, or thresholds can be set to trigger a notification process when they are exceeded.
For example, the NMS can monitor the CPU usage of a Cisco router. The SNMP manager periodically polls the value and presents this information in a graph so that the network administrator can use it to create a baseline.
SNMP periodic polling has disadvantages:

  • There is a delay between the moment an event occurs and the moment the NMS learns of it (by polling).
  • There is a trade-off between polling frequency and bandwidth use.

To mitigate these disadvantages, SNMP agents may generate and send traps to inform NMS about certain events immediately.

USE OF AN SNMP TRAP

Traps are unsolicited messages that alert the SNMP manager to a condition or event on the network. Some examples of trap conditions include, but are not limited to, incorrect user authentication, reboots, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other important events.
Trap notifications reduce network and agent resource usage by eliminating the need for some SNMP polling requests.

The figure shows the use of an SNMP trap to alert the network administrator that the G0/0 interface failed. The NMS software can send a text message to the network administrator, display a pop-up window in the NMS software, or display the router icon in red in the NMS GUI.

SNMP VERSIONS

There are several versions of SNMP, including the following:

  • SNMPv1 : the Simple Network Management Protocol, a full Internet standard, defined in RFC 1157.
  • SNMPv2c : defined in RFCs 1901 to 1908; uses the community-string-based administrative framework.
  • SNMPv3 : an interoperable standards-based protocol originally defined in RFCs 2273 to 2275; provides secure access through authentication and encryption of packets across the network.

All versions use SNMP managers, SNMP agents and MIBs. Cisco IOS software supports the three versions mentioned above.
Unlike SNMPv1, SNMPv2c includes a bulk retrieval mechanism and more detailed error message reporting for management stations.
The most up-to-date description of SNMPv3 is found in RFCs 3410 to 3415. It adds methods to ensure the secure transmission of critical data between managed devices.
SNMPv3 provides both security models and security levels. A security model is an authentication strategy configured for a user and the group in which the user resides. A security level is the level of security allowed within a security model.
The combination of security level and security model determines which security mechanism is used when handling an SNMP packet. The available security models are SNMPv1, SNMPv2c and SNMPv3.
A network administrator must configure the SNMP agent to use the SNMP version that the management station supports.

COMMUNITY STRINGS

For SNMP to work, the NMS must have access to the MIB. To ensure that access requests are valid, there must be some form of authentication.
SNMPv1 and SNMPv2c use community strings that control access to the MIB. Community strings are plaintext passwords. SNMP community strings authenticate access to MIB objects.
There are two types of community strings:

  • Read-only (ro) : provides access to MIB variables, but only to read them; changes to these variables are not allowed. Because security is minimal in version 2c, many organizations use SNMPv2c in read-only mode.
  • Read-write (rw) : provides read and write access to all objects in the MIB.

To view or set MIB variables, the user must specify the corresponding community string for read or write access.

STEPS TO CONFIGURE SNMP

A network administrator can configure SNMPv2 to obtain network information from network devices:

  1. Step 1. (Required) Configure the community string and access level (read-only or read-write) with the snmp-server community string ro | rw command.
  2. Step 2. (Optional) Record the device location with the snmp-server location text command.
  3. Step 3. (Optional) Record the system contact with the snmp-server contact text command.
  4. Step 4. (Optional) Restrict SNMP access to the NMS hosts (SNMP managers) that an ACL permits: define the ACL, then reference it with the snmp-server community string access-list-number-or-name command. This command can be used to specify the community string and to restrict SNMP access through ACLs. Steps 1 and 4 can be combined in one step, if desired.
  5. Step 5. (Optional) Specify the recipient of SNMP trap operations with the snmp-server host host-id [ version { 1 | 2c | 3 [ auth | noauth | priv ]}] community-string command. By default, no trap manager is defined.
  6. Step 6. (Optional) Enable traps on an SNMP agent with the snmp-server enable traps notification-types command. If no trap notification type is specified in this command, all trap types are sent. The command must be repeated if only a certain subset of trap types is desired.

All basic steps to configure SNMP are performed in global configuration mode:

R1(config)# snmp-server community batonaug ro SNMP_ACL
R1(config)# snmp-server location NOC_SNMP_MANAGER
R1(config)# snmp-server contact Wayne World
R1(config)# snmp-server host 192.168.1.3 version 2c batonaug
R1(config)# snmp-server enable traps
R1(config)# ip access-list standard SNMP_ACL
R1(config-std-nacl)# permit 192.168.1.3

VERIFICATION OF SNMP CONFIGURATION

There are several software solutions for viewing SNMP output. For our purposes, the Kiwi syslog server displays the SNMP messages associated with SNMP traps.
PC1 and R1 are configured to demonstrate the output on an SNMP manager in relation to SNMP traps. IP address 192.168.1.3/24 was assigned to PC1, and the Kiwi syslog server is installed on it.
After R1 is configured, every time an event occurs that qualifies as a trap, an SNMP trap is sent to the SNMP manager. For example, if an interface comes up, a trap is sent to the server. Configuration changes on the router also trigger SNMP traps to the SNMP manager.
A list of more than 60 trap notification types can be displayed with the snmp-server enable traps ? command. In the configuration of R1, no notification type is specified in the snmp-server enable traps notification-types command, so all traps are sent.

SNMP Manager

In Image 12, a check box was enabled in the Setup menu to indicate that the network administrator wants the SNMP manager software to listen for SNMP traps on UDP port 162.

SNMP VERIFICATION COMMANDS

To verify the SNMP configuration, use any variant of the show snmp command in privileged EXEC mode. The most useful command is simply show snmp, as it displays the information that is usually of interest when examining the SNMP configuration.
Unless an SNMPv3 configuration is involved, most other command options only show selected parts of the show snmp command output.
The output of the show snmp command does not display information about the SNMP community string or, if applicable, the associated ACL. Figure 5 shows the SNMP community string and ACL information using the show snmp community command.

RECOMMENDED SECURITY PRACTICES

While SNMP is very useful for monitoring and troubleshooting, it can also create security vulnerabilities. For this reason, consider security best practices before implementing SNMP.

SNMPv1 and SNMPv2c rely on plaintext SNMP community strings to authenticate access to MIB objects. These community strings, like all passwords, must be chosen carefully to ensure that they are not too easy to crack.
In addition, community strings should be changed at regular intervals and in accordance with network security policies. For example, strings must be changed when a network administrator changes roles or leaves the company. If SNMP is used only to monitor devices, use read-only communities.
Make sure SNMP messages do not spread beyond the management consoles. ACLs must be used to prevent SNMP messages from being sent beyond the required devices.
SNMPv3 is recommended because it provides authentication and encryption. There are other global configuration mode commands that a network administrator can use to take advantage of authentication and encryption in SNMPv3:

  • The snmp-server group groupname { v1 | v2c | v3 { auth | noauth | priv }} command creates a new SNMP group on the device.
  • The snmp-server user username groupname v3 [ encrypted ] [ auth { md5 | sha } auth-password ] [ priv { des | 3des | aes { 128 | 192 | 256 }} priv-password ] command adds a new user to the SNMP group specified in the snmp-server group groupname command.
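As an added example (not code from the post or from Cisco), the following Python script audits the SNMP lines of an IOS configuration against the practices listed above, using the R1 commands from the configuration steps section as its input. The sample configuration, including the three deliberately weak lines added to it, is constructed here, and the regular expressions cover only the command forms shown in the post.

```python
"""Audit the SNMP lines of a Cisco IOS configuration against the practices
listed above: read-only communities, ACL-restricted access, no well-known
community names, and SNMPv3 with authentication and encryption (priv)."""
import re
from typing import Dict, List, Set

# Constructed sample: the R1 commands from this post, plus three deliberately
# weak lines (the public/private communities and the v3 noauth group) added
# here so that every check fires at least once.
SAMPLE_CONFIG = """\
snmp-server community batonaug ro SNMP_ACL
snmp-server community public ro
snmp-server community private rw
snmp-server location NOC_SNMP_MANAGER
snmp-server contact Wayne World
snmp-server host 192.168.1.3 version 2c batonaug
snmp-server enable traps
snmp-server group NETOPS v3 noauth
ip access-list standard SNMP_ACL
 permit 192.168.1.3
"""

# Default community names that any scanner tries first.
WELL_KNOWN = {"public", "private"}

# Only the command forms shown in this post are parsed; other IOS options
# (views, ipv6 ACLs, informs) are not handled.
RE_COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?:\s+(ro|rw))?(?:\s+(\S+))?\s*$")
RE_HOST = re.compile(
    r"^snmp-server host (\S+)"
    r"(?:\s+version\s+(1|2c|3)(?:\s+(auth|noauth|priv))?)?\s+(\S+)")
RE_GROUP = re.compile(
    r"^snmp-server group (\S+)\s+(v1|v2c|v3)(?:\s+(auth|noauth|priv))?")
RE_ACL = re.compile(
    r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+)\s)")


def audit_snmp_config(config: str) -> List[str]:
    """Return one finding per violated practice, in configuration order."""
    findings: List[str] = []
    acls_defined: Set[str] = set()
    acls_referenced: Dict[str, str] = {}   # community -> ACL name
    for raw in config.splitlines():
        line = raw.strip()
        m = RE_ACL.match(line)
        if m:
            acls_defined.add(m.group(1) or m.group(2))
            continue
        m = RE_COMMUNITY.match(line)
        if m:
            name, mode, acl = m.group(1), m.group(2) or "ro", m.group(3)
            if name.lower() in WELL_KNOWN:
                findings.append(f"community '{name}' is a well-known default name")
            if mode == "rw":
                findings.append(f"community '{name}' grants read-write access")
            if acl is None:
                findings.append(f"community '{name}' is not restricted by an ACL")
            else:
                acls_referenced[name] = acl
            continue
        m = RE_HOST.match(line)
        if m:
            # IOS sends version 1 traps when no version keyword is given.
            host, version, level = m.group(1), m.group(2) or "1", m.group(3)
            if version != "3":
                findings.append(
                    f"trap receiver {host} uses SNMPv{version} (plaintext community)")
            elif level != "priv":
                findings.append(f"trap receiver {host} uses SNMPv3 without priv")
            continue
        m = RE_GROUP.match(line)
        if m:
            group, version, level = m.groups()
            if version != "v3":
                findings.append(f"group '{group}' uses {version} (community-based)")
            elif level != "priv":
                findings.append(
                    f"group '{group}' uses v3 {level or 'noauth'} (no encryption)")
    # An ACL named on a community line but never defined restricts nothing.
    for name, acl in acls_referenced.items():
        if acl not in acls_defined:
            findings.append(
                f"community '{name}' references ACL '{acl}' that is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the post's own R1 lines alone, the script reports only the SNMPv2c trap receiver; the extra lines show what a read-write or unrestricted community looks like in the output.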


Thursday, 14 November 2019

Cisco SYSLOG Configuration Complete Tutorial

This tutorial is a complete guide to Cisco syslog configuration: what syslog is, how syslog works and how to configure syslog to collect messages on a small to medium-sized network.
Monitoring a functioning network gives a network administrator the information needed to manage the network proactively and to report network usage statistics to others. Link activity, error rates and link status are some of the factors that help a network administrator determine the status and use of a network. Collecting and reviewing this information over time allows a network administrator to view and project growth, and can help detect and replace a defective part before it fails completely.
This chapter covers three protocols that a network administrator can use to monitor the network. Syslog, SNMP and NetFlow are popular protocols with different strengths and weaknesses. Together they provide a good set of tools to understand what happens in a network.
The NTP protocol is used to synchronize the time across devices, which is especially important when comparing the log files of different devices.

What is SYSLOG ?

When certain events occur on a network, network devices have reliable mechanisms to notify the administrator with detailed system messages. These messages may or may not be important.
Network administrators have a variety of options for storing, interpreting and displaying these messages, as well as for being alerted to the messages that could have the greatest impact on the network infrastructure.
The most common method of accessing the system messages that network devices provide is to use a protocol called "syslog".

Syslog uses UDP port 514 to send event notification messages over IP networks to event message collectors.
The term "syslog" is used to describe a standard. It is also used to describe the protocol developed for that standard. The syslog protocol was developed for UNIX systems in the 1980s, but IETF first registered it as RFC 3164 in 2001 .
Many network devices support syslog, including routers, switches, application servers, firewalls and other network devices. The syslog protocol allows network devices to send system messages to syslog servers across the network. It is possible to set up a dedicated out-of-band (OOB) network for this purpose.
There are several different software packages of syslog servers for Windows and UNIX. Many of them are freeware.
The syslog logging service provides three main functions:

  • The ability to collect logging information for monitoring and troubleshooting
  • The ability to select the type of logging information that is captured
  • The ability to specify the destinations of captured syslog messages

How SYSLOG Works

On Cisco network devices, the syslog protocol starts by sending system messages and debug command output to an internal local logging process on the device. How the logging process handles these messages and output depends on the device settings.
For example, syslog messages can be sent across the network to an external syslog server. Those messages can be retrieved without having to access the device itself. The output and log messages stored on the external server can be included in reports for easy reading.
Alternatively, syslog messages can be sent to an internal buffer. Messages sent to the internal buffer can only be viewed through the device CLI.

Finally, the network administrator can specify that only certain types of system messages be sent to several destinations. For example, you can configure the device to forward all system messages to an external syslog server. However, debug level messages are forwarded to the internal buffer, and only the administrator can access them from the CLI.
As shown in the illustration, common destinations for syslog messages include the following:

  • Logging buffer (RAM inside a router or switch)
  • Console line
  • Terminal line
  • Syslog server

System messages can be monitored remotely by viewing the logs on a syslog server or by accessing the device through Telnet, SSH or the console port.

FORMAT OF SYSLOG MESSAGES

Cisco devices generate syslog messages as a result of network events. Each syslog message contains a severity level and a facility.

SYSLOG SEVERITY LEVEL

The lower the level number, the more critical the syslog alarm. The severity level of messages can be set to control where each type of message is displayed (that is, on the console or other destinations). Image 3 shows the complete list of syslog levels.

Each level of syslog has its own meaning:

  • Warning level to emergency level: these are error messages about software or hardware that is malfunctioning; these types of messages mean that the functionality of the device is affected. The severity of the problem determines the actual syslog level that is applied.
  • Debug level: this level indicates that the messages are output generated from issuing the various debug commands.
  • Notification level: the notification level is informational only; the functionality of the device is not affected. Interface up or down messages, or a system restart, are displayed at the notification level.

FACILITY INFORMATION

In addition to specifying the severity, syslog messages also contain information about the facility. Syslog facilities are service identifiers that identify and categorize system state data for error and event message reporting.
The available logging facility options are specific to the network device. For example, Cisco 2960 series switches and Cisco 1941 routers support 24 facility options that are categorized into 12 facility types.
Some common syslog message facilities reported on Cisco IOS routers include the following:


By default, the format of syslog messages in Cisco IOS software is as follows:

seq no: timestamp: %facility-severity-MNEMONIC: description

For example, the output of a Cisco switch for an EtherChannel link that changes to the up state is as follows:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Here the facility is LINK, the severity level is 3 and the mnemonic is UPDOWN.
The most common messages are link up and link down, and the messages that a device produces when it exits configuration mode. If ACL logging is configured, the device generates syslog messages when packets match a parameter condition.

SERVICE TIME STAMP

Log messages can be time-stamped, and the source address of syslog messages can be set. This improves real-time debugging and administration.
When the service timestamps log uptime global configuration mode command is entered, logged events show the amount of time that has elapsed since the switch was last started. A more useful version of this command uses the datetime keyword instead of the uptime keyword; this causes each logged event to show the date and time associated with the event.
When the datetime keyword is used, the clock must be set on the network device. This can be achieved in two ways:

  • Manual configuration using the clock set command
  • Automatic configuration using the NTP protocol

To allow an NTP time server to synchronize the software clock, use the global configuration mode command:

ntp server ip-address

The illustration shows an example configuration. R1 is configured as an NTP client, while router R2 functions as an authoritative NTP server. A network device can be configured as an NTP server, so that other devices synchronize their time to it, or as an NTP client.

R2(config)# ntp master 1
R1(config)# ntp server 10.1.1.1

For the rest of the chapter, it is assumed that the clock was set and the service timestamps log datetime command was configured on all devices.

SYSLOG SERVER

To view syslog messages, a syslog server must be installed on a network workstation. There are several freeware and shareware syslog servers, as well as commercial versions for purchase.
The syslog server provides a relatively user-friendly interface for viewing syslog output. The server parses the output and places the messages in predefined columns for easy interpretation.

Network administrators can easily navigate through a large amount of data that is collected on a syslog server. An advantage of viewing syslog messages on a syslog server is the ability to perform granular searches through the data. In addition, a network administrator can quickly remove syslog messages that are not important from the database.

DEFAULT LOGGING

By default, Cisco routers and switches send log messages for all severity levels to the console. On some versions of IOS, the device also buffers log messages by default. To enable these two settings, use the logging console and logging buffered global configuration commands, respectively.
The show logging command displays the default configuration of the logging service on a Cisco router, as shown in the illustration. The first lines of the output provide information about the logging process, and the logged messages are listed at the end of the output.

  • The first highlighted line indicates that this router logs to the console and includes debug messages. This actually means that all debug level messages, as well as any lower level messages (such as notification level messages), are logged to the console. The output also indicates that 32 such messages have been logged.
  • The second highlighted line indicates that this router logs to an internal buffer. Because logging to an internal buffer was enabled on this router, the show logging command also lists the messages in that buffer.

ROUTER AND SWITCH COMMANDS FOR SYSLOG CLIENTS

There are three steps to configure the router to send system messages to a syslog server where they can be stored, filtered and analyzed:

  • Step 1. Configure the destination hostname or IP address of the syslog server in global configuration mode:

R1(config)# logging 192.168.1.3

  • Step 2. Control the messages that are sent to the syslog server with the logging trap level global configuration mode command. For example, to limit messages to levels 4 and below (0 to 4), use one of two equivalent commands:

R1(config)# logging trap 4
R1(config)# logging trap warning

  • Step 3. Optionally, configure the source interface with the global configuration mode command:

logging source-interface interface-type interface-number

This specifies that syslog packets carry the IPv4 or IPv6 address of a specific interface, regardless of the interface the packet uses to exit the router. For example, to set the source interface to g0/0, use the following command:

R1(config)# logging source-interface g0/0

SYSLOG CONFIGURATION EXAMPLE

In Image 8, R1 was configured to send log messages of levels 4 and below to the syslog server at 192.168.1.3. The source interface was set to the G0/0 interface. A loopback interface is created, shut down and brought back up. The console output reflects these actions.

The only messages that appear on the syslog server are those with a severity level of 4 or lower (more severe). Messages with a severity level of 5 or higher (less severe) appear in the router console output but not in the syslog server output, because the logging trap command limits the syslog messages sent to the syslog server by severity level.
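As an added example (not from the post), this Python script parses IOS syslog lines in the format described in the message format section and applies the logging trap level cut-off the way the router does before forwarding to the server, so the split between console and server output above can be reproduced offline. The sample log lines are constructed here in the IOS style (only the first comes from the post), and the severity keywords are the standard IOS logging trap level names.

```python
"""Parse Cisco IOS syslog lines of the form
  seq no: timestamp: %FACILITY-SEVERITY-MNEMONIC: description
and apply the 'logging trap <level>' cut-off that decides which of them
the router forwards to the syslog server."""
import re
from typing import List, NamedTuple, Optional

# IOS severity levels; 0 is the most severe. These are also the keywords that
# 'logging trap' accepts, matched by unambiguous prefix (so 'warning' == 4).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

RE_SYSLOG = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                 # optional sequence number
    r"(?P<timestamp>.+?):\s*"                 # uptime or datetime stamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$")


class SyslogMessage(NamedTuple):
    seq: Optional[int]
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None if the line is not IOS syslog."""
    m = RE_SYSLOG.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["timestamp"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def trap_level(value: str) -> int:
    """Resolve the argument of 'logging trap' (a digit or a keyword prefix)."""
    if value.isdigit():
        level = int(value)
        if 0 <= level <= 7:
            return level
        raise ValueError(f"severity out of range: {value}")
    matches = [lvl for lvl, name in SEVERITY_NAMES.items()
               if name.startswith(value.lower())]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous severity keyword: {value!r}")
    return matches[0]


def forwarded(messages: List[SyslogMessage], level: int) -> List[SyslogMessage]:
    """Messages the router sends to the server: severity <= trap level."""
    return [m for m in messages if m.severity <= level]


# Constructed sample log. The first line is the example from the post; the
# others are written in the same IOS style (the loopback flap and the config
# change from the configuration example), plus one line that is not syslog.
SAMPLE_LOG = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "*Jun 12 22:35:10.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "*Jun 12 22:35:12.000: %SYS-5-CONFIG_I: Configured from console by console",
    "*Jun 12 22:35:20.000: %LINK-3-UPDOWN: Interface Loopback0, changed state to down",
    "000021: *Jun 12 22:36:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated",
    "this line is not a syslog message",
]

if __name__ == "__main__":
    parsed = [m for m in map(parse_syslog, SAMPLE_LOG) if m]
    for m in forwarded(parsed, trap_level("warning")):   # logging trap warning
        print(f"{m.facility}-{m.severity}-{m.mnemonic}: {m.description}")
```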

VERIFICATION OF SYSLOG

You can use the show logging command to view any message that has been logged. When the logging buffer is large, it is convenient to use the pipe option (|) with the show logging command. The pipe option lets the administrator specify exactly which messages should be displayed.
For example, issuing show logging | include changed state to up ensures that only interface notifications containing "changed state to up" are displayed.
The figure also shows that issuing show logging | begin June 12 22:35 displays the logging buffer entries that occurred on June 12 22:35 or later.

Types of Remote Access VPN and Its Implementations

This post covers the types of remote access VPN and their implementations. It also compares IPsec and SSL remote access VPNs.

Remote Access VPN Types

VPNs became the logical solution for remote access connectivity for many reasons. VPNs provide secure communications with access rights tailored to individual users, such as employees, contractors and partners. They also increase productivity by extending the network and business applications securely, while reducing communication costs and increasing flexibility.

Basically, with VPN technology, employees can take the office with them, including access to email and network applications. VPNs also allow contractors and partners to have limited access to the servers, web pages or specific files required. This network access allows them to contribute to the company's productivity without compromising network security.
There are two main methods to implement VPN remote access:

  1. Secure Sockets Layer (SSL)
  2. IP Security (IPsec)

The type of VPN method implemented is based on user access requirements and the organization's IT processes.
Both VPN technology with SSL and VPN technology with IPsec offer access to virtually any application or network resource. VPNs with SSL offer features such as easy connectivity from desktop computers not managed by the company, low or no maintenance of desktop software and web portals customized by the user when logging in.

CISCO SSL VPN

Cisco IOS SSL VPN is the industry's first router-based SSL VPN solution. It offers connectivity from any location.
The SSL protocol supports various cryptographic algorithms for operations, such as server and client authentication with each other, certificate transmission and session key setting. Cisco SSL VPN solutions can be customized for businesses of any size.
These solutions offer many features and advantages of remote access connectivity:

  • Full network access, clientless and web-based, with no previously installed desktop software.
  • Protection against viruses, worms, spyware and hackers on a VPN connection by integrating network and endpoint security into the Cisco SSL VPN platform.
  • Use of a single device for both SSL VPN and IPsec VPN.

Cisco IOS SSL VPN is a technology that provides remote access through a web browser and the web browser's native SSL encryption. Alternatively, remote access can be provided through the Cisco AnyConnect Secure Mobility Client software.

Cisco ASA provides the two main implementation modes found in Cisco SSL VPN solutions, as shown in the illustration:

  • Cisco AnyConnect Secure Mobility Client with SSL : requires the Cisco AnyConnect client.
  • Cisco Secure Mobility Clientless SSL VPN : requires an Internet browser.

In both cases, the Cisco ASA must be configured to support the SSL VPN connection.

REMOTE ACCESS TO IPSEC

Many applications require the security of an IPsec remote access VPN connection to authenticate and encrypt data. When VPNs are implemented for remote workers and small branches, ease of implementation is critical if technical resources are not available to configure the VPN on a remote site router.
The Cisco Easy VPN solution offers flexibility, scalability and ease of use for site-to-site and remote access IPsec VPNs. The Cisco Easy VPN solution consists of three components:

  • Cisco Easy VPN Server : a Cisco IOS router or Cisco ASA firewall that functions as the VPN headend for site-to-site or remote-access VPNs.
  • Cisco Easy VPN Remote : a Cisco IOS router or Cisco ASA firewall that functions as a remote VPN client.
  • Cisco VPN Client : a compatible application on a computer that is used to access a Cisco VPN server.

Using Cisco Easy VPN Server allows mobile and remote workers who use a VPN client on their computers or use Cisco Easy VPN Remote on a perimeter router to create secure IPsec tunnels to access the central office intranet, as shown in the illustration.

CISCO EASY VPN SERVER

The Cisco Easy VPN Server allows mobile and remote workers who use VPN client software on their computers to create secure IPsec tunnels to access the central office intranet where critical data and applications are located.
It allows Cisco IOS routers and Cisco ASA firewalls to function as headends for site-to-site or remote-access VPNs.
Remote office devices use the Cisco Easy VPN Remote feature or the Cisco VPN Client application to connect to the server, which then pushes the defined security policies to the remote VPN device. This ensures that those connections have up-to-date policies before the connection is established.

CISCO EASY VPN REMOTE

Cisco Easy VPN Remote allows software clients or routers with Cisco IOS to function as remote VPN clients.
These devices can receive Cisco Easy VPN Server security policies, which minimizes the VPN configuration requirements in the remote location.
This cost-effective solution is ideal for remote offices with little IT support or for large-scale customer premises equipment (CPE) deployments where configuring many remote devices individually is impractical.

The illustration shows three network devices with Easy VPN Remote enabled, all connected to Easy VPN Server to obtain the configuration parameters.

COMPARISON OF IPSEC AND SSL

Both SSL VPN and IPsec VPN technology offer access to virtually any application or network resource, as shown in the following table.

Comparison Table between IPsec and SSL:

  SSL                                                              | IPsec
  Web-enabled applications, file sharing, email                    | All IP-based applications
  Moderate to secure encryption; key lengths from 40 to 256 bits   | Secure encryption; key lengths from 56 to 256 bits
  Unidirectional or bidirectional authentication                   | Bidirectional authentication through shared secrets or digital certificates
  The connection only requires a web browser                       | The connection can be difficult for users without technical knowledge
  Any device can be connected                                      | Only specific devices with a specific configuration can be connected

SSL VPNs offer features such as easy connectivity from desktop computers not managed by the company, little or no desktop software maintenance, and user-customized web portals at login.
IPsec outperforms SSL in many important ways:

  • The number of applications it supports
  • The strength of encryption
  • The strength of authentication
  • General security

When security is the main concern, IPsec is the better option. If support and ease of deployment are the main concerns, consider using SSL.
IPsec and VPNs with SSL complement each other because they solve different problems. Depending on the needs, an organization can implement one or both. This complementary approach allows a single device, such as an ISR router or an ASA firewall device, to satisfy all the requirements of remote access users.

Internet Protocol Security IPSec VPN

In this post you will learn about IPsec (Internet Protocol Security) VPNs: how to configure IPsec on a Cisco router and the different IPsec terms. VPNs with IPsec offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast and reliable remote connection.
With an IPsec VPN, information from a private network is transported securely through a public network.

WHAT IS IPSEC?

Internet Protocol Security or IPsec is an IETF standard that defines how a VPN can be configured securely using the Internet protocol.
IPsec is an open-standards framework that details the rules for secure communications. IPsec is not limited to any specific type of encryption, authentication, security algorithm or keying technology. Instead, IPsec relies on existing algorithms to implement secure communications. It also allows new and better algorithms to be adopted without modifying the existing IPsec standards.
IPsec works at the network layer, so it protects and authenticates IP packets between participating IPsec devices, also known as peers. IPsec protects a path between a pair of gateways, a pair of hosts, or a gateway and a host. As a result, IPsec can protect virtually all application traffic, since the protection can be applied to everything from Layer 4 through Layer 7.
All IPsec implementations have a cleartext Layer 3 header, so there are no routing problems. IPsec works over all Layer 2 protocols, such as Ethernet, ATM or Frame Relay.
The characteristics of IPsec can be summarized as follows:
  • It is a framework of open standards that does not depend on algorithms.
  • It provides confidentiality and integrity of data, and authentication of the origin.
  • It works at the network layer, so it protects and authenticates IP packets.

IPSEC Security Features

IPsec security services provide four fundamental functions:

  • Confidentiality (encryption) : In a VPN implementation, private data is transferred through a public network. For this reason, the confidentiality of the data is essential. This can be achieved by encrypting the data before transmitting it over the network. This is the process of taking all the data that one computer sends to another and encoding it in a way that only the other computer can decode.
  • Data Integrity : the receiver can verify that the data was transmitted over the Internet without being modified or altered. While it is important that data crossing a public network be encrypted, it is also important to verify that it was not modified while in transit.
  • Authentication : verifies the identity of the source of the data that is sent. This is necessary for protection against various attacks that depend on impersonating the sender. IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently.
  • Anti-replay protection : the ability to detect and reject replayed packets, which helps prevent spoofing. It verifies that each packet is unique and not duplicated. IPsec packets are protected by comparing the sequence number of received packets with a sliding window on the destination host or security gateway. A packet whose sequence number falls before the sliding window is considered late or a duplicate.

IPSec ENCRYPTION ALGORITHMS

The strength of the security depends on the length of the encryption algorithm's key. The longer the key, the harder it is to break. However, a longer key requires more processor resources to encrypt and decrypt data.
DES and 3DES are no longer considered secure; therefore, it is recommended to use AES for IPsec encryption. The best security for IPsec encryption of VPNs between Cisco devices is provided by the 256-bit AES option.
In addition, since 512-bit and 768-bit Rivest, Shamir and Adleman (RSA) keys have been broken, Cisco recommends using 2048-bit keys with the RSA option if it is used during the IKE authentication phase.

SYMMETRIC ENCRYPTION

Encryption algorithms, such as AES, require a shared secret key for encryption and decryption. Each of the two network devices must know the key to decode the information. With symmetric key encryption, also called "secret key encryption," each device encrypts the information before sending it over the network to the other device.
Symmetric key encryption requires knowing which devices communicate with each other in order to configure the same key on each device.


  • For example, a sender creates an encrypted message in which each letter is replaced by another letter that is two places later in the alphabet: A becomes C, B becomes D and so on. In this case, the word SECRET becomes UGETGV.
  • The sender has already told the recipient that the secret code is two letters.
  • When the recipient receives the UGETGV message, the recipient's computer decodes it by shifting each letter back two places and recovers the word SECRET.
  • Anyone who sees the message only sees the encrypted message, which seems meaningless, unless the person knows the secret key.

Below is a synopsis for symmetric algorithms:

  • They use symmetric key cryptography.
  • Encryption and decryption use the same key.
  • Usually they are used to encrypt the content of the message.
  • Examples: DES, 3DES and AES

How do the encrypting and decrypting devices obtain a shared secret key? To deliver the shared secret keys to the administrators of the devices, you could use email, a courier service or express delivery. A safer method is asymmetric encryption.

ASYMMETRIC ENCRYPTION

Asymmetric encryption uses different keys for encryption and decryption. Even if you know one of the keys, a hacker cannot deduce the second key and decode the information. A key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.

  • Public key encryption is a variant of asymmetric encryption that uses a combination of a private and a public key.
  • The recipient provides a public key to any sender with whom he wishes to communicate.
  • The sender uses a private key that is combined with the recipient's public key to encrypt the message. In addition, the sender must share its public key with the recipient.
  • To decrypt a message, the recipient uses the sender's public key with his own private key.

Below is a synopsis for asymmetric algorithms:

  • They use public key cryptography.
  • Encryption and decryption use different keys.
  • Usually they are used in digital certification and key management.
  • Examples: RSA

IPSec DIFFIE-HELLMAN KEY EXCHANGE

Diffie-Hellman (DH) is not an encryption mechanism and is not normally used to encrypt data. Instead, it is a method for securely exchanging the keys that encrypt data. DH algorithms allow two parties to establish the shared secret key used by encryption and hash algorithms.
DH was the first system to use public-key, or asymmetric, cryptographic keys. Today, DH is part of the IPsec standard. In addition, a protocol called OAKLEY uses a DH algorithm. OAKLEY is used by the IKE protocol, which is part of the overall framework called the Internet Security Association and Key Management Protocol.
Encryption algorithms such as DES, 3DES and AES, as well as the MD5 and SHA-1 hash algorithms, require a symmetric shared secret key to perform encryption and decryption. How do the encrypting and decrypting devices obtain the shared secret key? The simplest key-exchange method is a public-key exchange between the encrypting and decrypting devices.
The DH algorithm specifies a public-key exchange method that provides a way for two peers to establish a shared secret key that only they know, even though they communicate over an insecure channel. Like all cryptographic algorithms, DH key exchange is based on a mathematical sequence of steps.
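The sequence of steps described above, as an added example that is not part of the original post or of any Cisco software: each peer keeps a private exponent, sends only its public value g^x mod p across the channel, and both sides arrive at the same shared secret, which is then hashed down to a symmetric key for the encryption algorithm. The group parameters P and G are constructed toy values (P is the Mersenne prime 2^127 - 1); real IKE negotiations use the standardised MODP groups, not this modulus.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy Diffie-Hellman group parameters (constructed for illustration only).
# P is the Mersenne prime 2**127 - 1; IKE uses standardised MODP groups instead.
P = 2**127 - 1
G = 5


def dh_private_key() -> int:
    """Pick a random private exponent in [2, P-2]; this value never leaves the peer."""
    return 2 + secrets.randbelow(P - 3)


def dh_public_value(private: int) -> int:
    """Compute g^x mod p, the only value that crosses the insecure channel."""
    return pow(G, private, P)


def dh_shared_secret(peer_public: int, private: int) -> int:
    """Combine the peer's public value with our own private exponent."""
    # Reject 0, 1 and p-1: a peer sending these would force a trivial shared secret.
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def derive_symmetric_key(shared_secret: int, length: int = 32) -> bytes:
    """Hash the shared secret down to a fixed-size symmetric key (32 bytes = AES-256)."""
    secret_bytes = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes).digest()[:length]


def simulate_exchange(a_priv: Optional[int] = None,
                      b_priv: Optional[int] = None) -> Tuple[bytes, bytes, Tuple[int, int]]:
    """Run one exchange between peers A and B; returns both derived keys and the
    two public values an eavesdropper would observe on the wire."""
    a_priv = a_priv if a_priv is not None else dh_private_key()
    b_priv = b_priv if b_priv is not None else dh_private_key()
    a_pub = dh_public_value(a_priv)   # A -> B
    b_pub = dh_public_value(b_priv)   # B -> A
    key_a = derive_symmetric_key(dh_shared_secret(b_pub, a_priv))
    key_b = derive_symmetric_key(dh_shared_secret(a_pub, b_priv))
    return key_a, key_b, (a_pub, b_pub)


if __name__ == "__main__":
    key_a, key_b, observed = simulate_exchange()
    print("keys match:", key_a == key_b)
    print("on the wire:", observed)
```

The derived key is what the symmetric algorithm (AES in the text) would then use; the public values alone do not let an observer recompute it without solving the discrete logarithm in the group.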

INTEGRITY WITH HASH ALGORITHMS

Hash algorithms handle the integrity and authentication of VPN traffic. The hashes provide data integrity and authentication by ensuring that unauthorized persons do not alter the transmitted messages.
A hash, also called a "message digest", is a number generated from a string of text. The hash is shorter than the text itself. It is generated with a formula such that it is extremely unlikely that some other text will produce the same hash value.
The original sender generates a hash of the message and sends it with the message itself. The recipient analyzes the message and hash, produces another hash from the received message and compares both hashes. If they are the same, the recipient can be sure enough of the integrity of the original message.

HASH ALGORITHM EXAMPLE

In the illustration, Gail sent Alex an EFT of USD 100. Jeremiah intercepted and altered this EFT so that he appears as the recipient and the amount is USD 1000. In this case, if a data integrity algorithm had been used, the hashes would not match and the transaction would be invalid.
VPN data is transported via the public Internet. As shown, there is a possibility that these data will be intercepted and modified. To protect them against this threat, hosts can add a hash to the message.
VPNs use a message authentication code to verify the integrity and authenticity of a message, without using any additional mechanisms.

HMAC

Hash-based message authentication code (HMAC) is a mechanism for message authentication using hash functions.
A keyed HMAC is a data integrity algorithm that guarantees the integrity of a message.
An HMAC has two parameters: a message input and a secret key known only to the author of the message and the intended recipients.

  • The message sender uses an HMAC function to produce a value (the message authentication code) by condensing the secret key and the message input.
  • The message authentication code is sent along with the message.
  • The receiver calculates the message authentication code on the received message with the same key and the same HMAC function that the sender used.
  • The receiver then compares the result it calculated with the message authentication code that was received.

There are two common HMAC algorithms:

  • MD5 : uses a 128-bit shared secret key. The variable-length message and the 128-bit shared secret key are combined and processed with the HMAC-MD5 hash algorithm. The result is a 128-bit hash. The hash is attached to the original message and sent to the remote end.
  • SHA : SHA-1 uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and processed with the HMAC-SHA1 hash algorithm. The result is a 160-bit hash. The hash is attached to the original message and sent to the remote end.

Cisco IOS also supports 256-bit, 384-bit, and 512-bit SHA implementations.
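The EFT scenario from the hash algorithm example and the HMAC procedure above, as one added example that is not part of the original post: a plain hash lets the receiver detect accidental corruption, but an interceptor who rewrites the message can simply recompute it; a keyed HMAC cannot be recomputed without the shared secret, so the rewritten EFT is rejected. The key and the two EFT messages are constructed sample values; the HMAC algorithm names are those Python's standard hashlib accepts.

```python
import hashlib
import hmac

# Constructed sample values modelled on the Gail/Alex/Jeremiah scenario; not real data.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ORIGINAL_EFT = b"from=Gail;to=Alex;amount=USD 100"
TAMPERED_EFT = b"from=Gail;to=Jeremiah;amount=USD 1000"


def plain_digest(message: bytes) -> str:
    """Unkeyed hash: anyone, including an interceptor, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def compute_mac(key: bytes, message: bytes, algorithm: str = "sha256") -> str:
    """Keyed HMAC: the tag depends on both the secret key and the message.
    'md5' and 'sha1' give the 128-bit and 160-bit tags listed above;
    'sha256', 'sha384' and 'sha512' give the longer SHA-2 variants."""
    return hmac.new(key, message, algorithm).hexdigest()


def receiver_accepts_unkeyed(message: bytes, digest: str) -> bool:
    """Receiver check when only a hash travels with the message."""
    return hmac.compare_digest(plain_digest(message), digest)


def receiver_accepts_keyed(key: bytes, message: bytes, tag: str, algorithm: str = "sha256") -> bool:
    """Receiver check when an HMAC travels with the message; constant-time compare
    so the comparison itself leaks nothing about the expected tag."""
    return hmac.compare_digest(compute_mac(key, message, algorithm), tag)


def demo_tamper_detection() -> dict:
    """Replay the scenario: sender attaches a digest and a tag, the interceptor
    rewrites the EFT, and the receiver runs both checks."""
    sent_digest = plain_digest(ORIGINAL_EFT)
    sent_tag = compute_mac(SHARED_KEY, ORIGINAL_EFT)
    # The interceptor can recompute the unkeyed digest for the new text, but has no
    # key, so the only tag it can forward is the captured one.
    forged_digest = plain_digest(TAMPERED_EFT)
    return {
        "original_digest_ok": receiver_accepts_unkeyed(ORIGINAL_EFT, sent_digest),
        "tampered_digest_ok": receiver_accepts_unkeyed(TAMPERED_EFT, forged_digest),  # True: hash alone does not help
        "original_mac_ok": receiver_accepts_keyed(SHARED_KEY, ORIGINAL_EFT, sent_tag),
        "tampered_mac_ok": receiver_accepts_keyed(SHARED_KEY, TAMPERED_EFT, sent_tag),  # False: tampering detected
    }


if __name__ == "__main__":
    for name, result in demo_tamper_detection().items():
        print(f"{name}: {result}")
```

The tag length in hex characters is twice the digest size in bytes, so HMAC-SHA1 yields 40 hex characters (160 bits) and HMAC-SHA256 yields 64 (256 bits), matching the sizes given for the algorithms above.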

IPSEC AUTHENTICATION

VPNs with IPsec support authentication. When conducting long-distance business, it is necessary to know who is on the other side of the phone, email or fax. The same goes for VPN networks.
The device at the other end of the VPN tunnel must be authenticated so that the communication path is considered secure, as indicated in the illustration. There are two peer authentication methods :

  • PSK : a secret key shared between the two parties over a secure channel before it needs to be used. Pre-shared keys (PSK) use symmetric-key cryptographic algorithms. A PSK is entered into each peer manually and used to authenticate the peer. At each end, the PSK is combined with other information to form the authentication key.
  • RSA signatures : digital certificates are exchanged to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash, or digital signature, is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted with the public key of the local end. If the decrypted hash matches the recalculated hash, the signature is genuine.
  • IPsec uses RSA (a public-key cryptosystem) for authentication in the context of IKE. The RSA signature method uses a digital signature setup in which each device digitally signs a set of data and sends it to the other party.


GRE Tunnels Features and Configuration

This section describes the purpose and benefits of GRE tunnels. It also shows how to configure a GRE site-to-site tunnel on a Cisco router, with the complete configuration commands.

WHAT ARE GRE TUNNELS

Generic routing encapsulation (GRE) is an example of a basic and non-secure site-to-site VPN tunneling protocol. GRE is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types within IP tunnels, which creates a virtual point-to-point link to Cisco routers at remote points through an IP internetwork.
GRE is designed to manage the transport of multiprotocol and IP multicast traffic between two or more sites that may have only IP connectivity. It can encapsulate several types of protocol packet within an IP tunnel.
As shown in the illustration, a tunnel interface supports a header for each of the following protocols:

  • An encapsulated protocol (or passenger protocol), such as IPv4, IPv6, AppleTalk, DECnet or IPX
  • An encapsulation (or carrier) protocol, such as GRE
  • A transport delivery protocol, such as IP, which is the protocol that transports the encapsulated protocol

GRE Features and Characteristics

The IP tunneling that GRE uses enables network expansion across a single-protocol backbone environment. This is achieved by connecting multiprotocol subnets over a single-protocol backbone.

The characteristics of GRE are the following:

  • GRE is defined as an IETF standard (RFC 2784).
  • In the external IP header, the number 47 is used in the protocol field to indicate that what follows is a GRE header.
  • GRE encapsulation uses a protocol type field in the GRE header to support encapsulation of any layer 3 protocol of the OSI model. Protocol types are defined in RFC 1700 as "EtherTypes."
  • GRE itself is stateless; by default, it does not include any flow control mechanism.
  • GRE does not include any strong security mechanism to protect its payload.
  • The GRE header, together with the tunneling IP header shown in the illustration, adds at least 24 bytes of overhead to packets sent through the tunnel.
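The header layout listed above, as an added example that is not part of the original post: an outer IPv4 header carrying protocol number 47, followed by the 4-byte RFC 2784 GRE header whose protocol-type field holds the passenger's EtherType, giving the 24 bytes of overhead the text mentions. The tunnel endpoint addresses are the ones used in the configuration later in this section; the passenger packet is a constructed 20-byte IPv4 header and is treated as opaque bytes.

```python
import ipaddress
import struct

GRE_PROTOCOL_NUMBER = 47   # value in the outer IP protocol field that announces a GRE header
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type values reuse the EtherType registry
ETHERTYPE_IPV6 = 0x86DD

# Constructed passenger packet: a bare IPv4 header, 192.168.2.1 -> 192.168.2.2, protocol ICMP.
SAMPLE_PASSENGER = bytes.fromhex("450000140001000040010000c0a80201c0a80202")


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre_header(protocol_type: int) -> bytes:
    """RFC 2784 base header: C bit, 12 reserved bits, 3-bit version (all 0), then protocol type."""
    return struct.pack("!HH", 0, protocol_type)


def build_outer_ipv4(src: str, dst: str, payload_len: int) -> bytes:
    """Outer (delivery) IPv4 header with protocol 47 and a correct checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64,
                         GRE_PROTOCOL_NUMBER, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, passenger: bytes,
                    protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """Delivery header + GRE header + passenger, in that order."""
    gre = build_gre_header(protocol_type)
    return build_outer_ipv4(tunnel_src, tunnel_dst, len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(packet: bytes):
    """Validate the delivery header and GRE header; return (src, dst, protocol_type, passenger)."""
    if len(packet) < 24:
        raise ValueError("packet shorter than minimum IPv4 + GRE headers")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL_NUMBER:
        raise ValueError("outer protocol is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, protocol_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    gre_len = 4 + (4 if flags & 0x8000 else 0)   # C bit set: Checksum + Reserved1 follow
    return src, dst, protocol_type, packet[ihl + gre_len:]


def overhead_bytes(tunnelled: bytes, passenger: bytes) -> int:
    return len(tunnelled) - len(passenger)


if __name__ == "__main__":
    pkt = gre_encapsulate("209.165.201.1", "198.133.219.87", SAMPLE_PASSENGER)
    print("overhead:", overhead_bytes(pkt, SAMPLE_PASSENGER))
    print(gre_decapsulate(pkt)[:3])
```

Nothing in the encapsulation hides or authenticates the passenger: anyone on the delivery path can read the protocol-type field and the inner packet, which is exactly why the section later warns that GRE alone is not secure.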

GRE TUNNEL CONFIGURATION

GRE is used to create a VPN tunnel between two sites, as shown in the illustration.
To implement a GRE tunnel, the network administrator must first learn the IP addresses of the endpoints. Then, five steps must be followed to configure a GRE tunnel:

  1. Create a tunnel interface with the interface tunnel number command.
  2. Specify the source IP address of the tunnel.
  3. Specify the destination IP address of the tunnel.
  4. Configure an IP address for the tunnel interface.
  5. (Optional) Specify GRE as the tunnel interface mode. GRE tunnel mode is the default tunnel interface mode in Cisco IOS software.

GRE TUNNEL CONFIGURATION COMMANDS

A basic GRE tunnel configuration for router R1 is shown below:

R1(config)# interface Tunnel0
R1(config-if)# tunnel mode gre ip
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# tunnel source 209.165.201.1
R1(config-if)# tunnel destination 198.133.219.87
R1(config-if)# router ospf 1
R1(config-router)# network 192.168.2.0 0.0.0.255 area 0

The R2 configuration mirrors the R1 configuration:

R2(config)# interface Tunnel0
R2(config-if)# tunnel mode gre ip
R2(config-if)# ip address 192.168.2.2 255.255.255.0
R2(config-if)# tunnel source 198.133.219.87
R2(config-if)# tunnel destination 209.165.201.1
R2(config-if)# router ospf 1
R2(config-router)# network 192.168.2.0 0.0.0.255 area 0

The minimum configuration requires specifying the source and destination addresses of the tunnel. An IP subnet must also be configured to provide IP connectivity across the tunnel link.
Both tunnel interfaces have the tunnel source set to the local serial interface S0/0/0 and the tunnel destination set to the serial interface S0/0/0 of the peer router. An IP address is assigned to the tunnel interface on both routers. OSPF was also configured to exchange routes through the GRE tunnel.
Descriptions of individual GRE tunnel commands are shown in Figure 4.
GRE Tunnel Command Table:

  Command                          | Description
  ---------------------------------|----------------------------------------------------------
  tunnel mode gre ip               | Specifies that the tunnel interface mode is GRE over IP.
  tunnel source ip_address         | Specifies the source address of the tunnel.
  tunnel destination ip_address    | Specifies the destination address of the tunnel.
  ip address ip_address mask       | Specifies the IP address of the tunnel interface.

The tunnel source and tunnel destination commands refer to the IP addresses of the previously configured physical interfaces. The ip address command on the tunnel interfaces refers to an IP network specially designed for the purposes of the GRE tunnel.
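A consistency check for the pair of configurations above, as an added example that is not part of the original post or of Cisco IOS: it parses the Tunnel0 block of each router, confirms that each side's tunnel source is the other side's tunnel destination, that both tunnel addresses sit in the same subnet, and notes when a plain GRE tunnel carries no IPsec protection. The two configuration texts are constructed from the R1 and R2 commands shown above; the tunnel protection ipsec profile line it looks for is the IOS command that would attach IPsec to the tunnel, and its absence is reported only as information.

```python
import ipaddress
import re

# Constructed from the R1/R2 configuration shown in this section.
R1_CONFIG = """
interface Tunnel0
 tunnel mode gre ip
 ip address 192.168.2.1 255.255.255.0
 tunnel source 209.165.201.1
 tunnel destination 198.133.219.87
"""
R2_CONFIG = """
interface Tunnel0
 tunnel mode gre ip
 ip address 192.168.2.2 255.255.255.0
 tunnel source 198.133.219.87
 tunnel destination 209.165.201.1
"""

_PATTERNS = {
    "mode": re.compile(r"^\s*tunnel mode (.+?)\s*$", re.M),
    "source": re.compile(r"^\s*tunnel source (\S+)", re.M),
    "destination": re.compile(r"^\s*tunnel destination (\S+)", re.M),
    "address": re.compile(r"^\s*ip address (\S+) (\S+)", re.M),
    "protection": re.compile(r"^\s*tunnel protection ipsec profile (\S+)", re.M),
}


def parse_tunnel_block(config: str) -> dict:
    """Pull the tunnel-relevant commands out of one router's Tunnel interface block."""
    parsed = {}
    for key, pattern in _PATTERNS.items():
        match = pattern.search(config)
        parsed[key] = match.groups() if match else None
    if parsed["address"]:
        ip, mask = parsed["address"]
        parsed["address"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return parsed


def check_tunnel_pair(config_a: str, config_b: str) -> list:
    """Return a list of findings; an empty list means the two ends are consistent."""
    a, b = parse_tunnel_block(config_a), parse_tunnel_block(config_b)
    findings = []
    for side, cfg in (("A", a), ("B", b)):
        for key in ("source", "destination", "address"):
            if cfg[key] is None:
                findings.append(f"{side}: missing tunnel {key}")
    if findings:
        return findings
    # Endpoints must mirror each other; if an interface name rather than an IP address is
    # used as tunnel source, this check needs the interface's address resolved first.
    if a["source"][0] != b["destination"][0]:
        findings.append("A source does not match B destination")
    if b["source"][0] != a["destination"][0]:
        findings.append("B source does not match A destination")
    if a["address"].network != b["address"].network:
        findings.append("tunnel addresses are not in the same subnet")
    elif a["address"].ip == b["address"].ip:
        findings.append("both ends use the same tunnel IP address")
    if (a["mode"] or ("gre ip",))[0] != (b["mode"] or ("gre ip",))[0]:
        findings.append("tunnel modes differ")
    if a["protection"] is None or b["protection"] is None:
        findings.append("info: plain GRE, no IPsec protection configured on the tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_pair(R1_CONFIG, R2_CONFIG) or ["no findings"]:
        print(finding)
```

Run it before bringing the tunnel up; a mirrored source/destination mistake is the most common reason the line protocol stays down in the verification step that follows.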

GRE TUNNEL VERIFICATION

There are several commands that can be used to monitor GRE tunnels and troubleshoot related problems. To determine whether the tunnel interface is up or down, use the show ip interface brief command.

To verify the status of a GRE tunnel, use the show interface tunnel command.

The line protocol on a GRE tunnel interface stays up as long as there is a route to the tunnel destination. Before a GRE tunnel is implemented, IP connectivity must already be operational between the IP addresses of the physical interfaces at opposite ends of the prospective GRE tunnel. The tunnel transport protocol is shown in the output.
If OSPF was also configured to exchange routes through the GRE tunnel, verify that an OSPF adjacency has been established across the tunnel interface with the show ip ospf neighbor command. In Figure 2, note that the interface address of the OSPF neighbor is in the IP network created for the GRE tunnel.

CONCLUSION

GRE is considered a VPN because it is a private network that is created with tunneling through a public network. Through encapsulation, a GRE tunnel creates a virtual point-to-point link to Cisco routers at remote points through an IP internetwork.

  • The advantages of GRE are that it can be used to tunnel non-IP traffic through an IP network, which allows network expansion by connecting multiprotocol subnets across a single-protocol backbone environment.
  • In addition, GRE supports IP multicast tunneling. This means that routing protocols can be used through the tunnel, which enables the dynamic exchange of routing information in the virtual network.
  • Finally, it is common to create GRE IPv6-over-IPv4 tunnels, where IPv6 is the encapsulated protocol and IPv4 is the transport protocol. In the future, these roles are likely to be reversed when IPv6 becomes the standard IP protocol.

However, GRE does not provide encryption or any other security mechanism. Therefore, the data that is sent through a GRE tunnel is not secure. If secure data communication is required, VPN networks with IPsec or SSL must be configured.