

  • Number of slides: 32

CNIT 221 Security Module 5 2 ver. 2
City College of San Francisco, Spring 2007
© 2004, Cisco Systems, Inc. All rights reserved. © 2005 Cisco Systems, Inc. All rights reserved.

Network Security 2
Module 5 – Configure Site-to-Site VPNs Using Digital Certificates

Learning Objectives
5.1 Configure CA Support on a Cisco Router
5.2 Configure an IOS Router Site-to-Site VPN Using Digital Certificates
5.3 Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates

Module 5 – Configure Site-to-Site VPNs Using Digital Certificates
5.1 Configure CA Support on a Cisco Router

Cisco IOS Software CA Configuration Procedure
Step 1 – (Optional) Manage the NVRAM memory usage.
Step 2 – Set the router time and date.
    clock timezone
    clock set
Step 3 – Configure the router hostname and domain name.
    hostname
    ip domain-name
Step 4 – Generate an RSA key pair.
    crypto key generate rsa usage-keys
Step 5 – Declare a CA.
    crypto pki trustpoint name

Cisco IOS Software CA Configuration Procedure (Continued)
Step 6 – Authenticate the CA.
    crypto pki authenticate name
Step 7 – Request a certificate for the router.
    crypto pki enroll name
Step 8 – Save the configuration.
    copy running-config startup-config
Step 9 – (Optional) Monitor and maintain CA interoperability.
    crypto pki trustpoint name
Step 10 – Verify the CA support configuration.
    show crypto pki certificates
    show crypto key {mypubkey | pubkey-chain} rsa

Step 1 – (Optional) Manage NVRAM Memory Usage
Types of certificates stored on a router:
  • The identity certificate of the router
  • The root certificate of the CA
  • Root certificates obtained from CA servers
  • Two RA certificates (these are CA vendor-specific)
The number of CRLs stored on a router:
  • One, if the CA does not support an RA
  • Multiple, if the CA supports an RA

Step 2 – Set the Router Time and Date
router(config)# clock timezone zone hours [minutes]
  • Sets the router time zone and offset from UTC
RouterA(config)# clock timezone cst -6
router# clock set hh:mm:ss day month year
router# clock set hh:mm:ss month day year
  • Sets the router time and date
RouterA# clock set 23:59 17 February 2005

Step 3 – Add a CA Server Entry to the Router Host Table
[Figure: Site 1 RouterA (10.0.1.0, 172.30.1.2) to Internet to RouterB (172.30.2.2, 10.0.2.0) Site 2; CA at 172.30.1.51]
router(config)# hostname name
  • Specifies a unique name for the router
router(config)# hostname RouterA
router(config)# ip domain-name name
  • Specifies a unique domain name for the router
RouterA(config)# ip domain-name xyz.com

Static Name-to-Address Mapping
[Figure: Site 1 RouterA (10.0.1.0, 172.30.1.2) to Internet to RouterB (172.30.2.2, 10.0.2.0) Site 2; CA "vpnca" at 172.30.1.51]
router(config)# ip host name address1 [address2 ... addressN]
  • Defines a static hostname-to-address mapping for the CA server
  • Step necessary if the domain name is not resolvable
RouterA(config)# ip host vpnca 172.30.1.51

Step 4 – Generate an RSA Key Pair
[Figure: Site 1 RouterA (10.0.1.0) to Internet to RouterB (10.0.2.0) Site 2; CA]
router(config)# crypto key generate rsa [general-keys | usage-keys]
  • Using the keyword usage-keys generates two sets of RSA keys:
    – Use one key set for RSA signatures.
    – Use one key set for RSA encrypted nonces.
RouterA(config)# crypto key generate rsa

Step 4 – Generate RSA Keys – Example Output
RouterA(config)# crypto key generate rsa
The name for the keys will be: router.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 512
Generating RSA keys... [OK]

RouterA# show crypto key mypubkey rsa
% Key pair was generated at: 23:58:59 UTC Dec 31 2000
Key name: RouterA.cisco.com
Usage: General Purpose Key
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A9443B 62FDACFB
  380219D6 4636E015 4D7C6F33 4DC1F6E0 6A81CE57 28A21116 E3CCDB87 8419AE1C
  D895B309 531EDD30 D1C929A2 5E521688 A1295907 F4E98BF9 20020301 0001
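The Key Data block that show crypto key mypubkey rsa prints is a DER-encoded SubjectPublicKeyInfo structure, so the key size and public exponent can be checked offline before the key is enrolled with a CA. The following Python is an added example written for this page, not code from the course or from Cisco: it parses the 512-bit key shown in the example output above (re-joined from the slide into the router's grouped-hex form) and applies a size policy. The 2048-bit minimum in key_acceptable is an assumption reflecting current guidance; the 512-bit modulus the slide accepts as the default would fail it.

```python
import hashlib

# Constructed sample: the 512-bit RSA public key from the module's
# "show crypto key mypubkey rsa" output, pasted in the router's grouped-hex form.
SAMPLE_KEY_DATA = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A9443B 62FDACFB
380219D6 4636E015 4D7C6F33 4DC1F6E0 6A81CE57 28A21116 E3CCDB87 8419AE1C
D895B309 531EDD30 D1C929A2 5E521688 A1295907 F4E98BF9 20020301 0001
"""

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")


def _read_tlv(buf, pos):
    """Decode the DER tag-length-value element at buf[pos]; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos:end], end


def parse_rsa_spki(key_data_hex):
    """Parse the SubjectPublicKeyInfo hex dump the router prints and return key parameters."""
    der = bytes.fromhex("".join(key_data_hex.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Key Data is not a single DER SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    if tag != 0x03 or bit_string[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey")
    tag, rsa_key, _ = _read_tlv(bit_string, 1)       # RSAPublicKey SEQUENCE
    n_tag, n_bytes, pos = _read_tlv(rsa_key, 0)      # INTEGER modulus
    e_tag, e_bytes, _ = _read_tlv(rsa_key, pos)      # INTEGER publicExponent
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    modulus = int.from_bytes(n_bytes, "big")
    exponent = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": modulus.bit_length(),
        "exponent": exponent,
        "sha1_fingerprint": hashlib.sha1(der).hexdigest(),
    }


def key_acceptable(info, min_bits=2048):
    """Policy check (assumed threshold): modulus at least min_bits, exponent odd and >= 65537."""
    e = info["exponent"]
    return info["modulus_bits"] >= min_bits and e >= 65537 and e % 2 == 1


if __name__ == "__main__":
    info = parse_rsa_spki(SAMPLE_KEY_DATA)
    print(info)
    print("acceptable under 2048-bit policy:", key_acceptable(info))
```

Paste the Key Data lines from the router into SAMPLE_KEY_DATA (whitespace is ignored) to check a key generated on your own router; the parser rejects truncated or non-RSA input with ValueError rather than guessing.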

Step 5 – Declare a CA
[Figure: Site 1 RouterA (10.0.1.0, 172.30.1.2) to Internet to RouterB (172.30.2.2, 10.0.2.0) Site 2; CA "VPNCA" at 172.30.1.51]
router(config)# crypto pki trustpoint name
  • Specifies the desired CA server name
  • Puts the administrator in the ca-trustpoint configuration mode
RouterA(config)# crypto pki trustpoint vpnca
RouterA(ca-trustpoint)#

Step 5 – Commands Used to Declare a CA
RouterA(config)# crypto pki trustpoint vpnca
RouterA(ca-trustpoint)# ?
ca trustpoint configuration commands:
  crl         CRL option
  default     Set a command to its defaults
  enrollment  Enrollment parameters
  exit        Exit from certificate authority identity entry mode
  no          Negate a command or set its defaults
  query       Query parameters
RouterA(ca-trustpoint)# enrollment ?
  http-proxy  HTTP proxy server for enrollment
  mode        Mode supported by the Certificate Authority
  retry       Polling parameters
  url         CA server enrollment URL

Step 5 – Declare a CA
[Figure: Site 1 RouterA (10.0.1.0, 172.30.1.2) to Internet to RouterB (172.30.2.2, 10.0.2.0) Site 2; CA "VPNCA" at 172.30.1.51]
RouterA(config)# crypto pki trustpoint VPNCA
RouterA(ca-trustpoint)# enrollment url http://vpnca/certsrv/mscep.dll
RouterA(ca-trustpoint)# enrollment mode ra
RouterA(ca-trustpoint)# crl optional
  • Specifies the URL for the CA server
  • Minimum configuration to declare a CA

Step 6 – Authenticate the CA
[Figure: RouterA (Site 1) requests the CA/RA certificate from the CA "VPNCA" at 172.30.1.51 and downloads it; the router displays the CA/RA fingerprint (xxxx aaaa zzzz bbbb), which the administrator compares with the CA/RA fingerprint obtained from the CA administrator]
router(config)# crypto pki authenticate name
  • Manually authenticates the public key of the CA by contacting the CA administrator to compare the fingerprint of the CA certificate
RouterA(config)# crypto pki authenticate VPNCA
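The fingerprint comparison in Step 6 is the only thing that ties the downloaded CA certificate to the real CA: whoever can tamper with the download path can substitute a certificate of their own, and the router will happily display that certificate's fingerprint. The check is therefore done against a value obtained out of band from the CA administrator. The Python below is an added example for this page (not from the course or from Cisco) of doing that comparison in a helper script: it computes MD5 and SHA-1 fingerprints in the grouped upper-case hex style the router prints, normalizes the spacing, colons and case that differ between sources, and compares in constant time. The certificate bytes are a constructed stand-in, since any byte string serves to show the mechanics.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER bytes of the CA certificate the router
# downloaded during "crypto pki authenticate". A real check would read the
# certificate the router actually received.
SAMPLE_CA_CERT_DER = bytes(range(256)) * 4


def ios_style_fingerprints(cert_der):
    """Return MD5 and SHA-1 fingerprints of the DER certificate as upper-case hex
    grouped in 8-character words, the layout the router uses when it shows them."""
    def group(hexdigest):
        return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))
    return {
        "md5": group(hashlib.md5(cert_der).hexdigest().upper()),
        "sha1": group(hashlib.sha1(cert_der).hexdigest().upper()),
    }


def normalize(fingerprint):
    """Strip spaces, colons and case so 'XXXX AAAA', 'xx:xx' and 'xxxxaaaa' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def fingerprint_matches(displayed, out_of_band):
    """Compare the fingerprint the router displayed with the one the CA administrator supplied."""
    a, b = normalize(displayed), normalize(out_of_band)
    if not a or len(a) != len(b):
        return False
    return hmac.compare_digest(a, b)      # constant-time comparison


def should_accept_ca(cert_der, expected_fingerprint):
    """Accept the downloaded CA certificate only if the administrator-supplied
    fingerprint matches. A 40-hex-digit value is treated as SHA-1, a 32-digit
    value as MD5 (still reported by older CA software); anything else is rejected."""
    fps = ios_style_fingerprints(cert_der)
    digits = normalize(expected_fingerprint)
    if len(digits) == 40:
        return fingerprint_matches(fps["sha1"], expected_fingerprint)
    if len(digits) == 32:
        return fingerprint_matches(fps["md5"], expected_fingerprint)
    return False


if __name__ == "__main__":
    fps = ios_style_fingerprints(SAMPLE_CA_CERT_DER)
    print("Fingerprint MD5: ", fps["md5"])
    print("Fingerprint SHA1:", fps["sha1"])
    print("accept with matching SHA-1:", should_accept_ca(SAMPLE_CA_CERT_DER, fps["sha1"]))
    print("accept with placeholder:   ", should_accept_ca(SAMPLE_CA_CERT_DER, "xxxx aaaa zzzz bbbb"))
```

The router's own prompt after crypto pki authenticate asks whether to accept the certificate; the point of the script is that the answer comes from a comparison against a value that never travelled over the same path as the certificate. Prefer the SHA-1 value when the CA administrator can supply both.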

Step 7 – Request a Certificate for the Router
[Figure: RouterA (Site 1) sends an enroll request and password to the CA "VPNCA" at 172.30.1.51 and downloads its identity certificate]
router(config)# crypto pki enroll name
  • Requests a signed identity certificate from the CA/RA
RouterA(config)# crypto pki enroll VPNCA

Step 8 – Save the Configuration
[Figure: Site 1 RouterA (10.0.1.0, 172.30.1.2) to Internet to RouterB (172.30.2.2, 10.0.2.0) Site 2; CA "VPNCA" at 172.30.1.51]
RouterA# copy running-config startup-config
  • Saves the running configuration of the router to NVRAM

Step 9 – Monitor and Maintain CA Interoperability
  • The following steps are optional, depending on the particular requirements:
    – Request a CRL
    – Query a CRL
    – Delete RSA keys from the router
    – Delete peer public keys
    – Delete certificates from the configuration
    – View keys and certificates

Step 10 – Verify the CA Support Configuration
[Figure: Site 1 RouterA (10.0.1.0, 172.30.1.2) to Internet to RouterB (172.30.2.2, 10.0.2.0) Site 2; CA "VPNCA" at 172.30.1.51]
router# show crypto pki certificates
  • View any configured CA or RA certificates
router# show crypto key {mypubkey | pubkey-chain} rsa
  • View RSA keys for the router and other IPSec peers enrolled with a CA

CA Support Configuration Example
RouterA# show running-config
!
hostname RouterA
!
ip domain-name cisco.com
!
crypto pki trustpoint VPNCA
 enrollment mode ra
 enrollment url http://vpnca:80
 query url ldap://vpnca
 crl optional
crypto pki certificate chain entrust
 certificate 37C6EAD6
  30820299 30820202 A0030201 02020437 C6EAD630 0D06092A 864886F7 0D010105
  (certificates concatenated)

Module 5 – Configure Site-to-Site VPNs Using Digital Certificates
5.2 Configure an IOS Router Site-to-Site VPN Using Digital Certificates

Configuration Tasks
  • Prepare for ISAKMP and IPSec.
  • Configure CA support.
  • Configure ISAKMP.
  • Configure IPSec.
  • Test and verify IPSec.

Prepare for IPSec
  • Step 1 Plan for CA support
  • Step 2 Determine the ISAKMP (IKE phase one) policy
  • Step 3 Determine the IPSec (IKE phase two) policy
  • Step 4 Check the current configuration
  • Step 5 Ensure the network works without encryption
  • Step 6 Ensure that access lists are compatible with IPSec

Configure the Router for CA Support
  • Step 1 Manage the non-volatile RAM (NVRAM) memory usage.
  • Step 2 Set the router time and date.
  • Step 3 Configure the router hostname and domain name.
  • Step 4 Generate an RSA key pair.
  • Step 5 Declare a CA.
  • Step 6 Authenticate the CA.
  • Step 7 Request a certificate.
  • Step 8 Save the configuration.
  • Step 9 Monitor and maintain CA interoperability (Optional).
  • Step 10 Verify the CA support configuration.

Create IKE Policies

Configure IPSec Encryption
  • Configure transform set suites with the crypto ipsec transform-set command.
  • Configure global IPSec security association lifetimes with the crypto ipsec security-association lifetime command.
  • Configure crypto access lists with the access-list command.

Test and Verify IPSec
  • Display the configured transform sets using the show crypto ipsec transform-set command.
  • Display the current state of the IPSec SAs with the show crypto ipsec sa command.
  • View the configured crypto maps with the show crypto map command.
  • Debug IKE and IPSec traffic through the Cisco IOS with the debug crypto ipsec and debug crypto isakmp commands.
  • Debug CA events through the Cisco IOS using the debug crypto key-exchange and debug crypto pki commands.

Module 5 – Configure Site-to-Site VPNs Using Digital Certificates
5.3 Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates

CA Server Fulfilling Requests from IPSec Peers

Enroll a PIX Security Appliance with a CA
