Posted on 14-Mar-2018

Network Security, Sven Sanders

Guest lecture 19/4

• Peter Van Hemlryck, Fortinet
▫ Fortigate firewall + practical examples
• Assignment:
▫ 3 "lessons learned"
    What do you consider important/relevant to remember
    What may be asked on the exam
▫ Hand in on A4
▫ Immediately after the guest lecture
• The content is part of the course material (own summary)

Sven Sanders - Odisee

2

Lessons learned: encryption

• Symmetric encryption vs asymmetric encryption
▫ 1 secret key vs public-private pair
▫ Speed vs ease of key exchange
• An SSL connection uses the strengths of both:
▫ Asymmetric encryption to exchange the symmetric key
▫ Symmetric encryption for the data exchange
• Certificates confirm the identity of the owner of the public key
▫ Chain of trust


VPN


VPN

• Secure connection over an insecure network
▫ By applying encryption
• Types:
▫ Site-to-site or dial-in
▫ IPsec or SSL


IPsec

• Building the tunnel
▫ Confidentiality: encrypt the data
▫ Integrity: message authentication
▫ Authentication: PSK or certificate
▫ Anti-replay: sequence numbering
• Tunnel mode or transport mode
• ESP or AH
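The anti-replay check listed above, as an added example that is not from the slides: a sliding-window receiver in the style RFC 4303 describes for ESP, where only fresh sequence numbers inside or to the right of the window are accepted (window size, class and function names are my choices).

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check for ESP sequence numbers (RFC 4303 style).

    The receiver keeps the highest sequence number accepted so far (the right
    edge of the window) and a bitmap of which of the previous `size` numbers
    were already seen. Assumption: 32-bit sequence numbers without Extended
    Sequence Numbers, so the window never has to handle wrap-around.
    """

    def __init__(self, size=64):          # 64 is the window RFC 4303 suggests
        self.size = size
        self.top = 0                      # highest accepted seq; ESP starts at 1
        self.bitmap = 0                   # bit i set => seq (top - i) was seen

    def check_and_update(self, seq):
        """Return True and slide the window if seq is fresh; False if it is a
        replay or too old. A real ESP receiver updates the window only after
        the ICV has verified, so forged packets cannot advance it."""
        if seq == 0:
            return False                  # 0 is never a valid ESP sequence number
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1           # jumped past the whole window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                  # left of the window: too old
        if (self.bitmap >> diff) & 1:
            return False                  # inside the window but already seen
        self.bitmap |= 1 << diff
        return True


def replay_stats(window, seqs):
    """Feed packet numbers through the window; return (accepted, rejected)."""
    accepted = sum(1 for s in seqs if window.check_and_update(s))
    return accepted, len(seqs) - accepted


if __name__ == "__main__":
    # Constructed traffic: in-order packets, one late packet, one replay,
    # a jump past the window, then a packet that has fallen out of it.
    print(replay_stats(AntiReplayWindow(), [1, 2, 3, 5, 4, 3, 100, 36, 37]))
```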


IPsec

• Internet Key Exchange
▫ Phase 1:
    Secure channel with DH
    Authentication
    Set up a secure channel with symmetric encryption
    Aggressive or main mode
▫ Phase 2:
    Set up the tunnel for the data
    DH and symmetric encryption of the data
▫ Perfect forward secrecy
▫ Lifetime


Route based site-to-site VPN

• Alternative: policy based
▫ Not on Palo Alto; may be used at the other endpoint of the tunnel


Diagram: site-to-site IPsec tunnel (Tunnel.1) between 192.168.10.0/24 and 10.2.0.0/24; firewall interfaces Ethernet 1/3 (24.1.1.12) and Ethernet 1/8 (161.10.12.64). Routing Table: 10.2.0.0/24 > Tunnel.1

VPN configuration

• Create the tunnel interface
• Configure the IPsec tunnel
▫ IPsec tunnel
▫ IKE gateway
▫ Crypto profiles
• Add a static route


Tunnel interface


Network > Interfaces > Tunnel

An address is only needed if IP traffic is required between the tunnel endpoints, in particular for a routing protocol and the tunnel monitor.

Tunnel Identifier

IKE gateway


Network > Network Profiles > IKE Gateways

IKE gateway


In passive mode the firewall does not initiate the process itself.

IKE cryptographic profile


Network > Network Profiles > IKE Crypto

Symmetric Bulk Data Encryption

Asymmetric Key Exchange

Authentication supports md5, sha1, sha256, sha384, sha512

IPsec tunnel


Network > IPSec Tunnel

IKE Gateway

Phase 2 crypto proposal

To confirm route validity (if the Tunnel interface has been configured with an IP address)

IPsec cryptographic profiles


Network > Network Profiles > IPSec Crypto

Asymmetric Key Exchange: DH Group 1, 2, 5, 14, no-pfs

Enable PFS

IPsec tunnel


Network > IPSec Tunnel

Override Default Proxy ID

Static route

• Tunnel interface as the exit interface
• Next hop is not important


Troubleshooting


Issue                      Initiator Error       Responder Error
Wrong IP / no connection   P1 - Timeout          P1 - Timeout
No matching P1 proposal    P1 - Timeout          No suitable proposal (P1)
Mismatched peer ID         P1 - Timeout          Peer identifier does not match
No matching P2 proposal    No proposal chosen    No suitable proposal (P2)
PFS Group mismatch         P2 - Timeout          PFS group mismatch
Mismatched proxy ID        P2 - Timeout          Cannot find matching phase-2 tunnel

Log messages (system log)


peer identifier (type fqdn [bad.peer]) does not match remote Remote2.
(callouts: name of the local Phase 1 IKE gateway object; the remote side's Phase 1 peer configuration)

IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 192.168.41.1/24 type IPv4_subnet protocol 0 port 0, received remote id: 192.168.42.1/24 type IPv4_subnet protocol 0 port 0.
(callouts: the "Remote Proxy ID" from the other side; the "Local Proxy ID" from the other side)
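The troubleshooting table and the two system-log messages above, as an added example that is not part of the slides: a small triage script that maps IKE log lines back to the table's Issue column and, for a proxy ID mismatch, extracts the IDs the peer sent. Patterns follow the slide wording (an assumption; real PAN-OS log text may differ), and the PFS and "commit succeeded" lines in the sample log are constructed.

```python
import re

# Responder-side wording from the troubleshooting table and the two system
# log messages on the slides, mapped back to the table's Issue column.
# Assumption: patterns follow the slide wording; real PAN-OS text may differ.
RULES = [
    (r"peer identifier .*does not match", "Mismatched peer ID", 1),
    (r"cannot find matching phase-2 tunnel", "Mismatched proxy ID", 2),
    (r"pfs group mismatch", "PFS Group mismatch", 2),
    (r"no suitable proposal.*\(p1\)", "No matching P1 proposal", 1),
    (r"no suitable proposal.*\(p2\)", "No matching P2 proposal", 2),
    (r"no proposal chosen", "No matching P2 proposal", 2),
]
PROXY_RE = re.compile(r"received local id: (\S+) .*?received remote id: (\S+)")

def classify(line):
    """Map one IKE system-log line to a row of the troubleshooting table;
    return None when the line is not a known failure."""
    for pattern, issue, phase in RULES:
        if not re.search(pattern, line, re.IGNORECASE):
            continue
        result = {"issue": issue, "phase": phase}
        m = PROXY_RE.search(line)
        if m:
            # Per the slide callouts, 'received local id' is the other side's
            # Remote Proxy ID and 'received remote id' its Local Proxy ID, so
            # they must equal this firewall's local and remote proxy IDs.
            result["received_local_id"], result["received_remote_id"] = m.groups()
            result["fix"] = (f"expected on this firewall: local proxy ID "
                             f"{m.group(1)}, remote proxy ID {m.group(2)}")
        return result
    return None

def triage(lines):
    """Classify every line, dropping lines that are not IKE failures."""
    return [r for r in (classify(l) for l in lines) if r is not None]

# Sample input: the two messages quoted on the slide, one constructed PFS
# failure in the table's wording, and one unrelated constructed line.
SAMPLE_LOG = [
    "peer identifier (type fqdn [bad.peer]) does not match remote Remote2.",
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find "
    "matching phase-2 tunnel for received proxy ID. received local id: "
    "192.168.41.1/24 type IPv4_subnet protocol 0 port 0, received remote id: "
    "192.168.42.1/24 type IPv4_subnet protocol 0 port 0.",
    "IKE phase-2 negotiation failed: PFS group mismatch.",
    "commit succeeded",
]
```

`triage(SAMPLE_LOG)` returns three rows; the proxy ID row carries the IDs to compare against this firewall's local and remote proxy ID settings.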

GlobalProtect


GlobalProtect

• Dial-in VPN solution (+)
• Host Information Profile (HIP)
▫ Restrictions can also be based on AV, OS patches, disk encryption


Components


Diagram: GlobalProtect components (Portal, Gateways, GP Agent); arrows labelled "Config Info to Client" (portal to agent) and "Secure VPN" (agent to gateway).

Connection setup


Determining internal vs external


Diagram: the client performs a reverse DNS lookup against the external DNS server and against the internal DNS server.

Agent installation

• Download the client from the firewall portal


Simple Topology


Single GlobalProtect Gateway/Portal

Advanced topology


Diagram: one GlobalProtect Portal and several GlobalProtect Gateways, each reachable over its own VPN.

Large scale VPN


Configuration


Certificates

• CA certificate
▫ Optional: self-signed/external CA
• GlobalProtect portal certificate
• GlobalProtect gateway certificate
▫ Manually on all gateways
• Optional: client certificate


GlobalProtect portal


Network > GlobalProtect > Portals

Profiles and certificates are created in advance

Interface hosting the portal

Pages loaded in Device > Response Pages

GlobalProtect portal


CA Certificate

Network > GlobalProtect > Portals

Client configuration - general


If the hostname resolves to the IP address, then the internal gateway is used

Connection methods


Client configuration - users

• Default: any


Client configuration - gateways


Client configuration – agent tab


View the Troubleshooting tab in the agent

Upgrade Options

Client VPN interfaces that take precedence over the GlobalProtect interface

GlobalProtect gateway


Network > GlobalProtect > Gateways

GP gateway – tunnel


Network > GlobalProtect > Gateways > Client Configuration

This is the default. To make SSL the primary method, uncheck this box.

Required for IPsec client connections

GP gateway - User


GP gateway – network settings


Network > GlobalProtect > Gateways > Client Configuration > Network Settings

IP addresses distributed to clients

Routes installed on clients' VPN connection; 0.0.0.0/0 enforces fixed-tunneling

GP gateway – network services

• Available in tunnel mode


Network > GlobalProtect > Gateways > Client Configuration > Network Settings

GlobalProtect agent


Can be left blank if using single sign-on

Do not include HTTP:// or HTTPS:// in the portal name!

Manual gateway selection