jaki vpn wybra w 2015
play

Jaki VPN wybra w 2015? Piotr Matusiak Security Consultant, Cisco - PowerPoint PPT Presentation

Feb 20, 2023 •173 likes •1.11k views

Jaki VPN wybra w 2015? Piotr Matusiak Security Consultant, Cisco AS Education CCIE #19860, CCDE 2015::1, C|EH, SFCE Your Presenter Visit us: http://www.cisco.com/go/ase Piotr Matusiak Security Cyber Security (SCYBER) Security Consultant

  1. Jaki VPN wybra ć w 2015? Piotr Matusiak Security Consultant, Cisco AS Education CCIE #19860, CCDE 2015::1, C|EH, SFCE

  2. Your Presenter Visit us: http://www.cisco.com/go/ase Piotr Matusiak Security Cyber Security (SCYBER) Security Consultant SourceFire (SSFIPS, SSFAMP, RULES, SNORT) Cisco AS Education Data Center 16 years in IT Nexus Switches (CCNDC, CCNDC-T, CCNDC-V) CCIE Data Center (DCXUC, DCXUF) 6 years in Cisco (total) Cloud Automation & Prime Services 5 years in Cisco AS Specialization: Security R&S + IoT Industrial Networking (IMINS, IE2k, IE3k) Service Provider (ASR9k, CRS-1, CRS-3, 7600, ASR1k, Metro Ethernet)

  3. Agenda • Preprocessors • IPS Policy Layering • Application Detection • AMP for Networks • Cloud Intelligence • Correlation Policies • Remediation • Event Analysis

  4. VPN Technology Positioning Data Center Core Internet IPSec Edge Agg. GM GM Remote Access KS KS SW Clients WAN Edge Internet/Shared GET MPLS/Private Network Encrypted Network Site-to- Site VPN DMVPN/FlexVPN GETVPN GM EzVPN/ GETVPN GM GETVPN GM Spoke FlexVPN Client Spoke 4

  5. Virtual Tunnel Interface (VTI)

  6. SVTI Configuration IPSec Static Virtual Tunnel Interfaces . . .1 1 92.168.100.0/30 .1 192.168.2.0/24 192.168.1.0/24 crypto isakmp policy 1 crypto isakmp policy 1 authentication pre-share authentication pre-share encr aes encr aes crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 crypto ipsec transform-set TSET esp-aes esp-sha-hmac crypto ipsec transform-set TSET esp-aes esp-sha- hmac crypto ipsec profile TP set transform-set TSET crypto ipsec profile TP set transform-set TSET interface Tunnel0 ip address 192.168.100.1 255.255.255.0 interface Tunnel0 tunnel source FastEthernet0/0 ip address 192.168.100.2 255.255.255.0 tunnel destination 1.1.1.2 tunnel source FastEthernet0/0 tunnel mode ipsec ipv4 tunnel destination 1.1.1.1 tunnel protection ipsec profile TP tunnel mode ipsec ipv4 tunnel protection ipsec profile TP ip route 192.168.2.0 255.255.255.0 Tunnel0 ip route 192.168.1.0 255.255.255.0 Tunnel0 6

  7. Virtual Tunnel Interface • IPsec in tunnel mode between VPN peers • Simplifies VPN configuration • Two types - Static VTI and Dynamic VTI (Enhanced EasyVPN) • Supports Quality of Service (QoS), multicast, and other routing functions that previously required GRE • Limited VPN interoperability support with non-Cisco platforms 7

  8. Static VTI • Statically configured tunnel via ‘tunnel mode ipsec ipv4/ipv6’ and tunnel protection • Always up • Interface state tied to underlying crypto socket state (IPsec SA) • Can initiate and accept only one IPsec SA per VTI • Routing determines traffic to be protected • IPsec SA re-keyed even in the absence of any traffic 8

  9. When do you use it § Used with site-to-site VPNs – to provide always-on traffic protection § Need for routing protocols and/or multicast traffic to be protected by IPsec tunnel § Eliminates the need of GRE § Need for QoS, firewall, or other security services on a per tunnel basis 9

  10. SVTI Advantages Disadvantages • Support for IGP dynamic routing protocol over the • No support for non-IP protocols VPN (EIGRP, OSPF, etc.) • Limited support for multi-vendor • Support for multicast • IPsec stateful failover not available • Application of features such as NAT, ACLs, and • Similar scaling properties of IPsec and GRE QoS and apply them to clear-text or encrypted over IPsec text • Only tunnel mode • Simpler configuration • IPsec sessions not tied to any interface 10

  11. Dynamic VTI § Dynamically instantiated IPsec virtual-access interface (not configurable) cloned from a pre-defined virtual-template § Created on an incoming IPsec tunnel request § Interface state tied to underlying crypto socket state (IPsec SA) § Can support multiple IPsec SAs per DVTI § Avoids the need for a routing protocol and hence scales better 11

  12. Dynamic VTI § Mainly used as Enhanced Easy VPN server for terminating • Enhanced Easy VPN Remote • Legacy Easy VPN Remote § Easy VPN Remote supports 3 modes of operation • client mode • network extension mode • network extension plus mode § A single DVTI can terminate tunnels using static VTIs or crypto map § Can only terminate and cannot initiate an IPSec tunnel (except in the case of Enhanced Easy VPN Remote) 12

  13. SVTI to DVTI interface Tunnel0 ip unnumbered Loopback1 Branch tunnel source FastEthernet0 tunnel destination 192.168.2.1 tunnel mode ipsec ipv4 tunnel protection ipsec profile VTI Crypto Head End IKE pkts to 192.168.2.1 192.168.2.1 tunnel protect ipsec profile … interface Virtual-Access n crypto isakmp profile Data Plane interface Virtual-Template n Control Plane Virtual-Access interface is spawned from the Virtual-Template 13

  14. When do you use it • Scalable connectivity for remote-access VPNs • Need for QoS, firewall, or other security services on a per tunnel basis • Single touch configuration needed on hub • No need for routing protocols as it uses reverse route injection 14

  15. DVTI (SVTI to DVTI) Hub (DVTI) Spoke (SVTI) crypto isakmp policy 1 crypto isakmp policy 1 encr aes encr aes authentication pre-share authentication pre-share group 2 group 2 crypto isakmp key cisco123 address 0.0.0.0 crypto isakmp key cisco123 address 0.0.0.0 crypto isakmp profile VPN crypto ipsec transform-set TSET esp-aes esp- keyring default sha-hmac match identity address 0.0.0.0 virtual-template 1 crypto ipsec profile TP set transform-set TSET crypto ipsec transform-set TSET esp-aes esp-sha-hmac interface Tunnel0 crypto ipsec profile TP ip unnumbered Loopback0 set transform-set TSET tunnel source 1.1.1.2 set isakmp-profile VPN tunnel destination 1.1.1.1 tunnel mode ipsec ipv4 interface Virtual-Template1 type tunnel tunnel protection ipsec profile TP ip unnumbered Loopback0 tunnel source Ethernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile TP 15

  16. Enhanced EasyVPN Client To Server (using DVTI) Enhanced Easy VPN server: Enhanced Easy VPN remote: crypto isakmp client configuration group cisco crypto ipsec client ezvpn EZ key cisco connect manual dns 192.168.1.10 group cisco key cisco pool VPNPOOL local-address Ethernet0/0 acl 101 mode network-plus peer 1.1.1.1 crypto isakmp profile VPN virtual-interface 1 match identity group cisco xauth userid mode interactive isakmp authorization list default ! client configuration address respond interface Virtual-Template1 type tunnel virtual-template 1 ip unnumbered Loopback0 tunnel mode ipsec ipv4 crypto ipsec transform-set TSET esp-3des esp-sha-hmac crypto ipsec profile TP interface Ethernet0/0 set transform-set TSET ip address 1.1.1.3 255.255.255.0 set isakmp-profile VPN crypto ipsec client ezvpn EZ ! interface Virtual-Template1 type tunnel interface Ethernet0/1 ip unnumbered Loopback0 ip address 192.168.3.1 255.255.255.0 tunnel source Ethernet0/0 crypto ipsec client ezvpn EZ inside tunnel mode ipsec ipv4 tunnel protection ipsec profile TP 16

  17. DVTI Advantages Disadvantages • Simple configuration of headend once and • Requires ip unnumbered done • No support for non-IP protocols • Scalable • No direct spoke to spoke • Support for IGP dynamic routing protocol communication over the VPN • No IPsec stateful failover • Support for IP multicast • Support for per-branch QoS and traffic shaping • Centralized Policy Push (Easy VPN) • Support for x-auth (Easy VPN) • Cross platform support • IPsec sessions not tied to any interface 17

  18. Dynamic Multipoint VPN (DMVPN)

  19. What is Dynamic Multipoint VPN? DMVPN is a Cisco IOS software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner § Configuration reduction and no-touch deployment § Dynamic spoke-spoke tunnels for partial/full mesh scaling § Can be used without IPsec Encryption (optional) § Wide variety of network designs and options 19

  20. DMVPN Components • Next Hop Resolution Protocol (NHRP ) • Creates a distributed (NHRP) mapping database of all the spoke’s tunnel to real (public interface) addresses • Multipoint GRE Tunnel Interface (mGRE) • Single GRE interface to support multiple GRE/IPsec tunnels • Simplifies size and complexity of configuration • IPsec tunnel protection • Dynamically creates and applies encryption policies (optional) • Routing • Dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Psychological Factors and Issues in Return to Play After ACL Reconstruction JAKI HITZELBERGER,

Psychological Factors and Issues in Return to Play After ACL Reconstruction JAKI HITZELBERGER,

Psychological Factors and Issues in Return to Play After ACL Reconstruction JAKI HITZELBERGER, LMHC, MGCP Athletes Perception ACL INJURY continuum This is the worst Okay, what do I thing that could need to do to get ever happen

474 views • 32 slides
Entropy production in viscous fluid flows Armen Shirikyan Coauthors: V. Jaki c, V.

Entropy production in viscous fluid flows Armen Shirikyan Coauthors: V. Jaki c, V.

General philosophy References Randomly forced NavierStokes equations Entropy production in viscous fluid flows Armen Shirikyan Coauthors: V. Jaki c, V. Nersesyan, C.-A. Pillet Quantissima in the Serenissima III Venice, Italy August

293 views • 15 slides
Digital ACE Safeguarding Presenters Jaki Bradley, Principal , Thurrock Adult and Prevent

Digital ACE Safeguarding Presenters Jaki Bradley, Principal , Thurrock Adult and Prevent

28/09/2020 Digital ACE Safeguarding Presenters Jaki Bradley, Principal , Thurrock Adult and Prevent Community College Jill Newton, Safeguarding and EDI Lead, Essex Simon Martin HOLEX Board member, Executive Consultant - Sutton

507 views • 16 slides
Multi-objective dose-finding Thomas Jaki Medical and Pharmaceutical Statistics Research Unit,

Multi-objective dose-finding Thomas Jaki Medical and Pharmaceutical Statistics Research Unit,

Multi-objective dose-finding Thomas Jaki Medical and Pharmaceutical Statistics Research Unit, Department of Mathematics and Statistics, Lancaster University, UK December 7, 2018 Acknowledgement: This project has received funding from the

999 views • 76 slides
adaptive design strategies in establishment surveys Melissa Mitchell Kathy Ott Jaki S. McCarthy

adaptive design strategies in establishment surveys Melissa Mitchell Kathy Ott Jaki S. McCarthy

Challenges of implementing adaptive design strategies in establishment surveys Melissa Mitchell Kathy Ott Jaki S. McCarthy National Agricultural Statistics Service . . . providing timely, accurate, and useful statistics in service to U.S.

290 views • 16 slides
The Role of Health Surveillance Jaki Leaker HSE Specialist Inspector of Health & Safety

The Role of Health Surveillance Jaki Leaker HSE Specialist Inspector of Health & Safety

Health and Safety Health and Safety Executive Executive The Role of Health Surveillance Jaki Leaker HSE Specialist Inspector of Health & Safety (Occupational Health) Health Surveillance Programme The aims of a health surveillance

568 views • 9 slides
Bayesian sian var variable able select lection ion and nd classif ssification ication with

Bayesian sian var variable able select lection ion and nd classif ssification ication with

Bayesian sian var variable able select lection ion and nd classif ssification ication with h contro ntrol l of pre redict dictiv ive e value values Eleni Vradi 1 , Thomas Jaki 2 , Richardus Vonk 1 , Werner Brannath 3 1 Bayer AG,

168 views • 15 slides
HAU at the GermEval 2019 Shared Task on the Identification of Offensive Language in Microposts

HAU at the GermEval 2019 Shared Task on the Identification of Offensive Language in Microposts

HAU at the GermEval 2019 Shared Task on the Identification of Offensive Language in Microposts System Description of Word List, Statistical and Hybrid Approaches afer 1 , Tom De Smedt 2 , and Sylvia Jaki 3 Johannes Sch 1 Institute for

493 views • 28 slides
The Impact of Targeted Data Collection on Nonresponse Bias in an Establishment Survey A

The Impact of Targeted Data Collection on Nonresponse Bias in an Establishment Survey A

The Impact of Targeted Data Collection on Nonresponse Bias in an Establishment Survey A Simulation Study of Adaptive Survey Design Jaki S. McCarthy, USDA, National Agricultural Statistics Service James Wagner, University of Michigan Herschel

1.05k views • 24 slides
SPECIAL TOPICS IN ION BEAM ANALYSIS PART 1 THE MeV SIMS (or, can we analize molecules?)

SPECIAL TOPICS IN ION BEAM ANALYSIS PART 1 THE MeV SIMS (or, can we analize molecules?)

SPECIAL TOPICS IN ION BEAM ANALYSIS PART 1 THE MeV SIMS (or, can we analize molecules?) Milko Jaki Laboratory for Ion Beam Interactions, Experimental physics division Ruer Bokovi Institute Zagreb, Croatia OUTLINE Ion

859 views • 49 slides
Conducting survey methods research in an official statistics production environment: Why is it

Conducting survey methods research in an official statistics production environment: Why is it

Conducting survey methods research in an official statistics production environment: Why is it hard? How do you make it work? Jaki S. McCarthy USDAs National Agricultural Statistics Service B Based on a poster presented at d d the

876 views • 12 slides
A framework for estimation of area under the concentration versus time curves (AUCs) in complete

A framework for estimation of area under the concentration versus time curves (AUCs) in complete

Introduction Estimating the AUC Results Discussion A framework for estimation of area under the concentration versus time curves (AUCs) in complete and incomplete sampling designs Thomas Jaki 1 Martin J. Wolfsegger 2 1 Department of

360 views • 25 slides
Adaptive Design in an Establishment Survey: Adaptive Design in an Establishment Survey: Strategic

Adaptive Design in an Establishment Survey: Adaptive Design in an Establishment Survey: Strategic

Adaptive Design in an Establishment Survey: Adaptive Design in an Establishment Survey: Strategic Targeting in the Agricultural Resource Management Survey (ARMS) Dr. Jaki McCarthy T l Tyler Wilson Wil Research and Development Division,

734 views • 22 slides
2015 OUTLOOK Q1 2015 21 May 2015 Copenhagen CONTENTS Overview Q1 2015 Outlook 2015

2015 OUTLOOK Q1 2015 21 May 2015 Copenhagen CONTENTS Overview Q1 2015 Outlook 2015

1 DFDS RAISES 2015 OUTLOOK Q1 2015 21 May 2015 Copenhagen CONTENTS Overview Q1 2015 Outlook 2015 MGO transition Channel judgment Capital structure and distribution Strategy, goals and priorities The statements

340 views • 12 slides
SPECIAL TOPICS IN ION BEAM ANALYSIS PART 2 SINGLE ION TECHNIQUES: STIM & IBIC Milko

SPECIAL TOPICS IN ION BEAM ANALYSIS PART 2 SINGLE ION TECHNIQUES: STIM & IBIC Milko

SPECIAL TOPICS IN ION BEAM ANALYSIS PART 2 SINGLE ION TECHNIQUES: STIM & IBIC Milko Jaki Laboratory for Ion Beam Interactions, Experimental physics division Ruer Bokovi Institute Zagreb, Croatia Ion Beam Analysis &

524 views • 36 slides
A weighted differential entropy based approach for dose-escalation trials Pavel Mozgunov, Thomas

A weighted differential entropy based approach for dose-escalation trials Pavel Mozgunov, Thomas

A weighted differential entropy based approach for dose-escalation trials Pavel Mozgunov, Thomas Jaki Medical and Pharmaceutical Statistics Research Unit, Department of Mathematics and Statistics, Lancaster University, UK September 29, 2016 5th

418 views • 30 slides
M-Theory on Calabi-Yau 5-folds K.S. Stelle Workshop on Holonomy Groups and applications Hamburg

M-Theory on Calabi-Yau 5-folds K.S. Stelle Workshop on Holonomy Groups and applications Hamburg

M-Theory on Calabi-Yau 5-folds K.S. Stelle Workshop on Holonomy Groups and applications Hamburg 16 July 2008 Work with Alexander Haupt and Andr Lukas; previous work with Hong L, Chris Pope and Paul T ownsend 1 Motivation CY 3

542 views • 31 slides
Non-perturbative study of the viscosity in SU ( 2 ) lattice gluodynamics. V. V. Braguta, A. Yu.

Non-perturbative study of the viscosity in SU ( 2 ) lattice gluodynamics. V. V. Braguta, A. Yu.

Non-perturbative study of the viscosity in SU ( 2 ) lattice gluodynamics. V. V. Braguta, A. Yu. Kotov " " Oct 30, 2013

676 views • 22 slides
Logarithmic and Riesz Equilibrium for Multiple Sources on the Sphere the Exceptional Case .

Logarithmic and Riesz Equilibrium for Multiple Sources on the Sphere the Exceptional Case .

OPCOP 2017, Peter Dragnev, IPFW Logarithmic and Riesz Equilibrium for Multiple Sources on the Sphere the Exceptional Case . D. Dragnev P Indiana University-Purdue University Fort Wayne (IPFW) with J. Brauchart - TU Graz, E. Saff -

399 views • 37 slides
Progress on the study of electromagnetic corrections to K decay Norman H. Christ & Xu

Progress on the study of electromagnetic corrections to K decay Norman H. Christ & Xu

Progress on the study of electromagnetic corrections to K decay Norman H. Christ & Xu Feng (RBC and UKQCD collaborations) Lattice 2018 @ East Lansing, July 23-28, 2018 Subsequent report of Normans talk @ Lattice 2017 EPJ Web

525 views • 21 slides
River Engineering Nothing in these lectures will be exact. We are talking about the modelling of

River Engineering Nothing in these lectures will be exact. We are talking about the modelling of

It is EXACT, Jane a story told to the lecturer by a botanist colleague. The most important river in Australia is the Murray River, 2 375 km (Danube 2 850 km ), maximum recorded ow 3 950 m 3 s 1 (Danube at Iron Gate Dam: 15 400 m 3

696 views • 45 slides
The computations of acting agents and the agents acting in computations Philipp Hennig ICERM 5

The computations of acting agents and the agents acting in computations Philipp Hennig ICERM 5

The computations of acting agents and the agents acting in computations Philipp Hennig ICERM 5 June 2017 Research Group for Probabilistic Numerics Max Planck Institute for Intelligent Systems Tbingen, Germany Some of the presented work was

1.12k views • 76 slides
ECE-8843 http://www.csc.gatech.edu/copeland/jac/8813-03/ Prof. John A. Copeland

ECE-8843 http://www.csc.gatech.edu/copeland/jac/8813-03/ Prof. John A. Copeland

ECE-8843 http://www.csc.gatech.edu/copeland/jac/8813-03/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696 Chapter 7:

476 views • 13 slides
A Protocol for Secure Public Instant Messaging Mohammad Mannan and Paul C. van Oorschot Digital

A Protocol for Secure Public Instant Messaging Mohammad Mannan and Paul C. van Oorschot Digital

Secure Public Instant Messaging Financial Cryptography - Feb 27, 2006 A Protocol for Secure Public Instant Messaging Mohammad Mannan and Paul C. van Oorschot Digital Security Group Carleton University, Canada Mohammad Mannan Feb 27, 2006 1

399 views • 15 slides

More recommend