% ----------------------------------------------------------------------
\label{section:IPSECgeneral}

% ciphersuites current 2013-12-09

\subsubsection{Settings}

\paragraph*{Assumptions}\mbox{}\\
We assume the use of IKE (v1 or v2) and ESP for this document.

\paragraph*{Authentication}\mbox{}\\
IPSEC authentication should optimally be performed via RSA signatures,
with a key size of 2048 bits or more. Configuring only the trusted CA
that issued the peer certificate provides for additional protection
against fake certificates.

If you need to use Pre-Shared Key authentication:

\begin{itemize}
\item Choose a \textbf{random}, \textbf{long enough} PSK (see below)
\item Use a \textbf{separate} PSK for each IPSEC connection
\item Change the PSKs regularly
\end{itemize}

The PSK should not be shorter than the output size of
the hash algorithm used in IKE\footnote{It is used in a HMAC, see
RFC2104\cite{rfc2104} and the discussion starting
in \url{http://www.vpnc.org/ietf-ipsec/02.ipsec/msg00268.html}.}.

For a key composed of upper- and lowercase letters, numbers, and two
additional symbols\footnote{64 possible values = 6 bits},
table~\ref{tab:IPSEC_psk_len} gives the minimum lengths in characters.

\begin{table}[h]
\centering
\begin{tabular}{ll}
IKE Hash & PSK length \\
\end{tabular}
\label{tab:IPSEC_psk_len}
\end{table}
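
The minimum lengths follow from dividing the hash output size by the 6 bits each character carries. The following added example (not part of the original guide) computes them and generates one separate PSK per connection; it also covers SHA1, which Configuration B permits. The two extra symbols \verb|+| and \verb|/| and the tunnel names are assumptions.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 2 = 64 symbols, i.e. 6 bits per character (see the footnote).
# Assumption: "+" and "/" as the two extra symbols; the guide does not name them.
ALPHABET = string.ascii_letters + string.digits + "+/"

# Output size in bits of the hash used in IKE.
HASH_BITS = {"SHA1": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}


def min_psk_chars(ike_hash):
    """Fewest characters whose combined entropy reaches the hash output size."""
    bits_per_char = math.log2(len(ALPHABET))  # 6.0 for 64 symbols
    return math.ceil(HASH_BITS[ike_hash] / bits_per_char)


def generate_psk(ike_hash, extra_chars=0):
    """Draw every character independently from the operating system CSPRNG."""
    length = min_psk_chars(ike_hash) + extra_chars
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def psks_for_tunnels(tunnels, ike_hash):
    """Return one separate PSK per connection; PSKs are never shared."""
    psks = {name: generate_psk(ike_hash) for name in tunnels}
    if len(set(psks.values())) != len(psks):  # astronomically unlikely
        raise RuntimeError("duplicate PSK generated, run again")
    return psks


if __name__ == "__main__":
    for name in HASH_BITS:
        print(name, min_psk_chars(name))
    # Hypothetical tunnel names, for illustration only.
    print(psks_for_tunnels(["branch-a", "branch-b"], "SHA256"))
```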

\paragraph*{Cryptographic Suites}\mbox{}\\
IPSEC Cryptographic Suites are pre-defined settings for all the items
of a configuration; they try to provide a balanced security level and
make setting up VPNs easier.\footnote{RFC6379\cite{rfc6379}, RFC4308\cite{rfc4308}}

When using any of those suites, make sure to enable ``Perfect Forward
Secrecy'' for Phase 2, as this is not specified in the suites. The
equivalents to the recommended cipher suites in section
\ref{section:recommendedciphers} are shown in
table~\ref{tab:IPSEC_suites}.

\begin{table}[h]
\centering
\begin{tabular}{p{2.5cm}p{2.5cm}l}
Configuration A & Configuration B & Notes\\
\verb|Suite-B-GCM-256| &
\verb|Suite-B-GCM-128| \newline
& All Suite-B variants use NIST elliptic curves\\
\end{tabular}
\caption{IPSEC Cryptographic Suites}
\label{tab:IPSEC_suites}
\end{table}

\paragraph*{IKE or Phase 1}\mbox{}\\

As an alternative to the pre-defined cipher suites, you can define your
own, as described in this and the next section.

IKE or Phase 1 is the mutual authentication and key exchange phase;
table~\ref{tab:IPSEC_ph1_params} shows the parameters.

Use only ``main mode'', as ``aggressive mode'' has known security
vulnerabilities\footnote{\url{http://ikecrack.sourceforge.net/}}.

\begin{table}[h]
\centering
\begin{tabular}{lll}
 & Configuration A & Configuration B \\
Mode & Main Mode & Main Mode \\
Encryption & AES-256 & AES, CAMELLIA (-256 or -128) \\
Hash & SHA2-* & SHA2-*, SHA1 \\
DH Group & Group 14-18 & Group 14-18 \\
% Lifetime & \todo{need recommendations; 1 day seems to be common
\end{tabular}
\caption{IPSEC Phase 1 parameters}
\label{tab:IPSEC_ph1_params}
\end{table}

\paragraph*{ESP or Phase 2}\mbox{}\\

ESP or Phase 2 is where the actual data are protected; recommended
parameters are shown in table~\ref{tab:IPSEC_ph2_params}.

\begin{table}[h]
\centering
\begin{tabular}{lll}
 & Configuration A & Configuration B \\
Perfect Forward Secrecy & yes & yes \\
Encryption &
\parbox[t]{5cm}{\raggedright
\mbox{AES-GCM-16}, \mbox{AES-CTR}, \mbox{AES-CCM-16}, \mbox{AES-256}}
&
\parbox[t]{5cm}{\raggedright
\mbox{AES-GCM-16}, \mbox{AES-CTR}, \mbox{AES-CCM-16}, \mbox{AES-256}, \mbox{CAMELLIA-256}, \mbox{AES-128}, \mbox{CAMELLIA-128}} \\
Hash & SHA2-* (or none for AEAD) & SHA2-*, SHA1 (or none for AEAD) \\
DH Group & Same as Phase 1 & Same as Phase 1 \\
% Lifetime & \todo{need recommendations; 1-8 hours is common} & \\
\end{tabular}
\caption{IPSEC Phase 2 parameters}
\label{tab:IPSEC_ph2_params}
\end{table}

\subsubsection{References}

``A Cryptographic Evaluation of IPsec'', Niels Ferguson and Bruce
Schneier: \url{https://www.schneier.com/paper-ipsec.pdf}

%----------------------------------------------------------------------
\subsection{Check Point FireWall-1}

\subsubsection{Tested with Version}
\begin{itemize}
\item R77 (should work with any currently supported version)
\end{itemize}

\subsubsection{Settings}
Please see section \ref{section:IPSECgeneral} for guidance on
parameter choice. In this section, we will configure a strong setup
according to ``Configuration A''.

This is based on the concept of a ``VPN Community'', which has all the
settings for the gateways that are included in that community.
Communities can be found in the ``IPSEC VPN'' tab of SmartDashboard.

\begin{figure}[h]
\centering
\includegraphics[width=0.592\textwidth]{img/checkpoint_1.png}
\caption{VPN Community encryption properties}
\label{fig:checkpoint_1}
\end{figure}

Either choose one of the encryption suites in the properties dialog
(figure \ref{fig:checkpoint_1}), or proceed to
``Custom Encryption...'', where you can set encryption and hash for
Phase 1 and 2 (figure \ref{fig:checkpoint_2}).

\begin{figure}[h]
\centering
\includegraphics[width=0.411\textwidth]{img/checkpoint_2.png}
\caption{Custom Encryption Suite Properties}
\label{fig:checkpoint_2}
\end{figure}

The Diffie-Hellman groups and Perfect Forward Secrecy Settings can be
found under ``Advanced Settings'' / ``Advanced VPN Properties''
(figure \ref{fig:checkpoint_3}).

\begin{figure}[h]
\centering
\includegraphics[width=0.589\textwidth]{img/checkpoint_3.png}
\caption{Advanced VPN Properties}
\label{fig:checkpoint_3}
\end{figure}

\subsubsection{Additional settings}
For remote Dynamic IP Gateways, the settings are not taken from the
community, but set in the ``Global Properties'' dialog under ``Remote
Access'' / ``VPN Authentication and Encryption''. Via the ``Edit...''
button, you can configure sets of algorithms that all gateways support
(figure \ref{fig:checkpoint_4}).

\begin{figure}[h]
\centering
\includegraphics[width=0.474\textwidth]{img/checkpoint_4.png}
\caption{Remote Access Encryption Properties}
\label{fig:checkpoint_4}
\end{figure}

Please note that these settings restrict the available algorithms for
\textbf{all} gateways, and also influence the VPN client connections.

%\subsubsection{Justification for special settings (if needed)}

%\subsubsection{Limitations}

\subsubsection{References}
\begin{itemize}
\item \href{https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm}{VPN R77 Administration Guide} (may require a UserCenter account to access)
\end{itemize}

% \subsubsection{How to test}

%% cipherstrings current 2013-12-09
% ----------------------------------------------------------------------
\subsection{OpenVPN}

\subsubsection{Tested with Version}
\begin{itemize}
\item OpenVPN 2.3.2 from Debian ``wheezy-backports'' linked against openssl (libssl.so.1.0.0)
\item OpenVPN 2.2.1 from Debian 7.0 linked against openssl (libssl.so.1.0.0)
\item OpenVPN 2.3.2 for Windows
\end{itemize}

\subsubsection{Settings}
\paragraph{General}\mbox{}\\
We describe a configuration with certificate-based authentication; see
below for details on the \verb|easyrsa| tool to help you with that.

OpenVPN uses TLS only for authentication and key exchange. The
bulk traffic is then encrypted and authenticated with the OpenVPN
protocol using those keys.

Note that while the \verb|tls-cipher| option takes a list of ciphers
that is then negotiated as usual with TLS, the \verb|cipher|
and \verb|auth| options both take a single argument that must match on

\paragraph{Server Configuration}\mbox{}\\

% the cipherlist here is config B without the ECDHE strings, because
% it must fit in 256 bytes...
% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
\begin{verbatim}
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
\end{verbatim}

\paragraph{Client Configuration}\mbox{}\\
Client and server have to use compatible configurations, otherwise they can't communicate.
The \verb|cipher| and \verb|auth| directives have to be identical.

% the cipherlist here is config B without the ECDHE strings, because
% it must fit in 256 bytes...
% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
\begin{verbatim}
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

# http://openvpn.net/index.php/open-source/documentation/howto.html#mitm
remote-cert-tls server

tls-remote server.example.com
\end{verbatim}

\subsubsection{Justification for special settings}
OpenVPN 2.3.1 changed the values that the \verb|tls-cipher| option
expects from OpenSSL to IANA cipher names. That means from that
version on you will get ``Deprecated TLS cipher name'' warnings for
the configurations above. You cannot use the selection strings from
section \ref{section:recommendedciphers} directly from 2.3.1 on, which
is why we give an explicit cipher list here.

In addition, there is a 256 character limit on configuration file line
lengths; that limits the size of cipher suites, so we dropped all

The configuration shown above is compatible with all tested versions.
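
The two constraints described above (no configuration line longer than 256 characters, and identical \verb|cipher| and \verb|auth| values on both sides) can be checked before deployment. The following is an added example, not part of the original guide or of OpenVPN; the sample configurations are constructed, with shortened cipher lists and a deliberate \verb|auth| mismatch.

```python
MAX_LINE = 256  # configuration line-length limit described above


def parse(conf_text):
    """Return ({directive: argument string}, [numbers of over-long lines])."""
    directives, too_long = {}, []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        if len(raw) > MAX_LINE:
            too_long.append(number)
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        name, _, args = line.partition(" ")
        directives[name] = args.strip()
    return directives, too_long


def lint_pair(server_text, client_text):
    """Compare a server and a client config; return a list of findings."""
    findings = []
    (srv, srv_long), (cli, cli_long) = parse(server_text), parse(client_text)
    for side, numbers in (("server", srv_long), ("client", cli_long)):
        findings += [f"{side}: line {n} longer than {MAX_LINE} characters"
                     for n in numbers]
    for opt in ("cipher", "auth"):  # single-valued, never negotiated
        if opt not in srv or srv.get(opt) != cli.get(opt):
            findings.append(f"{opt}: server={srv.get(opt)!r} client={cli.get(opt)!r}")
    if "tls-cipher" in srv and "tls-cipher" in cli:
        shared = set(srv["tls-cipher"].split(":")) & set(cli["tls-cipher"].split(":"))
        if not shared:
            findings.append("tls-cipher: no suite offered by both sides")
    if cli.get("remote-cert-tls") != "server":
        findings.append("client: remote-cert-tls server is missing")
    return findings


# Constructed sample configs (shortened cipher lists, deliberate auth mismatch).
SERVER_CONF = """\
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
cipher AES-256-CBC
auth SHA384
"""
CLIENT_CONF = """\
tls-cipher DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
"""
```

Calling \verb|lint_pair(SERVER_CONF, CLIENT_CONF)| reports the \verb|auth| mismatch; an empty list means the pair passed all four checks.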


\subsubsection{References}
\begin{itemize}
\item OpenVPN Documentation: \emph{Security Overview} \url{http://openvpn.net/index.php/open-source/documentation/security-overview.html}
\end{itemize}

%\subsubsection{How to test}


\subsubsection{Additional settings}

\paragraph{Key renegotiation interval}\mbox{}\\
The default for renegotiation of encryption keys is one hour
(\verb|reneg-sec 3600|). If you
transfer huge amounts of data over your tunnel, you might consider
configuring a shorter interval, or switching to a byte- or packet-based
interval (\verb|reneg-bytes| or \verb|reneg-pkts|).

\paragraph{Fixing ``easy-rsa''}\mbox{}\\
When installing an OpenVPN server instance, you are probably using
{\it easy-rsa} to generate keys and certificates.
The file \verb|vars| in the easyrsa installation directory has a
number of settings that should be changed to secure values:

\begin{verbatim}
export KEY_EXPIRE=365
export CA_EXPIRE=1826
\end{verbatim}

This will enhance the security of the key generation by using RSA keys
with a length of 2048 bits, and set a lifetime of one year for the
server/client certificates and five years for the CA certificate.

In addition, edit the \verb|pkitool| script and replace all occurrences
of \verb|sha1| with \verb|sha256|, to sign the certificates with


\subsubsection{Limitations}
Note that the ciphersuites shown by \verb|openvpn --show-tls| are {\it
known}, but not necessarily {\it
supported}\footnote{\url{https://community.openvpn.net/openvpn/ticket/304}}.

Which cipher suite is actually used can be seen in the logs:

\verb|Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA|
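
Because the negotiated suite only shows up in the log, the log is the place to verify that clients really end up on an intended suite. The following added example (not part of the original guide or of OpenVPN) checks every such line against the \verb|tls-cipher| list given above; the timestamps and all sample lines are constructed, only the message format is taken from the line shown.

```python
import re

# tls-cipher list from the configuration above (OpenSSL names).
ALLOWED = (
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:"
    "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
).split(":")

LINE_RE = re.compile(
    r"Control Channel: (?P<proto>\S+), cipher \S+ "
    r"(?P<suite>[\w-]+), (?P<bits>\d+) bit RSA"
)


def audit(log_text, allowed=ALLOWED, min_rsa_bits=2048):
    """Return (suite, [findings]) for every control-channel log line."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log message
        suite, bits = m["suite"], int(m["bits"])
        findings = []
        if suite not in allowed:
            findings.append("suite not in configured tls-cipher list")
        if not suite.startswith(("DHE-", "ECDHE-", "EDH-")):
            findings.append("no DHE/ECDHE key exchange, no forward secrecy")
        if bits < min_rsa_bits:
            findings.append(f"RSA key below {min_rsa_bits} bits")
        results.append((suite, findings))
    return results


# Constructed sample log; only the message format comes from the guide.
SAMPLE_LOG = """\
Mon Dec  9 10:00:01 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA
Mon Dec  9 10:05:17 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 AES128-SHA, 1024 bit RSA
Mon Dec  9 10:09:42 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DES-CBC3-SHA, 2048 bit RSA
Mon Dec  9 10:09:43 2013 Initialization Sequence Completed
"""

if __name__ == "__main__":
    for suite, findings in audit(SAMPLE_LOG):
        print(suite, findings or "ok")
```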


% ----------------------------------------------------------------------
\subsection{PPTP}

PPTP is considered insecure; Microsoft recommends to ``use a more secure VPN
tunnel''\footnote{\url{http://technet.microsoft.com/en-us/security/advisory/2743314}}.

There is a cloud service that cracks the underlying MS-CHAPv2
authentication protocol for the price of USD~200\footnote{\url{https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/}},
and given the resulting MD4 hash, all PPTP traffic for a user can

% ----------------------------------------------------------------------
\subsection{Cisco ASA}
The following settings reflect our recommendations as best as possible on the Cisco ASA platform. These are, of course, only settings regarding SSL/TLS (i.e. Cisco AnyConnect) and IPSec. For further security settings regarding this platform, the appropriate Cisco guides should be followed.
\begin{description}
\item[Tested with Version:]
9.1(3) - X-series model
\item[Settings:] \mbox{}
\begin{verbatim}
crypto ipsec ikev2 ipsec-proposal AES-Fallback
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES-GCM-Fallback
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES128-GCM
 protocol esp encryption aes-gcm
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES192-GCM
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-GCM AES192-GCM AES128-GCM AES-GCM-Fallback AES-Fallback
crypto map Outside-DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-DMZ_map interface Outside-DMZ

crypto ikev2 policy 1
 encryption aes-gcm-256
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 4
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256 sha
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 enable Outside-DMZ client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 Outside-DMZ
\end{verbatim}

\item[Justification for special settings (if needed):] \mbox{}
New IPsec policies have been defined which do not make use of ciphers that may be cause for concern. Policies have a ``Fallback'' option to support legacy devices.

3DES has been completely disabled; as a result, Windows XP AnyConnect Clients will no longer be able to connect.

The Cisco ASA platform does not currently support RSA Keys above 2048 bits.

Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not offer the possibility to configure SHA256/SHA384/SHA512 or AES-GCM for IKEv2 proposals.

\item[References:] \mbox{}
\url{http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html}\\
\url{http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html}

% add any further references or best practice documents here

%%\item[How to test:]
% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.
\end{description}

% ----------------------------------------------------------------------
%%\subsection{Juniper VPN}
%%\todo{write this subsubsection. AK: ask Hannes}

% ----------------------------------------------------------------------
%\subsection{L2TP over IPSec}
%\todo{write this subsubsection}

% ----------------------------------------------------------------------
%\todo{write this subsubsection}