2 \todo{write this subsection}
4 \label{section:IPSECgeneral}
7 \todo{cm: check if there are downgrade attacks for checkpoint \& co} \\
11 \item[Settings:] \mbox{}
13 \paragraph*{Assumptions}\mbox{}\\
15 We assume the usage of IKE (v1 or v2) for this document, and ESP.
17 \paragraph*{Authentication}\mbox{}\\
19 IPSEC authentication should optimally be performed via RSA signatures,
20 with a key size of 2048 bits or more. Configuring only the trusted CA
21 that issued the peer certificate provides for additional protection
22 against fake certificates.
24 If you need to use Pre-Shared Key authentication:
27 \item Choose a \textbf{random}, \textbf{long enough} PSK (see below)
28 \item Use a \textbf{separate} PSK for any IPSEC connection
29 \item Change the PSKs regularily
32 The size of the PSK should not be shorter than the output size of
33 the hash algorithm used in IKE \footnote{It is used in a HMAC, see
34 \url{http://www.ietf.org/rfc/rfc2104.txt}.}.
36 For a key composed of upper- and lowercase letters, numbers, and two
37 additional symbols \footnote{64 possible values = 6 bits}, that gives
38 the following minimum lengths in characters:
45 IKE Hash & PSK length \\
54 \paragraph*{Cryptographic Suites}\mbox{}\\
56 IPSEC Cryptographic Suites are pre-defined settings for all the
57 items of a configuration; they try to provide a balanced security
58 level and make setting up VPNs easier.
60 When using any of those suites, make sure to enable ``Perfect Forward
61 Secrecy`` for Phase 2, as this is not specified in the suites. The
62 equivalents to the recommended ciphers suites in section
63 \ref{section:recommendedciphers} are:
70 Configuration A & Configuration B & Notes\\
72 \verb|Suite-B-GCM-256|\footnote{\url{http://tools.ietf.org/html/rfc6379}} &
73 \verb|Suite-B-GCM-128| & Uses NIST elliptic curves
74 \\ & \verb|VPN-B|\footnote{\url{http://tools.ietf.org/html/rfc4308}} &
80 \paragraph*{IKE or Phase 1}\mbox{}\\
82 Alternatively to the pre-defined cipher suites, you can define your
83 own, as described in this and the next section.
85 IKE or Phase 1 is the mutual authentication and key exchange phase.
87 Use only ``main mode``, as ``aggressive mode`` has known security
88 vulnerabilities \footnote{\url{http://ikecrack.sourceforge.net/}}.
90 \todo{how to make footnotes in a table appear in the output document?}
97 & Configuration A & Configuration B \\
99 Mode & Main Mode & Main Mode \\
100 Encryption & AES-256 & AES-256, CAMELLIA-256 \\
101 Hash & SHA2-* & SHA2-*, SHA1 \\
102 DH Group & Group 14--18 \footnote{2048--8192 bit DH},
103 19--21\footnote{(256--521 bit ECDH)} & Group 14--21 \\
104 Lifetime & \todo{need recommendations; 1 day seems to be common
110 \paragraph*{ESP or Phase 2}\mbox{}\\
112 ESP or Phase 2 is where the actual data are protected.
114 \todo{make the tables appear right here!}
121 & Configuration A & Configuration B \\
123 Perfect Forward Secrecy & yes & yes \\
124 Encryption & AES-GCM-16, AES-CTR, AES-CCM-16, AES-256 & AES-GCM-16, AES-CTR, AES-CCM-16, AES-256, CAMELLIA-256 \\
125 Hash & SHA2-* (or none for AES-GCM) & SHA2-*, SHA1 (or none for AES-GCM) \\
126 DH Group & Same as Phase 1 & Same as Phase 1 \\
127 Lifetime & \todo{need recommendations; 1-8 hours is common} & \\
132 \item[References:] \mbox{}
134 ``A Cryptographic Evaluation of IPsec'', Niels Ferguson and Bruce
135 Schneier: \url{https://www.schneier.com/paper-ipsec.pdf}
139 \subsubsection{Check Point FireWall-1}
142 \item[Tested with Version:] \mbox{}
145 \item R77 (should work with any currently supported version)
148 \item[Settings:] \mbox{}
150 Please see section \ref{section:IPSECgeneral} for guidance on
151 parameter choice. In this section, we will configure a strong setup
152 according to ``Configuration A''.
154 This is based on the concept of a ``VPN Community'', which has all the
155 settings for the gateways that are included in that community.
156 Communities can be found in the ``IPSEC VPN'' tab of SmartDashboard.
158 \todo{make those graphics prettier -- whoever has the right LaTeX
161 \includegraphics{checkpoint_1.png}
163 Either chose one of the encryption suites here, or proceed to
164 ``Custom Encryption...'', where you can set encryption and hash for
167 \includegraphics{checkpoint_2.png}
169 The Diffie-Hellman groups and Perfect Forward Secrecy Settings can be
170 found under ``Advanced Settings'' / ``Advanced VPN Properties'':
172 \includegraphics{checkpoint_3.png}
174 \item[Additional settings:]
176 For remote Dynamic IP Gateways, the settings are not taken from the
177 community, but set in the ``Global Properties'' dialog under ``Remote
178 Access'' / ``VPN Authentication and Encryption''. Via the ``Edit...''
179 button, you can configure sets of algorithms that all gateways support:
181 \includegraphics{checkpoint_4.png}
183 Please note that these settings restrict the available algorithms for
184 \textbf{all} gateways, and also influence the VPN client connections.
186 %\item[Justification for special settings (if needed):]
190 \item[References:]\mbox{}
195 \href{https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm}{VPN
196 R77 Administration Guide} (may require a
197 UserCenter account to access)
201 % \item[How to test:]
206 \subsubsection{OpenVPN}
210 \item[Tested with Version:] OpenVPN 2.3.2 from Debian backports linked against openssl (libssl.so.1.0.0)
212 \todo{cm: please write this subsubsection}
213 \todo{We suppose user uses easy-rsa which is roughly used in all HOWTO\footnote{\url{http://openvpn.net/index.php/open-source/documentation/howto.html}}}
216 \item[Additional settings:] \mbox{}
218 \paragraph{Fine tuning at installation level}
220 When installing an OpenVPN server instance, you are probably using {\it easy-rsa} tools to generate the crypto stuff needed.
221 From the directory where you will run them, you can enhance you configuration by changing the following variables in \verb|vars|:
223 \begin{lstlisting}[breaklines]
225 export KEY_EXPIRE=365
226 export CA_EXPIRE=1826
229 This will enhance the security of the key generation by using RSA keys
230 with a length of 2048 bits, and set a lifetime of one year for the
231 keys and five years for the CA certificate.
233 In addition, edit the \verb|pkitool| script and replace all occurences
234 of \verb|sha1| with \verb|sha256|, to sign the certificates with
237 \paragraph{Server Configuration}
239 In the server configuration file, you can select the algorithm that will be used for traffic encryption.
240 Based on previous recommendation established in that document, select AES with a 256 bits key in CBC mode.
242 Note that TLS is used only for negotiation bla bla bla...
244 \todo{cm: explain how openvpn crypto works; make configA/B sections/tables}
246 \item[Settings:] \mbox{}
248 % openvpn --show-ciphers
251 \todo{cm: changelog 2.3.1: ``Switch to IANA names for TLS ciphers'' --
252 give both types of strings?}
254 \begin{lstlisting}[breaklines]
255 cipher AES-256-CBC # AES
259 tls-cipher EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
269 % tls-cipher is a list, C&P the string!
270 % what about: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
271 % DH params/DH key sizes
273 \todo{Explain a little bit tls-auth and auth directives + TEST}
274 \todo{also test with network-damager?}
276 The following ciphers are avaible and recommended\footnote{You can retrieve the list of supported algorithm on your OpenVPN installation thanks to the command {\it openvpn --show-ciphers}}
277 \begin{lstlisting}[breaklines]
288 \paragraph{Client Configuration}
290 Client and server have to use identical configuration otherwise they can't communicate.
291 The {\it cipher} directive has then to be identical in both server and client configuration.
293 \begin{lstlisting}[breaklines]
294 cipher AES-256-CBC # AES
296 remote-cert-tls server # http://openvpn.net/index.php/open-source/documentation/howto.html#mitm
298 tls-remote server.example.com
302 \todo{what about tls-auth keys/ta.key? }.
303 \todo{what about auth sha512 ?}
305 \item[Justification for special settings (if needed):]
307 \item[References:] \url{http://openvpn.net/index.php/open-source/documentation/security-overview.html}
310 \todo{write me please}
318 PPTP is considered insecure, Microsoft recommends to ``use a more secure VPN
319 tunnel''\footnote{\url{http://technet.microsoft.com/en-us/security/advisory/2743314}}.
321 There is a cloud service that cracks the underlying MS-CHAPv2
322 authentication protocol for the price of USD~200\footnote{\url{https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/}},
323 and given the resulting MD4 hash, all PPTP traffic for a user can
326 \subsubsection{Cisco IPSec}
327 \todo{write this subsubsection}
330 \item[Tested with Version:] \todo{version?}
332 \item[Settings:] \mbox{}
334 \begin{lstlisting}[breaklines]
335 %Here goes your setting string
338 \item[Additional settings:] \mbox{}
340 %Here you can add additional settings
342 \begin{lstlisting}[breaklines]
343 %copy \& paste additional settings
346 \item[Justification for special settings (if needed):] \mbox{}
348 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
350 \item[References:] \todo{add references}
352 % add any further references or best practice documents here
355 % describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.
365 \subsubsection{Juniper VPN}
366 \todo{write this subsubsection. AK: ask Hannes}
370 \item[Tested with Version:] \todo{version?}
372 \item[Settings:] \mbox{}
374 \begin{lstlisting}[breaklines]
375 %Here goes your setting string
378 \item[Additional settings:] \mbox{}
380 %Here you can add additional settings
382 \begin{lstlisting}[breaklines]
383 %copy \& paste additional settings
386 \item[Justification for special settings (if needed):] \mbox{}
388 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
390 \item[References:] \todo{add references}
392 % add any further references or best practice documents here
395 % describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.
403 \subsubsection{L2TP over IPSec}
404 \todo{write this subsubsection}
408 \item[Tested with Version:] \todo{version?}
410 \item[Settings:] \mbox{}
412 \begin{lstlisting}[breaklines]
413 %Here goes your setting string
416 \item[Additional settings:] \mbox{}
418 %Here you can add additional settings
420 \begin{lstlisting}[breaklines]
421 %copy \& paste additional settings
424 \item[Justification for special settings (if needed):] \mbox{}
426 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
428 \item[References:] \todo{add references}
430 % add any further references or best practice documents here
433 % describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.
442 \subsubsection{Racoon}
443 \todo{write this subsubsection}
447 \item[Tested with Version:] \todo{version?}
449 \item[Settings:] \mbox{}
451 \begin{lstlisting}[breaklines]
452 %Here goes your setting string
455 \item[Additional settings:] \mbox{}
457 %Here you can add additional settings
459 \begin{lstlisting}[breaklines]
460 %copy \& paste additional settings
463 \item[Justification for special settings (if needed):] \mbox{}
465 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
467 \item[References:] \todo{add references}
469 % add any further references or best practice documents here
472 % describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.