\label{section:IPSECgeneral}
% ciphersuites current 2013-12-09
\item[Settings:] \mbox{}

\paragraph*{Assumptions}\mbox{}\\

We assume the use of IKE (v1 or v2) and ESP for this document.

\paragraph*{Authentication}\mbox{}\\

IPSEC authentication should ideally be performed via RSA signatures,
with a key size of 2048 bits or more. Configuring only the trusted CA
that issued the peer certificate provides additional protection
against fake certificates.

If you need to use Pre-Shared Key authentication:

\item Choose a \textbf{random}, \textbf{long enough} PSK (see below)
\item Use a \textbf{separate} PSK for each IPSEC connection
\item Change the PSKs regularly

The size of the PSK should not be shorter than the output size of
the hash algorithm used in IKE\footnote{It is used in a HMAC, see
\url{http://www.ietf.org/rfc/rfc2104.txt}.}.

For a key composed of upper- and lowercase letters, numbers, and two
additional symbols\footnote{64 possible values = 6 bits},
table~\ref{tab:IPSEC_psk_len} gives the minimum lengths in characters.

IKE Hash & PSK length \\
\label{tab:IPSEC_psk_len}
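The PSK rules above can be turned into a generator and a check. The following is an added example, not part of the original guide: it derives the minimum length from the hash output size at 6 bits per character, draws a PSK from the operating system's CSPRNG, and audits a set of connections for short or shared PSKs. The two extra symbols (`+` and `/`), the function names and the sample connections are assumptions of this example.

```python
import math
import secrets
import string
from collections import defaultdict

# 64-symbol alphabet (6 bits per character) as in the text; the two extra
# symbols '+' and '/' are this example's choice.
ALPHABET = string.ascii_letters + string.digits + "+/"
BITS_PER_CHAR = 6

# Output size in bits of the hashes named in the Phase 1 table.
HASH_BITS = {"SHA1": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}


def min_psk_length(ike_hash):
    """Fewest characters that carry at least the hash's output size."""
    return math.ceil(HASH_BITS[ike_hash.upper()] / BITS_PER_CHAR)


def generate_psk(ike_hash):
    """Draw every character independently from the OS CSPRNG."""
    n = min_psk_length(ike_hash)
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def audit_psks(connections, ike_hash):
    """Check a {connection: psk} map for short and shared PSKs.

    Length and reuse can be checked mechanically; randomness cannot, so an
    empty result only means each PSK is long enough and not shared.
    """
    findings = []
    users = defaultdict(list)
    need = min_psk_length(ike_hash)
    for name, psk in sorted(connections.items()):
        users[psk].append(name)
        if len(psk) < need:
            findings.append(f"{name}: {len(psk)} chars, need {need} for {ike_hash}")
    for names in users.values():
        if len(names) > 1:
            findings.append("PSK shared by: " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for h in HASH_BITS:
        print(f"{h}: at least {min_psk_length(h)} characters")
    # Constructed sample: two tunnels sharing one short PSK, one generated PSK.
    conns = {"site-a": "hunter2", "site-b": "hunter2",
             "site-c": generate_psk("SHA256")}
    for finding in audit_psks(conns, "SHA256"):
        print("FINDING", finding)
```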
\paragraph*{Cryptographic Suites}\mbox{}\\

IPSEC Cryptographic Suites are pre-defined settings for all the items
of a configuration; they try to provide a balanced security level and
make setting up VPNs easier.
\footnote{\url{http://tools.ietf.org/html/rfc6379}}
\footnote{\url{http://tools.ietf.org/html/rfc4308}}

When using any of those suites, make sure to enable ``Perfect Forward
Secrecy'' for Phase 2, as this is not specified in the suites. The
equivalents to the recommended cipher suites in section
\ref{section:recommendedciphers} are shown in
table~\ref{tab:IPSEC_suites}.

\begin{tabular}{p{2.5cm}p{2.5cm}l}
Configuration A & Configuration B & Notes\\
\verb|Suite-B-GCM-256| \newline \verb|Suite-B-GMAC-256| &
\verb|Suite-B-GCM-128| \newline \verb|Suite-B-GMAC-128| \newline
& All Suite-B variants use NIST elliptic curves\\
\end{tabular}
\caption{IPSEC Cryptographic Suites}
\label{tab:IPSEC_suites}
\paragraph*{IKE or Phase 1}\mbox{}\\

As an alternative to the pre-defined cipher suites, you can define your
own, as described in this and the next section.

IKE or Phase 1 is the mutual authentication and key exchange phase;
table~\ref{tab:IPSEC_ph1_params} shows the parameters.

Use only ``main mode'', as ``aggressive mode'' has known security
vulnerabilities\footnote{\url{http://ikecrack.sourceforge.net/}}.

& Configuration A & Configuration B \\
Mode & Main Mode & Main Mode \\
Encryption & AES-256 & AES, CAMELLIA (-256 or -128) \\
Hash & SHA2-* & SHA2-*, SHA1 \\
DH Group & Group 14--18, 19--21 & Group 14--21 \\
% Lifetime & \todo{need recommendations; 1 day seems to be common
\caption{IPSEC Phase 1 parameters}
\label{tab:IPSEC_ph1_params}
\paragraph*{ESP or Phase 2}\mbox{}\\

ESP or Phase 2 is where the actual data are protected; recommended
parameters are shown in table~\ref{tab:IPSEC_ph2_params}.

& Configuration A & Configuration B \\
Perfect Forward Secrecy & yes & yes \\
\parbox[t]{5cm}{\raggedright
\mbox{AES-GCM-16}, \mbox{AES-CTR}, \mbox{AES-CCM-16}, \mbox{AES-256}}
\parbox[t]{5cm}{\raggedright
\mbox{AES-GCM-16}, \mbox{AES-CTR}, \mbox{AES-CCM-16}, \mbox{AES-256}, \mbox{CAMELLIA-256}, \mbox{AES-128}, \mbox{CAMELLIA-128}} \\
Hash & SHA2-* (or none for AES-GCM) & SHA2-*, SHA1 (or none for AES-GCM) \\
DH Group & Same as Phase 1 & Same as Phase 1 \\
% Lifetime & \todo{need recommendations; 1-8 hours is common} & \\
\caption{IPSEC Phase 2 parameters}
\label{tab:IPSEC_ph2_params}

\item[References:] \mbox{}

``A Cryptographic Evaluation of IPsec'', Niels Ferguson and Bruce
Schneier: \url{https://www.schneier.com/paper-ipsec.pdf}
\subsubsection{Check Point FireWall-1}

\item[Tested with Version:] \mbox{}

\item R77 (should work with any currently supported version)

\item[Settings:] \mbox{}

Please see section \ref{section:IPSECgeneral} for guidance on
parameter choice. In this section, we will configure a strong setup
according to ``Configuration A''.

This is based on the concept of a ``VPN Community'', which has all the
settings for the gateways that are included in that community.
Communities can be found in the ``IPSEC VPN'' tab of SmartDashboard.

\includegraphics[width=0.592\textwidth]{checkpoint_1.png}
\caption{VPN Community encryption properties}
\label{fig:checkpoint_1}

Either choose one of the encryption suites in the properties dialog
(figure \ref{fig:checkpoint_1}), or proceed to
``Custom Encryption...'', where you can set encryption and hash for
Phase 1 and 2 (figure \ref{fig:checkpoint_2}).

\includegraphics[width=0.411\textwidth]{checkpoint_2.png}
\caption{Custom Encryption Suite Properties}
\label{fig:checkpoint_2}

The Diffie-Hellman groups and Perfect Forward Secrecy settings can be
found under ``Advanced Settings'' / ``Advanced VPN Properties''
(figure \ref{fig:checkpoint_3}).

\includegraphics[width=0.589\textwidth]{checkpoint_3.png}
\caption{Advanced VPN Properties}
\label{fig:checkpoint_3}

\item[Additional settings:] \mbox{}

For remote Dynamic IP Gateways, the settings are not taken from the
community, but set in the ``Global Properties'' dialog under ``Remote
Access'' / ``VPN Authentication and Encryption''. Via the ``Edit...''
button, you can configure sets of algorithms that all gateways support
(figure \ref{fig:checkpoint_4}).

\includegraphics[width=0.474\textwidth]{checkpoint_4.png}
\caption{Remote Access Encryption Properties}
\label{fig:checkpoint_4}

Please note that these settings restrict the available algorithms for
\textbf{all} gateways, and also influence the VPN client connections.

%\item[Justification for special settings (if needed):]

\item[References:]\mbox{}

\href{https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm}{VPN
R77 Administration Guide} (may require a
UserCenter account to access)

% \item[How to test:]

%% cipherstrings current 2013-12-09
\subsubsection{OpenVPN}

\item[Tested with Version:] \mbox{}\\

\item OpenVPN 2.3.2 from Debian ``wheezy-backports'' linked against openssl (libssl.so.1.0.0)
\item OpenVPN 2.2.1 from Debian 7.0 linked against openssl
\item OpenVPN 2.3.2 for Windows

\item[Settings:] \mbox{}

\paragraph{General}\mbox{}

We describe a configuration with certificate-based authentication; see
below for details on the \verb|easyrsa| tool to help you with that.

OpenVPN uses TLS only for authentication and key exchange. The
bulk traffic is then encrypted and authenticated with the OpenVPN
protocol using those keys.

Note that while the \verb|tls-cipher| option takes a list of ciphers
that is then negotiated as usual with TLS, the \verb|cipher|
and \verb|auth| options both take a single argument that must match on

\paragraph{Server Configuration}\mbox{}

% this is only a DoS-protection, out of scope:
% # TLS Authentication
% ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA
% the cipherlist here is config B without the ECDHE strings, because
% it must fit in 256 bytes...
\begin{lstlisting}[breaklines]
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# generate with 'openssl dhparam -out dh2048.pem 2048':
\end{lstlisting}

\paragraph{Client Configuration}\mbox{}

Client and server have to use compatible configurations, otherwise they can't communicate.
The \verb|cipher| and \verb|auth| directives have to be identical.

\begin{lstlisting}[breaklines]
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# http://openvpn.net/index.php/open-source/documentation/howto.html#mitm
remote-cert-tls server
tls-remote server.example.com
\end{lstlisting}

\item[Justification for special settings (if needed):] \mbox{}\\

OpenVPN 2.3.1 changed the values that the \verb|tls-cipher| option
expects from OpenSSL to IANA cipher names. That means from that
version on you will get ``Deprecated TLS cipher name'' warnings for
the configurations above. You cannot use the selection strings from
section \ref{section:recommendedciphers} directly from 2.3.1 on, which
is why we give an explicit cipher list here.

In addition, there is a 256 character limit on configuration file line
lengths; that limits the size of cipher suites, so we dropped all

The configuration shown above is compatible with all tested versions.
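The two constraints described above (identical \verb|cipher| and \verb|auth| values on both sides, and the 256 character limit on configuration lines) can be checked before a configuration is deployed. The following is an added example, not part of the original guide or of OpenVPN; the function names and the sample configurations, including their \verb|cipher| and \verb|auth| values, are constructed for illustration.

```python
MAX_LINE = 256  # configuration line length limit described in the text


def parse(conf):
    """Map directive name -> argument string, ignoring comments and blanks."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, _, arg = line.partition(" ")
            opts[name] = arg.strip()
    return opts


def check_pair(server_conf, client_conf):
    """Return findings for an OpenVPN server/client configuration pair."""
    findings = []
    for side, conf in (("server", server_conf), ("client", client_conf)):
        for num, line in enumerate(conf.splitlines(), 1):
            # Conservative reading (assumption): a line must stay below the limit.
            if len(line) >= MAX_LINE:
                findings.append(
                    f"{side} line {num}: {len(line)} chars, limit {MAX_LINE}")
    server, client = parse(server_conf), parse(client_conf)
    # cipher and auth take one value each and are not negotiated.
    for opt in ("cipher", "auth"):
        if server.get(opt) != client.get(opt):
            findings.append(
                f"{opt} differs: server={server.get(opt)} client={client.get(opt)}")
    # tls-cipher is a list; negotiation needs at least one suite in common.
    s_list = server.get("tls-cipher", "").split(":")
    c_list = client.get("tls-cipher", "").split(":")
    if s_list != [""] and c_list != [""] and not set(s_list) & set(c_list):
        findings.append("tls-cipher lists share no suite")
    return findings


# Constructed sample configurations; the cipher and auth values are assumed.
SERVER = """\
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
cipher AES-256-CBC
auth SHA384
"""
CLIENT = """\
tls-cipher DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
"""

if __name__ == "__main__":
    for finding in check_pair(SERVER, CLIENT):
        print("FINDING", finding)
```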
\item[References:] \mbox{}\\

\url{http://openvpn.net/index.php/open-source/documentation/security-overview.html}

\item[Additional settings:] \mbox{}

\paragraph{Key renegotiation interval}\mbox{}

The default for renegotiation of encryption keys is one hour
(\verb|reneg-sec 3600|). If you
transfer huge amounts of data over your tunnel, you might consider
configuring a shorter interval, or switching to a byte- or packet-based
interval (\verb|reneg-bytes| or \verb|reneg-pkts|).

\paragraph{Fixing ``easy-rsa''}\mbox{}

When installing an OpenVPN server instance, you are probably using
{\it easy-rsa} to generate keys and certificates.
The file \verb|vars| in the easyrsa installation directory has a
number of settings that should be changed to secure values:

\begin{lstlisting}[breaklines]
export KEY_EXPIRE=365
export CA_EXPIRE=1826
\end{lstlisting}

This will enhance the security of the key generation by using RSA keys
with a length of 2048 bits, and set a lifetime of one year for the
server/client certificates and five years for the CA certificate.

In addition, edit the \verb|pkitool| script and replace all occurrences
of \verb|sha1| with \verb|sha256|, to sign the certificates with

\item[Limitations:] \mbox{}

Note that the ciphersuites shown by \verb|openvpn --show-tls| are {\it
known}, but not necessarily {\it
supported}\footnote{\url{https://community.openvpn.net/openvpn/ticket/304}}.

Which cipher suite is actually used can be seen in the logs:

\verb|Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA|
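Since the log is the only place that shows what was actually negotiated, it is worth comparing it with the configured list. The following is an added example, not part of the original guide: it extracts the suite and key size from ``Control Channel'' lines and reports suites outside the configured \verb|tls-cipher| list, suites without an ephemeral key exchange, and keys below 2048 bits. The log lines are constructed, and the check assumes \verb|tls-cipher| uses OpenSSL cipher names as in the listings above.

```python
import re

# Matches the control-channel summary line quoted above.
CONTROL = re.compile(
    r"Control Channel: (?P<proto>[^,]+), cipher \S+ (?P<suite>[A-Za-z0-9-]+), "
    r"(?P<bits>\d+) bit (?P<key>\w+)"
)


def audit_log(log_text, tls_cipher, min_key_bits=2048):
    """Compare negotiated suites in an OpenVPN log with the configured list.

    Returns (line number, suite, reason) tuples; an empty list means every
    control channel used an allowed DHE/ECDHE suite with a large enough key.
    """
    allowed = tls_cipher.split(":")
    findings = []
    for num, line in enumerate(log_text.splitlines(), 1):
        m = CONTROL.search(line)
        if not m:
            continue  # not a control-channel summary line
        suite, bits = m["suite"], int(m["bits"])
        if suite not in allowed:
            findings.append((num, suite, "not in configured tls-cipher list"))
        elif not suite.startswith(("DHE-", "ECDHE-")):
            # Allowed as a fallback, but the session has no forward secrecy.
            findings.append((num, suite, "no ephemeral key exchange"))
        if bits < min_key_bits:
            findings.append((num, suite, f"{bits} bit {m['key']} key"))
    return findings


# Constructed log excerpt (addresses are from the documentation range).
LOG = """\
Mon Dec  9 10:00:01 2013 192.0.2.10:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA
Mon Dec  9 10:05:42 2013 192.0.2.11:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 1024 bit RSA
Mon Dec  9 10:06:00 2013 192.0.2.11:1194 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Dec  9 10:09:13 2013 192.0.2.12:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DES-CBC3-SHA, 2048 bit RSA
"""
# Shortened, constructed tls-cipher value for the sample.
TLS_CIPHER = "DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:AES256-SHA"

if __name__ == "__main__":
    for num, suite, reason in audit_log(LOG, TLS_CIPHER):
        print(f"line {num}: {suite}: {reason}")
```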
PPTP is considered insecure; Microsoft recommends to ``use a more secure VPN
tunnel''\footnote{\url{http://technet.microsoft.com/en-us/security/advisory/2743314}}.

There is a cloud service that cracks the underlying MS-CHAPv2
authentication protocol for the price of USD~200\footnote{\url{https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/}},
and given the resulting MD4 hash, all PPTP traffic for a user can
\subsubsection{Cisco ASA}
The following settings reflect our recommendations as best as possible on the Cisco ASA platform. These are, of course, just settings regarding SSL/TLS (i.e. Cisco AnyConnect) and IPSec. For further security settings regarding this platform, the appropriate Cisco guides should be followed.

\item[Tested with Version:]

\item[Settings:] \mbox{}
\begin{lstlisting}[breaklines]
crypto ipsec ikev2 ipsec-proposal AES-Fallback
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES-GCM-Fallback
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal AES128-GCM
 protocol esp encryption aes-gcm
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES192-GCM
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-GCM AES192-GCM AES128-GCM AES-GCM-Fallback AES-Fallback
crypto map Outside-DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-DMZ_map interface Outside-DMZ
crypto ikev2 policy 1
 encryption aes-gcm-256
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 4
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256 sha
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 enable Outside-DMZ client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 Outside-DMZ
\end{lstlisting}

\item[Justification for special settings (if needed):] \mbox{}
New IPsec policies have been defined which do not make use of ciphers that may be cause for concern. Policies have a ``Fallback'' option to support legacy devices.

% in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here

\url{http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html}

% add any further references or best practice documents here

%%\item[How to test:]
% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.
\subsubsection{L2TP over IPSec}
\todo{write this subsubsection}

\item[Tested with Version:] \todo{version?}

\item[Settings:] \mbox{}

\begin{lstlisting}[breaklines]
%Here goes your setting string
\end{lstlisting}

\item[Additional settings:] \mbox{}

%Here you can add additional settings

\begin{lstlisting}[breaklines]
%copy \& paste additional settings
\end{lstlisting}

\item[Justification for special settings (if needed):] \mbox{}

% in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here

\item[References:] \todo{add references}

% add any further references or best practice documents here

% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.

\subsubsection{Racoon}
\todo{write this subsubsection}

\item[Tested with Version:] \todo{version?}

\item[Settings:] \mbox{}

\begin{lstlisting}[breaklines]
%Here goes your setting string
\end{lstlisting}

\item[Additional settings:] \mbox{}

%Here you can add additional settings

\begin{lstlisting}[breaklines]
%copy \& paste additional settings
\end{lstlisting}

\item[Justification for special settings (if needed):] \mbox{}

% in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here

\item[References:] \todo{add references}

% add any further references or best practice documents here

% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.