Appendix E
Supported VPN Standards and Security Proposals
This appendix lists the VPN standards supported by PIX Firewall. It contains the following sections:
• IPSec, page E-1
• Internet Key Exchange (IKE), page E-2
• Certification Authorities (CA), page E-3
• Supported Easy VPN Proposals, page E-3
IPSec
IPSec—IP Security Protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. IPSec is documented in a series of Internet RFCs, all available at the following website: http://www.ietf.org/html.charters/ipsec-charter.html The overall IPSec implementation is guided by “Security Architecture for the Internet Protocol,” RFC 2401.
IPSec as implemented in PIX Firewall supports the following additional standards:
• Internet Key Exchange (IKE)—A hybrid protocol that implements Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys.
• AH—Authentication Header. A security protocol that provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram). The AH protocol (RFC 2402) allows for the use of various authentication algorithms; PIX Firewall has implemented the mandatory MD5-HMAC (RFC 2403) and SHA-HMAC (RFC 2404) authentication algorithms.
Cisco PIX Firewall and VPN Configuration Guide 78-15033-01
E-1
• ESP—Encapsulating Security Payload. A security protocol that provides data privacy services and optional data authentication and anti-replay services. ESP encapsulates the data to be protected. The ESP protocol (RFC 2406) allows for the use of various cipher algorithms and (optionally) various authentication algorithms. The PIX Firewall implements the mandatory 56-bit DES-CBC with Explicit IV (RFC 2405) as the encryption algorithm, and MD5-HMAC (RFC 2403) or SHA-HMAC (RFC 2404) as the authentication algorithm.
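As an added illustration (not from the Cisco guide) of the data authentication and anti-replay services that AH and ESP provide: the following Python sketch computes and verifies the HMAC-MD5-96 (RFC 2403) / HMAC-SHA-1-96 (RFC 2404) integrity check value over a constructed ESP packet and applies the RFC 2401 sliding anti-replay window to its sequence number. The key, SPI and payload bytes are constructed placeholders, and the encrypted payload is treated as opaque.

```python
import hmac
import hashlib
import struct

# RFC 2403/2404: the ICV is an HMAC over SPI || sequence number || encrypted
# payload, truncated to the leftmost 96 bits (12 bytes).
ICV_LEN = 12
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}

def esp_icv(key, alg, authenticated):
    """HMAC-MD5-96 or HMAC-SHA-1-96 over the authenticated ESP bytes."""
    return hmac.new(key, authenticated, HASHES[alg]).digest()[:ICV_LEN]

def build_esp(key, alg, spi, seq, encrypted_payload):
    """Assemble SPI | seq | payload | ICV; the payload is already-encrypted bytes."""
    body = struct.pack("!II", spi, seq) + encrypted_payload
    return body + esp_icv(key, alg, body)

def verify_esp(key, alg, packet):
    """Return (spi, seq, payload) if the ICV verifies, else None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Constant-time comparison; a mismatch means tampering or a wrong key.
    if not hmac.compare_digest(icv, esp_icv(key, alg, body)):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]

class AntiReplayWindow:
    """RFC 2401 sliding anti-replay window (default width 64 sequence numbers)."""
    def __init__(self, width=64):
        self.width, self.top, self.bitmap = width, 0, 0

    def accept(self, seq):
        """True if seq is new and inside the window; records it on acceptance."""
        if seq == 0:
            return False  # sequence number 0 is never valid on an SA
        mask = (1 << self.width) - 1
        if seq > self.top:  # newer than anything seen: slide the window right
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq  # bit 0 of the bitmap represents self.top
        if offset >= self.width or (self.bitmap >> offset) & 1:
            return False  # older than the window, or already seen (replay)
        self.bitmap |= 1 << offset
        return True
```

Decrypting the payload (DES-CBC with the explicit IV, RFC 2405) happens only after the ICV and anti-replay checks pass, which is why the ICV covers the ciphertext rather than the plaintext.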
Internet Key Exchange (IKE)
IKE is implemented per “The Internet Key Exchange” (RFC 2409).
• ISAKMP—The Internet Security Association and Key Management Protocol. A protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association. ISAKMP is implemented per “Internet Security Association and Key Management Protocol (ISAKMP)” (RFC 2408).
• Oakley—A key exchange protocol that defines how to derive authenticated keying material.
• Skeme—A key exchange protocol that defines how to derive authenticated keying material, with rapid key refreshment.
The component technologies implemented for use by IKE include:
• DES—Data Encryption Standard (DES) is used to encrypt packet data. IKE implements the 56-bit DES-CBC with Explicit IV standard. See “CBC.”
• Triple DES (3DES)—A variant of DES, which iterates three times with three separate keys, effectively tripling the strength of DES.
• CBC—Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
• Diffie-Hellman—A public-key cryptography protocol which allows two parties to establish a shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to establish session keys....