Understanding Cisco SSL VPN vs IPSec VPN

Captions
And so, looking at the different types of VPN connectivity, we have clientless, which simply means you're using a browser: Firefox, Chrome, Safari, whatever your browser of choice is. And in this case we're going to use SSL, which is TCP 443 for communications. When we get to a full tunnel-based VPN with the AnyConnect, it can use SSL or it can use IPSec. There's an older IPSec VPN from Cisco they just refer to as Cisco VPN, which is IPSec only, and then our site-to-site VPNs tend to be IPSec only. So you'll see SSL marketed as something newer and fancier and better, right? It costs more money, because we have to actually pay for the number of concurrently connected users for SSL VPN.

But when comparing SSL to IPSec, is SSL more secure? Any ideas? It seems like it's newer, it must be better, right? But Sean says it's not any more secure. Is it faster, is there less overhead? I don't think so either. Does it save us any money? No, it costs more. So why on earth are we doing SSL instead of IPSec? Any ideas? This has definitely gained a lot of popularity. It would be the more fashionable. Sean says, "I run PCI scans regularly and every day there's a new SSL vulnerability," right? There's no way that Heartbleed would have affected IPSec. Ashley says less management overhead of client machines. Sean says ease of use. Tell you what, this is remote access only. IPSec is site-to-site and remote access, so this is only a remote access technology, which starts to clue us in to what's actually happening with IPSec.

Remember when you create a VPN connection from your hotel, over hotel Wi-Fi or over the network at the hotel. We'll just imagine there's a cable here and you hit this hotel router or firewall. We don't know who owns this, we don't know what brand it is, we don't know what the rules are. But if I try to create an IPSec VPN, you know, let's finish this drawing: we'll say here's the internet, here's our ASA, and it's located at headquarters. So when I build a VPN into this thing, if I were to use IPSec, does anybody know what ports are required to be functional on the hotel gateway? And Sean is nailing this, that's the spoiler alert: SSL is generally opened outbound anywhere. So Ashley says, for this to work with IPSec there's a few things we have to allow. First off, UDP 500 needs to be permitted out. Kind of a weird one, this is used for ISAKMP negotiations. Internet Security Association and Key Management Protocol works on UDP 500. What they do there over UDP 500 is they talk about setting up a VPN, so you can authenticate and you can negotiate security associations. We can negotiate SAs. Once our SAs have been created (perfect, Sean's just feeding me the answers, he's seen this episode before, he knows how this goes), we can use ESP to encapsulate all of our data.

Now, when an ESP packet hits this firewall, what might be the problem? And it doesn't always have to be the problem, but we have no idea what type of device that is. Could be a D-Link, it could be a Linksys, it could be something crummy. ESP could be blocked. Actually got this a lot on the CCNA Security exam. Perfect, this is most commonly why remote access VPN fails: because we're sending in ESP packets. What layer does ESP work at, of the OSI model? Anybody know? It's going to be layer four, right? It's on top of IP, which rides on top of Ethernet. The problem is, what is this remote router or firewall doing at this hotel? What is he doing to all of the hotel guests' traffic when it traverses this device? When my laptop's going out to Google, what's happening to this IP header? Perfect, so NAT, and more specifically port address translation. So every packet that goes through needs a port number so it can be PAT'd.

Well, if we look at an ESP packet, and let's just do that real quick, we'll pop over to it. I can't spend like an entire 30 minutes without going to Google Images. If you've sat in class with me before, you know that Google can make prettier images faster than I can. So let's take a look at what an ESP header looks like. There you have it. It's got something called a security parameter index, which is a 32-bit value for each flow. It has a sequence number. It has encrypted payload, which is going to be variable based on how much we're encrypting, and then a pointer that shows us what the next header is, again encrypted, and then authentication data, which is basically for an integrity check. So to make sure that this encrypted data wasn't altered as it passed through the internet, we can do an integrity check on it. What don't we see here? The TCP and UDP have port numbers.

So if you look at an ASA, ASAs are actually smart enough to do inspection of the security parameter index. So if they think SPI... let's see, "ESP inspection", maybe "SPI" is a little bit heavily utilized, "ASA inspection with IPSec". So you can use an ASA and you can actually do inspection of ESP traffic, and he can have multiple VPNs going through the ASA, and he adds them to the state table by using stateful packet inspection and using the ESP header and focusing on the security parameter index. He uses that just like a port number. But it's off by default, so this is something that ASAs can do that's off by default, and additionally it's something not a lot of people are aware of.

So what that brings us to is this situation. So we know that PAT needs to occur, we know that we need port numbers, which ESP doesn't have. An ASA can save the day, but to do so he needs to do inspection of ESP. So chances are this hotel may not have ASA firewalls; it might have something really simple that can't do that ESP inspection. So what happens is we negotiate our VPN tunnel over UDP 500. What does that look like? Well, you launch your VPN client, you connect to the ASA, it prompts you for authentication, you type in your username and password, it assigns you an IP address over IKE, it assigns you a firewall policy, a split tunneling policy and so forth. It tells you that you are connected. Now you open up Remote Desktop Connection, you try to RDP into something, you try to SSH into something, and you don't connect. You open up your VPN client and you look at the packet count: you see lots of packets transmitted, none received. What's happening there? You're sending those ESP packets out, they're hitting the first-hop router, and they're being discarded because there's no port number. So you connect to the VPN, but you can't actually pass traffic back and forth.

So the way that we resolve that is by coming in here and wrapping this ESP header with the UDP header. So this is extra overhead, extra encapsulation, but it fixes our issue with PAT, right? We can PAT that traffic through, because now we have port numbers, which makes this firewall happy. What's the caveat to doing NAT traversal, or NAT-T? This is great because it can get us through the firewall, but sometimes this doesn't work. Any ideas as to why? Some of the guys that run these firewalls on cruise ships and airlines and hotels, they don't know to allow UDP 4500. So we can enable NAT-T, or NAT traversal. It can be pushed down from the headquarters ASA to the user; it'll tell him, "you should be using NAT traversal," and he goes, "awesome, I'm going to send packets out on UDP 4500." But the administrator of that firewall goes, "I'm only going to allow required protocols. I'm going to allow TCP 443, TCP port 80, TCP port 25, UDP 53," and nowhere in his list of top 10 port numbers was he thinking of this one. So it is pretty, it's phenomenal when it works, right? But what you're going to have are users that say, "I don't know what the heck the problem is, this worked all week last week when I was in Seattle, now I'm in Minneapolis and the VPN won't connect." And you look at the ASA and you go to the monitoring tab and you go, "we've got 63 users connected, it's not the ASA, he's fine, I see you authenticating, it says you logged in, something must be wrong with your network." So have you had this problem of remote users, never being able to predict what was going on wherever they were going to be, be it a cruise ship, all-inclusive resort, let's think about happy places, not just technical conferences. But you know, whenever they travel, they want to make sure that they can get in.

What SSL VPN is going to allow us to do is go over TCP 443. So the general population believes SSL VPN is better, when in reality you're using the same, many times, encryption and hashing algorithms. You have additional overhead, you have retransmissions of data, so it's not as efficient as it was, but it always works. I say "always" loosely, because TCP 443 is commonly... So we got pretty nerdy there for like the first moment of the first day. We're like three slides in and we're like, "alright, let's jump into protocol headers," but I hope this all made sense. How are you guys doing? Give me a thumbs up if you're keeping up. Everybody doing alright? Fantastic, awesome. So this is kind of why SSL is preferred over IPSec: they're using the same encryption, they're using the same hashing, it's just TCP 443 is probably going to work. So we'll get into some more detail on what's going on in the background as we progress.

Just in case you're not the type of person that reads crypto books at nighttime or over breakfast with your cereal: when you see SSL, this is really the same thing as TLS, not TSL but TLS, Transport Layer Security. SSL was designed by Netscape, wasn't officially a standard, so TLS, or Transport Layer Security, is. DTLS is Datagram TLS. What that means is it can use UDP 443, because UDP packets have less overhead than a TCP packet. In the event that my remote desktop traffic drops or my SSH traffic drops, let's say I'm running PuTTY over here and I'm on hotel Wi-Fi, and hotel Wi-Fi just sometimes isn't very good, so I've got maybe about 20 percent packet loss. Well, whenever that packet loss is occurring it's getting worse, because PuTTY wants to, of course, use TCP and retransmit. Well, my SSL VPN client as well sees a packet lost, so he retransmits. So anytime you're using TCP for a VPN, you could have dual retransmissions. Does that make sense? I know that orange doesn't stand up very good on this particular color background, but just to kind of highlight this: PuTTY is using TCP and the AnyConnect client is using TCP, so you've got this TCP header here for a VPN and you've got a TCP header that's being encrypted. Those dual retransmissions are making things even slower and even worse.

What DTLS does, Datagram TLS, and I assume you're seeing this in blue very well, uses UDP 443. So now we're back into no-man's land: we've got these protocols that not everybody is going to allow through, but if they do allow it through, we're going to be able to send data more efficiently. We have less overhead and we no longer have dual retransmissions. So SSL and TLS, for our purposes today, are the same thing. DTLS is slightly different because this is a UDP implementation of TLS. So what happens is your session starts off TCP 443 and then it tries to transition into DTLS. If for some reason UDP 443 isn't allowed through, we detect the failure and we do what's called DTLS fallback. You can guess what that is: DTLS isn't working, so we're going to go back to using traditional TLS.
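As an added illustration (not material from the video or from Cisco), a small Python simulation of the PAT problem described in the talk: a gateway that keys its translation table on layer-4 ports drops raw ESP, because the ESP header carries only an SPI and a sequence number; an ASA-style ESP inspection can use the SPI as the flow key instead; and the NAT-T wrapper (ESP inside UDP 4500, RFC 3948) gives the packet ports again. The addresses, SPI and packet bytes are constructed for the demo, and `pat_translate` is a hypothetical model, not any vendor's implementation.

```python
import struct

ESP, UDP, TCP = 50, 17, 6        # IP protocol numbers
NAT_T_PORT = 4500                # RFC 3948: UDP encapsulation of ESP

def build_esp(spi, seq, ciphertext):
    """Constructed ESP packet: 32-bit SPI, 32-bit sequence number, then the
    encrypted payload. There is no port field anywhere in this header."""
    return struct.pack("!II", spi, seq) + ciphertext

def build_udp(sport, dport, payload):
    """Minimal UDP header (checksum 0, which IPv4 permits) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def esp_spi(esp_pkt):
    """Read the Security Parameter Index from the first 4 bytes of an ESP packet."""
    return struct.unpack("!I", esp_pkt[:4])[0]

def pat_translate(proto, l4, table, esp_inspect=False,
                  inside_ip="10.0.0.5", public_ip="203.0.113.1"):
    """Hypothetical hotel gateway doing PAT. Returns (public_ip, public_port)
    for a flow it can track, or None when it has nothing to key a translation
    on. esp_inspect=True models the ASA behaviour the talk describes: the SPI
    is used as if it were a port number (the talk notes this is off by default)."""
    if proto in (TCP, UDP):
        flow_key = (inside_ip, proto, struct.unpack("!H", l4[:2])[0])  # src port
    elif proto == ESP and esp_inspect:
        flow_key = (inside_ip, proto, esp_spi(l4))
    else:
        return None                  # plain ESP on a simple gateway: discarded
    table.setdefault(flow_key, 40000 + len(table))   # allocate a public port
    return public_ip, table[flow_key]

def nat_t_encapsulate(esp_pkt):
    """NAT-T: wrap the ESP packet in UDP 4500 -> 4500 so PAT has ports again."""
    return UDP, build_udp(NAT_T_PORT, NAT_T_PORT, esp_pkt)

def demo():
    """One constructed ESP packet against three gateway behaviours."""
    esp = build_esp(spi=0x1234ABCD, seq=1, ciphertext=b"\xde\xad\xbe\xef" * 4)
    simple = pat_translate(ESP, esp, {})                 # None: tx but no rx
    asa = pat_translate(ESP, esp, {}, esp_inspect=True)  # SPI used as the key
    nat_t = pat_translate(*nat_t_encapsulate(esp), {})   # UDP 4500 gets through
    return simple, asa, nat_t

if __name__ == "__main__":
    print(demo())
```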
Info
Channel: Ryan Lindfield
Views: 204,802
Rating: 4.9080458 out of 5
Keywords: Cisco, SSLvpn, SSL VPN, IPSec, Cisco IOS, Cisco ASA, Transport Layer Security (Protocol), DTLS, Virtual Private Network (Invention)
Id: F9Jt14PWm3U
Length: 15min 16sec (916 seconds)
Published: Wed Jun 04 2014