Session ITMCCS-2268
ASR1000 and how to fulfill PCI DSS requirements in PBZ bank
Nenad Juras, PBZ
Matija Petrović, IBM
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public Presentation_ID 3
Agenda
About Privredna banka Zagreb
PBZ Metro Ethernet network
Implementing new aggregation platform
Improving Quality of Service
PCI DSS and other requirements
GET overview
GET implementation in test environment
GET implementation in production
Issues encountered
Next steps
About Privredna banka Zagreb
About Privredna Banka Zagreb (PBZ)
Founded 1962
Acquired 1999 by Banca Commerciale Italiana
Member of group Intesa Sanpaolo since 2007
Second largest bank in Croatia, 20% market share
1,550,000 customers
www.pbz.hr
About Intesa Sanpaolo Group
Leading banking group in Italy, 17% market share
5800 branch offices and 11.3 million domestic clients
1800 branch offices and 8.6 million clients abroad
Privredna banka Zagreb - organization
5 regions
18 regional centers
203 branch offices
more than 3500 employees in PBZ
more than 4400 employees in PBZ Group
PBZ Metro Ethernet network
Migration to Metro Ethernet
Migration started in 2006
Two service providers
Regional branches connected with redundant ME links from both service providers
Branch offices connected with ME links & ISDN backup lines
Cisco 2821 in branch offices, Cisco 3825/45 in regional branches
IP telephony implemented together with Metro Ethernet
Network topology – Metro Ethernet with ISDN
(diagram: primary and secondary datacenter connected over DWDM; regional branches and branch offices connected over Metro Ethernet, with ISDN as backup)
Metro Ethernet challenges
Two service providers – two technologies (E-Line & E-LAN)
Shared media with E-LAN
Expensive backup solution – 2 to 4 ISDN BRA per branch office
Bandwidth difference between primary link and backup link – 2 Mbps vs. 256-512 Kbps
Voice class traffic limited to backup bandwidth – requirement of IP Telephony
Metro Ethernet - improving backup
Using ME link from alternative service provider for backup in branch offices
Different access technologies – copper and fiber
Same bandwidth on primary and backup link
Backup link always active – simple switchover when required
Additional router port required – HWIC-1FE
Higher running costs offset with better functionality
Network topology – Metro Ethernet, 2 providers
(diagram: primary and secondary datacenter connected over DWDM; regional branches and branch offices each connected over Metro Ethernet links from both service providers)
Implementing new aggregation platform
New platform for Metro Ethernet aggregation
ASR 1000 platform identified as suitable solution
first presented at Cisco Expo 2008
hierarchical QoS
high availability features
support for DMVPN and GET encryption
high performance with all features on (QoS, IPSec, FW)
modular design with scalable performance (ESP 5, 10, 20)
ASR 1000 – Production configuration
ASR 1002 – 4 pcs
ESP5
1×SPA-5X1GE, 9 GE ports total
Advanced Enterprise Services, FPI, IPSEC
provider separation
easier maintenance
no need for ESP 10 performance
Network topology – ASR 1002 in production
(diagram: primary and secondary datacenter connected over DWDM, with the four ASR 1002 routers (front panels shown) terminating the Metro Ethernet links toward regional branches and branch offices)
Improving Quality of Service
Implementation of hierarchical QoS on ASR WAN Metro Ethernet links
ASR provides a variety of options for implementing QoS
Main challenge – how to implement an appropriate QoS model on WAN links
Two Metro Ethernet technologies on WAN links: E-LAN – shared interface; E-Line – subinterfaced
QoS configuration has to be as uniform as possible for easier maintenance and suitable for future changes
Design, test and implement hierarchical QoS for each WAN link and for each logical network region
PBZ WAN network topology
Regions across Croatia – 15 of them, from 5 to 25 branches per region
Zagreb region – 52 branches
(diagram: primary and secondary datacenter with ASR = route hubs, regional hubs, branches and ISDN backup hubs; link types: E-LAN Regional, E-LAN National, E-LINE (Regional, National), ISDN backup)
QoS configuration – marking interesting traffic
Traffic is marked on ingress interface from datacenter
Packet matching is done with standard mechanisms: ACL and NBAR
Traffic is classified
Different classes receive different DSCP markings via the ingress policy map, according to Cisco best practices
QoS configuration – marking interesting traffic - example
NBAR
ip nbar port-map custom-03 tcp 2000 2001 2002
ip nbar port-map custom-02 udp 2427 2727
ip nbar port-map custom-02 tcp 2427 2428 2727
ip nbar port-map custom-01 tcp 1645 1646

ACL
ip access-list extended APP_CENTAR_POSL_PZ
 remark /**************************************
 remark QoS access list for application traffic
 deny tcp host 10.100.12.21 any eq www
 permit tcp 10.100.12.0 0.0.3.255 eq 443 any
 ....
 ....
 .....
 permit ip host 10.203.9.43 any

Class maps
class-map match-all Voice
 match protocol rtp audio
 ....
 ....
class-map match-any APP2POSL_PZ
 match access-group name APP_CENTAR_POSL_PZ
 match protocol kerberos

Policy map
policy-map OZNACI
 class Voice
  set ip dscp ef
 class Voice-Sig
  set ip dscp cs3
 class Nadzor
  set ip dscp cs2
 class APP2POSL_PZ
  set ip dscp af21
QoS configuration – marking interesting traffic - example
Implementation on ingress interfaces
interface GigabitEthernet0/0/2
service-policy input OZNACI
ip nbar protocol-discovery
interface GigabitEthernet0/0/3
service-policy input OZNACI
ip nbar protocol-discovery
QoS implementation on ASR routers
(diagram: RD-ASR0X in the primary datacenter and LA-ASR0X in the secondary datacenter; ingress interfaces Gi0/0/2 and Gi0/0/3 = marking; X Mbps Metro Ethernet link toward a regional hub or branch; max non-marked traffic from each ASR toward a regional hub or branch = 0.4 × X Mbps; max 0.8X for DSCP default traffic in total)
QoS configuration – managing marked traffic on WAN interfaces
Class maps for child policy map
class-map match-any WAN_Voice
 match dscp ef
class-map match-any WAN_Voice-Sig
 match dscp cs3
class-map match-any WAN_Nadzor
 match dscp cs2
class-map match-any WAN_APP2POSL_PZ
 match dscp af21

Child policy map
policy-map GENERIC-ASR
 class WAN_Voice
  priority percent 18
 class WAN_Voice-Sig
  bandwidth percent 2
  random-detect
 class WAN_Nadzor
  bandwidth percent 5
  random-detect
 class WAN_APP2POSL_PZ
  bandwidth percent 25
  random-detect dscp-based
 class class-default
  bandwidth percent 20
  random-detect dscp-based
  police rate percent 40 conform-action transmit exceed-action drop
QoS configuration – managing marked traffic on WAN interfaces
Class maps for parent policy map
class-map /router_hostname_branch/region/
 match access-group name /router_hostname_branch/region/
This class map uniquely identifies a region or branch.
class-map match-any eigrp
 match ip dscp cs6
Protects routing packets.

Parent policy map
policy-map WAN_T-COM_GRADSKI
 class eigrp
  bandwidth 20
 class /router_hostname_branch/region/
  shape average 2000000
  service-policy GENERIC-ASR

ACL for classes used in parent policy map
ip access-list extended /router_hostname_branch/region/
 permit ip any 10.X.0.0 0.0.63.255    -> LAN network of this branch/region

Implementation on egress interface
interface GigabitEthernetx/y/z
 bandwidth 40000
 service-policy output WAN_T-COM_GRADSKI
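As an added example (not code from the PBZ/IBM presentation), the script below audits the two halves of the hierarchical QoS design described on the preceding slides: the ingress marking policy (OZNACI) and the WAN child policy (GENERIC-ASR) under the parent shaper. It parses constructed copies of the slide configurations (the random-detect lines are left out since they do not affect the checks) and reports DSCP values that are marked on ingress but have no WAN class (such traffic silently ends up in class-default on the WAN link), whether the priority plus bandwidth percentages oversubscribe the child policy, and the guaranteed rate each class gets under the 2,000,000 bps parent shaper.

```python
"""Audit the ingress marking policy against the WAN child policy.

Added example; the configuration strings are constructed copies of the
slides' OZNACI / WAN_* / GENERIC-ASR snippets, trimmed for the audit.
"""
import re

MARKING_POLICY = """
policy-map OZNACI
 class Voice
  set ip dscp ef
 class Voice-Sig
  set ip dscp cs3
 class Nadzor
  set ip dscp cs2
 class APP2POSL_PZ
  set ip dscp af21
"""

WAN_CLASS_MAPS = """
class-map match-any WAN_Voice
 match dscp ef
class-map match-any WAN_Voice-Sig
 match dscp cs3
class-map match-any WAN_Nadzor
 match dscp cs2
class-map match-any WAN_APP2POSL_PZ
 match dscp af21
"""

CHILD_POLICY = """
policy-map GENERIC-ASR
 class WAN_Voice
  priority percent 18
 class WAN_Voice-Sig
  bandwidth percent 2
 class WAN_Nadzor
  bandwidth percent 5
 class WAN_APP2POSL_PZ
  bandwidth percent 25
 class class-default
  bandwidth percent 20
  police rate percent 40 conform-action transmit exceed-action drop
"""


def marked_dscps(policy_text):
    """DSCP values the ingress policy sets on classified traffic."""
    return set(re.findall(r"set ip dscp (\S+)", policy_text))


def wan_matched_dscps(classmap_text):
    """DSCP values the WAN class maps match on (accepts 'match dscp' and 'match ip dscp')."""
    return set(re.findall(r"match (?:ip )?dscp (\S+)", classmap_text))


def unmatched_markings(policy_text, classmap_text):
    """Marked on ingress but not matched on the WAN: these fall into class-default."""
    return sorted(marked_dscps(policy_text) - wan_matched_dscps(classmap_text))


def child_allocations(child_text):
    """Map class name -> (statement kind, percent) for priority/bandwidth lines."""
    alloc = {}
    current = None
    for line in child_text.splitlines():
        m = re.match(r"\s*class (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*(priority|bandwidth) percent (\d+)", line)
        if m and current:
            alloc[current] = (m.group(1), int(m.group(2)))
    return alloc


def percent_total(alloc):
    """Sum of priority + bandwidth percentages; IOS rejects totals above 100."""
    return sum(pct for _, pct in alloc.values())


def guaranteed_kbps(alloc, shape_bps):
    """Guaranteed rate per class when the parent shaper caps the child at shape_bps."""
    shape_kbps = shape_bps // 1000
    return {name: shape_kbps * pct // 100 for name, (_, pct) in alloc.items()}


def audit(shape_bps=2000000):
    """Run all three checks against the embedded slide configuration."""
    alloc = child_allocations(CHILD_POLICY)
    total = percent_total(alloc)
    return {
        "unmatched": unmatched_markings(MARKING_POLICY, WAN_CLASS_MAPS),
        "percent_total": total,
        "over_subscribed": total > 100,
        "kbps": guaranteed_kbps(alloc, shape_bps),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

Running it on the slide configuration reports no unmatched markings, a 70% child allocation (18 + 2 + 5 + 25 + 20), and 360 kbps guaranteed to the voice priority queue under the 2 Mbps shaper; the same script can be pointed at each regional router's running config to confirm the uniform policy the slides call for.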
PCI DSS and other requirements
PCI DSS requirements
Card processing is outsourced to Intesa Sanpaolo Card (ISP Card)
PCI DSS is currently not implemented in PBZ
Data from ATMs and POS devices in branch offices transmitted through PBZ Metro Ethernet network
PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks
Other regulatory requirements
Intesa Sanpaolo security guidelines: plan the use of appropriate security mechanisms (e.g., cryptography, backup, digital signature) to ensure information confidentiality, integrity and non-repudiation
Croatian National Bank recommends encrypting network traffic over service provider links
External IT auditor requires encrypting certain types of network traffic and traffic with third parties
GET overview
What is Group Encrypted Transport VPN (GET VPN)?
GET VPN (Group Encrypted Transport VPN) emerged in response to the need to encrypt traffic on private WAN networks
GET VPN is a group-key-based, tunnel-less VPN solution for enterprise networks using a private MPLS/IP core
It enables a secure, end-to-end, fully meshed network for data, voice, video and other applications, using the existing QoS, multicast and routing
What is Group Encrypted Transport VPN (GET VPN)?
Relies on open-standard technology: Group Domain of Interpretation (GDOI), RFC 3547, which provides cryptographic keys and policies to a group of VPN gateways that share the same security policy
IPsec encryption: supports 3DES and AES-128/192/256
GET VPN components
(diagram: a Key Server with four Group Members, connected through Routing Members)
Group Member
• Encryption devices
• Route between secure / unsecure regions
• Multicast participation
Key Server
• Validate group members
• Manage security policy
• Create group keys
• Distribute policy / keys
Routing Member
• Forwarding
• Replication
• Routing
Note: In PBZ WAN Network Routing Members = Group Members
GET VPN components
KS – Key server
• KS is the central place for creating and maintaining encryption policy within GET VPN
• KS is the router on which the encryption algorithms, hash algorithms, interesting traffic and rekey timers are configured
• KS creates and maintains the KEK (Key Encryption Key) and TEK (Traffic Encryption Key) keys and the pseudo-timer
• KS cannot be a Group Member
COOP KS
• Since the KS is the central point for creating and maintaining encryption policy, it has a critical role in the GET VPN network
• COOP KS is a protocol that allows synchronization between multiple KSs
• Only the primary KS distributes policy updates in the network
GET VPN components
GM – Group Member
• GM is the router in the network in charge of encrypting / decrypting IP traffic
• GM is configured only with IKE settings and information about the KS / group
• Necessary exceptions to the global policy can be configured on the GM
• IPsec policy is obtained from the KS
GDOI – Group Domain of Interpretation
• GDOI (RFC 3547) is the control protocol between the Group Member and the Key Server
• GDOI is used to distribute group policy and cryptographic keys to group members
GET VPN features
IP Header Preservation
• Unlike standard IPsec tunnel or transport mode, GET VPN copies the original IP header to the start of the encrypted packet
• IP header preservation allows the existing routing in the network to be used, as well as QoS and multicast
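To make the header-preservation point concrete, here is an added Python example (not Cisco or PBZ code) that builds a constructed inner IPv4 packet and derives the outer header a GET VPN group member places in front of the ESP-protected payload: the original source and destination addresses and the ToS byte (DSCP) are copied, the protocol becomes ESP (50), and only the total length and checksum are recomputed. The ESP header and ciphertext are represented by a placeholder byte string, since the encryption itself is not the point; copying the TTL unchanged is an assumption of this example.

```python
"""GET VPN IP header preservation, illustrated on a constructed packet.

Added example. The outer header keeps src/dst/ToS of the inner header so
that WAN routing and DSCP-based QoS classifiers see exactly what they saw
before encryption; the ESP payload here is a placeholder, not real ESP.
"""
import socket
import struct

ESP_PROTO = 50
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, tos=0, ttl=64, ident=0):
    """Build a 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack(IPV4_FMT, 0x45, tos, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields of the leading IPv4 header."""
    f = struct.unpack(IPV4_FMT, packet[:20])
    return {
        "tos": f[1], "dscp": f[1] >> 2, "total_len": f[2], "ttl": f[5], "proto": f[6],
        "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
    }


def get_vpn_encapsulate(inner_packet: bytes, esp_payload: bytes) -> bytes:
    """Prepend a preserved outer header (same src/dst/ToS, proto ESP) to the ESP payload."""
    inner = parse_ipv4_header(inner_packet)
    outer = build_ipv4_header(inner["src"], inner["dst"], ESP_PROTO, len(esp_payload),
                              tos=inner["tos"], ttl=inner["ttl"])  # TTL copy: assumption
    return outer + esp_payload


# Constructed sample: a branch POS host talking to the datacenter, marked AF21 (DSCP 18)
INNER = build_ipv4_header("10.50.1.10", "10.100.5.5", 6, 40, tos=18 << 2) + b"\x00" * 40
# Placeholder standing in for ESP header + ciphertext(inner) + ICV
ESP_BLOB = b"\xab" * (8 + len(INNER) + 16)
OUTER_PACKET = get_vpn_encapsulate(INNER, ESP_BLOB)


def preserved_fields(packet: bytes) -> dict:
    """What a router on the WAN path sees when it looks at the outer header."""
    return parse_ipv4_header(packet)


if __name__ == "__main__":
    print("inner:", preserved_fields(INNER))
    print("outer:", preserved_fields(OUTER_PACKET))
```

Comparing the two printed dictionaries shows the practical consequence the slides rely on: the WAN_APP2POSL_PZ class map (match dscp af21) and the per-branch destination ACLs in the parent policy still match encrypted packets, because DSCP and addresses on the wire are unchanged; only the protocol field (50) and length differ.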
GETVPN – How does it work
Step 1: Group Members (GM) “register” via GDOI (IKE) with the Key Server (KS)
 KS authenticates & authorizes the GM
 KS returns a set of IPsec SAs for the GM to use
Step 2: Data plane encryption
 GMs exchange encrypted traffic using the group keys
 The traffic uses IPsec tunnel mode with “address preservation”
Step 3: Periodic rekey of keys
 KS pushes out replacement IPsec keys before the current IPsec keys expire. This is called a “rekey”.
GETVPN benefits
Previous limitations vs. new features and associated benefits

Previous limitation: Multicast traffic encryption was supported through IPsec tunnels
 – Not scalable
 – Difficult to troubleshoot
New feature: Encryption supported for native multicast and unicast traffic with Group Security Association
 – Allows higher scalability
 – Simplifies troubleshooting
 – Extensible standards-based framework

Previous limitation: Overlay VPN network
 – Overlay routing
 – Sub-optimal multicast replication
 – Lack of virtualized QoS
 – Peer mesh of IPsec states
New feature: No overlay
 – Leverages core network for multicast replication via IP header preservation
 – Optimal routing introduced in VPN
 – Standard QoS for encrypted traffic
 – Global distributed IPsec state

Previous limitation: Full mesh connectivity
 – Hub and spoke primary support
 – Spoke to spoke not scalable
New feature: Any-to-any instant enterprise connectivity
 – Leverages core for instant communication
 – Optimal for Voice over VPN deployments
Clear-text Transition Methods
Four methods:
Receive-Only
Selective Inclusion
Selective Exclusion
Logical Transition
Clear-text: Receive-Only Method
Goal
 Incrementally deploy infrastructure without encryption
 Immediate transition to encryption controlled by KS
Method
 Deploy KS with receive-only SAs (don’t encrypt, allow decryption)
 Deploy GMs throughout infrastructure and monitor rekey processes
 Transition KS to normal SA (encrypt, decrypt)
Assessment
 Pro: Simple transition to network-wide encryption
 Con: Correct policies imperative
 Con: Deferred encryption until all CEs are capable of GM functions
(diagram: KS and GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24, before and after GET is enabled; policy before: permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255; policy after: permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255)
Clear-text: Receive-Only with Passive Mode Method
Goal
 Incrementally deploy infrastructure without encryption
 Incrementally transition to encryption controlled by GM
Method
 Deploy KS with receive-only SAs (don’t encrypt, allow decryption)
 Deploy GMs throughout infrastructure and monitor rekey processes
 Transition each GM to passive mode SA (encrypt, decrypt)
 Transition KS to normal mode
 Transition each GM to normal mode
Assessment
 Pro: Simple transition to network-wide encryption
 Pro: Incremental validation of policies
 Pro: No flash cut-over
 Con: Deferred encryption until all CEs are capable of GM functions
(diagram: KS and GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24, with GET enabled on individual GMs one at a time; policy on both sides: permit ip any any (receive only))
Clear-text: Selective Encryption Method
Goal
 Incrementally deploy infrastructure and encryption
 Only encrypt specific traffic
Method
 Deploy KS with SA with a narrow scope of encryption
 Expand scope of encryption as sites are added
 Add sites in groups according to CIDR blocks
Assessment
 Pro: Conservative approach to introducing encryption
 Pro: Incremental introduction of encryption between CEs
 Con: Policies can become complex for large networks
 Con: Requires clean CIDR aggregates to simplify policies
 Con: Memory constraints based on a complex set of SAs
(diagram: KS and GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24; policy with the wider scope: permit ip 10.1.4.0 0.0.3.255 10.1.4.0 0.0.3.255; policy with the narrow scope: permit ip 10.1.4.0 0.0.1.255 10.1.4.0 0.0.1.255)
Clear-text: Exception Encryption Method
Goal
 Incrementally deploy infrastructure and encryption
 Encrypt all traffic with explicit exceptions
Method
 Deploy KS with SA using a global (any-any) scope of encryption
 Explicitly deny encryption (globally or locally) for all sites not capable of encryption
 Add sites in groups according to CIDR aggregates
Assessment
 Pro: Conservative approach to introducing encryption
 Pro: Incremental introduction of encryption between CEs
 Con: Policies can become complex for large networks
 Con: Requires clean CIDR aggregates to simplify policies
 Con: Local deny statements needed to minimize global policy size
(diagram: KS and GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24; global policy: permit ip any any; policy with exception for sites not yet capable: deny ip 10.1.6.0 0.0.1.255, permit ip any any)
Clear-text: Logical Transition
Goal
 Incrementally deploy topological infrastructure and encryption
 Encrypt all traffic on the new topological infrastructure
Method
 Deploy KS with SA using global (any-any) scope of encryption
 Incorporate transition sites into the encryption system with local deny (any-any)
 Transition sites from clear-text infrastructure to encrypted infrastructure and remove local deny
Assessment
 Pro: Easy transition of individual CEs
 Pro: No requirement to deal with CIDR aggregates
 Pro: Simplified policy throughout transition
 Con: Requires changing the logical topology
(diagram: KS and GMs serving 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24 and 10.1.7.0/24, with a transition GM moved from the clear-text to the encrypted topology; policy on both sides: permit ip any any)
GET implementation in test environment
GETVPN implementation requirements in PBZ WAN network
preservation of the existing network design and routing
preservation of original IP addresses and DSCP
preservation of the existing QoS
upgrade of existing platforms with AIM-VPN/SSL modules in regional centers
software upgrade to a version that supports all existing demands on the network as well as new functionality such as GET VPN
GET VPN implementation requirements in PBZ WAN network
Existing platform         New software release   AIM module
ASR 1002                  3.1.2S                 –
Cisco 2821                12.4(24)T4             –
Cisco 2821-SRST/K9        12.4(24)T4             AIM-VPN/SSL-2
Cisco 2821-V/K9           12.4(24)T4             AIM-VPN/SSL-2
Cisco 3825-SRST/K9        12.4(24)T4             AIM-VPN/SSL-3
Cisco 3825-V/K9           12.4(24)T4             AIM-VPN/SSL-3
Cisco 3845-SRST/K9        12.4(24)T4             AIM-VPN/SSL-3
Key servers
CISCO3825-HSEC/K9         12.4(24)T4             AIM-VPN/SSL-3
GET implementation in test environment (Oct 01-Dec 18)
test equipment and IOS versions defined
testing in lab environment
• routing
• QoS
• CPU
• high availability (SW and HW redundancy)
Test environment
GET implementation in production
GET implementation in pilot production (Dec 18-Jan 31)
testing in production environment:
• installation of KS in primary data center
• installation of KS in secondary data center
• IOS upgrade for routers in pilot regional center (from SP Services to Advanced IP Services) and upgrade with AIM module (AIM-VPN/SSL-3, AIM-VPN/SSL-2)
• IOS upgrade for routers in pilot branch offices (from IP Base to Advanced Security) – Flash memory upgrade required
• implementation of encryption on pilot locations
• testing KS COOP
• testing routing, QoS, CPU load, application and voice traffic on pilot locations
GET VPN Topology in Production Environment
Primary KS configuration
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Cisco address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GDOI
 set security-association lifetime seconds 7200
 set transform-set VPN
!
crypto gdoi group GET
 identity number 1
 server local
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  authorization address ipv4 50
  sa ipsec 1
   profile GDOI
   match address ipv4 KRIPTO_POLICY
   replay time window-size 5
  address ipv4 10.100.200.6
  redundancy
   local priority 100
   peer address ipv4 10.200.200.6

ip access-list extended KRIPTO_POLICY
 remark **Prevent recursive encryption of transitive ESP **
 deny esp any any
 remark **telnet*
 deny tcp any any eq telnet
 deny tcp any eq telnet any
 remark **eigrp*
 deny eigrp any any
 remark **isakmp*
 deny udp any eq isakmp any eq isakmp
 remark **gdoi**
 deny udp any eq 848 any eq 848
 remark **ssh**
 deny tcp any eq 22 any
 deny tcp any any eq 22
 remark **tftp**
 deny udp any eq tftp any
 deny udp any any eq tftp
 remark **netflow**
 deny udp any eq 2055 any
 deny udp any any eq 2055
 remark *domain controller*
 deny ip any host 10.100.1.253
 deny ip any host 10.100.1.254
 deny ip any host 10.200.1.254
 deny ip host 10.200.1.254 any
 deny ip host 10.100.1.254 any
 deny ip host 10.100.1.253 any
 remark ** dns **
 deny udp any any eq domain
 deny udp any eq domain any
 remark **ntp**
 deny udp any any eq ntp
 deny udp any eq ntp any
 remark **syslog**
 deny udp any any eq syslog
 deny udp any eq syslog any
 remark **multicast**
 deny ip any 224.0.0.0 15.255.255.255
 permit ip any any
Secondary KS configuration
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key Cisco address 10.0.0.0 255.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GDOI
 set security-association lifetime seconds 7200
 set transform-set VPN
!
crypto gdoi group GET
 identity number 1
 server local
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  authorization address ipv4 50
  sa ipsec 1
   profile GDOI
   match address ipv4 KRIPTO_POLICY
   replay time window-size 5
  address ipv4 10.200.200.6
  redundancy
   local priority 75
   peer address ipv4 10.100.200.6

ip access-list extended KRIPTO_POLICY
 remark **Prevent recursive encryption of transitive ESP **
 deny esp any any
 remark **telnet*
 deny tcp any any eq telnet
 deny tcp any eq telnet any
 remark **eigrp*
 deny eigrp any any
 remark **isakmp*
 deny udp any eq isakmp any eq isakmp
 remark **gdoi**
 deny udp any eq 848 any eq 848
 remark **ssh**
 deny tcp any eq 22 any
 deny tcp any any eq 22
 remark **tftp**
 deny udp any eq tftp any
 deny udp any any eq tftp
 remark **netflow**
 deny udp any eq 2055 any
 deny udp any any eq 2055
 remark *domain controller*
 deny ip any host 10.100.1.253
 deny ip any host 10.100.1.254
 deny ip any host 10.200.1.254
 deny ip host 10.200.1.254 any
 deny ip host 10.100.1.254 any
 deny ip host 10.100.1.253 any
 remark ** dns **
 deny udp any any eq domain
 deny udp any eq domain any
 remark **ntp**
 deny udp any any eq ntp
 deny udp any eq ntp any
 remark **syslog**
 deny udp any any eq syslog
 deny udp any eq syslog any
 remark **multicast**
 deny ip any 224.0.0.0 15.255.255.255
 permit ip any any
GET VPN Topology in Production Environment
ASR
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key Cisco address 10.100.200.6
crypto isakmp key Cisco address 10.200.200.6
!
crypto gdoi group GET
 identity number 1
 server address ipv4 10.100.200.6
 server address ipv4 10.200.200.6
 passive
!
crypto map METRONET local-address Loopback0
crypto map METRONET 10 gdoi
 set group GET
GET VPN Topology in Production Environment
Regional center
ip access-list extended CRYPTO
 remark novska
 deny ip any 10.73.0.0 0.0.63.255
 remark petrinja
 deny ip any 10.168.0.0 0.0.63.255
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key Cisco address 10.100.200.6
crypto isakmp key Cisco address 10.200.200.6
!
crypto gdoi group GET
 identity number 1
 server address ipv4 10.100.200.6
 server address ipv4 10.200.200.6
 passive
!
crypto map GETVPN local-address Loopback0
crypto map GETVPN 10 gdoi
 set group GET
 match address CRYPTO
GET VPN Topology in Production Environment
Branch Office
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key Cisco address 10.100.200.6
crypto isakmp key Cisco address 10.200.200.6
!
crypto gdoi group GET
 identity number 1
 server address ipv4 10.100.200.6
 server address ipv4 10.200.200.6
 passive
!
crypto map GETVPN local-address Loopback0
crypto map GETVPN 10 gdoi
 set group GET
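The following added Python example (not Cisco or PBZ code) covers both the KRIPTO_POLICY ACL on the key servers and the local CRYPTO exception ACL on the regional center: it evaluates, for a given flow, whether a group member would encrypt it. A GM consults its local crypto-map ACL (used for deny exceptions, as on the regional-center slide) before the policy downloaded from the KS, so a flow is encrypted only if no local deny matches and the first matching KS entry is a permit. The ACL texts are constructed copies trimmed to the entries needed here, the flows are constructed samples (a POS host at 10.50.1.10, a regional-center host at 10.20.1.5), and the wildcard-mask handling relies on Python's ipaddress accepting hostmask notation.

```python
"""Evaluate flows against the GET VPN crypto policy shown on the slides.

Added example. KS_POLICY is a trimmed, constructed copy of KRIPTO_POLICY;
LOCAL_CRYPTO is the regional center's local deny ACL. Flows are tuples
(proto, src, dst, sport, dport) with None for protocols without ports.
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "isakmp": 500, "tftp": 69, "domain": 53, "ntp": 123, "syslog": 514}

KS_POLICY = """
deny esp any any
deny tcp any any eq telnet
deny tcp any eq telnet any
deny eigrp any any
deny udp any eq isakmp any eq isakmp
deny udp any eq 848 any eq 848
deny tcp any eq 22 any
deny tcp any any eq 22
deny ip any host 10.100.1.253
deny ip host 10.100.1.253 any
deny udp any any eq domain
deny udp any eq domain any
deny ip any 224.0.0.0 15.255.255.255
permit ip any any
"""

# Local exception ACL on the regional-center GM: branches not yet migrated stay clear-text
LOCAL_CRYPTO = """
deny ip any 10.73.0.0 0.0.63.255
deny ip any 10.168.0.0 0.0.63.255
"""


def _port(tok):
    """Numeric port or IOS service name."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # IOS wildcard mask == hostmask, which ipaddress accepts directly
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1], strict=False), i + 2


def parse_entry(line):
    """Parse one extended-ACL entry into a dict (ports are None when unspecified)."""
    tok = line.split()
    src, i = _parse_addr(tok, 2)
    sport = None
    if i < len(tok) and tok[i] == "eq":
        sport, i = _port(tok[i + 1]), i + 2
    dst, i = _parse_addr(tok, i)
    dport = _port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": tok[0], "proto": tok[1], "src": src, "sport": sport, "dst": dst, "dport": dport}


def parse_acl(text):
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]


def entry_matches(e, flow):
    proto, src, dst, sport, dport = flow
    if e["proto"] != "ip" and e["proto"] != proto:
        return False
    if ipaddress.ip_address(src) not in e["src"] or ipaddress.ip_address(dst) not in e["dst"]:
        return False
    if e["sport"] is not None and e["sport"] != sport:
        return False
    return e["dport"] is None or e["dport"] == dport


def first_match(acl, flow):
    """First-match semantics with the implicit deny every IOS ACL ends with."""
    for e in acl:
        if entry_matches(e, flow):
            return e["action"]
    return "deny"


def is_encrypted(flow, ks_acl, local_acl=()):
    """Local GM deny entries win; otherwise the KS policy decides."""
    if any(entry_matches(e, flow) for e in local_acl):
        return False
    return first_match(ks_acl, flow) == "permit"


if __name__ == "__main__":
    ks, local = parse_acl(KS_POLICY), parse_acl(LOCAL_CRYPTO)
    for flow in [("tcp", "10.50.1.10", "10.100.5.5", 51000, 443),
                 ("tcp", "10.50.1.10", "10.100.5.5", 51001, 23),
                 ("tcp", "10.20.1.5", "10.73.4.9", 40002, 443)]:
        print(flow, "branch:", is_encrypted(flow, ks), "regional:", is_encrypted(flow, ks, local))
```

Used as a pre-deployment check, the point is the negative cases: any flow carrying cardholder data that the evaluator reports as clear-text (because it hits a management exception such as the domain-controller or DNS denies, or a local deny that outlived the branch migration) is exactly the gap PCI DSS Requirement 4 asks to close.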
Issues encountered
Issues encountered – ASR 1000
Shared interface issue
When the ASR receives encrypted traffic intended for an unencrypted location, it drops these packets. The ASR does forward packets from an unencrypted to an encrypted location.
• Cisco has recognized the problem; PBZ and IBM are working closely with the Cisco business unit – a solution is expected in a future IOS XE release
• A workaround suggested by Cisco for the current IOS XE release will be tested after this conference
Other issues encountered
Key server issue
Discontinuous subnet entries in the crypto ACL on the key server are not supported – no solution exists yet, so we stopped using discontinuous subnets
Issues with encrypted network traffic
Problem in communication between domain controllers and workstations – this traffic is currently excluded from encryption
Next steps
Next steps
IOS upgrade for routers in regional centers (from SP services to Advanced IP Services)
IOS upgrade for routers in branch offices (from IP Base to Advanced Security) – requires Flash memory upgrade
Continuing implementation of GETVPN
Summary
GETVPN provides a scalable technology for implementing encryption in enterprise Metro Ethernet networks
Successful implementation in limited production environment – minor issues encountered
“Fine tuning” for full production
Q&A