IPsec Access Control; IPsec - Alcatel-Lucent OmniAccess 700 CLI Configuration Manual

Release versions: 2.2, 2.2-r02, 2.3
IPsec Access Control
IPsec access control takes place after device authentication. As defined by the IPsec standard, the networks, hosts, and ports that are allowed to traverse the tunnel are defined in the Security Policy Database (SPD). It is advisable to configure an inbound access control list when configuring a VPN for site-to-site traffic.
IPsec
IPsec provides numerous security features. The following are some features that
can be configured:
Device Authentication and credentials
Data Encryption
Data Integrity
SA aging
The IPsec standard requires the use of either data integrity or data encryption. It is recommended to configure both data integrity and data encryption.
Data encryption is provided by algorithms such as DES, 3-DES, AES-128, AES-192, and AES-256. Most common deployments use 3-DES in place of DES. The drawback of 3-DES is its loss of performance, so AES-128 is recommended over 3-DES because it improves performance. AES-128 is also widely accepted by the U.S. federal government; a reference can be found at http://www.nist.gov/public_affairs/releases/g01-111.htm
Data integrity is provided by hash algorithms such as MD5 and SHA-1. SHA-1 is considered more secure than MD5 because of its greater bit strength: SHA-1 produces a 160-bit hash, while MD5 produces only 128 bits. It is recommended to use SHA-1 instead of MD5.
Both IPsec phases allow the lifetime of a Security Association (SA) to be changed. The shorter the lifetime, the more secure the connection. However, if the lifetime is too short, i.e. a few seconds, tunnel negotiation would repeat continuously without the tunnel ever being established for data traffic. Hence, it is recommended to keep the SA lifetime on the order of minutes or hours rather than seconds, so that data traffic exceeds control traffic.
Perfect Forward Secrecy (PFS) generates a new key from entirely new seed material by carrying out a Diffie-Hellman (DH) group exponentiation every time a new quick-mode SA needs key generation. This option increases the level of security but also increases processor overhead, which is why some VPN devices provide an option of not configuring PFS. Whether to enable PFS also depends on the sensitivity of the data being tunneled: if the data mandates higher security, PFS can be enabled. The strength of the Diffie-Hellman exponentiation (the DH group) is configurable.
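As an added illustration (not from the manual) of what the PFS option changes, the following Python derives quick-mode KEYMAT as in RFC 2409 section 5.5 with and without a per-SA DH exchange, using IKE DH group 2 and HMAC-SHA1 as the prf. The SKEYID_d, SPI and nonce values are constructed at random; the point shown is that without PFS the SA key follows from the phase-1 secret plus values visible on the wire, while with PFS it does not.

```python
import hmac
import hashlib
import os

# 1024-bit MODP group (IKE DH group 2, RFC 2409 section 6.2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf instantiated as HMAC-SHA1 (the SHA-1 integrity choice above)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    """Ephemeral private exponent x and public value g^x mod p (constructed at random)."""
    x = int.from_bytes(os.urandom(128), "big") % (P - 2) + 1
    return x, pow(G, x, P)

def keymat(skeyid_d: bytes, proto_spi: bytes, ni: bytes, nr: bytes, gxy=None) -> bytes:
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    gxy is the quick-mode DH shared secret; None means PFS is disabled."""
    shared = b"" if gxy is None else gxy.to_bytes(128, "big")
    return prf(skeyid_d, shared + proto_spi + ni + nr)

def quick_mode(skeyid_d: bytes, pfs: bool):
    """Run one quick-mode key derivation; return the SA key and the values sent in clear."""
    proto_spi = b"\x03" + os.urandom(4)          # protocol 3 (ESP) + constructed SPI
    ni, nr = os.urandom(16), os.urandom(16)      # constructed initiator/responder nonces
    if not pfs:
        return keymat(skeyid_d, proto_spi, ni, nr), (proto_spi, ni, nr)
    xi, gxi = dh_keypair()                       # fresh exponentiation per SA
    xr, gxr = dh_keypair()
    gxy = pow(gxr, xi, P)
    assert gxy == pow(gxi, xr, P)                # both sides agree on g^xy
    return keymat(skeyid_d, proto_spi, ni, nr, gxy), (proto_spi, ni, nr, gxi, gxr)

def sa_key_follows_from_phase1(skeyid_d: bytes, pfs: bool) -> bool:
    """True if the SA key can be rebuilt from SKEYID_d and the on-the-wire values alone,
    i.e. without any quick-mode DH private exponent."""
    key, on_the_wire = quick_mode(skeyid_d, pfs)
    rebuilt = keymat(skeyid_d, *on_the_wire[:3])
    return rebuilt == key
```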
Best Practices For Deploying IPsec VPN
Alcatel-Lucent
797