IPSec VPN Server Option
BorderWare Firewall Server – IPSec VPN Option
The BorderWare IPSec VPN Server provides a
high-performance, standards-based solution for providing
secure encrypted communications between remote networks
and systems.
The IPSec VPN Server is an optional module
added to the Firewall Server after installation and
configuration and is licensed separately. Setting up
connections is managed via the console or via BWClient,
where a connection "wizard" leads the
administrator through the simple steps.
BorderWare's IPSec VPN Server is fully standards
compliant and supports connections with any other
compliant device or system. For remote connections from
workstations, use the BorderWare IPSec VPN Client.
Fully compatible with the IPSec Server and available for
all Windows versions, the IPSec Client is easy to set up
and is transparent to the user.
FEATURE SUMMARY
- Encryption: DES (56 bit), 3DES (168 bit), CAST (128 bit),
  BLOWFISH (128 bit), HMAC-MD5, HMAC-SHA1.
- Key management: manual, IKE.
- Authentication: Pre-shared Key, PKI (availability to be
  announced).
- Internal/external mode: supports tunnels to the internal
  or external interface of the Firewall Server.
- Logging: comprehensive logging for audit and
  trouble-shooting.

VPN'S IN DETAIL
What is a Virtual Private Network?
In theory, a Virtual Private Network (VPN) is simply
an extension of a private network made over a less
trusted network. In practice, this less trusted network
is in most cases a public network like the Internet.
Privacy is maintained using various cryptographic
techniques, such as encryption, authentication and
digital signatures. Use of cryptography assures that all
data remains confidential, is not modified in
transmission, and has been sent by the expected source.
Since no one will be able to read or modify the data sent,
the result is a private Wide Area Network (WAN) which is
effectively tunneled over a public network.
Before the use of VPNs, there were two options for
connecting remote networks: use of the Internet or
dedicated leased lines. Using the Internet is cheap, but
poses an unacceptable risk of exposure. Leased lines are
more secure, but are expensive.
Roaming and remote employees pose another problem:
they can access the Internet, but how do they securely
access head-office resources and systems?
Virtual Private Networks are cost-effective
alternatives to creating large private networks using
dedicated network connections. VPNs send data over
existing communication infrastructure, such as an
Internet connection, greatly reducing the overall cost
of implementing a Wide Area Network. In addition, they
provide support for connections from roaming and remote
users that are both authenticated and encrypted,
effectively extending the network to include these
intermittent connections.
The BorderWare Firewall Server further reduces this
implementation cost by integrating the VPN capability
into the corporate firewall, meaning less hardware,
software and administration effort. Furthermore, having
a VPN terminate at a firewall allows an organization's
security policy to be centrally located, rather than
spread across many different devices.
BorderWare Firewall Server - IPSec VPN Option
IPSec refers to the IP Security protocols, which are
a set of proposed Internet Standards published by the
Internet Engineering Task Force (IETF). These protocols
have been adopted worldwide for securing communications
over IP-based networks. IPSec supports both
client-server connections and server-server connections,
making it applicable to a wide range of security
implementations.
IPSec compliance means that the BorderWare Firewall
Server can participate in secure communication with any
other IPSec compliant device. For example, there are
IPSec implementations available for most operating
systems, making it easy to connect almost any computer
to the BorderWare Firewall Server using IPSec
connections.
The BorderWare Firewall Server allows for transparent
network access to the firewall’s Internal and SSN
networks, as specified by the firewall administrator.
Once this access is granted, the hosts at the remote end
of the VPN are treated as if they belong to the Internal
or SSN networks, and no traffic restrictions are
enforced. If neither Internal nor SSN access is desired,
then the VPN connection can exist as an external
tunnel, where the traffic is transmitted securely
but no additional network access is granted. In this
case, the hosts at the remote end of the VPN are treated
like any other host external to the firewall. When
using an external tunnel it is still possible to use the
firewall’s proxies and access rules to grant access to
protected resources.
IPSec Overview
IPSec is the proposed Internet standard for adding
security to the IP protocol. It details the use of
various methods to achieve confidentiality,
authentication and integrity for data transmissions over
IP networks. Understanding the terminology used in IPSec
implementations is an important part of planning and
deploying an IPSec VPN. This section introduces the
different components that make up the IPSec protocol,
and summarizes the IPSec implementation on the
BorderWare Firewall Server IPSec VPN Option.
Authentication Header (AH)
This is an IP header added to an IP packet that
provides a cryptographic checksum on the entire IP
packet. It is used to achieve data authentication and
integrity, to ensure that the packet has been sent by
the correct source and has not been modified in transit.
This header is separate from the ESP header described
below.
Encapsulating Security Payload (ESP)
This is a header applied to an IP packet after the
packet has been encrypted. It provides for data
confidentiality so that the original packet cannot be
read in transit. This header can also provide for data
authentication and integrity checking, making
the Authentication Header less necessary in certain
circumstances.
In newer IPSec implementations, including the
BorderWare Firewall Server, data authentication is
always performed within the ESP header.
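How a receiver checks ESP authentication data, as an added example that is not BorderWare code: it models the integrity check value (ICV) as HMAC-SHA-1-96 computed over the ESP header and the encrypted payload, and uses the SPI to look up the authentication key in the Security Association. The function names, the `sa_table` layout and all sample values are assumptions made for this sketch, and the "ciphertext" is opaque constructed bytes standing in for the encrypted payload and ESP trailer.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96 (RFC 2404): first 96 bits of the HMAC-SHA1 output


def esp_seal(spi, seq, ciphertext, auth_key):
    """Prefix the ESP header (SPI, sequence number) and append the ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_verify(packet, sa_table):
    """Return (spi, seq, ciphertext) if the ICV is valid; raise ValueError otherwise."""
    if len(packet) < 8 + ICV_LEN:
        raise ValueError("too short to be ESP")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sa_table.get(spi)            # the SPI selects the Security Association
    if sa is None:
        raise ValueError("no SA for SPI 0x%08x" % spi)
    covered, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], covered, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        raise ValueError("ICV mismatch: packet modified or wrong key")
    return spi, seq, packet[8:-ICV_LEN]


def demo():
    # Constructed sample values: key, SPI and "ciphertext" are made up for this example.
    sa_table = {0x1001: {"auth_key": b"constructed-auth-key-"}}
    ciphertext = bytes(range(32))     # stands in for the encrypted payload
    pkt = esp_seal(0x1001, 7, ciphertext, sa_table[0x1001]["auth_key"])
    results = {"good": esp_verify(pkt, sa_table)}
    tampered = pkt[:10] + bytes([pkt[10] ^ 0x01]) + pkt[11:]   # flip one payload bit
    for name, candidate in (("tampered", tampered), ("truncated", pkt[:15])):
        try:
            esp_verify(candidate, sa_table)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The check runs before any decryption, so a packet that was modified in transit or carries an unknown SPI is dropped without its payload ever being processed.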
Security Association (SA)
These are the building blocks of IPSec communication.
Before any two devices can communicate via IPSec, they
must first establish a set of Security Associations.
These associations specify the important cryptographic
parameters that must be agreed upon before data can be
transferred securely. Many connection specific
parameters are set, such as:
- Security Parameter Index (SPI)
- Encryption Algorithm
- Encryption Key
- Authentication Algorithm
- Authentication Key
The BorderWare Firewall Server supports the use of
DES (56-bit), 3DES (168-bit), CAST (128-bit) and
Blowfish (128-bit) for encryption with HMAC-MD5 and
HMAC-SHA1 available for authentication. It is important
to note that some encryption algorithms may not be
available due to government export regulations. Contact
your local BorderWare sales representative for details.
The BorderWare Firewall Server supports three modes
for establishing SAs and managing VPN keys: Internet
Key Exchange (IKE), Manual, and BorderWare Version 5.2
compliant mode. IKE provides automatic key management
capabilities, so that SAs are negotiated
transparently by the two VPN devices. This is described
in more detail below. When using Manual or BorderWare
Version 5.2 modes, the firewall administrator must
manually establish the SAs before VPN communication
can occur. These modes are only to be used when the
remote VPN device does not support the IKE standard for
key management, as they require more administration
effort while providing for lower overall VPN security,
since the same keys are used until the administrator
manually changes them.
Internet Key Exchange (IKE)
This is the protocol for performing automated key
management for IPSec. Once the necessary configuration
has been done on the firewall to create a VPN
connection, the IKE process automatically negotiates
with the remote VPN device to establish the parameters
for individual Security Associations. IKE is currently
the most widely used key management scheme,
and is based on the earlier ISAKMP/Oakley standards. As
a result, the Firewall Server can be used with a wide
range of other IKE compliant VPN devices.
IKE creates two types of Security Associations to
allow for encrypted traffic. First an IKE SA is
negotiated to allow for secure key exchange. Once the
IKE SA is established, session SAs are negotiated for
securing normal VPN traffic. These are referred to as
IKE Phase-1 and Phase-2 negotiations, respectively. The
session SAs are short-lived and are re-negotiated at
regular intervals, which ensures that the keys are
discarded regularly and the same keys are only used for
limited amounts of data.
The BorderWare IPSec VPN supports the use of Main
Mode and Aggressive Mode for IKE Phase-1 negotiation.
Main Mode provides for increased security during Phase-1
by encrypting the initial IKE traffic at the expense of
performance. Aggressive Mode is used in cases where the
initial traffic cannot be encrypted, as is the case for
dynamic IP VPN clients, or when performance is an
important factor.
Session keys negotiated by IKE are exchanged
frequently, but it is important that the compromise of
one key does not lead to the compromise of any other
keys. BorderWare provides this protection with Perfect
Forward Secrecy for both IKE Phase-1 and Phase-2
Security Associations. Using this protection ensures
that the compromise of any key by an attacker can only
yield useful information for the lifetime of that
particular key. No past or future communication can be
tampered with as a result of the compromise.
During IKE Phase-1 and Phase-2 negotiation, the two
VPN devices must agree upon encryption and
authentication algorithms that will be used. The
BorderWare Firewall Server allows the administrator to
specify a list of algorithms that can be used, which the
firewall uses when negotiating new SAs. As a result, the
administrator need not know the algorithms supported by
the remote VPN device in order to set up a valid VPN
connection.
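What an algorithm list means for the strength of a negotiated SA, as an added example that is not BorderWare's negotiation code: it is a simplified model in which the responder accepts the first proposal from the peer that appears in its own list. The key sizes are the ones this page lists; the function names, the 128-bit threshold and the sample policies are assumptions made for this sketch.

```python
# Key sizes as listed in this page's feature summary.
KEY_BITS = {"DES": 56, "3DES": 168, "CAST": 128, "BLOWFISH": 128}


def select_transform(peer_proposals, local_policy):
    """Pick the first peer proposal (peer's preference order) that local policy allows."""
    allowed = set(local_policy)
    for proposal in peer_proposals:
        if proposal in allowed:
            return proposal
    return None  # no overlap: the negotiation fails and no SA is created


def weakest_acceptable(local_policy):
    """The lowest-strength entry a peer obtains by proposing nothing else."""
    return min(local_policy, key=lambda p: KEY_BITS[p[0]])


def audit_policy(local_policy, min_bits=128):
    """Policy entries whose cipher key is shorter than min_bits (assumed threshold)."""
    return [p for p in local_policy if KEY_BITS[p[0]] < min_bits]


def demo():
    # Constructed policies and proposals, written as (cipher, authentication) pairs.
    permissive = [("3DES", "HMAC-SHA1"), ("CAST", "HMAC-SHA1"), ("DES", "HMAC-MD5")]
    strict = [p for p in permissive if p not in audit_policy(permissive)]
    legacy_peer = [("DES", "HMAC-MD5")]
    modern_peer = [("BLOWFISH", "HMAC-SHA1"), ("3DES", "HMAC-SHA1")]
    return {
        "modern peer, permissive": select_transform(modern_peer, permissive),
        "legacy peer, permissive": select_transform(legacy_peer, permissive),
        "legacy peer, strict": select_transform(legacy_peer, strict),
        "floor of permissive": weakest_acceptable(permissive),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Every entry in the list is something the firewall will agree to, so the effective strength of a connection is that of the weakest entry, not the first one.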
VPN Authentication and Digital Certificates
When establishing VPN connections, it is important
for the firewall to be able to verify the identity of
the remote VPN device before engaging in any VPN
communication. This can be achieved by exchanging
information that is secret, like a password, or through
the use of digital certificates.
Digital Certificates are pieces of information that
help to prove someone or something's identity. For VPNs,
certificates can be used to establish the identity of
the remote VPN device and obtain its public key. A
certificate contains information about the owner of the
certificate as well as its public key. These
certificates can also be verified by a trusted third
party, called a Certificate Authority, to make sure that
the certificate is authentic and the public key is
correct.
Version 6.1.2 of the BorderWare Firewall Server
supports VPN authentication through use of a shared
password called a Pre-Shared Key. Both sides of the VPN
agree on a Pre-Shared Key over a secure medium (like a
telephone), and then input this key into the VPN
configuration information. Support for certificate-based
authentication will be added in a patch release in the
near future.
