Gateway Placement

Architecture

The architecture of the IPsec implementation refers to the selection of devices and software to provide IPsec services and the placement of IPsec endpoints within the existing network infrastructure. These two considerations are often closely tied together; for example, a decision could be made to use the existing Internet firewall as the IPsec gateway. This section will explore three particular aspects of IPsec architecture: gateway placement, IPsec client software for hosts, and host address space management.

4.2.1.1 Gateway Placement

Due to the layered defense strategy used to protect enterprise networks, IPsec gateway placement is often a challenging task. As described later in this section, the gateway’s placement has security, functionality, and performance implications. Also, the gateway’s placement may have an effect on other network devices, such as firewalls, routers, and switches. Incorporating an IPsec gateway into a network architecture requires strong overall knowledge of the network and security policy. The following are major factors to consider for IPsec gateway placement:

Device Performance. IPsec can be computationally intensive, primarily because of encryption

and decryption. Providing IPsec services from another device (e.g., firewall, router) may put too high of a load on the device during peak usage, causing service disruptions. A possible

alternative is to offload the cryptography operations to a specialized hardware device, such as a card with built-in cryptography functions. Organizations should also review their network architecture to determine if bottlenecks are likely to occur due to network devices (e.g., routers, firewalls) that cannot sustain the processing of peak volumes of network traffic that includes IPsec-encapsulated packets.52

Traffic Examination. If IPsec-encrypted traffic passes through a firewall, it cannot tell what

protocols the packets’ payloads contain, so it cannot filter the traffic based on those protocols. Intrusion detection systems encounter the same issue; they cannot examine encrypted traffic for attacks. It is generally recommended to design the IPsec architecture so that a firewall and intrusion detection software can examine the unencrypted traffic. Organizations most commonly

52 _{The network architecture review is also beneficial in identifying intermediate network devices that may need to be}

address this by using their Internet firewalls as VPN gateways or placing VPN gateway devices just outside their Internet firewalls.

Traffic Not Protected by IPsec. Organizations should consider carefully the threats against

network traffic after it has been processed by the receiving IPsec gateway and sent without IPsec protection across additional network segments. For example, an organization that wants to place its VPN gateway outside its Internet firewalls should ensure that the traffic passing between the IPsec gateway and the Internet firewalls has sufficient protection against breaches of

confidentiality and integrity.

Gateway Outages. The architecture should take into consideration the effects of IPsec gateway

outages, including planned maintenance outages and unplanned outages caused by failures or attacks. For example, if the IPsec gateway is placed inline near the Internet connection point, meaning that all network traffic passes through it, a gateway failure could cause a loss of all Internet connectivity for the organization. Also, larger IPsec implementations may use a gateway management server; a server failure could severely impact management of all gateways.

Generally, if the network is designed to be redundant, the IPsec gateways and management servers should also be designed to be redundant.

NAT. NAT provides a mechanism to use private addresses on the internal network while using

public addresses to connect to external networks. NAT can map each private address to a

different public address, while the Network Address Port Translation (NAPT) variant of NAT can map many private addresses to a single public address, differentiating the original addresses by assigning different public address ports.53 _{NAT is often used by enterprises, small offices, and}

residential users that do not want to pay for more IP addresses than necessary or wish to take advantage of the security benefits and flexibility of having private addresses assigned to internal hosts. Unfortunately, as described in Section 3, there are known incompatibilities between IPsec and NAT because NAT modifies the IP addresses in the packet, which directly violates the packet integrity assurance provided by IPsec. However, there are a few solutions to this issue, as

follows:

–

Perform NAT before applying IPsec. This can be accomplished by arranging the devices in a particular order, or by using an IPsec gateway that also performs NAT. For example, the gateway can perform NAT first and then IPsec for outbound packets.

–

Use UDP encapsulation of ESP packets. UDP encapsulation can be used with tunnel mode ESP or Layer 2 Tunneling Protocol (L2TP) (as described in Section 4.2.1.3) over transport mode ESP. UDP encapsulation appends a UDP header to each packet, which provides an IP address and UDP port that can be used by NAT (including NAPT). This removes conflicts between IPsec and NAT in most environments.54 An IKE enhancement known as IPsec NAT Traversal (NAT-T) allows IKE to negotiate the use of UDP encapsulation. During the IKE phase one exchange, both endpoints declare their support of NAT-T through a vendor ID payload (containing the hash of a well-known vendor ID value and static phrase), then perform NAT discovery to determine if NAT services are running between the two IPsec endpoints. NAT discovery involves each endpoint sending a hash of its original source address and port to the other endpoint, which compares the original values to the actual

53 _{Additional information on NAT and NAPT is available from RFC 2663, IP Network Address Translator (NAT) Terminology}

and Considerations, available at http://www.ietf.org/rfc/rfc2663.txt.

54 _{In some cases, either the network architecture or the type of traffic may require additional measures to allow IPsec traffic to}

negotiate NAT successfully. For example, protocols such as Session Initiation Protocol (SIP) for Voice over IP (VoIP) and File Transfer Protocol (FTP) have IP addresses embedded in the application data. Handling such traffic correctly in NAT environments may require the use of application layer gateways (ALG).

values to determine if NAT was applied. IKE then moves its communications from UDP port 500 to port 4500, to avoid inadvertent interference from NAT devices that perform

proprietary alterations of IPsec-related activity. NAT-T can also cause the host to send keepalive packets to the other endpoint, which should keep the NAPT port-to-address mapping from being lost. Although UDP encapsulation and NAT-T can be helpful in

overcoming NAT-related issues, not all IPsec software and hardware devices support them at this time.55

–

At small or home offices, configure cable and Digital Subscriber Line (DSL) routers performing NAT to permit IPsec NAT pass-through for the IPsec client systems.

In document Recommendations of the National Institute of Standards and Technology (Page 53-55)