CESG protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia.
CESG IPSEC GUIDES
CESG have produced guidance for IPSEC VPNs – guidance adhered to by government departments & associated bodies:
- Version 2.1 CESG IPSEC Security Gateway Guide can be found on the CESG site
- Version 2.3 CESG IPSEC VPN FOR REMOTE WORKING – SOFTWARE CLIENT Guide can be found on the CESG site
Juniper MAG Devices with Juniper Pulse Secure Access Service
The Juniper Pulse Secure Access Service, running version 7.4+ software on a Juniper MAG device, can be used for CESG IPSEC VPNs, as it supports ECDHE ciphers & IKEv2.
A caveat is that MAG devices don’t support FIPS level 3 compliant cryptographic modules – but FIPS is not referenced directly in the guide.
ECDHE Ciphers supported by SA
With Elliptic-Curve Cryptography (ECC) certificates:
With RSA Certificates:
Any IKEv2 Client can be used for CESG IPSEC eg:
CESG IPSEC refers to use of IKEv2. More information can be found on the Juniper Website. Also please note the following:
- On the Juniper SA/MAG Device – IKEv2 does not support automatic cluster failover. After cluster failover, IKEv2 users must reconnect to Secure Access Service.
- On the Juniper SA/MAG Device – IKEv2 uses UDP port 500 with Juniper Pulse Secure Access Service.
Notes about use with Certificates
For IKEv2 with client certificate authentication to work with the Windows 7 IKEv2 client, the certificate imported into Secure Access Service must have the enhanced key usage (EKU) value set to serverAuth (OID 1.3.6.1.5.5.7.3.1).
Also, ECC certificates are currently only supported on MAG and Virtual Appliance platforms; they are not usable on SAx500 devices. See Chapter 32, Elliptic Curve Cryptography, in the 7.4 or later Admin Guide for more details on these certificates and on setting custom cipher options.
- Windows 7 with Certificates
- Machine Certificate
- Assigning an ECC P-256 Certificate to an External Virtual Port and Giving Preference to Suite B Ciphers
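As an added example (not from the CESG guides or from Juniper's own tooling), the POSIX shell helper below uses OpenSSL to issue a throwaway self-signed P-256 test certificate and then checks the two properties discussed above before anything is imported into the gateway: the serverAuth EKU that the Windows 7 IKEv2 client requires, and a P-256 key for the Suite B preference. The hostname vpn-gateway.example.test, the working directory and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: issue a test gateway certificate and verify it has the
# serverAuth EKU and a P-256 key before importing it into Secure Access Service.
set -e

# Scratch directory for the key, configs and certificates (assumption)
WORK="${WORK:-$(mktemp -d)}"

# Write a minimal openssl req config; $2 holds extra extension lines (may be empty)
write_req_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_gw
prompt = no
[ dn ]
CN = vpn-gateway.example.test
[ v3_gw ]
subjectAltName = DNS:vpn-gateway.example.test
$2
EOF
}

# Issue a self-signed cert named $1 on a P-256 key; $2 = extension lines to add
issue_test_cert() {
  [ -f "$WORK/gw.key" ] || openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/gw.key"
  write_req_cnf "$WORK/$1.cnf" "$2"
  openssl req -new -x509 -key "$WORK/gw.key" -config "$WORK/$1.cnf" \
    -days 30 -sha256 -out "$WORK/$1.crt"
}

# Return 0 when the certificate carries the serverAuth EKU (shown by OpenSSL as
# "TLS Web Server Authentication") and a P-256 key; 1 and a reason otherwise.
check_gateway_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' \
    || { echo "$1: missing serverAuth EKU (Windows 7 IKEv2 client will reject it)"; return 1; }
  printf '%s\n' "$txt" | grep -Eq 'prime256v1|P-256' \
    || { echo "$1: key is not P-256, Suite B ECDHE preference will not apply"; return 1; }
  echo "$1: serverAuth EKU present, P-256 key"
  return 0
}
```

Run `issue_test_cert good "extendedKeyUsage = serverAuth"` and then `check_gateway_cert "$WORK/good.crt"`; the same check run against a real gateway certificate exported in PEM form reports which of the two requirements it fails.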
FIPS level 1 Supported Platforms
- The following platforms support FIPS level 1:
- Junos Pulse Gateway MAG2600
- Junos Pulse Gateway MAG4610
- Junos Pulse Gateway MAG6610
- Junos Pulse Gateway MAG6611
- Junos Pulse Gateway MAG-SM160
- Junos Pulse Gateway MAG-SM360
- Secure Access Service and Access Control Service virtual appliances
FIPS Level 3 Supported Platforms
- Juniper SA4500 FIPS
- Juniper SA6500 FIPS
- FIPS Level 3 refers to a Cryptographic Hardware Security Module
- You cannot run FIPS level 1 support on a hardware FIPS platform such as the SA4500/6500 FIPS SSL VPN Appliance
- SA4500/6500 FIPS SSL VPN Appliances do not support newer ECC certificates.
The last point leaves a conundrum – go with MAG and have a more strongly encrypted channel across the Internet, or go with SA and have a more weakly encrypted channel & a better protected stored private key.
I was at a financial customer last week who was moving their entire estate to Rackspace. To give an indication of size, their financial assets are in the billions and they employ hundreds of staff.
Rackspace will provide them effectively a managed Data Center like environment in the cloud – completely managing the Network environment at the DC along with VMware infrastructure.
Leaving behind an office full of PCs & phones & an MPLS connection.
No more server rooms…!
They no longer have visibility of VMware vCenter – so what's the future of admins with these skills if it's all going Cloud based?
The bit Rackspace don't do is managing the server apps – so as long as you have GUI skills you are still in business!