27 October 2009
The overall classification for this brief is TOP SECRET//COMINT//REL TO USA, FVEY

VPN Technology Overview
- Overview
- Dataflows and Interfaces
- LPT Implementation
- Metrics

Overview: VPN Mission
Opportunity: Exploit Virtual Private Network (VPN) communications that use IP Security (IPsec) algorithms and protocols.
- (U) ISAKMP (Internet Security Association and Key Management Protocol, RFC 2407 and RFC 2408) provides an authentication and key exchange framework.
- (U) IKE (Internet Key Exchange, RFC 2409) provides authentication and key exchange mechanisms.
- (U) ESP (Encapsulating Security Payload, RFC 2406) provides traffic confidentiality and optional integrity protection.
- (U) AH (Authentication Header, RFC 2402) provides integrity protection that includes the IP header. Sometimes AH is used to wrap ESP for additional integrity.
[Diagram: the Phase 1 handshake establishes the ISAKMP SA (ISAKMP Security Association Database); Phase 2 establishes the ESP SA (ESP Security Association Database), with IP source and destination.]

(U) Internet Key Exchange (RFC 2409) / ISAKMP (RFC 2408) packet layout
[Diagram: IPv4 header (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address); UDP header (Source Port 500, Destination Port 500, Length, Checksum); ISAKMP header (Initiator Cookie, Responder Cookie, Next Payload, Major Version, Minor Version, Exchange Type, Flags, Message ID, Length); Key Management Data.]

(U) Encapsulating Security Payload (RFC 2406) packet layout
[Diagram: IPv4 header with Protocol = 50 (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Header Checksum, Source Address, Destination Address); ESP header (Security Parameter Index, Sequence Number), then Data.]

(U) Authentication Header (RFC 2402) wrapping Encapsulating Security Payload (RFC 2406)
[Diagram: IPv4 header with Protocol = 51; AH header (Next Header = 50, Header Length, Reserved, Security Parameter Index, Sequence Number, Integrity Check Value of variable length); then the wrapped ESP header (Security Parameter Index, Sequence Number) and Data.]

Overview: VPN IPsec Collection
[Diagram: a 24-hour timeline (00:00 to 24:00) in which IKE exchanges recur, each followed by Phase 2 tunneled IP sessions. The tunneled sessions carry internal IP addresses; the VPN tunnel itself is seen on external IP addresses. Example address ranges are illegible in the scan.]
- Collection requires dwell time to capture IKE associated with ESP.
- Collection requires link diversity to capture IKE associated with ESP. There is no guarantee that IKE and ESP will use the same link.
- Collection requires multiple selectors to target external and tunneled sessions: VPN tunnel external IP addresses to target, and strong selectors on internal IP links to target VPN content.

Customers, needs and functions
- SIGINT Analyst. Needs: target IDs, target links, target value, targeted traffic. Functions: target and analyze traffic; report SIGINT.
- Network Analysis Center (NAC). Needs: VPN IKE and ESP metadata. Functions: identify target IKE and ESP metadata; report VPN target IDs and links.
- Office of Target Pursuit (OTP). Needs: VPN IKE and ESP metadata, surveys. Functions: search and survey for ... of interest; report VPN traffic intelligence value.
- Systems Analysis Office (SAO). Needs: VPN IKE and ESP metadata, VPN surveys. Functions: identify VPN technologies; identify VPN vulnerabilities; support VPN exploitation quality.

Target protocol, products and dataflows
Target protocol: IP Security (IPsec), comprising Internet Key Exchange (IKE), Internet Security Association and Key Management Protocol (ISAKMP), Authentication Header (AH) and Encapsulating Security Payload (ESP).
- VPN metadata with full-take IKE and sampled ESP metadata: Metadata dataflow.
- Selected application sessions recovered from IPsec sessions selected for decryption and re-injection: Transform dataflow.
- IPsec sessions selected for decryption and survey: Survey dataflow.
- VPN sessions selected for analysis: Analysis dataflow.
- VPN sessions selected for decryption that fail to decrypt using the provided key: Transform dataflow.
IP address selector actions are combinations of Transform or NoTransform with Survey and Analyze: Transform; Transform & Survey; Transform & Analyze; Transform & Analyze & Survey; NoTransform & Survey; NoTransform & Analyze; NoTransform & Analyze & Survey; Survey; Analyze.
Products by customer: SIGINT Analyst: Transform dataflow. NAC: Metadata dataflow (IKE full-take, ESP samples). OTP: Metadata dataflow (IKE full-take, ESP samples), Analysis dataflow, Survey dataflow. SAO: Metadata dataflow (IKE full-take, ESP samples), surveys, Analysis dataflow, VPN Qualify, Transform dataflow.
[Diagram: the same 24-hour timeline of IKE exchanges and Phase 2 tunneled IP sessions, annotated with which customer (NAC, OTP, SAO) receives the Metadata, Analysis and Transform dataflows.]

Dataflows and Interfaces: Classic
Interface key: T = Transport, C = Content, F = Format.
[Diagram: IKE/AH/ESP records leave the VPN TE over a socket connection (F: SOTF) into TUBE and TURMOIL, with EXOPUMP as content. IKE records (F: SOTF, T: MAILORDER) go to METROTUBE; IKE sessions (F: SOTF) go to PRESSUREWAVE; VPN metadata goes to the TOYGRIPPE analytic.]
- VPN metadata in TOYGRIPPE is full-take.
- VPN ESP metadata sessions in PRESSUREWAVE are sampled 1/16th.
- VPN metadata sessions in PRESSUREWAVE are sampled 1/16th.

Dataflows and Interfaces: IKE Metadata, New and Improved (SECRET//COMINT//REL TO USA, FVEY)
[Diagram: IPsec/IKE records (T: socket connection, F: SOTF) into TURMOIL; IPsec/IKE metadata (F: ASDF, T: MAILORDER) into FALLOUT and TOYGRIPPE.]
- VPN metadata in TOYGRIPPE is full-take.
- VPN ESP metadata sessions in PRESSUREWAVE are sampled 1/16th.
- VPN metadata sessions in PRESSUREWAVE are sampled 1/16th.

Dataflows and Interfaces: AH/ESP Metadata (SECRET//COMINT//REL TO USA, FVEY)
[Diagram: IPsec/ESP records (T: socket connection) into TUBE and TURMOIL; IPsec/ESP metadata (F: ASDF, T: MAILORDER) into FALLOUT.]

Dataflows and Interfaces: Analyze
[Diagram: IKE and ESP sessions selected for analysis flow from TUBE/TURMOIL (KEYCARD selector hit query/response) over a socket connection to EXOPUMP, and via MAILORDER (F: JMS/SOTF and KML/SOTF) to PRESSUREWAVE.]
- KEYCARD IP target action must be ANALYZE.
- Full-take of sessions.
- No analytic at this time.

Dataflows and Interfaces: Survey
[Diagram: TURMOIL with KEYCARD selector hit query/response; a Secure Socket (SSL) connection to PIQ Blade Management; the PIQ Blade and the ResGrid Resource Allocation Manager; IKE messages and ESP key requests.]
- KEYCARD IP target action must be TRANSFORM & SURVEY.
- Candidate sessions for survey include the BME vpnID.

Dataflows and Interfaces: Transform
Note: selected application sessions (DOC, CES, ...) are identified and selected from the packets extracted from the VPN tunnel and inserted into the TURMOIL input stream.
[Diagram: TURMOIL with KEYCARD selector hit query/response; PIQ Blade Management and the ResGrid Resource Allocation Manager; IKE messages and ESP key requests; selected application sessions (C: SOTF, T: MAILORDER) to EXOPUMP and PRESSUREWAVE.]
- PIQ Blade provides PIQ-Services (PICARESQUE ECI, compartmented).
- Transform is sanitization of the VPN AH/ESP session.
- Transform capability is not available in Spin 12.
- KEYCARD IP target action must be TRANSFORM; sessions have the BME vpnID.

LPT Implementation
[Fig. 1, shown in two views: ENDACE capture feeding TBUS/MBUS; Stage 0, Stage 1 and Stage 2 processing; the VPN TE producing VPN sessions and metadata for the metadata processor; KEYCARD selector hits and ESP key requests handled by the POISON NUT services; IP payload packets passed to the decompressor and other TEs; SOTF output.]

Metrics: sample stats, 14-22 Oct 2009
System        KeyRequests  KeyResponses  KeyNotRecovered  Packets
(illegible)   8076         0             0                0
(illegible)   26501        12200         0                8041883
(illegible)   1725         0             0                0
SM K6         43087        4755          0                1413532