384 Class Note for IST 451 at PSU
This 24-page set of class notes was uploaded by an elite notetaker on Friday, February 6, 2015. It belongs to a course at Pennsylvania State University taught in the fall. Since its upload it has received 17 views.
Date Created: 02/06/15
Topic 3: Virtual Private Network (VPN)

Topic lessons:
1. Introduction
2. Virtual Private Networks (VPN)
3. VPN Implementation
4. Fundamental IP Security (IPSec)
5. IPSec Security Protocols
6. Wrap-Up

Lesson 1: Introduction

Topical Goals

In today's economy companies have dramatically expanded the scope of their businesses. They may need to set up offices and facilities across the country or even around the world, so maintaining fast, secure and reliable communications among different business locations and remote users has become very important. Until fairly recently many of them used leased lines to connect their private networks in different geographic areas. The advantages of a leased line are its reliability, performance and security, but leased lines are expensive, and the cost often rises steeply as the distance between the offices increases. As the popularity of the Internet grew, many companies turned to the Internet to extend their own networks and accommodate the needs of remote employees and distant offices. A Virtual Private Network (VPN) gives these companies a way to use the open, distributed infrastructure of the Internet to provide remote offices or individual users with secure access to the company's private network.

This topic provides a fundamental description of VPNs along with an important security standard, IPSec, which ensures that communications over a VPN are private and secure. After reading this topic you should be able to:
- Give an overview of VPNs, including their benefits, the different types and their security mechanisms
- Describe the implementation of the two different types of VPN
- Introduce IPSec and the security services it provides
- Discuss two important protocols supported by IPSec, AH and ESP

Lesson 2: Virtual Private Network (VPN)

Lesson Objectives

When a company connects its private networks together using a public resource, meaning the wires and routers that make up the Internet, it has no control over the other people who are using that resource. This leaves the company exposed when data is transmitted between its private networks over the Internet. The older solution is to build a dedicated, direct connection such as a leased line between the private networks, which can only be used by the company's authorized users. Many companies have chosen this route because they need security and reliability when connecting their remote offices. A leased line is reliable and fast, but it is very expensive to build and maintain, even when the sites are close to each other. A virtual private network (VPN) lets an organization use a public network infrastructure such as the Internet to offer secure and reliable data communication between its private networks at different geographic locations.

This lesson provides an overview of the basic principles needed to understand VPN technology, including the benefits, the different types of VPN and the security mechanisms a VPN uses. After reading this lesson you should be able to:
- Define a VPN and explain how a VPN works
- Highlight VPN benefits
- Define remote-access VPN and site-to-site VPN
- Give an overview of the four security mechanisms of a VPN

What is a VPN?

VPN stands for Virtual Private Network. It is a network infrastructure constructed over a public infrastructure (i.e. the Internet) to deliver private network services. A VPN permits companies, through the use of security mechanisms such as encryption and tunneling, to establish secure, encrypted connections between private networks over the Internet.

Figure 3.1 shows a typical VPN. It has a single central network at the corporate office of a company, a single LAN (local area network) at its remote office, a single LAN at its partner's office, and individual users connecting from out in the field or working from home. The VPN enables the other LANs and the individual users to communicate with the central network in a secure and reliable manner. Instead of using a dedicated physical connection such as a leased line, a VPN uses the Internet as the medium to build virtual connections that link the company's central network to the remote sites or mobile employees. The traffic is encrypted for confidentiality and then "wrapped" with enough networking information for the intervening machines on the virtual connection to pass it to the destination. The intervening machines cannot read the contents of the data packets, so the traffic can be routed back and forth with privacy and security.

Figure 3.1: A typical VPN (corporate office, business partner office, remote office, mobile user and home office, all connected through the Internet)

A VPN is transparent to end users. End users do not need any knowledge of VPN components or of how a VPN connection is established in order to access the corporate LAN. For example, when a mobile user wants to check email, the user simply uses his or her email client to request a download as if directly connected to the corporate LAN. From the user's perspective the nature of the intermediate network (the Internet) that the VPN uses to build its virtual connections is irrelevant, because it appears as if the data is being sent over a dedicated private connection. The secure connection across the intermediate network therefore appears to the user as a private network communication despite the fact that this communication is occurring over the Internet. This is why we call it a virtual connection, and it is essentially how a VPN works.

VPN Benefits

A VPN is a popular, cost-effective way to securely connect offices, remote workers and mobile workers back into the corporate network. It provides many benefits for a company, including:

Security - A VPN provides a high level of security using methods such as encryption and authentication that protect data from unauthorized access. It uses the Internet as the medium for transporting data while maintaining the privacy of communications, so that only authorized users can access the network and intercepted data cannot be read. Note what this does and does not hide: the contents and the internal addresses of the traffic are concealed from others on the public network, but the tunnel endpoints and the volume and timing of the traffic remain visible.

Scalability - A VPN that utilizes the Internet enables companies to add a large amount of capacity without adding significant infrastructure. A VPN can grow to accommodate more users and different locations wherever Internet access is available. Adding components to a VPN infrastructure is much easier than extending the leased-line systems previously used by many companies.

Flexibility - A VPN allows a company to keep its employees and partners securely connected to central network resources no matter where they are. It provides access to the entire network with any-to-any connectivity. A VPN can be built for different applications, such as a full-mesh topology for voice and a hub-and-spoke topology for Internet access. The geographic location of each office matters little in the creation of a VPN.

Cost effectiveness - A VPN helps to reduce connectivity charges and operational costs by sharing the Internet infrastructure. It uses the Internet to connect remote offices and remote users to the main corporate site. The cost of traditional leased lines, by contrast, can increase dramatically as an organization grows and adds remote users and offices to its corporate network.

VPN Types

There are two common types of VPN: remote-access and site-to-site.

Remote-Access VPN

A remote-access VPN allows remote employees and telecommuters to connect securely and inexpensively to the company's corporate network over the Internet or an Internet Service Provider's (ISP's) backbone. It is also called a virtual private dial-up network (VPDN). In the past, a company supported remote users through a toll-free call that reached the company's private network directly. With the advent of VPNs, remote users make a local call to their ISP and use VPN client software on their computers to access the company's private network. They can access the company via the Internet from wherever they are. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users and save the expense of toll-free numbers. For instance, a company with hundreds of sales people in the field would benefit greatly from a remote-access VPN.

Site-to-Site VPN

A site-to-site VPN connects a company's multiple fixed sites, such as remote offices and central offices, over the Internet. It has replaced the leased-line or frame-relay connections companies often used previously to connect sites. There are two types of site-to-site VPN:

Intranet VPN - An intranet VPN connects all of a company's remote sites into a single private network in which the company can share information with employees and others who are authorized.

Extranet VPN - An extranet VPN connects a company with other companies it has a working relationship with, such as a partner, supplier or customer. This allows the various companies to work in a shared environment with controlled network access.

VPN Security Mechanisms

A VPN generally uses the following security mechanisms to keep the connection and the data secure: firewalls, encryption, IPSec and an AAA server.

Firewall-based VPN

A firewall provides a strong barrier between your private network and the Internet. A firewall-based VPN can manage the VPN network, terminate the VPN sessions, and also take advantage of the firewall's built-in security mechanisms such as restricting access to the internal network. It may also perform network address translation from a public IP address to the corporate office's private IP addresses, and provide real-time alarms and extensive logging. Existing firewall systems can be enhanced to support VPN services.

Encryption

Encryption ensures the privacy and confidentiality of information during its transit over the VPN. It is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Encryption is the security mechanism that provides the "P" (private) in VPN. In a VPN the data is encrypted using an encryption protocol at the sending end and decrypted at the receiving end. An additional level of protection involves encrypting not only the data but also the originating and receiving (inner) network addresses. The encryption methods named in these notes are the Data Encryption Standard (DES), Triple DES (3DES) and Blowfish; note that single DES, with its 56-bit key, is no longer considered secure, and current IPSec deployments use AES.

IPSec

Internet Protocol Security (IPSec) is a security protocol suite used by most VPNs to set up private connections that span the Internet between separate company sites. It is designed to address data confidentiality, integrity, authentication and key management, in addition to tunneling. Tunneling can be thought of as encapsulating the original, unprotected IP packets inside encrypted, protected IP packets. This works as if the data were sent through a "tunnel" that cannot be "entered" by data that is not properly encrypted. Tunneling also supports the routing of non-routable private IP addresses over public networks such as the Internet, which is the "V" (virtual) in VPN: you can send information to a private address that has no public address. IPSec will be discussed in more detail later in this topic.

AAA Server

For more secure access in a remote-access VPN, the request to establish a session from a dial-up client can be sent to an AAA (authentication, authorization and accounting) server to check the following:
- Who you are (authentication)
- What you can do (authorization)
- What you actually do (accounting)

The accounting information is used for tracking client usage of network resources, security auditing, billing and reporting.

Lesson Wrap-Up

A VPN supports remote access and private data communications over a public network as a cheaper alternative to owned or leased lines that can only be used by one company. By addressing security and performance issues, a VPN delivers tangible business benefits: secure communication and significant cost savings versus other remote-access solutions. Understanding the various VPN solutions can help companies build infrastructures that support their tactical business needs today as well as their strategic business needs for tomorrow. Now that you have completed this lesson you should be able to:
- Define a VPN and explain how a VPN works
- Highlight VPN benefits
- Define remote-access VPN and site-to-site VPN
- Give an overview of the four security mechanisms of a VPN

Lesson 3: VPN Implementation

Lesson Objective

A VPN is a combination of software and hardware that allows mobile employees, telecommuters, business partners and remote sites to use a public or unsecured medium such as the Internet to establish a secure, private connection with a central network. With a VPN deployed across the Internet, virtual private connections can be established from almost anywhere in the world. A wide variety of VPN technologies are deployed today. This lesson discusses the components needed in a VPN implementation and the two different types of VPN. It also covers Cisco's VPN solutions for building these two types of VPN. After reading this lesson you should be able to:
- Discuss the basic components of a VPN
- Describe how remote-access VPNs and site-to-site VPNs work
- Introduce Cisco's VPN solutions

VPN Components

VPN implementations vary depending on whether the VPN is managed by the customer or by the service provider. In all cases the VPN comprises two endpoints (peers), which may be routers, firewalls, client workstations or servers. Specifically, the following options are available for remote users or remote sites to implement a VPN:
- Software VPN client: used by remote users to build VPN connections (e.g. the Cisco VPN software client)
- Remote-site firewall: used by remote sites to provide both a firewall function and VPN connectivity to the corporate network
- Hardware VPN client: used by remote sites for VPN connectivity to the corporate network

The following options are available in the corporate main network to implement a VPN:
- Dedicated VPN server for remote-access VPN (e.g. a Cisco VPN Concentrator)
- VPN router, to route traffic and terminate VPN sessions
- Firewall with VPN functionality (e.g. the Cisco PIX Firewall)

The company configures the equipment at each end so that data can be transmitted over VPN connections between the two VPN peers with privacy. Note that a VPN does not provide complete end-to-end security between user applications and server applications. Antivirus software, system patches and additional layers of encryption to cover the rest of the path between user applications and server applications are still required for system security. Firewalls and other security measures are still recommended as well.

The Remote-Access VPN Model

A remote-access VPN refers to the implementation in which individual remote users access the corporate network from their PCs. A remote-access VPN follows a client-and-server approach. All the remote user requires is a computer with VPN client software and connectivity to the Internet or ISP network via a dial-in or Ethernet connection. VPN clients authenticate users, encrypt data, and manage VPN connections and disconnections with the VPN servers located on corporate networks.

Figure 3.2: Remote-access VPN model (user's machine with VPN client, tunnel/VPN connection across the Internet, VPN server and application server on the corporate office LAN)

Figure 3.2 illustrates a remote-access VPN model supporting a remote user who accesses an application server (e.g. a web server) on the corporate office LAN. The remote user is connected to the Internet through either a dial-up or an Ethernet connection. The VPN client on the user's computer establishes a secure VPN connection to the VPN server maintained at the corporate network. The request from the user is encrypted and then sent to the VPN server through the VPN connection. The data stays encrypted until it reaches the VPN server, which decrypts the received data and forwards it on to the target application server. Thus the remote user can communicate with the application server just as securely over the public network as if the user's machine resided on the internal corporate LAN.

From the user's perspective the VPN connection is a point-to-point connection between the user's computer and the company's application server. However, the information the user sends loses its VPN-level protection once the VPN server receives it and sends it along to the application server. After that point, security is the responsibility of the user and the application server. For example, you should not send a password or credit card information to a web page that is not SSL/TLS-encrypted (e.g. a page whose address does not begin with https) even if you are using a VPN connection. Likewise, a VPN client does not replace antivirus software, operating system hardening or local-area networking security practices: a virus downloaded inside an encrypted packet will still infect your system once your VPN client decrypts it for your applications to read.

The Site-to-Site VPN Model

A site-to-site VPN refers to a wide area network (WAN) implementation in which the network at one location is connected to the network at another location via a VPN. It is often used to connect branch offices, home offices or business partners' sites to all or part of a company's network. Rather than a client-server connection, it can be viewed as a server-to-server VPN connection that joins two networks to form an extended intranet or extranet.

Figure 3.3: Site-to-site VPN model (VPN site 1 and VPN site 2, each with a VPN router; cleartext on each LAN, encrypted text across the Internet)

In a site-to-site VPN there are VPN servers at each site that authenticate each other and establish the VPN connection between the sites. The VPN servers act as gateways (internetworking devices) for the computers behind them on the subnet, securely passing traffic through end-to-end encrypted tunnels between the sites. This is also referred to as a gateway-to-gateway VPN application. VPN routers with a firewall function can support this and also provide network-level protection of remote-site resources and filtering of traffic. Figure 3.3 shows a site-to-site VPN model in which the remote sites use VPN routers to provide both the firewall function and VPN connectivity between the two sites. When information is transmitted from one location to another, the VPN router at one location encrypts the information before sending it through the VPN connection over the Internet. At the other location, the receiving VPN router decrypts the information into cleartext and sends it to its LAN.

Cisco IP VPN Solutions

Cisco has VPN products to support both remote-access VPNs and site-to-site VPNs. For remote-access VPNs there are the Cisco VPN 3000 Series Concentrators, the PIX Firewall and the Cisco VPN client. For site-to-site VPNs there are Cisco VPN routers and the PIX Firewall.

Cisco Remote-Access VPNs

Figure 3.4: Remote-access VPNs with the Cisco VPN client and Concentrator (mobile user and telecommuter with the Cisco VPN software client, customer's small office with a Cisco hardware VPN client, Cisco Concentrator at the corporate end)

In the remote-access VPN model shown in Figure 3.4, the mobile user and the telecommuter have the Cisco VPN software client loaded on their PCs. The customer has a standalone Cisco hardware client located in its small office. On the corporate end a Cisco Concentrator functions as the VPN server. The Concentrator can communicate with both the Cisco VPN software client and the Cisco hardware client. Note that a small Cisco PIX Firewall can act as a VPN server as well. VPN connections are formed from the VPN client to the VPN server (i.e. the Cisco Concentrator). The Cisco VPN client allows secure connections between client machines and the VPN server. The VPN server terminates the VPN connections initiated by remote users running the Cisco VPN software client on their PCs. This flexibility makes it possible for remote or mobile users such as sales people on the road or telecommuters to access their headquarters intranet where critical data and applications exist. The VPN server can also terminate VPN tunnels initiated from a customer's VPN hardware client, giving customers limited access to the company's corporate resources.

The VPN Concentrator series is built specifically for creating a remote-access VPN with the most advanced encryption and authentication techniques available. It authenticates individual remote users and terminates their VPN connections. It includes components that let users increase capacity and throughput easily. The Concentrator series is offered in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.

Cisco Site-to-Site VPNs

Cisco provides a suite of VPN-optimized routers and the PIX Firewall 500 series to cover the entire spectrum of site-to-site VPN applications. Cisco VPN-optimized routers, from the 800 series to the 7200 series, can be scaled to meet different VPN requirements and network sizes, from small-office/home-office access through central-site VPN aggregation to large-scale enterprise needs. VPN-optimized routers provide VPN solutions for hybrid VPN environments where modularity, port density and flexibility are required for private WAN aggregation and other classic WAN applications. As shown in Figure 3.5, these routers cover the range of VPN applications: small offices/home offices with the Cisco 800/900 series, small branch office connectivity with the Cisco 1700/2000 series, enterprise partner branches with the Cisco 3600/3700 series, and enterprise headquarters high-end VPN connectivity with the Cisco 7100/7200/7400 series routers.

Figure 3.5: Site-to-site VPNs with Cisco routers (remote office: 1700/2000 series; partner office, extranet: 3600/3700 series; corporate office: 7100/7200/7400 series; small office/home office: 800/900 series)

The Cisco Secure PIX (Private Internet Exchange) Firewall can be used at a remote site. It combines dynamic network address translation, proxy server, packet filtering, firewalling and VPN capabilities in a single piece of hardware. The primary role of the PIX Firewall is security, while its secondary role is terminating VPN traffic. It can handle a variety of protocols for robustness and performance. The 500 series PIX Firewall is the product best positioned to satisfy these security requirements.

Lesson Wrap-Up

There is a growing demand for VPNs. Cisco's end-to-end VPN products support both remote-access VPNs and site-to-site VPNs and allow customers to secure their network infrastructures without costly changes to every computer. With a VPN deployed in your network, applications gain privacy, integrity and authenticity controls without changes to individual users or applications. Now that you have completed this lesson you should be able to:
- Discuss the basic components of a VPN
- Describe how remote-access VPNs and site-to-site VPNs work
- Introduce Cisco's VPN solutions

Lesson 4: Fundamental IP Security (IPSec)

Lesson Objective

The main concern with any type of VPN is security while crossing the public Internet. Most VPNs rely on Internet Protocol Security (IPSec) to address threats such as loss of privacy, identity spoofing, and replay and denial-of-service attacks. The goal of IPSec is to address these threats in the network infrastructure itself without requiring expensive host and application modifications. This lesson presents an overview of IPSec along with its four critical security services. After reading this lesson you should be able to:
- Define IPSec and explain its basic concepts
- Explain the four critical IPSec security services

What is IPSec?

Short for Internet Protocol Security, IPSec is a framework of open standards for securing the transmission of sensitive information over unprotected networks such as the Internet. IPSec has been deployed widely to implement Virtual Private Networks (VPNs). IPSec typically operates at the edges of a protected network domain. It supports secure data exchange between a pair of participating IPSec devices (peers) such as PIX Firewalls, Cisco routers, Concentrators, Cisco VPN Clients and other IPSec-compliant products. For example, IPSec can encrypt data between one Cisco router and another, a firewall and a router, a PC and a router, or a PC and a VPN server (e.g. a Concentrator).

Basically, IPSec provides security by building tunnels between two peers. You define which packets are considered sensitive and should be sent through these secure tunnels. When an IPSec peer sees such a sensitive packet, it encapsulates it by wrapping another packet around it. This wrapped traffic forms a secure tunnel through which the packet is sent to the remote peer across an otherwise unsecured network. IPSec has two main framework protocols: the Authentication Header (AH), which provides integrity and authentication of the sender of the data but no encryption, and the Encapsulating Security Payload (ESP), which provides encryption of the data and, optionally, authentication of the sender as well. ESP and AH can be used together or separately depending on the environment. IPSec is not bound to any specific encryption or authentication algorithm, keying technology or security algorithm; it allows newer and better algorithms to be adopted without changing the IPSec standards themselves.

IPSec Security Services

IPSec provides four critical security services.

Confidentiality (encryption)

Figure 3.6: Confidentiality (encryption). A file containing Alice's login (alm102) and password (dbd3lop) is run through the encryption algorithm with the encryption key to produce ciphertext (2hDXMoN97IAB U45TPPotVBnO); the receiver runs the ciphertext through the algorithm with the decryption key to recover the original.

Confidentiality protects the privacy of information being exchanged between communicating peers. Cleartext data transported over the public Internet can be intercepted and read. To keep the data private, the sender can encrypt the packets before transmitting them across the network. Encryption is a technique that scrambles information so that it is difficult or impossible to read, and unscrambles it so that it can be read again. For encryption to work, both the sender and receiver need to know the rules used to transform the original message into unreadable ciphertext.
Those rules are based on an encryption algorithm and a key. An encryption algorithm is a repeatable technique for scrambling (encrypting) and unscrambling (decrypting) information that can be performed by people or computers. A key is a secret value used by the encryption algorithm to produce a version of the ciphertext that depends on that key. There are two types of encryption keys, symmetric and asymmetric. With symmetric-key encryption each peer uses the same key to encrypt and decrypt the data. With asymmetric-key encryption the local end uses one key to encrypt and the remote end uses a different key to decrypt the traffic. For example, as shown in Figure 3.6, a file containing login and password information for a user, Alice, needs to be sent across the Internet. At the local end the document is encrypted by an encryption algorithm combined with a key. The output is unreadable ciphertext, which is sent through the Internet. At the remote end the message is recombined with a key and sent back through the algorithm. The output is the original document in cleartext.

Data integrity

Integrity ensures that the data is not changed or tampered with in any way during transmission over the public Internet. The following three technologies are used to guarantee the integrity of data.

One-way hash functions - A hash function is a one-way algorithm that transforms an arbitrarily large message into a fixed-length number called a hash or hash value. Hashing is not encryption, and the process is irreversible: it is computationally infeasible to derive the original message from the hash. For example, take the message LOGIN, written out as bytes:

L = 01001100
O = 01001111
G = 01000111
I = 01001001
N = 01001110

A toy hash value can be generated by XORing each byte of the message together, that is L XOR O XOR G XOR I XOR N, using the XOR rules 0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 0 = 1, 1 XOR 1 = 0. The hash is therefore 01000011. You cannot derive the original message LOGIN from the hash 01000011. (This XOR construction only illustrates the one-way, fixed-length idea; a real hash function such as SHA-256 also makes it infeasible to find two messages with the same hash, which a byte-wise XOR does not.)

One-way hash functions validate the integrity of the original message by attaching a hash to each message. The hash is transmitted from the local end to the remote end together with the original message. At the remote end, if the hash calculated from the received message with the same hash function matches the hash that was received, the message has not been altered; otherwise it was. Examples of hash algorithms are MD5, SHA-1 and RIPEMD-160. (MD5 and SHA-1 are now known to have practical collisions and should not be used for new designs; the SHA-2 family is the usual choice.)

Figure 3.7: Data integrity with a hash function. Host A sends "Bonus for Alice is 1000" together with its hash; if the message arrives unchanged the hashes match, if it arrives as "Bonus for Alice is 2000" the recomputed hash (U45TPPotVBnO) does not match the received hash (2hDXMoN97IAB).

Example: Let's look at an example in which a manager on host A sends an HR person on host B the message "Bonus for Alice is 1000", as shown in Figure 3.7. The manager does not care if the message is seen by others, but he wants to make sure that any change to the message during transit is detected at the remote end. In this example we do not need to consider confidentiality, but we do need to consider data integrity, which can be accomplished with the following steps:
1. Host A generates a hash for the original cleartext message using a hash function.
2. Host A sends both the cleartext message and the generated hash to host B.
3. Host B receives the message and the hash from host A.
4. Host B generates a hash from the received message. The newly generated hash (U45TPPotVBnO) does not match the received hash (2hDXMoN97IAB), therefore the received message was altered during transmission.

Note that the method used in this example is not secure against an active attacker, because the attacker can also replace the hash if he or she knows the hash function used by the sender. For example, the attacker can change the message to "Bonus for Alice is 2000" and then calculate a new hash for the changed message using the same hash function used on host A. Host B cannot tell that the message has been altered when it receives the forged message and hash. A hash function combined with a key is secure against this, because the attacker does not know the key.

Hashed message authentication codes (HMAC) - HMAC adds a key to a hash function. The sender creates a message and calculates a hash value by running the message and a shared secret key through the hash algorithm. The message and the hash value are sent over the network. When the recipient receives them, it recalculates the hash value by running the received message and the shared secret key through the same hash algorithm. If the received hash and the recalculated hash match, the integrity of the message is guaranteed, and because only holders of the key could have produced it, so is its origin. If any part of the message changed in transit, the hash values differ.

Digital signatures - A digital signature guarantees that the information received is authentic and has integrity, that is, the information is from the system which claims to have sent it and has not been altered in any way. To guarantee the integrity of a message you create a digital signature for that message and include it with the message, which is then referred to as a signed message. This will be discussed further in Topic 6.

Origin Authentication

Origin authentication verifies the identity of the source of the packets, i.e. of the participating IPSec devices. A VPN typically uses one or more forms of authentication, usually based on the following methods.

Password authentication (shared secrets) - This is the most prevalent form of user authentication in computer systems today. Stronger forms such as one-time passwords (OTP) and encrypted passwords are recommended. For example, many VPNs support SecurID, a token card that combines secret-key encryption with a one-time password. The password is generated automatically by encrypting a timestamp with the secret key. This one-time password is valid only for a short interval, usually 30 to 60 seconds.
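The three integrity and authentication mechanisms just described, worked through in code: the toy XOR hash from the LOGIN example, the forgery that the bonus example warns about, the keyed fix (HMAC), and a time-based one-time password. This is an added example for these notes, not code from the lesson or from any vendor. The messages, the shared key and the timestamps are constructed; the one-time password is an HMAC-based construction in the style of RFC 4226/6238, not the proprietary SecurID algorithm the text mentions.

```python
"""Integrity mechanisms from Lesson 4: the toy XOR hash, the forgery that an
unkeyed hash allows, and the keyed variants (HMAC and a time-based one-time
password).

Added example for these notes, not code from the lesson. Messages, the shared
key and the timestamps are constructed; the OTP is HMAC-based (RFC 4226/6238
style), not the proprietary SecurID algorithm the text mentions."""
from __future__ import annotations

import hashlib
import hmac
import struct


def xor_hash(message: bytes) -> int:
    """The lesson's toy one-way function: XOR every byte of the message.
    xor_hash(b"LOGIN") gives 0b01000011, as worked out in the text."""
    digest = 0
    for byte in message:
        digest ^= byte
    return digest


def xor_hash_accepts(message: bytes, received_hash: int) -> bool:
    """Host B's check in the Figure 3.7 example: recompute and compare."""
    return xor_hash(message) == received_hash


def forge(tampered: bytes) -> tuple[bytes, int]:
    """The attack the text warns about: whoever knows the (unkeyed) hash
    function can recompute a matching hash for an altered message."""
    return tampered, xor_hash(tampered)


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256: the tag now depends on a secret the attacker lacks."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_accepts(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(hmac_tag(key, message), tag)


def one_time_password(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Keyed function of the current time interval, valid for `step` seconds:
    HMAC over the interval counter with HOTP dynamic truncation (RFC 4226)."""
    counter = int(now) // step
    mac = hmac_tag(secret, struct.pack(">Q", counter))
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def otp_accepts(secret: bytes, code: str, now: float, step: int = 30) -> bool:
    """Server side: accept the current interval or the previous one (clock
    skew), and nothing older, so a captured code expires quickly."""
    return any(hmac.compare_digest(one_time_password(secret, now - skew * step, step), code)
               for skew in (0, 1))


if __name__ == "__main__":
    # Constructed data matching the Figure 3.7 scenario.
    original, altered = b"Bonus for Alice is 1000", b"Bonus for Alice is 2000"
    print("unkeyed hash catches a plain change:", not xor_hash_accepts(altered, xor_hash(original)))
    print("but a recomputed hash passes:", xor_hash_accepts(*forge(altered)))
    key = b"shared-secret-between-A-and-B"   # constructed shared secret
    print("HMAC rejects the altered message:", not hmac_accepts(key, altered, hmac_tag(key, original)))
    print("one-time password for this interval:", one_time_password(key, 1_000_000_000))
```

The point of `forge` is that an unkeyed hash only protects against accidental corruption: the receiver's check passes for the altered message because the attacker recomputed the hash. With HMAC the same attacker cannot produce a valid tag without the key, and the server-side OTP check accepts at most two consecutive intervals, which is the "valid for a short interval" property the text describes.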
60 seconds.

Digital certificate - a technology that lets people and systems authenticate or identify each other without using passwords. Digital certificates rely on digital signature technology. A digital certificate is a special type of signed message that is tied to a sender. The sender digitally "signs" a document with their private key, and the recipient verifies the signature with the sender's public key. If the signature is genuine, the sender is authenticated. Certificates are used during the initial establishment of a VPN tunnel to authenticate both ends of the tunnel. Two common digital signature algorithms are RSA and the Digital Signature Algorithm (DSA).

In VPN networking it is necessary to authenticate the device at the other end of the VPN tunnel before the communication path is considered secure. This is called peer authentication. There are three peer authentication methods:

Pre-shared keys - a secret key value is entered manually into each peer and used to authenticate the other peer.
RSA signatures - the peers exchange digital certificates to authenticate each other.
RSA encrypted nonces - uses RSA public-key encryption. Each peer generates a random number (nonce) and encrypts it with the other party's RSA public key. The encrypted nonces are exchanged, and the two nonces are then used during the peer authentication process.

Anti-replay protection

Anti-replay protection verifies that each packet is unique and not a duplicate. IPSec packets are protected by comparing the sequence number of each received packet against a sliding window on the destination host. The sequence number counts the packets sent over the security tunnel for this communication. The destination host checks the sequence number against the sliding window to decide whether a packet is late (its number falls to the left of the window) or a duplicate (its number has already been seen inside the window). Late and duplicate packets are dropped.

Lesson Wrap-Up

IPSec provides numerous security features that enable encrypted communication between users and devices. It is ideally positioned to enforce
corporate network security and can be implemented transparently and seamlessly in the network infrastructure. IPSec security headers are inserted between the standard IP header and the upper-layer data (for example a TCP segment), so any network service or user application that runs over IP, such as Telnet and FTP, can use IPSec without modification. IPSec traffic also passes transparently through existing IP routers on the Internet.

Now that you have completed this lesson you should be able to
- Define IPSec and explain its basic concepts
- Explain the four critical IPSec security services

Lesson 5 IPSec Security Protocols

Lesson Objective

IPSec is a framework of open standards for ensuring secure private communications over the Internet. It provides security services that ensure the confidentiality, integrity and authenticity of data communications across the Internet. The security services within IPSec are provided by one of two protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). Each protocol provides certain services, and they may be used separately or together. This lesson explains how each of the two protocols provides its security services and how IPSec operates step by step. After reading this lesson you should be able to
- Describe the Authentication Header (AH)
- Describe the Encapsulating Security Payload (ESP)
- Discuss the modes of use of IPSec
- Define IKE and list the operation steps of IPSec

Authentication Header (AH)

The Authentication Header (AH) provides origin authentication and integrity for IP packets passed between two systems. Integrity means the original IP packet was not modified in transit from the source to the destination. Origin authentication means the data truly originated from one of the two communicating systems and was not generated by an impersonator.

[Figure 3-8 diagram: router X runs the IP header and data, together with the key, through a hash function, inserts the result as the AH and sends IP header | AH | data across the Internet; router Y runs the received IP header and data through the same keyed hash function and compares the received hash (2EDBCAEF in the figure) with the recomputed hash, which must match.]
Figure 3-8 AH Authentication and Integrity

The origin authentication and integrity functions are achieved by applying a keyed one-way hash function to the packet to create the AH. The AH is combined with the original message and transmitted. Changes in any part of the packet during transit are detected by the recipient when it performs the same one-way hash function on the received packet and compares the result with the hash value the sender supplied. By recomputing the AH from the received message and comparing it with the received hash value, the receiver can tell whether the message was altered in transit. As shown in figure 3-8, AH works as follows:
1 The IP header and data payload are hashed through the keyed hash function to create the AH.
2 The AH is inserted into the IP packet between the IP header and the data payload.
3 The new packet is transmitted from the IPSec peer router X to router Y.
4 Router Y receives the packet and hashes the IP header and data payload.
5 Router Y compares the AH from the received packet with the AH it recomputed in step 4. The two must match exactly. If even one bit of the transmitted packet is changed, the hash output on the received packet changes and the AH will not match.

Different algorithms can be used to calculate the AH, such as a hashed message authentication code (HMAC) coupled with the Message Digest 5 (MD5) hash function, or HMAC coupled with the SHA-1 hash function. (HMAC-MD5 is now deprecated and HMAC-SHA-1 is being phased out; current deployments use HMAC-SHA-256 or stronger.) AH also provides an anti-replay service that can be used to counter denial-of-service attacks. Note that AH does not keep the contents of the packet confidential: there is no data encryption, and all data is transported in the clear. For that reason AH is not widely used for IPSec implementations across the Internet. For confidentiality, ESP must be used.

Encapsulating Security Payload (ESP)

The Encapsulating Security Payload (ESP) provides confidentiality (encryption), origin authentication and integrity, which together protect against data tampering.
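The keyed-hash check described for HMAC and for AH steps 1 to 5 above, worked through in code. This is an added example, not code from the original notes or from any vendor. It builds a minimal IPv4 packet, computes the AH integrity check value with HMAC-SHA-256 (truncated to 128 bits as in RFC 4868) over the immutable header fields and the payload, verifies it at the receiver, and applies the sliding anti-replay window from the previous lesson to the AH sequence number. The key, SPI, addresses and payload are constructed test values, and the IP header checksum is left at zero to keep the example short.

```python
"""AH keyed integrity check (HMAC-SHA256-128) plus the receiver's anti-replay
window. Added example for these notes, not code from the course or a vendor.
Key, SPI, addresses and payload are constructed test values; the IP header
checksum is left at zero for brevity."""
from __future__ import annotations
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 16            # HMAC-SHA256 truncated to 128 bits (RFC 4868)
AH_LEN = 12 + ICV_LEN   # fixed AH fields + ICV
WINDOW_SIZE = 64        # RFC 4302 requires at least 32; 64 is the usual default


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """AH covers the IP header except fields routers change in transit:
    TOS/DSCP, flags+fragment offset, TTL and header checksum (RFC 4302)."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    payload_len = AH_LEN // 4 - 2           # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def ah_icv(key: bytes, ip_hdr: bytes, ah_zero_icv: bytes, payload: bytes) -> bytes:
    """ICV = HMAC over immutable IP header | AH with ICV zeroed | payload."""
    data = zero_mutable_fields(ip_hdr) + ah_zero_icv + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, src, dst, inner_proto, payload, spi, seq) -> bytes:
    """Sender (router X): hash, then insert the AH between header and payload."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload))
    ah_zero = ah_header(inner_proto, spi, seq, b"\x00" * ICV_LEN)
    return ip_hdr + ah_header(inner_proto, spi, seq, ah_icv(key, ip_hdr, ah_zero, payload)) + payload


class AHReceiver:
    """Receiver (router Y): window pre-check, ICV check, then window update."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest sequence number verified so far
        self.seen = 0      # bit i set => sequence number highest - i was received

    def window_ok(self, seq: int) -> bool:
        if seq == 0 or seq + WINDOW_SIZE <= self.highest:   # invalid or too late
            return False
        return seq > self.highest or not (self.seen >> (self.highest - seq)) & 1

    def window_mark(self, seq: int) -> None:
        if seq > self.highest:                               # slide the window right
            self.seen = ((self.seen << (seq - self.highest)) & ((1 << WINDOW_SIZE) - 1)) | 1
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def receive(self, packet: bytes) -> bytes | None:
        ip_hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
        seq = struct.unpack("!I", ah[8:12])[0]
        if not self.window_ok(seq):
            return None                  # late or duplicate: rejected before hashing
        ah_zero = ah[:12] + b"\x00" * ICV_LEN
        if not hmac.compare_digest(ah[12:], ah_icv(self.key, ip_hdr, ah_zero, payload)):
            return None                  # forged, tampered or wrong key
        self.window_mark(seq)
        return payload


def demo() -> dict:
    """Constructed traffic: one HTTP-like TCP payload, SPI 0x1000, seq 1..3."""
    key, src, dst = b"constructed-demo-key-00000000000", bytes([10, 0, 1, 1]), bytes([10, 0, 2, 1])
    payload = b"GET /index.html HTTP/1.0\r\n\r\n"
    pkts = [ah_protect(key, src, dst, 6, payload, 0x1000, s) for s in (1, 2, 3)]
    rx = AHReceiver(key)
    ttl_dec = bytearray(pkts[1]); ttl_dec[8] -= 1     # a router decremented TTL
    tampered = bytearray(pkts[2]); tampered[-1] ^= 1  # one payload bit flipped
    return {
        "clean_accepted": rx.receive(pkts[0]) == payload,
        "ttl_change_accepted": rx.receive(bytes(ttl_dec)) == payload,
        "tamper_rejected": rx.receive(bytes(tampered)) is None,
        "genuine_after_tamper_accepted": rx.receive(pkts[2]) == payload,
        "replay_rejected": rx.receive(pkts[0]) is None,
        "wrong_key_rejected": rx.receive(ah_protect(b"attacker-key", src, dst, 6, payload, 0x1000, 4)) is None,
    }
```

The demo shows the two outcomes the text describes: a TTL decrement by an intermediate router still verifies because AH leaves the mutable fields out of the hash, while a single flipped payload bit, a packet built with a different key, or a replayed sequence number is dropped. The receiver does the cheap window check before the HMAC and marks the sequence number as seen only after the ICV verifies, so a forged packet cannot poison the window.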
Most importantly, ESP protects the content of the data. ESP provides confidentiality by encrypting the IP packet; encryption conceals the data payload and, in tunnel mode, the identities of the ultimate source and destination. ESP supports a variety of symmetric encryption algorithms for the packet payload. At the time of these notes the default algorithm was 56-bit DES, with 3DES supported on Cisco products for stronger encryption. Both are now considered obsolete (56-bit DES can be brute-forced and 3DES has been deprecated); current deployments use AES, typically AES-GCM, which provides encryption and authentication in a single algorithm.

ESP encryption by itself does not provide authentication or data integrity, so you should combine ESP encryption with an authentication and data integrity service. There are two ways to do this: use the authenticated ESP format, or nest ESP within AH.

Figure 3-9 Authenticated ESP (tunnel between the VPN site 1 router and the VPN site 2 router)

    original packet:   IP Header | Data
    protected packet:  New IP Header | ESP Header | IP Header | Data | ESP Trailer | ESP Auth
                                                  |<-------- Encrypted --------->|
                                     |<-------------- Authenticated ------------->|

With authenticated ESP, IPSec first encrypts the payload using one symmetric key, then runs the encrypted payload with a second symmetric key through a hash algorithm such as HMAC-SHA-1 or HMAC-MD5 to calculate an ESP authentication value. The authentication value provides origin authentication and data integrity for the data payload. It is appended to the end of the packet, as shown in figure 3-9. The recipient computes its own authentication value for the encrypted data payload using the second symmetric key and the same algorithm, and compares the result with the transmitted authentication value. If the values match, the recipient decrypts the encrypted portion of the packet with the first symmetric key and extracts the original data.

Nested ESP in AH

Figure 3-10 Nested ESP in AH

    IP Header | AH Header | ESP Header | Data | ESP Trailer
                                       |<-- Encrypted -->|
              |<------------- Authenticated ------------>|

The second method nests an ESP packet within an AH packet, as shown in figure 3-10. For example, a 3DES ESP packet can be nested within an HMAC-MD5 AH packet. IPSec first uses 3DES to build an ESP packet with the data payload
encrypted using a symmetric key. IPSec then nests the ESP packet within an AH packet using a second symmetric key. All the contents of the packet are authenticated except the mutable fields of the IP header (those that routers legitimately change in transit, such as the TTL and the header checksum).

ESP can also enforce anti-replay protection on its own: the ESP header carries a sequence number that the receiving host checks against its sliding window, exactly as described for AH, so a packet whose sequence number has already been seen is rejected.

In the example of figure 3-9, between two IPSec peer routers, the original payload is well protected because the entire original IP packet is encrypted. An ESP header and trailer are added around the encrypted payload. With the authenticated ESP format, the ESP header, the encrypted IP packet and the ESP trailer are all included in the hashing process (the new outer IP header and the authentication value itself are not). Last, a new IP header is placed at the front of the authenticated payload; the new IP addresses are used to route the packet through the Internet.

When both ESP authentication and encryption are selected, encryption is performed first, then authentication. This lets the receiver authenticate inbound packets before decrypting them. This order of processing allows the receiving IPSec device to detect and reject replayed or bogus packets quickly, before spending any effort on decryption, which limits the impact of denial-of-service (DoS) attacks.

Internet Key Exchange (IKE)

As noted above, AH and ESP need a shared secret key between the IPSec peers. Internet Key Exchange (IKE) provides a way to negotiate keys in secrecy for communication between distant locations. It is designed to securely establish a trust relationship between the IPSec peers, negotiate security options and dynamically generate shared secret keys. The agreement on security settings together with the associated keying material is called a security association (SA). These keys provide authenticity, integrity and optionally encryption for the IP packets sent using the security association. IKE is optional; you can configure secret keys manually for AH and ESP.
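The authenticated ESP format of figure 3-9 and the encrypt-then-authenticate order described above, worked through in code. This is an added example, not code from the original notes or from any vendor. It builds a tunnel-mode ESP packet around a constructed inner IPv4 packet using separate encryption and authentication keys (the first and second symmetric key of the text), verifies the ESP authentication value before any decryption, and strips the ESP trailer padding on the way out. Python's standard library has no DES, 3DES or AES, so the encryption step uses a counter-mode keystream generated with HMAC-SHA-256 as the PRF; that stand-in is an assumption of this example only and leaves the ESP framing and processing order unchanged. Keys, SPI, gateway addresses and the inner packet are constructed test values.

```python
"""Authenticated ESP in tunnel mode: encrypt-then-authenticate on send,
authenticate-before-decrypt on receive. Added example for these notes, not
course or vendor code. The block cipher is replaced by an HMAC-SHA256
counter-mode keystream (stdlib only); framing follows RFC 4303."""
from __future__ import annotations
import hashlib
import hmac
import os
import struct

ESP_PROTO = 50
IPV4_IN_IP = 4      # next header value for a tunnelled IPv4 packet
IV_LEN = 8
ICV_LEN = 16        # HMAC-SHA256 truncated to 128 bits (RFC 4868)
ALIGN = 4           # payload + trailer must end on a 4-byte boundary


def ip_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)


def keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF, standing in for DES/AES.
    Block i = HMAC(enc_key, iv || i); an IV must never repeat under one key."""
    blocks = (hmac.new(enc_key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, gw_src, gw_dst, inner, spi, seq, iv=None) -> bytes:
    """Sending gateway: pad, encrypt with key 1, authenticate with key 2."""
    iv = iv or os.urandom(IV_LEN)
    pad_len = (-(len(inner) + 2)) % ALIGN
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPV4_IN_IP])
    plaintext = inner + trailer
    ciphertext = xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    authed = struct.pack("!II", spi, seq) + iv + ciphertext     # ESP header | IV | encrypted
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return ip_header(gw_src, gw_dst, ESP_PROTO, 20 + len(authed) + ICV_LEN) + authed + icv


def esp_decapsulate(enc_key, auth_key, packet: bytes) -> bytes | None:
    """Receiving gateway: ICV first, then decrypt, then strip the trailer.
    Returns the inner IP packet, or None if the packet fails authentication."""
    authed, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                           # bogus or tampered: no decryption done
    iv, ciphertext = authed[8:8 + IV_LEN], authed[8 + IV_LEN:]
    plaintext = xor(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPV4_IN_IP or pad_len + 2 > len(plaintext):
        return None
    return plaintext[:len(plaintext) - 2 - pad_len]


def demo() -> dict:
    """Site 1 gateway to site 2 gateway, carrying a constructed host-to-host packet."""
    enc_key, auth_key = b"enc-key-constructed-000000000000", b"auth-key-constructed-00000000000"
    gw1, gw2 = bytes([198, 51, 100, 1]), bytes([203, 0, 113, 1])
    host_a, host_b = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 7])
    data = b"hello from a host at site 1 to a host at site 2"
    inner = ip_header(host_a, host_b, 6, 20 + len(data)) + data
    pkt = esp_encapsulate(enc_key, auth_key, gw1, gw2, inner, 0x2000, 1)
    flipped = bytearray(pkt); flipped[40] ^= 0x80          # one ciphertext bit
    return {
        "outer_header_is_esp_between_gateways": pkt[9] == ESP_PROTO and pkt[12:20] == gw1 + gw2,
        "inner_addresses_hidden": host_a + host_b not in pkt,
        "roundtrip": esp_decapsulate(enc_key, auth_key, pkt) == inner,
        "flipped_bit_rejected": esp_decapsulate(enc_key, auth_key, bytes(flipped)) is None,
        "wrong_auth_key_rejected": esp_decapsulate(enc_key, b"not-the-auth-key", pkt) is None,
    }
```

The demo checks what the text claims: the outer header carries only the gateway addresses and the inner addresses are not visible on the wire, and a packet with one flipped ciphertext bit, or one made with the wrong authentication key, is rejected by the ICV comparison before the receiver does any decryption work.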
Traffic is, however, easily compromised when the same secret key is used repeatedly for a long period of time, and once the secret keys are compromised the IPSec protocols are no longer secure.

Modes of Use

IPSec can either directly protect the traffic between two peer devices, known as transport mode, or build virtual "tunnels" between two subnets, which can be used for secure communication between two corporate networks, known as tunnel mode. The latter is more commonly known as a Virtual Private Network (VPN). Figure 3-11 shows the transformed IP packets in these two modes of use.

Transport mode only encrypts the IP payload and leaves the IP header untouched, in the clear. This allows devices on the public network to see the source and destination IP addresses in the IP header in order to route the packet through the Internet. Unfortunately, passing the IP header in the clear allows an attacker to perform some traffic analysis; for example, an attacker could see when a company sent a lot of packets to another company. The attacker would only know that IP packets were sent, however; they could not determine the content of the data, for example whether it was email or another application.

Figure 3-11 Modes of use: tunnel mode and transport mode

    Tunnel mode:     IP Header | Data
                     -> New IP Header | ESP Header | IP Header | Data | ESP Trailer | ESP Auth
                                                   |<-------- Encrypted --------->|
                                      |<-------------- Authenticated ------------->|

    Transport mode:  IP Header | Data
                     -> IP Header | ESP Header | Data | ESP Trailer | ESP Auth
                                               |<--- Encrypted --->|
                                  |<-------- Authenticated -------->|

IPSec transport mode can only be used when both the source and the destination systems understand IPSec. Tunnel mode encrypts the entire original IP datagram, and the result becomes the payload of a new IP packet. This mode is used when either end of the tunnel is a security gateway, such as a VPN concentrator, a VPN-optimized router or a PIX Firewall. The security gateway performs encryption and authentication of the original IP packet on behalf of the hosts. Next, a new IP header is prepended to the
encrypted packet. The new IP addresses are used to route the packet through the Internet to the security gateway at the remote end. The destination gateway then decrypts the original IP datagram and forwards it to the destination host based on the original IP header.

Tunnel mode provides security for the whole original IP packet: it encrypts both the header and the payload of each packet. On the receiving side an IPSec-compliant device decrypts each packet. The big advantage of tunnel mode is that the end hosts do not need to be modified to enjoy the benefits of IP security. For site-to-site applications the security gateway simply performs the encryption and encapsulation, rather than every computer at the remote and corporate offices having to run IPSec. For remote-access applications, the IPSec client running on the PC at a home office performs the IPSec encapsulation and encryption, and the router at the corporate office de-encapsulates and decrypts the packet.

Tunnel mode also protects against traffic analysis. With tunnel mode an attacker can only determine the tunnel endpoints, not the true source and destination of the tunneled packets, even if those happen to be the same as the tunnel endpoints.

How IPSec operates

The goal of IPSec is to protect the desired data with the needed security services. Figure 3-12 illustrates how IPSec operates between two IPSec peer routers in five primary steps.

[Figure 3-12 diagram: router X and router Y, connected across the Internet, carry out IKE SA negotiations, establish a matching SA pair at each end, and then exchange secure IP packets.]

Figure 3-12 IPSec operation steps

Step 1 Interesting traffic - The IPSec peer routers X and Y recognize the traffic you want to protect.
Step 2 IKE Phase 1 - The peer routers X and Y negotiate the IKE policy sets used to protect all subsequent communications, authenticate each other and set up a secure communications channel between them.
Step 3 IKE Phase 2 - The peer routers X and Y negotiate the IPSec SA parameters and set up matching IPSec SAs in both peers to protect the data and messages
exchanged between them.
Step 4 Data transfer - The peer routers X and Y transfer secure IP packets based on the IPSec SA parameters and the defined security services.
Step 5 IPSec tunnel termination - The IPSec tunnel is terminated by deletion or by timing out.

Lesson Wrap-Up

IPSec provides the power to enable privacy, integrity and authenticity for a customer's network infrastructure. These security services are provided by two important protocols, AH and ESP. AH provides origin authentication and integrity for IP packets and helps to defeat IP spoofing. (Because AH's authentication is a symmetric keyed hash shared by both peers, it does not by itself give non-repudiation; that requires the digital signatures discussed earlier.) ESP provides data confidentiality and data authentication for the payload of IP packets.

AH and ESP can operate in two modes of operation: transport mode and tunnel mode. In most cases you deploy IPSec in tunnel mode. Doing so allows you to implement IPSec in the network architecture without modifying the operating system or any applications on your PCs, servers and hosts.

Now that you have completed this lesson you should be able to
- Describe the Authentication Header (AH)
- Describe the Encapsulating Security Payload (ESP)
- Discuss the modes of use of IPSec
- Define IKE and list the operation steps of IPSec

Lesson 6 Topic Wrap-Up

The Internet holds enormous promise for changing the way we do business, but not without first addressing the security risks. Recently many companies have turned to virtual private network (VPN) technology to supply secure network connectivity across a shared infrastructure, the Internet, and to cost-effectively extend their corporate networks to locations that could not have been justified before. There is an ever-increasing number of types of VPN available. Many of them use Internet Protocol Security (IPSec) to enforce data privacy, integrity, authenticity and anti-replay protection for network traffic. IPSec provides a key piece of the solution and works in concert with other security mechanisms to help your organization become a global networked business. The security services of IPSec are provided through the
combination of specific encryption and authentication algorithms, keying technology and security protocols. We will discuss these technologies in the next few topics.

Now that you have completed this topic you should be able to
- Give an overview of VPN, including its benefits, the different types and its security mechanisms
- Describe the implementation of two different types of VPN
- Introduce IPSec and the security services provided by IPSec
- Discuss two important protocols supported by IPSec, AH and ESP