Network Security (IST 451)

by: Ms. Jovany Will, Penn State
Class Notes for IST 451 at Pennsylvania State University (Fall), uploaded by Ms. Jovany Will on Sunday, November 1, 2015.
Date Created: 11/01/15
Topic 3 Virtual Private Network V PN Topic lessons 1 Introduction 2 Virtual Private Networks VPN 3 VPN Implementation 4 Fundamental IP security IPSec 5 IPSec Security Protocols 6 WrapUp Lesson 1 Introduction Topical Goals In today s economy companies have dramatically expanded the scope of their businesses They may need to set up offices and facilities across the country or even around the world How to maintain fast secure and reliable communications among different business locations and remote users becomes very important for those businesses Until fairly recently many of them use leased lines to connect their private networks at different geographic area The advantages of leased line are its reliability performance and security But using leased lines can be expensive and often the cost rises exponentially as the distance between the offices increases As the popularity of the Internet grew many companies are turning to the Internet to extend their own networks and accommodate the needs of remote employees and distant offices Virtual Private Network VPN brings these companies such a solution to use the open distributed infrastructure of the Internet to provide remote offices or individual users with secure access to a company s private network This topic will provide a fundamental description of VPN along with an important security standard IPSec which ensures the communications over VPN are private and secure After reading this topic you should be able to 0 Give an overview of VPN including its benefit different types and its security mechanisms Describe the implementation of two different types of VPN Introduce IPSec and the security services provided by IPSec Discuss two important protocols supported by IPSec AH and ESP Lesson 2 Virtual Private Network V PN Lesson Objectives When a company tries to connect its private networks together using a public resource meaning the wires and routers that make up the Internet it has no control over the other people who are 
using the public resource This leaves the company susceptible to security issues when the data is transmitted between private networks over the Internet The older solution is to build a dedicated and direct connection such as a leased line between private networks that can only be used by the authorized users of the company Many companies have chosen this route because of the need for security and reliability in connecting their remote of ces It is reliable fast but it is very expensive to build and maintain this connection even the sites are very close to each other Virtual private network VPN provides a solution for an organization to use a public network infrastructure such as the Internet to offer secure and reliable data communication between its private networks at different geographic locations This lesson provides an overview of the basic principles which are important to understand VPN technology including the benefit different types of VPN and the security mechanisms used by VPN After reading this lesson you should be able to Define a VPN and explain how a VPN works Highlight VPN benef1ts Define remoteaccess VPN and sitetosite VPN Overview four security mechanisms of a VPN What is a VPN VPN stands for Virtual Private Network It is a network infrastructure constructed over a public infrastructure ie the Internet to deliver private network services A VPN permits companies through the use of security mechanisms such as encryption and tunneling to establish secure and encrypted connections between private networks over the Internet Figure 31 shows a typical VPN It has a single central network at the corporate office of a company a single LAN local area network at its remote office a single LAN at its partner s office and individual users connecting from out in the field or working from home The VPN enables other LANs and individual users to communicate with the central network in a secure and reliable manner Instead of using a dedicated real wire connection 
such as a leased line a VPN uses the Internet as the medium to build virtual connections that link the company s central network to the remote sites or mobile employee The traffic is encrypted for confidentiality and then quotwrappedquot with enough networking information for the intervening machines on the virtual connections to pass it to the destination The intervening machines can not read contents of the data packet Thus the tra ic can be routed back and forth with privacy and security 39l Business Mobile user Partner quot Figure 31 Atypical VPN VPN is transparent to end users End users do not need any knowledge about VPN components and how to establish a VPN connection to access the corporate LAN For example when a mobile user wants to check email the user simply uses his or her e mail client to request a download as if directly connected to the corporate LAN From a user s perspective the nature of the intermediate network over the Internet that a VPN utilizes to build virtual connections is irrelevant because it appears as if the data is being sent over a dedicated private connection In this way the secure connection across the intermediate network appears to the user as a private network communication despite the fact that this communication is occurring over the Internet This is why we call it a virtual connection and is essentially how a VPN works VPN Bene t VPN is a popular costeffective way to securely connect of ces remote workers and mobile workers back into the corporate network It provides many bene ts for a company including Security 7 VPN provides a high level of security using advanced security methods e g encryption and authentication that protect data from unauthorized access It uses the Internet as the medium for transporting data while maintaining the privacy of communications to ensure only authorized users can access the network and the data cannot be intercepted It completely hides you from others on the public network infrastructure 
Scalability 7 VPN that utilizes the Internet enables companies to add large amount of capacity without adding signi cant infrastructure A VPN can grow to accommodate more users and different locations as long as the Internet access is available Adding additional components to a VPN infrastructure is much easier than a lease line system previously used by many companies Flexibility 7 VPN allows a company to keep its employees and partners securely connected to central network resources no matter where they are It provides access to the entire network with anytoany connectivity VPN can be developed with different applications such as FullMesh topology for voice and HubandSpoke for Internet access The geographic locations of each office matter little in the creation of a VPN Cost effectiveness 7 VPN helps to reduce connectivity charges and operational costs due to the sharing of Internet infrastructure It enables network connections between sites by utilizing Internet to connect remote offices and remote users to the main corporate site The cost of traditional lease lines by contrast can increases dramatically as an organization grows with more remote users and offices added to its corporate network VPN Types There are two common types of VPN networks remote access and sitetosite Remote Access VPN A remote access VPN allows remote employee and telecommuters to securely connect to the company s corporate network inexpensively using the Internet or an Internet Service Provider s ISP s backbone It is also called a virtual private dialup network VPDN In the past the company supported remote users through a tollfree call to reach the company s private network directly With the advent of VPN the remote users can make a local call to their ISP and use the VPN client software on their computers to access the company s private network They can basically access the company via the Internet from wherever they are Remoteaccess VPNs permit secure encrypted connections between a 
company39s private network and remote users and save the expenditures of using tollfree numbers For instance a company with hundreds of sales people in the field would greatly benefit from a remoteaccess VPN SitetoSite VPN Sitetosite VPN can be used to connect a company s multiple fixed sites such as remote offices and central offices over the Internet It has replaced a lease line or frame relay connection often used previously by companies to connect sites There are two types of sitetosite VPN Intranet VPN 7 An intranet VPN is built to connect all of a company s remotes sites to be a single private network where companies can share information with employees and others with authorization Extranet VPN 7 An extranet VPN is built to connect a company with other companies that it has a working relationship such as a partner supplier or customer This allows all of the various companies to work in a shared environment with controlled network access VPN Security Mechanisms A VPN generally uses the following security mechanisms to keep the connection and data secure rewalls encryption IPSec and AAA server Firewallbased VPN A firewall provides a strong barrier between your private network and the Internet A firewallbased VPN can manage the VPN network terminate the VPN sessions and also take advantage of the firewall s builtin security mechanisms such as restricting access to the internal network It may also perform network address translation from a public IP address to the corporate office private IP address and serve up realtime alarms and extensive logging The existing firewall systems can be enhanced to support VPN serv1ces Enc ption Encryption ensures privacy and confidentiality of information during its transit over the VPN It is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode Encryption is the security mechanism that provides the P privacy in VPN In a VPN 
network the data is encrypted by using different encryption protocols at the sending end and decrypted at the receiving end An additional level of security involves encrypting not only the data but also the originating and receiving network addresses Popular encryption methods include Data Encryption Standard DES Triple DES 3DES and Blowfish IPSec Internet Protocol Security IPSec is a security protocol used by most VPNs to set up private connections that span the Internet between the separate company sites It is designed to address data con dentiality integrity authentication and key management in addition to tunneling Tunneling can be thought of as the act of encapsulating original nonsecure IP packets inside of encrypted secure IP packets This works as if sending the data through a quottunnelquot that cannot be quotenteredquot by data that is not properly encrypted Also tunneling supports the routing of nonroutable private IP addresses over public networks such as the Internet which brings us to the V virtual in VPN so that you can send the information to a private address that do not have a public address IPSec will be discussed in more detail later in this topic AAA Server For a more secure access in a remoteaccess VPN the request to establish a session from a dialup client can be sent to an AAA authentication authorization and accounting server to check the following Who you are authentication What you can do authorization What you actually do accounting The accounting information is used for tracking client usage of the network resources security auditing billing and reporting Lesson Wrap Up VPN solution supports remote access and private data communications over public network as a cheaper alternative to owned or leased lines that can only be used by one company By addressing security and performance issues a VPN delivers tangible business benefits with secure communicates and significant cost saving versus other remoteaccess solutions Understanding the 
various VPN solutions can help companies build infrastructures that will support their tactical business needs today as well as their strategic business needs for tomorrow Now that you have completed this lesson you should be able to Define a VPN and explain how a VPN works Highlight VPN benefits Define remoteaccess VPN and sitetosite VPN Overview four security mechanisms of VPN Lesson 3 VPN Implementation Lesson Objective A VPN is a combination of software and hardware that allow mobile employees telecommuters business partners and remote sites to use a public or unsecured medium such as the Internet to establish a secure private connection with a central network With a VPN deployed across the Internet virtual private connections can be established from almost anywhere in the world A wide variety of VPN technologies are deployed today This lesson will discuss components needed in a VPN implementation and two different types of VPN It will also talk about Cisco s VPN solution in building these two types of VPN After reading this lesson you should be able to 0 Discuss the basic components of a VPN 0 Describe how remoteaccess VPN and sitetosite VPN work 0 Introduce Cisco s VPN solutions VPN Components There are variations of VPN implementations depending on whether the VPN is managed by the customer or the service provider In all cases the VPN comprises two endpoints peers that may be represented by routers firewalls client workstations or servers Specifically the following options are available for remote users or remote sites to implement a VPN Software VPN client access option used by remote users to build VPN connections ie Cisco VPN so ware client Remotesite firewall option used by remote sites to support firewalling function and VPN connectivity to corporate networks Hardware VPN client option used by remote sites for VPN connectivity to corporate networks The following options are available in corporate main network to implement a VPN Dedicated VPN server for 
remoteaccess VPN eg Cisco VPN concentrator VPN router to route traffic and terminate VPN sessions Firewall with VPN functionality e g Cisco PIX firewall The company configures the equipment at each end so that data can be transmitted over VPN connections between two VPN peers with privacy Note that a VPN does not provide complete endtoend security between user applications and server applications Antivirus software system patches additional layers of encryption to finish the link between user applications and server applications are still required for system security In addition firewalls and other security measures are still recommended The Remote Access VPN model A remoteaccess VPN refers to the implementation in which individual remote users access the corporate network via their PCs A remoteaccess VPN follows a client and server approach All the remote user requires is a computer with VPN client software and connectivity to the Internet or ISP network via a dialin or Ethernet connection VPN clients authenticate users encrypt data and manage VPN connections and disconnections with VPN servers located on corporate networks i 1 ternet User s machine i I VPN Cllent Tunnel 7 l connection Corporate Office I LAN 0 Appllcahon VPN Sener Figure 32 Remote access VPN model Figure 32 illustrates a remoteaccess VPN model to support a remote user to access an application server e g web server on the corporate office LAN The remote user is connected to the Internet through either dialup or Ethernet connection The VPN client on the user s computer establishes a secure VPN connection to the VPN server maintained at the corporate network The request from the user is encrypted and then sent to the VPN server through the VPN connection The data is encrypted until it reaches the VPN server The VPN server then decrypts the received data and forwards it on to the target application server Thus the remote user can communicate with the application server just as securely over the public 
network as if it resided on the internal corporate LAN From the user s perspective the VPN connection is a pointtopoint connection between the user s computer and the company s application server However the information that the user sends out will lose its VPN level of protection when the VPN server receives it and sends it along to the application server After that point security is the user s and the application server s responsibility For example you should not send password or credit card information to a Web page that is not SSLencrypted e g a page does not begin with https even if you re using a VPN connection Therefore a VPN client does not replace antivirus software operating system and any localarea networking security practices A virus that is downloaded in an encrypted packet will still infect your system when your VPN client decrypts it for your applications to read The Site to Site VPN Model A sitetosite VPN refers to a wide area network WAN implementation in which the network of one location is connected to the network of another location via a VPN It is often used to connect branch offices home offices or business partners sites to all or portions of a company39s network Rather than a clientserver connection it can be viewed as a serverserver VPN connection that joins two networks to form an extended intranet or extranet i E lt7 Clear text cm VPN Site1 VPN SiteZ VPN router Encryptedtext Clear text a Figure 33 Sitetosite VPN model In a sitetosite VPN there are VPN servers at each site to authenticate each other and establish the VPN connection between the sites VPN servers can act as gateways intemetworking devices to the computers behind it on the subnet securely passing traf c through endtoend encrypted tunnels between the sites This is also referred as gatewaytogateway VPN application VPN routers with firewall function can support this functionality and also provide networklevel protection of remotesite resources and filtering of traffic Figure 33 
shows a sitetosite VPN model in which the remote sites use the VPN router to provide both firewall function and VPN connectivity between two sites When information is transmitted from one location to anther the VPN router at one location encrypts information before sending it through the VPN connection on the Internet At the other location the receiving VPN router decrypts the information into cleartext and sends it to its LAN Cisco IP VPN Solutions Cisco has VPN products to support both remoteaccess VPN and sitetosite VPN For remote access VPNs there are Cisco VPN 3000 Series Concentrators the PIX Firewall and the Cisco VPN client For sitetosite VPNs there are Cisco VPN routers and the PIX Firewall Cisco Remote Access VPNs CISCD VPN so ware client Mobile user Small of ce of customer CWSCO Concenlralor Telecommuter Hardware VPN a client VPN m so ware client Figure 34 Remote access VPNs 7 Cisco VPN client and Concentrator In a remoteaccess VPN model as shown in gure 34 the mobile user and telecommuter have Cisco VPN software client loaded on their PCs The customer has a standalone Cisco hardware client located in its small office On the corporate end a Cisco Concentrator is placed to function as a VPN server The Concentrator can communicate with both Cisco VPN software client and Cisco Hardware client Note that a small Cisco Pix Firewall can act as a VPN server as well VPN connections are formed from the VPN client to the VPN server ie Cisco Concentrator The Cisco VPN client allows secure connection between client machines and the VPN server The VPN server terminates VPN connections initiated by remote users running Cisco VPN software client on their PCs This exibility makes it possible for remote or mobile users such as sales people on the road or telecommuters to access their headquarters intranet where critical data and applications eXist The VPN server can also terminate VPN tunnels initiated from customer s VPN hardware client to enable customers with limited 
access to the company s corporate resource VPN Concentrator series is built specifically for creating a remoteaccess VPN with the most advanced encryption and authentication techniques available It authenticates individual remote users and terminates their VPN connections It includes components that enable users to easily increase capacity and throughput The concentrator series is offered in models suitable for everything from small businesses with up to 100 remote access users to large organizations with up to 10000 simultaneous remote users Cisco SitetoSite VPNs Cisco provides a suite of VPNoptimized routers and PIX Firewall 500 series to cover the entire spectrum of VPN sitetosite applications Cisco VPNoptimized routers from the 800 series to the 7200 series routers can be scaled to meet different VPN requirements and network sizes from smallof cehomeof ce access through centralsite VPN aggregation to largescale enterprise needs VPNoptimized routers provide VPN solutions for hybrid VPN environment where modularity port density and exibility are required for private WAN aggregation and other classic WAN applications As shown in gure 35 these routers run the range of VPN applications from small of ceshome of ces with the Cisco 800900 series to small branch of ce connectivity with Cisco 17002000 series to enterprise partner branch with Cisco 36003700 series and to enterprise headquarters highend VPN connectivity with Cisco 7100 7200 7400 series routers Remote Office 17002000 Series Corporate Office 710072007400 Series Parnter Office small office 36003700 I Series home office 800900 Series Exti anet Figure 35 SitetoSite VPNs 7 Cisco Routers Cisco secure PIX private Internet exchange rewall can be used in remote site It combines dynamic network address translation proxy server packet ltration rewalling and VPN capabilities in a single piece of hardware The primary role of the PIX rewall is security while the secondary role is terminating VPN traf c It has the ability 
to handle a variety of protocols for extreme robustness and performance The 500 series PIX rewall product is best positioned to satisfy the security requirements Lesson Wrap Up There is a growing demand for VPNs Cisco39s unique endtoend VPN products support both remoteaccess VPN and sitetosite VPN and allow customers to secure their network infrastructures without costly changes to every computer With VPN deployed in your network applications gain privacy integrity and authenticity controls without affecting individual users or applications Now that you have completed this lesson you should be able to 0 Discuss the basic components of a VPN 0 Describe how remoteaccess VPN and sitetosite VPN work 0 Introduce Cisco s VPN solutions Lesson 4 Fundamental IP security IPSec Lesson Objective The main concern of using any type of VPN is security while crossing the public Internet Most VPNs rely on the Internet Protocol Security IPSec to manage security issues such as loss of privacy identity spoofing and denialofservice The goal of IPSec is to address these threats in the network infrastructure itself without requiring expensive host and application modifications This lesson presents an overview of IPSec along with its four critical security services After reading this lesson you should be able to 0 Define IPSec and explain basic concepts of IPSec 0 Explain four critical IPSec security services What is IPSec Short for Internet Protocol Security IPSec is a framework of open standards to provide security for transmission of sensitive information over unprotected networks such as the Internet IPsec has been deployed widely to implement Virtual Private Networks VPNs The IPSec protocol typically works on the edges of a protected network domain It supports secure data exchange between a pair of participating IPSec devices peers such as PIX Firewalls Cisco routers Concentrators Cisco VPN Clients and other IPSec compliant products For example IPSec can encrypt data between a Cisco 
router to another Cisco router a firewall to a router a PC to a router or a PC to a VPN server eg Concentrator Basically IPSec provides security by building tunnels between two peers You de ne which packets are considered sensitive and should be sent through these secure tunnels When the IPSec peer sees such a sensitive packet it encapsulates a packet by wrapping another packet around it This wrapped traf c forms a secure tunnel through which the packet is sent to the remote peer across an otherwise unsecured network IPsec has two main framework protocols Authentication Header AH which essentially allows authentication of the sender of data and Encapsulating Security Payload ESP which supports both authentication of the sender and encryption of data ESP and AH can either be used together or I 39J r J39 on the IPSec is not bound to any speci c encryption or authentication algorithms keying technology or security algorithms It allows for newer and better algorithms to be implemented without patching the existing IPSec standards IPSec Security Services IPSec provides four critical security services Con dentialit enc tion 0 s EHCWPUO key Decryption key Alice Login alm102 Alice Login alm102 Password dbd3lop Password ddelop 2thMoN97IAB U45TPPotVBnO Figure 36 Con dentiality Encryption 2hDXMoN97IAB U45TPPotVBnO Con dentiality protects the privacy of information being exchanged between communicating peers Clear text data transported over the public Internet can be intercepted and read In order to keep the data private the sender can encrypt the packets before transmitting them across a network Encryption is a technique that scrambles information so that it is dif cult or impossible to read and unscrambles information so that it can be read again For encryption to work both the sender and receiver need to know the rules used to transform the original message into an unreadable ciphertext Rules are based on an encryption algorithm and a key An encryption algorithm is a 
repeatable technique for scrambling encrypting and unscrambling decrypting information that can be performed by people or computers A key is a secret code that is used by the encryption algorithm to create a unique version of the ciphertext There are two types of encryption keys symmetric and asymmetric With symmetric key encryption each peer uses the same key to encrypt and decrypt the data With asymmetric key encryption the local end uses one key to encrypt and the remote end uses another key to decrypt the traffic For example as shown in figure 36 a file containing login and password information for a user Alice needs to be sent across the Internet At the local end the document is encrypted by an encryption algorithm combined with a key The output is unreadable ciphertext The ciphertext is then sent through the Internet At the remote end the message is recombined with a key and sent back through the encryption algorithm The output is the original document in cleartext Data integrity Integrity ensures that the data is not changed or tampered in any way during transmission over the public Internet There are the following three technologies to guarantee integrity of the data One way hash functions 7 A hash function is a oneway algorithm that transforms an arbitrarily large message into a unique fixedlength number called hash or hash value Hashing is not an encryption and this process is irreversible meaning it is computationally impossible to derive the original message from the hash For example for a message 39LOGIN L 0 l 0 011 0 0 O 0 l 0 0 11 11 G 0 l 0 0 01 l l I 0 l 0 01 0 01 N 0 l 0 0 11 l 0 A hash value can be generated by XORing each byte of the message that is L XOR O XOR G XOR I XOR N With XOR operation 0XOR00 0XOR11 1XOR01 1XOR10 Therefore the hash is 01000011 You cannot derive the original message LOGIN from the hash 01000011 The method of oneway hash functions validates the integrity of the original message by attaching a hash to each message The hash 
is transmitted from the local end to the remote end with the original message At the remote end if the hash calculated from the received message using the same hash function matches the hash it receives the message has not been altered otherwise the message was altered Examples of hash algorithms are MDS SHAl and RIPEMD 160 Host B Bonus forAIice is 1000quot Hash algorithm quot Hashing 2hDXMoN97IAB Bonus for Alice is 1000quot 2hDXMoN97IAB Figure 37 Data integrity 7 Hash function El U45TPPotVBnO V Hash algorithm Hashing Match No Changes No match Alterations Example Let s look at an example in which the manager on host A sends a HR person on host B a message Bonus for Alice is 1000 as shown in figure 37 The manager does not care if the message would be seen by others but he wants to make sure that any changes to the message during transit will be signaled at the remote end In this example we don t need consider data con dentiality however we do need to consider data integrity which can be accomplished using the following steps 1 Host A generates a hash for the original cleartext message using a hash function 2 Host A sends both the cleartext message and the generated hash to Host B 3 Host B receives the message and the hash from host A 4 Host B generates a hash from the received message The newly generated hash U45TPPotVBnO does not match the received hash 2thMoN97lAB therefore the received message has been altered during transmission Note that the method used in this example is not very secure because the attacker may alter the original hash if he she knows the hash function used by the sender For example the attacker can change the message to Bonus for Alice is 2000 and then calculates a new hash based on the changed message using the same hash function used on host A Host B cannot tell if the message has been altered when receiving the forged message and hash A hash function combined with a key is more secure because the attacker has no knowledge about the key H 
ashed message authentication codes HMAC 7 HMAC adds a key to hash functions A sender would create a message and calculate a hash value by sending the message and a shared secret key through a hash algorithm The message and hash value are sent over the network When the recipient receives them it recalculates the hash value by sending the received message and shared secret key through the same hash algorithm If the original hash and recalculated hash match the integrity of the message is guaranteed If any part of the original message is changed during transit the hash values are different Digital signatures 7 Digital signature guarantees that the information received is authentic and has integrity that is to say the information is from the system which claims to have sent it and the information has not been altered in any way To guarantee the integrity of a message you create a digital signature for that message and include it with the message which is referred to as a signed message This will be discussed more in topic 6 Origin Authentication Origin authentication ensures the identity of the source of participating IPSec devices guaranteeing and certifying the source of the packets VPN typically uses one or more forms of authentication which are usually based on the following methods Password authentication shared secrets 7 is the most prevalent form of user authentication used in computer system today Strong password such as Onetime password OTP and encrypted password are recommended as a stronger form of authentication For example many VPNs support SecurID a token card that combines secret key encryption with a onetime password The password is automatically generated by encrypting a timestamp with the secret key This onetime password will be valid for a short interval usually 30 to 60 seconds Digital Certificate 7 is a technology to let people and systems authenticate or identify each other without using passwords Digital certi cate relies on digital signature 
A digital certificate is a special type of signed message that is tied to a sender. The sender digitally "signs" a document with their private encryption key, and the recipient can verify the signature via the sender's public key. If the signature is genuine, the sender is authenticated. It is used during the initial establishment of a VPN tunnel to authenticate both ends of the tunnel. There are two common digital signature algorithms: RSA and Directory System Agent (DSA).

In VPN networking, it is necessary to authenticate the device on the other end of the VPN tunnel before the communication path is considered secure. This is called peer authentication. There are three peer authentication methods:

- Pre-shared keys - Manually enter a secret key value into each peer to authenticate the peer.
- RSA signatures - Uses the exchange of digital certificates to authenticate the peers.
- RSA encrypted nonces - Uses the RSA encryption public-key cryptography standard. Each peer generates a random number (nonce) and encrypts it with the other party's RSA public key. The nonces are then exchanged between peers. The two nonces are used during the peer authentication process.

Anti-replay Protection

Anti-replay protection verifies that each packet is unique and not duplicated. IPSec packets are protected by comparing the sequence number of the received packets against a sliding window on the destination host. The sequence number indicates the number of packets sent over the security tunnel for the communication. The destination host checks the sequence number against the sliding window to verify whether a packet is considered late or duplicate. Late and duplicate packets are dropped.

Lesson Wrap-Up

IPSec provides numerous security features that enable encrypted communication between users and devices. It is ideally positioned to enforce corporate network security and can be implemented transparently and seamlessly into the network infrastructure. IPSec security headers are inserted between the standard IP header and the upper-layer data (e.g., a TCP packet), and therefore any network service or user application that uses IP (e.g., Telnet and FTP) can use IPSec without modification.
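The sliding-window check described under Anti-replay Protection, as an added example that is not from the notes: a receiver-side window tracked as a bitmap, fed a constructed arrival order that contains an out-of-order packet, a replayed packet and packets that arrive too late. The window size and the packet stream are illustrative choices, not values from the notes.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check as an IPSec receiver performs it.

    The receiver remembers the highest sequence number accepted so far and a
    bitmap of the last `window_size` sequence numbers; bit i set means the
    packet with sequence number (highest - i) was already accepted.
    Constructed example, not a real IPSec implementation.
    """

    def __init__(self, window_size: int = 64) -> None:
        self.window_size = window_size
        self.highest = 0   # nothing accepted yet; IPSec sequence numbers start at 1
        self.bitmap = 0

    def check(self, seq: int) -> str:
        """Return 'accept', 'late' or 'duplicate'; state is updated only on accept."""
        if seq <= 0:
            return "late"   # sequence number 0 is never valid on the wire
        if seq > self.highest:
            # New high-water mark: slide the window forward and record this packet.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.window_size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.window_size:
            return "late"        # older than the window covers: dropped
        if self.bitmap & (1 << offset):
            return "duplicate"   # already accepted once: a replay, dropped
        self.bitmap |= 1 << offset   # out of order but inside the window
        return "accept"

def replay_demo(window_size: int = 8) -> list:
    """Feed a constructed arrival order through the window and return the verdicts."""
    window = AntiReplayWindow(window_size)
    arrivals = [1, 2, 3, 5, 4, 3, 20, 13, 12, 5, 21]
    return [(seq, window.check(seq)) for seq in arrivals]

if __name__ == "__main__":
    for seq, verdict in replay_demo():
        print(f"seq {seq:>3}: {verdict}")
```

With a window of 8, packet 4 arriving after 5 is still accepted, the second copy of 3 is dropped as a duplicate, and once 20 has been seen the window covers 13..20, so 12 and 5 are dropped as late.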
Also, IPSec traffic can pass transparently through existing IP routers on the Internet.

Now that you have completed this lesson, you should be able to:
- Define IPSec and explain basic concepts of IPSec.
- Explain four critical IPSec security services.

Lesson 5 IPSec Security Protocols

Lesson Objective

