
VPN Types and Ipsec VPN Features

DESCRIPTION

Read about all the types of VPN and the IPSec core features and terms. Like our Facebook page or join our study group for more.


  • This Document is The property of INECERT.com and issued just for Knowledge no Selling of this document. INECERT will not be responsible for Any illegal use of this document

    VPN TYPES and IPSEC Basic Protocols and Features

    What you can learn from this document:

    1) Types of VPN

    2) What is IPSEC?

    a. Core Concept of IPSEC

    b. Features of IPSEC.

    c. ESP and AH Protocol Features and Working

    VPN (virtual private network):

    There are three types of VPN topologies

    1. INTERNET VPN:

    A private communication channel over the internet using public IPs. This type of VPN has the following two sub-categories:

    Connecting remote offices across the internet

    Connecting remote dial-up users to their home gateway via an ISP

    2. INTRANET VPN:

    A private communication channel within a private network; it may or may not use a WAN connection for communication.

    3. EXTRANET VPN:

    A private communication channel between two separate entities; it may use the internet or some other WAN media.

    VPN types:

    1. IPSEC VPN:

    2. Remote Access VPN

    3. Site to site VPN

    4. SSL VPN (web VPN)

    5. AnyConnect VPN:

    Cisco's tunnel-based client solution is called AnyConnect VPN.

    IPSEC VPN:

    IPSec was defined in RFC 2401


    IPSec is not a single protocol; it is an architecture made up of several protocols. IPSec is used to negotiate, establish, authenticate, manage keys, encrypt/decrypt and control data. Two of the VPN types above are called IPSec VPNs (remote access and site-to-site VPN). IPSec enables the following security appliance VPN features:

    1. Data confidentiality:

    The IPSec sender can encrypt packets before transmitting them across a network.

    2. Data integrity:

    The IPSec receiver can authenticate IPSec peers and packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

    3. Data origin authentication:

    The IPSec receiver can authenticate the source of the IPSec packets that are sent. This service is dependent upon the data integrity service.

    4. Anti-replay:

    The IPSec receiver can detect and reject replayed packets, helping to prevent spoofing and man-in-the-middle attacks.

    IPSEC FEATURES:

    Transport mode: protects the payload of the original IP datagram; typically used for end-to-end sessions.

    Tunnel mode: protects the entire IP datagram by encapsulating it in a new IP datagram.

    Consists of open standards for securing private communications.

    Has network layer encryption that ensures data confidentiality, integrity, and authentication.

    Scales from small to very large networks.

    IPSec acts at the network layer, protecting and authenticating IP packets between a security appliance and other participating IPSec devices.

    Cisco security appliances support the following IPSec and related standards:

    IPSec

    Internet Key Exchange (IKE)

    Data Encryption Standard (DES)

    Triple Data Encryption Standard (3DES)

    Advanced Encryption Standard (AES)

    Diffie-Hellman (DH)

    Message Digest 5 (MD5)

    Secure Hash Algorithm-1 (SHA-1)

    Rivest, Shamir, and Adleman (RSA) Signature

    Certificate Authority (CA)

    IPSec consists of the following two main protocols:

    1) Authentication Header (AH):

    A security protocol that provides authentication and optional replay-detection services. AH acts as a digital signature to ensure that tampering has not occurred with the data in the IP packet. AH does not provide data encryption and decryption services. AH is not supported on your security appliance.

    2) Encapsulating Security Payload (ESP):

    A security protocol that provides data confidentiality and protection with optional authentication and replay-detection services. The security appliance uses ESP to encrypt the data payload of IP packets. Below are the core concepts and features of ESP; I will describe more in my tutorial for IPSEC.

    I. Internet Key Exchange:

    IKE is a hybrid protocol that provides utility services for IPSec: authentication of the IPSec peers, negotiation of IKE and IPSec security associations (SAs), and establishment of keys for encryption algorithms used by IPSec. IKE is synonymous with Internet Security Association and Key Management Protocol (ISAKMP) in security appliance configuration.

    II. Data Encryption Standard:

    DES is used to encrypt and decrypt packet data. DES is used by both IPSec and IKE. DES uses a 56-bit key, ensuring high-performance encryption.

    III. Triple Data Encryption Standard:

    3DES is a variant of DES that iterates three times with three separate keys, effectively doubling the strength of DES. 3DES is used by IPSec to encrypt and decrypt data traffic. 3DES uses a 168-bit key, ensuring strong encryption.

    IV. Advanced Encryption Standard:

    The National Institute of Standards and Technology (NIST) recently adopted the new AES to replace DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key strengths: 128-, 192-, and 256-bit keys.

    V. Diffie-Hellman:

    DH is a public-key cryptography protocol. It enables two parties to establish a shared secret key over an insecure communications channel. DH is used within IKE to establish session keys.


    VI. Message Digest 5:

    MD5 is a hash algorithm used to authenticate packet data. The security appliance uses the MD5 Hash-based Message Authentication Code (HMAC) variant, which provides an additional level of hashing. A hash is a one-way encryption algorithm that takes an input message of arbitrary length and produces a fixed-length output message. IKE and ESP use MD5 for authentication.

    VII. Secure Hash Algorithm-1:

    SHA is a hash algorithm used to authenticate packet data. The security appliance uses the SHA-1 HMAC variant, which provides an additional level of hashing. IKE and ESP use SHA-1 for authentication.

    VIII. RSA Signature

    RSA is a public-key cryptographic system used for authentication. IKE on the security appliance uses a DH exchange to determine the secret keys on each IPSec peer that are used by the encryption algorithms. The DH exchange can be authenticated with RSA (or pre-shared keys).

    IX. Certificate Authority

    The CA support of the security appliance enables the IPSec-protected network to scale by providing the equivalent of a digital identification card to each device. When two IPSec peers wish to communicate, they exchange digital certificates to prove their identities (thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer). The digital certificates are obtained from a CA. CA support on the security appliance uses Directory System Agent (DSA) Signature and RSA Signature to authenticate the CA exchange.

    X. Security Association

    The concept of an SA is fundamental to IPSec. An SA is a connection between IPSec peers that determines the IPSec services available between the peers, similar to a TCP or UDP port. Each IPSec peer maintains an SA database in memory containing SA parameters. SAs are uniquely identified by the IPSec peer address, security protocol, and security parameter index (SPI). You will need to configure SA parameters and monitor SAs on the security appliance.
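    The SA lookup just described and the anti-replay service from the feature list above, as an added illustration that is not part of the original document: a receiver keeps per-SA replay state, finds the inbound SA by (peer address, protocol, SPI), reads the SPI and sequence number from the ESP header and applies the RFC 4303 sliding-window check. The peer addresses, SPI values and packet contents are constructed sample data; encryption and integrity checking are left out so only the SA/replay logic is shown.

```python
import struct
from dataclasses import dataclass

# ESP header as carried on the wire: 32-bit SPI followed by a 32-bit sequence number.
ESP_HDR = struct.Struct("!II")

@dataclass
class InboundSA:
    window_size: int = 64    # RFC 4303 minimum window is 32; 64 is a common default
    highest_seq: int = 0     # highest sequence number accepted so far
    bitmap: int = 0          # bit k set => packet highest_seq - k has been received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.highest_seq:         # right of the window: slide it forward
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:       # left of the window: too old, drop
            return False
        if self.bitmap & (1 << diff):      # already seen inside the window: replay
            return False
        self.bitmap |= 1 << diff
        return True

# SA database keyed by (peer address, security protocol, SPI), as the text describes.
SAD: dict = {}

def install_sa(peer: str, spi: int, window_size: int = 64) -> None:
    SAD[(peer, "esp", spi)] = InboundSA(window_size=window_size)

def build_esp(spi: int, seq: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed sample packet: ESP header plus an opaque (here unencrypted) payload."""
    return ESP_HDR.pack(spi, seq) + payload

def inbound_esp(peer: str, pkt: bytes) -> str:
    """Decide what the receiver does with an ESP packet arriving from peer."""
    spi, seq = ESP_HDR.unpack_from(pkt)
    sa = SAD.get((peer, "esp", spi))
    if sa is None:
        return "drop: no matching SA"
    if not sa.check_and_update(seq):
        return "drop: replayed or outside window"
    return "accept"
```

    A packet that arrives for an SPI the receiver never negotiated is dropped before any replay check, and a sequence number more than one window behind the highest accepted one is dropped even if it was never seen.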

    Steps to implement an IPSec VPN:

    The goal of IPSec is to protect the desired data with the needed security services. IPSec operation can be broken down into five primary steps:

    Interesting traffic:

    Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.

    IKE Phase 1:

    A basic set of security services is negotiated and agreed upon between peers. These security services protect all subsequent communications between the peers. IKE Phase 1 sets up a secure communication channel between peers.


    IKE Phase 2:

    IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages that are exchanged between endpoints.

    Data transfer:

    Data is transferred between IPSec peers based on the IPSec parameters and keys that are stored in the SA database.

    IPSec tunnel termination:

    IPSec SAs terminate through deletion or by timing out.

    The security appliance supports the following data origin authentication methods:

    Pre-shared keys: A secret key value entered for each peer is used manually to authenticate the peer.

    RSA Signature: Specifies RSA Signature as the authentication method.

    DSA Signature: Specifies DSA Signature as the authentication method.

    There are two phases of IKE.

    IKE Phase 1: Two ISAKMP peers establish a secure, authenticated channel. This channel is known as the ISAKMP SA. There are two modes defined by ISAKMP: Main Mode and Aggressive Mode.

    In routers, main mode is used by default.
