(1) What are the four main functions of IPSec, give examples of each?
Research the benefits & limitations of deploying a VPN?
Benefits
* Reduced equipment and leased line costs
* Unlimited geographic connectivity
* Increased flexibility and versatility of worker location
* Improved privacy and confidentiality due to strong encryption
* Verified transmission integrity
* Rapid deployment options
* Flexible integration with existing networks and technologies
* Reduced support burden on ISP
Limitations
* Does not ensure QoS: it is dependent on the stability, throughput and availability of the ISP connection.
* IPsec adds header overhead (ESP header and trailer, and a new outer IP header in tunnel mode), so packets that now exceed the path MTU are fragmented, which adds latency and, where fragments are filtered, causes packet loss.
* Vulnerability in endpoints: the tunnel protects data in transit only; a compromised host or gateway at either end sees the plaintext.
* We cannot compress encrypted traffic. Compression works by removing redundancies or repeated sections within the data set. Properly encrypted data produces ciphertext that does not contain redundancies or recognisable patterns; if ciphertext had these characteristics it would not be secure. Any compression must therefore be applied before encryption (for example IPComp, negotiated alongside IPsec), never after it.
What are the major differences between a site-to-site VPN and a remote-access VPN?
A site-to-site VPN is created when VPN terminating devices, also called VPN gateways, are preconfigured with information to establish a secure tunnel. VPN traffic is only encrypted between these devices. Internal hosts have no knowledge that a VPN is being used.
Remote-access VPNs are typically enabled dynamically by the user when required. Remote access VPNs can be created using either IPsec or SSL. A remote user must initiate a remote access VPN connection.
What are the two methods we can use to authenticate an IPsec peer? Explain how each is implemented.
Pre-Shared Keys
A pre-shared secret key (PSK) value is entered into each peer manually. The PSK is combined with other information to form the authentication key. PSKs are easy to configure manually, but do not scale well, because each IPsec peer must be configured with the PSK of every other peer with which it communicates. Because the PSK is the only secret protecting peer authentication, it should be long and randomly generated, and a separate key should be used for each peer pair so that one leaked key does not compromise every tunnel.
RSA Authentication
Rivest, Shamir, and Adleman (RSA) authentication uses digital certificates to authenticate the peers. The local device computes a hash over the exchange data and signs it with its private key (in textbook terms, encrypts the hash). The signature is attached to the message and forwarded to the remote end.
At the remote end, the signature is verified with the local end's public key, taken from its certificate. If the recovered hash matches the recomputed hash, the signature is genuine and the certificate (and therefore the identity it binds) belongs to the peer holding the private key. Each peer must authenticate its opposite peer before the tunnel is considered secure.
There are two ways to encapsulate a packet. One method is called authentication header (AH) and the other is encapsulating security payload (ESP). Briefly explain each of these and why one would be used over the other.
AH (IP protocol 51) provides data-origin authentication and data integrity for the whole IP packet, including the immutable fields of the IP header, but it cannot provide encryption. Because the source and destination addresses are covered by the integrity check, an AH packet fails verification after NAT; this, together with the lack of confidentiality, is why ESP is used in practice. The parameters below are negotiated by IKE for either protocol:
Integrity: MD5 or SHA (HMAC)
Peer authentication: PSK or RSA
DH group: DH1, DH2, DH5, DH14 ...
ESP (IP protocol 50) provides encryption, integrity and authentication. It provides confidentiality by encrypting the IP packet and provides authentication for the inner IP packet and ESP header. Authentication provides data origin and data integrity. ESP can also enforce anti-replay protection, which verifies that each packet is unique and not duplicated. It does this by checking that the sequence number of each packet has not already been seen and falls within the receiver's sliding anti-replay window; packets may arrive slightly out of order within the window, but a sequence number that has already been accepted or that is older than the window is rejected.
Encryption is performed first and then authentication. The receiver therefore verifies the integrity check value before attempting decryption, which facilitates the rapid detection and rejection of replayed or tampered packets without spending CPU time on decryption.
VPNs are implemented using the internet key exchange (IKE) standard. What do you think IKE does?
IKE is a key management protocol that negotiates IPSec security associations and enables IPSec secure communication. It implements key exchange protocols inside the Internet Security Association Key Management Protocol (ISAKMP) framework. ISAKMP (pronounced “Ice-a-camp”) defines the message format, the mechanics of a key exchange protocol, and the negotiation process to build a SA for IPsec.
IKE phase 1:
The purpose of Phase 1 is to negotiate the ISAKMP policy, authenticate the peers, and set up a secure tunnel between the peers. We can refer to this as the management phase.
This policy will then be used in Phase 2 to negotiate the IPsec policy, as shown in the figure.
Exchange One (IKEv1 main mode is three exchanges, six messages in total)
* Encryption algorithm (for example AES)
* Hashing algorithm (for example SHA-1)
* Authentication method (pre-shared keys or RSA signatures)
* DH group
* Lifetime
Exchange Two
* Diffie-Hellman key exchange, producing the shared secret from which the Phase 1 keys are derived
Exchange Three
* Verify peer identity using the negotiated authentication method (this exchange is already protected by the Phase 1 keys)
IKE phase 2:
Using the secure channel negotiated in Phase 1 (quick mode), the IPsec policy for the data traffic is negotiated, that is, the encryption and hashing algorithms used to send data through the IPsec tunnel. We configure a transform set for this phase. Phase 2 SAs are unidirectional, so a pair is created for each protected traffic flow.
Refer to the topology above. When should R1 establish a VPN tunnel with R3 and how is this achieved?
The tunnel should be implemented when traffic from the R1 LAN is going to the R3 LAN. The VPN should not be established if traffic is destined for any other destination. For example, the 192.168.2.0 LAN. We identify interesting traffic using an ACL.
Explain the difference between tunnel and transport mode giving an example of when you would use each of these?
Transport mode
* Provides security for the transport layer and above.
* The original IP header is kept and used to route the packet, and it is not encrypted.
* A tunnel would need to be established between every pair of devices individually, so it is used between hosts (end to end).
* ESP: IP protocol 50 (AH would be protocol 51)
* Authenticated: ESP header through ESP trailer (the ICV itself is excluded)
* Encrypted: TCP header, TCP data and ESP trailer
Tunnel mode
Provides security for the complete original IP packet.
The original IP packet is encrypted and encapsulated in a second IP packet. This is known as IP-in-IP encapsulation; the inner addresses stay private.
The IP addresses on the outer IP packet (the VPN gateways) are used to route the packet through the Internet.
The figure shows that ESP tunnel mode is used between a host and a security gateway, or between two security gateways.
* ESP: IP protocol 50
* New (outer) IP header
* Authenticated: ESP header through ESP trailer
* Encrypted: original IPv4 header, TCP header, TCP data and ESP trailer
What type of show commands do you think would be useful when it comes to VPNs?
show commands to verify IKE Phase 1, IKE Phase 2, whether the VPN is operational, and more.
show crypto isakmp policy (verifies the configured IKE policy)
show crypto ipsec transform-set (displays the IPsec policy)
show crypto map (shows the crypto maps applied to the router)
show crypto isakmp sa (shows the Phase 1 SA; state QM_IDLE means Phase 1 completed)
show crypto ipsec sa (shows the Phase 2 SAs with encrypt/decrypt packet counters, which confirm that interesting traffic is actually being protected)
When the CLI is used to configure an ISR for a site-to-site VPN connection, which two items must be specified to enable a crypto map policy?
Answer:
ACL
Peer
Five tasks must be completed to implement the site-to-site VPN on the ISR:
Step 1. Configure the ISAKMP policy for IKE Phase 1
Step 2. Configure the IPsec Policy for IKE Phase 2
Step 3. Configure an ACL to define interesting traffic
Step 4. Configure a crypto map for the IPsec policy
Step 5. Apply the crypto map to the outgoing interface
Assume you have configured the IKE Phase 1 parameters, the crypto ACL, and how to encapsulate the packet using a transform set. What do you think IPsec needs to do next?
We need to bind those elements together in a crypto map and apply this to an interface in the relevant direction.
Step 1. Bind the ACL and the transform set to the map.
Step 2. Specify the peer’s IP address.
Step 3. Configure the DH group.
Step 4. Configure the IPsec tunnel lifetime.
What is perfect forward secrecy in IKE phase 2?
PFS generates new key material for IPsec traffic encryption and authentication by performing a fresh Diffie-Hellman exchange in every Phase 2 negotiation, instead of deriving the IPsec keys from the Phase 1 keying material. Compromise of a Phase 1 key or of one IPsec key therefore does not expose the keys of earlier or later Phase 2 SAs. It improves the security of communication transmitted across the Internet using public key cryptography, at the cost of an extra DH computation on each rekey. On IOS it is enabled per crypto map entry with set pfs.
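The five configuration tasks, the crypto map steps, the interesting-traffic ACL for R1-to-R3 traffic, the Phase 1 and Phase 2 parameters and the PFS setting from the questions above, brought together as an added example for router R1. This is example configuration written for these notes, not configuration taken from the course or the original topology. Assumptions: IOS 15.x ISR syntax, R1 LAN 192.168.1.0/24, R3 LAN 192.168.3.0/24, R3 public address 209.165.200.3, R1 outside interface Serial0/0/0, and the key cisco123, which is a placeholder only.

```text
! --- IKE Phase 1: ISAKMP policy (assumed values, IOS 15.x syntax)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
! PSK for peer R3 (assumed address; use a long random key, one per peer pair)
crypto isakmp key cisco123 address 209.165.200.3
!
! --- IKE Phase 2: IPsec policy as a transform set (tunnel mode is the default)
crypto ipsec transform-set R1-R3-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Interesting traffic: only R1 LAN -> R3 LAN; 192.168.2.0 is not matched
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! --- Crypto map: bind ACL and transform set, set peer, PFS group, SA lifetime
crypto map R1-R3-MAP 10 ipsec-isakmp
 match address 110
 set peer 209.165.200.3
 set transform-set R1-R3-TS
 set pfs group14
 set security-association lifetime seconds 1800
!
! --- Apply the crypto map to the outgoing interface (assumed interface name)
interface Serial0/0/0
 crypto map R1-R3-MAP
```

R3 needs the mirror image: the same ISAKMP policy and transform set, the PSK bound to R1's public address, a crypto ACL with source and destination swapped, and set peer pointing at R1. The tunnel is not built until interesting traffic appears, so test with an extended ping sourced from R1's LAN interface to a host on the R3 LAN, then confirm with show crypto isakmp sa (QM_IDLE) and show crypto ipsec sa (non-zero encrypt/decrypt counters); a ping sourced from the WAN address will not match the ACL and will not bring the tunnel up.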