due 3/27/13

csec640_08.pdf

Home >Computer Science homework help >due 3/27/13

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Contents Topic 1: Analogy .............................................................................................................................. 2

A Different Way to Connect ......................................................................................................... 2 Topic 2: Module Introduction ........................................................................................................... 4 Topic 3: Basics of Virtual Private Networks ..................................................................................... 5

Introduction .................................................................................................................................. 5 Tunneling ..................................................................................................................................... 7

Topic 4: IPsec Virtual Private Networks .......................................................................................... 9 Introduction to IPsec .................................................................................................................... 9 IPsec Mode ................................................................................................................................ 10 IPsec Security Association ......................................................................................................... 14

Topic 5: IPsec Components .......................................................................................................... 15 Introduction to IPsec Components ............................................................................................. 15 Authentication Header ............................................................................................................... 16 Activity: Identifying Mutable Fields ............................................................................................. 17 Authentication Header (AH) Modes ........................................................................................... 18 IPsec Encapsulating Security Payload (ESP) ............................................................................ 19 Encapsulating Security Payload (ESP) Modes .......................................................................... 21 Cryptographic Key Management Procedures and Protocols ..................................................... 22 Activity: Making a Secure VPN Connection ............................................................................... 24

Topic 6: Summary.......................................................................................................................... 30 Glossary ......................................................................................................................................... 31

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 1: Analogy

A Different Way to Connect

IPsec VPN CSEC 640 – Module 8

A Different Way to Connect A virtual private network (VPN) uses the Internet to establish connections between members spread over wide geographic areas as if they were on a local private network. To better understand how a VPN works, compare the remote sites and users of a private network to a group of islands. The inhabitants of the Faraway Islands use a series of connections to travel between the islands. The analogy explains how these connections are similar to a VPN. Analogy Step 1 The individual islands comprising the Faraway Islands are connected by waterways. Similarly, the members of a network are connected to each other through the Internet. Step 2 The residents of the Faraway Islands usually travel from one island to another by using a public transport system such as a ferry. However, they have no control over the route or schedule. In addition, although the public ferry is cheap, it does not offer the islanders any privacy. Fellow travelers can easily guess where people are headed and see what cargo is being carried. Similarly, companies with remote offices and remote workers usually use Web servers to connect with each other. Internet users have no control over the wires and routers of public servers. Also, even though using the Internet is cheap, it offers little privacy. Other users can often see which users are connected and what data is being transmitted between them. Step 3 To overcome the disadvantages of using a public ferry, the residents can build a bridge connecting the islands. However, building a bridge is practical only if the distance between the islands is short, the traffic is frequent, and the cost is not too high. Similarly, although networks can be connected using wide area networks (WANs) and leased lines, the cost of connections is determined by the distance between a network’s members.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Sometimes, the cost of connecting to a small, far-flung remote site could be many times that of connecting to a larger site nearby. Step 4 The islanders also have the option of buying their own boats. With a private ferry, travelers can plan their routes as well as their schedules at their convenience. Also, even if other travelers see the private boat in the ocean, they have no inkling about its source, its destination, or what is being carried in the boat. Similarly, the installation of a VPN offers a different and private way to connect over the public Internet. A VPN allows its users to schedule and route their data in a secure way. Step 5 Private ownership of boats necessitates building marinas on the islands to enable connections. Boat owners are free to choose from several marinas. In turn, marina owners can support many types of boats. Similarly, companies opting for a VPN need VPN components such as VPN gateways and VPN client software to establish connections. Step 6 Boat owners can keep adding to the existing number of private boats and routes. Similarly, a VPN can be scaled to accommodate more users and locations without replacing the existing infrastructure.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 2: Module Introduction Today, most businesses are Internet-driven. The ever-evolving Internet helps companies extend business networks to tap a world of opportunities. The use of the Internet started with companies setting up intranets to offer their employees a secure means to communicate with each other. Now the Internet helps companies create their own VPNs to accommodate their growing telecommuting requirements through a secure and scalable private network. This module examines the basics of a VPN. It discusses different VPN architectures, the basis of VPN technology, and modes of data transmission. The module explores Internet Protocol Security (IPsec) and its components. It also covers the phases involved in setting up secure IPsec tunnels between endpoints.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 3: Basics of Virtual Private Networks

Introduction

VPNs are based on the concept of creating a private “tunnel” to route data over an insecure public infrastructure such as the Internet. With VPN technology, Host A in the private local area network (LAN) A can securely communicate with Host B in another network as if Host B were located in the private LAN A. A typical VPN might consist of a main LAN at the headquarters of a company, other LANs at the branch offices, and remote users that connect from the field. VPN Types VPNs use two types of VPN architecture to transport data: remote access VPN, or host- to-gateway architecture, and site-to-site intranet VPN, or gateway-to-gateway architecture. 1. Remote Access VPN Architecture

A remote access VPN is a user-to-LAN connection enabled by deploying a VPN router or gateway on the network. A remote access VPN allows people in remote geographic locations to establish secure connections with their company’s network and work as if they were plugged in directly.

Consider the case of Cohere Auto Spares Manufacturer (CASM), an organization with corporate headquarters in Baltimore, Maryland, and 12 branch offices across North America, Europe, and Asia. In addition, the company has a sizeable number of salespeople in the field and an equal number of employees working from their homes.

CASM uses leased lines and maintains a WAN to connect its workforce across the globe. However, maintaining the WAN using leased lines is expensive because of the increase in the number of connections to the CASM network. In addition, the cost of maintaining the connections increases with the distance between the offices and the length of time that the employees stay connected.

Companies such as CASM can deploy a VPN router or gateway onto their network to enjoy the benefits of remote access VPN architecture, of which some are listed below.

Reduction in Networking Costs Remote users usually use dial-up access to connect from their homes or other remote locations to their company’s network. A dial-up connection is comparable to a long-distance carrier that requires payments to be made to the intermediaries who have facilitated the connection. However, remote access VPN users do not have to pay any intermediaries since they can use the Internet and therefore achieve significant reduction in costs.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Security Regardless of an employee’s location, a VPN allows remote users to share sensitive resources without the fear of interception or loss of security.

2. Site-to-Site Intranet VPN In a site-to-site intranet VPN, a secure connection can be established between different physical locations such as the headquarters, remote offices, and branch offices of an organization. Gateways exist at various physical locations within the same business, and tunnels are created using IPsec.

For companies like CASM, which need to link remote users from homes and sales fields as well as hundreds of employees across CASM’s branch offices, a site-to-site intranet VPN is an apt choice. VPN gateways at the CASM office sites ensure the establishment of secure communication channels. Therefore, an employee on a computer in the Baltimore office can communicate with another employee in the Fairfax, Virginia, office through this secure VPN channel without being aware of the channel in between.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 3: Basics of Virtual Private Networks

Tunneling

The key concept of VPNs is tunneling. Tunneling is the technique of moving data through a public network such that the routing nodes in the public network do not recognize that the data transmission is part of a private network. Tunneling allows users to establish private network connections to send data over public networks. That is why this technology is called a virtual private network. Types of Tunneling Using tunneling protocols provides a standardized way of encapsulating data packets. Several tunneling protocols have been developed for securing VPN connections, and they can be broadly classified into Layer 2 and Layer 3 tunneling protocols. Tunneling Protocols

Layer 2 Tunneling Protocols

Layer 3 Tunneling Protocols

Correspond to the data-link layer. Correspond to the network layer.

Use frames as the unit of data exchange.

Use packets as the unit of data exchange.

Encapsulate data in a Point-to-Point Protocol (PPP) frame before sending it across a network.

Encapsulate data in the Authentication Header (AH) and/or Encapsulating Security Payload (ESP) before sending it across a network.

Examples: Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Layer 2 Forwarding (L2F)

Example: IPsec

Advantages of Tunneling Tunneling offers the following advantages.  It allows the transport of many different protocols over an IP infrastructure since one

protocol is encapsulated within another. In other words, it is more efficient to transport many different protocols, such as Hypertext Transfer Protocol (HTTP) and Telnet, over a single VPN tunnel.

 It allows public networks to carry data on behalf of users as though the users had access to their own private network by routing privately addressed packets through a public infrastructure.

 It assures the integrity, security, reliability, and confidentiality of routed data.  It is easy to implement as it requires no major changes to the existing infrastructure.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Try This! Choose the correct answer. Question: Which tunneling protocol uses packets as its unit of data exchange? a. PPTP b. L2F c. IPsec d. L2TP Correct answer: Option c Feedback for correct answer: That’s correct. IPsec is a layer 3 tunneling protocol, and it uses packets as its unit of data exchange. Feedback for incorrect answer: Not quite. This is a layer 2 tunneling protocol, and it uses frames as its unit of data exchange.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 4: IPsec Virtual Private Networks

Introduction to IPsec

Of all the tunneling protocols researched and developed for establishing a secure VPN connection, the most significant protocol is IPsec. However, IPsec is not a single protocol but a framework that includes related open standards developed by the Internet Engineering Task Force. In Which Situations Can IPsec Be Used? IPsec provides security in the following situations: host-to-site or gateway architecture and gateway-to-gateway or site-to-site architecture. IPsec is most commonly used for the gateway-to-gateway architecture.

How Does IPsec Provide Security? IPsec ensures private and secure communication over Internet Protocol (IP) networks by securing all IP traffic at the network layer. IPsec framework also secures all network applications and communications that use the IP network. IPsec combines cryptographic algorithms such as hashing, symmetric key, and asymmetric key. This IPsec ability helps to enhance data security by offering enhanced confidentially, integrity, authentication, replay detection, and nonrepudiation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 4: IPsec Virtual Private Networks

IPsec Mode

There are two methods by which an IPsec protocol can be applied to an IP packet when data is to be encapsulated before being transmitted between two users or IPsec peers over a public network. One is the transport mode and the other is the tunnel mode. Transport Mode Transport mode protects the higher-layer protocols such as TCP, UDP, and application layers, and is generally used in host-to-host architecture. In transport mode, the IPsec header is inserted between the original IP header and the payload. However, transport mode is available only when the source and destination of the original IP datagram are IPsec endpoints. Step 1: This step shows the data to be transmitted from Host A to Host B.

Step 2: The image shows the data packet with the original IP header and the data portion.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Step 3: An IPsec header is inserted between the original IP header and the data portion.

Step 4: The new data packet is transmitted in IPsec transport mode.

Tunnel Mode Tunnel mode is generally deployed in a site-to-site VPN architecture. In the tunnel mode, IPsec encapsulates the full IP header as well as the payload. Therefore, an original IP packet becomes the payload of another, new IP packet. The IP address in the new IP header is used to route the packet through the Internet. Once the packet arrives at a destination network, the IP address in the original IP header is used to route the packet within the destination network. The tunnel mode is selected if IP addresses of hosts in each site are not known or revealed. Step 1: The animation shows the data to be transmitted from IPsec Peer Site 1 to IPsec Peer Site 2.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Step 2: The image shows the data packet with the original IP header and the data portion.

Step 3: An IPsec header is inserted between the new IP header and data portion.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Step 4: The new data packet is transmitted in IPsec tunnel mode.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 4: IPsec Virtual Private Networks

IPsec Security Association

Certain security measures require that they be applied to an IP packet when it is being transmitted over an IPsec tunnel. The IPsec security association (IPsec SA) defines these security measures. SAs can be negotiated dynamically between two communication peers when they want to use security services provided by IPsec. An IPsec SA can be identified by three parameters.  Destination IP Address

The Destination IP Address parameter contains the destination IP address of the endpoint of the SA.

 Security Protocol Identifier

The Security Protocol Identifier specifies a protocol number. For example, the AH protocol number is 51 and ESP protocol number is 50. Note that this protocol number is specified in the IP header.

 Security Parameter Index

The Security Parameter Index (SPI) is a 32-bit number chosen by the destination endpoint of the SA.

Note that the source IP address is not used to define an SA, which means that an SA is a unidirectional connection established between IPsec peers. Therefore, if two peers need to exchange information in both directions, two SAs are required.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 5: IPsec Components

Introduction to IPsec Components

IPsec employs three components to ensure that data is protected when transported over IP networks. The components include:  The AH protocol, which provides only authentication  The ESP protocol, which offers data confidentiality but can also provide

authentication  Cryptographic key management procedures and protocols, such as the Internet

Security Association and Key Management Protocol (ISAKMP) or the Internet Key Exchange (IKE), which provide mechanisms for session key creation, its exchange, and/or secure data exchange

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 5: IPsec Components

Authentication Header

When confidentiality is not required, an administrator can deploy an IPsec with the AH protocol instead of the ESP protocol. The AH protocol offers data integrity and authentication using Hash-Based Message Authentication Code (HMAC). A hash is created on both an IP packet and a secret key that is shared by the two communication endpoints. This hash is then added to the AH. Authentication cannot be provided over the whole IP header because some fields in the IP header may change during transit. The most important AH fields are the SPI and Sequence Number fields.  Security Parameter Index

The 32-bit long SPI value is used together with the destination IP address and IPsec security protocol number to uniquely identify the Ipsec SA for an IP packet. The Ipsec SA is typically chosen by the destination system when the Ipsec SA is established.

 Sequence Number

The sequence number is a sequential number assigned to each packet. Only packets within a sliding window of sequence numbers are accepted. Any packet with an invalid or out-of-range sequence number is rejected. This enables AH to offer anti-replay protection.

 Authentication Data

This field contains a hash value created by a keyed hash algorithm, also known as a Message Authentication Code (MAC) algorithm.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 5: IPsec Components

Activity: Identifying Mutable Fields

Now that you have learned about the IPsec AH header, answer the following question. Question: Which field of an IP header can be authenticated by IPsec AH? a. Time to Live (TTL) b. Fragment Offset c. Fragmentation Flag d. Header Checksum e. Type of Service (TOS) f. Source IP Address Correct answer: Option F Feedback: TTL, fragment offset, fragmentation flag, header checksum, and TOS are all mutable fields in the IP header. No mutable IP field can be used as an input to a hash function. Therefore, only the source IP address field can be authenticated by IPsec AH. The TTL value of an IP header decreases by one every time the IP packet passes a routing device. Also, whenever an IP packet takes a path having different maximum transmission unit (MTU) links, it gets fragmented into pieces, and both the fragment offset and the fragmentation flag fields change. In addition, with changes in an IP packet, the header checksum value changes. Moreover, a router can change TOS value during transit. Only the source IP address does not change.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 5: IPsec Components

Authentication Header (AH) Modes

AH can be deployed in transport as well as in tunnel mode. In both modes, the entire IP packet is authenticated.  AH in Transport Mode

In transport mode, the original IP header is retained, and the AH is inserted between the IP header and the TCP header.

 AH in Tunnel Mode

In tunnel mode, a new IP header is created for the new IP packet. The AH is inserted between the new IP header and the original header. The original IP packet is encapsulated in the new IP header. The new IP header contains the source and destination IP addresses of the IPsec gateways between which the new packet will travel.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 5: IPsec Components

IPsec Encapsulating Security Payload (ESP)

The IPsec ESP protocol operates by adding a header and a trailer around each packet’s payload. Unlike AH, ESP fields are spread throughout an IP packet. When an IP packet is fragmented, the ESP process is applied to the whole IP packet. The entire IP packet is then reassembled by security devices, such as VPN gateways or VPN enabled firewalls, before it is processed further. The ESP header consists of two fields: SPI and Sequence Number.

Security Parameter Index (SPI) 32-bit Each endpoint of each IPsec connection contains a randomly chosen SPI value. This SPI value acts as a unique identifier for the connection. Just like the AH header, the receiver uses the SPI value, along with the destination IP address and the IPsec protocol type, to determine which SA is being used. Sequence Number 32-bit As with AH, in ESP the sequence number is a sequential number assigned to each packet. Only packets within a sliding window of sequence numbers are accepted. Any packet with an invalid or out-of-range sequence number is rejected. This enables AH to offer anti-replay protection. ESP Functions ESP provides confidentiality, integrity, and authentication of data. Data Confidentiality ESP offers encryption services to translate a readable message into an unreadable format in order to hide the contents of the message or make the message confidential. The receiver decrypts the message to read the data. The ESP protocol encrypts the payload using symmetric key ciphers, such as:  Data Encryption Standard (DES), which uses a 56-bit key  Triple Data Encryption Standard (3DES), which uses a 128-bit key  Advanced Encryption Standard (AES), which uses a 257-bit key

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Data Integrity and Authentication Like AH, ESP also uses keyed HMAC algorithms to provide data integrity and authentication services. Two typical HMAC algorithms used in VPN are Secure Hash Algorithm-1 (SHA-1) HMAC and Message Digest 5 (MD5) HMAC. When security needs are higher, SHA-1 HMAC is used instead of MD5 HMAC since SHA-1 HMAC is cryptographically stronger.

Source: Frankel, S., Kent, K., Lewkowski, R., Ritchey, R., & Sharma, S. (2005). Guide to IPsec VPNs. (NIST Special Publication 800-77). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 5: IPsec Components

Encapsulating Security Payload (ESP) Modes

The ESP protocol can be deployed in transport or tunnel mode. ESP can be used alone or with AH. ESP alone can provide authentication services in addition to encryption, so it is often used without AH. If the authentication is not applied, the ESP authentication segment is not appended. When ESP encryption is applied, all the fields between the ESP header and the ESP trailer are encrypted. ESP Transport Mode ESP transport mode encrypts the TCP header field, data field, and ESP trailer field while leaving the original IP header in open clear text. In addition, in the ESP transport mode, all the fields except the IP header are authenticated as shown in the diagram.

Note that the ESP header is inserted between the original IP header and TCP header. ESP Tunnel Mode ESP tunnel mode encrypts the entire packet except the new IP header field. In addition, in the ESP tunnel mode, all the fields except the new IP header are authenticated as shown in the diagram.

Note that the ESP header is inserted between the new IP header and original IP header fields.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 5: IPsec Components

Cryptographic Key Management Procedures and Protocols

Introduction IPsec uses two protocols for secure key determination and key distribution mechanisms: Internet Key Exchange (IKE) and Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP describes the set of procedures that two VPN gateways go through to set up VPN connections. ISAKMP also specifies the procedure and packet formats necessary to establish, negotiate, modify, and remove SAs at the two IPsec endpoints. In addition, ISAKMP defines the framework for key management between the two VPN endpoints. In the absence of a proper key-management setup, IPsec cannot exist. However, ISAKMP does not offer any actual mechanism to exchange keys. The IKE protocol establishes a secure channel over which to exchange security parameters. IKE defines a proper key-exchange mechanism for creating and exchanging cryptographic keys when two VPN endpoints communicate. Through IKE, the two endpoints derive authenticated keying material and negotiate SAs that are used for ESP and AH protocols. IKE Phases ISAKMP defines two phases in the procedures that two VPN endpoints go through when trying to make a secure VPN connection: IKE Phase 1 and IKE Phase 2. The main goal of the IKE protocol is to create and negotiate security associations (SAs). Note that SA is a term used to refer to a set of values that define IPsec features and protection mechanisms applied to an IPsec VPN connection. IKE Phase 1 The main purpose of IKE Phase 1 is for two IPsec endpoints to successfully negotiate an IKE SA. The negotiation of the IKE SAs during IKE Phase 1 includes:  Encryption algorithms: select DES, 3DES, or AES.  Integrity protection algorithms: select either SHA-1 or MD5 HMAC algorithm.  Authentication method: select preshared Keys (PSKs), Rivest, Shamir, and Adleman

(RSA) signature, or RSA encryption nonces for authentication.  Specify the Diffie-Hellman (DH) key group by making a choice between DH1, DH2,

DH5, or DH7. Note that higher group numbers are more secure, but require more computation power to compute the key.

The goal of the IKE SA is to provide bidirectional encryption and authentication for the IKE Phase 2. During IKE Phase 2, another SA, known as IPsec SA, is negotiated. Step 1: Negotiate Policy In this step, two VPN entities negotiate and agree upon the encryption and authentication algorithms, mode, protocols, HMAC, lifetime, IPsec value, and DH key that will be used in subsequent IKE communication.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Step 2: DH Key Exchange Based on the parameters negotiated, a shared secret master key is generated by the DH public key algorithm. This symmetric encryption key is then used to generate all other encryption and authentication keys. Step 3: Authenticate Peers Next, the two parties authenticate each other using a predetermined mechanism. Typically, VPN entities use authentication protocols such as PSKs, RSA encrypted nonces, or RSA signatures that are X.509-certified and require X.509 CA. IKE Phase 2 The goal of IKE Phase 2 is to establish another SA, known as IPsec SA, for the actual IPsec connection. IPsec SA is unidirectional. This means that two SAs are required for bidirectional data flow between two VPN endpoints, as shown in the diagram. Since there are two network flows from Router A to Router B and Router B to Router A, two different SPI values exist. The communications occurring during IKE Phase 2 are protected by the methods specified in IKE Phase 1. After the IPsec SAs are established during IKE Phase 2, all active SAs are stored in a security association database. The following information is included in the security association database for each VPN connection.  Source/destination IP addresses  SPI  IPsec security protocol (AH or ESP)  IPsec mode (transport or tunnel mode)  Integrity protection algorithm (MD5 or SHA HMAC).  SA lifetime

An IPsec SA is uniquely defined by three important parameters: the destination IP address, the SPI, and the IPsec security protocol.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 5: IPsec Components

Activity: Making a Secure VPN Connection

Introduction An Enhanced Interior Gateway Routing Protocol (EIGRP) is running on CASM’s three routers, R1, R2, and R3. R2 connects R1 and R3. An IPsec VPN tunnel has been established between R1 and R3. The goal of this IPsec tunnel is to achieve authentication. R1 authenticates the traffic originating from R3 at the Fairfax, Virginia, office. The R3 gateway router authenticates the network traffic originating from CASM’s Baltimore, Maryland, office.

The applications running at both sites cannot tolerate any significant delay, and confidentiality is not required. Therefore, the gateway routers do not encrypt or decrypt IP packets and quickly process the IP packets. In the following activity, you will analyze the IP packets captured during data transmission between R1 and R3. Workspace Analyze the following screenshots and choose the correct option. Question 1: Which of the following screenshots shows an IP packet traveling through the IPsec tunnel between the Baltimore and Fairfax gateway routers?

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

a. Option 1

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

b. Option 2

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Correct answer: Option a Feedback: Since the goal of the IPsec tunnel is to achieve authentication, not confidentiality, only AH is used. The correct IP packet has only an AH header. The first packet has an AH header inside the packet. Question 2: In the screenshot below, identify the SPI used in AH.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation. Options: a. Next Header: IPIP (0x04) b. Length: 24 c. AH SPI: 0x5a84fcd1 d. AH Sequence: 8 e. AH ICV: 26fe6bb17f689ab324998216 Correct answer: Option c Feedback: The bottom window shows the detail of packet 8. In the AH in the bottom window, one of the fields says “AH SPI: 0X5a84fcd1”; it tells you the value of SPI. Question 3: The screenshot indicates that a ping packet has been sent from the Baltimore LAN (172.16.1.0/24) to the Fairfax LAN (172.16.3.0/24) using the IPsec tunnel. Analyze these packets to find which protocol and which mode each packet has used.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Packet A

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation. Answer the question based on your analysis of the screenshot. Packet A uses the AH Tunnel mode. a. True b. False Correct answer: Option A Feedback: You can safely conclude that AH mode is used since Packet A has only the AH header. Also, you can see that it uses the tunnel mode because the screenshot displays two different pairs of IP addresses: 172.16.3.1/172.16.3.3 and 192.168.12.1/192.168.23.3. Question 4: The screenshot indicates that a ping packet has been sent from the Baltimore LAN (172.16.1.0/24) to the Fairfax LAN (172.16.3.0/24) using the IPsec tunnel. Analyze these packets to find which protocol and which mode each packet has used.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Packet B

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation. Answer the question based on your analysis of the screenshot. Packet B uses the ESP Tunnel mode. a. True b. False Correct answer: Option A Feedback: A careful observation reveals that ESP mode is used since Packet B has only the ESP header. Also, you can see that it uses the tunnel mode because the screenshot displays only one pair of IP addresses, 192.168.12.1/192.168.23.3, even though the ping packet is sent from 172.16.1.1 to 172.16.3.1. This means a new pair of IP addresses is added to the original IP packet, an indication that the tunnel mode is used. Review The scenario presented in this activity uses a preshared key as an authentication method. A preshared key method is appropriate only when the number of gateway routers is small and simple to configure. In general, RSA encryption and RSA signature authentication methods are more common in practice. RSA signatures used are generally X.509 certificate-based and require X.509 CA.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Further Challenges Study an SSL VPN technology and compare it with IPsec VPN. What are the advantages and disadvantages of each VPN technology?

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Topic 6: Summary We have come to the end of Module 8. The key concepts covered in this module are listed below.

 A virtual private network (VPN) is a private computer network created using a public network, such as the Internet. It allows distant users to communicate privately, with reduced costs.

 The VPN architecture implemented by a company may be remote access or site- to-site Intranet.

 VPN technology is based on the tunneling capacity of Internet protocols. Data may be transmitted in transport or tunnel mode.

 There are two types of tunneling protocols: Layer 2 tunneling protocols and Layer 3 tunneling protocols. PPTP, L2TP, and L2F are Layer 2 protocols. IPsec is a Layer 3 protocol.

 IPsec is the most commonly used protocol for secure VPN connections. IPsec propagates data across a network in tunnel or transport mode.

 IPsec components such as Authentication Header (AH), Encapsulating Security Protocol (ESP), Internet Security Association and Key Management Protocol (ISAKMP), and Internet Key Exchange (IKE) play an important role in ensuring data integrity, authentication, and confidentiality.

 ISAKMP and IKE protocols provide key management mechanisms without which an IPsec cannot exist.

 ISAKMP defines two phases, IKE Phase 1 and IKE Phase 2, for data transfer between two IPsec peers.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Glossary

Term Definition

Advanced Encryption Standard

Advanced Encryption Standard (AES) is a widely accepted standard for encryption that uses 128-bit block size ciphers with key sizes of 128, 192, and 256 bits.

Algorithm An algorithm is a mathematical formula or set of steps to accomplish any given task—in this case, encryption and decryption.

Asymmetric Encryption

Asymmetric encryption uses two sets of encryption keys— a private and public key—to encrypt information. To decrypt the information, a user must have both the public key, which can be freely made public, and the private key, which is known only to the sender and receiver of the encrypted information.

Authentication Authentication involves confirming a user's identity. A form of access control, authentication requires users to confirm their identity before they access the system.

Checksum Checksum is a simple error-detection scheme to ensure that a message is not garbled. In checksum, each transmitted message is accompanied by a numerical value. The receiver then applies the same formula to the message and checks to make sure the accompanying numerical value is the same. If it is not, the receiver can assume that the message has been garbled.

Confidentiality Confidentiality means allowing only authorized individuals or systems to access certain types of information. Confidentiality is also known as secrecy.

Data Encryption Standard Data Encryption Standard (DES) is an encryption standard that uses a simple 56-bit key to encrypt data. Since it is not very secure, alternatives to DES such as triple DES and AES have been created.

Diffie-Hellman Key The Diffie-Hellman key is a specific method of changing keys in the field of cryptography.

Encryption Encryption is the process of using algorithms to change readable text into a format that is unreadable by unauthorized persons.

Fragmentation Fragmentation is a method in which an IP datagram is fragmented into IP packets and reassembled at the receiving host.

Fragment Flag Fragment flag is a field in an IP header that stores information about the IP packet and is involved in packet fragmentation. There are various 3-bit control flags.

Fragment Offset Fragment offset is a field that tells the sender where a particular fragment falls in relation to other fragments in the original larger packet.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Term Definition

Gateway A gateway is a network device that acts as an entrance to another network.

Hash-Based Message Authentication Code

Hash-Based Message Authentication Code (HMAC) is used to decode MACs by using a cryptographic function along with a secret key. HMAC is used in many authentication protocols.

Hash Value A hash function mathematically transforms a variable length data input into a fixed length, random-character output called a hash value. Some commonly used hash functions include Message Digest 5 (MD5) and the Secure Hash Algorithms (SHA-0, SHA-1, and SHA-256).

Header A header is a temporary set of data that is added at the beginning of a communication message in order to transfer it over the network. It contains the source and destination addresses as well as data that describe the content of the message.

Identification Identification is part of the access-control software and requires users to provide identification in the form of a user name or account number before they are allowed to access a system.

Integrity The goal of integrity is to ensure that unauthorized individuals or systems are unable to modify data.

IP Address An Internet Protocol (IP) address is a numeric label that identifies each device within a computer network that communicates over the Internet.

Key Generation Key generation is the process of creating cryptographic keys.

Key Management Key management is the system of controlling and managing the generation, exchange, storage, safety, application, and replacement of encryption keys.

Logical Connection A logical connection refers to the connection between two systems at the same level of the OSI or TCP/IP model.

Message Authentication Code

In cryptography, a Message Authentication Code (MAC) is a short piece of information used to authenticate a message.

Message-Digest Algorithm 5

Message-Digest Algorithm 5 (MD5) is a popular cryptographic hash function that uses a 128-bit hash value.

Nonrepudiation Nonrepudiation refers to giving a guarantee about the authenticity of a document or message. The sending parties cannot deny that they sent data.

Nonce Nonce is an abbreviation of “number used once.” It is often a random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

Term Definition

Open Source Open source refers to software that is distributed with its source code so that other users can modify it for their own purposes.

Payload Payload refers to the actual data in a packet or file, without all headers attached for transport and/or description.

Preshared Keys Preshared keys are shared secrets that were previously shared between two endpoints using some secure channel before they need to be used.

Replay Attack A replay attack is a breach of network security in which a valid data transmission is repeated or delayed with malicious intent.

RSA RSA is an encryption algorithm that uses public-key cryptography to secure information and is a widely used protocol for encrypting data.

Secure Hash Algorithm 1 Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash algorithm. The SHA-1 algorithm was designed by the National Security Agency.

Session Key A randomly generated encryption and decryption key that is used to ensure the security of a communication session.

Signature A signature is a digital code that can be attached to a message. Like a written signature, the signature uniquely identifies the sender and is a guarantee that the individual sending the message is really who he or she claims to be.

Time to Live Time to Live (TTL) is a field in the Internet Protocol (IP) that specifies how many more hops a packet can travel before being discarded or returned.

Triple DES Triple DES is a symmetric algorithm that involves repeating the basic DES algorithm three times, using either two or three unique keys, for a key size of 112 or 168 bits. This provides additional resistance to a brute-force attack.

Type of Service Type of Service (TOS) is a field in an IP packet that is used for quality of service.

X.509 X.509 is a standard used in cryptography that specifies formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.