Tunneling and IPSec Part 2

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
00:04
>> After you choose whether or
00:04
not you want to be in tunnel mode,
00:04
or transport mode,
00:04
the next decision you want to make is what
00:04
protocols you want to use for IPSec.
00:04
There are two main ones that
00:04
provide the security service.
00:04
One is called AH,
00:04
which stands for Authentication Header.
00:04
Authentication Header will provide non-repudiation,
00:04
because what will happen is IPSec and authentication,
00:04
is the Authentication Header is going
00:04
to run something called an ICV,
00:04
an Integrity Check Value.
00:04
That Integrity Check Value is essentially a hash.
00:04
We haven't talked about what hashing is yet,
00:04
but the whole purpose of a hash
00:04
is to detect modification.
00:04
By running this Integrity Check Value
00:04
on the header of the packet,
00:04
that guarantees the header hasn't been modified.
00:04
When a packet is spoofed,
00:04
it's the IP header that does get modified.
00:04
What we get is an assurance that
00:04
the IP header has not been manipulated,
00:04
which gives us authenticity.
00:04
That giving us authenticity is great,
00:04
but we do not get confidentiality with the AH.
00:04
Honestly, a lot of times we
00:04
use IPSec for confidentiality.
00:04
We want to encrypt our data, so often,
00:04
we're going to use a different protocol called ESP.
00:04
ESP stands for Encapsulating Security Payload.
00:04
That's the protocol that's going
00:04
to provide us with encryption.
00:04
It also uses something called a MAC,
00:04
which is a message authentication code to
00:04
determine whether or not there's been
00:04
modification of the packet.
00:04
You really get pretty decent integrity checking,
00:04
and a little bit of authenticity,
00:04
and encryption with ESP,
00:04
so it's a very popular choice.
00:04
The third protocol mentioned here is one
00:04
called IKE, Internet Key Exchange.
00:04
I always think about IKE like
00:04
you think about a roadie at a concert.
00:04
You go to a concert,
00:04
you show up early and there's
00:04
a guy in a t-shirt and cut-off jeans,
00:04
no matter what the weather is,
00:04
and he's laying out cable,
00:04
he's checking the lights,
00:04
checking the sound, tuning instruments.
00:04
Nobody's really there to see
00:04
that guy unless it's his mom.
00:04
We're here to see the main act, and that's IKE.
00:04
IKE doesn't provide the security services.
00:04
IKE doesn't get any of the glory.
00:04
All IKE does is go out ahead of the communication,
00:04
or ahead of the exchange of information
00:04
and sets up and negotiates algorithms and keys,
00:04
Internet Key Exchange.
00:04
Actually, IKE is made up of two subprotocols,
00:04
one called Oakley and the other called ISAKMP.
00:04
Oakley initiates the key agreement
00:04
through an algorithm called Diffie-Hellman.
00:04
More to come on that later.
00:04
ISAKMP sets up what is
00:04
referred to as a security association.
00:04
The security association is
00:04
something you can think of like a channel,
00:04
or a unique identifier to
00:04
reference each secure connection.
00:04
If I have three different secure connections
00:04
with three different systems,
00:04
I have various SAs, security associations.
00:04
To identify each one is unique,
00:04
and actually, I'll have two SAs,
00:04
one for outgoing communication
00:04
and one for an incoming communication.
00:04
Again, that security association
00:04
allows me to keep each session as unique.
00:04
It has an identifier called the
00:04
Security Parameters Index,
00:04
and that one field will always be unique
00:04
even if I have multiple security sessions opened
00:04
up on the same system.
00:04
The SPI will provide
00:04
the randomness or at least the pseudo-randomness.
00:04
Next we got GRE,
00:04
which is another protocol
00:04
called Generic Routing Encapsulation.
00:04
GRE doesn't really provide
00:04
encryption or authentication.
00:04
It's just about encapsulation.
00:04
We saw this back in the olden days
00:04
with systems using AppleTalk,
00:04
trying to traverse a TCP/IP network,
00:04
so GRE would be used for encapsulation.
00:04
Now we see it with IPv4 to IPv6 networks.
00:04
Sometimes you'll see it for multicast traffic because
00:04
multicast traffic can't traverse typical VPNs,
00:04
so GRE is something that's
00:04
a protocol coming back into favor.
00:04
Let's wrap it up for remote access.
00:04
We looked at dial-up and talked
00:04
about Point-to-Point Protocol,
00:04
and the fact that it uses PAP,
00:04
CHAP, and EAP for authentication.
00:04
We said Point-to-Point Protocol provides the layer 2
00:04
connectivity and framing for WAN connectivity,
00:04
and to get authentication we needed PAP, CHAP and EAP.
00:04
PAP is sending passwords in plain text.
00:04
We don't like it.
00:04
CHAP protects our passwords better,
00:04
but it's still only capable
00:04
for password authentication.
00:04
Then EAP is what we're using today in a lot of areas,
00:04
because it will support more than just passwords,
00:04
things like tokens, certificates, and so on.
00:04
What replaced dial-up connectivity
00:04
is tunneling and creating our VPNs.
00:04
We're certainly looking at other ways to
00:04
connect today beyond the VPNs,
00:04
but the VPNs were created with tunneling protocols.
00:04
We have Point-to-Point Tunneling Protocol,
00:04
which is really the first main tunneling protocol.
00:04
We've got L2TP that enhanced
00:04
Point-to-Point Tunneling Protocol and
00:04
allowed it to separate from IP networks.
00:04
Remember, L2TP has no built-in security
00:04
and it uses IPSec to secure its traffic.
00:04
We have Generic Routing Encapsulation
00:04
and we also talked about IPSec,
00:04
which can either be used for VPN tunnels,
00:04
but it can certainly also be used on
00:04
internal networks to protect traffic.
00:04
Those are your key takeaways.