Tunneling and IPSec Part 2

00:05

now, after you choose whether or not you want to be in tunnel mode or transport mode, the next decision you want to make is what sort of protocols you want to use for I p sec.

00:14

There are two main ones that provide the security service.

00:17

One is called a H, which stands for authentication. Hutter

00:21

Authentication header will provide non repudiation

00:25

because what will happen is I p sack and authentication is the authentication header is going to run something called an I c v

00:32

an integrity check value.

00:34

That integrity check value is essentially a hash.

00:38

We haven't talked about what hashing is yet, but the whole purpose of a hash is to detect modification

00:44

by running this integrity check value on the header of the packet that guarantees the header hasn't been modified.

00:51

When a packet is spoofed, it's the IP header that does get modified.

00:55

So what we get is an assurance that the I P header has not been manipulated, which gives us authenticity

01:00

that giving us authenticity is great.

01:03

But we do not get confidentiality with the H

01:08

Honestly, a lot of times we use IP sec for confidentiality.

01:12

We want to encrypt our data so often we're going to use a different protocol called ESPN.

01:19

ESPN stands for encapsulating security payload.

01:23

That's the protocol that's going to provide us with encryption.

01:26

It also uses something called a Mac, which is a message authentication code to determine whether or not there's been modification of the packet.

01:34

You really get pretty decent integrity, checking a little bit of authenticity and encryption with the SP, so it's a very popular choice.

01:45

The third protocol mentioned here is one called Ike Internet Key Exchange.

01:49

I always think about like like you think about a roadie at a concert.

01:53

You go to a concert, you show up early and there's a guy in a T shirt and cut off jeans no matter what the weather is. And he's laying out cable. He's checking the lights, checking the sound, tuning the instruments.

02:06

Nobody is really there to see that guy unless it's his mom, right?

02:09

We're here to see the main act, and that's like

02:13

like doesn't provide the security services.

02:15

Ike doesn't get any of the glory.

02:17

All ICP does is go out ahead of the communication or ahead of the exchange of information and sets up and negotiates algorithms and keys, Internet key exchange

02:28

and actually like, is made up of two sub protocols.

02:31

Wang called Oakley and the other called

02:35

S a KMP.

02:38

Oakley initiates the key agreement through an algorithm called Diffie Hellman.

02:42

More to come on that later

02:44

I s a KMP sets up was referred to as a security association

02:50

And the security association is something you can think of, like a channel or unique identifier to reference each secure connection.

02:58

So if I have three different secure connections with three different systems,

03:01

have various essays, security associations

03:06

to identify, each one is unique. And actually, I'll have two essays, one for outgoing communication and one for an incoming communication

03:15

again. That Security Association allows me to keep each session as unique.

03:21

It has an identifying called the Security Parameters Index

03:24

and that one field will always be unique. Even if I have multiple secure sessions opened up on the same system,

03:30

the S P I will provide the randomness, or at least the pseudo randomness.

03:38

Next we got G R E, which is another protocol called generic routing encapsulation.

03:44

G R E doesn't really provide encryption or authentication.

03:47

It's just about encapsulation.

03:51

We saw this back in the olden days with systems using apple talk trying to traverse a TCP I network

03:57

so g r E would be used for encapsulation.

04:00

Now we see it with I P v s forward to IBV six networks.

04:03

Sometimes you'll see it for multicast traffic because multicast traffic can't traverse typical VPNs.

04:11

So G r E is something that's a protocol coming back into favor.

04:15

So let's wrap it up for remote access. We looked at dial up and talked about point to point protocol and the fact that it uses P A P C H A P and eat for authentication.

04:27

We said Point to point protocol provides the layer two connectivity and framing for w and connectivity and get authentication. We needed P A P, C h a p and eat

04:38

p a p. Sending passwords in plain text. We don't like it.

04:41

C H. A P protects our passwords better, but it's still only capable for password authentication.

04:47

And then keep is what we're using today in a lot of areas, because it will support more than just passwords, things like token certificates and so on.

04:58

What replaced dial up connectivity is tunneling and creating our VPNs,

05:01

and we're certainly looking at other ways to connect today beyond the VPNS.

05:05

But the VPNS were created with tunneling protocols.

05:10

We have point to point tunneling protocols, which was really the first main tunneling protocol.

05:15

We've got l two tp that enhance point to point tunneling protocol and allowed it to separate from I p networks.

05:21

Remember,

05:23

L two tp has no built in security and it uses IP SEC to secure its traffic.

05:29

We have generic routing encapsulation, and we also talked about I P SEC, which can either be used for VPN tunnels. But it can certainly also be used on internal networks to protect traffic.