Virtual Private Networks
|
|
- Lisa Morrison
- 6 years ago
- Views:
Transcription
1 Virtual Private Networks Petr Grygárek rek Agenda: VPN Taxonomy VPN Principles and Usage Cryptography Basics IPSec 1
2 Basic Terminology and Mechanisms of Network Security and Cryptography 2
3 Confidentality Data Protection unauthorized listener cannot understand data meaning implemented by encryption Authentication verification of data sender identity Data integrity verification that data were not modified during transport Non-repudiation data source cannot repudiate that it sent particular piece of data (i.e. it signed it) 3
4 Cryptographic Hash Function (1) one-way function (algorithm) that converts (arbitrary, long) block of data to (short) fixed-size hash value easy to compute infeasible to find a message with a given hash infeasible to modify a message without changing its hash Infeasible to find 2 different messages with the same hash 4
5 Cryptographic Hash Function (2) often used as Hashed Message Authentication Code (HMAC) the hash is computed from [data+secret] block algorithms commonly used as hash function HMAC-MD5 Message Digest 5 (128b message digest) HMAC-SHA1 Secure Hash Algorithm (stronger -160b message digest) 5
6 Cryptographic System plain text Encryption cyper text Decryption plain text Key Key Implementation options Conceal encryption/decryption algorithm If the algorithm is revealed, implementation is useless Conceal keys Keys used to parametrize (known) algorithm Enough number of possible keys has to be available 6
7 Symmetric Cryptosystem 7
8 Properties of Symmetric Cryptosystem Shared secret key Effective algorithm implementations speed, relative simplicity possible to implement in hardware DES, 3DES, AES, Problem with secure secret key distribution 8
9 Authentication in Symmetric Cryptosystem Sender encrypts username u using shared key, receiver decrypts using the same key and tests username validity Requires database of valid usernames Alternative validity check implementation: Sender appends username hash behind username, then encrypts whole block with shared key Receiver decrypts [username+hash] with shared key, computes username hash and compares with received hash Does not require to maintain username database Combines authentication with data integrity check 9
10 Data Integrity Check Implementation [message+shared shared secret key]->hash message+hash is sent receiver appends shared secret key behind received message, calculates hash by itself and compares with received hash Combines origin authentication and data integrity check 10
11 Asymmetric Cryptosystem 11
12 Public and Private Keys K A_PUBLIC K A_PRIVATE K B_PUBLIC K B_PRIVATE ALICE Encryption Decryption BOB public key K B_PUBLIC private key K B_PRIVATE Certification authority KA_PUBLIC K B_PUBLIC Keys generated as pair public and private key One key of pair used for encryption, second one for decryption no matter which one for what uses identical or complementary algorithms for encryption and decryption 12
13 Features of Asymmetric Cryptosystem More calculations comparing to symmetric algorithm => slower RSA, El-Gammal Problem of secure public key distribution no need to conceal them,, but we need a mechanism to protect public keys against modification during transport certification authority digitally signs public keys packed together with owner information (so called certificates ) 13
14 Usages of asymmetric metric system Digital signatures No problem with secret key distribution Exchange of keys for symmetric system Often dynamically generated keys with limited lifetime 14
15 Certification authority (1) Trusted entity Digitally signs public keys packed together with owner information - certificates First contact with CA must be physical (identity verification) obtaining of private+public key pair private key + signed certificate There exist ways how to deliver encrypted private key + certificate (containing signed public key) without physical contact need to authenticate certificate request (e..g with existing trusted password already used for something else) LDAP password etc. prenegotiated password used between user and CA to encrypt private key and certificate before sending it to user private+public key generation may take place at client OS Only client keeps private key and sends public key for signing to CA using HTTPS 15
16 Certification authority (2) Public key of CA needed by communicating parties to verify certificates of other communicating peers Public key of CA has to be inserted into every system by some trustworthy manner built-in into OS/WWW browser installation files, Advantage: only one public key (CA certificate) has to be preconfigured manually 16
17 Authenti entication and Data Integrity Check in Asymmetric System Hash comparison ALICE Data Hash Data Hash BOB K A_PUBLIC K A_PRIVATE K B_PUBLIC K A_PRIVATE K B_PRIVATE K A_PUBLIC K B_PUBLIC K B_PRIVATE 17
18 Virtual Private Networks (VPN) 18
19 What is VPN? VPN allow to build private WANs using (public) shared infrastructure with the same level of security and configuration options as with private infrastructure Cheaper and flexible method for interconnection of geographically dispersed sites Note: In principle, VPN overlay itself does NOT have to be encrypted Trasport over secure infra, encryption on application level,... 19
20 Advantages of VPNs over Physical Private WAN Infrastructure Lower cost Short time of deployment Flexibility of (virtual) topology topology defined purely by configuration No WAN link maintenance and management needed provider (ISP) takes responsibility of infrastructure 20
21 Some VPN Classification Criteria (1) Level of customer trust to the shared infrastructure provider trusted/secured (+ level of security) Protocol/technology applied in the infrastructure provider's (underlay) network L3: packet-based (IPv4/IPv6), VxLANs,... L2: Virtual-circuit based (Frame Relay, ATM, VLANs) L2.5: IP/MPLS VPN Location of tunnel termination (CE/PE) 21
22 Some VPN Classification Criteria (2) Amount of routing information exchanged between provider and customer sites Overlay (CPE-based) model Peer-to-peer (network-based) model Mixed model (MPLS VPN) Virtual topology options Point-to-point (virtual private lines) + topologies built from virtual P2P links Multipoint (virtual routed/switched network) 22
23 Some VPN Classification Criteria (3) OSI layer of overlay connectivity L2 L2-technology dependent May support interworking L3 protocol transparent L3 Independent on L2 protocols L3-protocol dependent unicast/multicast/both traffic support Application scenarios Site-to-site (L2L VPN) / Remote access (Client VPN) / VPDN 23
24 Some VPN Classification Criteria (4) Manual/Automatic configuration automatic configuration requires signaling & authentication automatic configuration is almost inevitable for interconnection of hundreds of thousands of customer sites 24
25 Overlay model Uses tunneling methods Encryption and authentication applied in most cases Does not utilize underlying infrastructure efficiently unless ovoerlay full mesh is configured Customers have no visibility of provider's network and vice versa No special contract with infrastructure provider is needed ISP musr not filter tunneling protocols (GRE, IPSec AH/ESP etc.) 25
26 Peer-to-Peer model Provider network devices have to carry all customers' routes Problems with overlapping (private) addresses non-unique destination addresses Complicated filtering has to be configured poor scalability, risk of misconfiguration Optimal routing across provider's shared infrastructure 26
27 Tunnel Virtual point-to-point connection over shared infrastructure often authenticated and encrypted Carries packets of some protocol encapsulated in another protocol sometimes in the same protocol (IP( over IP) tunnel can carry layer 2 frames also allows other protocols to be carried over underlay (mostly IP) network (even nonroutable protocols such as NetBEUI etc.) 27
28 VPN Protocols and Tunneling Techniques IP/IP (v4xv6), GRE, VxLAN L2TP (PPP frames), MPLS, IPSec SSL... 28
29 Most Common VPN Implementation Options Internetwork-wide VPNs => tunnels at or above layer 3 Layer 3 VPN IPSec media independent (above hop-by-hop L2 security) application independent connectionless security Layer 4 VPN SSL/TLS for TCP DTLS for UDP Layer 7 VPN application level (WWW) Neighbor-to-neighbor protection in today's LANs Later2: MACSec/TrustSec 29
30 Most Common VPN Implementation Scenarios Router-to-router (firewall( firewall) Site-to-site VPNs Single router may terminate multiple tunnels Remote User to VPN concentrator Remote access VPNs user has to have special encryption software installed (VPN client) Often used also over corporate LANs for production network managenent access 2009 Petr Grygárek, FEI VŠB-TU Ostrava, Computer Networks (Bc.) 30
31 Common VPN Applications (1) Site-to-site VPNs Router to router router (firewall to firewall) secure interconnection of (multiple) distant LANs counterpart with classical WAN networks Site-to-sitetunnel Encryption, Decryption Unsecurepublic infrastructure (Internet) Encryption, Decryption Secureintranet (2) Secureintranet (1) 31
32 Common VPN Applications (2/1) Remote access VPNs Client-initiated Remote user to VPN concentratortor user has special encryption software installed (VPN( client) NAS-initiated Remote user dials in to service provider s NAS using some connection-oriented telecommunication network (e.g. PSTN, ISDN) considered trustworthy NAS initiates secure tunnel to secure corporate network 32
33 Common VPN applications (2/2) PSTN NAS-initiated VPN tunnel Encryption tunnels modem User without any special software ISP NAS Unsecure public infrastructure (Internet) VPN concentrator Decryption Encryption User with VPN client software Client-initiated VPN tunnel Secure intranet 33
34 Virtual Private Dial-up Networks Provides connection of remote users into private networks Saves customers from maintaining their own physical RAS solution and interconnection to Telco Interoperation between provider's and customers' AAA infrastructures L2TP carries PPP sessions LAC L2TP Access Concentrator LNS L2TP Network Server 34
35 IPSec 35
36 IPSec (RFC 2401) IPSec = suite of protocols and algorithms used for data security implementation at network layer Open standards framework General, independent to actual algorithms used flexible and stable no need for complete change when particular algorithm is compromised Provides authenti entication, data integrity y and confidentality using particular preconfigured or negotiated algorithms, not by itself Only for unicast IP traffic but other protocols including IP broadcasts/multicasts can be encapsulated into IP before transportation over IPSec mechanism Implemented as additional mechanism for IPv4, natively built-in into IPv6 36
37 Basic IPSec terminology Security Association Set of policies and keys for data protection Shared by (two) communicating partners Authentication Header Header appended to IP packet to carry authentication system information (HMAC etc.) Encapsulating Security Payload Header Header appended to IP packet to carry security system information (authentication, confidenitality) 37
38 Security Association (1) Defines encryption and authentication parameters used between two partners communicating over IPSec tunnel encryption and authentication algorithm, key size, key lifetime encryption and authentication key (symmetric) IPSec mode (tunnel/transport) encapsulation protocol (AH/ESP) specification of traffic to be encrypted (/decrypted) ( proxyid ) Pre-configured or dynamically negotiated between partners during IPSec tunnel establishment 38
39 Security Association (2) Independent for both traffic directions Independent SAs for individual security protocols i.e. AH, ESP, IKE Internet Key Exchange (IKE) provides secure tunnel for dynamic SA negotiation Limited lifetime time/bytes transferred new SA is negotiated before lifetime expiration Stored in Security Association Database (SADB) Security Parameter Index (SPI) + SA values 39
40 IPSec modes: Tunnel and Transport Tunnel mode Transport Mode 40
41 End-to-end security Transport Mode Needs IPSec support in end-user stations operating system AH and ESP inserted between L3 anda L4 headers Impossible to filter traffic according to L4 header in the network (L4 header is encrypted) Next-header field of AH/ESP header identifies L4 header (L4 protocol) Original IP header unencrypted But protected by authenti entication/data integrity => incompatible with NAT 41
42 Tunnel Mode IPSec tunnel between routers connecting secure LANs to unsecure shared infrastructure (IPSec gateways) no need for IPSec support in users station operating systems IP packets encapsulated by another IP packets (tunnel) AH and ESP inserted at the beginning of encapsulating packet data field, original unchanged (tunneled) packet follows Packets encrypted including their IP headers => > potential spy in insecure network cannot even determine which stations of secure networks speak together Used most commonly today. 42
43 Transfer of IPSec Control C Information Authentication Header Information for authentication and data integrity Encapsulating Security Payload Information for encryption, authentication and data integrity and optionally anti-replay May completely supersede authentication header AH defined earlier, still maintained for compatibility with older implementations 43
44 Authentication header Assures authentication and (connectionless) data integrity Protects IP headerh (unchanging fields) and IP packet data carries authentication information (HMAC) carries Security Parameters Index (SPI) to identify particular security association used for current packet if multiple SAs used concurrently Optional support for anti-replay Sender inserts sequence numbers into packets, receiver may optionally verify them Protects transport IP header => > incompatible with NAT 44
45 AH transport mode 45
46 AH tunnel mode 46
47 Encapsulating Security Payload-ESP Carries control information for data encryption (and authentication) encapsulates protected data Optional data authentication and integrity check (only user data) Optional anti-replay check May provide all functions of authentication header 47
48 ESP transport mode 48
49 ESP tunnel mode 49
50 Dynamic SA negotiation Manual configuration of SAs at multiple stations is tedious and error-prone task Need for reoccurring reconfiguration - periodic change of authentication/encryption keys is necessary 50
51 Dynamic SA Negotiation Frameworks Internet Security Association and Key Management Protocol (ISAKMP) framework for secure (dynamic) key exchange and negotiation of security associations does not define any particular algorithms, provides only mechanics of parameter negotiation and key exchange protocols payload formats etc. Internet Key Interchange (IKE) operates within ISAKMP framework key exchange protocol (Oakley Key Exchange + Skeme Key Exchange) used to negotiate IPSec SAs SA negotiation protected by tunnel encrypted with dynamically negotiated keys (Diffie-Hellma( Diffie-Hellman algorithm) 51
52 Diffie-Hellman algorithm Used to negotiate shared secret key between two parties over unsecure channel Key value never sent over unsecure channel Based on public/private key pair generation on both sides, public key interchange and calculations with big prime numbers communicating parties have to be authenticated by some external mechanism prevents man-in-the-middle attack pre-shared key or certificates commonly used 52
53 1. Practical IPSec Operation 1. Interesting traffic detected 2. i.e. traffic whose encryption is required 2. IKE Phase 1 3. IPSec peer authentication (pre-shared keys, RSA signatures (X.509)) Negotiation of IKE SAs (Diffie-Hellman) Encryption algorithm, hash algorithm, keys, key lifetime, Establishes secure channel for IPSec SA negotiation 3. IKE Phase 2 4. Negotiation of IPSec SAs (for both directions) According to policies supported by peers Multiple priorized policies may be defined 4. Secure data exchange using IPSec SAs renegotiated by IKE if lifetime expires 5. After inactivity timeout, IPSec tunnel closed (SAs discarded) 5. 53
54 Which Traffic should be Encrypted? Crypto Access Lists (corresponds ProxyIDs) Outbound - indicate which data have to be protected by IPSec Inbound - filter out and discard traffic that should have been protected by IPSec (but is not) 54
55 Required ACL Modification for Operation of IPSec Underlying infrastructure has to allow these types of traffic: ISAKMP UDP port 500 ESP IP protocol 50 AH IP protocol 51 55
56 IPSec NAT Traversal Changing of IP header fields by NAT causes HMAC mismatch Encapsulates IPSec-protected packet with another UDP/IP envelope NAT-T - UDP port 4500 Negotiated in IKE 56
Sample excerpt. Virtual Private Networks. Contents
Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security
More informationSonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide
SonicWALL 6.2.0.0 Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide Contents SonicWALL Addendum 6.2.0.0... 3 New Network Features... 3 NAT with L2TP Client... 3 New Tools
More informationIP Security IK2218/EP2120
IP Security IK2218/EP2120 Markus Hidell, mahidell@kth.se KTH School of ICT Based partly on material by Vitaly Shmatikov, Univ. of Texas Acknowledgements The presentation builds upon material from - Previous
More informationTable of Contents 1 IKE 1-1
Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration
More informationIndex. Numerics 3DES (triple data encryption standard), 21
Index Numerics 3DES (triple data encryption standard), 21 A B aggressive mode negotiation, 89 90 AH (Authentication Headers), 6, 57 58 alternatives to IPsec VPN HA, stateful, 257 260 stateless, 242 HSRP,
More informationThe Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,
1 The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets
More informationVPN Overview. VPN Types
VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat
More informationConfiguration of an IPSec VPN Server on RV130 and RV130W
Configuration of an IPSec VPN Server on RV130 and RV130W Objective IPSec VPN (Virtual Private Network) enables you to securely obtain remote access to corporate resources by establishing an encrypted tunnel
More informationSecuring Networks with Cisco Routers and Switches
SNRS Securing Networks with Cisco Routers and Switches Volume 2 Version 2.0 Student Guide Editorial, Production, and Web Services: 02.06.07 DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO
More informationiii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11
iii PPTP................................................................................ 7 L2TP/IPsec........................................................................... 7 Pre-shared keys (L2TP/IPsec)............................................................
More informationIPSec. Slides by Vitaly Shmatikov UT Austin. slide 1
IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 20 IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with
More informationCryptography and Network Security Chapter 16. Fourth Edition by William Stallings
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Chapter 16 IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death,
More informationVPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009
VPN and IPsec Network Administration Using Linux Virtual Private Network and IPSec 04/2009 What is VPN? VPN is an emulation of a private Wide Area Network (WAN) using shared or public IP facilities. A
More informationVirtual Private Network
VPN and IPsec Virtual Private Network Creates a secure tunnel over a public network Client to firewall Router to router Firewall to firewall Uses the Internet as the public backbone to access a secure
More informationA-B I N D E X. backbone networks, fault tolerance, 174
I N D E X A-B access links fault tolerance, 175 176 multiple IKE identities, 176 182 single IKE identity with MLPPP, 188 189 with single IKE identity, 183 187 active/standby stateful failover model, 213
More informationNetwork Security CSN11111
Network Security CSN11111 VPN part 2 12/11/2010 r.ludwiniak@napier.ac.uk Five Steps of IPSec Step 1 - Interesting Traffic Host A Router A Router B Host B 10.0.1.3 10.0.2.3 Apply IPSec Discard Bypass IPSec
More informationVirtual Private Networks
EN-2000 Reference Manual Document 8 Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission security,
More informationConfiguring L2TP over IPsec
CHAPTER 62 This chapter describes how to configure L2TP over IPsec on the ASA. This chapter includes the following topics: Information About L2TP over IPsec, page 62-1 Licensing Requirements for L2TP over
More informationVPNs and VPN Technologies
C H A P T E R 1 VPNs and VPN Technologies This chapter defines virtual private networks (VPNs) and explores fundamental Internet Protocol Security (IPSec) technologies. This chapter covers the following
More informationJunos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services
Junos Security Chapter 8: IPsec VPNs 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter, you will
More informationVPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist
VPN World MENOG 16 Istanbul-Turkey By Ziad Zubidah Network Security Specialist What is this Van used for?! Armed Van It used in secure transporting for valuable goods from one place to another. It is bullet
More informationCSC 6575: Internet Security Fall 2017
CSC 6575: Internet Security Fall 2017 Network Security Devices IP Security Mohammad Ashiqur Rahman Department of Computer Science College of Engineering Tennessee Tech University 2 IPSec Agenda Architecture
More informationCONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements
CONTENTS Preface Acknowledgements xiii xvii Chapter 1 TCP/IP Overview 1 1.1 Some History 2 1.2 TCP/IP Protocol Architecture 4 1.2.1 Data-link Layer 4 1.2.2 Network Layer 5 1.2.2.1 Internet Protocol 5 IPv4
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationVPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP)
VPN Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP) Agenda VPN Classical Approach Overview IP Based Solutions IP addresses non overlapping IP addresses overlapping MPLS-VPN VPDN RAS
More informationBCRAN. Section 9. Cable and DSL Technologies
BCRAN Section 9 Cable and DSL Technologies Cable and DSL technologies have changed the remote access world dramatically. Without them, remote and Internet access would be limited to the 56 kbps typical
More informationL2TP over IPsec. About L2TP over IPsec/IKEv1 VPN
This chapter describes how to configure /IKEv1 on the ASA. About /IKEv1 VPN, on page 1 Licensing Requirements for, on page 3 Prerequisites for Configuring, on page 4 Guidelines and Limitations, on page
More informationProtocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science
Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science History of computer network protocol development in 20 th century. Development of hierarchical
More informationConfiguring Security for VPNs with IPsec
This module describes how to configure basic IPsec VPNs. IPsec is a framework of open standards developed by the IETF. It provides security for the transmission of sensitive information over unprotected
More informationService Managed Gateway TM. Configuring IPSec VPN
Service Managed Gateway TM Configuring IPSec VPN Issue 1.2 Date 12 November 2010 1: Introduction 1 Introduction... 3 1.1 What is a VPN?... 3 1.2 The benefits of an Internet-based VPN... 3 1.3 Tunnelling
More informationIPsec NAT Transparency
sec NAT Transparency First Published: November 25, 2002 Last Updated: March 1, 2011 The sec NAT Transparency feature introduces support for Security (sec) traffic to travel through Network Address Translation
More informationIPsec NAT Transparency
The feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities
More informationINF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationVPN Ports and LAN-to-LAN Tunnels
CHAPTER 6 A VPN port is a virtual port which handles tunneled traffic. Tunnels are virtual point-to-point connections through a public network such as the Internet. All packets sent through a VPN tunnel
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationIPSec. Overview. Overview. Levente Buttyán
IPSec - brief overview - security associations (SAs) - Authentication Header (AH) protocol - Encapsulated Security Payload () protocol - combining SAs (examples) Overview Overview IPSec is an Internet
More informationCisco Exam Questions & Answers
Cisco 300-209 Exam Questions & Answers Number: 300-209 Passing Score: 800 Time Limit: 120 min File Version: 35.4 http://www.gratisexam.com/ Exam Code: 300-209 Exam Name: Implementing Cisco Secure Mobility
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 15 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear,
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationConfiguring Internet Key Exchange Security Protocol
Configuring Internet Key Exchange Security Protocol This chapter describes how to configure the Internet Key Exchange (IKE) protocol. IKE is a key management protocol standard that is used in conjunction
More informationOverview of the IPsec Features
CHAPTER 2 This chapter provides an overview of the IPsec features of the VSPA. This chapter includes the following sections: Overview of Basic IPsec and IKE Configuration Concepts, page 2-1 Configuring
More informationThe EN-4000 in Virtual Private Networks
EN-4000 Reference Manual Document 8 The EN-4000 in Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission
More informationCS 356 Internet Security Protocols. Fall 2013
CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5
More informationIPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security
IPsec (AH, ESP), IKE Guevara Noubir noubir@ccs.neu.edu Securing Networks Control/Management (configuration) Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec,
More informationIPSec Site-to-Site VPN (SVTI)
13 CHAPTER Resource Summary for IPSec VPN IKE Crypto Key Ring Resource IKE Keyring Collection Resource IKE Policy Resource IKE Policy Collection Resource IPSec Policy Resource IPSec Policy Collection Resource
More informationSchool of Computer Sciences Universiti Sains Malaysia Pulau Pinang
School of Computer Sciences Universiti Sains Malaysia Pulau Pinang Information Security & Assurance Assignment 2 White Paper Virtual Private Network (VPN) By Lim Teck Boon (107593) Page 1 Table of Content
More informationGrandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide
Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Table of Contents SUPPORTED DEVICES... 5 INTRODUCTION... 6 GWN7000 VPN FEATURE... 7 OPENVPN CONFIGURATION... 8 OpenVPN
More informationProtocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.
P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and
More informationConfiguring LAN-to-LAN IPsec VPNs
CHAPTER 28 A LAN-to-LAN VPN connects networks in different geographic locations. The ASA 1000V supports LAN-to-LAN VPN connections to Cisco or third-party peers when the two peers have IPv4 inside and
More informationHillstone IPSec VPN Solution
1. Introduction With the explosion of Internet, more and more companies move their network infrastructure from private lease line to internet. Internet provides a significant cost advantage over private
More informationVirtual Private Networks
Chapter 12 Virtual Private Networks Introduction Business has changed in the last couple of decades. Companies now have to think about having a global presence, global marketing, and logistics. Most of
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec
More informationSet Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers
Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers Objective A Virtual Private Network (VPN) is a private network that is used to virtually
More informationSecurity for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S
Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
More informationInt ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28
Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The
More informationCryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption
and secure channel May 17, 2018 1 / 45 1 2 3 4 5 2 / 45 Introduction Simplified model for and decryption key decryption key plain text X KE algorithm KD Y = E(KE, X ) decryption ciphertext algorithm X
More informationConfiguring a VPN Using Easy VPN and an IPSec Tunnel, page 1
Configuring a VPN Using Easy VPN and an IPSec Tunnel This chapter provides an overview of the creation of Virtual Private Networks (VPNs) that can be configured on the Cisco 819, Cisco 860, and Cisco 880
More informationLAN-to-LAN IPsec VPNs
A LAN-to-LAN VPN connects networks in different geographic locations. You can create LAN-to-LAN IPsec connections with Cisco peers and with third-party peers that comply with all relevant standards. These
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More informationGlenda Whitbeck Global Computing Security Architect Spirit AeroSystems
Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems History 2000 B.C. Egyptian Hieroglyphics Atbash - Hebrew Original alphabet mapped to different letter Type of Substitution Cipher
More informationSecurity for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T
Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
More informationACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0
ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0 Module 1: Intrusion Detection and Prevention Technology 1.1 Overview of Intrusion
More informationSharing IPsec with Tunnel Protection
The feature allows sharing an IPsec security association database (SADB) between two or more generic routing encapsulation (GRE) tunnel interfaces when tunnel protection is used. Shared tunnel interfaces
More informationCSC 4900 Computer Networks: Security Protocols (2)
CSC 4900 Computer Networks: Security Protocols (2) Professor Henry Carter Fall 2017 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication
More informationThe IPsec protocols. Overview
The IPsec protocols -- components and services -- modes of operation -- Security Associations -- Authenticated Header (AH) -- Encapsulated Security Payload () (c) Levente Buttyán (buttyan@crysys.hu) Overview
More informationIPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router
IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router Objective Internet Protocol Security (IPSec) is used to protect communications through the encryption of IP packets during a communication
More informationNetwork Security: IPsec. Tuomas Aura
Network Security: IPsec Tuomas Aura 3 IPsec architecture and protocols Internet protocol security (IPsec) Network-layer security protocol Protects IP packets between two hosts or gateways Transparent to
More informationInternet security and privacy
Internet security and privacy IPsec 1 Layer 3 App. TCP/UDP IP L2 L1 2 Operating system layers App. TCP/UDP IP L2 L1 User process Kernel process Interface specific Socket API Device driver 3 IPsec Create
More informationMicrosoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security
Operating System Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security White Paper Abstract The Microsoft Windows operating system includes technology to secure communications
More informationCSE509: (Intro to) Systems Security
CSE509: (Intro to) Systems Security Fall 2012 Invited Lecture by Vyas Sekar IPSec 2005-12 parts by Matt Bishop, used with permission Security in Real Life: Motivation Site SF Company X $$$ Site NY Site
More informationIP Security. Have a range of application specific security mechanisms
IP Security IP Security Have a range of application specific security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS However there are security concerns that cut across protocol layers Would like security
More informationChapter 5: Network Layer Security
Managing and Securing Computer Networks Guy Leduc Mainly based on Network Security - PRIVATE Communication in a PUBLIC World C. Kaufman, R. Pearlman, M. Speciner Pearson Education, 2002. (chapters 17 and
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationSecure channel, VPN and IPsec. stole some slides from Merike Kaeo
Secure channel, VPN and IPsec stole some slides from Merike Kaeo 1 HTTP and Secure Channel HTTP HTTP TLS TCP TCP IP IP 2 SSL and TLS SSL/TLS SSL v3.0 specified
More informationIP Security. Cunsheng Ding HKUST, Kong Kong, China
IP Security Cunsheng Ding HKUST, Kong Kong, China Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security Association Building Block: Security Association Database Building
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationChapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University
Chapter 6 IP Security Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University +91 9426669020 bhargavigoswami@gmail.com Topic List 1. IP Security Overview 2. IP Security Architecture 3.
More information8. Network Layer Contents
Contents 1 / 43 * Earlier Work * IETF IP sec Working Group * IP Security Protocol * Security Associations * Authentication Header * Encapsulation Security Payload * Internet Key Management Protocol * Modular
More informationINFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP
INFS 766 Internet Security Protocols Lectures 7 and 8 IPSEC Prof. Ravi Sandhu IPSEC ROADMAP Security Association IP AH (Authentication Header) Protocol IP ESP (Encapsulating Security Protocol) Authentication
More informationVirtual Private Networks Advanced Technologies
Virtual Private Networks Advanced Technologies Petr Grygárek rek Agenda: Supporting Technologies (GRE, NHRP) Dynamic Multipoint VPNs (DMVPN) Group Encrypted Transport VPNs (GET VPN) Multicast VPNs (mvpn)
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationNetwork Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys
1 1 Network Security 2 Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys 2 Learning Objectives 4.1 Prepare a Router for Site-to-Site VPN using Pre-shared Keys 4.2 Configure a Router for IKE Using
More informationLehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec
Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München ilab Lab 8 SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL
More informationHC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee
HC-711 Q&As HCNA-CBSN (Constructing Basic Security Network) - CHS Pass Huawei HC-711 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money
More informationCLEARPASS CONFIGURING IPsec TUNNELS
TECHNICAL NOTE CLEARPASS CONFIGURING IPsec TUNNELS Revised By Date Changes Jerrod Howard Nov 2015 Draft Controller to ClearPass Tech Note Dennis Boas Dennis Boas Jan 2016 Version 1 1344 CROSSMAN AVE SUNNYVALE,
More informationLAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example
LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example Document ID: 26402 Contents Introduction Prerequisites Requirements Components Used Conventions Configure
More informationCloudBridge :31:07 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement
CloudBridge 1.1 2013-06-30 04:31:07 UTC 2013 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents CloudBridge 1.1... 3 CloudBridge... 4 About the CloudBridge...
More informationVirtual Tunnel Interface
This chapter describes how to configure a VTI tunnel. About s, on page 1 Guidelines for s, on page 1 Create a VTI Tunnel, on page 2 About s The ASA supports a logical interface called (VTI). As an alternative
More informationIPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP
About Tunneling, IPsec, and ISAKMP, on page 1 Licensing for IPsec VPNs, on page 3 Guidelines for IPsec VPNs, on page 4 Configure ISAKMP, on page 5 Configure IPsec, on page 18 Managing IPsec VPNs, on page
More informationVirtual private networks
Technical papers Virtual private networks Virtual private networks Virtual private networks (VPNs) offer low-cost, secure, dynamic access to private networks. Such access would otherwise only be possible
More informationIPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP
About Tunneling, IPsec, and ISAKMP, page 1 Licensing for IPsec VPNs, page 3 Guidelines for IPsec VPNs, page 5 Configure ISAKMP, page 5 Configure IPsec, page 17 Managing IPsec VPNs, page 36 About Tunneling,
More informationDPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0
DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any
More informationNetwork Security - ISA 656 IPsec IPsec Key Management (IKE)
Network Security - ISA 656 IPsec IPsec (IKE) Angelos Stavrou September 28, 2008 What is IPsec, and Why? What is IPsec, and Why? History IPsec Structure Packet Layout Header (AH) AH Layout Encapsulating
More informationDeploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels
Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels This article provides a reference for deploying a Barracuda Link Balancer under the following conditions: 1. 2. In transparent (firewall-disabled)
More informationFirepower Threat Defense Site-to-site VPNs
About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec
More informationChapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS
Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2017 Cisco and/or its affiliates. All rights
More informationVirtual Private Networks.
Virtual Private Networks thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Virtual Private Networks VPN Basics Protocols (IPSec, PPTP, L2TP) Objectives of VPNs Earlier Companies
More informationChapter 6/8. IP Security
Chapter 6/8 IP Security Prof. Bhargavi H Goswami Department of MCA, Sunshine Group of Institutes, Rajkot, Gujarat, India. Mob: +918140099018. Email: bhargavigoswami@gmail.com Topic List 1. IP Security
More information