Understanding VPNs: Virtual Private Networks

Questions and Answers

Which of the following is the most accurate description of a VPN's primary function?

  • To provide secure transmission of controlled information between known parties across a non-secure network. (correct)
  • To increase the speed and performance of Internet connections by bypassing network congestion.
  • To reduce data transfer costs by utilizing public networks instead of private WANs.
  • To guarantee complete anonymity on the Internet by masking the user’s IP address.

Which of the following is a critical function of VPNs, regarding the sender and receiver of data?

  • Optimizing data packets for faster transmission, regardless of content.
  • Verifying the sender's identity to the receiver and validating the data's origin. (correct)
  • Dynamically allocating bandwidth based on the type of data being transmitted.
  • Ensuring complete anonymity of the sender to prevent traffic analysis.

In the context of VPN technology, what is the role of 'tunneling'?

  • To encapsulate data within another protocol for secure transport across a network. (correct)
  • To bypass firewall restrictions by creating alternate routes for data packets.
  • To compress data packets for faster transmission across networks.
  • To encrypt data by adding an additional header to each packet.

What is a fundamental requirement for establishing a VPN tunnel between two endpoints?

Each endpoint must agree on configuration variables, including encryption parameters. (C)

Why is a secure firewall a necessary element within a VPN setup?

To guard the private network from potential hackers and offensive web content. (A)

In a VPN infrastructure, how does the VPN client software contribute to ensuring secure communication?

By establishing a secure connection to the VPN server, thereby securing data transmission. (D)

What is the primary role of a Network Access Server (NAS) in the context of VPNs?

To authenticate clients and associate them with specific VPN servers. (B)

What is the key distinction between the 'tunnel' and the 'VPN connection' within a VPN?

The 'tunnel' signifies the portion of the connection where data is encapsulated, and the 'VPN connection' is where data is encrypted. (D)

Which of the following accurately describes a significant disadvantage of using Internet-based VPNs?

Reliance on stable internet service to ensure consistent VPN reliability and performance. (D)

Which challenge arises from attempting to use VPN products from multiple vendors?

Potential compatibility issues due to variations in VPN technology standards. (D)

Which VPN type enables remote users, such as mobile workers, to have secure access to their corporate networks, creating a virtual presence in their offices?

Access VPNs. (A)

What distinguishes Extranet VPNs from other types of VPNs regarding access privileges?

They offer limited access to specific areas of the corporate intranet, often referred to as the DMZ, for business partners. (D)

In a typical access VPN setup, what role does the Point-to-Point Protocol (PPP) play?

It defines the format of the frame for data exchange and allows devices to negotiate link establishment. (D)

In VPN architecture, what is the significance of the 'point of presence' (POP)?

It is the switching office prepared by the ISP. (B)

How does Point to Point Tunneling Protocol handle encryption?

PPTP relies on PPP's native encryption capability. (D)

What characteristic describes the fundamental difference between Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP)?

L2F supports a broader range of network protocols, including IPX and AppleTalk, while PPTP is strictly IP-centric. (C)

In NAS-initiated VPNs, which statement accurately describes the involvement of the client?

The client does not actively participate in its creation and is compelled to use it. (C)

Which security vulnerability is most pronounced in NAS-initiated VPNs?

The connection between the client and the NAS occurs outside the tunnel, making the VPN vulnerable to attacks. (D)

In client-initiated VPNs, what role does the Network Access Server (NAS) play in tunnel establishment?

The NAS is not involved in the tunnel establishment. (B)

What encapsulates the role of IPSec?

IPSec helps create authenticated and confidential packets for the IP layer. (D)

How is IPSec implemented at the host level?

Installing IPSec in all host devices enables end-to-end security between any two devices on the network. (A)

In which IPSec mode are both the IP header and the payload encrypted, thus providing a higher level of security?

Tunnel Mode. (D)

Which of the following accurately describes the function of the Authentication Header (AH) protocol in IPSec?

It authenticates the source host and ensures the integrity of the payload carried in the IP packet. (B)

In IPSec, what value replaces the original protocol field in the IP header when an Authentication Header (AH) is used?

The value of 51. (B)

What is the purpose of the 'Payload Length' field in the Authentication Header (AH) of IPSec?

It defines the length of the authentication header in 4-byte multiples, excluding the initial 8 bytes. (B)

Which of the following best describes the role of the Security Parameter Index (SPI) in IPSec?

It is a virtual circuit identifier and is the same for all packets sent during a connection called a Security Association. (B)

Which statement is true about AH regarding confidentiality in IPSec?

AH does not provide confidentiality, only source authentication and data integrity. (D)

In the context of the Encapsulating Security Payload (ESP) protocol, what value is placed in the protocol field of the IP header?

50. (C)

Which of the following does the ESP protocol add to a packet for security?

Header and trailer. (B)

In Security Association terms, what is a contract?

A Security Association is a contract between two parties that creates a secure channel between them. (D)

Which element constitutes the triple index used for selecting entries in an inbound Security Association Database (SAD)?

Security parameter index, destination address, and protocol (AH or ESP). (C)

What is the primary input to the outbound Security Policy Database (SPD) when following combined security associations?

The sextuple index. (D)

What action best represents the output of an outbound Security Policy Database (SPD)?

Drop (the packet cannot be sent), bypass (bypassing the security header), and apply (applying the security according to the SAD; if there is none, creating one). (A)

When a packet arrives at the receiving end, what action signifies the use of an inbound Security Policy Database (SPD)?

Discard (drop the packet), bypass (bypassing the security and delivering the packet to the transport layer), and apply (applying the policy using the SAD). (C)

Which set of protocols serves as the foundation for the Internet Key Exchange (IKE) protocol?

Oakley, SKEME, and ISAKMP. (A)

What is the primary function of the Internet Key Exchange (IKE) protocol in IPsec?

To create outbound Security Associations. (C)

Which is a limitation of IPSec?

IPSec is more difficult to implement and requires special support in routers, etc. (B)

Flashcards

What is a VPN?

A network that is private but uses virtual connections routed through a public network, like the Internet.

What is Authentication?

Ensuring the receiver is certain of the sender's identity and that data is validated.

What is Access Control?

Restricting unauthorized users from accessing the network.

What is Confidentiality?

Ensuring that messages are understandable only to the intended receiver.

What is Data Integrity?

Ensuring that the data has not been altered.

What is Tunneling?

The process used by VPNs to transport encrypted data across the Internet.

What is a logical path?

Virtual path, created from end to end, which transfers data from one network to another.

What is a firewall?

A program or hardware device that protects the network from potential hackers.

What is VPN client software?

Software on the user's computer that allows VPN access to a private network.

What is a dedicated VPN server?

A piece of hardware or software that acts as a gateway to a network or a single computer.

What is a Network Access Server (NAS)?

A network device that authenticates clients and associates them with specific VPN servers.

What is a Tunnel?

The section of the VPN connection where your data is encapsulated.

What is a VPN connection?

The section of the VPN connection where your data is encrypted.

What are Access VPNs?

VPNs that give remote users such as road warriors and telecommuters reliable access to corporate networks.

What are Intranet VPNs?

VPNs that link branch offices to corporate headquarters using Internet-based networks.

What are Extranet VPNs?

VPNs that allow customers, suppliers, and partners to access the corporate intranet.

What is Point-to-Point Protocol (PPP)?

Defines the format of the frame to be exchanged between devices.

What is a Network Access Server (NAS)?

A device that terminates dial-up calls over analog or ISDN circuits.

What is point of presence (POP)?

A switching office on the public switched telephone network, prepared by the ISP.

What is a PPTP access concentrator (PAC)?

The NAS that allows the remote user to initiate a VPN call.

What is Layer 2 Forwarding (L2F)?

A proprietary, protocol-independent tunneling protocol developed by Cisco Systems that can run over ATM networks.

What is NAS-initiated VPN?

A VPN in which the NAS, not the client, tunnels the packets across the Internet to the VPN server.

What is a client-initiated VPN?

A VPN in which the VPN-enabled client itself establishes the tunnel to the VPN server.

What is IP Security (IPSec)?

Protocols designed to provide security for a packet at the network level.

What is host-host implementation?

Installing IPSec in all host devices, enabling end-to-end security between any two devices on the network.

What is Transport mode?

Used when we need host-to-host protection of data.

What is Tunnel mode?

Protects the entire IP packet.

What is Authentication Header (AH)?

Designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet.

What is Encapsulating Security Payload (ESP)?

An alternative protocol that provides source authentication, integrity, and confidentiality.

What is AH in transport mode and tunnel mode?

The AH is placed in the appropriate location in the packet, depending on the mode.

What is Security Association?

A contract between two parties that creates a secure channel between them; for example, there are two SAs between Alice and Bob.

Why does each site need both inbound and outbound SAs?

To allow bidirectional communication.

What is the triple index?

The index (security parameter index, destination address, and protocol) used to select each entry in the inbound SAD.

What is Security Policy (SP)?

Defines the type of security applied to a packet when it is to be sent or when it has arrived.

What is Internet Key Exchange (IKE)?

A complex protocol based on three other protocols: Oakley, SKEME, and ISAKMP.

What is Oakley?

A key creation protocol.

What is SKEME?

SKEME is another protocol for key exchange. It uses public-key encryption for entity authentication.

What is ISAKMP?

Allows the IKE exchanges to take place.

Study Notes

What is VPN?

  • VPN stands for "Virtual Private Network" or "Virtual Private Networking"
  • A VPN is a network that is private but virtual
  • VPNs are private because they guarantee privacy inside the organization
  • VPNs are virtual because they do not use real private WANs; the network is physically public but virtually private
  • A VPN carries controlled information, protected by various security mechanisms (e.g. cryptography), between known parties
  • The goal of a VPN is to provide a secure passage for users' data over the non-secure Internet
  • VPNs enable companies to use the Internet as the virtual backbone for their corporate networks
  • VPNs allow secure virtual links between their corporate office and branch or remote offices via the Internet
  • The cost benefits of VPN service have prompted corporations to move more of their data from private WANs to Internet-based VPNs

VPNs' Four Critical Functions

  • Authentication means the receiver needs to be sure of the sender's identity, validating the data sent from the sender
  • Access control limits unauthorized users from accessing the network
  • Confidentiality ensures the transmitted message makes sense to only the intended receiver
  • Data Integrity ensures that the data has not been altered

Tunneling

  • VPN uses the tunneling process to transport encrypted data across the Internet
  • Tunneling is a method to transfer data from one network over another, and it encapsulates the frame in an additional header
  • Tunneling is a mechanism for encapsulating one protocol in another protocol
  • Tunneling allows protocols such as IPX, AppleTalk, and IP to be encrypted and then encapsulated in IP in the context of the Internet
  • Encapsulated packets are routed between tunnel endpoints over the internetwork
  • Tunnel = logical path
  • Tunnel endpoints must agree to the tunnel and negotiate configuration variables, such as address assignment or encryption parameters
  • Once the tunnel is established, encapsulated data is sent
  • The tunnel server accepts the packet, removes the header, and forwards the data to the target network

VPN Elements

  • Secure firewall
  • VPN client software on user desktop
  • Dedicated VPN server
  • Network Access Server (NAS)
  • Tunnel
  • VPN Connection

VPN Elements: Secure Firewall

  • A firewall is a program or hardware device that guards the virtual private network from potential hackers and offensive web sites
  • A firewall filters by blocking or letting through the information coming from the Internet connection to the network

VPN Elements: VPN Client Software

  • The organization provides VPN client software on the user's computer for VPN access to a private network
  • The user runs the VPN Client software to establish the connection to the VPN server to keep connection and data secure

VPN Elements: Dedicated VPN Server

  • A VPN server can be a piece of hardware or software that acts as a gateway to a network or a single computer
  • Generally, it waits for a VPN client to connect to it and processes requests from the VPN client

VPN Elements: Network Access Server (NAS)

  • A network access server is a network device that authenticates clients and associates clients with specific VPN servers
  • Internet Service Providers (ISPs) use them for remote-access VPN users

VPN Elements: Tunnel and VPN Connection

  • Tunnel: The portion of the connection in which data is encapsulated
  • VPN connection: The portion of the connection in which data is encrypted
  • For secure VPN connections, the data is encrypted and encapsulated along the same portion of the connection

VPN Advantages

  • Better network performance
  • Easy to add/remove users
  • Reduced cost
  • Mobility
  • Improved Security

VPN Disadvantages

  • Understanding of security issues: VPNs require a detailed understanding of network security issues and careful installation/configuration to ensure sufficient protection on a public network like the Internet
  • Unpredictable Internet traffic: the reliability and performance of an Internet-based VPN is not under an organization's direct control
  • Difficult to accommodate products from different vendors: VPN products and solutions from different vendors have not always been compatible due to issues with VPN technology standards
  • Attempting to mix and match equipment may cause technical problems, and using equipment from one provider may not give as great a cost savings

Types of VPNs

  • Access VPNs
  • Intranet VPNs
  • Extranet VPNs

Types of VPNs: Access VPNs

  • Access VPNs provide remote users such as road warriors (or mobile users) and telecommuters with reliable access to corporate networks
  • Ideal VPNs enable remote users to work as if they are at their workstations in their offices
  • Many organizations have allowed more employees to telecommute due to their business requirements, such as sales representatives on the road or software developers who work at home

Types of VPNs: Intranet VPNs

  • Intranet VPNs allow branch offices to be linked to corporate headquarters in a secure manner using Internet-based networks as an alternative to private networks based on public network services such as leased lines

Types of VPNs: Extranet VPNs

  • Extranet VPNs allow customers, suppliers, and partners to access corporate intranet in a secure manner
  • Limited access of corporate resources is given to business partners, such as customers or suppliers, enabling them to access shared information
  • These users are allowed to access specific areas of the Intranet that are referred to as the De-Militarized Zone (DMZ)
  • The firewall and access management facilities differentiate between the company's employees and other users as well as each group's privileges
  • Connection requests by the company's employees are directed to the company Intranet, while those by a third party must be directed to the DMZ

Architecture of VPNs

  • In a typical access VPN connection, a remote user (or VPN client) initiates a Point-to-Point Protocol (PPP) connection with the Internet Service Provider's (ISP's) NAS via the public switched telephone network (PSTN)
  • PPP defines the format of the frame to be exchanged between devices, and defines how two devices can negotiate the establishment of the link and the exchange of data
  • PPP is designed to accept payloads from several network layers (not only IP), and Authentication is also provided in the protocol, but it is optional
  • A NAS is a device that terminates dial-up calls over analog (basic telephone service) or Integrated Services Digital Network (ISDN) circuits
  • The NAS is owned by the ISP, and is usually implemented in the ISP's POP
  • ISDN is a set of communication standards for simultaneous digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network
  • Point of presence (POP) is a switching office prepared by the ISP
  • After the user has been authenticated by the appropriate authentication method, the NAS directs the packet to the tunnel that connects both the NAS and the VPN server
  • The VPN server may reside in the ISP's POP or at the corporate site, depending on the VPN model that is implemented
  • The VPN server recovers the packet from the tunnel, unwraps it, and delivers it to the corporate network

Point-to-Point Tunneling Protocol (PPTP)

  • PPTP is a protocol developed by Microsoft and a group of network equipment vendors
  • It permits IPX, NetBEUI, and IP packets to be encapsulated inside IP packets, enabling non-IP applications to run over the Internet
  • As an extension of PPP, it handles only point-to-point connections; it does not support point-to-multipoint connections
  • PPTP is an IP-centric protocol that is designed only for IP networks
  • The NAS that allows the remote user to initiate a VPN call is called the PPTP access concentrator (PAC)
  • The VPN server is called the PPTP network server (PNS)
  • PPTP does not provide packet-by-packet encryption and relies on PPP's native encryption capability
  • A PPTP packet is encapsulated in Generic Routing Encapsulation (GRE), which is then carried over IP
  • PPTP uses TCP, which allows it to support flow control
  • PPTP supports a rate control mechanism that limits the amount of data in transit, minimizing the need for retransmission due to dropped packets

Layer 2 Forwarding (L2F)

  • L2F is a proprietary protocol developed by Cisco Systems; it is protocol-independent and can run over ATM networks
  • Asynchronous transfer mode (ATM) is a switching technique used by telecommunication networks that uses asynchronous time-division multiplexing to encode data into small, fixed-size cells
  • This differs from Ethernet or the Internet, which use variable-size packets or frames for data
  • L2F supports private IP, IPX, and AppleTalk, and uses UDP for Internet tunneling
  • In L2F, the VPN server is called the Home Gateway
  • L2F uses PPP for dial-up user authentication
  • Unlike PPTP, L2F defines its own encapsulation header, which is not dependent on IP and GRE
  • This capability permits L2F to work in different types of networks

VPN Models: NAS-Initiated VPN

  • In NAS-initiated VPN, a VPN client initiates a dial-up session with the ISP's NAS
  • The NAS assigns the user an IP address independent of the user's IP address for the local network
  • The NAS is responsible for tunneling the packet through the Internet to the VPN server
  • The VPN connection extends only between the NAS and the VPN server
  • A NAS-initiated VPN is also called a compulsory VPN because the client does not participate in its creation and is compelled to use it
  • One advantage of NAS-initiated VPN is that it can support multiple connections, which reduces the overhead associated with establishing one VPN for each connection
  • However, the connection between the client and the NAS occurs outside the tunnel, making the VPN vulnerable to attacks

VPN Models: Client-Initiated VPN

  • In a client-initiated VPN, the VPN client is VPN-enabled and the VPN software is already installed
  • The VPN client dials up the ISP's local POP to establish a PPP session
  • Then, using the Internet connection, the client establishes a VPN connection with the VPN server
  • In this model, the tunnel extends from the VPN client to the VPN server, and the NAS is not involved in the tunnel establishment
  • A client-initiated VPN is also called a voluntary VPN because the user determines when and where to establish the VPN

IP Security (IPSec)

  • IP Security (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level
  • IPSec helps create authenticated and confidential packets for the IP layer
  • At the network layer, security is applied between two hosts, two routers, or a host and a router
  • The purpose of network-layer security is to protect applications that use the service of the network layer directly, such as routing protocols

IPSec Architecture

  • Host-host implementation: installing IPSec in all host devices enables end-to-end security between any two devices on the network
  • Router implementation means less work
  • Router implementation means changes to only a few routers instead of hundreds of clients
  • Router implementation provides protection only between pairs of routers

IPSec Modes

  • Transport Mode
  • Tunnel Mode

IPSec Modes: Transport Mode

  • In transport mode, IPSec protects what is delivered from the transport layer to the network layer
  • Transport mode protects the payload to be encapsulated in the network layer
  • IPSec in transport mode does not protect the IP header, and only protects the payload from the transport layer
  • Transport mode is normally used when host-to-host (end-to-end) protection of data is needed
  • The sending host uses IPSec to authenticate and/or encrypt the payload delivered from the transport layer
  • The receiving host uses IPSec to check the authentication and/or decrypt the IP packet and deliver it to the transport layer

IPSec Modes: Tunnel Mode

  • In tunnel mode, IPSec protects the entire IP packet
  • Tunnel mode takes an IP packet (including the header), applies IPSec security methods to the entire packet, and then adds a new IP header
  • The new IP header has different information than the original IP header
  • Tunnel mode is normally used between two routers, between a host and a router, or between a router and a host

IPSec Modes: Comparison

  • In transport mode, the IPSec layer comes between the transport layer and the network layer
  • In tunnel mode, the flow is from the network layer to the IPSec layer and then back to the network layer again

IPSec Protocols

  • IPSec defines two protocols: the Authentication Header (AH) Protocol and the Encapsulating Security Payload (ESP)
  • The AH & ESP protocols provide authentication and/or encryption for packets at the IP level

Authentication Header (AH)

  • The Authentication Header (AH) protocol is designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet
  • The AH protocol uses a hash function and a symmetric (secret) key to create a message digest, and the digest is inserted in the authentication header
  • The AH is then placed in the appropriate location, based on the mode (transport or tunnel)
  • When an IP datagram carries an authentication header, the original value in the protocol field of the IP header is replaced by the value 51
  • A field inside the authentication header (the next header field) holds the original value of the protocol field (the type of payload being carried by the IP datagram)
  • The addition of an authentication header follows these steps:
    • An authentication header is added to the payload with the authentication data field set to 0
    • Padding may be added to make the total length appropriate for a particular hashing algorithm
    • Hashing is based on the total packet, but only those fields of the IP header that do not change during transmission are included in the calculation of the message digest (authentication data)
    • The authentication data is inserted in the authentication header
    • The IP header is added after changing the value of the protocol field to 51
  • Next Header: The 8-bit next header field defines the type of payload carried by the IP datagram (such as TCP, UDP, ICMP, or OSPF)
  • Payload Length: The name of this 8-bit field is misleading
  • It does not define the length of the payload; it defines the length of the authentication header in 4-byte multiples, excluding the first 8 bytes
  • Security Parameter Index: The 32-bit security parameter index (SPI) field plays the role of a virtual circuit identifier and is the same for all packets sent during a connection called a Security Association
  • Sequence Number: A 32-bit sequence number provides ordering information for a sequence of datagrams
  • Authentication Data: The authentication data field is the result of applying a hash function to the entire IP datagram except for the fields that are changed during transit (e.g., time-to-live)
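The AH construction steps and field layout above, carried through in Python as an added example that is not from the original notes. It assumes IPv4 transport mode, HMAC-SHA1 truncated to 96 bits as the "hash function plus secret key" digest, a constructed demo key and a constructed UDP payload; the mutable-field rule (TTL, checksum and similar fields excluded from the digest) is the one the notes describe.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51    # value written into the IP protocol field when an AH follows
AH_FIXED_LEN = 12   # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 12        # 96-bit truncated HMAC, as HMAC-SHA1-96 does (assumption for this demo)
DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key, not a real one


def payload_length_field(ah_total_len: int) -> int:
    """AH 'Payload Length' = AH length in 4-byte words, not counting the first 8 bytes."""
    if ah_total_len % 4:
        raise ValueError("AH must be a multiple of 4 bytes (pad the ICV if needed)")
    return ah_total_len // 4 - 2


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header whose checksum field is 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with DF set and a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Fields routers rewrite in transit (TOS, flags/fragment offset, TTL, checksum)
    count as zero in the digest, so a forwarding hop does not break authentication."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS / DSCP+ECN
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    plen = payload_length_field(AH_FIXED_LEN + len(icv))
    return struct.pack("!BBHII", next_header, plen, 0, spi, seq) + icv


def ah_protect(src, dst, orig_proto, payload, spi, seq, key=DEMO_KEY) -> bytes:
    """Transport-mode AH: Next Header keeps the original protocol, the IP protocol
    field becomes 51, and the ICV covers the whole datagram minus mutable fields."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, AH_PROTOCOL, total_len)
    # Step 1: AH added with the authentication data field set to 0
    ah_zeroed = ah_header(orig_proto, spi, seq, b"\x00" * ICV_LEN)
    # Step 3: digest over the total packet, immutable IP fields only
    icv = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zeroed + payload,
                   hashlib.sha1).digest()[:ICV_LEN]
    # Steps 4-5: insert the digest, prepend the IP header carrying protocol 51
    return ip_hdr + ah_header(orig_proto, spi, seq, icv) + payload


def ah_verify(packet: bytes, key=DEMO_KEY):
    """Returns (ok, next_header, spi, seq, payload); ok is False on any tampering."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTOCOL:
        raise ValueError("protocol field is not 51; no AH present")
    next_header, plen, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_total = (plen + 2) * 4           # invert the payload-length rule
    icv = packet[32:20 + ah_total]
    payload = packet[20 + ah_total:]
    ah_zeroed = packet[20:32] + b"\x00" * len(icv)
    expected = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zeroed + payload,
                        hashlib.sha1).digest()[:len(icv)]
    return hmac.compare_digest(icv, expected), next_header, spi, seq, payload


def router_hop(packet: bytes) -> bytes:
    """Simulate one forwarding hop: decrement TTL and recompute the IP checksum."""
    b = bytearray(packet)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


if __name__ == "__main__":
    # constructed sample: UDP (17) payload "hello" from 10.0.0.1 to 10.0.0.2
    pkt = ah_protect("10.0.0.1", "10.0.0.2", 17, b"hello", spi=0x1000, seq=1)
    print("protocol field:", pkt[9], "payload length field:", pkt[21])
    print("verifies after a router hop:", ah_verify(router_hop(pkt))[0])
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    print("verifies after payload tampering:", ah_verify(tampered)[0])
```

The same zeroing rule is why ESP, which authenticates only its own header, payload and trailer, can skip this step entirely.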

Encapsulating Security Payload (ESP)

  • The AH protocol does not provide confidentiality, only source authentication and data integrity
  • IPSec later defined an alternative protocol, Encapsulating Security Payload (ESP)
  • ESP provides source authentication, integrity, and confidentiality
  • ESP adds a header and trailer
  • ESP's authentication data are added at the end of the packet, which makes calculation easier
  • When an IP datagram carries an ESP header and trailer, the value of the protocol field in the IP header is 50
  • A field inside the ESP trailer (the next-header field) holds the original value of the protocol field
  • Procedure:
    • An ESP trailer is added to the payload
    • The payload and the trailer are encrypted
    • The ESP header is added
    • The ESP header, payload, and ESP trailer are used to create the authentication data
    • The authentication data is added to the end of the ESP trailer
    • The IP header is added after changing the protocol value to 50
  • Security Parameter Index: The 32-bit security parameter index field is similar to the one defined for the AH protocol
  • Sequence Number: The 32-bit sequence number field is similar to the one defined for the AH protocol
  • Padding: This variable-length field (0 to 255 bytes) of 0s serves as padding
  • Pad Length: The 8-bit pad-length field defines the number of padding bytes
  • Next Header: The 8-bit next-header field is similar to that defined in the AH protocol
  • Authentication Data: The authentication data field is the result of applying an authentication scheme to parts of the datagram
  • In AH, part of the IP header is included in the calculation of the authentication data; in ESP, it is not

AH Comparison

  • Only adds a header
  • Only provides authentication and integrity
  • Parts of the IP header included in the authentication calculation
  • Authentication data added in the AH itself
  • Has number 51

ESP Comparison

  • Adds header and trailer
  • Provides authentication, integrity, and confidentiality
  • IP header not included in the authentication calculations
  • Authentication data added at the end of the packet
  • Has number 50

Combining Security Association

  • A Security Association is a contract between two parties that creates a secure channel between them
  • Unidirectionally: if Alice and Bob are interested only in the confidentiality aspect of security, they can agree on a shared secret key between themselves
  • Each of them stores:
    • the key in one variable
    • the name of the encryption/decryption algorithm (DES, RSA…) in another
  • Alice uses the algorithm and the key to encrypt a message to Bob, and Bob uses the algorithm and the key when he needs to decrypt the message received from Alice
  • The Security Association can be more involved if the two parties need message integrity and authentication
  • Each association needs other data such as the algorithm for message integrity, the key, and other parameters
  • A Security Association can be very complex, particularly true if Alice wants to send messages to many people and Bob needs to receive messages from many people
  • Each site needs to have both inbound and outbound SAs to allow bidirectional communication
  • "A set of SAs that can be collected into a database", is called the Security Association Database (SAD)

Security Association Database (SAD)

  • The SAD is a database with a two-dimensional table
  • Each row defines a single SA with the following fields:
  • SN: Sequence number
  • OF: Overflow flag
  • ARW: Anti-replay window
  • AH/ESP: Information for AH or ESP processing, such as algorithms and keys
  • LT: Lifetime
  • Mode: IPSec mode flag (transport or tunnel)
  • MTU: Path MTU
  • Each row is indexed by SPI: Security parameter index, DA: Destination address, and P: Protocol (AH or ESP)
  • Normally a host keeps one inbound SAD and one outbound SAD

Host needs to send a packet

  • The host looks up the corresponding entry in the outbound SAD to find the information for applying security to the packet

Host receives a packet

  • The host looks up the corresponding entry in the inbound SAD to find the information for checking the security of the packet

Inbound SAD is selected using a triple index:

  • security parameter index (a 32-bit number that defines the SA at the destination)
  • destination address
  • protocol (AH or ESP).

Security Policy (SP)

A Security Policy defines the type of security applied to a packet:

  • when it is to be sent
  • when it has arrived
  • Before using the SAD, a host must determine the predefined policy for the packet

The Security Policy Database (SPD)

Each host needs to keep an:

  • inbound SPD
  • outbound SPD
  • Each entry in the SPD is accessed using a sextuple index:
  • source address
  • destination address
  • name
  • protocol
  • source port
  • destination port
  • The name usually identifies a DNS entity
  • The protocol is either AH or ESP

Security Policy Database (SPD): outbound and inbound

Outbound SPD

  • Is consulted when a packet is to be sent out
  • Input is the sextuple index
  • The output is one of the following three cases:
  • drop (the packet cannot be sent)
  • bypass (the packet is sent without a security header)
  • apply (security is applied according to the SAD; if no SA exists yet, one has to be created first, which is the job of key management)

Inbound SPD

  • Is consulted when a packet arrives
  • Input is the sextuple index
  • The output is one of the following three cases:
  • discard (drop the packet)
  • bypass (skip security processing and deliver the packet to the transport layer)
  • apply (apply the policy using the SAD)
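As an added example, not part of the lesson, here is a Python model of the SPD and SAD processing described in the sections above. Outbound packets are matched against the sextuple index of the outbound SPD, and an apply verdict is resolved through the outbound SAD (a missing SA is what would invoke key management). Inbound packets are matched against the inbound SPD and then looked up in the inbound SAD by the triple (SPI, destination address, protocol), where the sequence number, overflow flag and anti-replay window fields of the SAD row are used. The addresses, SPIs, table contents, the sa_id link from an SPD entry to its SA, the 64-packet window and the returned strings are all constructed for this example; the LT and MTU columns are omitted. The Packet tuple's protocol field follows the page's convention (AH or ESP for a protected packet), not the next-layer protocol selector of RFC 4301.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

ANY = "*"  # wildcard in an SPD selector

# Sextuple used to search the SPD: protocol is "TCP"/"UDP" on cleartext, "ESP"/"AH" inbound.
Packet = namedtuple("Packet", "src dst name protocol sport dport")


@dataclass
class Policy:
    src: str           # CIDR prefix
    dst: str           # CIDR prefix
    name: str          # DNS name of the peer, or ANY
    protocol: str
    sport: object      # port number or ANY
    dport: object
    action: str        # "drop"/"discard", "bypass" or "apply"
    sa_id: str = None  # outbound SA to use when action == "apply" (this example's own link)

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.name in (ANY, p.name) and self.protocol in (ANY, p.protocol)
                and self.sport in (ANY, p.sport) and self.dport in (ANY, p.dport))


@dataclass
class SA:
    """One SAD row: SPI, DA, P, Mode plus the SN, OF and ARW state (LT and MTU omitted)."""
    spi: int
    dst: str
    protocol: str           # "AH" or "ESP"
    mode: str               # "transport" or "tunnel"
    seq: int = 0            # SN: last sequence number sent (outbound SA)
    overflow: bool = False  # OF: set when SN would wrap; the SA must then be rekeyed
    window: int = 64        # ARW width in packets
    top: int = 0            # highest sequence number accepted (inbound SA)
    bitmap: int = 0         # bit i set => sequence number top - i already seen

    def next_seq(self):
        if self.seq == 0xFFFFFFFF:
            self.overflow = True
            raise RuntimeError("sequence number exhausted, rekey SA %#x" % self.spi)
        self.seq += 1
        return self.seq

    def accept_seq(self, seq):
        """Sliding-window anti-replay check: True if seq is new and not older than the window."""
        if seq == 0:
            return False
        if seq > self.top:  # newer than anything seen: slide the window forward
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.window else ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.window or self.bitmap & (1 << back):
            return False    # too old, or already seen (replay)
        self.bitmap |= 1 << back
        return True


def lookup_policy(spd, pkt):
    """First match wins, so an SPD is ordered from most to least specific."""
    return next((pol for pol in spd if pol.matches(pkt)), None)


def outbound(spd_out, sad_out, pkt):
    """Outbound SPD: drop | bypass | apply; apply then needs an entry in the outbound SAD."""
    pol = lookup_policy(spd_out, pkt)
    if pol is None or pol.action == "drop":
        return ("drop", None)          # packet cannot be sent
    if pol.action == "bypass":
        return ("bypass", None)        # sent with no security header
    sa = sad_out.get(pol.sa_id)
    if sa is None:
        return ("ike", pol.sa_id)      # no SA yet: key management (IKE) has to create one
    return ("apply", (sa.protocol, sa.mode, sa.spi, sa.next_seq()))


def inbound(spd_in, sad_in, pkt, spi, seq):
    """Inbound SPD: discard | bypass | apply; apply uses the SAD triple index and the ARW."""
    pol = lookup_policy(spd_in, pkt)
    if pol is None or pol.action == "discard":
        return "discard"
    if pol.action == "bypass":
        return "deliver"               # straight to the transport layer
    sa = sad_in.get((spi, pkt.dst, pkt.protocol))  # triple index: SPI, destination, protocol
    if sa is None:
        return "discard: no SA"
    if not sa.accept_seq(seq):
        return "discard: replay"
    return "deliver"


def example_tables():
    """Constructed tables for host A (10.0.0.5); peers B (10.0.1.7) and C (10.0.2.0/24)."""
    spd_out = [Policy("10.0.0.0/24", "10.0.1.0/24", ANY, ANY, ANY, ANY, "apply", "A->B"),
               Policy("10.0.0.0/24", "10.0.2.0/24", ANY, ANY, ANY, ANY, "apply", "A->C"),
               Policy("0.0.0.0/0", "0.0.0.0/0", ANY, ANY, ANY, 53, "bypass"),
               Policy("0.0.0.0/0", "0.0.0.0/0", ANY, ANY, ANY, ANY, "drop")]
    spd_in = [Policy("10.0.1.0/24", "10.0.0.0/24", ANY, "ESP", ANY, ANY, "apply"),
              Policy("0.0.0.0/0", "0.0.0.0/0", ANY, ANY, ANY, ANY, "discard")]
    sad_out = {"A->B": SA(0x1000, "10.0.1.7", "ESP", "transport")}  # nothing for A->C yet
    sad_in = {(0x2000, "10.0.0.5", "ESP"): SA(0x2000, "10.0.0.5", "ESP", "transport")}
    return spd_out, spd_in, sad_out, sad_in
```

With the constructed tables, traffic from A to B is protected on SA 0x1000, traffic to C hits an apply policy with no SA and so reports that key management is needed, DNS is bypassed and everything else is dropped. On the inbound side a repeated sequence number on SA 0x2000 is discarded as a replay, while a late packet that still falls inside the window is accepted.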

Key Management - IKE

  • The Internet Key Exchange (IKE) protocol is designed to create both inbound and outbound Security Associations
  • When a peer needs to send an IP packet, it consults the Security Policy Database (SPD); if the policy is "apply" and no SA for that type of traffic exists yet in the SAD, IKE is called to establish one
  • IKE is based on three other protocols: Oakley, SKEME, and ISAKMP

Internet Key Exchange (IKE) - Protocols

  • Oakley: key creation protocol
  • SKEME: key exchange protocol that uses public-key encryption for entity authentication
  • ISAKMP: designed by the NSA, it defines the packets, protocols, and parameters that allow the IKE exchanges to take place in a standardized format

IPSec Benefits

  • IPSec provides security directly at the IP (network) layer
  • It therefore protects everything carried on top of IP, whatever the application
  • The protocol has been an Internet standard for a long time
  • It has proven to be a secure and trusted method of protecting data

IPSec Limitations

  • Although IPSec has more features than SSH and TLS/SSL, it is difficult to implement
  • It requires special support in routers (and in the host's IP stack)
