Chapter 7 - 01 - Discuss Essential Network Security Protocols
EC-Council
Certified Cybersecurity Technician
Network Security Controls — Technical Controls
Exam 212-82

Internet Protocol Security (IPsec)

IPsec is a protocol suite developed by the IETF for securing IP communications by authenticating and encrypting each IP packet of a communication session. It is deployed widely to implement VPNs and for remote user access through dial-up connection to private networks.

Components of IPsec
- IPsec Driver
- Internet Key Exchange
- Internet Security Association Key Management Protocol
- Oakley
- IPsec Policy Agent

Benefits of IPsec
- Network-level peer authentication (IKE)
- Data origin authentication
- Data integrity
- Data confidentiality (encryption)
- Replay protection

[Slide figures: Modes of IPsec (transport-mode and tunnel-mode encapsulation) and IPsec Architecture (AH Protocol, ESP Protocol, Authentication Algorithm, Encryption Algorithm, Domain of Interpretation (DOI), Policy, Key Management); the diagram layout is not recoverable from the scan.]

Module 07 Page 710. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Internet Protocol Security (IPsec)

Internet Protocol Security (IPsec) is a set of protocols that the Internet Engineering Task Force (IETF) developed to support the secure exchange of packets at the IP layer. It ensures interoperable, cryptographically based security for IPv4 and IPv6, and it supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. It is widely used to implement VPNs and for remote user access through dial-up connection to private networks. It supports transport and tunnel encryption modes, although sending and receiving devices must share a public key. IPsec policies can be assigned through the Group Policy configuration of Active Directory domains, organizational units, and IPsec deployment policies at the domain, site, or organizational-unit level.

The security services offered by IPsec include the following:
- Rejection of replayed packets (a form of partial sequence integrity)
- Data confidentiality (encryption)
- Access control
- Connectionless integrity
- Data origin authentication
- Data integrity
- Limited traffic-flow confidentiality
- Network-level peer authentication
- Replay protection

At the IP layer, IPsec provides all the above-mentioned services, offering protection for IP and/or upper-layer protocols such as TCP, UDP, ICMP, and Border Gateway Protocol (BGP).

[Figure 7.17: Working of IPsec. Two LANs (internal IP addresses), each behind a firewall with an external IP address, connected by an IPsec tunnel across the Internet.]

Components of IPsec
- IPsec driver: Software that performs the protocol-level functions required to encrypt and decrypt packets.
- Internet Key Exchange (IKE): A protocol that produces security keys for IPsec and other protocols.
- Internet Security Association and Key Management Protocol (ISAKMP): Software that allows two computers to communicate by encrypting the data exchanged between them.
- Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key and a key that is specific to each session in IPsec data transfer.
- IPsec Policy Agent: A service included in Windows OS that enforces IPsec policies for all the network communications initiated from that system.

The following are the steps involved in the IPsec process.
- A consumer sends a message to a service provider.
- The consumer's IPsec driver attempts to match the outgoing packet's address or the packet type against the IP filter.
- The IPsec driver notifies ISAKMP to initiate security negotiations with the service provider.
- The service provider's ISAKMP receives the security negotiation request.
- Both principals initiate a key exchange, establishing an ISAKMP Security Association (SA) and a shared secret key.
- Both principals negotiate the security level for the information exchange, establishing both IPsec SAs and keys.
- The consumer's IPsec driver transfers packets to the appropriate connection type for transmission to the service provider.
- The provider receives the packets and transfers them to the IPsec driver.
- The provider's IPsec uses the inbound SA and key to check the digital signature and begin decryption.
- The provider's IPsec driver transfers the decrypted packets to the OSI transport layer for further processing.

Modes of IPsec

The configuration of IPsec involves two different modes: the tunnel mode and the transport mode.
These modes are associated with the functions of two core protocols: the Encapsulating Security Payload (ESP) and the Authentication Header (AH). The mode selection depends on the requirements and implementation of IPsec.

- Transport Mode

In the transport mode (also ESP), IPsec encrypts only the payload of the IP packet, leaving the header untouched. It authenticates the two connected computers and provides the option of encrypting the data transfer. It is compatible with network address translation (NAT); therefore, it can be used to provide VPN services for networks utilizing NAT.

[Figure 7.18: Transport-mode encapsulation. Packet layout: IP header | IPsec header | Transport data (TCP, UDP, etc.) | IPsec trailer (ESP only); the transport data and the trailer are encrypted.]

- Tunnel Mode

In the tunnel mode (also AH), IPsec encrypts both the payload and the header. Hence, the tunnel mode has higher security than the transport mode. After receiving the data, the IPsec-compliant device performs decryption. The tunnel mode is used to create VPNs over the Internet for network-to-network communication (e.g., between routers and link sites), host-to-network communication (e.g., remote user access), and host-to-host communication (e.g., private chat). It is compatible with NAT and supports NAT traversal.

In the tunnel mode, the system encrypts entire IP packets (payload and IP header) and encapsulates the encrypted packets into a new IP packet with a new header. In this mode, ESP encrypts and optionally authenticates entire inner IP packets, whereas AH authenticates entire inner IP packets and selected fields of the outer IP headers.
The tunnel mode is usually used between two gateways or between a host and a gateway.

[Figure 7.19: Tunnel-mode encapsulation. Host 1 in Network 1 sends through gateway GW1 across the Internet to gateway GW2, which fronts Host 2 in Network 2. Packet layout: Outer IP header | IPsec header | Inner IP header | IP payload | IPsec trailer (ESP only); the inner IP header, the payload, and the trailer are encrypted.]

IPsec Architecture

IPsec offers security services at the network layer. This provides the freedom to select the required security protocols as well as the algorithms used for the services. To provide the requested services, the corresponding cryptographic keys can be employed, if required. Security services offered by IPsec include access control, data origin authentication, connectionless integrity, anti-replay, and confidentiality. To meet these objectives, IPsec uses two traffic security protocols, AH and ESP, as well as cryptographic key management protocols and procedures.

The protocol structure of the IPsec architecture is as follows.
- Authentication Header (AH): It offers integrity and data origin authentication, with optional anti-replay features.
- Encapsulating Security Payload (ESP): It offers all the services offered by AH as well as confidentiality.
- IPsec Domain of Interpretation (DOI): It defines the payload formats, exchange, and naming conventions for security information such as types of cryptographic algorithms or security policies. IPsec DOI instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations.
- Internet Security Association and Key Management Protocol (ISAKMP): It is a key protocol in the IPsec architecture that establishes the required security for various communications over the Internet, such as government, private, and commercial communications, by combining the security concepts of authentication, key management, and security associations.
- Policy: IPsec policies are useful in providing network security. They define when and how to secure data, as well as the security methods to use at different levels in the network. One can configure IPsec policies to meet the security requirements of a system, domain, site, organizational unit, and so on.

[Figure 7.20: IPsec architecture. The IPsec Architecture node branches into the AH Protocol, the ESP Protocol, the Authentication Algorithm, the Encryption Algorithm, the IPsec Domain of Interpretation (DOI), Policy, and Key Management.]
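The two encapsulation layouts (Figures 7.18 and 7.19) and the "rejection of replayed packets" service from the list above, as an added example that is not part of the EC-Council text: a Python sketch that builds transport-mode and tunnel-mode ESP packets, then decapsulates them on the receiving side by verifying the ICV, checking a sliding anti-replay window, and only then decrypting. The key, SPI, addresses and payload are constructed demo values, and a SHA-256 XOR keystream stands in for the negotiated encryption algorithm.

```python
import hashlib, hmac, struct
KEY = b"demo-sa-key-not-for-real-use"        # constructed demo key, not a real SA key
SPI = 0x1000                                  # constructed Security Parameter Index
INNER_IP = b"\x45" + b"\x00" * 11 + bytes([10, 0, 0, 5, 10, 0, 1, 7])        # minimal 20-byte IPv4 header
OUTER_IP = b"\x45" + b"\x00" * 11 + bytes([203, 0, 113, 1, 198, 51, 100, 2])  # gateway-to-gateway header
PAYLOAD = b"GET / HTTP/1.1\r\n"

def keystream_xor(data, key):
    """Toy stream cipher (XOR with a SHA-256 keystream) standing in for AES; demo only."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_encapsulate(mode, seq):
    """Transport: inner IP header stays in the clear, payload protected. Tunnel: whole inner packet protected."""
    if mode == "transport":
        clear_header, protected, next_header = INNER_IP, PAYLOAD, 6             # 6 = TCP
    else:
        clear_header, protected, next_header = OUTER_IP, INNER_IP + PAYLOAD, 4  # 4 = IP-in-IP
    pad_len = (-(len(protected) + 2)) % 4                  # ESP trailer = padding, pad length, next header
    trailer = bytes(pad_len) + bytes([pad_len, next_header])
    esp_header = struct.pack("!II", SPI, seq)              # SPI + sequence number travel in the clear
    enc = keystream_xor(protected + trailer, KEY)
    icv = hmac.new(KEY, esp_header + enc, hashlib.sha256).digest()[:12]  # ICV over ESP header + ciphertext
    return clear_header + esp_header + enc + icv

class ReplayWindow:
    """Sliding-window anti-replay check: drop duplicates and sequence numbers older than the window."""
    def __init__(self, size=64):
        self.size, self.top, self.bits = size, 0, 0
    def accept(self, seq):
        if seq > self.top:                                 # newest packet so far: slide the window
            self.bits = ((self.bits << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        off = self.top - seq
        if off >= self.size or (self.bits >> off) & 1:     # fell behind the window, or already seen
            return False
        self.bits |= 1 << off
        return True

def esp_decapsulate(pkt, window):
    """Receiver: verify the ICV, then the replay window, then decrypt. Returns (next_header, data) or None."""
    esp, enc, icv = pkt[20:28], pkt[28:-12], pkt[-12:]
    if not hmac.compare_digest(icv, hmac.new(KEY, esp + enc, hashlib.sha256).digest()[:12]):
        return None                                        # integrity failure: drop before doing anything else
    spi, seq = struct.unpack("!II", esp)
    if spi != SPI or not window.accept(seq):
        return None                                        # unknown SA or replayed packet
    plain = keystream_xor(enc, KEY)
    return plain[-1], plain[:len(plain) - 2 - plain[-2]]   # strip trailer: (next header, protected data)
```

Note the order of checks on receipt: the ICV is verified before the replay window is touched and before any decryption, so a forged or tampered packet cannot advance the window or consume cipher work.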