Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security
Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls

VPN Core Functionality: Encryption (slide)
- Packets sent over a VPN are encrypted to maintain the confidentiality of the information.
- Packets are read by decrypting them with the encryption key shared with the sender.
- Common VPN encryption technologies: Triple Data Encryption Standard (3DES), Secure Sockets Layer (SSL), OpenVPN.
[Slide figure: a Certificate Authority (CA) issues certificates, managed by a certificate server, to the Main Office, Branch Office and Home Office; the key is sent to the VPN user to decrypt data.]
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

VPN Core Functionality: Encryption

A VPN uses encryption to provide an additional layer of security to data transmitted over the VPN. Encryption plays an important role when sensitive data in an organization are transferred over the Internet. All data that enter the VPN tunnel are encrypted, and decryption is performed as soon as the data reach the end of the tunnel. An encryption key is used in the process of encryption and decryption. Encryption prevents anyone on the path from reading or meaningfully logging the data; combined with the integrity protection that IPsec and TLS add to each packet, tampering in transit is detected as well. Encryption helps secure the data passing through the network: the sender encrypts the data, and the receiver decrypts them. No encryption is required on the communication link between a dial-up client and the Internet service provider, as encryption occurs between the VPN client and the VPN server.
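To make the tunnel behaviour described above concrete, here is an added example in Go; it is not code from the EC-Council material or from any VPN product. It assumes the two tunnel endpoints already share a 256-bit key (in a real VPN that key comes from IKEv2 or the TLS handshake, never from the data packets themselves) and uses AES-GCM, an authenticated cipher, in place of the specific ciphers the page lists. The key values, the inner packet and the helper names tunnelSeal, tunnelOpen and demoTunnel are all constructed for this example. It checks the four properties the paragraph describes: the far end recovers the packet, an on-path observer sees neither the inner addresses nor the payload, a wrong key decrypts nothing, and a modified packet is rejected rather than decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed demo keys. A real VPN never hard-codes keys: IKEv2 (IPsec) or the
// TLS handshake (OpenVPN, SSL VPNs) establishes them, and the key is never
// carried inside the data packets it protects.
var (
	gatewayKey  = bytes.Repeat([]byte{0x42}, 32) // 256-bit key held by both tunnel ends
	strangerKey = bytes.Repeat([]byte{0x99}, 32) // a key an eavesdropper might try
)

// Constructed inner packet: the original header and payload entering the tunnel.
var innerPacket = []byte("SRC=10.1.1.5 DST=10.2.2.9 PAYLOAD=Q3 payroll export")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// tunnelSeal is the encrypting tunnel endpoint. The whole inner packet, header
// included, becomes ciphertext; nonce || ciphertext || tag is what crosses the
// Internet, comparable to an ESP payload in tunnel mode.
func tunnelSeal(key, inner []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Fresh 96-bit nonce per packet. IPsec derives it from a sequence counter
	// rather than randomness; either way it must never repeat under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, inner, nil)...), nil
}

// tunnelOpen is the decrypting endpoint. GCM verifies the tag before releasing
// any plaintext, so a wrong key or a flipped bit yields an error, never garbage.
func tunnelOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("packet too short to carry nonce and tag")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// TunnelResult records the properties the demo checks.
type TunnelResult struct {
	RoundTrip        bool // legitimate receiver recovers the inner packet
	InnerHidden      bool // observer sees neither inner addresses nor payload
	WrongKeyRejected bool // any key other than the shared one decrypts nothing
	TamperRejected   bool // a modified packet is detected, not decrypted
}

func demoTunnel() (TunnelResult, error) {
	var r TunnelResult
	sealed, err := tunnelSeal(gatewayKey, innerPacket)
	if err != nil {
		return r, err
	}
	got, err := tunnelOpen(gatewayKey, sealed)
	r.RoundTrip = err == nil && bytes.Equal(got, innerPacket)

	r.InnerHidden = !bytes.Contains(sealed, []byte("10.1.1.5")) &&
		!bytes.Contains(sealed, []byte("payroll"))

	_, err = tunnelOpen(strangerKey, sealed)
	r.WrongKeyRejected = err != nil

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // one bit flipped in transit
	_, err = tunnelOpen(gatewayKey, tampered)
	r.TamperRejected = err != nil
	return r, nil
}

func main() {
	r, err := demoTunnel()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

Running it with `go run` prints all four fields as true. The design point worth noticing is that tunnelOpen never returns partially decrypted data: with an authenticated cipher the integrity check comes first, which is what lets a VPN gateway drop a tampered packet instead of forwarding corrupted plaintext into the internal network. Reusing a nonce under the same key would break AES-GCM completely, which is why IPsec ties the nonce to the anti-replay sequence number.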
Figure 7.110: VPN encryption

Module 07 Page 933 Certified Cybersecurity Technician Copyright © by EC-Council

In VPN encryption, both the sender and the receiver must hold the same encryption key. The key itself is not carried inside the data it protects: it is agreed before the data flow (a pre-shared key, or a key exchange authenticated with certificates), and only the encrypted packets travel over the connection. A packet that arrives at a computer which does not hold the matching key is of no use to that computer. The key length depends on the algorithm chosen. Because sender and receiver use the same (symmetric) key, the receiver can interpret the encrypted data directly, whereas an observer without the key cannot. The administrator selects the encryption algorithm and key length used for a connection.

In end-to-end encryption, the encryption occurs between the client application and the server. IPsec is used with an end-to-end connection once a remote-access connection is established. IPsec works as follows:
- A packet is encrypted using an encryption key. The key is known only to the sender and the receiver.
- An encapsulation header (the Encapsulating Security Payload, ESP, in tunnel mode) wraps the original packet so that its sensitive fields, including the original sender's address, are hidden from anyone on the path.

VPN Encryption Technologies
- Triple DES (3DES): 3DES operates on 64-bit blocks of data and runs the DES algorithm three times over each block with up to three 56-bit keys (168 key bits, about 112 bits of effective strength). It was introduced because single-key DES had become brute-forceable; it does not eliminate the chance of breaking the key, and its small 64-bit block size is why it is deprecated today (NIST disallows 3DES for encryption after 2023), so modern VPNs use AES instead.
- Secure Sockets Layer (SSL): SSL is a secure technology that enables communication between a server and a client, for example the transmission of credit card numbers and login credentials over the Internet. All SSL versions are now deprecated; what is still called an "SSL VPN" actually runs on its successor, Transport Layer Security (TLS).
- OpenVPN: OpenVPN is an open-source VPN implementation that works over the SSL/TLS protocol.
OpenVPN can be used both as software and as a VPN protocol that applies VPN techniques to protect site-to-site and point-to-point network connections. It creates a secure tunnel between a VPN client and server. Using the OpenSSL library, OpenVPN handles both encryption and authentication. OpenVPN can use either TCP or UDP for data transmission.

VPN Core Functionality: Authentication (slide)
- Users are authenticated before they may access the VPN and its resources.
- Digital certificates are commonly used to authenticate users.
- Common user authentication techniques for a VPN: IPsec, MS-CHAP, Kerberos.
[Slide figure: two VPN routers (200.15.150.3 and 203.12.205.40) connected across the Internet. 1. Packet (unencrypted). 2. Packet (encrypted and encapsulated). 3. Authorization requested. 4. Database check determines whether authentication was successful. Not successful: the packet is refused and an error message is returned to the sender.]

VPN Core Functionality: Authentication

Authentication is an integral part of VPN technology, as the hosts receiving VPN communication must ensure the authenticity of the hosts initiating and sending the VPN connections. Users must be authenticated to access the VPN and its resources; this authentication commonly relies on digital certificates. A VPN employs the following three types of authentication.
- User authentication: In this type of authentication, the VPN employs the mutual authentication concept. The VPN server authenticates the VPN client to check whether the client has permission to connect, and the VPN client can in turn authenticate the VPN server.
- Computer authentication with L2TP/IPsec: Remote-access computers are authenticated for proper permissions using IPsec and L2TP/IPsec.
- Data authentication and integrity: Every L2TP/IPsec packet carries a cryptographic checksum (a keyed hash) computed with a key known only to the sender and the receiver. The receiver recomputes the checksum; a mismatch shows that the data were manipulated in transit, and the packet is discarded.

Authentication Techniques Used in VPN

IPsec Family
  o Internet Protocol Security (IPsec): IPsec secures all application traffic at the IP layer, so applications need no changes. It authenticates the session between the two peers and each individual data packet for any two securely connected entities, and provides a secure connection between two networks, or from remote networks to the main network.
  o Layer 2 Tunneling Protocol (L2TP): L2TP sets up a tunnel between two L2TP endpoints. L2TP itself provides no encryption, so it is combined with IPsec (L2TP/IPsec) to secure the traffic.

Kerberos
Kerberos keeps a record of clients and their secret keys in its key distribution center. Only the client and Kerberos know a client's secret key, and Kerberos generates session keys that encrypt the messages between two clients.

Password Authentication Protocol (PAP)
PAP uses a cleartext authentication mechanism for authenticating users. The client sends its username and password in response to the request from the network access server (NAS). The NAS receives the username and password in cleartext, that is, in unencrypted form.
Anyone able to observe the link can therefore capture the credentials and use them to authenticate to the NAS.

Shiva Password Authentication Protocol (SPAP)
SPAP is a reversible encryption mechanism that is more secure than PAP. SPAP is used when a Shiva client attempts to access a server. However, this mechanism is less secure than the Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MS-CHAP).

Challenge Handshake Authentication Protocol (CHAP)
CHAP is more secure than PAP because it uses a challenge-response technique that transmits a representation of the password instead of the password itself during authentication. The server sends a challenge message to the client. The client responds with a hash value computed with the MD5 one-way hash algorithm over the CHAP identifier, the shared secret (the password) and the challenge. The server computes the same hash from its own copy of the secret and compares it with the response; if they match, authentication is acknowledged. Because the challenge is random and changes on every attempt, a captured response cannot simply be replayed. An attacker who captures a challenge/response pair can still try candidate passwords offline against it, so the strength of the shared secret matters.

Microsoft CHAP (MS-CHAP)
With MS-CHAP, the remote-access server sends a session identifier and a challenge string to the remote-access client. The client returns an irreversibly encrypted form of the identifier and challenge string derived from the user's password. MS-CHAP and MS-CHAPv2 are built on weak primitives (MD4 and DES) and are considered breakable today, so they should only be run inside a protected tunnel such as PEAP.

Extensible Authentication Protocol (EAP)
EAP is an authentication framework rather than a single method: the authentication data it carries are checked against an authentication database server (typically reached via RADIUS), and new authentication methods can be added as plug-ins on both the client and the server.
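The PAP and CHAP exchanges described above, written out as an added Go example (this is not the EC-Council material's code, nor an implementation from any particular NAS product). The user name, the secret and the 16-byte challenge are constructed for the example; the response computation follows RFC 1994, MD5 over the identifier, the secret and the challenge. The helper names papRequest, chapChallenge, chapResponse, chapVerify and demoAuth are assumptions of this example. It shows what each protocol puts on the wire, why a captured CHAP response cannot be replayed against a fresh challenge, and that a PAP packet hands the password to anyone who can read the link.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Constructed credential store on the authentication server. CHAP requires the
// server to hold the cleartext secret (or an equivalent) so it can recompute
// the expected response.
var userSecrets = map[string][]byte{
	"alice": []byte("correct horse battery staple"),
}

// papRequest is what a PAP client puts on the wire: the credentials themselves.
// Whoever can read the link reads the password.
func papRequest(user, password string) []byte {
	return []byte(user + ":" + password)
}

// chapChallenge is the server's opening message (RFC 1994): an identifier and
// a fresh random challenge. A new challenge on every attempt defeats replay.
type chapChallenge struct {
	ID        byte
	Challenge []byte
}

func newChapChallenge(id byte) (chapChallenge, error) {
	c := chapChallenge{ID: id, Challenge: make([]byte, 16)}
	_, err := rand.Read(c.Challenge)
	return c, err
}

// chapResponse is the client's reply: MD5(identifier || secret || challenge).
// The password itself never leaves the client; only this 16-byte digest does.
func chapResponse(c chapChallenge, secret []byte) []byte {
	h := md5.New()
	h.Write([]byte{c.ID})
	h.Write(secret)
	h.Write(c.Challenge)
	return h.Sum(nil)
}

// chapVerify is the server side: recompute the digest from the stored secret
// and compare in constant time so timing does not leak how many bytes matched.
func chapVerify(c chapChallenge, user string, response []byte) bool {
	secret, ok := userSecrets[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(chapResponse(c, secret), response) == 1
}

// AuthResult records what the demo observed.
type AuthResult struct {
	PAPExposesPassword      bool // the password appears verbatim in the PAP packet
	CHAPAccepted            bool // correct secret passes verification
	CHAPRejectsWrong        bool // wrong secret fails verification
	CHAPRejectsReplay       bool // a captured response fails against a new challenge
	ResponseChangesEachTime bool // same secret, new challenge, different digest
}

func demoAuth() (AuthResult, error) {
	var r AuthResult
	secret := userSecrets["alice"]

	// PAP: the "authentication" packet is the credential.
	r.PAPExposesPassword = bytes.Contains(papRequest("alice", string(secret)), secret)

	// CHAP round 1: server challenges, client answers, server verifies.
	c1, err := newChapChallenge(1)
	if err != nil {
		return r, err
	}
	resp1 := chapResponse(c1, secret)
	r.CHAPAccepted = chapVerify(c1, "alice", resp1)
	r.CHAPRejectsWrong = !chapVerify(c1, "alice", chapResponse(c1, []byte("guess")))

	// CHAP round 2: an eavesdropper replays resp1 against the new challenge.
	c2, err := newChapChallenge(2)
	if err != nil {
		return r, err
	}
	r.CHAPRejectsReplay = !chapVerify(c2, "alice", resp1)
	r.ResponseChangesEachTime = !bytes.Equal(resp1, chapResponse(c2, secret))
	return r, nil
}

func main() {
	r, err := demoAuth()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

Two practical points follow from the code. First, the server must store the secret in a form it can hash with, so a compromised CHAP server leaks usable credentials, unlike a server that keeps only salted password hashes. Second, an attacker who records c1 and resp1 holds everything needed to test password guesses offline, since MD5 is fast; CHAP resists replay and passive reading of the password, not a dictionary attack against a weak one.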