Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 06_ocred.pdf

Certified Cybersecurity Technician
Network Security Controls — Technical Controls
Exam 212-82

VPN Core Functionality: Encryption

○ Packets sent over a VPN are encrypted to maintain the confidentiality of the information
○ Common VPN Encryption Technologies
  ▪ Triple Data Encryption Standard (3DES)
  ▪ Secure Sockets Layer (SSL)
  ▪ OpenVPN

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

VPN Core Functionality: Encryption

A VPN uses encryption to provide an additional layer of security to data transmitted over the VPN. Encryption plays an important role when sensitive data in an organization are transferred over the Internet. All data that enter the VPN tunnel are encrypted, and decryption is performed as soon as the data reach the end of the tunnel. An encryption key is used in the process of encryption and decryption. Encryption prevents monitoring, logging, or tampering of the data in an organization.

Encryption helps secure the data passing through the network. The sender encrypts the data passing through the network, and the receiver decrypts the data. No encryption is required on the communication link between a dial-up client and the Internet service provider, as the process of encryption occurs between the VPN client and the VPN server.

[Figure 7.110: VPN encryption. Main Office, Branch Office and Home Office connected through a Certificate Authority (CA): certificates are managed by a certificate server, the key is sent to the VPN user to decrypt data, and packets are read by decrypting them with the encryption key from the sender.]

Module 07 Page 933  Certified Cybersecurity Technician  Copyright © by EC-Council

In VPN encryption, both the sender and the receiver must have a common encryption key that is sent along with the data. If a packet traveling through the VPN connection does not have the keys associated with it, then it is of no use to the computer. There are many mechanisms to determine the length of the encryption key. The encryption of messages using the same key enables the easy interpretation of the encrypted data. The administrator can always select the encryption keys used for a connection.

In end-to-end encryption, the encryption occurs between the client application and the server. IPsec is used with an end-to-end connection once a remote-access connection is established. IPsec works as follows:

▪ A packet is encrypted using an encryption key. The key is known only to the sender and the receiver.
▪ An encapsulation header, a sub-protocol, conceals the sensitive information of the packets, including the sender's identity.

VPN Encryption Technologies

▪ Triple DES algorithm: It operates on 64-bit blocks of data, processing each block three times with a 56-bit key. 3DES eliminates the chances of breaking the encryption key.
▪ Secure Socket Layer (SSL): SSL is a secure technology that enables communication between a server and a client. SSL enables the secure transmission of credit card numbers, login credentials, etc. over the Internet.
▪ OpenVPN: OpenVPN is an open-source VPN instance that works with the SSL/TLS protocol. OpenVPN can be used as both software and a VPN protocol that utilizes VPN techniques to protect site-to-site and point-to-point network connections. It creates a secure tunnel between a VPN client and server. Using the OpenSSL library, OpenVPN handles both encryption and authentication. OpenVPN can also use TCP or UDP for data transmission.

VPN Core Functionality: Authentication

○ Users are authenticated to access the VPN and its resources
○ It uses digital certificates to authenticate users
○ Common user authentication techniques for a VPN
  ▪ IPsec
  ▪ MS-CHAP
  ▪ Kerberos

[Figure: VPN authentication between VPN Router 200.15.150.3 (Network 1) and VPN Router 203.12.205.40 (Network 2) across the Internet: 1. Packet (unencrypted); 2. Packet (encrypted and encapsulated); 3. Authorization requested; 4. Database check determines whether authentication was successful. If not successful, the packet is refused and an error message is returned to the sender.]

VPN Core Functionality: Authentication

Authentication is an integral part of VPN technology, as the hosts receiving VPN communication must ensure the authenticity of the hosts initiating and sending the VPN connections. Users must be authenticated to access the VPN and its resources, and authentication uses digital certificates. A VPN employs the following three types of authentication.

▪ User authentication: In this type of authentication, the VPN employs the mutual authentication concept. The VPN server authenticates the VPN client to check whether the client has the permission to connect. Moreover, the VPN client can authenticate a VPN server for proper permissions.
▪ Computer authentication with L2TP/IPsec: Remote-access computers are authenticated for proper permissions using IPsec and L2TP/IPsec.
▪ Data authentication and integrity: All L2TP/IPsec packets sent are included with a cryptographic checksum based on the encryption key. Only the sender and the receiver know this checksum. This is to ensure that the data sent are not manipulated during transit.

Authentication Techniques Used in VPN

▪ IPsec Family
  ○ Internet Protocol Security (IPsec): All application traffic is secured using the IP network. IPsec conducts session authentication and data packet authentication for any two securely connected entities. IPsec ensures a secure connection between two networks or from remote networks to the main network.
  ○ Layer 2 Tunneling Protocol (L2TP): This protocol initiates a connection between two L2TP endpoints. L2TP is always combined with IPsec to confirm security.
▪ Kerberos: Kerberos consists of a record of clients and their private keys. Only the client and Kerberos know the details of the private key, and Kerberos generates session keys that encrypt the messages between two clients.
▪ Password Authentication Protocol (PAP): PAP uses a cleartext authentication mechanism for authenticating users. It sends a username and password as per the NAS request. The NAS receives the username and password in cleartext, which implies that the NAS receives the details in an unencrypted form. This makes it easy for attackers to establish a connection with the NAS to acquire all the information.
▪ Shiva Password Authentication Protocol (SPAP): SPAP is a reversible encryption mechanism that is more secure than PAP. SPAP plays its role when a Shiva client attempts to access a server. However, this authentication mechanism is less secure than the Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MS-CHAP).
▪ Challenge Handshake Authentication Protocol (CHAP): CHAP is more secure than PAP and uses an encrypted authentication technique, which transmits a representation of the password instead of the actual password during the authentication process. The server sends a challenge message to the client to authenticate users. Users respond with a hash value created using a hash algorithm. The server then compares this hash value with its own calculation of the hash. If they match, then authentication is acknowledged. The remote client creates a hash of the session ID, the challenge, and the password, using the MD5 one-way hashing algorithm.
▪ Microsoft CHAP (MS-CHAP): MS-CHAP uses a remote-access server to send a session identifier and a challenge string to the remote-access client. The client, in turn, sends an encrypted form of the identifier and challenge string to the server. This encrypted form is irreversible.
▪ Extensible Authentication Protocol (EAP): With EAP, the data for authentication are compared against an authentication database server. The EAP authentication protocol allows new plug-ins to be added at the client and server.
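As an added example (not part of the EC-Council module), the two mechanisms the authentication section describes, carried through in code: the CHAP exchange, where the client returns an MD5 hash of the session identifier, password and challenge instead of the password itself, and the keyed checksum on each packet that lets the receiver refuse manipulated data. The user database, the demo session key and the sample packet are constructed for illustration; a real VPN negotiates its data key through IKE or TLS rather than deriving it from the CHAP challenge.

```python
import hashlib
import hmac
import os

# Constructed credential store held by the VPN server (hypothetical user and secret).
USER_DB = {"alice": b"correct horse battery staple"}

def chap_challenge():
    """Server side: issue a one-byte session identifier and a random challenge."""
    return os.urandom(1)[0], os.urandom(16)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over identifier || secret || challenge (RFC 1994 layout)."""
    # Only this one-way digest crosses the link; the password itself never does.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest from the stored secret and compare."""
    secret = USER_DB.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def seal_packet(key: bytes, payload: bytes) -> bytes:
    """Sender side: append a keyed checksum (HMAC-SHA256) the receiver can verify."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def open_packet(key: bytes, packet: bytes):
    """Receiver side: return the payload if the checksum verifies, else None (refused)."""
    if len(packet) < 32:
        return None
    payload, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None
    return payload

def demo() -> dict:
    """Authenticate, then send one intact and one tampered packet."""
    ident, challenge = chap_challenge()
    response = chap_response(ident, USER_DB["alice"], challenge)
    auth_ok = chap_verify("alice", ident, challenge, response)
    # Replaying the same response against a fresh challenge must be refused.
    replay_ok = chap_verify("alice", *chap_challenge(), response)
    # Constructed session key for the demo; real VPNs negotiate it via IKE or TLS.
    key = hashlib.sha256(USER_DB["alice"] + challenge).digest()
    packet = seal_packet(key, b"GET /payroll")
    tampered = packet[:4] + bytes([packet[4] ^ 0x01]) + packet[5:]
    return {"auth": auth_ok, "replay": replay_ok,
            "intact": open_packet(key, packet), "tampered": open_packet(key, tampered)}
```

Running demo() shows the contrast with PAP directly: nothing on the wire ever equals the stored secret, yet a flipped byte in the data packet is still refused.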
