Chapter 7 - 07 - Discuss Fundamentals of VPN and its importance in Network Security - 10_ocred.pdf

Full Transcript


Certified Cybersecurity Technician, Network Security Controls - Technical Controls, Exam 212-82. VPN Security. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module 07 Page 954.

VPN Security

This sub-section discusses various VPN security measures.

Firewalls

o Firewalls establish a protection barrier between the VPN and the Internet.
o Before implementing a VPN, ensure that a good firewall is in place.
o Firewalls should be configured to restrict open ports and the types of packets and protocols that traffic is allowed to pass through to the VPN.

Firewalls establish a protection barrier between the VPN and the Internet. Before implementing a VPN, ensure that a good firewall is installed. A firewall can allow or deny the flow of data through the network. Firewalls should be configured to restrict open ports as well as the types of packets and protocols that are allowed to pass through to the VPN. They are also used to terminate VPN sessions. Firewalls generally help in protecting the network from attackers.

Firewalls can be used in the following two ways with a VPN:

o The VPN server is connected to the Internet, and the firewall is located between the VPN server and the intranet. Here, packet filters are added to allow only VPN traffic to and from the IP address of the VPN server.

o A firewall is attached to the Internet, and the VPN server is located between the firewall and the intranet. Here, the firewall has input and output filters on its Internet interface to control the traffic and its passage to the VPN server.
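A policy check for the second design above (input and output filters on the firewall's Internet interface that pass only VPN traffic to and from the VPN server), written here as an added example and not taken from the EC-Council material. The VPN server address is a constructed placeholder, and treating UDP 500 (IKE) and UDP 4500 (NAT-T) as the control-channel ports is an assumption the page does not state.

```python
from ipaddress import ip_address

VPN_SERVER = ip_address("203.0.113.10")   # constructed placeholder for the real VPN server address
ESP, AH, UDP = 50, 51, 17                 # IP protocol numbers; 50 and 51 are the ESP/AH IDs named on the page
IKE_PORTS = {500, 4500}                   # assumption: IKE and NAT-T ports, not stated on the page


def internet_filter(direction, proto, src, dst, dport=None):
    """Input/output filter on the Internet interface: pass only IPsec traffic that is
    addressed to (input) or sent by (output) the VPN server; drop everything else."""
    src, dst = ip_address(src), ip_address(dst)
    endpoint_ok = (dst == VPN_SERVER) if direction == "in" else (src == VPN_SERVER)
    if not endpoint_ok:
        return False
    if proto in (ESP, AH):          # the IPsec data channel itself
        return True
    return proto == UDP and dport in IKE_PORTS   # the key-exchange control channel


def audit(records):
    """Return the records a correctly configured filter would have dropped, so a firewall
    log can be checked against the policy. Record: (direction, proto, src, dst, dport)."""
    return [r for r in records if not internet_filter(*r)]


SAMPLE = [  # constructed records, not real traffic
    ("in", UDP, "198.51.100.7", "203.0.113.10", 500),    # IKE to the VPN server: allowed
    ("in", ESP, "198.51.100.7", "203.0.113.10", None),   # ESP to the VPN server: allowed
    ("in", UDP, "198.51.100.7", "203.0.113.10", 4500),   # NAT-T to the VPN server: allowed
    ("in", 6, "198.51.100.7", "203.0.113.10", 22),       # TCP/22 to the VPN server: dropped
    ("in", ESP, "198.51.100.7", "203.0.113.20", None),   # ESP aimed past the server: dropped
    ("out", ESP, "203.0.113.10", "198.51.100.7", None),  # ESP from the VPN server: allowed
    ("out", UDP, "203.0.113.20", "198.51.100.7", 500),   # IKE from a non-VPN host: dropped
]
```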
Figure 7.119: Depiction of firewall in VPN security (corporate network with LAN PCs, wireless terminals and a branch server behind a firewall, connected over an IPsec tunnel or WAN)

IPsec Server

The IPsec server enhances VPN security through the use of strong encryption algorithms and authentication. It has two encryption modes: in transport mode only the payload of each packet is encrypted, while in tunnel mode both the header and the payload of each packet are encrypted.

An IPsec server has the following two types of encryption modes.

Transport Mode

This is the default mode for an IPsec server. It is generally used for end-to-end communication between a server and a client. In transport mode, IPsec encrypts the IP payload using an authentication header (AH) or an encapsulating security payload (ESP) header. The IP payload can be a TCP segment (a TCP header and TCP segment data), a UDP message (a UDP header and message data), or an ICMP message (an ICMP header and ICMP message data). AH does not generally encrypt the data; it provides only authentication, integrity, and anti-replay protection. With AH the data can still be read, but any change to the data is rejected. AH computes the integrity check value (ICV) over the source and destination addresses; therefore, it cannot be used to traverse NATs. ESP traverses NATs because it does not include the outermost address values in the ICV calculation. When AH and ESP are used together, ESP is applied first, followed by AH, which authenticates the entire new packet.

o AH in transport mode: AH can be used individually or along with ESP. The AH header protects the entire packet. In transport mode, a new IP header is not created in front of the data packet; rather, a copy of the original IP header is placed in front with minor changes to the protocol ID. Hence, it fails to provide complete protection to all the fields in the IP header. AH is recognized in the new IP header with an IP protocol ID of 51.

Figure 7.120: AH in Transport Mode (original IP packet signed by the authentication header)

o ESP in transport mode: The original IP header is moved to the front position. Placing the sender's IP header at the front with minor changes to the protocol ID shows that transport mode does not protect or encrypt the original IP header; ESP is recognized in the new IP header with an IP protocol ID of 50.

Figure 7.121: ESP in Transport Mode (original IP packet encrypted with the ESP header and signed by the ESP authentication trailer)

Tunnel Mode

In tunnel mode, IPsec encrypts both the IP payload and the header, protecting an entire IP packet by encapsulating it with an AH or ESP header and an additional IP header. This mode is useful for protecting traffic between different networks and is primarily used for interoperability with gateways. IPsec tunnel mode is generally implemented in gateway-to-gateway, server-to-gateway, and server-to-server configurations. It is useful for protecting traffic while it passes through untrusted networks.

o AH in tunnel mode: AH can be used individually or along with ESP. The AH header defends the entire packet. However, AH does not safeguard all the fields of the new IP header, since some of them change in transit. Nevertheless, it safeguards everything that does not change in transit. AH is recognized in the new IP header with an IP protocol ID of 51.

Figure 7.122: AH in Tunnel Mode (original IP packet, including its TCP payload, signed by the authentication header)

o ESP in tunnel mode: ESP is recognized in the new IP header with an IP protocol ID of 50.

Figure 7.123: ESP in Tunnel Mode (original IP packet encrypted with the ESP header and signed by the ESP authentication trailer)
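The following added example (not code from the EC-Council material) builds minimal AH and ESP packets, computes the ICV over the scope each protocol defines, and shows why a NAT that rewrites the outer source address breaks AH but not ESP, and how AH's clear-text Next Header field tells transport mode (TCP, 6) from tunnel mode (IP-in-IP, 4). It assumes HMAC-SHA-256 truncated to 96 bits as the integrity algorithm and the RFC 4302 list of mutable IPv4 fields; the key, addresses and payload are constructed, and ESP encryption and trailer are omitted because the point is ICV coverage, not confidentiality.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"  # constructed shared secret; a real SA would get this from IKE

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 (a NAT would recompute it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)

def ah_icv(ip_hdr, ah_fixed, payload):
    """HMAC-SHA-256-96 over the AH scope (RFC 4302): IP header with mutable fields zeroed,
    AH header with its ICV zeroed, then the payload. Source/destination stay covered."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0            # DSCP/ECN may change in transit
    hdr[6:8] = b"\0\0"    # flags / fragment offset
    hdr[8] = 0            # TTL
    hdr[10:12] = b"\0\0"  # header checksum
    data = bytes(hdr) + ah_fixed + b"\0" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def build_ah(src, dst, inner, next_header, spi=0x1001, seq=1):
    """AH packet (IP protocol 51). next_header=6 wraps a TCP segment (transport mode);
    next_header=4 wraps a whole inner IP packet (tunnel mode)."""
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)  # payload len 4 = 24-byte AH
    ip = ipv4_header(src, dst, 51, 20 + 24 + len(inner))
    return ip + ah_fixed + ah_icv(ip, ah_fixed, inner) + inner

def verify_ah(pkt):
    ip, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(ah_icv(ip, ah_fixed, payload), icv)

def ah_mode(pkt):
    """AH's Next Header byte is in the clear: 4 (IP-in-IP) means tunnel mode, else transport."""
    return "tunnel" if pkt[20] == 4 else "transport"

def build_esp(src, dst, inner, spi=0x2002, seq=1):
    """ESP packet (IP protocol 50); its ICV covers only the ESP header and payload, never the outer IP addresses."""
    body = struct.pack("!II", spi, seq) + inner
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:12]
    return ipv4_header(src, dst, 50, 20 + len(body) + 12) + body + icv

def verify_esp(pkt):
    body, icv = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:12], icv)

def nat_rewrite_source(pkt, new_src):
    """What a NAT does on the way out: replace the outer source address (bytes 12-15)."""
    return pkt[:12] + new_src + pkt[16:]
```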
