prev
next
out of 15

CCNA 4 CH7

Embed Size (px)

DESCRIPTION

ccna 4 chapter 7

Citation preview

  • CH7 SecuringSitetoSiteConnectivitySecurityisaconcernwhenusingthepublicInternettoconductbusiness.VirtualPrivateNetworks(VPNs)areusedtoensurethesecurityofdataacrosstheInternet.AVPNisusedtocreateaprivatetunneloverapublicnetwork.DatacanbesecuredbyusingencryptioninthistunnelthroughtheInternetandbyusingauthenticationtoprotectdatafromunauthorizedaccess.

    ThischapterexplainstheconceptsandprocessesrelatedtoVPNs,aswellasthebenefitsofVPNimplementationsandtheunderlyingprotocolsrequiredtoconfigureVPNs.

    VPNsataGlance

    Asmalltomediumsizedbusinessisgrowingandneedscustomers,teleworkers,andwired/wirelessemployeestobeabletoaccessthemainnetworkfromanylocation.Asthenetworkadministratorforthebusiness,youhavedecidedtoimplementVPNsforsecurity,networkaccessease,andcostsavings.

    ItisyourjobtoensurethatallofthenetworkadministratorsstarttheVPNplanningprocesswiththesameknowledgeset.

    FourbasicVPNinformationalareasneedtoberesearchedandpresentedtothenetworkadministrativeteam:

    ConcisedefinitionofVPNs SomegeneralVPNfacts IPsecasaVPNsecurityoption WaysVPNsusetunneling

    FundamentalsofVPNsOrganizationsneedsecure,reliable,andcosteffectivewaystointerconnectmultiplenetworks,suchasallowingbranchofficesandsupplierstoconnecttoacorporationsheadquarternetwork.Additionally,withthegrowingnumberofteleworkers,enterpriseshaveanincreasingneedforsecure,reliable,andcosteffectivewaystoconnectemployeesworkinginsmalloffice/homeoffice(SOHO)andotherremotelocations,withresourcesoncorporatesites.

    Thefigureillustratesthetopologiesthatmodernnetworksusetoconnectremotelocations.Insomecases,theremotelocationsconnectonlytotheheadquarterslocation,whileinothercases,remotelocationsconnecttoadditionalsites.

    OrganizationsuseVPNstocreateanendtoendprivatenetworkconnectionoverthirdpartynetworkssuchastheInternetorextranets.Thetunneleliminatesthedistancebarrierandenablesremoteuserstoaccesscentralsitenetworkresources.AVPNisaprivatenetworkcreatedviatunnelingoverapublicnetwork,usuallytheInternet.AVPNisacommunicationsenvironmentinwhichaccessisstrictlycontrolledtopermitpeerconnectionswithinadefinedcommunityofinterest.

    ThefirstVPNswerestrictlyIPtunnelsthatdidnotincludeauthenticationorencryptionofthedata.Forexample,GenericRoutingEncapsulation(GRE)isatunnelingprotocoldevelopedbyCiscothatcanencapsulateawidevarietyofnetworklayerprotocolpackettypesinsideIPtunnels.ThiscreatesavirtualpointtopointlinktoCiscoroutersatremotepointsoveranIPinternetwork.

  • Today,asecureimplementationofVPNwithencryption,suchasIPsecVPNs,iswhatisusuallymeantbyvirtualprivatenetworking.

    ToimplementVPNs,aVPNgatewayisnecessary.TheVPNgatewaycouldbearouter,afirewall,oraCiscoAdaptiveSecurityAppliance(ASA).AnASAisastandalonefirewalldevicethatcombinesfirewall,VPNconcentrator,andintrusionpreventionfunctionalityintoonesoftwareimage.

    Asshowninthefigure,aVPNusesvirtualconnectionsthatareroutedthroughtheInternetfromtheprivatenetworkofanorganizationtotheremotesiteoremployeehost.Theinformationfromaprivatenetworkissecurelytransportedoverthepublicnetwork,toformavirtualnetwork.

    ThebenefitsofaVPNincludethefollowing:

    CostsavingsVPNsenableorganizationstousecosteffective,thirdpartyInternettransporttoconnectremoteofficesandremoteuserstothemainsitetherefore,eliminatingexpensive,dedicatedWANlinksandmodembanks.Furthermore,withtheadventofcosteffective,highbandwidthtechnologies,suchasDSL,organizationscanuseVPNstoreducetheirconnectivitycostswhilesimultaneouslyincreasingremoteconnectionbandwidth.

    ScalabilityVPNsenableorganizationstousetheInternetinfrastructurewithinISPsanddevices,whichmakesiteasytoaddnewusers.Therefore,organizationsareabletoaddlargeamountsofcapacitywithoutaddingsignificantinfrastructure.

    CompatibilitywithbroadbandtechnologyVPNsallowmobileworkersandtelecommuterstotakeadvantageofhighspeed,broadbandconnectivity,suchasDSLandcable,toaccesstotheirorganizationsnetworks.Broadbandconnectivityprovidesflexibilityandefficiency.Highspeed,broadbandconnectionsalsoprovideacosteffectivesolutionforconnectingremoteoffices.

    SecurityVPNscanincludesecuritymechanismsthatprovidethehighestlevelofsecuritybyusingadvancedencryptionandauthenticationprotocolsthatprotectdatafromunauthorizedaccess.

    TherearetwotypesofVPNnetworks:

    Sitetosite Remoteaccess

    SitetoSiteVPN

    AsitetositeVPNiscreatedwhendevicesonbothsidesoftheVPNconnectionareawareoftheVPNconfigurationinadvance,asshowninthefigure.TheVPNremainsstatic,andinternalhostshavenoknowledgethataVPNexists.InasitetositeVPN,endhostssendandreceivenormalTCP/IPtrafficthroughaVPNgateway.TheVPNgatewayisresponsibleforencapsulatingandencryptingoutboundtrafficforalltrafficfromaparticularsite.TheVPNgatewaythensendsitthroughaVPNtunnelovertheInternettoapeerVPNgatewayatthetargetsite.Uponreceipt,thepeerVPNgatewaystripstheheaders,decryptsthecontent,andrelaysthepackettowardthetargethostinsideitsprivatenetwork.

    AsitetositeVPNisanextensionofaclassicWANnetwork.SitetositeVPNsconnectentirenetworkstoeachother,forexample,theycanconnectabranchofficenetworktoacompanyheadquartersnetwork.Inthepast,aleasedlineorFrameRelayconnectionwasrequiredtoconnectsites,butbecausemostcorporationsnowhaveInternetaccess,theseconnectionscanbereplacedwithsitetositeVPNs.

    RemoteaccessVPNs

  • WhereasitetositeVPNisusedtoconnectentirenetworks,aremoteaccessVPNsupportstheneedsoftelecommuters,mobileusers,andextranet,consumertobusinesstraffic.AremoteaccessVPNiscreatedwhenVPNinformationisnotstaticallysetup,butinsteadallowsfordynamicallychanginginformation,andcanbeenabledanddisabled.RemoteaccessVPNssupportaclient/serverarchitecture,wheretheVPNclient(remotehost)gainssecureaccesstotheenterprisenetworkviaaVPNserverdeviceatthenetworkedge.

    RemoteaccessVPNsareusedtoconnectindividualhoststhatmustaccesstheircompanynetworksecurelyovertheInternet.Internetconnectivityusedbytelecommutersistypicallyabroadband,DSL,wireless,orcableconnection,asindicatedinthefigure.

    VPNclientsoftwaremayneedtobeinstalledonthemobileusersenddeviceforexample,eachhostmayhaveCiscoAnyConnectSecureMobilityClientsoftwareinstalled.Whenthehosttriestosendanytraffic,theCiscoAnyConnectVPNClientsoftwareencapsulatesandencryptsthistraffic.TheencrypteddataisthensentovertheInternettotheVPNgatewayattheedgeofthetargetnetwork.Uponreceipt,theVPNgatewaybehavesasitdoesforsitetositeVPNs.

    Note:TheCiscoAnyConnectSecureMobilityClientsoftwarebuildsonpriorCiscoAnyConnectVPNClientandCiscoVPNClientofferingstoimprovethealwaysonVPNexperienceacrossmorelaptopandsmartphonebasedmobiledevices.ThisclientsupportsIPv6.

    FundamentalsofGenericRoutingEncapsulationGenericRoutingEncapsulation(GRE)isoneexampleofabasic,nonsecure,sitetositeVPNtunnelingprotocol.GREisatunnelingprotocoldevelopedbyCiscothatcanencapsulateawidevarietyofprotocolpackettypesinsideIPtunnels.GREcreatesavirtualpointtopointlinktoCiscoroutersatremotepoints,overanIPinternetwork.

    GREisdesignedtomanagethetransportationofmultiprotocolandIPmulticasttrafficbetweentwoormoresites,thatmayonlyhaveIPconnectivity.ItcanencapsulatemultipleprotocolpackettypesinsideanIPtunnel.

    Asshowninthefigure,atunnelinterfacesupportsaheaderforeachofthefollowing:

    Anencapsulatedprotocol(orpassengerprotocol),suchasIPv4,IPv6,AppleTalk,DECnet,orIPX Anencapsulationprotocol(orcarrier),suchasGRE Atransportdeliveryprotocol,suchasIP,whichistheprotocolthatcarriestheencapsulatedprotocol

  • GREisatunnelingprotocoldevelopedbyCiscothatcanencapsulateawidevarietyofprotocolpackettypesinsideIPtunnels,creatingavirtualpointtopointlinktoCiscoroutersatremotepointsoveranIPinternetwork.IPtunnelingusingGREenablesnetworkexpansionacrossasingleprotocolbackboneenvironment.Itdoesthisbyconnectingmultiprotocolsubnetworksinasingleprotocolbackboneenvironment.

    GREhasthesecharacteristics:

    GREisdefinedasanIETFstandard(RFC2784). IntheouterIPheader,47isusedintheprotocolfieldtoindicatethataGREheaderwillfollow. GREencapsulationusesaprotocoltypefieldintheGREheadertosupporttheencapsulationofanyOSILayer3

    protocol.ProtocolTypesaredefinedinRFC1700as"EtherTypes". GREitselfisstatelessbydefaultitdoesnotincludeanyflowcontrolmechanisms. GREdoesnotincludeanystrongsecuritymechanismstoprotectitspayload. TheGREheader,togetherwiththetunnelingIPheaderindicatedinthefigure,createsatleast24bytesofadditional

    overheadfortunneledpackets.

    GREisusedtocreateaVPNtunnelbetweentwosites,asshowninFigure1.ToimplementaGREtunnel,thenetworkadministratormustfirstlearntheIPaddressesoftheendpoints.Afterthat,therearefivestepstoconfiguringaGREtunnel:

    Step1.Createatunnelinterfaceusingtheinterfacetunnelnumbercommand.

    Step2.SpecifythetunnelsourceIPaddress.

    Step3.SpecifythetunneldestinationIPaddress.

    Step4.ConfigureanIPaddressforthetunnelinterface.

    Step5.(Optional)SpecifyGREtunnelmodeasthetunnelinterfacemode.GREtunnelmodeisthedefaulttunnelinterfacemodeforCiscoIOSsoftware.

    ThesampleconfigurationinFigure2illustratesabasicGREtunnelconfigurationforrouterR1.

  • TheconfigurationofR2inFigure3mirrorstheconfigurationofR1.

    Theminimumconfigurationrequiresspecificationofthetunnelsourceanddestinationaddresses.TheIPsubnetmustalsobeconfiguredtoprovideIPconnectivityacrossthetunnellink.BothtunnelinterfaceshavethetunnelsourcesetasthelocalserialS0/0/0interfaceandthetunneldestinationsetasthepeerrouterserialS0/0/0interface.TheIPaddressisassignedtothetunnelinterfacesonbothrouters.OSPFhasalsobeenconfiguredtoexchangeroutesovertheGREtunnel.

    TheindividualGREtunnelcommanddescriptionsaredisplayedinFigure4.

    Note:WhenconfiguringGREtunnels,itcanbedifficulttorememberwhichIPnetworksareassociatedwiththephysicalinterfacesandwhichIPnetworksareassociatedwiththetunnelinterfaces.RememberthatbeforeaGREtunneliscreated,thephysicalinterfaceshavealreadybeenconfigured.ThetunnelsourceandtunneldestinationcommandsreferencetheIPaddressesofthepreconfiguredphysicalinterfaces.TheipaddresscommandonthetunnelinterfacesreferstoanIPnetworkspecificallymanufacturedforthepurposesoftheGREtunnel.

    ThereareseveralcommandsthatcanbeusedtomonitorandtroubleshootGREtunnels.Todeterminewhetherthetunnelinterfaceisupordown,usetheshowipinterfacebriefcommand,asshowninFigure1.

    ToverifythestateofaGREtunnel,usetheshowinterfacetunnelcommand.ThelineprotocolonaGREtunnelinterfaceisupaslongasthereisaroutetothetunneldestination.BeforeimplementingaGREtunnel,IPconnectivitymustalreadybeineffectbetweentheIPaddressesofthephysicalinterfacesonoppositeendsofthepotentialGREtunnel.Thetunneltransportprotocolisdisplayedintheoutput,alsoshowninFigure1.

    IfOSPFhasalsobeenconfiguredtoexchangeroutesovertheGREtunnel,verifythatanOSPFadjacencyhasbeenestablishedoverthetunnelinterfaceusingtheshowipospfneighborcommand.InFigure2,notethatthepeeringaddressfortheOSPFneighborisontheIPnetworkcreatedfortheGREtunnel.

  • InFigure3,usetheSyntaxCheckertoconfigureandverifyaGREtunnelonR2followedbyR1.

    GREisconsideredaVPNbecauseitisaprivatenetworkthatiscreatedbytunnelingoverapublicnetwork.Usingencapsulation,aGREtunnelcreatesavirtualpointtopointlinktoCiscoroutersatremotepointsoveranIPinternetwork.TheadvantagesofGREarethatitcanbeusedtotunnelnonIPtrafficoveranIPnetwork,allowingfornetworkexpansionbyconnectingmultiprotocolsubnetworksacrossasingleprotocolbackboneenvironment.GREalsosupportsIPmulticasttunneling.Thismeansthatroutingprotocolscanbeusedacrossthetunnel,enablingdynamicexchangeofroutinginformationinthevirtualnetwork.Finally,itiscommonpracticetocreateIPv6overIPv4GREtunnels,whereIPv6istheencapsulatedprotocolandIPv4isthetransportprotocol.Inthefuture,theseroleswilllikelybereversedasIPv6takesoverasthestandardIPprotocol.

    However,GREdoesnotprovideencryptionoranyothersecuritymechanisms.Therefore,datasentacrossaGREtunnelisnotsecure.Ifsecuredatacommunicationisneeded,IPsecorSSLVPNsshouldbeconfigured.

    IPsecVPNsofferflexibleandscalableconnectivity.Sitetositeconnectionscanprovideasecure,fast,andreliableremoteconnection.WithanIPsecVPN,theinformationfromaprivatenetworkissecurelytransportedoverapublicnetwork.ThisformsavirtualnetworkinsteadofusingadedicatedLayer2connection,asshowninthefigure.Toremainprivate,thetrafficisencryptedtokeepthedataconfidential.

    IPsecisanIETFstandardthatdefineshowaVPNcanbeconfiguredinasecuremannerusingtheInternetProtocol.

    IPsecisaframeworkofopenstandardsthatspellsouttherulesforsecurecommunications.IPsecisnotboundtoanyspecificencryption,authentication,securityalgorithms,orkeyingtechnology.Rather,IPsecreliesonexistingalgorithmstoimplementsecurecommunications.IPsecallowsnewerandbetteralgorithmstobeimplementedwithoutamendingtheexistingIPsecstandards.

    IPsecworksatthenetworklayer,protectingandauthenticatingIPpacketsbetweenparticipatingIPsecdevices,alsoknownaspeers.IPsecsecuresapathbetweenapairofgateways,apairofhosts,oragatewayandhost.Asaresult,IPseccanprotectvirtuallyallapplicationtrafficbecausetheprotectioncanbeimplementedfromLayer4toLayer7.

    AllimplementationsofIPsechaveaplaintextLayer3header,sotherearenoissueswithrouting.IPsecfunctionsoverallLayer2protocols,suchasEthernet,ATM,orFrameRelay.

    IPseccharacteristicscanbesummarizedasfollows:

    IPsecisaframeworkofopenstandardsthatisalgorithmindependent. IPsecprovidesdataconfidentiality,dataintegrity,andoriginauthentication. IPsecactsatthenetworklayer,protectingandauthenticatingIPpackets.

    IPsecsecurityservicesprovidefourcriticalfunctions,asshowninthefigure:

    Confidentiality(encryption)InaVPNimplementation,privatedatatravelsoverapublicnetwork.Forthisreason,dataconfidentialityisvital.Itcanbeattainedbyencryptingthedatabeforetransmittingitacrossthenetwork.Thisistheprocessoftakingallthedatathatonecomputerissendingtoanotherandencodingitintoaformthatonlytheothercomputerwillbeabletodecode.Ifthecommunicationisintercepted,itcannotbereadbyahacker.IPsecprovidesenhancedsecurityfeatures,suchasstrongencryptionalgorithms.

    DataIntegrityThereceivercanverifythatthedatawastransmittedthroughtheInternetwithoutbeingchangedoralteredinanyway.Whileitisimportantthatdataisencryptedoverapublicnetwork,itisjustasimportanttoverifythatithasnotbeenchangedwhileintransit.IPsechasamechanismtoensurethattheencryptedportionofthe

  • packet,ortheentireheaderanddataportionofthepacket,hasnotbeenchanged.IPsecensuresdataintegritybyusingchecksums,whichisasimpleredundancycheck.Iftamperingisdetected,thepacketisdropped.

    AuthenticationVerifytheidentityofthesourceofthedatathatissent.Thisisnecessarytoguardagainstanumberofattacksthatdependonspoofingtheidentityofthesender.Authenticationensuresthattheconnectionismadewiththedesiredcommunicationpartner.Thereceivercanauthenticatethesourceofthepacketbycertifyingthesourceoftheinformation.IPsecusesInternetKeyExchange(IKE)toauthenticateusersanddevicesthatcancarryoutcommunicationindependently.IKEusesseveraltypesofauthentication,includingusernameandpassword,onetimepassword,biometrics,presharedkey(PSK),anddigitalcertificates.

    AntiReplayProtectionThisistheabilitytodetectandrejectreplayedpacketsandhelpspreventspoofing.Antireplayprotectionverifiesthateachpacketisuniqueandnotduplicated.IPsecpacketsareprotectedbycomparingthesequencenumberofthereceivedpacketswithaslidingwindowonthedestinationhostorsecuritygateway.Apacketthathasasequencenumberthatisbeforetheslidingwindowisconsideredtobelateoraduplicatepacket.Lateandduplicatepacketsaredropped.

    TheacronymCIAisoftenusedtohelprememberthefirstthreeofthesefunctions:confidentiality,integrity,andauthentication.

    Confidentiality

    VPNtrafficiskeptconfidentialwithencryption.PlaintextdatathatistransportedovertheInternetcanbeinterceptedandread.Encryptthedatetokeepitprivate.Digitallyencryptingthedatarendersitunreadableuntilitisunencryptedbytheauthorizedreceiver.

    Forencryptedcommunicationtowork,boththesenderandthereceivermustknowtherulesthatareusedtotransformtheoriginalmessageintoitscodedform.Rulesarebasedonalgorithmsandassociatedkeys.Inthecontextofencryption,analgorithmisamathematicalsequenceofstepsthatcombinesamessage,text,digits,orallthreewithastringofdigitsthatarecalledakey.Theoutputisanunreadablecipherstring.Theencryptionalgorithmalsospecifieshowanencryptedmessageisdecrypted.Decryptionisextremelydifficultorimpossiblewithoutthecorrectkey.

    Inthefigure,Gailwantstosendanelectronicfundstransfer(EFT)acrosstheInternettoJeremy.Atthelocalend,thedocumentiscombinedwithakeyandrunthroughanencryptionalgorithm.Theoutputisencryptedciphertext.TheciphertextisthensentthroughtheInternet.Attheremoteend,themessageisrecombinedwithakeyandsentbackthroughtheencryptionalgorithm.Theoutputistheoriginalfinancialdocument.

    ConfidentialityisachievedthroughtheencryptionoftrafficasittravelsthroughaVPN.Thedegreeofsecuritydependsonthekeylengthoftheencryptionalgorithmandthesophisticationofthealgorithm.Ifahackertriestohackthekeythroughabruteforceattack,thenumberofpossibilitiestotryisafunctionofthekeylength.Thetimetoprocessallofthepossibilitiesisafunctionofthecomputerpoweroftheattackingdevice.Theshorterthekey,theeasieritistobreak.Forexample,wherearelativelysophisticatedcomputermaytakeapproximatelyoneyeartobreaka64bitlongkey,thesamecomputermaytakeanywherefrom10to19yearstodecrypta128bitlongkey.

    Thedegreeofsecuritydependsonthekeylengthoftheencryptionalgorithm.Askeylengthincreases,itbecomesmoredifficulttobreaktheencryption.However,alongerkeyrequiresmoreprocessorresourceswhenencryptinganddecryptingdata.

    DESand3DESarenolongerconsideredsecuretherefore,itisrecommendedthatAESbeusedforIPsecencryption.ThegreatestsecurityforIPsecencryptionofVPNsbetweenCiscodevicesisprovidedbythe256bitoptionofAES.Inaddition,

  • 512bitand768bitRivestShamirAdleman(RSA)keyshavebeencrackedandCiscorecommendsusing2048bitkeyswiththeRSAoption,ifusedduringtheauthenticationphaseofIKE.

    SymmetricEncryption

    Encryptionalgorithms,suchasAES,requireasharedsecretkeytoperformencryptionanddecryption.Eachofthetwonetworkingdevicesmustknowthekeytodecodetheinformation.Withsymmetrickeyencryption,alsocalledsecretkeyencryption,eachdeviceencryptstheinformationbeforesendingitoverthenetworktotheotherdevice.Symmetrickeyencryptionrequiresknowledgeofwhichdevicestalktoeachothersothatthesamekeycanbeconfiguredoneachdevice,asdepictedinFigure1.

    Forexample,asendercreatesacodedmessagewhereeachletterissubstitutedwiththeletterthatistwolettersdowninthealphabetAbecomesC,BbecomesD,andsoon.Inthiscase,thewordSECRETbecomesUGETGV.Thesenderhasalreadytoldtherecipientthatthesecretkeyisshiftby2.WhentherecipientreceivesthemessageUGETGV,therecipientcomputerdecodesthemessagebyshiftingbacktwolettersandcalculatingSECRET.Anyoneelsewhoseesthemessageseesonlytheencryptedmessage,whichlookslikenonsense,unlessthepersonknowsthesecretkey.

    Hereisasynopsisforsymmetricalgorithms:

    Usessymmetrickeycryptography Encryptionanddecryptionusethesamekey Typicallyusedtoencryptthecontentofthemessage Examples:DES,3DES,andAES

    Howdotheencryptinganddecryptingdevicesbothhaveasharedsecretkey?Onecoulduseemail,courier,orovernightexpresstosendthesharedsecretkeystotheadministratorsofthedevices.Another,moresecuremethodisasymmetricencryption.

    AsymmetricEncryption

    Asymmetricencryptionusesdifferentkeysforencryptionanddecryption.Knowingoneofthekeysdoesnotallowahackertodeducethesecondkeyanddecodetheinformation.Onekeyencryptsthemessage,whileasecondkeydecryptsthemessage,asdepictedinFigure2.Itisnotpossibletoencryptanddecryptwiththesamekey.

    Publickeyencryptionisavariantofasymmetricencryptionthatusesacombinationofaprivatekeyandapublickey.Therecipientgivesapublickeytoanysenderwithwhomtherecipientwantstocommunicate.Thesenderusesaprivatekeythatiscombinedwiththepublickeyoftherecipienttoencryptthemessage.Also,thesendermustshareitspublickeywiththerecipient.Todecryptamessage,therecipientwillusethepublickeyofthesenderwithitsownprivatekey.

    Hereisasynopsisforasymmetricalgorithms:

    Usespublickeycryptography Encryptionanddecryptionuseadifferentkey Typicallyusedindigitalcertificationandkeymanagement Examples:RSA

    DataIntegrity

  • DiffieHellman(DH)isnotanencryptionmechanismandisnottypicallyusedtoencryptdata.Instead,itisamethodtosecurelyexchangethekeysthatencryptdata.(DH)algorithmsallowtwopartiestoestablishasharedsecretkeythatisusedbyencryptionandhashalgorithms.

    IntroducedbyWhitfieldDiffieandMartinHellmanin1976,DHwasthefirstsystemtoutilizepublickeyorasymmetriccryptographickeys.Today,DHispartoftheIPsecstandard.Also,aprotocolknownasOAKLEYusesaDHalgorithm.OAKLEYisusedbytheIKEprotocol,whichispartoftheoverallframeworkcalledInternetSecurityAssociationandKeyManagementProtocol.

    EncryptionalgorithmssuchasDES,3DES,andAES,aswellastheMD5andSHA1hashingalgorithmsrequireasymmetric,sharedsecretkeytoperformencryptionanddecryption.Howdotheencryptinganddecryptingdevicesgetthesharedsecretkey?Theeasiestkeyexchangemethodisapublickeyexchangemethodbetweentheencryptinganddecryptingdevices.

    TheDHalgorithmspecifiesapublickeyexchangemethodthatprovidesawayfortwopeerstoestablishasharedsecretkeythatonlytheyknow,althoughtheyarecommunicatingoveraninsecurechannel.Likeallcryptographicalgorithms,DHkeyexchangeisbasedonamathematicalsequenceofsteps.

    TheintegrityandauthenticationofVPNtrafficishandledbyhashalgorithms.Hashesprovidedataintegrityandauthenticationbyensuringthatunauthorizedpersonsdonottamperwithtransmittedmessages.Ahash,alsocalledamessagedigest,isanumberthatisgeneratedfromastringoftext.Thehashissmallerthanthetextitself.Itisgeneratedbyusingaformulainsuchawaythatitisextremelyunlikelythatsomeothertextwillproducethesamehashvalue.

    Theoriginalsendergeneratesahashofthemessageandsendsitwiththemessageitself.Therecipientparsesthemessageandthehash,producesanotherhashfromthereceivedmessage,andcomparesthetwohashes.Iftheyarethesame,therecipientcanbereasonablysureoftheintegrityoftheoriginalmessage.

    Inthefigure,GailsentAlexanEFTof$100.JeremyhasinterceptedandalteredthisEFTtoshowhimselfastherecipientandtheamountas$1000.Inthiscase,ifadataintegrityalgorithmwereused,thehasheswouldnotmatch,andthetransactionwouldbeinvalid.

    VPNdataistransportedoverthepublicInternet.Asshown,thereispotentialforthisdatatobeinterceptedandmodified.Toguardagainstthisthreat,hostscanaddahashtothemessage.Ifthetransmittedhashmatchesthereceivedhash,theintegrityofthemessagehasbeenpreserved.However,ifthereisnomatch,themessagewasaltered.

    VPNsuseamessageauthenticationcodetoverifytheintegrityandtheauthenticityofamessage,withoutusinganyadditionalmechanisms.

    HashbasedMessageAuthenticationCode(HMAC)isamechanismformessageauthenticationusinghashfunctions.AkeyedHMACisadataintegrityalgorithmthatguaranteestheintegrityofamessage.AnHMAChastwoparameters,amessageinputandasecretkeythatisknownonlytothemessageoriginatorandintendedreceivers.ThemessagesenderusesanHMACfunctiontoproduceavalue(themessageauthenticationcode)thatisformedbycondensingthesecretkeyandthemessageinput.Themessageauthenticationcodeissentalongwiththemessage.ThereceivercomputesthemessageauthenticationcodeonthereceivedmessageusingthesamekeyandHMACfunctionasthesenderused.Thenthereceivercomparestheresultthatiscomputedwiththereceivedmessageauthenticationcode.Ifthetwovaluesmatch,themessagehasbeencorrectlyreceivedandthereceiverisassuredthatthesenderisamemberofthecommunityofusersthatsharethekey.ThecryptographicstrengthoftheHMACdependsuponthecryptographicstrengthoftheunderlyinghashfunction,onthesizeandqualityofthekey,andonthesizeofthehashoutputlengthinbits.

  • TherearetwocommonHMACalgorithms:

    MD5Usesa128bitsharedsecretkey.Thevariablelengthmessageand128bitsharedsecretkeyarecombinedandrunthroughtheHMACMD5hashalgorithm.Theoutputisa128bithash.Thehashisappendedtotheoriginalmessageandforwardedtotheremoteend.

    SHASHA1usesa160bitsecretkey.Thevariablelengthmessageandthe160bitsharedsecretkeyarecombinedandrunthroughtheHMACSHA1hashalgorithm.Theoutputisa160bithash.Thehashisappendedtotheoriginalmessageandforwardedtotheremoteend.

    Note:CiscoIOSalsosupports,256bit,384bit,and512bitSHAimplementations.

    Authentication

    IPsecVPNssupportauthentication.Whenconductingbusinesslongdistance,itisnecessarytoknowwhoisattheotherendofthephone,email,orfax.ThesameistrueofVPNnetworks.ThedeviceontheotherendoftheVPNtunnelmustbeauthenticatedbeforethecommunicationpathisconsideredsecure,asindicatedinthefigure.Therearetwopeerauthenticationmethods:

    PSKAsecretkeythatissharedbetweenthetwopartiesusingasecurechannelbeforeitneedstobeused.Presharedkeys(PSKs)usesymmetrickeycryptographicalgorithms.APSKisenteredintoeachpeermanuallyandisusedtoauthenticatethepeer.Ateachend,thePSKiscombinedwithotherinformationtoformtheauthenticationkey.

    RSAsignaturesDigitalcertificatesareexchangedtoauthenticatepeers.Thelocaldevicederivesahashandencryptsitwithitsprivatekey.Theencryptedhash,ordigitalsignature,isattachedtothemessageandforwardedtotheremoteend.Attheremoteend,theencryptedhashisdecryptedusingthepublickeyofthelocalend.Ifthedecryptedhashmatchestherecomputedhash,thesignatureisgenuine.

    IPsecusesRSA(publickeycryptosystem)forauthenticationinthecontextofIKE.TheRSAsignaturemethodusesadigitalsignaturesetupinwhicheachdevicedigitallysignsasetofdataandsendsittotheotherparty.RSAsignaturesuseacertificateauthority(CA)togenerateauniqueidentitydigitalcertificatethatisassignedtoeachpeerforauthentication.TheidentitydigitalcertificateissimilarinfunctiontoaPSK,butprovidesmuchstrongersecurity.EachinitiatorandrespondertoanIKEsessionusingRSAsignaturessendsitsownIDvalue,itsidentitydigitalcertificate,andanRSAsignaturevalueconsistingofavarietyofIKEvalues,allencryptedbythenegotiatedIKEencryptionmethod(suchasAES).

    TheDigitalSignatureAlgorithm(DSA)isanotheroptionforauthentication.

    Asstatedearlier,theIPsecprotocolframeworkdescribesthemessagingtosecurethecommunications,butitreliesonexistingalgorithms.

    TherearetwomainIPsecprotocolsdepictedinFigure1:

    AuthenticationHeader(AH)AHistheappropriateprotocoltousewhenconfidentialityisnotrequiredorpermitted.ItprovidesdataauthenticationandintegrityforIPpacketsthatarepassedbetweentwosystems.However,AHdoesnotprovidedataconfidentiality(encryption)ofpackets.Alltextistransportedinplaintext.Usedalone,theAHprotocolprovidesweakprotection.

    EncapsulatingSecurityPayload(ESP)AsecurityprotocolthatprovidesconfidentialityandauthenticationbyencryptingtheIPpacket.IPpacketencryptionconcealsthedataandtheidentitiesofthesourceanddestination.ESPauthenticatestheinnerIPpacketandESPheader.Authenticationprovidesdataoriginauthenticationanddata

  • integrity.AlthoughbothencryptionandauthenticationareoptionalinESP,ataminimum,oneofthemmustbeselected.

    Figure2illustratesthecomponentsofIPsecconfiguration.TherearefourbasicbuildingblocksoftheIPsecframeworkthatmustbeselected.

    IPsecframeworkprotocolWhenconfiguringanIPsecgatewaytoprovidesecurityservices,anIPsecprotocolmustbeselected.ThechoicesaresomecombinationofESPandAH.Realistically,theESPorESP+AHoptionsarealmostalwaysselectedbecauseAHitselfdoesnotprovideencryption,asshowninFigure3.

    Confidentiality(IfIPsecisimplementedwithESP)Theencryptionalgorithmchosenshouldbestmeetthedesiredlevelofsecurity:DES,3DES,orAES.AESisstronglyrecommended,withAESGCMprovidingthegreatestsecurity.

    IntegrityGuaranteesthatthecontenthasnotbeenalteredintransit.Implementedthroughtheuseofhashalgorithms.ChoicesincludeMD5andSHA.

    AuthenticationRepresentshowdevicesoneitherendoftheVPNtunnelareauthenticated.ThetwomethodsarePSKorRSA.

    DHalgorithmgroupRepresentshowasharedsecretkeyisestablishedbetweenpeers.Thereareseveraloptions,butDH24providesthegreatestsecurity.

    Itisthecombinationofthesebuildingblocksthatprovidestheconfidentiality,integrity,andauthenticationoptionsforIPsecVPNs.

    Note:ThissectionintroducedIPsectoprovideanunderstandingofhowIPsecsecuresVPNtunnels.ConfiguringIPsecVPNsarebeyondthescopeofthiscourse.

    RemoteaccessVPNSolutionsVPNshavebecomethelogicalsolutionforremoteaccessconnectivityformanyreasons.VPNsprovidesecurecommunicationswithaccessrightstailoredtoindividualusers,suchasemployees,contractors,andpartners.Theyalsoenhanceproductivitybyextendingthecorporatenetworkandapplicationssecurelywhilereducingcommunicationcostsandincreasingflexibility.

    UsingVPNtechnology,employeescanessentiallytaketheirofficewiththem,includingaccesstoemailsandnetworkapplications.VPNscanalsoallowcontractorsandpartnerstohavelimitedaccesstothespecificservers,webpages,orfilesrequired.Thisnetworkaccessallowsthemtocontributetobusinessproductivitywithoutcompromisingnetworksecurity.

    TherearetwoprimarymethodsfordeployingremoteaccessVPNs:

    SecureSocketsLayer(SSL) IPSecurity(IPsec)

    ThetypeofVPNmethodimplementedisbasedontheaccessrequirementsoftheusersandtheorganizationsITprocesses.

  • BothIPsecandSSLVPNtechnologiesofferaccesstovirtuallyanynetworkapplicationorresource.SSLVPNsoffersuchfeaturesaseasyconnectivityfromnoncompanymanageddesktops,littleornodesktopsoftwaremaintenance,andusercustomizedwebportalsuponlogin.

    CiscoIOSSSLVPNistheindustrysfirstrouterbasedSSLVPNsolution.Itoffersanywhereconnectivitynotonlyfromcompanymanagedresource,butalsofromemployeeownedPCs,contractororbusinesspartnerdesktops,andInternetkiosks.

    TheSSLprotocolsupportsvariouscryptographicalgorithmsforoperations,suchasauthenticatingtheserverandclienttoeachother,transmittingcertificates,andestablishingsessionkeys.CiscoSSLVPNsolutionscanbecustomizedforbusinessesofanysize.Thesesolutionsdelivermanyremoteaccessconnectivityfeaturesandbenefits,including:

    Webbased,clientlessaccessandcompletenetworkaccesswithoutpreinstalleddesktopsoftware.Thisfacilitatescustomizedremoteaccessbasedonuserandsecurityrequirements,anditminimizesdesktopsupportcosts.

    Protectionagainstviruses,worms,spyware,andhackersonaVPNconnectionbyintegratingnetworkandendpointsecurityintheCiscoSSLVPNplatform.Thisreducescostandmanagementcomplexitybyeliminatingtheneedforadditionalsecurityequipmentandmanagementinfrastructure.

    UseofasingledeviceforbothSSLVPNandIPsecVPN.ThisreducescostandmanagementcomplexitybyfacilitatingrobustremoteaccessandsitetositeVPNservicesfromasingleplatformwithunifiedmanagement.

    CiscoIOSSSLVPNisatechnologythatprovidesremoteaccessbyusingawebbrowserandthewebbrowsersnativeSSLencryption.Alternatively,itcanprovideremoteaccessusingtheCiscoAnyConnectSecureMobilityClientsoftware.

    TheCiscoASAprovidestwomaindeploymentmodesthatarefoundinCiscoSSLVPNsolutions,asshowninthefigure:

    CiscoAnyConnectSecureMobilityClientwithSSLRequirestheCiscoAnyConnectClient CiscoSecureMobilityClientlessSSLVPNRequiresaninternetbrowser

    TheCiscoASAmustbeconfiguredtosupporttheSSLVPNconnection.

  • CiscoAnyConnectSecureMobilityClientwithSSL

    ClientBasedSSLVPNsprovideauthenticateduserswithLANlike,fullnetworkaccesstocorporateresources.However,theremotedevicesrequireaclientapplication,suchastheCiscoVPNClientorthenewerAnyConnectclienttobeinstalledontheenduserdevice.

    InabasicCiscoASAconfiguredforfulltunnelingandaremoteaccessSSLVPNsolution,remoteusersusetheCiscoAnyConnectSecureMobilityClient,showninFigure1,toestablishanSSLtunnelwiththeCiscoASA.AftertheCiscoASAestablishestheVPNwiththeremoteuser,theremoteusercanforwardIPtrafficintotheSSLtunnel.TheCiscoAnyConnectSecureMobilityClientcreatesavirtualnetworkinterfacetoprovidethisfunctionality.Theclientcanuseanyapplicationtoaccessanyresource,subjecttoaccessrules,behindtheCiscoASAVPNgateway.

    CiscoSecureMobilityClientlessSSLVPN

    TheclientlessSSLVPNdeploymentmodelenablescorporationstoprovideaccesstocorporateresourcesevenwhentheremotedeviceisnotcorporatelymanaged.Inthisdeploymentmodel,theCiscoASAisusedasaproxydevicetonetworkresources.Itprovidesawebportalinterfaceforremotedevicestonavigatethenetworkusingportforwardingcapabilities.

    InabasicCiscoASAclientlessSSLVPNsolution,remoteusersemployastandardwebbrowsertoestablishanSSLsessionwiththeCiscoASA,asshowninFigure2.TheCiscoASApresentstheuserwithawebportaloverwhichtheusercanaccessinternalresources.Inthebasicclientlesssolution,theusercanaccessonlysomeservices,suchasinternalwebapplications,andbrowserbased,filesharingresources,asshowninFigure3.

    ManyapplicationsrequirethesecurityofanIPsecremoteaccessVPNconnectionforauthenticationandencryptionofdata.WhendeployingVPNsfortelecommutersandsmallbranchoffices,easeofdeploymentiscriticaliftechnicalresourcesarenotavailableforVPNconfigurationonaremotesiterouter.

    TheCiscoEasyVPNsolutionfeatureoffersflexibility,scalability,andeaseofuseforbothsitetositeandremoteaccessIPsecVPNs.TheCiscoEasyVPNsolutionconsistsofthreecomponents:

    CiscoEasyVPNServerACiscoIOSrouterorCiscoASAFirewallactingastheVPNheadenddeviceinsitetositeorremoteaccessVPNs.

    CiscoEasyVPNRemoteACiscoIOSrouterorCiscoASAFirewallactingasaremoteVPNclient. CiscoVPNClientAnapplicationsupportedonaPCusedtoaccessaCiscoVPNserver.

    UsingtheCiscoEasyVPNservermakesitpossibleformobileandremoteworkersusingaVPNClientontheirPCs,orusingCiscoEasyVPNRemoteonanedgerouter,tocreatesecureIPsectunnelstoaccesstheirheadquarters'intranet,asshowninthefigure.

    CiscoEasyVPNServer

    TheCiscoEasyVPNServermakesitpossibleformobileandremoteworkersusingVPNClientsoftwareontheirPCstocreatesecureIPsectunnelstoaccesstheirheadquarters'intranetwherecriticaldataandapplicationsexist.ItenablesCiscoIOSroutersandCiscoASAFirewallstoactasVPNheadenddevicesinsitetositeorremoteaccessVPNs.RemoteofficedevicesusetheCiscoEasyVPNRemotefeatureortheCiscoVPNClientapplicationtoconnecttotheserver,whichthenpushesdefinedsecuritypoliciestotheremoteVPNdevice.Thisensuresthatthoseconnectionshaveuptodatepoliciesinplacebeforetheconnectionisestablished.

  • CiscoEasyVPNRemote

    TheCiscoEasyVPNRemoteenablesCiscoIOSroutersorsoftwareclientstoactasremoteVPNclients.ThesedevicescanreceivesecuritypoliciesfromaCiscoEasyVPNServer,minimizingVPNconfigurationrequirementsattheremotelocation.ThiscosteffectivesolutionisidealforremoteofficeswithlittleITsupportorforlargecustomerpremisesequipment(CPE)deploymentswhereitisimpracticaltoindividuallyconfiguremultipleremotedevices.

    ThefigureshowsthreenetworkdeviceswithEasyVPNRemoteenabled,allconnectingtoanEasyVPNserverforconfigurationparameters.

    CiscoVPNClient

    TheCiscoVPNClientissimpletodeployandoperate.Itallowsorganizationstoestablishendtoend,encryptedVPNtunnelsforsecureconnectivityformobileemployeesortelecommuters.

    ToinitiateanIPsecconnectionusingtheCiscoVPNclient,alltheusermustdoisopentheCiscoVPNclientwindow,asshowninFigure1.TheCiscoVPNclientapplicationliststheavailablepreconfiguredsites.TheuserdoubleclicksasitetoselectitandtheVPNclientinitiatestheIPsecconnection.Intheuserauthenticationdialogbox,theuserisauthenticatedwithausernameandpassword,asshowninFigure2.Afterauthentication,theCiscoVPNClientdisplaysaconnectedstatus.

    MostoftheVPNparametersaredefinedontheCiscoIOSEasyVPNServertosimplifydeployment.AfteraremoteclientinitiatesaVPNtunnelconnection,theCiscoEasyVPNServerpushestheIPsecpoliciestotheclient,minimizingconfigurationrequirementsattheremotelocation.

    ThissimpleandhighlyscalablesolutionisidealforlargeremoteaccessdeploymentswhereitisimpracticaltoconfigurepoliciesindividuallyformultipleremotePCs.Thisarchitecturealsoensuresthatthoseconnectionsareusinguptodatesecuritypoliciesandeliminatestheoperationalcostsassociatedwithmaintainingaconsistentpolicyandkeymanagementmethod.

    Note:ConfiguringtheCiscoVPNclientisbeyondthescopeofthiscourse.Checkwww.cisco.comformoreinformation.

    BothIPsecandSSLVPNtechnologiesofferaccesstovirtuallyanynetworkapplicationorresource,asshowninthefigure.SSLVPNsoffersuchfeaturesaseasyconnectivityfromnoncompanymanageddesktops,littleornodesktopsoftwaremaintenance,andusercustomizedwebportalsuponlogin.

    IPsecexceedsSSLinmanysignificantways:

    Numberofapplicationsthataresupported Strengthofencryption Strengthofauthentication Overallsecurity

    Whensecurityisanissue,IPsecisthesuperiorchoice.Ifsupportandeaseofdeploymentaretheprimaryissues,considerSSL.

    IPsecandSSLVPNarecomplementarybecausetheysolvedifferentproblems.Dependingonitsneeds,anorganizationcanimplementoneorboth.ThiscomplementaryapproachallowsasingledevicesuchasanISRrouteroranASAfirewallappliancetoaddressallremoteaccessuserrequirements.WhilemanysolutionsoffereitherIPsecorSSL,Cisco

  • remoteaccessVPNsolutionsofferbothtechnologiesintegratedonasingleplatformwithunifiedmanagement.OfferingbothIPsecandSSLtechnologiesenablesorganizationstocustomizetheirremoteaccessVPNwithoutanyadditionalhardwareormanagementcomplexity.

    VPNsareusedtocreateasecureendtoendprivatenetworkconnectionoverathirdpartynetwork,suchastheInternet.AsitetositeVPNusesaVPNgatewaydeviceattheedgeofbothsites.TheendhostsareunawareoftheVPNandhavenoadditionalsupportingsoftware.

    AremoteaccessVPNrequiressoftwaretobeinstalledontheindividualhostdevicethataccessesthenetworkfromaremotelocation.ThetwotypesofremoteaccessVPNsareSSLandIPsec.SSLtechnologycanprovideremoteaccessusingaclientswebbrowserandthebrowsersnativeSSLencryption.UsingCiscoAnyConnectsoftwareontheclient,userscanhaveLANlike,fullnetworkaccessusingSSL.

    GREisabasic,nonsecuresitetositeVPNtunnelingprotocolthatcanencapsulateawidevarietyofprotocolpackettypesinsideIPtunnels,thusallowinganorganizationtodeliverotherprotocolsthroughanIPbasedWAN.TodayitisprimarilyusedtodeliverIPmulticasttrafficorIPv6trafficoveranIPv4unicastonlyconnection.

    IPsec,anIETFstandard,isasecuretunneloperatingatLayer3oftheOSImodelthatcanprotectandauthenticateIPpacketsbetweenIPsecpeers.Itcanprovideconfidentialitybyusingencryption,dataintegrity,authentication,andantireplayprotection.Dataintegrityisprovidedbyusingahashalgorithm,suchasMD5orSHA.AuthenticationisprovidedbythePSKorRSApeerauthenticationmethod.

    Thelevelofconfidentialityprovidedbyencryptiondependsonthealgorithmusedandthekeylength.Encryptioncanbesymmetricalorasymmetrical.DHisamethodusedtosecurelyexchangethekeystoencryptdata.


Exam en Final Ccna 4

Exam en Final Ccna 4

Documents
CCNA 4 OLD EWAN EX

CCNA 4 OLD EWAN EX

Documents
CCNA 4 EXAMEN FINAL – Redes de conexión _ CCNA V5.pdf

CCNA 4 EXAMEN FINAL – Redes de conexión _ CCNA V5.pdf

Documents
CCNA Exploration 4 Modulo 3

CCNA Exploration 4 Modulo 3

Documents
CCNA 4 Final Exam

CCNA 4 Final Exam

Documents
Capitulo 4 CCNA 1

Capitulo 4 CCNA 1

Technology
CCNA 4 Exam Final Francais

CCNA 4 Exam Final Francais

Documents
CCNA 4 Final

CCNA 4 Final

Documents
CCNA Exploration 4

CCNA Exploration 4

Documents
Chapitre 4 CCNA 4 Version 2012

Chapitre 4 CCNA 4 Version 2012

Documents
CCNA 2 Final Discovery 4

CCNA 2 Final Discovery 4

Documents
CCNA 4 CH2

CCNA 4 CH2

Documents
CCNA 4 Examen

CCNA 4 Examen

Documents
Examenes finales ccna 4

Examenes finales ccna 4

Documents
CCNA - Modulo 4 - Tecnologias WAN

CCNA - Modulo 4 - Tecnologias WAN

Documents
ccna 2 cap 4

ccna 2 cap 4

Documents
Practicas ACL CCNA 4

Practicas ACL CCNA 4

Documents
CCNA 4 - Essentiel

CCNA 4 - Essentiel

Documents
Ccna 4-wan

Ccna 4-wan

Documents
Ccna Discovery 4-1

Ccna Discovery 4-1

Documents
ccna 4 Lab 1.4.1 CompLete

ccna 4 Lab 1.4.1 CompLete

Documents
Ccna 1 pertemuan 4

Ccna 1 pertemuan 4

Education
II Dirigente scolastico - IC BOIARDO · 2019. 4. 2. · completa realizzazione del Piano medesimo, ... CCNA I/ CCNA 2 / CCNA 3 / CCNA 4 punti 5 (x ciascuno) Certificazioni informatiche

II Dirigente scolastico - IC BOIARDO · 2019. 4. 2. · completa realizzazione del Piano medesimo, ... CCNA I/ CCNA 2 / CCNA 3 / CCNA 4 punti 5 (x ciascuno) Certificazioni informatiche

Documents
CCNA 3 y 4

CCNA 3 y 4

Documents
CCNA 4 Capitulo 2

CCNA 4 Capitulo 2

Documents
Ccna 4 Essentiel

Ccna 4 Essentiel

Documents
Cisco CCNA 4 Exploration

Cisco CCNA 4 Exploration

Documents
Capítulo 4 do CCNA

Capítulo 4 do CCNA

Education
Examenes Ccna 4 2012 Eng

Examenes Ccna 4 2012 Eng

Documents
Exam ccna 4

Exam ccna 4

Documents