CCNA Complete Guide 2nd Edition.pdf - Cisco Learning Home
CCNA Complete Guide 2nd Edition.pdf - Cisco Learning Home
CCNA Complete Guide 2nd Edition.pdf - Cisco Learning Home
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
- The Internet Security Association and Key Management Protocol (ISAKMP) defines the<br />
procedures for authenticating peers, IKASAMP and IPsec SAs establishment, negotiation,<br />
modification, and deletion; key generation, and threat mitigation (eg: DoS and replay attacks).<br />
- Instead of ISAKMP (the use of ipsec-isakmp keyword along with the crypto map global<br />
configuration command), manual keying (the use of ipsec-manual keyword along with the<br />
crypto map global configuration command) which require manual entry of the shared secret<br />
session keys (used for hashing and encryption) on both crypto endpoints is also possible.<br />
- IPsec operation requires both ends to be configured with the same transform set, which<br />
specifies the methods for encrypt and decrypt the data. IPsec uses 2 primary security protocols –<br />
Authentication Header (AH) and Encapsulating Security Payload (ESP). These protocols are<br />
used for secured data transmission through an IPsec-based VPN tunnel. IPsec-based VPNs can<br />
be established using AH only, ESP only, or both AH and ESP.<br />
- The Authentication Header (AH) protocol provides authentication for both the IP header and<br />
data of a packet using a one-way hash function. The sender first generates a one-way hash, and<br />
then the receiver generates the same one-way hash. If the packet has changed in any way,<br />
it won’t be authenticated and will be dropped. IPsec relies upon AH to guarantee authenticity.<br />
AH provides integrity check on the entire packet, but it doesn’t provide any encryption services.<br />
- ESP only provides integrity check (and encrypts) on the data of a packet (and the ESP header);<br />
while AH checks the entire packet – both header and data. AH is used for authentication only,<br />
while ESP can be used for either encryption or authentication only; or both.<br />
- Although AH and ESP are typically used independently, they are often being used together to<br />
provide data encryption service. Note: It is important to use authentication even if encryption is<br />
used, as encrypt-only implementations are subject to some forms of effective attacks.<br />
- ESP provides the following 4 functionalities or capabilities:<br />
Confidentiality (Encryption) Provided through the use of symmetric encryption algorithms,<br />
eg: DES, 3DES. Confidentiality can be selected separately<br />
from all other services, but the confidentiality selected must be<br />
the same on all VPN endpoints.<br />
Data Origin Authentication<br />
and Connectionless Integrity<br />
Joint services offered as an option in conjunction with the<br />
confidentiality option. Authentication ensures that the<br />
connection is established with the desired system.<br />
Anti-Replay Protection This service works only if data origin authentication is<br />
selected. It is based upon the receiver – it is effective only if<br />
the receiver checks the sequence number of the received<br />
packets with a sliding window of the destination gateway or<br />
host to prevent replay attacks.<br />
Traffic Flow Confidentiality This service works only when tunnel mode is selected.<br />
It is most effective if implemented at a security gateway,<br />
where the source-destination patterns of attacks is visible.<br />
- The degree of security of IPsec VPN is based on the encryption algorithm used and the length of<br />
the pre-shared key. The longer the key, the harder it is to be broken.<br />
- IPsec is not bound to any specific encryption or authentication algorithm, keying or technology,<br />
or security algorithms, which allows IPsec to support newer and better algorithms.<br />
297<br />
Copyright © 2008 Yap Chin Hoong<br />
yapchinhoong@hotmail.com