Friday, June 12, 2009

IPSec and VPN - overview

Secure network communication is of utmost importance in today's business world. Having worked in network security for the past several years, I find that the only thing that seems to trump security is cost. If something costs too much, companies are usually willing to take a risk. That's why things like HIPAA and SOX come into play, and while they sometimes make life difficult, I'm glad they are there to keep our information safe.

At any rate, IPSec is a layer 3 protocol framework that encrypts everything from layer 4 up to layer 7. I call it a framework because it is really a set of rules into which you plug other protocols (for encryption, integrity checking and key exchange) and configure them to work together. This way, as encryption protocols become outdated and compromised, IPSec can simply plug in the latest and greatest protocol and off you go!

IPSec handles encryption, which is securing your data from anyone else being able to read it. Protocols used for encryption are (ordered from weakest to strongest): DES, 3DES, AES. DES uses a 56-bit key, 3DES runs DES three times, and AES uses 128-, 192- or 256-bit keys. These are all examples of symmetric encryption, where the key that is used to encrypt data is also used to decrypt it. Asymmetric encryption, such as that used in PKI, uses a public/private key pair. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.

To solve the problem of having to configure symmetric encryption keys on all parties attempting to secure data between themselves, Diffie-Hellman Key Exchange (or DH) is used. DH works by having both parties exchange the results of a mathematical calculation over the open network and use those results to compute the same shared secret key, which never itself crosses the wire.
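The exchange described above, worked through in code as an added illustration that is not part of the original post. Assumptions: the 127-bit Mersenne prime 2**127 - 1 and generator 3 are a demonstration group only (IKE uses the much larger standardized MODP groups from RFC 3526), and hashing the shared secret with SHA-256 is a stand-in for IKE's real key-derivation step. Each peer keeps its own exponent secret, publishes only G**exponent mod P, and both arrive at the same symmetric key without it ever being transmitted.

```python
"""Toy Diffie-Hellman exchange (added illustration, not from the original post).

Assumptions: P and G below form a demonstration group only; real IKE uses the
RFC 3526 MODP groups. derive_key() is a simplification of IKE key derivation.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (assumption: demonstration only)
G = 3            # toy generator


def private_key():
    """Random exponent in [2, P-2]; each peer keeps this to itself."""
    return secrets.randbelow(P - 3) + 2


def public_value(priv):
    """The value a peer sends in the clear: G**priv mod P."""
    return pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Combine our own secret with the peer's public value: peer_pub**priv mod P.

    Values 0, 1 and P-1 are rejected because they collapse the result to a
    trivial value, which is the kind of check a real implementation must make.
    """
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_key(secret, length=32):
    """Hash the shared secret down to a fixed-size symmetric key (e.g. for AES)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()[:length]


def exchange():
    """Run both sides of the exchange and return the two independently derived keys."""
    a = private_key()
    A = public_value(a)      # Alice -> Bob (observable on the wire)
    b = private_key()
    B = public_value(b)      # Bob -> Alice (observable on the wire)
    key_a = derive_key(shared_secret(a, B))
    key_b = derive_key(shared_secret(b, A))
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = exchange()
    print("keys match:", ka == kb)
```

An eavesdropper sees P, G, A and B but not a or b, and recovering them from the public values is the discrete logarithm problem; the symmetric key built from the result is what IPSec then uses for DES/3DES/AES.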

SSL uses asymmetric encryption, a public and private key, to secure the transmission of a shared secret key. Essentially, once the SSL connection is initiated, the sending party uses the receiving party's public key to encrypt a shared secret key that it generated. Only the receiver can decrypt it, because only they have their private key.

Authentication and data integrity are handled by the older MD5 and the newer, more secure SHA-1. These algorithms run a mathematical function over the data to be sent, creating a "hash" that identifies that data. When the receiving party runs the same algorithm against the received data, it will come up with the same hash. If the hash is different, the data has been corrupted or modified in transit and the receiving party can discard it.
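The integrity check described above, as an added example that is not part of the original post. IPSec does not use a bare MD5 or SHA-1 hash, because anyone who modified the packet could simply recompute it; AH and ESP use the keyed HMAC form (HMAC-MD5-96 and HMAC-SHA-1-96), truncated to 96 bits on the wire, so that only a holder of the shared key can produce a valid tag. The key and the payload below are constructed for the example.

```python
"""HMAC integrity tags for packet payloads (added illustration, not from the post).

Assumptions: SAMPLE_KEY and SAMPLE_PAYLOAD are constructed demo values; the
96-bit truncation mirrors the HMAC-MD5-96 / HMAC-SHA-1-96 transforms used by
AH and ESP.
"""
import hashlib
import hmac

TAG_LEN = 12  # 96 bits, the truncated tag length AH/ESP carry on the wire


def make_tag(key, payload, algo="sha1"):
    """Compute a keyed hash over the payload and truncate it to TAG_LEN bytes."""
    return hmac.new(key, payload, getattr(hashlib, algo)).digest()[:TAG_LEN]


def verify(key, payload, tag, algo="sha1"):
    """Recompute the tag and compare in constant time; False means discard the packet."""
    return hmac.compare_digest(make_tag(key, payload, algo), tag)


SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"          # constructed
SAMPLE_PAYLOAD = b"GET /payroll HTTP/1.1\r\nHost: intranet.example\r\n\r\n"  # constructed


def demo(algo="sha1"):
    """Tag a payload, then show that an in-transit modification is caught.

    Returns (original_accepted, tampered_rejected).
    """
    tag = make_tag(SAMPLE_KEY, SAMPLE_PAYLOAD, algo)
    original_ok = verify(SAMPLE_KEY, SAMPLE_PAYLOAD, tag, algo)
    # Simulate a man-in-the-middle rewriting one field; the old tag no longer matches.
    tampered = SAMPLE_PAYLOAD.replace(b"/payroll", b"/public")
    tampered_rejected = not verify(SAMPLE_KEY, tampered, tag, algo)
    return original_ok, tampered_rejected


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, demo(name))
```

The receiver never compares tags with `==`; `hmac.compare_digest` runs in constant time so a forger cannot learn the correct tag byte by byte from timing differences.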

Lastly, the IPSec protocol itself consists of AH (Authentication Header) and ESP (Encapsulating Security Payload). AH was developed first and only provided authentication and data integrity; ESP was developed to add the encryption that AH lacked.

VPN technologies are available in most modern versions of Cisco IOS, making those routers what Cisco calls "ISRs" or "Integrated Services Routers." VPN technology is also included in the ASA (Adaptive Security Appliance). The three main benefits of using VPN technology are that: 1) it costs less to use an Internet connection to secure communication between remote sites than point-to-point leased lines; 2) it provides higher-speed connectivity to remote users by means of broadband and DSL connections at remote sites, compared to the old dial-up lines companies used to use; and 3) scalability is enhanced because new remote sites can be brought online without significant infrastructure enhancements. The downside to VPN technology is that the Internet is not typically as reliable as a point-to-point line, and there is increased overhead on routers and firewalls as they handle the encryption and decryption of data.

There are two types of VPNs: Site-to-site and remote-access.

Site-to-site VPNs create a secure "tunnel" through the Internet from one site to another. The users in one site have no idea what type of equipment their data passes through. As far as they are concerned, it is a direct connection. The Internet doesn't see any of the users' data, because it is encrypted before it traverses the line. These are configured to be either "permanent" or "semi-permanent": the permanent VPN is always up, offering speed but greater overhead because the tunnel is up whether you are using it or not. Semi-permanent VPNs are brought up by the sending device when data needs to go to the remote site, and torn down when they are no longer in use. This takes a load off the router or firewall, but there will be some latency in the initial connection.

Remote-access VPNs are always semi-permanent. They are brought online when a user establishes a connection to the firewall or router by use of a client. Historically, users would load up a VPN client application that the administrator had configured for them, enter their username and password (or token if 3-factor authentication is being used), and they would have network connectivity as if on the LAN. The latest and greatest method of remote-access VPN for Cisco is the SSL VPN, also called WebVPN or Clientless VPN (they are all names for the same thing).

With WebVPN, the user accesses a secure website (watch for the https:// in the URL). Once engaged in the secure web communication, they authenticate by means of a username and password. At that point, as long as the web connection stays open, they are securely connected to the LAN. In a true clientless situation, they are presented with a directory listing in the web browser of the resources to which they have access. In thin-client situations, an ActiveX or Java client is downloaded and run on the remote user's machine, giving them the ability to use any TCP-based application on their computer. The clientless connection does not allow a user to run programs on their computer.

There is much, much, much more involved in these technologies, but from what I gather all we need for the CCNA is the broad overview and familiarity with the terms and protocols. I'll leave the in-depth analysis for my future certification blog...
