58 Cards in this Set
Common examples of Layer 3 VPNs |
GRE, Multiprotocol Label Switching (MPLS), IPsec. |
|
GRE |
point-to-point site connections |
|
IPsec and GRE |
any-to-any site connections |
|
Remote-access VPN |
is created when VPN information is not statically set up but instead allows for dynamically changing connection information, which can be enabled and disabled when needed. |
|
Site-to-site VPN |
is created when devices on both sides of the VPN connection are aware of the VPN configuration in advance. |
|
Multiprotocol Label Switching (MPLS) VPN |
a set of sites that are interconnected by means of an MPLS provider core network. When a new site is added to an MPLS VPN, only the service provider's edge device that provides services to the customer site needs to be updated. |
|
Dynamic Multipoint VPN (DMVPN) |
enables the auto-provisioning of site-to-site IPsec VPNs, combining three Cisco IOS software features: Next Hop Resolution Protocol (NHRP), multipoint Generic Routing Encapsulation (GRE), and IPsec VPN. |
|
Group Encrypted Transport VPN (GETVPN) |
uses a trusted group to eliminate point-to-point tunnels and their associated overlay routing. GET VPN is "tunnel-less." All group members share a common security association, also known as a group SA. |
|
Hairpinning |
a situation in which VPN traffic that enters an interface may also be routed out of that same interface. |
|
Split tunneling |
can be used if the corporate policy dictates that VPN traffic must be split between traffic destined for the corporate subnets (trusted) and traffic destined for the Internet (untrusted). |
|
IPsec |
IETF standard (RFC 2401-2412) that protects and authenticates IP packets between source and destination. Protects virtually all traffic from Layer 4 to Layer 7. |
|
IPsec provides these essential security functions: |
Confidentiality using encryption; integrity using hashing algorithms; authentication using Internet Key Exchange (IKE); secure key exchange using the Diffie-Hellman (DH) algorithm. |
|
IPsec Protocol |
Authentication Header (AH), Encapsulation Security Protocol (ESP), or both. AH authenticates the Layer 3 packet. ESP encrypts the Layer 3 packet. |
|
Confidentiality |
Encryption ensures confidentiality of the Layer 3 packet. Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), Software-Optimized Encryption Algorithm (SEAL). |
|
Integrity |
Integrity ensures that data arrives unchanged at the destination, using a hash algorithm such as Message-Digest 5 (MD5) or Secure Hash Algorithm (SHA). |
|
Authentication |
Internet Key Exchange (IKE) is used to authenticate users and devices that can carry out communication independently. |
|
IKE uses several types of authentication: |
username and password; one-time password; biometrics; pre-shared keys (PSKs); digital certificates using the Rivest, Shamir, and Adleman (RSA) algorithm. |
|
Diffie-Hellman |
provides a public key exchange method for two peers to establish a shared secret key. |
|
Several DH groups |
DH 14, 15, 16 and DH 19, 20, 21 and 24. DH 1, 2 and 5 are no longer recommended. |
|
DES |
56-bit key |
|
3DES |
uses three independent 56-bit encryption keys per 64-bit block. |
|
AES |
computationally more efficient than 3DES; 128-bit, 192-bit, or 256-bit keys. |
|
SEAL |
a stream cipher that encrypts data continuously rather than encrypting blocks of data; 160-bit key. |
|
Message-Digest 5 (MD5) |
128-bit shared-secret key. The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. |
|
SHA |
160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 algorithm. The output is a 160-bit hash. |
|
Pre-shared secret key (PSK) |
PSKs do not scale well, because each IPsec peer must be configured with the pre-shared key of every other peer with which it communicates. |
|
RSA |
The local device derives a hash and encrypts it with its private key. The encrypted hash is attached to the message and is forwarded to the remote end and acts like a signature. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine. |
|
DH groups 1, 2, and 5 support |
exponentiation over a prime modulus with a key size of 768 bits, 1024 bits, and 1536 bits, respectively; not recommended. |
|
DH groups 14, 15, and 16 |
2048 bits, 3072 bits, and 4096 bits, respectively; recommended until 2030. |
|
DH groups 19, 20, 21 and 24 |
key sizes of 256 bits, 384 bits, 521 bits, and 2048 bits; support Elliptic Curve Cryptography (ECC), which reduces the time needed to generate keys. DH group 24 is the preferred next-generation encryption. |
|
DH group 1 |
supports only DES and 3DES encryption. |
|
If the encryption or authentication algorithms use a 128-bit key, use |
DH group 14, 19, 20 or 24. |
|
If the encryption or authentication algorithms use a 256-bit key or higher, use |
DH group 21 or 24. |
|
RFC 4869 defines a set of cryptographic algorithms that adhere to National Security Agency (NSA) standards for classified information. Called Suite B, it includes these specified algorithms: |
Encryption should use AES with 128- or 256-bit keys; hashing should use SHA-2; digital signatures should use the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256- or 384-bit prime moduli; key exchange should use Elliptic Curve Diffie-Hellman (ECDH). |
|
Authentication Header (AH) |
IP protocol 51; appropriate only when confidentiality (encryption) is not required or permitted. AH supports MD5 and SHA algorithms. AH may not work if the environment uses NAT. AH achieves authenticity by applying a keyed one-way hash function to the packet to create a hash or message digest. |
|
Encapsulation Security Protocol (ESP) |
IP protocol 50; provides both confidentiality and authentication. The default algorithm for IPsec is 56-bit DES; ESP also supports the use of 3DES, AES, and SEAL. ESP can also enforce anti-replay protection. |
|
Anti-replay |
protection verifies that each packet is unique and is not duplicated. It works by keeping track of packet sequence numbers and using a sliding window on the destination end. |
|
Transport Mode |
security is provided only for the transport layer of the OSI model and above. Protects the payload of the packet but leaves the original IP address in plaintext. The original IP address is used to route the packet. |
|
Tunnel Mode |
provides security for the complete original IP packet. The original IP packet is encrypted and then encapsulated in another IP packet. This is known as IP-in-IP encryption. The IP address on the outside IP packet is used to route the packet. |
|
IKE |
implements key exchange protocols inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. Uses UDP port 500 to exchange IKE information between the security gateways. |
|
IKE uses ISAKMP for phase 1 |
negotiates a security association (a key) between two IKE peers, enabling the IKE peers to communicate securely in Phase 2. The purpose of Phase 1 is to negotiate ISAKMP policy, authenticate the peers, and set up a secure tunnel between the peers. |
|
IKE uses ISAKMP for phase 2 |
IKE establishes keys (security associations) for other applications, such as IPsec. The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be used to secure the IPsec tunnel; this is called quick mode. |
|
Phase 1 modes |
main mode; aggressive mode (faster, but vulnerable to brute-force attacks). |
|
NAT Traversal (NAT-T) |
IKE version 2 supports NAT detection during Phase 1. If both VPN devices are NAT-T capable, and if they detect that they are connecting to each other through a NAT device, NAT-T is auto-detected and auto-negotiated. NAT-T encapsulates ESP packets inside UDP and assigns both the source and destination ports as 4500. |
|
IPsec negotiation steps |
1. Interesting traffic is sent; 2. negotiation of the ISAKMP SA policy; 3. negotiation of the IPsec SA policy; 4. the tunnel is formed; 5. once traffic has ended, the tunnel is terminated. |
|
Site-to-Site IPsec VPN |
the necessary ISAKMP security associations are created on each site; both sites are configured with IPsec security associations. |
|
Configuration tasks for an IPsec VPN |
Task 1: Configure the ISAKMP policy for IKE Phase 1. Task 2: Configure the IPsec policy for IKE Phase 2. Task 3: Configure a crypto map for the IPsec policy. Task 4: Apply the IPsec policy. Task 5: Verify the IPsec tunnel is operational. |
|
Permit ISAKMP traffic |
access-list acl permit udp source wildcard destination wildcard eq isakmp |
|
Permit ESP traffic |
access-list acl permit esp source wildcard destination wildcard |
|
Permit AH traffic |
access-list acl permit ahp source wildcard destination wildcard |
|
What does IPsec need to support EIGRP or OSPF? |
GRE tunneling |
|
HAGLE: the five SA settings to configure |
Hash, Authentication, Group, Lifetime, Encryption |
|
Pre-shared key configuration |
crypto isakmp key keystring address peer-address |
|
Verify that an IPsec tunnel exists |
show crypto isakmp sa |
|
Configure a transform set using the command |
crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac |
|
Crypto map |
crypto map (map-name) (seq-num) ipsec-isakmp |
|
Apply the crypto map to which interface? |
the outbound interface |
|
To verify that a tunnel is working, use |
show crypto isakmp sa and show crypto ipsec sa |