Config Router

You are here: Home / Cisco / Network Security FAQ: Virtual Private Networks

Network Security FAQ: Virtual Private Networks

by

Network Security FAQ: Virtual Private Networks

Q1. Name three types of VPN solutions.

Answer: Three types of VPN solutions include remote access, site-to-site, and firewall-based.

Q2. What are the four major functions of IPSec?

Answer: The four major functions of IPSec are confidentiality, data integrity, origin authentication, and antireplay protection.

Q3. Describe the two HMAC algorithms that are commonly used today to provide data integrity.

Answer: The two HMAC algorithms that are commonly used today to provide data integrity are as follows:

  • HMAC-MD5 This protocol uses a 128-bit shared key. The key and the message combine to form a 128-bit hash.
  • HMAC-SHA-1 This protocol uses a 160-bit shared key. The length of the hash is 160 bits, so this protocol is considered stronger because of the longer key.

Q4. What are the three peer authentication methods used in IPSec?

Answer: Three peer authentication methods used in IPSec are as follows:

  • Preshared keys A secret key is entered into each peer manually.
  • RSA signatures This uses the exchange of digital certificates to authenticate the peers.
  • RSA encryption nonces Nonces (a random number generated by the peers) are encrypted and then exchanged between peers. The two nonces are used during the peer authentication process.

Q5. There are two main IPSec framework protocols available. State their names and give a brief explanation of what they do.

Answer: The two main IPSec framework protocols are as follows:

  • AH AH is the protocol to use when confidentiality is not required. It provides data authentication and integrity for IP packets between two systems. It verifies that the origin of the packet is correct and that the packet is not modified during transport. It does not encrypt the data packet. All text is transported in clear text.
  • ESP This protocol can be used to provide encryption and authentication. It provides confidentiality by performing encryption at the IP packet layer. ESP provides authentication for the IP packet and the ESP header. As with AH, ESP verifies three things: that the packet originated from where it declares it did, that the packet is what it says it is, and that the packet has not been modified during transport.

Q6. Both ESP and AH can be applied to IP packets in two different ways. List those two modes and explain the difference between them.

Answer: The two modes are as follows:

  • Transport mode This mode is primarily used for end-to-end connections between hosts or devices acting as hosts. Transport mode protects the payload of the packet but leaves the original IP address readable. This address is used to route packets through the Internet. Transport mode provides security to the higher layer protocols only.
  • Tunnel mode This mode is used between gateways such as routers, PIX Firewalls, or VPN concentrators. Tunnel mode is used when the final destination is not a host but a VPN gateway. In this mode, instead of shifting the original IP header to the left and then inserting the IPSec header, the original header is copied and shifted to the left to form a new IP header. The IPSec header is then placed between the new and the original IP headers. The original datagram is left intact.

Q7. List the functions for which IKE Phase 1 is responsible.

Answer: IKE Phase 1 is responsible for the following functions:

  • Authenticating the IPSec peers
  • Negotiating an IKE security association between the peers
  • Initiating a secure tunnel for IPSec using the Internet Security Association and Key Management Protocol (ISAKMP)

Q8. List the functions for which IKE Phase 2 is responsible.

Answer: IKE Phase 2 is responsible for the following functions:

  • Negotiating the set of security parameters for the tunnel
  • Creating the IPSec tunnel

Q9. What steps should be completed before configuring a device to use IPSec?

Answer: Before configuring a device to use IPSec, you should complete the following steps:
Step 1. Establish an IKE policy This policy must be identical on both sides of the VPN.
Step 2. Establish an IPSec policy Only certain traffic has to go through the IPSec tunnel. Of course, you can decide to send all traffic between peers through that tunnel, but there is a significant performance penalty when using IPSec. It is better to be selective. As in step 1, both peers need to have the same IPSec policies.
Step 3. Examine the existing configuration Check your devices to avoid conflicts with existing settings on one of the devices.
Step 4. Test the network before IPSec Check whether you can ping the peers that are going to participate in IPSec. If you cannot ping them, you must fix this before you can configure IPSec.
Step 5. Permit IPSec ports and protocols If there are access lists enabled on the devices along the path of the VPN, make sure that those devices permit the IPSec traffic.

Q10. Describe briefly how the IPSec process works.

Answer: The following steps outline how an IPSec process works:
Step 1. Interesting traffic initiates the setup of an IPSec tunnel.
Step 2. IKE Phase 1 authenticates peers and establishes a secure tunnel for IPSec negotiation.
Step 3. IKE Phase 2 completes the IPSec negotiation and establishes the tunnel.
Step 4. Secure VPN communication can occur.
Step 5. When there is no traffic to use IPSec, the tunnel is torn down, either explicitly or because the SA timed out.