Network Security FAQ: Virtual Private Networks
Q1. Name three types of VPN solutions.
Q2. What are the four major functions of IPSec?
Q3. Describe the two HMAC algorithms that are commonly used today to provide data integrity.
Answer: The two HMAC algorithms commonly used in IPSec to provide data integrity are as follows:
- HMAC-MD5 In IPSec (HMAC-MD5-96, RFC 2403) the shared key is 128 bits. The key and the message are combined by the HMAC construction to produce a 128-bit hash, of which only the first 96 bits are carried as the integrity check value (ICV) in the AH or ESP header.
- HMAC-SHA-1 In IPSec (HMAC-SHA-1-96, RFC 2404) the shared key is 160 bits and the hash is 160 bits, again truncated to 96 bits for the ICV. HMAC-SHA-1 is considered the stronger of the two because of the longer key and the longer, more collision-resistant digest. Both MD5 and SHA-1 are deprecated for new deployments; where the peers support it, HMAC-SHA-256 or stronger should be selected instead.
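The two profiles above, worked through in code. This is an added example, not part of the original FAQ: it computes the truncated 96-bit ICV exactly as AH and ESP carry it, enforces the key lengths the IPSec profiles fix, verifies in constant time, and checks itself against test case 1 of RFC 2202 (the published HMAC-MD5 and HMAC-SHA-1 known-answer vectors). The key generation, the sample payload and the `tamper_demo` function are constructed for illustration; in a real SA the keys come from IKE.

```python
import hmac
import os

# IPSec integrity profiles: (hashlib name, required key length in bytes).
# Key sizes are those fixed by RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96);
# HMAC itself accepts any key length, but the IPSec profiles mandate these.
PROFILES = {
    "HMAC-MD5-96": ("md5", 16),     # 128-bit key, 128-bit digest
    "HMAC-SHA-1-96": ("sha1", 20),  # 160-bit key, 160-bit digest
}
ICV_LEN = 12  # both profiles carry only the first 96 bits of the tag in the AH/ESP ICV field


def generate_key(profile):
    """Fresh random key of the length the profile requires (constructed here; IKE derives it in practice)."""
    return os.urandom(PROFILES[profile][1])


def icv(profile, key, data):
    """Compute the truncated ICV that AH or ESP would place in the packet."""
    hash_name, key_len = PROFILES[profile]
    if len(key) != key_len:
        raise ValueError(f"{profile} requires a {key_len * 8}-bit key, got {len(key) * 8} bits")
    full_tag = hmac.new(key, data, hash_name).digest()  # 128 or 160 bits
    return full_tag[:ICV_LEN]


def verify(profile, key, data, received_icv):
    """Receiver side: recompute the tag and compare it with the received ICV in constant time."""
    return hmac.compare_digest(icv(profile, key, data), received_icv)


# Known-answer check: test case 1 of RFC 2202 (key of repeated 0x0b, data "Hi There").
# The expected values are the published digests truncated to 96 bits.
RFC2202_CASE1 = {
    "HMAC-MD5-96": (b"\x0b" * 16, bytes.fromhex("9294727a3638bb1c13f48ef8")),
    "HMAC-SHA-1-96": (b"\x0b" * 20, bytes.fromhex("b617318655057264e28bc0b6")),
}


def known_answer_check():
    """True if both profiles reproduce the RFC 2202 vectors after truncation."""
    return all(icv(p, key, b"Hi There") == expected
               for p, (key, expected) in RFC2202_CASE1.items())


def tamper_demo(profile):
    """Return (valid_on_original, valid_after_tamper) for a constructed sample payload."""
    key = generate_key(profile)
    packet = b"constructed sample payload: TCP segment bytes"
    tag = icv(profile, key, packet)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])  # flip one bit in transit
    return verify(profile, key, packet, tag), verify(profile, key, tampered, tag)


if __name__ == "__main__":
    print("RFC 2202 known-answer check:", known_answer_check())
    for profile in PROFILES:
        print(profile, "original/tampered verify:", tamper_demo(profile))
```

The truncation is deliberate: RFC 2104 permits sending only the leading bits of the tag, and 96 bits was chosen so that the ICV fits the 32-bit alignment of the AH and ESP headers. Verification must always recompute the full HMAC and then truncate; comparing anything else, or comparing with `==`, gives an attacker either a shortcut or a timing side channel.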
Q4. What are the three peer authentication methods used in IPSec?
Answer: Three peer authentication methods used in IPSec are as follows:
- Preshared keys The same secret key is entered into each peer manually, and each peer proves knowledge of it during IKE Phase 1. The key must be distributed out of band, and a weak key is exposed to dictionary attacks (notably when aggressive mode is used), so this method scales poorly beyond a small number of peers.
- RSA signatures Each peer signs the exchange with its private key and sends its digital certificate so the other peer can verify the signature; the certificates are normally issued by a common certificate authority.
- RSA encrypted nonces Nonces (random numbers generated by the peers) are encrypted with the other peer's public key and then exchanged. Only the holder of the matching private key can recover them, and the decrypted nonces are used during the peer authentication process. This method requires each peer's public key to be configured in advance.
Q5. There are two main IPSec framework protocols available. State their names and give a brief explanation of what they do.
Answer: The two main IPSec framework protocols are as follows:
- AH Authentication Header (IP protocol 51) is the protocol to use when confidentiality is not required. It provides data authentication and integrity for IP packets between two systems: it verifies that the packet originated from the claimed source and that it was not modified during transport. Its integrity check covers the payload and those fields of the IP header that do not change in transit, so the IP addresses themselves are protected; this is also why AH does not survive NAT. AH does not encrypt the data packet; all data is transported in clear text.
- ESP Encapsulating Security Payload (IP protocol 50) can provide encryption, authentication, or both. It provides confidentiality by encrypting the payload at the IP packet layer. ESP's authentication covers the ESP header, the encapsulated payload and the ESP trailer, but not the outer IP header; protecting the outer header requires AH. As with AH, ESP verifies that the packet originated from the claimed peer, that it belongs to the security association identified by its SPI, and that it has not been modified during transport. The sequence number in both headers also provides anti-replay protection.
Q6. Both ESP and AH can be applied to IP packets in two different ways. List those two modes and explain the difference between them.
Answer: The two modes are as follows:
- Transport mode This mode is primarily used for end-to-end connections between hosts (or devices acting as hosts). The original IP header is kept, so the original source and destination addresses stay readable and are used to route the packet through the Internet. The IPSec header is inserted between the IP header and the payload, and the protocol field of the IP header is set to AH (51) or ESP (50). Transport mode protects the payload only, that is, the higher layer protocols.
- Tunnel mode This mode is used between gateways such as routers, PIX Firewalls or VPN concentrators, or between a remote host and a gateway; the IPSec endpoint is a VPN gateway rather than the final destination. Instead of inserting the IPSec header into the original packet, the gateway builds a new outer IP header addressed from itself to the peer gateway, places the IPSec header after it, and carries the entire original datagram (its header included) as the protected payload. The original datagram is left intact, and with ESP its addresses are hidden from the transit network.
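The encapsulation described in Q5 and Q6, built byte by byte. This is an added example and not code from the original FAQ. It uses ESP with NULL encryption (RFC 2410, the `esp-null` transform) and HMAC-SHA-1-96 authentication so the framing is visible without a cipher, then shows what distinguishes the two modes: which IP header leads the packet, where the original header ends up, and the fact that the ESP ICV does not cover the outer IP header. The sample host-to-host packet, the gateway addresses (203.0.113.x), the SPIs and the key are constructed for the example, and the IPv4 header checksum is left at zero.

```python
import hmac
import struct

ESP = 50       # IP protocol number for ESP (AH is 51)
TCP = 6
IPIP = 4       # "next header" value meaning an entire IPv4 packet follows (tunnel mode)
ICV_LEN = 12   # HMAC-SHA-1-96 integrity check value
IPV4_HDR = 20


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header, no options. Header checksum is left at zero in this example."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)


def esp_null_encapsulate(spi, seq, inner, next_header, auth_key):
    """ESP with NULL encryption (RFC 2410) and HMAC-SHA-1-96 authentication.

    Layout: SPI | sequence | payload | padding | pad length | next header | ICV.
    Padding makes (payload + 2 trailer bytes) a multiple of 4 so the trailer ends on a 32-bit boundary.
    The ICV covers everything from the SPI to the next-header byte and nothing before the SPI.
    """
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    authenticated = struct.pack("!II", spi, seq) + inner + trailer
    icv = hmac.new(auth_key, authenticated, "sha1").digest()[:ICV_LEN]
    return authenticated + icv


def transport_mode(orig, spi, seq, auth_key):
    """Keep the original IP header (addresses stay readable), set its protocol to ESP,
    and protect only the transport-layer payload."""
    hdr, payload = bytearray(orig[:IPV4_HDR]), orig[IPV4_HDR:]
    esp = esp_null_encapsulate(spi, seq, payload, hdr[9], auth_key)  # next header = original protocol
    hdr[9] = ESP
    struct.pack_into("!H", hdr, 2, IPV4_HDR + len(esp))  # fix total length
    return bytes(hdr) + esp


def tunnel_mode(orig, gw_src, gw_dst, spi, seq, auth_key):
    """Leave the original datagram intact as the ESP payload and prepend a new outer IP header
    addressed gateway-to-gateway; the IPSec header sits between the outer and original headers."""
    esp = esp_null_encapsulate(spi, seq, orig, IPIP, auth_key)
    return ipv4_header(gw_src, gw_dst, ESP, IPV4_HDR + len(esp)) + esp


def verify_icv(pkt, auth_key):
    """Receiver-side check: recompute the ICV over the ESP header, payload and trailer.
    The outer IP header is not part of the computation, so changes to it are not detected by ESP."""
    esp = pkt[IPV4_HDR:]
    body, received = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(auth_key, body, "sha1").digest()[:ICV_LEN], received)


def sample_packet():
    """Constructed host-to-host packet: IPv4 from 10.1.1.10 to 10.2.2.20 carrying a bare TCP SYN header."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header("10.1.1.10", "10.2.2.20", TCP, IPV4_HDR + len(tcp)) + tcp


def flip_byte(pkt, offset):
    """Simulate in-transit corruption or tampering of one byte."""
    out = bytearray(pkt)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    key = b"\x11" * 20  # constructed 160-bit HMAC-SHA-1 key; IKE would normally derive it
    orig = sample_packet()
    t = transport_mode(orig, 0x1001, 1, key)
    u = tunnel_mode(orig, "203.0.113.1", "203.0.113.2", 0x1002, 1, key)
    print("transport: proto", t[9], "src", list(t[12:16]), "len", len(t))
    print("tunnel:    proto", u[9], "src", list(u[12:16]), "len", len(u), "inner intact:", u[28:68] == orig)
    print("tunnel ICV ok:", verify_icv(u, key),
          "| inner byte flipped:", verify_icv(flip_byte(u, 40), key),
          "| outer dst flipped:", verify_icv(flip_byte(u, 16), key))
```

In the tunnel-mode packet the original 40-byte datagram sits unchanged at offset 28, after the 20-byte outer header and the 8-byte ESP header, and the outer addresses are the gateways' rather than the hosts'. Flipping a byte inside the encapsulated datagram fails verification, while flipping the outer destination address still verifies: ESP simply does not authenticate the outer header, which is the reason AH exists and the reason ESP, unlike AH, works through NAT.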
Q7. List the functions for which IKE Phase 1 is responsible.
Answer: IKE Phase 1 is responsible for the following functions:
- Authenticating the IPSec peers
- Negotiating an IKE security association between the peers
- Establishing a secure, authenticated channel (the ISAKMP SA) using the Internet Security Association and Key Management Protocol (ISAKMP), including a Diffie-Hellman exchange that produces the shared secret from which the IPSec keys are later derived; Phase 2 is negotiated over this channel
Q8. List the functions for which IKE Phase 2 is responsible.
Answer: IKE Phase 2 is responsible for the following functions:
- Negotiating the set of security parameters for the tunnel (the IPSec transform set: AH or ESP, the cipher and HMAC algorithms, the mode, and the SA lifetimes)
- Creating the IPSec security associations that form the tunnel (one SA per direction, each identified by its SPI), deriving their keys from the Phase 1 secret, and renegotiating them when they expire
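The relationship between the two phases (Q7 and Q8), simulated for both peers in one process. This is an added example, not part of the original FAQ. It follows the IKEv1 key derivation for pre-shared-key authentication in RFC 2409 section 5: Phase 1 performs a Diffie-Hellman exchange in Oakley group 2 and derives SKEYID, SKEYID_d, SKEYID_a and SKEYID_e, the responder authenticates the initiator by recomputing HASH_I, and Phase 2 (quick mode without PFS) derives the keying material for one ESP SA from SKEYID_d. The prf is HMAC-SHA-1 on the assumption that the Phase 1 policy negotiated SHA-1; the cookies, nonces, SA payload body, ID payload and SPI are constructed at random for each run; only HASH_I is checked (HASH_R is symmetric).

```python
import hmac
import os

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2. Used so the exchange is a
# real one; a group this small is considered weak today and group 14 or larger should be configured.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = 128  # bytes; g^x and g^xy are encoded as fixed-length big-endian integers


def prf(key, data):
    """The IKE prf for a policy whose hash is SHA-1 is HMAC-SHA-1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, "sha1").digest()


def dh_keypair():
    x = int.from_bytes(os.urandom(32), "big")        # private exponent
    return x, pow(G, x, P).to_bytes(P_LEN, "big")     # public value g^x


def dh_shared(x, peer_public):
    return pow(int.from_bytes(peer_public, "big"), x, P).to_bytes(P_LEN, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Phase 1 key derivation for pre-shared-key authentication (RFC 2409 section 5).
    SKEYID_d seeds Phase 2 keys, SKEYID_a authenticates IKE messages, SKEYID_e encrypts them."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """Initiator's authentication hash: proves knowledge of SKEYID (hence of the PSK) and binds the DH values."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, length):
    """Quick mode keying material without PFS (RFC 2409 section 5.5):
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), K2 = prf(SKEYID_d, K1 | protocol | SPI | Ni_b | Nr_b), ..."""
    out, prev = b"", b""
    while len(out) < length:
        prev = prf(skeyid_d, prev + protocol + spi + ni2 + nr2)
        out += prev
    return out[:length]


def run_exchange(psk_initiator, psk_responder):
    """Simulate both peers. Returns (responder_accepts_initiator, phase2_keys_match)."""
    # Phase 1: cookies, nonces and a DH exchange (all values constructed at random for this run)
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    ni, nr = os.urandom(16), os.urandom(16)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    sai_b = b"\x00\x00\x00\x01constructed SA payload body"    # SA proposal body, sent in the clear
    idii_b = b"\x01\x00\x00\x00" + bytes([10, 0, 0, 1])        # ID payload: type 1 (IPV4_ADDR), 10.0.0.1

    # Each side derives keys from its own copy of the pre-shared key
    gxy_i = dh_shared(xi, gxr)
    gxy_r = dh_shared(xr, gxi)
    skeyid_i, skeyid_d_i, _, _ = phase1_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    skeyid_r, skeyid_d_r, _, _ = phase1_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)

    # Peer authentication: the responder recomputes HASH_I and compares it with the value the initiator sent
    sent = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    expected = hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    authenticated = hmac.compare_digest(sent, expected)

    # Phase 2: key one ESP SA (proposal protocol 3 = PROTO_IPSEC_ESP, RFC 2407) from SKEYID_d
    # and fresh quick-mode nonces; 20 bytes is enough for one HMAC-SHA-1-96 authentication key
    spi = os.urandom(4)
    ni2, nr2 = os.urandom(16), os.urandom(16)
    keymat_i = phase2_keymat(skeyid_d_i, b"\x03", spi, ni2, nr2, 20)
    keymat_r = phase2_keymat(skeyid_d_r, b"\x03", spi, ni2, nr2, 20)
    return authenticated, keymat_i == keymat_r


if __name__ == "__main__":
    print("matching PSK  (authenticated, phase2 keys agree):", run_exchange(b"correct-psk", b"correct-psk"))
    print("mismatched PSK (authenticated, phase2 keys agree):", run_exchange(b"correct-psk", b"wrong-psk"))
```

With matching pre-shared keys both peers arrive at the same SKEYID, the responder's recomputed HASH_I equals the one it received, and both derive identical Phase 2 KEYMAT. With a mismatched key HASH_I fails, and even if the responder carried on, its SKEYID_d would differ and no usable IPSec SA could be keyed. Note that every Phase 2 key is a function of SKEYID_d: without PFS (a separate Diffie-Hellman exchange in quick mode) compromise of the Phase 1 secret exposes all IPSec SAs it ever keyed.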
Q9. What steps should be completed before configuring a device to use IPSec?
Q10. Describe briefly how the IPSec process works.