due 3/27/13

Master level response!! 2 QUESTIONS….2 REFERENCES PER ANSWERS. DO NOT USE WIKI,

ONE REFRENCE MUST BE FROM ATTACH MODULE THE OTHER FROM THE INTERNET. 130 WORDS PER ANSWER

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

CSEC 640

Contents
Topic 1: Analogy ……………………………………………………………………………………………………………… 2

A Different Way to Connect …………………………………………………………………………………………… 2
Topic 2: Module Introduction …………………………………………………………………………………………….. 4
Topic 3: Basics of Virtual Private Networks …………………………………………………………………………. 5

Introduction …………………………………………………………………………………………………………………. 5
Tunneling ……………………………………………………………………………………………………………………. 7

Topic 4: IPsec Virtual Private Networks ……………………………………………………………………………… 9
Introduction to IPsec …………………………………………………………………………………………………….. 9
IPsec Mode ……………………………………………………………………………………………………………….. 10
IPsec Security Association …………………………………………………………………………………………… 14

Topic 5: IPsec Components ……………………………………………………………………………………………. 15
Introduction to IPsec Components ………………………………………………………………………………… 15
Authentication Header ………………………………………………………………………………………………… 16
Activity: Identifying Mutable Fields ………………………………………………………………………………… 17
Authentication Header (AH) Modes ………………………………………………………………………………. 18
IPsec Encapsulating Security Payload (ESP) …………………………………………………………………. 19
Encapsulating Security Payload (ESP) Modes ……………………………………………………………….. 21
Cryptographic Key Management Procedures and Protocols …………………………………………….. 22
Activity: Making a Secure VPN Connection ……………………………………………………………………. 24

Topic 6: Summary………………………………………………………………………………………………………….. 30
Glossary ……………………………………………………………………………………………………………………….. 31

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

CSEC 640

Topic 1: Analogy

A Different Way to Connect

IPsec VPN
CSEC 640 – Module 8

A Different Way to Connect
A virtual private network (VPN) uses the Internet to establish connections between
members spread over wide geographic areas as if they were on a local private network.

To better understand how a VPN works, compare the remote sites and users of a private
network to a group of islands. The inhabitants of the Faraway Islands use a series of
connections to travel between the islands. The analogy explains how these connections
are similar to a VPN.

Analogy

Step 1
The individual islands comprising the Faraway Islands are connected by waterways.

Similarly, the members of a network are connected to each other through the Internet.

Step 2
The residents of the Faraway Islands usually travel from one island to another by using a
public transport system such as a ferry. However, they have no control over the route or
schedule.

In addition, although the public ferry is cheap, it does not offer the islanders any privacy.
Fellow travelers can easily guess where people are headed and see what cargo is being
carried.

Similarly, companies with remote offices and remote workers usually use Web servers to
connect with each other. Internet users have no control over the wires and routers of
public servers.

Also, even though using the Internet is cheap, it offers little privacy. Other users can
often see which users are connected and what data is being transmitted between them.

Step 3
To overcome the disadvantages of using a public ferry, the residents can build a bridge
connecting the islands.

However, building a bridge is practical only if the distance between the islands is short,
the traffic is frequent, and the cost is not too high.

Similarly, although networks can be connected using wide area networks (WANs) and
leased lines, the cost of connections is determined by the distance between a network’s
members.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

CSEC 640

Sometimes, the cost of connecting to a small, far-flung remote site could be many times
that of connecting to a larger site nearby.

Step 4
The islanders also have the option of buying their own boats. With a private ferry,
travelers can plan their routes as well as their schedules at their convenience.

Also, even if other travelers see the private boat in the ocean, they have no inkling about
its source, its destination, or what is being carried in the boat.

Similarly, the installation of a VPN offers a different and private way to connect over the
public Internet. A VPN allows its users to schedule and route their data in a secure way.

Step 5
Private ownership of boats necessitates building marinas on the islands to enable
connections. Boat owners are free to choose from several marinas. In turn, marina
owners can support many types of boats.

Similarly, companies opting for a VPN need VPN components such as VPN gateways
and VPN client software to establish connections.

Step 6
Boat owners can keep adding to the existing number of private boats and routes.

Similarly, a VPN can be scaled to accommodate more users and locations without
replacing the existing infrastructure.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 2: Module Introduction

Today, most businesses are Internet-driven. The ever-evolving Internet helps companies
extend business networks to tap a world of opportunities. The use of the Internet started
with companies setting up intranets to offer their employees a secure means to
communicate with each other. Now the Internet helps companies create their own VPNs
to accommodate their growing telecommuting requirements through a secure and
scalable private network.

This module examines the basics of a VPN. It discusses different VPN architectures, the
basis of VPN technology, and modes of data transmission. The module explores Internet
Protocol Security (IPsec) and its components. It also covers the phases involved in
setting up secure IPsec tunnels between endpoints.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 3: Basics of Virtual Private Networks

Introduction

VPNs are based on the concept of creating a private “tunnel” to route data over an
insecure public infrastructure such as the Internet. With VPN technology, Host A in the
private local area network (LAN) A can securely communicate with Host B in another
network as if Host B were located in the private LAN A.

A typical VPN might consist of a main LAN at the headquarters of a company, other
LANs at the branch offices, and remote users that connect from the field.

VPN Types
VPNs use two types of VPN architecture to transport data: remote access VPN, or host-
to-gateway architecture, and site-to-site intranet VPN, or gateway-to-gateway
architecture.

1. Remote Access VPN Architecture

A remote access VPN is a user-to-LAN connection enabled by deploying a VPN
router or gateway on the network. A remote access VPN allows people in remote
geographic locations to establish secure connections with their company’s network
and work as if they were plugged in directly.

Consider the case of Cohere Auto Spares Manufacturer (CASM), an organization
with corporate headquarters in Baltimore, Maryland, and 12 branch offices across
North America, Europe, and Asia. In addition, the company has a sizeable number of
salespeople in the field and an equal number of employees working from their
homes.

CASM uses leased lines and maintains a WAN to connect its workforce across the
globe. However, maintaining the WAN using leased lines is expensive because of
the increase in the number of connections to the CASM network. In addition, the cost
of maintaining the connections increases with the distance between the offices and
the length of time that the employees stay connected.

Companies such as CASM can deploy a VPN router or gateway onto their network to
enjoy the benefits of remote access VPN architecture, of which some are listed
below.

Reduction in Networking Costs
Remote users usually use dial-up access to connect from their homes or other
remote locations to their company’s network. A dial-up connection is comparable to a
long-distance carrier that requires payments to be made to the intermediaries who
have facilitated the connection. However, remote access VPN users do not have to
pay any intermediaries since they can use the Internet and therefore achieve
significant reduction in costs.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Security
Regardless of an employee’s location, a VPN allows remote users to share sensitive
resources without the fear of interception or loss of security.

2. Site-to-Site Intranet VPN
In a site-to-site intranet VPN, a secure connection can be established between
different physical locations such as the headquarters, remote offices, and branch
offices of an organization. Gateways exist at various physical locations within the
same business, and tunnels are created using IPsec.

For companies like CASM, which need to link remote users from homes and sales
fields as well as hundreds of employees across CASM’s branch offices, a site-to-site
intranet VPN is an apt choice. VPN gateways at the CASM office sites ensure the
establishment of secure communication channels. Therefore, an employee on a
computer in the Baltimore office can communicate with another employee in the
Fairfax, Virginia, office through this secure VPN channel without being aware of the
channel in between.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 3: Basics of Virtual Private Networks

Tunneling

The key concept of VPNs is tunneling. Tunneling is the technique of moving data
through a public network such that the routing nodes in the public network do not
recognize that the data transmission is part of a private network. Tunneling allows users
to establish private network connections to send data over public networks. That is why
this technology is called a virtual private network.

Types of Tunneling
Using tunneling protocols provides a standardized way of encapsulating data packets.
Several tunneling protocols have been developed for securing VPN connections, and
they can be broadly classified into Layer 2 and Layer 3 tunneling protocols.

Tunneling Protocols

Layer 2 Tunneling Protocols

Layer 3 Tunneling Protocols

Correspond to the data-link layer. Correspond to the network layer.

Use frames as the unit of data exchange.

Use packets as the unit of data
exchange.

Encapsulate data in a Point-to-Point
Protocol (PPP) frame before sending it
across a network.

Encapsulate data in the Authentication
Header (AH) and/or Encapsulating
Security Payload (ESP) before sending it
across a network.

Examples: Point to Point Tunneling
Protocol (PPTP), Layer 2 Tunneling
Protocol (L2TP), and Layer 2 Forwarding
(L2F)

Example: IPsec

Advantages of Tunneling
Tunneling offers the following advantages.
 It allows the transport of many different protocols over an IP infrastructure since one

protocol is encapsulated within another. In other words, it is more efficient to
transport many different protocols, such as Hypertext Transfer Protocol (HTTP) and
Telnet, over a single VPN tunnel.

 It allows public networks to carry data on behalf of users as though the users had
access to their own private network by routing privately addressed packets through a
public infrastructure.

 It assures the integrity, security, reliability, and confidentiality of routed data.
 It is easy to implement as it requires no major changes to the existing infrastructure.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Try This!

Choose the correct answer.

Question: Which tunneling protocol uses packets as its unit of data exchange?
a. PPTP
b. L2F
c. IPsec
d. L2TP

Correct answer: Option c

Feedback for correct answer:
That’s correct.

IPsec is a layer 3 tunneling protocol, and it uses packets as its unit of data exchange.

Feedback for incorrect answer:
Not quite.

This is a layer 2 tunneling protocol, and it uses frames as its unit of data exchange.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 4: IPsec Virtual Private Networks

Introduction to IPsec

Of all the tunneling protocols researched and developed for establishing a secure VPN
connection, the most significant protocol is IPsec. However, IPsec is not a single
protocol but a framework that includes related open standards developed by the Internet
Engineering Task Force.

In Which Situations Can IPsec Be Used?
IPsec provides security in the following situations: host-to-site or gateway architecture
and gateway-to-gateway or site-to-site architecture. IPsec is most commonly used for
the gateway-to-gateway architecture.

How Does IPsec Provide Security?
IPsec ensures private and secure communication over Internet Protocol (IP) networks by
securing all IP traffic at the network layer. IPsec framework also secures all network
applications and communications that use the IP network.

IPsec combines cryptographic algorithms such as hashing, symmetric key, and
asymmetric key. This IPsec ability helps to enhance data security by offering enhanced
confidentially, integrity, authentication, replay detection, and nonrepudiation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 4: IPsec Virtual Private Networks

IPsec Mode

There are two methods by which an IPsec protocol can be applied to an IP packet when
data is to be encapsulated before being transmitted between two users or IPsec peers
over a public network. One is the transport mode and the other is the tunnel mode.

Transport Mode
Transport mode protects the higher-layer protocols such as TCP, UDP, and application
layers, and is generally used in host-to-host architecture.

In transport mode, the IPsec header is inserted between the original IP header and the
payload. However, transport mode is available only when the source and destination of
the original IP datagram are IPsec endpoints.

Step 1:
This step shows the data to be transmitted from Host A to Host B.

Step 2:
The image shows the data packet with the original IP header and the data portion.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Step 3:
An IPsec header is inserted between the original IP header and the data portion.

Step 4:
The new data packet is transmitted in IPsec transport mode.

Tunnel Mode
Tunnel mode is generally deployed in a site-to-site VPN architecture. In the tunnel mode,
IPsec encapsulates the full IP header as well as the payload. Therefore, an original IP
packet becomes the payload of another, new IP packet. The IP address in the new IP
header is used to route the packet through the Internet.

Once the packet arrives at a destination network, the IP address in the original IP header
is used to route the packet within the destination network. The tunnel mode is selected if
IP addresses of hosts in each site are not known or revealed.

Step 1:
The animation shows the data to be transmitted from IPsec Peer Site 1 to IPsec Peer
Site 2.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Step 2:
The image shows the data packet with the original IP header and the data portion.

Step 3:
An IPsec header is inserted between the new IP header and data portion.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Step 4:
The new data packet is transmitted in IPsec tunnel mode.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 4: IPsec Virtual Private Networks

IPsec Security Association

Certain security measures require that they be applied to an IP packet when it is being
transmitted over an IPsec tunnel. The IPsec security association (IPsec SA) defines
these security measures.

SAs can be negotiated dynamically between two communication peers when they want
to use security services provided by IPsec.

An IPsec SA can be identified by three parameters.

 Destination IP Address

The Destination IP Address parameter contains the destination IP address of the
endpoint of the SA.

 Security Protocol Identifier

The Security Protocol Identifier specifies a protocol number. For example, the AH
protocol number is 51 and ESP protocol number is 50. Note that this protocol
number is specified in the IP header.

 Security Parameter Index

The Security Parameter Index (SPI) is a 32-bit number chosen by the destination
endpoint of the SA.

Note that the source IP address is not used to define an SA, which means that an SA is
a unidirectional connection established between IPsec peers. Therefore, if two peers
need to exchange information in both directions, two SAs are required.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 5: IPsec Components

Introduction to IPsec Components

IPsec employs three components to ensure that data is protected when transported over
IP networks. The components include:
 The AH protocol, which provides only authentication
 The ESP protocol, which offers data confidentiality but can also provide

authentication
 Cryptographic key management procedures and protocols, such as the Internet

Security Association and Key Management Protocol (ISAKMP) or the Internet Key
Exchange (IKE), which provide mechanisms for session key creation, its exchange,
and/or secure data exchange

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 5: IPsec Components

Authentication Header

When confidentiality is not required, an administrator can deploy an IPsec with the AH
protocol instead of the ESP protocol.

The AH protocol offers data integrity and authentication using Hash-Based Message
Authentication Code (HMAC). A hash is created on both an IP packet and a secret key
that is shared by the two communication endpoints. This hash is then added to the AH.

Authentication cannot be provided over the whole IP header because some fields in the
IP header may change during transit.

The most important AH fields are the SPI and Sequence Number fields.

 Security Parameter Index

The 32-bit long SPI value is used together with the destination IP address and IPsec
security protocol number to uniquely identify the Ipsec SA for an IP packet. The
Ipsec SA is typically chosen by the destination system when the Ipsec SA is
established.

 Sequence Number

The sequence number is a sequential number assigned to each packet. Only
packets within a sliding window of sequence numbers are accepted. Any packet with
an invalid or out-of-range sequence number is rejected. This enables AH to offer
anti-replay protection.

 Authentication Data

This field contains a hash value created by a keyed hash algorithm, also known as a
Message Authentication Code (MAC) algorithm.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 5: IPsec Components

Activity: Identifying Mutable Fields

Now that you have learned about the IPsec AH header, answer the following question.

Question: Which field of an IP header can be authenticated by IPsec AH?
a. Time to Live (TTL)
b. Fragment Offset
c. Fragmentation Flag
d. Header Checksum
e. Type of Service (TOS)
f. Source IP Address

Correct answer: Option F

Feedback:
TTL, fragment offset, fragmentation flag, header checksum, and TOS are all mutable
fields in the IP header. No mutable IP field can be used as an input to a hash function.
Therefore, only the source IP address field can be authenticated by IPsec AH.

The TTL value of an IP header decreases by one every time the IP packet passes a
routing device. Also, whenever an IP packet takes a path having different maximum
transmission unit (MTU) links, it gets fragmented into pieces, and both the fragment
offset and the fragmentation flag fields change. In addition, with changes in an IP packet,
the header checksum value changes. Moreover, a router can change TOS value during
transit. Only the source IP address does not change.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 5: IPsec Components

Authentication Header (AH) Modes

AH can be deployed in transport as well as in tunnel mode. In both modes, the entire IP
packet is authenticated.

 AH in Transport Mode

In transport mode, the original IP header is retained, and the AH is inserted between
the IP header and the TCP header.

 AH in Tunnel Mode

In tunnel mode, a new IP header is created for the new IP packet. The AH is inserted
between the new IP header and the original header. The original IP packet is
encapsulated in the new IP header. The new IP header contains the source and
destination IP addresses of the IPsec gateways between which the new packet will
travel.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 5: IPsec Components

IPsec Encapsulating Security Payload (ESP)

The IPsec ESP protocol operates by adding a header and a trailer around each packet’s
payload. Unlike AH, ESP fields are spread throughout an IP packet. When an IP packet
is fragmented, the ESP process is applied to the whole IP packet. The entire IP packet is
then reassembled by security devices, such as VPN gateways or VPN enabled firewalls,
before it is processed further.

The ESP header consists of two fields: SPI and Sequence Number.

Security Parameter Index (SPI) 32-bit
Each endpoint of each IPsec connection contains a randomly chosen SPI value. This
SPI value acts as a unique identifier for the connection. Just like the AH header, the
receiver uses the SPI value, along with the destination IP address and the IPsec
protocol type, to determine which SA is being used.

Sequence Number 32-bit
As with AH, in ESP the sequence number is a sequential number assigned to each
packet. Only packets within a sliding window of sequence numbers are accepted. Any
packet with an invalid or out-of-range sequence number is rejected. This enables AH to
offer anti-replay protection.

ESP Functions
ESP provides confidentiality, integrity, and authentication of data.

Data Confidentiality
ESP offers encryption services to translate a readable message into an unreadable
format in order to hide the contents of the message or make the message confidential.
The receiver decrypts the message to read the data.

The ESP protocol encrypts the payload using symmetric key ciphers, such as:
 Data Encryption Standard (DES), which uses a 56-bit key
 Triple Data Encryption Standard (3DES), which uses a 128-bit key
 Advanced Encryption Standard (AES), which uses a 257-bit key

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Data Integrity and Authentication
Like AH, ESP also uses keyed HMAC algorithms to provide data integrity and
authentication services. Two typical HMAC algorithms used in VPN are Secure Hash
Algorithm-1 (SHA-1) HMAC and Message Digest 5 (MD5) HMAC.

When security needs are higher, SHA-1 HMAC is used instead of MD5 HMAC since
SHA-1 HMAC is cryptographically stronger.

Source: Frankel, S., Kent, K., Lewkowski, R., Ritchey, R., & Sharma, S. (2005). Guide to IPsec VPNs. (NIST
Special Publication 800-77). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 5: IPsec Components

Encapsulating Security Payload (ESP) Modes

The ESP protocol can be deployed in transport or tunnel mode.

ESP can be used alone or with AH. ESP alone can provide authentication services in
addition to encryption, so it is often used without AH. If the authentication is not applied,
the ESP authentication segment is not appended. When ESP encryption is applied, all
the fields between the ESP header and the ESP trailer are encrypted.

ESP Transport Mode
ESP transport mode encrypts the TCP header field, data field, and ESP trailer field while
leaving the original IP header in open clear text. In addition, in the ESP transport mode,
all the fields except the IP header are authenticated as shown in the diagram.

Note that the ESP header is inserted between the original IP header and TCP header.

ESP Tunnel Mode
ESP tunnel mode encrypts the entire packet except the new IP header field. In addition,
in the ESP tunnel mode, all the fields except the new IP header are authenticated as
shown in the diagram.

Note that the ESP header is inserted between the new IP header and original IP header
fields.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 5: IPsec Components

Cryptographic Key Management Procedures and Protocols

Introduction
IPsec uses two protocols for secure key determination and key distribution mechanisms:
Internet Key Exchange (IKE) and Internet Security Association and Key Management
Protocol (ISAKMP).

ISAKMP describes the set of procedures that two VPN gateways go through to set up
VPN connections. ISAKMP also specifies the procedure and packet formats necessary
to establish, negotiate, modify, and remove SAs at the two IPsec endpoints.

In addition, ISAKMP defines the framework for key management between the two VPN
endpoints. In the absence of a proper key-management setup, IPsec cannot exist.
However, ISAKMP does not offer any actual mechanism to exchange keys.

The IKE protocol establishes a secure channel over which to exchange security
parameters. IKE defines a proper key-exchange mechanism for creating and exchanging
cryptographic keys when two VPN endpoints communicate. Through IKE, the two
endpoints derive authenticated keying material and negotiate SAs that are used for ESP
and AH protocols.

IKE Phases
ISAKMP defines two phases in the procedures that two VPN endpoints go through when
trying to make a secure VPN connection: IKE Phase 1 and IKE Phase 2.

The main goal of the IKE protocol is to create and negotiate security associations (SAs).
Note that SA is a term used to refer to a set of values that define IPsec features and
protection mechanisms applied to an IPsec VPN connection.

IKE Phase 1
The main purpose of IKE Phase 1 is for two IPsec endpoints to successfully negotiate an
IKE SA. The negotiation of the IKE SAs during IKE Phase 1 includes:
 Encryption algorithms: select DES, 3DES, or AES.
 Integrity protection algorithms: select either SHA-1 or MD5 HMAC algorithm.
 Authentication method: select preshared Keys (PSKs), Rivest, Shamir, and Adleman

(RSA) signature, or RSA encryption nonces for authentication.
 Specify the Diffie-Hellman (DH) key group by making a choice between DH1, DH2,

DH5, or DH7. Note that higher group numbers are more secure, but require more
computation power to compute the key.

The goal of the IKE SA is to provide bidirectional encryption and authentication for the
IKE Phase 2. During IKE Phase 2, another SA, known as IPsec SA, is negotiated.

Step 1: Negotiate Policy
In this step, two VPN entities negotiate and agree upon the encryption and
authentication algorithms, mode, protocols, HMAC, lifetime, IPsec value, and DH key
that will be used in subsequent IKE communication.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Step 2: DH Key Exchange
Based on the parameters negotiated, a shared secret master key is generated by the
DH public key algorithm. This symmetric encryption key is then used to generate all
other encryption and authentication keys.

Step 3: Authenticate Peers
Next, the two parties authenticate each other using a predetermined mechanism.
Typically, VPN entities use authentication protocols such as PSKs, RSA encrypted
nonces, or RSA signatures that are X.509-certified and require X.509 CA.

IKE Phase 2
The goal of IKE Phase 2 is to establish another SA, known as IPsec SA, for the actual
IPsec connection. IPsec SA is unidirectional. This means that two SAs are required for
bidirectional data flow between two VPN endpoints, as shown in the diagram. Since
there are two network flows from Router A to Router B and Router B to Router A, two
different SPI values exist. The communications occurring during IKE Phase 2 are
protected by the methods specified in IKE Phase 1.

After the IPsec SAs are established during IKE Phase 2, all active SAs are stored in a
security association database. The following information is included in the security
association database for each VPN connection.
 Source/destination IP addresses
 SPI
 IPsec security protocol (AH or ESP)
 IPsec mode (transport or tunnel mode)
 Integrity protection algorithm (MD5 or SHA HMAC).
 SA lifetime

An IPsec SA is uniquely defined by three important parameters: the destination IP
address, the SPI, and the IPsec security protocol.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 5: IPsec Components

Activity: Making a Secure VPN Connection

Introduction
An Enhanced Interior Gateway Routing Protocol (EIGRP) is running on CASM’s three
routers, R1, R2, and R3. R2 connects R1 and R3.

An IPsec VPN tunnel has been established between R1 and R3. The goal of this IPsec
tunnel is to achieve authentication. R1 authenticates the traffic originating from R3 at the
Fairfax, Virginia, office. The R3 gateway router authenticates the network traffic
originating from CASM’s Baltimore, Maryland, office.

The applications running at both sites cannot tolerate any significant delay, and
confidentiality is not required. Therefore, the gateway routers do not encrypt or decrypt
IP packets and quickly process the IP packets.

In the following activity, you will analyze the IP packets captured during data
transmission between R1 and R3.

Workspace
Analyze the following screenshots and choose the correct option.

Question 1: Which of the following screenshots shows an IP packet traveling through
the IPsec tunnel between the Baltimore and Fairfax gateway routers?

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

a. Option 1

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

b. Option 2

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Correct answer: Option a

Feedback:
Since the goal of the IPsec tunnel is to achieve authentication, not confidentiality, only
AH is used. The correct IP packet has only an AH header. The first packet has an AH
header inside the packet.

Question 2: In the screenshot below, identify the SPI used in AH.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Options:
a. Next Header: IPIP (0x04)
b. Length: 24
c. AH SPI: 0x5a84fcd1
d. AH Sequence: 8
e. AH ICV: 26fe6bb17f689ab324998216

Correct answer: Option c

Feedback:
The bottom window shows the detail of packet 8. In the AH in the bottom window, one of
the fields says “AH SPI: 0X5a84fcd1”; it tells you the value of SPI.

Question 3: The screenshot indicates that a ping packet has been sent from the
Baltimore LAN (172.16.1.0/24) to the Fairfax LAN (172.16.3.0/24) using the IPsec
tunnel. Analyze these packets to find which protocol and which mode each packet has
used.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Packet A

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Answer the question based on your analysis of the screenshot.

Packet A uses the AH Tunnel mode.
a. True
b. False

Correct answer: Option A

Feedback:
You can safely conclude that AH mode is used since Packet A has only the AH header.
Also, you can see that it uses the tunnel mode because the screenshot displays two
different pairs of IP addresses: 172.16.3.1/172.16.3.3 and 192.168.12.1/192.168.23.3.

Question 4: The screenshot indicates that a ping packet has been sent from the
Baltimore LAN (172.16.1.0/24) to the Fairfax LAN (172.16.3.0/24) using the IPsec
tunnel. Analyze these packets to find which protocol and which mode each packet has
used.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Packet B

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Answer the question based on your analysis of the screenshot.

Packet B uses the ESP Tunnel mode.
a. True
b. False

Correct answer: Option A

Feedback:
A careful observation reveals that ESP mode is used since Packet B has only the ESP
header. Also, you can see that it uses the tunnel mode because the screenshot displays
only one pair of IP addresses, 192.168.12.1/192.168.23.3, even though the ping packet
is sent from 172.16.1.1 to 172.16.3.1. This means a new pair of IP addresses is added
to the original IP packet, an indication that the tunnel mode is used.

Review
The scenario presented in this activity uses a preshared key as an authentication
method. A preshared key method is appropriate only when the number of gateway
routers is small and simple to configure. In general, RSA encryption and RSA signature
authentication methods are more common in practice. RSA signatures used are
generally X.509 certificate-based and require X.509 CA.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Further Challenges
Study an SSL VPN technology and compare it with IPsec VPN. What are the
advantages and disadvantages of each VPN technology?

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Topic 6: Summary

We have come to the end of Module 8. The key concepts covered in this module are
listed below.

 A virtual private network (VPN) is a private computer network created using a
public network, such as the Internet. It allows distant users to communicate
privately, with reduced costs.

 The VPN architecture implemented by a company may be remote access or site-
to-site Intranet.

 VPN technology is based on the tunneling capacity of Internet protocols. Data
may be transmitted in transport or tunnel mode.

 There are two types of tunneling protocols: Layer 2 tunneling protocols and Layer
3 tunneling protocols. PPTP, L2TP, and L2F are Layer 2 protocols. IPsec is a
Layer 3 protocol.

 IPsec is the most commonly used protocol for secure VPN connections. IPsec
propagates data across a network in tunnel or transport mode.

 IPsec components such as Authentication Header (AH), Encapsulating Security
Protocol (ESP), Internet Security Association and Key Management Protocol
(ISAKMP), and Internet Key Exchange (IKE) play an important role in ensuring
data integrity, authentication, and confidentiality.

 ISAKMP and IKE protocols provide key management mechanisms without which
an IPsec cannot exist.

 ISAKMP defines two phases, IKE Phase 1 and IKE Phase 2, for data transfer
between two IPsec peers.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Glossary

Term Definition

Advanced Encryption
Standard

Advanced Encryption Standard (AES) is a widely accepted
standard for encryption that uses 128-bit block size ciphers
with key sizes of 128, 192, and 256 bits.

Algorithm An algorithm is a mathematical formula or set of steps to
accomplish any given task—in this case, encryption and
decryption.

Asymmetric
Encryption

Asymmetric encryption uses two sets of encryption keys—
a private and public key—to encrypt information. To
decrypt the information, a user must have both the public
key, which can be freely made public, and the private key,
which is known only to the sender and receiver of the
encrypted information.

Authentication Authentication involves confirming a user’s identity. A form
of access control, authentication requires users to confirm
their identity before they access the system.

Checksum Checksum is a simple error-detection scheme to ensure
that a message is not garbled. In checksum, each
transmitted message is accompanied by a numerical value.
The receiver then applies the same formula to the
message and checks to make sure the accompanying
numerical value is the same. If it is not, the receiver can
assume that the message has been garbled.

Confidentiality Confidentiality means allowing only authorized individuals
or systems to access certain types of information.
Confidentiality is also known as secrecy.

Data Encryption Standard Data Encryption Standard (DES) is an encryption standard
that uses a simple 56-bit key to encrypt data. Since it is not
very secure, alternatives to DES such as triple DES and
AES have been created.

Diffie-Hellman Key The Diffie-Hellman key is a specific method of changing
keys in the field of cryptography.

Encryption Encryption is the process of using algorithms to change
readable text into a format that is unreadable by
unauthorized persons.

Fragmentation Fragmentation is a method in which an IP datagram is
fragmented into IP packets and reassembled at the
receiving host.

Fragment Flag Fragment flag is a field in an IP header that stores
information about the IP packet and is involved in packet
fragmentation. There are various 3-bit control flags.

Fragment Offset Fragment offset is a field that tells the sender where a
particular fragment falls in relation to other fragments in the
original larger packet.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Term Definition

Gateway A gateway is a network device that acts as an entrance to
another network.

Hash-Based Message
Authentication Code

Hash-Based Message Authentication Code (HMAC) is
used to decode MACs by using a cryptographic function
along with a secret key. HMAC is used in many
authentication protocols.

Hash Value A hash function mathematically transforms a variable
length data input into a fixed length, random-character
output called a hash value. Some commonly used hash
functions include Message Digest 5 (MD5) and the Secure
Hash Algorithms (SHA-0, SHA-1, and SHA-256).

Header A header is a temporary set of data that is added at the
beginning of a communication message in order to transfer
it over the network. It contains the source and destination
addresses as well as data that describe the content of the
message.

Identification Identification is part of the access-control software and
requires users to provide identification in the form of a user
name or account number before they are allowed to
access a system.

Integrity The goal of integrity is to ensure that unauthorized
individuals or systems are unable to modify data.

IP Address An Internet Protocol (IP) address is a numeric label that
identifies each device within a computer network that
communicates over the Internet.

Key Generation Key generation is the process of creating cryptographic
keys.

Key Management Key management is the system of controlling and
managing the generation, exchange, storage, safety,
application, and replacement of encryption keys.

Logical Connection A logical connection refers to the connection between two
systems at the same level of the OSI or TCP/IP model.

Message Authentication
Code

In cryptography, a Message Authentication Code (MAC) is
a short piece of information used to authenticate a
message.

Message-Digest
Algorithm 5

Message-Digest Algorithm 5 (MD5) is a popular
cryptographic hash function that uses a 128-bit hash value.

Nonrepudiation Nonrepudiation refers to giving a guarantee about the
authenticity of a document or message. The sending
parties cannot deny that they sent data.

Nonce Nonce is an abbreviation of “number used once.” It is often
a random number issued in an authentication protocol to
ensure that old communications cannot be reused in replay
attacks.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC 640

Term Definition

Open Source Open source refers to software that is distributed with its
source code so that other users can modify it for their own
purposes.

Payload Payload refers to the actual data in a packet or file, without
all headers attached for transport and/or description.

Preshared Keys Preshared keys are shared secrets that were previously
shared between two endpoints using some secure channel
before they need to be used.

Replay Attack A replay attack is a breach of network security in which a
valid data transmission is repeated or delayed with
malicious intent.

RSA RSA is an encryption algorithm that uses public-key
cryptography to secure information and is a widely used
protocol for encrypting data.

Secure Hash Algorithm 1 Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash
algorithm. The SHA-1 algorithm was designed by the
National Security Agency.

Session Key A randomly generated encryption and decryption key that
is used to ensure the security of a communication session.

Signature A signature is a digital code that can be attached to a
message. Like a written signature, the signature uniquely
identifies the sender and is a guarantee that the individual
sending the message is really who he or she claims to be.

Time to Live Time to Live (TTL) is a field in the Internet Protocol
(IP) that specifies how many more hops a packet can travel
before being discarded or returned.

Triple DES Triple DES is a symmetric algorithm that involves repeating
the basic DES algorithm three times, using either two or
three unique keys, for a key size of 112 or 168 bits. This
provides additional resistance to a brute-force attack.

Type of Service Type of Service (TOS) is a field in an IP packet that is used
for quality of service.

X.509 X.509 is a standard used in cryptography that specifies
formats for public key certificates, certificate revocation
lists, attribute certificates, and a certification path validation
algorithm.

1. Part 1) Choose your own topic related to web technologies/applications, you consider important, and describe the topic in detail. Do not select any security related topic.

Below is a list of sample topics you may choose:

HTTP protocol (HTTP requests/responses/methods, HTTP headers, Cookies, status codes, difference between HTML and HTTP)

Client side technologies (e.g., JavaScript, HTML or …)

Server side technologies (e.g., PHP, Java platform or …).

Web caching/proxy (also known as content delivery network).

Many more.

Part 2) Conduct research on web security vulnerabilities. Select one vulnerability, you consider important, and describe it in detail. Explain how the vulnerability you described can be overcome or prevented. In addition, briefly explain why you chose the vulnerability.

2, Part A) Give one good example of a covert storage channel. Explain how the covert storage channel you described can be mitigated or prevented.

Part B) Give one good example of a covert timing channel. Explain how the covert timing channel you described can be mitigated or prevented.

Turn in your highest-quality paper
Get a qualified writer to help you with

“ due 3/27/13 ”

Get high-quality paper

Guarantee! All work is written by expert writers!

Still stressed from student homework?

Get quality assistance from academic writers!

Order now