Encryption Flashcards

1
Q

What is Symmetric and Asymmetric Encryption?

A

In symmetric encryption a single key is used both to encrypt and to decrypt traffic; it is also referred to as shared-key or shared-secret encryption. Symmetric algorithms include DES, 3DES and AES (DES and 3DES are deprecated; AES is the current standard choice).
In asymmetric encryption two mathematically related keys are used, a public key and a private key: what one key encrypts only the other can decrypt. The most common asymmetric algorithm is RSA; elliptic-curve algorithms (ECDH, ECDSA) are also widely used.

2
Q

Define Digital Signatures?

A

A digital signature is a value computed over a message (usually over its hash) with the signer's private key and attached to the message. Anyone holding the matching public key can verify it, which proves that the message came from the holder of the private key (authenticity), that it was not altered afterwards (integrity), and that the signer cannot later deny having signed it (non-repudiation).

3
Q

What are the 3 protocols used in IPSec?

A
  1. Authentication Header (AH).
  2. Encapsulating Security Payload (ESP).
  3. Internet Key Exchange (IKE).
4
Q

Explain IPsec Protocol Headers?

A

1. Encapsulating Security Payload (ESP) - An IP-based protocol identified by protocol number 50 in the IP header. ESP protects the confidentiality, integrity and authenticity of the data and offers anti-replay protection.
   Drawback - ESP does not protect the outer IP header (the original header in transport mode, the new outer header in tunnel mode).

2. Authentication Header (AH) - Also an IP-based protocol, identified by protocol number 51 in the IP header. AH protects the integrity and authenticity of the data and offers anti-replay protection.
   Unlike ESP, AH also protects the IP header (its immutable fields), which is why AH does not survive NAT.
   Drawback - AH provides no confidentiality.
5
Q

How do ESP and AH provide anti-replay protection?

A

Both ESP and AH provide anti-replay protection based on the 32-bit sequence number carried in their headers. The sender increments the sequence number for every packet sent on a security association, and the receiver keeps a sliding window (64 packets by default): a packet whose sequence number has already been seen, or that falls below the left edge of the window, is rejected, while packets inside the window that arrive out of order are accepted once. The check is only meaningful when integrity protection is enabled, because the sequence number is covered by the ICV; the counter must never wrap, so the SA has to be rekeyed before 2^32 packets.
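The receiver-side window described in this card, as an added example (not code from the flashcards). It follows the bitmap scheme of RFC 4303 Appendix A for 32-bit sequence numbers; extended sequence numbers are not modelled, and the `icv_ok` callback stands in for the ESP/AH integrity check, since the window must only be advanced for packets whose ICV verified.

```python
"""Anti-replay sliding window for ESP/AH (RFC 4303 Appendix A).

The window is a bitmap anchored at the highest sequence number accepted so far
("top"); bit i set means that top - i has already been received.
"""


class AntiReplayWindow:
    def __init__(self, size=64):
        # RFC 4303 requires a window of at least 32; 64 is the common default.
        assert size >= 32
        self.size = size
        self.top = 0                  # highest sequence number accepted on this SA
        self.bitmap = 0               # bit 0 == top, bit 1 == top - 1, ...
        self.mask = (1 << size) - 1

    def check(self, seq):
        """Pre-ICV check: True if seq is new and inside (or above) the window."""
        if seq == 0:
            return False              # sequence number 0 is never valid on an SA
        if seq > self.top:
            return True               # would advance the window
        diff = self.top - seq
        if diff >= self.size:
            return False              # too old: fell off the left edge of the window
        return not (self.bitmap >> diff) & 1   # bit already set => replay

    def update(self, seq):
        """Post-ICV update: record seq only after its integrity check succeeded."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                # slide the window right; bits pushed past the left edge are dropped
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1       # jumped past the whole window
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def process(seqs, size=64, icv_ok=lambda seq: True):
    """Run received sequence numbers through one SA's window.

    icv_ok stands in for the ESP/AH integrity check. Updating the window for a
    packet whose ICV failed would let an attacker with forged sequence numbers
    push genuine packets out of the window (a denial of service), so the
    update only happens when both the window check and the ICV pass.
    Returns a list of (seq, accepted) pairs.
    """
    win = AntiReplayWindow(size)
    out = []
    for seq in seqs:
        ok = win.check(seq) and icv_ok(seq)
        if ok:
            win.update(seq)
        out.append((seq, ok))
    return out


if __name__ == "__main__":
    # constructed sample: in order, reordered, duplicate, zero, big jump, stale
    for seq, ok in process([1, 2, 3, 5, 4, 4, 0, 70, 2, 7, 70, 8]):
        print(f"seq={seq:<3} {'accept' if ok else 'REJECT'}")
```

Packet 4 arriving after 5 is accepted once (reordering inside the window), its second copy is rejected as a replay, and after the jump to 70 the old number 2 is rejected as too old while 7 and 8 still fit inside the 64-packet window.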

6
Q

At what layer does IPsec work?

A

IPsec secures IP traffic at the Layer 3 (Network Layer) of the OSI model.

7
Q

Name a major drawback of IPSec?

A

IPsec natively supports only unicast IP traffic: multicast and broadcast packets (and therefore dynamic routing protocols such as OSPF or EIGRP) cannot be carried over a plain IPsec tunnel and need an encapsulation such as GRE over IPsec.

8
Q

What is IPSec VPN?

A

An IPsec VPN is a VPN built on the IP Security protocol suite. It allows two or more peers (hosts or gateways) to communicate securely by authenticating and encrypting each IP packet of a communication session. IPsec provides data confidentiality, data integrity and data-origin authentication between the participating peers.

9
Q

What are Authentication, Integrity and Confidentiality?

A

Authentication - Verifies that the packet received is actually from the claimed sender, i.e. it establishes the authenticity of the peer. Pre-shared keys and digital certificates are the usual methods.

Integrity - Ensures that the contents of the packet have not been altered in transit by a man-in-the-middle. Hash algorithms used (as HMACs) include MD5 and SHA; MD5 and SHA-1 are considered weak today, so SHA-256 or stronger should be preferred.

Confidentiality - Encrypts the message content so that the data is not disclosed to unauthorized parties. Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple DES) and AES (Advanced Encryption Standard); DES and 3DES are deprecated, so AES should be used.

10
Q

Over what protocol and port does IKE run?

A

IKE runs over UDP port 500 (ISAKMP). When a NAT device is detected between the peers, NAT traversal (NAT-T) moves IKE to UDP port 4500 and encapsulates ESP in UDP on that same port, because ESP (IP protocol 50) has no port numbers for the NAT device to translate.

11
Q

Where does the ESP header go in relation to the IP header?

A

The ESP header is inserted after the IP header and before the next layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode).

12
Q

Describe Tunnel mode

A

IPsec tunnel mode is the default mode (on Cisco IOS and ASA). In tunnel mode the entire original IP packet is protected by IPsec: IPsec wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN tunnel (the IPsec peer).

Tunnel mode is most commonly used between gateways (Cisco routers or ASA firewalls), or from an end station to a gateway, the gateway acting as a proxy for the hosts behind it.

Tunnel mode is used to encrypt traffic between secure IPsec gateways, for example two Cisco routers connected over the Internet via an IPsec VPN. The original source and destination addresses travel inside the encrypted payload; only the gateway addresses appear in the outer header.

13
Q

Describe ESP vs AH Protocols

A

In transport mode, an IPsec header (AH or ESP) is inserted between the original IP header and the upper-layer protocol header; in tunnel mode the whole original packet is encapsulated and the IPsec header sits between a new outer IP header and the original packet. Between AH and ESP, ESP is by far the most commonly used in IPsec VPN tunnel configurations, since it provides encryption and, unlike AH, works through NAT (with NAT-T).

14
Q

How is ESP distinguished in the IP header?

A

ESP is identified in the (new, outer) IP header by IP protocol ID 50.

15
Q

How is AH distinguished in the IP header?

A

AH is identified in the (new, outer) IP header by IP protocol ID 51.
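The framing behind cards 4, 11, 13, 14 and 15, as an added example (not code from the flashcards): it builds IPv4 packets carrying ESP in transport and in tunnel mode, then parses them back, classifying the packet by the outer header's protocol number (50 for ESP, 51 for AH) and, for ESP, verifying the ICV and reading the Next Header field of the trailer to tell the two modes apart. ESP is used with NULL encryption (RFC 2410) so the layout stays readable, with an HMAC-SHA-256-128 ICV (RFC 4868); the addresses, ports, SPIs and key are made up, and the AH part only models the header layout, not its ICV computation.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 17, 50, 51
ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): 32-byte tag truncated to 16 bytes


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header; 'proto' is what tells a receiver that ESP (50) or AH (51) follows."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp_encapsulate(inner, next_header, spi, seq, key):
    """ESP header (SPI, seq) | payload | trailer (padding, pad length, next header) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4           # payload + trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default monotonic padding
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def transport_mode(src, dst, udp, spi, seq, key):
    """Original IP header kept; ESP goes between it and the transport header (next header 17)."""
    esp = esp_encapsulate(udp, IPPROTO_UDP, spi, seq, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_src, inner_dst, udp, spi, seq, key):
    """Whole original packet becomes the ESP payload (next header 4, IP-in-IP);
    a new outer header between the gateways announces protocol 50."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(udp)) + udp
    esp = esp_encapsulate(inner, IPPROTO_IPIP, spi, seq, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def ah_header(next_header, spi, seq, icv):
    """AH layout only: next header | payload length (32-bit words minus 2) | reserved | SPI | seq | ICV."""
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def parse(packet, key):
    """Classify an IPsec packet from its outer IP header; for ESP, verify the ICV and find the mode."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"outer_src": socket.inet_ntoa(packet[12:16]),
            "outer_dst": socket.inet_ntoa(packet[16:20]), "protocol": proto}
    if proto == IPPROTO_AH:
        nh, _plen, _rsv, spi, seq = struct.unpack("!BBHII", packet[ihl:ihl + 12])
        info.update(next_header=nh, spi=spi, seq=seq)    # AH ICV check not modelled here
        return info
    if proto != IPPROTO_ESP:
        raise ValueError(f"not an IPsec packet (IP protocol {proto})")
    esp, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified in transit or wrong SA key")
    info["spi"], info["seq"] = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    inner = esp[8:len(esp) - 2 - pad_len]
    info["next_header"] = next_header
    if next_header == IPPROTO_IPIP:                  # tunnel mode: a whole IP packet is inside
        info.update(mode="tunnel", inner_src=socket.inet_ntoa(inner[12:16]),
                    inner_dst=socket.inet_ntoa(inner[16:20]))
    else:                                            # transport mode: transport header directly
        info["mode"] = "transport"
    return info


if __name__ == "__main__":
    key = b"\x11" * 32                               # constructed SA integrity key
    udp = udp_datagram(40000, 53, b"example query")
    print("transport:", parse(transport_mode("10.1.1.10", "10.2.2.20", udp, 0x1000, 1, key), key))
    print("tunnel:   ", parse(tunnel_mode("203.0.113.1", "203.0.113.2", "10.1.1.10", "10.2.2.20",
                                          udp, 0x2000, 7, key), key))
```

The ICV is checked before anything in the ESP payload is trusted: flipping a single byte of the encapsulated packet makes `parse` reject it, which is the integrity property from card 4, and the Next Header field (17 versus 4) is the only thing that distinguishes transport from tunnel mode on the wire.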

16
Q

How does one get Multicast across an IPsec VPN?

A

A GRE tunnel with multicast support, protected by IPsec (GRE over IPsec). Generic Routing Encapsulation (GRE) is a tunneling protocol originally developed by Cisco and widely used for IP-to-IP tunneling. Since it can encapsulate all kinds of IP traffic, including multicast and routing-protocol packets, GRE can be used to carry multicast over networks that have no multicast support; the resulting unicast GRE packets are then encrypted by IPsec, which on its own handles only unicast.

17
Q

Explain how IKE/ISAKMP Phase 1 Works?

A

IKE is a two-phase protocol.
Phase 1
IKE Phase 1 (Main Mode, 6 messages, or Aggressive Mode, 3 messages) negotiates the following:
1. The parameters that protect the Phase 1 exchange itself (encryption and hash algorithms).
2. Shared keying material, generated with a Diffie-Hellman exchange in the agreed DH group.
3. Peer authentication, using a pre-shared key, public-key encryption, or a digital signature (certificate).
4. The resulting ISAKMP/IKE SA, which protects the Phase 2 (Quick Mode) negotiation.

18
Q

What are the parts of IKE v1 Phase 1

A

HAGLE:

Hashing (the hash algorithm, e.g. SHA)

Authentication (pre-shared key or RSA signature/certificate)

Group (the Diffie-Hellman group)

Lifetime (of the IKE SA)

Encryption (the algorithm, e.g. AES)

All five must match on both peers for Phase 1 to come up.

19
Q

What are the components of a crypto map?

A

Configure the crypto map, which contains these components:

The peer IP address

The defined access list that contains the traffic of interest

The Transform Set

An optional Perfect Forward Secrecy (PFS) setting, which creates a new pair of Diffie-Hellman keys that are used in order to protect the data (both sides must be PFS-enabled before Phase 2 comes up)

20
Q

On a Cisco ASA, what command needs to be in place so that VPN traffic can bypass the outside interface ACL?

A

The command

“sysopt connection permit-vpn”

which is enabled by default on an ASA. With it in place, decrypted VPN traffic bypasses the interface ACL, so no explicit ACL entry is needed for the inbound VPN traffic, even though the traffic from the third-party peer arrives inbound on the outside interface. If it has been disabled (“no sysopt connection permit-vpn”), decrypted traffic is subject to the interface ACLs and must be permitted explicitly.

21
Q

Once created, the crypto map is applied to what?

A

The outside interface (the interface facing the VPN peer), with “crypto map <map-name> interface outside”.

22
Q

On an ASA what is the command to verify Phase 1 is working, from the CLI?

A

show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 172.16.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

State MM_ACTIVE means a Main Mode Phase 1 SA is established (AM_ACTIVE for Aggressive Mode); a state such as MM_WAIT_MSG2/4/6 means the exchange stalled at that message, typically because of a policy or pre-shared key mismatch.

23
Q

On an ASA what is the command to verify Phase 2 is working, from the CLI?

A

Phase 2 = IPSec

show crypto ipsec sa

command shows the IPsec SAs that are built between the peers.

You can see the two ESP SAs built for the inbound and outbound traffic.

24
Q

In ASA ver 8.4 and above what is the command to debug Phase 1

A

debug crypto ikev1 127 (Phase 1)

Level 127 is the most verbose; on a busy ASA scope the output to one peer first with “debug crypto condition peer <peer-ip>”.

25
Q

In ASA ver 8.4 and above what is the command to debug Phase 2

A

debug crypto ipsec 127 (Phase 2)

26
Q

What is Perfect Forward Secrecy (PFS)?

A

On the ASA, PFS performs a new Diffie-Hellman exchange for every Phase 2 (IPsec) SA negotiation instead of deriving the data keys from the Phase 1 keying material alone (both sides must be PFS-enabled before Phase 2 comes up).

More generally, Perfect Forward Secrecy is a property of certain key-agreement protocols that guarantees session keys are not compromised even if a long-term secret (the server's private key, or the pre-shared key) is compromised later. Forward secrecy protects past sessions against future compromise of long-term keys: because every session gets a unique, independently derived session key, the compromise of one session key exposes only the data exchanged in that one session.
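The Phase 1 keying from cards 17 and 18 and the PFS property from this card, as an added example (not code from the flashcards). Both peers run a Diffie-Hellman exchange, derive SKEYID from the pre-shared key and nonces and then SKEYID_d/SKEYID_a/SKEYID_e exactly as RFC 2409 section 5 specifies, and Quick Mode KEYMAT is derived with and without PFS per section 5.5. Assumptions: the modulus is the 1024-bit MODP prime of IKE group 2 transcribed from RFC 2409 section 6.2 (a primality check guards against a transcription error; group 2 is far too small for production use and is chosen only because its prime is short enough to list), HMAC-SHA-256 stands in for the negotiated hash, and the PSK, nonces, cookies and SPI are made up. The "attacker" below has SKEYID_d and the public values that crossed the wire, but not the ephemeral Quick Mode DH exponents.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE group 2 (RFC 2409 section 6.2), transcribed here.
P_GROUP2 = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G = 2
P_LEN = (P_GROUP2.bit_length() + 7) // 8
PROTO_IPSEC_ESP = 3                      # RFC 2407 protocol ID mixed into KEYMAT


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; only here to catch a mistyped modulus before it is used."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    x = secrets.randbelow(P_GROUP2 - 2) + 1          # private exponent, never leaves the peer
    return x, pow(G, x, P_GROUP2)                    # (x, g^x mod p); g^x goes on the wire


def dh_shared(x, peer_public):
    """g^xy as a fixed-length big-endian string; never sent, computed by both peers."""
    return pow(peer_public, x, P_GROUP2).to_bytes(P_LEN, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()   # HMAC of the negotiated hash


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Pre-shared-key authentication (RFC 2409 section 5): SKEYID and its three sub-keys."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds Phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE SA integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE SA encryption
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, gqm_xy=b""):
    """KEYMAT for one IPsec SA (section 5.5); with PFS the fresh g(qm)^xy is mixed in first."""
    return prf(skeyid_d, gqm_xy + bytes([protocol]) + spi + ni + nr)


def establish(psk, pfs):
    """Run both peers through Phase 1 and one Quick Mode; return keys plus what crossed the wire."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    gxy = dh_shared(xi, gr)
    assert gxy == dh_shared(xr, gi)                  # both sides agree on g^xy
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # Phase 1 nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    skeyid_d, _skeyid_a, _skeyid_e = phase1_keys(psk, ni, nr, gxy, cky_i, cky_r)
    qm_ni, qm_nr, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    gqm = b""
    if pfs:                                          # PFS: a brand-new DH exchange per Phase 2
        qxi, qgi = dh_keypair()
        qxr, qgr = dh_keypair()
        gqm = dh_shared(qxi, qgr)
        assert gqm == dh_shared(qxr, qgi)
    keymat = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, qm_ni, qm_nr, gqm)
    return {"skeyid_d": skeyid_d, "keymat": keymat,
            "wire": {"spi": spi, "ni": qm_ni, "nr": qm_nr}}   # values an eavesdropper recorded


def attacker_rederives(session):
    """What someone who later steals SKEYID_d can compute from the recorded Quick Mode."""
    w = session["wire"]
    return quick_mode_keymat(session["skeyid_d"], PROTO_IPSEC_ESP, w["spi"], w["ni"], w["nr"])


def pfs_protects(psk, pfs):
    """True when SKEYID_d plus the captured exchange is not enough to recover the ESP keys."""
    s = establish(psk, pfs)
    return attacker_rederives(s) != s["keymat"]


if __name__ == "__main__":
    assert is_probable_prime(P_GROUP2), "group 2 prime mistyped"
    print("no PFS: leaked SKEYID_d recovers KEYMAT ->", not pfs_protects(b"constructed-psk", False))
    print("PFS:    leaked SKEYID_d recovers KEYMAT ->", not pfs_protects(b"constructed-psk", True))
```

Without PFS every Phase 2 key is a deterministic function of SKEYID_d and values that were sent in the clear, so a later compromise of the IKE SA state unlocks every recorded IPsec session; with PFS each session additionally depends on an ephemeral DH secret that was discarded after use.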

27
Q

What is ISAKMP?

A

ISAKMP is the negotiation protocol that lets two hosts agree on how to build an IPsec security association (SA). It provides a common framework for agreeing on the format of SA attributes; this includes negotiating the SA with the peer, and modifying or deleting the SA. ISAKMP separates negotiation into two phases: Phase 1 and Phase 2. Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IKE uses ISAKMP to set up the SA for IPsec to use, and IKE creates the cryptographic keys used to authenticate the peers. The ASA supports IKEv1 for connections from the legacy Cisco VPN client, and IKEv2 for the AnyConnect VPN client.

28
Q

On an ASA, what is used to configure Phase 1?

A

The IKE policy. To set the terms of the ISAKMP negotiations, you create an IKE policy that specifies:

  • The authentication type required of the IKEv1 peer, either RSA signature using certificates or preshared key (PSK).
  • An encryption method, to protect the data and ensure privacy.
  • A Hashed Message Authentication Code (HMAC) method to ensure the identity of the sender, and to ensure that the message has not been modified in transit.
  • A Diffie-Hellman group to determine the strength of the encryption-key-determination algorithm. The ASA uses this algorithm to derive the encryption and hash keys.
  • For IKEv2, a separate pseudo-random function (PRF) used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption.
  • A limit to the time the ASA uses an encryption key before replacing it (the SA lifetime). With IKEv1 policies, for each parameter, you set one value.
29
Q

On an ASA what commands can be run to see if a Lan2Lan IPSec tunnel is up?

A

To verify that the tunnel is up and running, use the following commands:

show vpn-sessiondb summary

show vpn-sessiondb detail l2l

show crypto ipsec sa

30
Q

On an ASA what is the Transform Set?

A

Create an IKEv1 transform set. An IKEv1 transform set combines an encryption method and an authentication method. During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. The transform set must be the same for both peers. A transform set protects the data flows for the ACL specified in the associated crypto map entry. You can create transform sets in the ASA configuration, and then specify a maximum of 11 of them in a crypto map or dynamic crypto map entry. The table below lists valid encryption and authentication methods.

31
Q

What is a limitation with IKE v1 authentication?

A

IKEv1 allows only one type of authentication at both VPN ends (that is, either preshared key or certificate, and the same on both sides).

IKEv2, however, allows asymmetric authentication methods to be configured (for example preshared key authentication for the originator but certificate authentication for the responder), using separate local and remote authentication CLIs. Therefore, with IKEv2 you have asymmetric authentication, in which one side authenticates with one credential and the other side uses another credential (either a preshared key or a certificate).

32
Q

On an ASA how is the Tunnel Group created?

A

To establish a basic LAN-to-LAN connection, you create a tunnel group named after the peer's IP address and set two attributes for it:

  • Set the connection type to IPsec LAN-to-LAN.
  • Configure an authentication method for the IP address (that is, a preshared key for IKEv1 and IKEv2).