IPsec Flashcards
Generic Routing Encapsulation (GRE)
Encapsulates almost any L3 protocol in a virtual point-to-point link. It’s used for tunneling, but has no other VPN functions on its own; consequently, it’s often just one part of a VPN solution.
Point-to-Point Tunneling Protocol (PPTP)
A basic VPN protocol initially developed by a vendor consortium. It encapsulates PPP packets over GRE to provide VPN tunneling features, but it relies on vendor implementation to provide encryption and authentication. Most widely supported PPTP implementations, such as Microsoft’s, aren’t very secure; you shouldn’t use it when other alternatives are available. PPTP can be applied seamlessly to all sorts of network traffic, but its control functions require TCP port 1723 and IP protocol 47 (GRE) to be allowed through the firewall.
L2TP/IPsec
Layer 2 Tunneling Protocol is an IETF standard based on elements of PPTP and Cisco’s similar Layer 2 Forwarding Protocol (L2F); it has several security enhancements over either. Most commonly, L2TP uses RADIUS or TACACS+ authentication and IPsec encryption. That particular combination is called L2TP/IPsec and is natively supported by most modern operating systems. When implemented correctly, it can be very secure, but it uses a double encapsulation method that can hurt performance. An L2TP/IPsec VPN requires UDP ports 500 and 1701; if NAT traversal is required, it also needs UDP port 4500 to be open.
IKEv2/IPsec
IPsec in tunnel mode can perform as a complete VPN solution along with its associated IKEv2 protocol. It provides similar functionality to L2TP/IPsec while offering higher performance and better firewall traversal. Drawbacks are more complicated server-end implementation and lack of non-IP protocol support. IKEv2 VPN support is built into some newer operating systems and is also available from third-party clients.
HTML5 (Clientless VPN)
SSL/TLS can provide tunneling, strong encryption, and certificate-based authentication. Some NGFW appliances allow it to be used for VPN connections without any local software on the client computer. Instead, the VPN is an HTML5 web application that executes entirely within the browser. Remote users log into the enterprise NGFW via a web portal, then access the intranet through a browser-based TLS tunnel. Clientless VPNs often have limited features and reduced performance compared with a client-based VPN, but they can work in situations where users can’t install or configure a normal VPN in their local network environment.
SSL/TLS (Client-based)
VPN clients can use SSL/TLS to tunnel the entire IP stack; the result is a robust and secure alternative to L2TP/IPsec, often even with higher performance. SSL/TLS VPNs are available from many vendors, but their capabilities vary. Common examples include the open-source OpenVPN and Microsoft’s Secure Socket Tunneling Protocol (SSTP). One benefit is that they often only need TCP port 443 to be opened, just like an HTTPS server. They also can limit access to the network, restricting the damage done by a compromised client.
Secure Shell
SSH has encryption, authentication, and tunneling features, so it can be used as a limited VPN, typically for port forwarding or tunneling a single application at a time. It’s useful in specific situations and can provide reasonably strong security. SSH itself operates on TCP port 22, but when used as a VPN, it often opens other ports for particular applications.
IKE
Internet Key Exchange negotiates and authenticates SAs between two hosts and exchanges encryption keys to set up a secure channel. It also manages existing SAs, and periodically replaces keys during a session. It’s actually a specific implementation of the Internet Security Association and Key Management Protocol (ISAKMP) framework for key exchange.
AH
Authentication Header provides data integrity and source authentication through cryptographic hashes of the packet contents and source identity. It also provides integrity protection for the IP header itself.
ESP
Encapsulating Security Payload encrypts the packet payload, along with integrity and authentication information.