Section 16.152 Securing Network Communications Flashcards
Objective 3.2: Given a scenario, you must be able to apply security principles to secure enterprise architecture.
Objective 4.5: Given a scenario, you must be able to modify enterprise capabilities to enhance security.
Virtual Private Networks (VPNs)
Extend private networks across public networks to allow remote users to securely connect to an organisation's network
■ Can be configured as site-to-site, client-to-site, or clientless VPNs
■ In addition to site-to-site and client-to-site VPNs, we have to decide whether we are going to use a full tunnel or split tunnel VPN configuration
VPNs
Site-to-Site VPN
○ Connects two sites cost-effectively
○ Replaces expensive leased lines
○ Utilises a VPN tunnel over the public internet
○ Encrypts and secures data between sites
○ Slower, but more secure
Client-to-Site VPN
○ Connects a single host (e.g., laptop) to the central office
○ Ideal for remote user access to the central network
○ Options for full tunnel and split tunnel configurations
Clientless VPN
○ Uses a web browser to establish secure, remote-access VPN
○ No need for dedicated software or hardware client
○ Utilises HTTPS and TLS protocols for secure connections to websites
Full Tunnel VPN
Can be used with either site-to-site or client-to-site VPNs
○ Encrypts and routes all network requests through the VPN
○ Provides high security, clients fully part of central network
○ Limits access to local resources
○ Suitable for remote access to central resources
Default for organisations; offers more security
Split Tunnel VPN
Can be used with either site-to-site or client-to-site VPNs
○ Divides traffic, routing some through the VPN and some directly to the internet
○ Enhances performance by bypassing the VPN for non-central traffic
○ Less secure; potential exposure to attackers
○ Recommended for better performance but requires caution on untrusted networks
Offers better performance
Transport Layer Security (TLS)
A protocol that provides cryptographic security for secure connections and is used for secure web browsing and data transfer
■ Used for secure connections in web browsers (HTTPS)
■ Uses Transmission Control Protocol (TCP) for secure connections between a client and a server
May slow down the connection
Datagram Transport Layer Security (DTLS)
A UDP-based version of TLS protocol that offers the same security level as TLS while maintaining faster operations
● Ensures end-user security and protects against eavesdropping in clientless VPN connections
● Ensures confidentiality, integrity, and authentication of data
Internet Protocol Security (IPSec)
A secure protocol suite for IP communication through authentication and data encryption in IP networks
■ Provides confidentiality, integrity, authentication, and anti-replay protection
■ Used for both site-to-site and client-to-site VPNs
■ Five key steps in establishing an IPSec VPN
Five key steps in establishing an IPSec VPN
1. Request to start the Internet Key Exchange (IKE)
PC1 initiates traffic to PC2, triggering IPSec tunnel creation by RTR1
2. Authentication - IKE Phase 1
RTR1 and RTR2 negotiate security associations for the IPSec IKE Phase 1 (ISAKMP) tunnel
3. Negotiation - IKE Phase 2
IKE Phase 2 establishes a tunnel within the tunnel
4. Data transfer
Data transfer between PC1 and PC2 takes place securely
5. Tunnel termination
Tunnel torn down, including the deletion of IPSec security associations
IPSec Tunneling Modes (Data transfer step 4)
Transport Mode
Uses original IP header
○ Suitable for client-to-site VPNs
○ Avoids potential fragmentation issues from MTU constraints
MTU (Maximum Transmission Unit): set by default to 1500 bytes; may cause fragmentation and other VPN problems
Does not increase packet size