Virtual Private Networks

Question 1

What is a VPN?

Answer 1

A VPN connects the resources and components of one network to another over a public infrastructure, such that it appears as if data is being sent over a dedicated link

Question 2

What are the types of VPN?

Answer 2

Access - connection to remote users
Extranet - connection to suppliers/partners/clients
WAN - Connection to branch offices

Question 3

Why use VPN’s?

Answer 3

• Cost effectiveness
• Flexibility
• Scalability

Question 4

How does a VPN work?

Answer 4

A VPN establishes tunnels through the Internet to send packets. A tunnel is a logical stream of packets in which each packet is encapsulated with an additional header as it travels through the public network

Question 5

How does a tunnel provide security?

Answer 5

• With an extra header, the rest of the payload can be encrypted; the packet can also be authenticated and certified
• Firewall provides access control
• Result: all 7 security goals

Question 6

What is the IPSEC Tunneling protocol?

Answer 6

• IPSEC is supposedly the best security solution for building VPN’s
• It is a network layer tunneling protocol for IP
• Provides per packet, end to end, protection
• Accommodates a wide variety of cryptographic algorithms for confidentiality, integrity, and authentication
• High flexibility allows nesting or bundling of its component protocols
• Efficient key management and exchange procedure

Question 7

What are the components of IPSEC?

Answer 7

1 - Authentication header
2 - Encapsulating security payload
3 - internet key exchange

Question 8

What is an authentication header (AH)?

Answer 8

• Provides integrity and authentication
• contains a message digest for the contents of the packet
• no encryption provided by AH

Has a next header code, header length, sequence number, message digest, SPI (security parameters index), authentication data/message digest/secure hash

Question 9

Describe the AH modes

Answer 9

Transport mode:
Original IP Header ->AH->Payload

Tunnel mode:
New IP Header ->AH->Original IP Header->Payload

Question 10

What is an encapsulating security payload (ESP)

Answer 10

• provides confidentiality, integrity, and authentication
• encryption algorithms DES, 3DES, etc

Has next header code, header length, security parameters index, sequence number, message digest

Question 11

Describe the ESP modes

Answer 11

Transport mode:
Original IP header -> ESP header -> Payload -> ESP Tailer

Tunnel mode:
New IP header -> ESP header -> original IP header -> Payload -> ESP tailer

Question 12

What is the Internet Key Exchange?

Answer 12

• secure exchange of keys is critical to the security of a tunneling protocol
• Two main phases
• • Establishment of a security association
• • Secure exchange of messages

Question 13

What is a security association (SA)?

Answer 13

• A security association between the two tunnel peers defines the encryption and authentication algorithms, the key lengths, and their lifetimes

Question 14

Describe IKE Phase I

Answer 14

• Security Association messages are sent and negotiated in messages 1 and 2
• Diffie hellman exchanges are done in messages 3 and 4 and a SKEYID (master key) is established
• Digital signatures and certificates are exchanges in messages 5 and 6, they are encrypted using SKEYID. The two nodes authenticate each other

Question 15

Describe IKE Phase 2

Answer 15

• Using encrypted packets and protected by digital signatures they do another DH exchange
• This generates the secret session key
• Data is transferred using the secret session key
• Keys are refreshed every few minutes in Phase II
• Uses a private key encryption algorithm using the secret key from this phase