VPN Flashcards
VPNs
IPSec
Transport Layer Security (SSL/TLS)
Datagram Transport Layer Security (DTLS)
Secure Socket Tunneling Protocol (SSTP)
MPVPN (Multi Path Virtual Private Network)
Secure Shell (SSH) VPN
An SSL VPN (Secure Sockets Layer virtual private network)
is a form of VPN that can be used with a standard Web browser.
In contrast to the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer. It is used to give remote users access to Web applications, client/server applications and internal network connections.
Datagram Transport Layer Security (DTLS)
DTLS allows datagram-based applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
The DTLS protocol is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees.
The datagram semantics of the underlying transport are preserved by the DTLS protocol: the application does not suffer the delays associated with stream protocols (no head-of-line blocking), but it has to deal with packet reordering, datagram loss, and data larger than a single datagram. DTLS handles this with explicit record sequence numbers (and an epoch) and by retransmitting handshake messages itself.
IPSec
- A protocol suite that provides a method of setting up a secure channel for protected data exchange between two devices.
- IPSec has strong encryption and authentication methods, and although it can be used to enable tunneled communication between two computers, it is usually employed to establish virtual private networks (VPNs) among networks across the Internet.
IPSec uses two basic security protocols:
- Authentication Header (AH) - the authenticating protocol. AH provides source authentication and message integrity (covering the payload and the non-mutable parts of the IP header) but no confidentiality.
- Encapsulating Security Payload (ESP) - an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality, and message integrity. Because AH's coverage of the IP header breaks under NAT, ESP with integrity protection enabled is what most deployments actually use.
IPSEC - Each device will have at least one security association (SA)
- The SA, which is critical to the IPSec architecture, is a record of the configurations the device needs to support an IPSec connection.
- When two devices complete their handshaking process, which means they have agreed upon a long list of parameters they will use to communicate, these data must be recorded and stored somewhere, which is in the SA.
- The SA can contain the authentication and encryption keys, the agreed-upon algorithms, the key lifetime, and the source IP address.
- When a device receives a packet via the IPSec protocol, it is the SA that tells the device what to do with the packet.
- So if device B receives a packet from device C via IPSec, device B will look to the corresponding SA to tell it how to decrypt the packet, how to properly authenticate the source of the packet, which key to use, and how to reply to the message if necessary.
- SAs are directional, so a device will have one SA for outbound traffic and a different SA for inbound traffic for each individual communication channel.
- If a device is connecting to three devices, it will have at least six SAs, one for each inbound and outbound connection per remote device.
IPSEC - So how can a device keep all of these SAs organized and ensure that the right SA is invoked for the right connection?
- With the security parameter index (SPI), that's how.
- The SPI is a 32-bit value carried in the AH or ESP header of every IPSec packet. Each receiver chooses the SPI for each of its own inbound SAs when the SA is negotiated (for example by IKE), so the value is unique on that device; the two directions of a connection therefore carry different SPIs.
- When a packet arrives, the device reads the SPI from the header and, together with the destination address and the protocol (AH or ESP), uses it to select the matching SA in its security association database. That SA then tells the device which keys and algorithms to apply to the packet.
IPSec can work in one of two modes:
- transport mode - in which only the payload of the IP packet is protected; the original IP header stays in place (and, with ESP, stays in cleartext), so this mode is normally used end-to-end between two hosts.
- tunnel mode - in which the entire original IP packet, header and payload, is encapsulated as the payload of a new IP packet with a new outer header; this is the mode used between VPN gateways, where the outer header carries only the gateway addresses.
ESP in transport mode encrypts the actual message information so it cannot be sniffed and uncovered by an unauthorized entity.
ESP in tunnel mode provides a higher level of protection by also encrypting the original IP header, so an attacker on the path sees only the gateway addresses, not the inner source, destination and protocol information that would otherwise be useful to him. (AH in tunnel mode authenticates the inner header but does not hide it.)
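The two IPSec cards above (the SA/SPI lookup on receipt, and transport versus tunnel encapsulation) are easier to see in a concrete packet walk-through. The following is an added example written for this page, not code from the page's source or from any IPsec implementation. It builds ESP packets with the real RFC 4303 layout (SPI, sequence number, payload, padding, pad-length, next-header, ICV), keeps a per-receiver security association database keyed by (SPI, destination address, protocol), enforces the RFC 4303 anti-replay window, and verifies the ICV before the window state is advanced. To stay self-contained it uses ESP with NULL encryption (RFC 2410, integrity only, since the standard library has no AES); a real SA would also hold a cipher key and encrypt the payload before computing the ICV. All addresses, SPIs, keys and the TCP payload are constructed values.

```python
"""ESP (RFC 4303) walk-through: SPI-based SA lookup, anti-replay window, ICV check, and
transport vs tunnel encapsulation.  Added illustration, not code from the page.  Uses ESP
with NULL encryption (RFC 2410, integrity only: stdlib has no AES); a real SA also encrypts."""
import hashlib, hmac, ipaddress, struct

ESP_PROTO, TCP_PROTO, IPV4_IN_IP = 50, 6, 4  # IANA protocol / next-header numbers
ICV_LEN, REPLAY_WINDOW = 16, 64              # HMAC-SHA-256-128 (RFC 4868); RFC 4303 minimum window
TCP_SAMPLE = b"\x1f\x90\x00\x50GET /\r\n"    # constructed stand-in for a TCP segment


class SA:  # one direction of one IPsec connection; every value in this file is a constructed example
    def __init__(self, spi, src, dst, auth_key, mode):
        self.spi, self.src, self.dst, self.auth_key, self.mode = spi, src, dst, auth_key, mode
        self.seq = 0                        # outbound: last sequence number sent
        self.highest, self.window = 0, 0    # inbound: highest seq accepted, bitmap of seen seqs below it


def ipv4_header(src, dst, proto, payload_len):  # minimal 20-byte IPv4 header with a valid checksum
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    s = sum(struct.unpack("!10H", raw))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return raw[:10] + struct.pack("!H", ~s & 0xFFFF) + raw[12:]


def parse_ipv4(pkt):
    v_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "payload": pkt[(v_ihl & 0xF) * 4:total]}


def esp_encapsulate(sa, payload, next_header):
    """ESP-NULL layout: SPI | Seq | payload | pad | pad-len | next-header | ICV."""
    sa.seq += 1
    pad_len = -(len(payload) + 2) % 4                    # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", sa.spi, sa.seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def replay_ok(sa, seq):
    """RFC 4303 sliding-window test (seq 0 is never valid); the window moves only after the ICV verifies."""
    if seq > sa.highest:
        return True
    diff = sa.highest - seq
    return 0 < seq and diff < REPLAY_WINDOW and not (sa.window >> diff) & 1


def replay_mark(sa, seq):
    if seq > sa.highest:                                  # slide the window forward
        sa.window, sa.highest = (sa.window << (seq - sa.highest)) & ((1 << REPLAY_WINDOW) - 1), seq
    sa.window |= 1 << (sa.highest - seq)


def ipsec_send(sa, ip_pkt):  # transport keeps the original IP header; tunnel wraps the whole packet
    orig = parse_ipv4(ip_pkt)
    if sa.mode == "transport":
        esp = esp_encapsulate(sa, orig["payload"], orig["proto"])
        return ipv4_header(orig["src"], orig["dst"], ESP_PROTO, len(esp)) + esp
    esp = esp_encapsulate(sa, ip_pkt, IPV4_IN_IP)
    return ipv4_header(sa.src, sa.dst, ESP_PROTO, len(esp)) + esp


def ipsec_receive(sad, ip_pkt):
    """Inbound: (SPI, dst, protocol) selects the SA; then replay check, ICV check, decapsulation."""
    outer = parse_ipv4(ip_pkt)
    esp = outer["payload"]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get((spi, outer["dst"], outer["proto"]))
    if sa is None:
        raise LookupError(f"no inbound SA for SPI {spi:#010x}")
    if not replay_ok(sa, seq):
        raise ValueError(f"replayed or stale sequence number {seq}")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ICV mismatch: packet forged or modified")
    replay_mark(sa, seq)                                  # only now does the window advance
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    if sa.mode == "tunnel":                               # next_header is IPV4_IN_IP: a whole IP packet
        return parse_ipv4(inner)
    return {"src": outer["src"], "dst": outer["dst"], "proto": next_header, "payload": inner}


def _attempt(sad, pkt):
    try:
        return ipsec_receive(sad, pkt)
    except (ValueError, LookupError) as e:
        return str(e)                                     # the rejection reason


def scenario():
    """Host-to-host transport SA (A -> B) and gateway-to-gateway tunnel SA (G1 -> G2)."""
    a_out, b_in = (SA(0x1001, "10.0.0.1", "10.0.0.2", b"\x11" * 32, "transport") for _ in range(2))
    g1_out, g2_in = (SA(0x2002, "198.51.100.1", "203.0.113.1", b"\x22" * 32, "tunnel") for _ in range(2))
    sad_b = {(0x1001, "10.0.0.2", ESP_PROTO): b_in}        # each receiver's SAD, keyed by SPI/dst/proto
    sad_g2 = {(0x2002, "203.0.113.1", ESP_PROTO): g2_in}
    pkt_ab = ipv4_header("10.0.0.1", "10.0.0.2", TCP_PROTO, len(TCP_SAMPLE)) + TCP_SAMPLE
    pkt_lan = ipv4_header("192.168.1.10", "192.168.2.20", TCP_PROTO, len(TCP_SAMPLE)) + TCP_SAMPLE
    wire_t, wire_u, wire_u2 = ipsec_send(a_out, pkt_ab), ipsec_send(g1_out, pkt_lan), ipsec_send(g1_out, pkt_lan)
    tampered = wire_u2[:40] + bytes([wire_u2[40] ^ 1]) + wire_u2[41:]   # flip a bit in the inner src address
    return {"transport_outer": parse_ipv4(wire_t)["dst"],   # original header stays on the wire
            "tunnel_outer": parse_ipv4(wire_u)["dst"],      # gateway address; 192.168.2.20 is inside ESP
            "transport_inner": _attempt(sad_b, wire_t),     # entries are evaluated in this order
            "tunnel_inner": _attempt(sad_g2, wire_u),
            "replay": _attempt(sad_g2, wire_u),             # same seq again: rejected by the window
            "wrong_sad": _attempt(sad_b, wire_u),           # B has no SA for SPI 0x2002
            "tampered": _attempt(sad_g2, tampered),         # seq 2 is fresh, but the ICV fails
            "after_tamper": _attempt(sad_g2, wire_u2)}      # genuine seq 2 still accepted
```

Run `scenario()` to see the eight outcomes. Two details matter in practice and are easy to get wrong: the replay window is consulted before the ICV check (so a replay is dropped cheaply) but only updated after it, otherwise an attacker could burn sequence numbers with forged packets; and the SA lookup key includes the destination address and protocol, not the SPI alone, because SPIs are only unique per receiver.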
Secure Shell (SSH) VPN
SSL Portal VPN:
This type of SSL VPN allows for a single SSL connection to a Web site so the end user can securely access multiple network services. The site is called a portal because it is one door (a single page) that leads to many other resources. The remote user accesses the SSL VPN gateway using any modern Web browser, identifies himself to the gateway using an authentication method supported by the gateway and is then presented with a Web page that acts as the portal to the other services.
SSL Tunnel VPN:
This type of SSL VPN allows a Web browser to securely access multiple network services, including applications and protocols that are not Web-based, through a tunnel that is running under SSL. SSL tunnel VPNs require that the Web browser be able to handle active content, which allows them to provide functionality that is not accessible to SSL portal VPNs. Examples of active content include Java, JavaScript, ActiveX, or Flash applications or plug-ins.
SSL VPN
A Secure Sockets Layer virtual private network, or SSL VPN, is a type of virtual private network (VPN) that can be used with a standard Web browser. In this way it differs from the traditional Internet Protocol Security (IPsec) VPN, which requires client software. An SSL VPN is designed to give remote users access to Web applications, client/server applications and internal network connections.
There are two major types of SSL VPNs:
- SSL Portal VPN: Allows for a single SSL connection to a website, allowing the end user to securely access multiple network services. This type of site is called a portal because it is one door (a single page) that leads to many other resources.
- SSL Tunnel VPN: Allows a Web browser – and therefore users – to securely access multiple network services, including applications and protocols that are not Web-based. Access is provided through a tunnel running under SSL.
The SSL capabilities these VPNs rely on are:
* Authenticating a server to a client (via the server's certificate)
* Encrypting communications between a client and server
* Authenticating a client to a server (optional in SSL/TLS itself, via a client certificate; most SSL VPN gateways instead, or additionally, authenticate the user at the application layer)
PGP encryption
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography;
each step uses one of several supported algorithms. Each public key is bound to a user name and/or an e-mail address. The first version of this system was generally known as a web of trust to contrast.
S/MIME (Secure/Multipurpose Internet Mail Extensions)
- Secure MIME (S/MIME) is a standard for public key encryption and digital signing of electronic mail and for providing secure data transmissions.
- S/MIME extends the MIME standard by allowing for the encryption of e-mail and attachments.
- The encryption and hashing algorithms can be specified by the user of the mail package, instead of having it dictated to them.
- S/MIME follows the Public Key Cryptography Standards (PKCS).
- S/MIME provides confidentiality through encryption algorithms, integrity through hashing algorithms, authentication through the use of X.509 public key certificates, and nonrepudiation through cryptographically signed message digests.
X.509
- X.509 dictates the different fields used in a certificate and the valid values that can populate those fields.
- X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). It specifies, among other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.