Week 2 Flashcards
-is used to create end-to-end private network connections
-is virtual in that it carries information within a private network, but that information is actually transported over a public network.
-is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
Virtual Private Network (VPN)
(VPN Benefits)
-organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
cost savings
(VPN Benefits)
-encryption and authentication protocols protect data from unauthorized access.
security
(VPN Benefits)
-VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
scalability
(VPN Benefits)
-VPNs can be implemented across a wide variety of WAN link options including broadband technologies. Remote workers can use these high-speed connections to gain secure access to corporate networks.
compatibility
-common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using IPsec and SSL VPNs.
Enterprise VPNs
-created and managed by the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites, effectively segregating the traffic from other customer traffic.
Service Provider VPNs
-does not require you to install any software to connect; you can use the browser to connect
Client SSL Connection
-let remote and mobile users securely connect to the enterprise.
-are typically enabled dynamically by the user when required and can be created using either IPsec or SSL.
Remote-access VPNs
(remote-access VPNs)
-the connection is secured using a web browser SSL connection
clientless VPN connection
(remote-access VPNs)
-VPN client software such as Cisco AnyConnect Secure Mobility Client must be installed on the remote user’s end device.
Client-based VPN connection
-uses the public key infrastructure and digital certificates to authenticate peers. The type of VPN method implemented is based on the access requirements of the users and the organization’s IT processes.
SSL VPNs
-connect networks across an untrusted network such as the internet.
site-to-site VPNs
(site-to-site IPsec VPNs)
-send and receive normal unencrypted TCP/IP traffic through a VPN gateway.
end hosts
(site-to-site IPsec VPNs)
-encapsulates and encrypts outbound traffic from a site and sends the traffic through the VPN tunnel to the VPN gateway at the target site, which strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
VPN gateway
-is a non-secure site-to-site VPN tunneling protocol
-does not support encryption by default and therefore does not provide a secure VPN tunnel.
-its packet can be encapsulated into an IPsec packet to forward it securely to the destination VPN gateway.
Generic Routing Encapsulation (GRE)
(GRE over IPsec)
-can encapsulate various network layer protocols as well as multicast and broadcast traffic.
GRE tunnel
(GRE over IPsec)
-this is the original packet that is to be encapsulated by GRE. It could be an IPv4 or IPv6 packet, a routing update, and more.
passenger protocol
(GRE over IPsec)
-is the protocol that encapsulates the original passenger packet
carrier protocol
(GRE over IPsec)
-this is the protocol that will actually be used to forward the packet. This could be IPv4 or IPv6.
Transport protocol
-is a Cisco software solution for building multiple VPNs in an easy, dynamic, and scalable manner
-simplifies the VPN tunnel configuration and provides a flexible option to connect a central site with branch sites.
Dynamic Multipoint VPNs (DMVPN)
(Dynamic Multipoint VPNs)
-establish secure VPN tunnels with the hub site.
-can also obtain information about each other, and alternatively build direct tunnels between themselves (spoke-to-spoke tunnels)
spoke sites
-simplifies the configuration process required to support multiple sites and remote access.
-configurations are applied to a virtual interface instead of statically mapping the IPsec sessions to a physical interface.
-is capable of sending and receiving both IP unicast and multicast encrypted traffic. Therefore, routing protocols are automatically supported without having to configure GRE tunnels.
-can be configured between sites or in a hub-and-spoke topology.
IPsec Virtual Tunnel Interface (IPsec VTI)
(service provider MPLS VPNs)
-is forwarded through the MPLS backbone using labels.
-is secure because service provider customers cannot see each other’s traffic.
traffic
-can provide clients with managed VPN solutions; therefore, securing traffic between client sites is the responsibility of the service provider.
-is an open standard, but Cisco has its own implementations
MPLS
(MPLS VPN solutions)
-the service provider participates in customer routing by establishing a peering between the customer’s routers and the provider’s routers
Layer 3 MPLS VPN
(MPLS VPN solutions)
-the service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. No routing is involved. The customer’s routers effectively belong to the same multiaccess network.
layer 2 MPLS VPN
-is an IETF standard that defines how a VPN can be secured across IP networks.
-protects and authenticates IP packets between source and destination and provides these essential security functions.
-is an open standard; you can configure it on non-Cisco devices
-alone is good enough for implementation of VPN; it is a complete package.
-is not bound to any specific rules for secure communications
-can easily integrate new security technologies without updating existing IPsec standards.
-encapsulates packets using Authentication Header (AH) or Encapsulation Security Protocol (ESP).
IPsec
(IPsec Technologies)
-uses encryption algorithms to prevent cybercriminals from reading the packet contents.
-the degree depends on the encryption algorithm and the length of the key used in the encryption algorithm.
confidentiality
(IPsec Technologies)
-uses hashing algorithms to ensure that packets have not been altered between source and destination
-is computed using the hash code
-means that the data has not changed in transit
Integrity
(IPsec Technologies)
-uses the Internet Key Exchange (IKE) protocol to authenticate source and destination.
origin authentication
(IPsec Technologies)
-used to secure key exchange
-allows two peers to establish a shared secret key over an insecure channel.
diffie-hellman
(IPsec Protocol Encapsulation)
-is appropriate only when confidentiality is not required or permitted
AH (Authentication Header)
(IPsec Protocol Encapsulation)
-provides both confidentiality and authentication
ESP (Encapsulation Security Protocol)
(confidentiality)
-Uses a 56-bit key
DES
(confidentiality)
-uses three independent 56-bit encryption keys per 64-bit block
3DES
(confidentiality)
-offers three different key lengths: 128 bits, 192 bits, and 256 bits
AES
(confidentiality)
-is a stream cipher, which means it encrypts data continuously rather than encrypting blocks of data.
-uses a 160-bit key.
SEAL
(integrity)
-is a data integrity algorithm that guarantees the integrity of the message using a hash value.
Hashed Message Authentication Code (HMAC)
(integrity)
-uses a 128-bit shared-secret key
Message-Digest 5 (MD5)
(integrity)
-uses a 160-bit secret key
Secure Hash Algorithm (SHA)