6.3 VPN Technology
6.3.1 VPNs and Their Benefits
Page 1:
The Internet is a worldwide, publicly accessible IP network. Because of its vast global proliferation, it has become an attractive way to interconnect remote sites. However, the fact that it is a public infrastructure poses security risks to enterprises and their internal networks. Fortunately, VPN technology enables organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security.
Organizations use VPNs to provide a virtual WAN infrastructure that connects branch offices, home offices, business partner sites, and remote telecommuters to all or portions of their corporate network. To remain private, the traffic is encrypted. Instead of using a dedicated Layer 2 connection, such as a leased line, a VPN uses virtual connections that are routed through the Internet.
Earlier in this course, an analogy involving getting priority tickets for a stadium show was introduced. An extension to that analogy will help explain how a VPN works. Picture the stadium as a public place in the same way as the Internet is a public place. When the show is over, the public leaves through public aisles and doorways, jostling and bumping into each other along the way. Petty thefts are threats to be endured.
Consider how the performers leave. Their entourage all link arms and form cordons through the mobs and protect the celebrities from all the jostling and pushing. In effect, these cordons form tunnels. The celebrities are whisked through tunnels into limousines that carry them cocooned to their destinations. This section describes how VPNs work in much the same way, bundling data and safely moving it across the Internet through protective tunnels. An understanding of VPN technology is essential to be able to implement secure teleworker services on enterprise networks.
Analogy: Each LAN Is an IsLANd
We will use another analogy to illustrate the VPN concept from a different point of view. Imagine that you live on an island in a huge ocean. There are thousands of other islands all around you, some very close and others farther away. The normal way to travel is to take a ferry from your island to whichever island you wish to visit. Traveling on a ferry means that you have almost no privacy. Anything you do can be seen by someone else.
Assume that each island represents a private LAN, and the ocean is the Internet. When you travel by ferry, it is similar to when you connect to a web server or to another device through the Internet. You have no control over the wires and routers that make up the Internet, just like you have no control over the other people on the ferry. This leaves you susceptible to security issues if you try to connect between two private networks using a public resource.
Your island decides to build a bridge to another island so that there is an easier, more secure and direct way for people to travel between the two. It is expensive to build and maintain the bridge, even though the island you are connecting with is very close. But the need for a reliable, secure path is so great that you do it anyway. Your island would like to connect to a second island that is much farther away, but you decide that it is too expensive.
This situation is very much like having a leased line. The bridges (leased lines) are separate from the ocean (Internet), yet they are able to connect the islands (LANs). Many companies have chosen this route because of the need for security and reliability in connecting their remote offices. However, if the offices are very far apart, the cost can be prohibitively high-just like trying to build a bridge that spans a great distance.
So how does VPN fit into this analogy? We could give each inhabitant of the islands their own small submarine with these properties:
- Fast
- Easy to take with you wherever you go
- Able to hide you completely from any other boats or submarines
- Dependable
- Costs little to add additional submarines to your fleet once the first is purchased
Although they are traveling in the ocean along with other traffic, the inhabitants of our two islands could travel back and forth whenever they wanted to with privacy and security. That is essentially how a VPN works. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. A VPN can grow to accommodate more users and different locations much easier than a leased line. In fact, scalability is a major advantage that VPNs have over typical leased lines. Unlike leased lines, where the cost increases in proportion to the distances involved, the geographic locations of each office matter little in the creation of a VPN.
6.3.1 - VPNs and Their Benefits The diagram depicts a description of VPNs and various VPN connections.
A VPN is: - Virtual: Information within a private network is transported over a public network. - Private: The traffic is encrypted to keep the data confidential.
Network Topology: A main site building is shown with a perimeter router, firewall, legacy concentrator, and a corporate network attached. Various external locations connect to the main site using VPN technology:
- Business partner with a router connects to the perimeter router.
- Regional office with a firewall connects to the perimeter router. The connection between the firewall and the perimeter router is labeled IPSec.
- SOHO with an ISDN/DSL router connects to a POP with an access server.
- Mobile worker with a VPN client on a laptop computer connects to a POP with an access server.
- Access server connects to the perimeter router.
Page 2:
Organizations using VPNs benefit from increased flexibility and productivity. Remote sites and teleworkers can connect securely to the corporate network from almost any place. Data on a VPN is encrypted and undecipherable to anyone not entitled to have it. VPNs bring remote hosts inside the firewall, giving them close to the same levels of access to network devices as if they were in a corporate office. That access cuts both ways: a compromised teleworker laptop is also inside the firewall, so remote hosts need the same endpoint controls as office machines.
The figure shows leased lines in red. The blue lines represent VPN-based connections. Consider these benefits when using VPNs:
- Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.
- Security - Advanced encryption and authentication protocols protect data from unauthorized access.
- Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
6.3.1 - VPNs and Their Benefits The diagram depicts the benefits of VPNs. A branch office, a mobile user, and a SOHO are each shown connecting to the central site using traditional Layer 2 WAN technologies and VPNs through the public Internet.
Compared to leased-line options, VPN benefits include cost savings, added security, and increased scalability.
6.3.2 Types of VPNs
Page 1:
Organizations use site-to-site VPNs to connect dispersed locations in the same way as a leased line or Frame Relay connection is used. Because most organizations now have Internet access, it makes sense to take advantage of the benefits of site-to-site VPNs. As illustrated in the figure, site-to-site VPNs also support company intranets and business partner extranets.
In effect, a site-to-site VPN is an extension of classic WAN networking. Site-to-site VPNs connect entire networks to each other. For example, they can connect a branch office network to a company headquarters network.
In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA). The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
6.3.2 - Types of VPNs The diagram depicts a topology that connects external sites to the central site using site-to-site VPNs. Site-to-site VPNs are extensions of the classic WAN.
Network Topology: A main site building cloud is shown with a perimeter router at the edge. Inside the central site cloud is an adaptive security appliance (ASA), router, and firewall, each of which can be used to terminate the external VPN connections. Various external locations connect to the main site using site-to-site VPN technology.
Remote Site - Connects to a POP using DSL or cable. The POP connects to the Internet.
Intranet - Site with two routers. One connects to a POP, and the other connects directly to the Internet.
Extranet - Router connects directly to the Internet.
Page 2:
Mobile users and telecommuters use remote access VPNs extensively. In the past, corporations supported remote users using dialup networks. This usually involved a toll call and incurring long distance charges to access the corporation.
Most teleworkers now have access to the Internet from their homes and can establish remote VPNs using broadband connections. Similarly, a mobile worker can make a local call to a local ISP to access the corporation through the Internet. In effect, this marks an evolutionary advance in dialup networks. Remote access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business connections.
In a remote-access VPN, each host typically has VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.
6.3.2 - Types of VPNs The diagram depicts a topology that connects external sites to the central site using remote access VPNs. Remote access VPNs mark an evolutionary step in dialup and ISDN networks.
Network Topology: A main site building cloud is shown with a perimeter router at the edge. Inside the central site cloud is a VPN concentrator, an ASA, a router, and a firewall, each of which can be used to terminate the external VPN connections. Various external locations connect to the main site using remote access VPN technology.
Remote Access Clients: Telecommuter - Connects to a POP using DSL or cable. The POP connects to the Internet.
Mobile User - Connects to a POP using wireless. The POP connects to the Internet.
Extranet Consumer-to-Business - Connects to a POP using wireless. The POP connects to the Internet.
6.3.3 VPN Components
Page 1:
A VPN creates a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, together with sender authentication and message integrity.
The figure illustrates a typical VPN topology. Components required to establish this VPN include:
- An existing network with servers and workstations
- A connection to the Internet
- VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
- Appropriate software to create and manage VPN tunnels
The key to VPN effectiveness is security. VPNs secure data by encapsulating it, encrypting it, or both. Most VPNs can do both, and only the encryption hides the contents: an unencrypted tunnel such as plain GRE still carries the data in clear text.
Encapsulation is also referred to as tunneling, because encapsulation transmits data transparently from network to network through a shared network infrastructure. Encryption codes data into a different format using a secret key. Decryption decodes encrypted data into the original unencrypted format.
Encapsulation and encryption are discussed in more detail later in this course.
6.3.3 - VPN Components The diagram depicts a topology and the VPN components that connect external sites to the corporate network.
Network Topology: A corporate network building is shown with a perimeter router at the edge. Inside the central site cloud, the router is connected to a firewall and a VPN concentrator. These provide access to the corporate servers and other resources. Various external locations connect to the corporate network using site-to-site VPN technology and components.
Business Partner with Router - Connects to the Internet cloud, which connects to the corporate perimeter router.
Remote Office with Router - Connects to the Internet cloud, which connects to the corporate perimeter router.
Regional Office with Firewall - Connects to the Internet cloud, which connects to the corporate perimeter router.
SOHO with broadband connection - Router connects to a POP, which contains an access server. The POP connects to the Internet cloud, which connects to the corporate perimeter router.
Teleworker with a VPN Client on a Laptop Computer - Client connects to a POP, which contains an access server. The POP connects to the Internet cloud, which connects to the corporate perimeter router.
6.3.4 Characteristics of Secure VPNs
Page 1:
VPNs use advanced encryption techniques and tunneling to permit organizations to establish secure, end-to-end, private network connections over the Internet.
The foundation of a secure VPN is data confidentiality, data integrity, and authentication:
- Data confidentiality - A common security concern is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using encapsulation combined with encryption.
- Data integrity - Receivers have no control over the path the data has traveled and therefore do not know if the data has been seen or handled while it journeyed across the Internet. There is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal: it does not stop anyone from reading the content, but it reveals whether the content was changed, and it is far more robust than a simple checksum. Hashes are explained in the next topic.
- Authentication - Authentication ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.
6.3.4 - Characteristics of Secure VPNs The diagram depicts secure VPN characteristics and their purpose. With VPNs, data confidentiality and data integrity depend on encryption and encapsulation.
Characteristic: Data Confidentiality Purpose: Protects data from eavesdroppers (sniffing).
Characteristic: Data Integrity Purpose: Guarantees that no tampering or alterations occur.
Characteristic: Authentication Purpose: Ensures that only authorized senders and devices enter the network.
6.3.5 VPN Tunneling
Page 1:
Incorporating appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents.
Tunneling allows the use of public networks like the Internet to carry data for users as though the users had access to a private network. Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network. This figure lists the three classes of protocols that tunneling uses.
To illustrate the concept of tunneling and the classes of tunneling protocols, consider an example of sending a holiday card through traditional mail. The holiday card has a message inside. The card is the passenger protocol. The sender puts the card inside an envelope (encapsulating protocol) with proper addressing applied. The sender then drops the envelope into a mailbox for delivery. The postal system (carrier protocol) picks up and delivers the envelope to the mailbox of the recipient. The two endpoints in the carrier system are the "tunnel interfaces." The recipient removes the holiday card (extracts the passenger protocol) and reads the message.
Click the Encapsulation button in the figure to view an illustration of the encapsulation process.
This figure illustrates an e-mail message traveling through the Internet over a VPN connection. PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet. GRE is a tunneling protocol originally developed by Cisco Systems and later standardized in RFC 2784. It can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP internetwork. GRE by itself provides no encryption or authentication; in the figure the GRE packet is in turn protected by IPsec. In the figure, the outer packet source and destination addressing is assigned to "tunnel interfaces" and is made routable across the network. Once a composite packet reaches the destination tunnel interface, the inside packet is extracted.
6.3.5 - VPN Tunneling The diagram depicts tunneling protocols and the VPN packet encapsulation process.
Tunneling Protocols:
- Carrier protocol: The protocol over which the information is traveling (Frame Relay, ATM, MPLS, or, as in the encapsulation example in this figure, IP).
- Encapsulating protocol: The protocol that is wrapped around the original data (GRE, IPSec, L2F, PPTP, L2TP).
- Passenger protocol: The protocol of the original data being carried (IPX, AppleTalk, IPv4, IPv6).
Encapsulation: In the diagram, a sender computer sends a packet to a VPN device. From there, it enters the VPN tunnel in the Internet. It exits the tunnel at a VPN device on the other end. The packet then goes to an access server and then to the receiver.
The diagram illustrates an SMTP e-mail message traveling through the Internet over a VPN connection. PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet. The outer packet source and destination addressing is assigned to tunnel interfaces and is made routable across the network. When the composite packet reaches the destination tunnel interface, the inside packet is extracted.
Packet Encapsulation Protocols (inside to outside):
Packet from the client computer: SMTP to TCP to IP to PPP
Packet in transmission through the Internet VPN tunnel: SMTP to TCP to IP to PPP to GRE to IP to IPSec
Packet from the VPN to the receiving computer: SMTP to TCP to IP to PPP
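The following Python program is an added example, not part of the course: it builds the inner IP packet, wraps it in a GRE header and an outer IP header addressed to the tunnel interfaces, and unwraps it at the far end. The addresses, payload and helper names are constructed for the example; the header layouts follow RFC 791 (IPv4) and RFC 2784 (GRE).

```python
"""Added example (not from the course): GRE-in-IP tunnel encapsulation.
An inner IPv4 packet (passenger) is wrapped in a GRE header (encapsulating
protocol) and an outer IPv4 header (carrier) addressed to the tunnel
interfaces. Addresses and payload are constructed for the example."""
import struct

GRE_PROTO = 47            # IANA protocol number carried in the outer IP header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 passenger


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Return the header fields and payload; reject a corrupted header."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": bytes_to_ip(fields[8]), "dst": bytes_to_ip(fields[9]),
            "proto": fields[6], "ttl": fields[5], "payload": packet[ihl:fields[2]]}


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap inner_packet in a basic GRE header (RFC 2784, no optional fields)
    and an outer IPv4 header whose addresses are the tunnel interfaces."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # C=0, version=0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers at the far tunnel interface."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007:                      # version must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto_type)
    gre_len = 8 if flags_ver & 0x8000 else 4    # C bit adds checksum + reserved1
    return outer["payload"][gre_len:]


def demo():
    """Constructed sample: a branch host mails a corporate host across the tunnel."""
    inner = build_ipv4("10.1.1.10", "10.2.2.25", 6,
                       b"MAIL FROM:<gail@example.com>\r\n")          # TCP/SMTP stand-in
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")    # tunnel interfaces
    return inner, outer


if __name__ == "__main__":
    inner, outer = demo()
    print("outer header:", {k: v for k, v in parse_ipv4(outer).items() if k != "payload"})
    print("inner recovered intact:", gre_decapsulate(outer) == inner)
```

Notice that the outer header carries only the tunnel endpoints; the private 10.x.x.x addresses exist only inside. GRE provides no confidentiality, so in the figure the GRE packet is itself carried inside IPsec; without that, the inner header and the SMTP payload travel in clear text.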
6.3.6 VPN Data Integrity
Page 1:
If plain text data is transported over the public Internet, it can be intercepted and read. To keep the data private, it needs to be encrypted. VPN encryption renders the data unreadable to unauthorized receivers.
For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form. VPN encryption rules include an algorithm and a key. An algorithm is a mathematical function that combines a message, text, digits, or all three with a key. The output is an unreadable cipher string. Without the correct key, recovering the plain text should be computationally infeasible.
In the example, Gail wants to send a financial document to Jeremy across the Internet. Gail and Jeremy have previously agreed on a secret shared key. At Gail's end, the VPN client software combines the document with the secret shared key and passes it through an encryption algorithm. The output is undecipherable cipher text. The cipher text is then sent through a VPN tunnel over the Internet. At the other end, the cipher text is combined with the same shared secret key and processed by the matching decryption algorithm. The output is the original financial document, which is now readable to Jeremy.
6.3.6 - VPN Data Integrity The diagram depicts VPN encryption of a financial transaction with a hacker attempting to intercept and decipher the message.
The message "Pay Jeremy $100" is sent from Gail and goes through an encryption algorithm as it enters the VPN. The encrypted message is shown, and the hacker cannot decipher it. At the receiving end, Jeremy's VPN device applies a decryption algorithm, allowing him to read the message.
Page 2:
The degree of security provided by any encryption algorithm depends on the length of the key, assuming the algorithm itself has no weakness. For any given key length, the time it takes to try every possible key against the cipher text is a function of the available computing power. Therefore, the shorter the key, the easier the cipher is to break by brute force; the trade-off is that shorter keys and simpler algorithms make encrypting and passing the message cheaper.
Some of the more common encryption algorithms and the length of keys they use are as follows:
- Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key, which made it fast but is now far too short: a 56-bit key can be brute-forced with modest hardware, so DES should not be used for new deployments. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
- Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength than DES, at three times the cost, and has itself been deprecated in favor of AES.
- Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
- Rivest, Shamir, and Adleman (RSA) - An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger; keys below 2048 bits are considered too short today.
Symmetric Encryption
Encryption algorithms such as DES and 3DES require a shared secret key to perform encryption and decryption. Each of the two computers must know the key to decode the information. With symmetric key encryption, also called secret key encryption, each computer encrypts the information before sending it over the network to the other computer. Symmetric key encryption requires knowledge of which computers will be talking to each other so that the same key can be configured on each computer.
For example, a sender creates a coded message where each letter is substituted with the letter that is two letters down in the alphabet; "A" becomes "C," and "B" becomes "D", and so on. In this case, the word SECRET becomes UGETGV. The sender has already told the recipient that the secret key is "shift by 2." When the recipient receives the message UGETGV, the recipient computer decodes the message by shifting back two letters and calculating SECRET. Anyone else who sees the message sees only the encrypted message, which looks like nonsense unless the person knows the secret key.
The question is, how do the encrypting and decrypting devices both obtain the shared secret key? You could use e-mail, courier, or overnight express to send the shared secret keys to the administrators of the devices. An easier and more secure method is to use asymmetric encryption or a key agreement protocol, such as the Diffie-Hellman exchange used by IPsec, so that the key is derived over the network without ever being sent.
Asymmetric Encryption
Asymmetric encryption uses different keys for encryption and decryption. Knowing one of the keys does not allow a hacker to deduce the second key and decode the information. One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.
Public key encryption is the usual form of asymmetric encryption and uses a key pair: a private key and a public key. The recipient gives the public key to any sender with whom the recipient wants to communicate, and keeps the private key secret. The sender encrypts the message with the recipient's public key. To decrypt the message, the recipient uses the matching private key; no one else holds it, so no one else can decrypt. The sender's own key pair is used in the other direction: the sender signs with its private key, and the recipient verifies with the sender's public key. That is how the RSA signature peer authentication described later in this topic works.
6.3.6 - VPN Data Integrity The diagram depicts two types of VPN encryption algorithms, symmetric and asymmetric, used to convert plain text to cipher text.
Symmetric algorithm: - Secret key cryptography. - Encryption and decryption use the same key. - Typically used to encrypt the content of a message. - Examples: DES, 3DES, AES.
Asymmetric algorithm: - Public key cryptography. - Encryption and decryption use different keys. - Typically used in digital certification and key management. - Example: RSA.
Page 3:
Hashes contribute to data integrity and authentication by revealing whether a transmitted message has been tampered with. A hash, also called a message digest, is a fixed-length number computed from a string of text of any length. The hash is smaller than the text itself. It is generated in such a way that it is computationally infeasible to find another text that produces the same hash value, and infeasible to recover the text from the hash.
The original sender generates a hash of the message and sends it with the message itself. The recipient decrypts the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, the recipient can be reasonably sure the integrity of the message has not been affected.
In the figure, someone is trying to send Jeremy a check for US$100. At the remote end, Alex Jones (likely a criminal) is trying to cash the check for $1,000. As the check progressed through the Internet, it was altered. Both the recipient and dollar amounts were changed. In this case, if a data integrity algorithm was used, the hashes would not match, and the transaction would no longer be valid.
VPN data is transported over the public Internet. As shown, there is potential for this data to be intercepted and modified. To guard against this threat, hosts can add a hash to the message. If the transmitted hash matches the received hash, the integrity of the message has been preserved. However, if there is no match, the message was altered.
VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms. A keyed hashed message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message.
A HMAC has two parameters: a message input and a secret key known only to the message originator and intended receivers. The message sender uses a HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input. The message authentication code is sent along with the message. The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used, and compares the result computed with the received message authentication code. If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key, and the size of the hash output length in bits.
There are two common HMAC algorithms:
- Message Digest 5 (MD5) - Uses a 128-bit shared secret key. The variable length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
- Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key. The variable length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
In IPsec both outputs are truncated to 96 bits (HMAC-MD5-96 and HMAC-SHA-1-96). MD5 and SHA-1 are no longer recommended for new deployments; where the equipment supports it, choose an HMAC based on SHA-2, for example HMAC-SHA-256.
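To make the difference between a plain hash and a keyed HMAC concrete, here is an added Python example (not from the course) using the transaction from the figure. The key, the messages and the function names are constructed for the example; the algorithms come from the standard library's hashlib and hmac modules.

```python
"""Added example (not from the course): integrity with a plain hash versus a
keyed HMAC, using the figure's transaction. The key is a made-up value; in an
IPsec VPN it comes out of the IKE key exchange."""
import hashlib
import hmac

ORIGINAL = b"Pay Jeremy $100"           # constructed sample, as in the figure
TAMPERED = b"Pay Alex Jones $1000"      # what the on-path attacker substitutes
SHARED_KEY = b"example-shared-secret"   # assumed; known to Gail and Jeremy only


def plain_digest(message: bytes) -> bytes:
    """Unkeyed SHA-1: anyone, including the attacker, can recompute it."""
    return hashlib.sha1(message).digest()


def mac(message: bytes, key: bytes, algo: str = "sha1") -> bytes:
    """HMAC over the message; algo may be 'md5' or 'sha1' (the text's two) or 'sha256'."""
    return hmac.new(key, message, getattr(hashlib, algo)).digest()


def verify_mac(message: bytes, tag: bytes, key: bytes, algo: str = "sha1") -> bool:
    """Receiver recomputes the MAC with its copy of the key. compare_digest runs in
    constant time so the comparison itself does not leak the tag."""
    return hmac.compare_digest(mac(message, key, algo), tag)


def verify_plain(message: bytes, digest: bytes) -> bool:
    """Receiver that relies on an unkeyed digest only."""
    return hmac.compare_digest(plain_digest(message), digest)


def attacker_rewrites(check: bytes, keyed: bool):
    """Simulate the on-path attacker from the figure. It can always rewrite the
    message. Without a key in play it can also recompute a matching plain digest;
    against an HMAC it has no key, so the best it can do is forward the old tag."""
    new_check = check if keyed else plain_digest(TAMPERED)
    return TAMPERED, new_check


def run_scenarios() -> dict:
    """Whether the receiver accepts the forged message under each scheme."""
    msg, digest = attacker_rewrites(plain_digest(ORIGINAL), keyed=False)
    accepted_with_hash = verify_plain(msg, digest)
    msg, tag = attacker_rewrites(mac(ORIGINAL, SHARED_KEY), keyed=True)
    accepted_with_hmac = verify_mac(msg, tag, SHARED_KEY)
    return {"plain_hash_accepts_forgery": accepted_with_hash,
            "hmac_accepts_forgery": accepted_with_hmac}


if __name__ == "__main__":
    print(run_scenarios())   # {'plain_hash_accepts_forgery': True, 'hmac_accepts_forgery': False}
```

The plain digest fails as a tamper seal because the attacker can simply recompute it over the altered message; the HMAC cannot be recomputed without the key, so the old tag no longer matches. hmac.compare_digest is used for the comparison so that the check itself does not leak timing information.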
Click the VPN Authentication button in the figure.
When conducting business long distance, it is necessary to know who is at the other end of the phone, e-mail, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. There are two peer authentication methods:
- Pre-shared key (PSK) - A secret key that is shared between the two parties using a secure channel before it needs to be used. PSKs use symmetric key cryptographic algorithms. A PSK is entered into each peer manually and is used to authenticate the peer. At each end, the PSK is combined with other information to form the authentication key. The strength of this method is the strength of the PSK itself: use a long, random value and a different one for each peer.
- RSA signature - Uses the exchange of digital certificates to authenticate the peers. The local device derives a hash and signs it with its private key. The signed hash (digital signature) is attached to the message and forwarded to the remote end. At the remote end, the signature is checked with the public key of the local end, taken from its certificate. If the recovered hash matches the recomputed hash, the signature is genuine.
Take a look at an RSA demonstration for an example of RSA encryption.
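As an added example (not the course's RSA demonstration), the following Python code implements textbook RSA with toy primes so that the direction of the keys is visible: encryption uses the recipient's public key and decryption the recipient's private key, while a signature is made with the signer's private key and checked with the signer's public key. The primes, exponent and messages are assumed values, and the padding that real RSA requires (OAEP for encryption, PSS for signatures) is left out.

```python
"""Added example (not the course's RSA demonstration): textbook RSA with toy
primes, showing the direction of the keys for encryption and for the signature
check in the text. Primes and messages are assumed values; real keys are at
least 2048 bits and use OAEP/PSS padding, which this omits."""
import hashlib

P_TOY = 1000003     # assumed small primes so the numbers stay readable
Q_TOY = 1000033
E = 65537           # common public exponent


def keygen(p: int = P_TOY, q: int = Q_TOY, e: int = E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m: int, recipient_public) -> int:
    """The sender encrypts with the RECIPIENT's public key only."""
    n, e = recipient_public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(c: int, recipient_private) -> int:
    """Only the recipient's private key recovers the message."""
    n, d = recipient_private
    return pow(c, d, n)


def digest_mod_n(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced into the RSA group (toy; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, signer_private) -> int:
    """RSA signature as the text describes: hash, then apply the private key."""
    n, d = signer_private
    return pow(digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, signer_public) -> bool:
    """Apply the signer's public key and compare with a freshly computed hash."""
    n, e = signer_public
    return pow(signature, e, n) == digest_mod_n(message, n)


def bytes_to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


if __name__ == "__main__":
    # One toy pair stands in for both parties; each would really have its own.
    pub, priv = keygen()
    c = encrypt(bytes_to_int(b"$100"), pub)            # Gail -> Jeremy, with Jeremy's public key
    print(decrypt(c, priv).to_bytes(4, "big"))         # b'$100'
    s = sign(b"Pay Jeremy $100", priv)                 # signer's private key
    print(verify(b"Pay Jeremy $100", s, pub))          # True
    print(verify(b"Pay Alex Jones $1000", s, pub))     # False
```

Each party would have its own key pair; the code reuses a single toy pair for both directions only to keep it short. A real modulus is at least 2048 bits, which is why the RSA key lengths listed earlier in this topic are at the low end today.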
6.3.6 - VPN Data Integrity The diagram depicts the use of hashes for data integrity and VPN peer authentication.
Hash operation: - A match means no changes. - No match means something was altered.
Hashing: The transaction from Gail payable to Jeremy for $100 has been altered to pay Alex Jones $1000. The starting hash and ending hash are now different.
VPN Authentication: In the diagram, a remote office computer connects to a router that connects to the Internet cloud. On the other side of the cloud, the HR server at the Corporate Office connects to a router that connects to the Internet. Peer authentication occurs between the two routers.
IPsec is a protocol suite for securing IP communications that provides encryption, integrity, and authentication. IPsec spells out the messaging necessary to secure VPN communications, but relies on existing algorithms.
There are two main IPsec framework protocols.
- Authentication Header (AH) - Use when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies that any message passed from R1 to R2 has not been modified during transit. It also verifies that the origin of the data was either R1 or R2. AH does not provide data confidentiality (encryption) of packets. Used alone, the AH protocol provides weak protection. Consequently, it is used with the ESP protocol to provide data encryption and tamper-aware security features. Because AH also authenticates the outer IP header, it does not work across NAT, which rewrites that header.
- Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet. In tunnel mode, where the whole original packet is encrypted behind a new outer header, ESP conceals the data and the identities of the original source and destination. ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum one of them must be selected; in practice encryption without authentication should not be used, because unauthenticated cipher text can be altered without detection.
Click the IPsec Framework button in the figure.
IPsec relies on existing algorithms to implement encryption, authentication, and key exchange. Some of the standard algorithms that IPsec uses are as follows:
- DES - Encrypts and decrypts packet data (56-bit key; no longer considered secure).
- 3DES - Provides significant encryption strength over 56-bit DES.
- AES - Provides stronger encryption, depending on the key length used, and faster throughput.
- MD5 - Authenticates packet data, using a 128-bit shared secret key.
- SHA-1 - Authenticates packet data, using a 160-bit shared secret key.
- DH - Allows two parties to establish a shared secret key used by encryption and hash algorithms, for example, DES and MD5, over an insecure communications channel.
The figure shows how IPsec is configured. IPsec provides the framework, and the administrator chooses the algorithms used to implement the security services within that framework. There are four IPsec framework squares to be filled.
When configuring an IPsec gateway to provide security services, first choose an IPsec protocol. The choices are ESP or ESP with AH. The second square is the encryption algorithm, used if IPsec is implemented with ESP. Choose the encryption algorithm that is appropriate for the desired level of security: DES, 3DES, or AES. The third square is authentication. Choose an authentication algorithm to provide data integrity: MD5 or SHA. The last square is the Diffie-Hellman (DH) algorithm group, which establishes the sharing of key information between peers. Choose which group to use, DH1 or DH2.
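To make the AH description concrete, the following added example (not part of the course material) computes an AH-style Integrity Check Value with a keyed hash, using the MD5 and SHA-1 choices above, over a constructed packet passed from R1 to R2: a packet modified in transit, or one produced without the shared key, fails verification, but the payload stays readable on the wire, which is why the course pairs AH with ESP. The key, the packet contents, and the simplification of hashing the whole packet (real AH zeroes mutable IP header fields first) are assumptions of this example.

```python
import hmac
import hashlib

# Constructed values for the example (not from the course): the shared key
# negotiated between R1 and R2, and one packet R1 sends to R2.
SHARED_KEY = b"constructed-ah-key-R1-R2"
PACKET = b"R1->R2 10.1.1.5 10.2.2.7 GET /payroll HTTP/1.1"
ICV_LEN = 12  # AH truncates HMAC-MD5 (128-bit) and HMAC-SHA-1 (160-bit) output to 96 bits

def ah_icv(key: bytes, packet: bytes, algo: str = "sha1") -> bytes:
    """AH-style Integrity Check Value: keyed hash over the packet, truncated.
    algo is "md5" or "sha1", the two authentication choices in the framework.
    Simplification: real AH zeroes mutable IP header fields before hashing."""
    mac = hmac.new(key, packet, getattr(hashlib, algo)).digest()
    return mac[:ICV_LEN]

def ah_protect(key: bytes, packet: bytes, algo: str = "sha1") -> bytes:
    """Attach the ICV. The packet itself is not encrypted: AH gives integrity
    and origin authentication only, never confidentiality."""
    return packet + ah_icv(key, packet, algo)

def ah_verify(key: bytes, protected: bytes, algo: str = "sha1"):
    """Return (ok, packet). ok is False if any byte changed in transit or the
    sender did not hold the shared key (the origin check)."""
    packet, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    ok = hmac.compare_digest(icv, ah_icv(key, packet, algo))
    return ok, packet

def tamper(protected: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset, modelling in-transit modification."""
    buf = bytearray(protected)
    buf[offset] ^= 0x01
    return bytes(buf)

if __name__ == "__main__":
    sent = ah_protect(SHARED_KEY, PACKET)
    print("intact packet verifies:", ah_verify(SHARED_KEY, sent)[0])
    print("modified packet verifies:", ah_verify(SHARED_KEY, tamper(sent, 30))[0])
    print("wrong-key packet verifies:", ah_verify(SHARED_KEY, ah_protect(b"other", PACKET))[0])
    print("payload readable on the wire:", b"/payroll" in sent)
```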
6.3.7 - IPSec Security Protocols The diagram depicts IPSec security protocols and the IPSec framework.
IPSec Protocols: Authentication Header (AH) - Provides data authentication and integrity for IP packets passed between two systems.
Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet.
IPSec Framework: The diagram depicts the IPSec framework of an IPSec gateway providing security service. Four categories can be selected from to fill in the framework:
One. IPSec protocol: The choices are ESP, ESP + AH, or AH.
Two. Encryption algorithm (if IPSec is implemented with ESP): Choices are DES, 3DES, or AES.
Three. Authentication: Choices are MD5 or SHA.
Four. Diffie-Hellman (DH) algorithm group: Choices are DH1 or DH2.
Page 2:
6.3.7 - IPSec Security Protocols The diagram depicts a simulation activity in which you configure central and branch routers to provide a site-to-site IPSec VPN. Read the scenario and match the proper values to the entries in the Linksys Web interface screen for each VPN device.
Note: You may wish to contact your instructor for assistance in performing this activity.
Scenario: A small company has set up Internet connectivity using two Linksys WRVS 4400 N business class routers. One is located at the central site and the other at the branch site. The company would like to access resources between sites, but it is concerned that the Internet traffic would not be secure. To address this concern, it has been suggested that the company implement a site-to-site VPN between the two sites. A VPN would enable the branch site office to connect to the central site office securely by creating a VPN tunnel that encrypts and decrypts data.
Network Topology:
Central Site:
- PC1 is connected to the central site router on the 192.168.1.0/24 network.
- The central site router LAN interface IP address is 192.168.1.1.
- The central site router Internet VPN interface IP address is 209.165.200.225.
Branch Site:
- PC2 is connected to the branch site router on the 192.168.101.0/24 network.
- The branch site router LAN interface IP address is 192.168.101.1.
- The branch site router Internet VPN interface IP address is 209.165.202.129.
Referencing the topology description above, fill in the blanks to configure the settings and enable a VPN called Site-to-Site using MD5 authentication, 3DES encryption, and a pre-shared key of cisco123. Select from the choices listed below for both the central site and branch site routers.
Required Configuration Entries:
Central Site Linksys router:
IPSec VPN Tunnel Name: BLANK
Local Security Group IP Address: BLANK
Remote Security Group IP Address: BLANK
Remote Security Gateway IP Address: BLANK
Key Management Encryption: BLANK
Key Management Authentication: BLANK
Key Management Pre-Shared Key: BLANK
Branch Site Linksys router:
IPSec VPN Tunnel Name: BLANK
Local Security Group IP Address: BLANK
Remote Security Group IP Address: BLANK
Remote Security Gateway IP Address: BLANK
Key Management Encryption: BLANK
Key Management Authentication: BLANK
Key Management Pre-Shared Key: BLANK
Entry choices for both routers: MD5, Site-to-Site, 192.168.101.0, 209.165.202.129, 192.168.1.0, 3DES, cisco123, cisco123, 192.168.1.1, 192.168.101.0, 209.165.200.0, 209.165.200.255, 209.165.202.0, DES, AES, SHA, Remote Access
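The two routers' entries must mirror each other: each side's Remote Security Group and Remote Security Gateway are the other side's LAN network and Internet VPN interface, while tunnel name, encryption, authentication and pre-shared key are identical. The following added example (not part of the course or the Linksys product) checks a pair of site-to-site entries against those rules and flags the legacy DES and MD5 choices for review; the sample values are the ones given in the scenario above, and the field names and check logic are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Set

# The framework choices the page lists for the encryption and authentication squares.
ENCRYPTION = {"DES", "3DES", "AES"}
AUTHENTICATION = {"MD5", "SHA"}
LEGACY = {"DES", "MD5"}  # still offered on the screen, but weak by today's standards

@dataclass(frozen=True)
class TunnelConfig:
    """One router's entries from the Linksys site-to-site VPN screen (names assumed)."""
    tunnel_name: str
    local_group: str     # Local Security Group (this site's LAN)
    remote_group: str    # Remote Security Group (the peer's LAN)
    gateway: str         # this router's own Internet VPN interface
    remote_gateway: str  # Remote Security Gateway (the peer's Internet VPN interface)
    encryption: str
    authentication: str
    psk: str

def validate(cfg: TunnelConfig) -> List[str]:
    """Hard errors in a single router's entries; an empty list means acceptable."""
    errs = []
    if cfg.encryption not in ENCRYPTION:
        errs.append(f"encryption {cfg.encryption!r} is not a framework choice")
    if cfg.authentication not in AUTHENTICATION:
        errs.append(f"authentication {cfg.authentication!r} is not a framework choice")
    if cfg.local_group == cfg.remote_group:
        errs.append("local and remote security groups must be different networks")
    if cfg.remote_gateway == cfg.gateway:
        errs.append("remote gateway must be the peer's address, not our own")
    return errs

def legacy_choices(cfg: TunnelConfig) -> Set[str]:
    """Choices that will work but deserve review before deployment."""
    return {cfg.encryption, cfg.authentication} & LEGACY

def mirror_problems(a: TunnelConfig, b: TunnelConfig) -> List[str]:
    """Both ends must agree on name, algorithms and PSK, and each end's remote
    entries must equal the other end's local entries."""
    probs = validate(a) + validate(b)
    for field in ("tunnel_name", "encryption", "authentication", "psk"):
        if getattr(a, field) != getattr(b, field):
            probs.append(f"{field} differs between the two routers")
    if (a.local_group, a.remote_group) != (b.remote_group, b.local_group):
        probs.append("security groups are not mirrored")
    if (a.gateway, a.remote_gateway) != (b.remote_gateway, b.gateway):
        probs.append("remote gateway addresses do not point at each other")
    return probs

# Values taken from the scenario on this page.
CENTRAL = TunnelConfig("Site-to-Site", "192.168.1.0", "192.168.101.0",
                       "209.165.200.225", "209.165.202.129", "3DES", "MD5", "cisco123")
BRANCH = TunnelConfig("Site-to-Site", "192.168.101.0", "192.168.1.0",
                      "209.165.202.129", "209.165.200.225", "3DES", "MD5", "cisco123")

if __name__ == "__main__":
    print(mirror_problems(CENTRAL, BRANCH) or "tunnel entries are consistent")
    print("review before deployment:", legacy_choices(CENTRAL))
```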
Page 3:
6.3.7 - IPSec Security Protocols The diagram depicts a simulation activity in which you configure a central site router and a VPN client to provide VPN access for a remote user. Read the scenario and match the proper values to the entries in the Linksys Web interface screen for each VPN device.
Note: You may wish to contact your instructor for assistance in performing this activity.
Scenario: A small company has set up Internet connectivity using a Linksys WRVS 4400 N business class router at their central site. The company would like to provide remote access to select users from remote locations, but they are concerned that the Internet traffic would not be secure. To address this concern, it has been suggested that they implement a remote access VPN that would allow telecommuters to securely access the central site network. Using the Linksys Quick VPN client software, remote users would be able to connect and establish a remote access VPN connection that encrypts and decrypts data.
Referencing the topology description above, fill in the blanks in the Linksys router's Web configuration utility to configure the remote VPN settings and configure a user account. The user's name is BobV, and his password is cisco123.
Next, Bob will initiate a remote VPN connection to the central site router using the Linksys Quick VPN client software. Fill in the blanks in the VPN client configuration utility to configure the client side of the VPN. The profile name is Central Site. Reference the correct username, password, and IP address.
Network Topology:
Central Site:
- A server is connected to the central site router on the 192.168.1.0/24 network.
- The central site router LAN interface IP address is 192.168.1.1.
- The central site router Internet VPN interface IP address is 209.165.200.225.
Remote User:
- Remote user PC2 is connected to the Internet cloud VPN tunnel.
Required Configuration Entries for the Central Site Linksys router:
User Name: BLANK
Password: BLANK
Re-enter to Confirm: BLANK
Entry Choices for Linksys Central Site router: 192.168.1.0, Robert, 209.165.200.255, cisco123, cisco123, cisco123, BobV
Required Configuration Entries for the Remote VPN Client:
Profile Name: BLANK
User Name: BLANK
Password: BLANK
Server Address: BLANK
Entry Choices for the Remote VPN Client: User, Central Site, 192.168.1.0, 209.165.200.255, BobV, cisco123, cisco123, 192.168.1.1, cisco123, Branch Site, Robert, cisco123, cisco123
6.4 Chapter Summary 6.4.1 Chapter Summary
Page 1:
In this chapter, you learned of the growing importance of teleworkers. You can describe an organization's requirements for providing teleworker services in terms of what the teleworker needs and what the organization needs to provide: reliable, cost-effective connectivity. Among the favored ways to connect teleworkers, you can describe how to use broadband services including DSL, cable, and wireless. Further, you know how VPN technology can be used to provide secure teleworker services in organizations, including the importance, benefits, role, and impact of VPN technology, and the types of access, components, tunneling, and encryption.
6.4.1 - Summary and Review In this chapter, you have learned to:
- Describe the enterprise requirements for providing teleworker services, including the differences between private and public network infrastructures.
- Describe the teleworker requirements and recommended architecture for providing teleworking services.
- Explain how broadband services extend enterprise networks using DSL, cable, and wireless technology.
- Describe the importance of VPN technology, including its role and benefits for enterprises and teleworkers.
- Describe how VPN technology can be used to provide secure teleworker services to an enterprise network.
Page 2:
6.4.1 - Summary and Review This is a review and is not a quiz. Questions and answers are provided. Question One. Describe the organizational, social, and environmental benefits of teleworking.
Answer:
Organizational Benefits:
- Continuity of operations.
- Increased responsiveness.
- Secure, reliable, and manageable access to information.
- Cost-effective integration of data, voice, video, and applications.
- Increased employee productivity, satisfaction, and retention.
Social Benefits:
- Increased employment opportunities for marginalized groups.
- Less traveling and commuter-related stress.
Environmental Benefits:
- Reduced carbon footprints, both for individual workers and organizations.
Question Two. Describe the four main connection methods used by homes and SOHO businesses.
Answer:
Dialup access:
- Dialup access is an inexpensive option that uses any phone line and a modem.
- It is the slowest connection option, and is typically used in areas where higher speed connections are not available.
DSL:
- DSL is more expensive than dialup, but provides a faster connection.
- It also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet.
- This connection option uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
Cable modem:
- A cable modem is a connection option offered by cable television service providers.
- The Internet signal is carried on the same coaxial cable that delivers cable television to homes and businesses.
- A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.
Satellite:
- Satellite connection is an option offered by satellite service providers.
- The user's computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest POP within the satellite network.
Question Three. Describe the two types of VPNs.
Answer:
Site-to-Site VPNs:
- A site-to-site VPN is an extension of classic WAN networking and can connect a branch office network to a company headquarters network.
- Hosts send and receive TCP/IP traffic through a VPN "gateway", which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA).
- The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.
- On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
Remote Access VPNs:
- Mobile users and telecommuters use remote access VPNs extensively.
- Remote VPN connections typically take advantage of broadband connections.
- Each host typically has VPN client software that encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.
- On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.
Page 3:
This activity requires you to configure a default route as well as dynamic routing using RIP version 2. You will also add broadband devices to the network. Finally, you will set up ACLs on two routers to control network traffic.
Detailed instructions are provided within the activity as well as in the PDF link below.
Activity Instructions (PDF)
Click the Packet Tracer icon for more details.
6.4.1 - Summary and Review Link to Packet Tracer Exploration: Packet Tracer Skills Integration Challenge
6.5 Chapter Quiz 6.5.1 Chapter Quiz
Page 1:
6.5.1 - Chapter Quiz
1. A technician is attempting to explain broadband technology to a customer. Which two descriptions or examples should be used to educate the customer? (Choose two.)
A. Includes dialup connections using POTS.
B. Incompatible with multiplexing.
C. Uses a wide band of frequencies.
D. Offer sustained speeds of 128k or more.
E. Requires line-of-sight connection with the service provider.
2. When accommodating a teleworker, which type of connection should be used when mobile access during traveling is required and broadband options are unavailable?
A. Residential cable
B. DSL
C. Dialup
D. Satellite
3. When comparing DOCSIS and Euro-DOCSIS, what is the primary difference between the two specifications?
A. Flow control mechanisms
B. Maximum data rates
C. Access methods
D. Channel bandwidths
4. If asked to describe DSL technology, which three statements would help the user develop a better understanding of the technology? (Choose three.)
A. DSL is available in any location that has a telephone.
B. ADSL typically has a higher download bandwidth than available upload bandwidth.
C. In home installation, a splitter separates the ADSL and voice signals at the NID, allowing multiple ADSL outlets in the house.
D. DSL speeds can exceed the speeds available with a typical T1 line.
E. Transfer rates vary by the length of the local loop.
F. All varieties of DSL provide the same bandwidth, although they use different technologies to achieve upload and download.
5. In a DSL installation, which two devices are installed at the customer site? (Choose two.)
A. CM
B. DOCSIS
C. DSLAM
D. Microfilter
E. DSL transceiver
6. Refer to the topology description below to answer the question.
Network Topology: Three locations connect to the corporate network through the Internet cloud.
- Corporate Network - A VPN concentrator and PIX appliance connect to Router R10, which connects to the Internet cloud.
- Business Partner - Switch SW1 connects to router R1, which connects to the Internet cloud.
- Remote Office - Switch SW2 connects to router R2, which connects to the Internet cloud.
- Regional Office - Switch SW3 connects to a PIX appliance, which connects to the Internet cloud.
On the basis of the network topology above, which devices or software applications provide encapsulation and encryption for the VPN traffic?
A. VPN client software installed on the machines of the users at the regional office only.
B. PIX appliances at the corporate network and regional office only.
C. Router and PIX appliance at the corporate network, and the routers and PIX appliance at all remote locations.
D. LAN switches and routers at the remote locations only.
7. Which two techniques can be used to secure the traffic sent over a VPN connection? (Choose two.)
A. Data labeling to mark and separate the VPN traffic for different customers.
B. Data encapsulation to transmit data transparently from network to network through a shared network infrastructure.
C. Data encryption to code data into a different format using a secret key.
D. Second routing protocol to transport the traffic over the VPN tunnel.
E. Dedicated connection over the company's private leased line.
8. Match the description on the left with the corresponding VPN characteristic on the right.
Descriptions:
A. Uses passwords, digital certificates, smart cards, and biometrics.
B. Prevents tampering and alterations to data while data travels between the source and destination.
C. Protects the contents of messages from interception by unauthenticated or unauthorized sources.
D. Uses hashes.
E. Ensures that the communicating peers are who they say they are.
F. Uses encapsulation and encryption.
Characteristics: One. Data Confidentiality Two. Data Integrity Three. Authentication
9. Which is an example of a tunneling protocol developed by Cisco?
A. AES
B. DES
C. RSA
D. ESP
E. GRE
10. Match the description to the corresponding type of tunneling protocol.
Descriptions:
A. Frame Relay, ATM, MPLS.
B. The protocol that is wrapped around the original data.
C. The protocol over which the original data was being carried.
D. IPX, AppleTalk, IPv4, IPv6.
E. GRE, IPSec, L2F, PPTP, L2TP.
F. The protocol over which the information is traveling.
Type of Tunneling Protocol: One. Carrier Protocol Two. Encapsulating Protocol Three. Passenger Protocol
11. Match the description to the correct algorithm.
Descriptions:
A. Encryption and decryption use the same key.
B. Public key cryptography.
C. Encryption and decryption use different keys.
D. DES, 3DES, AES
E. RSA
F. Shared secret key cryptology
12. What type of connection is the most cost-effective to adequately support a SOHO teleworker to access the Internet?
A. Direct T1 link to the Internet
B. 56k dialup
C. One-way multicast satellite Internet system
D. DSL to an ISP
13. Which wireless standard operates in both licensed and unlicensed bands of the spectrum from 2 to 8 GHz and allows for transmission rates of 70 Mbps at a range of up to 50 kilometers?
A. 802.11g
B. 802.11n
C. 802.11b
D. 802.16
E. 802.11e
14. What is typically deployed to support high-speed transmissions of data to SOHO cable modems?
A. Hybrid fiber-coaxial (HFC)
B. High-speed dialup cable modems
C. Broadband copper coaxial
D. 1000 Base TX