Slide 1: CNIT 221 Security 2, Module 3
City College of San Francisco, Spring 2007
© 2005 Cisco Systems, Inc. All rights reserved.
Slide 2: Network Security 2 – Module 3: Encryption and VPN Technology

Slide 3: Learning Objectives
– 3.1 Encryption Basics
– 3.2 Integrity Basics
– 3.3 Implementing Digital Certificates
– 3.4 VPN Topologies
– 3.5 VPN Technologies
– 3.6 IPSec

Slide 4: Module 3 – Encryption and VPN Technology: 3.1 Encryption Basics

Slide 5: Symmetric Encryption Process

Slide 6: Asymmetric Encryption Process (public key encryption)
Slide 7: Asymmetric Encryption
Some of the more common public key algorithms are the Rivest-Shamir-Adleman (RSA) algorithm and the El Gamal algorithm.
– Public key encryption algorithms are typically used in applications that rely on digital signatures and key management.

Slide 8: RSA Encryption
RSA encryption generates a value known as a nonce. A nonce is a temporary random string that is generated and combined with the peer's public key.
Slide 9: Diffie-Hellman Algorithm
The Diffie-Hellman algorithm provides a way for two parties to establish a shared secret key even though they are communicating over an insecure channel. DH begins with a large random number that is kept secret. The Diffie-Hellman algorithm is then performed: both partners carry out some computations and exchange the results. These results are used to generate the private and public keys. Once the public key is created it is exchanged between the partners, and a shared secret is created.

Slide 10: Diffie-Hellman Algorithm

Slide 11: Diffie-Hellman Key Exchange
12
12 © 2005 Cisco Systems, Inc. All rights reserved. Module 3 – Encryption and VPN Technology 3.2 Integrity Basics
13
13 © 2005 Cisco Systems, Inc. All rights reserved. Integrity and Hashing To guard against traffic being intercepted and modified, each message has a hash attached to it. A hash is a method of verifying that the contents of a transmission are the same at both ends of the path, similar to a checksum. A hash is a fixed-size string generated from the packet. The hash guarantees the integrity of the original message. Two common hashing algorithms are Message Digest (MD) and Secure Hash Algorithm (SHA).
14
14 © 2005 Cisco Systems, Inc. All rights reserved. The Hashing Process If the hash at the receiving end does not match the hash that was sent then the packet or transaction is dropped.
Slide 15: Hashed Message Authentication Code
A Hashed Message Authentication Code (HMAC) guarantees the integrity of the message. HMAC is similar to the hash process discussed earlier, except that HMAC combines a secret key with the message. There are two common HMAC algorithms:
– HMAC-MD5 uses a 128-bit shared secret key.
– HMAC-SHA-1 uses a 160-bit secret key.

Slide 16: The Keyed Hashing Process – HMAC
Slide 17: Certificate-Based Authentication

Slide 18: Digital Certificates
A digital signature, or digital certificate, is an encrypted hash that is appended to a document. Digital certificates are used to confirm the identity of the sender and the integrity of the document. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department or IP address, as well as a copy of the entity's public key. A Certificate Authority (CA) signs the certificate.
– The CA is a third party that is explicitly trusted by the receiver to validate identities and to create digital certificates.

Slide 19: Digital Signatures

Slide 20: Module 3 – Encryption and VPN Technology: 3.3 Implementing Digital Certificates
Slide 21: Simple Certificate Enrollment Protocol (SCEP)
The Simple Certificate Enrollment Protocol (SCEP) is a Cisco, Verisign, Entrust, Microsoft, Netscape, and Sun Microsystems initiative that provides a standard way of managing the certificate life cycle. SCEP provides manual authentication and authentication based on pre-shared secret keys.
– Manual authentication uses an MD5 fingerprint.
– Pre-shared key authentication challenges the user for a password; the user then supplies the pre-shared key as the password.

Slide 22: IPSec Peers Enroll with the CA Server
Cisco devices can also enroll with a CA, which signs their digital certificates.

Slide 23: Enrolling a Device with a CA
Slide 24: Module 3 – Encryption and VPN Technology: 3.4 VPN Topologies

Slide 25: Site-to-Site VPNs
A site-to-site VPN is an extension of the classic WAN.

Slide 26: Site-to-Site VPNs – Cisco Routers

Slide 27: Remote Access VPNs

Slide 28: Module 3 – Encryption and VPN Technology: 3.5 VPN Technologies

Slide 29: VPN Technology Options

Slide 30: WebVPN

Slide 31: WebVPN Features

Slide 32: Tunneling Protocols
GRE = Generic Routing Encapsulation Protocol

Slide 33: GRE Encapsulation Process

Slide 34: Selecting VPN Technologies

Slide 35: Tunnel Interfaces

Slide 36: GRE Tunnel Example
Slide 37: Module 3 – Encryption and VPN Technology: 3.6 IPSec

Slide 38: IP Header with IPSec Information

Slide 39: Two Types of IPSec Security Protocols

Slide 40: Advantages of IPSec

Slide 41: How an AH is Generated in IPSec

Slide 42: AH Fields

Slide 43: The ESP Header Format

Slide 44: Tunnel Versus Transport Mode

Slide 45: AH Header Placement in Transport Mode

Slide 46: AH Header Placement in Tunnel Mode

Slide 47: ESP Header Placement in Transport Mode

Slide 48: ESP Header Placement in Tunnel Mode

Slide 49: IPSec Process Negotiation
SA = Security Association

Slide 50: IKE and IPSec Flowchart
Slide 51: Configuration

crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp key address 65.214.126.x
!
crypto ipsec transform-set esp-3des esp-md5-hmac ah-md5-hmac
crypto ipsec transform-set EZVPN esp-3des esp-md5-hmac ah-md5-hmac
crypto ipsec transform-set OURVPN esp-3des ah-md5-hmac
!
crypto map DDBVPN 10 ipsec-isakmp
 set peer 38.115.25.x
 set transform-set EZVPN OURVPN
 match address 110
!

IKE Phase 1 = IKE SA
IKE Phase 2 = IPSec SA
Slide 52: Configuration (cont.)

access-list 110 remark VPN INTERESTING TRAFFIC - CRYPTO ACL
access-list 110 permit ip 66.151.148.x 0.0.0.15 38.115.182.x 0.0.0.255
access-list 110 permit ip 66.151.148.x 0.0.0.15 162.44.190.x 0.0.0.255
!
ip access-list extended INBOUND_ALLOW_VPN_TRAFFIC
 permit udp any host 64.95.143.161 eq isakmp log-input
 permit esp any host 64.95.143.161 log-input
 permit ahp any host 64.95.143.161 log-input
!
interface GigabitEthernet0/0
 description outside interface
 ip address 64.95.155.161 255.255.255.252
 ip access-group INBOUND_ALLOW_VPN_TRAFFIC in
 ip nat outside
 ip inspect CBAC-ALL out
 ip virtual-reassembly
 crypto map DDBVPN
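An added Python example, not from the slides, that parses an abridged copy of this configuration and cross-checks it: every transform set and crypto ACL the crypto map names must actually be defined (a dangling reference leaves the map unusable), and algorithms that current guidance treats as legacy are reported. The parser understands only the command forms that appear on these two slides.

```python
# Added example (not from the slides): cross-check the IKE/IPsec config shown on slides 51-52.
import re
# Constructed, abridged copy of the slide text (some octets are redacted as 'x' on the slide).
SLIDE_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash sha
 group 2
crypto ipsec transform-set EZVPN esp-3des esp-md5-hmac ah-md5-hmac
crypto ipsec transform-set OURVPN esp-3des ah-md5-hmac
crypto map DDBVPN 10 ipsec-isakmp
 set transform-set EZVPN OURVPN
 match address 110
access-list 110 permit ip 66.151.148.x 0.0.0.15 38.115.182.x 0.0.0.255
"""
# 3DES (deprecated by NIST), MD5 (broken) and 1024-bit DH group 2 are legacy by current guidance.
LEGACY = {"3des", "md5", "group 2"}

def parse(text: str) -> dict:
    """Collect ISAKMP policies, transform sets, crypto maps and ACL numbers from IOS config text.
    Indented 'set X ...' lines keep a list; other indented lines ('encr 3des',
    'match address 110') keep the last word as the value."""
    cfg = {"policies": {}, "transform_sets": {}, "crypto_maps": {}, "acls": set()}
    block = None                                    # indented section currently being filled
    for line in filter(str.split, text.splitlines()):   # skip blank lines
        words = line.split()
        if line.startswith(" ") and block is not None:
            key, val = (words[1], words[2:]) if words[0] == "set" else (" ".join(words[:-1]), words[-1])
            block[key] = val
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            block = cfg["policies"].setdefault(m.group(1), {})
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split(); block = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            block = cfg["crypto_maps"].setdefault(f"{m.group(1)} {m.group(2)}", {})
        elif m := re.match(r"access-list (\d+) ", line):
            cfg["acls"].add(m.group(1)); block = None
    return cfg

def audit(cfg: dict) -> list[str]:
    """One finding per dangling reference or legacy algorithm."""
    out = []
    for name, cm in cfg["crypto_maps"].items():
        refs = cm.get("transform-set", [])
        out += [f"{name}: transform-set {ts} not defined" for ts in refs if ts not in cfg["transform_sets"]]
        out += [f"{ts}: legacy transform {t}" for ts in refs
                for t in cfg["transform_sets"].get(ts, []) if any(w in t for w in LEGACY)]
        if cm.get("match address") not in cfg["acls"]:
            out.append(f"{name}: crypto ACL {cm.get('match address')} not defined")
    for num, pol in cfg["policies"].items():
        out += [f"policy {num}: legacy {k} {v}" for k, v in pol.items() if v in LEGACY or f"{k} {v}" in LEGACY]
    return out
```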
Slide 53: VPN 3005 Concentrator

Slide 54: VPN Hardware Clients