Cisco CCIE Security 350-701 – IPSec – IP Protocol Security

  1. What is IPSec?

Okay, so the next thing we need to understand is: what is IPsec? IPsec stands for Internet Protocol Security. IPsec is actually a combination of protocols, or we can say a set of protocols, developed by the IETF, which provides secure communication between two or more sites. In the previous section we discussed the VPN types, where we can use something like site-to-site VPNs to connect two different sites so they can talk to each other, or a remote user can connect to the gateway and access the resources of the corporate network. But while doing this, security is also important, because most of the VPNs, especially the VPNs we use in today's networks, are built over the Internet or over some other transport network.

But the important part is security: how secure your communication is. So we need to make sure that the communication between these devices, whether it is between two sites or a user accessing the network, is secured, and that is done by IPsec with the help of some protocols. IPsec authenticates the connection and, at the same time, encrypts the entire communication between the devices. We'll talk more about IPsec VPNs and how exactly they work in detail later.

So IPsec is a set of protocols used for secure communication between two or more networks, whether site to site or remote access. The IPsec feature is normally supported in small to very large networks, including on Cisco routers, which means we can set up an IPsec VPN between two devices: router to router, router to ASA, or ASA to ASA for site to site. Or we can install some kind of VPN client software, like an IPsec VPN client, which can be used to connect from the remote side as well, and that gateway can be either an ASA or a router.

  2. IPsec Security Services

Now the next thing we need to understand is the security services offered by IPsec: data origin authentication, data integrity, confidentiality, anti-replay detection and key management. Most of these you might already be aware of. Authentication is to ensure that when we are trying to connect two sites, or communicate between these two networks, we are actually connecting to the proper site. Like from router one, you're trying to establish a VPN connection to this device.

Now there is a possibility that an attacker may spoof as if he is 250.0.2. We don't want router one to establish connectivity to an invalid device or to some kind of attacker. To prevent this, we can configure some kind of keys, generally called preshared keys, on both devices, and the IPsec connection will only establish between the two devices if the keys match. Or we can use signatures from a certificate authority, which is the one that authorizes the specific keys or certificates. So authentication prevents the attacker from spoofing the source of the packet; it's like verifying whether the messages you receive are from a valid user or a valid source. The next thing is integrity. Integrity, in basic terms, means no one can modify your information. It's also important, when you establish a connection between any two devices, whether it is a VPN or anywhere else you implement IPsec, to make sure the data is not modified by any unauthorized individual. Again, IPsec uses some kind of algorithms, the hashing algorithms, to make sure the data is not modified, and it uses a common algorithm on both sides.

The next thing is confidentiality, which is nothing but encryption. When we are establishing connectivity between the two sites, we need to make sure the data is not seen by anyone in the transit network. Especially when we build VPNs over the Internet, there is a possibility that someone sitting on the Internet may try to capture your packets and extract the contents. So we need to make sure that when data is sent, it is sent in an encrypted format using strong encryption algorithms. Our focus here will be on VPNs with IPsec, but technically you might be using IPsec in other implementations also. Now, anti-replay detection: an attacker may try to capture and repeat the same valid packets, with their valid sequence numbers. Take an example where the current sequence is something going on.

Like 101, and the current sequence is 164. What the attacker can do is repeat the existing valid sessions or sequences to reinitiate the connection, and maybe my device will think that particular sequence or packet is a valid one and end up allowing it through. IPsec has a built-in anti-replay detection which ensures that your packets are received only once, and it will automatically reject old or duplicate packets if they come again. So it's preventing what we call replay attacks, and the solution is anti-replay detection. Finally, one more service: key management. Key management is important in general. Take an example here: I'm connecting two sites, and we want to establish connectivity between these two sites using some kind of encryption and hashing algorithms, or some preshared keys for authentication.
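To make the anti-replay detection described above concrete, here is an added example (written for this page, not Cisco's or any IPsec stack's code) of the sliding-window check an ESP receiver performs, in the style of RFC 4303 section 3.4.3: a highest sequence number plus a bitmap of recently seen packets. The window size and the packet stream are constructed.

```python
class AntiReplayWindow:
    """Highest sequence number accepted so far plus a bitmap of the
    `size` most recent sequence numbers, as an ESP receiver keeps."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window;
        False (drop) if it is a replay or too old to judge."""
        if seq == 0:
            return False   # ESP sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            # slide the window right; bits older than `size` fall off the left
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # left of the window: too old, drop
        if self.bitmap & (1 << offset):
            return False   # already received once: replay, drop
        self.bitmap |= 1 << offset   # late but new: accept and mark
        return True


def run_capture(seqs, size=64):
    """Feed constructed ESP sequence numbers through one window and
    return the accept/drop verdict for each, in order."""
    win = AntiReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # constructed stream: in order, one late-but-in-window, two replays,
    # a jump ahead, then a packet that now falls far behind the window
    stream = [1, 2, 3, 5, 4, 3, 5, 70, 6, 70]
    for s, ok in zip(stream, run_capture(stream)):
        print(f"seq {s:3d}: {'accept' if ok else 'drop'}")
```

Note that a late packet inside the window (sequence 4 after 5) is still accepted; only exact repeats and packets behind the window are dropped.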

So they use some kind of keys. We need to make sure that they use keys for encryption and for hashing, and to ensure that both sides use the same encryption and hashing, they need to exchange some keys between the sites. Now, if these keys are leaked, an attacker can use those keys and also connect. So just to avoid those kinds of things, we need to make sure the keys are exchanged securely. We have a special key exchange method used by IPsec called Diffie-Hellman. The Diffie-Hellman algorithm is used to exchange the keys between the two peers.

Well, not actually exchanging the keys: the peers don't send the keys themselves, but they exchange some values and derive the keys from them. At the end you get the common key on both sides based on some calculations. So it's like exchanging the keys, deriving common keys on both sides without actually sending them. Typically this is done with the help of the IKE protocol, IKEv1 or IKEv2. This protocol is majorly responsible for setting up your phase one, where you define what algorithms you are going to use, and you also make sure you exchange the keys between the peers and derive a common key, which is done with the help of the Diffie-Hellman algorithms. So IPsec provides security with the help of all these methods, and we need to configure all these parameters, which is something we'll be seeing later on. But these are the five different security services IPsec offers, ensuring that your data, the communication established between any two sites, is secure.

  3. IPSec Modes – Tunnel vs Transport

The next thing is IPsec modes. IPsec operates in two different modes: either we can configure tunnel mode or transport mode. Now, most of the time when we are implementing site-to-site VPNs, by default it uses something called tunnel mode. Let's see the differences. In tunnel mode, whenever you are trying to communicate from this internal network, let's say this is my LAN, say I'm using the 192.168.1.0 network, and this is my remote site network, 192.168.2.0. We want communication between this 192.168.1.0 network and this station on the 2.0 network. When the packet travels, it generally carries your TCP or UDP payload, and it may carry some other information. Now, once it reaches the VPN gateways: we are going to establish the site-to-site VPN between the two gateways, and this gateway can be either a Cisco router or an ASA firewall, on the interface which is connecting to the Internet.

Now, this is your Internet, and we have some registered public IPs, let's say some public IP. I'm using 150 here, so 250.0.2; I'm just trying to use the IPs I generally use in my lab scenarios, but the diagram might have different IPs. So once the packet reaches the VPN gateway, the gateway adds a new IP header, and this new IP header carries the public IPs of the VPN gateways, and then your packet is routed based on these IPs between the two interfaces. Once it reaches the next gateway, that gateway removes the outer IP header and then forwards it with the normal IP addresses, the source on the 1.0 network and the destination on the 2.0 network. So the main advantage of tunnel mode is that whatever IP addressing we use internally, we can use any kind of private IP networks. Automatically, when the packet reaches the VPN gateway, it adds the VPN gateway addresses, and your packet is routed based on those addresses irrespective of what addresses we use in our LAN. So again, the complete communication can be encrypted; the encryption happens between the two gateways.

So the encryption, or whatever security is applied, is applied between these two gateways. It adds a new IP header in front of the existing IP header, so it's going to make a new IP packet with a new IP header, commonly between the two gateways. This is the more common choice when you are implementing IPsec site-to-site VPNs. But let's say you are using transport mode. In transport mode, there is no additional IP header added. If you just go back to tunnel mode and look at how the IP header looks: this is your normal data and IP header, which remains the same, as you can see. Additionally, it's going to add a new IP header, which will carry the gateway IP addresses, the public IPs if you are using the Internet, and then it's going to add some other information like the ESP or Authentication Header protocols. These are the protocols used by IPsec.

So it's going to add an ESP header and trailer; these are the additional headers added for applying IPsec. In tunnel mode, the main thing is that it adds this new IP header, and your packet is routed based on the new IP header, which ensures that whatever IP we use internally makes no difference. Whereas in transport mode it's the same thing, except, as you can see, this is your IP header and the data, and no new IP header is added here. This means it's end-to-end host communication.

Like when you're trying to access a server remotely from your computer over the Internet, you'll have some registered IPs, and the encryption is done end to end between the hosts. It's not between the gateways; it's host to host. The encryption is applied and the IPsec tunnel is created between the two end hosts. So transport mode is commonly used for communication between hosts, and a remote desktop connection is one example of this. Even in some advanced VPNs, like DMVPN or GRE over IPsec VPNs, we'll also use transport mode just to avoid the additional headers. But generally, most desktop connections use transport mode.
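As an added example (not from the course or any IPsec implementation) of the header difference just described, the code below builds the same inner packet from 192.168.1.10 to 192.168.2.20 and wraps it once in ESP transport mode and once in ESP tunnel mode, then shows which addresses an observer on the Internet can read. The gateway addresses, SPI and payload are constructed, and `keystream_xor` is a stand-in for the real cipher (AES on a Cisco device) so the layout can be shown without a crypto library.

```python
import hashlib
import struct
from socket import inet_aton, inet_ntoa

ESP = 50                 # IP protocol number carried in the outer header for ESP
NH_IPV4, NH_TCP = 4, 6   # ESP trailer "next header": IP-in-IP vs TCP

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto,
                       0, inet_aton(src), inet_aton(dst))

def keystream_xor(key, data):
    """Stand-in for the real cipher: XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_wrap(key, spi, seq, plaintext, next_header):
    """ESP header (SPI, sequence number) + encrypted payload and trailer."""
    body = plaintext + bytes([0, next_header])   # pad length 0, next header
    return struct.pack("!II", spi, seq) + keystream_xor(key, body)

def transport_mode(key, inner, spi, seq):
    """Keep the host's own IP header; protect only the layer-4 payload."""
    hdr, payload = inner[:20], inner[20:]
    esp = esp_wrap(key, spi, seq, payload, NH_TCP)
    return ipv4_header(inet_ntoa(hdr[12:16]), inet_ntoa(hdr[16:20]),
                       ESP, 20 + len(esp)) + esp

def tunnel_mode(key, inner, spi, seq, gw_src, gw_dst):
    """Encrypt the whole inner packet and prepend a new gateway IP header."""
    esp = esp_wrap(key, spi, seq, inner, NH_IPV4)
    return ipv4_header(gw_src, gw_dst, ESP, 20 + len(esp)) + esp

def visible_addresses(packet):
    """What an on-path observer can read: outer src, dst and protocol."""
    return inet_ntoa(packet[12:16]), inet_ntoa(packet[16:20]), packet[9]

if __name__ == "__main__":
    # constructed inner packet: LAN host to remote-site host, 12-byte TCP payload
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 6, 32) + b"tcp-segment!"
    key = b"constructed-demo-key"
    print("transport:", visible_addresses(transport_mode(key, inner, 0x1001, 1)))
    print("tunnel   :", visible_addresses(
        tunnel_mode(key, inner, 0x1001, 1, "203.0.113.1", "198.51.100.1")))
```

In transport mode the private host addresses stay in the clear and only the payload is protected; in tunnel mode the observer sees just the two gateway addresses and protocol 50, and the whole inner packet, addresses included, is encrypted.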
