Chapter 7 – Securing Site-to-Site Connectivity Study Guide

After completion of this chapter, you should be able to:
- Describe benefits of VPN technology.
- Describe site-to-site and remote access VPNs.
- Describe the purpose and benefits of GRE tunnels.
- Configure a site-to-site GRE tunnel.
- Describe the characteristics of IPsec.
- Explain how IPsec is implemented using the IPsec protocol framework.
- Explain how the AnyConnect client and clientless SSL remote access VPN implementations support business requirements.
- Compare IPsec and SSL remote access VPNs.

1. What is a VPN?
A virtual private network created via tunneling over a public network.

2. What are some of the benefits of VPN?
Cost savings, scalability, compatibility with broadband technology, and security.

3. Complete Activity 7.1.1.3 – Identify the Benefits of VPN

4. What are some features of Site-to-Site VPNs?
A static VPN connection established between two networks (for example, a branch office to company headquarters). The VPN gateway encrypts and encapsulates all traffic.

5. What are some features of Remote-Access VPNs?
Supports the needs of telecommuters, mobile users, and similar users. Allows for dynamically changing information and can be enabled and disabled. Uses VPN client software that encapsulates and encrypts data.

6. Complete Activity 7.1.2.3 – Compare Types of VPNs

7. What is the purpose of Generic Routing Encapsulation (GRE)?
GRE is designed to manage the transportation of multiprotocol and IP multicast traffic between two or more sites that may only have IP connectivity.

8. What are some characteristics of GRE?
The value 47 in the IP protocol field indicates that a GRE header will follow; GRE supports the encapsulation of any Layer 3 protocol; it is stateless; it does not include any strong security mechanism; the GRE header together with the tunneling IP header adds 24 bytes of overhead.

9. Complete Activity 7.2.1.3 – Identify GRE Characteristics

10. In a GRE configuration, what do the "tunnel source" and "tunnel destination" commands reference?
The IP addresses of the preconfigured physical interfaces.

11. What are some advantages of GRE?
It can be used to tunnel non-IP traffic over an IP network, it supports IP multicast tunneling, and it can be used to create IPv6 over IPv4 tunnels.

12. What is the biggest disadvantage of GRE?
It does not provide encryption or any other security mechanism. Therefore, data sent across a GRE tunnel is not secure.

13. What are some features of IPsec?
IPsec works at the network layer, protecting and authenticating IP packets between participating IPsec devices. IPsec can protect virtually all application traffic because the protection can be applied to everything from Layer 4 through Layer 7. It is a framework of open standards that is algorithm-independent.

14. Explain the four critical functions that IPsec security services provide:
a. Confidentiality (encryption) – the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode.
b. Data Integrity – the receiver can verify that the data was transmitted through the Internet without being changed or altered in any way.
c. Authentication – verifies the identity of the source of the data that is sent.
d. Anti-Replay Protection – verifies that each packet is unique and not duplicated, which helps prevent spoofing.

15. Confidentiality is achieved through the encryption of traffic as it travels through a VPN. What determines the degree of security?
The key length of the encryption algorithm.

16. What are three common IPsec encryption algorithms? Of these, which one is recommended?
DES, 3DES, and AES (recommended).

17. What are some features of asymmetric algorithms?
They use public key cryptography; encryption and decryption use different keys; they are typically used in digital certification and key management; RSA is an asymmetric algorithm.

18. What is the function of the Diffie-Hellman (DH) algorithm?
It is a method to securely exchange the keys that encrypt data.

19. What is the function of hashes, and what are two common HMAC algorithms?
Hashes provide data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages. Two common HMAC algorithms are MD5 and SHA.

20. What bit values are available with the SHA hash algorithm?
160, 256, 384, and 512.

21. Describe the two main IPsec protocols:
a. Authentication Header (AH) – provides data authentication, but the payload is transported in plain text.
b. Encapsulating Security Payload (ESP) – provides confidentiality and authentication by encrypting the IP packet.

22. Complete Activity 7.3.2.7 – Identify IPsec Terminology and Concepts

23. Describe the following SSL VPNs:
Cisco AnyConnect Secure Mobility Client with SSL – Provides authenticated users with LAN-like, full network access to corporate resources. Remote devices require a client application installed on the end-user device.
Cisco Secure Mobility Clientless SSL VPN – Provides access to corporate resources even when the remote device is not corporately managed. A web browser is used to establish an SSL session with the Cisco ASA. The user can only access some services.

24. Complete Activity 7.4.1.4 – Compare Cisco SSL VPN Solutions

25. Fill in the table below, comparing IPsec and SSL:

Feature               | SSL                                            | IPsec
----------------------|------------------------------------------------|-----------------------------------------------------------------
Application           | Web-enabled applications, file sharing, email  | All IP-based applications
Encryption            | Moderate to strong; key lengths from 40-256 bits | Strong; key lengths from 56-256 bits
Authentication        | Moderate; one-way or two-way authentication    | Strong; two-way authentication using shared secrets or digital certificates
Connection Complexity | Low; requires only a web browser               | Medium; can be challenging to nontechnical users
Connection Options    | Any device can connect                         | Only specific devices with specific configurations can connect

26. Complete Activity 7.4.2.5 – Identify Remote-Access Characteristics