FORESEC Academy

FORESEC Academy Security Essentials (IV)

APPLYING CRYPTOGRAPHY

Applications of Encryption

Confidentiality
- In Transit
- In Storage
Authentication & Integrity

Confidentiality in Transit

Private Network
- Pro: Dedicated lines and equipment are not shared by others
- Con: Dedicated lines are expensive, grow more so with distance, and are underutilized except at peak

Virtual Private Network (VPN)

Data is encrypted at one end of the VPN from cleartext into ciphertext
Ciphertext is transmitted over the Internet
Data is decrypted at the other end of the VPN from ciphertext back into the original cleartext

VPN Advantages

Improved Flexibility
- A VPN tunnel over the Internet can be set up rapidly. A frame circuit can take weeks.
- A good VPN will also support Quality of Service (QoS).
Lowered Cost
- There are documented cases of a VPN paying for itself in weeks or months.
- There are also cases where the hidden costs sank the project!

Types of Remote Access

Client VPN
- Example: Laptop dial-up connection to remote access server at HQ
Site-to-Site
- Example: L.A. office connection to D.C. office location

VPN System Components

- Routers
- Firewalls
- Servers & clients
- Encryption
- LDAP server
- QoS
- Key management schemes
- X.509 digital certificates
- Load balancing
- Failover & redundancy
- Public Key Infrastructure

Security Implications

Bypassing Firewalls, IDS, Virus scanners, Web filters
Trusting the Other End

IPSec Overview

Issued by IETF as an open standard (RFC 2401), thus promoting multi-vendor interoperability
Enables encrypted communication between users and devices
Implemented transparently into network infrastructure
Scales from small to very large networks
Commonly implemented - most VPN devices and clients are IPSec-compliant

Types of IPSec Headers

Authentication Header (AH)
- Data integrity - no modification of data in transit
- Origin authentication - identifies where data originated
Encapsulated Security Payload (ESP)
- Data integrity - no modification of data in transit
- Origin authentication - identifies where data originated
- Confidentiality - all data encrypted

Types of IPSec Modes

Tunnel mode: applied to an IP tunnel
- Outer IP header specifies IPSec processing destination
- Inner IP header specifies ultimate packet destination
Transport mode: between two hosts

Examples of IPSec Encryption

Data Encryption Standard (DES)
- 56-bit algorithm
Triple DES (3DES)
- The 56-bit DES algorithm run 3 times
- 112-bit triple DES includes 2 keys
- 168-bit triple DES includes 3 keys

IPSec Key Management

Internet Key Exchange (IKE)
Security Association (SA)
Authenticates peers
- Pre-shared keys
- Public key cryptography
- Digital signatures
Negotiates policy to protect communication
Key exchange
- Diffie-Hellman
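As an added illustration (not part of the FORESEC slides), the Python below models the two IKE steps listed on this slide: an unauthenticated Diffie-Hellman exchange that leaves both peers with the same secret, followed by pre-shared-key authentication of each side, which is what stops an on-path party that completed DH from being accepted as a peer. The group parameters, the HMAC-based authenticator and the function names are constructed assumptions for a runnable demo, not IKE's negotiated groups or wire format.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: a Mersenne prime and a small generator, chosen only so
# the demo runs offline. Real IKE negotiates a MODP group from its SA proposal.
P = 2**127 - 1
G = 3
BYTES = 16  # every value below is < P < 2**128, so 16 bytes always suffice


def dh_keypair():
    """Private exponent plus the public value g^x mod p that is sent to the peer."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    """Both peers reach the same g^(ab) mod p from the other side's public value."""
    return pow(peer_pub, priv, P)


def psk_auth_tag(psk, own_pub, peer_pub, shared):
    """Authenticator binding both DH public values and the shared secret to the PSK.

    A party without the PSK can finish DH with each side but cannot produce a
    tag the peer will accept (assumed construction, not IKE's actual PRF chain).
    """
    msg = b"".join(v.to_bytes(BYTES, "big") for v in (own_pub, peer_pub, shared))
    return hmac.new(psk, msg, hashlib.sha256).digest()


def ike_psk_exchange(psk_initiator, psk_responder):
    """Run DH, then mutual PSK authentication; returns (both_sides_accept, secret)."""
    a, pub_a = dh_keypair()          # initiator
    b, pub_b = dh_keypair()          # responder
    secret_i = dh_shared_secret(a, pub_b)
    secret_r = dh_shared_secret(b, pub_a)
    assert secret_i == secret_r      # key agreement succeeds regardless of PSKs
    tag_i = psk_auth_tag(psk_initiator, pub_a, pub_b, secret_i)
    tag_r = psk_auth_tag(psk_responder, pub_b, pub_a, secret_r)
    # Each side recomputes the peer's tag with its own PSK; mismatched PSKs fail here.
    responder_accepts = hmac.compare_digest(
        tag_i, psk_auth_tag(psk_responder, pub_a, pub_b, secret_r))
    initiator_accepts = hmac.compare_digest(
        tag_r, psk_auth_tag(psk_initiator, pub_b, pub_a, secret_i))
    return initiator_accepts and responder_accepts, secret_i
```

Running the exchange with matching PSKs on both ends accepts and yields the shared secret from which per-SA keys would be derived; a PSK mismatch on either end leaves the DH secret agreed but the peer rejected.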

Examples of Non-IPSec VPNs

Layer 2 Forwarding (L2F)
Layer 2 Tunneling Protocol (L2TP), combines PPTP and L2F
PPP Extensible Authentication Protocol (authentication only, RFC 2284)
SOCKS protocol
PPP
SLIP

Confidentiality in Storage

Pretty Good Privacy (PGP)


- Started out in 1991 as a way to bring privacy to a very new, very public communication medium: Email.
- Freeware accessible at: http://www.pgpi.org/
