Answer To: FINAL ASSESSMENT IN REPLACEMENT OF FINAL EXAMINATION BN305 VIRTUAL PRIVATE NETWORKS Day/Date Friday,...
Guljar answered on Jun 21 2021
Part I
1. Discuss CIA (Confidentiality, Integrity, and Availability) in the use of VPN technologies. Your use case example/s is/are encouraged for illustrative purpose?
Answer:
Confidentiality – ensures that sensitive information is accessed only by authorized persons and kept away from those not authorized to possess it. It is implemented using security mechanisms such as usernames and passwords on an AAA server, TACACS+, Cisco ISE, and access control lists (ACLs).
Integrity – Data integrity ensures data has not been altered in transit. In the case of VPNs, it is there to ensure data has not been intercepted and changed while travelling from one VPN gateway to another VPN gateway. A hashing mechanism is used to accomplish data integrity. If even one bit is different, the message has been changed and the data integrity check will fail. The mechanisms a VPN device uses to verify data integrity are HMAC-MD5 and HMAC-SHA, HMAC-SHA being the stronger of the two.
Availability – High availability (HA) is the ability of a system to operate continuously without failure for a designated period. HA works to ensure a system meets an agreed-upon operational performance level. In information technology (IT), a widely held but difficult-to-achieve standard of availability is known as five-nines availability, which means the system or product is available 99.999% of the time. As shown in the diagram below, HSRP can be used for high availability.
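The integrity check described above, as an added illustration (not part of the original answer): an HMAC tag is computed over a constructed packet payload with a constructed key, and verification is shown to fail both when a single bit of the payload is flipped and when the wrong key is used. HMAC-MD5 and HMAC-SHA256 are compared only by tag length; the payload and key are made up for the example.

```python
import hmac
import hashlib

# Constructed sample values: a made-up integrity key and a made-up payload,
# standing in for the key and packet a VPN gateway would protect.
KEY = b"constructed-demo-integrity-key"
PAYLOAD = b"GET /payroll/report HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


def compute_tag(key: bytes, payload: bytes, algo: str) -> bytes:
    """Return the HMAC tag of payload under key using the named hash ("md5" or "sha256")."""
    return hmac.new(key, payload, getattr(hashlib, algo)).digest()


def verify_tag(key: bytes, payload: bytes, tag: bytes, algo: str) -> bool:
    """Recompute the tag and compare in constant time so timing leaks nothing."""
    return hmac.compare_digest(compute_tag(key, payload, algo), tag)


def flip_one_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with exactly one bit toggled (simulated tampering)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def demo(algo: str) -> dict:
    """Tag the intact payload, then check intact, tampered and wrong-key cases."""
    tag = compute_tag(KEY, PAYLOAD, algo)
    tampered = flip_one_bit(PAYLOAD, 5, 0)  # one bit of "payroll" changed
    return {
        "tag_bits": len(tag) * 8,
        "intact_ok": verify_tag(KEY, PAYLOAD, tag, algo),
        "tampered_ok": verify_tag(KEY, tampered, tag, algo),
        "wrong_key_ok": verify_tag(b"some-other-key", PAYLOAD, tag, algo),
    }


if __name__ == "__main__":
    for name in ("md5", "sha256"):
        print(name, demo(name))
```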
2. The staff working from home want to have a secure online conference. Propose a solution in light of VPN technology?
Answer:
A VPN, or Virtual Private Network, allows you to create a secure connection to another network over the Internet. VPNs can be used to access region-restricted websites, shield your browsing activity from prying eyes on public Wi-Fi, and more.
When you browse the web while connected to a VPN, your computer contacts the website through the encrypted VPN connection. The VPN forwards the request for you and forwards the response from the website back through the secure connection. If you’re using a USA-based VPN to access Netflix, Netflix will see your connection as coming from within the USA.
The most important reason people use a VPN is its safety feature. It provides an encrypted tunnel for transferring data to and from your device and the host site. This removes all chances of spying and snooping on your data. Even your own internet service provider (ISP) can’t access your data or track your activities.
Everything is end-to-end encrypted with a VPN. So you don't have to worry about hackers and cybercriminals.
VPN allows its users to go beyond the geo-restrictions and surf the internet from any part of the world through its remote servers. This allows you to access websites and entertainment channels that may not be accessible in your region.
A VPN will prevent apps and websites from attributing your behavior to your computer's IP address. It can also limit the collection of your location and browser history.
If you are an individual thinking about investing in a VPN for your company, one benefit is that workers can connect to your office network and look at sensitive materials on their own devices while away from the office. As remote work seems a possibility even after the pandemic ends, a VPN is a helpful investment to keep confidential material safe off-site.
3. The company is planning to secure its communication with a branch in another city and have access to all the data in the main office. What solution would you recommend to secure the data communication between the two branches?
Answer:
The traditional solution has been to implement a dedicated Wide Area Network (WAN) link between the central and branch offices. This is usually a T-1 or even a T-3 line. However, dedicated leased lines are expensive. When you have only one branch office, a single line will suffice, but if you add a third, you may need to add two more dedicated lines to ensure connectivity. The number of lines that are needed for full connectivity increases dramatically as new offices are added, and so does the cost.
A more scalable solution is to connect branch offices using a site-to-site virtual private network (VPN). Let's look at how a VPN can offer you maximum scalability while ensuring that communications between offices stay secure.
To implement a site-to-site VPN connection between your branch offices, each location needs a connection to the Internet. The Internet connection can be via a T-carrier line or a less expensive business-level broadband connection such as DSL, cable, or new fiber optic technologies such as Verizon’s FIOS. All of these provide data transfer rates at speeds far greater than a T-1 line. For example, in the Dallas-Ft. Worth, TX market, a 1.5 Mbps T-1 costs $399 or more per month. A FIOS connection provides 30 Mbps, or twenty times the bandwidth, for $199 per month.
VPN technologies solve this problem by creating a "tunnel" through the Internet from one office (site) to another. The traffic that goes through this tunnel is encrypted to protect any sensitive data.
Some advantages of site-to-site VPN include:
Cost. You don't need the multiple leased lines required for dedicated branch office WAN links. You can use a single leased line to the Internet for each office, or lower-cost business broadband Internet connections.
Performance. You can use very high-speed Internet connections at each office for data transfer rates that approach or surpass some Ethernet links.
Flexibility. If you move one or more offices, it’s much easier to "take it with you" than a dedicated leased line link. The VPN can be set up easily at the new site.
Scalability. Adding new sites/connections is simple as long as each location has a connection to the Internet. With leased lines, greater distance between offices means higher cost. Because the VPN uses a connection to the Internet instead of a point-to-point connection between offices, it’s much more scalable.
There are some different ways to create a site-to-site VPN. First, you need to consider the protocols you'll use to create the tunnel and encrypt the traffic. Popular tunneling protocols include:
Point to Point Tunnelling Protocol (PPTP). One of the first VPN methods, and supported by many VPN software and hardware vendors, but less secure than some other choices. More often used for remote access VPN but can be used for site-to-site VPNs.
Layer 2 Tunnelling Protocol (L2TP). Based on a combination of Microsoft’s PPTP and Cisco’s Layer 2 Forwarding (L2F). L2TP creates the tunnel and IPSec is used to encrypt the traffic inside the tunnel.
Internet Protocol Security (IPSec). IPSec can itself be used to create a VPN tunnel in "tunnel mode."
4. Explain five different components that are negotiated in IPSec Phase 1?
Answer:
Phase 1 negotiation can happen in two modes, either using Main Mode or using Aggressive Mode. IKEv1 Phase 1 Main Mode has three pairs of messages (six messages in total) between IPSec peers. IKEv1 Phase 1 Aggressive Mode has only three message exchanges. The purpose of IKEv1 Phase 1 is to establish an IKE SA. Phase 1 is used to negotiate the parameters and key material required to establish an IKE Security Association (SA) between two IPSec peers. The Security Associations (SAs) negotiated in Phase 1 are then used to protect future IKE communication.
Five different components that are negotiated in IPSec Phase 1:
Encryption – DES, 3DES, AES, AES-256, etc.
Hashing algorithm – MD5, SHA1, SHA256, etc.
DH group – 1/2/5/14, etc.
VPN peer authentication method – pre-shared key or certificate
Lifetime – on a Cisco router, 86400 seconds by default
Encryption:
In technical terms, it is the process of converting human-readable plaintext to incomprehensible text, also known as ciphertext. Encryption requires the use of a cryptographic key: a set of mathematical values that both the sender and the recipient of an encrypted message agree on.
HTTPS uses the encryption protocol called Transport Layer Security (TLS). In the past, an earlier encryption protocol called Secure Sockets Layer (SSL) was the standard, but TLS has replaced SSL. A website that implements HTTPS will have a TLS certificate installed on its origin server.
Hashing Algorithms:
If you are transferring a file from one computer to another, how do you ensure that the copied file is the same as the source? One method you could use is called hashing, which is essentially a process that translates information about the file into a code. Two hash values (of the original file and its copy) can be compared to ensure the files are equal.
Hashing is an algorithm that calculates a fixed-size bit string value from a file. A file contains blocks of data. Hashing transforms this data into a far shorter fixed-length value or key which represents the original string. The hash value can be considered the distilled summary of everything within that file. A hash is usually a hexadecimal string of several characters. Hashing is also a unidirectional process so you can never work backward to get back the original data.
DH-Group:
Diffie-Hellman (D-H) is a public-key cryptography protocol. It allows two parties to establish a shared secret key used by encryption algorithms (DES or MD5, for example) over an insecure communications channel. D-H is used within IKE to establish session keys. 768-bit and 1024-bit D-H groups are supported in Cisco routers and the PIX Firewall. The 1024-bit group is more secure.
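The exchange a DH group defines, as an added example that is not part of the original answer: both peers pick a private exponent, publish g^x mod p, and derive the same shared secret over the 1024-bit MODP prime of IKE group 2 (the "Second Oakley Group" from RFC 2409, generator 2), i.e. the 1024-bit group the answer refers to. The peer-value check rejects the degenerate public values 0, 1 and p-1, which would force a trivial secret; in current deployments group 14 (2048-bit) or larger is preferred over groups 1 and 2.

```python
import secrets

# RFC 2409 Second Oakley Group (IKE DH group 2): 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_G = 2


def generate_keypair(p: int = GROUP2_P, g: int = GROUP2_G) -> tuple:
    """Return (private exponent x, public value g^x mod p) for one peer."""
    x = secrets.randbelow(p - 2) + 1  # random x in [1, p-2]
    return x, pow(g, x, p)


def shared_secret(own_private: int, peer_public: int, p: int = GROUP2_P) -> int:
    """Derive the shared secret; reject peer values that make the result trivial."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value (0, 1 or p-1)")
    return pow(peer_public, own_private, p)


def run_exchange(p: int = GROUP2_P, g: int = GROUP2_G) -> tuple:
    """Simulate both IKE peers and return the secret each side computed."""
    a_priv, a_pub = generate_keypair(p, g)  # initiator
    b_priv, b_pub = generate_keypair(p, g)  # responder
    # Each side only ever sees the other's public value.
    return shared_secret(a_priv, b_pub, p), shared_secret(b_priv, a_pub, p)


if __name__ == "__main__":
    s_init, s_resp = run_exchange()
    print("group size:", GROUP2_P.bit_length(), "bits")
    print("secrets agree:", s_init == s_resp)
```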
VPN peer authentication method:
Authentication is used to prove that a user or entity is allowed access, and so provides a form of access control. For example, when you're logging on to your Windows desktop and you specify a username and password at the login screen, you are authenticating yourself. You are telling Windows you're a valid and authenticated user, and you prove this by providing a username and password.
Life-time:
IPSec VPNs using IKE utilize lifetimes to control when a tunnel will need to re-establish. When these lifetimes are misconfigured, an IPSec tunnel will still establish but will show connection loss when these timers expire.
Cisco Meraki products, by default, use a lifetime of 8 hours (28800 seconds) for both IKE phase 1 and IKE phase 2.
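To show how the five components above are matched during Phase 1, here is an added model of proposal selection (example code, not from the original answer or from any vendor): the initiator offers proposals in preference order, the responder accepts the first one whose encryption, hash, DH group and authentication method match one of its policies, and the agreed lifetime is modelled as the shorter of the two sides' values. The two configurations are constructed; note that a mismatch on one attribute silently falls through to a weaker proposal, which is exactly the kind of downgrade worth auditing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Policy:
    encryption: str       # e.g. "aes256", "aes", "3des"
    hash_alg: str         # e.g. "sha256", "sha1", "md5"
    dh_group: int         # e.g. 2, 5, 14
    authentication: str   # "psk" (pre-shared key) or "rsa-sig" (certificate)
    lifetime: int         # seconds


# Constructed example configurations (not taken from any real device).
INITIATOR_PROPOSALS = [
    Phase1Policy("aes256", "sha256", 14, "psk", 86400),
    Phase1Policy("aes", "sha1", 5, "psk", 86400),
    Phase1Policy("3des", "md5", 2, "psk", 86400),
]
RESPONDER_POLICIES = [
    Phase1Policy("aes256", "sha256", 14, "rsa-sig", 28800),  # insists on certificates
    Phase1Policy("aes", "sha1", 5, "psk", 28800),
]

MATCHED = ("encryption", "hash_alg", "dh_group", "authentication")


def mismatch_reasons(prop: Phase1Policy, pol: Phase1Policy) -> list:
    """Names of the attributes on which a proposal and a policy disagree."""
    return [a for a in MATCHED if getattr(prop, a) != getattr(pol, a)]


def negotiate(proposals, policies):
    """First proposal (initiator order) accepted by any responder policy, or None.

    Lifetime is not required to match: the agreed value is the shorter of the
    two (a simplification of the responder shortening the initiator's value)."""
    for prop in proposals:
        for pol in policies:
            if not mismatch_reasons(prop, pol):
                return Phase1Policy(prop.encryption, prop.hash_alg, prop.dh_group,
                                    prop.authentication, min(prop.lifetime, pol.lifetime))
    return None


if __name__ == "__main__":
    print("agreed:", negotiate(INITIATOR_PROPOSALS, RESPONDER_POLICIES))
    print("why proposal 1 failed:",
          mismatch_reasons(INITIATOR_PROPOSALS[0], RESPONDER_POLICIES[0]))
```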
5. Discuss the advantages of IKEV2 over IKEV1?
Answer:
IKEv2 provides the following benefits over IKEv1:
In IKEv2, tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either six messages (in Main Mode) or three messages (in Aggressive Mode).
IKEv2 has Built-in NAT-T functionality which improves compatibility between vendors.
IKEv2 supports EAP authentication.
IKEv2 has the Keep Alive option enabled as default.
IKEv2 supports the Mobility and Multi-homing Protocol (MOBIKE), making it more stable.
The Mobility and Multi-homing Protocol (MOBIKE) for IKEv2 provides the ability to maintain a VPN session when a user moves from one IP address to another, without the need to re-establish IKE security associations with the gateway. For example, a user could establish a VPN tunnel while using a fixed Ethernet connection in the office. MOBIKE allows the user to disconnect the laptop and move to the office's wireless LAN without interrupting the VPN session.
MOBIKE operation is transparent and does not require any extra configuration by you or consideration by users.
Security Associations in IKEv2 are called Child SAs and can be created, modified, and deleted independently at any time during the life of the VPN tunnel.
IKEv2 reduces the number of Security Associations required per tunnel, thus reducing the bandwidth required as VPNs grow to include more and more tunnels between multiple nodes or gateways.
IKEv2 is more reliable as...