Ch. 7- VPNs (ebook, quiz, and lecture)
PPTP authentication protocol __ __ __ __: - in step 3 the server checks the response from the client against its own calculation of the expected hash value. - If the values match, the authentication is acknowledged; otherwise, the connection is usually terminated.
(CHAP) Challenge Handshake Authentication Protocol
Protocols for what? (MP) __ Multilink Protocol (MP+) Ascend's Multilink Protocol Plus (MPLS) Multiprotocol Label Switching
(PPP) Point to Point Protocol
SSL/TLS handshake process for establishing VPN connection: Step 1: The __ sends the __ information to the server that the server needs to communicate with the __ using SSL Step 2: The __ sends the __ information to the client that the client needs to communicate with the __ over SSL Step 3: Client authenticates the server by checking the signature on the server's certificate against its locally trusted CA certificates (the CA itself is not contacted during the handshake; revocation is checked separately via CRL or OCSP, if at all) Step 4: Client creates, encrypts, and then sends the __ __ secret to the server Step 5: __ has session key and finishes handshake. Step 6: __ has session key and finishes handshake (This is the RSA key-exchange handshake of SSL 3.0/TLS 1.2; TLS 1.3 instead derives the session keys from an ephemeral Diffie-Hellman exchange, so no encrypted pre-master secret is sent.)
1- Client 2- Server 3- n/a 4- encrypted pre-master 5- Client 6- Server
Kerberos steps simplified Step 1: User is authenticated by __ Step 2: AS directs __ to create __ Step 3: TGT is sent back to user. Encrypted with __ key known only to __. Step 4: User requests service tickets, sends __ to __ Step 5: KDC sends __ __ to user. Encrypted with a symmetric key known to the KDC and the service; the ticket itself is typically valid for hours, while the authenticator the client sends alongside it must be within about 5 minutes of the service's clock. Step 6: User sends __ __ (plus a fresh authenticator) to service
1. AS 2. TGS, TGT 3. symmetric, KDC 4. TGT to KDC 5. service ticket 6. service ticket
PPP established a standard for these tasks: 1. assignment and management of __ addresses 2. asynchronous and bit-oriented synchronous __ 3. network protocol __ 4. link __ 5. link __ testing 6. error __
1. IP 2. encapsulation 3. multiplexing 4. configuration 5. quality 6. detection
MS-CHAP is consistent where possible with CHAP. Differences include: 1. The MS-CHAP __ packet is in a format designed for compatibility with Microsoft's Windows __ products. 2. The MS-CHAP format (does or does not?) require the authenticator to store a clear-text or reversibly encrypted password.
1. response, networking 2. does not
PPTP is currently widely used in part because almost all VPN equipment vendors support PPTP. Another important benefit of PPTP is that it operates at layer __ of the OSI model (the __ layer), allowing different networking __ to run over a PPTP tunnel. - can be used to transport __, __, and other data
2, data link, protocols, IPX, NetBEUI
L2TP also supports other authentication methods, for a total of six: 1. EAP 2. CHAP 3. MS-__ 4. P__ 5. S___ 6. K__
3. MS-CHAP 4. PAP 5. SPAP 6. Kerberos
MS-CHAP is consistent where possible with CHAP. Differences include: 3. MS-CHAP provides authenticator-controlled __ and __ mechanisms. -- These mechanisms are compatible with the mechanisms used in Windows networks. 4. MS-CHAP defines a set of reason-for-failure codes that are returned in the failure packet's message field if the authentication fails. -- These are codes that Windows software is able to read and interpret, thus providing the __ with the reason for the __ __.
3. retry and password-changing 4. user, failed authentication
The Cisco VPN Solution: - uses __ encryption (an improved version of DES). - can handle packets larger than _ bytes. It can create up to 60 new virtual __ per second, a good feature if a lot of users might be logging on or off.
3DES (but AES is preferred and strongly recommended); 500; tunnels
Which IPSec mode/process is this? -squeezes the IKE SA negotiation into three packets, with all data required for the SA passed by the initiator. -The responder sends the proposal, key material, and ID, and authenticates the session in the next packet. -The initiator replies by authenticating the session. -Negotiation is quicker, and the initiator and responder ID pass in the clear.
Aggressive Mode
IPSec's protocols 1. A_ 2. E__ 3. I__ 4. I_____
Authentication Header (AH) Encapsulating Security Payload (ESP) Internet Key Exchange (IKE) Internet Security Association and Key Management Protocol (ISAKMP)
The IPSec __ protocol provides a mechanism for authentication only.
Authentication Header (AH)
What protects the actual packet data in IPSec? A. CHAP B. SPAP C. ESP D. AH
C
Built-in VPN server and client connections might not be adequate for larger scale operations in which multiple users connect via VPN. For those situations, a dedicated VPN solution might be necessary. Examples of such implementations: - __ solutions - __ solutions - __ - Others
Cisco Service Openswan
Like PPTP, L2TP supports _ and _ for authentication.
EAP and CHAP
The IPSec __ protocol provides: - data confidentiality (encryption) and - authentication (data integrity, data origin authentication, and replay protection). -can be used with confidentiality only, authentication only, or both confidentiality and authentication.
Encapsulating Security Payload (ESP)
PPTP supports two separate technologies for accomplishing PPTP Authentication: __ and __.
Extensible Authentication Protocol (EAP) Challenge Handshake Authentication Protocol (CHAP)
T or F? VPNs connect users to a network as if they were local to it, but do not ensure a secure connection.
False
T or F? Visiting a site that uses SSL/TLS means you're on a VPN
False. A VPN would give you access to the whole network; an SSL/TLS session only encrypts traffic to that one site.
__ is used in setting up security associations in IPSec.
IKE, or Internet Key Exchange
L2TP is often combined with __ to achieve a high level of security.
IPSec
Openswan uses __, making it a highly secure VPN solution.
IPSec
The ______ provides a framework for authentication and key exchange. Once the IKE protocol sets up the SA, then it is time to actually perform the authentication and key exchange.
Internet Security Association and Key Management Protocol (ISAKMP)
L2TP Compared to PPTP, regarding encryption Which is which? __uses IPSec __ uses MPPE
L2TP uses IPSec PPTP uses MPPE
IPSec is incorporated with __ operating systems as well as many other operating systems. IPSec is a set of protocols developed by the __ to support secure exchange of packets. It uses __ __ encryption technology.
Microsoft; IETF (Internet Engineering Task Force); symmetric key
As the name suggests, MS-CHAP is a __ extension to CHAP. MS-CHAP was created to authenticate remote __ __
Microsoft-specific Windows workstations.
The __ product is an open source VPN solution available for __ operating systems. As an open source product, one of its biggest advantages is that it is free.
Openswan Linux
Shiva Password Authentication Protocol (SPAP) is a proprietary version of __. Most experts consider SPAP more secure than __ because the username and password are both __ when they are sent, unlike __.
PAP PAP encrypted PAP
PPTP is a tunneling protocol that enables an older connection protocol, __, to have its __ __ within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.
PPP (Point-to-Point Protocol) packets encapsulated
L2TP Compared to PPTP Windows NT only supports __, but Windows 2000 and later versions also support __, making it an attractive option for Windows network administrators because it supports more network connection and authentication options and is more secure.
PPTP L2TP
EAP was designed specifically for use with __ and is meant to work as part of __.
PPTP PPP
L2TP Compared to PPTP, regarding authentication Which is which? uses EAP and CHAP uses EAP, MS-CHAP, CHAP, SPAP, PAP,and Kerberos
PPTP uses EAP and CHAP L2TP uses EAP, MS-CHAP, CHAP, SPAP, PAP, and Kerberos
You can use __, __, or __ for VPN creation/encryption. __ is considered the most secure of the three.
PPTP, L2TP, or IPSec IPSec
L2TP Compared to PPTP, regarding Non IP Networks Which is which? public IP addresses only can work over X.25 networks and ATM networks (unregistered and private IPs)
PPTP: public IP addresses only L2TP: can work over X.25 networks and ATM networks
Multiple ways exist to achieve the encryption needs of a VPN. The two most commonly used network protocols for this encryption are __ and __.
Point-to-Point Tunneling Protocol (PPTP) Layer 2 Tunneling Protocol (L2TP).
Layer 2 Tunneling Protocol (L2TP) is an extension or enhancement of the __ that is often used to __ virtual private networks over the Internet.
Point-to-Point Tunneling Protocol (PPTP) operate
Which IPSec mode/process is this? Once the IKE SA is established, this begins. - similar to an Aggressive Mode IKE negotiation, except negotiation must be protected within an IKE SA. - negotiates the SA for the data encryption and manages the key exchange for that IPSec SA. In other words, uses the Diffie-Hellman keys exchanged in main mode, to continue exchanging symmetric keys that will be used for actual encryption in the VPN.
Quick Mode IPSec negotiation or Quick Mode
If you see a website beginning with HTTPS, then traffic to and from that website is encrypted using __ or __.
SSL or TLS Today, we almost always mean TLS when we say SSL. It is just that many people became accustomed to saying SSL since it came first, and the phrase stuck.
Advantages of what type of VPN implementation? - doesn't require any particular VPN skill on the part of the internal IT department. - A department that lacks these specific skill areas but wants to implement a VPN might find that using an outside service is the right solution.
Service Solution
SSL = Secure __ Layer TLS = __ Layer Security
Sockets Transport
T or F? PPP supports its functions by providing an extensible Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities.
True
T or F? PPTP is an older protocol than L2TP or IPSec.
True
T or F? Whether you are using SSL to connect to an e-commerce website or to establish a VPN, the SSL handshake process is needed to establish the secure/encrypted connection.
True
This uses an existing connection (such as the Internet) to provide a secure connection.
VPN
A new type of firewall uses SSL/TLS to provide __ access through a __ portal. Essentially, SSL/TLS are the protocols used to secure __.
VPN web websites
A VPN must provide both the same level of __ and the same level of __ as a direct connection. VPNs provide a solution to: - the administrator's need for security in remote connections - while solving the user's need to connect from virtually anywhere.
access security
IPSec protocols AH and ESP can be used either: __ to protect an IP packet, or applied __ to the same IP packet.
alone together
The following are Kerberos terms to know: Ticket: Used to __ to the __. Contains identity of client, session key, timestamp, and checksum. Encrypted with server's key. Session key: __ __ key. Authenticator: __ session key was recently created. Often expires within 5 __.
authenticate, server Temporary encryption Proves minutes
VPNs solve the issues of: - neither end of transmissions being __ - data being transmitted back and forth is __
authenticated unencrypted
EAP works from within PPP's __ protocol, providing a framework for several different __ methods.
authentication, authentication
Due to CHAP, the __ of a client connection has three stages.
authorization
The following are Kerberos terms to know: Realm: A __ within an organization. Each realm has its own AS and TGS. Remote Ticket Granting Server (RTGS): A __ in a remote realm. Ticket Granting Ticket (TGT): The ticket that is granted during the __ process.
boundary TGS authentication
CHAP is actually a three-part handshaking procedure between a Remote PC and VPN Server. Step 1: After the connection is established, the server sends a __ message to the client. Step 2: Client responds by sending back a value calculated using a __ function. Step 3: Server checks the __ against its own calculation
challenge hash response
The main weakness with PAP: -the transmissions of the passwords are in __- text, - and __. The basic authentication feature built into the __ protocol uses PAP.
clear unencrypted HTTP
PPP is used to establish and configure the __ and the __, also to encapsulate datagrams.
communications link network layer protocols
In PPTP __ tunneling, the server selects the encryption and authentication protocols
compulsory
Basic VPN technology - Remote users are not the only beneficiaries - Site-to-site __ can also be made - Enables an organization to move away from expensive dedicated __ lines
connections data
PPTP is often used to __ VPNs.
create
The Internet Protocol Security (IPSec) is a technology used to __ virtual private networks. IPSec is used in __ to the IP protocol that adds security and privacy to TCP/IP communication.
create addition
IPSec's transport mode works by encrypting the __ in each packet but leaves the __ unencrypted. This means that the source and destination addresses, as well as other header information, are not encrypted - less secure, but faster
data header
As its name suggests, L2TP operates at the __ layer of the OSI model (like PPTP).
data link
PPP was designed for moving __ across serial point-to-point links. It sends packets over a __ link, a serial cable set up between two computers.
datagrams physical
At the receiving end, an IPSec-compliant device __ each packet. For IPSec to work, the sending and receiving devices must share a __, an indication that IPSec is a __ encryption technology.
decrypts key single-key
In voluntary tunneling, a remote user __ into a service provider's network and a standard PPP session is established that enables the user to __ to the provider's network. The user then launches the __ software to establish a PPTP session back to the PPTP remote-access server in the central network.
dials log on VPN
To accomplish its purpose, the VPN must emulate a __
direct network connection.
To emulate a dedicated point-to-point link, data is __, or __, with a __ that provides routing information, allowing it to transmit across the Internet to reach its destination. This creates a virtual network connection between the two points.
encapsulated, or wrapped, with a header
Administrators choosing a VPN protocol should consider: - how the packets are __, - what sort of __ is used, and - whether the current __ and __ supports that technology.
encrypted authentication hardware and software
In PPTP, voluntary tunneling is different from compulsory tunneling because the user selects the type of __ and __ to use.
encryption authentication
IPSec has two __ modes: __ and __.
encryption transport and tunnel.
Service VPN Solutions: In some cases, especially with large WAN VPN situations, you might not want to invest the time, energy, and cost to __, __, and __ VPN connections. You can __ this entire process, the setup and the administration, to VPN vendors. __ provides this service for many companies.
establish, secure, and monitor contract AT&T
The goal of MS-CHAP is to: provide the __ available on the __ to remote users while integrating the __ and __ algorithms used on Windows networks.
functionality LAN encryption and hashing
IPSec's tunnel mode encrypts the __ and the ___. This is more secure than transport mode but can work more __. - more secure, but slower
header and the data slowly
The main advantage of the Cisco VPN Solution is that it __ __ with other Cisco products.
incorporates seamlessly (Administrators using a Cisco firewall or Cisco routers might find this solution to be preferable.)
Both PPTP and L2TP are considered by many experts to be __ secure than IPSec. Seeing IPSec used together with L2TP to create a __ VPN connection is __ uncommon.
less secure not
Some experts consider PPTP to be __ secure than L2TP or IPSec, but it consumes fewer __ and is supported by almost every VPN implementation. It is basically a secure extension to PPP.
less resources
Which IPSec mode/process is this? 1. The first exchange between VPN endpoints establishes the basic security policy; --- the initiator proposes the encryption and authentication algorithms it is willing to use. --- the responder chooses the appropriate proposal and sends it to the initiator. 2. The next exchange passes Diffie-Hellman public values, nonces, and other data. --- The shared secret each side derives from the Diffie-Hellman exchange is used to generate the keys that encrypt and authenticate the remaining IKE traffic (the public values themselves encrypt nothing). 3. The third exchange authenticates the ISAKMP session; because it is already encrypted, the peers' identities are not exposed (unlike Aggressive Mode).
Main Mode
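The three Main Mode exchanges as an added, runnable sketch (this is example code written for this page, not Cisco, Openswan or any IKE implementation's code). It follows the pre-shared-key formulas of RFC 2409 section 5.4 for SKEYID, SKEYID_d/a/e, HASH_I and HASH_R, but with two assumptions: a toy 127-bit Diffie-Hellman prime in place of a real MODP group, and HMAC-SHA256 as the prf. The peer names, proposal strings and pre-shared keys are constructed for the demo.

```python
"""IKEv1 Main Mode over a pre-shared key, reduced to its three exchanges: SA proposal,
Diffie-Hellman + nonces, then authentication hashes (formulas from RFC 2409 s5.4)."""
from __future__ import annotations

import hashlib
import hmac
import os

# Toy DH group so the example runs instantly. Real IKE uses RFC 3526 MODP groups
# (e.g. group 14, 2048-bit); this 127-bit prime offers no security.
P = 2**127 - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Peer:
    def __init__(self, psk: bytes, identity: bytes, proposals: list[str]):
        self.psk, self.identity, self.proposals = psk, identity, proposals
        self.cookie = os.urandom(8)                 # ISAKMP cookie (CKY)
        self.nonce = os.urandom(16)
        self._x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.pub = pow(G, self._x, P)               # g^x mod p, sent in the second exchange
        self.skeyid = None
        self.skeyid_e = None

    # Exchange 1: the initiator offers, the responder picks the first proposal it supports.
    def choose(self, offered: list[str]) -> str | None:
        return next((p for p in offered if p in self.proposals), None)

    # Exchange 2: with the peer's g^y and both nonces, derive SKEYID and the keying material.
    def derive(self, peer_pub: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> None:
        gxy = _b(pow(peer_pub, self._x, P))                        # shared DH secret
        self.skeyid = prf(self.psk, ni + nr)                       # PSK-authenticated SKEYID
        skeyid_d = prf(self.skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(self.skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        self.skeyid_e = prf(self.skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # protects exchange 3

    # Exchange 3: HASH_I / HASH_R; in the real protocol they travel encrypted under SKEYID_e.
    def auth_hash(self, my_pub: int, peer_pub: int, my_cky: bytes, peer_cky: bytes,
                  sa_body: bytes, identity: bytes) -> bytes:
        return prf(self.skeyid, _b(my_pub) + _b(peer_pub) + my_cky + peer_cky + sa_body + identity)


def main_mode(initiator: Peer, responder: Peer) -> dict:
    """Run the three exchanges; report whether both sides authenticated each other."""
    chosen = responder.choose(initiator.proposals)                 # 1. SA negotiation
    if chosen is None:
        return {"sa": None, "authenticated": False, "same_skeyid_e": False}
    sa_body = chosen.encode()
    # 2. KE + nonce exchange: each side derives the keys from its own private exponent.
    initiator.derive(responder.pub, initiator.nonce, responder.nonce, initiator.cookie, responder.cookie)
    responder.derive(initiator.pub, initiator.nonce, responder.nonce, initiator.cookie, responder.cookie)
    # 3. Authentication: each side recomputes the hash the peer should have produced.
    hash_i = initiator.auth_hash(initiator.pub, responder.pub, initiator.cookie, responder.cookie,
                                 sa_body, initiator.identity)
    hash_r = responder.auth_hash(responder.pub, initiator.pub, responder.cookie, initiator.cookie,
                                 sa_body, responder.identity)
    r_accepts_i = hmac.compare_digest(hash_i, responder.auth_hash(
        initiator.pub, responder.pub, initiator.cookie, responder.cookie, sa_body, initiator.identity))
    i_accepts_r = hmac.compare_digest(hash_r, initiator.auth_hash(
        responder.pub, initiator.pub, responder.cookie, initiator.cookie, sa_body, responder.identity))
    return {"sa": chosen, "authenticated": r_accepts_i and i_accepts_r,
            "same_skeyid_e": initiator.skeyid_e == responder.skeyid_e}


if __name__ == "__main__":
    a = Peer(b"psk", b"gw-a", ["aes256-sha256-group14", "3des-sha1-group2"])
    b = Peer(b"psk", b"gw-b", ["aes256-sha256-group14"])
    print(main_mode(a, b))
```

Because SKEYID is keyed by the pre-shared key, a peer holding a different PSK ends up with a different SKEYID_e and a different HASH, so the third exchange fails both to decrypt and to verify; and because the hashes are only sent after the DH keys exist, the identities inside them are never visible on the wire, which is the property Aggressive Mode gives up.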
IPSec Authentication Header (AH) protocol: - Data integrity ensured using a __ __ generated by an algorithm such as HMAC-MD5 or HMAC-SHA. - Data origin authentication is ensured by using a __ __ __ to create the message digest. - Also provides an optional __ protection service.
message digest; shared secret key; replay
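The AH mechanics described above, as an added example (written for this page; not code from any IPsec stack). It builds an IPv4 packet with an AH in transport mode, computes the ICV with HMAC-SHA1-96 (RFC 2404) over the packet with the mutable IP fields zeroed, and gives the receiver the 64-entry anti-replay window of RFC 4302. Assumptions: the IP header checksum is left at zero (it is a mutable field and excluded from the ICV anyway), and the key, SPI and addresses are constructed for the demo.

```python
"""IPsec AH in transport mode: ICV over the immutable parts of the packet (HMAC-SHA1-96,
RFC 2404) plus the receiver's anti-replay window (RFC 4302 s3.4.3)."""
from __future__ import annotations

import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 12                     # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN            # fixed AH fields + ICV = 24 bytes
IP_HDR_LEN = 20


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum (left 0 here), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)


def _icv_input(packet: bytes) -> bytes:
    """Zero the fields that change in transit (TOS, flags/offset, TTL, checksum) and the ICV slot."""
    p = bytearray(packet)
    p[1] = 0; p[6:8] = b"\x00\x00"; p[8] = 0; p[10:12] = b"\x00\x00"
    icv_off = IP_HDR_LEN + 12
    p[icv_off:icv_off + ICV_LEN] = bytes(ICV_LEN)
    return bytes(p)


def ah_protect(key: bytes, spi: int, seq: int, src: bytes, dst: bytes,
               inner_proto: int, payload: bytes) -> bytes:
    """Sender: insert AH between the IP header and the payload, then fill in the ICV."""
    total = IP_HDR_LEN + AH_LEN + len(payload)
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    ah = struct.pack("!BBHII", inner_proto, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    packet = ipv4_header(src, dst, AH_PROTO, total) + ah + payload
    icv = hmac.new(key, _icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]
    return packet[:IP_HDR_LEN + 12] + icv + packet[IP_HDR_LEN + AH_LEN:]


class ReplayWindow:
    """Sliding window over AH sequence numbers; bit k of the bitmap means 'last - k' was seen."""

    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.last:                     # new high-water mark: slide the window
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.last = seq
            return True
        if seq <= self.last - self.size:        # too old to track: reject
            return False
        bit = 1 << (self.last - seq)
        if self.bitmap & bit:                   # already seen: replay
            return False
        self.bitmap |= bit
        return True


class AhReceiver:
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.window = key, spi, ReplayWindow()

    def verify(self, packet: bytes) -> bytes | None:
        """Return the inner payload if the ICV checks out and the sequence number is fresh."""
        if packet[9] != AH_PROTO:
            return None
        _nh, _plen, _rsv, spi, seq = struct.unpack("!BBHII", packet[IP_HDR_LEN:IP_HDR_LEN + 12])
        got = packet[IP_HDR_LEN + 12:IP_HDR_LEN + AH_LEN]
        want = hmac.new(self.key, _icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]
        if spi != self.spi or not hmac.compare_digest(got, want):
            return None                          # wrong SA or tampered immutable field
        if not self.window.check_and_update(seq):
            return None                          # replayed or stale
        return packet[IP_HDR_LEN + AH_LEN:]
```

Decrementing the TTL in transit still verifies (it is excluded from the ICV), flipping a payload byte does not, and a packet presented twice is dropped by the window even though its ICV is valid; that last check is the optional replay protection service the card refers to.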
Kerberos works by sending __ back and forth between the client and the server. The actual __ (or even a __ of the __) is never sent. That makes it impossible for someone to intercept it.
messages; password; hash, password (so an attacker sniffing the network cannot capture the password)
Advantages: Cisco offers VPN solutions, including a __ (VPN __ for Cisco 1841, 2800 and 3800 Series Integrated Services Routers) that can be added to many of their ___ and __ to implement VPN services. It also offers client-side __ that is designed to provide an easy-to-implement yet secure client side for the VPN.
module, Modules; switches and routers; hardware
Password Authentication Protocol (PAP) is the __ __ form of authentication. This method is no longer used and is only presented for historical purposes. With PAP, a user's __ are transmitted in clear text, unencrypted, over a network and __ of encrypted name-password pairs.
most basic; name and password; compared to a table
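Two small parsers, added here to make the "clear text" point concrete (example code for this page, not from any PPP or HTTP implementation): one reads a PAP Authenticate-Request as laid out in RFC 1334, the other pulls the credentials out of the HTTP Basic Authorization header that the card on PAP says uses the same idea. Both captures are constructed for the demo, not taken from a real network.

```python
"""Why PAP and HTTP Basic auth are 'clear text': both credentials can be read straight
off the wire. Two tiny parsers over constructed captures."""
from __future__ import annotations

import base64
import struct

PAP_AUTHENTICATE_REQUEST = 1


def build_pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Encode a PAP Authenticate-Request (RFC 1334 s2.2.1): no hashing, no encryption."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, identifier, 4 + len(body)) + body


def parse_pap_request(packet: bytes) -> dict:
    """What a passive observer recovers from a PAP Authenticate-Request."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTHENTICATE_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pos = 4
    id_len = packet[pos]
    peer_id = packet[pos + 1: pos + 1 + id_len]
    pos += 1 + id_len
    pw_len = packet[pos]
    password = packet[pos + 1: pos + 1 + pw_len]
    if pos + 1 + pw_len != length:
        raise ValueError("length fields inconsistent")
    return {"identifier": identifier, "peer_id": peer_id.decode(), "password": password.decode()}


def parse_basic_auth(request: str) -> tuple[str, str] | None:
    """Recover user and password from an HTTP Basic Authorization header (RFC 7617):
    base64 is an encoding, not encryption."""
    for line in request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, pw = base64.b64decode(token).decode().partition(":")
                return user, pw
    return None


# Constructed captures (not from any real network).
CAPTURED_PAP = build_pap_request(7, b"rdial", b"hunter2")
CAPTURED_HTTP = ("GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                 "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n")

if __name__ == "__main__":
    print(parse_pap_request(CAPTURED_PAP))
    print(parse_basic_auth(CAPTURED_HTTP))
```

Basic auth is only acceptable inside TLS for exactly this reason; on a PPP link, the CHAP card further down shows what replaces the password on the wire.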
Kerberos is one of the most well-known __ __ __. It was developed at __ and its name stems from the mythical three-headed dog that guarded the gates to Hades.
network authentication protocols MIT
Disadvantages of Cisco VPN Solution: Might not be right for those __ __ other Cisco products and those who don't have __ of Cisco systems.
not using knowledge
In Kerberos, if the user entered the wrong __, it will never get decrypted. This is a clever way to verify the password without it ever being __. Authentication happens with __ on port 88.
password transmitted UDP
SPAP is still susceptible to __ attacks (a person records the exchange and plays the message back to gain fraudulent access) Playback attacks are possible because SPAP always uses the __ __ encryption method to send the passwords over the wire.
playback same reversible
VPNs create a ___ connection over the __ that enables remote users and sites to connect to a central network.
private network Internet
EAP is meant to supersede and replace __ authentication systems and includes a variety of authentication methods to be used, including - passwords, - challenge-response tokens, and - public key infrastructure certificates.
proprietary
Internet Key Exchange (IKE and IKEv2) is used to set up an SA by: handling negotiation of __ and __, and to generate the __ and __ keys to be used.
protocols and algorithms encryption and authentication
Openswan supports either __ __ logging on via VPN, or __ __ __ connections. It also supports __ connections. However, it does not support __.
remote users; site-to-site; wireless; NAT (as stated in the ebook; note that current Openswan and Libreswan releases do support NAT traversal via NAT-T, enabled with nat_traversal=yes in the config setup section of ipsec.conf, so check the version you deploy)
A __ is formed by the two endpoints of the VPN tunnel, once they decide how they are going to encrypt and authenticate.
security association (SA)
The following are Kerberos terms to know: Principal: A __ that Kerberos can assign __ to. Authentication Service (AS): Service that authorizes the __ and connects them to the __ . (Note some books/sources say server rather than service.)
server or client tickets principal Ticket Granting Server
Regardless of which protocols you use for your VPN, you must implement your choice in some __/__ configuration. Many operating systems have __ VPN server and client connections. These are generally fine for small office or home situations.
software/hardware built-in
CHAP periodically repeats its __ process. This means that even after a client connection is authenticated, CHAP repeatedly seeks to re-authenticate that __, providing a robust level of security.
three-part handshaking client
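The three-step handshake and the periodic re-challenge, as an added example (written for this page, not code from any PPP, PPTP or VPN product). It uses MD5 over Identifier, secret and challenge, which is the standard CHAP algorithm from RFC 1994; the secret values are constructed for the demo. It also shows the property the SPAP card relies on: a recorded CHAP response is useless against a later challenge.

```python
"""CHAP three-way handshake (MD5-CHAP, RFC 1994): challenge, response, verify,
repeated periodically for the life of the link."""
from __future__ import annotations

import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value the client returns: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: holds the shared secret, issues challenges, verifies responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0
        self._challenge = None

    def challenge(self) -> tuple[int, bytes]:
        # Step 1: a fresh random challenge and a new Identifier for every round,
        # including the periodic re-authentication rounds.
        self._identifier = (self._identifier + 1) & 0xFF
        self._challenge = os.urandom(16)
        return self._identifier, self._challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        # Step 3: recompute the expected hash and compare in constant time.
        if self._challenge is None or identifier != self._identifier:
            return False
        expected = chap_response(identifier, self._secret, self._challenge)
        ok = hmac.compare_digest(expected, response)
        self._challenge = None          # each challenge may be answered once
        return ok


class ChapClient:
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        # Step 2: only the hash leaves the client; the secret itself never does.
        return chap_response(identifier, self._secret, challenge)


def run_session(server_secret: bytes, client_secret: bytes, rounds: int = 3) -> list[bool]:
    """Initial authentication plus periodic re-challenges; returns one result per round."""
    server, client = ChapServer(server_secret), ChapClient(client_secret)
    results = []
    for _ in range(rounds):
        ident, chal = server.challenge()
        results.append(server.verify(ident, client.respond(ident, chal)))
    return results


def replay_is_rejected(secret: bytes) -> bool:
    """A recorded response does not satisfy a later challenge (unlike PAP/SPAP playback)."""
    server, client = ChapServer(secret), ChapClient(secret)
    ident, chal = server.challenge()
    recorded = client.respond(ident, chal)
    assert server.verify(ident, recorded)       # the genuine round succeeds
    ident2, _ = server.challenge()              # re-authentication: new Identifier, new challenge
    return not server.verify(ident2, recorded)  # the captured value fails


if __name__ == "__main__":
    print(run_session(b"s3cret", b"s3cret"), run_session(b"s3cret", b"wrong"))
    print("replay rejected:", replay_is_rejected(b"s3cret"))
```

The weakness this design keeps is that the authenticator must store the secret in a form it can hash with (clear text or reversibly encrypted), which is exactly the point the MS-CHAP card contrasts against.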
The following are Kerberos terms to know: Ticket Granting Service (TGS): Provides __. Key Distribution Center (KDC): A __ that provides the __ ticket and handles __ requests. Often it runs both AS and TGS services.
tickets server initial TGS
The part of the VPN connection in which the data is encapsulated is referred to as the __.
tunnel
Kerberos process (explained ultra-simple): 1. When the user's __ is sent, the server looks up the stored hash of that password. 2. Then it uses that hash as an __ __ to encrypt the data and send it back to the client. 3. The client then takes the __ the user entered, and uses that as a key to __ the data.
username encryption key password, decrypt
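The ultra-simple Kerberos process above and the AS exchange from the earlier "Kerberos steps simplified" card, as an added example (written for this page, not MIT or Microsoft Kerberos code). Assumptions: PBKDF2 stands in for the Kerberos string-to-key function (salted with realm and principal, as RFC 3962 does), a small HMAC-based toy cipher stands in for a real Kerberos encryption type, and the realm, principal and password are constructed. Real Kerberos 5 normally also requires pre-authentication (an encrypted timestamp from the client) before the AS replies; the card's simplified flow, reproduced here, omits that.

```python
"""Kerberos AS exchange reduced to its core: the AS never sees the password; it encrypts
its reply under the key derived from the stored password hash, and only the right
password can open it."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import time

REALM = b"EXAMPLE.COM"   # constructed realm; principals below are constructed too


def string_to_key(password: str, principal: bytes) -> bytes:
    """Derive the principal's long-term key from its password. PBKDF2 stands in for the
    Kerberos string2key function; the salt is realm+principal as in RFC 3962."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM + principal, 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
    return out[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag). NOT a real Kerberos enctype."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes | None:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None   # wrong key: the reply simply never decrypts
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AuthenticationServer:
    """Holds only derived keys (the 'stored hash'), never clear-text passwords."""

    def __init__(self, users: dict[bytes, str]):
        self._keys = {p: string_to_key(pw, p) for p, pw in users.items()}
        self._tgs_key = os.urandom(32)             # shared with the TGS (here, the same KDC)

    def as_exchange(self, principal: bytes) -> tuple[bytes, bytes] | None:
        """Steps 1-3 of the card: look up the stored key, mint a TGS session key, and return
        (reply encrypted for the client, TGT encrypted for the TGS). No password is sent."""
        if principal not in self._keys:
            return None
        session_key = os.urandom(32)
        enc_part = toy_encrypt(self._keys[principal], json.dumps(
            {"session_key": session_key.hex(), "expires": int(time.time()) + 36000}).encode())
        tgt = toy_encrypt(self._tgs_key, json.dumps(
            {"client": principal.decode(), "session_key": session_key.hex()}).encode())
        return enc_part, tgt


def client_login(as_server: AuthenticationServer, principal: bytes, password: str) -> bytes | None:
    """Client side: send the username, then try to open the reply with the key derived from
    the password the user typed. Returns the TGS session key, or None if the password is wrong."""
    reply = as_server.as_exchange(principal)
    if reply is None:
        return None
    enc_part, _tgt = reply                           # the TGT is opaque to the client; it is
    plaintext = toy_decrypt(string_to_key(password, principal), enc_part)   # forwarded in step 4
    return None if plaintext is None else bytes.fromhex(json.loads(plaintext)["session_key"])


if __name__ == "__main__":
    kdc = AuthenticationServer({b"alice": "correct horse"})
    print("right password:", client_login(kdc, b"alice", "correct horse") is not None)
    print("wrong password:", client_login(kdc, b"alice", "guess") is not None)
```

The reply is the only thing that crosses the wire from the AS, and a wrong password yields a key that fails the tag check, so the client never obtains the session key; that is the "clever way to verify the password without it ever being transmitted" from the card above.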
Information server needs from client for SSL handshake: - client's SSL __ number, - __ settings, - __ specific data, and - other information that the server needs to communicate with the client using SSL.
version cipher session
Information client needs from server for SSL handshake: - server's SSL __ number, - __ settings, - __ specific data, and - other information that the client needs to communicate with the server over SSL. Same as what server needs from client with additions: - server also sends its own __, and If the client is requesting a server resource that requires client authentication, - the server requests the client's certificate.
version cipher session certificate
VPNs ensure a secure connection using __ from user to private network, through the Internet, that are __
virtual routed connections encrypted
PPTP supports two generic types of tunneling: __ and __.
voluntary compulsory