Ch 13.07.02 VPN Facts
Virtual Private Network
A _____ can be used over a local area network, across a WAN connection, over the internet, and even over a dial-up connection.
Virtual Private Network (VPN)
A _____ is a type of network that uses encryption to allow IP traffic to travel securely over the TCP/IP network.
Virtual Private Network (VPN)
A_____ is used primarily to support secure communications over an untrusted network.
Hash Message Authentication Code (HMAC)
Authentication Header provides a message integrity check with the keyed-_____.
Internet Key Exchange (IKE)
IPsec uses _____, to negotiate the connection. As two end points secure an IPsec network, they have to negotiate what is called a security association (SA). An inbound and outbound SA is necessary for each connection with a remote endpoint. IKE uses the Diffie-Hellman key exchange to generate symmetric keys used for the encryption of the negotiation of the SA.
Security Association (SA)
Internet Key Exchange, negotiates the connection. As two end points secure an IPsec network, they have to negotiate what is called a _____. An inbound and outbound SA is necessary for each connection with a remote endpoint. IKE uses the Diffie-Hellman key exchange to generate symmetric keys used for the encryption of the negotiation of the SA.
Layer 2 Tunneling Protocol (L2TP)
L2TP is an open standard for secure multi-protocol routing. +Supports multiple protocols (not just IP). +Uses IPsec for encryption. +Is not supported by older operating systems. +Uses TCP port 1701 and UDP port 500.
Point-to-Point Tunneling Protocol (PPTP)
PPTP was developed by Microsoft as one of the first VPN protocols. +Uses standard authentication protocols such as CHAP and PAP. +Supports TCP/IP only. +Encapsulates other LAN protocols and carries the data securely over an IP network. +Uses MPPE for data encryption. +Is supported by most operating systems and servers. +Uses TCP port 1723.
Virtual Private Network (VPN)
Ports must be open in firewalls to allow ____ protocols. For this reason, using SSL for the _____ often works through firewalls when other solutions do not. Additionally, some NAT solutions do not work well with _____ connections.
Secure Sockets Layer (SSL)
The _____ protocol has long been used to secure traffic generated by IP protocols such as HTTP, FTP, and email. _____ can also be used as a VPN solution, typically in a remote access scenario. +Authenticates the server to the client using public key cryptography and digital certificates. +Encrypts the entire communication session. +Uses port 443, which is already open on most firewalls. Implementations that use SSL for VPN tunneling include Microsoft's SSTP and Cisco's _____ VPN.
Remote Access
VPNs can be implemented with a _____ VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts in a client-to-site configuration. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.
Site to Site
VPNs can be implemented with a _____ VPN, routers on the edge of each site establish a VPN with the router at the other location. Data from hosts within the site are encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN.
Host to Host
VPNs can be implemented with a _____ VPN, two hosts establish a secure channel and communicate directly. With this configuration, both devices must be capable of creating the VPN connection.
Dynamic Multipoint Virtual Private Network (DMVPN)
_____ allows more than one connection through a VPN. +Its infrastructure consists of a hub with multiple spokes that connect to reach the company site. +The spokes also have the ability to communicate with one another via a dynamic IPsec VPN tunnel.
Internet Protocol Security (IPsec)
_____ can be used to secure the following types of communications: +Host-to-host communications within a LAN. +VPN communications through the internet, either by itself or in conjunction with the L2TP VPN protocol. +Any traffic supported by the IP protocol, including web, email, Telnet, file transfer, SNMP traffic, and countless others.
Transport Layer Protocol (TLS)
_____ ensures that messages being transmitted on the internet are private and tamper proof. _____ is a new version of SSL and is used to increase security by encrypting data using public key cryptography. _____ is implemented through two protocols: _____ record can provide connection security with encryption (with DES for example). _____ handshake provides mutual authentication and choice of encryption method.
Datagram Transport Layer Security (DTLS)
_____ is a communication protocol similar to SSL and TLS. +Focuses on datagram-based applications. +Allows applications to communicate preventing eavesdropping and tampering. +Is based on the TLS protocol and provides similar security guarantees.
Generic Routing Encapsulation (GRE)
_____ is a tunneling protocol that was developed by Cisco. _____ can be used to route any Layer 3 protocol across an IP network.
Internet Protocol Security (IPsec)
_____ provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution.
Authentication Header (AH)
_____, enables authentication with IPsec. +_____ provides a message integrity check with the keyed-hash message authentication code (HMAC). With HMAC, a symmetric key is embedded into a message before the message is hashed. When the message is received, the recipient's symmetric key is added back into the message before the message is hashed. If the hash values match, message integrity is proven. +_____ uses SHA-1 (secure hashing algorithm 1) or MD5 (message digest v5) for integrity validation. +_____ by itself does not provide data encryption.
Encapsulating Security Payload (ESP)
_____, provides data encryption for IPsec.
Generic Routing Encapsulation (GRE)
_____: +Creates a tunnel between two routers. +Encapsulates packets by adding a GRE header and a new IP header to the original packet. +Does not offer any type of encryption. +Can be paired with other protocols, such as IPsec or PPTP, to create a secure VPN connection.
Tunnel Endpoint
_____s are devices that can encrypt and decrypt packets. When you create a VPN, you establish a security association between the two _____s. The endpoints create a secure virtual communication channel. Only the destination_____ can unwrap packets and decrypt the packet contents.
Router
_____s use the unencrypted packet headers to deliver the packet to the destination device. Intermediate _____s along the path cannot read the encrypted packet contents.
Virtual Private Network (VPN)
_____s work by using a tunneling protocol that encrypts packet contents and wraps them in an unencrypted packet.
