Broadband technologies, such as cable, in addition to other VPN transport mechanisms, often traverse an untrusted network, such as the Internet. Therefore, a primary concern with using a broadband technology as a VPN transport is security.
VPN technologies such as IP Security (IPsec), Generic Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP) and Layer 2 Forwarding (L2F) offer a variety of features, but IPsec VPNs offer strong security features. Specifically, IPsec offers CIA protection for traffic. The components of the CIA triad are:
• Confidentiality: Data confidentiality is provided by encrypting data. A third party who intercepts the encrypted data will not be able to interpret it.
• Integrity: Data integrity ensures that data is not modified in transit. For example, routers at each end of a tunnel can calculate a checksum value or a hash value for the data, and if both routers calculate the same value, the data has most likely not been modified in transit.
• Authentication: Data authentication allows parties involved in a conversation to verify that the other party is the party they claim to be.
IPsec also scales to a wide range of networks. IPsec operates at Layer 3 of the OSI model (the network layer). As a result, IPsec is transparent to applications, which means that applications do not require any sort of integrated IPsec support.
IKE Modes and Phases
IPsec uses a collection of protocols to provide its features. One of the primary protocols that IPsec uses is Internet Key Exchange(IKE). Specifically, IPsec can provide encryption between authorized peers using encryption keys that are periodically changed. IKE, however allows an administrator to manually configure keys.
IKE can use three modes of operation to set up a secure communication path between IPsec peers.
Mode | Description |
Main mode |
Main mode involves three exchanges of information between the IPsec peers. Exchange 1: The responder selects a proposal it received from the initiator. Exchange 2: Diffie-Hellman (DH) is used to securely establish a shared secret key over the unsecured medium. Exchange 3: An Internet Security Association and Key Management Protocol (ISAKMP) session is established. This secure session is then used to negotiate an IPsec session. One peer, called the initiator, sends one or more proposals to the other peer, called the responder. The proposals include supported encryptions and authentication protocols and key lifetimes. In addition, the proposals indicate whether perfect forward secrecy (PFS) ensures that a session key remains secure, even if one of the private keys used to derive the session key becomes compromised. |
Aggressive mode |
Aggressive mode more quickly achieves the same result as main mode, using only three packets. The initiator sends the first packet, which contains all the information necessary to establish a security association (SA) - that is, an agreement between the two IPsec peers about the cryptographic parameters to be used in the ISAKMP session. The responder sends the second packet, which contains the security parameters selected by the responder (the proposal, the keying material, and the ID). The responder uses this second packet to authenticate the session. The third and final packet, which is sent by the initiator, finalizes the authentication of the ISAKMP session. |
Quick mode |
Quick mode negotiates the parameters (the SA) for thr IPsec session. This negotiation occurs within the protection of an ISAKMP session. |
The IKEv1 modes reflect the two primary phases of establishing an IPsec tunnel. For example, during IKE phase 1, a secure ISAKMP session is established, using either main mode or aggressive mode. During IKE phase 1, the IPsec endpoints establish transform sets (which are collections of encryption and authentication protocols), hash methods, and other parameters needed to establish a secure ISAKMP session (sometimes called an ISAKMP tunnel or an IKE Phase 1 tunnel). This collection of parameters is called a security association (SA). With IKE phase 1, the SA is bidirectional, which means that the same key exchange is used for data flowing across the tunnel in either direction.
IKE Phase 2 occurs within the protection of an IKE Phase 1 tunnel, using the quick mode of parameter negotiation. A session formed during IKE Phase 2 is sometimes called IKE Phase 2 tunnel or simply IPsec tunnel. However, unlike Phase 1, IKE Phase 2 performs unidirectional SA negotiations, which means that each data flow uses a separate key exchange.
Although an IPsec tunnel can be established using just IKE Phase 1 and IKE Phase 2, an optional IKE Phase 1.5 can be used. IKE Phase 1.5 uses the Extended Authentication (XAuth) protocol to perform user authentication of IPsec tunnels. Like IKE Phase 2, IKE Phase 1.5 is performed within the protection of an IKE Phase 1 tunnel. The user authentication provided by this phase adds a layer of authentication for VPN clients. Also, parameters such as IP, WINS, and DNS server information can be provided to a VPN client during this optional phase. A newer version called IKEv2 combines many of the same functions of IKEv1 and uses an initial IKEv2 tunnel (instead of IKEv1 phase 1) and child security associations (SAs/tunnels) for the IPsec tunnels instead of calling them IKE Phase 2 tunnels.
About The Author
Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor (CCSI) and author regarding all levels and tracks of Cisco Certification. Anthony formally began his career in the information technology industry in 1994 with IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered his true passion-teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering Computers in 1996 and lectured to massive audiences around the world about the latest in computer technologies. Mastering Computers became the revolutionary online training company, KnowledgeNet, and Anthony trained there for many years. Anthony is currently pursuing his second CCIE in the area of Security and is a full-time instructor for the next-generation of KnowledgeNet, StormWind.com. Anthony is also a VMware Certified Professional.
CompTIA Network+ N10-008 Cert Guide contains proven study features that allow you to succeed on the exam the first time. Expert instructor Anthony Sequeira shares preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills, essential for successful completion of the performance-based testing items on the exam. This complete, CompTIA-approved study package includes the following:
• A test-preparation routine proven to help you pass the exams
• Clearly defined chapter learning objectives covering all N10-008 exam topics
• Chapter-ending review questions and exam preparation exercises, which help you drill on key concepts you must know thoroughly
• The powerful Pearson Test Prep practice test software, complete with hundreds of well-reviewed, exam-realistic questions, customization options, and detailed performance reports
• 40 performance-based exercises to help you prepare for the hands-on exam questions
• A free copy of the CompTIA Network+ N10-008 Simulator Lite software, complete with meaningful lab exercises that enhance your hands-on skills
• More than 60 minutes of video mentoring
• A final preparation chapter that guides you through tools and resources to help you craft your review and test taking strategies
• An Exam Essentials appendix that quickly recaps all major chapter topics for easy reference, both in print and interactive digital format
• A key terms Glossary in both print and on the companion website, which acts as an interactive flash-card application
• Study plan suggestions and templates to help you organize and optimize your study time
• A 10% exam discount voucher (a $33+ value!)
Well regarded for its level of detail, study plans, assessment features, challenging review questions and exercises, video instruction, and hands-on labs, this approved study guide helps you master the concepts and techniques that ensure your exam success.
Master the topics on the CompTIA Network+ N10-008 exam, including:
• Network topologies and media types
• IP addressing
• Network services
• Data center architectures and cloud concepts
• Routing, Ethernet switching, and wireless networking
• Network availability and disaster recovery
• Network security
• Remote access
• Network troubleshooting
Reader Paulo Cardoso says, "This is a great book. In addition, it comes with great additional resources."
Learn more about the CompTIA Network+ N10-008 Cert Guide at amazon.com
More Network Security Articles:
• What Is Penetration Testing?
• Public Key Infrastructure
• Understanding the Dangers Your Systems Face
• Network Security
• Network User Authentication
• Email Security
• Cyber Security Tips for Small and Medium Business (SMB)
• Overview of IPsec with IKEv1
• Avoid Hacks by Rogue Wireless Devices
• Difference Between Rule and Role Based Access Control