www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
Secure connectivity is a component of the Cisco Self-Defending Network. This component aims to protect the integrity and privacy of organizations' sensitive information. With security risks on the rise, it is critical that security be implemented within today's network environments. Internal network segments have traditionally been considered trusted. However, internal threats are now more than ten times more expensive and destructive than external threats. Data that flows across the network needs to be secured so that its privacy and integrity are preserved. These are important concepts to keep in mind when making business decisions about securing connectivity.
The Cisco Secure Connectivity System provides secure transport for data and applications using encryption and authentication techniques. Many security technologies exist for securing data, voice, and video traffic over wired or wireless networks:
- IP Security (IPsec)
- Secure Shell (SSH)
- Multiprotocol Label Switching (MPLS) VPNs
- MPLS VPNs with IPsec
Encryption Fundamentals
Cryptography uses encryption to keep data private, thus protecting its confidentiality. The encapsulated data is encrypted with a secret key that secures the data for transport. When the data reaches the other side of the connection, another secret key is used to decrypt the data and reveal the message transmitted. Only authorized users can perform the encryption and decryption. Most encryption algorithms require the user to have knowledge of the secret keys. IPsec is an example of a security protocol framework that uses encryption algorithms to hide the IP packet payload during transmission.
Encryption Keys
An encryption session between two endpoints needs a key to encrypt the traffic and a key to decrypt the traffic at the remote endpoint. There are two ways to send a key to the remote endpoint—shared secrets and Public-Key Infrastructure (PKI):
- Shared secrets
- Public-Key Infrastructure (PKI)
  - Relies on asymmetric cryptography, which uses two different keys for encryption.
  - Public keys are used to encrypt and private keys to decrypt.
  - PKI is used by many e-commerce sites on the Internet.
Figure 13-9 shows what occurs during the encryption process using secret keys.
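The two key models described above, as an added example in Go (it is not code from the original page or from Cisco): in the shared-secret model both endpoints hold the same AES-256-GCM key, while in the PKI model the receiver's RSA public key encrypts and only the matching private key decrypts. The message and all keys are constructed for the demonstration. It also goes one step beyond the text by showing that a wrong key is rejected outright rather than yielding garbage, which is what an authenticated encryption mode adds over plain encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newGCM wraps a 16/24/32-byte key in AES-GCM, an authenticated mode:
// decryption fails unless key and ciphertext both match.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptShared is the shared-secret model: the same key is held by both sides.
// Output layout is nonce || ciphertext || tag so the nonce travels with the packet.
func encryptShared(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptShared reverses encryptShared; a wrong key or a modified packet returns an error.
func decryptShared(key, packet []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(packet) < gcm.NonceSize() {
		return nil, errors.New("packet too short")
	}
	return gcm.Open(nil, packet[:gcm.NonceSize()], packet[gcm.NonceSize():], nil)
}

// encryptPublic / decryptPrivate are the PKI model: anyone may encrypt to the
// published public key, only the private-key holder can read the result.
func encryptPublic(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func decryptPrivate(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// demoKeyModels runs both models end to end; returns true only if each
// round-trips with the right key and rejects a wrong key.
func demoKeyModels() (bool, error) {
	msg := []byte("constructed sample: routing update for 10.0.0.0/8") // constructed payload

	psk := make([]byte, 32) // constructed pre-shared key, given to both endpoints
	if _, err := rand.Read(psk); err != nil {
		return false, err
	}
	packet, err := encryptShared(psk, msg)
	if err != nil {
		return false, err
	}
	if got, err := decryptShared(psk, packet); err != nil || string(got) != string(msg) {
		return false, fmt.Errorf("shared-secret round trip failed: %v", err)
	}
	wrong := make([]byte, 32)
	rand.Read(wrong)
	if _, err := decryptShared(wrong, packet); err == nil {
		return false, errors.New("wrong shared key was accepted")
	}

	priv, err := rsa.GenerateKey(rand.Reader, 2048) // receiver's key pair; only PublicKey is published
	if err != nil {
		return false, err
	}
	ct, err := encryptPublic(&priv.PublicKey, msg)
	if err != nil {
		return false, err
	}
	if got, err := decryptPrivate(priv, ct); err != nil || string(got) != string(msg) {
		return false, fmt.Errorf("PKI round trip failed: %v", err)
	}
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // some other party's private key
	if _, err := decryptPrivate(other, ct); err == nil {
		return false, errors.New("wrong private key was accepted")
	}
	return true, nil
}

func main() {
	ok, err := demoKeyModels()
	fmt.Println("all key-model checks passed:", ok, err)
}
```

The shared-secret path is cheap but the key has to be delivered to both sides out of band and does not scale beyond a few peers; the PKI path lets any party encrypt to a published key, which is why real VPN protocols use it for key agreement and then switch to a symmetric cipher for the bulk traffic.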
VPN Protocols
The two most common VPN protocols are IPsec and SSL:
- IPsec
  - Uses AH and ESP to secure data
  - Uses Internet Key Exchange (IKE) for dynamic key exchange
  - Endpoints need IPsec software
- SSL
  - Uses TCP port 443 (HTTPS)
  - Provides encrypted VPN connectivity using a web browser
  - All major browsers support SSL VPN
IPsec comes in two forms—IP encapsulating security payload (ESP) and IP authentication header (AH)—which use protocol numbers 50 and 51, respectively. ESP is defined in RFC 2406, and AH is defined in RFC 2402. ESP provides confidentiality, data origin authentication, integrity, and anti-replay service. AH allows for connectionless integrity, origin authentication, and anti-replay protection. These protocols can be used together or independently. Most IPsec clients or routers use IKE to exchange keys and ESP to encrypt the traffic.
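Both ESP and AH carry a Security Parameter Index (SPI) and a sequence number at a fixed offset, which is what lets a monitoring point recognise IPsec traffic by protocol number 50 or 51 and what the anti-replay service works from. The following is an added example in Go, not code from the page or from Cisco: it classifies a constructed IPv4 packet as ESP or AH, pulls out SPI and sequence number, and implements a simplified 64-packet sliding replay window of the kind the anti-replay service uses (a teaching version, not a full IPsec implementation).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	protoESP = 50 // IP protocol number for Encapsulating Security Payload
	protoAH  = 51 // IP protocol number for Authentication Header
)

// IPsecInfo is what can be read without the session keys: which header is in
// use, the SPI selecting the security association, and the anti-replay sequence number.
type IPsecInfo struct {
	Protocol string
	SPI      uint32
	Seq      uint32
}

// parseIPsec reads an IPv4 packet and returns SPI and sequence number if the
// protocol is ESP or AH. Both headers hold SPI and Seq as big-endian 32-bit
// words; AH prefixes them with NextHeader, PayloadLen and Reserved (4 bytes).
func parseIPsec(pkt []byte) (IPsecInfo, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return IPsecInfo{}, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return IPsecInfo{}, errors.New("bad IHL")
	}
	payload := pkt[ihl:]
	var name string
	var off int
	switch pkt[9] {
	case protoESP:
		name, off = "ESP", 0
	case protoAH:
		name, off = "AH", 4
	default:
		return IPsecInfo{}, fmt.Errorf("protocol %d is not IPsec", pkt[9])
	}
	if len(payload) < off+8 {
		return IPsecInfo{}, errors.New("truncated IPsec header")
	}
	return IPsecInfo{
		Protocol: name,
		SPI:      binary.BigEndian.Uint32(payload[off : off+4]),
		Seq:      binary.BigEndian.Uint32(payload[off+4 : off+8]),
	}, nil
}

// ReplayWindow is a simplified 64-packet sliding window: a sequence number is
// accepted if it is newer than the highest seen, or inside the window and not
// yet seen. Replays and packets older than the window are dropped.
type ReplayWindow struct {
	highest uint32
	bitmap  uint64 // bit i set means sequence number highest-i has been seen
	started bool
}

func (w *ReplayWindow) Accept(seq uint32) bool {
	if !w.started {
		w.started, w.highest, w.bitmap = true, seq, 1
		return true
	}
	if seq > w.highest {
		shift := seq - w.highest
		if shift >= 64 {
			w.bitmap = 0
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1
		w.highest = seq
		return true
	}
	diff := w.highest - seq
	if diff >= 64 {
		return false // older than the window: cannot tell, so drop
	}
	if w.bitmap&(1<<diff) != 0 {
		return false // already seen: replay
	}
	w.bitmap |= 1 << diff
	return true
}

// buildPacket constructs a minimal IPv4 packet carrying an ESP or AH header.
// Constructed sample data for the demonstration, not a capture.
func buildPacket(proto byte, spi, seq uint32) []byte {
	ip := make([]byte, 20)
	ip[0] = 0x45 // IPv4, 20-byte header
	ip[9] = proto
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	if proto == protoAH {
		hdr = append([]byte{17, 4, 0, 0}, hdr...) // next header UDP, payload length, reserved
	}
	return append(ip, hdr...)
}
```

In a real receiver the window check is only committed after the packet's integrity check passes, otherwise a forged sequence number could advance the window and cause genuine traffic to be dropped; the order matters for AH and for ESP with authentication enabled.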
SSL VPNs have become increasingly popular because of their clientless nature. A major advantage of SSL VPNs is that you do not need client software, only a web browser, which is available wherever an Internet connection exists.
Transmission Confidentiality
To ensure that data is kept private over insecure networks such as the Internet, transmission confidentiality is used. Because the Internet is a public network, ordinary access control mechanisms are unavailable. Therefore, you need to encrypt the data before transporting it over any untrusted network such as the Internet.
To provide transmission confidentiality, IPsec VPNs that support encryption can create a secure tunnel between the source and destination. As packets leave one site, they are encrypted; when they reach the remote site, they are decrypted. Eavesdropping on the Internet can occur, but with IPsec-encrypted packets it is much more difficult.
IPsec VPNs commonly use well-known algorithms to provide confidentiality for packets. The well-known cryptographic algorithms include Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4). These algorithms are thoroughly tested and checked and are considered trusted. However, keep in mind that cryptography can pose some performance problems, depending on the network's state. That is why it is important to carefully analyze the network before deploying VPNs with IPsec.
Data Integrity
Cryptographic protocols protect data from tampering by employing secure fingerprints and digital signatures that can detect changes in data integrity.
Secure fingerprints work by appending to the data a checksum that is generated and verified with a secret key. The secret key is known only to those who are authorized. An example of secure fingerprints is Hash-based Message Authentication Code (HMAC), which maintains packet integrity and the authenticity of the data protected.
Digital signatures use a related cryptographic method that digitally signs the packet data. A signer creates the signature using a key that is unique and known only to the original signer. Recipients of the message can check the signature by using the signature verification key. The cryptography inherent in digital signatures guarantees accuracy and authenticity because the originator signed it. Financial businesses rely on digital signatures to electronically sign documents and to prove that the transactions did in fact occur.
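The two integrity mechanisms just described, secure fingerprints (HMAC) and digital signatures, as an added example in Go (not code from the page or from Cisco). The packet, the HMAC key and the ECDSA key pair are constructed for the demonstration. It shows the difference that matters in practice: an HMAC can only be verified by someone who also holds the shared secret, whereas a signature is verified with the public key alone, so the verifier cannot forge one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// fingerprint is the secure fingerprint: HMAC-SHA256 over the data, keyed with a
// secret shared by sender and receiver. Only a holder of the key can produce it.
func fingerprint(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// verifyFingerprint recomputes the tag and compares it in constant time, so the
// comparison itself leaks nothing about how many bytes matched.
func verifyFingerprint(key, data, tag []byte) bool {
	return hmac.Equal(fingerprint(key, data), tag)
}

// sign is the digital signature: the signer's private ECDSA key signs a hash of the data.
func sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verify needs only the public key, so any recipient can check without being able to forge.
func verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// integrityDemo returns five checks, all expected true: HMAC accepts the original,
// HMAC rejects a tampered copy, signature accepts the original, signature rejects
// a tampered copy, signature rejects verification under someone else's key.
func integrityDemo() ([5]bool, error) {
	var r [5]bool
	packet := []byte("constructed sample: transfer 100.00 to account 42")   // constructed
	tampered := []byte("constructed sample: transfer 999.00 to account 42") // one field changed

	key := make([]byte, 32) // constructed shared HMAC key
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	tag := fingerprint(key, packet)
	r[0] = verifyFingerprint(key, packet, tag)
	r[1] = !verifyFingerprint(key, tampered, tag)

	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // signer's key pair
	if err != nil {
		return r, err
	}
	sig, err := sign(signer, packet)
	if err != nil {
		return r, err
	}
	r[2] = verify(&signer.PublicKey, packet, sig)
	r[3] = !verify(&signer.PublicKey, tampered, sig)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // unrelated key pair
	r[4] = !verify(&other.PublicKey, packet, sig)
	return r, nil
}

func main() {
	r, err := integrityDemo()
	fmt.Println("integrity checks:", r, err)
}
```

Use `hmac.Equal` rather than `bytes.Equal` for the tag comparison; an early-exit comparison lets a remote party measure how many leading bytes of a guessed tag were correct.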
- Analyze the need for transmission integrity.
- Factor in performance, but use the strongest cryptography.
- Always use well-known cryptographic algorithms.