BGP OSPF Questions: Difference between revisions

= IPSEC =
 
*Two modes: transport mode and tunnel mode.
*Tunnel mode - the whole original IP packet (header and data) is encrypted; the ESP header is placed between the new (outer) IP header and the original IP header. The diagrams below read right to left, with the outermost header on the right.
 
|-----Encrypted---------------|
 
Data | Original IP Header | ESP Header | New IP Header
 
*Transport mode - only the data (the Layer 4 payload) is encrypted; the original IP header is kept in the clear and placed in front of the ESP header.
 
|--Encrypted-----|
 
Data ------ | ESP Header | Original IP Header
 
 
 
 
*Encryption algorithms - DES, 3DES, AES (DES and 3DES are legacy; use AES for new deployments).
 
*Phase 1 - authentication of the IPsec peers and negotiation of the ISAKMP (IKE) SA, which provides the secure channel over which Phase 2 is negotiated. In Phase 1 the security policies are negotiated, a Diffie-Hellman exchange derives the shared secret from which the session keys are generated, and the remote peer is authenticated (with a pre-shared key or RSA). The pre-shared key itself is configured manually; it is not produced by the Diffie-Hellman exchange.
*Phase 2 - negotiates the IPsec SAs (transform set, lifetime, optional PFS); data is then transferred according to those SA parameters and the keys stored in the SA database (SADB).
 
*Transform sets consist of the encryption algorithm, the authentication (integrity) algorithm and the proposed key length.
*ISAKMP: authenticates the peers, determines whether authentication is by pre-shared key or RSA encryption, and prepares the SA, which includes the Diffie-Hellman group (the size of the DH modulus in bits, e.g. group 2 = 1024-bit, group 14 = 2048-bit) and the lifetime of the tunnel.
*Diffie-Hellman - public key exchange method that allows two peers to establish a shared secret key over an insecure channel.
*Secret pre-shared keys are manually entered on both peers to authenticate the remote peer.
 
*An SA consists of the encryption algorithm, the authentication algorithm, the destination address, the key length and the lifetime of the tunnel.
*The IPsec transform set determines the security protocol (AH or ESP) and the encryption algorithm (DES/3DES/AES) for the data transported across the secure tunnel, plus the integrity algorithm; esp-sha-hmac, for example, selects ESP with HMAC-SHA-1 authentication of each packet. The transform set does not share keys; keys come from the IKE exchange.
*Each SA has a lifetime based on two factors: the amount of data transferred (kilobytes) or time in seconds, whichever is reached first.
*Mode (tunnel/transport) can be defined in the transform set only.
 
1. Define the ISAKMP policy
2. Define the transform set (includes the encryption and data integrity algorithms)
3. Create an ACL for the interesting traffic
4. Create a crypto map that references the previously defined parameters
5. Apply the crypto map to the outgoing interface
 
*If we want to use RSA keys instead of a pre-shared key, the ISAKMP identity also needs to be defined. With authentication rsa-encr (RSA encrypted nonces) each router must also hold the peer's RSA public key locally; the identity (address or hostname) is what the peer uses to look that key up.
crypto isakmp policy 1
 authentication rsa-encr
 group 2
 lifetime 240
crypto isakmp identity hostname
 
*Protocol 50 - ESP traffic
*Protocol 51 - AH traffic
*UDP 500 - ISAKMP traffic
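Putting the five steps together, here is a complete IOS configuration for one end of a pre-shared-key site-to-site tunnel. This is an added example, not part of the original notes: the peer and interface addresses (203.0.113.x), the protected subnets (192.168.1.0/24 and 192.168.2.0/24), the names TS-AES, VPN-TRAFFIC and CMAP, and the key string are made-up placeholders, and it deliberately uses AES-256, SHA-256 and DH group 14 rather than the DES/3DES and group 2 shown above, which are deprecated.

```cisco
! Step 1 - ISAKMP (IKE Phase 1) policy: AES-256, SHA-256, pre-shared key, DH group 14
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Pre-shared key for the remote peer (placeholder key and peer address)
crypto isakmp key S3cr3tPSK-ChangeMe address 203.0.113.2
!
! Step 2 - transform set (IPsec SA proposal used in Phase 2): ESP with AES-256 and HMAC-SHA
! Tunnel/transport mode is set here and nowhere else
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3 - interesting traffic: LAN-to-LAN traffic between the two sites
! The far end needs the mirror image of this ACL
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 4 - crypto map tying peer, transform set, ACL and IPsec SA lifetime together
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! Step 5 - apply the crypto map to the outside (outgoing) interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CMAP
```

Two checks a practitioner wants after pushing this: if the outside interface also does NAT, the VPN-TRAFFIC subnets must be excluded from the NAT ACL or the crypto ACL will never match; and the tunnel state is verified with show crypto isakmp sa (Phase 1, expect QM_IDLE) and show crypto ipsec sa (Phase 2, encaps/decaps counters increasing), which map directly to the two phases described above.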
 
*All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
 
*A stateful firewall like the ASA, however, takes into consideration the state of a packet:
*Is this a new connection?
*If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the "session management path," and depending on the type of traffic, it might also pass through the "control plane path."
 
*The session management path is responsible for the following tasks:
Performing the access list checks
Performing route lookups
Establishing sessions in the "fast path"
 
*Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
 
*Is this an established connection?
 
*If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the "fast" path in both directions. The fast path is responsible for the following tasks:
 
IP checksum verification
Layer 3 and Layer 4 header adjustments
 
*Data packets for protocols that require Layer 7 inspection can also go through the fast path.
 
= BGP =