WEBVTT

00:04.579 --> 00:06.660
>> After you choose whether or

00:06.660 --> 00:08.070
not you want to be
in tunnel mode,

00:08.070 --> 00:09.270
or transport mode,

00:09.270 --> 00:11.250
the next decision you
want to make is what

00:11.250 --> 00:13.979
protocols you want
to use for IPSec.

00:13.979 --> 00:15.450
There are two main ones that

00:15.450 --> 00:17.175
provide the security service.

00:17.175 --> 00:18.645
One is called AH,

00:18.645 --> 00:21.045
which stands for
Authentication Header.

00:21.045 --> 00:24.880
Authentication Header will
provide non-repudiation,

00:24.880 --> 00:28.490
because what will happen with
IPSec and authentication

00:28.490 --> 00:30.410
is the Authentication
Header is going

00:30.410 --> 00:32.375
to run something called an ICV,

00:32.375 --> 00:34.600
an Integrity Check Value.

00:34.600 --> 00:38.160
That Integrity Check Value
is essentially a hash.

00:38.160 --> 00:40.430
We haven't talked about
what hashing is yet,

00:40.430 --> 00:42.080
but the whole purpose of a hash

00:42.080 --> 00:44.245
is to detect modification.

00:44.245 --> 00:46.740
By running this
Integrity Check Value

00:46.740 --> 00:48.225
on the header of the packet,

00:48.225 --> 00:51.040
that guarantees the header
hasn't been modified.

00:51.040 --> 00:52.775
When a packet is spoofed,

00:52.775 --> 00:55.555
it's the IP header that
does get modified.

00:55.555 --> 00:57.410
What we get is an assurance that

00:57.410 --> 00:59.555
the IP header has not
been manipulated,

00:59.555 --> 01:01.160
which gives us authenticity.

01:01.160 --> 01:04.100
That giving us
authenticity is great,

01:04.100 --> 01:08.340
but we do not get
confidentiality with the AH.

01:08.780 --> 01:11.290
Honestly, a lot of times we

01:11.290 --> 01:13.585
use IPSec for confidentiality.

01:13.585 --> 01:16.480
We want to encrypt
our data, so often,

01:16.480 --> 01:19.580
we're going to use a different
protocol called ESP.

01:19.580 --> 01:23.490
ESP stands for Encapsulating
Security Payload.

01:23.490 --> 01:25.240
That's the protocol that's going

01:25.240 --> 01:26.990
to provide us with encryption.

01:26.990 --> 01:29.290
It also uses something
called a MAC,

01:29.290 --> 01:31.720
which is a message
authentication code to

01:31.720 --> 01:33.190
determine whether
or not there's been

01:33.190 --> 01:35.135
modification of the packet.

01:35.135 --> 01:38.100
You really get pretty
decent integrity checking,

01:38.100 --> 01:39.810
and a little bit of authenticity,

01:39.810 --> 01:41.595
and encryption with ESP,

01:41.595 --> 01:44.170
so it's a very popular choice.

01:44.550 --> 01:47.560
The third protocol
mentioned here is one

01:47.560 --> 01:50.470
called IKE, Internet
Key Exchange.

01:50.470 --> 01:52.450
I always think about IKE like

01:52.450 --> 01:54.515
you think about a
roadie at a concert.

01:54.515 --> 01:56.005
You go to a concert,

01:56.005 --> 01:57.400
you show up early and there's

01:57.400 --> 01:59.350
a guy in a t-shirt
and cut-off jeans,

01:59.350 --> 02:00.850
no matter what the weather is,

02:00.850 --> 02:02.170
and he's laying out cable,

02:02.170 --> 02:03.280
he's checking the lights,

02:03.280 --> 02:05.770
checking the sound,
tuning instruments.

02:05.770 --> 02:07.480
Nobody's really there to see

02:07.480 --> 02:09.550
that guy unless it's his mom.

02:09.550 --> 02:13.000
We're here to see the
main act, and that's IKE.

02:13.000 --> 02:15.910
IKE doesn't provide
the security services.

02:15.910 --> 02:18.050
IKE doesn't get
any of the glory.

02:18.050 --> 02:21.140
All IKE does is go out
ahead of the communication,

02:21.140 --> 02:23.350
or ahead of the
exchange of information

02:23.350 --> 02:26.590
and sets up and negotiates
algorithms and keys,

02:26.590 --> 02:28.549
Internet Key Exchange.

02:28.549 --> 02:31.830
Actually, IKE is made
up of two sub-protocols,

02:31.830 --> 02:37.575
one called Oakley and
the other called ISAKMP.

02:37.575 --> 02:40.070
Oakley initiates
the key agreement

02:40.070 --> 02:42.450
through an algorithm
called Diffie-Hellman.

02:42.450 --> 02:44.425
More to come on that later.

02:44.425 --> 02:47.250
ISAKMP sets up what is

02:47.250 --> 02:50.070
referred to as a
security association.

02:50.070 --> 02:51.920
The security association is

02:51.920 --> 02:53.840
something you can think
of like a channel,

02:53.840 --> 02:55.370
or a unique identifier to

02:55.370 --> 02:57.760
reference each
secure connection.

02:57.760 --> 03:00.755
If I have three different
secure connections

03:00.755 --> 03:02.255
with three different systems,

03:02.255 --> 03:05.830
I have various SAs,
security associations.

03:05.830 --> 03:07.905
To identify each one as unique,

03:07.905 --> 03:10.120
and actually, I'll have two SAs,

03:10.120 --> 03:12.230
one for outgoing communication

03:12.230 --> 03:15.660
and one for an incoming
communication.

03:15.770 --> 03:19.015
Again, that security association

03:19.015 --> 03:21.475
allows me to keep each
session as unique.

03:21.475 --> 03:23.220
It has an identifier called the

03:23.220 --> 03:25.200
Security Parameters Index,

03:25.200 --> 03:27.380
and that one field
will always be unique

03:27.380 --> 03:30.050
even if I have multiple
security sessions opened

03:30.050 --> 03:31.614
up on the same system.

03:31.614 --> 03:33.500
The SPI will provide

03:33.500 --> 03:37.140
the randomness or at least
the pseudo-randomness.

03:37.930 --> 03:40.400
Next we've got GRE,

03:40.400 --> 03:41.660
which is another protocol

03:41.660 --> 03:44.165
called Generic Routing
Encapsulation.

03:44.165 --> 03:46.310
GRE doesn't really provide

03:46.310 --> 03:48.324
encryption or authentication.

03:48.324 --> 03:50.820
It's just about
encapsulation.

03:50.820 --> 03:52.700
We saw this back
in the olden days

03:52.700 --> 03:54.365
with systems using AppleTalk,

03:54.365 --> 03:56.960
trying to traverse
a TCP/IP network,

03:56.960 --> 04:00.290
so GRE would be used
for encapsulation.

04:00.290 --> 04:04.565
Now we see it with
IPv4 to IPv6 networks.

04:04.565 --> 04:07.520
Sometimes you'll see it for
multicast traffic because

04:07.520 --> 04:10.850
multicast traffic can't
traverse typical VPNs,

04:10.850 --> 04:12.500
so GRE is something that's

04:12.500 --> 04:15.330
a protocol coming
back into favor.

04:15.380 --> 04:18.250
Let's wrap it up
for remote access.

04:18.250 --> 04:19.970
We looked at dial-up and talked

04:19.970 --> 04:21.815
about Point-to-Point protocol,

04:21.815 --> 04:23.795
and the fact that it uses PAP,

04:23.795 --> 04:26.765
CHAP, and EAP for
authentication.

04:26.765 --> 04:29.650
We said point-to-point
protocol provides the Layer 2

04:29.650 --> 04:33.225
connectivity and framing
for WAN connectivity,

04:33.225 --> 04:37.750
and to get authentication we
needed PAP, CHAP and EAP.

04:37.750 --> 04:40.440
PAP is sending passwords
in plain text.

04:40.440 --> 04:41.699
We don't like it.

04:41.699 --> 04:44.465
CHAP protects our
passwords better,

04:44.465 --> 04:46.190
but it's still only capable

04:46.190 --> 04:48.169
for password authentication.

04:48.169 --> 04:51.470
Then EAP is what we're
using today in a lot of areas,

04:51.470 --> 04:53.780
because it will support
more than just passwords,

04:53.780 --> 04:57.190
things like tokens,
certificates, and so on.

04:57.190 --> 04:59.960
What replaced
dial-up connectivity

04:59.960 --> 05:02.345
is tunneling and
creating our VPNs.

05:02.345 --> 05:04.250
We're certainly looking
at other ways to

05:04.250 --> 05:06.530
connect today beyond the VPNs,

05:06.530 --> 05:09.755
but the VPNs were created
with tunneling protocols.

05:09.755 --> 05:12.655
We have Point-to-Point
Tunneling Protocol,

05:12.655 --> 05:15.290
which is really the first
main tunneling protocol.

05:15.290 --> 05:18.260
We've got L2TP that enhanced

05:18.260 --> 05:20.000
Point-to-Point
Tunneling Protocol and

05:20.000 --> 05:22.505
allowed it to separate
from IP networks.

05:22.505 --> 05:26.405
Remember, L2TP has
no built-in security

05:26.405 --> 05:29.470
and it uses IPSec to
secure its traffic.

05:29.470 --> 05:32.460
We have Generic
Routing Encapsulation

05:32.460 --> 05:34.520
and we also talked about IPSec,

05:34.520 --> 05:37.220
which can be used
for VPN tunnels,

05:37.220 --> 05:39.260
but it can certainly
also be used on

05:39.260 --> 05:41.495
internal networks
to protect traffic.

05:41.495 --> 05:44.279
Those are your key takeaways.

