1. Part 1) Choose your own topic related to web technologiesappl.docx

1. Part 1) Choose your own topic related to web
technologies/applications, you consider important, and describe
the topic in detail. Do not select any security related topic.
Below is a list of sample topics you may choose:
HTTP protocol (HTTP requests/responses/methods, HTTP
headers, Cookies, status codes, difference between HTML and
HTTP)
Client side technologies (e.g., JavaScript, HTML or …)
Server side technologies (e.g., PHP, Java platform or …).
Web caching/proxy (also known as content delivery network).
Many more.
Part 2) Conduct research on web security vulnerabilities.
Select one vulnerability, you consider important, and describe
it in detail. Explain how the vulnerability you described can be
overcome or prevented. In addition, briefly explain why you
chose the vulnerability.
2, Part A) Give one good example of a covert storage channel.
Explain how the covert storage channel you described can be
mitigated or prevented.
Part B) Give one good example of a covert timing channel.
Explain how the covert timing channel you described can be
mitigated or prevented.
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion
Prevention, and Penetration Testing
CSEC
640
© UMUC 2012 Page 1 of 33

Contents
Topic 1: Analogy
...............................................................................................
............................... 2
A Different Way to Connect
...............................................................................................
.......... 2
Topic 2: Module Introduction
...............................................................................................
............ 4
Topic 3: Basics of Virtual Private Networks
..................................................................................... 5
Introduction
.............................................................................................. .
................................... 5
Tunneling
...............................................................................................
...................................... 7
Topic 4: IPsec Virtual Private Networks
.......................................................................................... 9
Introduction to IPsec
...............................................................................................
..................... 9
IPsec Mode
...............................................................................................
................................. 10
IPsec Security Association
...............................................................................................
.......... 14
Topic 5: IPsec Components
...............................................................................................

........... 15
Introduction to IPsec Components
.............................................................................................
15
Authentication Header
...............................................................................................
................ 16
Activity: Identifying Mutable Fields
........................................................................................... ..
17
Authentication Header (AH) Modes
...........................................................................................
18
IPsec Encapsulating Security Payload (ESP)
............................................................................ 19
Encapsulating Security Payload (ESP) Modes
.......................................................................... 21
Cryptographic Key Management Procedures and Protocols
..................................................... 22
Activity: Making a Secure VPN Connection
............................................................................... 24
Topic 6:
Summary.................................................................................
......................................... 30
Glossary
...............................................................................................
.......................................... 31
CSEC
640

Topic 1: Analogy
IPsec VPN
CSEC 640 – Module 8
A virtual private network (VPN) uses the Internet to establish
connections between
members spread over wide geographic areas as if they were on a
local private network.
To better understand how a VPN works, compare the remote
sites and users of a private
network to a group of islands. The inhabitants of the Faraway
Islands use a series of
connections to travel between the islands. The analogy explains
how these connections
are similar to a VPN.
Analogy
Step 1
The individual islands comprising the Faraway Islands are
connected by waterways.
Similarly, the members of a network are connected to each other
through the Internet.

Step 2
The residents of the Faraway Islands usually travel from one
island to another by using a
public transport system such as a ferry. However, they have no
control over the route or
schedule.
In addition, although the public ferry is cheap, it does not offer
the islanders any privacy.
Fellow travelers can easily guess where people are headed and
see what cargo is being
carried.
Similarly, companies with remote offices and remote workers
usually use Web servers to
connect with each other. Internet users have no control over the
wires and routers of
public servers.
Also, even though using the Internet is cheap, it offers little
privacy. Other users can
often see which users are connected and what data is being
transmitted between them.
Step 3
To overcome the disadvantages of using a public ferry, the
residents can build a bridge
connecting the islands.
However, building a bridge is practical only if the distance
between the islands is short,
the traffic is frequent, and the cost is not too high.
Similarly, although networks can be connected using wide area
networks (WANs) and
leased lines, the cost of connections is determined by the

distance between a network’s
members.
CSEC
640
Sometimes, the cost of connecting to a small, far-flung remote
site could be many times
that of connecting to a larger site nearby.
Step 4
The islanders also have the option of buying their own boats.
With a private ferry,
travelers can plan their routes as well as their schedules at their
convenience.
Also, even if other travelers see the private boat in the ocean,
they have no inkling about
its source, its destination, or what is being carried in the boat.
Similarly, the installation of a VPN offers a different and
private way to connect over the
public Internet. A VPN allows its users to schedule and route
their data in a secure way.
Step 5
Private ownership of boats necessitates building marinas on the
islands to enable

connections. Boat owners are free to choose from several
marinas. In turn, marina
owners can support many types of boats.
Similarly, companies opting for a VPN need VPN components
such as VPN gateways
and VPN client software to establish connections.
Step 6
Boat owners can keep adding to the existing number of private
boats and routes.
Similarly, a VPN can be scaled to accommodate more users and
locations without
replacing the existing infrastructure.
CSEC
640
Topic 2: Module Introduction
Today, most businesses are Internet-driven. The ever-evolving
Internet helps companies
extend business networks to tap a world of opportunities. The
use of the Internet started
with companies setting up intranets to offer their employees a
secure means to

communicate with each other. Now the Internet helps companies
create their own VPNs
to accommodate their growing telecommuting requirements
through a secure and
scalable private network.
This module examines the basics of a VPN. It discusses
different VPN architectures, the
basis of VPN technology, and modes of data transmission. The
module explores Internet
Protocol Security (IPsec) and its components. It also covers the
phases involved in
setting up secure IPsec tunnels between endpoints.
CSEC
640
Introduction
VPNs are based on the concept of creating a private “tunnel” to
route data over an
insecure public infrastructure such as the Internet. With VPN
technology, Host A in the

private local area network (LAN) A can securely communicate
with Host B in another
network as if Host B were located in the private LAN A.
A typical VPN might consist of a main LAN at the headquarters
of a company, other
LANs at the branch offices, and remote users that connect from
the field.
VPN Types
VPNs use two types of VPN architecture to transport data:
remote access VPN, or host-
to-gateway architecture, and site-to-site intranet VPN, or
gateway-to-gateway
architecture.
1. Remote Access VPN Architecture
A remote access VPN is a user-to-LAN connection enabled by
deploying a VPN
router or gateway on the network. A remote access VPN allows
people in remote
geographic locations to establish secure connections with their
company’s network
and work as if they were plugged in directly.
Consider the case of Cohere Auto Spares Manufacturer
(CASM), an organization
with corporate headquarters in Baltimore, Maryland, and 12
branch offices across
North America, Europe, and Asia. In addition, the company has
a sizeable number of
salespeople in the field and an equal number of employees
working from their
homes.

CASM uses leased lines and maintains a WAN to connect its
workforce across the
globe. However, maintaining the WAN using leased lines is
expensive because of
the increase in the number of connections to the CASM
network. In addition, the cost
of maintaining the connections increases with the distance
between the offices and
the length of time that the employees stay connected.
Companies such as CASM can deploy a VPN router or gateway
onto their network to
enjoy the benefits of remote access VPN architecture, of which
some are listed
below.
Reduction in Networking Costs
Remote users usually use dial-up access to connect from their
homes or other
remote locations to their company’s network. A dial-up
connection is comparable to a
long-distance carrier that requires payments to be made to the
intermediaries who
have facilitated the connection. However, remote access VPN
users do not have to
pay any intermediaries since they can use the Internet and
therefore achieve
significant reduction in costs.

CSEC
640
Security
Regardless of an employee’s location, a VPN allows remote
users to share sensitive
resources without the fear of interception or loss of security.
2. Site-to-Site Intranet VPN
In a site-to-site intranet VPN, a secure connection can be
established between
different physical locations such as the headquarters, remote
offices, and branch
offices of an organization. Gateways exist at various physical
locations within the
same business, and tunnels are created using IPsec.
For companies like CASM, which need to link remote users
from homes and sales
fields as well as hundreds of employees across CASM’s branch
offices, a site-to-site
intranet VPN is an apt choice. VPN gateways at the CASM
office sites ensure the
establishment of secure communication channels. Therefore, an
employee on a
computer in the Baltimore office can communicate with another
employee in the
Fairfax, Virginia, office through this secure VPN channel

without being aware of the
channel in between.
CSEC
640
Tunneling
The key concept of VPNs is tunneling. Tunneling is the
technique of moving data
through a public network such that the routing nodes in the
public network do not
recognize that the data transmission is part of a private network.
Tunneling allows users
to establish private network connections to send data over
public networks. That is why
this technology is called a virtual private network.
Types of Tunneling
Using tunneling protocols provides a standardized way of
encapsulating data packets.
Several tunneling protocols have been developed for securing
VPN connections, and
they can be broadly classified into Layer 2 and Layer 3

tunneling protocols.
Tunneling Protocols
Layer 2 Tunneling Protocols
Layer 3 Tunneling Protocols
Correspond to the data-link layer. Correspond to the network
layer.
Use frames as the unit of data exchange.
Use packets as the unit of data
exchange.
Encapsulate data in a Point-to-Point
Protocol (PPP) frame before sending it
across a network.
Encapsulate data in the Authentication
Header (AH) and/or Encapsulating
Security Payload (ESP) before sending it
across a network.
Examples: Point to Point Tunneling
Protocol (PPTP), Layer 2 Tunneling

Protocol (L2TP), and Layer 2 Forwarding
(L2F)
Example: IPsec
Advantages of Tunneling
Tunneling offers the following advantages.
infrastructure since one
protocol is encapsulated within another. In other words, it is
more efficient to
transport many different protocols, such as Hypertext Transfer
Protocol (HTTP) and
Telnet, over a single VPN tunnel.
though the users had
access to their own private network by routing privately
addressed packets through a
public infrastructure.
confidentiality of routed data.
existing infrastructure.

CSEC
640
Try This!
Choose the correct answer.
Question: Which tunneling protocol uses packets as its unit of
data exchange?
a. PPTP
b. L2F
c. IPsec
d. L2TP
Correct answer: Option c
Feedback for correct answer:
That’s correct.
IPsec is a layer 3 tunneling protocol, and it uses packets as its
unit of data exchange.
Feedback for incorrect answer:
Not quite.
This is a layer 2 tunneling protocol, and it uses frames as its
unit of data exchange.

CSEC
640
Introduction to IPsec
Of all the tunneling protocols researched and developed for
establishing a secure VPN
connection, the most significant protocol is IPsec. However,
IPsec is not a single
protocol but a framework that includes related open standards
developed by the Internet
Engineering Task Force.
In Which Situations Can IPsec Be Used?
IPsec provides security in the following situations: host-to-site
or gateway architecture
and gateway-to-gateway or site-to-site architecture. IPsec is
most commonly used for
the gateway-to-gateway architecture.
How Does IPsec Provide Security?
IPsec ensures private and secure communication over Internet
Protocol (IP) networks by
securing all IP traffic at the network layer. IPsec framework
also secures all network
applications and communications that use the IP network.
IPsec combines cryptographic algorithms such as hashing,

symmetric key, and
asymmetric key. This IPsec ability helps to enhance data
security by offering enhanced
confidentially, integrity, authentication, replay detection, and
nonrepudiation.
CSEC
640
IPsec Mode
There are two methods by which an IPsec protocol can be
applied to an IP packet when
data is to be encapsulated before being transmitted between two
users or IPsec peers
over a public network. One is the transport mode and the other
is the tunnel mode.
Transport Mode
Transport mode protects the higher-layer protocols such as TCP,
UDP, and application
layers, and is generally used in host-to-host architecture.

In transport mode, the IPsec header is inserted between the
original IP header and the
payload. However, transport mode is available only when the
source and destination of
the original IP datagram are IPsec endpoints.
Step 1:
This step shows the data to be transmitted from Host A to Host
B.
Step 2:
The image shows the data packet with the original IP header and
the data portion.
CSEC
640
Step 3:
An IPsec header is inserted between the original IP header and
the data portion.

Step 4:
The new data packet is transmitted in IPsec transport mode.
Tunnel Mode
Tunnel mode is generally deployed in a site-to-site VPN
architecture. In the tunnel mode,
IPsec encapsulates the full IP header as well as the payload.
Therefore, an original IP
packet becomes the payload of another, new IP packet. The IP
address in the new IP
header is used to route the packet through the Internet.
Once the packet arrives at a destination network, the IP address
in the original IP header
is used to route the packet within the destination network. The
tunnel mode is selected if
IP addresses of hosts in each site are not known or revealed.
Step 1:
The animation shows the data to be transmitted from IPsec Peer
Site 1 to IPsec Peer
Site 2.
CSEC
640

Step 2:
The image shows the data packet with the original IP header and
the data portion.
Step 3:
An IPsec header is inserted between the new IP header and data
portion.
CSEC
640
Step 4:
The new data packet is transmitted in IPsec tunnel mode.

CSEC
640
IPsec Security Association
Certain security measures require that they be applied to an IP
packet when it is being
transmitted over an IPsec tunnel. The IPsec security association
(IPsec SA) defines
these security measures.
SAs can be negotiated dynamically between two communication
peers when they want
to use security services provided by IPsec.
An IPsec SA can be identified by three parameters.
The Destination IP Address parameter contains the destination
IP address of the
endpoint of the SA.
The Security Protocol Identifier specifies a protocol number.

For example, the AH
protocol number is 51 and ESP protocol number is 50. Note that
this protocol
number is specified in the IP header.
The Security Parameter Index (SPI) is a 32-bit number chosen
by the destination
endpoint of the SA.
Note that the source IP address is not used to define an SA,
which means that an SA is
a unidirectional connection established between IPsec peers.
Therefore, if two peers
need to exchange information in both directions, two SAs are
required.
CSEC
640
Introduction to IPsec Components

IPsec employs three components to ensure that data is protected
when transported over
IP networks. The components include:
also provide
authentication
such as the Internet
Security Association and Key Management Protocol (ISAKMP)
or the Internet Key
Exchange (IKE), which provide mechanisms for session key
creation, its exchange,
and/or secure data exchange
CSEC
640
Authentication Header

When confidentiality is not required, an administrator can
deploy an IPsec with the AH
protocol instead of the ESP protocol.
The AH protocol offers data integrity and authentication using
Hash-Based Message
Authentication Code (HMAC). A hash is created on both an IP
packet and a secret key
that is shared by the two communication endpoints. This hash is
then added to the AH.
Authentication cannot be provided over the whole IP header
because some fields in the
IP header may change during transit.
The most important AH fields are the SPI and Sequence Number
fields.
The 32-bit long SPI value is used together with the destination
IP address and IPsec
security protocol number to uniquely identify the Ipsec SA for
an IP packet. The
Ipsec SA is typically chosen by the destination system when the
Ipsec SA is
established.
The sequence number is a sequential number assigned to each
packet. Only
packets within a sliding window of sequence numbers are
accepted. Any packet with
an invalid or out-of-range sequence number is rejected. This

enables AH to offer
anti-replay protection.
This field contains a hash value created by a keyed hash
algorithm, also known as a
Message Authentication Code (MAC) algorithm.
CSEC
640
Activity: Identifying Mutable Fields
Now that you have learned about the IPsec AH header, answer
the following question.
Question: Which field of an IP header can be authenticated by
IPsec AH?
a. Time to Live (TTL)
b. Fragment Offset
c. Fragmentation Flag
d. Header Checksum

e. Type of Service (TOS)
f. Source IP Address
Correct answer: Option F
Feedback:
TTL, fragment offset, fragmentation flag, header checksum, and
TOS are all mutable
fields in the IP header. No mutable IP field can be used as an
input to a hash function.
Therefore, only the source IP address field can be authenticated
by IPsec AH.
The TTL value of an IP header decreases by one every time the
IP packet passes a
routing device. Also, whenever an IP packet takes a path having
different maximum
transmission unit (MTU) links, it gets fragmented into pieces,
and both the fragment
offset and the fragmentation flag fields change. In addition,
with changes in an IP packet,
the header checksum value changes. Moreover, a router can
change TOS value during
transit. Only the source IP address does not change.
CSEC
640

Authentication Header (AH) Modes
AH can be deployed in transport as well as in tunnel mode. In
both modes, the entire IP
packet is authenticated.
In transport mode, the original IP header is retained, and the AH
is inserted between
the IP header and the TCP header.
In tunnel mode, a new IP header is created for the new IP
packet. The AH is inserted
between the new IP header and the original header. The original
IP packet is
encapsulated in the new IP header. The new IP header contains
the source and
destination IP addresses of the IPsec gateways between which
the new packet will
travel.

CSEC
640
IPsec Encapsulating Security Payload (ESP)
The IPsec ESP protocol operates by adding a header and a
trailer around each packet’s
payload. Unlike AH, ESP fields are spread throughout an IP
packet. When an IP packet
is fragmented, the ESP process is applied to the whole IP
packet. The entire IP packet is
then reassembled by security devices, such as VPN gateways or
VPN enabled firewalls,
before it is processed further.
The ESP header consists of two fields: SPI and Sequence
Number.
Security Parameter Index (SPI) 32-bit
Each endpoint of each IPsec connection contains a randomly
chosen SPI value. This
SPI value acts as a unique identifier for the connection. Just
like the AH header, the

receiver uses the SPI value, along with the destination IP
address and the IPsec
protocol type, to determine which SA is being used.
Sequence Number 32-bit
As with AH, in ESP the sequence number is a sequential number
assigned to each
packet. Only packets within a sliding window of sequence
numbers are accepted. Any
packet with an invalid or out-of-range sequence number is
rejected. This enables AH to
offer anti-replay protection.
ESP Functions
ESP provides confidentiality, integrity, and authentication of
data.
Data Confidentiality
ESP offers encryption services to translate a readable message
into an unreadable
format in order to hide the contents of the message or make the
message confidential.
The receiver decrypts the message to read the data.
The ESP protocol encrypts the payload using symmetric key
ciphers, such as:
-bit key
-
bit key
-bit
key

CSEC
640
Data Integrity and Authentication
Like AH, ESP also uses keyed HMAC algorithms to provide
data integrity and
authentication services. Two typical HMAC algorithms used in
VPN are Secure Hash
Algorithm-1 (SHA-1) HMAC and Message Digest 5 (MD5)
HMAC.
When security needs are higher, SHA-1 HMAC is used instead
of MD5 HMAC since
SHA-1 HMAC is cryptographically stronger.
Source: Frankel, S., Kent, K., Lewkowski, R., Ritchey, R., &
Sharma, S. (2005). Guide to IPsec VPNs. (NIST
Special Publication 800-77). Retrieved from
http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
CSEC
640

Encapsulating Security Payload (ESP) Modes
The ESP protocol can be deployed in transport or tunnel mode.
ESP can be used alone or with AH. ESP alone can provide
authentication services in
addition to encryption, so it is often used without AH. If the
authentication is not applied,
the ESP authentication segment is not appended. When ESP
encryption is applied, all
the fields between the ESP header and the ESP trailer are
encrypted.
ESP Transport Mode
ESP transport mode encrypts the TCP header field, data field,
and ESP trailer field while
leaving the original IP header in open clear text. In addition, in
the ESP transport mode,
all the fields except the IP header are authenticated as shown in
the diagram.
Note that the ESP header is inserted between the original IP
header and TCP header.
ESP Tunnel Mode
ESP tunnel mode encrypts the entire packet except the new IP
header field. In addition,
in the ESP tunnel mode, all the fields except the new IP header
are authenticated as

shown in the diagram.
Note that the ESP header is inserted between the new IP header
and original IP header
fields.
CSEC
640
Cryptographic Key Management Procedures and Protocols
Introduction
IPsec uses two protocols for secure key determination and key
distribution mechanisms:
Internet Key Exchange (IKE) and Internet Security Association
and Key Management
Protocol (ISAKMP).
ISAKMP describes the set of procedures that two VPN gateways
go through to set up
VPN connections. ISAKMP also specifies the procedure and

packet formats necessary
to establish, negotiate, modify, and remove SAs at the two IPsec
endpoints.
In addition, ISAKMP defines the framework for key
management between the two VPN
endpoints. In the absence of a proper key-management setup,
IPsec cannot exist.
However, ISAKMP does not offer any actual mechanism to
exchange keys.
The IKE protocol establishes a secure channel over which to
exchange security
parameters. IKE defines a proper key-exchange mechanism for
creating and exchanging
cryptographic keys when two VPN endpoints communicate.
Through IKE, the two
endpoints derive authenticated keying material and negotiate
SAs that are used for ESP
and AH protocols.
IKE Phases
ISAKMP defines two phases in the procedures that two VPN
endpoints go through when
trying to make a secure VPN connection: IKE Phase 1 and IKE
Phase 2.
The main goal of the IKE protocol is to create and negotiate
security associations (SAs).
Note that SA is a term used to refer to a set of values that
define IPsec features and
protection mechanisms applied to an IPsec VPN connection.
IKE Phase 1
The main purpose of IKE Phase 1 is for two IPsec endpoints to
successfully negotiate an

IKE SA. The negotiation of the IKE SAs during IKE Phase 1
includes:
-1 or MD5
HMAC algorithm.
Shamir, and Adleman
(RSA) signature, or RSA encryption nonces for authentication.
-Hellman (DH) key group by making a
choice between DH1, DH2,
DH5, or DH7. Note that higher group numbers are more secure,
but require more
computation power to compute the key.
The goal of the IKE SA is to provide bidirectional encryption
and authentication for the
IKE Phase 2. During IKE Phase 2, another SA, known as IPsec
SA, is negotiated.
Step 1: Negotiate Policy
In this step, two VPN entities negotiate and agree upon the
encryption and
authentication algorithms, mode, protocols, HMAC, lifetime,
IPsec value, and DH key
that will be used in subsequent IKE communication.
CSEC
640

Step 2: DH Key Exchange
Based on the parameters negotiated, a shared secret master key
is generated by the
DH public key algorithm. This symmetric encryption key is then
used to generate all
other encryption and authentication keys.
Step 3: Authenticate Peers
Next, the two parties authenticate each other using a
predetermined mechanism.
Typically, VPN entities use authentication protocols such as
PSKs, RSA encrypted
nonces, or RSA signatures that are X.509-certified and require
X.509 CA.
IKE Phase 2
The goal of IKE Phase 2 is to establish another SA, known as
IPsec SA, for the actual
IPsec connection. IPsec SA is unidirectional. This means that
two SAs are required for
bidirectional data flow between two VPN endpoints, as shown
in the diagram. Since
there are two network flows from Router A to Router B and
Router B to Router A, two
different SPI values exist. The communications occurring
during IKE Phase 2 are
protected by the methods specified in IKE Phase 1.
After the IPsec SAs are established during IKE Phase 2, all
active SAs are stored in a
security association database. The following information is
included in the security

association database for each VPN connection.
AC).
An IPsec SA is uniquely defined by three important parameters:
the destination IP
address, the SPI, and the IPsec security protocol.
CSEC
640
Activity: Making a Secure VPN Connection
Introduction

An Enhanced Interior Gateway Routing Protocol (EIGRP) is
running on CASM’s three
routers, R1, R2, and R3. R2 connects R1 and R3.
An IPsec VPN tunnel has been established between R1 and R3.
The goal of this IPsec
tunnel is to achieve authentication. R1 authenticates the traffic
originating from R3 at the
Fairfax, Virginia, office. The R3 gateway router authenticates
the network traffic
originating from CASM’s Baltimore, Maryland, office.
The applications running at both sites cannot tolerate any
significant delay, and
confidentiality is not required. Therefore, the gateway routers
do not encrypt or decrypt
IP packets and quickly process the IP packets.
In the following activity, you will analyze the IP packets
captured during data
transmission between R1 and R3.
Workspace
Analyze the following screenshots and choose the correct
option.
Question 1: Which of the following screenshots shows an IP
packet traveling through
the IPsec tunnel between the Baltimore and Fairfax gateway
routers?

CSEC
640
a. Option 1
Reference: Wireshark product screenshot reprinted with
permission from the Wireshark Foundation.
b. Option 2
CSEC
640
Correct answer: Option a
Feedback:
Since the goal of the IPsec tunnel is to achieve authentication,
not confidentiality, only

AH is used. The correct IP packet has only an AH header. The
first packet has an AH
header inside the packet.
Question 2: In the screenshot below, identify the SPI used in
AH.
Options:
a. Next Header: IPIP (0x04)
b. Length: 24
c. AH SPI: 0x5a84fcd1
d. AH Sequence: 8
e. AH ICV: 26fe6bb17f689ab324998216
Correct answer: Option c
Feedback:
The bottom window shows the detail of packet 8. In the AH in
the bottom window, one of
the fields says “AH SPI: 0X5a84fcd1”; it tells you the value of
SPI.
Question 3: The screenshot indicates that a ping packet has been
sent from the
Baltimore LAN (172.16.1.0/24) to the Fairfax LAN
(172.16.3.0/24) using the IPsec
tunnel. Analyze these packets to find which protocol and which
mode each packet has
used.

CSEC
640
Packet A
Answer the question based on your analysis of the screenshot.
Packet A uses the AH Tunnel mode.
a. True
b. False
Correct answer: Option A
Feedback:
You can safely conclude that AH mode is used since Packet A
has only the AH header.
Also, you can see that it uses the tunnel mode because the
screenshot displays two
different pairs of IP addresses: 172.16.3.1/172.16.3.3 and
192.168.12.1/192.168.23.3.
Question 4: The screenshot indicates that a ping packet has been
sent from the
Baltimore LAN (172.16.1.0/24) to the Fairfax LAN

(172.16.3.0/24) using the IPsec
tunnel. Analyze these packets to find which protocol and which
mode each packet has
used.
CSEC
640
Packet B
Answer the question based on your analysis of the screenshot.
Packet B uses the ESP Tunnel mode.
a. True
b. False
Correct answer: Option A
Feedback:

A careful observation reveals that ESP mode is used since
Packet B has only the ESP
header. Also, you can see that it uses the tunnel mode because
the screenshot displays
only one pair of IP addresses, 192.168.12.1/192.168.23.3, even
though the ping packet
is sent from 172.16.1.1 to 172.16.3.1. This means a new pair of
IP addresses is added
to the original IP packet, an indication that the tunnel mode is
used.
Review
The scenario presented in this activity uses a preshared key as
an authentication
method. A preshared key method is appropriate only when the
number of gateway
routers is small and simple to configure. In general, RSA
encryption and RSA signature
authentication methods are more common in practice. RSA
signatures used are
generally X.509 certificate-based and require X.509 CA.
CSEC
640
Further Challenges
Study an SSL VPN technology and compare it with IPsec VPN.
What are the
advantages and disadvantages of each VPN technology?

CSEC
640
Topic 6: Summary
We have come to the end of Module 8. The key concepts
covered in this module are
listed below.
ter
network created using a
public network, such as the Internet. It allows distant users to
communicate
privately, with reduced costs.
remote access or site-
to-site Intranet.
gy is based on the tunneling capacity of
Internet protocols. Data
may be transmitted in transport or tunnel mode.

protocols and Layer
3 tunneling protocols. PPTP, L2TP, and L2F are Layer 2
protocols. IPsec is a
Layer 3 protocol.
connections. IPsec
propagates data across a network in tunnel or transport mode.
Encapsulating Security
Protocol (ESP), Internet Security Association and Key
Management Protocol
(ISAKMP), and Internet Key Exchange (IKE) play an important
role in ensuring
data integrity, authentication, and confidentiality.
ide key management
mechanisms without which
an IPsec cannot exist.
for data transfer
between two IPsec peers.

CSEC
640
Glossary
Term Definition
Advanced Encryption
Standard
Advanced Encryption Standard (AES) is a widely accepted
standard for encryption that uses 128-bit block size ciphers
with key sizes of 128, 192, and 256 bits.
Algorithm An algorithm is a mathematical formula or set of
steps to
accomplish any given task—in this case, encryption and
decryption.
Asymmetric
Encryption
Asymmetric encryption uses two sets of encryption keys—
a private and public key—to encrypt information. To
decrypt the information, a user must have both the public
key, which can be freely made public, and the private key,
which is known only to the sender and receiver of the
encrypted information.
Authentication Authentication involves confirming a user's

identity. A form
of access control, authentication requires users to confirm
their identity before they access the system.
Checksum Checksum is a simple error-detection scheme to
ensure
that a message is not garbled. In checksum, each
transmitted message is accompanied by a numerical value.
The receiver then applies the same formula to the
message and checks to make sure the accompanying
numerical value is the same. If it is not, the receiver can
assume that the message has been garbled.
Confidentiality Confidentiality means allowing only authorized
individuals
or systems to access certain types of information.
Confidentiality is also known as secrecy.
Data Encryption Standard Data Encryption Standard (DES) is an
encryption standard
that uses a simple 56-bit key to encrypt data. Since it is not
very secure, alternatives to DES such as triple DES and
AES have been created.
Diffie-Hellman Key The Diffie-Hellman key is a specific
method of changing
keys in the field of cryptography.
Encryption Encryption is the process of using algorithms to
change
readable text into a format that is unreadable by
unauthorized persons.
Fragmentation Fragmentation is a method in which an IP
datagram is
fragmented into IP packets and reassembled at the

receiving host.
Fragment Flag Fragment flag is a field in an IP header that
stores
information about the IP packet and is involved in packet
fragmentation. There are various 3-bit control flags.
Fragment Offset Fragment offset is a field that tells the sender
where a
particular fragment falls in relation to other fragments in the
original larger packet.
CSEC
640
Term Definition
Gateway A gateway is a network device that acts as an entrance
to
another network.
Hash-Based Message
Authentication Code
Hash-Based Message Authentication Code (HMAC) is
used to decode MACs by using a cryptographic function
along with a secret key. HMAC is used in many
authentication protocols.

Hash Value A hash function mathematically transforms a
variable
length data input into a fixed length, random-character
output called a hash value. Some commonly used hash
functions include Message Digest 5 (MD5) and the Secure
Hash Algorithms (SHA-0, SHA-1, and SHA-256).
Header A header is a temporary set of data that is added at the
beginning of a communication message in order to transfer
it over the network. It contains the source and destination
addresses as well as data that describe the content of the
message.
Identification Identification is part of the access-control
software and
requires users to provide identification in the form of a user
name or account number before they are allowed to
access a system.
Integrity The goal of integrity is to ensure that unauthorized
individuals or systems are unable to modify data.
IP Address An Internet Protocol (IP) address is a numeric label
that
identifies each device within a computer network that
communicates over the Internet.
Key Generation Key generation is the process of creating
cryptographic
keys.
Key Management Key management is the system of controlling
and
managing the generation, exchange, storage, safety,
application, and replacement of encryption keys.

Logical Connection A logical connection refers to the
connection between two
systems at the same level of the OSI or TCP/IP model.
Message Authentication
Code
In cryptography, a Message Authentication Code (MAC) is
a short piece of information used to authenticate a
message.
Message-Digest
Algorithm 5
Message-Digest Algorithm 5 (MD5) is a popular
cryptographic hash function that uses a 128-bit hash value.
Nonrepudiation Nonrepudiation refers to giving a guarantee
about the
authenticity of a document or message. The sending
parties cannot deny that they sent data.
Nonce Nonce is an abbreviation of “number used once.” It is
often
a random number issued in an authentication protocol to
ensure that old communications cannot be reused in replay
attacks.
CSEC
640

Term Definition
Open Source Open source refers to software that is distributed
with its
source code so that other users can modify it for their own
purposes.
Payload Payload refers to the actual data in a packet or file,
without
all headers attached for transport and/or description.
Preshared Keys Preshared keys are shared secrets that were
previously
shared between two endpoints using some secure channel
before they need to be used.
Replay Attack A replay attack is a breach of network security in
which a
valid data transmission is repeated or delayed with
malicious intent.
RSA RSA is an encryption algorithm that uses public-key
cryptography to secure information and is a widely used
protocol for encrypting data.
Secure Hash Algorithm 1 Secure Hash Algorithm 1 (SHA-1) is a
cryptographic hash
algorithm. The SHA-1 algorithm was designed by the
National Security Agency.
Session Key A randomly generated encryption and decryption
key that
is used to ensure the security of a communication session.

Signature A signature is a digital code that can be attached to a
message. Like a written signature, the signature uniquely
identifies the sender and is a guarantee that the individual
sending the message is really who he or she claims to be.
Time to Live Time to Live (TTL) is a field in the Internet
Protocol
(IP) that specifies how many more hops a packet can travel
before being discarded or returned.
Triple DES Triple DES is a symmetric algorithm that involves
repeating
the basic DES algorithm three times, using either two or
three unique keys, for a key size of 112 or 168 bits. This
provides additional resistance to a brute-force attack.
Type of Service Type of Service (TOS) is a field in an IP
packet that is used
for quality of service.
X.509 X.509 is a standard used in cryptography that specifies
formats for public key certificates, certificate revocation
lists, attribute certificates, and a certification path validation
algorithm.

1. Part 1) Choose your own topic related to web technologiesappl.docx

Recommended

Recommended

More Related Content

Similar to 1. Part 1) Choose your own topic related to web technologiesappl.docx

Similar to 1. Part 1) Choose your own topic related to web technologiesappl.docx (17)

More from jackiewalcutt

More from jackiewalcutt (20)

Recently uploaded

Recently uploaded (20)

1. Part 1) Choose your own topic related to web technologiesappl.docx