IP Security (IPSec)

Course Code: 6000

Overview
Schedule classes
What you'll learn
Outline
Prerequisites
Who should attend

Overview

This IPSec course helps participants understand how IPSec works and how to deploy it using the recognized best practices. The labs in the course use open source projects such as strongswan, to demonstrate how IP security is configured and deployed. During the course, participants will learn the best practices regarding selection of encryption algorithms, advantages and tradeoffs of security mechanisms managed by IPSec. The course also trains participants in the important Linux skills they would need to perform effective CLI tasks.

Schedule Classes

Looking for more sessions of this class?

Course Delivery

This course is available in the following formats:

Live Classroom
Duration: 3 days

Live Virtual Classroom
Duration: 3 days

What You'll learn

Understanding tunneling and encapsulation
Understanding security associations, architecture, policies and configurations
Introduction to tcpdump
Exploring the different security threats
Learning about public key encryptions
Introduction to Diffie-Hellman
Discovering the differences between extended authentication and extensible authentication protocol
Understanding the different modes of operation
Reviewing the different IPSec protocols

Outline

Module 1: Introduction to Tunneling

Introduction to tunneling
- Course schedule
Encapsulation
- Tunneling
- IPsec Site-to-Site application
- Road Warrior application based on IPsec
GPRS-tunneling protocol and the APN
- 4G GPRS Tunnel
- IP Flow Mobility and Seamless Offload
- SIPTO and LIPA
Remote Client
- Virtual Private Networks
Remote Client
- The “Road Warrior” Remote Access Case
Algorithms
- IPSEC Knobs and settings
- IPSEC Settings
- Tunnel Types
Other tunneling methods
- Road Warrior Application Based on SSL/TLS
- OpenVPN SSL Based VPN
- Layer 2/3/4 VPNs – Pros and Cons
- MPLS Tunnels (1 of 2)
- MPLS Tunnels (2 of 2)
- VXLAN Flow

Module 2: Security Associations

Security Associations
- VXLAN Flow
Architecture
- IPsec and the Security Association
- What is a Security Association (SA)?
- Outbound processing
- Inbound processing
Policy
- Security Policy Database
- Security Association Identifiers
Configuration
- Strongswan Config Files and Directories
- Strongswan ipsec.conf example – 1 of 14
- Strong Swan “left” and “right” Reference
- Strongswan ipsec.conf example – 2 of 14
- Strongswan ipsec.conf example – 3 of 14
- Strongswan ipsec.conf example – 4 of 14
- Strongswan ipsec.conf example – 5 of 10
- Strongswan ipsec.conf example – 6 of 14
- Strongswan ipsec.conf example – 7 of 14
- Strongswan ipsec.conf example – 8 of 14
- Strongswan ipsec.conf example – 9 of 14
- Strongswan ipsec.conf example – 10 of 14
- Strongswan ipsec.conf example – 11 of 14
- Strongswan ipsec.conf example – 12 of 14
- Strongswan ipsec.conf example – 13 of 14
- Strongswan ipsec.conf example – 14 of 14

Module 3: Just Enough IPsec Legacy

Just Enough IPsec Legacy
- Strongswan ipsec.conf example – 14 of 14
RFCs
- Overview
- IKEv1 vs IKEv2 (1 of 4)
- IKEv1 vs IKEv2 (2 of 4)
- IKEv1 vs IKEv2 (3 of 4)
- IKEv1 vs IKEv2 (4 of 4)
Security Threats
- Security Threat Icons
- Authentication
- Data Origin Authentication
- Data Integrity
- Replay Attack
- Confidentiality
- Traffic Flow Confidentiality
- MITM Attack
- IPSec services

Module 4: tcpdump Overview

tcpdump overview
- IPSec services
Why is it so fast?
- BPF Berkley Packet Filter Primer
Commands
- tcpdump Essentials
- iptables’ nflog interface

Module 5: Symmetric Encryption

Symmetric Encryption
- iptables’ nflog interface
Types
- Symmetric Key
AES
- AES Conceptual Scheme
- AES Transformation Tools
- AES Block Example
- AES Block Example
- AES Key
- Key Expansion
- XOR (AddRoundKey)
- S-box or Substitution Box
- ShiftRows
- Mix Columns
- AES Round
- Multiple Rounds
- IKEv2 Cipher Suites

Module 6: PKI Encryption

PKI Encryption
- IKEv2 Cipher Suites
Vocabulary
RSA
- Public Key Encryption as Privacy
- Public Key Encryption as Authentication
- Public Key Encryption: Four Keys = Secure Communications in Both Directions
- Man in the Middle Certificate Swapping
- Integrity Check
- PKI Process Introducing the CA (Certificate Authority)
- Hashing Algorithms Produce a Mathematical Distillation Called a Digest or Hash
- Using Hashing Algorithms for Authentication
- Using Hashing + RSA to Create a Digital Signature
- Verify the Digital Certificate Verification
- A Digital Certificate Example
- SUBJECT and ISSUER Data Elements
- PEM Format and Base 64
- TLS Connection Establishment
- RSA Example 1 of 5 – Clear Text
- RSA Example 2 of 5 – Deriving the keys
- RSA Example 3 of 5 – Encrypt using the Public Key
- RSA Example 4 of 5 – Using the Private Key
- RSA Example 5 of 5 – Back to clear text
- Creating Production RSA keys (1 of 2)
- Creating Production RSA keys (2 of 2)
Elliptic Curve
- Groups
- The Elliptic Curve Group
- Why ECC is Secure
- Comparing RSA to ECC

Module 7: Diffie-Hellman

Diffie-Hellman
- Comparing RSA to ECC
Values
- Diffie-Hellman’s 7 Numbers – Public and Private
- Diffie-Hellman Introduction
- Diffie-Hellman’s 7 Numbers Defined
- Primitive Root
Algorithm
- Discrete Algorithm Problem, Modulo Substitution and Exponents
- DH Exchange
- Why Diffie-Hellman works
- Diffie-Hellman Example

Module 8: Oakley

Oakley
- Diffie-Hellman Example
Improving Diffie-Hellman
- How Oakley Improves Diffie-Hellman
Cookies
- Oakley Cookie Exchange
- Oakley ID and Hash
- Oakley Nonce

Module 9: Extensible Authentication Protocol

Extensible Authentication Protocol
- Oakley Nonce
XAUTH vs EAP
- Extended Authentication
- Man-in-the-Middle Attack Possible with IKE Aggressive Mode and XAUTH
Architecture
- EAP is a Wrapper, not an Authentication Protocol
- Extensible Authentication Protocol (EAP)
- Expanded EAP Type
- Standard EAP Packet Format
- EAP Identity
- EAP Authentication method negotiated with NAK
How it works
- Sample EAP Negotiation with NAK
- 3G EAP AKA Example
- IKE EAP-AKA/ESP

Module 10: Mode of Operation

Mode of Operation
- IKE EAP-AKA/ESP
Types
- Transport and Tunnel Modes
- IPsec – Tunnel Mode: Virtual Private Network (VPN)
- TCP/IP Bypass
- Transport Mode
- Authentication Header Tunnel Mode
- ESP – Transport Mode
- ESP – Tunnel Mode
Overhead
- IPsec Tunnel Mode CBC Packet Overhead

Module 11: IPsec Negotiation

IPsec Negotiation
- IPsec Tunnel Mode CBC Packet Overhead
Overview
- Security Association
- Internet Security Association and Key Management Protocol (ISAKMP)
- ISAKMP Phases
- IKE vs ISAKMP
- The New Standard – IKEv2 RFC 4306 (Dec. 2005) / RFC 5996 (Sept. 2010)
IKEv1
- Internet Key Exchange – IKEv1 Main Mode PSK 1 of 2
- Internet Key Exchange – IKEv1 Main Mode PSK 2 of 2
- IKE Aggressive Mode Using Pre-Shared Keys
IKEv2
- IKEv2 – SA Initialization and Authentication
- IKEv2 – Authentication and First Child SA
- IKEv2 – Authentication and First Child SA
- IKEv2 – Authentication and First Child SA
- IKEv2 – Authentication and First Child SA
- IKEv2 – Authentication and First Child SA
- IKEv2 – Authentication and First Child SA
- IKE_AUTH Request Details
- IKEv2 – Authentication and First Child SA
- IKEv2 – IKE_AUTH Response
- IKEv2 – Cookie Mechanism Against DoS Attacks
- IKEv2 – Additional Child SAs
- Configuration Payload (CP)
- ISAKMP and IPsec Security Associations
- Security Association Structure
- IKEv2 Dead Peer Detection
- Reading IKEV2 Exchanges in Documentation

Module 12: How NAT Impacts IPsec

How NAT Impacts IPsec
- Reading IKEV2 Exchanges in Documentation
Defining the problem
- NATs
- The NAT Traversal Problem
- IPSec Passthrough (Transparent IPSec Connection)
- The NAT Traversal with UDP Tunneling
- UDP for Tunneling ESP
- The NAT Traversal UDP Port Assignment
Solving the problem
- UDP-Encapsulated ESP Header Format
- NAT-Keepalive Packet Format
- IKE Header Format for Port 4500
- NAT-T vs. IPSec-over-UDP
- The NAT Traversal UDP Port Assignment
- NAT_DETECTION Notification Data
- NAT-T Detection Process
- Tunnel Mode Conflict

Module 13: Encapsulation in Depth

Encapsulation in Depth
- Tunnel Mode Conflict
Overview of the options
- IPsec Encapsulation Options
- IPsec and the IP Header
- IPSec and the UDP Header
- IPsec and the TCP Header
- IPsec and the ESP Header
- IPsec and the AH Header
- ISAKMP Typical Message Format

Module 14: IPsec ESP Protocol

IPsec ESP Protocol
- ISAKMP Typical Message Format
Introduction
- Encapsulating Security Payload (ESP)
Methods
- Encapsulated Security Payload (ESP)
Anti-replay
- Replay detection
Encapsulating the data
- Encapsulating Security Payload Header Fields

Module 15: IPsec AH Protocol

IPsec AH Protocol
- Encapsulating Security Payload Header Fields
Issues and Limitations
- AH Data Protected Fields
Modes
- AH Data Fields
- Authentication Header Transport Mode
- Authentication Header Tunnel Mode
- AH transport vs tunnel mode

Module 16: Penetration Testing

IPsec AH Protocol
- Encapsulating Security Payload Header Fields
Issues and Limitations
- AH Data Protected Fields
Modes
- AH Data Fields
- Authentication Header Transport Mode
- Authentication Header Tunnel Mode
- AH transport vs tunnel mode