
IP Security (IPSec)

Live Classroom: 3 days
Live Virtual Classroom: 3 days

Overview

This IPSec course helps participants understand how IPSec works and how to deploy it using recognized best practices. The labs use open source projects such as strongswan to demonstrate how IP security is configured and deployed. Participants learn best practices for selecting encryption algorithms, along with the advantages and tradeoffs of the security mechanisms that IPSec manages. The course also trains participants in the Linux skills they need to perform CLI tasks effectively.

What You'll Learn

  • Understanding tunneling and encapsulation
  • Understanding security associations, architecture, policies and configurations
  • Introduction to tcpdump
  • Exploring the different security threats
  • Learning about public key encryption
  • Introduction to Diffie-Hellman
  • Discovering the differences between Extended Authentication (XAUTH) and the Extensible Authentication Protocol (EAP)
  • Understanding the different modes of operation
  • Reviewing the different IPSec protocols

Curriculum

  • Introduction to tunneling
    • Course schedule
  • Encapsulation
    • Tunneling
    • IPsec Site-to-Site application
    • Road Warrior application based on IPsec
  • GPRS-tunneling protocol and the APN
    • 4G GPRS Tunnel
    • IP Flow Mobility and Seamless Offload
    • SIPTO and LIPA
  • Remote Client
    • Virtual Private Networks
  • Remote Client
    • The “Road Warrior” Remote Access Case
  • Algorithms
    • IPSEC Knobs and settings
    • IPSEC Settings
    • Tunnel Types
  • Other tunneling methods
    • Road Warrior Application Based on SSL/TLS
    • OpenVPN SSL Based VPN
    • Layer 2/3/4 VPNs – Pros and Cons
    • MPLS Tunnels (1 of 2)
    • MPLS Tunnels (2 of 2)
    • VXLAN Flow

  • Security Associations
  • Architecture
    • IPsec and the Security Association
    • What is a Security Association (SA)?
    • Outbound processing
    • Inbound processing
  • Policy
    • Security Policy Database
    • Security Association Identifiers
  • Configuration
    • Strongswan Config Files and Directories
    • Strongswan ipsec.conf example – 1 of 14
    • Strongswan “left” and “right” Reference
    • Strongswan ipsec.conf example – 2 of 14
    • Strongswan ipsec.conf example – 3 of 14
    • Strongswan ipsec.conf example – 4 of 14
    • Strongswan ipsec.conf example – 5 of 14
    • Strongswan ipsec.conf example – 6 of 14
    • Strongswan ipsec.conf example – 7 of 14
    • Strongswan ipsec.conf example – 8 of 14
    • Strongswan ipsec.conf example – 9 of 14
    • Strongswan ipsec.conf example – 10 of 14
    • Strongswan ipsec.conf example – 11 of 14
    • Strongswan ipsec.conf example – 12 of 14
    • Strongswan ipsec.conf example – 13 of 14
    • Strongswan ipsec.conf example – 14 of 14

  • Just Enough IPsec Legacy
  • RFCs
    • Overview
    • IKEv1 vs IKEv2 (1 of 4)
    • IKEv1 vs IKEv2 (2 of 4)
    • IKEv1 vs IKEv2 (3 of 4)
    • IKEv1 vs IKEv2 (4 of 4)
  • Security Threats
    • Security Threat Icons
    • Authentication
    • Data Origin Authentication
    • Data Integrity
    • Replay Attack
    • Confidentiality
    • Traffic Flow Confidentiality
    • MITM Attack
    • IPSec services

  • tcpdump overview
  • Why is it so fast?
    • BPF (Berkeley Packet Filter) Primer
  • Commands
    • tcpdump Essentials
    • iptables’ nflog interface

  • Symmetric Encryption
  • Types
    • Symmetric Key
  • AES
    • AES Conceptual Scheme
    • AES Transformation Tools
    • AES Block Example
    • AES Block Example
    • AES Key
    • Key Expansion
    • XOR (AddRoundKey)
    • S-box or Substitution Box
    • ShiftRows
    • Mix Columns
    • AES Round
    • Multiple Rounds
    • IKEv2 Cipher Suites

  • PKI Encryption
  • Vocabulary
  • RSA
    • Public Key Encryption as Privacy
    • Public Key Encryption as Authentication
    • Public Key Encryption: Four Keys = Secure Communications in Both Directions
    • Man in the Middle Certificate Swapping
    • Integrity Check
    • PKI Process Introducing the CA (Certificate Authority)
    • Hashing Algorithms Produce a Mathematical Distillation Called a Digest or Hash
    • Using Hashing Algorithms for Authentication
    • Using Hashing + RSA to Create a Digital Signature
    • Verify the Digital Certificate Verification
    • A Digital Certificate Example
    • SUBJECT and ISSUER Data Elements
    • PEM Format and Base 64
    • TLS Connection Establishment
    • RSA Example 1 of 5 – Clear Text
    • RSA Example 2 of 5 – Deriving the keys
    • RSA Example 3 of 5 – Encrypt using the Public Key
    • RSA Example 4 of 5 – Using the Private Key
    • RSA Example 5 of 5 – Back to clear text
    • Creating Production RSA keys (1 of 2)
    • Creating Production RSA keys (2 of 2)
  • Elliptic Curve
    • Groups
    • The Elliptic Curve Group
    • Why ECC is Secure
    • Comparing RSA to ECC

  • Diffie-Hellman
  • Values
    • Diffie-Hellman’s 7 Numbers – Public and Private
    • Diffie-Hellman Introduction
    • Diffie-Hellman’s 7 Numbers Defined
    • Primitive Root
  • Algorithm
    • Discrete Logarithm Problem, Modulo Substitution and Exponents
    • DH Exchange
    • Why Diffie-Hellman works
    • Diffie-Hellman Example

  • Oakley
  • Improving Diffie-Hellman
    • How Oakley Improves Diffie-Hellman
  • Cookies
    • Oakley Cookie Exchange
    • Oakley ID and Hash
    • Oakley Nonce

  • Extensible Authentication Protocol
  • XAUTH vs EAP
    • Extended Authentication
    • Man-in-the-Middle Attack Possible with IKE Aggressive Mode and XAUTH
  • Architecture
    • EAP is a Wrapper, not an Authentication Protocol
    • Extensible Authentication Protocol (EAP)
    • Expanded EAP Type
    • Standard EAP Packet Format
    • EAP Identity
    • EAP Authentication method negotiated with NAK
  • How it works
    • Sample EAP Negotiation with NAK
    • 3G EAP AKA Example
    • IKE EAP-AKA/ESP

  • Mode of Operation
  • Types
    • Transport and Tunnel Modes
    • IPsec – Tunnel Mode: Virtual Private Network (VPN)
    • TCP/IP Bypass
    • Transport Mode
    • Authentication Header Tunnel Mode
    • ESP – Transport Mode
    • ESP – Tunnel Mode
  • Overhead
    • IPsec Tunnel Mode CBC Packet Overhead

  • IPsec Negotiation
  • Overview
    • Security Association
    • Internet Security Association and Key Management Protocol (ISAKMP)
    • ISAKMP Phases
    • IKE vs ISAKMP
    • The New Standard – IKEv2 RFC 4306 (Dec. 2005) / RFC 5996 (Sept. 2010)
  • IKEv1
    • Internet Key Exchange – IKEv1 Main Mode PSK 1 of 2
    • Internet Key Exchange – IKEv1 Main Mode PSK 2 of 2
    • IKE Aggressive Mode Using Pre-Shared Keys
  • IKEv2
    • IKEv2 – SA Initialization and Authentication
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKE_AUTH Request Details
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – IKE_AUTH Response
    • IKEv2 – Cookie Mechanism Against DoS Attacks
    • IKEv2 – Additional Child SAs
    • Configuration Payload (CP)
    • ISAKMP and IPsec Security Associations
    • Security Association Structure
    • IKEv2 Dead Peer Detection
    • Reading IKEV2 Exchanges in Documentation

  • How NAT Impacts IPsec
  • Defining the problem
    • NATs
    • The NAT Traversal Problem
    • IPSec Passthrough (Transparent IPSec Connection)
    • The NAT Traversal with UDP Tunneling
    • UDP for Tunneling ESP
    • The NAT Traversal UDP Port Assignment
  • Solving the problem
    • UDP-Encapsulated ESP Header Format
    • NAT-Keepalive Packet Format
    • IKE Header Format for Port 4500
    • NAT-T vs. IPSec-over-UDP
    • The NAT Traversal UDP Port Assignment
    • NAT_DETECTION Notification Data
    • NAT-T Detection Process
    • Tunnel Mode Conflict

  • Encapsulation in Depth
  • Overview of the options
    • IPsec Encapsulation Options
    • IPsec and the IP Header
    • IPSec and the UDP Header
    • IPsec and the TCP Header
    • IPsec and the ESP Header
    • IPsec and the AH Header
    • ISAKMP Typical Message Format

  • IPsec ESP Protocol
  • Introduction
    • Encapsulating Security Payload (ESP)
  • Methods
    • Encapsulated Security Payload (ESP)
  • Anti-replay
    • Replay detection
  • Encapsulating the data
    • Encapsulating Security Payload Header Fields

  • IPsec AH Protocol
  • Issues and Limitations
    • AH Data Protected Fields
  • Modes
    • AH Data Fields
    • Authentication Header Transport Mode
    • Authentication Header Tunnel Mode
    • AH transport vs tunnel mode

Who should attend

This course is highly recommended for:
  • Network engineers
  • Security engineers
  • Network security engineers
  • Network and hardware engineers
  • Security analysts
  • System administrators
  • System engineers
