course-deatils-thumbnail

IP Security (IPSec)

Course Code: 6000
|
|
Home / Courses / IP Security (IPSec)

Overview

This IPSec course helps participants understand how IPSec works and how to deploy it using the recognized best practices. The labs in the course use open source projects such as strongswan, to demonstrate how IP security is configured and deployed. During the course, participants will learn the best practices regarding selection of encryption algorithms, advantages and tradeoffs of security mechanisms managed by IPSec. The course also trains participants in the important Linux skills they would need to perform effective CLI tasks.

Schedule Classes

Looking for more sessions of this class?
Talk to us
Trivera

Course Delivery

This course is available in the following formats:

Live Classroom
Duration: 3 days

Live Virtual Classroom
Duration: 3 days

What You'll learn

  • Understanding tunneling and encapsulation
  • Understanding security associations, architecture, policies and configurations
  • Introduction to tcpdump
  • Exploring the different security threats
  • Learning about public key encryptions
  • Introduction to Diffie-Hellman
  • Discovering the differences between extended authentication and extensible authentication protocol
  • Understanding the different modes of operation
  • Reviewing the different IPSec protocols

Outline

Module 1: Introduction to Tunneling

  • Introduction to tunneling
    • Course schedule
  • Encapsulation
    • Tunneling
    • IPsec Site-to-Site application
    • Road Warrior application based on IPsec
  • GPRS-tunneling protocol and the APN
    • 4G GPRS Tunnel
    • IP Flow Mobility and Seamless Offload
    • SIPTO and LIPA
  • Remote Client
    • Virtual Private Networks
  • Remote Client
    • The “Road Warrior” Remote Access Case
  • Algorithms
    • IPSEC Knobs and settings
    • IPSEC Settings
    • Tunnel Types
  • Other tunneling methods
    • Road Warrior Application Based on SSL/TLS
    • OpenVPN SSL Based VPN
    • Layer 2/3/4 VPNs – Pros and Cons
    • MPLS Tunnels (1 of 2)
    • MPLS Tunnels (2 of 2)
    • VXLAN Flow

Module 2: Security Associations

  • Security Associations
    • VXLAN Flow
  • Architecture
    • IPsec and the Security Association
    • What is a Security Association (SA)?
    • Outbound processing
    • Inbound processing
  • Policy
    • Security Policy Database
    • Security Association Identifiers
  • Configuration
    • Strongswan Config Files and Directories
    • Strongswan ipsec.conf example – 1 of 14
    • Strong Swan “left” and “right” Reference
    • Strongswan ipsec.conf example – 2 of 14
    • Strongswan ipsec.conf example – 3 of 14
    • Strongswan ipsec.conf example – 4 of 14
    • Strongswan ipsec.conf example – 5 of 10
    • Strongswan ipsec.conf example – 6 of 14
    • Strongswan ipsec.conf example – 7 of 14
    • Strongswan ipsec.conf example – 8 of 14
    • Strongswan ipsec.conf example – 9 of 14
    • Strongswan ipsec.conf example – 10 of 14
    • Strongswan ipsec.conf example – 11 of 14
    • Strongswan ipsec.conf example – 12 of 14
    • Strongswan ipsec.conf example – 13 of 14
    • Strongswan ipsec.conf example – 14 of 14

Module 3: Just Enough IPsec Legacy

  • Just Enough IPsec Legacy
    • Strongswan ipsec.conf example – 14 of 14
  • RFCs
    • Overview
    • IKEv1 vs IKEv2 (1 of 4)
    • IKEv1 vs IKEv2 (2 of 4)
    • IKEv1 vs IKEv2 (3 of 4)
    • IKEv1 vs IKEv2 (4 of 4)
  • Security Threats
    • Security Threat Icons
    • Authentication
    • Data Origin Authentication
    • Data Integrity
    • Replay Attack
    • Confidentiality
    • Traffic Flow Confidentiality
    • MITM Attack
    • IPSec services

Module 4: tcpdump Overview

  • tcpdump overview
    • IPSec services
  • Why is it so fast?
    • BPF Berkley Packet Filter Primer
  • Commands
    • tcpdump Essentials
    • iptables’ nflog interface

Module 5: Symmetric Encryption

  • Symmetric Encryption
    • iptables’ nflog interface
  • Types
    • Symmetric Key
  • AES
    • AES Conceptual Scheme
    • AES Transformation Tools
    • AES Block Example
    • AES Block Example
    • AES Key
    • Key Expansion
    • XOR (AddRoundKey)
    • S-box or Substitution Box
    • ShiftRows
    • Mix Columns
    • AES Round
    • Multiple Rounds
    • IKEv2 Cipher Suites

Module 6: PKI Encryption

  • PKI Encryption
    • IKEv2 Cipher Suites
  • Vocabulary
  • RSA
    • Public Key Encryption as Privacy
    • Public Key Encryption as Authentication
    • Public Key Encryption: Four Keys = Secure Communications in Both Directions
    • Man in the Middle Certificate Swapping
    • Integrity Check
    • PKI Process Introducing the CA (Certificate Authority)
    • Hashing Algorithms Produce a Mathematical Distillation Called a Digest or Hash
    • Using Hashing Algorithms for Authentication
    • Using Hashing + RSA to Create a Digital Signature
    • Verify the Digital Certificate Verification
    • A Digital Certificate Example
    • SUBJECT and ISSUER Data Elements
    • PEM Format and Base 64
    • TLS Connection Establishment
    • RSA Example 1 of 5 – Clear Text
    • RSA Example 2 of 5 – Deriving the keys
    • RSA Example 3 of 5 – Encrypt using the Public Key
    • RSA Example 4 of 5 – Using the Private Key
    • RSA Example 5 of 5 – Back to clear text
    • Creating Production RSA keys (1 of 2)
    • Creating Production RSA keys (2 of 2)
  • Elliptic Curve
    • Groups
    • The Elliptic Curve Group
    • Why ECC is Secure
    • Comparing RSA to ECC

Module 7: Diffie-Hellman

  • Diffie-Hellman
    • Comparing RSA to ECC
  • Values
    • Diffie-Hellman’s 7 Numbers – Public and Private
    • Diffie-Hellman Introduction
    • Diffie-Hellman’s 7 Numbers Defined
    • Primitive Root
  • Algorithm
    • Discrete Algorithm Problem, Modulo Substitution and Exponents
    • DH Exchange
    • Why Diffie-Hellman works
    • Diffie-Hellman Example

Module 8: Oakley

  • Oakley
    • Diffie-Hellman Example
  • Improving Diffie-Hellman
    • How Oakley Improves Diffie-Hellman
  • Cookies
    • Oakley Cookie Exchange
    • Oakley ID and Hash
    • Oakley Nonce

Module 9: Extensible Authentication Protocol

  • Extensible Authentication Protocol
    • Oakley Nonce
  • XAUTH vs EAP
    • Extended Authentication
    • Man-in-the-Middle Attack Possible with IKE Aggressive Mode and XAUTH
  • Architecture
    • EAP is a Wrapper, not an Authentication Protocol
    • Extensible Authentication Protocol (EAP)
    • Expanded EAP Type
    • Standard EAP Packet Format
    • EAP Identity
    • EAP Authentication method negotiated with NAK
  • How it works
    • Sample EAP Negotiation with NAK
    • 3G EAP AKA Example
    • IKE EAP-AKA/ESP

Module 10: Mode of Operation

  • Mode of Operation
    • IKE EAP-AKA/ESP
  • Types
    • Transport and Tunnel Modes
    • IPsec – Tunnel Mode: Virtual Private Network (VPN)
    • TCP/IP Bypass
    • Transport Mode
    • Authentication Header Tunnel Mode
    • ESP – Transport Mode
    • ESP – Tunnel Mode
  • Overhead
    • IPsec Tunnel Mode CBC Packet Overhead

Module 11: IPsec Negotiation

  • IPsec Negotiation
    • IPsec Tunnel Mode CBC Packet Overhead
  • Overview
    • Security Association
    • Internet Security Association and Key Management Protocol (ISAKMP)
    • ISAKMP Phases
    • IKE vs ISAKMP
    • The New Standard – IKEv2 RFC 4306 (Dec. 2005) / RFC 5996 (Sept. 2010)
  • IKEv1
    • Internet Key Exchange – IKEv1 Main Mode PSK 1 of 2
    • Internet Key Exchange – IKEv1 Main Mode PSK 2 of 2
    • IKE Aggressive Mode Using Pre-Shared Keys
  • IKEv2
    • IKEv2 – SA Initialization and Authentication
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKE_AUTH Request Details
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – IKE_AUTH Response
    • IKEv2 – Cookie Mechanism Against DoS Attacks
    • IKEv2 – Additional Child SAs
    • Configuration Payload (CP)
    • ISAKMP and IPsec Security Associations
    • Security Association Structure
    • IKEv2 Dead Peer Detection
    • Reading IKEV2 Exchanges in Documentation

Module 12: How NAT Impacts IPsec

  • How NAT Impacts IPsec
    • Reading IKEV2 Exchanges in Documentation
  • Defining the problem
    • NATs
    • The NAT Traversal Problem
    • IPSec Passthrough (Transparent IPSec Connection)
    • The NAT Traversal with UDP Tunneling
    • UDP for Tunneling ESP
    • The NAT Traversal UDP Port Assignment
  • Solving the problem
    • UDP-Encapsulated ESP Header Format
    • NAT-Keepalive Packet Format
    • IKE Header Format for Port 4500
    • NAT-T vs. IPSec-over-UDP
    • The NAT Traversal UDP Port Assignment
    • NAT_DETECTION Notification Data
    • NAT-T Detection Process
    • Tunnel Mode Conflict

Module 13: Encapsulation in Depth

  • Encapsulation in Depth
    • Tunnel Mode Conflict
  • Overview of the options
    • IPsec Encapsulation Options
    • IPsec and the IP Header
    • IPSec and the UDP Header
    • IPsec and the TCP Header
    • IPsec and the ESP Header
    • IPsec and the AH Header
    • ISAKMP Typical Message Format

Module 14: IPsec ESP Protocol

  • IPsec ESP Protocol
    • ISAKMP Typical Message Format
  • Introduction
    • Encapsulating Security Payload (ESP)
  • Methods
    • Encapsulated Security Payload (ESP)
  • Anti-replay
    • Replay detection
  • Encapsulating the data
    • Encapsulating Security Payload Header Fields

Module 15: IPsec AH Protocol

  • IPsec AH Protocol
    • Encapsulating Security Payload Header Fields
  • Issues and Limitations
    • AH Data Protected Fields
  • Modes
    • AH Data Fields
    • Authentication Header Transport Mode
    • Authentication Header Tunnel Mode
    • AH transport vs tunnel mode

Module 16: Penetration Testing

  • IPsec AH Protocol
    • Encapsulating Security Payload Header Fields
  • Issues and Limitations
    • AH Data Protected Fields
  • Modes
    • AH Data Fields
    • Authentication Header Transport Mode
    • Authentication Header Tunnel Mode
    • AH transport vs tunnel mode
View More

Prerequisites

Participants need to have experience working with Linux and have an understanding of an enterprise network security environment.

Who Should Attend

The course is highly recommended for –

  • Network engineers
  • Security engineers
  • Network security engineers
  • Network and hardware engineers
  • Security analysts
  • System administrators
  • System engineers

Interested in this course? Let’s connect!

Related Courses

Python for network automation
Python for Network Automation
Network fundamentals
Network Fundamentals
Software defined networking function virtualization
Software Defined Networking (SDN) and Network Function Virtualization (NFV)
VoLTE and the IMS
VoLTE and the IMS

Popular Courses

ITIL 4 foundation
ITIL® 4 Foundation
ITIL® Foundation (v3, 2011)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Security Professional (CISSP)
Mastering Python Programming
Mastering Python Programming

Recent Posts

ITIL

Training for Digital Transformation with ITIL

July 2, 2020

Top 10 Trending Technologies to Learn in 2020

July 1, 2020
Machine Learning

Top 10 machine learning models beginners must learn

June 24, 2020
redhat

How difficult is it to become Red Hat Certified System Administrator (RHCSA)?

June 19, 2020