925-201b Principles of Network Security and FortiGate Configurations Practice Tests

Demo Question 4.

Answer: D

Explanation: : IPSEC was developed by the Internet Engineering Task Force (IETF. to address certain vulnerabilities inherent in the popular IP protocol. Exploits in IP allowed for eavesdropping (sniffing) and identity masking (spoofing), so it was difficult to get guaranteed security over large networks. Prior solutions would provide security for only specific applications (PGP for email and SSL for web applications). IPSEC secures the network itself, so it also secures the applications using the network. IPSEC is a set of IP extensions that provide strong data authentication and privacy guarantees through the use of modern encryption techniques. To have security on your network, you need to have confidence in three factors: 1. The person you are communicating with is really that person (authentication) 2. No one can eavesdrop on your communication (confidentiality) 3. The communication that you received has not been modified in transit (integrity) IPSEC is comprised of three components that provide these security functions. Authentication Header (AH. - A signature is tied to each packet, allowing you to verify the sender's identity and the integrity of the data. Currently MD5 and SHA. 1 authentication schemes are supported. Encapsulating Security Payload (ESP) - Uses strong encryption algorithms to encrypt the data in each packet to defeat common eavesdropping techniques. The most common encryption algorithm used by ESP is 56-bit DES, but ESP is an open protocol that allows support for most current (and even future) encryption algorithms. Internet Key Exchange (IKE. - Allows nodes to agree on authentication methods, encryption methods, the keys to use and the keys' lifespan. IKE also allows smart secure key exchange. AH and ESP provide the means to protect data from tampering, preventing eavesdropping and verifying the origin of the data. IKE provides a secure method of exchanging keys and negotiating protocols and encryption algorithms to use. The information negotiated IKE is stored in a Security Association (SA. . The SA is like a contract laying out the rules of the VPN connection for the duration of the S A. An SA is assigned a 32-bit number that, when used in conjunction with the destination IP address, uniquely identifies the S A. This number is called the Security Parameters Index or SPI. To tie this all together, let's look at an example. User A wants to send data to User B. User A's router (router A. has a security policy applied with a rule that says all traffic to User B needs to be encrypted. User B's router (router B. will be the other end of an IPSEC tunnel. Router A checks to see if an IPSEC SA exists between it and router B. If it doesn't, router A will request an IPSEC SA from IKE. If an IKE SA exists between the two routers, an IPSEC SA is issued. If an IKE SA does not exist, one has to be negotiated first, with the routers exchanging information signed by a third-party certificate authority (CA. that both routers trust. Once the IKE SA is agreed upon by the routers, an IPSEC SA can be issued, and secure, encrypted communications can begin. This process is transparent to User A and User B. The basic steps for setting up an IPSEC connection are as follows: 1. Set up an IKE SA. 2. Agree upon the terms of communication and encryption algorithm. Create an IPSEC SA. 3. Start sending data.