


Question

Please don't solve the questions with randomly answers, please this is the second time I am asking. Thank you.

1. What is the advantage and disadvantage of having network-layer security?

2. In Encapsulating Security Payload, compare Tunnel and Transport modes in:
a. The ways they can be used. Use an illustration.
b. Their protocol architecture. Use an illustration.
c. Which one is best for host-to-server communication?

3. Define Security Association and Security Policy Database. Give an example of how a network might use them.

Explanation / Answer

1) Ans:

Advantages of network-layer security:

Network-layer security in IPSec or SSL.

While SSL-based VPNs rely on application-layer-specific protocols like SSL, IPSec-based VPNs are a part of the network itself, allowing the traffic and increased protection for not only a single type of traffic, but for all the traffic flowing in and out of the network.

IPSec is an international standard and is easy to maintain and secure.

This technology is invisible in its operation. The end user has no need to learn about this technology.

It adds a layer of security for VPNs running on IPSec.

IPSec monitors the traffic and secures the network.

SSL-, SSH- and PGP-based VPNs are application dependent, but this is application independent, so there is no need to worry about application dependencies. There are no compatibility issues.

Disadvantages:

It performs operations (encryption or decryption) on large amounts of data; with so much data flowing through the machines, this costs CPU, and large processors are needed to process it, which leads to CPU overhead and a higher payload.

Some large software applications may adhere to IPSec and go their own way, which leads to compatibility issues.

Some of the security algorithms still used in IPSec have already been cracked, which causes a security threat.

2) Ans:

Tunnel mode encapsulates the whole IP packet by encrypting it. Tunnel mode encapsulates our packet with IPSec headers and trailers. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat).

ESP and AH are used in Tunnel mode. ESP – Encapsulation security model; AH – Authentication Header.

Both ESP and AH are inserted together in the IP packet. After authentication, a new IP header is added to the packet, and the user gets the information about the IPSec endpoint as the new source and destination. This tunnel mode is used with any kind of IP traffic. In tunnel mode, IPSec will basically be set in place by either an ESP or an AH header inserted between the real packet IP header and the upper-layer protocol. ESP is preferred when it comes to IPSec VPN tunnel solutions.

Transport Mode:

Transport mode can be used to protect the traffic that IPsec peers exchange and generate by themselves. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified by network address translation, as this always invalidates the hash value. The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port numbers. A means to encapsulate IPsec messages for NAT traversal has been defined by the RFC documents describing the NAT-T mechanism. If we are using tunnel mode, it is basically a tunneling mechanism that hides everything inside a header/trailer capsule. But what if we are using GRE? If we are using GRE and then tunnel-mode IPsec, we will basically make a tunnel and another tunnel inside the tunnel, right? Only one of those tunnels will encrypt; the other will not.

Payload sent in transport mode is encapsulated by an IPSec header and trailer. The original IP header remains the same, but the IP protocol field is changed to 50 for ESP or 51 in the case of AH. The original protocol value will always be saved in the IPsec trailer so it can be restored when the packet is decrypted.

The best for host-to-server communication is Transport mode.

3)

A Security Association is a logical connection involving two devices that transfer data. With the help of defined IPSec protocols, SAs offer data protection for unidirectional traffic. Generally an IPSec tunnel features two unidirectional SAs, which offer a secure full-duplex channel for data.

In transport mode the payload of the packet is encapsulated by the transport-mode IPsec implementation; however, the IP header remains unchanged. The new IP packet includes the processed packet payload as well as the old IP header once the packet is processed with IPsec. The transport mode does not have the capability to shield the information carried in the IP header, which lets an attacker identify the source and destination of the packet.

In tunnel mode the IPsec implementation encapsulates the whole IP packet. The whole packet turns into the packet's payload that is processed using IPsec. The newly created IP header contains two IPsec gateway addresses. Use of the tunnel mode prevents an attacker from inspecting the information and decoding it, and it also hides the source and destination of the packet.

Security Policy Database:

The SPD specifies the policies that determine the disposition of all IP traffic inbound to or outbound from a host or a security gateway. The SAD is a security association table, containing the parameters that are associated with each security association.

The SPD must be consulted during the processing of all traffic (both inbound and outbound), including non-IPsec traffic. The policy entries in the SPD are totally ordered, and the first matched policy will be used to process the traffic. For example, we have two IPv4 subnets, subnet A 1.1.1.0/24 and subnet B 2.2.1.0/24, with security gateways GA and GB, as shown in Figure 5. This diagram could also be degraded to host A to subnet B, or even host A to host B; in such cases, GA or GB becomes an IPsec-enabled host.
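The answer above describes three things that are easier to see side by side in code: how ESP transport mode keeps the original IP header while tunnel mode wraps the whole packet behind gateway addresses, how a full-duplex tunnel is really two unidirectional SAs in the SAD, and how the SPD is an ordered list where the first matching entry decides. The following Python model is an added example, not part of the original answer and not an IPsec implementation: no cryptography is performed, the "protected" part of each packet just marks what ESP would encrypt and authenticate, and the gateway addresses (10.0.0.1 / 10.0.0.2), the SPI values and the blocked host 1.1.1.10 are constructed for illustration. The subnets 1.1.1.0/24 and 2.2.1.0/24 and the gateways GA and GB come from the answer's own example.

```python
# Constructed teaching model (added example, not an IPsec implementation):
# ESP transport vs tunnel encapsulation, unidirectional SAs in a SAD, and an
# ordered first-match SPD.  No cryptography is performed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ESP_PROTO = 50  # protocol number in the outer IP header for ESP
IPIP_NEXT = 4   # ESP Next Header value meaning an inner IPv4 packet follows


@dataclass
class IPHeader:
    src: str
    dst: str
    proto: int  # upper-layer protocol, e.g. 6 for TCP


@dataclass
class Packet:
    ip: IPHeader
    payload: bytes


def esp_transport(pkt: Packet, spi: int) -> dict:
    """Transport mode: original header stays (addresses readable on the wire),
    protocol field becomes 50, only the upper-layer payload is protected and
    the original protocol number moves into the ESP trailer's Next Header."""
    return {"outer_ip": IPHeader(pkt.ip.src, pkt.ip.dst, ESP_PROTO),
            "spi": spi,
            "protected": {"payload": pkt.payload, "next_header": pkt.ip.proto}}


def esp_tunnel(pkt: Packet, spi: int, gw_src: str, gw_dst: str) -> dict:
    """Tunnel mode: the whole original packet, header included, is protected;
    a new outer header carries the two IPsec gateway addresses."""
    return {"outer_ip": IPHeader(gw_src, gw_dst, ESP_PROTO),
            "spi": spi,
            "protected": {"inner_ip": pkt.ip, "payload": pkt.payload,
                          "next_header": IPIP_NEXT}}


@dataclass
class SPDEntry:
    src_net: str
    dst_net: str
    action: str                        # "PROTECT", "BYPASS" or "DISCARD"
    mode: Optional[str] = None         # "tunnel" or "transport" when PROTECT
    endpoints: Optional[tuple] = None  # (local gateway, remote gateway)


@dataclass
class SA:
    spi: int
    src: str  # an SA protects one direction only
    dst: str
    mode: str


def spd_lookup(spd: list, src_ip: str, dst_ip: str) -> SPDEntry:
    """Ordered walk of the SPD: the first entry whose selectors match wins;
    traffic matching no entry is discarded."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in spd:
        if s in ipaddress.ip_network(e.src_net) and d in ipaddress.ip_network(e.dst_net):
            return e
    return SPDEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD")


def sa_pair(gw_a: str, gw_b: str, mode: str, spi_ab: int, spi_ba: int) -> dict:
    """A full-duplex IPsec tunnel is two unidirectional SAs, keyed by (SPI, dst)."""
    return {(spi_ab, gw_b): SA(spi_ab, gw_a, gw_b, mode),
            (spi_ba, gw_a): SA(spi_ba, gw_b, gw_a, mode)}


def find_sa(sad: dict, src: str, dst: str) -> Optional[SA]:
    return next((s for s in sad.values() if s.src == src and s.dst == dst), None)


def outbound(spd: list, sad: dict, pkt: Packet):
    """Gateway handling of an outbound packet: the SPD decides the disposition,
    then the SAD supplies the SA to apply (NO_SA if none has been negotiated)."""
    e = spd_lookup(spd, pkt.ip.src, pkt.ip.dst)
    if e.action != "PROTECT":
        return e.action, (pkt if e.action == "BYPASS" else None)
    if e.mode == "tunnel":
        local, remote = e.endpoints
        sa = find_sa(sad, local, remote)
        return ("PROTECT", esp_tunnel(pkt, sa.spi, local, remote)) if sa else ("NO_SA", None)
    sa = find_sa(sad, pkt.ip.src, pkt.ip.dst)  # transport mode: SA between the hosts
    return ("PROTECT", esp_transport(pkt, sa.spi)) if sa else ("NO_SA", None)


# Constructed topology from the answer: subnet A 1.1.1.0/24 behind GA and
# subnet B 2.2.1.0/24 behind GB.  Gateway addresses, SPIs and the blocked
# host 1.1.1.10 are made up for this example.
GA, GB = "10.0.0.1", "10.0.0.2"
SPD = [
    SPDEntry("1.1.1.0/24", "1.1.1.0/24", "BYPASS"),    # local LAN traffic in clear
    SPDEntry("1.1.1.10/32", "2.2.1.0/24", "DISCARD"),  # more specific entry listed first
    SPDEntry("1.1.1.0/24", "2.2.1.0/24", "PROTECT", "tunnel", (GA, GB)),
]
SAD = sa_pair(GA, GB, "tunnel", spi_ab=0x1001, spi_ba=0x1002)


def demo():
    """Host 1.1.1.5 sends to 2.2.1.7: GA tunnels it to GB under SPI 0x1001."""
    return outbound(SPD, SAD, Packet(IPHeader("1.1.1.5", "2.2.1.7", 6), b"hello"))
```

Calling `demo()` returns the tunnel-mode result: the outer header reads GA to GB with protocol 50, and the inner header still names 1.1.1.5 and 2.2.1.7, which is exactly the property the answer credits tunnel mode with (the real endpoints are hidden from an observer on the path). Swapping the same packet into `esp_transport` shows the contrast: the outer header keeps the host addresses and only the protocol field changes. The SPD ordering matters too: the `/32` DISCARD entry for 1.1.1.10 only takes effect because it is listed before the broader PROTECT entry.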