CISSP Blog Post 21, Domain 4: Network Tunneling


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Network tunneling is where two networks are connected to one another over the public internet. This is accomplished through different protocols including:

Point-to-Point Protocol (PPP), which can be used with different authentication options. Adding and removing the encapsulating frames is what is called “tunneling”.

Point-to-Point Protocol (PPP) Tunneling

The Password Authentication Protocol (PAP) uses an ID and password to authenticate users; however, the password is sent in clear text.

There are many versions of the Challenge-Handshake Authentication Protocol (CHAP); a common one is MD5-CHAP. CHAP also supports repeated / continuous authentication: if desired, the server can re-authenticate a client on a set time period (e.g. every 4 hours) to reduce the risk of spoofing and session hijacking. In the standard version of CHAP, passwords are stored in clear text on the server, leaving it up to the implementation vendor to decide how to protect those passwords.

The CHAP challenge number is typically a randomized session ID issued for tracking each user. The nonce (short for “number used once”) is typically a time-based session ID that is used only once (a timestamp), which reduces the risk of password replay attacks.

Challenge-Handshake Authentication Protocol (CHAP) Process
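To make the PAP versus CHAP difference concrete, here is a small added example (my own code, not part of the course or this post) that builds the PAP request bytes, implements the MD5-CHAP response as MD5(Identifier || secret || Challenge), and runs the challenge/response rounds described above, including a periodic re-authentication round and a replayed response. The shared secret, usernames and passwords are constructed values; the authenticator class and its method names are mine, not from any PPP implementation.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret. Under standard CHAP the authenticator keeps it in
# clear text, which is why protecting that store is left to the vendor.
SHARED_SECRET = b"constructed-example-secret"

def pap_request(username, password):
    """PAP Authenticate-Request: username and password travel in clear text."""
    return username + b"\0" + password

def chap_response(identifier, secret, challenge):
    """MD5-CHAP response (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side of CHAP (hypothetical helper). Every round, including periodic
    re-authentication, gets a fresh random challenge that is accepted at most once."""
    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.pending = {}        # identifier -> challenge still awaiting a response

    def issue_challenge(self):
        self.identifier = (self.identifier + 1) % 256
        challenge = secrets.token_bytes(16)
        self.pending[self.identifier] = challenge
        return self.identifier, challenge

    def verify(self, identifier, response):
        challenge = self.pending.pop(identifier, None)   # single use: the nonce idea
        if challenge is None:
            return False
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)

def chap_round(auth, peer_secret):
    """One full challenge/response exchange; True only if the peer knows the secret."""
    identifier, challenge = auth.issue_challenge()
    return auth.verify(identifier, chap_response(identifier, peer_secret, challenge))

def replay_captured_response(auth, peer_secret):
    """An observer records one round, then the recorded response is presented again
    in the next round. Returns (first_round_ok, replay_ok)."""
    identifier, challenge = auth.issue_challenge()
    captured = chap_response(identifier, peer_secret, challenge)
    first_ok = auth.verify(identifier, captured)
    next_identifier, _ = auth.issue_challenge()       # e.g. the 4-hour re-authentication
    return first_ok, auth.verify(next_identifier, captured)

def pap_exposes_password(username, password):
    """True when the password is readable in the bytes PAP puts on the wire."""
    return password in pap_request(username, password)
```

The replay fails because the second round carries a new identifier and a new random challenge, so the recorded MD5 value no longer matches; the password never crosses the wire, unlike with PAP where it is readable in the request bytes.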

The Extensible Authentication Protocol (EAP) can be used with passwords, challenge and response (e.g. CHAP), biometrics, tokens, combined protocols (e.g. EAP-TLS), device authentication, etc.

Layer 2 Tunneling Protocol (L2TP) is a hybrid of L2F and PPTP. PPTP was developed by Microsoft; it uses PPP frames and provides encryption. L2F was developed by Cisco; it also uses PPP frames but does not provide encryption, although each L2F tunnel can support multiple connections per user. L2F requires special hardware.

Microsoft & Cisco worked together to combine L2F and PPTP into L2TP. L2TP uses PPP frames, supports multiple connections in a single tunnel, does not require special hardware, but also does NOT provide encryption.

IPSec is a protocol designed to protect IP traffic through the use of an:

  • Authentication Header (AH) which is designed to authenticate source IP addresses, and
  • Encapsulating Security Payload (ESP) which provides encryption of both payload and header if desired.

Security Associations (SAs) are one-way connections using either AH or ESP services. Each SA is uniquely identified by a:

  • Security Parameter Index (SPI) (a session ID for tracking the connection)
  • Destination IP address
  • AH or ESP identifier

Because an SA is one-way, a second SA must be defined for two-way communication.

End-to-end encryption / Transport Mode is where only the payload portion of a packet is encrypted (if encryption is used).

Here’s an example of Transport Mode with ESP:

Transport Mode with Encapsulating Security Payload (ESP)

Link Encryption / Tunnel Mode, by contrast, is where the entire original packet is encrypted, including both the original header and the payload. It is also known as a Gateway-to-Gateway VPN. A trick to help you remember it: “Linc”oln Tunnel -> Tunnel Mode uses “Link” Encryption.

Here’s an example of Tunnel Mode with ESP:

Tunnel Mode with Encapsulating Security Payload (ESP)
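The SA identification triple and the transport versus tunnel mode difference both come together in the following added example (my own code, not the course's and not a real IPSec implementation). It keeps a tiny SA database keyed by (SPI, destination address, protocol), encapsulates the same packet with ESP in transport mode and in tunnel mode, and shows what the outer header exposes, that the receiver rejects a modified packet and a replayed sequence number, and that the reverse direction needs its own SA. Assumptions: the 16-byte-address packet format, the addresses, the keys and the SPIs are all constructed; the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES so the example needs only the standard library; class and function names are mine.

```python
import hashlib
import hmac
import struct

ADDR_LEN = 16  # constructed packet format: 16-byte src, 16-byte dst, then payload

def build_packet(src, dst, payload):
    return src.encode().ljust(ADDR_LEN, b"\0") + dst.encode().ljust(ADDR_LEN, b"\0") + payload

def parse_packet(pkt):
    src = pkt[:ADDR_LEN].rstrip(b"\0").decode()
    dst = pkt[ADDR_LEN:2 * ADDR_LEN].rstrip(b"\0").decode()
    return src, dst, pkt[2 * ADDR_LEN:]

def xor_keystream(key, nonce, data):
    """Stand-in cipher: HMAC-SHA256 in counter mode as a keystream (real ESP uses AES)."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class SecurityAssociation:
    """One-way SA, identified by (SPI, destination address, protocol)."""
    def __init__(self, spi, dst, mode, enc_key, auth_key, proto="ESP"):
        self.spi, self.dst, self.mode, self.proto = spi, dst, mode, proto
        self.enc_key, self.auth_key = enc_key, auth_key
        self.send_seq = 0   # sender's sequence counter
        self.last_seen = 0  # receiver's anti-replay mark (one object models both ends here)

class SADB:
    """Security Association database; the lookup key is the identifying triple."""
    def __init__(self):
        self._sas = {}
    def add(self, sa):
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa
    def lookup(self, spi, dst, proto):
        return self._sas.get((spi, dst, proto))

def esp_protect(sa, packet, gw_src=None, gw_dst=None):
    """Transport mode: original header in clear, payload protected.
    Tunnel mode: whole original packet protected behind a new gateway-to-gateway header."""
    src, dst, payload = parse_packet(packet)
    if sa.mode == "transport":
        inner, outer_src, outer_dst = payload, src, dst
    else:
        inner, outer_src, outer_dst = packet, gw_src, gw_dst
    sa.send_seq += 1
    esp_hdr = struct.pack(">II", sa.spi, sa.send_seq)   # ESP header: SPI + sequence number
    ct = xor_keystream(sa.enc_key, esp_hdr, inner)
    icv = hmac.new(sa.auth_key, esp_hdr + ct, hashlib.sha256).digest()[:16]
    return build_packet(outer_src, outer_dst, esp_hdr + ct + icv)

def esp_unprotect(sadb, wire):
    outer_src, outer_dst, body = parse_packet(wire)
    esp_hdr, ct, icv = body[:8], body[8:-16], body[-16:]
    spi, seq = struct.unpack(">II", esp_hdr)
    sa = sadb.lookup(spi, outer_dst, "ESP")              # SPI + destination + protocol
    if sa is None:
        raise ValueError("no SA for this (SPI, destination, ESP)")
    expected = hmac.new(sa.auth_key, esp_hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: modified in transit or wrong key")
    if seq <= sa.last_seen:
        raise ValueError("replayed sequence number")
    sa.last_seen = seq
    inner = xor_keystream(sa.enc_key, esp_hdr, ct)
    return parse_packet(inner) if sa.mode == "tunnel" else (outer_src, outer_dst, inner)

def _rejected(sadb, wire):
    try:
        esp_unprotect(sadb, wire)
        return False
    except ValueError:
        return True

def demo():
    """Protect one packet in each mode; report what the wire shows and what the receiver rejects."""
    keys = (b"\x11" * 32, b"\x22" * 32)  # constructed keys, shared by both ends
    original = build_packet("10.0.1.5", "10.0.2.7", b"GET /payroll HTTP/1.0")
    t_sa = SecurityAssociation(0x1001, "10.0.2.7", "transport", *keys)   # host to host
    g_sa = SecurityAssociation(0x2001, "203.0.113.2", "tunnel", *keys)   # gateway to gateway
    sadb = SADB()
    sadb.add(t_sa)
    sadb.add(g_sa)
    t_wire = esp_protect(t_sa, original)
    g_wire = esp_protect(g_sa, original, "198.51.100.1", "203.0.113.2")
    result = {
        "transport_visible": parse_packet(t_wire)[:2],  # end hosts still readable on the wire
        "tunnel_visible": parse_packet(g_wire)[:2],     # only the two gateways are readable
        "transport_roundtrip": esp_unprotect(sadb, t_wire) == parse_packet(original),
        "tunnel_roundtrip": esp_unprotect(sadb, g_wire) == parse_packet(original),
        # SAs are one-way: traffic back to the first gateway needs its own (SPI, dst) entry
        "reverse_needs_own_sa": sadb.lookup(0x2001, "198.51.100.1", "ESP") is None,
    }
    tampered = bytearray(t_wire)
    tampered[2 * ADDR_LEN + 8] ^= 0x01                   # flip one ciphertext bit
    result["tampered_rejected"] = _rejected(sadb, bytes(tampered))
    result["replay_rejected"] = _rejected(sadb, t_wire)  # same valid packet a second time
    return result
```

Running `demo()` shows the point of the two figures: in transport mode the outer header still names the real end hosts, while in tunnel mode an observer between the gateways only sees the gateway addresses and the original header rides inside the protected payload.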

To summarize:

Tunneling Protocol   Provides Encryption?
IPSec                Yes, ESP
SSH                  Yes
L2F                  No
L2TP                 No, but yes if partnered with IPSec
PPTP                 Yes
MPLS                 No
TLS/SSL              Yes
PPP                  No

To end our discussion about the OSI model, we’ll touch briefly on how Transport Layer Security (TLS) and Secure Sockets Layer (SSL) work:

TLS/SSL Connection Negotiation Process