# IPSEC TUNNEL MODE
IPSec tunnel mode is the default mode. With tunnel
mode, the entire original IP packet is protected by IPSec. This
means IPSec wraps the original packet, encrypts it, adds a new IP
header and sends it to the other side of the VPN tunnel (IPSec
peer).
Tunnel mode is most commonly used between gateways (Cisco
routers or ASA firewalls), or at an end-station to a gateway, the
gateway acting as a proxy for the hosts behind it.
Tunnel mode is used to encrypt traffic between secure IPSec
Gateways, for example two Cisco routers connected over the Internet
via IPSec VPN. Configuration and setup of this topology is
extensively covered in our Site-to-Site IPSec VPN article. In this
example, each router acts as an IPSec Gateway for their LAN,
providing secure connectivity to the remote network:
Another example of tunnel mode is an IPSec tunnel between a
Cisco VPN Client and an IPSec Gateway (e.g ASA5510 or PIX
Firewall). The client connects to the IPSec Gateway. Traffic from
the client is encrypted, encapsulated inside a new IP packet and
sent to the other end. Once decrypted by the firewall appliance,
the client’s original IP packet is sent to the local network.
In tunnel mode, an IPSec header (AH or ESP
header) is inserted between the IP header and the upper
layer protocol. Between AH and ESP, ESP is most commonly used in
IPSec VPN Tunnel configuration.
The packet diagram below illustrates IPSec Tunnel
mode with ESP header:
ESP is identified in the New IP header with an
IP protocol ID of 50.
The packet diagram below illustrates IPSec Tunnel
mode with AH header:
The AH can be applied alone or together with the ESP, when IPSec
is in tunnel mode. AH’s job is to protect the entire packet. The AH
does not protect all of the fields in the New IP Header because
some change in transit, and the sender cannot predict how they
might change. The AH protects everything that does not change in
transit. AH is identified in the New IP header
with an IP protocol ID of
51.
IPSEC TRANSPORT MODE
IPSec Transport mode is used for end-to-end communications, for
example, for communication between a client and a server or between
a workstation and a gateway (if the gateway is being treated as a
host). A good example would be an encrypted Telnet or Remote
Desktop session from a workstation to a server.
Transport mode provides the protection of our data, also known
as IP Payload, and consists of TCP/UDP header + Data, through an AH
or ESP header. The payload is encapsulated by the IPSec headers and
trailers. The original IP headers remain intact, except that the IP
protocol field is changed to ESP (50) or AH (51), and the original
protocol value is saved in the IPsec trailer to be restored when
the packet is decrypted.
IPSec transport mode is usually used when another tunneling
protocol (like GRE) is used to first encapsulate the IP data
packet, then IPSec is used to protect the GRE tunnel packets. IPSec
protects the GRE tunnel traffic in transport mode.
The packet diagram below illustrates IPSec Transport
mode with ESP header:
Notice that the original IP Header is moved to
the front. Placing the sender’s IP header at the front (with minor
changes to the protocol ID), proves that transport mode does not
provide protection or encryption to the original IP header and ESP
is identified in the New IP headerwith an IP
protocol ID of 50.
The packet diagram below illustrates IPSec Transport
mode with AH header:
The AH can be applied alone or together with the ESP when IPSec
is in transport mode. AH’s job is to protect the
entire packet, however, IPSec in transport mode does not create a
new IP header in front of the packet but places a copy of the
original with some minor changes to the protocol ID therefore not
providing essential protection to the details contained in the IP
header (Source IP, destination IP etc). AH is identified in the
New IP header with an IP protocol
ID of 51.
In both ESP and AH cases with IPSec Transport mode, the IP header
is exposed.
2) Router hardening techniques
Disable unused router interfaces—that’s right, find ANY interface
that is not in use and make sure you issue the
shutdown command
Disable unused services—these typically include:
You also should inspect the network management protocols in use
in your network infrastructure. Remember the following:
SNMP version 1 and 2c transfer passwords (called community strings)
in clear text—if security is required—consider SNMP version
3.
HTTP authentication also sends clear text passwords—when needed,
use HTTPS instead.
Attackers can respond to broadcast DNS lookups—disable DNS when not
in use or configure securely.
Telnet is a clear text protocol—do not use it; instead, use
SSH.
Router Hardening with the Cisco Router and Security and Device
Manager (SDM)
Now one of the reasons that we love Cisco is that they are always
trying to make it easy on us. We see this in the area of router
hardening. In the Graphical User Interface for managing your
perimeter routers, Cisco provides a Security Audit feature. This
feature provides two “modes” of operation. The first is the
Security Audit Wizard and the second is the One-step
Lockdown mode.
The Security Audit Wizard examines your router and then lets you
choose which potential security flaws you want to correct. The
One-step Lockdown mode automatically makes the router hardening
configurations that Cisco would recommend.
Here are the steps of the Security Audit Wizard:
Within the Cisco SDM, choose
Configure then Security
Audit.
Click the Perform Security Audit button.
Click Next and the Security Audit
Interface Configuration page appears —here you are
presented with your router interfaces. It is up to you to select
which of the interfaces connect to your internal networks, and
which of the interfaces connect to your external networks. After
you select these options, choose Next.
The security audit now runs. When it is complete, the SDM presents
you with a report of potential security vulnerabilities on your
device. You can click Save Report in order to save
it. If you select Close, the Security Audit Wizard
continues to the next phase.
In the final phase of the Security Audit Wizard, you can check or
uncheck the vulnerabilities that you want the wizard to
automatically repair. Notice there is even an option for
Fix All.
As you might guess, using the One-step Lockdown mode is even
easier!
Within the Cisco SDM, choose Configure then
Security Audit.
Click the One-step Lockdown button.
Click the Yes button that you want to continue and
the SDM goes about its business of locking down the device for
you.
What exactly does the One-step lockdown do on your device? Well, it
is very busy indeed. Here is a list of the changes made by this
GUI:
Cisco also provides a One-step lockdown-like feature at the
command line! This feature is called AutoSecure. It uses the
command shown below:
auto secure [management | forwarding] [no-interact | full]
[ntp | login | ssh | firewall | tcp-intercept]
Notice that this command can run fully automated like the
One-step Lockdown mode of the Security Audit feature in SDM. You
would issue the command auto secure no-interact.
You should notice also that you can run “subsets” of the command’s
full capabilities. For example, you could run auto secure
managementin order to just harden the network management
capabilities of the router.
You might not be surprised to learn that the Command Line
AutoSecure feature is capable of doing a bit more than the
graphical user interface counterpart. Specifically, Cisco SDM does
not implement these Cisco AutoSecure features:
The Cisco SDM also implements some of the Cisco AutoSecure
features differently. For example:
The SDM disables SNMP but does not configure SNMPv3 (on some
routers).
The SDM enables and configures SSH on crypto Cisco IOS images, but
does not enable SCP or disable other access and file transfer
services, such as FTP for example.
3) a.Application layer firewalls
An application firewall is an enhanced firewall that limits access
by applications to the operating system (OS) of a computer.
Conventional firewalls merely control the flow of data to and from
the central processing unit (CPU), examining each packet and
determining whether or not to forward it toward a particular
destination. An application firewall offers additional protection
by controlling the execution of files or the handling of data by
specific applications.
For best performance, a conventional firewall must be configured by
the user. The user must know which ports unwanted data is likely to
enter or leave through. An application firewall prevents the
execution of programs or DLL (dynamic link library) files which
have been tampered with. Thus, even though an intruder might get
past a conventional firewall and gain entry to a computer, server,
or network, destructive activity can be forestalled because the
application firewall does not allow any suspected malicious code to
execute.
c.Packet filtering
In a software firewall, packet filtering is done by a program
called a packet filter. The packet filter examines the header of
each packet based on a specific set of rules, and on that basis,
decides to prevent it from passing (called DROP) or allow it to
pass (called ACCEPT).
There are three ways in which a packet filter can be configured,
once the set of filtering rules has been defined. In the first
method, the filter accepts only those packets that it is certain
are safe, dropping all others. This is the most secure mode, but it
can cause inconvenience if legitimate packets are inadvertently
dropped. In the second method, the filter drops only the packets
that it is certain are unsafe, accepting all others. This mode is
the least secure, but is causes less inconvenience, particularly in
casual Web browsing. In the third method, if the filter encounters
a packet for which its rules do not provide instructions, that
packet can be quarantined, or the user can be specifically queried
concerning what should be done with it. This can be inconvenient if
it causes numerous dialog boxes to appear, for example, during Web
browsing.
NOTE: As per HOMEWORKLIB POLICY, I am allowed to answer
only 4 questions (including sub-parts) on a single post.
Discuss in detail on IPSEC tunneling and transport mode mechanisms. Discuss the various AAA based hardening...
please I need this, step by step with formulas, avoid using excel. CASE 33 Security Software, Inc. communication in a highly secure and efficient process. The Market Security Software, Inc. (SSI) was a major provider of application software. The firm was proud to be the number two company in the enterprise firewall market. Firewalls ensure network Security for businesses by determining whether to approve or deny access to corporate networks and applications. They have security software that inspects com- munication...