Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
18 Cards in this Set
- Front
- Back
|
VPN
|
Virtual Private Network. Allows secure communication between private LAN and remote hosts over an unsecured public network connection. Using the VPN, security parameters can be applied to certain types of remote communications without affecting other aspects of the network.
|
|
|
Authentication
|
The receiving VPN host or device can verify the source of the data; the sender is, in fact, who she says she is.
|
|
|
Integrity
|
The receiving VPN host or device can ensure that the data was not altered during transit.
|
|
|
Generic Routing Encapsulation (GRE)
[Cisco proprietary] |
Enables a Cisco router to encapsulate a packet in an IP header. The remote router removes this header when the packet is received
|
|
|
Data Confidentiality
|
Because data is encrypted by one endpoint device, then is decrypted by the other endpoint device, data is seen in an unencrypted format only by those devices that should be able to do so.
|
|
|
Anti-replay protection
|
Protection from data, originally sent from an authorized device, being copied and retransmitted by an attacking device. With this type of attack, the attacker successfully copies the identity of the authorized device.
|
|
|
Data Encryption Standard (DES)
|
uses a 56 bit key to encrypt data. These keys have been know to be broken within 24hrs; sometimes as quickly as ten minutes!
|
|
|
Triple Data Encryption Standard (TDES) (Also 3DES)
|
Uses three 56 bit keys (168 bit total). 112 bit encryption is considered efficient. Uses symmetric encryption
|
|
|
Advanced Encryption Standard (AES)
|
AES can run on any Cisco router that has IPSec DES/3DES capability.
|
|
|
Symmetric Encryption (secret key encryption)
|
An algorithm which uses the same key to encrypt and decrypt data. Includes stream algorithms, where one bit/byte is encrypted/decrypted at a time; and block algorithms, where blocks (usually 64 bits) are encrypted/decrypted as a whole. The drawback is that using the same encryption key at both endpoints doubles the risk exposure.
|
|
|
Asymmetric encryption
|
Utilizes two keys for both sender and receiver. The public key encryption scheme involves a public and private key for each user. Prior to the encryption process, the public key is certified by a third party called a Certificate Authority (CA). The CA verifies both the identity of the user and the user's public key. The certificate is a combination of the user's public key and the CA's private root key.
|
|
|
Diffie-Hellman (exponential key exchange)
|
An algorithm that allows VPNs to comply with the IPSec requirement for dynamic key exchange
|
|
|
Dynamic key exchange
|
Encryption key is exchanged between endpoints over the communications channel in lieu of the keys being manually configured on each device by an administrator.
|
|
|
IPSec
|
Protocol suite for securing Internet Protocol communication by authenticating and encrypting each IP packet of a communication session. An end-to-end security scheme that operates at the Internet Layer of the TCP/IP model. Uses three protocols: Authentication Header (AH), Encapsulating Security Payload (ESP), and Security Associations (SA) (to which Internet Key Exchange [IKE] applies)
|
|
|
Authentication Header (AH)
|
Defined in RFC 2402, provides data origin authentication, integrity, and optional anti-replay protection. AH will successfully protect the IP packet's payload; but it cannot provided data confidentiality since some of the fields in the IP header are mutable during transmission (and therefore unpredictable). Less processor intensive than ESP, and may suffice when data confidentiality is not needed.
|
|
|
Encapsulating Security Payload (ESP)
|
Using a header and a trailer to encapsulate data, this protocol provides data origin authentication, anti-replay protection, and data confidentiality. ESP is more demanding of processor resources, and requires strong cryptography; which isn't available and/or allowed everywhere.
|
|
|
IPSec Tunnel Mode
|
The entire IPSec process is transparent to end hosts; specialized IPSec gateway devices handle the IPScec workload. The entire IP packet is encrypted; then this encrypted packet is placed in yet another IP packet (this is the general definition of tunneling -- packet encapsulation).
|
|
|
IPSec Transport Mode
|
End hosts perform the encapsulation. No new IP header is attached when transport mode is used.
|
