IPSec

Duration

18 hours or 3 classroom days

Course Overview

Our IPsec course combines hands-on labs and lecture, giving students a clear understanding of how IPsec works and how to deploy it properly through a study of best practices. The course is vendor neutral, so labs use open source projects such as strongSwan to demonstrate how IPsec is configured and deployed. You will learn best practices for selecting encryption algorithms, along with the advantages and tradeoffs of the security mechanisms managed by IPsec. The Linux skills needed to work effectively at the CLI are also taught. All hands-on labs are written to reinforce each lesson and make the concepts clear.

Detailed Outline

1. Introduction to Tunneling

  • Introduction to Tunneling
    • Course Schedule
  • Encapsulation
    • Tunneling
    • IPsec Site to Site Application
    • Road Warrior Application Based on IPsec
  • GPRS-tunneling protocol and the APN
    • 4G GPRS Tunnel
    • IP Flow Mobility and Seamless Offload
    • SIPTO and LIPA
  • Remote Client
    • Virtual Private Networks
  • Remote Client
    • The “Road Warrior” Remote Access Case
  • Algorithms
    • IPSEC Knobs and settings
    • IPSEC Settings
    • Tunnel Types
  • Other tunneling methods
    • Road Warrior Application Based on SSL/TLS
    • OpenVPN SSL Based VPN
    • Layer 2/3/4 VPNs – Pros and Cons
    • MPLS Tunnels (1 of 2)
    • MPLS Tunnels (2 of 2)
    • VXLAN Flow

2. Security Associations

  • Security Associations
    • VXLAN Flow
  • Architecture
    • IPsec and the Security Association
    • What is a Security Association (SA)?
    • Outbound processing
    • Inbound processing
  • Policy
    • Security Policy Database
    • Security Association Identifiers
    • Security Association Identifiers
    • Security Association Identifiers
  • Configuration
    • Strongswan Config Files and Directories
    • Strongswan ipsec.conf example - 1 of 14
    • Strongswan “left” and “right” Reference
    • Strongswan ipsec.conf example - 2 of 14
    • Strongswan ipsec.conf example - 3 of 14
    • Strongswan ipsec.conf example - 4 of 14
    • Strongswan ipsec.conf example - 5 of 10
    • Strongswan ipsec.conf example - 6 of 14
    • Strongswan ipsec.conf example - 7 of 14
    • Strongswan ipsec.conf example - 8 of 14
    • Strongswan ipsec.conf example - 9 of 14
    • Strongswan ipsec.conf example - 10 of 14
    • Strongswan ipsec.conf example - 11 of 14
    • Strongswan ipsec.conf example - 12 of 14
    • Strongswan ipsec.conf example - 13 of 14
    • Strongswan ipsec.conf example - 14 of 14

3. Just Enough IPsec Legacy

  • Just Enough IPsec Legacy
    • Strongswan ipsec.conf example - 14 of 14
  • RFCs
    • Overview
    • IKEv1 vs IKEv2 (1 of 4)
    • IKEv1 vs IKEv2 (2 of 4)
    • IKEv1 vs IKEv2 (3 of 4)
    • IKEv1 vs IKEv2 (4 of 4)
  • Security Threats
    • Security Threat Icons
    • Authentication
    • Data Origin Authentication
    • Data Integrity
    • Replay Attack
    • Confidentiality
    • Traffic Flow Confidentiality
    • MITM Attack
    • IPSec services

4. tcpdump Overview

  • tcpdump Overview
    • IPSec services
  • Why is it so fast
    • BPF Berkeley Packet Filter Primer
  • commands
    • tcpdump Essentials
    • tcpdump Essentials
    • iptables’ nflog interface

5. Symmetric Encryption

  • Symmetric Encryption
    • iptables’ nflog interface
  • Types
    • Symmetric Key
  • AES
    • AES Conceptual Scheme
    • AES Transformation Tools
    • AES Block Example
    • AES Block Example
    • AES Key
    • Key Expansion
    • XOR (AddRoundKey)
    • S-box or Substitution Box
    • ShiftRows
    • Mix Columns
    • AES Round
    • Multiple Rounds
    • IKEv2 Cipher Suites

6. PKI Encryption

  • PKI Encryption
    • IKEv2 Cipher Suites
  • Vocabulary
  • RSA
    • Public Key Encryption as Privacy
    • Public Key Encryption as Authentication
    • Public Key Encryption: Four Keys = Secure Communications in Both Directions
    • Man in the Middle Certificate Swapping
    • Integrity Check
    • PKI Process Introducing the CA (Certificate Authority)
    • Hashing Algorithms Produce a Mathematical Distillation Called a Digest or Hash
    • Using Hashing Algorithms for Authentication
    • Using Hashing + RSA to Create a Digital Signature
    • Verify the Digital Certificate Verification
    • A Digital Certificate Example
    • SUBJECT and ISSUER Data Elements
    • PEM Format and Base 64
    • TLS Connection Establishment
    • RSA Example 1 of 5 – Clear Text
    • RSA Example 2 of 5 - Deriving the keys
    • RSA Example 3 of 5 – Encrypt using the Public Key
    • RSA Example 4 of 5 – Using the Private Key
    • RSA Example 5 of 5 – Back to clear text
    • Creating Production RSA keys (1 of 2)
    • Creating Production RSA keys (2 of 2)
  • Elliptic Curve
    • Groups
    • The Elliptic Curve Group
    • Why ECC is Secure
    • Comparing RSA to ECC

7. Diffie-Hellman

  • Diffie-Hellman
    • Comparing RSA to ECC
  • Values
    • Diffie-Hellman’s 7 Numbers - Public and Private
    • Diffie-Hellman Introduction
    • Diffie-Hellman’s 7 Numbers Defined
    • Primitive Root
  • Algorithm
    • Discrete Logarithm Problem, Modulo Substitution and Exponents
    • DH Exchange
    • Why Diffie-Hellman works
    • Diffie-Hellman Example

8. Oakley

  • Oakley
    • Diffie-Hellman Example
  • Improving Diffie-Hellman
    • How Oakley Improves Diffie-Hellman
  • Cookies
    • Oakley Cookie Exchange
    • Oakley ID and Hash
    • Oakley Nonce

9. Extensible Authentication Protocol

  • Extensible Authentication Protocol
    • Oakley Nonce
  • XAUTH vs EAP
    • Extended Authentication
    • Man-in-the-Middle Attack Possible with IKE Aggressive Mode and XAUTH
  • Architecture
    • EAP is a Wrapper, not an Authentication Protocol
    • Extensible Authentication Protocol (EAP)
    • Expanded EAP Type
    • Standard EAP Packet Format
    • EAP Identity
    • EAP Authentication method negotiated with NAK
  • How it works
    • Sample EAP Negotiation with NAK
    • 3G EAP AKA Example
    • IKE EAP-AKA/ESP

10. Mode of Operation

  • Mode of Operation
    • IKE EAP-AKA/ESP
  • Types
    • Transport and Tunnel Modes
    • IPsec – Tunnel Mode: Virtual Private Network (VPN)
    • TCP/IP Bypass
    • Transport Mode
    • Authentication Header Tunnel Mode
    • ESP - Transport Mode
    • ESP – Tunnel Mode
    • ESP - Transport Mode
    • ESP – Tunnel Mode
  • Overhead
    • IPsec Tunnel Mode CBC Packet Overhead

11. IPsec Negotiation

  • IPsec Negotiation
    • IPsec Tunnel Mode CBC Packet Overhead
  • Overview
    • Security Association
    • Internet Security Association and Key Management Protocol (ISAKMP)
    • ISAKMP Phases
    • IKE vs ISAKMP
    • The New Standard – IKEv2 RFC 4306 (Dec. 2005) / RFC 5996 (Sept. 2010)
  • IKEv1
    • Internet Key Exchange – IKEv1 Main Mode PSK 1 of 2
    • Internet Key Exchange – IKEv1 Main Mode PSK 2 of 2
    • IKE Aggressive Mode Using Pre-Shared Keys
  • IKEv2
    • IKEv2 – SA Initialization and Authentication
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – Authentication and First Child SA
    • IKE_AUTH Request Details
    • IKEv2 – Authentication and First Child SA
    • IKEv2 – IKE_AUTH Response
    • IKEv2 – Cookie Mechanism Against DoS Attacks
    • IKEv2 – Additional Child SAs
    • Configuration Payload (CP)
    • ISAKMP and IPsec Security Associations
    • Security Association Structure
    • IKEv2 Dead Peer Detection
    • Reading IKEv2 Exchanges in Documentation

12. How NAT Impacts IPsec

  • How NAT Impacts IPsec
    • Reading IKEv2 Exchanges in Documentation
  • Defining the problem
    • NATs
    • The NAT Traversal Problem
    • IPSec Passthrough (Transparent IPSec Connection)
    • The NAT Traversal with UDP Tunneling
    • UDP for Tunneling ESP
    • The NAT Traversal UDP Port Assignment
  • Solving the problem
    • UDP-Encapsulated ESP Header Format
    • NAT-Keepalive Packet Format
    • IKE Header Format for Port 4500
    • NAT-T vs. IPSec-over-UDP
    • The NAT Traversal UDP Port Assignment
    • NAT_DETECTION Notification Data
    • NAT-T Detection Process
    • Tunnel Mode Conflict

13. Encapsulation in Depth

  • Encapsulation in Depth
    • Tunnel Mode Conflict
  • Overview of the options
    • IPsec Encapsulation Options
    • IPsec and the IP Header
    • IPSec and the UDP Header
    • IPsec and the TCP Header
    • IPsec and the ESP Header
    • IPsec and the AH Header
    • ISAKMP Typical Message Format

14. IPsec ESP Protocol

  • IPsec ESP Protocol
    • ISAKMP Typical Message Format
  • Introduction
    • Encapsulating Security Payload (ESP)
  • Methods
    • Encapsulated Security Payload (ESP)
  • Anti-replay
    • Replay detection
  • Encapsulating the data
    • Encapsulating Security Payload Header Fields

15. IPsec AH Protocol

  • IPsec AH Protocol
    • Encapsulating Security Payload Header Fields
  • Issues and Limitations
    • AH Data Protected Fields
  • Modes
    • AH Data Fields
    • Authentication Header Transport Mode
    • Authentication Header Tunnel Mode
    • AH transport vs tunnel mode

16. Penetration Testing

  • Penetration Testing
    • AH transport vs tunnel mode
  • Methods
    • Portscanning 101
    • Host Discovery
    • nmap ike-version
    • Professor Messer’s Quick Reference Guide to NMAP (Scan Option)
    • Professor Messer’s Quick Reference Guide to NMAP
    • ike-scan
    • Trying Different Transforms
    • Trying Different Transforms (2 of 2)

 

Lab Exercises:

  1. Using tmux
  2. Site-to-Site User Deployed Configs with PSK
  3. IPsec Logging
  4. IKEv2 Packet Analysis
  5. Nflog Interface
  6. Challenge - Problem at MS
  7. Road Warrior PSK IKEv2
  8. Challenge - Broken VPN #1
  9. Challenge - Broken VPN #2
  10. x509 Key Generation
  11. Road Warrior x509 IKEv2
  12. Certificate Revocation
  13. Decrypting Existing pcap with Wireshark
  14. Use Wireshark to decrypt IKEv2 from tcpdump
  15. IKEv1 Capture
  16. IKEv1 Analysis
  17. IKEv2 Analysis
  18. Radius
  19. rw-eap-tls-only.md
  20. ikev2-rw-eap-md5-rsa.md
  21. Ram Based IP Pool
  22. Challenge - New Road Warrior
  23. Challenge - Broken Road Warrior #1
  24. Challenge - Broken Road Warrior #2
  25. IKE Penetration Testing

 


Enroll

Self-paced: $ 295 USD

  • Digital course materials
  • Includes 1 year access to videos

Live Instructor via the web: $ 1795 USD

  • Live Instructor Led Webinar
  • A teacher to guide you
  • Plus all the self-paced items

Bring us Onsite:

  • Contact us for onsite quotes

Next Public Course Offerings:

  • Please contact us for the next scheduled event
Onsite: Contact Us

  • Instructor led class
  • Digital and Printed course materials
  • Hands-on Lab access
  • Plus all the self-paced items