Cisco CCNP ISCW Exam Tutorial
Defining Virtual Private Network Features
By Chris Bryant, CCIE #12933
Before we get into the sometimes-complex world of configuring Virtual Private Networks, we need to define terms you'll see over and over during your CCNP ISCW exam studies as well as real-world VPN documentation.
While these terms may sound alike, they are very different, and aren't all performed by the same endpoint. Let's define each term and note where each occurs in a VPN - well, actually we'll start by defining what a VPN is!
You can think of a VPN as a tunnel - actually, VPNs are often referred to as tunnels. We can apply security rules and policies to this tunnel without applying them to other WAN communications. In the following exhibit, a VPN has been created between two routers. Security policies can be enforced on the VPN between those two routers without affecting any WAN communications with other routers.

Data origin authentication allows the receiver to guarantee the source of the packet.

Don't confuse data origin authentication with data confidentiality. Data confidentiality means that only the devices that should see the data in an unencrypted form will see the data that way. The sender encrypts the data before transmitting it, and the recipient decrypts the data - and hopefully nothing happens to that data between sender and receiver!
Well, maybe we better not leave that up to hope! We need to ensure nothing undesirable during transmission, and that's the job of data integrity.
Data integrity means that the recipient of the data can guarantee that the received data is the same as the transmitted data - in short, that the data was not altered during transport.

We also have two terms that sound like polar opposites, but they do actually refer to the same thing.
Anti-replay protection (sometimes just called replay protection) protects against replay attacks, a malicious repeat and/or delay of a valid transmission.
Replay attacks begin innocently enough. In this example, Router C requests proof of identity from Router A. Router A responds with proof of identity. (We'll go into the details of this entire process in a future tutorial.)

Unfortunately for us, an intruder is listening to the conversation and copies Router A's proof of identity.

After A and C are done with their conversation, the Intruder starts a conversation with C, pretending to be A. When C asks for proof of identity, the Intruder submits A's ID, and C just might accept it.

Anti-replay protection can use several different methods of defeating such an attack, including one-time tokens for the proof of identity, or sequence numbers on each transmission, where a repeated sequence number is rejected.
As I mentioned, we'll look at some more detailed examples later in the course, but this gives you a general idea of how replay attacks work.
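As an added example (not part of this tutorial), here is a receiver-side anti-replay check in Python modelled on the sliding-window scheme IPsec ESP uses: every sequence number is accepted at most once, a packet that arrives late but still inside the window is accepted, and anything that has fallen behind the window is dropped. The class and function names, the 64-number window and the sample traffic are my own constructions.

```python
from typing import List, Tuple

WINDOW = 64  # width of the anti-replay window, in sequence numbers (assumed)


class AntiReplayWindow:
    """Receiver-side sliding window (hypothetical helper): accepts each
    sequence number at most once and drops anything older than the window."""

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay
        or has fallen behind the window."""
        if seq <= 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.highest
            mask = (1 << self.window) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.window else 0
            self.bitmap |= 1                   # bit 0 now stands for seq itself
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window:
            return False                       # too old to track: drop it
        if self.bitmap & (1 << offset):
            return False                       # already accepted once: replay
        self.bitmap |= 1 << offset             # late but legitimate packet
        return True


def filter_stream(seqs: List[int], window: int = WINDOW) -> List[Tuple[int, bool]]:
    """Run a stream of sequence numbers through one window and report
    (seq, accepted) for each packet in arrival order."""
    win = AntiReplayWindow(window)
    return [(s, win.check(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed traffic: packets 1-5 arrive, 3 is replayed, 7 arrives
    # before 6 (legitimate reordering), then 4 is replayed.
    for seq, ok in filter_stream([1, 2, 3, 4, 5, 3, 7, 6, 4]):
        print(f"seq {seq}: {'accepted' if ok else 'rejected (replay or too old)'}")
```

The two replayed packets (3 and 4) are the only ones rejected; the out-of-order packet 6 is still accepted because its slot in the window was never used.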
We'll continue our discussion of VPNs in the next installment of my CCNP ISCW exam tutorial series - and in the meantime, purchase your copy of my ISCW Study Package or The Ultimate CCNP Study Package Bundle, which covers all four CCNP exams, and be totally prepared for CCNP exam success!
To your success,
Chris Bryant
CCIE #12933
chris@thebryantadvantage.com