My CCIE Security step 2.0 - Security Protocols, Ciphers and Hash Algorithms

Now that I have returned from Networkers I plan to dedicate a lot more time to passing the written and starting to study for the lab. This will probably be a two-part section just because there is a lot to cover between the protocols, ciphers and hash algorithms. Ciphers were the first section covered.

Basically this is just information to have, so let's just list a few definitions.

  • Symmetric Key - The encryption and decryption keys are related or identical, and it is much faster to compute than asymmetric. Commonly referred to as a shared secret.
  • Asymmetric Key - Encryption and decryption require separate keys. A public key and a private key are required.
  • Block Cipher - Symmetric key cipher which encrypts a group or block of bits at a time. DES and AES are examples of a block cipher.
  • Stream Cipher - Symmetric key cipher that encrypts one bit at a time. RC4 is an example of a stream cipher.

Next I moved on to IKE and IPSEC. Being familiar with VPN tunnels, this section was just a brief overview. I will highlight some of the things I glossed over.

  • Common protocol numbers and ports in IPSEC: ESP - IP protocol 50, AH - IP protocol 51, IKE - UDP 500, NAT-T - UDP 4500
  • NAT-T is short for NAT Traversal in IKE. This basically enables UDP encapsulation of ESP packets so they flow better through firewalls and NAT devices.
  • IPSEC has two modes, tunnel and transport. Tunnel mode is used to encrypt traffic between two gateways, and transport mode is used between two end-stations or between an end-station and a gateway.
  • DH (Diffie-Hellman) is the method used to establish the keys for an IKE security association. DH offers three different modes or groups: Group 1 - 768-bit key, Group 2 - 1024-bit key and Group 5 - 1536-bit key.
  • IKE (Internet Key Exchange) is used to securely establish the security associations for the IPSEC protocol. It has two phases. Phase 1 authenticates the IPSEC peers, negotiates the matching policy to protect the IKE exchange, exchanges keys via DH and establishes the IKE security association. Phase 2 negotiates the IPSEC SA parameters using the existing IKE security association and periodically renegotiates the IPSEC SA to ensure security.
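
To make the DH group sizes above concrete, here is a small added example (my own illustration, not from any Cisco or IKE implementation) that runs the Phase 1 style Diffie-Hellman exchange in IKE group 2, using the 1024-bit MODP prime and generator 2 from RFC 2409. The prime is transcribed from the RFC, so the code self-checks it; the "1024-bit key" in the list is the size of this modulus. Group 2 is used only because the post lists it; it is below current minimums.

```python
import secrets

# RFC 2409 "Second Oakley Group" (IKE DH group 2): 1024-bit MODP prime, generator 2.
# Transcribed by hand; is_probably_prime() guards against a copy error.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probably_prime(p, rounds=8):
    """Fermat check with random bases: cheap sanity test for a transcribed modulus."""
    return p > 2 and p % 2 == 1 and all(
        pow(secrets.randbelow(p - 3) + 2, p - 1, p) == 1 for _ in range(rounds))


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """One peer's private exponent x and public value g^x mod p (its KE payload)."""
    x = secrets.randbelow(p - 2) + 2
    return x, pow(g, x, p)


def dh_shared(peer_public, private, p=GROUP2_P):
    """Shared secret g^(xy) mod p. IKE never uses this raw; SKEYID is derived from it.
    Rejecting 0, 1 and p-1 stops a peer from forcing a trivial shared secret."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def ike_phase1_dh_demo(p=GROUP2_P, g=GROUP2_G):
    """Simulate initiator and responder; return (modulus bits, secrets agree?)."""
    xi, yi = dh_keypair(p, g)   # initiator
    xr, yr = dh_keypair(p, g)   # responder
    return p.bit_length(), dh_shared(yr, xi, p) == dh_shared(yi, xr, p)


if __name__ == "__main__":
    print("group 2 modulus bits, shared secret agrees:", ike_phase1_dh_demo())
```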

If you would like to see a video tutorial on how to set up an IPSEC VPN, please click here. Hopefully tomorrow I can get something up on AH and ESP.
