CCIE SEC Security Protocols & Encryption
RADIUS
Remote Authentication Dial In User Service
UDP
OLD = 1645
New = 1812
Only Encrypts the Password
Accounting
UDP
OLD = 1646
New = 1813
RFC 2865
Obsoletes 2138!
Packet Types
Access-Request
Access-Accept
Access-Reject
Accounting-Request
Accounting-Response
Access-Challenge
Reply ATTRIBUTES
Check ITEMS
VSA
Vendor Specific Attributes
Type 26
Cisco's Vendor ID = 9
1: Cisco-AVPair
250: Account-Info
251: Service-Info
252: Command-Code
RADIUS does not support these protocols
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
/etc/radius/clients (file)
The clients file contains a list of clients that are allowed to make requests of the RADIUS server. Typically, for each client, NAS or AP, you must enter the client IP address along with the shared secret between the RADIUS server and the client and an optional poolname for IP pooling. The file consists of entries in the following form:
A sample entry list appears as follows:
10.10.10.1 mysecret1 floor6
10.10.10.2 mysecret2 floor5
A shared secret is a character string that is configured on both the client hardware and on the RADIUS server. The shared secret is case sensitive and has a maximum length of 256 bytes. The shared secret is not sent in any of the RADIUS packets and is never sent over the network. System administrators must make sure the exact secret is configured on both sides (client and RADIUS server). The shared secret is used for encrypting the user password information and can be used for verifying message integrity by the use of a Message Authenticator attribute. Each client's shared secret should be unique in the /etc/radius/clients file and, like any good password, it is best to use a mixture of uppercase/lowercase letters, numbers, and symbols in the secret. To keep a shared secret secure, make it at least 16 characters in length. The /etc/radius/clients file can be modified using SMIT. The shared secret should be changed often to prevent dictionary attacks. The poolname is the name of the pool from which global IP addresses are allocated during dynamic translation. The system administrator creates the poolname when setting up the RADIUS server. Using a SMIT panel, the poolname is added from Configure Proxy Rules > IP Pool > Create an IP Pool. It is used during server side IP pooling.
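As an added example (not from these notes or from the AIX RADIUS documentation they quote), the Go program below reads a constructed clients file in the form shown above, flags secrets that are shorter than 16 characters, lack a character mix, or are shared between clients, and then applies the RFC 2865 section 5.2 User-Password hiding so the role of the shared secret is concrete: the password is only XORed with MD5 keystream derived from the secret and the Request Authenticator, so a weak or reused secret exposes every password the NAS forwards. The sample entries, the 16-byte Request Authenticator and the passwords are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"crypto/md5"
	"fmt"
	"strings"
	"unicode"
)

// Constructed clients file: the two entries quoted in the notes plus one entry that meets the 16-character, mixed-character advice.
const SampleClients = `# constructed sample, one "client_ip shared_secret [poolname]" per line
10.10.10.1 mysecret1 floor6
10.10.10.2 mysecret2 floor5
10.10.10.3 Vq7!pL2#zR9wE4xT
`

// Client is one clients-file entry (the optional pool name is not kept here).
type Client struct{ IP, Secret string }

// ParseClients returns the entries plus a warning for every secret that is short, lacks a character mix, or is reused.
func ParseClients(text string) ([]Client, []string) {
	var clients []Client
	var warnings []string
	seen := map[string]string{} // secret -> first client IP that uses it
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue // blank, comment or malformed line
		}
		c := Client{IP: f[0], Secret: f[1]}
		if len(c.Secret) < 16 {
			warnings = append(warnings, c.IP+": secret shorter than 16 characters")
		}
		if !mixedCharacters(c.Secret) {
			warnings = append(warnings, c.IP+": secret lacks upper/lower/digit/symbol mix")
		}
		if first, dup := seen[c.Secret]; dup {
			warnings = append(warnings, c.IP+": secret reused from "+first)
		} else {
			seen[c.Secret] = c.IP
		}
		clients = append(clients, c)
	}
	return clients, warnings
}

// mixedCharacters requires at least one character from each of four classes.
func mixedCharacters(s string) bool {
	symbol := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	for _, class := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, symbol} {
		if strings.IndexFunc(s, class) < 0 {
			return false
		}
	}
	return true
}

// userPasswordXor is the RFC 2865 section 5.2 construction: each 16-byte chunk is XORed with
// MD5(secret || previous ciphertext chunk); the Request Authenticator seeds the first chunk.
func userPasswordXor(secret string, auth [16]byte, in []byte, hiding bool) []byte {
	out := make([]byte, len(in))
	prev := auth[:]
	for i := 0; i+16 <= len(in); i += 16 {
		b := md5.Sum(append([]byte(secret), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = in[i+j] ^ b[j]
		}
		if hiding {
			prev = out[i : i+16] // chain on the ciphertext just produced
		} else {
			prev = in[i : i+16] // chain on the ciphertext received
		}
	}
	return out
}

// HideUserPassword NUL-pads to a multiple of 16 bytes (at least one block), as a NAS does for an Access-Request.
func HideUserPassword(secret string, auth [16]byte, password string) []byte {
	p := []byte(password)
	pad := (16 - len(p)%16) % 16
	if len(p) == 0 {
		pad = 16
	}
	return userPasswordXor(secret, auth, append(p, make([]byte, pad)...), true)
}

// RevealUserPassword is the server-side reverse; anyone holding the secret and the packet can do the same.
func RevealUserPassword(secret string, auth [16]byte, hidden []byte) string {
	return strings.TrimRight(string(userPasswordXor(secret, auth, hidden, false)), "\x00")
}

func main() {
	_, warnings := ParseClients(SampleClients)
	fmt.Println(warnings)
	auth := [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16} // constructed Request Authenticator; real ones are random
	hidden := HideUserPassword("Vq7!pL2#zR9wE4xT", auth, "hunter2")
	fmt.Printf("%x -> %s\n", hidden, RevealUserPassword("Vq7!pL2#zR9wE4xT", auth, hidden))
}
```

Only the User-Password attribute gets this treatment, which is the "Only Encrypts the Password" point in the notes; every other attribute travels in clear, and packet integrity depends on the optional Message-Authenticator attribute, which this example does not compute.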
radius-server vsa send
TACACS+
Terminal Access Controller Access-Control System Plus
TCP 49
Encrypts the whole packet body
By default, there are three command levels on the router
privilege level 0—Includes the disable, enable, exit, help, and logout commands
privilege level 1—Includes all user-level commands at the router> prompt
privilege level 15—Includes all enable-level commands at the router# prompt
if-needed
You can move commands around between privilege levels
privilege exec level priv-lvl command
RFC 1492
Ciphers RSA, DSS, RC4
Symmetric Key = Same Key Both Ends
Asymmetric Key = RSA, Pub/Priv key pair
Block Cipher
Encrypts data of a fixed size
Fixed input & output, i.e. 128 bits of plaintext = 128 bits of ciphertext
To encrypt data larger than block size need a "mode of operation"
Most modes of operation require an IV
IV: Initialization Vector. A sort of "dummy" block of data to kick off the process for the real blocks and provide some randomisation
Electronic codebook (ECB)
The simplest of the encryption modes is the electronic codebook (ECB) mode. The message is divided into blocks and each block is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted into identical ciphertext blocks; thus, it does not hide data patterns well.
Cipher-block chaining (CBC)
CBC mode of operation was invented by IBM in 1976. [1] In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks processed up to that point. Also, to make each message unique, an initialization vector must be used in the first block.
Cipher feedback (CFB)
The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. Operation is very similar; in particular, CFB decryption is almost identical to CBC encryption performed in reverse.
Output feedback (OFB)
The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even when applied before encryption.
Counter (CTR)
Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function which produces a sequence which is guaranteed not to repeat for a long time, although an actual counter is the simplest and most popular. CTR mode has similar characteristics to OFB, but also allows a random access property during decryption. Note that the nonce in the CTR diagram is the same thing as the initialization vector (IV) in the diagrams of the other modes. The IV/nonce and the counter can be concatenated, added, or XORed together to produce the actual unique counter block for encryption. CTR mode is well suited to operation on a multi-processor machine where blocks can be encrypted in parallel.
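To make the mode descriptions above concrete, here is an added example (not from the notes) using AES-128 from Go's standard library with a constructed key, IV and three-block message: it counts repeated ciphertext blocks per mode (only ECB leaks the repeated plaintext), decrypts a single CTR block by random access, and shows the bit-flip property of keystream modes that the OFB paragraph mentions. The key, IV and message are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key, IV and message; the message repeats one 16-byte block three times so a pattern leak is easy to spot.
var (
	key = []byte("0123456789abcdef") // AES-128 key (constructed, demo only)
	iv  = []byte("fedcba9876543210") // IV / initial counter block (constructed)
	msg = bytes.Repeat([]byte("ATTACK AT DAWN!!"), 3)
)

func mustAES() cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// Encrypt runs the named mode over pt (ECB and CBC need whole blocks).
func Encrypt(mode string, pt []byte) []byte {
	b := mustAES()
	ct := make([]byte, len(pt))
	switch mode {
	case "ECB": // no chaining and no IV: each block stands alone
		for i := 0; i+16 <= len(pt); i += 16 {
			b.Encrypt(ct[i:i+16], pt[i:i+16])
		}
	case "CBC": // plaintext block XOR previous ciphertext block, then encrypt
		cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	case "CFB": // previous ciphertext block is encrypted to make keystream
		cipher.NewCFBEncrypter(b, iv).XORKeyStream(ct, pt)
	case "OFB": // keystream is the repeatedly encrypted IV
		cipher.NewOFB(b, iv).XORKeyStream(ct, pt)
	case "CTR": // keystream is the encrypted counter block iv, iv+1, ...
		cipher.NewCTR(b, iv).XORKeyStream(ct, pt)
	default:
		panic("unknown mode " + mode)
	}
	return ct
}

// RepeatedBlocks counts ciphertext blocks identical to an earlier one.
func RepeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+16 <= len(ct); i += 16 {
		k := string(ct[i : i+16])
		if seen[k] {
			n++
		}
		seen[k] = true
	}
	return n
}

// CtrBlock decrypts only block idx by starting the counter at iv+idx: CTR's
// random-access property, which CBC decryption lacks.
func CtrBlock(ct []byte, idx int) []byte {
	ctr := make([]byte, 16)
	copy(ctr, iv)
	for carry, i := idx, 15; carry > 0 && i >= 0; i-- { // big-endian add
		carry += int(ctr[i])
		ctr[i] = byte(carry)
		carry >>= 8
	}
	out := make([]byte, 16)
	cipher.NewCTR(mustAES(), ctr).XORKeyStream(out, ct[idx*16:idx*16+16])
	return out
}

// CtrBitFlip flips one ciphertext bit and reports whether the decrypted text differs from msg
// in exactly that bit: keystream modes are malleable, so they need a separate integrity check.
func CtrBitFlip(pos int, bit uint) bool {
	ct := Encrypt("CTR", msg)
	ct[pos] ^= 1 << bit
	pt := Encrypt("CTR", ct) // CTR decryption is the same XOR
	for i := range pt {
		want := msg[i]
		if i == pos {
			want ^= 1 << bit
		}
		if pt[i] != want {
			return false
		}
	}
	return true
}

func main() {
	for _, m := range []string{"ECB", "CBC", "CFB", "OFB", "CTR"} {
		fmt.Printf("%s: %d repeated ciphertext blocks\n", m, RepeatedBlocks(Encrypt(m, msg)))
	}
	fmt.Println("bit flip lands on the same plaintext bit:", CtrBitFlip(20, 3))
}
```

The repeat count is the practical reading of the ECB warning in the notes: with the same key, ECB maps equal plaintext blocks to equal ciphertext blocks, while every chained or keystream mode hides the repetition as long as the IV is not reused. None of these modes authenticate the data, which is what the bit-flip check demonstrates.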
Stream Cipher
Encrypts data bit by bit
Continuous stream
MD5
Message Digest 5
128 Bit
SHA
Secure Hash Algorithm
160 Bit
EAP PEAP TKIP TLS
DES
Data Encryption Standard
3DES
Triple DES
AES
Advanced Encryption Standard
IPSec
IP Security
Provides security at the IP layer to protect the IP layer and those above
Access Control
Connectionless Integrity
Data Origin Authentication
Rejection of replayed packets
Confidentiality (encryption)
Can be used by both Hosts & Gateways
Implemented Methods
Integrated into native IP
Requires access to IP source code
Applicable to hosts & gateways
Bump in the stack
Implemented under IP, before the NIC driver
Good for legacy hosts
Bump in the wire
Implemented by a device, i.e. a firewall or router
off-load crypto processing to another device
Security Associations
Components
SPI: Security Parameter Index
Destination IP (only Unicast supported)
AH or ESP Identifier
AH & ESP can NOT share SAs
AH
Authentication Header
Protocol 51
RFC 2402
Transport Mode
AH is inserted after the IP header and before the upper layer protocol, e.g. TCP, UDP, ICMP etc
Packet Format
Tunnel Mode
Can only be used on "gateway" devices
AH protects the entire IP packet including inner header
Packet Format
Header Format
ESP
Encapsulating Security Payload
Protocol 50
RFC2406
Provides confidentiality, data origin authentication, connectionless integrity & limited traffic flow confidentiality
Packet Header
Transport Mode
ESP is inserted after the IP header and before the upper layer protocols (and before any other IPSEC header)
Packet Format
Tunnel Mode
Used on either Hosts or Gateways
ESP Tunnel protects the entire inner IP packet, including headers
Packet Format
IKE
Internet Key Exchange
UDP 500
CEP
Certificate Enrollment Protocol
TLS
Transport Layer Security
SSL
Secure Socket Layer
PPTP
Point to Point Tunneling Protocol
L2TP
Layer 2 Tunneling Protocol
GRE
Generic Routing Encapsulation
Protocol 47
GRE tunnels are designed to be completely stateless. This means that each tunnel end-point does not keep any information about the state or availability of the remote tunnel end-point.
RFC2784
Packet Form
Security Considerations
Security in a network using GRE should be relatively similar to security in a normal IPv4 network, as routing using GRE follows the same routing that IPv4 uses natively. Route filtering will remain unchanged. However packet filtering requires either that a firewall look inside the GRE packet or that the filtering is done on the GRE tunnel endpoints. In those environments in which this is considered to be a security issue it may be desirable to terminate the tunnel at the firewall.
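The following is an added example, not from the notes or any RFC text, written in Go: a header parser that extracts the SA identifier (SPI, destination IP, AH or ESP) listed under Security Associations, and that, for GRE, strips the delivery header so an inner IPv4 packet can be filtered, which is the point of the security consideration above. The packet bytes are constructed, with addresses from the documentation ranges and a zero IP checksum; no keys are needed because only unencrypted header fields are read.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// SAKey is the triple the notes list as identifying a Security Association.
type SAKey struct {
	SPI   uint32
	Dst   string
	Proto uint8 // 51 = AH, 50 = ESP; the two never share an SA
}

// Summary is what a filter can learn from a packet without holding any keys.
type Summary struct {
	Src, Dst  string
	Proto     uint8
	Seq       uint32   // AH/ESP sequence number (replay-window input)
	SA        *SAKey   // AH/ESP
	InnerType uint16   // GRE: protocol type (EtherType) of the payload
	Inner     *Summary // GRE carrying IPv4: the encapsulated packet
}

// Parse reads an IPv4 packet and, for protocols 51, 50 and 47, the header that follows (offsets from RFC 2402, 2406, 2784).
func Parse(pkt []byte) (*Summary, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 || pkt[0]&0x0f < 5 || len(pkt) < int(pkt[0]&0x0f)*4 {
		return nil, errors.New("not a usable IPv4 packet")
	}
	s := &Summary{Src: net.IP(pkt[12:16]).String(), Dst: net.IP(pkt[16:20]).String(), Proto: pkt[9]}
	p := pkt[int(pkt[0]&0x0f)*4:]
	switch s.Proto {
	case 51: // AH: next header, payload len, reserved(2), SPI, seq, ICV; p[0] shows what AH protects
		if len(p) < 12 {
			return nil, errors.New("truncated AH")
		}
		s.SA = &SAKey{binary.BigEndian.Uint32(p[4:8]), s.Dst, 51}
		s.Seq = binary.BigEndian.Uint32(p[8:12])
	case 50: // ESP: SPI, seq, then encrypted payload and trailer
		if len(p) < 8 {
			return nil, errors.New("truncated ESP")
		}
		s.SA = &SAKey{binary.BigEndian.Uint32(p[0:4]), s.Dst, 50}
		s.Seq = binary.BigEndian.Uint32(p[4:8])
	case 47: // GRE: C flag, reserved, version, protocol type, optional checksum
		if len(p) < 4 || p[1]&0x07 != 0 {
			return nil, errors.New("truncated GRE or unsupported version")
		}
		s.InnerType = binary.BigEndian.Uint16(p[2:4])
		off := 4
		if p[0]&0x80 != 0 {
			off += 4 // checksum and reserved1 fields present
		}
		if s.InnerType == 0x0800 { // inner IPv4: look inside, as the notes require
			var err error
			if s.Inner, err = Parse(p[off:]); err != nil {
				return nil, err
			}
		}
	}
	return s, nil
}

// Carries reports whether the packet, or anything it encapsulates, uses proto; an outer-header-only filter misses the inner case.
func Carries(s *Summary, proto uint8) bool {
	return s != nil && (s.Proto == proto || Carries(s.Inner, proto))
}

// ipv4 builds a minimal 20-byte header (checksum left zero) around payload.
func ipv4(src, dst [4]byte, proto byte, payload []byte) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(payload)))
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return append(h, payload...)
}

// Constructed sample packets using documentation address ranges.
var (
	gw, peer = [4]byte{192, 0, 2, 1}, [4]byte{192, 0, 2, 2}
	// AH over TCP: payload len 4 (24-byte AH, 12-byte ICV), SPI 0x100, seq 1
	SampleAH = ipv4(gw, peer, 51, append([]byte{6, 4, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1}, make([]byte, 12)...))
	// ESP with SPI 0x200, seq 7 and an opaque (encrypted) payload
	SampleESP = ipv4(gw, peer, 50, []byte{0, 0, 2, 0, 0, 0, 0, 7, 0xde, 0xad, 0xbe, 0xef})
	// GRE without checksum carrying an inner IPv4/UDP packet
	SampleGRE = ipv4(gw, peer, 47, append([]byte{0, 0, 0x08, 0x00},
		ipv4([4]byte{10, 1, 1, 1}, [4]byte{10, 2, 2, 2}, 17, make([]byte, 8))...))
)

func main() {
	for _, pkt := range [][]byte{SampleAH, SampleESP, SampleGRE} {
		s, err := Parse(pkt)
		fmt.Printf("%+v err=%v carries UDP: %v\n", s, err, Carries(s, 17))
	}
}
```

For AH and ESP the parser stops at the SA key and sequence number because that is all a device without the SA's keys can see; for GRE it keeps going, which is exactly why the notes say a firewall must either look inside the GRE packet or the tunnel should terminate on the firewall.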
RFC1701
Packet Header
SSH
Secure Shell
PGP
Pretty Good Privacy
Web of Trust
TACACS+ and RADIUS Comparison - Cisco Systems
Added: 2008-12-15 09:43:03