You’re implementing IPsec to protect data in transit. Which of the following is the least feasible through IPsec? (Source: Wentz QOTD)
A. Build a virtual data link over frame relay to connect two remote offices
B. Secure TFTP traffic that updates the firmware of network devices
C. Protect traffic between browsers and the enterprise information portal over LAN
D. Authenticate security gateways that establish the tunnel between two remote offices
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Build a virtual data link over frame relay to connect two remote offices.
IPsec provides security for Internet communications at the IP layer; in other words, it works at the network layer (layer 3). Frame Relay is a packet-switching network that connects multiple locations into an enterprise network through PVCs or SVCs, and it works at the data link layer (layer 2). A Frame Relay link itself does not need IPsec as a VPN to connect enterprise branches. However, if security is a priority, an intranet carried over Frame Relay can still run IP and IPsec on top of it.
There are three common application scenarios of IPsec:
- Gateway-to-gateway: site-to-site VPN that connects two locations
- Host-to-gateway: dial-up VPN that connects a remote user to an enterprise network
- Host-to-host: end-to-end security that protects traffic among hosts (client/server)
It is common to download and update firmware through TFTP. In organizations where security is a concern, the TFTP traffic can be protected by IPsec. HTTP traffic can be protected by IPsec as well.
As noted above, two types of SAs are defined: transport mode and tunnel mode. IKE creates pairs of SAs, so for simplicity, we choose to require that both SAs in a pair be of the same mode, transport or tunnel. (RFC 4301)
Internet Key Exchange (IKE)
IPsec establishes pairs of one-way security associations (SAs), the IKE SA and the IPsec SA (or Child SA), to communicate with peer hosts or gateways. IKEv1 establishes SAs in two phases:
- Phase 1 establishes the IKE SA so that Phase 2 can proceed securely.
- Phase 2 establishes the IPsec SA (Child SA).
A transport mode SA is an SA typically employed between a pair of hosts to provide end-to-end security services.
When security is desired between two intermediate systems along a path (vs. end-to-end use of IPsec), transport mode MAY be used between security gateways or between a security gateway and a host.
- In the case where transport mode is used between security gateways or between a security gateway and a host, transport mode may be used to support in-IP tunneling (e.g., IP-in-IP [Per96] or Generic Routing Encapsulation (GRE) tunneling [FaLiHaMeTr00] or dynamic routing [ToEgWa04]) over transport mode SAs.
- To clarify, the use of transport mode by an intermediate system (e.g., a security gateway) is permitted only when applied to packets whose source address (for outbound packets) or destination address (for inbound packets) is an address belonging to the intermediate system itself.
The access control functions that are an important part of IPsec are significantly limited in this context, as they cannot be applied to the end-to-end headers of the packets that traverse a transport mode SA used in this fashion. Thus, this way of using transport mode should be evaluated carefully before being employed in a specific context. (RFC 4301)
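As an added illustration that is not part of the original post, the following Python models an RFC 4301 Security Policy Database (SPD) lookup for the scenarios discussed above: TFTP and HTTP protected host-to-host in transport mode, site-to-site traffic in tunnel mode, and the quoted restriction that a gateway may apply transport mode only to packets it sources itself. All addresses, entry names and the `decide` function are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of an RFC 4301 SPD: ordered entries, first match wins,
# and a packet that matches no entry is discarded. Sample values are made up.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # next-layer protocol: "tcp", "udp", "gre", ...
    dport: Optional[int] = None

@dataclass
class SPDEntry:
    name: str
    local: str                  # CIDR selector for the local end
    remote: str                 # CIDR selector for the remote end
    proto: Optional[str]        # None = any next-layer protocol
    dport: Optional[int]        # None = any destination port
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    mode: str = "tunnel"        # requested mode when action is PROTECT

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.local)
                and ip_address(pkt.dst) in ip_network(self.remote)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

def decide(spd, pkt, own_addrs):
    """Outbound decision on the system that owns own_addrs -> (action, mode).
    The mode check applies the RFC 4301 rule quoted above: an intermediate
    system may use transport mode only for packets it sourced itself."""
    entry = next((e for e in spd if e.matches(pkt)), None)
    if entry is None or entry.action == "DISCARD":
        return ("DISCARD", None)
    if entry.action == "BYPASS":
        return ("BYPASS", None)
    if entry.mode == "transport" and pkt.src not in own_addrs:
        return ("PROTECT", "tunnel")     # forwarded traffic: tunnel mode only
    return ("PROTECT", entry.mode)

# Sample policy of a branch gateway (203.0.113.1 outside, 192.0.2.1 inside)
# for LAN 192.0.2.0/24 and a remote-office LAN 198.51.100.0/24.
SPD = [
    SPDEntry("ike",  "203.0.113.1/32", "198.51.100.1/32", "udp", 500, "BYPASS"),
    SPDEntry("gre",  "203.0.113.1/32", "198.51.100.1/32", "gre", None, "PROTECT", "transport"),
    SPDEntry("tftp", "192.0.2.0/24", "192.0.2.0/24", "udp", 69, "PROTECT", "transport"),
    SPDEntry("http", "192.0.2.0/24", "192.0.2.0/24", "tcp", 80, "PROTECT", "transport"),
    SPDEntry("site", "192.0.2.0/24", "198.51.100.0/24", None, None, "PROTECT", "tunnel"),
]
```

Evaluating the same LAN packet with the gateway's addresses instead of the host's shows the downgrade from transport to tunnel mode that the quoted restriction requires.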
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.