348 Chapter 7: Security Technologies

Public Key Infrastructure

In the new digital environment, a Public Key Infrastructure (PKI) ensures that sensitive electronic communications are private and protected from tampering. It provides assurances of the identities of the participants in those transactions, and prevents them from later denying participation in the transaction.

PKI provides the following assurances:

Protects privacy by ensuring that data cannot be read by anyone who intercepts it. PKI cannot stop the interception itself, but data that cannot be read is of little use to whoever captures it.

Assures the integrity of electronic communications by ensuring that they are not altered during transmission

Verifies the identity of the parties involved in an electronic transmission

Ensures that no party involved in an electronic transaction can deny involvement in the transaction

Before you send data over the public Internet, you want to make sure that the data, no matter how sensitive, won’t be read by the wrong party. PKI enables data to be sent encrypted by use of public key cryptography and digital signatures.

Public key cryptography ensures the confidentiality of sensitive information or messages by using a mathematical key to scramble (encrypt) data and a related mathematical key to unscramble (decrypt) it. In public key cryptography, authorized users receive encryption software and a pair of keys: a public key, which can be distributed freely, and a private key, which the user must keep secret.

A digital signature (DSS) is an electronic identifier comparable to a traditional, paper-based signature: it is unique and verifiable, and only the signer can produce it.

Before any communication can take place, both parties involved in the data communication must obtain a digital certificate from a Certification Authority (CA), a trusted third party responsible for issuing digital certificates and managing them throughout their lifetime.

Consider the following example: a user named Simon wants to communicate with a user named Sharon. Simon already has his digital certificate, but Sharon has yet to obtain one. Sharon must identify herself to the CA to obtain a certificate, much as you must prove your identity to obtain a passport before travelling abroad. When Sharon obtains her digital certificate, it contains a copy of her public key, the certificate’s expiration date, and the CA’s digital signature. Each of these details is public.

Sharon also receives a private key, which is not shared with anyone. Now that both parties have a DSS (a certificate and a key pair), each can encrypt data using the other’s public key, and only the holder of the matching private key can decrypt it. Pretty Good Privacy (PGP), an application-layer tool, is an excellent example of this type of communication. I suggest you install the software (free demonstration version) and try PKI for yourself. You can find the free software at www.pgp.com.
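The Simon/Sharon exchange above, carried out end to end as an added example (this is not code from the Cisco Press text or from PGP). It assumes textbook RSA on tiny primes and a certificate modelled as a dictionary, purely to make the mechanics visible: the CA signs Sharon's subject name, public key and expiry date; Simon checks the CA signature and the expiry before trusting the key; Simon then encrypts to Sharon's public key and only Sharon's private key recovers the message. The primes, dates and message are constructed values.

```python
"""Toy PKI walk-through: CA-issued certificate, validation, public-key encryption.

Added illustration, not code from the Cisco Press text. Assumption: textbook RSA on
toy-sized primes and a dict-based certificate; real deployments use 2048-bit+ keys,
padding (OAEP/PSS) and X.509 certificates.
"""
import hashlib
from datetime import date


def make_keypair(p, q, e):
    """Textbook RSA key pair from two (toy-sized) primes and a public exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)               # (public_key, private_key)


def rsa_apply(values, key):
    """Modular exponentiation of each integer block with the given key."""
    n, exp = key
    return [pow(v, exp, n) for v in values]


def encrypt(plaintext, public_key):
    # Each byte (< 256) is smaller than the toy modulus, so one byte = one block.
    return rsa_apply(list(plaintext), public_key)


def decrypt(blocks, private_key):
    return bytes(rsa_apply(blocks, private_key))


def sign(message, private_key):
    """Sign the SHA-256 digest of `message`; only the private-key holder can do this."""
    return rsa_apply(list(hashlib.sha256(message).digest()), private_key)


def verify(message, signature, public_key):
    """Anyone holding the public key can check a signature but cannot forge one."""
    recovered = bytes(rsa_apply(signature, public_key))
    return recovered == hashlib.sha256(message).digest()


# --- certificate handling: the CA signature binds subject, key and expiry together ---
def cert_to_bytes(cert):
    return f"{cert['subject']}|{cert['public_key']}|{cert['not_after']}".encode()


def issue_certificate(subject, subject_public_key, not_after, ca_private_key):
    cert = {"subject": subject, "public_key": subject_public_key,
            "not_after": not_after.isoformat()}
    cert["ca_signature"] = sign(cert_to_bytes(cert), ca_private_key)
    return cert                          # every field here is public data


def validate_certificate(cert, ca_public_key, today):
    """Simon's checks before trusting Sharon's key: CA signature first, then expiry."""
    if not verify(cert_to_bytes(cert), cert["ca_signature"], ca_public_key):
        return False                     # altered certificate, or not issued by this CA
    return date.fromisoformat(cert["not_after"]) >= today


def run_scenario(today="2024-01-15", tamper=False):
    """Return the plaintext Sharon recovers, or None if Simon rejects the certificate."""
    ca_pub, ca_priv = make_keypair(61, 53, 17)          # the trusted third party
    sharon_pub, sharon_priv = make_keypair(67, 71, 13)  # Sharon's own key pair
    cert = issue_certificate("Sharon", sharon_pub, date(2025, 12, 31), ca_priv)
    if tamper:
        # Constructed case: the key field was changed after the CA signed the certificate.
        cert = dict(cert, public_key=(4757, 17))
    if not validate_certificate(cert, ca_pub, date.fromisoformat(today)):
        return None
    blocks = encrypt(b"hello Sharon", cert["public_key"])  # Simon uses the certified key
    return decrypt(blocks, sharon_priv)                     # only Sharon's private key works


if __name__ == "__main__":
    print(run_scenario())                        # b'hello Sharon'
    print(run_scenario(tamper=True))             # None: CA signature no longer matches
    print(run_scenario(today="2026-06-01"))      # None: certificate has expired
```

The two rejected cases are the ones that matter operationally: a certificate whose contents changed after issuance fails the CA signature check, and a certificate past its expiry date is refused even though its signature is still valid.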


Virtual Private Networks

A virtual private network (VPN) enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses “tunneling” to encrypt all information at the IP level.

VPN is very loosely defined as a network in which a customer or end user connects to one or more sites through a public infrastructure, such as the Internet or World Wide Web.

We have already discussed dialup VPNs or Virtual Private Dialup Network (VPDN) in Chapter 5, “Security Protocols.”

VPNs are typically set up permanently between two or more sites. Figure 7-6 displays a typical VPN design.

Figure 7-6 VPN Model

[Figure not reproduced. Labels in the figure: Central Site (Alpha) and Remote Sites (Beta and a second remote site), each with its own Private Address space; VPN Tunnels across the Public Address Space of the Internet or Current Service Provider Infrastructure; the inter-router link 131.108.1.0/30.]

Figure 7-6 displays a typical hub (central site) to spoke (remote site) model, where all existing public infrastructure transports data. IP generic routing encapsulation (GRE) tunnels can be set up between the hub and spoke routers, and any protocol can run over the IP tunnel.

Consider an example where the router, Alpha, needs to communicate with the remote site, Router Beta.

At no time should the private address space be advertised to any public domain. Assuming that IP routing is enabled and configured, we can configure an IP GRE tunnel between Alpha and Beta.


Assume that you have a client who wants to create a VPN across your network. The client’s main network is attached via Alpha over the Internet IP cloud. The client has a group of employees in their own IP space on the Ethernet interface. The client has a classless interdomain routing (CIDR) block of 192.1.64.0/20 for the network attached to the Alpha router, and the CIDR block 141.108.32.0/20 for the network attached to the Beta router. The network 131.108.1.0/30 is assigned between the routers and is pingable.

Example 7-9 configures Alpha with a GRE tunnel pointing to the remote IP address 131.108.1.2/30 (Beta’s Serial IP address) and uses 131.108.1.5 for the loopback interface.

Example 7-9 Alpha GRE Tunnel

hostname Alpha
!
interface Loopback0
 ip address 131.108.1.1 255.255.255.255
!
! IP GRE tunnel configuration follows
interface Tunnel0
 ip address 192.1.64.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 131.108.1.2
!
interface Ethernet0/0
 ip address 192.1.65.1 255.255.248.0
!
interface Serial0
 description Link to Beta via Internet Cloud
 ip address 131.108.1.1 255.255.255.252
!
router ospf 1
 ! wildcard 0.0.15.255 matches the client's 192.1.64.0/20 block
 network 192.1.64.0 0.0.15.255 area 0
!
end

Example 7-10 configures Beta with a GRE tunnel pointing to the remote IP address 131.108.1.1/30 and 131.108.1.6/32 for loopback use.

Example 7-10 Beta GRE Tunnel

hostname Beta
!
interface Loopback0
 ip address 131.108.1.2 255.255.255.255
!
! IP GRE tunnel configuration follows
interface Tunnel0
 ip address 192.1.64.2 255.255.255.0
 tunnel source Loopback0
 tunnel destination 131.108.1.1
!
interface Ethernet0/0
 ip address 141.108.32.1 255.255.240.0
!
interface Serial0
 description Link to Alpha via Internet Cloud
 ip address 131.108.1.2 255.255.255.252
!
router ospf 1
 network 141.108.0.0 0.0.255.255 area 0
!
end

The IP GRE tunnel is now configured between the routers Alpha and Beta. Because the tunnel’s source and destination use public address space, the reserved CIDR block 192.1.64.0/20 is never advertised to, or routable over, the public domain. The private traffic can now flow between the hub site and the remote site securely. You can also transport other non-IP protocols over the VPN tunnel, such as Internetwork Packet Exchange (IPX) or AppleTalk. IP GRE tunnels support only IPX or AppleTalk.
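What Tunnel0 does to a private packet, built and parsed by hand as an added example (not code from the Cisco Press text or from Cisco IOS): the inner IPv4 packet between two client hosts is wrapped in a basic RFC 2784 GRE header and an outer IPv4 header (protocol 47) whose addresses are the public tunnel endpoints from Examples 7-9 and 7-10. The decapsulation step is what the far-end tunnel interface performs, and the observer function shows what any device on the public path can read from the packet as it stands: GRE encapsulates, it does not encrypt, so the private addresses and payload travel in the clear unless an encrypting layer is applied to the tunnel. The inner hosts 192.1.65.10 and 141.108.32.10 (taken from the client's CIDR blocks) and the payload are constructed values; GRE checksum, key and sequence options are not modelled.

```python
"""GRE encapsulation/decapsulation for the Alpha-Beta tunnel, built by hand.

Added example, not from the Cisco Press text or Cisco IOS. Assumptions: outer
addresses are the Serial0 addresses of Examples 7-9 and 7-10, inner hosts and
payload are constructed, and only the basic 4-byte GRE header is modelled.
"""
import socket
import struct

GRE_PROTO = 47           # IP protocol number of the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
PROTO_EXPERIMENTAL = 253 # RFC 3692 experimental number, used as a placeholder

# Constructed sample: a host behind Alpha talks to a host behind Beta.
INNER_SRC, INNER_DST = "192.1.65.10", "141.108.32.10"
TUNNEL_SRC, TUNNEL_DST = "131.108.1.1", "131.108.1.2"
PAYLOAD = b"private data"


def ipv4_checksum(header):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Tunnel0 ingress: GRE header plus outer IP header around the private packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol = IPv4
    body = gre + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(body)) + body


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); raises if the header checksum is bad."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:        # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, packet[9], packet[ihl:]


def gre_decapsulate(outer_packet):
    """Tunnel0 egress at the far end: strip outer IP and GRE, return the inner packet."""
    _, _, proto, payload = parse_ipv4(outer_packet)
    if proto != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0xB000:   # checksum/key/sequence present: optional fields not modelled
        raise ValueError("GRE optional fields are not supported in this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type")
    return payload[4:]


def observer_view(outer_packet):
    """What a device on the public path can read without any key: GRE encapsulates
    but does not encrypt, so inner addresses and payload are visible as sent."""
    src, dst, _, payload = parse_ipv4(gre_decapsulate(outer_packet))
    return {"inner_src": src, "inner_dst": dst, "payload": payload}


def build_sample():
    """Encapsulate the constructed private packet exactly as Alpha's Tunnel0 would."""
    inner = ipv4_header(INNER_SRC, INNER_DST, PROTO_EXPERIMENTAL, len(PAYLOAD)) + PAYLOAD
    return gre_encapsulate(inner, TUNNEL_SRC, TUNNEL_DST)


if __name__ == "__main__":
    pkt = build_sample()
    print(parse_ipv4(pkt)[:3])   # ('131.108.1.1', '131.108.1.2', 47): public view
    print(observer_view(pkt))    # inner private addresses and payload, readable
```

The outer header is all a transit router needs to forward the packet (the public /30 addresses and protocol 47), which is why the private 192.1.64.0/20 and 141.108.32.0/20 blocks never have to be advertised on the public side; the observer view is the reason a GRE tunnel on its own is a reachability tool rather than a confidentiality one.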
