William Slater's CYBR 515 Blog

CYBR 515 - Security Architecture and Design

Thursday, October 20, 2011

Post 035 - CYBR 515


Week Eight Assignments

Theme for the Week - IP Security (IPSec)

Learning Objectives:
Design a secure network that provides for end-to-end encryption between hosts using IPSec and certificates.
Model IPSec data packets as they pass through each node of an internetwork.
Describe the main steps in the Internet Key Exchange (IKE) process.
Evaluate the vulnerability to attack of a network that employs IPSec as its only means of security.

Readings:
Chapter 8 in your textbook.

This week:
IPSec provides authentication and encryption at the Internet Protocol (IP) layer of the Open Systems Interconnection model. This is a significant improvement over encryption systems that operate at higher levels, because those systems only work with applications that are security aware. When higher-level security is used, some traffic from a host is sent encrypted (https, SSL/TLS, SSH) and other traffic is sent unencrypted. That means that traffic can be differentiated and isolated by application. IPSec unconditionally encrypts all traffic, making it almost impossible to differentiate traffic from one application from that of another. In addition, IPSec authentication prevents communication from unauthorized originators from being accepted.

This lesson, we examine IPSec and how it handles authentication and encryption/decryption. We'll look at transport and tunnel modes and where and under what conditions they are used. We'll explore IPSec policies and message formats. We'll also cover key exchange methods and cryptographic suites.

I suggest that you begin by doing the reading assignment. It is short this week, and the models are fewer and easier to understand. In addition, read all of the questions in this week's forum assignment. They will provide clues to additional research that will help you master the objectives and complete the assignments. Now, let's get to the assignments.

Assignment 8_1 (On-line Quiz)
Take this ten-question true/false and multiple-choice chapter quiz over the reading assignment. Quizzes are a "participation grade," which means that you can retake them as many times as necessary. However, please be aware that low scores are a sign that you need to go back to the reading assignment, slow down, and read more carefully. You need to take the quiz by the end of the week to earn credit.

Assignment 8_2 (Post to this week's discussion forum)
Read all of the following questions, select one, and post a substantive answer to it on this week's discussion forum in your own words. Please select a question that has not been previously answered by one of your classmates, until all questions have been answered at least once. Once that has been done, you may select any question that has only been answered once. Some of the questions fall outside of the scope of your reading, so be prepared to use other sources to answer them. Once you have submitted your initial post, read each initial post and respond to at least three. Remember to cite your sources. It is important to note that your posts should be in your own words unless I explicitly state otherwise. Copying an answer directly from the Internet to the discussion forum without citing it is considered plagiarism. Copying and properly citing something from the Internet will not fulfill the requirement to express your initial post in your own words, but could be done in cases where you want to share information with the group that is in addition to your initial forum posting for the week.

1. In the Key Points section of our reading assignment, our author states that IP security (IPsec) can be added to either IP version 4 (IPv4) or IP version 6 (IPv6) by means of additional headers. However, many references on the Internet state that IPsec is mandatory with IPv6. Is the author correct or incorrect? Include information on why you arrived at your answer.

2. How does Internet Key Exchange work? Include information about the phases of communication and the underlying protocols that are used.

3. What is the impact to IPsec traffic when it traverses a router that has Network Address Translation enabled? Include a description of Network Address Translation in your answer. By the way, this is an important issue that is not addressed in our text. You will need to use other references to find the answer.

4. What is the difference between IPsec transport mode and tunnel mode? Provide an example of where each could be used.

5. How are cookies used to prevent problems in Internet Key Exchange (IKE)? Also, why are they called cookies, and how are they similar or different to cookies used by Web sites to keep track of visitors?

6. In IPsec, the IPsec header appears after the IP header and before the Secure IP Payload. How and where is that header built, and what does it contain? Is the header encrypted or unencrypted?

7. If IPsec is so great, why isn't everyone using it to encrypt everything? Explain your answer.

8. IPsec uses different combinations of Security Associations (SAs) that are dependent on the configuration and security requirements of network hosts. These associations are referred to as SA bundles. What is the purpose of each SA bundle that is mentioned in the reading? Your answer should include a reference to each bundle and an explanation as to why it is used.

9. In Windows Server architectures, IPsec has traditionally been applied to IPv4 networks using Group Policies. What are group policies and how is IPsec managed using them? Include an explanation of the three different filter actions that can be used in your answer. Again, this topic is not in our text, so you will need outside references to answer the question (or you can answer it off of the top of your head if you are a Microsoft system administrator.) Remember to cite your sources.

10. What are the titles of the two IPsec cryptographic suites mentioned in the reading and what do they represent? Hint: Use the Internet to search for RFC 4308 and RFC 4869.

Our trivia question for the week: In the movie, A Christmas Story, Ralphie gets a decoder ring in the mail that he uses to decode a message from the Little Orphan Annie radio show. What kind of cipher is the ring based on, and how would you use it to encrypt or decrypt messages?

General Posting Guidelines (for participation): Postings are counted as participation for the week. Make sure all postings for this week's assignments are posted to this week's discussion forum. You must post at least two substantive messages to get minimum credit for participation (a 'C' grade). Two messages on different days get a 'B' for participation - more postings (including answering other questions) get more credit. To qualify for an 'A' grade, you must post at least three critical thinking messages on three different days. Postings on the last day of the lesson will not count for credit since other students will not have sufficient time to respond or participate in your discussion. Post early and often. Don't wait until the last minute!
________________________________________
Assignment 8_3
IPSec has built-in protection for numerous different kinds of attacks. Several of these attacks are mentioned at various points in the reading, but they are spread out and difficult to keep organized in their current form. You need to create a table that summarizes the different attack methods. This is one way to gain traction on your study of the threats and countermeasures.
After completing the reading assignment, create a table that contains three columns: Name, Description, and Countermeasures. In the Name column, list the names of all the attacks you can find in the reading. In the Description column, provide a corresponding description of each attack listed in the Name column. In the Countermeasures column, provide a short description of how IPSec protects against the corresponding threat.

Save your work to a Word document as CYBR515 Assignment 8_3_ and attach it to this assignment.

Assignment 8_4 Milestone 3
Our third set of Project milestone deliverables is due this week. In this milestone, we will use everything we have learned up to this point to design improvements to the network infrastructure that improve the security of electronic mail and protect against intruders and malicious software.
As in previous milestones, you are free to use the information from your studies, appropriate sources, and feedback from previous assignments, to help you with this process. Add any changes to your Visio diagram and then revise your Microsoft Word document to incorporate any additional recommendations. You should include any past Visio diagrams as tabs, so we can track changes and progress. Your written discussion should explain your recommendations in enough detail to be easily understood by the "customer." Remember to cite any sources that you choose to use in APA format.

Attach your completed documents to this assignment. Please include CYBR515 Assignment 8_4 and your name in the file name for your diagram and summary. Remember, you only have one opportunity to attach documents, so please attach both documents at the same time.



