This blog provides clarifying information related to IPSec as found on the CompTIA A+ and Security+ exams.
For instructor-led CopmTIA training, see our complete schedule.
Allow me to recap my goal with this series:
Although CompTIA exams are heavily based upon the published exam objectives, CompTIA tends to expand target material by exposing candidates to potential content on their certification exams. Although such questions are not supposed to count toward the exam score, they may be considered valid or may be mere distractions. If they occur on one of the more time consuming simulation questions they can be rather disruptive to the candidate’s focus.
Since the exam objectives may lag technology introduction by three years or more, you may find it beneficial to consider technology extensions to existing exam objectives during your certification preparations. In that light, I will be providing a growing series that introduces new or potentially expanding content.
My goal here is to extend the knowledge you may choose to develop when preparing for CompTIA entry level certification exams relative to IPSec content.
The CompTIA A+ 220-801and 220-802 Exam Objectives only list IPSec within the Acronyms list as referring to ‘Internet protocol security’. You need to understand just a little more information.
IPSec is an open standard suite that enables the use of a variety of protocols to affect data integrity in transit and/or source and destination authentication of hosts connected via IP protocols. Although not limited to PKI, the solution is often compared to PKI public-private key pair implementation due to IPSec ability as a means of authentication, a means of encrypting data, or a means of encrypting data across an authenticated session.
In its simplest description, IPSec is also often compared to traditional or classic VPN solutions, particularly since IPSec has become a standard component of the (newer) L2TP VPN implementation. Classic VPN encrypts packet data content (layer 7 of the OSI model) using a shared (symmetric) key known to the VPN client and VPN server. In Classic VPN, only the Application layer data is encrypted while other IP packet layers are transmitted in the clear and are therefore subject to inspection and analysis by packet sniffers, etc. Classic VPN can subject the host to replay, man-in-the-middle and other malicious attacks. By comparison, IPSec can protect all content within the IP packet, including any content in the header that is not ‘mutable’. In simpler terms, IPSec can encrypt all packet content, including the header except for the IP source and destination addresses. Content that might be affected by NAT or other routing controls is almost the only packet content left in clear text. There are other mutable fields within the IP packet header that are not protected (i.e. DSCP/ToS, ECN, Fragment Offset, TTL, Header Checksum), though you do not need to know these for the CompTIA exams.
The Security+ (SY0-401) Objectives expect substantially greater understanding of the IPSec protocol suite than merely the Acronym listing. Specific references include:
1.4 Given a scenario, implement common protocols and services.
6.2 Given a scenario, use appropriate cryptographic methods.
Use of algorithms/protocols with transport encryption
Transport encryption applications include the use of IPSec as the encryption component of a VPN with L2TP setting up the tunnel. Or IPSec can provide the tunneling and encryption piece of a VPN using the full IPSec suite. Note: that IPSec does not just create a tunnel, so do not select an answer suggesting tunneling as a primary use for IPSec. IPSec is not a tunneling protocol, though is used for tunneling. Often the wording of exam questions may be designed to test your understanding of singular solutions versus solution suites like IPSec.
IPSec is a family of protocols that include:
- Authentication Header (AH) that is a hash used for authentication, message integrity, non-repudiation, and protection from replay attacks. The AH is connectionless, in that it does not require the ESP or IKE components to affect content integrity, and therefore does not require a similar exchange between the source and the destination systems.
- Encapsulating Security Payload (ESP) provides confidentiality through encryption, as well as content integrity. The ESP can provide data origin authentication, connectionless data integrity, anti-replay function, and limited traffic flow confidentiality.
- Security Associations (SA). Although not limited to Internet Key Exchange (IKE), SA is most often referenced in conjunction with IKE or IKEv2. The SA manages security keys and associations. The SA is an algorithm set that enables AH and ESP functionality. SA options include pre-shared keys (symmetric), Internet Key Exchange (IKE and IKEv2), Kerberos Internet Negotiation of Keys (KINK) or IPSECKEY DNS records.
IPSec can be used to authenticate a DNS server before lookup results or responses are accepted. This would prevent DNS poisoning attacks.
IPSec was developed simultaneously to IPv6 though is not a required association. When IPSec is utilized with IPV6, the AH provides far greater protection of the IP header than that provided for IPv4.
Given the requirement to understand IPSec as a transport encryption tool, comparisons are often made to SSL, TLS, SSH, and HTTPS.
- Secure Shell (SSH) is not associated with IPSec, although it often appears in related questions or answer lists since SSH provides a secure channel and encrypted communications.
- An alternate approach often compared to IPSec is the Secure Sockets Tunneling Protocol (SSTP) that can connect to a secure application or a secure web site using just a browser. SSTP uses SSL 3.0 across port 443, using SSL for key exchange and authentication. An example comparison might be that VPN client setup is not needed for SSTP, but it would be needed for IPSec because of the key exchange implementation.
Since IPSec leaves portions of the IP header mutable, IPSec works with Network address translation (NAT). IPSec can also traverse network environments that perform packet encapsulation and limited header modification.
Cisco (and other router manufacturers) are enabling IPSec as a suite on current devices. You may need to know how to enable SSH or IPSec on a Cisco router. The specific command to enable/enforce IPSec is:
Transport input IPSEC
This enforces the use of IPSec for point-to-point authentication.
In my CompTIA Series: Internet Ports blog, I reference several ports commonly associated with IPSec in support of tunneling, authentication, or traffic encryption.
|IPSec (VPN tunneling) uses the following ports:|
50 – Encapsulation Header (ESP)
51 – Authentication Header (AH)
500/udp – Internet Key Exchange (IKE)
4500/udp – NAT traversal
500/tcp – sometimes used for IKE over TCP
You might want to perform a little additional research on your own, for clarification or to reinforce understanding.
Implementing IPSec through a Microsoft Firewall or within a Microsoft Enterprise Environment.
You might want to recall that IPSec is enabled and configured through the Windows Firewall with Advanced Security interface, and may also be configured and controlled at the Local, Site, Domain, or OU level through Group Policy within a Windows Domain/Enterprise environment.
The National Institute of Standards and Technology (NIST) released Special Publication 800-77 covering the use of IPSec VPNs.
Cisco has also released a book covering General IPSec Standards.
You may want a copy for your library if you support IPSec in a routed environment, though summary and reviews for the book should afford you additional insight into some of the protocols and encryption standards supported within the Security Associations (SA) suite. Cisco lists the following standards as supported by IPSec, along with AH and ESP:
- DES Algorithm
- Triple DES Algorithm (3DES)
- Diffie-Hellman (D-H)
- Message Digest 5 (MD5)
- Secure Hash Algorithm-1 (SHA-1)
- Rivest, Shamir, and Adelman Signatures (RSA)
- Internet Key Exchange (IKE)
- Certificate authorities (CA)
IPSec is becoming the preferred Internet transport encryption standard. Expand your knowledge beyond that necessary to pass the exam. Understanding has great value relative to IPSec.
Steve teaches PMP: Project Management Fundamentals and Professional Certification, Windows 10, Windows 7, Windows 8.1 and CompTIA classes in Phoenix, Arizona.