DataComms Group 7 Assignment2020
2) Compare and contrast the Authentication Header (AH) and Encapsulating Security
Payload (ESP) protocols.
[6]
Authentication Header (AH) | Encapsulating Security Payload (ESP)
--- | ---
Provides authentication only: data integrity, data origin authentication and an optional replay protection service | Provides data confidentiality (encryption) as well as authentication (data integrity, data origin authentication and replay protection)
Uses HMAC-MD5 or HMAC-SHA for authentication, covering the entire IP packet including the outer IP header | Uses the same algorithms as AH, but with a different coverage: ESP authenticates only the datagram portion of the IP packet
3) Explain the operations of Virtual Private Network (VPN) with relevance to enforcing
network security.
[7]
A virtual private network (VPN) is software that creates a safe, encrypted
connection over a less secure network, such as the public internet. There are multiple
types of VPN, including Remote Access VPN, Site-to-Site VPN, Mobile VPN,
Hardware VPN and Dynamic Multipoint VPN. A VPN uses tunneling protocols to
encrypt data at the sending end and decrypt it at the receiving end. To provide additional
security, the originating and receiving network addresses are also encrypted. To gain
access to a restricted resource through a VPN, the user must be authorized to use the
VPN app and provide one or more authentication factors, such as a password, security
token or biometric data.
Because the implementation uses public internet access rather than building a
costly private network, IPSec is needed. IPSec provides three main
facilities: an authentication-only function referred to as Authentication Header (AH), a
combined authentication and encryption function called Encapsulating Security Payload
(ESP), and a key exchange function. A private datagram, including its header, is
encapsulated in an ESP packet. The router at the border of the sending site uses its own
IP address and the address of the router at the destination site in the new datagram.
For VPNs, both authentication and encryption are generally desired, because it is
important both to assure that unauthorized users do not penetrate the virtual private
network and assure that eavesdroppers on the Internet cannot read messages sent over
the virtual private network.
At its most basic level, VPN tunnelling creates a point-to-point connection that cannot
be accessed by unauthorized users. To actually create the VPN tunnel, the endpoint
device needs to be running a VPN client (a software application), either locally or in the cloud.
The VPN client runs in the background and is not noticeable to the end user unless there
are performance issues.
The performance of a VPN can be affected by a variety of factors, among them the
speed of users' internet connections, the types of protocols an internet service provider
may use and the type of encryption the VPN uses. In the enterprise, performance can
also be affected by poor quality of service (QoS) outside the control of an organization's
information technology (IT) department.
A limitation is that any device that accesses an isolated network through a VPN presents a
risk of bringing malware into that network environment unless the VPN connection
process includes a requirement to assess the state of the connecting device. Without an
inspection to determine whether the connecting device complies with an organization's
security policies, attackers with stolen credentials can access network resources,
including switches and routers.
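The two answers above make one concrete claim that is worth seeing in bytes: AH authenticates the whole packet including the outer IP header, while ESP encrypts the encapsulated private datagram and authenticates only the ESP portion, and in tunnel mode the border routers' addresses go in the new outer header. The following Python script is an added example written for this page, not code from the assignment or from any IPsec implementation. It builds a toy tunnel-mode AH packet and a toy tunnel-mode ESP packet around the same private datagram, then changes the outer destination address the way a NAT on the path would and checks which integrity check still passes. HMAC-SHA256 truncated to 96 bits stands in for HMAC-SHA-1-96, and an HMAC-based counter-mode keystream stands in for AES (the standard library has no AES); all addresses, keys and SPIs are constructed.

```python
# Toy IPsec tunnel-mode packets: what the AH and ESP integrity checks cover.
# Constructed example, not code from the assignment or from any IPsec stack.
# HMAC-SHA256 truncated to 96 bits stands in for HMAC-SHA-1-96; an HMAC-based
# counter-mode keystream stands in for AES (not in the standard library).
import hashlib
import hmac
import socket
import struct

PROTO_IPIP, PROTO_UDP, PROTO_ESP, PROTO_AH = 4, 17, 50, 51
ICV_LEN = 12                      # 96-bit truncated integrity check value
IP_FMT = "!BBHHHBBH4s4s"          # 20-byte IPv4 header without options

def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IP_FMT, *fields))   # checksum computed with field zeroed
    return struct.pack(IP_FMT, *fields)

def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def zero_mutable(outer: bytes) -> bytes:
    """AH covers the outer header with its mutable fields (TOS, flags/fragment
    offset, TTL, checksum) zeroed; the source and destination addresses stay covered."""
    f = list(struct.unpack(IP_FMT, outer))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IP_FMT, *f)

def build_ah_tunnel(key, inner, osrc, odst, spi, seq):
    """Tunnel-mode AH: outer IP | AH header | inner datagram. The ICV covers all three."""
    ah_len = 12 + ICV_LEN
    outer = ipv4_header(osrc, odst, PROTO_AH, ah_len + len(inner))
    # next header, payload length (in 32-bit words minus 2), reserved, SPI, sequence number
    ah_hdr = struct.pack("!BBHII", PROTO_IPIP, ah_len // 4 - 2, 0, spi, seq)
    mac = icv(key, zero_mutable(outer) + ah_hdr + bytes(ICV_LEN) + inner)
    return outer + ah_hdr + mac + inner

def verify_ah(key, pkt) -> bool:
    outer, ah_hdr = pkt[:20], pkt[20:32]
    mac, inner = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = icv(key, zero_mutable(outer) + ah_hdr + bytes(ICV_LEN) + inner)
    return hmac.compare_digest(mac, expected)

def keystream(key, spi, seq, n) -> bytes:
    out = b""
    for ctr in range(0, n, 32):   # PRF in counter mode; SPI and sequence number act as the nonce
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]

def build_esp_tunnel(enc_key, auth_key, inner, osrc, odst, spi, seq):
    """Tunnel-mode ESP: outer IP | SPI, seq | enc(inner | pad | pad len | next hdr) | ICV.
    The ICV covers SPI, sequence number and ciphertext only; the outer header is not covered."""
    pad_len = (-(len(inner) + 2)) % 4
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_IPIP])
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, spi, seq, len(plain))))
    esp = struct.pack("!II", spi, seq) + cipher
    outer = ipv4_header(osrc, odst, PROTO_ESP, len(esp) + ICV_LEN)
    return outer + esp + icv(auth_key, esp)

def verify_esp(enc_key, auth_key, pkt):
    """Return the decapsulated inner datagram, or None when the ICV does not match."""
    esp, mac = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(mac, icv(auth_key, esp)):
        return None
    spi, seq = struct.unpack("!II", esp[:8])
    plain = bytes(a ^ b for a, b in zip(esp[8:], keystream(enc_key, spi, seq, len(esp) - 8)))
    return plain[:-(plain[-2] + 2)]          # strip padding, pad length and next header

def rewrite_outer_dst(pkt, new_dst):
    # what a NAT on the path does: change the outer destination and fix the IP checksum
    f = list(struct.unpack(IP_FMT, pkt[:20]))
    f[9], f[7] = socket.inet_aton(new_dst), 0
    f[7] = ip_checksum(struct.pack(IP_FMT, *f))
    return struct.pack(IP_FMT, *f) + pkt[20:]

def coverage_demo() -> dict:
    auth_key, enc_key = b"constructed-auth-key", b"constructed-enc-key"
    # private datagram between hosts at the two sites (constructed addresses)
    inner = ipv4_header("10.1.1.1", "172.16.1.1", PROTO_UDP, 5) + b"hello"
    ah = build_ah_tunnel(auth_key, inner, "203.0.113.1", "198.51.100.1", 0x100, 1)
    esp = build_esp_tunnel(enc_key, auth_key, inner, "203.0.113.1", "198.51.100.1", 0x200, 1)
    return {
        "ah_ok": verify_ah(auth_key, ah),
        "ah_after_nat": verify_ah(auth_key, rewrite_outer_dst(ah, "192.0.2.9")),
        "esp_ok": verify_esp(enc_key, auth_key, esp) == inner,
        "esp_after_nat": verify_esp(enc_key, auth_key, rewrite_outer_dst(esp, "192.0.2.9")) == inner,
    }
```

Running `coverage_demo()` returns `ah_ok` and `esp_ok` as True, `esp_after_nat` as True, and `ah_after_nat` as False: the AH check fails as soon as the outer addresses change, because they are inside its coverage, whereas ESP still verifies and still yields the original private datagram. The inner datagram's own addresses are never visible on the wire in the ESP case, which is the confidentiality property the answer above describes.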
To simplify the handling of addresses, the Internet authorities impose three restrictions
on classless address blocks:
Classful routing places one restriction on when a router can use its default route,
resulting in cases in which a router has a default route but chooses to discard
a packet rather than forward it based on that default route. IPv4 uses the
concept of classes: the address space is divided into five classes, namely A, B, C, D and E.
Each class is described below.
• Class A: The first octet is the network portion. Octets 2, 3, and 4 are for subnets/hosts.
In a class A address, the first bit of the first octet is always ‘0’. Thus, class A
addresses range from 0.0.0.0 to 127.255.255.255 (as 01111111 in binary converts to
127 in decimal). The first 8 bits or the first octet denote the network portion and the
remaining 24 bits or the other 3 octets belong to the host portion. Example: 10.1.1.1
• Class B: The first two octets are the network portion. Octets 3 and 4 are for
subnets/hosts.
In a class B address, the first octet would always start with ‘10’. Thus, class B
addresses range from 128.0.0.0 to 191.255.255.255. The first 16 bits or the first two
octets denote the network portion and the remaining 16 bits or two octets belong to the
host portion.
Example: 172.16.1.1
• Class C: The first three octets are the network portion. Octet 4 is for subnets/hosts.
In a class C address, the first octet would always start with ‘110’. Thus, class C
addresses range from 192.0.0.0 to 223.255.255.255. The first 24 bits or the first three
octets denote the network portion and the remaining 8 bits or the last octet belong
to the host portion.
Example: 192.168.1.1
• Class D: Used for multicast addressing. In a class D address the first octet would
always start with ‘1110’. Thus, class D addresses range from 224.0.0.0 to
239.255.255.255. Class D addresses are used by routing protocols like OSPF, RIP, etc.
Example: 239.2.2.2
• Class E: Reserved for research purposes and future use. The first octet in a
class E address starts with ‘1111’. Thus, class E addresses range from 240.0.0.0 to
255.255.255.255.
The terms classless and classful also characterize both IP addressing and IP routing
protocols, so a fair amount of confusion exists as to the meaning of the terms.
As Applied To | Classful | Classless
--- | --- | ---
Addresses | Addresses have three parts: network, subnet, and host. | Addresses have two parts: subnet or prefix, and host.
Routing Protocols | Routing protocol does not advertise masks nor support VLSM; RIP-1 and IGRP. | Routing protocol does advertise masks and support VLSM; RIP-2, EIGRP, OSPF.
Routing (Forwarding) | IP forwarding process is restricted in how it uses the default route. | IP forwarding process has no restrictions on using the default route.
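The class rules above (leading bits of the first octet) and the "three parts versus two parts" row of the table can be checked on a concrete address. The following Python script is an added example for this page, not code from the assignment: it derives the class from the leading bits exactly as listed for classes A to E, splits an address the classful way (network fixed by the class, then host) and the classless way (prefix taken from the supplied mask, then host), and shows the two views disagreeing for the same address. The address 172.16.200.7 and the /20 mask used in the demo are constructed; only the standard library is used.

```python
# Classful versus classless view of the same IPv4 address.
# Constructed example, not code from the assignment; the address in
# split_demo() is made up. Uses only the standard library.
import ipaddress

# leading bits of the first octet decide the class, as listed for classes A to E
CLASS_LEADING_BITS = (("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110"), ("E", "1111"))
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}   # D (multicast) and E (reserved) have no host part

def ipv4_class(addr: str) -> str:
    first_octet = format(int(addr.split(".")[0]), "08b")   # e.g. 172 -> "10101100"
    for cls, lead in CLASS_LEADING_BITS:
        if first_octet.startswith(lead):
            return cls
    raise ValueError(addr)   # unreachable: every 8-bit pattern matches one row

def classful_split(addr: str) -> dict:
    """Three-part classful view: class, network (length fixed by the class) and host."""
    cls = ipv4_class(addr)
    if cls not in CLASSFUL_PREFIX:
        return {"class": cls, "network": None, "host": None}
    net = ipaddress.ip_network(f"{addr}/{CLASSFUL_PREFIX[cls]}", strict=False)
    host = int(ipaddress.ip_address(addr)) & int(net.hostmask)
    return {"class": cls, "network": str(net), "host": host}

def classless_split(cidr: str) -> dict:
    """Two-part classless view: prefix (from the mask, whatever the class) and host."""
    iface = ipaddress.ip_interface(cidr)
    return {"prefix": str(iface.network), "prefixlen": iface.network.prefixlen,
            "host": int(iface.ip) & int(iface.network.hostmask)}

def split_demo() -> dict:
    addr = "172.16.200.7"                      # constructed: first octet 10101100, so class B
    return {"classful": classful_split(addr), "classless": classless_split(addr + "/20")}
```

For 172.16.200.7 the classful view reports class B and network 172.16.0.0/16 with host number 51207, while the classless view with a /20 mask reports prefix 172.16.192.0/20 with host number 2055; the third octet's top four bits have moved from the host part to the prefix, which is exactly the mask information that classful routing protocols such as RIP-1 cannot carry.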