Hello everybody. Thanks for joining us. My name is Mitch Densely, I work for Palo Alto Networks, I'm a security training engineer, and today we're going to talk about IPsec.

So typically when two remote sites want to share information and they want to share it securely, they need to hide that information. And a great way of doing that is through a VPN tunnel, by encrypting the traffic. The tunnel is effectively a logical result of encrypting traffic as it crosses an unsecure medium like the internet. So in our scenario we've got two remote sites. We call this site 1, and we've got another site, call this site 2. And these systems are virtually connected through, like I said earlier, the insecure medium; we'll just call this the World Wide Web, all right.

So before these two systems can identify each other and begin secured communication, we have to establish some cryptographic settings. Those cryptographic settings typically go into what we are going to call an Internet Key Exchange (IKE) crypto profile, or in some cases they're called IKE policies. And there are two phases to Internet Key Exchange, so we'll call this IKE phase 1, and then down here, we have IKE phase 2. The same IKE settings, and that's crucial, the same IKE settings go into the opposing firewall, or the peer, so that when one wants to talk to the other, they know what each other is going to say.

Then you establish a gateway. And this is how the two peers get identified with one another. The IKE crypto settings feed into the gateway, and communication between the two starts out, as I said earlier, in IKE phase 1, where the two sites first identify each other and authenticate, and establish what we call a security association. When the two gateways establish communications with each other, this communication all happens over UDP port 500. The settings that go into the IKE phase 1 cryptographic profile can be remembered through a nice mnemonic, H-A-G-L-E, "haggle" or "hagel" depending on where you're from.
The first H is for hash, the A is authentication, the G, this is going to be your Diffie-Hellman group, and think of this as your asymmetric encryption key pair, and there's a lifetime, and then lastly encryption. And this is going to be your symmetric, or bulk data transport, encryption.

Now that the two peers have identified each other and authenticated with each other, they're ready to move into IKE phase 2. In IKE phase 2 we have what we call IPsec, or IP security, crypto settings on both sides. These settings must also match on both peers. These settings then feed into the behavior of a tunnel interface. This is a logical interface in the firewall or router. Between these two tunnel interfaces, symmetrically encrypted traffic traverses. Now that we have our two tunnel interfaces and their cryptographic settings are feeding into the tunnel, we establish secured communications through a logical tunnel, and this is going to be your bulk data transport. And this is going to be IP protocol 50.

If you want to look at the traffic from start to finish, we're going to start out with our original traffic as it comes into the firewall or router. It's going to hit the routing table, and a decision is going to be made on whether it should go through the gateway and traverse through the internet in clear text, or if it needs to go down to the tunnel interface and be encrypted. So your normal clear-text traffic is going to have an IP header. It's going to have a TCP or UDP header, and then some payload. When this traffic gets encrypted, it can be encrypted in one of two modes.

Our first mode we're going to call transport mode. Transport mode isn't the most popular for IPsec VPN tunnels, simply because the original IP header isn't encrypted. So let's see how that looks. The original TCP or UDP headers are encrypted, as well as the payload. And we add on a new ESP trailer, ESP for Encapsulating Security Payload.
Unencrypted are an ESP header and our original IP header. And finally, we add on an ESP auth. This auth is used to authenticate everything from the ESP header down to the ESP trailer.

Tunnel mode, however, is the most preferred, because the original IP header is also encrypted. Let's see how that looks. IP header, TCP or UDP header, payload, ESP trailer. And as before with transport mode, the ESP header is unencrypted, and now we add a new IP header, and then lastly we have our ESP auth. And that auth trailer contains a hash of everything including the ESP header, back to the ESP trailer.

Now sometimes an ISP could have a network address translation boundary somewhere in between the two sites. And so in order to get through that, we have to turn on a new feature for tunnel mode called NAT traversal, and all that does is add a new UDP header right behind the new IP header, so that that UDP header can translate between routers. So we're going to add tunnel mode with NAT traversal. And the way it will look is: our new IP header, we have our UDP header, and then our ESP header. This UDP header will be used across port 4500. Everything after that is encrypted until we get to the ESP auth. And this ESP auth trailer is used to authenticate all of the traffic from the original ESP header back.

So that's how IPsec works. The communication gets established between the two firewalls or routers, and this is how the traffic looks if you're looking at it in Wireshark or some other packet capture tool for troubleshooting. I'm Mitch Densely, thanks for joining us.
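The packet layouts described above (transport mode, tunnel mode, and tunnel mode with NAT traversal on UDP/4500), built and then dissected the way a capture tool would see them, as an added example that is not part of Mitch's presentation or any Palo Alto Networks code. It assumes constructed keys, constructed addresses from the documentation ranges, and zeroed IP/UDP checksums, and it stands in HMAC-SHA256 in counter mode for the AES transform a real security association would negotiate in IKE phase 2 (the standard library has no AES); the ESP header, trailer, ICV placement, next-header values (4 for IP-in-IP in tunnel mode, 6 or 17 in transport mode), IP protocol 50 and the UDP/4500 non-ESP marker are the real ones. No IKE exchange is simulated; the keys are simply shared by both ends here.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 4, 6, 17, 50
NATT_PORT = 4500           # UDP port for NAT-T encapsulated ESP (and IKE once NAT is detected)
ICV_LEN = 16               # truncated HMAC-SHA256 ICV, HMAC-SHA-256-128 style
IP_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header; checksum left 0 because nothing here is transmitted."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))


def keystream(key, spi, seq, n):
    """Stand-in cipher: HMAC-SHA256 in counter mode, keyed per SPI and sequence number.
    Illustrative only; a real SA uses the AES transform negotiated in IKE phase 2."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]


def esp_encapsulate(enc_key, auth_key, spi, seq, inner, next_header, block=16):
    """ESP header || encrypted(inner || padding || pad_len || next_header) || ICV."""
    pad_len = (-(len(inner) + 2)) % block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    plain = inner + trailer
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, spi, seq, len(plain))))
    header = struct.pack("!II", spi, seq)                    # the only ESP fields in the clear
    icv = hmac.new(auth_key, header + cipher, hashlib.sha256).digest()[:ICV_LEN]
    return header + cipher + icv                             # ICV covers header through trailer


def esp_decapsulate(enc_key, auth_key, esp):
    """Verify the ICV over header+ciphertext, then decrypt and strip the trailer."""
    spi, seq = struct.unpack("!II", esp[:8])
    cipher, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expect = hmac.new(auth_key, esp[:8] + cipher, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ESP ICV mismatch: tampered packet or wrong auth key")
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(enc_key, spi, seq, len(cipher))))
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:len(plain) - 2 - pad_len]


def transport_mode(enc_key, auth_key, spi, seq, src, dst, l4_proto, l4_segment):
    """Original IP header stays in the clear; only the L4 header and payload go inside ESP."""
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, l4_segment, l4_proto)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(enc_key, auth_key, spi, seq, gw_src, gw_dst, inner_packet, natt=False):
    """Whole original packet goes inside ESP (next header 4, IP-in-IP) behind a new
    gateway-to-gateway IP header; with natt=True a UDP/4500 header sits in between."""
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, inner_packet, IPPROTO_IPIP)
    if natt:
        udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp), 0)
        return ipv4_header(gw_src, gw_dst, IPPROTO_UDP, 8 + len(esp)) + udp + esp
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def dissect(enc_key, auth_key, pkt):
    """What a capture tool sees on the wire, plus the inner fields once decrypted."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:total]
    info = {"outer_src": ".".join(map(str, src)), "outer_dst": ".".join(map(str, dst))}
    if proto == IPPROTO_ESP:
        info["encap"], esp = "ESP (IP protocol 50)", body
    elif proto == IPPROTO_UDP and body[2:4] == NATT_PORT.to_bytes(2, "big"):
        esp = body[8:int.from_bytes(body[4:6], "big")]
        if esp[:4] == b"\x00\x00\x00\x00":      # non-ESP marker: IKE, not ESP, on 4500
            info["encap"] = "IKE over UDP/4500 (non-ESP marker)"
            return info
        info["encap"] = "UDP-encapsulated ESP (NAT-T, UDP/4500)"
    else:
        info["encap"] = "cleartext, IP protocol %d" % proto
        return info
    spi, seq, nh, inner = esp_decapsulate(enc_key, auth_key, esp)
    info.update(spi=spi, seq=seq, authenticated_len=len(esp) - ICV_LEN,
                encrypted_len=len(esp) - 8 - ICV_LEN)
    if nh == IPPROTO_IPIP:                       # tunnel mode: a full IP packet inside
        _, _, _, _, _, _, iproto, _, isrc, idst = struct.unpack(IP_FMT, inner[:20])
        info.update(mode="tunnel", inner_src=".".join(map(str, isrc)),
                    inner_dst=".".join(map(str, idst)), inner_proto=iproto)
    else:                                        # transport mode: only an L4 segment inside
        info.update(mode="transport", inner_proto=nh)
    return info


def sample_tcp_syn():
    """Constructed 20-byte TCP SYN header (sport 40000 -> 443) used as the inner payload."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)


if __name__ == "__main__":
    enc, auth = b"\x11" * 32, b"\x22" * 32                    # constructed demo keys
    seg = sample_tcp_syn()
    inner = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, len(seg)) + seg
    for p in (transport_mode(enc, auth, 0x2000, 1, "10.1.1.5", "10.2.2.9", IPPROTO_TCP, seg),
              tunnel_mode(enc, auth, 0x1000, 7, "203.0.113.1", "198.51.100.2", inner),
              tunnel_mode(enc, auth, 0x1000, 8, "203.0.113.1", "198.51.100.2", inner, natt=True)):
        print(dissect(enc, auth, p))
```

The `authenticated_len` and `encrypted_len` fields in the dissector output make the two spans from the talk concrete: the ICV covers the ESP header through the trailer, while only the bytes after the 8-byte ESP header (SPI and sequence number) are encrypted, so a tampered ciphertext byte is rejected before any decryption happens. In a real capture the outer IP and, for NAT-T, the UDP/4500 header are all Wireshark can show without the keys.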