We want to think about secure protocols, and the use of secure protocols along with the use of keys. This is very important. One of the big security protocols we often talk about and use is IPSec, or IP Security. It's actually a suite of protocols that allow us to communicate securely by providing mechanisms to both authenticate and encrypt. In the networking and telecommunications conversations that we will have, in one of our upcoming conversations in the next knowledge area, we'll talk about IPSec with regards to L2TP, Layer Two Tunneling Protocol. L2TP is a protocol that's used to create, effectively, secured endpoints: a tunnel from point A to point B. We're going to be able to connect between those two endpoints using a tunnel, a layer two tunnel, as in layer two of the OSI model. The problem with L2TP is that while it creates a tunnel, it has no authentication and no encryption capabilities natively. All it is is just a tunnel: start here, end there. We don't know who's on the starting end. We don't know who's on the ending end. And we don't know how to safely transfer information between those two in a way that people won't be able to see it, if all we do is use L2TP. So what we need, and what we often hear about in the way we implement L2TP, is to use L2TP with IPSec. And that's how you hear it referred to: a VPN tunnel, or VPN, is created using L2TP with IPSec. IPSec, the IP security protocol, is bound to the L2TP tunnel, bolts on, and adds the authentication and the encryption capabilities that we need, to not just safely send information down a tunnel, but to do so by authenticating and encrypting that information. We use what's known as Authentication Headers, AH, to authenticate. And we use what's known as Encapsulating Security Payload functionality, ESP, to encrypt. And this is how IPSec works. Authentication headers, as I just mentioned, are going to be used to prove the identity of the sender.
So this is integrity, non-repudiation, authentication. Who are we? Yes, we did this. It was us. Couldn't have been anybody else. That's what we're going to be doing, so this is the integrity and non-repudiation function in IPSec. It's driven by the use of Authentication Headers. Encapsulating Security Payload, as I mentioned, is going to encrypt the data packets, right? Ensuring integrity, but also confidentiality. Nobody's messed with them, and by the way, we have confidentiality: nobody's been exposed, nothing has been exposed. That's Encapsulating Security Payload. We do this by creating what are known as Security Associations, or SAs. The SA is going to define the mechanism, in effect the agreement, that communication will take place between, or be used to, in other words, drive communication between two known endpoints. I'm sitting over here, I want to connect to somebody over there. We can't just look at each other and go, okay, L2TP, IPSec, go, right, everybody connects. So we have to instead negotiate that connection and establish the rules in order to make that work. The SAs, the Security Associations, are negotiated in each direction. We have a one-way SA and then another one-way SA that goes between the two parties. Each SA, going one direction, negotiates and creates an agreement for the communication and connection items that have to be specified coming from one party to the other. We do it the other way going back. We have two SAs, each unidirectional. And as a result, we are then able to transmit in both directions, as you can see. To set up two-way communication, we establish two SAs. The SAs are negotiated between the secure endpoints, the ones that use IPSec. Part of the IPSec setup is the negotiation of the SAs. IPSec can be used in two different modes: it can be used in what's known as transport mode or tunnel mode.
We often think about this, and remember, at least I do, and anyone that talks to customers and talks to students, and try to get them to think about it in very simple terms. So if we think about the fact that we transport, we kind of drive, right? When we're transporting, we transport or drive information up to the router to send it out remotely across the wire. So we're going to transport to the router, to the default gateway. So we transport across the LAN, right? Because how do we get from our machine to the router, to the default gateway? We move across the LAN, the Local Area Network. We transport over the LAN, and then when we get to the router we switch from the LAN side to the WAN, the Wide Area Network side, to go out the router and to go to the other side where we want to effectively establish the end of the tunnel, right? And so, we're going to transport on the LAN and we're going to tunnel through the WAN, the Wide Area Network. Getting to the other side by establishing the tunnel between two endpoints involves communicating between one or more routers across a Wide Area Network. So as a result, we transport over the LAN, we tunnel through the WAN. If that helps you to remember the function that we're talking about, or where it occurs, hopefully that's a good thing and it will help you. We transport, or use transport mode, on the LAN between endpoints, between a machine and the router. That's where we're going to operate IPSec in transport mode. When we get into the router and we go over to the WAN side of the router and connect one router to another to create our tunnel, we're going to use IPSec in tunnel mode. So that's where we see that, on the WAN. Please make sure you are comfortable with the difference between the two modes. We also use IKE, Internet Key Exchange.
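The pieces just described, two unidirectional SAs, AH for integrity, ESP for confidentiality plus integrity, and the difference between transport mode (host header kept, payload wrapped) and tunnel mode (whole packet wrapped behind a new gateway-to-gateway header), can be seen in a small working model. The following is an added illustration, not code from the lecture or from any IPSec implementation: header layouts are simplified, HMAC-SHA256 truncated to 96 bits provides the integrity check value, an HMAC-based keystream stands in for the real cipher (real ESP uses AES), and every address, SPI and key is a constructed sample value.

```python
"""Toy model of unidirectional SAs, AH, ESP, transport mode and tunnel mode.
Added illustration, not the lecture's or any IPSec implementation's code.
Layouts are simplified; keys, SPIs and addresses are constructed samples."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

AH, ESP, TCP = 51, 50, 6      # IANA protocol numbers in the IPv4 "protocol" field
IPIP = 4                      # next-header value for an encapsulated IPv4 packet
ICV_LEN = 12                  # truncated HMAC, as HMAC-SHA256-96 does

@dataclass(frozen=True)
class SA:
    """One unidirectional security association: SPI, endpoints, protocol, mode, keys."""
    spi: int
    src: str
    dst: str
    proto: int        # AH or ESP
    mode: str         # "transport" or "tunnel"
    auth_key: bytes
    enc_key: bytes = b""

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6], pkt[20:]

def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def keystream(key, spi, seq, n):
    """Toy stream cipher keyed per SA and per sequence number. NOT for real use."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def protect(sa, pkt, seq):
    """Apply an outbound SA to a plaintext IPv4 packet; returns the packet as sent on the wire."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if sa.mode == "tunnel":
        inner, next_hdr = pkt, IPIP        # whole original packet is wrapped...
        osrc, odst = sa.src, sa.dst        # ...behind a new gateway-to-gateway header
    else:
        inner, next_hdr = payload, proto   # transport: keep the host header, wrap the payload
        osrc, odst = src, dst
    hdr = struct.pack("!II", sa.spi, seq)  # SPI + sequence number (anti-replay)
    if sa.proto == ESP:
        # ESP: encrypt payload + next-header trailer, then authenticate SPI, seq and ciphertext
        ct = xor(inner + bytes([next_hdr]), keystream(sa.enc_key, sa.spi, seq, len(inner) + 1))
        body = hdr + ct + icv(sa.auth_key, hdr + ct)
    else:
        # AH: no encryption; the ICV also covers the (immutable) outer addresses
        tag = icv(sa.auth_key, socket.inet_aton(osrc) + socket.inet_aton(odst) + hdr + bytes([next_hdr]) + inner)
        body = hdr + bytes([next_hdr]) + tag + inner
    return ipv4_header(osrc, odst, sa.proto, len(body)) + body

def unprotect(sad, pkt):
    """Inbound: look up the SA by SPI, verify the ICV, decrypt, and rebuild the original packet."""
    osrc, odst, proto, body = parse_ipv4(pkt)
    spi, seq = struct.unpack("!II", body[:8])
    sa = sad.get(spi)
    if sa is None or sa.proto != proto:
        raise ValueError("no inbound SA for SPI 0x%x" % spi)
    hdr = body[:8]
    if proto == ESP:
        ct, tag = body[8:-ICV_LEN], body[-ICV_LEN:]
        if not hmac.compare_digest(tag, icv(sa.auth_key, hdr + ct)):
            raise ValueError("ESP integrity check failed")
        pt = xor(ct, keystream(sa.enc_key, spi, seq, len(ct)))
        inner, next_hdr = pt[:-1], pt[-1]
    else:
        next_hdr, tag, inner = body[8], body[9:9 + ICV_LEN], body[9 + ICV_LEN:]
        expect = icv(sa.auth_key, socket.inet_aton(osrc) + socket.inet_aton(odst) + hdr + bytes([next_hdr]) + inner)
        if not hmac.compare_digest(tag, expect):
            raise ValueError("AH integrity check failed")
    return inner if sa.mode == "tunnel" else ipv4_header(osrc, odst, next_hdr, len(inner)) + inner

# Constructed sample topology: host 10.0.0.5 behind gateway 203.0.113.1 talks to
# host 192.168.1.9 behind gateway 198.51.100.7; one SA per direction, different keys each way.
SA_A_TO_B = SA(0x1001, "203.0.113.1", "198.51.100.7", ESP, "tunnel", b"auth-a2b", b"enc-a2b")
SA_B_TO_A = SA(0x2002, "198.51.100.7", "203.0.113.1", ESP, "tunnel", b"auth-b2a", b"enc-b2a")

if __name__ == "__main__":
    plain = ipv4_header("10.0.0.5", "192.168.1.9", TCP, 5) + b"hello"
    wire = protect(SA_A_TO_B, plain, seq=1)
    print("outer header:", parse_ipv4(wire)[:3])     # gateways only, protocol 50
    print("payload hidden:", b"hello" not in wire)
    print("round trip ok:", unprotect({SA_A_TO_B.spi: SA_A_TO_B}, wire) == plain)
```

Running it shows why each half of the lecture matters: in tunnel mode only the two gateway addresses and protocol 50 are visible on the WAN, the inner hosts and payload are hidden; in transport mode the original host header stays in the clear and only the payload is wrapped; with AH the payload stays readable but any change to it, or to the addresses, fails the check; and a packet arriving under an SPI the receiving gateway has no inbound SA for is dropped, which is exactly the role of the per-direction negotiation.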
IKE is actually going to allow us to effectively provide the identity information we need to identify each other as we set up and establish the IPSec secure communication channel. So IKE is used to actually drive the exchange of the private session keys, the KEKs that we talked about, right? The Key Encrypting Keys, to be able to establish session keys. We're going to do all that stuff using IKE. IKE is one of the protocols that's going to be used in order to be able to do this, or one of the mechanisms that's going to allow us to do this. Remember we talked about Diffie-Hellman, and Diffie-Hellman is an algorithm that is used to drive key exchange, and we may see that deployed here. Or we may see another protocol, another solution, called Oakley, which is used for key exchange as well. It's another protocol that can be used. We may use what's called S/MIME, or Secure/Multipurpose Internet Mail Extensions. We may have MIME, you may know about MIME, it's an older thought process. S/MIME is the newer, updated version that is more secure. So the idea here is that this is how we send digitally signed and encrypted messages. We actually use S/MIME to do the digital signing and the encrypting of e-mail, and this is how we do it. It allows us to encrypt e-mails and digitally sign them. S/MIME has to be implemented in your email client. So if you're using Outlook as your MAPI email client on the desktop, Outlook is going to support S/MIME extensions. Outlook supports digitally signing and digitally encrypting email. If you use another mail client, whatever it may be, it doesn't matter. As long as that mail application supports the use of S/MIME, it will let you digitally sign and/or digitally encrypt. Now you may need to either add in or somehow turn on functionality. You may need to add a cryptographic module, or install a digital signature module, or things like that to augment the functionality and make it available.
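The Diffie-Hellman exchange that IKE relies on, and the step from the agreed secret to the keys that protect an SA, can be walked through in a few lines. The following is an added illustration, not code from the lecture or from any IKE implementation. The group is a toy (2^127 - 1 is prime, but far too small for real use; IKE uses the RFC 3526 MODP groups or elliptic-curve groups), the key derivation follows the IKEv2 shape of SKEYSEED = prf(Ni | Nr, g^ir) followed by prf+ but omits the IKE SPIs, and the nonces and exponents are generated locally.

```python
"""Diffie-Hellman agreement of the kind IKE uses, plus an IKEv2-style derivation
of session keys from the shared secret. Added illustration, not the lecture's or
any IKE implementation's code. Toy group; prf+ simplified (SPIs omitted)."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # toy prime modulus, labelled as such; real IKE uses RFC 3526 groups
G = 2

def dh_keypair(p=P, g=G):
    """Pick a private exponent x and compute the public value g^x mod p."""
    priv = secrets.randbelow(p - 3) + 2        # 2 <= priv <= p-2
    return priv, pow(g, priv, p)

def validate_public(y, p=P):
    """Reject degenerate peer values (0, 1, p-1): accepting them lets a peer force
    the shared secret to a known value, so an IKE implementation must check this."""
    if not 1 < y < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return y

def dh_shared(priv, peer_pub, p=P):
    """g^xy mod p as a fixed-width big-endian byte string."""
    s = pow(validate_public(peer_pub, p), priv, p)
    return s.to_bytes((p.bit_length() + 7) // 8, "big")

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def ike_keys(shared, nonce_i, nonce_r, nbytes):
    """SKEYSEED = prf(Ni | Nr, g^ir), then prf+ expansion (RFC 7296 section 2.14, simplified)."""
    skeyseed = prf(nonce_i + nonce_r, shared)
    out, t, i = b"", b"", 1
    while len(out) < nbytes:
        t = prf(skeyseed, t + nonce_i + nonce_r + bytes([i]))
        out += t
        i += 1
    return out[:nbytes]

def exchange():
    """Both sides of one exchange; returns the two independently derived key blocks."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)   # IKE nonces
    xi, yi = dh_keypair()                                       # initiator
    xr, yr = dh_keypair()                                       # responder
    # Only yi, yr, ni and nr cross the wire; xi and xr never leave their hosts.
    k_init = ike_keys(dh_shared(xi, yr), ni, nr, 64)
    k_resp = ike_keys(dh_shared(xr, yi), ni, nr, 64)
    return k_init, k_resp

if __name__ == "__main__":
    a, b = exchange()
    print("both sides derived the same keys:", a == b)
```

The point to take from it is the one the lecture makes: the private exponents never travel, yet both ends arrive at the same key material, and every run produces fresh keys because the exponents and nonces are new each time. The public-value check is the practical caveat: a peer that sends 1 or p-1 would make the "shared" secret predictable, so real IKE stacks reject such values before deriving anything.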
But the fact that the application itself supports the use of S/MIME is the reason why it will actually work.