ccna vpn raid qans

Upload: amritpal-singh

Post on 05-Apr-2018


  • 7/31/2019 Ccna VPN Raid Qans

    1/117

CCNA Questions

Ques 1:- What is the Difference between Hub and Switch?
Ans :-

HUB
1. Hub is a Layer 1 device.
2. Hub is not a more intelligent device.
3. Hub does not read the frame.
4. Hub always broadcasts in the network.
5. We cannot configure a hub.
6. In a hub the rate of data transmission is slow.
7. Hub is a half-duplex device.
8. The rate of data transmission is divided in a hub.
9. Hub does not provide packet filtering in the network.
10. Hub is a single broadcast domain.
11. Hub is a single collision domain.
12. Hub does not create any table.

SWITCH
1. Generally a switch is a Layer 2 / Layer 3 device.
2. Switch is a more intelligent device.
3. Switch reads the frame.
4. Switch provides conditional broadcasting in the network.


Manageable Switch: we can configure a manageable switch, which means we can create VLANs in this switch. With the help of this switch we can create a separate broadcast domain in the network.

Ques 3:- How many types of Switch?
Ans :- There are two types of switch:
1. Normal Switch
2. Manageable Switch

Ques 4:- What is the Difference between Switch and Bridge?
Ans :- Generally a switch and a bridge have the same functionality in the network, but there is one major difference between switch and bridge:
Bridge: a maximum of 16 ports are available.
Switch: a maximum of 100 ports are available.

Ques 5:- What is the Function of Router?
Ans :- A router is a device that provides the connectivity between two or more different network IDs. Router is a Layer 3 device of the OSI model.

Ques 6:- What is the function of Layer 2 Switch?
Ans :- A Layer 2 device provides the connectivity within a single network ID, as for example:
1. Switch
2. Bridge

Ques 9:- What is the function of Layer 3 Device?
Ans :- A Layer 3 device provides the connectivity between two or more different network IDs, as for example:
1. Router
2. Layer 3 Switch

Ques 10:- How many Types of Router are Available in the Network?
Ans :- There are two types of router in the network:
1. Fixed Router, i.e. 2500 Series
2. Modular Router, i.e. 1600, 1700, 2600, 3600, 4500 and above Series

Ques 11:- What are the Differences between Fixed Router and Modular Router?
Ans :- Fixed Router: we cannot add an additional serial port as well as


5. Auxiliary Port: remote configuration of the router.

Ques 13:- What is Broadcast Domain?
Ans :- Whenever one computer sends a broadcast message in the network and another computer receives that broadcast message, in that case we can say both computers belong to a single broadcast domain.
1. Hub is a single broadcast domain.
2. Switch is a single broadcast domain by default.
3. Router is a separate broadcast domain.
4. Bridge is a single broadcast domain by default.

Ques 14:- What is Collision Domain?
Ans :- Whenever two computers send a message to each other at the same time, a collision will happen; in that case we can say both computers belong to a single collision domain.
1. Hub is a single collision domain.
2. Switch is a separate collision domain.
3. Bridge is a separate collision domain.
4. Router is a separate collision domain.

Ques 15:- What is VLAN?

Ques 18:- What is the function of BPDU {Bridge Protocol Data Unit}?
Ans :- BPDU stands for Bridge Protocol Data Unit. It is basically used in spanning tree operation in the network. It detects looping in the network.

Ques 19:- What is Trunk?
Ans :- Trunks carry multiple VLAN traffic in the network. Trunks are always configured on a Fast Ethernet port.

Ques 20:- What is Uplink Port?
Ans :- An uplink port provides the connectivity between two or more network devices in the network.

Ques 21:- What is Native VLAN?
Ans :- By default VLAN 1 is available on the switch and all of the ports are members of that VLAN; that is called the native VLAN. We cannot modify or delete the native VLAN, but we can change the membership of any port in the switch.

Ques 22:- How many types of VLAN?

VLAN in the switch. For dynamic VLAN we use a VMPS server. VMPS stands for VLAN Management Policy Server.

Ques 24:- What is Routing?
Ans :- Routing routes a packet from one network ID to another network ID. Routes are created on the router. Layer 3 devices provide routing in the network, as for example a Layer 3 switch and a router.

Ques 25:- What is Routing Table?
Ans :- The routing table is stored on the router in the network. All of the routes available on the router are in the routing table. Whenever the router receives any packet from one network, the router then finds the destination network in the routing table and then sends that packet to the respective router in the network.

Ques 26:- How many methods to create a Route on the Router?
Ans :- There are two methods to create a route on the router:
1. Static routing: in static routing the administrator manually creates a route on the router. It is basically used for smaller size networks.


Default static routing: if only one exit point is available on the router, in that case we create a default static route on the router.

Ques 28:- What is IOS {Internetwork Operating System}?
Ans :- IOS stands for Internetwork Operating System. IOS works as an interpreter between the hardware device and the user interface.

Ques 29:- What is Protocol?
Ans :- A protocol is a set of rules and regulations that provides the communication between two or more different devices in the network.

Ques 30:- How many types of Protocol in the Network?
Ans :- There are two types of protocol in the network:
1. Routing Protocol, i.e. RIP, IGRP, EIGRP, OSPF
2. Routed Protocol, i.e. TCP/IP, IPX/SPX, AppleTalk

Ques 31:- What is the Difference between Routing Protocol and Routed Protocol?


Ans :- Except for Cisco, all of the other companies' routers only support industry standard routing protocols. These companies' routers only support the RIP and OSPF routing protocols in the network. But Cisco has developed its own routing protocols, which are called Cisco standard routing protocols. IGRP and EIGRP are the Cisco standard routing protocols in the network. Cisco says that its routing protocols are more intelligent routing protocols than RIP and OSPF, and also that if you use its router, the router supports all of the routing protocols in the network, such as RIP, IGRP, EIGRP, OSPF.

Ques 33:- What is AD {Administrative Distance}?
Ans :- AD stands for Administrative Distance. Administrative Distance defines the intelligence of any dynamic routing protocol in the network. The lower the AD, the more intelligent the routing protocol. Whenever we enable two or more dynamic routing protocols on the router, the AD is used.

Ques 34:- What is BGP {Border Gateway Protocol}?
Ans :- BGP stands for Border Gateway Protocol. It provides the communications between two or more different environments in


Ans :- The Root Bridge is the master switch in the network. Every switch has an ID number; that number is called the Bridge ID. The switch with the lowest Bridge ID becomes the Root Bridge and the rest of the switches are non-root bridges in the network. Root bridge and non-root bridge depend on the Bridge ID. Bridge ID is a combination of priority + MAC address. This term is basically used in spanning tree operation in the network.

Ques 37:- What is Non-Root Bridge?
Ans :- A non-root bridge is a secondary switch in the network. The Root Bridge is the master switch in the network. This term is basically used in STP operation in the network.

Ques 38:- What is Root Port?
Ans :- It is the port on the non-root bridge that is connected to the Root Bridge with the lower port ID. This port is always in forwarding state. It is also called the designated port.

Ques 39:- What is Forwarding Stage?
Ans :- Every port is in one of two states:
1. Forwarding state: in forwarding state we can send the packet as


Ques 41:- What are the Differences between RIP, IGRP, EIGRP and OSPF Routing Protocol?
Ans :-
1. RIP-:
RIP stands for Routing Information Protocol. It is an industry standard dynamic routing protocol. It is not a more intelligent dynamic routing protocol. It is basically used for smaller size organizations. It supports a maximum of 15 routers in the network; the 16th router is unreachable.
It is denoted by R in the routing table. Its Administrative Distance is 120. In the RIP routing protocol we cannot create a separate administrative boundary in the network.
It calculates the metric in terms of hop count from the source network to the destination network. The lower the hop count, the better the route for that particular network.
It works on the Bellman-Ford algorithm. RIPv1 does not support VLSM; RIPv2 supports VLSM.
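The RIP behaviour just described (hop-count metric, lowest hop count wins, 16 hops means unreachable, Bellman-Ford style updates) can be reproduced with a few lines of distance-vector code. The block below is an added example, not part of the original Q&A: it runs synchronous table exchanges over a constructed five-router topology and over a constructed 17-router chain to show the 15-hop limit. Router names and prefixes are constructed; split horizon and timers are deliberately left out.

```python
# Added example (not from the original Q&A): a distance-vector route computation
# in the style of RIP as summarised in Ques 41: the metric is hop count, the
# lowest hop count wins, and 16 hops means unreachable. Router names and
# prefixes are constructed; the exchange is a simplified synchronous Bellman-Ford.
INFINITY = 16   # RIP's "unreachable" hop count

# Constructed topology: router -> {neighbour: hops over the direct link}.
LINKS = {
    "R1": {"R2": 1, "R3": 1},
    "R2": {"R1": 1, "R4": 1},
    "R3": {"R1": 1, "R4": 1},
    "R4": {"R2": 1, "R3": 1, "R5": 1},
    "R5": {"R4": 1},
}
# Directly connected networks each router originates (constructed).
CONNECTED = {
    "R1": ["10.1.0.0/24"], "R2": ["10.2.0.0/24"], "R3": ["10.3.0.0/24"],
    "R4": ["10.4.0.0/24"], "R5": ["10.5.0.0/24"],
}

def rip_converge(links, connected, max_rounds=64):
    """Exchange full tables round by round until nothing changes.
    Returns {router: {network: (hop_count, next_hop)}}."""
    tables = {r: {net: (0, None) for net in nets} for r, nets in connected.items()}
    for _ in range(max_rounds):
        changed = False
        # Every router advertises a snapshot of its table (a RIP update).
        adverts = {r: dict(t) for r, t in tables.items()}
        for router, neighbours in links.items():
            for nbr, cost in neighbours.items():
                for net, (hops, _) in adverts[nbr].items():
                    new_hops = min(hops + cost, INFINITY)
                    cur_hops, _ = tables[router].get(net, (INFINITY, None))
                    if new_hops < cur_hops:          # lower hop count wins
                        tables[router][net] = (new_hops, nbr)
                        changed = True
        if not changed:
            break
    return tables

def best_route(tables, router, network):
    """(hops, next_hop) for an installed route, or None if unreachable (>= 16)."""
    hops, next_hop = tables[router].get(network, (INFINITY, None))
    return None if hops >= INFINITY else (hops, next_hop)

def chain_topology(n):
    """Constructed linear chain R1 - R2 - ... - Rn, one network per router,
    used to show the 15-hop limit."""
    links = {f"R{i}": {} for i in range(1, n + 1)}
    for i in range(1, n):
        links[f"R{i}"][f"R{i + 1}"] = 1
        links[f"R{i + 1}"][f"R{i}"] = 1
    connected = {f"R{i}": [f"10.{i}.0.0/24"] for i in range(1, n + 1)}
    return links, connected

if __name__ == "__main__":
    tables = rip_converge(LINKS, CONNECTED)
    print("R1 -> 10.5.0.0/24:", best_route(tables, "R1", "10.5.0.0/24"))
    chain = rip_converge(*chain_topology(17))
    print("R1 -> 10.16.0.0/24:", best_route(chain, "R1", "10.16.0.0/24"))  # 15 hops
    print("R1 -> 10.17.0.0/24:", best_route(chain, "R1", "10.17.0.0/24"))  # None
```

On the chain, R16's network sits exactly 15 hops from R1 and is installed, while R17's network would cost 16 hops, is capped at INFINITY and never enters R1's table.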

2. IGRP-: IGRP stands for Interior Gateway Routing Protocol.

3. EIGRP-: EIGRP stands for Enhanced Interior Gateway Routing Protocol.
It is a Cisco standard routing protocol. It is a more intelligent routing protocol than RIP and IGRP. It is basically used for medium to larger size organizations in the network. It supports a maximum of 255 routers in the network. Its Administrative Distance is 90. It calculates the metric in terms of bandwidth and delay. EIGRP works on the DUAL (Diffusing Update Algorithm) algorithm.
EIGRP is denoted by D in the routing table. EIGRP supports VLSM. EIGRP creates three tables in the router:
1. Neighbor Table
2. Topology Table
3. Routing Table

4. OSPF-: OSPF stands for Open Shortest Path First.
The OSPF routing protocol creates three tables in the router:
1. Neighbor Table
2. Database Table
3. Routing Table

Ques 42:- What is CIDR {Classless Inter Domain Routing}?
Ans :- CIDR stands for Classless Inter Domain Routing.

Ques 43:- What is VLSM {Variable Length Subnet Mask}?
Ans :- VLSM stands for Variable Length Subnet Mask. Whenever we use different subnet masks across the entire organization, that architecture is called VLSM.

Ques 44:- What is CLSM {Constant Length Subnet Mask}?
Ans :- CLSM stands for Constant Length Subnet Mask. Whenever we use the same subnet mask across the entire organization, that architecture is called CLSM.

Ques 45:- What is the function of Console Cable?
Ans :- With the help of a console cable we configure the router, switch and PIX.


Ans :- A Layer 1 device provides the communication within a single network ID, as for example hub, repeater, cable, NIC.

Ques 49:- What is VTP {VLAN Trunking Protocol}?
Ans :- VTP stands for VLAN Trunking Protocol. It is basically used in a VLAN environment. VLAN Trunking Protocol provides the sending and receiving of multiple VLAN information in the network.

Ques 50:- How many types of VTP Operation Mode?
Ans :- There are three types of VTP operation mode in the network:
1. VTP Server mode
2. VTP Client mode
3. VTP Transparent mode
By default all of the switches are in VTP Server mode in the network.

Ques 51:- What is the difference between VTP Server Mode, Client Mode and Transparent Mode?

    Ans :-


receive the VLAN information from other switches, and this switch cannot send its own VLAN information to other switches in the network. That means we can say this switch does not participate in the VLAN configuration in the network.

Ques 52:- What is Switching Method in the Network?
Ans :- The switching method defines how data is sent as well as received from one switch to another switch in the network. There are three types of switching method in the network:
1. Store-and-Forward
2. Cut-Through
3. Fragment-Free

Ques 53:- What is the difference between Store-and-Forward, Cut-Through and Fragment-Free Method?
Ans :-
1. Store-and-Forward
2. Cut-Through
3. Fragment-Free


Ques 56:- What is the booting Sequence of Router?
Ans :- There are three steps for booting a router in the network:
1. POST {Power On Self Test}
2. Load IOS {Internetwork Operating System}
3. Load Startup Configuration

Ques 57:- What is the difference between RIPv1 and RIPv2?
Ans :- There is one major difference between RIPv1 and RIPv2. RIPv1 does not support VLSM but RIPv2 supports VLSM in the network.

Ques 58:- What is the difference between Classful Routing and Classless Routing?
Ans :- Whenever we talk about classful routing, in this routing we use CLSM (Constant Length Subnet Mask) in the network.
Whenever we talk about classless routing, in this routing we use VLSM (Variable Length Subnet Mask) in the network.

Ques 59:- What is ASN {Autonomous System Number}?

Ques 61:- How many types of Industry Standard Routing Protocol in the Network?
Ans :- There are two types of industry standard routing protocol:
1. RIP {Routing Information Protocol}
2. OSPF {Open Shortest Path First}

Ques 62:- What is the function of Area Number in OSPF Routing Protocol?
Ans :- The area number defines the administrative boundary in the network. Within the same area all of the routers exchange route information with their neighbor routers in the network. Area 0 is called the backbone area. In this area all of the routers are called backbone routers. Whenever any area wants to communicate with another area, that query must be forwarded through area 0. Every area is directly connected to area 0 in the network.

Ques 63:- What is the function of Loopback Interface in OSPF Routing Protocol?
Ans :- Loopback interfaces are basically used in an OSPF environment. The loopback interface IP address defines the RID of any router in the network. It is basically useful in DR and BDR selection in the network.


Ans :- This timer specifies how long a router should wait before declaring a route invalid if it does not receive a specific update about it.

Ques 67:- What is Flush Timer?
Ans :- After the flush timer expires, the router deletes that particular route from the routing table in the network.

Ques 68:- What are the Timers of RIP, IGRP, EIGRP and OSPF Routing Protocol?
Ans :-
1. RIP Timers
   1. Update Timer: 30 seconds
   2. Hold-down Timer: 180 seconds
   3. Invalid Timer: 180 seconds
   4. Flush Timer: 240 seconds
2. IGRP Timers
   1. Update Timer: 90 seconds
   2. Hold-down Timer: 280 seconds
   3. Invalid Timer: 270 seconds
   4. Flush Timer: 630 seconds


1. Route Summarization
2.

Ques 71:- What is the difference between Static NAT, Dynamic NAT and Overloading NAT?
Ans :- There are three types of NAT in the network:
1. Static NAT: in static NAT only one computer is connected to the Internet. For that we define the mapping of that particular computer in the network.
2. Dynamic NAT: in dynamic NAT we define a pool. In this NAT only some computers are connected to the Internet at the same time.
3. Overloading NAT (PAT): overloading NAT is also called PAT (Port Address Translation). With the help of PAT all of the internal users are connected to the Internet through a single public IP address in the network. In this NAT all user queries are differentiated on a port basis in the network; that is why it is called PAT.
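The "differentiated on a port basis" part of PAT is easiest to see as the translation table itself. The block below is an added example, not part of the original Q&A: a minimal stateful PAT table in which two inside hosts using the same source port share one public address, replies are mapped back by the translated port, and inbound packets with no matching entry are dropped. The addresses are constructed documentation ranges and the class is illustrative, not a real NAT implementation.

```python
# Added example (not from the original Q&A): a minimal PAT / NAT-overload
# translation table as described in Ques 71. All inside hosts share one public
# address and flows are told apart by the translated source port. Addresses are
# constructed documentation ranges; the class is illustrative, not a real NAT.
import itertools

PUBLIC_IP = "203.0.113.10"   # constructed

class PortAddressTranslator:
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self._last_port = last_port
        # outbound key: (inside_ip, inside_port, dst_ip, dst_port) -> public port
        self.outbound = {}
        # inbound key: (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.inbound = {}

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside->outside packet; allocate a public port on first use."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = next(self._next_port)
            if public_port > self._last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outside->inside packet. Only replies to an existing entry
        are forwarded; anything else has no mapping and is dropped (None)."""
        if dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])

def demo():
    """Two inside hosts use the same source port towards the same server."""
    pat = PortAddressTranslator(PUBLIC_IP)
    a = pat.translate_out("192.168.1.10", 5000, "198.51.100.7", 443)
    b = pat.translate_out("192.168.1.11", 5000, "198.51.100.7", 443)
    reply_a = pat.translate_in("198.51.100.7", 443, PUBLIC_IP, a[1])
    unsolicited = pat.translate_in("198.51.100.9", 40000, PUBLIC_IP, 2000)
    return a, b, reply_a, unsolicited

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last line of demo() is the practical consequence of PAT being stateful: a packet arriving from outside that matches no existing translation cannot be delivered to any inside host, which is why PAT incidentally hides inside hosts even though it is not a firewall.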

Ques 72:- What is PAT {Port Address Translation}?

Ques 75:- What is the function of the Telnet Command?
Ans :- The telnet command provides remote configuration of any device in the network, such as router, switch, PIX.

Ques 76:- How many types of Access List in the Network?
Ans :- There are two types of access list in the network:
1. Numbered Access List
2. Named Access List
Numbered and named access lists are again divided into two parts:
1. Standard Access List
2. Extended Access List

Ques 77:- What is the difference between Numbered Access List and Named Access List?
Ans :- Numbered access list: in this access list we cannot edit the existing access list.
Named access list: in this access list we can edit the existing access list according to the company requirement.

Ques 78:- What is the difference between Standard Access List and Extended Access List?


Ans :- Wildcard masks are generally used in access lists and in the OSPF routing environment in the network.

Ques 80:- How many types of ISDN Technologies are available in the Network?
Ans :- There are two types of technologies available in the network:
1. BRI {Basic Rate Interface}
2. PRI {Primary Rate Interface}
Whenever we talk about BRI technology, in this technology two B channels and one D channel are available.
Whenever we talk about PRI technology, PRI is again divided into two technologies:
1. T1 Technology
2. E1 Technology

Ques 81:- What is the difference between BRI and PRI Technologies?
Ans :- BRI stands for Basic Rate Interface. Whenever we talk about BRI, in BRI a maximum of 2 B channels and 1 D channel are available in the network. The speed per B channel is 64 Kbps and the speed per D channel is 16 Kbps in the network.
PRI stands for Primary Rate Interface. Whenever we talk


Ques 83:- What is the Function of D Channel in ISDN Technologies?
Ans :- The D channel provides the data signaling in the network. Connection establishment from the source to the destination computer in the network depends on the D channel speed.

Ques 84:- What is HDLC {High Level Data Link Control Protocol}?
Ans :- HDLC stands for High-Level Data Link Control protocol. This protocol is basically used on leased lines in the network. By default the HDLC protocol is enabled on Cisco routers.

Ques 85:- What is PPP?
Ans :- PPP stands for Point-to-Point Protocol. It is an industry standard protocol in the world. This protocol is basically used on the Internet.

Ques 86:- What is the Difference between ISDN and Frame Relay Technologies?
Ans :- ISDN stands for Integrated Services Digital Network. Generally ISDN works on SVC (Switched Virtual Circuit) in the network. In ISDN we use PPP (Point-to-Point Protocol) in the network.


Ans :- Metric (cost) is generally used in the routing environment. If more than one route is available for any particular network in the routing table, in that case the router uses the metric value. The lower the metric, the better the route for that particular network. If the metric values are the same, in that case the router will do load balancing in the network.
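Ques 33 (lower Administrative Distance wins between routing sources) and the metric rule above (lower metric wins within a source, equal metrics are load-balanced) together decide what ends up in the routing table. The block below is an added example, not part of the original Q&A, that runs that two-stage selection over a constructed set of candidate routes. The AD values for RIP (120) and EIGRP (90) are the ones the Q&A gives; connected (0), static (1) and OSPF (110) are the usual Cisco defaults and are assumed here.

```python
# Added example (not from the original Q&A): how a router chooses between
# candidate routes for one prefix. Ques 33: the lower Administrative Distance
# wins between routing sources. Ques 88: within the winning source the lower
# metric wins, and equal metrics are load-balanced. The AD values for RIP (120)
# and EIGRP (90) are the ones the Q&A gives; connected (0), static (1) and
# OSPF (110) are the usual Cisco defaults. The candidate routes are constructed.
from collections import namedtuple

Route = namedtuple("Route", "prefix source ad metric next_hop")
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

def route(prefix, source, metric, next_hop):
    """Build a candidate route with the default AD of its source."""
    return Route(prefix, source, DEFAULT_AD[source], metric, next_hop)

# Constructed candidates learned from several sources for two prefixes.
CANDIDATES = [
    route("10.0.0.0/24", "rip", 3, "192.0.2.1"),
    route("10.0.0.0/24", "eigrp", 2816, "192.0.2.2"),
    route("10.0.0.0/24", "eigrp", 2816, "192.0.2.3"),
    route("10.0.0.0/24", "eigrp", 3072, "192.0.2.4"),
    route("10.0.1.0/24", "rip", 5, "192.0.2.5"),
    route("10.0.1.0/24", "rip", 2, "192.0.2.1"),
]

def select_routes(candidates):
    """Routes installed for one prefix: lowest AD first, then lowest metric;
    several routes survive only when their metrics tie (load balancing)."""
    if not candidates:
        return []
    best_ad = min(r.ad for r in candidates)
    same_source = [r for r in candidates if r.ad == best_ad]
    best_metric = min(r.metric for r in same_source)
    return [r for r in same_source if r.metric == best_metric]

def build_rib(candidates):
    """Group candidates by prefix and run the selection for each prefix."""
    groups = {}
    for r in candidates:
        groups.setdefault(r.prefix, []).append(r)
    return {prefix: select_routes(group) for prefix, group in groups.items()}

if __name__ == "__main__":
    for prefix, installed in sorted(build_rib(CANDIDATES).items()):
        for r in installed:
            print(f"{prefix} via {r.next_hop} [{r.ad}/{r.metric}] {r.source}")
```

For 10.0.0.0/24 the RIP route loses on AD even though its metric looks smaller (hop count and EIGRP's composite metric are not comparable, which is exactly why AD is applied first), and the two equal-metric EIGRP paths are both installed.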

Ques 89:- How many types of Subnet Mask?
Ans :- There are two types of subnet mask in the network:
1. Default subnet mask
2. Customized subnet mask

Ques 90:- What is the difference between Default Subnet Mask and Customized Subnet Mask?
Ans :- Default subnet mask: it is generally used with classful IP addresses in the network.
Customized subnet mask: it is generally used with classless IP addresses in the network. Whenever we talk about subnetting and supernetting, in that case we use a customized subnet mask in the network.
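Ques 43/44 (VLSM vs. CLSM), Ques 79 (wildcard masks in access lists and OSPF) and Ques 89/90 (default vs. customized masks) are all the same arithmetic on the 32-bit mask. The block below is an added example, not part of the original Q&A: it derives default, subnet and wildcard masks, performs the wildcard match an access list entry applies, and carves one block into variable-length subnets. It uses only the standard library; the address block and host counts are constructed.

```python
# Added example (not from the original Q&A): the subnet-mask arithmetic behind
# Ques 43/44 (VLSM vs CLSM), Ques 79 (wildcard masks for ACLs/OSPF) and
# Ques 89/90 (default vs customized masks). Uses only the standard library;
# the address block and host counts are constructed.
import ipaddress

def subnet_mask(prefix_len):
    """Dotted mask for a prefix length, e.g. 26 -> 255.255.255.192."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)

def wildcard_mask(prefix_len):
    """Wildcard mask = bitwise inverse of the subnet mask, e.g. 26 -> 0.0.0.63."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)

def default_mask(address):
    """Classful (default) mask from the first octet: A /8, B /16, C /24."""
    first = int(ipaddress.IPv4Address(address)) >> 24
    if first < 128:
        return subnet_mask(8)
    if first < 192:
        return subnet_mask(16)
    if first < 224:
        return subnet_mask(24)
    raise ValueError("class D/E addresses have no default mask")

def wildcard_match(address, base, wildcard):
    """ACL-style test: bits set in the wildcard are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def vlsm_allocate(block, host_counts):
    """Carve one block into subnets of different lengths (VLSM), largest
    request first so the smaller subnets fit into what is left over."""
    free = [ipaddress.IPv4Network(block)]
    plan = {}
    for name, hosts in sorted(host_counts.items(), key=lambda kv: (-kv[1], kv[0])):
        # +2 for the network and broadcast addresses, rounded up to a power of two
        prefix = 32 - (hosts + 1).bit_length()
        candidates = [n for n in free if n.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"no space left for {name}")
        # take the smallest free block that fits, lowest address first
        chosen = min(candidates, key=lambda n: (-n.prefixlen, n.network_address))
        free.remove(chosen)
        while chosen.prefixlen < prefix:      # split, keep the upper half free
            chosen, spare = chosen.subnets(prefixlen_diff=1)
            free.append(spare)
        plan[name] = str(chosen)
    return plan

if __name__ == "__main__":
    print(subnet_mask(26), wildcard_mask(26), default_mask("172.16.5.9"))
    print(vlsm_allocate("192.168.1.0/24", {"sales": 100, "eng": 50, "wan": 2}))
```

The wildcard match is the check a standard access list performs on each packet's source address; a wildcard of 0.0.0.0 matches one host and 255.255.255.255 matches anything, which is why an overly wide wildcard on a permit entry is a common configuration mistake.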


Ans :- BDR stands for Backup Designated Router. It is basically used in the OSPF routing protocol in the network. The BDR stores the complete backup information of the network topology. When the DR goes down, in that case the BDR becomes the DR in the network.

Ques 94:- What is Process ID in OSPF Routing Protocol?
Ans :- The process ID simply enables the OSPF routing process in the network. The process ID can be the same or may be different on all of the routers in the network.

Ques 95:- What is Bridge ID?
Ans :- Every switch has an ID number; that number is called the Bridge ID. Bridge ID is a combination of priority + MAC address. The switch with the lowest Bridge ID becomes the Root Bridge in the network. In layman's language we can say the Root Bridge is the master switch in the network. Every switch has a default priority, which is 32768 in the network. We can change the switch priority.
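The election described in Ques 36 and Ques 95 is a plain numeric comparison once the Bridge ID is packed as priority followed by MAC address. The block below is an added example, not part of the original Q&A: it builds comparable Bridge IDs, elects the root among constructed switches at the default priority (lowest MAC wins) and shows that lowering one switch's priority makes it root regardless of MAC. Switch names and MAC addresses are constructed.

```python
# Added example (not from the original Q&A): the STP root bridge election from
# Ques 36 and Ques 95. Bridge ID = 16-bit priority (default 32768) followed by
# the 48-bit MAC address, and the numerically lowest Bridge ID becomes the root.
# Switch names and MAC addresses are constructed.
DEFAULT_PRIORITY = 32768

def bridge_id(priority, mac):
    """Pack priority and MAC into one comparable integer (priority is the
    high-order part, so it is compared first; the MAC breaks ties)."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    mac_int = int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)
    if not 0 <= mac_int <= 0xFFFFFFFFFFFF:
        raise ValueError("MAC must be 48 bits")
    return (priority << 48) | mac_int

def format_bridge_id(priority, mac):
    """Cisco-style display: priority.mac, e.g. 32768.001a.2b3c.4d5e."""
    hexmac = "%012x" % (bridge_id(priority, mac) & 0xFFFFFFFFFFFF)
    return "%d.%s.%s.%s" % (priority, hexmac[0:4], hexmac[4:8], hexmac[8:12])

def elect_root(switches):
    """switches: {name: (priority, mac)} -> name of the root bridge."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))

# Constructed switches, all at the default priority: the lowest MAC wins.
SWITCHES = {
    "SW1": (DEFAULT_PRIORITY, "00:1a:2b:3c:4d:5e"),
    "SW2": (DEFAULT_PRIORITY, "00:0c:29:aa:bb:cc"),
    "SW3": (DEFAULT_PRIORITY, "00:50:56:11:22:33"),
}

def with_priority(switches, name, priority):
    """Return a copy of the switch table with one switch's priority changed."""
    changed = dict(switches)
    changed[name] = (priority, switches[name][1])
    return changed

if __name__ == "__main__":
    print("root at default priority:", elect_root(SWITCHES))                  # SW2
    print("root after SW3 -> 4096:", elect_root(with_priority(SWITCHES, "SW3", 4096)))  # SW3
    print(format_bridge_id(*SWITCHES["SW1"]))
```

Because the election is purely "lowest ID wins", the root is wherever the lowest Bridge ID happens to be, oldest-MAC switch included; production designs therefore pin the root deliberately with a low priority on the core switch and use root guard or BPDU guard on access ports so that an unexpected bridge ID cannot move it.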

Ques 96:- What is DLCI {Data Link Connection Identification Number}?
Ans :- DLCI stands for Data Link Connection Identification Number. It is basically used in frame relay technology in the network. With the help of the DLCI number we can create a PVC (Permanent Virtual Circuit)


(Permanent Virtual Circuit). In a PVC all of the data is sent from the source computer to the destination computer through that route in the network.

Ques 99:- What is SVC {Switched Virtual Circuit}?
Ans :- Whenever a permanent route is not established between the source and destination computer in the network, that is called an SVC (Switched Virtual Circuit). In an SVC all of the data is sent from the source computer to the destination computer, possibly through a different way each time, in the network.

Ques 100:- What is DE {Discard Eligibility}?
Ans :- DE stands for Discard Eligibility. This term is basically used in frame relay technology in the network. It serves to stop congestion in frame relay technology.

Ques 101:- What is FECN {Forward Explicit Congestion Notification}?
Ans :- FECN stands for Forward Explicit Congestion Notification. This term is basically used in frame relay technology in the network. It serves to stop congestion in frame relay technology.

Ques 102:- What is BECN {Backward Explicit Congestion Notification}?
Ans :-

The User-Space VPN and OpenVPN

Understanding the User-Space VPN: History, Conceptual Foundations, and Practical Usage
By James Yonan

Copyright James Yonan 2003


What is a VPN and how is it different from other security software?

Fundamentally, a VPN is a set of tools which allow networks at different locations to be securely connected, using a public network as the transport layer.

VPNs use cryptography to provide protections against eavesdropping and active attacks.

VPNs are most commonly used today for telecommuting and linking branch offices via secure WANs.


The wide area network before VPNs

Firms would spend thousands of dollars per month for private, dedicated circuits to link branch offices.

The rise of the internet created cheap but insecure bandwidth.

The VPN concept was to produce the virtual dedicated circuit, pump it over the internet, and use cryptography to make it secure.


A brief history of VPNs

IPSec was the first major effort to develop a standard for secure networking.

First version in 1995.

IPSec, like other early crypto developments, was hamstrung by export controls and insufficient processor power in the routers where it was to be implemented.

Some components of IPSec, e.g. IKE, are still in development today. Long development time!


IPSec problems

Slow progress resulted in a splintering of efforts during the mid-90s.

SSL was one such offshoot, developed to provide application-level security rather than network-level security.

Traditional IPSec implementations required a great deal of kernel code, complicating cross-platform porting efforts.

IPSec is a complex production with a relatively steep learning curve for new users.


The rise of SSL and user-space VPNs

IPSec's slow progress and complexity caused many to turn to other solutions.

By contrast, SSL matured quickly, due to heavy usage on the web.

SSL runs in user space, simplifying implementation and administration.

The so-called SSL VPN is really just a web application that tries to give users the services they need without a full VPN implementation.


Linux and virtual network interfaces

The maturing of the Linux OS by the late 90s provided an excellent test bed for experimental networking concepts.

One such innovation is the tun or tap interface.

The first tun driver for Linux was written by Maxim Krasnyansky.


What is a tun interface?

A tun interface is a virtual network adapter that looks like point-to-point network hardware to the OS, such as a T1 line.

But instead of pushing bits out a wire, the tun driver pushes them to user space.

A user space program can open the tun device just like a file and read and write IP packets from and to it.

A tap interface is a similar production, only it emulates ethernet rather than point-to-point.


How is a tun interface used to build a VPN?

Suppose I have a tun interface on machine A, and another on machine B.

I write a simple network application with two threads:

Copy bits from tun device -> network socket.

Copy bits from network socket -> tun device.

If I run this app on machine A and B I will have constructed a very simple VPN minus the security component.
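The two-thread copy loop above is small enough to write out in full. The block below is an added example, not code from the presentation or from OpenVPN: it shows the Linux tun setup the loop would be attached to (the ioctl constants are the values from linux/if_tun.h) and the relay function itself. Opening a real tun device needs root or CAP_NET_ADMIN, so relay() takes plain file descriptors, and demo_offline() exercises it over AF_UNIX socket pairs standing in for the tun device and the network socket. The interface name and packets are constructed.

```python
# Added example (not from the presentation): the two-thread copy loop the slide
# describes, next to the Linux tun setup it would be attached to. The tun
# constants are the values from linux/if_tun.h; open_tun() only works on Linux
# with CAP_NET_ADMIN, so relay() takes plain file descriptors and
# demo_offline() exercises it with AF_UNIX socket pairs instead of a real tun
# device and network socket. Interface name and packets are constructed.
import fcntl
import os
import socket
import struct
import threading

TUNSETIFF = 0x400454CA   # ioctl: attach this fd to a tun/tap interface
IFF_TUN = 0x0001         # layer-3 interface carrying raw IP packets
IFF_NO_PI = 0x1000       # no 4-byte packet-info prefix on each packet
MTU = 1500

def open_tun(name="tun0"):
    """Create or attach to a tun interface; returns its file descriptor."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifreq = struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI)
    fcntl.ioctl(fd, TUNSETIFF, ifreq)
    return fd

def relay(src_fd, dst_fd, stop):
    """One direction of the tunnel: copy packets src -> dst until EOF or stop.
    Returns the number of packets copied. Nothing is encrypted: this is the
    cleartext tunnel the slides go on to criticise."""
    copied = 0
    while not stop.is_set():
        packet = os.read(src_fd, MTU)
        if not packet:
            break
        os.write(dst_fd, packet)
        copied += 1
    return copied

def run_tunnel(tun_fd, sock_fd):
    """Start the two relay threads (tun -> socket and socket -> tun)."""
    stop = threading.Event()
    threads = [
        threading.Thread(target=relay, args=(tun_fd, sock_fd, stop), daemon=True),
        threading.Thread(target=relay, args=(sock_fd, tun_fd, stop), daemon=True),
    ]
    for t in threads:
        t.start()
    return stop, threads

def demo_offline():
    """Run one direction over SOCK_SEQPACKET pairs, which keep packet
    boundaries the way a tun device does. Returns (count, packets_received)."""
    tun_app, tun_dev = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    net_local, net_remote = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    # Constructed IPv4 headers (version 4, IHL 5) standing in for real packets.
    packets = [b"\x45\x00\x00\x14" + b"\x00" * 16, b"\x45\x00\x00\x1c" + b"\x00" * 24]
    for p in packets:
        tun_app.send(p)
    tun_app.close()                       # EOF ends the relay loop
    count = relay(tun_dev.fileno(), net_local.fileno(), threading.Event())
    net_local.close()
    received = []
    while True:
        data = net_remote.recv(MTU)
        if not data:
            break
        received.append(data)
    tun_dev.close()
    net_remote.close()
    return count, received

if __name__ == "__main__":
    count, received = demo_offline()
    print(f"relayed {count} packets, {[len(p) for p in received]} bytes each")
```

A real deployment would pass open_tun() and a connected UDP socket's fileno() to run_tunnel(); the point of demo_offline() is only that the relay preserves packet boundaries, which a byte-stream pipe would not, and that whatever goes through it is readable by anyone on the path.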


How is a tun interface used to build a VPN (continued)?

From A I can ping the tun device on B, and from B I can ping the tun device on A.

That ping will actually travel over the socket connection, i.e. the ping packet will be encapsulated within a UDP or TCP packet and sent between A and B.

The problem with this very simple VPN is that it's missing the security; it is what is known as a cleartext tunnel.


Adding security to the VPN

The simple VPN we have constructed tunnels a virtual network interface over a TCP or UDP connection.

By forwarding such a TCP connection over a secure port forwarding tool such as SSH, we can build a real VPN.


Problems with using SSH to build a VPN

The previous example has a problem, however. IP is what is known as an unreliable protocol. This is not a value judgment.

Rather, it means that IP assumes that packets sent over a physical or virtual network might be lost or corrupted.

Protocols in the IP family such as TCP try very hard to work under this assumption.


Reliable and unreliable protocols

TCP is a reliable application protocol that utilizes an unreliable transport layer.

This means that your web browser (HTTP is a TCP protocol) expects TCP to handle the glitches in the connection between your client and a possibly distant web server.

TCP does this by retransmitting packets which are lost due to network congestion.

TCP is a reliability bridge between the application and physical network layers.


Encapsulating protocols

One of the cool things about networking is that you can take one protocol and encapsulate it into another.

Getting back to our simple VPN example, we are encapsulating IP into a TCP port, then using SSH to secure that TCP connection with another remote host.

As far as encapsulation is concerned, we are encapsulating IP (which includes TCP and UDP protocols) into TCP.


Encapsulating TCP in TCP: the problem

There is a fundamental problem, however, in this encapsulation graph.

TCP is designed to flow over unreliable networks. Pushing TCP into TCP means that we are nesting one reliability layer into another, essentially producing a whole level of redundancy.

This redundancy translates into less efficiency and less robustness during congested network conditions.


Fixing the problem

A better solution is to encapsulate TCP in UDP.

UDP is the unreliable cousin of TCP. It strips out the whole reliability layer of TCP, giving the application the responsibility to sort out problems of dropped packets, or packets arriving in a different order from how they were sent.


Why is UDP better for encapsulating IP?

The fundamental reason is that IP was designed to flow over wires, fiber, or wireless links, which are all unreliable physical media that can suffer from glitches or congestion.

Because UDP is itself an unreliable protocol, it gives IP a transmission medium which is as close as possible to its native environment.

Encapsulating IP in UDP is the ideal choice.


VPNs and UDP

The modern, portable, easy-to-configure, user-space VPN has several basic properties.

IP packets from tun or tap virtual network adapters are encrypted and encapsulated onto a UDP connection, and sent to a remote host over the internet.

The remote host decrypts, authenticates, and de-encapsulates the IP packets, pumping them into a tun or tap virtual adapter at the other end.
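What "encapsulated onto a UDP connection" and "de-encapsulates" mean at the byte level is shown by the added example below, which is not code from the presentation or from OpenVPN. An inner IPv4 packet (a constructed ICMP echo between two tunnel addresses) is wrapped in an outer IPv4 + UDP header, and the receiving side validates the outer header checksum, protocol and port before handing the payload to the tun device. The addresses are documentation ranges and 1194 is OpenVPN's customary UDP port; the encryption and authentication steps of the slide are deliberately left out of this block so that the framing is visible on its own.

```python
# Added example (not from the presentation): what "encapsulating IP in UDP"
# looks like on the wire. An inner IPv4 packet (here a constructed ICMP echo
# between two tun addresses) is wrapped in an outer IPv4+UDP header, and the
# receiver strips it again after checking the outer header checksum, protocol
# and port. The addresses are documentation ranges; 1194 is OpenVPN's usual
# UDP port. Encryption and authentication are left out on purpose here.
import socket
import struct

PROTO_ICMP = 1
PROTO_UDP = 17

def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """20-byte IPv4 header with a valid checksum (IHL 5, DF set, no options)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", inet_checksum(fields)) + fields[12:]

def icmp_echo(ident, seq, payload):
    """ICMP echo request (type 8) with its checksum filled in."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def encapsulate(inner_packet, outer_src, outer_dst, sport, dport):
    """Inner IP packet -> outer IPv4/UDP datagram carrying it as UDP payload."""
    udp_len = 8 + len(inner_packet)
    # The UDP checksum is optional over IPv4; zero means "not computed".
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + inner_packet
    return ipv4_header(outer_src, outer_dst, PROTO_UDP, udp_len) + udp

def decapsulate(datagram, expected_dport):
    """Check the outer headers and return the inner IP packet, else None."""
    if len(datagram) < 28 or datagram[0] >> 4 != 4:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    if ihl < 20 or inet_checksum(datagram[:ihl]) != 0:   # corrupted outer header
        return None
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if datagram[9] != PROTO_UDP or total_len > len(datagram):
        return None
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", datagram[ihl:ihl + 8])
    if dport != expected_dport or udp_len != total_len - ihl:
        return None
    inner = datagram[ihl + 8:total_len]
    # The payload must itself look like an IPv4 packet before it goes to tun.
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    return inner

def sample_inner_packet():
    """Constructed: a ping from 10.8.0.1 to 10.8.0.2 across the tunnel network."""
    icmp = icmp_echo(ident=0x1234, seq=1, payload=b"tunnel-test")
    return ipv4_header("10.8.0.1", "10.8.0.2", PROTO_ICMP, len(icmp)) + icmp

if __name__ == "__main__":
    inner = sample_inner_packet()
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.5", 40000, 1194)
    print(len(inner), "inner bytes ->", len(outer), "outer bytes")
    print("round trip ok:", decapsulate(outer, 1194) == inner)
```

The length check, protocol check and port check in decapsulate() are the same sanity checks a real tunnel endpoint performs before it trusts a datagram; without the authentication the next slides discuss they only catch corruption, not a deliberately forged packet.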


The VPN is invisible to applications tunneling over it

This user-space VPN model essentially links a local tun virtual adapter with a remote tun virtual adapter.

One can apply routes or firewall rules to tun or tap interfaces in the same way that you can apply them to ethernet interfaces.

Applications using a VPN would find them indistinguishable from a wide area network implemented with dedicated circuits.


Enter OpenVPN

There are several Open Source VPNs today that follow the user-space tun/tap model.

OpenVPN, VTun, Tinc, Cipe, and many more are being actively developed today.

They stand in contrast to IPSec solutions such as FreeSwan which attack the problem in a very different way.


User-space tun/tap vs. IPSec

There is some controversy about which approach is better.

User space is more portable and easier to configure.

IPSec is more complex, and offers multi-vendor and dedicated router support.

IPSec's complexity sometimes makes it difficult for vendor A's implementation to talk to vendor B's.


IPSec in a nutshell

IPSec is a complex modification to the IP stack itself.

IPSec examines packets coming out of an IP interface, determines if a security association exists with the destination, and then tries to automatically encrypt packets at one end and decrypt them at the other.

The dream of IPSec is that it just works and you never need to know it's there (this concept is often referred to as opportunistic encryption).


    IPSec limitations

    As IPSec evolved, the internet evolved along with it.

    The IPv4 address shortage created a profusion of private networks that use NAT to access the internet through a single IP address.

    The IP address shortage also caused an increase in the use of dynamic IP addresses.

    IPSec proved somewhat inflexible to these new developments.


    IPSec limitations (continued)

    Because IPSec considered the source and destination addresses to be part of the secured payload, it broke interoperability with NAT.

    Since then, the IPSec standard has tried to evolve around these limitations.

    IPSec has also been both lauded and criticized for its security.

    Sometimes such praise/blame emanates from the same individuals! (see next slide)


    The Two Minds of IPSec -- N. Ferguson and B. Schneier

    "We are of two minds about IPsec. On the one hand, IPsec is far better than any IP security protocol that has come before: Microsoft PPTP, L2TP, etc. On the other hand, we do not believe that it will ever result in a secure operational system. It is far too complex, and the complexity has led to a large number of ambiguities, contradictions, inefficiencies, and weaknesses. [...] We strongly discourage the use of IPsec in its current form for protection of any kind of valuable information, and hope that future iterations of the design will be improved. However, we even more strongly discourage any current alternatives, and recommend IPsec when the alternative is an insecure network. Such are the realities of the world."


    How does a VPN achieve security?

    A VPN must protect against passive and active attacks.

    A passive attacker is an eavesdropper who has no ability to interrupt or modify the data channel between two parties.

    Encryption is effective at defeating passive attacks.


    Active Attacks

    An active attacker has the ability to insert himself into the communication channel and add, modify, or delete data packets between both parties to the channel.

    For this reason, such attacks are commonly referred to as Man-in-the-middle attacks.


    Active attacks are thwarted through the use of authentication

    While many believe that VPN security is all about encryption, the larger and more difficult problem to solve is the problem of authentication.

    Authentication in the VPN context involves signing every packet with a keyed secure hash, so that the recipient can verify that it originated from a legitimate source.

    Both OpenVPN and IPSec use the HMAC construction to authenticate packets.


    HMAC isn't a 100% solution against active attacks.

    Even after applying HMAC, we are still vulnerable to two types of active attacks:

    Replay attacks.

    Known plaintext attacks.


    Replay Attacks

    Suppose an attacker was able to tap into his bank's T1 line at 3am when traffic is low.

    While observing the encrypted bits flowing across the line with a tool such as snort, he logs onto his bank's web site and does a number of small wire transfers, observing the encrypted packets flowing over the bank's T1 line.

    He is able, by timing analysis, to gain access to a sample of encrypted packets that represent his money transfers.


    Replay attacks, continued

    What if he then spams the T1 with a large number of those sampled packets?

    He doesn't need to know the encryption algorithm, he only needs to reproduce the packets.

    If the bank is only using encryption without replay protection, they may find an unexplained deluge of questionable transfers the following morning.


    Replay attacks, continued.

    The solution to the problem is to embed a unique ID or timestamp in every packet before it is signed.

    The receiver needs to keep track of this timestamp, and make sure that it never accepts a packet with the same timestamp twice.

    Both OpenVPN and IPSec implement replay protection using the Sliding Window Algorithm.


    Known plaintext attacks.

    Getting back to our bank cracker, suppose that he makes 5 transfers of differing amounts of money.

    By analyzing the ciphertext stream over the T1 as his transfers are taking place, he is able to discern the byte offsets in the packets that represent the dollar amount of the transfer, even though the amounts themselves are encrypted gibberish.


    Known plaintext attacks (continued).

    Suppose the $ amount is a 32 bit integer.

    He inserts some bogus packets onto the link with the dollar amount altered.

    He doesn't know what the final dollar amount will be when it is decrypted but he knows if he tries enough values, some of them will turn out to be large and disruptive.


    This would be impossible (I hope) in 2003.

    This scenario could not, of course, happen today.

    The importance of this kind of thought experiment is to show that encryption, even if it is unbreakable, is not enough to secure against an active attacker.

    Encryption must be combined with authentication (HMAC), randomized IVs, and replay protection, to protect against the previously discussed attacks.
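    The receive-side checks the slides call for, as an added example that is not code from these slides or from the OpenVPN project: every packet carries a sequence number that is covered by the HMAC, the HMAC is verified first, and only then is the sequence number run through a sliding replay window. The packet layout, window size and demo key are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed packet layout for this example (not OpenVPN's wire format):
#   8-byte sequence number | opaque ciphertext | 32-byte HMAC-SHA256 tag
SEQ = struct.Struct("!Q")
TAG_LEN = hashlib.sha256().digest_size


class ReplayWindow:
    """Sliding-window replay detection, the scheme the slides credit to OpenVPN and IPSec.

    `highest` is the largest authenticated sequence number seen so far; bit i of
    `bitmap` records whether sequence number (highest - i) was already accepted.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # sequence numbers start at 1, so 0 means "nothing seen"
        self.bitmap = 0

    def accept(self, seq):
        """Return True and record seq if it is fresh; False if stale or replayed."""
        if seq <= 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; anything older than `size` falls off the end.
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False            # older than the window: cannot tell, so reject
        if self.bitmap & (1 << diff):
            return False            # accepted once already: this is a replay
        self.bitmap |= 1 << diff    # late but legitimate out-of-order packet
        return True


def seal(key, seq, ciphertext):
    """Sender side: the HMAC covers the sequence number and the ciphertext together."""
    header = SEQ.pack(seq)
    tag = hmac.new(key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_packet(key, window, packet):
    """Receiver side: verify the HMAC first, then the replay window.

    Returns (ciphertext, "ok") on success or (None, reason) on rejection.
    The order matters: only authenticated packets may advance the window,
    otherwise forged sequence numbers could push legitimate traffic out of it.
    """
    if len(packet) < SEQ.size + TAG_LEN:
        return None, "truncated"
    header = packet[:SEQ.size]
    body = packet[SEQ.size:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None, "bad HMAC"                  # forged, modified, or wrong key
    seq = SEQ.unpack(header)[0]
    if not window.accept(seq):
        return None, "replay"
    return body, "ok"


if __name__ == "__main__":
    key = b"\x00" * 32              # constructed demo key; real keys come from TLS or a PSK file
    window = ReplayWindow(size=8)
    packets = [seal(key, n, b"transfer %d" % n) for n in (1, 2, 3)]
    for p in packets:
        print(open_packet(key, window, p)[1])        # ok, ok, ok
    print(open_packet(key, window, packets[1])[1])   # replay: seq 2 was seen before
    forged = bytearray(seal(key, 4, b"amount=000100"))
    forged[SEQ.size + 7] ^= 0x08                     # flip one ciphertext bit
    print(open_packet(key, window, bytes(forged))[1])  # bad HMAC
```

    The same idea, an HMAC check on every packet before any further processing, is what the tls-auth tier described later on these slides applies in front of the SSL/TLS code.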


    OpenVPN and Cryptography

    Cryptography is an advanced and specialized field.

    OpenVPN takes a modular approach to cryptography.

    Most crypto functions are offloaded to the OpenSSL library.

    OpenVPN has protection against both passive attacks and known types of active attacks.


    OpenVPN and keying

    OpenVPN tries to supply the best of both worlds when it comes to keying.

    Static, pre-shared keys are provided for ease of configuration.

    Full RSA PKI, through the OpenSSL library, is provided for full certificate and private key operation.

    SSL/TLS can be used for initial authentication and symmetric key exchange.


    Authentication only leads into a bigger problem: key management.

    The HMAC construction is a strong and elegant contribution from the cryptography community but it still needs a shared secret key to exist at both ends of the secure connection.

    How do two parties bootstrap their key exchange process in a way that protects against the exchange being hijacked by an attacker?


    Enter public key cryptography.

    In the September, 1977 issue of The Scientific American, Ronald L. Rivest, Adi Shamir and Leonard M. Adleman introduced to the world their RSA cipher, applicable to public key cryptography and digital signatures. The authors offered to send their full report to anyone who sent them self-addressed stamped envelopes, and the ensuing international response was so overwhelming the NSA balked at the idea of such widespread distribution of cryptography source code. When no response was made by the NSA as to the legal basis of their request, distribution recommenced, and the algorithm was published in The Communications of the ACM the following year.


    Public Key cryptography is really about the problem of authentication

    Since long before the age of computers, cryptography was practiced between individuals who possessed a shared key.

    The innovation of Public Key cryptography was to show how individuals could communicate securely without needing a pre-existing secure medium over which to share their keys.


    Public Key technology solves the key sharing problem.

    Public key cryptography solves the problem of providing the secure medium over which the initial shared secret key can be exchanged.

    The real encryption still occurs with a shared, symmetrical key.

    The public key process only gives us a means of sharing this key electronically over an insecure medium.


    Public key cryptography.

    Public key cryptography allows you to generate a public and private key pair.

    The private key never leaves your hard drive.

    The public key is published far and wide.

    To communicate with someone, you only need their public key.

    But once content has been encrypted with a public key, only the private key can decrypt it.


    Public key cryptography and authentication.

    Public key cryptography as described thus far still has a missing link.

    How do you know that the person on the other end of the communication channel is who they say they are?

    They can present their public key, but that proves nothing about their identity.


    Enter the Certificate.

    Public key cryptography and RSA pioneered the concept of secure signatures.

    I can sign a file with my private key.

    I can publish my public key.

    Anyone who receives the file can use my public key to verify that it was signed with my private key.

    The mathematics of the algorithm behind digital signatures ensures that it would be infeasible to forge a signature without having the correct private key.


    The Certificate Authority.

    The certificate authority (CA) is the final result in a long linkage of developments in applied cryptography that attempt to solve the problem of authentication.

    The CA has a super-secret key that they keep under armed guard.

    They have a team of investigators who verify the identity of clients.

    They then sign the keys of clients with their super secret key.


    CAs Continued

    The CA's public key becomes a public commodity, embedded in applications and operating systems.

    The CA's root certificate forms the root of a chain of public keys which can be used to verify the identity of any of the CA's clients.

    The CA solves the problem of authentication by trusted referral.

    CAs are the basis of authentication on the secure web.


    Cryptography conclusion

    While OpenVPN draws heavily on the cryptography-related developments of IPSec, there are details about any encrypted communication session which cannot be hidden.

    Traffic Analysis is one type of attack that no internet-based, modern cryptosystem can protect against.

    But when considering the needs of most VPN users, the modern crypto technology proves more than sufficient.


    OpenVPN Features

    OpenVPN tries to take advantage of all the capabilities which are possible to a user space VPN.

    Portability.

    Familiar daemon-style usage.

    No kernel modifications required.

    State-of-the-art cryptography layer provided by the OpenSSL library.


    OpenVPN Features, continued.

    Very comfortable with dynamic addresses or NAT.

    Supports most operating systems in the known computing universe, including Linux, Windows, Mac OS X, the three BSDs, and Solaris.


    OpenVPN's 3 tier security model

    One of the maxims of computer security is that complexity is the enemy of security.

    One way of reducing the impact of software complexity on overall software security is to force incoming network traffic to pass through a kind of security gateway that is a much simpler piece of code than the applications behind it.

    A prime example of this is the firewall.


    OpenVPN's 3 tier security model (continued)

    The key is to reduce the number of lines of code which can be touched by unauthenticated packets. These fewer lines of code can then be more rigorously scrutinized for vulnerabilities.

    OpenVPN expands on the concept of a firewall, using the --tls-auth option to subject incoming packets to a preliminary HMAC signature test before they are passed on to the actual SSL/TLS code.


    OpenVPN's 3 tier security model (continued)

    Tier 1: Use the HMAC-based --tls-auth option to prevent an attacker from injecting packets into the SSL/TLS subsystem.

    Tier 2: Use SSL/TLS for bidirectional client/server authentication.

    Tier 3: Downgrade the OpenVPN daemon's privilege level using --user/--group to help contain a successful code injection exploit.


    VPNs and Networking

    As much (or more) can be written about the topic of VPNs and networking as can be written about VPNs and cryptography.

    95% of the tech support problems that people have with VPNs are with the networking and firewall layers, not the cryptography layer.

    The two major techniques for VPN networking are routing and bridging.


    Bridging vs. Routing in the VPN context

    Bridging is a technique for creating a virtual, wide-area ethernet LAN, running on a single subnet.

    Routing solves the problem of a wide area VPN by using separate subnets and setting up routes between them.


    Bridging Advantages

    Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighborhood browsing to work.

    No route statements to configure.

    Works with any protocol that can function over ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.

    Relatively easy-to-configure solution for road warriors.


    Bridging Disadvantages

    Less efficient than routing, and does not scale well.


    Routing Advantages

    Efficiency and scalability.

    Allows better tuning of MTU for efficiency.


    Routing Disadvantages

    On Windows, clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.

    Routes must be set up linking each subnet.

    Software that depends on broadcasts will not "see" machines on the other side of the VPN.

    Works only with IPv4 in general, and IPv6 in some special cases.


    The nuts and bolts of bridging (1)

    Suppose you want to create a secure ethernet bridge that serves multiple mobile clients, using Linux as the server.

    First generate a bunch of persistent tap virtual ethernet interfaces on your server, using openvpn --mktun.

    Then use the brctl tool to bridge them together with your real ethernet adapter.


    The nuts and bolts of bridging (2)

    When clients connect to the server, the tap virtual ethernet interface at their end can be assigned an IP address from the actual subnet of the physical ethernet LAN connected to the server.

    So I could have a subnet 10.4.7.0 netmask 255.255.255.0 which is a bridged ethernet.

    10.4.7.5 could be a machine in Moscow, Idaho. 10.4.7.6 could be a machine in Moscow, Russia.


    VPNs and firewalling

    The modern user-space VPN presents virtual tun and tap interfaces as VPN endpoints.

    Suppose you have a VPN network device called tun0.

    You can apply the same kinds of firewall rules to tun0 as you could to eth0 or any other networking device.


    VPNs and firewalling (continued).

    One of the more troublesome security issues of VPNs is the way that they create trusted relationships between different networks.

    This can be bad, as in the case where a worm or virus infects someone's home machine, then jumps across the VPN to corporate headquarters.

    Firewall rules applied to the VPN itself can create a trust relationship between two networks that is more than untrusted but less than fully trusted.


    Future directions -- OpenVPN 2.0

    In OpenVPN 1.x, a single openvpn daemon can support a single tunnel over a single tun/tap interface, using a single UDP or TCP port for daemon-to-daemon communication.

    This model offers maximum flexibility, as the configuration for each tunnel can be customized.

    The weakness in this model is that it is hard to set up an OpenVPN configuration that handles connections from a large number of dynamic clients.


    Future directions -- OpenVPN 2.0 (continued)

    OpenVPN 2.0 (currently in beta) solves this problem by allowing an arbitrarily large number of UDP clients to connect to a single openvpn daemon, which itself uses one tun/tap interface and one UDP port number.


    Conclusion

    VPNs tie together concepts from cryptography, networking, and firewalls.

    VPNs can be used as building blocks to construct anything from a small secure telecommuting solution, to a large-scale secure WAN.

    The user-space VPN is an elegant solution to the VPN problem in a modular package.

    VPNs still have a long way to evolve before they are as easy-to-configure as other networking subsystems, such as IP.


    CPEG323 1

    OVERVIEW

    What is RAID?

    Benefits of RAID

    Concepts of RAID

    RAID Levels


    RAID AND ITS BENEFITS

    What is RAID?

    RAID (redundant array of independent disks; originally redundant array of inexpensive disks) is a way of storing the same data in different places (thus, redundantly) on multiple hard disks.

    Benefits of RAID

    Improved Performance

    High Availability

    Fault Tolerance


    RAID CONCEPTS

    STRIPING

    MIRRORING

    PARITY


    RAID Concepts (Striping)


    RAID Concepts (Mirroring)

    All data in the system is written simultaneously to two hard disks instead of one; thus the "mirror" concept.

    100% data redundancy, which provides full protection against the failure of either of the disks containing the duplicated data.


    RAID Concepts (Parity)

    Parity is redundancy information calculated from the actual data values.

    Take "N" pieces of data, and from them, compute an extra piece of data. Take the "N+1" pieces of data and store them on "N+1" drives. If you lose any one of the "N+1" pieces of data, you can recreate it from the "N" that remain, regardless of which piece is lost.

    The parity calculation is typically performed using a logical operation called "exclusive OR" or "XOR".


    RAID LEVELS


    RAID: Level 0 (No Redundancy; Striping)

    Multiple smaller disks as opposed to one big disk.

    Spreading the blocks over multiple disks (striping) means that multiple blocks can be accessed in parallel, increasing the performance.

    A 3 disk system gives 3 times the throughput of a 1 disk system.


    RAID: Level 0 (No Redundancy; Striping)

    No redundancy, so what if one disk fails?

    Failure of one or more disks results in data loss.

    RECOMMENDED APPLICATIONS

    Video Production and Editing

    Image Editing

    Any application requiring high bandwidth


    RAID: Level 1 (Redundancy via Mirroring)

    Uses twice as many disks as RAID 0 (e.g., 8 smaller disks with the second set of 4 duplicating the first set) so there are always two copies of the data.

    # redundant disks = # of data disks, so twice the cost of one big disk.


    RAID: Level 1 (Redundancy via Mirroring)

    What if one disk fails?

    If a disk fails, the system just goes to the mirror for the data

    Recommended Application

    Accounting

    Payroll

    Financial

    Any application requiring very high availability


    RAID: Level 2 (Redundancy via ECC)

    ECC disks contain the parity of data on a set of distinct overlapping disks.

    # redundant disks = log (total # of data disks), so almost twice the cost of one big disk.

    - writes require computing parity to write to the ECC disks

    - reads require reading ECC disk and confirming parity

    Can tolerate limited disk failure, since the data can be reconstructed.

    [Figure: data bits blk1,b0 to blk1,b3 on data disks 3, 5, 6, 7; ECC disk 4 checks disks 4,5,6,7; ECC disk 2 checks disks 2,3,6,7; ECC disk 1 checks disks 1,3,5,7.]

    ECC disks 4 and 2 point to either data disk 6 or 7, but ECC disk 1 says disk 7 is okay, so disk 6 must be in error.


    RAID: Level 3 (Bit-Interleaved Parity)

    On RAID 3 systems, data blocks are subdivided (striped) and written in parallel on two or more drives. An additional drive stores parity information. You need at least 3 disks for a RAID 3 array.

    Writes require writing the new data to the data disk as well as computing the parity, meaning reading the other disks, so that the parity disk can be updated.

    Can tolerate limited disk failure, since the data can be reconstructed.

    Reads require reading all the operational data disks as well as the parity disk to calculate the missing data that was stored on the failed disk.

    [Figure: four data disks holding bits blk1,b0 to blk1,b3 plus a bit parity disk (odd parity).]


    RAID: Level 3 (Bit-Interleaved Parity)


    [Figure: the same stripe of bits blk1,b0 to blk1,b3 with the bit parity disk (odd parity) after one data disk fails; the missing bit is recomputed from the surviving data bits and the parity bit.]


    RAID: Level 3 (Bit Interleaved Parity)

    Recommended Applications

    Video Production and live streaming

    Image Editing

    Video Editing

    Any application requiring high throughput


    RAID: Level 4 (Block-Interleaved Parity)

    RAID 4 improves performance by striping data across many disks in blocks, and provides fault tolerance through a dedicated parity disk.


    RAID: Level 4 (Block-Interleaved Parity)

    It is like RAID 3 except that it uses blocks instead of bytes for striping.

    Supports small reads and small writes (reads and writes that go to just one (or a few) data disk).

    By watching which bits change when writing new information, it need only change the corresponding bits on the parity disk.

    The parity disk must be updated on every write, so it is a bottleneck for back-to-back writes.

    Can tolerate limited disk failure, since the data can be reconstructed.


    Small Writes

    [Figure: RAID 3 small write of new D1 data over disks D1 D2 D3 D4 P: 3 reads and 2 writes, involving all the disks.]

    [Figure: RAID 4 small write of new D1 data over disks D1 D2 D3 D4 P: 2 reads and 2 writes, involving just two disks.]


    RAID: Level 5 (Distributed Block-Interleaved Parity)

    Parity is distributed across the disks.

    Supports small reads and small writes (reads and writes that go to just one (or a few) data disk).

    Allows multiple simultaneous writes as long as the accompanying parity blocks are not located on the same disk.

    Can tolerate limited disk failure, since the data can be reconstructed.


    RAID: Level 5 (Distributed Block-Interleaved Parity)

    Recommended Applications

    File and Application servers

    Database servers

    Web, E-mail, and News servers

    Intranet servers

    Most versatile RAID level


    Distributing Parity Blocks

    By distributing parity blocks to all disks, some small writes can be performed in parallel.

    RAID 4 (parity on a dedicated disk):

     1   2   3   4  P0
     5   6   7   8  P1
     9  10  11  12  P2
    13  14  15  16  P3

    RAID 5 (parity rotated across the disks):

     1   2   3   4  P0
     5   6   7  P1   8
     9  10  P2  11  12
    13  P3  14  15  16
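    The XOR parity described under RAID Concepts (Parity), the RAID 4/5 small-write parity update, and the RAID 4 versus RAID 5 parity placement from the table above, worked through in one added example that is not part of the original slides. The block size, disk count, sample data and the left-rotating placement rule (which reproduces the table) are constructed assumptions.

```python
from functools import reduce
from operator import xor


def xor_blocks(blocks):
    """XOR equal-length byte strings column by column; this is the parity operation."""
    if not blocks or any(len(b) != len(blocks[0]) for b in blocks):
        raise ValueError("need one or more blocks of equal length")
    return bytes(reduce(xor, column) for column in zip(*blocks))


def compute_parity(data_blocks):
    """The "N+1"th piece of data: the XOR of the N data blocks."""
    return xor_blocks(data_blocks)


def reconstruct(survivors, parity):
    """Recover the one lost block from the N-1 surviving data blocks plus parity.

    Works regardless of which block was lost because XOR is its own inverse:
    D_lost = P xor (all other D).
    """
    return xor_blocks(list(survivors) + [parity])


def small_write_parity(old_parity, old_block, new_block):
    """RAID 4/5 small write: P_new = P_old xor D_old xor D_new.

    Only the bits that differ between D_old and D_new flip in the parity, so the
    other data disks are never read (2 reads and 2 writes on just two disks).
    """
    return xor_blocks([old_parity, old_block, new_block])


def layout(num_disks, num_stripes, rotate_parity):
    """Block-to-disk map as rows of labels, like the RAID 4 / RAID 5 table.

    RAID 4 (rotate_parity=False) keeps parity on the last disk; RAID 5
    (rotate_parity=True) moves it one disk to the left on each stripe, which
    is the placement shown in the slide's table (constructed assumption).
    """
    rows, block = [], 1
    for stripe in range(num_stripes):
        if rotate_parity:
            parity_disk = (num_disks - 1 - stripe) % num_disks
        else:
            parity_disk = num_disks - 1
        row = []
        for disk in range(num_disks):
            if disk == parity_disk:
                row.append("P%d" % stripe)
            else:
                row.append(str(block))
                block += 1
        rows.append(row)
    return rows


def disks_touched(rows, block_label):
    """Disks a small write to `block_label` touches: its data disk and its stripe's parity disk."""
    for stripe, row in enumerate(rows):
        if block_label in row:
            return {row.index(block_label), row.index("P%d" % stripe)}
    raise KeyError(block_label)


def can_write_in_parallel(rows, block_a, block_b):
    """Two small writes can proceed at once only if they share no disk."""
    return disks_touched(rows, block_a).isdisjoint(disks_touched(rows, block_b))


if __name__ == "__main__":
    data = [b"\x01\x02", b"\x10\x20", b"\xff\x00"]   # constructed 2-byte blocks, N = 3
    p = compute_parity(data)
    print(reconstruct(data[:1] + data[2:], p) == data[1])   # True: middle block recovered
    raid5 = layout(5, 4, rotate_parity=True)
    for row in raid5:
        print(" ".join("%3s" % cell for cell in row))
    # Block 1 uses disks {0, 4}, block 6 uses disks {1, 3}: parallel under RAID 5,
    # but under RAID 4 both writes queue on the single parity disk.
    print(can_write_in_parallel(raid5, "1", "6"))                          # True
    print(can_write_in_parallel(layout(5, 4, rotate_parity=False), "1", "6"))  # False
```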


    RAID: Level 6

    RAID level 6 is an evolution of RAID 5. RAID 6 uses double parity for additional fault tolerance.

    Like in RAID 5, data is striped at a block level across the disk sets while parity information is generated and written across the array. Now it's possible for more than one drive to fail simultaneously, and the RAID will still operate.


    RAID: Level 6

    Advantages

    Perfect solution for mission critical applications as it can sustain multiple drive failures.

    Disadvantages

    Uses 2 drives for parity

    Recommended Applications

    Database server

    Mail server

    Web server

    Intranet server

    Transaction processing


    RAID: Level 0+1 (Striping with Mirroring)

    Combines the best of RAID 0 and RAID 1: data is striped across four disks and mirrored to four disks.

    Four times the throughput (due to striping).

    # redundant disks = # of data disks, so twice the cost of one big disk.

    Writes have to be made to both sets of disks, so writes would be only 1/2 the performance of RAID 0.

    [Figure: data disks blk1 blk2 blk3 blk4, mirrored onto redundant (check) disks blk1 blk2 blk3 blk4.]


    RAID: Level 0+1 (Striping with Mirroring)

    What if one disk fails?

    If a disk fails, the system just goes to the mirror for the data

    Recommended Applications

    Imaging applications

    General fileserver


    RAID: Level 1+0 (Mirroring with Striping)

    RAID Level 10 provides very high performance and redundancy.

    Data is simultaneously mirrored and striped.

    Can under circumstances support multiple drive failures.


    THANK YOU

    Queries?