Gdnw JNCIS-FWV Study Guide

Published by Gavrilo
Hi,
Attached is a Juniper JNCIS-FWV Study Guide for exam JN0-532 in PDF document format. It is similar to the Jason Ha document some of you may remember from the past. However, my version follows the syllabus for the current exam.
If you find it useful, I would be really grateful if you can donate a little something to the appeal fund below.
The Tsunami appeal information is here: http://www.rescue.org/japan-crisis
Finally, can I ask for errata etc. to be sent to my GMX account, which is garnet.newton-wade@gmx.com (I can withstand a bit of spam on that address).
Thanks,
Garnet Newton-Wade

Published on Mar 21, 2012. Copyright: Attribution Non-commercial.

Definition: A Virtual Private Network (VPN) allows two sites to communicate securely over an
insecure medium such as the Internet.

NetScreen firewalls support the IPSec protocol standard for site-to-site and client-to-site VPN
connections. There are two types of tunnel negotiation methods, Manual Key and AutoKey.
In a Manual Key IPSec VPN all Security Association (SA) parameters are predefined so the
authentication and security properties of the tunnel are already set. Therefore it is possible for
one device to simply encrypt the traffic and forward it to the other device. When a Firewall/VPN
is required to establish many tunnels the Manual Key method becomes labour intensive and is
inherently less secure because parties on both ends of the VPN need to agree and share the SA
parameters.

NOTE: A Security Association is a unidirectional agreement between both VPN end points
regarding the methods and parameters to use in order to secure the communication channel.

An AutoKey IKE IPSec VPN automates most of the negotiation process, which is divided into two
distinct phases:

• Phase 1 (IKE phase) negotiates how the VPN tunnel will be authenticated and secured.
• Phase 2 (IPSec phase) determines how traffic will be secured through the tunnel.

Page | 17

PHASE 1 PROPOSAL

Phase 1 of an AutoKey IKE tunnel negotiation consists of the exchange of proposals for how to
authenticate and secure the channel. The exchange can be in one of two modes: aggressive or
main. Using either mode, the participants exchange proposals for acceptable security services.

Both end points need to agree on the same proposal for Phase 1 and four possible Phase 1
proposal types are defined:

• Method: indicates a preshared key (“pre”) or digital certificate (“RSA-Sig” or “DSA-Sig”) used as the authentication method.
• DH Group: indicates the Diffie-Hellman group used for the key generation or exchange (“g1”, “g2” or “g5”).
• Encrypt/Auth: indicates the encryption algorithm (“3DES”, “DES” or “AES”) and hash algorithm (“MD5” or “SHA-1”) used.

Examples of Phase 1 proposals:
• pre-g2-3des-sha1
• pre-g1-des-md5
• dsa-g2-3des-sha1
• rsa-g5-aes128-md5

Once IKE has been used to establish a tunnel to provide a secure channel of communication,
IPSec is used to provide a means of securing the actual data that will traverse the tunnel.

Key lifetime indicates the life of the key (how often the key should be changed) and can be
configured in terms of seconds, minutes, hours or days. A Phase 1 tunnel may still be established
when both ends use different key lifetimes, but when one end decides to change its key the
tunnel will fail.

PHASE 2 PROPOSAL

Once the tunnel has been established (Phase 1), the SAs to secure the data to be transmitted
through the IPsec tunnel are negotiated (Phase 2).

Proposals are exchanged to determine the security parameters to be used for the SA. Phase 2
proposals also include a security protocol—either Encapsulating Security Payload (ESP) or
Authentication Header (AH)—and selected encryption and authentication algorithms. The
proposal can also specify a DH group and if Perfect Forward Secrecy (PFS) is desired.

Regardless of the mode used in Phase 1, Phase 2 always operates in quick mode and involves
the exchange of three messages. Juniper Networks Firewalls support up to four proposals for
Phase 2 negotiations, allowing you to define how restrictive a range of tunnel parameters you
will accept. ScreenOS also provides a replay protection feature but use of this feature does not
require negotiation because packets are always sent with sequence numbers, so you have the
option of checking or not checking the sequence numbers.

• PFS: “nopfs” indicates PFS is not used; “g1”, “g2” or “g5” indicates which DH group is being applied.
• Encapsulation: ESP (“esp”) or AH (“ah”) protocol is being used for encryption and authentication.
• Encryption/Authentication: encryption (“DES”, “3DES” or “AES”) and/or the hash algorithm (“MD5” or “SHA1”) used.

Examples of Phase 2 proposals:

• g2-esp-3des-sha1
• nopfs-esp-des-md5
• g1-ah-null-sha1
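The Phase 1 and Phase 2 proposal names above follow a fixed field order, which makes them easy to parse and audit. The following is an added example, not code from the study guide or from ScreenOS: it splits a proposal name into its fields, rejects malformed ones (an AH proposal carrying a cipher, for instance), flags the choices a reviewer would question today (DES, MD5, DH group 1, no PFS; that rating is this example's own assessment, not exam content), and checks that two peers share an identical proposal, which is what Phase 1 requires. The aes192/aes256 tokens are assumed in addition to the “AES” the guide lists.

```python
"""Parse and sanity-check ScreenOS-style proposal names (added example)."""

AUTH_METHODS = {"pre", "rsa", "dsa"}          # preshared key, RSA-Sig, DSA-Sig
DH_GROUPS = {"g1", "g2", "g5"}
CIPHERS = {"des", "3des", "aes128", "aes192", "aes256", "null"}  # aes192/aes256 assumed
HASHES = {"md5", "sha1"}
PROTOCOLS = {"esp", "ah"}
# Reviewer notes for choices a defender would flag today (this example's own assessment)
WEAK = {"des": "DES: 56-bit key", "md5": "MD5: broken hash",
        "g1": "DH group 1: 768-bit modulus", "nopfs": "no Perfect Forward Secrecy"}


def parse_p1(name):
    """'pre-g2-3des-sha1' -> {'method','dh','encrypt','hash'}; ValueError if malformed."""
    parts = name.lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"Phase 1 proposal needs method-dh-encrypt-hash: {name}")
    method, dh, enc, hsh = parts
    if not (method in AUTH_METHODS and dh in DH_GROUPS
            and enc in CIPHERS - {"null"} and hsh in HASHES):
        raise ValueError(f"unknown Phase 1 field in {name}")
    return {"method": method, "dh": dh, "encrypt": enc, "hash": hsh}


def parse_p2(name):
    """'g2-esp-3des-sha1' -> {'pfs','protocol','encrypt','hash'}; ValueError if malformed."""
    parts = name.lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"Phase 2 proposal needs pfs-protocol-encrypt-hash: {name}")
    pfs, proto, enc, hsh = parts
    if not (pfs in DH_GROUPS | {"nopfs"} and proto in PROTOCOLS
            and enc in CIPHERS and hsh in HASHES):
        raise ValueError(f"unknown Phase 2 field in {name}")
    if proto == "ah" and enc != "null":   # AH authenticates only; it cannot encrypt
        raise ValueError(f"AH proposal cannot carry a cipher: {name}")
    return {"pfs": pfs, "protocol": proto, "encrypt": enc, "hash": hsh}


def weaknesses(proposal):
    """Return the reviewer notes that apply to a parsed proposal, in field order."""
    return [WEAK[v] for v in proposal.values() if v in WEAK]


def agreed_proposal(local, remote):
    """Both ends must offer an identical proposal; return the first match in local order."""
    return next((p for p in local if p in set(remote)), None)
```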
