Suppose you have been hired as a security consultant in a large organisation ABC.org, which has offices in three different countries: New Zealand, the USA, and the UK. This organisation wishes to use a VPN (Virtual Private Network) for internal employees. This organisation has decided to use IPSec-powered VPN. This organisation also uses NAT (Network Address Translation) and multiple network firewalls.
Question:
(a) Suggest whether the tunnel mode or the transport mode is better for the organisation’s VPN. Justify your answer.
(b) Suggest whether the AH or ESP protocol is better for the organisation’s VPN. Justify your answer.
ANSWER
(Q) (a) Suggest whether the tunnel mode or the transport mode is better for the organisation’s VPN. Justify your answer.
Answer: According to my suggestion, tunnel mode is better for the organisation's VPN because tunnel mode is the default mode. With tunnel mode, the entire original IP packet is protected by IPSec. This means IPSec wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN tunnel (IPSec peer).
Tunnel mode is most commonly used between gateways (ASA firewalls), or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.
Tunnel mode is used to encrypt traffic between secure IPSec Gateways, for example two routers connected over the Internet via IPSec VPN. Configuration and setup of this topology is extensively covered in our Site-to-Site IPSec VPN article. In this example, each router acts as an IPSec Gateway for its LAN, providing secure connectivity to the remote network.
Therefore, this shows that tunnel mode is far better than transport mode.
(Q) (b) Suggest whether the AH or ESP protocol is better for the organisation’s VPN. Justify your answer.
Answer: According to my suggestion, the AH protocol is better for the organisation's VPN because AH provides data integrity, data origin authentication, and an optional replay protection service.
Data integrity is ensured by using a message digest that is generated by an algorithm such as HMAC-MD5 or HMAC-SHA. Data origin authentication is ensured by using a shared secret key to create the message digest.
Replay protection is provided by using a sequence number field with the AH header.
AH authenticates IP headers and their payloads, with the exception of certain header fields that can be legitimately changed in transit, such as the Time To Live (TTL) field, whereas ESP doesn't protect any IP header fields in transport mode.
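As an added illustration (constructed for this page, not part of the answer above) of which IP header fields the AH integrity check covers, the following Python builds a simplified AH ICV in the style of RFC 4302 and re-verifies it after a router's TTL decrement and after a NAT rewrites the source address; the key, addresses, SPI and payload are made-up values.

```python
import hmac
import hashlib
import struct
# Constructed demonstration: a minimal IPv4 header and an AH integrity check
# value (ICV) with the mutable fields a router may change in transit
# (DSCP/ECN, flags/fragment offset, TTL, header checksum) zeroed before hashing.

KEY = b"constructed-demo-key"          # assumed shared secret of the SA
SPI, SEQ = 0x1000, 1                   # assumed SA identifier and sequence number
AH_LEN = 12 + 16                       # fixed AH header + 128-bit truncated ICV

def ipv4_header(src: str, dst: str, ttl: int, total_len: int) -> bytes:
    """Build a 20-byte IPv4 header carrying AH (protocol 51) with a valid checksum."""
    def ip_bytes(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, 51, 0, ip_bytes(src), ip_bytes(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]

def zero_mutable(hdr: bytes) -> bytes:
    """Zero the header fields AH excludes from the ICV."""
    b = bytearray(hdr)
    b[1] = 0                      # DSCP / ECN
    b[6:8] = b"\x00\x00"          # flags + fragment offset
    b[8] = 0                      # TTL
    b[10:12] = b"\x00\x00"        # header checksum
    return bytes(b)

def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256-128 over immutable IP fields, AH header (ICV zeroed) and payload."""
    ah = struct.pack("!BBHII", 6, AH_LEN // 4 - 2, 0, SPI, SEQ) + b"\x00" * 16
    return hmac.new(KEY, zero_mutable(hdr) + ah + payload, hashlib.sha256).digest()[:16]

def verify(hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(hdr, payload), icv)

def demo() -> dict:
    payload = b"constructed TCP segment"
    length = 20 + AH_LEN + len(payload)
    icv = ah_icv(ipv4_header("10.0.0.5", "203.0.113.9", 64, length), payload)
    # A router decrements TTL and refreshes the checksum: both are excluded, so it verifies.
    after_router = ipv4_header("10.0.0.5", "203.0.113.9", 63, length)
    # A NAT rewrites the source address: that field is covered, so verification fails.
    after_nat = ipv4_header("198.51.100.1", "203.0.113.9", 63, length)
    return {"ttl_only": verify(after_router, payload, icv),
            "nat_rewrite": verify(after_nat, payload, icv)}
```

The same rewrite leaves an ESP ICV intact, because ESP's check covers only the ESP header, payload and trailer rather than the outer IP header.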