Cisco CCNP Security 300-730 SVPN – Remote Access VPN Part 10

11. SSL, TLS and DTLS + LAB

Hello guys. Welcome to another video and we are going to be talking about DTLs versus SSL and also TLS. Let’s go ahead and get started with this. So before we start, let’s go ahead and do a little bit talk about, about the history about SSL. So it was developed by Net Netscape in 190 94. The SSL protocol quickly became dominant for the use in applications and service when transferring secure data across the Internet. Whenever you’re buying stuff, whenever you’re logging in, you want to make sure that you are using a secure connection. Also, whenever you are swiping your credit card online and doing all that, you want to be secure.

You know, back then during the consumer infancy of the Internet, the World Wide Web Consortium or Consortium, decided that a secure way to transfer web traffic across the Internet was needed to encourage ecommerce providers onto the Internet. You guys remember back in the days when people were saying that you were going to be able to buy stuff online and they were like, no, you’re crazy. How are you going to enter your credit card on a website and you’re going to pay for it like that? You’re crazy. That’s never going to happen. And look, now you’re able to use that and a lot more. And what is SSL? Guys. Well, SSL provides message authentication, authentication, confidentiality, we encryption and integrity with hashing algorithms through the combination of the underlying cryptographic protocols.

And how are SSL and TLS similar? Well, SSL and TLS are cryptographic protocols that authenticate data transfer between servers, systems, application and users. For example, a cryptographic protocol encrypts the data that is exchanged between our web server and a user. And they both do that and they are very, very similar. Some of the differences between SSL and TLS, the cipher suit. So SSL protocol offers support for Tesla cipher suite. TLS does not support, does not offer the support. TLS offers a betterization process that makes defining a new Cypress switch easier.

Like RC four triple test AES an idea, but you don’t want to do any. You want to use AES two five six list? And also another difference between SSL and TLS is that those alert messages, SSL has the no certificate alert message. TLS protocol removes the alert message and replaces it with several other alert messages. And there are a few more, the Record protocol. So each SSL uses message authentication code, or Mac after encryption. After encryption, each message. While Chiles, on the other hand, uses H Mac, a hash based message authentication code after each message encryption.

Right? So what it does is it encrypts it and then it just hashes it. That’s what HMAC does. And also there’s a different handshake process in it. So the hash calculation also compromises the master secret and pad. While in TLS, the hashes are calculated over a handshake message. So it is the same protocol, SSL and TLS, but TLS just makes it just takes it to another step. It’s just a little bit better than SSL. And they also do the message authentication, different SSL message authentication adjoins the key details and application data in ad hoc, while TLS version relies on HMAC hash based message authentication code, just like I said before. And what about DTLs? What in the world is DTLs? Who came out with DTLs? I feel like there’s a lot of people out there just sitting in the basement like I am right now, just thinking about what to do. Like, let’s just create a new protocol. Let me just draw on the board. And here is a new protocol. Here you are. DTLs. I think that’s how DTLs came up. And if you guys recall that, as you say on TLS, they use TCP, right? And because of the need for support for message reordering, retransmission and reliable delivery purposes, that’s why they use TCP, right? Because if you lose the packet, you want to get it back. And that’s why they use TCP, because TCP is able to reorder and retransmit and it’s more reliable than UDP, and that’s why SSL and TLS uses that.

But somebody came out with DTLs, and that is, for many, delay sensory protocols like voice and video, a lot of that is not really encrypted, and video and voice is not used. TCP uses UDP. That’s why DTLs came up. It is basically SSL and TLS, but using UDP instead of TCP, right? And some engineers needed to send the light sensitive application through an SSL and TLS tunnel. And because SSL and TLS, like I said, it says TCP, the EU, TCP, the voice and video was not really going to work. So they needed to just take SSL, take SSL and TLS and just add UDP instead of TCP.

And that’s why they came out with DTLs. DTLs is based on the original implementation of TLS, like I said, but instead operates using the UDP transport protocol for faster packet delivery, so you can have voice and video. Additional parameters, fields and functions allow it to provide reliable message delivery, message reordering, fragmentation, and anti replay. Natively natively. To provide the functions of message reordering and reliable delivery, the DTLs protocol has added two new fields to the TLS record layer format, sequence number and epoch. Also the sequence number increments for each package sent between the client and the server. DTLs also uses Windowing, which GCP uses the Windowing system for any replay purposes, providing the protocol to be able to distinguish between packets that are yet to be received and the ones that it should receive. And that is for this video on DTLs, SSL and TLS.

So they are basically TLS the DTLs. It is just TLS, but uses UDP and SSL and TLS. TLS, it just has better encryption and better everything than SSL. That’s what it is. And let’s just start labing, guys. Let’s just do a lab. And for this lab, let me see if I configure everything. I think I did it on the video before but I want to make sure that no, nothing was saved here. Let’s go ahead and do show IP interface brief. I don’t think anything was saved. No, nothing was saved.

So let’s go and configure everything. Guys. The hostname I want to name these R three interface one to one shut down. Then you want to do exit IP routes. Let’s just add a default route and I want to send everything to 21 one two. So we are switching this 21 and 21 two. That’s just how I did it. Okay, so we are done and let’s save it. Good. Now let’s go and configure the essay. The SA needs to have a lot more of configuration. Why is it rebooting right now? While that is rebooting, let’s go ahead and configure the IP address of the ASDM and of the website as well. And let’s go ahead and bring up over here. While this is rebooting, let’s go to ifconfig interface zero. And what is the interface IP address? 192-1681 net mask tupperfile tickle file file at zero actually now that needs to be that two if comp.

Then we do a route add default gateway 2168 let’s go ahead and configure the ASDM now. And the ACM just keeps rebooting for some reason. What we could do is let’s go ahead and just remove this bad boy. Let’s go ahead and add it again. Yes, I have Palo also. I’m working on that guys, just for you guys because I love you guys. Let’s go ahead and also configure it. Let’s see if it lets me use telnet. There we go. Hopefully it lets me use telnet. Okay, let’s go ahead and configure the IP address for the ISDM which is going to be go ahead and go to the terminal ifconfig interfere zero one two net mask for filefilers zero route and default gateway one.

Now let’s go ahead and see if the ASA fireball is up and running. It’s still not running. Let’s go ahead and just plug everything in. This one is going to go to the management interface. This one’s going to go to zero. This one’s going to go to zero one. Also at zero one. Let’s go ahead and verify ACM still not running. It is still reloading. So let’s go ahead and go to the Windows server and configure this IP address while the ASA is coming up. Let’s go ahead and go network adapters go ahead and remove 1821-6832-1821-6831 say yes, we should be able to do a thing. 192-1831 yes, we have a connection. So my ASDM or my ASDM ASA doesn’t want to work today. Let’s go ahead and try this over here. See if this one works. This is the other one management interface right here. Let me verify. This one is already up and running. So we are going to be using this one instead of this one. So let’s go ahead and stop it. Delete it. Adiosamigo. Go ahead and add this ASA right here.

Management cool. So let’s go ahead and don’t start rebooting. Let’s go ahead and pause. Am I going to have to pause it? Let’s see. I don’t want to make you guys wait on it then. So I’m just going to post it. Okay, so the ASA is up and running now. So let’s go and configure that bad boy. Configte gigabit one, which is this one. This is the management making sure you don’t get confused. This is this one. Gigabit one IP address 2001 two name if this one is going to be the out size. Now shut down. Now we go to gigabit zero. IP address 192 one eight, that one nine one name if inside. Now shut down. Let’s see if I were to ping 1921 H that one two. We are so we were able to pin this website right here. Good. Now let’s go ahead and do interface management saleslife zero IP address name f management shut down ping one to one two. Good. Ping 21 see if we are with pin the router. We are that’s great. So now let’s go ahead and do enable Http then http http we are going to let any IP address connect to it, which is not really good. Then we’re going to do management. Management. Then we are going to do a route to the outside, a default route. Send it to 201 which is the router.

So now we should be able to ping one and 216832, which is the Windows device. So we are able to ping that Windows device. Good. Let’s go ahead and save my configuration. Now let’s go ahead and access the ASA via the Asem which is the GUI interface of this firewall. Let’s go ahead and configure a or let’s go ahead and launch it. So yes, we don’t have a username and password. So you can just click okay. So you can log into it. And here we go. We are inside the Isa. So what we’re going to be doing, we first are going to be configuring not a site to site a client SSL VPN SSL. Okay, so we are going to be using SSL. Well actually let’s not do the wizard. That’s just for people that don’t know how to configure. So let’s go ahead and go to configuration. Let me go and be fancy and do a remote access VPN. We are going to do a clientless VPN. We are going to create a connection profile. Let’s go ahead and apply that. Let’s go ahead and add a connection profile. This one’s going to be called Excel connection and we are going to be using the local. So that’s good. We are going to use the default DNS.

We are going to create our own policy, excel policy. Oops. Press enter by accident. Edit we are going to say welcome whenever you log in. Welcome to Excel. Client list. VPN connection. Okay, okay. Say yes. Enable it, apply. Save it. Let’s go ahead and create a new user, local user, oscar password. Cisco. Cisco. That’s the password is for everything guys. So if you want to log into my Twitter account, the password is Cisco applied save it. Let’s go ahead and go to group policies and let’s attach that username to that policy so we are able to remote in. Good. After that is done, let’s go ahead and go to the portal. Let’s create a new one. Manage. And we want to add a URL bookmark. This one is going to go website. And the website that we want to go to is 121-6812, which is this website right here. Apply it, save it. So now we just have configure a clientless connection and a clientless ASPN connection. You’re able to access these ASA via a web browser. So you don’t need to install any software. And that’s going to take you to different places inside this network. Like the website for example. Just like we added that bookmark to go to that website. So let’s go ahead and go bring up that Windows device and inside this Windows device we are going to open whatever you want.

Let’s go ahead and open material firefox. We are going to go to http s wagwag 21 two saying that it’s not secure because we have a self signed certificate. So the self signed certificate is not a trusted certificate. But we are just going to add an exemption, confirm it. And here we go. Now we’re going to log in with my username and password. There we go. Don’t save. And you can see the banner that we added. Welcome to Sslcon SAPN Connection. Continue. And here we go. Here’s the bookmark that we created. Go to that website and here it is. So we are inside that website using just the web browser. Not using any, not using any software. But if you want to use a software, what you could do also let me do a CMD IP config. So you can see my current IP address is this one. But whenever we connect we are going to get an IP address that we’re going to configure in this ASA. So let’s go ahead and just do a wizard so we can do it a little bit faster. I don’t want to make this video too long. We are going to do it any connect with being a wizard. Next name. This one is going to be SSL. Any connect to the outside. We are just going to enable SSL. We don’t need an image or you can just add whatever you want. I already have an image. You can just add that. That’s fine. Next authentication.

Why don’t we go ahead and create another one. Let’s just call it Cisco. Cisco. We are going to add a pool or IP addresses. This one’s going to be any connect pool. We are going to start. 19216 810 10 and it’s going to go all the way to 192-161-6813. So whenever I connect I’m going to get an IP address in this ranges from that one to ten to that one at 13. But we are going to get the first one. Whenever I connect click. Okay. Next. We’re not going to do that. Say no. Net traversal is good. Finish that bad boy up. I got an error. The error saying that just the interconnect image. That’s fine. I didn’t use a proper image so that’s fine. I don’t need to add an image because I already have cisco AnyConnect installed on my windows device. Why is it not letting me click on finish. Don’t start. Come on. No, I want to finish them. Then it’s going to go back next. It’s not letting me finish.

Let’s go and cancel or click yes. Let’s see if it was configured. It looks like it was configured. I can see the group policy. Let’s see if we see the connection profile. It is our two. Let’s go to enable it to the outside. Group policy. Group policy is there. We don’t have a user to it. Let’s go ahead and add the VPN user. Good. Let’s go ahead and go and see. Let’s go ahead and go over here. Make this smaller. Local users are there advanced. So everything is there. It looks like everything is there. Some liking it. Let’s go ahead and see if we are able to connect to it. Let’s go ahead and go into my windows device and connect. We are going to use 21 two not IPsec. Quit. Any connect. Open it in 20. That one. That one. Two. Connect. Here we go. It is contacting. There we go. Continue. Anyway they’re going to log in with VPN password. Cisco you.

• Category: Uncategorized