CCNP Security IPS 642-627 Official Cert Guide: Network IPS Traffic Analysis Methods, Evasion Possibilities, and Anti-evasive Countermeasures

Date: Jul 18, 2011 By David Burns, Odunayo Adesina.
This chapter covers the methods a network IPS sensor uses to analyze traffic; the evasion techniques attackers use to bypass detection and filtering, together with the benefits and limitations of each analysis method so that the risk of evasion can be assessed; and the available countermeasures and tools, including how to choose the best approach based on the methods attackers use.

This chapter covers the following:

  • Various Network IPS traffic analysis methods
  • Various Network Evasion Attacks
  • Choosing the appropriate anti-evasion countermeasures

This chapter first explores various techniques to analyze network traffic to optimally detect suspicious and malicious traffic. This will be followed by a deep dive into the IPS Sensor software architecture. The next section discusses various evasion methods used by attackers to evade detection. The chapter concludes with a look at the appropriate and common anti-evasive countermeasures the Cisco IPS engines use to avoid false negatives.

Overview

Cisco and third-party IPS sensors use a variety of techniques to analyze network traffic in order to detect suspicious and malicious traffic as reliably as possible. This chapter covers the methods the Cisco IPS supports and the various evasion techniques used by attackers.

Chapter 3 begins with the "Network IPS Traffic Analysis Methods" section, which is a high-level overview of the analysis methods available today. Following the analysis methods, the chapter examines the evasion techniques and how to stay in front of the threats being seen around the world with anti-evasive countermeasures that prevent these evasion possibilities.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess if you should read the entire chapter. If you miss no more than one of these 8 self-assessment questions, you might want to move ahead to the "Exam Preparation Tasks." Table 3-1 lists the major headings in this chapter and the “Do I Know This Already?” quiz questions covering the material in those headings so you can assess your knowledge of these specific areas. The answers to the “Do I Know This Already?” quiz appear in Appendix A.

Table 3-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section                 Questions
Network IPS Traffic Analysis Methods
Network IPS Evasion Attacks
Cisco IPS Anti-Evasive Countermeasures

  1. Which of the following is a common limitation of packet header matching as a method of IPS traffic analysis?

    a. true positive
    b. true negative
    c. false positive
    d. false negative

    False positives with malware identification are a common limitation of packet header matching.

  2. Which of the following is NOT a limitation of stateful content matching as a method of IPS traffic analysis?

    a. performance impact
    b. false negatives if search is limited
    c. true positives due to lack of context
    d. false positives due to lack of context

    A known limitation of stateful content matching is false positives due to lack of context.

  3. Which of the following are benefits of using Protocol Decoding as a method of IPS traffic analysis?

    a. reliably detect known application-layer attacks
    b. detect yet-unknown application-layer attacks through application-layer protocol verification
    c. lower false positives
    d. improved performance for application-layer analysis
    e. All of the above

    All of the listed options are benefits of Protocol Decoding as a method of IPS traffic analysis.

  4. Which of the following network IPS traffic analysis methods is the most granular?

    a. protocol decoding
    b. stateful content matching
    c. packet content matching
    d. packet header matching

    The most granular method of IPS traffic analysis is protocol decoding.

  5. Which of the following attacks is mainly detected through the IPS traffic analysis method known as traffic correlation?

    a. Denial of Service (DoS) attacks
    b. Reconnaissance attacks
    c. Application-layer attacks
    d. Composite attacks

    Reconnaissance attacks are the attacks mainly detected through the method of traffic analysis known as traffic correlation.

  6. Which of the following IPS evasion techniques is the one where the attacker splits malicious traffic, hoping to avoid detection or filtering?

    a. traffic fragmentation
    b. traffic substitution and insertion
    c. protocol-level misinterpretation
    d. encryption and tunneling

    The IPS evasion technique where the attacker splits malicious traffic in an effort to avoid detection or filtering is known as traffic fragmentation.

  7. Which of the following Unicode decoding variations is often referred to as a worst-case scenario when utilized?

    a. Ambiguous bits
    b. Alternate code pages
    c. Multiple directory delimiters
    d. Double Encoding

    When Double Encoding is utilized, this is the worst-case scenario with regard to the number of unique ways a single character can be encoded.

  8. Which of the following IPS evasion techniques causes the IPS sensor to NOT ignore traffic that should be ignored?

    a. traffic fragmentation
    b. traffic substitution and insertion
    c. protocol-level misinterpretation
    d. encryption and tunneling

    The IPS evasion technique that causes the IPS sensor to NOT ignore traffic that should be ignored is protocol-level misinterpretation.

  9. Which of the following are examples of secure sessions used in encryption and tunneling?

    a. Secure Socket Layer (SSL)
    b. Secure Shell (SSH)
    c. Site-to-Site IP Security (IPSec) virtual private network (VPN) tunnel
    d. Client-to-LAN IPSec tunnel
    e. All of the above

    TBD.

  10. Which of the following Cisco IPS Anti-Evasion features is more suitable against Resource Exhaustion?

    a. Smart dynamic event summarization
    b. full session reassembly
    c. Data Normalization (deobfuscation)
    d. IP TTL & TCP checksum validation

    TBD.

Foundation Topics

Network IPS Traffic Analysis Methods

A network IPS sensor can analyze network traffic from a number of different angles. Some of the most common methods of network analysis are listed below:

  • Stateful Content Matching
  • Protocol Decoding
  • Traffic Correlation
  • Rate Analysis
  • Packet Header Matching
  • Packet Content Matching
  • Statistical Modeling
  • Event Correlation

Stateful Content Matching

The Cisco IPS sensor will fully reassemble a transport-layer session between network endpoints to extract a stream of bytes exchanged through an application session. Using this stream of bytes, the sensor can perform more reliable matching when searching for payload data across the entire session, even if the content is split across many packets.

The sensor reassembles different pieces of data depending on the OSI layer:

  • At OSI Layer 3, the sensor reassembles fragmented IP packets.
  • At OSI Layer 4, the sensor reassembles the TCP session in the correct order, relying on sequence numbers to correctly sequence the data; UDP session reassembly may rely on some application-layer UDP sequencing to extract the correct byte stream.

Stateful content matching improves quality of detection and doesn't allow attackers to easily evade the sensor using packet fragmentation and segmentation. This method is more demanding of the sensor, as the sensor must perform real-time in-memory buffering of application data. The sensor can be instructed to only look into one portion of the byte stream (for example, only the first 100 bytes) to increase performance. This can lead to false negatives if the attacker is able to send malicious data later in the session, outside the inspection window. The sensor still does not fully understand the application-layer protocol and content, thus administrators may see false positives as the content the sensor is looking for may appear in many different contexts in the application stream (for example, a user may be visiting a web page that contains certain malicious sequences inside a textual description, where they pose no harm), possibly causing the sensor to act on legitimate or non-harmful traffic.
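The following is an added example, not code from the book or from the Cisco sensor, that shows the difference the paragraph describes: a toy reassembler orders TCP segments by sequence number and a stateful matcher searches the resulting byte stream, optionally limited to an inspection window (the "first 100 bytes" trade-off). The signature string, sequence numbers and segments are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamReassembler:
    """Reassembles one direction of a TCP session starting at its initial sequence number."""
    isn: int                                        # sequence number of the first stream byte
    segments: dict = field(default_factory=dict)    # seq -> payload (out-of-order buffer)

    def add(self, seg: Segment) -> None:
        # Keep every segment; a retransmission with the same seq simply overwrites.
        self.segments[seg.seq] = seg.payload

    def stream(self) -> bytes:
        """Return the contiguous byte stream, stopping at the first hole (missing data)."""
        out = bytearray()
        expected = self.isn
        for seq in sorted(self.segments):
            data = self.segments[seq]
            if seq > expected:
                break                         # gap: nothing after it can be trusted yet
            if seq < expected:                # partial overlap with data already consumed
                data = data[expected - seq:]
            out += data
            expected += len(data)
        return bytes(out)


def per_packet_match(segments, pattern: bytes) -> bool:
    """Packet content matching: every segment is inspected on its own."""
    return any(pattern in s.payload for s in segments)


def stateful_match(segments, isn: int, pattern: bytes, window: Optional[int] = None) -> bool:
    """Stateful content matching over the reassembled stream; `window` restricts the
    search to the first N bytes, the performance knob the chapter mentions."""
    reassembler = StreamReassembler(isn)
    for s in segments:
        reassembler.add(s)
    data = reassembler.stream()
    if window is not None:
        data = data[:window]
    return pattern in data


# Constructed sample data: an old CGI probe string used purely as a signature.
SIGNATURE = b"GET /cgi-bin/phf"
ISN = 1000

# The signature is split across two segments, which also arrive out of order.
SPLIT_SEGMENTS = [
    Segment(1012, b"/phf HTTP/1.0\r\n"),
    Segment(1000, b"GET /cgi-bin"),
]

# The signature appears only after 200 bytes of filler, i.e. outside a 100-byte window.
LATE_SEGMENTS = [
    Segment(1000, b"A" * 200),
    Segment(1200, SIGNATURE + b" HTTP/1.0\r\n"),
]

# A stream with a hole: bytes 1003..1009 never arrive.
GAPPED_SEGMENTS = [Segment(1000, b"abc"), Segment(1010, b"xyz")]
```

With `per_packet_match` the split signature is missed, `stateful_match` finds it, and the same call with `window=100` misses the late signature, which is exactly the false-negative trade-off the paragraph warns about.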

Protocol Decoding

The most granular method of analysis is protocol decoding, where the sensor takes an extra step, and parses the application-layer protocol from a reassembled byte stream provided by the stateful transport-layer reassembly routines. The quality of detection is improved by this method in the following three ways:

  • It improves performance, as the sensor needs to examine less traffic after it has decoded it.
  • The sensor can perform protocol verification, and reject protocol messages that do not conform to the standard behavior of the protocol. The sensor can detect or prevent both known and yet-unknown attacks which violate protocol standards (for example, buffer overflows which send too much data to a host, violating maximum lengths set forth in protocol standards).
  • It lowers false positives by providing context in which the sensor needs to look for suspicious or malicious patterns. For example, instead of searching through the entire TCP session's byte stream the sensor can now search for malicious HTTP URLs exactly in the part of the HTTP request where the URL is located. This increases the accuracy of the sensor ensuring it won't make a wrong decision by finding offending content in the wrong context.
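As an added example (not the book's or Cisco's code), the following minimal HTTP request decoder illustrates the three benefits above: it verifies the protocol (rejecting unknown methods, bad versions and an over-long request-target), and it matches URL signatures only against the decoded request-target rather than the whole byte stream. The maximum target length, the signature strings and the sample requests are constructed assumptions.

```python
import re
from dataclasses import dataclass

MAX_REQUEST_TARGET = 2048   # assumed sanity limit for this example
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")


class ProtocolViolation(Exception):
    """Raised when the request does not conform to HTTP/1.x framing rules."""


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict
    body: bytes


def decode_http_request(raw: bytes) -> HttpRequest:
    """Protocol decoding step: parse the request line and headers, enforcing basic rules."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ProtocolViolation("non-ASCII bytes in request head")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ProtocolViolation("malformed request line")
    method, target, version = parts
    if method not in KNOWN_METHODS:
        raise ProtocolViolation(f"unknown method {method!r}")
    if not VERSION_RE.match(version):
        raise ProtocolViolation(f"bad version {version!r}")
    if len(target) > MAX_REQUEST_TARGET:
        raise ProtocolViolation("request-target exceeds maximum length")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ProtocolViolation("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, body)


URL_SIGNATURES = [b"/cgi-bin/phf", b"/etc/passwd"]   # constructed sample signatures


def inspect(raw: bytes) -> str:
    """Context-aware check: 'violation', 'match' (signature in the URL) or 'clean'."""
    try:
        req = decode_http_request(raw)
    except ProtocolViolation:
        return "violation"
    target = req.target.encode("ascii")
    return "match" if any(sig in target for sig in URL_SIGNATURES) else "clean"


def naive_inspect(raw: bytes) -> str:
    """Context-free check over the whole byte stream, for comparison."""
    return "match" if any(sig in raw for sig in URL_SIGNATURES) else "clean"


# Constructed sample requests.
ATTACK = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\nHost: example.test\r\n\r\n"
BENIGN = (b"POST /forum/post HTTP/1.1\r\nHost: example.test\r\nContent-Length: 36\r\n\r\n"
          b"The old /cgi-bin/phf bug is history.")
OVERLONG = b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD_METHOD = b"GETX / HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

The forum post containing the signature text in its body is flagged by the naive search but not by the decoder, which is the false-positive reduction the text describes; the over-long target and unknown method are rejected as protocol violations before any signature is consulted.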

Traffic Correlation

A network IPS sensor sees a large number of flows from different network endpoints and therefore has the advantage of being able to correlate packets of multiple network conversations. Suspicious or malicious activity can be identified by correlating different packets and determining their common properties.

IPS sensors use these real-time correlation abilities mainly to detect network reconnaissance attacks, where attackers send many packets to few or many other hosts in order to determine their reachability, the presence of specific applications, or to enumerate all exposed network services offered by an endpoint. Worms use similar scanning techniques to find other systems to spread to, and can be detected and stopped using the same correlation mechanisms on the network IPS sensors.

One fundamental limitation of packet correlation is that it takes a while before the sensor classifies and correlates packets to determine if these packets constitute an interesting event. Until this threshold is met, all previous packets will already be on the way to their destination, thus cannot be dropped or captured.

A good example of such correlation would be a network sensor detecting more than 10 different connection request packets from a single host, to multiple other hosts, on the same TCP destination port, within 60 seconds. This may indicate that a host is performing a service scan of the network.

Rate Analysis

A network IPS has the ability to monitor the rate of packets of a particular protocol, the rate of packets between host pairs, the connection rate, or the rate of application-layer requests and messages. This capability is referred to as rate analysis. These rate monitors work using a set of thresholds that define the maximum rates expected during normal network operation. The thresholds can be set manually by the administrator or preconfigured by the IPS vendor. Denial-of-service attacks often use flooding at various levels of the OSI model, so they can be detected using these mechanisms.

An example of rate analysis is an IPS sensor configured to monitor the UDP traffic rate between the attacker and the target host, with the threshold set at 150 packets per second. Once this threshold is met or exceeded, the sensor alarms and acts accordingly (results vary depending on which actions and alarm thresholds are configured).
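Both the service-scan correlation example (more than 10 hosts on one TCP port within 60 seconds) and the UDP rate example (150 packets per second) above are sliding-window threshold checks. The block below is an added example, not code from the book or from the Cisco sensor, that implements both over a constructed packet list; the addresses, timestamps and the alert strings are assumptions made for the example. The slow-scan sample also shows the limitation of a fixed window: the same 12 probes spread 30 seconds apart never exceed the threshold.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float           # timestamp in seconds
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    dport: int
    syn: bool = False   # TCP connection request


class ScanCorrelator:
    """Traffic correlation: alert when one source sends connection requests to more than
    `threshold` distinct hosts on the same TCP destination port within `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 60.0):
        self.threshold, self.window = threshold, window
        self.requests = defaultdict(deque)   # (src, dport) -> deque of (ts, dst)

    def observe(self, p: Packet):
        if p.proto != "TCP" or not p.syn:
            return None
        q = self.requests[(p.src, p.dport)]
        q.append((p.ts, p.dst))
        while q and p.ts - q[0][0] > self.window:   # expire entries outside the window
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) > self.threshold:
            return f"service scan: {p.src} -> {len(targets)} hosts on tcp/{p.dport}"
        return None


class RateMonitor:
    """Rate analysis: alert when UDP packets between one host pair reach `pps`
    within any one-second window."""

    def __init__(self, pps: int = 150):
        self.pps = pps
        self.times = defaultdict(deque)      # (src, dst) -> deque of timestamps

    def observe(self, p: Packet):
        if p.proto != "UDP":
            return None
        q = self.times[(p.src, p.dst)]
        q.append(p.ts)
        while q and p.ts - q[0] >= 1.0:
            q.popleft()
        if len(q) >= self.pps:
            return f"udp flood: {p.src} -> {p.dst} at {len(q)} pps"
        return None


def run(packets, *monitors) -> list:
    """Feed every packet through every monitor and collect the alerts in order."""
    alerts = []
    for p in packets:
        for m in monitors:
            alert = m.observe(p)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed samples using documentation address ranges.
SCANNER, VICTIM = "192.0.2.10", "198.51.100.5"
FAST_SCAN = [Packet(i * 1.0, SCANNER, f"10.0.0.{i + 1}", "TCP", 22, syn=True) for i in range(12)]
SLOW_SCAN = [Packet(i * 30.0, SCANNER, f"10.0.0.{i + 1}", "TCP", 22, syn=True) for i in range(12)]
UDP_FLOOD = [Packet(i * 0.003, SCANNER, VICTIM, "UDP", 53) for i in range(160)]
UDP_NORMAL = [Packet(i * 0.02, SCANNER, VICTIM, "UDP", 53) for i in range(50)]
```

Running `run(FAST_SCAN, ScanCorrelator())` produces the first alert on the eleventh distinct host, `run(SLOW_SCAN, ScanCorrelator())` produces none, and the UDP samples behave the same way relative to the 150 pps threshold. Note that, as the chapter says, the first ten probes have already been forwarded by the time the alert fires.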

Packet Header Matching

The simplest method of traffic analysis examines the headers of individual packets: some suspicious or malicious activity can be determined by analyzing a packet's header alone, for example an anomalous combination of TCP flags in a TCP segment.

This method of analysis is used to:

  • Provide basic identification of network connections made by malware, or accepted by malware-infested PCs, such as a Trojan horse program that allows remote control of a system. The sensor can identify these connections based on the well-known transport-layer ports these malware applications use. Identification of this nature is prone to errors, as some applications may legitimately use these ports.
  • Detect malformed packets at OSI Layers 2-4 by performing low-level protocol verification of these protocols. Attackers can and often do use malformed packets to crash protected systems or network devices by exploiting bugs in their TCP/IP stacks or packet-forwarding functions.

Packet Content Matching

Another method of analysis uses basic examination of packet payloads for each individual packet. The sensor uses this to:

  • Improve its identification of malware connections, if these connections use some well-known payload data patterns that can be identified in individual packets.
  • Detect unwanted applications in the network, such as messaging or gaming applications that use ports of standard applications.
  • Detect known application-layer attacks that are embedded in the packet payloads, by looking for a specific sequence of payload bytes.

Attackers often evade this method of analysis simply by spreading the characteristic or "signature" of suspicious or malicious traffic over two or more packets, bypassing the analysis because the sensor examines each packet individually.

This method of analysis often causes false positives, as legitimate traffic may contain the same traffic pattern; because the sensor doesn't understand the context in which the payload appears, it triggers an event or acts in error.

Statistical Modeling

A network IPS sensor may be able to use an analysis technique and supervised learning to build a statistical model that describes certain traffic properties. Some examples may be traffic patterns, traffic rates, traffic composition, traffic intervals, etc. This method typically aligns to the anomaly-based approach, which allows the sensor to detect any known or yet-unknown attacks that violate the learned "normal" behavior. Denial-of-service and similar flooding-based attacks are often detected by sensors using this approach. This approach is prone to higher rates of false positives in networks that cannot be adequately described with a statistical model. If an administrator is trying to address specific issues similar to reconnaissance detection problems this method of analysis can work well with almost no false positives.

Typically, management stations and tools legitimately scan the network, opening several sessions a minute to different hosts, but worm-infected servers or PCs often try to open a much larger number of sessions. An IPS sensor would detect such anomalies and identify a worm attack.

Event Correlation

Finally, in addition to packet correlation, the last method of analysis is event correlation, where the sensor correlates multiple detected events to present higher-level, consolidated information to the administrator, and possibly acts on that higher-level information automatically using preventive actions.

Event correlation on the sensor is beneficial in detecting composite attacks more reliably. A composite attack usually consists of multiple individual events or attacks. The sensor is required to see multiple components of the attack in order to recognize it as an attack. This increases the reliability and confidence required to deploy preventive aggressive actions, and provides more information about the network activity to the administrator.

Unlike other methods, the limitation isn't false reporting but performance degradation. The sensor isn't able to use very long time windows in which to correlate events, so an attacker may be able to evade detection by performing an attack as a slow sequence, at the expense of attack efficiency. Even so, the individual components of the attack are still likely to be detected or prevented.

Network IPS Evasion Techniques

As discussed in the previous section there are a number of methods to analyze attacks, but to better analyze and choose anti-evasion countermeasures it's important to understand the various evasion techniques used by attackers. Network attackers often use network IPS evasion techniques to attempt to bypass the intrusion detection, prevention, and traffic filtering functions provided by network IPS sensors. Some commonly used network IPS evasion techniques are listed below:

  • Encryption and Tunneling
  • Timing Attacks
  • Resource Exhaustion
  • Traffic Fragmentation
  • Protocol-level Misinterpretation
  • Traffic Substitution and Insertion

Encryption and Tunneling

One common method of evasion used by attackers is to avoid detection simply by encrypting the packets or putting them in a secure tunnel. As discussed several times now, IPS sensors monitor the network and capture the packets as they traverse it, but network-based sensors rely on the data being transmitted in plaintext. When the packets are encrypted, the sensor captures the data but is unable to decrypt it and cannot perform meaningful analysis. This assumes the attacker has already established a secure session with the target network or host. Some examples that can be used for this method of encryption and tunneling are:

  • Secure Shell (SSH) connection to an SSH server
  • Client-to-LAN IPSec (IP Security) VPN (virtual private network) tunnel
  • Site-to-site IPSec VPN tunnel
  • SSL (Secure Socket Layer) connection to a secure website

There are other types of encapsulation that attackers often use in an evasion attack and that the sensor cannot analyze unless it unpacks them. For example, GRE (Generic Routing Encapsulation) tunnels are often used, with or without encryption.
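To make concrete what unpacking a GRE tunnel for inspection involves, here is an added example (not the book's or Cisco's code) that parses the outer IPv4 header, the GRE header as laid out in RFC 2784/2890 (flags, version, protocol type, and the optional checksum, key and sequence fields), and then the inner IPv4 packet, so the inner payload can be handed to the normal inspection path. The addresses, GRE key and UDP payload are constructed sample data; IPv4 header checksums are left at zero and not validated here.

```python
import socket
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed IPv4 header without options; header checksum left at 0 (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def parse_ipv4(data: bytes):
    """Return (header fields, payload) for one IPv4 packet, checking version and lengths."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    header = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl}
    return header, data[ihl:total_len]


def parse_gre(data: bytes):
    """GRE (RFC 2784/2890): 2 bytes of flags/version, 2-byte protocol type, then optional
    checksum+reserved1, key and sequence number selected by the C, K and S bits."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", data[:4])
    if flags & 0x0007 != 0:
        raise ValueError("unsupported GRE version (only version 0 handled)")
    offset = 4
    if flags & 0x8000:
        offset += 4      # C bit: checksum + reserved1
    if flags & 0x2000:
        offset += 4      # K bit: key
    if flags & 0x1000:
        offset += 4      # S bit: sequence number
    if len(data) < offset:
        raise ValueError("truncated GRE optional fields")
    return proto_type, data[offset:]


def inspect_packet(raw: bytes) -> dict:
    """Return the outer header and, for GRE-carried IPv4, the inner header and payload
    the sensor should actually inspect; 'inner' is None when there is nothing to unpack."""
    outer, payload = parse_ipv4(raw)
    result = {"outer": outer, "inner": None, "inner_payload": None}
    if outer["proto"] != IPPROTO_GRE:
        return result
    proto_type, inner_raw = parse_gre(payload)
    if proto_type != ETHERTYPE_IPV4:
        return result    # GRE carrying something other than IPv4: not handled by this example
    inner, inner_payload = parse_ipv4(inner_raw)
    result["inner"], result["inner_payload"] = inner, inner_payload
    return result


# Constructed sample: a UDP datagram to port 53 inside an IPv4 packet, carried by a GRE
# tunnel whose header has the Key bit set.
INNER_UDP = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"probe"
INNER = build_ipv4("10.10.1.5", "10.20.2.9", 17, INNER_UDP)
GRE = struct.pack("!HH", 0x2000, ETHERTYPE_IPV4) + struct.pack("!I", 42) + INNER
TUNNELED = build_ipv4("192.0.2.1", "203.0.113.1", IPPROTO_GRE, GRE)
PLAIN = build_ipv4("192.0.2.1", "203.0.113.1", 17, INNER_UDP)
```

A sensor that stops at the outer header sees only GRE between the two tunnel endpoints; after unpacking, the inner 10.10.1.5 to 10.20.2.9 UDP datagram is what the STRING and SERVICE engines would be given.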

Timing Attacks

Attackers can evade detection by performing their actions slower than normal, not exceeding the thresholds inside the time windows the signatures use to correlate different packets together. These evasion attacks can be mounted against any correlating engine that uses a fixed time window and a threshold to classify multiple packets into a composite event. An example of this type of attack would be a very slow reconnaissance attack sending packets at the interval of a couple per minute. In this scenario, the attacker would likely evade detection simply by making the scan possibly unacceptably long.

Resource Exhaustion

A common method of evasion used by attackers is extreme resource consumption, and with this less obvious method it doesn't matter whether the denial is directed at the device or at the personnel managing the device. Specialized tools can be used to create a large number of alarms that consume the resources of the IPS device and prevent attacks from being logged. These attacks can overwhelm the management system or server, the database server, or the out-of-band (OOB) network. Attacks of this nature can also succeed if they only overwhelm the administrative staff, who do not have the time or skill necessary to investigate the numerous false alarms that have been triggered.

Intrusion detection and prevention systems rely on their ability to capture packets off the wire and analyze them quickly, but this requires that the sensor have adequate memory capacity and processor speed. The attacker can cause an attack to go undetected by flooding the network with noise traffic and causing the sensor to capture unnecessary packets. Even if the attack is detected, the sensor may be unable to respond in a timely manner because its resources are exhausted.

Traffic Fragmentation

Fragmentation of traffic was one of the early network IPS evasion techniques used to attempt to bypass the network IPS sensor. Any evasion attempt where the attacker splits malicious traffic to avoid detection or filtering is considered a fragmentation-based evasion. It works by:

  • Bypassing the network IPS sensor if it does not perform any reassembly at all.
  • Reordering split data if the network IPS sensor does not correctly order it in the reassembly process.
  • Confusing the network IPS sensor's reassembly methods, which may not reassemble split data correctly and so miss the malicious payload.

A few classic examples of fragmentation-based evasion are below:

  • TCP segmentation and reordering, where the sensor must correctly reassemble the entire TCP session, including possible corner cases such as selective ACKs and selective retransmission.
  • IP fragmentation, where the attacker fragments all traffic if the network IPS does not perform reassembly. Most sensors do perform reassembly, so the attacker fragments the IP traffic in a manner that is not uniquely interpreted. This causes the sensor to interpret it differently from the target, which leads to the target being compromised.

In the same class of fragmentation attacks, there is a class of attacks involving overlapping fragments. In overlapping fragments the offset values in the IP header don't match up as they should, thus one fragment overlaps another. The IPS sensor may not know how the target system will reassemble these packets, and typically different operating systems handle this situation differently.
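The ambiguity described above can be made visible with a small reassembler. This is an added example, not the book's or Cisco's code: it reassembles a constructed set of fragments under two policies (the first-arriving bytes win, or the last-arriving bytes win), reports whether any byte was written twice, and shows that the two policies produce different payloads and therefore a different signature verdict. Offsets here are byte offsets for readability, whereas the real IP header counts them in 8-byte units; the request strings and signature are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this piece within the original datagram (toy: bytes, not 8-byte units)
    data: bytes


def reassemble(fragments, policy: str):
    """Reassemble fragments in arrival order. policy='first' keeps bytes that arrived first;
    policy='last' lets later fragments overwrite. Returns (payload, overlapped)."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(f.offset + len(f.data) for f in fragments)
    buf = bytearray(total)
    filled = bytearray(total)          # 1 where a byte has already been written
    overlapped = False
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if filled[pos]:
                overlapped = True
                if policy == "first":
                    continue           # keep the earlier byte
            buf[pos] = byte
            filled[pos] = 1
    if not all(filled):
        raise ValueError("hole in datagram: reassembly incomplete")
    return bytes(buf), overlapped


def inspect_fragments(fragments, signature: bytes) -> dict:
    """Sensor-side check: reassemble under both policies and report whether fragments
    overlapped and whether the verdict depends on the policy (the ambiguous case a sensor
    should alert on or drop rather than guess)."""
    first, overlapped = reassemble(fragments, "first")
    last, _ = reassemble(fragments, "last")
    first_match, last_match = signature in first, signature in last
    return {
        "overlap": overlapped,
        "first_wins_match": first_match,
        "last_wins_match": last_match,
        "ambiguous": overlapped and first_match != last_match,
    }


SIGNATURE = b"/cgi-bin/phf"   # constructed sample signature

# Constructed sample: the second fragment covers bytes 8..20, which the first already filled.
OVERLAPPING = [
    Fragment(0, b"GET /aaa/index1.html HTTP/1.0\r\n"),
    Fragment(8, b"/cgi-bin/phf "),
]

# Constructed sample with no overlap: the two pieces simply abut.
CLEAN = [
    Fragment(0, b"GET /aaa"),
    Fragment(8, b"/index1.html HTTP/1.0\r\n"),
]
```

For `OVERLAPPING`, the first-wins view reads `GET /aaa/index1.html ...` and the last-wins view reads `GET /aaa/cgi-bin/phf ...`; since the sensor does not know which one the target will build, the safe handling is to treat overlap itself as the event.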

Protocol-level Misinterpretation

Attackers also evade detection by causing the network IPS sensor to misinterpret the end-to-end meaning of network protocols. In this scenario the sensor sees the traffic differently from the target, causing the sensor either to ignore traffic that should not be ignored or vice versa. Two common examples are packets with a bad TCP checksum and IP TTL (Time-to-Live) attacks.

A bad TCP checksum could be used in the following manner: an attacker intentionally corrupts the TCP checksum of specific packets, confusing the state of a network IPS sensor that does not validate checksums. The attacker can also send a good payload with a bad checksum; the sensor processes it, but most hosts will not. The attacker follows with a bad payload and a good checksum. To the network IPS sensor this appears to be a duplicate, so the sensor ignores it, but the end host now processes the malicious payload.

The IP TTL field in packets presents a problem to a network IPS sensor because there is no easy way to know the number of hops from the sensor to the endpoint of an IP session stream. Attackers can take advantage of this, through a method of reconnaissance, by sending a packet with a very short TTL which passes through the network IPS fine but is dropped by a router between the sensor and the target host when the TTL reaches zero. The attacker may then follow by sending a malicious packet with a long TTL, which makes it to the end host or target. To the sensor the packet looks like a retransmission or duplicate packet from the attacker, but to the host or target this is the first packet that actually reached it. The result is a compromised host, and the network IPS sensor ignored or missed the attack.
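The two countermeasures the chapter names for these cases, TCP checksum validation and IP TTL validation, are shown in the added example below (not the book's or Cisco's code). It computes the RFC 793 TCP checksum over the IPv4 pseudo-header, replays the bad-checksum sequence described above into two stream views (one that validates checksums, like a host, and one that does not), and adds a TTL check against an assumed, administrator-configured hop count to the protected host. The addresses, ports, payloads and hop count are constructed sample values.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """RFC 793 checksum: IPv4 pseudo-header + segment with its checksum field zeroed."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """TCP checksum validation: does the field carried in the segment match the recomputed value?"""
    return struct.unpack("!H", segment[16:18])[0] == tcp_checksum(src, dst, segment)


def build_segment(src: str, dst: str, seq: int, payload: bytes,
                  sport: int = 40000, dport: int = 80, flags: int = 0x18) -> bytes:
    """Constructed TCP segment (20-byte header, no options) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def corrupt_checksum(segment: bytes) -> bytes:
    """Flip bits in the checksum field only, so the segment fails validation; payload untouched."""
    bad = struct.unpack("!H", segment[16:18])[0] ^ 0x5555
    return segment[:16] + struct.pack("!H", bad) + segment[18:]


class StreamView:
    """One party's view of a TCP byte stream. Hosts always validate checksums; a sensor
    that does not can end up with a different view of the same session."""

    def __init__(self, validate_checksum: bool):
        self.validate = validate_checksum
        self.seen = {}   # seq -> payload

    def observe(self, src: str, dst: str, segment: bytes) -> str:
        seq = struct.unpack("!I", segment[4:8])[0]
        if self.validate and not checksum_ok(src, dst, segment):
            return "discard: bad checksum"
        if seq in self.seen:
            return "ignore: duplicate"        # same sequence number already accepted
        self.seen[seq] = segment[20:]         # data offset is 5 words (no options)
        return "accept"

    def data(self) -> bytes:
        return b"".join(self.seen[s] for s in sorted(self.seen))


def ttl_reaches_target(ttl: int, router_hops: int) -> bool:
    """IP TTL validation. router_hops is an assumed, administrator-configured number of
    routers between the sensor and the protected host; a packet whose TTL is not larger
    than that count expires on the way and never reaches the target, so the sensor
    should not let it update session state."""
    return ttl > router_hops


# Constructed sample session between two documentation addresses.
SRC, DST = "192.0.2.10", "198.51.100.5"
BAD_CSUM = corrupt_checksum(build_segment(SRC, DST, 1, b"benign "))   # harmless payload, bad checksum
GOOD_CSUM = build_segment(SRC, DST, 1, b"attack ")                    # same seq, valid checksum


def stream_seen_by(validate_checksum: bool) -> bytes:
    """Replay the chapter's bad-checksum sequence and return the bytes this view would inspect."""
    view = StreamView(validate_checksum)
    for seg in (BAD_CSUM, GOOD_CSUM):
        view.observe(SRC, DST, seg)
    return view.data()
```

A validating view (`stream_seen_by(True)`) ends up with the same bytes the host processes, while the non-validating view keeps the harmless payload and discards the real one as a duplicate, which is precisely the gap the checksum-validation feature closes.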

Traffic Substitution and Insertion

Another class of evasion attacks includes traffic substitution and insertion. Traffic substitution is when the attacker attempts to substitute payload data with other data in a different format but with the same meaning. A network IPS sensor may miss such malicious payloads if it looks for data in a particular format and doesn't recognize the true meaning of the data. Some examples of substitution attacks are below:

  • Substitution of spaces with tabs, and vice versa, for example inside HTTP requests.
  • Using Unicode instead of ASCII strings and characters inside HTTP requests.
  • Exploit mutation, where specific malicious shellcode (executable exploit code that forces the target system to execute it) can be substituted by completely different shellcode with the same meaning and thus consequences on the end host or target.
  • Exploit case sensitivity and changing case of characters in a malicious payload, if the network IPS sensor is configured with case-sensitive signature.

Insertion attacks act in the same manner in that the attacker inserts additional information that does not change the payload meaning into the attack payload. An example would be the insertion of spaces or tabs into protocols that ignore such sequences.

Unicode provides a unique identifier for every character in every language to facilitate uniform computer representation of the world's languages. The Unicode Consortium manages Unicode, which has been adopted by the majority of information technology industry leaders. Modern standards including Java, LDAP (Lightweight Directory Access Protocol), and XML require Unicode, and many operating systems and applications support it. Unicode identifiers, also known as 'code points', are written as U+xxxx, where each x is a hexadecimal digit.

UTF-8 is the Unicode Transformation Format that serializes a Unicode code point as a sequence of one to four bytes, as defined by the Unicode Consortium in its "Corrigendum to Unicode 3.0.1." UTF-8 provides a way to encode Unicode points and still be compatible with ASCII, which is the common representation of text on the Internet.

Even though the Unicode specification dictates that distinct code points should be treated differently, there are times when an application or operating system assigns the same interpretation to different code points.

Cisco's Unicode de-obfuscation supports the following variations, though there are many different implementations of Unicode decoding (including some "free interpretations"):

  • Ambiguous bits - Some decoder implementations ignore certain bits in the encoding. For example, an application will treat %A9 and %C9 identically, discarding the fifth bit in a UTF-8 two-octet encoding.
  • Alternate code pages - Most Windows-based personal computers have extended Latin code pages loaded. Typically, when an extended character is processed it is normalized to an ASCII equivalent character.
  • Self-referencing directories - The directory name "test/././app" refers to the same path as "test/app".
  • Double Encoding - The code point passes through two levels of encoding. The base encoding can be either a single-octet UTF-8 or Unicode %U encoding (without variation). The second encoding can encode each octet of the base encoding with any encoding method and variation. When utilized, a single character can be encoded in many unique ways, such as listed below:
    • "%" can be represented at least 140 ways.
    • "x" can be represented at least 1000 ways on average.
    • "U" can be represented at least 3260 ways.
  • Multiple directory delimiters - Some operating systems will treat "/" and "\" equivalently as directory delimiters. Repeated directory delimiters are also ignored.
  • Unencoded octets mixed with encoded octets in a UTF-8 sequence - Any octet except the first octet in a UTF-8 sequence can be an unencoded value. A good example of this is the value 0x123, represented in UTF-8 as %E0%84%A3, but the 84 being an ASCII value can also be represented with a UTF-8 value.
  • Microsoft base-36 - Older versions of Microsoft's UTF-8 decoder accept 36 characters (A-Z and 0-9) as valid hexadecimal digits in the UTF-8 encoding instead of the normal 16 characters (A-F and 0-9). This is often referred to as a decoder implementation error.
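The list above is what the SERVICE engines' data normalization has to undo before a signature is compared. The following is an added example, not code from the book or from Cisco's engines, of a canonicalizer for an HTTP request-target that handles several of the listed variations: repeated (double) percent-decoding up to a bounded number of rounds, %uXXXX decoding, a deliberately lenient UTF-8 decoder that also accepts non-shortest (overlong) forms the way permissive applications do, "\" treated as "/", collapsed repeated delimiters, "/./" removal and case folding. The signature string and sample targets are constructed; the maximum decoding depth is an assumption.

```python
import re

PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
PCT = re.compile(r"%([0-9a-fA-F]{2})")


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 but, unlike Python's strict decoder, also accept non-shortest (overlong)
    forms, mirroring the permissive application decoders a sensor has to keep up with.
    Invalid lead or continuation bytes become U+FFFD."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
            continue
        if 0xC0 <= c <= 0xDF:
            n, cp = 1, c & 0x1F
        elif 0xE0 <= c <= 0xEF:
            n, cp = 2, c & 0x0F
        elif 0xF0 <= c <= 0xF7:
            n, cp = 3, c & 0x07
        else:
            out.append("\ufffd")
            i += 1
            continue
        tail = raw[i + 1:i + 1 + n]
        if len(tail) != n or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("\ufffd")
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + n
    return "".join(out)


def percent_decode_once(s: str) -> str:
    """One round of decoding: %uXXXX first, then %XX into raw bytes, then lenient UTF-8."""
    s = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    raw = bytearray()
    i = 0
    while i < len(s):
        m = PCT.match(s, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw += s[i].encode("utf-8")
            i += 1
    return lenient_utf8(bytes(raw))


def canonicalize(target: str, max_rounds: int = 3):
    """Return (normalized path, number of decoding rounds that changed something).
    max_rounds bounds the work an attacker can force through nested encoding (assumed value)."""
    rounds = 0
    s = target
    for _ in range(max_rounds):
        decoded = percent_decode_once(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    s = s.replace("\\", "/")          # multiple directory delimiters
    s = re.sub(r"/+", "/", s)         # repeated delimiters are ignored
    while "/./" in s:                 # self-referencing directories
        s = s.replace("/./", "/")
    return s.lower(), rounds          # case-insensitive comparison


SIGNATURE = "/cgi-bin/phf"   # constructed sample signature


def matches(target: str) -> bool:
    """Compare the signature against the canonical form rather than the raw bytes."""
    path, _ = canonicalize(target)
    return SIGNATURE in path
```

Each of `/cgi-bin/%70%68%66`, `%252Fcgi-bin%252Fphf` (double encoded), `/cgi-bin/./phf`, `\cgi-bin\\phf`, `/CGI-BIN/PHF`, `/cgi-bin/%u0070hf` and the overlong `/cgi-bin/%C1%B0hf` canonicalizes to the same path, so one signature covers all of them, while a raw substring search would match only the plain form.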

Table 3-2 Cisco IPS Evasion Tools & Anti-Evasion Features

Evasion Method                      Evasion Tool             Cisco IPS Anti-Evasion Features
Traffic Fragmentation               Fragroute, fragrouter    Full session reassembly in STRING and SERVICE engines
Traffic Substitution and Insertion  Metasploit, Nessus       Data normalization (de-obfuscation) in SERVICE engines
Protocol-level Misinterpretation                             IP TTL validation; TCP checksum validation
Timing Attacks                      Nmap                     Configurable intervals and use of CS MARS and similar tools for correlation
Encryption and Tunneling            Any encrypted protocol   GRE tunnel inspection
Resource Exhaustion                 Stick                    Smart dynamic event summarization

Table 3-2 above summarizes the evasion methods, tools, and the corresponding anti-evasion features available on the Cisco IPS sensors. Though they are covered in the table, the anti-evasion features are also listed below:

  • Smart and dynamic summarization of events to guard against too many alarms for high event rates.
  • IP TTL analysis and TCP checksum validation to guard against end-to-end protocol-level traffic interpretation.
  • Full session reassembly that supports the STRING and SERVICE engines that must examine a reliable byte stream between two network endpoints.
  • Configurable intervals for correlating signatures, or the use of an external correlation that does not require real-time resources, such as Cisco Security MARS.
  • Data normalization (de-obfuscation) inside SERVICE engines, where all signatures convert network traffic data into a normalized, canonical form before comparing it to the signature matching rules.
  • Inspection of traffic inside GRE tunnels to prevent evasion through tunneling.

We'll discuss the configuration of these features in later chapters.

Summary

This section highlights the key topics discussed in this chapter.

  • The various methods used for traffic analysis using a network IPS sensor.
  • The various evasion techniques used by attackers to bypass detection and filtering, together with the benefits and limitations of each analysis method, so that the risk of evasion can be assessed.
  • The various countermeasures and tools, and how to choose the best approach based on the methods used by attackers.

Exam Preparation Tasks

Review all the Key Topics

Review the most important topics from inside the chapter, noted with the Key Topic icon in the outer margin of the page. Table 3-3 lists a reference of these key topics and the page numbers on which each is found.

Table 3-3 Key Topics for Chapter 3

Key Topic Element   Description                                          Page Number
Table 3-1           “Do I Know This Already?” Quiz
                    Common Methods of Traffic Analysis
                    Network IPS Evasion Techniques
                    Common Encryption and Tunneling Evasion Techniques
                    Different variations of Unicode decoding
Table 3-2           Cisco IPS Evasion Tools and Anti-Evasion Features

Complete the Tables and Lists from Memory

Print a copy of Appendix D, “Memory Tables,” (found on the CD), or at least the section for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists to check your work.

Evasion Technique          Example                        Evasion Tool
Traffic Fragmentation      IP Fragmentation               Fragroute, fragrouter
Timing Attack              Slow Reconnaissance scan       Nmap
Encryption and Tunneling   Attacks via GRE or SSL tunnel  Any encrypted protocol
Resource Exhaustion        TCP Flooding                   Stick

Definitions of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary.

  • de-obfuscation: the practice that is used to simplify something such as code that was intentionally made more difficult to understand to evade detection.
  • evasion: the act or instance of avoiding, escaping, or shirking something.
  • encode: the process by which information/code from a source is converted to another code to be communicated to a particular receiver or host.
  • decode: the process by which information/code is converted back into information understandable by the receiver or host.
  • reconnaissance attack: a common method by which a user or users maliciously gather information about a target network or system to be used for subsequent access or denial of service attacks.
  • SSL: Also known as Secure Socket Layer, a commonly used protocol for managing the security of a message transmission on the Internet. SSL has been succeeded by Transport Layer Security, which is based on SSL, so when SSL is used in text it is assumed that TLS/SSL is being used. SSL uses a program layer between the Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers.
  • IPSec: Also known as Internet Protocol Security, provides a method of authentication and encryption for each IP packet of a communications session. IPSec leverages protocols such as AH (Authentication Header) for integrity and authentication; ESP (Encapsulating Security Payload) for confidentiality, authentication, integrity, and anti-replay; and ISAKMP (Internet Security Association and Key Management Protocol) as a framework for authentication and key exchange.
  • VPN: Also known as Virtual Private Network which is a method of communicating securely using IPSec, SSL/TLS, etc. over a public or shared telecommunications infrastructure.
  • GRE: Also known as Generic Routing Encapsulation which is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels.