You want to implement a protocol to provide secure communications between a web browser and a web server.
Which of the following protocols should you use?
Correct Answer: B
Explanation/Reference:
Section: Enterprise Network Design
Explanation:
You should use Transport Layer Security (TLS) to secure communication between a web browser and a web server. TLS is a protocol derived from Secure Sockets Layer version 3 (SSLv3) and is commonly used to protect traffic between a web browser and a web server. Secure Sockets Layer (SSL), which was designed by Netscape in the early 1990s, uses signed digital certificates to provide web traffic authentication, encryption, and nonrepudiation. In 1995, the first public version of SSL version 2 (SSLv2) was released, but shortly thereafter it was found to have cryptographic flaws. The flaws led the Netscape team to completely redesign the protocol and resulted in the release of SSLv3 the following year. Since then, SSL has been used all over the world to secure web traffic. In 1999, the Internet Engineering Task Force (IETF) published Request for Comments (RFC) 2246, which defined a new protocol called TLS, which is based on SSLv3. Although TLS is based on SSLv3, the two protocols are not directly compatible.
In fact, the latest version of TLS, TLS version 1.2 (TLSv1.2), explicitly prevents TLS from actively negotiating SSLv2 sessions because of the known weaknesses with the older ciphers. The IETF recommends running SSLv3 or TLSv1 (or higher) and disabling all previous versions to mitigate the risk of compromised sessions.
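The explanation above says the fix for the known SSLv2/SSLv3 weaknesses is to refuse old versions and only negotiate TLS. As an added example (not part of the original answer or the cited Cisco article), the Python snippet below shows what that looks like in practice: a client context whose floor is TLS 1.2, a check that a context really has that floor, and a small audit that flags handshakes below the floor in constructed handshake-log lines. The TLS 1.2 floor is this example's own choice (stricter than the SSLv3/TLSv1 floor the explanation quotes); the log format and the client addresses are constructed for the demonstration.

```python
import ssl

# Protocol names as reported by ssl.SSLSocket.version(), ordered oldest to newest.
# SSLv2/SSLv3 appear only so they can be rejected; modern OpenSSL cannot speak them.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Assumption for this example: nothing below TLS 1.2 is acceptable.
MINIMUM_ACCEPTED = "TLSv1.2"

# Constructed sample handshake log (key=value fields), not real traffic.
SAMPLE_HANDSHAKE_LOG = [
    "client=10.0.0.5 version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256",
    "client=10.0.0.9 version=TLSv1 cipher=AES128-SHA",
    "client=10.0.0.12 version=SSLv3 cipher=RC4-SHA",
    "client=10.0.0.20 version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384",
]


def version_is_acceptable(negotiated, floor=MINIMUM_ACCEPTED):
    """True if the negotiated protocol name is at or above the floor.

    Unknown names fail closed: a version we cannot classify is not trusted.
    """
    if negotiated not in VERSION_ORDER or floor not in VERSION_ORDER:
        return False
    return VERSION_ORDER.index(negotiated) >= VERSION_ORDER.index(floor)


def hardened_client_context():
    """Browser-style client context: verify the server certificate and
    hostname (create_default_context does this) and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context(certfile, keyfile):
    """Server-side counterpart with the same floor; certfile/keyfile are the
    server's PEM certificate chain and private key (paths supplied by the caller)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def client_context_is_hardened(ctx):
    """Configuration check: floor at TLS 1.2 or higher and peer certs required.
    TLSVersion is an IntEnum, so the comparison is by protocol order."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def flag_legacy_handshakes(lines, floor=MINIMUM_ACCEPTED):
    """Return (client, version) for every logged handshake below the floor.

    Lines are 'key=value' fields separated by spaces; a missing version is
    treated as unknown and therefore flagged.
    """
    flagged = []
    for line in lines:
        fields = dict(field.split("=", 1) for field in line.split() if "=" in field)
        version = fields.get("version", "")
        if not version_is_acceptable(version, floor):
            flagged.append((fields.get("client", "?"), version))
    return flagged


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("client context hardened:", client_context_is_hardened(ctx))
    for client, version in flag_legacy_handshakes(SAMPLE_HANDSHAKE_LOG):
        print(f"legacy handshake from {client}: {version}")
```

Run stand-alone, the script reports the client context as hardened and flags the TLSv1 and SSLv3 sessions from the sample log; the `TLSv1.2` and `TLSv1.3` entries pass. Lowering `minimum_version` to re-enable old versions is deliberately not shown: the point of the check is that a context's floor is a property you can assert on in a test or a configuration audit rather than something left to library defaults.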
You should not use Generic Routing Encapsulation (GRE). In addition, you should not use IP Security (IPSec). GRE over IPSec provides support for IP multicast and dynamic routing protocol traffic. In addition, it provides support for non-IP protocols. Because the focus of GRE is to transport many different protocols, it has very limited security features. Therefore, GRE relies on IPSec to provide data confidentiality and data integrity. Although GRE was developed by Cisco, GRE works on Cisco and non-Cisco routers.
You should not use Hypertext Transfer Protocol (HTTP). HTTP is typically used to request a resource from another computer, such as a web server, on the Internet. For example, when a web browser is used to visit a website, the Uniform Resource Locator (URL) typically begins with http:// because the browser is using HTTP to request a resource. HTTP is not used to secure the communication between a web browser and a web server.
You should not use Extensible Authentication Protocol (EAP). EAP is an authentication technology that is typically used on wireless networks. There are many different types of EAP that are supported by a wide array of products. For example, Lightweight EAP (LEAP) is a type of EAP developed by Cisco that uses dynamic Wired Equivalent Privacy (WEP) keys for mutual authentication between wireless devices and a Remote Authentication Dial-In User Service (RADIUS) device. However, other types of EAP can be used by authentication, authorization, and accounting (AAA) protocols, such as RADIUS and DIAMETER.
DIAMETER was originally designed to be a more secure replacement for RADIUS.
Reference:
Cisco: "SSL: Foundation for Web Security", The Internet Protocol Journal, Volume 1, No. 1