Scribd Logo
Upload

Welcome to Scribd!

  • IPSec

    Uploaded by

    Ganesh Murthy
    19 views25 pages
    nmghjk

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    nmghjk

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    19 views25 pages

    IPSec

    Uploaded by

    Ganesh Murthy
    nmghjk

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 25

    Information System Security

    AABFS-Jordan
    Summer 2006


    IP Security
    Supervisor :Dr. Lo'ai Ali Tawalbeh
    Done by: Wael Musa Hadi

    What is IP Security

    Framework of open standards to ensure
    secure communications over the Internet

    In short: It is the network layer Internet
    Security Protocol


    IPSEC Service
    Internet/
    Intranet
    IPSec disabled host
    Case 1 : Insecure IP Packet
    IPSec enabled host
    Case 2 : Secure IP Packet
    IP
    Header
    Upper
    layer
    data
    IP
    Header
    IPSec
    Header
    Upper
    layer
    data
    IPSec
    general IP Security mechanisms
    provides
    authentication
    confidentiality
    key management
    applicable to use over LANs, across public
    & private WANs, & for the Internet
    IP sec Application
    IPSec provides the capability to secure
    communications across a LAN, across private
    and public WANs, and across the Internet.
    Secure branch office connectivity over the Internet
    Secure remote access over the Internet
    Establishing extranet and intranet connectivity with partners
    Enhancing electronic commerce security
    Security Associations
    One of the most important concepts in IPSec is called a
    Security Association (SA). Defined in RFC 1825.
    SAs are the combination of a given Security Parameter
    Index (SPI) and Destination Address.
    SAs are one way. A minimum of two SAs are required
    for a single IPSec connection.
    SAs contain parameters including:
    Authentication algorithm and algorithm mode
    Encryption algorithm and algorithm mode
    Key(s) used with the authentication/encryption algorithm(s)
    Lifetime of the key
    Lifetime of the SA
    Source Address(es) of the SA
    Sensitivity level (ie Secret or Unclassified)
    IP security scenario
    scenario of IPSec usage
    An organization maintains LANs at dispersed
    locations
    Non secure IP traffic is conducted on each LAN.
    IPSec protocols are used
    These protocols operate in networking devices
    that connect each LAN to the outside world.
    (router, firewall )
    The IPSec networking device will typically
    encrypt and compress all traffic going into the
    WAN, and decrypt and decompress traffic
    coming from the WAN

    Why not use IPSec?
    Processor overhead to encrypt & verify
    each packet can be great.
    Added complexity in network design.
    Benefits of IPSec
    in a firewall/router provides strong security
    to all traffic crossing the perimeter
    in a firewall/router is resistant to bypass
    is below transport layer, hence transparent
    to applications
    can be transparent to end users
    can provide security for individual users
    secures routing architecture
    IPsec
    Network Layer Security
    IP security (IPsec)
    Two protocols
    Authentication protocol, using an Authentication Header (AH)
    Encryption/authentication protocol, called the Encapsulating
    Security Payload (ESP)
    Two modes of operation
    Transport mode: provides protection for upper-layer
    protocols
    Tunnel mode: protects the entire IP datagram

    IPSec protocols AH protocol
    AH - Authentication Header
    Defined in RFC 1826
    Integrity: Yes, including IP header
    Authentication: Yes
    Non-repudiation: Depends on cryptography algorithm.
    Encryption: No
    Replay Protection: Yes
    IP Header AH Header Payload (TCP, UDP, etc)
    IP Header AH Header Payload (TCP. UDP,etc) IP Header
    Transport Packet layout
    Tunnel Packet layout
    IPSec protocols ESP protocol
    ESP Encapsulating Security Payload
    Defined in RFC 1827
    Integrity: Yes
    Authentication: Depends on cryptography algorithm.
    Non-repudiation: No
    Encryption: Yes
    Replay Protection: Yes
    IP Header ESP Header Payload (TCP, UDP, etc)
    IP Header ESP Header Payload (TCP. UDP,etc) IP Header
    Transport Packet layout
    Tunnel Packet layout
    Unencrypted Encrypted
    What protocol to use?
    Differences between AH and ESP:
    ESP provides encryption, AH does not.
    AH provides integrity of the IP header, ESP does not.
    AH can provide non-repudiation. ESP does not.
    However, we dont have to choose since both
    protocols can be used in together.
    Why have two protocols?
    Some countries have strict laws on encryption. If you
    cant use encryption in those countries, AH still
    provides good security mechanisms. Two protocols
    ensures wide acceptance of IPSec on the Internet.
    Data Integrity and Confidentiality
    Basic difference between AH and ESP
    IPSec Protocols (cont)
    Algorithms Used:
    Encryption:
    Symmetric As IP packets may arrive out of order and
    Asymmetric algorithms are incredible slow.
    E.g. DES (Data Encryption Standard)

    Authentication:
    MAC (Message Authentication Codes) based on symmetric
    encryption algorithms.
    One way hash functions. (MD5 or SHA-1)

    Transport Versus Tunnel Mode
    Transport Mode:
    Used for Peer to Peer communication security
    Data is encrypted

    Tunnel Mode:
    Used for site-to-site communication security
    Entire packet is encrypted.
    Transport versus Tunnel mode
    (cont)
    Transport mode is used when the cryptographic endpoints are also the
    communication endpoints of the secured IP packets.


    Cryptographic endpoints: The entities that generate / process an IPSec header
    (AH or ESP)
    Communication endpoints: Source and Destination of an IP packet
    Transport versus Tunnel mode
    (cont)
    Tunnel mode is used when at least one cryptographic endpoint is not a
    communication endpoint of the secured IP packets.
    Outer IP Header Destination for the router.
    Inner IP Header Ultimate Destination
    Transport Mode
    Tunneling Mode
    How IPSec works: Phase 1
    Internet Key Exchange (IKE) is used to setup
    IPSec.
    IKE Phase 1:
    Establishes a secure, authenticated channel between the two
    computers
    Authenticates and protects the identities of the peers
    Negotiates what SA policy to use
    Performs an authenticated shared secret keys exchange
    Sets up a secure tunnel for phase 2
    Two modes: Main mode or Aggressive mode
    Main Mode IKE
    1. Negotiate algorithms & hashes.
    2. Generate shared secret keys using a Diffie-Hillman exchange.
    3. Verification of Identities.
    Aggressive Mode IKE
    Squeezes all negotiation, key exchange, etc. into less packets.
    Advantage: Less network traffic & faster than main mode.
    Disadvantage: Information exchanged before a secure channel is
    created. Vulnerable to sniffing.
    How IPSec works: Phase 2
    An AH or ESP packet is then sent using the agreed
    upon main SA during the IKE phase 1.
    IKE Phase 2
    Negotiates IPSec SA parameters
    Establishes IPSec security associations for specific
    connections (like FTP, telnet, etc)
    Renegotiates IPSec SAs periodically
    Optionally performs an additional Diffie-Hellman exchange
    How IPSec works: Communication
    Once Phase 2 has established an SA for a
    particular connection, all traffic on that
    connection is communicated using the SA.
    IKE Phase 1 exchange uses UDP Port 500.
    AH uses IP protocol 51.
    ESP uses IP protocol 50.
    Key Management

    You might also like