Professional Documents
Culture Documents
What is IPSec?
IPSec is a set of extensions to the IP protocol family. It provides cryptographic security services. These services allow for Authentication, Integrity, Access Control, and Confidentiality. IPSec provides similar services as SSL, but at the network layer, in a way that is completely transparent to your applications, and much more powerful. We say this because your applications do not have to have any knowledge of IPSec to be able to use it. You can use any IP protocol over IPSec. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is rather complex (much more so then SSL!) In a logical sense, IPSec works in any of these three ways:
In every scenario that involves a network, meaning to imply router. As in, Host-toRouter (and this router controls and encrypts traffic for a particular Network.) As you can see, IPSec can be used to tunnel traffic for VPN connections. However, its utility reaches beyond VPNs. With a central Internet Key Exchange registry, every machine on the internet could talk to another one and employ powerful encryption and authentication!
IPSec Architecture
IPSec Documents: The IPSec specification consists of numerous documents. The most important of these, issued in November of 1998, are RFCs 2401, 2402, 2406, and 2408:
RFC 2401: An overview of a security architecture RFC 2402: Description of a packet authentication extension to IPv4 and IPv6 RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
Confidentiality
Ensure it is hard for anyone but the receiver to understand what data has been communicated. For example: ensuring the secrecy of passwords when logging into a remote machine over the Internet.
Integrity
Guarantee that the data does not get changed on the way. If you are on a line carrying invoicing data you probably want to know that the amounts and account numbers are correct and not altered while in-transit.
Authenticity
Sign your data so that others can see that it is really you that sent it. It is clearly nice to know that documents are not forged.
Replay protection
We need ways to ensure a datagram is processed only once, regardless of how many times it is received. I.e. it should not be possible for an attacker to record a transaction (such as a bank account withdrawal), and then by replaying it verbatim cause the peer to think a new message (withdrawal request) had been received. WARNING: as per the standards specification, replay protection is not performed when using manual-keyed IPsec (e.g., when using ipsecadm(8)).
Authentication Header (AH): provides authenticity guarantee for packets by ensuring the packet was not generated by an impersonator and was not modified in transit; Encapsulating Security Payload (ESP): provides a confidential guarantee for data by encrypting packets with algorithms IP Payload Compression (IPComp): provides a way to compress packets before encryption. Internet Key Exchange (IKE): provides a way to negotiate private keys in secrecy
Security of IPSec depends on secret keys, generated by IKE. If the secret keys are compromised, IPSec is no longer secure. Data encryption is a function of IPSec, made possible by ESP. An encryption algorithm, generated by ESP, is a way of changing data so that only the desired recipient knows how to reconstruct it. Triple DES (Data Encryption Standard) is an encryption algorithm that is unbreakable and is the most popular algorithm because of its strong encryption and number of keys. Encryption allows only the receiver to read what has been sent over the network. IPSEC provides the capability to secure tunnels between two network devices such as two routers.
Step 4: Router A encapsulates the packet into a new one, and sends it to Router B:
The TCP/IP packet lookslikethis:[IPHDR][IPoptions]AH][ESP][IPHDR2][IPoptions][TCP][data]
http://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.html
Eavesdropping Data Modification Password Based Attacks Man-in-the-Middle Attacks Compromised-Key Attacks Application-Layer Attacks
Packet Sniffing
A Packet Sniffer is a program running in a network attached device that passively receives all data-link layer frames passing by the devices network interface. Packet Sniffers are commonly used to acquire account names and passwords. Packet Sniffing Software is freely available at various WWW sites and as commercial products.
IP Spoofing
The intruder creates and transmits packets from the outside with a source IP address field containing an address of an internal host. Used to exploit applications that use simple source address security, in which packets from specific trusted internal hosts are accepted.
Denial-Of-Service
A Denial-Of-Service attack renders a network, host, or other piece of network infrastructure unusable by legitimate users. DoS attacks work by creating so much work for the infrastructure under attack that legitimate work cannot be performed. (Resource Exhaustion for ex. Disk Space, CPU Cycles, Memory, Network Bandwidth, and Application Resources)
TCP Three-Way Handshake
What is a VPN?
VPNs (Virtual Private Networks) are private, secure connections across a public network (usually the internet) that extend corporate networks to remote offices, mobile users, telecommuters, and extranet partners. VPNs maintain privacy through the use of tunneling protocols and security procedures. VPN tunnels are secured through encryption technology that uses advanced mathematical algorithms to scramble the data flowing through the VPN.
Transport Mode provides protection primarily for upper-layer protocols. That is transport mode protection extends to the payload of an IP packet (everything in the packet behind and not including the IP header is protected). Typically, transport mode is used for end-to-end communication between two hosts. Tunnel Mode provides protection to the entire IP packet (everything behind and including the header is protected, requiring a new pseudo IP header). To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields, is treated as the payload of a new outer IP packet with a new outer IP header. The entire original or inner packet travels through a tunnel from one point of an IP network to another. No routers along the way are able to examine the inner IP header.
678255
Using the Cisco website calculator a comparison of three scenarios was made to show the cost saving benefits of implementing a VPN solution.
6000
Number of users
www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/site2site.html
When encrypting small pieces of information, the overhead caused by the encryption process becomes larger than the actual payload, causing performance degradation. IPSec is not immune to this problem.
Complexity Issues
IPSec was developed in a committee and has many features and options, therefore it is very complicated. The downside is, more features means a greater possibility a weakness or hole can be found to compromise security. For example, IPSec is weak against certain attacks, such as replay attacks. Also, in certain cases, IPSec allows encryption without authentication, which could allow an unauthorized person to use IPSec for malicious purposes.
IP Security, a set of standards for the internet security; also implementations of VPN using the set of standards for internet security.
The End!!!