
IPSec and VPN

Ali Bodden Joseph Gonya Miguel Mendez

IPSec / VPN Outline


What is IPSec?
IPSec Architecture
What are the Security Properties/Services of IPSec?
What are the IPSec Protocol types?
An example of IPSec in use.
What are the security issues concerning IP?
What is IPSec's application to VPN?
What is VPN?
Transport and Tunnel Modes
What are the two types of VPN?
Current status of VPN solution technology versus first generation
What is the cost effectiveness of implementing a VPN?
What are the advantages of an IPSec VPN?
What are the disadvantages of an IPSec VPN?
Review and Questions

What is IPSec?
IPSec is a set of extensions to the IP protocol family. It provides cryptographic security services. These services allow for Authentication, Integrity, Access Control, and Confidentiality. IPSec provides similar services as SSL, but at the network layer, in a way that is completely transparent to your applications, and much more powerful. We say this because your applications do not have to have any knowledge of IPSec to be able to use it. You can use any IP protocol over IPSec. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is rather complex (much more so than SSL!). In a logical sense, IPSec works in any of these three ways:

Host-to-Host
Host-to-Network
Network-to-Network

In every scenario that involves a network, "network" implies a router, as in Host-to-Router (where this router controls and encrypts traffic for a particular network). As you can see, IPSec can be used to tunnel traffic for VPN connections. However, its utility reaches beyond VPNs. With a central Internet Key Exchange registry, every machine on the internet could talk to another one and employ powerful encryption and authentication!

IPSec Architecture

IPSec Documents: The IPSec specification consists of numerous documents. The most important of these, issued in November of 1998, are RFCs 2401, 2402, 2406, and 2408:

RFC 2401: An overview of a security architecture
RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
RFC 2408: Specification of key management capabilities

What are the Security Properties/Services of IPSec?


The Internet Protocol, IP, AKA IPv4, does not inherently provide any protection to your transferred data. It does not even guarantee that the sender is who he says he is. IPsec tries to remedy this. These services are considered distinct, but IPsec supports them in a uniform manner.

Confidentiality
Ensure it is hard for anyone but the receiver to understand what data has been communicated. For example: ensuring the secrecy of passwords when logging into a remote machine over the Internet.

Integrity
Guarantee that the data does not get changed on the way. If you are on a line carrying invoicing data you probably want to know that the amounts and account numbers are correct and not altered while in-transit.

Authenticity
Sign your data so that others can see that it is really you that sent it. It is clearly nice to know that documents are not forged.

Replay protection
We need ways to ensure a datagram is processed only once, regardless of how many times it is received. I.e. it should not be possible for an attacker to record a transaction (such as a bank account withdrawal), and then by replaying it verbatim cause the peer to think a new message (withdrawal request) had been received. WARNING: as per the standards specification, replay protection is not performed when using manual-keyed IPsec (e.g., when using ipsecadm(8)).
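The replay check described above can be sketched as a sliding window over sequence numbers. This is an added example, not code from the original slides: the key, the 64-packet window and the HMAC-SHA256 integrity tag are assumptions chosen for the sketch, and the messages are constructed samples.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; stands in for a key negotiated by IKE
WINDOW = 64                    # window size in packets (assumed for this sketch)
ICV_LEN = 32                   # HMAC-SHA256 tag length

def seal(seq, data, key=KEY):
    """Sender side: 32-bit sequence number + data + ICV over both."""
    msg = struct.pack("!I", seq) + data
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.top = 0      # highest authenticated sequence number seen
        self.bitmap = 0   # bit i set => sequence number (top - i) was accepted

    def accept(self, packet):
        """Return 'ok', 'replay' or 'bad-icv' for one received packet."""
        if len(packet) < 4 + ICV_LEN:
            return "bad-icv"
        msg, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        seq = struct.unpack("!I", msg[:4])[0]
        offset = self.top - seq
        # 1. Cheap check first: zero, too old, or already seen => drop.
        if seq == 0 or offset >= WINDOW or (offset >= 0 and self.bitmap >> offset & 1):
            return "replay"
        # 2. Verify integrity before touching the window state.
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            return "bad-icv"
        # 3. Only an authenticated packet may mark or advance the window.
        if offset < 0:
            self.bitmap = ((self.bitmap << -offset) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << offset
        return "ok"

def demo():
    rx = Receiver()
    withdrawal = seal(1, b"withdraw 100")        # constructed sample message
    forged = seal(900, b"x", key=b"wrong-key")   # sender without the shared key
    late = seal(2, b"b")                         # arrives after packet 3
    return [rx.accept(withdrawal), rx.accept(withdrawal), rx.accept(forged),
            rx.accept(seal(3, b"c")), rx.accept(late), rx.accept(late)]
```

The second copy of the withdrawal is dropped as a replay, while packet 2 arriving after packet 3 is still accepted once. The packet that fails the integrity check does not move the window, so it cannot be used to push valid traffic out of range.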

What are the IPSec Protocol types?


First, the IP protocol is the description of how devices on the Internet can address each other. Internet Protocol Security (IPSec) adds security functionality to the IP protocol. There are four (4) key protocols that collectively form the basis for IPSec:

IPSec = AH + ESP + IPComp + IKE

Authentication Header (AH): provides authenticity guarantee for packets by ensuring the packet was not generated by an impersonator and was not modified in transit
Encapsulating Security Payload (ESP): provides a confidentiality guarantee for data by encrypting packets with algorithms
IP Payload Compression (IPComp): provides a way to compress packets before encryption
Internet Key Exchange (IKE): provides a way to negotiate private keys in secrecy

Security of IPSec depends on secret keys, generated by IKE. If the secret keys are compromised, IPSec is no longer secure. Data encryption is a function of IPSec, made possible by ESP. An encryption algorithm, generated by ESP, is a way of changing data so that only the desired recipient knows how to reconstruct it. Triple DES (Data Encryption Standard) is an encryption algorithm that is unbreakable and is the most popular algorithm because of its strong encryption and number of keys. Encryption allows only the receiver to read what has been sent over the network. IPSEC provides the capability to secure tunnels between two network devices such as two routers.

Step 1: Host A sends a TCP/IP packet to Host B.


The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]

Step 2: Router A receives the packet and adds the ESP:


The TCP/IP packet looks like this: [ESP][IPHDR][IPoptions][TCP][data]

Step 3: Router A adds the AH:


The TCP/IP packet looks like this: [AH][ESP][IPHDR][IPoptions][TCP][data]

Step 4: Router A encapsulates the packet into a new one, and sends it to Router B:
The TCP/IP packet looks like this: [IPHDR][IPoptions][AH][ESP][IPHDR2][IPoptions][TCP][data]

Step 5: Router B receives the packet and removes the AH:


The TCP/IP packet looks like this: [ESP][IPHDR2][IPoptions][TCP][data]

Step 6: Router B removes the ESP:


The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]

Step 7: Host B receives the original packet sent by Host A:


The TCP/IP packet looks like this: [IPHDR][IPoptions][TCP][data]

http://www.iamexwi.unibe.ch/studenten/stadelma/cn/applet/IPSec4.html

What are the most common Security Issues concerning IP?


The three most serious types of attacks are:

Packet Sniffing
IP Spoofing
Denial-Of-Service

Other attacks include:


Eavesdropping
Data Modification
Password Based Attacks
Man-in-the-Middle Attacks
Compromised-Key Attacks
Application-Layer Attacks

Packet Sniffing

A Packet Sniffer is a program running in a network-attached device that passively receives all data-link layer frames passing by the device's network interface. Packet Sniffers are commonly used to acquire account names and passwords. Packet Sniffing Software is freely available at various WWW sites and as commercial products.

IP Spoofing

The intruder creates and transmits packets from the outside with a source IP address field containing an address of an internal host. Used to exploit applications that use simple source address security, in which packets from specific trusted internal hosts are accepted.

Denial-Of-Service
A Denial-Of-Service attack renders a network, host, or other piece of network infrastructure unusable by legitimate users. DoS attacks work by creating so much work for the infrastructure under attack that legitimate work cannot be performed (resource exhaustion, for example of Disk Space, CPU Cycles, Memory, Network Bandwidth, and Application Resources).
TCP Three-Way Handshake

Simple Example: SYN Flood

What is a VPN?
VPNs (Virtual Private Networks) are private, secure connections across a public network (usually the internet) that extend corporate networks to remote offices, mobile users, telecommuters, and extranet partners. VPNs maintain privacy through the use of tunneling protocols and security procedures. VPN tunnels are secured through encryption technology that uses advanced mathematical algorithms to scramble the data flowing through the VPN.

POP = Points of Presence

Primary functions of a VPN


Encryption: keep data confidential
Authentication: ensure the identities of the two parties communicating
Tunneling: safeguard the identities of communicating parties
Non-Repudiation: ensure data is accurate and in its original form
Replay Prevention: guard against packets being sent over and over again

Note: All of the above features are components of the IP Security Protocol (IPSec) Standard!!!

What is IPSec's application to VPN?


VPNs provide the highest level of security using advanced, standards-based security protocols such as IPSec. Use of IPSec with VPNs delivers enhanced network security in an insecure, networked world. IPSec (Internet Protocol Security) is the security protocol most commonly associated with VPN. IPSec is used to transmit high value data securely in a VPN by utilizing Data privacy, Data authenticity and integrity, and Non-repudiation. In IPSec, all protocols which sit upon the network layer are encrypted (once an IPSec tunnel is created) between the two communicating parties. TCP, UDP, SNMP, HTTP, POP, AIM, KaZaa, etc. are all encrypted regardless of their built-in (or lack of built-in) security and encryption. The deployment of IPSec VPNs provides a solution that is more secure, flexible, easy to manage and cost-saving.

Transport and Tunnel Modes


Both AH and ESP support two modes of use:

Transport Mode
Tunnel Mode

Transport Mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet (everything in the packet behind and not including the IP header is protected). Typically, transport mode is used for end-to-end communication between two hosts.

Tunnel Mode provides protection to the entire IP packet (everything behind and including the header is protected, requiring a new pseudo IP header). To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet, plus security fields, is treated as the payload of a new outer IP packet with a new outer IP header. The entire original or inner packet travels through a tunnel from one point of an IP network to another. No routers along the way are able to examine the inner IP header.
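The two modes can be compared byte for byte by building both encapsulations of the same packet. This is an added example, not code from the original slides: the addresses, SPI and key are constructed, the payload is left unencrypted (ESP with NULL encryption) so the layout stays inspectable, and the 16-byte ICV is a truncated HMAC-SHA256.

```python
import hashlib
import hmac
import socket
import struct

ESP, IPIP, TCP = 50, 4, 6        # IP protocol numbers
KEY = b"constructed-demo-key"    # constructed; a real SA gets its keys from IKE

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = ~((csum & 0xFFFF) + (csum >> 16)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def esp_body(spi, seq, payload, next_header):
    """SPI | sequence | payload | padding | pad length | next header | ICV."""
    pad = bytes(range(1, (-(len(payload) + 2)) % 4 + 1))  # align trailer to 4 bytes
    msg = struct.pack("!II", spi, seq) + payload + pad + bytes([len(pad), next_header])
    # No cipher applied here; a real ESP SA encrypts payload through next header.
    return msg + hmac.new(KEY, msg, hashlib.sha256).digest()[:16]

def transport_mode(packet, spi, seq):
    """Keep the original IP header; protect only what follows it."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    body = esp_body(spi, seq, packet[20:], packet[9])
    return ipv4_header(src, dst, ESP, len(body)) + body

def tunnel_mode(packet, spi, seq, gw_src, gw_dst):
    """Wrap the whole original packet behind a new outer IP header."""
    body = esp_body(spi, seq, packet, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

def wire_view(packet):
    """What a router on the path reads from the (outer) IP header."""
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], len(packet))

# Constructed sample: Host A -> Host B, 4 bytes of data behind a 20-byte TCP header.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", TCP, 24) + bytes(20) + b"data"
```

For this 44-byte packet, `wire_view(transport_mode(INNER, 0x1000, 1))` still shows the host addresses and a 72-byte packet, while `wire_view(tunnel_mode(INNER, 0x1000, 1, "192.0.2.1", "198.51.100.1"))` shows only the gateway addresses and 92 bytes on the wire.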

How Does a VPN work?


VPN uses IPSec for transferring secure packets across the network
IPSec identifies an authorized client/network
Negotiates an encrypted channel
Tunnels all network traffic through the encrypted channel (authenticating keys)
The client/network appears to be locally connected

How does an IPSec VPN work?


Two Way authentication using tokens
Digital Certificates
Heavily Encrypted
Access limited to well defined and controlled user base
All IP related services supported
More suited for internal company use

Current status of VPN solution technology versus first generation

Cost savings of a VPN implementation


[Figure: "Monthly Cost Savings for Site-to-Site VPN". Y-axis: Cost Savings $$; X-axis: Number of users; data labels shown: 134055 and 678255.]

Using the Cisco website calculator a comparison of three scenarios was made to show the cost saving benefits of implementing a VPN solution.

www.cisco.com/warp/public/779/largeent/learn/technologies/vpn/site2site.html

Advantages of an IPSec VPN Solution


Separate private networking solutions are expensive and cannot be updated quickly to adapt to changes in business requirements
The Internet is inexpensive but does not by itself ensure privacy
Flexibility in Network Design
New Application Enablement
Any-to-Any Connectivity

Disadvantages of an IPSec VPN Solution


Small Packet Issue

When encrypting small pieces of information, the overhead caused by the encryption process becomes larger than the actual payload, causing performance degradation. IPSec is not immune to this problem.

Complexity Issues

IPSec was developed in a committee and has many features and options, therefore it is very complicated. The downside is, more features means a greater possibility a weakness or hole can be found to compromise security. For example, IPSec is weak against certain attacks, such as replay attacks. Also, in certain cases, IPSec allows encryption without authentication, which could allow an unauthorized person to use IPSec for malicious purposes.

Question & Answers?


What is IPSec?

IP Security, a set of standards for internet security; also implementations of VPN using that set of standards.

What are two properties/services of IPSec?

Confidentiality, Integrity, Authentication, Replay Protection

What are two security issues concerning IP?

Packet sniffing, IP spoofing, Denial of Service

What are the two types of VPNs?

Transport and Tunnel

What are two advantages of an IPSec VPN?

Cost savings, Bandwidth savings

What are two disadvantages of an IPSec VPN?

Small packet issue, Complexity issues

The End!!!
