
Internet Protocol Security


Presentation Transcript


  1. Internet Protocol Security

  2. Introduction • Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. • IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. • IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. • It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

  3. Cont.., • Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model. • TLS/SSL has to be designed into an application to protect that application's protocol. • In contrast, applications do not need to be designed or modified to use IPsec, so IPsec can protect any application traffic across an IP network. The flip side is that an application cannot itself tell whether its traffic was protected; that is decided by the IPsec policy on the host or gateway.

  4. History • In December 1993, the experimental swIPe IP security protocol was developed at Columbia University and AT&T Bell Labs. In July 1994, Wei Xu at Trusted Information Systems continued this research, and after several months it was completed successfully on the BSDI system. • By patching the binary kernels, Wei quickly extended the work to SunOS, HP-UX and other UNIX systems. One of the challenges was the slow performance of DES and 3DES: software encryption could not even sustain T1 speed on the Intel 80386 architecture. Using crypto cards from Germany, Wei Xu went on to develop an automated device driver, of the kind known today as plug-and-play. • By achieving throughput above T1 speed, this work made a commercial product feasible; it was released as part of the well-known Gauntlet firewall. In December 1994 it went into production for the first time, securing remote sites between the east- and west-coast states of the United States.

  5. Cont.., • Another IP Security Protocol was developed in 1995 at the Naval Research Laboratory as part of a DARPA-sponsored research project. • ESP was originally derived from the SP3D protocol, rather than from the ISO Network-Layer Security Protocol (NLSP). The SP3D protocol specification was published by NIST but designed by the Secure Data Network System project of the National Security Agency (NSA). • AH is derived in part from previous IETF standards work on authentication for the Simple Network Management Protocol (SNMP). • Since 1996, IP Security workshops have been organized to standardize the protocols. IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for Comments documents addressing its various components and extensions; the IETF specifies the spelling of the protocol name as IPsec.

  6. Authentication Header • The Authentication Header (AH) provides data integrity and data-origin authentication for IP packets. The integrity feature ensures that modification of a packet's contents in transit cannot go undetected: the sender computes an integrity check value (ICV) over the payload, the AH header and the immutable fields of the IP header, and the receiver recomputes it. • The authentication feature enables an end system or network device to authenticate the sending system (or, with per-user security associations, the user or application) and filter traffic accordingly; because the source address is covered by the ICV, it also defeats the address-spoofing attacks observed on today's Internet. • AH provides no confidentiality: the packet contents remain in the clear.

  7. IPsec Authentication Header (figure)

  8. Modes of Operation • IPsec can be used in a host-to-host transport mode, as well as in a network tunnel mode. • Transport mode • In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated. Routing is unaffected, since the IP header is neither modified nor encrypted; however, when the Authentication Header is used, the IP addresses cannot be translated, because the source and destination addresses are covered by the integrity check value (ICV) and rewriting them invalidates it. The transport and application layers are always covered by the ICV, so they cannot be modified in any way (for example by translating the port numbers). • A means of encapsulating IPsec messages in UDP for NAT traversal has been defined in the RFC documents describing the NAT-T mechanism; it applies to ESP, not to AH. • Tunnel mode • In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated in a new IP packet with a new IP header, so only the tunnel endpoints' addresses are visible on the path. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat). • Tunnel mode supports NAT traversal.
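  The following is an added worked example, not part of the presentation, illustrating slides 6 and 8 together: it builds a transport-mode AH packet, computes the ICV over the IP header with the mutable fields zeroed, and then shows that a router decrementing the TTL leaves the packet valid while a NAT rewriting the source address does not. It assumes a constructed key, HMAC-SHA-256-128 as the integrity algorithm (RFC 4868), an IPv4 header without options, and a header checksum left at zero (it is zeroed before the ICV is computed anyway).

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed demo key; a real AH SA would get it from IKE. The integrity
# algorithm is HMAC-SHA-256-128 (RFC 4868): SHA-256 HMAC truncated to 16 bytes.
KEY = b"constructed-demo-ah-key"
AH_PROTO = 51
ICV_LEN = 16
AH_LEN = 12 + ICV_LEN          # fixed AH header fields + ICV


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """Minimal IPv4 header without options. The checksum is left at 0: it is a
    mutable field and is zeroed before the ICV is computed anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    """RFC 4302 s.3.3.3.1: DSCP/ECN, flags, fragment offset, TTL and header
    checksum change legitimately in transit, so AH zeroes them before hashing.
    Source and destination addresses are immutable and stay covered."""
    b = bytearray(ip_hdr)
    b[1] = 0                  # TOS (DSCP + ECN)
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_icv(ip_hdr, ah_no_icv, payload, icv_len):
    """ICV over zeroed IP header, AH header (ICV field treated as zero) and payload."""
    data = zero_mutable(ip_hdr) + ah_no_icv + b"\x00" * icv_len + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:icv_len]


def build_ah_packet(src, dst, next_header, payload, spi, seq):
    """Transport-mode AH: IP header, AH header, then the original upper-layer payload."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, AH_LEN + len(payload))
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 s.2.2).
    ah_no_icv = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, payload, ICV_LEN) + payload


def verify_ah_packet(pkt):
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    _next, payload_words, _res, _spi, _seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_words + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    if len(icv) != ICV_LEN:   # reject a malformed header claiming a short/empty ICV
        return False
    return hmac.compare_digest(icv, ah_icv(ip_hdr, rest[:12], payload, ICV_LEN))


def decrement_ttl(pkt):
    """What every router on the path does: a mutable field, ICV still verifies."""
    b = bytearray(pkt)
    b[8] -= 1
    return bytes(b)


def rewrite_source(pkt, new_src):
    """What a NAT does: rewrites an immutable field, so the ICV no longer verifies."""
    b = bytearray(pkt)
    b[12:16] = IPv4Address(new_src).packed
    return bytes(b)
```

The same check is what makes AH transport mode unusable behind a NAT, and why a per-packet sequence number (here `seq`) is carried under the ICV: the receiver can reject replays without the attacker being able to forge a fresh number.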

  9. IPsec ESP Format (figure)

  10. An IP Security Scenario (figure)

  11. The Scope of IPsec • IPsec provides three main facilities: an authentication-only function, referred to as Authentication Header (AH); a combined authentication/encryption function called Encapsulating Security Payload (ESP); and a key exchange function. For virtual private networks, both authentication and encryption are generally desired, because it is important both to (1) ensure that unauthorized users do not penetrate the virtual private network and (2) ensure that eavesdroppers on the Internet cannot read messages sent over it. Because both features are generally desirable, and because AH cannot pass through NAT, most implementations use ESP rather than AH. The key exchange function allows for manual key configuration as well as an automated scheme (ISAKMP/IKE). • The IPsec specification is quite complex and spans numerous documents. The most important of the original set, issued in November 1998, are RFCs 2401 (architecture), 2402 (AH), 2406 (ESP) and 2408 (ISAKMP). These have since been obsoleted by RFCs 4301, 4302 and 4303 (December 2005), and ISAKMP/IKEv1 by IKEv2 (now RFC 7296); new deployments and audits should be checked against the current documents.
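  An added worked example (not from the presentation) of the ESP framing described above and on slide 9: SPI, sequence number, payload, padding to a 4-byte boundary, Pad Length and Next Header trailer, and an ICV over everything from the SPI to the trailer, together with the RFC 4303 anti-replay window the receiver keeps per SA. To stay within the standard library it uses the ESP-NULL cipher (RFC 2410, integrity only) with a constructed HMAC-SHA-256-128 key; a real SA would use an AEAD such as AES-GCM, but the framing and replay handling are the same.

```python
import hmac
import hashlib
import struct

ESP_PROTO = 50
KEY = b"constructed-demo-esp-integrity-key"   # constructed; real keys come from IKE
ICV_LEN = 16                                  # HMAC-SHA-256-128 (RFC 4868)


class ReplayWindow:
    """RFC 4303 s.3.4.3 sliding window: a bitmap of the last `size` sequence
    numbers below the highest one accepted so far."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted
        self.bitmap = 0       # bit i set => sequence number (top - i) already seen

    def is_acceptable(self, seq):
        if seq == 0:          # the first packet on an SA is number 1
            return False
        if seq > self.top:    # to the right of the window: new
            return True
        diff = self.top - seq
        if diff >= self.size:           # fell off the left edge: too old
            return False
        return not (self.bitmap >> diff) & 1   # inside the window: reject duplicates

    def mark(self, seq):
        """Called only after the ICV has verified, so a forged packet cannot
        advance the window and cause legitimate packets to be dropped."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def esp_encapsulate(spi, seq, next_header, payload):
    """ESP packet: SPI | Seq | payload | padding | Pad Length | Next Header | ICV.
    With the NULL cipher the 'encrypted' region is simply the plaintext."""
    # Pad so that Pad Length + Next Header end on a 4-byte boundary (RFC 4303 s.2.4).
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))   # default padding content: 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)
    body = payload + padding + struct.pack("!BB", pad_len, next_header)
    icv = hmac.new(KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(pkt, window):
    """Receiver: cheap replay check, then ICV, then window update, then strip."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack("!II", pkt[:8])
    if not window.is_acceptable(seq):
        raise ValueError("replayed or stale sequence number")
    authed, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(KEY, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    window.mark(seq)
    pad_len, next_header = struct.unpack("!BB", authed[-2:])
    payload = authed[8:len(authed) - 2 - pad_len]
    return spi, next_header, payload
```

The order in `esp_decapsulate` matters: the replay check before the MAC keeps an attacker from forcing expensive ICV computations on obvious duplicates, and the window is updated only after the ICV verifies so that a forged packet with a high sequence number cannot slide the window forward and shut out genuine traffic.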

  12. Benefits of IPsec • When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter, while traffic within a company or workgroup does not incur the overhead of security-related processing. • IPsec sits below the transport layer (TCP, UDP), so it is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router. Even if IPsec is implemented in end systems, upper-layer software, including applications, is not affected.

  13. Cont.., • IPsec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization. • IPsec can also provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications.

  14. See more • http://www.cisco.com/web/about/ac123/ac147/ac174/ac197/about_cisco_ipj_archive_article09186a00800c830b.html • http://en.wikipedia.org/wiki/IPsec

  15. The End Thank you
