Join Lisa Bock for an in-depth discussion in this video, Introducing IPsec, part of IT Security Foundations: Network Security.
- Internet Protocol is a best-effort, connectionless protocol used to connect networks by routing and addressing each packet. Internet Protocol Security, or IPSec, is a protocol suite for securing IP communications. IPSec can both encrypt and authenticate each IP packet of a session between hosts or networks, across a LAN, across private and public WANs, and across the internet. IPSec can protect a much wider range of applications than SSL, and no special training is required when using IPSec.
We can add IPSec to IPv4 or IPv6 by using additional headers. If we take a look at our diagram of security mechanisms in the TCP/IP stack, we see that IPSec provides security at the network layer. IPSec is a general framework that provides a set of security processes and has three main functions: the Encapsulating Security Payload, the Authentication Header, and Key Management.
The Encapsulating Security Payload is a combined encryption and authentication protocol that provides confidentiality, authentication, integrity, and anti-replay service for IPv4 and IPv6. Which services are selected is determined by the Security Association and by where on the network it is implemented. You can use encryption only, to provide confidentiality alone, with the Encapsulating Security Payload.
However, using encryption without integrity may leave the communication stream vulnerable to attacks. The Authentication Header provides support for data integrity and authentication of IP packets using a message authentication code, and can provide assurance that a router or neighbor advertisement comes from an authorized router. The two parties must share a secret key. There are three authentication methods: digital signatures, public key encryption, and symmetric key encryption.
IPSec manages the keys to ensure that they are not intercepted or used by unauthorized parties. IPSec provides flexibility in how you implement it and in what level of security is required. You can implement IPSec host to host, that is, from one host to another. IPSec can be implemented gateway to gateway, that is, between a pair of routers using IPSec with a Virtual Private Network, or VPN.
Or gateway to host, that is, from an outside host to the gateway. Both the Authentication Header and the Encapsulating Security Payload support two modes, transport and tunnel. These are accomplished by adding new headers to the IP packet. Transport mode encrypts only the data portion of each packet and leaves the header unencrypted. This is used when a device, such as a firewall, must see the source and destination address to route the packet.
After passing through the firewall, the packet then changes to tunnel mode before being sent on the internet. Tunnel mode protects the entire IP packet by encrypting both the header and the data portion; the original packet is treated as the data portion. Here we see an IP packet in its transformation. At the top you see the original IP packet. When we use the Authentication Header in transport mode, you see that it is tucked behind the IP header.
However, when transformed to tunnel mode, the Authentication Header sits behind the new IP header, and, as you can see, the original packet is treated as the data portion. A Security Association is created to provide the attributes necessary for the Encapsulating Security Payload or Authentication Header process. We have to keep track of the streams, so the Security Parameter Index is an essential part of IPSec: it adds to the IP header information that differentiates between traffic streams that use different encryption rules and algorithms.
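To make the header ordering and the integrity check concrete, here is an added Python model of the Authentication Header in transport and tunnel mode. It is not code from the course: the IP and AH layouts, the field sizes and the 16-byte truncated HMAC-SHA256 integrity check value are simplifications constructed for illustration rather than the RFC 4302 wire format, and the class and function names are assumptions of this example. The IP protocol numbers 4 (IP-in-IP), 6 (TCP) and 51 (AH) are the real ones. The model shows the three things the paragraphs above describe: in transport mode the AH is tucked behind the original IP header, in tunnel mode it follows a new gateway-to-gateway header and the whole original packet becomes data, and the ICV lets the receiver detect any change to the protected bytes while tolerating mutable fields such as TTL that routers legitimately modify.

```python
"""Simplified model of IPsec Authentication Header (AH) placement and ICV.

Constructed example: header layouts and the truncated HMAC are simplified for
illustration and are not the RFC 4302 wire format.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Real IP protocol numbers; everything else about the layout is simplified.
PROTO_IPIP = 4          # AH "next header" value in tunnel mode (IP-in-IP)
PROTO_TCP = 6
PROTO_AH = 51

IP_HDR_LEN = 10                  # simplified IP header: src(4) dst(4) ttl(1) proto(1)
ICV_LEN = 16                     # truncated HMAC output (constructed choice)
AH_LEN = 1 + 4 + 4 + ICV_LEN     # next_header, SPI, sequence number, ICV


@dataclass
class IPHeader:
    src: str
    dst: str
    ttl: int
    proto: int

    def pack(self, for_icv: bool = False) -> bytes:
        # TTL changes at every hop, so it is zeroed when the ICV is computed;
        # otherwise every router would break the integrity check.
        ttl = 0 if for_icv else self.ttl
        return (bytes(int(o) for o in self.src.split("."))
                + bytes(int(o) for o in self.dst.split("."))
                + struct.pack("!BB", ttl, self.proto))

    @classmethod
    def unpack(cls, raw: bytes) -> "IPHeader":
        src = ".".join(str(b) for b in raw[0:4])
        dst = ".".join(str(b) for b in raw[4:8])
        ttl, proto = struct.unpack("!BB", raw[8:10])
        return cls(src, dst, ttl, proto)


@dataclass
class SecurityAssociation:
    spi: int       # Security Parameter Index, chosen by the SA's creator
    key: bytes     # shared secret the two parties must both hold


def _icv(sa: SecurityAssociation, outer: IPHeader, next_header: int,
         seq: int, after_ah: bytes) -> bytes:
    # MAC over: outer header (mutable fields zeroed) + AH with ICV zeroed + payload.
    ah_zeroed = struct.pack("!BII", next_header, sa.spi, seq) + bytes(ICV_LEN)
    mac = hmac.new(sa.key, outer.pack(for_icv=True) + ah_zeroed + after_ah, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def ah_protect(orig: IPHeader, payload: bytes, sa: SecurityAssociation, seq: int,
               mode: str, gateway: Optional[IPHeader] = None) -> bytes:
    """Return the protected packet bytes for transport or tunnel mode."""
    if mode == "transport":
        # Original header stays outermost; AH is inserted right behind it.
        outer = IPHeader(orig.src, orig.dst, orig.ttl, PROTO_AH)
        next_header, after_ah = orig.proto, payload
    elif mode == "tunnel":
        # New header addresses the gateways; the original packet is now data.
        outer = IPHeader(gateway.src, gateway.dst, gateway.ttl, PROTO_AH)
        next_header, after_ah = PROTO_IPIP, orig.pack() + payload
    else:
        raise ValueError(f"unknown mode {mode!r}")
    ah = struct.pack("!BII", next_header, sa.spi, seq) + _icv(sa, outer, next_header, seq, after_ah)
    return outer.pack() + ah + after_ah


def ah_verify(packet: bytes, sa: SecurityAssociation) -> Tuple[bool, int, bytes]:
    """Return (authentic, next_header, data_after_ah); ICV compare is constant-time."""
    if len(packet) < IP_HDR_LEN + AH_LEN:
        return False, 0, b""
    outer = IPHeader.unpack(packet[:IP_HDR_LEN])
    ah = packet[IP_HDR_LEN:IP_HDR_LEN + AH_LEN]
    next_header, spi, seq = struct.unpack("!BII", ah[:9])
    after_ah = packet[IP_HDR_LEN + AH_LEN:]
    if outer.proto != PROTO_AH or spi != sa.spi:
        return False, next_header, after_ah
    expected = _icv(sa, outer, next_header, seq, after_ah)
    return hmac.compare_digest(expected, ah[9:]), next_header, after_ah


if __name__ == "__main__":
    # Constructed sample: a TCP packet between two inside hosts, tunnelled
    # between two gateways. Addresses are documentation ranges.
    sa = SecurityAssociation(spi=0x1001, key=b"constructed-shared-key")
    inner = IPHeader("10.0.0.5", "10.0.1.9", 64, PROTO_TCP)
    gw = IPHeader("192.0.2.1", "198.51.100.1", 64, PROTO_AH)
    pkt = ah_protect(inner, b"GET / HTTP/1.0", sa, 1, "tunnel", gateway=gw)
    print("tunnel-mode packet authentic:", ah_verify(pkt, sa)[0])
```

In transport mode the receiver reads `next_header` (6) and hands the data to TCP; in tunnel mode it reads 4, strips the gateway header and AH, and forwards the recovered original packet unchanged, which is exactly the "original packet treated as data" picture in the diagram.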
The Security Parameter Index only has local significance, since the creator of the Security Association defines it. Key management with IPSec can be done in one of two ways. Manual key management is practical for small, relatively static environments; it means that each system is configured with its own keys and with the keys of the other communicating systems. Automated key management is the most flexible, as it enables on-demand creation of keys for Security Associations and facilitates the use of keys in a large distributed system.
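The SPI lookup and the anti-replay service mentioned earlier, as an added example that is not part of the course: a receiver-side Security Association database keyed by SPI, where each SA carries a sliding anti-replay window in the style of the 64-packet bitmap window described in RFC 4303. The `SADB`, `SecurityAssociation` and `AntiReplayWindow` names, the sample SPIs, peers and keys are all constructed for this illustration. It shows why a locally chosen SPI is enough to demultiplex streams, and how the window accepts out-of-order but new sequence numbers while dropping duplicates and packets too old to be tracked.

```python
"""Receiver-side SA lookup by SPI plus an anti-replay sliding window.

Constructed, simplified illustration; names are not from any real implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class AntiReplayWindow:
    """Bitmap over the most recent `size` sequence numbers.

    Bit i of `bitmap` is set when sequence number (highest - i) has been
    accepted, so bit 0 always refers to the highest number seen so far.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # receipt record for highest, highest-1, ...

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.highest:
            # Window slides forward; entries older than `size` fall off.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # too old to be tracked: drop
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay, drop
        self.bitmap |= 1 << offset             # late but new: accept
        return True


@dataclass
class SecurityAssociation:
    spi: int                          # chosen by this receiver, locally unique
    protocol: str                     # "AH" or "ESP"
    peer: str                         # remote endpoint sharing this SA
    key: bytes                        # shared secret (constructed sample)
    window: AntiReplayWindow = field(default_factory=AntiReplayWindow)


class SADB:
    """Inbound SA database. SPIs only need to be unique on this receiver."""

    def __init__(self) -> None:
        self._by_spi: Dict[int, SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        if sa.spi in self._by_spi:
            raise ValueError(f"SPI {sa.spi:#x} already allocated locally")
        self._by_spi[sa.spi] = sa

    def lookup(self, spi: int) -> Optional[SecurityAssociation]:
        return self._by_spi.get(spi)

    def accept_inbound(self, spi: int, seq: int) -> str:
        """Classify an inbound packet by its (SPI, sequence number) pair."""
        sa = self.lookup(spi)
        if sa is None:
            return "drop: unknown SPI"         # no SA negotiated for this stream
        if not sa.window.check_and_update(seq):
            return "drop: replayed or stale sequence number"
        return f"accept: {sa.protocol} from {sa.peer}"


def demo() -> List[str]:
    # Constructed sample: two inbound SAs with locally chosen SPIs, then an
    # arrival order containing one replay and one out-of-order packet.
    sadb = SADB()
    sadb.add(SecurityAssociation(0x1001, "ESP", "203.0.113.10", b"k1"))
    sadb.add(SecurityAssociation(0x1002, "AH", "198.51.100.7", b"k2"))
    arrivals = [(0x1001, 1), (0x1001, 2), (0x1001, 3), (0x1001, 2),
                (0x1001, 5), (0x1001, 4), (0x1002, 1), (0x2222, 1)]
    return [sadb.accept_inbound(spi, seq) for spi, seq in arrivals]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The fourth arrival (SPI 0x1001, sequence 2 again) is dropped as a replay, the sixth (sequence 4 arriving after 5) is accepted because it is late but new, and the last is dropped because no SA with SPI 0x2222 was ever created on this receiver.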
The Internet Key Exchange is a protocol to set up Security Associations in IPSec. It provides a standard method for dynamically authenticating IPSec peers, negotiating security services, and generating shared keys. Internet Key Exchange, or IKE, has two distinct components. The first is ISAKMP, or Internet Security Association and Key Management Protocol, a framework for internet key management that defines procedures for authenticating a communicating peer, for the creation and management of Security Associations, and for key generation techniques. The second is Oakley, a key distribution protocol based on the Diffie-Hellman algorithm.
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.