NETWORK SECURITY
Name of the Staff : M.FLORENCE DAYANA M.C.A.,M.Phil.,(Ph.D).,
Head, Dept. of CA
Bon Secours College For Women
Thanjavur.
Class : II MSc., CS
Semester : III
Unit : IV
Topic : IP Security
2/15/2019 1
IP Security Overview
• Internet Protocol Security (IPsec) is a set of protocols that provides security for the Internet Protocol.
• It can use cryptography to provide security.
• IPsec can be used to set up virtual private networks (VPNs) in a secure manner.
• IPsec is a protocol suite for secure Internet Protocol (IP) communications that works by authenticating and encrypting each IP packet of a communication session.
Applications of IPsec
• IPsec provides the capability to secure communications across a LAN, private and public WANs, and the Internet.
• An extranet is a private network that uses Internet technology and the public telecommunication system to securely share part of a business's information or operations with suppliers, vendors, partners, customers, or other businesses.
• An intranet is a private network accessible only to an organization's staff.
Examples include:
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security
An IP Security Architecture
Ethernet is a system for connecting a number of computer systems to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems.
Benefits of IPSecurity
• When IPsec is implemented in a firewall or router, it provides strong security that applies to all traffic crossing that perimeter.
• Traffic within a company or workgroup does not incur the overhead of security-related processing.
• IPsec is below the transport layer (TCP, UDP), and is thus transparent to applications.
• There is no need to change software on a user or server system when IPsec is implemented in the firewall or router.
• Even if IPsec is implemented in end systems, upper-layer software, including applications, is not affected.
• IPsec can be transparent to end users.
• IPsec can provide security for individual users if needed.
Routing Applications
• IPsec can play a vital role in the routing architecture required for internetworking.
IPsec can assure that:
• A router advertisement comes from an authorized router
• A router seeking to establish or maintain a neighbor relationship with a router in another routing domain is an authorized router
• A redirect message comes from the router to which the initial IP packet was sent
• A routing update is not forged
A router is a networking device that forwards data packets between computer networks.
IPsec Documents
1. Architecture
• Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology
• The current specification is RFC 4301, Security Architecture for the Internet Protocol
2. Authentication Header (AH)
• An extension header to provide message authentication
• The current specification is RFC 4302, IP Authentication Header
3. Encapsulating Security Payload (ESP)
• Consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication
• The current specification is RFC 4303, IP Encapsulating Security Payload (ESP)
4. Internet Key Exchange (IKE)
• A collection of documents describing the key management schemes for use with IPsec
• The main specification is RFC 5996, Internet Key Exchange (IKEv2) Protocol, but there are a number of related RFCs
5. Cryptographic algorithms
• This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange
6. Other
• There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content
IPsec Services
• IPsec provides security services at the IP layer by enabling a system to:
• Select required security protocols
• Determine the algorithm(s) to use for the service(s)
• Put in place any cryptographic keys required to provide the requested services
• The architecture document (RFC 4301) lists the following services:
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Transport and Tunnel Modes
Transport Mode
• Provides protection primarily for upper-layer protocols
• Examples include a TCP or UDP segment or an ICMP packet
• ICMP (Internet Control Message Protocol) is an error-reporting protocol
• Typically used for end-to-end communication between two hosts
• ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
• AH in transport mode authenticates the IP payload and selected portions of the IP header
Tunnel Mode
• Provides protection to the entire IP packet
• Used when one or both ends of a security association (SA) are a security gateway
• A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec
• ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header
• AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header
Transport and Tunnel Mode (figure slide)
Security Association (SA)
• A Security Association (SA) is the establishment of shared security attributes between two network entities to support secure communication.
• A security association (SA) is a logical connection involving two devices that transfer data with the help of the defined IPsec protocols.
• An SA may include attributes such as: cryptographic algorithm and mode; traffic encryption key; and parameters for the network data to be passed over the connection.
An SA is uniquely identified by three parameters:
Security Parameters Index (SPI)
• A 32-bit unsigned integer assigned to this SA and having local significance only
IP Destination Address
• Address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router
Security Protocol Identifier
• Indicates whether the association is an AH or ESP security association
Security Association Database (SAD)
The following parameters are held in a SAD entry:
• Security parameter index (a 32-bit value used to construct the packet's AH or ESP header)
• Sequence number counter (a 32-bit value used to generate the Sequence Number field)
• Sequence counter overflow (a flag indicating whether overflow of the Sequence Number)
• Anti-replay window (the main goal of anti-replay is to prevent an attacker from injecting or altering packets that travel from a source to a destination)
• AH information
• ESP information (Encapsulating Security Payload)
• Lifetime of this security association
• IPsec protocol mode (tunnel, transport, or wildcard (mask))
• Path MTU (maximum size of a packet that can be transmitted without fragmentation)
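The anti-replay window entry above is the one SAD parameter with real logic behind it. The sliding-window receiver below is an added example, not the slides' own code; it assumes a 64-slot window (RFC 4303 requires at least 32 and recommends 64), and the arrival orders it is run on are constructed.

```python
"""Sliding-window anti-replay check as kept in an IPsec SAD entry.

Added example: the receiver remembers the highest sequence number it has
accepted ("top") and a bitmap of which of the most recent WINDOW_SIZE
sequence numbers have already arrived. A duplicate, or a packet older
than the left edge of the window, is rejected; a newer packet slides
the window to the right. The window is only updated after the packet's
integrity check has passed, so forged packets cannot move it.
"""

WINDOW_SIZE = 64  # assumption: a common default; RFC 4303 minimum is 32


class AntiReplayWindow:
    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  sequence number (top - i) was seen

    def check(self, seq):
        """True if seq is acceptable (not a replay); does not record it."""
        if seq == 0:
            return False                     # first valid sequence number is 1
        if seq > self.top:
            return True                      # right of the window: always new
        if self.top - seq >= self.size:
            return False                     # left of the window: too old
        return not (self.bitmap >> (self.top - seq)) & 1

    def update(self, seq):
        """Record seq; call only after the ICV of that packet has verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1              # whole window is new; only seq seen
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq):
        """Check-then-update, as inbound ESP/AH processing does."""
        if not self.check(seq):
            return False
        self.update(seq)
        return True


def replay_trace(sequence_numbers, size=WINDOW_SIZE):
    """Feed a constructed arrival order through one window; one bool per packet."""
    win = AntiReplayWindow(size)
    return [win.accept(s) for s in sequence_numbers]


if __name__ == "__main__":
    # constructed arrival order: in-order, a replay, reordering, a jump, then stale packets
    order = [1, 2, 3, 2, 5, 4, 3, 100, 36, 37, 1]
    for seq, ok in zip(order, replay_trace(order)):
        print(f"seq {seq:>3}: {'accept' if ok else 'REJECT'}")
```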
Security Policy Database (SPD)
The following selectors determine an SPD entry:
Remote IP address
• This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address
• The latter two are required to support more than one destination system sharing the same SA
Local IP address
• This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address
• The latter two are required to support more than one source system sharing the same SA
Next layer protocol
• The IP protocol header includes a field that designates the protocol operating over IP
Name
• A user identifier from the operating system
• Not a field in the IP or upper-layer headers but is available if IPsec is running on the same operating system as the user
Local and remote ports
• These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port
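An SPD lookup over exactly these selector kinds, as an added example that is not code from the slides. Each selector may be a single value, an enumerated list, a range, a masked address, or a wildcard; entries are ordered and the first match wins, and the actions use the RFC 4301 vocabulary (protect, bypass, discard). The policies and packets are constructed.

```python
"""Security Policy Database lookup over the selectors named on the slide.

Added example: an SPD entry carries selectors for remote address, local
address, next-layer protocol, user name and ports. A packet matches an
entry only if every selector present in the entry matches; the first
matching entry decides. A packet that matches nothing is discarded,
which is what RFC 4301 requires.
"""
import ipaddress

ANY = "*"   # wildcard selector


def match_selector(selector, value):
    """True if value satisfies one selector (wildcard, range, list, masked address, or single value)."""
    if selector == ANY:
        return True
    if value is None:                        # entry constrains a field the packet lacks
        return False
    if isinstance(selector, range):          # port range (stop exclusive)
        return value in selector
    if isinstance(selector, (list, tuple, set)):   # enumerated list
        return value in selector
    if isinstance(selector, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ipaddress.ip_address(value) in selector   # wildcard (mask) address
    return selector == value                 # single value


def spd_lookup(spd, packet):
    """Return (action, entry_name) for the first matching entry, or ('discard', None)."""
    for entry in spd:
        if all(match_selector(sel, packet.get(field))
               for field, sel in entry["selectors"].items()):
            return entry["action"], entry["name"]
    return "discard", None


# constructed policy: site-to-site VPN, cleartext DNS, admin-only SSH, no telnet
SPD = [
    {"name": "branch-vpn", "action": "protect",
     "selectors": {"remote_ip": ipaddress.ip_network("10.2.0.0/16"),
                   "local_ip": ipaddress.ip_network("10.1.0.0/16"),
                   "protocol": ANY}},
    {"name": "dns-clear", "action": "bypass",
     "selectors": {"protocol": 17, "remote_port": 53}},
    {"name": "admin-ssh", "action": "protect",
     "selectors": {"protocol": 6, "remote_port": [22], "name": "admin"}},
    {"name": "block-telnet", "action": "discard",
     "selectors": {"protocol": 6, "remote_port": range(23, 24)}},
]


def classify(packet):
    """Apply the constructed SPD to one outbound packet description."""
    return spd_lookup(SPD, packet)


if __name__ == "__main__":
    pkt = {"remote_ip": "10.2.5.9", "local_ip": "10.1.0.3", "protocol": 6, "remote_port": 443}
    print(classify(pkt))
```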
ESP with Authentication Option
• An Encapsulating Security Payload (ESP) is a protocol within IPsec for providing authentication, integrity and confidentiality of network packet data/payload in IPv4 and IPv6 networks.
• In this approach, the user first applies ESP to the data to be protected and then appends the authentication data field.
• In both cases authentication applies to the ciphertext rather than the plaintext.
Transport mode ESP
• Authentication and encryption apply to the IP payload delivered to the host, but the IP header is not protected.
Tunnel mode ESP
• Authentication applies to the entire IP packet delivered to the outer IP destination address, and authentication is performed at that destination.
• The entire inner IP packet is protected by the privacy mechanism for delivery to the inner IP destination.
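The ordering the slide states, encrypt first and then authenticate the ciphertext, is what lets a receiver drop a tampered packet before it ever decrypts anything. The transport-mode ESP encapsulation below is an added example, not the slides' code; it assumes HMAC-SHA-256 truncated to 128 bits for the ICV (as in RFC 4868), a toy SHA-256 keystream in place of AES purely so the example runs offline, and constructed keys, SPI and payload.

```python
"""ESP with the authentication option, transport mode (RFC 4303 layout).

Added example: ESP header (SPI, sequence number) | encrypted(payload,
padding, pad length, next header) | ICV. The ICV covers the header and
the ciphertext, so the receiver verifies before decrypting.
Assumptions: toy keystream instead of AES (NOT a real IPsec cipher),
HMAC-SHA-256-128 for integrity, constructed keys.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16                 # HMAC-SHA-256-128: 128-bit truncated tag
ENC_KEY = b"K" * 32          # constructed; a real SA gets keys from IKE
AUTH_KEY = b"A" * 32
PROTO_TCP = 6                # next-header value carried in the ESP trailer


def toy_keystream(key, spi, seq, length):
    """Toy stream cipher (NOT AES): SHA-256 in counter mode over (key, SPI, seq)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, counter)).digest()
        counter += 1
    return out[:length]


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(spi, seq, payload, next_header=PROTO_TCP, block=4):
    """Sender side: encrypt payload+trailer, then append ICV over header+ciphertext."""
    header = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % block           # align trailer to cipher block
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default pad bytes 1,2,3..
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = xor(plaintext, toy_keystream(ENC_KEY, spi, seq, len(plaintext)))
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(packet):
    """Receiver side: verify ICV first; only then decrypt. None means drop."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                                    # tampered: drop before decrypting
    spi, seq = struct.unpack("!II", header)
    plaintext = xor(body, toy_keystream(ENC_KEY, spi, seq, len(body)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        return None                                    # malformed trailer
    return spi, seq, plaintext[:len(plaintext) - 2 - pad_len], next_header


def tamper_demo():
    """Flip one ciphertext bit: the genuine packet decapsulates, the altered one is rejected."""
    pkt = esp_encapsulate(0x1001, 1, b"GET / HTTP/1.1\r\n")
    bad = bytearray(pkt)
    bad[10] ^= 0x01                                    # inside the encrypted body
    return esp_decapsulate(pkt) is not None and esp_decapsulate(bytes(bad)) is None


if __name__ == "__main__":
    print(esp_decapsulate(esp_encapsulate(0x1001, 7, b"hello world")))
    print("tampered packet rejected before decryption:", tamper_demo())
```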
Internet Key Exchange
• The key management portion of IPsec involves the determination and distribution of secret keys.
• A typical requirement is four keys for communication between two applications: transmit and receive pairs for both integrity and confidentiality.
• The IPsec Architecture document mandates support for two types of key management:
Manual
• A system administrator manually configures each system with its own keys and with the keys of other communicating systems
• This is practical for small, relatively static environments
Automated
• Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration
ISAKMP/Oakley
The default automated key management protocol of IPsec
Oakley Key Determination Protocol
• The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection using the Diffie–Hellman key exchange algorithm.
Internet Security Association and Key Management Protocol (ISAKMP)
• Provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes
• Consists of a set of message types that enable the use of a variety of key exchange algorithms
Features of IKE Key Determination
The five important features are:
1. It employs a mechanism known as cookies to thwart clogging attacks
2. It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange
3. It uses nonces to ensure against replay attacks
4. It enables the exchange of Diffie-Hellman public key values
5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks
The Internet Key Exchange (IKE) is an IPsec (Internet Protocol Security) standard protocol used to ensure security for virtual private network (VPN) negotiation and remote host or network access.
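Feature 1, cookies against clogging, works because the responder does no expensive Diffie-Hellman work and keeps no state until the initiator proves it can receive at its claimed address. The responder below is an added example, not the slides' code, modeled on the stateless cookie of RFC 5996 section 2.6 (Cookie = version | Hash(Ni | IPi | SPIi | secret)); the secret, addresses, nonces and SPIs are constructed, and the "DH computation" is only counted, not performed.

```python
"""Stateless IKE cookies as a defence against clogging (flooding) attacks.

Added example: on a first contact the responder answers with a cookie
computed from the initiator's nonce, address and SPI under a secret it
alone knows, storing nothing. Only a request that echoes a cookie which
verifies gets the costly Diffie-Hellman step. A flood from forged source
addresses never sees the cookies it would need, so it costs the responder
one HMAC per packet instead of one DH exponentiation per packet.
"""
import hashlib
import hmac
import os


class Responder:
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)   # constructed; rotated periodically in practice
        self.version = 1                         # identifies which secret made the cookie
        self.dh_computations = 0                 # the expensive work the cookie protects

    def cookie(self, nonce_i, ip_i, spi_i):
        """Cookie = version | Hash(Ni | IPi | SPIi | secret), keyed as an HMAC here."""
        mac = hmac.new(self.secret, nonce_i + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def handle_init(self, nonce_i, ip_i, spi_i, cookie=None):
        """('cookie', value) on first contact; ('dh', True) once a valid cookie is echoed."""
        expected = self.cookie(nonce_i, ip_i, spi_i)
        if cookie is None or not hmac.compare_digest(cookie, expected):
            return ("cookie", expected)          # cheap: no state kept, no DH done
        self.dh_computations += 1                # costly step reserved for verified peers
        return ("dh", True)


def flood_then_honest(n_spoofed=1000):
    """Constructed scenario: n spoofed first contacts, then one honest two-step initiator."""
    r = Responder()
    for i in range(n_spoofed):                   # replies go to forged addresses: never echoed
        r.handle_init(os.urandom(16), f"203.0.113.{i % 250}", os.urandom(8))
    nonce, ip, spi = b"n" * 16, "198.51.100.7", b"s" * 8
    first_kind, ck = r.handle_init(nonce, ip, spi)
    second = r.handle_init(nonce, ip, spi, cookie=ck)
    forged = r.handle_init(nonce, ip, spi, cookie=b"\x01" + b"\x00" * 16)
    return r.dh_computations, first_kind, second, forged[0]


if __name__ == "__main__":
    dh, first, second, forged = flood_then_honest()
    print(f"DH computations after flood + honest peer: {dh}")
    print(f"first contact -> {first}, cookie echoed -> {second}, forged cookie -> {forged}")
```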