SlideShare une entreprise Scribd logo

Lec 9.pptx

Télécharger en tant que PPTX, PDF
S
ssuserbab2f4

Network security

Logiciels
1  sur  22
Network Security CIT 602 Lec 9 Dr. Ahmed Alwakeel Assistant Professor College of Computers and Information Technology University of Tabuk aalwakeel@ut.edu.sa
IP Security IP security (IPsec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6) by means of additional headers. IPsec encompasses three functional areas: authentication, confidentiality, and key management. Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to all of the packet except for the IP header (transport mode). Dr. Anas Bushnag 2
IP Security Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel and transport modes can be accommodated. IKE defines a number of techniques for key management. There are application-specific security mechanisms for a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others. Dr. Anas Bushnag 3
IP Security The authentication mechanism assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header. In addition, this mechanism assures that the packet has not been altered in transit. The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. The key management facility is concerned with the secure exchange of keys. Dr. Anas Bushnag 4
IP Security Overview In 1994, the Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture” (RFC 1636). The need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.  To provide security, the IAB included authentication and encryption as necessary security features in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities were designed to be usable both with the current IPv4 and the future IPv6. Dr. Anas Bushnag 5
Applications of IPsec IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples: Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. Dr. Anas Bushnag 6
Applications of IPsec Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. Establishing extranet and intranet connectivity with partners: IPsec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. Dr. Anas Bushnag 7
Applications of IPsec Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPsec enhances that security. IPsec guarantees that all traffic designated by the network administrator is both encrypted and authenticated, adding an additional layer of security to whatever is provided at the application layer. Dr. Anas Bushnag 8
Applications of IPsec Dr. Anas Bushnag 9
Benefits of IPsec When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing. IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization. Dr. Anas Bushnag 10
Benefits of IPsec IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router. Even if IPsec is implemented in end systems, upper-layer software, including applications, is not affected. IPsec can be transparent to end users. There is no need to train users on security mechanisms. IPsec can provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications. Dr. Anas Bushnag 11
IPsec Services Two protocols are used to provide security: An authentication protocol designated by the header of the protocol, Authentication Header (AH).  A combined encryption/ authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). Dr. Anas Bushnag 12
Transport and Tunnel Modes Both AH and ESP support two modes of use: transport and tunnel mode Transport mode provides protection primarily for upper-layer protocols. Tunnel mode provides protection to the entire IP packet. Dr. Anas Bushnag 13
Transport and Tunnel Modes Dr. Anas Bushnag 14
Transport and Tunnel Modes Dr. Anas Bushnag 15
Transport and Tunnel Modes Dr. Anas Bushnag 16
Transport and Tunnel Modes Dr. Anas Bushnag 17
Transport and Tunnel Modes Dr. Anas Bushnag 18
Transport and Tunnel Modes Transport Mode: Encryption (and optionally authentication) is provided directly between two hosts. Tunnel Mode: how tunnel mode operation can be used to set up a virtual private network. An organization has four private networks interconnected across the Internet. Hosts on the internal networks use the Internet for transport of data but do not interact with other Internet-based hosts. Dr. Anas Bushnag 19
Transport and Tunnel Modes For Transport mode using IPv4, the ESP header is inserted into the IP packet immediately prior to the transport-layer header (e.g., TCP, UDP), and an ESP trailer (Padding, Pad Length, and Next Header fields) is placed after the IP packet. If authentication is selected, the ESP Authentication Data field is added after the ESP trailer. The entire transport-level segment plus the ESP trailer are encrypted. Authentication covers all of the ciphertext plus the ESP header. Dr. Anas Bushnag 20
Transport and Tunnel Modes Tunnel mode ESP is used to encrypt an entire IP packet. For this mode, the ESP header is prefixed to the packet and then the packet plus the ESP trailer is encrypted. This method can be used to counter traffic analysis. Because the IP header contains the destination address and possibly source routing directives and hop-by-hop option information, it is not possible simply to transmit the encrypted IP packet prefixed by the ESP header. Dr. Anas Bushnag 21
Transport and Tunnel Modes Intermediate routers would be unable to process such a packet. Therefore, it is necessary to encapsulate the entire block (ESP header plus ciphertext plus Authentication Data, if present) with a new IP header that will contain sufficient information for routing but not for traffic analysis. Whereas the transport mode is suitable for protecting connections between hosts that support the ESP feature, the tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway that protects a trusted network Dr. Anas Bushnag 22

Recommandé

IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdf
solimankellymattwe60
 
college assignment on Applications of ipsec
college assignment on Applications of ipsec college assignment on Applications of ipsec
college assignment on Applications of ipsec
bigchill29
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
PRADEEPJ30
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
PRADEEPJ30
 
Ip sec
Ip secIp sec
Ip sec
Shiva Krishna Chandra Shekar
 
I psec cisco
I psec ciscoI psec cisco
I psec cisco
Deepak296
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
Chinmay Patel
 
IP Security
IP SecurityIP Security
IP Security
Ambo University
 

Recommandé

IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdf
solimankellymattwe60
 
college assignment on Applications of ipsec
college assignment on Applications of ipsec college assignment on Applications of ipsec
college assignment on Applications of ipsec
bigchill29
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
PRADEEPJ30
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
PRADEEPJ30
 
Ip sec
Ip secIp sec
Ip sec
Shiva Krishna Chandra Shekar
 
I psec cisco
I psec ciscoI psec cisco
I psec cisco
Deepak296
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
Chinmay Patel
 
IP Security
IP SecurityIP Security
IP Security
Ambo University
 
Internet Protocol Security as the Network Cryptography System
Internet Protocol Security as the Network Cryptography SystemInternet Protocol Security as the Network Cryptography System
Internet Protocol Security as the Network Cryptography System
Universitas Pembangunan Panca Budi
 
IP Security
IP SecurityIP Security
IP Security
sahilshah200
 
Working Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security PayloadWorking Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security Payload
ijtsrd
 
Cn36539543
Cn36539543Cn36539543
Cn36539543
IJERA Editor
 
Unit 5
Unit 5Unit 5
Unit 5
Vinod Kumar Gorrepati
 
Ip security
Ip security Ip security
Ip security
Naveen Dubey
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
n|u - The Open Security Community
 
Ip security
Ip security Ip security
Ip security
Dr.K.Sreenivas Rao
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
limsh
 
Network Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarNetwork Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. Shivashankar
Dr. Shivashankar
 
IP Security
IP SecurityIP Security
IP Security
Dr.Florence Dayana
 
Network IP Security.pdf
Network IP Security.pdfNetwork IP Security.pdf
Network IP Security.pdf
georgejustymirobi1
 
CNS UNIT-VI.pptx
CNS UNIT-VI.pptxCNS UNIT-VI.pptx
CNS UNIT-VI.pptx
nandan543979
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
Abdullaziz Tagawy
 
Unit 6
Unit 6Unit 6
Unit 6
KRAMANJANEYULU1
 
IP SEC.ptx
IP SEC.ptxIP SEC.ptx
IP SEC.ptx
MamoonKhan40
 
V P N
V P NV P N
V P N
bhathiji
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
ArunKumar Subbiah
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
Jyoshna Cec Cse Staf bejjam
 
[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx
hanneloremccaffery
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
PearlKirahMaeRagusta1
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
Shane Coughlan
 

Contenu connexe

Similaire à Lec 9.pptx

Internet Protocol Security as the Network Cryptography System
Internet Protocol Security as the Network Cryptography SystemInternet Protocol Security as the Network Cryptography System
Internet Protocol Security as the Network Cryptography System
Universitas Pembangunan Panca Budi
 
Working Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security PayloadWorking Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security Payload
ijtsrd
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
limsh
 
[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx
hanneloremccaffery
 

Similaire à Lec 9.pptx (20)

Internet Protocol Security as the Network Cryptography System
Internet Protocol Security as the Network Cryptography SystemInternet Protocol Security as the Network Cryptography System
Internet Protocol Security as the Network Cryptography System
 
IP Security
IP SecurityIP Security
IP Security
 
Working Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security PayloadWorking Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security Payload
 
Cn36539543
Cn36539543Cn36539543
Cn36539543
 
Unit 5
Unit 5Unit 5
Unit 5
 
Ip security
Ip security Ip security
Ip security
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
 
Ip security
Ip security Ip security
Ip security
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
 
Network Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarNetwork Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. Shivashankar
 
IP Security
IP SecurityIP Security
IP Security
 
Network IP Security.pdf
Network IP Security.pdfNetwork IP Security.pdf
Network IP Security.pdf
 
CNS UNIT-VI.pptx
CNS UNIT-VI.pptxCNS UNIT-VI.pptx
CNS UNIT-VI.pptx
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
Unit 6
Unit 6Unit 6
Unit 6
 
IP SEC.ptx
IP SEC.ptxIP SEC.ptx
IP SEC.ptx
 
V P N
V P NV P N
V P N
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 
[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx
 

Dernier

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 

Dernier (20)

Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 

Lec 9.pptx

  • 1. Network Security CIT 602 Lec 9 Dr. Ahmed Alwakeel Assistant Professor College of Computers and Information Technology University of Tabuk aalwakeel@ut.edu.sa
  • 2. IP Security IP security (IPsec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6) by means of additional headers. IPsec encompasses three functional areas: authentication, confidentiality, and key management. Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to all of the packet except for the IP header (transport mode). Dr. Anas Bushnag 2
  • 3. IP Security Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel and transport modes can be accommodated. IKE defines a number of techniques for key management. There are application-specific security mechanisms for a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others. Dr. Anas Bushnag 3
  • 4. IP Security The authentication mechanism assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header. In addition, this mechanism assures that the packet has not been altered in transit. The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. The key management facility is concerned with the secure exchange of keys. Dr. Anas Bushnag 4
  • 5. IP Security Overview In 1994, the Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture” (RFC 1636). The need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.  To provide security, the IAB included authentication and encryption as necessary security features in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities were designed to be usable both with the current IPv4 and the future IPv6. Dr. Anas Bushnag 5
  • 6. Applications of IPsec IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples: Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. Dr. Anas Bushnag 6
  • 7. Applications of IPsec Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. Establishing extranet and intranet connectivity with partners: IPsec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. Dr. Anas Bushnag 7
  • 8. Applications of IPsec Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPsec enhances that security. IPsec guarantees that all traffic designated by the network administrator is both encrypted and authenticated, adding an additional layer of security to whatever is provided at the application layer. Dr. Anas Bushnag 8
  • 9. Applications of IPsec Dr. Anas Bushnag 9
  • 10. Benefits of IPsec When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing. IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization. Dr. Anas Bushnag 10
  • 11. Benefits of IPsec IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router. Even if IPsec is implemented in end systems, upper-layer software, including applications, is not affected. IPsec can be transparent to end users. There is no need to train users on security mechanisms. IPsec can provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications. Dr. Anas Bushnag 11
  • 12. IPsec Services Two protocols are used to provide security: An authentication protocol designated by the header of the protocol, Authentication Header (AH).  A combined encryption/ authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). Dr. Anas Bushnag 12
  • 13. Transport and Tunnel Modes Both AH and ESP support two modes of use: transport and tunnel mode Transport mode provides protection primarily for upper-layer protocols. Tunnel mode provides protection to the entire IP packet. Dr. Anas Bushnag 13
  • 14. Transport and Tunnel Modes Dr. Anas Bushnag 14
  • 15. Transport and Tunnel Modes Dr. Anas Bushnag 15
  • 16. Transport and Tunnel Modes Dr. Anas Bushnag 16
  • 17. Transport and Tunnel Modes Dr. Anas Bushnag 17
  • 18. Transport and Tunnel Modes Dr. Anas Bushnag 18
  • 19. Transport and Tunnel Modes Transport Mode: Encryption (and optionally authentication) is provided directly between two hosts. Tunnel Mode: how tunnel mode operation can be used to set up a virtual private network. An organization has four private networks interconnected across the Internet. Hosts on the internal networks use the Internet for transport of data but do not interact with other Internet-based hosts. Dr. Anas Bushnag 19
  • 20. Transport and Tunnel Modes For Transport mode using IPv4, the ESP header is inserted into the IP packet immediately prior to the transport-layer header (e.g., TCP, UDP), and an ESP trailer (Padding, Pad Length, and Next Header fields) is placed after the IP packet. If authentication is selected, the ESP Authentication Data field is added after the ESP trailer. The entire transport-level segment plus the ESP trailer are encrypted. Authentication covers all of the ciphertext plus the ESP header. Dr. Anas Bushnag 20
  • 21. Transport and Tunnel Modes Tunnel mode ESP is used to encrypt an entire IP packet. For this mode, the ESP header is prefixed to the packet and then the packet plus the ESP trailer is encrypted. This method can be used to counter traffic analysis. Because the IP header contains the destination address and possibly source routing directives and hop-by-hop option information, it is not possible simply to transmit the encrypted IP packet prefixed by the ESP header. Dr. Anas Bushnag 21
  • 22. Transport and Tunnel Modes Intermediate routers would be unable to process such a packet. Therefore, it is necessary to encapsulate the entire block (ESP header plus ciphertext plus Authentication Data, if present) with a new IP header that will contain sufficient information for routing but not for traffic analysis. Whereas the transport mode is suitable for protecting connections between hosts that support the ESP feature, the tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway that protects a trusted network Dr. Anas Bushnag 22