2. In today's massively interconnected business world of the Internet, intranets, branch offices, and
remote access, sensitive information constantly crosses the networks.
Without security, both public and private networks are susceptible to unauthorized monitoring
and access.
Therefore, different network security protocols are in widespread use for protecting private
and public networks, such as
IP Security (IPSec),
Transport Layer Security (TLS)
and Secure Shell (SSH).
Of these, only IPsec protects all application traffic over an IP network.
10-Dec-16 2
3. IP security refers to the security mechanisms implemented at the IP
(Internet Protocol) layer to ensure
integrity,
authentication and
confidentiality of data during transmission in the open Internet environment.
It is a protocol suite for secure IP communications that works by
authenticating
and encrypting each IP packet of a communication session.
4. IPSec is a set of protocols and algorithms used to secure IP
data at the network layer.
It is an open standard for VPN implementation.
It is built into IPv6 and compatible with IPv4.
5. IPSec aims to verify the sources of IP packets
(authentication),
to prevent replaying of old packets,
and to protect the integrity and/or confidentiality of packets
(data integrity / data encryption).
6. IPsec architecture (diagram): IPSec Security Policy; ESP (Encapsulating Security Payload); AH (Authentication Header); IKE (The Internet Key Exchange).
Architecture: Covers the general concepts, security requirements, definitions and
mechanisms defining IPsec technology.
7. Provides source authentication
Protects against source spoofing
Provides connectionless data integrity
Protects against replay attacks
Use monotonically increasing sequence numbers
Protects against denial of service attacks
NO protection for confidentiality!
8. Uses a 32-bit monotonically increasing sequence number to avoid replay
attacks.
Uses cryptographically strong hash algorithms to protect data integrity
(96-bit truncated integrity check value).
Uses symmetric key cryptography:
HMAC-SHA-96, HMAC-MD5-96.
9. AH packet layout (diagram): New IP header | AH | Old IP header (only in tunnel mode) | TCP header | Data.
AH fields: Next header, Payload length, Reserved, Security Parameters Index (SPI), Sequence Number, Authentication Data.
Authentication Data is a hash of everything else; the encapsulated TCP or IP packet is authenticated.
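The AH layout and the replay protection of slides 7 to 9, as an added example (not code from the original slides): it builds and verifies an AH with an HMAC-SHA1-96 ICV and implements the receiver's anti-replay check. The slides only say the sequence number is monotonically increasing; the example goes a step further and uses the sliding window an IPsec receiver actually keeps (RFC 4302 section 3.4.3). Key, SPI and payload values are constructed; the ICV here covers only the AH header and payload, not the immutable IP header fields a real implementation also includes.

```python
import hmac
import hashlib
import struct

# Constructed example of the AH layout shown above (RFC 4302):
#   next header(1) | payload length(1) | reserved(2) | SPI(4) | sequence(4) | ICV(12)
# ICV = HMAC-SHA1-96: the 160-bit HMAC-SHA1 tag truncated to its first 96 bits.
# Simplification: the real ICV also covers the immutable fields of the IP header
# (mutable ones zeroed); here it covers the AH header and the payload only.
ICV_LEN = 12
AH_LEN = 12 + ICV_LEN

def ah_build(key, spi, seq, next_header, payload):
    """Return the AH header followed by the payload, with the ICV filled in."""
    payload_length = AH_LEN // 4 - 2          # AH length in 32-bit words minus 2
    hdr = struct.pack("!BBHII", next_header, payload_length, 0, spi, seq)
    # The ICV is computed with the Authentication Data field set to zero
    icv = hmac.new(key, hdr + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + icv + payload

def ah_verify(key, packet):
    """Recompute the ICV; return (spi, seq, payload) or None if it does not match."""
    hdr, icv, payload = packet[:12], packet[12:AH_LEN], packet[AH_LEN:]
    expected = hmac.new(key, hdr + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):     # constant-time comparison
        return None
    _, _, _, spi, seq = struct.unpack("!BBHII", hdr)
    return spi, seq, payload

class ReplayWindow:
    """Receiver-side anti-replay check over the 32-bit sequence number: a sliding
    window (RFC 4302 section 3.4.3) so that packets reordered in transit are still
    accepted, but each sequence number is accepted exactly once."""
    def __init__(self, size=64):
        self.size, self.top, self.seen = size, 0, 0   # seen: bitmap, bit i = top - i
    def accept(self, seq):
        if seq == 0:                        # 0 is never valid once anti-replay is enabled
            return False
        if seq > self.top:                  # new highest: slide the window forward
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:               # older than the window: drop
            return False
        if (self.seen >> diff) & 1:         # already received: replay
            return False
        self.seen |= 1 << diff
        return True
```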
10. Provides all that AH offers, and
in addition provides data confidentiality
Uses symmetric key encryption
Same as AH:
◦ Use 32-bit sequence number to counter replay attacks
◦ Use integrity check algorithms
Only in ESP:
◦ Data confidentiality:
◦ Uses symmetric key encryption algorithms to encrypt packets
11. ESP packet layout (diagram): IP header | ESP header (Security Parameters Index (SPI), Sequence Number) | Initialization vector | encrypted TCP packet (TCP header, Data, Pad, Pad length, Next header) | Authentication Data.
Encrypted: TCP header, Data, Pad, Pad length, Next header. Authenticated: from the ESP header through the ESP trailer, not the IP header.
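The ESP framing of slides 10 and 11, as an added example (not code from the original slides): it builds and parses SPI | sequence | IV | encrypted (payload, pad, pad length, next header) | ICV, verifies the ICV before decrypting, and checks the padding bytes on receipt. So that it runs with only the standard library, the cipher is a stand-in keystream built from HMAC-SHA256 in counter mode rather than the cipher a real SA negotiates (for example AES-CBC); keys, SPI and payloads are constructed values.

```python
import hmac, hashlib, struct, os

# Constructed example of ESP framing (RFC 4303 layout):
#   SPI(4) | seq(4) | IV(8) | encrypted(payload | padding | pad length | next header) | ICV(12)
# Cipher: stand-in keystream from HMAC-SHA256 in counter mode (NOT a real SA cipher such
# as AES-CBC; used only so the example needs nothing outside the standard library).
# ICV: HMAC-SHA1-96 over SPI..ciphertext; unlike AH it never covers the outer IP header.
ICV_LEN, IV_LEN, BLOCK = 12, 8, 4   # BLOCK: ESP trailer must end on a 4-byte boundary

def _keystream(key, iv, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_encapsulate(enc_key, auth_key, spi, seq, next_header, payload, iv=None):
    """Return an ESP packet body (everything after the IP header)."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    # Default padding content is 1,2,3,... chosen so payload+pad+2 trailer bytes is aligned
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))
    plaintext = payload + padding + bytes([pad_len, next_header])
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    body = struct.pack("!II", spi, seq) + iv + ct
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_decapsulate(enc_key, auth_key, packet):
    """Verify the ICV first (never decrypt unauthenticated data), then strip the trailer.
    Returns (spi, seq, next_header, payload) or None."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if len(body) < 8 + IV_LEN + 2 or not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack_from("!II", body, 0)
    iv, ct = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    pt = _xor(ct, _keystream(enc_key, iv, len(ct)))
    pad_len, next_header = pt[-2], pt[-1]
    payload, padding = pt[:-2 - pad_len], pt[-2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):   # receiver SHOULD check default padding
        return None
    return spi, seq, next_header, payload
```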
12. Both AH and ESP support transport and tunnel modes.
AH
  Transport mode SA: authenticates the IP payload and selected portions of the IP header and IPv6 extension headers.
  Tunnel mode SA: authenticates the entire inner IP packet plus selected portions of the outer IP header.
ESP
  Transport mode SA: encrypts the IP payload and any IPv6 extension header.
  Tunnel mode SA: encrypts the inner IP packet.
ESP with Authentication
  Transport mode SA: encrypts the IP payload and any IPv6 extension header; authenticates the IP payload but not the IP header.
  Tunnel mode SA: encrypts the inner IP packet; authenticates the inner IP packet.
13. The key management portion of IPSec involves
the determination and distribution of the secret keys.
A typical requirement is four keys for communication between
two applications:
transmit and receive pairs for both AH and ESP.
Two types of key management are supported:
Manual
Automatic
14. A Security Association (SA) describes a particular kind of secure connection between
one device and another.
Security Associations are key to IPSEC’s authentication and
confidentiality mechanisms.
SAs are negotiated during the “shared secret” exchange,
the process of sharing the secret key.
15. An SA is uniquely identified by three parameters:
Security Parameters Index (SPI): The SPI assigns a bit string to this SA that has
local significance only.
The SPI is carried in AH and ESP headers to enable the receiving system to select the
SA under which a received packet will be processed.
IP destination address : Currently, only unicast addresses are allowed; this is the
address of the destination endpoint of the SA, which may be an end-user system or
a network system such as a firewall or router.
Security protocol identifier : This indicates whether the association is an AH or
ESP security association.
16. IPsec provides strong security when implemented in a firewall or router,
because it can be applied to all traffic crossing the perimeter.
IPsec is resistant to bypass if all traffic from the outside must use
IP and the firewall is the only way of entrance from the Internet into
the organization.
It is below the transport layer, hence transparent to applications.
It can be transparent to end users.
It can provide security for individual users if needed.
17. Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishment of extranet and intranet connectivity with partners
Enhancement of electronic commerce security
18. The importance of IP Security is growing, but unfortunately its operation
imposes a significant burden on the encrypting devices. Furthermore,
certain applications may suffer from the increase in latency (i.e., the
time required to pass through an IPSec network device) due to the
extra processing.
Finally, at a time when network security is increasingly vital, IPSec
makes it easy for network managers to provide a strong layer of
protection to their organization's information resources.