
IPSec Detailed Description and VPN

Lecture 6 – NETW4006



  1. IPSec Detailed Description and VPN Lecture 6 – NETW4006 NETW4006-Lecture06

  2. IPSec IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that lets a pair of communicating entities negotiate whichever algorithms provide security appropriate for the communication.

  3. IPSec • provides • authentication and integrity • confidentiality • key management • applicable over LANs, across public and private WANs, and across the Internet

  4. Network Security Protocols • Used to manage and secure authentication, authorization, confidentiality, integrity, and non-repudiation • In a Microsoft Windows Server 2003 network, the major protocols used are Kerberos, NTLM, IPSec, and their various sub-protocols

  5. Applications of IPSec • Secure branch office connectivity over the Internet • Secure remote access over the Internet • Establishing extranet and intranet connectivity with partners • Enhancing electronic commerce security • IP Security (IPSec) protects data so that captured packets cannot be read, and cannot be altered without the receiver detecting it

  6. Protecting Data with IPSec • Data is digitally signed (integrity-protected) and encrypted before transmission • IPSec encrypts the information in IP datagrams by encapsulating it, so that even if the packets are captured none of the data inside can be read • Because it is an IP-based protocol, it provides end-to-end protection for any IP traffic, regardless of application • Intermediate systems, such as routers, treat the encrypted part of the packets purely as payload • Protocols above IP, such as SSL/TLS, protect only the traffic of applications written to use them (for example Web traffic); IPSec protects all IP traffic transparently to the application

  7. IPSec Functions (1) • Key generation • The two communicating computers both need access to a shared secret key: the Diffie–Hellman algorithm lets them compute that shared key over an untrusted network without ever transmitting it • Cryptographic checksums • The shared key is used to calculate a keyed checksum over the data in each packet, called a Hash Message Authentication Code (HMAC) • HMAC is used in combination with Message Digest 5 (MD5) or with Secure Hash Algorithm-1 (SHA-1): • SHA-1 produces a 160-bit digest and MD5 a 128-bit digest (these are digest sizes, not key sizes); IPSec truncates either HMAC to 96 bits when it is carried in a packet (HMAC-SHA1-96, HMAC-MD5-96) • SHA-1 is the stronger of the two and is the one used in the USA for high-level security requirements • Caveat: HMAC-MD5-96 is deprecated and SHA-1 is being phased out; current IPSec deployments should prefer HMAC-SHA2 or an AEAD cipher such as AES-GCM

  8. IPSec Functions (2) • Mutual authentication • An end system or router can authenticate its peer (user or application) before any data is accepted • Prevents address spoofing attacks, since a forged source address cannot produce a valid HMAC for the packet • In Windows Server 2003 the peers authenticate with Kerberos, digital certificates, or a pre-shared key • Replay prevention • IPSec assigns a monotonically increasing sequence number to each packet, and the receiver keeps a sliding window of the sequence numbers already seen, rejecting duplicates and packets older than the window (anti-replay services) • IP packet filtering • IPSec includes its own packet filtering mechanism, which helps mitigate DoS attacks by filtering on port, address, and protocol

  9. IPSec Protocols (1) • Two protocols that provide different types of security for network communications • IP Authentication Header (AH): covers packet authentication and integrity (Authentication Protocol) • IP Encapsulating Security Payload (ESP): covers packet encryption, and can also provide authentication and integrity (combined encryption and authentication protocol) • Domain of Interpretation (DOI): contains the identifiers and values (algorithms, parameters) that IPSec and its key management protocol need for a given domain

  10. IPSec Protocols (2) IP Authentication Header (AH) – Extension header for authentication. • Does not encrypt the data in IP packets, but it does provide authentication, anti-replay, and integrity services • Integrity: any modification to a packet while in transit is detected by the receiver, which discards the packet • Authentication of a packet: • >the end system can verify the sender • >prevents address spoofing attacks • AH can be used by itself or in combination with ESP • AH alone provides basic security services with relatively low overhead • Caveat: because AH authenticates fields of the IP header, including the source and destination addresses, AH packets fail verification after passing through a NAT device

  11. IP Authentication Header Support for data integrity and authentication. Fields, in header order: • Next Header (8 bits): identifies the type of header immediately following the AH header (for example TCP, UDP, or an inner IP header in tunnel mode) • Payload Length (8 bits): the length of the AH header in 32-bit words, minus 2 • Reserved (16 bits): unused, for future use, set to zero • Security Parameters Index (SPI, 32 bits): together with the destination address identifies the datagram's security association (SA) = the list of security measures (algorithms, keys, lifetimes) negotiated by the communicating computers • Sequence Number (32 bits): a monotonically increasing counter value, used for anti-replay • Authentication Data (variable): the integrity check value (ICV), or MAC, for this packet, which the sending computer calculates over the IP header fields that do not change in transit (mutable fields such as TTL and header checksum are treated as zero), the AH header itself with the ICV field zeroed, and the datagram's IP payload
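The AH header layout and ICV computation of slide 11, with the HMAC-SHA1-96 truncation from slide 7, as an added example that is not part of the lecture. It builds a transport-mode AH packet over IPv4, verifies it, and shows that a TTL decrement by a router is tolerated while a NAT rewriting the source address is not. The SA key, addresses, SPI and payload are constructed; IP header checksums are left at zero because AH treats them as zero anyway.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12         # HMAC-SHA1-96: the 160-bit HMAC-SHA1 digest truncated to 96 bits


def ipv4_header(src, dst, total_len, proto, ttl=64):
    """Minimal IPv4 header (no options). The checksum is left at zero: it is a
    mutable field that AH treats as zero anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """Fields that legitimately change in transit (TOS, flags/fragment offset,
    TTL, header checksum) are zeroed before the ICV is computed, so a router
    decrementing the TTL does not break verification."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC-SHA1-96 over (immutable IP header || AH with ICV zeroed || payload)."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, next_header, payload):
    """Transport-mode AH: IP header, AH header, then the original payload."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = ipv4_header(src, dst, 20 + ah_len + len(payload), AH_PROTO)
    payload_len_field = ah_len // 4 - 2             # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def parse_ah(pkt):
    """Split an AH packet into its fields (no verification)."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", pkt[20:32])
    ah_len = (payload_len + 2) * 4
    return {
        "ip_hdr": pkt[:20],
        "next_header": next_header,
        "spi": spi,
        "seq": seq,
        "icv": pkt[32:20 + ah_len],
        "payload": pkt[20 + ah_len:],
    }


def verify_ah(key, pkt):
    """Recompute the ICV and compare it in constant time."""
    if len(pkt) < 20 + AH_FIXED_LEN + ICV_LEN or pkt[9] != AH_PROTO:
        return False
    p = parse_ah(pkt)
    expected = ah_icv(key, p["ip_hdr"], pkt[20:32], p["payload"])
    return hmac.compare_digest(expected, p["icv"])


if __name__ == "__main__":
    # Constructed SA key, addresses and payload (17 = UDP as the next header).
    key = b"constructed-sa-key-not-for-real-use"
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", 0x1000, 1, 17, b"hello")
    print("original:", verify_ah(key, pkt))
    # A router decrementing the TTL (byte 8) is fine: TTL is mutable.
    ttl_hop = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    print("after TTL decrement:", verify_ah(key, ttl_hop))
    # A NAT rewriting the source address (bytes 12-15) breaks AH.
    natted = pkt[:12] + ipaddress.IPv4Address("192.0.2.1").packed + pkt[16:]
    print("after NAT:", verify_ah(key, natted))
```

The constant-time comparison in verify_ah matters: comparing the ICV with `==` would leak, through timing, how many leading bytes of a forged ICV are correct.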

  12. IPSec Protocols (6) IP Encapsulating Security Payload (ESP) • Actually encrypts the data in an IP datagram: provides confidentiality of the packet • ESP also provides authentication, integrity, and anti-replay services • >Provides a limited authentication service: it authenticates the ESP header and payload but not the outer IP header

  13. IPSec Protocols (7) ESP • Can be used by itself or in combination with AH • Combining both gives the maximum possible security for a data transmission • ICV (Integrity Check Value): ESP calculates the value only over the information from the ESP header through the ESP trailer; no IP header fields are included, which is why ESP, unlike AH, survives NAT

  14. IPSec Protocols (8) IP Encapsulating Security Payload. Fields, in packet order: • Security Parameters Index (32 bits): a value that, combined with the packet's destination IP address and its security protocol (AH or ESP), identifies the datagram's security association • Sequence Number (32 bits): a monotonically increasing counter value • Payload Data (variable): in transport mode the TCP, UDP, or ICMP segment carried inside the original IP datagram; in tunnel mode the entire original IP datagram • Padding (0–255 bytes): added after the Payload Data so that the plaintext ends on the block boundary required by the encryption algorithm and the Pad Length and Next Header fields end on a 4-byte boundary • Padding also provides a degree of traffic flow confidentiality by concealing the actual length of the payload • Pad Length (8 bits): the number of padding bytes in this packet • Next Header (8 bits): identifies the type of data contained in the Payload Data field by identifying the first header in that payload • Authentication Data (variable): contains the integrity check value of the packet • >The ICV is computed over the ESP packet minus the Authentication Data field itself

  15. Transport & Tunnel Mode • Tunnel mode is designed to provide security for WAN connections, particularly Virtual Private Network (VPN) connections that use the Internet as the communications medium • In a tunnel mode connection the end systems need not support or implement the IPSec protocols; the routers (security gateways) at both ends of the WAN connection do • The entire original IP datagram, header included, becomes the protected payload, and a new outer IP header addressed to the gateways is added • Transport mode protects communications between computers on a network • The two end systems must support IPSec, but intermediate systems (such as routers) need not • Only the transport-layer segment is protected; the original IP header is kept • Both AH and ESP can be used in transport mode and in tunnel mode

  16. Tunnel Mode (2) • The tunnel mode communications process proceeds as follows: • A computer on one of the private networks transmits data using standard, unprotected IP datagrams • The packets reach the router that provides access to the WAN, which encapsulates them using IPSec, encrypting and hashing the data and adding a new outer IP header • The router transmits the encapsulated packets to the destination router at the other end of the WAN connection • The destination router verifies the packets by calculating and comparing the ICVs, discards any that fail, and decrypts them if necessary • The destination router unpacks the original, unprotected IP datagrams and transmits them to the destination(s) on its private network
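The ESP framing of slide 14 and the gateway procedure of slides 15 and 16, as one added example that is not part of the lecture. To keep the padding and trailer visible it uses the NULL encryption algorithm (ESP-NULL, RFC 2410) with HMAC-SHA1-96 for integrity, which is a legitimate but confidentiality-free IPSec configuration; a real SA would additionally encrypt the payload and trailer with, for example, AES. The key, the gateway addresses (taken from the documentation ranges), the inner datagram and its payload are all constructed for the example, and IP header checksums are left at zero.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50   # IP protocol number of ESP
IP_IN_IP = 4     # Next Header value meaning "an IP datagram follows" (tunnel mode)
ICV_LEN = 12     # HMAC-SHA1-96
ALIGN = 4        # ESP-NULL has block size 1, so only the 4-byte trailer alignment applies


def ipv4_header(src, dst, total_len, proto, ttl=64):
    """Minimal IPv4 header; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def esp_build(key, spi, seq, next_header, payload):
    """SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV.

    With a real cipher, Payload..Next Header would be encrypted first; the ICV
    is computed over the ESP header, (encrypted) payload and trailer, never
    over the IP header.
    """
    pad_len = (-(len(payload) + 2)) % ALIGN             # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))              # default pad bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_parse(key, esp):
    """Verify the ICV first, then strip the trailer.
    Returns (spi, seq, next_header, payload) or None if the packet is rejected."""
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                                     # forged or modified: drop
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:
        return None                                     # malformed trailer
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def gateway_encapsulate(key, spi, seq, gw_src, gw_dst, inner_pkt):
    """Tunnel mode, sending gateway: the whole unprotected datagram becomes the
    ESP payload and a new outer IP header addressed to the peer gateway is added."""
    esp = esp_build(key, spi, seq, IP_IN_IP, inner_pkt)
    return ipv4_header(gw_src, gw_dst, 20 + len(esp), ESP_PROTO) + esp


def gateway_decapsulate(key, outer_pkt):
    """Tunnel mode, receiving gateway: verify, unwrap, and return the original
    datagram to forward onto the private network (None = drop)."""
    if len(outer_pkt) < 20 or outer_pkt[9] != ESP_PROTO:
        return None
    parsed = esp_parse(key, outer_pkt[20:])
    if parsed is None or parsed[2] != IP_IN_IP:
        return None
    return parsed[3]


if __name__ == "__main__":
    key = b"constructed-sa-key-not-for-real-use"
    # Constructed datagram from a host on private network A to one on network B
    # (protocol 17 = UDP; the bytes after the header stand in for the UDP segment).
    data = b"hello-private-net"
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 20 + len(data), 17) + data
    outer = gateway_encapsulate(key, 0x2001, 7, "203.0.113.1", "198.51.100.1", inner)
    print("decapsulated matches original:", gateway_decapsulate(key, outer) == inner)
    tampered = bytearray(outer)
    tampered[40] ^= 1                                   # flip a bit inside the inner datagram
    print("tampered packet accepted:", gateway_decapsulate(key, bytes(tampered)) is not None)
```

The order inside esp_parse is deliberate: the ICV is checked before the Pad Length or Next Header bytes are trusted, so a receiver never acts on trailer fields an attacker could have chosen. Calling esp_build with the transport-layer segment and the real next-header value instead of IP_IN_IP gives transport mode with the same code.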

  17. Virtual Private Network (1) • VPN objectives • Security • End-to-end security (authentication and, optionally, privacy) for a host connecting to a private network over untrusted public intermediate networks • Security for private network-to-network communication over untrusted intermediate networks • Connectivity: for authorized sites, new users, and mobile users • Simplicity and cost effectiveness: transparent to the user, and applications work unchanged over the VPN • Quality: can provide QoS via SLAs

  18. Virtual Private Network (3) • Tunnelling • Encapsulating the data of one protocol inside the data field of another protocol, at: • layer 2 (Ethernet frames and addresses across a LAN): the portion of the VPN connecting internal sites (intranet) • layer 3 (routers forwarding IP information): the portion of the VPN connecting external sites (extranet) • Point-to-Point Tunneling Protocol (PPTP) • Uses PPP for tunnelling IP and non-IP packets • Layer 2 Tunneling Protocol (L2TP) • Merges PPTP and the Layer 2 Forwarding protocol (L2F) • Carries IP and non-IP packets over an IP network; L2TP itself provides no encryption, so it is normally combined with IPSec (L2TP/IPSec) • IP Security (IPSec)
