1 / 19

INTERNET PROTOCOL SECURITY IPsec

INTERNET PROTOCOL SECURITY IPsec. IPsec Definition:. IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. The IP, which is the standard protocol used for communication across the Internet

barnabas-sean
Download Presentation

INTERNET PROTOCOL SECURITY IPsec

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INTERNET PROTOCOL SECURITY IPsec IPsec Definition: • IPSec is a suite of protocols defined by the Internet Engineering Task Force • (IETF) to provide security services at the network layer. • The IP, which is the standard protocol used for communication across the • Internet • IPSec is in 3rd layer (network) in OSI model. • Optional security in V4 & obligatory in V6 Why IPsec ? • IPSec provides a range of : • Connectionless integrity, • data authentication, • security services, • protection against replays, • confidentiality (encryption), • and limited traffic flow confidentiality.

  2. IPsec Scenario: Transport mode Tunnel mode

  3. IPsec Architecture: • Covers security requirements, • definitions, & mechanisms of IPsec Architecture • Access protocol,protection • against anti-replay, data • origin authentication Data Confidentiality & limits traffic flow AH Protocol ESP Protocol Choose suitable Algorithm for ESP Encryption alg. Authentication alg. DOI Domain of Interpretation, include identifiers for approved authentication & Encrypted algorithm Documents that describe key management Key management

  4. IPsec Protocol: • IPSec comprises two protocols that provide security services & • key managementmechanism. • Authentication Header (AH) • Access control, connectionless integrity, data origin authentication and • protection against anti-replayare provided by the protocol. • Encapsulating Security Payload (ESP) • provides Confidentiality of the data and limited traffic flow confidentiality

  5. IPsec Modes: • Transport mode : • is designed for host-to-host communication and does not • afford total protection for the IP packets transmitted between the two hosts. • The security protocol header is inserted between the IP header & the upper • layer protocol header, protecting only the upper layer payload of the packet. • Tunnel mode : • is usedTo protect the entire IP packet, the packet is ‘wrapped' in a new • IP packet, and both the header and the payload of the original packet are • afforded IPSec protection.

  6. Authentication Header Next Header: identifies the type of next header Payload length: identifies size of data in the packet SPI:Identifies security association Sequence counter: designed to thwart replay attacks By initializing the sender a counter by zero, each time the packet is sent on SA, the sender increments the counter, finally it will return to zero Authentication data: contains integrity check value

  7. Encapsulation Header SPI:Identifies security association Sequence counter: designed to thwart replay attacks By initializing the sender a counter by zero, each time the packet is sent on SA, the sender increments the counter, finally it will return to zero Payload data: identifies size of IP data in the packet Padding: Expand the plain text size Next Header: identifies the type of data in next header Authentication data: contains integrity check value

  8. IPSec Session Mangement • For two IPSec endpoints to be able to securely communicate, each host needs • to be aware of the parameters to be used in the communication. • such as: • Security Associations (SAs) and • Security Policies. Security association defined as a one-way contract between two communicating hosts. An SA is used to define the communication parameters between the two IPSec secured peers. The parameters defined in the SA are: • Which protocol to be used - AH or ESP • What transforms to be used - • Encryption keys • Lifetime of the keys • Sequence Number • Anti-replay window • Mode • Tunnel destination

  9. Security association Cont… • It is possible to use more than one protocol to communicate between the 2 hosts • at the same time – for example SQL database traffic using ESP and LDAP • Synchronisation could be using AH.

  10. Creating Security association • SAs can be setup by : • Setting up an SA manually is called Manual Keying. • The two parties that need to communicate agree upon the initial key. • The key is exchanged out of band, e.g. by using email or over the phone. • This key is then manually keyed in using the user interface to the IPSec kernel & • set up the other parameters such as Security Parameter Index and key expiry • date. • 2. Dynamically using a key management protocol such as Internet Key Exchange • (IKE) protocol. • If there is no SA available, the IPSec kernel invokes IKE. IKE negotiates the SA • with the destination host based on the IPSec policy associated with that host. • During thesenegotiations, a pair of SAs for the communication between these • two hosts are generated and added to the Security Association Database. • This is known as auto mated key exchange.

  11. Identifying the correct Association for a session • A combination of three fields in the SAD is used to uniquely identify each SA. • 1- Destination IP address • 2- The IPSec protocol to be used for that session. • 3-Security Parameter Index (SPI) is a unique 32-bit parameter that identifies • the SA used for the session • Every IPSec packet that is communicated contains an SPI. • When there are multiple security associations between two hosts, the SPI is • used to identify the correct SA for a particular communication session.

  12. Basic Combination of Security Associations • We have four examples of combinations of SAs that must be supported by • Compliant IPSec hosts (workstation,server) or security gateways(firewall,router) • Each SA can be either AH or ESP for host tohost SAs the mode may be • transport or tunnel,otherwise it must be tunnel mode

  13. Basic Combination of Security Associations Cont... Case 2 : security is provided only between gateways Case 3: security is provided between gateways and host to host

  14. Basic Combination of Security Associations Cont... Case4 : only tunnel mode between remot host and the firewall One or two SAs between remot host and local host

  15. Security Policy • The security policy defines the security services to be applied at the IPSec • endpoint, and every IP packet processed has to be evaluated against the policy • regardless of whether it is protected by IPSec or not. • Security policies are maintained in a Security Policy Database (SPD). • IPSec architecture specifies that a separate SPD be maintained for every IPSec • enabled interface.Two tables are defined in the SPD for inbound & outbound • policy. • Each entry has to indicate how the traffic that matches that entry is processed, • need to be (bypass, reject or proceed with IPSec processing). • Each policy entry also has a number of selectors that are used to identify • the policy application process. These selectors include source address, • destination address, user ID or system name, transport layer protocol • and source and destination ports.

  16. IPSec Key Mangement • This mutual authentication is achieved through a pre-shared secret key, • digital certificate, or a digital signature. • Once the two communicating systems have authenticated themselves to each • other, they generate session keys for data integrity and confidentiality . IKE Phases • Phase 1 • is used for mutual authentication of the IPSec peers. • the IPSec peers authenticate each other, and setup a communication channel. • exchange happens once per communication session, and pre-shared secrets • or public key pairs are used for identification and authentication. • The secure, authenticated communication channel established is called • an ISAKMP • Phase 2 • session keys for other security services are established using the ISAKMP . • can result in multiple connections. • IPSec security associations are generated during this phase.

  17. InBound Packet Processing OUTBound Packet Processing

  18. IPSec Key Implementation IPSec is implemented at the IP layer, thus providing security services to the upper layer protocols. IPSec can be implemented between, two hosts, two gateways or between a host and a gateway. Some examples of these of implementations are: a) Two servers synchronising a database, either internally or across the Internet

  19. IPSec Key Implementation Cont... b) Two gateways, providing secure communication between the two networks connected by the two gateways c) A gateway and host/s as in remote access solutions.

More Related