541 likes | 1.36k Views
IP Security. Outline. Introduction IP security Overview IP security Applications IP security Scenario IP security Benefits IP security Architecture Security Associations Combinations of SA’s Key Exchange Management. Basic Objective: Secure IP. Should achieve the following:
E N D
Outline • Introduction • IP security Overview • IP security Applications • IP security Scenario • IP security Benefits • IP security Architecture • Security Associations • Combinations of SA’s • Key Exchange Management
Basic Objective: Secure IP Should achieve the following: • Disallow links to un-trusted sites. • Encrypt packets that leave the premises. • Authenticate packets that enter the premises.
IP-Level Security • Consists of three aspects: • Authentication: insures that the received packet was transmitted by the party identified in the header. • Confidentiality: Enables communicating nodes to encrypt messages. • Key management: secure key exchange.
An Overview of IP • Internet Protocol (IP): “Provides the facilities for inter-connecting end systems across multiple networks.” Implemented in: • Each end system and • Routers of the networks. Routers must cope with heterogeneous networks.
Overview of IP • IP provides unreliable service. • No guarantee that all data packets will be delivered. • Delivered packets may arrive in wrong order. • Higher layer (TCP) must recover from any errors. • Provides great deal of flexibility: • No reliability requirements of subnets. • Packets can follow different paths.
An Overview of IP • Operation of IP: //The next slides shows the architecture of TCP/IP suite.// Example: “End system X wants to send a data packet to end system Y.”
IP Security Overview • IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
Applications of IPSec • Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. • Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.
Application of IPSec • Establishment of extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. • Enhancement of electronic commerce security: Most efforts to date to secure electronic commerce on the Internet have relied upon securing Web traffic with SSL since that is commonly found in Web browsers and is easy to set up and run. There are new proposals that may utilize IPSec for electronic commerce.
Applications of IP Security • IPSec can encrypt and authenticate all traffic at IP level. • Distributed applications (like remote login, client-server interaction, e-mail, file transfers, web accesss etc.) can be secured.
An IP Security Scenario • Suppose an organization maintains LANs at several dispersed locations. -Within each LAN, IP traffic is not secured. -For Inter-LAN traffic (over the Internet or a WAN), IPSec protocols are used.
An IP Security Scenario... • IPSec protocols operate in networking devices that connect a LAN to Internet. (like router) • Encrypt all traffic leaving a LAN and decrypt traffic incoming to a LAN. • IPSec operations are transparent to workstations and servers. • Secure transmission also possible with individual users. // User workstation must implement IPSec protocols//
Benefits of IP Security • Transparent to applications (below transport layer (TCP, UDP). //no need to change software on end systems.// -IPSec can be transparent to end users. //no need to train end users on security mechanisms.// • Provide security for individual users.
Benefits of IP Security • IPSec plays an important role in routing. • IPSec can assure that: • A router or neighbour advertisement comes from an authorized router • A redirect message comes from the router to which the initial packet was sent • A routing update is not forged
IP Security Architecture 1. Architecture: Covers general concepts, security requirements, etc. 2. Encapsulating Security Payload (ESP): Covers the issues of packet encryption. 3. Authentication header (AH): Cover issues of packet authentication
IP Security Architecture 4.Encryption Algorithms: how various encryption algos are used for ESP. 5. Authentication Algorithms: How various authentication algorithms are used for AH and authentication option of ESP. 6. Key Management: Documents that describe key management. 7. Domain of Interpretation (DOI): Defines payload formats, exchange types, and conventions for naming security
IPSec Services • IPSec uses two protocols to provide security: 1. Authentication Header (AH): an authentication protocol. 2. Encapsulating Security Payload (ESP): a combined encryption and authentication protocol.
IPSec Services • Access Control • Connectionless integrity • Data origin authentication • Rejection of replayed packets • Confidentiality (encryption) • Limited traffic flow confidentiallity
Security Associations (SA) • A simplex (uni-directional) logical connection, created for security purposes. • A one-way relationship between a sender and a receiver. • For a two-way secure exchange, two security associations are required. • Identified by three parameters: • Security Parameter Index (SPI): A bit string assigned to this SA. //Used by receiver to select the SA.//
Security Associations (SA) • IP Destination Address: • The address of the destination endpoint of SA. //may be an end user system, a firewall or a router// • Security Protocol Identifier: • Indicates if the association is an AH or ESP security association.
Modes Of Operations • AH and ESP support two modes of operations: • Transport • Tunnel. • Transport Mode: • Protection extends to the payload of an IP packet. • Used for end-to-end communication between two hosts (client and server, or two workstations).
Modes Of Operations • Tunnel Mode: • Provides protection to the entire IP packet. • After AH or ESP fields are added, the entire packet plus security fields are treated as a payload of a new IP packet. • A new IP header is attached.
Authentication Header • Provides support for: 1. Data integrity of a packet. • Modification to packets while in transit are not possible. 2. Authentication of a packet. • End system can verify the sender. • Prevents address spoofing attacks. 3. Also guards against replay attacks.
Encapsulating Security Payload 1. Provides confidentiality services. • Confidentiality of the packet. 2. Provides limited authentication service. • Authenticates the payload but not the header. 3. Also provides limited traffic confidentiality.
Combination of SAs • Four basic combinations. • Case 1: • All security is provided between end systems. • End systems share appropriate secret keys.
Combination of SAs • Case 2: • Security is implemented only between gateways (routers, firewalls). • End hosts do not implement IPSec. • A single tunnel SA is established between the gateways. • Could support AH, ESP, and ESP with authentication.
Combination of SAs • Case 3: • End-to-end security is added to Case 2. • Besides a tunnel SA, the end hosts may have one or more SAs. • Gateway-to-gateway tunnel provides authentication or confidentiality to traffic between end systems. • End systems can implement additional security using end-to-end SAs.
Combination of SAs • Case 4: • A tunnel mode exists between a host and a firewall. • Can be used by remote host to reach the firewall and gain access to a server or workstation behind the firewall.
Key Exchange Management • Handles key generation & distribution • Typically need 2 pairs of keys • 2 per direction for AH & ESP • Manual key management • System admin manually configures every system • Automated key management • automated system for on demand creation of keys for SA’s in large systems • has Oakley & ISAKMP elements