IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Slides:

Advertisements

Similar presentations

Internet Protocol Security (IP Sec)

Advertisements

IPSec.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Chapter 5 Network Security Protocols in Practice Part I

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

SCSC 455 Computer Security Virtual Private Network (VPN)

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Guide to Network Defense and Countermeasures Second Edition

Part 5:Security Network Security (Access Control, Encryption, Firewalls)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Internet Protocol Security (IPSec)

K. Salah1 Security Protocols in the Internet IPSec.

NetComm Wireless VPN Functionality Feature Spotlight.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

What Is Needed to Build a VPN? An existing network with servers and workstations Connection to the Internet VPN gateways (i.e., routers, PIX, ASA, VPN.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

Chapter 13 – Network Security

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

An Introduction to Encrypting Messages on the Internet Mike Kaderly INFS 750 Summer 2010.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

1 Network Security Lecture 8 IP Sec Waleed Ejaz

IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

Karlstad University IP security Ge Zhang

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.

Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,

Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.

Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.

1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.

V IRTUAL P RIVATE N ETWORKS K ARTHIK M OHANASUNDARAM W RIGHT S TATE U NIVERSITY.

IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.

1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.

Network Layer Security Network Systems Security Mort Anvari.

K. Salah1 Security Protocols in the Internet IPSec.

Securing Access to Data Using IPsec Josh Jones Cosc352.

Security Data Transmission and Authentication Lesson 9.

8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,

Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.

VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.

Chapter 5 Network Security Protocols in Practice Part I

Encryption and Network Security

SECURING NETWORK TRAFFIC WITH IPSEC

Module 8: Securing Network Traffic by Using IPSec and Certificates

Module 8: Securing Network Traffic by Using IPSec and Certificates

Introduction to Network Security

Presentation transcript:

IP Security (IPSec) Matt Hermanson

What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation between two hosts. This is the most popular method for encrypting data.

How does it work? IPSec works by establishing an association between two communicating devices. An association is formed by two devices authenticating their identities via a preshared key, Kerberos authentication, or digital certificates.

A preshared key is a series of letteIs, numbers, and special characters, much like a password, that both communicating devices use to authenticate each other's identity. A network administrator must enter the same preshared key in the IPSec configuration settings on both devices.

Kerberos authentication is used in a Windows domain environment or on a Linux system to authenticate users and computers. Kerberos authentication also uses keys, but the OS generates the keys, which makes this method more secure than having an administrator enter keys.

Digital certificates involve a third party called a certification authority (CA). Someone wanting to send encrypted data must apply for a digital certificate from a CA, which is responsible for verifying the applicant's authenticity. When an IPSec communication session begins, the communicating parties exchange certificates, and each party sends the certificate to the CA electronically to verify its authenticity.

Three standard IPSec policies –Client (Respond Only) –Server (Request Security) –Secure Server (Require Security) These policies are intended as models for administrators to create their own policies suitable for their networks, but they can be used as is or edited.

The Client (Respond Only) The Client (Respond Only) policy is intended primarily for client computers that need to access secure resources. With this policy, the computer uses encrypted communications only if the device it's communicating with requests secure communications.

Server (Request Security) If the Server (Request Security) policy is set, the computer requests IPSec- encrypted communication but allows unencrypted communication if the other device doesn't support IPSec.

Secure Server (Require Security) The Secure Server (Require Security) policy should be used when all communication of the type specified in the policy must be secure. A computer with this policy set rejects attempts to communicate if encryption is not used.

OSI Model In the OSI Model IPSec protocols operates at the network layer. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate from the transport layer in the OSI. This makes IPSec more flexible, as it can be used for protecting 4 protocols layers including both TCP and UDP, which are the most commonly used transport layer protocols. IPSec has an advantage over SSL and other methods that operate at higher layers.

OSI Model cont. For an application to use IPSec no code change in the applications is required whereas to use SSL and other higher level protocols, applications must undergo code changes. IPSec has an advantage over SSL and other methods that operate at higher layers. For an application to use IPSec no code change in the applications is required whereas to use SSL and other higher level protocols, applications must undergo code changes.

Security architecture IPSec is implemented by a set of cryptographic protocols for –(1) securing packet flows –(2) mutual authentication –(3) establishing cryptographic parameters

Security architecture The IP security architecture uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations. The actual choice of encryption and authentication algorithms (from a defined list) is left to the IPsec administrator.

Security architecture In order to decide what protection is to be provided for an outgoing packet, IPSec uses the security parameter index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPSec gathers decryption and verification keys from the security association database.

Security architecture For multicast, a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice.

Design intent IPSec was intended to provide either transport mode (end-to-end) security of packet traffic in which the end-point computers do the security processing, or tunnel mode (portal-to-portal) communications security in which security of packet traffic is provided to several machines (even to whole LANs) by a single node.

Design intent IPSec can be used to create Virtual Private Networks (VPN) in either mode, and this is the dominant use. However, that the security implications are quite different between the two operational modes.

Design intent Since the IP does not inherently provide any security capabilities, IPSec was introduced to provide security services such as the following: 1. Encrypting traffic (so it cannot be read by parties other than those for whom it is intended) 2. Integrity validation (ensuring traffic has not been modified along its path) 3. Authenticating the peers (ensuring that traffic is from a trusted party) 4.Anti-replay (protecting against replay of the secure session).

Modes IPSec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

Sources IPSec-Wikipedia htmlhttp:// html Guide to Networking Essentials