Security IPsec 1 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1

IP Security have a range of application specific security mechanisms – eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that cut across protocol layers would like security implemented by the network for all applications

IP Security general IP Security mechanisms provides – authentication – confidentiality – key management applicable to use over LANs, across public & private WANs, & for the Internet

IP Security Uses

Benefits of IPSec 1.IPsec in a firewall/router provides strong security to all traffic crossing the perimeter 2.IPsec in a firewall/router is resistant to bypass 3.is below transport layer, hence transparent to applications 4.can be transparent to end users 5.can provide security for individual users

IPSec Services 1.Access control 2.Connectionless integrity 3.Data origin authentication 4.Confidentiality (encryption) Two protocols are used to provide security: 1.an authentication protocol designated by the header of the protocol, Authentication Header (AH); 2. and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP) Both AH & ESP support two modes of use : Transport and Tunnel mode.

Transport and Tunnel Modes Transport Mode – to encrypt & optionally authenticate IP data (payload). – When AH is used : IP payload and selected portion of the header will be authenticated. – When ESP is used : IP payload wil be encrypted. – When ESP with authentication is used : IP payload will be encrypted and authenticated.

Transport and Tunnel Modes Tunnel Mode – encrypts entire IP packet – add new header for next hop. – When AH is used : authenticate the entire inner header + inner payload + a selected portion of the outer header. – When ESP is used : entire inner IP packet will be encrypted. – When ESP with authentication is used : entire inner IP packet will be encrypted and authenticated

IPSec Modes of Operation Transport Mode: protect the upper layer protocols IP Header TCP Header Dat a Original IP Datagram IP Header TCP Header IPSec Header Dat a Transport Mode protected packet  Tunnel Mode: protect the entire IP payload Tunnel Mode protected packet New IP Header TCP Header IPSec Header Dat a Original IP Header protected

Tunnel Mode Host-to-Network, Network-to- Network Protecte d Data IPSec IP Layer SG Inter net Transpo rt Layer Applicat ion Layer IP Layer Host B Protecte d Data IPSec IP Layer SG Transpo rt Layer Applicat ion Layer IP Layer Host A SG = Security Gateway

Transport Mode Transport Layer Application Layer Host-to-Host Transport Layer Application Layer IP Layer Data Link Layer IPSec Host B IP Layer Data Link Layer IPSec Host A

Security Associations a one-way relationship between sender & receiver that affords security for traffic flow defined by 3 parameters: – Security Parameters Index (SPI) – IP Destination Address – Security Protocol Identifier have a database of Security Associations

Security Policy Database  relates IP traffic to specific SAs match subset of IP traffic to relevant SA use selectors to filter outgoing traffic to map based on: local & remote IP addresses, next layer protocol, name, local & remote ports

IP Traffic Processing IT352 | Network Security |Najwa AlGhamdi 14

IP Traffic Processing IT352 | Network Security |Najwa AlGhamdi 15