Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Published byNorman Bryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi."— Presentation transcript:

1 Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

2 What is IP Security Framework of open standards to ensure secure communications over the Internet In short: It is the network layer Internet Security Protocol

3 IPSEC Service Internet/ Intranet IPSec disabled host Case 1 : Insecure IP Packet IPSec enabled host Case 2 : Secure IP Packet IP Header Upper layer data IP Header IPSec Header Upper layer data

4 IPSec general IP Security mechanisms provides –authentication –confidentiality –key management applicable to use over LANs, across public & private WANs, & for the Internet

5 IP sec Application IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. –Secure branch office connectivity over the Internet –Secure remote access over the Internet –Establishing extranet and intranet connectivity with partners –Enhancing electronic commerce security

6 Security Associations One of the most important concepts in IPSec is called a Security Association (SA). Defined in RFC 1825. SAs are the combination of a given Security Parameter Index (SPI) and Destination Address. SAs are one way. A minimum of two SAs are required for a single IPSec connection. SAs contain parameters including: –Authentication algorithm and algorithm mode –Encryption algorithm and algorithm mode –Key(s) used with the authentication/encryption algorithm(s) –Lifetime of the key –Lifetime of the SA –Source Address(es) of the SA –Sensitivity level (ie Secret or Unclassified)

7 IP security scenario

8 scenario of IPSec usage An organization maintains LANs at dispersed locations Non secure IP traffic is conducted on each LAN. IPSec protocols are used These protocols operate in networking devices that connect each LAN to the outside world. (router, firewall ) The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN

9 Why not use IPSec? Processor overhead to encrypt & verify each packet can be great. Added complexity in network design.

10 Benefits of IPSec in a firewall/router provides strong security to all traffic crossing the perimeter in a firewall/router is resistant to bypass is below transport layer, hence transparent to applications can be transparent to end users can provide security for individual users secures routing architecture

11 IPsec

12 Network Layer Security IP security (IPsec) –Two protocols Authentication protocol, using an Authentication Header (AH) Encryption/authentication protocol, called the Encapsulating Security Payload (ESP) –Two modes of operation Transport mode: provides protection for upper-layer protocols Tunnel mode: protects the entire IP datagram

13 IPSec protocols – AH protocol AH - Authentication Header –Defined in RFC 1826 –Integrity: Yes, including IP header –Authentication: Yes –Non-repudiation: Depends on cryptography algorithm. –Encryption: No –Replay Protection: Yes IP HeaderAH HeaderPayload (TCP, UDP, etc) IP HeaderAH HeaderPayload (TCP. UDP,etc)IP Header Transport Packet layout Tunnel Packet layout

14 IPSec protocols – ESP protocol ESP – Encapsulating Security Payload –Defined in RFC 1827 –Integrity: Yes –Authentication: Depends on cryptography algorithm. –Non-repudiation: No –Encryption: Yes –Replay Protection: Yes IP HeaderESP HeaderPayload (TCP, UDP, etc) IP HeaderESP HeaderPayload (TCP. UDP,etc)IP Header Transport Packet layout Tunnel Packet layout UnencryptedEncrypted

15 What protocol to use? Differences between AH and ESP: –ESP provides encryption, AH does not. –AH provides integrity of the IP header, ESP does not. –AH can provide non-repudiation. ESP does not. However, we don’t have to choose since both protocols can be used in together. Why have two protocols? –Some countries have strict laws on encryption. If you can’t use encryption in those countries, AH still provides good security mechanisms. Two protocols ensures wide acceptance of IPSec on the Internet.

16 Data Integrity and Confidentiality Basic difference between AH and ESP

17 IPSec Protocols (cont) Algorithms Used: Encryption: Symmetric – As IP packets may arrive out of order and Asymmetric algorithms are incredible slow. E.g. DES (Data Encryption Standard)  Authentication: MAC (Message Authentication Codes) based on symmetric encryption algorithms. One way hash functions. (MD5 or SHA-1)

18 Transport Versus Tunnel Mode Transport Mode: Used for Peer to Peer communication security Data is encrypted Tunnel Mode: Used for site-to-site communication security Entire packet is encrypted.

19 Transport versus Tunnel mode (cont) Transport mode is used when the cryptographic endpoints are also the communication endpoints of the secured IP packets. Cryptographic endpoints: The entities that generate / process an IPSec header (AH or ESP) Communication endpoints: Source and Destination of an IP packet

20 Transport versus Tunnel mode (cont) Tunnel mode is used when at least one cryptographic endpoint is not a communication endpoint of the secured IP packets. Outer IP Header – Destination for the router. Inner IP Header – Ultimate Destination

21 Transport Mode Tunneling Mode

22 How IPSec works: Phase 1 Internet Key Exchange (IKE) is used to setup IPSec. IKE Phase 1: –Establishes a secure, authenticated channel between the two computers –Authenticates and protects the identities of the peers –Negotiates what SA policy to use –Performs an authenticated shared secret keys exchange –Sets up a secure tunnel for phase 2 –Two modes: Main mode or Aggressive mode Main Mode IKE 1.Negotiate algorithms & hashes. 2.Generate shared secret keys using a Diffie-Hillman exchange. 3.Verification of Identities. Aggressive Mode IKE –Squeezes all negotiation, key exchange, etc. into less packets. –Advantage: Less network traffic & faster than main mode. –Disadvantage: Information exchanged before a secure channel is created. Vulnerable to sniffing.

23 How IPSec works: Phase 2 –An AH or ESP packet is then sent using the agreed upon “main” SA during the IKE phase 1. –IKE Phase 2 Negotiates IPSec SA parameters Establishes IPSec security associations for specific connections (like FTP, telnet, etc) Renegotiates IPSec SAs periodically Optionally performs an additional Diffie-Hellman exchange

24 How IPSec works: Communication Once Phase 2 has established an SA for a particular connection, all traffic on that connection is communicated using the SA. IKE Phase 1 exchange uses UDP Port 500. AH uses IP protocol 51. ESP uses IP protocol 50.

25 Key Management

Download ppt "Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Cryptography and Network Security

Cryptography and Network Security
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

Similar presentations

Ads by Google