
IPSec
IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.


1 IPSec
IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

2 Usability and Security
Security <--------------------------> Convenience / Usability
Determine where on this line your organization's needs lie.

3 Services, Mechanisms, Algorithms
A typical security protocol provides one or more security services (authentication, secrecy, integrity, etc.). Services are built from mechanisms. Mechanisms are implemented using algorithms.
• Services (security protocols): SSL, IPSec, PPTP, etc.
• Mechanisms: signatures, encryption, hashing
• Algorithms: DSA, RSA, DES, SHA1, MD5

4 Security in the Internet Architecture
• Lack of security in the Internet architecture: security was left up to the applications
• With the passage of time it was realized that universal security at the IP level would become a need and not a luxury

5 Security Protocol Layers
• The further down the stack you go, the more transparent it is
• The further up you go, the easier it is to deploy

6 Some Pros of Security at the IP Level
• Can be end to end, or at least multi-link, unlike the link layer
• Could be hardware or software supported (hardware support for encryption)
• Can shield unmodified host applications, giving them crypto/security at the level of networks, hosts and possibly users
• Can extend a secure enclave across insecure areas

7 What is IPSec?
• Extensions to the basic Internet Protocol to provide security functions at the IP level
• Applicable to both IP Version 4 and IP Version 6
• IPSec is available in Windows 2000, Linux, Cisco routers, etc.

8 How do you know IPSec is there?
AH and ESP are new IP-layer protocols (protocol numbers 51 and 50 respectively) that carry either:
1. an IP datagram encapsulated in them (tunnel mode), or
2. TCP/UDP and the rest of the stack above them (transport mode)
Every packet may have AH/ESP applied to it: AH for authentication; ESP for encryption and authentication. This is bulk, per-packet encryption/authentication.

9 IP Security Usage Scenario

10 Applications of IPSec
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with business partners
• Enhancing electronic commerce security

11 IP Security Architecture
• Defined by the IPSec documents (RFCs) of the IP Security Protocol Working Group of the IETF
• IP security is evolving with the passage of time
• IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithms to use for the services, and put in place any cryptographic keys required.

12 IPSec Documents Overview
Relevant RFCs:
• RFC 1825: An overview of a security architecture
• RFC 1826: Description of a packet authentication extension to IP
• RFC 1828: A specific authentication mechanism
• RFC 1827: Description of a packet encryption extension to IP
• RFC 1829: A specific encryption mechanism

13 AH and ESP
• AH: The Authentication Header provides support for data integrity and authentication of IP packets.
• ESP: The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide the same authentication service as AH.

14 IPSec Services

15 IPSec Framework Protocols
Authentication Header (diagram: R1 to R2, all data in plaintext). AH provides the following:
• Authentication
• Integrity
Encapsulating Security Payload (diagram: R1 to R2, data payload encrypted). ESP provides the following:
• Encryption
• Authentication
• Integrity

16 IPSec Framework (diagram; label recovered: Diffie-Hellman DH7)

17 Confidentiality (least secure to most secure)
• Key length: 56 bits
• Key length: 56 bits (3 times)
• Key lengths: 128 bits, 192 bits, 256 bits
• Key length: 160 bits
(diagram; label recovered: Diffie-Hellman DH7)

18 Integrity (least secure to most secure)
• Key length: 128 bits
• Key length: 160 bits
(diagram; label recovered: Diffie-Hellman DH7)

19 Authentication (diagram; label recovered: Diffie-Hellman DH7)

20 Security Associations
• What is an SA? An SA is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
• SA parameters: the Security Association Database stores the parameters associated with each of the SAs.
• SA selectors: each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors.

21 Security Association (SA)
• A simplex (uni-directional) logical connection, created for security purposes
• All traffic traversing an SA is provided the same security processing
• In IPsec, an SA is an Internet-layer abstraction implemented through the use of AH or ESP
• State data associated with an SA is represented in the SA Database (SAD)

22 Security Parameters Index (SPI)
An arbitrary 32-bit value that is used by a receiver to identify the SA to which an incoming packet should be bound. For a unicast SA, the SPI can be used by itself to specify an SA, or it may be used in conjunction with the IPsec protocol type. Additional IP address information is used to identify multicast SAs. The SPI is carried in AH and ESP protocols to enable the receiving system to select the SA under which a received packet will be processed. An SPI has only local significance, as defined by the creator of the SA (usually the receiver of the packet carrying the SPI); thus an SPI is generally viewed as an opaque bit string. However, the creator of an SA may choose to interpret the bits in an SPI to facilitate local processing.

23 Security Association Database Parameters
• Security Parameters Index (SPI)
• Sequence number counter
• Sequence number overflow
• Anti-replay window
• AH information
• ESP information
• Lifetime of SA
• IPSec protocol mode
• Path MTU
• Other information

24 SA Selectors
IPSec provides flexibility:
• SAs can be combined
• The Security Policy Database (SPD) specifies the mapping of IP traffic to SAs
• Mapping is done according to the field values of selectors:
  – destination IP address
  – source IP address
  – user ID
  – data sensitivity level
  – transport layer protocol
  – source and destination ports
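As an added illustration of the SPD mapping just described (not code from the presentation), the following constructs a small ordered policy database and resolves packets against it by address range, transport protocol and destination port; the user-ID and data-sensitivity selectors are left out, and all addresses, SPIs and policy entries are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard value for a selector field


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: int  # transport protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int


@dataclass(frozen=True)
class SpdEntry:
    src_net: str               # selector: source address range (CIDR)
    dst_net: str               # selector: destination address range (CIDR)
    proto: Optional[int]       # selector: transport protocol, or ANY
    dport: Optional[int]       # selector: destination port, or ANY
    action: str                # "protect", "bypass" or "discard"
    spi: Optional[int] = None  # SA (identified by its SPI) used when protecting

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in (ANY, p.proto)
                and self.dport in (ANY, p.dport))


def spd_lookup(spd, p: Packet) -> SpdEntry:
    """Ordered search: the first entry whose selectors all match decides.
    A packet matching no entry is discarded rather than sent in the clear."""
    for entry in spd:
        if entry.matches(p):
            return entry
    return SpdEntry("0.0.0.0/0", "0.0.0.0/0", ANY, ANY, "discard")


# Constructed policy for a gateway in front of the 10.1.0.0/16 branch: traffic to
# the 10.2.0.0/16 head office uses the SA with SPI 0x1001, DNS and other Internet
# traffic bypasses IPSec, and telnet to the Internet is refused outright.
SPD = [
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", ANY, ANY, "protect", spi=0x1001),
    SpdEntry("10.1.0.0/16", "0.0.0.0/0", 17, 53, "bypass"),
    SpdEntry("10.1.0.0/16", "0.0.0.0/0", 6, 23, "discard"),
    SpdEntry("10.1.0.0/16", "0.0.0.0/0", ANY, ANY, "bypass"),
]
```

Entry order matters: telnet to the head office still matches the first entry and is protected, while the same port toward the Internet hits the discard rule before the catch-all bypass.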

25 Transport and Tunnel Modes
• Tunnel mode means that one outgoing IP packet is encapsulated in another packet, typically with a different IP destination
• Tunnels can be (1) router to router, (2) router to host or host to router, (3) host to host

26 Transport and Tunnel Modes

27 Tunnel Mode and Transport Mode Functionality

28 Authentication Header

29 Services Provided by AH
• Anti-replay service
• Integrity Check Value

30 Anti-Replay Service
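The anti-replay service of slide 30, together with the sequence number counter, overflow and window parameters listed on slide 23, as an added worked example (not the presentation's own code): a sender-side counter that refuses to wrap, and a receiver-side sliding window following the RFC 2401 Appendix C scheme with a constructed default size of 64 and a caller-supplied ICV verdict.

```python
SEQ_MAX = 0xFFFFFFFF  # 32-bit sequence number field in AH and ESP


class SeqCounter:
    """Sender-side sequence number counter for one SA. The counter must never
    wrap: RFC 2401 requires a new SA (re-keying) before it would overflow."""
    def __init__(self):
        self.value = 0

    def next(self) -> int:
        if self.value >= SEQ_MAX:
            raise OverflowError("sequence number exhausted: SA must be re-keyed")
        self.value += 1
        return self.value


class AntiReplayWindow:
    """Receiver-side sliding window (RFC 2401 Appendix C). Bit i of `bitmap`
    is set once sequence number (right_edge - i) has been accepted."""
    def __init__(self, size: int = 64):
        self.size = size
        self.right_edge = 0   # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq: int, icv_valid: bool = True) -> bool:
        """Return True if the packet should be processed. The window is only
        advanced after the ICV has verified, so a forged packet carrying a
        large sequence number cannot push legitimate traffic out of the window."""
        if seq == 0:
            return False                  # 0 is never a valid sequence number
        if seq > self.right_edge:
            if not icv_valid:
                return False
            shift = seq - self.right_edge
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.right_edge = seq
            return True
        offset = self.right_edge - seq
        if offset >= self.size:
            return False                  # left of the window: too old
        if (self.bitmap >> offset) & 1:
            return False                  # already seen: replay
        if not icv_valid:
            return False
        self.bitmap |= 1 << offset
        return True
```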

31 Transport and Tunnel Modes

32 Scope of Authentication Header

33 Scope of Authentication Header

34 Encapsulating Security Payload - ESP
ESP services:
• Confidentiality
• Authentication services
ESP format fields:
• SPI
• Sequence Number (SN)
• Payload Data (PD)
• Padding
• Pad Length
• Next Header
• Authentication Data
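To make the ESP field layout concrete, here is an added example (not from the presentation) that assembles and parses a packet in that exact field order, verifying the Authentication Data before trusting the trailer. It assumes HMAC-SHA1-96 for the ICV and a constructed 4-byte alignment; encryption of the payload, padding and trailer is deliberately left out so the layout stays visible.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits


def esp_build(spi: int, seq: int, payload: bytes, next_header: int,
              auth_key: bytes, block: int = 4) -> bytes:
    """Lay out SPI | SN | Payload Data | Padding | Pad Length | Next Header |
    Authentication Data. Padding makes payload + padding + the two trailer
    bytes a multiple of `block` (cipher block size, at least 4) and consists
    of the bytes 1, 2, 3, ... so the receiver can check it. Encryption of the
    payload/padding/trailer is omitted; the ICV covers all of it."""
    pad_len = (-(len(payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))
    authenticated = (struct.pack("!II", spi, seq) + payload + padding
                     + bytes([pad_len, next_header]))
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_parse(pkt: bytes, auth_key: bytes) -> dict:
    """Verify the ICV, then unpack the fields. The trailer is trusted only
    after authentication succeeds, so a tampered Pad Length cannot steer the
    parser (the order a real receiver follows: authenticate first)."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short to be ESP")
    authenticated, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet discarded")
    spi, seq = struct.unpack("!II", authenticated[:8])
    body = authenticated[8:]
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if payload_end < 0:
        raise ValueError("pad length exceeds payload")
    if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not follow the 1, 2, 3, ... pattern")
    return {"spi": spi, "seq": seq, "payload": body[:payload_end],
            "pad_len": pad_len, "next_header": next_header}
```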

35 ESP

36 ESP Format

37 Transport-level security

38 A virtual private network via Tunnel Mode

