Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPsec  IPsec (IP security)  Security for transmission over IP networks The InternetThe Internet Internal corporate IP networksInternal corporate IP.

Published byCharity Flowers Modified over 8 years ago

Similar presentations

Presentation on theme: "IPsec  IPsec (IP security)  Security for transmission over IP networks The InternetThe Internet Internal corporate IP networksInternal corporate IP."— Presentation transcript:

1

2 IPsec  IPsec (IP security)  Security for transmission over IP networks The InternetThe Internet Internal corporate IP networksInternal corporate IP networks IP packets sent over public switched data networks (PSDN)IP packets sent over public switched data networks (PSDN) Local Network Internet Local Network

3 IPsec  Why do we need IPsec? IP has no securityIP has no security Add security to create a virtual private network (VPN) to give secure communication over the Internet or another IP networkAdd security to create a virtual private network (VPN) to give secure communication over the Internet or another IP network Local Network Internet Local Network

4 IPsec  Genesis Being created by the Internet Engineering Task ForceBeing created by the Internet Engineering Task Force For both IP version 4 and IP version 6For both IP version 4 and IP version 6

5 IPsec  Two Modes of operation  Tunnel Mode IPsec server at each siteIPsec server at each site Secures messages going through the InternetSecures messages going through the Internet Local Network Internet Local Network Secure Communication IPsec Server

6 IPsec  Tunnel Mode Hosts operate in their usual wayHosts operate in their usual way  Tunnel mode IPsec is transparent to the hosts No security within the site networksNo security within the site networks Local Network Internet Local Network Secure Communication IPsec Server

7 IPsec  Two Modes of operation  Transport Mode End-to-end security between the hostsEnd-to-end security between the hosts Security within site networks as wellSecurity within site networks as well Requires hosts to implement IPsecRequires hosts to implement IPsec Local Network Internet Local Network Secure Communication

8 IPsec  Transport Mode Adds a security header to IP packetAdds a security header to IP packet After the main IP headerAfter the main IP header Source and destination addresses of hosts can be learned by interceptorSource and destination addresses of hosts can be learned by interceptor Only the original data field is protectedOnly the original data field is protected Protected Original Data Field Original IP Header Transport Security Header

9 IPsec  Tunnel Mode Adds a security header before the original IP headerAdds a security header before the original IP header Has IP addresses of the source and destination IPsec servers only, not those of the source and destination hostsHas IP addresses of the source and destination IPsec servers only, not those of the source and destination hosts Protects the main IP headerProtects the main IP header Protected Original Data Field Protected Original IP Header Tunnel Security Header

10 IPsec  Can combine the two modes Transport mode for end-to-end securityTransport mode for end-to-end security Plus tunnel mode to hide the IP addresses of the source and destination hosts during passage through the InternetPlus tunnel mode to hide the IP addresses of the source and destination hosts during passage through the Internet Local Network Internet Local Network Tunnel Mode Transport Mode

11 IPsec  Two forms of protection  Encapsulating Security Protocol (ESP) security provides confidentiality as well as authentication  Authentication Header (AH) security provides authentication but not confidentiality Useful where encryption is forbidden by lawUseful where encryption is forbidden by law Provides slightly better authentication by providing authentication over a slightly larger part of the message, but this is rarely decisiveProvides slightly better authentication by providing authentication over a slightly larger part of the message, but this is rarely decisive

12 IPsec  Modes and protection methods can be applied in any combination Tunnel Mode Transport Mode ESPSupportedSupported AHSupportedSupported

13 IPsec  Security Associations (SAs) are agreements between two hosts or two IPsec servers, depending on the mode  “Contracts” for how security will be performed  Negotiated  Governs subsequent transmissions Host AHost B Negotiate Security Association

14 IPsec  Security Associations (SAs) can be asymmetrical Different strengths in the two directionsDifferent strengths in the two directions For instance, clients and servers may have different security needsFor instance, clients and servers may have different security needs Host AHost B SA for messages From A to B SA for messages From B to A

15 IPsec Policies may limit what SAs can be negotiated To ensure that adequately strong SAs for the organization’s threatsTo ensure that adequately strong SAs for the organization’s threats Gives uniformity to negotiation decisionsGives uniformity to negotiation decisions Host AHost B Security Association Negotiations Limited By Policies

16 IPsec  First, two parties negotiate IKE (Internet Key Exchange) Security Associations IKE is not IPsec-specificIKE is not IPsec-specific Can be used in other security protocolsCan be used in other security protocols Host AHost B Communication Governed by IKE SA

17 IPsec  Under the protection of communication governed by this IKE SA, negotiate IPsec-specific security associations Host AHost B Communication Governed by IKE SA IPsec SA Negotiation

18 IPsec  Process of Creating IKE SAs (and other SAs) Negotiate security parameters within policy limitationsNegotiate security parameters within policy limitations Authenticate the parties using SA-agreed methodsAuthenticate the parties using SA-agreed methods Exchange a symmetric session key using SA-agreed methodExchange a symmetric session key using SA-agreed method Communicate securely with confidentiality, message-by-message authentication, and message integrity using SA-agreed methodCommunicate securely with confidentiality, message-by-message authentication, and message integrity using SA-agreed method

19 IPsec  IPsec has mandatory security algorithms Uses them as defaults if no other algorithm is negotiatedUses them as defaults if no other algorithm is negotiated Other algorithms may be negotiatedOther algorithms may be negotiated But these mandatory algorithms MUST be supportedBut these mandatory algorithms MUST be supported

20 IPsec  Diffie-Hellman Key Agreement To agree upon a symmetric session key to be used for confidentiality during this sessionTo agree upon a symmetric session key to be used for confidentiality during this session Also does authenticationAlso does authentication Party AParty B

21 IPsec  Diffie-Hellman Key Agreement Each party sends the other a nonce (random number)Each party sends the other a nonce (random number) The nonces will almost certainly be differentThe nonces will almost certainly be different Nonces are not sent confidentiallyNonces are not sent confidentially Party AParty B Nonce B Nonce A

22 IPsec  Diffie-Hellman Key Agreement From the different nonces, each party will be able to compute the same symmetric session key for subsequent useFrom the different nonces, each party will be able to compute the same symmetric session key for subsequent use No exchange of the key; instead, agreement on the keyNo exchange of the key; instead, agreement on the key Party AParty B Symmetric Key From nonces, independently compute same symmetric session key

Download ppt "IPsec  IPsec (IP security)  Security for transmission over IP networks The InternetThe Internet Internal corporate IP networksInternal corporate IP."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Secure Mobile IP Communication

Secure Mobile IP Communication
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
1 IP VPN Nikolay Scarbnik. 2 Agenda Introduction………………………………………………………….3 VPN concept definition……………………………………………..4 VPN advantages……………...…………………………………….5.

1 IP VPN Nikolay Scarbnik. 2 Agenda Introduction………………………………………………………….3 VPN concept definition……………………………………………..4 VPN advantages……………...…………………………………….5.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

Similar presentations

Ads by Google