Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

Published byEleanore Fisher Modified over 9 years ago

Similar presentations

Presentation on theme: "IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows."— Presentation transcript:

1 IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows

2 Implementation approaches ● BITS – Bump in the stack, usually tightly integrated in the OS ● BITW – Bump in the wire, Often a hardware device connected to a router or security gateway.

3 Security Features ● Authentication – Verifies the identity of the sender ● Integrity – Ensures that the data has not been changed in transit ● Confidentiality – Encrypts data using symmetric key ● Replay Protection – Attacker can't resend packets without being detected

4 IPSec Components ● SPD - Security Policy Database – Defined by the sysadmin – Contains a set of rules Src IP | Dst IP | Ports | Action | IPSec Protocol | Mode | SA Index ● SAD – Security Association Database – Contains Security Associations – Each Security Association contains keys, sequence numbers – Must be stored in a secure place

5 IPSec Components ● Key Management – Internet Key Exchange Protocol (IKE) ● Data Manipulation – For authentication, encryption and compression – Authentication Header (AH) – Encapsulation Security Payload (ESP) – IP Compression (IPCOMP)

6 IPSec Modes ● Transport Mode – Used primarily to protect IP traffic between hosts – Adds requested protection to the datagram payload ● Tunnel Mode – The entire IP Datagram is treated as a block of data – Adds new header and protects the datagram – Used primarily between gateways

7 IPSec Transport Mode IP Header Payload IP Header IPSec Header (AH or ESP) IP Datagram to be protected Protected Datagram

8 IPSec Tunnel Mode IP Header Payload New IP Header IPSec Header (AH or ESP) IP Datagram to be protected Protected Datagram (Tunnel Mode) Original IP Header

9 IPSec Protocols (HEADERS) ● AH - Authentication Header – Connectionless integrity – Data origin authentication – Optional anti-replay service ● ESP – Encapsulating Security Payload – Confidentiality plus AH services

10 Security Associations (SA) ● A Security Association is a bundle of algorithms and keys/IVs ● They provide security services to the traffic carried by it. ● SA's are different for tunnel mode and transport mode ● If either end of a security association is a security gateway the SA must be tunnel mode ● Every host must support both tunnel mode and transport mode

11 Security Association Database (SAD) ● Separate SAD's are required for inbound traffic and outbound traffic ● The SAD contains parameters that are associated with each active security association ● A Selector is a set of IP and upper layer protocol field values that is used by the SPD to map traffic to a policy

12 SPI ● Security Parameters Index (32 bits) ● Arbitrary ● The SPI and the destination IP address identifies the Security Association of the receiving party. ● Sequence Number ● Increases by 1 for every packet ● Used for replay detection

13 SAD Record Contents SPI580974 Src IP192.168.2.1192.168.1.1 Dst IP192.168.1.1192.168.2.1 Src PortAnyAny Dst PortAny80 Parametersstuffstuff TypeInboundOutbound Pointer to SPD Entry47

14 Additional SAD Record Fields ● Sequence Counter ● Sequence Counter Overflow ● A flag when set causes an auditable event ● Anti-Replay Window ● AH Authentication Algorithm, keys, etc. ● ESP Encryption Algorithm, keys, IV Mode, IV, etc. ● ESP Authentication Algorithm, keys, etc. ● Lifetime of this SA ● IPSec protocol mode: tunnel, transport ● Path MTU

15 Security Policy Database (SPD) ● Security association is a management construct to enforce a security policy ● A security policy specifies what services are to be offered to IP datagrams and in what fashion ● All processing of traffic both inbound and outbound must consult the SPD ● The SPD must specify what action will be taken on every packet

16 SPD Record Contents Rule #12 Src IP192.168.1.1192.168.2.1 Dst IP192.168.2.1192.168.1.1 Src PortAnyAny Dst Port23443 ActionIPSecIPSec ProtocolESPAH ModeTunnelTunnel Outbnd SA Index4001

17 Traffic processing ● Every inbound and outbound packet is processed by IPSec ● Three processing choices: – Discard ● Not allowed to enter host ● Auditable event – Bypass IPSec – Apply IPSec

18 SA Selectors ● Dest IP Address ● Source IP Address ● Name – usually User ID ● Data Sensitivity Level for info flow security – Bell-LaPadua Model ● Transport Layer Protocol ● Src/Dst Ports – In the case the Upper layer is encrypted these selectors may have the value “OPAQUE”

19 Outbound IP Traffic Processing ● The SPD must be consulted for every outbound packet – If no policy is found that matches the packet, the packet MUST be discarded and audited – If a policy is found that matches then the packet is mapped to an existing SA or a new SA is created. ● If IPSec is required the packet must be either mapped to an existing SA of a new SA is created ● Create a Header for Tunnel Mode

20 Outbound IP Traffic Processing ● Some packet's selectors will match multiple SAs ● The SPD is ordered ● IPSec must 1)Locate the first appropriate policy in the SPD 2)Find first SA is the SAD that matches the packet's selectors 3)If no SA is found create a new one and link to the appropriate policy in the SPD 4)Do the required IPSec processing

21 Inbound IP Traffic Processing ● All fragments are reassembled ● Mapping the IP datagram to the appropriate SA depends on: ● Outer IP header destination address ● The IPSec protocol ● The SPI ● If the mapping fails drop and log ● Otherwise use the SA to do the IPSec processing

Download ppt "IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
IP security over ATM CS 329 Hwajung Lee Computer and Communications Security The George Washington University.

IP security over ATM CS 329 Hwajung Lee Computer and Communications Security The George Washington University.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.
IPSec.

IPSec.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Network Layer Security: IPSec

Network Layer Security: IPSec
IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: email – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.

IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
IPSec Isaac Ghansah.

IPSec Isaac Ghansah.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

Similar presentations

Ads by Google