What is in Presentation: What is IPsec; Why is IPsec Important; IPsec Protocols; IPsec Architecture; How to Implement IPsec in Linux
Dec 24, 2015

Paul Marsh
Transcript
  • Slide 1
  • What is in Presentation: What is IPsec; Why is IPsec Important; IPsec Protocols; IPsec Architecture; How to Implement IPsec in Linux
  • Slide 2
  • What is IPsec IPsec is a set of security protocols and algorithms used to secure IP traffic at the network layer. It provides confidentiality (encryption), integrity (a keyed hash, the integrity check value, over each packet) and data-origin authentication of IP packets, with the peers themselves authenticated during key exchange by pre-shared keys or certificates, while the packets remain routable through existing IP networks.
  • Slide 3
  • What is IPsec IPsec protection involves five main components. Security protocols: the IP datagram protection mechanisms. The Authentication Header (AH) authenticates each IP packet with an integrity check value that also covers the immutable fields of the IP header, so it provides integrity and origin authentication but no confidentiality; the content of the datagram is sent in the clear. The Encapsulating Security Payload (ESP) encrypts the IP payload, hiding its content in transit, and can also provide integrity and origin authentication through an optional authentication algorithm.
  • Slide 4
  • What is IPsec Security associations database (SADB): the database that associates a security protocol with an IP destination address and an index number, the security parameter index (SPI). These three elements (security protocol, destination address and SPI) uniquely identify a security association, and the SPI carried in every AH or ESP header lets the receiver find the right entry for an incoming packet. The receiver uses the keys and algorithms from that entry to decrypt the packet, verify that it is unchanged and not replayed, reassemble the packets, and deliver them to their ultimate destination.
  • Slide 5
  • What is IPsec Key management: the generation and distribution of keys for the cryptographic algorithms and the assignment of SPIs, done either by hand (manual keying) or by the IKE daemon. Security mechanisms: the authentication and encryption algorithms (for example HMAC-SHA1 and AES-CBC) that protect the data in the IP datagrams. Security policy database (SPD): the database that specifies what protection to apply to a packet. The SPD filters IP traffic by selectors (addresses, protocol, ports) and decides how each packet is processed: it can be discarded, passed in the clear, or protected with IPsec. For outbound packets, the SPD and the SADB together determine what protection to apply. For inbound packets, the SPD is used to check that the protection actually present on the packet is acceptable; if the packet is protected by IPsec, the SPD is consulted after the packet has been decrypted and verified.
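The SADB and SPD just described, as an added example that is not part of the original slides: a shell script that writes the ipsec-tools setkey configuration for a manually keyed host-to-host connection. Each 'add' line is one SADB entry, identified by destination, protocol and SPI; the 'spdadd' lines are the SPD. The addresses 10.0.0.1 and 10.0.0.2, the SPI values, the key sizes and the output directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original slides: the SADB and SPD of slides
# 3-5 written out as an ipsec-tools setkey script for a manually keyed
# host-to-host connection. Addresses 10.0.0.1/10.0.0.2, the SPI values and
# the output directory are assumptions.

A=${A:-10.0.0.1}
B=${B:-10.0.0.2}
OUT=${OUT:-${TMPDIR:-/tmp}}

# hexkey N: N random bytes as a hex string (od and tr only, no openssl needed).
hexkey() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# gen_setkey_conf A B SELF K_AB_AH K_AB_ESP K_AB_ESPAUTH K_BA_AH K_BA_ESP K_BA_ESPAUTH
# Emits the setkey script for host SELF (either A or B). The 'add' lines are
# the SADB: each SA is identified by (destination, protocol, SPI), so they are
# identical on both hosts; only the SPD direction differs. hmac-sha1 keys are
# 160 bits (40 hex digits); aes-cbc is used with 128 bits (32 hex digits).
gen_setkey_conf() {
    a=$1 b=$2 self=$3
    if [ "$self" = "$a" ]; then osrc=$a odst=$b; else osrc=$b odst=$a; fi
    cat <<EOF
flush;
spdflush;

# SADB: the A->B SAs (dst = $b) and the B->A SAs (dst = $a)
add $a $b ah  0x201 -A hmac-sha1 0x$4;
add $a $b esp 0x301 -E aes-cbc 0x$5 -A hmac-sha1 0x$6;
add $b $a ah  0x202 -A hmac-sha1 0x$7;
add $b $a esp 0x302 -E aes-cbc 0x$8 -A hmac-sha1 0x$9;

# SPD for $self: 'require' drops matching traffic that is not protected.
# Rules apply in the order listed: ESP encrypts the payload first, then AH
# authenticates the result together with the IP header.
spdadd $osrc $odst any -P out ipsec
    esp/transport//require
    ah/transport//require;
spdadd $odst $osrc any -P in ipsec
    esp/transport//require
    ah/transport//require;
EOF
}

# One key set per direction, generated once and written into both hosts'
# scripts so the SAs match. The peer's file has to travel over a channel that
# is already secure, and manual keys never rotate: that is what IKE is for.
gen_pair() {
    k1=$(hexkey 20) k2=$(hexkey 16) k3=$(hexkey 20)
    k4=$(hexkey 20) k5=$(hexkey 16) k6=$(hexkey 20)
    gen_setkey_conf "$A" "$B" "$A" "$k1" "$k2" "$k3" "$k4" "$k5" "$k6" > "$OUT/setkey-$A.conf"
    gen_setkey_conf "$A" "$B" "$B" "$k1" "$k2" "$k3" "$k4" "$k5" "$k6" > "$OUT/setkey-$B.conf"
}
gen_pair
# On each host, as root:  setkey -f /tmp/setkey-<its own address>.conf
# then inspect the kernel state:  setkey -D  (SADB)  and  setkey -DP  (SPD).
```

Both generated files carry the same 'add' lines and mirror-image SPD entries; each host loads its own file with setkey -f as root, and setkey -D and setkey -DP show what the kernel actually holds, which is the first thing to check when traffic is silently dropped by a 'require' policy.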
  • Slide 6
  • Encryption Layers
  • Slide 7
  • Why is IPsec important The data sent over the Internet and private networks includes passwords, credit card numbers, social security numbers and other private and personal information. When sending such data, one wants to be sure that no third party can read or manipulate it. What are the security issues? Spoofing: a machine on the network pretends to be another. Sniffing: a third party listens in on someone else's traffic. Session hijacking: an attacker takes over another user's established session.
  • Slide 8
  • Why is IPsec important Provides authentication Prevents eavesdropping Prevents replay attacks Detects data tampering
  • Slide 9
  • Provides Authentication Each party can prove it is who it claims to be. This stops an attacker from impersonating the server in order to harvest usernames and passwords, and it lets the server confirm that the client is the genuine client rather than an attacker.
  • Slide 10
  • Prevents Eavesdropping Eavesdropping is the monitoring of your communication by a third party. With IPsec the payload on the wire is encrypted, so a captured packet is useless to an eavesdropper without the session key. Note that traffic analysis is still possible: ESP hides the content, but the outer IP addresses, packet sizes and timing remain visible.
  • Slide 11
  • Replay Attack One form of attack is to record traffic and play it back at a later date. If an attacker can record the initial authentication sequence at the start of a communication, they can replay it and inject stale data. IPsec defends against this in two ways: every AH or ESP packet carries an increasing sequence number that the receiver checks against a sliding anti-replay window, so a duplicated or too-old packet is dropped; and the keys are fresh for each session, so packets recorded under one SA are rejected under any other, even if the same data is sent again.
  • Slide 12
  • Data Tampering Data tampering is when data is changed, removed or added in a communication stream. IPsec computes an integrity check value (a keyed hash such as HMAC-SHA1) over each packet, so any alteration in transit is detected and the packet is discarded.
  • Slide 13
  • IPsec Protocols
  • Slide 14
  • Internet Key Exchange (IKE) - Negotiates the SA parameters (protocols, algorithms, lifetimes, SPIs) between hosts - Authenticates the two peers to each other - Generates and distributes the session keys
  • Slide 15
  • IPsec Protocols ISAKMP (Internet Security Association and Key Management Protocol) defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SAs). SAs contain all the information required to execute various network security services, such as IP-layer services (header authentication and payload encapsulation), transport- or application-layer services, or self-protection of the negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data that is independent of the key generation technique, encryption algorithm and authentication mechanism. IKE is the key exchange protocol built on this framework and runs over UDP port 500.
  • Slide 16
  • IPsec Protocols Authentication Header (AH) - Data-origin authentication of the sending host - Provides data integrity, including for the immutable fields of the IP header - Protects against replay attacks (sequence number) Limitations: AH does not support encryption, so a third party can still eavesdrop on the content of the communication; and because its integrity check covers the IP header, AH does not survive address translation (NAT).
  • Slide 17
  • IPsec Protocols Encapsulating Security Payload (ESP) Provides the same integrity, origin-authentication and anti-replay services as AH, but over the payload rather than the outer IP header, and additionally encrypts the payload. Because the outer IP header is not covered by the integrity check, ESP can be carried through NAT, with UDP encapsulation (NAT traversal) where needed.
  • Slide 18
  • IPsec Architecture IPsec Applied to Outbound Packet Process
  • Slide 19
  • IPsec Architecture IPsec Applied to Inbound Packet Process
  • Slide 20
  • IKE Modes (Main Mode and Quick Mode) Main Mode (IKE phase 1) - Time consuming: a Diffie-Hellman exchange plus mutual authentication to establish the identity of each party - Establishes the ISAKMP SA, a secure channel in which Quick Mode is then run Quick Mode (IKE phase 2) - Negotiates the IPsec SAs (AH or ESP, with their algorithms, SPIs and keys) that are used to communicate between the parties Note that these are phases of the IKE negotiation, not IPsec packet modes; the latter are transport mode (protects the payload between two hosts) and tunnel mode (encapsulates the whole IP packet, used between gateways).
  • Slide 21
  • How to create an IPsec connection between two hosts or networks Implementing IPsec requires that the ipsec-tools RPM package be installed on all IPsec hosts (host-to-host configuration) or routers (network-to-network configuration). The package contains the setkey utility for managing the SPD and SADB, the racoon IKE daemon, and the configuration files needed to set up the IPsec connection.
  • Slide 22
  • Steps to configure IPsec 1. In a command shell, type system-config-network to start the Network Administration Tool. 2. On the IPsec tab, click New to start the IPsec configuration wizard. 3. Click Forward to start configuring a host-to-host IPsec connection. 4. Enter a unique name for the connection, for example ipsec0. If required, select the check box to activate the connection automatically when the computer starts. Click Forward to continue. 5. Select Host to Host encryption as the connection type, and then click Forward. 6. Select the type of encryption to use: manual or automatic. With manual encryption, an encryption key must be provided later in the process. With automatic encryption, the racoon daemon negotiates and manages the keys with IKE; the ipsec-tools package must be installed for this. Click Forward to continue. 7. Enter the IP address of the remote host. To determine it, run the following command on the remote host: [root@myServer ~]# /sbin/ifconfig
  • Slide 23
  • Steps to configure IPsec 8. If manual encryption was selected in step 6, specify the encryption key to use, or click Generate to create one. Then specify an authentication key or click Generate to create one; it can be any combination of numbers and letters. Click Forward to continue. 9. Verify the information on the IPsec Summary page, and then click Apply. 10. Click File => Save to save the configuration. You may need to restart the network for the changes to take effect: [root@myServer ~]# service network restart 11. Select the IPsec connection from the list and click the Activate button. 12. Repeat the entire procedure for the other host. The same keys from step 8 must be used on the other host; otherwise IPsec will not work.
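What the wizard's "automatic encryption" choice amounts to underneath, as an added example that is neither the slides' content nor Red Hat's tool: a shell script that stages the SPD for setkey and a racoon.conf with a pre-shared key, which also shows where Main Mode (the remote block) and Quick Mode (the sainfo block) from the IKE slides live. The addresses 10.0.0.1/10.0.0.2, the algorithm and lifetime choices, the PSK and the staging directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the slides or from Red Hat's wizard: the files the
# "automatic encryption" choice boils down to with ipsec-tools, i.e. an SPD
# for the kernel and a racoon (IKEv1) configuration with a pre-shared key.
# Addresses, lifetimes, algorithms, PSK and the staging directory are assumptions.

LH=${LH:-10.0.0.1}                          # this host
RH=${RH:-10.0.0.2}                          # the peer
OUT=${OUT:-${TMPDIR:-/tmp}/ipsec-auto}      # staging dir; copy to /etc/racoon as root
PSK=${PSK:-$(od -An -tx1 -N32 /dev/urandom | tr -d ' \n')}   # must be identical on both hosts

# With IKE the kernel's SADB starts empty: only the SPD is loaded here, and
# racoon installs the SAs (SPIs, keys) once Quick Mode has completed.
gen_spd() {
    cat <<EOF
spdflush;
spdadd $1 $2 any -P out ipsec esp/transport//require;
spdadd $2 $1 any -P in  ipsec esp/transport//require;
EOF
}

# gen_racoon_conf LH RH PSKFILE
gen_racoon_conf() {
    cat <<EOF
path pre_shared_key "$3";

# Phase 1 = Main Mode: DH exchange and mutual authentication with the PSK,
# producing the ISAKMP SA that protects the rest of the negotiation.
remote $2 {
        exchange_mode main;
        lifetime time 8 hour;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

# Phase 2 = Quick Mode: the ESP SA pair for $1 <-> $2, with PFS.
sainfo address $1 any address $2 any {
        pfs_group modp2048;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# psk.txt is "<peer identifier> <secret>"; racoon refuses the file unless only
# its owner can read it, hence the 600 below.
build_tree() {
    dir=$1 lh=$2 rh=$3 psk=$4
    mkdir -p "$dir"
    gen_spd "$lh" "$rh" > "$dir/setkey.conf"
    gen_racoon_conf "$lh" "$rh" "/etc/racoon/psk.txt" > "$dir/racoon.conf"
    (umask 077; printf '%s %s\n' "$rh" "$psk" > "$dir/psk.txt")
    chmod 600 "$dir/psk.txt"
}

build_tree "$OUT" "$LH" "$RH" "$PSK"
cat <<EOF
Staged in $OUT. On each host (run this script there with LH/RH swapped and the same PSK):
  setkey -f $OUT/setkey.conf
  install -m 600 $OUT/psk.txt /etc/racoon/psk.txt && cp $OUT/racoon.conf /etc/racoon/
  racoon -F -f /etc/racoon/racoon.conf     # foreground, logs the negotiation
  ping $RH                                 # the first packet triggers IKE
  setkey -D; setkey -DP                    # SAs negotiated by racoon; the policies
EOF
```

Run it on the second host with LH and RH swapped and PSK set to the same secret: phase 1 fails with mismatched keys, exactly as the slide's warning about manual keys describes, and racoon will not start at all if psk.txt is readable by anyone but its owner. After the first ping, setkey -D should show an ESP SA in each direction with SPIs chosen by racoon rather than by hand.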
  • Slide 24
  • References http://docs.oracle.com/cd/E19082-01/819-3000/ipsec-ov-1/index.html http://www.tuxfiles.org/linuxhelp/rpminstall.html http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html Naganand Doraswamy and Dan Harkins, IPsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks