Page 1: What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation

• What is IPsec
• Why is IPsec Important
• IPsec Protocols
• IPsec Architecture
• How to Implement IPsec in Linux


What is IPsec

IPsec is a set of security protocols and algorithms used to secure IP data at the network layer.

IPsec provides data confidentiality (encryption), integrity (hash), and authentication (signatures and certificates) of IP packets while maintaining the ability to route them through existing IP networks.


IPsec protection involves five main components:

• Security protocols – The IP datagram protection mechanisms. The authentication header (AH) signs IP packets and ensures integrity, but the content of the datagram is not encrypted. The encapsulating security payload (ESP) encrypts IP data, thus obscuring the content during packet transmission. ESP can also ensure data integrity through an authentication algorithm option.


• Security associations database (SADB) – The database that associates a security protocol with an IP destination address and an indexing number. The indexing number is called the security parameter index (SPI). These three elements (the security protocol, the destination address, and the SPI) uniquely identify a legitimate IPsec packet. The database ensures that a protected packet that arrives at the packet destination is recognized by the receiver. The receiver also uses information from the database to decrypt the communication, verify that the packets are unchanged, reassemble the packets, and deliver the packets to their ultimate destination.


• Key management – The generation and distribution of keys for the cryptographic algorithms and for the SPI.

• Security mechanisms – The authentication and encryption algorithms that protect the data in the IP datagrams.

• Security policy database (SPD) – The database that specifies the level of protection to apply to a packet. The SPD filters IP traffic to determine how the packets should be processed. A packet can be discarded. A packet can be passed in the clear. Or, a packet can be protected with IPsec. For outbound packets, the SPD and the SADB determine what level of protection to apply. For inbound packets, the SPD helps to determine if the level of protection on the packet is acceptable. If the packet is protected by IPsec, the SPD is consulted after the packet has been decrypted and has been verified.
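The SPD and SADB decisions described above can be modelled in a few lines. This is an added example, not part of the original presentation; the addresses, SPI values, rule order and function names are constructed for illustration, and decryption and verification are left as a comment.

```python
import ipaddress

LOCAL = "203.0.113.5"                     # this host (constructed address)
# SPD: ordered (remote network, action) rules; first match wins.
SPD = [("192.0.2.0/24", "protect"),
       ("198.51.100.0/24", "discard"),
       ("0.0.0.0/0", "bypass")]
# SADB: (security protocol, destination address, SPI) -> SA parameters.
SADB = {("esp", "192.0.2.10", 0x1001): {"dir": "out"},
        ("esp", LOCAL, 0x2002): {"dir": "in"}}

def spd_action(remote):
    """Return the SPD action for traffic to or from `remote`."""
    ip = ipaddress.ip_address(remote)
    for net, action in SPD:
        if ip in ipaddress.ip_network(net):
            return action
    return "discard"                      # no rule: fail closed

def outbound(dst):
    action = spd_action(dst)
    if action != "protect":
        return action                     # discarded or passed in the clear
    for (proto, sa_dst, spi), sa in SADB.items():
        if sa_dst == dst and sa["dir"] == "out":
            return f"protect: {proto} spi={spi:#x}"
    return "hold: no SA yet, key management must create one"

def inbound(src, proto=None, spi=None):
    """proto and spi are None for a packet that arrived in the clear."""
    if proto is not None:
        if (proto, LOCAL, spi) not in SADB:
            return "discard: no SA for this protocol/destination/SPI"
        # Decryption and integrity verification with the SA's keys go here.
    # The SPD is consulted only after the packet has been verified.
    action = spd_action(src)
    if action == "discard":
        return "discard: policy"
    if action == "protect" and proto is None:
        return "discard: policy requires IPsec, packet was in the clear"
    return "deliver"
```

The case worth noting is `inbound("192.0.2.10")` with no ESP header: the sender is a peer whose policy is "protect", so a cleartext packet claiming to come from it is dropped rather than delivered.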


Encryption Layers


Why is IPsec important

The data sent over the Internet and private networks includes passwords, credit card numbers, social security numbers and other private and personal information. When sending this crucial information, one wants to ensure that no third party manipulates or accesses it.

What are Security Issues?

Spoofing: a machine on the network acts as another.

Sniffing: another person is listening in on another's activity.

Session Hijacking: an attacker completely takes over another user's activities.


• Provides Authentication
• Prevents Eavesdropping
• Replay Attack
• Data Tampering


Provides Authentication

• Each party is able to prove that they are who they say they are. This stops hackers from impersonating the server in order to get information such as usernames and passwords.

• Also helps the server confirm whether the client is a real client or a hacker.


Prevents Eavesdropping

• Eavesdropping is the monitoring of your communication by a third party.

• But with IPsec the information on the network is encrypted, which makes it impossible for a hacker to use the data.


Replay Attack

• One form of attack is recording your information and playing it back at a later date.

• If a hacker is able to record the initial authentication sequence at the start of communication, they can replay the message and add wrong data.

• With IPsec, replay attacks are impossible because even if you send the same data in a different session, the communication sequence used by IPsec will be completely different and only valid in that one session.


Data Tampering

• Data tampering is when data is changed, removed or added in a communication stream.

• IPsec can detect if a data stream has been altered in any way and thus prevent data tampering attacks.
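The replay and tampering protections on the two slides above rest on a per-SA sequence number and a keyed integrity check value (ICV) that covers the SPI, the sequence number and the data. The sketch below is an added example, not part of the original presentation, and goes beyond the slides by showing the sliding anti-replay window; the class name, the 64-packet window, the HMAC-SHA-256 ICV truncated to 16 bytes and the keys are assumptions.

```python
import hashlib, hmac, struct

WINDOW = 64   # anti-replay window size in packets (assumed value)

class InboundSA:
    """Receiver state for one SA: SPI, integrity key, replay window."""
    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) was seen

    def icv(self, seq, payload):
        # The ICV covers the SPI and sequence number as well as the data.
        msg = struct.pack("!II", self.spi, seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:16]

    def protect(self, seq, payload):
        # Sender side, kept here only so the example is self-contained.
        return struct.pack("!II", self.spi, seq) + payload + self.icv(seq, payload)

    def receive(self, packet):
        if len(packet) < 24:
            return "drop: malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        payload, tag = packet[8:-16], packet[-16:]
        if spi != self.spi:
            return "drop: unknown SPI"
        if seq == 0 or seq + WINDOW <= self.highest:
            return "drop: sequence too old"
        if seq <= self.highest and self.bitmap >> (self.highest - seq) & 1:
            return "drop: replayed"
        if not hmac.compare_digest(tag, self.icv(seq, payload)):
            return "drop: integrity check failed"
        if seq > self.highest:          # only a verified packet moves the window
            shifted = (self.bitmap << (seq - self.highest)) | 1
            self.bitmap = shifted & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept"

def demo():
    """Constructed traffic: fresh, replayed, tampered, genuine, cross-session."""
    sa = InboundSA(0x2002, b"session-1 key (constructed)")
    first, second = sa.protect(1, b"login"), sa.protect(2, b"pay 10")
    tampered = second[:8] + b"pay 99" + second[-16:]
    later = InboundSA(0x2002, b"session-2 key (constructed)")
    return [sa.receive(first), sa.receive(first), sa.receive(tampered),
            sa.receive(second), later.receive(first)]
```

The last case in `demo()` is the situation the replay slide describes: a packet recorded in one session is rejected in a later one because the new SA has a different key. The tampered packet does not advance the window, so the genuine packet with the same sequence number is still accepted afterwards.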


IPsec Protocols


• Internet Key Exchange (IKE)
  - Used to transfer SA parameters between hosts
  - Handles negotiation of protocols
  - Generates keys


• ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA).

• SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic.

• ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.

IPsec ISAKMP: Internet Security Association and Key Management Protocol


• Authentication Header (AH)
  - Host and client authentication
  - Provides data integrity
  - Protects against replay attacks (anti-replay)

Limitations – Does not support encryption, and thus it is possible for a third party to eavesdrop on communication.


• Encapsulating Security Payload (ESP)
• Same as AH but also supports data encryption and NAT.


IPsec Architecture

IPsec Applied to Outbound Packet Process


IPsec Applied to Inbound Packet Process


IPsec Modes

• Main Mode
  - Time consuming to make sure of the identity of each party
  - Establishes a secure connection to configure quick mode
• Quick Mode
  - Used to communicate with each party
• AH often used for Main Mode
• ESP often used for Quick Mode


How to create an IPsec connection between two Hosts or Networks

• Implementing IPsec requires that the IPsec-tools RPM package be installed on all IPsec hosts (if using a host-to-host configuration) or routers (if using a network-to-network configuration). The RPM package contains essential libraries, daemons, and configuration to aid in setup of the IPsec connection.


Steps to configure IPsec

• In a command shell, type system-config-network to start the Network Administration Tool.
• On the IPsec tab, click New to start the IPsec configuration wizard.
• Click Forward to start configuring a host-to-host IPsec connection.
• Enter a unique name for the connection, for example, ipsec0. If required, select the check box to automatically activate the connection when the computer starts. Click Forward to continue.
• Select Host to Host encryption as the connection type, and then click Forward.
• Select the type of encryption to use: manual or automatic.
• If you select manual encryption, an encryption key must be provided later in the process. If you select automatic encryption, the racoon daemon manages the encryption key. The IPsec-tools package must be installed if you want to use automatic encryption.
• Click Forward to continue.
• Enter the IP address of the remote host.
• To determine the IP address of the remote host, use the following command on the remote host:
  [root@myServer ~]# /sbin/ifconfig


• If manual encryption was selected in step 6, specify the encryption key to use, or click Generate to create one.
• Specify an authentication key or click Generate to generate one. It can be any combination of numbers and letters.
• Click Forward to continue.
• Verify the information on the IPsec — Summary page, and then click Apply.
• Click File => Save to save the configuration.
• You may need to restart the network for the changes to take effect. To restart the network, use the following command:
  [root@myServer ~]# service network restart
• Select the IPsec connection from the list and click the Activate button.
• Repeat the entire procedure for the other host. It is essential that the same keys from step 8 be used on the other hosts. Otherwise, IPsec will not work.

