Internet Protocol Security (IPSec) Overview PDF
Summary
This document provides an overview of Internet Protocol Security (IPSec). It details the security problems associated with the internet, explains the TCP/IP model, explores different security levels, and highlights the functionalities of IPSec protocols. The document clarifies the modes of operation and protocols used in IPSec security, offering an understanding of how it enhances network security.
Full Transcript
INTERNET PROTOCOL SECURITY: AN OVERVIEW OF IPSEC

OUTLINE
- What Security Problem?
- Understanding TCP/IP
- Security at What Level?
- IP Security
- IPSec Security Services
- Modes of Operation
- IPSec Security Protocols
- Outbound/Inbound IPSec Processing
- Real World Deployment Examples

WHAT SECURITY PROBLEM?
Today's Internet is primarily comprised of public, untrusted, unreliable IP networks. Because of this inherent lack of security, the Internet is subject to various types of threats.

INTERNET THREATS
- Data integrity: the contents of a packet can be accidentally or deliberately modified.
- Identity spoofing: the origin of an IP packet can be forged.
- Replay attacks: unauthorized data can be retransmitted.
- Loss of privacy: the contents of a packet can be examined in transit.

UNDERSTANDING TCP/IP: OSI REFERENCE MODEL
- Application, Presentation and Session Layers: application protocols (SNMP, SMTP, HTTP, DNS, NFS, FTP)
- Transport Layer: TCP, UDP
- Network Layer: IP
- Logical Link Layer: device driver
- Physical Layer: network adapter

UNDERSTANDING TCP/IP: ENCAPSULATION OF DATA FOR NETWORK DELIVERY
(Figure, reconstructed from the slide sequence.) Each layer prepends its own header to the data handed down by the layer above:
- Application Layer: original application layer message
- Transport Layer (TCP, UDP): Header 3 | Data 3
- Network Layer (IP): Header 2 | Data 2
- Data Link Layer: Header 1 | Data 1

UNDERSTANDING TCP/IP: PACKET DELIVERY
- Packet sent by Host A: the complete Data Link frame (Header 1 | Data 1).
- Packet received by an intermediary router: only the Data Link and Network layers are processed.
- Packet received by Host B: the complete frame, which is then de-capsulated.

UNDERSTANDING TCP/IP: DE-CAPSULATION OF DATA FROM NETWORK DELIVERY
(Figure, reconstructed from the slide sequence.) Each layer strips its header and passes the remaining data up:
- Data Link Layer: Header 1 | Data 1 -> Data 1
- Network Layer (IP): Header 2 | Data 2 -> Data 2
- Transport Layer (TCP, UDP): Header 3 | Data 3 -> Data 3
- Application Layer: original application layer message

SECURITY AT WHAT LEVEL?
- Application Layer: PGP, Kerberos, SSH, etc.
- Transport Layer: Transport Layer Security (TLS)
- Network Layer: IP Security
- Data Link Layer: hardware encryption

SECURITY AT APPLICATION LAYER (PGP, Kerberos, SSH, etc.)
Implemented in end hosts.
Advantages
- Extends the application without involving the operating system.
- The application can understand the data and provide the appropriate security.
Disadvantages
- Security mechanisms have to be designed independently for each application.

SECURITY AT TRANSPORT LAYER: Transport Layer Security (TLS)
Implemented in end hosts.
Advantages
- Existing applications get security seamlessly.
Disadvantages
- Protocol specific.

SECURITY AT NETWORK LAYER: IP Security (IPSec)
Advantages
- Provides seamless security to the application and transport layers (upper layer protocols, ULPs).
- Allows per-flow or per-connection security and thus allows for very fine-grained security control.
Disadvantages
- More difficult to exercise on a per-user basis on a multi-user machine.

SECURITY AT DATA LINK LAYER (hardware encryption)
Needs a dedicated link between hosts/routers.
Advantages
- Speed.
Disadvantages
- Not scalable.
- Needs dedicated links.

IP SECURITY (IPSEC)
IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF). It creates secure, authenticated, reliable communications over IP networks.
Source: https://devcentral.f5.com/articles/application-is-more-than-header-deep

IPSEC SECURITY SERVICES
- Connectionless integrity: assurance that received traffic has not been modified. Integrity includes anti-replay defenses.
- Data origin authentication: assurance that traffic is sent by the legitimate party or parties.
- Confidentiality (encryption): assurance that the user's traffic is not examined by non-authorized parties.
- Access control: prevention of unauthorized use of a resource.

IPSEC MODES OF OPERATION
Transport Mode: protects the upper layer protocols.
  Original IP datagram:            IP Header | TCP Header | Data
  Transport mode protected packet: IP Header | IPSec Header | [TCP Header | Data]  (bracketed part protected)
Tunnel Mode: protects the entire IP payload.
  Tunnel mode protected packet:    New IP Header | IPSec Header | [Original IP Header | TCP Header | Data]  (bracketed part protected)

IPSEC SECURITY PROTOCOLS
Authentication Header (AH) provides:
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
Encapsulating Security Payload (ESP) provides:
- Confidentiality (encryption)
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
Both protocols may be used alone or applied in combination with each other.

OUTBOUND IPSEC PROCESSING
(Figure, reconstructed.) The outgoing packet's selectors are matched against the IPSec policies in the SPD; the matching policy points to the outbound SA (SAout) in the SAD. The lookup yields one of three actions:
1. Drop the packet.
2. Bypass IPSec.
3. Apply IPSec.
SPD = Security Policy Database; SAD = Security Association Database; SA = Security Association.

INBOUND IPSEC PROCESSING
Case 1: IPSec headers exist
1. The headers are processed.
2. The SPD is consulted to determine whether the packet can be admitted based on the SAin.
Case 2: IPSec headers are absent
1. The SPD is consulted to determine the type of service to afford this packet.
2. If the traffic is required to be IPSec protected and it is not, it must be dropped.

REAL WORLD DEPLOYMENT EXAMPLES
Encrypted / Authenticated VPNs. (Figure: sites connected across the Internet through security gateways (SG), and a wireless client connecting across the Internet.)

CONCLUSION
- The Internet was not created with security in mind.
- Communications can be altered, examined and exploited.
- There is a growing need to protect private information crossing the public networks that make up the Internet infrastructure.
- IPSec is a set of protocols and methodologies to create secure IP connections.

QUESTIONS?
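The anti-replay protection listed under IPSec Security Services and under both AH and ESP is implemented on the receiving side with a sliding window over the sequence number carried in the AH/ESP header. The following is an added example, not part of the original slides: it models a 64-entry window in the style of RFC 4303 and assumes sequence numbers start at 1 and that the window is only updated after the packet's integrity check has passed.

```python
class AntiReplayWindow:
    """Receiver-side sliding window for AH/ESP sequence numbers (RFC 4303 style).

    Assumptions (not from the slides): sequence numbers start at 1, the window
    holds `size` entries, and update() is called only after the packet's
    integrity check (ICV) succeeded, so a forged packet cannot advance the window.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (highest - i) was seen

    def check(self, seq):
        """True if seq is new and inside the window; does not record it."""
        if seq == 0:
            return False                        # 0 is never a valid sequence number
        if seq > self.highest:
            return True                         # right of the window: new packet
        offset = self.highest - seq
        if offset >= self.size:
            return False                        # older than the window: reject
        return not (self.bitmap >> offset) & 1  # already seen => replay

    def update(self, seq):
        """Record seq as received; call only after ICV verification."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, seq):
        """check() then update(); returns whether the packet is accepted."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def replay_trace(seqs, size=64):
    """Run a constructed list of received sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed trace: in-order packets, a replayed 3, a reordered 4, a jump to 70
# that slides the window past 2, and a late 69 that still fits in the window.
RECEIVED = [1, 2, 3, 3, 5, 4, 70, 2, 69]
```

A replayed packet is rejected even if its integrity check would pass, and a packet older than the window is rejected without needing a record of every sequence number ever seen.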
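The outbound decision (drop / bypass / apply) and the two inbound cases described above can be modelled as lookups in the SPD and SAD. This is an added example, not from the slides: the policies, address ranges and the SPI value are constructed, and decryption and integrity verification of a protected packet are assumed to have already succeeded when Case 1 reaches the SPD check.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    local: str    # local address range: source when outbound, destination when inbound
    remote: str   # remote address range
    action: str   # "DROP", "BYPASS" or "APPLY" (the slide's actions 1, 2, 3)


# Constructed SPD: ordered IPSec policies, the first matching selector wins.
SPD = [
    Policy("10.0.0.0/8", "10.0.0.0/8", "BYPASS"),     # intranet traffic stays in the clear
    Policy("10.0.0.0/8", "192.0.2.0/24", "APPLY"),    # partner site must be IPSec protected
    Policy("0.0.0.0/0", "0.0.0.0/0", "DROP"),         # everything else is refused
]

# Constructed SAD: inbound SAs indexed by SPI, with the peer each was set up for.
SAD = {0x1001: {"peer": "192.0.2.0/24", "protocol": "ESP"}}


def lookup_spd(local, remote):
    """Match the packet's selectors against the SPD; no match means drop."""
    for policy in SPD:
        if (ip_address(local) in ip_network(policy.local)
                and ip_address(remote) in ip_network(policy.remote)):
            return policy.action
    return "DROP"


def outbound(pkt):
    """Outbound processing: the SPD lookup yields drop, bypass or apply."""
    return lookup_spd(pkt["src"], pkt["dst"])


def inbound(pkt):
    """Inbound processing for a packet arriving from the network."""
    if "spi" in pkt:                                   # Case 1: IPSec headers exist
        sa = SAD.get(pkt["spi"])
        if sa is None or ip_address(pkt["src"]) not in ip_network(sa["peer"]):
            return "DROP"                              # no SAin for this SPI/peer
        # Headers processed (decryption and ICV check assumed to have passed);
        # the SPD must still say this traffic was meant to arrive via SAin.
        return "ADMIT" if lookup_spd(pkt["dst"], pkt["src"]) == "APPLY" else "DROP"
    action = lookup_spd(pkt["dst"], pkt["src"])        # Case 2: IPSec headers absent
    return "DROP" if action == "APPLY" else action     # required protection is missing
```

The Case 2 branch is the check that matters most operationally: a cleartext packet from a peer that policy says must be protected is dropped rather than admitted.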