IP Security
IPSEC
Crypto Group presents:
Definition
Why IPSec?
Goals of IPSec
Introduction
Definition: Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
IP is not secure..!
IP Protocol was designed in the late 70’s to early 80’s.
  Part of DARPA Internet Project
  Very small network
  All hosts are known
  So are the users
  Therefore security was not an issue
Why IPsec … ?
Security issues in IP
Fundamental issue: networks are not fully secure (and never will be)
DoS attacks, replay attacks, spying, etc.
IP causes:
  Source spoofing
  Replay packets
  No data integrity or confidentiality
Why IPsec … ? (Cont..)
Authentication: to verify sources of IP packets
To prevent replaying of old packets
To protect integrity and/or confidentiality of packets: data integrity / data encryption
Goals of IPsec
Wei Xu started research on IP Security in July 1994, enhanced the IP protocols, and developed the IPSec product.
The assembly software encryption was unable to support even a T1 (1.544MBps) speed.
Wei further developed an automated device driver, known as plug-and-play.
After achieving throughput higher than a T1, in December 1994 he finally made the commercial product, which was released as the Gauntlet firewall.
History of IPsec
History (cont..)
In December 1993, another IP Encapsulating Security Payload (ESP) was researched at the Naval Research Laboratory as a DARPA project.
ESP was derived from the US Department of Defense SP3D protocol.
The Security Authentication Header (AH) is derived from a previous IETF standard.
In 1995, the IPsec working group in the IETF was started to create protocols.
IETF : Internet Engineering Task Force
[Diagram labels: Secure, Insecure, Router, Router]
IPsec Security Model
Transport Mode
Tunnel Mode
IPsec Architecture
Transport Mode
Transport mode is used between end-stations supporting IPSec, or between an end-station and a gateway if the gateway is being treated as a host.
Tunnel Mode
Tunnel mode is used to encrypt traffic between secure IPSec gateways, and it is also used to connect an end-station running IPSec software.
Modes of IPsec
Modes of IPsec (Diagram)
Original:        IP header | TCP header | data
Transport mode:  IP header | IPSec header | TCP header | data
Tunnel mode:     IP header | IPSec header | IP header | TCP header | data
Modes of IPsec (Diagram cont..)
PROTOCOLS
IPSec is broken into multiple protocols. These are:
  Authentication Header (AH)
  Encapsulating Security Payload (ESP)
  Internet Key Exchange (IKE)
  IP Payload Compression
Protocols
Authentication header is defined as:
Authentication Header (AH)
Provides source authentication
Protects against source spoofing
Provides data integrity
Protects against replay attacks
  Uses monotonically increasing sequence numbers
Protects against denial of service attacks
NO protection for confidentiality!
Authentication Header (Cont..)
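Added example (not part of the original slides): the receiver-side check behind "monotonically increasing sequence numbers", written as a sliding window over the AH sequence number. The 64-packet window size and all names are assumptions chosen for illustration.

```python
# Added example: receiver-side anti-replay check for one security association.
# WINDOW = 64 and the class/function names are assumptions for illustration.
WINDOW = 64


class ReplayWindow:
    def __init__(self):
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (highest - i) was already received

    def check_and_update(self, seq):
        """Return True if the packet is fresh, False if replayed or too old.

        Call only after the integrity check has passed, so that a forged
        packet cannot slide the window forward.
        """
        if seq == 0:
            return False                       # sender starts counting at 1
        if seq > self.highest:                 # new right edge: slide window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW:
            return False                       # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset             # late arrival, but fresh
        return True


def classify(seqs):
    """Run a constructed arrival order through a fresh window."""
    window = ReplayWindow()
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, reordered, replayed and stale.
    arrivals = [1, 2, 4, 3, 4, 2, 100, 36, 37, 100]
    for seq, ok in zip(arrivals, classify(arrivals)):
        print(seq, "accept" if ok else "drop")
```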
The following AH packet diagram shows how an AH packet is constructed and interpreted.
Authentication Header (Cont..)
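Added example (not part of the original slides): the AH fields that the packet diagram refers to, built and parsed for both transport and tunnel mode. Addresses, SPI values and the zeroed ICV are constructed sample data, and the function names are illustrative.

```python
import struct

PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51   # IANA IP protocol numbers

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for illustration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, bytes(src), bytes(dst))

def ah_header(next_header, spi, seq, icv):
    """AH layout: next header, payload len, reserved, SPI, sequence, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def parse_ah_packet(packet):
    """Return the AH fields and the IPsec mode implied by AH's next header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_AH:
        raise ValueError("outer IP header does not carry AH")
    nxt, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, ihl)
    ah_len = (plen + 2) * 4
    mode = {PROTO_IPIP: "tunnel", PROTO_TCP: "transport"}.get(nxt, "other")
    return {"spi": spi, "seq": seq, "mode": mode,
            "icv": packet[ihl + 12:ihl + ah_len],
            "inner": packet[ihl + ah_len:]}

# Constructed sample data: addresses, SPIs and the zeroed ICV are placeholders.
HOST_A, HOST_B = [10, 0, 0, 1], [10, 0, 1, 1]
GW_A, GW_B = [192, 0, 2, 1], [198, 51, 100, 1]
TCP_SEGMENT = bytes(20) + b"data"            # stand-in TCP header + payload
ICV = bytes(12)                              # a real ICV is a keyed MAC

def transport_packet():
    """IP header | AH | TCP header | data (end hosts in the only IP header)."""
    ah = ah_header(PROTO_TCP, 0x1001, 1, ICV)
    outer = ipv4_header(PROTO_AH, HOST_A, HOST_B, len(ah) + len(TCP_SEGMENT))
    return outer + ah + TCP_SEGMENT

def tunnel_packet():
    """New IP header | AH | original IP header | TCP header | data."""
    inner = ipv4_header(PROTO_TCP, HOST_A, HOST_B, len(TCP_SEGMENT)) + TCP_SEGMENT
    ah = ah_header(PROTO_IPIP, 0x2002, 1, ICV)
    return ipv4_header(PROTO_AH, GW_A, GW_B, len(ah) + len(inner)) + ah + inner

if __name__ == "__main__":
    for name, pkt in (("transport", transport_packet()), ("tunnel", tunnel_packet())):
        info = parse_ah_packet(pkt)
        print(name, len(pkt), hex(info["spi"]), info["seq"], info["mode"])
```

The 20-byte size difference between the two packets is the extra IP header that tunnel mode adds in front of the original packet.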
User and application transparent
Authentication
Integrity checking
Anti-replay
Protects entire packet
Advantages of Authentication Header
No confidentiality
Unable to use NATs or proxies
Only works with TCP/IP
Disadvantages of Authentication Header
ESP is a member of the IPsec protocol suite. In IPsec it provides origin authenticity, integrity and confidentiality protection of packets.
Encapsulating Security Payload (ESP)
The following ESP packet diagram shows how an ESP packet is constructed and interpreted.
ESP (Cont..)
Does not protect entire packet
May not work with NATs or proxies
Only works with TCP/IP
Disadvantages of ESP
User and application transparent
Authentication
Integrity checking
Confidentiality
Anti-replay
Advantages of ESP
Used for compression
Can be specified as part of the IPSec policy
Will not cover!
IP Payload Compression
Internet Key Exchange (IKE)
The Internet Key Exchange is a protocol to set up a security association in the IPsec protocol.
Before secured data can be exchanged, a security agreement is established between two computers. In this security agreement (SA), both peers agree on how to exchange and protect information.
IKE Modes
The IKE (Internet Key Exchange) of IPsec has two phases:
1) IKE phase 1
2) IKE phase 2
IPSec Phases
IKE Phase 1 Diagram
IKE phase 2 does the following things:
Negotiates IPsec SA parameters protected by an existing IKE SA.
Establishes IPsec security associations.
Periodically negotiates IPsec SAs to ensure security.
IKE Phase 2
IKE Phase 2 Diagram
Benefits of IKE
Automatic negotiation.
Authentication.
Anti replay services.
Certification authority.
Authentication
Integrity
Confidentiality
IPSec Features
An IPsec policy is a set of rules that governs when and how Windows uses the IPsec protocol to secure communications.
The IPsec policy interacts directly with the IPsec driver.
IPsec consists of some basic elements, which include:
  IP filter list
  Individual IP filters
  Filter actions
A brief description is as follows:
IPSec Policy
IP filter list contains the IP packets on which the action was applied.
Individual IP filters tell Windows on which IP packets actions should be performed.
Filter action is to secure the IP packets.
IPSec Policy (Cont..)
The IPsec policy also requires some info about the network, which includes:
  Security method to use
  Connection type
  Tunnel settings
IPSec Policy (Cont..)
Security methods – which security algorithms to use for authentication and key exchanges.
Connection type – policy applied to remote access connections, LANs or all network connections.
Tunnel settings – IPsec use over a virtual private network.
IPSec Policy (Cont..)
IPsec policies can be created or edited.
In Windows, 3 default policies are stored, which are:
  Client policy
  Server policy
  Secure server policy
IPSec Policy (Cont..)
IPsec policy to block PING traffic.
IPsec policy configuration through GPO.
IPSec Policy Examples
Thank You..!