IP Security


Ambo University, Institute of Technology, Graduate Program in Computer Science
IP SECURITY
Presented by: Dejene Techane
6-Jan-17

• In today's massively interconnected business world of the Internet, intranets, branch offices, and remote access, sensitive information constantly crosses the networks.
• Without security, both public and private networks are susceptible to unauthorized monitoring and access.
• Therefore, different network security protocols are in widespread use for protecting private and public networks, such as:
  ◦ IP Security (IPSec)
  ◦ Transport Layer Security (TLS)
  ◦ Secure Shell (SSH)
• Of these, only IPsec protects all application traffic over an IP network.

• IP security refers to the security mechanisms implemented at the IP (Internet Protocol) layer to ensure the following for data during transmission in the open Internet environment:
  ◦ integrity
  ◦ authentication
  ◦ confidentiality
• It is a protocol suite for secure IP communications that works by authenticating and encrypting each IP packet of a communication session.

• IPSec is a set of protocols and algorithms used to secure IP data and the network layer
• Open standard for VPN implementation
• Built into IPv6 and compatible with IPv4

• To verify the sources of IP packets
  ◦ Authentication
• To prevent replaying of old packets
• To protect the integrity and/or confidentiality of packets
  ◦ Data integrity / data encryption

[Figure: IPSec architecture diagram with the labels IPSec Security Policy, ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE (The Internet Key Exchange).]

• Architecture: covers the general concepts, security requirements, definitions and mechanisms defining IPsec technology.

• Provides source authentication
  ◦ Protects against source spoofing
• Provides connectionless data integrity
• Protects against replay attacks
  ◦ Use monotonically increasing sequence numbers
• Protects against denial of service attacks
• NO protection for confidentiality!

• Use a 32-bit monotonically increasing sequence number to avoid replay attacks
• Use cryptographically strong hash algorithms to protect data integrity (96-bit)
• Use symmetric key cryptography
  ◦ HMAC-SHA-96, HMAC-MD

[Figure: AH packet format. Packet labels: New IP header, Old IP header (only in Tunnel mode), TCP header, Data. AH fields: Next header, Payload length, Reserved, Security Parameters Index (SPI), Sequence Number, Authentication Data (hash of everything else). Region labels: Authenticated; Encapsulated TCP or IP packet.]

• Provides all that AH offers, and in addition provides data confidentiality
  ◦ Uses symmetric key encryption
• Same as AH:
  ◦ Use 32-bit sequence number to counter replaying attacks
  ◦ Use integrity check algorithms
• Only in ESP:
  ◦ Data confidentiality: uses symmetric key encryption algorithms to encrypt packets

[Figure: ESP packet format. Labels: IP header, Security Parameters Index (SPI), Sequence Number, Initialization vector, TCP header, Data, Pad, Pad length, Next, Authentication Data; Next header, Payload length, Reserved. Region labels: Authenticated; Encrypted TCP packet.]

• Both AH and ESP support transport and tunnel modes
• AH
  ◦ Transport mode SA: authenticates IP payload and selected portions of IP header and IPv6 extension headers
  ◦ Tunnel mode SA: authenticates entire inner IP packet plus selected portions of outer IP header
• ESP
  ◦ Transport mode SA: encrypts IP payload and any IPv6 extension header
  ◦ Tunnel mode SA: encrypts inner IP packet
• ESP with Authentication
  ◦ Transport mode SA: encrypts IP payload and any IPv6 extension header; authenticates IP payload but no IP header
  ◦ Tunnel mode SA: encrypts inner IP packet; authenticates inner IP packet

• The key management portion of IPSec involves the determination and distribution of the secret keys.
• A typical requirement is four keys for communication between two applications:
  ◦ transmit and receive pairs for both AH and ESP
• Support for two types of key management:
  ◦ Manual
  ◦ Automatic

• An SA describes a particular kind of secure connection between one device and another.
• Security Associations are key to IPSec's authentication and confidentiality mechanisms.
• SAs are needed to negotiate the exchange of the "shared secret"
  ◦ Sharing the shared secret key

• A security association is uniquely identified by three parameters:
  ◦ Security Parameters Index (SPI): the SPI assigns a bit string to this SA that has local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
  ◦ IP destination address: currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.
  ◦ Security protocol identifier: this indicates whether the association is an AH or ESP security association.
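Receiver-side AH processing, added here as an example and not part of the original slides: it selects the SA by the (SPI, destination address, protocol) triple above, applies the 32-bit sequence-number replay check, and verifies a 96-bit truncated HMAC-SHA1 value as described on the AH slides. Assumptions: the 64-packet sliding window, the names `SA`, `icv`, `build_ah` and `receive`, and the simplification that the integrity value covers only the AH header and payload (real AH also covers the immutable IP header fields); `build_ah` exists only to construct sample packets.

```python
import hashlib
import hmac
import struct

AH_PROTO, ICV_LEN, WINDOW = 51, 12, 64  # IP protocol 51 = AH; 96-bit ICV; window size assumed


class SA:
    """Inbound security association: shared key plus anti-replay state."""
    def __init__(self, key):
        self.key, self.top, self.bitmap = key, 0, 0  # top = highest authenticated seq

    def fresh(self, seq):
        if seq > self.top:
            return True
        off = self.top - seq  # distance behind the newest accepted packet
        return seq != 0 and off < WINDOW and not (self.bitmap >> off) & 1

    def mark(self, seq):
        shift = max(seq - self.top, 0)  # slide the window only for a newer seq
        self.top = max(self.top, seq)
        self.bitmap = ((self.bitmap << shift) | (1 << (self.top - seq))) & ((1 << WINDOW) - 1)


def icv(key, header, payload):
    # HMAC-SHA1-96 over AH header (ICV zeroed) + payload; IP header omitted (simplification).
    return hmac.new(key, header + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(key, spi, seq, payload, next_header=6):
    header = struct.pack("!BBHII", next_header, 4, 0, spi, seq)  # length 4 = 24/4 - 2
    return header + icv(key, header, payload) + payload


def receive(sad, dst, packet):
    """Return (verdict, payload) for one AH packet addressed to dst."""
    if len(packet) < 12 + ICV_LEN:
        return "malformed", None
    spi, seq = struct.unpack("!II", packet[4:12])
    sa = sad.get((spi, dst, AH_PROTO))  # SA selected by the three identifying parameters
    if sa is None:
        return "no-sa", None
    if not sa.fresh(seq):  # cheap check before spending an HMAC
        return "replay", None
    got, payload = packet[12:12 + ICV_LEN], packet[12 + ICV_LEN:]
    if not hmac.compare_digest(got, icv(sa.key, packet[:12], payload)):
        return "bad-icv", None
    sa.mark(seq)  # only authenticated packets move the window
    return "ok", payload
```

Because the window advances only after the integrity value verifies, a forged packet carrying a very high sequence number is rejected without pushing genuine traffic out of the window.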

• Provides strong security when implemented in a firewall or router that can be applied to all traffic crossing the perimeter.
• IPsec is resistant to bypass if all traffic from the outside must use IP and the firewall is the only way of entrance from the Internet into the organization.
• Is below the transport layer, hence transparent to applications.
• Can be transparent to end users.
• Can provide security for individual users if needed.

• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishment of extranet and intranet connectivity with partners
• Enhancement of electronic commerce security

• The importance of IP Security is growing, but unfortunately its operation imposes a significant burden on the encrypting devices. Furthermore, certain applications may suffer from the increase in latency (i.e., the time required to pass through an IPSec network device) due to the extra processing.
• Finally, at a time when network security is increasingly vital, IPSec makes it easy for network managers to provide a strong layer of protection to their organization's information resources.
