2003-2004 - Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)

Presentation transcript:

Slide 2/26: IP Security (IPSec)
– IPSec overview
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
– Internet Key Exchange (IKE)
– Main Mode negotiation
– Quick Mode negotiation
– Retransmit behavior

Slide 3/26: Overall Architecture (RFC 1825)
Framework for security protocols to provide:
– Data integrity
– Data authentication
– Data confidentiality
– Security association management
– Key management

Slide 4/26: Authentication Header (RFC 1826)
– Data integrity: no twiddling of bits
– Origin authentication: definitely came from the router
– Uses a keyed-hash mechanism
– Does not provide confidentiality
[Figure: one router sends "IP Header plus Data" with an AH whose Authentication Data is 00ABCDEF; the receiving router recomputes the same Authentication Data (00ABCDEF) over the IP header plus data.]

Slide 5/26: Encapsulating Security Payload (RFC 1827)
– Confidentiality
– Data origin authentication
– Data integrity
– Replay protection (optional)
[Figure: all data encrypted between the two routers.]

Slide 6/26: Security Association (SA)
– Agreement between two entities on the method used to communicate securely
– Unidirectional: two-way communication consists of two SAs
[Figure: router and firewall connected over an insecure channel.]

Slide 7/26: IKE Policy Negotiation
Each peer proposes its acceptable combinations of encryption algorithm, hash algorithm, and method of authentication, for example:
– 3DES, MD5, and RSA signatures, or
– IDEA, SHA, and DSS signatures, or
– Blowfish, SHA, and RSA encryption
[Figure: both peers offer the same proposal list; the negotiated ISAKMP policy is IDEA, SHA, and DSS signatures, which protects the ISAKMP tunnel.]

Slide 8/26: IPSec Model
– Device authentication: crypto devices obtain digital certificates from CAs
– Authorization: packet selection via ACLs; Security Association (SA) established via ISAKMP/Oakley
– Privacy and integrity: IPSec-based encryption and digital signature
[Figure: a Certificate Authority issues a digital certificate to each peer; an IKE session establishes the SA; traffic is clear text on the internal network and travels through an authenticated, encrypted tunnel between the peers.]

Slide 9/26: IPsec Protocols and Formats
Headers
– Authentication Header: integrity, authentication
– Encapsulating Security Payload: adds confidentiality
Key Exchange
– ISAKMP/Oakley: negotiates security parameters, uses digital certificates
– Diffie-Hellman: generates shared secret keys
Modes
– Transport: IP payload only, Layer 4 is obscured, both end systems need IPsec
– Tunnel: entire datagram, no changes to intermediate systems
Encryption: DES, 3DES, RC4, IDEA, AES...
Hashing: HMAC MD5, HMAC SHA1

Slide 10/26: IPSec Modes
Original packet: IP HDR | DATA
Transport mode: IP HDR | IPSec HDR | DATA (DATA is encrypted)
Tunnel mode: New IP HDR | IPSec HDR | IP HDR | DATA (the original IP HDR and DATA are encrypted)

Slide 11/26: Tunnel and Transport Modes
– Transport mode for an end-to-end session
– Tunnel mode for everything else
[Figure: Joe's PC and the HR Server, showing where Transport Mode and Tunnel Mode apply.]

Slide 12/26: IPsec: Standards Based
[Figure: IPsec applied across the Internet, campus, firewall, VLANs and dial connections.]

Slide 13/26: IPSec Overview
Proposed Internet standard for IP-layer cryptography with IPv4 and IPv6. Deployment scenarios:
– Router to Router
– Router to Firewall
– PC to Router
– PC to Server

Slide 14/26: IPSec Process
– Initiating the IPSec session
  – Phase one: exchanging keys
  – Phase two: setting up security associations
– Encrypting/decrypting packets
– Rebuilding security associations
– Timing out security associations

Slide 15/26: Initiating the IPSec Session, Phase One: ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP). Both sides need to agree on the ISAKMP security parameters (ISAKMP SADB):
– Encryption algorithm
– Hash algorithm
– Authentication method
– Diffie-Hellman modulus group
– Lifetime

Slide 16/26: Initiating the IPSec Session, Phase Two
Both sides need to agree on the IPSec security parameters (IPSec SADB):
– IPSec peer: endpoint of the IPSec tunnel
– IPSec proxy: traffic to be encrypted/decrypted
– IPSec transform: encryption and hashing
– IPSec lifetime: phase two SA regeneration time

Slide 17/26: Encrypting and Decrypting Packets
– Phase one and phase two complete
– Security Associations (SAs) are created at both IPSec endpoints
– Using the negotiated SADB information:
  – Outbound packets are encrypted
  – Inbound packets are decrypted

Slide 18/26: Rebuilding Security Associations
To ensure that keys are not compromised they are periodically refreshed. Security associations will be rebuilt when:
– The lifetime expires, or
– The data volume has been exceeded, or
– Another SA is attempted with identical parameters

Slide 19/26: Security Associations
Combination of mutually agreed security services, protection mechanisms, and cryptographic keys.
– ISAKMP SA
– IPSec SAs: one for inbound traffic, one for outbound traffic
– Security Parameters Index (SPI): helps identify an SA
– Creating SAs: Main Mode for the ISAKMP SA, Quick Mode for the IPSec SAs
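Slides 18 and 19 describe SAs in prose only. The following is an added example (not from the slides or from Groep T Leuven) that models what an IPSec endpoint keeps per SA: the unidirectional pair, lookup by SPI, the sequence-number anti-replay window that the "replay protection" service on slide 5 relies on (the sliding-window method from RFC 2401 Appendix C), and the lifetime and data-volume checks that trigger an SA rebuild. SPIs, addresses, keys and lifetimes are constructed sample values.

```python
from dataclasses import dataclass

WINDOW = 64   # anti-replay window in bits; RFC 2401 requires at least 32, 64 is common


@dataclass
class IPsecSA:
    """One unidirectional IPSec SA. A two-way session needs two: one inbound, one outbound."""
    spi: int
    dst: str
    proto: str              # "ah" or "esp"
    direction: str          # "in" or "out"
    key: bytes
    lifetime_seconds: int
    lifetime_bytes: int
    created_at: float
    bytes_used: int = 0
    seq_out: int = 0        # last sequence number sent (outbound SA)
    last_seq: int = 0       # highest sequence number accepted (inbound SA)
    bitmap: int = 0         # bit i set <=> sequence number (last_seq - i) already seen

    def next_seq(self):
        """Sequence numbers are never reused within one SA; a wrap needs a new SA."""
        self.seq_out += 1
        return self.seq_out

    def check_replay(self, seq):
        """Sliding-window anti-replay check (RFC 2401 Appendix C).
        Returns True and records seq when it is fresh; False for duplicates or too-old packets."""
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        mask = (1 << WINDOW) - 1
        if seq > self.last_seq:
            diff = seq - self.last_seq
            self.bitmap = ((self.bitmap << diff) & mask) if diff < WINDOW else 0
            self.bitmap |= 1                   # bit 0 now represents seq itself
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= WINDOW:
            return False                       # fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False                       # already seen: a replayed packet
        self.bitmap |= 1 << diff
        return True

    def account(self, n_bytes):
        self.bytes_used += n_bytes

    def needs_rekey(self, now):
        """Slide 18: rebuild when the lifetime expires or the data volume is exceeded."""
        return (now - self.created_at >= self.lifetime_seconds
                or self.bytes_used >= self.lifetime_bytes)


class SADB:
    """Inbound SAs are selected by (SPI, destination address, protocol)."""
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self._sas.get((spi, dst, proto))


def make_pair(db):
    """Constructed sample SA pair (hypothetical SPIs, addresses and keys)."""
    inbound = IPsecSA(0x1001, "192.0.2.1", "esp", "in", b"demo-key-in", 3600, 1_000_000, 0)
    outbound = IPsecSA(0x2002, "198.51.100.1", "esp", "out", b"demo-key-out", 3600, 1_000_000, 0)
    db.add(inbound)
    db.add(outbound)
    return inbound, outbound


def replay_demo():
    """Feed a constructed arrival order through the inbound window.
    Expected: [True, True, True, False, True, False, True, False, True, False]
    (2 replayed, 30 too old once 100 moved the window, 50 replayed, 36 just outside)."""
    db = SADB()
    inbound, _ = make_pair(db)
    return [inbound.check_replay(s) for s in (1, 2, 3, 2, 100, 30, 50, 50, 37, 36)]


def lifetime_demo():
    """Volume-based and time-based expiry, as (before, by_volume, by_time)."""
    db = SADB()
    _, outbound = make_pair(db)
    outbound.account(600_000)
    before = outbound.needs_rekey(now=10)      # False: under both limits
    outbound.account(500_000)
    by_volume = outbound.needs_rekey(now=10)   # True: 1.1 MB exceeds the 1 MB lifetime
    aged = IPsecSA(0x3003, "192.0.2.1", "ah", "in", b"k", 3600, 1_000_000, 0)
    by_time = aged.needs_rekey(now=3600)       # True: lifetime_seconds reached
    return before, by_volume, by_time
```

The window is kept as an integer bitmap so that advancing it is a shift and a mask; a packet older than the window is dropped even if it was never seen, which is the price of keeping the state bounded.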

Slide 20/26: IPSec Headers
– Authentication Header (AH): provides data origin authentication, data integrity, and replay protection for the entire IP datagram
– Encapsulating Security Payload (ESP): provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP-encapsulated portion of the packet

Slide 21/26: IPSec Modes
– Transport mode: typically used for IPSec peers doing end-to-end security; provides protection for upper-layer protocol data units (PDUs)
– Tunnel mode: typically used by network routers to protect IP datagrams; provides protection for entire IP datagrams

Slide 22/26: AH Transport Mode
Before: IP | Upper layer PDU
After: IP | AH | Upper layer PDU
Authenticated: the entire packet (IP header, AH and upper-layer PDU)
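Slide 4 says AH "uses a keyed-hash mechanism" and slide 22 shows that the whole packet is authenticated; what neither shows is how the hash can cover the IP header when routers rewrite parts of it. The following added example (mine, not from the slides) builds an AH transport-mode packet with HMAC-SHA1-96 (RFC 2404) and verifies it, zeroing the mutable IPv4 fields exactly as RFC 2402 prescribes. The key, addresses, SPI and payload are constructed sample values, and the IPv4 checksum is left at zero because it is mutable and not covered anyway.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51           # IP protocol number in the IP header when an AH follows
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404): 160-bit tag truncated to 96 bits
AH_LEN = 12 + ICV_LEN   # Next Header, Payload Len, Reserved, SPI, Seq (12 bytes) + ICV

# Constructed sample values for the demo (hypothetical; not taken from the slides)
KEY = b"constructed-demo-ah-key-not-a-real-sa-key"
SRC = bytes([192, 0, 2, 10])
DST = bytes([198, 51, 100, 20])
UDP = 17
PAYLOAD = b"constructed upper-layer PDU: GET /report HTTP/1.0\r\n"


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header. Checksum left 0: it is recomputed per hop and
    is itself a mutable field, so AH never covers it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr):
    """AH hashes the IP header with fields that change in transit set to zero
    (RFC 2402: TOS, flags, fragment offset, TTL, header checksum)."""
    b = bytearray(ip_hdr)
    b[1] = 0                # TOS
    b[6] = b[7] = 0         # flags + fragment offset
    b[8] = 0                # TTL
    b[10] = b[11] = 0       # header checksum
    return bytes(b)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """Keyed hash over IP header (mutable fields zeroed) + AH (ICV zeroed) + payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_encapsulate(key, src, dst, next_header, payload, spi, seq, ttl=64):
    """Transport mode: the AH is inserted between the original IP header and the PDU."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload), ttl)
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402)
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, packet):
    """Return (next_header, spi, seq, payload) when the ICV matches, else None."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO or len(rest) < 12:
        return None
    ah_fixed = rest[:12]
    next_header, payload_len_words, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_total = (payload_len_words + 2) * 4
    icv, payload = rest[12:ah_total], rest[ah_total:]
    if not hmac.compare_digest(compute_icv(key, ip_hdr, ah_fixed, payload), icv):
        return None
    return next_header, spi, seq, payload


def demo():
    """What AH does and does not give you, as booleans."""
    pkt = ah_transport_encapsulate(KEY, SRC, DST, UDP, PAYLOAD, spi=0x1000, seq=1)
    hop = bytearray(pkt)
    hop[8] -= 1                 # a router decrements TTL: mutable field, still verifies
    forged = bytearray(pkt)
    forged[-1] ^= 0x01          # one flipped payload bit: verification fails
    return {
        "valid": ah_verify(KEY, pkt) is not None,
        "ttl_decrement_still_valid": ah_verify(KEY, bytes(hop)) is not None,
        "payload_tamper_rejected": ah_verify(KEY, bytes(forged)) is None,
        "payload_readable_in_clear": PAYLOAD in pkt,   # slide 4: no confidentiality
    }


if __name__ == "__main__":
    print(demo())
```

The TTL case is the point of the mutable-field rule: without zeroing, every hop would break the Authentication Data that slide 4 shows arriving unchanged (00ABCDEF) at the far router.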

Slide 23/26: AH Tunnel Mode
After: IP (new) | AH | IP | Upper layer PDU
Authenticated: the entire packet

Slide 24/26: ESP Transport Mode
Before: IP | Upper layer PDU
After: IP | ESP | Upper layer PDU | ESP Auth Data
Encrypted: Upper layer PDU
Authenticated: ESP header through the encrypted Upper layer PDU (covered by ESP Auth Data)

Slide 25/26: ESP with AH, Transport Mode
After: IP | AH | ESP | Upper layer PDU | ESP Auth Data
Encrypted: Upper layer PDU
Authenticated with ESP: ESP header through the encrypted Upper layer PDU
Authenticated with AH: the entire packet

Slide 26/26: ESP Tunnel Mode
Before: IP | Upper layer PDU
After: IP (new) | ESP | IP | Upper layer PDU | ESP Auth Data
Encrypted: original IP header and Upper layer PDU
Authenticated: ESP header through the encrypted data (covered by ESP Auth Data)
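Slides 24 to 26 give the ESP layouts as diagrams. The following added example (mine, not from the slides) carries out the slide 26 tunnel-mode encapsulation and decapsulation byte for byte: new outer IP header, ESP header (SPI, sequence number), the whole original datagram, the ESP trailer, and the ESP Auth Data as HMAC-SHA1-96. One substitution to keep it standard-library only: the "encrypted" portion uses ESP_NULL (RFC 2410), so the bytes that a 3DES or AES SA would encrypt are left in the clear, while their position and the integrity coverage are exactly those of the slide. Keys, addresses and SPI are constructed sample values.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50          # outer IP protocol number for ESP
IPIP_NEXT_HEADER = 4    # ESP Next Header value meaning "an IPv4 datagram follows"
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404)
UDP = 17

# Constructed sample values (hypothetical; not from the slides)
KEY = b"constructed-demo-esp-key-not-a-real-sa-key"
OUTER_SRC, OUTER_DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])   # the two gateways
INNER_SRC, INNER_DST = bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9])         # hosts behind them
SPI, SEQ = 0x1000, 1


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 (not part of what ESP protects)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x4242, 0x4000,
                       ttl, proto, 0, src, dst)


INNER_PAYLOAD = b"constructed upper-layer PDU"
INNER_DATAGRAM = ipv4_header(INNER_SRC, INNER_DST, UDP, 20 + len(INNER_PAYLOAD)) + INNER_PAYLOAD


def esp_tunnel_encapsulate(key, spi, seq, inner_datagram, outer_src, outer_dst):
    """Tunnel mode: the whole original datagram becomes the ESP payload behind a new IP header."""
    # ESP trailer: padding so that Pad Length and Next Header end on a 32-bit boundary
    pad_len = (-(len(inner_datagram) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 2406 default padding 1, 2, 3, ...
    trailer = padding + bytes([pad_len, IPIP_NEXT_HEADER])
    esp_header = struct.pack("!II", spi, seq)
    # A real SA would now encrypt (inner_datagram + trailer) with the negotiated cipher;
    # ESP_NULL (RFC 2410) leaves it in the clear so this example needs only the stdlib.
    encrypted_portion = inner_datagram + trailer
    icv = hmac.new(key, esp_header + encrypted_portion, hashlib.sha1).digest()[:ICV_LEN]
    esp = esp_header + encrypted_portion + icv
    outer = ipv4_header(outer_src, outer_dst, ESP_PROTO, 20 + len(esp))
    return outer + esp


def esp_tunnel_decapsulate(key, packet):
    """Verify the ICV first, then strip ESP; returns (spi, seq, inner_datagram) or None."""
    outer, esp = packet[:20], packet[20:]
    if len(outer) < 20 or outer[9] != ESP_PROTO or len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                 # modified in transit or wrong SA key: drop, never parse
    spi, seq = struct.unpack("!II", body[:8])
    payload = body[8:]              # ESP_NULL: decryption is the identity
    pad_len, next_hdr = payload[-2], payload[-1]
    if next_hdr != IPIP_NEXT_HEADER or pad_len + 2 > len(payload):
        return None
    return spi, seq, payload[:len(payload) - 2 - pad_len]


def demo():
    pkt = esp_tunnel_encapsulate(KEY, SPI, SEQ, INNER_DATAGRAM, OUTER_SRC, OUTER_DST)
    hop = bytearray(pkt)
    hop[8] -= 1                     # outer TTL decremented by a router: not covered by ESP
    forged = bytearray(pkt)
    forged[20 + 8 + 16] ^= 0x01     # flip a bit in the inner destination address
    return {
        "roundtrip": esp_tunnel_decapsulate(KEY, pkt) == (SPI, SEQ, INNER_DATAGRAM),
        "outer_ttl_change_ok": esp_tunnel_decapsulate(KEY, bytes(hop)) is not None,
        "inner_header_tamper_rejected": esp_tunnel_decapsulate(KEY, bytes(forged)) is None,
        "outer_addresses_are_gateways": pkt[12:20] == OUTER_SRC + OUTER_DST,
    }


if __name__ == "__main__":
    print(demo())
```

Contrast with the AH layouts on slides 22 and 23: ESP's Auth Data covers the ESP header through the trailer and nothing of the outer IP header, so intermediate routers may rewrite the outer header freely, while the inner header (including the real source and destination) is protected and, with a real cipher, hidden.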