IPSec: Internet Protocol Security And You
Bill Nickless, 18 July 2004 (presentation transcript)

Outline
– What is IPSec, and what is it for?
– The IPSec Framework
– How do IKE, AH, and ESP fit together?
– Routing and Technology Issues
– Management and Policy Issues
– How To Learn More

IPSec Scope (RFC 2401)
Good news: "IPsec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6."

IPSec Scope (RFC 2401)
Bad news: "The set of IPsec protocols employed in any context, and the ways they are employed, will be determined by the security and system requirements of users, applications, and/or sites/organizations."

IPSec Scope
IPSec is a technology. IPSec is NOT a solution. Better: IPSec is a technology framework; the security you actually get depends on the policy, algorithms and key management you configure around it.

Outline (next: The IPSec Framework)

IPSec
Standards-based IP Security Framework
– Data Integrity
– Data Confidentiality
– Data Origin Authentication
– Anti-Replay Protection
Supported in modern router software
– Cisco IOS 12.1(19) or later
– Juniper JUNOS 5.3 or later (with Encryption Services PIC)

IPSec
Router performs additional operations:
1. Receive the packet and verify/decrypt it
2. Inspect the headers of the packet
3. Based on that inspection, put the packet into an outbound queue
4. Sign/encrypt the packet and transmit it when it reaches the front of the outbound queue
[Figure: IP packet diagram with fields Version (4 or 6), Protocol (TCP, etc), Source IP Address, Destination IP Address, Source Port, Destination Port, Flags, Time To Live, Data (possibly with sequence number), Checksum]

Ciphers, Signing and Keys (Oh My!)
IPSec is a framework that supports many cryptographic technologies. What fits into the IPSec framework?
– Diffie-Hellman Key Exchange
– Ciphers
– Hashes
– Shared Secrets
– Certificates
– Perfect Forward Secrecy

Diffie-Hellman Key Exchange
Agree on a secret shared key, without a secure channel.
Suppose Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key agreement protocol. They proceed as follows. First, Alice generates a random private value a and Bob generates a random private value b; both are integers chosen at random from the range 1 to p-2. Then they derive their public values from the public parameters p (a large prime) and g (a generator) and their private values: Alice's public value is g^a mod p and Bob's public value is g^b mod p. They then exchange their public values. Finally, Alice computes g^ab = (g^b)^a mod p, and Bob computes g^ba = (g^a)^b mod p. Since g^ab = g^ba = k, Alice and Bob now have a shared secret key k.
On its own the exchange is unauthenticated: an attacker in the path can run one exchange with Alice and another with Bob. IKE therefore authenticates the exchange with a shared secret or certificates (next slides), and each side should reject degenerate peer values such as 0, 1 and p-1, which would force k to a value the attacker already knows.
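The exchange described above, worked through in Python as an added example (not code from the deck): both sides compute g^x mod p over IKE group 2 (the 1024-bit MODP group from RFC 2409, taken as the group of the deck's era and too small for new deployments), check the peer's public value before using it, and then run the RFC 2409 pre-shared-key derivation SKEYID = prf(psk, Ni|Nr), SKEYID_d = prf(SKEYID, g^xy|CKY-I|CKY-R|0) with HMAC-SHA-1 as the prf. The pre-shared key, nonces and cookies in `demo()` are constructed values.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (IKE group 2): 1024-bit MODP prime, generator 2.
# Shown because IKEv1 required it; 1024-bit MODP is too weak for new deployments
# (use group 14 or larger, or an ECDH group).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2                        # P is a safe prime: G generates a subgroup of prime order Q
P_BYTES = (P.bit_length() + 7) // 8     # 128 bytes for group 2


def gen_private() -> int:
    """Random private exponent in [2, P-2] from the OS CSPRNG (never random.random)."""
    return 2 + secrets.randbelow(P - 3)


def public_value(priv: int) -> int:
    """g^x mod p, the only value that goes on the wire."""
    return pow(G, priv, P)


def check_peer_public(y: int) -> int:
    """Reject peer values that would pin the shared secret to a known value:
    0, 1 and p-1 are the classic degenerate inputs, and y^q == 1 rejects anything
    outside the prime-order subgroup generated by g."""
    if not 2 <= y <= P - 2:
        raise ValueError("peer DH public value out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("peer DH public value not in the prime-order subgroup")
    return y


def shared_secret(priv: int, peer_pub: int) -> bytes:
    """g^xy mod p as a fixed-length big-endian byte string, which is how IKE feeds it to the prf."""
    check_peer_public(peer_pub)
    return pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1's prf is the negotiated hash used as an HMAC; HMAC-SHA-1 here.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_d(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """RFC 2409 section 5, pre-shared-key authentication:
         SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
         SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_d is the material from which the phase 2 (IPSec SA) keys are later derived."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def demo() -> bool:
    """Alice and Bob keep their exponents private, exchange only public values,
    and both arrive at the same SKEYID_d. PSK, nonces and cookies are constructed."""
    a, b = gen_private(), gen_private()
    ya, yb = public_value(a), public_value(b)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    psk = b"constructed-pre-shared-key"
    k_alice = skeyid_d(psk, ni, nr, shared_secret(a, yb), cky_i, cky_r)
    k_bob = skeyid_d(psk, ni, nr, shared_secret(b, ya), cky_i, cky_r)
    return hmac.compare_digest(k_alice, k_bob)


if __name__ == "__main__":
    print("both sides derive the same SKEYID_d:", demo())
```

The subgroup check costs one extra modular exponentiation per exchange and is the cheapest defence against a peer (or a man in the middle) that sends 1 or p-1 to collapse the secret; the PSK enters only through the prf, so it is never transmitted, which is the point of the "Shared Secrets" slide below.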

Ciphers
Obscure data, so that it can only be read by someone with the right "key".
Symmetric ciphers used for packet data: DES, 3DES, AES, RC5, Blowfish, Skipjack, etc. (DES, with its 56-bit key, is no longer considered adequate.) RSA is a public-key algorithm; in IPSec it serves to authenticate the key exchange (signatures, certificates), not to encrypt packets.

Hashes
Take a bunch of data, make a digest of it, so that changes can be detected.
MD5, SHA-1, RIPEMD-160
In IPSec the hash is always keyed (HMAC-MD5-96 and HMAC-SHA-1-96, RFC 2403 and RFC 2404): without the key an attacker cannot recompute a valid digest after changing the data, which a plain unkeyed hash would not prevent.

Shared Secrets
Prove identity by demonstrating knowledge of the same data.
Not necessary to actually transmit the shared secret: IKE uses it as the key of a keyed hash over the exchange rather than sending it.

Perfect Forward Secrecy
RFC 2409: "Perfect Forward Secrecy (PFS) refers to the notion that compromise of a single key will permit access to only data protected by a single key. For PFS to exist the key used to protect transmission of data MUST NOT be used to derive any additional keys, and if the key used to protect transmission of data was derived from some other keying material, that material MUST NOT be used to derive any more keys."

Certificates
Establish trust based on mutual trust of a third party (a Certification Authority).
X.509

IPSec Security Associations
IPSec Security Associations (SA)
– between two routers (or hosts)
– Unicast only
– Unidirectional, so a two-way flow needs a pair of SAs
– Policy (the Security Policy Database) gives each flow one of three actions: Drop, Apply IPSec, Pass without IPSec

IPSec Router
IPSec flow:
1. Receive the packet.
2. Inspect the headers of the packet. Matching inbound Security Association (SA)? (For ESP/AH the SA is found from the destination address, the protocol and the SPI carried in the packet.)
3. If so, verify/decrypt.
4. Inspect the headers again. Make a routing decision, and look for a matching outbound Security Association (SA).
5. If so, sign/encrypt.
6. Transmit the packet.
[Figure: IP packet diagram with fields Version (4 or 6), Protocol (TCP, etc), Source IP Address, Destination IP Address, Source Port, Destination Port, Flags, Time To Live, Data (possibly with sequence number), Checksum]
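The SA and policy slides above, as an added Python model (not code from the deck): a Security Policy Database of ordered selectors with the three actions, a Security Association Database keyed by SPI, and the six-step router flow. Packets are plain dicts and an "ESP" packet just carries its decapsulated inner packet, so the cryptography is left out; the point is the two checks a practitioner needs and that the slide does not spell out: cleartext arriving on a flow that policy says must be protected is dropped, and a decapsulated packet that does not match the selectors of the SA it came in on is dropped. The site addresses and SPIs in `site_a()` are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"   # the three SPD actions
IPPROTO_ESP = 50


@dataclass(frozen=True)
class Selector:
    """Traffic selector (RFC 2401 section 4.4.2): address ranges, protocol, port.
    None means 'any'. Packets are plain dicts in this example."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str
    spi: Optional[int] = None        # outbound PROTECT: which SA to apply


@dataclass(frozen=True)
class SA:
    """One unidirectional SA: an SPI, a peer, and the selectors it may carry."""
    spi: int
    peer: str
    selector: Selector


def lookup(spd: list, pkt: dict) -> Policy:
    """Ordered, first match wins. Every packet must hit a policy; anything
    unmatched is discarded rather than silently passed."""
    for pol in spd:
        if pol.selector.matches(pkt):
            return pol
    return Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD)


def process(pkt: dict, spd_in: list, spd_out: list, sad: dict, local: str) -> tuple:
    """The router flow from the slide: inbound SA check (steps 2-3), then routing
    and outbound policy on the possibly decapsulated packet (steps 4-5)."""
    if pkt["proto"] == IPPROTO_ESP:
        sa = sad.get(pkt["spi"]) if pkt["dst"] == local else None
        if sa is None:
            return ("discard", "no SA for this SPI")
        inner = pkt["inner"]     # real code: ICV check, anti-replay, decrypt first
        if not sa.selector.matches(inner):
            # Otherwise a peer could inject traffic for flows its tunnel was
            # never authorised to carry (e.g. spoofed internal sources).
            return ("discard", "inner packet outside SA selectors")
    else:
        pol = lookup(spd_in, pkt)
        if pol.action == DISCARD:
            return ("discard", "inbound policy")
        if pol.action == PROTECT:
            return ("discard", "cleartext packet on a protected flow")
        inner = pkt
    out = lookup(spd_out, inner)
    if out.action == DISCARD:
        return ("discard", "outbound policy")
    if out.action == BYPASS:
        return ("forward", inner)
    sa = sad[out.spi]
    return ("forward", {"src": local, "dst": sa.peer, "proto": IPPROTO_ESP,
                        "spi": sa.spi, "inner": inner})


def site_a():
    """Constructed site-to-site setup: site A 10.1.0.0/16 behind gateway 192.0.2.1,
    site B 10.2.0.0/16 behind 198.51.100.1. Addresses and SPIs are made up."""
    a_to_b = Selector("10.1.0.0/16", "10.2.0.0/16")
    b_to_a = Selector("10.2.0.0/16", "10.1.0.0/16")
    sad = {0x1001: SA(0x1001, "198.51.100.1", b_to_a),    # inbound SA
           0x2002: SA(0x2002, "198.51.100.1", a_to_b)}    # outbound SA
    spd_in = [Policy(b_to_a, PROTECT, 0x1001),
              Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), BYPASS)]
    spd_out = [Policy(Selector("0.0.0.0/0", "0.0.0.0/0", proto=6, dport=23), DISCARD),
               Policy(a_to_b, PROTECT, 0x2002),
               Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), BYPASS)]
    return spd_in, spd_out, sad, "192.0.2.1"
```

A packet from the LAN toward site B comes back wrapped in ESP toward the peer; one from site B arrives as ESP and leaves as cleartext; a cleartext packet claiming to be from site B, or an ESP packet whose inner source is outside the SA's selectors, is discarded.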

Outline (next: How do IKE, AH, and ESP fit together?)

The Internet Key Exchange (IKE)
RFC 2409: "The purpose is to negotiate, and provide authenticated keying material for, security associations in a protected manner. Processes which implement this memo can be used for negotiating virtual private networks (VPNs) and also for providing a remote user from a remote site (whose IP address need not be known beforehand) access to a secure host or network."

IKE Phase 1
Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA).

IKE Phase 2
Phase 2 is where Security Associations are negotiated on behalf of services such as IPsec or any other service which needs key material and/or parameter negotiation.

IKE New Group
"New Group Mode" is not really a phase 1 or phase 2. It follows phase 1, but serves to establish a new group which can be used in future negotiations.

IKE In Operation
[Three diagram slides; the figures are not recoverable from the transcript.]

Authentication Header (AH)
RFC 2402
Uses a keyed hash (HMAC) such as HMAC-MD5-96 or HMAC-SHA-1-96
– Protects against modification
– Protects against replay (the receiver checks the sequence number against a sliding window)
AH authenticates the payload and the fields of the IP header that do not change in transit, so it also catches address spoofing but breaks across NAT, which rewrites addresses; it provides no confidentiality.
[Figure: IP packet diagram with the Authentication Header inserted between the IP header and the transport data]
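The replay protection mentioned above, as an added Python example (not code from the deck) of the sliding-window algorithm from RFC 2401 Appendix C that both AH and ESP receivers use: a 64-bit window (the RFC minimum is 32) tracks which sequence numbers to the left of the highest one seen have already arrived. The `receive()` wrapper also fixes the ordering that matters in practice: the window is consulted before the ICV is verified and only updated afterwards, so a forged packet with a high sequence number cannot slide the window forward and cause legitimate packets to be dropped.

```python
class ReplayWindow:
    """RFC 2401 Appendix C anti-replay window for one inbound SA."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32")
        self.size = size
        self.top = 0              # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (top - i) already received
        self.mask = (1 << size) - 1

    def check(self, seq: int) -> bool:
        """May this sequence number still be accepted? Does not modify state."""
        if seq == 0:                              # the first packet on an SA is number 1
            return False
        if seq > self.top:
            return True                           # to the right of the window: new
        diff = self.top - seq
        if diff >= self.size:
            return False                          # left of the window: too old
        return not (self.bitmap >> diff) & 1      # inside: must not be marked yet

    def update(self, seq: int) -> None:
        """Mark seq as received. Call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1                   # jumped past the whole window
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """Window check, then ICV, then window update, in that order."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False
        self.update(seq)
        return True


def replay_trace(events) -> list:
    """Run (seq, icv_ok) events through one window and return the accept/reject list."""
    w = ReplayWindow()
    return [w.receive(seq, ok) for seq, ok in events]


if __name__ == "__main__":
    # constructed trace: in-order packets, a replay, a jump ahead, a late packet
    print(replay_trace([(1, True), (2, True), (3, True), (2, True), (100, True), (37, True), (36, True)]))
```

The sender's sequence counter is 32 bits and must not wrap: a new SA has to be negotiated before it reaches 2^32, which is one reason IKE rekeys long-lived tunnels.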

ESP: Encapsulating Security Payload, Transport Mode (RFC 2406)

            BEFORE APPLYING ESP
      ----------------------------
IPv4  |orig IP hdr  |     |      |
      |(any options)| TCP | Data |
      ----------------------------

            AFTER APPLYING ESP
      -------------------------------------------------
IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
      |(any options)| Hdr | TCP | Data | Trailer |Auth|
      -------------------------------------------------
                          |<----- encrypted ---->|
                    |<------ authenticated ----->|

The ESP authentication value covers the ESP header through the trailer but not the outer IP header; only AH covers that.

Recursive Encapsulation: Tunneling
Why?
– Create a virtual connection between two parts of a private Internet that...
  ...uses nonroutable addresses?
  ...uses advanced services like IPv6 or multicast?
– Encrypt the encapsulated packet

Recursive Encapsulation: Tunneling
Encapsulate an IP packet inside the data portion of another IP packet.
[Figure: two IP packet diagrams (Version, Protocol, Source/Destination IP Address, Source/Destination Port, Flags, Time To Live, Data, Checksum), the inner one drawn inside the Data field of the outer one]

ESP: Encapsulating Security Payload, Tunnel Mode (RFC 2406)

            BEFORE APPLYING ESP
      ----------------------------
IPv4  |orig IP hdr  |     |      |
      |(any options)| TCP | Data |
      ----------------------------

            AFTER APPLYING ESP
      -----------------------------------------------------------
IPv4  | new IP hdr  |     | orig IP hdr   |   |    | ESP   | ESP|
      |(any options)| ESP | (any options) |TCP|Data|Trailer|Auth|
      -----------------------------------------------------------
                          |<--------- encrypted ---------->|
                    |<----------- authenticated ---------->|
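The transport-mode and tunnel-mode layouts above, built and parsed in Python as an added example (not code from the deck). It uses ESP with NULL encryption (RFC 2410) and HMAC-SHA-1-96 so the bytes stay inspectable: the ESP header (SPI, sequence number), the trailer (padding to a 4-byte boundary, pad length, next header) and the ICV are laid out exactly as in RFC 2406; with a real cipher the span from payload through next header would be encrypted and, in tunnel mode, the original header would become invisible to anything on the path. The key, addresses and the 100-byte "TCP segment" are constructed. It also makes the header-overhead point of the "ESP and AH" slide concrete: the difference between the original and protected packet lengths is what eats into the MTU.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

ICV_LEN = 12                              # HMAC-SHA-1-96: 20-byte MAC truncated to 96 bits (RFC 2404)
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """SPI | Seq | payload | padding | pad len | next header | ICV (RFC 2406, NULL cipher)."""
    pad_len = (-(len(payload) + 2)) % 4                    # pad len + next header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))                 # RFC 2406 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # covers all but the ICV itself
    return body + icv


def esp_decapsulate(pkt: bytes, auth_key: bytes):
    """Verify the ICV first, then peel the trailer. Returns (spi, seq, next_header, payload)."""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN], icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if payload_end < 8 or body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, body[8:payload_end]


def transport_mode(ip_pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Original IP header kept; ESP sits between it and the TCP segment (next header = 6)."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    hdr, segment = ip_pkt[:ihl], ip_pkt[ihl:]
    esp = esp_encapsulate(spi, seq, segment, hdr[9], key)
    src, dst = str(ip_address(hdr[12:16])), str(ip_address(hdr[16:20]))
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp), ttl=hdr[8]) + esp


def tunnel_mode(ip_pkt: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Whole original packet becomes the ESP payload (next header = 4); new outer header added."""
    esp = esp_encapsulate(spi, seq, ip_pkt, IPPROTO_IPIP, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def unwrap(outer: bytes, key: bytes):
    """Strip the outer header and ESP. Returns (next_header, inner bytes)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _spi, _seq, nh, payload = esp_decapsulate(outer[ihl:], key)
    return nh, payload


if __name__ == "__main__":
    key = b"constructed-auth-key"
    seg = bytes(range(100))                                      # stand-in TCP segment
    orig = ipv4_header("10.1.1.1", "10.2.5.5", IPPROTO_TCP, len(seg)) + seg
    t = transport_mode(orig, 0x1001, 1, key)
    u = tunnel_mode(orig, "192.0.2.1", "198.51.100.1", 0x2002, 1, key)
    print("transport overhead:", len(t) - len(orig), "tunnel overhead:", len(u) - len(orig))
```

For a 100-byte segment the ESP-NULL/HMAC-SHA-1-96 overhead is 24 bytes in transport mode and 44 in tunnel mode (the extra 20 is the new outer header); a real cipher adds its IV and block padding on top. Flipping one byte inside the tunnelled packet makes `unwrap()` raise before anything is parsed, which is the behaviour a receiver must have.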

IPSec Router (the flow from the Framework section, repeated)
IPSec flow: receive the packet; inspect the headers for a matching inbound SA; if so, verify/decrypt; inspect the headers again, make a routing decision and look for a matching outbound SA; if so, sign/encrypt; transmit the packet.

ESP in Operation
[Diagram slide; the figure is not recoverable from the transcript.]

Outline (next: Routing and Technology Issues)

ESP and AH
Additional Header Information
– Smaller payload
– MTU ugliness (the added headers can push packets over the path MTU, forcing fragmentation or dropping them when DF is set)
Cryptographic Operations
– Additional Complexity
– More CPU load?

ESP Tunnel Mode
Original headers obscured
– Bad guys can't see the headers
– ...neither can your firewall!
– ...neither can your router!
Creates a Virtual Circuit
– The encapsulated (inner) IP TTL isn't decremented by the intermediate hops
– Intermediate hops are obscured
– Remember debugging ATM VCs? ...or MPLS?

Outline (next: Management and Policy Issues)

Where is your Security Perimeter?
Firewalls and ACLs protect your network. IPSec VPN solutions bring external hosts inside your network. Should you trust those external hosts?
– Viruses, Worms, Trojans
– OS Vendor Patch-of-the-week
– "Art and Music" sharing
Split tunneling vs. Host-based Firewalls

Policy Enforcement
Enforcement Requires Visibility
ESP Tunnel Mode
– Bad guys can't see the headers
– ...neither can your firewall!
– ...neither can your router!
Encryption Obscures Activity
– Is this traffic work-related or "Art and Music"?

IPSec: A Two-Edged Sword
Powerful set of options
– Data Confidentiality
– Data Integrity
– Data Origin Authentication
Bad Guys can use IPSec too
– Back doors
– Hiding "bad" activity

IPSec Legal/Societal Issues
– Cryptography: Controlled as a Munition (export controls)
– Lawful Intercept
– U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
(Not a comprehensive list)

Outline (next: How To Learn More)

Example Solution: Cisco Easy VPN
[Two diagram slides; the figures are not recoverable from the transcript.]

Cisco and Linux Interoperate
[Diagram slide; the figure is not recoverable from the transcript.]

How To Learn More
– Juniper IPSec Configuration: swconfig63-services/html/ipsec-config.html (path fragment as given in the transcript; the full URL is not recoverable)
– IETF IPSec Working Group
– Virtual Private Network Consortium
– Cisco IPSec Configuration: 122cgcr/fsecur_c/fipsenc/scfipsec.htm (path fragment as given in the transcript; the full URL is not recoverable)
Note: the RFCs cited in this deck have since been replaced. RFC 4301 obsoletes RFC 2401 (architecture), RFC 4302 obsoletes RFC 2402 (AH), RFC 4303 obsoletes RFC 2406 (ESP), and IKEv2 (RFC 4306, now RFC 7296) replaces the IKE of RFC 2409.