IPSec Detailed Description and VPN
Lecture 6 – NETW4006 (NETW4006-Lecture06)
IPSec
IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
IPSec provides:
authentication
confidentiality
key management
It is applicable for use over LANs, across public and private WANs, and for the Internet.
Network Security Protocols
Used to manage and secure authentication, authorization, confidentiality, integrity, and non-repudiation.
In a Microsoft Windows Server 2003 (WS2003) network, the major protocols used are Kerberos, NTLM, IPSec, and their various sub-protocols.
Encrypting File System
Applications of IPSec
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
IP Security (IPSec) is used to prevent captured data from being read by unauthorized parties.
Protecting Data with IPSec
Data is digitally signed and encrypted before transmission.
IPSec encrypts the information in IP datagrams by encapsulating it, so that even if the packets are captured, none of the data inside can be read.
Because it is an IP-based protocol, it provides end-to-end encryption.
Intermediate systems, such as routers, treat the encrypted part of the packets purely as payload.
Protocols besides IPSec, such as SSL or TLS, are application-layer protocols that can encrypt only specific types of traffic (e.g. Web traffic).
IPSec Functions (1)
Key generation: both computers must have access to a shared encryption key; the Diffie–Hellman algorithm is used to compute the shared key.
Cryptographic checksums: cryptographic keys are used to calculate a checksum for the data in each packet, called a Hash Message Authentication Code (HMAC). HMAC is used in combination with Message Digest 5 (MD5) or in combination with Secure Hash Algorithm-1 (SHA1): SHA1 uses a 160-bit key and MD5 a 128-bit key. SHA1 is used in the USA for high-level security requirements.
IPSec Functions (2)
Mutual authentication: an end system or router can authenticate the user or application, and address spoofing attacks are prevented by tracking sequence numbers. In WS2003 this uses Kerberos, digital certificates, or a pre-shared key.
Replay prevention: IPSec prevents replay by assigning a sequence number to each packet (anti-replay services).
IP packet filtering: IPSec includes its own packet filtering mechanism (e.g. filtering by protocol), which helps prevent DoS attacks.
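The anti-replay service described above, as an added example that is not part of the lecture: a receiver-side sliding window over the per-packet sequence number, in the style of the IPSec specifications. The 64-entry window size and the split into a check step and a mark step (mark only after the ICV verifies) are assumptions about how a receiver would wire this in.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check on IPSec sequence numbers (added example).

    The receiver keeps the highest sequence number accepted so far plus a bitmap
    of which of the previous `size` numbers have already been seen. A packet is
    rejected if it is older than the window or its bit is already set. check()
    runs before ICV verification and mark() only after it succeeds, so a forged
    packet with a high sequence number cannot advance the window.
    """

    def __init__(self, size=64):            # 64 is the usual minimum window (assumption)
        self.size = size
        self.top = 0                        # highest sequence number marked so far
        self.bitmap = 0                     # bit i set => (top - i) has been accepted

    def check(self, seq):
        """True if `seq` is neither a replay nor older than the window."""
        if seq == 0:                        # 0 is never sent; the first packet is 1
            return False
        if seq > self.top:
            return True                     # newer than anything seen: will slide the window
        offset = self.top - seq
        return offset < self.size and not (self.bitmap >> offset) & 1

    def mark(self, seq):
        """Record `seq` as accepted; call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq, icv_ok=True):
        """Full receive path for one packet: replay check, then ICV result, then mark."""
        if not self.check(seq) or not icv_ok:
            return False
        self.mark(seq)
        return True
```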
IPSec Protocols (1)
Two protocols provide different types of security for network communications:
IP Authentication Header (AH): covers packet authentication (authentication protocol).
IP Encapsulating Security Payload (ESP): covers packet encryption (combined encryption and authentication protocol).
Domain of Interpretation (DOI): contains the values needed for a domain.
IPSec Protocols (2)
IP Authentication Header (AH) – an extension header for authentication. It does not encrypt the data in IP packets, but it does provide authentication, anti-replay, and integrity services.
Integrity: modifications to packets while in transit are not possible.
Authentication of a packet: the end system can verify the sender, which prevents address spoofing attacks.
AH can be used by itself or in combination with ESP. AH alone provides basic security services with relatively low overhead.
IP Authentication Header
Support for data integrity and authentication. Fields of the AH header:
Next Header (8 bits): identifies the type of header immediately following the AH header.
Payload Length (8 bits): specifies the length of the AH header.
Reserved (16 bits): unused, for future use.
Security Parameters Index (32 bits): defines the datagram's security association = a list of security measures negotiated by the communicating computers.
Sequence Number (32 bits): a monotonically increasing counter value.
Authentication Data: the integrity check value (ICV) or MAC for this packet, which the sending computer calculates based on selected IP header fields, the AH header, and the datagram's IP payload.
IP Encapsulating Security Payload (ESP)
IPSec Protocols (6)
ESP actually encrypts the data in an IP datagram. ESP also provides authentication, integrity, and anti-replay services.
Provides confidentiality services (confidentiality of the packet).
Provides a limited authentication service (authenticates the payload but not the header).
IPSec Protocols (7)
ESP by itself or in combination with AH: combining the two gives the maximum possible security for a data transmission.
ESP's ICV (Integrity Check Value) is calculated only on the information between the ESP header and trailer; no IP header fields are covered.
IPSec Protocols (8) IP Encapsulating Security Payload
Fields of the ESP packet:
Security Parameters Index (32 bits): a value that, combined with the packet's destination and its security protocol (AH or ESP), defines the datagram's security association.
Sequence Number (32 bits): a monotonically increasing counter value.
Payload Data: contains the TCP, UDP, or ICMP information carried inside the original IP datagram (the transport-level segment).
Padding: added to the Payload Data field to ensure the payload data ends on the boundary required by the encryption algorithm. Padding also provides "traffic flow confidentiality" by concealing the actual length of the payload.
Pad Length (8 bits): the number of bytes of padding in this packet.
Next Header (8 bits): identifies the type of data contained in the Payload Data field by identifying the first header in that payload.
Authentication Data (variable): contains the integrity check value of the packet. The ICV is computed over the ESP packet minus the Authentication Data field.
When an IPSec system uses AH and ESP together, the Protocol field in the IP header contains the value 51 because the AH header immediately follows the IP header. The Next Header field in the AH header has the value 50 because the ESP header immediately follows the AH header. Finally, the Next Header field in the ESP header contains the code for the protocol that generated the payload, which is usually TCP, UDP, or ICMP.
Transport & Tunnel Mode
Tunnel mode is designed to provide security for WAN connections, particularly Virtual Private Network (VPN) connections that use the Internet as the communications medium. In a tunnel mode connection, the end systems do not support or implement the IPSec protocols; the routers at both ends of the WAN connection do.
Transport mode protects communications between computers on a network. The two end systems must support IPSec, but intermediate systems (such as routers) need not. Both the AH and ESP protocols apply to transport mode.
Tunnel Mode (2)
The tunnel mode communications process proceeds as follows:
A computer on one of the private networks transmits data using standard, unprotected IP datagrams.
The packets reach the router that provides access to the WAN, which encapsulates them using IPSec, encrypting and hashing the data.
The router transmits the encapsulated packets to the destination router at the other end of the WAN connection.
The destination router verifies the packets by calculating and comparing ICVs, and decrypts them if necessary.
The destination router repackages the information in the packets into standard, unprotected IP datagrams and transmits them to the destination(s) on the private network.
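An added example, not code from the lecture, that serves both the ESP field layout slide above and the tunnel mode process just described: an access router builds an ESP packet around a whole inner IP datagram (Next Header = 4, IP-in-IP) and the destination router verifies the ICV before stripping the header and trailer. It assumes the NULL cipher (so the payload stays readable and the "encryption" step is a no-op) and HMAC-SHA1-96 for the ICV; the key, SPI, sequence number and inner datagram are constructed values.

```python
import hashlib
import hmac
import struct

ESP_NEXT_IPIP, ESP_NEXT_TCP = 4, 6   # Next Header: 4 = inner IP datagram (tunnel), 6 = TCP (transport)
ICV_LEN = 12                         # HMAC-SHA1-96: 160-bit HMAC-SHA1 truncated to 96 bits

def esp_encapsulate(key, spi, seq, payload, next_header):
    """Build an ESP packet with the NULL cipher (payload authenticated, not encrypted).

    Layout from the slides: SPI | Sequence Number | Payload Data | Padding |
    Pad Length | Next Header | Authentication Data (ICV over everything before it)."""
    pad_len = (-(len(payload) + 2)) % 4          # pad so the trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # default pad bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # ICV excludes the ICV field itself
    return body + icv

def esp_decapsulate(key, packet):
    """Verify the ICV, then strip header and trailer; returns (spi, seq, next_header, payload).

    Raises ValueError on a bad ICV, which the receiving router treats as a drop."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified in transit or forged")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:-2 - pad_len]
    return spi, seq, next_header, payload

def tunnel_through_gateway(key, spi, seq, inner_datagram):
    """Tunnel mode end to end: the access router wraps the unprotected inner datagram,
    the far router checks the ICV and recovers the original datagram to forward."""
    esp = esp_encapsulate(key, spi, seq, inner_datagram, ESP_NEXT_IPIP)
    _spi, _seq, next_header, recovered = esp_decapsulate(key, esp)
    if next_header != ESP_NEXT_IPIP:
        raise ValueError("expected an IP-in-IP payload in tunnel mode")
    return esp, recovered

# Constructed sample values (not from any real SA): a dummy key and a stand-in for an
# inner IPv4 datagram (a 20-byte header-shaped prefix followed by application data).
KEY = b"constructed-demo-key-not-for-real-use"
INNER = b"\x45\x00" + bytes(18) + b"hello-private-net"

if __name__ == "__main__":
    outer, original = tunnel_through_gateway(KEY, 0x1234, 1, INNER)
    print(len(outer), original == INNER)
```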
Virtual Private Network (1)
VPN objectives:
Security: end-to-end security (authentication and, optionally, privacy) for a host connecting to a private network over untrusted public intermediate networks, and security for private network-to-network communication over untrusted intermediate networks.
Connectivity: authorized sites, new users, mobile users.
Simplicity and cost effectiveness: transparency for the user; applications are simple to use via the VPN.
Quality: can provide QoS via SLAs (Service Level Agreements).
Virtual Private Network (3)
Tunnelling: encapsulating the data of one protocol inside the data field of another protocol, at:
Layer 2 (across a LAN): the portion of the VPN connecting internal sites (Intranet).
Layer 3 (routers for IP information): the portion of the VPN connecting external sites (Extranet).
Point-to-Point Tunneling Protocol (PPTP): uses PPP for tunneling IP and non-IP packets.
Layer 2 Tunneling Protocol (L2TP): merges PPTP and the Layer 2 Forwarding Protocol (L2FP); carries IP and non-IP packets over an IP network.
IP Security (IPSec).