Internet Protocol Security (IPsec) - Report Example

? Internet Protocol Security (IPSec) By Table of Contents 4 Introduction 5 2.Internet Protocol Security (IPSec) 7 3.IPSec Suite 8 A.IPSec Core Protocols 10 1)Authentication Header 10 2)Encapsulating Security Payload 10 B.IPSec Support Components 11 1Encryption Algorithm 11 3)Security Policies and Asociations: 11 4)Internet Key Exchange 13 4.IPSec Implementation 14 A.IPSec Implemented in Host 14 B.IPSec Implemented in Router 14 5.IPSec Architecture 14 A.Integrated Architecture: 14 B.Bump in the Stack (BITS) Architecture: 15 C.Bump in the Wire (BITW) Architecture 15 6.Working of IPSec 16 A.Transport Mode 16 B.Tunnel Mode 18 7.Discussion and Conclusion 19 8.References 20 Abstract Internet is a public network which was not created with the aspect of security in mind. Since the Internet Protocol has no built in security feature and the information communicated over the Internet is in the form of plain text, this information is very vulnerable to threats such as unauthorized examination, alteration or exploitation. In order to ensure security of information over the Internet various security technologies have been proposed that usually work on the higher layers of the OSI model and provide security in terms of authentication, confidentiality, integrity and availability. IPSec is one such security technology that operates on the IP layer and provides confidentiality, integrity and authentication. As it operates at the IP layer, its implementation provides security in the higher layers as well. And its implementation is such that the existing setup of Internet does not have to be changed in order to implement it. This report presents an overview of the IPSec technology. It discusses the general architecture of the technology, briefly covering its technical details and its operation modes. Furthermore the report discusses how IPSec can be integrated into the existing Internet setup. 1. Introduction The security of information is defined by four attributes; confidentiality, integrity, privacy and availability (Adeyinka, 2008). In the past, when computers were not that common a commodity let alone the Internet, virtual private networks were formed through installation of dedicated leased lines between the hosts e.g. networking of remote offices (Liska, 2003). Figure 1 Dedicated Leased Lines VPN Since these lease lines were private the information sent or retrieved remained within the related parties and so the communication was fast and secure. Thus private networks were formed. But the setup was costly and very few companies could afford it. Later on, in order to accommodate the mobile users, the companies installed dedicated remote dial-in servers (Remote Access Servers) that had modem(s) each connected to a separate dedicated phone line (Liska, 2003). Figure 2 Dial-up VPN Although the networking was achieved, yet the effort was not that useful as the speed of these networks was very slow. With the advent of the Internet and its global web servers that provided larger and easier access worldwide, the use of leased lines became an expensive burden and remained limited to very few resourceful companies. In view to the easy access to worldwide communication granted by the Internet, the element of security somewhat lost its significance and every other school, office, company and business sought out to be connected through the Internet. The instances of some serious cyber crimes (“Cyber Crime Stories”) led to the realization that the Internet is not at all secure. Being a public medium, the information sent across the Internet in the form of data packets passes through various networks until they reach their intended destination. Since the Internet protocol (IP) offers no built-in security, this plain text data in the IP datagram cannot be prevented from unauthorized access from the public network. Any third party can easily inspect, even modify or generate false data and compromise system security. For instance the passwords that are sent can be tracked and looked into (packet-sniffing), IP packets can be generated with false IP and sent to servers that authenticate based on IPs, etc. A number of technologies have been therefore designed to ensure security across the Internet which basically worked on the application layer of the OSI model. Table 1 lists down the various technologies designed considering the security threats prevailing on the Internet (Adeyinka,2008). Table 1 Internet Threats and Security Technologies Computer Security Attributes Attack Methods Technology for Internet Security Confidentiality Eavesdropping, Hacking, Phishing, DoS and IP Spoofing IDS, Firewall, Cryptographic Systems, IPSec and SSL Integrity Viruses, Worms, Trojans, Eavesdropping, DoS and IP Spoofing. IDS, Firewall, Anti-Malware Software, IPSec and SSL. Privacy Email bombing, Spamming, Hacking, DoS and Cookies IDS, Firewall, Anti-Malware Software, IPSec and SSL. Availability DoS, Email bombing, Spamming and Systems Boot Record Infectors IDS, Anti-Malware Software and Firewall. IPSec is one of the Internet security technologies aimed at ensuring the confidentiality, authenticity and privacy of online information. This report provides a detailed overview of the IPSec. 2. Internet Protocol Security (IPSec) IPSec is a combination of protocols and services that intend to provide an IP network with a complete security solution i.e. One of the biggest strengths of IPSec is that since IPSec operates at the IP layer of the OSI model, it implicitly provides protection to the higher layers as well i.e. the TCP and Application, even if there is no explicit protection added for those layers. IPSec provides security of authentication, confidentiality and integrity. It encrypts the user data thus ensures privacy, checks the integrity of data to ensure it has not been altered when passing through the network, provides the communicating devices with the ability to negotiate on the keys and security algorithms to ensure authenticity. Since IPSec promotes the idea of implementing virtual private networks (VPNs) over the Internet, it is a powerful security technology with a bright future owing to the increasing number of companies taking their business or work online. 3. IPSec Suite IPSec was designed to facilitate with the security of the existing TCP/IP networks. When two devices whether that be hosts, routers or firewalls want to communicate securely, they must establish a secure path between themselves which may pass through several insecure intermediate systems. To achieve this secure path, three tasks are minimally required to be performed; agreement of security protocols to use so that the data communicated can be understood by the two devices, agreement of the particular encryption algorithm for encoding the data accordingly and finally exchange of keys to decode the encrypted data with. Once the tasks are performed the devices can communicate securely. IPSec can be defined as the package that performs all these tasks using a set of standardized technologies. Therefore IPSec is not defined as a single Internet standard. Its architecture is defined by a collection of standardized protocols, services and RFCs as shown in Table 2 (Goralski, 2009). A number of core and support components work together to deliver the security service of IPSec. Figure 1 presents the high level view of the IPSec Suite. Figure 3 Overview of IPSec Protocol Suite The remaining section gives a brief overview of each of the components. A. IPSec Core Protocols Two of the core technologies of IPSec Suite also referred to as the “core protocols” are the Authentication Header (AH) and the Encapsulating Security Payload (ESP) which are implemented as part of the IP datagram header . 1) Authentication Header The role of this protocol is to provide the authentication service of the IPSec. AH allows the message recipient to verify three facts; the message was indeed sent by the original sender, the message has not been altered along the way, and that the message is not replayed (captured and resent by an unauthorized user along the way). Figure 4 IPSec Authentication Header (Jawin Technologies, 2005) 2) Encapsulating Security Payload The role of this protocol is to ensure privacy of the message. In order to ensure the confidentiality of the message, the payload of an IP datagram is encrypted by the ESP. Figure 5 Encapsulating Security Payload (Jawin Technologies) B. IPSec Support Components The core components cannot work at their own and require certain supporting protocols and service. The three major supporting components the encryption algorithm, security policies and lastly Internet Key Exchange (IKE). 1 Encryption Algorithm The AH and ESP are generic protocols that do not specify any particular encryption mechanism and therefore are flexible to negotiation of using one favourable to situations. The most common encryption algorithms are the Secure Hash Algorithm 1 (SHA-1) and the Message Digest 5 (MD5). 3) Security Policies and Asociations: As the communication devices have the flexibility of choosing the security parameters, a policy needs to be present to keep track of the relationships. IPSec uses constructs (‘security policies’ and ‘security associations’) and methods of exchanging this information. A certain overhead of resources is required in providing IPSec. A device may be handling a lot of message exchanges with different devices. And not every message requires the same level of security or the same kind of processing. IPSec is equipped to handle this complex problem through use of security Policies and Security Associations. Security Policies: These are rules that are programmed into the IPSec implementations that contain guidelines regarding the processing of the different datagrams. For instance, a policy tells whether a certain packet has IPSec implemented or not, or whether a packet completely bypasses the AH and ECP. Security Policies are stored in the Security Policy Database (SPD) of the device. Security Associations: These are a set of security details that describe the security mechanisms and parameters agreed upon by the two communicating devices. SAs are stored in Security Association Database (SAD) on a device. The difference between the SPD and SAD lies in the level of security detail. SPD contains general information while SPD contains specific information. When a datagram arrives, the device first consults with the SPD to see how to process the datagram. The SPD may reference to any specific association in the SAD. Allocation of Security Policies to Security Associations: In order to determine what policy applies to a datagram, IPSec has a flexible system of ‘selectors’ which are rules for selecting from the datagrams those that a security association would apply to. SAs are unidirectional i.e. a separate SA exists for a device’s inbound or outbound traffic each. SAs are identified by a set of three parameters (called triple); 1. Security Parameter Index (SPI): It is a 32 bit number that uniquely identifies a specific SA for a connected device. It is placed inside the AH and ESP header of the datagram thus linking each datagram to the SA. The recipient of the datagram identifies the SA through the SPI. 2. IP Destination Address: This is the IP address of the communicating device for which the SA is formed. 3. Security Protocol Identifier: This is used for specifying whether the association belongs to the AH or the ESP. In case both of both, a separate SA exists for each. Thus the security policies and the databases govern the operations of the AH and ESP. The SAs can be configured either manually or through the IKE. 4) Internet Key Exchange The encoding and decoding of information is done on the basis of a key which only the sending and receiving party knows. And this secret key needs to be exchanged securely between the two parties even before the information is secured through the AH and ECP protocols. IKE is also used in the exchange of SAs which in turn guide the operations of the AH and ESP. IKE is a “hybrid” protocol as it is a combination of three protocols; Internet Security Association and Key Management Protocol (ISAKMP), OAKLEY and SCHEME. IKE generally works in the framework of ISAKMP while taking bits from the OAKLEY and SCHEME. Therefore its operation has two phases; Phase 1 is the configuration phase wherein the two devices agree on the methods of securely exchanging information (the encryption algorithm, hash algorithm and the authentication method). The result of agreement is the SA for ISAKMP itself. This SA is then used to exchange the detailed information in phase 2. Phase 2 uses the ISAKMP SA formed in phase 1 for creating SA for other protocols i.e. the AH and ESP. By using a separate phase for establishing only the ISAKMP SAs in the start, while leaving behind the ESP and AH, multiple negotations can be done in phase 2 based on the SAs from phase 1 as unlike the SAs, the ISAKMPS are bidirectional. Secondly, simpler methods of exchange can be used in the second phase. 4. IPSec Implementation IPSec is programmed into the IP layer. It is either implemented into the hosts or in the routers or both. A. IPSec Implemented in Host Putting IPSec into end hosts offer the highest form of end-to-end security and flexibility. However, implementing them in large networks requires a lot of work. B. IPSec Implemented in Router By implementing security in routers the work lessens to a great degree as one router represents hundreds of clients. However, this way the IPSec remains between two routers implementing IPSec. This setting works well for most of the VPNs where the outgoing traffic can be secured this way. 5. IPSec Architecture There are three different architectures for the IPSec that represent how to make IPSec part of the TCP/IP protocol. A. Integrated Architecture: IPSec is integrated directly into the regular IP layer without adding any extra hardware or software layer. IPv6 supports IPSec however IPv4 requires changes to be the IP implementation on every device that requires implementing IPSec. Figure 6 Imtegrated Architecture (Doraswamy et. Al, 2003) The integrated architecture is generally implemented in the routers (Doraswamy et. Al, 2003). B. Bump in the Stack (BITS) Architecture: IPSec is implemented as a separate layer between the IP and data link layer through software. Once an IP datagram is intercepted while coming down the protocol stack, the security layer is added and thereafter forwarded onto the data link layer. The advantage of BITS is that IPSec can be implemented on any IP device. The disadvantage is the extra effort involved in processing each IP datagram. IPv4 hosts generally use BITS. Figure 7 BITS Stak Layering C. Bump in the Wire (BITW) Architecture IPSec is implemented by adding an extra hardware device between the communicating devices i.e. the routers. These devices add the IPSec layer to IP datagrams while sending the packets and strip the IPSec layer on receipt of IPSec packets. BITS can be added to any network. The disadvantage is the added complexity of the network and the cost. Figure 8 BITW Architecture (Doraswamy et. Al, 2003) 6. Working of IPSec The type of IPSec architecture selected determines the operation mode of the IPSec. IPSec operates in two modes; transport and tunnel mode. The modes describe how the AH and ESP perform their roles and also define the security associations (SAs). A. Transport Mode In this mode the message that comes down from the transport layer (TCP or UDP) is protected by adding the AH and ESP headers in between the IP header and the transport layer header. A new IP header is added at the start. Figure 9 IPSec Transport Mode Operation This mode is generally used with the Integrated Architecture between two hosts that support IPSec. Figure 10 IPSec In Transport Mode (Schitka et. al) B. Tunnel Mode In this mode, the complete IP datagram is secured. Once the IP header is added before the transport layer header, the AH and ESP headers are added after the IP headers. A new IP header is added at the start. Figure 11 IPSec Tunnel Mode Operation (The TCP/IP Guide, 2005) Using this mode a virtual tunnel is formed between merely the IPSec supporting devices. This mode is generally employed with the BITS and BITW architectures (a common choice in VPNs) between two routers. All communication between the routers is authenticated and encrypted. Figure 12 IPSec in Tunnel Mode (Schitka et. al) 7. Discussion and Conclusion IPSec is a powerful security technology which happens to be a pressing need of the present day world where use of Internet has seeped into the core of many companies and organizations worlwide that deal in sensitive information. In the old times networks were formed through leased dedicated lines between the comminucating devices. These networks were secure. Intenet however is a public, untrusted network. IPSec is based on the strategy of achieving a secure Virtual Private Network by tunneling the between the two endpoints. Through VPNs, a mobile user from anywhere in the world can access a company’s secure and private inner network without having to worry about the information travelling through the public network i.e. the Internet. The major strength of IPSec is that it can be embedded within the existing Internet settings without having to make significant alterations and the security offered is better than the other technologies that operate at the higher layers of the Internet Protocol stack. Since it is integrated into the IP Layer, the security is propagated implicitly to the higher layers as well and is not specific to any application running on the device. 8. References Adeyinka, Olalekan. Internet Attack Methods and Internet Security Technology. International Conference onModeling & Simulation, 2008. AICMS 08. Second Asia. Page(s): 77 – 82. 2008. Doraswamy, N., Harkins, D. and Dan Harkins, D. Ipsec: The New Security Standard for the Internet, Intranet and Virtual Private Network. Prentice Hall Professional. 2003. Goralski, Walter. The Illustrated Network: How TCP/IP Works in a Modern Network. Morgan Kaufmann. 2009. Jawin Technologies. Network Protocols Handbook: Overview of All Active Network Protocols. Jawin Technologies Inc. 2005. Liska, Allan. The Practice of Network Security: Deployment Strategies for Production Environments. Pg. 137. Prentice Hall Professional. 2003. Schitka, M.J., Eckert, J.W. and McCann, Brian. Mcse Guide To Managing A Microsoft Windows Server 2003 Network, Enhanced: 70-291. Page 273-274. Cengage Learning. 2005. The FBI. Cyber Crime Stories. http://www.fbi.gov/news/stories/story-index/cyber-crimes The TCP/IP Guide. IPSec Architectures and Implementation Methods. 2005. http://www.tcpipguide.com/free/t_IPSecArchitecturesandImplementationMethods.htm Read More