StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Internet Protocol Security (IPsec) - Report Example

Cite this document
Summary
This report  'Internet Protocol Security (IPsec)' presents an overview of the IPSec technology. It discusses the general architecture of the technology, briefly covering its technical details and its operation modes.Furthermore the report discusses how IPSec can be integrated into the existing Internet setup. …
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER97.4% of users find it useful
Internet Protocol Security (IPsec)
Read Text Preview

Extract of sample "Internet Protocol Security (IPsec)"

? Internet Protocol Security (IPSec) By Table of Contents 4 Introduction 5 2.Internet Protocol Security (IPSec) 7 3.IPSec Suite 8 A.IPSec Core Protocols 10 1)Authentication Header 10 2)Encapsulating Security Payload 10 B.IPSec Support Components 11 1Encryption Algorithm 11 3)Security Policies and Asociations: 11 4)Internet Key Exchange 13 4.IPSec Implementation 14 A.IPSec Implemented in Host 14 B.IPSec Implemented in Router 14 5.IPSec Architecture 14 A.Integrated Architecture: 14 B.Bump in the Stack (BITS) Architecture: 15 C.Bump in the Wire (BITW) Architecture 15 6.Working of IPSec 16 A.Transport Mode 16 B.Tunnel Mode 18 7.Discussion and Conclusion 19 8.References 20 Abstract Internet is a public network which was not created with the aspect of security in mind. Since the Internet Protocol has no built in security feature and the information communicated over the Internet is in the form of plain text, this information is very vulnerable to threats such as unauthorized examination, alteration or exploitation. In order to ensure security of information over the Internet various security technologies have been proposed that usually work on the higher layers of the OSI model and provide security in terms of authentication, confidentiality, integrity and availability. IPSec is one such security technology that operates on the IP layer and provides confidentiality, integrity and authentication. As it operates at the IP layer, its implementation provides security in the higher layers as well. And its implementation is such that the existing setup of Internet does not have to be changed in order to implement it. This report presents an overview of the IPSec technology. It discusses the general architecture of the technology, briefly covering its technical details and its operation modes. Furthermore the report discusses how IPSec can be integrated into the existing Internet setup. 1. Introduction The security of information is defined by four attributes; confidentiality, integrity, privacy and availability (Adeyinka, 2008). In the past, when computers were not that common a commodity let alone the Internet, virtual private networks were formed through installation of dedicated leased lines between the hosts e.g. networking of remote offices (Liska, 2003). Figure 1 Dedicated Leased Lines VPN Since these lease lines were private the information sent or retrieved remained within the related parties and so the communication was fast and secure. Thus private networks were formed. But the setup was costly and very few companies could afford it. Later on, in order to accommodate the mobile users, the companies installed dedicated remote dial-in servers (Remote Access Servers) that had modem(s) each connected to a separate dedicated phone line (Liska, 2003). Figure 2 Dial-up VPN Although the networking was achieved, yet the effort was not that useful as the speed of these networks was very slow. With the advent of the Internet and its global web servers that provided larger and easier access worldwide, the use of leased lines became an expensive burden and remained limited to very few resourceful companies. In view to the easy access to worldwide communication granted by the Internet, the element of security somewhat lost its significance and every other school, office, company and business sought out to be connected through the Internet. The instances of some serious cyber crimes (“Cyber Crime Stories”) led to the realization that the Internet is not at all secure. Being a public medium, the information sent across the Internet in the form of data packets passes through various networks until they reach their intended destination. Since the Internet protocol (IP) offers no built-in security, this plain text data in the IP datagram cannot be prevented from unauthorized access from the public network. Any third party can easily inspect, even modify or generate false data and compromise system security. For instance the passwords that are sent can be tracked and looked into (packet-sniffing), IP packets can be generated with false IP and sent to servers that authenticate based on IPs, etc. A number of technologies have been therefore designed to ensure security across the Internet which basically worked on the application layer of the OSI model. Table 1 lists down the various technologies designed considering the security threats prevailing on the Internet (Adeyinka,2008). Table 1 Internet Threats and Security Technologies Computer Security Attributes Attack Methods Technology for Internet Security Confidentiality Eavesdropping, Hacking, Phishing, DoS and IP Spoofing IDS, Firewall, Cryptographic Systems, IPSec and SSL Integrity Viruses, Worms, Trojans, Eavesdropping, DoS and IP Spoofing. IDS, Firewall, Anti-Malware Software, IPSec and SSL. Privacy Email bombing, Spamming, Hacking, DoS and Cookies IDS, Firewall, Anti-Malware Software, IPSec and SSL. Availability DoS, Email bombing, Spamming and Systems Boot Record Infectors IDS, Anti-Malware Software and Firewall. IPSec is one of the Internet security technologies aimed at ensuring the confidentiality, authenticity and privacy of online information. This report provides a detailed overview of the IPSec. 2. Internet Protocol Security (IPSec) IPSec is a combination of protocols and services that intend to provide an IP network with a complete security solution i.e. One of the biggest strengths of IPSec is that since IPSec operates at the IP layer of the OSI model, it implicitly provides protection to the higher layers as well i.e. the TCP and Application, even if there is no explicit protection added for those layers. IPSec provides security of authentication, confidentiality and integrity. It encrypts the user data thus ensures privacy, checks the integrity of data to ensure it has not been altered when passing through the network, provides the communicating devices with the ability to negotiate on the keys and security algorithms to ensure authenticity. Since IPSec promotes the idea of implementing virtual private networks (VPNs) over the Internet, it is a powerful security technology with a bright future owing to the increasing number of companies taking their business or work online. 3. IPSec Suite IPSec was designed to facilitate with the security of the existing TCP/IP networks. When two devices whether that be hosts, routers or firewalls want to communicate securely, they must establish a secure path between themselves which may pass through several insecure intermediate systems. To achieve this secure path, three tasks are minimally required to be performed; agreement of security protocols to use so that the data communicated can be understood by the two devices, agreement of the particular encryption algorithm for encoding the data accordingly and finally exchange of keys to decode the encrypted data with. Once the tasks are performed the devices can communicate securely. IPSec can be defined as the package that performs all these tasks using a set of standardized technologies. Therefore IPSec is not defined as a single Internet standard. Its architecture is defined by a collection of standardized protocols, services and RFCs as shown in Table 2 (Goralski, 2009). A number of core and support components work together to deliver the security service of IPSec. Figure 1 presents the high level view of the IPSec Suite. Figure 3 Overview of IPSec Protocol Suite The remaining section gives a brief overview of each of the components. A. IPSec Core Protocols Two of the core technologies of IPSec Suite also referred to as the “core protocols” are the Authentication Header (AH) and the Encapsulating Security Payload (ESP) which are implemented as part of the IP datagram header . 1) Authentication Header The role of this protocol is to provide the authentication service of the IPSec. AH allows the message recipient to verify three facts; the message was indeed sent by the original sender, the message has not been altered along the way, and that the message is not replayed (captured and resent by an unauthorized user along the way). Figure 4 IPSec Authentication Header (Jawin Technologies, 2005) 2) Encapsulating Security Payload The role of this protocol is to ensure privacy of the message. In order to ensure the confidentiality of the message, the payload of an IP datagram is encrypted by the ESP. Figure 5 Encapsulating Security Payload (Jawin Technologies) B. IPSec Support Components The core components cannot work at their own and require certain supporting protocols and service. The three major supporting components the encryption algorithm, security policies and lastly Internet Key Exchange (IKE). 1 Encryption Algorithm The AH and ESP are generic protocols that do not specify any particular encryption mechanism and therefore are flexible to negotiation of using one favourable to situations. The most common encryption algorithms are the Secure Hash Algorithm 1 (SHA-1) and the Message Digest 5 (MD5). 3) Security Policies and Asociations: As the communication devices have the flexibility of choosing the security parameters, a policy needs to be present to keep track of the relationships. IPSec uses constructs (‘security policies’ and ‘security associations’) and methods of exchanging this information. A certain overhead of resources is required in providing IPSec. A device may be handling a lot of message exchanges with different devices. And not every message requires the same level of security or the same kind of processing. IPSec is equipped to handle this complex problem through use of security Policies and Security Associations. Security Policies: These are rules that are programmed into the IPSec implementations that contain guidelines regarding the processing of the different datagrams. For instance, a policy tells whether a certain packet has IPSec implemented or not, or whether a packet completely bypasses the AH and ECP. Security Policies are stored in the Security Policy Database (SPD) of the device. Security Associations: These are a set of security details that describe the security mechanisms and parameters agreed upon by the two communicating devices. SAs are stored in Security Association Database (SAD) on a device. The difference between the SPD and SAD lies in the level of security detail. SPD contains general information while SPD contains specific information. When a datagram arrives, the device first consults with the SPD to see how to process the datagram. The SPD may reference to any specific association in the SAD. Allocation of Security Policies to Security Associations: In order to determine what policy applies to a datagram, IPSec has a flexible system of ‘selectors’ which are rules for selecting from the datagrams those that a security association would apply to. SAs are unidirectional i.e. a separate SA exists for a device’s inbound or outbound traffic each. SAs are identified by a set of three parameters (called triple); 1. Security Parameter Index (SPI): It is a 32 bit number that uniquely identifies a specific SA for a connected device. It is placed inside the AH and ESP header of the datagram thus linking each datagram to the SA. The recipient of the datagram identifies the SA through the SPI. 2. IP Destination Address: This is the IP address of the communicating device for which the SA is formed. 3. Security Protocol Identifier: This is used for specifying whether the association belongs to the AH or the ESP. In case both of both, a separate SA exists for each. Thus the security policies and the databases govern the operations of the AH and ESP. The SAs can be configured either manually or through the IKE. 4) Internet Key Exchange The encoding and decoding of information is done on the basis of a key which only the sending and receiving party knows. And this secret key needs to be exchanged securely between the two parties even before the information is secured through the AH and ECP protocols. IKE is also used in the exchange of SAs which in turn guide the operations of the AH and ESP. IKE is a “hybrid” protocol as it is a combination of three protocols; Internet Security Association and Key Management Protocol (ISAKMP), OAKLEY and SCHEME. IKE generally works in the framework of ISAKMP while taking bits from the OAKLEY and SCHEME. Therefore its operation has two phases; Phase 1 is the configuration phase wherein the two devices agree on the methods of securely exchanging information (the encryption algorithm, hash algorithm and the authentication method). The result of agreement is the SA for ISAKMP itself. This SA is then used to exchange the detailed information in phase 2. Phase 2 uses the ISAKMP SA formed in phase 1 for creating SA for other protocols i.e. the AH and ESP. By using a separate phase for establishing only the ISAKMP SAs in the start, while leaving behind the ESP and AH, multiple negotations can be done in phase 2 based on the SAs from phase 1 as unlike the SAs, the ISAKMPS are bidirectional. Secondly, simpler methods of exchange can be used in the second phase. 4. IPSec Implementation IPSec is programmed into the IP layer. It is either implemented into the hosts or in the routers or both. A. IPSec Implemented in Host Putting IPSec into end hosts offer the highest form of end-to-end security and flexibility. However, implementing them in large networks requires a lot of work. B. IPSec Implemented in Router By implementing security in routers the work lessens to a great degree as one router represents hundreds of clients. However, this way the IPSec remains between two routers implementing IPSec. This setting works well for most of the VPNs where the outgoing traffic can be secured this way. 5. IPSec Architecture There are three different architectures for the IPSec that represent how to make IPSec part of the TCP/IP protocol. A. Integrated Architecture: IPSec is integrated directly into the regular IP layer without adding any extra hardware or software layer. IPv6 supports IPSec however IPv4 requires changes to be the IP implementation on every device that requires implementing IPSec. Figure 6 Imtegrated Architecture (Doraswamy et. Al, 2003) The integrated architecture is generally implemented in the routers (Doraswamy et. Al, 2003). B. Bump in the Stack (BITS) Architecture: IPSec is implemented as a separate layer between the IP and data link layer through software. Once an IP datagram is intercepted while coming down the protocol stack, the security layer is added and thereafter forwarded onto the data link layer. The advantage of BITS is that IPSec can be implemented on any IP device. The disadvantage is the extra effort involved in processing each IP datagram. IPv4 hosts generally use BITS. Figure 7 BITS Stak Layering C. Bump in the Wire (BITW) Architecture IPSec is implemented by adding an extra hardware device between the communicating devices i.e. the routers. These devices add the IPSec layer to IP datagrams while sending the packets and strip the IPSec layer on receipt of IPSec packets. BITS can be added to any network. The disadvantage is the added complexity of the network and the cost. Figure 8 BITW Architecture (Doraswamy et. Al, 2003) 6. Working of IPSec The type of IPSec architecture selected determines the operation mode of the IPSec. IPSec operates in two modes; transport and tunnel mode. The modes describe how the AH and ESP perform their roles and also define the security associations (SAs). A. Transport Mode In this mode the message that comes down from the transport layer (TCP or UDP) is protected by adding the AH and ESP headers in between the IP header and the transport layer header. A new IP header is added at the start. Figure 9 IPSec Transport Mode Operation This mode is generally used with the Integrated Architecture between two hosts that support IPSec. Figure 10 IPSec In Transport Mode (Schitka et. al) B. Tunnel Mode In this mode, the complete IP datagram is secured. Once the IP header is added before the transport layer header, the AH and ESP headers are added after the IP headers. A new IP header is added at the start. Figure 11 IPSec Tunnel Mode Operation (The TCP/IP Guide, 2005) Using this mode a virtual tunnel is formed between merely the IPSec supporting devices. This mode is generally employed with the BITS and BITW architectures (a common choice in VPNs) between two routers. All communication between the routers is authenticated and encrypted. Figure 12 IPSec in Tunnel Mode (Schitka et. al) 7. Discussion and Conclusion IPSec is a powerful security technology which happens to be a pressing need of the present day world where use of Internet has seeped into the core of many companies and organizations worlwide that deal in sensitive information. In the old times networks were formed through leased dedicated lines between the comminucating devices. These networks were secure. Intenet however is a public, untrusted network. IPSec is based on the strategy of achieving a secure Virtual Private Network by tunneling the between the two endpoints. Through VPNs, a mobile user from anywhere in the world can access a company’s secure and private inner network without having to worry about the information travelling through the public network i.e. the Internet. The major strength of IPSec is that it can be embedded within the existing Internet settings without having to make significant alterations and the security offered is better than the other technologies that operate at the higher layers of the Internet Protocol stack. Since it is integrated into the IP Layer, the security is propagated implicitly to the higher layers as well and is not specific to any application running on the device. 8. References Adeyinka, Olalekan. Internet Attack Methods and Internet Security Technology. International Conference onModeling & Simulation, 2008. AICMS 08. Second Asia. Page(s): 77 – 82. 2008. Doraswamy, N., Harkins, D. and Dan Harkins, D. Ipsec: The New Security Standard for the Internet, Intranet and Virtual Private Network. Prentice Hall Professional. 2003. Goralski, Walter. The Illustrated Network: How TCP/IP Works in a Modern Network. Morgan Kaufmann. 2009. Jawin Technologies. Network Protocols Handbook: Overview of All Active Network Protocols. Jawin Technologies Inc. 2005. Liska, Allan. The Practice of Network Security: Deployment Strategies for Production Environments. Pg. 137. Prentice Hall Professional. 2003. Schitka, M.J., Eckert, J.W. and McCann, Brian. Mcse Guide To Managing A Microsoft Windows Server 2003 Network, Enhanced: 70-291. Page 273-274. Cengage Learning. 2005. The FBI. Cyber Crime Stories. http://www.fbi.gov/news/stories/story-index/cyber-crimes The TCP/IP Guide. IPSec Architectures and Implementation Methods. 2005. http://www.tcpipguide.com/free/t_IPSecArchitecturesandImplementationMethods.htm Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Internet Protocol Security (IPsec) Research Paper”, n.d.)
Retrieved from https://studentshare.org/information-technology/1402473-internet-protocol-security-ipsec
(Internet Protocol Security (IPsec) Research Paper)
https://studentshare.org/information-technology/1402473-internet-protocol-security-ipsec.
“Internet Protocol Security (IPsec) Research Paper”, n.d. https://studentshare.org/information-technology/1402473-internet-protocol-security-ipsec.
  • Cited: 0 times

CHECK THESE SAMPLES OF Internet Protocol Security (IPsec)

Windows Server Deployment: New Features of Windows Server 2012

This paper shows Windows Server Deployment Proposal.... It includes New Features of Windows Server 2012, Deployment and Server Editions, Active Directory, DNS and DHCP, Application Services.... Specifically, an author will focus on application deployment and server configuration.... hellip; According to (Schaefer 112-140) the new features of Windows Server 2012 that WAI can take advantages of are....
7 Pages (1750 words) Assignment

Networking Bachelor Essay

These protocols are basically used by banks and large corporate, their functionality includes:Encrypting of InformationDecrypting of InformationRouters Firewalls Data encryption key management Intrusion detection systems (IDS )AuthenticationDigital certificateSecure Sockets Layer (SSL) internet protocol security (IPSec).... The major concern for any organization and/or corporation is to provide the necessary security for the online transaction either done through a bank or via any credit card company....
2 Pages (500 words) Essay

Network Remote Access

internet protocol security (Ipsec).... On this logical connection data packets are constructed in a specific VPN protocol and are encapsulated within some other carrier protocol then transmitted between VPN client and server.... Point-to-point tunneling protocol.... Layer Two Tunneling protocol (L2TP).... internet service provider (ISP). … VPN technology is based on the concept of tunneling....
5 Pages (1250 words) Essay

FCCs Role in Broadband Regulations

Department of Commerce (2010), the internet had a revolutionary effect to the social and economic environment by providing… internet became an integral part of the lives of the citizens in America for both their social and economic lives.... The internet and information technology gave way to growth in economy and Reports showed that the differences in socio-economic, geographic and demographic characteristics of the surveyed households affected the significant difference in demands and use of broadband internet....
8 Pages (2000 words) Assignment

Case Study: Solution to Network Security

The aim of the paper “Case Study: Solution to Net Work security” is to analyze the unprecedented degree of risk of using the Internet.... hellip; The author claims that network security has become a major concern.... The repeated occurrence of similar security breaches like misuse of email suggests that most organizations have failed to tackle network security.... A company that processes credit card transactions must raise its profile of network security to survive in the business....
5 Pages (1250 words) Case Study

The Solution of VPN Connection

In order to protect this risk,… The two-level security prompts the user to enter two aspects of passphrases in case an intruder has one component, but lacks another component.... In the realm of VPN, many security risks are associated with the T1 frame relay that is shown in the diagram.... Malware and security breaches have been a major issue after analyzing this case.... As a matter of fact, it is clear that the organization not only lacks a sufficient system of protection but has failed to integrate a seamless approach of security that cascades from top executives to bottom-layer employees....
6 Pages (1500 words) Case Study

Site to Site Internet Protocol Security

The following essay "Site to Site internet protocol security" is focused on the issue of information security.... As the text has it, internet protocol security (IPSec) happens to be the prime technique that works with all forms of internet traffic in attempts to achieve a secured internetwork system.... hellip; IPSec protocol is a set of protocols that enable the secure exchange of packets at the internet protocol layer.... With IPSec, any piece of information sent from one site to another remains secured due to the involved extensibility of the internet protocol layer....
6 Pages (1500 words) Essay

Network Topology and Design Layout

For the sake of ABC company security, it is crucial that outsiders should not gain access to the internal CVS or internal WWW servers whatsoever.... In terms of security assumptions, it is important for the company to make its security appear good as argued by Cheswick et al (2003) that this is enough to deter attackers.... It is also important to make simple security arrangement since complex things are harder to comprehend and might even be nightmare to their designer (Cheswick et al, 2003, pp....
4 Pages (1000 words) Essay
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us