Saturday, May 25, 2019

Overview on Ipsec

I. Abstract
II. The need for IPSec
  1. Internet threats
  2. TCP/IP security vulnerabilities
  3. The need for IPSec
III. What is IPSec
  1. What is IPSec
  2. IPSec properties
IV. IPSec structure
  1. Authentication header (AH)
  2. Encapsulating Security Payload (ESP)
V. Security Associations (SA)
  1. Security Associations
  2. Combining Security Associations
  3. SA and key management
VI. Building a real VPN with IPSec
  1. VPN overview
  2. IPSec in VPN
VII. Future Research
VIII. Conclusion
IX. References

I. Abstract

It can be seen clearly that the Internet has developed at a very high speed in recent years. In the 80s of the last century, the Internet was only used by the US army, but nowadays the Internet has come to every country, every home and everyone. However, such fast development also comes with an increasing number of security issues on the Internet. Therefore there is a need to find a security solution for this issue, and that is the reason why Internet Protocol Security exists.

In this paper, I will give an overview of this security protocol: what is it? What are its core components? And how is this protocol implemented in practice?

II. The need for IPSec

1. Internet threats

The Internet is quickly changing our world, particularly in the way we do business. The fast development of technology has helped to increase the connection speed of the Internet and decrease the cost as well. This has given an opportunity to people who know how to take advantage of it. The Internet enables such things as:

* Extranets: companies can easily link up with their business partners and their customers. In the past, we had to use dial-up lines with low bandwidth, so we had to wait quite long to get a connection to a web site or to send messages to our friends via Yahoo Messenger.
But today, with the quick development of technology, the speed of the Internet has increased significantly, so the Internet can enable instant, on-demand, high-speed communication with our business customers and partners around the world.
* Intranets: a powerful tool that is widely used for providing communication inside an organization.
* Remote users: the Internet also provides a solution for users who do not need to go to the company but can still connect and access the company network. This helps to reduce transportation costs and also increases the productivity of the company.

It can be said that the Internet provides many business opportunities, but if there are no proper controls, your data can become subject to various kinds of security attacks:

* Loss of privacy: there are many ways that Internet users can lose private information such as their address, family information, phone number, credit cards and so on. This information can be used for marketing purposes, such as sending spam mail about a new product to many people, or, more dangerously, it can be used for theft or criminal purposes such as credit card stealing, disclosing personal information to the public and so on.
* Loss of data integrity: even in the case where your credentials are not stolen, there is still a need for a solution that helps to ensure the integrity of data. For example, when you make a transaction, your password may not be disclosed, but if the amount of money in your transaction was modified, you still have a big problem.
* Identity spoofing: the Internet is an untrusted network, so be careful with your identity when you surf the Internet, because an intruder can impersonate you and get access to your confidential data.
* Denial of service: as organizations take advantage of the Internet, there is the issue that the service being performed is almost always a constant while in operation, so it is easy for an external observer to detect a DoS attack.
These attacks are generally transient.

2. TCP/IP security vulnerabilities

The main reason leading to the Internet threats mentioned above is that TCP/IP, the foundation of the Internet, has many security vulnerabilities. When IP, TCP, UDP and the infrastructure protocols of TCP/IP were designed, they were meant for use in a very small network where all hosts and users were known, so security concerns were almost non-existent. But today, with the very quick development of the Internet, more and more security vulnerabilities of TCP/IP are being exploited. In this section I will give an overview of popular kinds of attacks on TCP/IP.

a. TCP SYN or TCP ACK flood attack: this is a form of DoS attack in which an intruder sends a succession of SYN requests to the victim's system to consume the resources of the victim's server, so that the server cannot respond to legitimate connections.
b. TCP sequence number attack: by predicting the TCP sequence number, an attacker can inject data or take over a pre-established connection.
c. ICMP attacks: an attacker can use ICMP messages that make a host stop working, such as Time Exceeded or Destination Unreachable messages. The attacker can make use of this by simply forging one of these ICMP messages and sending it to one or both of the communicating hosts. Their connection will then be torn down.
d. Smurf attacks: the smurf attack is a modification of the classic ping flood attack. Instead of sending ICMP echo packets from his own system to the victim's network, the attacker sends a packet to the broadcast address of an intermediate network with the return IP address set to the victim's network.

3. The need for IPSec

To solve the issues mentioned in the previous sections, it is necessary to have a protocol suite which can provide authentication and encryption for IP packets, to increase the security level of data communication over the Internet. That is the reason why we have Internet Protocol Security (IPSec).
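Before moving on to IPSec itself, it helps to see what two of the attacks listed in II.2 look like from the defender's side. The following is an added example, not code from the paper: it runs simple detection heuristics for a SYN flood (half-open handshakes piling up on one server) and for a smurf attack (an echo request aimed at a broadcast address, and a host receiving echo replies from far more sources than the requests it sent) over a small, constructed packet trace. The trace, the thresholds and the "local networks" list are this example's own assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    flags: str = ""      # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply


# Constructed trace (not captured data): one normal handshake from 10.0.0.5, forty
# SYNs from different sources that are never completed, and one echo request sent
# to a broadcast address with the victim's address as source, followed by the
# replies that converge on that victim.
TRACE = (
    [Packet("10.0.0.5", "192.0.2.10", "tcp", "S"),
     Packet("192.0.2.10", "10.0.0.5", "tcp", "SA"),
     Packet("10.0.0.5", "192.0.2.10", "tcp", "A")]
    + [Packet(f"203.0.113.{i}", "192.0.2.10", "tcp", "S") for i in range(1, 41)]
    + [Packet("192.0.2.10", f"203.0.113.{i}", "tcp", "SA") for i in range(1, 41)]
    + [Packet("192.0.2.77", "198.51.100.255", "icmp", icmp_type=8)]
    + [Packet(f"198.51.100.{i}", "192.0.2.77", "icmp", icmp_type=0) for i in range(1, 31)]
)

SYN_FLOOD_THRESHOLD = 20          # assumption: size it to the server's listen backlog
AMPLIFICATION_MIN_SOURCES = 10    # assumption: distinct repliers before we call it smurf
LOCAL_NETWORKS = [ip_network("198.51.100.0/24")]  # assumption: the prefixes we defend


def half_open_by_destination(trace):
    """Count handshakes per server that got a SYN but never the client's final ACK."""
    pending = set()
    for p in trace:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            pending.add((p.src, p.dst))
        elif p.flags == "A":
            pending.discard((p.src, p.dst))
    return Counter(dst for _, dst in pending)


def syn_flood_victims(trace, threshold=SYN_FLOOD_THRESHOLD):
    """Servers whose half-open connection count reaches the threshold."""
    return sorted(dst for dst, n in half_open_by_destination(trace).items() if n >= threshold)


def smurf_indicators(trace):
    """Two views of a smurf attack: echo requests aimed at one of our broadcast
    addresses (we are being used as the amplifier), and hosts receiving echo replies
    from far more distinct sources than the requests they sent (they are the victim)."""
    broadcasts = {n.broadcast_address for n in LOCAL_NETWORKS}
    broadcast_hits = []
    requests_by_src = Counter()
    reply_sources = defaultdict(set)
    for p in trace:
        if p.proto != "icmp":
            continue
        if p.icmp_type == 8:
            requests_by_src[p.src] += 1
            if ip_address(p.dst) in broadcasts:
                broadcast_hits.append((p.src, p.dst))
        elif p.icmp_type == 0:
            reply_sources[p.dst].add(p.src)
    victims = sorted(dst for dst, srcs in reply_sources.items()
                     if len(srcs) >= AMPLIFICATION_MIN_SOURCES
                     and len(srcs) > requests_by_src[dst])
    return broadcast_hits, victims


if __name__ == "__main__":
    print("SYN flood targets:", syn_flood_victims(TRACE))
    print("smurf indicators:", smurf_indicators(TRACE))
```

The half-open counter is keyed by destination rather than by source because a flood is usually spread across many (often spoofed) source addresses; the smurf check looks for both roles a network can play, since a site that lets echo requests reach its broadcast address is the amplifier even when the victim is elsewhere.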
III. What is IPSec

1. What is IPSec?

Internet Protocol Security (IPSec) has revolutionized Internet Protocol (IP) security. The IPSec protocol suite utilizes cryptographic techniques to ensure data confidentiality, and digital signatures to authenticate the source of the data transmission. IPSec also brings a new level of interoperability to the Internet that never existed before. It doesn't rely on proprietary protocols or techniques to establish secure links between network nodes. By utilizing IPSec in virtual private networking solutions, organizations can exchange sensitive data over public networks with the knowledge that the parties they are exchanging the data with are the intended receivers, that the data was kept confidential in transit, and that the data did not change during transmission.

IPSec has two goals:
* To ensure the integrity and confidentiality of IP packets.
* To provide a defense against network attacks.

Both goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management.

2. IPSec properties

IPSec has the following properties:
* Anti-replay (replay prevention): ensures the uniqueness of each IP packet; any packet captured by an attacker cannot be put back into the network to establish a session or steal information.
* Integrity: protects data from being modified in transit, ensuring that the received data is the same as the original data.
* Confidentiality (encryption): ensures that data is only known to the authorized recipients. To do this, data is encrypted before being sent, and the receiver has to use a public/private key to decrypt the data when receiving it.
* Authentication: verifies that a message can only be sent by a sender who knows the shared secret key. The sender includes an authentication message with the data before sending; the receiver has to use their key to check the authentication message in order to validate the data. If the key is wrong, the data will be discarded.
IV. IPSec structure

1. Authentication header (AH)

AH is used to authenticate, but not encrypt, IP traffic; in other words this protocol guarantees connectionless integrity and data origin authentication of the packet. Moreover, it can optionally guard against replay attacks by attackers who obtain a copy of an authenticated packet and later put it back into the network.

Structure of AH: the AH header consists of 6 parts.
* Next header (8 bits): this identifies what the upper-level protocol following the AH is.
* AH length (8 bits): this field identifies the size of the authentication header.
* Reserved: this field is a placeholder for future use.
* Security Parameters Index (32 bits): this is a random number that indicates the settings selected by the transmitter to communicate with the receiver. This includes the encryption algorithms that are being used, which encryption keys are being used, and the information about the validity period of these encryption keys.
* Sequence Number: this is a counter that increases each time a packet is transmitted using the parameters set up for the SPI.
* Authentication Data: this is the Integrity Check Value (ICV) for the packet. The sender creates a keyed one-way hash of the packet payload and attaches this hash value to the packet as the authentication field. The receiver can check the integrity of the payload data by hashing the payload data, once it has been decrypted, with the same hash algorithm the sender used. If the two hash values are identical then the recipient can be sure that the data was not modified during transmission. However, because the data is not encrypted, this ensures only the integrity of the payload data, not its confidentiality.
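The receiver-side processing that the AH description above implies is worth seeing end to end, because it also exercises three of the properties from III.2 (integrity, authentication and anti-replay) and the SPI-plus-destination lookup that section V.1 describes. The code below is an added example written for this page, not the paper's code and not taken from any IPSec implementation: it builds an IPv4 packet with an AH (HMAC-SHA1-96 ICV, 12 bytes), then on the receiving side looks the SA up by (SPI, destination address), recomputes the ICV with the mutable IPv4 fields zeroed as RFC 4302 requires, and enforces a 64-packet sliding anti-replay window. The key, addresses and packets are constructed here; the simplified IPv4 header (no options, checksum left zero) is a simplification of this example.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

ICV_LEN = 12        # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits
AH_FIXED_LEN = 12   # next header (1), payload len (1), reserved (2), SPI (4), seq (4)
WINDOW = 64         # anti-replay window size in packets


class InboundSA:
    """The receiver's half of a security association: key plus replay state."""

    def __init__(self, spi, dst, key):
        self.spi, self.dst, self.key = spi, dst, key
        self.highest_seq = 0   # right edge of the window
        self.seen = 0          # bitmask; bit i set <=> (highest_seq - i) was received

    def replay_check(self, seq):
        """Accept seq only if it is new and inside the window, then record it."""
        if seq == 0:
            return False                         # the first packet on an SA uses seq 1
        if seq > self.highest_seq:               # slide the window forward
            shift = seq - self.highest_seq
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW or (self.seen >> offset) & 1:
            return False                         # older than the window, or a duplicate
        self.seen |= 1 << offset
        return True


def ipv4_header(src, dst, total_len, proto=51, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0); protocol 51 = AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def zero_mutable(ip_hdr):
    """Zero the IPv4 fields that change in transit and are excluded from the ICV:
    TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def icv(key, ip_hdr, ah_fixed, payload):
    """ICV over the packet with mutable fields and the ICV field itself zeroed."""
    msg = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, src, dst, next_header, payload):
    """Sender side: insert an AH between the IP header and the payload."""
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ip_hdr = ipv4_header(src, dst, 20 + AH_FIXED_LEN + ICV_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    return ip_hdr + ah_fixed + icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_inbound(sadb, packet):
    """Receiver side. Returns (status, payload) with status one of
    'ok', 'no-sa', 'bad-icv', 'replay'. Assumes a well-formed packet."""
    ip_hdr, rest = packet[:20], packet[20:]
    dst = str(ip_address(ip_hdr[16:20]))
    ah_fixed = rest[:AH_FIXED_LEN]
    _next_header, payload_len_field, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_total = (payload_len_field + 2) * 4
    received_icv, payload = rest[AH_FIXED_LEN:ah_total], rest[ah_total:]
    sa = sadb.get((spi, dst))            # SPI + destination address select the SA
    if sa is None:
        return "no-sa", b""
    if not hmac.compare_digest(received_icv, icv(sa.key, ip_hdr, ah_fixed, payload)):
        return "bad-icv", b""
    if not sa.replay_check(seq):         # the window is only updated after the ICV passed
        return "replay", b""
    return "ok", payload


KEY = bytes.fromhex("0b" * 20)   # constructed demo key, not a real SA key


def demo():
    """Feed a small set of constructed packets through the receiver."""
    sadb = {(0x1000, "192.0.2.10"): InboundSA(0x1000, "192.0.2.10", KEY)}
    p1 = ah_protect(KEY, 0x1000, 1, "10.0.0.5", "192.0.2.10", 6, b"segment one")
    p2 = ah_protect(KEY, 0x1000, 2, "10.0.0.5", "192.0.2.10", 6, b"segment two")
    tampered = p2[:-1] + bytes([p2[-1] ^ 0x01])               # one payload bit flipped
    hopped = bytearray(ah_protect(KEY, 0x1000, 3, "10.0.0.5", "192.0.2.10", 6, b"three"))
    hopped[8] = 7                                             # TTL decremented by routers
    unknown = ah_protect(KEY, 0x2000, 1, "10.0.0.5", "192.0.2.10", 6, b"no such SPI")
    return [ah_inbound(sadb, p)[0] for p in (p1, p2, p1, tampered, bytes(hopped), unknown)]


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'bad-icv', 'ok', 'no-sa']
```

Two details are the ones that matter in practice: the TTL change on the "hopped" packet does not break the ICV because the mutable fields are zeroed on both sides, and the replay window is only advanced after the ICV has been verified, so an attacker cannot use forged packets with large sequence numbers to push genuine packets out of the window.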
2. Encapsulating Security Payload (ESP)

The ESP is the portion of IPSec that addresses the confidentiality of the data being transmitted, and it also offers authentication capabilities. ESP utilizes symmetric encryption techniques to encrypt the IP packet payload. The symmetric encryption algorithms that must be supported in order to be compliant with the standard are DES, 3DES, RSA, CAST, and Blowfish. The ESP will not encrypt the IP header, which includes the information required for routing. It will only encrypt the packet payload, which ensures the confidentiality of the data. There are six elements which make up the ESP, which include

V. Security Associations (SA)

1. Security Associations

A key concept that appears in both the authentication and the encryption mechanism of IPSec is the Security Association (SA). An SA is simply the bundle of algorithms and parameters that is used to provide authentication and confidentiality for a particular flow of traffic in one direction. Thus, in normal bi-directional traffic, the flows are secured by a pair of security associations.

In order to decide what protection is to be provided for an outgoing packet, IPSec uses the Security Parameter Index (SPI), an index into the security association database (SADB), along with the destination address in the packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPSec gathers decryption and verification keys from the security association database. Two types of SAs are defined: transport mode and tunnel mode.

* A transport mode SA is used to provide secure communication between two hosts, and in this mode only the payload of the packet is encrypted (with ESP) or authenticated (with AH), so it only provides protection for upper-layer protocols.
* A tunnel mode SA is used to provide secure communication between two gateways, or between a gateway and a host, and in this mode the entire IP packet is encrypted (with ESP) or authenticated (with AH).

2. Combining Security Associations

Any single SA can select AH or ESP to protect the data transmitted over an IP network, but it cannot combine the two protocols. Therefore, there is a need to combine many SAs to achieve the required security policy. The term security association bundle, or SA bundle, is applied to a sequence of SAs through which traffic must be processed to satisfy a security policy. Security associations may be combined into bundles in two ways: transport adjacency and iterated tunneling.

* Transport adjacency refers to applying more than one security protocol to the same IP datagram, without invoking tunneling. This is only applicable for combining AH and ESP at the same level.
* Iterated tunneling refers to the application of multiple layers of security protocols through IP tunneling. This approach allows multiple levels of nesting, since each tunnel can originate or terminate at a different IPSec site along the path.

Basic ways of combining SAs: the documents about the IPSec structure list four cases of combining SAs, based on the compatibility between servers or gateways.
* Case 1: all security properties are provided between the end systems.
* Case 2: security is only provided between gateways, and no host implements IPSec.
* Case 3: based on case 2, but adds end-to-end security.
* Case 4: supports remote access through the Internet within the scope of firewalls, and extends access to the servers or hosts behind the firewalls.

3. SA and key management

Key management is an important part of IPSec, concerned with identifying and distributing the secret keys. The basic requirement is four keys to communicate between two applications: a receiving key and a sending key for each of AH and ESP.
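The "four keys" requirement is easiest to see with a small end-to-end sketch of how automated key management arrives at them. The section below names ISAKMP/Oakley, whose exchange is Diffie-Hellman based; the following added example (written for this page, not the paper's code and not an implementation of Oakley, ISAKMP or IKE) runs a Diffie-Hellman exchange between two peers and then splits the resulting secret into four independent directional keys. The group is a constructed toy (the Mersenne prime 2**127 - 1 with generator 5), the key derivation is a simple HMAC-based extract-and-expand standing in for the real protocols' PRF, and the peer names and nonces are made up.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2**127 - 1 with generator 5. Enough to
# show the arithmetic, far too small for real use; real exchanges use the large
# standardized MODP groups.
P = (1 << 127) - 1
G = 5
KEY_LEN = 20   # HMAC-SHA1 key size, so the keys fit an HMAC-SHA1-96 AH or ESP SA


class Peer:
    """One IPSec endpoint holding a Diffie-Hellman private value."""

    def __init__(self, name, private=None):
        self.name = name
        self.private = private if private is not None else secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)      # g^x mod p, sent in the clear

    def shared_secret(self, other_public):
        return pow(other_public, self.private, P)  # (g^y)^x = (g^x)^y mod p


def derive_four_keys(shared_secret, nonce_i, nonce_r):
    """Split one DH secret into four independent keys (extract-then-expand with
    HMAC-SHA256; a stand-in for the real PRF). Labels name protocol and direction:
    i2r = initiator to responder, r2i = responder to initiator."""
    salt = nonce_i + nonce_r
    prk = hmac.new(salt, shared_secret.to_bytes(16, "big"), hashlib.sha256).digest()
    return {label: hmac.new(prk, label.encode(), hashlib.sha256).digest()[:KEY_LEN]
            for label in ("ah_i2r", "ah_r2i", "esp_i2r", "esp_r2i")}


def directional_view(keys, role):
    """What one side stores: a sending key and a receiving key for AH and for ESP."""
    out, inn = ("i2r", "r2i") if role == "initiator" else ("r2i", "i2r")
    return {"ah_send": keys[f"ah_{out}"], "ah_recv": keys[f"ah_{inn}"],
            "esp_send": keys[f"esp_{out}"], "esp_recv": keys[f"esp_{inn}"]}


def exchange(initiator, responder, nonce_i, nonce_r):
    """Run the exchange from both sides; each computes the secret from the other's
    public value and its own private value, and the secret itself never crosses
    the network."""
    k_i = derive_four_keys(initiator.shared_secret(responder.public), nonce_i, nonce_r)
    k_r = derive_four_keys(responder.shared_secret(initiator.public), nonce_i, nonce_r)
    return directional_view(k_i, "initiator"), directional_view(k_r, "responder")


if __name__ == "__main__":
    gw_a, gw_b = Peer("gateway-a"), Peer("gateway-b")           # constructed peers
    view_a, view_b = exchange(gw_a, gw_b, b"nonce-a", b"nonce-b")
    print("A's AH send key == B's AH recv key:", view_a["ah_send"] == view_b["ah_recv"])
```

Note what the bare exchange does not give you: neither side has any proof of who it shared a secret with. That gap is why the paper describes Oakley as Diffie-Hellman "with added security conditions" and why ISAKMP wraps the exchange in an authenticated framework; the nonces here only make the derived keys fresh per exchange.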
The IPSec structure supports two types of key management:
* Manual: every administrator configures their private keys manually, together with the keys of the other communicating systems. In practice, this type of key management is used for small deployments in a static environment.
* Automated: a system which allows keys to be created for SAs, used in a large distributed system with dynamic configuration. The default automated key management in IPSec is called ISAKMP/Oakley, with the following components:
* Oakley key identification protocol: Oakley is a basic key exchange protocol based on the Diffie-Hellman algorithm, with added security conditions. Oakley is a general standard; it does not have any specific format.
* Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP provides a framework for establishing SAs and cryptographic keys in an Internet environment.

VI. Building a real VPN with IPSec

1. VPN overview

A VPN (Virtual Private Network) is the extension of a LAN by adding connections over a shared network or a public network like the Internet. In other words, a VPN is a private network that uses public communication infrastructure but still preserves privacy by using a tunneling protocol and security procedures. A VPN can be used to establish a connection between a computer and a private network, or between two private networks.

2. IPSec in VPN

In IPSec, ESP is the only way to provide encryption, but both ESP and AH can provide authentication, so what is the most efficient way to combine the two? The traditional solution of wrapping ESP inside AH is technically possible, but because of the limitations of AH with NAT (Network Address Translation), combining AH and ESP in this way will make the tunnel fail to work with devices using NAT.

Instead, ESP + Authentication is used in tunnel mode to fully encapsulate the traffic on its way across an untrusted network, protected by both encryption and authentication at the same time.
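The "ESP + authentication in tunnel mode" arrangement just described, and the tunnel-mode SA from section V.1, can be shown concretely with the ESP framing. The code below is an added example written for this page, not the paper's code and not taken from any VPN product: a gateway wraps a whole inner IP packet (host to host) in an ESP header and trailer, authenticates it with HMAC-SHA1-96, and puts a new outer IP header in front that names only the two gateways. To stay within the Python standard library, the cipher is the NULL encryption algorithm of RFC 2410, so the framing, padding and verify-before-decrypt order are real but the payload is not actually hidden; a real VPN substitutes AES for the two identity functions marked below. Keys, addresses and the inner packet are constructed, and the IPv4 header helper is the same simplification as earlier (no options, checksum left zero).

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

ESP_PROTO = 50          # outer IP header protocol number for ESP
IPIP_NEXT_HEADER = 4    # "next header" value meaning an IPv4 packet follows (tunnel mode)
ICV_LEN = 12            # HMAC-SHA1-96

AUTH_KEY = bytes.fromhex("a1" * 20)   # constructed demo keys, not real SA keys
ENC_KEY = bytes.fromhex("e2" * 16)


def null_encrypt(key, data):
    """RFC 2410 NULL cipher. A real VPN replaces this and null_decrypt with AES."""
    return data


def null_decrypt(key, data):
    return data


def ipv4_header(src, dst, total_len, proto, ttl=64):
    """Minimal 20-byte IPv4 header, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def esp_tunnel_encapsulate(auth_key, enc_key, spi, seq, inner_packet, gw_src, gw_dst):
    """Gateway send path: ESP header | enc(inner packet + trailer) | ICV, behind a
    new outer IP header that names only the two gateways."""
    pad_len = (-(len(inner_packet) + 2)) % 4        # trailer ends on a 32-bit boundary
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default pad pattern 1,2,3..
    trailer = padding + bytes([pad_len, IPIP_NEXT_HEADER])
    body = struct.pack("!II", spi, seq) + null_encrypt(enc_key, inner_packet + trailer)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    outer = ipv4_header(gw_src, gw_dst, 20 + len(body) + ICV_LEN, ESP_PROTO)
    return outer + body + icv


def esp_tunnel_decapsulate(auth_key, enc_key, expected_spi, packet):
    """Gateway receive path. Returns the inner packet, or None if anything is off.
    The ICV is checked before the ciphertext is touched."""
    outer, rest = packet[:20], packet[20:]
    if outer[9] != ESP_PROTO or len(rest) < 8 + ICV_LEN:
        return None
    body, received_icv = rest[:-ICV_LEN], rest[-ICV_LEN:]
    expected_icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(received_icv, expected_icv):
        return None
    spi, _seq = struct.unpack("!II", body[:8])    # _seq would feed the replay window
    if spi != expected_spi:
        return None
    plain = null_decrypt(enc_key, body[8:])
    pad_len, next_header = plain[-2], plain[-1]
    if next_header != IPIP_NEXT_HEADER or pad_len + 2 > len(plain):
        return None
    return plain[:len(plain) - pad_len - 2]


def outer_addresses(packet):
    """What an observer on the untrusted network sees: only the gateway addresses."""
    return str(ip_address(packet[12:16])), str(ip_address(packet[16:20]))


def demo():
    inner = ipv4_header("10.1.0.7", "10.2.0.9", 20 + 5, 6) + b"hello"   # host-to-host TCP
    pkt = esp_tunnel_encapsulate(AUTH_KEY, ENC_KEY, 0x2001, 1, inner, "198.51.100.1", "203.0.113.1")
    return esp_tunnel_decapsulate(AUTH_KEY, ENC_KEY, 0x2001, pkt) == inner, outer_addresses(pkt)


if __name__ == "__main__":
    print(demo())   # (True, ('198.51.100.1', '203.0.113.1'))
```

Because the outer header carries the gateways' addresses and the inner addresses sit inside the (in a real deployment, encrypted) ESP body, NAT on the path only rewrites the outer header and the ICV still verifies, which is exactly why this combination works where wrapping ESP in AH, whose ICV covers the outer addresses, does not.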
What is especially nice about this way of implementing it is that the VPN and the other security measures are almost invisible to the end-user hosts. Because the VPN is carried out by a gateway device which treats the VPN as just another interface, traffic destined for the other end is routed normally.

VII. Future Research

This paper only provides an overview of IPSec and does not focus on the security components of IPSec, such as the encryption algorithms and the details of the SA mechanisms. Therefore, in future research I will spend more time on those issues.

VIII. Conclusion

After covering most of the components of the IPSec structure, it can be seen clearly that IPSec is a strong security protocol: it can provide both encryption and authentication. It also uses various types of encryption and authentication algorithms, such as Triple-DES, 128-bit RC4 and AES (for encryption) and MD5 or SHA-1 (for authentication).

However, IPSec still has a security issue: when an authorized IPSec user accesses the network, they can also access unauthorized resources. Moreover, the ease of uploading and downloading data files also creates the threat of virus infection.

IX. References

1. www.wikipedia.org
2. http://tools.ietf.org/html/rfc2401#section-4.4.3
