13IPSec & VPN Types & Operating Modes

The document outlines encryption methods across different OSI layers, detailing end-to-end encryption, transport layer encryption (SSL/TLS), and network layer encryption (IPsec). It explains IPsec's architecture, mechanisms, operating modes, and benefits, highlighting its flexibility and strong security features for data communication. Additionally, it compares IPsec with SSL/TLS in terms of complexity, management, and operational layers.

Uploaded by

raaziya.19943
Encryption at Different OSI Layers

• End-to-end encryption happens within the applications, e.g., S/MIME & HTTPS (SSL/TLS –
  SSL VPN)
• SSL/TLS/SSH encryption takes place at the transport layer (SSL VPN)
• IPsec encryption takes place at the Network Layer.
• PPTP/L2TP encryption takes place at the data link layer.
• Link encryption takes place at the data link and physical layers.
What is IP Security?

• The Internet Protocol Security (IPsec) architecture comprises a suite of protocols
  developed to ensure the integrity, confidentiality and authentication of data
  communications over an IP network (Internet).
• The devices that share this secure channel can be two servers, two routers, a
  workstation and a server, or two gateways between different networks.
• IPsec may be used in three different security domains: virtual private networks,
  application-level security and routing security.
IP Sec …
• IPSec has strong encryption and authentication methods/features for next-generation
  IPv6 (IPng).
• Also usable/included in existing IPv4.
• It can be more flexible and less expensive than end-to-end and link encryption methods.
• IP Sec is not a strict protocol that dictates the type of algorithm, keys, and
  authentication method to use. Rather, it is an open, modular framework that provides
  a lot of flexibility for companies when they choose to use this type of technology.
Cryptographic System
[Figure: Cryptographic System]
IP Sec Mechanisms
• General IP Security mechanisms provide:
  – authentication
  – confidentiality
  – integrity
  – key management
• applicable to use over LANs, across public & private WANs, & for the Internet
IP Sec Uses
Benefits of IP Sec
• In a firewall/router it provides strong security to all traffic crossing the perimeter
• In a firewall/router it is resistant to bypass
• It is below the transport layer, hence transparent to users' applications.
• can be transparent to end users
• can provide security for individual users
• secures routing architecture
IP Sec Architecture
• mandatory in IPv6, optional in IPv4
• has two security header extensions:
  – Authentication Header - AH is the authenticating protocol
  – Encapsulating Security Payload - ESP is an authenticating and encrypting protocol
    that uses cryptographic mechanisms to provide source authentication,
    confidentiality, and message integrity
• plus a key exchange function
• VPNs want both authentication/encryption
  – hence usually use ESP
Authentication Header (AH)
• provides support for data integrity & authentication of IP packets
  – end system/router can authenticate user/app
  – prevents address spoofing attacks by tracking sequence numbers.
• based on use of a MAC
  – HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key
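The following is an added example, not code from the slides: it shows what the AH bullets above mean in practice, using Python's standard library. The sender computes the Integrity Check Value with HMAC-SHA-1-96 (the shared secret key, truncated to 96 bits) over the immutable IP header fields, the AH header and the payload; the receiver checks the sequence number against a sliding anti-replay window before verifying the ICV. The key and the IP header bytes are constructed sample values, and the layout follows RFC 4302; the function names are my own.

```python
import hashlib
import hmac
import struct

# HMAC-SHA-1-96: the 20-byte HMAC-SHA-1 output is truncated to 96 bits (12 bytes).
ICV_LEN = 12
AH_LEN = 4 + 4 + 4 + ICV_LEN          # fixed fields (4) + SPI (4) + sequence (4) + ICV
AH_PAYLOAD_LEN = AH_LEN // 4 - 2      # "Payload Len" field: AH length in 32-bit words minus 2

# Constructed sample values (not from any real SA): a 20-byte shared key and a 20-byte
# IPv4 header whose mutable fields (TTL, checksum, flags) are already zeroed, as AH
# requires before the ICV is computed. Protocol field 0x33 = 51 = AH.
SAMPLE_KEY = bytes(range(20))
SAMPLE_IP_FIELDS = (b"\x45\x00\x00\x30\x00\x00\x00\x00\x00\x33\x00\x00"
                    + b"\x0a\x00\x00\x05" + b"\x0a\x00\x01\x07")


def ah_icv(key, covered):
    """Compute the AH Integrity Check Value over the covered bytes."""
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_header(spi, seq, icv, next_header):
    """Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV."""
    return struct.pack("!BBHII", next_header, AH_PAYLOAD_LEN, 0, spi, seq) + icv


class AntiReplayWindow:
    """Sliding window over the highest sequence number seen (RFC 4302 style):
    bit i of the bitmap is set when sequence number (top - i) has been accepted."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def is_fresh(self, seq):
        if seq == 0:                      # the first packet on an SA uses sequence 1
            return False
        if seq > self.top:
            return True
        offset = self.top - seq
        return offset < self.size and not (self.bitmap & (1 << offset))

    def update(self, seq):
        """Record seq as accepted; call only after is_fresh() and the ICV check passed."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1           # everything previously seen falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def build_ah_packet(key, spi, seq, next_header, ip_fields, payload):
    """Return AH header + payload; the ICV covers the immutable IP fields,
    the AH header with a zeroed ICV field, and the payload."""
    covered = ip_fields + ah_header(spi, seq, bytes(ICV_LEN), next_header) + payload
    return ah_header(spi, seq, ah_icv(key, covered), next_header) + payload


def receive_ah_packet(key, window, ip_fields, packet):
    """Receiver side: replay check, then ICV check, then window update.
    Returns (accepted, reason)."""
    next_header, _, _, spi, seq = struct.unpack("!BBHII", packet[:12])
    icv, payload = packet[12:AH_LEN], packet[AH_LEN:]
    if not window.is_fresh(seq):
        return False, "replayed or stale sequence number"
    covered = ip_fields + ah_header(spi, seq, bytes(ICV_LEN), next_header) + payload
    if not hmac.compare_digest(ah_icv(key, covered), icv):
        return False, "bad ICV"
    window.update(seq)
    return True, "ok"
```

Note the order on the receiving side: a replayed sequence number is rejected before the MAC is even computed, and the window is only advanced once the ICV has verified, so a forged packet cannot move the window and cause legitimate traffic to be dropped.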
Encapsulating Security Payload (ESP)

ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to
provide source authentication, confidentiality, and message integrity.
IP Sec Operating Modes
• IPSec can work in one of two modes:
  i. Transport Mode, in which only the payload of the message is protected
  ii. Tunnel Mode, in which the payload and the routing & header information are
      protected.
• ESP, in transport mode, encrypts the actual message information so it cannot be
  sniffed and uncovered by an unauthorized entity.
• Tunnel mode provides a higher level of protection by also protecting the header and
  trailer data an attacker may find useful.
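As an added example (not from the slides) the code below builds ESP packets in both modes so the difference in what stays visible can be checked byte by byte. In transport mode the original IP header is kept in the clear (its protocol field rewritten to 50 = ESP) and only the payload plus ESP trailer is encrypted and authenticated; in tunnel mode the whole original packet, header included, becomes the encrypted payload behind a new outer header carrying the gateways' addresses. The ESP header, padding and trailer layout follow RFC 4303 and the ICV is HMAC-SHA-1-96; the cipher is an HMAC-SHA-256 counter-mode keystream used as a stand-in for the AES cipher a real SA would negotiate, so the example runs on the standard library. Addresses, keys and SPIs are constructed sample values; class and function names are my own.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12                               # HMAC-SHA-1-96 integrity check value
PROTO_ESP, PROTO_TCP, PROTO_IPV4 = 50, 6, 4
IP_HDR_LEN = 20


def ipv4_header(src, dst, protocol):
    """Minimal 20-byte IPv4 header (checksum left zero); constructed for illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, protocol, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


class EspSa:
    """Per-direction ESP state: SPI, keys, mode and the outbound sequence counter."""

    def __init__(self, spi, enc_key, auth_key, mode):
        self.spi, self.enc_key, self.auth_key, self.mode = spi, enc_key, auth_key, mode
        self.seq = 0


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA-256: a stand-in for the negotiated cipher."""
    blocks = [hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(sa, ip_header, payload, next_header, outer_header=None):
    """Return the full on-the-wire packet for the SA's mode."""
    sa.seq += 1
    if sa.mode == "tunnel":
        inner, next_header = ip_header + payload, PROTO_IPV4   # whole packet goes inside
        outer = outer_header                                   # gateway-to-gateway header
    else:
        inner = payload                                        # header stays in the clear
        outer = ip_header[:9] + bytes([PROTO_ESP]) + ip_header[10:]
    pad_len = (-(len(inner) + 2)) % 4                 # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default padding 1,2,3,...
    plaintext = inner + padding + bytes([pad_len, next_header])   # payload + ESP trailer
    nonce = struct.pack("!Q", sa.seq)                 # unique per packet within one SA
    ciphertext = xor_bytes(plaintext, keystream(sa.enc_key, nonce, len(plaintext)))
    esp_header = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, esp_header + nonce + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return outer + esp_header + nonce + ciphertext + icv


def esp_decapsulate(sa, packet):
    """Verify the ICV, decrypt, strip the trailer; return (inner bytes, next header)."""
    esp = packet[IP_HDR_LEN:]
    esp_header, nonce, ciphertext, icv = esp[:8], esp[8:16], esp[16:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, esp_header + nonce + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch: packet modified or wrong SA")
    plaintext = xor_bytes(ciphertext, keystream(sa.enc_key, nonce, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return plaintext[:len(plaintext) - 2 - pad_len], next_header


def visible_addresses(packet):
    """What an observer on the path sees: only the outer header's source and destination."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
```

Run through a tunnel-mode packet between two gateways, `visible_addresses` returns the gateway addresses and the inner host addresses are nowhere in the ciphertext; run through a transport-mode packet, the host addresses are exactly what an observer sees, which is the "header data an attacker may find useful" the slide refers to.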
IP Sec Encapsulating Security Payload (ESP) Header and Trailer in Transport and Tunnel
Modes
[Figure: ESP header and trailer placement in transport and tunnel modes (Raymond Panko)]

IPsec Operation: Transport Mode
[Figure labels: 1. End-to-End Security (Good); 2. Security in Site Network (Good);
3. Setup Cost On Each Host (Costly)]

IPsec Operation: Tunnel Mode
[Figure labels: 2. No Security in Site Network (Bad); 3. No Setup Cost On Each Host (Good)]
Comparing IPsec Transport and Tunnel Modes

Characteristic             Transport Mode                               Tunnel Mode
Uses an IPsec VPN          No                                           Yes
gateway?
Cryptographic protection   All the way from the source host to the      Only over the Internet between the IPsec
                           destination host, including the Internet     gateways. Not within the two site networks.
                           and the two site networks (E2E).
Setup costs                High. Setup requires the creation of a       Low. Only the IPsec gateways must implement
                           digital certificate for each client and      IPsec, so only they need digital certificates
                           significant configuration work.              and need to be configured.

(Source: Raymond Panko, Copyright Pearson Prentice-Hall 2010)
The Figure shows the high-level view of the steps of setting
up an IPSec connection.
Security Associations (SA)
• A one-way (hash) relationship between sender & receiver that affords security for
  traffic flow
• Defined by 3 parameters:
  – Security Parameters Index (SPI)
  – IP Destination Address
  – Security Protocol Identifier
• Has a number of other parameters
  – sequence no., AH & ESP info, lifetime etc.
• Have a database of Security Associations
• Each device will have at least one security association (SA) for each secure
  connection it uses.
IPsec SA
[Figure: IPsec security association (Raymond Panko)]
IPsec SA …
When two devices complete their handshaking process, which means they have agreed upon a
long list of parameters they will use to communicate, these data must be recorded and
stored somewhere (a database), which is the SA. The SA can contain the authentication and
encryption keys, the agreed-upon algorithms, the key lifetime (expiry/renewal), and the
source IP address.
Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
  – 2 per direction, for AH & ESP
• manual key management
  – SysAdmin manually configures every system
• automated key management
  – automated system for on-demand creation of keys for SAs in large systems (large
    networks)
  – has Oakley & ISAKMP elements
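The following added example (not code from the slides) ties the Security Association slides and the key management slide together: a small Security Association Database indexed by the three identifying parameters (SPI, IP destination address, security protocol identifier), with the per-SA keys, sequence counter and lifetime the "IPsec SA" slide lists, and a helper that installs what one secure connection needs, one inbound and one outbound SA for each of AH and ESP, i.e. the two key pairs per direction. Keys here come from `secrets.token_bytes`, standing in for the IKE negotiation that would supply them in practice; addresses, SPIs and the time values are constructed, and all names are my own.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_ESP, PROTO_AH = 50, 51


@dataclass
class SecurityAssociation:
    spi: int
    dst: str                  # IP destination address of the protected traffic
    protocol: int             # security protocol identifier: 50 (ESP) or 51 (AH)
    auth_key: bytes
    enc_key: Optional[bytes]  # AH carries no encryption key
    created: float            # seconds; passed in by the caller so the example is deterministic
    lifetime: float           # seconds after which the SA must be renewed (rekeyed)
    seq: int = 0              # outbound sequence counter; the inbound side keeps an anti-replay window

    def expired(self, now: float) -> bool:
        return now >= self.created + self.lifetime

    def next_seq(self) -> int:
        self.seq += 1
        return self.seq


class SaDatabase:
    """The SAD: SAs indexed by the triple (SPI, destination address, security protocol)."""

    def __init__(self):
        self._sas: Dict[Tuple[int, str, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        key = (sa.spi, sa.dst, sa.protocol)
        if key in self._sas:
            raise ValueError("SPI already in use for this destination and protocol")
        self._sas[key] = sa

    def lookup(self, spi: int, dst: str, protocol: int, now: float):
        """Return the live SA for a packet, dropping it first if its lifetime is over."""
        key = (spi, dst, protocol)
        sa = self._sas.get(key)
        if sa is not None and sa.expired(now):
            del self._sas[key]
            return None
        return sa

    def __len__(self) -> int:
        return len(self._sas)


def install_connection(sad, local, peer, spi_in, spi_out, now, lifetime):
    """Install the SAs one secure connection between `local` and `peer` needs: for each
    of AH and ESP, an inbound SA (dst = local) and an outbound SA (dst = peer), each with
    its own fresh keys, so 2 key pairs in total. Returns {(protocol, direction): SA}."""
    installed = {}
    for protocol in (PROTO_AH, PROTO_ESP):
        for direction, dst, spi in (("in", local, spi_in), ("out", peer, spi_out)):
            sa = SecurityAssociation(
                spi=spi, dst=dst, protocol=protocol,
                auth_key=secrets.token_bytes(20),
                enc_key=secrets.token_bytes(32) if protocol == PROTO_ESP else None,
                created=now, lifetime=lifetime)
            sad.add(sa)
            installed[(protocol, direction)] = sa
    return installed
```

Two points the structure makes visible: the same SPI value can legitimately appear in both the AH and the ESP entry for one destination, because the protocol identifier is part of the key, and an SA that has outlived its lifetime is refused at lookup time rather than silently reused, which is the "expiry/renewal" the SA slide mentions.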
Virtual Private Networks (VPNs)
[Figure: Virtual Private Networks (Raymond Panko, Copyright Pearson Prentice-Hall 2010)]
ISAKMP & OAKLEY

• Because IPSec is a framework, it does not dictate which hashing and encryption
  algorithms are to be used or how keys are to be exchanged between devices.
• Key management can be handled manually or automated by a key management protocol.
  The de facto standard for IPSec is to use Internet Key Exchange (IKE), which is a
  combination of the ISAKMP and OAKLEY protocols.

The Internet Security Association and Key Management Protocol (ISAKMP) is a key exchange
architecture that is independent of the type of keying mechanisms used. Basically, ISAKMP
provides the framework of what can be negotiated to set up an IPSec connection
(algorithms, protocols, modes, keys). The OAKLEY protocol is the one that carries out the
negotiation process.
ISAKMP & OAKLEY …
You can think of ISAKMP as providing the playing field (the infrastructure) and OAKLEY as
the guy running up and down the playing field (carrying out the steps of the negotiation).

IPSec is very complex with all of its components and possible configurations. This
complexity is what provides for a great degree of flexibility, because a company has many
different configuration choices to achieve just the right level of protection.
IP Security (IPSec) Vs SSL/TLS

                                             SSL/TLS     IPsec
Cryptographic security standard              Yes         Yes
Cryptographic security protections           Good        Gold Standard
Supports central management                  No          Yes
Complexity and expense                       Lower       Higher
Layer of operation                           Transport   Internet
Transparently protects all higher-layer      No          Yes
traffic
Works with IPv4 and IPv6                     NA          Yes
Modes of operation                           NA          Transport, Tunnel
• RSA implementation via programming
• QR code will be scanned/converted
• Encryption/decryption
