Transcript IPsec - WordPress.com

What is in Presentation
What is IPsec
Why is IPsec Important
IPsec Protocols
IPsec Architecture
How to Implement IPsec in linux
What is IPsec
 IPsec is a set of security protocols and
algorithms used to secure IP data at the
network layer.
 IPsec provides data confidentiality
(encryption), integrity (hash), and
authentication (signatures and
certificates) of IP packets while
maintaining the ability to route them
through existing IP networks.
What is IPsec
IPsec protection involves five main components:
• Security protocols – The IP datagram protection
mechanisms. The authentication header (AH)
signs IP packets and ensures integrity but The
content of the datagram is not encrypted
though. The encapsulating security payload (ESP)
encrypts IP data, thus obscuring the content
during packet transmission. ESP also can ensure
data integrity through an authentication
algorithm option.
What is IPsec
• Security associations database (SADB) – The
database that associates a security protocol with an
IP destination address and an indexing number. The
indexing number is called the security parameter
index (SPI). These three elements (the security
protocol, the destination address, and the SPI)
uniquely identify a legitimate IPsec packet. The
database ensures that a protected packet that
arrives to the packet destination is recognized by the
receiver. The receiver also uses information from the
database to decrypt the communication, verify that
the packets are unchanged, reassemble the
packets, and deliver the packets to their ultimate
destination.
What is IPsec
• Key management – The generation and distribution of
keys for the cryptographic algorithms and for the SPI.
• Security mechanisms – The authentication and encryption
algorithms that protect the data in the IP datagrams.
• Security policy database (SPD) – The database that
specifies the level of protection to apply to a packet. The
SPD filters IP traffic to determine how the packets should
be processed. A packet can be discarded. A packet can
be passed in the clear. Or, a packet can be protected
with IPsec. For outbound packets, the SPD and the SADB
determine what level of protection to apply. For inbound
packets, the SPD helps to determine if the level of
protection on the packet is acceptable. If the packet is
protected by IPsec, the SPD is consulted after the packet
has been decrypted and has been verified.
Encryption Layers
Why is IPsec important
 The data sent over the Internet and private networks includes
passwords, credit card numbers, social security numbers and other
private and personal information. When sending this data crucial
information, one wants to ensure that no third party manipulates or
accesses this data.
 What are Security Issues?
Spoofing: a machine on the network acts as another.
Sniffing: another person is listening in on another's activity.
Session Hijacking: an attacker completely takes over another
users activities
Why is IPsec important




Provides Authentication
Prevent eavesdropping
Replay Attack
Data Tempering
Provides Authentication
• Be enable to prove each party who they
say they are. This Stops the hackers from
impersonating the server in order to get
information such as usernames and
passwords.
• Also helps server to confirm the client is real
client or a hacker.
Prevents Eavesdropping
• Monitoring of your communication by third
party.
• But with IPsec the information on network is
encrypted which makes it impossible for
hacker to use the data.
Replay Attack
• One form of attack is recording your
information and play it back at latter date.
• If a hacker is able to record the initial
authentication sequence at start of
communication they can replay the
message and can add wrong data.
• With IPsec replay attacks are impossible
because even if you sent same data in
different session the communication
sequence used by IPsec will be completely
different and only valid in that one session.
Data Tempering
• Is when data is changed, removed or
added in a communication stream.
• IPsec can detect if data stream has been
altered in anyway and thus prevent data
tempering attacks.
IPsec Protocols
IPsec Protocols
• Internet Key Exchange(IKE)
- Used to transfer SA parameters
between hosts.
- Handles Negotiation of protocols
- Generates keys
IPsec Protocols
IPsec ISAKMP: Internet Security Association and
Key Management Protocol
• ISAKMP defines procedures and packet formats to establish,
negotiate, modify and delete Security Associations (SA).
• SAs contain all the information required for execution of
various network security services, such as the IP layer services
(such as header authentication and payload
encapsulation), transport or application layer services, or
self-protection of negotiation traffic.
• ISAKMP defines payloads for exchanging key generation
and authentication data. These formats provide a consistent
framework for transferring key and authentication data
which is independent of the key generation technique,
encryption algorithm and authentication mechanism.
IPsec Protocols
• Authentication Header(AH)
- Host and Client Authentication
- Provides Data Integrity
- Protects from Anti-Replay Attacks
Limitations – Does not support
encryption and thus its possible for third
party to eavesdrop on communication.
IPsec Protocols
• Encapsulating Security Payload (ESP)
• Same as AH but also support data
encryption and NAT.
IPsec Architecture
IPsec Applied to
Outbound Packet
Process
IPsec Architecture
IPsec Applied to
Inbound Packet
Process
IPsec Modes
• Main Mode
- Time consuming to make sure identity of each
party
- Establish a secure connection to
configure quick mode
• Quick Mode
- Used to communicate with each party
• AH often used for Main Mode
• ESP often Used for Quick Mode
How to create an IPsec connection
between to Hosts or Networks
• Implementing IPsec requires that the IPsectools RPM package be installed on all IPsec
hosts (if using a host-to-host configuration) or
routers (if using a network-to-network
configuration). The RPM package contains
essential libraries, daemons, and
configuration to aid in setup of the IPsec
connection.
Steps to configure IPsec
•
•
•
•
•
•
•
•
•
•
In a command shell, type system-config-network to start the Network
Administration Tool.
On the IPsec tab, click New to start the IPsec configuration wizard.
Click Forward to start configuring a host-to-host IPsec connection.
Enter a unique name for the connection, for example, ipsec0. If required,
select the check box to automatically activate the connection when the
computer starts. Click Forward to continue.
Select Host to Host encryption as the connection type, and then click
Forward.
Select the type of encryption to use: manual or automatic.
If you select manual encryption, an encryption key must be provided later in
the process. If you select automatic encryption, the racoon daemon
manages the encryption key. The IPsec-tools package must be installed if
you want to use automatic encryption.
Click Forward to continue.
Enter the IP address of the remote host.
To determine the IP address of the remote host, use the following command
on the remote host: [root@myServer ~] # /sbin/ifconfig
Steps to configure IPsec
•
•
•
•
•
•
•
•
If manual encryption was selected in step 6, specify the encryption key to
use, or click Generate to create one.
Specify an authentication key or click Generate to generate one. It can be
any combination of numbers and letters.
Click Forward to continue.
Verify the information on the IPsec — Summary page, and then click Apply.
Click File => Save to save the configuration.
You may need to restart the network for the changes to take effect. To
restart the network, use the following command:
[root@myServer ~]# service network restart Select the IPsec connection from
the list and click the Activate button.
Repeat the entire procedure for the other host. It is essential that the same
keys from step 8 be used on the other hosts. Otherwise, IPsec will not work.
IPsec Architecture
•
•
•
•
http://docs.oracle.com/cd/E19082-01/819-3000/ipsec-ov-1/index.html
http://docs.oracle.com/cd/E19082-01/819-3000/ipsec-ov-1/index.html
http://www.tuxfiles.org/linuxhelp/rpminstall.html
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/i
ke.html
•
IPsec: The New Security Standard for the Inter- net, Intranets, and Virtual
Private Networks , Naganand Doraswamy (Author), Dan Harkins (Author)