IP Security: Presentation Transcript



Outline

  • Introduction

  • IP security Overview

  • IP security Applications

  • IP security Scenario

  • IP security Benefits

  • IP security Architecture

  • Security Associations

  • Combinations of SAs

  • Key Exchange Management


Basic Objective: Secure IP

Should achieve the following:

  • Disallow links to untrusted sites.

  • Encrypt packets that leave the premises.

  • Authenticate packets that enter the premises.


IP-Level Security

  • Consists of three aspects:

    • Authentication: ensures that the received packet was transmitted by the party identified in the header.

    • Confidentiality: enables communicating nodes to encrypt messages.

    • Key management: secure key exchange.


An Overview of IP

  • Internet Protocol (IP): “Provides the facilities for inter-connecting end systems across multiple networks.”

  • Implemented in:

    • Each end system and

    • Routers of the networks.

  • Routers must cope with heterogeneous networks.


Overview of IP

  • IP provides unreliable service.

    • No guarantee that all data packets will be delivered.

    • Delivered packets may arrive in wrong order.

  • Higher layer (TCP) must recover from any errors.

  • Provides a great deal of flexibility:

    • No reliability requirements on subnets.

    • Packets can follow different paths.


An Overview of IP

  • Operation of IP:

    //The next slide shows the architecture of the TCP/IP suite.//

    Example: “End system X wants to send a data packet to end system Y.”


TCP/IP Example


IP Security Overview

  • IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.


Applications of IPSec

  • Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.

  • Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.


Applications of IPSec

  • Establishment of extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.

  • Enhancement of electronic commerce security: Most efforts to date to secure electronic commerce on the Internet have relied upon securing Web traffic with SSL since that is commonly found in Web browsers and is easy to set up and run. There are new proposals that may utilize IPSec for electronic commerce.


Applications of IP Security

  • IPSec can encrypt and authenticate all traffic at the IP level.

  • Distributed applications (such as remote login, client-server interaction, e-mail, file transfers, web access, etc.) can be secured.


An IP Security Scenario

  • Suppose an organization maintains LANs at several dispersed locations.

    • Within each LAN, IP traffic is not secured.

    • For inter-LAN traffic (over the Internet or a WAN), IPSec protocols are used.


An IP Security Scenario...

  • IPSec protocols operate in networking devices (such as routers) that connect a LAN to the Internet.

  • Encrypt all traffic leaving a LAN and decrypt traffic incoming to a LAN.

    • IPSec operations are transparent to workstations and servers.

    • Secure transmission is also possible with individual users.

      //The user workstation must then implement the IPSec protocols itself.//


IP Security Scenario


Benefits of IP Security

  • Transparent to applications (it sits below the transport layer: TCP, UDP).

    //No need to change software on end systems.//

  • IPSec can be transparent to end users.

    //No need to train end users on security mechanisms.//

  • Can provide security for individual users.


Benefits of IP Security

  • IPSec plays an important role in routing.

  • IPSec can assure that:

    • A router or neighbour advertisement comes from an authorized router

    • A redirect message comes from the router to which the initial packet was sent

    • A routing update is not forged


IP Security Architecture

1. Architecture: Covers general concepts, security requirements, etc.

2. Encapsulating Security Payload (ESP): Covers the issues of packet encryption.

3. Authentication Header (AH): Covers the issues of packet authentication.


IP Security Architecture

4. Encryption Algorithms: How various encryption algorithms are used for ESP.

5. Authentication Algorithms: How various authentication algorithms are used for AH and authentication option of ESP.

6. Key Management: Documents that describe key management.

7. Domain of Interpretation (DOI): Defines payload formats, exchange types, and conventions for naming security


Architecture


IPSec Services

  • IPSec uses two protocols to provide security:

    1. Authentication Header (AH): an authentication protocol.

    2. Encapsulating Security Payload (ESP): a combined encryption and authentication protocol.


IPSec Services

  • Access Control

  • Connectionless integrity

  • Data origin authentication

  • Rejection of replayed packets

  • Confidentiality (encryption)

  • Limited traffic flow confidentiality


Security Associations (SA)

  • A simplex (uni-directional) logical connection, created for security purposes.

    • A one-way relationship between a sender and a receiver.

    • For a two-way secure exchange, two security associations are required.

  • Identified by three parameters:

    • Security Parameter Index (SPI): A bit string assigned to this SA.

      //Used by the receiver to select the SA.//


Security Associations (SA)

  • IP Destination Address:

    • The address of the destination endpoint of SA.

      //may be an end user system, a firewall or a router//

  • Security Protocol Identifier:

    • Indicates if the association is an AH or ESP security association.

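The SA lookup and the replay check described on the services and SA slides, as an added example that is not part of the original deck. It assumes a receiver-side table keyed by the three identifiers just listed (SPI, destination address, security protocol) and an anti-replay window of the bitmap kind RFC 4303 specifies; the ICV is HMAC-SHA-256 truncated to 128 bits (RFC 4868). The addresses, SPI, key and payloads are constructed sample values.

```python
"""Added example (not from the slides): an inbound Security Association
Database keyed by (SPI, destination address, protocol), with the per-SA
anti-replay window behind the "rejection of replayed packets" service.
Addresses, SPIs, keys and payloads are constructed values."""
import hashlib
import hmac

AH, ESP = 51, 50          # IP protocol numbers of the two IPsec protocols
ICV_LEN = 16              # HMAC-SHA-256-128 (RFC 4868)


class SecurityAssociation:
    """One simplex SA plus the receiver-side replay state it carries."""

    def __init__(self, spi, dst, proto, auth_key, window_size=64):
        self.spi, self.dst, self.proto = spi, dst, proto
        self.auth_key = auth_key
        self.window_size = window_size
        self.highest_seq = 0   # highest sequence number accepted so far
        self.window_bits = 0   # bit i set => highest_seq - i already seen

    def icv(self, seq, payload):
        msg = self.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
        return hmac.new(self.auth_key, msg, hashlib.sha256).digest()[:ICV_LEN]

    def check_replay(self, seq):
        """Accept (and record) seq only if it is new and not left of the window."""
        if seq == 0:
            return False                       # sequence numbers start at 1
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:             # slide the window to the right
            shift = seq - self.highest_seq
            self.window_bits = 1 if shift >= self.window_size else ((self.window_bits << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False                       # too old: left of the window
        if self.window_bits & (1 << offset):
            return False                       # already received: replay
        self.window_bits |= 1 << offset        # late but new: mark and accept
        return True


class InboundSAD:
    """Receiver's SA database: lookup by (SPI, destination, protocol)."""

    def __init__(self):
        self._table = {}

    def add(self, sa):
        self._table[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self._table.get((spi, dst, proto))


def make_packet(sa, seq, payload):
    """Sender side: (seq, payload, ICV) for the outbound SA."""
    return seq, payload, sa.icv(seq, payload)


def process_inbound(sad, dst, proto, spi, seq, payload, received_icv):
    """Receiver side. The ICV is checked before the window is updated, so a
    forged packet cannot mark a sequence number as already seen."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "drop: no SA"
    if not hmac.compare_digest(sa.icv(seq, payload), received_icv):
        return "drop: bad ICV"
    if not sa.check_replay(seq):
        return "drop: replay"
    return "accept"


def demo():
    """Constructed traffic on one AH SA; returns the receiver's verdicts."""
    dst, spi, key = "198.51.100.10", 0x1234, b"constructed-auth-key"
    sender = SecurityAssociation(spi, dst, AH, key)       # sender's copy of the SA
    sad = InboundSAD()
    sad.add(SecurityAssociation(spi, dst, AH, key))       # receiver's copy
    p1, p2, p5 = (make_packet(sender, n, b"msg%d" % n) for n in (1, 2, 5))
    p3 = make_packet(sender, 3, b"msg3")                  # arrives late, still new
    forged = (6, b"tampered", p5[2])                      # payload changed, ICV stale
    verdicts = [process_inbound(sad, dst, AH, spi, *p) for p in (p1, p2, p5, p1, p3, forged)]
    verdicts.append(process_inbound(sad, dst, AH, 0x9999, *p1))   # SPI matches no SA
    return verdicts
```

demo() returns the receiver's verdicts for seven constructed packets: three in order, a replayed copy of the first, a late but new one, a forged one carrying a stale ICV, and one whose SPI matches no SA. Verifying the ICV before touching the window matters: done the other way round, an unauthenticated packet could poison the window and get the legitimate sender's packet dropped.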

Modes of Operation

  • AH and ESP support two modes of operations:

    • Transport

    • Tunnel.

  • Transport Mode:

    • Protection extends to the payload of an IP packet.

    • Used for end-to-end communication between two hosts (client and server, or two workstations).


Modes of Operation

  • Tunnel Mode:

    • Provides protection to the entire IP packet.

    • After AH or ESP fields are added, the entire packet plus security fields is treated as the payload of a new IP packet.

    • A new IP header is attached.


Tunnel vs. Transport


Authentication Header

  • Provides support for:

    1. Data integrity of a packet.

      • Undetected modification of packets while in transit is not possible.

    2. Authentication of a packet.

      • End system can verify the sender.

      • Prevents address spoofing attacks.

    3. Also guards against replay attacks.


Encapsulating Security Payload

1. Provides confidentiality services.

  • Confidentiality of the packet.

2. Provides limited authentication service.

  • Authenticates the payload but not the header.

3. Also provides limited traffic confidentiality.

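Both modes and both protocols from the preceding slides, as an added example that is not part of the original deck: it builds an AH packet in transport mode and an ESP packet in tunnel mode, then checks what each ICV does and does not cover. Hand-packed IPv4 headers with the checksum left at zero, a stand-in cipher, and constructed addresses, SPIs and keys are all assumptions of the example.

```python
"""Added example (not from the slides): transport-mode AH versus
tunnel-mode ESP, and what each one authenticates. The ICV is HMAC-SHA-256
truncated to 128 bits (RFC 4868). The ESP cipher is a stand-in (an
HMAC-derived keystream XORed over the payload) that keeps the demo
self-contained; it is not a cipher IPsec negotiates. All values constructed."""
import hashlib
import hmac
import ipaddress
import struct

AH, ESP, TCP, IPIP = 51, 50, 6, 4   # IP protocol numbers
ICV_LEN = 16


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header: ver/IHL, ToS, total length, id,
    flags/fragment, TTL, protocol, checksum (0), src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def _ah_covered(ip_hdr):
    """AH hashes the IP header with its mutable fields (TTL, checksum) zeroed."""
    return ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]


def ah_transport(key, src, dst, spi, seq, payload):
    """Transport mode: [IP hdr][AH hdr][original payload]."""
    ip_hdr = ipv4_header(src, dst, AH, 12 + ICV_LEN + len(payload))
    # next header, AH length in 32-bit words minus 2, reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", TCP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    mac = icv(key, _ah_covered(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + mac + payload


def ah_verify(key, pkt):
    ip_hdr, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    expect = icv(key, _ah_covered(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(mac, expect)


def _keystream(key, spi, seq, n):
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_tunnel(enc_key, auth_key, gw_src, gw_dst, spi, seq, inner_pkt):
    """Tunnel mode: [outer IP][ESP hdr][enc(inner packet + trailer)][ICV]."""
    pad_len = (-(len(inner_pkt) + 2)) % 4                  # 4-byte alignment
    plain = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP])
    esp_hdr = struct.pack("!II", spi, seq)
    body = _xor(plain, _keystream(enc_key, spi, seq, len(plain)))
    mac = icv(auth_key, esp_hdr + body)                     # outer header NOT covered
    outer = ipv4_header(gw_src, gw_dst, ESP, len(esp_hdr) + len(body) + ICV_LEN)
    return outer + esp_hdr + body + mac


def esp_decap(enc_key, auth_key, pkt):
    """Returns the inner packet, or None when the ICV does not verify."""
    esp_hdr, body, mac = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(mac, icv(auth_key, esp_hdr + body)):
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    plain = _xor(body, _keystream(enc_key, spi, seq, len(body)))
    pad_len = plain[-2]
    return plain[:len(plain) - pad_len - 2]


def demo():
    auth_key, enc_key = b"constructed-auth-key", b"constructed-enc-key"
    payload = b"GET / HTTP/1.0\r\n\r\n"                   # stands in for a TCP segment
    host_a, host_b = "10.0.0.5", "10.0.1.7"
    # Transport-mode AH, host to host: TTL may change in flight, addresses may not.
    ah_pkt = ah_transport(auth_key, host_a, host_b, 0x100, 1, payload)
    ttl_dec = ah_pkt[:8] + bytes([ah_pkt[8] - 1]) + ah_pkt[9:]
    dst_rewritten = ah_pkt[:16] + ipaddress.IPv4Address("10.0.1.99").packed + ah_pkt[20:]
    # Tunnel-mode ESP, gateway to gateway: the whole inner packet is the payload.
    inner = ipv4_header(host_a, host_b, TCP, len(payload)) + payload
    esp_pkt = esp_tunnel(enc_key, auth_key, "192.0.2.1", "198.51.100.1", 0x200, 1, inner)
    outer_rewritten = esp_pkt[:16] + ipaddress.IPv4Address("203.0.113.9").packed + esp_pkt[20:]
    body_flipped = esp_pkt[:40] + bytes([esp_pkt[40] ^ 1]) + esp_pkt[41:]
    return {
        "ah_ok": ah_verify(auth_key, ah_pkt),
        "ah_after_ttl_decrement": ah_verify(auth_key, ttl_dec),       # True: TTL is mutable
        "ah_after_dst_rewrite": ah_verify(auth_key, dst_rewritten),   # False: header is covered
        "esp_inner_recovered": esp_decap(enc_key, auth_key, esp_pkt) == inner,
        "esp_after_outer_rewrite": esp_decap(enc_key, auth_key, outer_rewritten) == inner,
        "esp_after_body_flip": esp_decap(enc_key, auth_key, body_flipped) is None,
        "outer_dst": str(ipaddress.IPv4Address(esp_pkt[16:20])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }
```

demo() shows the two points the slides make. In transport mode the AH ICV survives a TTL decrement but fails once the destination address is rewritten, because AH authenticates the IP header minus its mutable fields. In tunnel mode the ESP ICV still verifies after the outer header is changed, because ESP authenticates only the ESP header and payload; the recovered inner packet carries the original host addresses while the outer header carries the gateway addresses, which is what makes the tunnel transparent to the end systems.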

Combination of SAs

  • Four basic combinations.

  • Case 1:

    • All security is provided between end systems.

    • End systems share appropriate secret keys.


Combination of SAs


Combination of SAs

  • Case 2:

    • Security is implemented only between gateways (routers, firewalls).

    • End hosts do not implement IPSec.

    • A single tunnel SA is established between the gateways.

    • Could support AH, ESP, and ESP with authentication.


Combination of SAs


Combination of SAs

  • Case 3:

    • End-to-end security is added to Case 2.

    • Besides a tunnel SA, the end hosts may have one or more SAs.

    • Gateway-to-gateway tunnel provides authentication or confidentiality to traffic between end systems.

    • End systems can implement additional security using end-to-end SAs.


Combination of SAs


Combination of SAs

  • Case 4:

    • A tunnel-mode SA exists between a host and a firewall.

    • Can be used by remote host to reach the firewall and gain access to a server or workstation behind the firewall.


Combination of SAs


Key Exchange Management

  • Handles key generation & distribution

  • Typically need 2 pairs of keys

    • 2 per direction for AH & ESP

  • Manual key management

    • System admin manually configures every system

  • Automated key management

    • Automated system for on-demand creation of keys for SAs in large systems

    • Has Oakley & ISAKMP elements

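Separate keys per protocol and per direction, as an added example that is not part of the original deck. It derives the four keys the slide counts (AH and ESP, one per direction) from a constructed shared secret such as an automated exchange would establish, using HKDF (RFC 5869) with the protocol and direction bound into the info string. IKE's own prf+ construction differs, so this illustrates the key-separation idea rather than the IKE derivation itself; the salt, labels and addresses are assumptions.

```python
"""Added example (not from the slides): one independent key per
(protocol, direction) from a shared secret, via HKDF (RFC 5869).
The secret, salt and addresses are constructed values."""
import hashlib
import hmac


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand: T(i) = HMAC(prk, T(i-1) | info | i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_sa_keys(shared_secret, initiator, responder, key_len=32):
    """Four keys, indexed by (protocol, sender, receiver). Binding the
    direction into the label is what stops a key from being reused to
    forge traffic in the opposite direction."""
    prk = hkdf_extract(b"constructed-salt", shared_secret)
    keys = {}
    for proto in ("AH", "ESP"):
        for src, dst in ((initiator, responder), (responder, initiator)):
            info = f"{proto}|{src}->{dst}".encode()
            keys[(proto, src, dst)] = hkdf_expand(prk, info, key_len)
    return keys


def peer_keys(shared_secret, me, peer, initiator, responder):
    """What one peer installs: an outbound and an inbound key per protocol."""
    keys = derive_sa_keys(shared_secret, initiator, responder)
    return {f"{proto}_{direction}": keys[(proto, a, b)]
            for proto in ("AH", "ESP")
            for direction, (a, b) in (("out", (me, peer)), ("in", (peer, me)))}


def demo():
    """Both ends derive from the same secret; each outbound key equals the
    peer's matching inbound key, and all four keys differ."""
    secret = b"constructed-shared-secret-from-key-exchange"
    a, b = "192.0.2.1", "198.51.100.1"
    side_a = peer_keys(secret, a, b, a, b)
    side_b = peer_keys(secret, b, a, a, b)
    return {
        "ah_out_matches_peer_in": side_a["AH_out"] == side_b["AH_in"],
        "esp_out_matches_peer_in": side_a["ESP_out"] == side_b["ESP_in"],
        "all_four_distinct": len(set(side_a.values())) == 4,
    }
```

Manual keying would install these four values by hand on both systems; automated keying recomputes them whenever the SAs are renegotiated, which is why the slide reserves it for large deployments.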

Questions

