IPSec VPNs

1. IPSec VPNs Industrial Strength Security for an Insecure World

2. Introduction • Companies, research institutions, and government organizations have long maintained private networks between central offices and branch offices. • Employees/contractors want to work from home or external offices. Road warriors, all the way from salesmen to CEO’s, want to be mobile and connect to the home office for whatever purpose. • There are fast, cheap, and plentiful connections to the Internet to be had in locations as varied as libraries, airports, and Starbucks. • How do you go about securing what is basically an unsecured medium?

3. Enter VPNs • VPNs (Virtual Private Networks) provide secure tunneling of communications over insecure networks. • Where physical private networks existed, VPNs are becoming commonplace not only among road warriors, branch offices, and central offices but also business-to-business partners exchanging data through a secure tunnel wrapped around the communications traffic.

4. VPN Topologies • Network-to-Network • Host-to-Network • Host-to-Host

5. VPN Tunneling Technologies • IPSec • IKE Internet Key Exchange • ESP Encapsulated Security Payload • AH Authentication Header • PPTP • L2TP • SSL

6. IPSec Modes – An Overview • IPSec protocol consists of several parts that define two security protocols, AH and ESP. • ISAKMP is a framework for management of keys and other vital information such as security associations. • IKE provides the cryptographic algorithm negotiation and key distribution utilized by AH and ESP, • ESP provides data origin authentication, connectionless integrity, anti-replay service, and data confidentiality. • AH provides data origin authentication, connectionless integrity, and anti-replay service.

7. Security Associations • Both AH and ESP rely on security associations (SAs) negotiating the properties of a secure connection using IKE. • The SA holds the information negotiated between the two VPN participants.

8. ISAMP and IKE • ISAKMP (IPSec Key Exchange and Management Protocol) is part of the IPSec suite that defines procedures for negotiation, establishment, modification, and deletion of SAs. • IKE (Internet Key Exchange) is based on the ISAKMP framework. • IKE consists of two different mode or phases. • Phase 1 is used to establish a secure channel later used to protect all negotiations in Phase 2. • Phase 2 is used to negotiate the IPSec SAs to set up the IPSec tunnel to protect the communications traffic.

9. ESP • ESP provides for encapsulation of the unprotected IP packet, its encryption, and authentication. • Some newer IPSec implementations use stronger algorithms such AES, Blowfish, and Twofish.

10. AH • AH allows you to check the authenticity of the data and the header of the IP packet sent to you. It does not provide a mechanism for data encryption but does provide a hash that code that allows you to check whether the packet was tampered with along the way.

11. IP Compression • As you might guess, all this extra security comes at the price of extra encapsulation of the IP packet. • This translates into decreased throughput. IPSec seeks to overcome this problem with a built-in IP compression protocol.

12. Conclusion • IPSec VPNs provide strong security for business-to-business and person-to-business needs. IPSec has two protocols, AH and ESP, that give confidentiality, integrity, and authentication. • IPSec also has protocols and frameworks for key negotiation and data compression. • FreeS/WAN used to be the only IPSec game in town as far as Linux was concerned. • With the advent of the 2.6 kernel series, there is now integrated support for IPSec in the kernel in addition to the survivor of FreeS/WAN, OpenSWAN.