
Saturday, March 9, 2019

Overview on IPSec

I. Abstract
II. The need for IPSec
  1. Internet threats
  2. TCP/IP security vulnerabilities
  3. The need for IPSec
III. What is IPSec
  1. What is IPSec
  2. IPSec properties
IV. IPSec structure
  1. Authentication Header (AH)
  2. Encapsulating Security Payload (ESP)
V. Security Associations (SA)
  1. Security Associations
  2. Combining Security Associations
  3. SA and key management
VI. Building a real VPN with IPSec
  1. VPN overview
  2. IPSec in VPN
VII. Future Research
VIII. Conclusion
IX. References

I. Abstract

It can be seen clearly that the Internet has developed at a very high speed in recent years. In the 1980s the Internet was only used by the US army, but nowadays the Internet has reached every country, every home and everyone. However, such fast development also goes along with an increasing number of security issues on the Internet. Therefore there is a need to find a security solution for this issue, and that is the reason why Internet Protocol Security exists.

* In this paper, I will give an overview of this security protocol: what is it? What are its core components? And how is this protocol applied in practice?

II. The need for IPSec

1. Internet threats

* The Internet is quickly changing our world, particularly in the way we do business. The fast growth of technology has helped to increase the connection speed of the Internet and to decrease the cost as well. This has given an opportunity to people who know how to take advantage of it. The Internet enables such things as:
* Extranets: companies can easily link with their business partners and their customers. In the past, we had to use dial-up lines with low bandwidth, so we had to wait quite a long time to get a connection to a web site or to send messages to a friend via Yahoo Messenger.
But today, with the quick development of technology, the speed of the Internet has increased significantly, so the Internet can enable instant, on-demand, high-speed communication with our business customers and partners around the world.
* Intranets: a powerful tool that is widely used for providing communication within an organization.
* Remote users: the Internet also provides a solution for users who do not need to go to the company office but can still connect and gain access to the company network. This helps to reduce transport costs and also increases the productivity of the company.
* It can be said that the Internet provides many business opportunities, but without the proper controls, your information can become the subject of various kinds of security attacks:
* Loss of privacy: there are many ways that Internet users can lose their private information, such as their address, family information, phone number, credit card and so on. This information can be used for marketing purposes, such as sending spam mail about a new product to many people, or, more dangerously, it can be used for theft or criminal purposes such as credit card stealing, disclosing personal information to the public and so on.
* Loss of data integrity: even if your credentials are not stolen, there is still a need for a solution that helps ensure the integrity of data. For example, when you make a transaction, your password may not be disclosed, but if the amount of money in your transaction was modified, you still have a big problem.
* Identity spoofing: the Internet is an untrusted network, so be careful with your identity when you surf the Internet, because an intruder can impersonate you and gain access to your confidential information.
* Denial-of-service: as organizations take advantage of the Internet, there is the issue that the service being performed is almost always a constant-time operation, so it is easy for an external observer to detect a DoS attack. These attacks are generally transient.

2. TCP/IP security vulnerabilities

The main reason leading to the Internet threats mentioned above is that TCP/IP, the foundation of the Internet, has many security vulnerabilities. When IP, TCP, UDP and the infrastructure protocols of TCP/IP were designed, they were meant for use in a very small network where all hosts and users were known, so security concerns were almost non-existent. But today, with the very quick development of the Internet, more and more security vulnerabilities of TCP/IP are being exploited. In this section I will give an overview of popular kinds of attacks on TCP/IP.

a. TCP SYN or TCP ACK flood attack: this is a form of DoS attack in which an intruder sends a succession of SYN requests to the victim's system to consume the resources of the victim's server, so that the server cannot respond to legitimate connections.
b. TCP sequence number attack: by predicting the IP sequence number, an attacker can inject data into, or take over, a pre-established connection.
c. ICMP attacks: an attacker can use ICMP messages that make a host stop working, such as Time Exceeded or Destination Unreachable messages. The attacker simply forges one of these ICMP messages and sends it to one or both of the communicating hosts; their connection is then torn down.
d. Smurf attacks: the smurf attack is a variation of the classic ping flood attack. Instead of sending ICMP echo packets from his own system to the victim's network, the attacker sends a packet to a broadcast address of an intermediate network with a return IP address belonging to the victim's network.
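The attack patterns listed above are easiest to reason about from the defender's side, as traffic that a monitoring point can recognise. The following Python script is an added example and is not part of the original post: it runs two simple checks over a batch of constructed flow records, counting SYNs whose initiator never completes the handshake (the SYN flood pattern from item a) and ICMP echo requests aimed at a directed-broadcast address (the smurf pattern from item d). The record format, the thresholds and the addresses are assumptions of this example, not anything from the post.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed flow records for this example:
# (timestamp, src, dst, proto, tcp_flags_or_icmp_type). Made-up sample lines, not captured traffic.
SAMPLE_FLOWS = [
    # A burst of SYNs from many sources to one server, none of them completed.
    *[(1.0 + i * 0.01, f"198.51.100.{i % 250 + 1}", "192.0.2.10", "tcp", "S")
      for i in range(300)],
    # A normal handshake: SYN, SYN-ACK, ACK.
    (5.0, "203.0.113.5", "192.0.2.10", "tcp", "S"),
    (5.1, "192.0.2.10", "203.0.113.5", "tcp", "SA"),
    (5.2, "203.0.113.5", "192.0.2.10", "tcp", "A"),
    # Echo requests to the directed-broadcast address of 192.0.2.0/24: the smurf
    # pattern, where the source address is where the amplified replies will land.
    *[(6.0 + i * 0.1, "198.51.100.7", "192.0.2.255", "icmp", "echo")
      for i in range(20)],
]

SYN_THRESHOLD = 100        # half-open SYNs per destination per window (assumed tuning value)
WINDOW_SECONDS = 10.0      # bucket width used for counting
LOCAL_NETS = [ip_network("192.0.2.0/24")]   # networks whose broadcast address we watch


def syn_flood_targets(flows, threshold=SYN_THRESHOLD, window=WINDOW_SECONDS):
    """Destinations that received at least `threshold` SYNs in one window
    from initiators that never sent the handshake-completing ACK."""
    pending = []            # (window bucket, src, dst) for every SYN seen
    completed = set()       # (src, dst) pairs that finished the handshake
    for ts, src, dst, proto, flags in flows:
        if proto != "tcp":
            continue
        if flags == "S":
            pending.append((int(ts // window), src, dst))
        elif flags == "A":
            completed.add((src, dst))
    counts = Counter()
    for bucket, src, dst in pending:
        if (src, dst) not in completed:
            counts[(dst, bucket)] += 1
    return sorted({dst for (dst, _), n in counts.items() if n >= threshold})


def smurf_sources(flows, nets=LOCAL_NETS):
    """Sources sending ICMP echo requests to one of our directed-broadcast
    addresses, with the number sent. Such a source is usually the real victim."""
    broadcast = {str(n.broadcast_address) for n in nets}
    return dict(Counter(src for _, src, dst, proto, kind in flows
                        if proto == "icmp" and kind == "echo" and dst in broadcast))


if __name__ == "__main__":
    print("possible SYN flood targets:", syn_flood_targets(SAMPLE_FLOWS))
    print("smurf-pattern sources:", smurf_sources(SAMPLE_FLOWS))
```

The handshake check is deliberately coarse (any ACK from the initiator to the server counts as completion); on real flow data you would match on connection identifiers, but the shape of the detection is the same: many SYNs, few completions, one destination.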
3. The need for IPSec

To solve the issues mentioned in the previous sections, it is inevitable to have a protocol suite which can provide authentication and encryption for IP packets, to increase the level of security in data communication over the Internet. And that is the reason why we have Internet Protocol Security (IPSec).

III. What is IPSec

1. What is IPSec?

* Internet Protocol Security (IPSec) has revolutionized Internet Protocol (IP) security. The IPSec protocol suite uses cryptographic techniques to ensure data confidentiality, and digital signatures to authenticate the source of the data transmission. IPSec also brings a new level of interoperability to the Internet that never existed before. It does not rely on proprietary protocols or techniques to establish secure links between network nodes. By using IPSec in virtual private networking solutions, organizations can exchange sensitive data over public networks with the knowledge that the parties they are exchanging the data with are the intended recipients, that the data was kept confidential in transit, and that the data did not change during transmission.
* IPSec has two goals:
* To ensure the integrity and confidentiality of IP packets.
* To provide a defense against network attacks.
Both goals are met with the use of cryptography-based protection services, security protocols, and dynamic key management.

2. IPSec properties

IPSec has the following properties:
* Anti-replay (replay prevention): ensures the uniqueness of each IP packet; any packet captured by an attacker cannot be put back into the network to establish a session or steal information.
* Integrity: protects data from being modified in transit, ensuring that the received data is the same as the original data.
* Confidentiality (encryption): ensures that data is only known to the authorized recipients.
To do this, data is encrypted before being sent, and the receiver has to use a public or private key to decrypt the data on receipt.
* Authentication: verifies that a message can only be sent by a sender who knows the shared secret key. The sender includes an authentication message with the data before sending; the receiver has to use its key to check that authentication message before it can view the data. If the key is wrong, the data is discarded.

IV. IPSec structure

1. Authentication Header (AH)

* AH is used to authenticate, but not encrypt, IP traffic; in other words, this protocol guarantees connectionless integrity and data origin authentication of the packet. Moreover, it can optionally guard against replay attacks by attackers who obtain a copy of an authenticated packet and later put it back on the network.
* Structure of AH: the AH header consists of 6 parts:
* Next hdr (8 bits): identifies the upper-level protocol that follows the AH.
* AH len (8 bits): identifies the size of the authentication header.
* Reserved: a placeholder for future use.
* Security Parameters Index (32 bits): a random number that indicates the settings selected by the transmitter to communicate with the receiver. This includes the encryption algorithms being used, which encryption keys are being used, and information about the validity period of those keys.
* Sequence Number: a counter that increases each time a packet is transmitted using the parameters set up in the SPI.
* Authentication Data: the Integrity Check Value (ICV) for the packet. The originator creates a keyed one-way hash of the packet payload and attaches this hash value to the packet as the authentication field. The receiver can check the integrity of the payload data by hashing the payload data, once it has been decrypted, with the same hash algorithm the sender used.
If the two hash values are identical, the recipient can be sure that the data was not modified during transmission. However, because the data is not encrypted, this ensures only the integrity of the payload data, not its confidentiality.

2. Encapsulating Security Payload (ESP)

ESP is the portion of IPSec that addresses the confidentiality of the data being transmitted, and it also offers authentication capabilities. ESP uses symmetric encryption techniques to encrypt the IP packet payload. The symmetric encryption algorithms that must be supported in order to be compliant with the standard are DES, 3DES, RSA, CAST, and Blowfish. ESP does not encrypt the IP header, which includes the information required for routing. It only encrypts the packet payload, which ensures the confidentiality of the data. There are six elements which make up the ESP, which include

V. Security Associations (SA)

1. Security Associations

* A key concept that appears in both the authentication and the encryption mechanisms of IPSec is the Security Association (SA). An SA is simply the bundle of algorithms and parameters that is used to provide authentication and confidentiality for a particular flow of traffic in one direction. Thus, in a normal bi-directional traffic exchange, the flows are secured by a pair of security associations.
* In order to decide what protection is to be provided for an outgoing packet, IPSec uses the Security Parameter Index (SPI), an index into the security association database (SADB), along with the destination address in the packet header; together these uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPSec gathers decryption and verification keys from the security association database. Two types of SAs are defined: transport mode and tunnel mode.
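To make the AH field layout (section IV.1) and the (destination address, SPI) lookup into the SADB (section V.1) concrete, here is an added Python example that is not part of the original post. It builds a transport-mode AH packet, looks the inbound SA up in a small constructed SADB, verifies the HMAC-SHA1-96 ICV over the immutable IP header fields, the AH header and the payload, and applies a sliding anti-replay window of the kind the AH description mentions as optional. The SADB contents, the key, the addresses and the choice of HMAC-SHA1-96 as the sole algorithm are assumptions of this example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51          # IP protocol number of AH
ICV_LEN = 12           # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits
WINDOW = 64            # anti-replay window size in packets


class SecurityAssociation:
    """One unidirectional inbound SA: its key (algorithm fixed to HMAC-SHA1-96
    here) plus the replay-window state the receiver keeps."""

    def __init__(self, spi, key):
        self.spi = spi
        self.key = key
        self.highest_seq = 0
        self.window_bits = 0   # bit i set => sequence number (highest_seq - i) was seen

    def check_replay(self, seq):
        """Sliding-window check: accept and record a fresh sequence number,
        reject one already seen or one that fell behind the window."""
        if seq == 0:
            return False
        if seq > self.highest_seq:                     # advance the window
            shift = seq - self.highest_seq
            self.window_bits = ((self.window_bits << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW or (self.window_bits >> diff) & 1:
            return False                               # too old, or a replay
        self.window_bits |= 1 << diff
        return True


# Constructed SADB for this example: (destination address, SPI) -> inbound SA.
SADB = {
    ("192.0.2.10", 0x1000): SecurityAssociation(0x1000, b"constructed-ah-key-0001"),
}


def ipv4_header(src, dst, total_len, proto, ttl=64):
    """Minimal IPv4 header; the checksum is left zero (it is mutable, not authenticated)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def icv_input(ip_hdr, ah_fixed, payload):
    """Bytes the AH ICV covers: the IP header with mutable fields (TOS, flags and
    fragment offset, TTL, checksum) zeroed, the AH header with a zeroed ICV field,
    and the payload. Source and destination addresses are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_fixed + b"\x00" * ICV_LEN + payload


def build_ah_packet(src, dst, spi, seq, key, payload, next_hdr=6):
    """Sender side: transport-mode AH in front of a TCP payload (next header 6)."""
    ah_len = 12 + ICV_LEN                 # next hdr, len, reserved, SPI, seq = 12 bytes, plus ICV
    ip_hdr = ipv4_header(src, dst, 20 + ah_len + len(payload), AH_PROTO)
    # Payload Len is counted in 32-bit words minus 2: 24 bytes -> 6 words -> 4
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, icv_input(ip_hdr, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def receive_ah(packet, sadb=SADB):
    """Receiver side: parse, look up the SA, verify the ICV, then check replay.
    Returns (accepted, reason, payload)."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTO:
        return False, "not an AH packet", None
    dst = str(IPv4Address(ip_hdr[16:20]))
    ah_fixed = packet[20:32]
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_total = (payload_len + 2) * 4
    icv, payload = packet[32:20 + ah_total], packet[20 + ah_total:]
    sa = sadb.get((dst, spi))               # SADB lookup by destination address + SPI
    if sa is None:
        return False, "no SA for this (destination, SPI)", None
    expected = hmac.new(sa.key, icv_input(ip_hdr, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "ICV mismatch", None
    # The window is only updated after the ICV verified, so forged packets cannot move it.
    if not sa.check_replay(seq):
        return False, "replayed or too-old sequence number", None
    return True, "ok", payload


if __name__ == "__main__":
    key = SADB[("192.0.2.10", 0x1000)].key
    pkt = build_ah_packet("203.0.113.5", "192.0.2.10", 0x1000, 1, key, b"GET / HTTP/1.0\r\n\r\n")
    print(receive_ah(pkt))      # accepted
    print(receive_ah(pkt))      # the same packet again is rejected as a replay
```

Because the source and destination addresses are part of the authenticated input, a packet whose outer address has been rewritten in transit fails the ICV check, which is the limitation of AH behind NAT that section VI.2 comes back to.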
* A transport mode SA is used to provide secure communication between two hosts; in this mode only the payload of the packet is encrypted (with ESP) or authenticated (with AH), so it only provides protection for upper-layer protocols. A tunnel mode SA is used to provide secure communication between two gateways, or between a gateway and a host; in this mode the entire IP packet is encrypted (with ESP) or authenticated (with AH).

2. Combining Security Associations

* Any single SA can select AH or ESP to protect the data transmitted over an IP network, but it cannot combine the two protocols. Therefore, there is a need to combine several SAs to achieve the required security policy. The term security association bundle, or SA bundle, is applied to a sequence of SAs through which traffic must be processed to satisfy a security policy. Security associations may be combined into bundles in two ways: transport adjacency and iterated tunneling.
* Transport adjacency refers to applying more than one security protocol to the same IP datagram, without invoking tunneling. This is only relevant for combining AH and ESP at the same level.
* Iterated tunneling refers to the application of multiple layers of security protocols effected through IP tunneling. This approach allows for multiple levels of nesting, since each tunnel can originate or terminate at a different IPSec site along the path.
* Basic ways of combining SAs: the documents describing the IPSec structure list four cases of combining SAs, based on the compatibility between servers or gateways:
* Case 1: all security properties are provided between end systems.
* Case 2: security is only provided between gateways, and no host implements IPSec.
* Case 3: based on case 2, but adds end-to-end security.
* Case 4: supports remote access through the Internet, across the firewalls, and access to servers or hosts behind the firewalls.
3. SA and key management

Key management is an important part of IPSec, concerned with identifying and distributing the secret keys. The basic requirement is four keys to communicate between two applications: a receiving key and a sending key for each of AH and ESP. The IPSec structure allows two types of key management:
* Manual: each administrator manually configures their own keys and the keys of the other communicating systems. In practice, this type of key management is used for small resources in a static environment.
* Automated: a system which allows keys to be created for SAs, used in a large distributed system with dynamic configuration. The default automated key management in IPSec is called ISAKMP/Oakley, with the following components:
* Oakley key determination protocol: Oakley is a basic key exchange protocol based on the Diffie-Hellman algorithm, with added security conditions. Oakley is a general standard; it does not have any specific format.
* Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP provides a framework for establishing SAs and cryptographic keys in an Internet environment.

VI. Building a real VPN with IPSec

1. VPN overview

A VPN (Virtual Private Network) is the expansion of a LAN by adding connections over a shared network or a public network like the Internet. In other words, a VPN is a private network that uses a public communication infrastructure but still retains privacy by using a tunneling protocol and security procedures. A VPN can be used to establish a connection between a computer and a private network, or between two private networks.

2. IPSec in VPN

* In IPSec, ESP is the only way to provide encryption, but ESP and AH can both provide authentication, so what is the most efficient way to combine the two?
The traditional solution of wrapping ESP inside AH is technically possible, but because of the limitations of AH with NAT (Network Address Translation), combining AH and ESP this way makes the tunnel not work with devices using NAT.
* Instead, ESP + Authentication is used in tunnel mode to fully encapsulate the traffic on its way across an untrusted network, protected by both encryption and authentication in the same mechanism.
* What is especially nice about this way of implementing it is that the VPN and the other security measures are almost invisible to the end-user hosts. Because the VPN is carried out by a gateway device which treats the VPN as just another interface, traffic destined for the other end is routed normally.

VII. Future Research

This paper only provides an overview of IPSec and does not focus on the security components of IPSec such as the encryption algorithms and the details of the SA mechanism. Therefore, in future research I will spend more time on those issues.

VIII. Conclusion

* After covering most of the components of the IPSec structure, it can be seen clearly that IPSec is a strong security protocol: it can provide both encryption and authentication. It also uses various types of encryption and authentication algorithms, such as Triple-DES, 128-bit RC4 and AES (for encryption) and MD5 or SHA-1 (for authentication).
* However, IPSec still has a security issue: when an authorized IPSec user accesses the network, they can also access unauthorized resources. Moreover, the ease of uploading and downloading data files also creates the threat of computer virus infection.

IX. References

1. www.wikipedia.org
2. http://tools.ietf.org/html/rfc2401#section-4.4.3
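The tunnel-mode ESP + Authentication design that section VI.2 recommends, and the reason it survives NAT where AH-wrapped ESP does not, can be shown directly. The following Python example is added here and is not part of the original post: a gateway wraps a whole inner IP packet in ESP under a new outer IP header, the ICV covers only the ESP header and ciphertext, and a NAT rewrite of the outer source address therefore still verifies at the peer gateway. The keys, addresses and SPI are constructed, and the keystream (HMAC-SHA256 in counter mode) is a stand-in for the block ciphers the post lists, chosen so the example runs with the standard library only; the packet layout is the point, not the cipher.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50         # IP protocol number of ESP
IPIP_NEXT_HDR = 4      # tunnel mode: the protected payload is a whole IP packet
ICV_LEN = 12           # HMAC-SHA1-96 authentication data

# Constructed keys for the single tunnel SA in this example.
ENC_KEY = b"constructed-esp-encryption-key"
AUTH_KEY = b"constructed-esp-auth-key"


def keystream(key, spi, seq, length):
    """Stand-in stream cipher: HMAC-SHA256 over (SPI, seq, block counter).
    A real SA would use a block cipher such as 3DES or AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ipv4_header(src, dst, total_len, proto):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def esp_encapsulate(inner_packet, gw_src, gw_dst, spi, seq, enc_key=ENC_KEY, auth_key=AUTH_KEY):
    """Gateway side: wrap a whole inner IP packet in ESP under a new outer IP header."""
    # ESP trailer: padding up to a 4-byte boundary, then Pad Length and Next Header.
    pad_len = (-(len(inner_packet) + 2)) % 4
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP_NEXT_HDR])
    ciphertext = xor_bytes(plaintext, keystream(enc_key, spi, seq, len(plaintext)))
    esp_hdr = struct.pack("!II", spi, seq)
    # The ICV covers the ESP header and ciphertext only, never the outer IP header.
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    body = esp_hdr + ciphertext + icv
    return ipv4_header(gw_src, gw_dst, 20 + len(body), ESP_PROTO) + body


def esp_decapsulate(packet, enc_key=ENC_KEY, auth_key=AUTH_KEY):
    """Peer gateway: verify the ICV first, then decrypt and strip the trailer.
    Returns the inner packet, or None if authentication fails."""
    if packet[9] != ESP_PROTO:
        return None
    body = packet[20:]
    esp_hdr, ciphertext, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    plaintext = xor_bytes(ciphertext, keystream(enc_key, spi, seq, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPIP_NEXT_HDR or pad_len + 2 > len(plaintext):
        return None
    return plaintext[:len(plaintext) - pad_len - 2]


def nat_rewrite_source(packet, new_src):
    """What a NAT device does to the outer header on the way out: replace the
    source address (the IP checksum fix-up is omitted; it is not authenticated)."""
    return packet[:12] + IPv4Address(new_src).packed + packet[16:]


def outer_addresses(packet):
    """Only the gateway addresses are visible on the wire; the inner ones are encrypted."""
    return str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))


if __name__ == "__main__":
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 20 + 5, 6) + b"hello"
    pkt = esp_encapsulate(inner, "203.0.113.1", "198.51.100.1", 0x2000, 1)
    print(outer_addresses(pkt))                                              # gateways only
    print(esp_decapsulate(nat_rewrite_source(pkt, "192.0.2.77")) == inner)  # True
```

Two details worth noticing: the ICV is checked before any decryption, so a packet with a corrupted or forged ciphertext is dropped without touching the cipher, and the end hosts at 10.1.0.5 and 10.2.0.7 never see any of this, matching the post's remark that the VPN is invisible to them.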
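Returning to the key management subsection (V.3): the Diffie-Hellman exchange that Oakley builds on, followed by derivation of the four keys the post says two applications need (a sending and a receiving key for each of AH and ESP), as an added Python example that is not part of the original post. The modulus is the 1024-bit MODP "group 2" prime from RFC 2409 with generator 2; the cookies, nonces and the PRF chain are this example's own simplification and are not the exact ISAKMP/Oakley message formats or key derivation.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group ("group 2") prime from RFC 2409, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def modulus_sanity_check():
    """Cheap Fermat test; a transcription error in P would almost surely fail it."""
    return pow(2, P - 1, P) == 1


def dh_keypair():
    """Private exponent and public value for one peer."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(my_private, peer_public):
    """Shared secret. The range check rejects the degenerate values 0, 1 and p-1,
    which would force a predictable result whatever the private exponent is."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, my_private, P)


def derive_four_keys(shared, cookie_i, cookie_r, nonce_i, nonce_r):
    """Expand the shared secret into the four directional keys the post describes:
    AH and ESP, one key per direction. Simplified PRF chain (example's own design):
    nonces key the first HMAC, cookies and a label separate the four outputs."""
    skeyid = hmac.new(nonce_i + nonce_r, shared.to_bytes(128, "big"), hashlib.sha1).digest()

    def prf(label):
        return hmac.new(skeyid, label + cookie_i + cookie_r, hashlib.sha1).digest()

    return {"ah_i2r": prf(b"AH i->r"), "ah_r2i": prf(b"AH r->i"),
            "esp_i2r": prf(b"ESP i->r"), "esp_r2i": prf(b"ESP r->i")}


def peer_view(role, keys):
    """Relabel the directional keys as send/receive keys for one side."""
    if role == "initiator":
        return {"ah_send": keys["ah_i2r"], "ah_recv": keys["ah_r2i"],
                "esp_send": keys["esp_i2r"], "esp_recv": keys["esp_r2i"]}
    return {"ah_send": keys["ah_r2i"], "ah_recv": keys["ah_i2r"],
            "esp_send": keys["esp_r2i"], "esp_recv": keys["esp_i2r"]}


def run_exchange():
    """Both peers end to end: exchange public values, compute the secret
    independently, derive keys. Returns (initiator_keys, responder_keys)."""
    cookie_i, cookie_r = secrets.token_bytes(8), secrets.token_bytes(8)
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    x_i, y_i = dh_keypair()
    x_r, y_r = dh_keypair()
    secret_i = dh_shared(x_i, y_r)      # initiator uses the responder's public value
    secret_r = dh_shared(x_r, y_i)      # responder uses the initiator's
    keys_i = peer_view("initiator", derive_four_keys(secret_i, cookie_i, cookie_r, nonce_i, nonce_r))
    keys_r = peer_view("responder", derive_four_keys(secret_r, cookie_i, cookie_r, nonce_i, nonce_r))
    return keys_i, keys_r


if __name__ == "__main__":
    ki, kr = run_exchange()
    print("initiator AH send key == responder AH recv key:", ki["ah_send"] == kr["ah_recv"])
```

Each peer ends up with the same four keys labelled from its own point of view, which is exactly the pairing of unidirectional SAs described in section V.1: the initiator's sending key for AH is the responder's receiving key for AH, and likewise for ESP.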
