What is IPSec and Why we need IPSec, Primary Goals of IPSec
At this juncture, if you have followed every lesson on www.omnisecu.com, you should now have a thorough understanding of the TCP/IP protocol suite and how computer networks operate.
You may have noticed the main drawback of the TCP/IP protocol stack: "Security"!
The TCP/IP protocol suite has no built-in mechanism for protecting data in transit, and protecting data while it moves across a network is crucial in computer networking. As an individual, you do not want your email, bank or social network accounts compromised. Enterprises must secure their data in transit because business data is so valuable that its loss (for example research data or financial data) can threaten the very existence of the organization.
The IPSec (Internet Protocol Security) Protocol Suite is a set of network security protocols developed to ensure the Confidentiality, Integrity and Authentication of data traffic over a TCP/IP network. The IPSec Protocol Suite secures network traffic by providing Data Confidentiality, Data Integrity, Sender and Recipient Authentication and Replay Protection.
Some of the network threats mitigated by using IPSec are:
1) Data corruption in traffic
2) Data theft in traffic
3) Password and account theft
4) Network-based attacks
The IPSec Protocol Suite is based on Internet Engineering Task Force (IETF) standards. Because IPSec is an IETF standard, we get interoperability between different Firewall, Router and Operating System vendors: IPSec can be used to create VPN tunnels between devices made by different vendors such as Cisco, Juniper, Microsoft, RedHat, Checkpoint, Palo Alto etc.
IPSec (Internet Protocol Security) protects Network Data Traffic in the four ways listed below (the Primary Goals of IPSec).
1) Confidentiality: The Data in network traffic must be available only to the intended recipient. In other words, the Data in network traffic MUST NOT be available to anyone other than the intended recipient. IPSec provides Data Confidentiality by encrypting the Data during its journey.
2) Integrity: The Data in network traffic MUST NOT be altered while in the network. In other words, the Data received by the recipient must be exactly the same as the Data sent by the Sender. IPSec (Internet Protocol Security) provides Data Integrity by using Hashing Algorithms.
3) Authentication: Sender and the Recipient MUST PROVE their identity with each other. IPSec provides Authentication services by using Digital Certificates or Pre-Shared keys.
4) Protection against Replay Attacks: Network Replay attacks (also called "man-in-the-middle attacks") allow an attacker to spy on the network traffic between a sending device and a receiving device. Later, the Replay attacker uses the information he gained illegally for fake authentication, fake authorization or to duplicate a transaction. IPSec protects against Replay attacks by using sequence numbers built into the IPSec packets. Using these sequence numbers, IPSec can identify (and discard) packets it has already seen.
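A receiver-side anti-replay check of the kind described above, as an added example that is not code from omnisecu.com: a sliding bit-window over sequence numbers modelled on RFC 4303 Appendix A. The window size, the packet arrival order and the simplification to 32-bit sequence numbers without Extended Sequence Numbers are constructed for this demo.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound Security Association.

    Modelled on RFC 4303 Appendix A: a sliding window of bit flags whose right
    edge is the highest sequence number accepted so far. Assumes 32-bit
    sequence numbers without Extended Sequence Numbers (constructed simplification).
    """

    MIN_WINDOW = 32  # RFC 4303 requires receivers to support a window of at least 32

    def __init__(self, window_size: int = 64) -> None:
        if window_size < self.MIN_WINDOW:
            raise ValueError("window must be at least 32 sequence numbers")
        self.window_size = window_size
        self.highest = 0   # right edge of the window (0 = nothing received yet)
        self.bitmap = 0    # bit i set  =>  sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is new.

        Return False for a replay (already seen) or for a packet older than the
        left edge of the window. In a real ESP receiver this update is only
        performed after the ICV has verified, so forged packets cannot advance
        the window.
        """
        if seq == 0:                       # sequence number 0 is never transmitted (RFC 4303)
            return False
        if seq > self.highest:             # new highest: slide the window to the right
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1            # everything previously seen falls off the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        diff = self.highest - seq          # packet is inside or left of the window
        if diff >= self.window_size:
            return False                   # too old: outside the window, drop
        if self.bitmap & (1 << diff):
            return False                   # duplicate: a replayed packet, drop
        self.bitmap |= 1 << diff           # late but new: accept and record it
        return True


def filter_sequence(seqs, window_size: int = 64):
    """Run a constructed stream of sequence numbers through one window and
    return the accept/reject decision for each packet."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, a replay of 2, a reordered 4,
    # a replay of 4, a jump to 100 and a stale 3 that has fallen off the window.
    stream = [1, 2, 3, 2, 5, 4, 4, 100, 3]
    for seq, ok in zip(stream, filter_sequence(stream)):
        print(f"seq {seq:3d}: {'accept' if ok else 'drop'}")
```

Reordered packets that still fall inside the window (the late 4) are accepted once, while a second copy of the same sequence number and anything older than the window's left edge are dropped; an attacker who records traffic and resends it later therefore gets nothing past the receiver.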
IPSec can secure end-to-end IP traffic between two hosts (Transport mode) or traffic between two Gateways (Tunnel mode).
Transport mode: In Transport mode, only the Data Payload of the IP datagram is secured by IPSec. IPSec inserts its header between the original IP header and the upper-layer protocol header.
Tunnel mode: In Tunnel mode, the entire IP datagram is secured by IPSec. The original IP packet is encapsulated in a new IP packet.
IPSec is integrated at Layer 3 (the Network layer) of the OSI model and hence provides security for almost all protocols in the TCP/IP protocol suite. As discussed above, the IPSec (IP Security) Protocol Suite is a set of network security protocols, consisting of different protocols/technologies that together provide Confidentiality, Integrity, Authentication and anti-replay capabilities.
Following are the three main components of IPSec.
1) Internet Key Exchange (IKE) Protocol: Internet Key Exchange (IKE) is an IETF protocol with two versions, the older IKEv1 and the newer IKEv2. IKE is used to establish a Security Association (SA) between two communicating IPSec devices.
2) Encapsulating Security Payload (ESP): IPSec uses ESP (Encapsulating Security Payload) to provide Data Integrity, Encryption, Authentication and Anti-Replay functions for an IPSec VPN. Cisco IPSec implementations use DES, 3DES and AES for Data Encryption.
3) Authentication Header (AH): IPSec uses the Authentication Header (AH) to provide Data Integrity, Authentication and Anti-Replay functions for an IPSec VPN. AH does not provide any Data Encryption. AH can be used to provide Data Integrity services that ensure the Data is not tampered with during its journey.
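The two IPSec modes and the ESP framing described above, as an added example that is not code from omnisecu.com: it wraps a constructed IPv4 datagram in ESP in Transport mode and in Tunnel mode, then verifies the Integrity Check Value (ICV) on the receiving side. Assumptions made for the demo: ESP-NULL encryption (RFC 2410) so that only the Python standard library is needed, HMAC-SHA-256-128 for the ICV (RFC 4868), a hard-coded key standing in for one negotiated by IKE, zeroed IP checksums, and the constructed addresses 10.0.1.5, 10.0.2.7 (hosts) and 203.0.113.1, 198.51.100.1 (gateways).

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50          # IP protocol number for ESP (RFC 4303)
IPIP_PROTO = 4          # Next Header value for an encapsulated IPv4 datagram (tunnel mode)
ICV_LEN = 16            # HMAC-SHA-256-128 truncates the tag to 128 bits (RFC 4868)
KEY = bytes(range(32))  # constructed demo key; a real SA key is derived by IKE


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def esp_wrap(inner: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP header | inner | padding | pad length | next header | ICV.

    ESP-NULL is used, so 'inner' stays in the clear; with a real cipher the
    same bytes (plus an IV) would be ciphertext and the framing is unchanged.
    """
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default self-describing padding
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_transport(ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: keep the original IP header, protect only its payload."""
    hdr, payload = ip_packet[:20], ip_packet[20:]
    orig_proto = hdr[9]                        # original upper-layer protocol
    esp = esp_wrap(payload, orig_proto, spi, seq, key)
    src, dst = str(IPv4Address(hdr[12:16])), str(IPv4Address(hdr[16:20]))
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def esp_tunnel(ip_packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: the whole original datagram is the ESP payload and a new
    gateway-to-gateway IP header is prepended, hiding the inner addresses."""
    esp = esp_wrap(ip_packet, IPIP_PROTO, spi, seq, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def esp_unwrap(packet: bytes, key: bytes):
    """Receiver side: verify the ICV first (constant-time compare), only then
    parse the trailer. Returns (next_header, inner bytes); raises on a bad ICV."""
    outer, esp = packet[:20], packet[20:]
    if outer[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered in transit or wrong key")
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:-(2 + pad_len)]             # skip SPI + sequence number, drop trailer
    return next_header, inner


def tamper_is_detected(packet: bytes, key: bytes, offset: int = 30) -> bool:
    """Flip one bit inside the protected payload and check the receiver rejects it."""
    modified = bytearray(packet)
    modified[offset] ^= 0x01
    try:
        esp_unwrap(bytes(modified), key)
    except ValueError:
        return True
    return False


# Constructed original datagram: host 10.0.1.5 -> host 10.0.2.7, protocol 17 (UDP), 5-byte payload.
ORIGINAL = ipv4_header("10.0.1.5", "10.0.2.7", 17, 5) + b"hello"

if __name__ == "__main__":
    t = esp_transport(ORIGINAL, 0x1000, 1, KEY)
    u = esp_tunnel(ORIGINAL, "203.0.113.1", "198.51.100.1", 0x2000, 1, KEY)
    print("transport:", len(t), "bytes, receiver sees", esp_unwrap(t, KEY))
    print("tunnel:   ", len(u), "bytes, receiver sees", esp_unwrap(u, KEY)[0], "(IPv4-in-IP)")
    print("tampered transport packet rejected:", tamper_is_detected(t, KEY))
```

In Transport mode the receiver recovers the 5-byte payload and its original protocol number (17) while the outer header still carries the end hosts' addresses; in Tunnel mode it recovers the complete 25-byte inner datagram and the outer header shows only the two gateways. Either way a single flipped bit in the protected bytes fails the ICV check and the packet is dropped before any of its content is used, which is the Integrity and Authentication guarantee ESP provides (AH gives the same guarantee without the encryption option).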