Define the data protection features provided by IPSec.
Protect data with IPSec using its Protection Features
IPSec (Internet Protocol Security) provides several key protection features for data transmitted over a network. These features ensure that data is transmitted securely and remains confidential, unaltered, and authenticated. The primary protection features provided by IPSec include:
Confidentiality (Encryption):
Purpose: Protects the data from being read by unauthorized parties.
How: IPSec uses encryption algorithms (such as AES or 3DES) to encrypt the data payload, ensuring that only the intended recipient with the correct decryption key can read the data.
Integrity (Data Integrity):
Purpose: Ensures that the data has not been tampered with or altered during transmission.
How: IPSec uses hashing algorithms (such as HMAC-SHA1 or HMAC-MD5) to create a message digest (a hash) of the data. The recipient can then verify the hash to ensure the data has not been modified.
Authentication:
Purpose: Verifies the identity of the sender to ensure the data is coming from a trusted source.
How: IPSec uses mechanisms like pre-shared keys, digital certificates, or Kerberos to authenticate the communicating parties and confirm the sender’s identity.
Anti-Replay Protection:
Purpose: Prevents attackers from intercepting and replaying old packets to disrupt communication or impersonate a user.
How: IPSec assigns sequence numbers to each packet and ensures that a packet with the same sequence number is not processed again.
Access Control:
Purpose: Ensures that only authorized devices or users can participate in the communication.
How: Through policies defined in the Security Policy Database (SPD), IPSec allows or blocks certain traffic based on parameters like IP addresses, port numbers, and protocols.
Summary of IPSec Protection Features:
Confidentiality: Keeps data private via encryption.
Integrity: Protects against data tampering.
Authentication: Confirms the identities of communicating parties.
Anti-Replay Protection: Prevents replay attacks.
Access Control: Ensures only authorized users/devices can communicate.
Together, these features ensure secure communication over IP networks, such as in Virtual Private Networks (VPNs).
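As an added illustration (not code from the original page) of how the integrity and anti-replay features work together on the receiving side, the following Python models an ESP-style receiver: it verifies a keyed-hash integrity check value over the SPI, sequence number and payload, then applies a sliding anti-replay window to the sequence number. The packet layout, key and window size are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed receiver (not the page's code): verify the keyed-hash integrity check
# value (ICV) first, then run the anti-replay check on the 32-bit sequence number.
# Packet layout, key and window size are made up for the example.
KEY = b"constructed-demo-key"
WINDOW = 64                      # sequence numbers tracked behind the highest accepted

class ReplayWindow:
    """Sliding anti-replay window: each sequence number is accepted at most once."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.highest = 0         # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence number (highest - i) was accepted

    def check_and_update(self, seq):
        if seq == 0:
            return False                         # 0 is never a valid sequence number
        if seq > self.highest:                   # new high-water mark: slide the window
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                         # too old: fell out of the window
        if self.bitmap & (1 << diff):
            return False                         # already accepted: this is a replay
        self.bitmap |= 1 << diff                 # late but unseen: accept and mark
        return True

def make_packet(spi, seq, payload, key=KEY):
    """Sender side: SPI || seq || payload || HMAC-SHA256 ICV over everything before it."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def receive(packet, window, key=KEY):
    """Return ("accept", seq) or ("drop", reason). Integrity is checked before replay."""
    body, icv = packet[:-32], packet[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, icv):
        return ("drop", "bad ICV")               # tampered in transit or wrong key
    spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):
        return ("drop", "replay or stale seq")
    return ("accept", seq)
```

Checking the ICV before the replay window matters: a forged packet with a high sequence number must not be allowed to slide the window and make legitimate late packets look stale.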
Protect Data with IPSec
Data traffic on public and private IP networks may be confidential and require increased security. The security required can include both authentication of peers, and the encryption and authentication of data.
Two IPSec Functions
IPSec provides two functions to improve security:
Data integrity: Use an Authentication Header (AH) to provide source authentication and integrity without providing data encryption. You use IPSec with AH in the network design where only data integrity is required, or where the application layer already encrypts data.
The Authentication Header lets you confirm that the sender of the data is who they claim to be, and assures that the data has not been altered in transit over the network. Remember, the Authentication Header (AH) does not encrypt the data itself.
To encrypt the actual data, use an application-layer protocol such as the Secure Sockets Layer (SSL), or use ESP.
Data encryption: Encapsulating Security Payload (ESP) provides authentication and integrity along with encryption. Use IPSec with ESP where both integrity and encryption are required.
Authentication Header (AH): The Authentication Header is one of the security protocols used with IPSec. AH provides authentication and integrity for the entire packet (both the IP header and the data carried in the packet).
AH signs the entire packet. It does not encrypt the data. The data is readable, but protected from modification. Packet integrity is assured by digital signatures applied to each packet.
Encapsulating Security Payload (ESP): ESP provides confidentiality, in addition to authentication and integrity. ESP is one of the security protocols used in IPSec.
The Authentication Header and the Encapsulating Security Payload both support two different modes: tunnel mode and transport mode. In tunnel mode, the endpoints of the tunnel are specified; these endpoints are typically two VPN gateways. All data is encrypted as it passes from the source to the destination server at each end of the tunnel. Transport mode provides end-to-end encryption.
In transport mode, a computer on network A encrypts data before it hits the wire, and the data remains encrypted until it reaches its destination on network B.
Note the difference between tunnel and transport modes. In tunnel mode, the data is protected only between the tunnel endpoints. In transport mode, the data is protected from the source to the destination, which is referred to as "end-to-end" protection.
Overview of IPSec
IPsec provides secure tunnels between two peers, such as two routers or switches.
More accurately, these tunnels are sets of security associations (SAs) that are established between two IPsec peers.
The SAs define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers.
SAs are unidirectional and are established per security protocol (Authentication Header or Encapsulating Security Payload). Multiple IPsec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of SAs.
For example, some data streams might be authenticated only while other data streams must both be encrypted and authenticated.
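The relationship between the Security Policy Database (SPD) used for access control and the per-direction SAs described above, as an added Python model that is not code from the original page. It assumes a simple selector format and constructed networks, peer address and SPIs; a real implementation would also hold the inbound SAs and the negotiated keys.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (not the page's code) of the two IPsec databases described above: the
# SPD decides whether a packet is discarded, bypassed or protected, and the SAD holds the
# unidirectional SAs (one per direction and per security protocol) that a "protect" decision
# points at. Networks, ports, peer addresses and SPIs are made up for the example.
AH, ESP = 51, 50                        # IP protocol numbers of the two security protocols
@dataclass
class SA:                               # one unidirectional security association
    spi: int                            # Security Parameter Index identifying the SA
    proto: int                          # AH or ESP
    peer: str                           # IPsec peer the SA was negotiated with
@dataclass
class Policy:                           # one SPD entry: traffic selectors plus an action
    src: str                            # source network (CIDR)
    dst: str                            # destination network (CIDR)
    ip_proto: Optional[int]             # None = any transport protocol
    dport: Optional[int]                # None = any destination port
    action: str                         # "discard", "bypass" or "protect"
    sec_proto: Optional[int] = None     # AH or ESP when the action is "protect"
    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.ip_proto in (None, pkt["ip_proto"])
                and self.dport in (None, pkt.get("dport")))

# The SPD is ordered: the first matching entry wins, and the last entry is a default deny.
SPD = [
    Policy("10.0.0.0/8", "10.0.0.0/8", 17, 500, "bypass"),          # let IKE (UDP 500) through
    Policy("10.0.0.0/8", "10.2.0.0/16", 6, 1433, "protect", ESP),   # database traffic: encrypt
    Policy("10.0.0.0/8", "10.2.0.0/16", None, None, "protect", AH), # other traffic: integrity only
    Policy("0.0.0.0/0", "0.0.0.0/0", None, None, "discard"),
]
# Outbound SAD keyed by (peer, security protocol); inbound SAs live in a separate set.
SAD_OUT = {
    ("10.2.0.1", ESP): SA(0x1001, ESP, "10.2.0.1"),
    ("10.2.0.1", AH): SA(0x1002, AH, "10.2.0.1"),
}

def outbound(pkt, peer="10.2.0.1", spd=SPD, sad=SAD_OUT):
    """Return ("discard",), ("bypass",) or ("protect", SA) for a packet given as a dict."""
    for pol in spd:
        if pol.matches(pkt):
            if pol.action != "protect":
                return (pol.action,)
            sa = sad.get((peer, pol.sec_proto))
            return ("protect", sa) if sa else ("discard",)  # no SA yet: IKE must negotiate one
    return ("discard",)
```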
Pre-defined IPSec policies
Computers that are members of a Windows 2000 domain include predefined IPSec policies that define integrity and encryption options. Each policy is named below, followed by its definition.
Client (Respond Only)
Use this policy for computers that do not require IPSec except when requested by another computer. When defined, this policy enables the computer to respond appropriately to requests for secured communications. Only the requested protocol and port traffic for the communication are secured.
For example, a Windows 2000 Professional computer might wish to connect to a secure Windows 2000 server. The Windows 2000 Professional machine does not require secure communication via IPSec, but the server does require IPSec. The Windows 2000 Professional client will respond by creating only IPSec-secure connections to the secure server.
Server (Request Security)
Use this policy for computers that secure communications most of the time. In this policy, the computer accepts unsecured traffic, but always attempts to secure additional communications by requesting security from the original sender. This policy allows the entire communication to be unsecured if the other computer is not IPSec-enabled.
The Request Security policy is helpful during an interim period when you wish to create a secure server but not all machines on your network have been upgraded to Windows 2000. It allows the server to communicate with down-level client operating systems in a non-secure context during the upgrade rollout. Once all the machines on the network have been upgraded, you can change the server to use the Secure Server IPSec policy.
Secure Server (Require Security)
Use this policy for computers that always require secure communications. This policy rejects unsecured incoming communications.
The outgoing traffic is always secured. Unsecured communication is not allowed.
Only one of the policies may be active on a given computer, so your security plan must specify the required policy or define a custom policy. You must customize the predefined policies to meet the given security requirements.
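An added decision model (not from the original page) of how the three predefined policies combine, depending on which side initiates; "none" stands for a peer that is not IPSec-enabled. It is a simplification of the descriptions above and ignores filter details and authentication failures, but it is enough to check a rollout plan for peers that would be locked out.

```python
# Constructed decision model (not the page's code) of the three predefined Windows 2000
# IPSec policies described above. "none" is a peer without IPSec. Simplified: real
# negotiation also depends on filters, authentication method and whether an SA comes up.
CLIENT = "Client (Respond Only)"
SERVER = "Server (Request Security)"
SECURE = "Secure Server (Require Security)"
NONE = "none"
REQUIRES = {SECURE}                   # rejects any unsecured communication
REQUESTS = {SERVER, SECURE}           # asks the other side to secure the communication
RESPONDS = {CLIENT, SERVER, SECURE}   # can secure traffic when the other side asks

def outcome(initiator, responder):
    """Return "secured", "unsecured" or "rejected" for a connection from initiator to responder."""
    wants = initiator in REQUESTS or responder in REQUESTS
    can = initiator in RESPONDS and responder in RESPONDS
    if wants and can:
        return "secured"
    if initiator in REQUIRES or responder in REQUIRES:
        return "rejected"             # one side insists on security the other cannot provide
    return "unsecured"                # nobody asked, or the requester tolerates unsecured traffic

def locked_out(server_policy, client_policies):
    """Client policies that would lose access to a server running server_policy."""
    return [c for c in client_policies if outcome(c, server_policy) == "rejected"]
```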
Routing IPSec traffic
IPSec traffic uses particular ports and protocol numbers that can be routed transparently.
On any device that filters traffic at the boundary between the private network and a public network (a security gateway, firewall, Proxy Server, router, or similar access point), you must define filters that ensure packets secured with IPSec are not rejected.
For example, Microsoft Proxy Server 2.0 includes a number of built-in filters, including a filter for PPTP. If you want to use L2TP/IPSec instead of PPTP, you will have to configure your own custom filter.
Define the following inbound and outbound filters for a public network interface if your design includes IPSec traffic through that interface:
IPSec Authentication Header traffic: permit IP Protocol ID 51.
IPSec Encapsulating Security Payload traffic: permit IP Protocol ID 50, and UDP Port 500 for ISAKMP/Oakley negotiation traffic.
The next lesson describes the protection levels provided by IPSec.