IPsec Overview

IP Security, or IPsec, has been in use for a number of years now to protect sensitive data as it flows from one location to another. The evolution of corporate communications has changed the way that private data is exchanged and maintained. Most companies have distributed resources and personnel, so it is important that corporate data remains private during transit. IPsec offers a standards-based mechanism to provide such secure data transmission.

Typically, IPsec is associated with Virtual Private Networks (VPN). A VPN creates a private connection, or network, between two endpoints. The connection is virtual because it is independent of the physical means of connectivity, which by itself does nothing to protect the data carried over it. IPsec adds a layer of protection to the data that travels across the VPN.

Many years ago, wide-area network (WAN) connections between branch offices were built from point-to-point (p2p) circuits. A single port of a router at one site would connect, via a provider, to a single port of a router at a remote site. X.25, ATM, and Frame Relay introduced the virtual circuit. With this technology, one router interface could have many virtual circuits, or connections, to many other sites. Today, practically every site has Internet connectivity. Rather than lease a p2p or virtual circuit between sites across a carrier’s network, most sites simply lease access to the Internet. Sending data packets from one location to another is then simply a matter of knowing the destination IP address. However, due to the “open” nature of the Internet, it is not considered safe to simply send packets from one site to another. IPsec is used as a means of safeguarding IP data as it travels from one site to another. Note that IPsec can be used on any type of connectivity—not just Internet links. But IPsec is predominantly used on data that traverses insecure or untrusted networks, such as the Internet.

Foundation Topics

IPsec

IPsec is best thought of as a set of features that protects IP data as it travels from one location to another. The locations involved in the VPN typically define the type of VPN. A location could be an end client (such as a PC), a small remote office, a large branch office, a corporate headquarters, a data center, or even a service provider. The combination of any two of these locations determines the type of VPN in use. For example, a small remote office connecting to a corporate headquarters would be a site-to-site VPN.

It is important to remember that IPsec can protect only the IP layer and up (transport layer and user data). IPsec cannot extend its services to the data link layer. If protection of the data link layer is needed, then some form of link encryption is needed. Such encryption is typically performed within a trusted infrastructure, where the security of the link can be assured. Such encryption is not feasible in the Internet because intermediate links are not controlled by the end users.

Often, the use of encryption is assumed to be a requirement of IPsec. In reality, encryption, or data confidentiality, is an optional (although heavily implemented) feature of IPsec. IPsec consists of the following features, which are further explained later in this chapter:

■ Data confidentiality
■ Data integrity
■ Data origin authentication
■ Anti-replay

The features, or services, of IPsec are implemented by a series of standards-based protocols. It is important that the implementation of IPsec is based on open standards to ensure interoperability between vendors. The IPsec protocols do not specify any particular authentication or encryption algorithms, key generation techniques, or security association (SA) mechanisms.
The three main protocols that are used by IPsec are as follows:

■ Internet Key Exchange (IKE)
■ Encapsulating Security Payload (ESP)
■ Authentication Header (AH)

These protocols are detailed a bit later in this chapter in the section “IPsec Protocols.” It is important to understand that these protocols are based on open standards. IPsec uses the preceding protocols to establish the rules for authentication and encryption, and existing standards-based algorithms provide the actual means of authentication, encryption, and key management.

Remember that IPsec is used to protect the flow of data through a VPN. However, a VPN does not necessarily imply that the contents are protected. A VPN can simply be a tunnel, or link, between two endpoints. As such, a new outer header or tag may be applied, but the internal contents are still available for inspection to anyone between the endpoints. So, an IPsec VPN can be considered safe and protected, while other types of VPNs might not share this luxury.

IPsec Features

As noted earlier, the primary features of IPsec consist of the following:

■ Data confidentiality
■ Data integrity
■ Data origin authentication (peer authentication)
■ Anti-replay

It is important to understand the meaning of each of these features. The protocols that implement these features are covered later in this chapter.

Data confidentiality involves keeping the data within the IPsec VPN private between the participants of the VPN. As noted earlier, most VPNs are used across the public Internet. As such, it is possible for data to be intercepted and examined. In reality, any data in transit is subject to examination, so the Internet should not be viewed as the only insecure medium. Data confidentiality involves the use of encryption to scramble the data in transit. Encrypted packets cannot be easily, if ever, understood by anyone other than the intended recipient.
The use of encryption involves the selection of an encryption algorithm and a means of distributing encryption keys to those involved. IPsec encryption algorithms are covered later in this chapter. Data confidentiality, or encryption, is not required for IPsec VPNs. More often than not, packets are encrypted as they pass through the VPN. But data confidentiality is an optional feature for IPsec.

Data integrity is a guarantee that the data was not modified or altered during transit through the IPsec VPN. Data integrity itself does not provide data confidentiality. Data integrity typically uses a hash algorithm to check if data within the packet was modified between endpoints. Packets that are determined to have been changed are not accepted.
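The integrity, data origin authentication, and anti-replay features described above can be seen working together in the following added example. It is not code from the book; it is a simplified receiver written for this page. The key is a constructed stand-in for material that IKE would normally derive, the packet format is reduced to a sequence number, payload and Integrity Check Value (ICV), and the anti-replay logic is the 64-packet sliding window that RFC 4303 describes for ESP: a keyed HMAC proves the packet is unmodified and came from the peer, and the window rejects any sequence number that was already accepted or has fallen too far behind.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AuthPacket is a stripped-down protected packet: sequence number, payload and
// an ICV over both. Real IPsec packets carry more fields (SPI, padding, next header).
type AuthPacket struct {
	Seq     uint32
	Payload []byte
	ICV     []byte
}

// computeICV returns HMAC-SHA256(key, Seq || Payload). Only the two peers hold
// the key, so a valid ICV proves integrity and data origin at the same time.
func computeICV(key []byte, seq uint32, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	var seqBytes [4]byte
	binary.BigEndian.PutUint32(seqBytes[:], seq)
	mac.Write(seqBytes[:])
	mac.Write(payload)
	return mac.Sum(nil)
}

// Protect is the sender side: attach the sequence number and the ICV.
func Protect(key []byte, seq uint32, payload []byte) AuthPacket {
	return AuthPacket{Seq: seq, Payload: append([]byte(nil), payload...), ICV: computeICV(key, seq, payload)}
}

// ReplayWindow is a 64-packet sliding window. Bit i of bitmap is set when
// sequence number (highest - i) has been accepted; older numbers are rejected.
type ReplayWindow struct {
	size    uint32
	highest uint32
	bitmap  uint64
}

func NewReplayWindow() *ReplayWindow { return &ReplayWindow{size: 64} }

// Check reports whether seq may still be accepted. It does not record seq: the
// receiver marks a number only after the ICV verifies, so forged packets cannot
// poison the window.
func (w *ReplayWindow) Check(seq uint32) error {
	if seq == 0 {
		return errors.New("sequence number 0 is never transmitted")
	}
	if seq > w.highest {
		return nil // would advance the window
	}
	diff := w.highest - seq
	if diff >= w.size {
		return errors.New("sequence number is older than the window")
	}
	if w.bitmap&(1<<diff) != 0 {
		return errors.New("sequence number already received (replay)")
	}
	return nil
}

// Mark records an accepted sequence number, sliding the window if needed.
func (w *ReplayWindow) Mark(seq uint32) {
	if seq > w.highest {
		shift := seq - w.highest
		if shift >= w.size {
			w.bitmap = 1 // everything seen so far has left the window
		} else {
			w.bitmap = (w.bitmap << shift) | 1
		}
		w.highest = seq
		return
	}
	w.bitmap |= 1 << (w.highest - seq)
}

// Receive follows the order RFC 4303 gives: anti-replay check, ICV check, then
// and only then update the window.
func Receive(key []byte, w *ReplayWindow, p AuthPacket) ([]byte, error) {
	if err := w.Check(p.Seq); err != nil {
		return nil, fmt.Errorf("anti-replay: %w", err)
	}
	if !hmac.Equal(p.ICV, computeICV(key, p.Seq, p.Payload)) {
		return nil, errors.New("integrity check failed: modified or not from the peer")
	}
	w.Mark(p.Seq)
	return p.Payload, nil
}

func main() {
	key := []byte("constructed shared key; real peers derive this via IKE")
	w := NewReplayWindow()
	for _, seq := range []uint32{1, 2, 2, 4, 3, 100, 30} {
		_, err := Receive(key, w, Protect(key, seq, []byte("data")))
		fmt.Printf("seq %3d: %v\n", seq, err)
	}
	forged := Protect(key, 101, []byte("data"))
	forged.Payload[0] ^= 0xff // modified in flight
	_, err := Receive(key, w, forged)
	fmt.Println("tampered 101:", err)
}
```

Running `main` shows the second copy of sequence number 2 rejected as a replay, 3 accepted although it arrives after 4, 30 rejected once 100 has moved the window past it, and the tampered packet failing the ICV check without consuming its sequence number.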

IPsec Protocols

IPsec consists of three primary protocols to help implement the overall IPsec architecture:

■ Internet Key Exchange (IKE)
■ Encapsulating Security Payload (ESP)
■ Authentication Header (AH)

Together, these three protocols offer the various IPsec features mentioned earlier. Every IPsec VPN uses some combination of these protocols to provide the desired features for the VPN.

IKE

Internet Key Exchange (IKE) is a framework for the negotiation and exchange of security parameters and authentication keys. The IPsec security parameters will be examined later in the “Internet Key Exchange (IKE)” section. For now, it is important to understand that there are a variety of possible options between two IPsec VPN endpoints. The secure negotiation of the parameters used to establish the IPsec VPN characteristics is performed by IKE. IKE also exchanges the keys used by the symmetric encryption algorithms within an IPsec VPN. Compared to asymmetric algorithms, symmetric algorithms tend to be more efficient and easier to implement in hardware. The use of such algorithms requires appropriate key material, and IKE provides the mechanism to exchange the keys.

ESP

Encapsulating Security Payload (ESP) provides the framework for the data confidentiality, data integrity, data origin authentication, and optional anti-replay features of IPsec. ESP is the only IPsec protocol that provides data encryption, and it can also provide all of the other IPsec features mentioned earlier. Because of this, ESP is the protocol primarily used in IPsec VPNs today. The following encryption methods are available to IPsec ESP:

■ Data Encryption Standard (DES)—An older method of encrypting information that has enjoyed widespread use.
■ Triple Data Encryption Standard (3DES)—A block cipher that uses DES three times.
■ Advanced Encryption Standard (AES)—One of the most popular symmetric key algorithms used today.
AH

Authentication Header (AH) provides the framework for the data integrity, data origin authentication, and optional anti-replay features of IPsec. Note that data confidentiality is not provided by AH. AH ensures that the data has not been modified or tampered with, but does not hide the data from inquisitive eyes during transit. As such, the use of AH alone in today’s networks has faded in favor of ESP. Both AH and ESP use a Hash-based Message Authentication Code (HMAC) as the authentication and integrity check.
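The difference between ESP and AH that this section draws, confidentiality plus integrity versus integrity alone, is easiest to see on the wire. The following is an added example written for this page, not code from the book or from any IPsec implementation. It builds ESP-style and AH-style packets side by side with AES-CBC and a truncated HMAC-SHA256 (the 128-bit truncation of RFC 4868). The keys and SPI are constructed stand-ins for values IKE would negotiate, the ESP trailer is simplified to zero padding plus a pad-length byte, and IP headers are omitted; the point it demonstrates is that the AH packet still contains the payload verbatim while the ESP packet does not, and that a single flipped ciphertext bit is caught by the ICV before decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo keys and SPI; real peers derive separate encryption and
// authentication keys through IKE. These are hard-coded stand-ins.
var (
	encKey  = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	authKey = []byte("constructed-authentication-key")
)

const spi uint32 = 0x1001
const icvLen = 16 // HMAC-SHA-256-128: 128-bit truncation per RFC 4868

// header returns the SPI || Sequence Number prefix that both ESP and AH carry.
func header(seq uint32) []byte {
	h := make([]byte, 8)
	binary.BigEndian.PutUint32(h[0:4], spi)
	binary.BigEndian.PutUint32(h[4:8], seq)
	return h
}

// icv computes the truncated HMAC-SHA256 over data with the authentication key.
func icv(data []byte) []byte {
	m := hmac.New(sha256.New, authKey)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// EspProtect: confidentiality + integrity. Wire = header || IV || ciphertext || ICV,
// with the ICV over everything before it (encrypt-then-MAC, the order ESP uses).
// Simplified trailer: zero padding followed by one pad-length byte.
func EspProtect(seq uint32, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padLen := (aes.BlockSize - (len(payload)+1)%aes.BlockSize) % aes.BlockSize
	plain := append(append([]byte(nil), payload...), make([]byte, padLen)...)
	plain = append(plain, byte(padLen))
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	wire := append(append(header(seq), iv...), ct...)
	return append(wire, icv(wire)...), nil
}

// EspUnprotect verifies the ICV first, so a modified packet is dropped before decryption.
func EspUnprotect(wire []byte) ([]byte, error) {
	if len(wire) < 8+2*aes.BlockSize+icvLen {
		return nil, errors.New("truncated packet")
	}
	body, tag := wire[:len(wire)-icvLen], wire[len(wire)-icvLen:]
	if !hmac.Equal(tag, icv(body)) {
		return nil, errors.New("integrity check failed")
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, _ := aes.NewCipher(encKey) // constant 32-byte key: cannot fail
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-1])
	if padLen+1 > len(plain) {
		return nil, errors.New("bad padding")
	}
	return plain[:len(plain)-1-padLen], nil
}

// AhProtect: integrity and origin authentication only. Wire = header || ICV || payload,
// so the payload travels in the clear, which is the AH limitation described above.
func AhProtect(seq uint32, payload []byte) []byte {
	hdr := header(seq)
	tag := icv(append(append([]byte(nil), hdr...), payload...))
	return append(append(hdr, tag...), payload...)
}

// AhVerify checks the ICV over header || payload and returns the payload.
func AhVerify(wire []byte) ([]byte, error) {
	if len(wire) < 8+icvLen {
		return nil, errors.New("truncated packet")
	}
	hdr, tag, payload := wire[:8], wire[8:8+icvLen], wire[8+icvLen:]
	if !hmac.Equal(tag, icv(append(append([]byte(nil), hdr...), payload...))) {
		return nil, errors.New("integrity check failed")
	}
	return payload, nil
}

// PayloadVisible reports whether the cleartext payload appears verbatim on the wire.
func PayloadVisible(wire, payload []byte) bool { return bytes.Contains(wire, payload) }

func main() {
	payload := []byte("GET /payroll HTTP/1.1") // constructed inner data
	esp, _ := EspProtect(1, payload)
	ah := AhProtect(1, payload)
	fmt.Println("ESP payload visible on the wire:", PayloadVisible(esp, payload))
	fmt.Println("AH payload visible on the wire: ", PayloadVisible(ah, payload))
	esp[8+aes.BlockSize] ^= 0x01 // flip one ciphertext bit in flight
	_, err := EspUnprotect(esp)
	fmt.Println("ESP after tampering:", err)
}
```

Both formats share the SPI and sequence number prefix and the same HMAC, which is why AH and ESP are described as using HMAC for their authentication and integrity check; only ESP wraps the payload in a cipher, which is what makes ESP the protocol of choice when confidentiality is required.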
