Email Security

Post on 02-Jan-2016


Transcript of Email Security

IT352 | Network Security | Najwa AlGhamdi

Email Security

IPsec 1

* Essential Network Security Book Slides.

IP Security

• have a range of application specific security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS

• however there are security concerns that cut across protocol layers

• would like security implemented by the network for all applications

IP Security

• general IP Security mechanisms

• provides
– authentication
– confidentiality
– key management

• applicable to use over LANs, across public & private WANs, & for the Internet

IP Security Uses

Benefits of IPSec

1. IPsec in a firewall/router provides strong security to all traffic crossing the perimeter

2. IPsec in a firewall/router is resistant to bypass

3. is below transport layer, hence transparent to applications

4. can be transparent to end users

5. can provide security for individual users

IPSec Services

1. Access control
2. Connectionless integrity
3. Data origin authentication
4. Confidentiality (encryption)

Two protocols are used to provide security:

5. an authentication protocol designated by the header of the protocol, Authentication Header (AH);

6. and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP)

• Both AH & ESP support two modes of use: Transport and Tunnel mode.

Transport and Tunnel Modes

• Transport Mode
– to encrypt & optionally authenticate IP data (payload).
– When AH is used: IP payload and a selected portion of the header will be authenticated.
– When ESP is used: IP payload will be encrypted.
– When ESP with authentication is used: IP payload will be encrypted and authenticated.

Transport and Tunnel Modes

• Tunnel Mode
– encrypts entire IP packet
– adds new header for next hop.
– When AH is used: authenticate the entire inner header + inner payload + a selected portion of the outer header.
– When ESP is used: entire inner IP packet will be encrypted.
– When ESP with authentication is used: entire inner IP packet will be encrypted and authenticated.

IPSec Modes of Operation

• Transport Mode: protect the upper layer protocols

[Figure: Original IP Datagram (IP Header | TCP Header | Data) and Transport Mode protected packet (IP Header | IPSec Header | TCP Header | Data); the TCP header and data are marked as protected]

• Tunnel Mode: protect the entire IP payload

[Figure: Tunnel Mode protected packet (New IP Header | IPSec Header | Original IP Header | TCP Header | Data); the original IP header, TCP header and data are marked as protected]

Tunnel Mode

• Host-to-Network, Network-to-Network

[Figure: Host A and Host B, each with Application Layer, Transport Layer and IP Layer, connected through security gateways (SG) across the Internet; IPSec sits in the IP Layer of each SG and the data between the gateways is marked as protected. SG = Security Gateway]

Transport Mode

• Host-to-Host

[Figure: Host A and Host B, each with Application Layer, Transport Layer, IP Layer and Data Link Layer; IPSec sits in the IP Layer of each host]

Security Associations

• a one-way relationship between sender & receiver that affords security for traffic flow

• defined by 3 parameters:
– Security Parameters Index (SPI)
– IP Destination Address
– Security Protocol Identifier

• have a database of Security Associations

Security Policy Database

• relates IP traffic to specific SAs
– match subset of IP traffic to relevant SA
– use selectors to filter outgoing traffic to map
– based on: local & remote IP addresses, next layer protocol, name, local & remote ports
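As an added example (not from the slides), a small Python model of the outbound lookup described above: SPD selectors pick the policy for a packet, and the SA to apply is then found in the SA database by its three parameters (SPI, destination address, protocol). Addresses, SPIs and the policy table are constructed; the class and function names are hypothetical.

```python
# Added example: model of IPsec outbound processing (SPD -> SAD lookup).
# Constructed for illustration; not from the slides. Names are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ESP, AH = 50, 51  # IP protocol numbers of the two IPsec protocols


@dataclass(frozen=True)
class SA:
    """One-way Security Association; the triple (spi, dst, protocol) identifies it."""
    spi: int
    dst: str
    protocol: int   # ESP or AH
    mode: str       # "transport" or "tunnel"


@dataclass
class Selector:
    """SPD entry: local/remote address ranges, next-layer protocol, remote port.
    None means wildcard. action is PROTECT, BYPASS or DISCARD."""
    local: str
    remote: str
    next_proto: Optional[int] = None
    remote_port: Optional[int] = None
    action: str = "PROTECT"
    sa: Optional[tuple] = None   # (spi, dst, protocol) of the SA to apply

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.local)
                and ip_address(pkt["dst"]) in ip_network(self.remote)
                and self.next_proto in (None, pkt["proto"])
                and self.remote_port in (None, pkt.get("dport")))


def outbound(pkt: dict, spd: list, sad: dict) -> str:
    """First-match SPD lookup; for PROTECT, the SAD is keyed by the SA triple."""
    for sel in spd:
        if sel.matches(pkt):
            if sel.action != "PROTECT":
                return sel.action
            sa = sad.get(sel.sa)
            if sa is None:
                return "NEGOTIATE"   # policy names an SA that key management must still set up
            proto = "ESP" if sa.protocol == ESP else "AH"
            return f"PROTECT {sa.mode} {proto} spi=0x{sa.spi:08x}"
    return "DISCARD"   # no matching policy: default deny


# Constructed sample tables for a gateway protecting 10.0.0.0/8 (addresses are documentation ranges).
SAD = {(0x1000, "203.0.113.2", ESP): SA(0x1000, "203.0.113.2", ESP, "tunnel"),
       (0x2000, "192.0.2.10", AH): SA(0x2000, "192.0.2.10", AH, "transport")}
SPD = [Selector("10.0.0.0/8", "198.51.100.0/24", sa=(0x1000, "203.0.113.2", ESP)),
       Selector("10.0.0.0/8", "192.0.2.10/32", next_proto=6, remote_port=22, sa=(0x2000, "192.0.2.10", AH)),
       Selector("10.0.0.0/8", "0.0.0.0/0", next_proto=17, remote_port=53, action="BYPASS")]
```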


IP Traffic Processing
