Email Security


Page 1: Email Security

IT352 | Network Security | Najwa AlGhamdi

Email Security

IPsec 1

* Essential Network Security Book Slides.

Page 2: Email Security

IP Security

• have a range of application specific security mechanisms

– eg. S/MIME, PGP, Kerberos, SSL/HTTPS

• however there are security concerns that cut across protocol layers

• would like security implemented by the network for all applications

Page 3: Email Security

IP Security

• general IP Security mechanisms

• provides

– authentication

– confidentiality

– key management

• applicable to use over LANs, across public & private WANs, & for the Internet

Page 4: Email Security

IP Security Uses

Page 5: Email Security

Benefits of IPSec

1. IPsec in a firewall/router provides strong security to all traffic crossing the perimeter

2. IPsec in a firewall/router is resistant to bypass

3. is below transport layer, hence transparent to applications

4. can be transparent to end users

5. can provide security for individual users

Page 6: Email Security

IPSec Services

1. Access control

2. Connectionless integrity

3. Data origin authentication

4. Confidentiality (encryption)

Two protocols are used to provide security:

5. an authentication protocol designated by the header of the protocol, Authentication Header (AH);

6. and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP)

• Both AH & ESP support two modes of use: Transport and Tunnel mode.

Page 7: Email Security

Transport and Tunnel Modes

• Transport Mode

– to encrypt & optionally authenticate IP data (payload).

– When AH is used: IP payload and a selected portion of the header will be authenticated.

– When ESP is used: IP payload will be encrypted.

– When ESP with authentication is used: IP payload will be encrypted and authenticated.

Page 8: Email Security

Transport and Tunnel Modes

• Tunnel Mode

– encrypts entire IP packet

– add new header for next hop.

– When AH is used: authenticate the entire inner header + inner payload + a selected portion of the outer header.

– When ESP is used: entire inner IP packet will be encrypted.

– When ESP with authentication is used: entire inner IP packet will be encrypted and authenticated.
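The two AH cases above ("selected portion of the header" in transport mode, "entire inner header + a selected portion of the outer header" in tunnel mode) can be made concrete in code. The following Python is an added example, not part of the slides or their source book: it builds an AH-protected packet in each mode, computes the Integrity Check Value with HMAC-SHA-256-128 (RFC 4868) over the outer header with its mutable fields zeroed (RFC 4302 Appendix A), and then shows which single-byte changes a receiver tolerates (a router decrementing the outer TTL) and which it rejects (payload tampering, or any change to the inner header in tunnel mode). The addresses, key, SPIs and TCP segment are constructed sample values.

```python
"""Added example: which bytes the Authentication Header (AH) covers in
transport and tunnel mode. Constructed addresses, key, SPIs and payload."""
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number carried in the outer header when AH is used
TCP_PROTO = 6
IPIP_PROTO = 4         # AH Next Header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16           # HMAC-SHA-256-128 (RFC 4868): MAC truncated to 128 bits
KEY = b"constructed-demo-key"   # constructed; a real SA key would be negotiated by IKE


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header. Checksum left 0: it is mutable and never covered."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr):
    """RFC 4302 Appendix A: TOS/DSCP, flags + fragment offset, TTL and checksum may
    change in transit, so they are zeroed before the ICV is computed. Addresses,
    protocol, total length and identification stay and are therefore authenticated."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv):
    """AH: Next Header, Payload Len (AH length in 32-bit words minus 2), Reserved,
    SPI, Sequence Number, then the ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def ah_icv(key, outer_ip, ah_with_zero_icv, rest):
    data = zero_mutable_fields(outer_ip) + ah_with_zero_icv + rest
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, outer_ip, next_hdr, spi, seq, rest):
    """Sender: outer_ip | AH | rest, ICV over all three (outer header with mutable
    fields zeroed, AH with its ICV field zeroed, and everything after the AH)."""
    blank = ah_header(next_hdr, spi, seq, bytes(ICV_LEN))
    return outer_ip + ah_header(next_hdr, spi, seq, ah_icv(key, outer_ip, blank, rest)) + rest


def ah_verify(key, packet):
    """Receiver: recompute the ICV and compare it in constant time."""
    outer_ip = packet[:20]
    if len(packet) < 20 or outer_ip[9] != AH_PROTO:
        return False
    ah_len = (packet[21] + 2) * 4
    ah, rest = packet[20:20 + ah_len], packet[20 + ah_len:]
    blank = ah[:-ICV_LEN] + bytes(ICV_LEN)
    return hmac.compare_digest(ah[-ICV_LEN:], ah_icv(key, outer_ip, blank, rest))


# Constructed sample: hosts, security gateways, and a TCP SYN to port 443 carrying "hello"
HOST_A, HOST_B = bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20])
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
TCP_SEGMENT = bytes.fromhex("c00001bb00000001000000005002ffff00000000") + b"hello"
AH_LEN = 12 + ICV_LEN


def transport_mode_packet(seq=1):
    """Host-to-host: the original IP header stays outermost, AH is inserted between
    it and the TCP segment, and the protocol field now reads 51 (AH)."""
    outer = ipv4_header(HOST_A, HOST_B, AH_PROTO, AH_LEN + len(TCP_SEGMENT))
    return ah_protect(KEY, outer, TCP_PROTO, 0x1000, seq, TCP_SEGMENT)


def tunnel_mode_packet(seq=1):
    """Gateway-to-gateway: the whole original datagram (header included) becomes
    the payload behind a new outer header addressed between the gateways."""
    inner = ipv4_header(HOST_A, HOST_B, TCP_PROTO, len(TCP_SEGMENT)) + TCP_SEGMENT
    outer = ipv4_header(GW_A, GW_B, AH_PROTO, AH_LEN + len(inner))
    return ah_protect(KEY, outer, IPIP_PROTO, 0x2000, seq, inner)


def with_byte(packet, offset, value):
    """Copy of packet with one byte changed (a router decrementing TTL, or tampering)."""
    p = bytearray(packet)
    p[offset] = value
    return bytes(p)


def demo():
    t, u = transport_mode_packet(), tunnel_mode_packet()
    inner_ttl = 20 + AH_LEN + 8      # offset of the inner header's TTL in the tunnel packet
    return {
        "transport_ok": ah_verify(KEY, t),
        "transport_outer_ttl_decremented": ah_verify(KEY, with_byte(t, 8, 63)),   # mutable: accepted
        "transport_payload_tampered": ah_verify(KEY, with_byte(t, len(t) - 1, ord("!"))),
        "tunnel_ok": ah_verify(KEY, u),
        "tunnel_outer_ttl_decremented": ah_verify(KEY, with_byte(u, 8, 63)),      # mutable: accepted
        "tunnel_inner_ttl_changed": ah_verify(KEY, with_byte(u, inner_ttl, 63)),   # inner header fully covered
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'accepted' if ok else 'rejected'}")
```

The asymmetry is the point of the slides: in transport mode the TTL change is accepted because the one header AH sees is the outer one and its TTL is mutable, whereas in tunnel mode the same TTL byte of the inner header is ordinary payload from AH's point of view and any change to it is rejected.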

Page 9: Email Security

IPSec Modes of Operation

• Transport Mode: protect the upper layer protocols

• Tunnel Mode: protect the entire IP payload

Figure: original IP datagram (IP Header | TCP Header | Data); Transport Mode protected packet (IP Header | IPSec Header | TCP Header | Data, with the TCP header and data marked as protected); Tunnel Mode protected packet (New IP Header | IPSec Header | Original IP Header | TCP Header | Data, with the original IP header, TCP header and data marked as protected).

Page 10: Email Security

Tunnel Mode

• Host-to-Network, Network-to-Network

Figure: Host A and Host B, each with Application, Transport and IP layers, pass plain IP traffic to their Security Gateway (SG); IPsec is applied at the IP layer of each SG, and the protected data crosses the Internet between the two gateways.

SG = Security Gateway

Page 11: Email Security

Transport Mode

• Host-to-Host

Figure: Host A and Host B, each with Application, Transport, IP and Data Link layers; IPsec is applied at the IP layer of each host, so protection runs end to end.

Page 12: Email Security

Security Associations

• a one-way relationship between sender & receiver that affords security for traffic flow

• defined by 3 parameters:

– Security Parameters Index (SPI)

– IP Destination Address

– Security Protocol Identifier

• have a database of Security Associations

Page 13: Email Security

Security Policy Database

• relates IP traffic to specific SAs

• match subset of IP traffic to relevant SA

• use selectors to filter outgoing traffic to map

• based on: local & remote IP addresses, next layer protocol, name, local & remote ports
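The relationship between the Security Association database (slide 12) and the Security Policy Database (slide 13) is easiest to see in code. The following Python is an added example, not part of the slides or their source book: an SPD whose entries carry the selectors listed above (local and remote addresses, next layer protocol, local and remote ports; the name selector is omitted) and a PROTECT, BYPASS or DISCARD action, consulted in order for outbound packets, and an SA database keyed by the three SA parameters (SPI, IP destination address, security protocol identifier), consulted for inbound AH/ESP packets. Networks, SPIs and policies are constructed sample values.

```python
"""Added example: SPD selectors choosing an SA for outbound traffic, and the
three-parameter SA lookup on the inbound side. All values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None   # wildcard for a selector the policy does not constrain


@dataclass(frozen=True)
class SecurityAssociation:
    """One-way SA, identified by SPI + IP destination address + security protocol."""
    spi: int
    dst: str
    protocol: str        # "AH" or "ESP": the Security Protocol Identifier
    mode: str            # "transport" or "tunnel"

    @property
    def key(self):
        return (self.spi, self.dst, self.protocol)


@dataclass(frozen=True)
class PolicyEntry:
    """SPD entry: selectors plus the action to take for matching traffic."""
    local_net: str
    remote_net: str
    next_proto: Optional[int] = ANY
    local_port: Optional[int] = ANY
    remote_port: Optional[int] = ANY
    action: str = "PROTECT"            # PROTECT, BYPASS or DISCARD
    sa: Optional[SecurityAssociation] = None

    def matches(self, pkt):
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.local_net):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.remote_net):
            return False
        for selector, name in ((self.next_proto, "proto"), (self.local_port, "sport"), (self.remote_port, "dport")):
            if selector is not ANY and pkt.get(name) != selector:
                return False
        return True


def outbound_lookup(spd, pkt):
    """Outbound: the first SPD entry whose selectors match wins (the SPD is ordered).
    Traffic matching no entry is discarded, as RFC 4301 requires."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action, entry.sa
    return "DISCARD", None


def inbound_lookup(sad, spi, dst, protocol):
    """Inbound: the receiver identifies the SA from the packet alone (SPI in the
    AH/ESP header, outer destination address, protocol number); no SA, no decryption."""
    return sad.get((spi, dst, protocol))


# Constructed sample: site 10.0.1.0/24 behind gateway 192.0.2.1 reaches site 10.0.2.0/24
# behind gateway 198.51.100.1 through an ESP tunnel; DNS to the local resolver bypasses IPsec.
SA_OUT = SecurityAssociation(spi=0x2000, dst="198.51.100.1", protocol="ESP", mode="tunnel")
SA_IN = SecurityAssociation(spi=0x3000, dst="192.0.2.1", protocol="ESP", mode="tunnel")
SAD = {sa.key: sa for sa in (SA_OUT, SA_IN)}
SPD = [
    PolicyEntry("10.0.1.0/24", "10.0.1.53/32", next_proto=17, remote_port=53, action="BYPASS"),
    PolicyEntry("10.0.1.0/24", "10.0.2.0/24", action="PROTECT", sa=SA_OUT),
    PolicyEntry("0.0.0.0/0", "0.0.0.0/0", action="DISCARD"),
]


def demo():
    https_to_branch = {"src": "10.0.1.10", "dst": "10.0.2.20", "proto": 6, "sport": 49152, "dport": 443}
    dns_query = {"src": "10.0.1.10", "dst": "10.0.1.53", "proto": 17, "sport": 40000, "dport": 53}
    to_internet = {"src": "10.0.1.10", "dst": "203.0.113.7", "proto": 6, "sport": 40001, "dport": 80}
    return {
        "https_to_branch": outbound_lookup(SPD, https_to_branch),
        "dns_query": outbound_lookup(SPD, dns_query),
        "to_internet": outbound_lookup(SPD, to_internet),
        # inbound ESP packet arriving at our gateway with SPI 0x3000
        "inbound_known": inbound_lookup(SAD, 0x3000, "192.0.2.1", "ESP"),
        # same SPI and address but AH: a different SA, and none is installed
        "inbound_unknown": inbound_lookup(SAD, 0x3000, "192.0.2.1", "AH"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

The inbound lookup is why the SA is defined as one-way and why the SPI alone is not enough: the same SPI value may be in use for an AH SA and an ESP SA, or towards different destinations, and the receiver disambiguates with the other two parameters before it touches the payload.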

Page 14: Email Security


IP Traffic Processing

Page 15: Email Security


IP Traffic Processing