IPSec in a Multi-OS Environment
What is IPSec?
• IPSec stands for Internet Protocol Security
• At its most basic level, it is a way of adding security (authentication, integrity and confidentiality) to network traffic at the IP layer, without having to modify the applications that use IP
Why is IPSec needed?
• IPSec is needed to make sure that no one else can read your private data while it is in transit (confidentiality).
• It makes sure that the sender of the information really is who they claim to be, and that the data was not altered on the way (authentication and integrity).
• To protect us from the bad guys (l33t h4X0r5 and 5cr1pt K1d135).
Where is IPSec Used?
• Wireless nets
• Virtual Private Networks (VPNs)
• Non-trusted Local Area Networks (LANs)
IP Overview
• How IP Works
– Basics
– Parts of a Packet
• What is Insecure About it
IP Basics
• The IP protocol breaks down information that is to be sent out into small manageable pieces called packets
• Packets are reassembled at the receiving side
Parts of an IP Packet
• Two Major Parts
– Header
– Data Section
Parts of the Header
• Source Address
• Destination Address
• Protocol
• Flags and Fragment Offset
• Total Length
• Type of Service
• Header Checksum (catches accidental corruption only; anyone who alters the packet can simply recompute it)
• And more…
Data Section
• This portion holds all of the data that you are trying to transmit
What is insecure about IP
• Traffic is in many cases sent in plain text, so anyone on the path can read it.
• No verification that the sender is who they claim to be (source addresses are trivially forged).
• No way of knowing if your packet was modified in the middle (the header checksum only detects accidental errors; an attacker just recomputes it).
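The following parser is an added example (not part of the original slides): it splits an IPv4 packet into the header fields named above and its data section, validates the header checksum, and then shows why that checksum is no defence against a deliberate attacker by rewriting the source address and recomputing it. All packets are constructed inline by build_ipv4(); the addresses, payloads and identification values are made up for the demo.

```python
"""IPv4 header parser and checksum check (added example, not from the slides).
Packets are constructed by build_ipv4(); addresses and payloads are made up."""
import struct

IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")   # the 20-byte fixed header, network byte order


def ip_checksum(data):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234):
    """Construct a minimal IPv4 packet (no options, DF flag set) with a valid checksum."""
    hdr = bytearray(IPV4_FIXED.pack(0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                                    bytes(map(int, src.split("."))),
                                    bytes(map(int, dst.split(".")))))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def parse_ipv4(packet):
    """Split a packet into the header fields named on the slide plus its data section."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto, _hcs, src, dst) = IPV4_FIXED.unpack_from(packet)
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 packet")
    return {
        "version": version, "header_length": ihl, "type_of_service": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "protocol": proto,
        "source": ".".join(map(str, src)), "destination": ".".join(map(str, dst)),
        # a header that includes its own checksum sums to 0xFFFF, so the complement is 0
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "data": packet[ihl:total_len],
    }


def spoof_source(packet, new_src):
    """What anyone in the middle can do to plain IP: change the source address and
    recompute the checksum, leaving the receiver nothing to notice."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[12:16] = bytes(map(int, new_src.split(".")))
    hdr[10:12] = b"\x00\x00"                 # the checksum is computed with its field zeroed
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.1", "10.0.0.2", 6, b"hello")
    print(parse_ipv4(pkt))
    print(parse_ipv4(spoof_source(pkt, "192.0.2.9"))["checksum_ok"])   # still passes
```

Flipping a single byte (for example the TTL) makes checksum_ok false, which is the accidental-corruption case the checksum was designed for; the spoofed packet passes every check a plain IP receiver can make, which is the gap AH and ESP close.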
What IPSec does.
• Authentication
• Encryption
• With two major modes
– Tunnel
– Transport
• Using one of three protocol combinations
– AH
– ESP
– AH + ESP
Authentication
• An Authentication Header (AH) is inserted after the IP header
• The AH contains the fields
– Next Header
– AH payload length
– Security Parameters Index (SPI), which identifies the Security Association and so the key and algorithm to use
– Anti-Replay Sequence Number
– Authentication Data field (a keyed hash such as HMAC-MD5-96 or HMAC-SHA-1-96 over the packet; its length depends on the algorithm used)
• AH authenticates the IP header as well as the payload (mutable fields such as TTL are zeroed for the computation), so AH packets fail their integrity check when a NAT rewrites the addresses; AH provides no encryption
Encryption
• The encryption part of IPSec is known as Encapsulating Security Payload (ESP); ESP can also carry its own authentication data, so it is often used without AH
• The ESP portion of the packet contains
– SPI
– Sequence Number
– Payload Data field
– Padding
– Pad Length
– Next Header
– Authentication Data (optional; present when ESP authentication is in use)
Tunnel mode (AH + ESP)
IP Header (new outer header, addressed to the IPSec gateways)
AH Header
ESP Header (SPI and Sequence Number)
IP Header (original inner header) [encrypted]
Upper Protocol Headers and Packet Data [encrypted]
ESP Trailer (Padding, Pad Length, Next Header) [encrypted]
ESP Authentication Data
Note: fields marked [encrypted] were shown in green on the original slide; everything before the ESP payload, and the ESP Authentication Data, travels in the clear.
Transport mode (AH + ESP)
IP Header (the original header, addressed to the end hosts)
AH Header
ESP Header (SPI and Sequence Number)
Upper Protocol Headers and Packet Data [encrypted]
ESP Trailer (Padding, Pad Length, Next Header) [encrypted]
ESP Authentication Data
Note: fields marked [encrypted] were shown in green on the original slide; the IP header stays visible, which is why transport mode hides the data but not who is talking to whom.
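As an added example, not from the original slides, the code below builds and parses ESP packets with the fields from the ESP slide and the two mode layouts above, using ESP-NULL (RFC 2410, no encryption) with HMAC-SHA-1-96 (RFC 2404) so it runs with the Python standard library alone: the header (SPI, Sequence Number), payload, trailer (padding, pad length, next header) and authentication data are all produced and checked, and a receiver-side anti-replay window in the style of RFC 2401 Appendix C shows what the sequence number is for. The key, SPI values and packet contents are constructed for the demo; with a real cipher the payload and trailer would be the encrypted fields marked above.

```python
"""ESP-NULL + HMAC-SHA-1-96 packet construction, verification and anti-replay
window (added example, not from the slides).  Keys, SPIs and packet contents
are constructed test values."""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # Security Parameters Index, Sequence Number
ICV_LEN = 12                     # HMAC-SHA-1-96: 20-byte SHA-1 tag truncated to 96 bits
IPPROTO_IPIP = 4                 # Next Header in tunnel mode: payload is a whole IPv4 packet
IPPROTO_TCP = 6                  # Next Header in transport mode carrying TCP


def esp_null_encapsulate(spi, seq, payload, next_header, auth_key):
    """Header | Payload Data | Padding | Pad Length | Next Header | Authentication Data.
    The NULL cipher encrypts nothing, so the trailer stays visible on the wire and
    ESP provides integrity and origin authentication only."""
    pad_len = (-(len(payload) + 2)) % 4             # RFC 2410: align to 4 bytes
    padding = bytes(range(1, pad_len + 1))          # RFC 2406 default pad bytes 1, 2, 3, ...
    body = ESP_HDR.pack(spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # ICV covers SPI..Next Header
    return body + icv


def esp_null_decapsulate(packet, auth_key):
    """Verify the ICV first, then trust the trailer; returns (spi, seq, next_header, payload)."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # constant-time comparison
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    spi, seq = ESP_HDR.unpack_from(body)
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if payload_end < ESP_HDR.size:
        raise ValueError("bad pad length")
    return spi, seq, next_header, body[ESP_HDR.size:payload_end]


class ReplayWindow:
    """Receiver-side sliding window (RFC 2401 Appendix C style), 64 packets by default.
    Bit i of bitmap set means sequence number (last_seq - i) was already accepted."""

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """True if seq is fresh (and records it), False if replayed or too old."""
        if seq == 0:                       # counters start at 1; 0 is never valid
            return False
        if seq > self.last_seq:            # newer than anything seen: slide the window
            shift = seq - self.last_seq
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:              # older than the window: drop
            return False
        if self.bitmap & (1 << diff):      # already seen: replay
            return False
        self.bitmap |= 1 << diff           # late but new: accept once
        return True


def demo():
    """Round-trip a transport-mode and a tunnel-mode packet, then show tampering
    and replay being rejected.  Returns the outcomes so they can be checked."""
    key = b"constructed-auth-key-not-for-real-use"
    # transport mode: payload is the upper-layer header plus data (constructed TCP segment)
    tcp_segment = bytes.fromhex("0050 04d2 0000 0001 0000 0000 5002 2000 0000 0000") + b"GET / HTTP/1.0\r\n"
    transport = esp_null_encapsulate(0x1000, 1, tcp_segment, IPPROTO_TCP, key)
    # tunnel mode: payload is the entire original IP packet (constructed), Next Header = 4
    inner_ip = bytes.fromhex("4500 001c 0001 4000 4006 0000 0a00 0001 0a00 0002") + b"data"
    tunnel = esp_null_encapsulate(0x2000, 1, inner_ip, IPPROTO_IPIP, key)
    tampered = bytearray(transport)
    tampered[9] ^= 0x01                            # flip one payload bit in flight
    try:
        esp_null_decapsulate(bytes(tampered), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    window = ReplayWindow()
    first = window.check_and_update(esp_null_decapsulate(transport, key)[1])
    replay = window.check_and_update(esp_null_decapsulate(transport, key)[1])
    return {
        "transport": esp_null_decapsulate(transport, key),
        "tunnel_next_header": esp_null_decapsulate(tunnel, key)[2],
        "tamper_detected": tamper_detected,
        "first_accepted": first,
        "replay_accepted": replay,
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations in esp_null_decapsulate matters: the ICV is checked before the pad length or next header are read, so a forged trailer cannot steer the parser, and the comparison is constant-time. The window accepts late packets once and rejects anything older than 64 behind the newest, which is why the sequence counter must never wrap on a live SA.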
Keying
• Both the encryption and the authentication algorithms that IPSec uses rely on shared keys, one set per Security Association
• Methods for getting keys
– Manual Keying (keys typed into both ends; never rotated automatically)
– Internet Security Association and Key Management Protocol (ISAKMP), the framework IKE uses to negotiate Security Associations and derive fresh keys
– Certificates (X.509 certificates authenticate the ISAKMP/IKE peers instead of a pre-shared secret)
Why Doesn’t Everyone Use It?
• Implementations for different operating systems are not fully compatible
• Takes time and energy to setup
• Not needed in most environments
Multiple Operating Systems
• Solaris
– Only supports Manual Keying
– Does not ship with encryption algorithms
• Linux
– No native IPSec (native support was added later, in Linux 2.6)
– FreeS/WAN: Manual, ISAKMP, and Certs
• OpenBSD: Manual, ISAKMP, and Certs
• Windows 2000: ISAKMP and Certs
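To make the Keying slide and the Linux/FreeS/WAN line concrete, here is an added example (not from the original slides, and not FreeS/WAN's own documentation) of the two keying styles side by side in a FreeS/WAN ipsec.conf. The syntax follows the FreeS/WAN ipsec.conf(5) man page as I recall it, with certificate support as provided by the X.509 patch; the addresses, subnets, identities, certificate file name and the hex keys are placeholders and must not be reused.

```conf
# /etc/ipsec.conf on the "left" gateway (added example; placeholders throughout)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

# Manual keying: every value, keys included, is typed into both ends' files.
# The keys never change until someone edits them, so one captured key exposes
# all past and future traffic on this SA.  This is the only option the Solaris
# line on the slide leaves you with.
conn manual-sample
        type=tunnel
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        leftnexthop=192.0.2.254
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        rightnexthop=198.51.100.254
        spibase=0x200
        esp=3des-md5-96
        # placeholder keys: 24 bytes for 3DES, 16 bytes for HMAC-MD5
        espenckey=0x0001020304050607_08090a0b0c0d0e0f_1011121314151617
        espauthkey=0x00112233445566778899aabbccddeeff
        auto=manual

# Automatic keying: ISAKMP/IKE negotiates the SAs, derives fresh session keys
# and rekeys before the sequence counters wrap.  Peers authenticate with RSA
# signatures over X.509 certificates, so no secret is shared out of band.
conn ike-cert-sample
        type=tunnel
        keyexchange=ike
        authby=rsasig
        left=192.0.2.1
        leftsubnet=10.1.0.0/16
        leftid="C=US, O=Example Corp, CN=gw-left.example.com"
        leftcert=gw-left.pem
        leftrsasigkey=%cert
        right=198.51.100.1
        rightsubnet=10.2.0.0/16
        rightid="C=US, O=Example Corp, CN=gw-right.example.com"
        rightrsasigkey=%cert
        auto=start
```

The manual connection is brought up with ipsec manual --up manual-sample and the IKE one with ipsec auto --up ike-cert-sample. Two practitioner caveats: the AH and ESP RFCs of that generation say an implementation should not provide anti-replay service for manually keyed SAs, because the counter cannot be reset by rekeying, so manual keying loses the sequence-number protection as well as forward secrecy; and the "not fully compatible" point from the previous slide is mostly a configuration problem, since OpenBSD and Windows 2000 express the same ISAKMP proposal (cipher, hash, Diffie-Hellman group, lifetimes) in their own syntax, and a mismatch in any one of them makes the negotiation fail.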
IPSec Graph (this slide contained only a figure, which is not reproduced in the transcript)
Questions?