overview of ip_security by jetarvind kumar madhukar
![Page 1: Overview of ip_security by JetArvind kumar Madhukar](https://reader034.vdocuments.us/reader034/viewer/2022042701/55a6111f1a28ab3e5c8b4782/html5/thumbnails/1.jpg)
Internet Protocol Security
An Overview of IPSec
Outline:
♦ What Security Problem?
♦ Understanding TCP/IP.
♦ Security at What Level?
♦ IP Security.
♦ IPSec Security Services.
♦ Modes of operation.
♦ IPSec Security Protocols.
♦ Outbound/Inbound IPSec Processing.
♦ Real World Deployment Examples.
What Security Problem?
Today's Internet is primarily comprised of:
♦ Public
♦ Un-trusted
♦ Unreliable IP networks
Because of this inherent lack of security, the Internet is subject to various types of threats…
Internet Threats
♦ Data integrity: the contents of a packet can be accidentally or deliberately modified.
♦ Identity spoofing: the origin of an IP packet can be forged.
♦ Replay attacks: captured packets can be retransmitted by an unauthorized party.
♦ Loss of privacy: the contents of a packet can be examined in transit.
Understanding TCP/IP: OSI Reference Model
(Diagram: the seven OSI layers alongside the TCP/IP components that occupy them.)
Application, Presentation and Session Layers: Application protocols (HTTP, SMTP, FTP, SNMP, NFS, DNS)
Transport Layer: TCP, UDP
Network Layer: IP
Logical Link and Physical Layers: Network Adapter, Device Driver
Understanding TCP/IP: Encapsulation of Data for Network Delivery
(Diagram, built up over several slides: each layer prepends its own header to what it receives from the layer above.)
Application Layer: Original Message
Transport Layer (TCP, UDP): Header 3 | Data 3
Network Layer (IP): Header 2 | Data 2
Data Link Layer: Header 1 | Data 1
Understanding TCP/IP: Packet in Transit
(Diagram: the Data Link Layer frame Header 1 | Data 1 is the packet sent by Host A; an intermediary router receives it and processes it only up to the Network Layer before forwarding; Host B receives the same packet.)
Understanding TCP/IP: De-capsulation of Data from Network Delivery
(Diagram, built up over several slides: each layer strips its own header and hands the remainder to the layer above.)
Data Link Layer: Header 1 | Data 1, Header 1 removed, Data 1 passed up
Network Layer (IP): Header 2 | Data 2, Header 2 removed, Data 2 passed up
Transport Layer (TCP, UDP): Header 3 | Data 3, Header 3 removed, Data 3 passed up
Application Layer: Original Message
Security at What Level?
Application Layer: PGP, Kerberos, SSH, etc.
Transport Layer: Transport Layer Security (TLS)
Network Layer: IP Security
Data Link Layer: Hardware encryption
Security at Application Layer
(PGP, Kerberos, SSH, etc.)
♦ Implemented in end-hosts
♦ Advantages
- Extend application without involving operating system.
- Application can understand the data and can provide the appropriate security.
♦ Disadvantages
- Security mechanisms have to be designed independently of each application.
Security at Transport Layer
Transport Layer Security (TLS)
♦ Implemented in end-hosts
♦ Advantages
- Existing applications get security seamlessly
♦ Disadvantages
- Protocol specific
Security at Network Layer
IP Security (IPSec)
♦ Advantages
- Provides seamless security to application and transport layers (ULPs).
- Allows per-flow or per-connection security and thus allows for very fine-grained security control.
♦ Disadvantages
- More difficult to exercise on a per-user basis on a multi-user machine.
Security at Data Link Layer
(Hardware encryption)
♦ Need a dedicated link between hosts/routers.
♦ Advantages
- Speed.
♦ Disadvantages
- Not scalable.
- Need dedicated links.
IP Security (IPSec)
♦ IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF).
♦ Creates secure, authenticated, reliable communications over IP networks.
IPSec Security Services
♦ Connectionless integrity: assurance that received traffic has not been modified. Integrity includes anti-replay defenses.
♦ Data origin authentication: assurance that traffic is sent by the legitimate party or parties.
♦ Confidentiality (encryption): assurance that a user's traffic is not examined by non-authorized parties.
♦ Access control: prevention of unauthorized use of a resource.
IPSec Modes of Operation
♦ Transport Mode: protect the upper layer protocols
Original IP Datagram: IP Header | TCP Header | Data
Transport Mode protected packet: IP Header | IPSec Header | TCP Header | Data (TCP Header and Data are protected)
♦ Tunnel Mode: protect the entire IP payload
Tunnel Mode protected packet: New IP Header | IPSec Header | Original IP Header | TCP Header | Data (Original IP Header, TCP Header and Data are protected)
Tunnel Mode
♦ Host-to-Network, Network-to-Network
(Diagram: Host A (Application Layer, Transport Layer, IP Layer) sends plain IP traffic to its SG, whose IP Layer applies IPSec; the protected data crosses the Internet to the peer SG, which removes IPSec and forwards plain IP traffic to Host B (IP Layer, Transport Layer, Application Layer).)
SG = Security Gateway
Transport Mode
♦ Host-to-Host
(Diagram: Host A and Host B each run Application Layer, Transport Layer, IP Layer with IPSec, and Data Link Layer; IPSec is applied end-to-end between the two hosts.)
IPSec Security Protocols
♦ Authentication Header (AH)
♦ Encapsulating Security Payload (ESP)
IPSec Security Protocols
♦ Authentication Header (AH) provides:
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
♦ Encapsulating Security Payload (ESP) provides:
- Confidentiality (encryption)
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
♦ Both protocols may be used alone or applied in combination with each other.
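As an added example (not code from the slides), this is the sliding-window check a receiver runs on the AH/ESP sequence number to deliver the anti-replay service listed above; the window size and sequence values are constructed. It goes slightly beyond the slides by showing how the window slides forward and why packets older than the window are refused.

```python
# Added example: sliding-window anti-replay check as used by AH and ESP.
# The window is a bitmap anchored at the highest sequence number seen so far.
class ReplayWindow:
    def __init__(self, size=64):            # 64 is a common default window size
        self.size = size
        self.top = 0                        # highest sequence number accepted so far
        self.bits = 0                       # bit i set <=> sequence (top - i) was received

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it), False if it is a replay or too old.
        In a real receiver this runs only after the integrity check (ICV) has passed,
        so that a forged packet cannot advance the window."""
        if seq == 0:                        # a sender's first valid value is 1
            return False
        if seq > self.top:                  # newer than anything seen: slide the window
            shift = seq - self.top
            if shift < self.size:
                self.bits = (self.bits << shift) & ((1 << self.size) - 1)
            else:
                self.bits = 0               # jumped past the whole window
            self.bits |= 1                  # bit 0 now represents seq itself
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:             # left of the window: too old, refuse
            return False
        if (self.bits >> offset) & 1:       # already marked: this is a replay
            return False
        self.bits |= 1 << offset            # late but unseen packet inside the window
        return True
```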
Outbound/Inbound IPSec Processing
♦ The inbound and the outbound IPSec processing are completely independent.
Outbound IPSec Processing
(Diagram: the packet's selector is looked up in the SPD, which holds the IPSec policies; the lookup yields one of the actions below, and for action 3 the SAout is taken from the SAD.)
1. Drop the packet.
2. Bypass IPSec.
3. Apply IPSec.
SPD = Security Policy Database
SAD = Security Association Database
SA = Security Association
Inbound IPSec Processing
Case 1: If IPSec headers exist
1. Headers are processed.
2. SPD is consulted to determine if the packet can be admitted based on the SAin.
Inbound IPSec Processing
Case 2: If IPSec headers are absent
1. SPD is consulted to determine the type of service to afford this packet.
2. If certain traffic is required to be IPSec protected and it is not, it must be dropped.
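As an added example (not code from the slides), the following toy model walks a packet through the outbound decision (drop / bypass / apply with SAout from the SAD) and through both inbound cases (IPSec headers present and checked against the SPD via SAin; headers absent where policy requires protection, so the packet is dropped). It also applies the transport and tunnel mode layouts from the Modes of Operation slide. The SPD rules, SA entries, SPI values and addresses are all constructed; a single SPD is used for both directions for brevity, where real stacks keep one per direction.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:                   # one Security Association as stored in the SAD
    spi: int                # Security Parameter Index carried in the IPSec header
    mode: str               # "transport" or "tunnel"
    tunnel_dst: str = ""    # peer security gateway address, tunnel mode only

LOCAL_SG = "203.0.113.1"    # this side's security gateway (constructed)

# SPD: ordered (selector, action, spi) rules, first match wins, None = wildcard.
# One SPD serves both directions for brevity; real stacks keep one per direction.
SPD = [
    ({"src": "10.0.0.1", "dst": "10.0.1.1", "proto": "tcp"}, "apply", 100),
    ({"src": "10.0.0.1", "dst": "10.0.1.1", "proto": None}, "apply", 200),
    ({"src": None, "dst": "10.0.1.53", "proto": "udp"}, "bypass", None),
    ({"src": None, "dst": None, "proto": None}, "drop", None),
]
SAD = {100: SA(100, "transport"), 200: SA(200, "tunnel", "203.0.113.2")}

def lookup_spd(pkt):        # match the selector (src, dst, proto) against the SPD
    for sel, action, spi in SPD:
        if all(v is None or pkt[k] == v for k, v in sel.items()):
            return action, spi
    return "drop", None     # no matching policy: discard by default

def outbound(pkt):          # drop, bypass, or apply IPSec with SAout from the SAD
    action, spi = lookup_spd(pkt)
    if action == "drop":
        return None
    if action == "bypass":
        return pkt
    sa = SAD[spi]
    if sa.mode == "transport":   # [IP][IPSec][TCP][Data]: original IP header kept
        return {**pkt, "ipsec": spi}
    # tunnel: [New IP][IPSec][Orig IP][TCP][Data], whole datagram is the payload
    return {"src": LOCAL_SG, "dst": sa.tunnel_dst, "proto": "esp", "ipsec": spi, "inner": pkt}

def inbound(pkt):           # case 1: IPSec headers present; case 2: headers absent
    spi = pkt.get("ipsec")
    if spi is not None:
        sa = SAD.get(spi)
        if sa is None:
            return None                          # no SAin in the SAD: drop
        inner = pkt["inner"] if sa.mode == "tunnel" else {k: v for k, v in pkt.items() if k != "ipsec"}
        action, want = lookup_spd(inner)         # SPD must expect this SA for the flow
        return inner if action == "apply" and want == spi else None
    action, _ = lookup_spd(pkt)
    return pkt if action == "bypass" else None   # protection required but absent: drop
```

A returned `None` stands for a dropped packet; note that the inbound path re-consults the SPD even after a valid SA is found, so a packet protected by the wrong SA for its flow is still refused.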
Real World Deployment Examples
♦ VPNs
♦ Wireless
(Diagram: traffic between the SG and the remote side crosses the Internet encrypted / authenticated.)
Conclusion
♦ The Internet was not created with security in mind.
♦ Communications can be altered, examined and exploited.
♦ There is a growing need to protect private information crossing the public networks that make up the Internet infrastructure.
♦ IPSec is a set of protocols and methodologies to create secure IP connections.
Questions?