IPSec VPNs by lanyuehua

IPSec VPNs

Industrial Strength Security for an Insecure World
• Companies, research institutions, and government
  organizations have long maintained private networks
  between central offices and branch offices.
• Employees/contractors want to work from home or
  external offices. Road warriors, all the way from
  salesmen to CEO’s, want to be mobile and connect to
  the home office for whatever purpose.
• There are fast, cheap, and plentiful connections to the
  Internet to be had in locations as varied as libraries,
  airports, and Starbucks.
• How do you go about securing what is basically an
  unsecured medium?
Enter VPNs
• VPNs (Virtual Private Networks) provide secure
  tunneling of communications over insecure
• Where physical private networks existed, VPNs
  are becoming commonplace not only among
  road warriors, branch offices, and central offices
  but also business-to-business partners
  exchanging data through a secure tunnel
  wrapped around the communications traffic.
VPN Topologies
• Network-to-Network
• Host-to-Network
• Host-to-Host
VPN Tunneling Technologies
• IPSec
  – IKE – Internet Key Exchange
  – ESP – Encapsulating Security Payload
  – AH – Authentication Header
• L2TP
IPSec Modes – An Overview
• The IPSec protocol suite consists of several parts that
  define two security protocols, AH and ESP.
  – ISAKMP is a framework for management of keys and
    other vital information such as security associations.
  – IKE provides the cryptographic algorithm negotiation
    and key distribution utilized by AH and ESP.
  – ESP provides data origin authentication,
    connectionless integrity, anti-replay service, and data
  – AH provides data origin authentication,
    connectionless integrity, and anti-replay service.
Security Associations
• Both AH and ESP rely on security
  associations (SAs) negotiating the
  properties of a secure connection using
• The SA holds the information negotiated
  between the two VPN participants.
ISAKMP and IKE
• ISAKMP (Internet Security Association and Key
  Management Protocol) is part of the IPSec suite
  that defines procedures for negotiation,
  establishment, modification, and deletion of SAs.
• IKE (Internet Key Exchange) is based on the
  ISAKMP framework.
• IKE consists of two different modes, or phases.
  – Phase 1 is used to establish a secure channel later
    used to protect all negotiations in Phase 2.
  – Phase 2 is used to negotiate the IPSec SAs to set up
    the IPSec tunnel to protect the communications traffic.
• ESP provides for encapsulation of the
  unprotected IP packet, its encryption, and
• Some newer IPSec implementations use
  stronger algorithms such as AES, Blowfish,
  and Twofish.
• AH allows you to check the authenticity of
  the data and the header of the IP packet
  sent to you. It does not provide a
  mechanism for data encryption, but it does
  provide a hash code that allows you to
  check whether the packet was tampered
  with along the way.
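To make the AH description above concrete, here is an added example (not code from the slides or from any IPSec implementation) that builds and verifies an AH-protected IPv4 packet with HMAC-SHA1-96 and the anti-replay sliding window; the key, addresses and SPI are constructed. It shows why a router decrementing TTL does not break the check while a changed payload does.

```python
import hmac, hashlib, struct
# Constructed example of AH (RFC 4302) with HMAC-SHA1-96; key, addresses and SPI are made up.
KEY = bytes.fromhex("0b" * 20)    # constructed 160-bit HMAC key
SPI = 0x1000                      # constructed Security Parameters Index
ICV_LEN = 12                      # HMAC-SHA1-96: HMAC output truncated to 96 bits
WINDOW = 64                       # anti-replay window size
def ipv4_header(after_ip_len, ttl=64):
    """20-byte IPv4 header, protocol 51 (AH). Checksum left 0: AH zeroes it anyway."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + after_ip_len, 1, 0, ttl, 51, 0, src, dst)
def zero_mutable(hdr):
    """Zero the fields that legitimately change in transit: TOS, flags/frag, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)
def icv(ip_hdr, ah_no_icv, payload):
    """ICV = HMAC over immutable IP fields + AH (with the ICV field zeroed) + payload."""
    data = zero_mutable(ip_hdr) + ah_no_icv + b"\0" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]
def build_ah_packet(payload, seq, next_hdr=17):
    """IPv4 | AH(next hdr, payload len, reserved, SPI, seq, ICV) | payload (UDP here)."""
    ah_no_icv = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, SPI, seq)
    ip_hdr = ipv4_header(12 + ICV_LEN + len(payload))
    return ip_hdr + ah_no_icv + icv(ip_hdr, ah_no_icv, payload) + payload

class ReplayWindow:
    """Sliding window of RFC 4302 Appendix B: bit i of bitmap marks seq top-i as seen."""
    def __init__(self):
        self.top, self.bitmap = 0, 0
    def check(self, seq):
        if seq == 0 or (seq <= self.top and self.top - seq >= WINDOW):
            return False                   # seq 0 never valid; older than the window
        return seq > self.top or not (self.bitmap >> (self.top - seq)) & 1
    def mark(self, seq):
        if seq > self.top:                 # slide the window up to the new high-water mark
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def receive(pkt, window):
    """Replay pre-check, then ICV in constant time, then mark seq. Returns (ok, reason)."""
    ip_hdr, ah_no_icv, got, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    seq = struct.unpack("!I", ah_no_icv[8:12])[0]
    if not window.check(seq):
        return False, "replay"
    if not hmac.compare_digest(got, icv(ip_hdr, ah_no_icv, payload)):
        return False, "bad ICV"
    window.mark(seq)
    return True, "ok"
```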
IP Compression
• As you might guess, all this extra security
  comes at the price of extra encapsulation
  of the IP packet.
• This translates into decreased throughput.
  IPSec seeks to overcome this problem
  with a built-in IP compression protocol.
• IPSec VPNs provide strong security for business-to-
  business and person-to-business needs. IPSec has two
  protocols, AH and ESP, that give confidentiality, integrity,
  and authentication.
• IPSec also has protocols and frameworks for key
  negotiation and data compression.
• FreeS/WAN used to be the only IPSec game in town as
  far as Linux was concerned.
• With the advent of the 2.6 kernel series, there is now
  integrated support for IPSec in the kernel in addition to
  the survivor of FreeS/WAN, OpenSWAN.