It seems like everyone I talk to is
setting up a VPN. I use VPNs at home to provide a connection to several
clients' sites. This week's newsletter will take a look at the security
protocols behind the VPN, particularly IPSEC.
IPSEC was developed by
the Internet Engineering Task Force (IETF) to address certain
vulnerabilities inherent in the popular IP protocol. Exploits in IP allowed
for eavesdropping (sniffing) and identity masking (spoofing), so it was
difficult to get guaranteed security over large networks. Prior
solutions would provide security for only specific applications (PGP for
email and SSL for web applications). IPSEC secures the network itself, so it
also secures the applications using the network. IPSEC is a set of IP
extensions that provide strong data authentication and privacy guarantees
through the use of modern encryption techniques.
To have security on your network, you need to have confidence in three factors:
1. The person you are communicating with is really that person (authentication).
2. No one can eavesdrop on your communication (confidentiality).
3. The communication that you received has not been modified in transit (integrity).
IPSEC consists of three components that provide these security functions:
Authentication Header (AH) - A signature is tied to each packet, allowing you to verify the sender's identity and the integrity of the data. Currently the MD5 and SHA-1 authentication schemes are supported.
Encapsulating Security Payload (ESP) - Uses strong encryption algorithms to encrypt the data in each packet to defeat common eavesdropping techniques. The most common encryption algorithm used by ESP is 56-bit DES, but ESP is an open protocol that allows support for most current (and even future) encryption algorithms.
Internet Key Exchange (IKE) - Allows nodes to agree on authentication methods, encryption methods, the keys to use and the keys' lifespan. IKE also provides a secure way to exchange those keys.
AH and ESP provide the means to protect data from tampering, prevent eavesdropping and verify the origin of the data. IKE provides a secure method of exchanging keys and negotiating the protocols and encryption algorithms to use. The information negotiated by IKE is stored in a Security Association (SA). The SA is like a contract laying out the rules of the VPN connection for the duration of the SA. An SA is assigned a 32-bit number that, when used in conjunction with the destination IP address, uniquely identifies the SA. This number is called the Security Parameters Index, or SPI.
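To make the AH and SPI discussion concrete, here is an added example (not code from the newsletter or from any IPSEC implementation) that builds an AH header with an HMAC-SHA1-96 integrity check value, looks the SA up by (destination IP, SPI, protocol) the way the text describes, and rejects a tampered packet, a replayed packet and an unknown SPI. The key, addresses and packet contents are constructed; for brevity the ICV covers only the AH header and payload (real AH also covers the immutable IP header fields) and the replay check is a strict sequence-number comparison rather than a sliding window.

```python
import hmac, hashlib, struct
from dataclasses import dataclass

AH_PROTO = 51     # IP protocol number for AH
ICV_LEN = 12      # HMAC-SHA1-96: 160-bit SHA-1 HMAC truncated to 96 bits

@dataclass
class SA:
    auth_key: bytes       # constructed demo key, not a real key
    last_seq: int = 0     # highest sequence number accepted so far

# Constructed SA database; the lookup key is (destination IP, SPI, protocol),
# matching the newsletter's point that SPI + destination address identify an SA.
SAD = {("10.0.0.2", 0x1000, AH_PROTO): SA(auth_key=b"constructed-demo-key")}

def ah_icv(key, ah_no_icv, payload):
    """ICV over the AH header (ICV field zeroed) plus the protected payload."""
    msg = ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(dst, spi, seq, payload, key, next_header=6):
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402 layout).
    payload_len = (12 + ICV_LEN) // 4 - 2
    hdr = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return hdr + ah_icv(key, hdr, payload) + payload

def verify_ah(dst, packet):
    """Receiver side: return (accepted, reason) for an inbound AH packet."""
    if len(packet) < 12:
        return False, "short"
    _nh, plen, _res, spi, seq = struct.unpack("!BBHII", packet[:12])
    ah_len = (plen + 2) * 4
    icv, payload = packet[12:ah_len], packet[ah_len:]
    sa = SAD.get((dst, spi, AH_PROTO))          # SA lookup by (dst, SPI, proto)
    if sa is None:
        return False, "no SA for (dst, SPI)"
    if not hmac.compare_digest(icv, ah_icv(sa.auth_key, packet[:12], payload)):
        return False, "ICV mismatch"            # modified in transit or wrong key
    if seq <= sa.last_seq:
        return False, "replay"                  # simplified anti-replay check
    sa.last_seq = seq
    return True, "ok"

def demo():
    """Constructed walk-through; returns the verdict for each inbound packet."""
    dst, spi = "10.0.0.2", 0x1000
    sa = SAD[(dst, spi, AH_PROTO)]
    sa.last_seq = 0                              # reset so the demo is repeatable
    good = build_ah_packet(dst, spi, 1, b"hello from user A", sa.auth_key)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # one payload bit flipped
    wrong_spi = build_ah_packet(dst, 0x2000, 1, b"x", sa.auth_key)
    return [verify_ah(dst, p)[1] for p in (good, tampered, good, wrong_spi)]

if __name__ == "__main__":
    print(demo())
```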
To tie this all together, let's
look at an example. User A wants to send data to User B. User A's router
(router A) has a security policy applied with a rule that says all traffic
to User B needs to be encrypted. User B's router (router B) will be the
other end of an IPSEC tunnel. Router A checks to see if an IPSEC SA exists
between it and router B. If it doesn't, router A will request an IPSEC SA
from IKE. If an IKE SA exists between the two routers, an IPSEC SA is
issued. If an IKE SA does not exist, one has to be negotiated first, with
the routers exchanging information signed by a third-party certificate
authority (CA) that both routers trust. Once the IKE SA is agreed upon
by the routers, an IPSEC SA can be issued, and secure, encrypted
communications can begin. This process is transparent to User A and User
B.
The basic steps for setting up an IPSEC connection are as follows:
1. Set up an IKE SA.
2. Agree upon the terms of communication and the encryption algorithm, and create an IPSEC SA.
3. Start sending data.
In the next newsletter, we will put
this knowledge to use by setting up a VPN between a branch office and a main
office using two 1700 series routers and Cisco IOS plus IPSEC. If you
want to do some homework, try the following links: