Saturday, May 18, 2013

IPSEC

I was going to post on text indexing, but I will make a post on IPSEC before that.

IPsec is a suite of protocols for securing network connections. IP packets are authenticated and encrypted for the duration of a session, and a variety of protocols can be used for the authentication and the encryption. It provides several controls for network connections and is generally better organized than many other networking protocols. It secures end-to-end IP connectivity between two endpoints, which may be host to host, network to network or network to host.
The IPsec suite is an open standard. It uses the following protocols to perform its various operations.
Authentication Headers (AH): This guarantees that the sender of an IP packet is who the packet says it is from and that the packet has not been tampered with in transit, which prevents spoofing and replay attacks. It is achieved by computing a hash value called the Integrity Check Value (ICV) over the packet and by carrying a sequence number in the header. The receiver uses the sequence number with a sliding window to determine which packets are old or repeated and can be discarded.
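To make the sliding-window idea concrete, here is an added example (not code from the original post) of the anti-replay window that an AH or ESP receiver keeps: a bitmap whose lowest bit tracks the highest sequence number accepted so far, with older sequence numbers recorded at increasing bit positions. The window size of 64 and the sequence-number trace are assumptions chosen for illustration.

```python
"""Anti-replay sliding window as used by AH/ESP receivers (added example; the
window size and the packet trace below are constructed for illustration)."""


class ReplayWindow:
    """Track received sequence numbers: accept new ones, reject old or repeated."""

    def __init__(self, size: int = 64):
        self.size = size      # window width in sequence numbers (assumed 64)
        self.top = 0          # highest sequence number accepted so far (0: none yet)
        self.bitmap = 0       # bit i set  =>  sequence number (top - i) was seen

    def check(self, seq: int) -> bool:
        """Is seq acceptable? Pure query, no state change."""
        if seq == 0:
            return False                        # 0 is never a valid sequence number
        if seq > self.top:
            return True                         # right of the window: a new packet
        diff = self.top - seq
        if diff >= self.size:
            return False                        # left of the window: too old, drop
        return not (self.bitmap >> diff) & 1    # inside the window: reject if seen

    def update(self, seq: int) -> None:
        """Record seq. Call only after check() AND after the ICV has verified:
        sliding the window on an unauthenticated packet would let a forger push
        the window past legitimate traffic and get it discarded."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            # slide right; anything older than the new window edge falls off
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int) -> bool:
        """Combined check-then-update for a packet whose ICV already verified."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def simulate(trace, size: int = 64):
    """Run a sequence-number trace through one window; return (seq, accepted) pairs."""
    window = ReplayWindow(size)
    return [(seq, window.receive(seq)) for seq in trace]


if __name__ == "__main__":
    # Constructed trace: in order, reordered, a replay, a big jump, then stale ones.
    for seq, accepted in simulate([1, 2, 3, 5, 4, 3, 70, 6, 100, 70, 99]):
        print(f"seq={seq:3d}  {'accept' if accepted else 'DROP'}")
```

The split between `check()` and `update()` matters: a real receiver runs the sequence-number check first (cheap), verifies the ICV second, and only then updates the window, so that forged packets can never move it.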
Encapsulating Security Payloads (ESP): This provides confidentiality protection for packets. It supports both encryption and authentication configurations, for direct IP connectivity as well as tunnel-based connectivity. A tunnel describes communication between two endpoints over a public network such that the two endpoints can talk to each other without any of the other hosts on the public network seeing the traffic. A common example is connecting to the office from home. It is implemented by placing another IP header in front of the original one: the public network routes the packets based on the outer header, while the source and destination look at the inner IP packets to know that the packets are from each other. Unlike AH, ESP does not provide integrity and authentication for the entire IP packet; its authentication does not cover the outer IP header.
Security Association (SA): This is the group of algorithms and parameters, such as keys, used to encrypt and authenticate a particular flow in one direction. A pair of security associations is required to secure bidirectional traffic. These groupings are well organized, and policies are enforced using a policy agent.
IPsec has two modes of operation, depending on whether the configuration is host to host or involves network tunnels; these are referred to as transport mode and tunnel mode respectively.
In transport mode, only the payload of the IP packet is encrypted or authenticated and the original IP header is preserved. The limitation of this mode is that the IP addresses cannot be translated (as a NAT device does) when the authentication header is used, because the changed addresses invalidate the hash value.
In tunnel mode, the entire IP packet is encrypted and/or authenticated, because it is encapsulated into a new IP packet with its own header.
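The NAT limitation of AH, the narrower coverage of ESP, and the tunnel-mode encapsulation described above can all be shown with a few bytes. The following is an added example, not code from the original post or from any IPsec implementation: it builds minimal IPv4 headers, computes an AH-style ICV (HMAC-SHA1, truncated to 96 bits, with the mutable TTL and checksum fields zeroed) over header plus payload, an ESP-style ICV over the ESP body only, and then simulates a NAT box rewriting the source address. The key, addresses, SPI values and payloads are constructed, and ESP encryption is omitted because only authentication coverage is being compared.

```python
"""AH vs ESP authentication coverage under address translation, plus tunnel-mode
encapsulation. Added example; key, addresses and payloads are constructed."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
AUTH_KEY = b"constructed-demo-authentication-key"   # one SA's auth key (constructed)
ICV_LEN = 12                                          # HMAC-SHA1-96 truncation


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH ICV covers the IP header AND the payload. The fields that legitimately
    change in flight (TTL, header checksum in this simplified header) are zeroed
    first; the addresses are not, which is exactly why NAT breaks AH."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0                  # TTL is decremented by every router
    hdr[10:12] = b"\x00\x00"    # checksum changes whenever TTL does
    return hmac.new(AUTH_KEY, bytes(hdr) + payload, hashlib.sha1).digest()[:ICV_LEN]


def esp_body(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the payload (unencrypted here)."""
    return struct.pack("!II", spi, seq) + payload


def esp_icv(body: bytes) -> bytes:
    """ESP ICV covers only the ESP body, never the outer IP header."""
    return hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]


def transit(ip_hdr: bytes, nat_src: str, hops: int = 3) -> bytes:
    """Simulate the path: a NAT rewrites the source address, routers decrement TTL."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = ipaddress.IPv4Address(nat_src).packed
    hdr[8] -= hops
    return bytes(hdr)


def ah_survives_nat(src: str, dst: str, payload: bytes, nat_src: str) -> bool:
    """Transport-mode AH: sender computes the ICV, receiver recomputes it after NAT."""
    hdr = ipv4_header(src, dst, IPPROTO_AH, len(payload))
    icv = ah_icv(hdr, payload)                         # sender side
    arrived = transit(hdr, nat_src)
    return hmac.compare_digest(icv, ah_icv(arrived, payload))   # receiver side


def esp_survives_nat(src: str, dst: str, payload: bytes, nat_src: str) -> bool:
    """Transport-mode ESP on the same journey: the header is rewritten just the
    same, but it was never an input to the ICV."""
    body = esp_body(0x1234, 1, payload)
    hdr = ipv4_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN)
    icv = esp_icv(body)
    transit(hdr, nat_src)                              # rewritten, but irrelevant to the ICV
    return hmac.compare_digest(icv, esp_icv(body))


def tunnel_encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original packet, header included, becomes the ESP
    payload of a new packet addressed between the two gateways."""
    body = esp_body(0x5678, 1, inner)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(body) + ICV_LEN) + body + esp_icv(body)


def tunnel_decapsulate(outer: bytes):
    """Receiving gateway: verify the ICV, then return the inner packet (or None)."""
    body, icv = outer[20:-ICV_LEN], outer[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(body)):
        return None
    return body[8:]                                    # strip SPI + sequence number


if __name__ == "__main__":
    print("AH  through NAT:", ah_survives_nat("10.0.0.5", "10.1.0.9", b"hello", "203.0.113.7"))
    print("ESP through NAT:", esp_survives_nat("10.0.0.5", "10.1.0.9", b"hello", "203.0.113.7"))
```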
The algorithms used for protecting the packets include SHA1 for integrity protection and authenticity, and Triple DES and AES for confidentiality. The key negotiation for authentication is usually included with the IPsec implementation from a vendor.
The IPsec implementation in earlier versions of Windows was a standalone component separate from Windows Firewall; this has since changed. IPsec lets you author, in fairly generic terms, a set of rules and settings that define the security policies of your network and are implemented by each and every host on your network. You author these IPsec policy settings, as well as the individual policies or rules, using IP filters and filter actions. IP filters define a set of IP traffic.
For example, a computer on the intranet can have the following rules: allow connections with resource servers, allow connections with other intranet computers, but deny connections to everyone else. These are authored as inbound and outbound rules. Filters are evaluated based on weights, which are decided by the source IP address and subnet mask, the destination IP address and subnet mask, the IP protocol, the source port and the destination port. The source and destination IP address and port pairs identify a connection. Along with the filters and filter actions, you can also define the authentication methods, such as Kerberos, Active Directory or certificate based.
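The weight-based evaluation can be seen by coding the intranet example as a small filter list and running constructed packets through it. This is an added example, not code from the original post or from Windows; the weighting scheme (longer address prefixes and explicit protocol and ports make a filter heavier) is a simplified assumption rather than the exact weights Windows assigns, the addresses are constructed, and the "negotiate" action for the resource-server rule (require IPsec before allowing the connection) is likewise an assumption.

```python
"""Most-specific-filter-wins evaluation for an IPsec filter list. Added example;
the weighting scheme is a simplified assumption and the rules and packets are
constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Filter:
    name: str
    direction: str           # "in" or "out"
    src: str                 # CIDR, or "any"
    dst: str
    protocol: str = "any"    # "tcp", "udp", "icmp" or "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "permit"   # filter action: permit, block, or negotiate (require IPsec)


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int


def _prefix_bits(cidr: str) -> int:
    """Specificity of an address term: 0 for 'any', up to 32 for a single host."""
    return 0 if cidr == "any" else ipaddress.ip_network(cidr, strict=False).prefixlen


def weight(f: Filter) -> int:
    """Assumed weighting: every narrowing term adds to the weight, so the most
    specific matching filter wins regardless of its position in the list."""
    return (_prefix_bits(f.src) + _prefix_bits(f.dst)
            + (8 if f.protocol != "any" else 0)
            + (4 if f.sport is not None else 0)
            + (4 if f.dport is not None else 0))


def _addr_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(f: Filter, p: Packet) -> bool:
    return (f.direction == p.direction
            and _addr_match(f.src, p.src) and _addr_match(f.dst, p.dst)
            and f.protocol in ("any", p.protocol)
            and f.sport in (None, p.sport)
            and f.dport in (None, p.dport))


def evaluate(filters, p: Packet) -> Optional[Filter]:
    """Return the heaviest matching filter, or None if nothing matches."""
    hits = [f for f in filters if matches(f, p)]
    return max(hits, key=weight) if hits else None


# The intranet example from the post as outbound rules (constructed addresses):
# resource servers, other intranet computers, everyone else.
INTRANET_POLICY = [
    Filter("resource servers", "out", "any", "10.1.0.0/24", "tcp", dport=445, action="negotiate"),
    Filter("other intranet computers", "out", "any", "10.0.0.0/8", action="permit"),
    Filter("everyone else", "out", "any", "any", action="block"),
]


def decide(p: Packet, filters=INTRANET_POLICY) -> str:
    """Human-readable verdict for one packet: '<action> (<filter name>)'."""
    f = evaluate(filters, p)
    return f"{f.action} ({f.name})" if f else "no match"


if __name__ == "__main__":
    for pkt in [Packet("out", "10.20.3.4", "10.1.0.7", "tcp", 50000, 445),
                Packet("out", "10.20.3.4", "10.5.3.2", "tcp", 50000, 80),
                Packet("out", "10.20.3.4", "198.51.100.4", "tcp", 50000, 443)]:
        print(pkt.dst, "->", decide(pkt))
```

Note that the catch-all "everyone else" rule matches every outbound packet, yet it never wins against a narrower rule because its weight is zero; ordering in the list does not matter, only specificity does.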
The policies are written for the domain and are retrieved by the policy agent running on the host computers that want to communicate. These policies are passed to the IKE module, which determines the authentication mechanism from the IPsec negotiation settings, determines the secret key, and sets up the protection of direct and tunnel mode traffic. The results are then passed as SA parameters to the IPsec driver, which uses them to protect the traffic. Since the IPsec driver sits below the application and the TCP/IP network stack, it handles all IP traffic.
After the policies are created, they can be assigned to different AD domains, sites and organizational units, giving you the flexibility to define the scope of your rules and removing the redundancy of having to repeat the rules on each host. Local IPsec policies are overridden by domain-based IPsec policies, and so on.
