
IPSec Overview


The IPSec protocol suite. Overview of IKE in IPSec. A look at the ESP packet. AH is excluded from this presentation.

Published in: Technology

  1. Internet Protocol Security (IPSec). Group name: grouppage
  2. What to expect
     • What is the difference between SSL and IPSec, and when should each be used?
     • Go through the basics of IPSec
     • Explain IPSec's key exchange
     • Look further into ESP, the main protocol of IPSec
  3. Internet Protocol (TCP/IP)
     • Has no inherent security
     • A man in the middle can read and write:
       ◦ the TCP/IP headers
       ◦ the payload data
     • SSL/TLS and IPSec can encrypt data
  4. IPSec compared to SSL
     • IPSec
       ◦ Application independent: works at the IP layer, transparently to applications
       ◦ Authenticates IP headers (with ESP in tunnel mode the whole inner IP datagram is protected; authenticating the outer header is the job of AH, which this presentation excludes)
       ◦ Encrypts the TCP header and the application layer
     • SSL
       ◦ Must be built into the application
       ◦ IP and TCP headers are not protected
       ◦ Encrypts the application layer only
  5. Normal IP
     • Mallory can:
       ◦ Create packets that have A's IP as source address
       ◦ Read A's packets
       ◦ Change A's packets
  6. IP with SSL
     • Mallory can:
       ◦ Create packets that have A's IP as source address
       ◦ Read and write the TCP header (but can no longer read or undetectably modify the application data)
  7. IPSec
     • Mallory can do none of the above: she cannot read, forge, or undetectably modify the protected packets. She can still drop or delay traffic and see which hosts are talking.
  8. When to use?
     • Reasons not to use:
       ◦ NAT (ESP carries no port numbers, so traversing NAT needs UDP encapsulation, NAT-T)
       ◦ Support (operating system and client support)
       ◦ User authentication (IPSec authenticates hosts or gateways, not users)
     • Reasons to use:
       ◦ VPN
       ◦ The application doesn't support TLS
       ◦ Don't want to use PKI (IKE can authenticate peers with a pre-shared key)
       ◦ Host authentication
  9. IPSec basics for this presentation
     • Main protocol in IPSec: Encapsulating Security Payload (ESP)
  10. IPSec basics for this presentation
     • Constructs that guide the operation of IPSec:
       ◦ Security Policy (SP)
       ◦ Security Association (SA)
  11. Security Policies
     • Govern how an IPSec device processes the different datagrams it receives: which traffic to protect, to bypass, and to discard.
  12. Security Associations
     • An SA describes a particular kind of secure connection between one device and another. Each SA covers one direction and one protocol, and is identified by its Security Parameter Index (SPI).
  13. Security Associations
     • Security Associations are key to IPSec's authentication and confidentiality mechanisms.
  14. Security Associations
     • SAs are negotiated as part of the "shared secret" exchange described next.
  15. Sharing the shared secret
  16. Sharing the shared secret
     • IPSec, like many secure networking protocol sets, is based on the concept of a "shared secret".
  17. Sharing the shared secret
     • Before ESP can be used, the two devices must agree on the secret keys that ESP itself will use.
  18. Sharing the shared secret
     • So how does this happen?
  19. Exchanging the secret
     • Internet Key Exchange (IKE)
  20. Internet Key Exchange (IKE)
     • Lets IPSec-capable devices negotiate security associations (SAs)
     • Each device populates its security association database (SAD) with the result
  21. Internet Key Exchange (IKE)
     • The established SAs are then used for the actual exchange of secured datagrams with ESP.
  22. Sharing the shared secret (diagram). Source:
  23. IPSec Protocols
     • Encapsulating Security Payload
  24. Encapsulating Security Payload (ESP)
     • Main function: provide privacy for IP datagrams by encrypting them.
     • ESP can also carry an integrity check value (ICV) over the packet, giving origin authentication and integrity without AH; this is how it is normally deployed.
  25. ESP packet in transport mode (diagram): original IP header | ESP header (SPI, sequence number) | encrypted TCP segment | ESP trailer | ESP authentication data
  26. ESP packet in tunnel mode (diagram): new IP header | ESP header (SPI, sequence number) | encrypted original IP datagram | ESP trailer | ESP authentication data
  27. Thank you! The end; we hope you understood.
  28. References
     • Understanding IPSec (Windows Server 2003 documentation)
     • The TCP/IP Guide
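Slides 14 to 21 describe IKE only at the level of "the devices exchange the shared secret and populate their SADs". The following is an added example, not code from the slides or from any IKE implementation, showing what that means concretely in IKEv2 terms: a Diffie-Hellman exchange, SKEYSEED and prf+ expansion as in RFC 7296, the child-SA keys for each direction landing in each peer's SAD, and the pre-shared-key AUTH value that is the "no PKI" option from slide 8 and is what stops Mallory from substituting her own Diffie-Hellman value. Assumptions: HMAC-SHA256 is the negotiated prf, all keys are 32 bytes, the IKE and ESP SPIs, nonces and key sizes are constructed, the message transport is replaced by direct object access, and the Diffie-Hellman group is a tiny insecure demonstration prime rather than an RFC 3526 MODP group.

```python
"""Added example: IKEv2-style key agreement feeding per-direction ESP keys into
an SAD.  Not from the slides.  HMAC-SHA256 is the prf; the DH group is a small
INSECURE demo prime (real IKE uses 2048-bit+ MODP or ECP groups)."""
import hashlib
import hmac
import os

TOY_P = 2 ** 61 - 1   # Mersenne prime, demonstration only (assumption)
TOY_G = 5
KEY_LEN = 32          # one 256-bit key per role and direction (assumption)


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, as negotiated in an IKE SA proposal."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 s2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def auth_with_psk(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload for pre-shared-key authentication (RFC 7296 s2.15)."""
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets)


class IkePeer:
    """One IKE endpoint.  Peer state is read directly instead of being parsed
    from IKE_SA_INIT / IKE_AUTH messages (simplification for the example)."""

    def __init__(self, spi: bytes, initiator: bool, rng=os.urandom):
        self.spi, self.initiator = spi, initiator        # 8-byte IKE SPI
        self.nonce = rng(32)
        self.priv = int.from_bytes(rng(8), "big") % (TOY_P - 2) + 2
        self.pub = pow(TOY_G, self.priv, TOY_P)
        self.esp_spi = rng(4)     # the receiver chooses the SPI of its inbound SA
        self.sad = {}             # Security Association Database: (dir, SPI) -> keys
        self.sk_d = b""

    def ke_payload(self) -> bytes:
        return self.pub.to_bytes(8, "big")

    def auth_payload(self, psk: bytes, peer: "IkePeer") -> bytes:
        # SignedOctets simplified to (own KE | own nonce | peer nonce); a real
        # implementation signs the whole first message plus prf(SK_p, ID).
        return auth_with_psk(psk, self.ke_payload() + self.nonce + peer.nonce)

    def verify_peer_auth(self, psk: bytes, peer: "IkePeer", auth: bytes) -> bool:
        expect = auth_with_psk(psk, peer.ke_payload() + peer.nonce + self.nonce)
        return hmac.compare_digest(auth, expect)

    def install_child_sa(self, peer: "IkePeer") -> None:
        """IKE_SA_INIT key derivation plus the first child (ESP) SA keymat."""
        g_ir = pow(int.from_bytes(peer.ke_payload(), "big"), self.priv, TOY_P)
        g_ir = g_ir.to_bytes(8, "big")
        ni, nr = (self.nonce, peer.nonce) if self.initiator else (peer.nonce, self.nonce)
        spii, spir = (self.spi, peer.spi) if self.initiator else (peer.spi, self.spi)
        skeyseed = prf(ni + nr, g_ir)
        # {SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr} = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)
        ike_keys = prf_plus(skeyseed, ni + nr + spii + spir, 7 * KEY_LEN)
        self.sk_d = ike_keys[:KEY_LEN]
        # Child SA: KEYMAT = prf+(SK_d, Ni|Nr).  Initiator->responder keys come
        # first, encryption key before integrity key (RFC 7296 s2.17).
        keymat = prf_plus(self.sk_d, ni + nr, 4 * KEY_LEN)
        i2r = {"enc": keymat[0:32], "auth": keymat[32:64]}
        r2i = {"enc": keymat[64:96], "auth": keymat[96:128]}
        out, inb = (i2r, r2i) if self.initiator else (r2i, i2r)
        self.sad[("out", peer.esp_spi)] = out    # we send with the peer's inbound SPI
        self.sad[("in", self.esp_spi)] = inb


def demo():
    """Constructed exchange between A (initiator) and B (responder)."""
    a = IkePeer(bytes.fromhex("0000000000000001"), initiator=True)
    b = IkePeer(bytes.fromhex("0000000000000002"), initiator=False)
    a.install_child_sa(b)
    b.install_child_sa(a)
    return a, b


if __name__ == "__main__":
    a, b = demo()
    print("A out == B in:", a.sad[("out", b.esp_spi)] == b.sad[("in", b.esp_spi)])
    print("PSK auth ok:", b.verify_peer_auth(b"demo-psk", a, a.auth_payload(b"demo-psk", b)))
```

The point to notice is that the outbound entry in A's SAD is byte-for-byte the inbound entry in B's SAD, and vice versa, with different keys in each direction; that pair of entries is the "shared secret" the slides talk about. Without the AUTH step, nothing in the Diffie-Hellman maths stops Mallory from running one exchange with each side, which is why IKE always authenticates the peers (PSK, certificates, or EAP).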
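Slides 24 to 26 show the ESP packet layouts as diagrams only. The following is an added example, not code from the slides or from any IPSec stack, that builds and receives ESP packets in both modes with the RFC 4303 layout (SPI, sequence number, IV, encrypted payload plus padding, pad length and next header, then the ICV), and shows the two checks a receiver performs that the Mallory slides rely on: ICV verification, which catches modified or forged packets, and the anti-replay window. Assumptions: the ICV is AUTH_HMAC_SHA2_256_128 (truncated HMAC-SHA256, RFC 4868), which is a real ESP transform; the cipher is a stand-in HMAC-SHA256 counter-mode keystream so the block runs on the standard library alone (a real SA negotiates AES-CBC or AES-GCM); the IPv4 headers are minimal constructed ones with a zero checksum; keys, SPI, IV and traffic are constructed.

```python
"""Added example: ESP framing (RFC 4303) in transport and tunnel mode, with
ICV verification and an anti-replay window on the receiving side.  Not from
the slides.  The 'cipher' is a stand-in keystream, not a real ESP transform."""
import hashlib
import hmac
import struct

IPPROTO_IPV4, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
IV_LEN, ICV_LEN = 16, 16


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at 0 (constructed for the demo)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode (assumption, not an ESP transform)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_esp(spi, seq, enc_key, auth_key, iv, inner, next_header):
    """SPI | Seq | IV | enc{inner | padding | pad len | next header} | ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # trailer must end 4-byte aligned
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default pad bytes 1,2,3,...
    plaintext = inner + padding + bytes([pad_len, next_header])
    body = struct.pack(">II", spi, seq) + iv + xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]   # HMAC-SHA2-256-128
    return body + icv


def esp_transport(ip_hdr, payload, payload_proto, spi, seq, enc_key, auth_key, iv):
    """Transport mode: original IP header stays in clear, protocol becomes 50 (ESP);
    the transport header and data are inside the encrypted part."""
    esp = build_esp(spi, seq, enc_key, auth_key, iv, payload, payload_proto)
    return ipv4_header(ip_hdr[12:16], ip_hdr[16:20], IPPROTO_ESP, 20 + len(esp)) + esp


def esp_tunnel(datagram, gw_src, gw_dst, spi, seq, enc_key, auth_key, iv):
    """Tunnel mode: the whole original datagram is encrypted behind a new IP header
    carrying the gateway addresses, so inner addresses and ports are hidden."""
    esp = build_esp(spi, seq, enc_key, auth_key, iv, datagram, IPPROTO_IPV4)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, 20 + len(esp)) + esp


class InboundSa:
    """Receiver side of one SA: SPI lookup, ICV check, anti-replay window, decrypt."""

    def __init__(self, spi, enc_key, auth_key, window=64):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.window, self.highest, self.bitmap = window, 0, 0

    def _replay_ok(self, seq: int) -> bool:
        """Sliding window (RFC 4303 s3.4.3): bit d of bitmap marks seq highest-d."""
        if seq == 0:
            return False
        if seq > self.highest:                                   # advance the window
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        back = self.highest - seq
        if back >= self.window or (self.bitmap >> back) & 1:
            return False                                         # too old, or already seen
        self.bitmap |= 1 << back
        return True

    def receive(self, datagram: bytes):
        """Returns (next_header, inner bytes); raises ValueError on any failure."""
        if datagram[9] != IPPROTO_ESP:
            raise ValueError("not ESP")
        esp = datagram[20:]
        spi, seq = struct.unpack(">II", esp[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expect = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):          # verify before decrypting
            raise ValueError("ICV mismatch: packet modified or forged")
        if not self._replay_ok(seq):                      # window updated only after ICV ok
            raise ValueError("replayed sequence number")
        iv, ct = body[8:8 + IV_LEN], body[8 + IV_LEN:]
        pt = xor(ct, keystream(self.enc_key, iv, len(ct)))
        pad_len, next_header = pt[-2], pt[-1]
        return next_header, pt[:len(pt) - 2 - pad_len]


def demo():
    """Constructed keys and traffic: a transport and a tunnel packet are accepted,
    then a replay of the first and a tampered copy of the second are rejected."""
    enc_key, auth_key, spi, iv = b"E" * 32, b"A" * 32, 0x1234ABCD, b"\x0f" * IV_LEN
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    gw1, gw2 = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
    tcp = b"\x00\x50\x00\x50" + b"hello over tcp"
    inner_hdr = ipv4_header(a, b, IPPROTO_TCP, 20 + len(tcp))
    rx, results = InboundSa(spi, enc_key, auth_key), {}
    pkt1 = esp_transport(inner_hdr, tcp, IPPROTO_TCP, spi, 1, enc_key, auth_key, iv)
    results["transport"] = rx.receive(pkt1)
    pkt2 = esp_tunnel(inner_hdr + tcp, gw1, gw2, spi, 2, enc_key, auth_key, iv)
    results["tunnel"] = rx.receive(pkt2)
    tampered = pkt2[:30] + bytes([pkt2[30] ^ 1]) + pkt2[31:]      # flip a bit in the IV
    for name, bad in (("replay", pkt1), ("tampered", tampered)):
        try:
            rx.receive(bad)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the diagrams do not make obvious: the receiver checks the ICV before it touches the ciphertext, so Mallory's modified packet is discarded without ever being decrypted, and the sequence number is covered by the ICV, so she cannot replay an old packet with a fresh number either.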