Site to Site Internet Protocol Security - Essay Example

Summary
The following essay "Site to Site Internet Protocol Security" is focused on the issue of information security. As the text has it, Internet Protocol Security (IPSec) happens to be the prime technique that works with all forms of internet traffic in attempts to achieve a secured internetwork system…

Extract of sample "Site to Site Internet Protocol Security"

Site to Site Internet Protocol Security

Table of Contents
1.0 Introduction
2.0 Tunnel Mode
3.0 Architecture
3.1 The IPSec Roadmap
4.0 Authentication and Confidentiality
4.1 Authentication Goals
4.2 Confidentiality Goals
4.3 IPv4 vs. IPv6 Authentication
5.0 IPSec Implementation
6.0 Conclusion

1.0 Introduction

Security is a pivotal factor when it comes to internet advancements. Internet Protocol Security (IPSec) happens to be the prime technique that works with all forms of internet traffic in attempts to achieve a secured internetwork system. This encompasses both the current version of internet addressing, IPv4, and the next generation version, IPv6. IPSec is a set of protocols that enable the secure exchange of packets at the Internet Protocol layer. It was developed by the Internet Engineering Task Force (IETF) and has been deployed widely in the implementation of Virtual Private Networks (VPN). With a secured IP layer, any application can take full advantage of its functionality (Doraswamy & Harkins 2003).

In VPN tunneling technology, all traffic is forced through a secured site. Furthermore, one network is able to send its data via the connection of another network. IPSec can be implemented at the end host, in the routers, or in both, depending on the security requirements of the users (Doraswamy & Harkins 2003). With IPSec, any piece of information sent from one site to another remains secured due to the involved extensibility of the Internet Protocol layer. In this study, therefore, we will discuss tunneling, architecture, authentication and the associated standards in attempts to describe the IPSec protocol.

2.0 Tunnel Mode

Of all VPNs, Tunnel Mode is the most commonly used in IPSec implementations. Tunneling is the transmission of data intended for use within a private network through a public network. In this case, therefore, data is conveyed by a public network, which is the internet, on behalf of a private network. This is achieved through the protection of IP packets by IPSec in such a way that the original packets get wrapped, encrypted and given a new header before being sent to the other side of the VPN tunnel (Tiller 2000).

IPSec VPN tunneling can also be configured using Generic Routing Encapsulation (GRE) tunnels with IPSec. GRE is a protocol for encapsulating an arbitrary network layer protocol over another arbitrary network layer protocol (Javin Technologies 2005). In this protocol, packets known as payloads need to be encapsulated and delivered to some destination. First, the payload is encapsulated in a GRE packet, then in some other protocol, before being forwarded. The outer protocol is known as the delivery protocol. "Security in a network using GRE should be relatively similar to security in a normal IPv4 network, as routing using GRE follows the same routing that IPv4 uses natively." (Javin Technologies 2005). Unlike route filtering, which remains unchanged, packet filtering requires that a firewall look inside the GRE packet or, alternatively, that the filtering be done at the GRE tunnel endpoints.

Javin Technologies (2005) further describes another protocol within the IPSec protocols, the Point-to-Point Tunneling Protocol (PPTP). This is a network technology that supports multiprotocol VPNs, enabling remote users to access corporate networks through the internet. PPTP is implemented almost entirely by Private Network Systems (PNS) and uses an extended version of GRE to carry user Point-to-Point Protocol (PPP) packets.
These enhancements allow for low-level congestion, efficient use of the bandwidth available for the tunnels, and avoidance of unnecessary transmissions and buffer overruns.

3.0 Architecture

The goal of the IPSec architecture lies in the provision of various security services for traffic. This happens at the IP layer in both the IPv4 and IPv6 environments in a standardized and universal way. The IPSec architecture basically describes the system requirements for the implementation of IPSec. It further focuses on the fundamental elements of the implementation systems and how they fit together into the IP environment. All the security services offered by the IPSec protocols are covered in the architecture. In attempts to visualize the IPSec architecture, Doraswamy & Harkins (2014) discuss the IPSec Roadmap diagram.

3.1 The IPSec Roadmap

The IPSec protocols include the following: AH, ESP, IKE, ISAKMP/Oakley and transforms. Understanding how these components relate to each other is what makes it possible to understand, implement and use IPSec. The IPSec Roadmap defines how these components interact with each other.

Figure 3.0. The IPSec Architecture

The standard associated with the security architecture is RFC 4301, the standard associated with the IP Encapsulating Security Payload (ESP) is RFC 4303 and the standard associated with the IP Authentication Header (AH) is RFC 4302, to mention but a few. The ESP and AH documents define the protocols as well as the services they provide, and also define packet processing rules. Their only undoing is their inability to specify the transforms used in the provision of these capabilities. Another component of great concern is the Internet Key Exchange (IKE), which is responsible for the generation of keys for the IPSec protocols. Furthermore, it also negotiates keys for other protocols that may require keys.

In IPSec network layer security, the three components stated above, that is AH, ESP and IKE, are highly interconnected. AH and ESP rely on an existing security association, which is established by IKE. The implication is that should IKE break, there will be no protection provided by AH and ESP. This relationship can simply be summarized in this form: IPSec = AH + ESP + IKE. It should therefore be understood that the combination of AH and ESP protects the IP traffic, while IKE sets up the keys as well as the algorithms for AH and ESP. Issues concerning policy within IPSec encompass representation and implementation (Doraswamy & Harkins 2014). Representation deals with policy definition, storage and retrieval, while implementation addresses policy application.

4.0 Authentication and Confidentiality

"The IPSec standards include protocols for ensuring confidentiality, integrity, and authentication of data communications in an IP network." (Guttman et al 2000). Confidentiality is achievable through encapsulation. Authentication and confidentiality can be used together or separately. The associated standards (RFCs) are very flexible, to the extent of attracting commercial interest; this has resulted in the availability of many IPSec products. For a better understanding of the IPSec protocol, let us focus on authentication and confidentiality as security goals.

4.1 Authentication Goals

Guttman et al (2000) argue that the essence of authentication lies in allowing the recipient to take a packet at face value. The authors further affirm this argument with an example, which states that for a packet p selected for protection by the authentication goal the following scenario will occur: assuming A is the value found in the source header field of p as received by B, this implies that p originated at A in the past and that the payload has not been altered since.
A packet is never to be regarded as properly received until it is proven that the 'mark' it contains matches the value computed from a shared secret.

4.2 Confidentiality Goals

Carrell et al (2012) reveal that RFC 2401 states that the goals of IPSec are to provide confidentiality. Confidentiality prevents unauthorized people from viewing information. The fact that IPSec supports the use of a variety of encryption tools makes it possible for confidentiality to be realized. Furthermore, IPSec can hide true communication paths from partners, a technique achievable through specified tunneling. This is a type of confidentiality known as Limited Traffic Flow confidentiality, which makes it hard for an adversary to know who is talking to whom.

4.3 IPv4 vs. IPv6 Authentication

In order to enable a client to connect to a database with either IPv4 or IPv6, two authentication methods are required, one for each address. An IP address is required by any authentication method that happens to use host authentication. The IPv6 PPP session authentication is identical to IPv4 (Minoli 2012). Minoli (2012) further reveals that IPv6 and IPv4 authentications can be singly authenticated to Remote Authentication Dial-In User Services (RADIUS).

5.0 IPSec Implementation

In this section let us focus on how a packet travels from one user to another using IPSec. In IPSec, the transport mode only encrypts the payload of an IP packet, and this is only applicable to two parties or entities that both implement IPSec. The only difference with the tunnel mode is that the entire packet is encrypted, making it more secure. Before packets are released, router implementation is essential, as it protects the packets over the internet. The encrypted packet moves through a VPN tunnel, where it is not visible to other network users but only to the recipient, who is the end user.
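
The tunnel-mode wrapping described in sections 2.0 and 5.0 and the 'mark' check from section 4.1, as an added example that is not part of the original essay. It builds an ESP-style tunnel packet whose 'mark' (the integrity check value, ICV) is HMAC-SHA-256 truncated to 128 bits, a choice made for this example; the addresses, SPI, key and payload are constructed, and encryption is left out (integrity-only ESP) so that it runs on the Python standard library alone.

```python
import hashlib, hmac, socket, struct

ESP, IPIP = 50, 4   # IP protocol numbers: ESP, and IPv4-in-IPv4 (tunnel mode)
ICV_LEN = 16        # HMAC-SHA-256 output truncated to 128 bits

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def esp_tunnel_encap(inner, gw_src, gw_dst, spi, seq, key):
    """outer IP header | SPI, sequence | whole inner packet | trailer | ICV"""
    pad = -(len(inner) + 2) % 4                      # align trailer to 4 bytes
    trailer = bytes(range(1, pad + 1)) + bytes([pad, IPIP])
    body = struct.pack("!II", spi, seq) + inner + trailer
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(gw_src, gw_dst, ESP, len(body) + ICV_LEN) + body + icv

def esp_tunnel_decap(packet, key):
    """Return the inner packet, or None when the ICV does not verify."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]   # assumes IHL = 5
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time compare
        return None                                  # unauthenticated: drop
    pad_len, next_header = body[-2], body[-1]
    if next_header != IPIP:
        return None                                  # not a tunnel-mode payload
    return body[8:len(body) - 2 - pad_len]

def outer_endpoints(packet):
    """Source, destination and protocol an on-path observer can read."""
    return (socket.inet_ntoa(packet[12:16]),
            socket.inet_ntoa(packet[16:20]), packet[9])

# Constructed sample: host 10.1.0.5 at site A sends to 10.2.0.9 at site B via
# gateways 198.51.100.1 and 203.0.113.1 (documentation address ranges).
KEY = b"constructed-demo-key-not-for-use"
DATA = b"constructed app data"           # stand-in for a UDP datagram
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, len(DATA)) + DATA
PACKET = esp_tunnel_encap(INNER, "198.51.100.1", "203.0.113.1", 0x1001, 1, KEY)
TAMPERED = PACKET[:40] + bytes([PACKET[40] ^ 0x01]) + PACKET[41:]

if __name__ == "__main__":
    print("observer sees:", outer_endpoints(PACKET))
    print("intact packet accepted:", esp_tunnel_decap(PACKET, KEY) == INNER)
    print("tampered packet accepted:", esp_tunnel_decap(TAMPERED, KEY) is not None)
```

The outer header carries only the two gateway addresses, which is the limited traffic flow confidentiality of section 4.2; the tampered copy flips one bit of the inner source address and is dropped at the receiving gateway.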

Based on the knowledge of VPN tunneling discussed above, the switched packets are able to reach the recipient unaltered.

6.0 Conclusion

This discussion has equipped us with vital knowledge of the IPSec protocol through extensive explanations of the security measures involved in Internet Protocol Security (IPSec). If used the right way, IPSec turns out to be very useful. Preferably, IPSec should be applied in point-to-point communication. As much as IPSec is able to provide a nice way to secure data as it is transferred through a public network, it is still prone to attacks due to the highly advanced technology. Generally, this study describes data transmission using IPSec.

References

Carrell, J., Chappell, L., Tittel, E., & Pyles, J. (2012). Guide to TCP/IP (4th ed.). Boston: Cengage Learning.

Doraswamy, N., & Harkins, D. (2003). IPSec: The New Security Standard for the Internet. New Jersey, NJ: Prentice Hall Professional.

Doraswamy, N., & Harkins, D. (2014, June). IPSec Architecture. Retrieved from http://www.technet.microsoft.com/en-us/library/cc700826.aspx

Guttman, J. D., Herzog, A. L., & Thayer, F. J. (2000). Authentication and Confidentiality via IPSec. The MITRE Corporation, 45(6), 1-18.

Javin Technologies, Inc. (2013, June). Network Protocols Handbook. Retrieved from http://javintechnologies.com

Minoli, D. (2012). Linear and Non-Linear Video and TV Applications: Using IPv6 and IPv6 Multicast. New Jersey, NJ: John Wiley & Sons.

Tiller, J. S. (2000). A Technical Guide to IPSec Virtual Private Networks. Florida, FL: CRC Press.
Site to Site Internet Protocol Security Essay Example | Topics and Well Written Essays - 1500 words. Retrieved from https://studentshare.org/information-technology/1671046-site-to-site-ipsec-vpn-tunneling