IPSec Misree
Added: September 24, 2007. Views: 1120. Category: News & Reports. License: All Rights Reserved. Likes: 3, dislikes: 0.
Comment by hellprincesse (6 months ago): good

Presentation Transcript

IPsec
Shu Zhang

IPsec
Definition (Webopedia): Short for IP Security, a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.
IPsec has been deployed widely to implement Virtual Private Networks (VPNs).

Virtual Private Network (VPN)
- Because of the global market, more and more companies operate across countries or worldwide, and all of them face the problem of maintaining fast, secure and reliable communications wherever their offices are.
- Leased lines are very expensive.

Virtual Private Network (VPN)
- VPN: using public wires, usually the Internet, to connect a company's private network, remote sites and users together, instead of using a dedicated real-world connection.

Virtual Private Network (VPN)
Features of a VPN:
- Security
- Reliability
- Scalability
- Network management
- Policy management

VPN Security
Several methods:
- Firewall
- Encryption
- IPsec
- AAA server

Goal of IPsec
Provides security services at the IP layer:
- Access control
- Integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality

IPsec Architecture
Components:
- Security protocols
- Security associations
- Key management
- Algorithms for authentication and encryption

Security Protocols
Authentication Header (AH):
- Data origin authentication
- Anti-replay service
- Data integrity
Encapsulating Security Payload (ESP):
- Confidentiality
- Data origin authentication
- Anti-replay service
- Connectionless integrity

AH
- AH provides authentication for as much of the IP header as possible, as well as for upper level protocol data.
- Two modes: transport mode / tunnel mode

AH Location
(diagram slide; no transcript text)

AH Algorithms
- Keyed Message Authentication Codes (MAC) based on symmetric key encryption (DES)
- One-way hash function (MD5/SHA-1)

ESP
- Provides data confidentiality for the IP payload using encryption.
- It can provide data integrity and connectionless integrity, but the coverage is different from AH.
- Two modes: transport mode / tunnel mode

ESP Format
(diagram slide; no transcript text)

ESP Algorithms
- Encryption algorithms: symmetric encryption algorithms
- Authentication algorithms: the same as AH

Security Associations (SA)
- A management component used to enforce a security policy in the IPsec environment
- A simplex "connection" that affords security services to the traffic it carries
- The set of security services depends on: the protocol selected, the SA mode, and the endpoints of the SA

SA's Mode
Transport mode: between 2 hosts
- Transport mode AH: protection covers selected portions of the IP header and the higher layer protocol header
- Transport mode ESP: protection covers only the higher layer

SA's Mode
Tunnel mode: applied to an IP tunnel
- Tunnel mode AH: portions of the "outer" IP header, as well as all of the "inner" IP packet
- Tunnel mode ESP: only the tunneled packet

Databases in IPsec
Two databases are maintained in each IPsec implementation:
- Security Policy Database (SPD)
- Security Association Database (SAD)

SPD
- Contains an ordered list of policy entries keyed by selectors: destination/source IP address, transport layer protocol, destination/source port
- Each entry includes an SA specification: IPsec protocol, modes, algorithms

SPD
- An administrative interface must be provided to the user or system administrator
- Must be consulted during all traffic processing, including non-IPsec traffic

SAD
Each entry defines the parameters associated with one SA:
- Sequence number counter
- Anti-replay window
- AH authentication algorithm, keys
- ESP encryption algorithm, keys
- ESP authentication algorithm, keys
- Lifetime of the SA
- IPsec protocol mode

IPsec Processing
- Differentiate inbound/outbound traffic
- For outbound: SAD entries are pointed to by entries in the SPD; if there is none, create a new SA
- For inbound: a triple is used to uniquely identify an SA: <Destination IP address, IPsec protocol, Security Parameters Index>

Security Parameter Index
- 32-bit value
- Selected by the destination system when a new SA is established

SA Management Protocol
- Internet Security Association and Key Management Protocol (ISAKMP) is the framework for SA management
- It defines: procedures and packet formats to establish, negotiate, modify and delete SAs; payloads for exchanging key generation and authentication data

ISAKMP
ISAKMP has 3 main functions:
- Security association management
  - Negotiation: authentication mechanism, cryptographic algorithm, algorithm mode, key length, initialization vector (IV), ...
  - Establishment

ISAKMP
- Authentication: authenticate the entity at the other end of the communication
- Strong authentication must be provided: digital signature, public key encryption
- Obtain shared secrets and session keys
- Key establishment: key generation / key transport, key exchange, authentication

ISAKMP Negotiation
- Offers 2-phase negotiation
  - Phase 1: establish an ISAKMP SA to protect further negotiation
  - Phase 2: establish the real protocol SAs
- Higher start-up cost
- Benefit: multiple protocol SAs can be established; simpler second-phase exchanges can be used; the ISAKMP SA reduces ISAKMP management activities

ISAKMP Protection
- Denial-of-service: an anti-clogging token (ACT)
- Man-in-the-middle attack: authentication and encryption

Algorithms
- Not bound to any specific cryptographic algorithm, key generation technique, or security mechanism
- Supports the dynamic communications environment
- Provides a forward migration path to better mechanisms and algorithms
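The AH, ESP and SA-mode slides say that AH covers "as much of the IP header as possible" while ESP's integrity coverage "is different". The following is an added example, not code from the presentation: it computes a transport-mode AH integrity check value (ICV) the way RFC 4302 specifies, zeroing the mutable IPv4 fields (DSCP/ECN, flags, fragment offset, TTL, header checksum) before running HMAC-SHA1-96, and an ESP ICV whose inputs start at the SPI so the IP header is never covered. The key, addresses and UDP payload are constructed sample values; the helper and function names are this example's own.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits


def build_ipv4_header(src, dst, payload_len, next_proto, ttl=64, tos=0, ident=0x1234):
    """Constructed IPv4 header without options. The checksum is left at zero: it is a
    mutable field, so AH ignores it anyway."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0x4000, ttl,
                       next_proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(ip_header):
    """RFC 4302: mutable or unpredictable IPv4 fields are zeroed for the ICV computation.
    Version/IHL, total length, identification, protocol and both addresses stay covered."""
    h = bytearray(ip_header)
    h[1] = 0                  # DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL, decremented by every router
    h[10:12] = b"\x00\x00"    # header checksum, recomputed by every router
    return bytes(h)


def ah_icv(key, ip_header, next_header, spi, seq, upper_layer):
    """Transport-mode AH ICV over: IP header (mutable fields zeroed) || AH header with the
    ICV field zeroed || upper-layer data."""
    payload_len = (12 + ICV_LEN) // 4 - 2            # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    data = zero_mutable_fields(ip_header) + ah_fixed + b"\x00" * ICV_LEN + upper_layer
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(key, spi, seq, ciphertext_and_trailer):
    """ESP (RFC 4303) ICV over SPI || sequence number || ciphertext (payload, padding,
    pad length, next header). There is no IP header parameter: ESP does not cover it."""
    data = struct.pack("!II", spi, seq) + ciphertext_and_trailer
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def coverage_demo():
    key = b"\x0b" * 20                                   # constructed sample key
    # Constructed UDP header (1234 -> 53, length 20, checksum 0) plus 12 bytes of data
    udp = b"\x04\xd2\x00\x35\x00\x14\x00\x00" + b"sample-query"
    hdr = build_ipv4_header("10.0.0.1", "10.0.0.2", 12 + ICV_LEN + len(udp), AH_PROTO)
    icv = ah_icv(key, hdr, 17, 0x1000, 1, udp)

    # A router decrementing TTL must not break AH: TTL is mutable and excluded.
    ttl_changed = bytearray(hdr)
    ttl_changed[8] -= 1
    ttl_ok = hmac.compare_digest(icv, ah_icv(key, bytes(ttl_changed), 17, 0x1000, 1, udp))

    # Rewriting the source address must be caught: addresses are immutable and covered.
    rewritten = bytearray(hdr)
    rewritten[12:16] = ipaddress.IPv4Address("10.0.0.9").packed
    src_ok = hmac.compare_digest(icv, ah_icv(key, bytes(rewritten), 17, 0x1000, 1, udp))

    # ESP's ICV inputs begin at the SPI, so neither header change above is visible to it.
    esp = esp_icv(key, 0x1000, 1, b"\x00" * 32)          # stand-in for ciphertext + trailer
    return {"ah_survives_ttl_change": ttl_ok,
            "ah_detects_src_rewrite": not src_ok,
            "esp_icv_len": len(esp)}


if __name__ == "__main__":
    print(coverage_demo())
```

The same property that lets AH detect a rewritten address is what breaks AH across NAT: the translator changes a covered field, so the receiver's ICV check fails, which is why ESP is the protocol used for NAT traversal.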
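The SPD, SAD and IPsec Processing slides describe an ordered selector-keyed policy list, a per-SA record with a sequence counter and anti-replay window, outbound lookup from SPD entry to SAD entry, and inbound lookup by the triple <destination IP, IPsec protocol, SPI>. This added example (not the presentation's code) puts those pieces together in a small model node; the policy entries, addresses, SPI values and the 64-packet window are constructed assumptions, and the sliding-window logic follows the RFC 4302/4303 bitmap algorithm. SA creation is stubbed locally because a real node would negotiate it with IKE/ISAKMP and the destination would pick the SPI.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

WINDOW = 64  # anti-replay window in packets; RFC 4302/4303 require at least 32


@dataclass
class SPDEntry:
    # Selectors from the SPD slide: source/destination address, transport protocol, port
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]            # None matches any protocol
    dport: Optional[int]            # None matches any destination port
    action: str                     # "PROTECT", "BYPASS" or "DISCARD"
    ipsec_proto: Optional[str] = None   # SA specification: IPsec protocol, mode, algorithms
    mode: Optional[str] = None
    alg: Optional[str] = None
    sa_spi: Optional[int] = None    # once the SA exists, the SPD entry points at its SAD entry

    def matches(self, src, dst, proto, dport):
        return (ipaddress.IPv4Address(src) in self.src and ipaddress.IPv4Address(dst) in self.dst
                and self.proto in (None, proto) and self.dport in (None, dport))


@dataclass
class SADEntry:
    spi: int
    dst: str
    ipsec_proto: str
    mode: str
    alg: str
    key: bytes
    seq_counter: int = 0        # outbound sequence number counter
    replay_last: int = 0        # highest sequence number accepted on inbound
    replay_bitmap: int = 0      # bit d set: packet (replay_last - d) was already accepted


class IPsecNode:
    def __init__(self, spd):
        self.spd = spd          # ordered list, first match wins
        self.sad = {}           # keyed by the triple <destination IP, IPsec protocol, SPI>
        self._next_spi = 0x1000

    def _create_sa(self, entry, dst):
        # "If not, create a new SA": locally assigned SPI and zero key so the example runs offline.
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        sa = SADEntry(spi, dst, entry.ipsec_proto, entry.mode, entry.alg, key=bytes(20))
        self.sad[(dst, entry.ipsec_proto, spi)] = sa
        entry.sa_spi = spi
        return sa

    def outbound(self, src, dst, proto, dport):
        # The SPD is consulted for every packet, including traffic that gets no IPsec at all.
        for entry in self.spd:
            if entry.matches(src, dst, proto, dport):
                if entry.action != "PROTECT":
                    return entry.action, None
                sa = self.sad.get((dst, entry.ipsec_proto, entry.sa_spi)) or self._create_sa(entry, dst)
                sa.seq_counter += 1
                return "PROTECT", (sa.spi, sa.seq_counter)
        return "DISCARD", None   # no policy matched: default deny

    def inbound(self, dst, ipsec_proto, spi, seq, icv_valid):
        sa = self.sad.get((dst, ipsec_proto, spi))
        if sa is None:
            return "DISCARD: no SA for triple"
        if not self._replay_check(sa, seq):
            return "DISCARD: replayed or outside window"
        if not icv_valid:        # the window advances only after the ICV verifies
            return "DISCARD: ICV failed"
        self._replay_update(sa, seq)
        return "ACCEPT"

    @staticmethod
    def _replay_check(sa, seq):
        if seq == 0:                        # sequence numbers start at 1
            return False
        if seq > sa.replay_last:            # right of the window: new
            return True
        diff = sa.replay_last - seq
        if diff >= WINDOW:                  # left of the window: too old
            return False
        return not (sa.replay_bitmap >> diff) & 1

    @staticmethod
    def _replay_update(sa, seq):
        if seq > sa.replay_last:
            shift = seq - sa.replay_last
            mask = (1 << WINDOW) - 1
            sa.replay_bitmap = ((sa.replay_bitmap << shift) | 1) & mask if shift < WINDOW else 1
            sa.replay_last = seq
        else:
            sa.replay_bitmap |= 1 << (sa.replay_last - seq)


def demo():
    # Constructed policy: protect site-to-site traffic, pass DNS in the clear, drop everything else
    any_net = ipaddress.IPv4Network("0.0.0.0/0")
    spd = [SPDEntry(ipaddress.IPv4Network("10.1.0.0/16"), ipaddress.IPv4Network("10.2.0.0/16"),
                    None, None, "PROTECT", ipsec_proto="ESP", mode="tunnel", alg="AES-CBC+HMAC-SHA1"),
           SPDEntry(any_net, any_net, 17, 53, "BYPASS"),
           SPDEntry(any_net, any_net, None, None, "DISCARD")]
    node = IPsecNode(spd)
    # Constructed inbound SA with this node's own address as the destination
    node.sad[("10.1.0.5", "ESP", 0x2000)] = SADEntry(0x2000, "10.1.0.5", "ESP", "tunnel",
                                                      "AES-CBC+HMAC-SHA1", bytes(20))
    r = {"dns": node.outbound("10.1.0.5", "192.0.2.53", 17, 53),
         "site": node.outbound("10.1.0.5", "10.2.0.7", 6, 443),
         "other": node.outbound("10.1.0.5", "198.51.100.1", 6, 80)}
    for name, seq, icv in [("in_new", 5, True), ("in_replay", 5, True), ("in_late", 3, True),
                           ("in_bad_icv", 100, False), ("in_after_bad", 100, True), ("in_too_old", 30, True)]:
        r[name] = node.inbound("10.1.0.5", "ESP", 0x2000, seq, icv)
    r["in_no_sa"] = node.inbound("10.1.0.5", "AH", 0x2000, 1, True)
    return r
```

Two details worth noticing when reading the results: a packet with a bad ICV does not move the window, so a forged high sequence number cannot be used to push genuine in-flight packets out of it, and a late packet (sequence 3 after 5) is still accepted because it is inside the window and not yet marked.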
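The ISAKMP Protection slide names an anti-clogging token (ACT) as the answer to denial of service. As an added example that is not part of the presentation, the responder below issues an 8-byte cookie derived from the peer's address and port, its own address and port, a local secret and a coarse time value (the inputs RFC 2408 section 2.5.3 lists), so it can regenerate the token on demand and allocates no negotiation state until the initiator echoes the token, proving it can receive packets at the address it claims. The class and method names, the secret, the 60-second rotation period and the flood scenario are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
import struct


class IsakmpResponder:
    """Stateless anti-clogging token issuance and verification for the first ISAKMP exchange."""

    def __init__(self, secret=None, period_seconds=60):
        self.secret = secret or os.urandom(32)   # rotating this secret invalidates old tokens
        self.period = period_seconds
        self.exchanges = {}                       # phase 1 state, created only after a valid echo

    def _token(self, src_ip, src_port, dst_ip, dst_port, period):
        msg = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
               + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port)
               + struct.pack("!Q", period))
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]   # ISAKMP cookies are 64 bits

    def on_first_message(self, src_ip, src_port, dst_ip, dst_port, now):
        # Nothing is remembered about the peer; the reply carries only the recomputable token.
        return self._token(src_ip, src_port, dst_ip, dst_port, int(now // self.period))

    def on_second_message(self, src_ip, src_port, dst_ip, dst_port, echoed, now):
        period = int(now // self.period)
        for p in (period, period - 1):           # tolerate one period boundary
            if hmac.compare_digest(echoed, self._token(src_ip, src_port, dst_ip, dst_port, p)):
                self.exchanges[(src_ip, src_port, echoed)] = "phase-1 in progress"
                return True
        return False


def flood_demo():
    """Constructed scenario: 5000 first messages from varied source addresses, then one
    honest peer, one peer presenting someone else's token, and one expired token."""
    r = IsakmpResponder(secret=b"constructed-demo-secret")
    for i in range(5000):
        r.on_first_message(f"203.0.113.{i % 254 + 1}", 500 + i, "192.0.2.10", 500, now=1000.0)
    state_after_flood = len(r.exchanges)          # still 0: no state was allocated
    tok = r.on_first_message("198.51.100.7", 500, "192.0.2.10", 500, now=1000.0)
    honest = r.on_second_message("198.51.100.7", 500, "192.0.2.10", 500, tok, now=1030.0)
    forged = r.on_second_message("198.51.100.8", 500, "192.0.2.10", 500, tok, now=1030.0)
    stale = r.on_second_message("198.51.100.7", 500, "192.0.2.10", 500, tok, now=1200.0)
    return {"state_after_flood": state_after_flood, "honest": honest,
            "forged": forged, "stale": stale, "state_after_honest": len(r.exchanges)}


if __name__ == "__main__":
    print(flood_demo())
```

The token buys nothing against an initiator that really controls the address it uses; its job is only to make sure memory and the expensive Diffie-Hellman work of phase 1 are spent on peers that can complete a round trip.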