IP Security
One problem with Internet protocol (IP) is that it has no method for confirming the authenticity and security of data as it moves through the net. IP datagrams are typically routed between devices over disparate networks; as a result, information within these datagrams could be intercepted and altered. As use of the Internet for critical applications has increased, the need for enhancements to IP security became necessary. As a result, the Internet Engineering Task Force (IETF) created a set of protocols called IP Security, or IPsec, to support the secure exchange of packets over the Internet. IPsec is now a mandatory component of IPv6 and must be supported for any IPv6 implementation. IPsec is implemented in IPv6 using the authentication header (AH) and the encapsulating security payload (ESP) extension header.

Answer the following questions in a 3- to 4-page, APA-formatted paper:
   1   What is IPsec, and why is it necessary? How is IPsec used in VPN?
   2   Which network layer currently suffers from attacks, and why? At which layers of the network stack architecture should a solution be attempted? Provide details.
   3   How is IP security achieved? What is the basic authentication scheme? Which mechanisms are used? What are some of the application venues of IPsec?
   4   How is a VPN implemented on a server so that its clients can connect to it?
Remember to properly cite your sources according to APA guidelines.

Solution

IPsec

IPsec (Internet Protocol Security, also written IP Security) is a framework of protocols that provides security for the Internet Protocol. It uses cryptography to provide network-level data integrity, data origin authentication and data confidentiality. Because it is integrated at the internet layer (layer 3), it protects all the protocols of the TCP/IP suite, and it is applied transparently to applications: there is no need to configure separate security for each application that uses TCP/IP.

Security services IPsec provides

IPsec provides two choices of security service: the Authentication Header (AH), which provides integrity protection and authentication of the sender of the data, and the Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of the data. The information associated with each of these services is inserted into the packet in a header that follows the IP header. Key management is handled by a separate protocol; the standard one is the Internet Key Exchange (IKE), built on ISAKMP and Oakley, which negotiates the security associations and keys that AH and ESP use.

Why IPsec is necessary

Earlier security approaches inserted security at the application layer of the communications model. IPsec is especially useful for implementing virtual private networks and for remote user access through dial-up connections to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and technologies) and has included support for it in its network routers.

VPN

A virtual private network (VPN) is a network setup in which the public telecommunication medium and the public network, i.e. the Internet, are used to transmit data from an office at one geographical location to an office at another geographical location.

IPsec used in VPN

Below is the process that takes place when two sites communicate over an IPsec site-to-site VPN tunnel:

·         The source computer C1 forwards the packet P1, whose destination IP address is that of the computer C2, to the router R1 (its default gateway).

·         The router R1 receives P1 and encrypts the entire packet using the algorithm agreed for the tunnel's security association.

·         After encrypting the packet, R1 encapsulates it, together with an ESP header, to form a new packet NP1. This packet has the IP address of R1 as its source and the IP address of R2 (the router at the destination site) as its destination.

·         R1 forwards NP1 to the IP address of R2 across the Internet; intermediate routers see only the outer header.

·         The destination router R2 receives NP1.

·         R2 verifies the integrity check value and decapsulates NP1 to obtain the encrypted packet P1.

·         R2 decrypts P1 using the appropriate algorithm.

·         R2 forwards the original packet P1 to the destination computer C2, where it was supposed to arrive all along.
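The steps above, run end to end as an added Python example (this is not code from the original page): R1 performs ESP tunnel-mode encapsulation of P1 into NP1, and R2 verifies the integrity check value, rejects a replayed sequence number, decrypts, and recovers P1. The packet layout follows RFC 4303 (SPI, sequence number, IV, ciphertext, padding, pad length, next header, ICV) and the outer header is a real IPv4 header with a valid checksum. Assumptions: the cipher is a counter-mode keystream derived from HMAC-SHA256, a stand-in for the AES mode a real security association would negotiate; the integrity algorithm is HMAC-SHA-256-128; the anti-replay check is a set of already-seen sequence numbers rather than the sliding window a real implementation keeps; keys, SPI and all addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

ESP_PROTO = 50      # protocol number in the outer IP header for ESP
IPPROTO_IPV4 = 4    # ESP "next header" value when the payload is a whole IPv4 packet (tunnel mode)
ICV_LEN = 16        # HMAC-SHA-256-128: HMAC-SHA256 truncated to 128 bits


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the AES mode a real SA would use)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


@dataclass
class SecurityAssociation:
    """One direction of the tunnel: SPI, keys, and sequence-number state on both ends."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                                # sender: last sequence number used
    seen: set = field(default_factory=set)      # receiver: accepted sequence numbers (simplified anti-replay)


def esp_encapsulate(sa: SecurityAssociation, inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """R1: encrypt P1, add ESP header/trailer and ICV, prepend the outer IP header (R1 -> R2)."""
    sa.seq += 1
    iv = os.urandom(8)
    pad_len = (-(len(inner) + 2)) % 4                  # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default padding 1, 2, 3, ...
    plaintext = inner + padding + bytes([pad_len, IPPROTO_IPV4])
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(sa.enc_key, iv, len(plaintext))))
    esp = struct.pack("!II", sa.spi, sa.seq) + iv + ciphertext
    esp += hmac.new(sa.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(sa: SecurityAssociation, packet: bytes) -> bytes:
    """R2: check the ICV first, then anti-replay, then decrypt and strip the ESP trailer."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet was modified in transit")
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI %#x" % spi)
    if seq in sa.seen:
        raise ValueError("replayed sequence number %d" % seq)
    sa.seen.add(seq)
    iv, ciphertext = esp[8:16], esp[16:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(sa.enc_key, iv, len(ciphertext))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != IPPROTO_IPV4:
        raise ValueError("unexpected next header %d" % next_header)
    return plaintext[:len(plaintext) - 2 - pad_len]


def delivery_result(sa: SecurityAssociation, packet: bytes) -> str:
    """'ok' if R2 accepts the packet, otherwise the reason it was dropped."""
    try:
        esp_decapsulate(sa, packet)
        return "ok"
    except ValueError as err:
        return str(err)


def site_to_site_demo():
    """C1 (10.1.0.5) sends P1 to C2 (10.2.0.7); R1 (203.0.113.1) tunnels it to R2 (198.51.100.1)."""
    sa = SecurityAssociation(spi=0x1000, enc_key=b"k" * 32, auth_key=b"a" * 32)  # constructed keys
    p1 = ipv4_header("10.1.0.5", "10.2.0.7", 17, 12) + b"hello C2 udp"       # constructed inner packet
    np1 = esp_encapsulate(sa, p1, "203.0.113.1", "198.51.100.1")
    recovered = esp_decapsulate(sa, np1)
    return p1, np1, recovered, sa


if __name__ == "__main__":
    p1, np1, recovered, sa = site_to_site_demo()
    print("P1 recovered intact:", recovered == p1)
    print("second delivery of NP1:", delivery_result(sa, np1))
```

Running the file reports whether P1 came back intact and shows a second delivery of NP1 being dropped as a replay. The order of checks in esp_decapsulate is deliberate: the ICV is verified before anything is decrypted or the replay state is touched, so a forged packet can neither consume sequence numbers nor cause R2 to decrypt attacker-chosen ciphertext.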

Advantages of Using IPsec VPN Site-to-Site Tunnels

IPsec VPN site-to-site tunnels offer numerous advantages. Some of them are:

·         The requirement to buy expensive dedicated leased lines between sites is eliminated, because the public telecommunication network is used to carry the data.

·         The internal IP addresses of the participating networks and nodes remain hidden from outside observers on the Internet, since only the routers' public addresses appear in the outer header.

·         The entire communication between the source and destination sites remains encrypted, so the chance of information theft in transit is very low.

Disadvantages of IPsec VPN Site-to-Site Tunnels

A few disadvantages of using IPsec VPN site-to-site tunnels are:

·         A capable, and relatively expensive, router is required at each site to act as the VPN gateway.

·         Since encapsulation, decapsulation, encryption and decryption take place on the routers, these devices carry extra processing overhead and higher CPU utilization, so users may experience reduced throughput.

·         Configuring a site-to-site IPsec VPN is complex and requires skilled, qualified IT professionals to get it right.

Network layers that currently suffer from attacks

The layers of the network stack that currently suffer from attacks are listed below:

·         Application layer

·         Transport layer

·         Network layer

·         Data link layer

Attacks at the network layer are possible because plain IP offers no way to confirm the authenticity or integrity of a datagram in transit. IPsec addresses this at the network layer (layer 3), so every protocol above it is protected transparently, whereas earlier approaches inserted security at the application layer and had to be configured for each application separately.

How can IP Security be achieved?


There are two specific headers that can be attached to an IP packet to achieve security: the IP Authentication Header (AH) and the IP Encapsulating Security Payload (ESP) header.


If confidentiality is not required, the Authentication Header (AH) alone can protect an IP datagram; in this case it provides connectionless data integrity and data origin authentication. It can be deployed host-to-host, host-to-gateway or gateway-to-gateway, but only the host-to-host form protects the datagram end to end. The reason is that when a security gateway provides the service on behalf of the trusted hosts behind it, an attack can still arise if one of those hosts becomes untrusted: the protection of two communicating end users is violated when it does not cover the complete path between them but stops at the gateway, even though a security association (SA) is established. In any of these deployments, however, untrusted systems (i.e. systems that have no SA established) cannot defeat data authentication, which here always means both data integrity and data origin authentication.


The IP Encapsulating Security Payload (ESP) header provides integrity, authentication and confidentiality to IP datagrams; these services are optional and a mix of them can be selected. ESP can be applied alone, in combination with the IP Authentication Header (AH), or in a nested way, e.g. by using tunnel mode. ESP can be deployed host-to-host, host-to-gateway or gateway-to-gateway. The ESP header is inserted after the IP header and before a higher-level protocol header (transport mode) or before the encapsulated IP header (tunnel mode). Gateway-to-gateway ESP with encryption is the critical building block for virtual private networks (VPNs) across an untrusted backbone in an open environment such as the Internet.
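An added Python example (not code from the original page) of what AH actually authenticates, illustrating the AH paragraph above: a host-to-host, transport-mode AH datagram (IP | AH | UDP payload) whose ICV is computed over the whole datagram after zeroing the IPv4 fields that legitimately change in transit (TOS, flags/fragment offset, TTL, header checksum) and the ICV field itself, as RFC 4302 requires. It then shows that a router decrementing the TTL does not break verification, while a payload change or a source-address rewrite (what a NAT device does) is detected, which is why AH cannot traverse address translation. Assumptions: HMAC-SHA-256-128 as the integrity algorithm; a constructed key, payload and addresses; the IPv4 header checksum left at zero (the sending stack fills it in, and AH zeroes it before computing the ICV); and no sequence-number or anti-replay handling.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51            # protocol number of the Authentication Header
UDP_PROTO = 17           # transport header that follows AH in transport mode
ICV_LEN = 16             # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits
AH_LEN = 12 + ICV_LEN    # next header, payload len, reserved, SPI, sequence number, then the ICV


def ah_icv(key: bytes, datagram: bytes) -> bytes:
    """ICV over the whole datagram with mutable fields zeroed (RFC 4302, IPv4 without options)."""
    ihl = (datagram[0] & 0x0F) * 4
    icv_start = ihl + 12
    buf = bytearray(datagram)
    buf[1] = 0                      # TOS / DSCP / ECN
    buf[6:8] = b"\x00\x00"          # flags and fragment offset
    buf[8] = 0                      # TTL, decremented by every router
    buf[10:12] = b"\x00\x00"        # header checksum, recomputed by every router
    buf[icv_start:icv_start + ICV_LEN] = bytes(ICV_LEN)   # the ICV field itself
    return hmac.new(key, bytes(buf), hashlib.sha256).digest()[:ICV_LEN]


def build_ah_datagram(key: bytes, src: str, dst: str, payload: bytes,
                      spi: int = 0x2000, seq: int = 1, ttl: int = 64) -> bytes:
    """Host-to-host transport-mode AH datagram: IP header | AH | UDP payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total = 20 + AH_LEN + len(payload)
    # Header checksum left at 0: the sending stack fills it in, and AH zeroes it anyway.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, AH_PROTO, 0, src_b, dst_b)
    # AH payload length field is the AH length in 32-bit words minus 2 (RFC 4302).
    ah = struct.pack("!BBHII", UDP_PROTO, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    datagram = ip + ah + payload
    icv = ah_icv(key, datagram)
    return datagram[:20 + 12] + icv + datagram[20 + AH_LEN:]


def ah_verify(key: bytes, datagram: bytes) -> bool:
    """Receiver side: recompute the ICV with mutable fields zeroed and compare in constant time."""
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != AH_PROTO:
        return False
    received = datagram[ihl + 12:ihl + 12 + ICV_LEN]
    return hmac.compare_digest(received, ah_icv(key, datagram))


def forward_through_router(datagram: bytes) -> bytes:
    """What an honest router does: decrement TTL and rewrite the header checksum, nothing else."""
    buf = bytearray(datagram)
    buf[8] -= 1
    buf[10:12] = b"\xAB\xCD"        # whatever the recomputed checksum happens to be; AH ignores it
    return bytes(buf)


def nat_rewrite_source(datagram: bytes, new_src: str) -> bytes:
    """What a NAT device does: rewrite the source address, which AH does cover."""
    buf = bytearray(datagram)
    buf[12:16] = bytes(int(o) for o in new_src.split("."))
    return bytes(buf)


def tamper_payload(datagram: bytes) -> bytes:
    """An on-path attacker flipping one bit of the transport payload."""
    buf = bytearray(datagram)
    buf[-1] ^= 0x01
    return bytes(buf)


def ah_demo() -> dict:
    """Verify the same datagram after each kind of in-transit change; constructed key and data."""
    key = b"\x11" * 32
    d = build_ah_datagram(key, "10.1.0.5", "10.2.0.7", b"udp payload from C1")
    return {
        "original": ah_verify(key, d),
        "after_router": ah_verify(key, forward_through_router(d)),
        "after_nat": ah_verify(key, nat_rewrite_source(d, "203.0.113.9")),
        "after_tamper": ah_verify(key, tamper_payload(d)),
    }


if __name__ == "__main__":
    for case, ok in ah_demo().items():
        print("%-13s %s" % (case, "verified" if ok else "REJECTED"))
```

The contrast with ESP is the coverage: AH's ICV includes the immutable parts of the IP header (addresses, protocol, length), so it detects address spoofing and rewriting, whereas ESP's ICV starts at the ESP header and leaves the outer IP header unprotected, which is also why ESP, unlike AH, can be carried through NAT.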


Tutor: Dr Jack