Intro to IPSEC

• Relates to: MCSE 2000 | MCSE 2003 | MCSA 2000 | Security+ | Network+ | CCNA | CCNP | MCSA 2003

It seems like everyone I talk to is setting up a VPN. I use
VPNs at home to provide a connection to several clients' sites.
This week's newsletter will take a look at the security
protocols behind the VPN, particularly IPSEC.

IPSEC was developed by the Internet Engineering Task Force
(IETF) to address weaknesses inherent in the IP protocol itself.
IP carries no authentication of the sender and no encryption of
the payload, so anyone on the path can read traffic
(sniffing) and anyone can forge a source address (spoofing),
which made guaranteed security across large networks difficult.
Earlier solutions protected only specific applications (PGP for
email and SSL for web applications). IPSEC secures the network
layer itself, so every application using the network is protected
without being changed. IPSEC is a set of IP extensions that
provides strong data authentication and confidentiality
through modern cryptographic techniques.

To have security on your network, you need to have confidence
in three factors:

  • The person you are communicating with is really that person
    (authentication)
  • No one can eavesdrop on your communication (confidentiality)
  • The communication that you received has not been modified in
    transit (integrity)

IPSEC consists of three components that provide these
security functions.

Authentication Header (AH) - A keyed hash (a message
authentication code) is computed over each packet and carried in
the AH header, letting the receiver verify that the packet came
from a peer holding the shared key and that it was not modified
in transit. The hash covers the upper-layer data and the parts of
the IP header that do not legitimately change en route, so a
forged source address is caught as well. AH provides no
confidentiality. The schemes in use when this was written were
HMAC-MD5 and HMAC-SHA-1; MD5-based authentication has since been
deprecated and SHA-2 based variants are now preferred.
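To make the AH mechanism concrete, here is an added example (not code from the original newsletter) showing in Python how the integrity check value is computed and verified: an HMAC-SHA-1 over the packet with the IP header fields that routers legitimately change in transit zeroed out, truncated to 96 bits as AH carries it. The addresses, key and payload are constructed for the demonstration, the function names (ah_protect, ah_verify, demo) are this example's own, and the code models IPv4 transport mode without IP options.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51          # IP protocol number that marks an AH header
ICV_LEN = 12              # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN     # fixed AH fields (12 bytes) plus the ICV
AH_PAYLOAD_LEN = AH_LEN // 4 - 2   # "Payload Len" = AH length in 32-bit words minus 2

IPV4_FMT = "!BBHHHBBH4s4s"         # 20-byte IPv4 header without options


def build_ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x1234,
                      flags_frag=0x4000, checksum=0):
    """Minimal IPv4 header. A real stack fills the checksum; it is a mutable
    field and zeroed for the ICV anyway, so 0 is fine for the demonstration."""
    return struct.pack(IPV4_FMT, 0x45, tos, total_len, ident, flags_frag, ttl,
                       proto, checksum, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr):
    """Return the header with the fields routers change in transit (ToS,
    flags/fragment offset, TTL, header checksum) set to zero, which is how
    both ends must view the header before hashing it (RFC 2402)."""
    vihl, _tos, total_len, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, ip_hdr[:20])
    return struct.pack(IPV4_FMT, vihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def compute_icv(key, ip_hdr, ah_fields, payload):
    """ICV = HMAC-SHA-1(immutable IP header || AH with ICV zeroed || payload)[:96 bits]."""
    data = zero_mutable_fields(ip_hdr) + ah_fields + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, next_header, payload, spi, seq, ttl=64):
    """Wrap an upper-layer datagram in IP + AH (transport mode)."""
    ip_hdr = build_ipv4_header(src, dst, AH_PROTOCOL, 20 + AH_LEN + len(payload), ttl=ttl)
    ah_fields = struct.pack("!BBHII", next_header, AH_PAYLOAD_LEN, 0, spi, seq)
    return ip_hdr + ah_fields + compute_icv(key, ip_hdr, ah_fields, payload) + payload


def ah_verify(key, packet):
    """Recompute the ICV on a received packet. Returns (next_header, spi, seq,
    payload) when it matches, None when the packet was altered or keyed differently."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTOCOL:
        return None
    ah_fields = packet[20:32]
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah_fields)
    if payload_len != AH_PAYLOAD_LEN:
        return None
    received_icv = packet[32:32 + ICV_LEN]
    payload = packet[32 + ICV_LEN:]
    if not hmac.compare_digest(received_icv, compute_icv(key, ip_hdr, ah_fields, payload)):
        return None
    return next_header, spi, seq, payload


def demo():
    """Constructed traffic: one UDP datagram (next header 17) from 10.0.0.1 to 10.0.0.2."""
    key = b"constructed-sa-key-for-demo"   # in practice negotiated by IKE, never hard-coded
    pkt = ah_protect(key, "10.0.0.1", "10.0.0.2", 17, b"hello over UDP", spi=0x1000, seq=1)
    results = {"intact": ah_verify(key, pkt) is not None}
    hopped = bytearray(pkt); hopped[8] -= 1                       # a router decrements TTL
    results["ttl_decrement_ok"] = ah_verify(key, bytes(hopped)) is not None
    spoofed = bytearray(pkt); spoofed[12:16] = socket.inet_aton("192.0.2.9")   # forged source
    results["spoofed_src_rejected"] = ah_verify(key, bytes(spoofed)) is None
    tampered = bytearray(pkt); tampered[-1] ^= 0x01               # one payload bit flipped
    results["tampered_payload_rejected"] = ah_verify(key, bytes(tampered)) is None
    results["wrong_key_rejected"] = ah_verify(b"other-key", pkt) is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running demo() shows the property AH is built for: a TTL decrement on the path leaves the ICV valid, while a changed source address, a flipped payload byte or a different key all fail verification. Nothing in the packet is hidden, which is why AH is paired with ESP when confidentiality is also needed.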

Encapsulating Security Payload (ESP) - Encrypts the data in each
packet to defeat eavesdropping, and can optionally carry its own
integrity check so that encrypted traffic cannot be altered
undetected either. When this was written the most common ESP
cipher was 56-bit DES; DES is now considered inadequate and has
been superseded by 3DES and AES, which ESP accommodates because
the protocol is independent of the cipher in use. ESP with
encryption but no integrity protection should be avoided, since
an attacker can then modify the ciphertext without detection.

Internet Key Exchange (IKE) - Lets the two nodes authenticate
each other and agree on authentication methods, encryption
algorithms, the keys to use and the keys' lifetime. IKE uses a
Diffie-Hellman exchange, so both ends derive matching session
keys without a key ever being sent across the network.

AH and ESP provide the means to protect data from tampering,
prevent eavesdropping and verify the origin of the data. IKE
provides a secure method of exchanging keys and negotiating which
protocols and algorithms to use. The parameters negotiated by IKE
are stored in a Security Association (SA). The SA is like a
contract laying out the rules of the VPN connection for the
duration of the SA. An SA is one-way, so a two-way conversation
uses a pair of SAs, one in each direction. Each SA is assigned a
32-bit number called the Security Parameters Index (SPI); the
SPI, the destination IP address and the security protocol (AH or
ESP) together uniquely identify the SA, and the receiver uses the
SPI carried in every AH or ESP header to find the right SA for an
incoming packet.

To tie this all together, let's look at an example. User A
wants to send data to User B. User A's router (router A) has
a security policy applied with a rule that says all traffic to
User B needs to be encrypted. User B's router (router B) will
be the other end of an IPSEC tunnel. Router A checks to see if
an IPSEC SA exists between it and router B. If it doesn't,
router A will request an IPSEC SA from IKE. If an IKE SA exists
between the two routers, an IPSEC SA is issued. If an IKE SA
does not exist, one has to be negotiated first, with the routers
authenticating each other, in this example using certificates
issued by a third-party certificate authority (CA) that both
routers trust (a pre-shared key is the other common choice).
Once the IKE SA is agreed upon by the routers, an IPSEC SA can
be issued, and secure, encrypted communications can begin.
IKEv1 calls these two stages Phase 1 and Phase 2. The whole
process is transparent to User A and User B.

The basic steps for setting up an IPSEC connection are as
follows:

  1. Set up an IKE SA (the two peers authenticate each other and
     derive shared keying material).
  2. Agree upon the protocols, algorithms, keys and lifetime for
     the traffic. Create the IPSEC SA (one for each direction).
  3. Start sending data.
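As an added example (not part of the original newsletter) covering the IKE and SA paragraphs above and the three steps just listed, the Python below runs a simplified key exchange between two routers and installs the resulting security associations. It follows the shape of the real protocol: a Diffie-Hellman exchange in which only public values cross the wire, key material derived from the shared secret and both nonces with an HMAC-based prf+ modelled on IKEv2 (RFC 7296), one SA per direction, and an SA table keyed by (destination address, protocol, SPI) with the SPI chosen by the receiving side. It deliberately omits the certificate or pre-shared-key authentication step, so on its own it would not resist an active attacker sitting between the routers. The group parameters, addresses and names (Router, establish_tunnel, prf_plus) are constructed for this example, and p = 2**255 - 19 stands in for a standard MODP group.

```python
import hashlib
import hmac
import secrets
import struct

ESP_PROTOCOL = 50   # IP protocol number of ESP; AH is 51

# Toy Diffie-Hellman group, constructed for this example. p = 2**255 - 19 is prime,
# but it is not one of the MODP groups IKE negotiates (RFC 2409 groups 1 and 2,
# RFC 3526 group 14 and up); substitute a standard (p, g) for anything real.
P = 2**255 - 19
G = 2
KEY_LEN = 20        # bytes of key per SA (e.g. HMAC-SHA-1); the negotiated algorithms decide this


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's pseudo-random function, instantiated here as HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """Expand keying material as IKEv2's prf+ does (RFC 7296 section 2.13):
    T1 = prf(K, S | 0x01), T2 = prf(K, T1 | S | 0x02), ... concatenated, then truncated."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


class Router:
    def __init__(self, addr: str):
        self.addr = addr
        self.sa_table = {}                          # (dst_ip, protocol, spi) -> SA state
        self._x = secrets.randbelow(P - 3) + 2      # private exponent in [2, p-2]; never leaves this host
        self.dh_public = pow(G, self._x, P)         # g^x mod p, sent to the peer in the clear
        self.nonce = secrets.token_bytes(16)
        # The receiver of an SA picks its SPI; values 1-255 are reserved, so stay above them.
        self.inbound_spi = struct.unpack("!I", secrets.token_bytes(4))[0] | 0x100

    def derive_keys(self, peer_public: int, peer_nonce: bytes, initiator: bool):
        """Combine the DH result with both nonces into SKEYSEED, then expand it into
        one key per direction. Both sides must order the nonces initiator-first."""
        g_xy = pow(peer_public, self._x, P)         # equals g^(xy) mod p on both ends
        n_i, n_r = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        skeyseed = prf(n_i + n_r, g_xy.to_bytes(32, "big"))
        keymat = prf_plus(skeyseed, n_i + n_r, 2 * KEY_LEN)
        k_i2r, k_r2i = keymat[:KEY_LEN], keymat[KEY_LEN:]        # initiator->responder first
        return (k_i2r, k_r2i) if initiator else (k_r2i, k_i2r)   # (my outbound, my inbound)

    def install_sas(self, out_key: bytes, in_key: bytes, peer_addr: str, peer_spi: int):
        """Two one-way SAs, each indexed by the triple the receiving side will look up."""
        self.sa_table[(self.addr, ESP_PROTOCOL, self.inbound_spi)] = {"key": in_key, "peer": peer_addr, "seq": 0}
        self.sa_table[(peer_addr, ESP_PROTOCOL, peer_spi)] = {"key": out_key, "peer": peer_addr, "seq": 0}

    def lookup(self, dst_ip: str, protocol: int, spi: int):
        """What a receiver does for every incoming AH/ESP packet: find the SA by (dst, proto, SPI)."""
        return self.sa_table.get((dst_ip, protocol, spi))


def establish_tunnel(a: Router, b: Router) -> bool:
    """a initiates. Only dh_public, nonce and inbound_spi of each side cross the wire;
    the private exponents and the derived keys never do. Returns True when both
    routers hold matching keys for each direction."""
    a_out, a_in = a.derive_keys(b.dh_public, b.nonce, initiator=True)
    b_out, b_in = b.derive_keys(a.dh_public, a.nonce, initiator=False)
    a.install_sas(a_out, a_in, b.addr, b.inbound_spi)
    b.install_sas(b_out, b_in, a.addr, a.inbound_spi)
    return a_out == b_in and b_out == a_in and a_out != b_out


if __name__ == "__main__":
    ra, rb = Router("203.0.113.1"), Router("203.0.113.2")   # constructed addresses
    print("keys agree:", establish_tunnel(ra, rb))
    print("SA for packets to router B with SPI %#x found:" % rb.inbound_spi,
          rb.lookup(rb.addr, ESP_PROTOCOL, rb.inbound_spi) is not None)
```

The two checks worth noticing when you run it: the keys for the A-to-B direction match on both routers while differing from the B-to-A keys, and a packet arriving at router B is matched to its SA purely by the (destination, ESP, SPI) triple, so a wrong SPI finds nothing even though the address and protocol are right.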

In the next newsletter, we will put this knowledge to use by
setting up a VPN between a branch office and a main office
using two 1700 series routers and Cisco IOS plus IPSEC. If
you want to do some homework, try the following links:

- Understanding the IPSEC Protocol Suite White Paper
- Cisco IPSEC White Paper
- An introduction to IPSEC Encryption

© 1999 - 2008 CramSession. All Rights Reserved.