If you need to refresh your understanding of IPSec, read through the following material.
The primary goal of IPSec is to provide protection for IP packets. IPSec is based on an end-to-end security model, which means that the only hosts that must know about the IPSec protection are the sender and the receiver.
Any intermediary network devices, such as routers, hubs, or switches, do not need to be aware of IPSec nor be IPSec enabled.
Each computer handles security at its own end under the assumption that the medium over which the communication takes place is not secure.
The table below illustrates a partial list of the most common network attacks:
|A sniffer is an application or device that can monitor and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Microsoft Network Monitor is an example of a network sniffer.
||IPSec defeats sniffer attacks by encrypting the data, thus making it appear as garbage to the network sniffer.
|The attacker could modify a message in transit and send counterfeit data, which could prevent the receiver from getting the correct information or could allow the attacker to get secure information.
||IPSec prevents data from being modified in transit by creating a cryptographic checksum at the time it is sent. If the data is modified during transit, the checksum becomes invalid and IPSec discards the packet.
| An attacker could use a stolen password or key, or attempt to break the password if it is a simple password.
|| IPSec users sophisticated encryption algorithms that make it virtually impossible to obtain a key that would be able to decrypt a message.
| An attacker can use special programs to construct IP packets that appear to originate from valid addresses inside the trusted network.
|| Address spoofing
|| IPSec protects against spoofing by using digital signatures on messages, via a process of non-repudiation.
| This attack targets application servers by exploiting weaknesses in the server operating system and applications.
|| Application layer
|| IPSec does not protect against application layer attacks because the programs is with the network application.
However, application layer attacks can be minimized by allowing only authorized, authenticated users access to servers running such applications.
In this attack, someone between the two communicating computers actively monitors, captures, and controls
the data transparently. (For example, the attacker may reroute a data exchange)
IPSec protects from these attacks via non-repudiation and digital signatures that are added to IPSec
|The goal of this attack is to prevent normal use of computers or network resources. For example, an attacker using this sort of attack might flood e-mail accounts with unsolicited messages.
||IPSec does not protect against denial-of-service attacks. However, you can minimize denial-of-service attacks by allowing only trusted, authenticated users to access your important servers.
The following features of IPSec address all of these methods of attack:
Encapsulating Security Payload (ESP) protocol: ESP provides data privacy by encrypting the IP packets.
Cryptography-based keys: Encrypted keys, which are shared by the communicating systems, create a digital checksum for each IP packet. Any
modifications to the packet will alter the checksum, showing the receiver that the packet has been changed in transit. Different keys are
used for each segment of the overall protection scheme, and new keys can be generated as often as IPSec policy dictates. This explains why
you cannot use IPSec across a NAT. When the NAT changes the source IP address on the request, the IPSec algorithms interprets it as
altered and discards the packet as invalid.
Automatic key management: Long key lengths and dynamic re-keying during on-going communications help protect against attacks. IPSec uses
the Internet Security Association and Key Management Protocol (ISAKMP) to dynamically exchange and manage cryptography-based keys between
Automatic security negotiation: IPSec uses ISAKMP to dynamically negotiate a mutual set of security requirements between communicating
computers. The computers do not need identical policies; a computer only needs a policy configured with enough negotiation options to
establish a common set of requirements with another computer.
Network-layer security: IPSec exists at the network layer, providing automatic security for all applications. Because IPSec uses layer 3
security protocol, applications do not need to be "aware" of IPSec and do not have to be configured to use IPSec. This is in
contrast with higher-level protocols such as SSL, where applications must be written specifically to support SSL.
Mutual authentication: IPSec allows the exchange and verification of identities while preventing an attacker from obtaining this
information. Mutual verification (authentication) is used to establish trust between the communicating systems. Only trusted systems can
exchange meaningful information. Users do not have to be in the same domain to communicate with IPSec protection. They can each be in any
trusted domain in the enterprise. Communication is encrypted, making it difficult to identify and interpret the information.
IP packet filtering: This filtering process enables, allows, or blocks communications as necessary by specifying address ranges, protocols, or even specific protocol ports.