
Protect data with IPSec

IPsec provides secure tunnels between two peers, such as two routers or switches. More accurately, these tunnels are sets of security associations (SAs) that are established between two IPsec peers. The SAs define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers. SAs are unidirectional and are established per security protocol (Authentication Header (AH) or Encapsulating Security Payload (ESP)). Multiple IPsec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of SAs. For example, some data streams might be authenticated only while other data streams must both be encrypted and authenticated.

Overview of IPSec

A policy must exist that defines the required IPsec parameters. An IPsec policy specifies several parameters, including the encryption and authentication algorithms used while setting up a secure connection. IPsec is a policy-driven protocol: a secure connection is established between two computers only if a policy exists that names both machines as participants in secure communication.

An exchange between peers must occur to calculate security keys. Outbound and inbound processing then uses the negotiated security association (SA) and keys. When an outbound IP packet matches an entry in the IP filter list whose action is to negotiate security, the IPsec driver queues the packet and notifies Internet Key Exchange (IKE), which begins security negotiations with the destination IP address of that packet.
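As an added illustration (not code from the original page), a small Python model of the outbound path just described: a policy lookup against the IP filter list, a check for the unidirectional, per-protocol SAs that IPsec requires (separate ESP and AH SAs, and separate tunnels for an authenticate-only stream and an encrypt-and-authenticate stream), and a hand-off to IKE when no SA exists yet. The addresses, SPI values and policy entries are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class SA:
    spi: int        # Security Parameter Index identifying this SA at the receiver
    dst: str        # unidirectional: one outbound SA per destination and protocol
    protocol: str   # "AH" (authentication only) or "ESP" (encryption + authentication)

@dataclass(frozen=True)
class Policy:
    src_net: str
    dst_net: str
    action: str             # "bypass", "discard" or "protect"
    protocols: tuple = ()   # protocols whose SAs are required when "protect"

class IPsecDriver:
    def __init__(self, policies):
        self.spd = list(policies)   # IP filter list, first match wins
        self.sad = {}               # (dst, protocol) -> outbound SA, filled by IKE
        self.ike_queue = []         # (dst, protocols) negotiations handed to IKE

    def lookup_policy(self, src, dst):
        for p in self.spd:
            if ip_address(src) in ip_network(p.src_net) and ip_address(dst) in ip_network(p.dst_net):
                return p
        return None

    def outbound(self, src, dst):
        p = self.lookup_policy(src, dst)
        if p is None or p.action == "discard":
            return "discard"        # no policy names both peers: no secure connection
        if p.action == "bypass":
            return "bypass"
        sas = [self.sad.get((dst, proto)) for proto in p.protocols]
        if any(sa is None for sa in sas):
            self.ike_queue.append((dst, p.protocols))   # queue packet, notify IKE
            return "queued"
        return "protect:" + "+".join(f"{sa.protocol}(spi={sa.spi:#x})" for sa in sas)
def demo():
    drv = IPsecDriver([Policy("10.1.0.0/16", "10.2.0.5/32", "protect", ("AH",)),
                       Policy("10.1.0.0/16", "10.2.0.6/32", "protect", ("ESP", "AH")),
                       Policy("10.1.0.0/16", "0.0.0.0/0", "bypass")])
    out = [drv.outbound("10.1.0.9", "10.2.0.6")]          # no SAs yet -> "queued"
    for dst, protos in drv.ike_queue:                      # stand-in for IKE completing
        for i, proto in enumerate(protos):
            drv.sad[(dst, proto)] = SA(0x1000 + i, dst, proto)
    out.append(drv.outbound("10.1.0.9", "10.2.0.6"))       # separate ESP and AH SAs
    out.append(drv.outbound("10.1.0.9", "8.8.8.8"))        # matches the bypass policy
    return out
```

Note that the SAs installed here are outbound only; a real exchange also installs the inbound SAs for the reverse direction, each with its own SPI.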

IKE is also known as ISAKMP/Oakley. ISAKMP stands for Internet Security Association and Key Management Protocol, and it incorporates a number of protocols used to manage security associations and key management for secure communications.

Data is then exchanged between the peers using the SA to control encryption for the session.