IP packets, the basic elements of internet data communication, are made up of two parts: user data such as speech, text, or images, and header data containing, among other elements, the addresses of the sender and the recipient. The biggest issue with these packets, as they pass through various routers on their way to the recipient, is that the Internet Protocol has no encryption or authentication mechanisms of its own. This means that data is transferred unencrypted from router to router and can be read or tampered with, so the three pillars of information security – confidentiality, authenticity, and integrity – are not guaranteed.

For this reason, the protocol suite Internet Protocol Security, or IPsec for short, was developed to give the Internet Protocol vastly improved protection. Together, the two ensure reliable security for packet transfers over open networks, which is why IPsec is an important building block for many VPN (virtual private network) connections.

What is IPsec?

IPsec is a protocol suite whose architecture was proposed as a standard by the Internet Engineering Task Force (IETF), an organization concerned with the technical advancement of the internet. IPsec was developed for the newest version of the Internet Protocol (IPv6) and retroactively also for IPv4. It can be divided into the following three function groups:

  • Transfer protocols: Authentication Header (AH), Encapsulating Security Payload (ESP)
  • Key management: Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE)
  • Databases: Security Association Database (SAD), Security Policy Database (SPD)

Through the two transfer protocols, AH and ESP, IPsec guarantees the authenticity and integrity of sent data, ensuring that content from the sender reaches the recipient unaltered. For this purpose, AH offers data origin authentication, which confirms that the packet really comes from the claimed sender, and integrity protection for the packet during transfer. Additionally, the AH header carries a sequence number, which lets the receiver detect and drop packets that are delivered more than once (replays).
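The sequence number only protects against replays if the receiver keeps track of what it has already accepted. The following Python sketch is an added example, not code from the original article or from any IPsec implementation: it models the receiver-side sliding window that AH and ESP use for this purpose (a bitmap covering the most recent sequence numbers below the highest one accepted). The window size and the packet stream in the usage block are constructed sample values.

```python
"""Added illustration, not code from the article: the receiver-side
anti-replay window that gives the AH/ESP sequence number its value.
Window size and the packet stream below are constructed sample values."""

WINDOW_SIZE = 64  # RFC 4302/4303 require at least 32 entries; 64 is common


class ReplayWindow:
    """Remembers the highest sequence number accepted and a bitmap of the
    WINDOW_SIZE numbers at or below it; anything older is rejected outright."""

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (highest - i) was seen

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is fresh, False if it is a replay
        or has fallen out of the window. Sequence numbers start at 1."""
        if seq == 0:
            return False
        if seq > self.highest:
            # new high-water mark: slide the window and mark the new top
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False            # too old: outside the window
        if self.bitmap & (1 << offset):
            return False            # duplicate: already accepted once
        self.bitmap |= 1 << offset  # late but fresh: accept and record
        return True


def filter_stream(seqs: list, size: int = WINDOW_SIZE) -> list:
    """Run a sequence-number stream through one window; True = packet accepted."""
    window = ReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # constructed stream: in-order, one reordered, two replays, a jump past the window
    stream = [1, 2, 3, 5, 4, 3, 2, 70, 6, 7, 70]
    for seq, ok in zip(stream, filter_stream(stream)):
        print(f"seq {seq:3d}: {'accepted' if ok else 'dropped'}")
```

The window accepts packet 4 when it arrives after 5 (reordering is normal on IP networks), but drops the second copies of 3 and 2, and after the jump to 70 it also drops 6, which has fallen more than 64 positions behind and can no longer be distinguished from a replay.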

The ESP protocol provides encryption of the packet in addition to origin authentication and integrity protection. ESP authentication differs from that of AH, however, in that it does not cover the outer IP header. Thanks to an additional encapsulation, ESP content can therefore be delivered securely across networks with network address translation (NAT), which are typical of private DSL connections. The IKE protocol is primarily responsible for managing the keys used by ESP: it negotiates the security associations between sender and recipient, uses the Diffie-Hellman algorithm for secure key exchange, and implements the definitions of the ISAKMP framework.

The information needed for packet transfer with IPsec is stored in two local databases, the SPD and the SAD. The entries in the SPD (security policy database) determine which transmission protocol – AH, ESP, or both – is to be used for a secure connection. The SAD (security association database) manages the individual security association entries provided by the IKE protocol, giving the sender the encryption key and the receiver the corresponding decryption key.

The two types of IPsec: Tunnel vs Transport

There are two transfer modes for secure connections with IPsec: transport mode, in which two end hosts are connected directly, and tunnel mode, which creates a connection between two IP networks.

Transport mode

When IPsec is used in transport mode, the header of the transmission protocol (AH or ESP) is inserted between the IP header of the packet, which remains untouched, and the user data. Protection begins at the sender and lasts throughout the transfer until the target computer is reached; only after the packet has been received is the original user data extracted and made available to the recipient. This means that the cryptographic and the communicative endpoints are identical. Transport mode has the advantage of very quick processing, but it only secures the user data, while the source and target addresses remain unprotected. In practice, this mode is common for host-to-host or host-to-router connections, e.g. for network management.

Tunnel mode

In tunnel mode, the packet receives a completely new IP header, behind which both the original source and target addresses are hidden together with the user data. The header of the transfer protocol is inserted as well, just as in transport mode, so the original packet is encapsulated in its entirety. The new, outer IP header defines the cryptographic endpoint, which is not identical to the actual communication endpoint stored in the inner IP header. Only once the packet reaches this cryptographic endpoint, known as a security gateway, can it be decrypted and forwarded to the intended recipient. Data transfer in tunnel mode is typically carried out from gateway to gateway; host-to-gateway and host-to-host connections are also possible.
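Putting the two databases and the two modes together, the following Python sketch is an added example, not code from the original article or from any IPsec implementation. It walks a packet through the outbound path (SPD lookup, SAD lookup, ESP encapsulation) and the inbound path (SA lookup by SPI, integrity check, decapsulation) in both transport and tunnel mode, so that the difference in the outer header is visible as bytes: in tunnel mode the outer addresses are the two gateways, in transport mode they are the original hosts, and in both cases the receiver restores the original packet and rejects a packet whose content was altered in transit. Assumptions, all of them simplifications: a minimal IPv4 header with a zero checksum, an SPD of prefix selectors with RFC 4301's default discard, an SAD keyed by SPI alone, SAs installed by hand where IKE would negotiate them, and ESP with NULL encryption (integrity only, which RFC 2410 permits) carrying an HMAC-SHA-256-128 ICV; all addresses, keys and payloads are constructed sample values.

```python
"""Added illustration, not the article's code: SPD/SAD lookup plus ESP in transport
and tunnel mode. Assumes a minimal IPv4 header, an SAD keyed by SPI, hand-installed
SAs (IKE omitted) and ESP with NULL encryption (RFC 2410) and an HMAC-SHA-256-128 ICV."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
ESP_PROTO = 50        # protocol number of ESP in the (outer) IP header
IPIP_NEXT_HEADER = 4  # ESP next-header value: an IPv4 packet follows (tunnel mode)
ICV_LEN = 16          # HMAC-SHA-256-128 truncates the MAC to 128 bits
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # ver/IHL,TOS,len,id,frag,TTL,proto,csum,src,dst

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Pack a 20-byte IPv4 header (checksum left zero for brevity) plus payload."""
    return IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed) + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for a packet built by build_ipv4."""
    f = IPV4_HDR.unpack_from(pkt)
    return str(ip_address(f[8])), str(ip_address(f[9])), f[6], pkt[IPV4_HDR.size:]

@dataclass
class Policy:  # SPD entry: traffic selectors, action, and for "protect" the mode and SA
    src_net: str
    dst_net: str
    action: str              # "protect", "bypass" or "discard"
    mode: str = "transport"  # "transport" or "tunnel"
    spi: int = 0             # outbound SA to use when action == "protect"

@dataclass
class SecurityAssociation:  # SAD entry: one direction; the peer holds the matching entry
    spi: int
    mode: str
    auth_key: bytes
    local_gw: str = ""   # tunnel mode only: outer source address
    remote_gw: str = ""  # tunnel mode only: outer destination address
    seq: int = 0         # sequence number, incremented per protected packet

def spd_lookup(spd: list, src: str, dst: str) -> Policy:
    """First matching policy wins; RFC 4301 mandates discard when nothing matches."""
    for p in spd:
        if ip_address(src) in ip_network(p.src_net) and ip_address(dst) in ip_network(p.dst_net):
            return p
    return Policy("0.0.0.0/0", "0.0.0.0/0", "discard")

def esp_encapsulate(sa: SecurityAssociation, data: bytes, next_header: int) -> bytes:
    """ESP header (SPI, seq) + data + trailer (pad length, next header) + ICV."""
    sa.seq += 1
    body = struct.pack("!II", sa.spi, sa.seq) + data + struct.pack("!BB", 0, next_header)
    return body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_decapsulate(sa: SecurityAssociation, esp: bytes):
    """Verify the ICV before trusting anything else; return (next_header, data)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet altered in transit or wrong key")
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return next_header, body[8:len(body) - 2 - pad_len]

def outbound(spd: list, sad: dict, pkt: bytes):
    """Sender: consult the SPD, then protect the packet with the selected SA."""
    src, dst, proto, payload = parse_ipv4(pkt)
    policy = spd_lookup(spd, src, dst)
    if policy.action != "protect":
        return pkt if policy.action == "bypass" else None
    sa = sad[policy.spi]
    if sa.mode == "transport":  # original header kept; ESP sits between it and the data
        return build_ipv4(src, dst, ESP_PROTO, esp_encapsulate(sa, payload, proto))
    # tunnel mode: the whole original packet becomes ESP data under a new outer header
    return build_ipv4(sa.local_gw, sa.remote_gw, ESP_PROTO, esp_encapsulate(sa, pkt, IPIP_NEXT_HEADER))

def inbound(sad: dict, pkt: bytes) -> bytes:
    """Receiver: find the SA by SPI, check the ICV, restore the original packet."""
    src, dst, proto, esp = parse_ipv4(pkt)
    if proto != ESP_PROTO:
        return pkt
    sa = sad[struct.unpack("!I", esp[:4])[0]]  # a real SAD lookup also matches the dst address
    next_header, data = esp_decapsulate(sa, esp)
    if next_header == IPIP_NEXT_HEADER:
        return data  # tunnel mode: the inner packet is the original, addresses intact
    return build_ipv4(src, dst, next_header, data)  # transport mode: re-attach the header

def demo(mode: str) -> dict:
    """Constructed sample: a UDP packet 10.0.1.5 -> 10.0.2.7, protected in `mode`."""
    original = build_ipv4("10.0.1.5", "10.0.2.7", 17, b"constructed payload")
    spd = [Policy("10.0.1.0/24", "10.0.2.0/24", "protect", mode, spi=0x1000)]
    sad = {0x1000: SecurityAssociation(0x1000, mode, b"constructed-demo-key",
                                       "203.0.113.1", "198.51.100.1")}
    wire = outbound(spd, sad, original)
    tampered = wire[:-20] + bytes([wire[-20] ^ 0x01]) + wire[-19:]  # flip one data byte
    try:
        inbound(sad, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"outer": parse_ipv4(wire)[:3], "restored_ok": inbound(sad, wire) == original,
            "tamper_detected": tamper_detected}
```

Calling `demo("tunnel")` reports the outer header as `203.0.113.1 -> 198.51.100.1`, protocol 50, with the original packet restored on the far side; `demo("transport")` keeps `10.0.1.5 -> 10.0.2.7` in the outer header and only the payload inside ESP. The sender and receiver share one SAD object here purely for brevity: real SAs are unidirectional, so each peer holds its own inbound entry with the same SPI and key, and the receiver would also run the anti-replay check on `seq`.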

IPsec: strengths and weaknesses

In VPNs, the most common application area of the protocol suite, IPsec has a decisive advantage over alternatives like SSL: it works at the network level, independently of any application. Once the connection is established, different kinds of data, such as e-mail, file transfers, or IP telephony, can be sent without installing program-specific tools. This makes the protocol suite the most cost-effective solution for VPN connections. On the other hand, using IPsec for remote access requires special client software that must be installed, configured, and maintained on each client individually. The application independence can also quickly lead to unauthorized access problems if the connection is not protected by a central firewall, since a breach would put all applications at risk.

What is undeniable, however, is the performance and reliability of IPsec: if problems occur, another gateway can be brought up effortlessly on a clustered system while thousands of users are simultaneously supplied with data packets. Lastly, thanks to its high level of security, IPsec is seen as the best solution for all sensitive data and for internal company traffic systems that don't permit anonymous users.
