IPsec VPN: Understanding IPsec Components and Modes for Secure Data Transmission, Study Guides, Projects, Research of Network security

An in-depth understanding of IPsec, a suite of protocols used for securing data transmitted over public networks. Learn about IPsec components such as Encapsulating Security Payload (ESP) and Authentication Header (AH), Internet Key Exchange (IKE), and Diffie-Hellman key exchange. Discover how IPsec works, its modes (transport and tunnel), and the negotiation process. Useful for university students studying network security.

Typology: Study Guides, Projects, Research

2021/2022

Uploaded on 12/12/2022

tuan-ngo-minh

PROGRAM TITLE: BTEC in Computing (Network Engineering)
UNIT TITLE:
ASSIGNMENT NUMBER:
ASSIGNMENT NAME:
SUBMISSION DATE:
DATE RECEIVED:
TUTORIAL LECTURER:
WORD COUNT:
STUDENT NAME:
STUDENT ID:
MOBILE NUMBER:


Summative Feedback:

IPsec VPN.

a) Definition.

  • IPsec stands for Internet Protocol Security. It is a suite of protocols and algorithms for securing data transmitted over the internet or any other public network, developed by the Internet Engineering Task Force (IETF).
  • IPsec provides data authentication, integrity, and confidentiality. It defines how packets are encrypted, decrypted and authenticated, and it also defines the protocols needed for secure key exchange and key management.
  • A virtual private network (VPN) is an encrypted connection between two or more computers. VPN connections take place over public networks, but the data exchanged over the VPN is still private because it is encrypted.
  • VPNs make it possible to securely access and exchange confidential data over shared network infrastructure, such as the public Internet. For instance, when employees are working remotely instead of in the office, they often use VPNs to access corporate files and applications.
  • Many VPNs use the IPsec protocol suite to establish and run these encrypted connections. However, not all VPNs use IPsec. Another protocol for VPNs is SSL/TLS, which operates at a different layer in the OSI model than IPsec. (The OSI model is an abstract representation of the processes that make the Internet work.)
  • Uses of IPsec:
      - To encrypt application layer data.
      - To provide security for routers sending routing data across the public internet.
      - To provide authentication without encryption, for example to verify that the data originates from a known sender.
      - To protect network data by setting up circuits using IPsec tunneling, in which all data sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN) connection.

b) IPsec components.

1. Encapsulating Security Payload (ESP).

  • ESP provides confidentiality (encryption), integrity, authentication, and anti-replay protection by encrypting the IP header and payload of each packet. However, in transport mode only the payload is encrypted; the original IP header stays in the clear.
      Confidentiality:

which provides a framework for authentication and key exchange. ISAKMP defines how Security Associations (SAs) are set up and how direct connections between two hosts using IPsec are established.

  • Internet Key Exchange (IKE) provides message content protection and also an open framework for implementing standard algorithms such as SHA and MD5. The hash algorithm IPsec uses produces a unique identifier (an integrity check value) for each packet. This identifier allows the receiving device to determine whether a packet is authentic and unmodified. Packets that fail this check are discarded and never passed to the receiver.
  • Diffie-Hellman key exchange is a method for two parties to securely establish a shared cryptographic key over a public channel without the key itself ever being transmitted. The two parties then use symmetric cryptography with that key to encrypt and decrypt their messages.
  • Diffie-Hellman key exchange raises numbers to a selected power (modular exponentiation) to produce the shared key. The secret components of the key are never directly transmitted, which makes the task of a would-be code breaker mathematically overwhelming. No secret information is shared during the exchange: the two parties need no prior knowledge of each other, yet they create a key together.
  • The goal of Diffie-Hellman key exchange is to securely establish a channel for creating and sharing a key for symmetric key algorithms. Generally, it's used for encryption, password-authenticated key agreement and forward secrecy. Password-authenticated key agreement is used to prevent man-in-the-middle (MitM) attacks. Forward-secrecy protocols limit the damage of a key compromise by generating new key pairs for each session.
  • To implement Diffie-Hellman, two end users, Alice and Bob, mutually agree on positive whole numbers p and q, such that p is a prime number and q is a generator modulo p. The generator q is a number that, when raised to positive whole-number powers less than p (and reduced mod p), never produces the same result for any two such powers. The value of p may be large, but the value of q is usually small.

  • Once Alice and Bob have agreed on p and q, they each choose a positive whole-number personal (private) key, a and b respectively, both less than the prime modulus p. Neither user divulges their personal key to anyone; ideally, they memorize these numbers and don't write them down or store them anywhere. Next, Alice and Bob compute public keys a* and b* from their personal keys according to the following formulas:

      a* = q^a mod p
      b* = q^b mod p

  • The two users can share their public keys a* and b* over a communications medium assumed to be insecure, such as the internet or a corporate wide area network. From these public keys, a number x can be generated by either user using their own personal key. Alice computes x with the following formula:

      x = (b*)^a mod p

  • Bob computes x with the following formula:

      x = (a*)^b mod p

  • The value of x is the same from either formula, because (q^b)^a = (q^a)^b = q^(ab) mod p. However, the personal keys a and b, which are critical in the calculation of x, have never been transmitted over the public medium. Because x is a large and apparently random number, a potential attacker has almost no chance of guessing it correctly, even with a powerful computer conducting millions of trials. The two users can therefore, in theory, communicate privately over a public medium with an encryption method of their choice, using x as the key.
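The exchange above, worked through in the same notation (p, q, a, b, a*, b*, x), as an added example that is not part of the original assignment. The values p = 23, q = 5, a = 6, b = 15 are constructed toy numbers; the `is_generator` check implements the "never produces the same result twice" property the text describes, and `brute_force_private` shows why p must be large in practice: with a tiny modulus an eavesdropper recovers a from a* by trial, which is exactly what real IKE groups (2048-bit and larger primes, or elliptic curves) make infeasible.

```python
"""Diffie-Hellman in the notation used above: p, q, a, b, a*, b*, x.
Added example; not code from the original assignment. Toy-sized numbers only:
real IKE uses 2048-bit+ MODP groups (RFC 3526) or elliptic-curve groups."""

import secrets
from typing import Optional


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def is_generator(q: int, p: int) -> bool:
    """q is a generator mod p when q^1, q^2, ..., q^(p-1) (mod p) are all distinct."""
    seen = set()
    for k in range(1, p):
        v = pow(q, k, p)
        if v in seen:
            return False
        seen.add(v)
    return True


def public_key(q: int, private: int, p: int) -> int:
    """a* = q^a mod p  (or b* = q^b mod p)."""
    return pow(q, private, p)


def shared_secret(peer_public: int, private: int, p: int) -> int:
    """x = (b*)^a mod p on Alice's side, x = (a*)^b mod p on Bob's side."""
    return pow(peer_public, private, p)


def dh_exchange(p: int, q: int, a: Optional[int] = None, b: Optional[int] = None) -> dict:
    """Run the full exchange: returns what went over the wire plus both sides' x."""
    if not is_prime(p):
        raise ValueError("p must be prime")
    if not is_generator(q, p):
        raise ValueError("q must be a generator mod p")
    # Personal keys are chosen at random in 1..p-2 unless given explicitly.
    a = a if a is not None else secrets.randbelow(p - 2) + 1
    b = b if b is not None else secrets.randbelow(p - 2) + 1
    a_star = public_key(q, a, p)
    b_star = public_key(q, b, p)
    return {
        "a_star": a_star,                       # transmitted in the clear
        "b_star": b_star,                       # transmitted in the clear
        "x_alice": shared_secret(b_star, a, p),  # never transmitted
        "x_bob": shared_secret(a_star, b, p),    # never transmitted
    }


def brute_force_private(q: int, public: int, p: int) -> int:
    """What an eavesdropper holding (p, q, a*) must do: find a with q^a = a* mod p.
    Trivial for a 5-bit p; infeasible for the group sizes IKE actually uses."""
    for guess in range(1, p):
        if pow(q, guess, p) == public:
            return guess
    raise ValueError("no solution")


if __name__ == "__main__":
    result = dh_exchange(23, 5, a=6, b=15)
    print(result)                                   # x_alice == x_bob == 2
    print("a recovered from a*:", brute_force_private(5, result["a_star"], 23))
```

Both sides arrive at the same x because (q^b)^a and (q^a)^b are both q^(ab) mod p; the test values give a* = 8, b* = 19 and x = 2.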

4. Termination.

  • This is the final step and it involves terminating the IPsec secure channel. Termination occurs when the data exchange is complete or the session has timed out. Cryptographic keys are also discarded. To save system resources, the tunnel between two communicating parties is automatically torn down when the tunnel idle timeout period is reached.

d) IPsec modes.

  • In simple terms, transport mode secures data as it travels from one device to another, typically for a single session. Tunnel mode, by contrast, secures the entire data path from point A to point B, regardless of the devices in between.
  • Tunnel mode. Usually used between secured network gateways, IPsec tunnel mode enables hosts behind one gateway to communicate securely with hosts behind the other gateway. For example, users of systems in an enterprise branch office can securely connect with any systems in the main office if the branch office and main office have secure gateways acting as IPsec proxies for the hosts within their respective offices. The IPsec tunnel is established between the two gateway hosts, but the tunnel itself carries traffic from any hosts inside the protected networks. Tunnel mode is useful for protecting all traffic between two networks, from disparate hosts on either end.
  • Transport mode. A transport mode IPsec circuit is one in which two hosts set up a directly connected IPsec VPN connection. For example, this type of circuit might be set up to enable a remote information technology (IT) support technician to log in to a remote server to do maintenance work. IPsec transport mode is used in cases where one host needs to interact with another host. The two hosts negotiate the IPsec circuit directly with each other, and the circuit is usually torn down after the session is complete.

e) IPsec negotiation.
  • Host A checks whether an outgoing packet should be transmitted using IPsec. Such packets are protected by the sending system with the appropriate encryption method. Host B likewise checks incoming packets to see whether they are properly encrypted.
  • Phase 1 of IKE begins with the two hosts (using IPsec) authenticating themselves to each other to initiate a secure channel. The channel has two modes: Main mode provides higher security, and Aggressive mode allows the hosts to set up the IPsec circuit faster. This channel is then used to securely negotiate how the IPsec circuit will encrypt all data.
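The policy check in section e) ("host A checks whether the outgoing packet should be transmitted using IPsec") and the header-visibility difference between the two modes in section d) can be seen together in a small model. This is an added example, not code from the original assignment: the security policy database (`SPD`), the addresses, the SA key and the keystream cipher are all constructed for illustration (real ESP uses AES-GCM or AES-CBC with HMAC under keys negotiated by IKE, and the ESP next-header value is the number 50, written here as the string "ESP"). What the model does show faithfully is that in transport mode the original source and destination addresses remain visible to an on-path observer, while in tunnel mode only the gateway addresses do, and that the receiver verifies the integrity check value before decrypting.

```python
"""Model of an IPsec policy lookup followed by ESP transport or tunnel encapsulation.
Added example, not from the original assignment; addresses, policies, key and the
toy cipher are constructed. Real ESP: AES-GCM / AES-CBC+HMAC keyed by IKE-negotiated SAs."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class Policy:
    src_net: str
    dst_net: str
    action: str                     # "protect", "bypass" or "discard"
    mode: Optional[str] = None      # "transport" or "tunnel" when action == "protect"
    local_gw: Optional[str] = None  # tunnel endpoints (tunnel mode only)
    remote_gw: Optional[str] = None


# Constructed security policy database, evaluated in order; unmatched traffic is dropped.
SPD = [
    Policy("10.1.0.0/24", "10.2.0.0/24", "protect", "tunnel", "203.0.113.1", "198.51.100.1"),
    Policy("10.1.0.10/32", "192.0.2.5/32", "protect", "transport"),
    Policy("10.1.0.0/24", "10.1.0.0/24", "bypass"),
]
DEFAULT_DISCARD = Policy("0.0.0.0/0", "0.0.0.0/0", "discard")


def lookup_policy(spd, pkt: IPPacket) -> Policy:
    """Host A's outbound check: first policy whose selectors match the packet."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for pol in spd:
        if s in ipaddress.ip_network(pol.src_net) and d in ipaddress.ip_network(pol.dst_net):
            return pol
    return DEFAULT_DISCARD


def toy_encrypt(key: bytes, seq: int, data: bytes) -> bytes:
    """TOY stream cipher (SHA-256 counter keystream bound to the sequence number).
    Illustration only; XOR with the same keystream also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + seq.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def serialize(pkt: IPPacket) -> bytes:
    """Flatten an inner packet so tunnel mode can protect header and payload together."""
    return f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload


def esp_encapsulate(pkt: IPPacket, pol: Policy, key: bytes, seq: int) -> dict:
    if pol.mode == "transport":
        outer_src, outer_dst = pkt.src, pkt.dst        # original header stays in the clear
        protected = pkt.payload                         # only the payload is encrypted
    elif pol.mode == "tunnel":
        outer_src, outer_dst = pol.local_gw, pol.remote_gw  # gateways appear on the wire
        protected = serialize(pkt)                      # whole original packet is encrypted
    else:
        raise ValueError("protect policy needs a mode")
    ct = toy_encrypt(key, seq, protected)
    icv = hmac.new(key, seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:16]
    return {"src": outer_src, "dst": outer_dst, "next_header": "ESP",
            "seq": seq, "ciphertext": ct, "icv": icv}


def esp_decapsulate(wire: dict, pol: Policy, key: bytes) -> Optional[IPPacket]:
    """Receiver side: verify the ICV first; a failed check drops the packet (returns None)."""
    expected = hmac.new(key, wire["seq"].to_bytes(4, "big") + wire["ciphertext"],
                        hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, wire["icv"]):
        return None
    plain = toy_encrypt(key, wire["seq"], wire["ciphertext"])
    if pol.mode == "transport":
        return IPPacket(wire["src"], wire["dst"], plain)
    head, _, payload = plain.partition(b"|")
    src, dst = head.decode().split(">")
    return IPPacket(src, dst, payload)


def observer_view(wire: dict) -> dict:
    """What a passive on-path observer learns from one ESP packet."""
    return {"src": wire["src"], "dst": wire["dst"],
            "proto": wire["next_header"], "length": len(wire["ciphertext"])}


def send(pkt: IPPacket, spd=SPD, key: bytes = b"constructed-sa-key", seq: int = 1):
    """Outbound processing: policy lookup, then bypass / discard / ESP-protect."""
    pol = lookup_policy(spd, pkt)
    if pol.action == "discard":
        return None
    if pol.action == "bypass":
        return {"src": pkt.src, "dst": pkt.dst, "next_header": "plain", "payload": pkt.payload}
    return esp_encapsulate(pkt, pol, key, seq)


if __name__ == "__main__":
    inner = IPPacket("10.1.0.10", "10.2.0.7", b"hello")
    print("tunnel   :", observer_view(send(inner)))                       # gateways only
    print("transport:", observer_view(send(IPPacket("10.1.0.10", "192.0.2.5", b"hi"))))
```

Running it shows the tunnel-mode packet leaving as 203.0.113.1 to 198.51.100.1 with the 10.1.0.x addresses hidden inside the ciphertext, while the transport-mode packet still exposes 10.1.0.10 and 192.0.2.5; a packet matching no policy is dropped rather than sent unprotected.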