“If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.”
The Art of War, Sun Tzu
Introduction: Due to the increased threat of hacker attacks on the Internet, experts have developed application-specific security mechanisms, such as S/MIME and PGP for electronic mail, Kerberos for client-server authentication, and Secure Socket Layer (SSL) for Web access. For security reasons, organizations also need to block some URLs or links, and IP-level security is used for blocking specific links; it works better at preventing access to untrusted links and websites. IP-level security covers three functional areas: authentication, confidentiality and key management.
IP Security Overview: In response to these security issues, the IAB included authentication and encryption as necessary security features in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities were designed to be usable with both the current IPv4 and the future IPv6. This means that vendors can begin offering these features now, and many vendors already have some IPSec capability in their products.
- Application of IP Security: IP Security provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include the following:
- Secure branch office connectivity over the Internet
- Secure remote access over the Internet
- Establishing extranet and intranet connectivity with partners
- Enhancing electronic commerce security
- Benefits of IP Security: Some of the benefits of IP security are:
- When IP security is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.
- IP security in a firewall is resistant to bypass if all traffic from the outside must use IP, and the firewall is the only means of entrance from the internet into the organization.
- IP security is below the transport layer and so is transparent to applications. There is no need to change software on a user or server system when IP security is implemented in the firewall or router. Even if IP security is implemented in the end systems, upper-layer software, including applications, is not affected.
- IP security can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization.
- IP security can provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual sub-network within an organization for sensitive applications.
- Routing Application: In addition to supporting end users and protecting premises systems and networks, IP security can play a vital role in the routing architecture required for internetworking. The following are examples of the application of IP security to routing. IP security can assure that:
- A router advertisement comes from an authorized router.
- A neighbor advertisement comes from an authorized router.
- A redirected message comes from the router to which the initial packet was sent.
- A routing update is not forged.
IP Security Architecture: The IP security specification has become quite complex. To get a feel for the overall architecture, we begin with a look at the documents that define IP security. Then we discuss IP security and introduce the concept of security association.
- IP Security Documents: IP security consists of numerous documents. The most important of these, issued in November of 1998, are RFCs 2401, 2402, 2406 and 2408:
- RFC 2401: An overview of a security architecture
- RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
- RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
- RFC 2408: Specification of key management capabilities
In addition to these documents, the IP Security Protocol Working Group set up by the IETF has also published a number of drafts. These drafts are divided into seven groups, including the following:
- Encapsulating Security Payload (ESP)
- Authentication Header (AH)
- Encryption Algorithm
- Key Management
- Domain of Interpretation (DOI)
- IP Security Services: IP security provides security services at the IP layer by enabling a system to select the required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. The Authentication Header (AH) and the Encapsulating Security Payload (ESP) are the two protocols used to provide these services. The services are:
- Access Control
- Connectionless Integrity
- Data Origin Authentication
- Rejection of Replayed Packets
- Limited Traffic Flow Confidentiality
- Security Associations: The key concept that appears in both the authentication and confidentiality mechanisms for IP is the security association (SA). An SA is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it. A security association is uniquely identified by three parameters:
- Security Parameter Index (SPI)
- IP Destination Address
- Security Protocol Identifier
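As an added example, not part of the original text, the following Python sketch shows how a receiver uses the three SA parameters above to find the inbound SA for a packet, and then applies the sliding anti-replay window from RFC 2401 that implements the "Rejection of Replayed Packets" service listed earlier. The SPI, destination address and sequence numbers are constructed for the demo; the protocol numbers 50 (ESP) and 51 (AH) are the real IANA assignments.

```python
"""Toy IPsec inbound processing: SA lookup keyed by (SPI, destination,
protocol) plus the RFC 2401 64-packet anti-replay sliding window."""
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers for ESP and AH


@dataclass
class SecurityAssociation:
    spi: int
    dst: str            # IP destination address of the SA
    proto: int          # ESP or AH: same SPI+dst with another protocol is a different SA
    window_size: int = 64
    highest_seq: int = 0  # right edge of the window; bit i of bitmap = seq highest_seq-i
    bitmap: int = 0

    def check_replay(self, seq: int) -> bool:
        """Return True (and record seq) if seq is new and inside the window."""
        if seq == 0:                      # first packet on an SA carries seq 1
            return False
        if seq > self.highest_seq:        # advance the window to the right
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:    # left of the window: too old, discard
            return False
        if self.bitmap & (1 << offset):   # already seen: replay, discard
            return False
        self.bitmap |= 1 << offset        # new packet inside the window
        return True


class SADatabase:
    def __init__(self):
        self._sad = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sad[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: int):
        return self._sad.get((spi, dst, proto))


def process_inbound(sad: SADatabase, spi: int, dst: str, proto: int, seq: int) -> str:
    """Classify an inbound AH/ESP packet: 'no-sa' and 'replay' mean discard."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "no-sa"       # RFC 2401: discard and log as an auditable event
    return "accept" if sa.check_replay(seq) else "replay"
```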