IPSec: What Is It and How It Works

When the internet was first developed, the intention was to have a network that would connect educational and government organizations on a very small scale.

When news of this network began to seep out into the general population, people wanted to be able to take part. As a matter of fact, it wasn’t long until the boom of the nineties hit, and now millions and millions of people all over the world are connected to the internet.

Because of this limited scope in the early stages of its design, the core protocol suite known as TCP/IP does not have any inherent security in the actual design. What I mean by this is that in most situations your data is sent across the network as clear text. When this clear text is sent across the network, anyone can use a monitoring tool and read the information being sent. This is a huge security problem. There are a number of solutions to this now, including IPSec, SSL and TLS.

IPSec gives us the ability to have that encryption we need for secure communication not only across the internet but in our private networks as well.

Problems with TCP/IP

The TCP/IP structure has the following major drawbacks.

  1. IP packets have no inherent security
  2. There is no way to verify that the claimed sender is the true sender. The property that is missing here is known as non-repudiation: in other words, sending data on our network in such a way that the sender cannot deny that they were the original sender of that information.
  3. There is no way to verify that data has not been modified in transit. There is no way to determine whether someone has accessed the data, changed it and then forwarded the information on, which could be critical in many scenarios.
  4. There is no way to verify that data has not been viewed by a third party. In other words it is possible that someone could have actually seen this information. All IP and TCP and other such protocols really do is make sure that data gets where it is supposed to go and that’s it.

Because of that, it is very possible that some of these problems exist in our environment: the data may be intercepted without our even being aware of it. IPSec provides an automated solution for all three of these.

  1. First of all, authentication: the claimed sender is the true sender.
  2. Secondly, integrity: the data hasn’t been modified in transit.
  3. Finally, confidentiality: the data hasn’t been viewed by a third party.

IPSec gives us all of this in one automated solution, with the ability to distribute it massively across our environment through Active Directory.

Architecture

To understand how IPSec actually works it’s important to understand the structure of a standard IP packet.

A standard IP packet first of all has the actual Data in it that we want to send on the network. In addition to this Data we have the actual TCP Header. This is the thing that encapsulates the Data or wraps itself around the Data and TCP determines the destination application on the machine we are sending the information to. The final part is the IP Header. The IP Header encapsulates or wraps itself around the TCP Header which in turn had wrapped itself around the Data.

So you can look at this as a layered structure and the IP Header is all about determining where the data should go on the physical network. So the IP Header takes care of getting the data from point A to point B. Once it reaches point B, the IP Header is removed and now the TCP Header says where the data should go within the point B system and finally once it gets to that location, the TCP Header is removed, the data is reassembled and delivered to the application on the receiving end.

Now the difference between standard IP and IPSec is this. IPSec also starts out with the data wrapped in a TCP Header. Then, however, things change a little bit. Instead of going directly to the IP Header, we insert an IPSec Header between TCP and IP. This works in such a fashion that we do not have to do anything to our application to be able to use IPSec. Why is that? Our data is passed from the application to the networking subsystem in the computer, and that networking subsystem takes care of wrapping it in TCP, then in IPSec and finally in IP to get it to the destination. Because of this, IPSec is application independent, and that’s one of the great beauties of using IPSec for confidentiality, integrity and authentication in our networks.

Now we can also use IPSec in tunnel mode. When we use it in tunnel mode, we have the data, the TCP Header and the IP Header, but then we also have an IPSec Header after the IP Header in the end. So it’s a little different than when we are using it in a protected packet mode within an internal network. In IPSec Tunnel Mode what we are talking about is using IPSec with Virtual Private Networking, and in this case we then have another IP Header on the end.

Now to understand how this works, the sending application passes the data to the network subsystem of the computer. The network subsystem wraps that data in a TCP Header, which says what application it is destined for on the receiving end, and then an IP Header is placed around it as well. Next we wrap an IPSec Header around that, which could include encryption or could just include authentication and integrity. Finally another IP Header wraps around this whole packet. On the receiving end, like an onion skin, we just pull off each of these layers one at a time to get the packet to the destination computer and finally to the actual application on the receiving end.

So this is how IPSec architecture works for our Windows Server 2000.
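The layering described above can be seen by walking the headers of a packet from the outside in. The following is an added example, not code from the original article: it builds constructed sample packets using the Authentication Header (AH, one of the IPSec header types, providing authentication and integrity only) and classifies each as plain IP, protected packet (transport) mode or tunnel mode. Addresses, ports, the SPI and the all-zero integrity value are placeholders.

```python
import struct

# IANA-assigned IP protocol numbers
PROTO_IPIP, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 6, 50, 51
NAMES = {PROTO_IPIP: "IP", PROTO_TCP: "TCP", PROTO_ESP: "ESP", PROTO_AH: "AH"}

def ipv4_header(proto, payload_len, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header (checksum left at 0; sample data only)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, addr(src), addr(dst))

def ah_header(next_header, spi=0x1000, seq=1, icv=b"\x00" * 12):
    """AH header (RFC 4302); the zero ICV is a placeholder, not a real MAC."""
    words = (12 + len(icv)) // 4 - 2      # length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, words, 0, spi, seq) + icv

def layers(packet):
    """Walk the headers from the outside in and return the layer names."""
    out, proto, off = ["IP"], packet[9], (packet[0] & 0x0F) * 4
    while True:
        out.append(NAMES.get(proto, f"proto{proto}"))
        if proto == PROTO_AH:             # AH names the header that follows it
            proto, off = packet[off], off + (packet[off + 1] + 2) * 4
        elif proto == PROTO_IPIP:         # a second, inner IP header
            proto, off = packet[off + 9], off + (packet[off] & 0x0F) * 4
        else:
            return out                    # TCP, ESP (encrypted) or unknown

def classify(packet):
    seq = layers(packet)
    if seq[1] == "ESP":
        return "esp (inner headers encrypted)"
    if seq[1] != "AH":
        return "plain"
    return "tunnel" if seq[2] == "IP" else "transport"

# Constructed samples: the same TCP segment sent three ways.
tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + b"hello"
plain = ipv4_header(PROTO_TCP, len(tcp)) + tcp
ah_t = ah_header(PROTO_TCP) + tcp
transport = ipv4_header(PROTO_AH, len(ah_t)) + ah_t
ah_tun = ah_header(PROTO_IPIP) + plain    # the whole original packet is wrapped
tunnel = ipv4_header(PROTO_AH, len(ah_tun), "192.0.2.1", "198.51.100.1") + ah_tun

if __name__ == "__main__":
    for name, pkt in (("plain", plain), ("transport", transport), ("tunnel", tunnel)):
        print(f"{name:9} {len(pkt):3} bytes  {' > '.join(layers(pkt))}  -> {classify(pkt)}")
```

With an encrypting IPSec header (ESP) the inner layers are not readable on the wire, so the walk stops at ESP and a monitoring tool cannot tell the two modes apart from the headers alone.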

