IPsec (Internet Protocol Security) is a suite of protocols and algorithms for securing data transmitted over the internet or any public network. The Internet Engineering Task Force, or IETF, developed the IPsec protocols in the mid-1990s to provide security at the IP layer through authentication and encryption of IP network packets.
IPsec originally defined two protocols for securing IP packets: Authentication Header (AH) and Encapsulating Security Payload (ESP). The former provides data integrity and anti-replay services, and the latter encrypts and authenticates data.
The IPsec suite also includes Internet Key Exchange (IKE), which is used to generate shared security keys to establish a security association (SA). SAs are needed for the encryption and decryption processes to negotiate a security level between two entities. A special router or firewall that sits between two networks usually handles the SA negotiation process.
IPsec is used for protecting sensitive data, such as financial transactions, medical records and corporate communications, as it's transmitted across the network. It's also used to secure virtual private networks (VPNs), where IPsec tunneling encrypts all data sent between two endpoints. IPsec can also encrypt application layer data and provide security for routers sending routing data across the public internet. IPsec can also be used to provide authentication without encryption -- for example, to authenticate that data originated from a known sender.
Encryption at the application or the transport layers of the Open Systems Interconnection (OSI) model can securely transmit data without using IPsec. At the application layer, Hypertext Transfer Protocol Secure (HTTPS) performs the encryption. While at the transport layer, the Transport Layer Security (TLS) protocol provides the encryption. However, encrypting and authenticating at these higher layers increase the chance of data exposure and attackers intercepting protocol information.
IPsec authenticates and encrypts data packets sent over both IPv4- and IPv6-based networks. IPsec protocol headers are found in the IP header of a packet and define how the data in a packet is handled, including its routing and delivery across a network. IPsec adds several components to the IP header, including security information and one or more cryptographic algorithms.
The IPsec protocols use a format called Request for Comments (RFC) to develop the requirements for the network security standards. RFC standards are used throughout the internet to provide important information that enables users and developers to create, manage and maintain the network.
The following are key IPsec protocols:
IPsec uses, or is used by, many other protocols, such as digital signature algorithms and most protocols outlined in the IPsec and IKE Document Roadmap, or RFC 6071.
VPNs had a significant role to play in securing the communication and work of the expanded remote workforce during the COVID-19 pandemic. Here are articles focused on what we learned about using them:
Plan a VPN and remote access strategy for pandemic, disaster
Coronavirus: VPN hardware becomes a chokepoint for remote workers
There are five key steps involved with how IPsec works. They are as follows:
A VPN essentially is a private network implemented over a public network. Anyone who connects to the VPN can access this private network as if directly connected to it. VPNs are commonly used in businesses to enable employees to access their corporate network remotely.
IPsec is commonly used to secure VPNs. While a VPN creates a private network between a user's computer and the VPN server, IPsec protocols implement a secure network that protects VPN data from outside access. VPNs can be set up using one of the two IPsec modes: tunnel mode and transport mode.
In simple terms, transport mode secures data as it travels from one device to another, typically for a single session. Alternatively, tunnel mode secures the entire data path, from point A to point B, regardless of the devices in between.
Tunnel mode. Usually used between secured network gateways, IPsec tunnel mode enables hosts behind one of the gateways to communicate securely with hosts behind the other gateway. For example, any users of systems in an enterprise branch office can securely connect with any systems in the main office if the branch office and main office have secure gateways to act as IPsec proxies for hosts within the respective offices. The IPsec tunnel is established between the two gateway hosts, but the tunnel itself carries traffic from any hosts inside the protected networks. Tunnel mode is useful for setting up a mechanism for protecting all traffic between two networks, from disparate hosts on either end.
Transport mode. A transport mode IPsec circuit is when two hosts set up a directly connected IPsec VPN connection. For example, this type of circuit might be set up to enable a remote information technology (IT) support technician to log in to a remote server to do maintenance work. IPsec transport mode is used in cases where one host needs to interact with another host. The two hosts negotiate the IPsec circuit directly with each other, and the circuit is usually torn down after the session is complete.
A Secure Socket Layer (SSL) VPN is another approach to securing a public network connection. The two can be used together or individually depending on the circumstances and security requirements.
With an IPsec VPN, IP packets are protected as they travel to and from the IPsec gateway at the edge of a private network and remote hosts and networks. An SSL VPN protects traffic as it moves between remote users and an SSL gateway. IPsec VPNs support all IP-based applications, while SSL VPNs only support browser-based applications, though they can support other applications with custom development.
Learn more about how IPsec VPNs and SSL VPNs differ in terms of authentication and access control, defending against attacks and client security. See what is best for your organization and where one type works best over the other.
21 Apr 2021