IPsec is a set of Internet-standard security services for the IP layer (RFCs 2401 through 2409) that provides authentication, packet integrity and confidentiality, security associations, and key management (the key-management protocol in that series is the Internet Key Exchange, IKE, RFC 2409). These services can be applied to the current generation of IPv4-based networks as well as the next generation of IPv6 networks.
IPsec standards are being implemented by a broad range of internetworking, remote access, firewall, and other secure networking vendors.
ICSA, the International Computer Security Association, certifies IPsec implementations for interoperability. Early pilots have shown that IPsec-based VPNs work, at least in configurations that use manual keying or that share a single public-key Certificate Authority (CA).
The Authentication Header (AH) protects packet integrity and origin with a keyed hash, HMAC-MD5-96 or HMAC-SHA-1-96 (RFCs 2403 and 2404), computed over the payload and those IP header fields that do not change in transit; mutable fields such as TTL and the header checksum are excluded. AH encrypts nothing, so it is used when confidentiality is not required, or in combination with Encapsulating Security Payload (ESP) when it is. Current implementation guidance (RFC 8221) forbids HMAC-MD5-96 and prefers HMAC-SHA-256 over HMAC-SHA-1-96, so new deployments should not rely on the MD5 variant.
Encapsulating Security Payload is used in either tunnel or transport mode. In tunnel mode, the entire original IP datagram, header included, is encrypted and encapsulated in a new IP datagram whose outer header carries only the tunnel endpoints' addresses, so the inner source and destination are hidden from observers. In transport mode, only the datagram's payload (for example, a TCP segment) is encrypted, and the original IP header travels in the clear. When a security gateway, such as a firewall, sits between the sending and receiving stations, tunnel mode is required, because the gateway is not the packet's final destination. Between two end hosts, transport mode is more efficient, since it adds no second IP header. ESP is not tied to one cipher: the original specification made DES-CBC the mandatory transform, with 3DES as the common stronger option, and ESP can carry its own integrity check so that encryption is not deployed without authentication. Today DES is broken and no longer permitted, 3DES is discouraged, and AES (in particular AES-GCM) is the expected choice (RFC 8221).
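The following is an added example, not code from the article or from any IPsec implementation, that makes the two points above concrete: which bytes AH's ICV actually covers (mutable IP fields are skipped, so a changed TTL still verifies while a changed payload does not), and what lands inside the ESP envelope in transport mode versus tunnel mode. To keep the framing visible it uses the ESP-NULL transform (RFC 2410, no encryption) with HMAC-SHA1-96; the 20-byte IPv4 header, the hosts, gateways, payload and key are all constructed for the demo. A real security association would put a cipher such as AES in place of the null transform.

```python
"""AH (RFC 2402) and ESP (RFC 2406) framing with HMAC-SHA1-96 integrity.
Added illustration; assumes a hand-built IPv4 header, ESP-NULL and a demo key."""
import hashlib
import hmac
import struct

AH_PROTO, ESP_PROTO, IPIP_PROTO = 51, 50, 4
KEY = b"demo-integrity-key-not-for-production"   # constructed, demo only


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header, no options; checksum left 0 (AH does not cover it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, src, dst)


def hmac_sha1_96(key, data):
    """HMAC-SHA-1 truncated to 96 bits, the AH/ESP ICV size from RFC 2404."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_immutable_view(ip_hdr):
    """Zero the fields AH treats as mutable in transit (RFC 2402 3.3.3.1):
    TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_transport(ip_hdr, payload, spi, seq, key=KEY):
    """Transport-mode AH: IP | AH | payload. The ICV covers the whole packet
    with mutable IP fields and the ICV field itself set to zero."""
    hdr = bytearray(ip_hdr)
    inner_proto = hdr[9]
    hdr[9] = AH_PROTO
    hdr[2:4] = struct.pack("!H", 20 + 24 + len(payload))
    hdr = bytes(hdr)
    # next header, payload len ((24 bytes / 4) - 2 = 4), reserved, SPI, sequence
    ah = struct.pack("!BBHII", inner_proto, 4, 0, spi, seq)
    icv = hmac_sha1_96(key, ah_immutable_view(hdr) + ah + bytes(12) + payload)
    return hdr + ah + icv + payload


def ah_verify(packet, key=KEY):
    """Recompute the ICV over the received packet; True if it matches."""
    ip_hdr, ah, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    if ip_hdr[9] != AH_PROTO:
        return False
    expected = hmac_sha1_96(key, ah_immutable_view(ip_hdr) + ah + bytes(12) + payload)
    return hmac.compare_digest(expected, icv)


def esp_encapsulate(inner, next_header, spi, seq, key=KEY):
    """ESP-NULL + HMAC-SHA1-96. `inner` is what a cipher would encrypt: the
    transport payload (transport mode) or the whole inner datagram (tunnel)."""
    pad_len = (-(len(inner) + 2)) % 4             # align the trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))        # RFC 2406 default pad bytes 1,2,...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    return body + hmac_sha1_96(key, body)         # ICV covers SPI through next header


def esp_transport(ip_hdr, payload, spi, seq):
    """Transport mode keeps the original header; only the payload goes inside ESP."""
    esp = esp_encapsulate(payload, ip_hdr[9], spi, seq)
    hdr = bytearray(ip_hdr)
    hdr[9] = ESP_PROTO
    hdr[2:4] = struct.pack("!H", 20 + len(esp))
    return bytes(hdr) + esp


def esp_tunnel(ip_hdr, payload, gw_src, gw_dst, spi, seq):
    """Tunnel mode wraps the entire inner datagram in ESP behind a new outer
    header addressed gateway to gateway (next header 4 = IP-in-IP)."""
    esp = esp_encapsulate(ip_hdr + payload, IPIP_PROTO, spi, seq)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp


def esp_decapsulate(packet, key=KEY):
    """Check the ICV and strip the trailer; returns (next_header, inner) or None."""
    body, icv = packet[20:-12], packet[-12:]
    if not hmac.compare_digest(hmac_sha1_96(key, body), icv):
        return None
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])               # constructed hosts
    gw_a, gw_b = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])  # constructed gateways
    payload = b"\x04\xd2\x00\x50GET / HTTP/1.0\r\n"                 # constructed TCP-like segment
    inner = ipv4_header(a, b, 6, 20 + len(payload))
    ah = ah_transport(inner, payload, spi=0x100, seq=1)
    tampered = bytearray(ah)
    tampered[-1] ^= 1
    print("AH verifies:", ah_verify(ah), "| after payload tamper:", ah_verify(bytes(tampered)))
    t = esp_transport(inner, payload, 0x200, 1)
    u = esp_tunnel(inner, payload, gw_a, gw_b, 0x300, 1)
    print("transport mode: outer src", t[12:16].hex(), "len", len(t))
    print("tunnel mode:    outer src", u[12:16].hex(), "len", len(u))
```

Running the demo shows the transport-mode packet still carrying 10.0.0.1 in its outer header while the tunnel-mode packet shows only the gateway address and is exactly 20 bytes longer, the cost of the second IP header the text refers to; flipping one byte of the AH-protected payload fails verification, whereas decrementing the TTL does not, which is why routers can forward AH traffic without breaking it.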