Internet Protocol Security IPSec VPN

Internet Protocol Security IPSec VPN

In this post you will learn about the IPSec (Internet Protocol Security) VPN. How to configure IPsec on Cisco router and different IPSec terminologies. VPNs with IPsec offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast and reliable remote connection.
With a VPN with IPsec, information from a private network is transported securely through a public network. GRE VPN Tunnels

What Is IPSEC ?

Internet Protocol Security or IPsec is an IETF standard that defines how a VPN can be configured securely using the Internet protocol.
IPsec is an open standards framework that details the rules for secure communications. IPSec is not limited to any specific type of encryption, authentication, security algorithm or key creation technology. Actually, IPsec depends on existing algorithms to implement secure communications. It also allows new and better algorithms to be implemented without modifying existing IPsec standards.
IPsec works at the network layer, so it protects and authenticates IP packets between participating IPsec devices, also known as peers. IPsec protects a route between a pair of gateways, a pair of hosts or a gateway and a host. As a result, IPsec can protect virtually all traffic in an application, since protection can be implemented from layer 4 to layer 7.
All IPsec implementations have a layer 3 header of unencrypted text, so there are no routing problems. IPsec works on all Layer 2 protocols, such as Ethernet, ATM or Frame Relay.
The characteristics of IPsec can be summarized as follows:

• It is a framework of open standards that does not depend on algorithms.
• It provides confidentiality and integrity of data, and authentication of the origin.
• It works at the network layer, so it protects and authenticates IP packets.

IPSEC Security Features

IPsec security services provide four fundamental functions:

• Confidentiality (encryption) : In a VPN implementation, private data is transferred through a public network. For this reason, the confidentiality of the data is essential. This can be achieved by encrypting the data before transmitting it over the network. This is the process of taking all the data that one computer sends to another and encoding them in a way that only the other computer can decode.
• Data Integrity : the receiver can verify that the data has been transmitted over the Internet without suffering any modifications or alterations. While it is important that the data through a public network be encrypted, it is also important to verify that they have not been modified when they were in transit.
• Authentication : verifies the identity of the origin of the data that is sent. This is necessary for protection against various attacks that depend on the impersonation of the issuer. IPsec uses Internet key exchange (IKE) to authenticate users and devices that can carry out communication independently.
• Anti- reproduction protection : it is the ability to detect and reject reproduced packets, and helps prevent phishing. Verify that each package is unique and not duplicated. IPsec packets are protected by comparing the sequence number of received packets with a sliding window on the destination host or security gateway. A package that has a sequence number before the sliding window is considered to be late or duplicated.

IPSec ENCRYPTION ALGORITHMS

The degree of security depends on the length of the encryption algorithm key. The longer the key, the more difficult it is to decipher it . However, a longer key requires more processor resources to encrypt and decrypt data.
DES and 3DES are no longer considered safe; therefore, it is recommended to use AES for IPSec encryption. The best security for IPSec encryption of VPNs between Cisco devices is provided by the 256-bit AES option.
In addition, since 512-bit and 768-bit Rivest, Shamir and Adleman (RSA) keys were decrypted , Cisco recommends using 2048-bit keys with the RSA option if it was used during the IKE authentication phase.

SYMMETRIC ENCRYPTION

Encryption algorithms, such as AES, require a shared secret key for encryption and decryption. Each of the two network devices must know the key to decode the information. With symmetric key encryption, also called "secret key encryption," each device encrypts the information before sending it over the network to the other device.
Symmetric key encryption requires knowing which devices communicate with each other in order to configure the same key on each device.

• For example, a sender creates an encrypted message in which each letter is replaced by another letter that is two places later in the alphabet: A becomes C, B becomes D and so on. In this case, the word SECRET becomes UGETGV.
• The sender has already told the recipient that the secret code is two letters.
• When the recipient receives the UGETGV message, the recipient's computer decodes the message by running two letters back and calculates the word SECRET.
• Anyone who sees the message only sees the encrypted message, which seems meaningless, unless the person knows the secret key.

Below is a synopsis for symmetric algorithms:

• They use symmetric key cryptography.
• Encryption and decryption use the same key.
• Usually they are used to encrypt the content of the message.
• Examples: DES, 3DES and AES

How do encryption and decryption devices have a shared secret key? To send the shared secret keys to the administrators of the devices, you could use email, the common courier service or express delivery. Another safer method is asymmetric encryption.

ASYMMETRIC ENCRYPTION

Asymmetric encryption uses different keys for encryption and decryption. Even if you know one of the keys, a hacker cannot deduce the second key and decode the information. A key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.

• Public key encryption is a variant of asymmetric encryption that uses a combination of a private and a public key.
• The recipient provides a public key to any sender with whom he wishes to communicate.
• The sender uses a private key that is combined with the recipient's public key to encrypt the message. In addition, the issuer must share his public key with the recipient.
• To decrypt a message, the recipient uses the sender's public key with his own private key.

Below is a synopsis for asymmetric algorithms:

• They use public key cryptography.
• Encryption and decryption use different keys.
• Usually they are used in digital certification and key management.
• Examples: RSA

IPSec DIFFIE-HELLMAN KEY EXCHANGE

Diffie-Hellman (DH) is not an encryption mechanism and is not usually used to encrypt data. Instead, it is a method to safely exchange the keys that encrypt data . Algorithms (DH) allow two parties to establish the shared secret key used by encryption and hash algorithms.
DH was the first system to use the public key or asymmetric cryptographic keys. Currently, DH is part of the IPsec standard. In addition, a protocol called OAKLEY uses a DH algorithm. OAKLEY is a protocol used by the IKE protocol, which is part of the general framework called " key management protocol and Internet security association ".
Encryption algorithms, such as DES, 3DES and AES, as well as the MD5 and SHA-1 hash algorithms, require a symmetric shared secret key to perform encryption and decryption. How do encryption and decryption devices obtain the shared secret key? The simplest method of key exchange is a method of exchanging public keys between encryption and decryption devices.
The DH algorithm specifies a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, even if they communicate through an insecure channel. Like all cryptographic algorithms, DH key exchange is based on a mathematical sequence of steps.

INTEGRITY WITH HASH ALGORITHMS

Hash algorithms handle the integrity and authentication of VPN traffic. The hashes provide data integrity and authentication by ensuring that unauthorized persons do not alter the transmitted messages.
A hash, also called " message synthesis ", is a number that is generated from a text string. The hash is shorter than the text itself. It is generated by using a formula, such that it is very unlikely that other text will produce the same hash value.
The original sender generates a hash of the message and sends it with the message itself. The recipient analyzes the message and hash, produces another hash from the received message and compares both hashes. If they are the same, the recipient can be sure enough of the integrity of the original message.

HASH ALGORITHM EXAMPLE

In the illustration, Gail sent Alex an EFT of USD 100. Jeremiah intercepted and altered this EFT to show himself as the recipient and the amount is USD 1000. In this case, if a data integrity algorithm was used, the hashes they would not match, and the transaction would not be valid.
VPN data is transported via the public Internet. As shown, there is a possibility that these data will be intercepted and modified. To protect them against this threat, hosts can add a hash to the message.
VPNs use a message authentication code to verify the integrity and authenticity of a message, without using any additional mechanisms.

HMAC

Hash-based message authentication code (HMAC) is a mechanism for message authentication using hash functions.
A password HMAC is a data integrity algorithm that guarantees the integrity of a message.
An HMAC has two parameters: a message entry and a secret key known only to the author of the message and the intended recipients.

• The message sender uses an HMAC function to produce a value (the message authentication code) that is formed by compressing the secret key and entering the message.
• The message authentication code is sent along with the message.
• The receiver calculates the message authentication code in the message received with the same key and the same HMAC function that the sender used.
• The receiver then compares the result that was calculated with the message authentication code that was received.

There are two common HMAC algorithms:

• MD5 : uses a 128-bit shared secret key. The variable length message and the 128-bit shared secret key are combined and processed with the HMAC-MD5 hash algorithm. The result is a 128 bit hash. The hash is attached to the original message and sent to the remote end.
• SHA : SHA-1 uses a 160-bit secret key. The variable length message and the 160-bit shared secret key are combined and processed with the HMAC-SHA1 hash algorithm. The result is a 160-bit hash. The hash is attached to the original message and sent to the remote end.

Cisco IOS also supports 256-bit, 384-bit, and 512-bit SHA implementations.

IPSEC AUTHENTICATION

VPNs with IPsec support authentication. When conducting long-distance business, it is necessary to know who is on the other side of the phone, email or fax. The same goes for VPN networks.

The device at the other end of the VPN tunnel must be authenticated so that the communication path is considered secure, as indicated in the illustration. There are two peer authentication methods :

• PSK : is a secret key that is shared between the two parties that use a secure channel before it needs to be used. Pre-shared keys (PSK) use cryptographic algorithms of symmetric key. A PSK is entered into each peer manually and used to authenticate the peer. At each end, the PSK is combined with other information to form the authentication key.
• RSA signatures : digital certificates are exchanged to authenticate peers. The local device derives a hash and encrypts it with its private key. The encrypted hash, or digital signature, is linked to the message and forwarded to the remote end. At the remote end, the hash encrypted with the public key of the local end is decrypted. If the decrypted hash matches the recalculated hash, the signature is genuine .
• IPsec uses RSA (cryptographic public key system) for authentication in the context of IKE. The RSA signature method uses a digital signature configuration in which each device signs a set of data digitally and sends it to the other party.