The Network Infrastructure Security Information Technology Essay
It offers connectionless integrity, strong data origin authentication and anti-replay protection. AH is used when strong authentication of the source of the data is desired. It does not encrypt the IP datagram; consequently AH provides no privacy.
Encapsulating security payload (ESP)
It offers connectionless integrity, data origin authentication, confidentiality and anti-replay protection. ESP offers IP payload authentication as well as encryption. IPSec is a standard for real-time communication security, and it is application independent.
IPSec provides an automated solution for these three areas:
Data integrity: data is protected from deletion and corruption, both while it is held in the database and while it is transmitted within the network.
Data authentication: the verification of the identity of a machine or person, that is, confirmation that a party really is who it claims to be.
Data confidentiality: the objective is to protect personal information and data from being disclosed without consent.
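The integrity, data origin authentication and anti-replay services described above can be seen working together in a small receiver. The following is an added example, not code from the essay: it builds an AH-style frame (SPI, sequence number, readable payload, then an HMAC-SHA256 integrity check value), and the receiver applies the checks in the order IPsec uses them (replay pre-check, ICV verification, window update). The frame layout, the key and the sample traffic are all constructed for this illustration; the payload is deliberately left in the clear to show why AH gives integrity and origin authentication but no privacy.

```python
import hashlib
import hmac
import struct

ICV_LEN = 32   # HMAC-SHA256 output length
HDR_LEN = 8    # 4-byte SPI + 4-byte sequence number


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed AH-style frame: SPI, sequence number, payload, then an ICV
    computed over everything before it. The payload stays readable."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


class AntiReplayWindow:
    """Sliding window of accepted sequence numbers (64 entries by default).
    Bit i of the bitmap is set when sequence number (top - i) was accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def is_acceptable(self, seq: int) -> bool:
        if seq == 0:
            return False    # zero is never a valid sequence number
        if seq > self.top:
            return True     # newer than anything seen: always acceptable
        diff = self.top - seq
        if diff >= self.size:
            return False    # fell off the left edge of the window: too old
        return not (self.bitmap & (1 << diff))   # already seen => replay

    def mark(self, seq: int) -> None:
        """Record seq as accepted; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1             # jumped past the whole window
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(key: bytes, window: AntiReplayWindow, packet: bytes):
    """Receiver checks: replay pre-check, ICV verification, then window update.
    Returns (accepted, reason, payload)."""
    if len(packet) < HDR_LEN + ICV_LEN:
        return False, "truncated", b""
    _spi, seq = struct.unpack("!II", packet[:HDR_LEN])
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not window.is_acceptable(seq):
        return False, "replay", b""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        return False, "bad-icv", b""      # modified in transit or wrong key
    window.mark(seq)
    return True, "ok", body[HDR_LEN:]


KEY = b"constructed-demo-key-not-for-real-use"   # constructed, not a real key
SPI = 0x100


def demo():
    """Constructed traffic: three packets delivered out of order, one replay,
    one tampered packet. Returns the list of receiver verdicts."""
    window = AntiReplayWindow()
    p1 = build_packet(KEY, SPI, 1, b"hello")
    p2 = build_packet(KEY, SPI, 2, b"world")
    p3 = build_packet(KEY, SPI, 3, b"again")
    verdicts = [receive(KEY, window, p)[1] for p in (p1, p3, p2)]
    verdicts.append(receive(KEY, window, p2)[1])          # same packet again
    tampered = bytearray(build_packet(KEY, SPI, 4, b"payload"))
    tampered[HDR_LEN] ^= 0x01                             # flip one payload bit
    verdicts.append(receive(KEY, window, bytes(tampered))[1])
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'ok', 'replay', 'bad-icv']
```

Out-of-order delivery inside the window is accepted, a second copy of an already-accepted sequence number is rejected as a replay, and a frame whose payload was altered fails the ICV check without ever being recorded in the window. Note that the "hello" payload of a frame is still readable by anyone on the path; that is the privacy gap the essay attributes to AH.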
PHASES AND PROTOCOLS OF IPSEC
There are three types of protocol used in an IPSec implementation:
Encapsulating security payload, ESP
It offers a set of services and also offers confidentiality.
Authentication header, AH
It offers integrity and data origin authentication.
Internet key exchange, IKE
IPSec connections can operate in two modes: transport mode and tunnel mode.
In transport mode, a host-to-host connection involves only the two machines.
Each host does its own IPSec processing and routes some packets via IPSec.
In tunnel mode, gateways are required to support the tunnel-mode connections. The gateways provide the tunnels for the use of client machines; the client machines themselves need no IPSec of their own, all they need is routing to the gateways.
To understand how IPSec actually works, it is important to understand the structure of a standard IP packet. First there is the actual data that we want to send over the network. In addition to this data we have the TCP header, which encapsulates (wraps itself around) the data; TCP determines which application on the destination machine the information is being sent to. The final part is the IP header, which encapsulates the TCP header, which in turn wraps the data. We can look at this as a layered structure. The IP header is all about determining where the data should go on the physical network, so the IP header takes care of getting the data from point A to point B. Once it reaches point B the IP header is removed, and the TCP header now determines where the data should go within point B's system. Finally, once it gets to that location, the TCP header is removed and the data is delivered to the application on the receiving end.
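The layering just described, and the way the two IPSec modes change it, can be made concrete with a few bytes. The following is an added example and not code from the essay: it builds a minimal IPv4/TCP packet, wraps it the way transport mode and tunnel mode do, and peels it again from the receiver's side. The header builders are deliberately minimal (checksums and options are zeroed), the ESP framing is a toy that leaves the protected bytes readable and carries no ICV so that the layout stays visible, and all addresses, ports and SPIs are constructed values.

```python
import ipaddress
import struct

PROTO_IPV4 = 4    # next-header value meaning "an inner IPv4 packet follows"
PROTO_TCP = 6
PROTO_ESP = 50


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum, options and fragment fields zeroed."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header; sequence numbers and checksum zeroed, ACK flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)


def build_plain(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Sender-side layering: data, wrapped by the TCP header, wrapped by the IP header."""
    segment = tcp_header(sport, dport) + data
    return ip_header(src, dst, PROTO_TCP, len(segment)) + segment


def esp_wrap(inner: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """Toy ESP framing: 8-byte header (SPI, sequence number), the protected bytes,
    and a 2-byte trailer (pad length, next header). Real ESP encrypts the inner
    bytes plus trailer and appends an ICV; both are omitted to keep the layout visible."""
    return struct.pack("!II", spi, seq) + inner + struct.pack("!BB", 0, next_header)


def transport_mode(packet: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the original host-to-host IP header stays in front and
    ESP is inserted between it and the TCP segment."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    body = esp_wrap(packet[20:], PROTO_TCP, spi, seq)
    return ip_header(src, dst, PROTO_ESP, len(body)) + body


def tunnel_mode(packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole original packet (IP header included) becomes the ESP
    payload and a new outer IP header addressed between the gateways is added."""
    body = esp_wrap(packet, PROTO_IPV4, spi, seq)
    return ip_header(gw_src, gw_dst, PROTO_ESP, len(body)) + body


def layers(packet: bytes):
    """Receiver side: peel headers from the outside in and return the list of
    layers seen plus the application data that finally reaches the socket."""
    seen = []
    while True:
        proto = packet[9]              # IPv4 "protocol" field
        seen.append("IP")
        packet = packet[20:]
        if proto == PROTO_ESP:
            seen.append("ESP")
            proto = packet[-1]         # trailer's next-header field
            packet = packet[8:-2]      # strip ESP header and trailer
        if proto == PROTO_IPV4:
            continue                   # tunnel mode: an inner IP packet follows
        if proto == PROTO_TCP:
            seen.extend(["TCP", "data"])
            return seen, packet[20:]
        raise ValueError(f"unexpected protocol {proto}")


def demo() -> dict:
    """Constructed host-to-host packet shown plain, in transport mode and in tunnel mode."""
    plain = build_plain("10.0.0.1", "10.0.0.2", 40000, 443, b"GET / HTTP/1.1")
    return {
        "plain": layers(plain)[0],
        "transport": layers(transport_mode(plain, 0x1001, 1))[0],
        "tunnel": layers(tunnel_mode(plain, "192.0.2.1", "198.51.100.1", 0x1002, 1))[0],
    }


if __name__ == "__main__":
    for mode, stack in demo().items():
        print(f"{mode:10s} {' -> '.join(stack)}")
```

Running it shows the plain packet as IP -> TCP -> data, transport mode as IP -> ESP -> TCP -> data with the original host addresses still on the outer header, and tunnel mode as IP -> ESP -> IP -> TCP -> data where only the gateway addresses are visible on the outside. That outer-header difference is exactly why tunnel mode suits gateway-to-gateway use: the client machines' addresses travel inside the protected payload.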
IPSec can be used to protect one or more paths:
It can be used between a pair of hosts.
It can be used between a pair of security gateways.
It can be used between a security gateway and a host. A host implementation must support both host-to-host use and use between a host and a compliant security gateway; together these cases form the full set of connectivity.
IPSec can be implemented in many ways: in a host, in conjunction with a router, or in an independent device. IPSec may be integrated into the IP stack; this requires access to the IP source code and is applicable to both hosts and security gateways. In a "bump in the stack" implementation, IPSec is implemented underneath the native IP stack, between it and the local network drivers.
Scalable and Robust Solution
The benefits of deploying security solutions based on the IPSec framework can enhance several aspects of enterprise security. These can be summarized as follows:
More secure communications within the firewall. Most network communication occurs between servers and clients over the LAN. IPSec reduces the internal security risk by protecting sensitive data.
More secure, low-cost virtual networks. The additional layers of security provided by IPSec enable greater control over network resources. With IPSec you are not limited to the all-or-nothing proposition of completely trusting everyone inside the firewall.
Security technologies are deployed in various forms in corporate LANs.
Application layer security
Products such as firewalls and web browser plug-ins fall into this category, as do application-layer mechanisms such as single sign-on (SSO) and username/password authentication.
Session layer security
Protocols such as FTP and DNS are protected through extensions defined specifically for them.
Network infrastructure security
To transport network data over multiple links, link layer tunnelling protocols have been used. These protocols encapsulate IP datagrams in link layer protocol (LLP) specific headers, and have defined proprietary or standard mechanisms to afford confidentiality to the data flows.
Host intrusion detection system
These products, which perform security-related tasks such as virus scanning, are not directly related to the network. However, they are important components in any network security solution.
IPSec is expected to complement application and session layer security technologies. Its main purpose within an intranet is to protect network data flows from inappropriate use. It also has distributed firewall functionality, in that data flows can be processed to be forwarded in the clear, dropped or protected by IPSec. The fact that IPSec is completely configurable and manageable by policies is a key enabling factor. IPSec will be used to help protect access to the corporate internet as well as access within the intranet. Application and session layer security protocols will continue to complement IPSec in providing tighter access control and authorization functions.
LIMITATIONS OF IPSEC
IPSec is designed to secure the links between machines, but it is important to know that there are many things it does not do. Here are some important limitations.
IPSec cannot be secure if your system isn't.
IPSec can be a powerful tool for improving system and network security, but no system can be trusted if the underlying machine has been subverted.
IPSec is not end to end
IPSec cannot provide the end-to-end security that systems working at higher levels can. It encrypts an IP connection between two machines, which is quite different from encrypting messages between users.
IPSec cannot do everything
It cannot provide all the functions of systems working at higher levels. If we need a document or file from a particular person, we need that person's own signature and key to verify it with.
IPSec authenticates machines, not users
It uses strong authentication mechanisms to control which messages go to which machines, but it has no concept of a user ID, which many other security policies rely on.
IPSec does not stop denial of service attacks
These attacks aim at causing a system to crash or overload so that users cannot get whatever services the system is supposed to provide. They are a different type of attack from those in which the attacker seeks to use the service himself. IPSec also shifts the ground for DoS attacks.
IPSec does not stop traffic analysis
Traffic analysis is the attempt to derive intelligence from messages without regard to their content. In the case of IPSec, such analysis would be based on things visible in the unencrypted headers of packets. Partial defences are certainly possible.
CONFIGURATION AND MANAGEMENT OF IPSEC
IPSec Security Policy Architecture
IPSec allows network administrators to control how both incoming and outgoing traffic is processed by the IPSec protection services. When incoming packets are delivered to the IPSec processing engine from the network, they go through a process to determine what action is to be taken on the packet, based on the system policies. Policies apply to both incoming and outgoing data packets travelling through the given network device.
The IPSec Security Association Database (SAD) contains information relating to the current IPSec connections in use within a given device. The IPSec policies that affect this database dictate what happens when a packet does not match the requirements of the SAD.
IPSec Policy Decision Tree
The Security Policy Database (SPD) controls the IPSec processing requirements of a device as a whole. This database specifies, by contract, whether the traffic between two units must be protected by IPSec. If an incoming network packet is not protected, the SPD is consulted to decide what to do with it, based on where it came from and where it is going. The action taken could include discarding it or starting a new IPSec-enabled connection. The Internet Key Exchange protocol describes additional policies that should be imposed on key negotiation.
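The decision tree described here, and the "forward in the clear, drop or protect" behaviour mentioned in the overview of IPSec as a distributed firewall, can be written down as a small policy engine. The following is an added example and not code from the essay: an ordered SPD of selector-based entries with the three RFC 4301 actions (DISCARD, BYPASS, PROTECT), a SAD keyed by SPI, and the outbound and inbound decision logic a device applies to each packet. The subnets, ports and SPIs are constructed values; the engine returns a verdict string where a real implementation would invoke ESP/AH processing or start an IKE negotiation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three actions an SPD entry can prescribe (RFC 4301 terms)
DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", ...
    dport: int = 0
    spi: Optional[int] = None   # set when the packet arrived inside ESP/AH


@dataclass
class SpdEntry:
    src: str                    # CIDR selectors
    dst: str
    proto: str                  # protocol name, or "any"
    dport: int                  # 0 matches any port
    action: str


@dataclass
class SecurityAssociation:
    spi: int
    src: str                    # traffic selectors negotiated for this SA
    dst: str


def _in(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


class IpsecPolicyEngine:
    """Decision logic a device applies to each packet, driven by SPD and SAD."""

    def __init__(self, spd, sad):
        self.spd = list(spd)                     # ordered: first match wins
        self.sad = {sa.spi: sa for sa in sad}    # keyed by SPI

    def _lookup_spd(self, pkt: Packet) -> Optional[SpdEntry]:
        for e in self.spd:
            if (_in(pkt.src, e.src) and _in(pkt.dst, e.dst)
                    and e.proto in ("any", pkt.proto) and e.dport in (0, pkt.dport)):
                return e
        return None                              # no matching entry

    def _find_sa(self, pkt: Packet) -> Optional[SecurityAssociation]:
        for sa in self.sad.values():
            if _in(pkt.src, sa.src) and _in(pkt.dst, sa.dst):
                return sa
        return None

    def outbound(self, pkt: Packet) -> str:
        entry = self._lookup_spd(pkt)
        if entry is None or entry.action == DISCARD:
            return "drop"
        if entry.action == BYPASS:
            return "forward-clear"
        sa = self._find_sa(pkt)
        if sa is None:
            return "trigger-ike"                 # protection required but no SA yet
        return f"protect-spi-{sa.spi:#x}"

    def inbound(self, pkt: Packet) -> str:
        if pkt.spi is not None:                  # arrived protected
            sa = self.sad.get(pkt.spi)
            if sa is None or not (_in(pkt.src, sa.src) and _in(pkt.dst, sa.dst)):
                return "drop"                    # unknown SPI, or outside the SA's selectors
            return "accept-protected"
        entry = self._lookup_spd(pkt)            # arrived in the clear: is that allowed?
        if entry is not None and entry.action == BYPASS:
            return "accept-clear"
        return "drop"                            # PROTECT flow seen unprotected, or no policy


def demo() -> dict:
    """Constructed policy: DNS in the clear, LAN<->server subnet protected, a branch
    subnet protected but with no SA negotiated yet, everything else denied."""
    spd = [
        SpdEntry("10.0.0.0/24", "10.0.0.53/32", "udp", 53, BYPASS),
        SpdEntry("10.0.0.0/24", "10.0.1.0/24", "any", 0, PROTECT),
        SpdEntry("10.0.1.0/24", "10.0.0.0/24", "any", 0, PROTECT),
        SpdEntry("10.0.0.0/24", "10.0.2.0/24", "any", 0, PROTECT),
        SpdEntry("0.0.0.0/0", "0.0.0.0/0", "any", 0, DISCARD),
    ]
    sad = [
        SecurityAssociation(0x200, "10.0.0.0/24", "10.0.1.0/24"),   # outbound SA to servers
        SecurityAssociation(0x201, "10.0.1.0/24", "10.0.0.0/24"),   # inbound SA from servers
    ]
    engine = IpsecPolicyEngine(spd, sad)
    return {
        "dns-out": engine.outbound(Packet("10.0.0.5", "10.0.0.53", "udp", 53)),
        "server-out": engine.outbound(Packet("10.0.0.5", "10.0.1.7", "tcp", 443)),
        "branch-out": engine.outbound(Packet("10.0.0.5", "10.0.2.9", "tcp", 22)),
        "internet-out": engine.outbound(Packet("10.0.0.5", "203.0.113.9", "tcp", 80)),
        "server-in-clear": engine.inbound(Packet("10.0.1.7", "10.0.0.5", "tcp", 443)),
        "server-in-esp": engine.inbound(Packet("10.0.1.7", "10.0.0.5", "tcp", 443, spi=0x201)),
        "unknown-spi-in": engine.inbound(Packet("10.0.1.7", "10.0.0.5", "tcp", 443, spi=0x999)),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:16s} {verdict}")
```

The two cases worth noticing are the branch subnet, where policy demands protection but no SA exists, so the engine's answer is to start a new IPSec-enabled connection rather than send anything, and the server packet that arrives in the clear on a flow the SPD marks PROTECT, which is dropped even though the same packet inside a known SA would be accepted.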
Policy related IETF working groups
Multiple working groups already exist that are attempting to standardize methods of IPSec-specific and other types of policy-based management. However, the majority of these groups are concentrating on conceptual methods and have yet to produce implementable results. At the start of this project, little work had been done in standards working groups on IPSec policy.
Policy Framework Working Group
It has been tasked with specifying a broad policy framework that can be used in the IETF. The work is derived from and related to work being done in the Distributed Management Task Force (DMTF). It defines a common information model which classifies a wide range of systems, including what is needed for quality-of-service initiation and for IPSec policy management.
IP Security Policy Working Group
This group is devoted to producing an IPSec security policy architecture to be used in networks. Almost all of its work so far has concentrated on data models, and implementable results have yet to be produced by the working group. The work submitted from this project had the additional benefit of bringing new needs to light for the data model being worked on.
Selecting a Protocol
IPSec-enabled network topologies are likely to increase in complexity to the point that they will become unmanageable using current management methods. It is also expected that the need for cross- and inter-organization collaboration will produce a need for policy configuration elements.
This project has multiple components that must be completed to meet the goal of being able to easily build and configure policies. All of the policy management must be implemented and tested. The basic architecture of a policy management system is shown below.
Managed Network Architecture
The management server will be responsible for configuring multiple IPSec-enabled network devices within its realm of responsibility. These may be devices directly under its entire control, or devices for which it is allowed to configure only a subset of the policy, as in hierarchical and peer-based management. A policy management console is also needed to appropriately load the SQL database with the policy definitions to be applied to managed IPSec devices. It will map the data held in the database structure into a more understandable form displayed to its users.
Policy Management Implementation Overview
The initial target of the IPSec policy management is flexible enough to be used for any type of policy; this allows the system to be easily extended for other uses.
The management console user interface to be developed will allow administrators to define and assign policies to devices within the controlled network, and will use a database to store its notion of a network's policy set. The user interface interacting with the policy database will be implemented as an HTML-based web console for maximum portability. It should, however, be possible to easily add additional management consoles in the future which can operate concurrently with the web-based console. Multiple consoles, regardless of type, should be capable of configuring the same database housed within the management server.
IPSec-enabled devices should be capable of logging errors and irregularities by forwarding notifications to the management engine for display. These new policy-specific event types should supplement the audit events described by the IPSec protocol. Both the management server and the management console need to have a section of their operations devoted to alarms raised by notifications. Through the management console interface, a network administrator should be able to determine which points on the network were failing to establish needed connections.
The management engines are carefully designed to allow multiple engines to run simultaneously. When these engines are operating in parallel they can easily distribute configuration tasks among themselves. Multiple policy monitoring engines may also be needed and will be constructed to run in parallel as well.