IPSec, or IP Security, is a set of standard protocols developed by the IETF (Internet Engineering Task Force) that supports the secure exchange of packets at the IP (network) layer. It is the most popular layer 3 tunneling approach for VPNs. Unlike PPP, it supports only IP which today is not the drawback it might have been several years ago when fewer organizations backbones were IP-based. IPSec is known for being flexible in configuration, with many options for packet authentication and encryption.
IPSec uses public key encryption technology. That is, the sending and receiving devices share a public key with the server who has a secret private key. (Public key encryption is discussed in more detail in section 4 of this book.)
IPSec establishes a Security Association (SA) for each side of a connection between a client and server. The SA includes the parameters needed to communicate over this connection, such as the type of encryption algorithm negotiated as compatible with both sides, a session key and an authentication algorithm (such as SHA1 or MD5). Session keys are negotiated at the startup of the initial connection via Internet Security Associations and Key Management Protocol (ISAKMP), which provides for key exchange and authentication, and uses digital certificates to allow its authentication to scale to the Internet.157
The ISAKMP/IKE protocol uses UDP port 500 to pass its traffic. When a NAT is involved, it may use port 4500 instead. In addition to this initial SA, a separate SA is created for each protocol (AH or ESP, described below) and connection direction, as needed158.
157. White Paper IPSec Executive Summary, Cisco Systems, http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/IPSec_wp.htm.
158. Shinder, Thomas W., Debra Littlejohn Shinder, D. Lynn White, Configuring Windows 2000 Server Security, Syngress, January, 2000, http://www.nerdbooks.com/item.html?id=1928994024
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.