How it fits the virtual network
As a basic building block at the network layer, IPSec fits well into the
model of tomorrow’s trusted virtual network, playing a key role in LAN
security, access control and WAN security. Uses might include the following
types of network communications and configurations:
- Peer-to-peer
- Client-server
- Protected workgroup
- Protected enterprise
- Protected inter-enterprise
- VPN and remote access
The Network Interface Card (NIC) is an especially useful place to implement
IPSec technology. This is the place where end-station data is turned into useful
security management information, where data can be queued in order of priority
before transport, and where hardware acceleration can be used to the greatest
advantage to facilitate encryption.
An encrypted audio/video stream from a server to its clients provides a good
example of the benefits of hardware acceleration. Users would experience much
better network performance if the stream were decrypted on an IPSec-enabled NIC
instead of in decryption software alone. Hardware acceleration in the NIC can
improve network performance by speeding up the many math cycles required by the
encryption and decryption algorithms. By offloading this work onto the NIC, those
performance problems are avoided.
How it works
As defined by the IETF, IPSec utilizes two principal elements to protect network
communications:
- An Authentication Header (AH) for providing source authentication and data
integrity, to ensure the data will not be available to an unauthorized station
and will not be altered en route.
- An Encapsulating Security Payload (ESP) to provide confidentiality, ensuring
that data will not be intercepted, read or copied.
What are the specific mechanisms for applying these elements?
IPSec operates on IP packets as follows:
IPSec AH
In AH transport mode, an AH header is inserted between the IP header and the
payload. It carries the Security Parameter Index (SPI), the sequence number and
the other authentication data required.
IPSec ESP
In ESP transport mode, an ESP header is inserted between the IP header and the
IP payload, and an ESP trailer and authentication MAC are added to the end of
the packet. In ESP tunnel mode, the entire original packet is encrypted and
placed behind a new IP header and ESP header, with an authentication trailer
added.
Transport Mode Uses
Transport mode is typically used in peer-to-peer communications to provide
intranet security. The IP header remains unaltered, so it can be read and used
by any standards-based device or software, while the data portion of the packet
is encrypted so that its contents are protected.
Tunnel Mode Uses
Tunnel mode is used for remote access and site-to-site security, including
VPNs. By placing the packet into a whole new wrapper, it hides the topology of
the protected sites.
Benefits of IPSec to the End Customer
- Less expensive branch office connectivity
- Faster, more efficient links to customers and suppliers
- More secure corporate LANs, including better protection against inside threats
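As an added example (not part of the Intel paper), the following Python parser reads the cleartext fields described in the AH and ESP sections above and tells AH transport mode from AH tunnel mode by the Next Header value, while showing that ESP's Next Header is hidden in the encrypted trailer and so cannot be classified without the SA keys. Field layout follows the AH and ESP specifications (RFC 4302 and RFC 4303); the sample packets are constructed inline, and the 12-byte AH ICV and placeholder addresses are assumptions.

```python
import struct

# IPv4 protocol numbers for ESP, AH, IP-in-IP (tunnel-mode inner packet) and TCP
IPPROTO_ESP, IPPROTO_AH, IPPROTO_IPIP, IPPROTO_TCP = 50, 51, 4, 6


def parse_ipsec(packet: bytes) -> dict:
    """Read the cleartext fields of an IPv4 packet that carries AH or ESP.

    A monitor without the SA keys sees only the SPI and sequence number. AH's
    Next Header field is also in the clear, so AH tunnel mode (inner protocol
    4 = IP-in-IP) can be told from transport mode; ESP keeps Next Header in
    the encrypted trailer, so its mode is reported as unknown.
    """
    ihl = (packet[0] & 0x0F) * 4        # IHL is in 32-bit words
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_AH:
        # RFC 4302 AH: Next Header | Payload Len | Reserved | SPI | Sequence | ICV
        next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (payload_len + 2) * 4  # Payload Len = AH length in 32-bit words minus 2
        return {"proto": "AH", "spi": spi, "seq": seq, "next_header": next_hdr,
                "mode": "tunnel" if next_hdr == IPPROTO_IPIP else "transport",
                "icv_len": ah_len - 12}
    if proto == IPPROTO_ESP:
        # RFC 4303 ESP: SPI | Sequence | encrypted payload + trailer | ICV
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": "ESP", "spi": spi, "seq": seq, "mode": "unknown"}
    return {"proto": proto, "mode": "none"}


def ipv4_header(proto: int, total_len: int) -> bytes:
    """Constructed minimal IPv4 header: no options, zero checksum, placeholder addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def ah_header(next_hdr: int, spi: int, seq: int) -> bytes:
    """Constructed AH with a 12-byte ICV (assumed, as with HMAC-96): 24 bytes, Payload Len 4."""
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * 12


# Constructed sample packets (not captured traffic)
AH_TRANSPORT = ipv4_header(IPPROTO_AH, 20 + 24 + 4) + ah_header(IPPROTO_TCP, 0x100, 7) + b"\xAA" * 4
AH_TUNNEL = ipv4_header(IPPROTO_AH, 20 + 24 + 20) + ah_header(IPPROTO_IPIP, 0x101, 8) + ipv4_header(IPPROTO_TCP, 20)
ESP_PKT = ipv4_header(IPPROTO_ESP, 20 + 8 + 16) + struct.pack("!II", 0x200, 9) + b"\xBB" * 16

if __name__ == "__main__":
    for name, pkt in [("AH transport", AH_TRANSPORT), ("AH tunnel", AH_TUNNEL), ("ESP", ESP_PKT)]:
        print(name, parse_ipsec(pkt))
```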
Enhanced Security and Cost Savings
Enhanced, multi-layered security and significant cost savings
are among the benefits of IPSec implementation in a trusted virtual network.
Intranets/Branch Office Connectivity
Large corporations can save money as more and more IPSec VPN solutions are
implemented. Remote users can reach the corporate network through the Internet
via an ISP instead of over dial-up lines. Connecting through a local ISP and
using IPSec for encryption can significantly lower telephone charges and
equipment costs.
Extranets
IPSec offers the ability to create virtual, protected links
through the Internet to customers, vendors and other business partners. Faster,
more efficient order placement, reduced warehousing, lower sales costs and many
other benefits of online commerce can help generate savings.
Corporate LANs
IPSec can be used to create trusted virtual workgroups to
help protect sensitive corporate data. For example, the R&D
department can be protected from other departments that do not have a ‘need to
know’ with respect to this group’s
confidential information. Or employee records residing in the human resources
department can be protected from unauthorized access.
Conclusion
The prospects for the new electronic business model, the Trusted Virtual
Network, hold exciting possibilities for a wide variety of industries. By most
accounts, IPSec is well on its way to becoming the new framework for network
security. IT professionals will begin to see IPSec capabilities deployed in
1999, and it is expected to become a fully deployed, integral part of the
network in the year 2000.
Courtesy: Intel