1) IPSec protocol is used for creating means for secure exchange of information between systems and networks on the Internet. IPsec protocol helps users to create “private groups” based on common interest, independently from specifications of the networks they are using.
2) IPSec protocol includes two protocols: Authentication Header (AH) and Encapsulating Secure Payload (ESP). AH creates an envelope that ensures authentication of the source of the information, the completeness and protection from double messaging. This way AH offers layers of ways to protect from malicious users. With help of AH every packet is authenticated, which makes ineffective programs that are trying to capture the administration of the session.
Besides this AH protocol tries to ensure the authentication of the headers of IP-packets, not depending on the location of the IP-headers outside of the envelope it is creating. AH Authentication prevents IP-header line manipulation during the transfer of the packet. Because of this reason protocol cannot be used in the environment where NAT (Network Address Translation – is a mechanism used for transferring network addresses) is being used. This is because NAT requires IP-header manipulation, which AH Authentication will not allow. ESP protocol ensures confidentiality of the information and executes functions of the AH protocol protection of the encrypted not authenticated information.
IPSec specification allows ESP protocol use without AH functions. However, it’s not a good idea to do this, unless you really know what you are doing and why. In ESP protocol it’s possible to use fictitious encryption, which is equal to AH implementation without IP-header. This allows using NAT mechanism, because in this method the addresses in the headers can be modified.
ESP and AH protocols are registered in IANA organization (Internet Address Naming Authority) and are entered into the protocol registry under the numbers 50 and 51. If you or your ISP already implemented basic rules of packet filtration on your gateway routers, then you need to add these two protocols to the list of allowed protocols. Because of the field “protocol type” of the header of IP-packet will now be identical with IPSec envelope, now the original type of transport protocol fits into the “protocol type” field inside of IPSec header.
IPSec protocol can be used in transport as well as tunnel mode. In the first case IPSec header is placed between network (IP) and transport (TCP or UDP) headers of the “normal” IP-packet. Transport mode is made for use on the end systems. Functioning in this mode will reflect in all applications in the systems and in most cases there will be a need for a reprogramming of the existing applications.
Tunnel mode IPSec requires regular IP-packets to be put inside of the IPSec envelope, and that envelope is placed inside of other IP-packet. This mode allows quickly implement tunnel IPSec systems across the network. To provide traffic security between networks configured this way is relatively easy task. At least the manual says so.
IPSec protocol connection is established by one-way agreement – SA (Security Association), therefore for each connection there is a need for two SA agreements. Each of them defines different configurations of IPSec connection, such as encryption algorithm and authentication algorithm. These algorithms are used when exchanging information between systems, session keys and etc. that conduct their work.
As we know IPSec is a collection of protocols which uses algorithms of authentication and encryption. Today there are two algorithms of authentication and seven algorithms of encryption. In AH and ESP protocols we can find implementation of authentication algorithms such as HMAC-MD5 and HMAC-SHA1. MD5 (Message Digest version 5, standard RFC #1321) works when both sides use common secret key with length of 128 bit and SHA1 (Secure Hash Algorithms version 1, standard FIPS 180-1) works when both sides use common secret key with length of 160 bit. Algorithm HMAC (Keyed-Hashing for Message Authentication Code) is defined in RFC 2104.
Which algorithm to choose, except required DES, is up to the developer. Possibility of algorithm choice gives him additional advantage: now an attacker not only has to break the encryption, but also must find out which encryption he needs to break. Not to mention the choice of keys that will be another additional factor which will leave little hope to timely decryption of the intercepted encrypted data.
In default mode both sides of IPSec network establish SA-agreements for secure messaging with each other using Oakley protocol. In fast mode, SA-agreements are set from IPSec protocol or any other service, which is requires information to create keys and/or communicating settings. Oakley protocol is developed in such a way, that it is not related to IPSec at all. For instance, to increase the security of the session process, we can use it together with SSL (Secure Sockets Layer) protocol version 4.0 instead of key exchange mechanism of SSL 3.0.
One thing that I like about IPSec – it is implemented on the IP-protocol level. This structure gives possibility of using TCP or UDP through its tunnels. And the main disadvantage of the IPSec – possibility to work only in IP-networks is neutralized by combined implementation with L2F (Layer 2 Forwarding, which performs readdressing on the 2nd level) and L2TP (Layer 2 Tunneling Protocol). These protocols allow encapsulation of the packets of a structure different from one that is implemented in IPSec.
After reading through this particular point various times I would like to add my 5 cents into the pile. However, I do not intent to follow authors’ path: “Again we stress that we did not perform a full analysis of all the ISAKMP protocols; we expect that there are further undiscovered weaknesses.” This doesn’t add extra credibility to the authors’. There is an Old Russian saying: “Measure 7 times, before you cut once”.
Speaking of measuring, for the last couple of years many researchers have analyzed the security of IPSec protocol. They have not found any “serious holes” in them so far, despite various complete testing. And those holes, that were found, are related to the misuse of the system or were fixed by developers. However, theoretical possibility of discovering vulnerabilities in IPSec, PPTP and all other protocols and/or applications exists.
Realization attacks are used the most often. These kinds of attacks do not require extensive mathematical knowledge. It’s enough to be a quality programmer and know human factor weaknesses. There are many examples of incorrect realization, which leads to the attack on the system. Let’s look at the following choices:
Secret encryption key is kept on the hard drive that has no controlled access.
Cryptographic key, that’s saved in the ROM, doesn’t get deleted after the use.
Open access to the “black lists” of the compromised keys.
Absence of the control of the entirety of the VPN system, which allows a malevolent user to change Exchange Protocol, which is responsible for encryption or sum check of the received packets.
Let’s point out some of the actual vulnerabilities in VPN protocols including IPSec. For instance, vulnerability of PPTP, that leads to denial of service in Windows NT OS, in network screen WatchGuard Firebox 2, routers Sisco and BinTec. IPSec has also exposed some of it’s vulnerabilities to the large official and underground public. For example, in OpenBSD there was a vulnerability that existed because of the incorrect processing of the AH/ESP packets (modes of IPSec). Windows 2000 as a tradition has attracted with vulnerability in key exchange IKE for IPSec in 2003.
Also, it’s necessary to mention attacks on the VPN equipment. Very often VPN is implemented using already existing network equipment such as Cisco 1720, or software/hardware of the inter network screens such as CheckPoint VPN-1 on the platform of Nokia IP Security Solutions. In addition there is specialized equipment to build VPN, such as Continent-K. And if any of the equipment used to build VPN uses TCP/IP, which means there is always a possibility of “denial of service” attacks that can alter the functioning of the equipment as well as temporary hang the network as a hole.
One of the most common attacks in IPSec based VPN networks as well as all other networks are the attack directed to/through the single user. It’s important to remember that there is an average user, and he/she is also an element of VPN and also is vulnerable to the attacks as well as other elements of VPN. User can give a disc with secret keys, or can simply lose the CD with secret keys and not notify the admin/security about the loss until the moment this user needs to use the secret keys.
In some systems user can independently create keys for encryption. Key generation is based on the passwords, which are chosen by the user. As we all know, an average user has a limited fantasy when picking keys. Therefore, this leads to things like “brute force” attack.
In conclusion, it’s very important to keep in mind one rule (this applies to all technologies including VPN): “Security of the entire system equals to the security of the weakest link” (Andre Berthiaume, CNS340 instructor has mentioned this rule in the class, in the beginning of the quarter). Therefore, it’s extremely important not only choose the strongest encryption algorithm and longest keys, but also to pay close attention to other elements of VPN – programming, equipment used, users, realization and etc.
References used:
1) http://www.securitylab.ru/32393.html
2) http://www.securitylab.ru/44613.html
3) http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml
4) http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169
5) http://secunia.com/advisories/11324/
6) http://www.securityfocus.com/archive/1/347351
7) http://support.microsoft.com/?kbid=324953
8) http://www.net-security.org/vuln.php?id=3439
9) http://www.winhackingexposed.com/news.html
Are you busy and do not have time to handle your assignment? Are you scared that your paper will not make the grade? Do you have responsibilities that may hinder you from turning in your assignment on time? Are you tired and can barely handle your assignment? Are your grades inconsistent?
Whichever your reason is, it is valid! You can get professional academic help from our service at affordable rates. We have a team of professional academic writers who can handle all your assignments.
Students barely have time to read. We got you! Have your literature essay or book review written without having the hassle of reading the book. You can get your literature paper custom-written for you by our literature specialists.
Do you struggle with finance? No need to torture yourself if finance is not your cup of tea. You can order your finance paper from our academic writing service and get 100% original work from competent finance experts.
Computer science is a tough subject. Fortunately, our computer science experts are up to the match. No need to stress and have sleepless nights. Our academic writers will tackle all your computer science assignments and deliver them on time. Let us handle all your python, java, ruby, JavaScript, php , C+ assignments!
While psychology may be an interesting subject, you may lack sufficient time to handle your assignments. Don’t despair; by using our academic writing service, you can be assured of perfect grades. Moreover, your grades will be consistent.
Engineering is quite a demanding subject. Students face a lot of pressure and barely have enough time to do what they love to do. Our academic writing service got you covered! Our engineering specialists follow the paper instructions and ensure timely delivery of the paper.
In the nursing course, you may have difficulties with literature reviews, annotated bibliographies, critical essays, and other assignments. Our nursing assignment writers will offer you professional nursing paper help at low prices.
Truth be told, sociology papers can be quite exhausting. Our academic writing service relieves you of fatigue, pressure, and stress. You can relax and have peace of mind as our academic writers handle your sociology assignment.
We take pride in having some of the best business writers in the industry. Our business writers have a lot of experience in the field. They are reliable, and you can be assured of a high-grade paper. They are able to handle business papers of any subject, length, deadline, and difficulty!
We boast of having some of the most experienced statistics experts in the industry. Our statistics experts have diverse skills, expertise, and knowledge to handle any kind of assignment. They have access to all kinds of software to get your assignment done.
Writing a law essay may prove to be an insurmountable obstacle, especially when you need to know the peculiarities of the legislative framework. Take advantage of our top-notch law specialists and get superb grades and 100% satisfaction.
We have highlighted some of the most popular subjects we handle above. Those are just a tip of the iceberg. We deal in all academic disciplines since our writers are as diverse. They have been drawn from across all disciplines, and orders are assigned to those writers believed to be the best in the field. In a nutshell, there is no task we cannot handle; all you need to do is place your order with us. As long as your instructions are clear, just trust we shall deliver irrespective of the discipline.
Our essay writers are graduates with bachelor's, masters, Ph.D., and doctorate degrees in various subjects. The minimum requirement to be an essay writer with our essay writing service is to have a college degree. All our academic writers have a minimum of two years of academic writing. We have a stringent recruitment process to ensure that we get only the most competent essay writers in the industry. We also ensure that the writers are handsomely compensated for their value. The majority of our writers are native English speakers. As such, the fluency of language and grammar is impeccable.
There is a very low likelihood that you won’t like the paper.
Not at all. All papers are written from scratch. There is no way your tutor or instructor will realize that you did not write the paper yourself. In fact, we recommend using our assignment help services for consistent results.
We check all papers for plagiarism before we submit them. We use powerful plagiarism checking software such as SafeAssign, LopesWrite, and Turnitin. We also upload the plagiarism report so that you can review it. We understand that plagiarism is academic suicide. We would not take the risk of submitting plagiarized work and jeopardize your academic journey. Furthermore, we do not sell or use prewritten papers, and each paper is written from scratch.
You determine when you get the paper by setting the deadline when placing the order. All papers are delivered within the deadline. We are well aware that we operate in a time-sensitive industry. As such, we have laid out strategies to ensure that the client receives the paper on time and they never miss the deadline. We understand that papers that are submitted late have some points deducted. We do not want you to miss any points due to late submission. We work on beating deadlines by huge margins in order to ensure that you have ample time to review the paper before you submit it.
We have a privacy and confidentiality policy that guides our work. We NEVER share any customer information with third parties. Noone will ever know that you used our assignment help services. It’s only between you and us. We are bound by our policies to protect the customer’s identity and information. All your information, such as your names, phone number, email, order information, and so on, are protected. We have robust security systems that ensure that your data is protected. Hacking our systems is close to impossible, and it has never happened.
You fill all the paper instructions in the order form. Make sure you include all the helpful materials so that our academic writers can deliver the perfect paper. It will also help to eliminate unnecessary revisions.
Proceed to pay for the paper so that it can be assigned to one of our expert academic writers. The paper subject is matched with the writer’s area of specialization.
You communicate with the writer and know about the progress of the paper. The client can ask the writer for drafts of the paper. The client can upload extra material and include additional instructions from the lecturer. Receive a paper.
The paper is sent to your email and uploaded to your personal account. You also get a plagiarism report attached to your paper.
GET A PERFECT SCORE!!! 
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.
Read moreEach paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.
Read moreThanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.
Read moreYour email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.
Read moreBy sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.
Read more