Westermo MR Series User Manual: Web Interface and Command Line Reference Guide (6622-3201)
www.westermo.com
Page 385
13 IPSec and VPNs
13.1 What is IPSec?
One inherent problem with the TCP/IP protocol suite used to carry data over the vast majority of LANs
and the Internet is that it provides virtually no security features: packets travel in the clear and nothing
authenticates where they came from. This lack of security, together with the publicity given to "hackers"
and "viruses", prevents many people from even considering using the Internet for any sensitive business
application. IPSec provides a remedy for these weaknesses by adding a comprehensive security "layer", at
the IP layer itself, to protect data carried over IP links.
IPSec (Internet Protocol Security) is a framework of IETF standards designed to authenticate peers and
data, and to secure data by encrypting it in transit. The protocols defined within IPSec include:
• IKE – Internet Key Exchange protocol (negotiates the security associations and session keys)
• ISAKMP – Internet Security Association and Key Management Protocol (the framework IKE is built on)
• AH – Authentication Header protocol
• ESP – Encapsulating Security Payload protocol
The integrity (authentication) algorithms include:
• HMAC – Hash-based Message Authentication Code, a keyed construction over a hash function such as:
• MD5 – Message Digest 5
• SHA-1 – Secure Hash Algorithm 1
and the cryptographic (encryption) algorithms include:
• DES – Data Encryption Standard
• 3DES – Triple DES
• AES – Advanced Encryption Standard (also known as Rijndael)
Two key protocols within the framework are AH and ESP. AH authenticates each packet (origin
authentication and integrity, covering the IP header as well as the payload) but does not encrypt it; ESP
encrypts the payload and can optionally authenticate it as well. The identities of the peers themselves are
authenticated when IKE sets up the connection. The combination of these techniques is designed to ensure
the integrity and confidentiality of the data transmission. Put simply, IPSec is about ensuring that:
• only authorised peers can access a service, and
• no one else can see, or undetectably alter, the data passing between one point and another.
There are two modes of operation for IPSec, transport mode and tunnel mode.
In transport mode only the payload of the IP packet (e.g. the TCP segment) is protected; the original IP
header stays in the clear, so an observer can still see which hosts are talking. In tunnel mode the entire
original IP packet, header included, is encapsulated and protected inside a new IP packet whose outer
header carries only the tunnel endpoints' (typically the VPN gateways') addresses, thereby providing a
higher degree of protection. In either mode the outer IP header must remain readable so that the packet
can be routed; AH authenticates its immutable fields, ESP does not cover it at all.
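As an added example (not code from the Westermo manual or firmware), the following Python builds the ESP framing for one constructed IPv4/TCP packet in transport mode and in tunnel mode, so the difference between what the outer header exposes and what the ESP payload protects can be seen byte by byte. The integrity check is HMAC-SHA1-96, which is a real IPsec ICV algorithm; the encryption is a stand-in keystream built from HMAC-SHA256 in counter mode (an assumption made because the standard library has no AES or 3DES, so it is not an IPsec-standard transform), and the keys, addresses and "TCP" bytes are constructed. The receiver verifies the ICV before decrypting, and the tamper check shows a modified packet being discarded.

```python
"""Added example, not from the Westermo manual: ESP framing in transport vs tunnel mode.

Integrity: HMAC-SHA1-96 (a real IPsec ICV algorithm, Python stdlib). Confidentiality: a
stand-in keystream (HMAC-SHA256 in counter mode) because the stdlib has no AES/3DES; it is
NOT an IPsec-standard transform and only stands in for AES-CBC/3DES-CBC here.
"""
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IP protocol number carried in the outer header for ESP
NH_TCP = 6       # ESP Next Header: payload is a TCP segment (transport mode)
NH_IPV4 = 4      # ESP Next Header: payload is a whole IPv4 packet (tunnel mode)
ICV_LEN = 12     # HMAC-SHA1-96 truncates the 20-byte HMAC-SHA1 tag to 96 bits

# Constructed keys for the example; a real security association receives them from IKE.
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 20

def addr(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; not needed for this demonstration)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, ip(src), ip(dst))

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in cipher: concatenated HMAC-SHA256(key, iv || counter) blocks, XORed with data."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]

def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """ESP packet (RFC 4303 layout): SPI | Seq | IV | Enc(inner | pad | pad_len | next_hdr) | ICV."""
    iv = struct.pack("!IIII", spi, seq, 0, 0)          # unique per packet on this SA (stand-in)
    pad_len = (-(len(inner) + 2)) % 4                  # trailer aligned to a 4-byte boundary
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(ENC_KEY, iv, len(plaintext))))
    authenticated = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv

def esp_decapsulate(esp: bytes) -> tuple:
    """Verify the ICV before touching the ciphertext, then decrypt; returns (spi, seq, inner, nh)."""
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed; packet discarded")
    spi, seq = struct.unpack("!II", authenticated[:8])
    iv, ciphertext = authenticated[8:24], authenticated[24:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(ENC_KEY, iv, len(ciphertext))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, plaintext[:len(plaintext) - 2 - pad_len], next_header

def transport_mode(orig: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: original IP header stays in the clear; only the TCP segment is protected."""
    esp = esp_encapsulate(spi, seq, orig[20:], NH_TCP)
    return ipv4_header(addr(orig[12:16]), addr(orig[16:20]), ESP_PROTO, 20 + len(esp)) + esp

def tunnel_mode(orig: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole original packet goes inside; a new outer header names the gateways."""
    esp = esp_encapsulate(spi, seq, orig, NH_IPV4)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp

def observer_view(pkt: bytes) -> tuple:
    """What an on-path observer can read from the outer header: (src, dst, protocol)."""
    return addr(pkt[12:16]), addr(pkt[16:20]), pkt[9]

def tamper_rejected(esp: bytes) -> bool:
    """Flip one ciphertext byte; the receiver must fail the ICV check rather than decrypt."""
    broken = bytearray(esp)
    broken[30] ^= 0x01
    try:
        esp_decapsulate(bytes(broken))
        return False
    except ValueError:
        return True

def demo() -> dict:
    # Constructed inner packet 10.0.0.5 -> 192.168.1.9 carrying a fake 16-byte "TCP segment".
    tcp = b"\x1f\x90\x00\x50" + b"constructed!"
    orig = ipv4_header("10.0.0.5", "192.168.1.9", NH_TCP, 20 + len(tcp)) + tcp
    t = transport_mode(orig, spi=0x1000, seq=1)
    u = tunnel_mode(orig, "203.0.113.1", "198.51.100.1", spi=0x2000, seq=1)
    _, _, inner_t, nh_t = esp_decapsulate(t[20:])
    _, _, inner_u, nh_u = esp_decapsulate(u[20:])
    return {
        "transport_view": observer_view(t),                   # inner hosts exposed
        "tunnel_view": observer_view(u),                      # only the gateways exposed
        "transport_recovers_tcp": nh_t == NH_TCP and inner_t == tcp,
        "tunnel_recovers_ip_packet": nh_u == NH_IPV4 and inner_u == orig,
        "inner_header_hidden_in_tunnel": orig[:20] not in u,
        "tamper_rejected": tamper_rejected(t[20:]),
    }
```

demo() returns the two observer views side by side: in transport mode the outer header still names 10.0.0.5 and 192.168.1.9, in tunnel mode only the gateway addresses, with protocol 50 in both. The anti-replay window that the sequence number makes possible is deliberately left out; a real implementation drops packets whose sequence number is repeated or too old before it even computes the ICV.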
13.2 Data Encryption Methods
There are several different algorithms available for securing data in transit over IP links. Each has its
own strengths and weaknesses, and the choice should be made with regard to the sensitivity of the data
being protected and to what the peer at the other end of the link supports. Some general statements may
be made about the relative merits, but users should satisfy themselves as to suitability for any particular
purpose.
13.2.1 DES (64-bit key, 56 bits effective)
This well-known and long-established algorithm has historically been used extensively in the banking and
financial world. Of the 64 key bits, 8 are parity bits, so the effective key length is 56 bits. It is relatively
"processor intensive", i.e. to run efficiently at high data rates a powerful processor is required. Its short
key makes it susceptible to exhaustive key search: a brute-force recovery of a single-DES key was publicly
demonstrated in 1998, and it should be regarded as obsolete, to be selected only where the peer supports
nothing stronger.