Cryptography Reference
In-Depth Information
(VPN), based upon IPSec, for secure Internet data transmissions. A descrip-
tion of a simple VPN is as follows. If Alice works for company A and wishes
to communicate with Bob who works for company B, both behind their respec-
tive security gateways, then her gateway automatically negotiates security with
his gateway. In this case, all IPSec processing is done behind these respective
gateways so no adversary can determine anything other than the fact that the
gates are communicating. Below, we will describe the details of such setups.
Remote logins for workers in large companies, as well as individuals away
from home, is becomingcommonplace. To do so securely is also becominga
necessary part of this fact. Whether it is for an individual's online bankingwhile
on vacation, or a company employee who needs to access sensitive corporate
files while at a business meetingaway from the workplace, Internet security is
becominga daily fact of life.
An advantage for end users having IPSec-security-enabled software is that
they can make local calls to an Internet Service Provider (ISP), and acquire
access to a corporate network, for instance. For employees of this corporation,
this reduces access costs when travellingor commutin. Moreover, when these
employees are at their workstations, they can achieve secure communications
with other corporate entities with whom they do business. Even when the
network used by employees has its own built-in security mechanism, IPSec com-
plements and intensifies that security. Moreover, unlike SSL/TLS, studied in
Section 5.7, the choice of cryptographic algorithm to be used, can be negotiated
in secret. With SSL/TLS, the negotiations are done in plaintext. Also, with
SSL/TLS, applications, such as e-mail, require that such cryptographic services
be requested, whereas IPSec-enabled computers automatically protect e-mail,
Web browsing, file transfers, and generally any data communications between
itself and any other IPSec-enabled computer. Even if the other computer is not
IPSec-enabled, the IPSec-enabled one can allow or disallow messages in a way
that is transparent to the user. (
Transparent
, in this context, means hardware
or software that works without user interference.)
How Does IPSec Work?
When IPSec is implemented as a boundary between unprotected and pro-
tected perimeters (such as in a firewall or router),
8.7
for a host or network, it
controls whether data crosses the boundary unrestricted, are subject to AH or
ESP security processing, or are discarded (say, if a replay data packet is de-
tected). Paths into an organization are protected against all bypass traJc if
it is specified that all outside traJc must pass through IP, say, in a firewall.
Moreover, given that IPSec is implemented at the network level, there is no
need to alter software or access to servers (see page 218). This also clearly has
the advantage that IPSec can be made transparent to end users. Yet, IPSec
8.7
In Section 8.4, we will learn about firewalls in depth. For now, think of them as network
gateway-server programs, that shield data of a network site from users situated in other
networks. Firewalls provide security in concert with what are called
router programs
, which
are mechanisms for directing data, via the best route possible, to the next network site enroute
toward the target site. Together they screen all data to decide action.
Search WWH ::
Custom Search