IPsec (Internet Protocol Security) is a suite of protocols and algorithms used primarily to secure data transmitted over the internet. The Internet Engineering Task Force (IETF) developed the IPsec protocols to provide security at the IP layer through authentication and encryption of IP packets.
Originally, IPsec defined only two protocols for securing IP packets: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides data integrity and anti-replay services, while ESP encrypts and authenticates data.
The IPsec suite also includes Internet Key Exchange (IKE), which is widely used to generate shared security keys in order to establish a security association (SA). Security associations are needed for the encryption and decryption processes and to negotiate a security level between two entities. A special router or firewall that sits between the two networks is required to handle the security association negotiation.
Architecture of IPsec:
Read the article Architecture of IPsec for complete details.
Protocols behind IPsec:
There are four main protocols behind IPsec:
1. Internet Protocol Authentication Header (IP AH): The Authentication Header provides data integrity and transport protection services. AH was designed to add authentication data to IP packets; it provides data integrity, authentication, and anti-replay protection, but one of its drawbacks is that it does not provide encryption. Anti-replay protection guards against the unauthorized retransmission of captured packets. A further disadvantage is that it does not protect the confidentiality of data at all.
2. Internet Protocol Encapsulating Security Payload (IP ESP): ESP is specified in RFC 4303. It provides authentication, integrity, and confidentiality by encrypting IP packets. Authentication of the payload is one of its important features.
3. Internet Key Exchange (IKE): IKE is a protocol that enables two systems or devices to establish a secure communication channel even over an unreliable network. It does this through a series of key exchanges that create a secure tunnel between a client and a server, through which they can send encrypted traffic. The security of the tunnel is based on the Diffie-Hellman key exchange method, one of the most widely used key-agreement techniques.
4. Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP is specified as part of the IKE protocol. It is a framework for key establishment, authentication, and negotiation of a security association for the secure exchange of packets at the IP layer. In other words, this protocol defines the security parameters that govern how two systems communicate with each other. Each security association defines a connection in one direction, from one host to another. The security association includes all attributes required for the connection, including the cryptographic algorithm, the IPsec mode, the encryption key, and any other parameters related to data transmission that are needed to establish a secure connection.
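The AH and ESP descriptions above mention an ICV-based integrity check and an anti-replay service without showing how a receiver applies them. The following is an added example (not code from the original article) that builds an authenticated ESP packet with the RFC 4303 layout (SPI, sequence number, payload, padding, pad length, next header, ICV) and processes it on the receiving side in the order the RFC prescribes: a cheap anti-replay check first, then ICV verification, and only then the window update. Encryption is omitted so the payload stays readable; the key, SPI and payloads are constructed test values, and the 64-packet window size is the RFC default.

```python
import hashlib
import hmac
import struct

# Truncated HMAC-SHA-256-128 ICV, the common ESP integrity algorithm (RFC 4868).
ICV_LEN = 16
ESP_HDR = struct.Struct("!II")  # SPI, Sequence Number (RFC 4303 section 2)


def build_esp_packet(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """Build an integrity-protected ESP packet (no encryption, for illustration only)."""
    # RFC 4303 requires the two-byte trailer (Pad Length, Next Header) to end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # default monotonic padding bytes from the RFC
    trailer = bytes([pad_len, next_header])
    authenticated = ESP_HDR.pack(spi, seq) + payload + padding + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3); default size is 64 packets."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0   # bit i set <=> sequence number (top - i) has already been received

    def check(self, seq: int) -> bool:
        """Is seq acceptable? Read-only, so a packet with a bad ICV never moves the window."""
        if seq == 0:
            return False  # sequence number 0 is never valid when anti-replay is enabled
        if seq > self.top:
            return True   # new packet to the right of the window
        diff = self.top - seq
        if diff >= self.size:
            return False  # too old: fell off the left edge of the window
        return not (self.bitmap >> diff) & 1  # inside the window: reject duplicates

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after the ICV check has passed."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped beyond the whole window; only seq itself is marked
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive_esp_packet(packet: bytes, auth_key: bytes, window: ReplayWindow):
    """Return (spi, seq, payload, next_header), or None when the packet is rejected."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        return None
    spi, seq = ESP_HDR.unpack_from(packet)
    if not window.check(seq):           # 1. anti-replay check before any crypto work
        return None
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # 2. constant-time ICV verification
        return None
    window.update(seq)                  # 3. window advances only for authenticated packets
    pad_len, next_header = authenticated[-2], authenticated[-1]
    if len(authenticated) < ESP_HDR.size + 2 + pad_len:
        return None                     # inconsistent trailer
    payload = authenticated[ESP_HDR.size:-(2 + pad_len)]
    return spi, seq, payload, next_header


if __name__ == "__main__":
    key = b"constructed-demo-key"       # constructed; real keys come from IKE
    win = ReplayWindow()
    pkt = build_esp_packet(0x1000, 1, b"hello", 4, key)
    print(receive_esp_packet(pkt, key, win))   # accepted on first delivery
    print(receive_esp_packet(pkt, key, win))   # None: the same sequence number is a replay
```

Note the ordering in `receive_esp_packet`: a replayed or out-of-window packet is dropped before the HMAC is computed, which limits the work an attacker can force on the receiver, while a forged packet with a fresh sequence number cannot advance the window because `update` runs only after the ICV verifies.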
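Items 3 and 4 describe IKE establishing keys with Diffie-Hellman and then deriving the parameters of a security association. The following added example (not code from the original article or from any IKE implementation) walks through that exchange: each peer publishes only its public value and a nonce, both compute the same shared secret, and the secret is expanded into SA keying material using the SKEYSEED and prf+ structure of IKEv2 (RFC 7296 section 2.14) with HMAC-SHA-256 as the prf. The group (a 127-bit Mersenne prime with generator 5), the `IkePeer` class, the nonces and the omission of the SPIs from the prf+ input are simplifications made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for readability: the 127-bit Mersenne prime with generator 5.
# Real IKE negotiates one of the MODP groups from RFC 3526 (2048 bits or larger).
TOY_P = (1 << 127) - 1
TOY_G = 5


def valid_public_value(p: int, y: int) -> bool:
    """Reject degenerate values (0, 1, p-1) that would force the shared secret to a known constant."""
    return 1 < y < p - 1


class IkePeer:
    """One side of the IKE_SA_INIT Diffie-Hellman exchange (hypothetical helper for this example)."""

    def __init__(self, name: str, private=None, p: int = TOY_P, g: int = TOY_G):
        self.name, self.p, self.g = name, p, g
        # x stays on this host; a fixed value may be passed in to make runs reproducible
        self.private = private if private is not None else secrets.randbelow(p - 2) + 1
        self.public = pow(g, self.private, p)          # g^x mod p: the only value sent on the wire

    def shared_secret(self, peer_public: int) -> int:
        if not valid_public_value(self.p, peer_public):
            raise ValueError("invalid peer Diffie-Hellman public value")
        return pow(peer_public, self.private, self.p)  # g^(xy) mod p, identical on both sides


def derive_keymat(shared: int, nonce_i: bytes, nonce_r: bytes, length: int = 64) -> bytes:
    """SKEYSEED = prf(Ni | Nr, g^ir); KEYMAT = prf+(SKEYSEED, Ni | Nr), SPIs omitted here."""
    secret = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    skeyseed = hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()
    salt = nonce_i + nonce_r
    out, prev, counter = b"", b"", 1
    while len(out) < length:             # prf+: T1 = prf(K, S|1), T2 = prf(K, T1|S|2), ...
        prev = hmac.new(skeyseed, prev + salt + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def run_exchange(priv_i=None, priv_r=None, nonce_i=None, nonce_r=None):
    """Simulate IKE_SA_INIT and return the keying material computed independently by each side."""
    nonce_i = nonce_i if nonce_i is not None else secrets.token_bytes(16)  # constructed nonces
    nonce_r = nonce_r if nonce_r is not None else secrets.token_bytes(16)
    initiator = IkePeer("initiator", private=priv_i)
    responder = IkePeer("responder", private=priv_r)
    # Over the network: initiator -> responder: (public_i, nonce_i); responder -> initiator: (public_r, nonce_r)
    secret_i = initiator.shared_secret(responder.public)
    secret_r = responder.shared_secret(initiator.public)
    return derive_keymat(secret_i, nonce_i, nonce_r), derive_keymat(secret_r, nonce_i, nonce_r)


if __name__ == "__main__":
    keymat_i, keymat_r = run_exchange()
    print("both sides agree:", keymat_i == keymat_r)
    print("SA keying material:", keymat_i.hex())
```

An eavesdropper sees both public values and both nonces but neither private exponent, so it cannot compute `g^(xy)`; the nonces ensure that even a reused Diffie-Hellman secret would yield fresh SA keys. Real IKE also authenticates the exchange (with certificates or pre-shared keys) so that the peer on the other end of the tunnel is who it claims to be, which a bare Diffie-Hellman exchange does not provide.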
Uses of IPsec:
IPsec is primarily used to protect sensitive data and to provide secure transfer of information such as financial transactions, medical records, and corporate communications. It is also used to secure virtual private networks (VPNs), where IPsec tunneling encrypts all data sent between two endpoints or hosts. IPsec can also encrypt application-layer data and provide strong security for routers sending routing data across the public internet. Providing authentication without encryption is another notable feature of IPsec.
Without IPsec, data can still be transmitted securely using encryption at the application or transport layers of the Open Systems Interconnection (OSI) model. At the application layer, Hypertext Transfer Protocol Secure (HTTPS) performs the encryption, while at the transport layer the Transport Layer Security (TLS) protocol provides it. However, encrypting and authenticating only at these higher layers increases the chance of data exposure, since the IP headers and any traffic that does not use those protocols remain unprotected.
Advantages of IPsec:
- IPsec provides network-layer security: it works at the network layer and is transparent to applications.
- It provides confidentiality for any kind of data exchange.
- Because it is implemented at the network layer, IPsec does not depend on applications.
Disadvantages of IPsec:
- IPsec has a wide access range: in IPsec networks, granting access to a single device can give access privileges to other devices too.
- In many cases it causes incompatibility issues with different software.
- In many cases, IPsec leads to high CPU usage.