UNIT III

NETWORK SECURITY BEST PRACTICES

1. Segment

The first best practice is to segment your network into zones. The basic
segmentation for a perimeter firewall in a small organization isolates the
internal network from external networks, usually by adding a demilitarized
zone (DMZ) between them for the Internet-facing services.

Internal network zones may be created along functional or business-group
lines. Examples of business groups are HR, finance, research and
development, and visitor Wi-Fi. Examples of functional groups are web,
database, email, core network services (such as DNS and Microsoft Active
Directory), and IoT services such as building management or surveillance
systems. Segmented networks allow least-privilege access to be enforced at
every zone boundary: traffic between zones is denied unless a rule
explicitly permits it. This is the foundation for zero trust and for the
next best practice.
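The following is an added example, not part of the original notes: a small zone policy evaluator that models the default-deny, least-privilege behaviour described above. The zone names, CIDR blocks, rules and sample flows are assumptions constructed for the example; a real firewall would hold them in its rule base, but the logic (most-specific zone wins, implicit deny at the end) is the same.

```python
"""Zone-based least-privilege policy check (added example, stdlib only).

Zones are CIDR blocks; a flow is allowed only if an explicit rule permits
traffic from its source zone to its destination zone on that port.
Everything else is denied (default deny), which is what least-privilege
access across zone boundaries means in practice.  The zone names,
addresses, rules and flows below are constructed for this example.
"""
from ipaddress import ip_address, ip_network

# Assumed zone layout for a small perimeter firewall: one DMZ plus internal
# zones cut along functional and business-group lines.
ZONES = {
    "internet":   [ip_network("0.0.0.0/0")],        # catch-all, least specific
    "dmz-web":    [ip_network("203.0.113.0/28")],
    "db":         [ip_network("10.10.20.0/24")],
    "core":       [ip_network("10.10.0.0/24")],     # DNS, Active Directory
    "hr":         [ip_network("10.20.10.0/24")],
    "guest-wifi": [ip_network("10.99.0.0/16")],
    "iot-bms":    [ip_network("10.50.0.0/24")],     # building management
}

# Explicit allow rules: (src_zone, dst_zone, proto, dst_port).
# Anything not listed here is dropped by the implicit final deny.
RULES = [
    ("internet",   "dmz-web",  "tcp", 443),
    ("dmz-web",    "db",       "tcp", 5432),
    ("dmz-web",    "core",     "udp", 53),
    ("hr",         "core",     "udp", 53),
    ("hr",         "core",     "tcp", 88),    # Kerberos to AD
    ("hr",         "core",     "tcp", 389),   # LDAP to AD
    ("guest-wifi", "internet", "tcp", 443),
    ("guest-wifi", "internet", "tcp", 80),
    ("iot-bms",    "core",     "udp", 123),   # NTP only; nothing else leaves the IoT zone
]

def zone_of(addr):
    """Return the most specific zone containing addr (0.0.0.0/0 is the fallback)."""
    ip = ip_address(addr)
    best, best_len = None, -1
    for name, nets in ZONES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def evaluate(src, dst, proto, port):
    """Return (verdict, reason) for one flow under a default-deny policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow", f"intra-zone {sz}"
    for rs, rd, rp, rport in RULES:
        if (rs, rd, rp, rport) == (sz, dz, proto, port):
            return "allow", f"rule {sz}->{dz} {proto}/{port}"
    return "deny", f"no rule {sz}->{dz} {proto}/{port} (implicit deny)"

# Constructed sample flows, in the shape of a flow log: src, dst, proto, dst port.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.5",  "tcp", 443),   # internet -> web: allowed
    ("203.0.113.5",  "10.10.20.8",   "tcp", 5432),  # web -> db: allowed
    ("198.51.100.7", "10.10.20.8",   "tcp", 5432),  # internet -> db: denied
    ("10.99.3.4",    "10.10.0.10",   "tcp", 445),   # guest -> AD over SMB: denied
    ("10.50.0.9",    "198.51.100.7", "tcp", 443),   # IoT -> internet: denied
    ("10.20.10.5",   "10.10.0.10",   "tcp", 88),    # hr -> AD Kerberos: allowed
]

def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow; returns a list of (flow, verdict, reason)."""
    return [(f, *evaluate(*f)) for f in flows]

if __name__ == "__main__":
    for flow, verdict, reason in audit():
        print(f"{verdict:5} {flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<5} {reason}")
```

Running the audit over a real flow export is a quick way to find traffic that only works because a zone boundary is missing; every "deny" that corresponds to something currently working is a segmentation gap.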

2. Trust but Verify

In the zero trust model, the data itself is the new perimeter, and the
rule is "never trust, always verify". Access to data is granted only to
the people, devices, systems, and applications that need it as part of a
defined role, and every request is verified regardless of which network
it comes from. To implement zero trust, deploy role-based access controls
and identity management systems that can verify each access request.

This includes:

 Using multi-factor authentication for people.

 Ensuring that the device or machine the request comes from complies
with company requirements (for example, it is not infected or rooted).

 Using PKI-based certificates to identify and authenticate applications
and systems.

Once verified, the connection context and the device can be monitored for
any change in state. For example, the connection context changes if the
client launches a network or application exploit after the connection is
established. IDS/IPS technologies can detect this and terminate the
session.

3. Secure IoT

IoT security is an extension of the "Trust but Verify" best practice. IoT
devices connected to the network are ubiquitous today. As with shadow IT,
employees may connect IoT devices to the network without first getting
approval. There is a good chance the device is vulnerable, and if it is
exposed to the Internet it will probably be discovered and compromised by
a botnet.

Companies can discover such devices when they connect by using products
that specialize in IoT for different industries, such as enterprise,
healthcare, manufacturing, and utilities. All industries are exposed
through enterprise IoT devices such as IP cameras and HVAC or building
management systems, so include solutions that detect these devices as
well. In industries like healthcare, manufacturing, and utilities that run
sanctioned IoT devices in production, apply security controls that do not
impede the devices' normal functions.

Securing IoT involves:

 Discovering and classifying the IoT device.

 Automatically segmenting the device using firewall policy.

 Preventing exploits of known vulnerable devices using IPS technologies.

4. Enable Security

Here we return to a recommendation worth restating: change your security
settings from detect to prevent. First, enable security that matches the
data, device, user, or system you are securing, including:

 Safe Internet Access: Users downloading files from the Internet need
advanced threat prevention such as sandboxing and Content Disarm &
Reconstruction (CDR) to protect them from malicious files.

o CDR gives the user a sanitized copy of the file immediately (active
content such as macros and embedded scripts is stripped), while the
original is detonated in a virtual sandbox to watch for malicious
behaviour.

o Likewise, users should be blocked from visiting malicious sites that
serve drive-by malware.

o No user is immune to targeted spear phishing, so anti-phishing
protections are vital as well.

 Secure Data: Prevent the inadvertent loss of sensitive data with Data
Loss Prevention (DLP) technologies. Users sometimes send work to a
personal email account, inadvertently or out of convenience. DLP provides
both enforcement and visibility into how employees use company data.

 Device Security: Firewalls control large groups of computers, but
sometimes per-device security is needed.

o Endpoint security products for laptops and BYOD devices apply the zero
trust model's micro-segmentation practice by creating a security layer on
each mobile device itself.

5. Security is a Process, not a Product

Here we revisit one of the top cyber security recommendations from the
2021 Security Report: be cyber-aware and use threat intelligence to your
advantage. Applied to network security, this means:

 Create and Communicate your Security Plan: Have a security plan in
place and communicate it to your employees so that they follow company
guidelines. Together with employee training, this raises awareness and
gives staff concrete guidelines to follow.

 Build Resilient Security: The likelihood that any company will be
attacked is high, so design and build resilient security systems. Cyber
security resilience means the business keeps operating even while under
attack.

 Audit Regularly: Regular security audits identify weaknesses such as
open ports, insecure protocols (for example TELNET, which sends
credentials in clear text), and insecure configurations (for example
default passwords).

o An audit may also find sensitive data that is not protected at rest,
in transit across the network, or in use. Encrypting data at rest and
using VPNs for data in transit protects it from eavesdropping and limits
the damage when a breach occurs.

o Security audits can be augmented by hiring a third party to perform
penetration testing or a security assessment to identify gaps.

 Security Maintenance: The top consideration here is to regularly back
up and update your security systems and other connected network devices.

o Even firewalls can be vulnerable. Follow "8 Firewall Best Practices for
Securing the Network" for hardening the firewall itself and its
configuration.

o Regularly backing up system configurations and data lets you recover
when systems fail, when administrators make mistakes, and, in the worst
case, when a breach occurs.

 Security Change Control: A change control process reduces
configuration errors and ensures that changes are tracked and that their
effect is analyzed and measured before they go live.

 Optimize Security: In addition to regular audits, security systems
should be monitored to ensure they keep performing as devices are added
to the network or more load is placed on it.

o Firewalls need to do deep packet inspection, which adds latency and
lowers throughput. Use security systems that can scale as needed to meet
demand.

AUTHENTICATION APPLICATIONS

Authentication is the process of verifying the identity of a user or of
information. User authentication verifies the identity of a user when that
user logs in to a computer system.

There are different types of authentication systems:

1. Single-Factor authentication: This was the first method developed.
The user enters a username and a password; if either is wrong, the user
is not allowed to log in or access the system.
Advantages of Single-Factor Authentication:
 It is simple and straightforward to use.
 It costs almost nothing.
 The user does not need any special technical skills.
Disadvantages of Single-Factor Authentication:
 Security rests entirely on the password: it depends on the strength of
the password the user chooses and on the password never being guessed,
phished, or reused from a breached site.
 The protection level is therefore low.

2. Two-factor Authentication: The user has to give a username and
password plus a second piece of evidence. Common second factors are
hardware tokens, software (virtual) tokens, and one-time passwords (OTP).
Advantages of Two-Factor Authentication:
 It provides better security than single-factor authentication, because
a stolen password alone is no longer enough to log in.
 Productivity and flexibility increase, since users can safely work
from more locations and devices.
 It helps preserve trust in the system.
Disadvantages of Two-Factor Authentication:
 It takes more time for the user at each login.

3. Multi-Factor authentication: Two or more factors of different kinds
are required (something you know, something you have, something you are).
This gives the user better security: a keylogger or a phishing page that
captures the password still does not yield the second factor. It does not
make attacks impossible; real-time phishing proxies and malware on the
user's device can still capture one-time codes, so phishing-resistant
factors (such as FIDO2/WebAuthn hardware keys) are preferred where
possible.
Advantages of Multi-Factor Authentication:
 Far lower risk from password theft.
 A captured password or keystroke log is not enough by itself.
 Compromise of one factor does not compromise the account.
Disadvantages of Multi-Factor Authentication:
 It is time-consuming.
 It can rely on third parties (token vendors, SMS carriers, identity
providers).

The main objective of authentication is to allow authorized users to
access the computer and to deny access to unauthorized users. Operating
systems generally identify and authenticate users in the following three
ways: passwords, physical identification, and biometrics. These are
explained below.
1. Passwords: Password verification is the most popular and commonly used
authentication technique. A password is a secret text that is supposed to
be known only to the user. In a password-based system each user is
assigned a valid username, and a password is set either by the system
administrator or by the user; the system should store only a salted hash
of the password, never the password itself.

2. Physical Identification: This technique includes machine-readable
badges, cards, or smart cards. In some companies a badge is required for
employees to pass the organization's gate. In many systems identification
is combined with a password: the user must insert the card and then
supply his or her password (something you have plus something you know).

3. Biometrics: This method of authentication is based on unique
biological characteristics of each user such as fingerprints, voice, face,
signature, and eyes. A biometric system needs:
 A scanner or other device to gather the necessary data about the user.
 Software to convert the data into a form that can be compared and
stored.
 A database that stores the templates of all authorized users.
Commonly used biometric traits are:
 Facial characteristics: humans are differentiated by features such as
eyes, nose, lips, eyebrows, and chin shape.
 Fingerprints: believed to be unique across the entire human
population.
 Hand geometry: hand geometry systems measure features of the hand such
as the shape, length, and width of the fingers.
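The following is an added example, not part of the original notes, covering the password technique just described and the OTP second factor mentioned under two-factor authentication above. The first factor stores and checks a salted PBKDF2 hash instead of the password; the second implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library. The user record, the fixed salt and the clock values are constructed for the example; the OTP secret is the RFC 6238 test secret, so the codes can be checked against the RFC's published vectors.

```python
"""Two-factor login check: salted password hash plus a TOTP code (added example).

Factor 1 stores only a salted PBKDF2 hash of the password.  Factor 2 is a
time-based one-time password per RFC 6238 (TOTP over RFC 4226 HOTP).
The user record, salt and clock values below are constructed for the example.
"""
import base64, hashlib, hmac, os, struct, time

PBKDF2_ROUNDS = 200_000   # assumed cost; tune so one check takes ~100 ms on the auth server

def make_password_record(password, salt=None):
    """Return (salt, hash) to store; the plaintext password is discarded."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def check_password(password, salt, stored):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, stored)

def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step), digits)

def check_totp(secret, code, now=None, step=30, window=1):
    """Accept the code for the current step or +-window steps (clock skew)."""
    now = time.time() if now is None else now
    base = int(now // step)
    return any(hmac.compare_digest(hotp(secret, base + k), code)
               for k in range(-window, window + 1))

# --- constructed user record: what the auth server would keep on disk ---
RFC6238_SECRET = b"12345678901234567890"        # the RFC 6238 test secret
SALT, PWHASH = make_password_record("correct horse battery staple",
                                    salt=bytes(range(16)))  # fixed salt for the demo only
USER = {"name": "alice", "salt": SALT, "pwhash": PWHASH,
        "totp_secret": base64.b32encode(RFC6238_SECRET).decode()}

def login(user, password, code, now):
    """Both factors must pass; returns 'ok', 'bad-password' or 'bad-otp'."""
    if not check_password(password, user["salt"], user["pwhash"]):
        return "bad-password"
    secret = base64.b32decode(user["totp_secret"])
    if not check_totp(secret, code, now):
        return "bad-otp"
    return "ok"

if __name__ == "__main__":
    # RFC 6238 test vector: at unix time 59 the 8-digit SHA-1 code is 94287082
    print(totp(RFC6238_SECRET, now=59, digits=8))
    print(login(USER, "correct horse battery staple", totp(RFC6238_SECRET, now=59), now=59))
    print(login(USER, "wrong", "000000", now=59))
```

Two details matter in production beyond what is shown: the server should also remember the last accepted TOTP counter so that a code cannot be replayed within its 30-second step, and the password check should run even when the username is unknown so that response timing does not reveal which accounts exist.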

KERBEROS
Kerberos provides a centralized authentication server whose function is
to authenticate users to servers and servers to users. Kerberos uses an
authentication server and a database of principal keys for client
authentication. It runs as a trusted third party known as the Key
Distribution Center (KDC). Each user and service on the network is a
principal, and each principal shares a long-term secret key with the KDC
(for users, the key is derived from the password).

The main components of Kerberos are:

 Authentication Server (AS): performs the initial authentication and
issues the ticket for the Ticket Granting Service (the ticket-granting
ticket, TGT).

 Database: the AS looks up the principal's key and access rights in the
database.

 Ticket Granting Server (TGS): issues the service ticket for the
application server.

Kerberos Overview:

 Step-1:
The user logs in and requests a service on the host. The client asks the
AS for a ticket-granting ticket.

 Step-2:
The AS verifies the user's access rights using the database and returns a
ticket-granting ticket together with a session key. The session key is
encrypted with the user's long-term key, which is derived from the user's
password; the TGT itself is encrypted with the TGS's key, so the client
can neither read nor alter it.

 Step-3:
The client decrypts its part of the reply using the password-derived key,
recovers the session key, and sends the TGT to the Ticket Granting Server
together with an authenticator. The authenticator contains the user name,
the client's network address and a timestamp, encrypted with the session
key.

 Step-4:
The TGS decrypts the ticket with its own key, uses the session key inside
it to decrypt and verify the authenticator, and then creates a service
ticket for the requested server together with a new session key for the
client and that server.

 Step-5:
The user sends the service ticket and a fresh authenticator to the server.

 Step-6:
The server decrypts the ticket with its own key, verifies the
authenticator with the session key from the ticket, and grants access to
the service. Optionally it returns the client's timestamp encrypted under
the session key so that the client can authenticate the server (mutual
authentication). After this the user can use the service.
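The six steps above, run end to end as an added example that is not part of the original notes and not an implementation of the real protocol (RFC 4120). Messages are Python dicts instead of ASN.1, the "cipher" is a toy encrypt-then-MAC built from HMAC-SHA256 standing in for the Kerberos enctypes, and the realm, principals, passwords and clock are constructed. What it does keep faithful is the structure: each ticket is readable only by the party whose key it is sealed under, every authenticator is a timestamp under the session key, the service keeps a replay cache, and the server proves itself to the client by returning the timestamp under the session key.

```python
"""Simplified Kerberos AS / TGS / AP exchanges (added example, stdlib only).

Teaching model of the six steps, not RFC 4120: the cipher is a toy
encrypt-then-MAC from HMAC-SHA256, messages are dicts, and the realm,
principals and keys are constructed.  Long-term user keys are derived
from passwords with PBKDF2, as the real AES enctypes do (string-to-key).
"""
import hashlib, hmac, json, os, time

def string2key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def seal(key, obj):
    """Toy authenticated encryption: HMAC-derived keystream XOR, then an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad key or tampered message")
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

REALM = "EXAMPLE.COM"      # constructed realm
SKEW = 300                 # seconds of clock skew tolerated, as in real Kerberos
LIFETIME = 8 * 3600        # ticket lifetime in seconds

class KDC:
    """Holds the AS and TGS roles plus the principal database."""
    def __init__(self):
        self.db = {  # principal -> long-term key (constructed)
            "alice": string2key("alice-pw", REALM + "alice"),
            "krbtgt": os.urandom(32),
            "http/web": os.urandom(32),
        }
    def as_exchange(self, client, now):                        # steps 1-2
        session = os.urandom(32)
        tgt = seal(self.db["krbtgt"], {"client": client, "key": session.hex(),
                                       "expires": now + LIFETIME})
        reply = seal(self.db[client], {"key": session.hex(), "service": "krbtgt"})
        return tgt, reply      # reply is readable only with the client's password-derived key
    def tgs_exchange(self, tgt, authenticator, service, now):  # step 4
        tgt_body = unseal(self.db["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(tgt_body["key"]), authenticator)
        if auth["client"] != tgt_body["client"] or abs(auth["time"] - now) > SKEW:
            raise PermissionError("authenticator does not match TGT")
        svc_key = os.urandom(32)
        ticket = seal(self.db[service], {"client": auth["client"], "key": svc_key.hex(),
                                         "expires": now + LIFETIME})
        reply = seal(bytes.fromhex(tgt_body["key"]), {"key": svc_key.hex(), "service": service})
        return ticket, reply

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()   # seen = replay cache
    def ap_exchange(self, ticket, authenticator, now):         # step 6
        t = unseal(self.key, ticket)
        if t["expires"] < now:
            raise PermissionError("ticket expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(auth["time"] - now) > SKEW:
            raise PermissionError("bad authenticator")
        if (auth["client"], auth["time"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((auth["client"], auth["time"]))
        # mutual authentication: only a holder of the ticket's session key can do this
        return seal(bytes.fromhex(t["key"]), {"time": auth["time"]})

def client_login(kdc, service, user, password, now):
    """Steps 1, 3 and 5 from the client's side; True if the server proved itself."""
    tgt, reply = kdc.as_exchange(user, now)
    sk = bytes.fromhex(unseal(string2key(password, REALM + user), reply)["key"])  # step 3
    ticket, reply2 = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "time": now}),
                                      service.name, now)
    svc_sk = bytes.fromhex(unseal(sk, reply2)["key"])
    auth = seal(svc_sk, {"client": user, "time": now})                            # step 5
    return unseal(svc_sk, service.ap_exchange(ticket, auth, now))["time"] == now

def attempt(kdc, service, user, password, now):
    """'ok' on success, otherwise the name of the failure raised along the way."""
    try:
        return "ok" if client_login(kdc, service, user, password, now) else "mutual-auth-failed"
    except (ValueError, PermissionError, KeyError) as e:
        return type(e).__name__

if __name__ == "__main__":
    kdc = KDC(); web = Service("http/web", kdc.db["http/web"])
    now = int(time.time())
    print(attempt(kdc, web, "alice", "alice-pw", now))    # ok
    print(attempt(kdc, web, "alice", "alice-pw", now))    # PermissionError: replay
    print(attempt(kdc, web, "alice", "wrong", now))       # ValueError: cannot open AS reply
```

Note where a wrong password fails: the KDC hands out the AS reply regardless, and the client simply cannot open it. That is why Kerberos deployments enable pre-authentication, which forces the client to prove knowledge of the password before the reply is issued; without it an attacker can request replies for any user and crack them offline.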

Kerberos Limitations

 Each network service must be modified individually for use with
Kerberos (it must be "Kerberized").
 It does not work well in a timesharing environment where many users
share one host, because tickets and keys cached on the host are exposed
to the other users.
 The KDC must be tightly secured; a compromised KDC compromises every
principal.
 It requires an always-on Kerberos server; if the KDC is unavailable,
nobody can authenticate.
 All principals' keys are stored in one database encrypted with a single
master key.
 It assumes workstations are secure; malware on a workstation can steal
the password or the cached tickets.
 A compromised KDC or service key may result in a cascading loss of
trust.
 Scalability: the KDC is a central dependency and must scale with the
number of principals and logins.

Applications

 User Authentication: This is the main application of Kerberos. Users
only have to enter their username and password once to gain access to the
network. The Kerberos server verifies the request and issues a ticket
granting ticket (TGT).
 Single Sign-On (SSO): Kerberos offers single sign-on: users log in once
and then access a variety of network resources. Once authenticated by the
Kerberos server, a user can access any network resource they are
authorized to use without providing credentials again, because the client
obtains service tickets from the TGS transparently.
 Mutual Authentication: Before any data is transferred, Kerberos can
authenticate both the client to the server and the server to the client.
This is done with the session key that the KDC generates for that client
and server pair and delivers inside the service ticket: the server proves
it could decrypt the ticket by returning the client's timestamp encrypted
under the session key. A client asks the Kerberos server for a service
ticket whenever it tries to access a new network resource.
 Authorization: Kerberos itself is an authentication protocol; the
decision to grant a specific right belongs to the service. Tickets can,
however, carry authorization data (in Active Directory, the Privilege
Attribute Certificate with the user's group memberships), which the
service uses to allow access only to the resources the user is permitted
to use.
 Network Security: Kerberos offers a central authentication server that
manages user credentials and access restrictions, which helps secure the
network: it authenticates users before granting them access to network
resources and so prevents unauthorized access to sensitive data.

X.509 AUTHENTICATION SERVICE


X.509 is the ITU-T (International Telecommunication Union) standard that
defines the format of public key certificates used in a public key
infrastructure (PKI). An X.509 certificate binds a public key to the
identity of its owner (a person, host, or organization) and is signed by a
certification authority (CA) that vouches for that binding. X.509
certificates are the basis of certificate-based authentication and are
used primarily for handling security and identity in computer networking
and Internet-based communications.

Working of X.509 Authentication Service Certificate:
The core of the X.509 authentication service is the public key certificate
associated with each user. These user certificates are assumed to be
produced by some trusted certification authority and placed in a directory
by the user or the CA. The directory servers themselves are not trusted;
they only provide an easily reachable location from which all users can
obtain certificates, and the CA's signature is what protects each
certificate. The X.509 format is defined in Abstract Syntax Notation One
(ASN.1) and encoded with DER. The certificate carries the subject's public
key; the corresponding private key stays with the subject and is used to
sign or decrypt, while anyone holding the certificate can verify the
subject's signatures or encrypt to the subject.

Once an X.509 certificate is issued to a user by the CA, the certificate
is presented by its owner like an identity card. Unlike a password, the
certificate can be shown to anyone without revealing a secret (the private
key stays with the owner), and it cannot be forged without the CA's
signing key. With this analogy it is easy to picture how authentication
works: the certificate is presented as identification to the resource that
requires authentication, and the owner proves possession of the matching
private key.

[Figure: Public key certificate use]

Format of X.509 Authentication Service Certificate:

Generally, the certificate includes the elements given below:
 Version number: the X.509 version (v1, v2, or v3) that the certificate
conforms to; v3 is the version that supports extensions.
 Serial number: a number, unique within the issuing CA, that the CA
assigns to the certificate.
 Signature Algorithm Identifier: the algorithm used by the CA to sign
the certificate (for example sha256WithRSAEncryption).
 Issuer name: the X.500 distinguished name of the CA that created and
signed the certificate.
 Period of Validity: the not-before and not-after dates between which
the certificate is valid.
 Subject Name: the name of the user (or host, or organization) to whom
the certificate has been issued.
 Subject's public key information: the subject's public key together
with an identifier of the algorithm with which that key is to be used.
 Extension block: additional standard information, such as key usage,
subject alternative names, and basic constraints (whether the subject may
act as a CA).
 Signature: the CA's digital signature over all the other fields: a
hash of those fields is computed and signed with the CA's private key.
Anyone with the CA's public key can verify it.
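To make the field list above concrete, here is an added example (not from the original notes) that assembles the DER skeleton of a v3 certificate with a minimal ASN.1 encoder and then walks it back with a minimal parser, labelling each field in the order the standard fixes. The subject and issuer names, serial number, dates, key bytes and signature bytes are placeholders, and the signature is not a real signature, so this demonstrates the structure, not a certificate that would verify; in practice you would use openssl or a library such as cryptography rather than hand-rolled ASN.1.

```python
"""Build and walk the DER skeleton of an X.509 certificate (added example).

Names, serial, dates, key and signature bytes are placeholders; the
'signature' is a fixed byte pattern, not a real signature.  Only the
standard library is used.
"""
import datetime

# ---- DER encoding helpers ----
def tlv(tag, body):
    """Tag-Length-Value with definite length (short form < 128, else long form)."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def seq(*items):        return tlv(0x30, b"".join(items))
def setof(*items):      return tlv(0x31, b"".join(items))
def integer(n):         # two's complement, minimal length, positive values only here
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True) if n else b"\x00")
def utf8(s):            return tlv(0x0C, s.encode())
def utctime(dt):        return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
def bitstring(b):       return tlv(0x03, b"\x00" + b)       # leading octet: 0 unused bits
def explicit(n, body):  return tlv(0xA0 | n, body)           # [n] EXPLICIT, context-specific
def oid(dotted):
    """Object identifier: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

# ---- DER parsing helpers ----
def parse_tlv(data):
    """Return (tag, value, rest); handles short and long length forms."""
    tag, n, i = data[0], data[1], 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(data[2:2 + k], "big"), 2 + k
    return tag, data[i:i + n], data[i + n:]

def children(body):
    out = []
    while body:
        tag, val, body = parse_tlv(body)
        out.append((tag, val))
    return out

# ---- assemble a certificate skeleton ----
CN = "2.5.4.3"                               # id-at-commonName
SHA256_RSA = "1.2.840.113549.1.1.11"         # sha256WithRSAEncryption
RSA_ENC = "1.2.840.113549.1.1.1"             # rsaEncryption
def name(cn): return seq(setof(seq(oid(CN), utf8(cn))))   # Name ::= SEQUENCE OF SET OF AVA

def build_certificate(subject_cn, issuer_cn, serial, not_before, not_after):
    tbs = seq(
        explicit(0, integer(2)),                   # version: v3 is encoded as 2
        integer(serial),
        seq(oid(SHA256_RSA)),                      # signature algorithm (copy inside TBS)
        name(issuer_cn),
        seq(utctime(not_before), utctime(not_after)),
        name(subject_cn),
        seq(seq(oid(RSA_ENC), tlv(0x05, b"")), bitstring(b"\x30\x00")),  # SPKI, placeholder key
        explicit(3, seq()),                        # extensions (empty placeholder)
    )
    fake_sig = b"\xAA" * 32                        # placeholder, NOT a real signature
    return seq(tbs, seq(oid(SHA256_RSA)), bitstring(fake_sig))

TBS_FIELDS = ["version", "serialNumber", "signature", "issuer", "validity",
              "subject", "subjectPublicKeyInfo", "extensions"]

def describe(cert_der):
    """Label the TBS fields and the outer signature of a DER certificate."""
    tag, body, rest = parse_tlv(cert_der)
    assert tag == 0x30 and not rest, "not a single SEQUENCE"
    tbs, sig_alg, sig = children(body)
    fields = children(tbs[1])
    if fields[0][0] != 0xA0:                       # no [0] version => v1; keep names aligned
        fields = [(None, b"")] + fields
    out = {label: val for label, (_, val) in zip(TBS_FIELDS, fields)}
    out["serialNumber"] = int.from_bytes(out["serialNumber"], "big", signed=True)
    out["signatureValue"] = sig[1][1:]             # drop the unused-bits octet
    return out

def example_certificate():
    return build_certificate("www.example.com", "Example CA", 0x1234,
                             datetime.datetime(2024, 1, 1), datetime.datetime(2025, 1, 1))

if __name__ == "__main__":
    info = describe(example_certificate())
    print({k: (v if isinstance(v, int) else len(v)) for k, v in info.items()})
```

The parser is deliberately positional: after the optional `[0]` version tag, the field order is fixed by the standard, which is why a verifier can locate the validity period or the public key without any schema at run time. A real verifier then re-hashes the whole TBS byte range and checks the outer signature over it with the issuer's key.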
Applications of X.509 Authentication Service Certificate:
Many protocols depend on X.509 and it has many applications, some of
them are given below:
 Document signing and digital signatures
 Web server security with Transport Layer Security (TLS) certificates
(formerly Secure Sockets Layer, SSL)
 Email certificates (S/MIME)
 Code signing
 Secure Shell (SSH), in implementations that accept X.509 certificates
in addition to plain SSH keys
 Digital identities

E-mail Security

Email (short for electronic mail) is a digital method of exchanging
messages between people over the Internet or other computer networks. With
it we can send and receive text messages, often with attachments such as
documents, images, or videos, from one person or organization to another.
In this section we cover the concept of email security, how email can be
protected, and email security best practices.

Features of a secure e-mail service provider

Not all well-known email services are confidential and protected; several
free ones may do more harm than good. Therefore, look for some or most of
the following requirements when choosing a secure email provider:

1. End-to-end encryption

No email service can call itself secure without end-to-end encryption.
With a standard service your message is encrypted only while in transit,
until it reaches the provider's servers (Gmail, Yahoo Mail, and so on),
where it is stored in readable form. With end-to-end encryption the text
can be read only by the sender and the receiver. The most widely used
end-to-end encryption for protected messages is Pretty Good Privacy (PGP)
and the OpenPGP standard derived from it.

2. Two-factor authentication (2FA)

2FA gives you an extra layer of protection and keeps your account safe
even if someone learns your password. By requiring something you must
have, such as a mobile phone or a hardware token, it makes breaking into
your inbox much harder. There are several 2FA options, from SMS codes
(the weakest, since they can be intercepted or SIM-swapped) to
authenticator apps and hardware keys.

3. Stripping metadata from headers

Each message carries metadata in its headers: the sending client,
sometimes the sender's IP address, and the recipient. For the sake of
sender and recipient confidentiality, secure email providers strip this
metadata from the headers they expose.

4. Location of the servers

Many countries are not friendly to private information. Some have
data-retention regulations that require your personal information to be
kept for a certain time. Members of the Five Eyes intelligence alliance
are the USA, the United Kingdom, Canada, Australia, and New Zealand. They
exchange intelligence with each other and are among the hardest
jurisdictions for a secure email provider to operate in.

The Need for a secure e-mail service

The benefits of using a secure email service should be evident by now. If
you still have questions about switching away from a service such as
Gmail, consider the following:

1. Protect the emails

After a message reaches their servers, Gmail, Hotmail, and other popular
services do not keep your confidential information encrypted in a way that
prevents them from reading it. This means they can read it, and an
attacker who compromises the account or the provider can read it as well.

2. Metadata header hiding

Even if your everyday email system authenticates your mail, that does not
mean it hides the metadata in the headers. Secure providers also hide
details about your email account, laptop, browser, and network, as well
as the receiver.

3. Do not be a commodity

If an email service is good and free to use, there is a good chance that
you are the product. Few users realize that Google historically scanned
Gmail content to target personalized advertisements (it announced in 2017
that it would stop doing so); with a free service you are helping the
provider earn money from your data.

4. Store your emails in a privacy-friendly place

The USA and any intelligence-sharing nation of the Fourteen Eyes may one
day wish to access your mailbox. If the vendor's database is in one of
those countries, that is much easier than obtaining access to a provider
hosted under Swiss jurisdiction.

Ultimately, remember that an email system is only as secure as the
password you have chosen. If someone can crack your password in a couple
of minutes, all the end-to-end encryption and no-logs policies go out the
window.

Working of secure email service

End-to-end encryption is the distinguishing characteristic of an encrypted
messaging service. It means that neither the mail service nor any third
party can decrypt your message; only the receiver can. By contrast, your
messages can be read by any standard email service provider such as
Google, and a provider that can read them can also be compelled or
compromised into handing them over.

For protection, Pretty Good Privacy (PGP) and Secure/Multipurpose Internet
Mail Extensions (S/MIME) are the most prominent options. PGP combines
symmetric and asymmetric encryption and relies on a web of trust between
users' keys, whereas S/MIME uses certificates that must be issued by a
certification authority at the organizational or public level. Using a
certificate guarantees that you are the sender of the message and that it
has not been tampered with by others.

Because of the encryption, neither criminals nor governments can read the
content of your communication. Note that the metadata (sender, recipient,
subject line, timestamps) is not protected by PGP or S/MIME and can still
be observed.

Encryption Levels

Here we discuss the different levels of encryption that are used to secure
email communication.

o Transport-level Encryption

Transport-level encryption guarantees that your email moves securely
across the network, hop by hop, as discussed before. It is not sufficient
on its own for confidential mail, because the provider sees the
unencrypted message once it arrives on their server. Transport Layer
Security (TLS), the successor of the Secure Sockets Layer (SSL), is used
to encrypt the email protocols (SMTP, IMAP, POP3) as well as other
protocols, such as HTTP (Hypertext Transfer Protocol) or FTP (File
Transfer Protocol), on top of TCP (Transmission Control Protocol).
Unfortunately it is still not enforced by all mail systems, and for an
ordinary user this is not obvious, since a mail client gives no easy way
to tell whether transport-level encryption was in effect for a given
message, unlike a web browser displaying a padlock icon.

o End-to-end Encryption

End-to-end encryption means that your text can be decrypted neither by
the email service provider nor by any other third party. Only the
receiver holds the private key required to unlock it, and only the sender
holds the private key used to sign it.

PGP
o PGP stands for Pretty Good Privacy and was created by Phil Zimmermann.
o PGP was designed to provide all four aspects of security, i.e.,
privacy, integrity, authentication, and non-repudiation, when sending
email.
o PGP uses a digital signature (a combination of hashing and public-key
encryption) to provide integrity, authentication, and non-repudiation,
and a combination of secret-key (symmetric) and public-key encryption to
provide privacy. Therefore a PGP message as a whole uses one hash
function, one one-time secret key, and two public/private key pairs: the
sender's pair for signing and the receiver's pair for encrypting the
secret key.
o PGP is available as open source, freely available software (GnuPG is
the most common implementation of the OpenPGP standard).
o PGP provides authentication through the use of digital signatures.
o It provides confidentiality through the use of symmetric block
encryption with a one-time session key.
o It provides compression using the ZIP algorithm, and e-mail
compatibility using the radix-64 (base64) encoding scheme.

Following are the steps taken by PGP to create secure e-mail at the sender
site:

o The e-mail message is hashed by using a hash function to create a
digest.
o The digest is encrypted with the sender's private key to form a signed
digest (the signature), and the signed digest is appended to the original
email message.
o The original message together with the signed digest is compressed and
then encrypted with a one-time secret key generated by the sender.
o The one-time secret key is encrypted with the receiver's public key.
o Both the encrypted secret key and the encrypted combination of message
and digest are sent together, radix-64 encoded for e-mail transport.

[Figure: PGP at the Sender site (A)]

Following are the steps taken by the receiver, using hashing and the same
combination of three keys, to recover and verify the original message:

o The receiver receives the encrypted secret key and the encrypted
message-plus-digest.
o The encrypted secret key is decrypted with the receiver's private key
to obtain the one-time secret key.
o The one-time secret key is used to decrypt (and decompress) the
combination of message and signed digest.
o The signed digest is decrypted with the sender's public key, and the
received message is hashed with the same hash function to create a fresh
digest.
o The two digests are compared; if they are equal, the message is
authentic and unaltered and all four aspects of security are preserved.

[Figure: PGP at the Receiver site (B)]
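The sender and receiver steps above, carried out end to end as an added example that is not part of the original notes and is not OpenPGP. Toy primitives stand in for the real ones so that it runs offline with the standard library: textbook RSA on fixed Mersenne primes replaces the OpenPGP public-key algorithms (no padding, a 128-bit truncated digest, never use it for real data), a SHA-256 counter-mode keystream replaces the symmetric block cipher, and zlib and base64 stand in for ZIP compression and radix-64 armor. The key pairs, the message and the packet layout are constructed for the example; what is kept faithful is the order of operations and which key is used at each step.

```python
"""PGP-style sign, compress, encrypt, wrap and armor (added example, stdlib only).

Toy RSA (no padding) and a SHA-256 keystream are used in place of the real
OpenPGP algorithms so the flow runs offline; the keys and message are
constructed for the example.
"""
import base64, hashlib, secrets, zlib

# ---- toy RSA: (n, e) public, (n, d) private; the primes are Mersenne numbers ----
def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

SENDER_PUB,   SENDER_PRIV   = rsa_keypair(2**61 - 1, 2**89 - 1)     # A's signing pair
RECEIVER_PUB, RECEIVER_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)   # B's encryption pair

def rsa_apply(key, x):
    """One modular exponentiation serves sign/verify and wrap/unwrap."""
    n, exp = key
    assert 0 <= x < n, "value must be smaller than the modulus"
    return pow(x, exp, n)

# ---- toy symmetric cipher keyed with the one-time session key ----
def stream_xor(key, data):
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def digest_int(msg):
    """SHA-256 truncated to 128 bits so it fits under the small toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

SEP = b"\n--SIG--\n"   # constructed separator between message and signed digest

def pgp_send(message, sender_priv, receiver_pub):
    """Sender A: hash, sign, append, compress, encrypt, wrap session key, armor."""
    sig = rsa_apply(sender_priv, digest_int(message))                      # signed digest
    body = zlib.compress(message + SEP + sig.to_bytes(32, "big"))         # message + signature
    session_key = secrets.randbits(126).to_bytes(16, "big")               # one-time secret key
    enc_body = stream_xor(session_key, body)
    wrapped = rsa_apply(receiver_pub, int.from_bytes(session_key, "big"))  # under B's public key
    packet = wrapped.to_bytes(32, "big") + enc_body
    return base64.b64encode(packet).decode()                               # radix-64 for e-mail

def pgp_receive(armored, receiver_priv, sender_pub):
    """Receiver B: unwrap session key, decrypt, decompress, split, verify digest."""
    packet = base64.b64decode(armored)
    session_key = rsa_apply(receiver_priv, int.from_bytes(packet[:32], "big")).to_bytes(16, "big")
    body = zlib.decompress(stream_xor(session_key, packet[32:]))
    message, sig_bytes = body.rsplit(SEP, 1)
    sig_int = int.from_bytes(sig_bytes, "big")
    # "decrypt" the signed digest with A's public key and compare with a fresh digest
    if sig_int >= sender_pub[0] or rsa_apply(sender_pub, sig_int) != digest_int(message):
        raise ValueError("signature check failed: message altered or wrong sender key")
    return message

if __name__ == "__main__":
    armored = pgp_send(b"Wire the funds on Monday.", SENDER_PRIV, RECEIVER_PUB)
    print(armored[:40] + "...")
    print(pgp_receive(armored, RECEIVER_PRIV, SENDER_PUB))
```

Two things the toy makes visible: the session key is fresh for every message, so encrypting the same text twice yields different ciphertext, and the receiver needs the sender's public key only for the final comparison, so a message signed with any other private key is rejected even though it decrypts cleanly.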

Disadvantages of PGP Encryption

o Administration is difficult: the different versions of PGP complicate
administration and key management.
o Compatibility issues: both the sender and the receiver must have
compatible versions of PGP. For example, if you encrypt an email with an
algorithm that the receiver's version of PGP does not support, the
receiver cannot read the data.
o Complexity: PGP is a complex technique. Other security schemes use
either symmetric encryption with one key or asymmetric encryption with
two different keys; PGP uses a hybrid approach that combines both.
o No recovery: if a user loses the passphrase protecting the private key,
the encrypted messages cannot be recovered. Administrators therefore need
a key escrow or additional-decryption-key arrangement in advance; no
special program can retrieve a lost passphrase afterwards.

S/MIME

S/MIME stands for Secure/Multipurpose Internet Mail Extensions. Through
encryption and digital signatures, S/MIME offers protection for business
email. S/MIME is an application of cryptography: it is a standard for
encrypting and digitally signing MIME e-mail, so users can sign their
emails as the owner (sender) of the e-mail and encrypt them for the
intended recipient.

How S/MIME Works

MIME allows non-ASCII data, such as music, video, image and document
files, to be sent over the Simple Mail Transfer Protocol (SMTP). S/MIME
adds security to this: the message is encrypted with the recipient's
public key (taken from the recipient's X.509 certificate) and can be
decrypted only with the private key held by the receiver of the e-mail.
The receiver decrypts the message and then uses it. In this way data is
shared by e-mail with end-to-end security provided by cryptography.
Advantages of S/MIME
1. It offers verification of the sender (authentication).
2. It offers message integrity.
3. By using digital signatures, it provides non-repudiation of origin.
4. It offers privacy (confidentiality).
5. Data security is ensured by the use of encryption.
6. Data files like images, audio, videos, documents, etc. can be
transferred securely.
Services of S/MIME
1. Digital signature, which provides data integrity and sender
authentication.
2. Message encryption, which provides confidentiality.
3. Combined signing and encryption, so data can be transferred by e-mail
without exposure.
Benefits of S/MIME
Encrypting and digitally signing an email ensures that the data
transmitted through email is confidential and true to its sender. S/MIME
protects an email in the following ways:

Email Encryption

The email content is encrypted with the recipient's public key the moment
the sender hits the Send button. Even if the email is intercepted, nobody
can view its content without access to the recipient's private key.

Data Confidentiality

Encrypting the email content ensures the confidentiality of the data and
attachments sent through the email. Any attempt to view the content is
defeated, since the data can be decrypted only with the private key unique
to the recipient.

Digital Signature

Once the S/MIME certificate is installed, the email can be digitally
signed as well as encrypted. The email is signed with the private key of
the sender and verified with the public key of the sender (obtained from
the sender's certificate). A valid signature shows that the email content
has not been tampered with.

Signature Authentication

When the sender digitally signs the email with their private key, the
recipient validates the signature with the sender's public key to ensure
that the email really comes from that sender.

Non-repudiation by the Sender

Each sender's signing key is unique and is bound to the user (and domain)
when the S/MIME certificate is issued and installed. This provides
non-repudiation: the sender cannot later deny having signed the message,
which matters in legal proceedings.

Content Integrity of the Email

When the recipient validates a digitally signed email with the sender's
public key, they are assured that the content has not been altered and is
intact as it was when sent.

IP SECURITY (IPSEC)
IPSec refers to a collection of communication rules or protocols used to
establish secure network connections. Internet Protocol (IP) is the
common standard that controls how data is transmitted across the
internet. IPSec enhances the protocol’s security by
introducing encryption and authentication. For example, it encrypts data
at the source and then decrypts it at the destination. It also verifies the
source of the data.
Uses of IP Security
IPsec can be used to do the following things:
 To encrypt application layer data.
 To provide security for routers sending routing data across the public
internet.
 To provide authentication without encryption, like to authenticate that
the data originates from a known sender.
 To protect network data by setting up circuits using IPsec tunneling in
which all data being sent between the two endpoints is encrypted, as
with a Virtual Private Network(VPN) connection.
What is IPSec Encryption?
IPSec encryption is a software function that encrypts data to protect it
from unauthorized access. Data encrypted with an encryption key must be
decrypted with the corresponding key before it can be read. IPSec supports
a variety of encryption algorithms, including AES, Blowfish, Triple DES,
ChaCha, and DES-CBC. IPSec combines asymmetric and symmetric encryption to
provide both speed and security during data transmission. In asymmetric
encryption, the encryption key is made public, while the decryption key
remains private. Symmetric encryption employs the same secret key to both
encrypt and decrypt data. IPSec builds a secure connection using
asymmetric encryption and then switches to symmetric encryption to speed
up data transmission.
Components of IP Security
It has the following components:
 Encapsulating Security Payload (ESP)
 Authentication Header (AH)
 Internet Key Exchange (IKE)
1. Encapsulating Security Payload (ESP): It provides data integrity,
encryption, authentication, and anti-replay protection. Its
authentication covers the payload.
2. Authentication Header (AH): It also provides data integrity,
authentication, and anti-replay protection, but it does not provide
encryption. The anti-replay protection guards against the unauthorized
retransmission (replay) of previously captured packets. AH does not
protect data confidentiality.

IP Header
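The anti-replay service that both ESP and AH provide is implemented with a sliding window over the sequence number carried in each packet (RFC 4303 section 3.4.3). The following is an added example written for these notes, not code from any IPsec implementation; the window size and the sample arrival order are constructed.

```python
"""Added example: the ESP/AH anti-replay sliding window (RFC 4303 3.4.3).

Every packet on an SA carries a monotonically increasing sequence number.
The receiver keeps the highest number accepted so far plus a bitmap of
which recent numbers it has seen, so a captured packet cannot be injected
again and packets older than the window are dropped.
"""


class AntiReplayWindow:
    """`highest` is the largest sequence number accepted so far; bit i of
    `bitmap` records whether sequence number (highest - i) was received."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.highest = 0   # no packet accepted yet
        self.bitmap = 0    # bit 0 corresponds to `highest`

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'stale'. Callers must verify the ICV
        first: a forged sequence number must never be allowed to move the
        window."""
        if seq == 0:
            return "stale"                  # 0 is never a valid number on an SA
        if seq > self.highest:              # right of the window: advance it
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1             # everything older falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "stale"                  # left of the window: too old
        if self.bitmap & (1 << offset):
            return "replay"                 # already received once
        self.bitmap |= 1 << offset          # late but new: accept and mark
        return "accept"


def replay_check_trace(seqs, size: int = 64):
    """Run a list of arrivals through one window and return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed arrival order: in-order, reordered, a duplicate, a jump far
# ahead, a late-but-new packet, and two packets that are now too old.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 3, 200, 140, 136, 4]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE_ARRIVALS, replay_check_trace(SAMPLE_ARRIVALS)):
        print(f"seq {seq:>4}: {verdict}")
```

Note the ordering requirement in the comments: the integrity check value is verified before the window is updated, otherwise an attacker who cannot forge packets could still disturb the window by sending junk with large sequence numbers.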

3. Internet Key Exchange (IKE): It is a network security protocol
designed to dynamically exchange encryption keys and negotiate a
Security Association (SA) between two devices. The Security Association
(SA) establishes shared security attributes between two network entities
to support secure communication. The Internet Security Association and
Key Management Protocol (ISAKMP) provides a framework for authentication
and key exchange. ISAKMP defines how Security Associations (SAs) are set
up and how direct connections between two hosts using IPsec are
established. Internet Key Exchange (IKE) provides message content
protection and also an open framework for implementing standard
algorithms such as SHA and MD5. With these algorithms, IPsec produces a
unique identifier (an integrity check value) for each packet. This value
allows the receiving device to determine whether a packet is authentic
and unmodified. Packets that fail this check are discarded and not passed
to the receiver.

Packets in Internet Protocol

IP Security Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or
data flow. These protocols are ESP (Encapsulation Security Payload) and
AH (Authentication Header). IPSec Architecture includes protocols,
algorithms, the DOI (Domain of Interpretation), and Key Management. All
these components work together to provide the three main services:
 Confidentiality
 Authenticity
 Integrity
IP Security Architecture

Working of IP Security
 The host checks whether the packet should be transmitted using IPsec or
not. Traffic that matches the security policy triggers IPsec processing,
and the sending system applies the appropriate encryption. The host
also checks incoming packets to verify whether they are properly
encrypted and authenticated.
 Then IKE Phase 1 starts, in which the two hosts (using IPsec)
authenticate themselves to each other to establish a secure channel. It
has two modes: Main mode, which provides greater security, and
Aggressive mode, which enables the hosts to establish an IPsec circuit
more quickly.
 The channel created in the previous step is then used to securely
negotiate how data will be encrypted across the IP circuit.
 Now IKE Phase 2 is conducted over the secure channel, in which the two
hosts negotiate the type of cryptographic algorithms to use for the
session and agree on the secret keying material to be used with those
algorithms.
 Then the data is exchanged across the newly created IPsec encrypted
tunnel. These packets are encrypted and decrypted by the hosts using
the IPsec SAs.
 When the communication between the hosts is completed or the session
times out, the IPsec tunnel is terminated by both hosts discarding the
keys.
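The IKE component described under "Components of IP Security" and the two IKE phases in the steps above both come down to one question: how does a Diffie-Hellman exchange turn into the per-direction keys that the IPsec SAs use? The following is an added example written for these notes, not code from any IKE daemon. The notes use the IKEv1 names Phase 1 and Phase 2; the derivation below follows IKEv2 (RFC 7296, sections 2.14 and 2.17), where the IKE SA keys play the Phase 1 role and the CHILD SA keying material plays the Phase 2 role. The DH modulus is a toy prime, not an IKE DH group, and the nonces and SPIs are constructed; the PRF is HMAC-SHA-256.

```python
"""Added example: IKEv2-style key derivation from a DH exchange (RFC 7296).

SKEYSEED = prf(Ni | Nr, g^ir)
{SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr} = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)
KEYMAT for the first CHILD (IPsec) SA = prf+(SK_d, Ni | Nr)
"""
import hashlib
import hmac
import secrets

# Toy DH parameters (constructed): 2^61 - 1 is prime but far too small for
# real use. Real IKE uses the MODP or ECP groups from RFC 3526 / RFC 5903.
P = (1 << 61) - 1
G = 3
KEY_NAMES = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF; HMAC-SHA-256 here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K,S) = T1 | T2 | ... with T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def dh_keypair():
    """Private exponent and public value g^x mod p for one peer."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def derive_ike_sa_keys(shared: int, n_i: bytes, n_r: bytes,
                       spi_i: bytes, spi_r: bytes, key_len: int = 32) -> dict:
    """Phase 1 analogue: from g^ir and the nonces to the seven IKE SA keys
    (SK_ai/SK_ei protect initiator->responder, SK_ar/SK_er the reverse)."""
    g_ir = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    skeyseed = prf(n_i + n_r, g_ir)
    material = prf_plus(skeyseed, n_i + n_r + spi_i + spi_r, key_len * len(KEY_NAMES))
    return {name: material[i * key_len:(i + 1) * key_len]
            for i, name in enumerate(KEY_NAMES)}


def derive_child_sa_keymat(sk_d: bytes, n_i: bytes, n_r: bytes, length: int) -> bytes:
    """Phase 2 analogue: keying material for the IPsec (CHILD) SA, which the
    peers then split into ESP/AH encryption and integrity keys."""
    return prf_plus(sk_d, n_i + n_r, length)


def run_exchange(n_i: bytes, n_r: bytes, spi_i: bytes, spi_r: bytes):
    """Both peers: exchange public values, compute the same g^ir, derive keys.
    Returns the initiator's and the responder's key sets (which must match)."""
    x_i, pub_i = dh_keypair()
    x_r, pub_r = dh_keypair()
    keys_i = derive_ike_sa_keys(pow(pub_r, x_i, P), n_i, n_r, spi_i, spi_r)
    keys_r = derive_ike_sa_keys(pow(pub_i, x_r, P), n_i, n_r, spi_i, spi_r)
    return keys_i, keys_r


# Constructed nonces and SPIs (in IKE they are random and carried in IKE_SA_INIT).
NI = bytes.fromhex("0a1b2c3d" * 4)
NR = bytes.fromhex("f0e1d2c3" * 4)
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")

if __name__ == "__main__":
    ki, kr = run_exchange(NI, NR, SPI_I, SPI_R)
    print("IKE SA keys agree:", ki == kr)
    print("SK_ei (initiator->responder):", ki["SK_ei"].hex())
    print("CHILD SA KEYMAT:", derive_child_sa_keymat(ki["SK_d"], NI, NR, 64).hex())
```

The point the steps above make, that Phase 2 runs "over the secure channel", is visible in the derivation: the CHILD SA keys are derived from SK_d, which itself exists only because the Phase 1 exchange succeeded, so nothing about the IPsec SA keys ever travels on the wire.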
What are IPSec modes?
 Tunnel: The IPSec tunnel mode is appropriate for sending data over
public networks because it improves data security against
unauthorised parties. The computer encrypts all data, including the
payload and header, and adds a new header to it.
 Transport: IPSec transport mode encrypts only the data packet’s
payload while leaving the IP header unchanged. The unencrypted
packet header enables routers to determine the destination address of
each data packet. As a result, IPSec transport is utilized in a closed and
trusted network, such as to secure a direct link between two
computers.
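To see exactly what the two modes do to a packet, here is an added example written for these notes, not code from any IPsec stack. It builds ESP packets in transport and tunnel mode and decapsulates them on the receiving side. ESP with NULL encryption (RFC 2410) and an HMAC-SHA-256-128 integrity check value (RFC 4868) is used so the layout stays visible in plain bytes; a real deployment would encrypt the payload with, for example, AES. The addresses, SPI, key and payload are constructed.

```python
"""Added example: ESP in transport and tunnel mode (RFC 4303 layout).

ESP = SPI | Sequence | payload | padding | pad length | next header | ICV
Transport mode: original IP header kept (protocol becomes 50), payload protected.
Tunnel mode:    whole original packet protected, new IP header prepended.
"""
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_IPIP, IPPROTO_ESP = 6, 4, 50
ICV_LEN = 16  # HMAC-SHA-256-128 truncates the MAC to 128 bits


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                         0, 0, 64, proto, 0, src_b, dst_b)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int, key: bytes) -> bytes:
    """With NULL encryption the 'ciphertext' is the plaintext, but the pad
    length and next header bytes must still end on a 4-byte boundary."""
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))            # default pad pattern 1,2,3,...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]  # covers SPI..next header
    return body + icv


def esp_decapsulate(esp: bytes, key: bytes):
    """Verify the ICV, then strip the trailer. Returns (spi, seq, next_header,
    inner) or raises ValueError, which is the correct outcome for a modified
    packet (it is then dropped and never reaches the receiver)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, inner


def is_authentic(esp: bytes, key: bytes) -> bool:
    """Convenience wrapper: True if the ICV verifies, False otherwise."""
    try:
        esp_decapsulate(esp, key)
        return True
    except ValueError:
        return False


def transport_mode(ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Keep the original addresses; ESP's next header records the original protocol."""
    hdr, payload = ip_packet[:20], ip_packet[20:]
    src = ".".join(str(b) for b in hdr[12:16])
    dst = ".".join(str(b) for b in hdr[16:20])
    esp = esp_encapsulate(spi, seq, payload, hdr[9], key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(ip_packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Protect the whole original packet; the new outer header carries the
    gateways' addresses and next header 4 marks IP-in-IP."""
    esp = esp_encapsulate(spi, seq, ip_packet, IPPROTO_IPIP, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


# Constructed sample: a host-to-host packet and a shared SA integrity key.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ORIGINAL = ipv4_header("10.1.1.5", "10.2.2.7", IPPROTO_TCP, 11) + b"hello world"

if __name__ == "__main__":
    t = transport_mode(ORIGINAL, 0x1000, 1, KEY)
    u = tunnel_mode(ORIGINAL, "203.0.113.1", "198.51.100.1", 0x2000, 1, KEY)
    print("transport: next header =", esp_decapsulate(t[20:], KEY)[2], "(TCP)")
    print("tunnel: inner packet restored =", esp_decapsulate(u[20:], KEY)[3] == ORIGINAL)
```

Comparing the two outputs shows the trade-off the notes describe: in transport mode the outer header still carries the real endpoint addresses, so routers can read them but so can anyone on the path; in tunnel mode only the gateway addresses are visible and the original header is inside the protected part.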
Features of IPSec
 Authentication: IPSec provides authentication of IP packets
using digital signatures or shared secrets. This helps ensure that the
packets are not tampered with or forged.
 Confidentiality: IPSec provides confidentiality by encrypting IP
packets, preventing eavesdropping on the network traffic.
 Integrity: IPSec provides integrity by ensuring that IP packets have
not been modified or corrupted during transmission.
 Key management: IPSec provides key management services,
including key exchange and key revocation, to ensure that
cryptographic keys are securely managed.
 Tunneling: IPSec supports tunneling, allowing IP packets to be
encapsulated within another protocol, such as GRE (Generic Routing
Encapsulation) or L2TP (Layer 2 Tunneling Protocol).
 Flexibility: IPSec can be configured to provide security for a wide
range of network topologies, including point-to-point, site-to-site, and
remote access connections.
 Interoperability: IPSec is an open standard protocol, which means
that it is supported by a wide range of vendors and can be used in
heterogeneous environments.
