IPSEC total data security
A non-technical introduction to IPSec

What is IPSec? Well, that’s one of those questions that can’t be answered comprehensively in a single sentence. Ask a techie the same question and the response would more than likely be "a combination of RFCs and standards that have been integrated to give the ultimate solution to secure communications over a public IP network". And that’s right, but it doesn’t give us mere mortals any understanding of how, or even why, we would use it!

So, perhaps we should understand ‘why’ we would need IPSec in the first place before attempting to understand how that need is satisfied.

At this point I have to assume that you have at least heard of IP, the Internet Protocol, which is the most ubiquitous protocol used for communicating across computer networks. It’s used to move data between computers on your local office network, to send files to networked printers for printing, to pass data along modem links, and of course, it’s the protocol that holds the whole of the Internet together.

Its popularity is due to its ease of use and implementation; however, this also leaves it wide open to abuse. A novice hacker could easily ‘sniff’ a network to obtain all data passed along it, a more experienced one could modify the data en route, and a professional could even take full control of the bi-directional flow of data between two computers. Imagine it: you think you’re talking to your bank, your bank thinks it’s talking to you, but in fact there’s someone in the middle masquerading as you to the bank and as the bank to you, modifying all information passed between you. This is called the ‘man in the middle’ attack, and plain IP gives you no way of detecting it.

Now we’re getting closer to understanding the need for IPSec, the standards-based solution for IP security. The two prime functions of IPSec are to ensure data security and data integrity. Security is achieved through data encryption, and integrity through a combination of techniques that authenticate the data sender, so that forged or modified data can be detected.

Furthermore, IPSec can be used to form ‘tunnels’ through IP networks. In other words, it can make a connection between two computers or networks on the Internet appear as though they’re connected via a private link. This is known as a VPN, a virtual private network.

So, in answer to the question, "what is IPSec", it’s a mechanism for providing totally secure virtual private networks across low-cost public networks such as the Internet.

Practical implementations of IPSec

There are two main scenarios associated with the use of IPSec. The first is establishing a secure VPN between geographically separated networks using the Internet as the medium. The second is remotely accessing a private network from a stand-alone PC. The latter is commonly known as "road warrior" access, which alludes to the busy salesperson or executive who spends more time out of the office than in.

Implementing an IPSec VPN over the Internet

Setting-up a secure VPN tunnel between the LANs of two sites.

There’s not too much to do in order to get this to work as most of the difficult stuff is done automatically by the IPSec gateways. We’ll look at the configuration details later, but basically, as long as each gateway knows about the other, and they are both connected to the Internet, an IPSec tunnel is automatically established between the respective LANs.

What’s more, you’re not restricted to two sites. You can establish as many tunnels as you like (within operational limits) as long as each IPSec gateway knows the network configuration details of each site it wishes to communicate with in this manner.

Implementing Remote Access

Setting-up a secure VPN tunnel between a remote PC and the office network.

Once again the operation of establishing a secure tunnel between the PC and the office LAN is done automatically as long as the IPSec client in the PC is correctly configured. Practically, a user at the remote PC would access the Internet over a modem or ISDN dial-up connection, then connect directly to the office LAN in a totally secure manner.

Configuring IPSec gateways and PC clients

Now we’re getting to the more techie bits of implementing IPSec. Unfortunately IPSec is, by its multi-standards-based nature, a very complex process that requires, as a minimum, detailed knowledge of the network configuration at the remote site to which you wish to connect.

In reality, an IPSec tunnel routes between the two local networks (LANs), which means that each local network MUST use a different, non-overlapping IP address range.

For example, the two networks shown below would present no problem, as the LAN IP address ranges are different (site A is 10.10.10.0 and site B is 192.168.200.0). However, if both used the same 10.10.10.0 or 192.168.200.0 range, it would not be possible to establish a VPN tunnel between them.

In addition, each IPSec node needs to know the ‘real world’ IP address of the remote gateway, i.e. the WAN IP address of the remote NetPilot.

So, for the above example, site A would need to know the following about site B:

Gateway – 137.44.100.2
LAN subnet – 192.168.200.0
Subnet mask – 255.255.255.0

where the subnet mask defines the number of IP addresses within the LAN. And similarly site B would need to know about site A:
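The two checks described above (distinct LAN ranges, and a real-world gateway address for the peer) can be carried out before any tunnel is attempted. The script below is an added example, not part of the original page or the NetPilot product; it builds the "what site A needs to know about site B" record from the figures the page gives. Site A's gateway address (137.44.100.1) and the 255.255.255.0 mask for site A are assumed, since the page states only site B's values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    gateway: str      # 'real world' WAN address of the site's IPSec gateway
    lan: str          # LAN network address, e.g. "192.168.200.0"
    mask: str         # dotted subnet mask, e.g. "255.255.255.0"

    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts "address/dotted-mask" and rejects a
        # non-contiguous mask such as 255.0.255.0 with a ValueError.
        return ipaddress.IPv4Network(f"{self.lan}/{self.mask}", strict=True)


def peer_info(local: Site, remote: Site) -> dict:
    """Return what `local` must be told about `remote` to bring up a tunnel,
    after checking that the two LANs can be routed between each other."""
    l_net, r_net = local.network(), remote.network()
    # A routed tunnel needs non-overlapping LAN ranges: identical ranges,
    # or one range inside the other, both fail this check.
    if l_net.overlaps(r_net):
        raise ValueError(
            f"{local.name} LAN {l_net} overlaps {remote.name} LAN {r_net}; "
            "each site must use a different address range")
    gw = ipaddress.IPv4Address(remote.gateway)
    # The peer address must be reachable across the Internet, so a
    # private (RFC 1918) address here is a configuration mistake.
    if gw.is_private:
        raise ValueError(f"{remote.name} gateway {gw} is not a public WAN address")
    return {
        "gateway": str(gw),
        "lan_subnet": str(r_net.network_address),
        "subnet_mask": str(r_net.netmask),
        "usable_hosts": r_net.num_addresses - 2,   # what the mask defines
    }


# Constructed sites mirroring the page's example; site A's gateway is assumed.
SITE_A = Site("Site A", "137.44.100.1", "10.10.10.0", "255.255.255.0")
SITE_B = Site("Site B", "137.44.100.2", "192.168.200.0", "255.255.255.0")

if __name__ == "__main__":
    print("Site A needs:", peer_info(SITE_A, SITE_B))
    print("Site B needs:", peer_info(SITE_B, SITE_A))
```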
© 1998 - 2009 Netpremacy Ltd All rights reserved