Yenugula Rahul Rao
IPSec (Internet protocol security)
In computer science, Internet protocol security is nothing but a network protocol suite which encrypts and validates the packets i.e. data sent through a network. IPSec-VPN has created a logically secured information transmission channel on the insecure public networks so that dispersed and independent users on the physical location can transmit information mutually via this secure logical channel to provide a secure communication environment with the abilities of anti-eavesdropping (Eavesdropping = secretly listening to the private conversation of others without their consent), forgery and tamper resistance. However, when it comes to reliability it has given DPD( dead peer detection)technology used for checking whether the other IPSec-VPN gateway is available, which has solved the problem that when the opposite IPSec-VPN gateway is not working properly, we can stop the local IPSec- VPN gateway and use the original security association for encryption and send data so as to avoid the waste of a lot of packet loss and routing resources. (Yang & Zhao, IPSec-VPN Availability Research and simulation).
Main factors affecting IPSec-VPN availability:
IPSec-VPN mainly has two application modes: site-to-site mode and remote access mode, in which site-to-site mode is the most representative. In this mode, different branches can deploy IPSec-VPN gateways from their own local network to Internet outlets, establish IPSec-VPN channels via Internet and achieve interconnection and secure communications between remote LANs. Both the site-to-site mode and the remote access mode need at least one IPSec-VPN gateway erected on the public network outlet from the relevant LAN to Internet to establish IPSec tunnels with other IPSec-VPN gateways or remote mobile users and provide services of secure communications.
The factors that affect IPsec-VPN system normal applications are mainly:
(1) Equipment failure
(2) Link failure
(3) Performance bottleneck
(Yang & Zhao, IPSec-VPN Availability Research and Simulation, 2015)
During its journey through the various tunnels and gateways, additional headers are added to the packet. On each pass through a gateway, a datagram is wrapped in a new header. Included in this header is the security parameter index (SPI). The SPI specifies the algorithms and keys that were used by the last system to view the packet. The payload is also protected in this system because any change or error in the data will be detected, causing the receiving party to drop the packet. The headers are applied at the beginning of each tunnel and then verified and removed at the end of each tunnel. This method prevents the build-up of unnecessary overhead
An important part of IPsec is the security association (SA). The SA uses the SPI number that is carried in the AH and ESP to indicate which SA was used for the packet. An IP destination address is also included to indicate the endpoint: This may be a firewall, router or end user. A Security Association Database (SAD) is used to store all SAs that are used. A security policy is used by the SAD to indicate what the router should do with the packet. Three examples include dropping the packet altogether, dropping only the SA, or substituting a different SA. All of the security policies in use are stored in a security policy database. (computer world)
Features and benefits:
• Complete security monitoring and management.
• 24-hour, 365-day-a-year security coverage.
• Latest tools and resources available.
• Comprehensive security management SLA, underpinned by AS/NZS 27001 aligned policies.
• IPSec SLA guarantee rebates.
• Continuous access to the IPSec Customer Portal.
• Incident reports.
• Detailed monthly reports.
On average, implementation of the IPSec MSS will cost a fraction of that of an internal minimum-security service, and only 3-11% of the cost of an internal high-security service. Highlights from an Australian IT study on IT security incidents showed the least costly incident from the study came in at $410,000. Significant financial savings result from selecting IPSec to implement a managed security service for your organisation. (Ultimate Peace of Mind Through Comprehensive Security Management: IPSec Managed Security Services (MSS))
IPsec incorporates all of the most commonly employed security services, including authentication, integrity, confidentiality, encryption and nonrepudiation. However, the major drawbacks to IPsec are its complexity and the confusing nature of its associated documentation. In spite of these various drawbacks, IPsec is believed by many to be one of the best security systems available. It is hoped that considerable improvement will be evidenced in future revisions of IPsec and that the problems identified with the architecture will be remedied. (computer world)
TLS/SSL (Transport layer security / Secure sockets layer)
TLS is a successor to Secure Sockets Layer protocol. TLS provides secure communications on the Internet for such things as e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. It is good idea to keep in mind that TLS resides on the Application Layer of the OSI model. This will save you a lot of frustrations while debugging and troubleshooting encryption problems related to TLS.The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. In a typical scenario, only the server is authenticated, and its identity is ensured while the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients. When a server and client communicate, TLS protocol ensures that no third party may eavesdrop, tamper with any message, and message forgery. (Network world)
The IETF officially took over the SSL protocol to standardize it with an open process and released version 3.1 of SSL in 1999 as TLS 1.0. The protocol was renamed TLS to avoid legal issues with Netscape, which developed the SSL protocol as a key feature part of its original Web browser.
TLS 1.2 is the current version of the protocol, and as of this writing, the Transport Layer Security Working Group of the IETF is working on TLS 1.3 to address the vulnerabilities that have been exposed over the past few years, reduce the chance of implementation errors and remove features no longer needed. TLS 1.3 is still a draft and has not been finalized yet, but having an updated protocol that’s faster, more secure and easier to implement is essential to ensure the privacy and security of information exchange and maintain trust in the Internet as a whole. (Network world)
Speed benefits TLS 1.3:
TLS and encrypted connections have always added a slight overhead when it comes to web performance. HTTP/2 definitely helped with this problem, but TLS 1.3 helps speed up encrypted connections even more. To put it simply, with TLS 1.2, two round-trips have been needed to complete the TLS handshake. With 1.3, it requires only one round-trip, which in turn cuts the encryption latency in half. This helps those encrypted connections feel just a little bit snappier than before.
Another advantage of is that in a sense, it remembers! On sites you have previously visited, you can now send data on the first message to the server. This is called a “zero round trip.” (0-RTT). And yes, this also results in improved load time times. (Kinsa)
Improved security with TLS1.3:
A big problem with TLS 1.2 is that it’s often not configured properly it leaves websites vulnerable to attacks. TLS 1.3 now removes obsolete and insecure features from TLS 1.2, including the following:
§ Arbitrary Diffie-Hellman groups — CVE-2016-0701
§ EXPORT-strength ciphers – Responsible for FREAK and Logjam
Because the protocol is in a sense more simplified, this make it less likely for administrators and developers to misconfigure the protocol. Google is also raising the bar, as they have started warning users in search console that they are moving to TLS version 1.2, as TLS 1 is no longer that safe. They are giving a final deadline of March 2018. (Kinsa)
Benefits of TLS:
Both the SSL protocol and the TLS protocol manage secure communication in a similar way. However, TLS provides a more secure method for managing authentication and exchanging messages, using the following features:
· While SSL provides keyed message authentication, TLS uses the more secure Key-Hashing for Message Authentication Code (HMAC) to ensure that a record cannot be altered during transmission over an open network such as the Internet.
· TLS defines the Enhanced Pseudorandom Function (PRF), which uses two hash algorithms to generate key data with the HMAC. Two algorithms increase security by preventing the data from being changed if only one algorithm is compromised. The data remains secure as long as the second algorithm is not compromised.
· While SSL and TLS both provide a message to each node to authenticate that the exchanged messages were not altered, TLS uses PRF and HMAC values in the message to provide a more secure authentication method.
· To provide more consistency, the TLS protocol specifies the type of certificate that must be exchanged between nodes.
· TLS provides more specific alerts about problems with a session and documents when certain alerts are sent.
· If you are required to have a FIPS 140-2-validated solution, a FIPS-mode of operation is available in Sterling Connect: Direct® for the TLS protocol. (IBM knowledge centre)
Since the protocol was taken over by the Internet Engineering Task Force, flaws such as the redirection attack that was mentioned earlier have often been quickly released. The issue with these flaws is the time it takes venders and administrators to patch their software and sites, leaving users data vulnerable.
In many of the examples that are given around defeating SSL and TLS, it’s not the actual protocols themselves that are allowing this leakage of data. The vulnerabilities that surround these security protocols often have more to do with the worsening certificate ecosystem and user education. This will only worsen unless something is done about growing companies lackadaisical approach to validating users. Due to this slip is validation, the traditional SSL certificate has somewhat been superseded by the Extended Validation (EV) certificate, which is not only more expensive but also requires a set criteria to be followed by the issuer (http://www.cabforum.org/Guidelines_v1_2.pdf) prior to issuing the certificate. (John’s Virtualization/security blog)
Advantages and Disadvantages:
Each has significant advantages – and disadvantages – in the corporate networking environment.
The greatest advantage of IPSec is its transparency to applications. Since IPSec operates at Layer 3, it has essentially no impact on the higher network layers. As implied by its name, IPSec runs at the IP layer and, as such, is indifferent as to whether application traffic is being transported using TCP or UDP protocols. Consequently, IPSec is equally as appropriate for securing real-time traffic (such as VoIP) as it is for traditional data applications.
Additionally, since IPSec is usually deployed for inter-site connections, it is quite possible that the computers attached to the network at a given site may not even have IPSec capabilities running on the attached PCs. In a remote-access environment where there is no IPSec-enabled router, however, the PC must run a copy of the IPSec stack.
The disadvantage to an IPSec remote-access approach is that once a computer is attached to the IPSec-based network, all of the additional devices attached to that local network might also be able to gain access across the WAN to the corporate network. So, it’s possible that a worm on the “kid’s computer” could easily spread to shared drives on the corporate network.
In other words, any vulnerabilities that exist at the IP layer in the remote network could be passed to the corporate network across the IPSec tunnel. Making sure that this doesn’t happen is doable, but results in higher support costs.
By contrast, SSL VPNs run at higher network layers so they don’t expose network drives to remote workers, shielding the network against vulnerabilities like worms.
Another IPSec disadvantage is that if you’re working off-site, say, at a partner location, connecting to your own company’s network is difficult if not impossible due to restrictions in most corporate firewalls.
Finally, for part-time teleworkers, it is becoming difficult to use the home Internet connection for corporate network access if using an IPSec-encrypted VPN tunnel. Increasingly, ISPs consider anything IPSec-encrypted to be a “business-class” transmission. As such, they want to charge higher rates for IPSec traffic and will block IPSec traffic if the service type is not business class. (Network world)