IPSec

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:00
>> Now for our next section we have IPSec,
00:00
which shockingly enough is
00:00
a framework that's designed to secure IP,
00:00
hence the name.
00:00
In this section, we'll talk about
00:00
what forced our hand and gave us the need for
00:00
IPSec and then we're going to talk about how
00:00
IPSec uses the process of encapsulation.
00:00
Then we'll talk about the security services
00:00
additionally that are provided in the next section.
00:00
Let's take a look at what IPSec is and why we need it.
00:00
Well, why we need it is because traditionally
00:00
our protocols themselves have not been secure,
00:00
IP being the first example.
00:00
Now, IP was designed for,
00:00
back in the '60s for use by the government
00:00
across lines that were physically secure.
00:00
We already had all that physical security,
00:00
there was no consideration of securing the protocol.
00:00
The protocol itself doesn't encrypt data,
00:00
IP doesn't encrypt or authenticate,
00:00
just is about transmitting data on the network,
00:00
moving data from place to place.
00:00
As we went from the '60s to
00:00
the '70s to the '90s to where we are today,
00:00
2021 or so,
00:00
obviously the threat landscape has shifted drastically.
00:00
This protocol, IP that was
00:00
designed not to be secure but just to move traffic,
00:00
now is in an environment where it's very,
00:00
very vulnerable because it
00:00
doesn't have built-in security.
00:00
IP Version 4 is what most of us are using today.
00:00
Then of course, we continue to hear that
00:00
IPv6 is on the horizon. It's coming.
00:00
I've been hearing IPv6 coming for 10, 15 years now.
00:00
Whether or not it does,
00:00
we move to IPv6 or not,
00:00
doesn't really matter as much for this discussion.
00:00
But the fact that IPSec was integrated
00:00
into IP Version 6, to solve that very problem.
00:00
IPv4 had no encryption,
00:00
no authentication, just move data on the network.
00:00
When the developers of IPv6 came along,
00:00
they said, well, let's make this secure,
00:00
and they integrated the IPSec framework into IPv6.
00:00
Now, because the bus bringing
00:00
IPv6 to all of us
00:00
has been a little bit slow in its delivery,
00:00
we've made IPSec backwards compatible
00:00
so that it can secure IP Version 4 traffic.
00:00
We'll see IPSec used in IPv4 environments.
00:00
Now the thing to understand about what
00:00
IPSec does, it's a framework.
00:00
It supports security services
00:00
like authentication and encryption.
00:00
But IPSec itself doesn't do that.
00:00
It just provides the structure.
00:00
There are protocols that
00:00
IPSec uses to provide those security services.
00:00
What IPSec does in and of itself
00:00
is it provides what's referred to as encapsulation.
00:00
Sometimes people mistakenly use
00:00
the term encapsulation synonymously with encryption.
00:00
The two are different,
00:00
encapsulation is not the same as encryption.
00:00
Let me give you an example.
00:00
Let's say that my uncle Steve is having
00:00
an anniversary and I'm going to send him
00:00
a set of champagne glasses to help him celebrate.
00:00
Now technically, I could get a Sharpie and write
00:00
uncle Steve's address on
00:00
the champagne glasses and drop them in the mail.
00:00
Now of course, as soon as I
00:00
do that they're going to break.
00:00
Instead, I take the champagne glasses and
00:00
I wrap them in tissue paper or bubble wrap.
00:00
Then I wrap those glasses in more bubble wrap.
00:00
I'm going to put it in a box,
00:00
maybe a cardboard box.
00:00
I'm going to gift wrap the box and write on it,
00:00
happy anniversary uncle Steve.
00:00
By the way, when I put uncle Steve on that outer box,
00:00
that's a form of addressing.
00:00
It's not worldwide addressing,
00:00
but it is local addressing, meaning,
00:00
that once the data gets to Steve's house,
00:00
if we see that it's addressed to Steve
00:00
he'll know that's his package.
00:00
There are different types of addressing
00:00
and I've just added addressing by
00:00
writing uncle Steve. But I'm not done yet.
00:00
I got to make sure these glasses get there safely,
00:00
so I'm going to put the gift wrapped box in
00:00
another box with packing peanuts,
00:00
bubble wrap, whatever else I can
00:00
think of to get these glasses from point A to point B.
00:00
Then finally, I'm going to pack it all in
00:00
a Federal Express box with
00:00
a FedEx label on it or UPS box,
00:00
UPS label.
00:00
No favoritism here.
00:00
We're going to put it in the box that
00:00
the service provider requires
00:00
to go across that carrier's network.
00:00
I'm going to hand it off to
00:00
the FedEx or UPS person
00:00
and the champagne glasses are on their way.
00:00
That is encapsulation.
00:00
Did I ever encrypt the champagne glasses?
00:00
Did I magically turn them into coffee mugs?
00:00
No, they're still champagne glasses.
00:00
They've just been wrapped up in
00:00
such a way that they can get
00:00
from point A to point B safely,
00:00
but they have not been encrypted.
00:00
Now I would be remiss if I let you think that the steps
00:00
on this slide were complete
00:00
because any of us who have pets,
00:00
know that never is packaging something
00:00
as easy as Steps 1 through 6.
00:00
For those of you with pets,
00:00
I will mention the steps that were left out here.
00:00
If you have a cat before you ship off your package,
00:00
fish the cat out of the packing peanuts.
00:00
Poor pug, pug gets himself into all messes here.
00:00
Make sure he's out of the bubble wrap.
00:00
You got to do those two steps
00:00
before you can send the package on its way.
00:00
For those of you that don't have cats or pugs,
00:00
you have no idea how true this slide is.
00:00
Uncle Steve gets the champagne glasses,
00:00
they've been encapsulated,
00:00
they have not been encrypted.
00:00
When you start with IPSec and you go to install IPSec,
00:00
Windows gives you a wizard that you can walk through.
00:00
One of the first steps in that wizard it says is,
00:00
would you like to use tunnel mode or transport mode?
00:00
The modes of tunnel versus transport
00:00
is where you choose what gets encapsulated.
00:00
What I have here on this slide is I have
00:00
a typical IPv4 packet.
00:00
If you look at the first illustration in tunnel mode,
00:00
you can see that we have an IP header,
00:00
we have an IP payload and an IP trailer.
00:00
That is a complete IPv4 packet.
00:00
Now when you choose tunnel mode,
00:00
the entire IPv4 packet is encapsulated.
00:00
What that means is IPSec adds its own header.
00:00
The IPSec payload is the whole IPv4 packet and then
00:00
IPSec adds its own trailer so that
00:00
the entire IPv4 packet is wrapped up.
00:00
Now what gets encapsulated
00:00
now is going to be protected later.
00:00
What we're doing is we're
00:00
setting aside what we're going to
00:00
encrypt or get authentication
00:00
for whatever security services.
00:00
We haven't done that yet,
00:00
we're just packaging it, we're preparing it.
00:00
Tunnel mode, we're setting aside
00:00
the entire IPv4 packet for protection.
00:00
In transport mode, you'll notice that we
00:00
only encapsulate the IP payload.
00:00
That's where the data is.
00:00
In this configuration, transport mode,
00:00
it looks like we're only going to
00:00
be protecting the payload.
00:00
Here's the idea behind that.
00:00
If you're sending your information
00:00
across an unsecured network like the Internet,
00:00
then you're going to want to encapsulate
00:00
the entire packet.
00:00
That's what tunnel mode does and really think
00:00
about it when you think about tunneling,
00:00
usually you associate the ideas of like a VPN,
00:00
where you're sending traffic that
00:00
needs to be protected across an unsecure network.
00:00
Because the security risks are greater,
00:00
you can encapsulate the entire packet.
00:00
But maybe in your internal environment,
00:00
you want to secure your traffic too.
00:00
But because it's still a trusted network,
00:00
you don't have to encapsulate
00:00
the header and the trailer to protect those later,
00:00
you can just focus on the payload.
00:00
With tunnel mode, you get greater security.
00:00
With transport mode, you sacrifice
00:00
a little bit of security for performance.
00:00
Usually transport mode is for trusted networks.
00:00
Maybe I have a trusted network,
00:00
that doesn't mean I want to send
00:00
payroll information in plain text across it.
00:00
Transport mode might be appropriate then.
00:00
Just to wrap up, we've talked about
00:00
how IPSec is going to provide
00:00
security for the otherwise unprotected IPv4 protocol.
00:00
It was designed to go with IPv6,
00:00
but today we're really seeing it used with
00:00
IP Version 4 because that's what everybody's running.
00:00
We also talked about what
00:00
encapsulation was and how tunnel mode
00:00
versus transport mode determines
00:00
what portion of the IP packet is going to be protected.