Time
31 hours 29 minutes
Difficulty
Beginner
CEU/CPE
30

Video Description

IPSec / IP Security

  • IP Security, also known as IPSec is the protocol that allows the encryption of layer 3 communications with point to point connections. IP sec uses a number of sub protocols:
  • Encapsulated Security Payload (ESP): encrypts content with symmetrical algorithm
  • Authentication Header (AH): creates checks sum and hashes a data packet
  • IP Comp/IP Payload Compression: compresses IP payload
  • Internet Key Exchange (IKE): negotiates shared secret. In transport mode, it encrypts data while in tunnel mode it encrypts packets.

Internet Security Association on Key Management Protocol (ISAKMP): This is the procedure that works with IPSec Communications. It exchanges keys and provides security association and then creates the tunnel.

Video Transcription

00:04
So what is I p sec? Well, I p sec from stands for I p security. And it's the protocol that allows us to encrypt our layer three communications with our point to point connection with our point to point communication and R v p. M.
00:17
So it allows us to encrypt our data that we're sending at our layer three.
00:21
Now it does this with a couple of sub protocols.
00:25
Now, I P set has four sub protocols that it uses, and it can transport in two modes
00:33
the four protocols that it can use R E S P H i p comp in I. K
00:40
yes, P stands for encapsulated security payload. And it is the protocol that is actually going to encrypt our contents with a symmetric algorithm. A symmetric algorithm is an algorithm that is the same on both ends. If you take encrypted data and put it, if you take unencrypted data and put it into the algorithm
01:00
and then take in, quipped ID data and put it back through the same algorithm,
01:03
it's going to come. It's going to un encrypt itself so and a symmetric algorithm is the same on both ends and we encrypted and decrypted the same way. So that's what GSP does. Encrypted security encapsulated security Payload.
01:18
Next, we have a H is our authentication header. Our authentication header is ads on the part of ads on Apart to a packet that's going to create a check. Some and hashes are actual data packet. So what that means is it's going to create a receipt for a packet
01:34
and when our packing slip for our pack it essentially.
01:40
So when we're sending our data from Point A to point B, Point B looks at the packing slip, and if the data looks different than what's on that packing slip, it rejects it.
01:51
So think of it as when you get a box and you order something online when you get the box in and take a look at the packing slip. And if any of the contents are different than what's on that packing slip, then you say this packet isn't right. That's how you know that what's in the package wasn't changed between when it was sent and when it was delivered. Is that packing slip?
02:10
That's what authentication header does.
02:13
It's our packing slip for a packet that lets us know that the data wasn't modified in transit.
02:20
Then we have our I p cop I p comp stands for I p payload compression. And what this does is it compresses our entire I p payload to make it a bit smaller and make it a little bit easier and faster to transport.
02:34
And then lastly, we have i k e stands for Internet key exchange. And what it does is it negotiates this our shared secret that we use when we encapsulate the security payload. If we just
02:46
go ahead and we encrypt our data and we don't, we don't have a way of letting the other in Know how we encrypted the data than all the all the other in gets is just a jumble of, ah, jumble of encrypted data. It doesn't know how to decrypt it,
03:02
but in the same on the same spectrum. If
03:07
if I pee set used the same encryption and decryption algorithm across the board for anyone who sent data over I p sec anywhere, then it would point would almost be moved. Anyone could take the data that I p *** scent and just decrypted if we used the exact same
03:24
shared secret and exact same encryption decryption algorithm for everything.
03:29
Then it wouldn't work. So we need something that lets us negotiate with the in client as faras, what are shared secret is going to be without revealing that shared secret to anyone else. So that's what I k E does. It's gonna help negotiate that shared secret.
03:46
So what do all of these packets mean? What? How do we How do we take How do we use these different protocols and how do we use them with our data packet?
03:54
Well, how we use them is going to depend on our mode that we're using. We have transport mode, and then we also have tunnel mode. Transport mode is going to take our data packet and it's only going to encrypt our data. It's going to encrypt our data, and then it's going to
04:12
put on an authentication. Payload is gonna compress it,
04:15
and then it's just gonna negotiate with Internet key exchange and we're going to send the data back and forth Now, this is more for local peer to peer transfer a peer to peer communications than anything else. It's commit elections that we know are going to go over a private network.
04:30
We also have tunnel mode in tunnel mood is going to encrypt our entire packet.
04:34
We're gonna take our data. We're going to encrypt our data. Then we're going to add an authentication payload on authentication header, and then we're going to encrypt all of that as well. So that's going to provide us with an additional layer of security so that someone can take our authentication header, change the authentication header,
04:53
and then change our and been changed. Our data that we're sending
04:56
well, actually need to be able to be crypt, the entire pack it in order to change anything.
05:01
So let's take a look at our data. So we're going to start out with a packet that we're sending
05:08
over a over connection,
05:11
and we're gonna say, Okay,
05:13
I want to use eyepiece. I wanna use I want to send this packet and in clipped this packet over layer three with I p sec.
05:20
So
05:21
the first thing we're gonna do is we're negotiating with our incline using I k e. What are shared secret is
05:28
so our shared secret is our key That lets us know how we're going to de encrypt our data. So we've negotiated our shared secret. We've gotten our data ready to encrypt, and we're going to encrypt our data. We're gonna encrypt the packet that we have with
05:44
encapsulated security protocol.
05:46
So this data packet
05:48
we've now encrypted with the SP. So Ivar encapsulated security protocol.
05:54
Now
05:55
we're using transport mode, so we're just going to encrypt the data. And now what we need to do is we need to tack on an authentication header to this packet. We need to have a header on this packet. That's that. Let's are we need to have We need to add our packing slip into the box so that are in client knows. Okay, this data hasn't been modified in transit.
06:15
It can check the packing slip and make sure the data hasn't been modified.
06:18
So we're gonna take this.
06:21
We're gonna take our encapsulated security protocol packet. We're gonna take all our data that we encrypted, and then we're gonna add on our authentication header to the beginning of our packet.
06:30
And then after that, we're gonna send it off.
06:33
So we have our h. We have our communication header in our encapsulated security payload.
06:39
And then we'll take that. And we'll also compress it with our i p calm to make it a bit smaller to make it easier to send.
06:45
But this is a four on a private network. This is a peer to peer connectivity
06:49
way. Want it? We want to be running in tunnel mood. We're connecting over a VPN. We're on an insecure network on a public network. We're gonna transport the state over the internet. We want to secure as possible. We don't want anybody trying to modify authentication. Header. We don't want anybody to see this exact pay this exact payload here.
07:08
So
07:09
when we run in tunnel mode,
07:13
we have our authentication authentication header.
07:15
We have our encapsulated security packet, but what then we're going to do
07:20
is we're going to take this whole packet
07:26
and we're going to encrypt this entire packet again
07:30
with another round of our with another round of our encryption.
07:34
So now, as this data is traveling over the internet,
07:38
anything inside our green box here
07:43
cannot be read and clear text. It's all encrypted. So we still have our destination. We still have our destination header and all the rest of our header information as to where this packet needs to go. But it's not until it gets too are in point. It's not until it gets to the other point on our VPN where are in. Client says
08:01
it strips this headed away because it now has the packet,
08:05
and it says, Okay, I have an encrypted packet here. I know what the shared secret is because we already negotiated this.
08:11
So its able to strip this away
08:15
after it strips our outer layer away. It says, Okay, what's in my packing slip when we check my packing slip? Okay. Does Mike What's on my packing slip? Match my packet here? Yes, it does. So I'm good.
08:28
So now I just have my encapsulated security payload. I'm going to take that. I'm going to run it through my symmetric encryption algorithm again with my shared secret. So now I know. So now I've decrypted this packet,
08:41
and now I'm just back to my original data.
08:45
So that's how that's in a nutshell. How our I p sec works. That's the difference between our transport mode and our tunnel mode. Our transport mode just encrypts the data and adds an authentication header, whereas our tunnel mood is going to encrypt the data at an authentication layer out of authentication. Header and then encrypt
09:05
the entire packet again to make sure that we're We have a double layer of security and no one tries to modify that authentication header.
09:13
So
09:15
next we have ice a camp and
09:18
Aisa camp stands for Internet Security Association Key management protocol. Now this is a protocol that works with I P SEC in order to provide the procedure for the authentication of our I p set communications. Essentially all essentially all r I P. Sec is doing is it's negotiating a. It's
09:39
allowing us to equipped
09:41
our data. It's adding its authentication header. It's encrypting it. It's sending along, sending it along. We need something to actually set up the security association between us and our in client, as well as create the tunnel for us to go through. We need something to help start up that tunnel and we need something to see.
10:00
Start up our security association
10:01
and to set up our essentially start exchanging our keys to give our give our key to the sober so that it can often it can start authenticating us, and it can make sure that it knows what the shared secret is. And then the server sends us its key.
10:20
So we're making sure that we're we have our authentications set up.
10:24
We have our security, a social association set up, and that we both know what the key is for our transaction here because if we don't know the key, we won't be able to encrypt or decrypt the data properly.
10:35
So when you hear that when you see ice a camp, when you see the Internet Security Association and key management protocol
10:43
No, that that's our procedure for authenticating with and creating our I P sec tunnel. It starts up and exchanges are buzzwords are exchanges are keys and then provides a security association.
10:58
And then it starts up and it begins that encrypted tunnel that we're going to create between one point and our other point.
11:05
So, uh,
11:07
this doesn't replace
11:11
are other VP and protocols. It doesn't replace our layer to tunneling protocol and doesn't This does not replace our I p set protocol, but it is rather a protocol which functions within i p set in order to allow us to exchange the keys because again another
11:28
another protocol using another protocol in order to help fulfill its job. If we just use I p sec by itself, we won't have a way of exchanging our keys or creating a security association. If we just use
11:43
I c can't by itself, as a camp doesn't encrypt data camp doesn't create an authentication header or compress our data. So we need to have both of them working jointly in order to for a cZ well as our later to tunneling protocol, all working jointly in order to create the create, create the security association,
12:03
encrypt the data, and then our Leia to Tunneling Protocol provides the data that I p sec in Crips. So that data packet we started out with That's the packet provided by our layer to tunneling protocol, which is then encrypted on our next layer up by our I p SEC player.

Up Next

CompTIA Network+

This CompTIA Network+ certification training provides you with the knowledge to begin a career in network administration. This online course teaches the skills needed to create, configure, manage, and troubleshoot wireless and wired networks.

Instructed By

Instructor Profile Image
Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor