The TCP/IP protocol suite is being used for communications, whether for voice,
video, or data. There is a new service being brought out for voice over IP at a
consumer cost of 5.5 cents per minute. Radio broadcasts are all over the Web.
Video is coming, but the images are still shaky and must be buffered heavily
before displaying on the monitor. However, give it time. All great things are
refined by time, and applications over TCP/IP are no exception.
Today, you will not find too many data communications installations that
have not implemented or have not thought about the TCP/IP protocol. TCP/IP is
becoming so common that it is not so much a matter of selecting the TCP/IP
protocol stack as it is selecting applications that support it. Many users do
not even know they are using the TCP/IP protocol. All they know is that they
have a connection to the Web, which many people confuse with the Internet. We’ll
get into the details of the differences later, but for now, you just need to
understand that the Web is an application of the Internet. The Web uses the
communications facilities of the Internet to provide for data flow between
clients and servers. The Internet is not the Web and the Web is not the
Internet.
In the 1970s, everyone had some type of WANG machine in their office.

IP Security in Action

IPSec is a robust and extensible mechanism for securing IP
datagrams. IPSec provides stateless security—data confidentiality, data
integrity, data source authentication, protection against traffic analysis, and
antireplay protection—and therefore does not make any requirements on the IP
protocol to achieve security. As such it is ideal for protecting any type of
traffic that can travel on top of IP—basically any traffic.
By providing security at the IP layer, IPSec allows any
application to take full advantage of its functionality. Security is done in one
place, in the stack, instead of in each application that requires security.
Authentication and access control are therefore done at the communications
aggregation point in the stack. It is important to contrast this with
socket-based security—such as SSL—in which every application that desires
security must be modified. With IPSec, you just modify your stack and, voila,
all applications can be secured.

Deployment Scenarios (Using IPsec to Secure the Network)

We have seen how IPsec operates in a stack, how a selector
database is constructed, how IPsec is applied to packets matching selectors, and
how IKE negotiates security associations for use by IPsec. But how is IPsec
actually deployed to help protect a network?
Before we dive into various deployment scenarios, though, it
will be helpful to define how IPsec is presented to an administrator. One way it
can be represented is as a virtual interface. All
packets going into and out of this interface have IPsec applied to them. This is
a useful representation on a router because routers have the ability to
configure virtual interfaces for other encapsulation schemes (for example, GRE).
The benefit of this representation is that routing protocols can be run on this
interface, just like any other interface. The drawback of this representation is
that now routing is playing a role in securing the network.
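
The drawback can be made concrete with a small model. The following is an added example, not code from the original text: it compares the virtual-interface representation, where protection depends on the route lookup, with a selector match that ignores routing. The interface names, prefixes, PROTECT/BYPASS action labels and the audit helper are constructed for illustration.

```python
import ipaddress

# Constructed data. "ipsec0" is a hypothetical IPsec virtual interface,
# "eth0" the unprotected uplink; 10.2.0.0/16 is the remote protected site.
ROUTES = [("0.0.0.0/0", "eth0"), ("10.2.0.0/16", "ipsec0")]
SELECTORS = [("10.1.0.0/16", "10.2.0.0/16", "PROTECT")]  # src, dst, action

def route_lookup(routes, dst):
    """Longest-prefix match; returns the outgoing interface name."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    hits = [(n, ifc) for n, ifc in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def protected_by_interface(routes, dst):
    """Virtual-interface model: IPsec applies only if routing picks ipsec0."""
    return route_lookup(routes, dst) == "ipsec0"

def selector_action(selectors, src, dst):
    """Selector model: the first matching selector decides, whatever the route."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in selectors:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "BYPASS"

def audit_routes(routes, selectors):
    """Routes that carry part of a PROTECT destination out a non-IPsec interface."""
    findings = []
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        for _, dst_net, action in selectors:
            covered = net.subnet_of(ipaddress.ip_network(dst_net))
            if action == "PROTECT" and ifc != "ipsec0" and covered:
                findings.append((prefix, ifc))
    return findings

if __name__ == "__main__":
    # A more specific route added later (constructed) overrides the /16.
    drifted = ROUTES + [("10.2.5.0/24", "eth0")]
    for name, table in (("baseline", ROUTES), ("drifted", drifted)):
        print(name, "via", route_lookup(table, "10.2.5.9"),
              "| interface model protects:", protected_by_interface(table, "10.2.5.9"),
              "| selector says:", selector_action(SELECTORS, "10.1.3.4", "10.2.5.9"),
              "| audit:", audit_routes(table, SELECTORS))
```

In the drifted table the selector still calls for protection, but the virtual-interface model sends the packet out eth0 untouched, which is why route changes on such a gateway need the same review as policy changes.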