IPSec is a robust and extensible mechanism for securing IP
datagrams. Its services (data confidentiality, data integrity, data source
authentication, limited protection against traffic analysis, and antireplay
protection) are applied to each datagram on its own and make no demands on the
IP protocol itself: from IP's point of view the processing is stateless. The
receiver does keep a small amount of state per security association, most
notably the antireplay window, but that state belongs to IPSec, not to IP. As
such IPSec can protect any type of traffic that can travel on top of IP, which
is to say essentially all traffic.
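To make the antireplay service and its receiver-side state concrete, here is an added example (not code from the original page or from any IPSec implementation) of the sliding-window check that RFC 4303 describes, in Python. The packet trace, the window size and the `icv_ok` flag standing in for integrity verification are constructed for the example.

```python
"""Receiver-side antireplay window for one inbound ESP SA (RFC 4303, 3.4.3 / Appendix A)."""


class AntiReplayWindow:
    """Sliding bitmap window: bit i set means sequence number (last_seq - i) was accepted."""

    def __init__(self, size=64):
        if size < 32:                      # RFC 4303: 32 minimum, 64 default
            raise ValueError("window must be at least 32 packets")
        self.size = size
        self.last_seq = 0                  # right edge: highest sequence number accepted
        self.bitmap = 0

    def check(self, seq):
        """Is seq new and inside the window? Pure query, no state change."""
        if seq == 0:
            return False                   # a fresh SA starts at 1; 0 is never valid
        if seq > self.last_seq:
            return True                    # would advance the window
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                   # fell off the left edge: too old to track
        return not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Record seq as received. Call only after the ICV verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1            # everything previously tracked is now stale
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def receive(window, seq, icv_ok):
    """Inbound order per RFC 4303: window check, then ICV, then window update.
    icv_ok is a constructed stand-in for the packet's integrity verification."""
    if not window.check(seq):
        return "dropped: replay or stale"
    if not icv_ok:
        return "dropped: bad ICV"          # window untouched: forged seqs cannot poison it
    window.update(seq)
    return "accepted"


def replay_demo():
    """Constructed trace of (sequence number, ICV verified?) pairs arriving on one SA."""
    window = AntiReplayWindow(64)
    trace = [(1, True), (2, True), (2, True),     # duplicate of 2 is a replay
             (70, True),                          # jump past the window
             (5, True),                           # now 65 behind: too old
             (7, False), (7, True), (7, True)]    # bad ICV does not consume seq 7
    return [receive(window, seq, ok) for seq, ok in trace]


if __name__ == "__main__":
    for line in replay_demo():
        print(line)
```

The ordering in `receive` is the security-relevant detail: the window is only advanced after the ICV checks out, so an attacker who cannot forge the ICV cannot push the window forward with made-up sequence numbers and cause legitimate in-flight packets to be discarded.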
By providing security at the IP layer, IPSec allows any
application to take full advantage of its functionality. Security is done in one
place, in the stack, instead of in each application that requires security.
Authentication and access control are therefore done at the communications
aggregation point in the stack. It is important to contrast this with
socket-based security, such as SSL, in which every application that desires
security must be modified. With IPSec, you just modify your stack and, voila,
all applications can be secured. The trade-off is granularity: the peer
identity that IPSec authenticates is a host or gateway (or a user, via IKE),
and access control is expressed as policy on addresses, protocols and ports in
the stack, not per application, so an application that needs to know which
principal it is talking to still has to authenticate at its own layer.
By placing IPSec-enabled hardware at different points in the
network (routers, firewalls, hosts, and bump-in-the-wire (BITW) "crypto
boxes") different security deployments can be realized. End-to-end security can
be achieved by deploying IPSec-enabled stacks on hosts, typically in transport
mode, or by providing a bump-in-the-stack (BITS) solution as a "shim" inserted
into the networking stack. A virtual private network (VPN) can be constructed by
IPSec-enabled routers protecting traffic between protected subnets in tunnel
mode, with the gateways' addresses on the outer header and the hosts' traffic
carried inside. Remote-access ("roaming road warrior") scenarios combine
host-based and router-based IPSec: the host runs IPSec itself and tunnels to a
gateway in front of the protected network.
Since an IPSec-protected datagram is itself an IP datagram,
IPSec can be applied serially or recursively, allowing hub-and-spoke
deployments, or end-to-end IPSec-secured packets being tunneled through an
IPSec-protected VPN. Each layer is verified only by the peer that shares its
security association, so a VPN gateway can authenticate and strip its own tunnel
without being able to read or alter the end-to-end protected packet it carries.
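The deployment models above (host-to-host transport mode, gateway-to-gateway tunnel mode) and the nesting of one inside the other are shown below in an added example that is not code from the original page or from any IPSec implementation. It builds real ESP packets with the NULL encryption transform (RFC 2410) and HMAC-SHA-256-128 integrity (RFC 4868) using only the Python standard library, so the bytes on the wire are inspectable. The addresses, keys, SPIs and the fake TCP segment are constructed; the antireplay window and IKE key negotiation are left out.

```python
"""ESP encapsulation, transport vs tunnel mode, and end-to-end ESP nested in a VPN tunnel."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_IPIP = 4       # next-header value for an IPv4 datagram carried in tunnel mode
IPPROTO_ESP = 50
ICV_LEN = 16           # HMAC-SHA-256-128 truncates the MAC to 128 bits


def checksum(data):
    """RFC 1071 one's-complement sum for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options (constructed example, not a full IP stack)."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def _addr(raw):
    return str(ipaddress.IPv4Address(raw))


class ESPSA:
    """One ESP security association: NULL encryption, HMAC-SHA-256-128 integrity.
    tunnel=None means transport mode; tunnel=(src, dst) adds an outer header in tunnel mode.
    A real SA is unidirectional; the same object is reused here for both directions."""

    def __init__(self, spi, key, tunnel=None):
        self.spi, self.key, self.tunnel, self.seq = spi, key, tunnel, 0

    def _icv(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()[:ICV_LEN]

    def protect(self, ip_packet):
        """Wrap a full IPv4 datagram (assumed to carry no IP options)."""
        if self.tunnel is None:
            hdr = ip_packet[:20]                       # transport: ESP slides in after the IP header
            inner, next_hdr = ip_packet[20:], hdr[9]
            src, dst = _addr(hdr[12:16]), _addr(hdr[16:20])
        else:
            inner, next_hdr = ip_packet, IPPROTO_IPIP  # tunnel: whole datagram is the payload
            src, dst = self.tunnel
        self.seq += 1
        pad_len = (-(len(inner) + 2)) % 4              # trailer ends on a 4-byte boundary
        padding = bytes(range(1, pad_len + 1))         # RFC 4303 default monotonic padding
        esp = struct.pack("!II", self.spi, self.seq) + inner + padding + bytes([pad_len, next_hdr])
        esp += self._icv(esp)                          # ICV covers SPI, seq, payload, trailer
        return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

    def unprotect(self, ip_packet):
        """SA lookup, then ICV check, then decapsulation. Raises ValueError on any failure."""
        outer, esp = ip_packet[:20], ip_packet[20:]
        if outer[9] != IPPROTO_ESP:
            raise ValueError("not an ESP packet")
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("SPI does not match this SA")
        if not hmac.compare_digest(self._icv(body), icv):
            raise ValueError("bad ICV: packet modified or wrong key")
        pad_len, next_hdr = body[-2], body[-1]
        inner = body[8:len(body) - 2 - pad_len]
        if next_hdr == IPPROTO_IPIP:
            return inner                               # tunnel mode: inner datagram is complete
        src, dst = _addr(outer[12:16]), _addr(outer[16:20])
        return ipv4_header(src, dst, next_hdr, len(inner)) + inner   # transport: restore header


def nested_demo():
    """Host-to-host transport-mode ESP carried through a gateway-to-gateway tunnel."""
    segment = b"GET / HTTP/1.0\r\n\r\n"                # constructed stand-in for a TCP segment
    original = ipv4_header("10.1.0.5", "10.2.0.7", IPPROTO_TCP, len(segment)) + segment
    host_sa = ESPSA(spi=0x1001, key=b"h" * 32)                                   # constructed key
    gw_sa = ESPSA(spi=0x2002, key=b"g" * 32, tunnel=("203.0.113.1", "198.51.100.1"))
    end_to_end = host_sa.protect(original)            # IP | ESP | TCP
    on_wire = gw_sa.protect(end_to_end)               # IP | ESP | IP | ESP | TCP
    at_remote_gw = gw_sa.unprotect(on_wire)           # gateway strips only its own layer
    at_host = host_sa.unprotect(at_remote_gw)         # destination host strips the inner layer
    tampered = bytearray(on_wire)
    tampered[60] ^= 0x01                              # one bit inside the tunnelled payload
    try:
        gw_sa.unprotect(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"wire_len": len(on_wire),
            "protocol_chain": [on_wire[9], at_remote_gw[9], at_host[9]],
            "recovered": at_host == original,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(nested_demo())
```

The protocol chain on the wire reads ESP, ESP, TCP: the VPN gateway only holds the tunnel SA's key, so it can verify and remove the outer layer but sees the host-to-host ESP packet as opaque, which is exactly the property that makes nesting end-to-end IPSec inside an IPSec VPN worthwhile.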