Introduction to Secure Router networking and IPSec Technology

Source: Internet
Author: User

A large enterprise needs to connect its branches or offices across the country over the WAN so that they can share information resources. Because this data must travel over public data networks, which, as everyone knows, are not particularly secure, a security router can be used to improve the security of the transmitted data. A security router can hide the company's internal network topology and encrypt the data to be transmitted. Even if the transmitted data is intercepted by other users on the Internet, they cannot use the IP packets to learn the company's internal network IP addresses or its internal network topology, and because the data is encrypted, an ordinary user without a dedicated decryption tool cannot read the contents of the transmitted packets. The figure below shows the network topology of a security router:


Figure: Networking with a security router
Because the security router has a data encryption function, when data from the LAN is sent out through the security router, the router encrypts it according to a configured encryption algorithm, and the peer that receives the data must use the same algorithm to restore it.
The IPSec tunnel mode of the security router also hides the internal network topology. The security router re-encapsulates every IP packet to be sent, adding an outer IP header that carries the addresses of the source and destination gateways in front of the original IP packet. When the destination router receives the encapsulated packet, it removes the outer IP header added by IPSec and then, according to the source and destination addresses of the original IP packet, forwards the packet to the target host on its LAN.
When user A on LAN A wants to send data to user B on LAN B, user A's IP packet is re-encapsulated as it passes through the egress security router, which places the source and destination gateway addresses in an outer IP header around the original IP packet. When the encapsulated IP packet arrives at the security router at destination B, that router automatically recognizes it, unwraps the IP packet again, and finally delivers it to user B.
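To make the tunnel-mode encapsulation described above concrete, the following Python example (added here, not part of the original article) builds an inner IP packet from host A to host B, wraps it in an outer IP header addressed between the two gateways together with an ESP header, trailer and HMAC-SHA-256-128 integrity check value, and unwraps and verifies it on the receiving side. It uses ESP's NULL encryption so the structure stays visible, meaning the inner packet is integrity-protected but not encrypted; the addresses, SPI, key and payload are constructed sample values, and the anti-replay check is a simplified single-counter version of the real sliding window.

```python
import hashlib, hmac, socket, struct

ESP_PROTO = 50   # IP protocol number for ESP, visible in the outer header
ICV_LEN = 16     # HMAC-SHA-256-128: 128-bit truncated tag (RFC 4868)
IPV4_NEXT = 4    # ESP "next header" value meaning the payload is an IPv4 packet

def ipv4_header(src, dst, proto, payload_len):
    """Build a 20-byte IPv4 header (no options) with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    s = sum(struct.unpack("!10H", struct.pack("!BBHHHBBH4s4s", *fields)))
    s = (s >> 16) + (s & 0xFFFF)
    s = (s >> 16) + (s & 0xFFFF)
    fields[7] = ~s & 0xFFFF
    return struct.pack("!BBHHHBBH4s4s", *fields)

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an option-less IPv4 packet."""
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[20:])

def esp_encapsulate(inner_pkt, gw_src, gw_dst, spi, seq, key):
    """Tunnel mode: outer IP | ESP(SPI, seq) | inner IP packet | pad | trailer | ICV."""
    pad_len = (-(len(inner_pkt) + 2)) % 4            # align payload + trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, IPV4_NEXT)
    esp = struct.pack("!II", spi, seq) + inner_pkt + trailer
    icv = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]  # covers ESP hdr + payload
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp) + ICV_LEN) + esp + icv

def esp_decapsulate(outer_pkt, key, last_seq):
    """Check ICV and sequence number, strip outer IP + ESP, return (inner_pkt, seq)."""
    _, _, proto, payload = parse_ipv4(outer_pkt)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    expected = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    spi, seq = struct.unpack("!II", esp[:8])
    if seq <= last_seq:                               # simplified anti-replay (no window)
        raise ValueError("replayed packet")
    pad_len = esp[-2]
    return esp[8:len(esp) - 2 - pad_len], seq

# Constructed sample: host A on LAN A sends to host B on LAN B via the two gateways.
KEY = b"constructed-demo-key-32-bytes-long!"      # constructed, not a real key
APP = b"hello from LAN A"                         # constructed payload; proto 253 = experimental
INNER = ipv4_header("10.1.1.5", "10.2.2.7", 253, len(APP)) + APP
```

Parsing the outer packet shows only the gateway addresses and protocol 50, which is all an on-path observer learns about the traffic's endpoints.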
IPSec Technology Introduction
IPSec is an open standard framework. Based on standards developed by the IETF, IPSec can ensure the reliability and integrity of data communication over a public IP network. IPSec provides an essential element of a standards-based, flexible solution for implementing general security policies.
The TCP/IP protocol suite provides an open protocol platform that connects more and more organizations and people over the network. The network is rapidly changing the way we work and live; however, its lack of security has slowed the development of networking. Currently, the network faces various threats, including leakage of confidential data, damage to data integrity, identity spoofing, and denial of service.
The first is the leakage of confidential data. A criminal may snoop on confidential data on the Internet, and this may be the biggest obstacle to communication. Without encryption, every message sent may be eavesdropped on by an unauthorized party. Because earlier protocols were designed without security in mind, all kinds of user authentication information, such as user names and passwords, are transmitted over the network in cleartext, so eavesdroppers can easily obtain user account information.
The second is the destruction of data integrity. Even if the data is not confidential, its integrity must still be ensured. You may not care whether others see your transaction, but you certainly care whether the transaction is tampered with. Once you have verified your identity with the bank, you want to be sure that the contents of the transaction, such as the deposit amount, have not been modified in some way.
The third is identity spoofing. In addition to protecting data, you must also protect your identity. A clever intruder may forge your valid identity and thereby gain access to the confidential information that only you are allowed to access. Currently, many security systems rely on IP addresses to uniquely identify users. Unfortunately, such systems are easily spoofed and can lead to intrusion.
Another threat is denial of service. Once connected, you must ensure that the system can work at any time. In the past few years, attackers have discovered several vulnerabilities in the TCP/IP protocol suite and its specific implementations that allow them to crash some computer systems.
There is no simple answer to resisting the above threats and ensuring network security. Encryption and authentication are the key services for defending against them. Obviously, if data is encrypted during transmission, a sniffer cannot read or tamper with it. Network-layer authentication can prevent identity spoofing and denial of service: if a device can correctly identify the source of the data, it is difficult to impersonate a friendly device in order to launch DoS attacks.
To achieve security on IP networks, the IETF established an IP Security Protocol working group to develop IP security protocols and key management mechanisms. After several years of effort, the working group produced a series of protocols that together form a security architecture, collectively known as the IP Security protocol (IPSec).
IPSec mainly includes two security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload), plus the key management protocol IKE (Internet Key Exchange). AH provides connectionless integrity, data origin authentication, and replay protection. ESP can provide these services and also encryption. The key management protocol IKE provides secure and reliable negotiation of algorithms and keys. These mechanisms are independent of the algorithms used; this modular design allows different algorithms to be swapped in without affecting the rest of the implementation. Which protocol is applied and which specific encryption algorithms are used depend on the security requirements of users and applications.
IPSec can provide high-quality, interoperable, cryptography-based security for IP communication. The supported security services include access control, connectionless integrity, data origin authentication, and encryption. These services are implemented at the IP layer and protect the IP layer and everything above it. Network-layer encryption and authentication can provide an end-to-end security solution within the network structure, so that end systems and applications can benefit from strong security without any changes, and the internal structure of the user's network is protected. Because encrypted packets look like ordinary IP packets, they pass easily through any IP network without changes to intermediate network devices; only the end network devices need to understand the encryption, which greatly reduces the overhead of implementation and management. Because IPSec is implemented at the network layer, devices that implement IPSec can still communicate using normal IP, so they can be remotely monitored and configured.