
IP Security

Virtual Private Network

IPSec is a standard for Virtual Private Networks and was developed by the IETF (Internet Engineering Task Force). The Layer 3 tunneling process is a highly complex protocol family that has come about through different RFC (Request for Comments) drafts (RFC 1825-1829, 2401-2412). In contrast to Layer 2 tunneling, it standardizes the application of cryptographic algorithms and authentication. The applied cryptographic process determines the IPSec security level. IPSec also describes processes for the secure exchange of keys and security parameters over public networks. The framework guidelines for this key management are specified in ISAKMP (Internet Security Association and Key Management Protocol). In addition, mechanisms for strong user authentication are supported that are implemented in the IP Authentication Header (AH) and the IP Encapsulating Security Payload (ESP).

NCP developed the complete IPSec implementation on its own; the advantages are clear:

But be careful!

IPSec does not define how the different security processes should be implemented. Thus it is possible that IPSec products from different manufacturers may not be compatible. Added to that, IPSec was clearly not developed with remote access requirements in mind, nor is it designed for implementation in environments with protocols other than IP. The developmental focus of IPSec was to connect distributed networks over permanent IP addresses. Gateway-to-gateway communication (site to site) is certainly secure; however, the route to the PC workstation is not. This route remains open to so-called man-in-the-middle attacks. Protection is offered by IP Network Address Translation (IP-NAT), a feature of the NCP Personal Firewall. IP-NAT changes the IP header, which causes problems with the Authentication Header protocol (the same applies for ESP) that is responsible for sender authentication. The dialing in of many mobile and stationary PC workstations becomes quite complex; indeed, from an administrative perspective it becomes almost impossible. IPSec is not multi-protocol enabled (natively). IPSec over L2TP offers a solution to this deficiency.
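As an added illustration of why an address-rewriting NAT collides with the Authentication Header (this is example code written for this page, not NCP's software or anything from the original text): a simplified Python model of the AH integrity check value (ICV). The key, addresses and payload are constructed, and the header model keeps only the source and destination addresses; real AH (RFC 2402) covers the other immutable header fields as well and zeroes the mutable ones (TTL, header checksum) before hashing.

```python
import hashlib
import hmac
import socket

# Constructed demo key; a real AH security association would negotiate this via IKE.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _immutable_header(src: str, dst: str) -> bytes:
    """Model of the IP header fields AH protects: the source and destination
    addresses. Real AH also covers the other immutable fields and zeroes the
    mutable ones (TTL, header checksum, ...) before computing the ICV."""
    return socket.inet_aton(src) + socket.inet_aton(dst)


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits (the HMAC-SHA1-96 transform) over the
    protected header fields plus the payload."""
    digest = hmac.new(key, _immutable_header(src, dst) + payload, hashlib.sha1).digest()
    return digest[:12]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    """Sender side: attach the ICV to the outgoing packet."""
    return {"src": src, "dst": dst, "payload": payload,
            "icv": ah_icv(key, src, dst, payload)}


def verify_ah(key: bytes, packet: dict) -> bool:
    """Receiver side: recompute the ICV over the header the packet actually
    arrived with and compare it in constant time to the ICV carried in it."""
    expected = ah_icv(key, packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def nat_rewrite_source(packet: dict, new_src: str) -> dict:
    """What a NAT device on the path does: rewrite the source address.
    It cannot fix up the ICV because it does not hold the AH key, so the
    receiver's recomputed ICV no longer matches."""
    rewritten = dict(packet)
    rewritten["src"] = new_src
    return rewritten


def demo() -> tuple:
    """Returns (verifies_before_nat, verifies_after_nat) for a constructed packet
    using RFC 5737 documentation addresses."""
    pkt = build_ah_packet(DEMO_KEY, "192.0.2.10", "198.51.100.1", b"constructed payload")
    natted = nat_rewrite_source(pkt, "203.0.113.5")
    return verify_ah(DEMO_KEY, pkt), verify_ah(DEMO_KEY, natted)


if __name__ == "__main__":
    before, after = demo()
    print(f"AH ICV verifies before NAT: {before}")
    print(f"AH ICV verifies after NAT rewrote the source address: {after}")
```

From the receiver's side the symptom is an integrity failure on every packet from behind the NAT, so the tunnel never carries traffic rather than failing loudly; an IPsec gateway's logs of ICV or authentication failures for a peer are the place to look. ESP's own ICV does not cover the outer IP header, but NAT still interferes with plain ESP in practice (it has no port numbers for a port-translating NAT to work with), which is why NAT-Traversal (UDP encapsulation of ESP, RFC 3948) or keeping the endpoints outside the NAT is the usual remedy.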