IP Security enables secure communications over the Internet and within company networks by securing data traffic at the IP layer. This allows individual users or organizations to secure traffic for all applications, without having to make any modifications to the applications. Therefore the transmission of any data, such as e-mail or application-specific company data, can be made secure.
The mechanism for securing data between two nodes is accomplished by creating a virtual tunnel between two hosts. This is also referred to as creating a Virtual Private Network (VPN). The secure tunnel encapsulates all IP traffic between the two hosts in a manner specified by the user. It provides data integrity, privacy, and authentication depending on how the tunnel is defined.
This chapter discusses the following topics:
A virtual private network is an extension of an enterprise's private intranet across a public network such as the Internet. It creates a secure private connection through what is essentially a private tunnel. VPNs securely convey information across the Internet connecting remote users, branch offices, and business partners/suppliers into an extended corporate network. Internet service providers (ISPs) offer cost-effective access to the Internet through direct lines or local telephone numbers. Therefore, companies can eliminate their current networking options that use more expensive leased lines, long-distance calls, and toll-free telephone numbers.
AIX uses IP Security (IP Sec), which is an open, standard security technology developed by the Internet Engineering Task Force (IETF), as an integral element of eNetwork VPN solutions. IP Sec provides cryptography-based protection of all data at the IP layer of the communications stack. It provides secure communications transparently, with no changes required to existing applications. IP Sec is the IETF-chosen industry standard network security framework for use in both the IP Versions 4 and 6 environments.
IP Sec protects your data traffic in three ways using robust cryptographic techniques:
The process by which the identity of a host or end point is verified
The process of ensuring that no modifications were made to the data while in-transit across the network
The process of ensuring privacy by "hiding" data and private IP addresses while in-transit across the network
Authentication algorithms provide proof of the sender's identity and data integrity by using a cryptographic hash function to process a packet of data (with the immutable IP header fields included) with a secret key to produce a unique digest. On the receiver's side, the data is decapsulated using the same function and key. If either the data has been altered or the sender's key was not valid, the datagram is discarded.
Encryption uses a cryptographic algorithm to modify and randomize the data using a certain algorithm and key to produce cyphertext. Encryption makes the data unreadable while in transit. Once received, the data is recovered using the same algorithm and key (with symmetric encryption algorithms). Encryption must occur with authentication to verify the data integrity of the encrypted data.
These basic services are implemented in IP Sec by the use of the Encapsulating Security Payload (ESP) and the Authentication Header (AH). With ESP, confidentiality is provided by encrypting the original IP packet, building an ESP header, and putting the encrypted data (known as ciphertext) in the ESP payload.
When it is desired to have authentication and integrity checking without confidentiality, the AH may be used alone. With AH, the static fields of the IP header and the data have a hash algorithm applied to compute a keyed digest. The receiver uses its key to compute and compare the digest to make sure the packet is unaltered and the sender's identity is authenticated.