
ҚазККА Хабаршысы (Bulletin of KazATC) No. 3 (126), 2023


UDC 004.056.53 DOI 10.52167/1609-1817-2022-126-3-198-204

U.S. Yessenzholov, N.B. Kaliaskarov

Abylkas Saginov Karaganda Technical University, Karaganda, Kazakhstan. E-mail: [email protected]

IMPLEMENTATION OF TRAFFIC PROTECTION BASED ON IPSEC VPN TECHNOLOGY AND NETWORK MODELING ON THE ENSP SOFTWARE ENVIRONMENT

Abstract. The article is devoted to the study of IPsec VPN technology, which holds significant importance in the realm of information and communication technologies. Firstly, IPsec VPN supports many modern encryption algorithms and authentication methods. Secondly, IPsec VPN is supported by many vendors, which allows the technology to be deployed on equipment from different manufacturers. Thirdly, IPsec VPN places modest demands on hardware performance. Fourthly, IPsec VPN is easy to use and easy to monitor.

This article shows an example of an IPsec VPN implementation in the eNSP software environment on Huawei equipment. As the practical part of the article shows, configuring the tunnel consists of only four steps.

Keywords. Security, latest technologies, data encryption, authentication, VPN.

Introduction.

In today's digital age, securing data and privacy while using the internet is more critical than ever. Whether an employee works remotely or accesses sensitive information over the internet, there is a constant risk of cyber attacks, data breaches and unauthorized access. Virtual Private Network (VPN) technology addresses this risk. Among the VPN protocols in use, Internet Protocol Security (IPsec) is regarded as one of the most dependable and widely deployed for establishing secure connections over the internet. This article explains what an IPsec VPN is, how it works and why it is an essential tool for secure communication.

With the rise of remote work and cloud-based applications, many organizations rely on VPNs to protect sensitive data from unauthorized access. An IPsec VPN creates a protected tunnel between two devices or networks, so that data can be transmitted over the public internet without exposing its content or allowing it to be altered unnoticed. The following sections cover the technical details of IPsec VPNs: how they work, their advantages and limitations, the types of IPsec VPN, and the practices for configuring and managing one so that it delivers both security and acceptable performance.

Ensuring the security of information in transit is a basic requirement when building a network of any scale. It has become especially relevant in the 21st century with the growth of threats such as malware, targeted attacks and phishing. For those responsible for an organization's network, its security is a top priority. Many methods of protecting information exist today, and one of the most important is IPsec VPN technology, which is used in most large corporate networks.

Materials and methods.

IPSec (Internet Protocol Security) is a widely used VPN technology that provides secure communication between two endpoints over the internet. It is a protocol suite that authenticates and encrypts each IP packet in a communication session.


IPsec VPNs are commonly used in remote-access and site-to-site VPNs. In a remote-access VPN, the user connects to the network over the internet using VPN client software installed on their device. The client establishes a connection to the VPN gateway, which authenticates the user and negotiates the keys used to protect the session. This allows remote users to access network resources securely as if they were connected locally.

In a site-to-site VPN, two or more networks are connected over the internet using IPSec tunnels. This allows secure communication between different networks located in different physical locations. Site-to-site VPNs are commonly used by organizations to connect their branch offices or remote data centers to the main corporate network.

IPsec provides a high level of security through authentication and encryption. Confidentiality is provided by symmetric ciphers such as AES (the current choice), 3DES and, historically, DES; integrity and data-origin authentication are provided by keyed message authentication codes such as HMAC-SHA2 (HMAC-SHA1 and HMAC-MD5 remain only for compatibility with older equipment). DES and 3DES are deprecated and should not be selected in new deployments.

Internet Protocol Security (IPsec) is a protocol suite defined by the Internet Engineering Task Force (IETF) for securing Internet Protocol (IP) communication by authenticating and/or encrypting each IP packet of a communication session. Two communicating parties can encrypt data and/or authenticate its origin at the IP layer to ensure data confidentiality and integrity [1]. Note that IPsec authenticates and encrypts traffic but does not by itself protect availability: an attacker positioned on the path can still drop packets and interrupt the tunnel.

To secure traffic, IPsec employs two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH (IP protocol 51) provides connectionless integrity, data-origin authentication and an optional anti-replay service, but no encryption. ESP (IP protocol 50) provides confidentiality (encryption) and limited traffic-flow confidentiality, and can also provide integrity and data-origin authentication of its own payload. In practice ESP with an integrity algorithm (or with a combined-mode cipher such as AES-GCM) is what most deployments use, and AH is rarely enabled.

Figure 1 – The general principle of IPsec VPN

IPsec VPNs use several authentication and encryption protocols to provide secure communication over the internet. Two protocols are involved in authentication:

1) Internet Key Exchange (IKE): This protocol establishes and manages the IPsec security associations between the two devices. IKE uses a Diffie-Hellman key exchange to derive a shared secret between the two devices, from which the keys that encrypt and authenticate the data are derived. IKE also authenticates the identity of each device, using either a pre-shared key (PSK) or digital certificates issued by a public key infrastructure (PKI). IKEv2 (RFC 7296) is the current version and is preferred over IKEv1.

2) Authentication Header (AH): AH provides authentication and integrity for IP packets by adding an Integrity Check Value (ICV) computed with a keyed message authentication code (for example HMAC-SHA2) over the packet, including the immutable fields of the IP header. The key is the one agreed during the IKE negotiation (or configured by hand in manual mode). The ICV is a MAC, not a digital signature: both ends share the same key, so either end could have produced it.

The encryption protocols used in IPsec VPNs include:

1) Encapsulating Security Payload (ESP): ESP encrypts the IP payload (in tunnel mode the entire original IP packet) and encapsulates it between a new ESP header and an ESP trailer. ESP provides confidentiality and, when an integrity algorithm is configured, integrity and data-origin authentication, by encrypting the payload and appending an ICV (again a keyed MAC, not a digital signature) that covers the ESP header and the encrypted payload. ESP can use a variety of encryption algorithms, such as AES (including the combined mode AES-GCM), 3DES and, on older implementations, Blowfish; the 64-bit block ciphers 3DES and Blowfish are deprecated and should not be selected today.


2) Data Encryption Standard (DES): DES is a symmetric-key algorithm that was used to encrypt the data carried in ESP. Its 56-bit key is no longer considered secure and it has been replaced by AES, but some legacy systems may still offer it.

In summary, an IPsec VPN uses IKE to establish the connection and verify the identity of the communicating devices, and AH and/or ESP (with an encryption algorithm such as AES; DES only on legacy equipment) to authenticate and encrypt the data.

ESP provides confidentiality as an optional service, depending on the encryption algorithm chosen (a NULL encryption algorithm is also defined, giving ESP with integrity only). The strength of the confidentiality service depends on the particular algorithm selected. ESP also provides authentication, but its scope is narrower than that of AH: the ESP ICV covers the ESP header (SPI and sequence number), the encrypted payload and the ESP trailer, but not the outer IP header in tunnel mode or the IP header in transport mode, whereas AH also authenticates the immutable fields of the IP header [2]. This is why ESP, unlike AH, survives address rewriting by NAT devices.

Figure 2 – Authentication and encryption protocols in IPsec VPN

Results.

An important part of building VPN tunnels between offices is setting up a security association. A Security Association (SA) is a simplex (one-directional) relationship between the two peers that defines the security services applied to the traffic carried over it. An SA provides its services through either AH or ESP, but not both. If both AH and ESP protection are applied to a traffic stream, two (or more) SAs are created. To secure bidirectional communication between two hosts, or two security gateways as in the example, two SAs are required, one in each direction [3]. An SA is identified by its Security Parameter Index (SPI), destination address and protocol (AH or ESP); the SPI carried in each packet tells the receiver which SA, and therefore which keys and algorithms, to apply.

IPsec SAs are established either manually or through Internet Key Exchange (IKE) negotiation. In manual mode every parameter shown in the example (SPIs, algorithms and keys) is configured by hand on both peers. Manual SAs never age: keys are never rotated and the sequence counter is never reset by a rekey, which makes manual mode suitable only for laboratories and small fixed links. With IKE negotiation only the IKE parameters need to be configured on the two peers; the SAs are then created, rekeyed and deleted by IKE, and the complexity lies in the automated negotiation process itself.
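The per-direction SA state described above, as an added example in Python that is not part of the original article: each inbound SA keeps the right edge of a sliding window and a bitmap of sequence numbers already accepted (the anti-replay algorithm of RFC 4303, section 3.4.3), and each outbound SA keeps a counter that must never wrap. The SPI values, the window size and the received sequence numbers are constructed for the example.

```python
"""Per-direction SA state: the RFC 4303 (section 3.4.3) anti-replay window on
the receiving side and the non-wrapping sequence counter on the sending side.

Added example, not from the article. SPI values, window size and the received
sequence numbers are constructed for the example.
"""
from dataclasses import dataclass, field

WINDOW = 64   # RFC 4303 requires a window of at least 32; 64 is a common default


@dataclass
class InboundSA:
    spi: int
    window: int = WINDOW
    highest_seq: int = 0      # right edge of the window; 0 = nothing received yet
    bitmap: int = 0           # bit i set <=> sequence number (highest_seq - i) was accepted
    accepted: int = 0
    dropped: list = field(default_factory=list)   # (seq, reason) pairs for auditing

    def check_and_update(self, seq: int) -> bool:
        """Accept seq if it is new and not older than the window; update the window.

        In the real protocol the window is updated only after the ICV has verified,
        so a forged packet can never advance it; that check is assumed done by the caller.
        """
        if seq == 0:                               # a fresh SA starts counting at 1
            self.dropped.append((seq, "zero"))
            return False
        if seq > self.highest_seq:                 # ahead of the window: slide it right
            shift = seq - self.highest_seq
            if shift >= self.window:
                self.bitmap = 1                    # the whole old window falls off the left
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            self.accepted += 1
            return True
        offset = self.highest_seq - seq
        if offset >= self.window:                  # left of the window: too old
            self.dropped.append((seq, "too old"))
            return False
        if (self.bitmap >> offset) & 1:            # inside the window, already seen
            self.dropped.append((seq, "replay"))
            return False
        self.bitmap |= 1 << offset                 # inside the window, first time: accept
        self.accepted += 1
        return True


@dataclass
class OutboundSA:
    spi: int
    seq: int = 0

    def next_seq(self) -> int:
        """Sequence numbers must never cycle on one SA (RFC 4303 section 3.3.3).
        With IKE the SA is rekeyed long before 2^32 packets; a manually keyed SA
        is never rekeyed, so it has to be replaced by hand before this point."""
        if self.seq == 0xFFFFFFFF:
            raise OverflowError("sequence number exhausted: replace (rekey) the SA")
        self.seq += 1
        return self.seq


def receive(sa: InboundSA, seqs: list) -> list:
    """Run a list of received sequence numbers through one inbound SA; True = accepted."""
    return [sa.check_and_update(s) for s in seqs]
```

Reordered packets inside the window (5 arriving before 4) are accepted; a duplicate of an accepted number is dropped as a replay, and anything that has fallen off the left edge is dropped as too old. Because the window lives in one SA, the two directions of a tunnel keep independent windows and counters.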

An IPSec VPN tunnel (Internet Protocol Security Virtual Private Network tunnel) is a secure network connection that allows two remote networks to communicate over the internet as if they were directly connected through a private network. IPSec is a set of protocols that provide secure communication by encrypting data packets and authenticating the identity of the sender and receiver.


In an IPSec VPN tunnel, data is encrypted and encapsulated within IP packets, which are then transmitted over the internet. The encryption and decryption of the data packets happen at both ends of the tunnel, using the shared keys and security protocols negotiated during the initial setup of the tunnel.

Businesses and organizations frequently utilize IPSec VPN tunnels to establish secure connections between remote offices or workers and their corporate networks. This enables employees to access company resources such as files, applications, and servers from a remote location as if they were physically present in the office. IPSec VPN tunnels are also employed to securely connect business partners, suppliers, and customers.

Figure 3 – Parameters for creating a security association

IPsec configuration can be performed in two main modes.

Transport mode SA is a security association between two hosts that protects higher layer protocols, with the security protocol header appearing directly after the IP header and any options but before any higher layer protocols like TCP or UDP in IPv4. The AH or ESP header is inserted between the IP header and the protocol header for the transport layer. In a transport mode SA with ESP, security services are only provided for the higher layer protocols and not for the IP header or any extension headers before the ESP header. AH, on the other hand, extends protection to specific parts of the IP header and selected options, in addition to the higher layer protocols [4].

Figure 4 – IPSec transport mode


In the IPSec context, using ESP in tunnel mode, especially at a security gateway, can provide some level of traffic flow confidentiality. The outer IP header source address and destination address identify the endpoints of the tunnel. The inner IP header source and destination addresses identify the original sender and recipient of the datagram, (from the perspective of this tunnel), respectively.

The inner IP header is not changed except to decrement the TTL, and remains unchanged during its delivery to the tunnel exit point. No change occurs to IP options or extension headers in the inner header during delivery of the encapsulated datagram through the tunnel. An AH or ESP header is inserted before the original IP header, and a new IP header is inserted before the AH or ESP header [5].
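The two encapsulation modes, and the question of which bytes the ESP integrity check covers, as an added example in Python that is not from the article. Simplifications, all assumptions of this example: the IPv4 header is a hand-built 20-byte header without options; the cipher is a keystream derived from HMAC-SHA256 in counter mode, standing in for AES-CBC or AES-GCM; the ICV is HMAC-SHA256 truncated to 128 bits, as ESP does for HMAC-SHA-256-128. Addresses, keys and the payload are constructed.

```python
"""ESP in transport and tunnel mode with the ICV computed over exactly the bytes
RFC 4303 covers (ESP header, ciphertext, trailer) and not the outer IP header.

Added example, not from the article. Simplifications (assumptions):
  - 20-byte IPv4 header without options, checksum left at zero;
  - the cipher is an HMAC-SHA256 keystream in counter mode, standing in for
    AES-CBC / AES-GCM;
  - the ICV is HMAC-SHA256 truncated to 128 bits (HMAC-SHA-256-128).
"""
import hashlib
import hmac
import struct

PROTO_IPV4 = 4    # next-header value for an IPv4 packet carried inside ESP (tunnel mode)
PROTO_UDP = 17
PROTO_ESP = 50
ICV_LEN = 16


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header: ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def keystream(enc_key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in cipher: keystream unique per (SPI, sequence number) on the SA."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, struct.pack("!IIQ", spi, seq, counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(packet: bytes, mode: str, spi: int, seq: int, enc_key: bytes,
                    auth_key: bytes, outer_src: bytes = b"", outer_dst: bytes = b"") -> bytes:
    """Protect an IPv4 packet with ESP.

    transport: original IP header kept, ESP inserted between it and the payload;
    tunnel:    the whole original packet is the payload and a new outer header is added.
    """
    ip_hdr, payload = packet[:20], packet[20:]
    if mode == "transport":
        plaintext, next_hdr = payload, ip_hdr[9]            # protect the payload only
        src, dst, ttl = ip_hdr[12:16], ip_hdr[16:20], ip_hdr[8]
    elif mode == "tunnel":
        plaintext, next_hdr = packet, PROTO_IPV4            # inner header is protected too
        src, dst, ttl = outer_src, outer_dst, 64
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # ESP trailer: padding so that payload + pad + pad-length + next-header is 4-byte aligned
    pad_len = (-(len(plaintext) + 2)) % 4
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp = struct.pack("!II", spi, seq) + xor(body, keystream(enc_key, spi, seq, len(body)))
    # ICV over ESP header + encrypted body; the IP header in front of it is NOT covered
    esp += hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(src, dst, PROTO_ESP, 20 + len(esp), ttl) + esp


def esp_verify_icv(packet: bytes, auth_key: bytes) -> bool:
    """Recompute the ICV over the ESP part only and compare in constant time."""
    esp = packet[20:]
    expected = hmac.new(auth_key, esp[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(esp[-ICV_LEN:], expected)


def esp_decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes) -> tuple:
    """Verify first, decrypt second; return (next_header, recovered data)."""
    if not esp_verify_icv(packet, auth_key):
        raise ValueError("ICV mismatch: packet dropped before decryption")
    esp = packet[20:-ICV_LEN]
    spi, seq = struct.unpack("!II", esp[:8])
    body = xor(esp[8:], keystream(enc_key, spi, seq, len(esp) - 8))
    pad_len, next_hdr = body[-2], body[-1]
    return next_hdr, body[:len(body) - 2 - pad_len]


def flip_byte(packet: bytes, index: int) -> bytes:
    """Simulate on-path tampering with a single byte."""
    return packet[:index] + bytes([packet[index] ^ 0xFF]) + packet[index + 1:]
```

Flipping a byte of the outer source address leaves the ICV valid (which is what lets ESP pass through NAT), while flipping a byte of the SPI or the ciphertext makes verification fail and the packet is dropped before any decryption is attempted. In tunnel mode the inner addresses are inside the ciphertext; in transport mode they stay visible in the retained IP header.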

Discussions.

In the practical part of this article, IPsec VPN is configured on the topology shown in Figure 6. The network consists of a main office, a branch office and a backbone segment between routers R1 and R3.

Figure 6 – Topology of IPSec configuration

Before configuring IPsec VPN, IP addresses must be assigned to all computers and router interfaces, and routing between R1 and R3 must work, because the tunnel endpoints have to reach each other before any IPsec packet can be exchanged.

All computers in the topology are configured in the same way, according to the addressing plan of the topology.

IPsec VPN configuration consists of several steps:

- selection of the traffic of interest using the ACL mechanism;

- configuration of the IPsec proposal (security protocol, encapsulation mode and algorithms);

- creation of the IPsec policy, which binds the ACL and the proposal to the tunnel endpoints (in manual mode the SPIs and keys are entered here; in IKE mode an IKE proposal and an IKE peer are configured first and referenced by the policy);

- application of the created IPsec policy to the desired interface.

All the steps must be performed on both R1 and R3, and their parameters must mirror each other: the ACL on R3 is the reverse of the ACL on R1, and every SPI and key entered as outbound on one router is entered as inbound on the other. The created policy is applied on R1 and on R3 to the interface that faces the backbone segment; the policy governs traffic in both directions on that interface (outbound packets matching the ACL are encapsulated, inbound ESP packets are checked and decapsulated).
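The four steps for both routers, as an added example in Python that is not the article's own configuration: the script emits the Huawei VRP command lines for each end and cross-checks that the two ends mirror each other before anything is pasted into eNSP. Addresses, ACL and SPI numbers, interface names and keys are constructed for the example (Figure 6 gives no addresses). Manual keying is assumed because it matches the four steps; with IKE, an `ike proposal` and `ike peer` would be added before the policy and the SPI and key lines would go away. The exact form of the `sa string-key` command varies between VRP versions and should be checked with `?` on the target image.

```python
"""Four-step Huawei VRP IPsec configuration for both ends of a manually keyed
site-to-site tunnel, plus a mirror-image check of the two parameter sets.

Added example, not the article's configuration. All addresses, numbers, names
and keys are constructed; manual keying is assumed; the 'sa string-key' form
is version-dependent (check with '?' on the target VRP image).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class End:
    name: str        # router name (R1 or R3 in the article's topology)
    wan_if: str      # interface facing the backbone segment
    wan_ip: str      # tunnel endpoint address on that interface
    lan: str         # protected subnet behind this router
    lan_wild: str    # VRP wildcard mask of that subnet
    spi_out: int     # SPI of the SA this end sends on
    spi_in: int      # SPI of the SA this end receives on
    key_out: str
    key_in: str


def vrp_config(me: End, peer: End, acl: int = 3000, proposal: str = "prop1",
               policy: str = "pol1", seq: int = 10) -> list:
    """Configuration lines for one router, in the article's four steps."""
    return [
        # step 1: traffic of interest, this LAN -> peer LAN (the peer's ACL is the reverse)
        f"acl number {acl}",
        f" rule 5 permit ip source {me.lan} {me.lan_wild} destination {peer.lan} {peer.lan_wild}",
        # step 2: proposal = protocol, mode and algorithms (ESP, tunnel, SHA-2, AES)
        f"ipsec proposal {proposal}",
        " transform esp",
        " encapsulation-mode tunnel",
        " esp authentication-algorithm sha2-256",
        " esp encryption-algorithm aes-128",
        # step 3: policy = ACL + proposal + endpoints + manual SA parameters
        f"ipsec policy {policy} {seq} manual",
        f" security acl {acl}",
        f" proposal {proposal}",
        f" tunnel local {me.wan_ip}",
        f" tunnel remote {peer.wan_ip}",
        f" sa spi outbound esp {me.spi_out}",
        f" sa spi inbound esp {me.spi_in}",
        f" sa string-key outbound esp {me.key_out}",
        f" sa string-key inbound esp {me.key_in}",
        # step 4: apply to the interface facing the backbone; covers both directions
        f"interface {me.wan_if}",
        f" ipsec policy {policy}",
    ]


def mirror_errors(a: End, b: End) -> list:
    """Every outbound parameter on one end must be the inbound parameter on the other."""
    errors = []
    if a.spi_out != b.spi_in or b.spi_out != a.spi_in:
        errors.append("SPIs do not cross: a.spi_out must equal b.spi_in and vice versa")
    if a.key_out != b.key_in or b.key_out != a.key_in:
        errors.append("keys do not cross")
    if a.spi_out == a.spi_in:
        errors.append("same SPI in both directions; each direction is its own SA")
    if a.wan_ip == b.wan_ip or a.lan == b.lan:
        errors.append("tunnel endpoints or protected subnets are not distinct")
    return errors


if __name__ == "__main__":
    # Constructed values for the example topology (main office behind R1, branch behind R3).
    r1 = End("R1", "GigabitEthernet0/0/0", "10.0.0.1", "192.168.1.0", "0.0.0.255",
             12345, 54321, "keyA-out-of-R1", "keyB-out-of-R3")
    r3 = End("R3", "GigabitEthernet0/0/0", "10.0.0.2", "192.168.2.0", "0.0.0.255",
             54321, 12345, "keyB-out-of-R3", "keyA-out-of-R1")
    problems = mirror_errors(r1, r3)
    if problems:
        raise SystemExit("\n".join(problems))
    for me, peer in ((r1, r3), (r3, r1)):
        print(f"# ---- {me.name} ----")
        print("\n".join(vrp_config(me, peer)))
```

The mirror check catches the most common cause of a tunnel that "comes up" on one side only: an outbound SPI or key that was typed as outbound on both routers. The proposal must also be identical on both ends, which the generator guarantees by emitting the same lines for each.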


Figure 9 – Configuring IPsec VPN

IPsec VPN is a core element of securing a practical network of any scale. Implementing IPsec VPN in a corporate environment does not require many resources or much of the system administrator's time, yet it provides a reliable basis for information protection, provided that current algorithms (AES, SHA-2) are selected and that, outside the laboratory, SAs are negotiated by IKE rather than keyed manually.

Conclusion

The use of IPsec VPN technology ensures that data transmitted over the network is encrypted and authenticated, protecting it from unauthorized access and potential attacks.

Additionally, network modeling using ENSP software environment provides a reliable way to simulate and test the network infrastructure before actual implementation, allowing for the identification and resolution of potential issues before they become a problem.

The implementation of traffic protection based on IPsec VPN technology and network modeling on the ENSP software environment can also help organizations comply with various data security regulations and standards.

Overall, the implementation of traffic protection based on IPsec VPN technology and network modeling in the eNSP software environment is an effective approach to securing network traffic, ensuring the confidentiality and integrity of data and the authenticity of its origin, and mitigating potential risks and vulnerabilities.

REFERENCES

[1] Barinov, V.V., Barinov, I.V., Proletarsky, A.V. Computer Networks: Textbook. Moscow: Academia, 2018. 192 p.

[2] Kurose, J. Computer Networking: A Top-Down Approach. Moscow: Eksmo, 2018. 800 p.

[3] Olifer, V., Olifer, N. Computer Networks. Principles, Technologies, Protocols: Textbook. St. Petersburg: Piter, 2016. 176 p.

[4] Stallings, W. Computer Networks, Protocols, and Internet Technologies. St. Petersburg: BHV, 2005. 832 p.

[5] Tanenbaum, A.S. Computer Networks. St. Petersburg: Piter, 2019. 960 p.


Ulan Yessenzholov, Master's degree, Senior Lecturer, Abylkas Saginov Karaganda Technical University, Karaganda, Kazakhstan, [email protected]

Nurbol Kaliaskarov, PhD, Abylkas Saginov Karaganda Technical University, Karaganda, Kazakhstan, [email protected]

IMPLEMENTATION OF TRAFFIC PROTECTION BASED ON IPSEC VPN TECHNOLOGY AND NETWORK MODELING IN THE ENSP SOFTWARE ENVIRONMENT

Abstract (translated from the Kazakh and Russian versions, which are identical in content). The article is devoted to the study of IPsec VPN technology, whose role in the field of information and communication technologies is considerable. Firstly, IPsec VPN supports many modern encryption algorithms and authentication methods. Secondly, IPsec VPN is supported by many vendors, which makes it possible to deploy the technology on equipment from different manufacturers. Thirdly, IPsec VPN does not demand high performance from the hardware. Fourthly, IPsec VPN is simple to use and easy to monitor.

The article shows an example of an IPsec VPN implementation in the eNSP software environment on Huawei equipment. As the practical part of the article shows, creating and deploying the technology takes only four steps.

Keywords. Security, latest technologies, data encryption, authentication, VPN.
