ipsec client 03

Upload: faizan-nusrat

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 Ipsec Client 03

    1/14

    UNIT-2

    2/14

    Basic issues with IPSEC clients

    1. Client security

    2. Floating security associations

    3. IPSEC client software packaging

    3/14

    An IPSEC client is a software package that provides IPSEC protection for TCP/IP network traffic on a workstation or laptop.

    It may be packaged as a shim that fits between an existing TCP/IP stack and the host computer's device drivers.

    The client provides IPSEC protection without affecting the security associations established by the workstation's operator.

    4/14

    Lower stack approach

    1. It is a separate software package residing between an existing TCP/IP stack and the network device driver.

    2. It appears at a lower point in the protocol stack.

    3. It is also referred to as a shim.

    4. The shim is a much simpler software component to construct and maintain than a package including full TCP/IP.

    Upper stack approach

    1. IPSEC is integrated directly into the TCP/IP stack.

    2. It is best for sophisticated systems like Unix or Windows NT.

    3. It allows software with differing security attributes to use separate security associations.

    4. It is a more complex product and forces users to replace the TCP/IP stack they currently use.

    5/14

    a. Site-based assignments

        a. A typical IPSEC client application is to protect mobile users when connecting to a central site.

        b. The central site generates all the IPSEC association parameters needed and provides a mechanism to import them into the client.

    b. Client mobility

        a. In some cases the client will use a unique, permanently assigned IP address.

        b. In other cases a traveling client might use a variety of ISPs according to location.

    6/14

    Clients are less of a target than servers for two reasons.

    1. Clients belonging to the typical user are not perceived to be worthwhile targets.

    2. Clients lack the continuous accessibility of servers.

        1. They are not always online.

        2. The client IP address may change from one session to the next.

    7/14

    Block all communication that doesn't use IPSEC.

    Configure the rest of your system to resist internet attacks.

    8/14

    The security of a computer system depends heavily on its physical security.

    There are essentially three techniques for protecting keys from theft:

    1. Store the keys on a removable device.

    2. Password protection

    3. Encrypted key

    9/14

    We use IPSEC clients to protect traffic between a central site and remote hosts.

    The central site has an IPSEC encrypting router or similar IPSEC device.

    The central site assigns security associations and keys to the individual clients.

    Incoming traffic that uses an assigned association is then admitted to the site.

    All other traffic is blocked.

    10/14

    1. Password sniffing

    2. IP spoofing

    3. IP hijacking

    4. SYN flooding

    11/14

    Message processing is always slower when you use IPSEC.

    IPSEC protection will be applied occasionally even when not really needed.

    IPSEC protection is applied automatically whenever there is a security association in place between the client and the central site.

    IPSEC works at the packet level and protects everything travelling between a given pair of hosts.

    12/14

    There are two parts to remote access security:

    1. Risks to the central site.

    2. Risks associated with clients.

    The other risks to the mobile client are:

    1. Client attacks from the internet

    2. Virus-based attacks on clients

    3. Client theft

    13/14

    Clients are at risk of attack simply because they are hosts on the internet.

    How to block:

    1. Block all messages that don't carry a valid IPSEC header.

    2. Take a close look at every TCP/IP software component residing on the client.

    3. Look for any mechanism that allows an outside system to modify data on your machine, and then block that mechanism or service.
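
The admission rule from the central-site slide (admit traffic on an assigned association, block the rest) and the client rule above (block messages without a valid IPSEC header) can be sketched as one default-deny filter. This is an added example, not part of the original slides; the SPI table, addresses and function names are constructed for illustration.

```python
import socket
import struct

ESP, AH = 50, 51  # IP protocol numbers of the two IPSEC headers

# Constructed SA table (SPI -> client label); the values are illustrative only.
ASSIGNED_SPIS = {0x1000A001: "laptop-1", 0x1000A002: "laptop-2"}

def ipsec_spi(packet: bytes):
    """Return (protocol, SPI) for an IPv4 packet carrying ESP or AH, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    # Only the first fragment holds the IPSEC header; later fragments are refused.
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None
    proto, payload = packet[9], packet[ihl:]
    if proto == ESP and len(payload) >= 8:    # ESP: SPI(4) | sequence(4)
        return proto, struct.unpack("!I", payload[:4])[0]
    if proto == AH and len(payload) >= 12:    # AH: next(1) len(1) reserved(2) SPI(4) seq(4)
        return proto, struct.unpack("!I", payload[4:8])[0]
    return None

def admit(packet: bytes, assigned=ASSIGNED_SPIS) -> bool:
    """Default deny: admit only packets whose SPI belongs to an assigned SA.

    The source address is deliberately not consulted in this sketch, so a mobile
    client whose IP address changes between sessions still matches its SA.
    """
    found = ipsec_spi(packet)
    return found is not None and found[1] in assigned

def make_ipv4(proto, payload, src="198.51.100.7", frag=0):
    """Build a minimal IPv4 packet for the demo (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton("192.0.2.1")) + payload

if __name__ == "__main__":
    esp = struct.pack("!II", 0x1000A001, 1) + b"\x00" * 16
    samples = {
        "ESP, assigned SPI": make_ipv4(ESP, esp),
        "ESP, same SPI, new source": make_ipv4(ESP, esp, src="203.0.113.9"),
        "ESP, unknown SPI": make_ipv4(ESP, struct.pack("!II", 0xDEADBEEF, 1)),
        "plain TCP": make_ipv4(6, b"\x00" * 20),
    }
    for name, pkt in samples.items():
        print(f"{name:28} -> {'admit' if admit(pkt) else 'block'}")
```

A matching SPI only selects the security association; a real gateway then verifies the packet's integrity check and sequence number with that association's keys before accepting it.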

    14/14

    Client theft

    Does IPSEC provide any protection against viruses?

    What special threat might viruses pose to IPSEC clients?