IPSec is a series of protocols that allow the secure exchange of packets at the IP layer. This is principally designed to assist in the implementation of VPNs (Virtual Private Networks) between hosts or networks.
IPSec consists of two sub-protocols: Encapsulated Security Payload (ESP) and Authentication Header (AH). ESP provides packet-level encryption using symmetric cryptography algorithms like 3DES. AH provides protection for the IP packet header. It also prevents spoofing by computing a cryptographic checksum and performing hashing on the header fields. You can use ESP and AH on their own or together. IPSec also has two modes -- transport mode and tunnel mode. Transport mode is used to directly encrypt traffic between two hosts. Transport mode only encrypts the packet itself -- not the IP header. Tunnel mode, which is used in most VPNs, creates virtual tunnels between two subnets. This mode encrypts the payload and the IP header.
The principal advantage of IPSec is that it offers confidentiality and authentication at the packet level between hosts and networks. It provides this functionality using an exchange, either manually or using a protocol called IKE, of public keys. This means, if you are sure about the security of your keys, that traffic secured with IPSec can be assumed to have come from the correct host and has not be spoofed. Therefore, the content of those packets has been secured from prying eyes and no data has been substituted.
However, IPSec has two major drawbacks. First, it relies on the security of your public keys. If you have poor key management or the integrity of your keys is compromised then you lose the security factor. The second disadvantage is performance. IPSec can add overhead to your network and application traffic, hence the use of hardware appliances such as VPN Concentrators.
You can find an excellent explanation, including theory, of IPSec functionality and a "how-to" for Linux-based IPSec here.
Dig Deeper on Data center ops, monitoring and management
Related Q&A from James Turnbull
A Linux security expert explains that the difference between the Snort alert and log logs in the Snort /var/log/snort directory is based on how rules... Continue Reading