What is IPsec?
IPsec (Internet Protocol Security) refers to a set of protocols designed to ensure secure communication between devices across the internet or any public network.
IPsec enables businesses to authenticate data sources and to protect sensitive information (e.g. payment details and confidential communications) when this information is transmitted across a network. It’s also a frequent method of choice for authenticating traffic and securing data within a virtual private network (VPN).
Rather than a single technology, IPsec consists of a set of protocols (rules) and processes designed to ensure secure network communications. Here are the most important elements of the IPsec suite:
Authentication Header (AH)
Data is transmitted across a network in segments (packets). Each packet has a ‘header’: i.e. information that describes what the receiving device can expect from the data stream. The Authentication Header (AH) essentially acts like a tamper-proof seal. It enables the receiving device to verify the data packet’s origin and to check that it has not been accessed or altered in transmission.
Encapsulating Security Protocol (ESP)
As well as adding a further authentication layer, this protocol is responsible for encryption, ensuring that only authorised devices can read the transmitted data.
Internet Security Association and Key Management Protocol (ISAKMP)
With ESP, the devices communicating with each other use a shared key to encrypt and decrypt the data they exchange. To facilitate this, ISAKMP defines the attributes of the connection (the security association), including how the encryption key is established and which cryptographic algorithm is to be used.
How does IPsec work?
IPsec operates in one of two modes: tunnel or transport.
Tunnel mode
In tunnel mode, the entire IP data packet – including both the data payload and the header – is encrypted during transmission. IPsec encrypts the packet, adds a new IP header and sends it to the other endpoint. This mode enables secure data transmission, even where you have multiple devices communicating with each other via different networks.
Transport mode
In transport mode, only the data packet payload is encrypted and authenticated. No changes are made to the header. In terms of bandwidth, transport mode has a lower overhead than tunnel mode. It’s often used for device and network management, such as a technician accessing a remote server for maintenance work.
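The following is an added example, not code from the original page or from Wireless Logic: a toy model of how AH and ESP protect an IPv4 packet, and of what transport mode and tunnel mode each leave visible on the wire. It assumes simplified 20-byte IPv4 headers (checksum left at zero), an HMAC-SHA256 counter keystream standing in for the AES cipher real ESP uses, HMAC-SHA-256-128 integrity values as in RFC 4868, and constructed addresses from the RFC 5737 documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import struct

AH, ESP, IPV4_IN_IPV4, UDP = 51, 50, 4, 17   # IP protocol / next-header numbers

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left at zero in this toy."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def outer_addresses(packet):
    """What an on-path observer reads from the outer header: (src, dst, protocol)."""
    return (str(ipaddress.ip_address(packet[12:16])),
            str(ipaddress.ip_address(packet[16:20])), packet[9])

# --- Authentication Header: integrity over header + payload, nothing encrypted ---
def _ah_icv(key, ip_hdr, ah_fixed, payload):
    """AH ICV over the IP header with the fields a router may change zeroed
    (DSCP, flags/fragment offset, TTL, checksum), the AH header with its ICV
    field zeroed, and the payload. HMAC-SHA256 truncated to 128 bits."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0; hdr[6:8] = b"\0\0"; hdr[8] = 0; hdr[10:12] = b"\0\0"
    return hmac.new(key, bytes(hdr) + ah_fixed + bytes(16) + payload, hashlib.sha256).digest()[:16]

def ah_transport(auth_key, src, dst, inner_proto, payload, spi, seq):
    """Transport-mode AH: original header kept and authenticated, AH inserted before payload."""
    ip_hdr = ipv4_header(src, dst, AH, 28 + len(payload))
    ah_fixed = struct.pack("!BBHII", inner_proto, 5, 0, spi, seq)  # 5 = (28 bytes / 4) - 2
    return ip_hdr + ah_fixed + _ah_icv(auth_key, ip_hdr, ah_fixed, payload) + payload

def ah_verify(auth_key, packet):
    ip_hdr, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:48], packet[48:]
    return hmac.compare_digest(icv, _ah_icv(auth_key, ip_hdr, ah_fixed, payload))

# --- Encapsulating Security Payload: encryption + integrity over the protected part ---
def _keystream(key, iv, n):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); real ESP uses AES."""
    return b"".join(hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _esp_wrap(enc_key, auth_key, spi, seq, iv, next_header, plaintext):
    """SPI | seq | IV | encrypt(plaintext | padding | pad_len | next_header) | ICV."""
    pad_len = -(len(plaintext) + 2) % 4
    body = plaintext + bytes(pad_len) + bytes([pad_len, next_header])
    ct = _xor(body, _keystream(enc_key, iv, len(body)))
    esp_hdr = struct.pack("!II", spi, seq) + iv
    return esp_hdr + ct + hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:16]

def esp_transport(enc_key, auth_key, src, dst, inner_proto, payload, spi, seq, iv):
    """Transport mode: the original header stays in the clear; only the payload is protected."""
    esp = _esp_wrap(enc_key, auth_key, spi, seq, iv, inner_proto, payload)
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def esp_tunnel(enc_key, auth_key, gw_src, gw_dst, inner_packet, spi, seq, iv):
    """Tunnel mode: the whole inner packet is protected; a new outer header names the gateways."""
    esp = _esp_wrap(enc_key, auth_key, spi, seq, iv, IPV4_IN_IPV4, inner_packet)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def esp_unwrap(enc_key, auth_key, packet):
    """Check the ICV before decrypting, then strip the trailer; returns (next_header, plaintext)."""
    esp = packet[20:]
    esp_hdr, ct, icv = esp[:24], esp[24:-16], esp[-16:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("ESP ICV mismatch: packet altered or wrong key")
    body = _xor(ct, _keystream(enc_key, esp_hdr[8:], len(ct)))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - pad_len - 2]

# Constructed sample: host 10.0.0.5 talks to 192.168.1.9; the gateways are 203.0.113.1 / 198.51.100.2.
ENC_KEY, AUTH_KEY = b"e" * 32, b"a" * 32
IV = bytes(range(16))
PAYLOAD = b"\x04\xd2\x00\x35\x00\x0c\x00\x00hello"   # constructed UDP header + data

def demo():
    inner = ipv4_header("10.0.0.5", "192.168.1.9", UDP, len(PAYLOAD)) + PAYLOAD
    transport = esp_transport(ENC_KEY, AUTH_KEY, "10.0.0.5", "192.168.1.9", UDP, PAYLOAD, 0x1001, 1, IV)
    tunnel = esp_tunnel(ENC_KEY, AUTH_KEY, "203.0.113.1", "198.51.100.2", inner, 0x1002, 1, IV)
    ah = ah_transport(AUTH_KEY, "10.0.0.5", "192.168.1.9", UDP, PAYLOAD, 0x2001, 1)
    forwarded = bytearray(ah); forwarded[8] -= 1     # a router decrements TTL: still verifies
    tampered = bytearray(ah); tampered[-1] ^= 1      # one payload bit flipped: ICV fails
    return {
        "transport_outer": outer_addresses(transport),  # real hosts visible on the wire
        "tunnel_outer": outer_addresses(tunnel),        # only the gateways are visible
        "inner_hidden": inner[:20] not in tunnel,       # inner header never appears in the clear
        "transport_plain": esp_unwrap(ENC_KEY, AUTH_KEY, transport),
        "tunnel_plain": esp_unwrap(ENC_KEY, AUTH_KEY, tunnel),
        "ah_after_router": ah_verify(AUTH_KEY, bytes(forwarded)),
        "ah_tampered": ah_verify(AUTH_KEY, bytes(tampered)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points worth noting: the receiver checks the integrity value before it decrypts anything, so a forged or modified packet is rejected without touching the cipher; and the AH calculation zeroes exactly the header fields that routers legitimately rewrite, which is why a TTL decrement passes while a one-bit change to the payload does not.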
IPsec operating steps
Here’s how an IPsec connection works in practice…
Host Recognition
The system recognises that a data packet requires protection. The packet is treated as “interesting traffic”, automatically triggering the appropriate IPsec security policies.
IKE Phase One
The communicating devices (peers) are authenticated. An Internet Key Exchange (IKE) policy is also negotiated between these peers. This ensures that the parties are using the same encryption key. A secure tunnel is established for the exchange of data.
IKE Phase Two
The parameters for data exchange are negotiated between the peers using ISAKMP.
Data Transfer
Data is encrypted and then transmitted through the IPsec tunnel. At the other end, the packets are decrypted.
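To show the operating steps above (and the role of ISAKMP/IKE described earlier) working end to end, here is an added example that is not part of the original page: a simplified model of host recognition against a security policy, a phase-one Diffie-Hellman exchange with key derivation in the layout of RFC 7296 section 2.14, a pre-shared-key proof, and phase-two child SA keys derived with prf+. It is not the IKE wire protocol. Assumptions: a toy 127-bit DH group (real IKE uses RFC 3526 MODP or elliptic-curve groups), a single PSK proof over the nonces instead of the full signed-octets construction, and a constructed security policy database.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Toy DH group for illustration only; real IKE uses RFC 3526 MODP or ECP groups.
P, G = 2**127 - 1, 5

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, n):
    """RFC 7296 prf+: T1 = prf(K, S|1), Ti = prf(K, T(i-1)|S|i), concatenated to n bytes."""
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:n]

# Step 1, host recognition: a constructed security policy database.
# Each entry is (source network, destination network, protocol or None for any, action).
SPD = [
    (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.1.0/24"), None, "protect"),
    (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.0.0/24"), None, "bypass"),
]

def classify(src, dst, proto):
    """Return the SPD action for a packet; anything unmatched is discarded (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, sel_proto, action in SPD:
        if s in src_net and d in dst_net and sel_proto in (None, proto):
            return action
    return "discard"

class Peer:
    """One IKE endpoint; it holds only what that side knows."""
    def __init__(self, psk):
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1      # private DH exponent, never sent
        self.nonce = secrets.token_bytes(32)
        self.spi = secrets.token_bytes(8)

    def init_message(self):
        """Phase-one opening message: SPI, nonce and DH public value, all sent in the clear."""
        return {"spi": self.spi, "nonce": self.nonce, "ke": pow(G, self.x, P)}

    def phase_one(self, peer_msg, initiator):
        """Phase one: combine DH values, derive SKEYSEED and the seven IKE SA keys."""
        shared = pow(peer_msg["ke"], self.x, P).to_bytes(16, "big")
        ni, nr = (self.nonce, peer_msg["nonce"]) if initiator else (peer_msg["nonce"], self.nonce)
        spii, spir = (self.spi, peer_msg["spi"]) if initiator else (peer_msg["spi"], self.spi)
        self.ni_nr = ni + nr
        skeyseed = prf(ni + nr, shared)
        km = prf_plus(skeyseed, ni + nr + spii + spir, 7 * 32)
        (self.sk_d, self.sk_ai, self.sk_ar, self.sk_ei,
         self.sk_er, self.sk_pi, self.sk_pr) = (km[i:i + 32] for i in range(0, 7 * 32, 32))

    def auth_token(self):
        """Pre-shared-key proof exchanged inside the protected channel (simplified)."""
        return prf(prf(self.psk, b"Key Pad for IKEv2"), self.ni_nr)

    def phase_two(self):
        """Phase two: child SA keys for ESP, KEYMAT = prf+(SK_d, Ni | Nr), split per direction."""
        keymat = prf_plus(self.sk_d, self.ni_nr, 4 * 32)
        return {"enc_i": keymat[0:32], "auth_i": keymat[32:64],
                "enc_r": keymat[64:96], "auth_r": keymat[96:128]}

def negotiate(psk_initiator, psk_responder):
    """Run both sides of the exchange and report what each step achieved."""
    a, b = Peer(psk_initiator), Peer(psk_responder)
    ma, mb = a.init_message(), b.init_message()      # the only values an observer sees
    a.phase_one(mb, initiator=True)
    b.phase_one(ma, initiator=False)
    ike_keys_match = a.sk_d == b.sk_d and a.sk_ei == b.sk_ei
    # DH alone gives matching keys to whoever answered; the PSK proof is what ties
    # the tunnel to the intended peer, so phase two only proceeds when it verifies.
    authenticated = hmac.compare_digest(a.auth_token(), b.auth_token())
    child_keys_match = authenticated and a.phase_two() == b.phase_two()
    return {"ike_keys_match": ike_keys_match, "authenticated": authenticated,
            "child_keys_match": child_keys_match}

if __name__ == "__main__":
    print(classify("10.0.0.5", "192.168.1.9", 17))
    print(negotiate(b"shared-secret", b"shared-secret"))
    print(negotiate(b"shared-secret", b"wrong-secret"))
```

Running the two negotiations side by side makes the point of the authentication step concrete: with a mismatched PSK the Diffie-Hellman keys still agree, because the exchange itself is unauthenticated, and it is only the failed proof that stops the peers from going on to derive data-transfer keys.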
How is IPsec used in VPN?
A virtual private network (VPN) links two or more devices, enabling them to access a shared system. It’s essentially a secure tunnel that can operate over a public network.
For businesses, a VPN can create a private connection between scattered employee devices and the company’s systems, making it ideal for a remote working set-up. This type of solution is also useful for IoT initiatives, allowing deployed smart devices to communicate with the infrastructure that manages or collects data from them.
In IoT systems, an IPsec VPN is often used to secure connections between enterprise networks and MNO/MVNO networks, or to secure communications directly with devices.
With a VPN, transmitted data is encrypted before it reaches the sender’s internet service provider (ISP). One of the most common uses of IPsec is in encrypting and authenticating all traffic travelling through the tunnel.
Discover more
With Wireless Logic’s VPN solution, businesses get cost-effective and reliable security for M2M and IoT SIM-enabled devices, without the need for overhauling existing IT architecture.