The pros and cons of IPsec
What are the advantages and disadvantages of IPSec? How does it work?


IPSec is a suite of protocols that allows packets to be exchanged securely at the IP layer. It is principally designed to assist in implementing VPNs (Virtual Private Networks) between hosts or networks.

IPSec consists of two sub-protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH). ESP provides packet-level encryption using symmetric cryptographic algorithms such as 3DES. AH protects the IP packet header: it computes a cryptographic checksum (a keyed hash) over the header fields, which prevents spoofing. You can use ESP and AH on their own or together. IPSec also has two modes -- transport mode and tunnel mode. Transport mode is used to encrypt traffic directly between two hosts; it encrypts only the packet payload -- not the IP header. Tunnel mode, which is used in most VPNs, creates virtual tunnels between two subnets and encrypts both the payload and the original IP header.

The principal advantage of IPSec is that it offers confidentiality and authentication at the packet level between hosts and networks. It provides this through an exchange of public keys, performed either manually or using a protocol called IKE (Internet Key Exchange). This means that, provided you are sure of the security of your keys, traffic secured with IPSec can be assumed to have come from the correct host and not to have been spoofed. Equally, the content of those packets has been protected from prying eyes and no data has been substituted.

However, IPSec has two major drawbacks. First, it relies on the security of your public keys: if you have poor key management or the integrity of your keys is compromised, then you lose the security it provides. The second disadvantage is performance. IPSec adds overhead to your network and application traffic, hence the use of hardware appliances such as VPN concentrators.
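To make the transport/tunnel distinction and the per-packet overhead concrete, here is an added Python model of ESP framing (example code, not from the article or any IPsec implementation): it shows what stays in the clear in each mode, how the integrity check value (ICV) rejects a tampered packet, and how many bytes ESP adds per packet. The 20-byte IPv4 headers, keys, SPI and IV are constructed values, and the HMAC-based keystream is a stand-in for the real cipher (such as 3DES or AES) so the model runs with the standard library alone.

```python
import hashlib
import hmac
import struct

# Constructed model of ESP framing (not a real IPsec implementation): the
# keystream is an HMAC-based stand-in for the real cipher so it runs with the stdlib only.
IP_HDR, ESP_HDR, IV_LEN, ICV_LEN, BLOCK = 20, 8, 16, 16, 16  # bytes

def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hmac.new(enc_key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(ip_hdr, payload, mode, spi, seq, enc_key, auth_key, iv):
    """Return (header_sent_in_clear, esp_packet) for 'transport' or 'tunnel'."""
    if mode == "tunnel":        # whole original packet, header included, is hidden
        inner, clear_hdr, next_hdr = ip_hdr + payload, bytes(IP_HDR), 4  # IP-in-IP
    elif mode == "transport":   # original IP header stays visible on the wire
        inner, clear_hdr, next_hdr = payload, ip_hdr, 6                  # TCP
    else:
        raise ValueError(mode)
    pad_len = (-(len(inner) + 2)) % BLOCK             # pad so trailer ends on a block
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, iv, len(plain))))
    hdr = struct.pack(">II", spi, seq)                # SPI + anti-replay sequence number
    icv = hmac.new(auth_key, hdr + iv + cipher, hashlib.sha256).digest()[:ICV_LEN]
    return clear_hdr, hdr + iv + cipher + icv

def esp_open(esp_pkt, enc_key, auth_key):
    """Check the ICV first; only then decrypt and strip the trailer. None = drop."""
    body, icv = esp_pkt[:-ICV_LEN], esp_pkt[-ICV_LEN:]
    expect = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return None
    iv, cipher = body[ESP_HDR:ESP_HDR + IV_LEN], body[ESP_HDR + IV_LEN:]
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, iv, len(cipher))))
    return plain[:len(plain) - plain[-2] - 2]

def esp_overhead(payload_len: int, mode: str) -> int:
    """Bytes added to an IPv4 packet of that payload size; tunnel adds an outer header."""
    extra_hdr = IP_HDR if mode == "tunnel" else 0
    pad_len = (-(payload_len + extra_hdr + 2)) % BLOCK
    return extra_hdr + ESP_HDR + IV_LEN + pad_len + 2 + ICV_LEN
```

For a 14-byte payload the model adds 42 bytes in transport mode and 74 in tunnel mode, which is the overhead the answer refers to and why small packets near the MTU fragment once an IPSec tunnel is in the path.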

You can find an excellent explanation, including theory, of IPSec functionality and a "how-to" for Linux-based IPSec here.

This was first published in October 2005