Q

The pros and cons of IPsec

What are the advantages and disadvantages of IPSec? How does it work?

IPSec is a series of protocols that allow the secure exchange of packets at the IP layer. This is principally designed to assist in the implementation of VPNs (Virtual Private Networks) between hosts or networks.

IPSec consists of two sub-protocols: Encapsulated Security Payload (ESP) and Authentication Header (AH). ESP provides packet-level encryption using symmetric cryptography algorithms like 3DES. AH provides protection for the IP packet header. It also prevents spoofing by computing a cryptographic checksum and performing hashing on the header fields. You can use ESP and AH on their own or together. IPSec also has two modes -- transport mode and tunnel mode. Transport mode is used to directly encrypt traffic between two hosts. Transport mode only encrypts the packet itself -- not the IP header. Tunnel mode, which is used in most VPNs, creates virtual tunnels between two subnets. This mode encrypts the payload and the IP header.

The principal advantage of IPSec is that it offers confidentiality and authentication at the packet level between hosts and networks. It provides this functionality using an exchange, either manually or using a protocol called IKE, of public keys. This means, if you are sure about the security of your keys, that traffic secured with IPSec can be assumed to have come from the correct host and has not been spoofed. Therefore, the content of those packets has been secured from prying eyes and no data has been substituted.

However, IPSec has two major drawbacks. First, it relies on the security of your public keys. If you have poor key management or the integrity of your keys is compromised then you lose the security factor. The second disadvantage is performance. IPSec can add overhead to your network and application traffic, hence the use of hardware appliances such as VPN Concentrators.

You can find an excellent explanation, including theory, of IPSec functionality and a "how-to" for Linux-based IPSec here.

This was first published in October 2005
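The answer above says AH protects the IP header by computing a cryptographic checksum over it. The following added example (not part of the original answer) shows that mechanism in transport mode with HMAC-SHA1-96: the addresses, key, SPI and payload are constructed for the demo, and the receiver check is deliberately run against a TTL-decremented copy (a mutable field AH ignores) and an address-rewritten copy (what NAT does), which is why AH and NAT do not mix.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51   # IP protocol number for an Authentication Header
ICV_LEN = 12    # HMAC-SHA1-96: 20-byte SHA-1 HMAC truncated to 96 bits


def zero_mutable_ipv4_fields(ip_hdr: bytes) -> bytes:
    """20-byte IPv4 header with the fields AH treats as mutable zeroed (RFC 4302).
    Source and destination addresses are NOT mutable, so they stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    """ICV over normalized IP header + AH header (ICV field zeroed) + payload."""
    covered = zero_mutable_ipv4_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # Header checksum left at zero: AH excludes it and this packet never hits the wire.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def build_ah_packet(src, dst, next_header, payload, spi, seq, key):
    """Transport-mode AH packet: IP header | AH (12-byte fixed part + ICV) | payload."""
    ah_len = 12 + ICV_LEN
    payload_len_field = ah_len // 4 - 2     # RFC 4302: AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip_hdr = build_ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload, key) + payload


def verify_ah_packet(pkt: bytes, key: bytes) -> bool:
    """Receiver side: recompute the ICV over the received packet and compare in constant time."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload, key))


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"   # constructed, manually-keyed SA
    pkt = build_ah_packet(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, b"hello", 0x100, 1, key)
    hop = bytearray(pkt); hop[8] -= 1                       # a router decrements TTL
    nat = bytearray(pkt); nat[16:20] = b"\xc0\xa8\x00\x02"  # a NAT rewrites the destination
    print(verify_ah_packet(pkt, key), verify_ah_packet(bytes(hop), key), verify_ah_packet(bytes(nat), key))
```

The three results are True, True, False: routing changes to mutable fields pass, but any change to the covered header fields (or to the payload, or using the wrong key) invalidates the packet.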
