Experiences with Host-to-Host IPsec
Authors
Abstract
This paper recounts some lessons that we learned from the deployment of host-to-host IPsec in a large corporate network. Several security issues arise from mismatches between the different identifier spaces used by applications, by the IPsec security policy database, and by the security infrastructure (X.509 certificates or Kerberos). Mobile hosts encounter additional problems because private IP addresses are not globally unique, and because they rely on an untrusted DNS server at the visited network. We also discuss a feature interaction in an enhanced IPsec firewall mechanism. The potential solutions are to relax the transparency of IPsec protection, to put applications directly in charge of their security and, in the long term, to redesign the security protocols not to use IP addresses as host identifiers.
Similar sources
An IPSec-based Host Architecture for Secure Internet Multicast
We propose a host architecture for secure IP multicast. We identify the basic components of the architecture, describe their functionalities and how they interact with one another. The fundamental design tenets of the proposed architecture are simplicity, modularity, and compatibility with existing protocols and systems. More specifically, we try to re-use existing IPSec mechanisms as far as po...
Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode
This memo explores the requirements for host configuration in IPsec tunnel mode, and describes how the Dynamic Host Configuration Protocol (DHCPv4) may be leveraged for configuration. In many remote access scenarios, a mechanism for making the remote host appear to be present on the local corporate network is quite useful. This may be accomplished by assigning the host a "virtual" address from ...
IPsec
Prior to the explosion of computer networks in the late 1980s, enterprise environments were largely isolated collections of hosts. The protocols used to connect those computers did not require much security. Indeed, few security issues were considered by original designers of the Internet Protocol (IP) suite upon which those and subsequent networks are based. While the openness of these protoco...
Making Network Intrusion Detection Work with IPsec
Network-based intrusion detection systems (NIDSs) are one component of a comprehensive network security solution. The use of IPsec, which encrypts network traffic, renders network intrusion detection virtually useless unless traffic is decrypted at network gateways. One alternative to NIDSs, host-based intrusion detection systems (HIDSs), provide some of the functionality of NIDSs but with limi...
Zero-configuration Identity-based IP Network
For corporations or individuals who wish to protect the confidentiality of their data across computer networks, network-layer encryption offers an efficient and proven method for preserving data privacy. Network layer encryption such as IPSec is more flexible than higher layer solutions since it is not application-dependent and can protect all end-to-end traffics that go between two hosts. Usin...