Thursday, June 16, 2011

Primer: IPsec

Let's talk about a standard home or small office network. The typical components of such a network are:
  • Some Ethernet cables
  • Computers attached to Ethernet cables
  • Routers, switches, and hubs attached to Ethernet cables
  • A wireless router (also hooked up to Ethernet cables...)
  • Computers "attached" to the network via the wireless router
  • A router that's hooked up to the actual Internet connection (ie the modem - DSL, cable, or whatever...), which is also hooked up to the Ethernet cables.
In a typical network today, the router that's hooked up to the Internet does a number of different tasks. Primarily, it's responsible for giving computers on  your network access to the Internet, but it's generally also tasked - rightly or wrongly - with preventing outsiders from gaining access to your network. The general assumption is that as long as someone on the outside can't access your computers, those computers are safe.

Now, is this right? Are your computers protected by merely having a router block access to them? Well, yes and no. The practical upshot is that a large number of security breaches will be prevented, and many people will never experience a security breach as a result. But security professionals will tell you no, for the same reason that the same professionals will tell you that, say, running Ubuntu as your desktop operating system is no protection against hackers - as a security policy, it's flawed. Let's look at why:
  • Your computers are still accessing the Internet. They might unwittingly initiate a transfer of something bad to themselves. For example, you might be browsing the web, and click on a link that, unknown to you, links to a page that exploits a security flaw in your web browser.
  • Inevitably, for all but the simplest networks, you will have to open up some connections to allow outsiders in. Typically, you'd enable something like "Let users of this game access this computer that plays this game", or "Let people who want to call me using an Internet phone access this computer". The procedure is called "port forwarding", and each port you open inevitably creates a hole that might be exploitable if there's a flaw in any of the software on your side that services those systems.
  • Very few people have all of their computers connected permanently to one network. Anyone with a laptop might, for example, take that laptop to a hotel or coffee shop and use the Internet connection there. Likewise, you might let a friend or colleague use your network with their laptop to access the Internet. If such such systems are compromised when they're out of the network, then they're compromised.
  • Once you have a compromised device on your network, regardless of which of the above scenarios best described the cause, the router no longer provides any real protection against it. If that compromised device wants to compromise the other computers on your network, then you can't rely on your router.
The situation gets considerably worse once you factor in IPv6. In IPv6, every device on the Internet is supposed to be able to "see" every other device on the Internet. That doesn't mean that every device can access all of the services of another device, but it does mean that if, say, two computers want to engage in, say, a voice over IP session, those computers should be able to do so if the administrators of both machines are happy with that. In such circumstances, having a router manage security is completely inappropriate. A router doesn't know why two computers are communicating, and the likely result of it managing security is that it will allow communications it shouldn't, while blocking communications it should.

So, what's the right way to manage a network?

Making computers responsible for their own security

When IPv6 was being developed, the questions on security came up, and as a result, a certain amount of work was put in to making sure that the protocol would bring security with it. Two devices ought to be able to guarantee the following:
  • Devices should be able to decide who to have a conversation with
  • The device they're having a conversation with is the device they think they're having a conversation with.
  • That compromised devices that can "see" the traffic between the two cannot spy on the conversation.
The solution would require a mix of different technologies.  Some of these would exist outside of the realm of standardization - for example, so-called "software firewalls", where an operating system decides which applications are allowed to access the network and which aren't, and when they do what systems they can communicate with - were clearly operating system specific, and beyond the scope of the protocol.

Others however were created to ensure the security above was implementable. The major technology that was mandated was IPsec.

What IPsec is, and what it isn't.

IPsec is a low level protocol that encrypts the connection between any two devices on the Internet. Those devices can be in the same room, or on different sides of the planet, and they can be running any application, not just applications that were specially written to support encryption.

And that's pretty much it. IPsec is extremely lightweight. It assumes that two computers have identified one another, that they have found a way to securely exchange encryption keys with one another, and so on. But if two computers have actually been set up to use IPsec to communicate with one another, then they already can ensure that connections between the two are secure. Nothing can eavesdrop on the conversations between them, and nothing can send messages to one pretending to be the other.

To support IPsec, a number of other protocols have been created. The IKE system is used to exchange keys, and the master keys for each device can be stored in DNS in a secure, standard, way, secured using a system called DNSSEC. Unfortunately, at the time of writing, these technologies are only half implemented - most operating systems ignore the information in DNS by default, and most domain registrars do not actually allow domain owners to set up DNSSEC, but I expect both problems to be resolved in time.

By itself, IPsec isn't very useful, but combined with IKE and DNS, IPsec can be used by operating systems to ensure a large number of security measures are taken:
  • Connections between computers can be secured so no eavesdropping is possible. IPsec encrypts the connection.
  • Individual applications can be firewalled, using a software firewall, to only communicate with specific devices on the Internet. IPsec ensures that the devices on the Internet are identifiable and virtually impossible to impersonate
  • "Opportunistic encryption" becomes easier, making it harder for data thieves to intercept communications even between devices that are unrelated to one another.

IPsec with IPv4

While IPsec was originally intended as an IPv6 technology, it ended up being used on IPv4 networks, frequently for a slightly different purpose. The lack of devices with real Internet addresses, and the immature state of DNSSEC, meant that IPsec's intended role in the existant Internet was not terribly viable. However, the concept of IPsec "tunnels", used to implement VPNs, has become relatively popular.

Of course, there's little to stop you from running IPsec on your own network even if you assume that your computers will not be able to use it for communications over the Internet, and in many ways it's preferable to do so. As noted above, IPsec, combined with its support technologies, makes it much easier to secure each individual PC. If you would allow friends and colleagues to use your network, then it makes sense to implement a system that secures your computers against their's. The downside is increased complexity - nobody's making this particularly easy right now!

Support for IPsec

IPsec is supported by virtually all major operating systems (as is IPv6), and if you plan to use IPv6, I strongly advise you to investigate IPsec ensure it forms part of your strategy for rolling out IPv6 within your network. A roll-out of IPv6 implies opening your infrastructure to the outside world, and that makes security much more important.

IPsec does not, by itself, secure a network, but it is a mandatory component of a secure network. A properly set-up network that uses IPsec as part of its security will always be more secure than a network secured using a router - and it'll be one that works.

No comments: