Roadwarrior configuration, Ip sec protocols, Security associations – Dell POWEREDGE M1000E User Manual

Fabric OS Administrator’s Guide

233

53-1002745-02

Management interface security

7

FIGURE 16

Endpoint-to-gateway tunnel configuration

RoadWarrior configuration

In endpoint-to-endpoint security, packets are encrypted and decrypted by the host which produces
or consumes the traffic. In the gateway-to-gateway example, a router on the network encrypts and
decrypts the packets on behalf of the hosts on a protected network. A combination of the two is
referred to as a RoadWarrior configuration where a host on the Internet requires access to a
network through a security gateway that is protecting the network.

IP sec protocols

IP sec ensures confidentiality, integrity, and authentication using the following protocols:

•

Authentication Header (AH)

•

Encapsulating Security Payload (ESP)

IP sec protocols protect IP datagram integrity using hash message authentication codes (HMAC).
Using hash algorithms with the contents of the IP datagram and a secret key, the IP sec protocols
generate this HMAC and add it to the protocol header. The receiver must have access to the secret
key in order to decode the hash.

IP sec protocols use a sliding window to assist in flow control, The IP sec protocols also use this
sliding window to provide protection against replay attacks in which an attacker attempts a denial
of service attack by replaying an old sequence of packets. IP sec protocols assign a sequence
number to each packet. The recipient accepts each packet only if its sequence number is within
the window. It discards older packets.

Security associations

A security association (SA) is the collection of security parameters and authenticated keys that are
negotiated between IP sec peers to protect the IP datagram. A security association database
(SADB) is used to store these SAs. Information in these SAs—IP addresses, secret keys, algorithms,
and so on—is used by peers to encapsulate and decapsulate the IP sec packets

An IP sec security association is a construct that specifies security properties that are recognized
by communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination
IP address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in
IP sec protocol headers (AH or ESP) and an IP sec SA is unidirectional. Because most
communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both
directions. An SA specifies the IP sec protocol (AH or ESP), the algorithms used for encryption and
authentication, and the expiration definitions used in security associations of the traffic. IKE uses