Page 463 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
IPsec uses public key cryptography to provide encryption, access control, nonrepudiation, and message authentication, all using IP-based protocols. The primary use of IPsec is for virtual private networks (VPNs), so IPsec can operate in either transport or tunnel mode. IPsec is commonly paired with the Layer 2 Tunneling Protocol (L2TP) as L2TP/IPsec.

The IP Security (IPsec) protocol provides a complete infrastructure for secured network communications. IPsec has gained widespread acceptance and is now offered in a number of commercial operating systems out of the box. IPsec relies on security associations, and there are two main components:

The Authentication Header (AH) provides assurances of message integrity and nonrepudiation. AH also provides authentication and access control and prevents replay attacks.

The Encapsulating Security Payload (ESP) provides confidentiality and integrity of packet contents. It provides encryption and limited authentication and prevents replay attacks.

ESP also provides some limited authentication, but not to the degree of the AH. Though ESP is sometimes used without AH, it's rare to see AH used without ESP.
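The replay protection that both AH and ESP provide is a sliding window over the per-security-association sequence number (RFC 4302 and RFC 4303). The Python model below is an added example, not code from the study guide: it assumes a 64-packet window and 32-bit sequence numbers without extended sequence numbers, and represents the integrity check value (ICV) result as a boolean, so the window is only advanced after the ICV verifies and a forged packet cannot push legitimate ones out of the window.

```python
# Added example: sliding-window anti-replay check as used by AH and ESP
# (RFC 4302 / RFC 4303). Assumptions: 64-packet window, 32-bit sequence
# numbers (no ESN), and ICV verification modelled as a boolean argument.

class AntiReplayWindow:
    """Tracks which sequence numbers on one security association were accepted."""

    def __init__(self, size=64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0       # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set => sequence number (top - i) was accepted

    def check(self, seq):
        """Stage 1, run BEFORE integrity verification: is seq acceptable at all?"""
        if seq == 0:
            return False           # the first packet on an SA uses sequence number 1
        if seq > self.top:
            return True            # newer than anything seen: always acceptable
        diff = self.top - seq
        if diff >= self.size:
            return False           # older than the window: drop as "too old"
        return not (self.bitmap >> diff) & 1   # already accepted => replay

    def update(self, seq):
        """Stage 2, run only AFTER the ICV verified: record seq in the window."""
        if seq > self.top:
            shift = seq - self.top
            # slide the window forward; a jump beyond the window size clears it
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok):
        """Receive-side decision for one packet; True means accept."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False           # forged or corrupted packet: drop, window untouched
        self.update(seq)
        return True


if __name__ == "__main__":
    # Constructed arrival order: (sequence number, did the ICV verify?)
    w = AntiReplayWindow()
    arrivals = [(1, True), (1, True), (5, True), (3, True), (3, True), (300, False), (300, True)]
    for seq, ok in arrivals:
        print(f"seq={seq:<4} icv_ok={ok!s:<5} -> {'accept' if w.receive(seq, ok) else 'drop'}")
```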
IPsec provides for two discrete modes of operation. When IPsec is used in transport mode, only the packet payload is encrypted. This mode is designed for peer-to-peer communication. When it's used in tunnel mode, the entire packet, including the header, is encrypted. This mode is designed for gateway-to-gateway communication.

IPsec is an extremely important concept in modern computer security. Be certain that you're familiar with the component protocols and modes of IPsec operation.

