Page 464 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 464
At runtime, you set up an IPsec session by creating a security
association (SA). The SA represents the communication session and
records any configuration and status information about the
connection. The SA represents a simplex connection. If you want a
two-way channel, you need two SAs, one for each direction. Also, if
you want to support a bidirectional channel using both AH and ESP,
you will need to set up four SAs.
Some of IPsec’s greatest strengths come from being able to filter or
manage communications on a per-SA basis so that clients or gateways
between which security associations exist can be rigorously managed
in terms of what kinds of protocols or services can use an IPsec
connection. Also, without a valid security association defined, pairs of
users or gateways cannot establish IPsec links.
Further details of the IPsec algorithm are provided in Chapter 11,
“Secure Network Architecture and Securing Network Components.”
ISAKMP
The Internet Security Association and Key Management Protocol
(ISAKMP) provides background security support services for IPsec by
negotiating, establishing, modifying, and deleting security
associations. As you learned in the previous section, IPsec relies on a
system of security associations (SAs). These SAs are managed through
the use of ISAKMP. There are four basic requirements for ISAKMP, as
set forth in Internet RFC 2408:
Authenticate communicating peers
Create and manage security associations
Provide key generation mechanisms
Protect against threats (for example, replay and denial-of-service
attacks)
Wireless Networking
The widespread rapid adoption of wireless networks poses a
tremendous security risk. Many traditional networks do not
implement encryption for routine communications between hosts on
