Did you know that there’s an Internet Engineering Task Force (IETF)? It sounds like a military unit you wouldn’t want to encounter, but it’s really the premier internet standards body: it publishes the specifications that define how data is transmitted across the internet. Join us in exploring IPsec, one of the security protocol suites this task force standardises. How does it help secure network communications, and how does it actually work? If you’re privacy conscious, we recommend using Avira Phantom VPN whenever you go online to help protect and conceal your digital identity and communications.
What is IPsec and why is it so important?
IPsec, or Internet Protocol Security, is a widely used security standard that authenticates and encrypts IP packets to help keep data safe as it moves across networks and between devices. It’s vital for securing internet communications, helping to ensure that data stays authentic and confidential while it’s in transit over public networks. Yet what exactly is the Internet ‘Protocol’? It’s the set of rules that define how packets of data are addressed and how routers identify and forward (or ‘route’) them along the network path. Now you also know why they’re called routers. Picture an enormous post office that’s highly efficient at transferring parcels of data along the web super-highway to billions of global recipients. Ideally, the parcels will arrive unopened and undamaged at their intended addresses; IP on its own makes no such promise, which is where IPsec comes in.
The Internet Engineering Task Force developed IPsec in the 1990s to help ensure data confidentiality, integrity, and authenticity as it travels across public networks (and proving that new-age superheroes don’t wear capes). In other words, it aims to keep our digital world private and secure. In the IETF’s own words, it’s important to note that: “… (the IETF) makes voluntary standards that are often adopted by Internet users, network operators, and equipment vendors, and it thus helps shape the trajectory of the development of the Internet. But in no way does the IETF control, or even patrol, the Internet.” (About the IETF, status October 2024).
Imagine the internet without IPsec… Data crossing a network could be read or altered by anyone on the path, and we would have no guarantee that what was sent is the same as what was received. The protocol is essential for data protection and integrity because there’s a glaring Achilles heel in plain IP networking: Packets aren’t encrypted or authenticated by default, which means that messages aren’t concealed, so anyone who can see the traffic can read it and even change it. Imagine billions of letters without envelopes! (Higher-layer protocols such as TLS solve the same problem for a single application; IPsec does it for every packet, whatever application sent it.) We can see IPsec in action, for example, when users access company files remotely by connecting to the internet via an IPsec virtual private network.
What is an IPsec VPN (and… wait a minute… what’s a VPN)?
A VPN, or virtual private network, is an internet security service that encrypts data and masks IP addresses to help protect users’ privacy and security. It works in two ways: Firstly, it encrypts data before it leaves a device. Then it sends that data through a secure tunnel to a VPN server, where the data is decrypted and passed along to the website you’re visiting. A VPN also hides your IP (internet protocol) address, which is a number that identifies your device on the internet—much like the post office uses your home address to send you parcels. If you’re curious, here’s how to find your IP address. Your IP address is usually assigned by your internet service provider or ISP, but a VPN replaces your IP with its own address, so the sites you visit see the VPN server’s address and location rather than your own. That’s why Avira Phantom VPN is so aptly named: it helps make you far harder to see online, and you’ll leave fewer digital traces.
The IP addresses that are visible to everyone online are called public IPs. There are also private IP addresses, which are only used within private networks and are never routed across the public internet. (You can explore the differences between public and private IPs here.) A device with a private IP sits behind a router that performs network address translation (NAT), so it can’t be reached directly from outside, which shields it from a good deal of external scanning and tracking; it isn’t a security boundary on its own, though, since anything the device fetches from the internet still reaches it. It’s no wonder that private IPs are used by many organisations—but VPNs are a crucial corporate tool too.
When employees are working remotely instead of at the office, they commonly use VPNs to access company files and applications more privately and securely. Many VPNs use the IPsec protocol suite to establish and run encrypted connections, but some use another security protocol called SSL/TLS. This stands for Secure Sockets Layer and Transport Layer Security: TLS is the cryptographic protocol that lets a web browser verify a website’s identity and establish an encrypted connection with it, and SSL is its now-retired predecessor whose name has stuck. If you visit a website whose certificate is missing, expired or issued for a different name, your browser will display the message “Your connection is not private”.
With such sophisticated privacy options, is there still a place for the humble firewall? Yes, so don’t dismiss it. Firewalls monitor and control incoming and outgoing network traffic to prevent unauthorised access—think of them as nightclub bouncers. They’re a trusted barrier that regulates the passage of data, and without them, anything (including malware) could access a system. VPNs, on the other hand, encrypt data and help ensure privacy. As a team, VPNs and firewalls can provide a multi-layered approach to network security as long as they agree to work together! Some firewalls are set to prevent you from using a VPN, proving once again that life is rarely simple and harmonious.
What is IPsec encryption?
IPsec works by using an encryption key to scramble data so that it appears random and unreadable. It also verifies where the data packets come from. IT pros ceremoniously call this verification process “authenticating the source”. IPsec implementations support a range of ciphers, including AES (today’s default, usually in the AES-GCM or AES-CBC modes), ChaCha20-Poly1305, and older ones such as Blowfish, Triple DES and DES-CBC that are now deprecated and should not be enabled. To make matters more complex, IPsec uses a combination of asymmetric and symmetric cryptography. Asymmetric cryptography, which involves a public key and a private key, is used during connection setup to agree on a shared secret (Diffie-Hellman) and to prove each peer’s identity (for example with RSA or ECDSA signatures or a pre-shared key). Symmetric encryption, which uses the same key for both encrypting and decrypting, is what actually protects the data packets, because it is far faster.
Encryption is just part of what IPsec achieves—there are, in fact, multiple stages to sending data securely.
How does IPsec work?
IPsec connections follow these steps. Let’s look at each in turn:
Step 1: Key exchange
A cipher uses a cryptographic key to “lock” (encrypt) data into an unreadable form, and only someone with the matching key can “unlock” (decrypt) it. IPsec sets up a key exchange between the connected devices, using the Internet Key Exchange protocol (IKE) and Diffie-Hellman, so that both ends derive the same secret keys without those keys ever being sent across the network.
Step 2: Packet headers and trailers
When data is sent over a network, it’s broken down into smaller chunks called “packets” that contain various parts: The payload (the data being sent) and headers (information about the packet so that the receiving devices know what to do with it). IPsec adds its own header, either an Authentication Header or an Encapsulating Security Payload header, carrying the identifier of the security association (the SPI) and a sequence number. ESP also appends a trailer after the payload (padding, the pad length and a “next header” field that says which protocol the payload carries), followed by an integrity check value.
Step 3: Authentication
IPsec authenticates each packet with an integrity check value, a keyed hash (or AEAD tag) computed over the packet with the shared key, plus a per-association sequence number. The receiver recomputes the check and rejects any packet that fails it or that it has already seen, which helps ensure that packets are from the trusted peer and not from a cybercriminal injecting or replaying traffic.
Step 4: Encryption
IPsec (specifically ESP) encrypts the contents of the data packets, and in tunnel mode the original IP header as well, helping to keep data secure and private. In transport mode the IP header stays in the clear.
Step 5: Transmission
Encrypted IPsec packets are then sent across one or more networks. AH and ESP aren’t carried inside TCP or UDP at all: They are their own IP protocols (numbers 51 and 50), sitting directly on top of IP, while the IKE negotiation runs over UDP port 500. Because NAT devices and many firewalls only understand TCP and UDP, IPsec can also wrap ESP packets in UDP on port 4500 (NAT traversal), which allows them to move more easily through firewalls and home routers. Regular internet traffic, by contrast, mostly uses TCP, which sets up dedicated connections between devices.
Step 6: Decryption
Once they arrive, the receiving device looks up the security association by its SPI, checks the sequence number and the integrity value, and only then unscrambles the data with the shared key; a packet that fails any of these checks is silently dropped. Now applications like browsers can use the data.
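The six steps above run end to end, as an added example that is not code from the original article or from Avira: two peers agree on keys with an X25519 Diffie-Hellman exchange and an IKEv2-style HMAC-SHA256 prf, then one of them wraps a payload in an ESP packet protected with AES-128-GCM and the other checks the SPI, the sequence number and the integrity value before decrypting. The nonces and the payload are constructed stand-ins, the key derivation collapses IKEv2’s prf+ expansion into a single HMAC, peer authentication is left out, and the anti-replay check is the simple strictly-increasing form rather than RFC 4303’s sliding window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// childSA is one direction of an ESP Security Association: SPI, AES-GCM key and salt, sequence number.
type childSA struct {
	spi, seq uint32
	aead     cipher.AEAD
	salt     []byte
}

var nonces = []byte("constructed-nonce-I|constructed-nonce-R") // stands in for IKE's random Ni|Nr

// newChildSA is one peer's share of step 1: combine its own X25519 private key with the peer's
// public key, derive SKEYSEED = prf(Ni|Nr, g^ir) as IKEv2 does, and split it into an AES-128-GCM
// key plus the 4-byte salt of RFC 4106 (IKEv2's further prf+ expansion is collapsed here).
func newChildSA(spi uint32, own *ecdh.PrivateKey, peer *ecdh.PublicKey) (*childSA, error) {
	secret, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	prf := hmac.New(sha256.New, nonces)
	prf.Write(secret)
	keymat := prf.Sum(nil)
	block, _ := aes.NewCipher(keymat[:16]) // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)        // AES block size: cannot fail
	return &childSA{spi: spi, aead: aead, salt: keymat[16:20]}, nil
}

// establish plays both peers: each makes a key pair, they swap public keys, and each builds its end
// of the initiator->responder SA from its own secret. Peer authentication and the reverse SA are omitted.
func establish(spi uint32) (tx, rx *childSA, err error) {
	privI, errI := ecdh.X25519().GenerateKey(rand.Reader)
	privR, errR := ecdh.X25519().GenerateKey(rand.Reader)
	if errI != nil || errR != nil {
		return nil, nil, errors.New("ecdh: key generation failed")
	}
	if tx, err = newChildSA(spi, privI, privR.PublicKey()); err == nil {
		rx, err = newChildSA(spi, privR, privI.PublicKey())
	}
	return tx, rx, err
}

// encap builds an ESP packet (RFC 4303): SPI | Seq | IV | ciphertext(payload | padding | pad length |
// next header) | ICV. SPI and Seq are authenticated but sent in clear, so the receiver can select
// the right SA before it decrypts anything.
func (sa *childSA) encap(nextHeader byte, payload []byte) []byte {
	sa.seq++
	hdr := binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, sa.spi), sa.seq)
	iv := binary.BigEndian.AppendUint64(nil, uint64(sa.seq)) // RFC 4106 IV: unique per key, so a counter will do
	padLen := (4 - (len(payload)+2)%4) % 4                   // trailer must end on a 4-byte boundary
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding pattern 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHeader)
	nonce := append(append([]byte{}, sa.salt...), iv...) // GCM nonce = salt | IV
	return append(append(hdr, iv...), sa.aead.Seal(nil, nonce, plain, hdr)...)
}

// decap verifies and decrypts a packet on this inbound SA. The replay check is the strict "newer than
// the last accepted" form; RFC 4303 uses a sliding window so that reordered packets are still accepted.
func (sa *childSA) decap(pkt []byte) (nextHeader byte, payload []byte, err error) {
	if len(pkt) < 16+sa.aead.Overhead()+2 || binary.BigEndian.Uint32(pkt[0:4]) != sa.spi {
		return 0, nil, errors.New("esp: malformed packet or unknown SPI")
	}
	seq := binary.BigEndian.Uint32(pkt[4:8])
	if seq <= sa.seq {
		return 0, nil, errors.New("esp: replayed sequence number")
	}
	nonce := append(append([]byte{}, sa.salt...), pkt[8:16]...)
	plain, err := sa.aead.Open(nil, nonce, pkt[16:], pkt[:8])
	if n := len(plain); err != nil || n-2 < int(plain[n-2]) {
		return 0, nil, errors.New("esp: integrity check failed or bad trailer, packet dropped")
	}
	sa.seq = seq // advance only once the ICV has verified
	n := len(plain)
	return plain[n-1], plain[:n-2-int(plain[n-2])], nil
}

func main() {
	tx, rx, err := establish(0x1000abcd)
	if err != nil {
		panic(err)
	}
	pkt := tx.encap(17, []byte("constructed UDP datagram")) // next header 17 = UDP
	fmt.Println(rx.decap(pkt)) // 17, the payload, <nil>
	fmt.Println(rx.decap(pkt)) // the same packet delivered again: rejected as a replay
}
```

Run it and the second decap of the same packet comes back with the replay error; flip any byte of the ciphertext and the integrity error fires instead. Note that the SPI and sequence number are readable on the wire by design: the receiver needs them to find the right SA before it can verify anything, and they are covered by the integrity check so they can’t be altered unnoticed.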
What protocols does IPsec use?
IPsec uses several protocols and data structures to establish secure network communications. Let’s explore the main ones and what they contribute.
Authentication Header (AH)
When you open a container of pills, it’s often closed with a tamper-proof seal. Similarly, the AH helps ensure that data packets are from a trusted source and haven’t been tampered with. It adds an integrity check value computed over the payload and over the parts of the IP header that don’t change in transit (the source and destination addresses included), but it doesn’t encrypt anything, so the data stays readable. Because it covers the source address, AH breaks as soon as a NAT device rewrites it, which is one reason it is rarely used today.
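What the “tamper-proof seal” looks like on the wire, as an added example that is not part of the original article: the AH integrity check value is an HMAC-SHA-256-128 (RFC 4868) over the payload and the immutable parts of the IPv4 header, with the fields a router may legitimately change (ToS, flags and fragment offset, TTL, header checksum) zeroed before the MAC is computed. The key, addresses and payload are constructed; a real implementation takes the key from IKE, fills in the IP checksum and also enforces the sequence number.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	ipHdrLen = 20 // option-less IPv4 header
	ahFixed  = 12 // next header, payload length, reserved, SPI, sequence number
	icvLen   = 16 // HMAC-SHA-256-128 (RFC 4868): 256-bit HMAC truncated to 128 bits
	protoAH  = 51
)

// zero blanks a slice in place.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// ahICV computes the integrity check value over a copy of the packet in which every field a
// router may rewrite is zeroed (RFC 4302 section 3.3.3.1): ToS, flags + fragment offset, TTL,
// header checksum, and the ICV field itself. Everything else, the addresses included, is covered.
func ahICV(key, pkt []byte) []byte {
	c := append([]byte{}, pkt...)
	c[1] = 0       // ToS (DSCP + ECN)
	zero(c[6:8])   // flags and fragment offset
	c[8] = 0       // TTL
	zero(c[10:12]) // header checksum
	zero(c[ipHdrLen+ahFixed : ipHdrLen+ahFixed+icvLen])
	m := hmac.New(sha256.New, key)
	m.Write(c)
	return m.Sum(nil)[:icvLen]
}

// ahProtect builds IPv4 | AH | payload from src to dst for a payload of protocol next.
// The IPv4 checksum is left at zero: it is a mutable field, so AH does not cover it anyway.
func ahProtect(key []byte, spi, seq uint32, src, dst [4]byte, next byte, payload []byte) []byte {
	total := ipHdrLen + ahFixed + icvLen + len(payload)
	pkt := make([]byte, ipHdrLen+ahFixed+icvLen, total)
	pkt[0], pkt[8], pkt[9] = 0x45, 64, protoAH // version 4 / IHL 5, TTL 64, protocol AH
	binary.BigEndian.PutUint16(pkt[2:], uint16(total))
	copy(pkt[12:], src[:])
	copy(pkt[16:], dst[:])
	ah := pkt[ipHdrLen:]
	ah[0] = next                         // what follows AH (17 = UDP)
	ah[1] = byte((ahFixed+icvLen)/4 - 2) // AH length in 32-bit words, minus 2
	binary.BigEndian.PutUint32(ah[4:], spi)
	binary.BigEndian.PutUint32(ah[8:], seq)
	pkt = append(pkt, payload...)
	copy(pkt[ipHdrLen+ahFixed:], ahICV(key, pkt))
	return pkt
}

// ahVerify recomputes the ICV of a received packet and compares it in constant time.
func ahVerify(key, pkt []byte) bool {
	if len(pkt) < ipHdrLen+ahFixed+icvLen || pkt[0] != 0x45 || pkt[9] != protoAH {
		return false
	}
	got := pkt[ipHdrLen+ahFixed : ipHdrLen+ahFixed+icvLen]
	return hmac.Equal(got, ahICV(key, pkt))
}

func main() {
	key := []byte("constructed key; IKE would negotiate it") // any length works for HMAC
	src, dst := [4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}
	pkt := ahProtect(key, 0x100, 1, src, dst, 17, []byte("constructed UDP datagram"))
	fmt.Println("as sent:", ahVerify(key, pkt))

	hop := append([]byte{}, pkt...)
	hop[8]-- // a router decrements the TTL: mutable, so the seal still holds
	fmt.Println("after one hop:", ahVerify(key, hop))

	natted := append([]byte{}, pkt...)
	copy(natted[12:16], []byte{203, 0, 113, 7}) // NAT rewrites the source address: seal breaks
	fmt.Println("through NAT:", ahVerify(key, natted))

	tampered := append([]byte{}, pkt...)
	tampered[len(tampered)-1] ^= 1 // one payload bit flipped: seal breaks
	fmt.Println("payload altered:", ahVerify(key, tampered))
}
```

The TTL decrement passes because the sender already zeroed that field before sealing; the NAT rewrite and the flipped payload bit both fail. That asymmetry is exactly the design of AH, and it is also why, as the article notes further down, AH and NAT cannot coexist.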
Encapsulating Security Payload (ESP)
This encrypts the packet payload (transport mode) or the entire original packet (tunnel mode), depending on how IPsec has been configured. With a modern combined mode such as AES-GCM, ESP also provides the same integrity protection as AH, which is why almost all deployments use ESP alone.
Internet Key Exchange (IKE)
This sets up a secure, authenticated channel between two parties over which they agree on algorithms and derive the keys for the VPN tunnel. In this secretive tunnel, data can move more safely from prying eyes. In the original IKEv1, the first phase can operate in two modes: main mode and aggressive mode. Main mode provides a higher level of security by protecting the identities of the communicating parties during the negotiation, though it requires more message exchanges (six messages). In contrast, aggressive mode offers a faster setup with three messages, but it does so at the expense of some security features, such as identity protection; with pre-shared keys it also lets an eavesdropper capture a hash that can be attacked offline, so it should be avoided. IKEv2 (RFC 7296), which modern deployments should use, replaces both with a simpler two-exchange design (IKE_SA_INIT followed by IKE_AUTH) and builds in NAT traversal and reliable retransmission.
Transform sets
A transform set (the term comes from Cisco configuration; IKEv2 calls it a proposal) is a combination of algorithms and protocols, for example ESP with AES-256-GCM, that provides a given level of encryption and authentication. Both ends must offer a matching set, otherwise the negotiation fails. Which traffic gets encrypted and where it is sent is decided separately by the security policy (a crypto map or access list), not by the transform set itself.
Security Associations (SA)
A Security Association is the agreement that results from the negotiation: the algorithms, keys, SPI and lifetime that two devices use to protect traffic in one direction (a two-way connection therefore needs a pair of SAs). SAs are set up by IKE, stored in the security association database, and selected per packet according to the security policy database.
IPsec tunnel mode vs IPsec transport mode: What’s the difference?
There’s a clue in the name of IPsec tunnel mode: It’s typically used between two gateways (such as the routers at two office sites), with each gateway acting as one end of a virtual tunnel, often facilitating site-to-site communication. The original IP header (containing the real source and destination of the packet) is encrypted along with the packet payload. IPsec then adds a new IP header, addressed from one gateway to the other, so that intermediary routers know where to forward the packets. At each end of the tunnel, the gateways decrypt the packets and read the original IP headers to deliver them to their correct destinations. The same mode serves remote-access VPNs, where the client itself is one end of the tunnel.
Now what about transport mode? This is used when a single host needs to communicate directly with another single host over a public network. In transport mode, IPsec doesn’t encrypt the entire packet but only the payload above the IP layer (the TCP or UDP header and the data). This leaves the original IP address information unencrypted and viewable, though still protected against tampering.
Is one better than the other? That depends on the specific requirements of the network and the level of security you’re after. Tunnel mode conceals the real endpoint addresses and can protect traffic for hosts that don’t run IPsec at all, which is why it is the norm for VPNs. However, transport mode carries less overhead and suits host-to-host traffic, or setups such as L2TP/IPsec where another layer already provides the tunnel, and if applications or middleboxes need to see the original IP header to function, then transport mode is king.
Are there any disadvantages to using IPsec?
Few things in life are perfect and IPsec has some drawbacks. If you’re a fan of high speeds, for example, you may be frustrated. IPsec can reduce data throughput and degrade network performance: Each packet grows by the extra header and trailer, which can force fragmentation if the MTU isn’t adjusted, and the encryption and authentication take CPU time (far less than they used to now that processors accelerate AES, but still not free). IPsec can also be complex to configure and troubleshoot and often requires knowledgeable IT staff to tame it.
Plus, ironically for a security protocol, it can introduce security vulnerabilities if it’s configured incorrectly, for example by leaving weak algorithms enabled or by using aggressive mode with a pre-shared key. Those IT staff better be truly knowledgeable…and to make their lives more complex, organisations often need to set up and configure multiple VPNs to allow for different levels of access. An IPsec VPN works at the network layer: Once a user is connected, they have the same reach into the internal network as if they were plugged into the office LAN, so access control has to come from firewalls and network segmentation rather than from the VPN itself.
As we’ve already mentioned, firewalls (usually Network Address Translation or NAT firewalls) aren’t always friendly to IPsec. NAT rewrites IP addresses and ports, but ESP packets have no ports for NAT to work with and AH authenticates the very addresses that NAT changes, so the NAT device or the IPsec endpoint ends up discarding packets. The standard fix is NAT traversal (NAT-T), which IKE negotiates automatically when it detects a NAT in the path and which wraps ESP in UDP on port 4500.
There’s also the problem of broken algorithms: some of the ciphers and hash functions IPsec originally supported have been cracked or weakened over the years. DES has been broken outright, MD5 and SHA-1 are no longer trusted, and Triple DES is on its way out. This poses a huge security risk, especially if network administrators unwittingly leave those algorithms enabled instead of the current recommendations (the IETF keeps the list up to date in RFC 8221, which today means AES-GCM or ChaCha20-Poly1305, with SHA-2 where a separate integrity algorithm is needed).
What does the future hold for IPsec?
VPN protocols are vital for VPN services as they determine how data is routed and set the data encryption standards that are used. IPsec is still widely used and considered generally dependable, and IKEv2/IPsec with AES-GCM in the kernel is fast, but many experts now find it bloated, hard to configure correctly and, in some implementations, slower than newer designs.
There are bright new stars on the VPN horizon, like OpenVPN and the even newer WireGuard, and each protocol presents its own unique advantages and challenges. Some focus on data transmission speeds, making them good for gaming, while others prioritise strong encryption and privacy. WireGuard in particular is simpler (a few thousand lines of code against far more for a full IPsec/IKE stack) and fixes its cryptographic choices instead of negotiating them, which makes it easier to audit and harder to misconfigure. Is the writing on the wall for the trusted, plodding dinosaur that served us so well?
Surf more securely and anonymously with Avira Phantom VPN
All over the world, people use VPNs to embrace anonymity and help protect their data when they surf online. That’s because VPNs help conceal your identity, browsing activities, and location from those trying to track you, like advertisers and cybercriminals, making them an essential privacy and security tool. Put the powers of VPN to work for you for free with Avira Phantom VPN, brought to you by the born-in-Germany security experts, Avira. Choose yours for Windows, Mac, Android, or iOS.