IPSec, where is it utilised?

!30 Member Posts: 356
Hello!

I understand what IPSec is and how it works, but where is it used, besides VPNs, tunneling or secure transmission over LAN?
Optimism is an occupational hazard of programming: feedback is the treatment. (Kent Beck)

Comments

  • EdTheLad Member Posts: 2,111
    !30 wrote:
    Hello!

    I understand what IPSec is and how it works, but where is it used, besides VPNs, tunneling or secure transmission over LAN?

    That's like saying I know what a car is for, but apart from driving, admiring and crashing, what else can I do with it?
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • SRTMCSE Member Posts: 249
    I think he's asking what are some of the more common uses for it. Personally I've used it for VPNs, but I'd love to use it for local LAN traffic, but unfortunately the banking software we use won't work with IPSec...well not that it won't work, I used it on a lab network, but the software company will not support problems on an IPSec-secured network.
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,324
    IPSec can be used on any IPv4 or IPv6 network link which needs message authentication, encryption, or both at layer 3. Of course, the network stacks at each end of the link must support IPSec. With wireless networking, IPSec is used to create layer 3 VPN tunnels. One day I hope the worldwide adoption of IPv6 and IPSec will be used to clamp down on message authentication on the Internet to aid in stamping out spam, phishing, and worms.
  • Danman32 Member Posts: 1,243
    I doubt IPv6/IPSec would stamp those out; those are problems at the application/user level, not network level.

    IPSec should be independent of the application (operates on layer 3 only) so the software company should have no problem supporting the software itself over IPSec. No different than saying the software will be run over a series of routers/networks. Now I would understand that they wouldn't support the IPSec issues themselves, but if you can show you have an end-to-end connection, then there's no reason the software shouldn't be supported. Of course if you had IPSec issues, you wouldn't be able to expect the software company to support fixing the IPSec. However, you shouldn't expect them to solve any router issues you have either.
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,324
    The problem starts with identification of the networks where such problems originate from. This is a layer 3 issue. For a solution to work, however, IPv6/IPSec would need to be mandatory across the entire Internet. The last time a significant protocol was made mandatory on the Internet was TCP/IP back in 1984. We're due for an upgrade.
  • Danman32 Member Posts: 1,243
    Again, worms, phishing, and spam start with the user. The user sends his email address to someone he thought he could trust, and now receives mail, worms, and phishes from people who got his email address from those he thought he could trust, which is a social engineering problem. IPSec and IPv6 aren't going to help with that. Nor will it help if I decide to enter a website that has malicious code or was directed there by Google based on a valid search.
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,324
    Danman32 wrote:
    Again, worms, phishing, and spam start with the user.
    I'm not trying to prevent people from freely using the Internet; I wish to swiftly and accurately identify those who misuse it. For me this starts at Layer 3.
  • Danman32 Member Posts: 1,243
    Ah, to have the ability to be reactive rather than proactive. That makes sense, since they can't easily hide their true identity.

    Of course just as it can be done with the phone network, one could still use application layer proxies and the like to make them harder to trace.
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,324
    Oh, I agree that abuse (and cyberterrorism) can never be fully eliminated, but its effects can be greatly reduced by quickly identifying and isolating the perpetrators.

    All-Internet authentication is also a great deterrent. If you knew that there was a 95% chance you'd be shut down and identified before you could do any significant spamming, phishing, worming, etc., you'd think twice before doing it. The professional Internet abusers (spammers) will stop once the money-making aspects are eliminated. This will leave only the script kiddies to "TP the neighborhood Internet." I'm hoping that the ISPs will handle this small stuff.

    Uh, what was this thread originally about?

    Oh yeah, IPSec is only a tool, and by itself is not a real solution to any problem. But with other such tools, IPSec is an important component for ensuring the confidentiality, integrity, and availability of information transported across a computer network.