The IP Security (IPSec) and Internet Key Exchange (IKE) protocols are quickly becoming standards in VPN communications. All but one of the products in this review—Computer Associates' (CA's) eTrust VPN 2.1—use IPSec for the encapsulation of sensitive IP communication. IPSec is taking its place as a universal standard among firewall and router manufacturers. The reasons for IPSec's growing popularity are its ability to work on many types of network devices and its strong data-protection features.
IPSec is essentially a set of security protocols and algorithms that ensure data security on the network layer. IP encapsulation consists of four components: the IP Header, the Security Header, the Original IP Header, and the encrypted IP Payload. The IP Header (i.e., the first portion of the IP packet, containing identification and destination information) is a standard IP header that replaces the Original IP Header during the encapsulation process. The Security Header is the data-integrity component, which uses a hashing mechanism such as MD5 or Secure Hash Algorithm-1 (SHA-1) to ensure that a packet didn't change en route to the receiving party. The Original IP Header and IP Payload are encrypted by using an encryption algorithm (e.g., Data Encryption Standard—DES, Triple DES—3DES) that the sender and recipient of the data have agreed upon, along with a public-key private-key set. Encryption attempts to ensure that the data, if intercepted, is unreadable to the interceptor—unless he or she has the private key used in the encryption algorithm.
IKE involves the process of choosing the hashing and encryption methods and transferring key sets. Most encryption algorithms use a key to encrypt data. If the sender wants to send an encrypted message to the receiver, the sender would use the receiver's public key to encrypt the data. When the receiver gets the encrypted message, the receiver would use his or her private key to decrypt the message. This process takes place quickly, usually without the user noticing.
The key exchange can get quite complicated. In fact, several mechanisms exist to verify whether the public key that the sender gave the receiver actually belongs to the sender and wasn't obtained elsewhere. One powerful insurance mechanism—the Certificate Authority—can ensure that public keys are legitimate. Certificate Authorities verify the identity of a user or organization and assign digital certificates to the public keys.
Instead of using IKE, some smaller organizations use a preshared key for encryption. Preshared keys are easier to implement but less safe. In my lab environment, I used a preshared-key solution.