Internet Protocol Security
Data must be protected from interception, modification, or access by unauthorized parties. Network attacks can result in system downtime and public exposure of sensitive information.
Network protection strategies generally focus only on preventing attacks from outside the private network, by using firewalls, secure routers (security gateways), and user authentication for dial-up access. This is referred to as perimeter security, and it does not protect against attacks from within the network: an attacker who is already inside the perimeter, or who has compromised one internal host, can read and alter traffic on the internal network unhindered.
User access control security methods (smart cards, Kerberos v5 authentication) are not adequate to protect against most network-level attacks, because they authenticate a user only at logon and do nothing to protect the packets that the user's computer then sends or receives. Many computers are shared by multiple users. As a result, the computer is often left in a logged-on state, making it unsecured. If a user's credentials have been stolen, user access control security cannot stop the attacker's access to network resources.
Physical-level protection strategies, which are not commonly used, protect the actual network wires from being accessed and the network access points from being used. However, this rarely guarantees protection of the entire path the data must travel through the network from source to destination.
The best level of protection is provided by IPSec's end-to-end model: the sending computer secures the data prior to transmission (before it ever reaches the network wires), and the receiving computer removes that protection only after the data has been received. For this reason, IPSec should be one of the components in a layered enterprise security plan. It protects your private data in a public environment by providing a strong, cryptography-based defense against interception and modification in transit. Traffic is secured packet by packet: each IP packet is individually authenticated and, when required, encrypted, rather than the communication (the flow of packets) being secured as a whole, so a packet that has been modified, forged, or replayed is rejected on its own. Note that IPSec protects data only while it is in transit between the two endpoints; a compromised sending or receiving computer still sees the data in the clear, which is why IPSec complements rather than replaces host and access controls. Used in combination with strong user access control, perimeter, and possibly physical-level security, IPSec provides defense in depth for your data.
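The end-to-end, packet-by-packet model described above, as an added example that is not part of the original page or of any IPSec implementation: a simplified, ESP-like security association in Python. Each packet is independently encrypted and authenticated before it leaves the sender, and the receiver checks the sequence number against an anti-replay window and verifies the integrity check value (ICV) before decrypting, so modification and replay are caught per packet and an eavesdropper on the wire sees only ciphertext. The packet layout, the 64-entry window and the 12-byte truncated ICV follow the shape of RFC 4303 but are not wire-compatible; the HMAC-SHA256 counter-mode keystream is a stand-in for the AES modes real ESP uses, chosen so the example runs with the standard library alone; the SPI value, keys and payloads are constructed for the demonstration.

```python
"""Simplified, ESP-like per-packet protection (added example, not the page's own code).

Each packet is protected independently under a security association (SA):
  header  = SPI (4 bytes) || sequence number (4 bytes)
  body    = payload XORed with a per-packet keystream
  trailer = ICV: HMAC-SHA256 over header || body, truncated to 12 bytes

The keystream (HMAC-SHA256 in counter mode) stands in for the AES modes real
ESP uses so that this runs with the standard library only. Layout, window
size and truncation are simplifications of RFC 4303, not a wire format.
"""
import hashlib
import hmac
import os
import struct

ICV_LEN = 12   # truncated ICV, as IPsec integrity algorithms commonly do
WINDOW = 64    # anti-replay window size, the RFC 4303 minimum


def keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Per-packet keystream; (spi, seq) is the nonce and is never reused within an SA."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecurityAssociation:
    """One direction of traffic between two hosts: keys, SPI, sequence state, replay window."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi = spi
        self.enc_key = enc_key
        self.auth_key = auth_key
        self.next_seq = 1        # sender side: next sequence number to emit
        self.highest_seen = 0    # receiver side: right edge of the replay window
        self.seen = set()        # sequence numbers already accepted within the window

    def protect(self, payload: bytes) -> bytes:
        """Sending host: secure the packet before it reaches the wire."""
        seq = self.next_seq
        self.next_seq += 1
        header = struct.pack(">II", self.spi, seq)
        body = xor(payload, keystream(self.enc_key, self.spi, seq, len(payload)))
        icv = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        return header + body + icv

    def unprotect(self, packet: bytes):
        """Receiving host: check, then unprotect. Returns the payload, or None on any failure."""
        if len(packet) < 8 + ICV_LEN:
            return None
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            return None          # not our SA
        # Anti-replay (sliding window) check first; it is cheaper than the ICV check.
        if seq == 0 or seq + WINDOW <= self.highest_seen or seq in self.seen:
            return None          # too old, or already accepted
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None          # modified in transit, forged, or wrong key
        # Only a packet that passed the integrity check may advance the window.
        self.seen.add(seq)
        if seq > self.highest_seen:
            self.highest_seen = seq
            self.seen = {s for s in self.seen if s + WINDOW > seq}
        return xor(body, keystream(self.enc_key, self.spi, seq, len(body)))


def demo():
    """Walk one SA through normal delivery, tampering, replay and a wrong key (constructed data)."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    sender = SecurityAssociation(0x1001, enc_key, auth_key)
    receiver = SecurityAssociation(0x1001, enc_key, auth_key)

    p1 = sender.protect(b"GET /payroll HTTP/1.1")   # constructed sample payloads
    p2 = sender.protect(b"salary=100000")

    results = {}
    results["p1"] = receiver.unprotect(p1)          # delivered once: accepted
    tampered = bytearray(p2)
    tampered[12] ^= 0x01                            # on-path attacker flips one ciphertext bit
    results["tampered"] = receiver.unprotect(bytes(tampered))   # ICV mismatch: rejected
    results["p2"] = receiver.unprotect(p2)          # the genuine packet still arrives fine
    results["replay"] = receiver.unprotect(p1)      # captured and resent: rejected by the window
    stranger = SecurityAssociation(0x1001, os.urandom(32), os.urandom(32))
    results["wrong_key"] = stranger.unprotect(p1)   # same SPI, different keys: rejected
    results["eavesdropper_sees"] = p2[8:-ICV_LEN]   # only ciphertext crosses the wire
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value!r}")
```

Because every packet carries its own sequence number and ICV, the receiver needs no session context beyond the SA to make each accept-or-drop decision, which is what lets IPSec tolerate loss and reordering while still rejecting anything an attacker modifies or replays.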