LOBOMETRICS : ADVANCED SECURITY
To Lobometrics, security is key because the obvious physical characteristics
of wireless communications make them an easy target for hackers and competitors.
Wireless equipment manufacturers too often "forget" to mention this issue.
In point-to-point and point-to-multipoint links, at Lobometrics we have gone
straight to the safest technology, ICSA certified IPSec VPNs, the same
technology used to give high grade security to corporate communications.
IPSec means high security, but it also means dedicating a significant share of
the device's resources to encryption. Most wireless systems on the market target
a wide market and therefore a relatively low cost, so low-performance CPUs are
used. Lobometrics is the only supplier of competitively priced wireless
equipment that installs high-end CPUs as standard in its devices, CPUs that can
easily handle the load of a high-security IPSec VPN. All Lobometrics OSB series
devices with heavy-load CPUs are IPSec VPN servers.
WHAT IS IPSEC
In recent years, point-to-point links over the Internet have emerged as a
viable, cost-effective alternative to more expensive leased lines, and are now
regularly used to interconnect networks over the Internet.
Since the Internet uses the IP protocol, it relies on IP security
protocols. Unfortunately, basic IP transmissions lack security, allowing anyone
with the know-how and inclination to intercept or modify IP communications. One
of the more popular methods used for securing IP communications is the IP
Security Protocol (IPSec). IPSec is an IP layer-based security protocol, which
is in contrast to other security protocols like SSL that operate at the
application layer of the OSI model.
To create secure data transmissions, IPSec uses two separate protocols:
Authentication Headers (AH) and Encapsulating Security Payloads (ESP). AH is
primarily responsible for the authentication and integrity verification of
packets. It provides source authentication and integrity for data communication
but does not provide any form of encryption.
AH is capable of ensuring that network communications cannot be modified during
transmission; however, it cannot protect transmitted data from being read. AH is
often implemented when network communications are restricted to certain
computers. In such instances, AH ensures that mutual authentication must take
place between participating computers, which, in turn, prohibits network
communications from occurring between non-authenticated computers.
ESP is responsible for providing encryption services for the network data;
however, it can also be used for authentication and integrity services. The
difference between AH authentication and ESP authentication is that ESP includes
only the ESP header, trailer, and payload portions of a data packet, whereas AH
protects the entire data packet, including the IP header.
Used together, AH and ESP provide integrity, authentication, and encryption
protection for IP-based communications. To make this happen, IPSec uses a
variety of security protocols. To better understand the level of protection
IPSec can provide, let's take a look at each of these security protocols
individually.
IPSec Integrity Protocols
When we refer to integrity verification, we are talking about hash algorithms
that are used to verify that the information received is exactly the same as the
information sent. A hash algorithm is essentially a cryptographic checksum used
by both the sender and receiver to verify that the message has not been changed.
If the message has changed in transit, the hash values are different and the
packet is rejected.
When configuring IPSec integrity security, there are two options: Message Digest
5 (MD5) and Secure Hash Algorithm 1 (SHA1). Of the two, SHA1 is more secure than
MD5, but it requires more CPU resources. MD5 produces a 128-bit hash value,
while SHA1 produces a 160-bit hash value.
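Added example (not Lobometrics code): the sketch below illustrates both the integrity check described here and the AH versus ESP coverage difference described earlier, using HMAC-SHA1 truncated to 96 bits, the keyed form in which IPSec uses SHA1. The key, addresses, SPI and payload are constructed sample values, and the AH input is simplified (the AH header itself is left out).

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from a real SA

def ipv4_header(src, dst, ttl, proto, body_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 for this demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))

def icv(data):
    """HMAC-SHA1 truncated to 96 bits (HMAC-SHA-1-96, RFC 2404)."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, body):
    """AH-style coverage: IP header (mutable fields zeroed) plus body.
    Simplification: the AH header itself is left out of the input."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS can change in transit
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL is decremented by every router
    h[10:12] = b"\x00\x00"   # header checksum changes with TTL
    return icv(bytes(h) + body)

def esp_icv(esp_hdr, payload_and_trailer):
    """ESP-style coverage: ESP header, payload and trailer only."""
    return icv(esp_hdr + payload_and_trailer)

def detects(body=b"constructed payload + padding"):
    """Return which in-transit modifications each check notices."""
    src, dst, other = [192, 0, 2, 1], [198, 51, 100, 7], [203, 0, 113, 9]
    esp_hdr = struct.pack("!II", 0x1001, 1)   # constructed SPI, sequence no.
    sent = ipv4_header(src, dst, 64, 50, len(body))
    ah_ref, esp_ref = ah_icv(sent, body), esp_icv(esp_hdr, body)
    cases = {
        "ttl_decremented": (ipv4_header(src, dst, 63, 50, len(body)), body),
        "source_rewritten": (ipv4_header(other, dst, 64, 50, len(body)), body),
        "payload_flipped": (sent, b"X" + body[1:]),
    }
    return {name: {"ah": not hmac.compare_digest(ah_icv(h, b), ah_ref),
                   "esp": not hmac.compare_digest(esp_icv(esp_hdr, b), esp_ref)}
            for name, (h, b) in cases.items()}

if __name__ == "__main__":
    for name, result in detects().items():
        print(name, result)
```

A changed payload fails both checks, a rewritten source address fails only the AH check, and a normal TTL decrement fails neither because AH excludes fields that routers legitimately change.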
IPSec Authentication Protocols
Before two systems can exchange secure data, they have to mutually agree on a
security pact. This security agreement is called a security association (SA).
For communication to happen, both systems must agree on the same SA.
The Internet Key Exchange (IKE) manages the SA negotiation process for IPSec
connections. IKE is an Internet Engineering Task Force (IETF)-established
standard method of security association and key exchange resolution. IKE
performs a two-phase operation: the first phase ensures a secure communications
channel, while the second operation negotiates the use of SAs.
To establish IPSec communications, two hosts must authenticate with each other
before SA negotiations can take place. Systems can be authenticated in three
different ways:
- Kerberos: Kerberos v5 is commonly implemented and is the default
authentication technology used with Windows Server 2003. Kerberos provides
the primary security protocol for authentication within a domain; when used,
it verifies both the identity of the user and network services. Advantages
of Kerberos include the fact that it can provide mutual authentication
between the user and the server, as well as its interoperability: Kerberos
can provide authentication between Server 2003 domains and systems in a Unix
environment that is using Kerberos for authentication.
- Public Key Certificates (PKIs): PKIs are used to authenticate clients
that are not members of a trusted domain, non-Windows clients, or computers
that are not running the Kerberos v5 authentication protocol. The
authentication certificates are issued from a system acting as a
certification authority (CA).
- Preshared keys: In preshared key authentication, computer systems must
agree on a shared, secret key to be used for authentication in an IPSec
policy. Preshared keys are to be used only where certificates and Kerberos
cannot be deployed.
IPSec Encryption Protocols
IPSec offers three primary methods of encryption. The one you should choose
depends on the security needs of your organization.
- Data Encryption Standard (40-bit): This encryption method provides the
best performance but at a significant cost: the encryption security is
lower. The 40-bit Data Encryption Standard (DES) is commonly known as Secure
Sockets Layer (SSL). It can be used in environments where data security
needs are a little lower.
- Data Encryption Standard (56-bit): Through your IPSec policies you can
implement 56-bit DES as the encryption method. The DES algorithm was
published in 1977 by the U.S. National Bureau of Standards, and it allows
for the ability to frequently regenerate keys during a communication. This
ability prevents the entire data set from being compromised if one DES key
is broken. However, its use is considered outdated for businesses; it should
be used only for legacy application support. Specialized hardware has been
able to crack the standard 56-bit key.
- Triple DES (3DES): IPSec policies also allow the choice of a strong
encryption algorithm, 3DES, which provides stronger encryption than DES for
higher security. 3DES uses a 56-bit encryption key as well, but, as the name
implies, it uses three of them. As a result, 3DES is considered 168-bit
encryption, and it is used in high-security environments like the U.S.
government. All computers to which the policy is assigned will receive this
policy.
IPSec Transport Modes
IPSec can operate in one of two separate modes: transport mode and tunnel
mode. These modes refer to how data is sent and secured throughout the network.
In transport mode, IPSec protection is provided all the way from the source to
the destination. In this way, transport mode is said to provide end-to-end
transmission security.
Tunnel mode secures data only between tunnel points or gateways. Tunnel mode
provides gateway-to-gateway transmission security. When data is in transmission
between the client and the server, it remains unprotected until it reaches the
gateway. Once at the gateway, it is secured with IPSec until it reaches the
destination gateway. At this point, data packets are decrypted and verified. The
data is then sent to the receiving host unprotected. Tunnel mode is often
employed when data must leave the secure confines of a local LAN or WAN and
travel between hosts over a public network such as the Internet.
In wireless links between networks, securing IP communications is a vital
consideration. IPSec provides a method to secure IP transmissions.
WHY IPSEC
Internet Protocol Security (IPSec) is a framework of open standards for
ensuring private, secure communications over IP networks, through the use of
cryptographic security services. IPSec supports network-level peer
authentication, data origin authentication, data integrity, data confidentiality
(encryption), and replay protection.
By using IPSec encrypted tunnels in point-to-point and point-to-multipoint
links to create Wireless Virtual Private Networks (VPNs), we apply
corporate-grade security to our links while keeping transparency, standards and
a low administration overhead.
Lobometrics OSB series devices are IPSec VPN endpoints: all
encryption/decryption and negotiation is handled by the Lobometrics systems,
and from the Lobo to the Ethernet network everything stays transparent, so no
topology changes or reconfiguration are needed. The links behave as local
Ethernet connections.
OTHER SECURITY FEATURES
Apart from IPSec VPNs, Lobometrics offers other secure tunneling technologies
in their products, including PPTP and L2TP.
In other deployments, different from point-to-point or point-to-multipoint
links and private networks (for example standard Access Point to client
connections) Lobometrics offers a complete set of security features like WEP64,
WEP128, WPA and WPA2 with TKIP and AES CCM.
Lobometrics OSB series also include a RADIUS server for extended
authentication.