What is IPsec?

Twingate addresses the limitations of IPsec VPNs by providing focused, low-latency protection of critical resources

Internet Protocol Security (IPsec) is a collection of open standards that secures data transmitted over IP networks, including the public internet. This protocol suite protects the confidentiality and integrity of business data over authenticated internet connections. Virtual private network (VPN) solutions often use IPsec to let remote users securely access company resources. An essential part of developing a network security strategy is understanding how IPsec works, and the technology’s limitations.

What is IPsec?

The U.S. Department of Defense funded development of the Internet Protocol (IP) in the 1970s and 1980s for ARPANET, the predecessor to the internet. IP itself has no built-in security: headers and payloads travel in the clear and nothing authenticates the sender, a gap that became pressing as the internet spread beyond academia. Through the 1990s and early 2000s the Internet Engineering Task Force (IETF) standardized a suite of open specifications for protecting IP traffic, Internet Protocol Security, now defined chiefly by RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP), and RFC 7296 (IKEv2). IPsec is optional in IPv4; IPv6 implementations were originally required to support it, a requirement later relaxed to a recommendation. In either case it must be configured and deployed deliberately as part of a network security strategy, because nothing is protected by default.

IPsec consists of several protocols that secure network communications. The three main protocols within IPsec are Encapsulating Security Payload (ESP), Authentication Header (AH), and Internet Key Exchange (IKE).

Encapsulating Security Payload

ESP protects the confidentiality, integrity, and data origin authenticity of each packet in transit. The sender encrypts the payload (together with padding and a Next Header field naming what was encapsulated), prefixes an ESP header carrying the Security Parameter Index (SPI) and a sequence number, and then computes a keyed Message Authentication Code (MAC) over the ESP header and the ciphertext; the result, the Integrity Check Value (ICV), is appended to the packet. Because the MAC covers the ciphertext rather than the plaintext (encrypt-then-MAC), a receiver can reject a tampered packet before decrypting anything. Encryption and integrity can use separate algorithms with separate keys (for example AES-CBC with HMAC-SHA-256) or a single combined-mode AEAD algorithm such as AES-GCM with one key. On the receiving end, ESP looks up the SA by SPI, recomputes the MAC with the shared integrity key, compares it in constant time with the ICV in the packet, and only then decrypts the encapsulated payload.

Authentication Header

Part of the original IPsec standard, AH provides integrity and data origin authentication but no confidentiality. Unlike ESP, AH also authenticates the immutable parts of the outer IP header, which is why it fails whenever a NAT device rewrites addresses. Since ESP covers the same needs in practice, RFC 4301 made ESP mandatory to implement and downgraded AH to an optional feature.

Both ESP and AH can operate in one of two modes. In tunnel mode the entire original packet, IP header included, is encapsulated and protected inside a new outer IP packet; in transport mode the original IP header is kept and only the transport-layer payload is protected. Transport mode imposes less overhead, but it exposes the original source and destination to observers and copes poorly with Network Address Translation (NAT): AH fails outright because NAT changes addresses it authenticates, and ESP in transport mode hides the TCP/UDP checksums that a NAT device needs to fix up. Tunnel mode, the normal choice for VPN gateways, shows outside observers only the gateway addresses, and NAT traversal (UDP encapsulation of ESP, RFC 3948) lets such tunnels pass through address translation.

Internet Key Exchange

Internet Key Exchange, today IKEv2 (RFC 7296), first establishes an IKE security association (SA) between the two endpoints and then negotiates one or more IPsec SAs (Child SAs) through which the data packets pass. The IKE SA is the control channel for the IPsec data channel: over it the peers negotiate cryptographic algorithms, authenticate each other with pre-shared keys, certificates, or EAP, derive fresh session keys from a Diffie-Hellman exchange, and rekey, delete, or keep alive the IPsec SAs for as long as the connection lasts. Each unidirectional IPsec SA is identified by its SPI, and the keys for both directions are derived from the IKE SA's key material, so a compromised data key never reveals the IKE SA's own keys.
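To make the control-channel role concrete, here is an added example, written for this page (not Twingate's code and not taken from any IKE implementation), of the IKEv2 key schedule from RFC 7296 sections 2.14 and 2.17: an initiator and a responder each compute the same IKE SA keys from one Diffie-Hellman exchange, then derive a Child SA's keys from SK_d. The PRF (HMAC-SHA-256), the AES-256 key sizes, the fixed nonces and SPIs, and the toy Diffie-Hellman group built on the Mersenne prime 2^521-1 are all assumptions made for the demonstration; that group is not a registered IKE group, real peers negotiate the MODP groups of RFC 3526 or the elliptic-curve groups of RFC 5903.

```python
"""Added example (not Twingate's code, not a real IKE implementation): the IKEv2
key schedule of RFC 7296 s2.14 / s2.17 computed independently by both peers.

Assumptions: HMAC-SHA-256 as PRF and integrity algorithm, AES-256 key sizes,
fixed SPIs/nonces for reproducibility, and a toy DH group on 2^521-1 (prime,
but NOT an IKE group; demonstration only).
"""
import hashlib
import hmac
import secrets

TOY_P = (1 << 521) - 1                       # demo-only modulus, not RFC 3526/5903
TOY_G = 3
GROUP_LEN = (TOY_P.bit_length() + 7) // 8    # g^ir is left-padded to the group size

PRF_KEY_LEN = 32     # PRF_HMAC_SHA2_256
INTEG_KEY_LEN = 32   # AUTH_HMAC_SHA2_256_128
ENC_KEY_LEN = 32     # ENCR_AES_CBC, 256-bit key

IKE_KEY_ORDER = [("SK_d", PRF_KEY_LEN), ("SK_ai", INTEG_KEY_LEN), ("SK_ar", INTEG_KEY_LEN),
                 ("SK_ei", ENC_KEY_LEN), ("SK_er", ENC_KEY_LEN),
                 ("SK_pi", PRF_KEY_LEN), ("SK_pr", PRF_KEY_LEN)]
# Child SA: initiator->responder keys first, encryption before integrity (s2.17)
CHILD_KEY_ORDER = [("ESP_ei", ENC_KEY_LEN), ("ESP_ai", INTEG_KEY_LEN),
                   ("ESP_er", ENC_KEY_LEN), ("ESP_ar", INTEG_KEY_LEN)]


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K,S) = T1 | T2 | ..., with Tn = prf(K, T(n-1) | S | n)  (RFC 7296 s2.13)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def total_len(order):
    return sum(ln for _, ln in order)


def split_keys(stream: bytes, order):
    """Cut the prf+ output stream into named keys in the order the RFC specifies."""
    keys, pos = {}, 0
    for name, ln in order:
        keys[name] = stream[pos:pos + ln]
        pos += ln
    return keys


class IkePeer:
    """One IKE endpoint: its SPI, nonce, and ephemeral DH key pair."""

    def __init__(self, initiator: bool, spi: bytes, nonce: bytes):
        self.initiator = initiator
        self.spi, self.nonce = spi, nonce
        self.priv = secrets.randbelow(TOY_P - 2) + 1   # fresh ephemeral exponent
        self.ke = pow(TOY_G, self.priv, TOY_P)          # value carried in the KE payload

    def derive(self, peer_ke: int, peer_spi: bytes, peer_nonce: bytes):
        """IKE SA keys plus a first Child SA's keys from the peer's IKE_SA_INIT values."""
        g_ir = pow(peer_ke, self.priv, TOY_P).to_bytes(GROUP_LEN, "big")
        if self.initiator:
            ni, nr, spi_i, spi_r = self.nonce, peer_nonce, self.spi, peer_spi
        else:
            ni, nr, spi_i, spi_r = peer_nonce, self.nonce, peer_spi, self.spi
        skeyseed = prf(ni + nr, g_ir)                                  # SKEYSEED
        ike_stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, total_len(IKE_KEY_ORDER))
        ike_keys = split_keys(ike_stream, IKE_KEY_ORDER)
        # KEYMAT for a Child SA without PFS = prf+(SK_d, Ni | Nr)
        child_stream = prf_plus(ike_keys["SK_d"], ni + nr, total_len(CHILD_KEY_ORDER))
        return ike_keys, split_keys(child_stream, CHILD_KEY_ORDER)


def run_exchange():
    """Constructed IKE_SA_INIT: fixed SPIs and nonces stand in for the random ones."""
    init = IkePeer(True, bytes.fromhex("0102030405060708"), b"\xa1" * 32)
    resp = IkePeer(False, bytes.fromhex("1112131415161718"), b"\xb2" * 32)
    i_ike, i_child = init.derive(resp.ke, resp.spi, resp.nonce)   # initiator alone
    r_ike, r_child = resp.derive(init.ke, init.spi, init.nonce)   # responder alone
    return i_ike, i_child, r_ike, r_child


if __name__ == "__main__":
    i_ike, i_child, r_ike, r_child = run_exchange()
    for name, key in i_ike.items():
        print(name, key.hex(), "match" if key == r_ike[name] else "MISMATCH")
```

Run it and every SK_* line reports "match": neither side ever transmits a key, yet both arrive at the same seven IKE SA keys and the same four ESP keys, and the initiator-to-responder keys (SK_ei, ESP_ei) differ from the reverse-direction ones, which is what stops a captured packet from being reflected back at its sender.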

What are the benefits of IPsec?

The Internet protocol suite is organized into four abstraction layers: application, transport, internet (network), and link. Security measures can be applied at each of these layers, each with its own advantages and disadvantages. Secure Shell (SSH), TLS, and other application-layer measures, for example, protect only the payload of their own sessions and cannot protect the IP and transport headers created at lower layers, so addresses, ports, and traffic patterns remain visible.

As a network-layer security framework, IPsec applies its protection to every IP packet regardless of the application that produced it, so it is transparent to applications and to the protocols above it. That transparency is why IPsec VPNs are the most common way to protect remote access and site-to-site connections. The benefits of IPsec include:

Confidentiality

An IPsec VPN uses negotiated secret keys and symmetric encryption to protect each packet's data payload. In tunnel mode the original IP header is encrypted as well, hiding the real source and destination behind the gateway addresses. ESP also offers optional traffic flow confidentiality: a sender may pad packets up to the path MTU and insert dummy packets, which the receiver discards, to mask packet sizes and timing.

Integrity

Data packets can be corrupted, accidentally or maliciously, as they traverse the internet. The receiving end of an IPsec connection detects any change to a packet by recomputing the keyed MAC with the shared integrity key and comparing it with the ICV the sender attached; a mismatch causes the packet to be dropped without being decrypted or delivered.

Authentication

Internet Protocol Security uses IKE to authenticate both endpoints, with pre-shared keys, digital certificates, or EAP, before any session keys are agreed, so each side knows who is at the other end of the tunnel and data go only where intended.

Replay protection

The Internet Protocol does not guarantee that packets arrive in order, and an attacker who captures valid packets can resend them later. Every ESP and AH packet therefore carries a monotonically increasing sequence number, and the receiver keeps a sliding replay window (at least 32 packets wide, 64 or more in practice) anchored at the highest sequence number accepted so far. A packet whose sequence number has already been seen, or that falls below the window, is rejected; late packets still inside the window are accepted. The window advances only after a packet's integrity check succeeds, so forged packets cannot push it forward, and the sender must rekey before its counter wraps (Extended Sequence Numbers extend it to 64 bits).
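The receive side of ESP, combining the integrity check from the Encapsulating Security Payload section above with this replay window, as an added example written for this page (not Twingate's code and not a real IPsec stack): the sender attaches a 128-bit HMAC-SHA-256 ICV (AUTH_HMAC_SHA2_256_128, RFC 4868) over the SPI, sequence number, and ciphertext; the receiver runs the RFC 4303 Appendix A sliding-window pre-check, verifies the ICV in constant time, and advances the window only once the packet has authenticated. Decryption is left out because it is not the point here; the encrypted payload is treated as opaque bytes, and the SPI, keys, and payloads are constructed values.

```python
"""Added example (not Twingate's code, not a real IPsec stack): the receiving
side of ESP, integrity check plus anti-replay window.
Assumptions: ICV = HMAC-SHA-256 truncated to 128 bits (RFC 4868), 32-bit
sequence numbers (no ESN), a 64-packet window, opaque bytes standing in for
the encrypted payload; decryption is omitted.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16                     # AUTH_HMAC_SHA2_256_128
ESP_HDR = struct.Struct("!II")   # SPI, sequence number (RFC 4303 s2)


def esp_icv(integ_key: bytes, authenticated: bytes) -> bytes:
    """MAC over header + ciphertext, i.e. everything but the ICV (encrypt-then-MAC)."""
    return hmac.new(integ_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, ciphertext: bytes, integ_key: bytes) -> bytes:
    """Sender side: ESP header | ciphertext | ICV."""
    body = ESP_HDR.pack(spi, seq) + ciphertext
    return body + esp_icv(integ_key, body)


class ReplayWindow:
    """Sliding window of RFC 4303 Appendix A. Bit i of the bitmap records whether
    sequence number (highest - i) has already been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # right edge: highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq: int):
        """Pre-check before the ICV: None if seq may be accepted, else the drop reason."""
        if seq == 0:
            return "invalid_seq"       # the first packet on an SA carries seq 1
        if seq > self.highest:
            return None                # ahead of the window: a new packet
        behind = self.highest - seq
        if behind >= self.size:
            return "stale"             # fell off the left edge: too old to judge
        if (self.bitmap >> behind) & 1:
            return "replay"            # already accepted once
        return None

    def update(self, seq: int) -> None:
        """Record seq as accepted; call only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1        # whole window slid past; only seq is marked
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class EspReceiver:
    """Inbound SA state: SPI, integrity key, and the SA's replay window."""

    def __init__(self, spi: int, integ_key: bytes, window: int = 64):
        self.spi, self.integ_key = spi, integ_key
        self.window = ReplayWindow(window)

    def receive(self, packet: bytes):
        """Return (status, ciphertext); status is 'ok' or the reason the packet was dropped."""
        if len(packet) < ESP_HDR.size + ICV_LEN:
            return "malformed", None
        spi, seq = ESP_HDR.unpack_from(packet)
        if spi != self.spi:
            return "unknown_spi", None     # no SA for this SPI
        reason = self.window.check(seq)    # cheap check first, before the MAC
        if reason:
            return reason, None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, esp_icv(self.integ_key, body)):
            return "bad_icv", None         # window deliberately NOT advanced
        self.window.update(seq)            # only authenticated packets move the window
        return "ok", body[ESP_HDR.size:]   # this is what would now be decrypted


def demo():
    """Constructed traffic on one SA; returns the receiver's verdict per packet."""
    spi, key, forged_key = 0x1000A5A5, b"\x11" * 32, b"\x22" * 32
    rx = EspReceiver(spi, key)

    def ct(n):                             # constructed stand-in for encrypted payload
        return bytes([n]) * 8

    packets = [
        build_esp(spi, 1, ct(1), key),         # ok
        build_esp(spi, 3, ct(3), key),         # ok: seq 2 is still outstanding
        build_esp(spi, 2, ct(2), key),         # ok: late but inside the window
        build_esp(spi, 2, ct(2), key),         # replay: seq 2 already accepted
        build_esp(spi, 4, ct(4), forged_key),  # bad_icv: attacker guesses the next seq
        build_esp(spi, 4, ct(4), key),         # ok: the forgery did not burn seq 4
        build_esp(spi, 100, ct(100), key),     # ok: window jumps to 100
        build_esp(spi, 36, ct(36), key),       # stale: 100 - 36 = 64, outside the window
        build_esp(spi, 37, ct(37), key),       # ok: 100 - 37 = 63, still inside
    ]
    return [rx.receive(p)[0] for p in packets]
```

The ordering of the checks is the security-relevant detail: the window pre-check is cheap and runs first so replayed floods are dropped before any MAC work, but the window is updated only after `compare_digest` succeeds, which is why the forged seq 4 does not prevent the genuine seq 4 from being accepted and cannot be used to slide the window and starve legitimate late packets.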

Access control

Network administrators can use policy-based IPsec to control access to resources: the Security Policy Database on each endpoint decides, per source, destination, protocol, and port, whether traffic must be protected, may bypass IPsec, or is discarded, so the same policy that builds the tunnel also limits which resources a peer can reach and which traffic types it may send. Route-based IPsec, which binds the tunnel to a virtual interface and lets ordinary routing tables decide what enters it, is more flexible for dynamic topologies, but it moves access control out of the IPsec policy and onto routing and firewall rules that must then be maintained separately for the tunnel interface.

What are the challenges with IPsec?

While applying communications security at the network layer provides many advantages, IPsec does come with certain tradeoffs.

All-or-nothing access

In a remote access scenario, an IPsec VPN creates a tunnel through which the user typically gains network-level access to the company's internal network rather than to specific applications. Subnet segmentation, firewall rules behind the gateway, and other access control methods are then needed to protect network resources from compromised end-user devices.

Integration with network security stack

Where administrators place an IPsec VPN gateway within the enterprise's layered network security architecture affects both security and performance. Firewalls, intrusion detection systems, and other inspection points cannot see inside encrypted IPsec traffic, so anything in front of the gateway sees only ESP packets. Placing the gateway outside the internet firewall lets the firewall and intrusion detection systems inspect the decrypted payloads, but the decrypted traffic on the gateway-to-firewall link then travels in the clear and must itself be protected.

Latency

IPsec VPNs can impose performance penalties on remote connections. Traffic flow confidentiality measures such as padding packets to the maximum size and sending dummy packets burden VPN gateways and add latency for end users. Encryption, decryption, and per-packet integrity checks are computationally intensive for user devices and gateways, and the extra headers reduce the effective MTU, causing fragmentation and retransmissions when path MTU is not adjusted.

Management and implementation complexity

IPsec supports many key distribution methods, cipher suites, modes, and optional features. Although that flexibility may seem like a benefit, the added complexity and large codebase make IPsec implementations hard to build, configure, and audit; misconfiguration (weak algorithms, overly broad policies, mismatched proposals) is common, and even a correctly deployed gateway presents a large, internet-exposed attack surface that undermines VPN security.

Twingate’s Zero Trust Network Future Proofs Business Security

For early adopters, migrating from traditional VPN security to ZTNA-based security required expensive, drawn-out re-engineering of the corporate network. But a next-generation alternative to corporate VPNs from Twingate lets companies deploy ZTNA quickly and painlessly. Thanks to its modern approach to security, Twingate enhances network security while making life easier for people across the organization.

Benefits for administrators

The maintenance and security overhead imposed by legacy VPNs goes away, freeing administrators. Twingate is:

  • More secure
    • Resources are hidden behind access nodes rather than public endpoints.
    • Access rules apply to all users, not just remote workers.
    • Granular, least-privileged access to resources instead of network-level access.
  • Easier to deploy
    • SaaS-based controller and relay technology rather than gateway hardware.
    • Software-only connectors deploy in any environment, whether on-premises or cloud-based.
    • Lightweight client is installable by users without needing support from IT.
  • More performant and maintainable
    • Lower latency, faster user connectivity, and less network congestion.
    • Logging and analytics for enterprise-wide visibility.
    • Centralized administration with no infrastructure changes needed.

Benefits for end-users

Twingate makes security as easy as possible for end-users, eliminating the risks created when users work around the limitations of traditional VPN solutions:

  • No backhauling
    • Users connect more directly to resources rather than through gateway chokepoints.
    • Split tunneling separates traffic to private resources from other activity.
  • Consumer-grade client app
    • Installs like any other app rather than requiring administrator assistance.
    • Almost no user interaction required, unlike VPNs, which often require users to select different VPN gateways and toggle them on and off.
    • Lightweight, always-on app has minimal impact on device performance.

Adopting ZTNA with Twingate's alternative to corporate VPNs future proofs businesses for tomorrow's computing environment. More resources will migrate from on-premises systems to the cloud. Remote working will be a permanent part of business life even as the pandemic fades. Adapting to these changes, Twingate is the next evolution of the corporate VPN, providing flexible, performant security to protect your company's private data.

"We evaluated several competing vendors for zero trust and Twingate was clearly the easiest to deploy. We got Twingate up in minutes."
Christian Trummer
CTO at Bitpanda

Get set up in minutes

Try Twingate today and give your team access to private applications in minutes