With the development of web services, more social networks and commercial networks are being introduced into the internet. These internet applications deal with various types of data, and securing data over networks is becoming a more critical issue. Network security should provide confidentiality, integrity and authenticity to data networks. Network layer security protection is essential to internet communication. The IP Security (IPSec) protocol is the most famous, secure and widely deployed security protocol that secures data communication on the internet at the network layer. The performance evaluation of IPSec is an important factor in network security: it is important to achieve network security without degrading the performance level of the communication system. In this paper, we analyze the performance of IPSec as the security protocol of a network security gateway.
The IPSec security protocol acts at the network layer and has two modes of operation: Transport mode and Tunnel mode. There are two major protocols in the IPSec protocol suite: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. ESP provides confidentiality, integrity and authenticity for the communication. AH ensures authenticity and integrity of the protected data. IPSec consults the Security Policy Database (SPD) and the Security Association Database (SAD) to determine how to secure IP packets. The security policy determines the security services offered to the IP flow. The Security Associations (SAs) act as the contract between two communicating entities. They determine the IPSec protocol used in the transforms, the keys, and the duration for which the keys are valid. The Internet Key Exchange (IKE) creates SAs dynamically on behalf of IPSec and manages the SAD. IKE provides key management schemes for communicating entities. Establishing an IPSec connection requires two phases. Phase 1 performs mutual authentication and produces the encryption key required to protect Phase 2 transactions. Phase 2 negotiates the cipher and authentication algorithm to protect future communication.
Security is a critical factor in the development of the internet. IPSec is a suite of protocols that provides source authentication, data integrity and data confidentiality at the network layer, in both IPv4 and IPv6 environments. Linux kernel 2.6 is a powerful platform for the development of a security gateway. We have analyzed the performance of the security gateway in different configurations of ESP tunneling.
When compression is applied, we can see a drop in IPSec performance. This performance decrease is due to the relation between the encryption algorithm speed and the compression algorithm speed. When we apply compression to the higher speed encryption algorithm in IPSec, it causes the throughput to degrade. HMAC-MD5 shows higher performance than HMAC-SHA1, both with compression and without. AES also performs better than the other encryption mechanisms. DES and 3DES have lower throughput than the others because of their time-consuming encryption process.
The increase and decrease of throughput is based on a combination of elements: the residing layer, the header size and the relative speeds of compression, encryption and transfer. AES presents better encryption capability than DES and 3DES. HMAC-MD5 has better authentication compatibility than HMAC-SHA1. We can achieve higher network security and lower performance degradation by implementing an ESP tunnel with AES encryption and HMAC-MD5 authentication.
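The header-size element mentioned above can be made concrete with the following added example (not code from the paper), which computes the on-wire size of an ESP tunnel-mode packet for each cipher. It assumes CBC mode, 96-bit truncated HMAC values, IPv4 headers without options and no compression; the function and constant names are illustrative.

```python
# Added example: per-packet size of an IPv4 ESP tunnel-mode packet.
# Assumptions (not from the page): CBC mode, HMAC truncated to 96 bits,
# 20-byte IPv4 headers without options, no compression, no NAT traversal.
from dataclasses import dataclass

OUTER_IPV4 = 20   # new IP header added by tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
ICV_HMAC_96 = 12  # HMAC-MD5-96 and HMAC-SHA1-96 both send 12 bytes

@dataclass(frozen=True)
class Cipher:
    name: str
    block: int  # CBC block size in bytes
    iv: int     # per-packet IV carried in front of the ciphertext

CIPHERS = {
    "des": Cipher("DES-CBC", 8, 8),
    "3des": Cipher("3DES-CBC", 8, 8),
    "aes": Cipher("AES-CBC", 16, 16),
}

def esp_tunnel_size(inner_len: int, cipher: Cipher, icv: int = ICV_HMAC_96) -> int:
    """IP-layer bytes sent for one inner IPv4 packet of inner_len bytes."""
    if inner_len < 20:
        raise ValueError("inner packet must contain at least an IPv4 header")
    # Inner packet plus the 2-byte trailer must fill whole cipher blocks.
    to_encrypt = inner_len + ESP_TRAILER
    padding = -to_encrypt % cipher.block
    return OUTER_IPV4 + ESP_HEADER + cipher.iv + to_encrypt + padding + icv

def efficiency(inner_len: int, cipher: Cipher) -> float:
    """Fraction of the transmitted bytes that is the original packet."""
    return inner_len / esp_tunnel_size(inner_len, cipher)

def max_inner_for_mtu(mtu: int, cipher: Cipher, icv: int = ICV_HMAC_96) -> int:
    """Largest inner packet whose ESP packet still fits in mtu unfragmented."""
    room = mtu - OUTER_IPV4 - ESP_HEADER - cipher.iv - icv
    room -= room % cipher.block  # ciphertext is a whole number of blocks
    return room - ESP_TRAILER

if __name__ == "__main__":
    for size in (64, 512, 1400):
        for c in CIPHERS.values():
            total = esp_tunnel_size(size, c)
            print(f"{size:5d} B inner  {c.name:8s} -> {total:5d} B "
                  f"({efficiency(size, c):.1%} payload)")
    for c in CIPHERS.values():
        print(f"{c.name}: max inner packet at MTU 1500 = "
              f"{max_inner_for_mtu(1500, c)} B")
```

Under these assumptions AES adds slightly more bytes per packet than DES or 3DES, and both HMAC variants add the same 12 bytes, so the throughput differences reported above come from the speed of the algorithms rather than from header size.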