IPsec is a set of protocols that enable encrypted device connections, providing an essential layer for securing data exchanges on a network. Let’s take a closer look at what IPsec is, how it works, and why it’s important for cellular IoT.
What is IPsec?
IPsec stands for Internet Protocol security, and it’s often used to set up a virtual protected network (VPN). It’s a set of protocols between two points on the IP network that provide data authentication, integrity, encryption, decryption, and confidentiality.
Transport Mode vs. Tunnel Mode
IPsec has two functional modes. Transport mode encrypts and secures the data that’s being transmitted, and tunnel mode establishes a secure connection or “tunnel” between two separate networks. The most common use for IPsec, tunnel mode is particularly helpful for creating a VPN. (More on that later.)
How Does IPsec work?
IPsec is a complicated web of processes, incorporating several different technologies and ways of encrypting data. But how it works can be explained in five steps:
1. Defining Interesting Traffic
The IPsec protocols determine what information to encrypt and how to encrypt it based on its destination. Once IPsec has found some interesting traffic, it starts sending the data over to the Internet Key Exchange (IKE). IKE is a hybrid protocol based on the Internet Security Association and Key Management Protocol, which establishes security associations, and the Oakley Protocol, which defines the algorithm used for the data exchange. Think of the Internet Security Association and Key Management Protocol as the key to open the box of data, and the Oakley Protocol as the box itself.
2. Establishing a Secure Connection
Next, the IKE establishes the connection, authenticating IPsec peers, exchanging secret encryption keys, and ensuring that all parties are using the same protocols. This sets the stage for creating a secure tunnel.
3. Building the Tunnel
The next step is setting up the IPsec tunnel, a direct router-to-router connection where all data is encrypted. To do this, the protocols must establish security associations and periodically regenerate the IPsec Security Association.
4. Using the Encrypted Tunnel
Data is sent back and forth through the tunnel based on IPsec parameters and keys.
5. Tunnel Termination
The tunnel can close either through manual deletion or timing out. It can be pre-set to close after a certain number of inactive seconds, or when a predetermined quantity of data have passed through.
Protocols Used in IPsec
Several protocols play roles in the IPsec layer, including:
The Authentication Header (AH) supplies data origin authentication, data integrity, and anti-replay services to IP. However, this protocol doesn’t encrypt anything — it just makes sure that information is coming from the right source.
Encapsulating Security Payloads (ESP)
Payloads contain key information to be sent through the network, and the ESP provides security for those packets or payloads by existing as a header between the Internet Protocol/IP and protocols in the upper layer like TCP, ICMP, and UDP. ESP can be applied either in tunnel mode or transport mode.
Internet Security Association and Key Management Protocol (ISAKMP)
A protocol designed to establish security association (SA), ISAKMP provides a framework for key exchange and authentication. Internet Key Exchange (IKE), mentioned earlier, is one source of keys that can be used with ISAKMP.
Why IPsec is Important for Cellular IoT
IPsec can play an important role in IoT security and often provides better protection than SSL, another form of network-based encryption. Here’s why IPsec is useful in cellular IoT:
IoT devices must connect with one another and the cloud, typically via a gateway. Authentication, which gives each device permission to join the network and exchange information, plays an important role in ensuring data security.
Encrypting data is a given for cybersecurity, but in the world of IoT, it’s not always end-to-end. That’s because IoT data often passes through different systems and software as it traverses the path from edge to cloud, making it harder to ensure constant encryption. When used in the context of a VPN and tunneling, IPsec can bridge those encryption gaps in a more secure way.
In its tunnel mode, IPsec can link two networks to create a VPN, which extends a private network across a public network, allowing you to share data across the public network as if you’re connected to a private network. In essence, it’s a tunnel that allows one private network to connect to another via the public internet — while maintaining the security and privacy of both private networks. To achieve that, the VPN encrypts and authenticates all traffic traveling through the tunnel.
Secure Tunneling with Hologram
All IoT devices need a dependable source of connectivity — one that emphasizes security and empowers you to use IPsec to the advantage of your IoT deployment. Hologram’s Spacebridge service allows you to create secure, authenticated tunnels to send data to a device with a Hologram SIM card connected to a cellular network. Hologram supports software-defined network solutions, giving you simpler, faster, less costly options that offer all the same benefits of a private APN without the need to construct your own network.