IPsec provides a mechanism for secure data transmission over IP networks, ensuring the confidentiality, integrity, and authenticity of communications across unprotected networks such as the Internet. IPsec is a suite of protocols rather than a single algorithm: it is not bound to any specific encryption or authentication algorithm, key management technique, or way of establishing a security association (SA). IPsec provides the framework and the rules; the algorithms plugged into it provide the encryption, authentication, key management, and so on. IPsec operates at the network layer, protecting and authenticating IP packets between IPsec devices (peers) such as Cisco PIX Firewalls, Adaptive Security Appliances (ASA), Cisco routers, the Cisco Secure VPN Client, and other IPsec-compliant products.
IPsec is an Internet Engineering Task Force (IETF) standard, originally specified in RFC 2401 through RFC 2412 and since revised in RFC 4301 through RFC 4309, that defines how IP traffic is protected and therefore how a VPN can be built over IP networks.
IPsec provides the following essential security functions:
Data confidentiality: IPsec ensures confidentiality by using encryption. Encryption prevents third parties from reading the data, especially data transmitted over public or wireless networks. The IPsec sender encrypts packets before transmitting them across the network, which prevents anyone who captures the traffic from reading it (eavesdropping). Note that only the Encapsulating Security Payload (ESP) protocol provides encryption; the Authentication Header (AH) protocol provides integrity and authentication but leaves the payload in the clear.
Data integrity: IPsec ensures that data arrives at the destination unchanged; that is, that it was not manipulated at any point along the communication path. IPsec provides integrity by using keyed hashes (HMACs, such as HMAC-SHA-256): the sender computes an integrity check value (ICV) over the packet with a key known only to the two peers, and the receiver recomputes and compares it. A plain, unkeyed hash would not be enough, because an attacker who modifies the packet could simply recompute the hash.
Data origin authentication: The IPsec receiver can authenticate the source of the IPsec packets, because only a peer that holds the SA's keys can produce a valid ICV. Authentication ensures that the connection is actually made with the desired communication partner; the peers themselves are authenticated during IKE negotiation, typically with pre-shared keys or digital certificates.
Anti-replay: Anti-replay protection verifies that each packet is unique and not a duplicate. Each packet sent on an SA carries a monotonically increasing sequence number, and the destination host or security gateway compares the sequence number of each received packet against a sliding window of recently accepted numbers. A packet whose sequence number falls below (to the left of) the window is considered too late, and a packet whose number falls inside the window but has already been seen is a duplicate; late and duplicate packets are dropped. The receiver marks a sequence number as received, and advances the window, only after the packet's integrity check succeeds, so that forged packets cannot poison the window. Because the sequence number must never wrap, an SA has to be rekeyed before the counter reaches its maximum (2^32 - 1, or 2^64 - 1 with extended sequence numbers).
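The receive-side checks described above (keyed integrity check, then anti-replay window) in one added example. This is illustrative code written for this page, not Cisco or IETF reference code; it assumes a constructed SA key, a toy packet layout (4-byte sequence number, payload, 16-byte truncated HMAC-SHA-256 ICV, no encryption), and a 64-entry window, and it follows the RFC 4303 inbound order: a cheap replay check first, then ICV verification, and only then the window update. It also contrasts the keyed ICV with an unkeyed hash, which any attacker can recompute after tampering.

```python
"""Simplified IPsec-style inbound processing: keyed ICV plus RFC 4303-style
anti-replay window. Constructed example for illustration, not an IPsec stack."""
import hashlib
import hmac
import struct

ICV_LEN = 16  # truncated HMAC output, as in HMAC-SHA-256-128


class AntiReplayWindow:
    """Sliding window over received sequence numbers (cf. RFC 4303 3.4.3)."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was received

    def check(self, seq):
        """Return True if seq is neither a replay nor too old. No state change."""
        if seq == 0:                      # sequence numbers start at 1
            return False
        if seq > self.highest:            # right of the window: new packet
            return True
        diff = self.highest - seq
        if diff >= self.size:             # left of the window: too late, drop
            return False
        return not (self.bitmap >> diff) & 1   # inside window: already seen?

    def update(self, seq):
        """Mark seq as received. Called only after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def build_packet(key, seq, payload):
    """Sender side: seq || payload || truncated HMAC over seq || payload."""
    header = struct.pack("!I", seq) + payload
    icv = hmac.new(key, header, hashlib.sha256).digest()[:ICV_LEN]
    return header + icv


class Receiver:
    def __init__(self, key, window=64):
        self.key = key
        self.window = AntiReplayWindow(window)

    def process(self, packet):
        """Return (accepted, reason)."""
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated"
        seq = struct.unpack("!I", packet[:4])[0]
        if not self.window.check(seq):        # 1. preliminary replay check
            return False, "replay"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # 2. integrity / origin check
            return False, "bad icv"
        self.window.update(seq)               # 3. window advances only now
        return True, "ok"


def unkeyed_integrity_is_forgeable():
    """Contrast: with an unkeyed hash as 'ICV', an attacker who edits the
    payload can recompute a valid digest without any secret. Returns True
    if the forged packet would verify."""
    forged_hdr = struct.pack("!I", 1) + b"transfer 99"   # attacker-modified payload
    forged = forged_hdr + hashlib.sha256(forged_hdr).digest()[:ICV_LEN]
    return hashlib.sha256(forged[:-ICV_LEN]).digest()[:ICV_LEN] == forged[-ICV_LEN:]


def demo():
    """Run a constructed packet sequence through the receiver."""
    key = b"constructed-sa-key-for-illustration"   # constructed, not a real key
    rx = Receiver(key)
    results = []
    for seq in (1, 2, 3, 5):                        # normal traffic, one packet lost
        results.append(rx.process(build_packet(key, seq, b"data%d" % seq)))
    results.append(rx.process(build_packet(key, 2, b"data2")))   # replay of seq 2
    late = build_packet(key, 4, b"data4")          # reordered but inside window
    results.append(rx.process(late))                # accepted once
    results.append(rx.process(late))                # then rejected as duplicate
    tampered = bytearray(build_packet(key, 6, b"data6"))
    tampered[5] ^= 0x01                             # flip one payload bit
    results.append(rx.process(bytes(tampered)))     # ICV mismatch, window untouched
    results.append(rx.process(build_packet(key, 79, b"x")))      # window jumps ahead
    results.append(rx.process(build_packet(key, 7, b"data7")))   # now left of window
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
    print("unkeyed hash forgeable:", unkeyed_integrity_is_forgeable())
```

The order of the three checks matters: the replay check runs before the expensive ICV computation so that flooding the receiver with old packets costs little, but the window is only updated after the ICV verifies, so an attacker who cannot compute valid ICVs cannot push the window forward and starve legitimate packets.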