The invention relates to establishing network security using Internet Protocol security (IPsec) policies.
IPsec is a network-layer security framework for implementing security for communications on networks using the Internet Protocol (IP) through the use of cryptographic key management procedures and protocols. Communications between two endpoints of an IP traffic flow are made secure by the IPsec protocol on an individual IP packet basis. IPsec entities at connection endpoints have access to and participate in operations that make a common connection secure.
IPsec establishes and uses a security association to identify a secure channel between two endpoints. A security association is a unidirectional session between two termination endpoints. One endpoint sends IP packets, and a second endpoint receives the IP packets. A minimum of two security associations is required for secure, bi-directional communications. The two endpoints can use the Internet Key Exchange (IKE) protocol to negotiate mutually acceptable encryption algorithms, associated parameters and secret keys to protect network traffic. The IKE protocol supports various authentication mechanisms including pre-shared keys, X.509 public key certificates and Kerberos tickets.
Policy-based network management (PMNM) often is used to determine who can use the resources and services associated with the network, under what conditions they are used, and when. Security policies, for example, define a set of rules governing encryption and access control decisions. The policies can be expressed as a set of rules each of which includes a predicate and an action. In other words, a rule can be expressed as “if <condition> is satisfied, then do <action>.”
An exemplary action at the IPsec layer may propose a specific set of security algorithms. Current IPsec protocol implementations typically use packet flow information, such as IP addresses, protocol and ports, to evaluate the policy decisions.