IPSec
IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as PIX Firewall units.
IPSec provides the following network security services:
· Data confidentiality—The IPSec sender can encrypt packets before transmitting them across a network.
· Data integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
· Data origin authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
· Anti-replay—The IPSec receiver can detect and reject replayed packets.
The term data authentication is generally used to mean data integrity and data origin authentication. Within this chapter, it also includes anti-replay services, unless otherwise specified.
IPSec provides secure tunnels between two peers, such as two PIX Firewall units. You define which packets are considered sensitive and should be sent through these secure tunnels, and you define the parameters that should be used to protect these sensitive packets, by specifying the characteristics of these tunnels. Then, when the IPSec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer. The secure tunnel used to transmit information is based on encryption keys and other security parameters, described by security associations (SAs).
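As an added example (not part of this documentation or of the PIX software), the anti-replay check that an IPSec receiver applies to each inbound SA, following the sliding-window scheme specified for AH and ESP in RFC 4302/4303; the window size, the sample sequence numbers and the verdict strings are constructed for illustration.

```python
# Added example: per-SA anti-replay window as described in RFC 4302/4303.
# Each inbound SA keeps the highest sequence number accepted so far plus a
# bitmap of recently received numbers; duplicates and stale packets are dropped.

class ReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC minimum size is 32)."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (highest - i) was already received

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'invalid', 'stale' or 'replay' for sequence number seq."""
        if seq == 0:
            return "invalid"    # the first packet on a fresh SA carries seq 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1  # jumped past the whole window: only seq is seen
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= self.size:
            return "stale"      # behind the window: drop
        if (self.bitmap >> diff) & 1:
            return "replay"     # already received: drop (a loggable event)
        self.bitmap |= 1 << diff
        return "accept"


def process_sequence(seqs, size: int = 64):
    """Run a constructed stream of ESP sequence numbers through one SA's window."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order packets, a duplicate, reordering, a large
    # gap, then numbers that have fallen behind the 64-packet window.
    sample = [1, 2, 3, 3, 5, 4, 100, 36, 37, 2]
    for seq, verdict in zip(sample, process_sequence(sample)):
        print(f"seq {seq:>3}: {verdict}")
```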