Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
E COMMERCE, M COMMERCE
MT-23 C
Max. Marks – 10
ASSIGNMENT-1
A-1
Security overview
In the software industry, security has two different perspectives.
In the software development community, it describes the security features of a system.
Common security features are ensuring passwords that are at least six characters long and
encryption of sensitive data. For software consumers, it is protection against attacks
rather than specific features of the system. Your house may have the latest alarm system
and windows with bars, but if you leave your doors unlocked, despite the number of
security features your system has, it is still insecure. Hence, security is not a number of
features, but a system process. The weakest link in the chain determines the security of
the system. In this article, we focus on possible attack scenarios in an e-Commerce
system and provide preventive strategies, including security features, that you can
implement.
Security has three main concepts: confidentiality, integrity, and availability.
Security features
While security features do not guarantee a secure system, they are necessary to build a
secure system. Security features have four categories:
• Authentication: Verifies who you say you are. It enforces that you are the only
one allowed to logon to your Internet banking account.
• Authorization: Allows only you to manipulate your resources in specific ways.
This prevents you from increasing the balance of your account or deleting a bill.
• Encryption: Deals with information hiding. It ensures you cannot spy on others
during Internet banking transactions.
• Auditing: Keeps a record of operations. Merchants use auditing to prove that you
bought a specific merchandise.
Defenses
Despite the existence of hackers and crackers, e-Commerce remains a safe and secure
activity. The resources available to large companies involved in e-Commerce are
enormous.
• Install personal firewalls for the client machines.
• Store confidential information in encrypted form.
• Encrypt the stream using the Secure Socket Layer (SSL) protocol to protect
information flowing between the client and the e-Commerce Web site.
• Use appropriate password policies, firewalls, and routine external security audits.
• Use threat model analysis, strict development policies, and external security
audits to protect ISV software running the Web site.
Education
Your system is only as secure as the people who use it. If a shopper chooses a weak
password, or does not keep their password confidential, then an attacker can pose as that
user. This is significant if the compromised password belongs to an administrator of the
system. In this case, there is likely physical security involved because the administrator
client may not be exposed outside the firewall. Users need to use good judgement when
giving out information, and be educated about possible phishing schemes and other social
engineering attacks.
Personal firewalls
When connecting your computer to a network, it becomes vulnerable to attack. A
personal firewall helps protect your computer by limiting the types of traffic initiated by
and directed to your computer. The intruder can also scan the hard drive to detect any
stored passwords.
Secure Socket Layer (SSL) is a protocol that encrypts data between the shopper's
computer and the site's server. When an SSL-protected page is requested, the browser
identifies the server as a trusted entity and initiates a handshake to pass encryption key
information back and forth. Now, on subsequent requests to the server, the information
flowing back and forth is encrypted so that a hacker sniffing the network cannot read the
contents.
Secure icon in Mozilla Firefox
Server firewalls
A firewall is like the moat surrounding a castle. It ensures that requests can only enter the
system from specified ports, and in some cases, ensures that all accesses are only from
certain physical machines.
A common technique is to setup a demilitarized zone (DMZ) using two firewalls. The
outer firewall has ports open that allow ingoing and outgoing HTTP requests. This allows
the client browser to communicate with the server. A second firewall sits behind the e-
Commerce servers. This firewall is heavily fortified, and only requests from trusted
servers on specific ports are allowed through. Both firewalls use intrusion detection
software to detect any unauthorized access attempts.
Another common technique used in conjunction with a DMZ is a honey pot server. A
honey pot is a resource (for example, a fake payment server) placed in the DMZ to fool
the hacker into thinking he has penetrated the inner wall. These servers are closely
monitored, and any access by an attacker is detected.
You may choose to have different policies for shoppers versus your internal users. For
example, you may choose to lockout an administrator after 3 failed login attempts instead
of 6. These password policies protect against attacks that attempt to guess the user's
password. They ensure that passwords are sufficiently strong enough so that they cannot
be easily guessed. The account lockout capability ensures that an automated scheme
cannot make more than a few guesses before the account is locked.
Intrusion detection and audits of security logs
If a shopper makes 6 failed logon attempts, then his account is locked out. In this
scenario, the company sends an email to the customer, informing them that his account is
locked. This event should also be logged in the system, either by sending an email to the
administrator, writing the event to a security log, or both.
You should also log any attempted unauthorized access to the system. If a user logs on,
and attempts to access resources that he is not entitled to see, or performs actions that he
is not entitled to perform, then this indicates the account has been co-opted and should be
locked out. Analysis of the security logs can detect patterns of suspicious behavior,
allowing the administrator to take action.
In addition to security logs, use business auditing to monitor activities such as payment
processing. You can monitor and review these logs to detect patterns of inappropriate
interaction at the business process level.
A-2
Common Security Vulnerabilities in e-commerce Systems:
1. Introduction
The tremendous increase in online transactions has been accompanied by an equal rise in the
number and type of attacks against the security of online payment systems. Some of these
attacks have utilized vulnerabilities that have been published in reusable third-party
components utilized by websites, such as shopping cart software. Other attacks have used
vulnerabilities that are common in any web application, such as SQL injection or cross-site
scripting. This article discusses these vulnerabilities with examples, either from the set of
known vulnerabilities, or those discovered during the author's penetration testing
assignments. The different types of vulnerabilities discussed here are SQL injection, cross-
site scripting, information disclosure, path disclosure, price manipulation, and buffer
overflows.
Successful exploitation of these vulnerabilities can lead to a wide range of results.
Information and path disclosure vulnerabilities will typically act as initial stages leading to
further exploitation. SQL injection or price manipulation attacks could cripple the website,
compromise confidentiality, and in worst cases cause the e-commerce business to shut down
completely.
Wherever examples of such vulnerabilities are given in advisories published by Bugtraq, we
have given the Bugtraq ID in square brackets. Details of the vulnerability may be viewed by
navigating to http://www.securityfocus.com/bid/<bid_number> .
2. Vulnerabilities
2.1 Background
There are a number of reasons why security vulnerabilities arise in shopping cart and online
payment systems. The reasons are not exclusive to these systems, but their impact becomes
much greater simply because of the wide exposure that an online website has, and because of
the financial nature of the transactions.
One of the main reasons for such vulnerabilities is the fact that web application developers
are often not very well versed with secure programming techniques. As a result, security of
the application is not necessarily one of the design goals. This is exacerbated by the rush to
meet deadlines in the fast-moving e-commerce world. Even one day's delay in publishing a
brand new feature on your website could allow a competitor to steal a march over you. We've
typically found this in cases where e-commerce sites need to add functionality rapidly to deal
with a sudden change in the business environment or simply to stay ahead of the competition.
In such a scenario, the attitude is to get the functionality online; security can always be taken
care of later. Another reason why security vulnerabilities appear is because of the inherent
complexity in most online systems. Nowadays, users are placing very demanding
requirements on their e-commerce providers, and this requires complex designs and
programming logic.
3. Countermeasures
The most important point is to build security into the web application at the design stage
itself. In fact, one of the key activities during the design phase should be a detailed risk
assessment exercise. Here, the team must identify the key information assets that the web
application will be dealing with. These could include configuration information, user
transaction details, session IDs, credit card numbers, etc. Each of these information assets
needs to be classified in terms of sensitivity. Depending upon the tentative architecture
chosen, the developers along with security experts must analyze the threats, impact,
vulnerabilities and threat probabilities for the system. Once these risks are listed out, system
countermeasures must be designed and if necessary the architecture itself may be modified.
Countermeasures should also include strict input validation routines, a 3-tier modular
architecture, use of open-source cryptographic standards, and other secure coding practices.
Ecommerce Threats
ECommerce has forever revolutionized the way business is done. Retail has now a long
way from the days of physical transactions that were time consuming and prone to errors.
However, eCommerce has unavoidably invited its share of trouble makers. As much as
eCommerce simplifies transactions, it is occasionally plagued by serious concerns that
jeopardize its security as a medium of exchanging money and information.
Major threats to present day eCommerce include
Breach of Security:
Money Thefts
eCommerce services are about transactions, and transactions are very largely driven by
money. This attracts hackers, crackers and everyone with the knowledge of exploiting
loopholes in a system. Once a kink in the armor is discovered, they feed the system(and
A-3
Firewall components
A built-in firewall is provided for scenarios where servers (managers) are separated from
destination clients (agents) by one or more intermediary networks because of firewall
policies or address space concerns. The firewall components are used to tunnel traffic
between network zones, and can be chained together to allow for multiple hops.
The firewall components are intended to be used with the scalable distribution
infrastructure. It does not allow communication between the provisioning server and the
common agent using the port number 9510 for any provisioning workflow that you want
to run. If your scenario requires a provisioning workflow to communicate with the
common agent, then the provisioning server must be able to communicate with the
common agent using the listening port (9510 by default) or an alternative protocol.
The following graphic is a high-level, functional overview of the firewall components:
6. The gateway service ties connections 4 and 6 to form a virtual connection from
the manager to the agent.
Proxy relay
The firewall components operate by opening default port 1960 on the proxy relay
system, and then listening on this port for routed traffic. When a connection is made to
this port, the proxy relay expects control information to be sent, which instructs the
relay to create a new TCP/IP connection to the specified address and port. Once the
new connection is created, the two input and output stream connections are joined
together using a thread that reads data from an input stream and writes data to another
output stream.
Each proxy relay is configured with an access control list (ACL) which determines
which incoming and outgoing connections to allow.
For example, a target computer must create a TCP/IP connection to a resource (2).
Because of unidirectional firewall rules, connections can only originate from the
network where the resource (2) resides. Using the gateway, the target computer (1)
creates a connection to the gateway service (3), which is allowed, as they are in the
same network. A gateway manager (4) creates a connection to a resource (2), which
resides in the same network. Next, the gateway manager (4) creates a new connection
to the gateway service (3). Then, using the input and output streams, the original
connection from the target computer (1) to the gateway service (3) acts as though it is
connected directly to the resource (2). When the gateway manager and gateway service
are operating correctly, there is a persistent TCP/IP from the gateway manager to the
gateway service.
This “command channel” enables the gateway service to alert the gateway manager
when it receives a new connection request. A periodic “heartbeat” signal is sent to keep
the connection alive. If the “command channel” is closed, the gateway manager will
attempt to reconnect periodically. The gateway service will automatically stop listening
on that particular gateway manager's service ports when the connection is broken. The
gateway service can be configured to advertise a particular service. To use this feature,
user datagram protocol (UDP) broadcasting must be enabled for the local subnet. A
target computer can discover a service by sending a broadcast UDP packet containing
the service's name. If the gateway service receives the UDP packet and it currently
advertises that service name, then it will respond back with an addressed UDP packet
which contains the port number that service is listening on. The target computer can
then use the source address of the UDP packet and the port contained within the packet
to connect to the given service.
A-4
A virtual private network (VPN) is a computer network that is implemented in an
additional software layer (overlay) on top of an existing larger network for the purpose of
creating a private scope of computer communications or providing a secure extension of
a private network into an insecure network such as the Internet.
The links between nodes of a virtual private network are formed over logical connections
or virtual circuits between hosts of the larger network. The Link Layer protocols of the
virtual network are said to be tunneled through the underlying transport network.
One common application is to secure communications through the public Internet, but a
VPN does not need to have explicit security features such as authentication or traffic
encryption. For example, VPNs can also be used to separate the traffic of different user
communities over an underlying network with strong security features, or to provide
access to a network via customized or private routing mechanisms.
Virtual private wire and private line services (VPWS and VPLS)
In both of these services, the provider does not offer a full routed or bridged network, but
components from which the customer can build customer-administered networks. VPWS
are point-to-point while VPLS can be point-to-multipoint. They can be Layer 1 emulated
circuits with no data link structure.
The customer determines the overall customer VPN service, which also can involve
routing, bridging, or host network elements.
An unfortunate acronym confusion can occur between Virtual Private Line Service and
Virtual Private LAN Service; the context should make it clear whether "VPLS" means
the layer 1 virtual private line or the layer 2 virtual private LAN.
Virtual LAN
A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains,
interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking
protocols have been used but have become obsolete, including Inter-Switch Link (ISL),
IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and
ATM LAN Emulation (LANE).
are a contracted security solution that can reach into hosts. In addition to providing
remote workers with secure access to their employer's internal network, other security
and management services are sometimes included as part of the package. Examples
include keeping anti-virus and anti-spyware programs updated on each client's computer.
A-5
Attacks
Attack methods from an attacker or hacker.
Tricking the shopper
Some of the easiest and most profitable attacks are based on tricking the shopper, also
known as social engineering techniques. These attacks involve surveillance of the
shopper's behavior, gathering information to use against the shopper. For example, a
mother's maiden name is a common challenge question used by numerous sites. If one of
these sites is tricked into giving away a password once the challenge question is
provided, then not only has this site been compromised, but it is also likely that the
shopper used the same logon ID and password on other sites.
customer service representative at the site, posing as the shopper and providing personal
information. The attacker then asks for the password to be reset to a specific value.
Another common form of social engineering attacks are phishing schemes. Typo pirates
play on the names of famous sites to collect authentication and registration information.
For example, http://www.ibm.com/shop is registered by the attacker as
www.ibn.com/shop. A shopper mistypes and enters the illegitimate site and provides
confidential information. Alternatively, the attacker sends emails spoofed to look like
they came from legitimate sites. The link inside the email maps to a rogue site that
collects the information.
A popular technique for gaining entry into the shopper's system is to use a tool, such as
SATAN, to perform port scans on a computer that detect entry points into the machine.
Based on the opened ports found, the attacker can use various techniques to gain entry
into the user's system. Upon entry, they scan your file system for personal information,
such as passwords.
While software and hardware security solutions available protect the public's systems,
they are not silver bullets. A user that purchases firewall software to protect his computer
may find there are conflicts with other software on his system. To resolve the conflict, the
user disables enough capabilities to render the firewall software useless.
Sniffing the network
In this scheme, the attacker monitors the data between the shopper's computer and the
server. He collects data about the shopper or steals personal information, such as credit
card numbers.
There are points in the network where this attack is more practical than others. If the
attacker sits in the middle of the network, then within the scope of the Internet, this attack
becomes impractical. A request from the client to the server computer is broken up into
small pieces known as packets as it leaves the client's computer and is reconstructed at
the server. The packets of a request is sent through different routes. The attacker cannot
access all the packets of a request and cannot decipher what message was sent.
Guessing passwords
Another common attack is to guess a user's password. This style of attack is manual or
automated. Manual attacks are laborious, and only successful if the attacker knows
something about the shopper. For example, if the shopper uses their child's name as the
password. Automated attacks have a higher likelihood of success, because the probability
of guessing a user ID/password becomes more significant as the number of tries
increases. Tools exist that use all the words in the dictionary to test user ID/password
combinations, or that attack popular user ID/password combinations. The attacker can
automate to go against multiple sites at one time.
Using denial of service attacks
The denial of service attack is one of the best examples of impacting site availability. It
involves getting the server to perform a large number of mundane tasks, exceeding the
capacity of the server to cope with any other task. For example, if everyone in a large
meeting asks you your name all at once, and every time you answer, they ask you again.
You have experienced a personal denial of service attack. To ask a computer its name,
you use ping. You can use ping to build an effective DoS attack. The smart hacker gets
the server to use more computational resources in processing the request than the
adversary does in generating the request.
Distributed DoS is a type of attack used on popular sites, such as Yahoo! In this type of
attack, the hacker infects computers on the Internet via a virus or other means. The
infected computer becomes slaves to the hacker.
A-6
Antivirus Technologies
Acomputer virus is a self-replicating program that spreads by inserting copies of itself
into other executable code or documents. The term virus is often extended to refer to
computer worms and other sorts of malware. The most common are:
• Viruses - A virus is a small piece of software that piggybacks on other programs
or files. Each time the program runs or file opens, the virus runs, too. It can
reproduce itself by attaching to other programs or files or wreak havoc.
• E-mail viruses - An e-mail virus moves around in e-mail messages, and usually
replicates itself by automatically mailing itself to dozens of people in the victim's
e-mail address book. Pharmers send e-mails contains a virus that installs small
software programs on users' computers. When a user tries to go to the bank's real
Web site, the program redirects the browser to the pharmer's fake site. It then asks
A-7
In computer networking, the term IP address spoofing or IP spoofing refers to the
creation of Internet Protocol (IP) packets with a forged source IP address, called
spoofing, with the purpose of concealing the identity of the sender or impersonating
another computing system.
Background
The basic protocol for sending data over the Internet network and many other computer
networks is the Internet Protocol ("IP"). The header of each IP packet contains, among
other things, the numerical source and destination address of the packet. The source
address is normally the address that the packet was sent from. By forging the header so it
contains a different address, an attacker can make it appear that the packet was sent by a
different machine. The machine that receives spoofed packets will send response back to
the forged source address, which means that this technique is mainly used when the
attacker does not care about the response or the attacker has some way of guessing the
response.
In certain cases, it might be possible for the attacker to see or redirect the response to his
own machine. The most usual case is when the attacker is spoofing an address on the
same LAN or WAN. Hence the hackers have an unauthorized access over computers.
Applications
IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal
is to flood the victim with overwhelming amounts of traffic, and the attacker does not
care about receiving responses to the attack packets. Packets with spoofed addresses are
thus suitable for such attacks. They have additional advantages for this purpose—they are
more difficult to filter since each spoofed packet appears to come from a different
address, and they hide the true source of the attack. Denial of service attacks that use
spoofing typically randomly choose addresses from the entire IP address space, though
more sophisticated spoofing mechanisms might avoid unroutable addresses or unused
portions of the IP address space. The proliferation of large botnets makes spoofing less
important in denial of service attacks, but attackers typically have spoofing available as a
tool, if they want to use it, so defenses against denial-of-service attacks that rely on the
validity of the source IP address in attack packets might have trouble with spoofed
packets. Backscatter, a technique used to observe denial-of-service attack activity in the
Internet, relies on attackers' use of IP spoofing for its effectiveness.
IP spoofing can also be a method of attack used by network intruders to defeat network
security measures, such as authentication based on IP addresses. This method of attack on
a remote system can be extremely difficult, as it involves modifying thousands of packets
at a time. This type of attack is most effective where trust relationships exist between
machines. For example, it is common on some corporate networks to have internal
systems trust each other, so that users can log in without a username or password
provided they are connecting from another machine on the internal network (and so must
already be logged in). By spoofing a connection from a trusted machine, an attacker may
be able to access the target machine without an authentication.
Another more-recent use is to change a computer's country of origin for the purposes of
accessing internet content limited to specific geopolitical areas. For example, Hulu's
online-tv service can only be accessed by American residents, but theoretically also by
computers spoofing american locations.
Services vulnerable to IP spoofing
Configuration and services that are vulnerable to IP spoofing:
• RPC (Remote Procedure Call services)
A-8
A digital signature or digital signature scheme is a mathematical scheme for
demonstrating the authenticity of a digital message or document. A valid digital signature
gives a recipient reason to believe that the message was created by a known sender, and
that it was not altered in transit. Digital signatures are commonly used for software
distribution, financial transactions, and in other cases where it is important to detect
forgery and tampering.
Digital signatures are often used to implement electronic signatures, a broader term that
refers to any electronic data that carries the intent of a signature,[1] but not all electronic
signatures use digital signatures.[2][3][4] In some countries, including the United States, and
in the European Union, electronic signatures have legal significance. However, laws
concerning electronic signatures do not always make clear whether they are digital
cryptographic signatures in the sense used here, leaving the legal definition, and so their
importance, somewhat confused.
Digital signatures employ a type of asymmetric cryptography. For messages sent through
an insecure channel, a properly implemented digital signature gives the receiver reason to
believe the message was sent by the claimed sender. Digital signatures are equivalent to
traditional handwritten signatures in many respects; properly implemented digital
signatures are more difficult to forge than the handwritten type. Digital signature schemes
in the sense used here are cryptographically based, and must be implemented properly to
be effective. Digital signatures can also provide non-repudiation, meaning that the signer
cannot successfully claim they did not sign a message, while also claiming their private
key remains secret; further, some non-repudiation schemes offer a time stamp for the
digital signature, so that even if the private key is exposed, the signature is valid
nonetheless. Digitally signed messages may be anything representable as a bitstring:
examples include electronic mail, contracts, or a message sent via some other
cryptographic protocol.
Definition
Diagram showing how a simple digital signature is applied and then verified
A-9
Risk management is the identification, assessment, and prioritization of risks followed
by coordinated and economical application of resources to minimize, monitor, and
control the probability and/or impact of unfortunate events.[1] Risks can come from
uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents,
natural causes and disasters as well as deliberate attacks from an adversary. Several risk
management standards have been developed including the Project Management Institute,
the National Institute of Science and Technology, actuarial societies, and ISO standards.[2]
[3]
Methods, definitions and goals vary widely according to whether the risk management
method is in the context of project management, security, engineering, industrial
processes, financial portfolios, actuarial assessments, or public health and safety.
The strategies to manage risk include transferring the risk to another party, avoiding the
risk, reducing the negative effect of the risk, and accepting some or all of the
consequences of a particular risk.
Certain aspects of many of the risk management standards have come under criticism for
having no measurable improvement on risk even though the confidence in estimates and
decisions increase.[1]
Introduction
This section provides an introduction to the principles of risk management. The
vocabulary of risk management is defined in ISO Guide 73, "Risk management.
Vocabulary".
In ideal risk management, a prioritization process is followed whereby the risks with the
greatest loss and the greatest probability of occurring are handled first, and risks with
lower probability of occurrence and lower loss are handled in descending order. In
practice the process can be very difficult, and balancing between risks with a high
probability of occurrence but lower loss versus a risk with high loss but lower probability
of occurrence can often be mishandled.
Intangible risk management identifies a new type of a risk that has a 100% probability of
occurring but is ignored by the organization due to a lack of identification ability. For
example, when deficient knowledge is applied to a situation, a knowledge risk
materialises. Relationship risk appears when ineffective collaboration occurs. Process-
engagement risk may be an issue when ineffective operational procedures are applied.
These risks directly reduce the productivity of knowledge workers, decrease cost
effectiveness, profitability, service, quality, reputation, brand value, and earnings quality.
Intangible risk management allows risk management to create immediate value from the
identification and reduction of risks that reduce productivity.
Risk management also faces difficulties allocating resources. This is the idea of
opportunity cost. Resources spent on risk management could have been spent on more
Methodology
For the most part, these methodologies consist of the following elements, performed,
more or less, in the following order.
1. identify, characterize, and assess threats
2. assess the vulnerability of critical assets to specific threats
3. determine the risk (i.e. the expected consequences of specific types of attacks on
specific assets)
4. identify ways to reduce those risks
5. prioritize risk reduction measures based on a strategy
Process
According to the standard ISO 31000 "Risk management -- Principles and guidelines on
implementation", the process of risk management consists of several steps as follows:
1. Identification of risk in a selected domain of interest
2. Planning the remainder of the process.
3. Mapping out the following:
o the social scope of risk management
o the identity and objectives of stakeholders
o the basis upon which risks will be evaluated, constraints.
4. Defining a framework for the activity and an agenda for identification.
5. Developing an analysis of risks involved in the process.
6. Mitigation of risks using available technological, human and organizational
resources.
A-10
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a data stream. IPsec
also includes protocols for establishing mutual authentication between agents at the
beginning of the session and negotiation of cryptographic keys to be used during the
session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer
users or servers), between a pair of security gateways (e.g. routers or firewalls), or
between a security gateway and a host. [1]
IPsec is a dual mode, end-to-end, security scheme operating at the Internet Layer of the
Internet Protocol Suite or OSI model Layer 3. Some other Internet security systems in
widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS)
and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPsec can be
used for protecting any application traffic across the Internet. Applications need not be
specifically designed to use IPsec. The use of TLS/SSL, on the other hand, must typically
be incorporated into the design of applications.
IPsec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP
was based on the SP3 protocol that was published by NIST, but designed by the Secure
Data Network System project of the National Security Agency (NSA).
IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of
Request for Comments addressing various components and extensions, including the
official capitalization style of the term.
Security architecture
The IPsec suite is a framework of open standards. IPsec uses the following protocols to
perform various functions: [2][3]
• Internet key exchange (IKE and IKEv2) to set up a security association (SA) by
handling negotiation of protocols and algorithms and to generate the encryption
and authentication keys to be used by IPsec. [4][5]
• Authentication Header (AH) to provide connectionless integrity and data origin
authentication for IP datagrams and to provide protection against replay attacks. [6]
[7]