What is IPSec? Internet Protocol Security for cellular IoT

IPSec is a set of protocols that enable encrypted device connections, providing an essential layer for securing data exchanges on a network. Let's take a closer look at what IPSec is, how it works, and why it's important for cellular IoT.

Jonathan Rosenfeld

Head of Marketing

March 16, 2026

What is IPSec?

IPSec (Internet Protocol Security) is a set of protocols that authenticate and encrypt data packets between two points on an IP network. It provides data integrity, confidentiality, and anti-replay protection, making it the foundation for most virtual private networks (VPNs).

IPSec is a complicated web of processes, incorporating several different technologies and ways of encrypting data. But how it works can be explained in five steps:

1. Defining interesting traffic

IPSec determines which traffic to encrypt, and how to encrypt it, based on its destination. Once identified, this traffic is handed to Internet Key Exchange (IKE), a hybrid protocol built on two components:

  • Internet Security Association and Key Management Protocol (ISAKMP): Establishes security associations (the "key" to unlock the data)
  • Oakley Protocol: Defines the algorithm for data exchange (the "box" containing the data)

2. Establishing a secure connection

Next, IKE establishes the connection: it authenticates the IPSec peers, exchanges secret encryption keys, and ensures that all parties are using the same protocols. This sets the stage for creating a secure tunnel.

3. Building the tunnel

The next step is setting up the IPSec tunnel, a direct router-to-router connection where all data is encrypted. To do this, the protocols must establish security associations and periodically regenerate the IPSec Security Association.

4. Using the encrypted tunnel

Data is sent back and forth through the tunnel based on IPSec parameters and keys.

5. Tunnel termination

The tunnel can close either through manual deletion or by timing out. It can be pre-set to close after a certain number of inactive seconds, or when a predetermined quantity of data has passed through.
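Steps 4 and 5, together with the anti-replay protection mentioned in the definition, as an added example (not from the original article or from Hologram): a receive-side model of one security association that rejects replayed sequence numbers with a sliding window and tears the tunnel down on an idle timeout or a byte limit. The class and field names, the 64-packet window, and the `icv_ok` flag standing in for real integrity verification are assumptions of this sketch.

```python
from dataclasses import dataclass

WINDOW = 64  # anti-replay window in packets (assumed size for this model)

@dataclass
class InboundSA:
    """Receive side of one security association (constructed model, no crypto)."""
    idle_timeout: float     # seconds of inactivity before the tunnel is torn down
    byte_limit: int         # bytes allowed through before the tunnel is torn down
    last_seen: float = 0.0  # time of last accepted packet (starts at SA creation)
    bytes_seen: int = 0
    highest_seq: int = 0    # highest authenticated sequence number so far
    bitmap: int = 0         # bit i set => sequence (highest_seq - i) already accepted
    closed: str = ""        # teardown reason once the SA has ended

    def receive(self, seq: int, length: int, now: float, icv_ok: bool = True) -> str:
        if not self.closed and now - self.last_seen > self.idle_timeout:
            self.closed = "idle timeout"
        if self.closed:
            return "drop: sa closed"
        # Cheap replay check first, before any integrity verification.
        if seq < 1:
            return "drop: invalid seq"
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return "drop: too old"
        if offset >= 0 and (self.bitmap >> offset) & 1:
            return "drop: replay"
        if not icv_ok:  # stands in for verifying the integrity check value
            return "drop: bad icv"
        # Only authenticated packets may move the window or the counters.
        if offset < 0:
            self.bitmap = ((self.bitmap << -offset) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.bitmap |= 1 << offset
        self.last_seen, self.bytes_seen = now, self.bytes_seen + length
        if self.bytes_seen >= self.byte_limit:
            self.closed = "byte limit"
        return "accept"

def run_constructed_trace() -> list[str]:
    """Replay a constructed packet trace: (seq, length, time, icv_ok)."""
    sa = InboundSA(idle_timeout=30, byte_limit=3000)
    trace = [(1, 500, 1, True), (3, 500, 2, True), (2, 500, 3, True),
             (3, 500, 4, True), (4, 500, 5, False), (4, 500, 6, True),
             (5, 1000, 7, True), (6, 100, 8, True)]
    return [sa.receive(*pkt) for pkt in trace]
```

In the constructed trace, the forged packet with sequence 4 is dropped without advancing the window, so the genuine packet 4 that follows is still accepted.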

Protocols used in IPSec

IPSec relies on multiple protocols working together to secure network communications. Each protocol serves a specific function—from verifying data authenticity to encrypting payloads and managing encryption keys. Understanding these core protocols helps clarify how IPSec creates secure connections for cellular IoT devices. The main protocols include:

Authentication headers

The Authentication Header (AH) supplies data origin authentication, data integrity, and anti-replay services to IP. However, this protocol doesn't encrypt anything. It just makes sure that information is coming from the right source.

Encapsulating security payloads (ESP)

ESP encrypts and authenticates the payload, which is the key information traveling through the network. It sits as a header between the IP layer and upper-layer protocols like TCP, ICMP, and UDP. ESP can operate in either tunnel mode or transport mode.

Internet security association and key management protocol (ISAKMP)

A protocol designed to establish security associations (SAs), ISAKMP provides a framework for key exchange and authentication. Internet Key Exchange (IKE), mentioned earlier, is one source of keys that can be used with ISAKMP.

Why IPSec is important for cellular IoT

For cellular IoT deployments, IPSec provides critical security capabilities that address the unique challenges of connecting distributed devices across public networks. From authenticating thousands of endpoints to encrypting sensitive sensor data in transit, IPSec forms the backbone of secure IoT communications. Here's why IPSec is essential for cellular IoT implementations:

Device authentication

IoT devices must connect with one another and the cloud, typically via a gateway. Authentication, which gives each device permission to join the network and exchange information, plays an important role in ensuring data security.

Encryption

Encrypting data is a given for cybersecurity, and best practice is to always use end-to-end encryption.

Secure tunneling

In tunnel mode, IPSec links two networks, creating a VPN that extends a private network across public infrastructure. This allows you to share data over the public internet while maintaining the security of both private networks. The VPN encrypts and authenticates all traffic traveling through the tunnel.

Secure tunneling with Hologram

All IoT devices need dependable connectivity that emphasizes security. Hologram's Spacebridge service lets you create secure, authenticated tunnels to any device with a Hologram SIM card on a cellular network.

Hologram supports software-defined network solutions that deliver:

  • Private APN benefits: Without the cost or complexity of building your own network
  • Simplified deployment: Faster setup with less infrastructure overhead
  • End-to-end security: Encrypted tunnels for your entire IoT fleet

Frequently asked questions

What is cellular IoT?

Cellular IoT connects physical devices using existing cellular networks, enabling sensors and actuators to exchange data without building new infrastructure. This approach reduces deployment costs while leveraging proven mobile network technology.

What are the main security protocols for IoT?

TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) are the primary protocols protecting IoT communications. TLS secures TCP-based connections with encryption and authentication, while DTLS adapts these protections for UDP traffic.

What are the 4 types of IoT?

The four main IoT categories are consumer IoT (smart home devices), commercial IoT (retail and office applications), industrial IoT (manufacturing and logistics), and infrastructure IoT (smart cities and utilities). Each category addresses different connectivity and security requirements.

What are the biggest security risks with IoT devices?

Weak authentication poses the greatest threat to IoT security. Many devices ship with default passwords that hackers easily exploit. Once compromised, these devices expose common IoT security vulnerabilities across entire networks and sensitive data.
