CS 428 Computer Networking: IP Security, IPSec, Firewall Design (© MMII JW Ryder)


© MMII JW Ryder, CS 428 Computer Networking

Slide 1: IP Security
 IPSec
 Firewall Design
 Security - understanding when and how users, computers, services, networks can trust one another
 2 fundamental techniques
   Perimeter security
   Encryption

Slide 2: Security
 Perimeter security - allows organization to determine services and networks it will make available to outsiders
 Encryption handles most other aspects

Slide 3: Security
 Security implies safety, assurance of data integrity, freedom from unauthorized access, freedom from snooping or wiretapping, freedom from disruption of service
 Physical security is as important as protecting abstract resources

Slide 4: Aspects of Protection
 Data Integrity - protect from unauthorized change
 Data Availability - outsiders cannot prevent legitimate access to data
 Confidentiality
 Authorization - access only to the data required
 Replay Avoidance - outsiders cannot capture copies of packets and replay them

Slide 5: Information Policy
 “Before an organization can enforce network security, it must assess risks and develop a clear policy regarding information access and protection.”
 An information policy begins with people - the most susceptible point in any security scheme

Slide 6: Internet Security
 Datagrams can be intercepted or compromised - the contents cannot be trusted
 Example
   Server attempts source authentication
   Examines source IP address
 Source authentication is weak
 Stronger authentication requires encryption

Slide 7: IPSec
 A set of protocols that provide secure Internet communication
 Valid for IPv4 and IPv6
 IPSec is flexible and extensible
   Can use authentication or encryption
   Asymmetric choices OK
   Does not demand a specific authentication or encryption algorithm
 Includes a set of encryption algorithms that all implementations must recognize

Slide 8: IPSec AH
 Authentication Header
 See figures 32.1 and 32.2 on pages 584 and 585
 Inserts AH after IP header and before transport header
 PROTOCOL field in IP header changed to value 51
 PROTOCOL field is changed, so how does receiver determine the type?

Slide 9: IPSec AH
 AH has a NEXT HEADER field; the original PROTOCOL value is written here
 PAYLOAD LEN - length of AH
 SEQUENCE NUMBER - starts at 0 and increases monotonically
 SECURITY PARAMETER INDEX - specifies Security Association (SA)
 AUTHENTICATION DATA - based upon security scheme

Slide 10: Security Association
 Security scheme includes
   authentication algorithm
   key(s)
   key lifetime
   algorithm lifetime for destination
   authorized source addresses
 Information cannot fit into header
 Each receiver collects all details about security scheme into an abstraction called a Security Association

Slide 11: Security Association
 Each SA given a number, aka a security parameters index
 Before sender can use IPSec to communicate with a receiver, sender must know index value of an SA on receiver
 Index values owned by destinations, not globally known!
 SAs can have lifetimes, after which index values are reused

Slide 12: IPSec ESP
 Privacy plus Authentication
 Encapsulating Security Protocol
 Value 50 in PROTOCOL field
 See figures on pages 586 and 587
 3 additional areas
   ESP HEADER
   ESP TRAILER
   ESP AUTH - variable size

Slide 13: IPSec ESP
 Uses many of same items as AH but reorders them
 ESP HEADER
   8 octets for SPI and SEQ NUMBER
 ESP TRAILER
   Optional padding
   PADDING LENGTH
   NEXT HEADER
 ESP AUTH data

Slide 14: IPSec ESP
 Padding may be present for 3 reasons
   Some decryption algorithms require zeros following encrypted message
   NEXT HEADER is right justified within a 4 octet field; IPSec requires that the AUTH data that follows the trailer start on a 4 octet boundary
   Random padding to throw off sniffers
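As an added example (not from the slides or the textbook), the following Python builds and validates the ESP TRAILER described above: padding, then the 1-octet PAD LENGTH, then the 1-octet NEXT HEADER, sized so that the trailer ends on a cipher-block boundary and at least on a 4-octet boundary, which is what leaves NEXT HEADER right-justified and lets ESP AUTH start on a 4-octet boundary. The 1, 2, 3, ... padding bytes follow the RFC 4303 default; that choice and the 16-octet block size are assumptions of this example, and the encryption and ESP AUTH computation are left out because the slide is about layout only.

```python
def esp_trailer(payload, next_header, block_size=16):
    """Append the ESP TRAILER: padding, PAD LENGTH (1 octet), NEXT HEADER (1 octet).

    len(payload) + len(padding) + 2 must be a multiple of the cipher block size and of
    4 octets, so NEXT HEADER is the last octet of a 4-octet word and the ESP AUTH data
    that follows starts on a 4-octet boundary. Padding bytes are 1, 2, 3, ... (RFC 4303
    default; an assumption here, the slides only say padding may be random)."""
    align = max(block_size, 4)
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def strip_esp_trailer(plaintext):
    """Receiver side, after decryption: validate and remove the trailer.

    Returns (original payload, next_header). A PAD LENGTH that points past the start
    of the plaintext, or padding that does not match the expected sequence, is
    rejected rather than silently trusted."""
    if len(plaintext) < 2:
        raise ValueError("plaintext shorter than an ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    body_end = len(plaintext) - 2 - pad_len
    if body_end < 0:
        raise ValueError("PAD LENGTH exceeds plaintext length")
    if plaintext[body_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected sequence")
    return plaintext[:body_end], next_header


def auth_data_offset(esp_header_len, trailered_payload):
    """Offset at which ESP AUTH would begin; always a multiple of 4 by construction."""
    return esp_header_len + len(trailered_payload)


if __name__ == "__main__":
    # Constructed inputs: a 15-octet TCP segment (NEXT HEADER 6) and a 14-octet one.
    for body in (b"A" * 15, b"A" * 14):
        t = esp_trailer(body, 6)
        print(len(body), "octet payload ->", len(t), "octets, PAD LENGTH", t[-2],
              "AUTH at offset", auth_data_offset(8, t))
        assert strip_esp_trailer(t) == (body, 6)
```

With the 8-octet ESP HEADER (SPI + SEQ NUMBER) in front, the AUTH offset reported by `auth_data_offset` is always a multiple of 4, which is the alignment the slide describes.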

Slide 15: Mutable Fields
 IPSec authentication designed to assure arriving datagram is identical to that sent by source
 Intermediate routers decrement TTL fields and re-compute checksums
 Mutable fields = IP header fields that can change
 IPSec only authenticates immutable fields
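As an added example that is not part of the slides or the textbook, the Python below ties together the AH slides, the Security Association slides and the mutable-fields slide: the sender writes the original PROTOCOL value into NEXT HEADER and sets PROTOCOL to 51, the receiver finds the SA by looking the SPI up in its own database, and the AUTHENTICATION DATA is an HMAC over the immutable IP fields, the AH (with its own ICV field zeroed) and the payload. A router hop that decrements TTL and recomputes the checksum therefore still verifies, while any change to the payload or an unknown SPI does not. The SPI, key, HMAC-SHA-256-128 algorithm and the packet itself are constructed for the example; the extra mutable fields zeroed beyond TTL and checksum (TOS, flags/fragment offset) follow RFC 4302.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_AH = 51          # PROTOCOL value that marks an Authentication Header
ICV_LEN = 16             # HMAC-SHA-256-128 (RFC 4868): ICV truncated to 128 bits

# Constructed receiver-side Security Association Database, keyed by SPI.
# Key and algorithm are illustrative assumptions, not values from the slides.
SAD = {
    0x1001: {"key": b"constructed-demo-key-for-spi-1001", "hash": hashlib.sha256},
}


def ipv4_checksum(hdr):
    """Ones-complement checksum of a 20-octet header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-octet IPv4 header without options (constructed packet)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def immutable_view(ip_hdr):
    """Copy of the header with mutable fields zeroed: TTL and checksum as the slides
    say, plus TOS and flags/fragment offset, which RFC 4302 also treats as mutable."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def compute_icv(sa, ip_hdr, ah_fixed, payload):
    """ICV over immutable IP fields, the AH with its ICV field zeroed, and the payload."""
    data = immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(sa["key"], data, sa["hash"]).digest()[:ICV_LEN]


def build_ah_packet(src, dst, spi, seq, payload, next_header=IPPROTO_TCP):
    """Sender side: IP header (PROTOCOL=51) + AH + the original transport payload."""
    sa = SAD[spi]                      # sender must already know the receiver's SPI
    ah_len = 12 + ICV_LEN
    # NEXT HEADER carries the original PROTOCOL; PAYLOAD LEN is in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(payload))
    return ip_hdr + ah_fixed + compute_icv(sa, ip_hdr, ah_fixed, payload) + payload


def parse_ah(packet):
    """Receiver side: recognise the AH via PROTOCOL=51 and split out its fields."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != IPPROTO_AH:
        raise ValueError("PROTOCOL field is not 51 (AH)")
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (payload_len + 2) * 4
    return {"ip_hdr": ip_hdr, "ah_fixed": packet[20:32], "next_header": next_header,
            "spi": spi, "seq": seq, "icv": packet[32:20 + ah_len],
            "payload": packet[20 + ah_len:]}


def verify_ah(packet):
    """True only if the SPI names a known SA and the ICV matches."""
    f = parse_ah(packet)
    sa = SAD.get(f["spi"])
    if sa is None:
        return False    # index values are owned by the receiver; unknown SPI => discard
    expected = compute_icv(sa, f["ip_hdr"], f["ah_fixed"], f["payload"])
    return hmac.compare_digest(expected, f["icv"])


def decrement_ttl(packet):
    """What an intermediate router does: TTL - 1 and a recomputed header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


if __name__ == "__main__":
    pkt = build_ah_packet("10.0.0.1", "192.0.2.5", 0x1001, 1, b"GET / HTTP/1.0\r\n")
    print("fresh packet verifies:       ", verify_ah(pkt))
    print("after a router hop verifies: ", verify_ah(decrement_ttl(pkt)))
    print("tampered payload verifies:   ", verify_ah(pkt[:-1] + b"X"))
```

The receiver never trusts the source address to pick a key; it trusts only what the SPI selects from its own SAD, and `hmac.compare_digest` keeps the ICV comparison constant-time. Sequence-number replay checking, which the slides list as a separate service, is not modelled here.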

Slide 16: IPSec Tunneling
 Standard defines both AH and ESP tunnels
   See figure 32.4 on page 588
 Required security algorithms
   See figure 32.5 on page 588
 Secure Sockets Layer (SSL)
   Originated by Netscape
   Dual authentication, negotiates encryption algorithm
   Secure connection, not formally adopted by IETF but de facto standard

Slide 17: Firewalls
 Place firewall at connection to external internet
 Inside and outside regions
 Intranet can have several external connections
   As strong as weakest link
   All firewalls must be configured to use same access restrictions

Slide 18: Firewalls
 In theory, a firewall simply blocks all communication between the organization and the outside
 In practice, need more than this
 Firewalls need to be tailored to specific organization
 Must have hardware and software to handle a potentially busy interface

Slide 19: Packet-Level Filters
 High speed filtering mechanism
 Manager configures filter in router
 Filter (block) all datagrams from a specific source or those used by a specific application
 Does not keep record of filtering
 Packet filters are not specified by the TCP/IP standards

Slide 20: Packet Filters
 See figure 32.6 on page 591
 Block incoming datagrams destined for well-known services
 Block outgoing datagrams for any 16 bit prefix from to remote server (TCP port 25)

Slide 21: Packet Filters
 Previous example does not work well for firewall
   Number of well-known ports is large
   Much traffic on an internet does not travel on well-known ports
   Programmers can choose
   Remote Procedure Call assigns dynamic port numbers
 Listing ports leaves the firewall open for tunneling

Slide 22: Firewalls
 Tunneling can circumvent security
   Host on inside agrees to accept encapsulated datagrams from host on outside
   Remove one layer and then forward to internal service
 Must reverse idea of filtering
   Instead of identifying what datagrams should be filtered (blocked), block everything!

Slide 23: Firewalls
 Allow only those for approved networks, hosts, and ports
 Examine organization's information policy, then enable certain functionality
 Many packet filters use this approach
 Solves many problems and has an interesting consequence
   Prevents inside user from accessing outside resources

Slide 24: Firewalls
 Servers may operate on well-known ports but clients do not
 Clients may send data out but won’t get data back in
 Packet filter will block client’s returning datagram
 Not all organizations configure to block all internal unknown port numbers

Slide 25: Secure Firewalls
 Users on the inside need to access resources on the outside
 Can only provide safe access through a secure computer
 Install one secure computer with each firewall and install a set of application gateways on that computer
 Bastion Host Proxy Access

Slide 26: Secure Gateway
 See figure 32.7 on page 593
 Outer barrier
   Blocks all incoming traffic except for datagrams destined for
     services on bastion that organization chooses to expose externally
     clients on the bastion host
 Inner barrier
   Blocks incoming traffic except those coming from bastion
 Manual bypass

Slide 27: Secure Firewalls
 Web access example
   Firewall prevents user computer from receiving datagrams
   User cannot use browser for direct access
   Arrange proxy server on bastion host
   Inside, each browser configured to use the proxy
   Proxy contacts URL, receives information and returns it transparently to user inside firewall

Slide 28: Firewall Implementation
 Each barrier requires router with packet filter
 Network connections between the routers and bastion host
 See figure 32.8 on page 594
   R2 = outer barrier
   H = bastion host
   R1 = inner barrier
 Safety of firewall depends on safety of bastion host (software and hardware)

Slide 29: Stub Network
 Previous example known as stub network
 Stub network isolates organization
 May be considered unnecessary
 See figure 32.9 on page 595 for alternative firewall permitting many external connections
 One router per connection - all external connections also mistrust one another

Slide 30: Firewalls
 Monitoring
   Active - firewall notifies whenever there is an incident
   Passive - firewall records activity in logs
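As an added example, not from the slides or the textbook, the Python below models the packet-filter and bastion-host slides together: a stateless, default-deny filter ("block everything, then allow approved networks, hosts and ports"), an outer barrier R2 that admits only datagrams bound for the bastion host, an inner barrier R1 that admits only datagrams coming from the bastion, and a log of every decision for passive monitoring. Running it shows the consequence the packet-filter slides describe: an inside client's outbound request leaves, but the reply to its non-well-known port is dropped at R2, whereas the same reply addressed to the proxy on the bastion is admitted and then relayed inward through R1. The addresses, the exposed service (TCP 80) and the port range assumed for bastion clients are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (illustrative addresses, not from the slides).
INSIDE = ip_network("10.1.0.0/16")        # organization's internal network
BASTION = ip_network("192.0.2.10/32")     # bastion host H on the stub network
ANY = ip_network("0.0.0.0/0")
TCP = 6


class Rule:
    """One filter rule; dport may be None, a single port, or an inclusive (lo, hi) range."""

    def __init__(self, action, src=ANY, dst=ANY, proto=None, dport=None):
        self.action, self.src, self.dst, self.proto, self.dport = action, src, dst, proto, dport

    def matches(self, pkt):
        if ip_address(pkt["src"]) not in self.src or ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None:
            lo, hi = self.dport if isinstance(self.dport, tuple) else (self.dport, self.dport)
            if not lo <= pkt["dport"] <= hi:
                return False
        return True


class PacketFilter:
    """Stateless packet filter: first matching rule wins; anything unmatched is denied."""

    def __init__(self, name, rules):
        self.name, self.rules, self.log = name, rules, []

    def decide(self, pkt):
        action = next((r.action for r in self.rules if r.matches(pkt)), "deny")
        self.log.append((action, pkt))      # passive monitoring: every decision is recorded
        return action

    def incidents(self):
        """Denied datagrams: what active monitoring would raise a notification for."""
        return [pkt for action, pkt in self.log if action == "deny"]


# R2, outer barrier: only datagrams destined for the bastion get in, and only for the
# service the organization exposes (TCP 80 here) or for the non-well-known ports used
# by clients and proxies running on the bastion (range is an assumption of this example).
R2 = PacketFilter("R2 (outer barrier)", [
    Rule("permit", dst=BASTION, proto=TCP, dport=80),
    Rule("permit", dst=BASTION, proto=TCP, dport=(1024, 65535)),
])
# R1, inner barrier: only traffic coming from the bastion reaches the inside.
R1 = PacketFilter("R1 (inner barrier)", [Rule("permit", src=BASTION, dst=INSIDE)])


def packet(src, dst, dport, sport=40000, proto=TCP):
    """Constructed datagram summary: just the fields a packet-level filter looks at."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def from_outside(pkt):
    """Path of a datagram arriving from the external internet: R2, then R1 if inside-bound."""
    decisions = {"R2": R2.decide(pkt)}
    if decisions["R2"] == "permit" and ip_address(pkt["dst"]) in INSIDE:
        decisions["R1"] = R1.decide(pkt)
    return decisions


def from_bastion(pkt):
    """Path of a datagram the bastion host (e.g. its proxy) sends toward the inside."""
    return {"R1": R1.decide(pkt)}


if __name__ == "__main__":
    print("outside -> inside host:80       ", from_outside(packet("203.0.113.7", "10.1.2.3", 80)))
    print("outside -> bastion:80           ", from_outside(packet("203.0.113.7", "192.0.2.10", 80)))
    print("reply to inside client:51000    ", from_outside(packet("203.0.113.7", "10.1.2.3", 51000, sport=80)))
    print("reply to bastion proxy:51000    ", from_outside(packet("203.0.113.7", "192.0.2.10", 51000, sport=80)))
    print("bastion proxy -> inside client  ", from_bastion(packet("192.0.2.10", "10.1.2.3", 51000)))
    print("R2 incidents logged:            ", len(R2.incidents()))
```

Because the filter is stateless, R2 cannot tell a legitimate reply to an inside client from any other inbound datagram, which is exactly why the slides move inside users onto the bastion's proxies; the `incidents` list is the raw material a passive log or an active notification would be built from.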