Richard Henson University of Worcester November 2016


COMP3371 Cyber Security

Week 6: Securing LAN data using Firewalls, VPNs, etc.
Objectives:
- Relate Internet security issues to the TCP/IP protocol stack
- Explain principles of firewalling
- Explain what a proxy service is, and why it can be a more flexible solution than a firewall
- Explain Internet security solutions that use the principles of a VPN

Security and the OSI layers
Simplified TCP/IP model: OSI layers 1 and 2 are combined as the network access (link) layer, layer 3 is the internet (IP) layer, layer 4 is the transport layer (TCP/UDP), and layers 5/6/7 are combined as the application layer.
- Application: HTTP, FTP, SMTP, NFS, DNS, SNMP
- Transport: TCP, UDP
- Internet: IP

TCP/IP and the Seven Layers
TCP (Transmission Control Protocol) and IP (Internet Protocol) only make up part of the seven layers (layers 4 and 3 respectively). The upper layers sit on top of TCP (or UDP) to deliver data to the application and ultimately the screen; the lower layers turn packets into frames and into the electrical, optical or radio signals the hardware carries.
Each layer represents a potential security vulnerability:
- application vulnerabilities (layers 5-7)
- port (TCP/UDP service) vulnerabilities (layer 4)
- network addressing and routing vulnerabilities (IP, layer 3)
- hardware and link vulnerabilities (layers 1-2)

Intranet
A misunderstood term. An intranet is achieved by an organisation using HTTP to share data internally in a www-compatible format; it uses secure user authentication and a secure data transmission system. Many still call a protected file structure on its own an intranet, which is technically incorrect.
Implemented as EITHER:
- a single LAN (domain) with a web server (see diagram)
- several interconnected LANs (trusted domains) covering a larger geographic area

Extranet
An extension of the intranet beyond the organisation boundary to cover selected trusted "links", e.g. customers and business partners. It uses the public Internet as its transmission system and requires authentication to gain access.
Can provide secure TCP/IP access to: paid research, current inventories, internal databases, any unpublished information.

Securing Authentication through Extranets
Connected Windows networks? Use Kerberos? A VPN? BUT Windows domain authentication uses several TCP/UDP ports when establishing a session (Kerberos on 88, LDAP on 389, SMB on 445, plus RPC), so opening them to the whole Internet exposes the domain controllers.
Solution: firewall configuration allows the relevant ports to be opened only for "trusted" hosts. Caveat: a filter that trusts a source IP address can be fooled by IP spoofing, so this is access control by address, not authentication of the peer.

Issues in creating an Extranet
Public networks: security is handled through appropriate use of secure authentication and transmission technologies.
If using the Internet, client-server web applications can run across different sites, BUT the security issues need resolving; a VPN (Virtual Private Network) could be used.
Private leased lines between sites do not need to use HTTP etc. and are more secure, but expensive (BALANCE).

Unsecured LAN-Internet Connection: Router Only (diagram): INTERNET/EXTERNAL NETWORK; ROUTER (packet navigation, no filtering); Internal Network

An Unsecured LAN-Internet Connection via Router (diagram): the router works at layer 3, data passes through unchanged and is routed by IP address tables; layers 2 and 1 on each side of the router

Securing Sharing of Data through Extranets
One solution: the extranet client uses the web server and browser for user interaction, with secure application-layer (level 7) protocols:
- HTTPS: ensures pages are only available to authenticated users and encrypts the session
- SSH (secure shell): secure remote login and secure file transfer (SFTP/SCP)
Both run over a security layer (TLS for HTTPS, the SSH transport layer for SSH) above TCP (level 4) that authenticates the server and encrypts the data. Note that TLS does not restrict IP routing: it protects the data whatever path the packets take.
The relevant firewall ports should be opened:
- TCP port 22 for SSH
- TCP port 443 for HTTPS
- TCP port 1723 (plus GRE, IP protocol 47) if the VPN is PPTP (later...)

The Internet generally uses IP - HOW can data be secured? 2016: more than a billion hosts!

Securing the Extranet
Problem: the IP protocol sends packets off in different directions according to the destination IP address and routing data; packets can be intercepted or redirected anywhere along the way. What about penetration through other protocols, working at different OSI layers?
A VPN fixes the endpoints rather than the path: packets are encapsulated and encrypted between the IP addresses of the secure VPN servers, so whatever route the public Internet chooses, an intercepted packet yields nothing readable.

Other Secure level 7 protocols
More about SSH:
- SSH-1: 1995, Tatu Ylönen at Helsinki University of Technology, for secure remote login and file transfer; uses TCP port 22; runs on a variety of platforms
- SSH-2: enhanced version using public-key cryptography for host and user authentication (host keys, optionally certificates); standardised in RFC 4251-4254 (2006), of which RFC 4252 is the authentication protocol
- SSH-1 has known protocol weaknesses and should no longer be enabled

Creating a "Secure Site"?
To put it bluntly: a LAN that provides formidable obstacles to potential hackers. It keeps a physical barrier between the local server and the Internet, linked through an intermediate computer called a firewall or proxy server.
Restrictions on access: security provided by authentication between levels 4 and 7.

Lower OSI layers security (Stage 1)
Simple (stateless) firewall: packet filtering by header fields.
- IP address filtering: fooled by "IP spoofing", since the source address is whatever the sender wrote in the header
- TCP/UDP port filtering: data associated with blocked ports is dropped; the port number is also held in the packet header

LAN-Internet Connection: Firewall (diagram): INTERNET/EXTERNAL NETWORK; FIREWALL (packet filtering); Internal Network

Firewall Configuration
The firewall blocks data by the (logical) TCP/UDP port used by each application protocol that connects to TCP. With all ports blocked, no data gets through unless a rule explicitly allows it (default deny): https://www.youtube.com/watch?v=doAnB5_eDnw
Configuration includes which ports to block as well as which IP addresses to block, and includes auditing (logging) of packets.
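The kind of rule set the last three slides describe (address and port filtering, ports opened only for trusted hosts, default deny, an audit log), as an added example that is not from the slides or any firewall product. The LAN block 192.168.10.0/24, the trusted partner block 203.0.113.0/24 and the sample packets are constructed for illustration.

```python
"""Stateless packet filter with default deny, per the firewall slides.

Added example, not from the slides or any product. The rule set, the
address ranges (192.168.10.0/24 as the LAN, 203.0.113.0/24 as the trusted
partner) and the sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN block
# Addresses that can never legitimately arrive from the Internet side:
# RFC 1918 private ranges, loopback, and our own LAN block.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    INTERNAL_LAN,
]


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as written in the IP header (untrusted)
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port from the TCP/UDP header
    iface: str    # interface the packet arrived on: "ext" (Internet) or "int" (LAN)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: Optional[str] = None  # None matches any interface
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """A rule matches when every field it specifies matches the packet."""
        return (
            (self.iface is None or self.iface == p.iface)
            and (self.src is None or ipaddress.ip_address(p.src) in self.src)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def build_rules(trusted_partner: str) -> List[Rule]:
    """Ordered, first-match rule list for the extranet firewall's external interface."""
    partner = ipaddress.ip_network(trusted_partner)
    rules: List[Rule] = []
    # 1. Ingress anti-spoofing: packets from the Internet claiming an internal or
    #    private source address are forged, so drop them before any allow rule.
    for net in BOGON_SOURCES:
        rules.append(Rule("deny", iface="ext", src=net))
    # 2. Services the extranet publishes to everyone: HTTPS and SSH.
    rules.append(Rule("allow", iface="ext", proto="tcp", dport=443))
    rules.append(Rule("allow", iface="ext", proto="tcp", dport=22))
    # 3. Windows authentication ports (Kerberos 88, LDAP 389) opened only for the
    #    trusted partner's address block.
    for dport in (88, 389):
        for proto in ("tcp", "udp"):
            rules.append(Rule("allow", iface="ext", src=partner, proto=proto, dport=dport))
    # 4. Default deny: anything not explicitly allowed above is dropped.
    rules.append(Rule("deny"))
    return rules


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule ("deny" if none match)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def audit(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Firewall audit log: one line per packet with the decision taken."""
    return [
        f"{filter_packet(rules, p).upper():5} {p.iface} {p.src} -> {p.dst} {p.proto}/{p.dport}"
        for p in packets
    ]


if __name__ == "__main__":
    rules = build_rules("203.0.113.0/24")
    for line in audit(rules, [
        Packet("203.0.113.7", "192.168.10.5", "tcp", 88, "ext"),    # partner: Kerberos allowed
        Packet("198.51.100.9", "192.168.10.5", "tcp", 88, "ext"),   # stranger: Kerberos denied
        Packet("198.51.100.9", "192.168.10.5", "tcp", 443, "ext"),  # anyone: HTTPS allowed
        Packet("192.168.10.99", "192.168.10.5", "tcp", 443, "ext"), # spoofed LAN source: denied
    ]):
        print(line)
```

The anti-spoofing rules catch the easy case, a packet from the Internet claiming an internal source. They cannot catch a packet that forges the partner's 203.0.113.x address from elsewhere on the Internet: rule 3 matches and it is allowed. That is the "fooled by IP spoofing" weakness of a stateless filter, and the reason the later slides move to protocols (TLS, SSH, IPsec) that authenticate the peer cryptographically rather than by address.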

An Unsecured LAN-Internet Connection via Firewall
IP filtering slows down packet flow; might it not be necessary? What is the risk?
Also: a request by a LAN client for Internet data across a router reveals the client IP address. Generally this is a desired effect, since the "local" IP address must be known to the remote server, which picks up the required data and returns it via the router and server to the local IP address. Problem: the address could be intercepted, and future data sent to that IP address may not be so harmless.

An Unsecured LAN-Internet Connection via Router
Another problem: addressing. Public IP addresses are allocated by IANA through the regional registries. If an internal LAN uses addresses that are allocated to someone else on the Internet, traffic to those addresses is mis-routed and the LAN can no longer reach the real hosts.
Safeguard: use the private address ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which are never routed on the public Internet, and allocate client addresses from that range with DHCP (Dynamic Host Configuration Protocol). NAT at the router then translates them to the organisation's allocated public address(es).

A LAN-Internet connection via Gateway (diagram): INTERNET/EXTERNAL NETWORK, e.g. TCP/IP; GATEWAY (packet conversion); Internal Network using a local protocol

A LAN-Internet connection via Gateway
At a gateway, processing can be at higher OSI levels (>= level 4). Local packets are converted into other formats, so the remote network does not have direct access to the local machine; IP packets are only recreated at the desktop. Local client IP addresses therefore do not need to comply with public IANA allocations.

A LAN-Internet connection via Proxy Server (diagram): INTERNET/EXTERNAL NETWORK, e.g. TCP/IP; Proxy Server (local IP addresses); Internal Network using a local protocol

The Proxy Server
Acts like a gateway in some respects: it provides a physical block between external and internal networks, and only the proxy's own address is seen from outside. But it can still use the same protocol (e.g. TCP/IP) on both sides, and can cache web pages for improved performance.

VPNs (Virtual Private Networks)
Two-pronged defence:
- physically keeping the data away from unsecured servers: several protocols are available for sending packets along a pre-defined route
- data encapsulated and encrypted, so it appears to travel as if on a point-to-point link but is still secure even if intercepted
Result: a secure system with pre-determined pathways for all packets.

VPNs: OSI levels 1-3: restricted use of the physical Internet (diagram, VPN shown in green)

Principles of VPN protocols
- The tunnel: where the private data is encapsulated (or "wrapped")
- The VPN connection interfaces: where the private data is encrypted before entering the tunnel (and decrypted on leaving it)

Principles of VPN protocols
To emulate a point-to-point link: data is encapsulated with a header that provides routing information, allowing packets to traverse the shared public network to its endpoint.
To emulate a private link: data is encrypted for confidentiality. Any packets intercepted on the shared public network are indecipherable without the encryption keys.

Using a VPN as part of an Extranet

Using a VPN for point-to-point

Using a VPN to connect a remote computer to a Secured Network

Potential weakness of the VPN
Once the data is encrypted and in the tunnel it is very secure, BUT watch for gaps: if any part of the journey is outside the tunnel, e.g. the network path from the client to an outsourced VPN provider, or from the provider's endpoint on to the destination, there is scope for security breaches. The tunnel only protects the stretch between its two endpoints.

VPN-related protocols offering even greater Internet security
Two possibilities are available for creating a secure VPN:
- Layer 3: IPsec, which encrypts and authenticates IP packets between two fixed endpoints (a security protocol, not a routing protocol)
- Layer 2 "tunnelling" protocols, which encapsulate PPP frames inside other packets for transmission across the network: PPTP (Point-to-Point Tunnelling Protocol) and L2TP (Layer 2 Tunnelling Protocol)

IPsec
The first VPN system defined by the IETF: RFC 2401 (1998, since replaced by RFC 4301). Uses ESP (Encapsulating Security Payload) at the IP packet level for confidentiality and integrity; AH (Authentication Header) gives integrity only.
IPsec provides security services at the IP layer by:
- enabling a system to select the required security protocols (ESP is possible with a number of encryption algorithms)
- determining the algorithm(s) to use for the chosen service(s)
- putting in place any cryptographic keys required to provide the requested services (negotiated by IKE, or configured manually)

More about IPsec in practice
The two ends authenticate each other through IKE using either pre-shared keys or X.509 certificates, so a PKI is needed only in the latter case. Both ends must be IPsec compliant, but not the various network systems that may be between them.
Can therefore be used to protect paths between:
- a pair of hosts (transport mode)
- a pair of security gateways (tunnel mode)
- a security gateway and a host
Works with IPv4 and IPv6.
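What ESP in tunnel mode actually does to a packet, as an added example that is not from the slides or from any IPsec implementation: the whole inner IP packet is encrypted and wrapped in an SPI / sequence number header with an integrity check value, and the receiver verifies integrity first and enforces an anti-replay window before decrypting. To stay within the Python standard library the cipher is HMAC-SHA256 used as a PRF in counter mode and the ICV is HMAC-SHA256; real IPsec negotiates e.g. AES-GCM through IKE. The keys, the SPI value and the inner packet bytes are constructed for illustration.

```python
"""ESP-style tunnel-mode encapsulation with integrity check and anti-replay window.

Added example, not from the slides or any IPsec implementation. To stay within
the Python standard library the cipher is HMAC-SHA256 used as a PRF in counter
mode and the ICV is HMAC-SHA256; real IPsec negotiates e.g. AES-GCM through
IKE. The keys, the SPI and the inner packet are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

ICV_LEN = 32   # HMAC-SHA256 output length
IV_LEN = 16


def keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, iv || counter) blocks, concatenated."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int, inner_packet: bytes) -> bytes:
    """Build SPI || seq || IV || ciphertext || ICV.

    In tunnel mode inner_packet is a whole IP packet (inner header included); the
    result travels behind a new outer IP header addressed gateway-to-gateway, so
    the inner (e.g. RFC 1918) addresses are never visible on the public network.
    """
    iv = os.urandom(IV_LEN)
    ct = bytes(a ^ b for a, b in zip(inner_packet, keystream(enc_key, iv, len(inner_packet))))
    body = struct.pack(">II", spi, seq) + iv + ct
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()   # integrity over header + payload
    return body + icv


class EspReceiver:
    """Decapsulates ESP packets for one inbound SA and enforces a sliding anti-replay window."""
    WINDOW = 64

    def __init__(self, enc_key: bytes, auth_key: bytes, spi: int):
        self.enc_key, self.auth_key, self.spi = enc_key, auth_key, spi
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def receive(self, esp_packet: bytes) -> bytes:
        body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
        # 1. Verify the ICV first (constant-time compare) so forged or modified
        #    packets are dropped before anything is decrypted or state is updated.
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, icv):
            raise ValueError("bad ICV: packet modified, forged or wrong SA")
        spi, seq = struct.unpack(">II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # 2. Anti-replay: duplicates and anything older than the window are rejected.
        if seq <= self.highest - self.WINDOW or seq in self.seen:
            raise ValueError(f"replayed or stale sequence number {seq}")
        # 3. Decrypt the inner packet.
        iv, ct = body[8:8 + IV_LEN], body[8 + IV_LEN:]
        inner = bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, iv, len(ct))))
        # 4. Slide the window forward only after the packet has been accepted.
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.WINDOW}
        return inner


if __name__ == "__main__":
    enc_key, auth_key = b"\x11" * 32, b"\x22" * 32        # constructed SA keys
    inner = b"\x45\x00\x00\x2c" + b"inner IPv4 packet 192.168.10.5 -> 10.20.0.7"
    rx = EspReceiver(enc_key, auth_key, spi=0x1000)
    pkt = esp_encapsulate(enc_key, auth_key, 0x1000, 1, inner)
    print("decapsulated:", rx.receive(pkt))
    try:
        rx.receive(pkt)                                     # same packet again
    except ValueError as e:
        print("replay rejected:", e)
```

The order of checks matters: integrity before replay state, replay state before decryption, window update only after acceptance. Doing the replay update first would let an attacker who re-sends a captured packet poison the window, and decrypting before the ICV check is what turns unauthenticated ESP into a padding-oracle target. All of this state is per security association, which is why the slide says both ends must be IPsec compliant while the routers in between need not be.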

Layer 2 Security: PPTP, L2TP
Microsoft: PPTP. Cisco: L2F (Layer 2 Forwarding). The two were combined to create L2TP.
L2TP itself provides no encryption: for a secure VPN it is run over IPsec (L2TP/IPsec, RFC 3193).
Advantages of L2TP:
- can use PPP authentication and access controls (PAP and CHAP)
- uses PPP's NCP (IPCP for IP) to handle remote address assignment for the remote client
- without IPsec there is no overhead of reliance on a PKI, but also no confidentiality
Caveat: PAP sends the password in clear, and PPTP's MS-CHAP authentication and MPPE encryption are broken (MS-CHAPv2 can be cracked offline), so PPTP should not be used for new deployments; prefer L2TP/IPsec or IPsec on its own.