McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.


Security in the Internet Model
Network Layer: At the IP layer, implementation is quite complicated since every device must be enabled. It also provides services to many other protocols like OSPF, ICMP, IGMP, etc. IP Security (IPSec) is a protocol that provides security at the IP layer.
Transport Layer: Quite complicated. A new layer is glued to the transport layer to provide security at this layer.
Application Layer: Simplest. It concerns only the client and the server. Pretty Good Privacy (PGP) is an example.

IP Level Security: IPSec
IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the IP level. IPSec does not define the use of any specific encryption or authentication method. IPSec provides a framework and a mechanism; it leaves the selection of the encryption, authentication, and hashing methods to the user.

Security Association
IPSec requires a logical connection between two hosts, set up using a signaling protocol, called a Security Association (SA). Thus IP needs to be changed to a connection-oriented protocol before security can be applied.
An SA connection is a simplex (unidirectional) connection between a source and a destination. If a duplex (bidirectional) connection is needed, two SA connections are required, one in each direction.
An SA connection is uniquely defined by three elements:
- A 32-bit security parameter index (SPI), which acts as a virtual circuit identifier in connection-oriented protocols such as Frame Relay or ATM.
- The type of the protocol used for security: AH or ESP.
- The source IP address.

IPSec Operation Modes
IPSec operates in two different modes. The mode is defined by where the IPSec header is placed in the IP packet.
Transport mode: The IPSec header is added between the IP header and the rest of the packet.
Tunnel mode: The IPSec header is placed in front of the original IP header, and a new IP header is added in front of that. The IPSec header, the preserved original IP header, and the rest of the packet are treated as the payload.

Security Protocols: Authentication Header Protocol (AH)
The Authentication Header (AH) protocol is designed to authenticate the source host and to ensure the integrity of the payload carried by the IP packet. The protocol calculates a message digest, using a hashing function and a symmetric key, and inserts the digest in the authentication header. The AH is put in the appropriate location based on the mode (transport or tunnel).

When an IP datagram carries an AH, the original value in the protocol field of the IP header is replaced by the value 51. Addition of the AH follows these steps:
1. The AH is added to the payload with the authentication data field set to zero.
2. Padding may be added to make the total length even for a particular hashing algorithm.
3. Hashing is done on the total packet. The message digest is calculated based only on those fields of the IP header that do not change during transit.
4. The authentication data are included in the AH.
5. The IP header is added after changing the value of the protocol field to 51.
The AH protocol provides source authentication and data integrity, but not privacy.

AH fields:
- Next header: type of payload carried by the IP datagram (TCP, UDP, ICMP, etc.).
- Payload length: length of the AH in 4-byte multiples.
- Security parameter index: plays the role of a virtual circuit identifier and is the same for all packets sent during a Security Association connection.
- Sequence number: ordering sequence of datagrams. A sequence number does not wrap around even after it reaches 2^32; a new connection must be established. A sequence number is not repeated even if a packet is retransmitted.
- Authentication data: result of applying a hash function to the entire IP datagram except for the fields that are changed during transit (e.g., time-to-live).
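The following is an added example, not code from the slides or from any IPsec implementation, that walks through the AH steps above in both operation modes: the authentication data field is zeroed, the mutable IP header fields (TTL, checksum, ToS, flags) are zeroed before hashing, the digest is inserted, and the protocol field becomes 51. The receiver recomputes the digest and rejects a repeated sequence number. It assumes HMAC-SHA256 truncated to 96 bits as the keyed hash, a minimal IPv4 header with no options, and a constructed UDP-style payload; the "payload length minus 2" encoding is RFC 4302's definition of that field.

```python
import hmac
import hashlib
import struct

AH_PROTOCOL = 51   # value written into the IP protocol field when an AH is present
ICV_LEN = 12       # 96-bit truncated HMAC, the usual AH authentication-data size

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def zero_mutable_fields(ip_hdr):
    """Fields that change in transit (ToS, flags/offset, TTL, checksum) are
    zeroed before hashing, so the digest covers only the immutable fields."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def build_ah(next_header, spi, seq, icv):
    """AH: next header, payload length, reserved, SPI, sequence number, ICV.
    Payload length is in 4-byte units minus 2 (RFC 4302 definition)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def ah_transport(key, src, dst, payload, payload_proto, spi, seq):
    """Transport mode: [IP hdr | AH | payload]. The ICV is computed with the
    mutable IP fields and the AH's own ICV field set to zero."""
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, total_len)
    ah_zeroed = build_ah(payload_proto, spi, seq, b"\x00" * ICV_LEN)
    icv = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zeroed + payload,
                   hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + build_ah(payload_proto, spi, seq, icv) + payload

def ah_tunnel(key, outer_src, outer_dst, inner_datagram, spi, seq):
    """Tunnel mode: [new IP hdr | AH | original IP hdr | payload]. The whole
    original datagram is the payload and next header is 4 (IP-in-IP)."""
    return ah_transport(key, outer_src, outer_dst, inner_datagram, 4, spi, seq)

def ah_verify(key, datagram, seen_seqs):
    """Recompute the ICV over the received datagram. Also enforces the slide's
    rule that a sequence number is never repeated within one SA."""
    ip_hdr, rest = datagram[:20], datagram[20:]
    if ip_hdr[9] != AH_PROTOCOL:
        return False
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_total = (payload_len + 2) * 4
    icv, after_ah = rest[12:ah_total], rest[ah_total:]
    ah_zeroed = rest[:12] + b"\x00" * len(icv)
    expected = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zeroed + after_ah,
                        hashlib.sha256).digest()[:len(icv)]
    if not hmac.compare_digest(icv, expected):
        return False          # tampered in transit, or wrong key
    if seq in seen_seqs:
        return False          # duplicate sequence number: replay
    seen_seqs.add(seq)
    return True

KEY = b"constructed-demo-key-not-for-real-use"
PAYLOAD = b"\x04\xd2\x00\x35\x00\x0d\x00\x00hello"   # constructed UDP-like payload

def demo():
    seen = set()
    pkt = ah_transport(KEY, "10.0.0.1", "10.0.0.2", PAYLOAD, 17, spi=0x1234, seq=1)
    results = {"transport_ok": ah_verify(KEY, pkt, seen)}
    aged = bytearray(pkt)
    aged[8] -= 1                        # TTL decremented by a router: must still verify
    results["after_hop"] = ah_verify(KEY, bytes(aged), set())
    bad = bytearray(pkt)
    bad[-1] ^= 1                        # one payload bit flipped: must fail
    results["tampered"] = ah_verify(KEY, bytes(bad), set())
    results["replay"] = ah_verify(KEY, pkt, seen)   # same sequence number a second time
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 17, 20 + len(PAYLOAD)) + PAYLOAD
    tun = ah_tunnel(KEY, "203.0.113.1", "198.51.100.1", inner, spi=0x5678, seq=1)
    results["tunnel_ok"] = ah_verify(KEY, tun, set())
    results["tunnel_next_header"] = tun[20]     # 4: the protected payload is an IP datagram
    return results
```

The TTL case is the reason the slide insists the digest covers only the fields that do not change: without zeroing TTL, every hop would break verification. The sequence-number set stands in for the anti-replay window a real implementation keeps per SA.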

Encapsulating Security Payload: ESP
The Encapsulating Security Payload (ESP) provides source authentication, privacy, and integrity. ESP adds a header and a trailer. ESP's authentication data are added at the end of the packet, after the ESP header and trailer. The value of the IP protocol field is 50. A field inside the ESP trailer (the next header field) holds the original value of the protocol field of the IP header.

ESP procedure follows these steps:
1. The ESP trailer is added to the payload.
2. The payload and trailer are encrypted.
3. The ESP header is added.
4. The ESP header, payload, and ESP trailer are used to create the authentication data.
5. The authentication data are added to the end of the ESP trailer.
6. The IP header is added after changing the protocol value to 50.
ESP fields:
- Security parameter index
- Sequence number
- Padding: variable-length field (0 to 255 bytes) of 0s that serves as padding.
- Pad length: defines the number of padding bytes.
- Next header
- Authentication data: result of applying an authentication scheme to parts of the datagram. The IP header is not included in the calculation.
Even though ESP is better than AH, AH is still used because certain commercial products use it.
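An added example (not from the slides or from any IPsec stack) that carries the six ESP steps through in order: trailer, encryption of payload plus trailer, header, authentication data over header and encrypted body only, and an IP header with protocol 50. The cipher is a constructed stand-in (HMAC-SHA256 run as a PRF in counter mode, keyed by SPI and sequence number), not a real ESP transform, and the 12-byte truncated HMAC, the zero padding and the 4-byte alignment are assumptions made to match the slide's description.

```python
import hmac
import hashlib
import struct

ESP_PROTOCOL = 50   # value written into the IP protocol field when ESP is present
ICV_LEN = 12

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def keystream(key, spi, seq, length):
    """Toy stream cipher: HMAC-SHA256 used as a PRF in counter mode, keyed per
    SPI and sequence number. A placeholder for a real ESP cipher such as AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header, block=4):
    """Returns the ESP unit: [ESP header | encrypted(payload + trailer) | ICV]."""
    # 1. trailer: zero padding (as on the slide), pad length, next header
    pad_len = (-(len(payload) + 2)) % block
    trailer = b"\x00" * pad_len + bytes([pad_len, next_header])
    # 2. payload and trailer are encrypted
    body = xor(payload + trailer, keystream(enc_key, spi, seq, len(payload) + len(trailer)))
    # 3. header: SPI and sequence number
    header = struct.pack("!II", spi, seq)
    # 4. authentication data over header + encrypted body (IP header NOT included)
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    # 5. authentication data go after the trailer
    return header + body + icv

def esp_datagram(enc_key, auth_key, src, dst, spi, seq, payload, next_header):
    """6. IP header added with the protocol field set to 50."""
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header)
    return ipv4_header(src, dst, ESP_PROTOCOL, 20 + len(esp)) + esp

def esp_decapsulate(enc_key, auth_key, datagram):
    """Receiver: check the ICV first, then decrypt, then strip the padding.
    Returns (next_header, payload) or None when the ICV does not match."""
    if datagram[9] != ESP_PROTOCOL:
        return None
    esp = datagram[20:]
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                     # drop before spending any work on decryption
    spi, seq = struct.unpack("!II", header)
    plain = xor(body, keystream(enc_key, spi, seq, len(body)))
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]

ENC_KEY = b"constructed-esp-encryption-key"
AUTH_KEY = b"constructed-esp-authentication-key"
PAYLOAD = b"GET / HTTP/1.0\r\n"   # constructed TCP segment payload (next header 6)

def demo():
    pkt = esp_datagram(ENC_KEY, AUTH_KEY, "10.0.0.1", "10.0.0.2", 0x100, 7, PAYLOAD, 6)
    results = {
        "protocol_field": pkt[9],
        "plaintext_visible": PAYLOAD in pkt,          # privacy: must be False
        "roundtrip": esp_decapsulate(ENC_KEY, AUTH_KEY, pkt),
    }
    bad = bytearray(pkt)
    bad[30] ^= 0x80                                    # flip a bit inside the encrypted body
    results["tampered"] = esp_decapsulate(ENC_KEY, AUTH_KEY, bytes(bad))
    results["wrong_key"] = esp_decapsulate(ENC_KEY, b"other-key", pkt)
    return results
```

Because the next header value travels inside the encrypted trailer, an observer of the datagram sees only protocol 50 in the IP header and learns nothing about whether TCP or UDP is inside; that is the difference from AH, which leaves the next header readable.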

Transport Layer Security
Transport Layer Security (TLS) was designed to provide security at the transport layer. TLS was derived from a security protocol called Secure Sockets Layer (SSL). TLS is a non-proprietary version of SSL. For transactions on the Internet, a browser needs to:
- Make sure that the server belongs to the actual vendor.
- Make sure that the contents of the message are not modified during transit.
- Make sure that an impostor does not intercept sensitive information such as a credit card number.

Transport Layer Security
TLS has two protocols: the handshake protocol and the data exchange protocol.
Handshake: responsible for negotiating security, authenticating the server to the browser, and (optionally) defining other communication parameters.
Data exchange (record) protocol: uses the secret key to encrypt the data for secrecy and to encrypt the message digest for integrity.

Handshake Protocol
1. The browser sends a hello message that includes the TLS version and some preferences.
2. The server sends a certificate message that includes the public key of the server. The public key is certified by some certification authority, which means that the public key is encrypted by a CA private key. The browser has a list of CAs and their public keys. It uses the corresponding key to decrypt the certificate and finds the server public key. This also authenticates the server, because the public key is certified by the CA.
3. The browser creates a secret key, encrypts it with the server public key, and sends it to the server.

Handshake Protocol (continued)
4. The browser sends a message, encrypted by the secret key, to inform the server that handshaking is terminating from the browser side.
5. The server decrypts the secret key using its private key and decrypts the message using the secret key. It then sends a message, encrypted by the secret key, to inform the browser that handshaking is terminating from the server side.
Note that handshaking uses the public key for two purposes: to authenticate the server and to encrypt the secret key, which is used in the data exchange protocol.
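The five handshake steps above, run as an added example with both sides in one process; this is not code from the slides or from any TLS library. It assumes textbook RSA built from four Mersenne primes (far too small for real use), a browser trust store holding one CA key, and SHA-256 for the certificate digest. Two details differ from the slide's wording and are choices of this example: the finished messages of steps 4 and 5 are keyed MACs over the handshake transcript rather than encrypted text, and the certificate is "encrypted" with the CA private key exactly as the slide describes, i.e. a raw RSA signature over the digest. The demo also exercises the two failure modes the slide's checks are meant to catch: a certificate from a CA the browser does not know, and a server presenting a genuine certificate without holding the matching private key.

```python
import hashlib
import hmac
import os

def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two known primes. Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# Constructed keys from Mersenne primes; far too small for real use.
CA_PUB, CA_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
SERVER_PUB, SERVER_PRIV = rsa_keypair(2**31 - 1, 2**127 - 1)
ROGUE_CA_PUB, ROGUE_CA_PRIV = rsa_keypair(2**31 - 1, 2**89 - 1)
TRUST_STORE = {"Demo Root CA": CA_PUB}     # the browser's list of CAs and their keys

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_certificate(subject, subject_pub, issuer, issuer_priv):
    """The CA 'encrypts' the digest of (subject, key) with its private key."""
    n, d = issuer_priv
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": pow(digest_int(cert_body(subject, subject_pub), n), d, n)}

def verify_certificate(cert, trust_store):
    """The browser looks up the issuer's public key and checks the signature."""
    issuer_pub = trust_store.get(cert["issuer"])
    if issuer_pub is None:
        return False                   # issuer not in the browser's CA list
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == digest_int(cert_body(cert["subject"], cert["pub"]), n)

def finished(secret, transcript, side):
    return hmac.new(secret, side + b"|" + b"|".join(transcript), hashlib.sha256).digest()

def handshake(cert, server_priv, trust_store=TRUST_STORE):
    """Runs both sides of the slide's five steps. ok is True only if the browser
    and the server ended up holding the same secret key."""
    transcript = []
    # 1. browser -> server: hello with version and preferences
    transcript.append(b"hello|TLS1.2|toy-rsa")
    # 2. server -> browser: certificate; the browser checks it against its CA list
    transcript.append(cert_body(cert["subject"], cert["pub"]))
    if not verify_certificate(cert, trust_store):
        return {"ok": False, "reason": "certificate not issued by a trusted CA"}
    # 3. browser -> server: fresh secret key encrypted with the server public key
    secret = os.urandom(8)
    n, e = cert["pub"]
    enc_secret = pow(int.from_bytes(secret, "big"), e, n)
    transcript.append(str(enc_secret).encode())
    # 4. browser -> server: finished, keyed with the secret
    client_fin = finished(secret, transcript, b"browser")
    # server: recover the secret with its private key and check the browser's finished
    sn, sd = server_priv
    recovered = pow(enc_secret, sd, sn)
    if recovered >= 1 << 64:
        return {"ok": False, "reason": "server could not recover the secret"}
    server_secret = recovered.to_bytes(8, "big")
    if not hmac.compare_digest(client_fin, finished(server_secret, transcript, b"browser")):
        return {"ok": False, "reason": "browser finished message did not verify"}
    # 5. server -> browser: finished, keyed with the same secret; the browser checks it
    server_fin = finished(server_secret, transcript, b"server")
    if not hmac.compare_digest(server_fin, finished(secret, transcript, b"server")):
        return {"ok": False, "reason": "server finished message did not verify"}
    return {"ok": True, "reason": "", "shared_secret": secret == server_secret}

def demo():
    good_cert = issue_certificate("shop.example", SERVER_PUB, "Demo Root CA", CA_PRIV)
    rogue_cert = issue_certificate("shop.example", ROGUE_CA_PUB, "Rogue CA", ROGUE_CA_PRIV)
    return {
        "honest": handshake(good_cert, SERVER_PRIV),
        "unknown_ca": handshake(rogue_cert, ROGUE_CA_PRIV),      # CA not in the trust store
        "impostor": handshake(good_cert, ROGUE_CA_PRIV),         # real cert, wrong private key
    }
```

The impostor case is why step 2 alone does not authenticate the server: anyone can replay a genuine certificate. It is the server's ability to decrypt the secret in step 5, proven by a finished message the browser can check, that ties the certificate to the party actually on the connection.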

Application Layer Security: PGP
Pretty Good Privacy (PGP) provides all four aspects of security in sending an e-mail. PGP uses a digital signature (a combination of hashing and public-key encryption) to provide integrity, authentication, and non-repudiation. It uses a combination of secret-key and public-key encryption to provide privacy.

PGP at the receiver site (figure not reproduced in the transcript)

Firewall
A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. A firewall can be used to deny access to a specific host or a specific service in the organization. Firewalls are classified into two classes:
- Packet-filter firewall
- Proxy-based firewall

Packet-filter firewall
A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded). It can forward or block packets based on the information in the network layer and transport layer headers: source and destination port addresses, and type of protocol (TCP or UDP). Example rules from the filtering table ('*' means any):
- Incoming packets from a specified network are blocked.
- Incoming packets destined for any internal TELNET server (port 23) are blocked.
- Outgoing packets destined for an HTTP server (port 80) are blocked.
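An added example of the filtering-table lookup just described, evaluated over constructed sample packets; it is not code from the slides or from any firewall product. The three rules mirror the slide's, with '*' meaning any. The slide does not name the network its first rule blocks, so the documentation range 192.0.2.0/24 stands in for it, and the "forward when no rule matches" default is an assumption, since the slide's table only lists what is discarded.

```python
import ipaddress

# Constructed filtering table in the slide's style; "*" means any.
RULES = [
    # (direction, source network, destination network, destination port, protocol, action)
    ("in",  "192.0.2.0/24", "*", "*", "*",   "block"),   # incoming from a given network
    ("in",  "*",            "*", 23,  "tcp", "block"),   # incoming to any internal TELNET server
    ("out", "*",            "*", 80,  "tcp", "block"),   # outgoing to an HTTP server
]

def field_matches(rule_value, packet_value):
    """'*' matches anything; a CIDR string matches by network membership;
    anything else must be equal."""
    if rule_value == "*":
        return True
    if isinstance(rule_value, str) and "/" in rule_value:
        return ipaddress.ip_address(packet_value) in ipaddress.ip_network(rule_value)
    return rule_value == packet_value

def decide(packet, rules=RULES):
    """First matching rule wins; with no match the router forwards (assumed default)."""
    for direction, src, dst, dport, proto, action in rules:
        fields = ((direction, packet["direction"]), (src, packet["src"]),
                  (dst, packet["dst"]), (dport, packet["dport"]), (proto, packet["proto"]))
        if all(field_matches(r, p) for r, p in fields):
            return action
    return "forward"

def packet(direction, src, dst, dport, proto="tcp"):
    return {"direction": direction, "src": src, "dst": dst, "dport": dport, "proto": proto}

# Constructed sample traffic seen at the firewall
SAMPLES = [
    packet("in",  "192.0.2.7",    "10.0.0.5",     25),   # from the blocked network
    packet("in",  "198.51.100.9", "10.0.0.5",     23),   # TELNET into the site
    packet("out", "10.0.0.5",     "198.51.100.9", 80),   # HTTP out of the site
    packet("in",  "198.51.100.9", "10.0.0.5",     25),   # SMTP in: no rule, forwarded
    packet("out", "10.0.0.5",     "198.51.100.9", 443),  # HTTPS out: no rule, forwarded
]

def demo():
    return [decide(p) for p in SAMPLES]
```

Every field the filter consults is in the IP and TCP/UDP headers; nothing in the table can express "this request is from a registered customer", which is the limitation the next slide's proxy firewall addresses.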

Proxy firewall
A proxy firewall filters based on information available in the message itself; it filters at the application layer.
Situation: Only those Internet users who have previously established business relations with the company can have access; access by other users must be blocked. In this case, a packet-filter firewall is not feasible because it cannot distinguish between different packets arriving at TCP port 80 (HTTP). Testing must be done at the application level (using URLs). The solution is to install a proxy computer (sometimes called an application gateway), which stands between the customer (user client) computer and the corporation computer.

Proxy firewall
When the user client process sends a message, the proxy firewall runs a server process to receive the request. The server opens the packet at the application level and finds out whether the request is legitimate. If it is, the server acts as a client process and sends the message to the real server in the corporation. If it is not, the message is dropped and an error message is sent to the external user.
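The proxy decision from the slide's scenario as an added example, not code from the slides or from any proxy product: the proxy's server process parses the HTTP request line, examines the URL, and either forwards the request toward the real server or answers with an error. The rule that a legitimate request names a registered customer under /customers/<id>/ and the customer list itself are constructed for the example.

```python
from urllib.parse import unquote, urlsplit

# Constructed: identifiers of customers with an established business relation.
REGISTERED_CUSTOMERS = {"acme", "globex"}

def parse_request_line(raw):
    """Returns (method, target) from the first line of an HTTP request, or None."""
    first = raw.split(b"\r\n", 1)[0]
    try:
        parts = first.decode("ascii").split(" ")
    except UnicodeDecodeError:
        return None
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]

def proxy_decide(raw_request):
    """Application-level check: forward only requests whose URL names a
    registered customer area; everything else is dropped with an error."""
    parsed = parse_request_line(raw_request)
    if parsed is None:
        return "drop", "400 Bad Request"
    method, target = parsed
    path = unquote(urlsplit(target).path)             # works for absolute and relative URLs
    segments = [s for s in path.split("/") if s]
    if ".." in segments:
        return "drop", "403 Forbidden"                # reject path segments that climb out of the area
    if len(segments) >= 2 and segments[0] == "customers" and segments[1] in REGISTERED_CUSTOMERS:
        return "forward", f"{method} {path}"           # proxy now acts as a client to the real server
    return "drop", "403 Forbidden"

# Constructed sample requests; all arrive on TCP port 80 and look identical to a packet filter.
SAMPLES = [
    b"GET /customers/acme/orders HTTP/1.1\r\nHost: corp.example\r\n\r\n",
    b"GET http://corp.example/customers/globex/ HTTP/1.1\r\nHost: corp.example\r\n\r\n",
    b"GET /customers/unknown/orders HTTP/1.1\r\nHost: corp.example\r\n\r\n",
    b"GET /customers/acme/../../admin HTTP/1.1\r\nHost: corp.example\r\n\r\n",
    b"GET /customers/%2e%2e/admin HTTP/1.1\r\n\r\n",
    b"not an http request\r\n\r\n",
]

def demo():
    return [proxy_decide(r)[0] for r in SAMPLES]
```

The decision depends on decoding the URL the way the real server would (percent-decoding, then segment checks), which is exactly the work a packet filter cannot do because it never looks past the transport header.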

Virtual Private Networks
VPN is a technology that is gaining popularity among large organizations that use the global Internet for both intra- and inter-organization communication, but require privacy in their internal communication.
A private network is designed for use inside an organization. It allows access to shared resources and, at the same time, provides privacy.
Intranet: a private network that is limited to users inside the organization.
Extranet: the same as an intranet with one major difference: some resources can be accessed by a specific group of users outside the organization, under the control of the network administrator.
Addressing for private networks:
- Use any address but do not connect to the Internet.
- Get addresses from the Internet authorities but do not connect to the Internet. This wastes public addresses.
- Use reserved addresses (private addresses).

Table 31.1 Addresses for private networks (columns: Prefix, Range, Total; the row values did not survive the transcript)

Achieving Privacy: Private networks
LANs at different sites can be connected to each other using routers and leased lines. An internet can be made up of private LANs and private WANs. If an internet is private to an organization, it can use any IP address without consulting the Internet authorities.

Privacy: Hybrid networks
Privacy within the organization is achieved while the organization is still connected to the global Internet. Intra-organization data are routed through the private internet; inter-organization data are routed through the global Internet.

Virtual private network
Private and hybrid networks are costly. To connect several sites, an organization needs several leased lines, which means a high monthly fee. The best solution is to use the global Internet for both private and public communications. A VPN creates a network that is private but virtual. It is private because it guarantees privacy inside the organization. It is virtual because it does not use real private WANs; the network is physically public but virtually private. A VPN uses IPSec in tunnel mode to provide authentication, integrity, and privacy.

Addressing in a VPN
Using tunneling, each IP datagram destined for private use in the organization is encapsulated in another datagram. To use IPSec in tunnel mode, the VPN needs to use two sets of addresses. The public network (Internet) is responsible for carrying the packet from R1 to R2. Outsiders cannot decipher the contents of the packet or the source and destination addresses. Deciphering takes place at R2, which finds the destination address of the packet and delivers it.
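An added example covering the private-address options and the two sets of addresses in a VPN; it is not code from the slides or from any VPN product. R1 decides per datagram whether the destination is local, at another site of the organization (tunnel it, outer header R1 to R2, protocol 50), on the public Internet (route it plainly, as in a hybrid network), or a private address with no known tunnel (drop it, since private addresses must never be routed onto the Internet). R2 strips the outer header, opens the tunnel and delivers by the inner address. The site prefixes, router addresses and key are constructed; the private blocks are the RFC 1918 ranges behind Table 31.1; and the seal function is a placeholder confidentiality transform (XOR with a SHA-256-derived keystream), not IPsec ESP, present only so the inner addresses are invisible on the public network.

```python
import hashlib
import ipaddress
import struct

ESP_PROTOCOL = 50
# RFC 1918 private blocks (the values behind Table 31.1's rows)
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: each site's private prefix and the public address of its VPN router
SITES = {
    "R1": (ipaddress.ip_network("10.1.0.0/16"), "203.0.113.1"),
    "R2": (ipaddress.ip_network("10.2.0.0/16"), "198.51.100.1"),
}
TUNNEL_KEY = b"constructed-tunnel-key"

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def parse_header(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(ipaddress.ip_address(f[8])), str(ipaddress.ip_address(f[9])), f[6]

def is_private(addr):
    return any(ipaddress.ip_address(addr) in n for n in PRIVATE_BLOCKS)

def site_of(addr):
    return next((r for r, (net, _) in SITES.items() if ipaddress.ip_address(addr) in net), None)

def seal(data):
    """Placeholder confidentiality transform standing in for ESP (not IPsec):
    XOR with a SHA-256-derived keystream; applying it twice restores the data."""
    ks = b"".join(hashlib.sha256(TUNNEL_KEY + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def egress(router, datagram):
    """Decision at a site's VPN router for a datagram leaving the site."""
    src, dst, _ = parse_header(datagram)
    remote = site_of(dst)
    if remote == router:
        return "local", datagram
    if remote is None:
        # a private destination with no tunnel must not leak onto the Internet
        return ("drop", None) if is_private(dst) else ("internet", datagram)
    # intra-organization traffic: tunnel mode, outer header carries public addresses only
    sealed = seal(datagram)
    outer = ipv4_header(SITES[router][1], SITES[remote][1], ESP_PROTOCOL, 20 + len(sealed))
    return "tunnel", outer + sealed

def ingress(router, packet):
    """Receiving router: strip the outer header, open the tunnel, deliver by inner address."""
    _, odst, proto = parse_header(packet)
    if odst != SITES[router][1] or proto != ESP_PROTOCOL:
        return "not for this tunnel", None
    inner = seal(packet[20:])
    _, idst, _ = parse_header(inner)
    if ipaddress.ip_address(idst) not in SITES[router][0]:
        return "drop", None
    return "deliver", idst

def demo():
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 17, 31) + b"constructed"   # site A host to site B host
    kind, packet = egress("R1", inner)
    return {
        "kind": kind,
        "outsider_view": parse_header(packet),                  # what the public network sees
        "inner_addresses_visible": b"\x0a\x01\x00\x05" in packet or b"\x0a\x02\x00\x09" in packet,
        "r2": ingress("R2", packet),
        "to_internet": egress("R1", ipv4_header("10.1.0.5", "192.0.2.10", 6, 20))[0],
        "unknown_private": egress("R1", ipv4_header("10.1.0.5", "192.168.5.5", 6, 20))[0],
    }
```

The outsider's view is the whole point of the two address sets: the public network routes on 203.0.113.1 and 198.51.100.1 and sees protocol 50, while the 10.x.x.x addresses, which would be meaningless on the Internet anyway, only reappear after R2 has opened the tunnel.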