Chapter 8 Network Security Professor Rick Han University of Colorado at Boulder

Prof. Rick Han, University of Colorado at Boulder

Announcements
- HW #5 (short) due May 2
- Programming Assignment #3 due May 2
- Final Exam May 7, 4:30-7:00 pm
  - Comprehensive
  - In this room
  - Review next time
- Last week's lectures on the Web
- Next, IPSec, Firewalls

Recap of Previous Lecture
- Authentication via Digital Signatures
  - Hash the document, encrypt the hash with your private key
- Data Integrity via One-Way Hashes
- Non-Repudiation comes for free with public-key authentication
- Key distribution via Digital Certificates from a trusted Certificate Authority
- SSL/TLS
  - Public key handshake to negotiate secret session key
  - HTTPS = HTTP over SSL/TLS

Symmetric Key Distribution
- Key distribution
  - Public key via trusted Certificate Authorities
  - Symmetric key?
    - Diffie-Hellman Key Exchange
    - Public key, then secret key (e.g. SSL)
    - Symmetric key distribution via a KDC (Key Distribution Center)

Symmetric Key Distribution (2)
- Symmetric key distribution via a KDC (Key Distribution Center)
  - KDC is a server (trusted 3rd party) sharing a different symmetric key with each registered user
  - Alice wants to talk with Bob, and sends an encrypted request to the KDC: K_A-KDC(Alice, Bob)
  - KDC generates a one-time shared secret key R1
  - KDC encrypts Alice's identity and R1 with Bob's secret key; let m = K_B-KDC(Alice, R1)
  - KDC sends both R1 and m to Alice, encrypted with Alice's key, i.e. K_A-KDC(R1, K_B-KDC(Alice, R1))
  - Alice decrypts the message, extracting R1 and m. Alice sends m to Bob.
  - Bob decrypts m and now has the session key R1

Symmetric Key Distribution (3)
- Kerberos authentication basically follows this KDC trusted 3rd party approach
- In Kerberos, the message m is called a ticket and has an expiration time m=
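The KDC exchange from the two slides above, with the Kerberos-style expiry added to the ticket, as an added example that is not part of the lecture slides. The symmetric cipher `seal`/`unseal` is a constructed teaching primitive (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) chosen so the example runs on the Python standard library; a real deployment would use a vetted authenticated cipher such as AES-GCM. The names `KDC`, `redeem_ticket`, `run_exchange`, the 300-second lifetime and the JSON message layout are all assumptions of this example.

```python
# Added example: toy KDC session-key distribution (K_A-KDC(Alice,Bob) ->
# K_A-KDC(R1, m) with m = K_B-KDC(Alice, R1, expiry)). Not from the slides.
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 300.0  # seconds; constructed value for the Kerberos-style expiry


def _keystream(key, nonce, length):
    """Byte stream from HMAC-SHA256 in counter mode (teaching cipher, not for production)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """K(obj): encrypt-then-MAC a JSON-serialisable object under a symmetric key."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Inverse of seal; raises if the key is wrong or the blob was modified."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered message")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Trusted third party sharing a distinct long-term key with every registered user."""

    def __init__(self):
        self.keys = {}

    def register(self, name):
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def handle_request(self, requester, request, now=None):
        # The request K_A-KDC(Alice, Bob) opens only under Alice's key, so the
        # KDC knows who really sent it.
        req = unseal(self.keys[requester], request)
        if req["from"] != requester:
            raise ValueError("request does not match the key it was sent under")
        now = time.time() if now is None else now
        r1 = os.urandom(32).hex()  # one-time session key R1
        # m = K_B-KDC(Alice, R1, expiry): the ticket, readable only by Bob
        ticket = seal(self.keys[req["to"]],
                      {"client": requester, "key": r1, "expires": now + TICKET_LIFETIME})
        # Reply K_A-KDC(R1, m): only Alice reads R1; she forwards m unchanged
        return seal(self.keys[requester], {"key": r1, "ticket": ticket.hex()})


def redeem_ticket(bob_key, ticket, now=None):
    """Bob decrypts m with his KDC key, checks the expiry, and obtains R1."""
    t = unseal(bob_key, ticket)
    now = time.time() if now is None else now
    if now > t["expires"]:
        raise ValueError("ticket expired")
    return t["client"], t["key"]


def run_exchange(kdc_clock=None, bob_clock=None):
    """Whole exchange from the slides; returns (Alice's R1, Bob's R1, client named in m)."""
    kdc = KDC()
    k_a = kdc.register("Alice")
    k_b = kdc.register("Bob")
    request = seal(k_a, {"from": "Alice", "to": "Bob"})                    # Alice -> KDC
    reply = unseal(k_a, kdc.handle_request("Alice", request, kdc_clock))  # KDC -> Alice
    alice_r1 = reply["key"]
    m = bytes.fromhex(reply["ticket"])                                     # Alice -> Bob
    client, bob_r1 = redeem_ticket(k_b, m, bob_clock)
    return alice_r1, bob_r1, client


if __name__ == "__main__":
    print(run_exchange())
```

Two properties of the slide protocol are visible in the code: Alice relays m without being able to read or alter it (it is under Bob's key and carries a MAC), and the expiry inside the ticket is what stops an old captured ticket from being replayed to Bob later, which is the reason Kerberos adds it.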

IPsec
- IP security protocol is a suite of protocols for security at the network layer
- Provides data confidentiality/secrecy:
  - Encrypt the IP payload (not header, except when tunneling)
  - All higher layer information is encrypted, including TCP/UDP port #'s
  - Called the Encapsulation Security Payload (ESP) protocol
- Provides source authentication and data integrity
  - Authenticates the source to make sure the sender is not spoofing IP addresses
  - Called the Authentication Header (AH) protocol

IPsec (2)
- ESP protocol provides network-layer secrecy, source host authentication and data integrity
  - TCP/UDP segment is surrounded by header and trailer fields
  - DES-CBC encryption of TCP/UDP segment + trailer
  - Trailer lists the Protocol of the segment (TCP, or UDP, or ...). Hidden from observers.
  - Normal IP routing using IP header. Destination sees protocol=50 and decrypts ESP packet

IPsec (3)
- Authentication field contains digital signature of entire original IP datagram (same as AH signature)
  - Signed message hash over IP header + TCP/UDP segment, including IP source address
  - Can't spoof an IP address or tamper with the IP header without being detected

IPsec (4)
- AH protocol provides source authentication and data integrity, but not secrecy
  - Insert an AH header between the IP header (indicated by Protocol = 51) and the segment it carries
  - Next Header field indicates whether segment is TCP, UDP, etc.
  - Authentication Data field contains a digital signature, or signed message digest calculated over the original IP datagram
    - Provides source authentication
    - Provides datagram integrity tamper check
  - Digital signature could be DES, MD5, or SHA - negotiated

IPsec (5)
- The two IP endpoints set up a logical connection called a Security Agreement (SA)
  - Simplex/unidirectional end-to-end security
  - Uniquely identified by 3-tuple: the security protocol (AH or ESP), source IP address, and a 32-bit ID called the Security Parameter Index (SPI)
  - Key management in an SA governed either by the Internet Key Exchange (IKE) algorithm or the Internet Security Association and Key Management Protocol (ISAKMP)
[Figure: IP source, IP router, IP dest, with a Logical Security Agreement spanning source to destination]

IPsec (6)
- Some implications:
  - NATs will no longer work when dealing with IPsec-encrypted IP datagrams. Why?
    - NATs are transparent yet also require knowledge of the TCP source port, and this is encrypted by IPsec!
    - Also, NATs require changing the source port and source IP address, but a NAT can't modify the digital signature (which prevents undetectable tampering)
[Figure: IP source, NAT, IP dest, with encrypted IP datagrams crossing the NAT]
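The AH mechanics of the IPsec (4), (5) and (6) slides in working code, as an added example that is not from the lecture: an IPv4 datagram gets an AH header, the receiver looks the SA up by the slides' 3-tuple (protocol, source address, SPI), recomputes the Authentication Data (ICV) over the immutable IP header fields plus the segment, and a NAT that rewrites the source address is detected because that address is covered by the ICV. The IPv4 and AH field layouts follow RFC 791 and RFC 4302; HMAC-SHA256 truncated to 96 bits as the ICV algorithm, the key, the SPI values and the addresses are constructed for this example, and `nat_rewrite_source` models only the address rewrite a NAT performs.

```python
# Added example: AH header build/parse, SA lookup by (protocol, src, SPI),
# ICV verification, and detection of a NAT source-address rewrite.
# Not from the slides; layouts from RFC 791 (IPv4) and RFC 4302 (AH).
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
ICV_LEN = 12  # 96-bit truncated HMAC (constructed choice for the example)
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at zero; not needed here)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _ah_header(next_hdr, spi, seq, icv):
    # Payload Len counts 32-bit words minus 2: 12 fixed bytes + ICV
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def _immutable_view(ip_hdr, ah_zero_icv, payload):
    # RFC 4302: TOS, flags/fragment offset, TTL and checksum may change in
    # transit, so they are zeroed before hashing. Addresses are NOT zeroed,
    # which is exactly why a NAT rewrite is caught.
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4_FMT, *f) + ah_zero_icv + payload


def compute_icv(key, ip_hdr, next_hdr, spi, seq, payload):
    zero_ah = _ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    digest = hmac.new(key, _immutable_view(ip_hdr, zero_ah, payload), hashlib.sha256).digest()
    return digest[:ICV_LEN]


def build_ah_datagram(key, src, dst, spi, seq, next_hdr, payload):
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 12 + ICV_LEN + len(payload))
    icv = compute_icv(key, ip_hdr, next_hdr, spi, seq, payload)
    return ip_hdr + _ah_header(next_hdr, spi, seq, icv) + payload


def parse(datagram):
    """Return (ip fields, AH/ESP fields or None, remaining payload)."""
    ip = struct.unpack(IPV4_FMT, datagram[:20])
    hdr = {"src": socket.inet_ntoa(ip[8]), "dst": socket.inet_ntoa(ip[9]), "proto": ip[6]}
    body = datagram[20:]
    if hdr["proto"] == IPPROTO_AH:
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        icv_len = (plen + 2) * 4 - 12
        sec = {"next_header": next_hdr, "spi": spi, "seq": seq, "icv": body[12:12 + icv_len]}
        return hdr, sec, body[12 + icv_len:]
    if hdr["proto"] == IPPROTO_ESP:
        # ESP exposes only SPI and sequence number; Next Header sits in the
        # encrypted trailer, which is what hides the port numbers and protocol
        spi, seq = struct.unpack("!II", body[:8])
        return hdr, {"spi": spi, "seq": seq}, body[8:]
    return hdr, None, body


def verify_ah(sa_db, datagram):
    """SA lookup by the slides' 3-tuple, then ICV check. True only if both succeed."""
    hdr, ah, payload = parse(datagram)
    if hdr["proto"] != IPPROTO_AH:
        raise ValueError("not an AH datagram")
    key = sa_db.get((IPPROTO_AH, hdr["src"], ah["spi"]))
    if key is None:
        return False  # no SA for (protocol, source address, SPI)
    expected = compute_icv(key, datagram[:20], ah["next_header"], ah["spi"], ah["seq"], payload)
    return hmac.compare_digest(expected, ah["icv"])


def nat_rewrite_source(datagram, new_src):
    """What a NAT does to the outer header: replace the source address."""
    return datagram[:12] + socket.inet_aton(new_src) + datagram[16:]


def demo():
    key = b"constructed-demo-key-32-bytes!!!"
    sa_db = {(IPPROTO_AH, "10.0.0.5", 0x1001): key}
    pkt = build_ah_datagram(key, "10.0.0.5", "192.0.2.10", 0x1001, 1, 6, b"TCP segment bytes")
    ok = verify_ah(sa_db, pkt)
    natted = nat_rewrite_source(pkt, "203.0.113.1")
    # Even a receiver holding an SA for the NAT's address with the same key
    # rejects the packet: the original source address was hashed into the ICV
    sa_db_nat = {(IPPROTO_AH, "203.0.113.1", 0x1001): key}
    return ok, verify_ah(sa_db, natted), verify_ah(sa_db_nat, natted)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The ordering in `verify_ah` mirrors a real receiver: the SA is selected from the packet's protocol, address and SPI first, because the key and algorithm to check with are SA properties, and only then is the ICV recomputed in constant-time comparison.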

IPsec (7)
- Some implications:
  - Virtual Private Networks (VPNs) are created and connected using IPsec
    - Create IPsec gateways that tunnel/encapsulate across the insecure Internet = "Virtual"
    - IPsec provides confidentiality = "Private"
[Figure: IP source inside a Secure Intranet, IPsec gateway, Secure Tunnel over Insecure IP routing, IPsec gateway, IP dest]

IPsec (8)
- May want to use IPsec over your corporate intranet, even though the intranet is protected by a firewall
  - Protects against eavesdropping, tampering, and spoofing from the inside, i.e. disgruntled employees
- IPsec has been proposed as part of a wireless solution to overcome WEP's security flaws
- How widely deployed? In Windows 2000/XP, some Linux flavors (Suse 8.0; patch others with the open source IPsec implementation called FreeSWAN), firewalls, Cisco routers
- Philosophy: if I have SSL end-to-end security, why do I need IPsec end-to-end security? Headers still exposed and could reveal info

Firewalls
- We've already seen two kinds of firewalls in action:
  - NATs act as filter-based firewalls
  - HTTP proxies can act as proxy-based firewalls
- Firewalls address the Availability problem in security
  - Guaranteeing access to legitimate users
  - Prevention of Denial-of-Service (DoS) attacks on a corporate intranet

Firewalls (2)
- Filter-based firewall can by default implement a policy that
  - Admits packets not on a list, OR
  - Only admits packets on a list
- The firewall's list/table will contain 5-tuples
- Can specify wildcards, e.g. an entry could mean: let pass all TCP packets with a particular source addr, any source port, which are destined for port 80.

Firewalls (3)
- Sample policy #1: Filter-based firewalls can block all inbound packets claiming a source IP address from within an intranet
  - Thus, the interface from which a packet arrives is as important as the IP header info
  - Prevents easy spoofing of source IP addresses
- Sample policy #2: filtering of all inbound UDP packets is popular among corporations to block external video on intranet
  - What about DNS? Can limit to a few inbound ports from trusted DNS servers; can also remember that you're expecting a response from a particular DNS server. Can't entirely eliminate spoofing of external addresses though

Firewalls (4)
- Sample policy #3: Enable all outgoing TCP connections but block all incoming TCP connections
  - Looks inside TCP packets and rejects all inbound SYN attempts
  - Variation: look inside TCP packets and reject all inbound packets with the TCP ACK bit set to 0; accomplishes the same effect as rejecting inbound SYNs
    - TCP ACK bit is set to 0 only for the first segment of a TCP connection, otherwise it is set to 1 for responses
  - "Layer 4" switch

Firewalls (5)
- Sample policy #4: Packet-filtering firewalls can reject all inbound packets from a block of addresses
  - Some ISPs have in the past rejected all packets with IP source addresses from China because hackers often use insecure servers in China to launch DOS attacks

Firewalls (6)
- FTP and firewalls: FTP'ing between an intranet client and an external server creates both an outbound control connection (port 21) and an inbound TCP data connection (port 20)
  - The inbound data connection gets blocked by a firewall implementing sample policy #3
  - Solution: server supports the PASV option, chooses a port > 1023, informs the client of its port via the control channel, then the client initiates a TCP connection to the server's chosen port thru the firewall
  - Most Web browsers support the PASV option but not all FTP servers
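A packet filter that implements the four sample policies of the Firewalls (2) through (6) slides and then runs the FTP and DNS cases through it, as an added example that is not from the lecture. Rules are 5-tuples (protocol, source address, source port, destination address, destination port) with "*" wildcards, as on the Firewalls (2) slide; each packet also carries the interface it arrived on (sample policy #1) and its TCP ACK bit (sample policy #3). The `Packet` and `Firewall` classes, the 10.0.0.0/8 intranet, the web server and trusted DNS addresses, the blocked range standing in for sample policy #4, and the port numbers in the scenarios are all constructed for this example.

```python
# Added example: filter-based firewall applying the slides' sample policies
# #1 to #4, with the expected-DNS-reply table and the active/passive FTP
# cases. Not from the slides; all addressing is constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    iface: str    # interface it arrived on: "ext" (Internet side) or "int" (intranet side)
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: int = 1  # TCP ACK bit; 0 only on the first segment of a connection


INTRANET = ipaddress.ip_network("10.0.0.0/8")                   # constructed
WEB_SERVER = "10.0.0.80"                                        # constructed
TRUSTED_DNS = {"198.51.100.53"}                                 # constructed
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]      # sample policy #4, constructed


def matches(rule, pkt):
    """5-tuple rule (proto, src, sport, dst, dport); '*' matches anything."""
    fields = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return all(r == "*" or r == f for r, f in zip(rule, fields))


class Firewall:
    def __init__(self, allow_list):
        self.allow_list = allow_list   # explicit inbound exceptions, as 5-tuples
        self.pending_dns = set()       # (client ip, client port, server ip) awaiting a reply

    def decide(self, pkt):
        """Return ("allow" | "drop", reason); rules are tried in order."""
        if pkt.iface == "int":
            # Outbound traffic passes; remember DNS queries so the reply can come back
            if pkt.proto == "udp" and pkt.dport == 53:
                self.pending_dns.add((pkt.src, pkt.sport, pkt.dst))
            return "allow", "outbound"
        src = ipaddress.ip_address(pkt.src)
        if src in INTRANET:
            return "drop", "policy #1: intranet source address arriving on external interface"
        if any(src in net for net in BLOCKED_RANGES):
            return "drop", "policy #4: source in blocked address range"
        if any(matches(rule, pkt) for rule in self.allow_list):
            return "allow", "on allow list"
        if pkt.proto == "udp":
            key = (pkt.dst, pkt.dport, pkt.src)
            if pkt.sport == 53 and pkt.src in TRUSTED_DNS and key in self.pending_dns:
                self.pending_dns.discard(key)
                return "allow", "expected DNS reply"
            return "drop", "policy #2: inbound UDP"
        if pkt.ack == 0:
            return "drop", "policy #3: inbound TCP connection attempt (ACK=0)"
        return "allow", "response to an outbound TCP connection"


def make_firewall():
    # Wildcard entry in the spirit of the Firewalls (2) slide: any TCP source
    # address and source port, destined for port 80 on the web server
    return Firewall([("tcp", "*", "*", WEB_SERVER, 80)])


def ftp_scenarios(fw):
    """Active vs passive FTP data connections through a policy-#3 firewall."""
    client, server = "10.0.0.7", "192.0.2.21"
    active = Packet("ext", "tcp", server, 20, client, 40001, ack=0)       # server opens the data connection
    passive = Packet("int", "tcp", client, 40002, server, 50123, ack=0)   # PASV: client opens to port > 1023
    passive_reply = Packet("ext", "tcp", server, 50123, client, 40002)    # SYN/ACK back, ACK bit = 1
    return fw.decide(active)[0], fw.decide(passive)[0], fw.decide(passive_reply)[0]


def dns_scenario(fw):
    """Policy #2 with the DNS exception: the expected reply passes, a stray UDP packet does not."""
    query = Packet("int", "udp", "10.0.0.7", 5353, "198.51.100.53", 53)
    reply = Packet("ext", "udp", "198.51.100.53", 53, "10.0.0.7", 5353)
    stray = Packet("ext", "udp", "192.0.2.99", 4000, "10.0.0.7", 5004)
    return fw.decide(query)[0], fw.decide(reply)[0], fw.decide(stray)[0]


if __name__ == "__main__":
    fw = make_firewall()
    print("ftp:", ftp_scenarios(fw))   # ('drop', 'allow', 'allow')
    print("dns:", dns_scenario(fw))    # ('allow', 'allow', 'drop')
```

Rule order matters: the interface check for policy #1 runs before the allow list, so a packet from the Internet claiming an intranet source address is dropped even if it would otherwise match the port-80 entry, and the active-FTP data connection is dropped for the same reason the slide gives, an inbound first segment with ACK = 0.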