Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra.

Slides:



Advertisements
Similar presentations
Encrypting Wireless Data with VPN Techniques
Advertisements

All rights reserved © 2000, Alcatel 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group.
Internet Protocol Security (IP Sec)
Network Security.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.
1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.
SCSC 455 Computer Security Virtual Private Network (VPN)
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
1 Configuring Virtual Private Networks for Remote Clients and Networks.
Guide to Network Defense and Countermeasures Second Edition
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?
Internet Security Seminar Class CS591 Presentation Topic: VPN.
Internet Protocol Security (IPSec)
VPN – Virtual Private Networking. VPN A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this.
K. Salah1 Security Protocols in the Internet IPSec.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
1 © J. Liebeherr, All rights reserved Virtual Private Networks.
Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.
NetComm Wireless VPN Functionality Feature Spotlight.
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
VPN Wireless Security at Penn State Rich Cropp Senior Systems Engineer Information Technology Services The Pennsylvania State University © All rights.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Course 201 – Administration, Content Inspection and SSL VPN
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 23 Virtual Private Networks (VPNs)
Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Virtual Private Network (VPN) SCSC 455. VPN A virtual private network that is established over, in general, the Internet – It is virtual because it exists.
What Is Needed to Build a VPN? An existing network with servers and workstations Connection to the Internet VPN gateways (i.e., routers, PIX, ASA, VPN.
1. Collision domains are unsecure 2. The employees often need to remote access to corporate network resources  The Internet traffic is much more vulnerable.
OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
12-Sep-15 Virtual Private Network. Why the need To transmit files securely without disclosing sensitive information to others in the Internet.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
11 SECURING COMMUNICATIONS Chapter 7. Chapter 7: SECURING COMMUNICATIONS2 CHAPTER OBJECTIVES  Explain how to secure remote connections.  Describe how.
BY MOHAMMED ALQAHTANI (802.11) Security. What is ? IEEE is a set of standards carrying out WLAN computer communication in frequency bands.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration VPNs.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Virtual Private Networking Irfan Khan Myo Thein Nick Merante.
Module 5: Configuring Access for Remote Clients and Networks.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.
Network Security Lecture 20 Presented by: Dr. Munam Ali Shah.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
Virtual Private Networks (VPNs) Source: VPN Technologies: Definitions and Requirements. VPN Consortium, July 2008.VPN Technologies: Definitions and Requirements.
Virtual Private Network. VPN In the most basic definition, VPN is a connection which allows 2 computers or networks to communicate with each other across.
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
IPSec VPN Chapter 13 of Malik. 2 Outline Types of IPsec VPNs IKE (or Internet Key Exchange) protocol.
Understand Network Isolation Part 2 LESSON 3.3_B Security Fundamentals.
Virtual Private Networks Ed Wagner CS Overview Introduction Types of VPNs Encrypting and Tunneling Pro/Cons the VPNs Conclusion.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.
Mar 27, 2000IETF 47 - Pyda Srisuresh1 Secure Remote Access with L2TP Pyda Srisuresh.
K. Salah1 Security Protocols in the Internet IPSec.
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.
Virtual Private Networks
Presentation transcript:

Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra

User Beware I am not a security expert I am a simple consumer of security solutions as a user of Internet-based secure services and applications

User Beware No security system is absolute All security measures mitigate risk, not eliminate it Security measures obey the law of diminishing return Determine what level of risk is acceptable Constantly review risk assumptions

The Issues Risks and vulnerabilities DNS hijacking Cache hijacking Routing hijacking Identity hijacking Session hijacking Session monitoring The Internets base trust model is very basic Security is an overlay, not an intrinsic property of the network itself

Secure Solutions What are the problems to be addressed? Identity authentication Application authentication Third party intervention monitoring awareness alteration disruption or denial hijacking

Security has many dimensions Secure end-to-end IP conversations Secure application-to-application conversations Authenticated communications Secure transport systems Secure VPNs

Security Building Blocks IPSEC + IKE End-to-End transport Gateway-to-Gateway transport Includes header and payload checksum Includes payload encryption Compute load is high IKE is not absolutely robust (evidently) Cannot tolerate NATs in the transport path Used in CPE devices for overlay VPNs

Security Building Blocks TLS (HTTPS) Application-level payload encryption Weak key exchange model Prevents interception monitoring of the application traffic No authentication

Security Building Blocks SSH Secure telnet tunnels Secure encrypted conversation between a roaming satellite and a SSH server Supports tunnels for application access (using NAT at the server) Used to support extensions of corporate access into public Internet environments Road Warrior tools

Security Building Blocks Public Key Infrastructure (PKI) Public / Private key infrastructure Allows for third party validation of identity of the end systems Allows for use of keys to perform encryption Keys normally associated with the host system, not the user of the host

Security Building Blocks Secure Transport Systems Data-link layer encryption e.g. WEP for Wi-FI Caveat regarding potential regulatory requirements for clear payload interception Not end-to-end No authentication

Secure VPNs Overlay VPNs with CPE-to-CPE IPSEC tunnels Issues with TCP MTU negotiation Issues with performance Issues with key management Vendor equipment available Common VPN solution

Secure VPNs 2547bis MPLS VPNS Use MPLS to switch from PE to PE across the provider core Further encryption of payload not strictly necessary (VC-style functionality) Requires explicit provider support Inter-provider interoperability limited

Secure Roaming IPSEC tunnel as overlay on dial PPP access SSH tunnel as overlay on access

Secure Application Services Certificates are excellent Requires initial overhead on certificate exchange Good browser support But not portable across hosts User/password + TLS is more flexible, but at a cost of higher vulnerability

Discussion Security is an overlay across the Internet, not an intrinsic part of the network itself Many security incidents are evidently the outcome of social rather than technical engineering

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.