_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1  Wiley and the book authors, 2001 E-Commerce: Fundamentals and Applications Chapter 8 : Internet Security

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications2  Wiley and the book authors, 2001 Outline IPSec protocol The authentication header (AH) service The encapsulating security payload (ESP) service Application of IPSec : Virtual private network Firewalls Different types of firewalls Examples of firewall systems Secure socket layer (SSL)

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications3  Wiley and the book authors, 2001 IPSec Service Protected IP packet Upper Layer Data IPSec Header IP Header SPD and SAD IPSec Processor IPSec-enabled host or gateway Non-IPSec enabled host IPSec-enabled gateway IP Header IPSec-enabled host/gateway SA Unprotected IP packet Protected IP packet through tunneling SA Upper Layer Data IP Header IPSec Header Gateway’s IP Header Upper Layer Data

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications4  Wiley and the book authors, 2001 Virtual Private Network Non- IPSec enabled host IPSec enabled gateway Internet IPSec enabled gateway Intranet IPSec enabled host Intranet Non- IPSec enabled host IPSec enabled host End-to-end SA IP Tunnel

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications5  Wiley and the book authors, 2001 Firewall Internet Firewall Insecure Secure Intranet

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications6  Wiley and the book authors, 2001 Types of Firewalls Packet Filtering Router Application Level Gateway Circuit Level Gateway

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications7  Wiley and the book authors, 2001 Firewall Example Intranet Internet Public server (e.g. web server) PR PR Private server Hosts Bastion host (application gateway) PR: Packet filtering router b a Hosts Source IP Address Source Port Destination IP address Destination Port Action (allow/ deny)Remarks * * b * Allow (inbound only) Allow internet hosts to communicate with the public server. b *** Allow (outbound only) Allow the public server to communicate with internet hosts. ** a * Allow (inbound only) Allow internet hosts to communicate with the intranet through the bastion host. a *** Allow (outbound only) Allow intranet hosts to communicate with the Internet through the bastion host. **** DenyDeny all other packets. (Note : Each small letter represents an IP address. * means any value. A specific port may also be set) Illustrative filtering rules for the packet filtering router Reference : Semeria, C., Internet Firewalls and Security, http://

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications8  Wiley and the book authors, 2001 Firewall Example Key filtering rules for the inside packet filtering router Intranet DMZ Internet Public server (e.g. web server) OP R Modem pools IP R Private server Hosts Bastion host (application gateway) IPR: Inside packet filtering router OPR: Outside packet filtering router a b Hosts Source IP Address Source PortDestination IP address Destination PortAction (allow/ deny) Remarks ** a * Allow (inbound only) Allow internet hosts to communicate with the bastion host. ** b * Allow (inbound only) Allow internet hosts to communicate with the public server directly. a *** Allow (outbound only) Allow intranet hosts to communicate with the internet through the bastion host. b *** Allow (outbound only) Allow the public server to communicate with internet hosts. **** DenyDeny all other packets. (Note : Each small letter represents an IP address. * means any value. A specific port may also be set.) Reference : Semeria, C., Internet Firewalls and Security, http://

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications9  Wiley and the book authors, 2001 Firewall Example (Cont’) Illustrative filtering rules for the inside packet filtering router (Note : Each small letter represents an IP address. * means any value. A specific port may also be set.) Source IP Address Source Port Destination IP address Destination Port Action Remarks a *** Allow Allow internet hosts to communicate with the intranet through the bastion host. (from the DMZ to the intranet only) ** a * Allow Allow intranet hosts to communicate with the internet through the bastion host. (from the intranet to the DMZ only) **** Deny Deny all other packets.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications10  Wiley and the book authors, 2001 Secure socket layer (SSL) SSL was invented by Netscape to make use of TCP to provide an end-to-end secure data transport service e.g., for HTTP A socket connection is set up to port 443 instead of port 80 of the Web server. In the URL, “https” instead of “http” is used. Visit:  A TLS working group has been formed within the IETF to develop a common standard.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications11  Wiley and the book authors, 2001 Functions of the SSL sub-protocols SSL handshake protocol  Allow the server and the client to agree the security parameters for subsequent data transfer SSL change cipher spec protocol  Change/update the cipher suite SSL alert protocol  Send an alert message to the other side SSL record protocol  Provide secure data transport service using the agreed security parameters

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications12  Wiley and the book authors, 2001 Handshake Protocol (a) Full version (b) Resuming a previous session (1) Send ClientHello (2) Return ServerHello (3) Send Digital Certificates(if required) (4) Send ServerKeyExchange(if required) (5) Send CertificateRequest(if required) (6) Send ServerHelloDone (7) Send Digital Certificates(if required) (8) Send ClientKeyExchange (9) Send CertificateVerify (if required) (10) Send ChangeCipherSpec (11) Send Finished (12) Send ChangeCipherSpec (13) Send Finished ClientServer (1) Send ClientHello (2) Return ServerHello (3) Send ChangeCipherSpec (4) Send Finished (5) Send ChangeCipherSpec (6) Send Finished ClientServer

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications13  Wiley and the book authors, 2001 Typical Secure Network Private Network Internet Business partners (e.g. publishers) Branch Offices Public IP tunnel SSL Other systems Firewall Intranet