COMP3123 Internet Security Richard Henson University of Worcester November 2010.

Week 7: Communications: Securing LAN–LAN data using VPNs and secure protocols

Objectives:
- Relate Internet security problems to the TCP/IP protocol stack
- Explain Internet security solutions that use the principles of a VPN
- Explain Internet security solutions at OSI levels above IP routing

Security and the OSI layers

- The original OSI reference model has seven layers
- The TCP/IP model collapses them into four: the physical and data link layers become a single link layer, and the session and presentation layers are folded into the application layer (so there is no separate level 5)
- Diagram on the original slide: application protocols (TELNET, FTP, SMTP, NFS, DNS, SNMP) over TCP or UDP (transport) over IP (network)

TCP/IP and the Seven Layers

- TCP (Transmission Control Protocol) and IP (Internet Protocol) make up only part (layers 4 and 3 respectively) of the seven layers
  - the lower layers are required to carry IP packets as frames and as electrical or optical signals
  - the upper layers sit on TCP (or UDP) and produce what the user sees on screen
- Each layer boundary is a potential security problem: a control at one layer (e.g. an application password) says nothing about what an attacker can do at the layers below (e.g. sniffing or altering frames on the wire)
- Diagram on the original slide: hardware / IP / TCP / screen

Intranets

- Definition: an in-house Web site that serves the employees of the enterprise. Although intranet pages may link to the Internet, an intranet is not a site accessed by the general public.
- Achieved by organisations using HTTP to share data in a WWW-compatible format
- Implemented as:
  - a single LAN with a web server
  - several interconnected LANs, which
    - cover a larger geographic area
    - use secure user authentication
    - use a secure data transmission system

Extranets

- Definition: organisational web sites for employees and existing customers rather than the general public
- An extension of the Intranet to cover selected trusted "links"
  - e.g. for an organisation the "trusted" links might be to customers and business partners
  - uses the public Internet as its transmission system, but requires authentication (e.g. passwords) to gain access
- Can provide access to:
  - paid research
  - current inventories
  - internal databases
  - virtually any information that is private and not published for everyone

Issues in creating an Extranet

- As with the Intranet, use of public networks means that security must be handled through the appropriate use of secure authentication and transmission technologies
- Private leased lines between sites keep the traffic off the public Internet altogether
  - more secure, because the traffic is never exposed to third-party networks, but expensive (a cost/risk balance)
  - note that a leased line gives isolation, not encryption: the carrier can still see the traffic
- If using the Internet:
  - client-server web applications can be used across different sites
  - BUT the security issues (authentication, confidentiality, integrity) need resolving

Securing Authentication through Extranets

- Kerberos and trusted domains
  - the Windows 2000 solution: Active Directory domains, with Kerberos as the default authentication protocol
- Potential security problem:
  - several TCP/UDP ports are used when establishing a session, e.g. Kerberos authentication on port 88 plus the associated directory and name-resolution traffic
- Solution:
  - firewall configured to allow the relevant ports to be opened only for "trusted" hosts, i.e. the specific partner addresses that need them, never the whole Internet

Securing Sharing of Data through Extranets

- An Extranet client uses the web server and browser for user interaction
  - standard level 7 WWW protocol (HTTP) to display HTML data
- Raw HTML data passes through the firewall to the Internet in cleartext
  - it could be "sensitive" for the organisation, and anyone on the path can read or alter it
- Under IETF guidance, developers came up with RFCs for a secure version of HTTP
  - two separate approaches emerged: Secure HTTP (S-HTTP, an experimental message-level protocol) and HTTPS (ordinary HTTP carried over an SSL/TLS connection)
  - HTTPS is the one browsers and servers actually adopted; an "https://" URL refers to HTTP over SSL/TLS, not to S-HTTP

The Internet generally uses IP: HOW can data be secured?

- Illustration on the original slide (2010: more than 600 million hosts)

Securing the Extranet

- Problem:
  - IP sends each packet off in a direction determined by the destination IP address and the routers' routing data
  - the sender has no control over the path, so packets can be intercepted or redirected by anyone controlling an intermediate router or link
- Solution at the upper layers: secure application protocols
  - HTTPS: HTTP over SSL/TLS, so pages are encrypted in transit and the server is authenticated by its certificate; access can then be restricted to authenticated users
  - SSH: secure remote login, replacing Telnet
  - SFTP and SCP: secure file transfer over SSH, replacing FTP
  - SSL/TLS itself sits between TCP (level 4) and the application; it protects the payload of a TCP connection but does not change how IP routes the packets
- Protection against interception at the lower OSI layers
  - Virtual Private Networks: encrypt and encapsulate at level 2 or 3, so that whatever path the packets take, their contents are protected

SSH (Secure Shell)

- Designed in 1995 by Tatu Ylönen at Helsinki University of Technology as a secure replacement for rlogin, rsh and Telnet (SSH-1)
  - server listens on TCP port 22
  - runs on a variety of platforms
- Enhanced version SSH-2
  - public-key cryptography for host authentication (the server's host key, which the client remembers in known_hosts) and optionally for user authentication; X.509 certificates are not required
  - stronger key exchange (Diffie-Hellman) and integrity protection (HMAC) than SSH-1, which has known protocol weaknesses and should no longer be used
  - standardised by the IETF in 2006 as RFC 4251-4254 (RFC 4252 covers the authentication protocol)
- By contrast, Telnet and FTP:
  - can authenticate with a username and password
  - BUT send both the credentials and the session data in cleartext

Secure HTTP (S-HTTP)

- The IETF set up the WTS (Web Transaction Security) working group in 1995 to:
  - look at proposals for a secure version of HTTP
  - ensure secure embedding of any emerging protocol with HTML
- Proposals published in 1999 as Experimental RFCs:
  - RFC 2659: security extensions for HTML documents
  - RFC 2660: the S-HTTP protocol itself
- S-HTTP signs or encrypts individual HTTP messages rather than the connection; it was never widely implemented, because HTTPS (HTTP over SSL/TLS, later described in RFC 2818) had already won in the browser market

More about HTTPS

- HTTP carried over SSL/TLS:
  - works with Netscape's SSL (later the IETF's TLS) and a PKI
  - ensures confidentiality and integrity of HTML data sent through the Internet, and authenticates the server
- When a browser requests a web page:
  - normally (http://) it is just downloaded in cleartext
  - if the URL is https://, the browser first performs an SSL/TLS handshake: the server presents its certificate, and the browser checks that the certificate chains to a trusted certification authority, is within its validity period and matches the host name in the URL
  - only then is the page requested, over the encrypted connection
- Authentication of the server therefore rests on the certification authority that issued the certificate (e.g. VeriSign at the time)
  - the connection is only as trustworthy as that CA and the browser's checking of the certificate

SSL (Secure Sockets Layer)

- Developed by Netscape (SSL 2.0 released in 1995, SSL 3.0 in 1996)
  - so that browsers could participate in secure Internet transactions
  - soon became the most commonly used protocol for e-commerce transactions
  - SSL 2.0 was found to have serious design flaws, and SSL 3.0 has since been deprecated as well; modern deployments should use TLS 1.2 or later
- Upper layer security, transparent to the application:
  - the server (and optionally the client) is authenticated with its certificate; RSA (or Diffie-Hellman) is used only to agree a session key
  - the HTTP data itself is encrypted with a symmetric cipher under that session key and protected against tampering with a MAC, before sending and after receiving, between Internet hosts
  - PKI compatibility means that X.509 digital certificates are supported

Extending SSL

- The SSL standard was submitted by Netscape to the IETF for further development
  - TLS working group set up in 1996
  - worked from Netscape's SSL 3.0 specification
  - agreed standard published in 1999 as RFC 2246: TLS 1.0 (Transport Layer Security)
- TLS 1.0 is a modest revision of SSL 3.0 (different key derivation, HMAC for integrity, standard cipher suites), not a move to a different layer
  - both SSL and TLS sit in the same place, above TCP (level 4) and below the application (level 7); labelling one "level 5" and the other "level 4" is not meaningful
  - later versions (TLS 1.1, 1.2, 1.3) fix weaknesses found in the earlier ones

Secure HTTP, SSL and TLS

- Together, HTTPS over SSL/TLS provides a secure interface between TCP (level 4) and HTML (level 7)
  - a very secure conduit for message transfer across the Internet, provided the client actually checks the server certificate and refuses the broken protocol versions
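The checks behind the browser's "lock" (certificate chain, host name match, acceptable protocol version), as an added example using Python's standard ssl module. This is not code from the original slides; it contrasts a permissive legacy client with a hardened one. The `cafile` parameter and the example.com URL in the usage note are assumptions supplied by the caller, and the `fetch` function needs network access, so only the context settings are exercised offline.

```python
"""Client-side SSL/TLS configuration: permissive 'before' versus hardened 'after'.
Added example, not part of the original slides. Requires Python 3.7+ (ssl.TLSVersion)."""
import ssl
import urllib.request


def weak_context():
    """Behaves like an early SSL client: accepts any certificate (self-signed,
    expired, wrong host) and the lowest protocol version the library allows.
    Shown only as the 'before' configuration; never deploy this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE                      # no chain validation at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile=None):
    """The checks a browser performs before showing the lock:
    - verify_mode CERT_REQUIRED: the server certificate must chain to a trusted root
    - check_hostname: the certificate's name must match the host in the URL
    - minimum_version TLS 1.2: SSL 2.0/3.0 and TLS 1.0/1.1 are refused
    cafile: optional PEM bundle for an organisation's own CA (hypothetical path
    chosen by the caller); with None the platform's trusted roots are used."""
    ctx = ssl.create_default_context(cafile=cafile)      # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings so a context can be audited."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def fetch(url, ctx):
    """Fetch a URL over HTTPS with the given context. With hardened_context a
    self-signed, expired or wrongly named certificate raises
    ssl.SSLCertVerificationError instead of silently succeeding."""
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    print("weak:    ", describe(weak_context()))
    print("hardened:", describe(hardened_context()))
```

Usage: `fetch("https://example.com/", hardened_context())` (URL chosen for illustration) succeeds only if the server's certificate passes all three checks; the same call with `weak_context()` would accept a self-signed certificate presented by a man in the middle. The `cafile` argument is how an organisation that signs its own server certificates gets its root trusted without a browser alert.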

VPNs: restricted use of the Physical Internet

- Diagram on the original slide: the VPN path across the Internet, shown in green

VPNs (Virtual Private Networks)

- Two-pronged defence:
  - logically keeping the data away from unsecured hosts: packets travel inside a tunnel between two known endpoints, so intermediate systems only ever see the outer wrapper
  - data encapsulated and encrypted, so it appears to travel as if on a point-to-point link and is still secure even if intercepted
- The VPN does not control the physical route packets take through the Internet; it makes the route irrelevant by protecting the packets
- Whichever protocol is used, the result is a system in which all traffic between the sites passes through the tunnel endpoints and is protected in between

Principles of VPN protocols

- The tunnel: where the private data is encapsulated
- The VPN connection: where the private data is encrypted

Principles of VPN protocols

- To emulate a point-to-point link:
  - data encapsulated, or wrapped, with a header
    - provides routing information
    - allows packets to traverse the shared public network to the tunnel endpoint
- To emulate a private link:
  - data encrypted for confidentiality (and, in any sound design, authenticated so that modification and replay are detected)
- Any packets intercepted on the shared public network are indecipherable without the encryption keys

Potential weakness of the VPN

- Once the data is encrypted and in the tunnel it is very secure
- BUT
  - to be secure, it MUST be encrypted and tunnelled throughout its whole journey
  - if any part of that journey is outside the tunnel:
    - e.g. the network path from the office to an outsourced VPN provider's endpoint
    - obvious scope for security breaches

Using a VPN as part of an Extranet

- Diagram on the original slide

Using a VPN for point-to-point

- Diagram on the original slide

Using a VPN to connect a remote computer to a Secured Network

- Diagram on the original slide

VPN-related protocols offering even greater Internet security

- Two families of protocol are available for creating a secure VPN:
  - Layer 3:
    - IPsec: security extensions to IP itself, which encrypt and authenticate IP packets (it is not a routing protocol; routing is unchanged)
  - Layer 2 "tunnelling" protocols, which encapsulate PPP frames inside IP packets so that a remote link behaves like a dial-up connection:
    - PPTP (Point-to-Point Tunnelling Protocol)
    - L2TP (Layer 2 Tunnelling Protocol)

IPsec

- The IETF's standard for securing IP
  - originally defined by RFC 2401 (1998), now superseded by RFC 4301 (2005)
  - uses ESP (Encapsulating Security Payload) at the IP packet level for encryption and integrity, and optionally AH (Authentication Header) for integrity only
- IPsec provides security services at the IP layer by:
  - enabling a system to select the required security protocols (ESP can be used with a number of encryption algorithms)
  - determining the algorithm(s) to use for the chosen service(s)
  - putting in place any cryptographic keys required to provide the requested services (normally negotiated with IKE, the Internet Key Exchange)
- Each ESP packet carries an SPI (identifying the security association), a sequence number (for replay protection), the encrypted payload with its trailer, and an integrity check value
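The "encapsulate, encrypt, authenticate" principle from the VPN slides, and the ESP packet layout and anti-replay window from this IPsec slide, as one added worked example. This is illustration code written for this page, not the slides' own code and not an implementation of the IPsec RFCs: the keys, SPI and inner packet are constructed test data, and HMAC-SHA256 in counter mode stands in for the block cipher purely to keep the example standard-library only (a real implementation uses AES-GCM or AES-CBC with HMAC, as negotiated by IKE).

```python
"""ESP-style tunnel-mode encapsulation with a replay window (added example).
Layout: SPI | seq | IV | encrypt(inner packet | padding | pad_len | next_header) | ICV."""
import hashlib
import hmac
import os
import struct

ENC_KEY = bytes(range(32))          # constructed demo keys: never reuse in practice
AUTH_KEY = bytes(range(32, 64))
SPI = 0x1000ABCD                    # constructed Security Parameters Index
NEXT_HEADER_IPV4 = 4                # tunnel mode: the payload is a whole IPv4 packet
ICV_LEN = 16                        # truncated HMAC, as in HMAC-SHA-256-128
# Constructed inner packet: minimal IPv4 header (10.0.0.1 -> 10.0.0.2, UDP) plus 14 data bytes.
INNER_PACKET = bytes.fromhex("4500002200010000401100000a0000010a000002") + b"hello extranet"


def _keystream(key, iv, length):
    """PRF keystream HMAC(key, iv || counter), a stdlib stand-in for a block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(inner_packet, seq, iv=None):
    """Wrap one inner packet; the ICV covers header, IV and ciphertext."""
    iv = iv if iv is not None else os.urandom(16)        # fresh IV per packet
    pad_len = (-(len(inner_packet) + 2)) % 4              # align the trailer to 4 bytes
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPV4])
    ciphertext = _xor(plaintext, _keystream(ENC_KEY, iv, len(plaintext)))
    body = struct.pack(">II", SPI, seq) + iv + ciphertext
    return body + hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]


class ReplayWindow:
    """Sliding anti-replay window; bit i of bitmap set <=> seq (top - i) already seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        """Record seq and return True if it is new and not too old, else False."""
        if seq == 0:                                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:                                # slide the window forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                                  # too old, or a replay
        self.bitmap |= 1 << offset
        return True


def esp_decapsulate(packet, window):
    """Verify ICV first (so forgeries never move the window), then replay-check, then decrypt."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed: packet forged or corrupted")
    spi, seq = struct.unpack(">II", body[:8])
    if spi != SPI:
        raise ValueError("unknown SPI: no matching security association")
    if not window.accept(seq):
        raise ValueError("replayed or stale sequence number %d" % seq)
    iv, ciphertext = body[8:24], body[24:]
    plaintext = _xor(ciphertext, _keystream(ENC_KEY, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def rejects(packet, window):
    """True if the receiver drops the packet."""
    try:
        esp_decapsulate(packet, window)
        return False
    except ValueError:
        return True


def demo():
    """Sender/receiver exchange: round trip, replay, reordering, tampering."""
    window = ReplayWindow()
    first, third, second = (esp_encapsulate(INNER_PACKET, seq=s) for s in (1, 3, 2))
    next_header, inner = esp_decapsulate(first, window)
    return {
        "roundtrip": next_header == NEXT_HEADER_IPV4 and inner == INNER_PACKET,
        "replay_dropped": rejects(first, window),                  # same packet delivered twice
        "reordered_accepted": not rejects(third, window) and not rejects(second, window),
        "tampered_dropped": rejects(first[:40] + bytes([first[40] ^ 1]) + first[41:], ReplayWindow()),
        "wire_bytes": len(first),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in `esp_decapsulate` is the security-relevant detail: the integrity check comes before the window update, so an attacker who cannot forge the ICV cannot advance the window and cause genuine in-flight packets to be dropped as "stale". The sequence-number window is also what distinguishes "encrypted" from "secure": without it, a recorded packet could be replayed indefinitely even though its contents are unreadable.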

More about IPsec in practice

- The two endpoints must authenticate each other when the security association is set up
  - IKE can do this with X.509 certificates from a PKI or with a pre-shared key; a PKI is not mandatory
  - both ends must be IPsec compliant, but not the various network systems that may be between them
- Can therefore be used to protect paths between:
  - a pair of hosts (transport mode)
  - a pair of security gateways (tunnel mode, site to site)
  - a security gateway and a host (tunnel mode, remote access)
- Works with IPv4 and IPv6

PPTP

- Developed by a consortium led by Microsoft
  - proposal submitted to the IETF and published as RFC 2637 (informational, 1999)
- Extension of PPP
  - uses PPP authentication (in practice MS-CHAP or MS-CHAPv2) and Microsoft's own MPPE encryption, with the PPP frames carried over GRE
  - allows organisations to extend their corporate network by using private "tunnels" over the public Internet
  - effectively using the WAN as a single large LAN
- Claimed to provide a secure connection over public networks
  - but the MS-CHAP/MPPE combination has well-documented weaknesses (the encryption key is derived from the user's password, and the challenge-response can be attacked offline), so PPTP is not accepted as secure

L2TP

- IETF standard (RFC 2661) combining:
  - Microsoft's PPTP
  - Cisco's L2F (Layer 2 Forwarding)
- L2TP on its own only tunnels; it provides no encryption:
  - like PPTP, it can use PPP authentication and access controls (PAP and CHAP, neither of which protects the session data)
  - it uses PPP's NCP (IPCP) to handle remote address assignment for the remote client
- IPsec is therefore optional in the protocol but necessary in practice
  - L2TP over IPsec (RFC 3193) is the usual combination: IPsec ESP protects the L2TP/UDP packets
  - without IPsec there is no reliance on a PKI and less overhead, but also no confidentiality

Implementation of HTTPS

- Like HTTP, HTTPS is a client-server protocol
  - Server end:
    - web server configured to provide HTTPS access (normally on TCP port 443)
    - valid server certificate, issued by a CA the clients trust, to authenticate the server to the client
  - Client end:
    - browser needs to be able to identify and authenticate secure HTTP traffic:
      - "https://" at the start of the URL
      - "lock" symbol in the browser (where it appears depends on the browser; older browsers showed it in the status bar at the bottom of the screen)

Configuring a Web Server for HTTPS

- Any properly configured web server will offer unsecured links to many WWW pages (HTTP)
- A secure web server can ADDITIONALLY offer secure links to specified folders, or to the whole site (HTTPS)
  - BUT it must first obtain a server certificate, e.g. from VeriSign or an affiliate, or from the organisation's own CA
  - the server sends that certificate to the client browser during the handshake, so that the browser can verify that it trusts the web page provider

IIS Configuration to support SSL and HTTPS

- A "wizard" drives the whole process
  - need administrator access to IIS in "webserver" mode
  - open the web site's properties and access the "Directory Security" tab
  - click on "Server Certificate" and the wizard begins: it generates the key pair and a certificate request to send to the CA
- Once the CA has issued the certificate and IIS has installed it, development of a secure website can begin in specific folders (or for the whole site)

Web Server Configuration for client-end HTTPS

- IF the web server is properly configured for HTTPS:
  - it HAS a server certificate
    - viewable by client browsers, chaining to a trusted CA, not revoked and not out of date
  - and, optionally, the protected folders are ALSO username/password protected (HTTPS authenticates the server; user authentication is a separate step that HTTPS merely keeps confidential)
- THEN:
  - the browser will allow HTTPS access to the site
  - the "lock" symbol appears
    - click on the "lock" symbol for the server certificate details
  - any username/password challenge for a protected folder travels over the encrypted connection
- Otherwise a certificate warning is displayed, or a "not authorised" message if the user's credentials are rejected

The Server Certificate

- Both encryption and identity checking require the owner of the server to obtain and install a digital SSL (server) certificate
  - more expensive than a personal certificate
  - VeriSign again a suitable source (at the time)
- Obtaining an SSL certificate:
  - the administrator generates a key pair and a certificate signing request (CSR) on the server
  - the CA checks the request (and, depending on the certificate type, the organisation's identity) and issues the certificate
  - the certificate is downloaded from the CA and installed on the relevant web server alongside its private key

Ways to "sign" an SSL Certificate

- Three possibilities:
  - Commercial CA
    - usually recognised silently by browsers, with no pop-up or alert, because the CA's root certificate ships with the browser
  - Self-signed
    - almost always produces an alert on the browser
    - shows the identity asserted (but not proved) by the server owner
    - the user is likely to be offered the option to recognise this certificate in future (effectively silencing the alert); note that an attacker presenting a different self-signed certificate looks exactly the same to the user
  - Organisation-signed (the organisation's own CA)
    - also likely to result in an alert that names the organisation, unless the organisation's root certificate has been installed on the client
    - an organisation with an existing relationship with most of its users can instruct them (or use central configuration management) to configure their browsers to silently recognise certificates signed by their own CA