TCP/IP Protocols Contain Five Layers


TCP/IP Protocols Contain Five Layers
The top three layers contain many protocols
Actual transmission takes place at the physical layer

TCP/IP Layers (layer diagram)
Application layer (OSI Application, Presentation and Session): SMTP, FTP, DNS, TELNET, HTTP
Transport layer: TCP, UDP
Network layer: IP, ICMP, ARP, RARP
Data Link and Physical layers: protocols specific to the underlying physical media used for data communication at the hardware level

Message Transfer using TCP/IP (diagram)
At the source the original message is wrapped in a TCP header, then an IP header, then a frame header; at the destination the headers are removed in the reverse order to recover the original message

TCP
Reliable transport layer communication
Establishes a logical connection between the communicating hosts
Socket-to-socket communication (Socket = Port + IP address)

TCP Segment Format
20-to-60 byte header consisting of the following fields:
Source port number (2 bytes)
Destination port number (2 bytes)
Sequence number (4 bytes)
Acknowledgement number (4 bytes)
Header length (4 bits)
Reserved (6 bits)
Flags
Window size
Checksum
Urgent pointer
Options (0 to 40 bytes)
Data follows the header

IP
Best effort delivery
Does not guarantee success
Leaves error checking to higher layers (e.g. to TCP)

IP Datagram Format
Version (4 bits), HLEN (4 bits), Service Type (8 bits), Total Length (16 bits)
Identification (16 bits), Flags (3 bits), Fragmentation Offset (13 bits)
Time to live (8 bits), Protocol (8 bits), Header Checksum (16 bits)
Source IP address (32 bits)
Destination IP address (32 bits)
Options
Data
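The two header layouts above (TCP segment and IP datagram) as working parsers, added here as an example and not part of the original slides. The code constructs a sample IPv4 datagram carrying a TCP SYN with the slide's addresses (a constructed packet, not captured traffic), verifies the IP header checksum, and extracts the fields the slides list; the TCP checksum, which covers a pseudo-header, is deliberately left at zero in the constructed packet. Only the standard library is used.

```python
import struct
import ipaddress

# Six classic TCP flag bits, high bit first: URG is bit 5 of the flag field, FIN is bit 0.
TCP_FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def ipv4_checksum(header: bytes) -> int:
    """16-bit one's-complement sum over the header bytes: the IP header checksum algorithm."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags=(), payload=b"", ttl=64):
    """Build a constructed IPv4 datagram carrying a TCP segment (no options in either header).

    The TCP checksum is left at zero (it needs a pseudo-header); the IP header checksum is
    computed for real so that parse_ipv4() can verify it.
    """
    flag_bits = 0
    for name in flags:
        flag_bits |= 1 << (5 - TCP_FLAG_NAMES.index(name))
    # data offset = 5 words (20 bytes), reserved bits zero, then the 6 flag bits
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits, 65535, 0, 0)
    total_length = 20 + len(tcp) + len(payload)
    # version 4 / HLEN 5 words, service type 0, identification, DF flag (0x4000), TTL, protocol 6 = TCP
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, ttl, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    head = head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]
    return head + tcp + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the IP datagram fields from the slide and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_hlen, service_type, total_length, ident, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = ver_hlen >> 4, (ver_hlen & 0x0F) * 4     # HLEN counts 32-bit words
    if version != 4 or hlen < 20 or hlen > len(packet) or total_length > len(packet):
        raise ValueError("malformed IPv4 header")
    header = packet[:hlen]
    zeroed = header[:10] + b"\x00\x00" + header[12:]        # checksum field is zero when computed
    return {
        "version": version, "hlen": hlen, "service_type": service_type,
        "total_length": total_length, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": protocol,
        "checksum_ok": ipv4_checksum(zeroed) == checksum,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": header[20:], "payload": packet[hlen:total_length],
    }


def parse_tcp(segment: bytes) -> dict:
    """Parse the TCP segment fields from the slide: ports, sequence/ack numbers, header length, flags."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4            # header length in 32-bit words: 20 to 60 bytes
    if hlen < 20 or hlen > 60 or hlen > len(segment):
        raise ValueError("bad TCP header length")
    flag_bits = off_flags & 0x3F
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "hlen": hlen,
        "flags": {name: bool(flag_bits & (1 << (5 - i))) for i, name in enumerate(TCP_FLAG_NAMES)},
        "window": window, "checksum": checksum, "urgent_pointer": urgent,
        "options": segment[20:hlen], "data": segment[hlen:],
    }
```

A practitioner's check to keep in mind: the IP checksum protects only the header against accidental corruption, which is why the slide says error checking of the data is left to TCP; flipping any header byte of the constructed packet makes checksum_ok come back False.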

Network Aspects
Internal network (e.g. LAN)
External network (e.g. Internet)
Threats come from the external network to the internal network

Network Threats (diagram)
A corporate network backbone connects through a router to the Internet
Outside dangers can come in through this router, and inside information can leak out through it

Firewall
Special type of router
Controls transmission between internal and external networks
Decides what to allow and what to disallow

NAT Implementation (diagram)
Internal network with internal IP addresses: 192.168.10.1, 192.168.10.2, 192.168.10.3
NAT router: internal IP address 192.168.10.10, external IP address 201.26.7.9
The router's external interface connects to the Internet

NAT Example (diagram)
Outgoing packet: Source 192.168.10.1 inside the internal network; the NAT router (192.168.10.10 / 201.26.7.9) rewrites it to Source 201.26.7.9 on the Internet side
Incoming packet: Destination 201.26.7.9 on the Internet side; the NAT router rewrites it to Destination 192.168.10.1

NAT Translation Table (diagram)
Outgoing: Source 192.168.10.1, Destination 210.10.20.20 becomes Source 201.26.7.9, Destination 210.10.20.20 after NAT
Translation table (Internal to External): 192.168.10.1 maps to 201.26.7.9, and so on for other internal hosts
Incoming: Source 210.10.20.20, Destination 201.26.7.9 becomes Destination 192.168.10.1 after NAT
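The translation table in operation, as an added example that is not part of the original slides. It goes one step beyond the slide's address-only table: internal (address, port) pairs are mapped to distinct ports on the single external address 201.26.7.9, which is how several internal hosts can share one external address. The internal prefix 192.168.10.0/24 and the starting external port are assumptions; the packets are constructed. The security-relevant behaviour is in inbound(): a packet from the Internet with no matching table entry has nowhere to go and is dropped.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Address-and-port NAT: internal (address, port) pairs map to ports on one external address."""

    def __init__(self, internal_net: str, external_ip: str, first_port: int = 20000):
        self.internal_net = ipaddress.ip_network(internal_net)   # assumed internal prefix
        self.external_ip = external_ip
        self.next_port = first_port                              # assumed first external port
        self.table = {}      # (internal address, internal port) -> external port
        self.reverse = {}    # external port -> (internal address, internal port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the internal network, adding a table entry if needed."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            raise ValueError("outbound packet does not come from the internal network")
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[port] = key
        return replace(pkt, src=self.external_ip, sport=self.table[key])

    def inbound(self, pkt: Packet):
        """Rewrite the destination of a packet arriving from the Internet; drop it if no entry exists."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.reverse.get(pkt.dport)
        if entry is None:
            return None   # unsolicited: no internal host opened this mapping, so the packet is dropped
        src, sport = entry
        return replace(pkt, dst=src, dport=sport)
```

Real NAT devices also expire table entries after a period of inactivity; without that, the reverse table only grows.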

Firewall Concept (diagram)
A firewall sits between the corporate network backbone and the Internet, so all traffic to and from the Internet passes through it

Firewall Types
Firewalls are of two types: Packet Filters and Application Gateways

Packet Filter (diagram)
A packet filter sits between the Internet and the internal (private) network; the internal network behind it is the protected zone

Packet Filter Operation
Applies to both outgoing and incoming packets
Receive each packet
Apply the rules
If no rule matches, apply the default rule

Packet Filter Defeating IP Spoofing Attack (diagram)
The internal network hosts have IP addresses 178.29.10.89, 178.29.10.90 and 178.29.10.91
An incoming packet from the Internet carries source address 178.29.10.91, an internal address, so the packet filter stops it

Application Gateway (diagram)
The application gateway terminates the inside connection and the outside connection separately for each application protocol (HTTP, SMTP, FTP, TELNET)

Circuit Gateway (diagram)
The inside host (IP address 178.29.10.90) sends an IP packet with source address 178.29.10.90 to the application gateway (IP address 178.29.10.70)
The gateway forwards it to the outside host with source address 178.29.10.70, so the outside host sees the gateway's address

Application Gateway - Illusion (diagram)
User's illusion: a direct connection between the internal host and the external host
Real connection: internal host to application gateway (HTTP, SMTP, FTP, TELNET), then application gateway to external host

Firewall Configurations
Screened host firewall, single-homed bastion
Screened host firewall, dual-homed bastion
Screened subnet firewall

Screened Host Firewall, Single-homed Bastion (diagram)
Internet, packet filter, application gateway (HTTP, SMTP, FTP, TELNET), internal network

Screened Host Firewall, Dual-homed Bastion (diagram)
Internet, packet filter, application gateway (HTTP, SMTP, FTP, TELNET), internal network

Screened Subnet Firewall (diagram)
Internet, packet filter, application gateway (HTTP, SMTP, FTP, TELNET), internal network

Demilitarized Zone (DMZ) (diagram)
The firewall separates the Internet, the demilitarized zone (DMZ) and the internal private network

Security at multiple Layers (diagram)
Application Layer, Transport Layer, Internet Layer, Data Link Layer, Physical Layer
The diagram marks a first level of security and a second level of security at two of these layers

IPSec
Not concerned with application layer security
Applies security at the Internet layer
More effective in IPv6

IPSec Processing Result
Actual data (encrypted)
Transport header (encrypted)
Internet header (not encrypted)

IPSec in TCP/IP (diagram)
Sender: Application, Transport, IPSec, Internet, Data link, then the transmission medium
Receiver: the same layers in reverse order, with the original message passed between the two application layers

IPSec Protocols
Authentication Header (AH)
Encapsulating Security Payload (ESP)

AH and ESP Operation Modes
AH and ESP modes of operation: Tunnel mode and Transport mode

Tunnel Mode (diagram)
Host X is in Network 1 and host Y is in Network 2; the tunnel runs between proxy P1 at the edge of Network 1 and proxy P2 at the edge of Network 2

Tunnel Mode Implementation (diagram)
Traffic between A and B is carried inside the tunnel between P1 and P2
The internal IP header and data are encrypted; the external IP header is not encrypted

IPSec steps
Step 1: Algorithm and key negotiations using IKE
Step 2: Actual AH and ESP operations

AH Format (bit positions 0, 8, 16, 31)
Next header (8 bits), Payload length (8 bits), Reserved (16 bits)
Security Parameter Index (SPI) (32 bits)
Sequence number (32 bits)
Authentication data (variable size)

Receiver's Sliding Window (diagram)
Receiver's sliding window (W = 8), spanning sequence numbers from N - W to N
A position is marked if a valid packet with that sequence number has been received, and unmarked if a valid packet has not yet been received
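The receiver's sliding window as a working anti-replay check, added here as an example (not code from the original slides). N is the highest sequence number accepted so far and a bitmap tracks which of the W most recent sequence numbers are marked; a sequence number left of the window is too old and one already marked is a replay. The window size defaults to the slide's W = 8. The check and the update are separate methods because, in IPsec, a packet that passes the window check must still have its authentication data verified before the window is updated; accept() combines the two for the test.

```python
class ReplayWindow:
    """Receiver's anti-replay sliding window of W sequence numbers ending at N, the highest accepted."""

    def __init__(self, size: int = 8):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0          # N: highest sequence number accepted so far
        self.bitmap = 0       # bit i set means sequence number (top - i) has been received
        self.started = False  # no packet accepted yet

    def check(self, seq: int):
        """Classify seq without changing state: (accepted?, reason)."""
        if not self.started or seq > self.top:
            return True, "new: advances the window"
        offset = self.top - seq
        if offset >= self.size:
            return False, "too old: left of the window"
        if self.bitmap & (1 << offset):
            return False, "replay: already marked"
        return True, "new: inside the window"

    def update(self, seq: int) -> None:
        """Mark seq as received; in IPsec this runs only after the packet's authentication data verified."""
        mask = (1 << self.size) - 1
        if not self.started or seq > self.top:
            shift = 0 if not self.started else seq - self.top
            # sliding past the whole window discards every old mark; otherwise shift them along
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            self.started = True
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq: int) -> bool:
        """Check, then update, as a receiver would once the packet has been authenticated."""
        ok, _ = self.check(seq)
        if ok:
            self.update(seq)
        return ok

    def marked(self) -> set:
        """Sequence numbers currently marked inside the window, as drawn on the slide."""
        return {self.top - i for i in range(self.size) if (self.bitmap >> i) & 1}
```

Note that the window is per security association: each SA has its own sequence counter at the sender and its own window at the receiver.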

AH Transport Mode
(a) Before applying AH: IP header | TCP header | Original data
(b) After applying AH: IP header | AH | TCP header | Original data

AH Tunnel Mode
(a) Before applying AH: IP header | TCP header | Original data
(b) After applying AH: New IP header | AH | Original IP header | TCP header | Original data

ESP Format (bit positions 0, 16, 24, 31)
Security Parameter Index (SPI) (32 bits)
Sequence Number (32 bits)
Payload data (variable size)
Padding (0-255 bytes)
Padding length (8 bits), Next header (8 bits)
Authentication data (variable size)

ESP Transport Mode
(a) Before applying ESP: IP header | TCP header | Original data
(b) After applying ESP: Original IP header | ESP header | TCP header | Original data | ESP trailer | ESP auth
Encrypted: from the TCP header through the ESP trailer
Authenticated: from the ESP header through the ESP trailer

ESP Tunnel Mode
(a) Before applying ESP: IP header | TCP header | Original data
(b) After applying ESP: New IP header | ESP header | Original IP header | TCP header | Original data | ESP trailer | ESP auth
Encrypted: from the original IP header through the ESP trailer
Authenticated: from the ESP header through the ESP trailer
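The ESP format and the transport and tunnel mode slides above, as one added example that is not code from the original presentation. It frames a payload as ESP header | payload | padding | padding length | next header | authentication data, computes the padding that brings the payload and the two trailer bytes up to a 4-byte boundary, and reports the byte ranges the slides label encrypted and authenticated. In transport mode the payload is the TCP header plus data (next header 6); in tunnel mode it is the whole original IP datagram (next header 4). Encryption with the SA's cipher is left out so the example runs on the standard library alone; the authentication data is HMAC-SHA-256 truncated to 128 bits, an assumed integrity algorithm, and the key and payloads are constructed. The receiver verifies the authentication data before it trusts the padding length or the next header.

```python
import hmac
import hashlib
import struct

ESP_HEADER_LEN = 8      # SPI (32 bits) + sequence number (32 bits)
ICV_LEN = 16            # assumed integrity algorithm: HMAC-SHA-256 truncated to 128 bits


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int, align: int = 4) -> bytes:
    """Frame payload as ESP: header | payload | padding | pad length | next header | ICV.

    Padding bytes 1, 2, 3, ... bring the payload plus the two trailer bytes up to a multiple of
    `align`. Encryption of payload and trailer is omitted (see the lead-in); the byte ranges are
    still those the slides mark as encrypted and authenticated.
    """
    pad_len = (-(len(payload) + 2)) % align
    if pad_len > 255:
        raise ValueError("padding must fit in one byte")
    header = struct.pack("!II", spi, seq)
    body = payload + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    icv = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_regions(packet: bytes) -> dict:
    """[start, end) byte offsets of the regions the slides label inside the ESP packet."""
    body_end = len(packet) - ICV_LEN
    return {"encrypted": (ESP_HEADER_LEN, body_end),
            "authenticated": (0, body_end),
            "icv": (body_end, len(packet))}


def esp_decapsulate(key: bytes, packet: bytes) -> dict:
    """Verify the ICV first, then unwrap the trailer; a modified packet is rejected before the trailer is read."""
    if len(packet) < ESP_HEADER_LEN + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body_end = len(packet) - ICV_LEN
    expected = hmac.new(key, packet[:body_end], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, packet[body_end:]):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", packet[:ESP_HEADER_LEN])
    pad_len, next_header = struct.unpack("!BB", packet[body_end - 2:body_end])
    payload_end = body_end - 2 - pad_len
    if payload_end < ESP_HEADER_LEN:
        raise ValueError("pad length exceeds payload")
    if packet[payload_end:body_end - 2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not the expected 1, 2, 3, ... sequence")
    return {"spi": spi, "seq": seq, "next_header": next_header, "pad_len": pad_len,
            "payload": packet[ESP_HEADER_LEN:payload_end]}
```

The sequence number carried in the header is what the receiver's sliding window checks; the SPI selects which security association's key and window apply.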

ISAKMP Header Format (bit positions 0, 8, 16, 24, 31)
Initiator cookie
Responder cookie
Next payload (8 bits), Major version and Minor version (8 bits together), Exchange type (8 bits), Flags (8 bits)
Message ID
Length

Virtual Private Network (VPN)
Uses the Internet as if it were a private network
Far less expensive than a leased line
Uses the IPSec protocol

VPN Between Two Networks (diagram)
Host X in Network 1 sits behind Firewall 1 and host Y in Network 2 sits behind Firewall 2; the VPN tunnel runs between Firewall 1 and Firewall 2 across the Internet