1 Virtual Private Networks (VPNs) and IP Security (IPSec) G53ACC Chris Greenhalgh.

2 Contents
- What is a VPN?
- Types of VPN
- Standards
- How does it work?
- Issues
- Books: Comer ch. 15.5, 40.13, 40.14; Stallings 6th Ed. Ch. ("IPv4/IPv6 security")

3 What is a VPN? (1)
- Public network:
  - Shared network using common networking infrastructure, e.g. the Internet
[Figure: a public network (insecure, open) to which both trusted machines and malicious machines are attached]

4 What is a VPN? (2)
- Private network:
  - Dedicated network, specific to a single company/organisation
- More secure, guaranteed quality of service, but more expensive
[Figure: a private network connecting only trusted machines; untrusted machines have no physical access to the private network]

5 What is a VPN? (3)
- Virtual Private Network:
  - Benefits of a private network, but making use of a public network to carry packets
- Secure, and cheaper than a private network
[Figure: trusted machines form a VPN across the public network (insecure, open); malicious machines can access packets on the public network but cannot read or write the VPN data]

6 VPN Overview
[Figure: a regular IP packet enters the VPN access device (encrypt/decrypt; hardware or software), crosses the public network as an encrypted IP packet, and is turned back into a regular IP packet by the VPN access device at the far end. An observer on the public network cannot understand the encrypted packets and cannot forge encrypted packets: a virtual private network!]

7 Types of VPN (Cisco-speak!)
- Intranet VPN
  - Straight replacement for an internal private network
- Access VPN
  - Allows remote dial-up users (e.g. from a laptop) to securely 'join' the company intranet
  - Authentication is a critical concern here, i.e. securely identifying the remote user/device
- Extranet VPN
  - Includes partner organisations, but retains additional security and QoS support over the public network(s)

8 Standards?
- E.g. the Internet IP Security (IPsec) standards:
  - RFCs & 2451
- Includes standards:
  - Internet Key Exchange (IKE) (RFC 2409)
    - Allows peers to authenticate each other and establish secure session information (keys, algorithms)
  - Authentication Header (AH) (RFC 2402)
    - Packet (& header) integrity & authentication
  - Encapsulating Security Payload (ESP) (RFC 2406)
    - Additionally, packet contents are encrypted
- (Or Microsoft's own protocols, e.g. PPTP with MPPE?)
- Caveat: these 1998 RFCs have since been obsoleted by RFC 4301 (architecture), 4302 (AH), 4303 (ESP) and IKEv2 (RFC 7296); the packet formats and concepts on the following slides are unchanged, but IKEv1 and the original cipher suites (DES, MD5) should not be deployed today.

9 How does it work?
- Transport mode
  - End systems negotiate an IKE Security Association (SA) directly and use AH and/or ESP on the packets they send to each other.
- Tunnel mode (more common)
  - Intermediate systems (e.g. access routers, firewalls) negotiate IKE SAs and tunnel packets to each other (with AH and/or ESP).
[Figure: in transport mode, secured packets travel end to end between the two hosts; in tunnel mode, normal packets travel between each host and its router, and secured packets travel between the two routers.]

10 Security Association (SA)
- Unidirectional logical channel between two hosts
  - A logical secure 'connection' for 'connectionless' IP packets! (Two-way traffic therefore needs a pair of SAs, one per direction.)
- Typically defines:
  - Protocol (AH or ESP) and mode; chosen algorithms, e.g. the HMAC hash function or cipher
  - Shared secret key(s)
  - Sequence number counter / anti-replay window state
- Identified by:
  - Security protocol (AH or ESP) identifier
  - Destination IP address (not source, as some texts say)
  - 32-bit connection identifier, the Security Parameter Index (SPI), selected by the destination host
- Established before secure communication can take place
  - e.g. using IKE, or pre-configured (manual keying)

11 Authentication Header (AH) protocol
- AH fields:
  - Next Header: the protocol of what follows the AH (e.g. 6 for a TCP segment, 17 for UDP)
  - Security Parameter Index: identifies the SA
  - Sequence Number (32 bit): monotonically increasing, so the receiver can detect replayed packets
  - Authentication Data: a keyed message authentication code (the Integrity Check Value) over the whole IP datagram, with the mutable header fields (TOS, flags, fragment offset, TTL, checksum) treated as zero; HMAC-MD5-96 or HMAC-SHA-1-96 in the original RFCs. It is a MAC, not a signature.
- Uses the HMAC authentication scheme (see RFC 2104) with the SA's shared secret key:
  - HMAC = Hash((Key XOR opad) || Hash((Key XOR ipad) || text))
[Figure: IP Header (Protocol 51) | AH Header | TCP/UDP Segment]

12 AH Notes
- Only the parties sharing the SA's secret key can compute the Hashed Message Authentication Code (HMAC)
- The HMAC covers the source IP address (and the other immutable IP header fields), SPI, sequence number and payload
- Therefore:
  - Another host cannot construct a packet appearing to come from the source host with a correct (for that source) HMAC
  - Another host cannot regenerate a correct HMAC for that source if it changes any part of the packet in transit
  - Replay is easily detected: a packet whose sequence number has already been seen is dropped early in processing, before the (costlier) HMAC is computed
- Caveat: because the source and destination addresses are covered, AH cannot pass through a NAT that rewrites them; the rewritten packet fails the HMAC check at the receiver.
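Putting slides 11 and 12 together, the following is an added example (not part of the lecture) that builds and checks a transport-mode AH datagram by hand in Python: the HMAC is written out from the RFC 2104 formula above and truncated to 96 bits (HMAC-SHA-1-96), the ICV is computed with the mutable IP header fields zeroed, and the receiver runs the anti-replay window before the MAC and only advances it after the MAC verifies. The 10.0.0.x addresses, the SPI 0x1000, the key and the HTTP payload are constructed, and the SA is a plain dictionary rather than a real Security Association Database.

```python
"""Transport-mode AH by hand: HMAC-SHA-1-96 ICV over the datagram plus an anti-replay window.
Added example; all addresses, keys and payloads are constructed."""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51
ICV_LEN = 12  # HMAC-SHA-1-96 (RFC 2404): the 160-bit HMAC truncated to its first 96 bits


def hmac_rfc2104(key: bytes, text: bytes, hashfn=hashlib.sha1, block: int = 64) -> bytes:
    """HMAC exactly as RFC 2104 defines it: H((K xor opad) || H((K xor ipad) || text))."""
    if len(key) > block:
        key = hashfn(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return hashfn(opad + hashfn(ipad + text).digest()).digest()


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at 0 (it is mutable, so AH does not cover it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 2402 Appendix A: TOS, flags/fragment offset, TTL and checksum may change in transit, so they
    are zeroed before the ICV is computed. Source and destination addresses are NOT zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


class ReplayWindow:
    """32-packet sliding anti-replay window (RFC 2401 Appendix C). Bit 0 = highest sequence seen."""

    def __init__(self, size: int = 32):
        self.size, self.last, self.bitmap = size, 0, 0

    def check(self, seq: int) -> bool:
        """Cheap test run before the ICV: is this sequence number new?"""
        if seq == 0:
            return False
        if seq > self.last:
            return True
        back = self.last - seq
        return back < self.size and not (self.bitmap >> back) & 1

    def update(self, seq: int) -> None:
        """Mark seq as seen; called only after the ICV verified, so forgeries cannot move the window."""
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def ah_protect(src, dst, payload, spi, seq, key, next_hdr=6):
    """Outbound: IP header (proto 51) | AH (next hdr, payload len, reserved, SPI, seq, ICV) | payload."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, 20 + ah_len + len(payload))
    # AH "payload length" field = length of the AH in 32-bit words, minus 2
    ah_no_icv = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    icv = hmac_rfc2104(key, zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload)[:ICV_LEN]
    return ip_hdr + ah_no_icv + icv + payload


def ah_verify(datagram, sa):
    """Inbound: SPI lookup, replay check, then ICV; returns the payload, or None meaning drop."""
    ip_hdr, rest = datagram[:20], datagram[20:]
    if ip_hdr[9] != AH_PROTOCOL:
        return None
    _next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    if spi != sa["spi"] or not sa["window"].check(seq):
        return None  # unknown SA or replay: dropped before the costlier MAC computation
    expected = hmac_rfc2104(sa["key"], zero_mutable(ip_hdr) + rest[:12] + bytes(ICV_LEN) + payload)[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    sa["window"].update(seq)
    return payload


def run_demo():
    """Genuine, TTL-decremented, tampered, source-spoofed and replayed datagrams against one inbound SA."""
    key = bytes.fromhex("0b" * 20)  # constructed 160-bit SA key (the RFC 2202 test key)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    sa = {"spi": 0x1000, "key": key, "window": ReplayWindow()}
    body = b"GET / HTTP/1.0\r\n"
    p1 = ah_protect(src, dst, body, 0x1000, 1, key)
    p2 = bytearray(ah_protect(src, dst, body, 0x1000, 2, key))
    p2[8] -= 1                          # a router decremented the TTL in transit
    p3 = bytearray(ah_protect(src, dst, body, 0x1000, 3, key))
    p3[-1] ^= 0x01                      # one payload bit flipped in transit
    p4 = bytearray(ah_protect(src, dst, body, 0x1000, 4, key))
    p4[12:16] = bytes([10, 0, 0, 9])    # source address spoofed
    return {
        "good": ah_verify(p1, sa),
        "ttl_changed": ah_verify(bytes(p2), sa),   # accepted: TTL is a mutable field
        "tampered": ah_verify(bytes(p3), sa),      # None: ICV mismatch
        "spoofed_src": ah_verify(bytes(p4), sa),   # None: the source address is covered
        "replayed": ah_verify(p1, sa),             # None: sequence number 1 already seen
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:12s} -> {'ACCEPT ' + repr(result) if result else 'DROP'}")
```

The order inside `ah_verify` matters: the window is consulted before the MAC so that a flood of replayed packets costs the receiver only a bitmap test, but it is updated only after the MAC verifies, otherwise an attacker could push the window forward with forged high sequence numbers and make genuine in-flight packets look like replays.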

13 Encapsulating Security Payload (ESP) protocol
- Header includes:
  - Security Parameter Index: as per AH
  - Sequence Number (32 bit): as per AH
- Encryption: e.g. DES-CBC in the original RFCs (single DES is long since deprecated; modern SAs use AES)
- Trailer includes:
  - Padding and pad length (to the cipher block size), then
  - Next Header: encrypted, so the protocol of the segment is hidden from an observer
- Authentication trailer: as per AH's authentication data (optional, per SA), computed over the ESP header, the payload and the ESP trailer, but not over the IP header
[Figure (transport mode): IP Header (Protocol 50) | ESP Header | TCP/UDP Segment | ESP Trailer | ESP Auth. Encrypted: the segment and the ESP trailer. Authenticated: the ESP header, segment and trailer.]

14 ESP Notes
- Can be used as above in transport mode
  - NB it does not authenticate or encrypt the IP header (whereas AH does authenticate the IP header)
- Can also be used in tunnel mode:
  - Encrypts and authenticates all of the original packet, including its IP header
  - Especially between security gateways, but also between hosts
[Figure (tunnel mode): New IP Header (Protocol 50) | ESP Header | Original IP Header | TCP/UDP Segment | ESP Trailer | ESP Auth. Encrypted: the original IP header, segment and trailer. Authenticated: the ESP header through the trailer; the new IP header is neither encrypted nor authenticated.]
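To make the two ESP layouts on slides 13 and 14 concrete, here is an added example (again not from the lecture) that frames ESP with NULL encryption (RFC 2410) and an HMAC-SHA-1-96 authentication trailer, so that the padding, pad-length and next-header bytes and the authenticated range can be inspected in the clear; a real SA would substitute a block cipher for the identity transform and prepend an IV. It then shows the consequence of the "NB" above: in transport mode a rewritten outer source address is still accepted, while in tunnel mode the same rewrite of the inner header fails the ICV. The hosts, gateways, SPIs and key are constructed.

```python
"""ESP framing in transport and tunnel mode with NULL encryption (RFC 2410) and HMAC-SHA-1-96.
Added example; addresses, keys and payloads are constructed."""
import hashlib
import hmac
import struct

ESP_PROTOCOL = 50
IPIP_PROTOCOL = 4   # next-header value for a whole IP packet carried inside ESP (tunnel mode)
TCP_PROTOCOL = 6
ICV_LEN = 12        # HMAC-SHA-1-96


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, ttl, proto, 0, src, dst)


def esp_encapsulate(plaintext, next_hdr, spi, seq, auth_key, align=4):
    """ESP header | payload | trailer (padding, pad length, next header) | ICV.
    With a real cipher the payload and trailer would be ciphertext (DES-CBC in RFC 2405, AES-CBC today)
    and an IV would follow the header; the framing and the authenticated range are the same."""
    header = struct.pack("!II", spi, seq)
    pad_len = (-(len(plaintext) + 2)) % align       # pad so "pad length, next header" ends 4-byte aligned
    padding = bytes(range(1, pad_len + 1))          # RFC 2406 default self-describing padding: 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_hdr])
    body = header + plaintext + trailer
    # The ICV covers header..trailer only; the IP header in front of ESP is NOT covered.
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp_bytes, spi, auth_key):
    """Verify the ICV, check the SPI, strip the trailer; returns (next_hdr, plaintext) or None (drop)."""
    body, icv = esp_bytes[:-ICV_LEN], esp_bytes[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN], icv):
        return None
    pkt_spi, _seq = struct.unpack("!II", body[:8])
    if pkt_spi != spi:
        return None
    pad_len, next_hdr = body[-2], body[-1]
    return next_hdr, body[8:len(body) - 2 - pad_len]


def transport_mode(src, dst, segment, spi, seq, key):
    """Host to host: the original IP header stays outside ESP, neither encrypted nor authenticated."""
    esp = esp_encapsulate(segment, TCP_PROTOCOL, spi, seq, key)
    return ipv4_header(src, dst, ESP_PROTOCOL, 20 + len(esp)) + esp


def tunnel_mode(gw_a, gw_b, src, dst, segment, spi, seq, key):
    """Gateway to gateway: the whole original packet, header included, goes inside ESP under a new header."""
    inner = ipv4_header(src, dst, TCP_PROTOCOL, 20 + len(segment)) + segment
    esp = esp_encapsulate(inner, IPIP_PROTOCOL, spi, seq, key)
    return ipv4_header(gw_a, gw_b, ESP_PROTOCOL, 20 + len(esp)) + esp


def receive(datagram, spi, key):
    """Strip the outer IP header and decapsulate the ESP payload."""
    if datagram[9] != ESP_PROTOCOL:
        return None
    return esp_decapsulate(datagram[20:], spi, key)


def run_demo():
    key = bytes.fromhex("aa" * 20)                                  # constructed SA authentication key
    h1, h2 = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 7])              # hosts on two sites
    gw1, gw2 = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])     # the sites' security gateways
    seg = b"GET / HTTP/1.0\r\n"

    t = bytearray(transport_mode(h1, h2, seg, 0x2000, 1, key))
    t[12:16] = bytes([10, 1, 0, 99])      # attacker rewrites the source address in transit
    transport_spoofed = receive(bytes(t), 0x2000, key)   # still accepted: ESP never covered that header

    u = bytearray(tunnel_mode(gw1, gw2, h1, h2, seg, 0x3000, 1, key))
    u[12:16] = bytes([203, 0, 113, 99])   # outer header rewritten: not detected, and not meant to be
    tunnel_outer = receive(bytes(u), 0x3000, key)        # the inner header comes out intact

    v = bytearray(tunnel_mode(gw1, gw2, h1, h2, seg, 0x3000, 2, key))
    v[40:44] = bytes([10, 1, 0, 99])      # inner source (outer 20 + ESP header 8 + offset 12) rewritten
    tunnel_inner = receive(bytes(v), 0x3000, key)        # None: the inner header is inside the ICV

    return {"transport_spoofed": transport_spoofed, "tunnel_outer": tunnel_outer, "tunnel_inner": tunnel_inner}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", "DROP" if result is None else f"next_hdr={result[0]} plaintext={result[1]!r}")
```

Note that in tunnel mode the gateway trusts the inner header because it was authenticated, not because of the outer one; a security gateway must still check that the decapsulated inner addresses match the policy for the SA they arrived on, otherwise one VPN peer could inject traffic claiming to come from another site.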

15 Issues
- Configuration
  - Public key infrastructure (or shared initial secrets) for IKE SA establishment
  - Security policies: defining what is allowed (the security policy database)
- Resources/deployment
  - Client IPsec software for transport mode
  - VPN-capable routers for tunnel mode
  - Encryption CPU costs (e.g. extra router hardware support)