Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 32: Outline 32.1 NETWORK-LAYER SECURITY 32.2 TRANSPORT-LAYER SECURITY 32.3 APPLICATION-LAYER SECURITY 32.4 FIREWALLS

Chapter 32: Objective  The first section discusses security at the network layer, IPSec. The section explains the two modes of IPSec: transport mode and tunnel mode. It then describes the two protocols that make up IPSec: AH and ESP.  The second section discusses one of the security protocols at the transport layer, SSL (the other protocol, TLS, is similar). The section first describes the SSL architecture: services, algorithms, and parameter generation. It then explains the four protocols that SSL is made of: Handshake, ChangeCipherSpec, Alert, and Record.

Chapter 32: Objective  The third section discusses security at the application layer. At this layer, security is provided only for the e-mail application; other applications can use the security at the transport layer, but e-mail, because of its one-way communication, cannot do so. We first describe Pretty Good Privacy (PGP), which provides security mostly for personal use. The section then describes S/MIME, a secured version of the MIME protocol that provides security mostly for an enterprise.  The fourth section discusses firewalls, a technology that can protect an enterprise from the malicious intention of an intruder. The section describes two versions: packet-filter firewalls and proxy firewalls. The first gives protection only at the network layer; the second can provide protection at the application layer.

NETWORK-LAYER SECURITY We start this chapter with the discussion of security at the network layer. At the network layer, security is applied between two hosts, two routers, or a host and a router. The purpose of network-layer security is to protect those applications that use the service of the network layer directly.

Two Modes IPSec operates in one of two different modes: transport mode or tunnel mode.

Figure 32.1: IPSec in transport mode

Figure 32.2: Transport mode in action

Figure 32.3: IPSec in tunnel mode

Figure 32.5: Tunnel mode in action

Two Security Protocols IPSec defines two protocols, the Authentication Header (AH) Protocol and the Encapsulating Security Payload (ESP) Protocol, to provide authentication and/or encryption for packets at the IP level.

Figure 32.6: Transport mode versus tunnel mode

Figure 32.7: Authentication Header (AH) protocol

Figure 32.7: Encapsulating Security Payload (ESP)

Security Association Security Association is a very important aspect of IPSec. IPSec requires a logical relationship, called a Security Association (SA), between two hosts. The security association changes the connectionless service provided by IP to a connection-oriented service upon which we can apply security. This section first discusses the idea and then shows how it is used in IPSec.

Table 32.1: IPSec services

Figure 32.8: Simple SA

Figure 32.9: SAD

Figure 32.10: Security Policy Database

Figure 32.11: Outbound processing

Figure 32.12: Inbound processing

Internet Key Exchange (IKE) The Internet Key Exchange (IKE) is a protocol designed to create both inbound and outbound Security Associations. As we discussed in the previous section, when a peer needs to send an IP packet, it consults the Security Policy Database (SPD) to see if there is an SA for that type of traffic. If there is no SA, IKE is called to establish one.
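The outbound decision flow the two paragraphs above describe (consult the SPD for the traffic, look up the SA in the SAD, call IKE when none exists) can be modelled in a few dozen lines. The following is an added example and not the textbook's own code; the SPD entries, the single SA in the SAD, the addresses and the packets are constructed, and a real SPD/SAD carries more state (sequence numbers, lifetimes, algorithms, anti-replay window) than is shown here.

```python
"""Model of IPSec outbound processing: SPD lookup, SAD lookup, then IKE if no SA exists.

Added example, not the textbook's code. The SPD entries, the one SA in the
SAD and the packets are constructed. Real SPD and SAD entries carry more
state (sequence numbers, lifetimes, algorithms, anti-replay window);
only the decision flow the chapter describes is modelled here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class SPDEntry:
    """One policy: traffic selectors plus what to do with matching traffic."""
    src_net: str
    dst_net: str
    proto: Optional[str]                # None matches any protocol
    dport: Optional[int]                # None matches any port
    action: str                         # "discard", "bypass" or "protect"
    ipsec_proto: Optional[str] = None   # "AH" or "ESP" when action == "protect"
    mode: Optional[str] = None          # "transport" or "tunnel"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


@dataclass(frozen=True)
class SA:
    """Outbound SA, indexed in this model's SAD by (peer address, IPSec protocol)."""
    spi: int
    peer: str
    ipsec_proto: str
    key: bytes   # constructed placeholder for the keys IKE would negotiate


@dataclass
class OutboundProcessor:
    spd: List[SPDEntry]                       # ordered: first matching entry wins
    sad: Dict[Tuple[str, str], SA]
    ike_requests: List[Tuple[str, str]] = field(default_factory=list)

    def process(self, p: Packet) -> str:
        entry = next((e for e in self.spd if e.matches(p)), None)
        if entry is None or entry.action == "discard":
            return "discard"             # no policy for this traffic: do not send it
        if entry.action == "bypass":
            return "send-plain"          # policy allows this traffic without IPSec
        sa = self.sad.get((p.dst, entry.ipsec_proto))
        if sa is None:
            self.ike_requests.append((p.dst, entry.ipsec_proto))
            return "ike-negotiate"       # IKE must create the SA before sending
        return f"apply-{sa.ipsec_proto}-{entry.mode}-spi={sa.spi}"


def build_example() -> OutboundProcessor:
    """Constructed SPD (first match wins, default discard) and SAD with one ESP SA."""
    spd = [
        SPDEntry("192.168.1.0/24", "192.168.2.0/24", "tcp", None, "protect", "ESP", "tunnel"),
        SPDEntry("192.168.1.0/24", "203.0.113.0/24", None, None, "protect", "AH", "transport"),
        SPDEntry("192.168.1.0/24", "0.0.0.0/0", "tcp", 80, "bypass"),
        SPDEntry("0.0.0.0/0", "0.0.0.0/0", None, None, "discard"),
    ]
    sad = {("192.168.2.7", "ESP"): SA(spi=0x1001, peer="192.168.2.7", ipsec_proto="ESP",
                                      key=b"constructed-placeholder-key")}
    return OutboundProcessor(spd, sad)


if __name__ == "__main__":
    proc = build_example()
    for pkt in [Packet("192.168.1.5", "192.168.2.7", "tcp", 22),
                Packet("192.168.1.5", "203.0.113.9", "udp", 53),
                Packet("192.168.1.5", "198.51.100.2", "tcp", 80),
                Packet("192.168.1.5", "198.51.100.2", "tcp", 23)]:
        print(pkt, "->", proc.process(pkt))
    print("IKE requests:", proc.ike_requests)
```

The last SPD entry is a catch-all discard, so traffic that matches no explicit policy is never sent in the clear; the second packet shows the case the IKE paragraph describes, where a protect policy exists but no SA does yet.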

Figure 32.13: IKE components

Virtual Private Network (VPN) One of the applications of IPSec is in virtual private networks. A virtual private network (VPN) is a technology that is gaining popularity among large organizations that use the global Internet for both intra- and inter-organization communication, but require

Figure 32.14: Virtual private network

TRANSPORT-LAYER SECURITY Security at the transport layer provides security for the application layer, which uses the services of TCP (or SCTP) as a connection-oriented protocol. Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol.

Figure 32.15: Location of SSL and TLS in the Internet model

SSL Architecture SSL is designed to provide security and compression services to data generated from the application layer. Typically, SSL can receive data from any application-layer protocol, but usually the protocol is HTTP. The data received from the application is compressed (optional), signed, and encrypted. The data is then passed to a reliable transport-layer protocol such as TCP. Netscape developed SSL in Versions 2 and 3 were released in In this section, we discuss SSLv3.

Figure 32.16: Calculation of master secret from pre-master secret

Figure 32.17: Calculation of key material from master secret

Figure 32.18: Extractions of cryptographic secrets from key material
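The three figures above cover one pipeline: pre-master secret to master secret, master secret to key material, key material to the six per-connection secrets. As an added example that is not the textbook's code, the following implements that pipeline as SSLv3 specifies it (RFC 6101, section 6.2.2): each 16-byte block is MD5(secret || SHA-1(label || secret || seed)) with labels 'A', 'BB', 'CCC', and so on, the master-secret seed is client_random || server_random while the key-block seed reverses the order. The pre-master secret, the randoms and the cipher-suite sizes are constructed values; SSLv3, MD5 and SHA-1 are used here only because the chapter discusses SSLv3.

```python
"""SSLv3 key derivation, following RFC 6101 section 6.2.2.

Added example, not the textbook's code. The pre-master secret and the two
random values are constructed; in a real handshake the client generates the
pre-master secret and the randoms come from ClientHello and ServerHello.
"""
import hashlib
from typing import Dict, Tuple


def ssl3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """Generate `length` bytes in 16-byte blocks.

    Block i (1-based) is MD5(secret || SHA1(label_i || secret || seed)),
    where label_i is the i-th letter repeated i times: 'A', 'BB', 'CCC', ...
    """
    out = b""
    i = 0
    while len(out) < length:
        i += 1
        label = bytes([ord("A") + i - 1]) * i
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret (three blocks); seed is client_random || server_random."""
    return ssl3_expand(pre_master, client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Key material; the seed order is reversed here: server_random || client_random."""
    return ssl3_expand(master, server_random + client_random, length)


def extract_secrets(block: bytes, hash_size: int, key_size: int, iv_size: int) -> Dict[str, bytes]:
    """Partition the key block in the fixed SSLv3 order:
    client MAC secret, server MAC secret, client key, server key, client IV, server IV."""
    layout = [("client_write_mac_secret", hash_size),
              ("server_write_mac_secret", hash_size),
              ("client_write_key", key_size),
              ("server_write_key", key_size),
              ("client_write_iv", iv_size),
              ("server_write_iv", iv_size)]
    secrets, pos = {}, 0
    for name, n in layout:
        secrets[name] = block[pos:pos + n]
        pos += n
    return secrets


def derive_connection_secrets(pre_master: bytes, client_random: bytes, server_random: bytes,
                              hash_size: int = 20, key_size: int = 24,
                              iv_size: int = 8) -> Tuple[bytes, Dict[str, bytes]]:
    """Run the three steps end to end and return (master_secret, secrets).

    Default sizes suit a SHA-1 MAC with 3DES-EDE-CBC: 20-byte MAC secret,
    24-byte key, 8-byte IV, so 104 bytes of key material in total.
    """
    master = master_secret(pre_master, client_random, server_random)
    total = 2 * (hash_size + key_size + iv_size)
    block = key_block(master, client_random, server_random, total)
    return master, extract_secrets(block, hash_size, key_size, iv_size)


if __name__ == "__main__":
    # Constructed values: a 48-byte pre-master secret and two 32-byte randoms.
    pm = bytes(range(48))
    cr, sr = bytes([0x11]) * 32, bytes([0x22]) * 32
    master, secrets = derive_connection_secrets(pm, cr, sr)
    print("master secret:", master.hex())
    for name, value in secrets.items():
        print(f"{name:24s} {value.hex()}")
```

Because the two randoms enter the derivation, the same pre-master secret yields different keys in every session, and swapping the client and server randoms changes the result, which is why both sides must agree on which value is which.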

Four Protocols We have discussed the idea of SSL without showing how SSL accomplishes its tasks. SSL defines four protocols in two layers, as shown in Figure

Figure 32.19: Four SSL protocols

Figure 32.20: Handshake Protocol

Figure 32.21: Processing done by the Record Protocol

APPLICATION-LAYER SECURITY This section discusses two protocols providing security services for e-mail: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME).

E-mail Security Sending an e-mail is a one-time activity. The nature of this activity is different from that of the protocols in the two previous sections, SSL and IPSec. In those protocols, we assume that the two parties create a session between themselves and exchange data in both directions. In e-mail, there is no session. Alice and Bob cannot create a session. Alice sends a message to Bob; sometime later, Bob reads the message and may or may not send a reply.

Pretty Good Privacy (PGP) The first protocol discussed in this section is called Pretty Good Privacy (PGP). PGP was invented by Phil Zimmermann to provide e-mail with privacy, integrity, and authentication. PGP can be used to create secure e-mail messages.

Figure 32.22: A plaintext message

Figure 32.23: An authenticated message

Figure 32.24: A compressed message

Figure 32.25: A confidential message

Figure 32.26: Key rings in PGP

Figure 32.27: Trust model

Figure 32.28: Signed-data content type

S/MIME Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME). The protocol is an enhancement of the Multipurpose Internet Mail Extension (MIME) protocol we discussed in Chapter 26.

Figure 32.29: Enveloped-data content type

Figure 32.30: Digested-data content type

Figure 32.31: Authenticated-data content type

Example 32.1 The following shows an example of an enveloped-data in which a small message is encrypted using triple DES

FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Figure 32.32: Firewall

Packet-Filter Firewalls A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded). Figure shows an example of a filtering table for this kind of firewall.
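A filtering table of the kind the paragraph describes is a list of rules over exactly those header fields, evaluated top-down with the first match deciding. The following is an added example and not the textbook's table or code; the interface names, networks, ports and packets are constructed. It ends with an explicit default-deny rule for traffic arriving from outside, so anything not deliberately allowed is blocked rather than forwarded.

```python
"""Packet-filter firewall: a filtering table over network- and transport-layer header fields.

Added example, not the textbook's code. The rules, addresses and packets are
constructed. Rules are evaluated in order and the first match wins; inbound
traffic that matches nothing falls through to the default-deny rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    interface: str   # interface the packet arrived on: "outside" or "inside"
    src: str         # source IP address
    dst: str         # destination IP address
    proto: str       # "tcp" or "udp"
    sport: int       # source port
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    interface: str
    src: str                 # CIDR network, or "any"
    dst: str                 # CIDR network, or "any"
    proto: Optional[str]     # None matches any protocol
    sport: Optional[int]     # None matches any source port
    dport: Optional[int]     # None matches any destination port
    action: str              # "forward" or "block"

    @staticmethod
    def _in_net(addr: str, net: str) -> bool:
        return net == "any" or ip_address(addr) in ip_network(net)

    def matches(self, p: Packet) -> bool:
        return (self.interface == p.interface
                and self._in_net(p.src, self.src)
                and self._in_net(p.dst, self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def filter_packet(table: List[Rule], p: Packet) -> Tuple[str, int]:
    """Return (action, index of the matching rule); block with index -1 if no rule matches."""
    for i, rule in enumerate(table):
        if rule.matches(p):
            return rule.action, i
    return "block", -1


# Constructed filtering table. 192.0.2.10 plays the organization's public web server,
# 10.0.0.0/8 its internal network, 203.0.113.0/24 a network it has chosen to block.
FILTER_TABLE = [
    Rule("outside", "203.0.113.0/24", "any", None, None, None, "block"),       # blocked source network
    Rule("outside", "any", "any", "tcp", None, 23, "block"),                   # no inbound Telnet
    Rule("outside", "any", "192.0.2.10/32", "tcp", None, 80, "forward"),       # HTTP to the web server
    Rule("outside", "any", "192.0.2.10/32", "tcp", None, 443, "forward"),      # HTTPS to the web server
    Rule("inside", "10.0.0.0/8", "any", None, None, None, "forward"),          # internal hosts may go out
    Rule("outside", "any", "any", None, None, None, "block"),                  # default deny for inbound
]


if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.5", "192.0.2.10", "tcp", 4444, 80),
        Packet("outside", "198.51.100.7", "192.0.2.10", "tcp", 5000, 80),
        Packet("outside", "198.51.100.7", "192.0.2.10", "tcp", 5000, 23),
        Packet("outside", "198.51.100.7", "192.0.2.11", "udp", 5000, 53),
        Packet("inside", "10.1.2.3", "198.51.100.7", "tcp", 51000, 443),
    ]
    for pkt in samples:
        action, idx = filter_packet(FILTER_TABLE, pkt)
        print(f"{pkt.interface:7s} {pkt.src:>14s} -> {pkt.dst:<12s} {pkt.proto}/{pkt.dport:<4d} {action} (rule {idx})")
```

Rule order matters: the first packet is from the blocked network and is stopped by rule 0 even though rule 2 would have forwarded it, and a stateless filter like this one only sees individual packets, so return traffic for internal connections needs its own rules or a stateful firewall.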

Figure 32.33: Packet-filter firewall

Proxy Firewall The packet-filter firewall is based on the information available in the network-layer and transport-layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the information available in the message itself (at the application layer). As an example, assume that an organization wants to implement the following

Figure 32.34: Proxy firewall