COMP3371 Cyber Security Richard Henson University of Worcester November 2015.


Week 6: Securing LAN–LAN data using Firewalls, VPNs, etc.

Objectives:
- Relate Internet security to the TCP/IP protocol stack
- Explain principles of firewalling
- Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
- Explain Internet security solutions that use the principles of a VPN

Security and the OSI layers
- Simplified TCP/IP
- Leaves out level 1 (physical) and level 2 (data link), and combines levels 5/6/7
[Figure: simplified stack with TELNET, FTP, NFS, DNS, SNMP and SMTP over TCP and UDP, over IP (network)]

TCP/IP and the Seven Layers
- TCP (Transmission Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers
  - upper layers interface with TCP to produce the screen display
  - lower layers required to interface with IP to create/convert electrical signals
- Each layer interface represents a potential security problem (!)
[Figure: the stack from hardware, through IP and TCP, up to the screen]

Intranet
- Misunderstood term
  - achieved by organisations using http to share data internally in a www-compatible format
  - many still call a protected file structure on its own an Intranet… (technically incorrect!)
  - uses secure user authentication
  - uses secure data transmission system
- Implemented as EITHER:
  - single LAN (domain) with a web server
  - several interconnected LANs (trusted domains)
    - cover a larger geographic area

Extranet
- An extension of the Intranet to cover selected trusted “links”
  - e.g. for an organisation the “trusted” links might be to customers and business partners
  - uses the public Internet as its transmission system
  - requires authentication to gain access
- Can provide TCP/IP access to:
  - paid research
  - current inventories
  - internal databases
  - OR virtually any information that is private and not published for everyone

Issues in creating an Extranet
- Public networks…
  - security handled through appropriate use of secure authentication & transmission technologies…
- If using the Internet…
  - client-server web applications across different sites
  - BUT security issues need resolving
- Private leased lines between sites do not need to use http, etc.
  - more secure, but expensive (BALANCE)

Securing Authentication through Extranets
- Kerberos and trusted domains…
  - Windows networks…
- BUT…
  - several TCP ports used for authentication when establishing a session…
- Solution:
  - firewall configured to allow relevant ports to be opened only for “trusted” hosts

Securing Sharing of Data through Extranets
- Extranet client uses the web server & browser for user interaction
  - standard http protocol to display html data
- Raw HTML data will pass through the firewall (port 80) to the Internet
  - could be “sensitive data” for the organisation…
- Netscape introduced SSL together with a secure version of http; under IETF guidance this was standardised as https (secure http) on port 443

The Internet generally uses IP - HOW can data be secured?
2015: more than a billion hosts!

Securing the Extranet
- Problem:
  - IP protocol sends packets off in different directions according to:
    - destination IP address
    - routing data
  - packets can be intercepted/redirected
- One solution:
  - secure level 7 application layer www protocols developed
    - https: ensure that pages are only available to authenticated users
    - ssh: secure download of files
  - secure level 4 transport (TLS) protocol to restrict use of IP navigation to only include secure sites
- What about penetration through other protocols, working at different OSI layers?

Other Secure level 7 protocols
- Telnet and FTP:
  - can use authentication
  - BUT DO NOT use encrypted text…
- SSH (Secure Shell)
  - SSH, University of Helsinki, secure file transfer
    - uses TCP port 22
    - runs on a variety of platforms
  - Enhanced version SSH-2
    - using PKI
    - including digital certificates
    - RFC 4252 – recent, 2006

[Figure: Unsecured LAN-Internet Connection: Router Only. Internal Network connected to the INTERNET/EXTERNAL NETWORK through a ROUTER with no packet filtering]

[Figure: An Unsecured LAN-Internet Connection via Router. The router handles layers 1 to 3 only; data passes through unchanged]

Lower OSI layers security (Stage 1)
- Simple Firewall…
  - use packet filtering
  - IP address-based
    - fooled by “IP spoofing”

Creating a “Secure Site”?
- To put it bluntly…
  - a secure site is a LAN that provides formidable obstacles to potential hackers
  - keeps a physical barrier between local server and the internet
- Physical barrier linked through an intermediate computer called a Firewall or Proxy Server
  - may place unnecessary restrictions on access
  - security could be provided at one of the seven layers of the TCP/IP stack

[Figure: Unsecured LAN-Internet Connection: Firewall. Internal Network connected to the INTERNET/EXTERNAL NETWORK through a FIREWALL doing packet filtering]

An Unsecured LAN-Internet Connection via Firewall
- IP filtering will slow down packet flow…
- Also…
  - a request by a LAN client for Internet data across a router reveals the client IP address
    - generally a desired effect….
  - the “local” IP address must be recorded on the remote server
  - the required data is picked up & returned via the router and server to the local IP address
    - problem – could be intercepted, and future data to that IP address may not be so harmless…

An Unsecured LAN-Internet Connection via Router
- Another problem: wrath of IANA
  - IP address awarding & controlling body
  - big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated…
- Safeguard:
  - use DHCP (dynamic host configuration protocol)
  - allocate client IP from within a fixed range allocated to that domain by IANA

[Figure: A LAN-Internet connection via Gateway (packet conversion), e.g. TCP/IP as the local protocol. Internal Network connected to the INTERNET/EXTERNAL NETWORK through a GATEWAY]

A LAN-Internet connection via Gateway
- At a gateway, processing can be at higher OSI levels:
  - >= level 4
- Local packets converted into other formats…
  - remote network does not have direct access to the local machine
  - IP packets only recreated at the desktop
  - local client IP addresses therefore do not need to comply with IANA allocations

[Figure: A LAN-Internet connection via Proxy Server (local IP addresses), e.g. TCP/IP as the local protocol. Internal Network connected to the INTERNET/EXTERNAL NETWORK through a PROXY SERVER]

The Proxy Server
- Acts like a Gateway in some respects:
  - provides physical block between external and internal networks
- But can still use the same protocol (e.g. TCP/IP), and can cache web pages for improved performance
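The router-versus-proxy difference described in the last few slides, as an added simulation (not from the original slides): a stand-in remote web server records the address each request arrives from, a router forwards the LAN client's own address, while a proxy fetches on the client's behalf with its public address and serves repeat requests from its cache. All addresses, URLs and classes are constructed for the example.

```python
class RemoteWebServer:
    """Constructed stand-in for an Internet web server that logs client addresses."""

    def __init__(self) -> None:
        self.access_log: list = []

    def get(self, client_ip: str, url: str) -> str:
        self.access_log.append(client_ip)      # what the remote site records
        return f"<html>content of {url}</html>"


class Router:
    """Layer-3 forwarding: the packet passes through unchanged, source address included."""

    def forward(self, client_ip: str, url: str, server: RemoteWebServer) -> str:
        return server.get(client_ip, url)


class ProxyServer:
    """Application-layer relay: talks to the remote site itself and caches pages."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip, self.cache, self.hits = public_ip, {}, 0

    def fetch(self, client_ip: str, url: str, server: RemoteWebServer) -> str:
        if url in self.cache:                  # second request for the same page
            self.hits += 1
            return self.cache[url]
        page = server.get(self.public_ip, url) # remote sees only the proxy's address
        self.cache[url] = page
        return page


def demo() -> tuple:
    server = RemoteWebServer()
    Router().forward("192.168.10.7", "http://example.test/a", server)
    proxy = ProxyServer("198.51.100.1")        # assumed public address of the proxy
    for _ in range(3):                         # two LAN clients, same page, three times
        proxy.fetch("192.168.10.7", "http://example.test/b", server)
        proxy.fetch("192.168.10.8", "http://example.test/b", server)
    return server.access_log, proxy.hits
```

The remote log ends up holding the private LAN address once (router path) and the proxy's address once (six proxy requests, five served from cache).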

Firewall Configuration
- Blocks data via TCP port (logical)
  - each application protocol connects to TCP through its own port
  - all ports blocked… no data gets through
- Configuration
  - includes which ports to block as well as which IP addresses to block…
  - includes auditing of packets
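The port- and address-based filtering configured above, together with the “fooled by IP spoofing” weakness of an address-only rule from the Stage 1 slide, as an added example (not code from the original slides): a small packet filter with a default-deny port policy, an interface check that rejects internal source addresses arriving from outside, and an audit line per decision. The network range, port sets and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy for a LAN behind a filtering firewall (assumed addresses).
INTERNAL_NET = ip_network("192.168.10.0/24")
ALLOWED_INBOUND_PORTS = {80, 443}        # only the published web server
ALLOWED_OUTBOUND_PORTS = {80, 443, 22}   # http, https and ssh out; telnet/ftp not


@dataclass
class Packet:
    iface: str    # "ext" = arrived from the Internet, "int" = arrived from the LAN
    src: str
    dst: str
    dport: int


def filter_packet(pkt: Packet, audit: list) -> bool:
    """Return True to forward or False to drop, and record the decision."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.iface == "ext" and src in INTERNAL_NET:
        # Anti-spoofing: an address-only rule would trust this packet; checking
        # the interface it arrived on is what defeats the spoof.
        verdict, why = False, "internal source address arriving from outside"
    elif pkt.iface == "ext":
        verdict = dst in INTERNAL_NET and pkt.dport in ALLOWED_INBOUND_PORTS
        why = "inbound port policy"
    elif pkt.iface == "int":
        verdict = src in INTERNAL_NET and pkt.dport in ALLOWED_OUTBOUND_PORTS
        why = "outbound port policy"
    else:
        verdict, why = False, "unknown interface"
    action = "ALLOW" if verdict else "DROP"
    audit.append(f"{action} {pkt.iface} {pkt.src}->{pkt.dst}:{pkt.dport} ({why})")
    return verdict


def run_demo() -> tuple:
    audit: list = []
    traffic = [   # constructed sample packets
        Packet("ext", "203.0.113.5", "192.168.10.20", 443),   # visitor to web server
        Packet("ext", "203.0.113.5", "192.168.10.20", 23),    # telnet probe from outside
        Packet("ext", "192.168.10.7", "192.168.10.20", 443),  # spoofed LAN source address
        Packet("int", "192.168.10.7", "198.51.100.9", 22),    # ssh out from a LAN client
        Packet("int", "192.168.10.7", "198.51.100.9", 21),    # ftp out, not permitted
    ]
    verdicts = [filter_packet(p, audit) for p in traffic]
    return verdicts, audit


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```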

[Figure: VPNs at OSI levels 1-3: restricted use of the physical Internet; VPN path shown in green]

VPNs (Virtual Private Networks)
- Two pronged defence:
  - physically keeping the data away from unsecured servers…
    - several protocols available for sending packets along a pre-defined route
  - data encapsulated and encrypted so it appears to travel as if on a point-point link but is still secure even if intercepted
- Whichever protocol is used, the result is a secure system with pre-determined pathways for all packets

Principles of VPN protocols
- The tunnel - where the private data is encapsulated
- The VPN connection - where the private data is encrypted

Principles of VPN protocols
- To emulate a point-to-point link:
  - data encapsulated, or wrapped, with a header
    - provides routing information
    - allows packets to traverse the shared public network to its endpoint
- To emulate a private link:
  - data encrypted for confidentiality
- Any packets intercepted on the shared public network are indecipherable without the encryption keys…

Potential weakness of the VPN
- Once the data is encrypted and in the tunnel it is very secure
- BUT
  - to be secure, it MUST be encrypted and tunnelled throughout its whole journey
  - if any part of that journey is outside the tunnel…
    - e.g. network path to an outsourced VPN provider
    - obvious scope for security breaches
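The two VPN principles (encapsulate with an outer header, encrypt the inner data) and the weakness just described, as an added example that is not from the original slides: an inner packet is wrapped so that an interceptor on the public network sees only the two gateway addresses and opaque bytes, any alteration in transit is detected at the tunnel exit, and the same inner packet observed on a segment before it enters the tunnel is fully readable. The cipher is a deliberately simple HMAC-based construction for illustration, not ESP's real format; addresses, keys and the payload are constructed.

```python
import hashlib, hmac, os, struct

# Toy cipher for illustration only (not ESP's real format): HMAC-SHA256 keystream
# in counter mode XORed over the inner packet, then an HMAC tag (encrypt-then-MAC).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for block in range(0, n, 32):
        out += hmac.new(key, nonce + struct.pack(">I", block // 32), hashlib.sha256).digest()
    return out[:n]

def build_inner(src: str, dst: str, payload: bytes) -> bytes:
    # Constructed "inner IP packet": 16-byte src and dst fields, then the data.
    return src.encode().ljust(16) + dst.encode().ljust(16) + payload

def encapsulate(inner: bytes, gw_a: str, gw_b: str, enc_key: bytes, mac_key: bytes) -> bytes:
    """Tunnel entry: encrypt the whole inner packet and prepend an outer header
    that names only the tunnel endpoints (the two VPN gateways)."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(enc_key, nonce, len(inner))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return gw_a.encode().ljust(16) + gw_b.encode().ljust(16) + nonce + ct + tag

def observer_view(packet: bytes) -> dict:
    """What an interceptor can read from a packet without the keys."""
    return {"src": packet[:16].strip().decode(), "dst": packet[16:32].strip().decode(),
            "payload": packet[32:]}

def decapsulate(packet: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Tunnel exit: check the tag first, then recover the inner packet."""
    nonce, ct, tag = packet[32:40], packet[40:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: packet altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> tuple:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    inner = build_inner("10.1.0.5", "10.2.0.9", b"payroll report: CONFIDENTIAL")
    before_tunnel = observer_view(inner)   # segment outside the tunnel: all readable
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.7", enc_key, mac_key)
    in_tunnel = observer_view(outer)       # on the public Internet: gateways only
    intact = decapsulate(outer, enc_key, mac_key) == inner
    tampered = bytearray(outer)
    tampered[45] ^= 0x01                   # one bit flipped somewhere in transit
    try:
        decapsulate(bytes(tampered), enc_key, mac_key)
        detected = False
    except ValueError:
        detected = True
    return before_tunnel, in_tunnel, intact, detected
```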

Using a VPN as part of an Extranet

Using a VPN for point-to-point

Using a VPN to connect a remote computer to a Secured Network

VPN-related protocols offering even greater Internet security
- Two possibilities are available for creating a secure VPN:
  - Layer 3:
    - IPsec – fixed point routing protocol
  - Layer 2 “tunnelling” protocols
    - encapsulate the data within other data before converting it to binary data:
      - PPTP (Point-to-point tunnelling protocol)
      - L2TP (Layer 2 tunnelling protocol)

IPsec
- First VPN system
  - defined by IETF RFC 2401
  - uses ESP (Encapsulating Security Payload) at the IP packet level
- IPsec provides security services at the IP layer by:
  - enabling a system to select required security protocols (ESP possible with a number of encryption protocols)
  - determining the algorithm(s) to use for the chosen service(s)
  - putting in place any cryptographic keys required to provide the requested services

More about IPSec in practice
- Depends on PKI for authentication
  - both ends must be IPSec compliant, but not the various network systems that may be between them…
- Can therefore be used to protect paths between
  - a pair of hosts
  - a pair of security gateways
  - a security gateway and a host
- Can work with IPv4 and IPv6

Layer 2 Security: L2TP
- Microsoft hybrid of:
  - their own PPTP
  - CISCO’s L2F (layer 2 forwarding)
- With L2TP, IPSec is optional:
  - like PPTP:
    - it can use PPP authentication and access controls (PAP and CHAP!)
    - it uses NCP to handle remote address assignment of the remote client
  - without IPSec there is no overhead of reliance on PKI