Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in the layers 8: Network Security.

Published byGriselda Gallagher Modified over 6 years ago

Similar presentations

Presentation on theme: "Security in the layers 8: Network Security."— Presentation transcript:

1 Security in the layers 8: Network Security

2 Secure sockets layer (SSL)
Server authentication: SSL-enabled browser includes public keys for trusted CAs. Browser requests server certificate, issued by trusted CA. Browser uses CA’s public key to extract server’s public key from certificate. Transport layer security to any TCP-based app using SSL services. Used between Web browsers, servers for e-commerce (https). Security services: server authentication data encryption client authentication (optional) https  HTTP Secure CA  Certification authority 8: Network Security

3 SSL (continued) Encrypted SSL session:
Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server. Using private key, server decrypts session key. Browser, server know session key All data sent into TCP socket (by client or server) encrypted with session key. SSL: basis of IETF Transport Layer Security (TLS). SSL can be used for non-Web applications, e.g., IMAP. Client authentication can be done with client certificates. The Internet Engineering Task Force (IETF) develops and promotes Internet standards. Internet message access protocol (IMAP) is one of the two most prevalent Internet standard protocols for retrieval, the other being the Post Office Protocol (POP) 8: Network Security

4 IPsec: Network Layer Security
Network-layer secrecy: sending host encrypts the data in IP datagram TCP and UDP segments; ICMP and SNMP messages. Network-layer authentication destination host can authenticate source IP address Two principal protocols: authentication header (AH) protocol encapsulation security payload (ESP) protocol For both AH and ESP, source, destination handshake: create network-layer logical channel called a security association (SA) Designed for IPv6 Backward compatible with IPv4 IPsec supports 2 Modes Transport mode Only payload encrypted/authenticated Tunnel mode (used to create Virtual Private Networks (VPNs) Everything encrypted/authenticated Mostly used to create VPN connections. 8: Network Security

5 IEEE security War-driving: drive around Bay area, see what networks available? More than 9000 accessible from public roadways 85% use no encryption/authentication packet-sniffing and various attacks easy! Securing encryption, authentication first attempt at security: Wired Equivalent Privacy (WEP): a failure current attempt: i 8: Network Security

6 Wired Equivalent Privacy (WEP):
authentication as in a weak protoocol host requests authentication from access point access point sends 128 bit nonce host encrypts nonce using shared symmetric key access point decrypts nonce, authenticates host no key distribution mechanism authentication: knowing the shared key is enough 8: Network Security

7 WEP data encryption Host/AP share 40 bit symmetric key
Host appends 24-bit Initialization Vector (IV) to create 64-bit key 64 bit key used to generate stream of keys, kiIV kiIV used to encrypt ith byte, di, in frame: ci = di XOR kiIV IV and encrypted bytes, ci sent in frame 8: Network Security

8 Sender-side WEP encryption
8: Network Security

9 Breaking 802.11 WEP encryption
Security hole: 24-bit IV, one IV per frame, -> IV’s eventually reused IV transmitted in plaintext -> IV reuse detected Attack: Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4 … Trudy sees: ci = di XOR kiIV Trudy knows ci di, so can compute kiIV Trudy knows encrypting key sequence k1IV k2IV k3IV … Next time IV is used, Trudy can decrypt! 8: Network Security

10 802.11i: improved security numerous (stronger) forms of encryption possible provides key distribution uses authentication server separate from access point 8: Network Security

11 WPA - Wi-Fi Protected Access
Implements i 128-bit key, 48-bit IV Uses TKIP (Temporary Key Integrity Protocol) Hash of IV (not sent in plaintext) Ensures each frame is sent with a unique key 8: Network Security

12 Phase 1: AP advertises presence & security capabilities to wireless client. Client requests desired security needs. Several more steps required for proper authentication. 8: Network Security

13 Firewalls firewall isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. administered network public Internet firewall 8: Network Security

14 Firewalls: Why prevent denial of service attacks:
SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections. prevent illegal modification/access of internal data. e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network (set of authenticated users/hosts) two types of firewalls: application-level packet-filtering 8: Network Security

15 Should arriving packet be allowed in? Departing packet let out?
Packet Filtering Should arriving packet be allowed in? Departing packet let out? internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits A network admin can configure firewall based on the policies or the organization. Different filter settings can be used for different policies. 8: Network Security

16 Packet Filtering Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked. Example 2: Block inbound TCP segments with ACK=0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Filter setting is given in red font. Policy is given in black font. 8: Network Security

17 Application gateways gateway-to-remote host telnet session host-to-gateway telnet session Filters packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to telnet outside. application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. 8: Network Security

18 Limitations of firewalls and gateways
IP spoofing: router can’t know if data “really” comes from claimed source if multiple app’s. need special treatment, each has own app. gateway. client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser filters often use all or nothing policy for UDP. tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks. 8: Network Security

19 Network Security (summary)
Basic techniques…... cryptography (symmetric and public) authentication message integrity key distribution …. used in many different security scenarios secure secure transport (SSL) IP sec 802.11 Firewall 8: Network Security

Download ppt "Security in the layers 8: Network Security."

Similar presentations

IPSec.

IPSec.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.

Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.
(4.4) Internet Protocols Layered approach to Internet Software 1.

(4.4) Internet Protocols Layered approach to Internet Software 1.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Chapters 8 Network Security Professor Rick Han University of Colorado at Boulder

Chapters 8 Network Security Professor Rick Han University of Colorado at Boulder
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.

Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.

24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
Network Security7-1 Today r Collect Ch6 HW r Assign Ch7 HW m Ch7 #2,3,4,5,7,9,10,12 m Due Wednesday Nov 19 r Continue with Chapter 7 (Security)

Network Security7-1 Today r Collect Ch6 HW r Assign Ch7 HW m Ch7 #2,3,4,5,7,9,10,12 m Due Wednesday Nov 19 r Continue with Chapter 7 (Security)
Secure connections.

Secure connections.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,

Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,
Firewalls A note on the use of these ppt slides:

Firewalls A note on the use of these ppt slides:

Similar presentations

Ads by Google