Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT443 – Network Security Administration Instructor: Bo Sheng

Published byDoris Horn Modified over 6 years ago

Similar presentations

Presentation on theme: "IT443 – Network Security Administration Instructor: Bo Sheng"— Presentation transcript:

1 IT443 – Network Security Administration Instructor: Bo Sheng
IPsec IT443 – Network Security Administration Instructor: Bo Sheng

2 Monitoring/Logging/Intrusion Detection
Securing Networks Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec, IKE) Network Layer (IP) Monitoring/Logging/Intrusion Detection Network Security Tools: Control/Management (configuration) Link Layer (IEEE802.1x/IEEE802.10) Physical Layer (spread-Spectrum, quantum crypto, etc.)

3 IPsec Objectives Why do we need IPsec? IP V4 has no authentication
IP spoofing Payload could be changed without detection. IP V4 has no confidentiality mechanism Eavesdropping Denial of service (DoS) attacks Cannot hold the attacker accountable due to the lack of authentication.

4 IPsec Objectives IP layer security mechanism for IPv4 and IPv6
Not all applications need to be security aware Can be transparent to users Provide authentication and confidentiality mechanisms.

5 IPsec Architecture IPsec module 1 IPsec module 2 SPD SPD IKE IKE SAD
SPD: Security Policy Database; IKE: Internet Key Exchange; SA: Security Association; SAD: Security Association Database.

6 IPsec Architecture Two Protocols (Mechanisms) IKE Protocol
Authentication Header (AH) Encapsulating Security Payload (ESP) IKE Protocol Internet Key Management

7 IPsec Architecture Can be implemented in Can work in two Modes
Host or gateway Can work in two Modes Tunnel mode Transport mode Hosts can implement IPsec to connect to: Other hosts in transport or tunnel mode Or Gateways in tunnel mode Gateways to gateways

8 Authentication Header (AH)
Data integrity Entire packet has not been tampered with Authentication Can “trust” IP address source Use MAC to authenticate Anti-replay feature

9 Encapsulated Security Protocol (ESP)
Confidentiality for upper layer protocol Partial traffic flow confidentiality (Tunnel mode only) Data origin authentication and connectionless integrity (optional)

10 Tunnel Mode A Encrypted Tunnel Gateway Gateway Encrypted Unencrypted
B New IP Header AH or ESP Header TCP Data Orig IP Header

11 Tunnel Mode Real IP destination Destination IPsec entity
Outer IP header IPsec header Inner IP header Higher layer protocol ESP Real IP destination Destination IPsec entity AH ESP applies only to the tunneled packet AH can be applied to portions of the outer header

12 Transport Mode A Encrypted/Authenticated B New IP Header
AH or ESP Header TCP Data

13 Transport Mode Real IP destination
header IP options IPsec header Higher layer protocol ESP Real IP destination AH ESP protects higher layer payload only AH can protect IP headers as well as higher layer payload

14 Security Association (SA)
An association between a sender and a receiver Consists of a set of security related parameters E.g., sequence number, encryption key One way relationship Determine IPsec processing for senders Determine IPsec decoding for destination SAs are not fixed! Generated and customized per traffic flows

15 Security Parameters Index (SPI)
A 32-bits string assigned to an SA. Carried in AH and ESP headers to enable the receiving system to select the SA under which the packet will be processed. SPI + Dest IP address + IPsec Protocol Uniquely identifies each SA in SA Database (SAD)

16 SA Database (SAD) Holds parameters for each SA
Sequence number counter Lifetime of this SA AH and ESP information Tunnel or transport mode Every host or gateway participating in IPsec has their own SA database

17 SA Bundle More than 1 SA can apply to a packet
Example: ESP does not authenticate new IP header. How to authenticate? Use SA to apply ESP w/out authentication to original packet Use 2nd SA to apply AH

18 Security Policy Database (SPD)
Decide What traffic to protect? Has incoming traffic been properly secured? Policy entries define which SA or SA Bundles to use on IP traffic Each host or gateway has their own SPD Index into SPD by Selector fields Selectors: IP and upper-layer protocol field values. Examples: Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source & Dest Ports, …

19 Outbound Processing A Outbound packet (on A) Send to B B IP Packet …
SPD (Policy) SA Database Is it for IPsec? If so, which policy entry to select? IPSec processing SPI & IPsec Packet Determine the SA and its SPI Send to B

20 Inbound Processing A Inbound packet (on B) From A B SA Database
SA Database SPD (Policy) SPI & Packet Use SPI to index the SAD Was packet properly secured? Original IP Packet “un-process”

21 Issues Firewalls AH mutable/immutable/predictable fields:
IPsec encrypts information used by firewalls to filter traffic (e.g., port number) AH mutable/immutable/predictable fields: Some fields get modified by the intermediate routers and can’t be protected by the AH Mutable: type of service, flags, fragment offset, TTL, header checksum Mutable but predictable fields are included in the AH computation using their expected value at the destination (e.g., destination address even when using source routing)

22 Internet Key Exchange Why do we need Internet key management
AH and ESP require encryption and authentication keys Process to negotiate and establish IPsec SAs between two entities

23 Security Principles Basic security principle for session keys
Compromise of a session key Doesn’t permit reuse of the compromised session key. Doesn’t compromise future session keys and long-term keys. Perfect forward secrecy (PFS) Compromise of current keys (session key or long-term key) doesn’t compromise past session keys. Concern for encryption keys but not for authentication keys.

24 A Note about IKE IKE v2 was introduced in RFC 4306 (December 2005)
IKE v2 does not interoperate with IKE v1 Both version can unambiguously run over the same UDP port IKE v2 combines the contents of previously separate documents ISAKMP IKE v1 DOI NAT

25 IKE Overview A separate RFC has been published for IKE
Request-response protocol Initiator Responder Two phases Phase 1: Establish an IKE (ISAKMP) SA Essentially the ISAKMP phase 1 Bi-directional Phase 2: Use the IKE SA to establish IPsec SAs Key exchange phase Directional

26 A Clarification About PFS
In RFC 2409: When used in the memo Perfect Forward Secrecy (PFS) refers to the notion that compromise of a single key will permit access to only data protected by a single key. The key used to protect transmission of data MUST NOT be used to derive any additional keys. If the key used to protect transmission of data was derived from some other keying material, that material MUST NOT be used to derive any more keys.

Download ppt "IT443 – Network Security Administration Instructor: Bo Sheng"

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
1 IPsec Youngjip Kim 2004. 05. 24. 2 Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.

1 IPsec Youngjip Kim Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.

IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
CSCE 715: Network Systems Security

CSCE 715: Network Systems Security
TCP/IP Protocols Contains Five Layers

TCP/IP Protocols Contains Five Layers
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

Similar presentations

Ads by Google