Presentation is loading. Please wait.

Presentation is loading. Please wait.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Similar presentations


Presentation on theme: "Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work."— Presentation transcript:

1 Encryption and Firewalls Chapter 7

2 Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work and why they are important security tools Analyze the workings of SSL, PGP, and other popular encryption schemes Enable Internet Protocol Security (IPSec) and identify its protocols and modes

3 Encryption Process of encoding and decoding information to: Preserve its integrity Maintain privacy Ensure identity of users participating in the encrypted data session

4 Why Firewalls Need to Use Encryption Hackers take advantage of a lack of encryption Encryption: Preserves data integrity Increases confidentiality Is relied upon by user authentication Plays a fundamental role in enabling VPNs

5 Hackers Take Advantage of a Lack of Encryption

6

7 The Cost of Encryption CPU resources and time Bastion host that hosts the firewall should be robust enough to manage encryption and other security functions Encrypted packets may need to be padded to uniform length to ensure that some algorithms work effectively Can result in slowdowns Monitoring can burden system administrator

8 Preserving Data Integrity Even encrypted sessions can go wrong as a result of man-in-the-middle attacks Encryption can perform nonrepudiation using a digital signature

9 Maintaining Confidentiality Encryption conceals information to render it unreadable to all but intended recipients

10 Authenticating Network Clients Firewalls need to trust that the person’s claimed identity is genuine Firewalls that handle encryption can be used to identify individuals who have “digital ID cards” that include encrypted codes Digital signatures Public keys Private keys

11 Enabling VPNs As an integral part of VPNs, encryption: Enables the firewall to determine whether the user who wants to connect to the VPN is actually authorized to do so Encodes payload of information to maintain privacy

12 Digital Certificates and Public and Private Keys Digital certificate Electronic document that contains a digital signature (encrypted series of numerals and characters), which authenticates identity of person sending certificate Keys Basis of digital certificates and signatures Enable holders of digital certificates to encrypt communications (using their private key) or decrypt communications (using sender’s public key)

13 Digital Certificates Transport encrypted codes (public and private keys) through the firewall from one host to another Help ensure identity of the individual who owns the digital certificate Provide another layer of security in firewall architecture

14 Aspects of Digital Certificates Establishment of an infrastructure for exchanging public and private keys Need to review and verify someone’s digital certificate Difference between client- and server-based digital certificates

15 The Private Key Infrastructure Lightweight Directory Access Protocol (LDAP) Publicly available database that holds names of users and digital certificates Public-Key Infrastructure (PKI) Enables distribution of digital certificates and public and private keys Underlies many popular and trusted security schemes (eg, PGP and SSL)

16 Viewing a Digital Certificate

17

18 Types of Digital Certificates a Firewall Will Encounter Client-based digital certificates Obtained by users from a Certification Authority (CA), which issues them and vouches for owner’s identity Server-based digital certificates Issued by a CA to a company that issues them to individuals

19 Keys Value generated by an algorithm that can also be processed by an algorithm to encrypt or decrypt text Length of the key determines how secure the level of encryption is

20 Aspects of Keys That Pertain to Firewall-Based Encryption Public and private keys Need to generate public keys Need to securely manage private keys Need to use a key server either on network or Internet Differences between private and public key servers

21 Public and Private Keys Private key Secret code generated by an algorithm Never shared with anyone Public key Encoded information generated when private key is processed by the same algorithm Can be exchanged freely with anyone online

22 A Public Key Generated by PGP

23 An Encrypted Communication Session

24 Choosing the Size of Keys

25 Generating Keys

26 Managing Keys Manual distribution Use of a CA Use of a Key Distribution Center (KDC)

27 Using a Key Server That Is on Your Network

28 Using an Online Key Server

29 Analyzing Popular Encryption Schemes Symmetric key encryption Asymmetric key encryption Pretty Good Privacy (PGP) Secure Sockets Layer (SSL)

30 Symmetric Encryption Use of only one key to encrypt information, rather than a public-private key system Same key is used to encrypt/decrypt a message Both sender and recipient must have same key Not scalable

31 Symmetric Key Encryption

32 Asymmetric Encryption Uses only one user’s public key and private key to generate unique session keys that are exchanged by users during a particular session Only the private key must be kept secret Scales better than symmetric encryption Disadvantages Slower Only a few public key algorithms are available (eg, RSA and EIGamal) that are secure and easy to use for both encryption and key exchange

33 Asymmetric Key Encryption

34 PGP Hybrid system that combines advantages of asymmetric (scalability) and symmetric (speed) encryption systems

35 PGP Process File/message is encrypted Session key is encrypted using public key half of asymmetric public-private key pair Recipient of encrypted message uses his/her private key to decode the session key Session key is used to decode message/file Encryption schemes used to generate public and private key pairs Rivest-Shamir-Adleman (RSA) encryption Diffie-Hellman encryption

36 Using PGP

37

38 X.509 Standard set of specifications for assembling and formatting digital certificates and encrypting data within them A commonly used type of PKI Widely used and well trusted

39 X.509 and PGP Compared X.509 Perception of trust PGP Does not make use of the CA concept Gives users ability to wipe files from hard disk (and delete permanently) Available both in freeware and commercial versions

40 X.509 and PGP Compared

41 SSL Secure way to transmit data Uses both symmetric and asymmetric keys Asymmetric keys start an SSL session Symmetric keys are dynamically generated for the bulk of the transfer

42 Using Internet Protocol Security (IPSec) Encryption Creates a secure IP connection between two computers Operates under the Application layer Transparent to users

43 Understanding IPSec Set of standards and software tools that encrypt IP connections between computers Allows a packet to specify a mechanism for authenticating its origin, ensuring data integrity, and ensuring privacy

44 Modes of IPSec Transport mode Tunnel mode Choice depends on type of network and whether it uses NAT

45 Transport Mode IPSec authenticates two computers that establish a connection Can optionally encrypt packets Does not use a tunnel

46 Tunnel Mode IPSec encapsulates IP packets and can optionally encrypt them Encrypts packet headers rather than the data payload Incompatible with NAT

47 IPSec Protocols Authentication Header (AH) Encapsulation Security Payload (ESP)

48 Authentication Header (AH) Adds a digital signature to packets to protect against repeat attacks, spoofing, or other tampering Verifies that parts of packet headers have not been altered between client and IPSec- enabled host Incompatible with NAT

49 AH

50 Encapsulation Security Payload (ESP) More robust than AH; encrypts data part of packets as well as the headers Provides confidentiality and message integrity Can cause problems with firewalls that use NAT

51 Components of IPSec Two modes: transport and tunnel Two protocols: AH and ESP IPSec driver Internet Key Exchange (IKE) Internet Security Association Key Management Protocol (ISAKMP) Oakley IPSec Policy Agent

52 Choosing the Best IPSec Mode for Your Organization

53 ESP plus tunnel mode provides best level of protection ESP conceals IP header information Tunnel mode can both encapsulate and encrypt packets

54 Enabling IPSec Select group policy security setting for computers that need to communicate with enhanced security Define at group policy level in Windows 2000 Define at local policy level if not in Windows 2000 Predefined IPSec policy levels in Windows 2000 or XP: Client (Respond only) Server (Request Security) Secure Server (Require Security)

55 Defining IPSec Policy at Local Policy Level

56 Limitations of IPSec If machine that runs IPSec-compliant software has been compromised, communications from that machine cannot be trusted Encrypts IP connection between two machines— not the body of e-mail messages or content of other communications Not an end-to-end security method Authenticates machines, not users Doesn’t prevent hackers from intercepting encrypted packets

57 Chapter Summary How and why encryption is used in a network How to use encryption to complement the firewall’s activities Encryption applications PGP SSL IPSec Schemes that can form part of a firewall architecture


Download ppt "Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work."

Similar presentations


Ads by Google