Slide 1
© NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential

The Internet offers no inherent security services to its users; the data transmitted over the Internet is insecure and vulnerable to various kinds of attacks. The data that is transmitted can be altered in transit, the source address of the data packets can be altered, the data packets can be intercepted and resent, etc. This thesis introduces two different security protocols, namely IPSEC and SSH, on an F-server platform in a single-point-of-contact environment, and evaluates each protocol's suitability and PKI extension for the given environment.

Literature survey
Slide 2

Secure Shell in a clustered single-point-of-contact corporate environment
By Olli Tuominen
Supervisor: Jorma Jormakka
SSH IPSEC
Slide 3

Security attacks
- Active attack
- Passive attack

Security services
- Authentication
- Data confidentiality
- Data integrity
- Non-repudiation

Cryptographic basics
- Types of cryptographic functions: secret key cryptography, public key cryptography, key management
- Hash algorithms
- Digital signatures and authentication protocols
Slide 4

The most important development from the work on public key cryptography is the digital signature: public-key authentication allows people to check the integrity of signed documents. Digital signatures provide the highest levels of data integrity, since any tampering after signing invalidates the signature. They also provide unforgeable origin authentication, since they are based on the sender's private signing key and are verified with the public verifying key. Both protocols, SSH and IPSEC, are cryptographically equally strong.
Slide 5

PKI

Security in different levels of the TCP/IP stack

Layer               Protocol               Security protocol
Application Layer   Application Protocol   SSH
Transport Layer     TCP/UDP                TLS
Network Layer       IP                     IPSEC
Data Link Layer
Slide 6

SSH protocol overview
IPSEC protocol overview
Protocol evaluation
Analysis
- Security criteria
- Interoperability criteria
- Complexity of deployment criteria
- Environment usability criteria
- Scalability criteria
Slide 7

Introduction to the clustered environment

Evaluated protocols in conjunction with PKI
- SSH with PKI
- IPSEC with PKI
Investments are very similar. Same advantage for both: binding of an end-entity to a certificate.

SSH vs. IP VPN conclusion
- Both work on different layers and are suited for different scenarios.
- SSH is software based; an IPSEC VPN usually needs hardware.
- They are not necessarily mutually exclusive.
- IPSEC is more expensive to implement and to maintain: low ROI (return on investment).
- IPSEC requires investments also from partnering organizations.
- IPSEC is better suited for VPN use.
- SSH is able to provide end-to-end security; IPSEC is not well suited for that.
- SSH is point-to-point, IPSEC is not: IPSEC is always open and encrypts everything, regardless of the need -> high bandwidth consumption.
Slide 8

- SSH has good interoperability between products from different vendors.
- IPSEC is easier to use for the end-user.
- SSH can encrypt only applications with known port numbers.
- IPSEC can encrypt every application that runs on top of it, including FTP.
- SSH cannot encrypt FTP traffic properly.
- Administrative burdens are very different in nature for IPSEC and SSH.
- IPSEC has complex IPSEC policies; with SSH the administrator has to concern himself only with authentication and access control. IPSEC is virtually part of the LAN perimeter.
- Processing delays between SSH and IPSEC are insignificant.

SFTP vs. IPSEC-secured FTP
- SFTP provides better control over end users.
- FTP is an inherently insecure protocol.
Slide 9

- SFTP doesn't require open ports on the firewall or NAT services.

PKI integration into the corporate network
- previous experiences
- recommendations
- implementation in a phased approach
- benefits
Slide 10

Conclusions

SSH is a very portable protocol, and it has very wide platform support. SSH implementations are very interoperable, due to the extensive standardization of the protocol. IPSEC has traditionally been more difficult to port to other operating systems; the implementations on different platforms vary greatly for IPSEC. IPSEC is very prone to configuration errors. IPSEC has issues with traversal of firewalls and NATs; more standardization is needed. The needed configurations are much easier for SSH than for IPSEC. SSH is significantly easier to maintain and administer than IPSEC, also after the implementation process. The installation process with IPSEC is significantly more complex: it needs to be integrated into the kernel. The needed policy configuration and centralized management are complex and error-prone features.
Slide 11

SSH is not as user friendly: it requires tunnel setup configuration from users. It is not very transparent and not suited for VPN functionality. SSH is a point-to-point application, and is best suited for terminal use and file transfer. IPSEC is very user friendly, but has a problem in providing feedback to the user. It is a more encompassing security solution. The administrative work that comes with IPSEC is far more complex than it is with SSH. SSH scales badly without the use of certificates in distributing its public keys; IPSEC has the same problem with its pre-shared secrets.

Recommended configurations
- SSH implementation and configuration in a Linux-based clustered environment
- Authentication and access control with SSH
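The recommended configuration above centres on authentication and access control with SSH on a Linux entry host. As an added example, not from the thesis or any vendor, here is a small Python audit that parses an sshd_config (including Match blocks) and flags settings that contradict such a policy: key-only login, access limited to named groups, and an SFTP-only group that cannot open tunnels. The policy rules, the group name 'partners' and the sample config are this example's assumptions.

```python
"""Audit an sshd_config against the access-control policy sketched above: key-only
login, access limited to named groups, and an SFTP-only group without tunnels."""
import re

# Constructed sample (not from the page): a weak global section plus a Match
# block that turns members of group 'partners' into SFTP-only accounts.
WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
Match Group partners
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
"""

def parse_sshd_config(text):
    """Return (global_settings, {match criteria: settings}), keys lowercased."""
    glob, matches, cur = {}, {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":                              # following lines are scoped
            cur = matches.setdefault(value.lower(), {})
        else:
            (glob if cur is None else cur)[key] = value
    return glob, matches

def audit(text, sftp_group="partners"):
    """Return findings (empty list = policy met); fallbacks mirror OpenSSH defaults."""
    glob, matches = parse_sshd_config(text)
    out = []
    if glob.get("permitrootlogin", "prohibit-password") != "no":
        out.append("PermitRootLogin must be no on a shared entry host")
    if glob.get("passwordauthentication", "yes") != "no":
        out.append("PasswordAuthentication must be no: keys or certificates only")
    if not (glob.get("allowgroups") or glob.get("allowusers")):
        out.append("no AllowGroups/AllowUsers: every local account may log in")
    sftp = matches.get(f"group {sftp_group}")
    if sftp is None:
        return out + [f"no 'Match Group {sftp_group}' block for SFTP-only users"]
    if sftp.get("forcecommand") != "internal-sftp":
        out.append(f"{sftp_group}: no ForceCommand internal-sftp, users get a shell")
    if "chrootdirectory" not in sftp:
        out.append(f"{sftp_group}: no ChrootDirectory, users see the whole filesystem")
    if sftp.get("allowtcpforwarding", glob.get("allowtcpforwarding", "yes")) != "no":
        out.append(f"{sftp_group}: AllowTcpForwarding must be no, SFTP users need no tunnels")
    return out
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host to list the deviations; a Match block inherits global values, so a global `AllowTcpForwarding no` satisfies the SFTP-group check.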
Slide 12

Thank you