Slide 1
E-Commerce: Fundamentals and Applications (Wiley and the book authors, 2001)
Chapter 8: Internet Security
Slide 2: Outline
- IPSec protocol
  - The authentication header (AH) service
  - The encapsulating security payload (ESP) service
  - Application of IPSec: Virtual private network
- Firewalls
  - Different types of firewalls
  - Examples of firewall systems
- Secure socket layer (SSL)
Slide 3: IPSec Service
[Diagram. An IPSec-enabled host or gateway contains an IPSec processor that consults the SPD and SAD. A security association (SA) between two IPSec-enabled hosts/gateways turns an unprotected IP packet (IP Header | Upper Layer Data) into a protected IP packet (IP Header | IPSec Header | Upper Layer Data). A non-IPSec-enabled host behind an IPSec-enabled gateway is protected through tunneling: the gateway wraps the packet as Gateway's IP Header | IPSec Header | IP Header | Upper Layer Data.]
Slide 4: AH Service (Transport Mode)
[Diagram. Unprotected IP packet: IP Header | Upper Layer Data. Protected IP packet (AH transport mode): IP Header | AH | Upper Layer Data. The whole packet is authenticated (for the immutable fields in the IP packet).]
Slide 5: AH Service (Tunnel Mode)
[Diagram. Unprotected IP packet: IP Header | Upper Layer Data. Protected IP packet (AH tunnel mode): New IP Header* | AH | IP Header | Upper Layer Data. The whole packet is authenticated (for the immutable fields in the IP packet). * typically with the gateway's IP address]
Slide 6: ESP Service (Transport Mode)
[Diagram. Unprotected IP packet: IP Header | Upper Layer Data. Protected IP packet (ESP transport mode): IP Header | ESP Header | Upper Layer Data | ESP Trailer | ESP Auth. The Upper Layer Data and ESP Trailer are encrypted; the ESP Header, Upper Layer Data and ESP Trailer are authenticated.]
Slide 7: ESP Service (Tunnel Mode)
[Diagram. Unprotected IP packet: IP Header | Upper Layer Data. Protected IP packet (ESP tunnel mode): New IP Header* | ESP Header | IP Header | Upper Layer Data | ESP Trailer | ESP Auth. The original IP Header, Upper Layer Data and ESP Trailer are encrypted; the ESP Header, original IP Header, Upper Layer Data and ESP Trailer are authenticated. * with the gateway's IP address]
Slide 8: Virtual Private Network
[Diagram. Two intranets, each containing IPSec-enabled hosts and non-IPSec-enabled hosts, are connected across the Internet by an IP tunnel between their IPSec-enabled gateways. An IPSec-enabled host in one intranet also holds an end-to-end SA with an IPSec-enabled host in the other.]
Slide 9: Firewall
[Diagram. The firewall sits between the insecure Internet and the secure intranet.]
Slide 10: Types of Firewalls
- Packet filtering router
- Application level gateway
- Circuit level gateway
Slide 11: Firewall Example
[Diagram. A packet filtering router (PR) separates the Internet from the intranet. Behind it are a public server (e.g. web server) at address b, a bastion host (application gateway) at address a, a private server and hosts.]

Illustrative filtering rules for the packet filtering router
(Note: each small letter represents an IP address. * means any value. A specific port may also be set.)

Source IP address | Source port | Destination IP address | Destination port | Action (allow/deny)   | Remarks
*                 | *           | b                      | *                | Allow (inbound only)  | Allow internet hosts to communicate with the public server.
b                 | *           | *                      | *                | Allow (outbound only) | Allow the public server to communicate with internet hosts.
*                 | *           | a                      | *                | Allow (inbound only)  | Allow internet hosts to communicate with the intranet through the bastion host.
a                 | *           | *                      | *                | Allow (outbound only) | Allow intranet hosts to communicate with the Internet through the bastion host.
*                 | *           | *                      | *                | Deny                  | Deny all other packets.

Reference: Semeria, C., Internet Firewalls and Security, http://www.3com.com/technology/tech_net/white_papers/500619s.html, 1996
Slide 12: Firewall Example
Key filtering rules for the inside packet filtering router
[Diagram. An outside packet filtering router (OPR) separates the Internet from a DMZ, and an inside packet filtering router (IPR) separates the DMZ from the intranet. The bastion host (application gateway) has address a and the public server (e.g. web server) has address b; the other labelled components are modem pools, a private server and hosts.]

(Note: each small letter represents an IP address. * means any value. A specific port may also be set.)

Source IP address | Source port | Destination IP address | Destination port | Action (allow/deny)   | Remarks
*                 | *           | a                      | *                | Allow (inbound only)  | Allow internet hosts to communicate with the bastion host.
*                 | *           | b                      | *                | Allow (inbound only)  | Allow internet hosts to communicate with the public server directly.
a                 | *           | *                      | *                | Allow (outbound only) | Allow intranet hosts to communicate with the internet through the bastion host.
b                 | *           | *                      | *                | Allow (outbound only) | Allow the public server to communicate with internet hosts.
*                 | *           | *                      | *                | Deny                  | Deny all other packets.

Reference: Semeria, C., Internet Firewalls and Security, http://www.3com.com/technology/tech_net/white_papers/500619s.html, 1996
Slide 13: Firewall Example (Cont')
Illustrative filtering rules for the inside packet filtering router
(Note: each small letter represents an IP address. * means any value. A specific port may also be set.)

Source IP address | Source port | Destination IP address | Destination port | Action | Remarks
a                 | *           | *                      | *                | Allow  | Allow internet hosts to communicate with the intranet through the bastion host. (from the DMZ to the intranet only)
*                 | *           | a                      | *                | Allow  | Allow intranet hosts to communicate with the internet through the bastion host. (from the intranet to the DMZ only)
*                 | *           | *                      | *                | Deny   | Deny all other packets.
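As an added example (not from the textbook or the referenced Semeria paper), the following Python models first-match evaluation of the outside-router and inside-router rule tables above, including the inbound/outbound restriction that makes a packet arriving from the Internet with a spoofed source address a fall through to the final deny rule. Addresses a, b and the other host letters are placeholders as on the slides; "direction" is taken to mean which side of the router the packet arrived on.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source IP address (placeholder letters, as on the slides)
    sport: str      # source port
    dst: str        # destination IP address
    dport: str      # destination port
    direction: str  # "inbound" (arriving from the outer side) or "outbound"

# Rule tuple: (src, sport, dst, dport, action, direction); "*" matches anything.
# Outside packet filtering router: a = bastion host, b = public server.
OPR_RULES = [
    ("*", "*", "a", "*", "allow", "inbound"),   # internet hosts -> bastion host
    ("*", "*", "b", "*", "allow", "inbound"),   # internet hosts -> public server
    ("a", "*", "*", "*", "allow", "outbound"),  # bastion host -> internet
    ("b", "*", "*", "*", "allow", "outbound"),  # public server -> internet
    ("*", "*", "*", "*", "deny", "*"),          # deny all other packets
]
# Inside packet filtering router: only traffic to/from the bastion host crosses it.
IPR_RULES = [
    ("a", "*", "*", "*", "allow", "inbound"),   # DMZ (bastion) -> intranet only
    ("*", "*", "a", "*", "allow", "outbound"),  # intranet -> DMZ (bastion) only
    ("*", "*", "*", "*", "deny", "*"),          # deny all other packets
]

def _match(pattern, value):
    return pattern == "*" or pattern == value

def first_matching_rule(rules, pkt):
    """Return (index, action) of the first rule matching pkt, for audit trails."""
    fields = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.direction)
    for i, rule in enumerate(rules):
        patterns = rule[:4] + (rule[5],)
        if all(_match(p, v) for p, v in zip(patterns, fields)):
            return i, rule[4]
    return None, "deny"   # no rule matched at all: fail closed, never open

def filter_packet(rules, pkt):
    """Action ("allow"/"deny") the router takes for pkt under first-match semantics."""
    return first_matching_rule(rules, pkt)[1]
```

Note that an intranet host addressing the Internet directly is denied by both routers; it must use the bastion host, which is the point of the rule sets.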
Slide 14: Secure socket layer (SSL)
- SSL was invented by Netscape to make use of TCP to provide an end-to-end secure data transport service, e.g. for HTTP.
- A socket connection is set up to port 443 instead of port 80 of the Web server.
- In the URL, "https" instead of "http" is used.
- Visit: http://home.netscape.com/eng/ssl3/draft302.txt
- A TLS working group has been formed within the IETF to develop a common standard.
Slide 15: Functions of the SSL sub-protocols
- SSL handshake protocol: allows the server and the client to agree on the security parameters for subsequent data transfer.
- SSL change cipher spec protocol: changes/updates the cipher suite.
- SSL alert protocol: sends an alert message to the other side.
- SSL record protocol: provides the secure data transport service using the agreed security parameters.
Slide 16: Handshake Protocol
(a) Full version
  (1) Client sends ClientHello
  (2) Server returns ServerHello
  (3) Server sends Digital Certificates (if required)
  (4) Server sends ServerKeyExchange (if required)
  (5) Server sends CertificateRequest (if required)
  (6) Server sends ServerHelloDone
  (7) Client sends Digital Certificates (if required)
  (8) Client sends ClientKeyExchange
  (9) Client sends CertificateVerify (if required)
  (10) Client sends ChangeCipherSpec
  (11) Client sends Finished
  (12) Server sends ChangeCipherSpec
  (13) Server sends Finished
(b) Resuming a previous session
  (1) Client sends ClientHello
  (2) Server returns ServerHello
  (3) Server sends ChangeCipherSpec
  (4) Server sends Finished
  (5) Client sends ChangeCipherSpec
  (6) Client sends Finished
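As an added example (not from the textbook), this Python checker validates a recorded sequence of handshake messages against the two message orders above: "if required" messages may be omitted, but required messages may be neither skipped nor reordered, and each side's Finished must follow its ChangeCipherSpec. Message and role names are the slide's; the (sender, message) transcript format is an assumption of the example.

```python
# Template entries: (sender, message, optional). Order follows the slide.
FULL_HANDSHAKE = [
    ("client", "ClientHello", False),
    ("server", "ServerHello", False),
    ("server", "Certificate", True),          # (3) if required
    ("server", "ServerKeyExchange", True),    # (4) if required
    ("server", "CertificateRequest", True),   # (5) if required
    ("server", "ServerHelloDone", False),
    ("client", "Certificate", True),          # (7) if required
    ("client", "ClientKeyExchange", False),
    ("client", "CertificateVerify", True),    # (9) if required
    ("client", "ChangeCipherSpec", False),
    ("client", "Finished", False),
    ("server", "ChangeCipherSpec", False),
    ("server", "Finished", False),
]
RESUMED_HANDSHAKE = [
    ("client", "ClientHello", False),
    ("server", "ServerHello", False),
    ("server", "ChangeCipherSpec", False),
    ("server", "Finished", False),
    ("client", "ChangeCipherSpec", False),
    ("client", "Finished", False),
]

def matches_template(transcript, template):
    """Walk the template in order: each (sender, message) in the transcript must
    be the next required step or an optional step not yet passed. Required steps
    can be neither skipped nor reordered, and the transcript must reach the end
    of the template (possibly leaving only optional steps unsent)."""
    i = 0
    for step in transcript:
        # skip optional template steps the peer chose not to send
        while i < len(template) and template[i][2] and template[i][:2] != step:
            i += 1
        if i >= len(template) or template[i][:2] != step:
            return False
        i += 1
    return all(optional for _, _, optional in template[i:])

def classify_handshake(transcript):
    """Return "full", "resumed" or "invalid" for a list of (sender, message) tuples."""
    if matches_template(transcript, FULL_HANDSHAKE):
        return "full"
    if matches_template(transcript, RESUMED_HANDSHAKE):
        return "resumed"
    return "invalid"
```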
Slide 17: Secure System for The VBS Private Network
[Diagram. The VBS intranet sits behind a firewall; branch offices, business partners (e.g. publishers) and other systems reach it across the Internet, the labelled connections being a public IP tunnel and SSL.]