Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP3123 Internet Security Richard Henson University of Worcester November 2010.

Published byKevin Anthony Modified over 9 years ago

Similar presentations

Presentation on theme: "COMP3123 Internet Security Richard Henson University of Worcester November 2010."— Presentation transcript:

1

2 COMP3123 Internet Security Richard Henson University of Worcester November 2010

3 Week 7: Communications: Securing LAN–LAN data using VPNs and secure protocols n Objectives:  Relate Internet security problems to the TCP/IP protocol stack  Explain Internet security solutions that use the principles of a VPN  Explain Internet security solutions at OSI levels above IP routing

4 Security and the OSI layers n Actually 7 layers in original OSI model… n Unix TCP/IP leaves out level 1 (physical) level 2 (data link), and level 5 (session) TELNETFTP NFSDNS SNMP TCP (transport) UDP IP (network) SMTP

5 TCP/IP and the Seven Layers n TCP (Transport Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers  lower layers are required to interface with IP to create/convert electrical signals  upper layers interface with TCP to produce the screen display n Each layer interface represents a potential security problem… IP hardware screen TCP

6 Intranets n Definition:  An in-house Web site that serves the employees of the enterprise. Although intranet pages may link to the Internet, an intranet is not a site accessed by the general public. n Achieved by organisations using http to share data in a www-compatible format n Implemented as:  single LAN with a web server  several interconnected LANs »cover a larger geographic area »use secure user authentication »use secure data transmission system

7 Extranets n Definition:  organisational web sites for employees and existing customers rather than the general public n An extension of the Intranet to cover selected trusted “links”  e.g. for an organisation the “trusted” links might be to customers and business partners  uses the public Internet as its transmission system, but requires passwords to gain access n Can provide access to:  paid research  current inventories  internal databases  OR virtually any information that is private and not published for everyone

8 Issues in creating an Extranet n As with the Intranet, use of public networks means that security must be handled through the appropriate use of secure authentication and transmission technologies… n Private leased lines between sites do not need to use http, etc.  therefore more secure, but expensive (BALANCE) n If using the Internet…  can use client-server web applications across different sites  BUT security issues need resolving

9 Securing Authentication through Extranets n Kerberos and trusted domains…  Windows 2000 Solution: n Potential security problem…  several TCP ports used for e.g. Kerberos authentication when establishing a session… n Solution:  firewall configured to allow relevant ports to be opened only for “trusted” hosts

10 Securing Sharing of Data through Extranets n An Extranet client uses the web server & browser for user interaction  standard level 7 www protocol to display html data n Raw HTML data will pass through the firewall to the Internet  could be “sensitive” for the organisation… n Under IETF guidance, developers came up with RFCs for a secure version of http…  standardised as http-s (secure http)

11 The Internet generally uses IP - HOW can data be secured? 2010: more than 600 million hosts!

12 Securing the Extranet n Problem:  IP protocol sends packets off in different directions according to: »destination IP address »routing data  packets can be intercepted/redirected n Solution:  secure level 7 application layer www protocols developed »https: ensure that pages are only available to authenticated users »ssh : secure download of files »sftp: as above  secure level 4 transport (TLS) protocol to restrict use of IP navigation to only include secure sites n Protection against interception at lower OSI layers  Virtual Private Networks: use of level 2 & 3

13 SSH (Secure Shell) n Designed 1995, University of Helsinki, for secure file transfer SSH-1  server listens on TCP port 22  runs on a variety of platforms n Enhanced version SSH-2  using the PKI  including digital certificates  RFC 4252 – recent, 2006 n By contrast, Telnet and FTP:  can use authentication  BUT DO NOT use encrypted text…

14 Secure http (http-s) n IETF set up WTS (Web Transaction Security) in 1995 to:  look at proposals for a secure version of http  ensure secure embedding of any emerging protocol with HTML n Proposals agreed in 1999  defined as: »RFC #2659 – secure HTML documents »RFC #2660 – the secure protocol itself

15 More about Secure http n Modification of http:  works with Netscape’s SSL/TLS and the PKI  ensures security of HTML data sent through the Internet n When a browser requests a web page…  normally, just downloaded  HOWEVER, if the page is held on a HTTP-S server it must be downloaded using the https protocol »will ONLY be downloaded and displayed if its URL has been authenticated and certificated n Authentication handled by a PKI-affiliated body (e.g. Verisign)  therefore considered to be very secure

16 SSL (Secure Sockets Layer) n Developed by Netscape in 1995  so browsers could participation in secure Internet transactions  soon became most commonly used protocol for e- commerce transactions  still not been accessed by hackers (so far…) n Excellent upper layer security:  RSA public key en/decryption of http packets at the session layer (OSI 5) before sending/after receiving between Internet hosts  PKI-compatibility means that digital certificates are supported as well

17 Extending SSL n SSL standard submitted by Netscape to IETF for further development  working party set up in 1996  worked with Netscape to standardise SSL v3.0 »RFC draft same year  agreed standard RFC #2246: TLS (Transport Layer Security) n TLS was the result of IETF development of components of Netscape’s SSL lower down the OSI layers »SSL – level 5 »TLS – level 4

18 Secure HTTP, SSL and TLS n Together, HTTPS/SSL/TLS can provide a secure interface between TCP (level 4) and HTML (level 7)  very secure conduit for message transfer across the Internet…

19 VPNs: restricted use of the Physical Internet VPN shown in green

20 VPNs (Virtual Private Networks) n Two pronged defence:  physically keeping the data away from unsecured servers… »several protocols available for sending packets along a pre-defined route  data encapsulated and encrypted so it appears to travel as if on a point-point link but is still secure even if intercepted n Whichever protocol is used, the result is a secure system with pre-determined pathways for all packets

21 Principles of VPN protocols n The tunnel the private data is encapsulated n The tunnel - where the private data is encapsulated n The VPN connection - where the private data is encrypted

22 Principles of VPN protocols n To emulate a point-to-point link:  data encapsulated, or wrapped, with a header »provides routing information »allows packets to traverse the shared public network to its endpoint n To emulate a private link:  data encrypted for confidentiality n Any packets intercepted on the shared public network are indecipherable without the encryption keys…

23 Potential weakness of the VPN n Once the data is encrypted and in the tunnel it is very secure n BUT  to be secure, it MUST be encrypted and tunnelled throughout its whole journey  if any part of that journey is outside the tunnel… »e.g. network path to an outsourced VPN provider »obvious scope for security breaches

24 Using a VPN as part of an Extranet

25 Using a VPN for point-to-point

26 Using a VPN to connect a remote computer to a Secured Network

27 VPN-related protocols offering even greater Internet security n Two possibilities are available for creating a secure VPN:  Layer 3: »IPsec – fixed point routing protocol  Layer 2 “tunnelling” protocols »encapsulate the data within other data before converting it to binary data: n PPTP (Point-point tunnelling protocol) n L2TP (Layer 2 tunnelling protocol)

28 IPsec n First VPN system  defined by IETF RFC 2401  uses ESP (encapsulating security protocol) at the IP packet level n IPsec provides security services at the IP layer by:  enabling a system to select required security protocols (ESP possible with a number of encryption protocols)  determining the algorithm(s) to use for the chosen service(s)  putting in place any cryptographic keys required to provide the requested services

29 More about IPSec in practice n Depends on PKI for authentication  both ends must be IPSec compliant, but not the various network systems that may be between them… n Can therefore be used to protect paths between  a pair of hosts  a pair of security gateways  a security gateway and a host n Can work with IPv4 and IPv6

30 PPTP n Sponsored by Microsoft  proposal submitted for consideration by IETF n Extension of PPP  Uses PPP authentication and Microsoft’s own encryption  allow organisations to extend their own corporate network by using private “tunnels” over public Internet  effectively using WAN as a single large LAN n Claimed to provide a secure connection over public networks  but not universally accepted as secure…

31 L2TP n Microsoft hybrid of:  their own PPTP  CISCO’s L2F (layer 2 forwarding) n With L2TP, IPSec is optional:  like PPTP: »it can use PPP authentication and access controls (PAP and CHAP!) »It uses NCP to handle remote address assignment of remote client  as no IPSec, no overhead of reliance on PKI

32 Implementation of Secure HTTP n Like http, http-s is a client-server protocol  Server end: »PKI-compliant Web Server configured to provide https access »valid server certificate to authenticate server to client  Client end »browser needs to be able to identify & authenticate secure http traffic: n URL header https:// n “lock” sign at bottom of screen

33 Configuring a Web Server for https… n Any properly configured web server will offer unsecured links to many www pages (http) n A secure web server can ADDITIONALLY offer secure links to specified folders (https)  BUT… it must first acquire that PKI server certificate from e.g. Verisign or an affiliate…  the server certificate needs to be viewable by a client browser to verify trust in the web page provider

34 IIS Configuration to support SSL and https n A “wizard” drives the whole process  need administrator access to IIS in “webserver” mode  access the “directory security” tab  click on “server certificate”… »and the process begins n Once IIS has downloaded & installed that server certificate, developments of a secure website can begin in specific folders

35 Web Server Configuration for client-end https n IF the webserver is properly configured for https…  IS username/password protected  HAS a Server Certificate… »viewable by client browsers not revoked or out of date n THEN, via username/password authentication  browser will allow https access via the web  “lock” symbol appears below the web page display »click on “lock” symbol for server certificate details n Otherwise, a “not authorised” message will be displayed

36 The Server Certificate n Both encryption and identity checking require the owner of the server to obtain and install a Digital SSL (Server) Certificate  more expensive than a personal certificate  Verisign again a suitable source… n SSL Certificate has to be:  downloaded from source website  installed onto the relevant web server  authenticated by a named individual (administrator?) at the server end

37 Ways to “sign” an SSL Certificate n Three possibilities:  Commercial »usually recognised silently by browsers, with no pop-up or alert  Self-signing »almost always produce an alert on the browser »shows the identity asserted (but not proved) by the server owner »the user is likely to be offered the option to recognise this certificate in future (effectively silencing the alert)  Organisation-signed »also likely to result in an alert that names the organisation »an organisation with an existing relationship with most of its users can instruct them to configure their browsers to silently recognise certificates signed by their own organisation

Download ppt "COMP3123 Internet Security Richard Henson University of Worcester November 2010."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Jacob Boston Josh Pfeifer. Definition of HyperText Transfer Protocol How HTTP works How Websites work GoDaddy.com OSI Model Networking.

Jacob Boston Josh Pfeifer. Definition of HyperText Transfer Protocol How HTTP works How Websites work GoDaddy.com OSI Model Networking.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Remote Networking Architectures

Remote Networking Architectures
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
1 © J. Liebeherr, All rights reserved Virtual Private Networks.

1 © J. Liebeherr, All rights reserved Virtual Private Networks.

Similar presentations

Ads by Google