
CISC 210 - Class Today
R. Smith - University of St Thomas - Minnesota, March 2005


1 CISC 210 - Class Today
Homework Reminders
Recap
Finish up Public Key Crypto
Firewalls
Firewall Lab

2 Homework Reminders
DUE TODAY: Lab and Diagrams
DUE Monday: Project Outline
–Requirements/Grading Rubric are posted on the Web
DUE Following Monday: A10 Lab (Firewall)

3 Recap: IP Security Protocol – IPSEC
Security protection that’s IP routable
We authenticate the IP addresses
We encrypt everything inside the IP header

4 Recap: Public Key Encryption
Uses a pair of keys: the Private Key and the Public Key
Usually, one key of the pair decrypts what the other key encrypts, and vice versa
“Asymmetric Encryption”
[Diagram: Clear Text → Encryption Procedure (Public Key) → Cipher Text → Decryption Procedure (Private Key) → Clear Text]

5 Public Key cryptography
First successful version: Diffie Hellman
‘Distributive property’ of exponents
–(B^X)^Y = (B^Y)^X
Or, in Diffie-Hellman:
–(B^X mod M)^Y mod M = (B^Y mod M)^X mod M
–X is the Private Key; (B^X mod M) is the Public Key
Why is it secure? Because…
–(B^X mod M) * (B^Y mod M) mod M != (B^Y mod M)^X mod M
–Modulus makes it impractical to reverse
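The exchange on this slide, worked through with toy-sized numbers as an added example (this is not code from the slides; the base B, modulus M and the two private exponents are constructed for illustration, and a real exchange uses a prime modulus of 2048 bits or more). It shows both users arriving at the same secret, and that simply multiplying the two published values, the slide's "!=" line, does not produce it:

```python
# Added example (not from the slides): Diffie-Hellman with toy-sized numbers.
# B, M and the private exponents below are constructed for illustration;
# a real exchange uses a prime modulus of 2048 bits or more.
B = 5    # public base
M = 23   # public prime modulus

def public_key(private_exponent, base=B, modulus=M):
    """B^X mod M: the value a D-H user publishes. X itself stays private."""
    return pow(base, private_exponent, modulus)

def shared_secret(my_private, their_public, modulus=M):
    """(their_public)^my_private mod M, i.e. (B^Y mod M)^X mod M.
    Both users get the same number because (B^X)^Y = (B^Y)^X."""
    return pow(their_public, my_private, modulus)

def observer_product(pub_a, pub_b, modulus=M):
    """What someone who only saw the two public values gets by multiplying them.
    The slide's point: this is NOT the shared secret, and at real key sizes the
    modulus makes recovering X or Y from B^X mod M impractical."""
    return (pub_a * pub_b) % modulus

def run_exchange(x=6, y=15):
    """Simulate one exchange; returns (pub_x, pub_y, secret_x, secret_y, product)."""
    pub_x = public_key(x)                 # user 1 publishes 5^6 mod 23
    pub_y = public_key(y)                 # user 2 publishes 5^15 mod 23
    secret_x = shared_secret(x, pub_y)    # user 1 computes (5^15 mod 23)^6 mod 23
    secret_y = shared_secret(y, pub_x)    # user 2 computes (5^6 mod 23)^15 mod 23
    return pub_x, pub_y, secret_x, secret_y, observer_product(pub_x, pub_y)

if __name__ == "__main__":
    print(run_exchange())   # (8, 19, 2, 2, 14): same secret on both sides, product differs
```

Only the public values 8 and 19 travel over the network; each side combines the other's public value with its own private exponent, which is exactly the "other user's PUBLIC key with my PRIVATE key" rule on a later slide.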

6 RSA
More flexible variant
–Basic Math: Given M, M^y = Ciphertext; M = (M^y)^-y
–y = Public Key; -y = Private Key (inverse of public key)
–RSA uses “Modular Inverse” instead of simple inverse
Multiply two primes P x Q
–Product is the Modulus, part of the published key
–2 other numbers form rest of the key
“Public” exponent “E” (often 3 or 65537)
“Private” inverse “D” (computed from P, Q, and E)
Works in both directions – encrypt and decrypt

7 Using Public Key
Diffie Hellman
–I can share one secret with another D-H user
–I use the other user’s PUBLIC key with my PRIVATE key
RSA
–If I have a user’s PUBLIC key, I can send them a secret
  –I encrypt the secret with THEIR public key
  –They decrypt with their own private key
–I can use my PRIVATE key to “sign” things
  –I encrypt a hash (checksum) with my PRIVATE key
  –Others can check the result with my PUBLIC key
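Slides 6 and 7 together, as an added example rather than the slides' own code: textbook RSA built from two primes and a public exponent E, with D as the modular inverse, then used in both directions, once to send a secret with the recipient's public key and once to sign a hash with the private key. The primes P = 61, Q = 53 and E = 17 are constructed for illustration; real keys use primes of about 1024 bits each and a padding scheme that this toy omits.

```python
import hashlib

# Added example (not from the slides): textbook RSA with toy primes.
# P, Q and E are constructed for illustration; real keys use ~1024-bit primes
# and padding (OAEP for encryption, PSS for signatures) that this toy omits.

def make_keypair(p, q, e):
    """Modulus n = P*Q is published with E; D is the modular inverse of E
    mod (P-1)(Q-1), the 'inverse' exponent the slide calls the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)

def encrypt(m, public_key):
    """Sender uses the recipient's PUBLIC key: c = m^E mod n."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(c, private_key):
    """Recipient uses their own PRIVATE key: m = c^D mod n."""
    n, d = private_key
    return pow(c, d, n)

def digest(message, n):
    """Hash (checksum) of the message, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """'Encrypt' the hash with the PRIVATE key: s = H(m)^D mod n."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """Anyone holding the PUBLIC key checks s^E mod n == H(m)."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    pub, priv = make_keypair(61, 53, 17)      # n = 3233, D = 2753
    c = encrypt(65, pub)                      # 2790
    print(c, decrypt(c, priv))                # 2790 65
    s = sign(b"pay $10", priv)
    print(verify(b"pay $10", s, pub))                      # True
    print(verify(b"pay $10", (s + 1) % pub[0], pub))       # False: altered signature
```

The same `pow(x, exponent, n)` call does all four jobs; which key is used and who holds it is what turns it into confidentiality (public key in, private key out) or authenticity (private key in, public key out).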

8 IKE – Internet Key Exchange
Sets Up “Security Associations” for IPSEC
–Assigns SPIs to connections between crypto
–Negotiates crypto selection and establishes secret keys

9 How IKE Works
Phase 1: Establish a shared secret (Diffie Hellman)
–Set up the shared secret
–Authenticate each other
  –How? Shared secrets or public keys
  –“Challenge Response” protocols (next slide)
Phase 2: Negotiate or update an association
–One asks for an association, specifying an SPI
–The other says what crypto it supports
–They agree on crypto to use
–One provides a shared secret from which they produce keys

10 Challenge Response Protocols
Bob says “I’m Bob”
Alice says, “Prove it with this nonce: 1928”
Bob encrypts it
Alice verifies the encrypted nonce
Crypto alternatives
–Use a shared secret
–Use public/private key pairs
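The shared-secret variant of this exchange, with both sides' messages, as an added example that is not from the slides. In place of "Bob encrypts it" the prover applies a keyed hash (HMAC) to the nonce, which is the usual way a shared secret is used for this step; the key is a constructed demo value. It also shows the check a verifier needs beyond comparing the answer: a nonce is accepted once and then discarded, so a recorded response cannot be replayed.

```python
import hmac
import hashlib
import secrets

# Added example (not from the slides): shared-secret challenge-response.
# Bob proves he holds the key by applying HMAC-SHA256 to Alice's nonce; this
# stands in for the slide's "Bob encrypts it". The key is a constructed value.
SHARED_KEY = b"constructed-demo-key-for-bob"

def prover_response(key, nonce):
    """Bob's side: transform the nonce with the shared secret."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class Verifier:
    """Alice's side: issues a fresh nonce per claim and checks the response once."""
    def __init__(self, key):
        self.key = key
        self.outstanding = {}      # claimed identity -> nonce awaiting a response

    def challenge(self, claimed_identity, nonce=None):
        """'Prove it with this nonce'. Random unless a nonce is supplied (for the demo)."""
        nonce = nonce or secrets.token_hex(8)
        self.outstanding[claimed_identity] = nonce
        return nonce

    def verify(self, claimed_identity, response):
        """Accept only if the response matches the HMAC of the nonce we issued,
        then forget the nonce so the same response cannot be replayed."""
        nonce = self.outstanding.pop(claimed_identity, None)
        if nonce is None:
            return False           # no outstanding challenge: replay or bogus claim
        expected = prover_response(self.key, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def run_protocol(key_bob_holds=SHARED_KEY, nonce="1928"):
    """Walk through the exchange; returns (first_attempt, replay_attempt)."""
    alice = Verifier(SHARED_KEY)
    n = alice.challenge("Bob", nonce)             # Alice: "Prove it with this nonce: 1928"
    answer = prover_response(key_bob_holds, n)     # Bob: nonce transformed with his key
    first = alice.verify("Bob", answer)            # Alice verifies it
    replay = alice.verify("Bob", answer)           # same answer again: nonce already consumed
    return first, replay

if __name__ == "__main__":
    print(run_protocol())                          # (True, False)
    print(run_protocol(key_bob_holds=b"wrong"))    # (False, False)
```

The nonce is what makes the exchange worth more than sending the secret itself: the transformed value is only good for the one challenge Alice issued, and she never learns anything she could not already compute.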

11 Firewalls
Objectives
Types of firewall traffic control
Firewall Filtering
Network Address Translation
The Lab

12 Firewall objectives
Provide outbound Internet access
Restrict/forbid inbound connections
Detect and block malicious traffic

13 Types of firewall traffic control
Service control (allow specific protocols)
–Block unauthorized protocols
–Permit authorized ones
–Actually very hard to do
Direction control (in/out)
–Allow outbound browsing
–Restrict access to internal servers
User control (source/destination)
–User authorization, or perhaps subnet filtering
Behavior control
–Bandwidth, application-specific cases
–Look in e-mail for malware
–Filter access to Web sites (China, Saudi, …)

14 Network Access Architectures (Oct 2001)
[Diagram, three panels, each connecting the Internet to the Internal Network:
–Routers: Router only
–Screened Subnet (Basic): Router, Bastion Host on a Screened Subnet, Router
–Dual-Homed Gateway (Sophisticated): Router, Dual-Homed Firewall]

15 Types of Firewall Filtering
Packet Filtering: based on packet header (Unsophisticated)
Circuit Filtering: restricts connections (Common)
Application Proxy: restricts based on general policy (Refined)
[Diagram: packet layout IP Header | TCP Header | Appl. Header | User Data, where TCP Data = TCP Header + Application Data; packet filtering looks at the headers, circuit filtering adds connection state, application proxying adds connection state + application state]

16 Firewalls in Different Strengths
[Diagram: three firewall types by protocol layer, facing the INTERNET:
–Packet Filter: control based on Source / Destination Internet Addresses (layers: IP, Link)
–Circuit Gateway: hides Internal Network Details (layers: TCP/UDP, IP, Link)
–Application Gateway: control based on Application Type and Content (layers: Application, TCP/UDP, IP, Link)]
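Slides 13, 15 and 16 describe the first two strengths in words; the following added example (not code from the slides) puts them together in a toy filter: header-based service control on destination port, direction control between an internal range and the Internet, and the circuit-level "connection state" that lets a server's reply back in while an unsolicited packet to the same host is dropped. The 10.0.0.0/24 internal range, the port lists and the sample packets are constructed.

```python
from dataclasses import dataclass

# Added example (not from the slides): a toy filter combining packet filtering
# (header fields), direction control and circuit-style connection state.
# The "internal" 10.0.0.0/24 range, the ports and the packets are constructed.
INTERNAL_PREFIX = "10.0.0."

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool       # True for a connection-opening TCP segment

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

class Firewall:
    def __init__(self, outbound_services, published_servers):
        self.outbound_services = set(outbound_services)   # service control: ports insiders may reach
        self.published_servers = set(published_servers)   # (ip, port) pairs outsiders may reach
        self.connections = set()                          # circuit state: admitted endpoint pairs

    @staticmethod
    def _key(pkt):
        # Same key for both directions of one connection
        return frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})

    def filter(self, pkt):
        outbound = is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip)
        inbound = is_internal(pkt.dst_ip) and not is_internal(pkt.src_ip)
        if not (outbound or inbound):
            return "DROP"                     # direction control: nothing else transits the firewall
        if self._key(pkt) in self.connections:
            return "ALLOW"                    # circuit state: part of a connection already admitted
        if not pkt.syn:
            return "DROP"                     # mid-connection packet for a connection we never saw
        if outbound and pkt.dst_port in self.outbound_services:
            self.connections.add(self._key(pkt))   # remember it so the replies can come back
            return "ALLOW"
        if inbound and (pkt.dst_ip, pkt.dst_port) in self.published_servers:
            self.connections.add(self._key(pkt))
            return "ALLOW"
        return "DROP"                         # unauthorized service or unpublished internal host

def run_sample():
    """Run constructed packets through the filter; returns the decision for each."""
    fw = Firewall(outbound_services={80, 443}, published_servers={("10.0.0.2", 25)})
    sample = [
        Packet("10.0.0.5", 51000, "203.0.113.9", 80, syn=True),     # insider browses out
        Packet("203.0.113.9", 80, "10.0.0.5", 51000, syn=False),    # web server replies
        Packet("203.0.113.9", 80, "10.0.0.6", 51000, syn=False),    # "reply" nobody asked for
        Packet("198.51.100.4", 40000, "10.0.0.2", 25, syn=True),    # mail to the published server
        Packet("10.0.0.2", 25, "198.51.100.4", 40000, syn=False),   # mail server answers
        Packet("198.51.100.4", 40001, "10.0.0.5", 445, syn=True),   # connection to an internal host
        Packet("10.0.0.5", 51001, "203.0.113.9", 23, syn=True),     # telnet out: not an allowed service
    ]
    return [fw.filter(p) for p in sample]

if __name__ == "__main__":
    print(run_sample())   # ['ALLOW', 'ALLOW', 'DROP', 'ALLOW', 'ALLOW', 'DROP', 'DROP']
```

Note what the state table buys: without it the reply on line two could only be admitted by a blanket rule for inbound packets from port 80, which would also admit line three. An application gateway (the third strength) would go further and inspect what is inside those admitted connections, which this toy does not attempt.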

17 Proxies for the Application Gateway
[Diagram: M. A. Proxy]
Proxies are small (less than 2000 lines of code), “minimal and modular”

18–20 Proxies for the Application Gateway (diagram built up over three slides)
[Diagram: CLIENT sends User’s requests to the M. A. Proxy; the proxy forwards the user’s requests to the SERVER; the application output comes back to the proxy and is forwarded to the CLIENT; logs are maintained by the proxy]

21 Internet Firewall
[Diagram: Application Level Gateway with one Ethernet Card on the Public Network side (Router to the Internet) and one on the Private Network side; Audit Logs; proxies for nntp, http, smtp, telnet, ftp, X11, snmp and rlogin]

22 Issues with using Firewalls
All firewalls are NOT created equal
–Type and rigor of controls
–OS security
Correct configuration is critical for any Firewall
–Many attacks exploit insecure default configurations
Firewalls, even when functioning correctly, open BIG holes in the security perimeter
–World-Wide Web (HTTP)
–Active content (Java, JavaScript, ActiveX)

23 Network Address Translation
Original purpose: more hosts & addresses
–Let “insiders” use restricted addresses
–Translate them on the way out
A ‘multiplexing’ mechanism
–Users share a “real” Internet address
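The multiplexing this slide describes, as an added example that is not from the slides: a translation table that rewrites each insider's restricted source address to one shared public address and a distinct public port, and maps replies back. The public address 198.51.100.1, the 192.168.1.x hosts and the port range are constructed values.

```python
# Added example (not from the slides): a toy port-multiplexing NAT table.
# The public address, the internal hosts and the port range are constructed.

class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (inside_ip, inside_port) -> public port
        self.inbound_map = {}    # public port -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an insider's restricted source address to the shared public one,
        allocating a fresh public port the first time this inside endpoint is seen."""
        inside = (src_ip, src_port)
        if inside not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[inside] = port
            self.inbound_map[port] = inside
        return (self.public_ip, self.outbound_map[inside], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Map a packet addressed to one of our public ports back to the insider.
        Returns None when nothing maps: an unsolicited packet has nowhere to go,
        which is why NAT by itself behaves like a basic inbound block."""
        inside = self.inbound_map.get(dst_port)
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])

def run_sample():
    """Two insiders using the same local port share one public address."""
    nat = Nat("198.51.100.1")
    a = nat.translate_outbound("192.168.1.10", 51000, "203.0.113.9", 80)
    b = nat.translate_outbound("192.168.1.11", 51000, "203.0.113.9", 80)
    reply_a = nat.translate_inbound("203.0.113.9", 80, a[1])   # server answers host .10
    stray = nat.translate_inbound("203.0.113.9", 80, 40999)    # port never handed out
    return a, b, reply_a, stray

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Because the only thing distinguishing the two insiders on the outside is the public port, the table must never hand the same port to two inside endpoints at once, and the mapping stays a per-connection secret of the firewall, which is the "hides internal network details" property of the earlier slide.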

24 Firewalls and LAN support
Provide a few standard LAN services
–Router connection
–DHCP
–Network Address Translation

25 Firewall Lab
Overview
–Rewire the lab to use the firewall
–Map the rewired lab
–Demonstrate host blocking through the firewall
–Demonstrate NAT through the firewall

26 That’s it
Questions?
Creative Commons License: This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

