Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tunneling and Securing TCP Services Nathan Green.

Published byAugustus Patterson Modified over 9 years ago

Similar presentations

Presentation on theme: "Tunneling and Securing TCP Services Nathan Green."— Presentation transcript:

1 Tunneling and Securing TCP Services Nathan Green

2 Outline Concept of Tunneling Tunneling Protocols –SSL –SSH –SOCKS Examples of Useful Tunnels

3 Introduction Many popular protocols were designed before security became a major issue –FTP –POP –Telnet –HTTP

4 Vulnerabilities Sniffing – a problem because many protocols (SMTP, POP, HTTP, etc) transmit data in clear text. Connection hijacking – after a successful authentication, an attacker can take over the connection and initiate requests/intercept replies

5 Vulnerabilities False Authentication – many protocols rely solely on IP or domain names Data Spoofing – attackers can easily manipulate/inject packets (MitM) Implementation/configuration – misconfigured systems can put machines at risk DoS Attacks

6 Unfortunately, most companies can’t afford to discontinue the use of POP or FTP since many still use them A solution to this problem is tunneling

7 Tunneling Tunneling is the transmission of data intended for private use through a public network Tunnel: a virtual link between two network nodes Generally accomplished by encapsulating the private data and protocol information within public network packets so the private protocol appears to the public as ordinary data

8

9 Low Level Tunneling Protocols Layer 2 –L2F: Layer 2 Forwarding –PPTP: Point-To-Point Tunneling Protocol –L2TP: Layer 2 Tunneling Protocol Layer 3 –IPSec: IP Security Protocol –VTP: Virtual Terminal Protocol –ATMP: Ascend Tunnel Management Protocol

10 High-Level Tunneling Protocols SSL SSH SOCKS

11 SSL: Secure Sockets Layer Encrypts communications between Web servers and Web browsers for tunneling over the Internet. SSL alone is nothing but a handshake and encryption. Developed by Netscape for securing HTTP Not clear at what level it is implemented. Transport? Session? Application layer?

12 SSL: Secure Sockets Layer http://www.nortelnetworks.com/solutions/ip_vpn/collateral/nn102260-10802.pdf

13 SSL Architecture Has two layers of protocols...

14 SSL Architecture SSL Handshake Protocol –Negotiation of security algorithms and parameters –Key exchange –Server/client authentication SSL Alert Protocol –Error messages SSL Change Cipher Spec Protocol –A single message that indicates the end of the SSL handshake SSL Record Protocol –Fragmentation –Compression –Message authentication –Encryption

15 SSL Handshake Protocol Establishes a TCP/IP connection Client/server negotiate encryption and MAC algorithms Negotiate cryptographic keys to be used. The client and server agree on the level of security they will use

16 SSL Handshake Protocol 1)The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL. 2) The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate. INTERNET

17 Server Authentication Sample Certificate

18 5) Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection). 7) The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished. 6) The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished. SSL Handshake Protocol 3) The client creates the pre-master secret for the session, encrypts it with the server’s public key obtained from the server’s certificate, and sends it to the server Optional: Server requests client authentication: the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certificate to the server along with the encrypted pre-master secret. The server then authenticates the client 4) The server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret. Does this different ways: RSA, Fixed DH, Ephemeral DH, Anonymous DH, Fortezza INTERNET

19 In the case of server authentication, the client encrypts the pre-master secret with the server's public key. Only the corresponding private key can correctly decrypt the secret, so the client has some assurance that the identity associated with the public key is in fact the server with which the client is connected. Otherwise, the server cannot decrypt the pre-master secret and cannot generate the symmetric keys required for the session, and the session will be terminated. This is the normal operation condition of the secure channel. At any time, due to internal or external stimulus (either automation or user intervention), either side may renegotiate the connection, in which case, the process repeats itself.

20 Single message that indicates end of handshake SSL Change Cipher Spec Protocol

21 SSL Alert Protocol Fatal alerts and warnings

22 SSL Record Protocol Fragment: separated into blocks Compress MAC: Message Authentication Code, a cryptographic checksum Encrypt

23 SSL Record Protocol Format

24 Difference Between SSL and TLS Not much –TLS is the IETF protocol standard that grew out of SSL 3.0, documented by RFC 2246 –TLS doesn’t support Fortezza key exchange/encryption –More alert codes in SSL –TLS current version number is 3.1

25 SSH SSH is a protocol for secure remote login, shell, and file copying other secure network services over an insecure network Replace RSH, RCP, RLOGIN Runs at application layer Uses RSA public key cryptography Data flow directions client->server and server->client are independent, may use different algos (i.e. 3DES+SHA1 and Blowfish+MD5) Currently SSH v2 is the standard

26 SSH Components The Transport Layer Protocol provides server authentication, confidentiality, and integrity. It may optionally also provide compression. The transport layer will typically be run over a TCP/IP connection. The User Authentication Protocol authenticates the client-side user to the server. It runs over the transport layer protocol. The Connection Protocol multiplexes the encrypted tunnel into several logical channels. It runs over the user authentication protocol. –these logical channels can be used for a wide range of purposes secure interactive shell sessions TCP port forwarding

27 Difference Between SSL and SSH SSL originally intended for web sessions SSL is a drop-in which other applications run over Server authentication optional SSL alone is just a handshake and encryption SSH originally intended for replacing telnet and FTP SSH is a Swiss-army-knife designed to do many different things Server authentication required SSH alone allows you to do lots of different things http://www.rpatrick.com/tech/ssh-ssl/ http://www.snailbook.com/faq/ssl.auto.html

28 SOCKS A security protocol used to communicate through a firewall or proxy server Defined in RFC 1928

29 SOCKS When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall, it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is conventionally located on TCP port 1080. If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, then sends a relay request. The SOCKS server evaluates the request, and either establishes the appropriate connection or denies it.

30 Example of Useful Tunnels POP3 –Open a secure tunnel using SSH –Needs an accessible shell account on the server –$ ssh -L 110:mail.my.org:110 tunnel.my.org –Set mail client to query ‘localhost’ as the POP3 server IMAP –Same setup, different port number (220) Telnet –$ ssh -L 23:server.my.org:23 tunnel.my.org –$ telnet localhost

31 Alternatives IPv6 VPN IPSec

Download ppt "Tunneling and Securing TCP Services Nathan Green."

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.5 Transport Layer Security.
Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
Web security: SSL and TLS

Web security: SSL and TLS
SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.

J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.
Internet Security Protocols

Internet Security Protocols
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Securing Network Communication. 2 Security Issues in Communication Privacy  Anyone can see content Integrity  Someone might alter content Authentication.

Securing Network Communication. 2 Security Issues in Communication Privacy  Anyone can see content Integrity  Someone might alter content Authentication.
Cryptography and Network Security

Cryptography and Network Security
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Similar presentations

Ads by Google