Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP3371 Cyber Security Richard Henson University of Worcester November 2015.

Published byGeraldine Townsend Modified over 9 years ago

Similar presentations

Presentation on theme: "COMP3371 Cyber Security Richard Henson University of Worcester November 2015."— Presentation transcript:

1

2 COMP3371 Cyber Security Richard Henson University of Worcester November 2015

3 Week 6: Securing LAN–LAN data using Firewalls, VPNs, etc. n Objectives:  Relate Internet security to the TCP/IP protocol stack  Explain principles of firewalling  Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall  Explain Internet security solutions that use the principles of a VPN

4 Security and the OSI layers n Simplified TCP/IP n Leaves out level 1 (physical) level 2 (data link), and combines levels 5/6/7) TELNETFTP NFSDNS SNMP TCP UDP IP (network) SMTP

5 TCP/IP and the Seven Layers n TCP (Transport Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers  upper layers interface with TCP to produce the screen display  lower layers required to interface with IP to create/convert electrical signals n Each layer interface represents a potential security problem (!) IP hardware screen TCP

6 Intranet n Misunderstood term  achieved by organisations using http to share data internally in a www-compatible format  Many still call a protected file structure on its own an Intranet… (technically incorrect!)  uses secure user authentication  uses secure data transmission system n Implemented as EITHER:  single LAN (domain) with a web server  several interconnected LANs (trusted domains) »cover a larger geographic area

7 Extranet n An extension of the Intranet to cover selected trusted “links”  e.g. for an organisation the “trusted” links might be to customers and business partners  uses the public Internet as its transmission system  requires authentication to gain access n Can provide TCP/IP access to:  paid research  current inventories  internal databases  OR virtually any information that is private and not published for everyone

8 Issues in creating an Extranet n Public networks…  Security handled through appropriate use of secure authentication & transmission technologies… n If using the Internet…  client-server web applications across different sites  BUT security issues need resolving n Private leased lines between sites do not need to use http, etc.  more secure, but expensive (BALANCE)

9 Securing Authentication through Extranets n Kerberos and trusted domains…  Windows networks… n BUT…  several TCP ports used for authentication when establishing a session… n Solution:  firewall configured to allow relevant ports to be opened only for “trusted” hosts

10 Securing Sharing of Data through Extranets n Extranet client uses the web server & browser for user interaction  standard http protocol to display html data n Raw HTML data will pass through the firewall (port 80) to the Internet  could be “sensitive data” for the organisation… n Under IETF guidance, Netscape ~ SSL with secure version of http…  standardised as http-s (secure http) on port 443

11 The Internet generally uses IP - HOW can data be secured? 2015: more than a billion hosts!

12 Securing the Extranet n Problem:  IP protocol sends packets off in different directions according to: »destination IP address »routing data  packets can be intercepted/redirected n One solution: »secure level 7 application layer www protocols developed n https: ensure that pages are only available to authenticated users n ssh : secure download of files »secure level 4 transport (TLS) protocol to restrict use of IP navigation to only include secure sites n What about penetration through other protocols, working at different OSI layers?

13 Other Secure level 7 protocols n Telnet and FTP:  can use authentication  BUT DO NOT use encrypted text… n SSH (Secure Shell)  SSH-1 1995, University of Helsinki, secure file transfer »uses TCP port 22 »runs on a variety of platforms  Enhanced version SSH-2 »using the PKI »including digital certificates »RFC 4252 – recent, 2006

14 ... ROUTER – no packet filtering INTERNET/EXTERNAL NETWORK Internal Network Unsecured LAN-Internet Connection: Router Only

15 An Unsecured LAN-Internet Connection via Router router Layer 3 Layer 1 Layer 2 Layer 3 Layer 2 Layer 1 Data through unchanged

16 Lower OSI layers security (Stage 1) n Simple Firewall…  use packet filtering  IP address-based »Fooled by “IP spoofing”

17 Creating a “Secure Site”? n To put it bluntly…  secure site is a LAN that provides formidable obstacles to potential hackers  keeps a physical barrier between local server and the internet n Physical barrier linked through an intermediate computer called a Firewall or Proxy Server  may place unnecessary restrictions on access  security could be provided at one of the seven layers of the TCP/IP stack

18 ... FIREWALL – packet filtering INTERNET/EXTERNAL NETWORK Internal Network Unsecured LAN-Internet Connection: Firewall

19 An Unsecured LAN-Internet Connection via Firewall n IP filtering will slow down packet flow… n Also…  request by a LAN client for Internet data across a router reveals the client IP address »generally a desired effect…. n “local” IP address must be recorded on the remote server n picks up required data & returns it via the router and server to the local IP address »problem – could be intercepted, and future data to that IP address may not be so harmless…

20 An Unsecured LAN-Internet Connection via Router n Another problem: wrath of IANA  IP address awarding & controlling body  big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated… n Safeguard:  use DHCP (dynamic host configuration protocol)  allocate client IP from within a fixed range allocated to that domain by IANA

21 ... GATEWAY – packet conversion INTERNET/EXTERNAL NETWORK Internal Network A LAN-Internet connection via Gateway e.g. TCP/IP local protocol

22 A LAN-Internet connection via Gateway n At a gateway, processing can be at higher OSI levels:  >= level 4 n Local packets converted into other formats…  remote network does not have direct access to the local machine  IP packets only recreated at the desktop  local client IP addresses therefore do not need to comply with IANA allocations

23 ... Proxy Server – local IP addresses INTERNET/EXTERNAL NETWORK Internal Network A LAN-Internet connection via Proxy Server e.g. TCP/IP local protocol

24 The Proxy Server n Acts like a Gateway in some respects:  provides physical block between external and internal networks n But can still use the same protocol (e.g. TCP/IP), and can cache web pages for improved performance

25 Firewall Configuration n Blocks data via TCP port (logical)  used by each application protocol connects to TCP  all ports blocked… no data gets through n Configuration  includes which ports to block as well as which IP addresses to block…  Includes auditing of packets

26 VPNs: OSI levels 1-3: restricted use of the Physical Internet VPN shown in green

27 VPNs (Virtual Private Networks) n Two pronged defence:  physically keeping the data away from unsecured servers… »several protocols available for sending packets along a pre-defined route  data encapsulated and encrypted so it appears to travel as if on a point-point link but is still secure even if intercepted n Whichever protocol is used, the result is a secure system with pre-determined pathways for all packets

28 Principles of VPN protocols n The tunnel the private data is encapsulated n The tunnel - where the private data is encapsulated n The VPN connection - where the private data is encrypted

29 Principles of VPN protocols n To emulate a point-to-point link:  data encapsulated, or wrapped, with a header »provides routing information »allows packets to traverse the shared public network to its endpoint n To emulate a private link:  data encrypted for confidentiality n Any packets intercepted on the shared public network are indecipherable without the encryption keys…

30 Potential weakness of the VPN n Once the data is encrypted and in the tunnel it is very secure n BUT  to be secure, it MUST be encrypted and tunnelled throughout its whole journey  if any part of that journey is outside the tunnel… »e.g. network path to an outsourced VPN provider »obvious scope for security breaches

31 Using a VPN as part of an Extranet

32 Using a VPN for point-to-point

33 Using a VPN to connect a remote computer to a Secured Network

34 VPN-related protocols offering even greater Internet security n Two possibilities are available for creating a secure VPN:  Layer 3: »IPsec – fixed point routing protocol  Layer 2 “tunnelling” protocols »encapsulate the data within other data before converting it to binary data: n PPTP (Point-point tunnelling protocol) n L2TP (Layer 2 tunnelling protocol)

35 IPsec n First VPN system  defined by IETF RFC 2401  uses ESP (encapsulating security protocol) at the IP packet level n IPsec provides security services at the IP layer by:  enabling a system to select required security protocols (ESP possible with a number of encryption protocols)  determining the algorithm(s) to use for the chosen service(s)  putting in place any cryptographic keys required to provide the requested services

36 More about IPSec in practice n Depends on PKI for authentication  both ends must be IPSec compliant, but not the various network systems that may be between them… n Can therefore be used to protect paths between  a pair of hosts  a pair of security gateways  a security gateway and a host n Can work with IPv4 and IPv6

37 Layer 2 Security: L2TP n Microsoft hybrid of:  their own PPTP  CISCO’s L2F (layer 2 forwarding) n With L2TP, IPSec is optional:  like PPTP: »it can use PPP authentication and access controls (PAP and CHAP!) »It uses NCP to handle remote address assignment of remote client  as no IPSec, no overhead of reliance on PKI

Download ppt "COMP3371 Cyber Security Richard Henson University of Worcester November 2015."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.

Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?

Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Remote Networking Architectures

Remote Networking Architectures
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Similar presentations

Ads by Google