
Computer Networks 13 Security in the Internet IPSec SSLTLS PGP VPN and Firewalls




TCE 2321 Computer Networks Lecture 13

Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls (Chapter 32)

Figure 32.1 Common structure of three security protocols

• In the IP, TCP & SMTP protocols, (1) a MAC needs to be created; (2) the message needs to be encrypted.
• Alice & Bob need to know several pieces of information, the security parameters, before they can send secured data to each other.

32-1 IPSecurity (IPSec)

IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.

Figure 32.2 TCP/IP protocol suite and IPSec

Topics discussed in this section:
• Two Modes
• Two Security Protocols
• Security Association
• Internet Key Exchange (IKE)

Figure 32.3 Transport mode and tunnel modes of IPSec protocol


• Transport mode: the IPSec header & trailer are added to the information coming from the transport layer; the IP header is added later.
• Tunnel mode: IPSec protects the entire IP packet. It takes an IP packet, including the header, applies IPSec security methods to the entire packet & then adds a new IP header.

Figure 32.4 Transport mode in action

• Transport mode is normally used when host-to-host (end-to-end) protection of data is needed.
• Sending host: uses IPSec to authenticate and/or encrypt the payload delivered from the transport layer.
• Receiving host: uses IPSec to check the authentication and/or decrypt the IP packet & deliver it to the transport layer.

IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer.


Figure 32.5 Tunnel mode in action

Tunnel mode is normally used between (1) 2 routers; (2) a host & a router; (3) a router & a host. In other words, it is used when either the sender or the receiver is not a host.

IPSec in tunnel mode protects the original IP header.


Figure 32.6 Security Protocols (1): Authentication Header (AH) Protocol in transport mode

The AH Protocol provides source authentication and data integrity, but not privacy.

Figure 32.7 Security Protocols (2): Encapsulating Security Payload (ESP) Protocol in transport mode

ESP provides source authentication, data integrity, and privacy.

Table 32.1 IPSec services

Table 32.1 shows the list of services available for AH & ESP.

Figure 32.8 Security Association (SA): Simple inbound and outbound security associations

• Alice wants to have an association with Bob for use in a 2-way communication.
• Alice & Bob can have: an outbound association; an inbound association.
• The security associations are reduced to 2 small tables for Alice & Bob.

Figure 32. Internet Key Exchange Exchange IKE!*  I&E components

I6E cre!tes Ss *or IPSec 11

Table 32.2 Addresses for private networks

Private network: is designed for use inside an organization; allows access to shared resources & provides privacy.

Figure 32.10 Private network

• The LANs at different sites are connected to each other by using routers & leased lines.
• In Figure 32.10, the LANs are connected to each other by routers & 1 leased line.
• A private internet (totally isolated from the global internet) has been created.
• The organization does not need to apply for IP addresses with the Internet authorities; it can use private addresses internally.
• Because the internet is private, duplication of addresses by another organization in the global Internet is not a problem.

Figure 32.11 Hybrid network

• Useful when organizations need privacy in intraorganization data exchange but, at the same time, need to be connected to the global Internet for data exchange with other organizations.
• Allows an organization to have its own private internet & at the same time, access to the global Internet.
• Intraorganization data: routed through the private internet.
• Interorganization data: routed through the global internet.

Figure 32.12 Virtual private network (VPN)

• VPN creates a network that is private (guarantees privacy inside the organization) and virtual (does not need real private WANs). The network is physically public but virtually private.
• In Figure 32.12, routers R1 & R2 use VPN technology to guarantee privacy for the organization.

Figure 32.13 Addressing in a VPN

• VPN uses IPSec in the tunnel mode.
• Each IP datagram destined for private use in the organization is encapsulated in another datagram.
• 2 sets of addressing are needed to use IPSec in tunneling.
• The public network (internet) carries the packet from R1 to R2.
• Outsiders cannot decipher (1) the contents of the packet; (2) the source & destination addresses.
• Deciphering takes place at R2, which finds the destination address of the packet & delivers it.

32-2 SSL/TLS

Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former.

Figure 32.14 Location of SSL and TLS in the Internet model

Topics discussed in this section:
• SSL Services
• Security Parameters
• Sessions and Connections
• Four Protocols

Table 32.3 SSL cipher suite list

• The combination of key exchange, hash & encryption algorithms defines a cipher suite for each SSL session.
• Each suite starts with the term SSL, followed by the key-exchange algorithm.
• The word WITH separates the key-exchange algorithm from the encryption & hash algorithms.

Table 32.3 SSL cipher suite list (continued)


Figure 32.15 Creation of cryptographic secrets in SSL

• The client & server exchange 2 random numbers; 1 is created by the client & the other by the server.
• The client & server exchange 1 premaster secret by using 1 of the key-exchange algorithms.
• A 48-byte master secret is created from the premaster secret by applying 2 hash functions (SHA-1 & MD5).
• The master secret is used to create variable-length secrets by applying the same set of hash functions & prepending with different constants.

The client and the server have six different cryptography secrets.
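The derivation above, written out as an added example (not part of the original slides) following the SSL 3.0 construction in RFC 6101. The handshake values are constructed samples, and the secret sizes assume a 3DES/SHA-1 suite (20-byte MAC secrets, 24-byte keys, 8-byte IVs).

```python
import hashlib

def ssl3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """Concatenate MD5(secret + SHA1(label + secret + seed)) blocks, where the
    prepended constant (label) is b"A", b"BB", b"CCC", ... for successive blocks."""
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()   # 16 bytes per block
        i += 1
    return out[:length]

def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # 48-byte master secret: seed is client random followed by server random
    return ssl3_expand(premaster, client_random + server_random, 48)

def six_secrets(master, client_random, server_random,
                mac_len=20, key_len=24, iv_len=8):
    # Key block: same hash construction, but the seed order is reversed
    # (server random first), then the block is cut into the six secrets.
    total = 2 * (mac_len + key_len + iv_len)
    block = ssl3_expand(master, server_random + client_random, total)
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    result, pos = {}, 0
    for name, size in zip(names, sizes):
        result[name] = block[pos:pos + size]
        pos += size
    return result

# Constructed sample handshake values (not from a real session)
PREMASTER = bytes([3, 0]) + bytes(range(46))      # 48-byte premaster secret
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
MASTER = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
KEYS = six_secrets(MASTER, CLIENT_RANDOM, SERVER_RANDOM)

if __name__ == "__main__":
    print("master secret:", MASTER.hex())
    for name, value in KEYS.items():
        print(f"{name:24s} {len(value):2d} bytes  {value.hex()}")
```

Both endpoints run the same derivation on the same inputs, so the six secrets never cross the wire; only the two random numbers and the protected premaster secret do.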

Figure 32.1( Four SS protocols


Figure 32.1+  %andshake Protocol 


the sender site) Figure 32.1-  Processing done by the *ecord Protocol (at the •


The +ecord Protocol carr"es messages 'rom the pper laer (.andsha$e Protocol,ChangeCh"pherSpec Protocol,ChangeCh"ph erSpec Protocol, Alert Protocol*appl"cat"on laer)! The message "s 'ragmented & opt"onall compressed; a MAC "s added to the compressed message b s"ng the negot"ated hash algor"thm! The compressed 'ragment & the MAC are encrpted b s"ng the negot"ated encrpt"on algor"thm! ="nall, the SS header "s added to the encrpted message!

32-3 PGP

One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails.

Figure 32.1  Position of P,P in the TCP#IP TCP#IP protocol suite T o pics discussed section" Topics discussed in this section" Security Paraeters Ser#ices A Scenario PP Algoriths 2' 4ings Key


In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.


Figure 32.20 A scenario in which an e-mail message is authenticated and encrypted

Sender site:
1.
• Alice creates a session key & concatenates it with the identity of the algorithm which will use this key.
• The result is encrypted with Bob's public key.
• Alice adds the identification of the public-key algorithm to the encrypted result.
2.
• Alice authenticates the message by using a public-key signature algorithm & encrypts it with her private key.
• The result is called the signature.
• Alice appends the identification of the public key as well as the identification of the hash algorithm to the signature.
• Alice combines the results of Steps 1 & 2 & sends them to Bob.

Receiver site:
1. Bob uses his private key to decrypt the combination of the session key & symmetric-key algorithm identification.
2. Bob uses the session key & the algorithm obtained in step 1 to decrypt the rest of the PGP message.
3. Bob uses Alice's public key & the algorithm defined by PA2 to decrypt the digest.
4. Bob uses the hash algorithm defined by HA to create a hash out of the message he obtained in step 2.
5. Bob compares the hash created in step 4 & the hash he decrypted in step 3. If the 2 are identical, he accepts the message; otherwise, he discards the message.
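The sender and receiver steps above, traced end to end as an added example (not from the original slides, and not real PGP). It assumes textbook RSA without padding over small Mersenne primes, a toy XOR stream cipher, and a made-up message layout, so it shows the flow only and offers no security.

```python
import hashlib, secrets

E = 65537
SIG_LEN = 141   # bytes in Alice's 1128-bit toy modulus

def keypair(p, q):
    """Textbook RSA from two primes: returns ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def alice_send(msg, alice_priv, bob_pub):
    session = secrets.token_bytes(16)
    # Sender step 1: algorithm id (0x01, constructed) + session key, under Bob's public key
    wrapped = pow(int.from_bytes(b"\x01" + session, "big"), bob_pub[1], bob_pub[0])
    # Sender step 2: digest encrypted with Alice's private key is the signature
    sig = pow(digest_int(msg), alice_priv[1], alice_priv[0])
    body = stream_xor(session, sig.to_bytes(SIG_LEN, "big") + msg)
    return {"pk_alg": "toy-rsa", "hash_alg": "sha256", "wrapped": wrapped, "body": body}

def bob_receive(pkt, bob_priv, alice_pub):
    # Receiver step 1: recover the algorithm id and session key
    blob = pow(pkt["wrapped"], bob_priv[1], bob_priv[0]).to_bytes(27, "big")[-17:]
    if blob[0] != 1:
        return None
    # Receiver step 2: decrypt the rest of the message with the session key
    plain = stream_xor(blob[1:], pkt["body"])
    sig, msg = int.from_bytes(plain[:SIG_LEN], "big"), plain[SIG_LEN:]
    # Receiver steps 3-5: decrypt the digest, rehash the message, compare
    if pow(sig, alice_pub[1], alice_pub[0]) != digest_int(msg):
        return None              # mismatch: discard the message
    return msg

# Constructed toy keys (Mersenne primes, chosen only so the example is short)
ALICE_PUB, ALICE_PRIV = keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = keypair(2**89 - 1, 2**127 - 1)

if __name__ == "__main__":
    pkt = alice_send(b"meet at noon", ALICE_PRIV, BOB_PUB)
    print(bob_receive(pkt, BOB_PRIV, ALICE_PUB))
```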

Table 32.4 PGP Algorithms


Figure 32.21 Rings

• Alice may need to send messages to many people. Thus, she needs a key ring of public keys, with a key belonging to each person with whom Alice needs to correspond.
• Alice may need to use a different key pair for each group. Therefore, each user needs to have 2 sets of rings: a ring of private/public keys & a ring of public keys of other people.
• Figure 32.21 shows a community of 4 people, each having a ring of pairs of private/public keys & at the same time, a ring of 4 public keys belonging to the other 4 people in the community. The figure shows 7 public keys for each public ring; each person in the ring can keep more than 1 public key for each other person.



In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.


32-4 FIREWALLS

All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Topics discussed in this section:
• Packet-Filter Firewall
• Proxy Firewall

Figure 32.22 Firewall

Firewall: a device (a router/computer) installed between the internal network of an organization & the rest of the Internet; it is designed to forward some packets & filter (not forward) others.

fireall  Figure 32.23  Packet-filter fireall  •

 A pac$et'"lter pac$et'"lter '"re%all "s a roter that ses a '"lter"ng table to dec"de %h"ch pac$ets mst be d"scarded! ="gre -2!2- sho%s an e6ample o' a '"lter"ng table 'or th"s $"nd o' a '"re%all!

 Accord"ng to ="gre -2!2-, the 'ollo%"ng pac$ets are '"ltered Inco Incom" m"n ng pac pac$e $ets ts 'ro 'rom m net% net%or or$ $ 1-1!-:!4!4 are bloc$ed! Incom"n Incom"ng g pac$et pac$ets s dest"ne dest"ned d 'or an an "ntern "nternal al T/3 T/3/T /T sere sererr (port (port 2-) 2-) are bloc bloc$ed $ed!! Incom"n Incom"ng g pac$et pac$ets s dest"n dest"ned ed 'or 'or "ntern "nternal al host host 1D:[email protected] 1D:[email protected]!2 !24! 4! are are bloc$e bloc$ed! d! The The organ"at"on %ants th"s host 'or "nternal se onl! onl! 0tgo" 0tgo"ng ng pac$e pac$ets ts dest"n dest"ned ed 'or 'or an .TTP .TTP serer serer (por (portt 4) are bloc$e bloc$ed! d! The The organ"at"on does not %ant emploees to bro%se the "nternet!

1! 2! -! :!


 (aster"s$) means Ban


 p!cket*i$ter p!cket*i$ter *irew!$$ *i$ters !t the network or tr!nsport $!yer


Figure 32.24 Proxy firewall

1. When the user client process sends a message, the proxy firewall runs a server process to receive the request.
2. The server opens the packet at the application level & finds out if the request is legitimate.
3. If it is, the server acts as a client process & sends the message to the real server in the corporation.
4. If it is not, the message is dropped & an error message is sent to the external user.

In this way, the requests of the external users are filtered based on the contents at the application layer.

A proxy firewall filters at the application layer.
