of 34

Computer Networks 13 Security in the Internet IPSec SSLTLS PGP VPN and Firewalls

Published on May 2018 | Categories: Documents | Downloads: 0 | Comments: 0
102 views

Comments

Content

TCE 2321 Computer Networks Lecture 13

Security in the Internet: IPSec, SSL/TLS, PGP, PN, !n" #irew!$$s %Ch!pter32& 1

Figure 32.1 Common structure of three security protocols

• •

2

In IP, TCP & SMTP protocols, (1) MAC need to be created; (2) The message need to be encrpted!  Al"ce & #ob need to $no% $no% seeral seeral p"eces o' "n'ormat"on, secr"t parameters, parameters, be'ore be'ore the can send secred data to each other!

32-1 IPSecurity (IPSec)  IPSecurity (IPSec) is a collection of protocols designed by the Internet  Engineering Task Force (IETF) to provide security for a packet at the netork level!

Figure 32.2 TCP#IP protocol suite and IPSec T o pics discussed section" Topics discussed in this section" Two Tw o Modes Mo des Two Security Protocols Security Association 3 Internet Key Exchange IKE!

Transport mode and tunnel modes m odes of IPSec protocol  Figure 32.3 Transport





'

Transport mode  the IPSec header & tra"ler are added to the "n'ormat"on " n'ormat"on com"ng 'rom the transport laer!  the IP header "s added later! Tnnel mode  IPSec protects the ent"re IP pac$et!  It ta$es an IP pac$et, "ncld"ng the header, header, appl"es IPSec secr"t methods to the ent"re pac$et & then adds a ne% IP header!

Transport mode in action Figure 32.& Transport

• • •

Transport mode  "s normall sed %hen hosttohost (endtoend) (endtoend) protect"on o' data "s needed! Send"ng host  ses IPSec to athent"cate &* encrpt the paload del"ered 'rom the transport laer! +ece""ng host  ses IPSec to chec$ the athent"cat"on &* decrpt the IP pac$et & del"er "t to the transport laer! IPSec in the tr!nsport mo"e "oes not protect the IP he!"er) it on$y protects the in*orm!tion comin+ *rom the tr!nsport $!yer

(

Tunnel mode in action Figure 32.' Tunnel



Tnnel mode "s normall sed bet%een (1) 2 roters; (2) a host & a roter; (-) a roter & a host!  "n others %ords, "t sed %hen e"ther the sender or the rece"er "s not a host!

IPSec in tunne$ mo"e protects the ori+in!$ IP he!"er

-

Figure 32.( Security )rotocols1! )rotocols1! * $uthentication %eader ($%) Protocol in transport tra nsport mode

The 0 Protoco$ proi"es source !uthentic!tion !n" "!t! inte+rity, ut not pri!cy .

Figure 32.+ Security )rotocols2! * Encapsulating * Encapsulating Security Payload (ESP) Protocol in transport mode

ESP proi"es source !uthentic!tion, "!t! inte+rity, !n" pri!cy



Ta,le 32.1  IPSec services



4

Table -2!1 sho%s the l"st o' ser"ces aa"lable 'or A. & /SP

Figure 32.- Security AssociationSA! AssociationSA!** Simple inbound and outbound outbound security associations associations

• •

• 15

 Al"ce %ants to hae an assoc"at"on assoc"at"on %"th #ob 'or se se "n a 2%a commn"cat"on!  Al"ce & #ob can hae hae  0tbond assoc"at"on  Inbond assoc"at"on The secr"t assoc"at"ons assoc"at"ons are redced to 2 small tables 'or Al"ce & #ob

Figure 32. Internet Key Exchange Exchange IKE!*  I&E components

I6E cre!tes Ss *or IPSec 11

Ta,le 32.2  $ddresses for private netorks



12

Pr"ate net%or$  "s des"gned 'or se "ns"de an organ"at"on  allo%s access to shared resorces & pro"des pr"ac

Figure 32.1/  Private netork 

• • • • •

13

The A3s at d"''erent s"tes  connected to each other b s"ng roters & leased l"nes In '"gre -2!14, the A3s connected to each other b roters & 1 leased l"ne!  A pr"ate "nternet (totall (totall "solated 'rom 'rom the global "nternet) has been created! created! The organ"at"on does not need to appl 'or IP addresses %"th the Internet athor"t"es; can se pr"ate addresses "nternall! #ecase the "nternet "s pr"ate, dpl"cat"on o' addresses b another organ"at"on organ"at"on "n the global Internet "s not a problem!

Figure 32.11  %ybrid netork 



• • • 1'

5se'l %hen the organ"at"ons need to hae pr"ac "n " ntraorgan"at"on ntraorgan"at"on data e6change, bt at the same t"me, the need to be connected to the global Internet 'or data e6change %"th other organ"at"on!  Allo%s an organ"at"on organ"at"on to hae "ts o%n o%n pr"ate "nternet "nternet & at the same t"me, access to the global Internet! Intraorgan"at"on Intraorgan"at"on data  roted throgh the pr"ate "nternet Interorgan"at"on Interorgan"at"on data  roted throgh the global "nternet

Figure 32.12 'irtual private netork ('P)



• •

1(

7P3 creates a net%or$ that "s  pr"ate (garantees pr"ac "ns"de the organ"at"on)  "rtal (does not need real pr"ate 8A3s) The net%or$ "s phs"call pbl"c bt "rtall pr"ate In '"gre -2!12, roters +1 & +2 se 7P3 technolog to garantee pr"ac 'or the organ"t"on!

Figure 32.13  $ddressing in a 'P 

• • • • • • 1-

7P3 ses IPSec "n the tnnel mode! /ach IP datagram dest"ned 'or pr"ate se "n the organ"at"on "s encapslated "n another datagram! 2 sets o' address"ng are needed to se IPSec "n tnnel"ng! The pbl"c net%or$ ("nternet)  carr the pac$et 'rom +1 to +2 0ts"ders cannot dec"pher the the (1) contents o' the pac$et; (2) sorce & dest"nat"on dest"nat"on addresses 9ec"pher"ng ta$es place at +2, %h"ch '"nds the dest"nat"on address o' the pac$et & del"ers "t!

32-2 SSL/TLS To protocols are dominant today for providing security at the transport layer" the Secure Sockets ayer (SS) Protocol and the Transport ayer  Security (TS) Protocol! The latter is actually an IETF version of the  former!

Figure 32.1&  ocation of SS and TS in the Internet model  T o pics discussed section" Topics discussed in this section" SS0 Ser#ices Security Paraeters Sessions and onnections 1. Four Protocols

cipher suite list  Ta,le 32.3  SS cipher

• • • 1

The comb"nat"on o' $e e6change, hash & encrpt"on algor"thms de'"nes a cipher suite 'or suite 'or each SS sess"on! sess"on! /ach s"te starts %"th the term SSL, 'ollo%ed b the $ee6change algor"thm! The %ord WITH  separates  separates the $e e6change algor"thm 'rom the encrpt"on & hash algor"thms!

cipher suite list ( continued  continued   ) Ta,le 32.3  SS cipher

14

Figure 32.1' Creation of cryptographic secrets in SS •

The cl"ent & serer e6change 2 random nmbers; 1 "s created b the cl"ent & the other b the serer! The cl"ent & serer e6change 1 premaster secret b s"ng 1 o' the $ee6change algor"thms  A :bte master secret "s created 'rom the premaster secret b appl"ng 2 hash 'nct"ons (S.A1 & M9<) The master secret "s sed to create ar"ablelength secrets b appl"ng the same set o' hash 'nct"ons & prepend"ng %"th d"''erent constants!







The c$ient !n" the serer h!e si7 "i**erent crypto+r!phy secrets 25

Figure 32.1( Four SS protocols

21

Figure 32.1+  %andshake Protocol 

22

the sender site) Figure 32.1-  Processing done by the *ecord Protocol (at the •







23

The +ecord Protocol carr"es messages 'rom the pper laer (.andsha$e Protocol,ChangeCh"pherSpec Protocol,ChangeCh"ph erSpec Protocol, Alert Protocol*appl"cat"on laer)! The message "s 'ragmented & opt"onall compressed; a MAC "s added to the compressed message b s"ng the negot"ated hash algor"thm! The compressed 'ragment & the MAC are encrpted b s"ng the negot"ated encrpt"on algor"thm! ="nall, the SS header "s added to the encrpted message!

32-3 PGP +ne of the protocols to provide security at the application layer is Pretty ,ood Privacy (P,P)! P,P is designed to create authenticated and confidential e-mails!

Figure 32.1  Position of P,P in the TCP#IP TCP#IP protocol suite T o pics discussed section" Topics discussed in this section" Security Paraeters Ser#ices A Scenario PP Algoriths 2' 4ings Key

 ote

In PGP, the sen"er o* the mess!+e nee"s to inc$u"e the i"enti*iers o* the !$+orithms use" in the mess!+e !s we$$ !s the !$ues o* the keys

2(

Figure 32.2/  $ scenario in hich an e-mail message is authenticated and encrypted  Sen"er site: 1 •  Al"ce creates a sess"on $e & concatenates "t %"th the "dent"t o' t he algor"thm %h"ch %"ll se th"s $e! • The reslt "s encrpted %"th #ob>s pbl"c $e! •  Al"ce adds the "dent"'"cat"on o' the pbl"c$e algor"thm to the encrpted reslt! 2 •  Al"ce athent"cates the message b s"ng a pbl"c$e s"gnatre algor"thm & encrpts "t %"th her pr"ate $e! • The reslt "s called the s"gnatre! •  Al"ce appends the "dent"'"cat"on o' the pbl"c $e as %ell as the "dent"'"cat"on o' the hash algor"thm to the s"gnatre! •  Al"ce comb"nes the reslts o' Steps 1 & 2 & sends to them to #ob! 8eceier site: 1! #ob ses ses h"s h"s pr" pr"ate ate $e $e to decr decrpt pt the the comb"n comb"nat" at"on on o' the the sess"o sess"on n $e & smmet smmetr"c r"c$e $e algor" algor"thm thm "dent"'"cat"on! 2! #ob ses ses sess"o sess"on n $e $e & the the algor algor"thm "thm obta"n obta"ned ed "n "n step step 1 to decrp decrptt the rest o' the the P?P P?P messa message! ge! -! #ob ses ses Al"c Al"ce> e>s s pbl" pbl"c c $e & the algor" algor"thm thm de'" de'"ned ned b PA PA2 to decr decrp ptt the d"ge d"gest! st! :! #ob ses ses the hash hash algor algor"th "thm m de'"n de'"ned ed b b .A to a hash hash ot ot o' messa message ge he he obta" obta"ned ned "n step step2! 2! <! #ob compar compares es the the hash hash create created d "n step step : & the the hash hash he decrp decrpted ted "n "n step step -! I' I' 2 are are "dent" "dent"cal cal,, he accepts the message; other%"se, he d"scards the message! 2-

Ta,le 32.&  P,P $lgorithms

2.

Figure 32.21  *ings



 Al"ce ma need to send messages to man people! people! Ths, she needs needs a $e r"ngs o' pbl"c $e, $e, %"th a $e belong to each person %"th %hom Al"ce needs to correspond!  Al"ce ma need to se a d"''erent d"''erent $e pa"r 'or each grop! grop! There'ore, each each ser needs to hae 2 sets o' r"ngs a r"ng o' pr"ate*pbl"c $es & a r"ng o' pbl"c $es o' other people! ="gre -2!21 sho%s a commn"t o' : people, each ha"ng a r"ng o' pa"rs o' pr"ate*pbl"c $e & at the same t"me, a r"ng o' : pbl"c $es belong"ng to the other : people "n the commn"t! The '"gre sho%s @ pbl"c $es 'or each pbl"c r"ng; each person "n the r"ng can $eep more than 1 pbl"c $e 'or each other person!

• • •

2

 ote

In PGP, there c!n e mu$tip$e p!ths *rom *u$$y or p!rti!$$y truste" !uthorities to !ny su9ect

24

32-4 FIREWALLS  $ll previous security measures cannot prevent Eve  from sending a harmful message to a system! To control access to a system. e need firealls! $ fireall is a device installed beteen the internal netork of an organi/ation and the rest of the Internet! It is designed to forard some packets and filter (not forard) others! T o pics discussed section" Topics discussed in this section" Pac%et6Filter Firewall Proxy Firewall 35

Figure 32.22 Fireall 



31

="re%all  a de"ce (a roter*compter) "nstalled bet%een the "nternal net%or$ o' a organ"at"on & the rest o' the Internet!  "s des"gned to 'or%ard some pac$ets & '"lter (not 'or%ard) others!

fireall  Figure 32.23  Packet-filter fireall  •

 A pac$et'"lter pac$et'"lter '"re%all "s a roter that ses a '"lter"ng table to dec"de %h"ch pac$ets mst be d"scarded! ="gre -2!2- sho%s an e6ample o' a '"lter"ng table 'or th"s $"nd o' a '"re%all!





 Accord"ng to ="gre -2!2-, the 'ollo%"ng pac$ets are '"ltered Inco Incom" m"n ng pac pac$e $ets ts 'ro 'rom m net% net%or or$ $ 1-1!-:!4!4 are bloc$ed! Incom"n Incom"ng g pac$et pac$ets s dest"ne dest"ned d 'or an an "ntern "nternal al T/3 T/3/T /T sere sererr (port (port 2-) 2-) are bloc bloc$ed $ed!! Incom"n Incom"ng g pac$et pac$ets s dest"n dest"ned ed 'or 'or "ntern "nternal al host host 1D:[email protected] 1D:[email protected]!2 !24! 4! are are bloc$e bloc$ed! d! The The organ"at"on %ants th"s host 'or "nternal se onl! onl! 0tgo" 0tgo"ng ng pac$e pac$ets ts dest"n dest"ned ed 'or 'or an .TTP .TTP serer serer (por (portt 4) are bloc$e bloc$ed! d! The The organ"at"on does not %ant emploees to bro%se the "nternet!

1! 2! -! :!

32

 (aster"s$) means Ban

 ote

 p!cket*i$ter p!cket*i$ter *irew!$$ *i$ters !t the network or tr!nsport $!yer

33

Figure 32.2&  Pro0y fireall  1!

8hen 8hen the the se serr cl" cl"en entt pro proce cess ss send sends s : a message, the pro6 '"re%all rns a serer process to rece"e the reEest, 1 2 2! The The ser serer er open opens s the the pac$ pac$et et at the the appl"cat"on leel & '"nds ot "' the reEest "s leg"t"mate! -! I' "t "s, "s, the the ser serer er acts acts as a cl" cl"en entt process & sends the message to the real serer "n the corporat"on! :! I' "t "s "s not, not, the mess message age "s dropp dropped ed & an an error error messag message e "s sent sent to the the e6te e6terna rnall ser! ser!  In th"s %a %a, the reEests o' the e6ternal sers are '"ltered based on the contents at the appl"cat"on laer! laer!

 pro7y *irew!$$ *i$ters !t the !pp$ic!tion $!yer $!yer 3'

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close