Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University
|
|
- Norma Adams
- 6 years ago
- Views:
Transcription
1 Chapter 6 IP Security Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University bhargavigoswami@gmail.com
2 Topic List 1. IP Security Overview 2. IP Security Architecture 3. Authentication Header 4. Encapsulating Security Payload 5. Combinations of Security Associations 6. Key Management
3 Introduction: There are application-specific security mechanisms for a number of application areas, like Electronic mail (S/MIME, PGP), Client/server (Kerberos), Web access (Secure Sockets Layer). IP-level security encompasses three functional areas: authentication, confidentiality, and key management.
4
5 IP Security Overview IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
6 IP Security Overview Applications of IPSec: Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. Saving costs and network management overhead. Secure remote access over the Internet: reduces the cost of toll charges for traveling employees and telecommuters. Establsihing extranet and intranet connectivity with partners: secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. Enhancing electronic commerce security: Web and electronic commerce applications have built-in security protocols, the use of IPsec enhances security.
7 IPSec Features: Can encrypt and/or authenticate all traffic at the IP level. All distributed applications (including remote logon, client/server, , file transfer, Web access, and so on) can be secured. IPSec protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world. The IPsec networking device will typically encrypt/decrypt and compress all traffic going/coming from/to the WAN These operations are transparent to workstations and servers on the LAN. Lets have a look at scenario of IPSec Usage.
8 IP Security Scenario
9 Benefits of IPSec: Transparent to applications (below transport layer (TCP, UDP). Provide security for individual users. IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP. No need to change software on a user or server system when IPsec is implemented in the firewall or router. Transparent to users, results no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization. IPsec can provide security for setting up a secure virtual sub-network within an organization for sensitive applications.
10 IPSec can assure that: A router or neighbor advertisement comes from an authorized router. A redirect message comes from the router to which the initial packet was sent. A routing update is not forged.
11 IP Security Architecture a) IPSec Documents b) IPSec Services c) Security Associations d) SA Parameters e) SA Selectors f) Transport & Tunnel Mode
12 (a) IPSec documents: RFC 2401: An overview of security architecture RFC 2402: Description of a packet authentication extension to IPv4 and IPv6 RFC 2406: Description of a packet encryption extension to IPv4 and IPv6 RFC 2408: Specification of key managament capabilities The documents can be categorized into the following groups. Architecture Encapsulating Security Payload (ESP) Authentication Header (AH) Encryption Algorithm Authentication Algorithm Key Management Domain of Interpretation (DOI)
13 IPSec Document Overview
14 Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology. Authentication Header (AH): AH is an extension header to provide message authentication. Used for backward compatibility, not used in new applications. Encapsulating Security Payload (ESP): ESP consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication. Internet Key Exchange (IKE): This is a collection of documents describing the key management schemes for use with IPsec. Cryptographic algorithms: This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange. Domain of Interpretation (DOI): Contains doc needed for other documents to relate to each other. Includes ids for encryption and authentication algorithms.
15 (b) IPSec Services IPsec provides security services at the IP layer and can be customized. Services provided are: Access Control Connectionless integrity Data origin authentication Rejection of replayed packets Confidentiality (encryption) Limited traffic flow confidentiallity Lets see which services are provided by AH and ESP protocols.
16
17 (c) Security Association An association is one way relationship between sender and receiver that affords security services to traffic carried on it. For two way secure exchange, two security associations are required. Used by AH or ESP, but not both. SA is uniquely identified by three parameters: Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier(AH or ESP).
18 (d) SA Parameter: In each IPSec implementation there is nominal security association database that defines parameters associated with each SA. Parameters: Sequence Number Counter. Sequence Counter Overflow(flag for preventing further transmission). Anti-Replay Window(determine if packet replayed). AH Information. ESP Information Lifetime of this Security Association IPSec Protocol Mode (Tunnel, Transport, Wildcard) Path MTU (path of max transmission unit and aging variables)
19 (e) SA Selectors SA can be combined to desired user configuration. IP traffic is related to specific SA defined in nominal SPD (Security Policy Database). These SPD entry is defined by set of IP and upper layer protocol field values called selectors. Process: 1. Compare fields in packet with SPD. 2. Determine SA and associated SPI. 3. Do IPSec processing. SPD Entry: Destination IP Address Source IP Address User ID Data Sensitivity Level Transport Layer Protocol Source and Destination Ports.
20 Transport & Tunnel Mode AH ESP Transport Mode SA Authenticates IP payload and selected portions of IP header and IPv6 extension headers Encrypts IP payload and any IPv6 extesion header Tunnel Mode SA Authenticates entire inner IP packet plus selected portions of outer IP header Encrypts inner IP packet ESP with authentication Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header Encrypts inner IP packet. Authenticates inner IP packet.
21 Authentication Header Provides support for data integrity and authentication (MAC code) of IP packets. Guards against replay attacks.
22 AH has following fields: Next Header: 8 bits. Identifies type of header. Payload Length: 8 bits. Length 4 bits. Reserved: 16 bits. For future use. Security Parameter Index: 32 bits. Identifies security association. Sequence Number: 32 bit. Monotonic increasing counter value. Authentication Data: Variable length field of 32 bit-3 words that contain Integrity Check Value (ICV) or MAC.
23 How to provide Anti-Replay Service? Step 1: Sequence Number Generation. Step 2: Processed by Recipient for checking. Sequencing starts with 1. If cycle past back to zero, terminate current SA and negotiate a new SA with new key. But, IP is connectionless, unreliable service. Protocol does not guarantee ordered arrival of packets. Solution? IPSec should implement window size W = 64.
24
25 Sequence number received from N-W+1 till N are marked (shaded) as received shown in previous figure. If received packet falls within window and is new, MAC is checked. If authenticated, relevant window slot is marked. If received packet is to the right, MCA is checked, packet is authenticated, window is advanced and slot is marked. If received packet is to the left, or authentication failed, packet is discarded.
26 ICV: Integrity Check Value Authentication Data field has this value. ICV is MAC ( message authentication code). May support HMAC-MD5-96 or HMAC- SHA Here, full HMAC value is calculated and then truncated to first 96bits (default length of Authentication data field).
27 Transport & Tunnel Modes: IPSec authentication service: Type 1: End to End Type 2: End to intermediate authentication. Transport Mode AH: Authentication covers entire packet excluding mutable fields for MAC calculation. IPv4 AH is inserted after original IP header and before IP Payload. For IPv6, AS is end to end payload, not processed by intermediate routers. Tunnel Mode AH: Entire original IP packet is authenticated. Inner IP header (original) carries ultimate source and destination address. Outer IP header (new) carries address of firewalls or outer gateways. In tunnel mode, entire inner IP packet is protected by AH. Outer IP is protected except mutable and unpredictable fields.
28 End-to-end versus End-to- Intermediate Authentication
29 Before applying AH
30 Transport Mode (AH Authentication)
31 Tunnel Mode (AH Authentication)
32 Encapsulating Security Payload ESP provides confidentiality services
33 Security Parameters Index (32 bits): Identifies a security association. Sequence Number (32 bits): A monotonically increasing counter value; used for anti replay attack. Payload Data (variable): This is a transport-level segment / IP packet protected by Encryption. Padding (0 255 bytes): The purpose is discussed later. Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field. Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload Authentication Data (Variable) : Integrity Check Value (variable) A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value.
34 Encryption and Authentication Algorithms Encryption: Three-key triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish Authentication: HMAC-MD5-96 HMAC-SHA-1-96
35 Padding: Padding field is used to expand the plaintext to the required length. The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit word which is fulfilled by Padding. Additional padding may be added to provide partial traffic-flow confidentiality.
36 Transport v/s Tunnel Mode for ESP
37 Figure (b) shows how tunnel mode operation can be used to set up a virtual private network. Four private networks interconnected across the Internet. Internal networks use the Internet for transport of data but do not interact with other Internet-based hosts. By terminating the tunnels at the security gateway to each internal network, the configuration allows the hosts to avoid implementing the security capability.
38 Before applying ESP
39 ESP header is inserted IPv4, the ESP header is inserted into the IP packet immediately prior to the transport-layer header (e.g., TCP, UDP, ICMP), and an ESP trailer (Padding, Pad Length, and Next Header fields) is placed after the IP packet. If authentication is selected, the ESP Authentication Data field is added after the ESP trailer. The entire transport-level segment plus the ESP trailer are encrypted. Authentication covers all of the ciphertext plus the ESP header.
40 IPv6,ESP is viewed as an end-to-end payload; that is, it is not examined or processed by intermediate routers. Therefore, the ESP header appears after the IPv6 base header and the hop-by-hop, routing, and fragment extension headers. The destination options extension header could appear before or after the ESP header, depending on the semantics desired. For IPv6, encryption covers the entire transport-level segment plus the ESP trailer plus the destination options extension header if it occurs after the ESP header. Again, authentication covers the ciphertext plus the ESP header. Operations: ESP trailer plus the entire transport-layer segment is encrypted and the plaintext is replaced with its cipher text to form the IP packet for transmission. Authentication is optional. The packet is then routed to the destination. Each intermediate router needs to examine and process the IP header plus any plaintext IP extension headers but does not need to examine the cipher text. The destination node examines and processes the IP header plus IP extension headers. Then, on the basis of the SPI in the ESP header, the destination node decrypts the remainder of the packet to recover the plaintext transport-layer segment. Provides confidentiality. Advantage: Avoid need to implement confidentiality at every application. Disadvantage: Traffic analysis.
41 Used to counter traffic analysis. ESP header is prefixed to the packet and then the packet plus the ESP trailer is encrypted. Need of New IP header: Intermediate routers would be unable to process such a packet. Therefore, it is necessary to encapsulate the entire block with a new IP header that will contain sufficient information for routing but not for traffic analysis.
42 Tunnel mode is useful in a configuration that includes a firewall or security gateway that protects a trusted network from external networks. Advantage: Only external gateways need to provide encryption, no burden on internal networks. Simplifies the key distribution task by reducing the number of needed keys. Thwarts traffic analysis based on ultimate destination. Steps: 1. Source prepares an inner IP packet with a destination address. ESP header and ESP Trailer is added and encrypted. Then resulting block is encapsulated with a new IP header. Thus forms the outer IP packet. 2. Outer packet is routed to the destination firewall. Needed information is available with hidden cipher data. 3. Destination firewall examines and processes the outer IP header. On base of SPI in ESP Header, decrypts and recover entire packet. Then transmit it to destination of internal n/w. 4. Inner packet is routed through zero or more routers in the internal network to the destination host.
43 Combining Security Associates: So far we studied that An individual SA can implement either the AH or ESP protocol but not both. Sometimes a particular traffic flow will call for the services provided by both AH and ESP. Multiple SAs must be employed for the same traffic flow to achieve the desired IPsec services. The term security association bundle refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPsec services. Two ways: Transport adjacency Iterated tunnelling
44 Transport adjacency: Refers to applying more than one security protocol to the same IP packet without invoking tunnelling. This approach to combining AH and ESP allows for only one level of combination; further nesting yields no added benefit since the processing is performed at one IPsec instance: the (ultimate) destination.
45
46 Iterated tunnelling: Refers to the application of multiple layers of security protocols effected through IP tunnelling. This approach allows for multiple levels of nesting, since each tunnel can originate or terminate at a different IPsec site along the path.
47
48 Issue? issue that arises when considering SA bundles is the order in which authentication and encryption would be applied. Encryption and authentication can be combined in order to transmit an IP packet that has both confidentiality and authentication between hosts. Order maintained can be First apply ESP on field to be protected. Then append authentication field. Or first apply AH. Then apply ESP. Both way is possible with certain advantage s and disadvantages.
49 Basic Combinations of Security Associations Four examples of combinations of SAs that must be supported by compliant IPsec hosts (e.g., workstation, server) or security gateways (e.g. firewall, router). Solid lines represent physical connectivity. Dotted lines represent logical connectivity via one or more nested SAs. Each SA can be either AH or ESP. For host-to-host SAs, the mode may be either transport or tunnel; otherwise it must be tunnel mode.
50 Case 1 All security is provided between end systems that implement IPsec. they must share the appropriate secret keys. possible combinations: a. AH in transport mode b. ESP in transport mode c. ESP followed by AH in transport mode (an ESP SA inside an AH SA) d. Any one of a, b, or c inside an AH or ESP in tunnel mode
51 Case 1
52 Case 2 Security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPsec. Illustrates simple virtual private network support. Only a single tunnel SA is needed. The tunnel could support AH, ESP, or ESP with the authentication option. Nested tunnels are not required, because the IPsec services apply to the entire inner packet. * indicates that it implements IPSec.
53 Case 2
54 Case 3 This builds on case 2 by adding endto-end security. Combination remains same for AH and ESP. The gateway-to-gateway tunnel provides either authentication, confidentiality, or both for all traffic between end systems.
55 Case 3
56 Case 4 This provides support for a remote host. He uses the Internet to reach an organization s firewall and then to gain access to some server or workstation behind the firewall. Only tunnel mode is required between the remote host and the firewall. As in case 1, one or two SAs may be used between the remote host and the local host.
57 Case 4
58 Key Management Two types: Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is practical for small, relatively static environments. Automated: On demand creation of keys. Used for large distributed systems. IPSec protocol is referred as: Oakley Key Determination Protocol Internet Security Association and Key Management Protocol (ISAKMP)
59 1. Oakley Based on the Diffie-Hellman algorithm but providing added security. Generic and not specific. K = (y B ) XA mod 9. = (Y A ) XB mod q = α XAXB mod q Three authentication methods: Digital signatures Public-key encryption Symmetric-key encryption
60 Pros & Corns: Diffie Hellman Advantages: Secret keys are created only when needed. Exchange requires no prerequisite infrastructure other than agreement on global parameters. Disadvantages: Does not identify the parties. Subject to Man in Middle attack. It is computationally intensive as a result, it is vulnerable to a clogging attack.
61 Features of Oakley Employs mechanism called cookies to thwart clogging attack. Enables two parties to negotiate into a group; defining global parameters. Uses nonces to ensure against replay attack. Enables exchange of Diffie Hellman public key values. It authenticates Diffie Hellman exchange to thwart Man-in-Middle attack.
62 Clogging Attack: Opponent forges source address of legitimate user and sends public key victim. Victim performs modular exponentiation to computer secret key. Repeated msg of this kind can clog the victim s system with useless work. Solution? Cookie Exchange: Each side send pseudorandom number, the cookie, in initial msg, which is Ack by other side. This ACK must be obtained in 1 st msg of Diffie- Hellman key exchange. If the source address is forged, opponent get no answer from other side because he can not perform Diffie Hellman Calculations.
63 Oakley supports groups where each group include definition of two global parameters and identity of algorithm. Following group exist: Modular Exponentiation with a 768-bit modulus: q = X ([2 638 X π] ) α = 2 Modular Exponentiation with a 1024-bit modulus: q = X ([2 894 X π] ) α = 2 Modular exponentiation with a 1536-bit modulus Parameters to be determined. Elliptic curve group over Generator (hexadecimal): X = 7B, Y = 1C8 Elliptic curve parameters (hexadecimal): A=0, Y=7338F Elliptic curve group over Generator (hexadecimal): X = 18, Y = D Elliptic curve parameters (hexadecimal): A=0, Y=1EE9
64 Oakley employs nonces to ensure against replay attacks. Nonces? Each nonce is locally generated pseudorandom number. Nonces appear in responses. Nonces are encrypted to secure exchange. Oakley Example: Aggressive Key Exchange Only three msg are exchanged.
65
66 2. ISAKMP
67 Provides framework for Internet key management & specific protocol support for negotiation of security attributes. ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete security associations. ISAKMP defines payloads for exchanging key generation and authentication data. Header format given in previous slides consist of following fields: Initiator Cookie: 64 bit. Cookie of communication initiator. SA Establishment, notification, deletion. Responder Cookie: 64 bit. Cookie of responder. Null if first msg from initiator. Next Payload: 8 bit. Type of first payload in msg. Major Version: 4 bit. Minor Version: 4 bit. Exchange Type: 8 bit. Flags: 8 bit Encryption bit: Is set if all payloads are encrypted. Commit bit: Ensure that encrypted material is not received prior to completion of SA establishment. Message ID: 32 bits. Unique id for msg. Length: 32 bits. Length of total msg in octets. Header + Payload.
68
69 Type Parameters Decryption Security Association (SA) Proposal (P) Transform(T) Domain of Interpretation, Situation. Proposal #, Protocol-ID, SPI Size, #Transforms, SPI. Transform #, Transform ID, SA Attributes. Negotiate security attributes and indicate DOI and Situation. Used during SA negotiation. Indicates protocol to be used and number of transforms. Used at negotiation. Indicates and transform and SA attributes. Key Exchange (KE) Key exchange data Supports variety of key exchange techniques. Identification (ID) ID type, ID data Used to exchange identification information. Certificate (CERT) Certificate Request(CR) Cert Encoding, Certificate Data. #Cert Types, Certificate Types, #Cert Auths, Cert Authorities. Used to transport certificate and other certificate related information. Used to request certificates, its types and accepted authorities.
70 Type Parameter Description Hash(HASH) Hash Data Contains data generated by hash function Signature (SIG) Signature Data Contains data generated by hash function Nonce (NONCE) Nonce Data Contains a nonce. Notification (N) Delete(D) DOI, Protocol ID, SPI size, Notify Msg Type, Notification Data DOI, Protocol-ID, SPI size, #of SPI, SPI Used to transmit notification data, such as an error condition. Indicate as SA that is no longer valid
71 Chapter Ends Here... Please start practicing figures. Give test for chapter 4, 5 and 6. Its high time to start preparation then don t come with sad face. Your current deeds define your future. 60% syllabus over, 40% remaining. 6 Chapters over, 3 Chapters remaining.
72 TCP/IP Example
73 IPv4 Header
74 IPv6 Header
Chapter 6/8. IP Security
Chapter 6/8 IP Security Prof. Bhargavi H Goswami Department of MCA, Sunshine Group of Institutes, Rajkot, Gujarat, India. Mob: +918140099018. Email: bhargavigoswami@gmail.com Topic List 1. IP Security
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 20 IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with
More informationThe Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,
1 The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security
More informationCryptography and Network Security Chapter 16. Fourth Edition by William Stallings
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Chapter 16 IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death,
More informationIP Security. Have a range of application specific security mechanisms
IP Security IP Security Have a range of application specific security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS However there are security concerns that cut across protocol layers Would like security
More informationIPSec. Overview. Overview. Levente Buttyán
IPSec - brief overview - security associations (SAs) - Authentication Header (AH) protocol - Encapsulated Security Payload () protocol - combining SAs (examples) Overview Overview IPSec is an Internet
More informationIPSec. Slides by Vitaly Shmatikov UT Austin. slide 1
IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service
More informationIP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A
Network Security IP Security Part 1 1 IP Security Overview 1994 RFC1636, Security in the Internet Architecture Identified key needs: Secure network infrastructure from unauthorized monitoring Control network
More informationCSC 6575: Internet Security Fall 2017
CSC 6575: Internet Security Fall 2017 Network Security Devices IP Security Mohammad Ashiqur Rahman Department of Computer Science College of Engineering Tennessee Tech University 2 IPSec Agenda Architecture
More informationThe IPsec protocols. Overview
The IPsec protocols -- components and services -- modes of operation -- Security Associations -- Authenticated Header (AH) -- Encapsulated Security Payload () (c) Levente Buttyán (buttyan@crysys.hu) Overview
More informationIP Security IK2218/EP2120
IP Security IK2218/EP2120 Markus Hidell, mahidell@kth.se KTH School of ICT Based partly on material by Vitaly Shmatikov, Univ. of Texas Acknowledgements The presentation builds upon material from - Previous
More informationCIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec
CIS 6930/4930 Computer and Network Security Topic 8.1 IPsec 1 IPsec Objectives Why do we need IPsec? IP V4 has no authentication IP spoofing Payload could be changed without detection. IP V4 has no confidentiality
More informationChapter 5: Network Layer Security
Managing and Securing Computer Networks Guy Leduc Mainly based on Network Security - PRIVATE Communication in a PUBLIC World C. Kaufman, R. Pearlman, M. Speciner Pearson Education, 2002. (chapters 17 and
More informationProtocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.
P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and
More informationCONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements
CONTENTS Preface Acknowledgements xiii xvii Chapter 1 TCP/IP Overview 1 1.1 Some History 2 1.2 TCP/IP Protocol Architecture 4 1.2.1 Data-link Layer 4 1.2.2 Network Layer 5 1.2.2.1 Internet Protocol 5 IPv4
More informationIPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security
IPsec (AH, ESP), IKE Guevara Noubir noubir@ccs.neu.edu Securing Networks Control/Management (configuration) Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec,
More information8. Network Layer Contents
Contents 1 / 43 * Earlier Work * IETF IP sec Working Group * IP Security Protocol * Security Associations * Authentication Header * Encapsulation Security Payload * Internet Key Management Protocol * Modular
More informationChapter 11 The IPSec Security Architecture for the Internet Protocol
Chapter 11 The IPSec Security Architecture for the Internet Protocol IPSec Architecture Security Associations AH / ESP IKE [NetSec], WS 2008/2009 11.1 The TCP/IP Protocol Suite Application Protocol Internet
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 15 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear,
More informationThe IPSec Security Architecture for the Internet Protocol
Chapter 11 The IPSec Security Architecture for the Internet Protocol [NetSec], WS 2005/2006 11.1 Overview Brief introduction to the Internet Protocol (IP) suite Security problems of IP and objectives of
More informationINFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP
INFS 766 Internet Security Protocols Lectures 7 and 8 IPSEC Prof. Ravi Sandhu IPSEC ROADMAP Security Association IP AH (Authentication Header) Protocol IP ESP (Encapsulating Security Protocol) Authentication
More informationIP Security. Cunsheng Ding HKUST, Kong Kong, China
IP Security Cunsheng Ding HKUST, Kong Kong, China Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security Association Building Block: Security Association Database Building
More informationCIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management
CIS 6930/4930 Computer and Network Security Topic 8.2 Internet Key Management 1 Key Management Why do we need Internet key management AH and ESP require encryption and authentication keys Process to negotiate
More informationCSE509: (Intro to) Systems Security
CSE509: (Intro to) Systems Security Fall 2012 Invited Lecture by Vyas Sekar IPSec 2005-12 parts by Matt Bishop, used with permission Security in Real Life: Motivation Site SF Company X $$$ Site NY Site
More informationVirtual Private Network
VPN and IPsec Virtual Private Network Creates a secure tunnel over a public network Client to firewall Router to router Firewall to firewall Uses the Internet as the public backbone to access a secure
More informationLecture 9: Network Level Security IPSec
Lecture 9: Network Level Security IPSec CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, and Tony Barnard HW3 being graded Course Admin HW4 will
More informationCOSC4377. Chapter 8 roadmap
Lecture 28 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7
More informationJunos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services
Junos Security Chapter 8: IPsec VPNs 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter, you will
More informationNetwork Security - ISA 656 IPsec IPsec Key Management (IKE)
Network Security - ISA 656 IPsec IPsec (IKE) Angelos Stavrou September 28, 2008 What is IPsec, and Why? What is IPsec, and Why? History IPsec Structure Packet Layout Header (AH) AH Layout Encapsulating
More informationLecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005
Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Photuris and SKIP PHASE 1 IKE PHASE 2 IKE How is SA established? How do parties negotiate
More informationCryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption
and secure channel May 17, 2018 1 / 45 1 2 3 4 5 2 / 45 Introduction Simplified model for and decryption key decryption key plain text X KE algorithm KD Y = E(KE, X ) decryption ciphertext algorithm X
More informationNetwork Security: IPsec. Tuomas Aura
Network Security: IPsec Tuomas Aura 3 IPsec architecture and protocols Internet protocol security (IPsec) Network-layer security protocol Protects IP packets between two hosts or gateways Transparent to
More informationIP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.
IP Security Discussion Raise with IPv6 Security Architecture for IP (IPsec) Security Association (SA), AH-Protocol, -Protocol Operation-Modes, Internet Key Exchange Protocol (IKE) End-to-end security will
More informationCSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management
Computer Science CSC/ECE 574 Computer and Network Security Topic 8.2 Internet Key Management CSC/ECE 574 Dr. Peng Ning 1 Outline Key Management Security Principles Internet Key Management Manual Exchange
More informationOutline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management
Outline Computer Science CSC/ECE 574 Computer and Network Security Topic 8.2 Internet Key Management Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE CSC/ECE
More informationVirtual Private Networks
EN-2000 Reference Manual Document 8 Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission security,
More informationLecture 13 Page 1. Lecture 13 Page 3
IPsec Network Security: IPsec CS 239 Computer Software March 2, 2005 Until recently, the IP protocol had no standards for how to apply security Encryption and authentication layered on top Or provided
More informationNetwork Security (NetSec) IN2101 WS 16/17
Chair of Network Architectures and Services Department of Informatics Technical University of Munich Network Security (NetSec) IN2101 WS 16/17 Prof. Dr.-Ing. Georg Carle Dr. Heiko Niedermayer, Cornelius
More informationOutline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection
Outline CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationSample excerpt. Virtual Private Networks. Contents
Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................
More informationOutline. Key Management. CSCI 454/554 Computer and Network Security. Key Management
CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Key Management Outline Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationCSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management
CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Outline Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationNetwork Security IN2101
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security IN2101 Prof. Dr.-Ing. Georg Carle Dipl.-Inform. Ali Fessi Institut für Informatik Technische
More informationVPN Overview. VPN Types
VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat
More informationCRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK
CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK UNIT-1 1. Answer the following: a. What is Non-repudiation b. Distinguish between stream and block ciphers c. List out the problems of one time pad d. Define
More informationVPNs and VPN Technologies
C H A P T E R 1 VPNs and VPN Technologies This chapter defines virtual private networks (VPNs) and explores fundamental Internet Protocol Security (IPSec) technologies. This chapter covers the following
More informationET4254 Communications and Networking 1
Topic 9 Internet Protocols Aims:- basic protocol functions internetworking principles connectionless internetworking IP IPv6 IPSec 1 Protocol Functions have a small set of functions that form basis of
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec
More informationInternet security and privacy
Internet security and privacy IPsec 1 Layer 3 App. TCP/UDP IP L2 L1 2 Operating system layers App. TCP/UDP IP L2 L1 User process Kernel process Interface specific Socket API Device driver 3 IPsec Create
More informationLecture 12 Page 1. Lecture 12 Page 3
IPsec Network Security: IPsec CS 239 Computer Software February 26, 2003 Until recently, the IP protocol had no standards for how to apply security Encryption and authentication layered on top Or provided
More informationIPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43
0/43 IPsec and SSL/TLS Applied Cryptography 0 Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, 2016 Cryptography in the TCP/IP stack application layer transport layer network layer data-link
More informationVPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009
VPN and IPsec Network Administration Using Linux Virtual Private Network and IPSec 04/2009 What is VPN? VPN is an emulation of a private Wide Area Network (WAN) using shared or public IP facilities. A
More informationInternet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho
Internet Security - IPSec, SSL/TLS, SRTP - 29th. Oct. 2007 Lee, Choongho chlee@mmlab.snu.ac.kr Contents Introduction IPSec SSL / TLS SRTP Conclusion 2/27 Introduction (1/2) Security Goals Confidentiality
More informationCS 356 Internet Security Protocols. Fall 2013
CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5
More informationSankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank
Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology Question Bank Subject: Information Security (160702) Class: BE Sem. VI (CE/IT) Unit-1: Conventional
More informationVoice over IPSec. Emilia Rosti Dip. Informatica e Comunicazione Univ. Degli Studi di Milano
Voice over IPSec Emilia Rosti Dip. Informatica e Comunicazione Univ. Degli Studi di Milano Outline IP refresher IPSec VoIP and QoS - basics VoIPSec Experiments Results 2 IP refresher - network layers 3
More informationIPSec Guide. ISAKMP & IKE Formats
http://www.tech-invite.com IPSec Guide This document illustrates message formats. These formats result from ISAKMP framework definition (RFC 2408) refined by IPSec DOI (domain of interpretation, defined
More informationINTERNET PROTOCOL SECURITY (IPSEC) GUIDE.
INTERNET PROTOCOL SECURITY (IPSEC) GUIDE www.insidesecure.com INTRODUCING IPSEC NETWORK LAYER PACKET SECURITY With the explosive growth of the Internet, more and more enterprises are looking towards building
More informationIKE and Load Balancing
Configure IKE, page 1 Configure IPsec, page 9 Load Balancing, page 22 Configure IKE IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec security association.
More informationUse of IPSec in Mobile IP
Department of Electrical and Computer Engineering ELEG 777 Internet Engineering ( TERM PAPER ) Use of IPSec in Mobile IP DONE BY: SALEM ITANI ID #: 20011003 SUBMITTED TO: Dr. AYMAN KAYSSI DATE: MAY 21,
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Final Exam Review Instructor: Dr. Kun Sun Topics covered by Final Topic before Midterm 10% Topic after Midterm 90% Date: 12/13/2017 7:30am 10:15am Place: the same
More informationThe EN-4000 in Virtual Private Networks
EN-4000 Reference Manual Document 8 The EN-4000 in Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission
More informationIP Security II. Overview
IP Security II Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601-04/ Louisiana State University
More informationKALASALINGAM UNIVERSITY
KALASALINGAM UNIVERSITY (Kalasalingam Academy of Research and Education) DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING CLASS NOTES CRYPTOGRAPHY AND NETWOTK SECURITY (CSE 405) Prepared by M.RAJA AP/CSE
More informationIPSec implementation for SCTP
SCTP and Proposed Modifications to Aditya Kelkar Alok Sontakke Srivatsa R. Dept. of CSE. IIT Bombay October 31, 2004 SCTP and Proposed Modifications to 1 2 3 SCTP and 4 Proposed Modifications to 5 SCTP
More informationSEN366 (SEN374) (Introduction to) Computer Networks
SEN366 (SEN374) (Introduction to) Computer Networks Prof. Dr. Hasan Hüseyin BALIK (12 th Week) The Internet Protocol 12.Outline Principles of Internetworking Internet Protocol Operation Internet Protocol
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationNetworking interview questions
Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected
More informationInt ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28
Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The
More informationSecure channel, VPN and IPsec. stole some slides from Merike Kaeo
Secure channel, VPN and IPsec stole some slides from Merike Kaeo 1 HTTP and Secure Channel HTTP HTTP TLS TCP TCP IP IP 2 SSL and TLS SSL/TLS SSL v3.0 specified
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec
More informationConfiguring Security for VPNs with IPsec
This module describes how to configure basic IPsec VPNs. IPsec is a framework of open standards developed by the IETF. It provides security for the transmission of sensitive information over unprotected
More informationIBM i Version 7.2. Security Virtual Private Networking IBM
IBM i Version 7.2 Security Virtual Private Networking IBM IBM i Version 7.2 Security Virtual Private Networking IBM Note Before using this information and the product it supports, read the information
More informationshow crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2
This chapter includes the command output tables. group summary, page 1 ikev2-ikesa security-associations summary, page 2 ikev2-ikesa security-associations summary spi, page 2 ipsec security-associations,
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationVPN Ports and LAN-to-LAN Tunnels
CHAPTER 6 A VPN port is a virtual port which handles tunneled traffic. Tunnels are virtual point-to-point connections through a public network such as the Internet. All packets sent through a VPN tunnel
More informationFirepower Threat Defense Site-to-site VPNs
About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec
More informationCIS 6930/4930 Computer and Network Security. Final exam review
CIS 6930/4930 Computer and Network Security Final exam review About the Test This is an open book and open note exam. You are allowed to read your textbook and notes during the exam; You may bring your
More informationOutline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE
Outline 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE 2 Securing Real-time Communications 0 In a real-time protocol, two parties negotiate
More informationLehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec
Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München ilab Lab 8 SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More informationNetwork Encryption 3 4/20/17
The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server
More informationINF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationInformation Security & Privacy
IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 2 Sept 4, 2013 Key Management Network Security 1 Objectives Understand/explain the issues related to, and
More informationApplication Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer
ISO/OSI Model SSL: Security at Transport Layer Application Layer Peer-to-peer Application Layer Network Security Assurance Presentation Layer Session Layer Transport Layer Presentation Layer Session Layer
More informationTable of Contents 1 IKE 1-1
Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration
More informationSet Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers
Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers Objective A Virtual Private Network (VPN) is a private network that is used to virtually
More informationNetwork Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014
Network Security: IPsec Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014 2 IPsec: Architecture and protocols Internet protocol security (IPsec) Network-layer security protocol Protects
More informationChapter 10: Cipher Techniques
Chapter 10: Cipher Techniques Some Problems Types of Ciphers Networks Examples Slide #10-1 Overview Problems What can go wrong if you naively use ciphers Cipher types Stream or block ciphers? Networks
More informationVirtual Private Networks
Chapter 12 Virtual Private Networks Introduction Business has changed in the last couple of decades. Companies now have to think about having a global presence, global marketing, and logistics. Most of
More informationChapter 8 Network Security
Chapter 8 Network Security A note on the use of these ppt slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you can add, modify, and
More informationSecuring Networks with Cisco Routers and Switches
SNRS Securing Networks with Cisco Routers and Switches Volume 2 Version 2.0 Student Guide Editorial, Production, and Web Services: 02.06.07 DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO
More informationConfiguration of an IPSec VPN Server on RV130 and RV130W
Configuration of an IPSec VPN Server on RV130 and RV130W Objective IPSec VPN (Virtual Private Network) enables you to securely obtain remote access to corporate resources by establishing an encrypted tunnel
More informationCSC 4900 Computer Networks: Security Protocols (2)
CSC 4900 Computer Networks: Security Protocols (2) Professor Henry Carter Fall 2017 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationVPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1
VPN, IPsec and TLS stole slides from Merike Kaeo apricot2017 1 Virtual Private Network Overlay Network a VPN is built on top of a public network (Internet)
More informationService Managed Gateway TM. Configuring IPSec VPN
Service Managed Gateway TM Configuring IPSec VPN Issue 1.2 Date 12 November 2010 1: Introduction 1 Introduction... 3 1.1 What is a VPN?... 3 1.2 The benefits of an Internet-based VPN... 3 1.3 Tunnelling
More information