Network Security. Rev 1.0.

Size: px

Start display at page:

Download "Network Security. Rev 1.0."

Deborah Hicks
5 years ago
Views:

4 Filtering Layer 2 header IP header TCP header Application-level header Data The ACL classifies packets according to series matching conditions. The ACL is applied to a switch port to determine whether a packet should be forwarded or discarded. The matching rules defined by the ACL can also be quoted in other occasions needing traffic differentiation, such as, definition of traffic classification rule in QoS. An access control rule can be composed of multiple sub-rules. Time segment control can be defined. HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 4

5 ACL Example acl number 3001 rule 10 permit tcp source destination source-port any destination-port 80 rule 20 deny ip source any destination any HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 5

9 Why NAT? NAT (Network Address Translation) Why do we use NAT? Increasingly insufficient IP address resources. Multiple hosts in a LAN to access Internet by a public IP address, address translation can be used. Network security protection: Address translation technology can effectively hide the hosts of the internal LAN. To provide such services as FTP, WWW and Telnet of the internal network to external network HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 9

11 Address Pool PC Address Pool Internet PC2 LAN Address Pool is the collection of some continuous public IP addresses, identified by a number. NAT process will select an address from the address pool as the source address after the translation. Address pools enable more LAN users to access Internet simultaneously. HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 11

R Application of Internal Server Internal server private address:10.0.1.1 port:80 E0 Serial 0 Internet map on router: address: 10.0.1.1 202.38.160.

12 R Application of Internal Server Internal server private address: port:80 E0 Serial 0 Internet map on router: address: port: public address: port:80 Access the server referring to the map IP: extranet user HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 12

13 Disadvantages of NAT Since the IP address translation is needed for data packets, the header of the data packet related to IP address cannot be encrypted, nor to use encrypted FTP connection in the application protocol. Otherwise, FTP port command cannot be correctly translated. Network debugging becomes more difficult. For instance, while a router in internal network host attempts to attack other networks, it is hard to point out which computer is malicious, for the host IP address is shielded. HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 13

Network Architecture and Position of BRAS

15 Network Architecture and Position of BRAS NMS AAA Platform Service Platform Core Layer Core Network Convergence Layer NAS (BRAS) Access Layer Access Network LAN Switch AP DSLAM Ethernet WLAN ADSL User User User HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 15

17 Architecture of NAS(BRAS) device DHCP Server Policy Server Address Management Service Control BRAS Connection Management User Packet User Identification AAA&UM AAA Server HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 17

18 User Identification Access types PPP packet EAPoL packet IP/ARP/DHCP packet IP/ARP/DHCP packet PPP User 802.1x User Web User Bind User Portal Protocol Packet NAS Web Server HTTP packet HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 18

19 PPP overview Network Layer Network Protocol IP IPX Network Control Protocol IPCP IPXCP BCP Data Link Layer Authentication Protocol PAP CHAP EAP Link Control Protocol LCP Physical Layer Physical Layer HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 19

21 PAP & CHAP Authentication Process Client BRAS PAP ChallengePwd generation Authentication_Req (username, password) Accept/Reject CHAP Challenge Authentication_Req (username, ChallengePwd) Accept/Reject Passwords comparing Challenge generation ChallengePwds comparing HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 24

23 Discovery and Session Stages Discovery stage Discover the AC (Access Concentrator) and acquiring AC s MAC Allocate Session ID Session stage PPP parameters negotiation Data transmission Maintain session HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 27

24 PPPoE Discovery phase diagram Client AC PADI (Service-Name, Session-ID=0x0000) PADO (Service-Name, AC-Name, Session-ID=0x0000) PADR (Service-Name, AC-Name, Session-ID=0x0000) PADS (Service-Name, AC-Name, Session-ID=0x055A) HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 28

25 DHCP Address allocation modes Automatic allocation DHCP server assign a permanent address to a client Dynamic allocation DHCP server assign an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address) Manual allocation a client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 29

27 Packet format op (1) htype (1) hlen (1) hops (1) xid (4) secs (2) flags (2) ciaddr (4) yiaddr (4) siaddr (4) giaddr (4) chaddr (16) sname (64) file (128) options (variable) HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 31

28 Option 82 Preventing IP address from exhausting by DHCP requests Realizing static allocation of IP address by DHCP Preventing static IP address cheating Option 82: Agent Circuit ID {atm eth} frame/slot/subslot/port[:vpi.vci outer_vlan.inner_vlan] Agent Remote ID AccessNodeIdentifier Example: Quidway Eth 0/1/0/1:0.0 HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 32

29 Option 82 PC DSLAM NAS DHCP Server DISCOVER DISCOVER DISCOVER Option 82 Option 82 OFFER REQUEST ACK OFFER Option 82 REQUEST Option 82 ACK Option 82 OFFER Option 82 REQUEST Option 82 ACK Option 82 HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 33

Networking Application of RADIUS NAS AAA Server Core Network (Internet) NAS DSLAM

32 Architecture of NAS device DHCP Server Policy Server Address Management Service Control NAS Connection Management User Packet User Identification AAA&UM AAA Server HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 36

Client-Server Model AAA Server User NAS (RADIUS Client) RADIUS Server RADIUS = Remote

36 Authentication and Accounting Procedure User NAS RADIUS Server User request access Configure user Access-Request Access-Accept Access-Reject Accounting-Request (start) Accounting-Response Authentication Accounting start User request termination Accounting-Request (Interim update) Accounting-Response Accounting-Request (stop) Accounting-Response Interim Accounting Accounting stop HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 40

37 PAP and CHAP Interoperation PAP RADIUS User NAS Server Username Access-Request Password Username, Password Access-Accept Configure user Access-Reject Check Challenge CHAP Username Encrypted challenge Configure user Access-Request Username, Challenge, Encrypted Challenge Access-Accept Access-Reject HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 41

38 Why UDP? 1. If the request to a primary Authentication server fails, a secondary server must be queried 2. The timing requirements of this particular protocol are significantly different than TCP provides 3. The stateless nature of this protocol simplifies the use of UDP 4. UDP simplifies the server implementation HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 42

Accounting (AAA) function Advanced than radius, so it is called diameter AAA

39 What s Diameter? Diameter protocol An AAA protocol, provide Authentication, Authorization and Accounting (AAA) function Advanced than radius, so it is called diameter AAA server NAS Radius Diameter AAA server AAA client PPP Traditional network DSL 3G Future network WLAN HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page43

40 New demands on AAA protocols Network access requirements for AAA protocols Failover Transmission-level security Reliable transport Agent support Server-initiated messages Capability negotiation Peer discovery and configuration HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page44

41 Diameter Framework The Diameter protocol consists of the Diameter base protocol and the Diameter application protocol. Diameter base protocol: Provides a secure, reliable, and extensible framework for various authentication, authorization, and accounting services. Diameter application protocol: Defines functional and data units for particular applications. MIP Diameter Application Diameter Stack SCTP TCP application NASREQ application SIP application EAP Diameter base protocol application HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 45

42 Diameter node type Diameter node type Client A Diameter Client is a device at the edge of the network that performs access control. An example of a Diameter client is a Network Access Server (NAS) or a Foreign Agent (FA). Server A Diameter Server is one that handles authentication, authorization and accounting requests for a particular realm. By its very nature, a Diameter Server MUST support Diameter applications in addition to the base protocol. Agent HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page46

49 Diameter Message Structure The Diameter message structure consists of two parts: Diameter message head Diameter AVP Message head Message body version command flags R P E T r r r r Message Length Command-Code Application-ID Hop-by-Hop Identifier End-to-End Identifier AVPs HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 53

50 Diameter PDU Command code Command-Name Abbrev Code Abort-Session-Request ASR 274 Abort-Session-Answer ASA 274 Accounting-Request ACR 271 Accounting-Answer ACA 271 Capabilities-Exchange-Request CER 257 Capabilities-Exchange- Answer CEA 257 Device-Watchdog-Request DWR 280 Device-Watchdog-Answer DWA 280 Session-Termination- Request STR 275 Session-Termination- Answer STA 275 HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page54

51 Diameter AVP AVP (attribute-value pair) The Diameter message body is composed of Diameter AVPs. Each AVP carries a specific message parameter value, and contains an AVP head and data. The AVP carries the authentication information, authorization information, charging information, routing information, security information, and the request and response configuration information. AVP structure AVP flags V M P r r r r r AVP Code Vendor-ID (opt) AVP data AVP Length HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 58

52 Example Use Cx message as an example I-CSCF Diameter message: UAA HSS Diameter header AVPs Command code UAA AVP header AVP data AVP code AVP length : server capabilities HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page60

53 Diameter Link Establishment- Capability Exchange Client Connection Establish CER Server CEA CER / CEA (Capabilities-Exchange-Request / Answer) When the two Diameter peers creates the connection, they need to perform capability exchange. CER/CEA capability exchange is used to notify the capability (such as protocol version, diameter application, and security mechanism). If the peer receives CER from the unknown peer, it will discard the message or return the result code DIAMETER_UNKNOWN_PEER. HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page61

54 Diameter Link Heartbeat Message Node1 Node2 DWR DWA DWR/DWA (Device-Watchdog-Request / Answer) DWR command code is 280. It is used to detect link, also called heartbeat message or shake hand message. If the Node sends several DWR messages continuously, but the peer Node will not return DWA, the status of the link will be set down. (not release the link). HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page62

55 Diameter Link Disconnection Message Node1 DPR Node2 DPA Connection Release DPR/DPA (Disconnect-Peer-Request / Answer) Command code is 282. DPR is used to notify the peer Node to disconnect the link, and the peer Node return the DPA and then the link is disconnected. HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page63

56 Diameter Link Management Process DA PEER DA PEER Capability exchange is successful and link is normal. SCTP association establishment CER CEA DA initiate to disconnect link DPR DPA SCTP association disconnect Sends heartbeat message periodically to maintain the link status DWR DWA The peer initiate to disconnect link DPR DPA SCTP association disconnect 1. Diameter link establishment process 2.Diameter link disconnection process Diameter connection is established through the capability exchange with the peer; When DA or the peer want to release the diameter link, it need to send the DPR message initially to disconnect the link. HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page64

57 Diameter Message Routing Function Diameter basic protocol layer Check the routing table based on the D-Realm and forward the mesage N N Check the adjacent peer device based on the D-Host? Y Whether carry the D-Host? Y Choose the route and forward M s g D-Host= D-Realm= HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page67

58 Diameter Message Routing Function (Cont.) Request (ApplicationID, DestRealm= RealmB, DestHost=Server.RealmB 2.Routing Request ( ) 5.Response( ) DA2 RealmB 3.Forwarding Request ( ) Server 4.Response ( ) Hostname=Server.RealmB Client Hostname=Client.RealmA RealmA 1.Routing Request ( ) 6.Respons e ( ) IETF RFC3588 Diameter Base Protocol DA1 Routing:message routing based on the Realm-Based Routing Table. Forwarding:message forwarding based on the peer device table. The response message does not carry the target address information, it is returned according to the path of the corresponding request message. HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

59 2.Request 5.Response Switchover T bit is set to 1, the message is a retransmission message DA2 Request Queue Server Diameter cache for each request message, its purpose is to retransmit the message when the link is fault, to ensure that the message can be sent to the destination as soon as possible, to reduce delay. Client Request Queue 1.Request 6.Response DA1 Request Queue Due to link failure, Request message is not sent to the peer or did not receive the response message HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

61 VPN Definition Remote office Partner Headquarter Tunnel Internet Leased line Branch Employees in business trips Office VPN Virtual Private Network HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 73

Intranet VPN HQ Research Institute Internet/ ISP IP ATM/FR Branch

66 Classification Based on Realization Layer Layer 2 VPN L2TP: Layer 2 Tunnel Protocol (RFC 2661) PPTP: Point To Point Tunnel Protocol L2F: Layer 2 Forwarding Layer 3 VPN GRE : General Routing Encapsulation IPSEC : IP Security Protocol HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 78

67 Principle of VPN Design Security Tunnel and Encryption Data Authentication User Authentication Fire Wall and Attack Examination Reliability Economical Efficiency Expansibility HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 79

68 GRE Overview GRE is generic routing encapsulation protocol. It will encapsulate datagram of some network layer protocol (e.g. IP, IPX, AppleTalk, etc.) and enable these datagram to transmit on IP network GRE is the layer 3 tunnel protocol of VPN (Virtual Private Network), that is, a technique called as Tunnel is adopted between protocol layers HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 80

69 GRE Protocol Stack IP/IPX GRE IP Link Layer Passenger Protocol Encapsulation Protocol Transmission Protocol GRE Protocol Stack Data Link Layer IP GRE IP/IPX Payload Tunnel Interface Message Format HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 81

GRE Build VPN Original Data Packet GRE Header Transfer Protocol Header

71 IPSec Overview IPSec(IP Security) is a framework of open standards developed by the Internet Engineering Task Force (IETF) IPSec include two protocol: AH (Authentication Header ) protocol and ESP (Encapsulating Security Payload ) protocol IPSec provides security services at the IP layer, there are two types of work mode: tunnel mode and transport mode HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 83

72 Compose of IPSec Protocol IPSec provides two security protocols AH (Authentication Header) MD5(Message Digest 5) SHA1(Secure Hash Algorithm) ESP (Encapsulation Security Payload) DES (Data Encryption Standard) 3DES The other algorithm: Blowfish, cast... HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 84

73 Security Feature of IPSec Confidentiality: encrypt a client data and then transmit it in cipher text. Data Integrity: authenticate the received data so as to determine whether the packet has been modified. Data Authentication: to authenticate the data source to make sure that the data is sent from a real sender. Data integrity Data origin authentication Anti-Replay : prevent some malicious client from repeatedly sending a data packet. In other words, the receiver will deny old or repeated data packets. HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 85

75 AH Protocol IP HDR Data Transport mode IP HDR AH Data Tunnel mode New IP HDR AH Org IP HDR Data AH Format Next Header Payload Len RESERVED Security Parameters Index (SPI) Sequence Number Field Authentication Data (variable) HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 87

76 ESP Protocol Transport mode IP HDR Data IP HDR ESP Hdr Encryption Data ESP Trailer ESP Auth Tunnel mode Encryption part New IP HDR ESP Hdr Org IP HDR Data ESP Trailer ESP Auth ESP format Security Parameters Index (SPI) Sequence Number Payload Data* (variable) Padding (0-255 bytes) Pad Length Next Header Authentication Data (variable) HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 88

77 IKE IKE (Internet Key Exchange), an Internet key exchange protocol, implements hybrid protocol of both Oakley and SKEME key exchanges This protocol defines standards for automatically authenticating IPSec peer end, negotiating security service and generating shared key IKE calculate the key, not transmit the key HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 89

79 IKE Exchange Process Peer1 Peer2 Send local IKE strategy Strategy of sender Strategy of receiver conformed Search the Matched strategy Confirm the algorithm used by both sides SA Exchange Strategy confirmed The key information of sender Generate Key Key Key Exchange ID Exchange and authentication Key Generation ID and Exchange auth The key information of receiver The ID and auth data of sender The ID and auth data of receiver generation ID and Exchange auth Authentication Peer Identity HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 91

81 The Function of IKE in IPSec Reduce the complex of configuration by manual Update the IPSec SA after an Interval time Update the encryption key after an Interval time Permit IPSec to provide anti-replay Permit dynamic authentication between the Peers HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 93

Relation Between IPSec and IKE IKE IKE SA negotiation IKE TCP UDP SA SA TCP UDP IPSec

83 Thank you

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features