IT Security Chapter 04: Security Architectures and Firewalls Joachim Charzinski


1 IT Security Chapter 04: Security Architectures and Firewalls Joachim Charzinski 1 Joachim Charzinski

2 Lecture outline
- Introduction
- Malicious software, Spam, etc.
- Communication on the Internet
  - the TCP/IP protocols and their weaknesses
  - attacks against TCP/IP weaknesses
- Security architectures and firewalls
- Security mechanisms
  - symmetric and asymmetric crypto mechanisms
  - message authentication codes, digital signatures, authentication protocols
- Security protocols and products
  - application layer: S/MIME, PGP, DKIM
  - authentication frameworks and identity management
  - transport layer: SSL/TLS, SSH
  - network layer: IPsec
  - lower layers: link layer, WLAN
  - mobile network security: GSM, UMTS and LTE

3 Chapter 4: Security Architectures and Firewalls
- Perimeter defense principle
- Firewalls
- Security architectures
- Intrusion detection systems

4 Perimeter defense (image by Pierre Mairé, via Wikipedia)

5 Perimeter defense
- known from castles and medieval cities
- perimeter defense is a security architecture principle
  - definition of a system boundary between inside and outside
  - different threat models for inside and outside
    - inside: trusted
    - outside: untrusted, probably a source of attacks
- objective of perimeter defense: create a boundary to separate inside from outside
  - only a well-defined set of (security-uncritical) communication relations can pass
  - special security checks at a limited number of interconnection points
  - simpler to manage and audit than a completely open architecture
- requires intelligent selection of system boundaries
- may require multiple levels of perimeters, as there is no such thing as a completely secure inside

6 Perimeter defense in networking
(figure: Internet / Intranet, the network is defended at its perimeter; multiple lines of defense)
- defend the inside of a network against attacks from the outside by installing security devices at the perimeter (network border)
- separation of network areas into
  - a presumably secure and/or trusted inside
  - an insecure and/or untrusted outside
- also (in some enterprise scenarios): prevent sensitive information from being sent to the outside
  - the border line is often not easy to define
- multi-level perimeter defense: increasing levels of security inside
- perimeter defense alone is not sufficient
  - there will often be additional non-secured paths into the secure network
  - some attack traffic looks perfectly legitimate while on the network

7 Chapter 4: Security Architectures and Firewalls
- Perimeter defense principle
- Firewalls
- Security architectures
- Intrusion detection systems

8 How to pass the perimeter defense (images: drawbridge at Forte da Ponta da Bandeira, Lagos, Portugal, and Palazzo d'Accursio, Bologna, Italy; both by Georges Jansoone (JoJan) via Wikipedia)

9 A firewall alone does not bring security (image source: Joachim Charzinski)

10 Firewalls
- one or more hardware and/or software components connecting two networks
- assuring that any traffic between the networks is routed through the firewall
- realization of a security strategy consisting of
  - access restrictions
  - authentication (optional)
- only data packets compliant with the security strategy are forwarded between the networks

11 Types of firewalls
- realization in hardware and/or software
  - separate appliance vs. integrated function
  - advantage of a separate appliance: independent of the local operating system
- typical principles
  - packet filtering routers
    - stateless packet filters
    - stateful packet filters
  - application level gateways
  - circuit level gateways
  - personal firewall

12 Stateless packet filter
(figure: Internet - packet filtering router - private network; the router forms the security perimeter)
- the packet filter applies a set of rules (access control list, ACL) to each incoming IP packet and then forwards or discards the packet
- filters packets going in both directions
- the packet filter is typically configured by a list of rules based on matches to IP and TCP/UDP header fields
- stateless inspection: established connections can only be detected from the ACK control flag in the TCP header
- two actions: discard (deny, block, ...) or forward (allow, permit, ...)
- do not forget to allow essential protocols for network operation
  - DNS (request and reply)
  - ICMP: TTL exceeded, fragmentation required, echo request + reply
Abbreviations: ACK = Acknowledgement, ACL = Access Control List, ICMP = Internet Control Message Protocol, MTU = Maximum Transmission Unit, TCP = Transmission Control Protocol, TTL = Time to Live

13 Default discard policy
- block everything that is not explicitly allowed
- block everything for which there is no rule
- issue: the security policy must be revised for every new protocol or service (blocked by default)
- for firewalls that check packets against one rule after the other, this rule must come last to block everything that has not been explicitly allowed by a preceding rule

  action  protocol  source IP  source port  dest. IP  dest. port  flags  description
  block   *         *          *            *         *           *      default rule

14 Default forward policy
- forward everything that is not explicitly forbidden
- forward everything for which there is no rule
- big security problem: every new protocol is allowed by default, 1000 ways to bypass the rules
- may be useful during testing, for temporarily disabling the firewall or for temporary filtering of a current attack pattern
- DO NOT USE A DEFAULT FORWARD RULE IN A LIVE NETWORK

  action  protocol  source IP  source port  dest. IP  dest. port  flags  description
  allow   *         *          *            *         *           *      default rule

15 Example filtering rules

  action  protocol  source IP        source port  dest. IP         dest. port  flags  description
  block   *         evil hosts       *            internal         *           *      don't trust them
  allow   tcp       internal         *            our mail server  25          *      outgoing e-mail traffic
  allow   tcp       our mail server  25           *                *           ACK    duplex part for our mail connections
  block   tcp       external         *            *                *           SYN    no incoming connections
  block   *         *                *            *                *           *      default: block everything else

16 Another packet filter example (simplified)
(figure: internal network N1 = /24, SMTP server at MS, protected network /24, firewall FW towards the Internet; FW = Firewall, MS = Mail Server)
- security policy: the only allowed traffic is
  - all hosts in N1 are allowed to access the Web with HTTP
  - the mail server can send mails to the Internet with SMTP
  - the mail server can receive mails from the Internet with SMTP
  - known spam hosts (blacklisted) should not be able to connect to the mail server
  - all hosts on N1 can send ICMP packets to the Internet
  - hosts on N1 can only receive ICMP packets of types echo reply, fragmentation required and TTL exceeded from the Internet
  - all hosts in N1 can resolve DNS requests from DNS servers on the Internet

17 Another packet filter example (simplified; real syntax is different)
(figure: internal network N1 = /24, SMTP server at MS, protected network /24, firewall FW towards the Internet; FW = Firewall, MS = Mail Server)

  No.  action  prot.  srcip           srcport  dstip   dstport  sel.           remark
  101  allow   tcp    N1/24           any      any     80                      # allow outgoing HTTP
  102  allow   tcp    any             80       N1/24   any      ACK=1          # allow packets for estab. HTTP conns.
  103  deny    tcp    {on blacklist}  any      MS/32   25                      # block incoming SMTP spam
  104  allow   tcp    any             any      MS/32   25                      # allow incoming SMTP to mail server
  105  allow   tcp    MS/32           25       any     any      ACK=1          # allow pkts. for estab. SMTP conns.
  106  allow   tcp    MS/32           any      any     25                      # allow outgoing SMTP from MS
  107  allow   tcp    any             25       MS/32   any      ACK=1          # allow pkts. for estab. SMTP conns.
  108  allow   icmp   N1/24           -        any     -                       # allow all outgoing ICMP packets
  109  allow   icmp   any             -        N1/24   -        echo-reply     # allow incoming ICMP echo replies
  110  allow   icmp   any             -        N1/24   -        frag-required  # allow in ICMP fragmentation required
  111  allow   icmp   any             -        N1/24   -        ttl-exceeded   # allow in ICMP TTL exceeded
  112  allow   udp    N1/24           any      any     53       dns-request    # allow outgoing DNS requests
  113  allow   udp    any             53       N1/24   any      dns-reply      # allow incoming DNS replies
  999  deny    any    any             any      any     any      any            # default block rule

18 Filter rules decision graph
The rules are tried one after the other from the start; a "yes" on rules 101, 102 and 104-113 means pass, a "yes" on rule 103 means drop, a "no" leads to the next rule, and rule 999 drops everything else:
- 101: TCP & srcip in N1/24 & dstport==80?
- 102: TCP & dstip in N1/24 & srcport==80 & ACK==1?
- 103: TCP & srcip on blacklist & dstip:dstport==ms:25?
- 104: TCP & dstip:dstport==ms:25?
- 105: TCP & srcip:srcport==ms:25 & ACK==1?
- 106: TCP & srcip==ms & dstport==25?
- 107: TCP & dstip==ms & srcport==25 & ACK==1?
- 108: ICMP & srcip in N1/24?
- 109: ICMP & dstip in N1/24 & echo-reply?
- 110: ICMP & dstip in N1/24 & frag-required?
- 111: ICMP & dstip in N1/24 & ttl-exceeded?
- 112: UDP & srcip in N1/24 & dstport==53?
- 113: UDP & srcport==53 & dstip in N1/24?
- 999: block everything else (drop)
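The first-match evaluation of slides 17 and 18 can be written down as a small stateless packet filter. The following Python is an added example and not code from the lecture; the addresses are constructed placeholders from the RFC 5737 documentation ranges (N1 = 192.0.2.0/24, MS = 192.0.2.25, a blacklisted host 203.0.113.66) because the slides' real prefixes are not given. The Packet and Rule classes and the decide() function are hypothetical names chosen here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addresses: N1 is the protected /24, MS the mail
# server inside it, BLACKLIST stands for the "known spam hosts".
N1 = ip_network("192.0.2.0/24")
MS = ip_network("192.0.2.25/32")
BLACKLIST = {ip_address("203.0.113.66")}


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False                # TCP ACK control flag
    icmp_type: Optional[str] = None  # e.g. "echo-reply", "frag-required"


def _addr_matches(spec, addr):
    """spec is None (any), the string "blacklist", or an ip_network."""
    if spec is None:
        return True
    if spec == "blacklist":
        return ip_address(addr) in BLACKLIST
    return ip_address(addr) in spec


@dataclass
class Rule:
    no: int
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None = any protocol
    src: object = None
    sport: Optional[int] = None
    dst: object = None
    dport: Optional[int] = None
    sel: Optional[str] = None        # "ack" (ACK=1) or an ICMP type name
    remark: str = ""

    def matches(self, p):
        if self.proto is not None and p.proto != self.proto:
            return False
        if not _addr_matches(self.src, p.src) or not _addr_matches(self.dst, p.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.sel == "ack":
            return p.ack             # stateless: only the flag, no connection table
        if self.sel is not None:
            return p.icmp_type == self.sel
        return True


# The slide's rules 101-113 plus the default block rule 999, in list order.
RULES = [
    Rule(101, "allow", "tcp", N1, None, None, 80, None, "allow outgoing HTTP"),
    Rule(102, "allow", "tcp", None, 80, N1, None, "ack", "packets for estab. HTTP conns."),
    Rule(103, "deny", "tcp", "blacklist", None, MS, 25, None, "block incoming SMTP spam"),
    Rule(104, "allow", "tcp", None, None, MS, 25, None, "incoming SMTP to mail server"),
    Rule(105, "allow", "tcp", MS, 25, None, None, "ack", "pkts. for estab. SMTP conns."),
    Rule(106, "allow", "tcp", MS, None, None, 25, None, "outgoing SMTP from MS"),
    Rule(107, "allow", "tcp", None, 25, MS, None, "ack", "pkts. for estab. SMTP conns."),
    Rule(108, "allow", "icmp", N1, None, None, None, None, "all outgoing ICMP"),
    Rule(109, "allow", "icmp", None, None, N1, None, "echo-reply", "incoming echo replies"),
    Rule(110, "allow", "icmp", None, None, N1, None, "frag-required", "fragmentation required"),
    Rule(111, "allow", "icmp", None, None, N1, None, "ttl-exceeded", "TTL exceeded"),
    Rule(112, "allow", "udp", N1, None, None, 53, None, "outgoing DNS requests"),
    Rule(113, "allow", "udp", None, 53, N1, None, None, "incoming DNS replies"),
    Rule(999, "deny", None, None, None, None, None, None, "default block rule"),
]


def decide(p, rules=RULES):
    """First matching rule wins, exactly as the decision graph walks the list."""
    for r in rules:
        if r.matches(p):
            return r.no, r.action
    raise RuntimeError("rule set has no default rule")
```

Feeding an unsolicited packet with source port 80 and the ACK flag set to an arbitrary inside port makes rule 102 fire and the packet pass; that is the ACK-scan weakness of stateless inspection that slide 25 describes, and it is visible directly in the rule list.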

19 Attacks to bypass packet filters
- source routing attack
  - the sender uses the IP source routing option to specify the route a packet has to take through the Internet
  - some packet filters can be convinced to trust such packets
  - countermeasure (commonly configured): drop all packets using the source routing option
- IP address spoofing
- tiny fragment attack

20 IP address spoofing (repeated)
(figure: host A and attacker M on the Internet, host B behind the firewall in the protected network)
- the firewall is configured to allow A to connect to B but to block incoming connections from all other IP addresses
- M circumvents this restriction via IP address spoofing:
  1. M starts a DoS attack on A (e.g. SYN flooding) to prevent A from sending RST packets to B
  2. M sends a TCP connection set-up packet with A's source IP to B
  3. B sends a SYN+ACK packet to A (who does not respond due to the DoS)
  4. M sends a TCP connection ACK packet to B with the ACK matching the correctly guessed initial sequence number chosen by B
- M does not see any packets from B, but many protocols are predictable
- the attack works if B uses a predictable algorithm for initial sequence numbers and M is not blocked by ingress or egress filtering

21 Further simple rules
- ingress filtering
  - incoming packets are not allowed to have a source IP address from the internal address range
  - prevention of attacks spoofing local IP addresses
- egress filtering
  - packets leaving the internal network have to have a source IP address from within the internal network
  - prevention of IP spoofing attacks on outside hosts

22 Tiny fragment attack
- use the IP fragmentation option to split a TCP packet into small fragments such that the TCP header in the first fragment is not complete
- purely stateless packet filters can only use the first fragment of a packet for a decision
  - all subsequent fragments of a packet always have to be forwarded (ask yourself: why?)
- packet filters have to be configured to drop first fragments of packets if there is a filtering rule that requires more information than is present in the header contained in the fragment
- even better would be to also drop all subsequent fragments of the same packet
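The ingress/egress rules of slide 21 and the two fragment checks of slide 22 (drop a first fragment that does not carry the whole transport header, and also drop the later fragments of that datagram) are the pre-checks a border filter runs before its normal rule set. The Python below is an added example, not the lecture's code; the internal range 192.0.2.0/24, the IPPacket fields and the BorderFilter class are constructed names for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")     # constructed internal address range
MIN_L4_HEADER = {"tcp": 20, "udp": 8}     # header bytes a filter needs to see ports and flags


@dataclass
class IPPacket:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    direction: str             # "in" (arriving from the Internet) or "out"
    ip_id: int = 0             # identification field, shared by all fragments of a datagram
    frag_offset: int = 0       # offset of this fragment in bytes; 0 = first fragment
    more_fragments: bool = False
    l4_bytes: int = 0          # transport header + payload bytes carried in this fragment


class BorderFilter:
    """Anti-spoofing and fragment checks applied before the normal rule set."""

    def __init__(self, internal=INTERNAL):
        self.internal = internal
        # (src, dst, ip_id) of datagrams whose first fragment was dropped, so the
        # remaining fragments can be dropped as well (the "even better" variant)
        self.dropped = set()

    def check(self, p):
        src = ip_address(p.src)
        # ingress filtering: packets from outside must not claim an internal source
        if p.direction == "in" and src in self.internal:
            return "drop", "ingress: internal source address from outside"
        # egress filtering: packets leaving must carry an internal source
        if p.direction == "out" and src not in self.internal:
            return "drop", "egress: non-internal source address leaving"
        key = (p.src, p.dst, p.ip_id)
        if p.frag_offset == 0:
            # first (or only) fragment: it has to carry the complete transport header
            need = MIN_L4_HEADER.get(p.proto, 0)
            if p.more_fragments and p.l4_bytes < need:
                self.dropped.add(key)
                return "drop", "tiny fragment: transport header incomplete"
            return "pass", "complete header: apply the rule set"
        # subsequent fragment: there is no transport header to match on, so it can
        # only be forwarded, unless the first fragment of its datagram was dropped
        if key in self.dropped:
            return "drop", "rest of a datagram whose first fragment was dropped"
        return "pass", "subsequent fragment: no ports to match on"
```

The set of dropped datagram identifiers is the one piece of state even a "stateless" filter needs for the stronger variant; it should be bounded and aged out like any other table, for the same resource-starvation reason slide 25 gives for connection tables.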

23 Stateless packet filters: assessment
- advantages
  - fast (high throughput performance)
  - simple to realize, also as add-on functions on routers, switches, operating systems, ...
  - simple to configure (really?)
- disadvantages
  - inflexible
  - many attacks cannot be blocked without stateful filtering
  - rules quickly get confusing; it is hard to set up a large and correct rule set

24 Stateful (dynamic) packet filters and firewalls
- store connection states
- checks and decisions on the basis of
  - TCP connections
  - UDP reply to a previous outgoing packet with the same IP:port relation
  - application protocol states (in application layer firewalls)
- similar functionality to application layer gateway/proxy firewalls, but less intruding in the communication
- rules can be more specific than in packet filters and are easier to enforce
  - e.g. incoming TCP packets need not be allowed in just because they carry an ACK flag
- schematic example (see before):

  No.  action  prot.  int. IP  int.port  ext. IP      ext.port  dir.  remark
  201  allow   tcp    N1/24    any       any          80        out   # allow outgoing HTTP
  202  deny    tcp    MS/32    any       {blacklist}  any       in    # block incoming SMTP spam
  203  allow   tcp    MS/32    25        any          any       in    # allow incoming SMTP
  204  allow   tcp    MS/32    any       any          25        out   # allow outgoing SMTP
  205  allow   udp    N1/24    any       any          53        out   # outgoing DNS requests, incl. replies
  999  deny    any    any      any       any          any       any   # default block rule

25 Stateful firewalls
- problems of stateless inspection
  - too many packets have to be allowed by default to emulate the security strategy
    - e.g. all incoming TCP packets with ACK set are allowed to enter: no protection against SYN-ACK or ACK scans
  - applications with dynamic allocation of port numbers (such as FTP or SIP) cannot be filtered securely
    - allowing FTP or SIP severely compromises security with a stateless packet filter
- create state per TCP or UDP flow
  - each packet that is not dropped immediately is associated with a state
  - state = {source and destination IP addresses and ports, protocol, connection state}
  - if a packet belongs to a previously established connection (or allowed UDP relation), it is allowed to pass without further checks
- state tables have to be cleaned up regularly in order to prevent resource starvation attacks on the firewall
  - soft state with timeouts
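A stateful filter in the sense of slides 24 and 25: per-flow state keyed by the 5-tuple, outbound-only connection setup on permitted ports, reply packets admitted because a state entry exists rather than because of an ACK flag, and soft state that expires on timeouts. This Python is an added example, not the lecture's code; the inside range 192.0.2.0/24, the timeout values and the StatefulFilter/Pkt names are constructed for the illustration, and the clock is injectable so the expiry can be exercised offline.

```python
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")                        # constructed inside range
TIMEOUTS = {"syn_sent": 30, "established": 3600, "udp": 60}  # constructed soft-state timeouts (s)


@dataclass
class Pkt:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFilter:
    def __init__(self, allowed_out, now=time.time):
        self.allowed_out = allowed_out  # e.g. {"tcp": {80, 443}, "udp": {53}}: ports inside hosts may open
        self.table = {}                 # flow key -> (state, last_seen)
        self.now = now                  # clock, injectable for testing

    @staticmethod
    def key(p):
        """Canonical flow key with the inside endpoint first, so both directions map to one entry."""
        if ip_address(p.src) in INTERNAL:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expire(self):
        """Soft state: remove entries idle longer than their timeout (bounds the table)."""
        t = self.now()
        for k, (state, seen) in list(self.table.items()):
            if t - seen > TIMEOUTS[state]:
                del self.table[k]

    def decide(self, p):
        self.expire()
        t = self.now()
        k = self.key(p)
        outbound = ip_address(p.src) in INTERNAL
        if k not in self.table:
            # New flow: only inside hosts may open it, only to permitted ports, and for
            # TCP only with a clean SYN. An unsolicited ACK from outside (ACK scan) has
            # no entry and is dropped, unlike with stateless rule 102 on slide 17.
            if not outbound or p.dport not in self.allowed_out.get(p.proto, ()):
                return "drop"
            if p.proto == "tcp":
                if not (p.syn and not p.ack):
                    return "drop"
                self.table[k] = ("syn_sent", t)
            else:
                self.table[k] = ("udp", t)
            return "allow"
        # Known flow: passes without further rule checks; only the state is updated.
        state, _ = self.table[k]
        if p.proto == "tcp":
            if state == "syn_sent" and not outbound and p.syn and p.ack:
                state = "established"   # the outside peer answered the handshake
            if p.fin or p.rst:
                del self.table[k]       # teardown frees the entry early
                return "allow"
        self.table[k] = (state, t)
        return "allow"
```

Because the table is the limited resource slide 27 names, the short syn_sent timeout matters most: half-open flows that never complete are exactly what a resource-starvation attempt produces, and they must age out far faster than established connections.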

26 Connection state table (schematic example)
Each entry holds: inside IP, outside IP, protocol, inside port, outside port, direction, state. Protocol, direction and state of the example entries:
  tcp  out  established
  tcp  out  established
  tcp  out  syn_sent
  tcp  out  established
  tcp  in   established
  tcp  in   established
  tcp  in   established
  tcp  in   established
  tcp  in   fin_wait
  udp  out
  udp  out

27 Stateful firewalls: assessment
- advantages
  - table lookup can support high throughput: no actions required on subsequent packets
  - no rules required for answer packets
  - allow filtering connectionless protocols such as UDP and ICMP
  - dynamic port assignments can be correctly filtered (requires application layer awareness)
- disadvantages
  - the state table is a limited resource
    - no new connections possible when the table is full
    - number of connections or IP addresses also used as a licensing parameter
  - still incomplete analysis of the application layer: impossible to filter out attack patterns within the application layer

28 Application layer firewalls / gateways / proxies
- a proxy (Stellvertreter) between A and B acts as B to A and as A to B
- represents the protected host during connection establishment
- different kinds of proxies
  - application level gateway
  - circuit level gateway
  - forward proxy (on client side)
  - reverse proxy (on server side)

29 Application level gateways
(figure: outside host - outside connection - ALG (HTTP, SMTP, FTP, telnet) - inside connection - inside host)
- classical usage: conversion between different application layer protocols
- evaluation of information up to the application layer (OSI layer 7)
  - protocol verification
  - authentication
  - scanning for viruses and other malware
  - spam filtering
- specific ALGs can even filter certain attack patterns
- advantage: security policies can be enforced on the application level
- disadvantage: computing and memory performance requirements
Abbreviations: ALG = application level gateway, FTP = file transfer protocol, HTTP = hypertext transfer protocol, SMTP = simple mail transfer protocol

30 Circuit level gateways
- control on the TCP connection level
  - typically combined with access restrictions or authentication
  - no strict control of applications
- the gateway establishes its own connections on the outside
- example: SOCKS server
  - SOCKSv5 defined in RFC 1928 as a framework to allow TCP and UDP based applications to transparently and securely traverse a firewall
  - components: server on the firewall, client library and SOCKSified client applications (e.g. ssh, telnet, ftp)
  - the client app contacts the SOCKS server on SOCKS port 1080, authenticates and sends a relay request
  - the SOCKS server evaluates the request and establishes the relay connection
  - UDP is handled with a parallel TCP control channel, e.g. for user authentication
(figure: outside host - outside connections - CLG - inside connections - inside host)
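The SOCKSv5 exchange just described, seen from the gateway side: the server parses the client greeting, insists on an authentication method, parses the relay request and applies its access policy before it would open the outside connection. The message layouts and code values are those of RFC 1928; the Python itself is an added example, not the lecture's code or a real SOCKS implementation, and the port whitelist, the blocked network 203.0.113.0/24 and the bind address 192.0.2.1:40000 are constructed policy values.

```python
import struct
from ipaddress import ip_address, ip_network

# Codes from RFC 1928
VER = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_RULESET, REP_BAD_CMD = 0x00, 0x02, 0x07

# Constructed gateway policy: relay only to these ports, never into the blocked net
ALLOWED_DST_PORTS = {22, 80, 443}
BLOCKED_NETS = [ip_network("203.0.113.0/24")]
RELAY_BIND = ("192.0.2.1", 40000)   # constructed outside address the gateway binds for the relay


def parse_greeting(data):
    """Client greeting VER | NMETHODS | METHODS -> set of offered auth methods."""
    if len(data) < 2 or data[0] != VER or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return set(data[2:])


def select_method(methods, require_auth=True):
    """Server method selection VER | METHOD; a firewall gateway insists on authentication."""
    if METHOD_USERPASS in methods:
        chosen = METHOD_USERPASS
    elif METHOD_NO_AUTH in methods and not require_auth:
        chosen = METHOD_NO_AUTH
    else:
        chosen = METHOD_NONE           # "no acceptable methods": client must close
    return chosen, bytes([VER, chosen])


def parse_request(data):
    """Relay request VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT -> (cmd, atyp, addr, port)."""
    if len(data) < 8 or data[0] != VER or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = str(ip_address(bytes(data[4:8]))), 8
    elif atyp == ATYP_IPV6:
        addr, end = str(ip_address(bytes(data[4:20]))), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = bytes(data[5:5 + n]).decode("ascii"), 5 + n
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("request length mismatch")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return cmd, atyp, addr, port


def build_reply(rep, bind=("0.0.0.0", 0)):
    """Server reply VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (IPv4 form)."""
    return (bytes([VER, rep, 0x00, ATYP_IPV4]) + ip_address(bind[0]).packed
            + struct.pack("!H", bind[1]))


def evaluate_request(data):
    """Apply the gateway policy to a relay request; returns (REP code, reply bytes)."""
    cmd, atyp, addr, port = parse_request(data)
    if cmd != CMD_CONNECT:             # BIND / UDP ASSOCIATE not offered by this gateway
        return REP_BAD_CMD, build_reply(REP_BAD_CMD)
    blocked = atyp != ATYP_DOMAIN and any(ip_address(addr) in n for n in BLOCKED_NETS)
    if port not in ALLOWED_DST_PORTS or blocked:
        return REP_RULESET, build_reply(REP_RULESET)   # "connection not allowed by ruleset"
    return REP_OK, build_reply(REP_OK, RELAY_BIND)
```

Domain-name destinations are the notable gap: the gateway can only apply its network blocklist after it resolves the name, so a policy that is enforced on addresses has to resolve first and check the result, or reject ATYP 0x03 requests altogether.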

31 Personal Firewalls

32 Personal (desktop) firewall
- software function on a computer realizing firewall functions
  - hooks into the networking code of the operating system
  - checks all outgoing and incoming packets
- usual configuration: block all incoming connections
  - users can define exceptions, e.g. for chat or file sharing tools
- application specific rules in addition to normal firewall functions
  - outgoing access can be limited per application
    - e.g. outgoing connections to ports 25, 110, 146 only allowed if initiated by the thunderbird executable file
  - helps somewhat against malware (worms, viruses, trojans, loggers) spreading or leaking information out of the computer
  - this cannot be realized by external firewalls
- usually coupled with a user interface dynamically asking for permission if an application attempts outgoing network access
- advantage: application process specific filtering
- disadvantages:
  - cannot protect against operating system or configuration weaknesses
  - may be disabled or reconfigured by malware running on the same system

33 Personal firewall
(figure: app 1 ... app k on top of the operating system's IP stack; process information feeds a stateful packet filter at the network interface of the protected computer; the outside host is reached via the outside connection)
schematic configuration example:

  No.  action  prot.  int.port     ext. IP  ext.port  dir.  app.         remark
  201  allow   tcp    any          any      80        out   firefox-bin  # allow outgoing HTTP
  202  allow   tcp    any          any      80        out   acroread     # also for acrobat
  203  allow   tcp    any                             out   thunderbird  # our mail server
  204  allow   tcp    any          any      443       out   firefox-bin  # https
  205  allow   tcp    any          any      80        out   wget         # for system updates
  206  allow   tcp    22           any      any       in    sshd         # incoming ssh connections allowed
  207  allow   udp    any                             out   nscd         # central DNS resolver for all apps
  208  allow   icmp   echo         any      any       out                # be able to use ping
  209  allow   icmp   frag-needed  any      any       in                 # don't break path MTU discovery
  209  deny    any    any          any      any       any   any          # default: block everything

34 Summary of firewall varieties
(figure: general model with an external (untrusted) network, the firewall and the internal (protected) network, followed by one protocol stack diagram per variety)
- personal firewall: the transport connection terminates on the protected end system itself; the filter sits below the applications (app.) in the transport / Internet / network access / physical stack and uses app info from the local system
- stateless packet filter: the end-to-end transport connection passes through; the filter inspects transport / Internet / network access / physical layer headers
- stateful firewall: the end-to-end transport connection passes through; the filter inspects the same layers and additionally keeps state info about the connection
- application proxy firewall: an outside transport connection to the application proxy and a separate inside transport connection; the proxy stack reaches up to the application layer (app. proxy)
- circuit-level proxy firewall: an outside transport connection to the transport proxy and a separate inside transport connection; the proxy stack reaches up to the transport layer

35 NATs
- network address translation (NAT) is typically employed in home networks to share a single IP address allocated by a provider between multiple internal computers
- a NAT box is not a security device!
- however, the fact that NATs by default block all incoming connections offers some basic protection to internal hosts
  - blocks attacks originating from the outside without prior connection setup from the inside
- but some NAT boxes (DSL routers) bring their own weaknesses

36 General aspects of firewalls
- all firewalls (packet filters, stateful firewalls, application layer proxies) must be specially hardened, as they are preferred attack targets
  - install firewall patches!
  - protect the firewall from physical and configuration access
- regularly check rule sets
  - for tampering / reconfiguration
  - for timeliness / adequacy
- evaluate logs / audit traces
  - if certain attack patterns are observed, it may be advisable to take extra caution, e.g. restrict communications, re-configure the network, shift priorities between patching and stability
- often people inside the protected area feel restrained by the "damn firewall" and start using weird practices to circumvent its rules (also for a good cause)

37 Risks and limitations of firewalls
- considerable experience in networking required for a good configuration
- continuous administration effort required
- create an illusion of security
- firewalls offer only rudimentary protection against application layer attacks
- problems with tunneling packets

38 Some legal aspects of firewall operation
- private e-mails are covered by telecommunications regulation
  - legal requirements for privacy
  - legal obligation for delivery (no deliberate withholding of communications!)
  - automatic contents scanning may be legally critical
- typical (simple) solution: banning private communication at work

39 Economic issues
- equipment cost
- effort for operation and maintenance

40 Example for cost/benefit analysis
- enterprise with 300 PCs
- one-time cost
  - firewall software ~ 25k
  - firewall hardware ~ 5k
  - admin training ~ 10k
  - installation and configuration ~ 5k
  - total one-time cost: ~ 45k
- recurring cost (annual)
  - software maintenance ~ 5k
  - hardware maintenance ~ 1k
  - personnel ~ 20k
- benefit = mitigated risk = cost of damage * probability of occurrence
  - assumptions: cost of damage = loss of data + loss of reputation ~ 100k; probability ~ 1 severe attack every 2 years
- reasonable investment

41 Chapter 4: Security Architectures and Firewalls
- Perimeter defense principle
- Firewalls
- Security architectures
- Intrusion detection systems

42 Basic realization of perimeter defense
(figure: Internet - firewall - Intranet; perimeter defense by firewalls)
- the firewall filters traffic between internal and external networks
  - control reachability of nodes on the IP, TCP, UDP level (packet filter)
  - control connection setup directions
  - control allowed protocols (ports)
  - drop known attack packets
  - enforce basic anti-spoofing rules (packets with IP source = internal address cannot come from outside)

43 Demilitarized zone (DMZ)
(figure: Global Internet (outside world, insecure) - Outside Router - Stub Network with the Bastion Host (proxy server and relay host) forming the DMZ - Inside Router - Intranet (inside, protected); both routers route packets only to and from the Bastion Host)
- the DMZ realizes 2 (3) lines of defense
- need to create a DMZ at every interconnection point between the Intranet and other networks
Abbreviation: DMZ = De-militarized zone

44 Realizing perimeter defense
Question: how to run a server that is reachable from the Internet without putting the whole Intranet at risk?

45 Multi-level DMZ (example)
(figure, from outside to inside:)
- Global Internet
- Access Router + Packet Filter: block packets
- Public Services Host: offers e.g. Web service to the outside
- Screening Router + Packet Filter: prevent IP spoofing
- Mail Host: for external mail communication
- Bastion Host: e.g. proxy for FTP and Web access
- Intranet

46 Bastion host
- specially secured computer with minimal functionality
- secure platform for application and circuit level gateways
- secured operating system with minimal services
  - no telnet, FTP, SMTP, DNS
  - only user authentication and management
  - no hard disk access (except at boot time, which can be from a CD-ROM)
- critical point in the security infrastructure
- often combined with packet filtering

47 Single-homed bastion host
(figure: Internet, packet filtering router, bastion host, Web server, hosts in the internal network)
- all connections between inside and outside have to pass the bastion host
- packet filters are configured such that all packets are routed via the bastion
- the bastion only forwards if the connection is allowed
- hacking the packet filter will render the bastion host ineffective

48 Dual-homed bastion host
(figure: Internet, packet filtering router, bastion host, Web server, hosts in the internal network)
- the connection between the Internet and the internal network needs to physically pass the bastion host
- the packet filter configuration is less critical here
- the Web server is located in the demilitarized zone

49 Screened subnet firewall system
(figure: Internet, packet filtering router (outside), bastion host and Web server, packet filtering router (inside), hosts in the internal network)
- separate subnet for the bastion host and the Web server
- both inside and outside can only see the DMZ subnet

50 Full DMZ design (schematic)
(figure: Internet - external boundary router - external firewall - LAN switch with DNS server, HTTP proxy, Mail server and Web server (the DMZ) - internal firewall - LAN switch - internal network with application and database servers, workstations and office equipment)
Abbreviation: DMZ = demilitarized zone

51 Security domains
- use separate IP networks for different functions, traffic types, roles
  - network management, network internal control
  - user access
  - media
- physical network separation
  - each network interface of a machine is dedicated to only one of the network domains
  - well-defined points of interconnection between network domains, secured by perimeter defense
- logical network separation
  - different address spaces
  - ensure that there is no routing between domains
- side effect: traffic segregation also helps with traffic management

52 Security domains: schematic example
(figure: domains Internet, DMZ, IP Network Infrastructure, Management Network, Access Network, Control Network, Voice Traffic Network, Video Traffic Network)
- allow only well-defined traffic flows between the security domains
- filtering by firewalls and/or router ACLs
Abbreviations: ACL = Access Control List, DMZ = De-militarized Zone

53 Security domains: example SIP based fixed network
(figure: components Web browser (config. access), SIP phone, Soft Client, SBC, Firewall, SIP network management, SIP application control, SIP application server, Media Server, Media Gateway Controller, Trunk Gateway, SS7 STP, PSTN Switch; domains Access Network, DMZ, Management Network, Media Network, Control Network; protocols HTTPS, SIP, SIP:NNI, MGCP, MGCP or H.248)
Abbreviations: DMZ = de-militarized zone, HTTPS = hypertext transfer protocol / secure, MGCP = media gateway control protocol, NNI = network to network interface, PSTN = public switched telephone network, SBC = session border controller, SIP = session initiation protocol, SS7 = signaling system number 7, STP = signalling transfer point

54 Managed security provider (MSP)
- an external service provider (MSP) is paid for managing and administering firewall systems
- advantages:
  - no allocation of personnel
  - no direct hardware purchases
  - no direct cost for training, updates, etc.
  - the MSP can leverage economy of scale by managing multiple companies
- security issues:
  - the MSP gets to know all of the company security infrastructure and can even influence it
  - what happens in case the MSP goes out of business or becomes part of your competitor?
  - what happens in case employees leave the MSP?
- precise cost/benefit/risk analysis required

55 Chapter 4: Security Architectures and Firewalls
- Perimeter defense principle
- Firewalls
- Security architectures
- Intrusion detection systems

56 Intrusion detection systems (IDS)
- security product that is specialized on detecting anomalies during live operation of networks and computers
  - virus, worm, botnet activity
  - suspicious network activity (e.g. malware "phoning home")
- detection based on
  - attack signatures (known malicious communication activity patterns)
  - significant deviation from previously recorded baseline activity
  - rules
- actions
  - send out an alarm
  - logging (also useful for a posteriori investigations)
  - blocking of known patterns (see IPS)
- realizations
  - stand-alone appliance
  - integration in a firewall
  - integration into a host ("host IDS")

57 Host IDS
- merging with 3rd generation virus scanners
- signature based detection: packet contents are checked for known attack signatures (layer 7 and above)
- anomaly detection
  - integrity check of installed software and configurations (hash based)
  - check of access control settings
  - monitoring of suspicious activities
    - network activity
    - critical system calls
- needs to be installed on every host of a network

58 Network IDS
- stand-alone appliance or part of a network firewall
- monitoring of traffic for suspicious traffic flows
  - placed centrally in a network (e.g. on the monitor port of a LAN switch)
  - analysis of current and (optionally) past traffic
- employed methods:
  - pattern matching: scanning for bit patterns known from attacks
  - stateful matching: relating patterns to the current state of a protocol; a pattern might be ok in one situation, but an attack in another situation
  - protocol anomaly: deviations from standard RFC behavior, e.g. specific abnormal sequences of control packets or commands, e.g. detection of half open TCP connections, clients ignoring server messages
  - traffic anomaly: observing traffic flow patterns, e.g. a new service appearing on the network, floods of packets
  - statistical anomaly: deviations from normal traffic activity and volume baselines
    - e.g. abnormal relation of traffic volumes in duplex connections (e.g. more HTTP upstream than downstream, or a printer sending more traffic than it receives)
    - abnormal relation of protocols (more DNS than HTTP)
    - abnormal amounts of certain traffic
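The two statistical-anomaly checks named last on this slide, the upstream/downstream relation of duplex connections and the relation between protocols, can be run over per-interval flow summaries against a recorded baseline. The Python below is an added example and not the lecture's code; the flow records, the hosts 192.0.2.x and the baseline ratios are constructed for the illustration, and the factor of 5 above baseline is an arbitrary alerting threshold.

```python
from collections import defaultdict

# Constructed per-interval flow summaries: (host, service, bytes upstream, bytes downstream)
RECORDS = [
    ("192.0.2.10", "http", 12_000, 240_000),
    ("192.0.2.11", "http", 900_000, 60_000),    # client sends far more HTTP than it receives
    ("192.0.2.12", "http", 3_000, 30_000),
    ("192.0.2.12", "dns", 150_000, 160_000),    # DNS volume dwarfs this host's HTTP volume
    ("192.0.2.50", "printer", 3_000, 80_000),
    ("192.0.2.51", "printer", 400_000, 2_000),  # printer sending far more than it receives
]

# Constructed baseline: expected upstream/downstream byte ratio per service and the
# expected DNS-to-HTTP byte ratio per host, as learned from recorded normal activity.
BASELINE_DUPLEX = {"http": 0.1, "printer": 0.05, "dns": 1.0}
BASELINE_DNS_PER_HTTP = 0.05


def duplex_anomalies(records, baseline=BASELINE_DUPLEX, factor=5.0, min_bytes=10_000):
    """Flag flows whose upstream/downstream ratio exceeds the service baseline by `factor`."""
    hits = []
    for host, svc, up, down in records:
        if svc not in baseline or up + down < min_bytes:
            continue                    # ignore unknown services and flows too small to judge
        ratio = up / max(down, 1)
        if ratio > factor * baseline[svc]:
            hits.append((host, svc, round(ratio, 2)))
    return hits


def protocol_mix_anomalies(records, probe="dns", ref="http",
                           baseline=BASELINE_DNS_PER_HTTP, factor=5.0):
    """Flag hosts whose `probe` protocol volume is out of proportion to their `ref` volume."""
    per_host = defaultdict(lambda: defaultdict(int))
    for host, svc, up, down in records:
        per_host[host][svc] += up + down
    hits = []
    for host, svcs in sorted(per_host.items()):
        if probe not in svcs:
            continue
        ratio = svcs[probe] / max(svcs.get(ref, 0), 1)
        if ratio > factor * baseline:
            hits.append((host, probe, ref, round(ratio, 2)))
    return hits
```

The minimum-volume guard is what keeps the ratio check from alarming on every short-lived flow; in a real deployment the baselines would be kept per host class and per time of day, since a backup server or a night-time batch job legitimately inverts the HTTP and printer ratios assumed here.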

59 Honeypots
- computers without a valid use except for being attack targets
  - by definition, there is no legitimate traffic to or from a honeypot
- used as bait for attackers
  - allows isolated observation of attack traffic
  - backtracing of attacks, correlation with host software state
  - extraction of new attack signatures
  - detection of new behavior anomalies caused by an attack
- advantages:
  - high value data sets, pure attack traffic
  - low rates of false positives or false negatives
  - works also in encrypted or IPv6 environments
- problems:
  - honeypots must be prevented from infecting other hosts inside and especially outside the network
  - attackers try to detect and avoid honeypots, making malicious software behave inconspicuously
  - high maintenance effort

60 Intrusion prevention systems (IPS)
- basically a combination of
  - IDS
  - rule derivation machine
  - dynamically configurable firewall
- idea: quickly react on identified intrusions and automatically block the corresponding traffic
- problem: hard to ensure that automatic blocking actions cannot be turned into DoS attacks triggered by intelligently crafted attacks

61 Chapter 4: Security Architectures and Firewalls
- Perimeter defense principle
- Firewalls
- Security architectures
- Intrusion detection systems

62 Lecture outline
- Introduction
- Malicious software, Spam, etc.
- Communication on the Internet
  - the TCP/IP protocols and their weaknesses
  - attacks against TCP/IP weaknesses
- Security architectures and firewalls
- Security mechanisms
  - symmetric and asymmetric crypto mechanisms
  - message authentication codes, digital signatures, authentication protocols
- Security protocols and products
  - application layer: S/MIME, PGP, DKIM
  - authentication frameworks and identity management
  - transport layer: SSL/TLS, SSH
  - network layer: IPsec
  - lower layers: link layer, WLAN
  - mobile network security: GSM, UMTS and LTE


More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr. Applied IT Security System Security Dr. Stephan Spitz Stephan.Spitz@de.gi-de.com Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System

More information

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

CSC Network Security

CSC Network Security CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet

More information

Indicate whether the statement is true or false.

Indicate whether the statement is true or false. Indicate whether the statement is true or false. 1. Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall s database or violations of those rules. 2.

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls

More information

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Internet Security Firewalls

Internet Security Firewalls Overview Internet Security Firewalls Ozalp Babaoglu Cryptographic technologies Secure Sockets Layer IPSec Exo-structures Firewalls Virtual Private Networks ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA 2

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Computer Network Vulnerabilities

Computer Network Vulnerabilities Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like

More information

Advanced Security and Mobile Networks

Advanced Security and Mobile Networks WJ Buchanan. ASMN (1) Advanced Security and Mobile Networks Unit 1: Network Security Application Presentation Session Transport Network Data Link Physical OSI Application Transport Internet Internet model

More information

Implementing Firewall Technologies

Implementing Firewall Technologies Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y 2 01 6 / 2 017 P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer

More information

Broadcast Infrastructure Cybersecurity - Part 2

Broadcast Infrastructure Cybersecurity - Part 2 SBE Webinar Series - 2018 Broadcast Infrastructure Cybersecurity - Part 2 Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services KAMU FM-TV Broadcast Infrastructure Cybersecurity

More information

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Firewalls Chester Rebeiro IIT Madras Firewall Block unauthorized traffic flowing from one network to another

More information

Protection of Communication Infrastructures

Protection of Communication Infrastructures Protection of Communication Infrastructures Chapter 5 Internet Firewalls 1 Introduction to Network Firewalls (1) In building construction, a firewall is designed to keep a fire from spreading from one

More information

CHAPTER 8 FIREWALLS. Firewall Design Principles

CHAPTER 8 FIREWALLS. Firewall Design Principles CHAPTER 8 FIREWALLS Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world

More information

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network Introduction TELE 301 Lecture 21: s David Eyers (dme@cs.otago.ac.nz) Telecommunications Programme University of Otago Discernment of Routers, s, Gateways Placement of such devices Elementary firewalls

More information

10 Defense Mechanisms

10 Defense Mechanisms SE 4C03 Winter 2006 10 Defense Mechanisms Instructor: W. M. Farmer Revised: 23 March 2006 1 Defensive Services Authentication (subject, source) Access control (network, host, file) Data protection (privacy

More information

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others. Firews and NAT 1 Firews By conventional definition, a firew is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. firew isolates organization

More information

COSC 301 Network Management

COSC 301 Network Management COSC 301 Network Management Lecture 21: Firewalls & NAT Zhiyi Huang Computer Science, University of Otago COSC301 Lecture 21: Firewalls & NAT 1 Today s Focus How to protect an intranet? -- Firewall --

More information

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall Agenda of today s lecture Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall Firewalls in General S-38.153 Security of Communication Protocols Antti Lehtonen 29.4.2003 firewalls

More information

Network Interconnection

Network Interconnection Network Interconnection Covers different approaches for ensuring border or perimeter security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Lecture

More information

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials Firewalls, IDS and IPS MIS5214 Midterm Study Support Materials Agenda Firewalls Intrusion Detection Systems Intrusion Prevention Systems Firewalls are used to Implement Network Security Policy Firewalls

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology

More information

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention Spring 2010 CS419 Computer Security Vinod Ganapathy Lecture 14 Chapters 6 and 9 Intrusion Detection and Prevention Firewalls and IPSes effective means of protecting LANs internet connectivity essential

More information

CyberP3i Course Module Series

CyberP3i Course Module Series CyberP3i Course Module Series Spring 2017 Designer: Dr. Lixin Wang, Associate Professor Firewall Configuration Firewall Configuration Learning Objectives 1. Be familiar with firewalls and types of firewalls

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code Learning Objective Explain the importance of network principles and architecture

More information

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter Computer Network Lab 2017 Fachgebiet Technische Informatik, Joachim Zumbrägel Overview Security Type of attacks Firewalls Protocols Packet filter 1 Security Security means, protect information (during

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking 1 Review of TCP/IP working Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path Frame Path Chapter 3 Client Host Trunk Link Server Host Panko, Corporate

More information

Configuring Access Rules

Configuring Access Rules Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule

More information

ipro-04n Security Configuration Guide

ipro-04n Security Configuration Guide Disclaimer: The contents of these notes does not specifically relate to any release of Firmware and may change without notice Status: uncontrolled 1 Introduction...5 2 Security package...6 2.1 Basic network

More information

Advanced Security and Forensic Computing

Advanced Security and Forensic Computing Advanced Security and Forensic Computing Unit 2: Network Security Elements Dr Dr Bill Buchanan, Reader, School of of Computing. >Unit 2: 2: Network Security Elements Advanced Security and Forensic Computing

More information

CSC 4900 Computer Networks: Security Protocols (2)

CSC 4900 Computer Networks: Security Protocols (2) CSC 4900 Computer Networks: Security Protocols (2) Professor Henry Carter Fall 2017 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message Integrity 8.4 End point Authentication

More information

Computer and Network Security

Computer and Network Security CIS 551 / TCOM 401 Computer and Network Security Spring 2009 Lecture 8 Announcements Plan for Today: Networks: TCP Firewalls Midterm 1: One week from Today! 2/17/2009 In class, short answer, multiple choice,

More information

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare 4.. Filtering Filtering helps limiting traffic to useful services It can be done based on multiple criteria or IP address Protocols (, UDP, ICMP, ) and s Flags and options (syn, ack, ICMP message type,

More information

Network Defenses 21 JANUARY KAMI VANIEA 1

Network Defenses 21 JANUARY KAMI VANIEA 1 Network Defenses KAMI VANIEA 21 JANUARY KAMI VANIEA 1 First, the news The Great Cannon of China https://citizenlab.org/2015/04/chinas-great-cannon/ KAMI VANIEA 2 Today Open System Interconnect (OSI) model

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 12. Firewalls & VPNs Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Conversation Isolation: Network Layer Virtual Private Networks (VPNs)

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

Application Firewalls

Application Firewalls Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed

More information

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it. Chapter Three test Name: Period: CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it. 1. What protocol does IPv6 use for hardware address resolution? A. ARP

More information

Information Systems Security

Information Systems Security Information Systems Security Dr. Ayman Abdel-Hamid College of Computing and Information Technology Arab Academy for Science & Technology and Maritime Transport Firewalls ISS Dr. Ayman Abdel Hamid 1 Outline

More information

Network Defenses 21 JANUARY KAMI VANIEA 1

Network Defenses 21 JANUARY KAMI VANIEA 1 Network Defenses KAMI VANIEA 21 JANUARY KAMI VANIEA 1 Similar statements are found in most content hosting website privacy policies. What is it about how the internet works that makes this statement necessary

More information

CISNTWK-440. Chapter 5 Network Defenses

CISNTWK-440. Chapter 5 Network Defenses CISNTWK-440 Intro to Network Security Chapter 5 Network Defenses 1 Objectives Explain how to enhance security through network design Define network address translation and network access control List the

More information

VG422R. User s Manual. Rev , 5

VG422R. User s Manual. Rev , 5 VG422R User s Manual Rev 1.0 2003, 5 CONGRATULATIONS ON YOUR PURCHASE OF VG422R... 1 THIS PACKAGE CONTAINS... 1 CONFIRM THAT YOU MEET INSTALLATION REQUIREMENTS... 1 1. INSTALLATION GUIDE... 2 1.1. HARDWARE

More information

Network Security. Tadayoshi Kohno

Network Security. Tadayoshi Kohno CSE 484 (Winter 2011) Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More information

Hands-On Ethical Hacking and Network Defense 3 rd Edition

Hands-On Ethical Hacking and Network Defense 3 rd Edition Hands-On Ethical Hacking and Network Defense 3 rd Edition Chapter 13 Network Protection Systems Last modified 1-11-17 Objectives Explain how routers are used to protect networks Describe firewall technology

More information

Configuring Flood Protection

Configuring Flood Protection Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall

More information

PROTECTING INFORMATION ASSETS NETWORK SECURITY

PROTECTING INFORMATION ASSETS NETWORK SECURITY PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security

More information

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security IP numbers and Hosts Intranets CSC362, Information Security i. IP numbers denote interfaces rather than entities ii. a single router can connect several different networks iii. a single interface can be

More information

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking NETWORK MANAGEMENT II Proxy Servers Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking resources from the other

More information

Security Assessment Checklist

Security Assessment Checklist Security Assessment Checklist Westcon Security Checklist - Instructions The first step to protecting your business includes a careful and complete assessment of your security posture. Our Security Assessment

More information

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY INFS 766 Internet Security Protocols Lecture 1 Firewalls Prof. Ravi Sandhu INTERNET INSECURITY Internet insecurity spreads at Internet speed Morris worm of 1987 Password sniffing attacks in 1994 IP spoofing

More information

Chapter 11: It s a Network. Introduction to Networking

Chapter 11: It s a Network. Introduction to Networking Chapter 11: It s a Network Introduction to Networking Small Network Topologies Typical Small Network Topology IT Essentials v5.0 2 Device Selection for a Small Network Factors to be considered when selecting

More information

History Page. Barracuda NextGen Firewall F

History Page. Barracuda NextGen Firewall F The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

DMZ Networks Virtual Private Networks Distributed Firewalls Summary of Firewall Locations and Topologies

DMZ Networks Virtual Private Networks Distributed Firewalls Summary of Firewall Locations and Topologies CHAPTER Firewalls 23.1 The Need for Firewalls 23.2 Firewall Characteristics and Access Policy 23.3 Types of Firewalls 23.4 Firewall Basing Packet Filtering Firewall Stateful Inspection Firewalls Application-Level

More information

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls. Firewalls INFO 404 - Lecture 10 31/03/2009 nfoukia@infoscience.otago.ac.nz Credit: Cameron Kerr : ckerr@cs.otago.ac.nz Definitions Content Gateways, routers, firewalls Location of firewalls Design of firewalls

More information

Networking Security SPRING 2018: GANG WANG

Networking Security SPRING 2018: GANG WANG Networking Security SPRING 2018: GANG WANG About the Midterm Close book; Close notes; Close computer/phone/calculator; No cheat sheet. You are NOT allowed to leave the room during the exam There are 6

More information

Network Security. Course notes. Version

Network Security. Course notes. Version Network Security Course notes Version 2013.1 2 Contents 1 Firewalls 1 1.1 Location of a firewall................................... 2 2 Intrusion Detection 3 2.1 Concepts of Intrusion detection.............................

More information

H3C SecPath Series High-End Firewalls

H3C SecPath Series High-End Firewalls H3C SecPath Series High-End Firewalls Attack Protection Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SECPATHF1000SAI&F1000AEI&F1000ESI-CMW520-R3721 SECPATH5000FA-CMW520-F3210

More information

Configuring NAT for IP Address Conservation

Configuring NAT for IP Address Conservation This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

Finding Feature Information

Finding Feature Information This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

ASA/PIX Security Appliance

ASA/PIX Security Appliance I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

Firewall and IDS/IPS. What is a firewall?

Firewall and IDS/IPS. What is a firewall? Firewall and IDS/IPS Antonio Lioy < lioy @ polito.it > Politecnico di Torino Dip. Automatica e Informatica What is a firewall? firewall = wall to protect against fire propagation controlled connection

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 9 Security Policies and Firewalls Overview Introduction: What does secure mean? Firewalls

More information

Network Defenses KAMI VANIEA 1

Network Defenses KAMI VANIEA 1 Network Defenses KAMI VANIEA 26 SEPTEMBER 2017 KAMI VANIEA 1 First the news http://arstech nica.com/secu rity/2015/04/ meet-greatcannon-theman-in-themiddleweapon-chinaused-ongithub/ 2 First the news http://arstechni

More information

Attack Prevention Technology White Paper
