Internetworking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite, Ch 28


Internet Security
- Internet security is difficult: the Internet protocols were not originally designed for security, and they have security holes at all levels of the stack:
  - ARP: L2 hijacking
  - IP: spoofing, fragments, broadcast
  - UDP: stateless, easy to spoof
  - TCP: hijacking sessions, denying service
  - DNS: contaminating (poisoning) DNS caches
  - Dynamic routing: false RIP messages
  - Tunneling: bypassing firewall rules

Attack Examples
- Spoofing: forging someone else's address
- Dictionary attack: guessing passwords
- Port scanning: finding open services
- Sniffing: listening in on internal traffic
- Denial of service (DoS) and Distributed DoS (DDoS)
- Man-in-the-middle
- Virus, Trojan horse, worm
- Ping of death: "killer packets"

Address spoofing
- Forge addresses: L2 / IP address / UDP ports / names. Easy to do.
- ARP and L2 spoofing: redirects ARP caches and switch learning tables
- Hijacking of sessions:
  - blind spoofing: the return traffic goes to the wrong host, the spoofed source, which is itself hit by the unexpected traffic
  - man-in-the-middle: pretend to be the other host to each side
- DNS: forging DNS RR entries

Denial of service (DoS/DDoS)
- Prevent normal use of a service:
  - TCP SYN flood at TCP connection setup
  - routing attacks: make networks unreachable
  - web defacing
  - mail attacks
  - fragment attacks
- Distributed DoS (DDoS): use many hosts to launch a DoS
  - smurf: ICMP echo (ping) sent to a directed broadcast address with a spoofed source, so every host on that subnet replies to the victim

Aspects of security (Forouzan)
- Privacy (confidentiality): the message is readable only by sender and receiver, unreadable by others
- Authentication: the receiver is certain of the sender's identity; no impostor
- Integrity: the message is received exactly as it was sent; no changes during transmission
- Nonrepudiation: the receiver can prove that the message came from a specific sender

Secret key encryption
- Symmetric encryption/decryption: the same key is used by both parties
- Advantage: efficient algorithms, good for large messages
- Disadvantages:
  - many keys: n(n-1)/2 keys for n parties
  - key distribution: needs a Key Distribution Center (KDC)
- Examples: Data Encryption Standard (DES), Advanced Encryption Standard (AES). DES is obsolete today, since its 56-bit key can be brute-forced; AES is the current standard.

Public key encryption
- Two keys: a public key available to all, a private key kept secret
- Advantages: no shared secret keys; fewer keys (one pair per party)
- Disadvantages: algorithm complexity (slow); the public key needs verification, which is the role of a Certification Authority (CA)
- Example: Rivest, Shamir, Adleman (RSA)

Digital Signature
- For authentication, integrity and nonrepudiation: signing the document
- Approach 1: public-key encryption (RSA) over the whole document. Use your own private key to "encrypt" (sign), the public key to "decrypt" (verify).
- Approach 2: sign a digest of the document, produced by a secure one-way hash function (SHA-1, MD5). Note: MD5 and SHA-1 are no longer collision resistant and must not be used for new signatures; the SHA-2 family (e.g. SHA-256) is used today.

Sender signing the digest
- The sender produces a digest by hashing the message
- The digest is encrypted (signed) with the sender's private key: the signed digest
- The signed digest is appended to the message

Receiver verifies signature
- The receiver extracts the signed digest and decrypts it with the sender's public key
- The receiver produces its own digest by hashing the received message
- Verification: compare the two digests; any mismatch means the message or the signature was altered

Application/Transport layer security
- Security can be implemented at different layers of the IP stack: application, transport, network
- Kerberos: authentication and key distribution
- PGP (Pretty Good Privacy): digital signature using hashing and public-key encryption; combined secret-/public-key encryption for privacy
- SSH (Secure Shell): a secure replacement for rlogin; numerous functions
- SSL (Secure Socket Layer, https:), IETF version TLS (Transport Layer Security): a confidential pipe between browser and web server; server authentication
- S/MIME: mail security

Security in the IP layer: IPsec
- A sender and receiver agree on a set of security parameters, a Security Association (SA), referenced by a cleartext index, the Security Parameter Index (SPI)
- The SA includes: encryption algorithm, keys, lifetime, addresses
- IPsec is implemented at the IP layer: the IPsec headers follow the IP header; part of the IP stack, network layer
- IPsec consists of two protocols:
  - Privacy: Encapsulating Security Payload (ESP)
  - Authentication, integrity, etc.: Authentication Header (AH)
- IPsec has two modes: tunnel mode (useful for VPNs) and transport mode (end-to-end)
- Dynamic key management: ISAKMP (Internet SA and Key Management Protocol), IKE (Internet Key Exchange)

IPsec Transport Mode
- End-to-end security: only the end hosts are trusted
- Security Association (SA) between H1 and H2
[Figure: H1 --- Internet --- H2, with the SA spanning from H1 to H2]

IPsec Tunnel Mode
- Security Association (SA) between the gateways R1 and R2
- Packets are in cleartext between H1 and R1 and between R2 and H2, so those segments must be trusted
- The IPsec headers encapsulate the whole original packet
[Figure: H1 - R1 --- Internet --- R2 - H2, with the SA spanning from R1 to R2]

Authentication Header - AH
- AH carries an Integrity Check Value: a digest produced by a keyed hash function (HMAC) with a key from the SA
- Addresses integrity and data-origin authentication, plus anti-replay via the sequence number. Because the MAC key is shared by both ends, AH cannot give non-repudiation; that requires a public-key signature.
- Some AH header fields: SPI (SA index), sequence number (must never repeat within an SA), message digest (ICV)
- AH is carried as IP protocol number 51
  original datagram:  IP hdr | TCP hdr | Payload
  transport mode:     IP hdr (proto 51) | AH hdr | TCP hdr | Payload
                      authenticated: whole packet, except mutable IP header fields (TTL, checksum, ...)
  tunnel mode:        New IP hdr (proto 51) | AH hdr | IP hdr | TCP hdr | Payload
                      authenticated: whole packet, except mutable fields of the new header

Encapsulating Security Payload - ESP
- ESP encrypts the payload of an IP datagram
- ESP can also authenticate: it addresses privacy, but also integrity and authentication
- In tunnel mode the whole original datagram, including its IP header, is encrypted
- Some ESP fields: SPI (SA index), sequence number (must never repeat within an SA), padding (in the ESP trailer), ESP auth (ICV)
- ESP is carried as IP protocol number 50
  original datagram:  IP hdr | TCP hdr | Payload
  transport mode:     IP hdr (proto 50) | ESP hdr | TCP hdr | Payload | ESP trailer | ESP auth
                      encrypted: TCP hdr .. ESP trailer; authenticated: ESP hdr .. ESP trailer
  tunnel mode:        New IP hdr (proto 50) | ESP hdr | IP hdr | TCP hdr | Payload | ESP trailer | ESP auth
                      encrypted: inner IP hdr .. ESP trailer; authenticated: ESP hdr .. ESP trailer
- Unlike AH, the ESP authentication never covers the outer IP header

Automatic key distribution IKE/ISAKMP
- Basic IPsec works with manually configured keys, but keys are long and difficult to administer: we need key distribution protocols (automatic keying)
- Also, the sequence numbers in ESP/AH must not wrap around: new keys (a new SA) must be in place before 2^32 packets have been sent on an SA. (IPsec-v3, RFC 4303, adds optional 64-bit extended sequence numbers, but the rule is the same: rekey before the counter cycles.)
- For further information see: Internet Security Association and Key Management Protocol (ISAKMP); The Internet Key Exchange (IKE/IKEv2)
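The two sequence-number rules from the AH/ESP slides and this one, as an added example (not from the lecture or any IPsec implementation): a receiver-side anti-replay sliding window in the style of RFC 4303 Appendix A, which rejects a repeated sequence number and anything older than the window, and a sender-side counter that refuses to issue a value beyond the 32-bit field instead of wrapping, which is the point at which IKE must have negotiated a fresh SA. The arrival order in replay_demo is constructed; the window size of 64 is the minimum RFC 4303 recommends.

```python
class RekeyRequired(Exception):
    """Raised when the 32-bit sequence counter of an SA is used up."""


class SequenceCounter:
    """Sender side: per-SA counter that never wraps around."""

    MAX_SEQ = 2**32 - 1  # 32-bit sequence number field in the AH/ESP header

    def __init__(self, start=0):
        self.seq = start

    def next(self):
        if self.seq >= self.MAX_SEQ:
            raise RekeyRequired("sequence space exhausted; negotiate a new SA first")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver side: sliding window over the highest sequence numbers accepted."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0   # bit i set  <=>  sequence number (top - i) already accepted

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq <= 0 or seq > SequenceCounter.MAX_SEQ:
            return False                      # 0 is never transmitted; field overflow
        if seq > self.top:                    # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything previously seen falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: reject
        if (self.bitmap >> offset) & 1:
            return False                      # already accepted once: replay
        self.bitmap |= 1 << offset            # straggler inside the window: accept
        return True


def replay_demo():
    """Constructed arrival order with replays (2, 100, 37) and a too-old packet (36)."""
    window = AntiReplayWindow(size=64)
    arrivals = [1, 2, 3, 2, 100, 37, 36, 100, 37, 101]
    return [(seq, window.accept(seq)) for seq in arrivals]


def exhaustion_demo():
    """The sender hands out 2**32 - 1 and then refuses to wrap to 0."""
    counter = SequenceCounter(start=SequenceCounter.MAX_SEQ - 1)
    last_ok = counter.next()
    try:
        counter.next()
        return last_ok, False
    except RekeyRequired:
        return last_ok, True


if __name__ == "__main__":
    print(replay_demo())
    print(exhaustion_demo())
```

Note that the window only defends against replay because the sequence number is inside the authenticated part of the packet; without the ICV an attacker could simply rewrite it.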

Firewalls (on six slides)

Firewalls
- Keeping the bad guys out: prevent unauthorized access
- Forward some packets and block others
- But the roles are not always clear: what do we mean by "secure"? Where does the Intranet end and the Extranet or Internet begin?
[Figure: Intranet, Extranet and Internet, with the servers placed in a DMZ]

Packet-filter firewall
- A router with filtering capabilities: the firewall uses packet filters (ACLs) to drop or pass traffic
- Stateful inspection: keeps state for every TCP/UDP flow and allows the reverse traffic; traffic from inside dynamically opens the firewall for the matching incoming traffic
- Example rule set (first match wins):
  permit out on eth0 from 77.2.3.0/24 to any proto tcp keep state
  permit inout on eth0 proto icmp
  deny default
[Figure: trusted Intranet | firewall router with packet filtering | untrusted Internet]

Example rules
- ICMP: allow all output, filter input (but let path MTU discovery through)
- TCP: allow connections initiated from inside, block all other input
- UDP: block all input and output, ... (H.323/SIP? use the phone)
- WWW: allow all output or go through a proxy, block all input, put the web server in the DMZ
- DNS: hide internal information from the outside
- SSH: allow all input and output
Adapted from Cheswick et al., Firewalls and Internet Security
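To make "keep state" concrete, here is the three-rule set from the packet-filter slide run as a first-match filter over constructed traffic; it also covers the TCP and ICMP lines of the rule list above. This is an added simulation written for this page, not a real firewall or any vendor's rule syntax. The inside prefix 77.2.3.0/24 is taken from the slide; the 198.51.100.0/24 addresses are documentation addresses chosen here, and "in"/"out" denote the direction of the packet on eth0.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("77.2.3.0/24")   # inside network from the example rule set


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the intranet)
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # 0 for icmp
    dport: int = 0


class StatefulFilter:
    """The slide's three rules as a first-match filter with a state table for TCP."""

    def __init__(self):
        self.state = set()   # flows opened from inside: (proto, src, sport, dst, dport)

    @staticmethod
    def flow(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse(pkt):
        # the 5-tuple a reply to pkt's flow would carry, seen from the original direction
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt):
        # permit out on eth0 from 77.2.3.0/24 to any proto tcp keep state
        if pkt.direction == "out" and pkt.proto == "tcp" \
                and ipaddress.ip_address(pkt.src) in INSIDE:
            self.state.add(self.flow(pkt))      # "keep state": remember the flow
            return "permit"
        # reverse traffic of a remembered flow: this is what keep state opens up
        if pkt.direction == "in" and self.reverse(pkt) in self.state:
            return "permit"
        # permit inout on eth0 proto icmp
        if pkt.proto == "icmp":
            return "permit"
        # deny default
        return "deny"


def run_filter():
    """Constructed packet trace; returns the verdict for each packet in order."""
    fw = StatefulFilter()
    packets = [
        Packet("out", "tcp", "77.2.3.10", "198.51.100.5", 40000, 443),  # inside client to web server
        Packet("in", "tcp", "198.51.100.5", "77.2.3.10", 443, 40000),   # the server's reply
        Packet("in", "tcp", "198.51.100.9", "77.2.3.10", 51000, 22),    # unsolicited inbound SSH
        Packet("in", "icmp", "198.51.100.9", "77.2.3.10"),              # inbound ping
        Packet("in", "udp", "198.51.100.9", "77.2.3.10", 53, 5353),     # inbound UDP
        Packet("out", "tcp", "10.9.9.9", "198.51.100.5", 40001, 443),   # outbound with a source not inside
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_filter():
        print(verdict)
```

The last packet shows a side effect of writing the source prefix into the rule: an inside host emitting a spoofed source address is denied on the way out, which is the egress filtering that limits a site's usefulness as a DoS launch pad. A real stateful filter also ages entries out of the state table and tracks the TCP handshake; this simulation keeps a flow forever once opened.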

Proxy firewall / Application-level gateway
- Better application-level understanding than packet filtering
- An ALG is a firewall program that runs in user space at the application level, typically in combination with packet filtering
- Two separate TCP connections: one from the client to the ALG, one from the ALG to the server; the ALG terminates both connections
- Disadvantages:
  - slower: more memory and processing
  - one proxy per new application: web, SIP, FTP, ...
[Figure: trusted Intranet | application-level gateway | untrusted Internet]

Demilitarized Zone
- A DMZ contains servers accessible from the Internet, but the intranet is not accessible from the outside
- Two levels of defence (defence in depth): if a server in the DMZ is compromised, the inner barrier still protects the intranet
- Can be combined with application proxies
[Figure: trusted Intranet | Inner Barrier | DMZ (servers / proxies) | Outer Barrier | untrusted Internet]

Firewall Design Criteria
- There is no absolute security; it is always a question of economics
- Defense in depth: place several firewalls one after the other
- Weakest link: the strength of your security system is bounded by the weakness of your weakest link
- Least privilege: give the smallest amount of privilege possible
- Fail safe: even if everything goes wrong, the failure of the security system must not open a hole (fail closed, not open)
- Keep it simple!