CSCE 715: Network Systems Security


Chin-Tser Huang
huangct@cse.sc.edu
University of South Carolina

Security in Network Layer
- Implementing security in application layer provides flexibility in security policy and key management
- Problem is the need to implement security mechanism in every application individually
- To reduce the overhead, we can implement security in network layer to provide security for all applications between selected pair of computers
(02/22/2017)

IPSec
- Current security standard for IP layer
- Provide general security services for IP
  - Authentication
  - Confidentiality
  - Anti-replay
  - Key management
- Applicable to use over LANs, across public and private WANs, and for the Internet

Scenario of IPSec Uses (figure slide)

Benefits of IPSec
- Provide strong security to all traffic crossing the perimeter if installed in a firewall/router
- Resistant to bypass
- IPSec is below transport layer, hence transparent to applications
- Can be transparent to end users
- Can provide security for individual users if desired

IP Security Architecture
- Specification is quite complex
  - Defined in numerous RFCs
  - Latest version in RFC 4301/4302/4303/4306, many others, grouped by category
- Two protocols
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
- Mandatory in IPv6, optional in IPv4

IP Security Architecture (figure slide)

Transport Mode and Tunnel Mode
- Transport mode provides protection for upper-layer protocols, namely on the payload of an IP packet
  - Suitable for end-to-end communication between two hosts
- Tunnel mode provides protection to the entire IP packet
  - Entire packet plus security fields is treated as the payload of new outer IP packet with new outer IP header
  - Suitable when one or both ends of SA are a security gateway

Security Association (SA)
- A unidirectional relationship between sender and receiver that affords security for traffic flow
- Each IPSec computer maintains a database of SAs
- Defined by 3 parameters
  - Security Parameters Index (SPI)
  - IP Destination Address
  - Security Protocol Identifier

SA Parameters
- Sequence Number Counter
- Sequence Number Overflow
- Anti-Replay Window
- AH and ESP information
- Lifetime
- IPSec Protocol Mode
- Path MTU

Security Policy Database
- Used to relate IP traffic to specific SAs (or no SA if the given traffic is allowed to bypass IPsec)
- Each SPD entry is defined by selectors, which are a set of IP and upper-layer protocol field values
  - Remote IP address
  - Local IP address
  - Next layer protocol
  - Name
  - Local and remote ports

SPD Example
Protocol | Local IP  | Port | Remote IP  | Port | Action                         | Comment
UDP      | 1.2.3.101 | 500  | *          | 500  | BYPASS                         | IKE
ICMP     | 1.2.3.101 | *    | *          | *    | BYPASS                         | Error message
*        | 1.2.3.101 | *    | 1.2.3.0/24 | *    | PROTECT: ESP in transport mode | Encrypt intranet traffic
TCP      | 1.2.3.101 | *    | 1.2.4.10   | 80   | PROTECT: ESP in transport mode | Encrypt to server
TCP      | 1.2.3.101 | *    | 1.2.4.10   | 443  | BYPASS                         | TLS: avoid double encryption
*        | 1.2.3.101 | *    | 1.2.4.0/24 | *    | DISCARD                        | Others in DMZ
*        | 1.2.3.101 | *    | *          | *    | BYPASS                         | Internet
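An added example (not from the lecture) of how an outbound SPD lookup resolves a packet against the table above: entries are searched in order, '*' is a wildcard, and the first matching entry decides the action. The table and the local address 1.2.3.101 are taken from the slide; the default of DISCARD when nothing matches follows RFC 4301.

```python
import ipaddress

# Constructed SPD mirroring the lecture's example table for host 1.2.3.101.
# Columns: protocol, local IP, local port, remote IP, remote port, action.
SPD = [
    ("UDP",  "1.2.3.101", 500, "*",          500, "BYPASS"),                 # IKE
    ("ICMP", "1.2.3.101", "*", "*",          "*", "BYPASS"),                 # error messages
    ("*",    "1.2.3.101", "*", "1.2.3.0/24", "*", "PROTECT:ESP-transport"),  # intranet
    ("TCP",  "1.2.3.101", "*", "1.2.4.10",   80,  "PROTECT:ESP-transport"),  # to server
    ("TCP",  "1.2.3.101", "*", "1.2.4.10",   443, "BYPASS"),                 # already TLS
    ("*",    "1.2.3.101", "*", "1.2.4.0/24", "*", "DISCARD"),                # rest of DMZ
    ("*",    "1.2.3.101", "*", "*",          "*", "BYPASS"),                 # Internet
]


def _ip_matches(selector, addr):
    """Address selector: wildcard, single host, or CIDR prefix."""
    if selector == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)


def _matches(selector, value):
    """Protocol/port selector: wildcard or exact value."""
    return selector == "*" or selector == value


def spd_lookup(proto, local_ip, local_port, remote_ip, remote_port, spd=SPD):
    """Return the action for an outbound packet; the first matching entry wins.
    Order matters: the 1.2.4.10:80 PROTECT row must precede the 1.2.4.0/24 DISCARD row."""
    for s_proto, s_lip, s_lport, s_rip, s_rport, action in spd:
        if (_matches(s_proto, proto) and _ip_matches(s_lip, local_ip)
                and _matches(s_lport, local_port)
                and _ip_matches(s_rip, remote_ip) and _matches(s_rport, remote_port)):
            return action
    return "DISCARD"  # RFC 4301: traffic matching no SPD entry is dropped
```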

IP Traffic Processing: Outbound Packets (figure slide)

IP Traffic Processing: Inbound Packets (figure slide)

Authentication Header (AH)
- Provide support for data integrity and authentication of IP packets
  - end system/router can authenticate user/app
  - prevent address spoofing attacks
  - guard against replay attacks by tracking sequence numbers
- Based on use of a MAC
  - HMAC-MD5-96 or HMAC-SHA-1-96
  - MAC is calculated over IP header fields that are either immutable or predictable, AH header other than authentication data, and entire upper-level protocol data
- Parties must share a secret key
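An added example (not the lecture's code) tying together the SA parameters above (Sequence Number Counter, Sequence Number Overflow, Anti-Replay Window) and the replay protection AH and ESP get from sequence numbers: a receiver-side sliding window with a bitmap in the style of RFC 4303, plus a sender counter that refuses to wrap. The 64-packet window size and 32-bit sequence number are the standard defaults; the class names are this example's own.

```python
SEQ_MAX = 2 ** 32 - 1  # 32-bit sequence number field in AH/ESP


class AntiReplayWindow:
    """Receiver-side window: accept a packet only if its sequence number is new
    and not older than the window's left edge (top - size + 1)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it should be accepted, else False."""
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.top:                     # advances the window to the right
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                # everything previously seen falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                       # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                       # duplicate: replayed packet
        self.bitmap |= 1 << diff               # late but in-window: accept once
        return True


class SenderCounter:
    """Sender-side Sequence Number Counter with the Sequence Number Overflow
    rule: the counter must not cycle; the SA has to be rekeyed instead."""

    def __init__(self):
        self.counter = 0

    def next_seq(self):
        if self.counter >= SEQ_MAX:
            raise OverflowError("sequence number would cycle: rekey the SA")
        self.counter += 1
        return self.counter
```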

IPv4 Header (figure slide)

Authentication Header (figure slide)

Transport vs Tunnel Mode AH
- Transport mode is used to authenticate IP payload and selected portion of IP header
  - good for host-to-host traffic
- Tunnel mode authenticates entire IP packet and selected portion of outer IP header
  - good for VPNs, gateway-to-gateway security

Encapsulating Security Payload (ESP)
- Provide message content confidentiality and limited traffic flow confidentiality
- Can optionally provide the same authentication services as AH
- Support a variety of ciphers, modes, padding
  - AES, Triple-DES, RC5, IDEA, CAST etc.
  - CBC most common
  - pad to meet blocksize, for traffic flow

Encapsulating Security Payload (figure slide)

Padding
- Serve several purposes
  - expand the plaintext to required length
  - make Pad Length and Next Header fields aligned to 32-bit word boundary
  - conceal actual length of payload
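An added example (not from the lecture) that works the three padding purposes through in code: the padding length is chosen so the plaintext is a multiple of the cipher block size and the Pad Length / Next Header bytes end on a 32-bit boundary, optional extra padding hides the true payload length, and the receiver checks the default 1,2,3,... padding pattern before stripping the trailer. The 255-byte limit comes from the one-byte Pad Length field; function names are this example's own.

```python
import math


def esp_pad_length(payload_len, block_size=16, extra=0):
    """Padding bytes so that payload + padding + Pad Length + Next Header is a
    multiple of block_size (CBC requirement) and also of 4 (32-bit alignment of
    the trailer). `extra` adds padding to conceal the real payload length."""
    align = block_size * 4 // math.gcd(block_size, 4)      # lcm(block_size, 4)
    pad = extra + (-(payload_len + extra + 2)) % align
    if pad > 255:
        raise ValueError("Pad Length is one byte; reduce extra padding")
    return pad


def build_esp_plaintext(payload, next_header, block_size=16, extra=0):
    """Plaintext fed to the cipher: payload, padding 1,2,3,..., Pad Length,
    Next Header (6 for TCP in transport mode, 4 for an inner IPv4 packet)."""
    pad = esp_pad_length(len(payload), block_size, extra)
    padding = bytes(range(1, pad + 1))                     # default pattern
    return payload + padding + bytes([pad, next_header])


def parse_esp_plaintext(plaintext):
    """Receiver side after decryption: validate and strip the ESP trailer."""
    if len(plaintext) < 2 or len(plaintext) % 4:
        raise ValueError("malformed ESP plaintext")
    pad, next_header = plaintext[-2], plaintext[-1]
    if pad + 2 > len(plaintext):
        raise ValueError("Pad Length exceeds plaintext")
    padding = plaintext[len(plaintext) - 2 - pad:-2]
    if padding != bytes(range(1, pad + 1)):
        raise ValueError("padding check failed")           # RFC 4303 recommends this check
    return plaintext[:len(plaintext) - 2 - pad], next_header
```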

Transport vs Tunnel Mode ESP
- Transport mode is used to encrypt and optionally authenticate IP data
  - data protected but header left in clear
  - can suffer from traffic analysis but is efficient
  - good for ESP host-to-host traffic
- Tunnel mode encrypts entire IP packet
  - add new header for next hop
  - can counter traffic analysis
  - good for VPNs, gateway-to-gateway security

Transport vs Tunnel Mode ESP (figure slide)

Scope of ESP Encryption and Authentication (figure slide)

Scope of ESP Encryption and Authentication (figure slide, continued)

Protocol Operation for ESP (figure slide)

Combining Security Associations
- SAs can implement either AH or ESP, but each SA can implement only one
- Some traffic flows may require services of both AH and ESP, while some other flows may require both transport and tunnel modes
- To address these concerns, need to combine SAs to form a security association bundle

Authentication plus Confidentiality
- Which one first? Three approaches to consider
- ESP with Authentication Option
  - Transport mode or tunnel mode
  - Authentication after encryption
- Transport Adjacency
  - A bundle of two transport SAs, with the inner being an ESP SA and the outer being an AH SA
  - Authentication after encryption
- Transport-Tunnel Bundle
  - A bundle consisting of an inner AH transport SA and an outer ESP tunnel SA
  - Authentication before encryption

Combining Security Associations (figure slide)

Key Management
- Handle key generation and distribution
- Typically need 2 pairs of keys
  - 2 per direction (for AH & ESP)
- Manual key management
  - sysadmin manually configures every system
- Automated key management
  - automated system for on-demand creation of keys for SAs in large systems
  - Oakley and ISAKMP are two essential elements
  - IKEv2 does not use the terms Oakley and ISAKMP but basic functionality is the same

IKE Key Determination (OAKLEY)
- A key exchange protocol
- Based on Diffie-Hellman key exchange
- Add features to address weaknesses of Diffie-Hellman
  - cookies to counter clogging attacks
  - nonces to counter replay attacks
  - key exchange authentication to counter man-in-the-middle attacks
- Can use arithmetic in prime fields or elliptic curve fields

Usage of Cookies
- Three basic requirements
  - Must depend on specific parties
  - Impossible for anyone other than issuing entity to generate cookies that will be accepted by issuing entity
  - Cookie generation and verification must be fast
- To create a cookie, perform a fast hash over src and dst IP addresses, src and dst ports, and a locally generated secret value
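An added example (not the lecture's code) of the cookie construction just described and of the clogging defence it enables: the cookie is a keyed hash over the two addresses, two ports and a local secret, so it is party-specific, unforgeable without the secret, and cheap to check, and the responder allocates no Diffie-Hellman state until the initiator echoes a valid cookie. The 8-byte truncation, the SHA-256 HMAC and the responder_step helper are this example's choices, not part of the slides.

```python
import hashlib
import hmac
import ipaddress
import os
import struct


class CookieIssuer:
    """Oakley-style anti-clogging cookie: keyed hash over the 4-tuple plus a
    locally generated secret; no per-peer state is stored when issuing."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(32)  # never sent

    def _material(self, src_ip, dst_ip, src_port, dst_port):
        return (ipaddress.ip_address(src_ip).packed
                + ipaddress.ip_address(dst_ip).packed
                + struct.pack("!HH", src_port, dst_port))

    def make(self, src_ip, dst_ip, src_port, dst_port):
        """Mint an 8-byte cookie bound to these specific parties."""
        mac = hmac.new(self.secret,
                       self._material(src_ip, dst_ip, src_port, dst_port),
                       hashlib.sha256).digest()
        return mac[:8]

    def verify(self, cookie, src_ip, dst_ip, src_port, dst_port):
        """Constant-time check that we issued this cookie for this 4-tuple."""
        expected = self.make(src_ip, dst_ip, src_port, dst_port)
        return hmac.compare_digest(cookie, expected)


def responder_step(issuer, src_ip, dst_ip, src_port, dst_port, cookie=None):
    """Responder's first-exchange logic. Without a valid echoed cookie it only
    sends a fresh cookie (cheap, stateless); with one it proceeds to the costly
    Diffie-Hellman work. Returns (action, cookie)."""
    if cookie is None or not issuer.verify(cookie, src_ip, dst_ip, src_port, dst_port):
        return "send_cookie", issuer.make(src_ip, dst_ip, src_port, dst_port)
    return "start_dh", cookie
```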

ISAKMP
- Internet Security Association and Key Management Protocol
- Provide framework for key management
- Define procedures and packet formats to establish, negotiate, modify, and delete SAs
- Independent of any specific key exchange protocol, encryption algorithm, and authentication method

IKE Header (figure slide)

IKE Payload (figure slide)

IKE Exchange (figure slide)


Next Class
- Denial-of-Service (DoS) attack
- Hop Integrity