CSC 6575: Internet Security Fall 2017


CSC 6575: Internet Security, Fall 2017
Network Security Devices: IP Security
Mohammad Ashiqur Rahman, Department of Computer Science, College of Engineering, Tennessee Tech University

2 IPSec: Agenda
- Architecture
- IPSec Packets
- Security Association
- IPSec Policy
- IPSec Policy Anomaly

3 IPSec: IP Security
- To perform authentication: to verify the sources of IP packets
- To prevent replaying of old packets
- To protect the integrity and/or confidentiality of packets (data integrity and encryption)
- Applicable over LANs, across public and private WANs, and for the Internet
- There are application-specific security mechanisms, e.g., S/MIME, PGP, Kerberos, SSL/HTTPS; IPSec instead provides security implemented at the network layer, for all applications

4 The IPSec Security Model
- Communicating parties are authenticated.
- Intermediate IPSec devices/gateways are secured.
- Communication needs to be secured over the insecure network: authenticated, data-integrity protected, and/or confidential.
(Figure: secure end networks communicating across an insecure network)

5 IPSec Architecture
- Two security header extensions: Authentication Header (AH) and Encapsulating Security Payload (ESP)
- Internet Key Exchange (IKE): exchanges and negotiates security policies
- Security Associations
- IPSec Security Policy
(Figure: ESP, AH, IKE and the IPSec security policy as the components of the architecture)

6 IPSec Architecture (2)
- IPSec provides security in three situations: host-to-host, host-to-gateway (router), and gateway-to-gateway
- IPSec operates in two modes: transport mode (for end-to-end) and tunnel mode (for VPN)
(Figure: host-to-host transport mode; router-to-router tunnel mode, where the host-to-router leg is unencrypted/insecure when only tunnel mode is used)

7 IPSec Packets
- Original: IP header | TCP header | data
- Transport mode: IP header | IPSec header | TCP header | data
- Tunnel mode: IP header | IPSec header | IP header | TCP header | data
- A collection of protocols (see RFC 2401): Authentication Header (RFC 2402), Encapsulated Security Payload (RFC 2406), Internet Key Exchange (RFC 2409)

8 Authentication Header (AH)
- Provides source authentication: protects against source spoofing
- Provides data integrity
- Protects against replay attacks: uses monotonically increasing sequence numbers
- Protects against denial of service attacks
- No protection for confidentiality!
- Uses a 32-bit sequence number to avoid replay attacks
- Uses cryptographically strong hash algorithms to protect data integrity (96-bit)
- Uses symmetric key cryptography: HMAC-SHA-96, HMAC-MD5-96

9 AH Packet
- New IP header
- AH header: Next header | Payload length | Reserved | Security Parameters Index (SPI) | Sequence Number | Authentication Data (Integrity Check Value, ICV)
- Old IP header (only in tunnel mode)
- TCP header and data: the encapsulated TCP or IP packet (tunnel mode)
(Figure: the region marked Authenticated spans the AH header and the encapsulated packet)

10 Integrity Check Value (ICV)
- Keyed message authentication code (MAC) calculated over:
  - IP header fields that do not change or are predictable (source IP address, destination IP address, header length, etc.), to prevent spoofing; mutable fields are excluded, e.g., time-to-live (TTL), IP header checksum, etc.
  - The IPSec protocol header, except the ICV value field
  - Upper-level (TCP and ...) data
- The code may be truncated to the first 96 bits
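As an added worked example that is not part of the lecture, the following Python builds a transport-mode AH packet and computes the ICV the way slide 10 describes: an HMAC over the IP header with its mutable fields zeroed, the AH header with its ICV field zeroed, and the upper-layer data, truncated to 96 bits. The header serialization helpers, key, addresses and payload are constructed for this example; the set of mutable IPv4 fields that are zeroed follows RFC 4302. A receiver that recomputes the ICV accepts a packet whose TTL a router changed but rejects one whose destination address or payload was altered.

```python
import hmac
import struct

AH_PROTOCOL = 51      # IANA protocol number that announces an AH header
AH_FIXED_LEN = 12     # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 12          # HMAC-SHA1-96 / HMAC-MD5-96 truncate the MAC to 96 bits


def ipv4_header(src: bytes, dst: bytes, total_len: int, ident: int,
                ttl: int, proto: int, tos: int = 0, checksum: int = 0) -> bytes:
    """Serialize a 20-byte IPv4 header without options (constructed helper)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0,
                       ttl, proto, checksum, src, dst)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Copy of the IPv4 header with the mutable fields zeroed for the ICV.
    Per RFC 4302 these are DSCP/ECN (the TOS byte), flags and fragment
    offset, TTL and the header checksum; version/IHL, total length,
    identification, protocol and both addresses stay as sent."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS byte (DSCP + ECN)
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Length = length of the AH in 32-bit words, minus 2 (RFC 4302)
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, next_hdr: int, spi: int, seq: int,
                payload: bytes, hash_name: str = "sha1") -> bytes:
    """Keyed MAC over: IP header with mutable fields zeroed || AH header with
    the ICV field zeroed || upper-layer data, truncated to 96 bits."""
    covered = (zero_mutable_fields(ip_hdr)
               + ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
               + payload)
    return hmac.new(key, covered, hash_name).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, ident: int, ttl: int,
                    next_hdr: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Transport-mode AH: IP header | AH header | original upper-layer data."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, total_len, ident, ttl, AH_PROTOCOL)
    icv = compute_icv(key, ip_hdr, next_hdr, spi, seq, payload)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_hdr = pkt[:20]
    next_hdr, _plen, _res, spi, seq = struct.unpack(
        "!BBHII", pkt[20:20 + AH_FIXED_LEN])
    icv_start = 20 + AH_FIXED_LEN
    icv, payload = pkt[icv_start:icv_start + ICV_LEN], pkt[icv_start + ICV_LEN:]
    expected = compute_icv(key, ip_hdr, next_hdr, spi, seq, payload)
    return hmac.compare_digest(icv, expected)


def patch_byte(pkt: bytes, index: int, value: int) -> bytes:
    """Copy of pkt with one byte changed: simulates a router rewriting the
    TTL, or an on-path modification of any other field."""
    p = bytearray(pkt)
    p[index] = value
    return bytes(p)


if __name__ == "__main__":
    KEY = b"constructed-ah-key"   # constructed sample key
    pkt = build_ah_packet(KEY, bytes([1, 1, 1, 1]), bytes([2, 2, 2, 2]),
                          0x1234, 64, 6, 0x1000, 1, b"constructed TCP segment")
    print(verify_ah_packet(KEY, pkt))                      # True
    print(verify_ah_packet(KEY, patch_byte(pkt, 8, 63)))   # True: TTL is mutable
    print(verify_ah_packet(KEY, patch_byte(pkt, 19, 9)))   # False: destination changed
```

Byte offsets 8 and 19 are the TTL and the last byte of the destination address in the constructed header; the first change survives verification because the ICV is computed with TTL zeroed, the second does not because the addresses are covered.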

11 Encapsulating Security Payload (ESP)
- Provides all that AH offers, plus data confidentiality
- Same as AH: uses a 32-bit sequence number to counter replay attacks; uses integrity check algorithms
- Only in ESP: data confidentiality, using symmetric key encryption algorithms to encrypt packets

12 ESP Packet Details
- IP header
- ESP header: Security Parameters Index (SPI) | Sequence Number | Initialization vector
- Encrypted TCP packet: TCP header | Data | Pad | Pad length | Next header
- Authentication Data
(Figure: the region marked Authenticated spans the ESP header and the encrypted TCP packet; the Authentication Data follows it)

13 Internet Key Exchange (IKE)
- Exchanges and negotiates security policies
- Establishes security sessions, identified as Security Associations
- Key exchange and key management
- Related concepts: Security Association (SA), Security Parameter Index (SPI), SA Database (SAD), Security Policy Database (SPD)

14 Security Association (SA)
- Has three parameters:
  - Security Parameter Index (SPI)
  - Destination IP address
  - Security protocol identifier
- Specifies the algorithm and its mode, and the keys
- Security Policy Database (SPD): look up the IPSec policy for each traffic flow
- Security Association Database (SAD): determines the IPSec encoding for the sender and the IPSec decoding for the destination

15 Security Parameters Index (SPI)
- The SPI is a 32-bit number.
- The SPI allows the destination to select the correct SA under which the received packet will be processed, according to the agreement with the sender.
- The SPI is sent with the packet by the sender.
- An SA is uniquely identified by: SPI + destination IP address [+ IPSec protocol (AH or ESP)]

16 SA Database (SAD)
- Holds the parameters for each SA: lifetime of the SA, AH and ESP information, tunnel or transport mode
- Every host or gateway participating in IPSec has its own SA database.

17 Security Policy Database (SPD)
- What traffic to protect? Policy entries define which SA or SA bundles to use on each IP traffic flow.
- Each host or gateway has its own SPD.
- The SPD is indexed by selector fields: destination IP, source IP, transport protocol, IPSec protocol, source port, destination port, ...

18 SPD Entry Actions
- Discard: do not let the traffic in or out
- Bypass: do not apply IPSec to outbound traffic; do not expect IPSec on inbound traffic
- Protect: point to an SA or SA bundle
  - Outbound: apply security
  - Inbound: check that security has been applied
- Actions for Protect if the SA does not exist:
  - Outbound processing: use IKE to generate the SA dynamically
  - Inbound processing: drop the packet

19 Outbound Processing
- Outbound packet (on A), destined for B
- SPD: is it for IPSec? If so, which policy entry to select?
- SAD: determine the SA and its SPI
- IPSec processing: build the IPSec packet carrying the SPI and send it to B
(Figure: A's SPD and SAD lookups on the path from the IP packet to the SPI & IPSec packet sent to B)

20 Outbound Packet Processing
- Form the ESP header: Security Parameter Index (SPI), sequence number
- Pad as necessary
- Encrypt the result: payload, padding, pad length, and next header
- Apply authentication: allows rapid detection of replayed/bogus packets
- The Integrity Check Value (ICV) includes the whole ESP packet minus the authentication data field

21 Inbound Processing
- Inbound packet (on B), from A, carrying the SPI
- Use the SPI to index the SAD
- SPD: was the packet properly secured?
- Un-process (decapsulate) to recover the original IP packet
(Figure: B's SAD and SPD lookups on the path from the SPI & packet received from A to the original IP packet)

22 Inbound Packet Processing...
- Sequence number checking: duplicates are rejected! (replay attack mitigation)
- Packet decryption: decrypt based on the SA specification (ESP payload, padding, pad length, next header); process (strip) the padding per the encryption algorithm; reconstruct the original IP datagram
- Authentication verification
- Allows potential parallel processing of decryption and verifying the authentication code

23 IPSec Security Policy: Example
(Figure: topology 1.1.1.1 - 5.5.5.5 - 6.6.6.6 - 2.2.2.2; the policies shown are listed in order)
- TCP 1.1.*.*:any -> 2.2.*.*:any : protect
    TCP 1.1.1.1:any -> 2.2.2.2:any : AH Transport {MD5}
- TCP 1.1.*.*:any -> 2.2.*.*:any : protect
    TCP 1.1.1.*:any -> 2.2.2.*:any : ESP Tunnel 6.6.6.6 {3DES}
- TCP 2.2.*.*:any -> 1.1.*.*:any : protect
    TCP 2.2.2.*:any -> 1.1.1.*:any : ESP Tunnel 5.5.5.5 {3DES}
- TCP 2.2.*.*:any -> 1.1.*.*:any : protect
    TCP 2.2.2.2:any -> 1.1.1.1:any : AH Transport {MD5}

24 IPSec Inter-Policy Conflicts
- Shadowing: the upstream policy blocks the traffic
    TCP 1.1.*.*:any -> 2.2.*.*:any : protect
    TCP 2.2.*.*:any -> 1.1.*.*:any : bypass
    (Figure: 1.1.1.1 -> 2.2.2.2, traffic dropped)
- Spurious: the downstream policy blocks the traffic
    TCP 1.1.*.*:any -> 2.2.*.*:any : bypass
    TCP 2.2.*.*:any -> 1.1.*.*:any : protect
    (Figure: 1.1.1.1 -> 2.2.2.2, traffic dropped)
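An added Python example, not from the slides, of SPD lookup and of the inter-policy conflicts of slide 24, using the selector fields of slide 17 and the actions of slide 18: selectors match with wildcard addresses and "any" ports, the first matching entry wins, and a flow that matches no entry falls to discard (the RFC 4301 default; the slides do not state one). `end_to_end` compares the upstream gateway's outbound action with the downstream gateway's inbound expectation for the same flow, which is enough to classify the two conflicts of slide 24. Both SPDs are assumed to be written in the flow's direction, and the entries and addresses are constructed from the slide's figures.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    proto: str    # "TCP", "UDP" or "*"
    src: str      # dotted quad, "*" wildcards per octet, e.g. "1.1.*.*"
    sport: str    # "any" or a port number as a string
    dst: str
    dport: str


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    sel: Selector
    action: str                # "discard" | "bypass" | "protect"
    sa: Optional[str] = None   # e.g. "ESP Tunnel 6.6.6.6 {3DES}" when protect


def addr_match(pattern: str, addr: str) -> bool:
    return all(p in ("*", a) for p, a in zip(pattern.split("."), addr.split(".")))


def port_match(pattern: str, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


def matches(sel: Selector, f: Flow) -> bool:
    return (sel.proto in ("*", f.proto)
            and addr_match(sel.src, f.src) and port_match(sel.sport, f.sport)
            and addr_match(sel.dst, f.dst) and port_match(sel.dport, f.dport))


DEFAULT_DISCARD = Rule(Selector("*", "*.*.*.*", "any", "*.*.*.*", "any"), "discard")


def lookup(spd: List[Rule], f: Flow) -> Rule:
    """First-match SPD lookup; no match falls to discard (RFC 4301 default)."""
    for rule in spd:
        if matches(rule.sel, f):
            return rule
    return DEFAULT_DISCARD


def end_to_end(spd_up: List[Rule], spd_down: List[Rule], f: Flow) -> Tuple[str, str]:
    """Outcome of a flow crossing an upstream then a downstream IPSec device,
    from the upstream outbound action and the downstream inbound expectation."""
    up, down = lookup(spd_up, f).action, lookup(spd_down, f).action
    if up == "discard":
        return ("dropped", "upstream discard")
    if down == "discard":
        return ("dropped", "downstream discard")
    if up == "protect" and down == "bypass":
        return ("dropped", "shadowing: upstream protect vs downstream bypass")
    if up == "bypass" and down == "protect":
        return ("dropped", "spurious: upstream bypass vs downstream protect")
    return ("delivered", "protected" if up == "protect" else "plain text")


# Constructed SPDs modelled on the slide's 1.1.*.* -> 2.2.*.* example
FLOW = Selector("TCP", "1.1.*.*", "any", "2.2.*.*", "any")
SPD_UP_PROTECT = [Rule(FLOW, "protect", "ESP Tunnel 6.6.6.6 {3DES}")]
SPD_UP_BYPASS = [Rule(FLOW, "bypass")]
SPD_DOWN_PROTECT = [Rule(FLOW, "protect", "ESP Tunnel 6.6.6.6 {3DES}")]
SPD_DOWN_BYPASS = [Rule(FLOW, "bypass")]

if __name__ == "__main__":
    f = Flow("TCP", "1.1.1.1", 40000, "2.2.2.2", 80)
    print(end_to_end(SPD_UP_PROTECT, SPD_DOWN_BYPASS, f))    # shadowing, dropped
    print(end_to_end(SPD_UP_BYPASS, SPD_DOWN_PROTECT, f))    # spurious, dropped
    print(end_to_end(SPD_UP_PROTECT, SPD_DOWN_PROTECT, f))   # delivered, protected
```

Because lookup is first-match, a narrow discard entry placed before the broad protect entry takes precedence; placed after it, the discard entry can never match, which is the intra-policy form of shadowing.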

25 IPSec Inter-Policy Conflicts (2)
- Overlapping tunnels with shared/common traffic
- Traffic is decapsulated in the reverse order of the traffic flow
    TCP 1.1.1.1:any -> 2.2.*.*:any : protect
      TCP 1.1.1.1:any -> 2.2.*.*:any : ESP Tunnel 6.6.6.6 {3DES}
    TCP 1.1.*.*:any -> 6.6.*.*:any : protect
      TCP 1.1.*.*:any -> 6.6.*.*:any : ESP Tunnel 2.2.2.2 {3DES}
    (Figure: 1.1.1.1 - 5.5.5.5 - 6.6.6.6 - 2.2.2.2; one segment is marked Plain Text)

26 IPSec Intra-Policy Conflicts
- Traffic is decapsulated in the reverse order of the traffic flow.
    TCP 1.1.1.1:any -> 2.2.*.*:any : protect
      TCP 1.1.1.1:any -> 2.2.2.*:any : ESP Tunnel 5.5.5.5 {3DES}
      TCP 1.1.1.1:any -> 2.2.2.2:any : AH Tunnel 6.6.6.6 {MD5}
    (Figure: 1.1.1.1 - 5.5.5.5 - 6.6.6.6 - 2.2.2.2; one segment is marked Plain Text)

27 IPSec Intra-Policy Conflicts (3)
- Application of redundant or weaker protection
    TCP 1.1.1.1:any -> 2.2.*.*:any : protect
      TCP 1.1.1.1:any -> 2.2.*.*:any : ESP Transport {3DES}
    TCP 1.1.*.*:any -> 2.2.*.*:any : protect
      TCP 1.1.*.*:any -> 2.2.*.*:any : AH Tunnel 6.6.6.6 {MD5}
    (Figure: 1.1.1.1 - 5.5.5.5 - 6.6.6.6 - 2.2.2.2)

28 THANKS
Sources:
- http://www.tcpipguide.com/free/t_ipsecurityipsecprotocols.htm
- http://www.ietf.org/html.charters/ipsec-charter.html
- IPsec: RFC 2401, IKE: RFC 2409
- http://pages.cs.wisc.edu/~jha/course-archive/642-spring-2006/slides/ipsec.ppt
- H. Hamed, E. Al-Shaer, and W. Marrero. Modeling and Verification of IPSec and VPN Security Policies. In IEEE ICNP, 2005.