Securing Insecure Networks
SSL/TLS & IPsec
4-1: Cryptographic System
Copyright Pearson Prentice-Hall 2010 2
Cryptographic System Standards
Transmission across untrusted networks (Internet, wireless LANs, etc.): companies will (should) apply cryptographic systems, i.e., a Virtual Private Network (VPN).
SSL/TLS (Secure Socket Layer / Transport Layer Security): non-transparent; it does not automatically protect application messages. Only messages from applications that are SSL/TLS-aware are protected (web browsers/web servers; many email).
But there's a problem.
IPsec: operates at the Internet layer. Everything in the IP packet's data field is protected. Transparent protection: applications and the transport layer are protected (see Module A).
Layer (Hybrid TCP/IP-OSI)
Application: Application
Transport: TCP, UDP
Internet: IP
Single Network: Data Link, Physical
4-2: Virtual Private Networks (VPNs)
Figure labels: "SSL/TLS or IPsec (Transport)"; "SSL/TLS"; "IPsec (Tunnel)".
Host-to-Host VPNs
Connect one Client to one Server
4-3: Host-to-Host SSL/TLS VPN
Remote Access VPNs
Connects a single client to a network.
The connection is to a VPN gateway, which is used for authentication and access control. Depending on the access authorization, the connection can be to multiple computers on the network.
Uses SSL/TLS between the browser and the gateway: to SSL/TLS, the gateway is a web server. SSL/TLS protects messages between the client and the gateway. The gateway authenticates itself to the client via public key authentication.
Types of Remote Access Connections
Web server.
Database server: the gateway translates browser requests into queries to the database, and translates database responses into web pages ("webifies" them).
Router: connection to a subnet of the network.
4-5: SSL/TLS and Remote Access VPN Using a Gateway
4-4: SSL/TLS Handshaking Phase
Step | Sender | Name of Message | Semantics (Meaning)
1 | Client | Client Hello | Client requests secure connection. Client lists cipher suites it supports.
2 | Server | Server Hello | Server indicates willingness to proceed. Selects a cipher suite to use in the session.
3 | Server | Certificate | Server sends its digital certificate containing its public key. (Client should check the certificate's validity.)
4 | Server | ServerHelloDone | Server indicates that its part in the initial introduction is finished.
Stage 1 (steps 1-4)
Stage 2 & 3 ???
4-4: SSL/TLS Handshaking Phase
Step | Sender | Name of Message | Semantics (Meaning)
5 | Client | ClientKeyExchange | Client generates a random symmetric session key. Encrypts it with the server's public key. It sends this encrypted key to the server. Only the server can decrypt the key, using the server's own private key. The server decrypts the session key. Both sides now have the session key.
6 | Client | ChangeCipherSpec* | Client changes selected cipher suite from pending to active.
7 | Client | Finish | Client indicates that its part in the initial introduction is finished.
*Not cipher suite.
Step 5: key exchange using public key encryption for confidentiality.
Stage 2 & 3 (steps 5-7)
4-4: SSL/TLS Handshaking Phase
Step | Sender | Name of Message | Semantics (Meaning)
8 | Server | ChangeCipherSpec* | Server changes selected cipher suite from pending to active.
9 | Server | Finish | Server indicates that its role in selecting options is finished.
10 | | | Ongoing communication stage begins.
*Not cipher suite.
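As an added illustration of steps 1-10 in the table (example code written for this page, not code from the slides), the following Python models both sides of the handshake in memory: the client offers cipher suites, the server selects one, sends a certificate, the client encrypts a random session key with the certificate's public key, and each side activates the pending suite and proves possession of the key with a Finish message computed over the transcript. Everything not in the table is an assumption: the RSA key pair uses constructed small primes and unpadded textbook RSA so that the key-exchange step stays visible, the cipher suite names and the certificate dict are constructed, the certificate "validity check" is reduced to a subject-name match against a pinned name, and the Finish message is simplified to an HMAC over the transcript keyed with the session key.

```python
"""Toy walk-through of the SSL/TLS handshake steps in the table above.
Added example, not code from the slides. Textbook RSA with small constructed
primes and an HMAC-over-transcript Finish are simplifications for teaching."""
import hashlib
import hmac
import os

# Server long-term key pair (constructed toy primes; NOT secure sizes).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
SERVER_CERT = {"subject": "vpn-gateway.example", "public_key": (N, E)}  # constructed
SERVER_SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]


class Endpoint:
    """Per-side handshake state: transcript of messages seen so far, the
    negotiated (pending) suite, and whether ChangeCipherSpec made it active."""

    def __init__(self, name):
        self.name = name
        self.transcript = []  # (sender, message name, payload) tuples
        self.pending_suite = None
        self.active_suite = None
        self.session_key = None

    def record(self, sender, msg_name, payload):
        self.transcript.append((sender, msg_name, repr(payload)))

    def finished_mac(self):
        # Finish proves the sender holds the session key and saw the same
        # messages: HMAC over every message exchanged so far.
        data = "|".join(f"{s}:{m}:{p}" for s, m, p in self.transcript).encode()
        return hmac.new(self.session_key, data, hashlib.sha256).hexdigest()


def handshake(client_suites, trusted_subject="vpn-gateway.example"):
    """Run steps 1-10 between an in-memory client and server.
    Returns (client, server) once the ongoing communication stage begins."""
    client, server = Endpoint("client"), Endpoint("server")

    # Step 1: ClientHello lists the suites the client supports.
    for ep in (client, server):
        ep.record("client", "ClientHello", client_suites)

    # Step 2: ServerHello selects one suite; nothing in common is a failure.
    common = [s for s in client_suites if s in SERVER_SUITES]
    if not common:
        raise ValueError("handshake failure: no cipher suite in common")
    chosen = common[0]
    client.pending_suite = server.pending_suite = chosen
    for ep in (client, server):
        ep.record("server", "ServerHello", chosen)

    # Step 3: Certificate; the client checks it before trusting the key
    # (here: subject must match the pinned name, an assumption of this toy).
    for ep in (client, server):
        ep.record("server", "Certificate", SERVER_CERT["subject"])
    if SERVER_CERT["subject"] != trusted_subject:
        raise ValueError("certificate check failed: unexpected subject")
    n, e = SERVER_CERT["public_key"]

    # Step 4: ServerHelloDone.
    for ep in (client, server):
        ep.record("server", "ServerHelloDone", "")

    # Step 5: ClientKeyExchange - random session key encrypted with the
    # server's public key, so only the private-key holder can recover it.
    session_key = os.urandom(6)  # 48 bits keeps the integer below N
    encrypted = pow(int.from_bytes(session_key, "big"), e, n)  # textbook RSA
    for ep in (client, server):
        ep.record("client", "ClientKeyExchange", encrypted)
    client.session_key = session_key
    server.session_key = pow(encrypted, D, N).to_bytes(6, "big")  # server side

    # Step 6: client ChangeCipherSpec (pending -> active); step 7: client Finish.
    client.active_suite = client.pending_suite
    client_fin = client.finished_mac()
    if not hmac.compare_digest(client_fin, server.finished_mac()):
        raise ValueError("client Finish verification failed")
    for ep in (client, server):
        ep.record("client", "Finish", client_fin)

    # Step 8: server ChangeCipherSpec; step 9: server Finish, checked by client.
    server.active_suite = server.pending_suite
    server_fin = server.finished_mac()
    if not hmac.compare_digest(server_fin, client.finished_mac()):
        raise ValueError("server Finish verification failed")
    for ep in (client, server):
        ep.record("server", "Finish", server_fin)

    # Step 10: ongoing communication stage begins.
    return client, server
```

Calling `handshake(["TLS_RSA_WITH_AES_128_CBC_SHA"])` returns both endpoints holding the same session key and the same active suite. Offering only suites the server does not support, or presenting a certificate whose subject does not match the pinned name, raises before any session key is sent, which is the point of the "client should check the certificate's validity" note in step 3.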
Site-to-Site VPNs
Protects all traffic between two sites.
A VPN gateway sits at each end of the transmission.
The VPN gateways encrypt/decrypt the messages.
IPsec Modes
Transport (host-to-host): protects messages from host to host, over the Internet and within the site networks. Requires installing IPsec on each client/server (not built into the browser), so it is costly. Eliminates the ability of a firewall to filter content, as it is encrypted.
Tunnel (site-to-site): protects messages between VPN gateways over the Internet. Less costly than transport mode. The firewall can filter content.
IPsec Operation: Transport Mode
Figure annotations: 1. End-to-end security (good). 2. Security in site network (good). 3. Setup cost on each host (costly).
IPsec Operation: Tunnel Mode
Figure annotations: 2. No security in site network (bad). 3. No setup cost on each host (good).
4-8: Comparing IPsec Transport and Tunnel Modes
Characteristic | Transport Mode | Tunnel Mode
Uses an IPsec VPN gateway? | No | Yes
Cryptographic protection | All the way from the source host to the destination host, including the Internet and the two site networks. | Only over the Internet between the IPsec gateways. Not within the two site networks.
Setup costs | High. Setup requires the creation of a digital certificate for each client and significant configuration work. | Low. Only the IPsec gateways must implement IPsec, so only they need digital certificates and need to be configured.
4-8: Comparing IPsec Transport and Tunnel Modes (continued)
Characteristic | Transport Mode | Tunnel Mode
Firewall friendliness | Bad. A firewall at the border to a site cannot filter packets because the content is encrypted. | Good. Each packet is decrypted by the IPsec gateway. A border firewall after the IPsec gateway can filter the decrypted packet.
The "bottom line" | End-to-end security at high cost. | Low cost, and protects the packet over the most dangerous part of its journey.
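To make the "cryptographic protection" and "firewall friendliness" rows concrete, here is an added Python model (written for this page; not code from the slides or from any IPsec implementation). It wraps one constructed packet in each mode and asks what a border firewall can filter on: transport mode keeps the original IP header in the clear and encrypts everything above it, while tunnel mode encrypts the whole original packet behind a new gateway-to-gateway IP header. The "encryption" is a constructed SHA-256 keystream toy used only to make fields opaque, not the ESP transforms real IPsec uses; the addresses, ports and key are constructed.

```python
"""Transport vs. tunnel mode as seen by a border firewall.
Added example, not code from the slides. The toy cipher and all addresses
are constructed for illustration only."""
import hashlib
import json


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed SHA-256 counter-mode keystream XOR. It only makes bytes
    opaque for this demonstration; it is not an IPsec (ESP) transform."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], block))
    return bytes(out)


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes the XOR


def original_packet():
    """Constructed packet from a host on site A to a host on site B."""
    return {"ip": {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "TCP"},
            "tcp": {"sport": 51234, "dport": 3389},
            "payload": "hello"}


def transport_mode(pkt, key):
    """Host-to-host: the original IP header stays in the clear; the TCP header
    and payload are encrypted, so they stay protected from source host to
    destination host, across both site networks and the Internet."""
    inner = json.dumps({"tcp": pkt["tcp"], "payload": pkt["payload"]}).encode()
    return {"ip": dict(pkt["ip"], proto="ESP"), "esp": toy_encrypt(key, inner)}


def tunnel_mode(pkt, key, gw_a="203.0.113.1", gw_b="198.51.100.1"):
    """Site-to-site: the IPsec gateway at site A encrypts the entire original
    packet and prepends a new IP header addressed to the gateway at site B
    (gateway addresses are constructed documentation addresses)."""
    inner = json.dumps(pkt).encode()
    return {"ip": {"src": gw_a, "dst": gw_b, "proto": "ESP"},
            "esp": toy_encrypt(key, inner)}


def decapsulate(wrapped, key):
    """What the receiving end (the host in transport mode, the IPsec gateway
    in tunnel mode) recovers from the ESP body."""
    return json.loads(toy_decrypt(key, wrapped["esp"]))


def firewall_visible_fields(pkt):
    """Fields a firewall can base a decision on: only headers outside ESP."""
    fields = {f"ip.{k}": v for k, v in pkt["ip"].items()}
    if "tcp" in pkt:
        fields.update({f"tcp.{k}": v for k, v in pkt["tcp"].items()})
    return fields


def firewall_can_enforce_port_rule(pkt, port):
    """A 'deny TCP destination port X' rule is enforceable only when the
    destination port is visible; encrypted (ESP) content defeats it."""
    return firewall_visible_fields(pkt).get("tcp.dport") == port


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pkt = original_packet()
    for name, wrapped in (("transport", transport_mode(pkt, key)),
                          ("tunnel", tunnel_mode(pkt, key))):
        print(name, "at border firewall:", firewall_visible_fields(wrapped))
        print(name, "after decapsulation:", decapsulate(wrapped, key))
```

The two firewall functions show the table's point. In transport mode the border firewall sees the real host addresses but not the TCP port, so a port-based rule cannot be enforced anywhere on the path. In tunnel mode the border sees only the two gateway addresses, but once the gateway decapsulates, a firewall placed behind it sees the full original packet, which is why the slides put the border firewall after the IPsec gateway.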
4-6: IP Security (IPsec) versus SSL/TLS
Characteristic | SSL/TLS | IPsec
Cryptographic security standard | Yes | Yes
Cryptographic security protections | Good | Gold standard
Supports central management | No | Yes
Complexity and expense | Lower | Higher
Layer of operation | Transport | Internet
Transparently protects all higher-layer traffic | No | Yes
Works with IPv4 and IPv6 | NA | Yes
Modes of operation | NA | Transport, Tunnel
4-9: IPsec Security Associations
Kind of like a cipher suite.
Enables central management.
Recommended.