• Home

  • Documents

  • Computer Networks 13 Security in the Internet IPSec SSLTLS PGP VPN and Firewalls
34
1 TCE 2321 Computer Networks Lecture 13 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Computer Networks 13 Security in the Internet IPSec SSLTLS PGP VPN and Firewalls

Tags:

Embed Size (px)

DESCRIPTION

COMPUTER NETWORKS SECURITY

Citation preview

  • *TCE 2321 Computer NetworksLecture 13

    Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls(Chapter32)Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

  • *Figure 32.1 Common structure of three security protocolsIn IP, TCP & SMTP protocols, (1) MAC need to be created; (2) The message need to be encrypted.Alice & Bob need to know several pieces of information, security parameters, before they can send secured data to each other.

  • *32-1 IPSecurity (IPSec)IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level. Two Modes Two Security Protocols Security Association Internet Key Exchange (IKE)Virtual Private NetworkTopics discussed in this section:Figure 32.2 TCP/IP protocol suite and IPSec

  • *Figure 32.3 Transport mode and tunnel modes of IPSec protocolTransport mode the IPSec header & trailer are added to the information coming from the transport layer. the IP header is added later.Tunnel mode IPSec protects the entire IP packet. It takes an IP packet, including the header, applies IPSec security methods to the entire packet & then adds a new IP header.

  • *Figure 32.4 Transport mode in actionTransport mode is normally used when host-to-host (end-to-end) protection of data is needed.Sending host uses IPSec to authenticate &/ encrypt the payload delivered from the transport layer.Receiving host uses IPSec to check the authentication &/ decrypt the IP packet & deliver it to the transport layer.IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer.

  • *Figure 32.5 Tunnel mode in actionTunnel mode is normally used between: (1) 2 routers; (2) a host & a router; (3) a router & a host. in others words, it used when either the sender or the receiver is not a host.IPSec in tunnel mode protects the original IP header.

  • *Figure 32.6 Security protocols(1) : Authentication Header (AH) Protocol in transport modeThe AH Protocol provides source authentication and data integrity, but not privacy.

  • *Figure 32.7 Security protocols(2) : Encapsulating Security Payload (ESP) Protocol in transport modeESP provides source authentication, data integrity, and privacy.

  • *Table 32.1 IPSec servicesTable 32.1 shows the list of services available for AH & ESP

  • *Figure 32.8 Security Association(SA): Simple inbound and outbound security associationsAlice wants to have an association with Bob for use in a 2-way communication.Alice & Bob can have: Outbound association Inbound associationThe security associations are reduced to 2 small tables for Alice & Bob

  • *Figure 32.9 Internet Key Exchange (IKE): IKE componentsIKE creates SAs for IPSec.

  • *Table 32.2 Addresses for private networksPrivate network is designed for use inside an organization allows access to shared resources & provides privacy

  • *Figure 32.10 Private networkThe LANs at different sites connected to each other by using routers & leased linesIn figure 32.10, the LANs connected to each other by routers & 1 leased line.A private internet (totally isolated from the global internet) has been created.The organization does not need to apply for IP addresses with the Internet authorities; can use private addresses internally.Because the internet is private, duplication of addresses by another organization in the global Internet is not a problem.

  • *Figure 32.11 Hybrid networkUseful when the organizations need to have privacy in intraorganization data exchange, but at the same time, they need to be connected to the global Internet for data exchange with other organization.Allows an organization to have its own private internet & at the same time, access to the global Internet.Intraorganization data routed through the private internetInterorganization data routed through the global internet

  • *Figure 32.12 Virtual private network (VPN)VPN creates a network that is private (guarantees privacy inside the organization) virtual (does not need real private WANs)The network is physically public but virtually privateIn figure 32.12, routers R1 & R2 use VPN technolog to guarantee privacy for the organiztion.

  • *Figure 32.13 Addressing in a VPNVPN uses IPSec in the tunnel mode.Each IP datagram destined for private use in the organization is encapsulated in another datagram.2 sets of addressing are needed to use IPSec in tunneling.The public network (internet) carry the packet from R1 to R2Outsiders cannot decipher the (1) contents of the packet; (2) source & destination addressesDeciphering takes place at R2, which finds the destination address of the packet & delivers it.

  • *32-2 SSL/TLSTwo protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former. SSL ServicesSecurity Parameters Sessions and Connections Four ProtocolsTransport Layer SecurityTopics discussed in this section:Figure 32.14 Location of SSL and TLS in the Internet model

  • *Table 32.3 SSL cipher suite listThe combination of key exchange, hash & encryption algorithms defines a cipher suite for each SSL session.Each suite starts with the term SSL, followed by the key-exchange algorithm.The word WITH separates the key exchange algorithm from the encryption & hash algorithms.

  • *Table 32.3 SSL cipher suite list (continued)

  • *Figure 32.15 Creation of cryptographic secrets in SSLThe client and the server have six different cryptography secrets.The client & server exchange 2 random numbers; 1 is created by the client & the other by the server.The client & server exchange 1 premaster secret by using 1 of the key-exchange algorithmsA 48-byte master secret is created from the premaster secret by applying 2 hash functions (SHA-1 & MD5)The master secret is used to create variable-length secrets by applying the same set of hash functions & prepending with different constants.

  • *Figure 32.16 Four SSL protocols

  • *Figure 32.17 Handshake Protocol

  • *Figure 32.18 Processing done by the Record Protocol (at the sender site)The Record Protocol carries messages from the upper layer (Handshake Protocol,ChangeChipherSpec Protocol, Alert Protocol/application layer).The message is fragmented & optionally compressed; a MAC is added to the compressed message by using the negotiated hash algorithm.The compressed fragment & the MAC are encrypted by using the negotiated encryption algorithm.Finally, the SSL header is added to the encrypted message.

  • *32-3 PGPOne of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails. Security Parameters Services A Scenario PGP AlgorithmsKey RingsPGP CertificatesTopics discussed in this section:Figure 32.19 Position of PGP in the TCP/IP protocol suite

  • *In PGP, the sender of the message needs to include the identifiers of thealgorithms used in the message as well as the values of the keys.

  • *Figure 32.20 A scenario in which an e-mail message is authenticated and encryptedSender site: Alice creates a session key & concatenates it with the identity of the algorithm which will use this key.The result is encrypted with Bobs public key.Alice adds the identification of the public-key algorithm to the encrypted result. Alice authenticates the message by using a public-key signature algorithm & encrypts it with her private key.The result is called the signature.Alice appends the identification of the public key as well as the identification of the hash algorithm to the signature.Alice combines the results of Steps 1 & 2 & sends to them to Bob.Receiver site:Bob uses his private key to decrypt the combination of the session key & symmetric-key algorithm identification.Bob uses session key & the algorithm obtained in step 1 to decrypt the rest of the PGP message.Bob uses Alices public key & the algorithm defined by PA2 to decrypt the digest.Bob uses the hash algorithm defined by HA to a hash out of message he obtained in step2.Bob compares the hash created in step 4 & the hash he decrypted in step 3. If 2 are identical, he accepts the message; otherwise, he discards the message.

  • *Table 32.4 PGP Algorithms

  • *Figure 32.21 RingsAlice may need to send messages to many people. Thus, she needs a key rings of public key, with a key belong to each person with whom Alice needs to correspond.Alice may need to use a different key pair for each group. Therefore, each user needs to have 2 sets of rings: a ring of private/public keys & a ring of public keys of other people.Figure 32.21 shows a community of 4 people, each having a ring of pairs of private/public key & at the same time, a ring of 4 public keys belonging to the other 4 people in the community.The figure shows 7 public keys for each public ring; each person in the ring can keep more than 1 public key for each other person.

  • *In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.

  • *32-4 FIREWALLSAll previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.Packet-Filter Firewall Proxy FirewallTopics discussed in this section:

  • *Figure 32.22 FirewallFirewall a device (a router/computer) installed between the internal network of a organization & the rest of the Internet. is designed to forward some packets & filter (not forward) others.

  • *Figure 32.23 Packet-filter firewallA packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded.Figure 32.23 shows an example of a filtering table for this kind of a firewall.

    According to Figure 32.23, the following packets are filtered:-Incoming packets from network 131.34.0.0 are blocked.* (asterisk) means anyIncoming packets destined for any internal TELNET server (port 23) are blocked.Incoming packets destined for internal host 194.78.20.8 are blocked. The organization wants this host for internal use only.Outgoing packets destined for an HTTP server (port 80) are blocked. The organization does not want employees to browse the internet.

  • *A packet-filter firewall filters at the network or transport layer.

  • *Figure 32.24 Proxy firewallWhen the user client process sends a message, the proxy firewall runs a server process to receive the request,The server opens the packet at the application level & finds out if the request is legitimate.If it is, the server acts as a client process & sends the message to the real server in the corporation.If it is not, the message is dropped & an error message is sent to the external user.*** In this way, the requests of the external users are filtered based on the contents at the application layer.A proxy firewall filters at the application layer.1234

    **********************************


IPsec - Columbia Universitysmb/classes/s09/l12.pdf · IPsec IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some

IPsec - Columbia Universitysmb/classes/s09/l12.pdf · IPsec IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some

Documents
HB FW EN FREE - config.emule-french.orgconfig.emule-french.org/firewalls/img/Securepoint_pf/spfwen_hb.pdf · 5.4.3 Configuring the IPSec connection on the firewall.....56 6 Recording

HB FW EN FREE - config.emule-french.orgconfig.emule-french.org/firewalls/img/Securepoint_pf/spfwen_hb.pdf · 5.4.3 Configuring the IPSec connection on the firewall.....56 6 Recording

Documents
Pretty Good Privacy - SRM · PDF fileOutline Introduction PGP Operation PGP Key Management 1 Introduction PGP Services 2 PGP Operation PGP Components PGP Message Generation and Reception

Pretty Good Privacy - SRM · PDF fileOutline Introduction PGP Operation PGP Key Management 1 Introduction PGP Services 2 PGP Operation PGP Components PGP Message Generation and Reception

Documents
HUAWEI Eudemon200E-G85 Firewalls (Fixed-Configuration)carrier.huawei.com/~/media/CNBGV2/download/...Concurrent 1Sessions (HTTP1.1) 4,000,000 New Sessions/Second (HTTP1.1)1 80,000 IPsec

HUAWEI Eudemon200E-G85 Firewalls (Fixed-Configuration)carrier.huawei.com/~/media/CNBGV2/download/...Concurrent 1Sessions (HTTP1.1) 4,000,000 New Sessions/Second (HTTP1.1)1 80,000 IPsec

Documents
UNIT 2: Firewalls Content : Firewalls in general basic operation and architecture Main border firewalls using stateful inspection Screening firewalls

UNIT 2: Firewalls Content : Firewalls in general basic operation and architecture Main border firewalls using stateful inspection Screening firewalls

Documents
WHITE PAPER UNCOMPROMISED PERFORMANCE: Multi-Core …€¦ · malware detection, gateway antivirus, traffic analytics, application control, IPSec and SSL VPN. Next Generation Firewalls

WHITE PAPER UNCOMPROMISED PERFORMANCE: Multi-Core …€¦ · malware detection, gateway antivirus, traffic analytics, application control, IPSec and SSL VPN. Next Generation Firewalls

Documents
Application Security: internet, mobile ed oltre · 2017-01-23 · Applicazione . Trasporto (TCP) Rete (IP) Data Link : Fisico . WPA2 . IPsec . SSL/TLS SSH PGP . S-HTTP •Tali protocolli

Application Security: internet, mobile ed oltre · 2017-01-23 · Applicazione . Trasporto (TCP) Rete (IP) Data Link : Fisico . WPA2 . IPsec . SSL/TLS SSH PGP . S-HTTP •Tali protocolli

Documents
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction

Documents
Network Access and Security Chapter 13 – 15. Topics Security protocols –IPSec –L2TP –SSL –WEP –WPA –802.x Authentication Protocols Firewalls Proxy Services

Network Access and Security Chapter 13 – 15. Topics Security protocols –IPSec –L2TP –SSL –WEP –WPA –802.x Authentication Protocols Firewalls Proxy Services

Documents
PGP - Tietoverkkolaboratorio - · PDF file1 PGP • PGP Introduction – Kari Naukkarinen • PGP Algorithms – Antti Gröhn • PGP Key Management – Pasi Lehtonen • PGP Usability

PGP - Tietoverkkolaboratorio - · PDF file1 PGP • PGP Introduction – Kari Naukkarinen • PGP Algorithms – Antti Gröhn • PGP Key Management – Pasi Lehtonen • PGP Usability

Documents
IPSec Certificates · IPSec Certificates ThischapterdescribesanumberofStarOSfeaturesthatsupportIPSeccertificatemanagement. ThecommandsdescribedinthischapterappearintheCLIforthisrelease

IPSec Certificates · IPSec Certificates ThischapterdescribesanumberofStarOSfeaturesthatsupportIPSeccertificatemanagement. ThecommandsdescribedinthischapterappearintheCLIforthisrelease

Documents
Unblocking IPv6 Applications: Safely Connecting Through ...Unblocking IPv6 Applications: Safely Connecting Through Host and Edge Firewalls with IPsec By William Dixon President, V6

Unblocking IPv6 Applications: Safely Connecting Through ...Unblocking IPv6 Applications: Safely Connecting Through Host and Edge Firewalls with IPsec By William Dixon President, V6

Documents
Network Security. Today’s Universities Campus Perimeter Security Anti-virus system Firewalls Remote access VPN, using IPSEC Access control Content filtering

Network Security. Today’s Universities Campus Perimeter Security Anti-virus system Firewalls Remote access VPN, using IPSEC Access control Content filtering

Documents
UNIT II E-MAIL SECURITY & FIREWALLS...CS6004 / CYBER FORENSICS Prepared By: Mr X.MARTIN LOURDURAJ AP/CSE ,ST.ANNESCET 1 UNIT II E-MAIL SECURITY & FIREWALLS PGP – S/MIME – Internet

UNIT II E-MAIL SECURITY & FIREWALLS...CS6004 / CYBER FORENSICS Prepared By: Mr X.MARTIN LOURDURAJ AP/CSE ,ST.ANNESCET 1 UNIT II E-MAIL SECURITY & FIREWALLS PGP – S/MIME – Internet

Documents
Network Security: Firewalls, IPSec - · PDF fileNetwork Security: Firewalls, IPSec Tuomas Aura ... allow (=accept, permit, bypass) or block (=drop, deny, ... intercepting web proxy

Network Security: Firewalls, IPSec - · PDF fileNetwork Security: Firewalls, IPSec Tuomas Aura ... allow (=accept, permit, bypass) or block (=drop, deny, ... intercepting web proxy

Documents
2G1305 Internetworking/Internetteknik Spring 2005, Period ... · Maguire Proxy Access Through A Firewall IPSec, VPNs, Firewalls, and NAT 680 of 697 ... Proxy Server Bastion host

2G1305 Internetworking/Internetteknik Spring 2005, Period ... · Maguire Proxy Access Through A Firewall IPSec, VPNs, Firewalls, and NAT 680 of 697 ... Proxy Server Bastion host

Documents
ProSAFE VPN Firewall Series · Highlights Secure NETGEAR ProSAFE VPN Firewalls provide both secure IPsec site-to-site tunnels and IPsec secure access for remote clients and also support

ProSAFE VPN Firewall Series · Highlights Secure NETGEAR ProSAFE VPN Firewalls provide both secure IPsec site-to-site tunnels and IPsec secure access for remote clients and also support

Documents
PGP Public Key Import PGP Data Encryption

PGP Public Key Import PGP Data Encryption

Documents
Building scalable IPSec infrastructure with MikroTik · PDF fileBuilding scalable IPSec infrastructure with MikroTik IPSec, L2TP/IPSec, OSPF

Building scalable IPSec infrastructure with MikroTik · PDF fileBuilding scalable IPSec infrastructure with MikroTik IPSec, L2TP/IPSec, OSPF

Documents
Lawful Interception of IP Traffic: The European Context · Lawful Interception of IP Traffic: The European Context ... §VPNs (e.g. IPSec) §Encrypted IP Telephony (e.g. pgp -phone

Lawful Interception of IP Traffic: The European Context · Lawful Interception of IP Traffic: The European Context ... §VPNs (e.g. IPSec) §Encrypted IP Telephony (e.g. pgp -phone

Documents
Firewalls CS432. Overview What are firewalls? Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls

Firewalls CS432. Overview What are firewalls? Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls

Documents
HUAWEI HiSecEngine USG6500E Series Firewalls (Desktop) · 2019. 10. 21. · VPN encryption Supports multiple highly available VPN features, such as IPSec VPN, SSL VPN, L2TP VPN, and

HUAWEI HiSecEngine USG6500E Series Firewalls (Desktop) · 2019. 10. 21. · VPN encryption Supports multiple highly available VPN features, such as IPSec VPN, SSL VPN, L2TP VPN, and

Documents
Pretty Good Privacyweb.cse.msstate.edu/~ramkumar/pgp.pdf · Outline Introduction PGP Operation PGP Key Management PGP Components PGP - Sending and Receiving Messages Keys 1 Four types

Pretty Good Privacyweb.cse.msstate.edu/~ramkumar/pgp.pdf · Outline Introduction PGP Operation PGP Key Management PGP Components PGP - Sending and Receiving Messages Keys 1 Four types

Documents
High-Performance Integrated Firewalls · ith businessesbecoming ... 2-517-7111 TEL: 39-02-2900-0676 ... security than open source-based firewalls DHCP Server/Client/Relay/over IPSec

High-Performance Integrated Firewalls · ith businessesbecoming ... 2-517-7111 TEL: 39-02-2900-0676 ... security than open source-based firewalls DHCP Server/Client/Relay/over IPSec

Documents
Security in the Internet: IPSec, SSUTLS, PGp, VPN

Security in the Internet: IPSec, SSUTLS, PGp, VPN

Documents
Analisis Keamanan pada Pretty Good Privacy (PGP)informatika.stei.itb.ac.id/~rinaldi.munir/Kriptografi/2006-2007/... · cara kerja PGP, eksperimen dengan PGP, algoritma pada PGP, dan

Analisis Keamanan pada Pretty Good Privacy (PGP)informatika.stei.itb.ac.id/~rinaldi.munir/Kriptografi/2006-2007/... · cara kerja PGP, eksperimen dengan PGP, algoritma pada PGP, dan

Documents
Network Security Professor Dr. Adeel Akram. Firewalls, SSL, VPN and IPSec

Network Security Professor Dr. Adeel Akram. Firewalls, SSL, VPN and IPSec

Documents
High-Performance Integrated Firewalls · ith businessesbecoming ... security than open source-based firewalls DHCP Server/Client/Relay/over IPSec Active/passive modes ... 2-517-7111

High-Performance Integrated Firewalls · ith businessesbecoming ... security than open source-based firewalls DHCP Server/Client/Relay/over IPSec Active/passive modes ... 2-517-7111

Documents
1 Firewalls Firewalls Firewalls von Hendrik Lennarz Hendrik Lennarz

1 Firewalls Firewalls Firewalls von Hendrik Lennarz Hendrik Lennarz

Documents
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux

Documents