CSCE 813 Internet Security: TCP/IP

Internet Security - Farkas


Reading Assignment

Reading:

R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 2

Recommended Reading:

CISCO: TCP/IP Technology, http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a008014f8a9.shtml

Before the Internet

  • Isolated, local packet-switching networks

    • only nodes on the same network could communicate

  • Each network was autonomous

  • different services

  • different interfaces

  • different protocols

Before the Internet (cont.)

  • ARPANET: sponsored by Defense Advanced Research Projects Agency (DARPA):

  • 1969: interconnected 4 hosts

  • 1970: host-to-host protocol: Network Control Protocol (NCP)

  • 1972: first application: e-mail

  • The four original hosts: Stanford Research Institute (SRI), Univ. of California at Santa Barbara (UCSB), Univ. of California at LA (UCLA), Univ. of Utah

Internet

Connect Existing Networks:

  • ARPANET, Packet Radio, and Packet Satellite

  • NCP not sufficient --> develop a new protocol

  • 1970s: Transmission Control Protocol (Kahn and Vinton)

    • Based on packet switching technology

    • Good for file transfer and remote terminal access

  • Divide TCP into 2 protocols

    • Internet Protocol (IP): addressing and forwarding of packets

    • Transmission Control Protocol (TCP): sophisticated services, e.g., flow control, recovery

  • 1980: TCP/IP adopted as a DoD standard

  • 1983: ARPANET protocol officially changed from NCP to TCP/IP

  • 1985: Existing Internet technology

  • 1995: U.S. Federal Networking Council (FNC) defines the term Internet

Goals (Clark’88)

Connect existing networks

  • Survivability

  • Support multiple types of services

  • Must accommodate a variety of networks

  • Allow distributed management

  • Allow host attachment with a low level of effort

  • Be cost effective

  • Allow resource accountability

Internet Challenge

  • Interconnected networks differ (protocols, interfaces, services, etc.)

  • Possibilities:

    • Reengineer and develop one global packet switching network standard: not economically feasible

    • Have every host implement the protocols of every network it wants to communicate with: too complex, very high engineering cost

    • Add an extra layer: internetworking layer

      • Hosts: one higher-level protocol

      • The connecting networks all use the same protocol

      • Interface between the new protocol and network

Layering

  • Organize a network system into logically distinct entities

    • the service provided by one entity is based only on the service provided by the lower level entity

Without Layering

  • Each application has to be implemented for every network technology!

Figure: each application (FTP, HTTP, SMTP) at the application layer is bound directly to each transmission medium (coaxial cable, fiber optic)


With Layering

  • Intermediate layer provides a unique abstraction for various network technologies

Figure: applications (FTP, HTTP, SMTP) at the application layer sit on one intermediate layer, which sits on the transmission media (coaxial cable, fiber optic)

Layering

  • Advantages

    • Modularity – protocols easier to manage and maintain

    • Abstract functionality – lower layers can be changed without affecting the upper layers

    • Reuse – upper layers can reuse the functionality provided by lower layers

  • Disadvantages

    • Information hiding – inefficient implementations

ISO OSI Reference Model

  • ISO – International Standard Organization

  • OSI – Open System Interconnection

  • Goal: a general open standard

    • allow vendors to enter the market by using their own implementation and protocols

OSI Model Concepts

  • Service – says what a layer does

  • Interface – says how to access the service

  • Protocol – says how the service is implemented

    • a set of rules and formats that govern the communication between two peers

TCP/IP Protocol Stack

  • Each layer interacts with the neighboring layers above and below

  • Each layer can be defined independently

  • Complexity of the networking is hidden from the application

Stack (top to bottom): Application Layer, Transport Layer, Internetwork Layer, Network Access Layer

OSI vs. TCP/IP

  • OSI: conceptually define: service, interface, protocol

  • Internet: provide a successful implementation

Layer comparison (top to bottom):

  • OSI: Application, Presentation, Session, Transport, Network, Datalink, Physical

  • TCP/IP: Application (Telnet, FTP, DNS), Transport (TCP, UDP), Internet (IP), Host-to-network (Packet radio, LAN)

Network Access Layer

  • Responsible for packet transmission on the physical media

  • Transmission between two devices that are physically connected

  • The goal of the physical layer is to move information across one “hop”

  • For example: Ethernet, token ring, Asynchronous Transfer Mode (ATM)

Internetwork Layer

  • Provides connectionless and unreliable service

  • Routing (routers): determine the path a packet has to traverse to reach its destination

  • Defines addressing mechanism

    • Hosts should conform to the addressing mechanism



IP Addresses

  • IP provides logical address space and a corresponding addressing schema

  • IP address is a globally unique or private number associated with a host network interface

  • Every system which will send packets directly out across the Internet must have a unique IP address

  • IP addresses are based on where the hosts are connected

  • IP addresses are controlled by a single organization - address ranges are assigned

  • The address space is running out!



Routing Protocols

  • Enable routing decisions to be made

  • Manage and periodically update routing tables, stored at each router

  • Router : “which way” to send the packet

  • Protocol types:

    • Reachability

    • Distance vector
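The distance-vector protocol type listed above, worked through as an added example (not from the slides) on a constructed four-router topology: every router starts knowing only the cost of its own links, exchanges its vector with its neighbours each round, and keeps the cheapest known cost and next hop for every destination. Router names, link costs and the helper names are made up for the illustration.

```python
"""Distance-vector route computation on a constructed four-router topology
(added example, not from the slides)."""
from typing import Dict, Tuple

INF = float("inf")

# Constructed topology: each router initially knows only the cost of its own links.
LINKS: Dict[str, Dict[str, int]] = {
    "A": {"B": 1, "C": 5},
    "B": {"A": 1, "C": 2, "D": 4},
    "C": {"A": 5, "B": 2, "D": 1},
    "D": {"B": 4, "C": 1},
}

Table = Dict[str, Tuple[float, str]]   # destination -> (cost, next hop)


def initial_table(router: str, links: Dict[str, Dict[str, int]]) -> Table:
    """Before any exchange: self at cost 0, direct neighbours at link cost, rest unreachable."""
    table: Table = {dest: (INF, "") for dest in links}
    table[router] = (0, router)
    for neighbour, cost in links[router].items():
        table[neighbour] = (cost, neighbour)
    return table


def distance_vector(links: Dict[str, Dict[str, int]]) -> Tuple[Dict[str, Table], int]:
    """Synchronous distance-vector rounds: every router sends its vector (cost per
    destination) to its neighbours and applies the Bellman-Ford update until no
    table changes. Returns the routing tables and the number of rounds run."""
    tables = {r: initial_table(r, links) for r in links}
    rounds = 0
    while True:
        rounds += 1
        # Vectors exchanged this round carry costs only, not next hops.
        advertised = {r: {d: c for d, (c, _) in t.items()} for r, t in tables.items()}
        changed = False
        for router, table in tables.items():
            for dest in links:
                best_cost, best_hop = table[dest]
                for neighbour, link_cost in links[router].items():
                    via = link_cost + advertised[neighbour][dest]
                    if via < best_cost:
                        best_cost, best_hop, changed = via, neighbour, True
                table[dest] = (best_cost, best_hop)
        if not changed:
            return tables, rounds


def next_hop(tables: Dict[str, Table], src: str, dst: str) -> str:
    """The per-packet forwarding decision a router makes: 'which way' to send it."""
    cost, hop = tables[src][dst]
    if cost == INF:
        raise LookupError(f"{dst} unreachable from {src}")
    return hop


if __name__ == "__main__":
    tables, rounds = distance_vector(LINKS)
    print(f"converged after {rounds} rounds")
    for router in sorted(tables):
        print(router, {d: (c, h) for d, (c, h) in tables[router].items()})
```

The tables converge in three rounds on this topology; `next_hop` is the "which way" decision the slide attributes to the router. A router applies whatever costs its neighbours advertise, so the quality of the resulting table depends entirely on the vectors it receives, which is why the routing tables themselves are something to monitor.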



The Domain Name System

  • Each system connected to the Internet also has one or more logical addresses.

  • Unlike IP addresses, domain addresses carry no routing information - they are organized based on administrative units

  • There are no limitations on the mapping from domain addresses to IP addresses



Domain Name Resolution

  • Domain Name Resolution: looking up a logical name and finding a physical IP address

  • There is a hierarchy of domain name servers

  • Each client system uses one domain name server which in turn queries up and down the hierarchy to find the address

  • If your server does not know the address, it goes up the hierarchy possibly to the top and works its way back down
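The walk up and back down the hierarchy described above, simulated as an added example (not from the slides): a local name server answers from its cache or, on a miss, starts at the root and follows delegations down to the server that holds the record. The server names, zones and addresses are constructed.

```python
"""Simulated recursive name resolution over a constructed server hierarchy
(added example, not from the slides; names and addresses are made up)."""
from typing import Dict, List, Optional, Tuple

# Constructed hierarchy. Each server either delegates a zone to a child server
# or holds final address records for the names it is authoritative for.
SERVERS: Dict[str, dict] = {
    "root":     {"delegate": {"edu": "edu-tld"}, "records": {}},
    "edu-tld":  {"delegate": {"sc.edu": "sc-auth"}, "records": {}},
    "sc-auth":  {"delegate": {"cse.sc.edu": "cse-auth"},
                 "records": {"www.sc.edu": "192.0.2.10"}},
    "cse-auth": {"delegate": {}, "records": {"www.cse.sc.edu": "192.0.2.20"}},
}


def longest_delegation(server: dict, name: str) -> Optional[str]:
    """Return the child server for the most specific delegated zone containing `name`."""
    best_zone, best_child = "", None
    for zone, child in server["delegate"].items():
        if (name == zone or name.endswith("." + zone)) and len(zone) > len(best_zone):
            best_zone, best_child = zone, child
    return best_child


class LocalNameServer:
    """The client's configured server: answers from cache or walks the hierarchy
    from the root down to the authoritative server."""

    def __init__(self, servers: Dict[str, dict]):
        self.servers = servers
        self.cache: Dict[str, str] = {}

    def resolve(self, name: str) -> Tuple[Optional[str], List[str]]:
        """Return (address or None, the servers consulted in order)."""
        if name in self.cache:
            return self.cache[name], ["cache"]
        path: List[str] = []
        current = "root"
        while True:
            path.append(current)
            server = self.servers[current]
            if name in server["records"]:
                self.cache[name] = server["records"][name]
                return self.cache[name], path
            child = longest_delegation(server, name)
            if child is None:          # no server in the hierarchy knows this name
                return None, path
            current = child


if __name__ == "__main__":
    local = LocalNameServer(SERVERS)
    for query in ("www.cse.sc.edu", "www.cse.sc.edu", "www.sc.edu", "www.example"):
        print(query, "->", local.resolve(query))
```

The returned path makes the hierarchy walk visible: the first lookup of `www.cse.sc.edu` touches four servers, the repeat is served from the local cache without leaving the local server, and a name nobody has delegated stops at the root. Everything the local server later hands out for that name comes from that one cached answer, so the cache is the state a defender most wants to be able to inspect.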

Transport Layer

  • Provides services to the application layer

  • Services:

    • Connection-oriented or connectionless transport

    • Reliable or unreliable transport

    • Security (authenticity, confidentiality, integrity)

  • Application has to choose the services it requires from the transport layer

  • Limitations of combinations, e.g., connectionless and reliable transport is invalid

Application Layer

  • Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail (port 25), finger (port 79)

  • Interface to the transport layer

    • Operating system dependent

    • Socket interface

Communication Between Layers

Figure: Host A - Router - Router - Host B. On Host A, application data becomes the transport payload, the transport segment becomes the network payload, and the network packet becomes the data link payload. Host A and Host B implement the application, transport, network and data link layers; each router implements only the network and data link layers.
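The encapsulation the figure depicts, built byte for byte as an added example (not the slides' own material) with only the Python standard library: the application data is wrapped by a TCP header, then an IPv4 header, then an Ethernet header, and a router strips and re-adds only the link layer while touching nothing above IP. Addresses, MACs, ports and the sample SMTP line are constructed; the TCP checksum is left at zero because computing it needs the IP pseudo-header, which this example leaves out.

```python
"""Layer-by-layer encapsulation of application data into a TCP/IPv4/Ethernet frame,
plus router forwarding and the reverse path, on constructed addresses
(added example, not from the slides)."""
import socket
import struct

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header (RFC 791).
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_wrap(payload: bytes, sport: int, dport: int, seq: int = 1) -> bytes:
    """Transport layer: prepend a minimal 20-byte TCP header (flags PSH+ACK).
    Checksum stays 0 here: it needs the IP pseudo-header, omitted in this example."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def ipv4_wrap(payload: bytes, src: str, dst: str, ttl: int = 64, proto: int = 6) -> bytes:
    """Internetwork layer: prepend a 20-byte IPv4 header with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(payload), 0, 0,
                                ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def ether_wrap(payload: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Network access layer: prepend a 14-byte Ethernet II header (EtherType 0x0800 = IPv4)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), 0x0800) + payload


def encapsulate(app_data: bytes, src_ip: str, dst_ip: str, src_mac: str, dst_mac: str) -> bytes:
    segment = tcp_wrap(app_data, 40000, 25)        # application data -> transport payload
    packet = ipv4_wrap(segment, src_ip, dst_ip)    # transport segment -> network payload
    return ether_wrap(packet, src_mac, dst_mac)    # network packet -> data link payload


def router_forward(frame: bytes, out_mac: str, next_hop_mac: str) -> bytes:
    """A router terminates only the data link layer: it drops the incoming Ethernet
    header, verifies the IP header, decrements TTL, recomputes the IP checksum and
    re-wraps for the next link. The TCP segment and application data are untouched."""
    packet = bytearray(frame[ETH_LEN:])
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(bytes(packet[:ihl])) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[8] <= 1:
        raise ValueError("TTL expired")
    packet[8] -= 1
    struct.pack_into("!H", packet, 10, 0)
    struct.pack_into("!H", packet, 10, ipv4_checksum(bytes(packet[:ihl])))
    return ether_wrap(bytes(packet), out_mac, next_hop_mac)


def decapsulate(frame: bytes) -> dict:
    """Receiving host: peel the headers in reverse order; each layer reads only its own."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    packet = frame[ETH_LEN:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", segment[:4])
    data_off = (segment[12] >> 4) * 4
    return {"ethertype": ethertype, "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl,
            "proto": proto, "sport": sport, "dport": dport, "data": segment[data_off:]}


if __name__ == "__main__":
    # Constructed sample: one SMTP command line from host A to a mail server on host B.
    frame = encapsulate(b"MAIL FROM:<alice@example.test>\r\n", "192.0.2.1", "198.51.100.7",
                        "02:00:00:00:00:01", "02:00:00:00:00:fe")
    forwarded = router_forward(frame, "02:00:00:00:00:fd", "02:00:00:00:00:02")
    print(decapsulate(forwarded))
```

Running it shows the three headers growing the frame by 54 bytes, the router changing only the Ethernet addresses, TTL and IP checksum, and the receiving host recovering the exact application bytes. The router never parses past the IP header, which is the slide's point that the transport and application layers exist only on the end hosts.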

Security -- At What Level?

  • Secure traffic at various levels in the network

  • Where to implement security? -- Depends on the security requirements of the application and the user

  • Basic services that need to be implemented:

    • Key management

    • Confidentiality

    • Nonrepudiation

    • Integrity/authentication

    • Authorization

Network Access Layer Security

  • Dedicated link between hosts/routers --> hardware devices for encryption

  • Advantages:

    • Speed

  • Disadvantages:

    • Not scalable

    • Works well only on dedicated links

    • Two hardware devices need to be physically connected

Internetwork Layer Security

IP Security (IPSec)

  • Advantages:

    • Overhead involved with key negotiation decreases <-- multiple protocols can share the same key management infrastructure

    • Ability to build VPN and intranet

  • Disadvantages:

    • Difficult to handle low-granularity security, e.g., nonrepudiation, user-based security

Transport Layer Security

  • Advantages:

    • Does not require enhancement to each application

  • Disadvantages:

    • Difficult to obtain user context

    • Implemented on an end system

    • Protocol specific --> implemented for each protocol

Transport Layer Security (cont.)

  • Advantages:

    • Does not require enhancement to each application

  • Disadvantages:

    • Obtaining user context gets complicated

    • Protocol specific --> needs to be duplicated for each transport protocol

    • Need to maintain context for connection (not currently implemented for UDP)

Application Layer Security

  • Advantages:

    • Executing in the context of the user --> easy access to user’s credentials

    • Complete access to data --> easier to ensure nonrepudiation

    • Application can be extended to provide security (does not depend on the operating system)

    • Application understands the data --> fine-tune security

  • Disadvantages:

    • Implemented in end hosts

    • Security mechanisms have to be implemented for each application -->

      • expensive

      • greater probability of making mistakes

Application Example

  • E-mail client using PGP

  • Extended capabilities

    • Ability to look up public keys of the users

    • Ability to provide security services such as encryption/decryption, nonrepudiation, and authentication for e-mail messages
