
IP Security PowerPoint PPT Presentation


Presentation Transcript



IP Security

IPSec

Firewall Design

Security - Understanding when and how users, computers, services, networks can trust one another

2 fundamental techniques

Perimeter security

Encryption

CS 428 Computer Networking



Security

Perimeter security - allows organization to determine services and networks it will make available to outsiders

Encryption handles most other aspects


Security

Security implies safety, assurance of data integrity, freedom from unauthorized access, freedom from snooping or wiretapping, freedom from disruption of service

Physical security is as important as protecting abstract resources


Aspects of Protection

Data Integrity - Protect from unauthorized change

Data Availability - Outsiders cannot prevent legitimate access to data

Confidentiality

Authorization - access only to the data required

Replay Avoidance - outsiders who capture copies of packets cannot re-send them


Information Policy

“Before an organization can enforce network security, it must assess risks and develop a clear policy regarding information access and protection.”

An information policy begins with people - most susceptible point in any security scheme


Internet Security

Datagrams can be intercepted or compromised - the contents cannot be trusted

Example

Server attempts source authentication

Examine source IP address

Source authentication is weak

Stronger authentication requires encryption


IPSec

A set of protocols that provide secure Internet communication

Valid for IPv4 and IPv6

IPSec is flexible and extensible

Can use authentication or encryption

Asymmetric choices are OK

Does not demand a specific authentication or encryption algorithm

Includes a set of encryption algorithms that all implementations must recognize


IPSec AH

Authentication Header

See figures 32.1 and 32.2 on pages 584 and 585

Inserts AH after IP header and before transport header

PROTOCOL field in IP header changed to value 51

PROTOCOL field is changed so how does receiver determine type?


IPSec AH

AH has a NEXT HEADER field; the original PROTOCOL value is written there

PAYLOAD LEN - Length of AH

SEQUENCE NUMBER - starts at 0 and increases monotonically

SECURITY PARAMETER INDEX - specifies Security Association (SA)

AUTHENTICATION DATA - based upon security scheme


Security Association

Security scheme includes

authentication algorithm

key(s)

key lifetime

algorithm lifetime for destination

authorized source addresses

This information cannot fit into the header

Each receiver collects all details about the security scheme into an abstraction called a Security Association (SA)


Security Association

Each SA is given a number, called a security parameters index (SPI)

Before a sender can use IPSec to communicate with a receiver, the sender must know the index value of an SA on the receiver

Index values are owned by destinations, not globally known!

SAs have lifetimes, after which index values can be reused


IPSec ESP

Privacy plus Authentication

Encapsulating Security Protocol

Value 50 in PROTOCOL field

See figures on 586 and 587

3 additional areas

ESP HEADER

ESP TRAILER

ESP AUTH - variable size


IPSec ESP

Uses many of the same items as AH but reorders them

ESP HEADER

8 octets for SPI and SEQ Number

ESP TRAILER

Optional padding

Padding Length

NEXT HEADER

ESP AUTH data


IPSec ESP

Padding may be present for 3 reasons

Some decryption algorithms require zeros following encrypted message

NEXT HEADER is right-justified within a 4-octet field; IPSec requires that the AUTH data following the trailer start on a 4-octet boundary

Random padding to throw off sniffers

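The three padding reasons on this slide come together in the ESP trailer. The Python below is an added example, not code from the lecture or its textbook: it assumes the trailer layout of RFC 4303 (padding, then a one-octet PAD LENGTH and a one-octet NEXT HEADER, with the AUTH data after that) and that standard's default padding content of 1, 2, 3, ...; the block sizes, the TCP protocol number and the sample payload are illustrative choices.

```python
import secrets

# Added example, not from the slides. Trailer layout per RFC 4303:
#   [payload][padding][PAD LENGTH: 1 octet][NEXT HEADER: 1 octet]  followed by ESP AUTH data.
# The default padding content defined there is the sequence 1, 2, 3, ...; block sizes
# and protocol numbers used below are illustrative choices.

IPPROTO_TCP = 6   # NEXT HEADER value when the protected payload is a TCP segment


def esp_padding_length(payload_len, block_size=4, extra_blocks=0):
    """Octets of padding so that payload + padding + the 2 trailer octets is a multiple of block_size.

    block_size=4 gives only the mandatory alignment (AUTH data must start on a 4-octet
    boundary); a block cipher such as AES-CBC raises it to its block size, 16.
    extra_blocks adds whole blocks of traffic-flow padding that hide the real payload length.
    """
    base = (-(payload_len + 2)) % block_size
    return base + extra_blocks * block_size


def build_esp_trailer(payload, next_header, block_size=4, extra_blocks=0):
    """Append padding, PAD LENGTH and NEXT HEADER to the payload (the part ESP then encrypts)."""
    pad_len = esp_padding_length(len(payload), block_size, extra_blocks)
    if pad_len > 255:
        raise ValueError("PAD LENGTH is a single octet")
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default monotonic padding
    return payload + padding + bytes([pad_len, next_header])


def random_extra_blocks(max_blocks=3):
    """Randomly chosen extra padding so a sniffer cannot read payload sizes off the ciphertext length."""
    return secrets.randbelow(max_blocks + 1)


def parse_esp_trailer(plaintext, check_padding=True):
    """Receiver side after decryption: validate the trailer and return (payload, next_header)."""
    if len(plaintext) < 2:
        raise ValueError("too short to hold an ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("PAD LENGTH larger than the data")   # never trust the length field blindly
    padding = plaintext[-2 - pad_len:len(plaintext) - 2]
    if check_padding and padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not match the default pattern")
    return plaintext[:len(plaintext) - 2 - pad_len], next_header


def round_trip(payload, block_size=16, extra_blocks=1):
    """Build a trailer and parse it back; returns (total length, recovered payload, next header)."""
    wire = build_esp_trailer(payload, IPPROTO_TCP, block_size, extra_blocks)
    recovered, nh = parse_esp_trailer(wire)
    return len(wire), recovered, nh
```

Because the receiver reads PAD LENGTH out of the decrypted data, the parser checks that value against the actual length before slicing; a malformed or corrupted trailer is rejected rather than producing a payload of the wrong size.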

Mutable Fields

IPSec authentication is designed to assure that the arriving datagram is identical to the one the source sent

Intermediate routers decrement the TTL field and recompute checksums

Mutable fields = IP header fields that can change

IPSec only authenticates immutable fields

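The AH field slides, the Security Association slides and this Mutable Fields slide fit together in one worked example. The Python below is added here and is not code from the lecture or its textbook: it builds an AH datagram with the field layout of RFC 4302 (NEXT HEADER, PAYLOAD LEN in 32-bit words minus 2, SPI, SEQUENCE NUMBER, AUTHENTICATION DATA), keeps a receiver-side SA table keyed by SPI, computes the authentication data with HMAC-SHA1-96 over the IPv4 header with the mutable fields zeroed, and rejects modified or replayed datagrams. The addresses, key and payload are constructed sample values, and the strictly increasing sequence check is a simplification of the standard's sliding anti-replay window.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Added example (not from the slides). Field layout follows RFC 4302:
#   AH = NEXT HEADER(1) | PAYLOAD LEN(1) | RESERVED(2) | SPI(4) | SEQUENCE NUMBER(4) | AUTHENTICATION DATA(n)
# The key, addresses and payload are made-up sample values.

IPPROTO_AH = 51
IPPROTO_TCP = 6
AH_FIXED_LEN = 12
ICV_LEN = 12          # HMAC-SHA1-96 truncates the MAC to 96 bits (assumed scheme for this SA)


@dataclass
class SecurityAssociation:
    """The receiver-side abstraction the slides call an SA: algorithm, key and replay state."""
    spi: int
    key: bytes
    last_seq: int = 0  # highest SEQUENCE NUMBER accepted so far


def ipv4_header(src, dst, total_len, ttl=64, proto=IPPROTO_AH):
    """Minimal 20-octet IPv4 header; the checksum is left at 0 because AH excludes it anyway."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       to_bytes(src), to_bytes(dst))


def zero_mutable_fields(ip_header):
    """Mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) are zeroed before the ICV is computed."""
    hdr = bytearray(ip_header)
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr)


def build_ah_packet(src, dst, sa, seq, payload, next_header=IPPROTO_TCP):
    ah_len = AH_FIXED_LEN + ICV_LEN
    payload_len_field = ah_len // 4 - 2          # RFC 4302: AH length in 32-bit words, minus 2
    ip_hdr = ipv4_header(src, dst, 20 + ah_len + len(payload))   # PROTOCOL field carries 51
    ah = struct.pack("!BBHII", next_header, payload_len_field, 0, sa.spi, seq)
    icv = hmac.new(sa.key, zero_mutable_fields(ip_hdr) + ah + bytes(ICV_LEN) + payload,
                   hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah + icv + payload


def verify_ah_packet(packet, sa_table):
    """Receiver side: locate the SA by SPI, check the ICV, then enforce replay avoidance."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != IPPROTO_AH:
        raise ValueError("PROTOCOL field is not 51")
    next_header, payload_len_field, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
    ah_len = (payload_len_field + 2) * 4
    icv, payload = rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
    sa = sa_table.get(spi)
    if sa is None:
        raise ValueError(f"no SA for SPI {spi:#x}")   # index values are owned by the receiver
    expected = hmac.new(sa.key, zero_mutable_fields(ip_hdr) + rest[:AH_FIXED_LEN] + bytes(len(icv)) + payload,
                        hashlib.sha1).digest()[:len(icv)]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AUTHENTICATION DATA mismatch")
    if seq <= sa.last_seq:                           # simplified: RFC 4302 uses a sliding window
        raise ValueError("replayed sequence number")
    sa.last_seq = seq
    return next_header, payload


def demo():
    """Exercise the cases the slides discuss; returns which datagrams the receiver accepted."""
    sa_table = {0x1000: SecurityAssociation(spi=0x1000, key=b"constructed-demo-key")}
    sa = sa_table[0x1000]
    payload = b"constructed TCP segment"
    results = {}
    genuine = build_ah_packet("10.0.0.1", "10.0.0.2", sa, 1, payload)
    results["genuine"] = verify_ah_packet(genuine, sa_table) == (IPPROTO_TCP, payload)
    hopped = bytearray(build_ah_packet("10.0.0.1", "10.0.0.2", sa, 2, payload))
    hopped[8] -= 1  # a router decremented TTL; authentication still holds
    results["after_ttl_decrement"] = verify_ah_packet(bytes(hopped), sa_table) == (IPPROTO_TCP, payload)
    tampered = bytearray(build_ah_packet("10.0.0.1", "10.0.0.2", sa, 3, payload))
    tampered[-1] ^= 0x01  # one payload bit changed in transit
    try:
        verify_ah_packet(bytes(tampered), sa_table)
        results["tampered"] = True
    except ValueError:
        results["tampered"] = False
    try:
        verify_ah_packet(bytes(hopped), sa_table)  # same datagram delivered a second time
        results["replayed"] = True
    except ValueError:
        results["replayed"] = False
    return results
```

The receiver never trusts the datagram's own PROTOCOL or length fields to decide who it is talking to: the SPI selects the SA, and only the SA's key can confirm the datagram. Zeroing TTL and checksum before the MAC is what lets a datagram survive the routers' legitimate changes while any change to an immutable field or to the payload still fails the check.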

IPSec Tunneling

Standard defines both AH and ESP tunnels

See figure 32.4 on page 588

Required security algorithms

See figure 32.5 on page 588

Secure Sockets Layer (SSL)

Originated by Netscape

Dual (two-way) authentication; negotiates the encryption algorithm

Secure connection; not formally adopted by the IETF but a de facto standard


Firewalls

Place firewall at connection to external internet

Inside and outside regions

Intranet can have several external connections

Only as strong as the weakest link

All firewalls must be configured to use same access restrictions


Firewalls

In theory, a firewall simply blocks all communication between the organization and the outside

In practice, more than this is needed

Firewalls need to be tailored to the specific organization

Must have hardware and software to handle a potentially busy interface


Packet-Level Filters

High speed filtering mechanism

Manager configures filter in router

Filter (block) all datagrams from a specific source, or those used by a specific application

Does not keep a record of filtering

Packet filters are not defined by the TCP/IP standards


Packet Filters

See figure 32.6 on page 591

Block incoming datagrams destined for well-known services

Block outgoing datagrams from any host in the 16-bit prefix 128.5.0.0 to a remote e-mail server (TCP port 25)



Packet Filters

The previous example does not work well for a firewall

The number of well-known ports is large

Much traffic on an internet does not travel on well-known ports

Programmers can choose port numbers

Remote Procedure Call assigns dynamic port numbers

Listing ports leaves the firewall open to tunneling



Firewalls

Tunneling can circumvent security

A host on the inside agrees to accept encapsulated datagrams from a host on the outside

It removes one layer of encapsulation and then forwards the inner datagram to an internal service

Must reverse the idea of filtering

Instead of identifying which datagrams should be filtered (blocked), block everything!



Firewalls

Allow only those datagrams for approved networks, hosts, and ports

Examine the organization's information policy, then enable specific functionality

Many packet filters use this approach

Solves many problems, and has an interesting consequence

Prevents inside users from accessing outside resources



Firewalls

Servers may operate on well-known ports, but clients do not

Clients may send data out but won't get data back in

The packet filter will block the client's returning datagram

Not all organizations configure filters to block all internal unknown port numbers



Proxy Access

Secure Firewalls

Users on the inside need to access resources on the outside

Safe access can only be provided through a secure computer

Install one secure computer with each firewall and install a set of application gateways on that computer

Bastion Host



Secure Gateway

See figure 32.7 on page 593

Outer barrier

Blocks all incoming traffic except for datagrams destined for:

services on the bastion that the organization chooses to expose externally

clients on the bastion host

Inner barrier

Blocks incoming traffic except datagrams coming from the bastion

Manual bypass



Secure Firewalls

Web access example

The firewall prevents the user's computer from receiving datagrams

The user cannot use a browser for direct access

Arrange a proxy server on the bastion host

Inside, each browser is configured to use the proxy

The proxy contacts the URL, receives the information, and returns it transparently to the user inside the firewall



Firewall Implementation

Each barrier requires a router with a packet filter

Network connections between the routers and the bastion host

See figure 32.8 on page 594

R2 = outer barrier

H = bastion host

R1 = inner barrier

The safety of the firewall depends on the safety of the bastion host (software and hardware)
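The packet-filter slides (the figure 32.6 blocklist, the reversed default-deny filter and the blocked client reply) and the two-barrier layout of figures 32.7 and 32.8 can all be exercised with one toy stateless filter. The Python below is an added example, not the lecture's or the textbook's code: it matches rules on a 5-tuple with first-match semantics, uses 128.5.0.0/16 from the slides as the inside prefix, and assumes constructed addresses for the mail server, the bastion host H and the outside hosts (taken from the 203.0.113.0/24 documentation range); the choice of telnet as the blocked well-known service is also an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

# Added example, not from the slides. A toy stateless packet filter in the style of the
# router filters in figures 32.6 to 32.8. Addresses other than 128.5.0.0/16 are made up.

PortSpec = Union[None, int, range]


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


def _port_ok(spec: PortSpec, port: int) -> bool:
    return spec is None or port == spec or (isinstance(spec, range) and port in spec)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: PortSpec = None
    dport: PortSpec = None

    def matches(self, d: Datagram) -> bool:
        return (ip_address(d.src) in ip_network(self.src)
                and ip_address(d.dst) in ip_network(self.dst)
                and self.proto in (None, d.proto)
                and _port_ok(self.sport, d.sport)
                and _port_ok(self.dport, d.dport))


def apply_rules(rules: List[Rule], default: str, d: Datagram) -> str:
    """First matching rule wins; the filter keeps no record of earlier datagrams (stateless)."""
    for rule in rules:
        if rule.matches(d):
            return rule.action
    return default


INSIDE = "128.5.0.0/16"         # the organization's prefix from the slides
MAIL_SERVER = "128.5.1.10"      # constructed internal address
BASTION = "128.5.0.2"           # constructed address of host H
EPHEMERAL = range(1024, 65536)

# Figure 32.6 style blocklist: name what to block, pass everything else (default "allow").
BLOCKLIST = [
    Rule("block", dst=INSIDE, proto="tcp", dport=23),   # incoming datagrams to a well-known service (telnet, assumed)
    Rule("block", src=INSIDE, proto="tcp", dport=25),   # outgoing datagrams from 128.5.0.0/16 to remote mail servers
]

# Reversed filtering: block everything arriving from outside, then allow only approved hosts and ports.
DEFAULT_DENY_INBOUND = [Rule("allow", dst=MAIL_SERVER + "/32", proto="tcp", dport=25)]

# Two-barrier firewall of figure 32.8: R2 (outer) and R1 (inner), both filtering traffic headed inward.
OUTER_R2_INBOUND = [
    Rule("allow", dst=BASTION + "/32", proto="tcp", dport=25),          # service the organization exposes on H
    Rule("allow", dst=BASTION + "/32", proto="tcp", dport=EPHEMERAL),   # replies to clients (proxies) running on H
]
INNER_R1_INBOUND = [Rule("allow", src=BASTION + "/32")]                 # only H may send traffic inward


def blocklist_verdicts():
    """Why a blocklist is weak: a datagram to a port that is not listed passes untouched."""
    to_telnet = Datagram("203.0.113.9", "128.5.2.7", "tcp", 40000, 23)
    to_other = Datagram("203.0.113.9", "128.5.2.7", "tcp", 40000, 6000)
    mail_out = Datagram("128.5.2.7", "203.0.113.25", "tcp", 40001, 25)
    return tuple(apply_rules(BLOCKLIST, "allow", d) for d in (to_telnet, to_other, mail_out))


def client_round_trip():
    """Default-deny consequence: the inside client's request leaves, but the reply to its ephemeral port is blocked."""
    request = Datagram("128.5.2.7", "203.0.113.9", "tcp", 40123, 80)
    reply = Datagram("203.0.113.9", "128.5.2.7", "tcp", 80, 40123)
    outbound = apply_rules([], "allow", request)                  # outbound traffic is not restricted here
    inbound = apply_rules(DEFAULT_DENY_INBOUND, "block", reply)
    return outbound, inbound


def inward_verdict(d: Datagram) -> str:
    """Trace a datagram headed inward: from outside it must clear R2; to reach an inside host it must also clear R1."""
    from_outside = ip_address(d.src) not in ip_network(INSIDE)
    if from_outside and apply_rules(OUTER_R2_INBOUND, "block", d) == "block":
        return "blocked at R2"
    if ip_address(d.dst) in ip_network(BASTION + "/32"):
        return "delivered to bastion"
    return "delivered inside" if apply_rules(INNER_R1_INBOUND, "block", d) == "allow" else "blocked at R1"
```

Because the filter is stateless, nothing in it remembers that 128.5.2.7 opened the connection, which is exactly why the reply to port 40123 is dropped under default-deny; the bastion host exists so that only H ever needs inbound holes at R2, and R1 trusts nothing but H.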



Stub Network

The previous example is known as a stub network

A stub network isolates the organization

May be considered unnecessary

See figure 32.9 on page 595 for an alternative firewall permitting many external connections

One router per connection - all external connections also mistrust one another



Firewalls

Monitoring

Active - the firewall notifies whenever there is an incident

Passive - the firewall records activity in logs

