IP Security

IP Security - PowerPoint PPT Presentation

PowerPoint Slideshow about 'IP Security' - oswald

Presentation Transcript
IP Security


Firewall Design

Security - Understanding when and how users, computers, services, networks can trust one another

2 fundamental techniques

Perimeter security

Encryption
CS 428 Computer Networking


Perimeter security - allows an organization to determine which services and networks it will make available to outsiders

Encryption handles most other aspects


Security implies safety, assurance of data integrity, freedom from unauthorized access, freedom from snooping or wiretapping, freedom from disruption of service

Physical security is as important as protecting abstract resources


Aspects of Protection

Data Integrity - Protect from unauthorized change

Data Availability - Outsiders cannot prevent legitimate access to data


Authorization - access only to the data required

Replay Avoidance - prevent outsiders from capturing copies of packets and resending them

Information Policy

“Before an organization can enforce network security, it must assess risks and develop a clear policy regarding information access and protection.”

An information policy begins with people - the most susceptible point in any security scheme

Internet Security

Datagrams can be intercepted or compromised - the contents cannot be trusted


Server attempts source authentication

Examine source IP address

Source authentication is weak

Stronger authentication requires encryption



IPSec

A set of protocols that provide secure Internet communication

Valid for IPv4 and IPv6

IPSec is flexible and extensible

Can use authentication or encryption

Asymmetric choices are OK (the two directions of a communication need not use the same scheme)

Does not demand a specific authentication or encryption algorithm

Includes a set of encryption algorithms that all implementations must recognize


IPSec AH

Authentication Header

See figures 32.1 and 2 on pages 584 and 585

Inserts AH after IP header and before transport header

PROTOCOL field in IP header changed to value 51

Since the PROTOCOL field is changed, how does the receiver determine the payload type?

IPSec AH (cont.)

AH has a NEXT HEADER field; the original PROTOCOL value is written there

PAYLOAD LEN - Length of AH

SEQUENCE NUMBER - starts at 0 and increases monotonically

SECURITY PARAMETER INDEX - specifies Security Association (SA)

AUTHENTICATION DATA - based upon security scheme

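As an added illustration (not part of the original slides), the following Python builds a constructed IPv4 datagram carrying an AH and then parses the fields listed above, recovering the original protocol type from NEXT HEADER. The addresses, SPI and 12-octet authentication data are constructed sample values; the PAYLOAD LEN encoding (AH length in 32-bit words minus 2) follows RFC 4302.

```python
import struct

AH_PROTOCOL = 51  # value written into the IP PROTOCOL field when an AH is inserted


def build_ah(next_header, spi, seq, auth_data):
    """Pack an AH: NEXT HEADER, PAYLOAD LEN, RESERVED, SPI, SEQUENCE NUMBER, AUTH DATA.
    PAYLOAD LEN is the AH length in 32-bit words minus 2 (RFC 4302), so a
    12-octet fixed part plus a 12-octet ICV gives (24 / 4) - 2 = 4."""
    if len(auth_data) % 4:
        raise ValueError("AUTHENTICATION DATA must be a multiple of 4 octets")
    payload_len = (12 + len(auth_data)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + auth_data


def parse_ah(datagram):
    """Receiver side: return the AH fields of an IPv4 datagram, or None if the
    PROTOCOL field is not 51. NEXT HEADER restores the original protocol type."""
    ihl = (datagram[0] & 0x0F) * 4          # IPv4 header length in octets
    if datagram[9] != AH_PROTOCOL:
        return None
    ah = datagram[ihl:]
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
    ah_len = (payload_len + 2) * 4
    return {
        "next_header": next_header,             # original PROTOCOL value (6 = TCP)
        "ah_length": ah_len,
        "spi": spi,                             # selects the receiver's SA
        "seq": seq,
        "auth_data": ah[12:ah_len],
        "payload": datagram[ihl + ah_len:],     # transport header and data follow
    }


def make_sample_datagram():
    """Constructed sample: IPv4 header (PROTOCOL = 51), AH with a 96-bit ICV
    placeholder, then a constructed TCP segment stub."""
    icv = bytes.fromhex("00112233445566778899aabb")          # placeholder, not a real ICV
    ah = build_ah(6, 0x1000, 1, icv)
    tcp = b"\x04\xd2\x00\x50" + b"\x00" * 16                  # src port 1234, dst port 80
    total_len = 20 + len(ah) + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, AH_PROTOCOL, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # header checksum left 0
    return ip + ah + tcp
```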

Security Association

Security scheme includes

authentication algorithm


key lifetime

algorithm lifetime for destination

authorized source addresses

Information cannot fit into header

Each receiver collects all details about the security scheme into an abstraction called a Security Association (SA)

Security Association

Each SA is given a number, a.k.a. a security parameters index (SPI)

Before a sender can use IPSec to communicate with a receiver, the sender must know the index value of an SA on the receiver

Index values are owned by destinations, not globally known!

SAs can have lifetimes, after which their index values can be reused

IPSec ESP

Privacy plus Authentication

Encapsulating Security Protocol

Value 50 in PROTOCOL field

See figures on pages 586 and 587

3 additional areas



ESP AUTH - variable size


IPSec ESP (cont.)

Uses many of the same items as AH but reorders them


8 octets for SPI and SEQ Number


Optional padding

Padding Length




IPSec ESP (cont.)

Padding may be present for 3 reasons

Some decryption algorithms require zeros following encrypted message

NEXT HEADER is right-justified within a 4-octet field. IPSec requires that the AUTH data that follows the trailer start on a 4-octet boundary

Random padding to throw off sniffers
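As an added example (not from the original slides), this Python computes the ESP (Encapsulating Security Payload, RFC 4303) trailer padding for the first two reasons above: a cipher block-size requirement and the rule that NEXT HEADER sits right-justified in the last 4-octet word so ESP AUTH starts on a 4-octet boundary. The self-describing padding values 1, 2, 3, ... are the RFC 4303 default; the plaintexts and NEXT HEADER values are constructed, and the random traffic-flow padding of the third reason is not modelled.

```python
import math


def esp_pad_length(plaintext_len, block_size=1):
    """Octets of PADDING needed so that plaintext + PADDING + PAD LENGTH + NEXT HEADER
    is a multiple of the cipher block size and ends on a 4-octet boundary.
    block_size=1 models a cipher with no block alignment requirement."""
    unit = block_size * 4 // math.gcd(block_size, 4)     # lcm(block_size, 4)
    return (-(plaintext_len + 2)) % unit


def esp_trailer(plaintext, next_header, block_size=1):
    """Sender side: append PADDING, PAD LENGTH and NEXT HEADER (the ESP TRAILER).
    The default padding is the self-describing sequence 1, 2, 3, ... (RFC 4303)."""
    pad_len = esp_pad_length(len(plaintext), block_size)
    padding = bytes(range(1, pad_len + 1))
    return plaintext + padding + bytes([pad_len, next_header])


def strip_esp_trailer(decrypted):
    """Receiver side, after decryption: read PAD LENGTH and NEXT HEADER from the
    last two octets, verify the default padding, and return (plaintext, next_header)."""
    pad_len, next_header = decrypted[-2], decrypted[-1]
    if pad_len + 2 > len(decrypted):
        raise ValueError("PAD LENGTH exceeds the decrypted data")
    body, padding = decrypted[:-(pad_len + 2)], decrypted[-(pad_len + 2):-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding check failed")
    return body, next_header
```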

Mutable Fields

IPSec Authentication is designed to assure that the arriving datagram is identical to the one sent by the source

Intermediate routers decrement the TTL field and re-compute the header CKSUM

Mutable fields = IP header fields that can change

IPSec only authenticates immutable fields

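As an added example (not part of the original slides), the Python below shows why routers changing TTL and CKSUM do not break AH authentication: the ICV is computed over the IP header with the mutable fields zeroed (the RFC 4302 list for IPv4), so it still verifies after two hops but fails once an immutable field such as the destination address is altered. The key, addresses and payload are constructed values, and HMAC-SHA1-96 (RFC 2404) is used as the authentication algorithm.

```python
import hashlib
import hmac
import struct

def ip_checksum(header):
    """IPv4 header checksum: one's-complement sum of the 16-bit words, CKSUM field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def zero_mutable_fields(header):
    """IPv4 header with the mutable fields zeroed (RFC 4302): TOS, FLAGS/FRAGMENT
    OFFSET, TTL and HEADER CHECKSUM; everything else is authenticated as sent."""
    h = bytearray(header)
    h[1], h[8] = 0, 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(key, header, ah_fixed, payload):
    """HMAC-SHA1-96 (RFC 2404) over the immutable view of the header, the AH with
    its 12-octet AUTHENTICATION DATA zeroed, and the payload."""
    data = zero_mutable_fields(header) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def forward_one_hop(header):
    """What each intermediate router does: decrement TTL, then recompute CKSUM."""
    h = bytearray(header)
    h[8] -= 1
    h[10:12] = struct.pack("!H", ip_checksum(h))
    return bytes(h)

def demo(key=b"constructed-sample-key"):
    """Return (ICV still valid after two router hops, ICV valid after the
    destination address, an immutable field, was altered in transit)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 0x1234, 0, 64, 51, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)   # NEXT HEADER=6, PAYLOAD LEN=4, SPI, SEQ
    payload = b"constructed payload"
    icv = ah_icv(key, header, ah_fixed, payload)            # computed by the sender
    arrived = forward_one_hop(forward_one_hop(header))      # TTL 64 -> 62, CKSUM changed twice
    hop_ok = hmac.compare_digest(icv, ah_icv(key, arrived, ah_fixed, payload))
    tampered = bytearray(arrived)
    tampered[19] ^= 1                                        # last octet of destination address
    tamper_ok = hmac.compare_digest(icv, ah_icv(key, bytes(tampered), ah_fixed, payload))
    return hop_ok, tamper_ok
```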

IPSec Tunneling

Standard defines both AH and ESP tunnels

See figure 32.4 on page 588

Required security algorithms

See figure 32.5 on page 588

Secure Sockets Layer (SSL)

Originated by Netscape

Dual authentication, negotiate for encryption algorithm

Secure connection, not formally adopted by the IETF but a de facto standard


Place firewall at connection to external internet

Inside and outside regions

Intranet can have several external connections

As strong as the weakest link

All firewalls must be configured to use the same access restrictions


In theory, a firewall simply blocks all communication between the organization and the outside

In practice, need more than this

Firewalls need to be tailored to a specific organization

Must have hardware and software to handle a potentially busy interface

Packet-Level Filters

High-speed filtering mechanism

Manager configures the filter in a router

Filter (block) all datagrams from a specific source or those used by a specific application

Does not keep a record of filtering

Packet filters are not part of the TCP/IP standards

Packet Filters

See figure 32.6 on page 591

Block incoming datagrams destined for well-known services

Block outgoing datagrams from a 16-bit prefix to a remote e-mail server (TCP port 25)

Packet Filters (cont.)

Previous example does not work well for a firewall

Number of well-known ports is large

Much traffic on an internet does not travel on well-known ports

Programmers can choose

Remote Procedure Call assigns dynamic port numbers

Listing ports leaves the firewall open for tunneling

Tunneling can circumvent security

Host on inside agrees to accept encapsulated datagrams from host on outside

Remove one layer and then forward to internal service

Must reverse idea of filtering

Instead of identifying what datagrams should be filtered(blocked), block everything!



Allow those only for approved networks, hosts, and ports

Examine the organization's information policy, then enable certain functionality

Many packet filters use this approach

Solves many problems but has an interesting consequence

Prevents inside user from accessing outside resources



Servers may operate on well-known ports but clients do not

Clients may send data out but won’t get data back in

Packet filter will block client’s returning datagram

Not all organizations configure filters to block all internal unknown port numbers
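As an added example (not from the original slides), this Python models the "block everything, then allow only approved hosts and ports" packet filter of the preceding slides and shows the consequence just described: a client's outgoing request passes, but the server's returning datagram, addressed to the client's non-well-known port, is dropped. The addresses, ports and allow rules are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    direction: str   # "in" = arriving from the outside, "out" = leaving the organization
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Allow list derived from a constructed information policy (addresses are sample values):
# outsiders may reach the internal mail server on TCP 25; inside hosts may open TCP 80
# to any outside web server. None means "any value" for that field.
ALLOW_RULES = [
    ("in", "tcp", None, None, "10.0.0.25", 25),
    ("out", "tcp", None, None, None, 80),
]


def matches(rule, d):
    fields = (d.direction, d.proto, d.src, d.sport, d.dst, d.dport)
    return all(want in (None, got) for want, got in zip(rule, fields))


def default_deny(d):
    """Stateless 'block everything' filter: pass only datagrams an allow rule matches.
    No record of earlier datagrams is kept, so each one is judged on its own."""
    return any(matches(r, d) for r in ALLOW_RULES)


def filter_decisions():
    """Constructed traffic sample; returns the filter's decision for each datagram."""
    traffic = [
        Datagram("in", "tcp", "203.0.113.7", 40001, "10.0.0.25", 25),    # mail to the server
        Datagram("in", "tcp", "203.0.113.7", 40002, "10.0.0.25", 23),    # telnet to the server
        Datagram("out", "tcp", "10.0.0.50", 51515, "198.51.100.9", 80),  # inside client opens web
        Datagram("in", "tcp", "198.51.100.9", 80, "10.0.0.50", 51515),   # web server's reply
    ]
    return [default_deny(d) for d in traffic]
```

The last decision is the one the slides describe: the reply is addressed to port 51515, which no allow rule names, so the stateless filter blocks it even though the inside client asked for it.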

Secure Firewalls

Users on the inside need to access resources on the outside

Can only provide safe access through a secure computer

Install one secure computer with each firewall and install a set of application gateways on that computer

Bastion Host

Proxy Access


Secure Gateway

See figure 32.7 on page 593

Outer barrier

Blocks all incoming traffic except for datagrams destined for

services on the bastion that the organization chooses to expose externally

clients on the bastion host

Inner barrier

Blocks incoming traffic except that coming from the bastion

Manual bypass

Secure Firewalls

Web access example

Firewall prevents the user's computer from receiving datagrams

User cannot use a browser for direct access

Arrange a proxy server on the bastion host

Inside, each browser is configured to use the proxy

Proxy contacts the URL, receives the information and returns it transparently to the user inside the firewall

Firewall Implementation

Each barrier requires a router with a packet filter

Network connections between the routers and the bastion host

See figure 32.8 on page 594

R2 = outer barrier

H = bastion host

R1 = inner barrier

Safety of the firewall depends on the safety of the bastion host (software and hardware)

Stub Network

Previous example is known as a stub network

Stub network isolates the organization

May be considered unnecessary

See figure 32.9 on page 595 for an alternative firewall permitting many external connections

One router per connection - all external connections also mistrust one another


Active - Firewall notifies whenever there is an incident

Passive - Firewall records activity in logs

