Chapter 5: Network Layer Security


Managing and Securing Computer Networks
Guy Leduc

Mainly based on: Network Security - PRIVATE Communication in a PUBLIC World, C. Kaufman, R. Perlman, M. Speciner, Pearson Education (chapters 17 and 18)
For a summary, see: Chapter 5: Network Layer Security, in Computer Networking: A Top Down Approach, 6th edition, Jim Kurose, Keith Ross, Addison-Wesley, March (section 8.7)

5: Securing IP 5-1

Chapter 5: Network Layer Security
Chapter goals: security in practice
- Security in the network layer (versus other layers)
- IPsec

Chapter Roadmap
- Security in the network layer
- IPsec - The big picture
- IPsec protocols: AH and ESP
- IPsec Key Exchange protocol: IKE

Relative Location of Security Facilities in the TCP/IP Stack
[Figure: two protocol stacks side by side. Security at network level: HTTP / FTP / SMTP over TCP / UDP over IP / IPsec. Security at transport level: HTTP / FTP / SMTP over SSL / TLS over TCP over IP.]
- Both are general-purpose (i.e. application-independent) solutions, but IPsec is NOT specific to TCP
  - It does work with UDP, and with any other protocol above IP (e.g., ICMP, OSPF)
- IPsec protects the whole IP payload, including the transport headers (e.g. port #)
  - Traffic analysis is thus more difficult (could be web, ...)
- IPsec is from network entity to network entity, not from application process to application process
  - Blanket coverage

Virtual Private Networks (VPNs)
- Institutions often want private networks for security
  - Costly! Separate routers, links, DNS infrastructure
- VPN: the institution's inter-office traffic is sent over the public Internet instead
  - Encrypted before entering the public Internet
  - Logically separate from other traffic

Virtual Private Networks (VPNs)
[Figure: headquarters and branch office, each behind a router w/ IPv4 and IPsec, plus a salesperson in a hotel on a laptop w/ IPsec. Inside the sites the datagrams are plain "IP header + payload"; across the public Internet they are "IP header + IPsec header + secure payload".]

Three functional areas
IP-level security encompasses the following 3 functional areas:
- origin authentication (and data integrity)
  - assures that a received packet was, in fact, transmitted by the party identified as the source in the packet
  - includes replay attack prevention
  - also assures that the packet has not been altered
- confidentiality
  - enables communicating nodes to encrypt messages to prevent eavesdropping by third parties
- key management
  - secure exchange of keys

IP Security Overview
- In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture"
  - General consensus that the Internet needs more and better security
  - In 1997, 2500 reported security incidents affecting nearly 150,000 sites
  - Most serious attacks: IP spoofing and packet sniffing
    - This justified the 2 main functions of IPsec
- The security capabilities were designed for IPv6 but fortunately they were also designed to be usable with the current IPv4
- IPsec can encrypt and/or authenticate all traffic at the IP level. Thus IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet
  - VPN (Virtual Private Networks)
  - Secure remote access over the Internet
  - Enhancing Extranet and Intranet connectivity with partners
  - Enhancing Electronic Commerce

Benefits of IPsec
- When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter
- IPsec is below the transport layer and so is transparent to applications
  - No need to change software on a user or server system when IPsec is implemented in a firewall or router
  - No need to train users, issue keying material on a per-user basis, or revoke keying material when users leave the organization
- IPsec can provide security to individual users if needed
- IPsec can play a vital role in the routing architecture. It can ensure that:
  - router and neighbour advertisements come from authorized routers
  - a redirect message comes from the router to which the initial packet was sent
  - a routing update is not forged

Chapter Roadmap
- Security in the network layer
- IPsec - The big picture
- IPsec protocols: AH and ESP
- IPsec Key Exchange protocol: IKE

IPsec Transport Mode
[Figure: two IPsec-aware end-systems exchange IPsec datagrams across ordinary routers.]
- IPsec datagram emitted and received by the end-system
- Protects upper level protocols

IPsec tunneling mode (1)
[Figure: two IPsec-aware edge routers carry the traffic of non-IPsec hosts through an IPsec tunnel.]
- End routers are IPsec aware
- Hosts need not be

IPsec tunneling mode (2)
[Figure: an IPsec-aware host tunnels directly to an IPsec-aware router that fronts a non-IPsec host.]
- Also tunneling mode

Two IPsec protocols
- Authentication Header (AH) protocol
  - provides source authentication & data integrity but not confidentiality
- Encapsulation Security Protocol (ESP)
  - provides source authentication, data integrity, and confidentiality
  - more widely used than AH

Four combinations are possible!
- Host mode with AH
- Host mode with ESP
- Tunnel mode with AH
- Tunnel mode with ESP: most common and most important

IP Security Overview
- IPsec enables a system to select security protocols, determine the algorithm(s) to use, and put in place any cryptographic keys required
- IPsec services and their support by AH and ESP:

  Service                                AH   ESP (encryption only)   ESP (encryption+authentication)
  Access control                         x    x                       x
  Connectionless integrity               x                            x
  Data origin authentication             x                            x
  Rejection of replayed packets          x    x                       x
  Confidentiality                             x                       x
  Limited traffic flow confidentiality        x                       x

Security associations (SAs)
- Before sending data, a virtual connection is established from the sending entity to the receiving entity
  - Called a security association (SA)
  - SAs are simplex: for only one direction
- Both sending and receiving entities maintain state information about the SA
  - Recall that TCP endpoints also maintain state information
  - IP is connectionless; IPsec is connection-oriented!
- How many SAs in a VPN w/ headquarters, branch office, and n traveling salespeople?

Security Association (2)
- An SA is uniquely identified by 3 parameters:
  - Security Parameters Index (SPI): a bitstring assigned to this SA by the receiver end, and having local significance only. Used to select the SA under which a received packet will be processed.
  - IP Destination Address: can be a router address, can be unicast or multicast.
  - Security Protocol Identifier: indicates whether the association is an AH or ESP SA
- The SPI alone seems to suffice to uniquely identify the SA, but
  - The same SPI can be assigned to both an ESP SA and an AH SA, so the security protocol identifier is needed to remove ambiguity
  - For multicast, the SPI is chosen by the source, so the destination address field is also needed to remove ambiguity
- Hence, in any IP packet, the SA is uniquely identified by these 3 fields

Example SA from R1 to R2
[Figure: a headquarters /24 network behind R1 and a branch office /24 network behind R2, with a security association from R1 to R2 across the Internet.]
R1 stores for the SA:
- 32-bit identifier for the SA: Security Parameter Index (SPI)
- origin SA interface ( )
- destination SA interface ( )
- type of encryption used (e.g., 3DES with CBC)
- encryption key
- type of integrity check used (e.g., HMAC with MD5)
- authentication key

Security Association Database (SAD)
- An endpoint holds SA state in a security association database (SAD), where it can locate it during processing
- With n salespersons, 2 + 2n SAs in R1's SAD
- When sending an IPsec datagram, R1 accesses the SAD to determine how to process the datagram
- When an IPsec datagram arrives at R2, R2 examines the SPI in the IPsec datagram, indexes the SAD with the SPI, and processes the datagram accordingly

IPsec datagram
Focus for now on tunnel mode with ESP
[Figure: new IP hdr | ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth. The "enchilada" runs from the ESP hdr through the ESP trl; the encrypted part runs from the original IP hdr through the ESP trl; the authenticated part covers the whole enchilada.]

What happens?
[Figure: the headquarters / R1 - Internet - R2 / branch office picture again, with the tunnel-mode ESP datagram layout above.]

R1 converts the original datagram into an IPsec datagram
- Appends to the back of the original datagram (which includes the original header fields!) an ESP trailer field
- Encrypts the result using the algorithm & key specified by the SA
- Appends to the front of this encrypted quantity the ESP header, creating the "enchilada"
- Creates an authentication MAC over the whole enchilada, using the algorithm and key specified in the SA
- Appends the MAC to the back of the enchilada, forming the payload
- Creates a brand new IP header, with all the classic IPv4 fields, which it prepends to the payload

Inside the enchilada:
[Figure: the same tunnel-mode ESP datagram layout: new IP hdr | ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth.]
- ESP trailer: padding for block ciphers
- Next header field contains the original packet type
- Packet type in the new IP header is ESP
- ESP header: SPI, so the receiving entity knows what to do
- Sequence number, to thwart replay attacks
- MAC in the ESP auth field is created with the shared secret key
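The six R1 steps above, carried out on bytes, as an added example (not code from the slides or from any IPsec implementation). Assumptions: the block cipher is replaced by a keystream derived with HMAC-SHA256 in counter mode so the example runs with the standard library only (it is not an IPsec transform), an 8-byte block size governs the padding, the ICV is HMAC-SHA256 truncated to 96 bits, and the sample addresses and keys are constructed; sequence-number replay checking is left out of the receiver here.

```python
import hashlib
import hmac
import struct

BLOCK = 8        # block size assumed for the ESP trailer padding
ICV_LEN = 12     # 96-bit truncated ICV in the ESP auth field
IP_IN_IP = 4     # ESP "next header": the protected payload is an IPv4 datagram
ESP_PROTO = 50   # protocol number in the new outer IP header


def make_sa(spi, src, dst, enc_key, auth_key):
    """One SAD entry: what the 'R1 stores for the SA' slide lists."""
    return {"spi": spi, "src": src, "dst": dst, "seq": 0,
            "enc_key": enc_key, "auth_key": auth_key}


def _keystream(enc_key, seq, length):
    """Stand-in cipher (NOT an IPsec transform): HMAC-SHA256 counter mode,
    keyed per datagram by the ESP sequence number."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">II", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left at zero)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def esp_encapsulate(sa, original):
    sa["seq"] += 1                                       # sender increments seq # first
    pad_len = (-(len(original) + 2)) % BLOCK             # make data+pad+2 a block multiple
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IP_IN_IP])   # ESP trailer
    plaintext = original + trailer                       # step 1: original datagram + trailer
    ciphertext = _xor(plaintext, _keystream(sa["enc_key"], sa["seq"], len(plaintext)))  # step 2
    enchilada = struct.pack(">II", sa["spi"], sa["seq"]) + ciphertext      # step 3: ESP header
    icv = hmac.new(sa["auth_key"], enchilada, hashlib.sha256).digest()[:ICV_LEN]  # step 4
    payload = enchilada + icv                            # step 5: MAC appended
    return ipv4_header(sa["src"], sa["dst"], ESP_PROTO, len(payload)) + payload   # step 6


def esp_decapsulate(sa, datagram):
    """R2 side: check the MAC before touching the ciphertext, then unwrap."""
    if datagram[9] != ESP_PROTO:
        raise ValueError("outer protocol is not ESP")
    body = datagram[20:]
    enchilada, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], enchilada, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed: datagram altered or wrong key")
    spi, seq = struct.unpack(">II", enchilada[:8])
    if spi != sa["spi"]:
        raise ValueError("SPI does not select this SA")
    ciphertext = enchilada[8:]
    plaintext = _xor(ciphertext, _keystream(sa["enc_key"], seq, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != IP_IN_IP:
        raise ValueError("unexpected next header")
    return plaintext[:len(plaintext) - pad_len - 2]       # strip padding, pad length, next header


def roundtrip():
    """Constructed sample: R1 tunnels a UDP datagram from a headquarters host
    to R2 for a branch-office host, then a flipped ciphertext bit is rejected."""
    enc_key, auth_key = b"constructed-enc-key-0123", b"constructed-auth-key-456"
    r1_addr, r2_addr = bytes([10, 0, 0, 1]), bytes([10, 1, 0, 1])
    r1 = make_sa(0x1001, r1_addr, r2_addr, enc_key, auth_key)
    r2 = make_sa(0x1001, r1_addr, r2_addr, enc_key, auth_key)
    payload = b"hello"
    original = ipv4_header(bytes([10, 0, 0, 5]), bytes([10, 1, 0, 7]), 17, len(payload)) + payload
    pkt = esp_encapsulate(r1, original)
    recovered = esp_decapsulate(r2, pkt)
    tampered = bytearray(pkt)
    tampered[30] ^= 0x01                                 # byte 30 lies inside the ciphertext
    try:
        esp_decapsulate(r2, bytes(tampered))
        detected = False
    except ValueError:
        detected = True
    return {"outer_proto": pkt[9], "original": original, "recovered": recovered,
            "ciphertext_len": len(pkt) - 20 - 8 - ICV_LEN, "tamper_detected": detected}
```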

IPsec sequence numbers
- For a new SA, the sender initializes the seq. # to 0
- Each time a datagram is sent on the SA:
  - Sender increments the seq # counter
  - Places the value in the seq # field
- Goal:
  - Prevent an attacker from sniffing and replaying a packet
  - Receipt of duplicate, authenticated IP packets may disrupt service
- Method:
  - Destination checks for duplicates
  - But doesn't keep track of ALL received packets; instead uses a window

IPsec Anti-Replay in Action
[Figure: R1 sends packets #1, #2, #3, #4 to R2; R2 receives #1, #2, #4 and several extra copies of #2.]
- Packet #3 lost, packets #2 are out of sequence and/or duplicates: no problem

Packet reordering and IPsec Anti-Replay Window
[Figure: R1 sends #1, #2, #3, #4; the network delivers them to R2 in a different order, #1 arriving after #2 and #3.]
- The network may change the packet order
- Packet #1 out of sequence. If in the window: OK, otherwise: drop & log

SA Database (SAD) - More
- When sending an IPsec datagram, R1 accesses the SAD to determine how to process the datagram
- When an IPsec datagram arrives at R2, R2 examines the SPI in the IPsec datagram, indexes the SAD with the SPI, and processes the datagram accordingly
- Parameters associated with each SA:
  - AH information: authentication algorithm, keys, key lifetime, ...
  - ESP information: encryption and authentication algorithm, keys, initialization values, key lifetimes, ...
  - Sequence number counter: used to generate the sequence number field in AH and ESP headers
  - Anti-replay window: used to determine whether an inbound AH or ESP packet is a replay
  - Lifetime of the SA
  - Sequence counter overflow flag: indicates what to do when a counter overflow occurs (usually close the SA)
  - IPsec protocol mode: tunnel or transport mode
  - Path MTU: any observed path maximum transmission unit (to avoid fragmentation)
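The receiver-side anti-replay window from the two preceding slides (accept #1 arriving late because it is still inside the window, drop the repeated #2, drop anything older than the window), as an added example that is not part of the slides. Assumptions: a 64-entry bitmap window (the width is a choice made here) and a plain list standing in for the "drop & log" action; the window is only consulted for packets whose MAC already verified.

```python
class AntiReplayWindow:
    """Sliding bitmap window: bit i set means sequence number (top - i) was seen."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit 0 corresponds to self.top
        self.log = []         # (seq, reason) for every dropped packet

    def check(self, seq):
        """Return True if seq is accepted and recorded, False if it is dropped.
        Call this only after the ICV has been verified: an unauthenticated
        packet must never be allowed to move the window."""
        if seq == 0:
            self.log.append((seq, "sequence number 0 is never valid"))
            return False
        if seq > self.top:
            # new high-water mark: slide the window right by the gap
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) | 1
            else:
                self.bitmap = 1                     # jumped past the whole window
            self.bitmap &= (1 << self.size) - 1     # keep it self.size bits wide
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            self.log.append((seq, "outside window"))   # too old: drop & log
            return False
        if self.bitmap & (1 << offset):
            self.log.append((seq, "duplicate"))        # replay: drop & log
            return False
        self.bitmap |= 1 << offset                      # late but in window: OK
        return True


def replay_scenarios(size=64):
    """Constructed arrival orders matching the slides' pictures."""
    w = AntiReplayWindow(size)
    arrivals = [2, 3, 1, 4, 2, 2]          # #1 reordered, then #2 replayed twice
    accepted = [w.check(s) for s in arrivals]
    w2 = AntiReplayWindow(size)
    w2.check(100)                          # window now spans 37..100
    too_old = w2.check(100 - size)         # exactly one past the left edge
    oldest_ok = w2.check(100 - size + 1)   # still inside the window
    return accepted, too_old, oldest_ok, w.log
```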

Security Policy Database (SPD)
- Policy: For a given datagram, the sending entity needs to know if it should use IPsec
  - It also needs to know which SA to use
- A nominal Security Policy Database (SPD) defines the means by which IP traffic is related to specific SAs (or possibly to no SA)
  - Info in the SPD indicates what to do with an arriving datagram
  - Then info in the SAD indicates how to do it
- An SPD contains entries, each of which defines a subset of IP traffic (via some IP and upper-layer protocol field values, called selectors) and points to an SA for that traffic
- Outbound processing obeys the following general sequence for each packet:
  - Compare the values of the appropriate fields in the packet (selector fields) against the SPD to find a matching SPD entry
  - Determine the SA associated with that entry (if any) and its associated SPI
  - Do the required IPsec processing (i.e. AH or ESP processing)
- Like the packet filter rules in firewalls (see next chapter)

Summary: IPsec services
- Suppose Trudy sits somewhere between R1 and R2. She doesn't know the keys.
- Will Trudy be able to
  - see the contents of the original datagram? How about source and dest IP address, transport protocol, application port?
  - flip bits without detection?
  - masquerade as R1 using R1's IP address?
  - replay a datagram?

Chapter Roadmap
- Security in the network layer
- IPsec - The big picture
- IPsec protocols: AH and ESP
- IPsec Key Exchange protocol: IKE

Transport and Tunnel Modes
Brief overview
- Transport mode
  - Protection of the IP packet payload only
  - IP header unchanged
- Tunnel mode
  - Protection of the entire IP packet
  - To do this, the entire protected original packet is treated as the payload of a new "outer" IP packet, with a new outer IP header

AH - Transport Mode
[Figure: Original IP datagram = Original IP header + other headers and payloads. A MAC (Message Authentication Code) algorithm (MD5 or SHA-1), keyed with the secret key, is computed over the non-mutable fields of the original IP header, the other headers and payloads, and part of the AH; the result is the "digital signature" carried in the AH. Authenticated IP datagram = Original IP header (but PT = 51) + AH + other headers and payloads.]
- Non-mutable fields of the IP header only
- Part of the AH is also authenticated

AH - Tunnel Mode
[Figure: a new IP header is built by the tunnel end. The MAC (MD5 or SHA-1, keyed with the secret key) covers the non-mutable fields of the new IP header, all fields of the original IP header, the other headers and payloads, and part of the AH. Authenticated IP datagram = New IP header + AH + Original IP header + other headers and payloads.]
- Digital signature produced by a MAC (Message Authentication Code) algorithm (MD5 or SHA-1)
- Part of the AH is also authenticated

IPsec AH Header
[Figure: AH fields in order: Next Header | Payload Len | RESERVED | Security Parameters Index (SPI) | Sequence Number Field | Authentication Data (variable). Total length = 32 bytes.]
- Next header identifies the protocol type above IP
- The sequence number is used to guard against the replay attack

ESP without Authentication - Transport Mode
[Figure: Original IP datagram = Original IP header + other headers and payloads; an ESP trailer (padding) is appended; the encryption algorithm (e.g. DES with CBC), keyed with the secret key, encrypts the other headers and payloads together with the ESP trailer. IP datagram with transport ESP = Original IP header (but PT = 50) + ESP header + encrypted (other headers and payloads + ESP trailer).]

ESP without Authentication - Tunnel Mode
[Figure: a new IP header is built by the tunnel end; the encryption algorithm (e.g. DES with CBC), keyed with the secret key, encrypts the whole original IP datagram (IP header + other headers + payloads) together with the ESP trailer (padding). IP datagram with tunnel ESP = new IP header + ESP header + encrypted (IP header + other headers + payloads + ESP trailer).]

ESP with Authentication - Transport Mode
[Figure: IP datagram with transport ESP = Original IP header + ESP header + encrypted part (other headers + payloads + ESP trailer) + ESP authentication. The authenticated part covers the ESP header and the encrypted part, but not the IP header.]

ESP with Authentication - Tunnel Mode
[Figure: IP datagram with tunnel ESP = new IP header + ESP header + encrypted part (IP header + other headers + payloads + ESP trailer) + ESP authentication. The authenticated part covers the ESP header and the encrypted part, but not the new IP header.]

IPsec ESP format
[Figure: ESP fields in order: Security Parameters Index (SPI) | Sequence Number | Payload Data (variable) | Padding (0-255 bytes) | Pad Length | Next Header | Authentication Data (variable). Authentication coverage runs from the SPI through the Next Header; confidentiality coverage runs from the Payload Data through the Next Header.]
- Added length: minimum 8 bytes (+4 bytes IV for DES-CBC) before and minimum 2 bytes after, without authentication.

Combining authentication and confidentiality
- First method: ESP with authentication
  - does not authenticate the non-mutable parts of the IP header (in transport mode) or of the new IP header (in tunnel mode)
  - applies encryption before authentication, so authentication applies to the ciphertext rather than the plaintext
- Second method: ESP (without authentication), then AH
  - does authenticate the non-mutable parts of the IP header
  - has the disadvantage of using two SAs
- Third method: first AH, then ESP (without authentication)
  - authentication applies to the plaintext
  - allows one to store the authentication information together with the message (without having to re-encrypt the message to verify the authentication)
  - the authentication is protected by encryption
  - still two SAs
- Usage of AH and ESP can be in transport or tunnel modes

Do we need AH?
- We clearly need ESP for encryption, but do we need AH?
- AH protects the IP header itself. But does IP header protection matter?
  - If it were necessary, ESP in tunnel mode could provide it
- Note that intermediate routers cannot check integrity. Why?
  - So integrity can only be checked at the other end of the SA
- Note also that, even with AH, an untrusted source host could still spoof its own IP address
  - Only integrity is ensured

IPsec and NAT
- NAT translates the source IP address and the source port of the IP packet!
  - A NAT box actually does IP spoofing
- An IPsec SA cannot go through a NAT box
  - With AH, the integrity check would fail
  - With ESP, the port number is encrypted
    - And the NAT box doesn't have the key
- Need to encapsulate IPsec packets in UDP packets:
[Figure: original packet = IP | TCP | User Data; ESP packet = IP (protocol 50) | ESP | Encrypted Data | HASH; UDP-encapsulated packet = IP | UDP | Payload, where the payload is the ESP packet.]

IPsec Tunnels & QoS
[Figure: Original IP datagram = IP header (with TOS / DSCP byte) + IP payload. The new IP header built by the tunnel end copies the TOS byte. IP datagram with ESP tunnel = new IP header + ESP + IP header + IP payload.]
- TOS byte is copied

Chapter Roadmap
- Security in the network layer
- IPsec - The big picture
- IPsec protocols: AH and ESP
- IPsec Key Exchange protocol: IKE

IKE: Internet Key Exchange
- In the previous examples, we manually established IPsec SAs in the IPsec endpoints:
  Example SA:
    SPI:
    Source IP:
    Dest IP:
    Protocol: ESP
    Encryption algorithm: 3DES-cbc
    HMAC algorithm: MD5
    Encryption key: 0x7aeaca
    HMAC key: 0xc0291f
- Manual keying is impractical for a large VPN with 100s of endpoints
- Instead use IPsec IKE (Internet Key Exchange)

IKE: PSK and PKI
- Authentication (proof of who you are) with either
  - a pre-shared secret (PSK), or
  - a PKI (public/private keys and certificates)
- With PSK: both sides start with the secret:
  - run IKE to authenticate each other and to generate IPsec SAs (one in each direction), including encryption and authentication keys
- With PKI: both sides start with a public/private key pair and a certificate:
  - run IKE to authenticate each other and obtain IPsec SAs (one in each direction)
  - Similar to the handshake in SSL

IKE - 2 phases - overview
- IKE has two phases
- Phase 1: establish a bi-directional IKE SA
  - The two peers establish a secure, authenticated channel with which to communicate. This is called the IKE Security Association (SA), aka ISAKMP SA
    - Note: the IKE SA is different from an IPsec SA
  - Based on a Diffie-Hellman (DH) exchange
    - computationally expensive, but done only once
  - Result: one shared key used in (possibly many instances of) phase 2
    - More precisely, 3 keys are derived from this one (one for IKE encryption, one for IKE authentication, and one for phase 2)
  - Phase 1 has two modes: aggressive mode and main mode
- Phase 2: the IKE SA is used to securely negotiate a pair of IPsec SAs
  - SAs are negotiated on behalf of services such as IPsec (e.g. AH or ESP) or any other service which needs key material and/or parameter negotiation
  - Uses the 3rd shared secret key (of phase 1) and random numbers to create the IPsec shared secret keys for AH and ESP SAs
    - Those IPsec SAs are unidirectional
  - Quick procedure, and keys can be changed often

IKE Phase 1 - Thwarting Clogging Attacks (1)
- DH is computationally expensive
- IKE employs a mechanism, known as cookies, to thwart clogging attacks
  - The protocol starts with a cookie request containing a random value (c1)
  - The other side sends back a cookie response containing this value (c1) and a new random number (c2)
    - The only overhead is to send an acknowledgement, not to perform a DH calculation
    - If the source address was forged, the opponent may not get any answer
    - If the responder is too busy, it does not send acknowledgements
  - The returned value (c2) must be repeated in the first message of the DH key exchange
    - The initiator gets it only if its initial IP address was not spoofed
[Message sequence:
  A -> B: c1
  B -> A: c2, c1
  A -> B: DHparam, c2        (B checks c2; if OK, B starts DH)]

Thwarting Clogging Attacks (2)
[Same message sequence: c1 / c2, c1 / DHparam, c2]
- Improvement: don't keep a copy of c2. Possible thanks to the fact that the party can recognise that c2 is one of its own cookies!
- But then the scheme is vulnerable to the following attack:
  [An attacker with a spoofed IP address sends c1, and never sees the c2 that is returned to the spoofed address; it then sends DHparam with another c2 that it recorded in a run with its own address. B reasons "OK, c2 is one of my cookies" and starts DH.]
- So, cookies must depend on (i.e. be a hash of) the specific parties (IP source and destination addresses, UDP source and destination ports) and a locally generated secret value
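The stateless cookie the last bullet calls for, as an added example (not code from the slides or from any IKE implementation): c2 = HMAC(local secret, source and destination IP/UDP pairs, c1), so the responder keeps no per-request state, still recognises its own cookies, and rejects a cookie recorded from a run with a different source address. Assumptions: the responder secret is a constructed constant (a real responder rotates it), c1 is folded into the hash so a cookie is bound to one request, and the addresses are constructed documentation-range values.

```python
import hashlib
import hmac


class Responder:
    """IKE-style responder that only starts the expensive DH after a valid cookie."""

    def __init__(self, secret):
        self.secret = secret          # locally generated secret value
        self.dh_started = []          # sources for which DH was actually begun

    def cookie(self, src, dst, c1):
        # src and dst are (ip, udp_port) tuples; the cookie is a keyed hash over
        # the specific parties plus the initiator's c1, truncated to 8 bytes
        msg = f"{src[0]}:{src[1]}|{dst[0]}:{dst[1]}|".encode() + c1
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def on_cookie_request(self, src, dst, c1):
        """Cheap acknowledgement: (c2, c1). No state is stored, no DH is done."""
        return self.cookie(src, dst, c1), c1

    def on_dh_message(self, src, dst, c1, c2, dh_param):
        """Recompute the cookie for exactly this (src, dst, c1); start DH only on a match."""
        if not hmac.compare_digest(c2, self.cookie(src, dst, c1)):
            return False                                 # drop silently, no DH work
        self.dh_started.append(src)                      # here the real DH would begin
        return True


def clogging_scenarios():
    """Constructed run: one honest initiator, then a replayed cookie with a spoofed source."""
    b = Responder(b"constructed-responder-secret")
    dst = ("192.0.2.1", 500)                  # responder B
    honest = ("198.51.100.7", 500)            # initiator A
    c1 = bytes.fromhex("0102030405060708")
    c2, echoed = b.on_cookie_request(honest, dst, c1)
    honest_ok = b.on_dh_message(honest, dst, c1, c2, b"Y_A")
    # attacker M obtains a genuine cookie for its own address, then reuses it
    # in a DH message whose source address is spoofed to victim V
    attacker = ("203.0.113.9", 500)
    victim = ("198.51.100.99", 500)
    c1m = bytes.fromhex("1112131415161718")
    c2m, _ = b.on_cookie_request(attacker, dst, c1m)
    spoofed_ok = b.on_dh_message(victim, dst, c1m, c2m, b"Y_M")
    guessed_ok = b.on_dh_message(victim, dst, c1m, bytes(8), b"Y_M")
    return {"echoed_c1": echoed == c1, "honest": honest_ok, "spoofed": spoofed_ok,
            "guessed": guessed_ok, "dh_started": b.dh_started}
```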

DH - Defence against Man-in-the-Middle (MIM) (1)
- If the DH parameters (Y_A and Y_B) are permanent and public numbers
- And if we can be sure that Y_A and Y_B are the numbers reliably associated with A and B respectively
  - For example, by means of a PKI (Public Key Infrastructure)
  - That is, the pairs (A, Y_A) and (B, Y_B) are certified by some trusted authority
  - So-called Fixed DH
- Then
  - The Man-in-the-Middle attack is not possible
  - And the exchanges of Y_A and Y_B can even be eliminated
    - B will need to fetch the certified Y_A only once
- But this needs a PKI
  - We lose the simplicity of the original Diffie-Hellman scheme
- Also, the fact that Y_A and Y_B are permanent makes them more vulnerable to brute-force attacks to find X_A and X_B

DH - Defence against MIM (2)
- Authenticated (Ephemeral) Diffie-Hellman
- If A and B know some sort of secret with which they can authenticate each other (before running DH)
  - Knowledge of a (pre-shared) secret key, or
  - Knowledge of each other's public key (and their own private key)
- Then they can use this secret to prove it was they who generated their DH values
- Several solutions:
  - Encrypt the DH exchange with the pre-shared secret key
  - Sign the transmitted DH value (Y) with your own private key
  - Encrypt the DH value (Y) with the other side's public key
    - Why does it work, knowing that anyone can so encrypt?
  - Following the DH exchange, transmit a hash of the pre-shared key and the DH value (Y) you transmitted
  - Following the DH exchange, transmit a hash of the agreed-upon shared DH value, your name and the pre-shared key
- Again this needs a PKI or a pre-shared key
- Note that the DH values can be changed often in this case

Back to IKE phase 1 - Authentication
- The DH exchange should be authenticated to bar the MIM attack
- Several authentication methods are used
  - Authentication with a pre-shared key
  - Authentication based on public key cryptography
    - Authentication with signatures
    - Authentication with public key encryption
- But, if one needs public key cryptography anyway, why use DH to generate a shared secret in the first place?
  - After all, one party could have generated the secret key and sent it encrypted with the other party's public key!
  - With DH, both parties contribute to the shared secret/key. So it will be random if either side has a good random number generator.

IKE phase 1 - main mode
[Message sequence between A and B:
  1. A -> B: Crypto_suite_A
  2. B -> A: Crypto_suite_chosen_B
  3. A -> B: Y_A
  4. B -> A: Y_B
  5. A -> B: K_AB(A, proof I'm A)
  6. B -> A: K_AB(B, proof I'm B)]
- Messages 1-2: negotiation of the cryptographic methods used in later exchanges
- Messages 3-4: anonymous DH: no identity revealed, only the IP addresses
  - K_AB is the calculated DH shared key. Note that both computations run in parallel.
- Message 5: A only reveals her identity here.
- Moreover, identities are hidden from passive attackers. So, a MIM will only discover A's id. But it could also be hidden. How?
- Proof of identity: proof that the sender knows the key associated with the identity, which can be based on
  - The pre-shared key
  - The private signature key or encryption key (two pairs of asymmetric keys are used)
  - Typically some hash of (1) the key associated with the identity and (2) almost all fields in the previous messages (which also provides integrity). With private signature keys, the proof can also be a signature on the fields

IKE phase 1 - aggressive mode
[Message sequence:
  1. A -> B: A, Y_A, Crypto_proposal_A
  2. B -> A: B, Y_B, proof I'm B
  3. A -> B: proof I'm A]
- Take-it-or-leave-it negotiation. In particular, A chooses a (g, p) pair.
- Identities revealed, even to passive attackers: no encryption.
  - How would you change this mode to hide identities from passive attackers (with public keys)?
- Note: in both modes (main and aggressive), nonces are added to the messages. The DH shared key is then computed from the DH values AND the nonces
  - For example: K_AB = hash(nonces, standard DH key)
  - This allows IKE to reuse the same DH values in successive runs and still generate different shared keys
    - Protection against replay attack

IPsec only authenticates the host!
- If the host is stolen, it can still establish IPsec SAs and connect to a VPN!
- IPsec does not authenticate the user
- Needs an extra level: user authentication
  - E.g., IPsec client with a smart card
  - Or, extra authentication with username and password after IKE phase 1
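The two mechanisms of the phase 1 slides, K_AB = hash(nonces, standard DH key) and the pre-shared-key "proof I'm A" over the previous messages' fields, worked through as an added example (not code from the slides or from any IKE implementation). Assumptions: a toy DH group (p = 2^89 - 1, g = 5, chosen only so the example runs instantly; a real exchange uses a standardised group), SHA-256 for the slides' generic "hash", HMAC-SHA256 for the proof, and a MIM that swaps Y_A for its own value to show why the proof must cover the DH fields.

```python
import hashlib
import hmac

P = 2**89 - 1   # toy Mersenne prime, NOT an IKE group
G = 5


def dh_public(x):
    return pow(G, x, P)


def dh_shared(y_peer, x):
    return pow(y_peer, x, P)


def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def session_key(nonce_a, nonce_b, dh_key):
    """K_AB = hash(nonces, standard DH key): fresh nonces give a fresh key
    even when Y_A and Y_B are reused from an earlier run."""
    return hashlib.sha256(nonce_a + nonce_b + i2b(dh_key)).digest()


def proof(psk, identity, transcript):
    """'proof I'm <identity>': keyed hash of (1) the key tied to the identity
    and (2) the fields of the previous messages, which also gives integrity."""
    return hmac.new(psk, identity + transcript, hashlib.sha256).digest()


def run_phase1(psk, x_a, x_b, nonce_a, nonce_b):
    """Honest run: both sides derive K_AB and B verifies A's proof."""
    y_a, y_b = dh_public(x_a), dh_public(x_b)
    transcript = i2b(y_a) + i2b(y_b) + nonce_a + nonce_b   # fields B has seen
    k_a = session_key(nonce_a, nonce_b, dh_shared(y_b, x_a))
    k_b = session_key(nonce_a, nonce_b, dh_shared(y_a, x_b))
    proof_from_a = proof(psk, b"A", transcript)
    accepted_by_b = hmac.compare_digest(proof_from_a, proof(psk, b"A", transcript))
    return k_a, k_b, accepted_by_b


def mim_attempt(psk, x_a, x_b, x_m, nonce_a, nonce_b):
    """M replaces Y_A by Y_M on the way to B. A's proof covers the Y_A she
    sent; B recomputes over the Y_M it received, so the relayed proof fails."""
    y_a, y_b, y_m = dh_public(x_a), dh_public(x_b), dh_public(x_m)
    proof_from_a = proof(psk, b"A", i2b(y_a) + i2b(y_b) + nonce_a + nonce_b)
    transcript_at_b = i2b(y_m) + i2b(y_b) + nonce_a + nonce_b
    return hmac.compare_digest(proof_from_a, proof(psk, b"A", transcript_at_b))
```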

Automated Public Key Exchange
- Peers choose their private/public key pairs
  - they keep the secret key
  - their public keys must be certified
- Use a notary = Certification Authority = CA
  - A peer must prove its authenticity in front of the CA
  - The notary signs certificates
- Peers dynamically exchange certificates
- Scalable: n peers require n authentications and n certificates

Certificates
[Figure: certificate contents: peer name, peer public key, expiration date, other info, signature by the CA.]
- Certificates are not secret
- Common structure: ITU X.509 v3 or PKCS#6 (S/MIME, SSL, ...)

How peers work with a CA
[Figure: the CA holds its own certificate, signed by the CA. The peer first generates its public/private key pair. 1. peer fetches the CA's certificate; 2. peer transmits its public key; 3. the peer's certificate is signed by the CA; 4. peer fetches its certificate.]
- Strong or human authentication needed for steps 1. and

How to check a certificate?
- Check the CA signature
  - The CA's certificate is needed to get the CA signature
- Check the black list = CRL (Certificate Revocation List)
  - connect to the CA to get the CRL
  - CRL: list of revoked certificates signed by the CA
  - Stored on the CA or a directory service
  - No requirement on devices to ensure the CRL is current

How to scale a CA?
- A root CA can delegate authentication to a lower CA
[Figure: certificate chain of a router: root CA (own certificate signed by the root CA) -> lower CA (certificate signed by the root CA) -> router (certificate signed by the lower CA).]

IPsec: summary
- IKE used to establish shared secret keys, algorithms, SPI numbers
- two principal protocols:
  - authentication header (AH) protocol
  - encapsulation security payload (ESP) protocol
- for both AH and ESP, source and destination handshake:
  - create a network-layer logical channel called a security association (SA)
- Tunnel and transport modes
- shortcomings
  - IPsec departs from the pure connectionless paradigm
  - IPsec interferes with NAT boxes
  - IPsec only authenticates a host, not a user
  - IPsec is complex: more than a dozen RFCs


More information

IP SECURITY (IPSEC) PROTOCOLS

IP SECURITY (IPSEC) PROTOCOLS 29 IP SECURITY (IPSEC) PROTOCOLS One of the weaknesses of the original Internet Protocol (IP) is that it lacks any sort of general-purpose mechanism for ensuring the authenticity and privacy of data as

More information

Laboratory Exercises V: IP Security Protocol (IPSec)

Laboratory Exercises V: IP Security Protocol (IPSec) Department of Electronics Faculty of Electrical Engineering, Mechanical Engineering and Naval Architecture (FESB) University of Split, Croatia Laboratory Exercises V: IP Security Protocol (IPSec) Keywords:

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Bit Chat: A Peer-to-Peer Instant Messenger

Bit Chat: A Peer-to-Peer Instant Messenger Bit Chat: A Peer-to-Peer Instant Messenger Shreyas Zare shreyas@technitium.com https://technitium.com December 20, 2015 Abstract. Bit Chat is a peer-to-peer instant messaging concept, allowing one-to-one

More information

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode 13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) PPP-based remote access using dial-in PPP encryption control protocol (ECP) PPP extensible authentication protocol (EAP) 13.2 Layer 2/3/4

More information

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku Univerzita Komenského v Bratislave Fakulta matematiky, fyziky a informatiky Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku ITMS: 26140230008 dopytovo orientovaný projekt Moderné

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

CS 4803 Computer and Network Security

CS 4803 Computer and Network Security Network layers CS 4803 Computer and Network Security Application Transport Network Lower level Alexandra (Sasha) Boldyreva IPsec 1 2 Roughly Application layer: the communicating processes themselves and

More information

Telematics Chapter 11: Network Security Beispielbild User watching video clip

Telematics Chapter 11: Network Security Beispielbild User watching video clip Telematics Chapter 11: Network Security Beispielbild User watching video clip Server with video clips Application Layer Application Layer Prof. Dr. Mesut Güneş Presentation Layer Presentation Layer Computer

More information

Lecture 17 - Network Security

Lecture 17 - Network Security Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Idea Why donʼt we just integrate some of these neat

More information

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part III-b Contents Part III-b Secure Applications and Security Protocols Practical Security Measures Internet Security IPSEC, IKE SSL/TLS Virtual Private Networks Firewall Kerberos SET Security Measures

More information

Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson

Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson Chapter 8 Network Security Slides adapted from the book and Tomas Olovsson Roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity Security protocols and measures: Securing

More information

Netzwerksicherheit: Anwendungen

Netzwerksicherheit: Anwendungen Internet-Technologien (CS262) Netzwerksicherheit: Anwendungen 22. Mai 2015 Christian Tschudin & Thomas Meyer Departement Mathematik und Informatik, Universität Basel Chapter 8 Security in Computer Networks

More information

CSCI 454/554 Computer and Network Security. Final Exam Review

CSCI 454/554 Computer and Network Security. Final Exam Review CSCI 454/554 Computer and Network Security Final Exam Review Topics covered by Final Topic before Midterm 20% Topic after Midterm 80% Date: 05/13/2015 9:00am noon Place: the same classroom Open book/notes

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Internetwork Security

Internetwork Security Internetwork Security Why Network Security Layers? Fundamentals of Encryption Network Security Layer Overview PGP Security on Internet Layer IPSec IPv6-GCAs SSL/TLS Lower Layers 1 Prof. Dr. Thomas Schmidt

More information

Chapter 32 Internet Security

Chapter 32 Internet Security Chapter 32 Internet Security Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 32: Outline 32.1 NETWORK-LAYER SECURITY 32.2 TRANSPORT-LAYER SECURITY 32.3

More information

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2

More information

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice: Managing and Securing Computer Networks Guy Leduc Chapter 4: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security UNIT 4 SECURITY PRACTICE Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security Slides Courtesy of William Stallings, Cryptography & Network Security,

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Internet Security Architecture

Internet Security Architecture accepted for publication in Computer Networks and ISDN Systems Journal Internet Security Architecture Refik Molva Institut Eurécom 2229, route des Crêtes F-06904 Sophia-Antipolis molva@eurecom.fr Abstract

More information

Implementing and Managing Security for Network Communications

Implementing and Managing Security for Network Communications 3 Implementing and Managing Security for Network Communications............................................... Terms you ll need to understand: Internet Protocol Security (IPSec) Authentication Authentication

More information

Branch Office VPN Tunnels and Mobile VPN

Branch Office VPN Tunnels and Mobile VPN WatchGuard Certified Training Branch Office VPN Tunnels and Mobile VPN Fireware XTM and WatchGuard System Manager v11.7 Revised: January 2013 Updated for: Fireware XTM v11.7 Notice to Users Information

More information

Site to Site Virtual Private Networks (VPNs):

Site to Site Virtual Private Networks (VPNs): Site to Site Virtual Private Networks Programme NPFIT DOCUMENT RECORD ID KEY Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0002.01 Prog. Director Mark Ferrar Owner Tim Davis Version 1.0

More information

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002 INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before

More information

Chapter 8 Virtual Private Networking

Chapter 8 Virtual Private Networking Chapter 8 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FWG114P v2 Wireless Firewall/Print Server. VPN tunnels provide secure, encrypted

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Network Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Circuit switching vs. packet switching OSI and TCP/IP layered models TCP/IP encapsulation

More information

Introduction to Security and PIX Firewall

Introduction to Security and PIX Firewall Introduction to Security and PIX Firewall Agenda Dag 28 Föreläsning LAB PIX Firewall VPN A Virtual Private Network (VPN) is a service offering secure, reliable connectivity over a shared, public network

More information

Chapter 9. IP Secure

Chapter 9. IP Secure Chapter 9 IP Secure 1 Network architecture is usually explained as a stack of different layers. Figure 1 explains the OSI (Open System Interconnect) model stack and IP (Internet Protocol) model stack.

More information

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Alan Davy and Lei Shi Telecommunication Software&Systems Group, Waterford Institute of Technology, Ireland adavy,lshi@tssg.org

More information

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Network communication Who are you

More information

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity Secure Remote Monitoring of the Critical System Infrastructure An Application Note from the Experts in Business-Critical Continuity TABLE OF CONTENTS Introduction................................................2

More information

The BANDIT Products in Virtual Private Networks

The BANDIT Products in Virtual Private Networks encor! enetworks TM Version A.1, March 2010 2010 Encore Networks, Inc. All rights reserved. The BANDIT Products in Virtual Private Networks One of the principal features of the BANDIT products is their

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Network Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Circuit switching vs. packet switching OSI and TCP/IP layered models TCP/IP encapsulation

More information

21.4 Network Address Translation (NAT) 21.4.1 NAT concept

21.4 Network Address Translation (NAT) 21.4.1 NAT concept 21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially

More information

Computer and Network Security

Computer and Network Security Computer and Network Security c Copyright 2000 R E Newman Computer & Information Sciences & Engineering University Of Florida Gainesville, Florida 32611-6120 nemo@ciseufledu Network Security Protocols

More information

Using IPSec in Windows 2000 and XP, Part 2

Using IPSec in Windows 2000 and XP, Part 2 Page 1 of 8 Using IPSec in Windows 2000 and XP, Part 2 Chris Weber 2001-12-20 This is the second part of a three-part series devoted to discussing the technical details of using Internet Protocol Security

More information

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks VPNs Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

CS 494/594 Computer and Network Security

CS 494/594 Computer and Network Security CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Exercise: Chapters 13, 15-18 18 1. [Kaufman] 13.1

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls Computer Net Lab/Praktikum Datenverarbeitung 2 1 VPN - Definition VPNs (Virtual Private Networks) allow secure data transmission

More information

Transport Level Security

Transport Level Security Transport Level Security Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Security Architecture for IP (IPsec)

Security Architecture for IP (IPsec) Security Architecture for IP (IPsec) Security Association (SA), AH-Protocol, ESP-Protocol Operation-Modes, Internet Key Exchange Protocol (IKE) Agenda Overview AH Protocol ESP Protocol Security Association

More information

VPN Solutions. Lesson 10. etoken Certification Course. April 2004

VPN Solutions. Lesson 10. etoken Certification Course. April 2004 VPN Solutions Lesson 10 April 2004 etoken Certification Course VPN Overview Lesson 10a April 2004 etoken Certification Course Virtual Private Network A Virtual Private Network (VPN) is a private data network

More information

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 This example explains how to configure pre-shared key based simple IPSec tunnel between NetScreen Remote Client and RN300 VPN Gateway.

More information

Insecure network services. Firewalls. Two separable topics. Packet filtering. Example: blocking forgeries. Example: blocking outgoing mail

Insecure network services. Firewalls. Two separable topics. Packet filtering. Example: blocking forgeries. Example: blocking outgoing mail Insecure network services NFS (port 2049) - Read/write entire FS as any non-root user given a dir. handle - Many OSes make handles easy to guess Portmap (port 111) - Relays RPC requests, making them seem

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols Network Security Chapter 8 Cryptography Symmetric-Key Algorithms Public-Key Algorithms Digital Signatures Management of Public Keys Communication Security Authentication Protocols Email Security Web Security

More information

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway Fireware How To VPN How do I set up a manual branch office VPN tunnel? Introduction You use Branch Office VPN (BOVPN) with manual IPSec to make encrypted tunnels between a Firebox and a second IPSec-compliant

More information

SonicOS Enhanced 3.2 IKE Version 2 Support

SonicOS Enhanced 3.2 IKE Version 2 Support SonicOS Enhanced 3.2 IKE Version 2 Support Document Scope This document describes the integration of SonicOS Enhanced 3.2 with Internet Key Exchange protocol version 2 (IKEv2). This document contains the

More information

Chapter 49 IP Security (IPsec)

Chapter 49 IP Security (IPsec) Chapter 49 IP Security (IPsec) Introduction...49-3 IP Security (IPsec)...49-4 Security Protocols and Modes... 49-4 Compression Protocol... 49-5 Security Associations (SA)... 49-5 ISAKMP/IKE...49-6 ISAKMP...

More information

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer Other VPNs TLS/SSL, PPTP, L2TP Advanced Computer Networks SS2005 Jürgen Häuselhofer Overview Introduction to VPNs Why using VPNs What are VPNs VPN technologies... TLS/SSL Layer 2 VPNs (PPTP, L2TP, L2TP/IPSec)

More information

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

More information

Chapter 6 CDMA/802.11i

Chapter 6 CDMA/802.11i Chapter 6 CDMA/802.11i IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Some material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

IPSec and SSL Virtual Private Networks

IPSec and SSL Virtual Private Networks IPSec and SSL Virtual Private Networks ISP Workshops Last updated 29 June 2014 1 Acknowledgment p Content sourced from n Merike Kaeo of Double Shot Security n Contact: merike@doubleshotsecurity.com Virtual

More information

FortiOS Handbook IPsec VPN for FortiOS 5.0

FortiOS Handbook IPsec VPN for FortiOS 5.0 FortiOS Handbook IPsec VPN for FortiOS 5.0 IPsec VPN for FortiOS 5.0 26 August 2015 01-504-112804-20150826 Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

VPN. VPN For BIPAC 741/743GE

VPN. VPN For BIPAC 741/743GE VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,

More information

Application Note: Onsight Device VPN Configuration V1.1

Application Note: Onsight Device VPN Configuration V1.1 Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1

More information

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers Application Note Revision 1.0 10 February 2011 Copyright 2011. Aruba Networks, Inc. All rights reserved. IPsec VPN Security

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Overview. Protocols. VPN and Firewalls

Overview. Protocols. VPN and Firewalls Computer Network Lab 2015 Fachgebiet Technische h Informatik, Joachim Zumbrägel Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls VPN-Definition VPNs (Virtual Private Networks)

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities SSL/TLS Today s Topics Server Certificates Client Certificates Certification Authorities Trust Registration Authorities VPN IPSec Client tunnels LAN-to-LAN tunnels Secure Sockets Layer Secure Sockets Layer

More information

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Internet Protocol: IP packet headers. vendredi 18 octobre 13 Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)

More information

Communication Security for Applications

Communication Security for Applications Communication Security for Applications Antonio Carzaniga Faculty of Informatics University of Lugano March 10, 2008 c 2008 Antonio Carzaniga 1 Intro to distributed computing: -server computing Transport-layer

More information

How To Understand And Understand The Ssl Protocol (Www.Slapl) And Its Security Features (Protocol)

How To Understand And Understand The Ssl Protocol (Www.Slapl) And Its Security Features (Protocol) WEB Security: Secure Socket Layer Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - COMP581 - L22 1 Outline of this Lecture Brief Information on SSL and TLS Secure Socket Layer (SSL) Transport Layer Security

More information

IPV6 vs. SSL comparing Apples with Oranges

IPV6 vs. SSL comparing Apples with Oranges IPV6 vs. SSL comparing Apples with Oranges Reto E. Haeni r.haeni@cpi.seas.gwu.edu The George Washington University Cyberspace Policy Institute 2033 K Str. Suite 340 N Washington DC 20006 Washington DC,

More information

How To Understand And Understand The Security Of A Key Infrastructure

How To Understand And Understand The Security Of A Key Infrastructure Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Chapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Chapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Chapter 8 Security IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross, All

More information

Security issues with Mobile IP

Security issues with Mobile IP Technical report, IDE1107, February 2011 Security issues with Mobile IP Master s Thesis in Computer Network Engineering Abdel Rahman Alkhawaja & Hatem Sheibani School of Information Science, Computer and

More information

Lab14.8.1 Configure a PIX Firewall VPN

Lab14.8.1 Configure a PIX Firewall VPN Lab14.8.1 Configure a PIX Firewall VPN Complete the following lab exercise to practice what you learned in this chapter. Objectives In this lab exercise you will complete the following tasks: Visual Objective

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Network Security Fundamentals

Network Security Fundamentals APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6

More information