CSC474: Network Security
|
|
- Kathlyn Parks
- 7 years ago
- Views:
Transcription
1 CSC474: Network Security Lecture 18 Prof. William Enck Fall 2016 (Derived from slides by Micah Sherr and Peng Ning)
2 Virtual Private Networks
3 Problem: 3
4 Problem? 17 UNC System Campuses (
5 Virtual Private Networks (VPNs) Provides secure access to private network over public links Often, goal is to provide access to corporate network (intranet) from outside (Internet) Or, logically join physically separated networks Achieves some combination of: Confidentiality Integrity Mutual authentication 5
6 Telecommuter VPNs: Client-to-Gateway Enterprise Network Enterprise Servers 6
7 Gateway-to-Gateway VPNs Branch Branch Branch Branch 7
8 How do we build VPNs? 8
9 We can t rebuild the Internet 9
10 VPN Tunneling Enterprise Network Enterprise Servers 10
11 IPsec (not IPSec!) Host level protection service IP-layer security (below TCP/UDP) De-facto standard for host level security Developed by the IETF (over many years) Available in most operating systems/devices E.g., Windows, OS X, Linux, BSD*, Not a single protocol; IPsec is a protocol suite Implements a wide range of protocols and cryptographic algorithms Selectively provides. Confidentiality, integrity, authenticity, replay protection, DoS protection 11
12 IPsec Protocol Suite Policy/ Configuration Management Key Management Packet Processing (SPS) Security Policy System Manual (ESP) Encapsulating Security Payload (IKE) Internet Key Exchange (AH) Authentication Header 12
13 IPsec Architecture IPsec module 1 IPsec module 2 SPD SPD IKE IKE SAD IPsec SA IPsec SAD SPD: Security Policy Database; IKE: Internet Key Exchange; SA: Security Association; SAD: Security Association Database. 13
14 Internet Key Exchange (IKE) Two phase protocol used to establish parameters and keys for session Phase 1: authenticate peers, establish secure channel via Diffie- Hellman key exchange Phase 2: negotiate parameters, establish a security association (SA) The SA defines algorithms, keys, and policy used to secure the session for a unidirectional traffic flow Pairing requires two SAs -- one for each direction SAs stored in host s Security Association Database (SAD) Each gateway may define policies for each SA Policies stored in the SAD 14
15 IPsec: Packet Handling Application Presentation Session Transport SPD/SAD IPsec Network (IP) Data Link Physical 15
16 Transport Mode A Encrypted/Authenticated B Orig IP Header AH or ESP Header TCP Data 16
17 Tunnel Mode Encrypted Tunnel Gateway Gateway A Unencrypted Encrypted Unencrypted B New IP Header AH or ESP Header Orig IP Header TCP Data 17
18 Key Management Two options: Manual: use pre-shared secrets; or Internet Key Exchange (IKE) 18
19 Internet Key Exchange Harkins and Carrel, RFC2409, Nov Phase 1: Key Exchange (Simplified) 1. Initiator sends list of supported crypto algos to responder 2. Responder chooses crypto algo from sender s list 3. Initiator sends first half of DH exchange and a noncei to responder 4. Responder sends second half of DH exchange, and a noncer to initiator 5. Initiator sends its id, its cert, and a sig, all encrypted using key derived from previously exchanged messages 6. Responder sends its id, its cert, and a sig, all encrypted using key derived from previously exchanged messages 19
20 Internet Key Exchange Phase II: Security Associations Using secure channel, establish at least 2 security associations: inbound outbound 20
21 IPsec and the IP protocol stack IPsec puts the two main protocols in between IP and the other protocols HTTP FTP SMTP AH: Authentication Header TCP UDP AH ESP ESP: Encapsulating Security Payload IP Other functions provided by external protocols and architectures 21
22 Security Association (SA) An association between a sender and a receiver Consists of a set of security related parameters E.g., sequence number, encryption key One way relationship Determine IPsec processing for senders Determine IPsec decoding for destination SAs are not fixed! Generated and customized per traffic flows 22
23 Security Parameters Index (SPI) A bit string assigned to an SA. Carried in AH and ESP headers to enable the receiving system to select the SA under which the packet will be processed. 32 bits SPI + Dest IP address + IPsec Protocol Uniquely identifies each SA in SA Database (SAD) 23
24 SA Database (SAD) Holds parameters for each SA Sequence number counter Lifetime of this SA AH and ESP information Tunnel or transport mode Every host or gateway participating in IPsec has their own SA database 24
25 SA Bundle More than 1 SA can apply to a packet Example: ESP does not authenticate new IP header. How to authenticate? Use SA to apply ESP w/out authentication to original packet Use 2 nd SA to apply AH 25
26 Security Policy Database (SPD) Decide What traffic to protect? Has incoming traffic been properly secured? Policy entries define which SA or SA Bundles to use on IP traffic Each host or gateway has their own SPD Index into SPD by Selector fields Selectors: IP and upper-layer protocol field values. Examples: Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source & Dest Ports, 26
27 SPD Entry Actions Discard Do not let in or out Bypass Outbound: do not apply IPSec Inbound: do not expect IPSec Protect will point to an SA or SA bundle Outbound: apply security Inbound: security must have been applied 27
28 SPD Protect Action If the SA does not exist Outbound processing Trigger key management protocols to generate SA dynamically, or Request manual specification, or Other methods Inbound processing Drop packet 28
29 Authentication Header (AH) Provides authenticity and integrity via HMAC over immutable IP headers and data Advantage: the authenticity of data and IP header information is protected Disadvantage: the set of immutable IP headers isn t necessarily fixed For example? Confidentiality of data is not preserved Replay protection via AH sequence numbers note that this replicates some features of TCP 29
30 Mutable fields 30
31 IPsec AH Packet Format IPv4 AH Packet Format IPv4 Header Authentication Header Higher Level Protocol Data AH Header Format Next Header Length Reserved Security Parameter Index Authentication Data (variable number of 32-bit words) 31
32 IPsec Authentication SPI: (spy) identifies the SA for this packet Type of crypto checksum, how large it is, and how it is computed Really, the policy for the packet Authentication data Hash of packet contents include IP header as specified by SPI Treat mutable fields (TTL, header checksum) as zero Keyed MD5 Hash is default 32
33 Encapsulating Security Payload (ESP) Confidentiality, authenticity, and integrity via encryption and HMAC over IP payload (data) Advantage: encapsulated packet is fully secured Use null encryption to get authenticity/integrity only Note that the TCP/UDP ports are hidden when encrypted good: better security, less is known about traffic bad: impossible for FW to filter/traffic based on port Cost: can require many more resources than AH 33
34 Outbound Packet Processing Sequence number generation Increment then use With anti-replay enabled, check for rollover and send only if no rollover With anti-replay disabled, still needs to increment and use but no rollover checking ICV calculation ICV includes whole ESP packet except for authentication data field. Implicit padding of 0 s between next header and authentication data is used to satisfy block size requirement for ICV algorithm Not include the IP header. 34
35 32 bits Security parameters index (SPI) Sequence number Encrypted ICV coverage Payload data (variable) Padding (0-255 bytes) Pad length Next header ESP Integrity check value - ICV (variable) (a) Top-level format of an ESP Packet Packet Security parameters index (SPI) Sequence number Format Encrypted ICV coverage Initializtion value - IV (optional) Rest of payload data (variable) TFC padding (optional, variable) Padding (0-255 bytes) Payload Pad length Next header Integrity check value - ICV (variable) (b) Substructure of payload data (from Stallings, Crypto and Net Security)
36 Inbound Packet Processing Sequence number checking Anti-replay is used only if authentication is selected Sequence number should be the first ESP check on a packet upon looking up an SA Duplicates are rejected! 0 reject Check bitmap, verify if new Sliding Window size >= 32 verify 36
37 Modes of Operation Transport: the payload is (optionally) encrypted and the non-mutable fields are integrity verified (via MAC) Tunnel: each packet is completely encapsulated (and optionally encrypted) in an outer IP packet Hides not only data, but some routing information 37
38 Modes of Operation AH Transport Mode AH Tunnel Mode ESP Transport Mode ESP Tunnel Mode
39 Transport Example (ipsec-howto.org) #!/usr/sbin/setkey -f # Configuration for # Flush the SAD and SPD flush; spdflush; # Attention: Use this keys only for testing purposes! # Generate your own keys! # AH SAs using 128 bit long keys add ah 0x200 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6; add ah 0x300 -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b; # ESP SAs using 192 bit long keys ( parity) add esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c fae69a96c831; add esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f afe8eb df; # Security policies spdadd any -P in ipsec esp/transport//require ah/transport//require; spdadd any -P out ipsec esp/transport//require ah/transport//require; Only thing that changes between and
40 Tunnel Example (ipsec-howto.org) #!/usr/sbin/setkey -f # Flush the SAD and SPD flush; spdflush; # ESP SAs doing encryption using 192 bit long keys ( parity) # and authentication using 128 bit long keys add esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6; add esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f afe8eb df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b; # Security policies spdadd / /24 any -P out ipsec esp/tunnel/ /require; spdadd / /24 any -P in ipsec esp/tunnel/ /require; 40
41 Practical Issues and Limitations IPsec implementations Large footprint resource poor devices are in trouble New standards to simplify (e.g, JFK, IKE2) Slow to adopt new technologies Configuration is extremely complicated/ obscure 41
42 Practical Issues and Limitations Issues IPsec tries to be everything for everybody at all times Massive, complicated, and unwieldy Large-scale management tools are limited (e.g., CISCO) Often not used securely (common pre-shared keys) In theory, IPsec support required in IPv6 42
43 Alternatives to IPsec SSH Tunneling: Tunnel packets over SSH connection OpenVPN: Tunnel traffic via SSL/TLS connections Point-to-Point Tunneling Protocol (PPTP): Tunnel using Control (TCP) and Data (GRE) channels; mostly a Microsoft thing 43
44 SSH Tunneling Alice has an account on myhost.csc.ncsu.edu Alice wants to access page at page is only available to NCSU IPs... and Alice lives off campus ssh -L9999: -NfCx myhost.csc.ncsu.edu forward local port 9999 to port 80 via ssh tunnel to seva firefox & Q: Where does think the connection comes from? ssh -Dlocalhost:9999 -NfCx myhost.csc.ncsu.edu run SOCKS server locally on port 9999, forwarding all traffic to myhost.csc.ncsu.edu 44
CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec
CSCI 454/554 Computer and Network Security Topic 8.1 IPsec Outline IPsec Objectives IPsec architecture & concepts IPsec authentication header IPsec encapsulating security payload 2 IPsec Objectives Why
More informationProtocol Security Where?
IPsec: AH and ESP 1 Protocol Security Where? Application layer: (+) easy access to user credentials, extend without waiting for OS vendor, understand data; (-) design again and again; e.g., PGP, ssh, Kerberos
More informationLecture 17 - Network Security
Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Idea Why donʼt we just integrate some of these neat
More informationAPNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0
APNIC elearning: IPSec Basics Contact: training@apnic.net esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations
More informationIPsec Details 1 / 43. IPsec Details
Header (AH) AH Layout Other AH Fields Mutable Parts of the IP Header What is an SPI? What s an SA? Encapsulating Security Payload (ESP) ESP Layout Padding Using ESP IPsec and Firewalls IPsec and the DNS
More informationNetwork Security Part II: Standards
Network Security Part II: Standards Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/ 18-1 Overview
More informationSecurity Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)
Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic
More information21.4 Network Address Translation (NAT) 21.4.1 NAT concept
21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially
More informationIP Security. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49
IP Security Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security
More informationCS 4803 Computer and Network Security
Network layers CS 4803 Computer and Network Security Application Transport Network Lower level Alexandra (Sasha) Boldyreva IPsec 1 2 Roughly Application layer: the communicating processes themselves and
More informationNetwork Security. Lecture 3
Network Security Lecture 3 Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Security protocols application transport network datalink physical Contents IPSec overview
More informationPríprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku
Univerzita Komenského v Bratislave Fakulta matematiky, fyziky a informatiky Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku ITMS: 26140230008 dopytovo orientovaný projekt Moderné
More informationSecurity in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity
Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration
More informationInternet Protocol Security IPSec
Internet Protocol Security IPSec Summer Semester 2011 Integrated Communication Systems Group Ilmenau University of Technology Outline Introduction Authentication Header (AH) Encapsulating Security Payload
More informationIP SECURITY (IPSEC) PROTOCOLS
29 IP SECURITY (IPSEC) PROTOCOLS One of the weaknesses of the original Internet Protocol (IP) is that it lacks any sort of general-purpose mechanism for ensuring the authenticity and privacy of data as
More informationSecuring IP Networks with Implementation of IPv6
Securing IP Networks with Implementation of IPv6 R.M.Agarwal DDG(SA), TEC Security Threats in IP Networks Packet sniffing IP Spoofing Connection Hijacking Denial of Service (DoS) Attacks Man in the Middle
More informationCSC574: Computer and Network Security Module: Network Security
CSC574: Computer and Network Security Module: Network Security Prof. William Enck Spring 2013 1 Networking Fundamentally about transmitting information between two devices Direct communication is now possible
More informationINF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationIntroduction to Security and PIX Firewall
Introduction to Security and PIX Firewall Agenda Dag 28 Föreläsning LAB PIX Firewall VPN A Virtual Private Network (VPN) is a service offering secure, reliable connectivity over a shared, public network
More informationLaboratory Exercises V: IP Security Protocol (IPSec)
Department of Electronics Faculty of Electrical Engineering, Mechanical Engineering and Naval Architecture (FESB) University of Split, Croatia Laboratory Exercises V: IP Security Protocol (IPSec) Keywords:
More informationNetwork Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide
Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationSecurity Engineering Part III Network Security. Security Protocols (II): IPsec
Security Engineering Part III Network Security Security Protocols (II): IPsec Juan E. Tapiador jestevez@inf.uc3m.es Department of Computer Science, UC3M Security Engineering 4th year BSc in Computer Science,
More informationChapter 5: Network Layer Security
Managing and Securing Computer Networks Guy Leduc Mainly based on Network Security - PRIVATE Communication in a PUBLIC World C. Kaufman, R. Pearlman, M. Speciner Pearson Education, 2002. (chapters 17 and
More informationNetwork Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1
Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity, authentication
More informationNetwork Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)
Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Network communication Who are you
More informationChapter 32 Internet Security
Chapter 32 Internet Security Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 32: Outline 32.1 NETWORK-LAYER SECURITY 32.2 TRANSPORT-LAYER SECURITY 32.3
More informationAppendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
More informationVirtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance
Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance Johnnie Chen Project Manager of Network Security Group Network Benchmarking Lab Network Benchmarking Laboratory
More informationComputer and Network Security
Computer and Network Security c Copyright 2000 R E Newman Computer & Information Sciences & Engineering University Of Florida Gainesville, Florida 32611-6120 nemo@ciseufledu Network Security Protocols
More informationChapter 10. Network Security
Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce
More informationNetwork Security Essentials Chapter 5
Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got
More informationInternetwork Security
Internetwork Security Why Network Security Layers? Fundamentals of Encryption Network Security Layer Overview PGP Security on Internet Layer IPSec IPv6-GCAs SSL/TLS Lower Layers 1 Prof. Dr. Thomas Schmidt
More information13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode
13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) PPP-based remote access using dial-in PPP encryption control protocol (ECP) PPP extensible authentication protocol (EAP) 13.2 Layer 2/3/4
More informationChapter 4 Virtual Private Networking
Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between
More informationChapter 17. Transport-Level Security
Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics
More informationCS 356 Lecture 27 Internet Security Protocols. Spring 2013
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationOutline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts
Outline INF3510 Information Security Lecture 10: Communications Security Network security concepts Communication security Perimeter security Protocol architecture and security services Example security
More informationLecture 10: Communications Security
INF3510 Information Security Lecture 10: Communications Security Audun Jøsang University of Oslo Spring 2015 Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationETSF10 Part 3 Lect 2
ETSF10 Part 3 Lect 2 DHCP, DNS, Security Jens A Andersson Electrical and Information Technology DHCP Dynamic Host Configuration Protocol bootp is predecessor Alternative: manual configuration IP address
More informationAuthentication applications Kerberos X.509 Authentication services E mail security IP security Web security
UNIT 4 SECURITY PRACTICE Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security Slides Courtesy of William Stallings, Cryptography & Network Security,
More informationIPv6 Security: How is the Client Secured?
IPv6 Security: How is the Client Secured? Jeffrey L Carrell Network Conversions Network Security Consultant 1 IPv6 Security: How is the Client Secured? IPv6/IPsec IPsec Challenges IPsec Monitoring/Management
More informationIntroduction to Computer Security
Introduction to Computer Security Network Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Circuit switching vs. packet switching OSI and TCP/IP layered models TCP/IP encapsulation
More informationInternet Security Architecture
accepted for publication in Computer Networks and ISDN Systems Journal Internet Security Architecture Refik Molva Institut Eurécom 2229, route des Crêtes F-06904 Sophia-Antipolis molva@eurecom.fr Abstract
More informationOverview. Protocols. VPN and Firewalls
Computer Network Lab 2015 Fachgebiet Technische h Informatik, Joachim Zumbrägel Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls VPN-Definition VPNs (Virtual Private Networks)
More informationVPN. VPN For BIPAC 741/743GE
VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,
More informationINTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002
INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before
More informationUsing IPSec in Windows 2000 and XP, Part 2
Page 1 of 8 Using IPSec in Windows 2000 and XP, Part 2 Chris Weber 2001-12-20 This is the second part of a three-part series devoted to discussing the technical details of using Internet Protocol Security
More information7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
More informationVirtual Private Networks
Virtual Private Networks ECE 4886 Internetwork Security Dr. Henry Owen Definition Virtual Private Network VPN! Virtual separation in protocol provides a virtual network using no new hardware! Private communication
More informationChapter 9. IP Secure
Chapter 9 IP Secure 1 Network architecture is usually explained as a stack of different layers. Figure 1 explains the OSI (Open System Interconnect) model stack and IP (Internet Protocol) model stack.
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationSecure Sockets Layer
SSL/TLS provides endpoint authentication and communications privacy over the Internet using cryptography. For web browsing, email, faxing, other data transmission. In typical use, only the server is authenticated
More informationIntroduction to Computer Security
Introduction to Computer Security Network Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Circuit switching vs. packet switching OSI and TCP/IP layered models TCP/IP encapsulation
More informationCCNA Security 1.1 Instructional Resource
CCNA Security 1.1 Instructional Resource Chapter 8 Implementing Virtual Private Networks 2012 Cisco and/or its affiliates. All rights reserved. 1 Describe the purpose and types of VPNs and define where
More informationConfiguring IPSec VPN Tunnel between NetScreen Remote Client and RN300
Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 This example explains how to configure pre-shared key based simple IPSec tunnel between NetScreen Remote Client and RN300 VPN Gateway.
More informationOther VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer
Other VPNs TLS/SSL, PPTP, L2TP Advanced Computer Networks SS2005 Jürgen Häuselhofer Overview Introduction to VPNs Why using VPNs What are VPNs VPN technologies... TLS/SSL Layer 2 VPNs (PPTP, L2TP, L2TP/IPSec)
More informationInsecure network services
NFS (port 2049) Insecure network services - Read/write entire FS as any non-root user given a dir. handle - Many OSes make handles easy to guess Portmap (port 111) - Relays RPC requests, making them seem
More informationBit Chat: A Peer-to-Peer Instant Messenger
Bit Chat: A Peer-to-Peer Instant Messenger Shreyas Zare shreyas@technitium.com https://technitium.com December 20, 2015 Abstract. Bit Chat is a peer-to-peer instant messaging concept, allowing one-to-one
More informationCommunication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009
16 th lecture Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 1 25 Organization Welcome to the New Year! Reminder: Structure of Communication Systems lectures
More informationBuilding scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF
Building scalable IPSec infrastructure with MikroTik IPSec, L2TP/IPSec, OSPF Presenter information Tomas Kirnak Network design Security, wireless Servers Virtualization MikroTik Certified Trainer Atris,
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Exercise: Chapters 13, 15-18 18 1. [Kaufman] 13.1
More informationBranch Office VPN Tunnels and Mobile VPN
WatchGuard Certified Training Branch Office VPN Tunnels and Mobile VPN Fireware XTM and WatchGuard System Manager v11.7 Revised: January 2013 Updated for: Fireware XTM v11.7 Notice to Users Information
More informationInternet Protocol: IP packet headers. vendredi 18 octobre 13
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
More informationVirtual Private Networks: IPSec vs. SSL
Virtual Private Networks: IPSec vs. SSL IPSec SSL Michael Daye Jr. Instructor: Dr. Lunsford ICTN 4040-001 April 16 th 2007 Virtual Private Networks: IPSec vs. SSL In today s society organizations and companies
More informationComputer and Network Security Exercise no. 4
University of Haifa Winter Semester 11/1/12 Computer and Network Security Exercise no. 4 Submit in Pairs/Single to mailbox 19 by 25/1/12, 2:00 p.m. 1. Following the sensitivity of the information in its
More informationConfiguring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router
print email Article ID: 4938 Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router Objective Virtual Private
More informationImplementing and Managing Security for Network Communications
3 Implementing and Managing Security for Network Communications............................................... Terms you ll need to understand: Internet Protocol Security (IPSec) Authentication Authentication
More informationVirtual Private Networks
Virtual Private Networks Jonathan Reed jdreed@mit.edu MIT IS&T VPN Release Team Overview Basic Networking Terms General Concepts How the VPN works Why it s useful What to watch out for Q&A Networking 101
More informationApplication Note: Onsight Device VPN Configuration V1.1
Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1
More informationConfiguration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example
Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Document ID: 113337 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration
More informationIPsec VPN Application Guide REV: 1.0.0 1910010876
IPsec VPN Application Guide REV: 1.0.0 1910010876 CONTENTS Chapter 1. Overview... 1 Chapter 2. Before Configuration... 2 Chapter 3. Configuration... 5 3.1 Configure IPsec VPN on TL-WR842ND (Router A)...
More informationDeploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels
Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels This article provides a reference for deploying a Barracuda Link Balancer under the following conditions: 1. 2. In transparent (firewall-disabled)
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationKeying Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1
Prepared by SonicWALL, Inc. 09/20/2001 Introduction: VPN standards are still evolving and interoperability between products is a continued effort. SonicWALL has made progress in this area and is interoperable
More informationLab14.8.1 Configure a PIX Firewall VPN
Lab14.8.1 Configure a PIX Firewall VPN Complete the following lab exercise to practice what you learned in this chapter. Objectives In this lab exercise you will complete the following tasks: Visual Objective
More informationMost Common DMVPN Troubleshooting Solutions
Most Common DMVPN Troubleshooting s Document ID: 111976 Contents Introduction Prerequisites Requirements Components Used Conventions DMVPN Configuration does not work s Common Issues Verify if ISAKMP packets
More informationCommunication Security for Applications
Communication Security for Applications Antonio Carzaniga Faculty of Informatics University of Lugano March 10, 2008 c 2008 Antonio Carzaniga 1 Intro to distributed computing: -server computing Transport-layer
More informationChapter 4: Security of the architecture, and lower layer security (network security) 1
Chapter 4: Security of the architecture, and lower layer security (network security) 1 Outline Security of the architecture Access control Lower layer security Data link layer VPN access Wireless access
More informationIPSec and SSL Virtual Private Networks
IPSec and SSL Virtual Private Networks ISP Workshops Last updated 29 June 2014 1 Acknowledgment p Content sourced from n Merike Kaeo of Double Shot Security n Contact: merike@doubleshotsecurity.com Virtual
More informationz/os Firewall Technology Overview
z/os Firewall Technology Overview Mary Sweat E - Mail: sweatm@us.ibm.com Washington System Center OS/390 Firewall/VPN 1 Firewall Technologies Tools Included with the OS/390 Security Server Configuration
More informationComputer Networks. Secure Systems
Computer Networks Secure Systems Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion Secure Shell (SSH) A protocol to allow secure login to
More informationVPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls
Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls Computer Net Lab/Praktikum Datenverarbeitung 2 1 VPN - Definition VPNs (Virtual Private Networks) allow secure data transmission
More informationCryptography and network security CNET4523
1. Name of Course 2. Course Code 3. Name(s) of academic staff 4. Rationale for the inclusion of the course/module in the programme Cryptography and network security CNET4523 Major The Great use of local
More informationHow To Understand And Understand The Ssl Protocol (Www.Slapl) And Its Security Features (Protocol)
WEB Security: Secure Socket Layer Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - COMP581 - L22 1 Outline of this Lecture Brief Information on SSL and TLS Secure Socket Layer (SSL) Transport Layer Security
More informationAbstract. SZ; Reviewed: WCH 6/18/2003. Solution & Interoperability Test Lab Application Notes 2003 Avaya Inc. All Rights Reserved.
A Sample VPN Tunnel Configuration Using Cisco 3640 and 7100 Routers for Avaya Media Servers and Media Gateways running Avaya MultiVantage Software - Issue 1.1 Abstract These Application Notes outline the
More informationIPsec VPN Security between Aruba Remote Access Points and Mobility Controllers
IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers Application Note Revision 1.0 10 February 2011 Copyright 2011. Aruba Networks, Inc. All rights reserved. IPsec VPN Security
More informationChapter 12 Supporting Network Address Translation (NAT)
[Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information
More informationTable of Contents. Cisco Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall
IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to irewall Table of Contents Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall...1 Cisco has announced
More informationInternet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering
Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch
More informationSecurity Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress
Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Alan Davy and Lei Shi Telecommunication Software&Systems Group, Waterford Institute of Technology, Ireland adavy,lshi@tssg.org
More informationChapter 49 IP Security (IPsec)
Chapter 49 IP Security (IPsec) Introduction...49-3 IP Security (IPsec)...49-4 Security Protocols and Modes... 49-4 Compression Protocol... 49-5 Security Associations (SA)... 49-5 ISAKMP/IKE...49-6 ISAKMP...
More informationVPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks
VPNs Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More informationSecurity in Computer Networks
Security in Computer Networks Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@wustl.edu Audio/Video recordings of this lecture are available on-line at: http://www.cse.wustl.edu/~jain/cse473-10/
More informationVirtual Private Networks
Virtual Private Networks The Ohio State University Columbus, OH 43210 Jain@cse.ohio-State.Edu http://www.cse.ohio-state.edu/~jain/ 1 Overview Types of VPNs When and why VPN? VPN Design Issues Security
More informationVPN Solutions. Lesson 10. etoken Certification Course. April 2004
VPN Solutions Lesson 10 April 2004 etoken Certification Course VPN Overview Lesson 10a April 2004 etoken Certification Course Virtual Private Network A Virtual Private Network (VPN) is a private data network
More informationProxy firewalls. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/
Proxy firewalls thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Proxy Firewalls How Proxy Firewalls Work Forward / Reverse Proxies Application-Level Proxies Gateways (Circuit-Level
More informationSolution of Exercise Sheet 5
Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????
More informationDigi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering
Introduction Digi Connect Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering The Digi Connect supports five features which provide security and IP traffic forwarding when using incoming
More information