6 Internet Security Protocol Layers Electronic Commerce Layer SET, Ecash, S-HTTP PGP PEM S/MIME Transport Layer Security (SSH, SSL, TLS) Datagram Security Protocol (WTLS, DSP) PKIX Transmission Control Protocol (TCP) User Datagram Protocol (UDP) IP/ IP/ IPSec (Internet Protocol Security) Public-Key Infrastructure The security services provided by security mechanisms or protocols depend on the layer of integration: the mechanisms can only protect the payload and/or header information available at this layer header information of lower layers is not protected
7 Placement of Security Functions Higher Layers K K K K Middle Layers K Lower Layers K K K K application specific, technology independent, end-to-end security possible usually software implementations higher layer security does not protect lower layers attractive when balancing security concepts from higher and lower layers link/point-to-point security suited for crypto hardware lower layer can provide security services for and protect higher layers security functions inside the operating systems
8 Internet Protocol Security (IPSEC) IP Authentication Header (AH) for IP packet integrity and partial replay protection Encapsulating Security Payload (ESP) for IP packet confidentiality and integrity Application // IKE Application Data SA SA Establishment Authentication Key Key Establishment AH, ESP can operate in a Transport and in a Tunnel mode application for Transport mode is secure host-to-host transport application for Tunnel mode is secure Virtual private networking (VPN) with security gateways TCP/UDP IP/IPSec Encapsulation Decapsulation Handshake IKE is the default key-management protocol for IPSEC various key-exchange/keyestablishment protocols defined based on Diffie-Hellman Protected Data See IETF RFC
9 IPSEC Transport and Tunnel mode Original IP packet IP Header TCP Header Data encrypted Transport Mode protected packet IP Header ESP header TCP Header Data ESP trailer Authenticated encrypted Tunnel Mode protected packet IP Header ESP header IP Header TCP Header Data ESP trailer Authenticated
10 Internet Key Management (IKE) Peer A IKE phase 1: Create secure IKE channel Peer B IKE IKE phase 2: Create IPSEC SA IKE supply IPsec SA AH/ESP AH/ESP protected channel supply IPsec SA AH/ESP
11 IKE Phases IKE operates in two phases Phase 1 sets up a secure channel (referenced as ISAKMP SA). This requires a key exchange (Diffie-Hellman algorithm) with authentication (based on preshared symmetric keys, public key encryption or digital signatures). Phase 2 negotiates IPsec SAs over this secure channel. Derivation of several IPsec SAs or re-negotiation is possible without a new Phase 1 exchange.
12 Transport Layer Security (TLS) Secure Socket Layer (SSL) Application TLS Application Data Negotiation Encapsulation Authentication Decapsulation Key Establishment Browser https:// SSL Secure WWW Server SSL TCP IP IP Protected Data Handshake Transport System Transport System HTTP HTTP over SSL SSL/TLS provide optional client and server authentication with keymanagement and connection-oriented data confidentiality and integrity. There are only minor differences between SSL and TLS but they are not interoperable.
14 Some SSL/TLS applications secure WWW communication (HTML/XML over TLS) secure LDAP (LDAPS) secure mobile WAP communication with WTLS secured network management (SNMP over TLS) secure e-commerce transactions (protected credit-card number) secure login (server certificate + user password or with client certificate) other secured Internet Applications (IMAP/POP3, NNTP, FTP, over TLS,...) secured multimedia/voice-over-ip signaling (H.235)
16 SSL/TLS record layer encapsulation Plaintext application layer PDU Content Type TLS/ SSL version length Application layer PDU MAC CBC padding CBC padding length encrypted protected SSL/TLS record layer PDU
17 SSL/TLS References IETF RFC 2246 The TLS Protocol Version 1.0, IETF RFC 2487 SMTP Service Extension for Secure SMTP over TLS, IETF RFC 2595 Using TLS with IMAP, POP3 and ACAP, IETF RFC 2817 Upgrading to TLS Within HTTP/1.1, 2000.
19 VPN are secure, private overlay networks over the Internet. secure tunneling protects any transmitted traffic between secure islands. IPSEC, L2TP, PPP and SSL are the most widely used VPN techniques. a VPN can be built on its own or be provided externally as a network service. Firewalls or cryptoboxes can provide VPNs.
20 Firewall Mail Authentication Logging NEWS Accounting Client Anti Virus Internet WWW DNS other Proxy NAT IPSEC Crypto box VPN Intranet (Corporate Network) Client
21 Firewall are security gateways that are placed at the perimeter of a security domain. control in/outgoing access to/from Intranet, Extranets and the Internet. help enforcing a security policy. Policies rules can be built using K packet filter K stateful inspection K application level gateway (ALG) typically provide auxiliary security functions such as remote authentication, VPN, Anti Virus filter, proxies, logging/accounting and network address translation (NAT). are a potential bottleneck.
22 Kerberos Architecture Kerberos Server 2. TGS ticket Ticket Granting Server 4. Server ticket 1. Request a TGS TGS ticket 3. Request a server ticket Client 5. Service Request Application Server
23 Kerberos was developed by MIT in 1970s for large campus computer networks. uses a central, trusted key management center for authentication and as a key distribution facility. is based entirely on symmetric keys (master keys, authentication keys, session keys) and synchronized time clocks. Tickets convey shielded session keys and granted permission. provides (authenticated) single-sign on and access control services to authorized resources. supports reliable accounting for used services. the core crypto protocols had several weaknesses, some caution is still necessary. there is also a public-key variant of Kerberos. there is a UNIX version in the public-domain.
24 Secure Electronic Transaction (SET) Scenario Bank issues a credit card for the customer Issuer (Customer s bank) Secure financial network Acquirer (Merchant s bank) Bank accepts and processes payment offer from Merchant owns a credit card purchases and pays digitally Customer relationship Cardholder (customer) Certification Authority (CA) Issues certificates Internet Monetary transfer Payment Gateway (PG) Processes payment offer Customer relationship Merchant (shop) sells goods via Internet accepts digital payments
25 SET Transaction 1. Customer queries shop 2. Merchant sends order form 3. Customer chooses payment method 4. Customer sends purchase order and payment authorization (SET) 5. Merchant confirms purchase order (SET) 6. Authorization Request, acquirer bank confirms customer s payment authorization (SET) 7. Merchant delivers goods Issuer (Customer s bank) a Acquirer (Merchant s bank) 6 Payment Gateway (PG) 8 SET 8. Merchant requests payment from acquirer bank (SET) 9. Acquirer bank performs clearing with customer s bank Cardholder (customer) Merchant (shop) 10. Customer s bank sends bill to customer. SET SET
27 SET Security Hash-Algorithms SHA-1 (160 bit has length) Encryption DES-56 in CBC mode, exportable DES-40 (CDMF) RSA (1024 bit key length, Root CA 2048 bit) X.509 certificates RSA for digital envelopes and digital signatures (PKCS#7) Dual signatures: Sign (MD (MD (payment auth.) MD (offer desc.))) idempotent messages, multiple send possible nonces allow detection of duplicates
Introduction to PKI Technology Version 1.5 Elaborated by Sylvain Maret & Cédric Enzler October 1999 Rev. 1.5: August 2000 1 Course Map Day One Introduction Key Terms Cryptosystems Services, Mechanisms,
Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.0 January 2014 AAA Access Control
VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
SCTP Strategies to Secure End-To-End Communication DISSERTATION to obtain the academic grade doctor rerum naturalium (Dr. rer. nat.) in Computer Science Submitted to the Faculty of Economics and Business
Data sheet Product overview The HP VPN Firewall Module Family enables advanced network protection at multigigabit speeds and combines built-in protection against denial-of-service (DoS) and hacking attacks
NIST Special Publication 800-52 Revision 1 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations Tim Polk Kerry McKay Santosh Chokhani http://dx.doi.org/10.6028/nist.sp.800-52r1
CHAPTER 9 Firewalls and Virtual Private Networks Introduction In Chapter 8, we discussed the issue of security in remote access networks. In this chapter we will consider how security is applied in remote
Certificate Management Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
Cisco ASA Configuration Guidance Abstract The modern network perimeter is more complicated than ever. The number of applications, protocols, and attacks that a firewall is expected to support and protect
Siebel Security Guide Siebel Innovation Pack 2013 Version 8.1/8.2 September 2013 Copyright 2005, 2013 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
Special Publication 800-41 Revision 1 Guidelines on Firewalls and Firewall Policy Recommendations of the National Institute of Standards and Technology Karen Scarfone Paul Hoffman NIST Special Publication
Abstract An Investigation into the Effect of Security on Performance in a VoIP Network Muhammad Tayyab Ashraf, John N. Davies and Vic Grout Centre for Applied Internet Research (CAIR) Glyndŵr University,
Report Number: I332-016R-2005 Security Guidance for Deploying IP Telephony Systems Systems and Network Attack Center (SNAC) Released: 14 February 2006 Version 1.01 SNAC.Guides@nsa.gov ii This Page Intentionally
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
RSA Authentication Manager 8.1 Planning Guide Revision 1 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm Trademarks
ZyWALL 5 Internet Security Appliance Support Notes Version 4.02 Dec. 2006 INDEX Application Notes...12 Seamless Incorporation into your network...12 Using Transparent (Bridge Mode) Firewall...12 Internet
r uhr-university bochum Department of Computer Science Prof. Dr.-Ing. Dr. h.c. Wolfgang Weber Modern Firewalls Security Management in Local Networks ICINAS-98 St.Petersburg Thomas Droste Wolfgang Weber
Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release PB526545 Cisco ASA Software Release 8.2 offers a wealth of features that help organizations protect their networks against new threats
Version 1.2 September 23, 2013 Secure Installation and Operation of Your ColorQube 8700 / 8900 Xerox ConnectKey Controller Secure Installation and Operation of Your ColorQube 8700 / 8900 Xerox ConnectKey
Server Management with Lenovo ThinkServer System Manager For next-generation Lenovo ThinkServer systems Lenovo Enterprise Product Group Version 1.0 September 2014 2014 Lenovo. All rights reserved. LENOVO