Computer Networks. Secure Systems

Transcription

1 Computer Networks Secure Systems

2 Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion

3 Secure Shell (SSH) A protocol to allow secure login to a remote machine Provides the following guarantees Privacy (via encryption) Authentication (Public/Private keys) Data Integrity

4 SSH (Cont ) SSH is a suite of protocols SSH-TRANS (transport protocol) SSH-AUTH (authentication protocol) SSH-CONN (connection protocol) Each protocol serves a specific purpose

5 SSH-TRANS & SSH-AUTH Use TCP to create a connection to the host and authenticate (the host) using RSA. How do you authenticate the servers public key? A symmetric session key is then established and used. The user then needs to authenticate their id with the remote host. How is this done?

6 SSH-CONN Extends SSH to support applications other than a remote shell. X Windows IMAP mail clients Etc How? Port Forwarding

7 Port Forwarding Uses SSH to form a secure tunnel between hosts. When data arrives at host B, SSH will forward the incoming data to the appropriate port. Host A Host B Application client Direct connection Application server SSH Forwarded connection SSH

8 HTTPS HTTPS = HTTP running on Secure Channel Originally the secure channel was SSL Developed by Netscape The new standard is TLS Developed by IETF HTTPS will run on either SSL or TLS (SSL/TLS)

9 Transport Layer Security (TLS) Allows for a variety of different security algorithms to be used. Both sides agree to a set of algorithms Application (e.g., HTTP) Secure transport layer TCP IP Subnet

10 IPSec A framework for providing security services to the network layer Optional in IPv4 but mandatory in IPv6 Idea: if you provide security in a lower layer then all layers above implicitly inherit that protection

11 IPSec (Cont ) 2 Types Authentication Header Authentication only Encapsulating Security Payload Authentication plus confidentiality ESP encrypts the entire IP payload. Why is this a problem? Doesnʼt play nicely with firewalls

12 Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion

13 WPA2 WiFi Protected Access 2 Can be broken into two logical units Authentication Encryption Why not talk about other protocols? WEP (virtually useless) WPA (nearly identical to WPA2 but not quite)

14 WPA2 Authentication Supports 2 Authentication Mechanisms Pre-shared Key (PSK) Extensible Authentication Protocol (EAP) PSK common in homes and home offices. requires that both the host and access point share a common key EAP Usually implemented in enterprises using a RADIUS server

15 WPA2 Encryption After authenticating the wireless device then establishes a session key with the access point. The session key is really a collection of keys that is used by the Temporal Key Integrity Protocol (TKIP) Each frame transmitted encrypts the data using AES and a key, which is provided by TKIP.

16 TKIP Ensures that each packet is sent with its own unique encryption key If an attacker knows the initial set of keys then they can decrypt the traffic It is computationally infeasible to determine the what the next key will be

17 Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion

18 Firewall A system which is a sole point of connectivity between a network and all other external networks and protects that network from the external networks Firewall Rest of the Internet Local site

19 Firewall Services The key service is access control decides which message flow into and out of the network Example: disallow any outgoing messages from a specific IP Allows admins to create zones of trust The three common zones are Internal Network Demilitarized Zone (DMZ) External Network

20 Zones of Trust You can define an arbitrary number of zones Each subsequent zone must be less restrictive than the previous Common Setup Internal Network -- trust everything in this zone DMZ -- allow external network access but the internal network hosts see this host as outside the firewall External Network -- donʼt trust anyone out here If you donʼt trust someone you can still communicate with them but rules will apply

21 Access Control Filter based on IP, TCP, UDP, and other headers. Uses the data provided and a set of rules to determine whether or not to forward the traffic Rules are configured in the firewall There can be a lot of rules to manage If a rule is missing or malformed it can create an unwanted security hole

22 Stateful Firewalls Many programs dynamically assign clients port numbers. Consider the following scenario Internal host initiates connection to external host using a dynamic port External host responds to the client What will the firewall do? Stateless firewall -- discard the data Stateful firewall -- allow the data through Keeps track of the state of all connections to allow for this dynamic mapping to happen

23 Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion

24 Discussion Questions Benefits of a firewall? Problems with firewalls? Open Q/A on any remaining security questions?