INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Transcription

1 INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli

2 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security

3 Before We Start During the last Decade, Internet has experienced a triumphant advance. Internet is see as First Incarnation of a National Information Infrastructure

4 History The Beginning Research oriented Internet (collegial environment) Users and Hosts were mutually trusting and interested in a free and open exchange of information Users were the creators Internet became more useful and reliable, and users grew

5 History Problems Since opening and commercialization, the internet has become a popular target to attack. November Internet worm Flooded thousands of hosts by Robert T. Morris, Jr. More recently- Thousands of Passwords sniffed on the Internet and sequence number guessing attacks used for IP Spoofing.

6 History Connections to Us. Virtual everyone on Internet is vulnerable and security problems are the center of attention. Many people and companies are abstaining from joining because of security issues.

7 Internet Security Vague terms that mean various things to different people. I.S. can only be achieved by 2 classes of security services: Access control services- protect computing and networking resources from unauthorized use. Communication Security Services- provide authentication, data confidentiality and integrity, as well as nonrepudiation services to communicating peers.

8 Firewall Technology What is a Firewall? The aim is to protect and provide a single choke point where security and audit can be imposed. Builds a blockade between an internal network and another network. Firewall is to prevent unwanted and unauthorized communication into or out of the network, and allow enforcement of network policy on traffic flow between the 2 networks.

9 How does a Firewall Work? Usually consists of screening routers and proxy servers. Screening routers? A multiport IP router that applies a set of rules to IP packets and decides whether to forward or not. Proxy servers? Server process running on Firewall system to perform a specific TCP/IP function as a proxy on behalf of the network users.

10 Screening Routers The advantages are simplicity and low costs. The Disadvantages are related to difficulties in setting up packet filters rules, cost of managing, and lack of user-level authentication.

11 Proxy Servers The advantages are userlevel authentication, logging and accounting. The disadvantages are related to the fact that the for full benefit, an applicationlayer gateway must be built specifically for each application. May severely limit deployment of new applications. Solution: SOCKS Package of Library routines to be linked into network application programs.

12 Internet Layer Security The Idea of a standardized network layer security protocol is not new Several proposals have been made. Security protocol 3 (SP3) Network Layer Security Protocol (NLSP) Integrated Network Layer Security Protocol (I-NLSP) SwIPe All use IP encapsulation as their enabling technique.

13 Cryptography The mechanisms should work for both versions of IP, IPv4 and IPv6. Should be algorithm-independent. Should be useful in enforcing different security policies 2 cryptographic security mechanisms: Authentication Header (AH) Encapsulating Security Payload (ESP)

14 Authentication Header Provide Authenticity and integrity to IP packets Refers to a message authentication code (MAC) that is computed prior to sending packet. Sender uses a key to compute the AH and the receiver uses the same or different key to verify it. Keys same if sender s and receiver s computations are based on secret key cryptography. Keys different if their computations are based on public key cryptography.

15 Encapsulating Security Provide confidentiality Payload Encapsulate either entire packet (tunnel mode) or the upper-layer protocol data (transport mode) inside the ESP. In Tunnel Mode, a new IP header is added in plaintext to the encrypted ESP. Used to route the packet through the internet. Receiver removes and discards the plaintext header and options, decrypts, processes and removes ESP header, and processes the original packet.

16 Transport Layer Security Internet application programming commonly uses a generalized interprocess communications facility (IPC) to work with different transport layer protocols. 2 popular interfaces: BSD sockets Transport Layer Interface (TLI)

17 Secure Socket Layer (SSL) Exchange of secret key that can be used to encrypt and decrypt data stream transmitted between communicating peers. SSL on top of a reliable transport service. Used by Netscape Communications

18 More on SSL SSL record protocol deals with fragmentation, compression, data authentication and encryption of messages provided by applications. Keys that are used for data authentication and encryption are negotiated by SSL handshake protocol. SSL Handshake protocol deals with the exchange of protocol version numbers and supported cryptographic algorithms along with authentication and key exchange.

19 More on SSL Netscape made publicly available a reference implementation of SSL, SSLref. Freely available SSL implementation call SSLeay. Both can be used to incorporate SSL functionality into arbitrary TCP/IP applications.

20 Private Communication Technology Proposed by MicroSoft Updated version of SSL v2

21 SSL vs PCT Most significant bit in version number field set to 0 Most significant bit in version number field set to 1 Allows Internet server to dynamically decide whether a request refers to SSL or PCT.

22 Application Layer Security Network layer security protocols allow to attach security properties to network data channels between hosts. Providing Security services on the application layer is the most flexible way to handle individual security requirements. Modify each each application accordingly. ( )

23 Privacy Enhanced Mail Used to provide security services for SMTP based systems. Acceptance has been slow because PEM depends on existant and fully operable PKI. PEM PKI is hierarchically structured and consists of 3 levels: An Internet Policy Registration Authority (IPRA) on top level Policy Certification Authorities (PCAs) on the second level Certifications Authorities (Cas) on third level

24 PKI and PGP Creation of a PKI that conforms to the PEM specification is also a political process different parties need to agree on common points of trust. Birth of Pretty Good Privacy (PGP) as an intermediate step by Phil Zimmerman PGP conforms to most parts of the PEM, but doesn t require a PKI to be in place.

25 S-HTTP Security enhanced version of HTTP Provides security at the document level Currently no standard for Web security.

26 S-HTTP and SSL Follow different approaches to provides security for the web S-HTTP marks individual documents as private or signed SSL mandates the data channel used for communication between the corresponding processes as private or authenticated.

27 E-Commerce In order to secure transactions over the internet companies have specified a similar Secure Transaction Technology protocol.

28 Conclusions Focus on various techniques that are available and that can provide IS. Internet needs a security model similar to traveling It is not possible to achieve IS in a complete sense.

29 Analysis Well written Mixed levels of experience

30 Improvements The paper could be written at a stand level- all easy or all technical. Give more examples.