How To Secure My Data

Similar documents
LAYER 2 ENCRYPTORS METRO AND CARRIER ETHERNET METROS AND WIDE AREA NETWORKS ETHERNET ENCRYPTION FOR PRESENTS:

ETHERNET WAN ENCRYPTION SOLUTIONS COMPARED

NATIONAL RESEARCH AGENCY CASE STUDY - CCTV NETWORK SERVICES

Best practices for protecting network data

Securing IP Networks with Implementation of IPv6

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Technical papers Virtual private networks

ethernet services for multi-site connectivity security, performance, ip transparency

Virtual Private Networks

Lecture 17 - Network Security

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

L2 Box. Layer 2 Network encryption Verifiably secure, simple, fast.

SafeNet Network Encryption Solutions Safenet High-Speed Network Encryptors Combine the Highest Performance With the Easiest Integration and

Network Access Security. Lesson 10

Layer 2 Encryption Fortifying data transport

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

HIGH PERFORMANCE ENCRYPTION SOLUTIONS SECURING CRITICAL NATIONAL INFRASTRUCTURE

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Chapter 10. Network Security

Chapter 9. IP Secure

IP Security. Ola Flygt Växjö University, Sweden

Network Security Part II: Standards

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

A Performance Analysis of Gateway-to-Gateway VPN on the Linux Platform

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

ETHERNET ENCRYPTION MODES TECHNICAL-PAPER

MPLS VPN basics. E-Guide

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles.

Internetworking. Problem: There is more than one network (heterogeneity & scale)

TrustNet Group Encryption

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

First Semester Examinations 2011/12 INTERNET PRINCIPLES

IPv6 Security: How is the Client Secured?

Virtual Privacy vs. Real Security

TDM services over IP networks

Protocols. Packets. What's in an IP packet

Introduction to Computer Security

Securing an IP SAN. Application Brief

IP SECURITY (IPSEC) PROTOCOLS

CS 494/594 Computer and Network Security

IN CONTROL AT LAYER 2: A TECTONIC SHIFT IN NETWORK SECURITY.

Security vulnerabilities in the Internet and possible solutions

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

MPLS VPN Services. PW, VPLS and BGP MPLS/IP VPNs

Fundamentals of Mobile and Pervasive Computing

Wireless VPN White Paper. WIALAN Technologies, Inc.

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

BLACK BOX. EncrypTight

Steelcape Product Overview and Functional Description

Remote Access VPNs Performance Comparison between Windows Server 2003 and Fedora Core 6

Layer 2 Network Encryption where safety is not an optical illusion Marko Bobinac SafeNet PreSales Engineer

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

CCNA Security 1.1 Instructional Resource

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Rohde & Schwarz R&S SITLine ETH VLAN Encryption Device Functionality & Performance Tests

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Chapter 5. Data Communication And Internet Technology

VPN. Date: 4/15/2004 By: Heena Patel

Definition. A Historical Example

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Managed Services: Taking Advantage of Managed Services in the High-End Enterprise

Dr. Arjan Durresi. Baton Rouge, LA These slides are available at:

MPLS L2VPN (VLL) Technology White Paper

Application Note How To Determine Bandwidth Requirements

Virtual Private Networks

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Case Study for Layer 3 Authentication and Encryption

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

Chapter 6 CDMA/802.11i

Client Server Registration Protocol

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

High Speed Ethernet WAN: Is encryption compromising your network?

Introduction to Computer Security

ICTTEN8195B Evaluate and apply network security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

Monitoring Remote Access VPN Services

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

NETWORK SECURITY (W/LAB) Course Syllabus

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

The term Virtual Private Networks comes with a simple three-letter acronym VPN

Using Carrier Ethernet to Create Cost Effective and Secure Wide Area Networks How Layer 2 Encryption Enables Better Use of Bandwidth.

IPV6 vs. SSL comparing Apples with Oranges

Cisco Integrated Services Routers Performance Overview

Chapter 17. Transport-Level Security

Group Encryption. The key to protecting data in motion BLACK BOX blackbox.com

CS 4803 Computer and Network Security

Network Simulation Traffic, Paths and Impairment

Comparing Mobile VPN Technologies WHITE PAPER

Solutions Guide. Secure Remote Access. Allied Telesis provides comprehensive solutions for secure remote access.

Protocol Security Where?

Secure Network Design: Designing a DMZ & VPN

Transcription:

How To Secure My Data

What to Protect???

DATA

Data At Rest

Data at Rest Examples

Lost Infected Easily Used as Backup Lent to others Data Corruptions more common

Stolen Left at airports, on trains etc Hard disk corruption common Connected to many networks

& Data in Motion

Laptops and Memory sticks should never have a unique copy of important information. All confidential information should be encrypted. Staff informed of good working practises. Make Sure Laptops are Patched

Encryption is the conversion of data into a form called a ciphertext that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood

In reality, encryption can happen at different layers of a network stack, the following are just a few examples: End-to-end encryption happens within applications. SSL encryption takes place at the transport layer. IPSec encryption takes place at the network layer. Layer 2 encryption takes place at the data link layer.

At first glance encryption seems an easy choice; after all why expose confidential information to prying eyes when you can protect it by scrambling? Some of the traditional objections to encryption include loss of performance and the complexity of managing encryption keys.

Today however modern hardware and software systems have whittled away these issues to the extent that it is now possible to deploy hardware encryption to secure information at full line rates up to 10Gbps and with simple fully automatic key management.

Layer 2 encryption is often referred to as a bump in the wire technology. The phrase conveys the simplicity, maintainability and performance benefits of layer 2 solutions that are designed to be transparent to end users with little or no performance impact on network throughput.

In a recent study by the Rochester Institute of Technology (RIT), it was determined that Layer 2 encryption technologies provide superior throughput and far lower latency than IPSec VPNs, which operate at Layer 3.

The RIT study concludes: Enterprises that need to secure a point-to-point link are likely to achieve better encryption performance by shifting from traditional encryption with IPSec at Layer 3 to the overheadfree encryption of frame payloads at Layer 2.

Only Layer 2 encryption solution worldwide with 100% data throughput rates of up to 10 gigabits per second without overhead scalable encryption solutions and optional upgrades Easy to integrate into existing point-to-point, point-tomultipoint and multipoint-to-multipoint networks Encrypts unicast, multicast and broadcast, supports class of service, VLAN-ID and tagging

The outstanding performance with 100% encryption throughput of up to 10 gigabits per second and the extremely low latency in the microsecond range allow the equipment to be used even in time-critical applications and connections subject to heavy loads. The Layer 2 approach guarantees a simple configuration, bump-in-the-wire integration and minimal maintenance.

Lowest impact on network performance Reduced complexity (bump in the wire) Transparent to media (voice, data, video etc.) Little or no configuration Operates at wire speed up to 10Gbps. Introduces no overhead. In contrast, Layer 3 IPSec typically adds significant overhead (over 40% of available bandwidth for smaller packets) Implementation of Layer 2 encryption devices is simple

Outsourcing of routing tables is also seen as a weakness of Layer 3 VPN services because many corporations don't want to relinquish control or even share their routing schemes with anyone, not even their service provider. They prefer Layer 2 network services, such as Ethernet, Frame Relay or ATM as these are simpler in architecture and allow customers to retain control of their own routing tables.

Let s start with a packet the way it is transported on layer 3: It consists of an IP header and the payload. IPSec ESP transport mode adds an ESP Header, an ESP trailer and ESP authentication. In transport mode only the payload is encrypted while the IP header remains unprotected. The established way to encrypt site-to-site traffic with IPSec is the tunnel mode. A new IP Header is added, so that the entire IP packet (header and payload) can be encrypted without sacrificing network compatibility.

For the transport over an Ethernet network the encrypted IP packet gets a MAC header and a CRC checksum.

For Ethernet the entire IP packet encrypted with IPSec ESP Tunnel Mode is pure payload. Accordingly a transport mode encryption at layer 2 can provide the same protection as IPSec ESP Tunnel Mode without generating packet overhead. The encryption can encrypt the entire IP packet without introducing packet overhead. IPSec ESP Mode features Encapsulating Security Payload, which provides confidentiality, data origin authentication, connectionless integrity and an anti-replay mechanism. To maintain comparable layer-specific security, equivalent features need to be implemented at layer 2. Some of the overhead that would have been generated at layer 3 thus moves down to layer 2. Properly implemented it will cause less overhead and be much more flexible in terms of network functionality than IPSec at layer 3.

At layer 3 it also matters if you encrypt IPv4 or IPv6. Both are using IPSec as encryption standard, but the differences between IPv4 and IPv6 make it a completely different story. At layer 2 though, it does not make any difference if the payload to be encrypted consists of IPv4 or IPv6.

It is possible to encrypt Ethernet using IPSec. In order to do so the Ethernet frame has to be fork lifted up to layer 3 to become IP payload. As soon as the Ethernet frame is IP payload it can be encrypted at layer 3 with IPSec. As IP is transported over Ethernet the result is Ethernet transported over IP over Ethernet. It is as inefficient as it sounds. If e.g. L2TPv3 is used to transport Ethernet over IP the overhead generated by encapsulation is 50 bytes.

IPSec encryption will add another 38-53 bytes. The security overhead and the security are limited as only transport mode can be used in this scenario.

Let s start again with an IP packet the way it is transported on layer 3: It consists of an IP-header and the payload. For the transport on layer 2 on Ethernet the packet is framed with a MAC header and a CRC checksum. For Ethernet it doesn t make a difference if the IP packet is encrypted or not, it is just payload.

A transport mode encryption at layer 2 will encrypt the entire IP packet including the IP header without requiring any tunneling. Tunneling alone generates 20-40 bytes of avoidable overhead and adds noticeable latency.

To get a better understanding how layer 2 encryptors encrypt at layer 2 it is best to look at the different encryption modes:

A- Bulk Mode Bulk Mode (also known under the terms Frame Encryption and Link Encryption) encrypts the entire Ethernet frame between the Preamble and the Interframe Gap. To reach the same coverage when encrypting the frame with a layer 3 encryptor, the entire Ethernet frame would have to be lifted up to layer 3, encapsulated and then encrypted with IPSec ESP Tunnel Mode. This would cause massive and unnecessary overhead. The Bulk Mode on layer 2 limits the available usage scenario to Hop-to-hop, as all relevant addressing info is encrypted

B- Transport Mode The most widely used encryption mode is the transport mode. The reason behind this is the full network compatibility ensured by limiting the encryption to the payload.

C- Tunnel Mode Tunnel mode is also an option on layer 2, but only used if the entire original frame must be encrypted and the encryption needs to support a multi-hopscenario. Tunneling adds overhead and processing time.

What are Weaknesses?? How To Solve??

There are a few attacks, Below are some of them: Replay Attacks Rewrite Attacks Convert Signalling Attacks

If the message is an encrypted, why should we care about replay? The reason is that: o If an outsider captures the encrypted message and re-send it, he/ she might attack the system

Send a message of "pay Chan Tai Man 1000" Pay Chan Tai Man 1000 Pay Chan Tai Man 1000 Pay Chan Tai Man 1000 Genuine $%&*( Alice $%&*( $%&*( Bogus Copies Bob and his colleagues Play-it-agan Sam

Alice sends a message of pay Chan Tai Man to Bob. She sends one genuine (true) message. Play-it-again Sam captures the encrypted message and resends twice to Bob. Bob and his colleagues will then pay Chan Tai Man three times. Of course, Sam will have certain benefits of doing this.

Each plaintext message must have an extra information such as message number. If the receiver receives a duplicated message, it is discarded. 2 data2 22 data2 This will solve it in TCP/IP (layers 3 & 4). It has this feature to solve this problem

If an hacker knows the contents, he/she can modify the encrypted message. Say for example, the encrypted message of pay 1000 is 89^&oiu, he/she can modify 89^&aiu by changing o to a. The resulting plaintext message is 9000. (This assumes that 89^&aiu will produce 9000.)

There are many methods. Below are some of them 1. Avoid products using other modes. Always use block ciphers techniques. (crude rewrite attacks are still possible with block mode.); or 2. Insert a random number into each packet, include it in the packet checksum and encrypt the resulting packet; or 3. Use digital signature to authenticate the source of data. (the message is signed)

A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic. Authentic means that you know who created the document and you know that it has not been altered in any way since that person created it.

Digital signatures rely on certain types of encryption to ensure authentication. Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Authentication is the process of verifying that information is coming from a trusted source. These two processes work hand in hand for digital signatures.

a message may be encrypted, but not digitally signed (only people with the key can read it, but the reader cannot be certain who actually wrote it) a message may be digitally signed, but not encrypted (everyone can tell who wrote it, and everyone can read it) a message may be encrypted first, then digitally signed (only someone with the key can read it, but anyone can tell who wrote it) a message may be digitally signed first, then encrypted (only someone with the key can read it, and only that same reader can be sure who sent the document)

Thank You Mohammad Jarrar

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information