CS 4803 Computer and Network Security



Similar documents
Protocol Security Where?

Introduction to Computer Security

Chapter 32 Internet Security

Introduction to Computer Security

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Lecture 17 - Network Security

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Securing IP Networks with Implementation of IPv6

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

IP Security. Ola Flygt Växjö University, Sweden

Chapter 9. IP Secure

Overview. Protocols. VPN and Firewalls

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Virtual Private Networks

Chapter 10. Network Security

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

Security Engineering Part III Network Security. Security Protocols (II): IPsec

VPN. VPN For BIPAC 741/743GE

Computer Networks. Secure Systems

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Network Security Part II: Standards

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Internet Protocol Security IPSec

CS 494/594 Computer and Network Security

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

21.4 Network Address Translation (NAT) NAT concept

Laboratory Exercises V: IP Security Protocol (IPSec)

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

How To Understand And Understand The Security Of A Key Infrastructure

Dr. Arjan Durresi. Baton Rouge, LA These slides are available at:

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Network Security. Lecture 3

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Network Security Fundamentals

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Using IPSec in Windows 2000 and XP, Part 2

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

Lecture 10: Communications Security

CCNA Security 1.1 Instructional Resource

Virtual Private Networks: IPSec vs. SSL

LinkProof And VPN Load Balancing

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

IP SECURITY (IPSEC) PROTOCOLS

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Chapter 7 Transport-Level Security

Insecure network services. Firewalls. Two separable topics. Packet filtering. Example: blocking forgeries. Example: blocking outgoing mail

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Chapter 5: Network Layer Security

Why SSL is better than IPsec for Fully Transparent Mobile Network Access

Security vulnerabilities in the Internet and possible solutions

Internet Privacy Options

Introduction to Security and PIX Firewall

IPsec Details 1 / 43. IPsec Details

Case Study for Layer 3 Authentication and Encryption

Internetwork Security

CPS Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang

Computer and Network Security Exercise no. 4

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

CSCI 454/554 Computer and Network Security. Final Exam Review

Security Technology: Firewalls and VPNs

Virtual Private Networks

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Virtual Private Networks

SSL VPN vs. IPSec VPN

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

IPV6 vs. SSL comparing Apples with Oranges

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Solution of Exercise Sheet 5

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Implementing and Managing Security for Network Communications

Network Working Group Request for Comments: Category: Standards Track December Security Architecture for the Internet Protocol

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

This section provides a summary of using network location profiles to identify network connection types. Details include:

Protocol Rollback and Network Security

ETSF10 Part 3 Lect 2

Branch Office VPN Tunnels and Mobile VPN

Lecture 9 - Network Security TDTS (ht1)

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

MPLS VPN in Cellular Mobile IPv6 Architectures(04##017)

Transcription:

Network layers CS 4803 Computer and Network Security Application Transport Network Lower level Alexandra (Sasha) Boldyreva IPsec 1 2 Roughly Application layer: the communicating processes themselves and the actual messages transmitted Transport layer: handles transmissions on an end-to-end basis Network layer: handles transmissions on a hop-by-hop basis Application layer: PGP, SSH Transport layer: SSL/TLS Network layer: IPsec Security at the lower layer? Examples 3 4

Security in what layer? Depends on the purpose What information needs to be protected? What is the attack model? Who shares keys in advance? Should the user be involved? E.g., a network-layer protocol cannot authenticate two endusers to each other An application-layer protocol cannot protect information PGP is an application-level protocol for secure email Can provide security on insecure systems Users choose when to use PGP; user must be involved Alice s signature on an email proves that Alice actually generated the message, and it was received unaltered; also non-repudiation In contrast, SSL would secure the connection from Alice s computer Also affects efficiency, ease of deployment, etc. 5 6 SSL sits on top of the transport layer End-to-end security, best for connection-oriented sessions User does not need to be involved The OS does not have to be changed Easy to modify applications to use SSL If SSL rejects packet accepted by TCP, then TCP rejects correct packet when it arrives! SSL must then close the connection IPsec sits on top of the network layer End-to-end or hop-by-hop security Best for connectionless channels Need to modify OS All applications are protected by default, without requiring any change to applications or actions on behalf of users Can only authenticate hosts, not users User completely unaware that IPsec is running 7 8

Take home message Best solution may involve changes at both the OS and applications layers IPSec = AH + ESP + IKE Overview The best solution is not to run SSL and IPsec! Would have been better to design system with security in mind from the beginning (Keep in mind for future systems ) Protection for IP traffic AH provides integrity and origin authentication ESP also confidentiality Sets up keys and algorithms for AH and ESP 9 10 Security associations (SAs) An SA is a crypto-protected connection One SA in each direction At each end, the SA contains a key, the identity of the other party, the sequence number, and crypto parameters IPsec header indicates which SA to use Parties will maintain a database of SAs for currently-open connections Used both to send and receive packets Authentication header (AH) AH vs. ESP Provides integrity only Encapsulating security payload (ESP) Provides encryption and/or integrity Both provide cryptographic protection of everything beyond the s AH additionally provides integrity protection of some fields of the 11 12

Transport vs. tunnel mode Transport mode: add IPsec information between and rest of packet Transport vs. tunnel mode Tunnel mode: keep original IP packet intact; add new header information Most logical when IPsec used end-to-end (gateway) IPSec header (real dest) TCP/UDP header + data (real dest) IPSec header TCP/UDP header + data Can be used when IPSec is applied at intermediate point along path (e.g., for firewall-to-firewall traffic) E.g., change source/destination info Results in slightly longer packet 13 14 Tunnel mode illustration More on AH AH provides integrity protection on header Implements IPSec Implements IPSec But some fields change en route! Only immutable fields are included in the integrity check Mutable but predictable fields are also included in the integrity check E.g., payload length The final value of the field is used 15 16

More on AH vs. ESP Recall that ESP provides encryption and/or authentication So why do we need AH? AH also protects the Export restrictions Firewalls need some high-level data to be unencrypted None of these are compelling The future of IPsec? In the long run, it seems that AH will become obsolete Better to encrypt everything anyway No real need for AH Certain performance disadvantages AH is complex Etc. IPsec is still evolving 17 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information