IPsec: Security Across the Protocol Stack. Brad Stephenson CSCI NetProg

Similar documents
IP Security. Ola Flygt Växjö University, Sweden

Protocol Security Where?

Securing IP Networks with Implementation of IPv6

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Security Engineering Part III Network Security. Security Protocols (II): IPsec

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

21.4 Network Address Translation (NAT) NAT concept

Network Security. Lecture 3

Virtual Private Networks

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Chapter 32 Internet Security

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

IPv6 Security: How is the Client Secured?

Network Security Part II: Standards

Chapter 9. IP Secure

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

CS 4803 Computer and Network Security

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

CS549: Cryptography and Network Security

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

IPsec Details 1 / 43. IPsec Details

Chapter 10. Network Security

Internetwork Security

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Lecture 10: Communications Security

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Cryptography and Network Security IPSEC

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Using IPSec in Windows 2000 and XP, Part 2

Lecture 17 - Network Security

Introduction to Security and PIX Firewall

Cisco Which VPN Solution is Right for You?

Laboratory Exercises V: IP Security Protocol (IPSec)

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Introduction to Computer Security

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Chapter 7 Transport-Level Security

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Security vulnerabilities in the Internet and possible solutions

z/os Firewall Technology Overview

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Virtual Private Networks: IPSec vs. SSL

Introduction to Computer Security

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Network Access Security. Lesson 10

IT Networks & Security CERT Luncheon Series: Cryptography

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

CCNA Security 1.1 Instructional Resource

This section provides a summary of using network location profiles to identify network connection types. Details include:

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Insecure network services

Overview. Protocols. VPN and Firewalls

Network Security Fundamentals

IP SECURITY (IPSEC) PROTOCOLS

Dr. Arjan Durresi. Baton Rouge, LA These slides are available at:

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

CS 494/594 Computer and Network Security

Securing an IP SAN. Application Brief

Remote user access VPN with IPsec

Michal Ludvig, SUSE Labs, 01/30/2004, Secure networking, 1

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Implementing and Managing Security for Network Communications

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

Gerardo L. Ahuatzin Sánchez Desarrollo de un esquema de traducción de direcciones IPv6-IPv4-IPv6. Anexo A. RFC s

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

MINI-FAQ: OpenBSD 2.4 IPSEC VPN Configuration

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Cryptography and network security CNET4523

CRYPTOG NETWORK SECURITY

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Chapter 5: Network Layer Security

MPLS VPN in Cellular Mobile IPv6 Architectures(04##017)

VPN. Date: 4/15/2004 By: Heena Patel

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Creating a Gateway to Gateway VPN between Sidewinder G2 and Linux

Secure Sockets Layer

Internet Protocol Security IPSec

T Cryptography and Data Security

NETWORK SECURITY (W/LAB) Course Syllabus

OVERVIEW OF TYPICAL WINDOWS SERVER ROLES

Executive Summary and Purpose

Security Technology: Firewalls and VPNs

Computer and Network Security Exercise no. 4

Introduction to Network Security. 1. Introduction. And People Eager to Take Advantage of the Vulnerabilities

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

High Performance VPN Solutions Over Satellite Networks

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Transcription:

IPsec: Security Across the Protocol Stack Brad Stephenson CSCI NetProg

Network Security There are application specific security mechanisms (eg. S/MIME, PGP, Kerberos, SSL/HTTPS) But there are security concerns that cut across protocol layers Can we implement security in the network for all applications?

What is IPsec? A collection of tools and algorithms (protocols) General IP security mechanisms It provides authentication confidentiality key management

Services Provided by IPsec Authentication ensure the identity of an entity Confidentiality protection of data from unauthorized disclosure Key Management generation, exchange, storage, safeguarding, etc. of keys in a public key cryptosystem

IPsec Services (detailed) Access control Connectionless integrity Data origin authentication Rejection of replayed packets Confidentiality (via encryption) Some traffic flow confidentiality (firewall to firewall)

Benefits of IPsec If implemented in a firewall or router, provides strong security to all traffic crossing the perimeter Resides below the transport layer, hence transparent to application layer Can be transparent to end users Note: Mandatory for IPv6 implementations

AH and ESP Authentication Header (AH) provides: Data integrity Authentication of IP packets Prevents replay attacks Encapsulating Security Payload (ESP): Data confidentiality Some traffic flow confidentiality Authentication services of AH (optional)

Authentication Header (AH) Provides support for data integrity & authentication of IP packets end system/router can authenticate user/app prevents address spoofing attacks by tracking sequence numbers Based on use of a MAC HMAC-MD5-96 or HMAC-SHA-1-96 Parties must share a secret key

Authentication Header Figure 32.1, D. Comer Figure 16-3, W. Stallings

Encapsulating Security Payload (ESP) Provides message content confidentiality & limited traffic flow confidentiality Can optionally provide the same authentication services as AH Supports many ciphers, modes, padding DES, Triple-DES, RC5, IDEA, CAST, others

Encapsulating Security Payload Figure 32.3, D. Comer Figure 16-7, W. Stallings

Security Associations (SAs) A one-way relationship between sender & receiver that affords security for traffic flow Defined by 3 parameters: Security Parameters Index (local identifier) IP Destination Address Security Protocol Identifier (AH or ESP) Each implementation of IPsec must keep a database of SAs

Combining Security Associations SAs can implement either AH or ESP To implement both need to combine SAs into a security bundle

Combining Security Associations * = Implements IPsec Figure 16-10, W. Stallings

Transport vs. Tunnel Mode Transport mode data protected but header left in clear can do traffic analysis but is efficient good for ESP host to host traffic Tunnel mode add new header for next hop hides end-host IP addresses through insecure networks good for VPNs, gateway to gateway security

Transport & Tunnel Modes Figure 16-8, W. Stallings

So you wanna try it? Implemented in OS kernel Non-trivial to understand

So you wanna try it? Linux racoon openswan (openswan.org) Free S/WAN (freeswan.org) Unix man ipsec Windows mmc (Microsoft Management Console)

Linux Must specify a security policy in kernel Who do you trust? racoon Key management daemon Free S/WAN IPsec implementation for Linux openswan Another IPsec implementation for Linux

Unix IPsec policy is enforced in the ip(7p) driver for system-wide policy Use ndd to alter /dev/ip at the system level Or specify per-socket options

Unix Socket Options #include <sys/socket.h> #include <netinet/in.h> #include <net/pfkeyv2.h> /*... socket setup */ rc = setsockopt(sock, IPPROTO_IP, IP_SEC_OPT, (const char *)&ipsec_req, sizeof (ipsec_req_t));

ipsec_req typedef struct ipsec_req { uint_t ipsr_ah_req; /* AH request */ uint_t ipsr_esp_req; /* ESP request */ uint_t ipsr_self_encap_req; /* Self-Encap request */ uint8_t ipsr_auth_alg; /* Auth algs for AH */ uint8_t ipsr_esp_alg; /* Encr algs for ESP */ uint8_t ipsr_esp_auth_alg; /* Auth algs for ESP */ } ipsec_req_t;

Windows XP Type mmc at a command line Add snap-in IPsec Policy Edit the policy as you see fit

Summary IPsec is a collection of protocols that provide low-level network security Last specification was in 1998, currently being revised as Internet Draft Required for IPv6 Currently the most popular use is for implementing VPNs

References RFC 2401 Security Architecture for the Internet Protocol Internet Draft, Dec 2004, Security Architecture for the Internet Protocol Cryptography and Network Security, W. Stallings, Chap. 16 IP Security Internetworking with TCP/IP Vol. 1, D. Comer, Chap. 32 Internet Security

ERROR: undefined OFFENDING COMMAND: STACK:

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information