IP Security: What's IP Security (IPsec)


IP Security (CSCI 454/554)

What's IP Security (IPsec)
- IETF standard for network layer security
  - Layer-3 security protocol for IP
- Three related things
  - IPsec data protocols: IP protocol numbers 51 (AH) and 50 (ESP)
  - Key management protocol: IKE/ISAKMP
  - Configuration languages, GUIs and management software (still missing)

IPsec Does
- Provides
  - Authentication
  - Confidentiality
  - Integrity
  - Key management
- Applicable to use over LANs, across public & private WANs, & for the Internet

Layer-3 Security
- Network layer is the choke-point in the network stack
  - Hourglass figure
- Putting security in the network layer allows both higher- and lower-layer protocols to use it

Benefits of IPsec
- Link encryption becomes almost obsolete
- Any network node can be a security endpoint
  - end-to-end, end-to-edge, edge-to-edge (VPN)
- Applications can be written without explicit support for communication security
  - Code economy (transparent to applications)
  - Decouples security policy management from application management

IPsec Documents
- specification is quite complex
- defined in numerous RFCs
  - RFC 2401: overview of architecture
  - RFC 2402: packet authentication (AH)
  - RFC 2406: packet encryption (ESP)
  - RFC 2408: key management
  - many others, grouped by category

IPSec Services

Security Associations
- a one-way relationship between sender & receiver that affords security services for IP traffic
- defined by 3 parameters:
  - Security Parameters Index (SPI)
  - IP Destination Address
  - Security Protocol Identifier
- has a number of other parameters
  - seq no, AH & ESP info, lifetime etc
- have a table (database) of Security Associations

Figure 20.2: IPsec Architecture (diagram; labels: IKEv2 key exchange, IKE SA, Security policy database (SPD), Security association database (SAD), IPsec SA pair, ESP protects data)

Security Association Database (SAD)
- Defines the parameters associated with each SA
- Uses the following parameters in a SAD entry:
  - Security parameter index
  - Sequence number counter
  - Sequence counter overflow
  - Anti-replay window
  - AH information
  - ESP information
  - Lifetime of this security association

Security Policy Database (SPD)
- The means by which IP traffic is related to specific SAs
  - Contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic
  - Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors
  - These are used to filter outgoing traffic in order to map it into a particular SA

Authentication Header (AH)
- provides support for data integrity & authentication of the IP packet header
  - detects modification of packet contents
  - prevents address spoofing attacks
  - counters replay attacks by tracking sequence numbers
- based on the use of HMAC
  - HMAC-MD5-96 or HMAC-SHA-1-96
- parties must share a secret key
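The AH receive path described above, as an added Python example (not code from the slides): the receiver recomputes the HMAC-SHA-1-96 ICV with the shared key and checks the sequence number against the SAD's anti-replay window before accepting a packet. The key, SPI, window size and packets are constructed, and the zeroing of mutable IP-header fields that real AH performs is left out.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: SHA-1 HMAC output truncated to 96 bits

def ah_icv(key, spi, seq, payload, next_hdr=4):
    # AH header per RFC 2402: next header, payload length (32-bit words - 2),
    # reserved, SPI, sequence number, then the ICV field zeroed for the MAC.
    # Here `payload` stands for everything the MAC covers after the AH header.
    ah_hdr = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + bytes(ICV_LEN)
    return hmac.new(key, ah_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]

class InboundSA:
    """SAD entry fields the receiver needs: SPI, AH key, anti-replay window."""
    def __init__(self, spi, key, window=64):
        self.spi, self.key, self.window = spi, key, window
        self.highest = 0    # highest sequence number accepted so far
        self.seen = set()   # accepted sequence numbers still inside the window

    def accept(self, seq, icv, payload):
        # 1. anti-replay: reject seq 0, duplicates, and anything older than the window
        if seq == 0 or seq in self.seen or seq + self.window <= self.highest:
            return False
        # 2. integrity: constant-time compare against the recomputed ICV
        if not hmac.compare_digest(icv, ah_icv(self.key, self.spi, seq, payload)):
            return False
        # 3. only an authenticated packet advances the window, so a forged
        #    packet cannot make the receiver drop the genuine one later
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}
        return True

def demo():
    # Constructed packets against one SA; returns the accept/reject decisions.
    key, spi = b"constructed-shared-secret", 0x1000
    sa = InboundSA(spi, key)
    def pkt(seq, data):
        return seq, ah_icv(key, spi, seq, data), data
    seq3, icv3, _ = pkt(3, b"data")
    return [
        sa.accept(*pkt(1, b"hello")),      # True
        sa.accept(*pkt(2, b"world")),      # True
        sa.accept(*pkt(2, b"world")),      # False: replayed
        sa.accept(seq3, icv3, b"dat4"),    # False: payload modified in transit
        sa.accept(*pkt(3, b"data")),       # True: genuine seq 3 still accepted
        sa.accept(*pkt(200, b"late")),     # True: window slides to 137..200
        sa.accept(*pkt(100, b"old")),      # False: below the window
    ]
```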

Encapsulating Security Payload (ESP)
- provides message content confidentiality & limited traffic flow confidentiality
- can optionally provide the same authentication services as AH, but covers only the IP payload
- supports a range of ciphers, modes, padding
  - DES, Triple-DES, RC5, etc
  - CBC most common
  - pad to meet block size, and for traffic flow confidentiality

Transport & Tunnel Modes
- Both AH and ESP support two modes of use
  - transport and tunnel mode
- Transport mode
  - protection primarily for the IP payload (upper-layer protocols)
- Tunnel mode
  - protection covers the entire IP packet
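ESP's padding rules, as an added Python example rather than code from the slides: the plaintext is padded so that payload, Padding, Pad Length and Next Header fill whole cipher blocks, using the RFC 2406 default padding bytes 1, 2, 3, ..., with optional extra padding for traffic flow confidentiality. The block size and payloads are constructed.

```python
def esp_pad(payload, next_hdr, block=8, tfc_extra=0):
    """Build the ESP plaintext: Payload | Padding | Pad Length | Next Header.

    `block` is the cipher block size (8 for DES/3DES CBC as on the slide);
    `tfc_extra` adds padding beyond what alignment needs, hiding the true
    payload length (ESP's limited traffic flow confidentiality).
    """
    pad_len = (-(len(payload) + 2 + tfc_extra)) % block + tfc_extra
    if pad_len > 255:
        raise ValueError("Pad Length is a one-byte field")
    padding = bytes(range(1, pad_len + 1))   # RFC 2406 default: 1, 2, 3, ...
    return payload + padding + bytes([pad_len, next_hdr])

def esp_unpad(plaintext, block=8):
    """Receiver side: check alignment and padding bytes, strip the trailer."""
    if len(plaintext) < 2 or len(plaintext) % block:
        raise ValueError("plaintext not aligned to the cipher block size")
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("Pad Length exceeds plaintext")
    if plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not follow the default sequence")
    return plaintext[:-2 - pad_len], next_hdr
```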

Transport mode in AH (figure)

Tunnel mode in AH (figure)

Authentication Header AH (bigger scope) (figure)

Transport & Tunnel Modes in Authentication (figure)

Transport mode in ESP (figure)

Tunnel Mode in ESP (figure)

ESP Format (figure)

ESP Format (bigger scope) (figure)

Transport Mode Encryption (figure)

Tunnel Mode Encryption (figure)

Transport vs Tunnel Mode ESP
- transport mode is used to encrypt & optionally authenticate IP data
  - data protected but header left in clear
  - good for ESP host-to-host traffic (end-to-end)
- tunnel mode encrypts the entire IP packet
  - adds a new header for the next hop
  - good for VPNs, gateway-to-gateway security (edge-to-edge)

Combining Security Associations
- an SA can implement either AH or ESP but not both
- to implement both, SAs need to be combined
  - to form a security association bundle
- security association bundle
  - Transport adjacency (no tunnelling)
  - Iterated tunnelling (multi-level nesting)

Combining SAs (Cont'd)
- Transport adjacency (two bundled transport SAs)
  - Inner ESP transport SA, outer AH transport SA
- Transport-Tunnel Bundle
  - Inner AH transport SA, outer ESP tunnel SA

Combining Security Associations (figure)

Key Management
- handles key generation & distribution
- typically need 2 pairs of session keys
  - 2 per direction for AH & ESP
- automated key management
  - automated system for on-demand creation of keys for SAs in large systems
  - ISAKMP and IKE (Oakley)

ISAKMP
- Internet Security Association and Key Management Protocol
- only provides a framework for key management
- defines procedures and packet formats to establish, negotiate, modify, & delete SAs
- independent of key exchange protocol, encryption algorithm, & authentication method

Internet Key Exchange (IKE)
- Default key management protocol
- Re-synchronizes the two ends of an IPsec SA
  - Authenticate endpoints
  - Choose cryptographic keys
  - Reset sequence numbers to zero
- IKE is based on Oakley and uses ISAKMP syntax
  - IKE implements a subset of the Oakley protocol
  - borrows its fast rekeying technique from SKEME

Oakley
- a key exchange protocol that preceded IKE
- based on Diffie-Hellman key exchange
- adds features to address weaknesses
  - Cookies
  - groups (global parameters of the DH key exchange)
  - nonces
  - DH key exchange with authentication

Conceptual IKE
- Diffie-Hellman for perfect forward security
- Signed D-H to avoid man-in-the-middle attack
- Cookies for DoS protection

Perfect Forward Security
- Two parties communicating use different session keys at different time periods
- Imagine an adversary who
  - records all communication between Alice and Bob
  - is able to break into Alice's (or Bob's) computer and obtain all of her secrets at some point
- PFS is achieved if he cannot decrypt messages that occurred before the latest session change

Diffie-Hellman (figure)

Man in the Middle (figure)

Signed D-H Exchange (figure)

But if already have RSA (figure)

IKE Phases
- Two phases
- Phase 1: expensive mutual authentication (based on public keys), establishes an ISAKMP SA (or IKE SA)
  - Aggressive mode (three messages in IKEv1)
  - Main mode (six messages in IKEv1)
- Phase 2: leverages the phase 1 SA to create AH or ESP SAs.
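The Conceptual IKE ideas from the slides above (ephemeral Diffie-Hellman for perfect forward security, authenticated D-H values so a man in the middle cannot substitute its own, and a stateless cookie for DoS protection), as one added Python example that is not code from the slides. It assumes a toy DH group and uses a pre-shared-key MAC in place of the RSA signature; nonces, addresses and keys are constructed.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration: real IKE negotiates one of the
# Oakley "groups" (large MODP primes). 2**255 - 19 is prime and keeps values short.
P, G = 2**255 - 19, 2

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2   # ephemeral private value; discarded after use (PFS)
    return x, pow(G, x, P)

def auth_tag(auth_key, ident, pub, nonce):
    # Binds identity, DH public value and nonce under the long-term key. A
    # pre-shared key (one of IKE's authentication methods) stands in for the
    # RSA signature of "signed D-H" so the example needs only the stdlib.
    msg = ident.encode() + pub.to_bytes(32, "big") + nonce
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def make_cookie(responder_secret, initiator_addr, initiator_nonce):
    # Oakley-style stateless cookie: the responder stores nothing until the
    # initiator echoes this value back, so spoofed-source floods cost it no state.
    data = initiator_addr.encode() + initiator_nonce
    return hmac.new(responder_secret, data, hashlib.sha256).digest()[:8]

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def signed_dh(auth_key, substitute_initiator_value=False):
    """One authenticated D-H round. Returns (accepted, key_initiator, key_responder)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    tag_i = auth_tag(auth_key, "initiator", gi, ni)          # over the genuine g^xi
    # An active attacker can replace g^xi on the wire but cannot forge tag_i
    gi_seen = dh_keypair()[1] if substitute_initiator_value else gi
    if not hmac.compare_digest(tag_i, auth_tag(auth_key, "initiator", gi_seen, ni)):
        return False, None, None                               # responder rejects
    tag_r = auth_tag(auth_key, "responder", gr, nr)
    if not hmac.compare_digest(tag_r, auth_tag(auth_key, "responder", gr, nr)):
        return False, None, None                               # initiator rejects
    return True, session_key(xi, gr), session_key(xr, gi_seen)
```

Each call draws fresh ephemeral values, so two successful runs yield different session keys and a later compromise of the pre-shared key does not reveal earlier ones.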

Summary
- have considered:
  - IPSec security framework
  - AH
  - ESP
  - key management (ISAKMP & IKE)