CSE543 Computer and Network Security Module: Network Security

Similar documents
Lecture 17 - Network Security

Chapter 17. Transport-Level Security

Protocol Security Where?

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Chapter 7 Transport-Level Security

CSC574: Computer and Network Security Module: Network Security

Introduction to Security and PIX Firewall

Virtual Private Networks

z/os Firewall Technology Overview

Secure Sockets Layer

CS 4803 Computer and Network Security

21.4 Network Address Translation (NAT) NAT concept

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Chapter 10. Network Security

Introduction to Computer Security

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

ETSF10 Part 3 Lect 2

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Laboratory Exercises V: IP Security Protocol (IPSec)

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

VPN. Date: 4/15/2004 By: Heena Patel

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Computer Networks. Secure Systems

Introduction to Computer Security

Chapter 32 Internet Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Network Security Part II: Standards

Network Security Essentials Chapter 5

Network Access Security. Lesson 10

How To Understand And Understand The Security Of A Key Infrastructure

ReadyNAS Remote White Paper. NETGEAR May 2010

IPsec Details 1 / 43. IPsec Details

CCNA Security 1.1 Instructional Resource

Network Security Fundamentals

Cornerstones of Security

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Web Security Considerations

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Lecture 10: Communications Security

CTS2134 Introduction to Networking. Module Network Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

IPv6 Security: How is the Client Secured?

Insecure network services

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Security vulnerabilities in the Internet and possible solutions

Network Security. Lecture 3

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere

Cleaning Encrypted Traffic

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Case Study for Layer 3 Authentication and Encryption

Transport Level Security

Linux Web Based VPN Connectivity Details and Instructions

OS/390 Firewall Technology Overview

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

IP Security. Ola Flygt Växjö University, Sweden

Securing an IP SAN. Application Brief

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Communication Security for Applications

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Security Protocols/Standards

The Secure Sockets Layer (SSL)

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Keying Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1

Implementing Cisco IOS Network Security

Exam Questions SY0-401

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Application Note: Onsight Device VPN Configuration V1.1

Internet Privacy Options

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Campus VPN. Version 1.0 September 22, 2008

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Firewalls, Tunnels, and Network Intrusion Detection

High Performance VPN Solutions Over Satellite Networks

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Windows Web Based VPN Connectivity Details & Instructions

Networked AV Systems Pretest

Michal Ludvig, SUSE Labs, 01/30/2004, Secure networking, 1

Executive Summary and Purpose

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Transcription:

CSE543 Computer and Network Security Module: Network Security Professor Trent Jaeger 1

Communication Security Want to establish a secure channel to remote hosts over an untrusted network Users - when logging in to a remote host Applications - when communicating across network Hosts - when logically part of the same network The protection service must Authenticate the end-points (each other) Negotiate what security is necessary (and how achieved) Establish a secure channel (e.g., key distribution/agreement) Process the traffic between the end points Also known as communications security. 2

Users Communications Security Login to a host over an untrusted network Using unauthenticated login - telnet, rsh - up to this point Problems How does user authenticate host? How does host authenticate user? 3

SSH Secure communication protocol Between user s client and remote machine (server) Used to implement remote login Runs on any transport layer (TCP/IP) Setup Authentication agent on client To produce and process messages on behalf of the user SSH Server To handle user logins to that host Forward X and TCP communications Remote machine use approximates local 4

SSH Protocol (1) Client opens connection to server (2) Server responds with its host key and server key Public keys identifying server and enabling communication (3) Client generates random number and encrypts with host and server keys (4) Server extracts random number (key) and can use Server is authenticated (5) Server authenticates user Password and RSA authentication (6) Preparatory phase To setup TCP/IP, X11 forwarding, etc. (7) Interactive session phase 5

SSHv2 Protocol A number of improvements were made to the SSHv2 protocol (see Section 5) Flexible use of crypto - more algorithms Performance - 1.5 round trips on average Prevent eavesdropping - encrypt all SSH traffic Prevent IP spoofing - always validates server identity Prevent hijacking - integrity checking using HMAC Not backwards compatible with SSHv1 6

Application Comm Security Applications may want to construct secure communication channels transparently to users How can they do that? 7

Application (Web) Security: SSL Secure socket Layer (SSL/TLS) Used to authenticate servers Uses certificates, root CAs Can authenticate clients Inclusive security protocol Security at the socket layer Transport Layer Security (TLS) Provides authentication confidentiality integrity HTTP SSL TCP IP CMPSC443 - Introduction to Computer and Network Security 8

SSL Handshake (1) Client Hello (algorithms, ) Client (2) Server Hello (alg. selection, ) (3) Server Certificate (4) ClientKeyRequest (5) ChangeCipherSuite (6) ChangeCipherSuite (7) Finished (8) Finished Server CMPSC443 - Introduction to Computer and Network Security 9

Simplified Protocol Detail Participants: Alice/A (client) and Bob/B (server) Crypto Elements : Random R, Certificate C, k + i Public Key (of i) Crypto Functions : Hash function H(x), Encryption E(k, d), Decryption D(k, d), Keyed MAC HMAC(k, d) 1. Alice! Bob R A 2. Bob! Alice R B, C B Alice pick pre-master secret S Alice calculate master secret K = H(S, R A, R B ) 3. Alice! Bob E(k + B, S), HMAC(K,0 CLNT 0 + [#1, #2]) Bob recover pre-master secret S = D(k B, E(k + B, S)) Bob calculate master secret K = H(S, R A, R B ) 4. Bob! Alice HMAC(K, 0 SRV R 0 + [#1, #2]) Note: Alice and Bob : IV Keys, Encryption Keys, and Integrity Keys 6 keys,where each key k i = g i (K, R A, R B ), and g i is key generator function. CMPSC443 - Introduction to Computer and Network Security 10

SSL Tradeoffs Pros Server authentication* GUI clues for users Built into every browser Easy to configure on the server Protocol has been analyzed like crazy Cons Users don t check certificates Too easy to obtain certificates Too many roots in the browsers Some settings are terrible CMPSC443 - Introduction to Computer and Network Security 11

IPsec (not IPSec!) Host-level protection service IP-layer security (below TCP/UDP) De-facto standard for host level security Developed by the IETF (over many years) Available in most operating systems/devices E.g., XP, Vista, OS X, Linux, BSD*, Implements a wide range of protocols and cryptographic algorithms Selectively provides. Confidentiality, integrity, authenticity, replay protection, DOS protection 12

IPsec and the IP protocol stack IPsec puts the two main protocols in between IP and the other protocols AH - authentication header ESP - encapsulating security payload Other functions provided by external protocols and architectures HTTP TCP AH FTP IP SMTP UDP ESP 13

Modes of operation Transport : the payload is encrypted and the nonmutable fields are integrity verified (via MAC) MACed encrypted Header Payload Header Payload Tunnel : each packet is completely encapsulated (encrypted) in an outer IP packet Hides not only data, but some routing information MACed encrypted Header Payload Header Header Payload 14

Tunneling IP over IP Network-level packets are encapsulated Allows traffic to avoid firewalls IP layer IP layer 15

Authentication Header (AH) Authenticity and integrity via HMAC over IP headers and data Advantage: the authenticity of data and IP header information is protected it gets a little complicated with mutable fields, which are supposed to be altered by network as packet traverses the network some fields are immutable, and are protected Confidentiality of data is not preserved Replay protection via AH sequence numbers note that this replicates some features of TCP (good?) 16

Authentication Header (AH) Modifications to the packet format IP Header Payload IP Header AH Header MAC Payload AH Packet Authenticated Encrypted 17

Encapsulating Security Payload (ESP) Confidentiality, authenticity and integrity via encryption and HMAC over IP payload (data) Advantage: the security manipulations are done solely on user data TCP packet is fully secured simplifies processing Use null encryption to get authenticity/integrity only Note that the TCP ports are hidden when encrypted good: better security, less is known about traffic bad: impossible for FW to filter/traffic based on port 18

Encapsulating Security Payload (ESP) Modifications to packet format IP Header Payload IP Header ESP Header Payload ESP Trailer MAC ESP Packet Authenticated Encrypted 19

Practical Issues and Limitations IPsec implementations Large footprint resource poor devices are in trouble New standards to simplify (e.g, JFK, IKE2) Slow to adopt new technologies Configuration is really complicated/obscure Issues IPsec tries to be everything for everybody at all times Massive, complicated, and unwieldy Policy infrastructure has not emerged Large-scale management tools are limited (e.g., CISCO) Often not used securely (common pre-shared keys) 20

Network Isolation: VPNs Idea: I want to create a collection of hosts that operate in a coordinated way E.g., a virtual security perimeter over physical network Hosts work as if they are isolated from malicious hosts Solution: Virtual Private Networks Create virtual network topology over physical network Use communications security protocol suites to secure virtual links tunneling Manage networks as if they are physically separate Hosts can route traffic to regular networks (split-tunneling) 21

VPN Example: RW/Telecommuter (network edge) Internet LAN Physical Link Logical Link (IPsec) 22

VPN Example: Hub and Spoke (network edge) Internet LAN Physical Link Logical Link (IPsec) 23

VPN Example: Mesh (network edge) Internet LAN Physical Link Logical Link (IPsec) 24

Virtual LANs (VLANs) VPNs built with hardware Physically wire VPN via soft configuration of a switch crossbar No encryption none needed wire based isolation Many switches support VLANs Allows networks to be reorganized without rewiring Example usage: two departments in same hallway Each office is associated with department Configuring the network switch gives physical isolation Note: often used to ensure QoS A B C D E A B C D E VLAN 1: A,B VLAN 2: C,D,E 25

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information