Introduction to Computer Security


Introduction to Computer Security
Network Security
Pavel Laskov
Wilhelm Schickard Institute for Computer Science

Circuit switching vs. packet switching

OSI and TCP/IP layered models

TCP/IP encapsulation

TCP connection synchronization

Initial handshake (Host A, Host B):
  A: send SYN, seq=x
  B: receive SYN; send SYN, seq=y, ACK x+1
  A: receive SYN+ACK; send ACK y+1
  B: receive ACK
  ... data transmission ...

Termination:
  A: send FIN, seq=x
  B: receive FIN; send ACK x+1
  A: receive ACK
  B: send FIN, seq=y, ACK x+1
  A: receive FIN+ACK; send ACK y+1
  B: receive ACK

What can go wrong: TCP session hijacking

[Figure: a TCP data exchange between two hosts; each segment carries its sequence number, the PSH/ACK number and, in parentheses, the payload length]
  Seq: x      PSH/ACK: y      (60)
  Seq: y      PSH/ACK: x+60   (20)
  Seq: x+60   PSH/ACK: y+20   (30)
  Seq: y+20   PSH/ACK: x+90   (20)
  Seq: x+90   PSH/ACK: y+40   (30)
  Seq: y+40   PSH/ACK: x+120  (20)

Example: SYN flood

[Figure: normal TCP handshake (left) versus SYN flood (right)]
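The SYN flood works because a classic server commits memory for every SYN it answers, and the attacker never sends the final ACK. SYN cookies remove that commitment by encoding the handshake state in the server's initial sequence number and checking it when the ACK arrives. The model below is an added example, not code from the lecture: addresses, ports and time slots are constructed, and the cookie layout is a simplification of what real kernels use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed per-process secret; a real kernel rotates this and mixes in time.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Segment:
    src: tuple
    dst: tuple
    flags: str      # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


def syn_cookie(client, server, client_isn, t, secret=SERVER_SECRET):
    """Server ISN derived from the 4-tuple, the client's ISN, a coarse time
    slot and a secret. The server keeps no per-SYN state: the state is the
    cookie itself, which comes back in the client's final ACK."""
    msg = f"{client}|{server}|{client_isn}|{t}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    # 32-bit ISN: top 8 bits carry the time slot, low 24 bits the MAC.
    return ((t & 0xFF) << 24) | int.from_bytes(tag[:3], "big")


def ack_valid(client, server, ack, client_isn, now, max_age=2, secret=SERVER_SECRET):
    """A handshake ACK is genuine only if ack-1 is a cookie we could have
    issued for this 4-tuple within the last max_age time slots."""
    server_isn = (ack - 1) & 0xFFFFFFFF
    slot = server_isn >> 24
    for age in range(max_age + 1):
        t = now - age
        if (t & 0xFF) == slot and syn_cookie(client, server, client_isn, t, secret) == server_isn:
            return True
    return False


@dataclass
class StatelessServer:
    """Server using SYN cookies: a SYN allocates nothing, so a flood of
    spoofed SYNs cannot exhaust a half-open connection table."""
    addr: tuple
    established: list = field(default_factory=list)

    def handle(self, seg, now):
        if seg.flags == "SYN":
            isn = syn_cookie(seg.src, self.addr, seg.seq, now)
            return Segment(self.addr, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK":
            client_isn = seg.seq - 1   # the client's ACK carries seq = x+1
            if ack_valid(seg.src, self.addr, seg.ack, client_isn, now):
                self.established.append((seg.src, seg.seq, seg.ack))
                return "ESTABLISHED"
            return "DROP"
        return "IGNORE"


@dataclass
class StatefulServer:
    """Classic server: every SYN occupies a half-open slot until the ACK
    arrives or a timer fires. This is the table a SYN flood exhausts."""
    addr: tuple
    backlog: int = 128
    half_open: dict = field(default_factory=dict)

    def handle(self, seg, now):
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                return "DROP"           # backlog full: legitimate clients are locked out
            isn = secrets.randbelow(1 << 32)
            self.half_open[seg.src] = isn
            return Segment(self.addr, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        return "IGNORE"


def simulate_syn_flood(server, n):
    """Send n SYNs from constructed sources that never complete the handshake;
    return how much half-open state the server holds afterwards."""
    for i in range(n):
        src = (f"192.0.2.{i % 256}", 1024 + i)   # constructed spoofed sources
        server.handle(Segment(src, server.addr, "SYN", seq=i), now=100)
    return len(getattr(server, "half_open", {}))


def full_handshake(server, client=("198.51.100.7", 40000), now=100):
    """Legitimate client completing the three-way handshake against a
    SYN-cookie server one time slot after its SYN."""
    syn = Segment(client, server.addr, "SYN", seq=1000)
    synack = server.handle(syn, now)
    ack = Segment(client, server.addr, "ACK", seq=1001, ack=(synack.seq + 1) & 0xFFFFFFFF)
    return server.handle(ack, now + 1)
```

Running `simulate_syn_flood` against both server types shows the difference the slide's figure is about: the stateful server's table fills to its backlog and starts dropping SYNs, while the cookie server holds no half-open state at all and still completes a genuine handshake.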

Placement of security instruments
  - Network layer
  - Transport layer
  - Application layer

IP layer security: IPsec

Objectives:
  - secure connectivity of branch offices
  - secure remote access
Advantages:
  - bypass resistance
  - transparency to end users and applications
Disadvantages:
  - infrastructure support needed
  - performance degradation

IPsec services and protocols

AH: Authentication Header
ESP: Encapsulating Security Payload

| Service                        | AH  | ESP (encryption only) | ESP (encryption + auth.) |
|--------------------------------|-----|-----------------------|--------------------------|
| Access control                 | yes | yes                   | yes                      |
| Connectionless integrity       | yes |                       | yes                      |
| Data origin authentication     | yes |                       | yes                      |
| Replay protection              | yes | yes                   | yes                      |
| Confidentiality                |     | yes                   | yes                      |
| Traffic flow confidentiality   |     | yes                   | yes                      |

IPsec modes

Transport mode:
  - protection of packet payload
  - used for end-to-end communication
  - small performance overhead
Tunnel mode:
  - protection of entire packet (payload and headers)
  - communication between gateways
  - invisible to intermediate routers
  - considerable performance overhead

Transport mode vs. tunnel mode

[Text fragment carried over from the textbook the figure was taken from, beginning mid-sentence:] ...ration allows the hosts to avoid implementing the security capability. The former technique is supported by a transport mode SA, while the latter technique uses a tunnel mode SA. In this section, we look at the scope of ESP for the two modes. The considerations are somewhat different for IPv4 and IPv6. We use the packet formats of Figure 8.8a as a starting point.

TRANSPORT MODE ESP. Transport mode ESP is used to encrypt and optionally authenticate the data carried by IP (e.g., a TCP segment), as shown in Figure 8.8b.

[Figure 8.7 Transport-Mode versus Tunnel-Mode Encryption:
 (a) Transport-level security: an encrypted TCP session between a host on an internal network and a host on an external network.
 (b) A virtual private network via tunnel mode: encrypted tunnels carrying IP traffic between corporate networks across the Internet.]

[Figure: AH service, scope of authentication.
 (a) Before applying AH:
     IPv4: orig IP hdr | TCP | Data
     IPv6: orig IP hdr | extension headers (if present) | TCP | Data
 (b) Transport mode:
     IPv4: orig IP hdr | AH | TCP | Data
           authenticated except for mutable fields
     IPv6: orig IP hdr | hop-by-hop, dest, routing, fragment | AH | dest | TCP | Data
           authenticated except for mutable fields
 (c) Tunnel mode:
     IPv4: new IP hdr | AH | orig IP hdr | TCP | Data
           authenticated except for mutable fields in the new IP header
     IPv6: new IP hdr | ext headers | AH | orig IP hdr | ext headers | TCP | Data
           authenticated except for mutable fields in the new IP header and its extension headers]

[Figure: ESP service, scope of encryption and authentication.
 (a) Transport mode:
     IPv4: orig IP hdr | ESP hdr | TCP | Data | ESP trlr | ESP auth
     IPv6: orig IP hdr | hop-by-hop, dest, routing, fragment | ESP hdr | dest | TCP | Data | ESP trlr | ESP auth
     encrypted: from TCP (IPv6: from the dest options header) through ESP trlr
     authenticated: from ESP hdr through ESP trlr
 (b) Tunnel mode:
     IPv4: new IP hdr | ESP hdr | orig IP hdr | TCP | Data | ESP trlr | ESP auth
     IPv6: new IP hdr | new ext headers | ESP hdr | orig IP hdr | orig ext headers | TCP | Data | ESP trlr | ESP auth
     encrypted: from orig IP hdr through ESP trlr
     authenticated: from ESP hdr through ESP trlr]
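The replay protection and data origin authentication listed in the IPsec services table are receive-side checks that this ESP layout makes possible: the sequence number sits in the cleartext ESP header, and the ICV (the "ESP auth" field) covers header and ciphertext. The following model is an added example, not code from the lecture or from any IPsec implementation. It builds transport-mode ESP packets with a constructed SPI and key and shows a receiver applying the RFC 4303 anti-replay window and the ICV check in the order the RFC gives (cheap window check first, window update only after the ICV verifies). Payload encryption is left out; the payload bytes stand in for ciphertext.

```python
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI (4 bytes) + sequence number (4 bytes)
ICV_LEN = 16                     # HMAC-SHA-256-128 as used by IPsec (RFC 4868)


def build_esp(spi, seq, ciphertext, auth_key):
    """Transport-mode ESP as in the figure: header | payload + trailer | ICV.
    The ICV is computed over everything except the ICV itself; the payload
    passed in is already 'encrypted' (constructed bytes in this example)."""
    authed = ESP_HDR.pack(spi, seq) + ciphertext
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return authed + icv


class EspReceiver:
    WINDOW = 64   # minimum anti-replay window size required by RFC 4303

    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key
        self.highest = 0    # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set => sequence number (highest - i) was accepted

    def _replay_check(self, seq):
        """Preliminary check against the sliding window; returns a drop reason
        or None. Does not modify the window."""
        if seq == 0:
            return "drop: sequence number 0 is never valid"
        if seq > self.highest:
            return None                      # new right edge, always acceptable
        diff = self.highest - seq
        if diff >= self.WINDOW:
            return "drop: older than window"
        if (self.bitmap >> diff) & 1:
            return "drop: replay"
        return None

    def _mark(self, seq):
        """Commit seq to the window, sliding it if seq is a new right edge."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet):
        if len(packet) < ESP_HDR.size + ICV_LEN:
            return "drop: truncated"
        spi, seq = ESP_HDR.unpack_from(packet)
        if spi != self.spi:
            return "drop: unknown SPI"
        reason = self._replay_check(seq)     # 1. cheap window check
        if reason:
            return reason
        authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # 2. integrity check value
            return "drop: bad ICV"
        self._mark(seq)                      # 3. update window only for authentic packets
        return "accept"
```

The ordering matters: a forged packet with a fresh sequence number must not advance the window, otherwise an attacker who cannot compute the ICV could still make the receiver discard the legitimate packet carrying that number.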

Transport layer security: SSL/TLS

Objectives:
  - secure information transmission in Internet applications
  - mutual authentication in Internet applications
Advantages:
  - secure end-to-end communication over TCP (not limited to HTTP)
Disadvantages:
  - PKI support needed
  - potential use of weak cryptographic algorithms (e.g. RC4)

SSL architecture

An SSL connection corresponds to a TCP connection. An SSL session represents an association between a client and a server. Sessions define parameters that can be shared between connections.

SSL Record Protocol

Carries out information transfer. Provides confidentiality and message integrity services.

SSL handshake protocol

Client                                    Server
  random number, crypto info      -->
                                  <--   random number, crypto info
                                  <--   server certificate
                                  <--   request client authentication
  extract server public key
  client certificate              -->
  hash over previous messages     -->
  random pre-master secret        -->   extract client public key
  calculate master secret                 calculate master secret
  switch to master secret         -->
  end handshake                   -->
                                  <--   switch to master secret
                                  <--   end handshake
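The two "calculate master secret" steps in the diagram are the same key derivation run on both sides from the same three inputs: the pre-master secret chosen by the client and the two random numbers exchanged in the hellos. The code below is an added example, not part of the lecture, and performs that derivation as TLS 1.2 with the RSA key exchange specifies it (RFC 5246, sections 5, 7.4.9 and 8.1): the PRF, the 48-byte master secret, the key block, and the Finished verify_data that the "hash over previous messages" feeds. Randoms, pre-master secret and transcript are constructed; the RSA transport of the pre-master secret is assumed to have happened.

```python
import hashlib
import hmac
import os
import struct
import time


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_hash (RFC 5246 s.5): A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) | HMAC(secret, A(2) + seed) | ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF with SHA-256: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length):
    """key_block = PRF(master_secret, "key expansion",
                       ServerHello.random + ClientHello.random).
    Note the reversed order of the randoms compared with the master secret."""
    return prf(master, b"key expansion", server_random + client_random, length)


def finished_verify_data(master, label, handshake_messages):
    """verify_data for the Finished message (RFC 5246 s.7.4.9): 12 bytes of
    PRF over the hash of all previous handshake messages."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master, label, transcript_hash, 12)


def hello_random():
    """ClientHello/ServerHello random: 4-byte gmt_unix_time + 28 random bytes."""
    return struct.pack("!I", int(time.time())) + os.urandom(28)


def simulate_rsa_handshake():
    """Both sides compute the master secret independently; if the server
    decrypted the pre-master secret correctly, the Finished messages verify."""
    client_random, server_random = hello_random(), hello_random()
    # ClientKeyExchange: {client_version, 46 random bytes}, RSA-encrypted to the server
    pre_master = b"\x03\x03" + os.urandom(46)
    client_master = master_secret(pre_master, client_random, server_random)
    server_master = master_secret(pre_master, client_random, server_random)  # after RSA decrypt
    transcript = b"constructed stand-in for the concatenated handshake messages"
    client_finished = finished_verify_data(client_master, b"client finished", transcript)
    server_check = finished_verify_data(server_master, b"client finished", transcript)
    return {
        "same_master": hmac.compare_digest(client_master, server_master),
        "master_len": len(client_master),
        "finished_ok": hmac.compare_digest(client_finished, server_check),
        "finished_len": len(client_finished),
    }
```

Because the transcript hash enters verify_data, a peer that saw a different sequence of handshake messages (for instance a downgraded cipher suite inserted in transit) ends up with a Finished value the other side rejects, which is what turns the "hash over previous messages" step into a defence against handshake tampering.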

Application layer security: SSH

Applications:
  - secure remote login
  - secure services (e.g. FTP, copy) over an insecure network
  - secure port forwarding
Advantages:
  - various authentication methods
  - a neat way to circumvent firewalls
Disadvantages:
  - point-to-point only
  - some security vulnerabilities

SSH architecture

[Figure: the client holds a known-hosts file of server host keys (H) and the user's key pair (U); the server holds its host key (H) and, per user account, the user's public key (U). The SSH connection is authenticated with the host key H and protected by a negotiated session key; over it run the interactive session, secure copy, port forwarding, ...]

SSH functionality
  - Remote login: username / password, public key
  - Remote command execution
  - Remote copying (rcp)
  - Secure ftp service (sftp)
  - Remote synchronization (rsync)
  - Port forwarding and tunneling
  - Secure file system mounting (sshfs)

SSH port forwarding

Syntax:
  Local forwarding:  ssh -L <lport>:<rhost>:<rport> username@host
  Remote forwarding: ssh -R <port>:<lhost>:<lport> username@host

SSH port forwarding: examples

IMAP requests to an internal IMAP server:
  ssh -L 8143:exchange.first.fraunhofer.de:993 laskov@vnc00.first.fraunhofer.de
Sending mail over an internal server:
  ssh -L 8025:smtpserv.uni-tuebingen.de:25 laskov@smb1.cs.uni-tuebingen.de
Browsing with an external IP address:
  ssh -L 8081:proxy0.first.fraunhofer.de:3128 -L 8080:proxy0.first.fraunhofer.de:3128 laskov@vnc00.first.fraunhofer.de
External SSH access bypassing a firewall:
  ssh -R 22:montreal.cs.uni-tuebingen.de:22 laskov@sshgw.cs.uni-tuebingen.de
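Every one of these examples depends on the sshd at the far end permitting forwarding, which is also why the "circumvent firewalls" point is a concern for whoever operates the gateway host: the perimeter policy is only as strict as that daemon's configuration. The audit script below is an added example, not from the lecture or from OpenSSH. It parses a constructed sshd_config and reports which forwarding-related directives are left permissive. The directive names and defaults are the real ones documented in sshd_config(5); the two sample configurations are constructed.

```python
# OpenSSH defaults for the forwarding-related directives (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",    # governs both -L and -R
    "gatewayports": "no",           # whether -R listeners may bind non-loopback addresses
    "allowagentforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",           # layer 2/3 tun(4) forwarding
}

# What a gateway that must not act as a general relay would set.
RECOMMENDED = {key: "no" for key in DEFAULTS}

SAMPLE_CONFIG = """\
# constructed sample: gateway left with default forwarding behaviour
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding no
Match User backup
    AllowTcpForwarding no
"""

HARDENED_CONFIG = """\
# constructed sample: forwarding switched off
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
"""


def parse_sshd_config(text):
    """Effective global directives of an sshd_config. sshd honours the first
    occurrence of each directive; everything after the first Match line is
    conditional and is not part of the global section, so parsing stops
    there. Keywords are case-insensitive; 'Key value' and 'Key=value' are
    both accepted."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)         # first occurrence wins
    return effective


def audit_forwarding(text):
    """One finding per directive whose effective value (explicit or default)
    leaves a forwarding feature enabled."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = cfg.get(key, DEFAULTS[key])
        if have.lower() != want:
            findings.append(f"{key}: effective value '{have}', expected '{want}'")
    # If TCP forwarding is kept on, PermitOpen should at least restrict -L targets.
    tcp_fwd = cfg.get("allowtcpforwarding", DEFAULTS["allowtcpforwarding"]).lower()
    if tcp_fwd != "no" and "permitopen" not in cfg:
        findings.append("permitopen: not set, -L may reach any host:port")
    return findings
```

On the first sample the audit reports four findings: TCP forwarding and GatewayPorts explicitly on, agent forwarding on by default, and no PermitOpen restriction. Running it against the hardened sample returns no findings.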

Summary
  - Network security technologies can be deployed at all layers of network protocols.
  - IP layer security provides a transparent security service, but needs infrastructure support.
  - Transport layer security provides a reliable end-to-end security service.
  - Application layer security mechanisms can be tailored to specific application needs.