Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Similar documents
Chapter 8 Network Security

Chapter 8 Security Pt 2

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

COSC4377. Chapter 8 roadmap

Netzwerksicherheit: Anwendungen

VLAN und MPLS, Firewall und NAT,

Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson

Chapter 8 Network Security

Chapter 6: Network Access Control

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Chapter 5: Network Layer Security

Chapter 8. Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, sl April Thanks and enjoy!

Chapter 8 Network Security

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Data Communications & Networks. Session 11 Main Theme Network Security. Dr. Jean-Claude Franchitti

Chapter 6 CDMA/802.11i

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Network Security Part II: Standards

Telematics Chapter 11: Network Security Beispielbild User watching video clip

Securing IP Networks with Implementation of IPv6

Chapter 10. Network Security

Overview of Network Security

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Lecture 10: Communications Security

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Security vulnerabilities in the Internet and possible solutions

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Chapter 32 Internet Security

Key Management (Distribution and Certification) (1)

Insecure network services. Firewalls. Two separable topics. Packet filtering. Example: blocking forgeries. Example: blocking outgoing mail

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS5008: Internet Computing

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Protocol Security Where?

Lecture 17 - Network Security

Computer Networks. Secure Systems

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

CS 4803 Computer and Network Security

IP Security. Ola Flygt Växjö University, Sweden

CS 3251: Computer Networking 1 Security Protocols I

Firewalls. Ahmad Almulhem March 10, 2012

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

OS/390 Firewall Technology Overview

Client Server Registration Protocol

Cornerstones of Security

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Computer Networks - CS132/EECS148 - Spring

Introduction to Computer Security

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Network Access Security. Lesson 10

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

21.4 Network Address Translation (NAT) NAT concept

Virtual Private Networks

Network Security in Practice

Firewalls, Tunnels, and Network Intrusion Detection

Network Security Fundamentals

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Introduction to Computer Security

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Chapter 7 Transport-Level Security

Internetwork Security

Protocol Rollback and Network Security

Computer security Lecture 9

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Computer and Network Security

High Performance VPN Solutions Over Satellite Networks

Insecure network services

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Security in Computer Networks

Lecture 23: Firewalls

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Network Security. Lecture 3

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

IP SECURITY (IPSEC) PROTOCOLS

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Transcription:

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1

roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity, authentication 4 Securing e-mail 5 Securing TCP connections: SSL 6 Network layer security: Ipsec 7 Securing wireless LANs 8 Operational security: firewalls and IDS 8-2

Secure e-mail v Alice wants to send confidential e-mail, m, to Bob. K S m. K S ( ) K S (m ) K S (m ). K S ( ) m K S +. K B ( ) K+ B + K B (K S ) + - Internet + K B (K S ) K- B K S -. K B ( ) Alice: v generates random symmetric private key, K S v encrypts message with K S (for efficiency) v also encrypts K S with Bob s public key v sends both K S (m) and K B (K S ) to Bob 8-3

Secure e-mail v Alice wants to send confidential e-mail, m, to Bob. K S m. K S ( ) K S (m ) K S (m ). K S ( ) m K S +. K B ( ) K+ B + K B (K S ) + - Internet + K B (K S ) K- B K S -. K B ( ) Bob: v uses his private key to decrypt and recover K S v uses K S to decrypt K S (m) to recover m 8-4

Secure e-mail (continued) v Alice wants to provide sender authentication, message integrity m K A -. -. H( ) KA ( ) - K A (H(m)) - K A (H(m)) K+ A +. K A ( ) H(m ) + - Internet compare m m. H( ) H(m ) v Alice digitally signs message v sends both message (in the clear) and digital signature 8-5

Secure e-mail (continued) v Alice wants to provide secrecy, sender authentication, message integrity. m m - K A. -. H( ) KA ( ) - K A (H(m)) + K S. K S ( ) +. K B ( ) K+ B Alice uses three keys: her private key, Bob s public key, newly created symmetric key K S + + K B (K S ) Internet 8-6

roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity 4 Securing e-mail 5 Securing TCP connections: SSL 6 Network layer security: Ipsec 7 Securing wireless LANs 8 Operational security: firewalls and IDS 8-7

SSL: Secure Sockets Layer v widely deployed security protocol supported by almost all browsers, web servers https v mechanisms: [Woo 1994], implementation: Netscape v variation -TLS: transport layer security, RFC 2246 v provides confidentiality integrity authentication v original goals: Web e-commerce transactions encryption (especially credit-card numbers) Web-server authentication optional client authentication minimum hassle in doing business with new merchant v available to all TCP applications 8-8

SSL and TCP/IP Application TCP IP normal application Application SSL TCP IP application with SSL v v SSL provides application programming interface (API) to applications C and Java SSL libraries/classes readily available 8-9

SSL overview v handshake: Alice and Bob use their certificates, private keys to authenticate each other and exchange shared secret v key derivation: Alice and Bob use shared secret to derive set of keys bad to use same key for more than one cryptographic operation use different keys for message authentication and encryption v data transfer: data to be transferred is broken up into series of records v connection closure: securely close connection 8-10

roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity 4 Securing e-mail 5 Securing TCP connections: SSL 6 Network layer security: Ipsec 7 Securing wireless LANs 8 Operational security: firewalls and IDS 8-11

What is network-layer confidentiality? between two network entities: v sending entity encrypts datagram payload, payload could be: TCP or UDP segment, ICMP message, OSPF message. v all data sent from one entity to other would be hidden: web pages, e-mail, P2P file transfers, TCP SYN packets blanket coverage 8-12

Virtual Private Networks (VPNs) motivation: v institutions often want private networks for security. costly: separate routers, links, DNS infrastructure. v VPN: institution s inter-office traffic is sent over public Internet instead encrypted before entering public Internet logically separate from other traffic 8-13

Virtual Private Networks (VPNs) public Internet IP header IPsec header Secure payload laptop w/ IPsec Secure payload IPsec header salesperson in hotel IP header router w/ IPv4 and IPsec router w/ IPv4 and IPsec headquarters branch office 8-14

IPsec services v data integrity v origin authentication v replay attack prevention v confidentiality v two protocols providing different service models: AH ESP 8-15

Two IPsec protocols v Authentication Header (AH) protocol provides source authentication & data integrity but not confidentiality v Encapsulation Security Protocol (ESP) provides source authentication, data integrity, and confidentiality more widely used than AH 8-16

IPsec transport mode IPsec IPsec v IPsec datagram emitted and received by end-system v Real end-to-end connection mode v Encrypts only IP payload v IP addresses are visible 8-17

IPsec tunneling mode IPsec IPsec v edge routers IPsec-aware IPsec IPsec v hosts IPsec-aware v Either gateway-to-gateway mode or end-to-end mode v Encrypts IP header and payload 8-18

Four combinations are possible! Host mode with AH Host mode with ESP Tunnel mode with AH Tunnel mode with ESP most common and most important. Why? 8-19

Security associations (SAs) v before sending data, security association (SA) established from sending to receiving entity SAs are simplex: for only one direction v ending, receiving entities maintain state information about SA IP is connectionless; IPsec is connection-oriented! v how many SAs in VPN w/ headquarters, branch office, and n traveling salespeople? 8-20

Security associations (SAs) v before sending data, security association (SA) established from sending to receiving entity SAs are simplex: for only one direction v ending, receiving entitles maintain state information about SA IP is connectionless; IPsec is connection-oriented! v how many SAs in VPN w/ headquarters, branch office, and n traveling salespeople? Ans. 2+2n (2 between HQ-BO and 2n for each SP) 8-21

Example SA from R1 to R2 headquarters Internet branch office 200.168.1.100 193.68.2.23 172.16.1/24 R1 security association R2 172.16.2/24 R1 stores for SA: v 32-bit SA identifier: Security Parameter Index (SPI) v origin SA interface (200.168.1.100) v destination SA interface (193.68.2.23) v type of encryption used (e.g., 3DES with CBC) v encryption key v type of integrity check used, e.g., HMAC (Hash based MAC) v authentication key 8-22

Security Association Database (SAD) v endpoint holds SA state in security association database (SAD), where it can locate them during processing. v SAD: data structure in the entity s OS kernel. v with n salespersons, 2 + 2n SAs in R1 s SAD v when sending IPsec datagram, R1 accesses SAD to determine how to process datagram. v when IPsec datagram arrives to R2, R2 examines SPI in IPsec datagram, indexes SAD with SPI, and processes datagram accordingly. 8-23

IPsec datagram focus for now on tunnel mode with ESP enchilada authenticated encrypted new IP header ESP hdr original IP hdr Original IP datagram payload ESP trl ESP auth SPI Seq # padding pad length next header 8-24

What happens? headquarters Internet branch office 200.168.1.100 193.68.2.23 172.16.1/24 R1 security association R2 172.16.2/24 enchilada authenticated encrypted new IP header ESP hdr original IP hdr Original IP datagram payload ESP trl ESP auth SPI Seq # padding pad length next header 8-25

R1: convert original datagram to IPsec datagram v appends to back of original datagram (which includes original header fields!) an ESP trailer field. v encrypts result using algorithm & key specified by SA. v appends to front of this encrypted quantity the ESP header, creating enchilada. v creates message authentication code (MAC) over the whole enchilada, using algorithm and key specified in SA; v appends MAC to back of enchilada, forming payload; v creates brand new IP header, with all the classic IPv4 header fields, which it appends before payload. 8-26

Inside the enchilada: enchilada authenticated encrypted new IP header ESP hdr original IP hdr Original IP datagram payload ESP trl ESP auth SPI Seq # padding pad length next header v ESP trailer: Padding for block ciphers v ESP header: SPI, so receiving entity knows what to do Sequence number, to thwart replay attacks v MAC in ESP auth field is created with shared secret key 8-27

roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity 4 Securing e-mail 5 Securing TCP connections: SSL 6 Network layer security: Ipsec 7 Securing wireless LANs 8 Operational security: firewalls and IDS 8-28

WEP design goals WEP - Wired Equivalent Privacy v symmetric key crypto confidentiality end host authorization data integrity v each packet separately encrypted given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost (unlike Cipher Block Chaining (CBC) in block ciphers) v Efficient implementable in hardware or software 8-29

WEP encryption v v v v v v sender calculates Integrity Check Value (ICV) over data four-byte hash/crc for data integrity each side has 104-bit shared key sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key sender also appends keyid (in 8-bit field) 128-bit key inputted into pseudo random number generator to get keystream data in frame + ICV is encrypted with RC4 (Ron Rivest Cipher): B\bytes of keystream are XORed with bytes of data & ICV IV & keyid are appended to encrypted data to create payload payload inserted into 802.11 frame encrypted IV Key ID data ICV MAC payload 8-30

WEP decryption overview encrypted IV Key ID data ICV MAC payload v receiver extracts IV v inputs IV, shared secret key into pseudo random generator, gets keystream v XORs keystream with encrypted data to decrypt data + ICV v verifies integrity of data with ICV 8-31

roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity 4 Securing e-mail 5 Securing TCP connections: SSL 6 Network layer security: Ipsec 7 Securing wireless LANs 8 Operational security: firewalls and IDS 8-32

Firewalls firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others administered network trusted good guys firewall public Internet untrusted bad guys 8-33

Firewalls: why prevent denial of service attacks: v SYN flooding: attacker establishes many bogus TCP connections, no resources left for real connections prevent illegal modification/access of internal data v e.g., attacker replaces homepage with something else allow only authorized access to inside network v set of authenticated users/hosts three types of firewalls: v stateless packet filters v stateful packet filters v application gateways 8-34

Stateless packet filtering Should arriving packet be allowed in? Departing packet let out? v internal network connected to Internet via router firewall v router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits 8-35

Stateless packet filtering: example v example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 result: all incoming, outgoing UDP flows and telnet connections are blocked v example 2: block inbound TCP segments with ACK=0. result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. 8-36

Stateless packet filtering: more examples Policy No outside Web access. No incoming TCP connections, except those for institution s public Web server only. Prevent Web-radios from eating up the available bandwidth. Prevent your network from being used for a smurf DoS attack. Prevent your network from being tracerouted Firewall Setting Drop all outgoing packets to any IP address, port 80 Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 Drop all incoming UDP packets - except DNS and router broadcasts. Drop all ICMP packets going to a broadcast address (e.g. 130.207.255.255). Drop all outgoing ICMP TTL expired traffic 8-37

Access Control List v ACL - firewall rules on router: an example of an ACL for an organization 222.22/16 (for an interface that connects the router to the organization s external ISPs. ) action source address allow 222.22/16 allow outside of 222.22/16 allow 222.22/16 allow outside of 222.22/16 dest address outside of 222.22/16 222.22/16 outside of 222.22/16 222.22/16 protocol source port dest port TCP > 1023 80 flag bit any TCP 80 > 1023 ACK UDP > 1023 53 --- UDP 53 > 1023 ---- deny all all all all all all 8-38

Explanation of the Prev ACL v Rules are applied to each datagram that passes through the interface. v The first two rules allow internal users to surf the Web: The first rule allows any TCP packet with destination port 80 to leave the organization s network; the second rule allows any TCP packet with source port 80 and the ACK bit set to enter the organization s network. v Note that if an external source attempts to establish a TCP connection with an internal host, the connection will be blocked, even if the source or destination port is 80. 8-39

Explanation of the Prev ACL v The second two rules together allow DNS packets to enter and leave the organization s network. v In summary, this rather restrictive access control list blocks all traffic except Web traffic initiated from within the organization and DNS traffic. 8-40

Stateful packet filtering v stateless packet filter: admits packets that make no sense, e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source address dest address protocol source port dest port flag bit allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK v stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets makes sense timeout inactive connections at firewall: no longer admit packets 8-41

Stateful packet filtering v ACL augmented to indicate need to check connection state table before admitting packet action source address allow 222.22/16 allow outside of 222.22/16 dest address outside of 222.22/16 222.22/16 proto source port dest port TCP > 1023 80 flag bit any check connection TCP 80 > 1023 ACK x allow 222.22/16 outside of 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- x deny all all all all all all 8-42

Application gateways v filter packets on application data as well as on IP/TCP/UDP fields. host-to-gateway telnet session application gateway router and filter v Application gateway: appspecific server through which all application data (in/out) must pass. gateway-to-remote host telnet session case: allow certain internal users to telnet outside 1. Require telnet users to telnet through application gateway. 2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway. 8-43

Limitations of firewalls, gateways v IP spoofing: router can t know if data really comes from claimed source v if multiple app s. need special treatment, each has own app. gateway v client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser v filters often use all or nothing policy for UDP v many highly protected sites still suffer from attacks 8-44

Intrusion detection systems v packet filtering: operates on TCP/IP headers only no correlation check among sessions v IDS: intrusion detection system deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) examine correlation among multiple packets port scanning network mapping DoS attack 8-45

Intrusion detection systems v multiple IDSs: different types of checking at different locations high security zone firewall internal network Internet IDS sensors Web server FTP server DNS server demilitarized zone 8-46

Network Security (summary) basic techniques... cryptography (symmetric and public) message integrity end-point authentication. used in many different security scenarios secure email secure transport (SSL) IP sec 802.11 operational security: firewalls and IDS 8-47

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information