• No results found

Lecture 17 - Network Security

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Lecture 17 - Network Security"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

Lecture 17 - Network Security

CMPSC 443 - Spring 2012

Introduction Computer and Network Security Professor Jaeger

www.cse.psu.edu/~tjaeger/cse443-s12/

(2)

Idea

• Why donʼt we just integrate some of these neat crypto tricks directly into the IP protocol stack?

• This is called transport security

(3)

IPsec

• IP layer security protocol

– Integrated directly into protocol stack

– Defined as an extension to the network layer – Transparent to the above layers and application

• Provides

– confidentiality – integrity

– authenticity

– replay protection – DOS protection

IPsec SA Ethernet

IP TCP HTTP

Physical

Ethernet IP TCP HTTP

Physical

(4)

Tunnel vs. Transport Mode

• Transport mode

– default mode of IPsec -- protects transport layer packet – end-to-end encapsulation of data

– useful when both endpoints are configured to use/manage IPsec

• Tunnel mode

– encapsulates all of the IP data over a new IP level packet – useful when the device applying IPsec to the packet is not

the originating host, e.g., at a gateway – Also known as, “ip over ip”

• IPsec provides the mechanism, you provide the policy

(5)

IPsec Processing

ESP

Start

IKE Phase 1:

Negotiate Session ISAKMP Keys

IKE Phase 2:

Negotiate SA Keys

Process Using AH Encoding and

Policy

Process Using ESP Encoding and

Policy ISAKMP Keys

Exist?

SA Keys Exist?

Processing Policy Yes

Yes

No

No

ESP AH

IKE

AH

(6)

Internet Key Exchange (IKE)

• Built on of ISAKMP framework

• Two phase protocol used to establish parameters and keys for session

– Phase 1: negotiate parameters, authenticate peers, establish secure channel

• ISAKMP keys

– Phase 2: Establish a security association (SA)

• SA keys used to process user traffic

• The details are unimaginably complex

• The SA defines algorithms, keys, and policy used to secure the session

(7)

IPsec Implementation

• User: ISAKMP framework

• Kernel: IPsec processing

User Kernel

Policy Engine

Policy Cache

SA

Administration ISAKMP

Daemon

SA Cache IPSec

Engine

Crypto Engine

Policy Interface SA Interface

(8)

Authentication Header (AH)

• Authenticity and integrity

– via HMAC

– over IP headers and and data

• Advantage: the authenticity of data and IP header information is protected

– it gets a little complicated with mutable fields, which are

supposed to be altered by network as packet traverses the network

– some fields a immutable, and are protected

• Confidentiality of data is not preserved

• Replay protection via AH sequence numbers

– note that this replicates some features of TCP (good?)

(9)

Authentication Header (AH)

• Modifications to the packet format

IP Header AH Header

MAC Payload

AH Packet Encrypted Authenticated

IP Header Payload

(10)

IPsec Authentication

• SPI: (spy) identifies the security association for this packet

– Type of crypto checksum, how large it is, and how it is computed – Really the policy for the packet

• Authentication data

– Hash of packet contents include IP header as as specified by SPI – Treat transient fields (TTL, header checksum) as zero

• Keyed MD5 Hash is default

Headers and data being sent

Key Key

Secret Key

MD5 Hash

(11)

Encapsulating Security Payload (ESP)

• Confidentiality, authenticity and integrity

– via encryption and HMAC – over IP payload (data)

• Advantage: the security manipulations are done solely on user data

– TCP packet is fully secured – simplifies processing

• Use “null” encryption to get authenticity/integrity only

• Note that the TCP ports are hidden when encrypted

– good: better security, less is known about traffic

– bad: impossible for FW to filter/traffic based on port

• Cost: can require many more resources than AH

(12)

Encapsulating Security Payload (ESP)

• Modifications to packet format

IP Header ESP Header Payload ESP Trailer MAC

ESP Packet Encrypted Authenticated

IP Header Payload

(13)

Is AH necessary?

• Some argue that AH is subsumed by ESP

– Header protection can be achieved by tunnel mode ESP – Protection of header has limited utility

• Should we allow firewalls (and eavesdroppers) to look at layer 4 (TCP) information

– e.g., filter on ports

– exposes a lot of information

• In practice, the protocol AH is generally not used.

?

(14)

IPsec Tunnel Mode

• Encapsulate IP packet

Payload Source

Dest

C D

ESP Header Source Payload ESP Trailer MAC Dest

Tunnel

Source Dest

Tunnel Header

(15)

Practical Issues and Limitations

• IPsec implementations

– Often not compatible (ungh.) – Large footprint

• resource poor devices are in trouble

• New standards to simplify (e.g, JFK, IKE2)

– Slow to adopt new technologies

• Issues

– IPsec tries to be “everything for everybody at all times”

• Massive, complicated, and unwieldy

– Policy infrastructure has not emerged

– Large-scale management tools are limited (e.g., CISCO) – Often not used securely (common pre-shared keys)

(16)

Network Isolation: VPNs

• Idea: I want to create a collection of hosts which operate in a coordinated way

– E.g., a virtual security perimeter over physical network – Hosts work as if they are isolated from malicious hosts

• Solution: Virtual Private Networks

– Create virtual network topology over physical network – Use communications security protocol suites to secure

virtual links “tunneling”

– Manage networks as if they are physically separate

– Hosts can route traffic to regular networks (split-tunneling)

(17)

VPN Example: RW/Telecommuter

Internet

LAN

(network edge)

Physical Link

Logical Link (IPsec)

(18)

VPN Example: Hub and Spoke

Internet

LAN

(network edge)

Physical Link

(19)

VPN Example: Mesh

Internet

LAN

(network edge)

Physical Link

Logical Link (IPsec)

(20)

Virtual LANs (VLANs)

• VPNs build with hardware

– No encryption – none needed – “wire based isolation”

– Switches increasingly support VLANs

– Allows networks to be reorganized without rewiring

• Example usage: two departments in same hallway

– Each office is associated with department

– Configuring the network switch gives physical isolation – Note: often used to ensure QoS

References

Download now ( PDF - 20 Page - 397.47 KB )

Related documents

White Paper. Telenor VPN

Virtual Private Network (VPN) technology are used to attend to the security over the external network to make sure that the Customer can communicate with Telenors mobile network in

As 2758.6-2008 Aggregates and Rock for Engineering Purposes Guidelines for the Specification of Armourstone

This Standard was prepared by the Standards Australia Committee CE-012, Aggregates and This Standard was prepared by the Standards Australia Committee CE-012, Aggregates and Rock

How Strong is European Solidarity?

 

SDN, NFV & Future Technologies. Chris Thompson Director of Product Management, Cloud Connectivity Solutions

Managed Data Virtual Network Direct Internet Data Virtual Network Voice Services Virtual Network Virtual Routers Physical Network SDN Controller Flow Switch Network

Bell And Howell Solar Animal Repeller Instructions

Vegetable garden not and bell and howell solar animal repeller instructions said to exterminate a powerful ultrasonic waves so do not hear the pest control and not!.

Huawei esight Full Product Datasheet

Supports topology management, Network Elements (NEs), links, physical resources, e-labels, alarms, performance, configuration files, logs, Virtual Local Area Network (VLAN)

1. Product Overview 2. Product Features 3. Comparison Chart 4. Product Applications 5. Order Information 6. Q & A

Network Security, Secure Messaging Network Security, Secure Messaging PKI Application, Network Security, Secure Messaging Security Access Module (SAM), Secure Messaging

Pay Off Mortgage Or Invest

Starts investing in paying mortgage or list, or raising passive income value each year required monthly cash flow on debt is higher return decreases your tail and did.. Can i pay