1 / 14

Internet and Intranet Fundamentals

Internet and Intranet Fundamentals. Class 10 Session A. Topics. Review the Midterm Results Security Wrapup: IPSEC. IPSEC. Security Architecture for the Internet Protocol RFC 2401 Access Control Connectionless Integrity Data Origin Authentication Protection Against Replays

lynne
Télécharger la présentation

Internet and Intranet Fundamentals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet and Intranet Fundamentals Class 10 Session A

  2. Topics • Review the Midterm Results • Security Wrapup: IPSEC

  3. IPSEC • Security Architecture for the Internet Protocol • RFC 2401 • Access Control • Connectionless Integrity • Data Origin Authentication • Protection Against Replays • Confidentiality • Limited Traffic Flow Confidentiality

  4. Objectives of RFC 2401 Achieved Through • Two Major Security Protocols • AH = Authentication Header • ESP = Encapsulating Security Payload • Cryptographic Key Management Procedures and Protocols • Algorithm independence

  5. Security Policy Database (SPD) • Established / Maintained by User, Sys Admin, Application • Three Processing Modes for Packets • Afforded IPsec Security Services • Discarded • Allowed to Bypass IPsec Security Services

  6. Security Gateway • Intermediate System Implementing IPsec Protocols • Paths Defined between • Hosts • Security Gateways • Hosts and Security Gateways

  7. AH = Authentication Header • "IP Authentication Header", RFC 2402 • Connectionless Integrity • Data Origin Authentication • Anti-Replay

  8. ESP = Encapsulating Security Payload • "IP Encapsulating Security Payload (ESP)", RFC 2406 • Confidentiality (Encryption) • Limited Traffic Flow Confidentiality • Connectionless Integrity • Data Origin Authentication • Anti-Replay

  9. AH / ESP Modes • Transport Mode • Protection for upper layer protocols • Tunnel Mode • Applied to tunneled packets • Tunnels can be • end-to-end between two security gateways, or • between individual TCP connections

  10. AH / ESP Modes • Hosts MUST support both modes • Security Gateways need only support tunnel mode • May support transport mode, but only when acting as a host

  11. Implementation • Native IP Implementation • Source code • Bump-in-the-Stack (BITS) • In between native IP and data link layer • Outboard Cryptoprocessor • Military • Bump-in-the-wire (BITW). • Supporting Router acts as security gateway, as single host == BITS

  12. Security Association • Simplex connection affording security services to the traffic carried by it • Two way traffic will require two SAs. • Triple defines: • Security Parameter Index (SPI) • IP Destination Address • security protocol identifier (AH or ESP)

  13. Security Association • Transport Mode Security Protocol Header Immediately After IP Header, but before high layer headers. • Outer and Inner IP headers

  14. Implementations of IPSec Internet Host Computer Host Computer Router w/ IPSec Router w/ IPSec Host Computer Host Computer Host Computer w/IPSec Host Computer w/IPSec Router w/o IPSec Router w/o IPSec Independent of Security Security Applied

More Related