1 / 82

Network Security

Network Security. Today’s Universities C ampus P erimeter Security. Anti-virus system. Firewalls. 100 %. Anti-virus system. Remote access VPN, using IPSEC. Access control. 96.2 %. Firewalls. Content filtering. Remote access VPN, using IPSEC. Intrusion Detection System. 78.8 %.

kimi
Télécharger la présentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security

  2. Today’s Universities CampusPerimeter Security Anti-virus system Firewalls 100 % Anti-virus system Remote access VPN, using IPSEC Access control 96.2 % Firewalls Content filtering Remote access VPN, using IPSEC Intrusion Detection System 78.8 % Remote access VPN using SSL Other 78.8 % Access control 55.8 % Content filtering 57.7 % Intrusion Detection System Remote access VPN using SSL 25 % 11.5 % Other * * Other includes packet shapers, proxy servers and smart-card authentication.

  3. Lack of personnel/expertise Complexity 53.8 % Management costs are too high 51.9 % Solution costs are too high Lack of one-stop shopping from vendors 42.3 % 36.5 % 21.2 % Security challenges for remote offices

  4. Agenda • NAT – the most common and quite effective zero-mainetnance firewall • PacketFilters and RealFirewalls • SSL/TLS: transport layer security • Easy to use • CA infrastructure • SSH • IPSec: network layer security (VPN) • Difficult to deploy • Transport or Tunnel mode

  5. Use of Private Addresses • Routers in the public Internet will notroute packets whose destination are private addresses • 10.0.0.0/8, • 172.16.0.0/12, • 192.168.0.0/16 • However, it is possible for routers in aprivate network to route packets with private addresses • The same private addresses can be reused in different private networks

  6. NAT Basics • Network Address Translator (NAT) • Defined in RFC 3022 • Standard application • map private IP address range • 10.0.0.0 – 10.255.255.255 • 172.16.0.0 – 172.31.255.255 • 192.168.0.0-192.168.255.255 • to public IP address range

  7. Network Address Port Translation (NAPT or Masquerading)

  8. NAPT Basics • Network Address Port Translator • Can map multiple private IP addresses and ports to one public IP address and ports

  9. NAT Internals • NAT modifies headers in IP and TCP/UDP • IP header • Source (outgoing) or destination (incoming) IP address • IP header checksum • TCP/UDP header • Source (outgoing) or destination (incoming) TCP/UDP port • TCP/UDP checksum

  10. IP header TCP Header vsn len tos total length source port destination port identification flgs fragment offset sequence number TTL protocol header checksum acknowledgement number source IP address hlen rsv flags window size destination IP address TCP checksum urgent pointer options (optional) options (optional) data data (optional) NAT • Fields modified in IP and TCP header:

  11. NAT • Some protocols include IP address in data portion of IP datagram • Example is FTP: • FTP uses 2 connections • Control connection for login, commands • Data connection for data transfer • FTP client tells FTP server how to open the data connection -- supplies IP address and port • These are in data section of IP datagram; not protocol headers, so NAT translation becomes application-specific

  12. NAT - ALG’s • Application Layer Gateways (or ALG’s) sit on NAT gateway to translate IP and port information in data • Must have separate ALG for each application to be translated • Common applications which need ALG: • FTP, DNS, SNMP, H.323 (Voice over IP) • USNET-NAT has an FTP ALG • Further complications possible besides IP/Port translation

  13. NAT ALG for FTP • FTP ALG must: • Translate IP address in data portion • Set up NAT router to accept incoming connection • Modify TCP (or UDP) checksum • Check for data length changes - if even one segment length changes, modify TCP sequence and ACK numbers for remainder of session

  14. RFC 3022

  15. Example NAT Configuration

  16. Types of NAT I • Static NAT • maintains a fixed mapping from private addresses to global addresses, which must be configured manually. • Dynamic NAT • Global IP address is issued for each “session” • TCP/IP: NAT router checks for SYN/FIN flags

  17. Types of NAT II • Full Cone • Restricted Cone • Port Restricted Cone • Symmetric

  18. Network Address Translation • NAT is a major problem for media communications • NAT:

  19. Full Cone • Any computer can send back data to an open port.

  20. Restricted Cone • Any computer can send back data to an open port AFTER we send data to their IP.

  21. Port Restricted Cone • Same as restricted cone but we need to first send data to their IP AND the port that will be allowed to send back.

  22. Symmetric

  23. Internet Security Threats I • Packet Sniffing • Broadcast media e.g. Ethernet, wireless comms • Promiscuous NIC reads all packets passing by • Can read all unencrypted data (e.g. passwords) • E.g. C sniffs B’s packets

  24. Internet Security Threats II • IP Spoofing • Can generate “raw” IP packets directly from application, putting any value into IP source address field • Receiver can’t tell if source is spoofed • E.g.: C pretends to be (trusted host) B

  25. Internet Security Threats III • Denial of service (DOS) • Flood of maliciously generated packets “swamp” to receiver • Distributed DOS (DDOS): multiple coordinated sources swamp one receiver • E.g.: C and remote host SYN-attack A • No real defense against this attack!!

  26. Types of firewalls • Packet filters • Standard packet filter • Stateful packet filter • Proxy gateways • Network Address Translation (NAT) • Intrusion Detection • Logging

  27. Components of firewall

  28. Firewall Example HTTP-Server (only port 80 open) Internet File-Server (not accessible from outside) Firewall And NAT Gateway

  29. Packet Filtering • Block or allow packets based on rules. • Filtering based on packet headers and interface it arrives on. • Example – Inbound telnet open not allowed. • Filtering Strategies • That which is not explicitly permitted is prohibited. • That which is not explicitly prohibited is permitted. • Session and protocol tracking • Fragmented IP packets • Packets violating the L4-L7 protocol

  30. Proxy Servers • Proxy services sit between user on the inside and server on the outside. Instead of talking directly, user and server talk through proxy.

  31. Network Address Translation • Network Address Translation (NAT) allows a network to use one set of addresses internally and a different set when dealing with external networks. • It helps conceal internal network and force connections to go through choke point. • Router does the extra work required for address translation.

  32. Threat Alice Bob Eve • Alice and Bob want to communicate • Eve is eavesdropping (intercept, delete, add messages)

  33. What is Network Security? • Secrecy: Only sender and intended receiver should be able to “understand” message • Authentication: Sender and receiver want to confirm identity of each other • Message Integrity: Sender and receiver want to ensure that message has not been altered without detection

  34. Taxonomy of Network Security Secure Communication SymmetricCryptography(e.g., DES) AsymmetricCryptography(e.g., RSA) MessageDigests(e.g., MD5)

  35. Cryptographic Security Technologies • En-/Decryption/Signing of E-Mail • e.g. PrettyGoodPrivacy (PGP) • En-/Decryption of Shell Communication • e.g. SecureShell (SSH) • En-/Decryption on Protocol Level • e.g. SSL (TCP), IPSec (IP)

  36. Basic crypto applications • Algorithms: DES, AES, 3DES • Used for actual reversible encryption • “non-entropic”, reversible operations • Requires a unique “secret key” for the encryptor and decryptor • Hashes: SHA-1, MD5 • Used to generate a unique mathematical “summary value” for a given dataset • “Entropic”, non-reversible operation • Used to authenticate a data set • Can be combined with a “secret key” value to create a custom Hash- ensures that your hash was created by someone you trust.

  37. Symmetric Key Distribution • Key distribution • Public key via trusted Certificate Authorities • Symmetric key? • Diffie-Helman Key Exchange • Public key, then symmetric key (e.g. SSL)

  38. Secure Socket Layer (SSL) • SSL works at transport layer. Provides security to any TCP-based app using SSL services. • SSL: used between WWW browsers, servers for E-commerce (shttp, scp). • SSL security services: • server authentication • data encryption • client authentication (optional) • Server authentication: • SSL enabled browser includes public keys of trusted CAs. • Browser requests servercertificate, issued by trusted CA. • Browser uses CA’s public key to extract server’s public key from certificate. • Visit your browser’s security menu to see its trusted CAs.

  39. SSL and TLS • SSL designed by Netscape • TLS IETF standard • compromise between SSL and a Microsoft protocol • SSL and TLS provide applications: • Encryption • Server authentication • (Optional) client authentication • SSL programming libraries are pretty easy to use

  40. SSL Protocol Architecture SSL Change Cipher Spec Protocol SSL Handshake Protocol SSL Alert Protocol HTTP, other apps SSL Record Protocol TCP

  41. SSL Handshake • Pretty complicated • why HTTPS websites seem sooooooo slow. • Server (and client) authentication • Negotiation of: • Encryption algorithm • MAC algorithm • Encryption key • Must be done before any data transmission

  42. SSL/TLS and IPSec

  43. How does SSL differ? • SSL is based on PKI, which uses public/private key pairs- using entirely different math • Designed to enable secure transfer of data (like a temporary crypto key) to someone you don’t necessarily trust • IKE/IPSec does not use PKI, as it is inherently less safe- and designed for e-commerce use • Actually, PKI-like key exchange is used in some limited ways in IKE, but the core of IPSec is not based on public/private key exchange

  44. IPSec Overview • What is IKE and IPSEC? • Generally speaking, IKE is a method for securely exchanging encryption ciphers that will be used in a later encrypted session • IPSec is an overall term used to describe encrypted data communication over IP, using the keys exchanged with IKE • Remember, the problem is not just encrypting the messages- it’s keeping your keys safe in the long term • This is accomplished by renegotiating keys often in IPSec- this compartmentalizes the encryption and data exchange • This means that secret keys must be exchanged often

  45. IPSec Architecture

  46. IPSec • There are three parts to IPSec: • AH- authentication header- provides session security at a “sophisticated” level by checking data integrity and protecting against “replay” attacks (protocol 51) • ESP- encapsulating security payload- provides the bulk data encryption method (protocol 50) • IKE- handles the exchange of secret keys used in the prior two categories (udp port 500) • NOTE: IKE generally cannot be NATted, as the IP addresses used by each participating gateway are tracked, and NAT looks like a replay attack

  47. The guts of key exchange • Sending Gateway determines a packet needs to be encrypted • Sending Gateway opens an IKE session with the Receiving gateway- this step defines the IKE SA • Diffie-Hellman key exchange uses hashing of a certificate or shared secret to authenticate each gateway, and sets up a public/private data exchange channel • Sending and Receiving Gateways exchange protocol settings, algorithm settings, and secret keys using PKI • A new IPSec SA is defined for the ESP tunnel, and data begins to be transferred • New term: Selector- a logical construct similar to a route, that allows the gateway to determine if an inbound packet is to be encrypted and passed over a particular SA

  48. Quick Mode IKE Hash type, SA type (ESP), IP information (encryption domains/selectors) Hash type, SA type (ESP), IP information (encryption domains/selectors) ACK HASH return HASH

More Related