Slide 1: Intro to Internet-services from Security Standpoint, Part II
SOEN321 - Information-Systems Security
Revision 1.1, Date: October 21, 2003
October 22, 2002, Serguei A. Mokhov, [email protected]

Slide 2: Secure Communication (Chapter 9 Summary)
• People need to "talk" over the network; they have their encryption and authentication keys all set up.
• Now, how do they communicate securely?
  – Precisely: where do we put security in the ISO stack?

Slide 3: ISO Stack
• Recall the 7-layer OSI model from the networks course:
  Application, Presentation, Session, Transport, Network, Link, Physical.
• So, on which level(s) can you possibly put security mechanisms?

Slide 4: Which Layers?
• The layers shown in gray on the slide are the ones on which Internet security protocols are implemented.
  [Figure: the OSI stack, Application, Presentation, Session, Transport, Network, Link, Physical, with some layers shaded gray]
• There are always tradeoffs for each level you decide to secure.

Slide 5: Which Layers?
• Application?
• Network?
  – Application independent.
• Between Application and Transport?
  – Greater flexibility to select different protection levels depending on the type of communication used.
• Link?
  – Provides protection against media tapping.

Slide 6: Packet Encapsulation
• Before we proceed to the layers ...
• Encapsulation
  – Encapsulation is a technique that is used to add services to network protocols.
  – Technique:
    • Get the original packet
    • Add new headers
    • Apply the desired service to the original packet

Slide 7: Packet Encapsulation
• The service may include:
  – Real-time data transfer over the Internet
  – Security
    • Encryption
    • Authentication
  – ...
• Original IP datagram: [IP header][TCP header][Payload]
• Encapsulated IP datagram: [New IP header][ESP|AH][IP header][TCP header][Payload]

Slide 8: ESP and AH
• Encapsulating Security Payload
  – Goal: confidentiality of the payload
  – Often used with AH
• IP Authentication Header
  – Goal: authenticity of the data in IP packets
  – MAC
• ESP and AH are often used together because confidentiality without authentication has been shown to be vulnerable to cryptographic attacks.

Slide 9: Application Layer
• Very specific security needs required by an application.
• The application does not trust the underlying levels to satisfy those requirements.
• No direct end-to-end communication exists.
• Examples:
  – e-mail: PGP
  – SSH

Slide 10: Transport Layer
• Between an application and networking.
• Refers to TCP and UDP.
• Transport layer security sits on top of the Transport Layer:
  – Does not alter TCP/UDP headers.
  – Security is added where applications perform socket calls, which are replaced by their secure versions, e.g. read(socketd) -> secure_read(socketd).

Slide 11: Transport Layer (2)
• Examples: SSL
  – Secure Socket Layer (SSL) was introduced by Netscape, then standardized and became TLS, Transport Layer Security, RFC 2246.
  – Typical example: web browsers, and other client-server architectures (an RDBMS, for example).
  – Provides encryption and authentication.
  – Services can easily be configured on top of SSL without requiring much knowledge of it.

Slide 12: Network Layer
• Natural place for security mechanisms.
• Applications do not have to be changed.
• Independent from other layers, so an insecure version of the IP layer can be replaced by a secure one with authentication and encryption.
  – Securing NFS
• Employs encapsulation.

Slide 13: Network Layer (2)
• Examples of use:
  – Virtual Private Network (VPN) between communicating firewalls: a static route, a pipe or a tunnel, between two or more organizations, providing confidentiality and authentication while using public networks (the Internet) as the transport medium. (This is very cost effective in comparison with EDI.)
  – Personal communication with insecure applications (transparent security).

Slide 14: Network Layer (3)
• Challenges and Disadvantages
  – Challenge: setting the right policy for the right kind of communication.
  – The concept of layer independence complicates things, e.g. binding security associations to transport-level port numbers.
  – Disadvantages: requires replacement of the TCP/IP stack.
    • On UNIX/Linux this requires kernel recompilation.
    • On Windows, an update of its files and a reboot. (That is why it is easier to just upgrade your browser to get SSL than to reinstall the OS.)

Slide 15: Link Layer
• The lowest level people ever consider putting security on.
• Makes sense when there is high-volume traffic between two directly connected nodes, or if the physical layer is not protected well enough.

Slide 16: Link Layer (2)
• Examples:
  – A school campus or an organization with a network spanning two or more buildings: it is easier to install and maintain antennas on the roofs to link the buildings than cables underground.
  – A home or small-organization wireless LAN, so that no one can get anything meaningful from the radio waves it runs on.

Slide 17: Link Layer (3)
• Advantages:
  – Does not require any knowledge of routing, networking, applications, etc.
  – Key management is relatively simple: two devices share a long-term key and periodically derive session keys from it.
• Disadvantages:
  – Not appropriate when there is no direct connection between the communicating parties (e.g. routing information is needed, which would otherwise be encrypted).
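The tunnel-mode layering from the Packet Encapsulation and ESP/AH slides, worked through as an added example that is not part of the lecture: a constructed outer IP header, an AH-style MAC over the rest of the packet, and an ESP-style confidentiality transform of the original datagram. The byte layouts, keys and the inner datagram are constructed; the keystream cipher is a stand-in for real ESP, and the ICV is a full HMAC-SHA256 where real AH truncates its MAC to 96 bits and covers only the immutable fields of the outer IP header.

```python
# Added example, not the lecture's own code: simplified tunnel-mode packet
# [new IP header][AH][ESP-style payload]. All byte layouts are constructed for
# illustration; the "cipher" is a stand-in keystream (HMAC-SHA256 in counter mode),
# not real ESP, and the AH ICV is a full HMAC-SHA256 where real AH truncates to
# 96 bits and authenticates only the immutable outer-header fields.
import hmac, hashlib, struct

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", c), hashlib.sha256).digest()
              for c in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def esp_transform(enc_key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """ESP-style confidentiality: SPI || sequence number || data XOR keystream (self-inverse)."""
    nonce = struct.pack(">II", spi, seq)
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))

def encapsulate(auth_key, enc_key, new_ip_hdr, spi, seq, original_datagram):
    """Tunnel mode: new IP header, then AH (MAC over header + ESP part), then ESP part."""
    esp = esp_transform(enc_key, spi, seq, original_datagram)
    icv = hmac.new(auth_key, new_ip_hdr + esp, hashlib.sha256).digest()   # 32-byte AH ICV
    return new_ip_hdr + icv + esp

def decapsulate(auth_key, enc_key, hdr_len, packet):
    """Check the AH ICV first; only an authenticated packet is decrypted. None on failure."""
    hdr, icv, esp = packet[:hdr_len], packet[hdr_len:hdr_len + 32], packet[hdr_len + 32:]
    expected = hmac.new(auth_key, hdr + esp, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        return None                                   # tampered or wrong key: drop it
    spi, seq = struct.unpack(">II", esp[:8])
    return esp_transform(enc_key, spi, seq, esp[8:])[8:]   # XOR again restores the datagram

# Constructed sample values (not from the lecture).
AUTH_KEY, ENC_KEY = b"constructed-auth-key", b"constructed-enc-key"
NEW_IP_HDR = b"\x45\x00" + b"\x00" * 18          # 20-byte stand-in outer IP header
ORIGINAL = b"[IP hdr][TCP hdr] pay 10 units to account A"   # stand-in inner datagram

def demo():
    """Returns (round trip succeeded, bit-flipped packet was rejected by AH)."""
    pkt = encapsulate(AUTH_KEY, ENC_KEY, NEW_IP_HDR, 0x100, 1, ORIGINAL)
    ok = decapsulate(AUTH_KEY, ENC_KEY, 20, pkt) == ORIGINAL
    flipped = bytearray(pkt); flipped[-1] ^= 0x01   # one bit changed in the ciphertext
    rejected = decapsulate(AUTH_KEY, ENC_KEY, 20, bytes(flipped)) is None
    return ok, rejected

if __name__ == "__main__":
    print(demo())
```

The XOR keystream alone would let a single flipped ciphertext bit change the decrypted datagram undetected, which is the slide's point about confidentiality without authentication; the AH check is what turns that into a dropped packet.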