Lecture 06 IP Security
Dr. Supakorn Kungpisdan
[email protected]

Outline
- Motivation
- IPSec Architecture
- How IPSec Works
- IPSec Security Protocols
- IPSec Modes
- Combining Security Associations
- IPSec Key Exchange and Management Protocol
- IPSec benefits and limitations

ITEC4621 Network Security

Motivations
- Originally, authentication and confidentiality were not enforced at the IP level:
  - Source/destination IP address spoofing
  - Inspection of IP payload
  - Replay

IP Spoofing Attack
[Figure, two panels. Panel 1: router a.b.c.100, NFS server x.y.z.200, authorized NFS client x.y.x.201, unauthorized NFS client. Panel 2: router a.b.c.100, NFS server x.y.z.200 shut down for maintenance, authorized NFS client x.y.x.201 -> x.y.x.200, unauthorized client masquerading as the authorised client]

Ping of Death Attack
- ICMP, an integral part of IP, is utilized to report network errors.
- PING (Packet InterNet Grouper) utilizes ICMP echo request and reply packets to test host reachability.
- ICMP messages normally consist of the IP header and enclosed ICMP data with a default size of 64 bytes.
- If the hacker sends an ICMP Echo request that is greater than 65,536 bytes, this can crash or reboot the system.
- A newer attack method modifies the header to indicate that there is more data in the packet than there actually is.

Smurf Attack
- The hacker sends an ICMP echo request to the target network with a destination broadcast address and a spoofed source address of the target.
- The network serves as a "bounce site" and returns an echo reply packet for each station on the network.
- The network thus multiplies the effect of the "ping".
- The echo request packet could be sent to multiple networks.

Why look for security at IP level?
- Below the transport layer: not specific to network applications, so no need to change software at the application layer
- Transparent to users: no need to train users
- Enhances security when used with higher-level applications
- Enhances the security of firewalls
- Easily identifies authorised access to the network

What can be done at IP Layer?
- Authentication: allows the receiver to validate the identity of a sender, client/server machine or process.
- Integrity: provides assurance to the receiver that the transmitted data has not been changed.
- Confidentiality: prevents the unwanted disclosure of information during transit.

TCP/IP & Possible Security Enhancement
- Application: Kerberos, HTTPS, S/MIME, PGP, ...
- Transport (TCP, UDP): SSL, TLS
- Network (IP): IPSec
- Data Link
- Physical

IPSec
- A type of VPN (Virtual Private Network)
- Types of VPNs:
  - VPN over SSH (Secure Shell) and PPP (Point-to-Point Protocol)
  - VPN over SSL/TLS (Secure Socket Layer/Transport Layer Security) and PPP
  - IPSec
  - PPTP (Point-to-Point Tunneling Protocol)
  - etc.

Roadmap: Motivation, IPSec Architecture, How IPSec Works, IPSec Security Protocols, IPSec Modes, Combining Security Associations, IPSec Key Exchange and Management Protocol, IPSec benefits and limitations

An IP Security Scenario
[Figure]

Applications of IPSec
- Secure branch office connectivity over the Internet: saves cost, no need to have a leased line
- Secure remote access over the Internet
- Establishing extranet and intranet connectivity with partners
- Enhancing electronic commerce security: an extranet enables B2B e-commerce transactions among business partners

IP Security Architecture
[Figure]

IP Security Architecture (cont.)
- Architecture: general concepts, requirements, definitions, and mechanisms defining IPSec technology
- Encapsulating Security Payload (ESP): generally provides encryption of the IP payload (data) and optionally provides authentication
- Authentication Header (AH): provides authentication of IP headers
- Encryption algorithm: describes the encryption algorithm used for ESP
- Authentication algorithm: describes the authentication algorithm used for AH and ESP
- Key Management: involves the determination and distribution of secret keys
- Domain of Interpretation (DOI): contains identifiers for approved encryption and authentication algorithms, key lifetime parameters, etc.

Roadmap: Motivation, IPSec Architecture, How IPSec Works, IPSec Modes, IPSec Security Protocols, Combining Security Associations, IPSec Key Exchange and Management Protocol, IPSec benefits and limitations

Security Associations
- A one-way relationship between sender and receiver that affords security for a traffic flow
- A party who wants to send and receive data needs 2 SAs
- Defined by 3 parameters:
  - Security Parameters Index (SPI)
  - IP Destination Address
  - Security Protocol Identifier (AH or ESP)
- Has a number of other parameters: sequence number, AH & ESP info, lifetime, etc.
- Each party keeps a database of Security Associations (SAD)
- Security services are afforded to an SA for the use of AH or ESP, but not both

SAD Example
- An incoming packet contains the SPI, destination IP and security protocol, which are used to refer to an entry in the SAD
- Can be configured for a specific application, e.g. HTTP traffic

Security Policy Database (SPD)
- Makes the higher-level decision on what to do with an IP packet
- The SPD enforces the protection policy, whereas the SAD supplies the necessary parameters and makes it possible.

How IPSec Works
[Figure: sender and recipient processing flow. Sender: SPD asks "IPSec needed?"]
[Figure, continued: if so, pass to SAD; SAD: check header to see how IPSec is implemented. Recipient: SAD: check header to see if an IPSec packet is received, remove IPSec header; SPD: decide to allow or drop the incoming packet]

How IPSec Works (cont.)
- Outbound traffic: sending a packet out to the network. IPSec checks the Security Policy Database (SPD) to decide whether to:
  - Let the packet go through without IPSec protection
  - Drop the packet
  - Protect the packet using IPSec

How IPSec Works (cont.)
- Inbound traffic: incoming packet from the network
  1. The system determines the Security Association (SA) for the packet. The SA is composed of:
     - Security Parameters Index (SPI): serves as an index into the Security Association Database (SAD)
     - Destination IP address
     - IPSec data manipulation protocol (Authentication Header (AH) or Encapsulating Security Payload (ESP))
  2. Determine the appropriate SA, then perform authentication/decryption to extract the data from the IPSec data
  3. Once the original header is extracted, look up the SPD rules to see whether it matches any rule.

Example: Outbound Traffic

SPD
Rule # | Src IP | Dst IP | Src Port | Dst Port | Action | IPSec Protocol | Mode | Outbound SA Index
1 | 192.168.1.1 | 192.168.2.1 | Any | 80 | IPSec | AH | Tunnel | 400
2 | 192.168.1.23 | 192.168.2.5 | Any | 22 | Accept | - | - | 8500

SAD
SPI | Src IP | Dst IP | Src Port | Dst Port | Parameter | Type | Pointer to SPD
400 | 192.168.1.1 | 192.168.2.1 | Any | 80 | ..... | Outbound | 1
8500 | 192.168.1.23 | 192.168.2.5 | Any | 22 | - | - | 2

Roadmap: Motivation, IPSec Architecture, How IPSec Works, IPSec Security Protocols, IPSec Modes, Combining Security Associations, IPSec Key Exchange and Management Protocol, IPSec benefits and limitations

Authentication Header (AH)
- Provides support for data integrity and authentication of IP packets
- End system/router can authenticate user/app
- Prevents address spoofing attacks by tracking sequence numbers
- Based on the use of a MAC: HMAC-MD5-96 or HMAC-SHA-1-96
- Parties must share a secret key

Authentication Header
- Contains the MAC of the packet
[Figure]

AH Frame
- Mutable fields: fields that can be changed during transmission, e.g. TTL
- Immutable fields: source address, header length, destination address, upper-layer protocol data, e.g. TCP or UDP segments
[Figure]

Encapsulating Security Payload (ESP)
- Provides message content confidentiality and limited traffic-flow confidentiality
- Can optionally provide the same authentication services as AH
- Supports a range of ciphers, modes and padding: DES, Triple-DES, RC5, IDEA, CAST, etc.; CBC and other modes; padding needed to fill the block size, fields, and for traffic flow
- Current specs support CBC-DES encryption

ESP (cont.)
[Figure]

ESP Frame
[Figure]

Roadmap: Motivation, IPSec Architecture, How IPSec Works, IPSec Modes, IPSec Security Protocols, Combining Security Associations, IPSec Key Exchange and Management Protocol, IPSec benefits and limitations

Transport Mode
- Typically used in peer-to-peer communications, especially for internal networks
- The data packet is encrypted but the IP header is not.
- The IP payload and parts of the IP header are authenticated
- No modification of the original IP header.
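Added example, not code from the lecture: a Python model of the outbound and inbound decision paths described on the "How IPSec Works" slides, loaded with the two SPD rules and two SAD entries from the tables above. The Packet, SPDRule and SAEntry structures, the SA lookup keyed by SPI, the default-deny for packets matching no rule, and the "needs-sa" outcome are this example's assumptions; a real implementation also matches on further selectors and performs the actual authentication or decryption with the SA's keys, which the model only marks in comments.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    # (protocol, SPI) when the packet arrives wrapped in AH or ESP; None for cleartext
    ipsec: Optional[Tuple[str, int]] = None


@dataclass(frozen=True)
class SPDRule:
    rule_no: int
    src: str
    dst: str
    sport: Optional[int]      # None means "Any"
    dport: Optional[int]
    action: str               # "IPSec" (protect), "Accept" (bypass) or "Drop"
    protocol: Optional[str]   # "AH" or "ESP" when action is "IPSec"
    mode: Optional[str]       # "Tunnel" or "Transport" when action is "IPSec"
    sa_index: int             # outbound SA index = SPI of the SAD entry


@dataclass(frozen=True)
class SAEntry:
    spi: int
    src: str
    dst: str
    protocol: Optional[str]
    mode: Optional[str]
    spd_rule: int             # pointer back to the SPD rule that selected it


# The two SPD rules from the slide's table.
SPD: List[SPDRule] = [
    SPDRule(1, "192.168.1.1", "192.168.2.1", None, 80, "IPSec", "AH", "Tunnel", 400),
    SPDRule(2, "192.168.1.23", "192.168.2.5", None, 22, "Accept", None, None, 8500),
]

# The two SAD entries from the slide's table, keyed by SPI.
SAD: Dict[int, SAEntry] = {
    400: SAEntry(400, "192.168.1.1", "192.168.2.1", "AH", "Tunnel", 1),
    8500: SAEntry(8500, "192.168.1.23", "192.168.2.5", None, None, 2),
}


def spd_lookup(pkt: Packet) -> Optional[SPDRule]:
    """First SPD rule whose selectors match the packet; None when no rule matches."""
    for rule in SPD:
        if (rule.src == pkt.src and rule.dst == pkt.dst
                and rule.sport in (None, pkt.sport)
                and rule.dport in (None, pkt.dport)):
            return rule
    return None


def outbound(pkt: Packet) -> Tuple[str, Optional[SAEntry]]:
    """Outbound decision: bypass, discard, or protect with the SA the rule points to.
    A packet matching no rule is discarded (default-deny is an assumption of this
    example; the slides do not state a default)."""
    rule = spd_lookup(pkt)
    if rule is None or rule.action == "Drop":
        return ("discard", None)
    if rule.action == "Accept":
        return ("bypass", None)
    sa = SAD.get(rule.sa_index)
    if sa is None:
        # Policy demands protection but no SA exists yet: key management
        # (ISAKMP/Oakley) would have to negotiate one before the packet can go.
        return ("needs-sa", None)
    return ("protect", sa)


def inbound(pkt: Packet) -> str:
    """Inbound decision following the three steps on the slide: find the SA by
    (SPI, destination, protocol), strip the IPSec header, then check the SPD."""
    rule = spd_lookup(pkt)
    if pkt.ipsec is None:
        # Cleartext packet: allowed only if policy says bypass. A cleartext packet
        # whose policy requires IPSec is dropped, so a peer cannot downgrade a
        # protected flow simply by omitting AH/ESP.
        return "accept" if rule is not None and rule.action == "Accept" else "discard"
    proto, spi = pkt.ipsec
    sa = SAD.get(spi)
    if sa is None or sa.dst != pkt.dst or sa.protocol != proto:
        return "discard"          # unknown SA: nothing to verify/decrypt with, so drop
    # (Authentication/decryption with the SA's keys would happen here.)
    if rule is None or rule.action != "IPSec":
        return "discard"          # decapsulated packet does not match a protect rule
    if rule.protocol != sa.protocol or rule.mode != sa.mode:
        return "discard"          # protected, but not the way policy requires
    return "accept"
```

The two checks worth noticing are the ones the slides imply but do not spell out: a cleartext packet for the 192.168.1.1 to 192.168.2.1:80 flow is discarded even though that flow is permitted, because rule 1 requires AH, and an AH packet whose SPI points to an SA with the wrong protocol or destination is discarded before the SPD is ever consulted.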
Transport Mode (cont.)
- Only authentication can be provided for the header

Transport AH
[Figure]

Transport ESP
[Figure]

Tunnel Mode
- Used for remote access and site-to-site security
- The entire packet (header and payload) is encrypted and treated as a payload
- Then a new header is added to establish a "tunnel" for the original IP datagram
- Generally used between firewalls or gateways -> hosts in the network do not need to implement IPSec
- ESP encrypts the entire inner IP datagram
- AH authenticates the entire inner datagram and parts of the outer IP header

Tunnel AH and ESP
[Figure]

Transport vs Tunnel ESP
- Transport ESP mode is used to encrypt and optionally authenticate IP data
  - Data is protected but the header is left in the clear
  - Traffic analysis is possible, but the mode is efficient
  - Good for ESP host-to-host traffic
- Tunnel ESP mode encrypts the entire IP packet
  - Adds a new header for the next hop
  - Good for VPNs, gateway-to-gateway security

Transport Mode and Tunnel Mode Functionality
[Figure: inner IP -> host, outer IP -> gateway]

Transport & Tunnel Modes
- Transport: end-to-end
- Tunnel: end-to-intermediate or intermediate-to-intermediate

Roadmap: Motivation, IPSec Architecture, How IPSec Works, IPSec Security Protocols, IPSec Modes, Combining Security Associations, IPSec Key Exchange and Management Protocol, IPSec benefits and limitations

Security Association Bundles
- SAs can implement either AH or ESP
- To implement both, we need to combine SAs to form a security association (SA) bundle
- May terminate at different or the same endpoints
- Combined by:
  - Transport adjacency
  - Iterated tunneling
- Issue of authentication and encryption order: authentication before encryption, or encryption before authentication?

Transport Adjacency
- Applying more than one security protocol to the same IP packet.
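Added example, not code from the lecture: a Python illustration of what the AH slides above describe, namely an ICV computed with HMAC-SHA-1-96 over the packet with mutable fields (TTL, checksum) zeroed, and a sequence-number window that rejects replays. The IPHeader layout, the text serialization, the key, addresses and payload are constructed for this example and are not the real IPv4/AH wire format; the window size of 64 and the behaviour of `receive` are this example's choices.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: str
    ttl: int        # mutable: decremented by every router on the path
    checksum: int   # mutable: recomputed whenever the TTL changes


def authenticated_bytes(hdr: IPHeader, spi: int, seq: int, payload: bytes) -> bytes:
    """Serialize what the AH ICV covers: the header with mutable fields zeroed,
    the AH fields themselves (SPI, sequence number) and the upper-layer payload.
    Constructed text layout, not the real wire format."""
    fixed = replace(hdr, ttl=0, checksum=0)
    head = f"{fixed.src}|{fixed.dst}|{fixed.proto}|{fixed.ttl}|{fixed.checksum}|{spi}|{seq}|"
    return head.encode() + payload


def compute_icv(key: bytes, hdr: IPHeader, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA-1-96: the HMAC-SHA-1 output truncated to its first 96 bits (12 bytes)."""
    mac = hmac.new(key, authenticated_bytes(hdr, spi, seq, payload), hashlib.sha1).digest()
    return mac[:12]


class ReplayWindow:
    """Sliding anti-replay window over AH sequence numbers (64 entries here)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0       # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (last - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.last:                   # new high-water mark: slide the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                      # too old to track: treated as a replay
        if (self.bitmap >> diff) & 1:
            return False                      # already seen: replay
        self.bitmap |= 1 << diff              # late but fresh: accept and mark
        return True


def receive(key: bytes, hdr: IPHeader, spi: int, seq: int, payload: bytes,
            icv: bytes, window: ReplayWindow) -> str:
    """Receiver-side AH check: verify the ICV first, then the sequence number."""
    expected = compute_icv(key, hdr, spi, seq, payload)
    if not hmac.compare_digest(expected, icv):
        return "bad-icv"
    if not window.check_and_update(seq):
        return "replay"
    return "accepted"


KEY = b"constructed-shared-key"   # in practice taken from the SA (manual or negotiated)


def scenario() -> list:
    """Send one packet, let routers decrement the TTL, then replay and tamper with it."""
    window = ReplayWindow()
    sent = IPHeader("192.168.1.1", "192.168.2.1", "TCP", ttl=64, checksum=0x1234)
    payload = b"GET / HTTP/1.0\r\n\r\n"
    icv1 = compute_icv(KEY, sent, 400, 1, payload)
    arrived = replace(sent, ttl=61, checksum=0x1237)     # three hops later
    icv2 = compute_icv(KEY, sent, 400, 2, payload)
    return [
        receive(KEY, arrived, 400, 1, payload, icv1, window),                 # TTL changed: still valid
        receive(KEY, arrived, 400, 1, payload, icv1, window),                 # same packet again
        receive(KEY, arrived, 400, 2, payload, icv1, window),                 # old ICV, new sequence no.
        receive(KEY, arrived, 400, 2, b"GET /x HTTP/1.0\r\n\r\n", icv2, window),  # payload tampered
        receive(KEY, replace(arrived, dst="192.168.2.9"), 400, 2, payload, icv2, window),  # dst changed
        receive(KEY, arrived, 400, 2, payload, icv2, window),                 # genuine next packet
    ]
```

Zeroing the mutable fields is what lets the ICV survive the TTL decrement at each hop, while the immutable source and destination addresses, the SPI and the sequence number stay under the MAC, which is how AH resists the address-spoofing and replay problems listed on the Motivations slide.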
Transport Adjacency (cont.)
- Combining AH and ESP -> performed at only one IPSec instance
- Uses two bundled transport SAs:
  - Inner SA: ESP without the authentication option; the payload is encrypted
  - Outer SA: AH; authentication covers the header + ESP
- However, needs two SAs compared to one SA

Iterated Tunneling
- Allows multiple levels of nesting
- Each tunnel can originate or terminate at a different IPSec site along the path

Iterated Tunneling (cont.)
[Figure]

Combining Security Associations
- End-to-end IPSec connection
- Added confidentiality between gateways from Case 2
- Simple VPN
- Remote access to a host through a firewall
[Figure]

Roadmap: Motivation, IPSec Architecture, How IPSec Works, IPSec Security Protocols, IPSec Modes, Combining Security Associations, IPSec Key Exchange and Management Protocol, IPSec benefits and limitations

Key Management
- Handles key generation and distribution
- Typically needs 2 pairs of shared keys: 2 per direction, for AH and ESP
- Manual key management: the system admin manually configures every system
- Automated key management: an automated system for on-demand creation of keys for SAs in large distributed systems; has Oakley and ISAKMP elements

Oakley
- A key exchange protocol
- Based on Diffie-Hellman key exchange
- Adds features to address weaknesses: cookies, groups (global parameters), nonces, DH key exchange with authentication
- Can use arithmetic in prime fields or elliptic curve fields

ISAKMP
- Internet Security Association and Key Management Protocol
- Provides a framework for key management
- Defines procedures and packet formats to establish, negotiate, modify, and delete SAs
- Independent of key exchange protocol, encryption algorithm, and authentication method
- The initial version of ISAKMP deploys Oakley as its key exchange protocol
- Alternatively, the Oakley protocol operates on top of the ISAKMP protocol
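Added example, not code from the lecture or from any IPSec implementation: a Python sketch of the four ingredients the Oakley slide lists on top of plain Diffie-Hellman, namely cookies, a fixed group, nonces, and authentication of the exchange (here with a pre-shared key). The group parameters are a constructed toy safe prime so the arithmetic is readable, not an Oakley group; the message layout, cookie construction, transcript, authentication tag and session-key derivation are simplified assumptions of this example and not the ISAKMP/IKE formats.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (NOT a real Oakley/IKE group): safe prime p = 2q + 1
# with q prime, and g = 4 generating the subgroup of prime order q.
P, Q, G = 1019, 509, 4


def make_cookie(local_secret: bytes, src: str, dst: str) -> bytes:
    """Oakley-style anti-clogging cookie: cheap to compute, tied to the address
    pair and a secret only this host knows, so a peer cannot make a responder
    do DH work under cookies it did not issue."""
    return hashlib.sha256(local_secret + b"|" + src.encode() + b"|" + dst.encode()).digest()[:8]


def validate_public(y: int) -> int:
    """Reject degenerate or out-of-group public values (1, p-1, or anything
    outside the order-q subgroup) before using them in an exponentiation."""
    if not 1 < y < P - 1 or pow(y, Q, P) != 1:
        raise ValueError("public value is not a valid group element")
    return y


class Party:
    def __init__(self, addr: str, peer: str, psk: bytes, cookie_secret: bytes):
        self.addr, self.peer, self.psk = addr, peer, psk
        self.cookie = make_cookie(cookie_secret, addr, peer)
        self.nonce = secrets.token_bytes(16)          # freshness: ties keys to this run
        self.priv = secrets.randbelow(Q - 1) + 1      # x in [1, q-1]
        self.pub = pow(G, self.priv, P)               # g^x mod p

    def shared(self, peer_pub: int) -> int:
        return pow(validate_public(peer_pub), self.priv, P)


def transcript(init: Party, resp: Party) -> bytes:
    """Everything exchanged in the clear, bound into the authentication step."""
    return (init.cookie + resp.cookie + init.nonce + resp.nonce
            + init.pub.to_bytes(2, "big") + resp.pub.to_bytes(2, "big"))


def auth_tag(psk: bytes, shared: int, trans: bytes, role: bytes) -> bytes:
    """Pre-shared-key authentication of the DH exchange (simplified; the real
    ISAKMP/IKE derivation chain is longer)."""
    return hmac.new(psk, role + shared.to_bytes(2, "big") + trans, hashlib.sha256).digest()


def session_key(shared: int, init: Party, resp: Party) -> bytes:
    return hmac.new(shared.to_bytes(2, "big"), init.nonce + resp.nonce, hashlib.sha256).digest()


def run_exchange(init: Party, resp: Party):
    """Returns (initiator key, responder key, initiator accepted responder,
    responder accepted initiator)."""
    # Round 1: cookies, nonces and DH public values travel in the clear.
    trans = transcript(init, resp)
    k_i = init.shared(resp.pub)
    k_r = resp.shared(init.pub)
    # Round 2: each side sends an HMAC over the transcript under the PSK; the
    # other side recomputes it with its own PSK and compares in constant time.
    tag_i = auth_tag(init.psk, k_i, trans, b"I")
    tag_r = auth_tag(resp.psk, k_r, trans, b"R")
    resp_ok = hmac.compare_digest(tag_i, auth_tag(resp.psk, k_r, trans, b"I"))
    init_ok = hmac.compare_digest(tag_r, auth_tag(init.psk, k_i, trans, b"R"))
    return session_key(k_i, init, resp), session_key(k_r, init, resp), init_ok, resp_ok
```

The mismatched-PSK case is the one to look at: both sides still compute the same Diffie-Hellman value, which is exactly the weakness of unauthenticated DH that the slide's "DH key exchange with authentication" addresses; only the tag check tells each side whether the peer it agreed a key with is the one holding the shared secret.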
ISAKMP
[Figure]

IPSec vs Firewalls
- Allow traffic on UDP port 500 (ISAKMP) to and from the IPSec device
- If using IPSec in ESP mode, allow IP protocol 50 (ipv6-crypt) to and from the IPSec device
- If using IPSec in AH mode, allow IP protocol 51 (ipv6-auth) to and from the IPSec device

Testing IPSec
- Using traceroute
  - Host-to-host: traceroute should display only one hop: the other end of the VPN
  - Network-to-network: traceroute should show only the gateways and the host in the internal network.
- Using Telnet: sniffing a telnet connection should not be able to read the username and password

Roadmap: Motivation, IPSec Architecture, How IPSec Works, IPSec Security Protocols, IPSec Modes, Combining Security Associations, IPSec Key Exchange and Management Protocol, IPSec benefits and limitations

Benefits of IPSec
- Enables businesses to rely heavily on the Internet and reduce their need for private networks, saving costs and network management
- Provides secure network access over the Internet: an end user whose system is equipped with IPSec can make a local call to an ISP and gain secure access to her/his company
- Provides secure communications between organisations by ensuring authentication and confidentiality
- IPSec can be used to create secure tunnels through untrusted networks (especially the Internet); sites connected by these tunnels form Virtual Private Networks (VPNs)

Benefits of IPSec (cont.)
- Packet authentication makes various attacks harder: address masquerading, address spoofing
- IPSec tunnels can be very useful for secure remote administration
- In a non-end-to-end service, IPSec can ensure that messages between a pair or a group of sites are encrypted

Some Limitations of IPSec
- IPSec cannot provide end-to-end security, as systems work at higher levels (e.g. if you need emails encrypted from the sender's desktop and decrypted at the receiver's site)
- Cannot choose which email is to be encrypted and which is not
- Specific applications have particular security requirements and IPSec does not provide all security services: IPSec cannot provide total security for credit card payment systems

Is IPSec Everything You Need?
- Cryptography alone is not enough
- IPSec alone is not enough, e.g. IPSec cannot provide digital signature services
- Many factors affect system security:
  - OS security
  - Data management
  - Key management
  - Correctness of implementation of algorithms
  - Proper system management
  - Human factors

Questions?