Chapter 31: Security in the Internet
K. Salah

Figure 31.5 Position of TLS

Transport Layer Security (TLS) was designed to provide security at the transport layer. TLS was derived from a security protocol called Secure Sockets Layer (SSL); TLS is a non-proprietary version of SSL. For transactions on the Internet, a browser needs to make sure that the server belongs to the actual vendor, that the contents of a message are not modified in transit, and that an impostor does not intercept sensitive information. TLS has two protocols: the handshake protocol and the data exchange (record) protocol. The handshake protocol is responsible for negotiating security, authenticating the server to the browser, and (optionally) defining other communication parameters. The data exchange (record) protocol uses the secret key to encrypt the data for secrecy and to encrypt the message digest for integrity.

Figure 31.6 Handshake protocol

1. The browser sends a hello message that includes the TLS version and some preferences.
2. The server sends a certificate message that includes the public key of the server. The public key is certified by some certification authority, which means that the public key is encrypted by a CA private key. The browser has a list of CAs and their public keys; it uses the corresponding key to decrypt the certification and finds the server public key. This also authenticates the server, because the public key is certified by the CA.
3. The browser generates a secret key, encrypts it with the server public key, and sends it to the server.
4. The browser sends a message, encrypted with the secret key, to inform the server that handshaking is terminating from the browser side.
5. The server decrypts the secret key using its private key and decrypts the message using the secret key. It then sends a message, encrypted with the secret key, to inform the browser that handshaking is terminating from the server side.

Figure 31.9 Firewall

A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. A firewall can be used to deny access to a specific host or a specific service in the organization.

Figure 31.10 Packet-filter firewall (stateless)

A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination port addresses, and type of protocol (TCP or UDP). In the example rule table, '*' means any: incoming packets from network 131.34.0.0 are blocked, and incoming packets destined for any internal TELNET server (port 23) are blocked.

Stateful firewall: a firewall that keeps track of the state of a connection and filters packets accordingly. A connection usually has multiple phases, e.g. authentication, known ports, and then exchange of data using ephemeral ports.

Figure 31.11 Proxy firewall

A proxy firewall filters at the application layer, based on information available in the message itself. A proxy computer (sometimes called an application gateway) is installed between the customer (user client) computer and the corporation computer. When the user client process sends a message, the proxy firewall runs a server process to receive the request. The server opens the packet at the application level and finds out if the request is legitimate. If it is, the server acts as a client process and sends the message to the real server in the corporation. If it is not, the message is dropped and an error message is sent to the external user.

SOCKS proxy server: why SOCKS

When an application client needs to connect to an application server, the client connects to a SOCKS proxy server. The proxy server connects to the application server on behalf of the client and relays data between the client and the application server. For the application server, the proxy server is the client. SOCKS uses TCP/UDP port 1080. It offers transparent network access across multiple proxy servers, easy deployment of authentication and encryption methods, rapid deployment of new network applications, and simple network security policy management. Source: http://www.socks.permeo.com/AboutSOCKS/SOCKSOverview.asp

SOCKS control flow (figure)

Bypassing firewalls

Same concept as SOCKS, but place the server on the other end of the firewall. Examples: CGI servers, anonymous servers.

Figure 31.12 Private network

LANs at different sites can be connected to each other using routers and leased lines. An internet can be made up of private LANs and private WANs. If an internet is private to an organization, it can use any IP address without consulting the Internet authorities.

Figure 31.13 Hybrid network

Privacy within the organization, but still connected to the global Internet. Intra-organization data are routed through the private internet; inter-organization data are routed through the global Internet.

Figure 31.14 Virtual private network

Private and hybrid networks are costlier. The best solution is to use the global Internet for both private and public communications. A VPN creates a network that is private but virtual. It is private because it guarantees privacy inside the organization. It is virtual because it does not use real private WANs; the network is physically public but virtually private. A VPN uses IPSec in tunnel mode to provide authentication, integrity and privacy.

Figure 31.15 Addressing in a VPN

Each IP datagram destined for private use in the organization is encapsulated in another datagram. To use IPSec in tunnel mode, the VPNs need to use two sets of addressing. The public network (Internet) is responsible for carrying the packet from R1 to R2. Outsiders cannot decipher the contents of the packet or the source and destination addresses. Deciphering takes place at R2, which finds the destination address of the packet and delivers it.
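The handshake of Figure 31.6 carried out step by step, as an added Python example that is not code from the slides. It assumes a toy textbook RSA built from tiny constructed primes for the public-key steps and a SHA-256 keystream XOR as a stand-in for the record-layer cipher; neither is secure, they only make the message flow runnable.

```python
import hashlib
import secrets

def rsa_keypair(p, q, e=17):
    """Toy textbook RSA from two tiny constructed primes. Key = (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # (public key, private key)

def rsa_apply(key, m):
    """One RSA exponentiation: encrypt under a public key, or 'encrypt' under a private key."""
    return pow(m, key[0], key[1])

def stream_xor(secret, data):
    """Stand-in for the record-layer cipher: XOR with a SHA-256 keystream (same call decrypts)."""
    ks = hashlib.sha256(secret.to_bytes(4, "big")).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

def _key_digest(pub, modulus):
    return int.from_bytes(hashlib.sha256(repr(pub).encode()).digest(), "big") % modulus

def certify(ca_priv, server_pub):
    """The CA 'encrypts' a digest of the server public key with its private key (slide wording)."""
    return rsa_apply(ca_priv, _key_digest(server_pub, ca_priv[1]))

def verify_cert(ca_pub, server_pub, cert):
    """Browser step: decrypt the certification with the CA public key from its trusted list."""
    return rsa_apply(ca_pub, cert) == _key_digest(server_pub, ca_pub[1])

def handshake(ca_pub, server_pub, server_priv, cert):
    """Runs the exchange of Figure 31.6; returns (keys agree, browser finished ok, server finished ok)."""
    # 1. Browser hello (version and preferences) goes across in the clear; nothing to compute here.
    # 2. Server sends its certificate; the browser checks it against the CA public key.
    if not verify_cert(ca_pub, server_pub, cert):
        raise ValueError("server certificate does not verify under a trusted CA key")
    # 3. Browser picks a secret key and encrypts it with the server public key.
    secret = secrets.randbelow(server_pub[1] - 2) + 2
    enc_secret = rsa_apply(server_pub, secret)
    # 4. Browser's finished message, encrypted with the secret key.
    browser_fin = stream_xor(secret, b"finished:browser")
    # 5. Server recovers the secret with its private key and decrypts the browser's message...
    server_secret = rsa_apply(server_priv, enc_secret)
    browser_ok = stream_xor(server_secret, browser_fin) == b"finished:browser"
    # ...then sends its own finished message, which the browser decrypts with the same secret.
    server_fin = stream_xor(server_secret, b"finished:server")
    server_ok = stream_xor(secret, server_fin) == b"finished:server"
    return secret == server_secret, browser_ok, server_ok
```

A certificate issued for one public key does not verify for a modified key, which is the check that stops an impostor from presenting its own key under the vendor's name.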
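The rule table of Figure 31.10 and the stateful firewall described on the same slide, as an added Python example rather than code from the slides; the rule table beyond the two rules the slide names, the addresses and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    direction: str  # "in" (arriving from the Internet) or "out" (leaving the internal network)

# Constructed rule table modelled on Figure 31.10 ("*" means any); first matching rule wins.
RULES = [  # (direction, source network, destination host, protocol, destination port, action)
    ("in", "131.34.0.0/16", "*", "*", "*", "deny"),  # incoming packets from network 131.34.0.0 are blocked
    ("in", "*", "*", "tcp", 23, "deny"),             # incoming packets for any internal TELNET server are blocked
    ("in", "*", "*", "tcp", 80, "allow"),            # constructed: inbound web traffic is allowed
    ("out", "*", "*", "*", "*", "allow"),            # constructed: internal hosts may initiate anything
]

def _match(rule_value, actual):
    if rule_value == "*":
        return True
    if isinstance(rule_value, str) and "/" in rule_value:  # a network such as 131.34.0.0/16
        return ipaddress.ip_address(actual) in ipaddress.ip_network(rule_value)
    return rule_value == actual

def stateless_filter(pkt, rules=RULES):
    """Stateless filter: decides from this packet's headers alone; default deny."""
    for direction, src, dst, proto, dport, action in rules:
        fields = ((direction, pkt.direction), (src, pkt.src), (dst, pkt.dst),
                  (proto, pkt.proto), (dport, pkt.dport))
        if all(_match(r, a) for r, a in fields):
            return action
    return "deny"

class StatefulFilter:
    """Stateful filter: remembers connections opened from inside so that replies arriving on
    ephemeral ports, which no static rule lists, are admitted; everything else falls back to RULES."""
    def __init__(self):
        self.connections = set()
    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if pkt.direction == "in" and reverse in self.connections:
            return "allow"  # reply belonging to a connection the inside opened
        verdict = stateless_filter(pkt)
        if pkt.direction == "out" and verdict == "allow":
            self.connections.add(key)  # track it so the reply on the ephemeral port gets in
        return verdict
```

The difference between the two shows up on a DNS reply: the stateless table has no rule for UDP arriving at an ephemeral port and drops it, while the stateful filter admits it because it saw the outbound query.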
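The two sets of addresses of Figure 31.15 in working form, as an added Python example and not code from the slides. It assumes constructed public addresses for R1 and R2, a constructed shared tunnel key, and a SHA-256 keystream XOR standing in for the IPSec ESP encryption the slide refers to.

```python
import hashlib
import socket
import struct

R1_PUBLIC, R2_PUBLIC = "203.0.113.1", "198.51.100.1"  # constructed Internet addresses of the VPN routers
TUNNEL_KEY = b"constructed-shared-key"                 # constructed; stands in for the IPsec SA key
ESP = 50                                               # IP protocol number carried in the outer header

def checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt):
    """Returns (src, dst, proto, payload) from a packet built by build_ipv4."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[(ver_ihl & 0xF) * 4:total]

def keystream_xor(data):
    """Stand-in for ESP encryption: XOR with a SHA-256 keystream derived from the tunnel key."""
    ks = hashlib.sha256(TUNNEL_KEY).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

def r1_encapsulate(private_pkt):
    """R1: the whole private datagram, private addresses included, becomes the encrypted payload
    of a new datagram whose outer addresses are the public addresses of R1 and R2."""
    return build_ipv4(R1_PUBLIC, R2_PUBLIC, ESP, keystream_xor(private_pkt))

def r2_decapsulate(outer_pkt):
    """R2: check the outer header, decrypt, and read the private destination to deliver to."""
    src, dst, proto, payload = parse_ipv4(outer_pkt)
    if (src, dst, proto) != (R1_PUBLIC, R2_PUBLIC, ESP):
        raise ValueError("not a tunnel packet from R1")
    return parse_ipv4(keystream_xor(payload))

def outsider_view(outer_pkt):
    """What the public Internet sees: only the router addresses, never the private ones."""
    src, dst, _, _ = parse_ipv4(outer_pkt)
    return src, dst
```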