Download Presentation6 - University Of Worcester

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
Document related concepts

Next-Generation Secure Computing Base wikipedia , lookup

Proxy server wikipedia , lookup

Information privacy law wikipedia , lookup

Mobile security wikipedia , lookup

Unix security wikipedia , lookup

Data remanence wikipedia , lookup

Security-focused operating system wikipedia , lookup

Computer security wikipedia , lookup

Wireless security wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Distributed firewall wikipedia , lookup

Deep packet inspection wikipedia , lookup

Secure multi-party computation wikipedia , lookup

3-D Secure wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
COMP3371
Cyber Security
Richard Henson
University of Worcester
November 2015
Week 6: Securing LAN–LAN
data using Firewalls, VPNs,
etc.

Objectives:
 Relate Internet security to the TCP/IP protocol
stack
 Explain principles of firewalling
 Explain what a Proxy Service is, and why it can be
a more flexible solution than a firewall
 Explain Internet security solutions that use the
principles of a VPN
Security and the OSI layers


Simplified TCP/IP
Leaves out level 1 (physical) level 2 (data
link), and combines levels 5/6/7)
TELNET
FTP
SMTP
NFS
DNS
UDP
TCP
IP (network)
SNMP
TCP/IP and the Seven Layers
screen

 upper layers interface with TCP to
produce the screen display
TCP
 lower layers required to interface with
IP to create/convert electrical signals
IP

hardware
TCP (Transport Control Protocol)
and IP (Internet Protocol) only
make up part (layers 3 & 4) of the
seven layers
Each layer interface represents a
potential security problem (!)
Intranet

Misunderstood term
 achieved by organisations using http to share
data internally in a www-compatible format
 Many still call a protected file structure on its
own an Intranet… (technically incorrect!)
uses secure user authentication
uses secure data transmission system

Implemented as EITHER:
 single LAN (domain) with a web server
 several interconnected LANs (trusted domains)
» cover a larger geographic area
Extranet

An extension of the Intranet to cover selected trusted
“links”
 e.g. for an organisation the “trusted” links might be to
customers and business partners
 uses the public Internet as its transmission system
 requires authentication to gain access

Can provide TCP/IP access to:




paid research
current inventories
internal databases
OR virtually any information that is private and not published
for everyone
Issues in creating an Extranet

Public networks…
 Security handled through appropriate use of secure
authentication & transmission technologies…

If using the Internet…
 client-server web applications across different sites
 BUT security issues need resolving

Private leased lines between sites do not
need to use http, etc.
 more secure, but expensive (BALANCE)
Securing Authentication
through Extranets

Kerberos and trusted domains…
Windows networks…

BUT…
several TCP ports used for authentication
when establishing a session…

Solution:
firewall configured to allow relevant ports
to be opened only for “trusted” hosts
Securing Sharing of Data
through Extranets

Extranet client uses the web server &
browser for user interaction
 standard http protocol to display html data

Raw HTML data will pass through the firewall
(port 80) to the Internet
 could be “sensitive data” for the organisation…

Under IETF guidance, Netscape ~ SSL with
secure version of http…
 standardised as http-s (secure http) on port 443
The Internet generally uses IP
- HOW can data be secured?
2015: more than a billion hosts!
Securing the Extranet

Problem:
 IP protocol sends packets off in different directions according to:
» destination IP address
» routing data
 packets can be intercepted/redirected

One solution:
» secure level 7 application layer www protocols developed


https: ensure that pages are only available to authenticated users
ssh : secure download of files
» secure level 4 transport (TLS) protocol to restrict use of IP navigation to
only include secure sites

What about penetration through other protocols, working
at different OSI layers?
Other Secure level 7 protocols

Telnet and FTP:
can use authentication
BUT DO NOT use encrypted text…

SSH (Secure Shell)
 SSH-1 1995, University of Helsinki, secure file transfer
» uses TCP port 22
» runs on a variety of platforms
 Enhanced version SSH-2
» using the PKI
» including digital certificates
» RFC 4252 – recent, 2006
Unsecured LAN-Internet
Connection: Router Only
INTERNET/EXTERNAL NETWORK
ROUTER – no packet filtering
Internal
Network
...
An Unsecured LAN-Internet
Connection via Router
Layer 3
Layer 2
Layer 3
Data
through
unchanged
Layer 1
Layer 2
Layer 1
router
Lower OSI layers security
(Stage 1)

Simple Firewall…
use packet filtering
IP address-based
» Fooled by “IP spoofing”
Creating a “Secure Site”?

To put it bluntly…
 secure site is a LAN that provides formidable
obstacles to potential hackers
 keeps a physical barrier between local server and
the internet

Physical barrier linked through an
intermediate computer called a Firewall or
Proxy Server
 may place unnecessary restrictions on access
 security could be provided at one of the seven
layers of the TCP/IP stack
Unsecured LAN-Internet
Connection: Firewall
INTERNET/EXTERNAL NETWORK
FIREWALL – packet filtering
Internal
Network
...
An Unsecured LAN-Internet
Connection via Firewall

IP filtering will slow down packet flow…

Also…
 request by a LAN client for Internet data across a router
reveals the client IP address
» generally a desired effect….


“local” IP address must be recorded on the remote server
picks up required data & returns it via the router and server to the local IP address
» problem – could be intercepted, and future data to that IP
address may not be so harmless…
An Unsecured LAN-Internet
Connection via Router

Another problem: wrath of IANA
 IP address awarding & controlling body
 big penalties if ANY internal LAN IP address
conflicts with an existing Internet IP address they
allocated…

Safeguard:
 use DHCP (dynamic host configuration protocol)
 allocate client IP from within a fixed range
allocated to that domain by IANA
A LAN-Internet connection
via Gateway
INTERNET/EXTERNAL NETWORK
e.g. TCP/IP
GATEWAY – packet conversion
local protocol
Internal
Network
...
A LAN-Internet connection
via Gateway

At a gateway, processing can be at higher
OSI levels:
 >= level 4

Local packets converted into other formats…
 remote network does not have direct access to the
local machine
 IP packets only recreated at the desktop
 local client IP addresses therefore do not need to
comply with IANA allocations
A LAN-Internet connection
via Proxy Server
INTERNET/EXTERNAL NETWORK
e.g. TCP/IP
Proxy Server – local IP addresses
local protocol
Internal
Network
...
The Proxy Server

Acts like a Gateway in some respects:
provides physical block between external
and internal networks

But can still use the same protocol (e.g.
TCP/IP), and can cache web pages for
improved performance
Firewall Configuration

Blocks data via TCP port (logical)
used by each application protocol connects
to TCP
all ports blocked… no data gets through

Configuration
includes which ports to block as well as
which IP addresses to block…
Includes auditing of packets
VPNs: OSI levels 1-3: restricted
use of the Physical Internet
VPN shown in green
VPNs
(Virtual Private Networks)

Two pronged defence:
 physically keeping the data away from unsecured
servers…
» several protocols available for sending packets along a
pre-defined route
 data encapsulated and encrypted so it appears to
travel as if on a point-point link but is still secure
even if intercepted

Whichever protocol is used, the result is a
secure system with pre-determined pathways
for all packets
Principles of VPN protocols

The tunnel - where the private data is
encapsulated

The VPN connection - where the private
data is encrypted
Principles of VPN protocols

To emulate a point-to-point link:
 data encapsulated, or wrapped, with a header
» provides routing information
» allows packets to traverse the shared public network to its
endpoint

To emulate a private link:
 data encrypted for confidentiality

Any packets intercepted on the shared
public network are indecipherable without
the encryption keys…
Potential weakness of the VPN


Once the data is encrypted and in the tunnel it is very secure
BUT
 to be secure, it MUST be encrypted and tunnelled throughout its
whole journey
 if any part of that journey is outside the tunnel…
» e.g. network path to an outsourced VPN provider
» obvious scope for security breaches
Using a VPN as part of an
Extranet
Using a VPN for point-to-point
Using a VPN to connect a
remote computer to a Secured
Network
VPN-related protocols offering
even greater Internet security

Two possibilities are available for
creating a secure VPN:
Layer 3:
» IPsec – fixed point routing protocol
Layer 2 “tunnelling” protocols
» encapsulate the data within other data before
converting it to binary data:


PPTP (Point-point tunnelling protocol)
L2TP (Layer 2 tunnelling protocol)
IPsec

First VPN system
 defined by IETF RFC 2401
 uses ESP (encapsulating security protocol) at the IP
packet level

IPsec provides security services at the IP layer
by:
 enabling a system to select required security protocols
(ESP possible with a number of encryption protocols)
 determining the algorithm(s) to use for the chosen
service(s)
 putting in place any cryptographic keys required to
provide the requested services
More about IPSec in practice

Depends on PKI for authentication
 both ends must be IPSec compliant, but not the
various network systems that may be between
them…

Can therefore be used to protect paths
between
 a pair of hosts
 a pair of security gateways
 a security gateway and a host

Can work with IPv4 and IPv6
Layer 2 Security: L2TP

Microsoft hybrid of:
 their own PPTP
 CISCO’s L2F (layer 2 forwarding)

With L2TP, IPSec is optional:
 like PPTP:
» it can use PPP authentication and access controls (PAP
and CHAP!)
» It uses NCP to handle remote address assignment of
remote client
 as no IPSec, no overhead of reliance on PKI
Related documents
Mullvad Barnprogram
Mullvad Barnprogram
TCP/IP Configuration
TCP/IP Configuration
web server
web server
CLIENT SERVER ARCHITECTURE
CLIENT SERVER ARCHITECTURE
web page
web page
Proposed Differentiated Services on the Internet
Proposed Differentiated Services on the Internet
Basic Internet Terms
Basic Internet Terms
Firewall Configuration
Firewall Configuration
Drivers of Intranet & Extranet
Drivers of Intranet & Extranet
The University of Oklahoma Virtual Private Network
The University of Oklahoma Virtual Private Network
Internet Protocols - Keira High School
Internet Protocols - Keira High School
Local-area network
Local-area network
Computer network
Computer network
How the Internet Works
How the Internet Works