COMP3371 Cyber Security
Richard Henson, University of Worcester, November 2015

Week 6: Securing LAN–LAN data using Firewalls, VPNs, etc.

Objectives:
- Relate Internet security to the TCP/IP protocol stack
- Explain principles of firewalling
- Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
- Explain Internet security solutions that use the principles of a VPN

Security and the OSI layers
- Simplified TCP/IP model: leaves out level 1 (physical) and level 2 (data link), and combines levels 5/6/7 into a single application layer
- Application protocols (TELNET, FTP, SMTP, NFS, DNS, SNMP) run over TCP or UDP, which run over IP (network)

TCP/IP and the Seven Layers
- Upper layers (session, presentation, application) interface with TCP to produce what appears on the screen
- Lower layers (data link, physical) interface with IP to create/convert the electrical signals on the hardware
- TCP (Transmission Control Protocol) and IP (Internet Protocol) only make up part (layers 4 and 3) of the seven layers
- Each layer interface represents a potential security problem (!)

Intranet
- Misunderstood term: achieved by organisations using http to share data internally in a www-compatible format
- Many still call a protected file structure on its own an Intranet (technically incorrect!)
- Uses secure user authentication and a secure data transmission system
- Implemented as EITHER:
  » a single LAN (domain) with a web server
  » several interconnected LANs (trusted domains), covering a larger geographic area

Extranet
- An extension of the Intranet to cover selected trusted "links"; for an organisation the "trusted" links might be to customers and business partners
- Uses the public Internet as its transmission system
- Requires authentication to gain access
- Can provide TCP/IP access to: paid research, current inventories, internal databases, or virtually any information that is private and not published for everyone

Issues in creating an Extranet
- Public networks: security handled through appropriate use of secure authentication and transmission technologies
- If using the Internet: client-server web applications across different sites, BUT security issues need resolving
- Private leased lines between sites: do not need to use http etc.; more secure, but expensive (BALANCE)

Securing Authentication through Extranets
- Kerberos and trusted domains (Windows networks)
- BUT several TCP/UDP ports are used for authentication when establishing a session (Kerberos itself on port 88, plus the directory and RPC traffic that accompanies a domain logon)
- Solution: firewall configured to open the relevant ports only for "trusted" hosts

Securing Sharing of Data through Extranets
- Extranet client uses the web server and browser for user interaction: standard http protocol to display html data
- Raw HTML passes through the firewall (TCP port 80) onto the Internet in cleartext, and could be "sensitive data" for the organisation
- Netscape developed SSL to encrypt http sessions; http over SSL is https, on TCP port 443. The IETF later standardised SSL's successor as TLS (RFC 2246 onwards)
- The Internet generally uses IP, with more than a billion hosts in 2015: HOW can data be secured?

Securing the Extranet
- Problem: the IP protocol sends packets off in different directions according to destination IP address and routing data, so packets can be intercepted or redirected
- One solution: secure the level 7 application protocols
  » https: encrypts the http session and authenticates the server, so pages can be restricted to authenticated users without exposing credentials or content
  » ssh/sftp: secure remote login and file transfer
- Another: TLS, which sits between the application and the level 4 transport; clients can be configured to talk only to sites that present a valid certificate
- What about penetration through other protocols, working at different OSI layers?
Other secure level 7 protocols
- Telnet and FTP: can use authentication BUT DO NOT encrypt, so passwords and data cross the network in cleartext
- SSH (Secure Shell): SSH-1, 1995, Tatu Ylönen, Helsinki University of Technology; secure remote login and file transfer
  » uses TCP port 22
  » runs on a variety of platforms
- Enhanced version SSH-2
  » public-key authentication of hosts and users (certificates are an optional extension, not the norm)
  » standardised by the IETF as RFC 4251-4254, January 2006

Unsecured LAN-Internet Connection: Router Only
[Diagram: INTERNET/EXTERNAL NETWORK - ROUTER (no packet filtering) - Internal Network]
- The router forwards at layer 3; the data passes through unchanged, with layers 1 and 2 re-framed on each side

Lower OSI layers security (Stage 1)
- Simple firewall: packet filtering based on IP address
  » fooled by "IP spoofing": the source address of a packet is whatever the sender chose to write, so address-only rules need an ingress check that a packet arriving from the Internet does not claim an internal source address

Creating a "Secure Site"?
- To put it bluntly, a secure site is a LAN that provides formidable obstacles to potential hackers
- Keeps a physical barrier between the local server and the Internet
- The physical barrier is linked through an intermediate computer called a Firewall or Proxy Server
- May place unnecessary restrictions on access
- Security could be provided at any of the seven OSI layers (the TCP/IP stack itself has only four)

Unsecured LAN-Internet Connection: Firewall
[Diagram: INTERNET/EXTERNAL NETWORK - FIREWALL (packet filtering) - Internal Network]
- IP filtering will slow down packet flow
- Also, a request by a LAN client for Internet data across a router reveals the client IP address
  » generally a desired effect...
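The following is an added example, not part of the lecture slides, showing how the packet-filtering rules the deck describes (open the authentication ports only to trusted hosts, let https through, block raw http, default deny, audit every decision) are evaluated, and why address-based filtering needs an ingress anti-spoofing check. The Packet and Rule types, the address ranges and the sample traffic are all constructed for illustration and are not from any real firewall product.

```python
"""Packet-filter rule evaluation with an anti-spoofing check and an audit log.

Added example (not from the COMP3371 slides). The rule format, Packet record,
address ranges and sample packets are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = ip_network("192.168.10.0/24")   # assumed LAN range (RFC 1918)
PARTNER_NET = ip_network("203.0.113.0/24")     # assumed trusted extranet partner (TEST-NET-3)
ANYWHERE = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str    # "wan" or "lan": the interface the packet ARRIVED on
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: IPv4Network = ANYWHERE
    dst: IPv4Network = ANYWHERE
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Firewall:
    rules: List[Rule]
    audit: List[str] = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        """Return 'allow' or 'deny' for one packet and record the reason."""
        # Ingress anti-spoofing (RFC 2827 style): a packet arriving from the
        # Internet must not claim an internal source address. Address rules on
        # their own cannot catch this, because the source field is whatever
        # the sender wrote into it.
        if p.iface == "wan" and ip_address(p.src) in INTERNAL_NET:
            self.audit.append(f"DENY  spoofed internal source {p.src} on wan")
            return "deny"
        for r in self.rules:  # first matching rule wins
            if r.matches(p):
                self.audit.append(
                    f"{r.action.upper():5} {p.proto}/{p.dport} {p.src}->{p.dst} ({r.comment})")
                return r.action
        # Default deny: "all ports blocked, no data gets through"
        self.audit.append(f"DENY  default {p.proto}/{p.dport} {p.src}->{p.dst}")
        return "deny"


# Ruleset mirroring the slides: authentication ports only for trusted hosts,
# https from anywhere, raw http (cleartext HTML) explicitly blocked.
RULES = [
    Rule("allow", PARTNER_NET, INTERNAL_NET, "tcp", 88, "Kerberos from partner"),
    Rule("allow", PARTNER_NET, INTERNAL_NET, "udp", 88, "Kerberos from partner"),
    Rule("allow", PARTNER_NET, INTERNAL_NET, "tcp", 389, "LDAP from partner"),
    Rule("allow", ANYWHERE, INTERNAL_NET, "tcp", 443, "https to extranet web server"),
    Rule("deny", ANYWHERE, INTERNAL_NET, "tcp", 80, "raw http, cleartext HTML"),
]

# Constructed sample traffic, all arriving on the Internet-facing interface.
SAMPLE = [
    Packet("wan", "203.0.113.7", "192.168.10.5", "tcp", 88),    # partner Kerberos traffic
    Packet("wan", "198.51.100.9", "192.168.10.5", "tcp", 88),   # untrusted host, same port
    Packet("wan", "198.51.100.9", "192.168.10.8", "tcp", 443),  # anyone may use https
    Packet("wan", "198.51.100.9", "192.168.10.8", "tcp", 80),   # raw http explicitly denied
    Packet("wan", "192.168.10.5", "192.168.10.8", "tcp", 443),  # spoofed internal source
]


def run(packets=SAMPLE, rules=RULES):
    """Filter the packets and return (verdicts, audit log)."""
    fw = Firewall(rules)
    verdicts = [fw.filter(p) for p in packets]
    return verdicts, fw.audit


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

The same rule table also illustrates the later "Firewall Configuration" slide: a ruleset is a list of (port, address, action) decisions evaluated in order, with anything unmatched dropped and every decision written to the audit log.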
  » the "local" IP address must be recorded on the remote server, which picks up the required data and returns it via the router and server to the local IP address
  » problem: the reply could be intercepted, and future data sent to that IP address may not be so harmless...

An Unsecured LAN-Internet Connection via Router: another problem
- Public IP addresses are allocated by IANA and the regional registries; if an internal LAN re-uses a public address that has been allocated to someone else, traffic meant for the genuine holder of that address is misrouted internally and the conflict appears as soon as the two networks are connected
- Safeguard: give internal hosts addresses from the private ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), typically handed out by DHCP (Dynamic Host Configuration Protocol), and translate them at the edge

A LAN-Internet connection via Gateway
[Diagram: INTERNET/EXTERNAL NETWORK (e.g. TCP/IP) - GATEWAY (packet conversion) - Internal Network (local protocol)]
- At a gateway, processing can be at higher OSI levels (>= level 4)
- Local packets are converted into other formats, so the remote network does not have direct access to the local machine
- IP packets are only recreated at the desktop; local client IP addresses therefore do not need to be publicly routable

A LAN-Internet connection via Proxy Server
[Diagram: INTERNET/EXTERNAL NETWORK (e.g. TCP/IP) - Proxy Server (local IP addresses) - Internal Network (local protocol)]
- Acts like a gateway in some respects: provides a physical block between external and internal networks
- But can still use the same protocol (e.g. TCP/IP) on both sides, and can cache web pages for improved performance

Firewall Configuration
- Blocks data via the TCP port (logical) used by each application protocol that connects to TCP
- All ports blocked: no data gets through
- Configuration includes which ports to block as well as which IP addresses to block
- Includes auditing of packets

VPNs: OSI levels 1-3
[Diagram: restricted use of the physical Internet; VPN path shown in green]

VPNs (Virtual Private Networks)
- Two-pronged defence:
  » physically keeping the data away from unsecured servers: several protocols are available for sending packets along a pre-defined route
  » data encapsulated and encrypted so it appears to travel as if on a point-to-point link, but is still secure even if intercepted
- Whichever protocol is used, the result is a secure system with pre-determined pathways for all packets

Principles of VPN protocols
- The tunnel: where the private data is encapsulated
- The VPN connection: where the private data is encrypted
- To emulate a point-to-point link: data is encapsulated, or wrapped, with a header that provides routing information and allows packets to traverse the shared public network to the endpoint
- To emulate a private link: data is encrypted for confidentiality; any packets intercepted on the shared public network are indecipherable without the encryption keys

Potential weakness of the VPN
- Once the data is encrypted and in the tunnel it is very secure
- BUT to be secure, it MUST be encrypted and tunnelled throughout its whole journey
- If any part of that journey is outside the tunnel, e.g. the network path to an outsourced VPN provider, there is obvious scope for security breaches

Using a VPN as part of an Extranet
- Using a VPN for point-to-point (site-to-site) links
- Using a VPN to connect a remote computer to a secured network

VPN-related protocols offering even greater Internet security
- Two possibilities are available for creating a secure VPN:
  » Layer 3: IPsec, which secures the IP packets themselves (a security protocol, not a routing protocol)
  » Layer 2 "tunnelling" protocols, which encapsulate data-link (PPP) frames inside another protocol for transport across the Internet: PPTP (Point-to-Point Tunnelling Protocol) and L2TP (Layer 2 Tunnelling Protocol)

IPsec
- First VPN system defined by the IETF: RFC 2401 (1998), since replaced by RFC 4301
- Uses ESP (Encapsulating Security Payload) at the IP packet level; AH (Authentication Header) gives integrity without confidentiality
- IPsec provides security services at the IP layer by:
  » enabling a system to select the required security protocols (ESP can be used with a number of encryption algorithms)
  » determining the algorithm(s) to use for the chosen service(s)
  » putting in place any cryptographic keys required to provide the requested services (negotiated by IKE)

More about IPsec in practice
- Peer authentication during key exchange uses either pre-shared keys or certificates, so a PKI is common but not mandatory
- Both ends must be IPsec compliant, but not the various network systems that may sit between them
- Can therefore be used to protect paths between: a pair of hosts; a pair of security gateways; a security gateway and a host
- Works with IPv4 and IPv6

Layer 2 Security: L2TP
- Combines Microsoft's PPTP with Cisco's L2F (Layer 2 Forwarding); standardised by the IETF as RFC 2661
- L2TP itself only tunnels; IPsec is optional, and without it the tunnel carries PPP frames unencrypted
- Like PPTP:
  » it can use PPP authentication and access controls (PAP and CHAP!); PAP sends the password in cleartext, and the MS-CHAPv2 used by PPTP is known to be breakable
  » it uses the PPP Network Control Protocol for IP (IPCP) to handle remote address assignment for the remote client
- With no IPsec there is no overhead of reliance on a PKI, but also no confidentiality; in practice deploy L2TP over IPsec (L2TP/IPsec, RFC 3193)
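The gateway and proxy server slides above say that local client addresses need not be publicly allocated once an intermediate machine sits between the LAN and the Internet. The following added example (not from the lecture) shows the mechanism that makes that true on a TCP/IP gateway: source NAT, where the gateway rewrites the source of every outbound packet to its own public address, keeps a translation table to map replies back, and drops anything inbound that does not match an existing flow. The NatGateway class, the addresses and the sample packets are all constructed for illustration.

```python
"""Source NAT at a gateway: RFC 1918 addresses never appear on the Internet.

Added example (not from the COMP3371 slides). Addresses, the Packet record
and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Private ranges reserved by RFC 1918; these are never routed on the Internet.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY_PUBLIC = "198.51.100.1"  # assumed public address of the gateway (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 ranges."""
    return any(ip_address(addr) in n for n in PRIVATE_RANGES)


class NatGateway:
    def __init__(self, public_ip: str = GATEWAY_PUBLIC, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (remote ip, remote port, external port) -> (internal ip, internal port)
        self.table: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        # (internal ip, internal port, remote ip, remote port) -> external port,
        # so an existing flow keeps the same external port
        self._flows: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite a LAN->Internet packet; returns the packet as seen on the Internet."""
        if not is_private(p.src):
            return None  # only the LAN side is translated
        if is_private(p.dst):
            return None  # private destinations are never forwarded to the Internet
        key = (p.src, p.sport, p.dst, p.dport)
        ext_port = self._flows.get(key)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self._flows[key] = ext_port
            self.table[(p.dst, p.dport, ext_port)] = (p.src, p.sport)
        return Packet(self.public_ip, ext_port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map an Internet->gateway packet back to the LAN host, or drop it."""
        inner = self.table.get((p.src, p.sport, p.dport))
        if inner is None or p.dst != self.public_ip:
            return None  # no matching outbound flow: LAN hosts are unreachable from outside
        return Packet(p.src, p.sport, inner[0], inner[1])


def demo():
    """One web fetch from the LAN plus one unsolicited probe from outside."""
    gw = NatGateway()
    # Constructed: an internal client fetching a page from an extranet web server.
    out = gw.outbound(Packet("192.168.10.5", 51515, "203.0.113.20", 443))
    reply = gw.inbound(Packet("203.0.113.20", 443, gw.public_ip, out.sport))
    # Constructed: an outsider probing the gateway with no matching flow.
    probe = gw.inbound(Packet("203.0.113.99", 4444, gw.public_ip, 40000))
    return out, reply, probe


if __name__ == "__main__":
    out, reply, probe = demo()
    print("seen on the Internet:", out)
    print("delivered to the LAN:", reply)
    print("unsolicited inbound:", probe)
```

The table is what a packet-filtering firewall lacks: the gateway's own state decides which inbound packets are answers to something the LAN asked for, so an outsider cannot address an internal host directly even if it learns the private range.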
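The VPN and IPsec slides above describe two prongs: the private packet is wrapped in an outer header addressed gateway to gateway, and its contents are encrypted so an interceptor on the public network learns nothing without the keys. The following added example (not from the lecture, and not an IPsec implementation) models an ESP-style tunnel-mode security association to show both prongs plus the checks a receiver must make: integrity verification before anything else, and an anti-replay sequence window. Real IPsec uses AES-GCM with keys negotiated by IKE; since the Python standard library has no AES, this example substitutes an HMAC-SHA256 keystream (counter mode over a PRF) for encryption and a separate HMAC-SHA256 tag for integrity. The SPI, keys, addresses and packets are all constructed for illustration.

```python
"""ESP-style tunnel-mode encapsulation with encrypt-then-MAC and anti-replay.

Added example (not from the COMP3371 slides). Not IPsec: AES-GCM is replaced
by an HMAC-SHA256 keystream plus an HMAC-SHA256 tag because the standard
library has no AES. SPI, keys, addresses and payloads are constructed.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, iv || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecurityAssociation:
    """One direction of a tunnel: SPI, shared keys, sequence numbers, replay window."""
    WINDOW = 64

    def __init__(self, spi: int, enc_key: bytes, mac_key: bytes, local_gw: str, remote_gw: str):
        self.spi, self.enc_key, self.mac_key = spi, enc_key, mac_key
        self.local_gw, self.remote_gw = local_gw, remote_gw
        self.send_seq = 0
        self.highest_seen = 0
        self.seen = set()

    def encapsulate(self, inner: Packet) -> Packet:
        """Wrap the private packet: header = SPI | seq | IV, then ciphertext, then tag."""
        self.send_seq += 1
        iv = os.urandom(16)
        plain = inner.src.encode() + b"|" + inner.dst.encode() + b"|" + inner.payload
        body = _xor(plain, _keystream(self.enc_key, iv, len(plain)))
        header = struct.pack(">II", self.spi, self.send_seq) + iv
        tag = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:16]
        # Outer packet is addressed gateway to gateway; the inner addresses are ciphertext.
        return Packet(self.local_gw, self.remote_gw, header + body + tag)

    def decapsulate(self, outer: Packet) -> Packet:
        data = outer.payload
        header, body, tag = data[:24], data[24:-16], data[-16:]
        spi, seq = struct.unpack(">II", header[:8])
        iv = header[8:]
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # Integrity first: a forged or tampered packet never reaches the replay logic.
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        # Anti-replay: reject duplicates and anything older than the window.
        if seq in self.seen or seq + self.WINDOW <= self.highest_seen:
            raise ValueError("replayed packet")
        self.highest_seen = max(self.highest_seen, seq)
        self.seen = {s for s in self.seen if s + self.WINDOW > self.highest_seen} | {seq}
        plain = _xor(body, _keystream(self.enc_key, iv, len(body)))
        src, dst, payload = plain.split(b"|", 2)
        return Packet(src.decode(), dst.decode(), payload)


def demo():
    """Gateway A tunnels one packet to gateway B; then a tampered copy and a replay arrive."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed: would come from IKE
    tx = SecurityAssociation(0x1001, enc_key, mac_key, "198.51.100.1", "203.0.113.1")  # gateway A
    rx = SecurityAssociation(0x1001, enc_key, mac_key, "203.0.113.1", "198.51.100.1")  # gateway B
    inner = Packet("192.168.10.5", "10.20.0.7", b"GET /inventory HTTP/1.1\r\n\r\n")
    outer = tx.encapsulate(inner)
    results = {
        "outer_src": outer.src, "outer_dst": outer.dst,
        "inner_visible": b"192.168.10.5" in outer.payload or b"inventory" in outer.payload,
        "decapsulated": rx.decapsulate(outer),
    }
    tampered = bytearray(outer.payload)
    tampered[30] ^= 0x01  # flip one ciphertext bit in transit
    try:
        rx.decapsulate(Packet(outer.src, outer.dst, bytes(tampered)))
        results["tamper"] = "accepted"
    except ValueError as e:
        results["tamper"] = str(e)
    try:
        rx.decapsulate(outer)  # resend the genuine packet unchanged
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The order of checks is the security-relevant detail: the tag is verified over the header and ciphertext before decryption or any state change, so an attacker cannot use the receiver as a decryption oracle or poison the replay window with forged sequence numbers. The slide's caveat still applies: none of this protects the hop between a client and the gateway where the tunnel starts.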