Lecture 05: IP Security
Post on 02-Jan-2016
NETE0519-ITEC4614 2

Outline
- Motivation
- IPSec Architecture
- How IPSec Works
- IPSec Security Protocols
- IPSec Modes
- Combining Security Associations
- IPSec Key Exchange and Management Protocol
- IPSec benefits and limitations

Motivations
- Originally, authentication and confidentiality were not enforced at the IP level
  - Source/destination IP address spoofing
  - Inspection of IP payload
  - Replay

IP Spoofing Attack
[Figure: two panels, each showing an NFS server (a.b.c.100) reached through a router. Normal operation: x.y.z.200 is the authorized NFS client and x.y.x.201 is an unauthorized NFS client. Attack: x.y.z.200 is shut down for maintenance and x.y.x.201 -> x.y.x.200, masquerading as the authorised client.]

Ping Of Death Attack
- ICMP, an integral part of IP, is used to report network errors.
- PING (Packet InterNet Groper) uses ICMP echo request and reply packets to test host reachability.
- ICMP messages normally consist of the IP header and enclosed ICMP data, with a default size of 64 bytes.
- If the hacker sends an ICMP echo request that is greater than 65,536 bytes, this can crash or reboot the system.
- A newer attack method modifies the header to indicate that there is more data in the packet than there actually is.
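
An added example (not from the original slides) of the receiver-side checks that reject both variants described above: a fragment whose offset plus length would reassemble past the 65,535-byte IPv4 maximum, and a header that claims more data than actually arrived. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

IPV4_MAX = 65535  # largest datagram the 16-bit Total Length field can describe

def check_ipv4(pkt: bytes) -> list:
    """Return findings for one captured IPv4 packet (empty list = nothing suspicious)."""
    if len(pkt) < 20:
        return ["truncated: shorter than a minimal IPv4 header"]
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return ["malformed IPv4 header"]
    findings = []
    # Second variant on the slide: the header announces more bytes than were received.
    if total_len > len(pkt):
        findings.append("header claims more data than was received")
    # First variant: where this fragment's data would end in the reassembled datagram.
    frag_end = (flags_frag & 0x1FFF) * 8 + (total_len - ihl)
    if frag_end > IPV4_MAX - ihl:
        findings.append("reassembly would exceed 65535 bytes")
    return findings

def sample_packet(total_len, frag_units, data_len):
    """Constructed test packet: 20-byte header (protocol 1 = ICMP) plus filler data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, frag_units, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + b"\x00" * data_len

NORMAL = sample_packet(84, 0, 64)          # ordinary echo request with 64 bytes of ICMP
OVERSIZE = sample_packet(120, 8189, 100)   # last fragment placed at byte offset 65512
LYING = sample_packet(1500, 0, 8)          # length field far larger than the packet
```

A reassembly routine that applies the second check before copying fragment data never writes past its 65,535-byte buffer.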

Smurf Attack
- Hacker sends an ICMP echo request to the target network with a destination broadcast address and a spoofed source address of the target.
- The network serves as a "bounce site" and returns an echo reply packet for each station on the network.
- The network serves to multiply the effect of the "ping". The echo request packet could be sent to multiple networks.

Why look for security at IP level?
- Below the transport layer
  - Not specific to network applications: no need to change software at the application layer
- Transparent to users: no need to train users
- Enhances security when used with higher-level applications
- Enhances security of firewalls
- Easily identify authorised access to the network

What can be done at IP Layer?
- Authentication: allows the receiver to validate the identity of a sender, client/server machine or process.
- Integrity: provides assurance to the receiver that the transmitted data has not been changed.
- Confidentiality: preventing the unwanted disclosure of information during transit.

TCP/IP & Possible Security Enhancement
- Application: Kerberos, HTTPS, S/MIME, PGP…
- Transport (TCP, UDP): SSL, TLS
- Network (IP): IPSec
- Data Link
- Physical

IPSec
- A type of VPN (Virtual Private Network)
- Types of VPNs
  - VPN over SSH (Secure Shell) and PPP (Point-to-Point Protocol)
  - VPN over SSL/TLS (Secure Socket Layer/Transport Layer Security) and PPP
  - IPSec
  - PPTP (Point-to-Point Tunneling Protocol)
  - etc.

Applications of IPSec
- Secure branch office connectivity over the Internet
  - Saves cost: no need to have a leased line
- Secure remote access over the Internet
- Establishing extranet and intranet connectivity with partners
- Enhancing electronic commerce security
  - Extranet enables B2B e-commerce transactions among business partners

IP Security Architecture (cont.)
- Architecture: general concepts, requirements, definitions, and mechanisms defining IPSec technology
- Encapsulating Security Payload (ESP): generally provides encryption of the IP payload (data) and optionally provides authentication
- Authentication Header (AH): provides authentication to IP headers
- Encryption algorithm: describes the encryption algorithms used for ESP
- Authentication algorithm: describes the authentication algorithms for AH and ESP
- Key Management: involves determination and distribution of secret keys
- Domain of Interpretation (DOI): contains identifiers for approved encryption and authentication algorithms, key lifetime parameters, etc.

Security Associations
- A one-way relationship between sender & receiver that affords security for traffic flow
  - A party who wants to send and receive data needs 2 SAs
- Defined by 3 parameters:
  - Security Parameters Index (SPI)
  - IP Destination Address
  - Security Protocol Identifier (AH or ESP)
- Has a number of other parameters: seq no, AH & ESP info, lifetime etc.
- Have a database of Security Associations (SAD)
- Security services are afforded to an SA for the use of AH or ESP, but not both
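
SAD Example
- An incoming packet contains the SPI, destination IP and security protocol, which are used to refer to an entry in the SAD
- Can be configured for a specific application, e.g. HTTP traffic
[Figure: SAD example; the only surviving label is the address 192.168.1.1]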

Security Policy Database (SPD)
- Makes the higher-level decision on what to do with an IP packet
- SPD enforces protection policy, whereas SAD supplies the necessary parameters and makes it possible.

How IPSec Works
[Figure: packet path from Sender (SPD, then SAD) to Recipient (SAD, then SPD)]
- Sender, SPD: IPSec needed? If so, pass to SAD
- Sender, SAD: if so, check header to see how IPSec is implemented
- Recipient, SAD: check header to see if an IPSec packet is received; remove IPSec header
- Recipient, SPD: decide to allow or drop incoming packet

How IPSec Works (cont.)
Outbound traffic: send packet out to the network
- IPSec checks the Security Policy Database (SPD) to decide whether to
  - Let the packet go through without IPSec protection
  - Drop the packet
  - Protect the packet using IPSec

How IPSec Works (cont.)
Inbound traffic: incoming packet from the network
1. System determines the Security Association (SA) for the packet. An SA is composed of:
   - Security Parameters Index (SPI): serves as an index into the Security Association Database (SAD)
   - Destination IP Address
   - IPSec Data Manipulation Protocol (Authentication Header (AH) or Encapsulating Security Payload (ESP))
2. Determine the appropriate SA, then perform authentication/decryption to extract data from the IPSec data
3. Once the original header is extracted, look up the SPD rules to see whether it matches any rule.

Example: Outbound Traffic

SPD
Rule# | Src IP       | Dst IP      | Src Port | Dst Port | Action | IPSec Protocol | Mode   | Outbound SA Index
1     | 192.168.1.1  | 192.168.2.1 | Any      | 80       | IPSec  | AH             | Tunnel | 400
2     | 192.168.1.23 | 192.168.2.5 | Any      | 22       | Accept | -              | -      | 8500

SAD
SPI  | Src IP       | Dst IP      | Src Port | Dst Port | Parameter | Type     | Pointer to SPD
400  | 192.168.1.1  | 192.168.2.1 | Any      | 80       | .....     | Outbound | 1
8500 | 192.168.1.23 | 192.168.2.5 | Any      | 22       | -         | -        | 2
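
The outbound and inbound procedures above, run against the SPD and SAD rows of this example, as an added illustration that is not part of the original lecture. The function names, the default drop when no rule matches, and reusing the same two tables on the receiving side are assumptions.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "num src dst dport action proto mode sa_index")
SA = namedtuple("SA", "spi src dst dport proto mode spd_rule")

# SPD and SAD rows copied from the lecture's outbound example.
SPD = [
    Rule(1, "192.168.1.1", "192.168.2.1", 80, "IPSec", "AH", "Tunnel", 400),
    Rule(2, "192.168.1.23", "192.168.2.5", 22, "Accept", None, None, 8500),
]
SAD = {
    400: SA(400, "192.168.1.1", "192.168.2.1", 80, "AH", "Tunnel", 1),
    8500: SA(8500, "192.168.1.23", "192.168.2.5", 22, None, None, 2),
}

def match_rule(src, dst, dport):
    """First SPD rule whose selectors match (source port is 'Any' in both rows)."""
    for r in SPD:
        if (r.src, r.dst, r.dport) == (src, dst, dport):
            return r
    return None

def outbound(src, dst, dport):
    """Sender side: the SPD decides bypass/drop/protect, the SAD supplies parameters."""
    r = match_rule(src, dst, dport)
    if r is None:
        return ("drop", None)        # assumption: no matching rule means discard
    if r.action == "Accept":
        return ("bypass", None)      # leaves without IPSec protection
    sa = SAD.get(r.sa_index)
    if sa is None:
        return ("drop", None)        # a real stack would start key exchange here
    return ("protect", sa)

def inbound(spi, outer_dst, proto, inner_src, inner_dst, inner_dport):
    """Receiver side: find the SA by (SPI, destination, protocol), then check policy."""
    sa = SAD.get(spi)
    if sa is None or sa.dst != outer_dst or sa.proto != proto:
        return "drop"                # step 1 failed: no SA for this triple
    # Step 2 (authentication/decryption with the SA's keys) would run here.
    r = match_rule(inner_src, inner_dst, inner_dport)
    if r is None or r.num != sa.spd_rule or r.proto != proto:
        return "drop"                # step 3: recovered packet is outside the SA's policy
    return "accept"
```

The final check in `inbound` is what stops a peer holding a valid SA for one flow from using it to deliver traffic the policy never allowed on that SA.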

Authentication Header (AH)
- Provides support for data integrity & authentication of IP packets
  - End system/router can authenticate user/app
  - Prevents address spoofing attacks by tracking sequence numbers
- Based on use of a MAC
  - HMAC-MD5-96 or HMAC-SHA-1-96
- Parties must share a secret key

AH Frame
- Mutable fields: fields that can be changed during transmission, e.g. TTL
- Immutable fields: source address, header length, destination address, upper-layer protocol data, e.g. TCP or UDP segments
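
An added example (not from the original slides) of why the split into mutable and immutable fields matters: the AH integrity check value, here HMAC-SHA-1-96, is computed with the mutable IPv4 fields zeroed, so a TTL decrement in transit still verifies while a changed source address does not. The key, payload, helper names and the simplified option-free IPv4 header are constructed assumptions; SPI 400 is taken from the table earlier in the lecture.

```python
import hashlib
import hmac
import struct

def ipv4_header(src, dst, ttl, body_len):
    """Option-free 20-byte IPv4 header; protocol 51 = AH, checksum left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0,
                       ttl, 51, 0, bytes(src), bytes(dst))

def zero_mutable(hdr):
    """Zero what routers may rewrite: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_header(spi, seq, icv=b"\x00" * 12):
    """Next header (6 = TCP), length (6 words - 2), reserved, SPI, sequence, ICV."""
    return struct.pack("!BBHII", 6, 4, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, spi, seq, payload):
    """HMAC-SHA-1 over immutable header fields, AH with zeroed ICV, and payload."""
    data = zero_mutable(ip_hdr) + ah_header(spi, seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]   # truncate to 96 bits

def verify(key, ip_hdr, spi, seq, icv, payload):
    """Constant-time comparison of the received ICV with the recomputed one."""
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, spi, seq, payload))

# Constructed sample values, not real traffic.
KEY = b"constructed-demo-key"
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
BODY = 24 + len(PAYLOAD)                      # AH header + payload
SENT = ipv4_header([192, 168, 1, 1], [192, 168, 2, 1], 64, BODY)
ICV = compute_icv(KEY, SENT, 400, 1, PAYLOAD)
AFTER_ROUTERS = ipv4_header([192, 168, 1, 1], [192, 168, 2, 1], 57, BODY)
SPOOFED = ipv4_header([192, 168, 1, 23], [192, 168, 2, 1], 64, BODY)
```

`verify` succeeds for `AFTER_ROUTERS` and fails for `SPOOFED`, for a different sequence number, and for any altered payload.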

Encapsulating Security Payload (ESP)
- Provides message content confidentiality & limited traffic flow confidentiality
- Can optionally provide the same authentication services as AH
- Supports a range of ciphers, modes, padding
  - incl. DES, Triple-DES, RC5, IDEA, CAST etc.
  - CBC & other modes
  - padding needed to fill blocksize, fields, for traffic flow
- Current specs support CBC-DES encryption

Transport Mode
- Typically used in peer-to-peer communications, especially for internal networks
- Data packet is encrypted but the IP header is not.
- IP payload and parts of IP header are authenticated
- No modification of original IP header. Only authentication can be provided at header

Tunnel Mode
- Used for remote access and site-to-site security
- Entire packet (header & payload) is encrypted and treated as a payload
- Then a new header is added to establish a "tunnel" for the original IP datagram
- Generally used between firewalls or gateways -> hosts in the network do not need to implement IPSec
- ESP encrypts the entire inner IP datagram
- AH authenticates the entire inner datagram and parts of the outer IP header

Transport VS Tunnel ESP
- Transport ESP mode is used to encrypt & optionally authenticate IP data
  - Data is protected but header is left in clear
  - Traffic analysis is still possible, but the mode is efficient
  - Good for ESP host-to-host traffic
- Tunnel ESP mode encrypts the entire IP packet
  - Adds a new header for the next hop
  - Good for VPNs, gateway-to-gateway security

Transport Mode and Tunnel Mode Functionality
- Inner IP -> host
- Outer IP -> gateway

Transport & Tunnel Modes
- Transport: end-to-end
- Tunnel: end-to-intermediate or intermediate-to-intermediate

Security Association Bundles
- SAs can implement either AH or ESP
- To implement both, we need to combine SAs
  - Form a security association (SA) bundle
  - May terminate at different or same endpoints
  - Combined by
    - Transport adjacency
    - Iterated tunneling
- Issue of authentication & encryption order
  - Authentication before encryption or encryption before authentication?

Transport Adjacency
- Applying more than one security protocol to the same IP packet.
- Combining AH & ESP -> performed at only one IPSec instance

Transport Adjacency (cont.)
- Use two bundled transport SAs
  - Inner SA: ESP without authentication option; payload is encrypted
  - Outer SA: AH; authentication covers header + ESP
- However, this needs two SAs compared to one SA

Iterated Tunneling
- Allows multiple levels of nesting
- Each tunnel can originate or terminate at a different IPSec site along the path

Combining Security Associations
[Figure: four panels with the captions below]
- End-to-end IPSec connection
- Added confidentiality between gateways from Case 2
- Simple VPN
- Remote access to host through firewall

Key Management
- Handles key generation & distribution
- Typically need 2 pairs of shared keys
  - 2 per direction for AH & ESP
- Manual key management
  - System admin manually configures every system
- Automated key management
  - Automated system for on-demand creation of keys for SAs in large distributed systems
  - Has Oakley & ISAKMP elements

Oakley
- A key exchange protocol
- Based on Diffie-Hellman key exchange
- Adds features to address weaknesses
  - cookies, groups (global parameters), nonces, DH key exchange with authentication
- Can use arithmetic in prime fields or elliptic curve fields

ISAKMP
- Internet Security Association and Key Management Protocol
- Provides a framework for key management
- Defines procedures and packet formats to establish, negotiate, modify, and delete SAs
- Independent of key exchange protocol, encryption algorithm, & authentication method
- Initial version of ISAKMP deploys Oakley as its key exchange protocol
- Alternatively, Oakley protocol operates on top of ISAKMP protocol

IPSec vs Firewalls
- Allow traffic on UDP port 500 (ISAKMP) to and from the IPSec device
- If using IPSec in ESP mode, allow IP protocol 50 (ipv6-crypt) to and from the IPSec device
- If using IPSec in AH mode, allow IP protocol 51 (ipv6-auth) to and from the IPSec device

Testing IPSec
- Using traceroute
  - Host-to-host: traceroute should display only one hop: the other end of the VPN
  - Network-to-network: traceroute should show only gateways and the host in the internet network.
- Using Telnet
  - Someone sniffing the telnet connection should not be able to read the username and password

Benefits of IPSec
- Enable business to rely heavily on the Internet and reduce its need for private networks
  - saving costs & network management
- Provide secure network access over the Internet
  - An end-user whose system is equipped with IPSec can make a local call to an ISP and gain secure access to her/his company
- Provide secure communications between organisations by ensuring authentication and confidentiality
- IPSec can be used to create a secure tunnel through untrusted (especially the Internet) networks
  - Sites connected by these tunnels form Virtual Private Networks (VPN)

Benefits of IPSec (cont.)
- Packet authentication makes various attacks harder
  - Address masquerading
  - Address spoofing
- IPSec tunnels can be very useful for secure remote administration
- In a non-end-to-end service, IPSec can ensure that messages between a pair or a group of sites are encrypted

Some Limitations of IPSec
- IPSec cannot provide end-to-end security as systems work at higher levels
  - (e.g. if you need emails encrypted from the sender's desktop and decrypted at the receiver's site)
  - Cannot choose which email is to be encrypted and which is not
- Specific applications have particular security requirements and IPSec does not provide all security services:
  - IPSec cannot provide total security for credit card payment systems

Is IPSec Everything You Need?
- Cryptography alone is not enough
- IPSec alone is not enough
  - E.g. IPSec cannot provide digital signature services
- Many factors affect system security:
  - OS security
  - Data management
  - Key management
  - Correctness of implementation of algorithms
  - Proper system management
  - Human factors