2G /Internetteknikriod 4
Maguire .fm5 Total pages: [email protected]
© 1998, 1999, 2000,2002, 2003, 2005 G.QAll rights reserved. No part of this course hotocopying, recording, or otherwise, without written permission of the author.
Last modified: 2005.05.19:01:49
c, VPNs, Firewalls, NAT
of G. Q. Maguire Jr.
CP/IP Protocol Suite, by Edition, McGraw-Hill.
26 and 28
1305 InternetworkingSpring 2005, Pe
Internet_Security_VPNs_NAT 2005.05.19
.Maguire Jr. . may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, p
Module 12: IPSeand
Lecture notes
For use in conjunction with TBehrouz A. Forouzan, 3rd
For this lecture: Chapters
IPSec, VPNs, Firewalls, and NAT 667 of 697Internetworking/Internetteknik
Maguire Lecture 6: [email protected] 2005.05.19
Lecture 6: Outline• IPSec, VPN, …• Firewalls & NAT• Private networks
IPSec, VPNs, Firewalls, and NAT 668 of 697Internetworking/Internetteknik
ited set of users (generally those
rivate networkrivate network)
rganization
ditional users from outside the
Maguire Private [email protected] 2005.05.19
Private networksPrivate Networks are designed to be used by a liminside an organization)
Addresses for Private IP networks
• these should never be routed to outside the p• they should never be advertised (outside the p• allocated (reserved ) addresses:
Intranet a private network - access limited to those in an o
Extranet intranet + limited access to some resource by adorganization
Range Total addresses
10.0.0.0 to 10.255.255.255 224
172.16.0.0 to 172.31.255.255 220
192.168.0.0 to 192.168.255.255 216
IPSec, VPNs, Firewalls, and NAT 669 of 697Internetworking/Internetteknik
(VPNs)
Maguire Virtual Private networks (VPNs)[email protected] 2005.05.19
Virtual Private networks
Figure 112: Private network
Figure 113: Hybrid network
Figure 114: Virtual Private network
leased line
SiteA SiteB
leased line
SiteA SiteB
Internet
SiteA SiteB
Internet
tunnel
IPSec, VPNs, Firewalls, and NAT 670 of 697Internetworking/Internetteknik
, etc. Interface (GSS-API)
Security
MIME), PGP/MIME, and
ET)
ttp://www.freeradius.org/
Maguire Security Protocols, APIs, [email protected] 2005.05.19
Security Protocols, APIs• Generic Security Services App. Programming• Network layer security
• Internet Protocol Security Protocol (IPSEC)
• Secured Socket Layer (SSL)/Transport Layer • transport layer security• Secured HyperText Transport Protocol (S-HTTP)
• Application layer security• Pretty Good Privacy (PGP) [129]• Privacy-Enhanced Electronic Mail (PEM), S/MIME (signed
OpenPGP, … [130]• MasterCard and Visa’s Secured Electronic Transaction (S
• Authentication• Remote Authentication Dial-In User Services (RADIUS)
http://www.gnu.org/software/radius/radius.html , FreeRADIUS h
• DIAMETER http://www.diameter.org/
• …
IPSec, VPNs, Firewalls, and NAT 671 of 697Internetworking/Internetteknik
ing Interface (GSS-API)
security services for use
hanisms and
chanism for security contextn, or through negotiation.
C 2078[115]bindings", RFC 2744
Maguire [email protected] 2005.05.19
GSS-APIGeneric Security Services Application Programm
• provides an abstract interface which provides in distributed applications
• but isolates callers from specific security mecimplementations.
GSS-API peers establish a common security meestablishment either through administrative actio
GSS-API is specified in:
• J. Linn, "Generic Security Service API v2", RF• J. Wray, "Generic Security Service API v2: C-
[116].
IPSec, VPNs, Firewalls, and NAT 672 of 697Internetworking/Internetteknik
encryption or IP
tion method, androtocol (ISAKMP)n senders and recipients
Maguire [email protected] 2005.05.19
IPSecIPSec in three parts:
• encapsulating security payload (ESP) definespayloads,
• authentication header (AH) defines authentica• the IP security association key management p
manages the exchange of secret keys betweeof ESP or AH packets.
IPSec, VPNs, Firewalls, and NAT 673 of 697Internetworking/Internetteknik
ters Index (SPI) and a IP address unqiuely
’s original packet. It may cryptographication vector (IV)). Integrity Check Valueity of the packet.
ES, Triple DES, …
ad (ESP)[109]
Maguire ESP [email protected] 2005.05.19
ESP packetConsists of:
• a control header - contains a Security Paramesequence number field (the SPI + destinationidentifies the Security Association (SA)).
• a data payload - encrypted version of the useralso contain control information needed by thealgorithms (for example DES needs an initializ
• an optional authentication trailer - contains an(ICV) - which is used to validate the authentic
ESP could use any one of several algorithms: D
See: RFC 2406: IP Encapsulating Security Paylo
IPSec, VPNs, Firewalls, and NAT 674 of 697Internetworking/Internetteknik
tion code), or
Maguire AH [email protected] 2005.05.19
AH headerFor authentication purposes only contains:
• an SPI,• a sequence number, and• an authentication value.
AH uses either:
• Message Digest 5 (MD5) algorithm,• Secure Hash Algorithm 1 (SHA-1),• truncated HMAC (hashed message authentica• …
For further information see:
• IP Authentication Header - RFC 2402 [110]
IPSec, VPNs, Firewalls, and NAT 675 of 697Internetworking/Internetteknik
ange protocol; it assumes the
quency,
ment Protocol (ISAKMP)
ion for ISAKMP -
FC 2412 [113] [114]
Maguire [email protected] 2005.05.19
ISAKMPISAKMP is based on the Diffie-Hellman key exchidentities of the two parties are known.
Using ISAKMP you can:
• control the level of trust in the keys,• force SPIs to be changed at an appropriate fre• identify keyholders via digital certificates
[requires using a certificate authority (CA)]
For further information see:
• Internet Security Association and Key Manage- RFC 2408 [111]
• The Internet IP Security Domain of InterpretatRFC 2407 [112]
• The OAKLEY Key Determination Protocol - R• The Internet Key Exchange (IKE) - RFC 2409
IPSec, VPNs, Firewalls, and NAT 676 of 697Internetworking/Internetteknik
Sec?
l IP header
ers and all-placed within another packet
r packet] destination address information
re
AS5
AS4
Maguire Where can you run [email protected] 2005.05.19
Where can you run IP
Mode Where it runs Payload
Transport end-systems payload data follows the norma
Tunnelling internetworkingdevice: e.g., router,firewall, or VPNgateway
• end-user’s entire packet-IP headwith ESP or AH fields[thus it is encapsulated in anothe
• can hide the original source and
Figure 115: IPSec usagered = secure, black = unsecu
AS1
AS2
AS3tunnel
IPSec, VPNs, Firewalls, and NAT 677 of 697Internetworking/Internetteknik
g of packets coming into theecide which packets should bedport (or even deeper
ateway
tranet )
Maguire [email protected] 2005.05.19
Firewalls
The firewall can provide packet by packet filterinintranet or leaving the intranet. The firewall can dforwarded based onsource, destination addresses, anexamination) using an explicitly definedpolicy.
Figure 116: Firewall an internet g
interior (often anInexterior
IPSec, VPNs, Firewalls, and NAT 678 of 697Internetworking/Internetteknik
ux systems called “ipfwadm”:
,ppears to come from the
rs, “holes” may be reroute traffic to/from
Maguire Linux [email protected] 2005.05.19
Linux firewallFor example, for the software firewall used in Lin
• all ports are typically closed for inbound traffic• all outbound traffic is “IP masqueraded”, i.e., a
gateway machine; and• For bi-directional services required by the use
punched through the firewall - these holes canparticular ports:• to specific users or• the most recent workstation to request a service.
IPSec, VPNs, Firewalls, and NAT 679 of 697Internetworking/Internetteknik
ialize servers)
ewall for all security
eakest link
ep the pipes full - i.e., a firewalls the connection to the external
Maguire Firewall [email protected] 2005.05.19
Firewall Designapply basics of security:
• least privilege:• don’t make hosts do more than they have to (implies: spec• use minimum privileges for the task in hand
• fail safe• even if things break it should not leave anything open
• defence in depth• use several discrete barriers - don’t depend on a single fir
• weakest links• know the limitations of your defences - understand your w
Firewalls should have sufficient performance to keshould not limit the amount of traffic flowing acrosnetwork, onlywhat flows across it!
IPSec, VPNs, Firewalls, and NAT 680 of 697Internetworking/Internetteknik
Firewall
y undertand details of theealAudio’s streaming audio.
ateway
interior
Intranet
Maguire Proxy Access Through A [email protected] 2005.05.19
Proxy Access Through A
Often you need application level proxies (i.e., theapplication protocol) -- an example is to proxy R
Figure 117: Firewall and internet g
exterior
Internetmanually enabled bypass
Proxy Server
Bastion host
IPSec, VPNs, Firewalls, and NAT 681 of 697Internetworking/Internetteknik
cks.nec.com/
to those within the
ebpage, the request is sent to theto the real destination. When data address) the returned data and
sed external services
ateway
Intranet
Maguire [email protected] 2005.05.19
SOCKsPermeo Technologies, Inc.’s SOCKShttp://www.so
In order to bridge a firewall we can use a proxy:
• the proxy will appear to be all external hostsfirewall• for example, If a user attached to the intranet requests a w
proxy host where the same request is duplicated and sentis returned the proxy readdresses (with the user’s intranetsends it to the user.
• widely used to provide proxies for commonly u(such as Telnet, FTP, and HTTP).
See: [123] and [124]
Figure 118: Firewall and internet g
Internet
Socks (Proxy) Serverinteriorexterior
hole
IPSec, VPNs, Firewalls, and NAT 682 of 697Internetworking/Internetteknik
service on thersion is primarily fortistics on the average
is up, rather than using ICMP.
Maguire [email protected] 2005.05.19
Newpinghttp://ftp.cerias.purdue.edu/pub/tools/dos/socks.cstc/util/newping.c
• a “ping” for SOCKS• it depends on the target host not blocking the
appropriate port (in this case “time ”). This vechecking “Is it alive?” rather than gathering staresponse time of several echo requests.
• Uses the “time ” TCP port to verify that a hostICMP ⇒ usable through a firewall that blocks
IPSec, VPNs, Firewalls, and NAT 683 of 697Internetworking/Internetteknik
alls
osts to transmit through
)ulticast group’s traffic
lticast routing daemon.
ateway
Intranet
join
Maguire MBONE through [email protected] 2005.05.19
MBONE through firewhttp://www.cs.virginia.edu/~mngroup/projects/firewalls/
Their firewall features:
• Source host checking (allowing only certain hthe firewall, or denying specific hosts)
• Destination port checking• Packet contents (unwrapping encapsulated IP• Regulating bandwidth allocated to a specific m
Their Mbone gateway is based on a modified mu
Figure 119: Firewall and internet g
MBONEhole
SOCKS+Mrouted-gwjoin
join
IPSec, VPNs, Firewalls, and NAT 684 of 697Internetworking/Internetteknik
stfix)ve to the widely-used Sendmail
endmail
nse to protect the localx daemon can run in ao direct path from theprograms - an intruderfirst. Postfix does not
, or the contents of itscing sender-provided. Last but not least, no
Maguire Secure Mailer (aka Postfix)[email protected] 2005.05.19
Secure Mailer (aka PoWietse Venema’s attempt to provide an alternatiprogram
70% of all mail sent via the Internet is sent via S
“Security. Postfix uses multiple layers of defesystem against intruders. Almost every Postfichroot jail with fixed low privileges. There is nnetwork to the security-sensitive local deliveryhas to break through several other programseven trust the contents of its own queue filesown IPC messages. Postfix avoids plainformation into shell environment variablesPostfix program is set-uid.” [125]
26] IPSec, VPNs, Firewalls, and NAT 685 ofInternetworking/Internetteknik
ity Tools [126]orks (SATAN ), networkd Wietse Venema; scansexistence of well known,ity Auditor’s Research
s through an access
d, ftpd, rexecd,login, and- enabling better auditing
to allow all packets to beaddress, or any other
om, and recvmsg
Maguire U.S. DOE CIAC’s Network Security Tools [[email protected] 2005.05.19
U.S. DOE CIAC’s Network Secur• System Administrator Tool for Analyzing Netw
security analyzer designed by Dan Farmer ansystems connected to the network noting the often exploited vulnerabilities. (see also SecurAssistant (SARA))
• ipacl - forces all TCP and UDP packets to pascontrol list facility
• logdaemon - modified versions of rshd, rlogintelnetd that log significantly more information -of problems via the logfiles
• improved versions of: portmap, rpcbind,• screend - a daemon and kernel modifications
filtered based on source address, destination byte or set of bytes in the packet
• securelib - new versions of the accept, recvfrnetworking system calls
26] IPSec, VPNs, Firewalls, and NAT 686 ofInternetworking/Internetteknik
l over who connects to aGIN, FINGER, ands can be controlled and
ts access control basede of access + provides
Maguire U.S. DOE CIAC’s Network Security Tools [[email protected] 2005.05.19
• TCP Wrappers - allows monitoring and controhost’s TFTP, EXEC, FTP, RSH, TELNET, RLOSYSTAT ports + a library so that other programmonitored in the same fashion
• xinetd - a replacement for inetd which supporon the address of the remote host and the timextensive logging capabilities
IPSec, VPNs, Firewalls, and NAT 687 of 697Internetworking/Internetteknik
MAP)ure.org/nmap/
work, are offered,y are running,
nk to “Remote OS” by Fyodor
r 18, 1998 - a means ofg its TCP/IP behavior.
Maguire The Network Mapper (NMAP)[email protected] 2005.05.19
The Network Mapper (NNetwork Mapper (NMAP) http://www.insec
• (cleverly) uses raw IP packets• determine what hosts are available on the net• what services (application name and version)• what operating systems (and OS versions) the• what type of packet filters/firewalls are in use,• …
http://www.insecure.org/nmap/nmap_documentation.html also has a lidetection via TCP/IP Stack FingerPrinting<[email protected]> (www.insecure.org), Octobeidentifying which OS the host is running by notin
IPSec, VPNs, Firewalls, and NAT 688 of 697Internetworking/Internetteknik
lation
ore addresses on the outside and [137]
ith NAT
tely this breaks manybecause they use an IPnside the their data.
interior
192.168.0.x
192.168.0.1
Intranet
Maguire Network Address [email protected] 2005.05.19
Network Address Trans
NAT maps IP addresses on the inside to one or mvice versa. See RFC 3022 [136] and RFC2766
Figure 120: Example of a Firewall w
Advantages: Disadvantage
✔ save IPv4 addresses ✘ Unfortunaservices address i✔ hides internal node structure from outside
nodes
✔ the intranet does not have to be renumberedwhen you connect to another ISP
exterior
Proxy Server
NATy.y.y.y (.. z.z.z.z)
(provided by the ISP)
Internetmanually enabled bypass
IPSec, VPNs, Firewalls, and NAT 689 of 697Internetworking/Internetteknik
MZ)
ferent DMZ (see for example
ith a DMZ
interior
Intranet
er
Maguire Demilitarized zone (DMZ)[email protected] 2005.05.19
Demilitarized zone (D
Note that the various services may also be in diffogure 4 page 90 of [127]
Figure 121: Example of a Firewall w
exterior
Internet
ftpserver
webserver
DNSserv
e-mailserver
DMZ
IPSec, VPNs, Firewalls, and NAT 690 of 697Internetworking/Internetteknik
cisesovindan at USC’s ISI for
58/netsec/index.html
ese exercises, but I think you
Maguire Network Security [email protected] 2005.05.19
Network Security ExerYou will find a nice set of exercises by Ramesh GKerberos, S/Key, and firewalls at:http://www.isi.edu/~govindan/cs5
Note that you shouldnot use their machines for thwill find this useful reading.
IPSec, VPNs, Firewalls, and NAT 691 of 697Internetworking/Internetteknik
ompaniesordination Center [117]
m [121]
entcentrum (SITIC)ental de Réponse et de
A), CNCERT/CC [121],
sponse Team Network
s (FIRST),now: 170 members[118]
, Swedish Defense Material[120], …
Maguire Security Organizations and [email protected] 2005.05.19
Security Organizations and CComputer Emergency Response Team (CERT®) Co
• 1988 - Computer Emergency Response Team• 2003 - Computer Emergency Readiness Tea
Addionally, there are numerous other CERTs:
• CanCERT™, GOVCERT.NL, Sveriges IT-incidhttp://www.sitic.se/ , Centre d’Expertise GouvernemTraitement des Attaques informatiques (CERT…
• The European Computer Security Incident Rehttp://www.ecsirt.net/
Forum of Incident Response and Security Team
NIST Computer Security Resource Center [119]Administration, Electronics Systems Directorate
IPSec, VPNs, Firewalls, and NAT 692 of 697Internetworking/Internetteknik
Maguire [email protected] 2005.05.19
SummaryThis lecture we have discussed:
• Private networks• IPSec• Firewalls
IPSec, VPNs, Firewalls, and NAT 693 of 697Internetworking/Internetteknik
Security Payload (ESP)”, IETF
Header”, IETF RFC 2402,
nd J. Turner, “Internet Security (ISAKMP)”, IETF RFC 2408,
f Interpretation for ISAKMP”,2407.txt
n Protocol”, IETF RFC 2412,
Exchange (IKE)”, IETF
Maguire Further [email protected] 2005.05.19
Further information[108]IETF Security Areahttp://sec.ietf.org/
[109]S. Kent and R. Atkinson, “IP EncapsulatingRFC 2406, November 1998http://www.ietf.org/rfc/rfc2406.txt
[110]S. Kent and R. Atkinson, “IP AuthenticationNovember 1998http://www.ietf.org/rfc/rfc2402.txt
[111]D. Maughan, M. Schertler, M. Schneider, aAssociation and Key Management ProtocolNovember 1998http://www.ietf.org/rfc/rfc2408.txt
[112] D. Piper, “The Internet IP Security Domain oIETF RFC 2407, November 1998http://www.ietf.org/rfc/rfc
[113] H. Orman, “The OAKLEY Key DeterminatioNovember 1998http://www.ietf.org/rfc/rfc2412.txt
[114]D. Harkins and D. Carrel, “The Internet Key
IPSec, VPNs, Firewalls, and NAT 694 of 697Internetworking/Internetteknik
n Program Interface, Versionrfc2078.txt
sion 2 : C-bindings”, IETF
t.org/
eamshttp://www.first.org/
chnology (NIST), Computerrce Centerhttp://csrc.nist.gov/
w.fmv.se/
What R the new CERTS?”,ponse technicalRT/CC) 2005 Annual05
Maguire Further [email protected] 2005.05.19
RFC 2409,November 1998http://www.ietf.org/rfc/rfc2409.txt
[115]J. Linn, “Generic Security Service Applicatio2”, IETF RFC 2078, January 1997,http://www.ietf.org/rfc/
[116]J. Wray, “Generic Security Service API VerRFC 2744, January 2000http://www.ietf.org/rfc/rfc2744.txt
[117] Computer Emergency Response Teamhttp://www.cer
[118]Forum of Incident Response and Security T
[119]U. S. National Institute of Standards and TeSecurity Division, Computer Security Resou
[120]Swedish Defense Material Administrationhttp://ww
[121]David Crochemore, “Response/Readiness:National Computer network Emergency ResTeam/Coordination Center of China (CNCEConference, Guilin, P.R.China, 30 March 20
IPSec, VPNs, Firewalls, and NAT 695 of 697Internetworking/Internetteknik
avidCrochemore-NGCERTOI.
onse et de Traitement desv.fr/
blas, and L. Jones, “SOCKS1996
hod for SOCKS Version 5”,
pability
t Academy Press,02-5
Maguire Further [email protected] 2005.05.19
http://www.cert.org.cn/upload/2005AnnualConferenceCNCERT/1MainConference/10.D
[122]Centre d’Expertise Gouvernemental de RépAttaques informatiques (CERTA)http://www.certa.ssi.gou
[123]M. Leech, M. Ganis, Y. Lee, R. Kuris, D. KoProtocol Version 5”, IETF RFC 1928, Marchhttp://www.ietf.org/rfc/rfc1928.txt
[124]P. McMahon, “GSS-API Authentication MetIETF RFC 1961, June 1996http://www.ietf.org/rfc/rfc1961.txt
[125] Postfixhttp://www.postfix.org
[126]U.S. DOE’s Computer Incident Advisory Cahttp://ciac.llnl.gov/ciac/ToolsUnixNetSec.html
[127]Robert Malmgren,Praktisk nätsäkerhet, InterneStockholm, Sweden, 2003, ISBN 91-85035-
IPSec, VPNs, Firewalls, and NAT 696 of 697Internetworking/Internetteknik
e Speciner,Network Security:entice-Hall, 1995, ISBN
’Reilly & Associates, 1995
nPGP”, Oct 15, 2004
d Internet Security:994,ISBN: 0-201-63357-4
ing Internet Firewalls,
etwork Administrators
Maguire Further [email protected] 2005.05.19
[128]Charlier Kaufman, Radia Perlman, and MikPrivate Communication in a PUBLIC World, Pr0-13-061466-1
[129]Simson Garfinkel,PGP: Pretty Good Privacy, OISBN 1-56592-098-8
[130]Internet Mail Consortium, “S/MIME and Opehttp://www.imc.org/smime-pgpmime.html
Firewalls
[131]Bill Cheswick and Steve Bellovin, Firewalls anRepelling the Wily Hacker, Addison Wesley, 1
[132]D. Brent Chapman and Elizabeth Zwicky,BuildO’Reilly, 1995,ISBN: 1-56592-124-0
[133]Tony Mancill,Linux Routers: A Primer for N Prentice-Hall, 2001, ISBN 0-13-086113-8.
IPSec, VPNs, Firewalls, and NAT 697 of 697Internetworking/Internetteknik
m/
IP Network Address Translatory 2001
ess Translation - Protocolbruary 2000
Maguire Further [email protected] 2005.05.19
[134]Firewalls mailing listhttp://www.isc.org/index.pl?/ops/lists/firewalls/
[135]Computer Security Institute (CSI) athttp://www.gocsi.co
NAT
[136] P. Srisuresh and K. Egevang, “Traditional (Traditional NAT)”, IETF RFC 3022, Januarhttp://www.ietf.org/rfc/rfc3022.txt
[137]G. Tsirtsis and P. Srisuresh, “Network AddrTranslation (NAT-PT)”, IETF RFC 2766, Fehttp://www.ietf.org/rfc/rfc2766.txt