Network Security
IP Security – Part 1
04/02/06 Hofstra University – Network Security Course, CSC290A
IP Security Overview
1994 – RFC 1636, "Security in the Internet Architecture", identified the key needs:
- Secure the network infrastructure from unauthorized monitoring and control of network traffic
- Secure end-to-end user traffic using encryption and authentication
IP Security Overview
- CERT: the most serious attack classes are IP spoofing and eavesdropping/packet sniffing
- The next-generation IP, IPv6, was specified with authentication and encryption built in; IPSec was designed as part of IPv6
- IPSec is also available as an add-on for IPv4, which is how most of it is deployed today
Application of IPSec
- Secure branch office connectivity over the Internet
- Secure remote access over the Internet
- Establish extranet and intranet connectivity with partners
- Enhance electronic commerce security

Application of IP Security
(figure)
Benefits of IPSec
- When implemented in a firewall or router, it provides strong security for all traffic crossing the perimeter; traffic inside the perimeter incurs no overhead
- IPSec in a firewall is resistant to bypass, provided all traffic from the outside must pass through that firewall
- It sits below the transport layer (TCP, UDP) and is transparent to applications: no application software needs to change
- Transparent to the end user: no per-user training or key handling
- Can also provide security for individual users – offsite workers, VPN
Routing & IPSec
IPSec can assure that:
- A router advertisement comes from an authorized router
- A neighbor advertisement comes from an authorized router
- A redirect message comes from the router to which the initial packet was sent
- Routing updates are not forged
This prevents disruption and diversion of traffic by forged routing messages.
Network Security
Basic Networking – Part A
Protocols in a Simplified Architecture (figure)
Protocol Data Units (figure)
Operation of a Protocol Architecture (figure)
TCP and UDP Headers (figure)
IP Headers (figure: IPv4 and IPv6 header formats)
Callouts on the figure: IPv4 addresses are 32-bit fields and IPv6 addresses are 128-bit fields; the Type of Service (IPv4) / Traffic Class (IPv6) field carries QoS; Time to Live (IPv4) / Hop Limit (IPv6) is the max # of allowable hops
TCP/IP Concepts (figure)
PDUs in TCP/IP
(figure: encapsulation at each layer)
Application byte stream:  User Data
TCP segment:              TCP Header | User Data
IP datagram:              IP Header | TCP Header | User Data
Network-level packet:     Network Header | IP Header | TCP Header | User Data
Some TCP/IP Protocols (figure)
Assigned Port Numbers
Service     Port    | Service     Port
echo        7       | pop3        110
ftp-data    20      | nntp        119
ftp         21      | ntp         123
telnet      23      | ldap        389
smtp        25      | https       443
rlp         39      | isakmp      500
DNS         53      | rip         520
http        80      | radiusauth  1812
kerberos    88      | Sun NFS     2049
(port 39 is the Resource Location Protocol, rlp; RIP itself uses UDP 520)
Configuration of TCP/IP (figure)
Alternate Routing Diagram (figure)
Network Security
IP Security – Part 1
IPSec Documents (November 1998)
- RFC 2401 – Overview of the security architecture
- RFC 2402 – Packet authentication extension (AH)
- RFC 2406 – Packet encryption extension (ESP)
- RFC 2408 – Key management capabilities (ISAKMP)
Implemented as extension headers that follow the main IP header:
- Authentication Header (AH)
- Encapsulating Security Payload header (ESP)
These were obsoleted in December 2005 by RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP) and RFC 4306 (IKEv2); the AH and ESP packet formats described in these slides are essentially unchanged in the newer documents.
IPSec Documents
(figure: relation between the IPSec documents – the architecture document, the AH and ESP protocol documents (packet format), the encryption and authentication algorithm documents, the key management document, and the Domain of Interpretation (DOI), which holds the identifiers and parameters that tie the other documents together)
IPSec Services
Provides security services at the IP layer. It enables a system to:
- Select the required security protocols
- Determine the algorithms to use for those services
- Put in place the cryptographic keys needed
IPSec Services – 2 Protocols
- Authentication protocol, designated by the header of the protocol: the Authentication Header (AH)
- Combined encryption/authentication protocol, designated by the format of the packet for that protocol: the Encapsulating Security Payload (ESP). ESP is a mechanism for providing confidentiality and, optionally, integrity to IP datagrams
- Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols
IPSec Services
(table: the services provided by AH, by ESP with encryption only, and by ESP with encryption plus authentication – the two ESP cases)
Security Associations
Key concept: a Security Association (SA) is a one-way relationship between a sender and a receiver that defines the security services afforded to the traffic carried on it
The parameters are stored in two databases: the Security Policy Database (SPD) and the Security Association Database (SAD)
Security Associations
An SA is uniquely identified by three parameters:
- Security Parameters Index (SPI) – a 32-bit value carried in the AH or ESP header; it lets the receiving system select the SA under which the incoming packet is to be processed
- Destination IP address – address of the destination endpoint of the SA, which may be an end-user system or a firewall/router
- Security protocol identifier – whether the association is AH or ESP
The SA itself then holds the keys, key sizes, lifetime and cryptographic algorithms (the transforms) used for that traffic
Security Associations
(figure: IP secure tunnel between A and B, with one SA in each direction)
Each SA is characterized by: 1. Destination IP address 2. Security protocol 3. Secret keys 4. Encapsulation mode 5. SPI
Security Associations
- An SA is unidirectional: it defines the operations that occur in the transmission in one direction only
- Bi-directional transport of traffic requires a pair of SAs (e.g., a secure tunnel has one SA for each direction)
- The two SAs share the same meta-characteristics (protocol, mode, algorithms) but employ different keys and SPIs
Security Association Database
- Each IPSec implementation has a Security Association Database (SAD)
- The SAD holds the parameters associated with each SA, indexed by the SA's SPI, destination address and protocol
- Since SAs are unidirectional, the SAD stores an SA for each direction of a bi-directional flow
Security Association Database
Parameters held for each SA:
- Sequence number counter
- Sequence counter overflow flag
- Anti-replay window
- AH information (algorithm, keys, key lifetimes)
- ESP information (encryption and authentication algorithms, keys, IVs, lifetimes)
- Lifetime of this SA
- IPSec protocol mode – tunnel, transport or wildcard
- Path MTU
Security Policy Database
- Provides considerable flexibility in the way IPSec services are applied to IP traffic
- Can discriminate between traffic that is afforded IPSec protection, traffic allowed to bypass IPSec, and traffic that is discarded
- The Security Policy Database (SPD) is the means by which IP traffic is related to specific SAs
Security Policy Database
- Each entry defines a subset of IP traffic and points to the SA (or SA bundle) for that traffic
- An entry is defined by a set of IP and upper-layer protocol field values, called selectors; these selectors are used to filter outgoing traffic in order to map it onto a particular SA
Security Policy Database
Selectors that define an SPD entry:
- Destination IP address
- Source IP address
- User ID
- Data sensitivity level – e.g., secret or unclassified
- Transport layer protocol
- IPSec protocol – AH or ESP or AH/ESP
- Source and destination ports
- IPv6 class
- IPv6 flow label
- IPv4 type of service (TOS)
Security Policy Database
Outbound processing of a packet:
1) Compare the fields in the packet (the selectors) to find a matching SPD entry
2) Determine the SA, if any, for this packet and its associated SPI
3) Do the required IPSec processing (AH or ESP)
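Worked example (added here, not part of the course slides): a small model of the SPD and SAD and the three outbound steps above, also illustrating the earlier point that the SAD keys each unidirectional SA by destination address, protocol and SPI. The selector fields, addresses, SPI values and policy are constructed for illustration; the cryptographic processing itself is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Selector:
    """A subset of the RFC 2401 selectors: address ranges, transport protocol, destination port."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None      # 6 = TCP, 17 = UDP, None = any
    dport: Optional[int] = None      # None = any

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class SPDEntry:
    selector: Selector
    action: str                       # "DISCARD", "BYPASS" or "PROTECT"
    protocol: Optional[str] = None    # "AH" or "ESP" when action is PROTECT
    mode: Optional[str] = None        # "transport" or "tunnel"
    tunnel_dst: Optional[str] = None  # outer destination (security gateway) in tunnel mode


@dataclass
class SA:
    """One unidirectional SA; the SAD keys it by (destination, protocol, SPI)."""
    dst: str
    protocol: str
    spi: int
    mode: str
    key: bytes
    seq: int = 0                      # sender-side sequence number counter


class IPsecOutbound:
    def __init__(self, spd, sad):
        self.spd = spd                # ordered list; the first matching entry wins
        self.sad = {(sa.dst, sa.protocol, sa.spi): sa for sa in sad}

    def find_sa(self, dst, protocol):
        for (d, p, _), sa in self.sad.items():
            if d == dst and p == protocol:
                return sa
        return None

    def process(self, pkt):
        """Outbound processing: returns (verdict, details)."""
        # 1) compare the packet's fields against the SPD selectors
        entry = next((e for e in self.spd if e.selector.matches(pkt)), None)
        if entry is None or entry.action == "DISCARD":
            return "DISCARD", None
        if entry.action == "BYPASS":
            return "BYPASS", None
        # 2) determine the SA for that entry; in tunnel mode the SA's destination
        #    is the tunnel endpoint, not the packet's own destination
        sa_dst = entry.tunnel_dst if entry.mode == "tunnel" else pkt["dst"]
        sa = self.find_sa(sa_dst, entry.protocol)
        if sa is None:
            return "NO_SA", None      # a real stack would invoke IKE to create one
        # 3) IPsec processing: consume a sequence number and hand back the SPI to
        #    put in the AH/ESP header (the cryptography is out of scope here)
        sa.seq += 1
        return "PROTECT", {"protocol": sa.protocol, "spi": sa.spi,
                           "mode": sa.mode, "seq": sa.seq, "outer_dst": sa_dst}


def build_example():
    """Constructed sample policy: a site-to-site ESP tunnel plus a few local rules."""
    spd = [
        SPDEntry(Selector(dst="10.1.0.53/32", proto=17, dport=53), "BYPASS"),      # local DNS in clear
        SPDEntry(Selector(proto=6, dport=23), "DISCARD"),                          # no telnet, anywhere
        SPDEntry(Selector(src="10.1.0.0/16", dst="10.2.0.0/16"), "PROTECT",
                 protocol="ESP", mode="tunnel", tunnel_dst="198.51.100.1"),       # branch-to-HQ tunnel
        SPDEntry(Selector(), "DISCARD"),                                           # default deny
    ]
    # one SA per direction: same protocol and mode, different SPI and key
    sad = [
        SA(dst="198.51.100.1", protocol="ESP", spi=0x1000, mode="tunnel", key=b"outbound-key"),
        SA(dst="203.0.113.1", protocol="ESP", spi=0x2000, mode="tunnel", key=b"inbound-key"),
    ]
    return IPsecOutbound(spd, sad)
```

Order matters: the SPD is searched top to bottom, so the specific BYPASS and DISCARD rules sit above the broad PROTECT rule and the default-deny entry closes the list, exactly as a firewall rule base would.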
Transport and Tunnel Modes
Both AH and ESP support two modes of use:
- Transport mode – protection for the upper layer protocols
- Tunnel mode – protection for the entire IP packet
Transport Mode
- Protection extends primarily to the payload of an IP packet, i.e., the upper layer protocols – TCP, UDP, ICMP
- Typically used for end-to-end communication between two hosts
- For AH or ESP the payload is the data following the IP header (IPv4) or following the IP header and any IPv6 extension headers (IPv6)
- ESP in transport mode encrypts and optionally authenticates the payload but not the IP header; AH in transport mode authenticates the payload and selected portions of the IP header
Tunnel Mode
- Protection for the entire inner IP packet
- After the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new outer IP packet with a new outer header
- The packet travels through a tunnel from one point of the network to another; routers along the way examine only the outer header
Tunnel and Transport Mode (figure)
Transport vs Tunnel Mode (figure)
Authentication Header
Authentication Header
- Provides support for data integrity and authentication of IP packets
- Data integrity: modification of the packet in transit is detected
- Authentication: enables an end system or device to authenticate the source host and to filter traffic accordingly
- Prevents address spoofing attacks, since the MAC covers the source address
- Guards against replay attacks, via the sequence number
- Based on a message authentication code (MAC), so the two parties must share a secret key
IPSec Authentication Header (figure: AH format)
Authentication Header
- Next Header (8 bits) – type of header immediately following the AH
- Payload Length (8 bits) – length of the AH in 32-bit words, minus 2 (a 96-bit ICV gives a 6-word AH, so the value is 4)
- Reserved (16 bits) – for future use
- Security Parameters Index (32 bits) – identifies the SA
- Sequence Number (32 bits) – monotonically increasing counter
- Authentication Data (variable, a multiple of 32 bits) – contains the Integrity Check Value (ICV), or MAC, for this packet
Anti-Replay Service
- Replay attack: the attacker obtains a copy of an authenticated packet and later transmits it to the intended destination
- Receipt of duplicate, authenticated packets may disrupt service in some way
- The Sequence Number field is designed to thwart this type of attack
Anti-Replay Service
- When a new SA is established the sender initializes a sequence number counter to 0; it is incremented as each packet is sent, so the first packet carries 1
- The sequence number must stay below 2^32; if the limit of 2^32 – 1 is reached the sender must terminate this SA and negotiate a new one with a new key (no wrap-around)
- Because IP is a connectionless, unreliable service, packets can arrive out of order or not at all, so the receiver cannot simply require the next number in sequence
- The receiver implements a window of size W (default W = 64)
- The right edge of the window is the highest sequence number, N, received and authenticated so far
Anti-Replay Service
Processing a received packet with sequence number S:
1) If S is within the window and new, check the MAC; if the packet is authenticated, mark the corresponding slot
2) If S is to the right of the window, check the MAC; if the packet is authenticated, mark the slot and advance the window so that S is the new right edge
3) If S is to the left of the window, or the authentication fails, discard the packet and flag this as an auditable event
Anti-Replay Mechanism
(figure: the sliding window with W = 64 and right edge N = 104, so the window covers sequence numbers 41 to 104)
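Worked example (added here, not from the slides): the receiver-side sliding window of the three rules above, run through the figure's scenario of W = 64 and N = 104. The MAC check is passed in as a callable so the window logic can be exercised on its own; the sequence of delivered and replayed packets is constructed for the example.

```python
class AntiReplayWindow:
    """Receiver-side sliding window (RFC 2402 section 3.4.3).

    right = N, the highest sequence number authenticated so far;
    the window is [right - w + 1, right] and `seen` holds its marked slots.
    """

    def __init__(self, w=64):
        self.w = w
        self.right = 0
        self.seen = set()

    def left(self):
        return self.right - self.w + 1

    def check(self, seq, mac_ok):
        """Return 'accept' or a 'discard: ...' reason.

        mac_ok is a callable performing the ICV check; it is only invoked once the
        sequence number has not already ruled the packet out, which is the order
        the slides describe (window check first, then MAC, then mark/advance).
        """
        if seq == 0:
            return "discard: sequence number 0 is never sent"
        if seq < self.left():
            return "discard: left of window (replay or too old)"
        if seq <= self.right and seq in self.seen:
            return "discard: duplicate inside window (replay)"
        if not mac_ok():
            return "discard: authentication failed"
        if seq > self.right:
            # right of the window: advance so seq is the new right edge and
            # forget the slots that have fallen off the left edge
            self.right = seq
            self.seen = {s for s in self.seen if s >= self.left()}
        self.seen.add(seq)
        return "accept"


def worked_example():
    """The slide's scenario: W = 64 and N = 104, so the window covers 41..104."""
    win = AntiReplayWindow(w=64)
    good = lambda: True     # stand-in for a successful ICV check
    bad = lambda: False     # stand-in for a failed ICV check
    # deliver 1..104 in order, but let 60 and 80 go missing (IP is unreliable)
    for s in range(1, 105):
        if s not in (60, 80):
            win.check(s, good)
    results = {"edges": (win.left(), win.right)}
    results["late_60"] = win.check(60, good)        # inside window and new: accept
    results["replay_60"] = win.check(60, good)      # same packet again: replay
    results["old_40"] = win.check(40, good)         # left of window: discard
    results["forged_80"] = win.check(80, bad)       # ICV fails: discard, slot stays free
    results["real_80"] = win.check(80, good)        # the genuine 80 is still accepted
    results["new_150"] = win.check(150, good)       # right of window: advance
    results["edges_after"] = (win.left(), win.right)
    results["old_86"] = win.check(86, good)         # was inside, now left of window
    return results
```

Note the ordering in `check`: a forged packet with a fresh sequence number costs one MAC computation, but a replayed or stale one is dropped before any cryptography runs, and a failed MAC never marks a slot, so the legitimate packet with that number can still arrive.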
Integrity Check Value
- Held in the Authentication Data field
- The ICV is a Message Authentication Code (MAC), or a truncated version of a code produced by a MAC algorithm
- The full HMAC value is calculated but only the first 96 bits are carried, the default length of the Authentication Data field; RFC 2402 requires support for:
  HMAC-MD5-96
  HMAC-SHA-1-96
- The MAC is calculated over the IP header fields that are either immutable in transit or predictable in value on arrival at the endpoint (e.g., the source address in IPv4), the AH header other than the Authentication Data field (which is set to zero), and the entire upper-level protocol data
Current algorithm requirements (RFC 8221) have since retired HMAC-MD5-96 (MUST NOT), keep HMAC-SHA-1-96 only for legacy interoperability, and mandate HMAC-SHA-256-128
Two Ways To Use IPSec Authentication Service
(figure: end-to-end authentication between two hosts using transport mode, and authentication through an intermediate firewall/router using tunnel mode)
AH Tunnel and Transport Modes
- The considerations are different for IPv4 and IPv6
- In both modes authentication covers the entire packet (IP header and payload), excluding the fields that change in transit
- Mutable fields are set to 0 for the MAC calculation
What's a mutable field? One that may legitimately change as the packet is forwarded, so the receiver cannot predict its value: in IPv4 the Type of Service, Flags, Fragment Offset, Time to Live and Header Checksum; in IPv6 the Class, Flow Label and Hop Limit. Immutable fields (e.g., source and destination addresses, Protocol/Next Header, length) are authenticated exactly as sent.
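Worked example (added here, not from the slides) covering both the ICV calculation and the mutable-field rule: an AH transport-mode packet over IPv4 with HMAC-SHA-1-96, where the mutable IPv4 fields and the Authentication Data field are zeroed before the HMAC is taken. The addresses, key and payload are made up; the field layouts follow RFC 791 (IPv4) and RFC 2402 (AH).

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTOCOL = 51          # IP protocol number of the Authentication Header
ICV_LEN = 12              # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """Plain 20-byte IPv4 header (RFC 791); checksum left 0, it is mutable and zeroed for the ICV."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_ipv4(hdr):
    """Zero the IPv4 fields RFC 2402 lists as mutable: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = 0                  # Type of Service
    h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    h[8] = 0                  # Time to Live
    h[10:12] = b"\x00\x00"    # Header Checksum
    return bytes(h)


def ah_header(next_header, spi, seq, icv):
    """AH: Next Header, Payload Length (AH length in 32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, next_header, spi, seq, payload):
    """HMAC-SHA-1-96 over: zeroed IP header || AH with Authentication Data zeroed || upper-layer data."""
    ah_for_mac = ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
    digest = hmac.new(key, zero_mutable_ipv4(ip_hdr) + ah_for_mac + payload, hashlib.sha1).digest()
    return digest[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, inner_proto, payload, ttl=64):
    """Sender: IPv4 header (protocol 51) || AH || original transport payload (transport mode)."""
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, 20 + 24 + len(payload), ttl=ttl)
    icv = compute_icv(key, ip_hdr, inner_proto, spi, seq, payload)
    return ip_hdr + ah_header(inner_proto, spi, seq, icv) + payload


def verify_ah_packet(key, pkt):
    """Receiver: recompute the ICV the same way and compare in constant time."""
    ip_hdr, ah, payload = pkt[:20], pkt[20:44], pkt[44:]
    next_header, _payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(ah[12:12 + ICV_LEN], expected)


def demo():
    """Constructed sample: a UDP payload between two made-up addresses, then three variants."""
    key = b"shared-ah-key-for-this-sa"
    pkt = build_ah_packet(key, "192.0.2.10", "198.51.100.20", spi=0x100, seq=1,
                          inner_proto=17, payload=b"constructed udp datagram")
    forwarded = bytearray(pkt)
    forwarded[8] -= 1                                               # a router decremented TTL
    spoofed = bytearray(pkt)
    spoofed[12:16] = ipaddress.IPv4Address("203.0.113.9").packed    # source address rewritten
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                                            # one payload bit flipped
    return (verify_ah_packet(key, pkt), verify_ah_packet(key, bytes(forwarded)),
            verify_ah_packet(key, bytes(spoofed)), verify_ah_packet(key, bytes(tampered)))
```

The three variants in `demo` show why the mutable/immutable split matters: the TTL decrement every router performs leaves the ICV valid, while a rewritten source address (the spoofing case) or a flipped payload bit fails verification. Because the source address is inside the MAC, this is exactly what AH offers against address spoofing; it also explains why AH cannot pass through NAT, which rewrites that address.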
Scope of AH Authentication (figures: transport and tunnel mode, IPv4 and IPv6)
Important URLs
- www.rfc-editor.org – Search for RFC 1636, Security in the Internet Architecture, and the other RFCs related to IPSec
- http://en.wikipedia.org/wiki/IPV6 – Good information and links related to IPv6
- http://www.ipv6tf.org/ – This portal has lots of news and information about IPv6
Important URLs
- http://www.ipv6.org/ – Includes introductory material, news on recent IPv6 product developments, and related links
- www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf – Very good TCP/IP tutorial from the IBM Redbook series with a good section (chap. 5) on security
Homework
- Read Chapter Six, Sections 6.1-6.3
- Mid-Term Exam (take home) will be given next class
- Submit topic for term paper
Assignment 2
- Obtain PGP software and install it
- Send me an email ([email protected]) with your public key
Have A Good Week
Network Security
IP Security – Part 2
Encapsulating Security Payload
- Provides confidentiality services: confidentiality of message contents and limited traffic flow confidentiality
- As an optional feature, ESP can also provide the same authentication services as AH
Encapsulating Security Payload (figure: ESP format)
Encapsulating Security Payload
- Security Parameters Index (32 bits) – identifies the SA
- Sequence Number (32 bits) – monotonically increasing counter, used for anti-replay exactly as in AH
- Payload Data (variable) – a transport-level segment (transport mode) or IP packet (tunnel mode), protected by encryption
- Padding – 0 to 255 bytes
- Pad Length (8 bits) – number of padding bytes immediately preceding this field
- Next Header (8 bits) – type of the data in the Payload Data field, e.g., an IPv6 extension header or an upper-layer protocol such as TCP
- Authentication Data (variable) – the Integrity Check Value (ICV), computed over the ESP packet minus the Authentication Data field; the SPI and Sequence Number are covered, the outer IP header is not
IPSec ESP Format
ESP and AH Algorithms
Implementations must support DES in cipher block chaining (CBC) mode
Other algorithms have been assigned identifiers in the DOI document
Others: 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish
ESP supports use of a 96-bit MAC similar to AH
ESP Padding
Algorithm may require plaintext to be a multiple of some number of bytes
Pad Length and Next Header must be right-aligned
Additional padding may be used to conceal the actual length of the payload
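The ESP field layout and the padding rule from the two slides above, as an added example that is not part of the lecture material: it builds and parses the SPI / Sequence Number / Payload / Padding / Pad Length / Next Header / ICV body, computing the pad so the trailer is right-aligned on the block boundary. Encryption is left as an identity transform and the ICV is a placeholder; the block size, SPI and payload are constructed values.

```python
"""Toy ESP body builder/parser (added example, not from the slides).

Shows the SPI, Sequence Number, Payload Data, Padding, Pad Length, Next
Header and Authentication Data layout, and how padding is computed so that
Pad Length and Next Header end up right-aligned on a cipher block boundary,
with optional extra blocks to hide the true payload length.  Encryption is
left as an identity transform and the ICV is a placeholder, so only the
layout is exercised; block size and field values are constructed."""
import struct

ESP_HEADER = struct.Struct("!II")   # SPI (32 bits), Sequence Number (32 bits)
NEXT_HEADER_TCP = 6                 # IANA protocol number for TCP


def compute_padding(payload_len: int, block_size: int, extra_blocks: int = 0) -> int:
    """Pad bytes so that payload + pad + 2 (Pad Length, Next Header) is a
    multiple of block_size; extra_blocks adds whole blocks of traffic-flow
    padding.  ESP allows at most 255 bytes of padding."""
    pad = (-(payload_len + 2)) % block_size + extra_blocks * block_size
    if pad > 255:
        raise ValueError("ESP padding is limited to 255 bytes")
    return pad


def build_esp(spi: int, seq: int, payload: bytes, next_header: int,
              block_size: int = 8, extra_blocks: int = 0, icv_len: int = 12) -> bytes:
    """Assemble SPI | Seq | [payload | padding | pad len | next header] | ICV."""
    pad = compute_padding(len(payload), block_size, extra_blocks)
    padding = bytes(range(1, pad + 1))           # default pad pattern 1, 2, 3, ...
    to_encrypt = payload + padding + bytes([pad, next_header])
    assert len(to_encrypt) % block_size == 0      # trailer right-aligned on the block boundary
    ciphertext = to_encrypt                       # stand-in for the CBC encryption step
    icv = b"\x00" * icv_len                       # placeholder for the 96-bit ICV
    return ESP_HEADER.pack(spi, seq) + ciphertext + icv


def parse_esp(packet: bytes, block_size: int = 8, icv_len: int = 12) -> dict:
    """Reverse build_esp, checking the structural invariants a receiver relies on."""
    if len(packet) < ESP_HEADER.size + block_size + icv_len:
        raise ValueError("packet too short for an ESP body")
    spi, seq = ESP_HEADER.unpack_from(packet, 0)
    icv = packet[len(packet) - icv_len:]
    body = packet[ESP_HEADER.size:len(packet) - icv_len]   # would be decrypted here
    if len(body) % block_size != 0:
        raise ValueError("encrypted portion is not a multiple of the block size")
    pad_len, next_header = body[-2], body[-1]             # the two right-aligned bytes
    if pad_len > len(body) - 2:
        raise ValueError("Pad Length exceeds the available data")
    payload_end = len(body) - 2 - pad_len
    if body[payload_end:len(body) - 2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return {"spi": spi, "seq": seq, "payload": body[:payload_end],
            "pad_len": pad_len, "next_header": next_header, "icv": icv}


if __name__ == "__main__":
    pkt = build_esp(0x1234, 1, b"hello world!", NEXT_HEADER_TCP, extra_blocks=1)
    print(parse_esp(pkt))
```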
Transport vs Tunnel Mode
transport mode
tunnel mode
Scope of ESP Encryption
Combining SAs
An SA can implement either the AH or the ESP protocol, but not both
Traffic flow may require separate IPSec services between hosts
Security Association Bundle refers to a sequence of SAs
SAs in a bundle may terminate at different end points
Combining SAs
SAs may combine into bundles in two ways:
Transport adjacency – applying more than one security protocol to the same IP packet without invoking tunneling; only one level of combination, no nesting
Iterated tunneling – application of multiple layers of security protocols effected through IP tunneling; multiple layers of nesting
Authentication + Encryption
Several approaches to combining authentication and confidentiality
ESP with Authentication Option
First apply ESP, then append the authentication data field
Authentication applies to ciphertext rather than plaintext
Authentication + Encryption
ESP with Authentication Option
Transport Mode
Tunnel Mode
Authentication + Encryption
Transport Adjacency
Use two bundled transport SAs
Inner being an ESP SA; outer being an AH SA
Authentication covers the ESP plus the original IP header
Advantage: authentication covers more fields, including source and destination IP addresses
Authentication + Encryption
Transport-Tunnel Bundle
First apply authentication, then encryption
Authenticated data is protected and easier to store and retrieve
Use a bundle consisting of an inner AH transport SA and an outer ESP tunnel SA
Advantage: entire authenticated inner packet is encrypted and a new outer IP header is added
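A small model of the three authentication + encryption combinations from the preceding slides (ESP with authentication option, transport adjacency, transport-tunnel bundle), as an added example that is not part of the lecture material: it stacks headers as each SA in a bundle is applied and records what ends up encrypted and what ends up authenticated. The header labels and the simplification that AH covers the whole IP header (real AH covers only its immutable fields) are assumptions of the model.

```python
"""Model of SA bundles and their protection scope (added example, not from
the slides).  Only header order and the sets of encrypted / authenticated
headers are modelled; no cryptography is performed.  AH's coverage of the
IP header is simplified to the whole header."""
from dataclasses import dataclass, field


@dataclass
class SA:
    protocol: str          # "AH" or "ESP" (one SA never does both)
    mode: str              # "transport" or "tunnel"
    auth: bool = True      # ESP only: authentication option in use?


@dataclass
class Packet:
    headers: list                              # outermost first
    encrypted: set = field(default_factory=set)
    authenticated: set = field(default_factory=set)


def apply_sa(pkt: Packet, sa: SA, idx: int) -> Packet:
    """Apply one SA to pkt; idx labels the headers this SA adds (AH[2], IP[2]...)."""
    name = f"{sa.protocol}[{idx}]"
    if sa.mode == "transport":
        # Transport mode: the security header sits just after the outermost IP header.
        headers = [pkt.headers[0], name] + pkt.headers[1:]
    elif sa.mode == "tunnel":
        # Tunnel mode: the whole packet is wrapped and a new outer IP header is added.
        headers = [f"IP[{idx}]", name] + pkt.headers
    else:
        raise ValueError(f"unknown mode {sa.mode}")
    inside = set(headers[headers.index(name) + 1:])
    encrypted, authenticated = set(pkt.encrypted), set(pkt.authenticated)
    if sa.protocol == "AH":
        # AH authenticates the IP header, itself and everything after it.
        authenticated |= set(headers)
    elif sa.protocol == "ESP":
        # ESP encrypts everything after its header; the authentication option
        # covers the ESP header and the ciphertext, but never the IP header.
        encrypted |= inside
        if sa.auth:
            authenticated |= inside | {name}
    else:
        raise ValueError(f"unknown protocol {sa.protocol}")
    return Packet(headers, encrypted, authenticated)


def apply_bundle(pkt: Packet, sas: list) -> Packet:
    """Apply SAs in order: the first SA is the innermost, the last the outermost."""
    for i, sa in enumerate(sas, start=1):
        pkt = apply_sa(pkt, sa, i)
    return pkt


def original() -> Packet:
    """A constructed plaintext packet: IP header, TCP header, data."""
    return Packet(["IP", "TCP", "data"])


# The three bundles discussed on the slides.
ESP_WITH_AUTH = [SA("ESP", "transport", auth=True)]
TRANSPORT_ADJACENCY = [SA("ESP", "transport", auth=False), SA("AH", "transport")]
TRANSPORT_TUNNEL = [SA("AH", "transport"), SA("ESP", "tunnel", auth=False)]

if __name__ == "__main__":
    for label, bundle in [("ESP w/auth", ESP_WITH_AUTH),
                          ("transport adjacency", TRANSPORT_ADJACENCY),
                          ("transport-tunnel bundle", TRANSPORT_TUNNEL)]:
        p = apply_bundle(original(), bundle)
        print(f"{label}: {p.headers}\n  encrypted={sorted(p.encrypted)}"
              f"\n  authenticated={sorted(p.authenticated)}")
```

Running it shows why transport adjacency authenticates the original IP header while ESP with the authentication option does not, and why the transport-tunnel bundle leaves only the new outer IP header outside both protections.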
Basic Combinations
IPSec architecture lists four examples that must be supported in an implementation
Figures represent the logical and physical connectivity
Each SA can be either AH or ESP
Host-to-host SAs can be either transport or tunnel mode; any other SA must be tunnel mode
Basic Combinations – Case 1
All security is provided between end systems that implement IPSec
Possible combinations:
a. AH in transport mode
b. ESP in transport mode
c. AH followed by ESP in transport mode (an AH SA inside an ESP SA)
d. Any one of a, b, or c inside an AH or ESP in tunnel mode
Basic Combinations – Case 1
Basic Combinations – Case 2
Security is provided only between gateways and no hosts implement IPSec
VPN – Virtual Private Network
Only a single tunnel is needed (supports AH, ESP or ESP w/auth)
Basic Combinations – Case 2
Basic Combinations – Case 3
Builds on Case 2 by adding end-to-end security
Gateway-to-gateway tunnel is ESP
Individual hosts can implement additional IPSec services via end-to-end SAs
Basic Combinations – Case 3
Basic Combinations – Case 4
Provides support for a remote host using the Internet and reaching behind a firewall
Only tunnel mode is required between the remote host and the firewall
One or two SAs may be used between the remote host and the local host
Basic Combinations – Case 4
Key Management
Determination and distribution of secret keys
Four keys for communication between two applications: transmit and receive pairs for both AH & ESP
Two modes: manual and automated
Two protocols:
Oakley Key Determination Protocol
Internet Security Association and Key Management Protocol (ISAKMP)
Oakley Key Determination Protocol
Refinement of the Diffie-Hellman key exchange algorithm
Two users A and B agree on two global parameters: q, a large prime number, and α, a primitive root of q (see p.68)
Secret keys created only when needed
Exchange requires no preexisting infrastructure
Disadvantage: subject to MITM attack
Features of Oakley
Employs cookies to thwart clogging attacks
Two parties can negotiate a group (modular exponentiation or elliptic curves)
Uses nonces to ensure against replay attacks
Enables the exchange of Diffie-Hellman public key values
Authenticates the Diffie-Hellman exchange to thwart MITM attacks
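The Diffie-Hellman exchange over q and α from the previous slide, with the Oakley additions listed above (cookie, nonces, authenticated exchange), as an added toy example that is not part of the lecture material: authentication of the public values with a pre-shared key is what turns the MITM disadvantage of plain Diffie-Hellman into a detectable failure. The values of q, α, the addresses, the pre-shared key and the HMAC-based tag construction are assumptions of the example, not Oakley's actual message formats.

```python
"""Toy Oakley-style key exchange (added example, not from the slides).

Diffie-Hellman over the slides' global parameters q (prime) and alpha
(primitive root of q), plus the Oakley additions named above: a cookie to
resist clogging, fresh nonces against replay, and authentication of the
exchange with a pre-shared key so that a substituted public value is
detected rather than silently yielding a key shared with an on-path party.
q, alpha, addresses and secrets are small constructed values."""
import hashlib
import hmac
import secrets

q = 2147483647        # 2^31 - 1, prime (toy size; real groups are far larger)
alpha = 7             # a primitive root of q


def make_cookie(local_secret: bytes, src: str, dst: str) -> bytes:
    """Oakley cookie: a cheap hash of the addresses and a local secret.  The
    responder does no exponentiation until the initiator echoes it back."""
    return hashlib.sha256(local_secret + src.encode() + dst.encode()).digest()[:8]


def dh_public(x: int) -> int:
    return pow(alpha, x, q)


def dh_shared(peer_public: int, x: int) -> int:
    return pow(peer_public, x, q)


def auth_tag(psk: bytes, *parts) -> bytes:
    """HMAC over the exchange transcript: cookies, nonces and DH public values.
    Integers are encoded as fixed 4-byte fields since they are below 2^32."""
    h = hmac.new(psk, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(4, "big"))
    return h.digest()


def run_exchange(psk: bytes, substituted_public=None):
    """One A<->B exchange.  If substituted_public is given it replaces A's
    public value in transit, modelling the MITM risk of unauthenticated
    Diffie-Hellman; B's tag then fails verification at A.
    Returns (tag_ok, key_A, key_B)."""
    # A: cookie, nonce, private exponent and public value
    ck_a = make_cookie(b"A-local-secret", "10.0.0.1", "10.0.0.2")   # constructed
    n_a = secrets.token_bytes(16)
    x_a = secrets.randbelow(q - 2) + 1
    y_a = dh_public(x_a)
    y_a_seen_by_b = substituted_public if substituted_public is not None else y_a
    # B: its own cookie, nonce and exponent, and a tag over the transcript it saw
    ck_b = make_cookie(b"B-local-secret", "10.0.0.2", "10.0.0.1")
    n_b = secrets.token_bytes(16)
    x_b = secrets.randbelow(q - 2) + 1
    y_b = dh_public(x_b)
    tag_b = auth_tag(psk, ck_a, ck_b, n_a, n_b, y_a_seen_by_b, y_b)
    # A recomputes the tag over what it actually sent; a mismatch means tampering
    expected = auth_tag(psk, ck_a, ck_b, n_a, n_b, y_a, y_b)
    tag_ok = hmac.compare_digest(tag_b, expected)
    key_a = dh_shared(y_b, x_a)
    key_b = dh_shared(y_a_seen_by_b, x_b)
    return tag_ok, key_a, key_b


if __name__ == "__main__":
    print("honest run verified:", run_exchange(b"preshared-secret")[0])
    print("substituted value detected:",
          not run_exchange(b"preshared-secret", substituted_public=12345)[0])
```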
Aggressive Oakley Key Exchange
ISAKMP
Defines procedures and packet formats to establish, negotiate, modify and delete SAs
Defines payloads for exchanging key generation and authentication data
Now called IKE
ISAKMP Formats
ISAKMP Payload Types
ISAKMP Exchanges
Provides a framework for message exchange
Payload types serve as the building blocks
Five default exchange types specified
SA refers to an SA payload with associated Protocol and Transform payloads
ISAKMP Exchange Types
Internet Key Exchange
IKE is now at Ver 2 – defined in RFC4306, 12/05
It works within the ISAKMP framework
Uses Oakley and Skeme protocols for authenticating keys and rapid key refreshment
Network Security
Basic Networking – Part B
IPv6
1995 – RFC 1752 IPng
1998 – RFC 2460 IPv6
Functional enhancements for a mix of data streams (graphic and video)
Driving force was address depletion
128-bit addresses
Started in Solaris 2.8, Windows 2000
IPv6 Packet w/Extension Headers
OSI Layers
OSI Environment
OSI-TCP/IP Comparison
Network Security
IP Security – Part 2
Ethereal
Ethereal is a free network protocol analyzer for Unix and Windows
Packet Sniffer – data can be captured "off the wire" from a live network connection
www.ethereal.com – Everything you ever wanted to know about Ethereal
wiki.ethereal.com – This is the "User's Manual"; it also has a nice "References" section
(Ethereal capture screenshot; callouts: cookie is captured, getting a quote, business.nytimes.com, DNS query, ACK)
Ethereal Etiquette
Be careful when and where you use this tool
It makes people nervous
Use prudence with the information you collect
When in doubt, seek permission!
Other Sniffing Tools
Ettercap is an open source software tool for computer network protocol analysis and security cracking. It can be used to intercept traffic on a network segment, capture passwords, and conduct man-in-the-middle attacks against a number of common protocols.
dSniff is a packet sniffer and set of traffic analysis tools. Unlike tcpdump and other low-level packet sniffers, dSniff also includes tools that decode information (passwords, most infamously) sent across the network, rather than simply capturing and printing the raw data, as do generic sniffers like Ethereal and tcpdump.
AiroPeek was the first Wi-Fi (IEEE 802.11) packet analyzer, or packet sniffer, that provides network engineers with a view of the data traversing a Wireless LAN network. AiroPeek was created in 2001 and its interface was based closely on EtherPeek, another product from WildPackets, Inc. They also have some “free” utilities.
Important URLs
www.insecure.org/tools.html
Site has the top 50 security tools
Nmap is a free software port scanner. It is used to evaluate the security of computers, and to discover services or servers on a computer network.
EtherApe is a graphical network monitor for Unix. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Protocols are displayed color-coded.
Be judicious in the use of these tools!
Homework
Read the rest of Chapter Six
Mid-Term Exam (take home) is due next class
No late submissions
Spring Fever – Enjoy It!