VPNs: IETF Developing IPsec Security Standards (slide transcript)
Post on 18-Dec-2015
TRANSCRIPT
VPNs: IETF Developing IPsec Security Standards
• IP security
• At the internet layer
• Protects all messages at the transport and application layers
Diagram (protocol stack, top to bottom): E-Mail, WWW, Database, etc. / TCP, UDP / IPsec
VPNs: IPsec Transport Mode
• End-to-end security for hosts
Diagram: Local Network - Internet - Local Network; the secure communication runs host to host across the whole path
VPNs: IPsec Tunnel Mode
• IPsec server at each site
• Secure communication between sites
Diagram: Local Network - IPsec Server - Internet - IPsec Server - Local Network; the secure communication runs only between the two IPsec servers
VPNs: IPsec Modes Can Be Combined
• End-to-end transport mode connection
• Within a site-to-site tunnel mode connection
Diagram: Local Network - Internet - Local Network; tunnel mode between the sites, transport mode end to end inside the tunnel
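The three IPsec slides above differ in what an observer on the Internet can still read. The following added example (not part of the slides) makes that concrete: it builds a simplified IPv4 packet, wraps it the way ESP does in transport mode (original header kept, upper layers encrypted) and in tunnel mode (whole packet encrypted, new outer header naming the gateways), and reports what a passive observer sees in each case. Crypto is a stand-in: HMAC-SHA256 in counter mode as the keystream plus an HMAC integrity check value, where real ESP would use e.g. AES-GCM; the 9-byte header and all addresses are constructed sample values, and the anti-replay check is the simplest window of one.

```python
"""
Added illustration: observer view of IPsec transport mode vs tunnel mode with an
ESP-style wrapper (RFC 4303 layout: SPI | sequence | IV | ciphertext | ICV).
Simplified IPv4 header: src(4) | dst(4) | protocol(1). Toy crypto, constructed data.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from dataclasses import dataclass

ESP, TCP, IPV4 = 50, 6, 4          # IP protocol / ESP next-header numbers
HDR_LEN = 9                        # length of the simplified IP header


@dataclass
class SecurityAssociation:
    """One ESP SA shared by both IPsec endpoints, with anti-replay state."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                   # sender's last used sequence number
    last_seen: int = 0             # receiver's highest accepted sequence number


def ip_header(src: str, dst: str, proto: int) -> bytes:
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + bytes([proto])


def parse_ip(pkt: bytes):
    """Return (src, dst, protocol, payload) of a simplified packet."""
    src = str(ipaddress.IPv4Address(pkt[0:4]))
    dst = str(ipaddress.IPv4Address(pkt[4:8]))
    return src, dst, pkt[8], pkt[HDR_LEN:]


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # PRF in counter mode: toy stand-in for a real cipher such as AES-GCM
    blocks = (hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def esp_protect(sa: SecurityAssociation, plaintext: bytes, next_header: int) -> bytes:
    sa.seq += 1
    iv = secrets.token_bytes(8)
    body = plaintext + bytes([next_header])        # ESP trailer carries Next Header, so it is encrypted too
    ct = bytes(a ^ b for a, b in zip(body, keystream(sa.enc_key, iv, len(body))))
    hdr = struct.pack(">II", sa.spi, sa.seq) + iv
    icv = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    return hdr + ct + icv


def esp_unprotect(sa: SecurityAssociation, esp: bytes):
    hdr, ct, icv = esp[:16], esp[16:-16], esp[-16:]
    expected = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):     # integrity first, before any decryption
        raise ValueError("ESP ICV mismatch: packet altered or wrong SA")
    spi, seq = struct.unpack(">II", hdr[:8])
    if spi != sa.spi or seq <= sa.last_seen:        # anti-replay (RFC 4303 3.4.3), window of one
        raise ValueError("ESP replay or wrong SPI")
    sa.last_seen = seq
    body = bytes(a ^ b for a, b in zip(ct, keystream(sa.enc_key, hdr[8:16], len(ct))))
    return body[:-1], body[-1]                      # (payload, next_header)


def transport_mode(sa, pkt):
    """Host to host: original IP header stays in the clear, only the upper layers are wrapped."""
    src, dst, proto, payload = parse_ip(pkt)
    return ip_header(src, dst, ESP) + esp_protect(sa, payload, proto)


def tunnel_mode(sa, pkt, gw_src, gw_dst):
    """Site to site: the whole original packet is the ESP payload; the outer header names the gateways."""
    return ip_header(gw_src, gw_dst, ESP) + esp_protect(sa, pkt, IPV4)


def observer_view(pkt):
    """What someone on the Internet path reads without the SA keys."""
    src, dst, proto, _ = parse_ip(pkt)
    return {"src": src, "dst": dst, "proto": proto}


def decapsulate(sa, pkt):
    """Receiver side for either mode; returns the original plaintext packet."""
    src, dst, proto, esp = parse_ip(pkt)
    if proto != ESP:
        raise ValueError("not an ESP packet")
    inner, next_header = esp_unprotect(sa, esp)
    return inner if next_header == IPV4 else ip_header(src, dst, next_header) + inner


def demo():
    sa = SecurityAssociation(spi=0x1000, enc_key=secrets.token_bytes(32), auth_key=secrets.token_bytes(32))
    original = ip_header("10.0.0.5", "10.1.0.9", TCP) + b"GET /payroll HTTP/1.1\r\n"   # constructed
    tm = transport_mode(sa, original)
    tn = tunnel_mode(sa, original, "203.0.113.1", "198.51.100.1")                     # gateway addresses
    views = observer_view(tm), observer_view(tn)
    assert decapsulate(sa, tm) == original and decapsulate(sa, tn) == original
    return views
```

Running `demo()` shows the point of the slides: in transport mode the observer still learns that 10.0.0.5 is talking to 10.1.0.9 (only the TCP segment is hidden), whereas in tunnel mode the observer sees just the two gateways, and the inner header travels inside the ciphertext. Combining the modes as in the last slide means the inner packet is itself a transport-mode packet.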
VPNs: Another Security System for VPNs is the Point-to-Point Tunneling Protocol (PPTP)
• For dial-up connections, based on PPP
• Connects the user securely to a remote access server at a site
Diagram: Dial-Up Connection - Internet - Remote Access Server - Local Network; the PPTP connection runs from the user to the remote access server
Note: PPTP's authentication (MS-CHAP) and encryption (MPPE) have since been shown to be weak, and the protocol is now considered obsolete.
PKIs
To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI)
• A PKI automates most aspects of using public key encryption and authentication
• Uses a PKI server
PKIs: PKI Server Creates Public Key-Private Key Pairs
• Distributes private keys to applicants securely
• Often, private keys are embedded in delivered software
Diagram: PKI Server delivers a private key to the applicant
PKIs: PKI Server Provides CRL Checks
• Distributes digital certificates to verifiers
• Checks the certificate revocation list before sending digital certificates
Diagram: PKI Server sends a digital certificate to the verifier
PKIs: CRL (Certificate Revocation List) Checks
• If an applicant gives a verifier a digital certificate,
• the verifier must check the certificate revocation list
Diagram: the verifier asks the PKI Server "OK?"; the PKI Server consults the CRL and answers "OK" or "Revoked"
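The PKI slides above describe the pieces (a PKI server that issues certificates and a CRL the verifier must consult) without showing how a verifier actually puts them together. The following added example (not part of the slides) does that end to end: a toy CA issues certificates and publishes a signed CRL, and the verifier accepts a certificate only if the CA's signature on it verifies and a fresh, CA-signed CRL from the same issuer does not list its serial. It fails closed: a stale, forged or wrong-issuer CRL is a rejection, not a pass. Two departures from the slides, both labelled in the code: textbook RSA with 256-bit primes and no padding stands in for real X.509 signatures (it is not secure at that size), and the applicant generates its own key pair and hands only the public key to the CA, which is how most deployments work today, rather than the slide's model of the PKI server distributing private keys. The CA name, subject names and dates are constructed.

```python
"""
Added example: verifier-side certificate and CRL check against a toy CA.
Toy RSA (tiny primes, no padding) stands in for X.509 signatures. Constructed data.
"""
import hashlib
import json
import secrets
from datetime import datetime, timedelta, timezone


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p


def rsa_keypair(bits=512):
    """Toy RSA, e = 65537. Returns ((n, e), (n, d)). Far too small for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(obj) -> int:
    """Canonical JSON of the to-be-signed fields, hashed to an integer below n."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, obj):
    n, d = priv
    return pow(digest_int(obj), d, n)


def verify(pub, obj, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(obj)


class CA:
    """The slides' PKI server: issues certificates and publishes a signed CRL."""
    def __init__(self, name):
        self.name, (self.pub, self._priv) = name, rsa_keypair()
        self.next_serial, self.revoked = 1, {}

    def issue(self, subject, subject_pub, days=365):
        # Only the applicant's PUBLIC key reaches the CA (certificate signing request model)
        tbs = {"serial": self.next_serial, "subject": subject, "issuer": self.name,
               "public_key": list(subject_pub),
               "not_after": (datetime.now(timezone.utc) + timedelta(days=days)).isoformat()}
        self.next_serial += 1
        return {"tbs": tbs, "sig": sign(self._priv, tbs)}

    def revoke(self, serial, reason="keyCompromise"):
        self.revoked[serial] = reason

    def crl(self, valid_for=timedelta(days=1)):
        now = datetime.now(timezone.utc)
        tbs = {"issuer": self.name, "this_update": now.isoformat(),
               "next_update": (now + valid_for).isoformat(), "revoked": sorted(self.revoked)}
        return {"tbs": tbs, "sig": sign(self._priv, tbs)}


def check_certificate(cert, crl, ca_pub, ca_name, now=None):
    """Verifier logic: 'OK', 'REVOKED', or 'REJECT: <why>'. Unknown status is a rejection."""
    now = now or datetime.now(timezone.utc)
    tbs = cert["tbs"]
    if tbs["issuer"] != ca_name or not verify(ca_pub, tbs, cert["sig"]):
        return "REJECT: certificate not signed by the trusted CA"
    if now > datetime.fromisoformat(tbs["not_after"]):
        return "REJECT: certificate expired"
    if crl is None or crl["tbs"]["issuer"] != ca_name or not verify(ca_pub, crl["tbs"], crl["sig"]):
        return "REJECT: no trustworthy CRL from this issuer"
    c = crl["tbs"]
    if not datetime.fromisoformat(c["this_update"]) <= now <= datetime.fromisoformat(c["next_update"]):
        return "REJECT: CRL stale, revocation status unknown"
    return "REVOKED" if tbs["serial"] in c["revoked"] else "OK"


def demo():
    ca = CA("Example Corp Root CA")                                 # constructed CA name
    alice = ca.issue("alice.example", rsa_keypair()[0])            # applicant-generated key pairs
    bob = ca.issue("bob.example", rsa_keypair()[0])
    ca.revoke(alice["tbs"]["serial"])                              # alice's key reported compromised
    crl = ca.crl()
    now = datetime.now(timezone.utc)
    forged = {"tbs": {**crl["tbs"], "revoked": []}, "sig": crl["sig"]}   # attacker strips alice from the CRL
    return {"alice": check_certificate(alice, crl, ca.pub, ca.name, now),
            "bob": check_certificate(bob, crl, ca.pub, ca.name, now),
            "bob_stale_crl": check_certificate(bob, crl, ca.pub, ca.name, now + timedelta(days=2)),
            "alice_forged_crl": check_certificate(alice, forged, ca.pub, ca.name, now)}
```

The order of checks matters: the CRL's own signature and issuer are verified before its contents are trusted, and a CRL past its `next_update` yields a rejection rather than a silent "OK", because a revoked (compromised) certificate is exactly the case an attacker would pair with a blocked or outdated CRL download.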
Integrated Security System
When two parties communicate ...
• Their software usually handles the details
• First, negotiate security methods
• Then, authenticate one another
• Then, exchange a symmetric session key
• Then communicate securely using the symmetric session key and message-by-message authentication
SSL Integrated Security System
SSL
• Secure Sockets Layer
• Developed by Netscape
TLS (now)
• Netscape gave IETF control over SSL
• IETF renamed it TLS (Transport Layer Security)
• Usually still called SSL
Location of SSL
Below the Application Layer
• IETF views it at the transport layer
• Protects all application exchanges
• Not limited to any single application: WWW transactions, e-mail, etc.
Diagram: E-Mail, WWW over SSL
SSL Operation
Browser & Webserver Software Implement SSL
• User can be unaware
SSL Operation: SSL ISS Process
• Two sides negotiate security parameters
• Webserver authenticates itself (with its digital certificate)
• Browser may authenticate itself but rarely does
• Browser selects a symmetric session key and sends it to the webserver, encrypted under the webserver's public key
• All subsequent messages are encrypted with the symmetric key and authenticated message by message with a keyed message authentication code (a MAC, not a per-message public key signature)
Importance of SSL
Supported by Almost All Browsers
• De facto standard for Internet application security
Problems
• Relatively weak security
• Does not protect data once it is stored on the merchant server (protects only data in transit)
• Does not validate credit card numbers
• Viewed as an available but temporary approach to consumer security
Other ISSs
SSL is merely an example integrated security system
Many other ISSs exist
• IPsec
• PPP and PPTP
• Etc.
Other ISSs
All ISSs have the same general steps
• Negotiate security parameters
• Authenticate the partners
• Exchange a session key
• Communicate with message-by-message privacy, authentication, and message integrity
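The four ISS steps are stated three times on this page (the Integrated Security System slide, the SSL ISS Process slide, and the list just above). The following added example (not part of the slides) implements the two steps that are pure protocol logic: step 1, parameter negotiation done the safe way (server preference order, a floor on strength, fail closed when nothing acceptable is shared), and step 4, a record layer that gives every message privacy, authentication and integrity under the symmetric session key, with sequence numbers so replayed, reordered, tampered or reflected records are rejected. Steps 2 and 3 (certificate-based authentication and session key transport) are assumed to have happened already: both sides are simply handed the same random key. The cipher-suite names and their strength ranks are a constructed table, and HMAC-SHA256 in counter mode stands in for a real cipher.

```python
"""
Added example: ISS step 1 (negotiation) and step 4 (per-message protection under a
session key). Steps 2-3 are assumed done. Constructed suite table; toy keystream.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed table, higher rank = stronger. The server picks from its OWN preference
# order and refuses suites below its floor; honouring the client's order lets a client
# or a man in the middle editing the offer force a downgrade to the weakest suite.
SUITE_RANK = {"AES256-GCM-SHA384": 3, "AES128-GCM-SHA256": 2, "3DES-CBC-SHA": 1, "RC4-MD5": 0}


def negotiate(client_offer, server_prefs, min_rank=2):
    """Step 1: return the first server-preferred suite the client also offers, or fail closed."""
    for suite in server_prefs:
        if suite in client_offer and SUITE_RANK.get(suite, -1) >= min_rank:
            return suite
    raise ValueError("handshake failure: no acceptable common suite")


def derive(session_key: bytes, label: bytes) -> bytes:
    """One session key, independent sub-keys per purpose and per direction."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def keystream(key, nonce, n):
    # PRF in counter mode: toy stand-in for a real cipher
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


class RecordLayer:
    """Step 4, one direction of traffic. Each side holds one instance per direction."""
    def __init__(self, session_key: bytes, direction: bytes):
        self.enc_key = derive(session_key, b"enc|" + direction)
        self.mac_key = derive(session_key, b"mac|" + direction)
        self.send_seq = 0
        self.recv_seq = 0

    def protect(self, plaintext: bytes) -> bytes:
        seq = struct.pack(">Q", self.send_seq)          # never reused within a session
        self.send_seq += 1
        ct = bytes(a ^ b for a, b in zip(plaintext, keystream(self.enc_key, seq, len(plaintext))))
        tag = hmac.new(self.mac_key, seq + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        return seq + ct + tag

    def unprotect(self, record: bytes) -> bytes:
        if len(record) < 40:
            raise ValueError("record too short")
        seq, ct, tag = record[:8], record[8:-32], record[-32:]
        expect = hmac.new(self.mac_key, seq + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):         # tampering, wrong key, or reflected record
            raise ValueError("bad record MAC")
        if struct.unpack(">Q", seq)[0] != self.recv_seq:   # replayed, dropped or reordered record
            raise ValueError("unexpected sequence number")
        self.recv_seq += 1
        return bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, seq, len(ct))))


def demo():
    suite = negotiate(["RC4-MD5", "AES128-GCM-SHA256", "AES256-GCM-SHA384"],       # browser's offer
                      ["AES256-GCM-SHA384", "AES128-GCM-SHA256", "3DES-CBC-SHA"])  # server's preferences
    session_key = secrets.token_bytes(32)   # assumed authenticated and exchanged in steps 2-3
    browser_out, server_in = RecordLayer(session_key, b"c2s"), RecordLayer(session_key, b"c2s")
    server_out, browser_in = RecordLayer(session_key, b"s2c"), RecordLayer(session_key, b"s2c")

    req = browser_out.protect(b"GET /account HTTP/1.1")          # constructed traffic
    assert server_in.unprotect(req) == b"GET /account HTTP/1.1"
    resp = server_out.protect(b"HTTP/1.1 200 OK")
    assert browser_in.unprotect(resp) == b"HTTP/1.1 200 OK"

    outcomes = {"suite": suite}
    attacks = [("replay", req),                                          # same record sent again
               ("tamper", req[:10] + bytes([req[10] ^ 1]) + req[11:]),   # one ciphertext bit flipped
               ("reflect", resp)]                                        # server's record bounced back
    for name, record in attacks:
        try:
            server_in.unprotect(record)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = str(err)
    return outcomes
```

Two design choices carry the weight here: separate keys per direction mean a record captured from the server cannot be replayed to the server as if the browser sent it, and the sequence number is both the cipher nonce and part of the MAC input, so an attacker can neither reuse a keystream nor resend an old record. Real SSL/TLS record protection follows the same shape.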