  • We talk about octets and not bytes. Internet is used by computers with different word sizes than multiples of 8. Numbers 0 and 255 are always reserved. The Internet numbering scheme is very wasteful. The A networks don’t use nearly the 16 million numbers they have allocated to them. B networks also do not use their 64516 numbers. The TUE is a B network (131.155) but only has 3500 employees and around 6000 students. It will use only 10000 to 15000 IP numbers. It is currently almost impossible to get a B network (and absolutely impossible to allocate an A network). The numbering scheme is important because the IP numbers reveal the size of the network. A large organization has a B network and is probably more interesting to try to penetrate than an organization with only a C network.
  • Through the sequence number the receiving end can detect missing datagrams or datagrams that arrive in the wrong order. It can request a retransmission of missing or corrupted datagrams.
  • The time to live is decremented each time the datagram passes through a site. When the counter reaches zero the datagram is discarded. This method ensures that should the routing result in a loop no datagram will be in the loop forever.
  • Routing is a strong and a weak point: A strong point is that the redundant paths allow the network to continue functioning when some gateways go down. A theoretical strong point for security, but in reality pretty weak, is that the data for a single connection may flow through different gateways and is then hard to intercept. Unfortunately, this flow seldom happens. In most cases routing is pretty straightforward. Datagrams are all sent over the same line and in the same order they were sent in, thus making it easy to intercept them. A weak point is that by creating a fast gateway one can teach other gateways to send data through that gateway, which can then intercept all data. The only thing that makes this approach difficult is that creating such a fast gateway has become prohibitively expensive.
  • The translation is both a strong and weak point. It is strong because there are redundant servers (although there really are master servers). It is weak because a server can temporarily start giving out false addresses. The root server that was also the server for the “com” domain failed some time ago, and caused major problems in reaching Internet sites.
  • Text-based protocols are a security risk because it is very easy to read information that is passing by using a packet sniffer.
  • Snooping is easier on a local network than on Internet, because on the local net one can be assured about packets passing by a certain machine. Snooping does not require great skill: network diagnostic software already provides basic snooping facilities. Snooping can be defeated at the hardware level by means of a switched ethernet (with star geometry).
  • Spoofing requires more skill than snooping. It requires you to understand the network topology. The likelihood of getting caught is greater than with snooping. Spoofing can be defeated by networks with static routes: network traffic then cannot be diverted through a spoofing machine.
  • This technique is even more difficult to implement, but it reduces the risk of getting caught. Most of the work in keeping up the appearance of being the real server is done by the real server. Communication is only altered when the spoofing machine considers it interesting.
  • Three can keep a secret if two of them are dead. (Which is the weak point in secret key encryption.)
  • Simply encrypting each subsequent 64-bit block with the same DES key is not very safe. A more secure approach is “CBC”, cipher block chaining. Each 64 bit plaintext block is bitwise exclusive-ORed with the previous ciphertext block before being encrypted with the DES key. Thus, the encryption of each block depends on the previous blocks and the same 64 bit plaintext block can encrypt to different ciphertext blocks depending on its context in the overall message.
  • There is also Secure HTTP for secure Web communication. The problem with Secure HTTP is that it is restricted to HTTP communication. SSL is a more general approach.
  • A potential weakness in SSL is the fact that the client generates a master key. Some version of Netscape Navigator had the problem that the generated master keys were not sufficiently random. The security depends on it being impossible to guess the master key.
  • Information about IPsec at http://www.ietf.org/html.charters/ipsec-charter.html Later viewgraphs will explain more about IPsec!
  • A packet filter or a dual-homed host (acting as a packet filter) can be used to make sure Intranet computers cannot reach Internet directly.
  • A screening router is generally simpler than a bastion host, thus easier to defend. One cannot try to break into the router to gain access to the software that performs the proxy services because they are not in the router.
  • The bastion may offer more services to hosts on the Intranet than on Internet. A site on Internet could forge its address to pretend that it’s on the Intranet. In the screened host setup this could lead to a situation where that site gets more services. In the screened subnet setup this would not work because the forged address would be blocked by the exterior router.
  • An essential property of PPTP is that the communication between client and its dial-up gateway is really tunneled, so anyone tapping into the communication cannot see IP headers or data. But further communication towards Internet (from the gateway on) is of course no longer tunneled using PPTP.
  • Note that when IPsec is used between a pair of security gateways the communication between hosts and the gateway on their respective sides is not secured.
  • Traffic flow confidentiality means that the real source and destination (beyond the secured connection) are hidden. Access control depends on the distribution of cryptographic keys and the management of traffic flows relative to the security protocols. Each protocol can be used in transport mode or tunnel mode. In transport mode they concentrate on protecting upper layer protocols (i.e. they do not hide IP headers but only higher level headers); in tunnel mode the protocols are applied to tunneled IP packets (i.e. they hide the complete packets including headers).
  • Creating a separate encrypted tunnel for each TCP connection can be prohibitively expensive when used in combination with HTTP (1.0). Public-key cryptography is normally used to communicate a secret key. But if public-key cryptography has to be used for each HTTP request it becomes very expensive. (Example: Jim’s Bloomberg incident)
  • Proxy packages include Wingate and Sygate. Windows 98 and Windows 2000 include “internet connection sharing” possibilities.
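
The cipher block chaining described in the notes above, as an added example that is not part of the original slides. A 16-round Feistel toy cipher on 64-bit blocks stands in for DES (the Python standard library has no DES); the key, IV, message and all function names are constructed for the illustration.

```python
import hashlib

BLOCK = 8  # bytes: the 64-bit block size of DES


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(half: bytes, key: bytes, rnd: int) -> bytes:
    # Round function of the stand-in cipher (NOT the DES round function).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, xor_bytes(left, round_function(right, key, rnd))
    return left + right


def decrypt_block(block: bytes, key: bytes, rounds: int = 16) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):
        left, right = xor_bytes(right, round_function(left, key, rnd)), left
    return left + right


def split_blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of 8 bytes (padding is out of scope)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # "Simply encrypting each subsequent 64-bit block with the same key".
    return b"".join(encrypt_block(b, key) for b in split_blocks(plaintext))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for block in split_blocks(plaintext):
        # XOR with the previous ciphertext block, then encrypt.
        prev = encrypt_block(xor_bytes(block, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for block in split_blocks(ciphertext):
        out.append(xor_bytes(decrypt_block(block, key), prev))
        prev = block
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed inputs: three identical 8-byte plaintext blocks, then a different one.
KEY = b"constructed-key"
IV = bytes(range(8))
MESSAGE = b"PAY 0100" * 3 + b"PAY 9999"

if __name__ == "__main__":
    print("repeats visible without chaining:", repeated_blocks(ecb_encrypt(MESSAGE, KEY)))
    print("repeats visible with CBC:        ", repeated_blocks(cbc_encrypt(MESSAGE, KEY, IV)))
```

Without chaining, an eavesdropper sees which plaintext blocks repeat even without the key; with CBC the repeats disappear and the ciphertext also changes with the IV.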
  • Transcript

    • 1. Information Security Internet, Intranet, Extranet Prof. dr. P.M.E. De Bra Department of Computing Science Eindhoven University of Technology
    • 2. Parts / Topics / Issues
      • Basics of Internet technology / Organization
      • Application of encryption in networks
      • Principles of Firewalls / Virtual Private Networks.
      • Financial transactions over Internet
      • Basics of World Wide Web technology
      • Server-side security issues
      • Client-side security issues
      • Accessing databases through the Web
    • 3. What is Internet?
      • A network of networks based on the TCP/IP protocols.
      • A community of people who use and develop those networks.
      • A collection of resources that can be reached from those networks.
      • Internet standards are defined in RFCs.
      • An informal definition of Internet is given in RFC 1462:
      • http://www.normos.org/ietf/rfc/rfc1462.txt
    • 4. Layered Internet protocols
      • Hardware-level protocol (wire without protocol, ethernet protocol, X.25, ATM, ...).
      • IP (lowest level Internet Protocol).
      • TCP, UDP, ICMP: TCP is used most, provides reliable connections.
      • SMTP, FTP, Telnet, ...: Application-level protocols (mostly on top of TCP/IP).
      • We look at 1) TCP, 2) IP, 3) UDP and ICMP, 4) Application-level protocols, 5) Ethernet
    • 5. Internet Basics: Addressing
      • Every computer has a 32 bit (4 octet) address: e.g. 131.155.70.196. Addresses reveal something about the associated network:
        • First octet 1..126: A networks, very large. (Arpanet is one of these 126 networks.)
        • First two octets 128.1 .. 191.254: B networks, maximum of 64516 computers in each network.
        • First three octets 192.1.1 .. 223.254.254: C networks, maximum of 254 computers in each.
        • Addresses above 224.1.1 are reserved for the future, for still undefined D and E networks.
    • 6. Internet Basics: Addressing
      • Some addresses are never used. They can be used behind firewalls on company Intranets:
        • 10.0.0.0 to 10.255.255.255 can be used for an A class Intranet.
        • 172.16.0.0 to 172.16.255.255 can be used for a B class Intranet.
        • 192.168.0.0 to 192.168.255.255 can be used for C class Intranets.
        • First octet 127 is not used on Internet or Intranets. (127.0.0.1 is the “loopback” on every machine.)
    • 7. Internet Basics: TCP protocol
      • Provides connections on top of the connectionless IP protocol, through the use of ports.
        • A connection is defined by a source and destination IP address and a source and destination port. (A TCP header contains ports, the IP header the IP addresses.)
        • “Standard” servers “listen” to predefined (privileged) ports, with numbers below 1024.
        • Clients use unprivileged ports.
        • One computer can have many simultaneous connections to many other computers. All connections between a pair of computers must use different source or destination port numbers.
    • 8. Internet Basics: TCP protocol
      • Data to be transmitted is divided in (a sequence of) datagrams.
        • TCP software on both ends says how large a datagram may be. The smaller size is chosen. Each datagram consists of a header and data.
        • Each datagram gets a sequence number. Each received datagram is acknowledged by returning a datagram with an acknowledgement number.
        • The acknowledgement contains a window size, indicating how many datagrams may be sent before the sender has to stop.
        • Every datagram gets a checksum to verify that the contents have arrived correctly.
    • 9. Internet Basics: IP
      • IP sends datagrams from a source IP address to a destination IP address. (It may also split the datagram when needed.)
        • Each datagram contains an IP header, with a checksum (of the header only).
        • The header contains a protocol (code) to indicate whether it is a TCP, UDP or ICMP datagram.
        • Each datagram is routed separately.
        • Some datagrams may arrive faster than others.
        • Some datagrams may be lost. Each header has a time to live to indicate how much longer (number of hops) the datagram may live.
    • 10. Internet Basics: Routing
      • Routing is the task of finding how to get a datagram to its destination.
        • Each machine can send datagrams directly to some other machines on a local network.
        • Each machine knows a gateway machine it can send datagrams to.
        • A gateway has connections to a number of networks and maintains a routing table of which connection to use for which destination.
        • A gateway can respond to a request with “I’m not the best gateway for this destination”.
    • 11. Internet Basics: Domain Names
      • Most applications and users use domain names instead of IP numbers. A redundant hierarchy of name servers provides translation of names to numbers.
        • Name to reach: pcnov290.win.tue.nl
        • Ask a root server for an nl server.
        • Ask a server for the nl domain for a tue server.
        • Ask a server for the tue domain for a win server.
        • Ask a server for the win domain for the address of pcnov290.
    • 12. Internet Basics: UDP and ICMP
      • UDP: User Datagram Protocol
        • Provides port numbers like TCP.
        • Provides a checksum for header + data.
        • Does not split data into separate datagrams.
        • Does not put sequences of datagrams together.
        • Does not keep track of lost datagrams, for retransmission.
      • ICMP: Internet Control Message Protocol
        • Used for messages (that fit into a single datagram).
        • Interpreted by IP itself. There are no port numbers.
    • 13. Application level Protocols
      • Many TCP/IP protocols are text-based so that humans can easily interpret them:
      • Example: Mail dialog between client and server
      • svis01: 220 svis01.win.tue.nl ESMTP Sendmail 8.8.7/1.45 ready at Fri, 5 Feb 1999 23:28:31 +0100 (MET)
      • pcnov290: HELO pcnov290.win.tue.nl
      • svis01: 250 svis01.win.tue.nl Hello pcnov290 [131.155.71.147], pleased to meet you
      • pcnov290: MAIL From: debra@win.tue.nl
      • svis01: 250 debra@win.tue.nl... Sender ok
      • ...
    • 14. Application level Protocols
      • Telnet: allows logging in on any other computer on the network (on which you have an account). It requires an interactive login. (Username and Password are transmitted without encryption.)
      • Rlogin: allows remote login as a specific user. It is possible to log in without a password, based on domain name. (Insecure.)
      • Ssh: “secure shell”, allows remote login over an encrypted channel, with or without password. (Public/private keys are used between computers.)
    • 15. Application level Protocols
      • Ftp: File Transfer Protocol. Used in anonymous mode to access public file servers, and with passwords to copy to and from machines. Ftp uses separate “channels” for commands and for data transfer.
      • Rcp: Remote copy, allowed based on domain name / user name combination. Insecure.
      • Scp: Secure copy, allowed based on domain name / user name combination and public/private key encryption. Uses encrypted channel to avoid snooping.
    • 16. Application level Protocols
      • SMTP: Simple Mail Transfer Protocol
      • NNTP: Network News Transfer Protocol
      • RPC: There are different varieties of protocols for remote execution. (Remote shell, remote procedure call, etc.)
      • NFS: Network File System. Introduced by Sun Microsystems. Uses UDP, not TCP.
      • Remote Printing
      • ...
    • 17. Ethernet
      • Each ethernet board has a unique 48 bit address. (16 bits are assigned to a vendor, 32 bits can be used by the vendor).
      • Every ethernet packet contains a source address and destination address.
      • Every ethernet packet contains a checksum at the end.
      • Ethernet interfaces automatically listen to packets with their address as destination. It is possible to cheat (to listen to everything).
    • 18. Ethernet
      • An ARP request is used to find out which ethernet address corresponds to an IP number.
      • ARP is needed to talk to Internet hosts on the local ethernet.
      • (Local) ethernet routers can block packets that originate from machines with an unknown ethernet address. (It is easier to pretend to have a different IP number than to pretend to have a different ethernet number.)
    • 19. Internet security: Issues
      • How to achieve secure (secret and reliable) communication over an insecure network. (Which encryption techniques fit which purpose.)
      • How to prevent unauthorized access to services while allowing authorized access to other services.
      • How to isolate a company network from Internet, while allowing the use of Internet by computers in the company.
    • 20. Internet communication threats
      • Snooping: Any computer on Internet can intercept passing datagrams. One can easily filter out the data belonging to a single connection.
    • 21. Internet communication threats
      • Spoofing: A computer can pretend to be another one (by using the other’s IP number) and thus steal its traffic.
    • 22. Internet communication threats
      • Spoofing: Man in the middle variation Spoofing machine talks to the “real” owner of IP number, to pass on corrupted data.
    • 23. Secure communication
      • Four requirements:
        • Confidentiality: others cannot eavesdrop on an information exchange.
        • Integrity: the messages cannot be tampered with (without that being detected).
        • Authenticity: the identity of the sender of a message can be verified (through a digital signature).
        • Non-Repudiability: there must be a record of the information exchange so that sender and receiver cannot deny that the exchange took place.
    • 24. Encryption Techniques
      • Secret key encryption: Two parties exchanging information need to know the same secret key. It is used for encryption and decryption of a message.
      • Public key encryption: Two keys work together: a public and a private key. A message encrypted with either key can be decrypted with the other key. One key is published, the other is kept secret.
    • 25. Encryption Standards
      • DES: Data Encryption Standard, developed by IBM. (certified by NIST as FIPS 46-1, and also known as ANSI standard X9.32)
        • Uses 64-bit block size and 56-bit key (plus 8 parity bits).
        • Symmetric cryptosystem, built around a 16 round Feistel cipher.
        • Originally designed for implementation in hardware.
        • Not approved for export outside the USA.
        • DES can be broken, at considerable cost.
    • 26. Encryption Standards
      • Triple-DES: Variation of DES where each message is encrypted three times. There are three variations:
        • DES-EEE3: three DES encryptions with three different keys.
        • DES-EDE3: encrypt, decrypt, encrypt with three different keys.
        • DES-EEE2 and DES-EDE2: same as before but the first and third operations use the same key.
        • Multiple encryption does not necessarily make encryption harder to break.
    • 27. Encryption Standards
      • RC2: variable key-size block cipher (designed by Ron Rivest, leading to the name “Ron’s Code” or “Rivest Cipher”.)
        • Symmetric cryptosystem.
        • Can be made more secure or less secure by using different key sizes.
        • Uses a block size of 64 bits.
        • Twice as fast as DES.
        • Approved for US export with 40-bit key.
    • 28. Encryption Standards
      • RC4: variable key-size stream cipher with byte-oriented operations.
        • Symmetric cryptosystem.
        • Can be made more secure or less secure by using different key sizes.
        • Can be implemented efficiently.
        • Approved for US export with 40-bit keys.
      • RC5: variable block-size, variable key-size, variable number of rounds. (Patent by RSA)
        • Symmetric cryptosystem.
        • Can be implemented efficiently.
    • 29. Encryption Standards
      • IDEA: (International Data Encryption Algorithm) is a 64 bit iterative block cipher with a 128 bit key.
        • Symmetric cryptosystem.
        • Can be implemented efficiently in hardware and software.
        • Widely published about, and thus not subject to export restrictions.
    • 30. Encryption Standards
      • RSA: public-key cryptosystem. Used for encryption and for digital signatures:
        • Asymmetric cryptosystem. Uses pairs of keys, one public, one private.
        • At least 100 times slower than DES, thus not suitable for encrypting large messages or data streams.
    • 31. Encryption Standards
      • Practical use of RSA (or other public-key cryptosystems): suppose A wishes to send a secret, signed message to B.
        • 1. A applies a hash function to the message to create a message digest, a digital fingerprint of the message.
        • 2. A encrypts the digest with her private key.
        • 3. A encrypts the message and digest with B’s public key and sends that to B.
        • 4. B decrypts the message and digest with B’s private key.
        • 5. B decrypts the digest with A’s public key.
        • 6. B performs the hash function on the message and compares it to the digest.
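
The six steps above carried through, as an added example that is not part of the original slides. It uses textbook RSA without padding and small constructed keys built from Mersenne primes, suitable only for following the steps; SHA-1 supplies the 160-bit digest, and the chunking scheme and all function names are assumptions of this sketch.

```python
import hashlib

E = 65537


def make_keypair(p: int, q: int):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Constructed demo keys; far too small for real use.
A_PUBLIC, A_PRIVATE = make_keypair(2**61 - 1, 2**127 - 1)   # 188-bit modulus
B_PUBLIC, B_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)   # 196-bit modulus

SIG_LEN = 24   # bytes that hold any number below A's modulus
CHUNK = 23     # payload bytes per RSA block; plus one marker byte stays below B's modulus


def digest(message: bytes) -> int:
    # Steps 1 and 6: message digest as an integer (160 bits, below A's modulus).
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def rsa(number: int, key) -> int:
    n, exponent = key
    return pow(number, exponent, n)


def send(message: bytes, sender_private, receiver_public) -> list:
    signature = rsa(digest(message), sender_private)               # step 2
    payload = message + signature.to_bytes(SIG_LEN, "big")
    blocks = []
    for i in range(0, len(payload), CHUNK):                        # step 3
        # The 0x01 marker byte preserves leading zero bytes of the chunk.
        m = int.from_bytes(b"\x01" + payload[i:i + CHUNK], "big")
        blocks.append(rsa(m, receiver_public))
    return blocks


def receive(blocks: list, receiver_private, sender_public):
    payload = b""
    for c in blocks:                                               # step 4
        m = rsa(c, receiver_private)
        payload += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    message, signature = payload[:-SIG_LEN], payload[-SIG_LEN:]
    recovered = rsa(int.from_bytes(signature, "big"), sender_public)   # step 5
    return message, recovered == digest(message)                   # step 6


# Constructed message from A to B.
MESSAGE = b"Meeting moved to room 7.13, Friday 14:00. -- A"

if __name__ == "__main__":
    sent = send(MESSAGE, A_PRIVATE, B_PUBLIC)
    print(receive(sent, B_PRIVATE, A_PUBLIC))
    # One flipped bit in transit: the digest comparison in step 6 fails.
    print(receive([sent[0] ^ 1] + sent[1:], B_PRIVATE, A_PUBLIC)[1])
```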
    • 32. Secure Hash Functions
      • SHA: Secure Hash Algorithm (NIST FIPS PUB 180) produces a 160-bit message digest.
      • MD2: Hash algorithm for 8 bit machines.
      • MD4, MD5: Hash algorithms for 32 bit machines. They produce a 64-bit message digest.
    • 33. Secure Sockets Layer
      • Introduced by Netscape Communication to enable secure communication between a Web browser and servers.
      • Extra layer between application and TCP/IP.
      • Is application independent. Applications see an (unencrypted) data channel.
      • Performs
        • Encryption of communication.
        • Server validation.
        • Optional client validation.
    • 34. Secure Sockets Layer
      • Supported encryption techniques:
        • RC2:
        • RC4:
        • IDEA:
        • DES:
        • Triple-DES:
      • Supported message digest technique:
        • MD5
    • 35. Secure Sockets Layer
      • 1. Client opens a channel to the server.
      • 2. Server sends its certificate and cipher preferences.
      • 3. Client generates a master key, encrypts it with the server’s public key, and sends it to the server.
      • 4. Server decrypts the master key, and authenticates itself by returning a message to the client, encrypted using the master key.
      • 5. The server may send a challenge to the client.
      • 6. The client authenticates itself by returning the client’s digital signature on the challenge and its public key certificate.
    • 36. Encryption at the IP level
      • S/WAN (Secure Wide Area Network) promotes the deployment of Internet-based Virtual Private Networks (VPNs).
        • Standard specification for implementing IPsec.
        • Possibly lower level security than SSL.
        • S/WAN uses RC5 encryption with keys ranging from 40 to 128 bits.
        • Protocol formats for Authentication Header and Encapsulating Security Payload are independent of cryptographic algorithm.
        • Host-to-host, subnet-to-subnet and host-to-subnet secure communication.
    • 37. Secure Shell
      • Protocol for secure remote access from one computer to another.
        • Can be used for secure login on a server, or for setting up a virtual private network.
        • Ssh can be configured to forward X11 connections over the encrypted “tunnel”.
        • Other TCP/IP connections can also be tunneled through ssh to the server to give secure access to mail, web, file systems, ftp, etc.
        • info: http://www.ssh.fi/
    • 38. Kerberos
      • Authentication service, part of Project Athena at MIT.
        • Uses secret key encryption (originally DES).
        • Designed to authenticate requests for network resources, not authorship of documents.
        • A server performs centralized key management. It contains the secret keys for all users. This creates a single point of failure.
        • Considered adequate for local networks or networks within one administrative domain.
    • 39. PGP: Pretty Good Privacy
      • Software package that provides cryptographic routines for e-mail and file storage.
        • Provides message encryption, digital signatures, data compression and e-mail compatibility.
        • RSA and Diffie Hellman for key transport.
        • CAST and Triple-DES for message encryption.
        • RSA or DSA for signing. (export restrictions!)
        • MD5, RIPEMD-160 or SHA-1 for computing message digests.
        • Compression through the ZIP program.
    • 40. S/MIME
      • Secure/Multipurpose Internet Mail Extensions.
        • Adds digital signatures and encryption to MIME.
        • (MIME standards, see rfc1521 and rfc822)
        • Endorsed by many messaging vendors, including Microsoft, Lotus, Wollongong, Banyan, NCD, VeriSign, Netscape and Novell.
        • Uses hierarchies of trusted third parties to verify the authenticity of the keys provided by users (or servers).
        • Secret key algorithms DES, Triple-DES, RC2.
        • Private key algorithm: RSA.
    • 41. Host (or Subnet) Security
      • Any technical solution for security must be used as a means of implementing a chosen security policy:
        • What are we protecting?
        • How important is it?
        • How likely is it that it will be attacked?
        • What should happen if an attack is successful?
        • What is permitted, by whom and for what purpose?
        • What Internet connectivity is needed from the host or subnet?
    • 42. Firewalls: background
      • A firewall provides security for an Intranet by controlling what can be communicated with Internet, and how. Firewalls cannot protect against:
        • Attacks that do not go through the firewall (hand carried tapes/disks, modem connections).
        • Data-driven attacks: something (malicious) is uploaded or copied through a legitimate channel, and then executed.
        • Denial of service attacks that overload the data connection between Intranet and Internet.
    • 43. Firewall architectures
      • Approaches:
        • packet filtering: allow only datagrams with certain properties to pass.
        • proxy services: application-level gateways that forward datagrams and hide the Intranet.
      • Architectures:
        • dual-homed host: one host with two network interfaces, one for Intranet, one for Internet.
        • screened host: packet filter combined with bastion host providing gateway/proxy services.
        • screened subnet: trusted/untrusted subnets.
    • 44. Packet filtering (screening router)
    • 45. Packet filtering (screening router)
      • Selectively blocks or lets through packets between the Intranet and Internet, based on:
        • Source IP address
        • Destination IP address
        • Protocol (TCP, UDP)
        • Source port
        • Destination port
      • For each combination one can configure the filter to allow or deny all values, certain ranges, or single values.
    • 46. Proxy Services
    • 47. Proxy Services
      • Specialized services (application-level gateways) take a request from an Intranet computer and forward it to Internet.
        • Proxies are most useful when Intranet computers can only reach Internet through the proxy.
        • Many applications can be configured to use proxies. SOCKS is a proxy construction toolkit used to modify clients for proxy operation.
        • To the Internet hosts all Intranet requests appear to come from the proxy server. A proxy is sometimes used to hide where a request came from.
    • 48. Dual-Homed Hosts
    • 49. Dual-Homed (Bastion) Hosts
      • Requires a host with two network interfaces.
        • High level of control, but possibly also a high workload on the bastion host.
        • All traffic must pass through the bastion host.
        • The bastion host offers proxy services.
        • The IP addresses of the Intranet computers are invisible on Internet. Special ranges are reserved for this: 10.x, 172.16 and 192.168.
        • The bastion host should offer as few services as possible. It should not have user accounts.
    • 50. Screened Host
    • 51. Screened Host
      • Requires a screening router and a bastion host.
        • The router blocks all traffic to and from the Intranet except to and from the bastion host.
        • The bastion host offers proxy services just like the dual-homed host, but needs no second network interface.
        • Combination of router and bastion host may offer better protection than dual-homed host.
        • Internal network is vulnerable to denial of service attacks.
    • 52. Screened Subnet
    • 53. Screened Subnet
      • Extra layer of security by adding a perimeter network.
        • Vulnerable bastion host is isolated from the internal network.
        • Prevents possibility of snooping on the Intranet after breaking into the bastion host.
        • Services from bastion host to Internet may differ from services from bastion host to Intranet.
        • There may be several hosts on the perimeter network: for e-mail, ftp server, WWW server, DNS server, etc.
    • 54. Screened Subnet
      • Interior router:
        • Allows selected services outbound to Internet, and only through the bastion host (proxies).
        • Limits services between bastion host and Intranet (in case bastion is broken into).
      • Exterior router:
        • Protects perimeter and Intranet.
        • Allows most outbound services.
        • Allows only incoming and outgoing services needed by bastion host.
        • Blocks packets with forged Intranet addresses.
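
The packet-filter criteria of slide 45 and the exterior-router rule against forged Intranet addresses, as an added example that is not part of the original slides. It is a first-match rule evaluator; the rule set, the interface names, the bastion address 192.0.2.10 and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = "0.0.0.0/0"
ANY_PORT = (0, 65535)
HIGH_PORTS = (1024, 65535)     # unprivileged client ports

INTRANET = "192.168.0.0/16"    # private range named on the slides
BASTION = "192.0.2.10/32"      # constructed perimeter address (documentation range)


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "perimeter"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    name: str
    iface: str = "any"
    src: str = ANY_NET
    dst: str = ANY_NET
    proto: str = "any"
    sport: tuple = ANY_PORT  # inclusive (low, high) range
    dport: tuple = ANY_PORT

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


def decide(rules, packet):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "deny", "default-deny"


# An Intranet source address can never legitimately arrive from outside.
ANTI_SPOOF = Rule("deny", "anti-spoof", iface="outside", src=INTRANET)
SMTP_IN = Rule("allow", "smtp-to-bastion", iface="outside", dst=BASTION,
               proto="tcp", sport=HIGH_PORTS, dport=(25, 25))
BASTION_OUT = Rule("allow", "bastion-outbound", iface="perimeter", src=BASTION,
                   proto="tcp", sport=HIGH_PORTS)

EXTERIOR_ROUTER = [ANTI_SPOOF, SMTP_IN, BASTION_OUT]
# Same rules, wrong order: the forged packet matches the allow rule first and
# reaches the bastion carrying an Intranet source address.
MISORDERED = [SMTP_IN, ANTI_SPOOF, BASTION_OUT]

# Constructed sample packets.
FORGED = Packet("outside", "192.168.1.5", "192.0.2.10", "tcp", 40000, 25)
MAIL = Packet("outside", "198.51.100.7", "192.0.2.10", "tcp", 40001, 25)
TELNET_IN = Packet("outside", "198.51.100.7", "192.168.1.5", "tcp", 40002, 23)
WEB_OUT = Packet("perimeter", "192.0.2.10", "198.51.100.7", "tcp", 40003, 80)

if __name__ == "__main__":
    for label, pkt in [("forged", FORGED), ("mail", MAIL),
                       ("telnet-in", TELNET_IN), ("web-out", WEB_OUT)]:
        print(f"{label:10} {decide(EXTERIOR_ROUTER, pkt)}")
    print("forged, misordered rules:", decide(MISORDERED, FORGED))
```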
    • 55. Variation: sub-Intranets
    • 56. Variation: sub-Intranets
      • Firewalls can be used to protect parts of internal networks from each other.
        • Test or demonstration networks with less security.
        • Highly confidential networks with more security.
      • Different configurations are possible, with more connections to Internet and between internal networks.
    • 57. Internet Tunneling: Extranets
    • 58. Internet Tunneling: Extranets
    • 59. Internet Tunneling: Extranets
      • Encapsulating data in wrapper packets. Not only TCP/IP traffic can be tunneled, but also Novell IPX or other protocols.
        • Source and destination do not notice the tunneling. No modifications to applications.
        • Encryption can be done for the whole group-to-group connection or on a point-to-point basis.
        • PPTP Point-to-Point Tunneling Protocol is embedded in operating systems such as Windows 95 and Windows-NT.
        • There are many proprietary tunneling protocols.
    • 60. Point to Point Tunneling Protocol
      • PPTP was developed by Microsoft. It is aimed at dial-in connections using PPP.
        • User access is first controlled through PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol).
        • Each PPP packet is encoded with 40-bit RC4. The encryption prevents the network from reading the destination information.
        • The PPP packet is encapsulated within a GRE (Generic Routing Encapsulation) packet which includes destination information.
    • 61. IPsec
      • IPsec might be a successor/replacement for PPTP, and has much wider applications than just tunneling. It addresses authentication, integrity, access control and confidentiality.
        • Supports a variety of encryption algorithms (including a standard set to be used in the global Internet).
        • Uses two headers: AH (Authentication Header) and ESP (Encapsulating Security Payload).
        • AH verifies that the data hasn’t been altered.
        • ESP encrypts the data so it remains confidential.
    • 62. IPsec (cont.)
      • IPsec can be used to protect communication:
        • between a pair of hosts; (i.e. these hosts do the encryption and decryption and must be trusted)
        • between a pair of security gateways; (e.g. group-to-group tunneling between remote parts of an extranet)
        • between a security gateway and a host; (e.g. personal-to-group tunneling in an extranet)
      • Each packet is afforded IPsec security, allowed to bypass IPsec, or discarded.
    • 63. IPsec (cont.)
      • The IP Authentication Header (AH):
        • provides connectionless integrity;
        • provides data origin authentication;
        • provides (optional) anti-replay service (i.e. a form of sequence integrity).
      • The Encapsulating Security Payload (ESP):
        • provides confidentiality (encryption);
        • provides traffic flow confidentiality;
        • may also provide connectionless integrity, data origin authentication and an anti-replay service.
      • AH and ESP can provide access control.
    • 64. IPsec (cont.)
      • The user can control granularity:
        • A single encrypted tunnel can be used to carry all the traffic between two security gateways;
        • A separate encrypted tunnel can be created for each TCP connection between each pair of hosts communicating through the gateways.
      • Note that the granularity of SSL is finer than the single tunnel and coarser than the separate tunnel for each TCP connection.
    • 65. Home Networks
      • To connect several computers at home (consisting of PCs):
        • Local lan consists of ethernet.
        • Connection to ISP through modem or “fixed” network (cable modem, isdn router, etc.).
        • This effectively creates a dual-homed host.
        • The internal network can use 192.168 range.
        • On the bastion host you must enable IP forwarding.
        • In the network “security” options you need to select TCP and UDP ports to enable/disable.
        • You need to set up proxy services on the bastion.
        • You need to configure the other PCs to use the proxies. (e.g. through a package like Sygate.)
    • 66. Interesting URLs
      • Tutorial on TCP/IP: http://tecnet0.jcte.jcs.mil:9000/htdocs/utl/iis/tcp.txt.html
      • Encryption-related info from RSA labs: ftp://ftp.rsa.com/pub/labsfaq/labsfaq4.pdf
      • Virtual Private Networks (student paper): http://amir.fullerton.edu/msis410/Projects/Group12/vpnpaper.htm
      • Working group on IPsec: http://www.ietf.org/html.charters/ipsec-charter.html