Transcript of "8.X Sec & I Pv6"

  1. Course 3: Network Security, Section 8
     - Pascal Meunier, Ph.D., M.Sc., CISSP
     - May 2004, updated July 30, 2004
     - Developed thanks to the support of Symantec Corporation,
     - NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
     - Copyright (2004) Purdue Research Foundation. All rights reserved.
  2. Course 3 Learning Plan
     - Architecture
     - Physical and link layer
     - Network layer
     - Transport layer
     - Application layer: DNS, RPC, NFS
     - Application layer: Routing
     - Wireless networks
     - More secure protocols: DNSSEC, IPSEC, IPv6
  3. Learning objectives
     - Understand how IPSEC and IPv6 are inter-related
     - Learn the IPSEC header types and transport modes
     - Understand how ISAKMP and IKE support IPSEC
     - Understand how DNSSEC can secure some vulnerabilities in DNS
  4. More Secure Protocols
     - IPSEC, IPv6
       - ISAKMP
       - IKE
     - DNSSEC
  5. IPSEC Outline
     - Goals, Services
     - Relationship to IPv6
     - Fundamental Concept: Security Associations
     - IPSEC Headers (protocols)
       - Authentication Header (AH)
       - Encapsulating Security Payload (ESP)
     - IPSEC support protocols
       - IKE
       - ISAKMP
     - Advanced topics
       - Security limitations of IPSEC
       - NAT and IPSEC
  6. IPSEC Goals
     - Add-on to IPv4
     - Built into IPv6
     - Provides, at the IP layer:
       - Authentication
       - Integrity
       - Confidentiality
     - Does not provide solutions or solve problems for Availability
  7. IPSEC Services
     - Access control
     - Connectionless integrity
     - Data origin authentication
     - Protection against replays (a form of partial sequence integrity)
     - Encryption (confidentiality)
     - Limited traffic flow confidentiality
       - e.g., Does Eve need to know that Alice and Bob are exchanging data?
  8. Differences IPv6 vs IPv4
     - New ICMP architecture (ICMPv6)
     - Expanded Addressing Capabilities
     - Header Format Simplification
     - Improved Support for Extensions and Options
     - Flow Labeling Capability (for quality of service)
     - Authentication and Privacy Capabilities
       - i.e., IPSEC (RFC 2460)
  9. Security Associations
     - Channel that provides certain properties (keys, algorithms...) to the traffic between the hosts
     - Directional: Host A to Host B
     - Uniquely identified by a triple:
       - Security Parameter Index
         - Some integer
       - IP Destination Address (so far only unicast)
       - Protocol header identifier
         - See header types on next slides
     - SAs must be established and negotiated before any data is exchanged.
  10. SA Headers
      - Each SA must be of type
        - AH (Authentication Header) or
        - ESP (Encapsulating Security Payload)
      - Two modes:
        - Tunnel
        - Transport
      - [Figure: hosts 192.168.1.2 and 192.168.1.3, with SAs labelled {X, 192.168.1.2, ESP} and {Z, 192.168.1.3, AH}]
  11. Transport Mode
      - Does not hide or replace the original IP header
        - AH header is used in illustration
      - [Figure: Packet transformation for SA transport; a packet of IP Header, TCP Header and TCP Payload gains an SA Header]
  12. Tunnel Mode
      - Adds a new IP header
      - Allows nesting of SAs
      - Protects the original IP header
      - [Figure: Packet transformation for SA tunnel; a packet of IP Header, TCP Header and TCP Payload gains an SA Header and a new IP Header. Note: The illustration applies to an AH header]
  13. IP Authentication Header
      - RFC 2402
      - AH goals:
        - connectionless integrity
        - data origin authentication
        - optional anti-replay service
      - Which IPSEC service doesn't AH provide?
  14. Answer
      - Confidentiality
  15. Authentication Header Format

           0                   1                   2                   3
           0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
          +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          | Next Header   |  Payload Len  |          RESERVED             |
          +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          |                 Security Parameters Index (SPI)               |
          +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          |                    Sequence Number Field                      |
          +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          |                                                               |
          +                Authentication Data (variable)                 |
          |                                                               |
          +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  16. Integrity
      - Provided by an Integrity Check Value (ICV)
        - Stored in the "authentication data" field
      - Calculation method: HMAC with either of:
        - MD5
        - SHA-1
      - Uses a secret key exchanged during SA negotiation
  17. Authentication
      - Hash is calculated over as much data as possible
      - [Figure: packet diagrams with IP Header, SA Header, TCP Header and TCP Payload boxes (the second with an additional IP Header), labelled "Authenticated except for mutable fields"]
  18. AH Data Origin Authentication
      - Because the HMAC secret is specific to the SA
      - Because the IP addresses are included in the HMAC calculation
  19. AH Anti-Replay Service
      - Sender puts in a Sequence Number
        - Not to be confused with the TCP sequence number
        - SAs become void when the sequence number overflows
      - Receiver must verify it
        - optional
      - HMAC calculation guarantees that nobody could alter the sequence number or inject malicious packets with the correct sequence number
        - So it doesn't matter if the sequence number is predictable
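
An added example, not part of the original slides, of the AH mechanics on slides 15 to 19: the ICV is an HMAC over the IP header with its mutable fields zeroed, the AH itself and the payload, and the receiver tracks sequence numbers only for packets whose ICV verified. Assumptions: HMAC-SHA-1 truncated to 96 bits, IPv4 without options and with the checksum left at zero, transport mode, and a constructed key, SPI and payload; all function names are hypothetical.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-sa-secret"  # constructed; a real key comes from SA negotiation
ICV_LEN = 12                    # assumption: HMAC-SHA-1 truncated to 96 bits
AH_LEN = 12 + ICV_LEN           # fixed AH fields + Authentication Data

def ipv4_header(src, dst, proto, body_len, ttl=64):
    """20-byte IPv4 header without options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """Zero the fields routers may change: TOS, flags/offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(key, ip_hdr, ah, payload):
    """HMAC over IP header (mutable fields zeroed), AH with zeroed ICV, payload."""
    data = zero_mutable(ip_hdr) + ah[:12] + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, src, dst, spi, seq, payload, next_hdr=6):
    """Build a transport-mode packet: IP header (protocol 51 = AH), AH, payload."""
    ip = ipv4_header(src, dst, 51, AH_LEN + len(payload))
    # Payload Len counts the AH in 32-bit words, minus 2
    ah = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return ip + ah + ah_icv(key, ip, ah, payload) + payload

def ah_verify(key, packet):
    ip, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    return hmac.compare_digest(ah[12:], ah_icv(key, ip, ah, payload))

class ReplayWindow:
    """Receiver-side sliding window over AH sequence numbers (one per SA)."""
    def __init__(self, size=32):
        self.size, self.top, self.seen = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                      # senders start counting at 1
        if seq > self.top:                    # new highest number: slide the window
            mask = (1 << self.size) - 1
            self.seen = ((self.seen << (seq - self.top)) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.seen >> offset) & 1:
            return False                      # too old, or already received
        self.seen |= 1 << offset
        return True

def receive(key, window, packet):
    """Update the replay window only for packets whose ICV verified."""
    if not ah_verify(key, packet):
        return "bad-icv"
    seq = struct.unpack("!I", packet[28:32])[0]   # Sequence Number field of the AH
    return "ok" if window.accept(seq) else "replay"

def demo():
    pkt = ah_protect(KEY, "192.168.1.2", "192.168.1.3", 0x1000, 1,
                     b"constructed payload")
    ttl_changed = pkt[:8] + b"\x05" + pkt[9:]     # mutable field changed by a router
    src_changed = pkt[:12] + b"\x0a" + pkt[13:]   # source address altered
    seq_changed = pkt[:31] + b"\x02" + pkt[32:]   # sequence number altered
    win = ReplayWindow()
    return [receive(KEY, win, p)
            for p in (ttl_changed, pkt, src_changed, seq_changed)]

if __name__ == "__main__":
    print(demo())
```

The TTL change passes because TTL is excluded from the hash, while the altered address and sequence number fail the ICV check, which is why a predictable sequence number does not help an attacker.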
  20. ESP
      - Has service options
      - 2 service types
        - Confidentiality
          - Confidentiality through encryption
          - Limited traffic flow confidentiality
            - Requires tunnel mode so that the original IP header is encrypted
        - Authentication
          - Connectionless integrity
          - Data origin authentication
          - Optional anti-replay service
            - Can be selected only if data origin authentication was selected
      - Both types can be present at the same time
      - Described in RFC 2406
  21. ESP Parts
      - Header
      - Trailer
        - Not present in AH
      - Authentication
        - Part of the AH header
  22. ESP Transport Mode
      - Does not hide or replace the original IP header
      - [Figure: Packet transformation for ESP transport; a packet of IP Header, TCP Header and TCP Payload gains an ESP Header, ESP Trailer and ESP Auth]
  23. ESP Tunnel Mode
      - Adds a new IP header
      - Allows nesting of SAs
      - Protects the original IP header
      - [Figure: Packet transformation for ESP tunnel; a packet of IP Header, TCP Header and TCP Payload gains a new IP Header, ESP Header, ESP Trailer and ESP Auth]
  24. ESP Authentication
      - Uses the same idea as AH authentication
        - HMAC provides integrity and data origin authentication
          - Sequence number provides optional protection from replay attacks
      - ESP authentication does not protect the IP header in transport mode
        - AH header protects the IP header as much as possible
  25. ESP Coverage
      - Hash is calculated over less data than AH header
      - [Figure: ESP packet diagrams (IP Header, ESP Header, TCP Header, TCP Payload, ESP Trailer, ESP Auth; the second with an additional IP Header), with the "Authenticated" and "Encrypted" regions marked]
  26. Question
      - Why would someone prefer AH instead of ESP?
        - a) AH is more compatible with IPv4
        - b) AH is significantly faster
        - c) ESP can't authenticate
        - d) AH authenticates the headers
        - e) no reason
  28. ISAKMP
      - Internet Security Association and Key Management Protocol
      - Aims to be "a common security establishment protocol"
        - Means it helps set up security associations
      - Problem statement: How do you
        - Perform initial authentication of peers
        - Create, manage and delete associations
          - Specify AH or ESP
        - Decide which encryption algorithm to use
        - Decide which authentication algorithm to use
      - Described in RFC 2408
        - Rides on top of UDP
  29. Fundamental Basis for ISAKMP/IPSEC
      - Public key cryptography
        - Hosts are identified with certificates signed by a Certificate Authority
          - Including public key
      - Need for Public Key Infrastructure (PKI)
      - Internet Policy Registration Authority (IPRA)
        - Policy Certification Authorities (PCA)
          - Certificate Authorities (CAs)
  30. Certificate Payloads
      - ISAKMP has the ability to carry certificate payloads
      - Where to get certificates?
        - DNSSEC or equivalent
        - Certificate Payloads (ISAKMP)
          - PKCS #7 wrapped X.509 certificate
          - PGP certificate
          - X.509
          - Kerberos Tokens
          - DNS signed key
  31. ISAKMP Characteristics
      - Abstract, ubiquitous framework
      - Heavy
        - Hosts must first establish an SA for ISAKMP exchanges
        - Then the needed SAs can be established
          - Many fields or messages to negotiate
          - Implements reliability
            - Timers, resending of packets
  32. ISAKMP
      - Flexible
        - Many negotiation options
      - Complicated
        - The negotiation options have various advantages and disadvantages
        - The security implications of the choices, and which one is optimal for a given task, are not obvious
      - Does not perform the actual key generation and exchange
        - Need to use IKE (see next slide)
  33. IKE
      - Internet Key Exchange
      - RFC 2409
      - IKE works with ISAKMP to establish and manage SAs to provide IPSEC services.
      - Key exchange can be done manually and IPSEC still works; IKE automates it.
      - Details out of the scope of this presentation
  34. DNSSEC
      - DNS Extension
      - Based on cryptographic digital signatures
      - Basic Idea:
        - Store public keys in DNS records
          - "KEY" resource record
          - Associated with a name
        - Use those to authenticate DNS transactions
      - Provides:
        - Data integrity
        - Authentication
  35. Zones
      - Each zone has a public/private key pair
        - RR sets are signed with the private key
        - Resolvers can verify the signature with a public key
          - Initial public key must be seeded securely somehow
          - From that key, a chain of trust is created to other zones
      - Guarantees integrity and authenticity
      - No cache poisoning
      - IN-ADDR.ARPA domain information still controlled by possibly untrustworthy sources
        - Even if the data is signed, it may be malicious
        - Inconsistencies between the two DNS trees are not resolved
  36. DNSSEC Today
      - Still not in wide use
      - Had several setbacks in specification development
      - Doesn't solve all problems
        - However an incremental improvement is better than status quo
      - Meetings and plans to establish the deployment roadmap (2004)
  37. Question
      - The AH IPSEC header provides:
        - a) Connectionless integrity, data origin authentication, and an optional anti-replay service
        - b) Confidentiality (encryption) and limited traffic flow confidentiality
  39. Question
      - Which is the strong requirement for the practical, widespread deployment of IPSEC, DNSSEC and related protocols?
        - a) Better keyed hash algorithms
        - b) Larger cryptographic key sizes
        - c) A mass adoption and transition to IPv6
        - d) A cheap, deployed public key infrastructure (PKI)
        - e) Greater, cheaper internet bandwidth
  41. Question
      - Security Associations are
        - a) Bidirectional
        - b) Multidirectional
        - c) Special interest groups
        - d) Unidirectional
  43. Question
      - DNSSEC protects DNS against
        - a) Malicious DNS administrators
        - b) All networking protocol attacks
        - c) Malicious web sites
        - d) DNS cache poisoning
  45. Questions or Comments?
  46. About These Slides
      - You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions.
        - You must give the original author and other contributors credit
        - The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes
        - For any reuse or distribution, you must make clear to others the terms of use for this work
        - Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification
        - For other uses please contact the Purdue Office of Technology Commercialization.
      - Developed thanks to the support of Symantec Corporation
  47. Pascal Meunier [email_address]
      - Contributors:
      - Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera