2. Network Security
All defense mechanisms must work correctly and securely:
❑ Cryptographic primitives: RSA, DES, AES, SHA-1…
❑ Protocols and policies: TLS, IPsec, access control…
❑ Implementations: Firewalls, intrusion detection…
❑ End users: Password managers, company policies…
3. Virtual Private Network (VPN)
❑ A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
❑ A tunnel is a virtual path across a network that delivers packets that are encapsulated and possibly encrypted.
4. Internet Security Protocols
❑ Security provided at the Network layer with IPSec.
❑ Security provided at the Transport layer with Secure Socket Layer (SSL).
❑ Security provided at the Application layer with Pretty Good Privacy (PGP) for email security.
[Figure: protocol stack (Application, Transport, Network, Link, Physical) showing PGP in user space at the application layer, SSL in the OS at the transport layer, and IPSec at the network layer down to the NIC]
✓ IPSec is used in VPN applications (secure tunnel).
5. IPSec (Internet Protocol Security)
❑ IPSec is a set of protocols and algorithms used to secure IP data at the network layer.
❑ IPSec is implemented by the network for all applications.
❑ IPSec is built into IPv6 and is compatible with IPv4.
❑ IPSec provides cryptographic security services that allow for authentication, integrity, access control, and confidentiality.
❑ IPSec is completely transparent to applications (an application needs no knowledge of IPSec to be able to use it).
❑ IPSec is employed to establish virtual private networks (VPNs) among networks across the Internet. IPSec is implemented on end hosts and gateways.
6. Goals of IPSec
❑ IPSec provides authentication services (verifying the source of an IP packet) by using digital signatures or pre-shared keys.
❑ IPSec prevents replay of old IP packets (also called "man-in-the-middle attacks").
❑ IPSec protects the integrity of IP packets by using hashing algorithms.
❑ IPSec provides data confidentiality by encrypting the data.
7. Components of IPSec
1. Internet Key Exchange (IKE) Protocol: IKE is used to establish a Security Association (SA) between two communicating IPSec devices.
2. Encapsulating Security Payload (ESP): IPSec uses ESP to provide data integrity, encryption, authentication, and anti-replay functions for an IPSec VPN.
▪ Cisco IPSec implementations use DES, 3DES and AES for data encryption.
3. Authentication Header (AH): IPSec uses AH to provide data integrity, authentication, and anti-replay functions for an IPSec VPN.
▪ AH is an authentication-only protocol; it does not provide any data encryption.
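Slide 7 lists anti-replay among the services of both ESP and AH. As an added example (not code from the slides), here is the sliding-window check an IPsec receiver applies to the 32-bit sequence number carried in every ESP or AH header, in the style of RFC 4303: a packet is accepted if it is newer than anything seen, or if it falls inside the window and has not been seen before; it is rejected as a replay if its bit is already set, and as too old if it falls left of the window. The window size (64) and the packet sequence used for the demonstration are constructed.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay state for one SA (added example, RFC 4303 style).

    `right` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (right - i) has already been accepted.
    Window size is an assumption here; 64 is a common default.
    """

    def __init__(self, size: int = 64):
        assert size > 0
        self.size = size
        self.right = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if acceptable; False for a replay or a
        packet older than the window. Sequence number 0 is never sent on the
        wire (the sender increments before use), so it is always rejected."""
        if seq == 0:
            return False
        if seq > self.right:
            # Newer than anything seen: slide the window right by `shift`.
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1                     # every older entry falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False                            # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                            # already accepted: replay
        self.bitmap |= 1 << offset                  # late but new: accept once
        return True


def filter_replays(seqs, size: int = 64):
    """Run a constructed stream of sequence numbers through one window and
    return (seq, accepted) pairs, as a receiver would decide per packet."""
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in-order packets, a replayed 2, a reordered 4,
    # a replayed 1, a big jump to 100, then packets at and beyond the window edge.
    for seq, ok in filter_replays([1, 2, 3, 2, 5, 4, 1, 100, 37, 36, 3]):
        print(f"seq={seq:3d} {'accept' if ok else 'reject'}")
```

The window is per SA: the counter restarts at 1 when IKE negotiates a fresh SA, which is why a receiver must never reuse window state across SAs, and why the anti-replay service only works when integrity protection is enabled (an unauthenticated sequence number can be forged).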
8. The Security Association (SA) database
❑ A Security Association (SA) is one of the most important concepts in IPSec, defined in RFC 1825. A Security Association represents a specification of the security services offered to traffic carried through a unidirectional channel from one node to another. Since SAs are one-way, a minimum of two SAs are required for a single IPSec connection.
❑ A Security Association can offer either the AH or the ESP service, but not both. Two security associations are necessary to provide both types of services simultaneously. A total of four SAs are required for bi-directional traffic using both AH and ESP.
9. The Security Association (SA) database (cont.)
❑ Keying information for IPsec security services is maintained in security association databases (SADBs). SAs contain parameters including:
▪ Authentication algorithm and algorithm mode
▪ Encryption algorithm and algorithm mode
▪ Key(s) used with the authentication/encryption algorithm(s)
▪ Lifetime of the key
▪ Lifetime of the SA
▪ Source address(es) of the SA
▪ Sensitivity level (i.e. Secret or Unclassified)
10. The Security Policy Database (SPD)
❑ The Security Policy Database contains a set of rules that determines whether a packet is subject to IPsec processing and governs the processing details. SPD selectors include destination IP address, source IP address, user ID, data sensitivity level, transport layer protocol, and source and destination port. Each entry in the SPD represents a policy that defines how the matching set of traffic will be processed. Any inbound or outbound packet is processed in one of three ways: discard, perform IPsec processing, or bypass IPsec processing.
11. Scenario of IPSec usage
❑ An organization maintains LANs at dispersed locations.
❑ Non-secure IP traffic is conducted on each LAN.
❑ IPSec protocols are used.
❑ These protocols operate in the networking devices that connect each LAN to the outside world (router, firewall).
❑ The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN.
13. SAD and SPD Example
❑ Consider this example: it is required to protect the Post Office Protocol v3 (POP3) traffic between a mail client node A and a mail server node B. The traffic exchanged between node A and node B needs to be encrypted. In order to apply IPsec to the traffic between the nodes, the SPD and the SAD on both node A and node B need to be set. Two SP entries are needed for the bi-directional exchange between A and B. The SP entries on node A are described by the entries listed in the following table.
14. Security Policy Database for Node A
Direction                      Outbound        Inbound
Source Address                 Node A          POP server B
Destination Address            POP server B    Node A
Upper Layer Protocol           TCP             TCP
Upper Layer Source Port        Any             POP3
Upper Layer Destination Port   POP3            Any
IPsec Protocol                 ESP             ESP
Mode                           Transport       Transport
15. Security Policy Database for Node B
Direction                      Outbound        Inbound
Source Address                 POP server B    Node A
Destination Address            Node A          POP server B
Upper Layer Protocol           TCP             TCP
Upper Layer Source Port        POP3            Any
Upper Layer Destination Port   Any             POP3
IPsec Protocol                 ESP             ESP
Mode                           Transport       Transport
16. Security Association Database for Node A
Direction              Outbound                     Inbound
SPI                    1000                         1001
Destination Address    POP server B                 Node A
IPsec Protocol         ESP                          ESP
Algorithm              3DES-CBC                     3DES-CBC
Key                    The secret key from A to B   The secret key from B to A
Mode                   Transport                    Transport
Security Parameter Index (SPI): a unique identifier generated by the creator of the SA, used to distinguish among the SAs of the IPsec protocol terminating at the same destination node.
17. Security Association Database for Node B
Direction              Outbound                     Inbound
SPI                    1001                         1000
Destination Address    Node A                       POP server B
IPsec Protocol         ESP                          ESP
Algorithm              3DES-CBC                     3DES-CBC
Key                    The secret key from B to A   The secret key from A to B
Mode                   Transport                    Transport
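The two SPD tables and two SAD tables above (slides 14 to 17), together with the discard / bypass / protect decision from slide 10, modelled in Python for node A. This is an added example, not code from the slides: the IP addresses, the key bytes and the extra ICMP "bypass" entry are constructed placeholders so that all three outcomes can be exercised, and a packet that matches no SPD entry is discarded, which is the default RFC 4301 requires. Outbound, the SPD is consulted first and the SA is chosen by destination, IPsec protocol and mode; inbound, the SA is found from the (SPI, destination, protocol) triple in the received packet and the decapsulated traffic is then checked against the inbound policy.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (placeholders, not from the slides).
NODE_A = "192.0.2.10"       # mail client, node A
POP_B = "192.0.2.20"        # POP server, node B
POP3 = 110                  # well-known TCP port for POP3
KEY_A_TO_B = b"\x11" * 24   # placeholder 3DES key material, A -> B
KEY_B_TO_A = b"\x22" * 24   # placeholder 3DES key material, B -> A


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Policy:
    """One SPD entry; a selector of None means 'Any'."""
    direction: str
    src: str
    dst: str
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    action: str              # "protect", "bypass" or "discard"
    ipsec_proto: str = ""    # "ESP" or "AH" when action == "protect"
    mode: str = ""           # "transport" or "tunnel" when action == "protect"

    def matches(self, direction: str, pkt: Packet) -> bool:
        return (self.direction == direction
                and self.src == pkt.src and self.dst == pkt.dst
                and self.proto in (None, pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class SA:
    """One SAD entry, with the columns of the slides' SAD tables."""
    direction: str
    spi: int
    dst: str
    ipsec_proto: str
    algorithm: str
    key: bytes
    mode: str


# SPD for node A: the two entries from slide 14, plus a constructed bypass rule.
SPD_A: List[Policy] = [
    Policy("outbound", NODE_A, POP_B, "TCP", None, POP3, "protect", "ESP", "transport"),
    Policy("inbound", POP_B, NODE_A, "TCP", POP3, None, "protect", "ESP", "transport"),
    Policy("outbound", NODE_A, POP_B, "ICMP", None, None, "bypass"),  # constructed
]

# SAD for node A, transcribed from slide 16.
SAD_A: List[SA] = [
    SA("outbound", 1000, POP_B, "ESP", "3DES-CBC", KEY_A_TO_B, "transport"),
    SA("inbound", 1001, NODE_A, "ESP", "3DES-CBC", KEY_B_TO_A, "transport"),
]


def spd_lookup(spd: List[Policy], direction: str, pkt: Packet) -> Optional[Policy]:
    """First matching SPD entry wins; None means no policy covers the packet."""
    for policy in spd:
        if policy.matches(direction, pkt):
            return policy
    return None


def process_outbound(spd: List[Policy], sad: List[SA], pkt: Packet) -> Tuple[str, Optional[SA]]:
    """Decide discard / bypass / protect for an outbound packet and, when
    protecting, select the outbound SA by destination, protocol and mode."""
    policy = spd_lookup(spd, "outbound", pkt)
    if policy is None:
        return "discard", None          # no SPD entry: drop (RFC 4301 default)
    if policy.action != "protect":
        return policy.action, None
    for sa in sad:
        if (sa.direction == "outbound" and sa.dst == pkt.dst
                and sa.ipsec_proto == policy.ipsec_proto and sa.mode == policy.mode):
            return "protect", sa
    return "discard", None              # policy wants IPsec but no SA yet (IKE would create it)


def process_inbound(spd: List[Policy], sad: List[SA], spi: int, dst: str,
                    ipsec_proto: str, inner: Packet) -> Tuple[str, Optional[SA]]:
    """Locate the inbound SA from (SPI, destination, protocol), then verify that
    the decapsulated traffic was required to arrive under exactly that protection."""
    sa = next((s for s in sad if s.direction == "inbound" and s.spi == spi
               and s.dst == dst and s.ipsec_proto == ipsec_proto), None)
    if sa is None:
        return "discard", None          # unknown SPI: nothing to verify against
    policy = spd_lookup(spd, "inbound", inner)
    if (policy is None or policy.action != "protect"
            or policy.ipsec_proto != ipsec_proto or policy.mode != sa.mode):
        return "discard", None          # protected traffic the policy did not ask for
    return "protect", sa
```

The inbound policy check is the part that is easy to forget in a home-grown model: finding a valid SA is not enough, because an attacker who can reach one SA must not be able to deliver traffic that the policy never said could arrive over it.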
18. IPSec (Internet Protocol Security)
❑ IPSec can work in one of two modes:
➢ Transport mode, in which the payload of the message is protected.
➢ Tunnel mode, in which the payload and the routing and header information are protected.
20. Fields of the IP Packet
❑ Version: the version number of the protocol. Version = 4 for IPv4.
❑ Header length: the length of the header in 4-byte words. Header length = 5 if options are not used.
❑ Service type: 3 bits of precedence (rarely used) and 4 bits of QoS representing delay, throughput, reliability, and jitter.
❑ Total length: length in bytes of the header plus data. Maximum size is 65,535 bytes.
❑ Identification, flags, fragment offset: used for fragmentation and reassembly (offset in 8-byte chunks).
❑ Time to live (TTL): originally seconds, now usually a hop count. The source sets it (often 30 is used). Each router must decrement it by at least 1; when it reaches 0 the packet is discarded.
21. Protocol Field Values
❑ Protocol = 1, ICMP, Internet Control Message Protocol
❑ Protocol = 6, TCP
❑ Protocol = 17, UDP
❑ Protocol = 4, IP in IP encapsulation
❑ Protocol = 8, EGP, Exterior Gateway Protocol
❑ Protocol = 9, IGRP, Interior Gateway Routing Protocol
❑ Protocol = 89, OSPF, Open Shortest Path First routing protocol
❑ Protocol = 50, ESP, Encapsulating Security Payload
❑ Protocol = 51, AH, Authentication Header
• … more protocols
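As an added example for slides 20 and 21 (not code from the slides), the following parser decodes the IPv4 header fields listed above from raw bytes, verifies the header checksum, names the Protocol field using the values from slide 21, and, when the protocol is ESP (50) or AH (51), reads the SPI and sequence number that those headers carry in the clear in front of the protected data. The sample packet is constructed: the addresses are placeholders, SPI 1000 is the slides' A to B SA, and the trailing zero bytes stand in for encrypted payload.

```python
import struct
from ipaddress import IPv4Address

# Protocol numbers from slide 21, keyed by the IPv4 Protocol field.
PROTOCOL_NAMES = {1: "ICMP", 4: "IP-in-IP", 6: "TCP", 8: "EGP", 9: "IGRP",
                  17: "UDP", 50: "ESP", 51: "AH", 89: "OSPF"}

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words. Over a header whose checksum
    field is already correct the result is 0, which is how we verify it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (IHL = 5, no options, DF set) in front of payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields from slide 20 and the ESP/AH SPI + sequence
    number if present. Raises ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    hlen = ihl * 4                      # header length is in 4-byte words
    if hlen < 20 or total_len < hlen or len(pkt) < total_len:
        raise ValueError("inconsistent length fields")
    info = {
        "version": version,
        "header_len": hlen,
        "precedence": tos >> 5,         # 3 precedence bits
        "tos_bits": (tos >> 1) & 0x0F,  # 4 QoS bits
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "unknown"),
        "checksum_ok": ipv4_checksum(pkt[:hlen]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }
    payload = pkt[hlen:total_len]
    if proto == 50 and len(payload) >= 8:       # ESP: SPI, then sequence number
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
    elif proto == 51 and len(payload) >= 12:    # AH: next hdr, len, reserved, SPI, seq
        info["spi"], info["seq"] = struct.unpack("!II", payload[4:12])
    return info


def sample_esp_packet() -> bytes:
    """Constructed ESP-in-IPv4 packet: SPI 1000 (the slides' A -> B SA), seq 1,
    followed by 8 zero bytes standing in for the encrypted payload."""
    esp = struct.pack("!II", 1000, 1) + b"\x00" * 8
    return build_ipv4("192.0.2.10", "192.0.2.20", 50, esp)


if __name__ == "__main__":
    for key, value in parse_ipv4(sample_esp_packet()).items():
        print(f"{key:15s} {value}")
```

Note what an observer on the path can and cannot learn: the outer header, SPI and sequence number are visible, so traffic to a given SA can be counted and correlated, but for ESP the Next Header byte that would reveal whether this is transport mode (an inner TCP segment) or tunnel mode (an inner IP packet) sits inside the encrypted trailer and is not recoverable here.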