Internet Security
IPsec
TCP/IP Protocol Stack
Application Layer
Transport Layer
Network Layer
Data Link Layer
Network Layer
• Provides connectionless service
• Routing (routers): determine the path a packet has to traverse to reach its destination
• Defines addressing mechanism
– Hosts should conform to the addressing mechanism
Communication Between Layers
[Figure: protocol stacks of Host A, two routers and Host B. Hosts: application, transport, network and data link layers; routers: network and data link layers. Labels: application data, transport payload, network payload, data link payload.]
Network Layer and Security
In most network architectures and their corresponding communication protocol stacks, network layer protocol data units are transmitted in the clear:
• Easy to inspect the data content
• Easy to forge source or destination address
• Easy to modify content
• Easy to replay data
Need a network layer security protocol
IPsec
• IP Security (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.
• Provides security for IP and upper layer protocols
• Suite of algorithms:
– Mandatory-to-implement
– Assures interoperability
– Easy to add new algorithms
IP Security Overview
IPSec: method of protecting IP datagrams
– Data origin authentication
– Connectionless data integrity authentication
– Data content confidentiality
– Anti-replay protection
– Limited traffic flow confidentiality
TCP/IP protocol suite and IPSec
Transport mode and tunnel modes of IPSec protocol
Note:
• IPSec in the transport mode does not protect the IP header;
• It only protects the information coming from the transport layer.
Transport mode in action
• Transport mode: protect upper layer protocols
– IPSec header is inserted between the IP header and the upper-layer protocol header
– Communication endpoints must be cryptographic endpoints
Tunnel mode in action:
• Tunnel mode: protect entire IP datagram
– Entire IP packet to be protected is encapsulated in another IP datagram and an IPsec header is inserted between the outer and inner IP headers
Note:
• IPSec in tunnel mode protects the original IP header.
CSCE813 - Farkas 12
IPSec Security Protocols:
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
Authentication Header (AH) Protocol in transport mode:
Note:
• The AH Protocol provides source authentication and data integrity, but not privacy.
• Does NOT provide confidentiality
• Provides:
– Data origin authentication
– Connectionless data integrity
• May provide:
– Non-repudiation (depends on cryptographic alg.)
– Anti-replay protection
• Precision of authentication: granularity of SA
• Protocol number: 51
[Figure: AH protected IP packet in transport mode. Fields: IP header, AH header, protected data; marked region: authenticated.]
Encapsulating Security Payload (ESP) Protocol in transport mode:
Note:
• ESP provides source authentication, data integrity, and privacy.
Encapsulating Security Payload (ESP):
• Provides:
– Confidentiality
– Authentication (not as strong as AH: IP headers below ESP are not protected)
– Limited traffic flow confidentiality
– Anti-replay protection
• Protocol number: 50
[Figure: ESP protected IP packet. Fields: IP header, ESP header, protected data, ESP trailer; marked regions: authenticated, encrypted.]
ESP header and trailer:
• ESP packet processing:
1. Verify sequence number
2. Verify integrity
3. Decrypt
• ESP header: not encrypted
– Contains: SPI and sequence number
• ESP trailer: partially encrypted
– Contains: padding, length of padding, next protocol, authentication data
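
The receive-side order listed above (sequence number, then integrity, then decrypt), as an added example that is not part of the original slides. It assumes HMAC-SHA-256 truncated to 128 bits as the integrity algorithm and a 64-packet anti-replay window; `InboundSA`, `build_esp` and `process_esp` are illustrative names, and the sample packets are constructed.

```python
import hashlib, hmac, struct

ICV_LEN = 16   # assumed integrity algorithm: HMAC-SHA-256 truncated to 128 bits
WINDOW = 64    # assumed anti-replay window size, in packets

class InboundSA:
    """One SAD entry for this sketch: integrity key plus anti-replay state."""
    def __init__(self, auth_key):
        self.auth_key, self.highest, self.bitmap = auth_key, 0, 0

    def is_replay(self, seq):
        if seq > self.highest:
            return False                          # ahead of the window: new
        offset = self.highest - seq
        return seq == 0 or offset >= WINDOW or bool((self.bitmap >> offset) & 1)

    def mark_seen(self, seq):
        if seq > self.highest:                    # slide the window forward
            shifted = self.bitmap << (seq - self.highest)
            self.bitmap = (shifted | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def build_esp(spi, seq, key, ciphertext):
    """Constructed sender side, used only to make sample packets."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + icv(key, body)

def process_esp(sad, packet):
    """Return (verdict, still-encrypted payload or None)."""
    if len(packet) < 8 + ICV_LEN:
        return "drop: truncated", None
    spi, seq = struct.unpack("!II", packet[:8])   # cleartext ESP header
    sa = sad.get(spi)                             # SPI selects the SA in the SAD
    if sa is None:
        return "drop: unknown SPI", None
    if sa.is_replay(seq):                         # 1. verify sequence number
        return "drop: replay", None
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa.auth_key, body)):
        return "drop: bad ICV", None              # 2. verify integrity
    sa.mark_seen(seq)       # window moves only for authenticated packets
    return "accept", body[8:]                     # 3. decrypt would start here
```

Because the window is advanced only after the integrity check passes, a forged packet carrying a very high sequence number cannot push legitimate traffic out of the window.
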
IPSec services
IP Security Architecture
[Figure: IPsec module 1 and IPsec module 2, each with an SPD, an SAD, IKE and IPsec; an SA between the two modules.]
Security Association
• Associates security services and keys with the traffic to be protected
– Identified by Security Parameter Index (SPI) → retrieve correct SA parameters from Security Association Database (SAD)
– IPsec protocol identifier
– Destination address (direction)
• Simplex connection → need to establish two SAs for secure bidirectional communication
Security Association
• Defines security services and mechanisms between two end points (or IPsec modules):
– Hosts
– Network security gateways (e.g., routers, application gateways)
– Hosts and security gateways
• Security service, parameters, mode of operation, and initialization vector
– e.g., Confidentiality using ESP with DES in CBC mode with IV (initialization vector).
Security Association
• May use either Authentication Header (AH) or Encapsulating Security Payload (ESP) but not both.
• If both AH and ESP are applied, need two SAs.
• Bundle: set of SAs through which traffic must be processed
SA - Lifetime
Amount of traffic protected by a key and the time frame during which the same key is used
– Manual creation: no lifetime
– Dynamic creation: may have a lifetime
SA -- Security Granularity
User (SSO) specified
• Host-oriented keying
– All users on one host share the same session key
– Not recommended!
• User-oriented keying
– Each user on one host has one or more unique session keys
• Session-unique keying
– Single session key is assigned to a given IP address, upper-layer protocol, and port number
Security Policy Database (SPD)
• Defines:
– What traffic is to be protected
– How to protect it
– With whom the protection is shared
• For each packet entering or leaving an IPsec implementation, the SPD is used to determine the security mechanism to be applied
• Actions:
– Discard: do not let packet in or out
– Bypass: do not apply or expect security services
– Protect: apply/expect security services on packets
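
How the three SPD actions drive outbound handling, and where the SAD and IKE from the architecture slide come in, as an added example that is not part of the original slides. The policy entries, addresses and the names `Policy`, `spd_lookup` and `outbound` are constructed for illustration; the example assumes an ordered SPD where the first matching entry wins and a packet matching no entry is discarded.

```python
import ipaddress
from typing import NamedTuple, Optional

class Policy(NamedTuple):
    src: str                 # source prefix selector
    dst: str                 # destination prefix selector
    proto: Optional[int]     # IP protocol number; None matches any
    dport: Optional[int]     # destination port; None matches any
    action: str              # "discard", "bypass" or "protect"
    how: str = ""            # for protect: what the SA must provide

# Constructed policy set for a hypothetical site gateway; order matters.
SPD = [
    Policy("0.0.0.0/0", "0.0.0.0/0", 17, 500, "bypass"),      # IKE itself
    Policy("10.1.0.0/16", "10.2.0.0/16", None, None, "protect", "ESP tunnel"),
    Policy("10.1.0.0/16", "0.0.0.0/0", 6, 23, "discard"),     # no telnet out
    Policy("10.1.0.0/16", "0.0.0.0/0", None, None, "bypass"),
]

def matches(p, src, dst, proto, dport):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(p.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(p.dst)
            and p.proto in (None, proto)
            and p.dport in (None, dport))

def spd_lookup(spd, src, dst, proto, dport=None):
    """Return (index, policy) of the first matching entry, or (None, None)."""
    for i, p in enumerate(spd):
        if matches(p, src, dst, proto, dport):
            return i, p
    return None, None

def outbound(spd, sad_out, src, dst, proto, dport=None):
    """sad_out maps an SPD entry index to the SPI of an established SA."""
    i, p = spd_lookup(spd, src, dst, proto, dport)
    if p is None or p.action == "discard":
        return "discard"                      # no match is treated as discard
    if p.action == "bypass":
        return "send in the clear"
    spi = sad_out.get(i)
    if spi is None:                           # protect, but no SA yet
        return "hold: ask IKE to negotiate " + p.how
    return f"send via SA spi=0x{spi:x} ({p.how})"
```
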
IKE
• Internet Key Exchange (IKE) is a secure key management protocol that is used to set up a secure, authenticated communications channel between two devices.
• It is a protocol that establishes and manages Virtual Private Network (VPN) connections, ensuring data confidentiality and integrity.
• IKE employs a combination of encryption algorithms, key exchange methods, and security policies to authenticate and secure network connections.
• A critical role of IKE is negotiating security associations (SAs) for IP Security (IPsec).
• SAs are security policies defined for communication between two or more entities.
• A set of algorithms and mutually agreed-upon keys is used and represented by both parties when attempting to establish a VPN tunnel or connection.
Virtual Private Network
• It is used to establish a secure and reliable connection over an unsecure network (the Internet).
• It will encrypt the data and provide confidentiality.
• The encrypted connection helps ensure that sensitive data is safely transmitted.
• Creates a secure tunnel over a public network
– Client to firewall
– Router to router
– Firewall to firewall
• Use case:
– SSL/TLS is used for securing communication over the internet and other TCP/IP based networks.
– It provides encryption, authentication and data integrity for applications such as web browsing, email and messaging.
• Implementation:
– SSL/TLS operates at the transport layer (Layer 4) of the OSI model and is typically implemented as a part of application protocols such as HTTP, SMTP and IMAP.
– It uses a client-server handshake to establish a secure connection.
• Features:
– SSL/TLS supports various cryptographic algorithms for encryption (e.g. AES, DES), authentication (e.g. RSA, ECDSA), and key exchange (e.g. Diffie-Hellman).
– It provides secure communication channels through protocols like HTTPS, SMTPS and FTPS.
• Usage:
– SSL/TLS is used extensively on the internet for securing websites (HTTPS), email communication (SMTPS, IMAPS), VPNs (SSL VPNs) and other secure applications