241-427-SV-2-2553-COE-PSU 1
241-427 Computer Security
Chapter VI: Network Security
Dr. Sangsuree Vasupongayya

Outline
- Attacks
  - Diffing
  - Sniffing
  - Session Hijacking
  - Spoofing
- Protocols
  - SSL
  - TLS
  - IPsec
- VPN

Diffing
- The practice of comparing two things for differences, especially after some change has been made
- Used to determine the portion of a file, or the memory location, that holds the item of interest
  - E.g., finding the portion of a file that contains the information of interest
- Decodes information rather than changing it
- Example commands and tools
  - fc
  - diff
  - Hex editors
  - Hackman

Sniffing
- A program or tool that passively monitors a computer network for key information that the attacker is interested in
  - Authentication information, e.g., usernames and passwords
- E.g., protocols commonly reported as sniffed
  - Telnet (port 23), FTP (port 21), HTTP (port 80), POP (port 110), IMAP (port 143)
- E.g., sniffing tools
  - TCPDump, dsniff, esniff, Wireshark

Protection against sniffing
- Encryption
- Secure Shell (SSH)
  - A secure replacement for Telnet, rlogin, rsh and rcp
- Detection
  - Checking whether a network interface is running in promiscuous mode
  - Network-based detection
    - Latency in the host's response
    - Network monitoring

Session Hijacking
- The act of taking over a connection of some sort (or one that is in the process of being set up)
- Goal: to steal trust
- How it works
  - Jump into the middle of the conversation
  - Get your packet to the host before the legitimate one
  - ACK storm:
    - the real host gets a duplicate packet
    - the original sender keeps sending packets
- Protection
  - Encryption (e.g., SSL)
  - Storm watchers

Spoofing
- Providing false information about a principal's identity to obtain unauthorized access to systems and their services
- Sending a message that is not what it claims to be
- Can operate at any layer between the client and the server
- No content-level spoofing need take place, although the falsified headers clearly represent a spoof of their own
- Spoofing is always intentional

Attacks on Servers
- Denial of Service
  - Reduces the usefulness of the server
- How a remote user can gain access to the system
  - Daemon/service: the OS provides network services, e.g., mail services, Web servers, name servers, remote access services
  - Program interaction: vulnerability caused by an unintentional modification
  - Flaws in the protocols or programs
- How to prevent DoS
  - Define the goal
  - Auditing system (logs)
  - IDSs

Attacks on Clients
- Vulnerability:
  - errors or unintended behavior in programs acting as a client
  - any program that can receive data from an outside source
- How to secure your clients
  - Minimize use
  - Anti-virus software
  - Limit trust
  - Client configuration

Security at the Transport Layer
- Provides end-to-end security services
  - E.g., a transaction on the Internet
    - Entity authentication: the customer needs to be sure that the server belongs to the actual vendor
    - Message integrity: the contents of the message are not modified during transmission
    - Confidentiality: no one can intercept sensitive information
- SSL and TLS are the two protocols
  - SSL: Secure Sockets Layer Protocol
  - TLS: Transport Layer Security Protocol

Secure Sockets Layer Protocol
- Designed to provide security and compression services to data generated from the application layer (usually HTTP)
- The data is compressed (optional), signed, and encrypted and then passed to a reliable transport layer protocol such as TCP

Sessions vs Connections
[Figure: sessions and connections]

Sessions vs Connections
Session (client – server)
- To create a new session, a negotiation process must be done
- A session can consist of many connections
- Both parties have common information
- Defined by a session state parameter
Connection (peer – peer)
- To create a new connection (resume a session), the two parties can skip part of the negotiation process
- Defined by a connection state parameter

SSL defines 4 protocols
[Figure: the four SSL protocols]

SSL defines 4 protocols (cont.)
- The Record protocol carries messages from the 3 other protocols as well as the data coming from the application layer
- The Handshake protocol provides the security parameters by establishing a cipher suite, providing keys and authenticating the parties
- The ChangeCipherSpec protocol signals the readiness of the cryptographic secrets
- The Alert protocol reports abnormal conditions

Handshake Protocol

Handshake Protocol: Phase I

Handshake Protocol: Phase II

Handshake Protocol: Phase III

Handshake Protocol: Phase IV

SSL actions
- Fragmentation: divides the data into blocks of 2^14 bytes or less
- Compression (optional): uses one of the lossless compression methods negotiated between the client and server
- Message integrity: uses a keyed-hash function to create a MAC
- Confidentiality: the data and MAC are encrypted using a symmetric key
- Framing: a header is added to the payload before it is passed to TCP
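The record-layer steps on this slide (fragmentation into 2^14-byte blocks, keyed-hash MAC, framing) as an added Python example; this is not the lecture's code. It assumes the TLS 1.0 form of the record MAC (HMAC-SHA1 over sequence number, type, version, length and fragment) and the 5-byte record header; the symmetric encryption step is left out because Python's standard library has no block cipher, and compression is treated as null.

```python
"""Record-layer processing: fragment -> MAC -> frame, then parse and verify.
Added example for this page (not the lecture's code).  Assumptions: TLS 1.0
HMAC-SHA1 record MAC, 5-byte header; encryption step omitted (no block
cipher in the standard library); null compression."""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14           # 16384 bytes: the record-layer fragment limit
HEADER_LEN = 5                   # content type (1) + version (2) + length (2)
MAC_LEN = hashlib.sha1().digest_size
CT_APPLICATION_DATA = 23
VERSION_TLS10 = (3, 1)


def fragment(data: bytes) -> list:
    """Fragmentation: split application data into blocks of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def record_mac(mac_key: bytes, seq_num: int, ctype: int, frag: bytes) -> bytes:
    """Message integrity: keyed hash over seq_num || type || version || length || fragment.
    Binding the sequence number means a replayed or reordered record fails verification."""
    header = struct.pack("!QBBBH", seq_num, ctype, *VERSION_TLS10, len(frag))
    return hmac.new(mac_key, header + frag, hashlib.sha1).digest()


def build_records(mac_key: bytes, data: bytes, start_seq: int = 0) -> bytes:
    """Sender side: fragment, append a MAC to each fragment, and frame each
    record with a 5-byte header before handing the stream to TCP.
    (Encryption of fragment + MAC would sit between the MAC and the framing.)"""
    out = bytearray()
    for i, frag in enumerate(fragment(data)):
        payload = frag + record_mac(mac_key, start_seq + i, CT_APPLICATION_DATA, frag)
        # Framing: content type, protocol version, payload length
        out += struct.pack("!BBBH", CT_APPLICATION_DATA, *VERSION_TLS10, len(payload))
        out += payload
    return bytes(out)


def parse_records(mac_key: bytes, stream: bytes, start_seq: int = 0) -> list:
    """Receiver side: walk the byte stream record by record, check the header,
    verify each MAC in constant time, and return the recovered fragments.
    Raises ValueError on a malformed header or a bad MAC (the receiver would
    send a fatal bad_record_mac alert)."""
    fragments = []
    pos = 0
    seq = start_seq
    while pos < len(stream):
        if len(stream) - pos < HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + HEADER_LEN])
        pos += HEADER_LEN
        if (major, minor) != VERSION_TLS10 or length < MAC_LEN or length > MAX_FRAGMENT + MAC_LEN:
            raise ValueError("bad record header")
        payload = stream[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        pos += length
        frag, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
        if not hmac.compare_digest(mac, record_mac(mac_key, seq, ctype, frag)):
            raise ValueError("bad_record_mac on record %d" % seq)
        fragments.append(frag)
        seq += 1
    return fragments
```

Feeding 25,600 bytes of application data produces two records (16,384 and 9,216 bytes of payload), and flipping a single byte in either fragment, using the wrong key, or presenting the records with a shifted sequence number makes the parser reject the stream.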

Algorithms in SSL
- 8-byte initialization vector (IV), except that a 20-byte IV is used in Fortezza

Key-exchange in SSL

SSL message formats
- Record Protocol header
- ChangeCipherSpec Protocol
- Alert Protocol
- Generic header for Handshake Protocol

Types of Handshake message

Transport Layer Security
- TLS does not support Fortezza
- Generation of cryptographic secrets
  - More complex than in SSL
  - Data expansion
    - To expand a secret into a longer one
    - To make the output blocks dependent on each other, the second seed is the output of the first
  - Pseudorandom function

Data-expansion

Pseudorandom function

Master secret generation
- Pre-master secret: the same as in SSL
- Uses the pseudorandom function to create the master secret

Key materials
- Generated by the pseudorandom function
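The four slides above (data expansion, pseudorandom function, master secret, key materials) describe one procedure; the following is an added Python example of it, not the lecture's code. It assumes the TLS 1.0 definitions from RFC 2246: P_hash as the data-expansion function, PRF = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed), the label strings "master secret" and "key expansion", and the key-block layout of two MAC secrets, two keys and two IVs.

```python
"""TLS 1.0 secret generation (RFC 2246 section 5).  Added example for this
page, not the lecture's code; standard library only."""
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """Data expansion P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)), and the
    output is HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    truncated to `length`.  Each block's inner seed A(i) is the previous HMAC
    output, which is the dependency between blocks the slide describes."""
    out = bytearray()
    a = seed                                           # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()    # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:length])


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: split the secret into halves S1 and S2 (an odd-length secret
    shares its middle byte), expand S1 with MD5 and S2 with SHA-1, XOR the two."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Master secret: 48 bytes derived from the pre-master secret (obtained as in
    SSL) with the PRF; seed is ClientHello.random + ServerHello.random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Key materials: expand the master secret into the six write parameters.
    Note the seed order here is server_random + client_random, the reverse of
    the master-secret step, so the two derivations never share a PRF input."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys
```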

Alert Protocol
- Supports all alerts in SSL except NoCertificate
- Additional alerts

Handshake Protocol
- CertificateVerify message
- Finished message

Record Protocol

Security at the Network Layer
Security at the layers above may not be enough:
- Not all client/server programs are protected at the application layer
- Not all client/server programs at the application layer use the service of TCP, so they cannot be protected by SSL or TLS
  - E.g., UDP
- Many applications, such as routing protocols, directly use the service of IP
  - Security at the IP layer is needed

IPSec
- A collection of protocols designed by the Internet Engineering Task Force to provide security for a packet at the network level
- Creates authenticated and confidential packets for the IP layer

IPSec
- Has two modes
  - Transport mode
  - Tunnel mode
- Has two security protocols
  - Authentication Header (AH) protocol
  - Encapsulating Security Payload (ESP)

IPSec: transport mode
- IPSec protects what is delivered from the transport layer to the network layer
- The IP header is not protected in transport mode
- The IPSec header (and trailer) are added to the information
- It only protects the packet coming from the transport layer
- Used when we need host-to-host (end-to-end) protection of data

IPSec: transport mode
[Figure: transport mode]

IPSec: tunnel mode
- IPSec protects the entire IP packet
- A new IP header is added (with different information than the original IP header)
- Used between two routers, host to router, or router to host

IPSec: tunnel mode
[Figure: tunnel mode]

Comparison of the two modes

Authentication Header Protocol
[Figure: AH placement]

Authentication Header Protocol
- Purpose
  - To authenticate the source host
  - To ensure the integrity of the payload carried in the IP packet
- Action
  - Uses a hash function and a symmetric key to create a message digest
  - The digest is inserted in the authentication header
  - The AH is then placed in the appropriate location based on the mode

Encapsulating Security Payload (ESP)
- Purpose
  - Provides source authentication, integrity and privacy

Encapsulating Security Payload (ESP)
- Action: ESP adds a header and a trailer
  1. The ESP trailer is added to the payload
  2. The payload and the trailer are encrypted
  3. The ESP header is added
  4. The ESP header, payload and ESP trailer are used to create the authentication data
  5. The authentication data are added to the end of the ESP trailer
  6. The IP header is added after changing the protocol value to 50

Remarks
- IPv4 and IPv6
  - IPSec supports both IPv4 and IPv6 (AH and ESP are parts of the extension header)
- Why do we need AH?
  - ESP was designed after AH was already included in some commercial products
- IPSec services
  - Access control
  - Message integrity
  - Entity authentication
  - Confidentiality (except AH)
  - Replay attack protection

Security Association (SA)
- A logical relationship between two hosts
- An aspect of IPSec
- Idea:
  - An SA is a contract between two hosts (one inbound SA and one outbound SA)
  - SAs can become very complex when a party wants to communicate with many peers (a database of a set of SAs)

Typical SA parameters

Security Policy (SP)
- An aspect of IPSec
- Defines the type of security applied to a packet when it is to be sent or when it has arrived
- Security policy database (SPD)
  - Each host that is using the IPSec protocol needs to keep an SPD (inbound, outbound)
  - Each entry in the SPD can be accessed using a six-tuple index:
    <source address, destination address, name, protocol, source port, destination port>

Security policy database (SPD)
- Address (unicast, multicast, wildcard)
- Name (defines a DNS entity)
- Protocol (AH, ESP)

Outbound processing
[Figure: outbound processing]

Outbound processing
- Drop: the packet cannot be sent
- Bypass: the packet is sent without security, because there is no policy for the packet
- Apply
  - Case 1: the outbound SA is already established; the packet is transmitted accordingly
  - Case 2: the outbound SA is not established; the Internet Key Exchange (IKE) is called to create an outbound and an inbound SA

Inbound processing
[Figure: inbound processing]

Inbound processing
- Discard: the packet is dropped
- Bypass: the packet is delivered to the transport layer without security
- Apply
  - Case 1: the inbound SA is already established; the packet is processed accordingly
  - Case 2: the inbound SA is not established; the packet must be discarded
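The SPD lookup and the outbound and inbound cases from the slides above, as an added Python example (not the lecture's code). It assumes SPD entries are matched in order on the six-tuple <src, dst, name, protocol, sport, dport> with "*" as a wildcard, that the SA database is keyed by (direction, source address, destination address), that a packet matching no policy is treated as Bypass, and that IKE is a callback which installs one outbound and one inbound SA, since the key exchange itself is outside these slides.

```python
"""SPD-driven outbound/inbound IPSec processing.  Added example for this page,
not the lecture's code.  Assumptions: ordered six-tuple match with "*" wildcard;
SAD keyed by (direction, src, dst); no matching policy means Bypass; IKE is a
callback that returns (outbound SA, inbound SA)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DROP, BYPASS, APPLY, DISCARD = "drop", "bypass", "apply", "discard"
# A packet is summarised by its six-tuple: (src, dst, name, protocol, sport, dport)
Packet = Tuple[str, str, str, str, object, object]


@dataclass(frozen=True)
class SPEntry:
    selector: Tuple           # six-tuple selector; "*" matches any value
    action: str               # DROP, BYPASS or APPLY
    ipsec_protocol: str = ""  # "AH" or "ESP" when action is APPLY
    mode: str = ""            # "transport" or "tunnel" when action is APPLY

    def matches(self, pkt: Packet) -> bool:
        return all(s == "*" or s == p for s, p in zip(self.selector, pkt))


@dataclass
class SecurityAssociation:
    spi: int
    ipsec_protocol: str
    mode: str


class IPsecHost:
    def __init__(self, spd_out: List[SPEntry], spd_in: List[SPEntry],
                 ike: Callable[[SPEntry], Tuple[SecurityAssociation, SecurityAssociation]]):
        self.spd = {"out": spd_out, "in": spd_in}       # one SPD per direction
        self.sad: Dict[Tuple[str, str, str], SecurityAssociation] = {}
        self.ike = ike
        self.ike_calls = 0

    def _policy(self, direction: str, pkt: Packet) -> Optional[SPEntry]:
        # First matching SPD entry wins; None means no policy exists for this packet.
        return next((e for e in self.spd[direction] if e.matches(pkt)), None)

    def outbound(self, pkt: Packet) -> str:
        entry = self._policy("out", pkt)
        if entry is None or entry.action == BYPASS:
            return BYPASS                 # sent without security
        if entry.action == DROP:
            return DROP                   # packet cannot be sent
        sa = self.sad.get(("out", pkt[0], pkt[1]))
        if sa is None:
            # Case 2: no outbound SA yet, so IKE negotiates an outbound and an inbound SA.
            sa, sa_in = self.ike(entry)
            self.sad[("out", pkt[0], pkt[1])] = sa
            self.sad[("in", pkt[1], pkt[0])] = sa_in
            self.ike_calls += 1
        # Case 1 (or right after case 2): transmit according to the SA.
        return f"{APPLY}:{sa.ipsec_protocol}/{sa.mode}/spi={sa.spi:#x}"

    def inbound(self, pkt: Packet) -> str:
        entry = self._policy("in", pkt)
        if entry is None or entry.action == BYPASS:
            return BYPASS                 # handed to the transport layer without security
        if entry.action == DROP:
            return DISCARD
        sa = self.sad.get(("in", pkt[0], pkt[1]))
        if sa is None:
            return DISCARD                # Case 2: no inbound SA, so the packet must be discarded
        return f"{APPLY}:{sa.ipsec_protocol}/{sa.mode}/spi={sa.spi:#x}"


def demo() -> dict:
    """Constructed scenario: 10.0.0.1 protects SSH to 10.0.0.2 with ESP in
    transport mode, lets DNS through unprotected, and refuses to send Telnet."""
    next_spi = [0x100]

    def fake_ike(entry: SPEntry):
        next_spi[0] += 1                  # stand-in for IKE: mint an SA pair
        return (SecurityAssociation(next_spi[0], entry.ipsec_protocol, entry.mode),
                SecurityAssociation(next_spi[0] + 0x1000, entry.ipsec_protocol, entry.mode))

    spd_out = [
        SPEntry(("10.0.0.1", "10.0.0.2", "*", "tcp", "*", 22), APPLY, "ESP", "transport"),
        SPEntry(("10.0.0.1", "*", "*", "udp", "*", 53), BYPASS),
        SPEntry(("10.0.0.1", "*", "*", "tcp", "*", 23), DROP),
    ]
    spd_in = [SPEntry(("*", "10.0.0.1", "*", "tcp", 22, "*"), APPLY, "ESP", "transport")]
    host = IPsecHost(spd_out, spd_in, fake_ike)
    ssh = ("10.0.0.1", "10.0.0.2", "", "tcp", 40001, 22)
    return {
        "ssh_first": host.outbound(ssh),        # case 2: IKE runs, then ESP applied
        "ssh_second": host.outbound(ssh),       # case 1: existing SA reused
        "dns": host.outbound(("10.0.0.1", "10.0.0.53", "", "udp", 40002, 53)),
        "telnet": host.outbound(("10.0.0.1", "10.0.0.2", "", "tcp", 40003, 23)),
        "ssh_reply": host.inbound(("10.0.0.2", "10.0.0.1", "", "tcp", 22, 40001)),
        "unsolicited": host.inbound(("10.0.0.3", "10.0.0.1", "", "tcp", 22, 5555)),
        "ike_calls": host.ike_calls,
    }
```

The last inbound packet matches an Apply policy but arrives from a peer with which no SA was negotiated, so it is discarded rather than triggering IKE; that asymmetry between the outbound and inbound case 2 is the point of the two slides.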

Virtual Private Networks (VPN)
- A mechanism employing encryption, authentication and integrity protection
- Offers a high level of security
- Requires no special cabling
- Combines the advantages of
  - a public network
    - Cheap
    - Easily available
  - a private network
    - Secure
    - Reliable
- A mechanism to simulate a private network over a public network such as the Internet
- Connections are made up of packets and are temporary

Network Address Translation (NAT)
[Figure: Client -> NAT -> Internet -> Server]
1. Client -> NAT: from 172.47.9.6, port 59789
2. NAT -> Internet -> Server: from 60.168.34.2, port 63472

Translation table
Internal IP Addr | Internal Port | External IP Addr | External Port
172.47.9.6       | 59789         | 60.168.34.2      | 63472
...              | ...           | ...              | ...

Network Address Translation (NAT)
[Figure: Server -> Internet -> NAT -> Client]
3. Server -> Internet -> NAT: to 60.168.34.2, port 63472
4. NAT -> Client: to 172.47.9.6, port 59789
(Translation table as above)

More Related Content

What's hot (20)

Ch5-Computer Security
Ch5-Computer SecurityCh5-Computer Security
Ch5-Computer Security
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSH
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
 
Net prog
Net progNet prog
Net prog
 
Ssh
SshSsh
Ssh
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
 
Secure shell
Secure shellSecure shell
Secure shell
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
OpenSSH tricks
OpenSSH tricksOpenSSH tricks
OpenSSH tricks
 
05 06 ike
05   06 ike05   06 ike
05 06 ike
 
introduction to security
introduction to securityintroduction to security
introduction to security
 
Ssh (The Secure Shell)
Ssh (The Secure Shell)Ssh (The Secure Shell)
Ssh (The Secure Shell)
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
 
Ssh that wonderful thing
Ssh that wonderful thingSsh that wonderful thing
Ssh that wonderful thing
 
SSH
SSHSSH
SSH
 
Sockets
Sockets Sockets
Sockets
 
Ssh And Rlogin
Ssh And RloginSsh And Rlogin
Ssh And Rlogin
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERSSITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 

Similar to Ch6-Computer Security

presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfssuserf0e32f
 
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL)Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL)BGSBU Rajouri
 
ITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityKunal Sharma
 
CN_UNIT4.ppt ytutuim jykhjl fjghkhj gjjj
CN_UNIT4.ppt ytutuim jykhjl fjghkhj gjjjCN_UNIT4.ppt ytutuim jykhjl fjghkhj gjjj
CN_UNIT4.ppt ytutuim jykhjl fjghkhj gjjjPRADEEPERUKULLA2
 
1643129870-internet-security.pptx
1643129870-internet-security.pptx1643129870-internet-security.pptx
1643129870-internet-security.pptxMARIA401634
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
 
Site to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory authSite to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory authChanaka Lasantha
 
CN_UNIT4.ppt notre knxckvj bjbDJKVHFL jb
CN_UNIT4.ppt notre knxckvj bjbDJKVHFL jbCN_UNIT4.ppt notre knxckvj bjbDJKVHFL jb
CN_UNIT4.ppt notre knxckvj bjbDJKVHFL jbPRADEEPERUKULLA2
 
IWAN Lab Guide
IWAN Lab GuideIWAN Lab Guide
IWAN Lab Guidejww330015
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Yongyoon Shin
 
Site to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestSite to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestChanaka Lasantha
 

Similar to Ch6-Computer Security (20)

Ch8-Computer Security
Ch8-Computer SecurityCh8-Computer Security
Ch8-Computer Security
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
WLAN and IP security
WLAN and IP securityWLAN and IP security
WLAN and IP security
 
presentation_4102_1493726768.pdf
presentation_4102_1493726768.pdfpresentation_4102_1493726768.pdf
presentation_4102_1493726768.pdf
 
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL)Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL)
 
Openvpn
OpenvpnOpenvpn
Openvpn
 
IS - SSL
IS - SSLIS - SSL
IS - SSL
 
ITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP VulnerabilityITERA Paper - IPSec L2TP Vulnerability
ITERA Paper - IPSec L2TP Vulnerability
 
Ch7-Computer Security
Ch7-Computer SecurityCh7-Computer Security
Ch7-Computer Security
 
CN_UNIT4.ppt ytutuim jykhjl fjghkhj gjjj
CN_UNIT4.ppt ytutuim jykhjl fjghkhj gjjjCN_UNIT4.ppt ytutuim jykhjl fjghkhj gjjj
CN_UNIT4.ppt ytutuim jykhjl fjghkhj gjjj
 
1643129870-internet-security.pptx
1643129870-internet-security.pptx1643129870-internet-security.pptx
1643129870-internet-security.pptx
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
Site to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory authSite to-multi site open vpn solution. with active directory auth
Site to-multi site open vpn solution. with active directory auth
 
CN_UNIT4.ppt notre knxckvj bjbDJKVHFL jb
CN_UNIT4.ppt notre knxckvj bjbDJKVHFL jbCN_UNIT4.ppt notre knxckvj bjbDJKVHFL jb
CN_UNIT4.ppt notre knxckvj bjbDJKVHFL jb
 
IWAN Lab Guide
IWAN Lab GuideIWAN Lab Guide
IWAN Lab Guide
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1
 
BuildingSDNmanageableswitch.pdf
BuildingSDNmanageableswitch.pdfBuildingSDNmanageableswitch.pdf
BuildingSDNmanageableswitch.pdf
 
Site to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latestSite to-multi site open vpn solution-latest
Site to-multi site open vpn solution-latest
 

More from Attaporn Ninsuwan

Chapter 12 - Computer Forensics
Chapter 12 - Computer ForensicsChapter 12 - Computer Forensics
Chapter 12 - Computer ForensicsAttaporn Ninsuwan
 
Techniques for data hiding p
Techniques for data hiding pTechniques for data hiding p
Techniques for data hiding pAttaporn Ninsuwan
 
Stop badware infected_sites_report_062408
Stop badware infected_sites_report_062408Stop badware infected_sites_report_062408
Stop badware infected_sites_report_062408Attaporn Ninsuwan
 
Steganography past-present-future 552
Steganography past-present-future 552Steganography past-present-future 552
Steganography past-present-future 552Attaporn Ninsuwan
 
Chapter5 - The Discrete-Time Fourier Transform
Chapter5 - The Discrete-Time Fourier TransformChapter5 - The Discrete-Time Fourier Transform
Chapter5 - The Discrete-Time Fourier TransformAttaporn Ninsuwan
 
Chapter4 - The Continuous-Time Fourier Transform
Chapter4 - The Continuous-Time Fourier TransformChapter4 - The Continuous-Time Fourier Transform
Chapter4 - The Continuous-Time Fourier TransformAttaporn Ninsuwan
 
Chapter3 - Fourier Series Representation of Periodic Signals
Chapter3 - Fourier Series Representation of Periodic SignalsChapter3 - Fourier Series Representation of Periodic Signals
Chapter3 - Fourier Series Representation of Periodic SignalsAttaporn Ninsuwan
 
Chapter2 - Linear Time-Invariant System
Chapter2 - Linear Time-Invariant SystemChapter2 - Linear Time-Invariant System
Chapter2 - Linear Time-Invariant SystemAttaporn Ninsuwan
 
Chapter1 - Signal and System
Chapter1 - Signal and SystemChapter1 - Signal and System
Chapter1 - Signal and SystemAttaporn Ninsuwan
 
15955 state-of-the-art-post-exploitation-in-hardened-php-environments
15955 state-of-the-art-post-exploitation-in-hardened-php-environments15955 state-of-the-art-post-exploitation-in-hardened-php-environments
15955 state-of-the-art-post-exploitation-in-hardened-php-environmentsAttaporn Ninsuwan
 
47300 php-web-backdoor-decode
47300 php-web-backdoor-decode47300 php-web-backdoor-decode
47300 php-web-backdoor-decodeAttaporn Ninsuwan
 
45965 php-source-code-analysis
45965 php-source-code-analysis45965 php-source-code-analysis
45965 php-source-code-analysisAttaporn Ninsuwan
 

More from Attaporn Ninsuwan (20)

J query fundamentals
J query fundamentalsJ query fundamentals
J query fundamentals
 
Jquery enlightenment
Jquery enlightenmentJquery enlightenment
Jquery enlightenment
 
Jquery-Begining
Jquery-BeginingJquery-Begining
Jquery-Begining
 
Br ainfocom94
Br ainfocom94Br ainfocom94
Br ainfocom94
 
Chapter 12 - Computer Forensics
Chapter 12 - Computer ForensicsChapter 12 - Computer Forensics
Chapter 12 - Computer Forensics
 
Techniques for data hiding p
Techniques for data hiding pTechniques for data hiding p
Techniques for data hiding p
 
Stop badware infected_sites_report_062408
Stop badware infected_sites_report_062408Stop badware infected_sites_report_062408
Stop badware infected_sites_report_062408
 
Steganography past-present-future 552
Steganography past-present-future 552Steganography past-present-future 552
Steganography past-present-future 552
 
Ch03-Computer Security
Ch03-Computer SecurityCh03-Computer Security
Ch03-Computer Security
 
Ch02-Computer Security
Ch02-Computer SecurityCh02-Computer Security
Ch02-Computer Security
 
Ch01-Computer Security
Ch01-Computer SecurityCh01-Computer Security
Ch01-Computer Security
 
Ch04-Computer Security
Ch04-Computer SecurityCh04-Computer Security
Ch04-Computer Security
 
Chapter5 - The Discrete-Time Fourier Transform
Chapter5 - The Discrete-Time Fourier TransformChapter5 - The Discrete-Time Fourier Transform
Chapter5 - The Discrete-Time Fourier Transform
 
Chapter4 - The Continuous-Time Fourier Transform
Chapter4 - The Continuous-Time Fourier TransformChapter4 - The Continuous-Time Fourier Transform
Chapter4 - The Continuous-Time Fourier Transform
 
Chapter3 - Fourier Series Representation of Periodic Signals
Chapter3 - Fourier Series Representation of Periodic SignalsChapter3 - Fourier Series Representation of Periodic Signals
Chapter3 - Fourier Series Representation of Periodic Signals
 
Chapter2 - Linear Time-Invariant System
Chapter2 - Linear Time-Invariant SystemChapter2 - Linear Time-Invariant System
Chapter2 - Linear Time-Invariant System
 
Chapter1 - Signal and System
Chapter1 - Signal and SystemChapter1 - Signal and System
Chapter1 - Signal and System
 
15955 state-of-the-art-post-exploitation-in-hardened-php-environments
15955 state-of-the-art-post-exploitation-in-hardened-php-environments15955 state-of-the-art-post-exploitation-in-hardened-php-environments
15955 state-of-the-art-post-exploitation-in-hardened-php-environments
 
47300 php-web-backdoor-decode
47300 php-web-backdoor-decode47300 php-web-backdoor-decode
47300 php-web-backdoor-decode
 
45965 php-source-code-analysis
45965 php-source-code-analysis45965 php-source-code-analysis
45965 php-source-code-analysis
 

Recently uploaded

Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitolTechU
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 

Recently uploaded (20)

9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 

Ch6-Computer Security

Spoofing
- Providing false information about a principal's identity to obtain unauthorized access to systems and their services
- Sending a message that is not what it claims to be
- Can be carried out at any layer between the client and the server
- Often no content-level spoofing takes place at all; the falsified headers alone constitute the spoof
- Spoofing is always intentional

Attacks on Servers
- Denial of Service (DoS): reduce the usefulness of the server
- How a remote user can gain access to the system
  - Daemon/service: the OS provides network services, e.g., mail services, Web servers, name servers, remote access services
  - Program interaction: a vulnerability caused by unintended modification of one program's state or input by another
  - Flaws in the protocols or programs
- How to prevent DoS
  - Define the goal (what must keep working)
  - Auditing system (logs)
  - Intrusion detection systems (IDSs)

Attacks on Clients
- Vulnerability
  - Errors or unintended behavior in programs acting as a client
  - Any program that can receive data from an outside source is a client in this sense
- How to secure your clients
  - Minimize use
  - Anti-virus software
  - Limiting trust
  - Client configuration
Security at the Transport Layer
- Provides end-to-end security services, e.g., for a transaction on the Internet
  - Entity authentication: the customer needs to be sure that the server belongs to the actual vendor
  - Message integrity: the contents of the message are not modified during transmission
  - Confidentiality: no one can intercept sensitive information
- SSL & TLS are the two protocols
  - SSL: Secure Sockets Layer Protocol
  - TLS: Transport Layer Security Protocol

Secure Sockets Layer Protocol
- Designed to provide security and compression services to data generated from the application layer (usually HTTP)
- The data is compressed (optional), authenticated with a MAC, and encrypted, and then passed to a reliable transport layer protocol such as TCP

Sessions vs Connections (figure)
Sessions vs Connections
- Session
  - Client-server relationship
  - To create a new session, a full negotiation process must be done
  - A session can consist of many connections
  - Both parties share common information
  - Defined by a session state parameter
- Connection
  - Peer-to-peer relationship
  - To create a new connection (resuming a session), the two parties can skip part of the negotiation process
  - Defined by a connection state parameter

SSL defines 4 protocols (figure)
- The Record protocol carries messages from the 3 other protocols as well as the data coming from the application layer
- The Handshake protocol provides the security parameters by establishing a cipher suite, providing keys, and authenticating the parties
- The ChangeCipherSpec protocol signals the readiness of the cryptographic secrets
- The Alert protocol reports abnormal conditions
Handshake Protocol (figure)

Handshake Protocol: Phase I (figure)

Handshake Protocol: Phase II (figure)
Handshake Protocol: Phase III (figure)

Handshake Protocol: Phase IV (figure)

SSL actions
- Fragmentation: divides the data into blocks of 2^14 bytes or less
- Compression (optional): using one of the lossless compression methods negotiated between the client and server
- Message integrity: uses a keyed-hash function to create a MAC over the (compressed) fragment
- Confidentiality: the data & MAC are encrypted using a symmetric key
- Framing: a header is added to the payload before it is passed to TCP
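The five record-layer actions above, as an added example that is not part of the lecture slides. It follows TLS 1.0 record processing (RFC 2246: HMAC over the implicit sequence number plus the record header and fragment) and uses the NULL cipher and null compression, which are real but insecure TLS options, so that it runs on the standard library alone; a real cipher suite would run AES or 3DES in the `encrypt` step. Keys and application data are constructed values.

```python
"""Added example: SSL/TLS record-layer actions (fragment, compress, MAC,
encrypt, frame) in TLS 1.0 style, with NULL cipher and null compression."""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 1 << 14          # 2^14 bytes, the record-layer fragment limit
CONTENT_APPLICATION_DATA = 23   # content type code for application data
VERSION_TLS10 = (3, 1)          # TLS 1.0 is "SSL 3.1" on the wire
MAC_LEN = 20                    # HMAC-SHA1 output length


def fragment(data: bytes, limit: int = MAX_FRAGMENT):
    """Action 1: split application data into fragments of <= 2^14 bytes."""
    return [data[i:i + limit] for i in range(0, len(data), limit)] or [b""]


def compress(frag: bytes) -> bytes:
    """Action 2 (optional): only the 'null' method was mandatory; used here."""
    return frag


def record_mac(mac_key: bytes, seq_num: int, ctype: int, version, frag: bytes) -> bytes:
    """Action 3: keyed hash over seq_num || type || version || length || fragment.
    The sequence number is implicit (never sent) and defeats replay/reordering."""
    header = struct.pack("!QBBBH", seq_num, ctype, version[0], version[1], len(frag))
    return hmac.new(mac_key, header + frag, hashlib.sha1).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Action 4: stand-in for the negotiated symmetric cipher (NULL cipher)."""
    return plaintext


def frame(ctype: int, version, body: bytes) -> bytes:
    """Action 5: prepend the 5-byte record header (type, version, length)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def build_records(data: bytes, mac_key: bytes, enc_key: bytes, first_seq: int = 0):
    """Sender: run all five actions; returns the bytes handed to TCP and the
    next record sequence number (each record consumes one)."""
    out, seq = b"", first_seq
    for frag in fragment(data):
        comp = compress(frag)
        mac = record_mac(mac_key, seq, CONTENT_APPLICATION_DATA, VERSION_TLS10, comp)
        body = encrypt(enc_key, comp + mac)
        out += frame(CONTENT_APPLICATION_DATA, VERSION_TLS10, body)
        seq += 1
    return out, seq


def parse_records(blob: bytes, mac_key: bytes, enc_key: bytes, first_seq: int = 0):
    """Receiver: unframe, decrypt (NULL), verify the MAC in constant time and
    reassemble. Raises ValueError on truncation or any tampering."""
    data, seq, pos = b"", first_seq, 0
    while pos < len(blob):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", blob[pos:pos + 5])
        body = blob[pos + 5:pos + 5 + length]
        if len(body) != length or length < MAC_LEN:
            raise ValueError("truncated record")
        plain = encrypt(enc_key, body)           # NULL cipher: decrypt == encrypt
        frag, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
        expected = record_mac(mac_key, seq, ctype, (vmaj, vmin), frag)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad record MAC at seq %d" % seq)
        data += frag
        pos += 5 + length
        seq += 1
    return data, seq


if __name__ == "__main__":
    mac_key, enc_key = b"mac-key-constructed", b"enc-key-constructed"
    payload = b"GET / HTTP/1.1\r\n" * 1500      # 24000 bytes -> two fragments
    wire, _ = build_records(payload, mac_key, enc_key)
    print("records:", len(fragment(payload)), "bytes on wire:", len(wire))
    print("round trip ok:", parse_records(wire, mac_key, enc_key)[0] == payload)
```

The receiver checks the MAC before acting on the fragment and rejects any record whose sequence number, type or length was altered, because all of them are inside the MAC input; with a real cipher the order would be decrypt, then verify, and the error reported must not reveal which step failed.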
Algorithms in SSL (figure)
- 8-byte initialization vector (IV), except that a 20-byte IV is used with Fortezza

Key exchange in SSL (figure)

SSL message formats (figure)
- Record Protocol header
- ChangeCipherSpec Protocol
- Alert Protocol
- Generic header for Handshake Protocol
Types of Handshake message (figure)

Transport Layer Security
- TLS does not support Fortezza
- Generation of cryptographic secrets
  - More complex than in SSL
  - Data expansion
    - Expands a secret into a longer one
    - To create a dependency between rounds, the seed of each round is the output of the previous one
  - Pseudorandom function

Data expansion (figure)
Pseudorandom function (figure)

Master secret generation
- The pre-master secret is the same as in SSL
- The pseudorandom function is used to create the master secret

Key materials
- Generated by the pseudorandom function from the master secret
Alert Protocol
- Supports all alerts in SSL except NoCertificate
- Additional alerts (figure)

Handshake Protocol
- CertificateVerify message
- Finished message

Record Protocol (figure)
Security at the Network Layer
- Security at the layers above may not be enough
  - Not all client/server programs are protected at the application layer
  - Not all client/server programs at the application layer use the service of TCP, so they cannot be protected by SSL or TLS (e.g., those using UDP)
  - Many applications such as routing protocols directly use the service of IP
    - Security at the IP layer is needed

IPsec
- A collection of protocols designed by the Internet Engineering Task Force to provide security for a packet at the network level
- Creates authenticated and confidential packets for the IP layer
- Has two modes
  - Transport mode
  - Tunnel mode
- Has two security protocols
  - Authentication Header (AH) protocol
  - Encapsulating Security Payload (ESP)
IPsec: transport mode
- IPsec protects what is delivered from the transport layer to the network layer
- The IP header is not protected in transport mode
- The IPsec header (and trailer) are added around the transport-layer payload
- It only protects the packet from the transport layer upward
- Used when we need host-to-host (end-to-end) protection of data

IPsec: transport mode (figure)

IPsec: tunnel mode
- IPsec protects the entire IP packet
- A new IP header is added (carrying different information than the original IP header)
- Used between two routers, host to router, or router to host
IPsec: tunnel mode (figure)

Comparison of the two modes (figure)

Authentication Header Protocol (figure)
Authentication Header Protocol
- Purpose
  - To authenticate the source host
  - To ensure the integrity of the payload carried in the IP packet
- Action
  - Uses a hash function and a symmetric key to create a message digest (a MAC)
  - The digest is inserted in the authentication header
  - The AH is then placed in the appropriate location based on the mode

Encapsulating Security Payload (ESP)
- Purpose
  - Provides source authentication, integrity, and privacy (confidentiality)

Encapsulating Security Payload (ESP)
- Action: ESP adds a header and a trailer
  1. The ESP trailer is added to the payload
  2. The payload and the trailer are encrypted
  3. The ESP header is added
  4. The ESP header, the (encrypted) payload, and the ESP trailer are used to create the authentication data
  5. The authentication data are appended after the ESP trailer
  6. The IP header is added after changing the protocol value to 50
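The six ESP steps above in transport mode, as an added example that is not from the slides. To stay on the standard library it uses ESP-NULL encryption (RFC 2410) with HMAC-SHA1-96 authentication (RFC 2404), both real negotiable options; step 2 would be AES-CBC or AES-GCM under a real SA. The receiver side reverses the steps, verifies the authentication data before touching the payload, and enforces the 64-packet anti-replay window, which is how ESP provides the replay protection the slides list among the IPsec services. The SPI, key, addresses and payload are constructed values.

```python
"""Added example: ESP transport-mode encapsulation/decapsulation with
ESP-NULL + HMAC-SHA1-96, plus an IPv4 header with protocol 50 and the
anti-replay sliding window on the inbound SA."""
import hashlib
import hmac
import struct

IPPROTO_ESP = 50
IPPROTO_TCP = 6
ICV_LEN = 12            # HMAC-SHA1-96: 20-byte tag truncated to 96 bits
REPLAY_WINDOW = 64      # minimum window size required of ESP receivers


def esp_encapsulate(spi, seq, auth_key, payload, next_header=IPPROTO_TCP, block=4):
    """Steps 1-5: trailer, (null) encryption, header, ICV, append ICV."""
    # step 1: ESP trailer = padding to the cipher block size, pad length, next header
    pad_len = (-(len(payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))          # ESP's default monotonic pad bytes
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    # step 2: encrypt payload + trailer (ESP-NULL: identity)
    encrypted = payload + trailer
    # step 3: ESP header = SPI (4 bytes) + sequence number (4 bytes)
    header = struct.pack("!II", spi, seq)
    # step 4: authentication data over header + encrypted payload + trailer
    icv = hmac.new(auth_key, header + encrypted, hashlib.sha1).digest()[:ICV_LEN]
    # step 5: ICV goes after the trailer
    return header + encrypted + icv


def _ones_complement_sum(data: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Step 6: minimal 20-byte IPv4 header; `proto` is 50 for ESP."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    csum = (~_ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def verify_ipv4_checksum(hdr: bytes) -> bool:
    return _ones_complement_sum(hdr) == 0xFFFF


class EspInboundSA:
    """Receiver state for one inbound SA: key plus anti-replay window."""

    def __init__(self, spi, auth_key):
        self.spi, self.auth_key = spi, auth_key
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) already seen

    def _replay_check(self, seq) -> bool:
        if seq == 0 or seq > self.highest and seq != 0:
            return seq != 0           # 0 is never valid; anything new is fine
        diff = self.highest - seq
        if diff >= REPLAY_WINDOW:
            return False              # too old: left of the window
        return not (self.bitmap >> diff) & 1

    def _replay_update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, esp_packet: bytes):
        """Reverse steps 5..1; returns (next_header, payload) or raises ValueError."""
        spi, seq = struct.unpack("!II", esp_packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_check(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")       # verify first, never decrypt unauthenticated data
        self._replay_update(seq)                   # window advances only after a good ICV
        decrypted = body[8:]                       # ESP-NULL decryption
        pad_len, next_header = struct.unpack("!BB", decrypted[-2:])
        return next_header, decrypted[:len(decrypted) - 2 - pad_len]


if __name__ == "__main__":
    spi, key = 0x1000ABCD, b"constructed-auth-key"
    segment = b"hello over ESP"                     # constructed transport payload
    esp = esp_encapsulate(spi, 1, key, segment)
    packet = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_ESP, len(esp)) + esp
    print("IP protocol field:", packet[9], "ESP bytes:", len(esp))
    print("decapsulated:", EspInboundSA(spi, key).decapsulate(packet[20:]))
```

Two details matter for a practitioner: the ICV is checked before the packet is decrypted or the window updated, so forged packets cannot move the window, and a packet whose sequence number falls more than 64 behind the highest accepted one is rejected even with a valid ICV.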
Remarks
- IPv4 and IPv6
  - IPsec supports both IPv4 and IPv6 (in IPv6, AH & ESP are carried as extension headers)
- Why do we need AH?
  - ESP was designed after AH was already included in some commercial products
- IPsec services
  - Access control
  - Message integrity
  - Entity authentication
  - Confidentiality (ESP only, not AH)
  - Replay attack protection

Security Association (SA)
- A logical relationship between two hosts
- An aspect of IPsec
- Idea
  - An SA is a contract between two hosts (one inbound SA and one outbound SA)
  - SA handling can become very complex when a party communicates with many peers (hence a database of SAs)

Typical SA parameters (figure)
Security Policy (SP)
- An aspect of IPsec
- Defines the type of security applied to a packet when it is to be sent or when it has arrived
- Security policy database (SPD)
  - Each host using IPsec needs to keep an SPD (inbound and outbound)
  - Each entry in the SPD is accessed using a six-tuple index: <source address, destination address, name, protocol, source port, destination port>

Security policy database (SPD)
- Address (unicast, multicast, wildcard)
- Name (defines a DNS entity)
- Protocol (AH, ESP)

Outbound processing (figure)
Outbound processing
- Drop: the packet cannot be sent
- Bypass: the packet is sent without IPsec protection because the policy that matches it requires none
- Apply
  - Case 1: an outbound SA is already established; the packet is protected and transmitted accordingly
  - Case 2: no outbound SA is established; the Internet Key Exchange (IKE) is called to create an outbound and an inbound SA

Inbound processing (figure)

Inbound processing
- Discard: the packet is dropped
- Bypass: the packet is delivered to the transport layer without security processing
- Apply
  - Case 1: an inbound SA is already established; the packet is processed accordingly
  - Case 2: no inbound SA is established; the packet must be discarded (there is no way to negotiate one for a packet that has already arrived)
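The outbound and inbound decision procedures above, as an added example that is not from the slides. Policies are matched on the six-tuple selector the slides describe (the `name` selector is supported but left as a wildcard), first match wins, and a packet matching no entry is discarded, which is what RFC 4301 requires rather than the bypass the slide's wording suggests. The `ike` method is a placeholder that mints an SA pair with a counter-allocated SPI instead of running a real key exchange; addresses, ports and policies are constructed.

```python
"""Added example: SPD lookup and outbound/inbound IPsec processing with a
minimal SAD and a placeholder IKE."""
from dataclasses import dataclass
from typing import Optional

ANY = "*"


@dataclass(frozen=True)
class Selector:
    """Six-tuple SPD selector; ANY is a wildcard."""
    src: str = ANY
    dst: str = ANY
    name: str = ANY
    proto: str = ANY
    sport: object = ANY
    dport: object = ANY

    def matches(self, pkt: dict) -> bool:
        pairs = ((self.src, pkt["src"]), (self.dst, pkt["dst"]),
                 (self.name, pkt.get("name", ANY)), (self.proto, pkt["proto"]),
                 (self.sport, pkt["sport"]), (self.dport, pkt["dport"]))
        return all(want == ANY or want == got for want, got in pairs)


@dataclass
class Policy:
    selector: Selector
    action: str            # "drop" | "bypass" | "apply"
    protocol: str = "ESP"  # IPsec protocol to apply: "AH" or "ESP"


@dataclass
class SA:
    spi: int
    peer: str
    protocol: str


class IPsecHost:
    def __init__(self, spd_out, spd_in):
        self.spd_out, self.spd_in = spd_out, spd_in   # ordered; first match wins
        self.sad_out = {}      # (peer, protocol) -> SA
        self.sad_in = {}       # spi -> SA
        self._next_spi = 0x1000

    @staticmethod
    def lookup(spd, pkt) -> Optional[Policy]:
        return next((p for p in spd if p.selector.matches(pkt)), None)

    def ike(self, peer: str, protocol: str):
        """Placeholder for IKE: a real exchange authenticates the peer and
        agrees keys; here it only allocates an SA pair and records it."""
        out_sa = SA(self._next_spi, peer, protocol)
        in_sa = SA(self._next_spi + 1, peer, protocol)
        self._next_spi += 2
        self.sad_out[(peer, protocol)] = out_sa
        self.sad_in[in_sa.spi] = in_sa
        return out_sa, in_sa

    def outbound(self, pkt: dict):
        policy = self.lookup(self.spd_out, pkt)
        if policy is None or policy.action == "drop":
            return ("drop", None)                 # no entry, or explicit drop
        if policy.action == "bypass":
            return ("bypass", pkt)
        sa = self.sad_out.get((pkt["dst"], policy.protocol))
        if sa is None:                            # case 2: no SA yet -> IKE creates a pair
            sa, _ = self.ike(pkt["dst"], policy.protocol)
        return ("apply", {"spi": sa.spi, "protocol": sa.protocol, "inner": pkt})

    def inbound(self, pkt: dict):
        if "spi" in pkt:                          # IPsec-protected packet
            sa = self.sad_in.get(pkt["spi"])
            if sa is None:
                return ("discard", None)          # case 2: no inbound SA -> discard
            inner = pkt["inner"]                  # ICV check / decryption with sa would go here
            policy = self.lookup(self.spd_in, inner)
            if policy is None or policy.action != "apply" or policy.protocol != sa.protocol:
                return ("discard", None)          # protected traffic must match an 'apply' entry
            return ("apply", inner)
        policy = self.lookup(self.spd_in, pkt)
        if policy is None or policy.action != "bypass":
            return ("discard", None)              # cleartext where protection is required
        return ("bypass", pkt)


# constructed policy set for host 10.0.0.1: ESP to/from peer 10.0.0.2,
# DNS bypassed, one destination blocked, everything else discarded
SPD_OUT = [Policy(Selector(dst="10.0.0.2"), "apply", "ESP"),
           Policy(Selector(proto="udp", dport=53), "bypass"),
           Policy(Selector(dst="192.0.2.9"), "drop")]
SPD_IN = [Policy(Selector(src="10.0.0.2"), "apply", "ESP"),
          Policy(Selector(proto="udp", sport=53), "bypass")]

if __name__ == "__main__":
    host = IPsecHost(SPD_OUT, SPD_IN)
    ssh = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": "tcp", "sport": 40000, "dport": 22}
    print(host.outbound(ssh))          # case 2: IKE runs, SA pair created
    print(host.outbound(ssh))          # case 1: same SPI reused
    print(host.inbound(dict(ssh, src="10.0.0.2", dst="10.0.0.1", sport=22, dport=40000)))  # cleartext -> discard
```

The inbound path also re-checks the decapsulated packet against the SPD so that a peer cannot use one SA to inject traffic the policy never authorised for it.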
Virtual Private Networks (VPN)
- A mechanism employing encryption, authentication and integrity protection
- Offers a high level of security
- Does not require any special cabling
- Combines the advantages of
  - a public network: cheap, easily available
  - a private network: secure, reliable
- A mechanism to simulate a private network over a public network such as the Internet
- Connections are made up of packets and are temporary

Network Address Translation (NAT) (figure: a client behind a NAT talks to a server on the Internet)
1. The client sends a packet: From 172.47.9.6, Port 59789
2. The NAT rewrites the source and forwards it to the server: From 60.168.34.2, Port 63472, recording the mapping in its translation table
3. The server's reply arrives at the NAT: To 60.168.34.2, Port 63472
4. The NAT looks up the translation table and delivers the packet to the client: To 172.47.9.6, Port 59789

Translation table
  Internal IP Addr | Internal Port | External IP Addr | External Port
  172.47.9.6       | 59789         | 60.168.34.2      | 63472
  ...              | ...           | ...              | ...
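The four steps of the NAT figure above, as an added example that is not from the slides. It keeps the figure's addresses (the internal address 172.47.9.6 is kept as drawn even though it lies outside the RFC 1918 private ranges) and its first external port, 63472; packets are dicts standing in for the IP and transport headers. The part the figure does not show, and that matters for security, is what happens to an inbound packet with no table entry: it is dropped.

```python
"""Added example: port-translating NAT with the figure's translation table."""


class Nat:
    def __init__(self, external_ip: str, first_port: int = 63472):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table = {}     # (internal ip, internal port) -> external port
        self.reverse = {}   # external port -> (internal ip, internal port)

    def outbound(self, pkt: dict) -> dict:
        """Steps 1-2: rewrite the source to the external address/port,
        creating a table entry the first time an internal endpoint is seen."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[port] = key
        return dict(pkt, src=self.external_ip, sport=self.table[key])

    def inbound(self, pkt: dict):
        """Steps 3-4: map the external port back to the internal endpoint.
        Returns None (drop) for packets that match no translation entry,
        which is why hosts behind a NAT are not reachable unsolicited."""
        if pkt["dst"] != self.external_ip:
            return None
        key = self.reverse.get(pkt["dport"])
        if key is None:
            return None
        return dict(pkt, dst=key[0], dport=key[1])


if __name__ == "__main__":
    nat = Nat("60.168.34.2")
    request = {"src": "172.47.9.6", "sport": 59789, "dst": "198.51.100.10", "dport": 80}
    on_wire = nat.outbound(request)              # constructed packet, server in the documentation range
    reply = {"src": "198.51.100.10", "sport": 80, "dst": "60.168.34.2", "dport": on_wire["sport"]}
    print("step 2:", on_wire)
    print("step 4:", nat.inbound(reply))
    print("unsolicited:", nat.inbound(dict(reply, dport=63473)))
```

This table is keyed only on the internal endpoint, so once a mapping exists any external host can reach it through the external port (full-cone behaviour); a NAT that also records the destination in the key is stricter, and a stateful firewall in front of it stricter still.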