CNS UNIT-VI.pptx

nandan543979 73 views 47 slides Sep 22, 2022

About This Presentation

network security unit-4


Slide Content

UNIT – VI: Network Security – II
Topics: Security at Network Layer (IPSec), System Security
DNR COLLEGE OF ENGINEERING & TECHNOLOGY, DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

IP Security
- IP Security Overview
- IP Security Architecture
- Authentication Header
- Encapsulating Security Payload
- Combining Security Associations
- Key Management

IP Security Overview
The standard Internet communication protocol is completely unprotected, allowing hosts to inspect or modify data in transit. Adding IPSec to the system resolves this limitation by providing strong encryption, integrity, authentication and replay protection.

What Security Problem?
Today's Internet is primarily comprised of public, untrusted, unreliable IP networks. Because of this inherent lack of security, the Internet is subject to various types of threats.

Internet Threats
- Data integrity: The contents of a packet can be accidentally or deliberately modified.
- Identity spoofing: The origin of an IP packet can be forged.
- Replay attacks: Unauthorized data can be retransmitted.
- Loss of privacy: The contents of a packet can be examined in transit.

Security at What Level?
- Application Layer: PGP, Kerberos, SSH, etc.
- Transport Layer: Transport Layer Security (TLS)
- Network Layer: IP Security
- Data Link Layer: Hardware encryption

IP Security
IP-level security encompasses three functional areas:
- Authentication
- Confidentiality
- Key management

IP Security
- Authentication: The authentication mechanism ensures that the received packet was sent by the identified source. It also assures that the packet has not been altered in transit.
- Confidentiality: The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.
- Key management: Concerned with the secure exchange of keys.

IP Security Scenario (figure slide)

Applications of IP Security
- Secure branch office connectivity over the Internet.
- Secure remote access over the Internet.
- Establishing extranet and intranet connectivity with partners.
- Enhancing electronic commerce security.

Benefits of IPsec
- Provides strong security when implemented in a firewall or router, where it can be applied to all traffic crossing the perimeter.
- IPsec is resistant to bypass if all traffic from the outside must use IP and the firewall is the only way of entrance from the Internet into the organization.
- Is below the transport layer, hence transparent to applications.
- Can be transparent to end users.
- Can provide security for individual users if needed.

IPsec Documents
- Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology.
- Authentication Header (AH): An extension header to provide message authentication. Current specification is RFC 4302.
- Encapsulating Security Payload (ESP): Consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication. Current specification is RFC 4303.
- Internet Key Exchange (IKE): A collection of documents describing the key management schemes for use with IPsec.
- Cryptographic algorithms: A large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions, and cryptographic key exchange.
- Domain of Interpretation: Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.

IPSec Document Overview (figure slide)

IPSec Security Services
- Connectionless integrity: Assurance that received traffic has not been modified. Integrity includes anti-replay defenses.
- Data origin authentication: Assurance that traffic is sent by the legitimate party or parties.
- Confidentiality (encryption): Assurance that the user's traffic is not examined by non-authorized parties.
- Access control: Prevention of unauthorized use of a resource.
- Limited traffic flow confidentiality

Security Associations
A one-way relationship between a sender and a receiver that affords security services to the traffic carried on it. A security association is uniquely identified by three parameters:
- Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
- IP Destination Address: Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.
- Security Protocol Identifier: Indicates whether the association is an AH or ESP security association.

Security Association Parameters
The Security Association Database defines the parameters associated with each SA. A security association is normally defined by the following parameters:
- Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers.
- Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA (required for all implementations).
- Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay.
- AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with AH (required for AH implementations).

Security Association Parameters (continued)
- ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations).
- Lifetime of This Security Association: A time interval or byte count after which an SA must be replaced with a new SA (and new SPI) or terminated, plus an indication of which of these actions should occur (required for all implementations).
- IPSec Protocol Mode: Tunnel, transport, or wildcard (required for all implementations).
- Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables (required for all implementations).

Security Association Selectors
The means by which IP traffic is related to specific SAs (or to no SA, in the case of traffic allowed to bypass IPSec) is the nominal Security Policy Database (SPD). The following selectors determine an SPD entry:
- Destination IP Address: This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one destination system sharing the same SA (e.g., behind a firewall).
- Source IP Address: This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one source system sharing the same SA (e.g., behind a firewall).
- UserID: A user identifier from the operating system. This is not a field in the IP or upper-layer headers but is available if IPSec is running on the same operating system as the user.

Security Association Selectors (continued)
- Data Sensitivity Level: Used for systems providing information flow security (e.g., Secret or Unclassified).
- Transport Layer Protocol: Obtained from the IPv4 Protocol or IPv6 Next Header field. This may be an individual protocol number, a list of protocol numbers, or a range of protocol numbers.
- Source and Destination Ports: These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port.
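The SPD selector matching and the SA identification triple (SPI, destination address, security protocol) from the slides above, as an added example that is not part of the original deck. The policy entries, SA records, addresses and SPI values are constructed for illustration; address selectors are modelled as single addresses or CIDR masks, numeric selectors as single values or inclusive ranges.

```python
"""SPD selector matching and SAD lookup for IPsec policy decisions.

Added example: the policy entries, SA records and packets below are
constructed sample values, not taken from any real configuration.
"""
import ipaddress
from dataclasses import dataclass

ANY = None   # wildcard selector


@dataclass
class SPDEntry:
    """One SPD entry. Address selectors are a single address or a CIDR mask
    (the 'range or wildcard' case); numeric selectors are a single value
    or an inclusive (lo, hi) range; ANY matches everything."""
    dst: object
    src: object
    proto: object
    dport: object
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    sa_id: tuple = None         # (SPI, destination, "AH"/"ESP") for PROTECT


def _match_addr(sel, addr):
    if sel is ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(sel, strict=False)


def _match_num(sel, value):
    if sel is ANY:
        return True
    if isinstance(sel, tuple):
        return sel[0] <= value <= sel[1]
    return sel == value


def spd_lookup(spd, src, dst, proto, dport):
    """Return the first matching entry; the SPD is an ordered list, so the
    most specific rules must come first."""
    for e in spd:
        if (_match_addr(e.dst, dst) and _match_addr(e.src, src)
                and _match_num(e.proto, proto) and _match_num(e.dport, dport)):
            return e
    return None


def sad_lookup(sad, spi, dst, protocol):
    """An SA is uniquely identified by the triple (SPI, destination, protocol)."""
    return sad.get((spi, dst, protocol))


# Constructed SPD: protect TCP to well-known ports between two sites,
# let DNS bypass IPsec, discard everything else.
SPD = [
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", 6, (1, 1023), "PROTECT",
             sa_id=(0x1001, "10.1.0.1", "ESP")),
    SPDEntry(ANY, ANY, 17, 53, "BYPASS"),
    SPDEntry(ANY, ANY, ANY, ANY, "DISCARD"),
]

# Constructed SAD keyed by the identifying triple.
SAD = {
    (0x1001, "10.1.0.1", "ESP"): {"mode": "tunnel", "cipher": "AES-CBC"},
    (0x2002, "10.1.0.1", "AH"): {"mode": "transport", "auth": "HMAC-SHA1-96"},
}


def decide(src, dst, proto, dport):
    """Policy decision for one outbound packet: (action, SA record or None).
    No matching entry means DISCARD: unpoliced traffic must not leave."""
    e = spd_lookup(SPD, src, dst, proto, dport)
    if e is None:
        return "DISCARD", None
    sa = sad_lookup(SAD, *e.sa_id) if e.sa_id else None
    return e.action, sa
```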

IPSec Modes of Operation
Both AH and ESP support two modes of use:
- Transport mode: Provides protection primarily for upper-layer protocols. ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH authenticates the IP payload and selected portions of the IP header.
- Tunnel mode: Provides protection to the entire IP packet. After the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new outer packet with a new outer IP header.

IPSec Modes of Operation

Original IP Datagram:
  [IP Header][TCP Header][Data]

Transport Mode protected packet (protects the upper-layer protocols):
  [IP Header][IPSec Header][TCP Header][Data]
                           |<----- protected ----->|

Tunnel Mode protected packet (protects the entire IP payload):
  [New IP Header][IPSec Header][Original IP Header][TCP Header][Data]
                               |<------------- protected ------------->|

Transport mode vs. Tunnel mode functionalities

AH
- Transport Mode SA: Authenticates IP payload and selected portions of IP header and IPv6 extension headers.
- Tunnel Mode SA: Authenticates entire inner IP packet plus selected portions of outer IP header.

ESP
- Transport Mode SA: Encrypts IP payload and any IPv6 extension header.
- Tunnel Mode SA: Encrypts inner IP packet.

ESP with authentication
- Transport Mode SA: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but not the IP header.
- Tunnel Mode SA: Encrypts inner IP packet. Authenticates inner IP packet.

Authentication Header
Provides support for data integrity and authentication of IP packets. Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key.

Authentication Header
The Authentication Header consists of the following fields:
- Next Header (8 bits): Identifies the type of header immediately following this header.
- Payload Length (8 bits): Length of the Authentication Header in 32-bit words, minus 2.
- Reserved (16 bits): For future use.
- Security Parameters Index (32 bits): Identifies a security association.
- Sequence Number (32 bits): A monotonically increasing counter value.
- Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC.

Authentication Header (Fig: Authentication Header)
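The AH field layout listed above, worked through in code as an added example (not from the slides): a transport-mode AH is inserted after an IPv4 header and its ICV is computed and verified with HMAC-SHA1-96 over the packet with the mutable IPv4 fields zeroed. The key, addresses and payload are constructed sample values; the "Payload Length minus 2" encoding and the zeroed Authentication Data during MAC computation follow the slide's description.

```python
"""Authentication Header (AH) in transport mode: build one and verify its ICV.

Added example that follows the AH field layout on the slide above. It uses
HMAC-SHA1-96 (HMAC-SHA1 truncated to 12 bytes) as the MAC; the key, the
addresses and the payload are constructed sample values.
"""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51                      # IPv4 Protocol number for AH
ICV_LEN = 12                          # HMAC-SHA1-96 output size
AH_FIXED = struct.Struct("!BBHII")    # Next Header, Payload Len, Reserved, SPI, Seq


def _mask_mutable_ipv4(ip_hdr):
    """Zero the IPv4 fields that routers may change in transit (TOS,
    flags/fragment offset, TTL, header checksum) so the ICV covers only
    bytes that are immutable or predictable at the receiver."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def _icv(key, ip_hdr, ah_fixed, payload):
    # Authentication Data is taken as all zeros while the MAC is computed.
    data = _mask_mutable_ipv4(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, spi, seq, next_header, ip_hdr, payload):
    """Insert an AH between the IPv4 header and its payload (transport mode)."""
    ah_len = AH_FIXED.size + ICV_LEN       # 12 + 12 = 24 bytes
    payload_len_field = ah_len // 4 - 2    # AH length in 32-bit words, minus 2
    ah_fixed = AH_FIXED.pack(next_header, payload_len_field, 0, spi, seq)
    return ip_hdr + ah_fixed + _icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key, packet):
    """Parse the AH and recompute the ICV; returns (fields, is_valid)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, rest = packet[:ihl], packet[ihl:]
    next_header, plen, _reserved, spi, seq = AH_FIXED.unpack_from(rest)
    ah_len = (plen + 2) * 4                # undo the "minus 2" encoding
    ah_fixed, icv, payload = rest[:AH_FIXED.size], rest[AH_FIXED.size:ah_len], rest[ah_len:]
    fields = {"next_header": next_header, "spi": spi, "seq": seq,
              "icv_len": ah_len - AH_FIXED.size}
    if fields["icv_len"] != ICV_LEN:
        return fields, False               # ICV size does not match this SA's algorithm
    # Constant-time comparison: a plain == would leak timing on a wrong MAC.
    return fields, hmac.compare_digest(icv, _icv(key, ip_hdr, ah_fixed, payload))


def sample_ip_header(payload_len, ttl=64):
    """Constructed IPv4 header for an AH packet (Protocol = 51). The header
    checksum is left zero here; a real stack fills it in after the AH is added."""
    total_len = 20 + AH_FIXED.size + ICV_LEN + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, AH_PROTOCOL, 0, bytes([10, 1, 0, 1]), bytes([10, 2, 3, 4]))
```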

Encapsulating Security Payload (ESP)
- Provides message content confidentiality and limited traffic flow confidentiality.
- Can optionally provide the same authentication services as AH. Because message authentication is provided by ESP, the use of AH is deprecated.
- Supports a range of ciphers, modes and padding, incl. DES, Triple-DES, RC5, IDEA, CAST etc.; CBC and other modes.
- Padding is needed to fill the block size, to align fields, and for traffic flow confidentiality.

Encapsulating Security Payload (Fig: ESP Format)

Encapsulating Security Payload
- Security Parameters Index (32 bits): Identifies a security association.
- Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function.
- Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
- Padding (0–255 bytes): Included for various reasons.
- Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
- Next Header (8 bits): Identifies the type of data contained in the Payload Data field by identifying the first header in that payload.
- Integrity Check Value (variable): A variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.
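The anti-replay function of the Sequence Number field, together with the Sequence Number Counter, Sequence Counter Overflow and Anti-Replay Window parameters from the Security Association Parameters slides, as an added example that is not part of the original deck. The sliding-bitmap window is the standard receiver-side scheme for AH and ESP; the window size and the sequence numbers fed in are constructed values.

```python
"""Anti-replay window (receiver) and sequence counter (sender) for one SA.

Added example; the sliding-bitmap algorithm is the one used by ESP and AH
receivers. Window size and the sequence numbers fed in are constructed
sample values.
"""


class AntiReplayWindow:
    """Receiver side: bitmap of the last `size` sequence numbers at or below
    the highest one accepted. Bit i set means (highest - i) was received."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq):
        """Classify a sequence number without changing state.
        Returns (accept, reason). The window must be advanced only after
        the packet's ICV has verified, or forged sequence numbers could
        push the window forward and lock out legitimate packets."""
        if seq == 0:
            return False, "zero"             # first valid sequence number is 1
        if seq > self.highest:
            return True, "new"               # to the right of the window
        diff = self.highest - seq
        if diff >= self.size:
            return False, "too-old"          # fell off the left edge
        if (self.bitmap >> diff) & 1:
            return False, "replay"           # already seen
        return True, "in-window"

    def update(self, seq):
        """Record a verified packet; call only after check() accepted it."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class SequenceCounter:
    """Sender side: the 32-bit Sequence Number Counter of an SA. It must
    never cycle; exhausting it is the Sequence Counter Overflow event."""
    MAX = 0xFFFFFFFF

    def __init__(self, start=0):
        self.value = start
        self.overflowed = False

    def next_seq(self):
        if self.value >= self.MAX:
            self.overflowed = True         # auditable event: stop sending on this SA
            raise OverflowError("sequence counter exhausted; replace the SA (new SPI, new keys)")
        self.value += 1
        return self.value


def process_sequence(window, seqs):
    """Feed received sequence numbers through the window as a receiver
    would after each ICV check passed; returns (seq, verdict) pairs."""
    verdicts = []
    for s in seqs:
        ok, reason = window.check(s)
        if ok:
            window.update(s)
        verdicts.append((s, reason))
    return verdicts
```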

Transport vs Tunnel Mode ESP
- Transport mode is used to encrypt and optionally authenticate IP data: the data is protected but the header is left in the clear, so traffic analysis is possible, but it is efficient. Good for ESP host-to-host traffic.
- Tunnel mode encrypts the entire IP packet and adds a new header for the next hop. Good for VPNs and gateway-to-gateway security.

Transport vs Tunnel Mode ESP (Fig: Transport-Mode vs. Tunnel-Mode Encryption)

Transport vs Tunnel Mode ESP (Fig: Scope of ESP Encryption and Authentication)

Combining Security Associations
- SAs can implement either AH or ESP; to implement both, SAs need to be combined.
- Combined SAs form a security association bundle, which may terminate at different or the same endpoints.
- Combined by transport adjacency or iterated tunneling.
- Issue of authentication and encryption order.

Authentication Plus Confidentiality
Transmitting an IP packet that has both confidentiality and authentication between hosts:
1) ESP with Authentication Option: Authentication after encryption, using transport mode ESP or tunnel mode ESP.
2) Transport Adjacency: Another way to apply authentication after encryption. Use two bundled transport SAs, with the inner being an ESP SA and the outer being an AH SA. Here ESP is used without the authentication option.
   Advantage: Authentication covers more fields, including the source and destination IP addresses.
   Disadvantage: Overhead of two SAs vs one SA.
3) Transport-Tunnel Bundle: Authentication before encryption. Use a bundle consisting of an inner AH transport SA and an outer ESP tunnel SA.
   Advantages: Impossible to intercept the message and alter the authentication data without detection. Authentication information with the message may be stored at the destination for later reference.

Basic Combinations of Security Associations (Fig: Basic Combinations of Security Associations)

Key Management
- Handles key generation and distribution.
- Typically need 2 pairs of keys: 2 per direction, for AH and ESP.
- Manual key management: a system administrator manually configures every system.
- Automated key management: an automated system for on-demand creation of keys for SAs in large systems; has Oakley and ISAKMP elements.

Internet Security Association and Key Management Protocol (ISAKMP)
ISAKMP provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes.

ISAKMP Header Format
An ISAKMP message consists of an ISAKMP header followed by one or more payloads. All of this is carried in a transport protocol. The specification dictates that implementations must support the use of UDP for the transport protocol.

The ISAKMP header consists of the following fields:
- Initiator Cookie (64 bits): Cookie of the entity that initiated SA establishment, SA notification, or SA deletion.
- Responder Cookie (64 bits): Cookie of the responding entity; null in the first message from the initiator.
- Next Payload (8 bits): Indicates the type of the first payload in the message.
- Major Version (4 bits): Indicates the major version of ISAKMP in use.
- Minor Version (4 bits): Indicates the minor version in use.
- Exchange Type (8 bits): Indicates the type of exchange.
- Flags (8 bits): Indicates specific options set for this ISAKMP exchange.
- Message ID (32 bits): Unique ID for this message.
- Length (32 bits): Length of the total message (header plus all payloads) in octets.
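A parser for the 28-octet header laid out above, as an added example that is not part of the original deck: it unpacks the fields, splits the version octet into its major and minor nibbles, checks the Length field against the datagram actually received, and applies the null-responder-cookie rule for the initiator's first message. The cookies, exchange type and payload bytes used are constructed sample values, not a captured message.

```python
"""Parse and validate the 28-octet ISAKMP header described above.

Added example; the header layout is the one listed on the slide. The
cookies, exchange type and payload bytes used below are constructed
sample values, not a captured message.
"""
import struct

# Initiator Cookie, Responder Cookie, Next Payload, Version (major<<4|minor),
# Exchange Type, Flags, Message ID, Length
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
NULL_COOKIE = bytes(8)


def parse_isakmp_header(datagram):
    """Return the header fields as a dict; raise ValueError on malformed input."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than the ISAKMP header")
    (icookie, rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = ISAKMP_HEADER.unpack_from(datagram)
    # Length covers header plus all payloads; a mismatch means truncation or
    # trailing bytes, and payload parsing must not proceed on that basis.
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    if icookie == NULL_COOKIE:
        raise ValueError("initiator cookie must not be null")
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": next_payload,
        "major_version": version >> 4,        # high nibble
        "minor_version": version & 0x0F,      # low nibble
        "exchange_type": exch_type,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
        # A null responder cookie marks the initiator's first message.
        "first_message": rcookie == NULL_COOKIE,
        "payload": datagram[ISAKMP_HEADER.size:],
    }


def build_isakmp_header(icookie, rcookie, next_payload, major, minor,
                        exch_type, flags, msg_id, payload_len):
    """Pack a header whose Length field accounts for the payloads that follow."""
    return ISAKMP_HEADER.pack(icookie, rcookie, next_payload, (major << 4) | minor,
                              exch_type, flags, msg_id, ISAKMP_HEADER.size + payload_len)


def is_well_formed(datagram):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_isakmp_header(datagram)
        return True
    except ValueError:
        return False
```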

Objective type questions

Q: The ……………. is used to provide integrity check, authentication, and encryption to IP datagram.
A) SSL  B) ESP  C) TSL  D) PSL
Answer: B) ESP

Q: In ……………………. mode, a common technique in packet-switched networks consists of wrapping a packet in a new one.
A) Tunneling  B) Encapsulation  C) Both A and B  D) None of the above
Answer: C) Both A and B

Q: The …………………………. is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the Network level.
A) IPsec  B) Netsec  C) Packetsec  D) Protocolsec
Answer: A) IPsec

Q: …………….. mode is used whenever either end of a security association is the gateway.
A) Tunnel  B) Encapsulating  C) Transport  D) Gateway
Answer: A) Tunnel

Q: IPSec defines two protocols: _______ and ________.
A) AH; SSL  B) PGP; ESP  C) AH; ESP  D) all of the above
Answer: A) AH; SSL

Q: In the ______ mode, IPSec protects information delivered from the transport layer to the network layer.
A) transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
Answer: A) transport

Q: An _________ is a network that allows authorized access from outside users.
A) intranet  B) internet  C) extranet  D) none of the above
Answer: C) extranet

Q: _________ is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the network level.
A) IPSec  B) SSL  C) PGP  D) none of the above
Answer: A) IPSec

Q: IPSec uses a set of SAs called the ________.
A) SAD  B) SAB  C) SADB  D) none of the above
Answer: C) SADB

Q: IPSec in the ______ mode does not protect the IP header.
A) transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
Answer: A) transport

Q: ________ provides privacy, integrity, and authentication in e-mail.
A) IPSec  B) SSL  C) PGP  D) none of the above
Answer: C) PGP

Q: ______ provides authentication at the IP level.
A) AH  B) ESP  C) PGP  D) SSL
Answer: A) AH

Q: ______ is designed to provide security and compression services to data generated from the application layer.
A) SSL  B) TLS  C) either (a) or (b)  D) both (a) and (b)
Answer: D) both (a) and (b)

Q: In the _______ mode, IPSec protects the whole IP packet, including the original IP header.
A) transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
Answer: B) tunnel

Q: IPSec is designed to provide security at the _________
a) Transport layer  b) Network layer  c) Application layer  d) Session layer
Answer: b) Network layer

Q: In tunnel mode, IPSec protects the ______
a) Entire IP packet  b) IP header  c) IP payload  d) IP trailer
Answer: a) Entire IP packet

Q: Which component is included in IP security?
a) Authentication Header (AH)  b) Encapsulating Security Payload (ESP)  c) Internet Key Exchange (IKE)  d) All of the mentioned
Answer: d) All of the mentioned

Q: An attempt to make a computer resource unavailable to its intended users is called ______
a) Denial-of-service attack  b) Virus attack  c) Worms attack  d) Botnet process
Answer: a) Denial-of-service attack

Q: _________ is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the network level.
A) IPSec  B) SSL  C) PGP  D) none of the above
Answer: A) IPSec

Q: _________ operates in the transport mode or the tunnel mode.
A) IPSec  B) SSL  C) PGP  D) none of the above
Answer: A) IPSec

Q: In the ______ mode, IPSec protects information delivered from the transport layer to the network layer.
A) Transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
Answer: A) Transport

Q: IPSec in the ______ mode does not protect the IP header.
A) transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
Answer: A) transport

Q: In the _______ mode, IPSec protects the whole IP packet, including the original IP header.
A) Transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
Answer: B) tunnel

Q: IPSec defines two protocols: _______ and ________.
A) AH; SSL  B) PGP; ESP  C) AH; ESP  D) none of the above
Answer: C) AH; ESP

Q: ______ provides either authentication or encryption, or both, for packets at the IP level.
A) AH  B) ESP  C) PGP  D) SSL
Answer: B) ESP

Previous Questions
1. Illustrate the services provided by IPSec. [3] Oct/Nov - 2018
2. Write a short note on tunnel mode in IP security. [3] Oct/Nov - 2018
3. What is Internet key management in IPSec? [3] Oct/Nov - 2018
4. Write about ESP. [3] Oct/Nov - 2018
5. Draw the IP security authentication header and describe the functions of each field. [8] Oct/Nov - 2018
6. What is transport mode and tunnel mode authentication in IP? Describe how ESP is applied to both these modes. [8] Oct/Nov - 2018
7. Describe IP security architecture. [8] Oct/Nov - 2018

8. Define security policy and explain its purpose in relation to IPsec. [3] Oct/Nov - 2019
9. Distinguish the two modes of IPsec. [2] Oct/Nov - 2019
10. What is IPSec? Explain the operation of IPSec in transport mode and tunnel mode. [7] Explain the ISAKMP protocol. [7] Oct/Nov - 2019
11. What is IPSec? Explain the AH and ESP protocols of IPsec. [14] Oct/Nov - 2019
12. Explain the Authentication Header protocol of IPSec. [7] Oct/Nov - 2019
13. Explain the Security Policy of IPSec. [7] Oct/Nov - 2019
14. Explain the ESP protocol and compare the services provided by IPSec in AH and ESP. [10] Oct/Nov - 2019