Network Security Course
Spring 2022
Lecture 14
Department of Computer Engineering
Dr Shubat Owhida
Network Security
All defense mechanisms must work correctly and securely:
  Cryptographic primitives   RSA, DES, AES, SHA-1…
  Protocols and policies     TLS, IPsec, access control…
  Implementations            Firewalls, intrusion detection…
  End uses                   Password managers, company policies…
Virtual Private Network (VPN)
❑ A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
❑ A tunnel is a virtual path across a network that delivers packets that are encapsulated and possibly encrypted.
Internet Security Protocols
❑ Security provided at the network layer with IPSec.
❑ Security provided at the transport layer with Secure Socket Layer (SSL).
❑ Security provided at the application layer with Pretty Good Privacy (PGP) for email security.
[Figure: protocol stack (Application, Transport, Network, Link, Physical) annotated with PGP, SSL and IPSec and with the User, OS and NIC boundaries.]
✓ IPSec is used in VPN applications (secure tunnel).
IPSec (Internet Protocol Security)
❑ IPSec is a set of protocols and algorithms used to secure IP data at the network layer.
❑ IPSec is implemented by the network for all applications.
❑ IPSec is built into IPv6 and compatible with IPv4.
❑ IPSec provides cryptographic security services that allow for authentication, integrity, access control, and confidentiality.
❑ IPSec is completely transparent to the applications (no need to have any knowledge of IPSec to be able to use it).
❑ IPSec is employed to establish virtual private networks (VPNs) among networks across the Internet. IPSec is implemented on end hosts and gateways.
Goals of IPSec
❑ IPSec provides authentication services (verifying the source of an IP packet) by using digital signatures or pre-shared keys.
❑ IPSec prevents replay of old IP packets (also called "man-in-the-middle attacks").
❑ IPSec protects the integrity of IP packets by using hashing algorithms.
❑ IPSec provides data confidentiality by encrypting data.
Components of IPSec
1. Internet Key Exchange (IKE) Protocol: Internet Key Exchange is used to establish a Security Association (SA) between two communicating IPSec devices.
2. Encapsulating Security Payload (ESP): IPSec uses ESP to provide data integrity, encryption, authentication, and anti-replay functions for IPSec VPN.
   ▪ Cisco IPSec implementations use DES, 3DES and AES for data encryption.
3. Authentication Header (AH): IPSec uses AH to provide data integrity, authentication, and anti-replay functions for IPSec VPN.
   ▪ Authentication Header is an authentication-only protocol; it does not provide any data encryption.
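The anti-replay function that both ESP and AH provide is a sliding window over the packet sequence number. The following is an added example, not code from the lecture, showing how a receiver keeps that window: the sequence number is checked before the integrity check value (ICV) is verified, and the window is advanced only after the ICV passes, which is the order RFC 4303 prescribes so that a forged packet can never move the window. The window size of 64 and the packet trace are assumptions made here.

```python
"""Sliding-window anti-replay check of the kind ESP and AH provide.

Added illustration, not the lecture's code.  Window size 64 is an assumption
(the RFC 4303 recommended default; the required minimum is 32).
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("anti-replay window must be at least 32 packets wide")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) already received

    def check(self, seq: int) -> bool:
        """Step 1: decide whether seq could be fresh; does not change any state."""
        if seq == 0:
            return False                            # ESP/AH sequence numbers start at 1
        if seq > self.top:
            return True                             # right of the window: definitely new
        diff = self.top - seq
        if diff >= self.size:
            return False                            # left of the window: too old, reject
        return ((self.bitmap >> diff) & 1) == 0     # inside: new only if its bit is unset

    def update(self, seq: int) -> None:
        """Step 2: record seq; call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                # slide the window right, keeping only bits that stay inside it
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                     # jumped past the whole window
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> str:
        """Receive path for one packet; icv_ok stands in for the real ICV check."""
        if not self.check(seq):
            return "rejected"                       # replayed or too old: dropped before crypto work
        if not icv_ok:
            return "bad-icv"                        # forged or corrupted: dropped, window untouched
        self.update(seq)
        return "accepted"


def replay_demo() -> list:
    """Constructed packet trace: (sequence number, did the ICV verify)."""
    window = AntiReplayWindow()
    trace = [(1, True), (3, True), (2, True),       # in order, then a late arrival
             (3, True),                             # exact replay of seq 3
             (100, True), (36, True), (37, True),   # big jump; 36 falls outside, 37 just inside
             (101, False), (101, True)]             # forged seq 101 first, genuine one after
    return [window.receive(seq, ok) for seq, ok in trace]


if __name__ == "__main__":
    for outcome in replay_demo():
        print(outcome)
```

Note that the late packet with sequence number 2 is still accepted because it lies inside the window and its bit is unset, while the forged packet with sequence number 101 does not advance the window, so the genuine 101 that follows is accepted.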
A Security Association (SA) database
❑ A Security Association (SA) is one of the most important concepts in IPSec, defined in RFC 1825. A Security Association represents a specification of the security services offered to traffic carried through a unidirectional channel from one node to another. SAs are one-way, so a minimum of two SAs are required for a single IPSec connection.
❑ A Security Association can offer either the AH or the ESP service, but not both. Two security associations are necessary to provide both types of services simultaneously. A total of four SAs are required for bi-directional traffic using both AH and ESP.
A Security Association (SA) database cont.
❑ Keying information for IPsec security services is maintained in security association
databases (SADBs). SAs contain parameters including:
▪ Authentication algorithm and algorithm mode
▪ Encryption algorithm and algorithm mode
▪ Key(s) used with the authentication/encryption algorithm(s)
▪ Lifetime of the key
▪ Lifetime of the SA
▪ Source Address(es) of the SA
▪ Sensitivity level (i.e. Secret or Unclassified)
The Security Policy Database (SPD)
❑ The Security Policy Database contains a set of rules that determines whether a packet is subject to IPsec processing and governs the processing details. The SPD selectors include destination IP address, source IP address, user ID, data sensitivity level, transport layer protocol, and source and destination port. Each entry in the SPD represents a policy that defines how the matching set of traffic will be processed. Any inbound or outbound packet is processed in one of three ways: discard, perform IPsec processing, or bypass IPsec processing.
Scenario of IPSec usage
❑ An organization maintains LANs at dispersed locations.
❑ Non-secure IP traffic is conducted on each LAN.
❑ IPSec protocols are used.
❑ These protocols operate in networking devices that connect each LAN to the outside world (router, firewall).
❑ The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN.
[Figure: IP security scenario]
SAD and SPD Example
❑ Consider this example: it is required to protect the Post Office Protocol v3 (POP3) traffic between a mail client node A and a mail server node B. The traffic exchanged between node A and node B needs to be encrypted. In order to apply IPsec to the traffic between the nodes, the SPD and the SAD on both node A and node B need to be set. Two SP entries are needed for the bi-directional exchange between A and B. The SP entries on node A are described by the entries listed in the following table.
Security Policy Database for Node A
Direction                      Outbound        Inbound
Source Address                 Node A          POP server B
Destination Address            POP server B    Node A
Upper Layer Protocol           TCP             TCP
Upper Layer Source Port        Any port        POP3
Upper Layer Destination Port   POP3            Any
IPsec Protocol                 ESP             ESP
Mode                           Transport       Transport
Security Policy Database for Node B
Direction                      Outbound        Inbound
Source Address                 POP server B    Node A
Destination Address            Node A          POP server B
Upper Layer Protocol           TCP             TCP
Upper Layer Source Port        POP3            Any
Upper Layer Destination Port   Any port        POP3
IPsec Protocol                 ESP             ESP
Mode                           Transport       Transport
Security Association Database for Node A
Direction             Outbound                     Inbound
SPI                   1000                         1001
Destination Address   POP server B                 Node A
IPsec Protocol        ESP                          ESP
Algorithm             3DES-CBC                     3DES-CBC
Key                   The secret key from A to B   The secret key from B to A
Mode                  Transport                    Transport
Security parameter index (SPI): a unique identifier generated by the creator of the SA, used to distinguish among the SAs of the IPsec protocol terminating at the same destination node.
Security Association Database for Node B
Direction             Outbound                     Inbound
SPI                   1001                         1000
Destination Address   Node A                       POP server B
IPsec Protocol        ESP                          ESP
Algorithm             3DES-CBC                     3DES-CBC
Key                   The secret key from B to A   The secret key from A to B
Mode                  Transport                    Transport
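The following added example, not code from the lecture, models the SPD and SAD of node A and node B exactly as the four tables above populate them, and walks a packet through both lookups: on the sender the SPD decides discard, bypass or protect and a PROTECT rule then needs an outbound SA for the destination; on the receiver the (SPI, destination, IPsec protocol) triple selects the SA and the decapsulated packet must still satisfy an inbound PROTECT entry. Assumed here, and not on the slides: TCP port 110 for POP3, IP protocol numbers 6 (TCP) and 50 (ESP), placeholder key strings, and a default DISCARD for packets no SPD entry matches (the rule RFC 4301 gives for unmatched traffic).

```python
"""SPD and SAD lookups for the POP3 example: client node A, mail server node B.

Added illustration, not the lecture's code.  Policy entries and SAs (SPIs
1000 and 1001) follow the tables above; ports, protocol numbers, key strings
and the default-discard rule are assumptions made here.
"""
from collections import namedtuple
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

POP3, TCP, ESP = 110, 6, 50
ANY = None                      # wildcard selector value


class Action(Enum):
    DISCARD = "discard"
    BYPASS = "bypass"
    PROTECT = "apply IPsec"


# Selectors of a plaintext packet, and one SAD entry.
Packet = namedtuple("Packet", "src dst proto sport dport")
SA = namedtuple("SA", "spi dst ipsec_proto algorithm key mode")


@dataclass(frozen=True)
class Policy:                   # one SPD entry: selectors plus the required processing
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]
    action: Action
    ipsec_proto: Optional[int] = None
    mode: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
                 (self.sport, p.sport), (self.dport, p.dport))
        return all(want is ANY or want == got for want, got in pairs)


DEFAULT_POLICY = Policy(ANY, ANY, ANY, ANY, ANY, Action.DISCARD)   # unmatched traffic is dropped


class IPsecNode:
    def __init__(self):
        self.spd = {"out": [], "in": []}   # ordered rules, first match wins
        self.sad = {}                      # (SPI, destination, IPsec protocol) -> (direction, SA)

    def add_policy(self, direction: str, policy: Policy) -> None:
        self.spd[direction].append(policy)

    def add_sa(self, direction: str, sa: SA) -> None:
        self.sad[(sa.spi, sa.dst, sa.ipsec_proto)] = (direction, sa)

    def lookup_policy(self, direction: str, pkt: Packet) -> Policy:
        return next((p for p in self.spd[direction] if p.matches(pkt)), DEFAULT_POLICY)

    def outbound(self, pkt: Packet) -> Tuple[Action, Optional[SA]]:
        """Sender side: the SPD decides; a PROTECT rule then needs a matching outbound SA."""
        pol = self.lookup_policy("out", pkt)
        if pol.action is not Action.PROTECT:
            return pol.action, None
        for (_spi, dst, proto), (direction, sa) in self.sad.items():
            if direction == "out" and dst == pkt.dst and proto == pol.ipsec_proto and sa.mode == pol.mode:
                return Action.PROTECT, sa
        return Action.DISCARD, None        # protection required but no SA yet (IKE would negotiate one)

    def inbound(self, spi: int, ipsec_proto: int, inner: Packet) -> Tuple[Action, Optional[SA]]:
        """Receiver side: SPI + destination + protocol select the SA; the inner packet must still match the SPD."""
        entry = self.sad.get((spi, inner.dst, ipsec_proto))   # transport mode: outer dst == inner dst
        if entry is None or entry[0] != "in":
            return Action.DISCARD, None    # unknown SPI: nothing to authenticate or decrypt with
        sa = entry[1]
        pol = self.lookup_policy("in", inner)
        if pol.action is not Action.PROTECT or pol.ipsec_proto != ipsec_proto:
            return Action.DISCARD, sa      # arrived protected, but the SPD did not call for that
        return Action.PROTECT, sa


def build_nodes() -> Tuple[IPsecNode, IPsecNode]:
    """Populate A and B as in the SPD and SAD tables above."""
    a, b = IPsecNode(), IPsecNode()
    a.add_policy("out", Policy("A", "B", TCP, ANY, POP3, Action.PROTECT, ESP, "transport"))
    a.add_policy("in",  Policy("B", "A", TCP, POP3, ANY, Action.PROTECT, ESP, "transport"))
    b.add_policy("out", Policy("B", "A", TCP, POP3, ANY, Action.PROTECT, ESP, "transport"))
    b.add_policy("in",  Policy("A", "B", TCP, ANY, POP3, Action.PROTECT, ESP, "transport"))
    a.add_sa("out", SA(1000, "B", ESP, "3DES-CBC", "KEY_A_TO_B", "transport"))
    a.add_sa("in",  SA(1001, "A", ESP, "3DES-CBC", "KEY_B_TO_A", "transport"))
    b.add_sa("out", SA(1001, "A", ESP, "3DES-CBC", "KEY_B_TO_A", "transport"))
    b.add_sa("in",  SA(1000, "B", ESP, "3DES-CBC", "KEY_A_TO_B", "transport"))
    return a, b


if __name__ == "__main__":
    a, b = build_nodes()
    login = Packet("A", "B", TCP, 40000, POP3)           # constructed client request
    print(a.outbound(login))                             # PROTECT with SPI 1000
    print(b.inbound(1000, ESP, login))                   # PROTECT with SPI 1000
    print(a.outbound(Packet("A", "B", TCP, 40000, 25)))  # no SPD entry for SMTP: DISCARD
```

The SPI is what ties the two databases together: A marks its outbound ESP packets with SPI 1000, and B's inbound SAD entry for (1000, B, ESP) is the only way B can find the key to verify and decrypt them. A packet carrying an SPI B does not know, or protected traffic that no inbound PROTECT entry expects, is discarded rather than bypassed.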
IPSec (Internet Protocol Security)
❑ IPSec can work in one of two modes:
➢ Transport mode, in which the payload of the message is protected.
➢ Tunnel mode, in which the payload and the routing and header information are protected.
Internet Protocol (IP) Review
An IP datagram is of the form:  IP header | Data
Fields of the IP Packet
❑ Version: the version number of the protocol. Version = 4 for IPv4.
❑ Header length: the length of the header in 4-byte words. Header length = 5 if options are not used.
❑ Service type: 3 bits of precedence (rarely used) and 4 bits of QoS representing delay, throughput, reliability, and jitter.
❑ Total length: length in bytes of the header plus data. Maximum size is 65,535 bytes.
❑ Identification, flags, fragment offset: used for fragmentation and reassembly (offset in 8-byte chunks).
❑ Time to live (TTL): originally seconds, now usually a hop count. The source sets it (often 30 is used). Each router must decrement it by at least 1; when it reaches 0 the packet is discarded.
Protocol Field Values
❑ Protocol = 1, ICMP, Internet Control Message Protocol
❑ Protocol = 6, TCP
❑ Protocol = 17, UDP
❑ Protocol = 4, IP in IP encapsulation
❑ Protocol = 8, EGP, Exterior Gateway Protocol
❑ Protocol = 9, IGRP, Interior Gateway Routing Protocol
❑ Protocol = 89, OSPF, Open Shortest Path First Routing Protocol
❑ Protocol = 50, ESP, Encapsulating Security Payload
❑ Protocol = 51, AH, Authentication Header
… more protocols
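The header fields and protocol numbers described above, as an added example that is not code from the lecture: a parser that decodes the IPv4 fixed header field by field, verifies the header checksum, names the protocol (so that an ESP or AH packet is recognised from the value 50 or 51), and a router step that decrements the TTL and discards at 0 as the slide states. The sample packets, the 192.0.2.x addresses and the default TTL of 30 (taken from the slide's remark) are assumptions made here.

```python
"""Parse an IPv4 header, verify its checksum, and apply the router TTL rule.

Added illustration, not the lecture's code.  Sample packets are constructed
in build_ipv4(); the default TTL of 30 follows the slide's "often 30 used".
"""
import ipaddress
import struct
from typing import Optional

# Protocol field values listed on the slides, keyed by number.
PROTOCOL_NAMES = {
    1: "ICMP", 4: "IP-in-IP", 6: "TCP", 8: "EGP", 9: "IGRP",
    17: "UDP", 50: "ESP", 51: "AH", 89: "OSPF",
}
IPV4_HEADER = "!BBHHHBBH4s4s"            # fixed 20-byte header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when an existing checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header; raise ValueError on anything a receiver must reject outright."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    header_len = ihl * 4                     # header length field counts 4-byte words
    if header_len < 20 or header_len > len(packet):
        raise ValueError(f"bad header length {header_len}")
    if total_len < header_len or total_len > len(packet):
        raise ValueError(f"total length {total_len} disagrees with {len(packet)} bytes received")
    return {
        "version": version,
        "header_length": header_len,
        "precedence": tos >> 5,              # 3 precedence bits
        "tos_bits": (tos >> 1) & 0x0F,       # 4 type-of-service bits
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is carried in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"unknown({proto})"),
        "checksum_ok": ipv4_checksum(packet[:header_len]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[header_len:total_len],
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 30) -> bytes:
    """Construct a minimal (no options) IPv4 packet with DF set and a correct checksum."""
    hdr = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def forward(packet: bytes) -> Optional[bytes]:
    """Router step from the slide: drop corrupt headers, decrement TTL, discard at 0, re-checksum."""
    info = parse_ipv4(packet)
    if not info["checksum_ok"] or info["ttl"] <= 1:
        return None
    hl = info["header_length"]
    hdr = bytearray(packet[:hl])
    hdr[8] -= 1                              # TTL is byte 8 of the header
    hdr[10:12] = b"\x00\x00"                 # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[hl:]


if __name__ == "__main__":
    # Constructed ESP packet: payload begins with a 4-byte SPI (1000) and a sequence number.
    esp = build_ipv4("192.0.2.10", "192.0.2.20", 50, b"\x00\x00\x03\xe8\x00\x00\x00\x01" + b"X" * 8)
    info = parse_ipv4(esp)
    print(info["protocol_name"], info["ttl"], info["checksum_ok"])
    print(parse_ipv4(forward(esp))["ttl"])
```

Two checks in parse_ipv4() matter most from a defensive standpoint: the header length and total length are compared against the bytes actually received before any field past the fixed header is touched, and checksum_ok is computed over the whole header including options, so a corrupted or truncated header is reported rather than silently parsed.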
