
COMP3371 Cyber Security

COMP3371 Cyber Security. Richard Henson University of Worcester November 2016. Week 6: Securing LAN data using Firewalls, VPNs, etc. Objectives: Relate Internet security issues to the TCP/IP protocol stack Explain principles of firewalling





Presentation Transcript


  1. COMP3371 Cyber Security Richard Henson University of Worcester November 2016

  2. Week 6: Securing LAN data using Firewalls, VPNs, etc.
     • Objectives:
       • Relate Internet security issues to the TCP/IP protocol stack
       • Explain principles of firewalling
       • Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
       • Explain Internet security solutions that use the principles of a VPN

  3. Security and the OSI layers
     • Simplified TCP/IP model…
       • Levels 1/2/3 combined as network
       • Levels 5/6/7 combined as application
     [Diagram: protocol stack – FTP, SMTP, NFS, DNS, SNMP, HTTP at the application layer; UDP and TCP at the transport layer; IP (network)]

  4. TCP/IP and the Seven Layers
     • TCP (Transmission Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers
       • upper layers interface with TCP to produce the screen display
       • lower layer packets required to interface with hardware to create/convert electrical signals
     • Each layer represents a potential security vulnerability (!)
     [Diagram: screen – application vulnerabilities; TCP – port vulnerabilities; IP – network vulnerabilities; hardware]

  5. Intranet
     • Misunderstood term
       • achieved by organisations using http to share data internally in a www-compatible format
       • Many still call a protected file structure on its own an Intranet… (technically incorrect!)
       • uses secure user authentication
       • uses secure data transmission system
     • Implemented as EITHER:
       • single LAN (domain) with a web server (see diagram)
       • several interconnected LANs (trusted domains)
         • cover a larger geographic area

  6. Extranet
     • An extension of the Intranet beyond organisation boundary to cover selected trusted “links”
       • e.g. customers and business partners
       • uses the public Internet as its transmission system
       • requires authentication to gain access
     • Can provide secure TCP/IP access to:
       • paid research
       • current inventories
       • internal databases
       • any unpublished information

  7. Securing Authentication through Extranets
     • Connected Windows networks?
       • Use Kerberos… ? VPN?
     • BUT…
       • several TCP ports used for authentication when establishing a session…
     • Solution:
       • firewall configuration
       • allows relevant ports to be opened only for “trusted” hosts

  8. Issues in creating an Extranet
     • Public networks…
       • Security handled through appropriate use of secure authentication & transmission technologies…
     • If using the Internet…
       • client-server web applications across different sites
       • BUT security issues need resolving
       • Could use a VPN (Virtual Private Network)
     • Private leased lines between sites do not need to use http, etc.
       • more secure, but expensive (BALANCE)

  9. Unsecured LAN-Internet Connection: Router Only
     [Diagram: INTERNET/EXTERNAL NETWORK – ROUTER (packet navigation, no filtering) – Internal Network]

  10. An Unsecured LAN-Internet Connection via Router
     [Diagram: packets pass through the router unchanged at Layer 3, routed by IP address tables; Layers 2 and 1 shown on either side of the router]

  11. Securing Sharing of Data through Extranets
     • One solution: Extranet client uses the web server & browser for user interaction
       • secure level 7 application layer www protocols developed
         • https: ensure that pages are only available to authenticated users
         • SSH (Secure Shell): secure download of files
       • secure level 4 transport (TLS) protocol to restrict use of IP navigation to only include secure sites
     • Relevant firewall ports should be opened
       • Port 22 if SSH data
       • Port 443 if TCP data sent using https (secure http)
       • Port 1723 if data sent as packets using VPN (later…)

  12. The Internet generally uses IP - HOW can data be secured? 2016: more than a billion hosts!

  13. Securing the Extranet
     • Problem:
       • IP protocol sends packets off in different directions according to:
         • destination IP address
         • routing data
       • packets can be intercepted/redirected
       • What about penetration through other protocols, working at different OSI layers?
     • VPN controls the path of packets
       • routed through IP addresses of secure servers

  14. Other Secure level 7 protocols
     • More about SSH
       • SSH-1 1995, University of Helsinki, secure file transfer
       • uses TCP port 22
       • runs on a variety of platforms
     • Enhanced version SSH-2
       • using the PKI
       • including digital certificates
       • RFC 4252 – recent, 2006

  15. Creating a “Secure Site”?
     • To put it bluntly…
       • a LAN that provides formidable obstacles to potential hackers
       • keeps a physical barrier between local server and the internet
       • linked through an intermediate computer called a Firewall or Proxy Server
     • Restrictions on access
       • security provided by authentication between level 4 & 7

  16. Lower OSI layers security (Stage 1)
     • Simple Firewall…
       • packet filtering by header IP address
         • fooled by “IP spoofing”
       • TCP port filtering – data associated with blocked ports filtered out
         • TCP port also held in packet header

  17. Unsecured LAN-Internet Connection: Firewall
     [Diagram: INTERNET/EXTERNAL NETWORK – FIREWALL (packet filtering) – Internal Network]

  18. Firewall Configuration
     • Firewall blocks data via TCP port (logical)
       • each application protocol connects to TCP through its own port
       • all ports blocked… no data gets through
       • unless (lol!) … https://www.youtube.com/watch?v=doAnB5_eDnw
     • Configuration…
       • includes which ports to block as well as which IP addresses to block…
       • Includes auditing of packets
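The filtering described on slides 16 and 18 (block everything, open specific ports for specific addresses, log what was decided) can be modelled as an ordered rule list with a default deny. The following is an added example written for this page, not code from the lecture: the rule set, the internal and partner address ranges, and the sample packets are all constructed, using the documentation ranges from RFC 5737 and RFC 1918. The first rule is the check slide 16 hints at: a packet arriving from the Internet that claims an internal source address is spoofed and is dropped before any port rule is consulted.

```python
"""Stateless packet filter with default deny, as described on slides 16 and 18.

Added example, not the lecture's code. Rules, addresses and packets are
constructed sample data (RFC 1918 / RFC 5737 ranges), not real traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source address from the IP header (set by the sender, hence spoofable)
    dst: str      # destination address from the IP header
    proto: str    # "tcp" or "udp"
    dport: int    # destination port from the TCP/UDP header


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src_net: str          # CIDR the source address must fall in
    proto: str            # transport protocol the rule applies to
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ip_address(pkt.src) in ip_network(self.src_net)
                and (self.dport is None or self.dport == pkt.dport))


# Evaluated top to bottom; the first match wins; no match falls through to default deny.
# The hypothetical site allows https from anywhere, and ssh (22) and PPTP (1723)
# only from a partner network. The first two rules are anti-spoofing checks: a
# packet arriving from the Internet must never claim an address from the internal LAN.
INTERNAL_LAN = "192.168.1.0/24"   # constructed internal range
PARTNER_NET = "203.0.113.0/24"    # constructed partner range
RULES: List[Rule] = [
    Rule("deny", INTERNAL_LAN, "tcp", None),
    Rule("deny", INTERNAL_LAN, "udp", None),
    Rule("allow", "0.0.0.0/0", "tcp", 443),
    Rule("allow", PARTNER_NET, "tcp", 22),
    Rule("allow", PARTNER_NET, "tcp", 1723),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for one inbound packet on the external interface."""
    for rule in rules:
        if rule.matches(pkt):
            port = "any" if rule.dport is None else str(rule.dport)
            return rule.action, f"matched {rule.action} {rule.src_net} {rule.proto}/{port}"
    return "deny", "default deny (no rule matched)"


def audit(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """One log line per packet: the auditing of packets that slide 18 mentions."""
    lines = []
    for pkt in packets:
        action, reason = evaluate(pkt, rules)
        lines.append(f"{action.upper():5} {pkt.proto}/{pkt.dport:<5} {pkt.src} -> {pkt.dst}  [{reason}]")
    return lines


if __name__ == "__main__":
    sample = [  # constructed packets
        Packet("198.51.100.7", "192.168.1.5", "tcp", 443),   # web client anywhere: allowed
        Packet("198.51.100.7", "192.168.1.5", "tcp", 22),    # ssh from a non-partner: default deny
        Packet("203.0.113.9", "192.168.1.5", "tcp", 22),     # ssh from the partner range: allowed
        Packet("192.168.1.9", "192.168.1.5", "tcp", 443),    # claims an internal source: spoofed, denied
        Packet("198.51.100.7", "192.168.1.5", "udp", 443),   # wrong transport protocol: default deny
    ]
    print("\n".join(audit(sample)))
```

Note what the filter cannot do: it trusts the source address in the header for the partner rules, which is exactly the weakness slide 16 calls "IP spoofing". The anti-spoofing rules only catch forged internal addresses; a forged partner address passes, which is why the lecture moves on to authentication at higher layers and to VPNs.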

  19. An Unsecured LAN-Internet Connection via Firewall
     • IP filtering slows down packet flow…
       • may not be necessary? Risk?
     • Also…
       • request by a LAN client for Internet data across a router reveals the client IP address
         • generally a desired effect….
         • “local” IP address must be recorded on the remote server
         • picks up required data & returns it via the router and server to the local IP address
       • problem – could be intercepted, and future data to that IP address may not be so harmless…

  20. An Unsecured LAN-Internet Connection via Router
     • Another problem: wrath of IANA
       • IP address awarding & controlling body
       • big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated…
     • Safeguard:
       • use DHCP (dynamic host configuration protocol)
       • allocate client IP from within a fixed range allocated to that domain by IANA

  21. A LAN-Internet connection via Gateway
     [Diagram: INTERNET/EXTERNAL NETWORK (e.g. TCP/IP) – GATEWAY (packet conversion) – Internal Network (local protocol)]

  22. A LAN-Internet connection via Gateway
     • At a gateway, processing can be at higher OSI levels:
       • >= level 4
     • Local packets converted into other formats…
       • remote network does not have direct access to the local machine
       • IP packets only recreated at the desktop
       • local client IP addresses therefore do not need to comply with IANA allocations

  23. A LAN-Internet connection via Proxy Server
     [Diagram: INTERNET/EXTERNAL NETWORK (e.g. TCP/IP) – Proxy Server (local IP addresses) – Internal Network (local protocol)]

  24. The Proxy Server
     • Acts like a Gateway in some respects:
       • provides physical block between external and internal networks
     • But can still use the same protocol (e.g. TCP/IP), and can cache web pages for improved performance
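Slides 19 to 24 contrast a bare router, which exposes each client's address to the remote server, with a gateway or proxy that terminates the connection itself. The connection table below is an added example written for this page, not the lecture's code or any product's implementation: it shows the remote server seeing only the proxy's public address, the internal addresses being private ones that never appear on the Internet (so they need no IANA allocation), and an unsolicited inbound packet with no matching outbound flow being dropped rather than delivered to a LAN client, which is the interception concern raised on slide 19. The `ProxyGateway` class, its port range and all addresses are constructed.

```python
"""Proxy/gateway connection table, illustrating slides 19 to 24.

Added example, not the lecture's code. Addresses are constructed
(RFC 1918 internal range, RFC 5737 public ranges), not real hosts.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


class ProxyGateway:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip          # the only address the outside ever sees
        self._next_port = first_port
        # public port -> (client endpoint, remote endpoint) for each live flow
        self._by_public_port: Dict[int, Tuple[Endpoint, Endpoint]] = {}
        # (client endpoint, remote endpoint) -> public port, so a flow reuses its mapping
        self._by_flow: Dict[Tuple[Endpoint, Endpoint], int] = {}

    def outbound(self, client: Endpoint, remote: Endpoint) -> Dict[str, Endpoint]:
        """Rewrite a LAN client's request so the remote server sees only the proxy."""
        flow = (client, remote)
        if flow not in self._by_flow:
            port = self._next_port
            self._next_port += 1
            self._by_flow[flow] = port
            self._by_public_port[port] = flow
        return {"src": (self.public_ip, self._by_flow[flow]), "dst": remote}

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Dict[str, Endpoint]]:
        """Map a reply back to its client; anything without a matching flow is dropped (None)."""
        flow = self._by_public_port.get(public_port)
        if flow is None or flow[1] != remote:
            return None              # unsolicited, or from a server the client never contacted
        client, _ = flow
        return {"src": remote, "dst": client}

    def active_flows(self) -> int:
        return len(self._by_flow)


if __name__ == "__main__":
    gw = ProxyGateway("198.51.100.1")                              # constructed public address
    out = gw.outbound(("192.168.1.10", 51000), ("203.0.113.20", 443))
    print("remote server sees request from", out["src"])           # proxy address, not 192.168.1.10
    back = gw.inbound(("203.0.113.20", 443), 40000)
    print("reply delivered to LAN client", back["dst"])
    print("unsolicited packet forwarded?", gw.inbound(("203.0.113.99", 443), 40000))  # None
```

The table is what makes the proxy "a more flexible solution than a firewall" in the sense of the week's objectives: the decision to forward an inbound packet is based on whether a client asked for it, not only on which port or address it carries.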

  25. VPNs (Virtual Private Networks)
     • Two pronged defence:
       • physically keeping the data away from unsecured servers…
         • several protocols available for sending packets along a pre-defined route
       • data encapsulated and encrypted so it appears to travel as if on a point-point link but is still secure even if intercepted
     • Result: secure system with pre-determined pathways for all packets

  26. VPNs: OSI levels 1-3: restricted use of the Physical Internet
     [Diagram: VPN shown in green]

  27. Principles of VPN protocols
     • The tunnel - where the private data is encapsulated (or “wrapped”)
     • The VPN connection interfaces - where the private data is encrypted before entering the tunnel (and vice versa)

  28. Principles of VPN protocols
     • Emulate a point-to-point link:
       • data encapsulated
         • with header
           • provides routing information
           • allows packets to traverse the shared public network to its endpoint
     • To emulate a private link:
       • data encrypted for confidentiality
       • Any packets intercepted on the shared public network are indecipherable without the encryption keys…
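Slides 25, 27 and 28 describe the two halves of a VPN packet: an outer header that routes between the two tunnel endpoints, and an encrypted inner packet that carries the private addresses and data. The code below is an added example for this page, not the lecture's code and not the wire format of IPsec, PPTP or L2TP. To stay within the Python standard library it builds a counter-mode keystream from HMAC-SHA256 and adds an encrypt-then-MAC tag; a real tunnel would use an authenticated cipher such as AES-GCM. The keys, gateway addresses and inner packet are constructed values. `observer_view` shows what someone on the shared public network can read, and the tampering check shows the packet being dropped when the ciphertext or the outer header is altered.

```python
"""VPN tunnel encapsulation: wrap, encrypt, authenticate, unwrap (slides 25, 27, 28).

Added example, not the lecture's code and not any real VPN protocol's format.
Cipher: HMAC-SHA256 counter-mode keystream plus encrypt-then-MAC tag, chosen so
the example runs on the standard library alone. Keys and addresses are constructed.
"""
import hashlib
import hmac
import json
import os
import struct
from typing import Any, Dict, Optional

ENC_KEY = hashlib.sha256(b"constructed-encryption-key").digest()  # constructed demo key
MAC_KEY = hashlib.sha256(b"constructed-integrity-key").digest()   # constructed demo key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner: Dict[str, Any], gw_src: str, gw_dst: str,
                nonce: Optional[bytes] = None) -> Dict[str, Any]:
    """Encrypt the private packet and wrap it in an outer header addressed gateway to gateway."""
    nonce = nonce if nonce is not None else os.urandom(16)  # fresh per packet; never reuse with one key
    plaintext = json.dumps(inner, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(ENC_KEY, nonce, len(plaintext)))
    outer = f"{gw_src}>{gw_dst}".encode()
    # the tag covers the outer header too, so re-addressing the packet in transit is detected
    tag = hmac.new(MAC_KEY, outer + nonce + ciphertext, hashlib.sha256).digest()
    return {"outer_src": gw_src, "outer_dst": gw_dst, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def decapsulate(pkt: Dict[str, Any]) -> Dict[str, Any]:
    """Verify the tag first; only then decrypt and hand the private packet to the LAN."""
    outer = f"{pkt['outer_src']}>{pkt['outer_dst']}".encode()
    expected = hmac.new(MAC_KEY, outer + pkt["nonce"] + pkt["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt["tag"]):
        raise ValueError("tunnel packet failed integrity check; dropped")
    plaintext = _xor(pkt["ciphertext"], _keystream(ENC_KEY, pkt["nonce"], len(pkt["ciphertext"])))
    return json.loads(plaintext.decode())


def observer_view(pkt: Dict[str, Any]) -> Dict[str, Any]:
    """What someone on the shared public network can read without the keys."""
    return {"src": pkt["outer_src"], "dst": pkt["outer_dst"], "length": len(pkt["ciphertext"])}


if __name__ == "__main__":
    private = {"src": "192.168.1.10", "dst": "192.168.2.20", "payload": "quarterly inventory"}  # constructed
    tunnelled = encapsulate(private, "198.51.100.1", "203.0.113.1")   # constructed gateway addresses
    print("on the public network:", observer_view(tunnelled))
    print("at the far gateway:  ", decapsulate(tunnelled))
    flipped = bytes([tunnelled["ciphertext"][0] ^ 1]) + tunnelled["ciphertext"][1:]
    try:
        decapsulate(dict(tunnelled, ciphertext=flipped))
    except ValueError as err:
        print("tampered packet:", err)
```

The observer sees only the two gateway addresses and a length: the internal source and destination addresses and the payload exist in the clear only on the LANs at either end, which is the point of slide 28's "emulate a private link". Slide 32's warning follows directly: any hop before `encapsulate` or after `decapsulate` is outside this protection.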

  29. Using a VPN as part of an Extranet

  30. Using a VPN for point-to-point

  31. Using a VPN to connect a remote computer to a Secured Network

  32. Potential weakness of the VPN
     • Once the data is encrypted and in the tunnel it is very secure
     • BUT watch for gaps…
       • if any part of that journey is outside the tunnel…
         • e.g. network path to an outsourced VPN provider
       • scope for security breaches

  33. VPN-related protocols offering even greater Internet security
     • Two possibilities are available for creating a secure VPN:
       • Layer 3:
         • IPsec – fixed point routing protocol
       • Layer 2 “tunnelling” protocols
         • encapsulate the data within other data before converting it to binary data:
           • PPTP (Point-to-Point Tunnelling Protocol)
           • L2TP (Layer 2 Tunnelling Protocol)

  34. IPsec
     • First VPN system
       • defined by IETF RFC 2401
       • uses ESP (Encapsulating Security Payload) at the IP packet level
     • IPsec provides security services at the IP layer by:
       • enabling a system to select required security protocols (ESP possible with a number of encryption protocols)
       • determining the algorithm(s) to use for the chosen service(s)
       • putting in place any cryptographic keys required to provide the requested services

  35. More about IPSec in practice
     • Depends on PKI for authentication
       • both ends must be IPSec compliant, but not the various network systems that may be between them…
     • Can therefore be used to protect paths between
       • a pair of hosts
       • a pair of security gateways
       • a security gateway and a host
     • Can work with IPv4 and IPv6

  36. Layer 2 Security: PPTP, L2TP
     • Microsoft: PPTP
     • CISCO L2F (layer 2 forwarding)
     • Combine to create L2TP
       • IPSec optional:
     • Advantages of L2TP:
       • can use PPP authentication and access controls (PAP and CHAP!)
       • uses NCP to handle remote address assignment of remote client
       • no IPSec, no overhead of reliance on PKI
