COMP3371 Cyber Security Richard Henson University of Worcester November 2016
Week 6: Securing LAN data using Firewalls, VPNs, etc. • Objectives: • Relate Internet security issues to the TCP/IP protocol stack • Explain principles of firewalling • Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall • Explain Internet security solutions that use the principles of a VPN
Security and the OSI layers • Simplified TCP/IP model… • Levels 1/2/3 combined as network • Levels 5/6/7 combined as application • [Diagram: application protocols FTP, SMTP, NFS, DNS, SNMP, HTTP running over UDP or TCP, which in turn run over IP (network)]
TCP/IP and the Seven Layers • TCP (Transmission Control Protocol) and IP (Internet Protocol) make up only part of the seven layers (layer 4 and layer 3 respectively) • upper layers interface with TCP to produce the screen display • lower layers put packets into frames and interface with the hardware to create/convert electrical signals • Each layer represents a potential security vulnerability (!) • [Diagram: screen/application (application vulnerabilities) – TCP (port vulnerabilities) – IP (network vulnerabilities) – hardware]
Intranet • Misunderstood term • achieved by organisations using http to share data internally in a www-compatible format • Many still call a protected file structure on its own an Intranet… (technically incorrect!) • uses secure user authentication • uses secure data transmission system • Implemented as EITHER: • single LAN (domain) with a web server (see diagram) • several interconnected LANs (trusted domains) • cover a larger geographic area
Extranet • An extension of the Intranet beyond organisation boundary to cover selected trusted “links” • e.g. customers and business partners • uses the public Internet as its transmission system • requires authentication to gain access • Can provide secure TCP/IP access to: • paid research • current inventories • internal databases • any unpublished information
Securing Authentication through Extranets • Connected Windows networks? • Use Kerberos… ? VPN? • BUT… • several TCP and UDP ports are used for authentication when establishing a session (Kerberos itself on port 88, plus the LDAP and SMB/RPC ports a Windows domain logon needs)… • Solution: • firewall configuration • allows the relevant ports to be opened only for “trusted” hosts • a filter that trusts a source address alone can be fooled by spoofing, so the authentication behind those ports still matters
Issues in creating an Extranet • Public networks… • Security handled through appropriate use of secure authentication & transmission technologies… • If using the Internet… • client-server web applications across different sites • BUT security issues need resolving • Could use a VPN (Virtual Private Network) • Private leased lines between sites do not need to use http, etc. • more secure, but expensive (BALANCE)
Unsecured LAN-Internet Connection: Router Only • [Diagram: Internet/external network – router (packet navigation, no filtering) – internal network]
An Unsecured LAN-Internet Connection via Router • [Diagram: the router works at layer 3; layers 1 and 2 are terminated on each side; data passes through unchanged, routed by IP address tables]
Securing Sharing of Data through Extranets • One solution: Extranet client uses the web server & browser for user interaction • secure level 7 application layer www protocols developed • https: http carried over TLS, so page content and credentials are encrypted in transit and the server is authenticated; pages can then be restricted to authenticated users • SSH (secure shell): secure remote login and file transfer (SCP/SFTP) • TLS itself sits between the transport (level 4) and application layers and provides the encrypted, server-authenticated session that https rides on • Relevant firewall ports should be opened • Port 22 for SSH • Port 443 for https (http over TLS) • TCP port 1723 (plus GRE, IP protocol 47) for a PPTP VPN (later…)
The Internet generally uses IP - HOW can data be secured? 2016: more than a billion hosts!
Securing the Extranet • Problem: • IP protocol sends packets off in different directions according to: • destination IP address • routing data • packets can be intercepted/redirected en route • What about penetration through other protocols, working at different OSI layers? • A VPN does not pin down the physical route, but every packet is addressed to the VPN gateway of the secure site and encrypted before it leaves • intercepting it on the way therefore yields nothing readable
Other Secure level 7 protocols • More about SSH • SSH-1: 1995, Helsinki University of Technology; secure remote login and file transfer, replacing telnet/rlogin/rcp • uses TCP port 22 • runs on a variety of platforms • Enhanced version SSH-2 • public-key authentication of the server (host keys) and optionally of the user; certificates (X.509 or OpenSSH-style) can be layered on top but are not required • standardised by the IETF in 2006 as RFC 4251–4254; RFC 4252 is the user authentication protocol
Creating a “Secure Site”? • To put it bluntly… • a LAN that provides formidable obstacles to potential attackers • keeps a barrier between local servers and the Internet: there is no direct route, only a choke point • linked through an intermediate computer called a Firewall or Proxy Server • Restrictions on access • security provided by authentication between level 4 & 7
Lower OSI layers security (Stage 1) • Simple (stateless) Firewall… • packet filtering by the source/destination IP address in the IP header • fooled by “IP spoofing”: the source address is whatever the sender chooses to write in it • TCP/UDP port filtering – packets for blocked ports are dropped • the port numbers are held in the transport-layer header, also visible to the filter
LAN-Internet Connection: Firewall • [Diagram: Internet/external network – firewall (packet filtering) – internal network]
Firewall Configuration • Firewall blocks data by TCP/UDP port (logical) • each application protocol connects to TCP/UDP on a well-known port, so blocking the port blocks the application • all ports blocked… no data gets through (default deny) • unless (lol!) … https://www.youtube.com/watch?v=doAnB5_eDnw • Configuration… • includes which ports to open (everything else stays blocked) as well as which IP addresses to allow or block… • Includes auditing (logging) of packets, so that accepted and rejected traffic can be reviewed
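The filtering described on the last three slides (IP address and port rules, default deny, auditing, and the IP-spoofing weakness) as an added worked example in Python. This is not code from the lecture; the LAN range 192.168.1.0/24, the "trusted partner" host 203.0.113.10 and the rule set are assumptions chosen for illustration, and the sample packets are constructed, not captured.

```python
# Added example: a toy stateless packet filter of the kind the slide describes.
# Rules match on the IP-header source address and the transport-header
# destination port; first match wins and anything unmatched is dropped
# (default deny). Addresses and the rule set are assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN address range
TRUSTED_PARTNER = "203.0.113.10/32"                     # assumed extranet partner host


@dataclass(frozen=True)
class Packet:
    iface: str   # "ext" = arrived from the Internet side, "int" = from the LAN side
    proto: str   # "tcp" or "udp"
    src: str     # source address as written in the IP header (sender-controlled)
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the packet's source address must fall inside
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return self.dport is None or self.dport == pkt.dport


# Only https and SSH are open to the world; the Kerberos (88) and LDAP (389)
# ports needed for domain authentication are opened only for the trusted host.
RULES: List[Rule] = [
    Rule("allow", "tcp", dport=443),
    Rule("allow", "tcp", dport=22),
    Rule("allow", "tcp", TRUSTED_PARTNER, 88),
    Rule("allow", "udp", TRUSTED_PARTNER, 88),
    Rule("allow", "tcp", TRUSTED_PARTNER, 389),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet.

    The anti-spoofing check catches the one forgery a stateless filter *can*
    detect: a packet arriving from the Internet that claims an internal source.
    A forged *external* address (e.g. the trusted partner's) is indistinguishable
    from the real thing at this layer, which is why opening ports for "trusted"
    hosts must be backed by authentication at layers 4-7.
    """
    if pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "deny", "spoofed internal source on external interface"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, f"rule {rule.proto} {rule.src} dport={rule.dport}"
    return "deny", "default deny"


# Constructed sample traffic (not captured data).
SAMPLE: List[Packet] = [
    Packet("ext", "tcp", "198.51.100.7", "192.168.1.5", 443),   # any client, https
    Packet("ext", "tcp", "198.51.100.7", "192.168.1.5", 88),    # stranger probing Kerberos
    Packet("ext", "tcp", "203.0.113.10", "192.168.1.5", 88),    # trusted partner, Kerberos
    Packet("ext", "tcp", "203.0.113.10", "192.168.1.5", 389),   # forged partner address: still passes
    Packet("ext", "udp", "192.168.1.9", "192.168.1.5", 53),     # internal address from outside
]


def audit(packets: List[Packet] = SAMPLE) -> List[str]:
    """One log line per packet: the 'auditing of packets' a firewall keeps."""
    lines = []
    for p in packets:
        verdict, why = filter_packet(p)
        lines.append(f"{verdict.upper():5} {p.proto} {p.src} -> {p.dst}:{p.dport} [{why}]")
    return lines


if __name__ == "__main__":
    print("\n".join(audit()))
```

The fourth sample packet is the point of the slide: an attacker who writes the partner's address into the IP header gets exactly the same verdict as the partner, and the audit log cannot tell the two apart. Only a stateful filter (tracking the TCP handshake) or the authentication behind the opened port can.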
An Unsecured LAN-Internet Connection via Firewall • IP filtering slows down packet flow… • may not be necessary? Risk? • Also… • a request by a LAN client for Internet data across a plain router reveals the client's IP address • generally a desired effect…. • the “local” IP address must be recorded on the remote server so that it can reply • the server picks up the required data & returns it via the router to the local IP address • problem – the address can be intercepted/harvested, and future data sent to that IP address may not be so harmless: with nothing in the way, an outsider can send packets directly to the internal host…
An Unsecured LAN-Internet Connection via Router • Another problem: address conflicts • IANA (and the regional registries) allocate the public IP address space • if an internal LAN address duplicates a public address allocated to someone else, routing breaks: packets for the real host may be delivered locally, and the outside host becomes unreachable • Safeguard: • use the private address ranges IANA reserves for internal use (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which are never routed on the public Internet • use DHCP (dynamic host configuration protocol) to allocate each client an address from that fixed range
A LAN-Internet connection via Gateway • [Diagram: Internet/external network (e.g. TCP/IP) – gateway (packet conversion) – internal network (local protocol)]
A LAN-Internet connection via Gateway • At a gateway, processing can be at higher OSI levels: • >= level 4 • Local packets are converted into other formats (or, with NAT, rewritten so that they carry the gateway's own address)… • remote network does not have direct access to the local machine: it only ever talks to the gateway • IP packets for the local addresses are only recreated on the desktop side • local client IP addresses therefore do not need to be publicly routable addresses allocated by IANA; the private ranges can be used
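The address-hiding property of the gateway slide, and the "future data to that IP address" risk of the router slides, as an added worked example in Python modelling a NAT gateway (the commonest form of the packet conversion described). This is not code from the lecture; the gateway's public address 198.51.100.1, the LAN range 192.168.1.0/24 and the remote server 203.0.113.80 are assumptions, and all traffic in it is constructed.

```python
# Added example: a minimal NAT gateway. Internal hosts use private (RFC 1918)
# addresses; the remote server only ever sees the gateway's one public address,
# and nothing reaches an internal host unless it answers a flow that host opened.
# The addresses below are assumptions for illustration.
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed private LAN range
PUBLIC_IP = "198.51.100.1"                     # assumed public address of the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class NatGateway:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (src, sport, dst, dport) -> translated public source port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (src, sport, dst, dport) of the flow that owns it
        self.in_table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet so that it leaves carrying the gateway's address."""
        if ipaddress.ip_address(pkt.src) not in LAN:
            raise ValueError(f"{pkt.src} is not an internal address")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port          # one public port per internal flow
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet from the Internet back to the internal host, or drop it.

        Only replies matching an existing outbound flow (same remote address and
        port, arriving on the port we allocated) are forwarded. An unsolicited
        packet aimed at an internal host has no mapping and is silently dropped,
        so a harvested internal address is of no use to an outsider.
        """
        if pkt.dst != self.public_ip:
            return None
        flow = self.in_table.get(pkt.dport)
        if flow is None or (pkt.src, pkt.sport) != (flow[2], flow[3]):
            return None
        return replace(pkt, dst=flow[0], dport=flow[1])


def demo() -> Dict[str, object]:
    """Constructed traffic: two LAN hosts happen to reuse the same source port."""
    gw = NatGateway()
    remote = "203.0.113.80"                                  # assumed extranet web server
    a_out = gw.outbound(Packet("192.168.1.5", 51000, remote, 443, b"GET /inventory"))
    b_out = gw.outbound(Packet("192.168.1.6", 51000, remote, 443, b"GET /research"))
    reply_to_a = gw.inbound(Packet(remote, 443, PUBLIC_IP, a_out.sport, b"200 OK"))
    stray = gw.inbound(Packet("203.0.113.66", 443, PUBLIC_IP, a_out.sport))  # wrong peer
    unsolicited = gw.inbound(Packet(remote, 443, PUBLIC_IP, 40999))          # no such flow
    return {"a_out": a_out, "b_out": b_out, "reply_to_a": reply_to_a,
            "stray": stray, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

Both outbound packets leave with source 198.51.100.1 and distinct public ports, so the remote server records only the gateway; the reply is mapped back to 192.168.1.5 by port, and the two packets that match no flow are dropped before they can reach any internal machine.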
A LAN-Internet connection via Proxy Server • [Diagram: Internet/external network (e.g. TCP/IP) – proxy server (local IP addresses) – internal network (local protocol)]
The Proxy Server • Acts like a Gateway in some respects: • provides a block between external and internal networks: the client's connection terminates at the proxy, which opens its own connection to the remote server on the client's behalf • But can still use the same protocol (e.g. TCP/IP) on both sides, can apply application-level rules (e.g. which URLs may be fetched), and can cache web pages for improved performance
VPNs (Virtual Private Networks) • Two pronged defence: • keeping the data away from untrusted intermediate systems: it travels only inside a tunnel between the two VPN endpoints… • several protocols available for carrying packets through that tunnel • data encapsulated and encrypted so it appears to travel as if on a point-point link, and stays secure even if intercepted • Result: a system in which every packet follows the same protected path between the endpoints
VPNs: OSI levels 1-3: restricted use of the Physical Internet • [Diagram: VPN tunnel across the Internet, shown in green]
Principles of VPN protocols • The tunnel – where the private data is encapsulated (or “wrapped”) • The VPN connection interfaces (endpoints) – where the private data is encrypted before entering the tunnel, and decrypted on leaving it
Principles of VPN protocols • Emulate a point-to-point link: • data encapsulated • with header • provides routing information • allows packets to traverse the shared public network to its endpoint • To emulate a private link: • data encrypted for confidentiality • Any packets intercepted on the shared public network are indecipherable without the encryption keys…
Using a VPN to connect a remote computer to a Secured Network
Potential weakness of the VPN • Once the data is encrypted and in the tunnel it is very secure • BUT watch for gaps… • if any part of that journey is outside the tunnel… • e.g. the unprotected network path between the organisation and an outsourced VPN provider's endpoint • scope for security breaches
VPN-related protocols offering even greater Internet security • Two possibilities are available for creating a secure VPN: • Layer 3: • IPsec – authenticates and encrypts IP packets themselves between two fixed endpoints (hosts or security gateways); not a routing protocol • Layer 2 “tunnelling” protocols • encapsulate PPP frames inside IP packets, so a dial-up-style link can be carried across the Internet: • PPTP (Point-to-Point Tunnelling Protocol) • L2TP (Layer 2 Tunnelling Protocol)
IPsec • The original IETF standard for network-layer VPNs • originally defined by RFC 2401 (1998), revised as RFC 4301 (2005) • uses ESP (Encapsulating Security Payload) at the IP packet level for confidentiality and integrity; AH (Authentication Header) gives integrity only • IPsec provides security services at the IP layer by: • enabling a system to select the required security protocols (ESP with a choice of encryption and integrity algorithms) • determining the algorithm(s) to use for the chosen service(s) • putting in place any cryptographic keys required to provide the requested services (negotiated by IKE, the Internet Key Exchange)
More about IPsec in practice • Endpoints authenticate each other (via IKE) using pre-shared keys or PKI certificates • both ends must be IPsec compliant, but not the various network systems that may be between them… • Can therefore be used to protect paths between • a pair of hosts • a pair of security gateways • a security gateway and a host • Can work with IPv4 and IPv6 • Two modes: transport mode protects just the payload between two hosts; tunnel mode wraps the whole original packet inside a new one, which is what gateway-to-gateway VPNs use
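The tunnelling principle from the "Principles of VPN protocols" slides (encapsulate with a routing header, encrypt for confidentiality) and the ESP packet structure from the IPsec slides, as one added worked example in Python. It is not code from the lecture and not a standards-conformant ESP implementation: the outer header is simplified, the keystream is an HMAC-SHA256 counter construction used only so the example runs with the standard library (a real SA would negotiate an AES transform via IKE), and the gateway addresses, SPI and keys are assumptions. The "inner packet" is a constructed byte string standing in for an IP packet.

```python
# Added example: tunnel-mode encapsulation in the style of IPsec ESP, built
# from the standard library only. The inner packet is wrapped, encrypted and
# integrity-protected, then carried between two gateways in an outer packet
# whose header names only the gateways. Keys, SPI and addresses are assumed.
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

ESP_PROTO = 50                       # IP protocol number of ESP
ICV_LEN = 16                         # 128-bit truncated HMAC, as HMAC-SHA-256-128 does
OUTER_HDR = struct.Struct("!4s4sB")  # simplified outer header: src, dst, protocol
ESP_HDR = struct.Struct("!II")       # SPI, sequence number


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Illustrative counter-mode keystream (not a standard transform).
    (spi, seq) must never repeat under one key, which the sequence number ensures."""
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class SecurityAssociation:
    spi: int
    enc_key: bytes
    auth_key: bytes
    local: str          # this gateway's public address
    peer: str           # the other gateway's public address
    send_seq: int = 0
    recv_last: int = 0  # highest sequence number accepted (simple anti-replay)

    def encapsulate(self, inner: bytes, next_header: int = 4) -> bytes:
        """Wrap an inner packet: outer header | SPI | seq | ciphertext | ICV."""
        self.send_seq += 1
        pad_len = (-(len(inner) + 2)) % 4  # ESP aligns the trailer to 4 bytes
        plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        esp_hdr = ESP_HDR.pack(self.spi, self.send_seq)
        ciphertext = _xor(plaintext, _keystream(self.enc_key, self.spi, self.send_seq, len(plaintext)))
        icv = hmac.new(self.auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        outer = OUTER_HDR.pack(ipaddress.ip_address(self.local).packed,
                               ipaddress.ip_address(self.peer).packed, ESP_PROTO)
        return outer + esp_hdr + ciphertext + icv

    def decapsulate(self, packet: bytes) -> bytes:
        """Check ICV and sequence number first, then decrypt and strip the trailer."""
        src, dst, proto = OUTER_HDR.unpack_from(packet)
        if proto != ESP_PROTO or str(ipaddress.ip_address(dst)) != self.local \
                or str(ipaddress.ip_address(src)) != self.peer:
            raise ValueError("not an ESP packet from our peer to this gateway")
        body = packet[OUTER_HDR.size:]
        esp_hdr, ciphertext, icv = body[:ESP_HDR.size], body[ESP_HDR.size:-ICV_LEN], body[-ICV_LEN:]
        spi, seq = ESP_HDR.unpack(esp_hdr)
        expected = hmac.new(self.auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        if spi != self.spi or not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        if seq <= self.recv_last:
            raise ValueError("replayed or out-of-order sequence number")
        self.recv_last = seq
        plaintext = _xor(ciphertext, _keystream(self.enc_key, spi, seq, len(ciphertext)))
        pad_len, _next_header = plaintext[-2], plaintext[-1]
        return plaintext[: len(plaintext) - 2 - pad_len]


def observer_view(packet: bytes) -> Dict[str, object]:
    """What someone sniffing the public network can read without the keys."""
    src, dst, proto = OUTER_HDR.unpack_from(packet)
    spi, seq = ESP_HDR.unpack_from(packet, OUTER_HDR.size)
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "spi": spi, "seq": seq, "len": len(packet)}


def make_gateways() -> Tuple[SecurityAssociation, SecurityAssociation]:
    """One SA shared by two gateways; the keys would normally come from IKE."""
    enc, auth = b"\x11" * 32, b"\x22" * 32  # assumed keys, for illustration only
    a = SecurityAssociation(0x1001, enc, auth, local="198.51.100.1", peer="203.0.113.1")
    b = SecurityAssociation(0x1001, enc, auth, local="203.0.113.1", peer="198.51.100.1")
    return a, b


if __name__ == "__main__":
    gw_a, gw_b = make_gateways()
    inner = b"192.168.1.5>10.0.0.7 GET /inventory"  # constructed stand-in for an inner packet
    wire = gw_a.encapsulate(inner)
    print(observer_view(wire), b"192.168.1.5" in wire)
    print(gw_b.decapsulate(wire))
```

On the wire an observer sees only the two gateway addresses, protocol 50, the SPI and a sequence number; the private addresses and payload are inside the ciphertext. The receiving gateway verifies the ICV before it touches the ciphertext and rejects a repeated sequence number, so a captured packet can neither be altered nor replayed into the tunnel.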
Layer 2 Security: PPTP, L2TP • Microsoft: PPTP • Cisco: L2F (Layer 2 Forwarding) • Combined to create L2TP • IPsec optional: • Advantages of L2TP: • can use PPP authentication and access controls (PAP and CHAP!) • uses NCP to handle address assignment for the remote client • no IPsec, no overhead of reliance on PKI • BUT: L2TP on its own does not encrypt the tunnelled frames, and PAP sends the password in the clear; in practice L2TP is run over IPsec (L2TP/IPsec) to get confidentiality