IP Security
- IPSec
- Firewall Design
- Security: understanding when and how users, computers, services, and networks can trust one another
- Two fundamental techniques: perimeter security and encryption
CS 428 Computer Networking

Security
- Perimeter security allows an organization to determine which services and networks it will make available to outsiders
- Encryption handles most other aspects

Security
- Security implies safety, assurance of data integrity, freedom from unauthorized access, freedom from snooping or wiretapping, and freedom from disruption of service
- Physical security is as important as protecting abstract resources

Aspects of Protection
- Data integrity: protect data from unauthorized change
- Data availability: outsiders cannot prevent legitimate access to data
- Confidentiality
- Authorization: access only to the data that is required
- Replay avoidance: outsiders who capture copies of packets must not be able to replay them

Information Policy
- "Before an organization can enforce network security, it must assess risks and develop a clear policy regarding information access and protection."
- An information policy begins with people, the most susceptible point in any security scheme

Internet Security
- Datagrams can be intercepted or compromised, so their contents cannot be trusted
- Example: a server attempts source authentication by examining the source IP address
- Such source authentication is weak; stronger authentication requires encryption
IPSec
- A set of protocols that provide secure Internet communication
- Valid for IPv4 and IPv6
- IPSec is flexible and extensible
- Can use authentication or encryption; asymmetric choices are OK
- Does not demand a specific authentication or encryption algorithm
- Includes a set of encryption algorithms that all implementations must recognize

IPSec AH
- Authentication Header (see figures 32.1 and 32.2 on pages 584 and 585)
- Inserts the AH after the IP header and before the transport header
- The PROTOCOL field in the IP header is changed to value 51
- Since the PROTOCOL field is changed, how does the receiver determine the payload type?

IPSec AH
- The AH has a NEXT HEADER field; the original PROTOCOL value is written here
- PAYLOAD LEN: length of the AH
- SEQUENCE NUMBER: starts at 0 and increases monotonically
- SECURITY PARAMETER INDEX: specifies the Security Association (SA)
- AUTHENTICATION DATA: based upon the security scheme

Security Association
- A security scheme includes the authentication algorithm, key(s), key lifetime, algorithm lifetime for the destination, and authorized source addresses
- This information cannot fit into the header
- Each receiver collects all details about the security scheme into an abstraction called a Security Association

Security Association
- Each SA is given a number, also known as a security parameters index
- Before a sender can use IPSec to communicate with a receiver, the sender must know the index value of an SA on the receiver
- Index values are owned by destinations and are not globally known!
- SAs can have lifetimes, allowing index values to be reused
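The AH layout, the NEXT HEADER answer to the question above, and the receiver-owned SPI lookup, as an added example that is not part of the lecture slides. The SA table, its SPI value and the 12-octet HMAC-SHA1-96 ICV length are constructed assumptions; the ICV itself is not verified here.

```python
import struct

# Constructed receiver-side SA table (hypothetical SPI and algorithm values,
# not from the slides): the receiver owns the SPI and hands it to the sender.
SA_TABLE = {
    0x00001001: {"auth": "hmac-sha1-96", "icv_len": 12, "last_seq": 0},
}


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Assemble an AH: NEXT HEADER, PAYLOAD LEN, RESERVED, SPI, SEQ, ICV.
    PAYLOAD LEN is the AH length in 32-bit words minus 2 (RFC 4302)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(payload: bytes) -> dict:
    """Parse the AH that follows an IP header whose PROTOCOL field is 51.
    The original protocol comes back as NEXT HEADER; the bytes after the
    AH are the transport header it protected."""
    if len(payload) < 12:
        raise ValueError("AH needs at least 12 octets")
    next_header, payload_len, _reserved, spi, seq = struct.unpack(
        "!BBHII", payload[:12])
    ah_len = (payload_len + 2) * 4          # fixed 12 octets + ICV
    if len(payload) < ah_len:
        raise ValueError("truncated AH")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": payload[12:ah_len], "rest": payload[ah_len:]}


def accept_ah(payload: bytes, sa_table: dict = SA_TABLE) -> tuple:
    """Receiver checks before ICV verification: the SPI must name one of
    this receiver's SAs, and SEQ must be strictly greater than the last
    accepted value (the simplest form of replay avoidance)."""
    ah = parse_ah(payload)
    sa = sa_table.get(ah["spi"])
    if sa is None:
        return False, "unknown SPI: index values belong to the destination"
    if len(ah["icv"]) != sa["icv_len"]:
        return False, "ICV length does not match the SA's algorithm"
    if ah["seq"] <= sa["last_seq"]:
        return False, "replayed or out-of-order sequence number"
    sa["last_seq"] = ah["seq"]     # ICV check over the SA's key would go here
    return True, "deliver to protocol %d" % ah["next_header"]
```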
IPSec ESP
- Privacy plus authentication: Encapsulating Security Protocol
- Value 50 in the PROTOCOL field (see figures on pages 586 and 587)
- Three additional areas: ESP HEADER, ESP TRAILER, and ESP AUTH (variable size)

IPSec ESP
- Uses many of the same items as AH but reorders them
- ESP HEADER: 8 octets for the SPI and sequence number
- ESP TRAILER: optional padding, padding length, NEXT HEADER
- ESP AUTH data

IPSec ESP
- Padding may be present for three reasons:
  - Some decryption algorithms require zeros following the encrypted message
  - NEXT HEADER is right-justified within a 4-octet field; IPSec requires that the AUTH data following the trailer start on a 4-octet boundary
  - Random padding to throw off sniffers
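The ESP header, trailer and AUTH layout from the three slides above, as an added example rather than slide material. It shows only the framing: the 1, 2, 3, ... pad pattern is the RFC 4303 default (an assumption here, since a cipher that needs zero padding would supply its own), no encryption is applied, and the ICV length is whatever the SA says.

```python
import struct


def build_esp_trailer(plaintext: bytes, next_header: int,
                      block_size: int = 4) -> bytes:
    """Append ESP padding, PAD LENGTH and NEXT HEADER to the data that will
    be encrypted.  The padding makes (plaintext + padding + 2) a multiple of
    block_size, which is at least 4 so that NEXT HEADER ends on a 4-octet
    boundary and the AUTH data after it starts on one; a cipher with a
    larger block (assumed 16 for a CBC cipher) raises block_size."""
    block_size = max(4, block_size)
    pad_len = (-(len(plaintext) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))    # default pattern 1, 2, 3, ...
    return plaintext + padding + struct.pack("!BB", pad_len, next_header)


def strip_esp_trailer(decrypted: bytes) -> tuple:
    """Receiver side: read PAD LENGTH and NEXT HEADER from the last two
    octets, check the padding, and return (payload, next_header)."""
    if len(decrypted) < 2:
        raise ValueError("ESP trailer needs at least 2 octets")
    pad_len, next_header = struct.unpack("!BB", decrypted[-2:])
    if pad_len + 2 > len(decrypted):
        raise ValueError("pad length exceeds decrypted data")
    padding = decrypted[len(decrypted) - 2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding check failed")
    return decrypted[:len(decrypted) - 2 - pad_len], next_header


def esp_layout(spi: int, seq: int, body: bytes, icv: bytes) -> bytes:
    """ESP HEADER (SPI, SEQ) + encrypted body with trailer + ESP AUTH."""
    return struct.pack("!II", spi, seq) + body + icv


def split_esp(datagram: bytes, icv_len: int) -> tuple:
    """Receiver side: the SA named by the SPI says how long the AUTH data
    is, which is how the receiver locates header, body and AUTH."""
    if len(datagram) < 8 + icv_len:
        raise ValueError("datagram too short for ESP header and AUTH")
    spi, seq = struct.unpack("!II", datagram[:8])
    body = datagram[8:len(datagram) - icv_len]
    return spi, seq, body, datagram[len(datagram) - icv_len:]
```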
Mutable Fields
- IPSec authentication is designed to assure that an arriving datagram is identical to the one sent by the source
- Intermediate routers decrement the TTL field and re-compute the checksum
- Mutable fields are IP header fields that can change in transit
- IPSec only authenticates immutable fields
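How AH copes with mutable fields, as an added example that is not from the slides: the ICV is computed over a copy of the IPv4 header with the mutable fields zeroed, so a router's TTL decrement and checksum rewrite leave the ICV unchanged while any other change breaks it. HMAC-SHA1-96 as the authentication algorithm, a 20-octet header without options, and all addresses and keys are constructed assumptions.

```python
import hashlib
import hmac
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-octet IPv4 header, computed with
    the checksum field treated as zero."""
    h = bytearray(hdr[:20])
    h[10:12] = b"\0\0"
    total = sum(struct.unpack("!10H", bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, ttl: int, proto: int = 51,
                total_len: int = 64) -> bytes:
    """Constructed IPv4 header without options (sample field values)."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len,
                              0x1234, 0x4000, ttl, proto, 0, src, dst))
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """Copy of the header with the fields routers may change set to zero:
    TOS (DSCP/ECN), flags + fragment offset, TTL and header checksum.
    What remains is what AH authenticates."""
    h = bytearray(ip_header[:20])
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, ah_fixed: bytes,
           upper_layer: bytes, icv_len: int = 12) -> bytes:
    """AUTHENTICATION DATA as HMAC-SHA1 truncated to 96 bits (HMAC-SHA1-96,
    assumed for the example) over the immutable IP fields, the AH with its
    own ICV field zeroed, and the upper-layer data."""
    covered = zero_mutable_fields(ip_header) + ah_fixed + bytes(icv_len) + upper_layer
    return hmac.new(key, covered, hashlib.sha1).digest()[:icv_len]


def forward_hop(ip_header: bytes) -> bytes:
    """What an intermediate router does: decrement TTL, recompute checksum."""
    h = bytearray(ip_header)
    h[8] -= 1
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)
```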
IPSec Tunneling
- The standard defines both AH and ESP tunnels (see figure 32.4 on page 588)
- Required security algorithms: see figure 32.5 on page 588

Secure Sockets Layer (SSL)
- Originated by Netscape
- Dual authentication; negotiates the encryption algorithm
- Secure connection; not formally adopted by the IETF but a de facto standard

Firewalls
- Place the firewall at the connection to the external Internet
- Inside and outside regions
- An intranet can have several external connections
- A firewall is only as strong as its weakest link: all firewalls must be configured to use the same access restrictions

Firewalls
- In theory, a firewall simply blocks all communication between the organization and the outside
- In practice, more than this is needed
- Firewalls need to be tailored to the specific organization
- Must have hardware and software capable of handling a potentially busy interface

Packet-Level Filters
- High-speed filtering mechanism
- A manager configures the filter in a router
- Filter (block) all datagrams from a specific source, or those used by a specific application
- Does not keep a record of filtering
- Packet filters are not specified by the TCP/IP standards
Packet Filters
- See figure 32.6 on page 591
- Block incoming datagrams destined for well-known services
- Block outgoing datagrams from any host in the 16-bit prefix 128.5.0.0 to a remote e-mail server (TCP port 25)

Packet Filters
- The previous example does not work well for a firewall:
  - The number of well-known ports is large
  - Much traffic on an internet does not travel on well-known ports: programmers can choose ports, and Remote Procedure Call assigns dynamic port numbers
  - Listing ports leaves the firewall open to tunneling

Firewalls
- Tunneling can circumvent security: a host on the inside agrees to accept encapsulated datagrams from a host on the outside, removes one layer, and then forwards them to an internal service
- Must reverse the idea of filtering: instead of identifying which datagrams should be filtered (blocked), block everything!

Firewalls
- Allow only datagrams for approved networks, hosts, and ports
- Examine the organization's information policy, then enable certain functionality
- Many packet filters use this approach
- Solves many problems but has an interesting consequence: it prevents inside users from accessing outside resources

Firewalls
- Servers may operate on well-known ports, but clients do not
- Clients may send data out but won't get data back in: the packet filter will block the client's returning datagram
- Not all organizations configure their filters to block all internal unknown port numbers
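The two filtering styles from the slides above, as an added example that is not part of the lecture: a stateless first-match filter evaluated against the slide's block-list (default allow) and against the reversed, default-block list, showing why the latter drops the client's returning datagram. The 128.5.0.0/16 prefix and port 25 rule come from the slides; the web server 128.5.1.10, client 128.5.2.7 and outside host 203.0.113.5 are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    direction: str   # "in" = arriving from outside, "out" = leaving the intranet
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: range = range(0, 65536)
    def matches(self, d: Datagram) -> bool:
        return (self.direction in ("any", d.direction)
                and ipaddress.ip_address(d.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(d.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", d.proto)
                and d.dport in self.dports)


def decide(rules: list, default: str, d: Datagram) -> str:
    """Stateless filter: first matching rule wins, else the default; nothing
    is remembered between datagrams, so a reply is judged on its own."""
    for rule in rules:
        if rule.matches(d):
            return rule.action
    return default


# Slide's block-list, default allow: well-known services closed to the
# outside, and 128.5.0.0/16 may not send to a remote mail server (TCP 25).
BLOCKLIST = [
    Rule("block", "in", dports=range(0, 1024)),
    Rule("block", "out", src="128.5.0.0/16", proto="tcp", dports=range(25, 26)),
]

# Reversed idea, default block: only the one exposed service is reachable.
ALLOWLIST = [
    Rule("allow", "in", dst="128.5.1.10/32", proto="tcp", dports=range(80, 81)),
    Rule("allow", "out"),
]

# Inside client fetching a page, and the outside server's reply to its ephemeral port.
CLIENT_REQUEST = Datagram("out", "128.5.2.7", "203.0.113.5", "tcp", 50000, 80)
SERVER_REPLY = Datagram("in", "203.0.113.5", "128.5.2.7", "tcp", 80, 50000)
```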
Secure Firewalls
- Users on the inside need to access resources on the outside
- Safe access can only be provided through a secure computer
- Install one secure computer with each firewall and install a set of application gateways on that computer
- Bastion host; proxy access

Secure Gateway
- See figure 32.7 on page 593
- Outer barrier: blocks all incoming traffic except datagrams destined for services on the bastion host that the organization chooses to expose externally, or for clients on the bastion host
- Inner barrier: blocks incoming traffic except that coming from the bastion host
- Manual bypass

Secure Firewalls
- Web access example: the firewall prevents the user's computer from receiving datagrams, so the user cannot use a browser for direct access
- Arrange a proxy server on the bastion host; inside, each browser is configured to use the proxy
- The proxy contacts the URL, receives the information, and returns it transparently to the user inside the firewall

Firewall Implementation
- Each barrier requires a router with a packet filter, plus network connections between the routers and the bastion host
- See figure 32.8 on page 594: R2 = outer barrier, H = bastion host, R1 = inner barrier
- The safety of the firewall depends on the safety of the bastion host (software and hardware)

Stub Network
- The previous example is known as a stub network
- A stub network isolates the organization; this may be considered unnecessary
- See figure 32.9 on page 595 for an alternative firewall permitting many external connections: one router per connection, and all external connections also mistrust one another

Firewalls
- Monitoring
  - Active: the firewall notifies whenever there is an incident
  - Passive: the firewall records activity in logs