
IP Security Creating Secure Intranets over the Internet

Authors: GRsoft



Presentation Transcript


  1. IP Security Creating Secure Intranets over the Internet Authors: GRsoft

  2. ABSTRACT
  • Secure intranets over the Internet are an intriguing, cost-saving alternative to high-cost leased lines or frame relay services, while at the same time increasing the security of the traffic.
  • An intranet is a private network inside a corporation that uses the Internet as the underlying medium. The concept is not new, but it is only now becoming possible. The enablers for this technology have been the commercialization of the Internet backbone, the proliferation of the World Wide Web (WWW), and Internet Protocol (IP) security.
  • Now that every company needs a WWW connection to the Internet, it is logical to overlap that use with other office-to-office traffic, especially when that network is significantly cheaper than leased lines or even frame relay services.

  3. • IP security is another enabler for the intranet. The Internet is a free-for-all that allows any-to-any connectivity. If you are building a network specialized to carry private company information, the last thing you want is any-to-any connectivity where the "any" can be your competitors. In addition to keeping competitors out, you also need to make sure that the company's proprietary data are indeed unreadable to the competition while they are being transferred over the Internet.
  • The IP security standards suite is built on cryptography, and encryption is only part of it: it is more than the scrambling of bits so that the data cannot be seen. The suite, as envisioned by the IPsec working group, includes the capability to create private transmissions, to authenticate the parties to a conversation, and to provide data integrity so that you know the traffic came from the original sender and was not modified in transit by an attacker. These mathematical transformations can be implemented at several places in an IP network and can be used to protect data host to host, site to site, or any other combination.

  4. • The IPsec Oakley key management protocol provides the ability to negotiate a key privately while also ensuring that the key was negotiated with the intended party. Authenticating the other side and creating a (two-party) shared secret key are its prime motivation.
  • The ISAKMP protocol allows keys and traffic parameters (the security associations) to be negotiated before they are needed.
  • Finally, there is yet another protocol, defined by the DNSsec working group. DNSsec can serve signed, authenticated credentials (public keys published in DNS) to validate that end points are who they say they are.
  • These transformations can be implemented at several places in IP networks, with or without firewalls.
  • Packet formats for IPsec-compatible encapsulation will be shown, as well as future challenges such as public key certificates.

  5. Capabilities of encryption
  • Encryption is a set of mathematical transformations. It is a tool. This tool can be used to create several important capabilities when applied to the protection of private data on public networks.
  • Technically, integrity, key exchange, and authentication are not encryption per se; they do, however, rely on the same one-way (hard to invert) properties that make encryption possible.
  • Privacy: Privacy is the ability to keep data private on networks where others may be listening. This is where the common "symmetric ciphers" such as DES, 3DES (pronounced triple-DES), CDMF (DES with a 40-bit effective key), IDEA, RC4, and others are used. The IPsec standard mandates the conservative choice of DES. DES is a well understood and royalty-free algorithm and, at the time of writing, had withstood 20 years of public scrutiny. (Its 56-bit key has since been brute-forced with modest hardware; single DES is now MUST NOT in the IPsec cipher requirements, RFC 8221, and AES has replaced it.)

  6. • Integrity: Integrity is the method of ensuring that the data has not been modified in transit from source to destination. Typically, in networks and on computer disks, the protection used to ensure that data is not modified is a cyclic redundancy check (CRC). CRCs are very good at catching random errors, but to an attacker they are entirely predictable: a CRC is a linear function with no secret in it, so anyone who changes the data can simply recompute it (or compute the adjustment that leaves the old value unchanged). In addition, the sizes of CRCs (16, 32, or 64 bits) are all too small to stop a deliberate attack.
  • The integrity function is usually performed by a hash function. The two in use today are MD5 and SHA. Hash functions can be used to create keyed (authenticated) hashes, which ensure both that the data has not been changed and that it comes from the correct source. IPsec uses both MD5 and a keyed variant of MD5, HMAC-MD5. (HMAC-MD5 has since been deprecated in IPsec in favour of HMAC-SHA-2 and AEAD ciphers such as AES-GCM.)
  • Replay Prevention: This capability ensures that data is accepted once and never again. In an IP network, traffic is not guaranteed to arrive in order and is not guaranteed to arrive at all. Replay prevention provides a means of ensuring that data, once received, cannot be recorded and played back later. Replay attacks can be useful to an attacker even if the data is never decrypted: a captured packet with a valid integrity check (say, one that triggered a transaction) can simply be resent unless the receiver remembers that it has already seen it.
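The integrity and replay checks described above, as an added example that is not part of the original presentation: an ESP-style authenticated packet (SPI, sequence number, payload, 96-bit HMAC-MD5 ICV as in RFC 2403) is verified on receipt and then run through the sliding anti-replay window from RFC 2401 Appendix C. The key, SPI and payloads are constructed for the demo, the function names are this example's own, and the privacy (DES) transform is omitted because Python's standard library has no block cipher.

```python
import hashlib
import hmac
import struct

# Constructed demo values. A real SA's key comes from key management, never
# from a constant in source, and the SPI is assigned by the receiver.
AUTH_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
SPI = 0x00001234
ICV_LEN = 12      # HMAC-MD5-96: the 128-bit HMAC truncated to 96 bits (RFC 2403)
WINDOW = 64       # anti-replay window width from RFC 2401 Appendix C


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """SPI || Seq || payload || ICV, with ICV = HMAC-MD5(key, SPI||Seq||payload)[:12]."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.md5).digest()[:ICV_LEN]
    return header + payload + icv


def verify_icv(key: bytes, packet: bytes) -> bool:
    """Recompute the keyed hash. Unlike a CRC, a forger would need the key."""
    if len(packet) < 8 + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.md5).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)      # constant-time comparison


class ReplayWindow:
    """Sliding-window replay check (RFC 2401 Appendix C).

    `last` is the highest sequence number accepted so far; bit i of `bitmap`
    is set once sequence number (last - i) has been accepted.
    """

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.last = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                        # 0 is never a valid ESP sequence number
            return False
        if seq > self.last:                 # right of the window: slide it forward
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:               # left of the window: too old, drop
            return False
        if self.bitmap & (1 << diff):       # inside the window and already seen
            return False
        self.bitmap |= 1 << diff            # inside the window, first sighting
        return True


def receive(key: bytes, window: ReplayWindow, packet: bytes) -> str:
    """Authenticate first, then replay-check: an unauthenticated packet must
    never be allowed to advance the window."""
    if not verify_icv(key, packet):
        return "bad-icv"
    seq = struct.unpack("!I", packet[4:8])[0]
    return "ok" if window.check_and_update(seq) else "replay"


def demo() -> list:
    """Constructed traffic: two normal packets, a replay, a tampered packet,
    a jump ahead, and a stale packet that has fallen out of the window."""
    win = ReplayWindow()
    p1 = build_packet(AUTH_KEY, SPI, 1, b"GET /payroll")
    p2 = build_packet(AUTH_KEY, SPI, 2, b"transfer 100")
    tampered = p2[:8] + b"transfer 999" + p2[-ICV_LEN:]   # same length, ICV no longer matches
    p100 = build_packet(AUTH_KEY, SPI, 100, b"later")
    p3 = build_packet(AUTH_KEY, SPI, 3, b"stale")          # valid ICV, but 97 behind
    return [receive(AUTH_KEY, win, p) for p in (p1, p2, p2, tampered, p100, p3)]


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'bad-icv', 'ok', 'replay']
```

The replayed copy of `p2` carries a perfectly valid ICV, which is exactly why the keyed hash alone is not enough and the window is needed; the stale packet is dropped for the same reason even though it was never seen, because the receiver cannot tell a late packet from a very old replay once it has fallen behind the window. Note the ordering in `receive`: checking the window before the ICV would let anyone with a forged sequence number advance `last` and drop legitimate traffic.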

  7. Key Exchange: There are two basic algorithms, Diffie-Hellman and its elliptic-curve variant. The mathematics of Diffie-Hellman are simple and easy to follow.
  • First, an x is chosen from random bits. The sender then calculates g^x and sends it to the other side. Meanwhile the receiver chooses its own y, calculates g^y, and sends it back. The sender then calculates (g^y)^x and the receiver calculates (g^x)^y; in both cases they have arrived at g^(xy). (All of these calculations are performed using modular arithmetic, modulo a large prime p.) What makes this elegant is that even if an eavesdropper listens to the conversation and knows g, g^x and g^y, then unless they can solve the discrete logarithm problem (or the closely related Diffie-Hellman problem) over a finite field, g^(xy) remains a mystery. If the numbers are large enough, the reversal is computationally infeasible.
  • Another aspect of Diffie-Hellman is that, if the random bits are generated fresh for each exchange and not reused in any way, the keys generated will be completely unrelated. If one key is cracked, the attacker learns nothing about any other keys that have been used or will be used in the future (this property is now called perfect forward secrecy).
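The exchange described above, as an added example that is not part of the original presentation: both sides of a Diffie-Hellman run over the 1024-bit Oakley group 2 from RFC 2409, with the public-value check an implementation needs and a demonstration that fresh exponents give unrelated keys. The group is the one contemporary with these drafts and is far too small for new deployments (RFC 3526 group 14 or larger, or ECDH, should be used today); the SHA-256 key derivation is a stand-in for IKE's PRF, and the function names and exponent range are this example's own choices.

```python
import hashlib
import secrets

# Oakley group 2 from RFC 2409 section 6.2: 1024-bit MODP prime, generator 2.
# It matches the era of the drafts on this page; it is too small for new work.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def keypair() -> tuple:
    """Fresh x from the OS CSPRNG; only g^x mod p goes on the wire."""
    x = secrets.randbelow(P - 3) + 2          # 2 <= x <= p-2
    return x, pow(G, x, P)


def valid_public(y: int) -> bool:
    """Reject 0, 1, p-1 and out-of-range values: a peer (or an attacker in the
    middle) who sends one of these forces g^xy to a value they already know."""
    return 2 <= y <= P - 2


def shared_key(x: int, peer_pub: int) -> bytes:
    """(g^y)^x mod p, hashed down to key material. Real IKE feeds g^xy and the
    nonces into a PRF; SHA-256 stands in for that here."""
    if not valid_public(peer_pub):
        raise ValueError("degenerate Diffie-Hellman public value")
    s = pow(peer_pub, x, P)
    return hashlib.sha256(s.to_bytes(P_BYTES, "big")).digest()


def exchange() -> tuple:
    """Both sides of one run. Returns (sender_key, receiver_key, wire_view)."""
    x, gx = keypair()              # sender
    y, gy = keypair()              # receiver
    wire_view = (G, P, gx, gy)     # everything a passive eavesdropper learns
    return shared_key(x, gy), shared_key(y, gx), wire_view


def rejects_degenerate(value: int) -> bool:
    """True when shared_key refuses the value, as it must for 0, 1 and p-1."""
    try:
        shared_key(12345, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k1, k1_peer, _ = exchange()
    k2, _, _ = exchange()          # fresh x and y: an unrelated key
    print(k1 == k1_peer, k1 != k2, rejects_degenerate(P - 1))   # True True True
```

Nothing in `exchange` tells the sender who chose `y`: an active attacker can run one exchange with each side and relay between them, which is the gap the authentication slide that follows is about. The degenerate-value check matters for the same reason; without it a man in the middle can substitute 1 or p-1 and pin both sides' "shared secret" to a value of their choosing.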

  8. • Authentication: Authentication is the method of ensuring that the data received is from the expected source. While it is possible to create a key with someone and use it, there is a possibility that the caller is not who they say they are (an active attacker can run the key exchange with each side separately and sit in the middle). To solve this, authentication protocols and algorithms are used. Most privacy systems use RSA to authenticate a party to a conversation. With RSA you publish your public key; as long as you keep your private key private, it is computationally infeasible to impersonate you.
  • These public keys, when combined with a certification authority, provide a means not only of storing and distributing public keys to callers, but also of protecting the integrity of the keys, as well as allowing the certifying authority to revoke a key so that if a key is lost or compromised it can be made useless.
  • IPsec: IPsec is a family of RFCs that can be used to create secure communications. They cover the data encapsulation formats and the key exchange framework. These RFCs represent the minimum implementation that can be called IPsec.

  9. draft-ietf-ipsec-arch-02.txt This is the overall architecture. It defines the various encapsulations.
  • draft-ietf-ipsec-esp-hmac-md5-00.txt This defines a secure keyed MD5 operation (HMAC-MD5). It allows the MD5 packet integrity check to be keyed so that the source can authenticate its packets.
  • draft-ietf-ipsec-esp-des-md5-00.txt This is the actual tunnel transform. It combines privacy (DES), integrity and authentication (HMAC-MD5), and replay protection.
  • draft-ietf-ipsec-oakley-00.txt This is the key management protocol, used both to exchange keys and to authenticate the parties.

  10. draft-ietf-ipsec-isakmp-04.txt This is the framework within which the key management protocols operate.
  • Others: There are several other RFCs and many more to come.
  • Status: Many vendors are working toward these standards, but the current sticking point is the wide deployment of key management and the integration of the key management system with DNSsec or other certificate servers. (Oakley and ISAKMP were later combined into IKE, RFC 2409, which has since been superseded by IKEv2, RFC 7296.)

  11. Conclusion
  This paper has discussed the networking, security, and standards aspects of creating a secure intranet over the Internet. The security capabilities of the latest Internet and intranet technologies enable companies to control both the availability of information and its authenticity better than before. The increasing sophistication of both server and client software means that this level of security can be provided without requiring users to undergo complex and bureaucratic procedures to gain legitimate access to sites.
