Security in The Internet
12/17/2021
Figure 32.1 Common structure of three security protocols
32-1 Introduction to IP Security (IPSec)
IP Security (IPSec)
◼ IPSec operates in one of two different modes: the transport mode or the tunnel mode, as shown in Figure
❖ IPSec protects what is delivered from the transport layer to the network layer. The transport mode protects the network layer payload, the payload to be encapsulated in the network layer.
❖ The transport mode does not protect the IP header. The transport mode does not protect the whole IP packet; it protects only the packet from the transport layer (the IP layer payload). In this mode, the IPSec header and trailer are added to the information coming from the transport layer. The IP header is added later.
❖ Note: IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer.
IP Security (IPSec): Tunnel Mode
1. Authentication Header (AH)
2. Encapsulating Security Payload (ESP)
The fields for the header and trailer are as follows:
❖ Security parameter index: The 32-bit security parameter index field is similar to that defined for the AH Protocol.
❖ Sequence number: The 32-bit sequence number field is similar to that defined for the AH Protocol.
❖ Padding: This variable-length field (0 to 255 bytes) of 0s serves as padding. The value is between 0 and 255; the maximum value is rare.
❖ Next header: The 8-bit next-header field is similar to that defined in the AH Protocol. It serves the same purpose as the protocol field in the IP header before encapsulation.
❖ Authentication data: The authentication data field is the result of applying an authentication scheme to parts of the datagram.
Note:
✓ The authentication data differ between AH and ESP: in AH, part of the IP header is included in the calculation of the authentication data; in ESP, it is not.
✓ IPSec supports both IPv4 and IPv6. In IPv6, AH and ESP are part of the extension header.
IPSec Services
Security Association
A Simple Example
A security association is a very complex set of pieces of information. However, we can show the simplest case, in which Alice wants to have an association with Bob for use in a two-way communication. Alice can have an outbound association (for datagrams to Bob) and an inbound association (for datagrams from Bob). Bob can have the same. In this case, the security associations are reduced to two small tables for both Alice and Bob, as shown in Figure 32.8.
The figure shows that when Alice needs to send a datagram to Bob, she uses the ESP Protocol of IPSec. Authentication is done by using SHA-1 with key x. The encryption is done by using DES with key y. When Bob needs to send a datagram to Alice, he uses the AH Protocol of IPSec. Authentication is done by using MD5 with key z. Note that the inbound association for Bob is the same as the outbound association for Alice, and vice versa.
Figure 32.8 Simple inbound and outbound security associations
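The AH/ESP difference from the note above, using the SHA-1 key x and MD5 key z of Figure 32.8, as an added Python example that is not from the slides: it computes only the authentication data (encryption with key y is omitted), with constructed keys, addresses and payload, and shows that a source-address rewrite in transit invalidates AH but not ESP, while a TTL decrement invalidates neither.

```python
import hashlib
import hmac
import struct

# Constructed sample keys; Figure 32.8 names them x and z but gives no values.
KEY_X = b"alice-outbound-esp-sha1-key"   # SHA-1 key in Alice's ESP outbound SA
KEY_Z = b"bob-outbound-ah-md5-key"       # MD5 key in Bob's AH outbound SA

def ipv4_header(src, dst, ttl, proto):
    """Build a minimal 20-byte IPv4 header (checksum left at zero)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, src_b, dst_b)

def ah_auth_data(header, spi, seq, payload, key=KEY_Z):
    """AH: the ICV covers the IP header, the AH fields and the payload.
    Mutable header fields (TTL, checksum) are zeroed before hashing, as RFC 4302 requires."""
    fixed = bytearray(header)
    fixed[8] = 0                 # TTL changes at every hop
    fixed[10:12] = b"\x00\x00"   # header checksum changes with it
    msg = bytes(fixed) + struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.md5).digest()

def esp_auth_data(spi, seq, encrypted_payload, key=KEY_X):
    """ESP: the ICV covers only the ESP header and the (encrypted) payload, never the IP header."""
    msg = struct.pack("!II", spi, seq) + encrypted_payload
    return hmac.new(key, msg, hashlib.sha1).digest()

def header_change_detected(protocol):
    """Send a datagram, rewrite its source address in transit (as a NAT device would),
    and report whether the receiver's ICV check notices. True means the change is detected."""
    payload = b"constructed transport-layer payload (encryption omitted)"
    spi, seq = 0x1000, 1
    proto_num = 51 if protocol == "AH" else 50
    original = ipv4_header("10.0.0.1", "10.0.0.2", 64, proto_num)
    rewritten = ipv4_header("203.0.113.5", "10.0.0.2", 63, proto_num)
    if protocol == "AH":
        return ah_auth_data(original, spi, seq, payload) != ah_auth_data(rewritten, spi, seq, payload)
    # ESP never hashes the IP header, so the receiver computes the same ICV either way.
    return esp_auth_data(spi, seq, payload) != esp_auth_data(spi, seq, payload)

def ah_tolerates_ttl_decrement():
    """A router decrementing TTL must not break AH: TTL is mutable and is zeroed before hashing."""
    payload = b"constructed payload"
    h64 = ipv4_header("10.0.0.1", "10.0.0.2", 64, 51)
    h63 = ipv4_header("10.0.0.1", "10.0.0.2", 63, 51)
    return ah_auth_data(h64, 0x1000, 1, payload) == ah_auth_data(h63, 0x1000, 1, payload)
```

This is also why AH does not survive address translation on the path while ESP does.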
A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, although not an inherent, part of a VPN connection.
❖ A VPN uses the IPSec Protocol to apply security.
❖ Internet users may secure their connections with a VPN to circumvent geo-blocking and censorship.
❖ Internal IP addresses from your on-premises networks are hidden from external users.
❖ The entire communication between the on-premises network and public networks is encrypted, significantly lowering the chances of information theft.
Virtual private network (VPN)
Note: VPN technology uses IPSec in the tunnel mode to provide authentication, integrity, and privacy.
Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former.
❖ Transport layer security provides end-to-end security services for applications that use a reliable transport layer protocol such as TCP. The idea is to provide security services for transactions on the Internet.
Figure 32.14 Location of SSL and TLS in the Internet model
SSL Services
◦ Fragmentation
First, SSL divides the data into blocks of 2^14 bytes or less.
◦ Compression
Each fragment of data is compressed by using one of the lossless compression methods negotiated between the client and server. This service is optional.
◦ Message Integrity
To preserve the integrity of data, SSL uses a keyed-hash function to create a MAC.
◦ Confidentiality
To provide confidentiality, the original data and the MAC are encrypted using symmetric-key cryptography.
◦ Framing
A header is added to the encrypted payload. The payload is then passed to a reliable transport layer protocol.
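The record-layer steps above carried out in order on both sides, as an added Python example that is not from the slides: compression is skipped (it is optional), the symmetric cipher is a constructed SHA-256 keystream stand-in rather than a real SSL/TLS cipher, and the MAC input layout, HMAC-SHA256 and the version bytes (3, 1) are assumptions.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14   # 16,384 bytes, the fragment limit named on the slide
VERSION = (3, 1)         # assumed record-layer version bytes (TLS 1.0 on the wire)
MAC_LEN = 32             # HMAC-SHA256 output, an assumed MAC choice

def keystream(key, seq, length):
    """Constructed stand-in for the negotiated symmetric cipher: a SHA-256 counter
    keystream. Not a real SSL/TLS cipher; it only lets the step ordering be shown."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + struct.pack("!QI", seq, ctr)).digest()
    return out[:length]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def mac_for(mac_key, seq, ctype, fragment):
    """Keyed hash over the sequence number, the record header fields and the fragment."""
    hdr = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha256).digest()

def build_records(data, mac_key, enc_key, ctype=23):
    """Sender side: fragment, MAC, encrypt, frame. Compression (optional) is skipped."""
    records = []
    for seq, start in enumerate(range(0, len(data), MAX_FRAGMENT)):
        fragment = data[start:start + MAX_FRAGMENT]                          # fragmentation
        plaintext = fragment + mac_for(mac_key, seq, ctype, fragment)        # message integrity
        ciphertext = xor(plaintext, keystream(enc_key, seq, len(plaintext)))  # confidentiality
        header = struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(ciphertext))  # framing
        records.append(header + ciphertext)
    return records

def open_records(records, mac_key, enc_key):
    """Receiver side: unframe, decrypt, verify the MAC, reassemble.
    Raises ValueError if any record was altered in transit."""
    data = b""
    for seq, rec in enumerate(records):
        ctype, _major, _minor, length = struct.unpack("!BBBH", rec[:5])
        plaintext = xor(rec[5:5 + length], keystream(enc_key, seq, length))
        fragment, mac = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
        if not hmac.compare_digest(mac, mac_for(mac_key, seq, ctype, fragment)):
            raise ValueError("record %d failed the integrity check" % seq)
        data += fragment
    return data
```

A 40,960-byte message becomes three records (16,384 + 16,384 + 8,192 bytes of data), and flipping one ciphertext byte makes the receiver reject that record.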
TLS is the IETF standard version of SSL. The two are very similar, with slight differences. We highlight the differences below:
Version: The SSLv3.0 discussed in this section is compatible with TLSv1.0.
Cipher Suite: The TLS cipher suite does not support Fortezza.
Cryptography Secret: There are several differences in the generation of cryptographic secrets. TLS uses a pseudorandom function (PRF) to create the master key and the key materials.
Alert Protocol: TLS deletes some alert messages and adds some new ones.
Transport Layer Security TLS
PGP Services
32-4 FIREWALLS
Figure 32.23 Packet-filter firewall
❖ A firewall can be used as a packet filter.
❖ It can forward or block packets based on the information in the network layer and transport layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP).
❖ A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded).
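A filtering table of the kind described above, keyed on exactly the header fields the slide lists, as an added Python example that is not from the slides; the rules, addresses and ports are constructed, and first-match evaluation with a default of discard is an assumed policy.

```python
import ipaddress
from collections import namedtuple

# Constructed filtering table using documentation address ranges (not from the slides).
Rule = namedtuple("Rule", "action src dst proto dport")
Packet = namedtuple("Packet", "src dst proto dport")

FILTER_TABLE = [
    # Rules are checked top to bottom, so the telnet block must come before the broad allows.
    Rule("discard", "0.0.0.0/0", "0.0.0.0/0", "tcp", 23),       # no telnet in either direction
    Rule("forward", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),   # anyone may reach the public web server
    Rule("forward", "10.0.0.0/8", "0.0.0.0/0", "tcp", None),    # internal hosts may use any other TCP service
    Rule("forward", "10.0.0.0/8", "192.0.2.53/32", "udp", 53),  # internal hosts to the DNS server only
]

def matches(rule, pkt):
    """A rule matches when each field is either a wildcard or equal to the packet's value."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))

def decide(pkt, table=FILTER_TABLE):
    """First matching rule wins; a packet matching no rule is discarded (default deny)."""
    for rule in table:
        if matches(rule, pkt):
            return rule.action
    return "discard"
```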
Proxy firewall
❖ When the user client process sends a message, the proxy firewall runs a server process to receive the request.
❖ The server opens the packet at the application level and finds out if the request is legitimate.
❖ If it is, the server acts as a client process and sends the message to the real server in the corporation.
❖ If it is not, the message is dropped and an error message is sent to the external user.
❖ In this way, the requests of the external users are filtered based on the contents at the application layer.
Note: A proxy firewall filters at the application layer.