Network Layer Security Network Systems Security Mort Anvari... Security in Network Layer Implementing security in application layer provides flexibility in security policy and key manag
Trang 1Network Layer Security
Network Systems Security
Mort Anvari
Trang 2Security in Network Layer
Implementing security in application layer provides flexibility in security policy and key management
Problem is need to implement security
mechanism in every application
individually
To reduce the overhead, implement security
in network layer to provide security for all
Trang 3 Two protocols
Authentication Header (AH)
Encasulating Security Payload (ESP)
Provide general security services for IP
Authentication
Confidentiality
Anti-replay
Key management
Applicable to use over LANs, across
public and private WANs, and for the
Internet
Trang 4Scenario of IPSec Uses
Trang 5Benefits of IPSec
Provide strong security to all traffic
crossing the perimeter if installed in a
firewall/router
Resistant to bypass
IPSec is below transport layer, hence
transparent to applications
Can be transparent to end users
Can provide security for individual users if desired
Trang 6IP Security Architecture
Specification is quite complex
Defined in numerous RFC’s
RFC 2401/2402/2406/2408
many others, grouped by category
Mandatory in IPv6, optional in IPv4
Trang 7Security Association (SA)
A unidirectional relationship between
sender and receiver that affords
security for traffic flow
Each IPSec computer maintains a
Trang 8SA Parameters
Sequence Number Counter
Sequence Number Overflow
Trang 9 prevent address spoofing attacks by
tracking sequence numbers
Based on use of a MAC
HMAC-MD5-96 or HMAC-SHA-1-96
Parties must share a secret key
Trang 10Authentication Header
Trang 11End vs
End-to-Intermediate Authentication
Trang 12Scope of AH
Authentication
Trang 14Encapsulating Security
Payload
Trang 15Transport vs Tunnel Mode ESP
Transport mode is used to encrypt and optionally authenticate IP data
data protected but header left in clear
can do traffic analysis but is efficient
good for ESP host to host traffic
Tunnel mode encrypts entire IP packet
add new header for next hop
good for VPNs, gateway to gateway security
Trang 16Scope of ESP Encryption and
Authentication
Trang 17Combining Security
Associations
SAs can implement either AH or ESP,
but each SA can implement only one
To implement both, need to combine
SAs
form a security bundle
Have 4 cases
Trang 18Combining Security
Associations
Trang 19Key Management
Handle key generation and distribution
Typically need 2 pairs of keys
2 per direction for AH & ESP
Manual key management
sysadmin manually configures every system
Automated key management
automated system for on demand creation
of keys for SA’s in large systems
Oakley and ISAKMP
Trang 20 A key exchange protocol
Based on Diffie-Hellman key exchange
Add features to address weaknesses of Diffie-Hellman
cookies to counter clogging attacks
nonces to counter replay attacks
key exchange authentication to counter
man-in-the-middle attacks
Can use arithmetic in prime fields or
Trang 21Usage of Cookies
Three basic requirements
Must depend on specific parties
Impossible for anyone other than issuing entity
to generate cookies that will be accepted by
issuing party
Cookie generation and verification must be fast
To create a cookie, perform a fast hash over src and dst IP addresses, src and dst ports, and a locally generated secret value
Trang 22 Internet Security Association and Key
Management Protocol
Provide framework for key management
Define procedures and packet formats to establish, negotiate, modify, and delete SAs
Independent of key exchange protocol, encryption algorithm, and authentication
Trang 23ISAKMP
Trang 24Next Class
Denial-of-Service (DoS) attack
Hop Integrity