Chapter 5
Network Security

security in practice: firewalls and intrusion detection systems
security in application, transport, network, link layers
[Figure: Alice and Bob exchange data and control messages over a channel; Trudy, the intruder, sits on the channel and can intercept them.]
Network Security 8-4
There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: a lot!
eavesdrop: intercept messages
actively insert messages into connection
impersonation: can fake (spoof) source address in packet (or any field in packet)
hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
denial of service: prevent service from being used by others (e.g., by overloading resources)
more on this later …
Message Integrity
Bob receives msg from Alice, wants to ensure:
message originally came from Alice
message not changed since sent by Alice
Cryptographic Hash: takes input m, produces fixed length value, H(m)
e.g., as in Internet checksum
[Figure: Alice appends the shared secret s to message m, computes H(m+s) and sends m together with H(m+s) over the public Internet; Bob appends s to the received m, recomputes H(m+s) and compares it with the received value.]
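The construction in the figure above, written out as an added example (not code from the slides): the sender appends the shared secret s to m and hashes; the receiver recomputes and compares. The slides name no specific hash, so SHA-256 and the secret value are assumptions. A constant-time comparison is used for the check, and HMAC is shown alongside because it is the standard keyed-hash construction used in deployed protocols.

```python
import hashlib
import hmac

# Assumption: the lecture's H(.) is instantiated with SHA-256; the slides
# name no particular hash function.
SHARED_SECRET = b"constructed-demo-secret-s"  # constructed sample value for s


def tag_message(m: bytes, s: bytes) -> bytes:
    """Sender side: H(m + s), the construction shown in the figure."""
    return hashlib.sha256(m + s).digest()


def verify_message(m: bytes, received_tag: bytes, s: bytes) -> bool:
    """Receiver side: append s to the received m, recompute H(m + s), compare.
    compare_digest takes the same time whether the tags differ in the first
    or the last byte, so the comparison itself leaks nothing about the tag."""
    return hmac.compare_digest(tag_message(m, s), received_tag)


def hmac_tag(m: bytes, s: bytes) -> bytes:
    """The standard keyed-hash construction (HMAC) keyed with s; in practice
    this is preferred to ad hoc hash-of-concatenation schemes."""
    return hmac.new(s, m, hashlib.sha256).digest()


def demo():
    m = b"Pay Bob 10 dollars"
    t = tag_message(m, SHARED_SECRET)
    genuine = verify_message(m, t, SHARED_SECRET)
    # Trudy alters m in transit but cannot recompute H(m + s) without s,
    # so the old tag no longer matches the new message.
    tampered = verify_message(b"Pay Bob 1000 dollars", t, SHARED_SECRET)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

Without s, an attacker who changes m can compute H(m) but not H(m+s); that is the whole difference between the Internet checksum (no secret, detects accidental errors only) and the keyed construction on the slide.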
2. Key Derivation:
Alice, Bob use shared secret (MS) to generate 4 keys:
EB: Bob->Alice data encryption key
EA: Alice->Bob data encryption key
MB: Bob->Alice MAC key
MA: Alice->Bob MAC key
encryption and MAC algorithms negotiable between Bob, Alice
[Figure: SSL record processing, Bob->Alice direction: data d and the SSL sequence number are fed to H(.) under the MAC key to give H(d); d and H(d) are then encrypted using EB. SSL record format: Type, Ver, Len (unencrypted) followed by d and H(d) (encrypted using EB).]
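An added example (not the slides' code, and not the real SSL/TLS PRF or cipher) that ties the two slides together: the four directional keys are expanded from MS, then a record is built as Type | Ver | Len header in the clear, followed by d and H(d) encrypted under EB, where H(d) covers the sequence number so a replayed or reordered record fails the check. Assumptions: key expansion is one HMAC-SHA256 per labelled key, and the cipher is a toy SHA-256 counter-mode keystream standing in for the negotiated algorithm; the record type 23 and version 0x0303 are constructed sample values.

```python
import hashlib
import hmac
import struct

KEY_LABELS = ("EB", "EA", "MB", "MA")  # the four keys named on the slide
MAC_LEN = 32


def derive_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Expand the shared master secret MS into the four directional keys.
    Assumption: one HMAC-SHA256 per labelled key; SSL/TLS uses its own PRF,
    but the shape (one secret in, several independent keys out) is the same."""
    return {
        label: hmac.new(master_secret, label.encode() + client_random + server_random,
                        hashlib.sha256).digest()
        for label in KEY_LABELS
    }


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy stream cipher (assumption) standing in for the negotiated cipher:
    SHA-256 in counter mode, with the record sequence number in the nonce."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QI", seq, counter)).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect_record(enc_key: bytes, mac_key: bytes, seq: int,
                   rec_type: int, version: int, d: bytes) -> bytes:
    """Build one record: clear header Type | Ver | Len, then d || H(d) encrypted.
    H(d) is keyed and covers the sequence number, which is never sent."""
    mac = hmac.new(mac_key, struct.pack(">Q", seq) + d, hashlib.sha256).digest()
    body = _xor(d + mac, _keystream(enc_key, seq, len(d) + MAC_LEN))
    return struct.pack(">BHH", rec_type, version, len(body)) + body


def open_record(enc_key: bytes, mac_key: bytes, expected_seq: int, record: bytes):
    """Receiver side: decrypt with the sequence number it expects, then check H(d).
    Raises ValueError on truncation, tampering, or a replayed/reordered record."""
    rec_type, version, length = struct.unpack(">BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    plain = _xor(body, _keystream(enc_key, expected_seq, length))
    d, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    expected = hmac.new(mac_key, struct.pack(">Q", expected_seq) + d, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC check failed")
    return rec_type, version, d


def demo():
    keys = derive_keys(b"constructed-master-secret", b"client-random", b"server-random")
    # Bob -> Alice uses EB and MB; Alice tracks the sequence number herself.
    rec = protect_record(keys["EB"], keys["MB"], 0, 23, 0x0303, b"hello Alice")
    _, _, d = open_record(keys["EB"], keys["MB"], 0, rec)
    try:
        open_record(keys["EB"], keys["MB"], 1, rec)  # same record replayed later
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    return d, replay


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing in the code: encryption and MAC keys are separate per direction, exactly as the slide's four-key split requires, and the sequence number is an input to H(d) on both sides without ever appearing on the wire, so an attacker cannot replay a record into a different position in the stream.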
IPsec: Network Layer Security
network-layer secrecy: sending host encrypts the data in IP datagram (TCP and UDP segments; ICMP and SNMP messages).
network-layer authentication: destination host can authenticate source IP address.
two principal protocols: authentication header (AH) protocol; encapsulation security payload (ESP) protocol.
for both AH and ESP, source, destination handshake: create network-layer logical channel called a security association (SA).
each SA unidirectional.
uniquely determined by: security protocol (AH or ESP); source IP address; 32-bit connection ID.
[Figure: ESP datagram: IP header | ESP header | TCP/UDP segment | ESP trailer | ESP authent. The TCP/UDP segment and ESP trailer are encrypted; the ESP header, segment and trailer are authenticated.]
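An added example (not from the slides, and a simplification of real ESP) of the SA model just described: a receiver keeps a table of unidirectional SAs keyed by (security protocol, source IP address, 32-bit connection ID), looks up the SA for each inbound datagram, verifies the authentication field, and rejects replays with a sliding window. Assumptions: the ESP header is SPI followed by sequence number (as in RFC 4303), the trailer and encryption are omitted, the authentication value is a 16-byte truncated HMAC-SHA256, the window width is 64, and all addresses, SPIs and keys are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ICV_LEN = 16  # assumption: truncated HMAC-SHA256 as the "ESP authent" field


@dataclass
class SecurityAssociation:
    """One unidirectional SA, identified as on the slide by protocol,
    source IP address and 32-bit connection ID (the SPI)."""
    protocol: str            # "AH" or "ESP"
    src_ip: str
    spi: int
    auth_key: bytes
    window: int = 64         # assumption: anti-replay window width
    highest_seq: int = 0
    seen: set = field(default_factory=set)  # accepted sequence numbers

    def check_replay(self, seq: int) -> bool:
        """Accept seq once, and only if it is not older than the window."""
        if seq in self.seen or seq + self.window <= self.highest_seq:
            return False
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        return True


def sa_key(sa: SecurityAssociation):
    return (sa.protocol, sa.src_ip, sa.spi)


def build_esp(sa: SecurityAssociation, seq: int, payload: bytes) -> bytes:
    """Sender side: ESP header (SPI, seq) | payload | authentication value.
    The authentication value covers the header and payload, as in the figure."""
    header = struct.pack(">II", sa.spi, seq)
    icv = hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def receive_esp(sad: dict, src_ip: str, packet: bytes) -> str:
    """Receiver side: find the SA, authenticate, then apply the replay window."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed"
    spi, seq = struct.unpack(">II", packet[:8])
    sa = sad.get(("ESP", src_ip, spi))
    if sa is None:
        return "no SA"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "auth failed"
    if not sa.check_replay(seq):
        return "replay"
    return "accepted"


def demo():
    # Two SAs for one host pair: each direction has its own keys and window.
    bob_to_alice = SecurityAssociation("ESP", "10.0.0.2", 0x1001, b"constructed-key-b2a")
    alice_to_bob = SecurityAssociation("ESP", "10.0.0.1", 0x2002, b"constructed-key-a2b")
    sad = {sa_key(bob_to_alice): bob_to_alice, sa_key(alice_to_bob): alice_to_bob}

    pkt = build_esp(bob_to_alice, 1, b"TCP segment from Bob")
    results = [receive_esp(sad, "10.0.0.2", pkt)]          # genuine datagram
    results.append(receive_esp(sad, "10.0.0.2", pkt))      # same datagram again
    flipped = pkt[:8] + bytes([pkt[8] ^ 1]) + pkt[9:]      # one payload byte changed
    results.append(receive_esp(sad, "10.0.0.2", flipped))
    results.append(receive_esp(sad, "10.0.0.9", pkt))      # no SA for this source
    return results


if __name__ == "__main__":
    print(demo())
```

The SA table lookup comes first because the SPI alone says nothing until it is paired with the protocol and the source address that negotiated it; the authentication check comes before the window update so that a forged datagram cannot advance the receiver's window.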
[Figure: 802.11i operation, step 1: discovery of security capabilities. EAP TLS runs over EAP; between the client and the access point EAP is carried as EAP over LAN (EAPoL) on IEEE 802.11, and between the access point and the authentication server on the wired network it is carried in RADIUS over UDP/IP.]
Firewalls
firewall: isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.
[Figure: administered network | firewall | public Internet.]
Policy: Prevent your network from being tracerouted. Firewall setting: Drop all outgoing ICMP TTL expired traffic.
Packet-filter rule (action | source address | dest address | protocol | source port | dest port | flag bit):
allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | ---
… as on IP/TCP/UDP fields.
example: allow select internal users to telnet outside.
[Figure: application gateway and firewall between internal network and Internet. Figure: firewall with IDS sensors protecting the internal network; demilitarized zone containing Web server, DNS server, FTP server.]
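An added example (not from the slides) that turns the two firewall rules on this slide into a first-match packet filter over IP/TCP/UDP fields: the traceroute policy becomes a drop of outgoing ICMP "time exceeded" (type 11, the TTL-expired message), and the table row becomes an allow for 222.22/16 to outside addresses, UDP, source port > 1023, destination port 53. Assumptions: the Packet fields, the default-deny at the end of the rule list, and all sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("222.22.0.0/16")  # 222.22/16 from the slide's rule


@dataclass
class Packet:
    """The header fields a stateless packet filter looks at (constructed model)."""
    src: str
    dst: str
    proto: str                       # "TCP", "UDP" or "ICMP"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def allow_dns_queries_out(p: Packet) -> bool:
    """Slide row: allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | ---"""
    return (_internal(p.src) and not _internal(p.dst)
            and p.proto == "UDP"
            and p.sport is not None and p.sport > 1023
            and p.dport == 53)


def drop_ttl_expired_out(p: Packet) -> bool:
    """Slide policy: drop all outgoing ICMP TTL expired traffic.
    ICMP type 11 (time exceeded) is what a traceroute relies on."""
    return _internal(p.src) and p.proto == "ICMP" and p.icmp_type == 11


# Evaluated top to bottom; the first matching rule decides.
RULES = [
    ("drop", drop_ttl_expired_out, "prevent network from being tracerouted"),
    ("allow", allow_dns_queries_out, "DNS queries from inside to outside"),
]


def filter_packet(p: Packet) -> str:
    for action, matches, _reason in RULES:
        if matches(p):
            return action
    return "drop"  # default deny: nothing passes unless a rule allows it


def demo():
    samples = {
        "dns query out": Packet("222.22.1.5", "198.51.100.7", "UDP", 5000, 53),
        "dns from port 53": Packet("222.22.1.5", "198.51.100.7", "UDP", 53, 53),
        "dns to inside host": Packet("222.22.1.5", "222.22.9.9", "UDP", 5000, 53),
        "ttl expired out": Packet("222.22.1.1", "198.51.100.7", "ICMP", icmp_type=11),
        "telnet out": Packet("222.22.1.1", "198.51.100.7", "TCP", 4000, 23),
    }
    return {name: filter_packet(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The source-port condition is what makes the row a "query" rule: a DNS query from an ephemeral port is allowed, while UDP traffic that merely claims port 53 on both ends is not. Note also that this filter is stateless, so the matching reply traffic would need its own rule; that is the limitation the later slides on stateful filters and application gateways address.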
Thank You