Introduction Computer and Network Security.

  Network Security

Idea : 

•  Why don’t we just integrate some of these neat crypto tricks directly into the IP protocol stack?

– Integrated directly into protocol stack

– Defined as an extension to the network layer 

– Transparent to the above layers and application

– confidentiality 

– integrity 

– authenticity 

– replay protection

– DOS protection

• Transport mode 

– default mode of IPsec -- protects transport layer packet 

– end-to-end encapsulation of data 

– useful when both endpoints are configured to use/manage IPsec 

• Tunnel mode 

– encapsulates all of the IP data over a new IP level packet 

– useful when the device applying IPsec to the packet is not the originating host, e.g., at a gateway 

– Also known as, “ip over ip” 

• IPsec provides the mechanism, you provide the policy

IPsec Processing

• Built on of ISAKMP framework 
• Two phase protocol used to establish parameters and keys for session

• ISAKMP keys 

– Phase 2: Establish a security association (SA) 

• SA keys used to process user traffic
• The details are unimaginably complex 
• The SA defines algorithms, keys, and policy used to secure the session

IPsec Implementation

•  User: ISAKMP framework 
• Kernel: IPsec processing

Authentication Header (AH)

• Authenticity and integrity

– via HMAC 

– over IP headers and and data

– it gets a little complicated with mutable fields, which are supposed to be altered by network as 

packet traverses the network 

– some fields a immutable, and are protected

• Confidentiality of data is not preserved 
• Replay protection via AH sequence numbers

– note that this replicates some features of TCP (good?)

Authentication Header (AH)

• Modifications to the packet format

IPsec Authentication

• SPI: (spy) identifies the security association for this packet

– Type of crypto checksum, how large it is, and how it is computed 

– Really the policy for the packe 

– Hash of packet contents include IP header as as specified by SPI 

– Treat transient fields (TTL, header checksum) as zero 

• Keyed MD5 Hash is default

Encapsulating Security Payload (ESP)

• Confidentiality, authenticity and integrity

– via encryption and HMAC 

– over IP payload (data)

– TCP packet is fully secured 

– simplifies processing

– good: better security, less is known about traffic 

– bad: impossible for FW to filter/traffic based on port

• Cost: can require many more resources than AH

Encapsulating Security Payload (ESP)

• Modifications to packet format

Is AH necessary?

Some argue that AH is subsumed by ESP 

– Header protection can be achieved by tunnel mode ESP 

– Protection of header has limited utility 

– e.g., filter on ports 

– exposes a lot of information

• In practice, the protocol AH is generally not used.

IPsec Tunnel Mode

• Encapsulate IP packet

Practical Issues and Limitations

• IPsec implementations

– Often not compatible (ungh.) 

– Large footprint

– Slow to adopt new technologies

– IPsec tries to be “everything for everybody at all times” 

– Policy infrastructure has not emerged 

 – Large-scale management tools are limited (e.g., CISCO) 

– Often not used securely (common pre-shared keys)

– E.g., a virtual security perimeter over physical network 

– Hosts work as if they are isolated from malicious hosts

– Create virtual network topology over physical network 

– Use communications security protocol suites to secure virtual links “tunneling” 

– Manage networks as if they are physically separate 

– Hosts can route traffic to regular networks (split-tunneling

VPN Example: RW/Telecommuter

VPN Example: Hub and Spoke

VPN Example: Mesh

Virtual LANs (VLANs)

• VPNs build with hardware 

– No encryption – none needed 

– “wire based isolation” 

– Switches increasingly support VLANs 

– Allows networks to be reorganized without rewiring 

– Each office is associated with department 

– Configuring the network switch gives physical isolation 

– Note: often used to ensure QoS