Review of IP
Security concerns at IP level
What can be done at IP level
IPSec architecture
How IPSec works
What is the role of IP?
TCP/IP layers
Protocols
Attacks
Security vulnerabilities
ISO Layers – TCP/IP Layers
ISO layers: Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP: IP at the Network layer; the Data Link layer is split into Logical Link Control (LLC) and Media Access Control (MAC)
Network Layer
The Network Layer provides the functional and procedural means of transferring variable-length data sequences from a source to a destination via one or more networks, while maintaining the quality of service requested by the Transport layer. It performs network routing functions and reports delivery errors. This is a logical addressing scheme: values are chosen by the network engineer. Routers operate at this layer, sending data throughout the extended network and making the Internet possible. The best-known example of a layer 3 protocol is the Internet Protocol (IP).
IPv4 Header
IP header details:
Version: 4 bits. Identifies the version of IP used to generate the datagram.
Internet Header Length (IHL): 4 bits. Specifies the length of the IP header.
Type Of Service (TOS): A field designed to carry information to provide quality of service features, such as prioritized delivery.
Total Length (TL): Specifies the total length of the IP datagram, in bytes.
Identification: This field contains a 16-bit value that is common to each of the fragments belonging to a particular message.
Flags: Three control flags, two of which are used to manage fragmentation and one is reserved.
Fragment Offset: When fragmentation of a message occurs, this field specifies the offset, or position, in the overall message where the data in this fragment goes.
Time To Live (TTL): Short version: specifies how long the datagram is allowed to "live" on the network, in terms of router hops.
Protocol: Identifies the higher layer protocol (generally a Transport layer protocol or an encapsulated Network layer protocol).
Header Checksum: A checksum computed over the header to provide basic protection against corruption in transmission.
Options: One or more of several types of options may be included after the standard headers in certain IP datagrams (how IP handles datagrams).
Padding: If one or more options are included, and the number of bits used for them is not a multiple of 32, enough zero bits are added to "pad out" the header to a multiple of 32 bits (4 bytes).
Internet Protocol Version 4 (IPv4) Datagram Format (figure)
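The field layout just described can be exercised directly. The following parser is an added example written for this page, not code from the slides: it decodes the fixed 20-byte header and any options, checks the length relationships (IHL against captured bytes, Total Length against header length), and verifies the Header Checksum using the Internet ones-complement sum. The sample datagram, addresses and identification value are constructed for the example; a router that changes the TTL must recompute the checksum, which is what the parser's checksum_ok flag detects when it has not been done.

```python
import struct
from dataclasses import dataclass

# Bits of the 3-bit Flags field; the high bit is reserved and must be zero.
FLAG_DF = 0x2  # Don't Fragment
FLAG_MF = 0x1  # More Fragments


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words (minimum 5)
    tos: int
    total_length: int     # datagram length in bytes, header included
    identification: int
    flags: int
    fragment_offset: int  # in units of 8 bytes
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str
    options: bytes        # options plus padding, present when IHL > 5
    checksum_ok: bool


def internet_checksum(data: bytes) -> int:
    """Ones-complement sum of 16-bit words, carries folded back in, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the fixed header, then any options, rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (vihl, tos, tl, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 datagram (version=%d)" % version)
    if ihl < 5:
        raise ValueError("IHL %d is below the minimum of 5 words" % ihl)
    hlen = ihl * 4
    if len(packet) < hlen:
        raise ValueError("IHL claims more header bytes than were captured")
    if tl < hlen:
        raise ValueError("Total Length is smaller than the header length")
    return IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=tl, identification=ident,
        flags=flags_frag >> 13, fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, checksum=csum,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        options=packet[20:hlen],
        # A header with a correct checksum sums to zero when the checksum field is included.
        checksum_ok=internet_checksum(packet[:hlen]) == 0,
    )


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ident: int = 0,
                      flags: int = 0, frag_offset: int = 0, ttl: int = 64, options: bytes = b"") -> bytes:
    """Assemble a header with a valid checksum; options are zero-padded to a 4-byte boundary."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len, ident,
                      (flags << 13) | frag_offset, ttl, protocol, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + options
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


# Constructed sample: an ICMP (protocol 1) datagram with Don't Fragment set and an 8-byte payload.
SAMPLE = build_ipv4_header("10.0.0.1", "10.0.0.2", 1, 8, ident=0x1C46, flags=FLAG_DF)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
```

The length checks matter in practice: an IHL larger than the captured data, or a Total Length shorter than the header, is how a decoder ends up reading past its buffer, so they are rejected before any field is trusted.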
Transport Layer
It provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. This layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. Some protocols are state- and connection-oriented. This means that the transport layer can keep track of the segments and retransmit those that fail. The best known examples are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
Handshake in TCP
SYN – synchronize request; ISN – initial sequence number; ACK – acknowledgement for the ISN
THREE-WAY CONNECTION (client and server):
Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. This is called an Active Open. The ISN is randomly generated. The field win 4096 shows the advertised window size of the sending station while the field <mss 1024> shows the receiving maximum segment size specified by the sender.
Segment 2 shows the server responding with a SYN segment of 181521 and ACKnowledging the client's ISN with ISN + 1. This is called a Passive Open.
Segment 3 shows the client responding by ACKnowledging the server's ISN with ISN + 1. Data can now be transmitted.
FOUR-WAY TERMINATION:
Segment 4 shows the client sending a FIN segment with an ACKnowledgement of the server's sequence number + 1. This is called an Active Close and will start closing one-half of the connection.
Segment 5 shows an ACKnowledgement of the client's sequence number + 1 and will complete the closing of this one-half of the connection.
Segment 6 shows the server sending a FIN segment with an ACKnowledgement of the client's sequence number + 1. This is called a Passive Close and starts the closure of this one-half of the connection.
Segment 7 shows the client ACKnowledging the server's sequence number + 1 and completing the closing of this one-half of the connection.
COMMON TCP PORT NUMBERS
Port  Application  Description
9     Discard      Discard all incoming data port
19    Chargen      Exchange streams of data port
20    FTP-Data     File transfer data port
21    FTP-CMD      File transfer command port
23    Telnet       Telnet remote login port
25    SMTP         Simple Mail Transfer Protocol port
79    Finger       Obtains information about active users
80    HTTP         Hypertext Transfer Protocol port
88    Kerberos     Authentication Protocol
110   POP3         PC Mail retrieval service port
119   NNTP         Network news access port
179   BGP          Border Gateway Protocol
513   Rlogin       Remote Login In
514   Rexec        Remote Execute
IP Vulnerabilities and Attacks
IP Spoofing
- host rename (LAN)
- DNS (Domain Name System) domain
- source routing
- TCP sequence number guessing / splicing
Session hijacking
Denial of service
- ICMP bombing, redirects, unreachable
- TCP SYN flooding
IP Vulnerabilities and Attacks
What kind of attacks can occur?
Interruption: Denial of Service?
Interception?
Replay?
Masquerading?
MITM?
Security at IP layer
Security at the IP layer is related to the layer's function of end-to-end datagram delivery. The security weaknesses are:
Authentication issues
Message replay
Message alteration
Message delay and denial
Etc.
Reasons
Authentication and confidentiality were not enforced at the IP level
The IP address in the IP header can be forged by opponents => cannot ensure that a received packet was transmitted by the party identified as the source in the packet header
Contents of a packet can be inspected when in transit
Old IP packets can be replayed
1.3 Security Attacks
Passive attacks: reveals what Bob is saying to Alice (figure)
Relatively hard to do in TCP
Active attacks:
IP source address spoofing – easy to do
Address Masquerading attack (e.g.) (figure)
Router a.b.c.g; NFS server x.y.z.100; authorized NFS client x.y.z.200 (shut down for maintenance); unauthorized NFS client x.y.z.201 masquerading as the authorised client: x.y.z.201 -> x.y.z.200
Relatively hard to do in TCP
TCP connection hijacking
"SYN FLOODING" – easy to do in TCP
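The handshake and four-way close from the TCP slide, and the half-open state a SYN flood exploits, can both be seen in one small connection tracker. This is an added example for this page, not code from the slides: it walks each (client, server) pair through SYN_SENT, SYN_RECEIVED, ESTABLISHED and the two half-closes, checking that every acknowledgement carries the peer's ISN + 1 as the slide describes, and reports how many connections per server are stuck in SYN_RECEIVED, which is the backlog a flood of unanswered SYNs fills. The addresses, the replay of the slide's seven segments and the flood sample are all constructed here; the tracker is a monitoring aid, not a TCP implementation.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# A segment is (src, dst, flags, seq, ack); flags is one of "SYN", "SYN-ACK", "ACK", "FIN-ACK".
Segment = Tuple[str, str, str, int, int]


class ConnectionTracker:
    """Follows each (client, server) pair through the three-way open and four-way close."""

    def __init__(self) -> None:
        self.state: Dict[Tuple[str, str], str] = {}
        self.isn: Dict[Tuple[str, str], Dict[str, int]] = {}
        self.errors: List[str] = []

    def process(self, seg: Segment) -> None:
        src, dst, flags, seq, ack = seg
        if flags == "SYN":                           # Active Open by the client
            self.state[(src, dst)] = "SYN_SENT"
            self.isn[(src, dst)] = {"client": seq}
            return
        key = (dst, src) if (dst, src) in self.state else (src, dst)
        if key not in self.state:
            self.errors.append("segment for unknown connection %s->%s" % (src, dst))
            return
        st, isn = self.state[key], self.isn[key]
        if flags == "SYN-ACK" and st == "SYN_SENT":  # Passive Open by the server
            if ack != isn["client"] + 1:
                self.errors.append("SYN-ACK does not acknowledge client ISN + 1")
            isn["server"] = seq
            self.state[key] = "SYN_RECEIVED"         # half-open until the client's ACK arrives
        elif flags == "ACK" and st == "SYN_RECEIVED":
            if ack != isn["server"] + 1:
                self.errors.append("ACK does not acknowledge server ISN + 1")
            else:
                self.state[key] = "ESTABLISHED"      # data can now be transmitted
        elif flags == "FIN-ACK" and st == "ESTABLISHED":
            self.state[key] = "FIN_WAIT"             # Active Close: first half starts closing
        elif flags == "ACK" and st == "FIN_WAIT":
            self.state[key] = "HALF_CLOSED"          # first half closed
        elif flags == "FIN-ACK" and st == "HALF_CLOSED":
            self.state[key] = "LAST_ACK"             # Passive Close: second half starts closing
        elif flags == "ACK" and st == "LAST_ACK":
            self.state[key] = "CLOSED"
        else:
            self.errors.append("unexpected %s in state %s" % (flags, st))

    def half_open_per_server(self) -> Dict[str, int]:
        """Connections stuck in SYN_RECEIVED: the backlog a SYN flood tries to exhaust."""
        counts: Dict[str, int] = defaultdict(int)
        for (_, server), st in self.state.items():
            if st == "SYN_RECEIVED":
                counts[server] += 1
        return dict(counts)


def run(segments: List[Segment]) -> ConnectionTracker:
    tracker = ConnectionTracker()
    for seg in segments:
        tracker.process(seg)
    return tracker


# The seven segments from the handshake slide (ISNs 141521 and 181521), with constructed addresses.
C, S = "10.0.0.1", "10.0.0.5"
HANDSHAKE: List[Segment] = [
    (C, S, "SYN",     141521, 0),       # 1: Active Open
    (S, C, "SYN-ACK", 181521, 141522),  # 2: Passive Open, acknowledges client ISN + 1
    (C, S, "ACK",     141522, 181522),  # 3: acknowledges server ISN + 1
    (C, S, "FIN-ACK", 141522, 181522),  # 4: Active Close
    (S, C, "ACK",     181522, 141523),  # 5: closes the client's half
    (S, C, "FIN-ACK", 181522, 141523),  # 6: Passive Close
    (C, S, "ACK",     141523, 181523),  # 7: closes the server's half
]


def constructed_syn_backlog(server: str = S, n: int = 50) -> List[Segment]:
    """Constructed flood sample: n SYNs from different sources, SYN-ACKs sent, final ACKs never arrive."""
    segs: List[Segment] = []
    for i in range(n):
        client = "203.0.113.%d" % (i + 1)
        segs.append((client, server, "SYN", 1000 + i, 0))
        segs.append((server, client, "SYN-ACK", 5000 + i, 1001 + i))
    return segs
```

A rising half_open_per_server count with no matching ESTABLISHED transitions is the signal a defender watches for; the ISN + 1 checks are also why sequence number guessing is the hard part of hijacking a TCP session from outside the path.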
ICMP ECHO Request Attack (e.g.) Ping o' Death Attack
ICMP is a user of IP, and is utilized to report network errors. PING (Packet InterNet Grouper) utilizes ICMP Echo and Reply packets to test host reachability. ICMP messages normally consist of the IP Header and enclosed ICMP data with a default size of 64 bytes. If the Hacker sends an ICMP Echo request that is greater than 65,536 this can freeze, crash or reboot the system. A newer attack method modifies the header to indicate that there is more data in the packet than there actually is.
Countermeasure
Router updates that check the size of the ICMP packet.
Block PING (ICMP) traffic at the Firewall.
ICMP ECHO Flooding (e.g.) SMURF Attack
The Hacker sends an ICMP Echo request to the target network with a destination broadcast address and a spoofed source address of the target. The network serves as a "bounce site" and returns an Echo Reply for each station on the network. The network serves to multiply the effect of the "ping". The Echo Request could be sent to multiple networks.
Countermeasures:
Disable IP-directed broadcasts at your router.
Configure the workstation to not respond to an IP broadcast packet.
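The three attacks above (the masqueraded NFS client, the Ping of Death and the Smurf broadcast) share a property a border device can check for: a source address that cannot be genuine on the interface it arrived on, a fragment whose offset places its end beyond the largest datagram IP can carry, or an Echo Request aimed at a directed-broadcast address. The classifier below is an added example written for this page, not code from the slides; the site layout (10.0.0.0/8 as the internal range, two local /24 subnets, eth0 as the external interface) and the packet records are constructed assumptions, and the records carry no IP options so a 20-byte header is assumed.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed site layout for this example.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
LOCAL_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")]
EXTERNAL_IFACE = "eth0"              # the Internet-facing interface
PROTO_ICMP, ICMP_ECHO_REQUEST = 1, 8
MAX_DATAGRAM = 65535                 # largest value the 16-bit Total Length field can express
IHL_BYTES = 20                       # the sample packets carry no IP options


def classify(pkt: Dict) -> List[str]:
    """Return the names of the checks a single packet record trips."""
    alerts: List[str] = []
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    # 1. Ingress anti-spoofing: a packet claiming an internal source cannot legitimately
    #    arrive on the external interface (this also catches the masqueraded NFS client).
    if pkt["iface"] == EXTERNAL_IFACE and src in INTERNAL_NET:
        alerts.append("spoofed-internal-source")
    if pkt["proto"] == PROTO_ICMP:
        # 2. Ping of Death: the fragment's end, once reassembled, would exceed the maximum
        #    datagram size, so the receiver's reassembly buffer would be overrun.
        payload_len = pkt["total_length"] - IHL_BYTES
        if IHL_BYTES + pkt.get("frag_offset", 0) * 8 + payload_len > MAX_DATAGRAM:
            alerts.append("oversized-datagram")
        # 3. Smurf: an Echo Request aimed at the directed-broadcast address of a local subnet.
        if pkt.get("icmp_type") == ICMP_ECHO_REQUEST and any(
                dst == net.broadcast_address for net in LOCAL_SUBNETS):
            alerts.append("echo-to-broadcast")
    return alerts


def scan(packets: List[Dict]) -> Dict[str, int]:
    """Tally alerts over a batch of packet records, e.g. one capture window."""
    counts: Counter = Counter()
    for pkt in packets:
        counts.update(classify(pkt))
    return dict(counts)


# Constructed packet records, in the shape a capture tool might summarise them.
SAMPLE_PACKETS = [
    # ordinary ping from the Internet to an internal host
    {"iface": "eth0", "src": "198.51.100.7", "dst": "10.0.1.20", "proto": 1,
     "icmp_type": 8, "total_length": 84, "frag_offset": 0},
    # TCP packet arriving from outside but claiming the authorised client's internal address
    {"iface": "eth0", "src": "10.0.0.200", "dst": "10.0.0.100", "proto": 6, "total_length": 60},
    # later fragment of an ICMP datagram whose offset places its end past 65535 bytes
    {"iface": "eth0", "src": "198.51.100.7", "dst": "10.0.1.20", "proto": 1,
     "total_length": 1500, "frag_offset": 8100},
    # Echo Request to the subnet broadcast with the victim's own internal address as source
    {"iface": "eth0", "src": "10.0.1.20", "dst": "10.0.1.255", "proto": 1,
     "icmp_type": 8, "total_length": 84, "frag_offset": 0},
]
```

The oversized check works on each fragment independently, which is deliberate: only the first fragment carries the ICMP type, so a reassembly-size check that waited for the type would miss the later fragments that actually breach the limit.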
Why look for security at IP level?
It is below the Transport Layer => no need to change software at the Application Layer
It is transparent to users => no need to train users
Can be used to enhance security when used with higher-level applications
Can provide better security for communications via untrusted networks
Can enhance security of firewalls
What can be done to improve IP security?
Authentication: Allows the receiver to validate the identity of a sender, client process or server process
Integrity: Provides assurance to the receiver that the transmitted data has not been changed
Confidentiality: Preventing the unwanted disclosure of information during transmission
TCP/IP & Possible Security Enhancement
Application: Kerberos, PGP, ...
SSL, SHTTP, S/MIME, TLS
Transport (TCP, UDP)
Network (IP): IPSec
Data Link
Physical
IPSec: Security Association (SA)
An SA is a contract between two nodes on keys, algorithms, etc. It forms the basis for IPSec operations.
There are protocols for negotiating about keys: IKE (Internet Key Exchange), ISAKMP (Internet Security Association and Key Management Protocol). ISAKMP typically utilizes IKE for key exchange.
Security Associations (SA)
A one-way relationship between a sender and a receiver.
Identified by three parameters:
Security Parameter Index (SPI)
IP Destination address
Security Protocol Identifier
IPSec Architecture (figure, borrowed from Stallings)
IPSec Architecture
Authentication Header (AH): AH makes it possible to authenticate the sender of IP packets; guarantees connectionless integrity and data origin authentication of IP packets; determines the authentication algorithm to be used
Encapsulating Security Payload (ESP): ESP makes it possible to authenticate the sender and ensure confidentiality; determines the encryption algorithm to be used
Policy: determines if two entities will be able to communicate with each other
DOI (Domain of Interpretation): Contains identifiers for approved encryption and authentication algorithms, key lifetime parameters, etc.
Key management: involves the determination and distribution of secret keys
How does IPSec work?
Authentication is done by using a Secure Hash Algorithm (or Message Digest – MD5) to generate authentication data that is inserted into the AH.
Encryption is done using some encryption algorithm (3DES, IDEA, etc.) to generate cipher text that is inserted into the Payload Data field of the ESP (Encapsulating Security Payload).
How does IPSec work? (e.g.)
An application on computer A generates outbound packets to send to computer B
IPSec A checks if the packets need to be secured
If the packets need to be secured, then A begins security negotiation with B using either IKE (Internet Key Exchange Protocol) or ISAKMP (Internet Security Association and Key Management Protocol)
The negotiation establishes two SAs with specific security methods and keys
IPSec A signs the outgoing packets for integrity (generates AH), and optionally encrypts them (generates ESP), then transmits the secured packets to B
IPSec B checks the packets for integrity and decrypts their contents if necessary
IP Security Scenario (figure)
IPSec modes
Transport mode: is typically used in peer-to-peer communications, especially for internal networks; the data packet is encrypted but the IP header is not.
Tunnel mode: is used for remote access and site-to-site security; the entire packet (header & payload) is encrypted.
Transport Mode SA vs Tunnel Mode SA
AH
  Transport mode SA: Authenticates IP payload and selected portions of IP header and IPv6 extension headers
  Tunnel mode SA: Authenticates entire inner IP packet plus selected portions of outer IP header
ESP
  Transport mode SA: Encrypts IP payload and any IPv6 extension header
  Tunnel mode SA: Encrypts inner IP packet (data + header)
ESP with authentication
  Transport mode SA: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but no IP header
  Tunnel mode SA: Encrypts inner IP packet. Authenticates inner IP packet
IPSec Applications
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
IPSec Details
IPSec can be used with IPv4 or IPv6
IPSec is a set of protocols
It provides a set of security algorithms plus a general framework that allows parties to use appropriate algorithms
Encryption and Authentication Algorithms
Encryption: Three-key triple DES, RC5, IDEA, Three-key triple IDEA, CAST, Blowfish
Authentication: HMAC-MD5-96, HMAC-SHA-1-96
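The pieces named in the last few slides (an SA looked up by SPI, destination address and security protocol; authentication data computed by a keyed hash and placed in the AH; the -96 suffix of HMAC-SHA-1-96 meaning the MAC is truncated to 96 bits) fit together in inbound AH processing for transport mode. The code below is an added example written for this page, not code from the slides or from any IPSec implementation: it keeps a small SA database, builds an AH packet with the ICV computed over the IP header (mutable fields zeroed), the AH header and the payload, then verifies it, including a basic anti-replay check on the sequence number. The key, SPI, addresses and ICMP payload are constructed, the IP header checksum is left at zero since the ICV excludes it anyway, and IP options are assumed absent.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

AH_PROTO = 51   # IP Protocol number of the Authentication Header
ICV_LEN = 12    # HMAC-MD5-96 and HMAC-SHA-1-96 keep the first 96 bits of the MAC


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int                 # security protocol identifier (51 = AH)
    auth_alg: str              # "HMAC-SHA-1-96" or "HMAC-MD5-96"
    key: bytes
    replay_window: int = 64
    highest_seq: int = 0
    seen: Set[int] = field(default_factory=set)

    def icv(self, data: bytes) -> bytes:
        digest = hashlib.sha1 if self.auth_alg == "HMAC-SHA-1-96" else hashlib.md5
        return hmac.new(self.key, data, digest).digest()[:ICV_LEN]


# The SA database, keyed by the three parameters the slide names.
SADB: Dict[Tuple[int, str, int], SecurityAssociation] = {}


def add_sa(sa: SecurityAssociation) -> None:
    SADB[(sa.spi, sa.dst, sa.proto)] = sa


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """AH authenticates the IP header with the fields that change in transit set to zero."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # Header Checksum
    return bytes(h)


def build_ah_packet(sa: SecurityAssociation, ip_header: bytes, payload: bytes,
                    next_header: int, seq: int) -> bytes:
    """Transport mode: IP header | AH (next hdr, len, reserved, SPI, seq, ICV) | payload."""
    ah_fixed = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, sa.spi, seq)
    icv = sa.icv(zero_mutable_fields(ip_header) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip_header + ah_fixed + icv + payload


def verify_ah_packet(packet: bytes) -> Tuple[bool, str]:
    """Inbound processing: SA lookup, ICV check, then anti-replay on the sequence number."""
    ip_header, rest = packet[:20], packet[20:]        # example assumes no IP options
    if ip_header[9] != AH_PROTO:
        return False, "not AH"
    dst = ".".join(map(str, ip_header[16:20]))
    _next, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    sa = SADB.get((spi, dst, AH_PROTO))
    if sa is None:
        return False, "no SA for (SPI, destination, protocol)"
    expected = sa.icv(zero_mutable_fields(ip_header) + rest[:12] + b"\x00" * len(icv) + payload)
    if not hmac.compare_digest(icv, expected):
        return False, "ICV mismatch"
    if seq in sa.seen or seq + sa.replay_window <= sa.highest_seq:
        return False, "replayed or stale sequence number"
    sa.seen.add(seq)
    sa.highest_seq = max(sa.highest_seq, seq)
    sa.seen = {s for s in sa.seen if s + sa.replay_window > sa.highest_seq}  # slide the window
    return True, "ok"


def make_ip_header(src: str, dst: str, total_length: int, ttl: int = 64) -> bytes:
    """Constructed minimal IPv4 header with Protocol = AH (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, ttl, AH_PROTO, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def demo() -> Dict[str, Tuple[bool, str]]:
    add_sa(SecurityAssociation(0x1000, "10.0.0.2", AH_PROTO, "HMAC-SHA-1-96", b"constructed-example-key"))
    sa = SADB[(0x1000, "10.0.0.2", AH_PROTO)]
    payload = b"\x08\x00" + b"\x00" * 6 + b"constructed echo data"   # ICMP Echo Request body
    hdr = make_ip_header("10.0.0.1", "10.0.0.2", 20 + 12 + ICV_LEN + len(payload))
    pkt = build_ah_packet(sa, hdr, payload, next_header=1, seq=1)
    after_hop = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]       # a router decremented the TTL
    results = {"fresh_after_hop": verify_ah_packet(after_hop)}
    results["replay"] = verify_ah_packet(after_hop)           # same sequence number again
    pkt2 = build_ah_packet(sa, hdr, payload, next_header=1, seq=2)
    results["tampered"] = verify_ah_packet(pkt2[:-1] + bytes([pkt2[-1] ^ 0x01]))
    pkt3 = build_ah_packet(sa, hdr, payload, next_header=1, seq=3)
    results["unknown_sa"] = verify_ah_packet(pkt3[:16] + bytes([10, 0, 0, 3]) + pkt3[20:])
    return results
```

Two details carry the security weight: the ICV is compared with hmac.compare_digest rather than == so that timing does not leak how many bytes matched, and the sequence number is checked only after the ICV passes, so an unauthenticated packet can never advance the replay window.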
Authentication with AH: before applying AH (figure, borrowed from Stallings)
Authentication with AH: after applying AH, transport mode (figure, borrowed from Stallings)
Authentication with AH: after applying AH, tunnel mode (figure, borrowed from Stallings)
ESP Encryption and Authentication (figures)
Advantages of IPSec
IPSec is the most general way to provide security services to the Internet with fewer constraints
Higher-level security services are less general and protect some single protocol (e.g. PGP protects mail)
Lower-level services protect a single medium (e.g. a pair of encryption chips on the end of a line)
IPSec can, in general, protect any medium used below the IP level and any protocol running above the IP level
Benefits of IPSec
Enable business to rely heavily on the Internet and reduce its need for private networks => saving costs & network management
Provide secure network access over the Internet: an end-user whose system is equipped with IPSec can make a local call to an ISP and gain secure access to her/his company
Provide secure communications between organisations by ensuring authentication and confidentiality
IPSec can be used to create secure tunnels through untrusted networks (especially the Internet)
Sites connected by these tunnels form Virtual Private Networks (VPN)
Benefits of IPSec
Packet authentication makes various attacks harder: address masquerading, address spoofing, replay
IPSec tunnels can be very useful for secure remote administration
In a non-end-to-end service, IPSec can ensure that messages between a pair or a group of sites are encrypted