SlideShare a Scribd company logo

BAIT1103 Chapter 6

L
limsh
Education
1 of 31
Chapter 9 IP Security “If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.” —The Art of War, Sun Tzu
objectives • Present an overview of IP security (IPsec). • Understand the concept of security association. • Explain the difference between transport mode and tunnel mode. • Discuss the alternatives for combining security associations. • Present an overview of Internet Key Exchange.
IP Security Overview • RFC 1636 • “Security in the Internet Architecture” • Issued in 1994 by the Internet Architecture Board (IAB) • Identifies key areas for security mechanisms • Need to secure the network infrastructure from unauthorized monitoring and control of network traffic • Need to secure end-user-to-end-user traffic using authentication and encryption mechanisms • IAB included authentication and encryption as necessary security features in the next generation IP (IPv6) • The IPsec specification now exists as a set of Internet standards
• IPsec provides the capability to secure communications across a LAN, private and public WANs, and the Internet • Principal feature of IPsec is that it can encrypt and/or authenticate all traffic at the IP level • Thus all distributed applications (remote logon, client/server, email, file transfer, Web access) can be secured
Applications of IPsec Examples of IPsec applications include: • Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. • Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. • Establishing extranet and intranet connectivity with partners: IPsec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. • Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPsec enhances that security. IPsec guarantees that all traffic designated by the network administrator is both encrypted and authenticated, adding an additional layer of security to whatever is provided at the application layer.
Benefits of IPSec • Some of the benefits of IPsec: • When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter • Traffic within a company or workgroup does not incur the overhead of securityrelated processing • IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization • IPsec is below the transport layer (TCP, UDP) and so is transparent to applications • There is no need to change software on a user or server system when IPsec is implemented in the firewall or router • IPsec can be transparent to end users • There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization • IPsec can provide security for individual users if needed • This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications
Routing Applications • IPsec can play a vital role in the routing architecture required for internetworking IPsec can assure that: A router advertisement comes from an authorized router A router seeking to establish or maintain a neighbor relationship with a router in another routing domain is an authorized router A redirect message comes from the router to which the initial IP packet was sent A routing update is not forged
Confidentiality Encapsulating Security Payload (ESP) • Consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication • The current specification is RFC 4303, IP Encapsulating Security Payload (ESP) Internet Key Exchange (IKE) • A collection of documents describing the key management schemes for use with IPsec • The main specification is RFC 5996, Internet Key Exchange (IKEv2) Protocol, but there are a number of related RFCs Key Management Authentication Authentication Header (AH) • An extension header to provide message authentication • The current specification is RFC 4302, IP Authentication Header Architecture • Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology • The current specification is RFC4301, Security Architecture for the Internet Protocol IPsec Documents Cryptographic algorithms • This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange Other • There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content
IPsec Services • IPsec provides security services at the IP layer by enabling a system to: • Select required security protocols • Determine the algorithm(s) to use for the service(s) • Put in place any cryptographic keys required to provide the requested services • RFC 4301 lists the following services: • • • • • • Access control Connectionless integrity Data origin authentication Rejection of replayed packets (a form of partial sequence integrity) Confidentiality (encryption) Limited traffic flow confidentiality
IPSec Services Authentication Header Encapsulating Security Payload
Security Association (SA) • A one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it • In any IP packet, the SA is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP) Uniquely identified by three parameters: Security Parameters Index (SPI) • A 32-bit unsigned integer assigned to this SA and having local significance only Security protocol identifier • Indicates whether the association is an AH or ESP security association IP Destination Address • Address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router
Transport and Tunnel Modes Transport Mode • Provides protection primarily for upper-layer protocols • Examples include a TCP or UDP segment or an ICMP packet • Typically used for end-to-end communication between two hosts • ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header • AH in transport mode authenticates the IP payload and selected portions of the IP header Both AH and ESP support two modes of use: transport and tunnel mode. Tunnel Mode • Provides protection to the entire IP packet • Used when one or both ends of a security association (SA) are a security gateway • A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec • ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header • AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header
Transport and Tunnel Mode Protocols
Tunnel Mode and Transport Mode Functionality
Authentication header (ah) • Provides support for data integrity and authentication (MAC code) of IP packets. • Guards against replay attacks.
Before Applying AH
Transport Mode (AH Authentication) Tunnel Mode (AH Authentication)
Encapsulating security payload (ESP) • ESP provides confidentiality services. • Encryption: • • • • • • Three-key triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish • Authentication: • HMAC-MD5-96 • HMAC-SHA-1-96
Transport Mode (ESP Encryption & Authentication) Tunnel Mode (ESP Encryption & Authentication)
End-to-end vs end-to-intermediate authentication Transport Mode SA Transport Mode SA Tunnel Mode SA
Combining Security Associations • An individual SA can implement either the AH or ESP protocol but not both • Security association bundle • Refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPsec services • The SAs in a bundle may terminate at different endpoints or at the same endpoint • May be combined into bundles in two ways: Transport adjacency • Refers to applying more than one security protocol to the same IP packet without invoking tunneling • This approach allows for only one level of combination Iterated tunneling • Refers to the application of multiple layers of security protocols effected through IP tunneling • This approach allows for multiple levels of nesting
Combining Security Associations Possible combinations: a) AH in transport mode. b) ESP in transport mode. c) ESP followed by AH in transport mode. (ESP SA inside AH SA) d) Any a,b or c inside AH or ESP in tunnel mode.
Combining Security Associations • Security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPsec. • Simple VPN support • Tunnel could support AH, ESP or ESP with authentication option
Combining Security Associations • • • • Combination of case 1 and case 2 The gateway-to-gateway tunnel provides either authentication, confidentiality, or both for all traffic between end systems. When gateway-to-gateway tunnel is ESP, it also provides limited form of traffic confidentiality. Individual hosts can implement any additional IPsec services required for given applications or given users by means of end-to-end SAs.
Combining Security Associations • Combination of case 1 and case 2 • Provides support for a remote host that uses the Internet to reach an organization’s firewall and then to gain access to some server or workstation behind the firewall. • Only tunnel mode is required between the remote host and the firewall.
Internet Key Exchange The IPsec Architecture document mandates • The key management support for two types of key management: portion of IPsec • A system administrator involves the manually configures each determination and system with its own keys and distribution of secret with the keys of other communicating systems keys • This is practical for small, • A typical requirement is four keys for communication between two applications • Transmit and receive pairs for both integrity and confidentiality relatively static environments Manual Automated • Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration
ISAKMP/Oakley • The default automated key management protocol of IPsec • Consists of: • Oakley Key Determination Protocol • A key exchange protocol based on the Diffie-Hellman algorithm but providing added security • Generic in that it does not dictate specific formats • Internet Security Association and Key Management Protocol (ISAKMP) • Provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes • Consists of a set of message types that enable the use of a variety of key exchange algorithms
ISAKMP/Oakley • ISAKMP does not dictate a specific key exchange algorithm; rather ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms. • Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP. • Three authentication methods can be used with Oakley: • Digital signatures • Public-key encryption • Symmetric-key encryption
Summary • IP security overview • • • • • • • Applications of IPsec Benefits of IPsec Routing applications IPsec documents IPsec services Security associations Transport and tunnel modes • Authentication Header (AH) • Encapsulating Security Payload (ESP) • Combining security associations • Authentication plus confidentiality • Basic combinations of security associations • Internet key exchange • ISAKMP/Oakley • IKE Formats

Recommended

S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
IP Security
IP SecurityIP Security
IP SecurityAmbo University
 
AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption StandardPrince Rachit
 
Message digest 5
Message digest 5Message digest 5
Message digest 5Tirthika Bandi
 
Email security
Email securityEmail security
Email securityIndrajit Sreemany
 
PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIMESou Jana
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 

Recommended

S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
IP Security
IP SecurityIP Security
IP SecurityAmbo University
 
AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption StandardPrince Rachit
 
Message digest 5
Message digest 5Message digest 5
Message digest 5Tirthika Bandi
 
Email security
Email securityEmail security
Email securityIndrajit Sreemany
 
PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIMESou Jana
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
MD-5 : Algorithm
MD-5 : AlgorithmMD-5 : Algorithm
MD-5 : AlgorithmSahil Kureel
 
kerberos
kerberoskerberos
kerberossameer farooq
 
Secure Hash Algorithm
Secure Hash AlgorithmSecure Hash Algorithm
Secure Hash AlgorithmVishakha Agarwal
 
Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocolasimnawaz54
 
Principles of public key cryptography and its Uses
Principles of public key cryptography and its UsesPrinciples of public key cryptography and its Uses
Principles of public key cryptography and its UsesMohsin Ali
 
Aes
AesAes
AesMuhammad Asif
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5koolkampus
 
Hash Function
Hash FunctionHash Function
Hash FunctionSiddharth Srivastava
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Email security
Email securityEmail security
Email securityBaliram Yadav
 
Key management
Key managementKey management
Key managementSujata Regoti
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Web Security
Web SecurityWeb Security
Web SecurityDr.Florence Dayana
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
Multicast Routing Protocols
Multicast Routing ProtocolsMulticast Routing Protocols
Multicast Routing ProtocolsRam Dutt Shukla
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication ApplicationVidulatiwari
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security ApplicationsHatem Mahmoud
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security ArchitectureBharathiKrishna6
 
Kerberos
KerberosKerberos
KerberosRahul Pundir
 
IP Security
IP SecurityIP Security
IP SecurityDr.Florence Dayana
 
IP SEC.ptx
IP SEC.ptxIP SEC.ptx
IP SEC.ptxMamoonKhan40
 

More Related Content

What's hot

Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocolasimnawaz54
 
Principles of public key cryptography and its Uses
Principles of public key cryptography and its UsesPrinciples of public key cryptography and its Uses
Principles of public key cryptography and its UsesMohsin Ali
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5koolkampus
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Multicast Routing Protocols
Multicast Routing ProtocolsMulticast Routing Protocols
Multicast Routing ProtocolsRam Dutt Shukla
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication ApplicationVidulatiwari
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security ApplicationsHatem Mahmoud
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security ArchitectureBharathiKrishna6
 

What's hot (20)

MD-5 : Algorithm
MD-5 : AlgorithmMD-5 : Algorithm
MD-5 : Algorithm
 
kerberos
kerberoskerberos
kerberos
 
Secure Hash Algorithm
Secure Hash AlgorithmSecure Hash Algorithm
Secure Hash Algorithm
 
Internet control message protocol
Internet control message protocolInternet control message protocol
Internet control message protocol
 
Principles of public key cryptography and its Uses
Principles of public key cryptography and its UsesPrinciples of public key cryptography and its Uses
Principles of public key cryptography and its Uses
 
Aes
AesAes
Aes
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distribution
 
Email security
Email securityEmail security
Email security
 
Key management
Key managementKey management
Key management
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Web Security
Web SecurityWeb Security
Web Security
 
Ip security
Ip security Ip security
Ip security
 
Ip security
Ip security Ip security
Ip security
 
Multicast Routing Protocols
Multicast Routing ProtocolsMulticast Routing Protocols
Multicast Routing Protocols
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication Application
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security Applications
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
 
Kerberos
KerberosKerberos
Kerberos
 

Similar to BAIT1103 Chapter 6

Network Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarNetwork Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarDr. Shivashankar
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Chapter 6 (1).ppt
Chapter 6 (1).pptChapter 6 (1).ppt
Chapter 6 (1).pptDivyaSek
 
Module 8 - Ccna - Pre.pptx
Module 8 - Ccna - Pre.pptxModule 8 - Ccna - Pre.pptx
Module 8 - Ccna - Pre.pptxAliMohamed855266
 
IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfsolimankellymattwe60
 
ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.pptDEEPAK948083
 
The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securityPriyadharshiniVS
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation KishoreTs3
 
[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docxhanneloremccaffery
 

Similar to BAIT1103 Chapter 6 (20)

IP Security
IP SecurityIP Security
IP Security
 
IP SEC.ptx
IP SEC.ptxIP SEC.ptx
IP SEC.ptx
 
Network Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarNetwork Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. Shivashankar
 
IS Unit-4 .ppt
IS Unit-4 .pptIS Unit-4 .ppt
IS Unit-4 .ppt
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Ip sec
Ip secIp sec
Ip sec
 
Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8
 
Chapter 6.ppt
Chapter 6.pptChapter 6.ppt
Chapter 6.ppt
 
Chapter 6 (1).ppt
Chapter 6 (1).pptChapter 6 (1).ppt
Chapter 6 (1).ppt
 
Chapter 6 (1).ppt
Chapter 6 (1).pptChapter 6 (1).ppt
Chapter 6 (1).ppt
 
Module 8 - Ccna - Pre.pptx
Module 8 - Ccna - Pre.pptxModule 8 - Ccna - Pre.pptx
Module 8 - Ccna - Pre.pptx
 
IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdf
 
ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.ppt
 
The Security layer
The Security layerThe Security layer
The Security layer
 
Lec 9.pptx
Lec 9.pptxLec 9.pptx
Lec 9.pptx
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Ip sec
Ip secIp sec
Ip sec
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation
 
[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx[removed]Cryptography and Network Security Principles a.docx
[removed]Cryptography and Network Security Principles a.docx
 

More from limsh

BAIT2164 Topics for Revision
BAIT2164 Topics for RevisionBAIT2164 Topics for Revision
BAIT2164 Topics for Revisionlimsh
 
BAIT2164 Tutorial 9
BAIT2164 Tutorial 9BAIT2164 Tutorial 9
BAIT2164 Tutorial 9limsh
 
BAIT2164 Tutorial 8
BAIT2164 Tutorial 8BAIT2164 Tutorial 8
BAIT2164 Tutorial 8limsh
 
BAIT2164 Tutorial 6 (Part 2)
BAIT2164 Tutorial 6 (Part 2)BAIT2164 Tutorial 6 (Part 2)
BAIT2164 Tutorial 6 (Part 2)limsh
 
BAIT2164 Tutorial 6 (Part 1)
BAIT2164 Tutorial 6 (Part 1)BAIT2164 Tutorial 6 (Part 1)
BAIT2164 Tutorial 6 (Part 1)limsh
 
BAIT2164 Tutorial 5
BAIT2164 Tutorial 5BAIT2164 Tutorial 5
BAIT2164 Tutorial 5limsh
 
BAIT2164 Tutorial 4
BAIT2164 Tutorial 4BAIT2164 Tutorial 4
BAIT2164 Tutorial 4limsh
 
BAIT2164 Tutorial 3
BAIT2164 Tutorial 3BAIT2164 Tutorial 3
BAIT2164 Tutorial 3limsh
 
BAIT2164 Tutorial 2
BAIT2164 Tutorial 2BAIT2164 Tutorial 2
BAIT2164 Tutorial 2limsh
 
BAIT2164 Tutorial 1
BAIT2164 Tutorial 1BAIT2164 Tutorial 1
BAIT2164 Tutorial 1limsh
 
BAIT1103 Assignment Presentation
BAIT1103 Assignment PresentationBAIT1103 Assignment Presentation
BAIT1103 Assignment Presentationlimsh
 
BAIT1103 Tutorial 8
BAIT1103 Tutorial 8BAIT1103 Tutorial 8
BAIT1103 Tutorial 8limsh
 
BAIT1103 Chapter 8
BAIT1103 Chapter 8BAIT1103 Chapter 8
BAIT1103 Chapter 8limsh
 
BAIT1103 Tutorial 7
BAIT1103 Tutorial 7BAIT1103 Tutorial 7
BAIT1103 Tutorial 7limsh
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7limsh
 
BAIT1103 Tutorial 6
BAIT1103 Tutorial 6BAIT1103 Tutorial 6
BAIT1103 Tutorial 6limsh
 
BAIT1103 Tutorial 5
BAIT1103 Tutorial 5BAIT1103 Tutorial 5
BAIT1103 Tutorial 5limsh
 
BAIT1103 Chapter 5
BAIT1103 Chapter 5BAIT1103 Chapter 5
BAIT1103 Chapter 5limsh
 
BAIT1103 Tutorial 4
BAIT1103 Tutorial 4BAIT1103 Tutorial 4
BAIT1103 Tutorial 4limsh
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4limsh
 

More from limsh (20)

BAIT2164 Topics for Revision
BAIT2164 Topics for RevisionBAIT2164 Topics for Revision
BAIT2164 Topics for Revision
 
BAIT2164 Tutorial 9
BAIT2164 Tutorial 9BAIT2164 Tutorial 9
BAIT2164 Tutorial 9
 
BAIT2164 Tutorial 8
BAIT2164 Tutorial 8BAIT2164 Tutorial 8
BAIT2164 Tutorial 8
 
BAIT2164 Tutorial 6 (Part 2)
BAIT2164 Tutorial 6 (Part 2)BAIT2164 Tutorial 6 (Part 2)
BAIT2164 Tutorial 6 (Part 2)
 
BAIT2164 Tutorial 6 (Part 1)
BAIT2164 Tutorial 6 (Part 1)BAIT2164 Tutorial 6 (Part 1)
BAIT2164 Tutorial 6 (Part 1)
 
BAIT2164 Tutorial 5
BAIT2164 Tutorial 5BAIT2164 Tutorial 5
BAIT2164 Tutorial 5
 
BAIT2164 Tutorial 4
BAIT2164 Tutorial 4BAIT2164 Tutorial 4
BAIT2164 Tutorial 4
 
BAIT2164 Tutorial 3
BAIT2164 Tutorial 3BAIT2164 Tutorial 3
BAIT2164 Tutorial 3
 
BAIT2164 Tutorial 2
BAIT2164 Tutorial 2BAIT2164 Tutorial 2
BAIT2164 Tutorial 2
 
BAIT2164 Tutorial 1
BAIT2164 Tutorial 1BAIT2164 Tutorial 1
BAIT2164 Tutorial 1
 
BAIT1103 Assignment Presentation
BAIT1103 Assignment PresentationBAIT1103 Assignment Presentation
BAIT1103 Assignment Presentation
 
BAIT1103 Tutorial 8
BAIT1103 Tutorial 8BAIT1103 Tutorial 8
BAIT1103 Tutorial 8
 
BAIT1103 Chapter 8
BAIT1103 Chapter 8BAIT1103 Chapter 8
BAIT1103 Chapter 8
 
BAIT1103 Tutorial 7
BAIT1103 Tutorial 7BAIT1103 Tutorial 7
BAIT1103 Tutorial 7
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7
 
BAIT1103 Tutorial 6
BAIT1103 Tutorial 6BAIT1103 Tutorial 6
BAIT1103 Tutorial 6
 
BAIT1103 Tutorial 5
BAIT1103 Tutorial 5BAIT1103 Tutorial 5
BAIT1103 Tutorial 5
 
BAIT1103 Chapter 5
BAIT1103 Chapter 5BAIT1103 Chapter 5
BAIT1103 Chapter 5
 
BAIT1103 Tutorial 4
BAIT1103 Tutorial 4BAIT1103 Tutorial 4
BAIT1103 Tutorial 4
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 

Recently uploaded

The Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsThe Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsRommel Regala
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataBabyAnnMotar
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operationalssuser3e220a
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 

Recently uploaded (20)

Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
The Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsThe Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World Politics
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped data
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operational
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 

BAIT1103 Chapter 6

  • 1. Chapter 9 IP Security “If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.” —The Art of War, Sun Tzu
  • 2. objectives • Present an overview of IP security (IPsec). • Understand the concept of security association. • Explain the difference between transport mode and tunnel mode. • Discuss the alternatives for combining security associations. • Present an overview of Internet Key Exchange.
  • 3. IP Security Overview • RFC 1636 • “Security in the Internet Architecture” • Issued in 1994 by the Internet Architecture Board (IAB) • Identifies key areas for security mechanisms • Need to secure the network infrastructure from unauthorized monitoring and control of network traffic • Need to secure end-user-to-end-user traffic using authentication and encryption mechanisms • IAB included authentication and encryption as necessary security features in the next generation IP (IPv6) • The IPsec specification now exists as a set of Internet standards
  • 4. • IPsec provides the capability to secure communications across a LAN, private and public WANs, and the Internet • Principal feature of IPsec is that it can encrypt and/or authenticate all traffic at the IP level • Thus all distributed applications (remote logon, client/server, email, file transfer, Web access) can be secured
  • 5. Applications of IPsec Examples of IPsec applications include: • Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. • Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. • Establishing extranet and intranet connectivity with partners: IPsec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. • Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPsec enhances that security. IPsec guarantees that all traffic designated by the network administrator is both encrypted and authenticated, adding an additional layer of security to whatever is provided at the application layer.
  • 6. Benefits of IPSec • Some of the benefits of IPsec: • When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter • Traffic within a company or workgroup does not incur the overhead of securityrelated processing • IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization • IPsec is below the transport layer (TCP, UDP) and so is transparent to applications • There is no need to change software on a user or server system when IPsec is implemented in the firewall or router • IPsec can be transparent to end users • There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization • IPsec can provide security for individual users if needed • This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications
  • 7. Routing Applications • IPsec can play a vital role in the routing architecture required for internetworking IPsec can assure that: A router advertisement comes from an authorized router A router seeking to establish or maintain a neighbor relationship with a router in another routing domain is an authorized router A redirect message comes from the router to which the initial IP packet was sent A routing update is not forged
  • 8. Confidentiality Encapsulating Security Payload (ESP) • Consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication • The current specification is RFC 4303, IP Encapsulating Security Payload (ESP) Internet Key Exchange (IKE) • A collection of documents describing the key management schemes for use with IPsec • The main specification is RFC 5996, Internet Key Exchange (IKEv2) Protocol, but there are a number of related RFCs Key Management Authentication Authentication Header (AH) • An extension header to provide message authentication • The current specification is RFC 4302, IP Authentication Header Architecture • Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology • The current specification is RFC4301, Security Architecture for the Internet Protocol IPsec Documents Cryptographic algorithms • This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange Other • There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content
  • 9. IPsec Services • IPsec provides security services at the IP layer by enabling a system to: • Select required security protocols • Determine the algorithm(s) to use for the service(s) • Put in place any cryptographic keys required to provide the requested services • RFC 4301 lists the following services: • • • • • • Access control Connectionless integrity Data origin authentication Rejection of replayed packets (a form of partial sequence integrity) Confidentiality (encryption) Limited traffic flow confidentiality
  • 11. Security Association (SA) • A one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it • In any IP packet, the SA is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP) Uniquely identified by three parameters: Security Parameters Index (SPI) • A 32-bit unsigned integer assigned to this SA and having local significance only Security protocol identifier • Indicates whether the association is an AH or ESP security association IP Destination Address • Address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router
  • 12. Transport and Tunnel Modes Transport Mode • Provides protection primarily for upper-layer protocols • Examples include a TCP or UDP segment or an ICMP packet • Typically used for end-to-end communication between two hosts • ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header • AH in transport mode authenticates the IP payload and selected portions of the IP header Both AH and ESP support two modes of use: transport and tunnel mode. Tunnel Mode • Provides protection to the entire IP packet • Used when one or both ends of a security association (SA) are a security gateway • A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec • ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header • AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header
  • 13.
  • 15. Tunnel Mode and Transport Mode Functionality
  • 16. Authentication header (ah) • Provides support for data integrity and authentication (MAC code) of IP packets. • Guards against replay attacks.
  • 18. Transport Mode (AH Authentication) Tunnel Mode (AH Authentication)
  • 19. Encapsulating security payload (ESP) • ESP provides confidentiality services. • Encryption: • • • • • • Three-key triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish • Authentication: • HMAC-MD5-96 • HMAC-SHA-1-96
  • 20. Transport Mode (ESP Encryption & Authentication) Tunnel Mode (ESP Encryption & Authentication)
  • 21. End-to-end vs end-to-intermediate authentication Transport Mode SA Transport Mode SA Tunnel Mode SA
  • 22. Combining Security Associations • An individual SA can implement either the AH or ESP protocol but not both • Security association bundle • Refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPsec services • The SAs in a bundle may terminate at different endpoints or at the same endpoint • May be combined into bundles in two ways: Transport adjacency • Refers to applying more than one security protocol to the same IP packet without invoking tunneling • This approach allows for only one level of combination Iterated tunneling • Refers to the application of multiple layers of security protocols effected through IP tunneling • This approach allows for multiple levels of nesting
  • 23. Combining Security Associations Possible combinations: a) AH in transport mode. b) ESP in transport mode. c) ESP followed by AH in transport mode. (ESP SA inside AH SA) d) Any a,b or c inside AH or ESP in tunnel mode.
  • 24. Combining Security Associations • Security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPsec. • Simple VPN support • Tunnel could support AH, ESP or ESP with authentication option
  • 25. Combining Security Associations • • • • Combination of case 1 and case 2 The gateway-to-gateway tunnel provides either authentication, confidentiality, or both for all traffic between end systems. When gateway-to-gateway tunnel is ESP, it also provides limited form of traffic confidentiality. Individual hosts can implement any additional IPsec services required for given applications or given users by means of end-to-end SAs.
  • 26. Combining Security Associations • Combination of case 1 and case 2 • Provides support for a remote host that uses the Internet to reach an organization’s firewall and then to gain access to some server or workstation behind the firewall. • Only tunnel mode is required between the remote host and the firewall.
  • 27. Internet Key Exchange The IPsec Architecture document mandates • The key management support for two types of key management: portion of IPsec • A system administrator involves the manually configures each determination and system with its own keys and distribution of secret with the keys of other communicating systems keys • This is practical for small, • A typical requirement is four keys for communication between two applications • Transmit and receive pairs for both integrity and confidentiality relatively static environments Manual Automated • Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration
  • 28. ISAKMP/Oakley • The default automated key management protocol of IPsec • Consists of: • Oakley Key Determination Protocol • A key exchange protocol based on the Diffie-Hellman algorithm but providing added security • Generic in that it does not dictate specific formats • Internet Security Association and Key Management Protocol (ISAKMP) • Provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes • Consists of a set of message types that enable the use of a variety of key exchange algorithms
  • 29. ISAKMP/Oakley • ISAKMP does not dictate a specific key exchange algorithm; rather ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms. • Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP. • Three authentication methods can be used with Oakley: • Digital signatures • Public-key encryption • Symmetric-key encryption
  • 30.
  • 31. Summary • IP security overview • • • • • • • Applications of IPsec Benefits of IPsec Routing applications IPsec documents IPsec services Security associations Transport and tunnel modes • Authentication Header (AH) • Encapsulating Security Payload (ESP) • Combining security associations • Authentication plus confidentiality • Basic combinations of security associations • Internet key exchange • ISAKMP/Oakley • IKE Formats