
IP Security

- IPSec
- Firewall Design

- Security - understanding when and how users, computers, services, and networks can trust one another
- 2 fundamental techniques
  - Perimeter security
  - Encryption
© MMII JW Ryder CS 428 Computer Networking 1
Security
- Perimeter security - allows an organization to determine which services and networks it will make available to outsiders
- Encryption handles most other aspects



Security
- Security implies safety, assurance of data integrity, freedom from unauthorized access, freedom from snooping or wiretapping, and freedom from disruption of service
- Physical security is as important as protecting abstract resources



Aspects of Protection
- Data Integrity - protect data from unauthorized change
- Data Availability - outsiders cannot prevent legitimate access to data
- Confidentiality
- Authorization - access only to the data required
- Replay Avoidance - outsiders who capture copies of packets must not be able to reuse them

Information Policy
- "Before an organization can enforce network security, it must assess risks and develop a clear policy regarding information access and protection."
- An information policy begins with people - the most susceptible point in any security scheme



Internet Security
- Datagrams can be intercepted or compromised - the contents cannot be trusted
- Example
  - Server attempts source authentication
    - Examines the source IP address
  - Source authentication is weak
- Stronger authentication requires encryption

IPSec
- A set of protocols that provide secure Internet communication
- Valid for IPv4 and IPv6
- IPSec is flexible and extensible
  - Can use authentication or encryption
  - Asymmetric choices are OK
- Does not demand a specific authentication or encryption algorithm
  - Includes a set of encryption algorithms that all implementations must recognize

IPSec AH
- Authentication Header
- See figures 32.1 and 32.2 on pages 584 and 585
- Inserts the AH after the IP header and before the transport header
- PROTOCOL field in the IP header is changed to value 51
- If the PROTOCOL field is changed, how does the receiver determine the type?

IPSec AH
- AH has a NEXT HEADER field; the original PROTOCOL value is written here
- PAYLOAD LEN - length of the AH
- SEQUENCE NUMBER - starts at 0 and increases monotonically
- SECURITY PARAMETER INDEX - specifies the Security Association (SA)
- AUTHENTICATION DATA - based upon the security scheme

Security Association
- Security scheme includes
  - authentication algorithm
  - key(s)
  - key lifetime
  - algorithm lifetime for the destination
  - authorized source addresses
- This information cannot fit into the header
- Each receiver collects all details about the security scheme into an abstraction called a Security Association

Security Association
- Each SA is given a number, aka a security parameters index
- Before a sender can use IPSec to communicate with a receiver, the sender must know the index value of an SA on the receiver
- Index values are owned by destinations, not globally known!
- SAs can have lifetimes; index values can be reused

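The AH layout and the receiver-side SA lookup from the two slides above, as an added example in Python (written for these notes; it is not code from the lecture or from any IPSec implementation). It assumes HMAC-SHA-256 truncated to 12 octets as the authentication scheme, an ICV computed over the AH (with its AUTHENTICATION DATA zeroed) plus the payload, and constructed keys, SPI values and source addresses; a real AH ICV also covers the immutable IP header fields. The receiver looks the SA up by SPI, checks the authorized source, verifies the ICV, and enforces the monotonically increasing SEQUENCE NUMBER, which is what gives replay avoidance.

```python
"""Added example: IPSec AH encode/decode with a receiver-side SA table.
Assumptions (not from the lecture): HMAC-SHA-256 truncated to 12 octets as
the authentication scheme, ICV computed over the AH (AUTH DATA zeroed) plus
the payload, and constructed sample keys, SPIs and addresses."""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51   # value placed in the IP PROTOCOL field when an AH follows
ICV_LEN = 12       # truncated ICV length in octets (assumption)

# Fixed part of the AH: NEXT HEADER(1) PAYLOAD LEN(1) RESERVED(2) SPI(4) SEQ(4)
AH_FIXED = struct.Struct("!BBHII")


class SecurityAssociation:
    """Everything the receiver knows about one security scheme, keyed by SPI."""

    def __init__(self, spi, key, authorized_sources):
        self.spi = spi
        self.key = key
        self.authorized_sources = frozenset(authorized_sources)
        self.last_seq = -1   # highest SEQUENCE NUMBER accepted so far


def compute_icv(key, ah_fixed, icv_len, payload):
    """ICV over the AH with AUTHENTICATION DATA set to zero, then the payload."""
    msg = ah_fixed + bytes(icv_len) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:icv_len]


def build_ah(next_header, spi, seq, key, payload):
    """Sender: AH in front of the transport payload. NEXT HEADER carries the
    original PROTOCOL value; PAYLOAD LEN is the AH length in 32-bit words
    minus 2 (a 24-octet AH gives 4)."""
    ah_len = AH_FIXED.size + ICV_LEN
    fixed = AH_FIXED.pack(next_header, ah_len // 4 - 2, 0, spi, seq)
    return fixed + compute_icv(key, fixed, ICV_LEN, payload) + payload


def receive_ah(data, source, sa_table):
    """Receiver: look up the SA by SPI, check the source, verify the ICV, and
    enforce a strictly increasing SEQUENCE NUMBER (replay avoidance)."""
    next_header, payload_len, _, spi, seq = AH_FIXED.unpack_from(data)
    sa = sa_table.get(spi)
    if sa is None:
        return "drop: unknown SPI"            # index values are owned by the receiver
    if source not in sa.authorized_sources:
        return "drop: source not authorized for this SA"
    ah_len = (payload_len + 2) * 4
    icv, payload = data[AH_FIXED.size:ah_len], data[ah_len:]
    expected = compute_icv(sa.key, data[:AH_FIXED.size], len(icv), payload)
    if not hmac.compare_digest(icv, expected):
        return "drop: authentication failed"
    if seq <= sa.last_seq:
        return "drop: replayed sequence number"
    sa.last_seq = seq
    return ("accept", next_header, payload)


def demo():
    """Constructed traffic: one good datagram, its replay, a tampered copy,
    and the good datagram arriving from an unauthorized source."""
    key = b"constructed-sample-key"
    sa_table = {0x1001: SecurityAssociation(0x1001, key, ["10.0.0.5"])}
    good = build_ah(6, 0x1001, 0, key, b"TCP segment")   # 6 = TCP
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    return [receive_ah(good, "10.0.0.5", sa_table),
            receive_ah(good, "10.0.0.5", sa_table),
            receive_ah(tampered, "10.0.0.5", sa_table),
            receive_ah(good, "10.0.0.9", sa_table)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of checks matters: an unknown SPI or an unauthorized source is rejected before any cryptography runs, a bad ICV is rejected before the sequence number is consulted, and `last_seq` is only advanced once a datagram has fully verified, so a forged datagram cannot push the window forward.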
IPSec ESP
- Privacy plus Authentication
- Encapsulating Security Protocol
- Value 50 in the PROTOCOL field
- See figures on pages 586 and 587
- 3 additional areas
  - ESP HEADER
  - ESP TRAILER
  - ESP AUTH - variable size

IPSec ESP
- Uses many of the same items as AH but reorders them
- ESP HEADER
  - 8 octets for SPI and SEQUENCE NUMBER
- ESP TRAILER
  - Optional padding
  - Padding Length
  - NEXT HEADER
- ESP AUTH data



IPSec ESP
- Padding may be present for 3 reasons
  - Some decryption algorithms require zeros following the encrypted message
  - NEXT HEADER is right-justified within a 4-octet field; IPSec requires that the AUTH data that follows the trailer start on a 4-octet boundary
  - Random padding to throw off sniffers

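Building and parsing the ESP TRAILER described on the three ESP slides above, as an added Python example (written for these notes, not taken from the lecture or from any IPSec stack). The payload is carried in the clear because the slides fix no cipher; `block` is the alignment a cipher would require (4 when it imposes none, which keeps NEXT HEADER right-justified and the ESP AUTH data on a 4-octet boundary), and `extra_blocks` adds whole blocks of extra padding to disguise the true payload length. The 1,2,3,... pad pattern is the default RFC 4303 specifies and lets the receiver check the padding; SPI, sequence numbers and payloads below are constructed.

```python
"""Added example: computing and parsing the ESP TRAILER.
Assumptions (not from the lecture): payload in the clear, `block` is the
cipher alignment (4 when none is imposed), `extra_blocks` hides length."""
import struct

ESP_PROTOCOL = 50
ESP_HEADER = struct.Struct("!II")   # SPI, SEQUENCE NUMBER: 8 octets


def esp_pad_len(payload_len, block=4, extra_blocks=0):
    """Pad octets needed so that payload + padding + PAD LENGTH + NEXT HEADER
    is a multiple of `block`; `block` must itself keep 4-octet alignment."""
    if block % 4:
        raise ValueError("block size must keep 4-octet alignment")
    pad = (-(payload_len + 2)) % block + extra_blocks * block
    if pad > 255:
        raise ValueError("PAD LENGTH is a single octet")
    return pad


def build_esp(spi, seq, payload, next_header, block=4, extra_blocks=0):
    """Sender: ESP HEADER, payload, then the trailer (padding, PAD LENGTH,
    NEXT HEADER).  NEXT HEADER carries the original PROTOCOL value."""
    pad_len = esp_pad_len(len(payload), block, extra_blocks)
    padding = bytes(range(1, pad_len + 1))   # default 1,2,3,... pattern
    trailer = padding + bytes([pad_len, next_header])
    return ESP_HEADER.pack(spi, seq) + payload + trailer


def parse_esp(body):
    """Receiver: read the trailer from the end, check the padding, and strip
    it; a PAD LENGTH that reaches back into the header is rejected."""
    spi, seq = ESP_HEADER.unpack_from(body)
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if payload_end < ESP_HEADER.size:
        raise ValueError("PAD LENGTH exceeds the ESP body")
    if body[payload_end:len(body) - 2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding pattern damaged")
    return spi, seq, next_header, body[ESP_HEADER.size:payload_end]


if __name__ == "__main__":
    body = build_esp(0x1001, 0, b"hello", 6, block=16, extra_blocks=1)
    print(len(body), parse_esp(body))
```

With a 5-octet payload and a 16-octet block, the minimum padding is 9 octets (5 + 9 + 2 = 16); one extra block raises it to 25, so an observer sees a 32-octet ESP body either way and cannot tell a 5-octet payload from a 21-octet one.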


Mutable Fields
- IPSec authentication is designed to assure that the arriving datagram is identical to the one sent by the source
- Intermediate routers decrement TTL fields and re-compute checksums
- Mutable fields = IP header fields that can change
- IPSec only authenticates immutable fields

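The mutable-field rule in working form, as an added Python example (mine, not code from the lecture or any IPSec stack): the sender computes the ICV over a copy of the IPv4 header with TTL and header checksum zeroed, a simulated router decrements TTL and recomputes the checksum, and the receiver's verification still succeeds, while any change to an immutable field or to the payload fails. It assumes HMAC-SHA-256 as the scheme, a 20-octet option-free IPv4 header, and constructed addresses and key; a real AH ICV also covers the AH itself.

```python
"""Added example: AH-style authentication over the immutable IPv4 header fields.
Assumptions (not from the lecture): HMAC-SHA-256 as the scheme, an option-free
20-octet IPv4 header, constructed addresses and key."""
import hashlib
import hmac
import socket
import struct

# VER/IHL, TOS, TOTAL LEN, ID, FLAGS/FRAG, TTL, PROTOCOL, CHECKSUM, SRC, DST
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
TTL_OFFSET, CKSUM_OFFSET = 8, 10   # octet offsets of the two mutable fields


def ipv4_checksum(hdr):
    """Standard ones-complement sum over the 16-bit words of the header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload_len, ttl=64):
    fields = [0x45, 0, IPV4_HDR.size + payload_len, 0x1234, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields)


def zero_mutable(hdr):
    """What the ICV actually covers: TTL and CHECKSUM are predicted as zero,
    because routers along the path rewrite both."""
    b = bytearray(hdr)
    b[TTL_OFFSET] = 0
    b[CKSUM_OFFSET:CKSUM_OFFSET + 2] = b"\x00\x00"
    return bytes(b)


def authenticate(key, hdr, payload):
    return hmac.new(key, zero_mutable(hdr) + payload, hashlib.sha256).digest()


def verify(key, hdr, payload, icv):
    return hmac.compare_digest(authenticate(key, hdr, payload), icv)


def forward_hop(hdr):
    """Simulate an intermediate router: decrement TTL, recompute the checksum."""
    f = list(IPV4_HDR.unpack(hdr))
    f[5] -= 1
    f[7] = 0
    f[7] = ipv4_checksum(IPV4_HDR.pack(*f))
    return IPV4_HDR.pack(*f)


def demo():
    key, payload = b"constructed-key", b"constructed payload"
    sent = build_ipv4("128.5.1.1", "192.0.2.7", 51, len(payload))
    icv = authenticate(key, sent, payload)
    arrived = forward_hop(forward_hop(sent))        # two router hops
    other_source = build_ipv4("128.5.1.2", "192.0.2.7", 51, len(payload), ttl=62)
    return {
        "header changed in transit": arrived != sent,
        "arrived header checksum ok": ipv4_checksum(arrived) == 0,
        "verifies after hops": verify(key, arrived, payload, icv),
        "payload change detected": not verify(key, arrived, payload + b"!", icv),
        "source change detected": not verify(key, other_source, payload, icv),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Had the sender included TTL in the ICV, the datagram would fail verification after the very first hop; had it excluded the source address as well, an outsider could rewrite the source and still pass, which is why only the fields routers legitimately change are left out.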
IPSec Tunneling
- Standard defines both AH and ESP tunnels
  - See figure 32.4 on page 588
- Required security algorithms
  - See figure 32.5 on page 588
- Secure Sockets Layer (SSL)
  - Originated by Netscape
  - Dual authentication, negotiates the encryption algorithm
  - Secure connection; not formally adopted by the IETF but a de facto standard

Firewalls
- Place the firewall at the connection to the external internet
  - Inside and outside regions
- An intranet can have several external connections
  - Strong as the weakest link
  - All firewalls must be configured to use the same access restrictions



Firewalls
- In theory, a firewall simply blocks all communication between the organization and the outside
- In practice, more than this is needed
  - Firewalls need to be tailored to the specific organization
  - Must have the hardware and software to handle a potentially busy interface

Packet-Level Filters
- High-speed filtering mechanism
- Manager configures the filter in a router
  - Filter (block) all datagrams from a specific source or those used by a specific application
- Does not keep a record of filtering
- Packet filters are independent of the TCP/IP standards

Packet Filters
- See figure 32.6 on page 591
- Block incoming datagrams destined for well-known services
- Block outgoing datagrams from any host with the 16-bit prefix 128.5.0.0 to a remote e-mail server (TCP port 25)



Packet Filters
- Previous example does not work well for a firewall
  - Number of well-known ports is large
  - Much traffic on an internet does not travel on well-known ports
    - Programmers can choose
    - Remote Procedure Call assigns dynamic port numbers
- Listing ports leaves the firewall open for tunneling



Firewalls
- Tunneling can circumvent security
  - Host on the inside agrees to accept encapsulated datagrams from a host on the outside
  - Removes one layer and then forwards to the internal service
- Must reverse the idea of filtering
  - Instead of identifying what datagrams should be filtered (blocked), block everything!

Firewalls
- Allow only those for approved networks, hosts, and ports
- Examine the organization's information policy, then enable certain functionality
- Many packet filters use this approach
- Solves many problems and has an interesting consequence
  - Prevents inside users from accessing outside resources

Firewalls
- Servers may operate on well-known ports but clients do not
- Clients may send data out but won't get data back in
  - Packet filter will block the client's returning datagram
- Not all organizations configure the filter to block all unknown internal port numbers

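A stateless packet filter evaluated both ways the slides above describe, as an added Python example (written for these notes, not from the lecture or any firewall product): first the block-list approach of figure 32.6 (list what to block, allow the rest), then the reversed approach (block everything, allow only approved networks, hosts and ports). The second half shows the consequence the last slide points out: an inside client's request goes out, but the server's reply to the client's unknown port is dropped because no rule admits it. It assumes 128.5.0.0/16 is the organization, 128.5.0.10 is its mail server, and that the outside addresses and rule sets are constructed.

```python
"""Added example: a stateless packet filter, block-list vs default-deny.
Assumptions (not from the lecture): 128.5.0.0/16 is the organization,
128.5.0.10 its mail server; outside addresses and rules are constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "direction src dst proto dport")   # direction: "in" or "out"
Rule = namedtuple("Rule", "direction src dst proto dports action")   # None matches anything

INSIDE = ipaddress.ip_network("128.5.0.0/16")
MAIL_SERVER = ipaddress.ip_network("128.5.0.10/32")
WELL_KNOWN = range(0, 1024)


def matches(rule, pkt):
    return ((rule.direction in (None, pkt.direction))
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.proto in (None, pkt.proto))
            and (rule.dports is None or pkt.dport in rule.dports))


def decide(rules, default, pkt):
    """First matching rule wins; `default` applies when none matches.
    The filter keeps no state, so each datagram is judged on its own."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Approach 1 (figure 32.6): list what to block, allow everything else.
BLOCK_LIST = [
    Rule("in", None, INSIDE, "tcp", WELL_KNOWN, "drop"),   # incoming to well-known services
    Rule("out", INSIDE, None, "tcp", {25}, "drop"),        # outgoing to a remote e-mail server
]

# Approach 2: block everything, then allow only what the information policy approves.
ALLOW_LIST = [
    Rule("out", INSIDE, None, "tcp", {80, 443}, "accept"),   # inside clients may reach outside web servers
    Rule("in", None, MAIL_SERVER, "tcp", {25}, "accept"),    # outsiders may reach the mail server only
]


def block_list_decision(pkt):
    return decide(BLOCK_LIST, "accept", pkt)


def default_deny_decision(pkt):
    return decide(ALLOW_LIST, "drop", pkt)


def demo():
    """Constructed datagrams exercising both rule sets."""
    outsider, client = "203.0.113.5", "128.5.1.1"
    request = Packet("out", client, outsider, "tcp", 80)      # browser -> outside web server
    reply = Packet("in", outsider, client, "tcp", 40000)      # server's reply to the client's port
    return {
        "block list: incoming telnet": block_list_decision(Packet("in", outsider, client, "tcp", 23)),
        "block list: incoming to unlisted port 8080": block_list_decision(Packet("in", outsider, client, "tcp", 8080)),
        "block list: outgoing SMTP": block_list_decision(Packet("out", client, outsider, "tcp", 25)),
        "default deny: client request goes out": default_deny_decision(request),
        "default deny: server reply comes back": default_deny_decision(reply),
        "default deny: incoming mail": default_deny_decision(Packet("in", outsider, "128.5.0.10", "tcp", 25)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The block list lets the datagram to port 8080 through, which is the slides' point that much traffic avoids well-known ports; the default-deny list closes that hole but also drops the web server's reply, so an organization either adds a rule admitting inside-bound traffic to unknown ports (weakening the filter) or routes clients through a proxy on a bastion host, as the next slides describe.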
Proxy Access
- Secure Firewalls
  - Users on the inside need to access resources on the outside
  - Can only provide safe access through a secure computer
  - Install one secure computer with each firewall and install a set of application gateways on that computer
    - Bastion Host



Secure Gateway
- See figure 32.7 on page 593
- Outer barrier
  - Blocks all incoming traffic except for datagrams destined for
    - services on the bastion that the organization chooses to expose externally
    - clients on the bastion host
- Inner barrier
  - Blocks incoming traffic except datagrams coming from the bastion
  - Manual bypass

Secure Firewalls
- Web access example
  - Firewall prevents the user's computer from receiving datagrams
  - User cannot use a browser for direct access
  - Arrange a proxy server on the bastion host
  - Inside, each browser is configured to use the proxy
  - Proxy contacts the URL, receives the information, and returns it transparently to the user inside the firewall

Firewall Implementation
- Each barrier requires a router with a packet filter
- Network connections between the routers and the bastion host
- See figure 32.8 on page 594
  - R2 = outer barrier
  - H = bastion host
  - R1 = inner barrier
- Safety of the firewall depends on the safety of the bastion host (software and hardware)

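The two-barrier layout of figures 32.7 and 32.8 (outer router R2, bastion host H, inner router R1) as per-router admission checks, an added Python example written for these notes rather than taken from the lecture. It assumes a constructed bastion address 192.0.2.10, the organization prefix 128.5.0.0/16, SMTP (port 25) as the one service the organization exposes on the bastion, a hypothetical web proxy on bastion port 3128 for the web access example, and that datagrams to bastion ports of 1024 and above stand for "clients on the bastion host" (their replies). A datagram is walked through whichever barriers lie between its source and destination.

```python
"""Added example: outer barrier R2, bastion host H, inner barrier R1.
Assumptions (not from the lecture): bastion 192.0.2.10, organization
128.5.0.0/16, SMTP exposed on the bastion, proxy on port 3128, and ports
>= 1024 on the bastion standing for its own client connections."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport")

BASTION = ipaddress.ip_address("192.0.2.10")
INSIDE = ipaddress.ip_network("128.5.0.0/16")
EXPOSED_SERVICES = {25}              # services on the bastion the organization exposes
BASTION_CLIENT_PORTS = range(1024, 65536)
PROXY_PORT = 3128                    # hypothetical proxy for inside browsers

# Which barriers a datagram crosses, by where it starts and where it is going.
PATH = {
    ("outside", "bastion"): ["R2"], ("outside", "inside"): ["R2", "R1"],
    ("bastion", "outside"): ["R2"], ("bastion", "inside"): ["R1"],
    ("inside", "bastion"): ["R1"], ("inside", "outside"): ["R1", "R2"],
}


def location(addr):
    ip = ipaddress.ip_address(addr)
    if ip == BASTION:
        return "bastion"
    return "inside" if ip in INSIDE else "outside"


def outer_barrier(pkt):
    """R2: block all incoming traffic except datagrams for exposed services
    on the bastion or for clients running on the bastion."""
    if location(pkt.src) != "outside":
        return "forward"                 # R2 restricts only what comes in
    if ipaddress.ip_address(pkt.dst) != BASTION:
        return "drop"                    # nothing from outside reaches past H
    if pkt.dport in EXPOSED_SERVICES or pkt.dport in BASTION_CLIENT_PORTS:
        return "forward"
    return "drop"


def inner_barrier(pkt):
    """R1: block incoming traffic unless it comes from the bastion."""
    if location(pkt.src) in ("inside", "bastion"):
        return "forward"
    return "drop"


def admit(pkt):
    """Walk the datagram through every barrier on its path."""
    src, dst = location(pkt.src), location(pkt.dst)
    if src == dst:
        return "delivered to " + dst     # never crosses a barrier
    for router in PATH[(src, dst)]:
        verdict = outer_barrier(pkt) if router == "R2" else inner_barrier(pkt)
        if verdict == "drop":
            return "dropped at " + router
    return "delivered to " + dst


def demo():
    """Constructed datagrams: direct attempts from outside, then the full
    browser -> proxy -> web server -> proxy -> browser exchange."""
    outsider, browser, bastion = "203.0.113.5", "128.5.1.1", "192.0.2.10"
    return {
        "outsider to exposed SMTP on bastion": admit(Packet(outsider, bastion, 25)),
        "outsider to unexposed telnet on bastion": admit(Packet(outsider, bastion, 23)),
        "outsider directly to inside host": admit(Packet(outsider, browser, 80)),
        "browser to proxy on bastion": admit(Packet(browser, bastion, PROXY_PORT)),
        "proxy fetch to outside web server": admit(Packet(bastion, outsider, 80)),
        "web server reply to proxy": admit(Packet(outsider, bastion, 45000)),
        "proxy reply to browser": admit(Packet(bastion, browser, 50000)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Every datagram from outside stops at R2 unless it is addressed to the bastion, and R1 admits inbound datagrams only when the bastion sends them, which is why the whole design is only as safe as the bastion host itself.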
Stub Network
- Previous example is known as a stub network
- A stub network isolates the organization
- May be considered unnecessary
- See figure 32.9 on page 595 for an alternative firewall permitting many external connections
  - One router per connection - all external connections also mistrust one another

Firewalls
- Monitoring
  - Active - firewall notifies whenever there is an incident
  - Passive - firewall records activity in logs

