Computer Security CSE 543
These class notes were uploaded by Libby Kuhlman on Sunday November 1, 2015. They belong to CSE 543 at Pennsylvania State University, taught by Staff in Fall.
Date Created: 11/01/15
CSE 543 Computer Security, Fall 2006
Lecture 17: Network Security, November 2 2005
URL: httpwwwcseIosuedutiaeqercse543f06

Communications Security
- A host wants to establish a secure channel to remote hosts over an untrusted network
  - Not login: end users may not even be aware that protections are in place
  - Remote hosts may be internal or external
- The protection service must
  - Authenticate the endpoints to each other
  - Negotiate what security is necessary and how
  - Establish a secure channel
  - Process the traffic between the endpoints

IPsec (not IPSEC)
- Host-level protection service
  - IP-layer security (below TCP/UDP)
  - De facto standard for host-level security
- Developed by the IETF over many years
  - Now available in most operating systems
  - E.g., available in XP, OS X, Linux, BSD
- Implements a wide range of protocols and cryptographic algorithms
- Provides
  - Confidentiality, integrity, authenticity, replay protection, DOS protection

IPsec Protocols and the Stack
- IPsec puts the two main protocols in between IP and the other protocols (HTTP, FTP, SMTP, ...)
  - AH: authentication header
  - ESP: encapsulating security payload
- Tunnel vs. transport
- Key management/authentication
- Policy
- Other functions are provided by external protocols and architectures

Tunneling
- IP over IP
  - Network-level packets are encapsulated
  - Allows traffic to avoid firewalls
CSE543 Computer and Network Security, Fall 2006, Professor Jaeger

IPsec Protocol Suite
[Figure: IPsec protocol suite: policy configuration, key management, packet processing; AH and ESP (encapsulating, authentication)]

Internet Key Exchange (IKE)
- Built on the ISAKMP framework
- Two-phase protocol used to establish parameters and keys for a session
  - Phase 1: negotiate parameters, authenticate peers, establish a secure channel
  - Phase 2: establish a security association (SA)
  - The details are unimaginably complex
- The SA defines the algorithms, keys and policy used to secure the session

IPsec Packet Handling
[Figure: IPsec packet handling in the IP protocol stack: application, presentation, session, transport; IPsec sits at the network (IP) layer and consults the SADB]

Authentication Header (AH)
- Authenticity and integrity via HMAC over IP headers and data
  - Advantage: the authenticity of data and IP header information is protected
  - It gets a little complicated with mutable fields, which are supposed to be altered by the network as the packet traverses it; some fields are immutable and are protected
- Confidentiality of data is not preserved
- Replay protection via AH sequence numbers
  - Note that this replicates some features of TCP (good)

IPsec AH Packet Format
[Figure: IPsec AH packet format and AH header format]

Authentication Header (AH): Modifications to the Packet Format
[Figure: IP header, AH, payload; authenticated region vs. encrypted region]

IPsec Authentication
- SPI ("spy") identifies the security association for this packet
  - Type of crypto checksum, how large it is and how it is computed
  - Really the policy for the packet
- Authentication data
  - Hash of packet contents, including the IP header, as specified by the SPI
  - Treat transient fields (TTL, header checksum) as zero
- Keyed MD5 hash is the default
  - MD5 Hash( Key | Headers and data being sent | Key ), where Key is the secret key

Encapsulating Security Payload (ESP)
- Confidentiality, authenticity and integrity via encryption and HMAC over IP payload data
  - Advantage: the security manipulations are done solely on user data
    - TCP packet is fully secured, simplifies processing
- Use null encryption to get authenticity/integrity only
- Note that the TCP ports are hidden when encrypted
  - Good: better security, less is known about the traffic
  - Bad: impossible for a firewall to filter traffic based on port
- Cost: can require many more resources than AH

IPsec ESP Packet Format
[Figure: IPv4 ESP packet format (unencrypted and encrypted portions) and ESP header format: Security Parameters Index, initialization vector, replay prevention field, data, authentication checksum]

Encapsulating Security Payload (ESP): Modifications to the Packet Format
[Figure: IP header, ESP header, payload, ESP trailer; authenticated region vs. encrypted region]
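The IPsec Authentication slides above say the AH checksum covers the IP header with the transient fields (TTL, header checksum) treated as zero, and that AH sequence numbers give replay protection. The following added example (not from the lecture) models that in Python: it builds an IPv4+AH packet, verifies it, and shows that a router decrementing the TTL does not break the ICV while a changed destination address or a replayed sequence number is rejected. Assumptions: a constructed key, HMAC-SHA256 truncated to 96 bits in place of the slides' keyed MD5, and a simplified "sequence must increase" replay rule rather than a sliding window.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-ah-key"  # constructed sample key; slides' default is keyed MD5, HMAC-SHA256 used here
AH_PROTO = 51                     # IP protocol number of AH

def ip_checksum(hdr):
    """Standard IPv4 one's-complement header checksum (computed with the checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, ttl, proto, total_len):
    """20-byte IPv4 header without options: ver/IHL, TOS, length, ID, flags/frag, TTL, proto, checksum, src, dst."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def zero_mutable(ip_hdr):
    """AH treats the mutable fields TTL (byte 8) and header checksum (bytes 10-11) as zero."""
    return ip_hdr[:8] + b"\0" + ip_hdr[9:10] + b"\0\0" + ip_hdr[12:]

def ah_icv(ip_hdr, ah_fixed, payload):
    """96-bit ICV over immutable IP fields + AH header (ICV field zeroed) + payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + b"\0" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def build_ah_packet(src, dst, ttl, spi, seq, next_proto, payload):
    ah_len = 12 + 12  # fixed AH fields + ICV
    ip_hdr = ipv4_header(src, dst, ttl, AH_PROTO, 20 + ah_len + len(payload))
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", next_proto, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(pkt, last_seq):
    """Returns (ok, new_last_seq): rejects bad ICVs and sequence numbers already seen (replay)."""
    ip_hdr, ah_fixed, got_icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    seq = struct.unpack("!I", ah_fixed[8:12])[0]
    if seq <= last_seq:  # simplified anti-replay rule; real AH keeps a sliding window
        return False, last_seq
    if not hmac.compare_digest(got_icv, ah_icv(ip_hdr, ah_fixed, payload)):
        return False, last_seq
    return True, seq

def forward(pkt):
    """What a router does in flight: decrement TTL and recompute the header checksum."""
    hdr = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:10] + b"\0\0" + pkt[12:20]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + pkt[20:]
```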
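The ESP slides above note that ESP wraps only the IP payload (the TCP segment), that null encryption gives authenticity/integrity only, and that once the payload is encrypted a firewall can no longer filter on TCP ports. This added Python example (not from the lecture) builds a transport-mode ESP packet with the header, trailer and 96-bit ICV, then shows a keyless port filter reading the destination port correctly from a null-encrypted packet and only ciphertext from an encrypted one. Assumptions: constructed keys, and a toy HMAC-based keystream standing in for a real ESP cipher such as AES.

```python
import hmac
import hashlib
import struct

AUTH_KEY = b"constructed-esp-auth-key"  # constructed sample keys, not real SA material
ENC_KEY = b"constructed-esp-enc-key"
TCP = 6

def tcp_segment(sport, dport, data):
    """Minimal 20-byte TCP header (ports, seq, ack, offset, flags, window, checksum=0, urgent) + data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + data

def keystream(spi, seq, n):
    """Toy CTR-style keystream from HMAC-SHA256, standing in for a real cipher such as AES."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(ENC_KEY, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]

def esp_encapsulate(spi, seq, inner, next_header=TCP, null_encryption=False):
    """Transport-mode ESP: SPI | seq | [payload | padding | pad length | next header] | 96-bit ICV."""
    pad_len = (-(len(inner) + 2)) % 4  # trailer must end on a 4-byte boundary
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    if not null_encryption:
        body = bytes(a ^ b for a, b in zip(body, keystream(spi, seq, len(body))))
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(AUTH_KEY, hdr + body, hashlib.sha256).digest()[:12]
    return hdr + body + icv

def esp_decapsulate(pkt, null_encryption=False):
    """Returns (next_header, inner payload), or None when the ICV does not verify."""
    hdr, body, icv = pkt[:8], pkt[8:-12], pkt[-12:]
    expected = hmac.new(AUTH_KEY, hdr + body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        return None
    if not null_encryption:
        spi, seq = struct.unpack("!II", hdr)
        body = bytes(a ^ b for a, b in zip(body, keystream(spi, seq, len(body))))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:-(pad_len + 2)]

def firewall_sees_port(pkt):
    """A keyless port filter reading the TCP destination port just after the 8-byte ESP header.
    Meaningful only with null encryption; with real encryption it reads ciphertext."""
    return struct.unpack("!H", pkt[10:12])[0]
```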
Practical Issues and Limitations
- IPsec implementations
  - Often not compatible (ungh)
  - Large footprint
    - Resource-poor devices are in trouble
    - New standards to simplify, e.g., JFK, IKE2
  - Slow to adopt new technologies
- Issues
  - IPsec tries to be everything for everybody at all times
    - Massive, complicated and unwieldy
  - Policy infrastructure has not emerged
    - Large-scale management tools are limited (e.g., CISCO)
  - Often not used securely (common pre-shared keys)

Network Isolation: VPNs
- Countermeasure: physically separate the devices/environment from malintent
- Idea: I want to create a collection of hosts which operate in a coordinated way
  - E.g., a virtual security perimeter over the physical network
  - Hosts work as if they are isolated from malicious hosts
- Solution: Virtual Private Networks
  - Create a virtual network topology over the physical network
  - Use communications security protocol suites to secure the virtual links (tunneling)
  - Manage networks as if they are physically separate
  - Hosts can route traffic to regular networks (split tunneling)

VPN Example: RW/Telecommuter
[Figure: telecommuter connected across the Internet to the network edge; physical links vs. logical links (IPsec)]

VPN Example: Hub and Spoke
[Figure: hub-and-spoke topology at the network edge; physical links vs. logical links (IPsec)]

VPN Example: Mesh
[Figure: mesh topology; physical links vs. logical links (IPsec)]

Virtual LANs (VLANs)
- VPNs built with hardware
  - No encryption (none needed)
  - Wire-based isolation
- Switches increasingly support VLANs
  - Allows networks to be reorganized without rewiring
- Example usage: two departments in the same hallway
  - Each office is associated with a department
  - Configuring the network switch gives physical isolation
- Note: often used to ensure QoS