Post on 13-Dec-2015
Chapter 32
Internet Security
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 32: Outline
32.1 32.1 NETWORK-LAYER SECURITYNETWORK-LAYER SECURITY
32.2 32.2 TRANSPORT-LAYER SECURITYTRANSPORT-LAYER SECURITY
32.3 32.3 APPLICATION-LAYER SECURITYAPPLICATION-LAYER SECURITY
32.4 32.4 FIREWALLSFIREWALLS
Chapter 32: Objective
The first section discusses security at the network layer, IPSec. The section explains the two modes of IPSec: transport mode and tunnel mode. It then describes the two versions of the protocol: AS and ESP.
The second section discusses one of the security protocols at the transport layer, SSL (the other protocol, TLS, is similar). The section first describes the SSL architecture: services, algorithms, and parameter generation. It then explains the four protocols that SSL is made of: Handshake, ChangeCipherSpec, Alert, and Record.
Chapter 32: Objective
The third section discusses security at the application layer. At this layer, security is provided only for the e-mail application; other applications can use the security at the transport layer, but e-mail, because of its one-way communication, cannot do so. We first describe Pretty Good Privacy (PGP), which provides e-mail security mostly for personal use. The section then describes S/MIME, a secured version of the MIME protocol that provides security mostly for an enterprise.
The fourth section discusses firewalls, a technology that can protect an enterprise from the malicious intension of an intruder. The section describes two versions: packet-filter firewalls and proxy firewalls. The first gives protection only at the network layer; the second can provide protection at the application layer.
32.5
32-1 NETWORK-LAYER SECURITY32-1 NETWORK-LAYER SECURITY
We start this chapter with the discussion of security at the network layer. At the network layer, security is applied between two hosts, two routers, or a host and a router. The purpose of network-layer security is to protect those applications that use the service of the network layer directly.
32.6
32.32.1 Two Modes32.32.1 Two Modes
IPSec operates in one of two different modes: transport mode or tunnel mode.
32.7
Figure 332.1: IPSec in transport mode
32.8
Figure 32.2: Transport mode in action
32.9
Figure 32.3: IPSec in tunnel mode
32.10
Figure 32.5: Tunnel mode in action
32.11
32.32.2 Two Security Protocols32.32.2 Two Security Protocols
IPSec defines two protocols, the Authentication IPSec defines two protocols, the Authentication Header (AH) Protocol and the Encapsulating Header (AH) Protocol and the Encapsulating Security Payload (ESP) Protocol, to provide Security Payload (ESP) Protocol, to provide authentication and/or encryption for packets at authentication and/or encryption for packets at the IP level.the IP level.
32.12
Figure 32.6: Transport mode versus tunnel mode
32.13
Figure 32.7: Authentication Header (AH) protocol
32.14
Figure 32.7: Encapsulating Security Payload (ESP)
32.15
32.32.4 Security Association32.32.4 Security Association
Security Association is a very important aspect of IPSec. IPSec requires a logical relationship, called a Security Association (SA), between two hosts. The security association changes the connectionless service provided by IP to a connection-oriented service upon which we can apply security. This section first discusses the idea and then shows how it is used in IPSec.
Table 32.1: IPSec services
32.16
32.17
Figure 32.8: Simple SA
32.18
Figure 32.9: SAD
32.19
Figure 32.10: Security Policy Database
32.20
Figure 32.11: Outbound processing
32.21
Figure 32.12: Inbound processing
32.22
32.32.5 Internet Key Exchange (IKE)32.32.5 Internet Key Exchange (IKE)
The Internet Key Exchange (IKE) is a protocol designed to create both inbound and outbound Security Associations. As we discussed in the previous section, when a peer needs to send an IP packet, it consults the Security Policy Database (SPD) to see if there is an SA for that type of traffic. If there is no SA, IKE is called to establishone.
32.23
Figure 32.13: IKE components
32.24
32.32.6 Virtual Private Network (VPN)32.32.6 Virtual Private Network (VPN)
One of the applications of IPSec is in virtual private networks. A virtual private network (VPN) is a technology that is gaining popularity among large organizations that use the global Internet for both intra- and inter-organization communication, but require
32.25
Figure 32.14: Virtual private network
32.26
32-2 TRANSPORT-LAYER SECURITY32-2 TRANSPORT-LAYER SECURITY
Security at the transport layer provides security for the application layer, which uses the services of TCP (or SCTP) as a connection-oriented protocol.
Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol.
32.27
Figure 32.15: Location of SSL and TLS in the Internet model
32.28
32.2.1 SSL Architecture32.2.1 SSL Architecture
SSL is designed to provide security and compression services to data generated from the application layer. Typically, SSL can receive data from any application-layer protocol, but usually the protocol is HTTP. The data received from the application is compressed (optional), signed, and encrypted. The data is then passed to a reliable transport-layer protocol such as TCP. Netscape developed SSL in 1994. Versions 2 and 3 were released in 1995. In this section, we discuss SSLv3.
32.29
Figure 32.16: Calculation of master secret from pre-master secret
32.30
Figure 32.17: Calculation of key material from master secret
32.31
Figure 32.18: Extractions of cryptographic secrets from key material
32.32
32.2.2 Four Protocols32.2.2 Four Protocols
We have discussed the idea of SSL without showing how SSL accomplishes its tasks. SSL defines four protocols in two layers, as shown in Figure 32.19.
32.33
Figure 32.19: Four SSL protocols
32.34
Figure 13.20: Handshake Protocol
32.35
Figure 32.21: Processing done by the Record Protocol
32.36
32-3 APPLICATION-LAYER SECURITY32-3 APPLICATION-LAYER SECURITY
This section discusses two protocols providing security services for e-mails: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME).
32.37
32.3.1 E-mail Security32.3.1 E-mail Security
Sending an e-mail is a one-time activity. The nature of this activity is different from those we saw in the two previous sections: SSL or IPSec. In those protocols, we assume that the two parties create a session between themselves and exchange data in both directions. In e-mail, there is no session. Alice and Bob cannot create a session. Alice sends a message to Bob; sometime later, Bob reads the message and may or may not send a reply.
32.38
32.3.2 Pretty Good Privacy (PGP)32.3.2 Pretty Good Privacy (PGP)
The first protocol discussed in this section is called Pretty Good Privacy (PGP). PGP was invented by Phil Zimmermann to provide e-mail with privacy, integrity, and authentication. PGP can be used to create secure e-mail messages.
32.39
Figure 32.22: A plaintext message
32.40
Figure 32.23: An authenticated message
32.41
Figure 13.24: A compressed message
32.42
Figure 32.25: A confidential message
32.43
Figure 32.26: Key rings in PGP
32.44
Figure 32.27: Trust model
32.45
Figure 32.28: Signed-data content type
32.46
32.3.3 S/MIME32.3.3 S/MIME
Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME). The protocol is an enhancement of the Multipurpose Internet Mail Extension (MIME) protocol we discussed in Chapter 26.
32.47
Figure 32.29: Enveloped-data content type
32.48
Figure 32,30: Digested-data content type
32.49
Figure 32.31: Authenticated-data content type
Example 32.1
The following shows an example of an enveloped-data in which a small message is encrypted using triple DES..
32.50
32.51
32-4 FIREWALLS32-4 FIREWALLS
All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.
32.52
Figure 32.32: Firewall
32.53
32.4.1 Packet-Filter Firewalls32.4.1 Packet-Filter Firewalls
A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded). Figure 32.33 shows an example of a filtering table for this kind of a firewall.
32.54
Figure 32.33: Packet-filter firewall
32.55
32.4.2 Proxy Firewall32.4.2 Proxy Firewall
The packet-filter firewall is based on the information available in the network layer and transport layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the information available in the message itself (at the application layer). As an example, assume that an organization wants to implement the following
32.56
Figure 32.34: Proxy firewall