Network Security 5.1 - 5.3 - Network Security
IP
what ip offers
provides connectionless and best-effort service
i.e. gives no guarantees for the delivery of packets
ip datagrams have no inherent security
ip source can be spoofed
content of IP datagrams can be sniffed
content of IP datagrams can be modified
ip datagrams can be replayed
Layer 3 Security
Lower Layer 3 Security
security services
Confidentiality
data origin authentication
connectionless or connection-oriented integrity
access control
significantly dependent on the network technology
Upper Layer 3 Security
not dependent on the network technology
moderately dependent on the protocol suite
security services
confidentiality
data origin authentication
connectionless and partial sequence integrity
access control
Summary
Security measures on network layer
can offer end-to-end security
sender encrypts/authenticates packets
receiver decrypts/verifies packets
does not require changes in every application
are usually used to set up virtual private networks
secure data exchange via insecure public networks
solves rogue packet problem
IP Security (IPSec)
IPSec specification
Architecture
Authentication Header (AH)
Integrity + Authentication
offers message integrity and source authentication but not message confidentiality
contains a keyed hash (HMAC) of the whole packet
allows the receiver to verify the authenticity of the addresses and the integrity of the payload
authenticates
IP Header
itself
IP Payload
uses HMAC for authentication
Encapsulating Security Payload (ESP)
Confidentiality + Integrity protection
offers source authentication, message integrity and confidentiality
guarantees integrity and/or confidentiality of the original datagram by combining a secure hash with encryption of the IP payload or of the whole IP packet
authenticates
itself
payload
ESP trailers
encrypts
ip payload
esp trailer
via symmetric encryption
can be combined with authentication header
Internet Key Exchange (IKE)
Key Exchange
security services
Connectionless integrity
data origin authentication
Confidentiality (Encryption)
Rejection of replayed packets
limited traffic flow confidentiality
Access control
protocol
extra header between layer 3 and 4 (IP and TCP) to give the destination enough information to identify the "security association"
2 modes
Transport Mode: host-based end-to-end (host-to-host) security
set up a secure end-to-end connection between 2 hosts
keeps original header
can be used for encapsulating security payload
can be used for AH and ESP
to get encryption together with an authenticated IP header
Tunnel mode: security between network borders (gateway-to-gateway or host-to-gateway)
VPN
set up a secure end-to-end communication between 2 networks
introduces additional ip header
can be used for AH, ESP and both
4 combinations
Transport mode with AH
Transport mode with ESP
Tunnel mode with AH
Tunnel mode with ESP
most common and most important
IPsec Operations
Implementations
Host Implementation
provides end-to-end security services
provision of security services on a per-flow basis
ability to implement all modes of IPsec
2 main integration alternatives
OS integrated
BITS - "Bump" in the stack
Router / Gateway Implementation
ability to secure ip packets flowing between two networks over a public network
VPN in Tunnel Mode
no need to integrate IPsec in every end system
ability to authenticate and authorize IP traffic from remote users
2 main implementation alternatives
Router integrated
"Bump" in the wire (BITW)
IPsec Databases
Security Associations (SA)
abstraction of an IPsec connection
consists of a triplet
Security Parameter Index (SPI)
IP destination address
Security Protocol: AH or ESP
two kinds of SAs
IKE_SA: master
long term validity
CHILD_SA: session
used for data transmission
SPI + destination IP address + IPsec protocol (AH or ESP) uniquely identifies an SA
Security Association Databases (SAD)
holds parameters for each SA
lifetime of this SA
AH and ESP information
Tunnel or Transport mode
every host or gateway in IPsec has its own SA database
Security Policy Database (SPD)
SPD manages SA
what traffic to protect?
ordered list of access control entries -> firewalls
each entry specifies
DISCARD
BYPASS
PROTECT
Peer Authorization Database (PAD)
provides the link between the SPD and an SA management protocol like IKE
critical functions
identifies peers or groups that are authorized to communicate with IPsec entity
specifies the protocol and method used to authenticate each peer
provides the authentication data for each peer
constrains the types and values of IDs that can be asserted by a peer with regard to child SA creation
peer gateway location info: IP addresses, DNS names
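The interplay of SPD and SAD described above, as an added example (not part of the original notes, and not any real IPsec implementation's code): an ordered SPD is searched first-match for an outgoing packet, a PROTECT entry points at an SA, and the SAD is keyed on the triple (SPI, destination IP, protocol) so that two SAs may even share an SPI as long as the protocol differs. The databases below are constructed sample data; the "NEGOTIATE" result for a PROTECT entry without a matching SA stands in for the point at which IKE would be invoked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SAKey:
    """The triple that uniquely identifies an SA in the SAD."""
    spi: int
    dst: str        # IP destination address
    proto: str      # "AH" or "ESP"


@dataclass
class SAParams:
    """Per-SA parameters held in the SAD (subset: mode, lifetime, algorithms)."""
    mode: str       # "transport" or "tunnel"
    lifetime_s: int
    integ_alg: str
    enc_alg: Optional[str] = None   # None for AH, which offers no confidentiality


@dataclass
class SPDEntry:
    src: str        # CIDR selector
    dst: str
    action: str     # "DISCARD", "BYPASS" or "PROTECT"
    sa: Optional[SAKey] = None      # SA to use when action == "PROTECT"


def spd_lookup(spd: List[SPDEntry], src_ip: str, dst_ip: str) -> SPDEntry:
    """Ordered first-match search, like a firewall ruleset.
    Traffic matching no entry is discarded (default deny)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for entry in spd:
        if s in ip_network(entry.src) and d in ip_network(entry.dst):
            return entry
    return SPDEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD")


def sad_lookup(sad: Dict[SAKey, SAParams], spi: int, dst: str, proto: str) -> Optional[SAParams]:
    """SAD lookup by the identifying triple."""
    return sad.get(SAKey(spi, dst, proto))


def outbound_decision(spd: List[SPDEntry], sad: Dict[SAKey, SAParams],
                      src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Decide what happens to an outgoing packet: consult the SPD, and for PROTECT
    resolve the SA in the SAD. A PROTECT entry with no SA yet means a key-management
    protocol (IKE) has to negotiate one first; modelled here as 'NEGOTIATE'."""
    entry = spd_lookup(spd, src_ip, dst_ip)
    if entry.action != "PROTECT":
        return entry.action, None
    sa = sad_lookup(sad, entry.sa.spi, entry.sa.dst, entry.sa.proto)
    if sa is None:
        return "NEGOTIATE", None
    return "PROTECT", f"{entry.sa.proto}/{sa.mode}"


# Constructed sample databases for a gateway protecting 10.0.0.0/8 towards a
# peer gateway at 198.51.100.1 (documentation addresses, not real hosts).
SAD: Dict[SAKey, SAParams] = {
    SAKey(0x1001, "198.51.100.1", "ESP"): SAParams("tunnel", 3600, "HMAC-SHA256", "AES-GCM"),
    # same SPI and destination, different protocol: a distinct SA
    SAKey(0x1001, "198.51.100.1", "AH"): SAParams("transport", 3600, "HMAC-SHA256"),
}
SPD: List[SPDEntry] = [
    SPDEntry("10.0.0.0/8", "10.0.0.0/8", "BYPASS"),          # intra-site traffic stays in clear
    SPDEntry("10.0.0.0/8", "192.168.0.0/16", "PROTECT", SAKey(0x1001, "198.51.100.1", "ESP")),
    SPDEntry("10.0.0.0/8", "172.16.0.0/12", "PROTECT", SAKey(0x2002, "198.51.100.1", "ESP")),  # no SA yet
    SPDEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD"),
]


if __name__ == "__main__":
    for dst in ("10.0.1.9", "192.168.3.4", "172.16.4.4", "8.8.8.8"):
        print(dst, outbound_decision(SPD, SAD, "10.0.0.5", dst))
```

Entry order matters: swapping the BYPASS and DISCARD entries would silently drop all intra-site traffic, which is why the notes compare the SPD to a firewall ruleset.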
IPsec Key Management
IKE - Internet Key Exchange Protocol
based on Diffie-Hellman
sets up IPsec Security Associations
consists of 2 phases
set up secure control channel
set up security association
modes
Aggressive
6 messages
4 OK, 6 abnormal
Normal
3 messages
Quick
3 messages
fragmentation attack
runs on top of UDP
IPSec vs. NAT
AH
safeguard against spoofing and man-in-the-middle attacks that change the source/destination IPs
The hash includes source/destination IPs which are modified by the NAT server
Verification of the hash fails on tunnel or transport mode
incompatible with NAT
ESP in Tunnel Mode
Full IP packet ciphered and signed but transmitted inside another packet
modification of the outer packet's IP address does not alter the inner packet's content
compatible with NAT
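The AH-versus-ESP-tunnel behaviour behind a NAT, as an added example (not from the original notes and not a real IPsec stack): the AH integrity check value is an HMAC over the IP header and payload with only the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, so the addresses are covered and a NAT rewrite of the source address makes verification fail. In ESP tunnel mode the ICV covers the ESP header and the encrypted inner packet only; the outer header a NAT rewrites is outside it. The key, addresses and payload are constructed, and the keystream is a SHA-256 counter stand-in for a real ESP cipher, not something to reuse.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; in real IPsec the keys come from IKE-negotiated SAs.
KEY = b"constructed-demo-key-not-from-ike"
# version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"
PROTO_TCP, PROTO_ESP = 6, 50


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; checksum left at 0 for simplicity."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def rewrite_src(header, new_src):
    """What a NAT gateway does to an outgoing packet: replace the source address."""
    f = list(struct.unpack(IPV4_FMT, header))
    f[8] = socket.inet_aton(new_src)
    return struct.pack(IPV4_FMT, *f)


def ah_icv(header, payload):
    """AH integrity check value: HMAC over header + payload with mutable fields
    zeroed (TOS, flags/fragment offset, TTL, checksum). Addresses stay covered."""
    f = list(struct.unpack(IPV4_FMT, header))
    f[1] = f[4] = f[5] = f[7] = 0
    return hmac.new(KEY, struct.pack(IPV4_FMT, *f) + payload, hashlib.sha256).digest()[:16]


def ah_verify(header, payload, icv):
    return hmac.compare_digest(ah_icv(header, payload), icv)


def toy_keystream(n, nonce):
    """Toy keystream (SHA-256 in counter mode) standing in for a real ESP cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def esp_tunnel_encapsulate(inner_packet, outer_src, outer_dst, spi=0x1001, seq=1):
    """ESP tunnel mode: whole inner packet encrypted, ICV over ESP header + ciphertext,
    all carried behind a fresh outer IP header that the ICV does not cover."""
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(inner_packet, toy_keystream(len(inner_packet), esp_hdr)))
    icv = hmac.new(KEY, esp_hdr + ct, hashlib.sha256).digest()[:16]
    body = esp_hdr + ct + icv
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(body)) + body


def esp_tunnel_decapsulate(packet):
    """Return the inner packet, or None if the ICV check fails."""
    body = packet[20:]
    esp_hdr, ct, icv = body[:8], body[8:-16], body[-16:]
    expected = hmac.new(KEY, esp_hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        return None
    return bytes(a ^ b for a, b in zip(ct, toy_keystream(len(ct), esp_hdr)))


def demo():
    """Returns (AH verifies before NAT, AH verifies after NAT, ESP tunnel survives NAT)."""
    payload = b"GET / HTTP/1.0\r\n\r\n"   # constructed application data
    inner = ipv4_header("10.0.0.5", "198.51.100.7", PROTO_TCP, len(payload))
    icv = ah_icv(inner, payload)
    ah_before = ah_verify(inner, payload, icv)
    ah_after = ah_verify(rewrite_src(inner, "203.0.113.9"), payload, icv)
    esp = esp_tunnel_encapsulate(inner + payload, "10.0.0.1", "198.51.100.1")
    natted = rewrite_src(esp[:20], "203.0.113.9") + esp[20:]   # NAT touches only the outer header
    return ah_before, ah_after, esp_tunnel_decapsulate(natted) == inner + payload


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The same reasoning explains why ESP in transport mode still suffers under port-translating NAT: the rewritten addresses sit in a header the ICV ignores, but the TCP/UDP checksum inside the encrypted payload no longer matches, which is what the UDP encapsulation of NAT traversal (RFC 3948) works around.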
IPsec vs. SSL
SSL in Application
IPsec in OS
protects all Apps
IPsec is susceptible to a DoS attack