Computer Networks (CS3623)

Nov 20, 2013

Network Security #2

AUTHENTICATION PROTOCOL

- Public-key AP: no-sync (nonce-based challenge/response, so the parties need no synchronised clocks)
- Symmetric AP: Kerberos (tickets and authenticators carry timestamps, so clocks must be loosely synchronised)

SECURE SYSTEMS

Pretty Good Privacy (PGP)

Secure Shell (SSH)

SSH version 2 is layered as three protocols:

1. SSH-TRANS, a transport layer protocol (server authentication, confidentiality and integrity of the stream);
2. SSH-AUTH, an authentication protocol (client authentication, run on top of SSH-TRANS);
3. SSH-CONN, a connection protocol (multiplexes channels such as interactive sessions and port forwards over the authenticated connection).

Transport Layer Security (TLS)

- HTTPS runs TLS over TCP port 443
- Handshake protocol: negotiates the data-integrity hash (MAC) and the symmetric-key cipher, authenticates the server and performs session-key establishment
- Record protocol: provides confidentiality and integrity for application data using the keys the handshake established

IP Security (IPsec)

- Optional in IPv4; originally mandatory in IPv6 (RFC 4294), relaxed to a SHOULD in RFC 6434
- Parts:
  - Security services: Authentication Header (AH), which authenticates the packet including most of the IP header but does not encrypt, and Encapsulating Security Payload (ESP), which encrypts the payload and optionally authenticates it
  - Internet Security Association and Key Management Protocol (ISAKMP), the key-management framework used by IKE
  - Security Association (SA): the "binder" that ties keys, algorithms and mode to one direction of a flow, identified on the wire by the SPI
- Mode: transport (protects the payload of the original IP packet, original header kept) or tunnel (wraps the whole original packet inside a new outer IP header)

http://www.unixwiz.net/techtips/iguide-ipsec.html

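Added example (not part of the slides): the AH and ESP layouts above, parsed from hand-built IPv4 packets. It shows what a firewall or IDS can see without the SA's keys: the SPI and sequence number are in the clear for both protocols, AH's next-header field reveals transport vs tunnel mode, while ESP hides it in the encrypted trailer. The anti-replay window is the receiver-side check that makes the sequence number useful. All packets and SPI values are constructed for the example.

```python
"""Classify IPsec protection on an IPv4 packet (AH vs ESP, SA by SPI, mode)
and enforce an ESP/AH anti-replay window. Packets are constructed samples."""
import struct

IPPROTO_IPIP = 4      # inner IPv4 header: tunnel mode
IPPROTO_TCP = 6
IPPROTO_IPV6 = 41     # inner IPv6 header: tunnel mode
IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_header(proto, payload_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal 20-byte IPv4 header (checksum left zero; never sent on the wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def ah_header(next_header, spi, seq, icv=b"\x00" * 12):
    """AH (RFC 4302): next header, length in 32-bit words minus 2, reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def esp_header(spi, seq, ciphertext):
    """ESP (RFC 4303): SPI and seq are cleartext; payload, padding and next header are encrypted."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify(pkt):
    """Return protocol, SPI, sequence number and mode as visible to an outside observer."""
    vihl, _, total_len, _, _, _, proto, _, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(vihl & 0x0F) * 4:total_len]
    if proto == IPPROTO_AH:
        next_header, _, _, spi, seq = struct.unpack("!BBHII", body[:12])
        mode = "tunnel" if next_header in (IPPROTO_IPIP, IPPROTO_IPV6) else "transport"
        return {"protocol": "AH", "spi": spi, "seq": seq, "mode": mode}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # The next-header byte lives in the encrypted ESP trailer, so the mode
        # cannot be determined without the SA's key.
        return {"protocol": "ESP", "spi": spi, "seq": seq, "mode": "hidden"}
    return {"protocol": proto, "spi": None, "seq": None, "mode": "none"}


class AntiReplayWindow:
    """Receiver-side sliding window (RFC 4303 section 3.4.3): each SA keeps one of these
    and rejects sequence numbers already seen or older than the window."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means top - i has been accepted

    def accept(self, seq):
        if seq == 0:                      # seq 0 is never valid on an SA
            return False
        if seq > self.top:                # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                  # too old, or a replay
        self.bitmap |= 1 << offset
        return True


# Constructed sample packets (not captures): a 20-byte TCP header stub as payload.
TCP_SEGMENT = b"\x04\xd2\x00\x50" + b"\x00" * 16
INNER_IP = ipv4_header(IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
AH_TRANSPORT = ipv4_header(IPPROTO_AH, 24 + len(TCP_SEGMENT)) + ah_header(IPPROTO_TCP, 0x1000, 1) + TCP_SEGMENT
AH_TUNNEL = ipv4_header(IPPROTO_AH, 24 + len(INNER_IP)) + ah_header(IPPROTO_IPIP, 0x2000, 7) + INNER_IP
ESP_PACKET = ipv4_header(IPPROTO_ESP, 8 + 32) + esp_header(0x3000, 42, b"\xaa" * 32)

if __name__ == "__main__":
    for name, pkt in (("AH transport", AH_TRANSPORT), ("AH tunnel", AH_TUNNEL), ("ESP", ESP_PACKET)):
        print(name, classify(pkt))
```

The window is per SA, which is why the SPI matters: a replayed packet carries a valid ICV, so only the (SPI, sequence number) bookkeeping catches it.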

FIREWALLS

Access control: a firewall forwards messages that are allowed and filters out messages that are disallowed.

Zones of trust:

1. the internal network
2. the demilitarized zone (DMZ), used to hold services such as DNS and email servers that need to be accessible to the outside
3. the rest of the Internet

Both the internal network and the outside world can access the DMZ, but hosts in the DMZ cannot initiate connections into the internal network, so a compromised DMZ server cannot be used as a stepping stone.

Filtering

A packet filter decides on the tuple (source IP, source port, destination IP, destination port); * is a wildcard.

- Example #1: discard
  - (192.12.13.14, 1234, 128.7.6.5, 80): block one client, using port 1234, from the web server 128.7.6.5
  - (*, *, 128.7.6.5, 80): block everyone from the web server 128.7.6.5
- Example #2: allow
  - (*, *, 128.19.20.21, 25): let anyone reach the mail server 128.19.20.21 on SMTP

Problem: dynamic port assignment. Clients pick ephemeral source ports, so the policy "allow an arbitrary server's response packet but disallow a similar packet for which there was no client request" cannot be written as a static tuple.

- Stateless firewall: not possible; it sees each packet in isolation and can only open all high ports to traffic from well-known server ports.
- Stateful firewall: keeps track of the state of each connection and admits an inbound packet only if it is the reply to an outbound request it has already seen.
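Added example (not from the slides): the two filters side by side on the slide's rule tuples. The stateless filter can only admit web replies by trusting anything from source port 80, which also admits a forged "reply" nobody asked for; the stateful filter records each allowed outbound request and admits only its reversed tuple. The internal host 10.1.2.3, the external server 203.0.113.9 and the traffic are constructed for the example.

```python
"""Stateless vs stateful packet filtering on (src_ip, src_port, dst_ip, dst_port)."""

WILDCARD = "*"


def matches(pattern, pkt):
    """A rule pattern matches when every field equals the packet's or is a wildcard."""
    return all(p == WILDCARD or p == f for p, f in zip(pattern, pkt))


class StatelessFilter:
    """First matching rule wins; packets matching no rule get the default action."""

    def __init__(self, rules, default="discard"):
        self.rules = rules        # list of (action, pattern)
        self.default = default

    def decide(self, pkt, direction):
        for action, pattern in self.rules:
            if matches(pattern, pkt):
                return action
        return self.default


class StatefulFilter(StatelessFilter):
    """Rules govern new outbound connections; a connection table lets replies back in."""

    def __init__(self, rules, default="discard"):
        super().__init__(rules, default)
        self.connections = set()  # (client_ip, client_port, server_ip, server_port)

    def decide(self, pkt, direction):
        src, sport, dst, dport = pkt
        if direction == "out":
            action = super().decide(pkt, direction)
            if action == "allow":
                self.connections.add(pkt)   # remember the request we let out
            return action
        # Inbound: a genuine reply has the request's tuple reversed.
        if (dst, dport, src, sport) in self.connections:
            return "allow"
        return super().decide(pkt, direction)


BASE_RULES = [
    ("discard", ("192.12.13.14", 1234, "128.7.6.5", 80)),        # slide example #1
    ("discard", (WILDCARD, WILDCARD, "128.7.6.5", 80)),
    ("allow", (WILDCARD, WILDCARD, "128.19.20.21", 25)),         # slide example #2
    ("allow", ("10.1.2.3", WILDCARD, WILDCARD, WILDCARD)),       # assumed internal host may initiate
]
# The only stateless way to admit web replies: trust everything from source port 80.
STATELESS_RULES = BASE_RULES + [("allow", (WILDCARD, 80, "10.1.2.3", WILDCARD))]


def run_scenario(fw):
    """Decisions for: an internal request, the genuine reply, and a forged 'reply'
    to a port the client never used."""
    request = ("10.1.2.3", 40000, "203.0.113.9", 80)
    reply = ("203.0.113.9", 80, "10.1.2.3", 40000)
    forged = ("203.0.113.9", 80, "10.1.2.3", 40001)
    return (fw.decide(request, "out"), fw.decide(reply, "in"), fw.decide(forged, "in"))


if __name__ == "__main__":
    print("stateless:", run_scenario(StatelessFilter(STATELESS_RULES)))
    print("stateful: ", run_scenario(StatefulFilter(BASE_RULES)))
```

A production stateful filter also ages entries out (FIN/RST or idle timeout) and checks TCP flags and sequence numbers, which this table omits; without expiry the connection set grows without bound and an old entry keeps a port open long after the client is done.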

Proxy-based firewall

- Problem: complex policy, which a packet filter cannot express because it sees only addresses and ports
- Example: web server. The policy depends on who the client is and which page is requested, and both live inside the HTTP request, not in the packet headers
- Solution: proxy. The external client connects to the proxy, the proxy applies the policy to the application-level request and, only if allowed, opens its own internal connection to the local server
- Design: transparent (the client is unaware of the proxy) vs. classical (the client is configured to talk to the proxy)
- Limitations: attacks from within the perimeter, and malware carried inside content the policy allows


[Figure: a company network with its web server, reached across the Internet through a firewall by a random external user and by a remote company user]

[Figure: proxy-based firewall. An external client makes an external HTTP/TCP connection to the proxy; the proxy makes a separate internal HTTP/TCP connection to the local server]
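Added example (not from the slides or any real proxy): the policy step of the proxy in the web-server figure. The proxy parses the external client's request, classifies the client, applies a page-level policy, and then rebuilds the request it will send over its own internal connection rather than relaying the client's bytes. The policy itself (externals may only fetch pages under /public/, remote company users identified by a bearer token may fetch anything), the token store, the internal host name localserver.internal and the sample requests are all assumptions for the example.

```python
"""Policy enforcement in an HTTP proxy: parse, classify, decide, rebuild."""
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
# Headers that describe the client-to-proxy hop and must not be forwarded.
HOP_BY_HOP = {"connection", "proxy-authorization", "proxy-connection", "keep-alive", "te", "upgrade"}


def parse_request(raw: bytes):
    """Parse the request line and headers of an HTTP/1.x request (body not handled)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")          # non-ASCII raises, caught by proxy()
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def classify_client(headers, valid_tokens):
    """Assumed policy: a valid bearer token marks a remote company user; all else is external."""
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer ") and auth[7:] in valid_tokens:
        return "employee"
    return "external"


def allowed(client_class, method, path):
    """Assumed page-level policy. Externals: read-only access to /public/ only.
    Employees: read and POST anywhere. Nobody gets traversal or absolute-form paths."""
    if not path.startswith("/") or ".." in path.split("/"):
        return False
    if client_class == "external":
        return method in ("GET", "HEAD") and path.startswith("/public/")
    return method in ("GET", "HEAD", "POST")


def proxy(raw, valid_tokens=frozenset()):
    """Return (status, forwarded_request); forwarded_request is None when refused.
    The forwarded request is rebuilt from parsed fields, never copied verbatim."""
    try:
        method, path, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError):
        return 400, None
    if not allowed(classify_client(headers, valid_tokens), method, path):
        return 403, None
    out = [f"{method} {path} HTTP/1.1", "Host: localserver.internal"]   # assumed internal name
    # The token authenticated the client to the proxy; the internal server never sees it.
    out += [f"{k}: {v}" for k, v in headers.items()
            if k not in HOP_BY_HOP and k not in ("host", "authorization")]
    return 200, ("\r\n".join(out) + "\r\n\r\n").encode("ascii")


# Constructed sample requests (not captured traffic).
EXTERNAL_PUBLIC = b"GET /public/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
EXTERNAL_PRIVATE = b"GET /intranet/payroll.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
EMPLOYEE_PRIVATE = (b"GET /intranet/payroll.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Authorization: Bearer s3cret\r\n\r\n")
TRAVERSAL = b"GET /public/../intranet/payroll.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for req in (EXTERNAL_PUBLIC, EXTERNAL_PRIVATE, EMPLOYEE_PRIVATE, TRAVERSAL):
        print(proxy(req, {"s3cret"}))
```

Rebuilding the request is the point of the design: because the internal connection carries only what the proxy parsed and chose to send, a malformed or smuggled request from outside never reaches the local server. This is also why the figure shows two separate TCP connections rather than one forwarded one.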