Chapter 5: Virtual Networks
Download
Report
Transcript Chapter 5: Virtual Networks
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalysis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
1
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalysis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
2
Introduction
Secure channel:
Properties:
Confidentiality
Integrity
Authenticity
Non-repudiation
Secure channel?
Receiver
Sender
Virtual Networks
3
Introduction
Confidentiality:
Transmitted info in an insecure channel can only
be understood by desired destination/s
It must stay unintelligible for the rest
Ways of protection:
Dedicated physical links
High cost
Difficult maintenance
Cipher
Attack e.g.: obtaining data from sender
Virtual Networks
4
Introduction
Integrity:
Ensures that transmitted info was not modified
during the communication process
Message in destination must be the same as in
source
Ways of protection:
Digital signature
Attack e.g.: modifying the destination address
in a product bought on the internet
Virtual Networks
5
Introduction
Authenticity:
Ensures the source of the info
Avoids impersonation
Ways of protection:
Digital signature
Challenge
Human authentication
Biometric (fingerprint, retina, facial recognition, etc.)
Attack e.g.: user impersonation in bank transaction
Virtual Networks
6
Introduction
Non-repudiation:
Avoid sender’s denial
Avoid receiver’s denial
Ways of protection:
Digital signature
Attack e.g.: loss of an application form
Virtual Networks
7
Introduction
Insecure channel:
Non-reliable
Attacks: Violation of channel security
Types
Passive
Active
Categories
Interception
Interruption
Modification
Fabrication
Virtual Networks
8
Introduction
Passive attacks:
Attacker does not change the content of the
transmitted information
Objectives:
Entity identification
Traffic control
Traffic analysis
Usual data exchange time detection
Difficult to detect
Easy to avoid -> encryption
Virtual Networks
9
Introduction
Active attacks:
Attacker does change the content of the transmitted
information
Types:
Masked (impostor)
Repetitive (intercepted msg, repeated later)
Msg modification
Service denial
Difficult to prevent
Easy to detect -> detection & recovery
Virtual Networks
10
Introduction
Interception:
Confidentiality attack
Passive
A non-authorized intruder achieves the access to a non-shared
resource
E.g:
Traffic capture
Obtaining copies of files or programs
Receiver
Transmitter
Intruder
Virtual Networks
11
Introduction
Interruption:
Destruction of a shared resource
Active
E.g:
Destruction of hardware
Communication breakdown
Receiver
Transmitter
Intruder
Virtual Networks
12
Introduction
Modification:
A non-shared resource is intercepted & modified by a nonauthorized host before arriving to its final destination
Active
E.g:
Change in sent data
Receiver
Transmitter
Intruder
Virtual Networks
13
Introduction
Fabrication:
Authenticity attack
Active
Non-authorized host (impostor) generates a resource that
arrives to the final destination
E.g:
Fraud information
Receiver
Transmitter
Intruder
Virtual Networks
14
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
15
Cryptography
Introduction:
Why?
Way of protecting information against intruders
(encryption & digital signatures)
Definition
Science of secret writing, for hiding information from
third parties
Principle
Keeping privacy between two or more communication
elements
Virtual Networks
16
Cryptography
Introduction:
Functioning basis
Altering original msg to avoid the access to the
information of any non-authorized party
E.g
Original msg: “This lecture is boring”
Altered msg: “Wklv ohfwxuh lv erulqj”
Caesar cipher (K=3)
Virtual Networks
17
Cryptography
Cipher:
Mechanism that
converts a plain msg in
an incomprehensible one
Cipher algorithm needs a
key
Decipher:
Mechanism that
converts an
incomprehensible msg in
the original one
Necessary to know the
used cipher algorithm
and the key
Virtual Networks
18
Cryptography
Introduction:
Functioning scheme
Receiver
Transmitter
cipher
decipher
Virtual Networks
19
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
20
Cryptanalysis
Introduction:
Definition
Set of methods used to guess the key used by the
elements of communication
Objective
Reveal the secret of communication
Attacks
Brute force attack (most common)
Types:
Ciphertext-Only Attack
Known Plaintext Attack
Chosen Plaintext Attack
Virtual Networks
21
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
22
Symmetric Key
Features:
Private key
Transmitter & Receiver share the same key
Receiver
Transmitter
cipher
decipher
Virtual Networks
23
Symmetric Key
Algorithms:
DES, 3DES, RC5, IDEA, AES
Requirements:
Neither plaintext nor the key may be extracted from
the msg
The cost in time & money of obtaining the information
must be higher than the value of the obtained
information
Algorithm strength:
Internal complexity
Key length
Virtual Networks
24
Symmetric Key
Accomplished objectives:
Confidentiality
Integrity
Authentication
Non repudiation
Depending on the number of parties sharing the secret key
Virtual Networks
25
Symmetric Key
Advantages:
Algorithm execution rate
Best method to cipher great pieces of information
Disadvantages:
Distribution of private key
Key management
The number of used keys is proportional to the
number of used secure channels
Virtual Networks
26
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
27
Asymmetric Key
Tx private
Tx public
Rx private
Features:
Rx public
Public Key
Every party has got a pair of keys (private-public)
Receiver
Transmitter
cipher
decipher
Virtual Networks
28
Asymmetric Key
Algorithms:
Diffie-Hellman, RSA, DSA
Requirements:
Neither plaintext nor the key may be extracted from
the msg
The cost in time & money of obtaining the information
must be higher than the value of the obtained
information
For an public-key encrypted text, there must be only
a private key capable of decrypt it, and viceversa
Virtual Networks
29
Asymmetric Key
Accomplished objectives:
Confidentiality
Integrity
Authentication
Offers very good mechanisms
Non repudiation
Offers very good mechanisms
Virtual Networks
30
Asymmetric Key
Advantages:
No problems for key distribution -> public key
In case of the steal of a user’s private key, only
the msgs sent to that user are involved
Better authentication mechanisms than
symmetric systems
Disadvantages:
Algorithm execution rate
Virtual Networks
31
Asymmetric Key
Authentication:
Challenge-response
Digital signature
Digital certificate
Non repudiation:
Digital signature
Digital certificate
Virtual Networks
32
Tx private
Asymmetric Key
Tx public
Rx private
Rx public
Challenge-response:
Send of a challenge in clear text. Its response is only known by
the transmitter
The transmitter sends a private-key ciphered response
Receiver
Transmitter
cipher
decipher
Virtual Networks
33
Asymmetric Key
Tx private
Tx public
Rx private
Digital signature:
Rx public
Verifies source authenticity
Parts
Signature (transmitter)
Signature verification (receiver)
Receiver
Transmitter
Signature
verification
Virtual Networks
34
Asymmetric Key
Tx private
Tx public
Rx private
Digital signature:
Problem: Process is slow
Use of fingerprint
Rx public
Receiver
Transmitter
Virtual Networks
35
Asymmetric Key
Digital signature - fingerprint:
Reduces encryption time
Hash function
Turns a variable length set of data in a summary or
fingerprint. A fingerprint has a fixed length and it is
illegible and nonsense
Irreversible
Algorithms SHA-1, MD5
Requirements
Capability of turning variable length data in fixed length
blocks
Easy to use and implement
Impossible to obtain the original fingerprint text
Different texts must generate different fingerprints
Problem: Key management
Virtual Networks
36
Asymmetric Key
Digital certificate:
Information unit containing a pair of public-private keys,
together with the necessary information to allow the
owner for secure communications
Contents:
Public key
Private key (if owner)
Owner information
Useful information (algorithms, allowed functions, ...)
Valid-from
Certificate Authority signatures
Revocation is possible
Virtual Networks
37
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
38
Mixed systems
Tx private
Tx public
Rx private
Session keys:
Rx public
Session key
Process
Session Key distribution (asymmetric)
Secure communication (symmetric)
Receiver
Transmitter
Virtual Networks
39
Mixed systems
Tx private
Tx public
Rx private
Session keys:
Rx public
Session key
Process
Session Key distribution (asymmetric)
Secure communication (symmetric)
Receiver
Transmitter
Virtual Networks
40
Mixed systems
Accomplished objectives:
Confidentiality
Integrity
Authentication
Non repudiation
Use of digital signatures & certificates
Virtual Networks
41
Mixed systems
Advantages:
No problems for key distribution -> public key
Improbable to guess session key
May use public key authentication & nonrepudiation mechanisms
Algorithm execution rate
Virtual Networks
42
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
43
Virtual Private Networks
Introduction:
Interconnection of users & entities
Dedicated line (intranets)
Expensive
Difficult to manage
Use os public access network
Security risks
LAN
Public
network
Virtual Networks
44
Virtual Private Networks
Concept:
VPN: Private data channel implemented upon a public
communication network
Objectives:
Linking remote subnetworks
Linking subnetworks & remote users
Use of virtual tunnel with encryption
Virtual tunnel
Public
network
LAN
Virtual Networks
45
Virtual Private Networks
Requirements:
Authentication & identity verification
Virtual IP address range management
Data cipher
Management of digital certificates and public
and private keys
Support for many protocols
Virtual Networks
46
Virtual Private Networks
Types:
Hardware-based systems
optimized specific designs
Very secure and simple
High performance
High cost
Additional services (firewalls, intruder detectors,
antivirus, etc.)
Cisco, Stonesoft, Juniper, Nokia, Panda Security
Software-based systems
Virtual Networks
47
Virtual Private Networks
Advantages:
Security & confidentiality
Cost reduction
Scalability
Simple management
Compatibility with wireless links
Virtual Networks
48
Virtual Private Networks
Elements:
Local or private networks
Restricted access LAN with pvt IP address range
Insecure networks
VPN tunnels
Servers
Routers
Remote users (road warriors)
Remote offices (gateways)
Virtual Networks
49
Virtual Private Networks
Scenarios:
P2P
LAN - LAN
LAN – remote user
LAN
LAN
LAN
Virtual Networks
50
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
51
PPTP
Features:
Peer to Peer Tunnel Protocol (PPTP)
Designed & developed by 3Com, Microsoft
Corporation, Ascend Communications y ECI
Telematics; defined IETF (RFC 2637)
Used for secure virtual access of remote users to a
private network
Use of tunnel mechanisms for the send of data from
client to server
Use of a private or public IP network
Virtual Networks
52
PPTP
Functioning:
PPTP server configured to distribute private LAN IP
addresses
Server acts as a bridge
192.168.1.30 192.168.1.31
67.187.11.25
PPTP server
192.168.1.1
LAN
Remote
user
192.168.1.100 - 120
Virtual Networks
192.168.1.32
53
PPTP
Phases:
PPP Connection establishment with ISP
PPTP connection control
TCP connection
Control msgs exchange
Data transmission
GRE Protocol
Cipher
Virtual Networks
54
PPTP
PPP:
Point-to-Point Protocol (RFC 1661)
Data link layer
Used for the connection to ISP by means of a telephony line
(modem) or PSTN
Versions for broadband access (PPPoE y PPPoA)
Functions:
Establishing, maintaining and finishing peer-to-peer connection
User authentication (PAP y CHAP)
Creation of encrypted frames
PPP
IP
Data
Virtual Networks
55
PPTP
PPTP connection control:
Specifies session control messages:
PPTP_START_SESSION_REQUEST: session start request
PPTP_START_SESSION_REPLY: session start response
PPTP_ECHO_REQUEST: session keepalive request
PPTP_ECHO_REPLY: session keepalive response
PPTP_WAN_ERROR_NOTIFY: error notification
PPTP_SET_LINK_INFO: client-server connection
configuration
PPTP_STOP_SESSION_REQUEST: session stop request
PPTP_STOP_SESSION_REPLY: session stop reply
Virtual Networks
56
PPTP
PPTP authentication:
Uses the same mechanisms as PPP:
PAP (Password Authentication Protocol)
Very simple: send of name and passwd in plaintext
CHAP (Challenge Handshake Authentication Protocol)
Challenge-response mechanism
Client generates a fingerprint from the received challenge
(MD5)
Shared secret key
Send of challenge to renew identity
Virtual Networks
57
PPTP
PPTP authentication:
Two new mechanisms:
SPAP (Shiva Password Authentication Protocol)
PAP with the send of an encrypted client passwd
MS-CHAP (Microsoft Challenge Handshake Authentication
Protocol)
Proprietary CHAP-based-Algorithm by Microsoft
Mutual authentication process (client & server)
Due to a security failure in Windows NT, MS-CHAP v2 was
created
Virtual Networks
58
PPTP
Data transmission:
Uses a modification of GRE (Generic Routing
Encapsulation) protocol: RFC 1701 y 1702
Establishes a functional division in three protocols:
Passenger Protocol
Carrier Protocol
Transport Protocol
Transport
Carrier
Protocol
Virtual Networks
59
PPTP
Data transmission:
Send of PPP frames -> encapsulated in IP datagrams
TCP
IP
MAC
IP
GRE
PPP
Virtual Networks
Data
Data
60
PPTP
Encryption:
MPPE (Microsoft Point-To-Point Encryption)
RFC 3078
uses RSA RC4 algorithm-> Session key from a client pvt key
Only with CHAP or MS-CHAP
Allows non-encrypted tunneling (PAP or SPAP) -> No
VPN
Virtual Networks
61
PPTP
Advantages:
Implementation low cost (uses public network)
No limit for the number of tunnels due to server
physical interfaces (but more resources are
necessary in the server for every tunnel)
Disadvantages:
Very vulnerable
Non-authenticated TCP connection control
Weakness of MS-CHAP protocol in NT systems
Weakness of MPPE protocol
Use of pvt passwd
Virtual Networks
62
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
63
L2TP
Features:
Layer 2 tunneling protocol (RFC 2661) - PPP
L2TP v3 (RFC 3931) - multiprotocol
Based in 2 network protocols to carry de red PPP
frames:
PPTP
L2F (Layer Two Forwarding)
Used together with IPSec to offer more security
(L2TP/IPSec, RFC 3193)
Virtual Networks
64
L2TP
Functioning:
LAC: L2TP Access Concentrator
LNS: L2TP Network Server
Server acts as a bridge
L2TP Server
(LNS)
192.168.1.1
67.187.11.25
ISP
Remote
user
Compulsory
192.168.1.31
LAN
192.168.1.32
192.168.1.100 - 120
LAC
Voluntary
Virtual Networks
65
L2TP
Voluntary:
1)
Remote users is
User starts a PPP connection
connected to ISP
with ISP
2) L2TP client starts L2TP
ISP accepts connection & PPP
tunnel to LNS
link
3) If LNS accepts, LAC
ISP requests authentication
encapsulates PPP with
LAC starts L2TP tunnel to LNS
L2TP and sends through
If LNS accepts, LAC
tunnel
encapsulates PPP with L2TP and
4) LNS accepts frames &
sends frames
process them as if they
LNS accepts L2TP frames &
were PPP frames
process them as if they were
PPP frames
5) LNS authenticates PPP
LNS authenticates PPP valid
valid user -> assigns IP
user -> assigns IP addr
addr
Types of tunnels:
Compulsory:
1)
2)
3)
4)
5)
6)
7)
Virtual Networks
66
L2TP
Messages:
Two types:
Control
Used during the establishment, keepalive & termination of the
tunnel
Reliable control channel (guarantees msg delivery)
Data
Encapsulates information into PPP frame
Uses UDP port 1701
Virtual Networks
67
L2TP
Control msgs:
Connection keepalive:
Start-Control-Connection-Request: Session start request
Start-Control-Connection-Reply: Session start response
Start-Control-Connection-Connected: Established session
Start-Control-Connection-Notification: Session end
Hello: sent during inactivity periods
Virtual Networks
68
L2TP
Control msgs:
‘Call’ keepalive:
Outgoing-Call-Request: start of outgoing call
Outgoing-Call-Reply: start of outgoing call response
Outgoing-Call-Connected: outgoing call established
Incoming-Call-Request: start of incoming call
Incoming-Call-Reply: start of incoming call response
Incoming-Call-Connected: incoming call established
Call-Disconnect-Notify: call stop
Virtual Networks
69
L2TP
Control msgs:
Error notification:
WAN-Error-Notify
PPP Control session:
Set-Link-Info: configures client-server connection
Virtual Networks
70
L2TP
Advantages:
Implementation low cost
Multiprotocol support
Disadvantages:
Only the two terminals in the tunnel are identified
(possible impersonation attacks)
No support for integrity (possible service denial
attack)
Does not develop confidentiality
Does not offer encryption, though PPP may be
encrypted (no mechanism for automatic key
generation)
Virtual Networks
71
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
72
IPSec
Features:
Internet Protocol Security
Offers security services for the network layer
Allows linking different networks (remote offices)
Allows a remote user to access the pvt resources in a
network
IETF (Internet Engineering Task Force) Standard
Integrated in IPv4; default included in IPv6
IPSec is connection oriented
Virtual Networks
73
IPSec
Features:
Services:
Data integrity
Source authentication
Confidentiality
Replay attack prevention
Functioning modes:
Transport mode
Tunnel mode
Virtual Networks
74
IPSec
Security association:
Definition (SA):
“Unidirectional agreement between the parties in an IPSec
connection according to the methods & parameters used for
the tunnel structure. They must guarantee transmitted data
security”
An entity must store:
Used security algorithms and keys
Functioning mode
Key management methods
Valid time for the established connection
Database with SA
Virtual Networks
75
IPSec
Security association:
Example:
SPI: 12345
Source IP: 200.168.1.100
Dest IP: 193.68.2.23
Protocol: ESP
Encryption algorithm: 3DES-cbc
HMAC algorithm: MD5
Encryption key: 0x7aeaca…
HMAC key:0xc0291f…
Methods for key distribution & management:
Manual: personal delivery
Automatic: AutoKey IKE
Virtual Networks
76
IPSec
IKE Protocol:
Internet Key Exchange Protocol (IKE)
Defined in IETF
key distribution & management
SA establishment
Standard is not only limited to IPSec (OSPF or RIP)
Hybrid protocol:
ISAKMP (Internet Security Association and Key
Management Protocol)
Define msg syntax
Necessary proceedings for SA establishment, negotiation,
modification and deletion
Oakley
Specifies the logic for the secure key exchange
Virtual Networks
77
IPSec
IKE – IPSec tunnel negotiation:
Two phases:
Phase 1: Establishment of a secure bidirectional
communication channel (IKE SA)
IKE SA different to IPSec SA
Called ISAKMP SA
Phase 2: Agreements about cipher and authentication
algorithms -> IPSec SA
Uses ISAKMP to generate IPSec SA
The precursor offers different possibilities
The other entity accepts the first configuration according to
its limitations
They inform each other about the type of traffic
Virtual Networks
78
IPSec
Advantages:
Allows remote access in a secure way
Best option for e-commerce (secure infrastructure
for electronic transactions)
Allows secure corporate networks (extranets) over
public networks
Virtual Networks
79
IPSec
Protocols:
Authentication Header Protocol (AH)
Encapsulated Secure Payload (ESP)
Virtual Networks
80
IPSec
AH Protocol:
Network layer Protocol field: 51
Provided services:
Integrity
Authentication
Does not guarantee confidentiality (no data encryption)
HMAC (Hash Message Authentication Codes)
Generation of digital fingerprint (SHA or MD5)
Encryption of digital fingerprint with shared secret
Virtual Networks
81
IPSec
AH Protocol:
HMAC
Receiver
Transmitter
HMAC
IP
AH
DATA
IP
AH
Virtual Networks
DATA
HMAC
82
IPSec
AH Protocol:
Format
32 bits
IP header
Payload
Next
Reserved
header length
Security Parameters Index (SPI)
Sequence number
AH header
Authentication data
Data
Virtual Networks
83
IPSec
AH Protocol:
Format:
Next header: superior layer protocol
Payload length: Data field length (32 bits)
Security Parameters Index (SPI): SA identifier
Sequence number
Authentication data: Variable length HMAC
Virtual Networks
84
IPSec
ESP Protocol:
Network layer Protocol field: 50
Supported services:
Integrity (optional)
Authentication (optional)
Confidentiality (data encryption)
Symmetric key encryption algorithm Algoritmo de
(DES, 3DES, Blowfish)
Usually block encryption (padding)
Requires a secure mechanism for key distribution (IKE)
Virtual Networks
85
IPSec
ESP Protocol:
Receiver
Transmitter
IP
ESP
DATA
ESP
IP
ESP
DATA
Virtual Networks
ESP
86
IPSec
ESP Protocol:
Formato
32 bits
IP header
Security Parameters Index (SPI)
Sequence number
ESP
Datos
Encryption
Pad
length
Authentication data
Padding
Next
header
Virtual Networks
87
IPSec
ESP Protocol:
Format:
Security Parameters Index (SPI): SA Identifier
Sequence number
Padding
Pad length: padding length (bytes)
Next header: Superior layer protocol
Authentication data: Variable length HMAC
Virtual Networks
88
IPSec
Modes of operation:
Applicable to AH & ESP
Transport Mode
using AH
Transport Mode
using ESP
Tunnel Mode
using AH
Tunnel Mode
using ESP
Most used
Virtual Networks
89
IPSec
Transport Mode:
Data are encapsulated in an AH or ESP datagram
Ensures end-to-end communication
client-client scheme (both ends must understand
IPSec)
Used to connect remote users
IPSec host
IPSec host
IP 1
IP 2
IP 2
IP 1
IPSec
Data
Virtual Networks
90
IPSec
Transport mode:
AH: Next header = Protocol in IP header
Original IP AH
header
header
Data
Authentication
ESP: Next header = Protocol in IP header
Original IP ESP
header
header
Data
Encryption
Authentication
Virtual Networks
91
IPSec
Tunnel mode:
Data are encapsulated in a whole IP datagram
A new IP header is generated
Used when the final destination is not the IPSec end
(gateways)
Host without
IPSec
gateway using IPSec
gateway using IPSec
IP 1
IP A
IP B
IP 2
Host without
IPSec
IP B
IP A
IPSec
IP 2
IP 1
Virtual Networks
Data
92
IPSec
Tunnel mode :
AH: New IP header Protocol = 51 & Next header = 4
New
IP header
AH
header
Original IP
Header
Data
Authentication
ESP: New IP header Protocol = 50 & Next header = 4
New
IP header
ESP
Header
Original IP
Header
Data
Encryption
Authentication
Virtual Networks
93
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
94
SSL
Project OpenVPN:
Implementation of VPN based on SSL (OpenSSL)
Free software (GPL)
Reason: Limitations of IPSec
Features:
Driver is in charge of building a tunnel & encapsulating pkts
through a virtual link
Allows authentication & encryption
All communications using TCP or UDP port (default 1194)
Multiplatform
Allows compression
Virtual Networks
95
SSL
Project OpenVPN:
Features:
Client-server model (version 2.0)
Self-install packages and graphic interfaces
Allows remote management
Great flexibility (many script formats)
Virtual Networks
96
SSL: Secure Sockets Layer
Widely deployed security protocol
SSL
TCP
TLS: transport layer security, RFC
2246
Provides
Confidentiality
Integrity
Authentication
SSL provides application
programming interface (API) to
applications
C and Java SSL libraries/classes
readily available
Application
Number of variations:
Supported by almost all browsers
and web servers
https
Originally designed by Netscape in
1993
IP
Application
with SSL
Virtual Networks
97
SSL: general features
Handshake: use of certificates and private
keys to authenticate each other and
exchange shared secret
Key Derivation: use of shared secret to
derive set of keys
Data Transfer: Data to be transferred is
broken up into a series of records
Connection Closure: Special messages to
securely close connection
Virtual Networks
98
SSL handshake and key derivation
Host A
Host B
MS = master secret
EMS = encrypted master secret
Virtual Networks
99
Key derivation
Use different keys for message authentication
code (MAC) and encryption
Four keys:
Kc = encryption key for data sent from client to server
Mc = MAC key for data sent from client to server
Ks = encryption key for data sent from server to client
Ms = MAC key for data sent from server to client
Takes master secret and (possibly) some
additional random data and creates the keys
Virtual Networks
100
Data Transfer and closure
SSL breaks stream in series of records
Each record carries a MAC
Receiver can act on each record as it arrives
length
data
MAC
sequence number into MAC:
MAC = MAC(Mx, sequence||data)
Note: no sequence number field
Use of random numbers
record types, with one type for closure
type 0 for data; type 1 for closure
Virtual Networks
101
SSL Record Format
1 byte
content
type
2 bytes
3 bytes
length
SSL version
data
MAC
Data and MAC encrypted
Virtual Networks
102
Real
Connection
Host A
Host B
Everything
henceforth
is encrypted
TCP Fin follow
Virtual Networks
103
Chapter 5: Virtual Networks
5.1 Security in
networks
5.1.1 Introduction
5.1.2 Cryptography
5.1.3 Cryptanalisis
5.1.4 Symmetric key
5.1.5 Asymmetric key
5.1.6 Mixed systems
5.2 Virtual Private
Networks, VPN
5.2.1 Introduction
5.2.2 PPTP
5.2.3 L2TP
5.2.4 IPsec
5.2.5 SSL
5.3 Virtual Local Area
Networks, VLAN
Virtual Networks
104
VLAN
Introduction:
Las LANs institucionales modernas suelen presentar
topología jerárquica
Cada grupo de trabajo posee su propia LAN
conmutada
Las LANs conmutadas pueden interconectarse entre
sí mediante una jerarquía de conmutadores
S4
S1
S2
A
B
S3
C
F
D
E
I
G
Virtual Networks
H
105
VLAN
Inconvenientes:
Falta de aislamiento del tráfico
Tráfico de difusión
Limitar tráfico por razones de seguridad y confidencialidad
Uso ineficiente de los conmutadores
Gestión de los usuarios
Virtual Networks
106
VLAN
VLAN:
VLAN basada en puertos
A
División de puertos del conmutador en grupos
Cada grupo constituye una VLAN
Cada VLAN es un dominio de difusión
Gestión de usuario -> Cambio de configuración del
conmutador
B
C
D
E
F
G
Virtual Networks
H
I
107
VLAN
VLAN:
¿Cómo enviar información entre grupos?
A
Conectar puerto del conmutador VLAN a router externo
Configurar dicho puerto como miembro de ambos grupos
Configuración lógica -> conmutadores separados conectados
mediante un router
Normalmente los fabricantes incluyen en un único dispositivo
conmutador VLAN y router
B
C
D
E
F
G
Virtual Networks
H
I
108
VLAN
VLAN:
Localización diferente
A
Miembros de un grupo se encuentran en edificios diferentes
Necesario varios conmutadores
Conectar puertos de grupos entre conmutadores -> No escalable
B
D
E
G
C
Virtual Networks
I
H
F
109
VLAN
VLAN:
Localización diferente
Troncalización VLAN (VLAN Trunking)
Puerto troncal pertenece a todas las VLANs
¿VLAN Destino de la trama? -> formato de trama 802.1Q
Enlace
troncal
A
B
D
E
G
C
Virtual Networks
I
H
F
110
VLAN
IEEE 802.1Q:
IEEE 802.3 (Ethernet)
Preambulo
Dir.
Destino
Dir.
Origen
Tipo
Datos
CRC
IEEE 802.1Q
Preambulo
Dir.
Destino
Dir.
Origen
TPID TCI Tipo
Datos
CRC
nuevo
Información de control de etiquetado
Identificador de protocolo de etiquetado
Virtual Networks
111
VLAN
VLAN:
VLAN basada en MAC (nivel 2)
El administrador de red crea grupos VLAN basados en
rangos de direcciones MAC
El puerto del conmutador se conecta a la VLAN
correspondiente con la dirección MAC del equipo asociado
VLAN nivel 3
Basada en direcciones de red IPv4 o IPv6
Basada en protocolos de red (Appletalk, IPX, TCP/IP)
Virtual Networks
112