Chapter 4: Virtual Networks

Download Report

Transcript Chapter 4: Virtual Networks

Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalysis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
1
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalysis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
2
Introduction
Secure channel:
 Properties:




Confidentiality
Integrity
Authenticity
Non-repudiation
Secure channel?
Receiver
Sender
Virtual Networks
3
Introduction
Confidentiality:
 Transmitted info in an insecure channel can only
be understood by desired destination/s
 It must stay unintelligible for the rest
 Ways of protection:

Dedicated physical links
 High cost
 Difficult maintenance

Cipher
 Attack e.g.: obtaining data from sender
Virtual Networks
4
Introduction
Integrity:
 Ensures that transmitted info was not modified
during the communication process
 Message in destination must be the same as in
source
 Ways of protection:

Digital signature
 Attack e.g.: modifying the destination address
in a product bought on the internet
Virtual Networks
5
Introduction
Authenticity:
 Ensures the source of the info
 Avoids impersonation
 Ways of protection:



Digital signature
Challenge
Human authentication
 Biometric (fingerprint, retina, facial recognition, etc.)
 Attack e.g.: user impersonation in bank transaction
Virtual Networks
6
Introduction
Non-repudiation:
 Avoid sender’s denial
 Avoid receiver’s denial
 Ways of protection:

Digital signature
 Attack e.g.: loss of an application form
Virtual Networks
7
Introduction
Insecure channel:
 Non-reliable
 Attacks: Violation of channel security

Types
 Passive
 Active

Categories
 Interception
 Interruption
 Modification
 Fabrication
Virtual Networks
8
Introduction
Passive attacks:
 Attacker does not change the content of the
transmitted information
 Objectives:




Entity identification
Traffic control
Traffic analysis
Usual data exchange time detection
 Difficult to detect
 Easy to avoid -> encryption
Virtual Networks
9
Introduction
Active attacks:
 Attacker does change the content of the transmitted
information
 Types:




Masked (impostor)
Repetitive (intercepted msg, repeated later)
Msg modification
Service denial
 Difficult to prevent
 Easy to detect -> detection & recovery
Virtual Networks
10
Introduction
Interception:
 Confidentiality attack
 Passive
 A non-authorized intruder achieves the access to a non-shared
resource
 E.g:


Traffic capture
Obtaining copies of files or programs
Receiver
Transmitter
Intruder
Virtual Networks
11
Introduction
Interruption:
 Destruction of a shared resource
 Active
 E.g:


Destruction of hardware
Communication breakdown
Receiver
Transmitter
Intruder
Virtual Networks
12
Introduction
Modification:
 A non-shared resource is intercepted & modified by a nonauthorized host before arriving to its final destination
 Active
 E.g:

Change in sent data
Receiver
Transmitter
Intruder
Virtual Networks
13
Introduction
Fabrication:
 Authenticity attack
 Active
 Non-authorized host (impostor) generates a resource that
arrives to the final destination
 E.g:

Fraud information
Receiver
Transmitter
Intruder
Virtual Networks
14
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
15
Cryptography
Introduction:
 Why?

Way of protecting information against intruders
(encryption & digital signatures)
 Definition
 Science of secret writing, for hiding information from
third parties
 Principle
 Keeping privacy between two or more communication
elements
Virtual Networks
16
Cryptography
Introduction:
 Functioning basis

Altering original msg to avoid the access to the
information of any non-authorized party
 E.g
 Original msg: “This lecture is boring”
 Altered msg: “Wklv ohfwxuh lv erulqj”
 Caesar cipher (K=3)
Virtual Networks
17
Cryptography
Cipher:
 Mechanism that
converts a plain msg in
an incomprehensible one
 Cipher algorithm needs a
key
Decipher:
 Mechanism that
converts an
incomprehensible msg in
the original one
 Necessary to know the
used cipher algorithm
and the key
Virtual Networks
18
Cryptography
Introduction:
 Functioning scheme
Receiver
Transmitter
cipher
decipher
Virtual Networks
19
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
20
Cryptanalysis
Introduction:
 Definition

Set of methods used to guess the key used by the
elements of communication
 Objective
 Reveal the secret of communication
 Attacks
 Brute force attack (most common)
 Types:
 Ciphertext-Only Attack
 Known Plaintext Attack
 Chosen Plaintext Attack
Virtual Networks
21
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
22
Symmetric Key
Features:
 Private key
 Transmitter & Receiver share the same key
Receiver
Transmitter
cipher
decipher
Virtual Networks
23
Symmetric Key
Algorithms:
 DES, 3DES, RC5, IDEA, AES
 Requirements:


Neither plaintext nor the key may be extracted from
the msg
The cost in time & money of obtaining the information
must be higher than the value of the obtained
information
 Algorithm strength:
 Internal complexity
 Key length
Virtual Networks
24
Symmetric Key
Accomplished objectives:
 Confidentiality
 Integrity
 Authentication
 Non repudiation

Depending on the number of parties sharing the secret key
Virtual Networks
25
Symmetric Key
Advantages:
 Algorithm execution rate

Best method to cipher great pieces of information
Disadvantages:
 Distribution of private key
 Key management

The number of used keys is proportional to the
number of used secure channels
Virtual Networks
26
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
27
Asymmetric Key
Tx private
Tx public
Rx private
Features:
Rx public
 Public Key
 Every party has got a pair of keys (private-public)
Receiver
Transmitter
cipher
decipher
Virtual Networks
28
Asymmetric Key
Algorithms:
 Diffie-Hellman, RSA, DSA
 Requirements:



Neither plaintext nor the key may be extracted from
the msg
The cost in time & money of obtaining the information
must be higher than the value of the obtained
information
For an public-key encrypted text, there must be only
a private key capable of decrypt it, and viceversa
Virtual Networks
29
Asymmetric Key
Accomplished objectives:
 Confidentiality
 Integrity
 Authentication

Offers very good mechanisms
 Non repudiation
 Offers very good mechanisms
Virtual Networks
30
Asymmetric Key
Advantages:
 No problems for key distribution -> public key
 In case of the steal of a user’s private key, only
the msgs sent to that user are involved
 Better authentication mechanisms than
symmetric systems
Disadvantages:
 Algorithm execution rate
Virtual Networks
31
Asymmetric Key
Authentication:
 Challenge-response
 Digital signature
 Digital certificate
Non repudiation:
 Digital signature
 Digital certificate
Virtual Networks
32
Tx private
Asymmetric Key
Tx public
Rx private
Rx public
Challenge-response:
 Send of a challenge in clear text. Its response is only known by
the transmitter
 The transmitter sends a private-key ciphered response
Receiver
Transmitter
cipher
decipher
Virtual Networks
33
Asymmetric Key
Tx private
Tx public
Rx private
Digital signature:
Rx public
 Verifies source authenticity
 Parts


Signature (transmitter)
Signature verification (receiver)
Receiver
Transmitter
Signature
verification
Virtual Networks
34
Asymmetric Key
Tx private
Tx public
Rx private
Digital signature:
 Problem: Process is slow
 Use of fingerprint
Rx public
Receiver
Transmitter
Virtual Networks
35
Asymmetric Key
Digital signature - fingerprint:
 Reduces encryption time
 Hash function


Turns a variable length set of data in a summary or
fingerprint. A fingerprint has a fixed length and it is
illegible and nonsense
Irreversible
 Algorithms SHA-1, MD5
 Requirements




Capability of turning variable length data in fixed length
blocks
Easy to use and implement
Impossible to obtain the original fingerprint text
Different texts must generate different fingerprints
 Problem: Key management
Virtual Networks
36
Asymmetric Key
Digital certificate:
 Information unit containing a pair of public-private keys,
together with the necessary information to allow the
owner for secure communications
 Contents:
 Public key
 Private key (if owner)
 Owner information
 Useful information (algorithms, allowed functions, ...)
 Valid-from
 Certificate Authority signatures
 Revocation is possible
Virtual Networks
37
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
38
Mixed systems
Tx private
Tx public
Rx private
Session keys:
Rx public
Session key
 Process


Session Key distribution (asymmetric)
Secure communication (symmetric)
Receiver
Transmitter
Virtual Networks
39
Mixed systems
Tx private
Tx public
Rx private
Session keys:
Rx public
Session key
 Process


Session Key distribution (asymmetric)
Secure communication (symmetric)
Receiver
Transmitter
Virtual Networks
40
Mixed systems
Accomplished objectives:
 Confidentiality
 Integrity
 Authentication
 Non repudiation

Use of digital signatures & certificates
Virtual Networks
41
Mixed systems
Advantages:
 No problems for key distribution -> public key
 Improbable to guess session key
 May use public key authentication & nonrepudiation mechanisms
 Algorithm execution rate
Virtual Networks
42
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
43
Virtual Private Networks
Introduction:
 Interconnection of users & entities

Dedicated line (intranets)
 Expensive
 Difficult to manage

Use os public access network
 Security risks
LAN
Public
network
Virtual Networks
44
Virtual Private Networks
Concept:
 VPN: Private data channel implemented upon a public
communication network
 Objectives:


Linking remote subnetworks
Linking subnetworks & remote users
 Use of virtual tunnel with encryption
Virtual tunnel
Public
network
LAN
Virtual Networks
45
Virtual Private Networks
Requirements:
 Authentication & identity verification
 Virtual IP address range management
 Data cipher
 Management of digital certificates and public
and private keys
 Support for many protocols
Virtual Networks
46
Virtual Private Networks
Types:
 Hardware-based systems






optimized specific designs
Very secure and simple
High performance
High cost
Additional services (firewalls, intruder detectors,
antivirus, etc.)
Cisco, Stonesoft, Juniper, Nokia, Panda Security
 Software-based systems
Virtual Networks
47
Virtual Private Networks
Advantages:
 Security & confidentiality
 Cost reduction
 Scalability
 Simple management
 Compatibility with wireless links
Virtual Networks
48
Virtual Private Networks
Elements:
 Local or private networks

Restricted access LAN with pvt IP address range
 Insecure networks
 VPN tunnels
 Servers
 Routers
 Remote users (road warriors)
 Remote offices (gateways)
Virtual Networks
49
Virtual Private Networks
Scenarios:
 P2P
 LAN - LAN
 LAN – remote user
LAN
LAN
LAN
Virtual Networks
50
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
51
PPTP
Features:
 Peer to Peer Tunnel Protocol (PPTP)
 Designed & developed by 3Com, Microsoft
Corporation, Ascend Communications y ECI
Telematics; defined IETF (RFC 2637)
 Used for secure virtual access of remote users to a
private network
 Use of tunnel mechanisms for the send of data from
client to server
 Use of a private or public IP network
Virtual Networks
52
PPTP
Functioning:
 PPTP server configured to distribute private LAN IP
addresses
 Server acts as a bridge
192.168.1.30 192.168.1.31
67.187.11.25
PPTP server
192.168.1.1
LAN
Remote
user
192.168.1.100 - 120
Virtual Networks
192.168.1.32
53
PPTP
Phases:
 PPP Connection establishment with ISP
 PPTP connection control


TCP connection
Control msgs exchange
 Data transmission
 GRE Protocol
 Cipher
Virtual Networks
54
PPTP
PPP:
 Point-to-Point Protocol (RFC 1661)




Data link layer
Used for the connection to ISP by means of a telephony line
(modem) or PSTN
Versions for broadband access (PPPoE y PPPoA)
Functions:
 Establishing, maintaining and finishing peer-to-peer connection
 User authentication (PAP y CHAP)
 Creation of encrypted frames
PPP
IP
Data
Virtual Networks
55
PPTP
PPTP connection control:
 Specifies session control messages:








PPTP_START_SESSION_REQUEST: session start request
PPTP_START_SESSION_REPLY: session start response
PPTP_ECHO_REQUEST: session keepalive request
PPTP_ECHO_REPLY: session keepalive response
PPTP_WAN_ERROR_NOTIFY: error notification
PPTP_SET_LINK_INFO: client-server connection
configuration
PPTP_STOP_SESSION_REQUEST: session stop request
PPTP_STOP_SESSION_REPLY: session stop reply
Virtual Networks
56
PPTP
PPTP authentication:
 Uses the same mechanisms as PPP:

PAP (Password Authentication Protocol)
 Very simple: send of name and passwd in plaintext

CHAP (Challenge Handshake Authentication Protocol)
 Challenge-response mechanism
 Client generates a fingerprint from the received challenge
(MD5)
 Shared secret key
 Send of challenge to renew identity
Virtual Networks
57
PPTP
PPTP authentication:
 Two new mechanisms:

SPAP (Shiva Password Authentication Protocol)
 PAP with the send of an encrypted client passwd

MS-CHAP (Microsoft Challenge Handshake Authentication
Protocol)
 Proprietary CHAP-based-Algorithm by Microsoft
 Mutual authentication process (client & server)
 Due to a security failure in Windows NT, MS-CHAP v2 was
created
Virtual Networks
58
PPTP
Data transmission:
 Uses a modification of GRE (Generic Routing
Encapsulation) protocol: RFC 1701 y 1702

Establishes a functional division in three protocols:
 Passenger Protocol
 Carrier Protocol
 Transport Protocol
Transport
Carrier
Protocol
Virtual Networks
59
PPTP
Data transmission:
 Send of PPP frames -> encapsulated in IP datagrams
TCP
IP
MAC
IP
GRE
PPP
Virtual Networks
Data
Data
60
PPTP
Encryption:
 MPPE (Microsoft Point-To-Point Encryption)



RFC 3078
uses RSA RC4 algorithm-> Session key from a client pvt key
Only with CHAP or MS-CHAP
 Allows non-encrypted tunneling (PAP or SPAP) -> No
VPN
Virtual Networks
61
PPTP
Advantages:
 Implementation low cost (uses public network)
 No limit for the number of tunnels due to server
physical interfaces (but more resources are
necessary in the server for every tunnel)
Disadvantages:
 Very vulnerable



Non-authenticated TCP connection control
Weakness of MS-CHAP protocol in NT systems
Weakness of MPPE protocol
 Use of pvt passwd
Virtual Networks
62
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
63
L2TP
Features:
 Layer 2 tunneling protocol (RFC 2661) - PPP
 L2TP v3 (RFC 3931) - multiprotocol
 Based in 2 network protocols to carry de red PPP
frames:


PPTP
L2F (Layer Two Forwarding)
 Used together with IPSec to offer more security
(L2TP/IPSec, RFC 3193)
Virtual Networks
64
L2TP
Functioning:
 LAC: L2TP Access Concentrator
 LNS: L2TP Network Server
 Server acts as a bridge
L2TP Server
(LNS)
192.168.1.1
67.187.11.25
ISP
Remote
user
Compulsory
192.168.1.31
LAN
192.168.1.32
192.168.1.100 - 120
LAC
Voluntary
Virtual Networks
65
L2TP
 Voluntary:
1)
Remote users is
User starts a PPP connection
connected to ISP
with ISP
2) L2TP client starts L2TP
ISP accepts connection & PPP
tunnel to LNS
link
3) If LNS accepts, LAC
ISP requests authentication
encapsulates PPP with
LAC starts L2TP tunnel to LNS
L2TP and sends through
If LNS accepts, LAC
tunnel
encapsulates PPP with L2TP and
4) LNS accepts frames &
sends frames
process them as if they
LNS accepts L2TP frames &
were PPP frames
process them as if they were
PPP frames
5) LNS authenticates PPP
LNS authenticates PPP valid
valid user -> assigns IP
user -> assigns IP addr
addr
Types of tunnels:
 Compulsory:
1)
2)
3)
4)
5)
6)
7)
Virtual Networks
66
L2TP
Messages:
 Two types:

Control
 Used during the establishment, keepalive & termination of the
tunnel
 Reliable control channel (guarantees msg delivery)

Data
 Encapsulates information into PPP frame
 Uses UDP port 1701
Virtual Networks
67
L2TP
Control msgs:
 Connection keepalive:





Start-Control-Connection-Request: Session start request
Start-Control-Connection-Reply: Session start response
Start-Control-Connection-Connected: Established session
Start-Control-Connection-Notification: Session end
Hello: sent during inactivity periods
Virtual Networks
68
L2TP
Control msgs:
 ‘Call’ keepalive:







Outgoing-Call-Request: start of outgoing call
Outgoing-Call-Reply: start of outgoing call response
Outgoing-Call-Connected: outgoing call established
Incoming-Call-Request: start of incoming call
Incoming-Call-Reply: start of incoming call response
Incoming-Call-Connected: incoming call established
Call-Disconnect-Notify: call stop
Virtual Networks
69
L2TP
Control msgs:
 Error notification:

WAN-Error-Notify
 PPP Control session:
 Set-Link-Info: configures client-server connection
Virtual Networks
70
L2TP
Advantages:
 Implementation low cost
 Multiprotocol support
Disadvantages:
 Only the two terminals in the tunnel are identified
(possible impersonation attacks)
 No support for integrity (possible service denial
attack)
 Does not develop confidentiality
 Does not offer encryption, though PPP may be
encrypted (no mechanism for automatic key
generation)
Virtual Networks
71
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
72
IPSec
Features:
 Internet Protocol Security
 Offers security services for the network layer
 Allows linking different networks (remote offices)
 Allows a remote user to access the pvt resources in a
network
 IETF (Internet Engineering Task Force) Standard
 Integrated in IPv4; default included in IPv6
 IPSec is connection oriented
Virtual Networks
73
IPSec
Features:
 Services:




Data integrity
Source authentication
Confidentiality
Replay attack prevention
 Functioning modes:
 Transport mode
 Tunnel mode
Virtual Networks
74
IPSec
Security association:
 Definition (SA):
“Unidirectional agreement between the parties in an IPSec
connection according to the methods & parameters used for
the tunnel structure. They must guarantee transmitted data
security”
 An entity must store:
 Used security algorithms and keys
 Functioning mode
 Key management methods
 Valid time for the established connection
 Database with SA
Virtual Networks
75
IPSec
Security association:
 Example:
SPI: 12345
Source IP: 200.168.1.100
Dest IP: 193.68.2.23
Protocol: ESP
Encryption algorithm: 3DES-cbc
HMAC algorithm: MD5
Encryption key: 0x7aeaca…
HMAC key:0xc0291f…
 Methods for key distribution & management:
 Manual: personal delivery
 Automatic: AutoKey IKE
Virtual Networks
76
IPSec
IKE Protocol:
 Internet Key Exchange Protocol (IKE)
 Defined in IETF


key distribution & management
SA establishment
 Standard is not only limited to IPSec (OSPF or RIP)
 Hybrid protocol:
 ISAKMP (Internet Security Association and Key
Management Protocol)
 Define msg syntax
 Necessary proceedings for SA establishment, negotiation,
modification and deletion

Oakley
 Specifies the logic for the secure key exchange
Virtual Networks
77
IPSec
IKE – IPSec tunnel negotiation:
 Two phases:

Phase 1: Establishment of a secure bidirectional
communication channel (IKE SA)
 IKE SA different to IPSec SA
 Called ISAKMP SA

Phase 2: Agreements about cipher and authentication
algorithms -> IPSec SA
 Uses ISAKMP to generate IPSec SA
 The precursor offers different possibilities
 The other entity accepts the first configuration according to
its limitations
 They inform each other about the type of traffic
Virtual Networks
78
IPSec
Advantages:
 Allows remote access in a secure way
 Best option for e-commerce (secure infrastructure
for electronic transactions)
 Allows secure corporate networks (extranets) over
public networks
Virtual Networks
79
IPSec
Protocols:
 Authentication Header Protocol (AH)
 Encapsulated Secure Payload (ESP)
Virtual Networks
80
IPSec
AH Protocol:
 Network layer Protocol field: 51
 Provided services:



Integrity
Authentication
Does not guarantee confidentiality (no data encryption)
 HMAC (Hash Message Authentication Codes)
 Generation of digital fingerprint (SHA or MD5)
 Encryption of digital fingerprint with shared secret
Virtual Networks
81
IPSec
AH Protocol:
 HMAC
Receiver
Transmitter
HMAC
IP
AH
DATA
IP
AH
Virtual Networks
DATA
HMAC
82
IPSec
AH Protocol:
 Format
32 bits
IP header
Payload
Next
Reserved
header length
Security Parameters Index (SPI)
Sequence number
AH header
Authentication data
Data
Virtual Networks
83
IPSec
AH Protocol:
 Format:





Next header: superior layer protocol
Payload length: Data field length (32 bits)
Security Parameters Index (SPI): SA identifier
Sequence number
Authentication data: Variable length HMAC
Virtual Networks
84
IPSec
ESP Protocol:
 Network layer Protocol field: 50
 Supported services:



Integrity (optional)
Authentication (optional)
Confidentiality (data encryption)
 Symmetric key encryption algorithm Algoritmo de
(DES, 3DES, Blowfish)


Usually block encryption (padding)
Requires a secure mechanism for key distribution (IKE)
Virtual Networks
85
IPSec
ESP Protocol:
Receiver
Transmitter
IP
ESP
DATA
ESP
IP
ESP
DATA
Virtual Networks
ESP
86
IPSec
ESP Protocol:
 Formato
32 bits
IP header
Security Parameters Index (SPI)
Sequence number
ESP
Datos
Encryption
Pad
length
Authentication data
Padding
Next
header
Virtual Networks
87
IPSec
ESP Protocol:
 Format:






Security Parameters Index (SPI): SA Identifier
Sequence number
Padding
Pad length: padding length (bytes)
Next header: Superior layer protocol
Authentication data: Variable length HMAC
Virtual Networks
88
IPSec
Modes of operation:
 Applicable to AH & ESP
Transport Mode
using AH
Transport Mode
using ESP
Tunnel Mode
using AH
Tunnel Mode
using ESP
Most used
Virtual Networks
89
IPSec
Transport Mode:
 Data are encapsulated in an AH or ESP datagram
 Ensures end-to-end communication
 client-client scheme (both ends must understand
IPSec)
 Used to connect remote users
IPSec host
IPSec host
IP 1
IP 2
IP 2
IP 1
IPSec
Data
Virtual Networks
90
IPSec
Transport mode:

AH: Next header = Protocol in IP header
Original IP AH
header
header
Data
Authentication

ESP: Next header = Protocol in IP header
Original IP ESP
header
header
Data
Encryption
Authentication
Virtual Networks
91
IPSec
Tunnel mode:
 Data are encapsulated in a whole IP datagram
 A new IP header is generated
 Used when the final destination is not the IPSec end
(gateways)
Host without
IPSec
gateway using IPSec
gateway using IPSec
IP 1
IP A
IP B
IP 2
Host without
IPSec
IP B
IP A
IPSec
IP 2
IP 1
Virtual Networks
Data
92
IPSec
Tunnel mode :

AH: New IP header Protocol = 51 & Next header = 4
New
IP header
AH
header
Original IP
Header
Data
Authentication

ESP: New IP header Protocol = 50 & Next header = 4
New
IP header
ESP
Header
Original IP
Header
Data
Encryption
Authentication
Virtual Networks
93
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
94
SSL
Project OpenVPN:
 Implementation of VPN based on SSL (OpenSSL)
 Free software (GPL)
 Reason: Limitations of IPSec
 Features:





Driver is in charge of building a tunnel & encapsulating pkts
through a virtual link
Allows authentication & encryption
All communications using TCP or UDP port (default 1194)
Multiplatform
Allows compression
Virtual Networks
95
SSL
Project OpenVPN:
 Features:




Client-server model (version 2.0)
Self-install packages and graphic interfaces
Allows remote management
Great flexibility (many script formats)
Virtual Networks
96
Chapter 4: Virtual Networks
 4.1 Security in
networks






4.1.1 Introduction
4.1.2 Cryptography
4.1.3 Cryptanalisis
4.1.4 Symmetric key
4.1.5 Asymmetric key
4.1.6 Mixed systems
 4.2 Virtual Private
Networks, VPN





4.2.1 Introduction
4.2.2 PPTP
4.2.3 L2TP
4.2.4 IPsec
4.2.5 SSL
 4.3 Virtual Local Area
Networks, VLAN
Virtual Networks
97
VLAN
Introduction:
 Las LANs institucionales modernas suelen presentar
topología jerárquica
 Cada grupo de trabajo posee su propia LAN
conmutada
 Las LANs conmutadas pueden interconectarse entre
sí mediante una jerarquía de conmutadores
S4
S1
S2
A
B
S3
C
F
D
E
I
G
Virtual Networks
H
98
VLAN
Inconvenientes:
 Falta de aislamiento del tráfico


Tráfico de difusión
Limitar tráfico por razones de seguridad y confidencialidad
 Uso ineficiente de los conmutadores
 Gestión de los usuarios
Virtual Networks
99
VLAN
VLAN:
 VLAN basada en puertos




A
División de puertos del conmutador en grupos
Cada grupo constituye una VLAN
Cada VLAN es un dominio de difusión
Gestión de usuario -> Cambio de configuración del
conmutador
B
C
D
E
F
G
Virtual Networks
H
I
100
VLAN
VLAN:
 ¿Cómo enviar información entre grupos?




A
Conectar puerto del conmutador VLAN a router externo
Configurar dicho puerto como miembro de ambos grupos
Configuración lógica -> conmutadores separados conectados
mediante un router
Normalmente los fabricantes incluyen en un único dispositivo
conmutador VLAN y router
B
C
D
E
F
G
Virtual Networks
H
I
101
VLAN
VLAN:
 Localización diferente



A
Miembros de un grupo se encuentran en edificios diferentes
Necesario varios conmutadores
Conectar puertos de grupos entre conmutadores -> No escalable
B
D
E
G
C
Virtual Networks
I
H
F
102
VLAN
VLAN:
 Localización diferente



Troncalización VLAN (VLAN Trunking)
Puerto troncal pertenece a todas las VLANs
¿VLAN Destino de la trama? -> formato de trama 802.1Q
Enlace
troncal
A
B
D
E
G
C
Virtual Networks
I
H
F
103
VLAN
IEEE 802.1Q:

IEEE 802.3 (Ethernet)
Preambulo

Dir.
Destino
Dir.
Origen
Tipo
Datos
CRC
IEEE 802.1Q
Preambulo
Dir.
Destino
Dir.
Origen
TPID TCI Tipo
Datos
CRC
nuevo
Información de control de etiquetado
Identificador de protocolo de etiquetado
Virtual Networks
104
VLAN
VLAN:
 VLAN basada en MAC (nivel 2)


El administrador de red crea grupos VLAN basados en
rangos de direcciones MAC
El puerto del conmutador se conecta a la VLAN
correspondiente con la dirección MAC del equipo asociado
 VLAN nivel 3
 Basada en direcciones de red IPv4 o IPv6
 Basada en protocolos de red (Appletalk, IPX, TCP/IP)
Virtual Networks
105