Transcript ch8

E-Commerce:
Fundamentals and Applications
Chapter 8: Internet Security
E-Commerce: Fundamentals and Applications
© Wiley and the book authors, 2001
Outline
- IPSec protocol
- The authentication header (AH) service
- The encapsulating security payload (ESP) service
- Application of IPSec: virtual private network
- Firewalls
- Different types of firewalls
- Examples of firewall systems
- Secure socket layer (SSL)
IPSec Service
[Figure: IPSec service. An IPSec-enabled host or gateway holds the security policy database (SPD) and the security association database (SAD); its IPSec processor turns an unprotected IP packet (IP header + upper layer data) into a protected IP packet (IP header + IPSec header + upper layer data) under a security association (SA) with the peer IPSec-enabled host or gateway. For a non-IPSec-enabled host, an IPSec-enabled gateway produces the protected IP packet through tunneling: the original IP header and upper layer data are wrapped with an IPSec header and a new IP header carrying the gateway's IP address.]
AH Service (Transport Mode)

  Unprotected IP packet:                   | IP Header | Upper Layer Data |
  Protected IP packet (AH transport mode): | IP Header | AH | Upper Layer Data |

  Authenticated: the whole protected packet (for immutable fields in the IP packet).
AH Service (Tunnel Mode)

  Unprotected IP packet:                | IP Header | Upper Layer Data |
  Protected IP packet (AH tunnel mode): | New IP Header * | AH | IP Header | Upper Layer Data |

  Authenticated: the whole protected packet (for immutable fields in the IP packet).
  * typically with gateway's IP address
ESP Service (Transport Mode)

  Unprotected IP packet:                    | IP Header | Upper Layer Data |
  Protected IP packet (ESP transport mode): | IP Header | ESP Header | Upper Layer Data | ESP Trailer | ESP Auth |

  Encrypted: Upper Layer Data and ESP Trailer.
  Authenticated: ESP Header, Upper Layer Data and ESP Trailer (the ESP Auth field carries the authentication value).
ESP Service (Tunnel Mode)

  Unprotected IP packet:                 | IP Header | Upper Layer Data |
  Protected IP packet (ESP tunnel mode): | New IP Header * | ESP Header | IP Header | Upper Layer Data | ESP Trailer | ESP Auth |

  Encrypted: original IP Header, Upper Layer Data and ESP Trailer.
  Authenticated: ESP Header through ESP Trailer (the ESP Auth field carries the authentication value).
  * with gateway's IP address
Virtual Private Network
[Figure: two intranets joined across the Internet. Each intranet contains non-IPSec-enabled hosts, IPSec-enabled hosts and an IPSec-enabled gateway. The two gateways build an IP tunnel across the Internet, so non-IPSec-enabled hosts on either side are protected gateway-to-gateway; IPSec-enabled hosts on the two intranets can additionally set up an end-to-end SA between themselves.]
Firewall
[Figure: a firewall placed between the Internet (insecure side) and the intranet (secure side).]
Types of Firewalls
- Packet filtering router
- Application level gateway
- Circuit level gateway
Firewall Example
[Figure: a packet filtering router (PR) sits between the Internet and the intranet. On the intranet side are the public server b (e.g. web server), the bastion host a (application gateway), a private server and the intranet hosts.]
Reference : Semeria, C., Internet Firewalls and Security, http://www.3com.com/technology/tech_net/white_papers/500619s.html, 1996
Illustrative filtering rules for the packet filtering router

Source IP | Source Port | Destination IP | Destination Port | Action (allow/deny) | Remarks
----------|-------------|----------------|------------------|----------------------|--------
* | * | b | * | Allow (inbound only)  | Allow internet hosts to communicate with the public server.
b | * | * | * | Allow (outbound only) | Allow the public server to communicate with internet hosts.
* | * | a | * | Allow (inbound only)  | Allow internet hosts to communicate with the intranet through the bastion host.
a | * | * | * | Allow (outbound only) | Allow intranet hosts to communicate with the Internet through the bastion host.
* | * | * | * | Deny                  | Deny all other packets.

(Note: Each small letter represents an IP address. * means any value. A specific port may also be set.)
Firewall Example
[Figure: a screened subnet. An outside packet filtering router (OPR) separates the Internet from the DMZ, which holds the public server b (e.g. web server), the bastion host a (application gateway), the private server and the modem pools; an inside packet filtering router (IPR) separates the DMZ from the intranet and its hosts.]
Reference : Semeria, C., Internet Firewalls and Security, http://www.3com.com/technology/tech_net/white_papers/500619s.html, 1996
Key filtering rules for the outside packet filtering router

Source IP | Source Port | Destination IP | Destination Port | Action (allow/deny) | Remarks
----------|-------------|----------------|------------------|----------------------|--------
* | * | a | * | Allow (inbound only)  | Allow internet hosts to communicate with the bastion host.
* | * | b | * | Allow (inbound only)  | Allow internet hosts to communicate with the public server directly.
a | * | * | * | Allow (outbound only) | Allow intranet hosts to communicate with the internet through the bastion host.
b | * | * | * | Allow (outbound only) | Allow the public server to communicate with internet hosts.
* | * | * | * | Deny                  | Deny all other packets.

(Note: Each small letter represents an IP address. * means any value. A specific port may also be set.)
Firewall Example (Cont')
Illustrative filtering rules for the inside packet filtering router

Source IP | Source Port | Destination IP | Destination Port | Action | Remarks
----------|-------------|----------------|------------------|--------|--------
a | * | * | * | Allow | Allow internet hosts to communicate with the intranet through the bastion host (from the DMZ to the intranet only).
* | * | a | * | Allow | Allow intranet hosts to communicate with the internet through the bastion host (from the intranet to the DMZ only).
* | * | * | * | Deny  | Deny all other packets.

(Note: Each small letter represents an IP address. * means any value. A specific port may also be set.)
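The three rule tables above share one evaluation model: a packet is compared against the rules in order, `*` matches any value, an action applies in one direction only, and the final all-wildcard row denies whatever nothing else matched. The following is an added example (not the book's code) that encodes the single-router table this way; `a` (bastion host) and `b` (public server) are the slide's placeholder addresses, and the Internet host `x` and intranet host `h` are constructed for the demonstration. The DMZ tables can be loaded into the same `Rule` list.

```python
from dataclasses import dataclass

ANY = "*"  # the slide's wildcard: matches any value

@dataclass(frozen=True)
class Rule:
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    action: str            # "allow" or "deny"
    direction: str = ANY   # "inbound", "outbound", or ANY (either way)
    remark: str = ""
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str         # "inbound" (Internet -> intranet) or "outbound"

def field_matches(pattern: str, value) -> bool:
    return pattern == ANY or pattern == str(value)
def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (field_matches(rule.direction, pkt.direction)
            and field_matches(rule.src_ip, pkt.src_ip)
            and field_matches(rule.src_port, pkt.src_port)
            and field_matches(rule.dst_ip, pkt.dst_ip)
            and field_matches(rule.dst_port, pkt.dst_port))

def filter_packet(rules, pkt: Packet):
    """First matching rule wins; the slide's final '* * * * Deny' row catches the rest."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.remark
    return "deny", "implicit deny: no rule matched"
# The single-router rule table from the slide: "a" is the bastion host, "b" the public server.
SINGLE_ROUTER_RULES = [
    Rule(ANY, ANY, "b", ANY, "allow", "inbound",  "Internet hosts -> public server"),
    Rule("b", ANY, ANY, ANY, "allow", "outbound", "public server -> Internet hosts"),
    Rule(ANY, ANY, "a", ANY, "allow", "inbound",  "Internet hosts -> intranet via bastion"),
    Rule("a", ANY, ANY, ANY, "allow", "outbound", "intranet -> Internet via bastion"),
    Rule(ANY, ANY, ANY, ANY, "deny",  ANY,        "deny all other packets"),
]

if __name__ == "__main__":
    # Constructed sample traffic: "x" is an Internet host, "h" an intranet host.
    for pkt in [Packet("x", 40000, "b", 80, "inbound"),    # allowed: public server
                Packet("x", 40000, "h", 80, "inbound"),    # denied: bypasses the bastion
                Packet("h", 40000, "x", 80, "outbound")]:  # denied: must go via bastion
        print(pkt, "->", filter_packet(SINGLE_ROUTER_RULES, pkt))
```

Because direction is part of the match, the outbound rule for `b` does not cover a packet that arrives inbound claiming `b` as its source; it falls through to the deny row.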
Secure socket layer (SSL)
- SSL was invented by Netscape to make use of TCP to provide an end-to-end secure data transport service, e.g. for HTTP.
- A socket connection is set up to port 443 instead of port 80 of the Web server.
- In the URL, "https" instead of "http" is used.
- Visit: http://home.netscape.com/eng/ssl3/draft302.txt
- A TLS working group has been formed within the IETF to develop a common standard.
Functions of the SSL sub-protocols
- SSL handshake protocol: allow the server and the client to agree the security parameters for subsequent data transfer.
- SSL change cipher spec protocol: change/update the cipher suite.
- SSL alert protocol: send an alert message to the other side.
- SSL record protocol: provide secure data transport service using the agreed security parameters.
Handshake Protocol

(a) Full version
(1) Client -> Server: Send ClientHello
(2) Server -> Client: Return ServerHello
(3) Server -> Client: Send Digital Certificates (if required)
(4) Server -> Client: Send ServerKeyExchange (if required)
(5) Server -> Client: Send CertificateRequest (if required)
(6) Server -> Client: Send ServerHelloDone
(7) Client -> Server: Send Digital Certificates (if required)
(8) Client -> Server: Send ClientKeyExchange
(9) Client -> Server: Send CertificateVerify (if required)
(10) Client -> Server: Send ChangeCipherSpec
(11) Client -> Server: Send Finished
(12) Server -> Client: Send ChangeCipherSpec
(13) Server -> Client: Send Finished

(b) Resuming a previous session
(1) Client -> Server: Send ClientHello
(2) Server -> Client: Return ServerHello
(3) Server -> Client: Send ChangeCipherSpec
(4) Server -> Client: Send Finished
(5) Client -> Server: Send ChangeCipherSpec
(6) Client -> Server: Send Finished
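The two message sequences differ in which steps are mandatory and which side sends ChangeCipherSpec and Finished first. The following is an added example (not the book's code) that checks a captured handshake trace against the slide's two sequences: steps marked "(if required)" may be skipped, every other step must appear in order, and a trace that reorders or truncates the exchange is reported as invalid. Message names follow the slide, with "Digital Certificates" written as the TLS message name `Certificate`.

```python
# Expected message order for the two handshakes in the slide, as (sender, message, optional).
# Steps marked "(if required)" on the slide are optional; the rest must appear, in order.
FULL_HANDSHAKE = [
    ("client", "ClientHello", False),
    ("server", "ServerHello", False),
    ("server", "Certificate", True),
    ("server", "ServerKeyExchange", True),
    ("server", "CertificateRequest", True),
    ("server", "ServerHelloDone", False),
    ("client", "Certificate", True),
    ("client", "ClientKeyExchange", False),
    ("client", "CertificateVerify", True),
    ("client", "ChangeCipherSpec", False),
    ("client", "Finished", False),
    ("server", "ChangeCipherSpec", False),
    ("server", "Finished", False),
]
RESUMED_HANDSHAKE = [
    ("client", "ClientHello", False),
    ("server", "ServerHello", False),
    ("server", "ChangeCipherSpec", False),
    ("server", "Finished", False),
    ("client", "ChangeCipherSpec", False),
    ("client", "Finished", False),
]
def matches_sequence(trace, expected):
    """True if every required step appears in order and nothing extra is sent.
    Optional steps may be skipped; any message out of place (e.g. Finished
    before ChangeCipherSpec) or a truncated exchange makes the trace invalid."""
    i = 0
    for sender, msg, optional in expected:
        if i < len(trace) and trace[i] == (sender, msg):
            i += 1
        elif not optional:
            return False
    return i == len(trace)
def classify_handshake(trace):
    """Return "full", "resumed" or "invalid" for a list of (sender, message) pairs."""
    if matches_sequence(trace, FULL_HANDSHAKE):
        return "full"
    if matches_sequence(trace, RESUMED_HANDSHAKE):
        return "resumed"
    return "invalid"

if __name__ == "__main__":
    # Constructed trace: a resumed session, as in part (b) of the slide.
    trace = [("client", "ClientHello"), ("server", "ServerHello"),
             ("server", "ChangeCipherSpec"), ("server", "Finished"),
             ("client", "ChangeCipherSpec"), ("client", "Finished")]
    print(classify_handshake(trace))
```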
Secure System for the VBS
[Figure: the VBS intranet is placed behind a firewall. Public access from the Internet is protected with SSL; IP tunnels across the Internet connect the VBS to business partners (e.g. publishers) and to branch offices; other systems are reached over a private network.]