Transcript Presentation6 - University Of Worcester

COMP3371
Cyber Security
Richard Henson
University of Worcester
November 2015
Week 6: Securing LAN–LAN
data using Firewalls, VPNs,
etc.

Objectives:
 Relate Internet security to the TCP/IP protocol
stack
 Explain principles of firewalling
 Explain what a Proxy Service is, and why it can be
a more flexible solution than a firewall
 Explain Internet security solutions that use the
principles of a VPN
Security and the OSI layers


Simplified TCP/IP
Leaves out level 1 (physical) level 2 (data
link), and combines levels 5/6/7)
TELNET
FTP
SMTP
NFS
DNS
UDP
TCP
IP (network)
SNMP
TCP/IP and the Seven Layers
screen

 upper layers interface with TCP to
produce the screen display
TCP
 lower layers required to interface with
IP to create/convert electrical signals
IP

hardware
TCP (Transport Control Protocol)
and IP (Internet Protocol) only
make up part (layers 3 & 4) of the
seven layers
Each layer interface represents a
potential security problem (!)
Intranet

Misunderstood term
 achieved by organisations using http to share
data internally in a www-compatible format
 Many still call a protected file structure on its
own an Intranet… (technically incorrect!)
uses secure user authentication
uses secure data transmission system

Implemented as EITHER:
 single LAN (domain) with a web server
 several interconnected LANs (trusted domains)
» cover a larger geographic area
Extranet

An extension of the Intranet to cover selected trusted
“links”
 e.g. for an organisation the “trusted” links might be to
customers and business partners
 uses the public Internet as its transmission system
 requires authentication to gain access

Can provide TCP/IP access to:




paid research
current inventories
internal databases
OR virtually any information that is private and not published
for everyone
Issues in creating an Extranet

Public networks…
 Security handled through appropriate use of secure
authentication & transmission technologies…

If using the Internet…
 client-server web applications across different sites
 BUT security issues need resolving

Private leased lines between sites do not
need to use http, etc.
 more secure, but expensive (BALANCE)
Securing Authentication
through Extranets

Kerberos and trusted domains…
Windows networks…

BUT…
several TCP ports used for authentication
when establishing a session…

Solution:
firewall configured to allow relevant ports
to be opened only for “trusted” hosts
Securing Sharing of Data
through Extranets

Extranet client uses the web server &
browser for user interaction
 standard http protocol to display html data

Raw HTML data will pass through the firewall
(port 80) to the Internet
 could be “sensitive data” for the organisation…

Under IETF guidance, Netscape ~ SSL with
secure version of http…
 standardised as http-s (secure http) on port 443
The Internet generally uses IP
- HOW can data be secured?
2015: more than a billion hosts!
Securing the Extranet

Problem:
 IP protocol sends packets off in different directions according to:
» destination IP address
» routing data
 packets can be intercepted/redirected

One solution:
» secure level 7 application layer www protocols developed


https: ensure that pages are only available to authenticated users
ssh : secure download of files
» secure level 4 transport (TLS) protocol to restrict use of IP navigation to
only include secure sites

What about penetration through other protocols, working
at different OSI layers?
Other Secure level 7 protocols

Telnet and FTP:
can use authentication
BUT DO NOT use encrypted text…

SSH (Secure Shell)
 SSH-1 1995, University of Helsinki, secure file transfer
» uses TCP port 22
» runs on a variety of platforms
 Enhanced version SSH-2
» using the PKI
» including digital certificates
» RFC 4252 – recent, 2006
Unsecured LAN-Internet
Connection: Router Only
INTERNET/EXTERNAL NETWORK
ROUTER – no packet filtering
Internal
Network
...
An Unsecured LAN-Internet
Connection via Router
Layer 3
Layer 2
Layer 3
Data
through
unchanged
Layer 1
Layer 2
Layer 1
router
Lower OSI layers security
(Stage 1)

Simple Firewall…
use packet filtering
IP address-based
» Fooled by “IP spoofing”
Creating a “Secure Site”?

To put it bluntly…
 secure site is a LAN that provides formidable
obstacles to potential hackers
 keeps a physical barrier between local server and
the internet

Physical barrier linked through an
intermediate computer called a Firewall or
Proxy Server
 may place unnecessary restrictions on access
 security could be provided at one of the seven
layers of the TCP/IP stack
Unsecured LAN-Internet
Connection: Firewall
INTERNET/EXTERNAL NETWORK
FIREWALL – packet filtering
Internal
Network
...
An Unsecured LAN-Internet
Connection via Firewall

IP filtering will slow down packet flow…

Also…
 request by a LAN client for Internet data across a router
reveals the client IP address
» generally a desired effect….


“local” IP address must be recorded on the remote server
picks up required data & returns it via the router and server to the local IP address
» problem – could be intercepted, and future data to that IP
address may not be so harmless…
An Unsecured LAN-Internet
Connection via Router

Another problem: wrath of IANA
 IP address awarding & controlling body
 big penalties if ANY internal LAN IP address
conflicts with an existing Internet IP address they
allocated…

Safeguard:
 use DHCP (dynamic host configuration protocol)
 allocate client IP from within a fixed range
allocated to that domain by IANA
A LAN-Internet connection
via Gateway
INTERNET/EXTERNAL NETWORK
e.g. TCP/IP
GATEWAY – packet conversion
local protocol
Internal
Network
...
A LAN-Internet connection
via Gateway

At a gateway, processing can be at higher
OSI levels:
 >= level 4

Local packets converted into other formats…
 remote network does not have direct access to the
local machine
 IP packets only recreated at the desktop
 local client IP addresses therefore do not need to
comply with IANA allocations
A LAN-Internet connection
via Proxy Server
INTERNET/EXTERNAL NETWORK
e.g. TCP/IP
Proxy Server – local IP addresses
local protocol
Internal
Network
...
The Proxy Server

Acts like a Gateway in some respects:
provides physical block between external
and internal networks

But can still use the same protocol (e.g.
TCP/IP), and can cache web pages for
improved performance
Firewall Configuration

Blocks data via TCP port (logical)
used by each application protocol connects
to TCP
all ports blocked… no data gets through

Configuration
includes which ports to block as well as
which IP addresses to block…
Includes auditing of packets
VPNs: OSI levels 1-3: restricted
use of the Physical Internet
VPN shown in green
VPNs
(Virtual Private Networks)

Two pronged defence:
 physically keeping the data away from unsecured
servers…
» several protocols available for sending packets along a
pre-defined route
 data encapsulated and encrypted so it appears to
travel as if on a point-point link but is still secure
even if intercepted

Whichever protocol is used, the result is a
secure system with pre-determined pathways
for all packets
Principles of VPN protocols

The tunnel - where the private data is
encapsulated

The VPN connection - where the private
data is encrypted
Principles of VPN protocols

To emulate a point-to-point link:
 data encapsulated, or wrapped, with a header
» provides routing information
» allows packets to traverse the shared public network to its
endpoint

To emulate a private link:
 data encrypted for confidentiality

Any packets intercepted on the shared
public network are indecipherable without
the encryption keys…
Potential weakness of the VPN


Once the data is encrypted and in the tunnel it is very secure
BUT
 to be secure, it MUST be encrypted and tunnelled throughout its
whole journey
 if any part of that journey is outside the tunnel…
» e.g. network path to an outsourced VPN provider
» obvious scope for security breaches
Using a VPN as part of an
Extranet
Using a VPN for point-to-point
Using a VPN to connect a
remote computer to a Secured
Network
VPN-related protocols offering
even greater Internet security

Two possibilities are available for
creating a secure VPN:
Layer 3:
» IPsec – fixed point routing protocol
Layer 2 “tunnelling” protocols
» encapsulate the data within other data before
converting it to binary data:


PPTP (Point-point tunnelling protocol)
L2TP (Layer 2 tunnelling protocol)
IPsec

First VPN system
 defined by IETF RFC 2401
 uses ESP (encapsulating security protocol) at the IP
packet level

IPsec provides security services at the IP layer
by:
 enabling a system to select required security protocols
(ESP possible with a number of encryption protocols)
 determining the algorithm(s) to use for the chosen
service(s)
 putting in place any cryptographic keys required to
provide the requested services
More about IPSec in practice

Depends on PKI for authentication
 both ends must be IPSec compliant, but not the
various network systems that may be between
them…

Can therefore be used to protect paths
between
 a pair of hosts
 a pair of security gateways
 a security gateway and a host

Can work with IPv4 and IPv6
Layer 2 Security: L2TP

Microsoft hybrid of:
 their own PPTP
 CISCO’s L2F (layer 2 forwarding)

With L2TP, IPSec is optional:
 like PPTP:
» it can use PPP authentication and access controls (PAP
and CHAP!)
» It uses NCP to handle remote address assignment of
remote client
 as no IPSec, no overhead of reliance on PKI