Internet Access - University of St. Thomas
CISC 210 - Class Today
• Homework Reminders
• Recap
• Finish up Public Key Crypto
• Firewalls
• Firewall Lab
March 2005
R. Smith - University of St Thomas - Minnesota
Homework Reminders
• DUE TODAY: Lab and Diagrams
• DUE Monday: Project Outline
– Requirements/Grading Rubric are posted on the Web
• DUE Following Monday: A10 Lab (Firewall)
Recap: IP Security Protocol – IPSEC
• Security protection that’s IP routable
• We authenticate the IP addresses
• We encrypt everything inside the IP header
Recap: Public Key Encryption
• Uses a pair of keys: the Private Key and the Public Key
• Usually, one key of the pair decrypts what the other key encrypts, and vice versa
• “Asymmetric Encryption”
[Diagram: Clear Text → Encryption Procedure → Cipher Text → Decryption Procedure → Clear Text; one key of the Private Key / Public Key pair is used by the encryption procedure and the other by the decryption procedure]
Public Key cryptography
• First successful version: Diffie Hellman
• ‘Distributive property’ of exponents
– $(B^X)^Y = (B^Y)^X$
• Or, in Diffie-Hellman:
– $(B^X \bmod M)^Y \bmod M = (B^Y \bmod M)^X \bmod M$
– $X$ is the Private Key; $(B^X \bmod M)$ is the Public Key
• Why is it secure? Because…
– $(B^X \bmod M) \cdot (B^Y \bmod M) \bmod M \neq (B^Y \bmod M)^X \bmod M$
– Modulus makes it impractical to reverse
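The slide's Diffie-Hellman identities, worked through in code. This is an added example, not code from the lecture; the base B, modulus M and the private exponents x and y are constructed toy values small enough to check by hand. It goes one step beyond the slide by also recovering a private exponent by trial, which is feasible only because M is tiny and is exactly what a large modulus makes impractical.

```python
# Added example for the Diffie-Hellman slide; not code from the lecture.
# B, M and the private exponents are constructed toy values so that the
# slide's identities can be checked by hand. Real parameters use a prime
# modulus of 2048 bits or more; see brute_force_private() for why.

B = 5    # public base
M = 23   # public (prime) modulus, toy size


def public_key(private: int) -> int:
    """Slide notation: Public Key = B^X mod M (pow does the modular exponentiation)."""
    return pow(B, private, M)


def shared_secret(my_private: int, their_public: int) -> int:
    """(their_public)^my_private mod M, i.e. (B^Y mod M)^X mod M on the slide."""
    return pow(their_public, my_private, M)


def naive_combination(pub_x: int, pub_y: int) -> int:
    """The slide's "!=" line: multiplying the two public values does NOT give the secret."""
    return (pub_x * pub_y) % M


def brute_force_private(pub: int) -> int:
    """Recover X from B^X mod M by trying every exponent; feasible only because
    M is tiny. The work grows with the size of M, which is the slide's point
    that the modulus makes the exponentiation impractical to reverse."""
    for candidate in range(M):
        if pow(B, candidate, M) == pub:
            return candidate
    raise ValueError("no exponent found")


def demo():
    x, y = 6, 15                                   # constructed private keys of the two parties
    pub_x, pub_y = public_key(x), public_key(y)    # 8 and 19
    s_x = shared_secret(x, pub_y)                  # computed by the x side
    s_y = shared_secret(y, pub_x)                  # computed by the y side; same value, 2
    return pub_x, pub_y, s_x, s_y, naive_combination(pub_x, pub_y)


if __name__ == "__main__":
    print(demo())
    print(brute_force_private(public_key(6)))
```

Both sides arrive at the same secret (2) even though each only ever saw the other's public value, while the product of the two public values (14) is unrelated to it.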
RSA
• More flexible variant
– Basic Math: Given $M$, $M^y$ = Ciphertext; $M = (M^y)^{-y}$
– $y$ = Public Key; $-y$ = Private Key (inverse of public key)
– RSA uses “Modular Inverse” instead of simple inverse
• Multiply two primes $P \times Q$
– Product is the Modulus, part of the published key,
– 2 other numbers form rest of the key
• “Public” exponent “E” (often 3 or 65537)
• “Private” inverse “D” (computed from P, Q, and E)
• Works in both directions – encrypt and decrypt
Using Public Key
• Diffie Hellman
– I can share one secret with another D-H user
• I use the other user’s PUBLIC key with my PRIVATE key
• RSA
– If I have a user’s PUBLIC key, I can send them a secret
• I encrypt the secret with THEIR public key
• They decrypt with their own private key
– I can use my PRIVATE key to “sign” things
• I encrypt a hash (checksum) with my PRIVATE key
• Others can check the result with my PUBLIC key
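A toy RSA implementation covering both this slide and the preceding RSA slide: the key is built from two primes and a public exponent, the private exponent is the modular inverse, encryption with THEIR public key is undone with their private key, and signing encrypts a hash with MY private key so others can check it with my public key. This is an added example, not the lecture's code; P, Q and E are constructed small values, and the hash is reduced modulo N only so that it fits the tiny modulus.

```python
import hashlib

# Added toy RSA example for the RSA and "Using Public Key" slides; not the
# lecture's code. P, Q, E are constructed small values (real keys use primes of
# 1024+ bits and padding schemes such as OAEP/PSS, which textbook RSA lacks).


def keygen(p: int, q: int, e: int):
    """Public key (N, E), private key (N, D) with D the modular inverse of E."""
    n = p * q                       # the modulus, part of the published key
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # "modular inverse": e*d = 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def rsa_apply(key, x: int) -> int:
    """One modular exponentiation; the same operation serves both directions."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(x, exp, n)


def encrypt(public, m: int) -> int:
    """Send a secret to someone: encrypt with THEIR public key."""
    return rsa_apply(public, m)


def decrypt(private, c: int) -> int:
    """They recover it with their own private key."""
    return rsa_apply(private, c)


def digest(msg: bytes, n: int) -> int:
    """Toy hash: SHA-256 reduced mod n so it fits the tiny modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(private, msg: bytes) -> int:
    """"Sign" = encrypt the hash (checksum) with MY private key."""
    return rsa_apply(private, digest(msg, private[0]))


def verify(public, msg: bytes, sig: int) -> bool:
    """Others check by decrypting the signature with MY public key."""
    return rsa_apply(public, sig) == digest(msg, public[0])


if __name__ == "__main__":
    pub, priv = keygen(11, 17, 3)            # N = 187, E = 3, D = 107
    c = encrypt(pub, 42)
    print(c, decrypt(priv, c))               # 36 42
    s = sign(priv, b"pay Bob 5")
    print(verify(pub, b"pay Bob 5", s), verify(pub, b"pay Bob 5", (s + 1) % 187))
```

With P = 11, Q = 17 and E = 3 the private exponent is 107 (3 · 107 = 321 = 2 · 160 + 1), and the same pow() call does both the encrypt and decrypt directions.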
IKE – Internet Key Exchange
• Sets Up “Security Associations” for IPSEC
– Assigns SPIs to connections between crypto
– Negotiates crypto selection and establishes secret keys
How IKE Works
• Phase 1: Establish a shared secret (Diffie-Hellman)
– Set up the shared secret
– Authenticate each other
• How? Shared secrets or public keys
• “Challenge Response” protocols (next slide)
• Phase 2: Negotiate or update an association
– One asks for an association, specifying an SPI
– The other says what crypto it supports
– They agree on crypto to use
– One provides a shared secret from which they produce keys
Challenge Response Protocols
• Bob says “I’m Bob”
• Alice says, “Prove it with this nonce: 1928”
• Bob encrypts it
• Alice verifies the encrypted nonce
• Crypto alternatives
– Use a shared secret
– Use public/private key pairs
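A simulation of both slides together: the shared-secret challenge-response from this slide used as the Phase 1 authentication of the previous slide, followed by a Phase 2 negotiation in which one side proposes an SPI and its crypto, the other picks a cipher both support, and each derives the SA key from the shared secret. This is an added example, not the lecture's code or real IKE; the Peer class, the cipher names, the message dictionaries and the HMAC-based key derivation are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added example for the "How IKE Works" and "Challenge Response Protocols"
# slides; not the lecture's code. The Peer class, the cipher names, the message
# dictionaries and the HMAC-based key derivation are assumptions made here;
# real IKE uses its own message formats and a Diffie-Hellman result, not a
# raw pre-shared key, as the secret the SA keys are derived from.


class Peer:
    def __init__(self, name: str, shared_secret: bytes, supported):
        self.name = name
        self.secret = shared_secret          # the Phase 1 shared secret
        self.supported = list(supported)     # crypto this peer supports, in preference order
        self.outstanding = set()             # nonces issued and not yet checked

    # ---- Phase 1 authentication: shared-secret challenge-response ----------
    def challenge(self) -> bytes:
        """Alice: "Prove it with this nonce". Random here, so each run differs."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def respond(self, nonce: bytes) -> bytes:
        """Bob "encrypts" the nonce: here a keyed MAC under the shared secret."""
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Alice checks the response; each nonce is accepted only once, so a
        recorded response cannot be replayed later."""
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        return hmac.compare_digest(self.respond(nonce), response)

    # ---- Phase 2: negotiate a security association -------------------------
    def propose(self, spi: int) -> dict:
        """One asks for an association, naming an SPI and the crypto it supports."""
        return {"spi": spi, "ciphers": self.supported}

    def choose(self, proposal: dict):
        """The other picks the first proposed cipher it also supports, or refuses."""
        for cipher in proposal["ciphers"]:
            if cipher in self.supported:
                return {"spi": proposal["spi"], "cipher": cipher}
        return None


def derive_key(shared_secret: bytes, spi: int, cipher: str) -> bytes:
    """Produce the SA's key from the shared secret plus the SA's identity."""
    info = spi.to_bytes(4, "big") + cipher.encode()
    return hmac.new(shared_secret, info, hashlib.sha256).digest()[:16]


def run_ike(initiator: Peer, responder: Peer, spi: int = 0x1001):
    """Returns (cipher, keys_match) on success, None if either phase fails."""
    # Phase 1: each side challenges the other ("authenticate each other")
    n1 = initiator.challenge()
    if not initiator.verify(n1, responder.respond(n1)):
        return None
    n2 = responder.challenge()
    if not responder.verify(n2, initiator.respond(n2)):
        return None
    # Phase 2: proposal, selection, key derivation
    agreed = responder.choose(initiator.propose(spi))
    if agreed is None:
        return None                              # no common crypto
    k_i = derive_key(initiator.secret, agreed["spi"], agreed["cipher"])
    k_r = derive_key(responder.secret, agreed["spi"], agreed["cipher"])
    return agreed["cipher"], k_i == k_r


if __name__ == "__main__":
    psk = b"constructed pre-shared secret"
    alice = Peer("Alice", psk, ["AES-CBC", "3DES"])
    bob = Peer("Bob", psk, ["3DES", "AES-CBC"])
    print(run_ike(alice, bob))                                       # ('AES-CBC', True)
    print(run_ike(alice, Peer("Mallory", b"guess", ["AES-CBC"])))    # None
```

A peer without the shared secret fails Phase 1, a peer with no cipher in common fails Phase 2, and because derive_key mixes in the SPI, two associations between the same peers get different keys.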
Firewalls
• Objectives
• Types of firewall traffic control
• Firewall Filtering
• Network Address Translation
• The Lab
Firewall objectives
• Provide outbound Internet access
• Restrict/forbid inbound connections
• Detect and block malicious traffic
Types of firewall traffic control
• Service control (allow specific protocols)
– Block unauthorized protocols
– Permit authorized ones
– Actually very hard to do
• Direction control (in/out)
– Allow outbound browsing
– Restrict access to internal servers
• User control (source/destination)
– User authorization, or perhaps subnet filtering
• Behavior control
– bandwidth, application specific cases
– Look in e-mail for malware
– Filter access to Web sites (China, Saudi, …)
Network Access Architectures
[Diagram, three network access architectures:
• Routers: Internet – Router – Internal Network
• Screened Subnet (Basic): Internet – Router – Screened Subnet (with Bastion Host) – Router – Internal Network
• Dual-Homed Gateway (Sophisticated): Internet – Router – Dual-Homed Firewall – Router – Internal Network]
Oct 2001
Types of Firewall Filtering
• Packet Filtering: based on packet header (Unsophisticated)
– Looks at the IP header; the TCP data is opaque to it
• Circuit Filtering: restricts connections (Common)
– Looks at the TCP header, with the application data opaque, plus connection state
• Application Proxy: restricts based on general policy (Refined)
– Looks at the application header and user data, plus connection state and application state
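The first two filtering types from this slide side by side, also illustrating the direction control item from the "Types of firewall traffic control" slide: a stateless packet filter decides from header fields alone, while a circuit filter keeps connection state and admits inbound packets only as replies to connections an insider opened. This is an added example, not the lecture's code; the Packet class, the rule list and the addresses (10.0.0.0/8 inside, documentation ranges outside) are constructed for it.

```python
import ipaddress
from dataclasses import dataclass

# Added example for the "Types of Firewall Filtering" slide; not the lecture's
# code. Rules, addresses and traffic are constructed for the example.


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = internal -> Internet, "in" = Internet -> internal
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False   # TCP SYN without ACK: attempt to open a new connection


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range

# Stateless packet filter: header fields only, first matching rule wins.
# Rule = (direction, dst port or None, src port or None, action).
STATELESS_RULES = [
    ("out", 80, None, "allow"),    # outbound browsing
    ("out", 443, None, "allow"),
    ("in", None, 80, "allow"),     # replies "from web servers" -- needed without state, but broad
    ("in", None, 443, "allow"),
    ("in", 25, None, "allow"),     # inbound mail to the internal mail host
]


def packet_filter(pkt: Packet) -> str:
    """Stateless decision: no memory of earlier packets, default deny."""
    for direction, dport, sport, action in STATELESS_RULES:
        if direction != pkt.direction:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        return action
    return "deny"


class CircuitFilter:
    """Circuit filtering: remembers connections insiders open, so inbound
    traffic is admitted only as part of such a connection (or to an
    explicitly published service)."""

    def __init__(self, allowed_out_ports=(80, 443), allowed_in_ports=(25,)):
        self.out_ports = set(allowed_out_ports)
        self.in_ports = set(allowed_in_ports)
        self.flows = set()   # (inside ip, inside port, outside ip, outside port)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # direction control: only insiders may open outbound connections
            if pkt.dport in self.out_ports and ipaddress.ip_address(pkt.src) in INTERNAL:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            return "deny"
        # inbound: a reply on a known connection, or a new connection to a published service
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows and not pkt.syn_only:
            return "allow"
        if pkt.syn_only and pkt.dport in self.in_ports:
            return "allow"
        return "deny"


def demo():
    """Returns (stateless verdict, circuit verdict) for each constructed packet."""
    cf = CircuitFilter()
    traffic = [
        Packet("out", "10.0.0.7", 51000, "198.51.100.9", 80, syn_only=True),  # insider browses
        Packet("in", "198.51.100.9", 80, "10.0.0.7", 51000),                  # the server's reply
        Packet("in", "203.0.113.4", 80, "10.0.0.7", 22, syn_only=True),       # unsolicited, src port 80
        Packet("in", "203.0.113.4", 40000, "10.0.0.5", 25, syn_only=True),    # new mail connection
    ]
    return [(packet_filter(p), cf.filter(p)) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet is the instructive one: to let web replies back in, the stateless filter needs a rule keyed on source port 80, and that rule also admits an unsolicited connection that merely uses 80 as its source port. The circuit filter denies it because no insider opened a connection to that host, while still passing the genuine reply and the published mail service.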
Firewalls in Different Strengths
[Diagram: the protocol stack (Link, IP, TCP/UDP, Application) between the INTERNET and the internal host, with each firewall type placed at the layer it inspects]
• Packet Filter (IP layer): Control Based on Source / Destination Internet Addresses
• Circuit Gateway (TCP/UDP layer): Hides Internal Network Details
• Application Gateway (Application layer): Control Based on Application Type and Content
Proxies . . . for the Application Gateway
M. A. Proxy
Proxies are small (less than 2000 lines of code), “minimal and modular”
[Diagram sequence, CLIENT – M. A. Proxy – SERVER:
– User’s requests go from the CLIENT to the M. A. Proxy
– User’s requests forwarded by the proxy to the SERVER
– Application output returned by the SERVER to the proxy
– Application output forwarded by the proxy to the CLIENT
– Logs maintained at the proxy]
Internet Firewall
[Diagram: Application Level Gateway between the Private Network and the Public Network. Private Network – Ethernet Card – proxies (http proxy, nntp proxy, smtp proxy, ftp proxy, telnet proxy, rlogin proxy, snmp proxy, X11 proxy) – Ethernet Card – Router – Public Network; the gateway writes Audit Logs]
Issues with using Firewalls
• All firewalls are NOT created equal
– Type and rigor of controls
– OS security
• Correct configuration is critical for any Firewall
– Many attacks exploit insecure default configurations
• Firewalls, even when functioning correctly, open BIG holes in the security perimeter
– World-Wide Web (HTTP)
– Active content (Java, JavaScript, ActiveX)
Network Address Translation
• Original purpose: more hosts & addresses
– Let “insiders” use restricted addresses
– Translate them on the way out
• A ‘multiplexing’ mechanism
– Users share a “real” Internet address
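The multiplexing the slide describes, as a small NAT table: insiders with restricted addresses are rewritten on the way out to the one shared "real" address, told apart by the port the NAT assigns, and replies are mapped back. This is an added example, not the lecture's code; the addresses are constructed (10.0.0.0/8 inside, 203.0.113.1 as the public address), and the table keys only on the inside address and port, whereas a real NAT also records the remote endpoint and ages mappings out.

```python
import itertools

# Added example for the NAT slide; not the lecture's code. The addresses are
# constructed: 10.0.0.0/8 is the insiders' restricted (private) range and
# 203.0.113.1 stands in for the single "real" Internet address they share.


class Nat:
    """Port-multiplexing NAT: many inside (address, port) pairs share one
    public address, told apart by the public port the NAT assigns."""

    def __init__(self, public_ip: str = "203.0.113.1", first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.out_map = {}   # (inside ip, inside port) -> public port
        self.in_map = {}    # public port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate on the way out: the packet leaves with the public source."""
        key = (src_ip, src_port)
        if key not in self.out_map:              # first packet of a flow: new mapping
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply back to the insider, or drop it (None) when no
        mapping exists: unsolicited inbound connections never reach the inside."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    """Two insiders that happen to pick the same local port, one reply, one stray."""
    nat = Nat()
    a = nat.outbound("10.0.0.7", 51000, "198.51.100.9", 80)
    b = nat.outbound("10.0.0.8", 51000, "198.51.100.9", 80)
    reply_b = nat.inbound("198.51.100.9", 80, "203.0.113.1", b[1])
    stray = nat.inbound("192.0.2.44", 4444, "203.0.113.1", 22)   # nobody inside asked for this
    return a, b, reply_b, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two insiders both used local port 51000, so the NAT assigns them public ports 40000 and 40001; the reply to 40001 is delivered to 10.0.0.8, and the packet to port 22 is dropped because no insider created a mapping for it, which is why NAT alone already restricts inbound connections.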
Firewalls and LAN support
• Provide a few standard LAN services
– Router connection
– DHCP
– Network Address Translation
Firewall Lab
• Overview
– Rewire the lab to use the firewall
– Map the rewired lab
– Demonstrate host blocking through the firewall
– Demonstrate NAT through the firewall
That’s it
• Questions?
Creative Commons License
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United
States License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative
Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.