2G1305 Internetworking/Internetteknik, Spring 2005, Period 4
Module 12: IPSec, VPNs, Firewalls, and NAT
Lecture notes of G. Q. Maguire Jr. ([email protected]), Internet_Security_VPNs_NAT.fm5, total pages: 697
For use in conjunction with TCP/IP Protocol Suite, by Behrouz A. Forouzan, 3rd Edition, McGraw-Hill. For this lecture: Chapters 26 and 28
© 1998, 1999, 2000, 2002, 2003, 2005 G.Q.Maguire Jr. All rights reserved. No part of this course may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission of the author.
Last modified: 2005.05.19:01:49



Lecture 6: Outline (slide 667 of 697)

• IPSec, VPN, …
• Firewalls & NAT
• Private networks

Private networks (slide 668 of 697)

Private networks are designed to be used by a limited set of users (generally those inside an organization).

Intranet: a private network - access limited to those in an organization
Extranet: intranet + limited access to some resource by additional users from outside the organization

Addresses for private IP networks

• these should never be routed to outside the private network
• they should never be advertised (outside the private network)
• allocated (reserved) addresses (RFC 1918):

Range | Total addresses
10.0.0.0 to 10.255.255.255 (10/8) | 2^24
172.16.0.0 to 172.31.255.255 (172.16/12) | 2^20
192.168.0.0 to 192.168.255.255 (192.168/16) | 2^16

Since these ranges are not routed on the Internet, a packet arriving from the outside with such a source address is spoofed and should be dropped at the border.

Virtual Private networks (VPNs) (slide 669 of 697)

Figure 112: Private network - Site A and Site B connected by a leased line
Figure 113: Hybrid network - Site A and Site B connected by a leased line, and each site also connected to the Internet
Figure 114: Virtual Private network - Site A and Site B connected by a tunnel across the Internet

Security Protocols, APIs (slide 670 of 697)

• Generic Security Services Application Programming Interface (GSS-API)
• Network layer security
  • Internet Protocol Security Protocol (IPSEC)
• Transport layer security
  • Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
  • Secure HyperText Transfer Protocol (S-HTTP)
• Application layer security
  • Pretty Good Privacy (PGP) [129]
  • Privacy-Enhanced Electronic Mail (PEM), S/MIME (signed MIME), PGP/MIME, and OpenPGP, … [130]
  • MasterCard and Visa's Secure Electronic Transaction (SET)
• Authentication
  • Remote Authentication Dial In User Service (RADIUS) http://www.gnu.org/software/radius/radius.html , FreeRADIUS http://www.freeradius.org/
  • DIAMETER http://www.diameter.org/
  • …

GSS-API (slide 671 of 697)

Generic Security Services Application Programming Interface (GSS-API)

• provides an abstract interface which provides security services for use in distributed applications
• but isolates callers from specific security mechanisms and implementations.

GSS-API peers establish a common security mechanism for security context establishment either through administrative action, or through negotiation.

GSS-API is specified in:

• J. Linn, "Generic Security Service API v2", RFC 2078 [115] (since obsoleted by RFC 2743, January 2000)
• J. Wray, "Generic Security Service API v2: C-bindings", RFC 2744 [116].

IPSec (slide 672 of 697)

IPSec in three parts:

• encapsulating security payload (ESP) defines encryption of IP payloads,
• authentication header (AH) defines the authentication method, and
• the Internet Security Association and Key Management Protocol (ISAKMP) manages the exchange of secret keys between senders and recipients of ESP or AH packets.

Note: the RFCs cited on the following slides are the 1998 versions that were current when these notes were written; they were replaced in December 2005 by RFC 4301 - RFC 4309 (ESP is now RFC 4303, AH is RFC 4302), and IKEv2 (RFC 4306, now RFC 7296) superseded ISAKMP/Oakley/IKEv1.

ESP packet (slide 673 of 697)

Consists of:

• a control header - contains a Security Parameters Index (SPI) and a sequence number field (the SPI + destination IP address uniquely identifies the Security Association (SA)).
• a data payload - encrypted version of the user's original packet. It may also contain control information needed by the cryptographic algorithms (for example DES needs an initialization vector (IV)). The encrypted region ends with an ESP trailer: padding, a pad length byte, and a next header byte identifying the encapsulated protocol.
• an optional authentication trailer - contains an Integrity Check Value (ICV) - which is used to validate the authenticity of the packet. The ICV is computed over everything from the SPI through the next header byte, so the receiver checks it before attempting decryption.

ESP could use any one of several algorithms: DES, Triple DES, … (DES, with its 56-bit key, is no longer acceptable; current ESP transforms use AES.)

See: RFC 2406: IP Encapsulating Security Payload (ESP) [109]

AH header (slide 674 of 697)

For authentication purposes only; contains:

• an SPI,
• a sequence number, and
• an authentication value.

AH uses either:

• Message Digest 5 (MD5) algorithm,
• Secure Hash Algorithm 1 (SHA-1),
• truncated HMAC (hashed message authentication code), or
• …

In practice the bare hashes are not used directly: the mandatory AH (and ESP) transforms are HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404), keyed HMACs truncated to 96 bits. Note also that, unlike ESP, the AH authentication value covers the immutable fields of the outer IP header, including the source and destination addresses, so AH packets fail the integrity check after passing through a NAT.

For further information see:

• IP Authentication Header - RFC 2402 [110]
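The ESP and AH slides above describe the packet layout and the truncated HMAC in words. The following is an added example, not code from the lecture notes: it builds an ESP packet laid out as in RFC 2406 (SPI, sequence number, IV, encrypted payload + trailer, 96-bit ICV), and a receiver that checks the ICV first, then the anti-replay window, then decrypts. The keys, SPI and inner packet are constructed for the example; the cipher is an HMAC-counter keystream standing in for the SA's block cipher, because the Python standard library has no DES/3DES/AES, and it is not a recommended IPsec transform.

```python
import hashlib
import hmac
import os
import struct

# Constructed keys for the example (not from the page). In a real system they
# come from the SA that ISAKMP/IKE negotiated.
AUTH_KEY = b"example-auth-key-16!"
ENC_KEY = b"example-enc-key-32-bytes-long!!!"
ICV_LEN = 12           # HMAC-SHA1-96 (RFC 2404): 20-byte HMAC-SHA1 truncated to 96 bits
IV_LEN = 8
NEXT_HEADER_IPV4 = 4   # IP-in-IP payload, i.e. tunnel mode


def keystream(key, iv, n):
    """Stand-in for the SA's block cipher: an HMAC-SHA256 counter-mode keystream.
    Assumption for this example only; real ESP uses DES/3DES/AES in CBC mode."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def icv(data):
    """Integrity Check Value: keyed HMAC, truncated (the 'truncated HMAC' of the AH slide)."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(spi, seq, inner_packet, iv=None):
    """Return an ESP packet: SPI | Seq | IV | {payload | pad | pad len | next hdr} | ICV."""
    iv = iv or os.urandom(IV_LEN)
    # pad so that (payload + padding + 2 trailer bytes) is a multiple of 4
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 2406 default padding 1,2,3,...
    plaintext = inner_packet + padding + bytes([pad_len, NEXT_HEADER_IPV4])
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(ENC_KEY, iv, len(plaintext))))
    authenticated = struct.pack("!II", spi, seq) + iv + ciphertext   # ICV covers SPI .. next header
    return authenticated + icv(authenticated)


class InboundSA:
    """Receiver state for one SA: verify ICV, then anti-replay, then decrypt."""

    def __init__(self, spi, window=64):
        self.spi = spi
        self.window = window
        self.highest = 0
        self.seen = set()        # sequence numbers accepted inside the window

    def receive(self, packet):
        if len(packet) < 8 + IV_LEN + 2 + ICV_LEN:
            raise ValueError("truncated packet")
        body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
        # constant-time compare; a forged or modified packet is rejected here
        if not hmac.compare_digest(icv(body), tag):
            raise ValueError("bad ICV")
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # anti-replay (RFC 2406 section 3.4.3): reject a seq already seen or too old
        if seq <= self.highest - self.window or seq in self.seen:
            raise ValueError("replayed sequence number %d" % seq)
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
        plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(ENC_KEY, iv, len(ciphertext))))
        pad_len, next_header = plaintext[-2], plaintext[-1]
        return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def demo():
    """Accept a genuine packet, then reject a bit-flipped copy and a replay."""
    sa = InboundSA(spi=0x1000)
    inner = b"\x45\x00" + b"constructed inner IP packet"      # constructed sample
    pkt = build_esp(0x1000, 1, inner)
    next_header, recovered = sa.receive(pkt)
    results = {"decrypted": recovered == inner and next_header == NEXT_HEADER_IPV4}
    tampered = bytearray(pkt)
    tampered[20] ^= 0x01                                      # flip one ciphertext bit
    for name, candidate, expect in (("tamper_rejected", bytes(tampered), "ICV"),
                                    ("replay_rejected", pkt, "replayed")):
        try:
            sa.receive(candidate)
            results[name] = False
        except ValueError as err:
            results[name] = expect in str(err)
    return results
```

The order in `receive` matters: checking the ICV before the replay window means an attacker cannot advance the window with forged sequence numbers, and checking both before decrypting means the cipher is never driven with untrusted input.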

ISAKMP (slide 675 of 697)

ISAKMP (as used by IKE, together with Oakley) is based on the Diffie-Hellman key exchange protocol; since Diffie-Hellman by itself provides no authentication, it assumes the identities of the two parties are known, i.e., authenticated by some other means (pre-shared keys, signatures, or certificates).

Using ISAKMP you can:

• control the level of trust in the keys,
• force SPIs to be changed at an appropriate frequency,
• identify keyholders via digital certificates [requires using a certificate authority (CA)]

For further information see:

• Internet Security Association and Key Management Protocol (ISAKMP) - RFC 2408 [111]
• The Internet IP Security Domain of Interpretation for ISAKMP - RFC 2407 [112]
• The OAKLEY Key Determination Protocol - RFC 2412 [113]
• The Internet Key Exchange (IKE) - RFC 2409 [114]
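The sentence "it assumes the identities of the two parties are known" is the whole security argument of the slide, so here is an added example (not from the lecture notes) showing why: a plain Diffie-Hellman exchange lets a man in the middle share one key with each side, and binding each party's public value to its identity with a key only the two parties hold (a simplified version of IKE's pre-shared-key authentication) makes the substitution detectable. The group is a toy safe prime chosen for illustration and the PSK is constructed; real IKE uses the MODP groups of RFC 2409 and RFC 3526.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only: a small safe prime
# p = 2q + 1 with generator 2. IKE uses the 768/1024-bit MODP groups of
# RFC 2409 (and larger ones from RFC 3526); a group this small is broken
# by exhaustive search in microseconds.
P = 1019
Q = (P - 1) // 2                # 509, also prime
G = 2
PSK = b"pre-shared-key-known-only-to-A-and-B"   # constructed for the example


def dh_keypair():
    x = secrets.randbelow(Q - 1) + 1          # private exponent in [1, q-1]
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    # Reject 0, 1 and p-1: they force the shared secret into a tiny subgroup.
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, x, P)


def kdf(shared):
    # Stand-in for IKE's SKEYID derivation: hash the shared secret.
    return hashlib.sha256(b"toy-skeyid|" + shared.to_bytes(2, "big")).digest()


def auth_tag(identity, sent_pub, received_pub):
    """Keyed hash binding an identity to both DH public values, in the spirit of
    IKE's pre-shared-key authentication (simplified). Only a holder of PSK can
    compute it, and it commits to exactly these two values."""
    msg = identity + sent_pub.to_bytes(2, "big") + received_pub.to_bytes(2, "big")
    return hmac.new(PSK, msg, hashlib.sha256).digest()


def mitm_keypair(*exclude):
    # Mallory's own key pair, distinct from the honest public values
    while True:
        m, M = dh_keypair()
        if M not in exclude:
            return m, M


def unauthenticated_exchange(with_mitm):
    """Plain DH. Returns (A's key, B's key, whether Mallory knows both keys)."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    if not with_mitm:
        return kdf(dh_shared(a, B)), kdf(dh_shared(b, A)), False
    m, M = mitm_keypair(A, B)
    key_a = kdf(dh_shared(a, M))        # A believes M came from B
    key_b = kdf(dh_shared(b, M))        # B believes M came from A
    mallory_a = kdf(dh_shared(m, A))    # Mallory shares key_a with A ...
    mallory_b = kdf(dh_shared(m, B))    # ... and key_b with B, and relays between them
    return key_a, key_b, (mallory_a == key_a and mallory_b == key_b)


def authenticated_exchange(with_mitm):
    """Same exchange, but each side proves knowledge of PSK over the values it
    sent and received. Returns True when both sides accept their peer."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m, M = mitm_keypair(A, B)
    a_as_seen_by_b = M if with_mitm else A    # what actually arrives at B
    b_as_seen_by_a = M if with_mitm else B    # what actually arrives at A
    tag_a = auth_tag(b"A", A, b_as_seen_by_a)
    tag_b = auth_tag(b"B", B, a_as_seen_by_b)
    # Each verifier recomputes the tag from the values *it* holds. Mallory can
    # relay the tags but cannot recompute them without PSK, so a substituted
    # public value is detected by both sides.
    ok_b = hmac.compare_digest(tag_a, auth_tag(b"A", a_as_seen_by_b, B))
    ok_a = hmac.compare_digest(tag_b, auth_tag(b"B", b_as_seen_by_a, A))
    return ok_a and ok_b
```

The same binding is what a certificate-based exchange achieves with a signature over the DH values instead of an HMAC under a pre-shared key; in both cases the point is that the key agreement is only as trustworthy as the identity check wrapped around it.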

Where can you run IPSec? (slide 676 of 697)

Mode | Where it runs | Payload
Transport | end-systems | payload data follows the normal IP header
Tunnelling | internetworking device: e.g., router, firewall, or VPN gateway | • end-user's entire packet - IP headers and all - placed within another packet with ESP or AH fields [thus it is encapsulated in another packet] • can hide the original source and destination address information

Figure 115: IPSec usage (red = secure, black = unsecure) - AS1, AS2, AS4 and AS5 reach each other through a tunnel across AS3

Firewalls (slide 677 of 697)

The firewall can provide packet by packet filtering of packets coming into the intranet or leaving the intranet. The firewall can decide which packets should be forwarded based on source, destination addresses, and port (or even deeper examination) using an explicitly defined policy.

Figure 116: Firewall and internet gateway - interior (often an Intranet) and exterior

Linux firewall (slide 678 of 697)

For example, for the software firewall used in Linux systems called "ipfwadm":

• all ports are typically closed for inbound traffic,
• all outbound traffic is "IP masqueraded", i.e., appears to come from the gateway machine; and
• for bi-directional services required by the users, "holes" may be punched through the firewall - these holes can reroute traffic to/from particular ports:
  • to specific users or
  • the most recent workstation to request a service.

(ipfwadm belongs to the 2.0 kernels; it was replaced by ipchains in 2.2 and by iptables/netfilter from 2.4 on, and later by nftables. The model above - default deny inbound, masquerade outbound, explicit holes - is unchanged.)

Firewall Design (slide 679 of 697)

apply basics of security:

• least privilege:
  • don't make hosts do more than they have to (implies: specialize servers)
  • use minimum privileges for the task in hand
• fail safe
  • even if things break it should not leave anything open
• defence in depth
  • use several discrete barriers - don't depend on a single firewall for all security
• weakest links
  • know the limitations of your defences - understand your weakest link

Firewalls should have sufficient performance to keep the pipes full - i.e., a firewall should not limit the amount of traffic flowing across the connection to the external network, only what flows across it!
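The private-address slide, the Linux firewall slide and the design principles above all describe one policy: drop spoofed RFC 1918 sources at the border, close everything inbound by default (fail safe), and open explicit holes for the services users need. The following added example (not code from the lecture notes) implements that policy as a small stateful packet filter over constructed sample traffic; the inside prefix, the rule set and the addresses are assumptions, and tracking established connections goes beyond the stateless ipfwadm of the slide in the way iptables/nftables do.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")     # assumed inside prefix
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918, from the slide

# Policy: first match wins, anything unmatched is dropped (fail safe).
# Packets are dicts with iface ('int' or 'ext'), proto, src, sport, dst, dport,
# as seen on the inside of any NAT (i.e. with real inside addresses).
POLICY = [
    ({"iface": "int", "proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"iface": "int", "proto": "tcp", "dport": 443}, "ACCEPT"),
    ({"iface": "int", "proto": "udp", "dport": 53}, "ACCEPT"),
    # a manually punched hole: SSH to the gateway from one specific admin host
    ({"iface": "ext", "proto": "tcp", "src": "203.0.113.7",
      "dst": "192.168.0.1", "dport": 22}, "ACCEPT"),
]


def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


class Firewall:
    """Stateful packet filter with an explicit policy and default deny."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()       # 4-tuples of connections opened from inside

    def anti_spoof(self, pkt):
        """Ingress/egress filtering: private sources never arrive from the
        Internet, and only inside addresses may leave through the inside interface."""
        if pkt["iface"] == "ext" and is_private(pkt["src"]):
            return "DROP spoofed: private source on external interface"
        if pkt["iface"] == "int" and ipaddress.ip_address(pkt["src"]) not in INTERNAL_NET:
            return "DROP spoofed: foreign source on internal interface"
        return None

    def filter(self, pkt):
        reason = self.anti_spoof(pkt)
        if reason:
            return reason
        outbound_key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reply_key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # replies to connections opened from inside: the "hole" for bi-directional services
        if pkt["iface"] == "ext" and reply_key in self.state:
            return "ACCEPT established reply"
        for match, verdict in self.rules:
            if all(pkt.get(k) == v for k, v in match.items()):
                if verdict == "ACCEPT" and pkt["iface"] == "int":
                    self.state.add(outbound_key)
                return "%s rule %r" % (verdict, match)
        return "DROP default policy"    # fail safe: nothing explicitly allowed is open


def run_demo():
    """Constructed sample traffic; returns the verdict for each packet in order."""
    fw = Firewall(POLICY)
    traffic = [
        {"iface": "int", "proto": "tcp", "src": "192.168.0.10", "sport": 54321, "dst": "93.184.216.34", "dport": 80},
        {"iface": "ext", "proto": "tcp", "src": "93.184.216.34", "sport": 80, "dst": "192.168.0.10", "dport": 54321},
        {"iface": "ext", "proto": "tcp", "src": "198.51.100.9", "sport": 40000, "dst": "192.168.0.10", "dport": 25},
        {"iface": "ext", "proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.0.10", "dport": 80},
        {"iface": "int", "proto": "tcp", "src": "8.8.8.8", "sport": 40000, "dst": "192.168.0.10", "dport": 80},
        {"iface": "ext", "proto": "tcp", "src": "203.0.113.7", "sport": 50000, "dst": "192.168.0.1", "dport": 22},
        {"iface": "int", "proto": "tcp", "src": "192.168.0.10", "sport": 54322, "dst": "93.184.216.34", "dport": 23},
    ]
    return [fw.filter(p) for p in traffic]
```

Note the order of the checks: spoof filtering runs before the state table is consulted, so a forged "reply" from a private source cannot ride an established entry; and the established-reply check is keyed on the full 4-tuple, so an outsider cannot reach an inside host just by using source port 80.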

Proxy Access Through A Firewall (slide 680 of 697)

Often you need application level proxies (i.e., they understand details of the application protocol) -- an example is to proxy RealAudio's streaming audio.

Figure 117: Firewall and internet gateway - interior (Intranet), a Proxy Server on a Bastion host, exterior (Internet), and a manually enabled bypass

SOCKS (slide 681 of 697)

Permeo Technologies, Inc.'s SOCKS http://www.socks.nec.com/

In order to bridge a firewall we can use a proxy:

• the proxy will appear to be all external hosts to those within the firewall
• for example, if a user attached to the intranet requests a webpage, the request is sent to the proxy host where the same request is duplicated and sent to the real destination. When data is returned the proxy readdresses (with the user's intranet address) the returned data and sends it to the user.
• widely used to provide proxies for commonly used external services (such as Telnet, FTP, and HTTP).

See: [123] and [124]

Figure 118: Firewall and internet gateway - a Socks (Proxy) Server between interior (Intranet) and exterior (Internet), with a hole for the proxy's traffic
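The exchange the slide describes in words, as an added example that is not from the lecture notes: the client's method selection and CONNECT request and the server's replies, encoded byte-for-byte as in RFC 1928 [123], with an in-memory server that grants the CONNECT only for destination ports on an allow list. The allow list, the proxy's address and the destinations are assumptions; a real server would open the outbound TCP connection and relay bytes, which is left out here.

```python
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08


def encode_address(host):
    """ATYP + DST.ADDR as in RFC 1928 section 4: IPv4, IPv6 or length-prefixed name."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host)
        except OSError:
            pass
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("domain name too long for SOCKS5")
    return bytes([ATYP_DOMAIN, len(name)]) + name


def decode_address(buf, offset):
    """Return (host, offset just past the address) for the ATYP/ADDR field at offset."""
    atyp = buf[offset]
    if atyp == ATYP_IPV4:
        return socket.inet_ntop(socket.AF_INET, buf[offset + 1:offset + 5]), offset + 5
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, buf[offset + 1:offset + 17]), offset + 17
    if atyp == ATYP_DOMAIN:
        n = buf[offset + 1]
        return buf[offset + 2:offset + 2 + n].decode("idna"), offset + 2 + n
    raise ValueError("unsupported ATYP %d" % atyp)


def client_greeting():
    return bytes([SOCKS_VERSION, 1, NO_AUTH])        # VER, NMETHODS, METHODS


def client_connect_request(host, port):
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack("!H", port)


def parse_reply(buf):
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT; returns (rep, bnd_host, bnd_port)."""
    if len(buf) < 4 or buf[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    bnd_host, off = decode_address(buf, 3)
    (bnd_port,) = struct.unpack("!H", buf[off:off + 2])
    return buf[1], bnd_host, bnd_port


class ToySocksServer:
    """Server side, in memory: method selection, then a CONNECT that is granted
    only for allowed destination ports. The proxy is the firewall's controlled
    hole, so it is the natural place to enforce policy."""

    def __init__(self, allowed_ports, bind_addr="203.0.113.10"):   # constructed proxy address
        self.allowed_ports = set(allowed_ports)
        self.bind_addr = bind_addr

    def handle_greeting(self, buf):
        if buf[0] != SOCKS_VERSION or NO_AUTH not in buf[2:2 + buf[1]]:
            return bytes([SOCKS_VERSION, NO_ACCEPTABLE])
        return bytes([SOCKS_VERSION, NO_AUTH])

    def handle_request(self, buf):
        if buf[0] != SOCKS_VERSION:
            raise ValueError("bad version")
        try:
            host, off = decode_address(buf, 3)
        except ValueError:
            return self.reply(REP_ATYP_UNSUPPORTED)
        (port,) = struct.unpack("!H", buf[off:off + 2])
        if buf[1] != CMD_CONNECT:
            return self.reply(REP_CMD_UNSUPPORTED)
        if port not in self.allowed_ports:
            return self.reply(REP_NOT_ALLOWED)     # "connection not allowed by ruleset"
        # a real server connects to (host, port) here; BND.ADDR/BND.PORT report
        # the proxy's side of that connection, which is what the far end sees
        return self.reply(REP_SUCCESS, 4242)

    def reply(self, rep, bnd_port=0):
        return bytes([SOCKS_VERSION, rep, 0x00]) + encode_address(self.bind_addr) + struct.pack("!H", bnd_port)


def connect_via_proxy(server, host, port):
    """Drive the whole exchange; returns the REP code the client sees."""
    if server.handle_greeting(client_greeting()) != bytes([SOCKS_VERSION, NO_AUTH]):
        raise ConnectionError("no acceptable authentication method")
    rep, _, _ = parse_reply(server.handle_request(client_connect_request(host, port)))
    return rep
```

Offering only NO_AUTH is what most intranet deployments do because the firewall already restricts who can reach the proxy; RFC 1961 [124] adds GSS-API authentication for the case where that is not enough.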

Newping (slide 682 of 697)

http://ftp.cerias.purdue.edu/pub/tools/dos/socks.cstc/util/newping.c

• a "ping" for SOCKS
• it depends on the target host not blocking the service on the appropriate port (in this case "time"). This version is primarily for checking "Is it alive?" rather than gathering statistics on the average response time of several echo requests.
• Uses the "time" TCP port to verify that a host is up, rather than using ICMP ⇒ usable through a firewall that blocks ICMP.

MBONE through firewalls (slide 683 of 697)

http://www.cs.virginia.edu/~mngroup/projects/firewalls/

Their firewall features:

• Source host checking (allowing only certain hosts to transmit through the firewall, or denying specific hosts)
• Destination port checking
• Packet contents (unwrapping encapsulated IP)
• Regulating bandwidth allocated to a specific multicast group's traffic

Their Mbone gateway is based on a modified multicast routing daemon.

Figure 119: Firewall and internet gateway - a SOCKS+Mrouted-gw between the Intranet and the MBONE; group joins from the inside pass through a hole in the firewall

Secure Mailer (aka Postfix) (slide 684 of 697)

Wietse Venema's attempt to provide an alternative to the widely-used Sendmail program

70% of all mail sent via the Internet is sent via Sendmail

"Security. Postfix uses multiple layers of defense to protect the local system against intruders. Almost every Postfix daemon can run in a chroot jail with fixed low privileges. There is no direct path from the network to the security-sensitive local delivery programs - an intruder has to break through several other programs first. Postfix does not even trust the contents of its own queue files, or the contents of its own IPC messages. Postfix avoids placing sender-provided information into shell environment variables. Last but not least, no Postfix program is set-uid." [125]

U.S. DOE CIAC's Network Security Tools [126] (slide 685 of 697)

• System Administrator Tool for Analyzing Networks (SATAN), network security analyzer designed by Dan Farmer and Wietse Venema; scans systems connected to the network noting the existence of well known, often exploited vulnerabilities. (see also Security Auditor's Research Assistant (SARA))
• ipacl - forces all TCP and UDP packets to pass through an access control list facility
• logdaemon - modified versions of rshd, rlogind, ftpd, rexecd, login, and telnetd that log significantly more information - enabling better auditing of problems via the logfiles
• improved versions of: portmap, rpcbind,
• screend - a daemon and kernel modifications to allow all packets to be filtered based on source address, destination address, or any other byte or set of bytes in the packet
• securelib - new versions of the accept, recvfrom, and recvmsg networking system calls

U.S. DOE CIAC's Network Security Tools [126], continued (slide 686 of 697)

• TCP Wrappers - allows monitoring and control over who connects to a host's TFTP, EXEC, FTP, RSH, TELNET, RLOGIN, FINGER, and SYSTAT ports + a library so that other programs can be controlled and monitored in the same fashion
• xinetd - a replacement for inetd which supports access control based on the address of the remote host and the time of access + provides extensive logging capabilities

The Network Mapper (NMAP) (slide 687 of 697)

Network Mapper (NMAP) http://www.insecure.org/nmap/

• (cleverly) uses raw IP packets
• determine what hosts are available on the network,
• what services (application name and version) are offered,
• what operating systems (and OS versions) they are running,
• what type of packet filters/firewalls are in use,
• …

http://www.insecure.org/nmap/nmap_documentation.html also has a link to "Remote OS detection via TCP/IP Stack FingerPrinting" by Fyodor <[email protected]> (www.insecure.org), October 18, 1998 - a means of identifying which OS the host is running by noting its TCP/IP behavior.

Network Address Translation (slide 688 of 697)

NAT maps IP addresses on the inside to one or more addresses on the outside and vice versa. See RFC 3022 [136] and RFC 2766 [137] (NAT-PT, the IPv6/IPv4 translator of RFC 2766, was later moved to Historic status by RFC 4966).

Figure 120: Example of a Firewall with NAT - interior Intranet 192.168.0.x with the NAT gateway at 192.168.0.1, outside address y.y.y.y (… z.z.z.z) provided by the ISP, a Proxy Server, exterior Internet, and a manually enabled bypass

Advantages:
✔ save IPv4 addresses
✔ hides internal node structure from outside nodes
✔ the intranet does not have to be renumbered when you connect to another ISP

Disadvantages:
✘ Unfortunately this breaks many services because they use an IP address inside their data (the classic case is active-mode FTP's PORT command; such protocols need an application-level gateway in the NAT that rewrites the embedded address).
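The slide states the NAT mapping and its disadvantage in one line each. The following is an added example, not code from the lecture notes: a port-translating NAT of the kind RFC 3022 [136] calls NAPT, with the many-to-one mapping, the drop of unsolicited inbound packets, and the failure mode for active-mode FTP, whose PORT command carries the client's private address in the payload. It goes one step beyond the slide by also showing the usual fix, an application-level gateway that rewrites PORT and pre-opens the return mapping. All addresses, ports and the FTP command are constructed for the example.

```python
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class Napt:
    """Port-translating NAT (the 'NAPT' of RFC 3022): many inside hosts share
    one outside address and are told apart by the outside port."""

    def __init__(self, outside_addr, inside_net, ftp_alg=True, first_port=10000):
        self.outside = outside_addr
        self.inside_net = ipaddress.ip_network(inside_net)
        self.ftp_alg = ftp_alg
        self.next_port = first_port
        self.out_table = {}   # (in_addr, in_port, dst, dport) -> out_port
        self.in_table = {}    # (out_port, remote_addr, remote_port) -> (in_addr, in_port)

    def _alloc(self, in_addr, in_port, remote=(None, None)):
        port = self.next_port
        self.next_port += 1
        self.in_table[(port,) + remote] = (in_addr, in_port)
        return port

    def outbound(self, pkt):
        """Translate an inside->outside packet (a dict); returns the new packet."""
        if ipaddress.ip_address(pkt["src"]) not in self.inside_net:
            raise ValueError("source is not an inside address")
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_table:
            self.out_table[key] = self._alloc(pkt["src"], pkt["sport"], (pkt["dst"], pkt["dport"]))
        out = dict(pkt, src=self.outside, sport=self.out_table[key])
        if self.ftp_alg and pkt["dport"] == 21 and "payload" in pkt:
            out["payload"] = self._rewrite_port_command(pkt["src"], pkt["payload"])
        return out

    def inbound(self, pkt):
        """Translate an outside->inside packet, or return None to drop it."""
        hit = (self.in_table.get((pkt["dport"], pkt["src"], pkt["sport"]))
               or self.in_table.get((pkt["dport"], None, None)))
        if hit is None:
            return None        # no mapping: unsolicited inbound traffic is dropped
        return dict(pkt, dst=hit[0], dport=hit[1])

    def _rewrite_port_command(self, in_addr, payload):
        """Application-level gateway for active-mode FTP. PORT carries the
        client's private address and data port inside the payload; the NAT must
        rewrite it and pre-open a mapping for the server's connection back."""
        m = PORT_RE.match(payload)
        if not m or ".".join(m.groups()[:4]) != in_addr:
            return payload
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        out_port = self._alloc(in_addr, data_port)       # any remote may connect to it
        hi, lo = divmod(out_port, 256)
        return "PORT %s,%d,%d\r\n" % (self.outside.replace(".", ","), hi, lo)


def ftp_active_session(ftp_alg):
    """Client behind the NAT sends PORT on the control connection; the server
    then connects from port 20 to whatever address PORT advertised. Returns the
    PORT line the server saw and the data packet as delivered inside (or None)."""
    nat = Napt("203.0.113.1", "192.168.0.0/24", ftp_alg=ftp_alg)
    ctrl = nat.outbound({"src": "192.168.0.10", "sport": 40000,
                         "dst": "198.51.100.5", "dport": 21,
                         "payload": "PORT 192,168,0,10,160,0\r\n"})   # data port 160*256 = 40960
    m = PORT_RE.match(ctrl["payload"])
    target = ".".join(m.groups()[:4])
    target_port = int(m.group(5)) * 256 + int(m.group(6))
    if target != nat.outside:
        return ctrl["payload"], None   # server targets a private address: never reaches the NAT
    data = nat.inbound({"src": "198.51.100.5", "sport": 20, "dst": target, "dport": target_port})
    return ctrl["payload"], data
```

The same failure hits every protocol that embeds addresses in its payload (SIP/SDP, H.323, IRC DCC), and it also explains the AH remark above: a translator that must rewrite addresses cannot coexist with an integrity check that covers them.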

Demilitarized zone (DMZ) (slide 689 of 697)

Note that the various services may also be in different DMZs (see for example figure 4 page 90 of [127])

Figure 121: Example of a Firewall with a DMZ - interior (Intranet), exterior (Internet), and a DMZ holding the ftp server, web server, DNS server, and e-mail server

Network Security Exercises (slide 690 of 697)

You will find a nice set of exercises by Ramesh Govindan at USC's ISI for Kerberos, S/Key, and firewalls at: http://www.isi.edu/~govindan/cs558/netsec/index.html

Note that you should not use their machines for these exercises, but I think you will find this useful reading.

Security Organizations and Companies (slide 691 of 697)

Computer Emergency Response Team (CERT®) Coordination Center [117]

• 1988 - Computer Emergency Response Team
• 2003 - Computer Emergency Readiness Team

Additionally, there are numerous other CERTs:

• CanCERT™, GOVCERT.NL, Sveriges IT-incidentcentrum (SITIC) http://www.sitic.se/ , Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques informatiques (CERTA), CNCERT/CC [121], …
• The European Computer Security Incident Response Team Network http://www.ecsirt.net/

Forum of Incident Response and Security Teams (FIRST), now: 170 members [118]

NIST Computer Security Resource Center [119], Swedish Defense Material Administration, Electronics Systems Directorate [120], …

Summary (slide 692 of 697)

This lecture we have discussed:

• Private networks
• IPSec
• Firewalls

Further information (slides 693 - 697 of 697)

[108] IETF Security Area http://sec.ietf.org/
[109] S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)", IETF RFC 2406, November 1998 http://www.ietf.org/rfc/rfc2406.txt
[110] S. Kent and R. Atkinson, "IP Authentication Header", IETF RFC 2402, November 1998 http://www.ietf.org/rfc/rfc2402.txt
[111] D. Maughan, M. Schertler, M. Schneider, and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", IETF RFC 2408, November 1998 http://www.ietf.org/rfc/rfc2408.txt
[112] D. Piper, "The Internet IP Security Domain of Interpretation for ISAKMP", IETF RFC 2407, November 1998 http://www.ietf.org/rfc/rfc2407.txt
[113] H. Orman, "The OAKLEY Key Determination Protocol", IETF RFC 2412, November 1998 http://www.ietf.org/rfc/rfc2412.txt
[114] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)", IETF RFC 2409, November 1998 http://www.ietf.org/rfc/rfc2409.txt
[115] J. Linn, "Generic Security Service Application Program Interface, Version 2", IETF RFC 2078, January 1997 http://www.ietf.org/rfc/rfc2078.txt
[116] J. Wray, "Generic Security Service API Version 2 : C-bindings", IETF RFC 2744, January 2000 http://www.ietf.org/rfc/rfc2744.txt
[117] Computer Emergency Response Team http://www.cert.org/
[118] Forum of Incident Response and Security Teams http://www.first.org/
[119] U. S. National Institute of Standards and Technology (NIST), Computer Security Division, Computer Security Resource Center http://csrc.nist.gov/
[120] Swedish Defense Material Administration http://www.fmv.se/
[121] David Crochemore, "Response/Readiness: What R the new CERTS?", National Computer network Emergency Response technical Team/Coordination Center of China (CNCERT/CC) 2005 Annual Conference, Guilin, P.R.China, 30 March 2005 http://www.cert.org.cn/upload/2005AnnualConferenceCNCERT/1MainConference/10.DavidCrochemore-NGCERTOI.pdf
[122] Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques informatiques (CERTA) http://www.certa.ssi.gouv.fr/
[123] M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, and L. Jones, "SOCKS Protocol Version 5", IETF RFC 1928, March 1996 http://www.ietf.org/rfc/rfc1928.txt
[124] P. McMahon, "GSS-API Authentication Method for SOCKS Version 5", IETF RFC 1961, June 1996 http://www.ietf.org/rfc/rfc1961.txt
[125] Postfix http://www.postfix.org
[126] U.S. DOE's Computer Incident Advisory Capability http://ciac.llnl.gov/ciac/ToolsUnixNetSec.html
[127] Robert Malmgren, Praktisk nätsäkerhet, Internet Academy Press, Stockholm, Sweden, 2003, ISBN 91-85035-02-5
[128] Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a PUBLIC World, Prentice-Hall, 1995, ISBN 0-13-061466-1
[129] Simson Garfinkel, PGP: Pretty Good Privacy, O'Reilly & Associates, 1995, ISBN 1-56592-098-8
[130] Internet Mail Consortium, "S/MIME and OpenPGP", Oct 15, 2004 http://www.imc.org/smime-pgpmime.html

Firewalls

[131] Bill Cheswick and Steve Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker, Addison Wesley, 1994, ISBN: 0-201-63357-4
[132] D. Brent Chapman and Elizabeth Zwicky, Building Internet Firewalls, O'Reilly, 1995, ISBN: 1-56592-124-0
[133] Tony Mancill, Linux Routers: A Primer for Network Administrators, Prentice-Hall, 2001, ISBN 0-13-086113-8.
[134] Firewalls mailing list http://www.isc.org/index.pl?/ops/lists/firewalls/
[135] Computer Security Institute (CSI) at http://www.gocsi.com/

NAT

[136] P. Srisuresh and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", IETF RFC 3022, January 2001 http://www.ietf.org/rfc/rfc3022.txt
[137] G. Tsirtsis and P. Srisuresh, "Network Address Translation - Protocol Translation (NAT-PT)", IETF RFC 2766, February 2000 http://www.ietf.org/rfc/rfc2766.txt