Chapter 32
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Figure 32.1 Common structure of three security protocols
32-1 IPSecurity (IPSec)
IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.
Topics discussed in this section:
Two Modes
Two Security Protocols
Security Association
Internet Key Exchange (IKE)
Virtual Private Network
Figure 32.2 TCP/IP protocol suite and IPSec
Figure 32.3 Transport mode and tunnel modes of IPSec protocol
Note
IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer.
Figure 32.4 Transport mode in action
Figure 32.5 Tunnel mode in action
Note
IPSec in tunnel mode protects the original IP header.
Figure 32.6 Authentication Header (AH) Protocol in transport mode
Note
The AH Protocol provides source authentication and data integrity, but not privacy.
Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode
Note
ESP provides source authentication, data integrity, and privacy.
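As an added example (not from the textbook), the toy model below shows which bytes of a packet AH and ESP cover in transport and tunnel mode, as described in the notes on the two modes and the two protocols above. HMAC-SHA256 stands in for the authentication algorithm and a SHA-256 keystream XOR stands in for ESP's cipher, so only the coverage, not the cryptographic strength, is realistic; the packet layout and addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
TAG_LEN = 32  # HMAC-SHA256 tag length

@dataclass
class Packet:  # toy packet model, constructed for this example
    ip_header: bytes  # e.g. b"src=10.0.0.1;dst=10.0.0.2"
    payload: bytes    # transport-layer segment

def _mac(key, data):
    # HMAC-SHA256 stands in for the AH/ESP authentication algorithm.
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream_xor(key, data):
    # Toy SHA-256 counter keystream, NOT a real ESP cipher; it only marks the bytes ESP encrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def ah_transport(pkt, key):
    # AH, transport mode: authenticate the transport-layer data; it travels in the clear.
    return Packet(pkt.ip_header, _mac(key, pkt.payload) + pkt.payload)

def esp_transport(pkt, key):
    # ESP, transport mode: encrypt then authenticate the payload; the IP header stays in the clear.
    ct = _keystream_xor(key, pkt.payload)
    return Packet(pkt.ip_header, ct + _mac(key, ct))

def esp_tunnel(pkt, key, new_header):
    # ESP, tunnel mode: header + payload of the original packet are protected behind a new IP header.
    inner = len(pkt.ip_header).to_bytes(2, "big") + pkt.ip_header + pkt.payload
    ct = _keystream_xor(key, inner)
    return Packet(new_header, ct + _mac(key, ct))

def ah_verify(pkt, key):
    tag, data = pkt.payload[:TAG_LEN], pkt.payload[TAG_LEN:]
    return hmac.compare_digest(tag, _mac(key, data))

def esp_verify(pkt, key):
    ct, tag = pkt.payload[:-TAG_LEN], pkt.payload[-TAG_LEN:]
    return hmac.compare_digest(tag, _mac(key, ct))

def esp_tunnel_open(pkt, key):
    # Recover the original packet (including its IP header) from a tunnel-mode packet.
    inner = _keystream_xor(key, pkt.payload[:-TAG_LEN])
    n = int.from_bytes(inner[:2], "big")
    return Packet(inner[2:2 + n], inner[2 + n:])
```

Changing the outer IP header of a transport-mode packet still verifies, while the original header inside a tunnel-mode packet is both hidden and covered by the tag.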
Table 32.1 IPSec services
Figure 32.8 Simple inbound and outbound security associations
Note
IKE creates SAs for IPSec.
Figure 32.9 IKE components
Table 32.2 Addresses for private networks
Figure 32.10 Private network
Figure 32.11 Hybrid network
Figure 32.12 Virtual private network
Figure 32.13 Addressing in a VPN
32-2 SSL/TLS
Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former.
Topics discussed in this section:
SSL Services
Security Parameters
Sessions and Connections
Four Protocols
Transport Layer Security
Figure 32.14 Location of SSL and TLS in the Internet model
Table 32.3 SSL cipher suite list
Table 32.3 SSL cipher suite list (continued)
Note
The client and the server have six different cryptography secrets.
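An added example, not part of the slides: the six secrets come out of a key-expansion step driven by the master secret and the two random values exchanged in the handshake. The code below implements the TLS 1.2 form of that derivation (P_SHA256 and the key_block split order from RFC 5246) with constructed sample values; SSL 3.0 itself uses a different MD5/SHA-1 construction, so this shows the structure of the derivation rather than SSL's exact bytes.

```python
import hashlib
import hmac

def hmac_sha256(secret: bytes, data: bytes) -> bytes:
    return hmac.new(secret, data, hashlib.sha256).digest()

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    # P_SHA256 from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    # output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    out, a = b"", seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # 48-byte master secret; note the seed order client_random + server_random.
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def six_secrets(master: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    # key_block uses the reversed seed order and is cut into the six secrets in this
    # fixed order (RFC 5246 section 6.3); lengths here fit an AES-128-CBC / HMAC-SHA256 suite.
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    secrets, pos = {}, 0
    for name, size in layout:
        secrets[name] = block[pos:pos + size]
        pos += size
    return secrets

if __name__ == "__main__":
    # Constructed sample values; in a real handshake these are random.
    pre = bytes([3, 3]) + b"\x11" * 46   # RSA pre-master: version bytes + 46 random bytes
    cr, sr = b"\xaa" * 32, b"\xbb" * 32
    for name, value in six_secrets(master_secret(pre, cr, sr), cr, sr).items():
        print(name, value.hex())
```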
Figure 32.15 Creation of cryptographic secrets in SSL
Figure 32.16 Four SSL protocols
Figure 32.17 Handshake Protocol
Figure 32.18 Processing done by the Record Protocol
32-3 PGP
One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails.
Topics discussed in this section:
Security Parameters
Services
A Scenario
PGP Algorithms
Key Rings
PGP Certificates
Figure 32.19 Position of PGP in the TCP/IP protocol suite
Note
In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.
Figure 32.20 A scenario in which an e-mail message is authenticated and encrypted
Table 32.4 PGP Algorithms
Figure 32.21 Rings
Note
In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.
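Added example, not textbook code: a toy key ring in which a subject's key counts as valid under the classic PGP rule (one fully trusted or two partially trusted introducers whose own keys are valid), together with a search that enumerates every trust path from the owner's key to a subject, as the note above describes. Names, signatures and trust values are constructed.

```python
ME = "me"
# Owner trust that "me" assigns to each introducer: 1.0 = full, 0.5 = partial, 0.0 = none.
TRUST = {"alice": 1.0, "bob": 0.5, "carol": 0.5, "dave": 0.0, "erin": 0.5}
# Public key ring (constructed): subject -> signers who certified that subject's key.
SIGNATURES = {
    "alice": {"me"},            # I signed Alice's key myself
    "bob": {"alice"},
    "carol": {"alice"},
    "erin": {"bob", "carol"},   # two partially trusted introducers together suffice
    "frank": {"erin", "dave"},  # Erin is only partial and Dave is untrusted: not enough
    "grace": {"alice", "bob"},  # two paths; the fully trusted one is already sufficient
}

def key_valid(subject, visiting=frozenset()):
    # A key is valid if I signed it, or if the trust weights of its valid signers reach 1.0.
    if subject == ME:
        return True
    if subject in visiting:      # guard against cycles in the ring
        return False
    weight = 0.0
    for signer in SIGNATURES.get(subject, ()):
        if signer == ME:
            return True
        if key_valid(signer, visiting | {subject}):
            weight += TRUST.get(signer, 0.0)
    return weight >= 1.0

def trust_paths(subject, path=()):
    # Enumerate every chain of valid, trusted introducers leading from "me" to the subject.
    if subject == ME:
        return [(ME,) + path]
    found = []
    for signer in SIGNATURES.get(subject, ()):
        if signer in path:
            continue
        if signer != ME and (TRUST.get(signer, 0.0) == 0.0 or not key_valid(signer)):
            continue
        found += trust_paths(signer, (subject,) + path)
    return found
```

Frank's key has two paths behind it (both through Erin) yet stays invalid, because the paths must end in enough directly trusted signers on the key itself.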
32-4 FIREWALLS
All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.
Topics discussed in this section:
Packet-Filter Firewall
Proxy Firewall
Figure 32.22 Firewall
Figure 32.23 Packet-filter firewall
Note
A packet-filter firewall filters at the network or transport layer.
Figure 32.24 Proxy firewall
Note
A proxy firewall filters at the application layer.
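Added example (not the textbook's): a first-match packet-filter rule table that consults only network-layer addresses and transport-layer protocol and port, beside a proxy check that reads the application-layer message itself, covering the two notes above. The rules, addresses and the HTTP method policy are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    # Constructed toy packet: the fields a packet filter can see, plus the
    # application-layer data that only a proxy examines.
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    data: bytes = b""

# Packet-filter rule table (constructed): (action, source net, dest net, proto, dest port).
# "*" matches anything; the first matching rule wins, otherwise DEFAULT applies.
RULES = [
    ("deny",  "192.168.100.0/24", "*",           "*",   "*"),   # block a whole outside network
    ("deny",  "*",                "*",           "tcp", 23),    # no Telnet to any internal host
    ("allow", "*",                "10.0.0.5/32", "tcp", 80),    # web server reachable
    ("allow", "*",                "10.0.0.6/32", "tcp", 25),    # mail server reachable
]
DEFAULT = "deny"

def _in_net(addr: str, net: str) -> bool:
    return net == "*" or ip_address(addr) in ip_network(net)

def packet_filter(pkt: Packet) -> str:
    # Decides on network-layer (addresses) and transport-layer (protocol, port) fields only.
    for action, src, dst, proto, dport in RULES:
        if (_in_net(pkt.src, src) and _in_net(pkt.dst, dst)
                and proto in ("*", pkt.proto) and dport in ("*", pkt.dport)):
            return action
    return DEFAULT

def http_proxy(pkt: Packet, allowed_methods=("GET", "HEAD")) -> str:
    # A proxy firewall reads the application-layer message itself, so it can
    # accept a packet the filter passed and still reject the request inside it.
    method = pkt.data.split(b" ", 1)[0].decode("ascii", errors="replace")
    return "allow" if method in allowed_methods else "deny"
```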