Network Security Protocols - USALearning


Network Security Protocols

Table of Contents
- Network Security Protocols -1 ... 2
- Network Security Protocols -2 ... 3
- PPTP and L2F ... 5
- IPSec and GRE ... 6
- IPSec -1 ... 8
- IPSec -2 ... 10
- Telnet, SSH, and SSL/TLS ... 13
- S-RPC and DNSSEC ... 16
- Notices ... 17

Page 1 of 17

Network Security Protocols -1 (slide 147)

- The original concept for the Internet had minimal security.
- Various protocols have been created over the years to address the notion of security.
- These protocols have been stacked into the OSI and TCP/IP model depending on what they protect and how they do it.

Narration: Some network security protocols that we need to pay attention to. So, remember, originally none of this stuff needed to worry about security. We said, well, we just want to actually get it up and running. We have to look at these security protocols to help us protect. So, you've heard about the regular protocols. Now let's make them secure.

Network Security Protocols -2 (slide 148)

- Layer 1: None, but physical security controls can be implemented and the types of cabling used can make a difference
- Layer 2: PPTP, Layer 2 Forwarding, Layer 2 Tunneling Protocol, wireless network security, MPLS
- Layer 3: GRE, IPSec
- Layer 4: SSL, TLS, WTLS, SSH, SOCKS
- Layer 5: Application dependent, S-RPC, DNSSEC, S-HTTP

Narration: At layer one we really say none. What we say here is it's none, but really what the answer is, is that we do physical security protections. We do conduit, those kinds of things.

Layer two, we could use encryption like PPTP, or some sort of wireless network security. Now, L2TP doesn't have any security in it. But it is a tunneling protocol that helps us. And it supports IPsec.

Or we could use MPLS. Now, standard MPLS is not a security protocol in and of itself. But it has some authentication mechanisms in it that we can use.

At layer three, general route encapsulation or IPsec. We'll talk about IPsec in more detail.

In layer four, this is where everything really happens. We use SSL or TLS. Those are our primary two protocols. But we could use others.

And at layer five, well, we've got a web protocol, HTTP. And what we use is a lower-level protocol to bolt on to it. Normally, it's HTTPS. But there is also another protocol. It is S-HTTP. That is a real protocol. It is a different protocol than HTTPS on the other end, a separate protocol.

PPTP and L2F (slide 149)

- PPTP – Point to Point Tunneling Protocol
  - PPTP + PPP: IP encapsulation for TCP/IP, IPX, and NetBEUI
  - No encryption, but extended with RC4, PAP, CHAP, and EAP
  - Single-factor authentication; weak implementation
  - Nearly all Windows based; obsoleted by L2TP and IPSec
- L2F – Layer 2 Forwarding
  - Tunnels at, surprise, layer 2
  - Not IP dependent; supports ATM and frame relay
  - Relies on PPP for authentication (designed to tunnel PPP traffic)
  - Used for VPNs
  - No encryption by itself

Narration: Let's talk PPTP and layer two forwarding. PPTP is relatively old at this point. It encapsulated any kind of IP traffic. It didn't matter what was above it. And we used point to point tunneling protocol along with point to point protocol to communicate. There wasn't any encryption. But what we did is we did authentication with point to point tunneling protocol. And that worked pretty well for a long period of time. It's pretty much obsolete at this point.

Now, specific to a particular vendor is layer two forwarding. Cisco came up with this concept. It tunnels at layer two. It even says two in the name. But it's not used that often. It is used for VPNs, but not that often. I mean, we're going to live and die by IPsec.

IPSec and GRE (slide 150)

- IPSec – Internet Protocol Security
  - Encapsulates at Layer 3
  - Mutual node authentication
  - Can authenticate users, but requires L2TP
  - Crypto implementation agnostic
  - Client-to-client, or node-to-node (bulk)
  - Mandatory for IPv6 implementation
  - Does not work with NAT, unless NAT-Traversal (NAT-T) is used
- GRE – Generic Route Encapsulation
  - Encapsulates layer 3 packets in an IP tunnel
  - Used to secure VPNs
  - Creates a virtual point-to-point link with the destination
  - Supports multicast protocols – IPSec doesn't!

Narration: Okay, here's IPsec. IPsec encapsulates layer three. So, is it a layer two protocol? Well, no, it's kind of a shim protocol that fits in between layer two and layer three. It's above the IP address in most cases unless we decide to abstract the IP address. We'll get into that a little bit later.

We can use user authentication. It can use L2TP. That depends on the implementation. Some Cisco implementations don't. And some Microsoft implementations do. Check your local operating system for the configuration near you.

It can be done client to client, that is, host to host. Or we can do it network to network using router configurations or remote access hosts. And we'll get into those later on.

Now, it is mandatory for v6 in that there is a next header for it. But it's not required that you have IPsec for IPv6. You have the next header option. You can bolt it on. But it's not like everything is encrypted for IPv6.

Next is generic route encapsulation. And this encapsulates layer three packets in an IP tunnel. It is used to secure VPNs. It creates those virtual point to point links.

One of the things that it does that IPsec doesn't do is it supports multicast protocols. But what I will ask you is, when are you doing multicast protocols and encryption at the same time? Usually, we do a single point to point. Now, there are a whole bunch of other implementations from vendors out there that use combinations of IPsec and GRE and point to point and layer two tunneling protocol. And you need to talk to those vendors.

And one of the problems that we run into is those vendor-specific protocols work really well if you're using all the same gear. But when you start mixing and matching gear, things kind of blow up in your face. So, be aware of that.

IPSec -1 (slide 151)

- Authentication Header (AH) – proves the identity of the source node (host) and provides integrity, through hashing packet data and a pre-shared secret key
- Encapsulating Security Payload (ESP) – encrypts packets; contains fields for header, payload, trailer (optional), and authentication (optional)
- Security Association (SA) – describes protocols in use, algorithms, keys, and mode of operation; stored in Security Association Databases (SADs), one required for each communication direction

Narration: Let's talk a little more about IPsec. It has two major protocols within it, AH and ESP. AH is authenticated header. And all this gives us is integrity. There is no encryption here. But what we do is we get integrity of the packet. And that's a nice thing if we need it as far as our communication is concerned. Most of the time, we don't turn on AH. But it's there if we need it.

What do we use most of the time? Well, we usually use ESP. Encapsulating security payload is encryption. That's really what we want out of a good IPsec tunnel. That's really what we care about.

Along with that, we have the ability to configure. And the way we configure is in simplex connections through something called a security association.

So, let's talk about simplex connections through security associations. I demand that we use the strongest, most impossible encryption that's ever possible. And he says, "I just need a little bit of encryption here. That's all I really care about." So, when I talk to him, and I communicate to his network, I just use a little bit of encryption. But when he talks to me, he uses a lot of encryption.

So, in security associations, we can create what are called simplex connections. When you talk to me inbound, I require this. When I talk to you outbound, you require this. And I can change those. Now, what that did was that really messed with a lot of people when they were doing IPsec implementations. And it just drove them crazy.

So, what ends up happening is that we end up saying let's all use really, really super-duper encryption, which is not a bad thing, except for if he's got a really small enterprise over there. And he can't afford all that CPU utilization.

IPSec -2 (slide 152)

- Mode – transport or tunnel
  - Transport – IP payload is protected (usually client to server)
  - Tunnel – IP payload and header are protected (usually network to network, like remote office to home office)
- Internet Key Exchange – negotiates key materials for SADs
  - IKMP – Internet Key Management Protocol; builds on ISAKMP and Oakley implementations
  - IPSP – IP Security Policy; establishes source, destination, and type of traffic that is permitted
  - Phase 1 – end-points authenticate to each other using a pre-shared secret, public keys, or a "revised" public key method
  - Phase 2 – establishes a Security Association and a tunnel to secure the rest of the key exchanges

Narration: Now, there are two different ways that you can communicate via IPsec, transport mode and tunnel mode. In transport mode, we go from host to host. Now, at this point, the payload is protected, but my source IP address and your source IP address are known to our adversaries. So, that might be inappropriate.

What happens if you've got your network, and I've got my network? And my host really can't figure out how to do all this IPsec configuration stuff. But we want to have privacy between us. So, what we'll say is all your people can talk to your VPN concentrator. And all my people will talk to my VPN concentrator. And then from my network to your network, we'll make sure that we encrypt all that traffic.

What does the IP addressing scheme look like to the rest of the world? My live source IP address, your live source IP address, and then this encryption that goes around it. What about their IP address, and your IP address back there? It doesn't know anything about it. And that's what's beautiful about tunnel mode. We can go from network to network.

Now, one thing is, what happens when we go from a single host on the Internet to a VPN concentrator? Well, since there's one host involved, we only go transport mode. How you can remember it: tunnel mode is from network to network, and there's two Ns in tunnel. So, therefore, Ns and networks fit together.

Now, we can go beyond that configuration. And we can start talking about the Internet key exchange, what we call IKE, or Internet Key Management Protocol. And in this case, what we can do is we can start playing with the configurations.

How far can we carry this? Well, what's amazing to me in Internet key exchange is we can say I want to rekey every X number of seconds. So, if an adversary is listening, and they're working on the first key of our communication, and they decrypt that one piece of our conversation thinking they can jump into our stream, by then we've moved on to a new key. So, we can, in Internet key exchange, rekey very often.

We can also choose the type of keys that we use for setting things up. It could be a pre-shared secret where I call you up on the phone, and I say the password is "password". Or it could be that we're in the same Kerberos realm. And we can use Kerberos tickets between us, which is in our Kerberos servers. That's if we are on the same Kerberos realm. From one Microsoft Active Directory to another, or to a UNIX Kerberos network, that's between realms. And that won't work.

We could use something that is universal for us all. And that's public key infrastructure. We could use PKI certificates to exchange. And we could set up those PKI keys and then generate keys from there. So, there's all these configurations in IPsec to make it so that we can make it super-duper crazy secure. And that's really what we want.
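The IPSec -1 and IPSec -2 slides above describe AH integrity, per-direction SAs in the SAD, and the difference between transport and tunnel mode. The following is an added, simplified model written for this page (not the course's code or a real IPsec stack): "IP headers" are constructed placeholders holding only the addresses, the AH Integrity Check Value is an HMAC-SHA256 over the whole protected unit with the SA's key (real AH covers only the header's immutable fields with the SA's negotiated algorithm), and the SAD, SPIs, keys and addresses are all constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int                 # Security Parameter Index naming this SA
    key: bytes               # constructed shared integrity key held in the SA
    mode: str                # "transport" or "tunnel"
    tunnel_src: str = ""     # gateway addresses, used only in tunnel mode
    tunnel_dst: str = ""


def ip_header(src: str, dst: str) -> bytes:
    # Placeholder for an IP header: only the addresses matter for this model.
    return f"IP {src}->{dst}".encode()


def icv(sa: SA, covered: bytes) -> str:
    # AH Integrity Check Value: keyed hash of the covered bytes under the SA's key
    return hmac.new(sa.key, covered, hashlib.sha256).hexdigest()


def protect(sa: SA, src: str, dst: str, payload: bytes) -> bytes:
    """Wrap one packet in AH according to the SA's mode."""
    if sa.mode == "transport":
        outer, inner = ip_header(src, dst), payload            # host addresses stay visible
    elif sa.mode == "tunnel":
        outer = ip_header(sa.tunnel_src, sa.tunnel_dst)         # only the gateways are visible
        inner = ip_header(src, dst) + b"|" + payload            # whole original packet is inside
    else:
        raise ValueError(f"unknown mode {sa.mode}")
    ah = f"AH spi={sa.spi} icv={icv(sa, outer + inner)}".encode()
    return b"|".join([outer, ah, inner])


def visible_addresses(packet: bytes) -> tuple:
    """What an on-path observer reads from the outer header."""
    src, dst = packet.split(b"|", 1)[0][3:].decode().split("->")
    return src, dst


def verify(sad: dict, packet: bytes) -> bool:
    """Look the SA up by SPI in the Security Association Database and check the ICV."""
    outer, ah, inner = packet.split(b"|", 2)
    fields = dict(f.split("=") for f in ah.decode().split()[1:])
    sa = sad.get(int(fields["spi"]))
    if sa is None:                       # no SA for this SPI: packet is not ours
        return False
    return hmac.compare_digest(fields["icv"], icv(sa, outer + inner))


def demo() -> dict:
    # Constructed SAD: one simplex SA per direction, each with its own SPI, key and mode.
    sad = {
        101: SA(101, b"outbound-key-constructed", "tunnel", "203.0.113.1", "198.51.100.1"),
        202: SA(202, b"inbound-key-constructed", "transport"),
    }
    tun = protect(sad[101], "10.0.0.5", "172.16.0.9", b"GET /payroll")
    trn = protect(sad[202], "10.0.0.5", "172.16.0.9", b"GET /payroll")
    tampered = trn.replace(b"payroll", b"PAYROLL")     # on-path modification of the payload
    return {
        "tunnel_visible": visible_addresses(tun),        # gateways only
        "transport_visible": visible_addresses(trn),     # real hosts exposed
        "tunnel_ok": verify(sad, tun),
        "transport_ok": verify(sad, trn),
        "tampered_ok": verify(sad, tampered),            # integrity check fails
    }
```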

Telnet, SSH, and SSL/TLS (slide 153)

- Telnet – TCP/IP Terminal Emulation Protocol (T:23)
  - Plain text terminal program, running over TCP port 23
  - Basic authentication only
- SSH – Secure Shell (T:22)
  - Creates tunnels that other applications can use (encapsulation)
  - Provides server and client authentication and encryption
  - Replaced Telnet
- SSL – Secure Sockets Layer / TLS – Transport Layer Security
  - Encrypts client-server communication
  - Used by protocols (e.g., HTTPS) for security
  - Server authentication to client mandatory
  - Client authentication to server optional
  - SSL/TLS handshake includes encryption negotiation, identification of server and/or client, and key exchange

Narration: Let's switch into some easier protocols. Well, enter Secure Shell. The open source free tool on the client side for Secure Shell is called PuTTY. On the server side, we use OpenSSH if we're doing it on Linux. And then there's one for every one of the platforms out there. Secure Shell literally creates a secure shell on your machine. It gives me terminal access to you if you've got it set up that way.

What we could use is terminal emulation on port 23. The problem is that that's clear text. It's a plain text terminal, basic authentication, clear text. And we don't want to use Telnet. So, what we do is we say we'll set up a secure shell, and then we'll do Telnet inside of that. And that will work out for us.

Now, the other protocol besides IPsec that you really want to invest some time in is Secure Sockets Layer, or what is now known as Transport Layer Security, or TLS. It's using the encryption of PKI certificates to actually establish communications back and forth. This is exactly what the S in HTTPS is for. A lot of protocols, when you see the S bolted onto the end, it more than likely means that they took the original protocol and added TLS or SSL to it.

When we talk about client authentication, there are two ways to do this. The first way is what is always done in ecommerce. What happens is you all come to my website. And I say if you want to communicate securely with me, here is my public key certificate. Validate it on your end, and then use it to encrypt any communications that you're going to send back to me. On your side, you pick up that certificate. You check your list of keys that you have, or your root certificates, to see if I'm in the root certificates list.

And then what you do is you encrypt the communications coming back to me using my public key. Since I'm the only one with the private key, that means that I'm the only one that can decrypt that communication with you.

What do you send me? Do you just keep on encrypting with the private key? No, because that's too expensive. What we do, and again we'll talk about this in cryptology, what we do is we transmit back a session key that's going to be used for the rest of our communications.

What you should be doing when you're doing this as a VPN is you should also be sending me your certificate that you've created, and that is through a valid registrar all the way at the top of your food chain. If you do that, and you send it back to me, I should validate it on my side.

Ecommerce-wise, it doesn't matter what you send me. Yeah, do you want to buy my stuff? I'm not validating this. And that's exactly what happens. You gave me something encrypted, the session key that we're going to use, and we transmit back and forth using that session key for all of our encrypted transactions. And there you go. You get to buy your Kewpie doll. There. It's done.

See, the problem is that you didn't validate my certificate. You just asked for it. And I didn't validate your certificate. So, we are susceptible to man-in-the-middle unless you're creating real certificates and working with a real VPN. All ecommerce servers go "hmph" and throw away your certificate. So, it doesn't matter.
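The slide's two rules (server authentication mandatory, client authentication optional) and the narration's "asked for the certificate but never validated it" case map directly onto TLS context settings. The following added example, written for this page with Python's standard ssl module (not the course's code), builds the client and server contexts side by side: the validating client, the weak non-validating client, the ecommerce-style server that never asks for a client certificate, and the VPN-style server that requires one. No certificates are loaded and nothing connects; client_ca_file is a hypothetical path the caller would supply.

```python
import ssl


def browser_style_client() -> ssl.SSLContext:
    """Client that validates the server's certificate chain against the OS root
    certificate list and checks the name in it: the slide's mandatory server auth."""
    ctx = ssl.create_default_context()          # Purpose.SERVER_AUTH, roots loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # part of the encryption negotiation
    return ctx


def no_validation_client() -> ssl.SSLContext:
    """The weak setting from the narration: the client asks for the certificate
    but never validates it. Traffic is still encrypted, but any on-path party can
    present its own certificate and read the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ecommerce_server() -> ssl.SSLContext:
    """Typical web server: presents its own certificate (loaded elsewhere with
    load_cert_chain) and does not ask the client for one."""
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)   # verify_mode CERT_NONE


def vpn_style_server(client_ca_file: str = None) -> ssl.SSLContext:
    """Mutual authentication: the server demands a client certificate that chains
    to a CA it trusts. client_ca_file is a hypothetical path to that CA bundle."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED         # handshake fails without a valid client cert
    if client_ca_file is not None:
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def policy(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will actually enforce during the handshake."""
    return {
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
    }
```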

S-RPC and DNSSEC (slide 154)

- S-RPC – Secure Remote Procedure Call
  - Based on the DES encryption algorithm
  - Uses a public key scheme for encryption
  - Vendor specific
- DNSSEC – Domain Name System Security
  - Provides authentication and integrity of DNS answers
  - Designed to protect against cache poisoning
  - Uses a public key scheme, but does not do encryption

Narration: There are two other protocols in here that we want to pay attention to, secure RPC and DNSSEC. Now, secure remote procedure call is vendor specific. It's only for Sun. It is secure. But it's based on the Sun platform. It uses the data encryption algorithm. So, that's a little bit dated at this point. And it uses public key schemes for encryption of that DES key that's being transmitted. We don't use it that often. But as an option, this would be a possibility if you were talking Sun to Sun. There's nothing wrong with that.

In DNSSEC, what we're doing is we're saying the integrity of the response of the servers that send us back a resolution for fully qualified domain names to IP addresses is insufficient. The integrity of this response is in question. So, therefore, what we will do is we will upgrade to DNSSEC, which has integrity of response.

It is not encrypted DNS communications. It is integrity DNS communications. It uses public keys that are attached and signed by root certificate-- by DNS roots as it goes down to each one of the daughters or sons underneath that particular DNS root server.

Notices

2015 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN "AS IS" BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT is a registered mark owned by Carnegie Mellon University.

