Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Dec 13, 2015

Chapter 32

Internet Security

Chapter 32: Outline

32.1 NETWORK-LAYER SECURITY

32.2 TRANSPORT-LAYER SECURITY

32.3 APPLICATION-LAYER SECURITY

32.4 FIREWALLS

Chapter 32: Objective

The first section discusses security at the network layer, IPSec. The section explains the two modes of IPSec: transport mode and tunnel mode. It then describes the two versions of the protocol: AH and ESP.

The second section discusses one of the security protocols at the transport layer, SSL (the other protocol, TLS, is similar). The section first describes the SSL architecture: services, algorithms, and parameter generation. It then explains the four protocols that SSL is made of: Handshake, ChangeCipherSpec, Alert, and Record.

The third section discusses security at the application layer. At this layer, security is provided only for the e-mail application; other applications can use the security at the transport layer, but e-mail, because of its one-way communication, cannot do so. We first describe Pretty Good Privacy (PGP), which provides e-mail security mostly for personal use. The section then describes S/MIME, a secured version of the MIME protocol that provides security mostly for an enterprise.

The fourth section discusses firewalls, a technology that can protect an enterprise from the malicious intention of an intruder. The section describes two versions: packet-filter firewalls and proxy firewalls. The first gives protection only at the network layer; the second can provide protection at the application layer.

32-1 NETWORK-LAYER SECURITY

We start this chapter with the discussion of security at the network layer. At the network layer, security is applied between two hosts, two routers, or a host and a router. The purpose of network-layer security is to protect those applications that use the service of the network layer directly.

32.1.1 Two Modes

IPSec operates in one of two different modes: transport mode or tunnel mode.

Figure 32.1: IPSec in transport mode

Figure 32.2: Transport mode in action

Figure 32.3: IPSec in tunnel mode

Figure 32.5: Tunnel mode in action

32.1.2 Two Security Protocols

IPSec defines two protocols, the Authentication Header (AH) Protocol and the Encapsulating Security Payload (ESP) Protocol, to provide authentication and/or encryption for packets at the IP level.

Figure 32.6: Transport mode versus tunnel mode

Figure 32.7: Authentication Header (AH) protocol

Figure 32.7: Encapsulating Security Payload (ESP)

32.1.4 Security Association

Security Association is a very important aspect of IPSec. IPSec requires a logical relationship, called a Security Association (SA), between two hosts. The security association changes the connectionless service provided by IP to a connection-oriented service upon which we can apply security. This section first discusses the idea and then shows how it is used in IPSec.

Table 32.1: IPSec services

Figure 32.8: Simple SA

Figure 32.9: SAD

Figure 32.10: Security Policy Database

Figure 32.11: Outbound processing

Figure 32.12: Inbound processing

32.1.5 Internet Key Exchange (IKE)

The Internet Key Exchange (IKE) is a protocol designed to create both inbound and outbound Security Associations. As we discussed in the previous section, when a peer needs to send an IP packet, it consults the Security Policy Database (SPD) to see if there is an SA for that type of traffic. If there is no SA, IKE is called to establish one.

Figure 32.13: IKE components

32.1.6 Virtual Private Network (VPN)

One of the applications of IPSec is in virtual private networks. A virtual private network (VPN) is a technology that is gaining popularity among large organizations that use the global Internet for both intra- and inter-organization communication, but require

Figure 32.14: Virtual private network

32-2 TRANSPORT-LAYER SECURITY

Security at the transport layer provides security for the application layer, which uses the services of TCP (or SCTP) as a connection-oriented protocol.

Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol.

Figure 32.15: Location of SSL and TLS in the Internet model

32.2.1 SSL Architecture

SSL is designed to provide security and compression services to data generated from the application layer. Typically, SSL can receive data from any application-layer protocol, but usually the protocol is HTTP. The data received from the application is compressed (optional), signed, and encrypted. The data is then passed to a reliable transport-layer protocol such as TCP. Netscape developed SSL in 1994. Versions 2 and 3 were released in 1995. In this section, we discuss SSLv3.

Figure 32.16: Calculation of master secret from pre-master secret

Figure 32.17: Calculation of key material from master secret

Figure 32.18: Extractions of cryptographic secrets from key material
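
The three steps named in Figures 32.16 to 32.18, written out as an added example (not from the original slides), using the SSLv3 derivation as specified in RFC 6101. The sample inputs are constructed, and the default sizes in `derive` assume a 3DES-CBC with SHA-1 cipher suite.

```python
import hashlib

def _ssl3_expand(secret, seed, length):
    """Block i (i = 1, 2, 3, ...) is MD5(secret + SHA1(label + secret + seed)),
    where label is the i-th letter repeated i times: 'A', 'BB', 'CCC', ..."""
    out = b""
    i = 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:length]

def master_secret(pre_master, client_random, server_random):
    """48-byte master secret: three blocks, seeded client random first."""
    return _ssl3_expand(pre_master, client_random + server_random, 48)

def key_material(master, client_random, server_random, length):
    """Key material: same expansion, but seeded server random first."""
    return _ssl3_expand(master, server_random + client_random, length)

def extract_secrets(block, mac_len, key_len, iv_len):
    """Cut the key material into the six secrets, in SSLv3's fixed order."""
    layout = [("client_write_MAC_secret", mac_len),
              ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len),
              ("server_write_key", key_len),
              ("client_write_IV", iv_len),
              ("server_write_IV", iv_len)]
    parts, offset = {}, 0
    for name, size in layout:
        parts[name] = block[offset:offset + size]
        offset += size
    return parts

def derive(pre_master, client_random, server_random,
           mac_len=20, key_len=24, iv_len=8):
    """Defaults are assumed sizes for a 3DES-CBC + SHA-1 suite."""
    master = master_secret(pre_master, client_random, server_random)
    need = 2 * (mac_len + key_len + iv_len)
    block = key_material(master, client_random, server_random, need)
    return master, extract_secrets(block, mac_len, key_len, iv_len)

# Constructed sample inputs (not captured from a real handshake).
SAMPLE_PRE_MASTER = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x01" * 32
SAMPLE_SERVER_RANDOM = b"\x02" * 32
```

Both sides run the same computation on the same three inputs, so the six secrets never travel over the connection; note that the two random values are concatenated in opposite orders in the two expansions.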

32.2.2 Four Protocols

We have discussed the idea of SSL without showing how SSL accomplishes its tasks. SSL defines four protocols in two layers, as shown in Figure 32.19.

Figure 32.19: Four SSL protocols

Figure 32.20: Handshake Protocol

Figure 32.21: Processing done by the Record Protocol

32-3 APPLICATION-LAYER SECURITY

This section discusses two protocols providing security services for e-mails: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME).

32.3.1 E-mail Security

Sending an e-mail is a one-time activity. The nature of this activity is different from those we saw in the two previous sections: SSL or IPSec. In those protocols, we assume that the two parties create a session between themselves and exchange data in both directions. In e-mail, there is no session. Alice and Bob cannot create a session. Alice sends a message to Bob; sometime later, Bob reads the message and may or may not send a reply.

32.3.2 Pretty Good Privacy (PGP)

The first protocol discussed in this section is called Pretty Good Privacy (PGP). PGP was invented by Phil Zimmermann to provide e-mail with privacy, integrity, and authentication. PGP can be used to create secure e-mail messages.

Figure 32.22: A plaintext message

Figure 32.23: An authenticated message

Figure 32.24: A compressed message

Figure 32.25: A confidential message

Figure 32.26: Key rings in PGP

Figure 32.27: Trust model

Figure 32.28: Signed-data content type

32.3.3 S/MIME

Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME). The protocol is an enhancement of the Multipurpose Internet Mail Extension (MIME) protocol we discussed in Chapter 26.

Figure 32.29: Enveloped-data content type

Figure 32.30: Digested-data content type

Figure 32.31: Authenticated-data content type

Example 32.1

The following shows an example of an enveloped-data in which a small message is encrypted using triple DES.

32-4 FIREWALLS

All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Figure 32.32: Firewall

32.4.1 Packet-Filter Firewalls

A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded). Figure 32.33 shows an example of a filtering table for this kind of a firewall.

Figure 32.33: Packet-filter firewall
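
A filtering table of the kind described above, evaluated in Python as an added example (not from the original slides). The rows, the addresses (documentation ranges) and the names `Rule`, `Packet` and `filter_packet` are constructed for illustration; a packet that matches any row is discarded and everything else is forwarded.

```python
import ipaddress
from collections import namedtuple

ANY = "*"  # wildcard used in the table: matches any value

# One row of the filtering table. interface is "in" (arriving from the
# Internet) or "out" (leaving the internal network); proto is "tcp"/"udp".
Rule = namedtuple("Rule", "interface src_net src_port dst_net dst_port proto",
                  defaults=[ANY])
# Only header fields: this is all a packet-filter firewall ever looks at.
Packet = namedtuple("Packet", "interface src_ip src_port dst_ip dst_port proto")


def _ip_ok(net, ip):
    return net == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _eq_ok(want, got):
    return want == ANY or want == got


def matches(rule, pkt):
    """True when every non-wildcard field of the row equals the packet's."""
    return (rule.interface == pkt.interface
            and _ip_ok(rule.src_net, pkt.src_ip)
            and _eq_ok(rule.src_port, pkt.src_port)
            and _ip_ok(rule.dst_net, pkt.dst_ip)
            and _eq_ok(rule.dst_port, pkt.dst_port)
            and _eq_ok(rule.proto, pkt.proto))


# Constructed table (documentation address ranges); each row names packets
# that must be discarded, everything else is forwarded.
FILTER_TABLE = [
    Rule("in", "198.51.100.0/24", ANY, ANY, ANY),    # 1: untrusted source network
    Rule("in", ANY, ANY, ANY, 23, "tcp"),            # 2: no inbound TELNET
    Rule("in", ANY, ANY, "192.0.2.8/32", ANY),       # 3: internal-only host
    Rule("out", ANY, ANY, ANY, 80, "tcp"),           # 4: no outbound HTTP
]


def filter_packet(pkt, table=FILTER_TABLE):
    """Return ("discard", row) for the first matching row, else ("forward", None)."""
    for row, rule in enumerate(table, start=1):
        if matches(rule, pkt):
            return ("discard", row)
    return ("forward", None)
```

Because only headers are inspected, an outbound HTTP request sent to port 8080 is not caught by row 4, which is the gap that filtering on the message itself (the proxy firewall) addresses.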

32.4.2 Proxy Firewall

The packet-filter firewall is based on the information available in the network layer and transport layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the information available in the message itself (at the application layer). As an example, assume that an organization wants to implement the following

Figure 32.34: Proxy firewall