comp3371 cyber security richard henson university of worcester november 2015
TRANSCRIPT
COMP3371 Cyber Security
Richard Henson
University of Worcester
November 2015
Week 6: Securing LAN–LAN data using Firewalls, VPNs, etc.
Objectives:
  - Relate Internet security to the TCP/IP protocol stack
  - Explain principles of firewalling
  - Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
  - Explain Internet security solutions that use the principles of a VPN
Security and the OSI layers
  - Simplified TCP/IP: leaves out level 1 (physical) and level 2 (data link), and combines levels 5/6/7
  [Figure: application layer – TELNET, FTP, SMTP, NFS, DNS, SNMP; transport layer – TCP, UDP; network layer – IP]
TCP/IP and the Seven Layers
  - TCP (Transmission Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers
  - upper layers interface with TCP to produce the screen display
  - lower layers required to interface with IP to create/convert electrical signals
  - Each layer interface represents a potential security problem (!)
  [Figure: stack of screen / TCP / IP / hardware]
Intranet
  - Misunderstood term
  - achieved by organisations using http to share data internally in a www-compatible format
  - Many still call a protected file structure on its own an Intranet… (technically incorrect!)
  - uses secure user authentication
  - uses secure data transmission system
  - Implemented as EITHER:
    » single LAN (domain) with a web server
    » several interconnected LANs (trusted domains) to cover a larger geographic area
Extranet
  - An extension of the Intranet to cover selected trusted “links”
    » e.g. for an organisation the “trusted” links might be to customers and business partners
  - uses the public Internet as its transmission system
  - requires authentication to gain access
  - Can provide TCP/IP access to:
    » paid research
    » current inventories
    » internal databases
    » OR virtually any information that is private and not published for everyone
Issues in creating an Extranet
  - Public networks…
    » Security handled through appropriate use of secure authentication & transmission technologies…
  - If using the Internet…
    » client-server web applications across different sites
    » BUT security issues need resolving
  - Private leased lines between sites do not need to use http, etc.
    » more secure, but expensive (BALANCE)
Securing Authentication through Extranets
  - Kerberos and trusted domains… Windows networks…
  - BUT… several TCP ports used for authentication when establishing a session…
  - Solution: firewall configured to allow relevant ports to be opened only for “trusted” hosts
Securing Sharing of Data through Extranets
  - Extranet client uses the web server & browser for user interaction
    » standard http protocol to display html data
  - Raw HTML data will pass through the firewall (port 80) to the Internet
    » could be “sensitive data” for the organisation…
  - Under IETF guidance, Netscape – SSL with secure version of http…
    » standardised as http-s (secure http) on port 443
  - The Internet generally uses IP – HOW can data be secured?
    » 2015: more than a billion hosts!
Securing the Extranet
  - Problem:
    » IP protocol sends packets off in different directions according to: destination IP address; routing data
    » packets can be intercepted/redirected
  - One solution:
    » secure level 7 application layer www protocols developed: https – ensure that pages are only available to authenticated users; ssh – secure download of files
    » secure level 4 transport (TLS) protocol to restrict use of IP navigation to only include secure sites
  - What about penetration through other protocols, working at different OSI layers?
Other Secure level 7 protocols
  - Telnet and FTP: can use authentication BUT DO NOT use encrypted text…
  - SSH (Secure Shell)
    » SSH-1 1995, University of Helsinki, secure file transfer
    » uses TCP port 22
    » runs on a variety of platforms
  - Enhanced version SSH-2
    » using the PKI
    » including digital certificates
    » RFC 4252 – recent, 2006
Unsecured LAN-Internet Connection: Router Only
  [Figure: Internal Network – ROUTER (no packet filtering) – INTERNET/EXTERNAL NETWORK]
An Unsecured LAN-Internet Connection via Router
  [Figure: router between the two networks at Layers 1, 2 and 3 – data through unchanged]
Lower OSI layers security (Stage 1)
  - Simple Firewall… use packet filtering
    » IP address-based
    » Fooled by “IP spoofing”
Creating a “Secure Site”?
  - To put it bluntly… a secure site is a LAN that provides formidable obstacles to potential hackers
  - keeps a physical barrier between local server and the internet
  - Physical barrier linked through an intermediate computer called a Firewall or Proxy Server
    » may place unnecessary restrictions on access
    » security could be provided at one of the seven layers of the TCP/IP stack
Unsecured LAN-Internet Connection: Firewall
  [Figure: Internal Network – FIREWALL (packet filtering) – INTERNET/EXTERNAL NETWORK]
An Unsecured LAN-Internet Connection via Firewall
  - IP filtering will slow down packet flow…
  - Also… a request by a LAN client for Internet data across a router reveals the client IP address
    » generally a desired effect…. the “local” IP address must be recorded on the remote server, which picks up the required data & returns it via the router and server to the local IP address
    » problem – could be intercepted, and future data to that IP address may not be so harmless…
An Unsecured LAN-Internet Connection via Router
  - Another problem: wrath of IANA
    » IP address awarding & controlling body
    » big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated…
  - Safeguard: use DHCP (dynamic host configuration protocol)
    » allocate client IP from within a fixed range allocated to that domain by IANA
A LAN-Internet connection via Gateway
  [Figure: Internal Network (local protocol) – GATEWAY (packet conversion) – INTERNET/EXTERNAL NETWORK (e.g. TCP/IP)]
A LAN-Internet connection via Gateway
  - At a gateway, processing can be at higher OSI levels: >= level 4
  - Local packets converted into other formats…
    » remote network does not have direct access to the local machine
    » IP packets only recreated at the desktop
    » local client IP addresses therefore do not need to comply with IANA allocations
A LAN-Internet connection via Proxy Server
  [Figure: Internal Network (local protocol) – PROXY SERVER (local IP addresses) – INTERNET/EXTERNAL NETWORK (e.g. TCP/IP)]
The Proxy Server
  - Acts like a Gateway in some respects: provides physical block between external and internal networks
  - But can still use the same protocol (e.g. TCP/IP), and can cache web pages for improved performance
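The address-hiding behaviour of the gateway and proxy slides above (the remote server only ever records the gateway's own address, so local client addresses need not match any IANA allocation), as an added worked example in Python. This is not code from the lecture: the gateway, its translation table and all addresses are constructed (RFC 1918 private addresses inside, RFC 5737 documentation addresses outside), and it models a simple port-translating gateway rather than any particular product.

```python
"""Address-hiding at a proxy/gateway (added illustration, not course code).
Outbound flows from private-address clients are rewritten to the gateway's one
public address, a translation table maps replies back to the right client, and
inbound packets that answer no open flow are dropped, so internal hosts are
never directly reachable from outside.  All addresses are constructed."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"   # the gateway's single Internet-visible address (constructed)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ProxyGateway:
    """Port-translating gateway: private clients share PUBLIC_IP outward."""
    next_port: int = 40000                      # next public port to hand out
    table: dict = field(default_factory=dict)   # public port -> (src, sport, dst, dport)

    def outbound(self, f: Flow) -> Flow:
        """Rewrite a client's flow so the remote server only sees PUBLIC_IP."""
        key = (f.src, f.sport, f.dst, f.dport)
        for pport, entry in self.table.items():   # reuse an existing mapping
            if entry == key:
                return Flow(PUBLIC_IP, pport, f.dst, f.dport)
        pport, self.next_port = self.next_port, self.next_port + 1
        self.table[pport] = key
        return Flow(PUBLIC_IP, pport, f.dst, f.dport)

    def inbound(self, f: Flow):
        """Packet from the Internet: deliver only if it answers a flow we opened."""
        entry = self.table.get(f.dport)
        if entry is None or (entry[2], entry[3]) != (f.src, f.sport):
            return None   # unsolicited, or from the wrong peer: dropped
        src, sport, _, _ = entry
        return Flow(f.src, f.sport, src, sport)


if __name__ == "__main__":
    gw = ProxyGateway()
    out = gw.outbound(Flow("192.168.1.20", 51000, "198.51.100.8", 80))
    print("remote server sees:", out)            # src is PUBLIC_IP, not 192.168.1.20
    print("reply delivered to:", gw.inbound(Flow("198.51.100.8", 80, PUBLIC_IP, out.sport)))
    print("unsolicited inbound:", gw.inbound(Flow("198.51.100.8", 80, PUBLIC_IP, 40099)))
```

The translation table is the whole point: the public side never learns a private address, and anything arriving that does not match an entry has nowhere to go.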
Firewall Configuration
  - Blocks data via TCP port (logical) used by each application protocol that connects to TCP
    » all ports blocked… no data gets through
  - Configuration includes which ports to block as well as which IP addresses to block…
  - Includes auditing of packets
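A minimal version of the firewall configuration just described, together with the earlier points that ports should be opened only for “trusted” hosts and that an address-based filter can be fooled by IP spoofing, as an added Python example (not lecture code). It evaluates per-port and per-address rules in order with a default of everything blocked, writes one audit line per packet, and adds an ingress anti-spoofing check so that a packet arriving on the external interface cannot claim an internal source address. The rules, interfaces and packets are constructed from RFC 5737 documentation ranges.

```python
"""Stateless packet filter with port/address rules, audit log and an
anti-spoofing check (added illustration, not course code, not a real firewall).
Rules and packets below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # any source unless narrowed
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any port
    iface: Optional[str] = None      # None = any interface

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))


@dataclass
class Firewall:
    internal_net: str                # the LAN prefix behind the "int" interface
    rules: list
    audit: list = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        # Ingress anti-spoofing: a packet from the Internet must not carry an
        # internal source address, whatever the address-based rules would say.
        if p.iface == "ext" and ip_address(p.src) in ip_network(self.internal_net):
            return self._log(p, "deny", "spoofed internal source on ext")
        for i, r in enumerate(self.rules):           # first matching rule wins
            if r.matches(p):
                return self._log(p, r.action, f"rule {i}")
        return self._log(p, "deny", "default deny")  # all ports blocked unless opened

    def _log(self, p: Packet, action: str, reason: str) -> str:
        self.audit.append(f"{action.upper()} {p.iface} {p.src}->{p.dst} "
                          f"{p.proto}/{p.dport} ({reason})")
        return action


def build_firewall() -> Firewall:
    """Constructed policy: 192.0.2.0/24 is the LAN, 192.0.2.10 its web server."""
    rules = [
        Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443, iface="ext"),   # https from anyone
        Rule("allow", src="198.51.100.0/24", dst="192.0.2.10/32",
             proto="tcp", dport=80, iface="ext"),                                  # http only from a trusted partner
        Rule("deny", dport=23),                                                     # no telnet in either direction
        Rule("allow", iface="int"),                                                 # LAN hosts may go out
    ]
    return Firewall("192.0.2.0/24", rules)


if __name__ == "__main__":
    fw = build_firewall()
    for pkt in [Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 80),
                Packet("ext", "192.0.2.20", "192.0.2.10", "tcp", 443),
                Packet("int", "192.0.2.20", "203.0.113.9", "tcp", 23)]:
        fw.filter(pkt)
    print("\n".join(fw.audit))
```

Note that the anti-spoofing check runs before the rule list: it is tied to the interface the packet arrived on, which is exactly the information a purely address-based filter lacks.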
VPNs: OSI levels 1-3: restricted use of the Physical Internet
  [Figure: VPN shown in green]
VPNs (Virtual Private Networks)
  - Two pronged defence:
    » physically keeping the data away from unsecured servers… several protocols available for sending packets along a pre-defined route
    » data encapsulated and encrypted so it appears to travel as if on a point-point link but is still secure even if intercepted
  - Whichever protocol is used, the result is a secure system with pre-determined pathways for all packets
Principles of VPN protocols
  - The tunnel – where the private data is encapsulated
  - The VPN connection – where the private data is encrypted
Principles of VPN protocols
  - To emulate a point-to-point link: data encapsulated, or wrapped, with a header
    » provides routing information
    » allows packets to traverse the shared public network to its endpoint
  - To emulate a private link: data encrypted for confidentiality
    » Any packets intercepted on the shared public network are indecipherable without the encryption keys…
Potential weakness of the VPN
  - Once the data is encrypted and in the tunnel it is very secure BUT
  - to be secure, it MUST be encrypted and tunnelled throughout its whole journey
  - if any part of that journey is outside the tunnel…
    » e.g. network path to an outsourced VPN provider
    » obvious scope for security breaches
Using a VPN as part of an Extranet [Figure]
Using a VPN for point-to-point [Figure]
Using a VPN to connect a remote computer to a Secured Network [Figure]
VPN-related protocols offering even greater Internet security
  - Two possibilities are available for creating a secure VPN:
  - Layer 3:
    » IPsec – fixed point routing protocol
  - Layer 2 “tunnelling” protocols
    » encapsulate the data within other data before converting it to binary data: PPTP (Point-point tunnelling protocol); L2TP (Layer 2 tunnelling protocol)
IPsec
  - First VPN system
    » defined by IETF RFC 2401
    » uses ESP (Encapsulating Security Payload) at the IP packet level
  - IPsec provides security services at the IP layer by:
    » enabling a system to select required security protocols (ESP possible with a number of encryption protocols)
    » determining the algorithm(s) to use for the chosen service(s)
    » putting in place any cryptographic keys required to provide the requested services
More about IPSec in practice
  - Depends on PKI for authentication
  - both ends must be IPSec compliant, but not the various network systems that may be between them…
  - Can therefore be used to protect paths between:
    » a pair of hosts
    » a pair of security gateways
    » a security gateway and a host
  - Can work with IPv4 and IPv6
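The tunnel and encryption principles from the VPN slides, and the ESP-style packet handling described for IPsec (an SPI selecting the security association, a sequence number, an encrypted and integrity-protected inner packet carried between two security gateways), as one added Python walkthrough. It is not course code and not a real IPsec implementation: the cipher is an HMAC-SHA256 keystream standing in for whatever algorithm the SA would negotiate, and the gateways gw-A and gw-B, the keys, the inner packet and the hop list are all constructed. The hop list deliberately includes an isp-link hop before the tunnel entry, to show the “part of the journey outside the tunnel” weakness from the VPN slides.

```python
"""VPN tunnel walkthrough in the style of IPsec ESP (added example, not course
code and not a real IPsec implementation).  The inner packet (private addresses
plus payload) is encrypted and authenticated, prefixed with an ESP-like header
(SPI, sequence number) and an outer header with the gateway addresses the public
Internet routes on.  A constructed path is then walked hop by hop to show what a
listener on the link leaving each hop would see."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    spi: int          # identifies this SA at the receiving gateway
    enc_key: bytes    # confidentiality key (constructed)
    auth_key: bytes   # integrity key (constructed)


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """n keystream bytes from PRF(key, spi||seq||block); (spi, seq) must never repeat."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def esp_encapsulate(sa: SecurityAssociation, seq: int, inner: bytes,
                    outer_src: str, outer_dst: str) -> bytes:
    """Wire format: outer_src>outer_dst| SPI(4) SEQ(4) ciphertext tag(32)."""
    ks = _keystream(sa.enc_key, sa.spi, seq, len(inner))
    ct = bytes(a ^ b for a, b in zip(inner, ks))
    esp_hdr = struct.pack(">II", sa.spi, seq)
    tag = hmac.new(sa.auth_key, esp_hdr + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return f"{outer_src}>{outer_dst}|".encode() + esp_hdr + ct + tag


def esp_decapsulate(sa: SecurityAssociation, wire: bytes) -> bytes:
    """Check SPI and tag, then decrypt; raises ValueError on the wrong SA or tampering."""
    _outer, rest = wire.split(b"|", 1)
    spi, seq = struct.unpack(">II", rest[:8])
    ct, tag = rest[8:-32], rest[-32:]
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    expected = hmac.new(sa.auth_key, rest[:8] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(sa.enc_key, spi, seq, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def walk_path(sa, inner, path, tunnel_from, tunnel_to):
    """(hop, 'PLAINTEXT' | 'ciphertext', bytes) for the link leaving each hop."""
    seen, wire, in_tunnel = [], inner, False
    for hop in path:
        if hop == tunnel_from:
            wire, in_tunnel = esp_encapsulate(sa, 1, inner, tunnel_from, tunnel_to), True
        elif hop == tunnel_to:
            wire, in_tunnel = esp_decapsulate(sa, wire), False
        seen.append((hop, "ciphertext" if in_tunnel else "PLAINTEXT", wire))
    return seen


# Constructed sample data: one SA, one inner packet with private addresses, and a
# path whose tunnel runs gw-A..gw-B, leaving the isp-link hop outside it.
SA = SecurityAssociation(spi=0x1001, enc_key=b"e" * 32, auth_key=b"a" * 32)
INNER = b"10.0.0.5>10.0.1.9|GET /payroll"
PATH = ["10.0.0.5", "isp-link", "gw-A", "internet-1", "internet-2", "gw-B", "10.0.1.9"]


def tunnel_demo():
    return walk_path(SA, INNER, PATH, "gw-A", "gw-B")


if __name__ == "__main__":
    for hop, view, wire in tunnel_demo():
        print(f"{hop:11s} {view:10s} {wire[:40]!r}")
```

Between gw-A and gw-B a listener sees only the gateway addresses, the SPI, the sequence number and ciphertext; on the isp-link hop the private addresses and payload are fully visible, which is the weakness the slides warn about.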
Layer 2 Security: L2TP
  - Microsoft hybrid of:
    » their own PPTP
    » CISCO’s L2F (layer 2 forwarding)
  - With L2TP, IPSec is optional: like PPTP:
    » it can use PPP authentication and access controls (PAP and CHAP!)
    » It uses NCP to handle remote address assignment of remote client
  - as no IPSec, no overhead of reliance on PKI
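The PAP and CHAP options mentioned for PPTP/L2TP, as an added Python example of both exchanges (not lecture code). It shows the frames each side sends, that PAP puts the password itself on the link while CHAP (RFC 1994) sends only MD5(identifier || secret || challenge), and that a CHAP response is bound to the challenge it answered. The user alice, the shared secret and the challenge values are constructed; the wire lists stand for a passive capture of the link.

```python
"""PPP authentication as carried by PPTP/L2TP (added illustration, not course
code).  PAP: the client sends the password in the clear.  CHAP (RFC 1994): the
server sends a fresh challenge and the client answers with
MD5(identifier || secret || challenge), so the secret never crosses the link.
User, secret and challenges are constructed; `wire` plays a passive listener."""
import hashlib
import hmac
import os

SECRETS = {"alice": b"correct horse"}   # shared secrets held by the access server (constructed)


def pap_exchange(user: str, password: bytes, wire: list) -> bool:
    """PAP: Authenticate-Request carries the password itself."""
    wire.append(("Authenticate-Request", user, password))          # client -> server, in clear
    ok = user in SECRETS and hmac.compare_digest(SECRETS[user], password)
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak",))  # server -> client
    return ok


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value (MD5 is what the RFC specifies for this field)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored secret and the challenge it issued."""
    if user not in SECRETS:
        return False
    return hmac.compare_digest(response, chap_response(ident, SECRETS[user], challenge))


def chap_exchange(user: str, secret: bytes, wire: list,
                  challenge: bytes = None, ident: int = 1) -> bool:
    """Challenge (server->client), Response (client->server), Success/Failure."""
    challenge = challenge or os.urandom(16)                 # fresh per exchange
    wire.append(("Challenge", ident, challenge))
    response = chap_response(ident, secret, challenge)      # client never sends the secret
    wire.append(("Response", ident, response, user))
    ok = chap_verify(user, ident, challenge, response)
    wire.append(("Success" if ok else "Failure",))
    return ok


def secret_on_wire(wire: list, secret: bytes) -> bool:
    """Did the secret itself appear in any captured frame field?"""
    return any(secret in fld for frame in wire for fld in frame if isinstance(fld, bytes))


if __name__ == "__main__":
    pap, chap = [], []
    pap_exchange("alice", b"correct horse", pap)
    chap_exchange("alice", b"correct horse", chap)
    print("PAP capture exposes secret:", secret_on_wire(pap, b"correct horse"))    # True
    print("CHAP capture exposes secret:", secret_on_wire(chap, b"correct horse"))  # False
    print("stale CHAP response vs new challenge:",
          chap_verify("alice", 2, os.urandom(16), chap[1][2]))                      # False
```

Both schemes still rest on a secret the access server must hold, which is why the slides contrast this with the PKI-based authentication IPsec adds; CHAP only removes the secret from the link itself.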