
Contents

LECTURE x
Internet Security
1. IPSecurity (IPSec), VPN
2. SSL/TLS
3. PGP
4. Firewalls
5. HTTPS

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
(Forouzan, Data Communications and Networking, 4th Edition)

Security in the Internet

Figure 32.1 Common structure of three security protocols

• We will look at the application of security to the Network, Transport, and Application layers
— All are based on a Message Authentication Code (MAC) and encryption

32-1 IPSecurity (IPSec)

IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.

Topics discussed in this section:
Two Modes
Two Security Protocols
Security Association
Internet Key Exchange (IKE)
Virtual Private Network
Figure 32.2 TCP/IP protocol suite and IPSec

Figure 32.3 Transport mode and tunnel mode of the IPSec protocol
• Transport mode: protects the payload coming from the transport layer (suitable for end-to-end, host-to-host)
• Tunnel mode: protects the whole original packet, including its IP header, at the network layer (suitable for router-to-router)

IPSec in transport mode does not protect the IP header; it only protects the information coming from the transport layer.

Figure 32.4 Transport mode in action

Figure 32.5 Tunnel mode in action

IPSec in tunnel mode protects the original IP header; a new outer IP header, addressed to the tunnel endpoints, is added in front of it.
Figure 32.6 Authentication Header (AH) Protocol in transport mode

Authentication Header
• Uses a hash and a symmetric key (a keyed hash, i.e. a MAC)
— Computed over the total packet
• IP's protocol field = 51 (AH)
• Next header = original payload type (TCP, UDP, etc.)
• Payload length: length of AH in 4-byte units
— Excluding the first 8 bytes (i.e. the AH length in 32-bit words minus 2)
• Security parameter index (SPI): virtual-circuit identifier
— The same for all packets sent under one security association
• Sequence number: prevents playback (replay)
— Not repeated on retransmission
— Must not wrap around; when it would, a new security association must be created
• Authentication data is calculated over the entire packet
— Except the fields that change from hop to hop (TTL, header checksum)
— Calculated with the authentication-data field itself set to zeros

The AH Protocol provides source authentication and data integrity, but not privacy.
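The two points above, that tunnel mode wraps the original packet (private addresses included) inside a new outer IP header, and that AH authenticates everything except the hop-by-hop mutable fields and the zeroed authentication data while the sequence number guards against replay, as an added example in Python. This is not code from Forouzan's text; it builds an AH tunnel-mode packet by hand using the RFC 4302 layout with HMAC-SHA1-96 as the keyed hash, lets a "router" decrement the outer TTL, and shows the receiver accepting the packet, rejecting its replay, and rejecting a tampered inner header. The addresses (RFC 1918 and RFC 5737 ranges), SA key, SPI and payload are constructed for the example; the anti-replay window is the 32-packet bitmap of RFC 4302 section 3.4.3.

```python
# Added example, not Forouzan's: IPsec AH in tunnel mode (HMAC-SHA1-96) with the receiver's
# anti-replay window, per RFC 4302. Addresses, the SA key and the payload are constructed.
import hmac
import hashlib
import struct
import ipaddress

AH_PROTO = 51        # IP protocol number of AH
IPIP_PROTO = 4       # AH next header in tunnel mode: an inner IPv4 packet follows
ICV_LEN = 12         # HMAC-SHA1-96: the 20-byte HMAC-SHA1 truncated to 96 bits
AH_FIXED_LEN = 12    # next header, payload len, reserved, SPI, sequence number
ICV_OFF = 20 + AH_FIXED_LEN   # ICV offset behind a 20-byte outer header
IPV4_FMT = "!BBHHHBBH4s4s"

def ip_checksum(hdr):
    """One's-complement checksum of a 20-byte IPv4 header whose checksum field is zero."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    f = [0x45, 0, total_len, 0, 0, ttl, proto, 0,
         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    f[7] = ip_checksum(struct.pack(IPV4_FMT, *f))
    return struct.pack(IPV4_FMT, *f)

def ah_header(spi, seq, next_header, icv=b"\x00" * ICV_LEN):
    """Payload Len = AH length in 32-bit words minus 2, i.e. excluding the first 8 bytes."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def zero_mutable(packet):
    """What the ICV covers: the whole packet with the outer header's mutable fields
    (ToS, flags/fragment offset, TTL, checksum) and the ICV itself set to zero."""
    p = bytearray(packet)
    p[1] = 0
    p[6:8] = b"\x00\x00"
    p[8] = 0
    p[10:12] = b"\x00\x00"
    p[ICV_OFF:ICV_OFF + ICV_LEN] = b"\x00" * ICV_LEN
    return bytes(p)

def compute_icv(key, packet):
    return hmac.new(key, zero_mutable(packet), hashlib.sha1).digest()[:ICV_LEN]

def build_tunnel_packet(key, spi, seq, inner_src, inner_dst, outer_src, outer_dst, payload):
    """outer IP (router addresses) | AH | inner IP (private addresses) | payload."""
    inner = ipv4_header(inner_src, inner_dst, 17, 20 + len(payload)) + payload   # 17 = UDP
    ah = ah_header(spi, seq, IPIP_PROTO)
    outer = ipv4_header(outer_src, outer_dst, AH_PROTO, 20 + len(ah) + len(inner))
    packet = outer + ah + inner
    return packet[:ICV_OFF] + compute_icv(key, packet) + packet[ICV_OFF + ICV_LEN:]

def forward_hop(packet):
    """What each router on the path does: decrement TTL, recompute the header checksum."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:20])))
    return bytes(p)

class AhReceiver:
    """Inbound SA: key plus a 32-packet sliding anti-replay window (RFC 4302 3.4.3)."""
    WINDOW = 32

    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set <=> sequence number (highest - i) was accepted

    def accept(self, packet):
        """(True, inner_packet) or (False, reason); window state changes only on success."""
        if packet[9] != AH_PROTO:
            return False, "not AH"
        _, _, _, spi, seq = struct.unpack("!BBHII", packet[20:ICV_OFF])
        if spi != self.spi:
            return False, "unknown SPI"
        if not hmac.compare_digest(packet[ICV_OFF:ICV_OFF + ICV_LEN], compute_icv(self.key, packet)):
            return False, "bad ICV"
        if seq > self.highest:   # new high-water mark: slide the window right
            self.seen = ((self.seen << (seq - self.highest)) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            back = self.highest - seq
            if back >= self.WINDOW:
                return False, "too old"
            if self.seen & (1 << back):
                return False, "replay"
            self.seen |= 1 << back
        return True, packet[ICV_OFF + ICV_LEN:]

def demo():
    """Constructed exchange: a packet crosses a router, is accepted, replayed and tampered with."""
    key, spi = b"\x0b" * 20, 0x1000
    rx = AhReceiver(key, spi)
    pkt = forward_hop(build_tunnel_packet(key, spi, 1, "10.0.1.5", "10.0.2.7",
                                          "203.0.113.1", "198.51.100.2", b"hello"))
    ok, inner = rx.accept(pkt)                          # TTL changed in transit: still verifies
    replay = rx.accept(pkt)[1]                          # same sequence number a second time
    bad = bytearray(pkt)
    bad[ICV_OFF + ICV_LEN + 12] ^= 1                    # flip a bit of the inner source address
    return {"ok": ok, "inner_src": str(ipaddress.ip_address(inner[12:16])),
            "replay": replay, "tamper": rx.accept(bytes(bad))[1]}
```

demo() returns {"ok": True, "inner_src": "10.0.1.5", "replay": "replay", "tamper": "bad ICV"}. The check worth noticing is the asymmetry: the outer header's TTL and checksum change at every hop and must be excluded from the ICV, but in tunnel mode the inner header is covered completely, so rewriting the private addresses inside the tunnel is detected. A production receiver does the window check before the HMAC to save work on obvious replays, but, as here, it updates the window only after the ICV verifies.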

Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode

• IP's protocol field = 50 (ESP)
• Pad length = length of the padding
— The padding depends on the encryption algorithm (the block size of a block cipher)
• Authentication via a keyed-hash digest (HMAC) over the ESP header, the encrypted payload, and the trailer
• AH and ESP are IPv6 extension headers
— In IPv4 they appear as new protocol types (50 and 51)

ESP provides source authentication, data integrity, and privacy.

Table 32.1 IPSec services
Figure 32.8 Simple inbound and outbound security associations

Security Association
— Establishment of the security parameters for one direction of traffic (at the first message to a receiver)
— Stored in the Security Association Database (SADB)
— Each association is identified by a Security Parameter Index (SPI)
— Example entry: authentication = SHA-1 with key = x

Figure 32.9 IKE components
• Oakley: key-creation protocol
• SKEME: key-exchange protocol
• ISAKMP: defines the packets, protocols, and parameters
IKE creates the security associations for IPSec.

Virtual Private Network (VPN)

Figure 32.10 Private network
• Intranet: private network inside an organization
— Can use a set of private IP addresses
— Consists of a private LAN + a private WAN
• Extranet: an intranet that allows access from a specific group of outsiders
Figure 32.11 Hybrid network
• Uses a private network for intra-organization communication and the global Internet for inter-organization communication
• Still needs global IP addresses for the Internet part

Figure 32.12 Virtual private network
• Most common
• Uses the global Internet for both private and public communications
— Private communication is encrypted using IPSec tunneling

Figure 32.13 Addressing in a VPN
• Stations on the Internet cannot even see the source and destination addresses of the original (inner) packet; only the addresses of the two tunnel endpoints are visible

32-2 SSL/TLS

Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former.

Topics discussed in this section:
SSL Services
Security Parameters
Sessions and Connections
Four Protocols
Transport Layer Security
Figure 32.14 Location of SSL and TLS in the Internet model
• Transport layer security provides end-to-end security to TCP applications
• SSL provides compression, authentication, and encryption
— Authentication is based on a keyed hash (MAC)
— Encryption is based on symmetric keys
• SSL relies on a cipher suite and a cryptographic secret
— Instead of a security association

Table 32.3 SSL cipher suite list
• A cipher suite is a combination of three algorithms (key exchange, encryption, and hash)

Table 32.3 SSL cipher suite list (continued)

Figure 32.15 Creation of cryptographic secrets in SSL
• An IV is needed for block encryption (CBC mode)

The client and the server have six different cryptographic secrets (4 keys and 2 initialization vectors).
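How the six secrets are actually derived, as an added Python example that is not from Forouzan's text. It implements the TLS 1.2 PRF (RFC 5246 section 5, P_SHA256) and the key-expansion step that turns the master secret and the two handshake randoms into the key block, then cuts the block into the client/server MAC keys, write keys and IVs. The six-value layout is the one of SSL 3.0/TLS 1.0 (RFC 2246 section 6.3), which is the layout the slide describes; the pre-master secret and the randoms are constructed values, and the default sizes assume HMAC-SHA256 with AES-128-CBC.

```python
# Added example, not Forouzan's: TLS PRF (RFC 5246 P_SHA256) and key expansion into the
# six per-connection secrets of the SSL 3.0/TLS 1.0 key-block layout.
# The pre-master secret and the client/server randoms used below are constructed.
import hmac
import hashlib

def p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); the output is cut to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def master_secret(pre_master, client_random, server_random):
    """48-byte master secret (RFC 5246 8.1); the client random comes first here."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

SECRET_NAMES = ("client_write_MAC_key", "server_write_MAC_key",
                "client_write_key", "server_write_key",
                "client_write_IV", "server_write_IV")

def key_block_to_secrets(master, client_random, server_random, mac_len, key_len, iv_len):
    """Expand the master secret into the key block and cut it into the six secrets.
    Note the seed order server_random + client_random, the reverse of master_secret()."""
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    secrets, off = {}, 0
    for name, size in zip(SECRET_NAMES, sizes):
        secrets[name] = block[off:off + size]
        off += size
    return secrets

def derive_connection_secrets(pre_master, client_random, server_random,
                              mac_len=32, key_len=16, iv_len=16):
    """End to end: pre-master secret -> master secret -> the six secrets
    (defaults sized for HMAC-SHA256 + AES-128-CBC)."""
    ms = master_secret(pre_master, client_random, server_random)
    return ms, key_block_to_secrets(ms, client_random, server_random, mac_len, key_len, iv_len)
```

The client protects its records with client_write_key and client_write_MAC_key, the server with the server_* values, which is why a record sent by one side cannot be reflected back as if it came from the other. One caveat for anyone reading modern code against this slide: from TLS 1.1 on, CBC suites carry an explicit per-record IV, so the key-block IVs are derived only for AEAD suites (as the implicit part of the nonce) and TLS 1.3 replaces the whole PRF with HKDF.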
Figure 32.16 Four SSL protocols
• Record protocol: fragmentation, compression, MAC, and encryption of the application data
• Handshake protocol: sets up the cipher suite and the cryptographic secrets
• ChangeCipherSpec protocol: signals that the negotiated parameters take effect
• Alert protocol: reports errors

Figure 32.17 Handshake Protocol

Figure 32.18 Processing done by the Record Protocol

32-3 PGP

One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails.

Topics discussed in this section:
Security Parameters
Services
A Scenario
PGP Algorithms
Key Rings
PGP Certificates
Figure 32.19 Position of PGP in the TCP/IP protocol suite
• E-mail requires uni-directional security
— No negotiation, no session setup
• PGP provides services for plaintext, authentication, compression, confidentiality with a one-time session key, code conversion, and segmentation

Figure 32.20 A scenario in which an e-mail message is authenticated and encrypted
• Assuming that the public keys are already known
• The message is signed with the sender's private key, then message and signature are encrypted with a one-time session key; the session key itself is encrypted with the receiver's public key and sent along

In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.

Table 32.4 PGP Algorithms

Figure 32.21 Rings
• PGP also supports multiple keys per person and multiple recipients per message
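The trust model behind the key rings, in which each ring owner assigns a trust level to the introducers whose signatures appear in the ring and a key may become valid through more than one path, as an added Python example that is not from Forouzan's text (the rule itself is described on the PGP Certificates slide that follows). It applies the classic PGP validity rule: a key is valid if it carries a signature from one fully trusted introducer or from two partially trusted ones, where each introducer's own key must itself be valid. The names, keys and signatures are constructed for the example.

```python
# Added example, not Forouzan's: key validity in a PGP-style web of trust.
# Classic PGP defaults: one signature from a fully trusted introducer, or two from
# partially trusted introducers, make a key valid; an introducer only counts if its own
# key is valid. Everyone below (Bob, Alice, Ted, ...) is a constructed name.

FULL, PARTIAL, NONE = "full", "partial", "none"
COMPLETES_NEEDED = 1   # one fully trusted signature is enough
MARGINALS_NEEDED = 2   # or two partially trusted ones

class KeyRing:
    def __init__(self, owner):
        self.owner = owner
        self.trust = {owner: FULL}       # the owner's opinion of each introducer
        self.signatures = {}             # subject -> set of signers of that subject's key

    def set_trust(self, introducer, level):
        self.trust[introducer] = level

    def add_signature(self, subject, signer):
        self.signatures.setdefault(subject, set()).add(signer)

    def is_valid(self, subject, _visited=frozenset()):
        """True if the ring owner should believe `subject`'s key is genuine."""
        if subject == self.owner:
            return True
        if subject in _visited:          # guard against signature cycles (A signs B signs A)
            return False
        visited = _visited | {subject}
        complete = partial = 0
        for signer in self.signatures.get(subject, ()):
            if signer == subject or not self.is_valid(signer, visited):
                continue                 # self-signatures and invalid signers do not count
            level = self.trust.get(signer, NONE)
            if level == FULL:
                complete += 1
            elif level == PARTIAL:
                partial += 1
        return complete >= COMPLETES_NEEDED or partial >= MARGINALS_NEEDED

def demo_ring():
    """Bob's ring: Bob signed Alice, Ted and Carol himself and trusts Alice fully, Ted and
    Carol partially. Alice signs Grace; Ted and Carol both sign Dave; only Ted signs Eve;
    Frank and Mallory merely sign each other."""
    ring = KeyRing("Bob")
    for person in ("Alice", "Ted", "Carol"):
        ring.add_signature(person, "Bob")
    ring.set_trust("Alice", FULL)
    ring.set_trust("Ted", PARTIAL)
    ring.set_trust("Carol", PARTIAL)
    ring.add_signature("Grace", "Alice")
    ring.add_signature("Dave", "Ted")
    ring.add_signature("Dave", "Carol")
    ring.add_signature("Eve", "Ted")
    ring.add_signature("Frank", "Mallory")
    ring.add_signature("Mallory", "Frank")
    return {name: ring.is_valid(name)
            for name in ("Alice", "Ted", "Dave", "Grace", "Eve", "Frank")}
```

demo_ring() reports Alice, Ted, Grace and Dave as valid and Eve and Frank as not: Dave's key is vouched for by two partially trusted introducers (two paths, neither sufficient alone), Eve's by only one, and Frank and Mallory form a closed loop that no trusted introducer reaches. Trust (how much Bob believes a person's signatures) and validity (whether Bob believes a key belongs to its claimed owner) are separate properties, which is why Carol's key can be valid while her signatures count only half.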
PGP Certificates
• A public key can come from a CA's certificate or from PGP's own certificate system
• Distributed architecture (a web of trust)
— Bob introduces Alice to the web of trust
— Everyone determines the trust level of each member for themselves

In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.

32-4 FIREWALLS

All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Topics discussed in this section:
Packet-Filter Firewall
Proxy Firewall

Figure 32.22 Firewall

Figure 32.23 Packet-filter firewall
• Packets meeting these rules are blocked
• The firewall can deny access to a specific host or a specific service in the organization
— Rules in the figure: block incoming TELNET (port 23), block all traffic to a particular internal server, and block outgoing traffic to port 80 (no web browsing allowed)
— The decision uses only header fields (interface, addresses, ports), never the content of the packet

A packet-filter firewall filters at the network or transport layer.
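A rule table of the kind shown in Figure 32.23, evaluated first-match over a few packets, as an added Python example that is not from Forouzan's text. The interface numbers (1 = Internet side, 2 = internal side), the address ranges (RFC 1918 and RFC 5737 documentation ranges) and the sample packets are constructed; the rules themselves mirror the ones the slide describes, with a "*" wildcard for any value.

```python
# Added example, not Forouzan's: a first-match packet-filter firewall in the style of
# Figure 32.23. Interfaces, address ranges, the rule table and the sample packets are
# constructed; the slide's convention is that packets matching a listed rule are blocked.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: int      # interface the packet arrives on: 1 = Internet side, 2 = internal side
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: object   # int or "*"
    src: str        # CIDR or "*"
    sport: object   # int or "*"
    dst: str        # CIDR or "*"
    dport: object   # int or "*"
    action: str     # "block" or "forward"
    why: str

def _addr_matches(pattern, addr):
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _field_matches(pattern, value):
    return pattern == "*" or pattern == value

def rule_matches(rule, pkt):
    return (_field_matches(rule.iface, pkt.iface)
            and _addr_matches(rule.src, pkt.src)
            and _field_matches(rule.sport, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst)
            and _field_matches(rule.dport, pkt.dport))

def filter_packet(pkt, rules, default="forward"):
    """First matching rule wins; `default` applies when no rule matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.why
    return default, "no rule matched"

# Constructed table mirroring the slide: drop an untrusted network, block incoming TELNET,
# block all access to one internal server, and block outgoing web browsing.
RULES = [
    Rule(1, "192.0.2.0/24", "*", "*", "*", "block", "packets from an untrusted network"),
    Rule(1, "*", "*", "*", 23, "block", "no incoming TELNET"),
    Rule(1, "*", "*", "10.0.0.5/32", "*", "block", "internal server is not reachable from outside"),
    Rule(2, "*", "*", "*", 80, "block", "no web browsing allowed"),
]

def run_samples():
    """Constructed packets: one per rule, plus traffic that should pass."""
    samples = {
        "telnet_in": Packet(1, "198.51.100.7", 40000, "10.0.0.20", 23),
        "mail_in": Packet(1, "198.51.100.7", 40000, "10.0.0.20", 25),
        "to_server": Packet(1, "198.51.100.7", 40000, "10.0.0.5", 443),
        "web_out": Packet(2, "10.0.0.20", 50000, "198.51.100.7", 80),
        "https_out": Packet(2, "10.0.0.20", 50000, "198.51.100.7", 443),
    }
    return {name: filter_packet(p, RULES)[0] for name, p in samples.items()}
```

run_samples() blocks telnet_in, to_server and web_out and forwards mail_in and https_out. Two things a practitioner would change before deploying this: the slide's "listed packets are blocked, everything else forwarded" is allow-by-default, whereas a production table ends with a deny-all rule (pass default="block" here); and the filter has no idea what the packet says, so the "no web browsing" rule is trivially bypassed by HTTPS on port 443 or a web server on a non-standard port, which is exactly the gap the proxy firewall on the next slide closes.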
Figure 32.24 Proxy firewall
• Used when the filtering decision must be made at the application layer
— E.g., based on the message or request type
— Block web browsing to a specific website
— Allow access only from a certain user
• The proxy terminates the client's connection, inspects the request, and opens its own connection to the real server only for requests that pass

A proxy firewall filters at the application layer.
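The three decisions the slide lists (request type, the site being visited, the requesting user), made by parsing the HTTP request itself, as an added Python example that is not from Forouzan's text. The host names, the user list and the sample requests are constructed; the proxy takes the site from the absolute-form request target that browsers send to a forward proxy (RFC 7230 section 5.3.2) and the user from a Basic Proxy-Authorization header.

```python
# Added example, not Forouzan's: an application-layer (proxy) filter for HTTP requests.
# Unlike a packet filter it parses the request, so it can act on the method, the site
# being visited and the user making the request. Hosts, users and requests are constructed.
import base64
from urllib.parse import urlsplit

def parse_request(raw):
    """Parse the request line and headers of an HTTP/1.1 request; ValueError if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body

def requested_host(target, headers):
    """Site from the absolute-form target (what a browser sends to a proxy); the Host
    header is only a fallback. Any :port is stripped and the name lower-cased."""
    host = urlsplit(target).hostname if "://" in target else headers.get("host", "")
    return (host or "").split(":")[0].lower()

def proxy_user(headers):
    """User name from a Basic Proxy-Authorization header, or None."""
    scheme, _, cred = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(cred, validate=True).decode("utf-8").split(":", 1)[0]
    except (ValueError, UnicodeDecodeError):
        return None

def proxy_decision(raw, blocked_sites, exempt_users, allowed_methods=("GET", "HEAD", "POST")):
    """Return ("allow" | "deny", reason) for one request."""
    try:
        method, target, _, headers, _ = parse_request(raw)
    except (ValueError, IndexError):
        return "deny", "malformed request"
    if method not in allowed_methods:
        return "deny", f"method {method} not permitted"
    host = requested_host(target, headers)
    if not host:
        return "deny", "no host in request"
    if host in blocked_sites or any(host.endswith("." + b) for b in blocked_sites):
        user = proxy_user(headers)
        if user in exempt_users:
            return "allow", f"{host} is blocked, but {user} is exempt"
        return "deny", f"browsing to {host} is blocked"
    return "allow", f"{method} {host}"

def run_samples():
    """Constructed requests: an allowed site, a blocked site, the same site for an exempt
    user, a method the proxy does not permit, and something that is not HTTP at all."""
    blocked, exempt = {"social.example"}, {"admin"}
    auth = "Proxy-Authorization: Basic " + base64.b64encode(b"admin:s3cret").decode()
    reqs = {
        "ok_site": b"GET http://news.example/ HTTP/1.1\r\nHost: news.example\r\n\r\n",
        "blocked_site": b"GET http://www.social.example/feed HTTP/1.1\r\nHost: www.social.example\r\n\r\n",
        "exempt_user": ("GET http://social.example/ HTTP/1.1\r\nHost: social.example\r\n"
                        + auth + "\r\n\r\n").encode(),
        "bad_method": b"CONNECT social.example:443 HTTP/1.1\r\nHost: social.example\r\n\r\n",
        "garbage": b"hello\r\n\r\n",
    }
    return {name: proxy_decision(r, blocked, exempt)[0] for name, r in reqs.items()}
```

run_samples() allows ok_site and exempt_user and denies the other three. The point the slide makes is visible in the blocked_site case: the packet-filter table from the previous slide sees only "TCP to port 80" and cannot tell news.example from www.social.example, while the proxy reads the request and can. Two caveats when this is more than a teaching example: HTTPS reaches a proxy as CONNECT host:443, so the site decision for encrypted traffic must be made on the CONNECT authority because the proxy cannot read anything after the tunnel is up, and Basic credentials over plaintext HTTP are readable by anyone on the path, so the "certain user" exemption should rest on an authenticated session to the proxy, not on a header the client can forge.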
