
1 Internet Security CSCE 813 Network Access Layer Security Protocols

2 Reading
CSCE 813 - Farkas
- Frequently Asked Questions -- Microsoft's PPTP Implementation, http://www.schneier.com/pptp-faq.html
- Cisco, How Virtual Private Networks Work, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094865.shtml

3 TCP/IP Protocol Stack
- Application Layer
- Transport Layer
- Internetwork Layer
- Network Access Layer
Each layer interacts with the neighboring layers above and below. Each layer can be defined independently, so the complexity of the network is hidden from the application.

4 Network Access Layer
- Roughly corresponds to the OSI Physical and Data Link layers
- Least uniform of the TCP/IP layers
- Services and functions that prepare data for the physical network: interfacing with the network adapter, coordinating data transmission, formatting data, checking for errors, acknowledging receipt, etc.
- LAN technologies: Ethernet and Token Ring
- Diverse, complex, and invisible to the layers above

5 Security -- At What Level?
Traffic can be secured at various levels of the network stack. Where to implement security depends on the security requirements of the application and of the user.

6 Security at Network Access Layer
Dedicated link between hosts/routers, with hardware devices (link encryptors) doing the encryption
- Advantage: speed
- Disadvantages: not scalable; works well only on dedicated links; the two hardware devices need to be physically connected by the link they protect

7 SILS
- 1980s: IEEE security for LANs and MANs
- Standard for Interoperable LAN/MAN Security (IEEE 802.10), compatible with the IEEE 802 and OSI specifications
- Has not been commercially successful
- More recent work targets secure dial-up connections using PPP

8 Virtual Private Network (VPN)
A private network constructed within the public Internet
- Goals: connect private networks using public infrastructure; simplify the creation of distributed networks
- Requirements: security (confidentiality, authentication, integrity); quality of service

9 Without VPN
(figure: Client, Internet, Main office with a Remote Access Server (RAS); the client uses PSTN/ISDN to set up a PPP connection to the RAS. Security?)

10 With VPN
(figure: the client dials the LAC over the PSTN; an L2TP tunnel runs from the LAC across the Internet to the LNS at the main office)

11 Virtual Private Network
L2TP combines Layer 2 Forwarding (L2F) and the Point-to-Point Tunneling Protocol (PPTP)
Terms:
- CHAP: Challenge Handshake Authentication Protocol
- LAC: L2TP Access Concentrator
- LNS: L2TP Network Server
- VPDN: Virtual Private Dial Network

12 Security Support
- Message confidentiality: encryption provided by IPsec, PPTP/MPPE, or L2TP/IPsec
- Message integrity: integrity verification in IPsec, together with origin authentication
- Data origin authentication

13 Security Support
- Anti-replay
- Traffic flow confidentiality: data tunneling hides the inner traffic
- Non-repudiation
- AAA: Authentication, Authorization and Accounting
- Key management

14 Secure Dial-Up Connection
(figure, copyright: Oppliger, eSecurity)

15 Network Services
Tunneling and encapsulation
- Tunneling uses encapsulation: the data transfer units of one protocol are enclosed inside a different protocol
- Advantages: allows transmission of incompatible frames over an existing network; allows cryptographic protection of the encapsulated frames
- Disadvantage: extra software is needed to encapsulate and decapsulate, so performance is lower

16 L2TP - Terminology
- Remote system (dial-up client): computer system that is either the initiator or the recipient of a layer 2 tunnel
- L2TP Access Concentrator (LAC): node that acts as one side of the layer 2 tunnel and is a peer to the LNS
- L2TP Network Server (LNS): node that acts as one side of the layer 2 tunnel and is a peer to the LAC

17 Tunneling Establishment
- Voluntary tunneling: the tunnel is created by the client (user); the user sends packets already encapsulated in the tunneling protocol (L2TP, PPTP)
- Compulsory tunneling: the tunnel is created without any action by the client; the client sends plain PPP packets to the LAC (e.g., an ISP), which encapsulates them in the tunneling protocol (L2TP, PPTP)
The level of protection of the packets differs: with compulsory tunneling the PPP frames travel outside the tunnel between the client and the LAC.

18 Layer 2 Tunneling Protocol (L2TP)
Goal: tunnel PPP frames between a remote system (LAC client) and an LNS located on the LAN. A given network layer protocol (e.g., IP, IPX) is encapsulated inside PPP, the PPP frames are encapsulated in L2TP, and the L2TP packets are carried by a transport protocol (e.g., IP/UDP). L2TP itself does not cryptographically protect the PPP frames; that protection has to come from the transport (IPsec).
- Most popular
- Applicable over the Internet
Encapsulation stack: IPX | PPP | L2TP | IP

19 L2TP Protocol
Tunnel components:
- Control channel (reliable): controls the sessions and the tunnel
- Data channel (unreliable): one session is created for each call
Multiple tunnels may exist between a LAC-LNS pair to support different QoS needs
(figure: Control; Session 1 (Call ID 1); Session 2 (Call ID 2); between LAC and LNS. Copyright: G. Chaffee, UCA/Berkley)

20 L2TP Protocol Structure
(figure: PPP frames are carried in L2TP data messages over the L2TP data channel (unreliable); L2TP control messages use the L2TP control channel (reliable); both channels run over a packet transport (IP, UDP, ATM, etc.))

21 Control Messages
- Establishment, maintenance and clearing of tunnels and calls
- Use the reliable control channel within L2TP to guarantee delivery
- Control message types: Control Connection Management; Call Management; Error Reporting; PPP Session Control

22 Data Messages
- Encapsulate the PPP frames carried over the tunnel
- Not retransmitted when packet loss occurs
- Sequence numbers (optional): data message sequencing may be used to detect lost or reordered packets
- No fragmentation avoidance
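Worked example (added here; it is not from the slides or from any L2TP implementation): a small Python parser for the L2TPv2 header and AVP layout of RFC 2661 that separates control messages from data messages and enforces the flag rules the slides describe (control messages must carry Length and sequence numbers and must not use the Offset field; data messages carry the raw PPP frame). The SCCRQ, ZLB and data packets it parses are constructed inline for the demonstration; the host name "lac1", tunnel ID 5 and session ID 7 are made up.

```python
import struct

# L2TP header flag bits (RFC 2661, section 3.1)
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200
VERSION_MASK = 0x000F

# Control message types carried in the Message Type AVP (attribute 0)
CONTROL_MESSAGE_TYPES = {
    1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN",
    14: "CDN", 15: "WEN", 16: "SLI",
}


def parse_avps(body: bytes) -> list:
    """Split a control message body into AVPs: M/H bits, 10-bit length, vendor, attribute, value."""
    avps, off = [], 0
    while off < len(body):
        if off + 6 > len(body):
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack_from("!HHH", body, off)
        alen = hdr & 0x03FF
        if alen < 6 or off + alen > len(body):
            raise ValueError("bad AVP length %d" % alen)
        avps.append({"mandatory": bool(hdr & 0x8000), "hidden": bool(hdr & 0x4000),
                     "vendor": vendor, "attr": attr, "value": body[off + 6:off + alen]})
        off += alen
    return avps


def parse_l2tp(packet: bytes) -> dict:
    """Parse one L2TPv2 packet (the UDP payload) into header fields plus AVPs or a PPP frame."""
    try:
        flags = struct.unpack_from("!H", packet, 0)[0]
        if flags & VERSION_MASK != 2:
            raise ValueError("not L2TPv2 (Ver=%d)" % (flags & VERSION_MASK))
        is_control = bool(flags & FLAG_T)
        if is_control and (not flags & FLAG_L or not flags & FLAG_S or flags & FLAG_O):
            # RFC 2661: control messages MUST set L and S and MUST NOT set O
            raise ValueError("malformed control message flags 0x%04x" % flags)
        off, length = 2, None
        if flags & FLAG_L:
            length = struct.unpack_from("!H", packet, off)[0]
            off += 2
            if length > len(packet):
                raise ValueError("Length field exceeds packet")
        tunnel_id, session_id = struct.unpack_from("!HH", packet, off)
        off += 4
        ns = nr = None
        if flags & FLAG_S:
            ns, nr = struct.unpack_from("!HH", packet, off)
            off += 4
        if flags & FLAG_O:  # data messages may use an Offset field to align the payload
            off += 2 + struct.unpack_from("!H", packet, off)[0]
    except struct.error:
        raise ValueError("truncated L2TP header")
    body = packet[off:length]
    result = {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
              "ns": ns, "nr": nr}
    if is_control:
        avps = parse_avps(body)
        result["avps"] = avps
        if not avps:
            result["msg_type"] = "ZLB"  # zero-length body: a pure acknowledgement
        elif avps[0]["attr"] == 0 and avps[0]["vendor"] == 0:
            code = int.from_bytes(avps[0]["value"], "big")
            result["msg_type"] = CONTROL_MESSAGE_TYPES.get(code, code)
        else:
            raise ValueError("Message Type AVP must come first")
    else:
        result["ppp"] = body
    return result


def avp(attr: int, value: bytes, mandatory: bool = True) -> bytes:
    """Build one IETF (vendor 0) AVP."""
    hdr = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", hdr, 0, attr) + value


def control_message(msg_type: int, tunnel_id: int, ns: int, nr: int, *avps: bytes) -> bytes:
    """Build a control message: T, L and S set, session ID 0, Message Type AVP first."""
    body = avp(0, struct.pack("!H", msg_type)) + b"".join(avps)
    hdr = struct.pack("!HHHHHH", FLAG_T | FLAG_L | FLAG_S | 2, 12 + len(body), tunnel_id, 0, ns, nr)
    return hdr + body


# Constructed sample: an SCCRQ from a LAC named "lac1" (tunnel ID 0 until the peer assigns one)
SAMPLE_SCCRQ = control_message(1, 0, 0, 0,
                               avp(2, b"\x01\x00"),          # Protocol Version 1.0
                               avp(3, b"\x00\x00\x00\x03"),  # Framing Capabilities: async + sync
                               avp(7, b"lac1"),              # Host Name
                               avp(9, b"\x00\x05"))          # Assigned Tunnel ID 5
# Constructed sample: a data message for tunnel 5 / session 7 carrying a PPP frame (protocol 0x0021, IP)
SAMPLE_DATA = struct.pack("!HHH", 2, 5, 7) + b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14"

if __name__ == "__main__":
    print(parse_l2tp(SAMPLE_SCCRQ))
    print(parse_l2tp(SAMPLE_DATA))
```

The parser rejects a packet whose T bit is set without L and S, which is the check a receiver needs before it trusts the Ns/Nr fields for the reliable control channel; a data message with the same flag pattern is simply a six-byte header followed by the PPP frame.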

23 Security Considerations: Tunnel Endpoint Security
- Endpoints may optionally authenticate one another during tunnel establishment with a CHAP-style challenge/response
- Gives reasonable protection against replay and snooping of the tunnel establishment exchange
- Designed to provide authentication for tunnel establishment only; it does not protect the data that follows
- LAC and LNS MUST share a single secret
- Each side uses this same secret both when it is being authenticated and when it acts as authenticator
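Worked example (added here, not part of the lecture): both sides of the RFC 2661 tunnel authentication exchange in Python, using the CHAP-style MD5 response over the shared secret, followed by the offline dictionary attack that a sniffed challenge/response pair allows when nothing protects the control channel. The secrets, challenges and word list are constructed for the demonstration.

```python
import hashlib
import os

SCCRP, SCCCN = 2, 3  # message types whose Challenge Response AVP answers the peer's challenge


def tunnel_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 tunnel authentication: CHAP-style MD5(ID || secret || challenge).

    The one-byte ID is the message type of the message that carries the
    response (2 for SCCRP, 3 for SCCCN), so the same challenge answered in
    the other direction gives a different value and cannot be echoed back.
    """
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def tunnel_handshake(lac_secret: bytes, lns_secret: bytes, rng=os.urandom):
    """Simulate SCCRQ -> SCCRP -> SCCCN with each side holding its own copy of the secret.

    Returns (lac_accepts_lns, lns_accepts_lac).
    """
    lac_challenge = rng(16)                                        # Challenge AVP in the SCCRQ
    lns_resp = tunnel_response(SCCRP, lns_secret, lac_challenge)   # Challenge Response AVP in SCCRP
    lns_challenge = rng(16)                                        # Challenge AVP in the same SCCRP
    lac_accepts = lns_resp == tunnel_response(SCCRP, lac_secret, lac_challenge)
    lac_resp = tunnel_response(SCCCN, lac_secret, lns_challenge)   # Challenge Response AVP in SCCCN
    lns_accepts = lac_resp == tunnel_response(SCCCN, lns_secret, lns_challenge)
    return lac_accepts, lns_accepts


def offline_guess(msg_type: int, challenge: bytes, response: bytes, wordlist):
    """Dictionary attack on one sniffed challenge/response pair.

    Only tunnel setup is authenticated, and the exchange itself travels in the
    clear unless IPsec protects the transport, so a weak shared secret can be
    recovered offline from a single capture and then used in both directions.
    """
    for word in wordlist:
        if tunnel_response(msg_type, word.encode(), challenge) == response:
            return word
    return None


if __name__ == "__main__":
    print(tunnel_handshake(b"example-shared-secret", b"example-shared-secret"))
    c = os.urandom(16)
    r = tunnel_response(SCCRP, b"letmein", c)
    print(offline_guess(SCCRP, c, r, ["password", "letmein", "admin"]))
```

The message-type ID stops a peer from reusing the response it just received as its own reply within one exchange, but it does nothing for the secret's strength or for anything sent after the SCCCN: that is exactly why the slides require packet-level protection from the transport.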

24 Security Considerations: Packet Level Security
- L2TP requires that the underlying transport make available encryption, integrity and authentication services for all L2TP traffic
- This secure transport operates on the entire L2TP packet and is functionally independent of PPP and of the protocol carried by PPP
- L2TP is concerned only with the confidentiality, authenticity and integrity of the L2TP packets between the tunnel endpoints

25 Security Considerations: End-to-End Security
- A secure transport in the tunnel protects the data in the tunneled PPP packets only while they travel from the LAC to the LNS
- Security between the communicating hosts or applications must be provided separately (e.g., end-to-end IPsec)

26 L2TP and IPSec
Attacks to consider:
- Packet snooping: discover user identity
- Packet modification (of both control and data messages)
- Denial of service by terminating PPP connections or L2TP tunnels
- Disrupting L2TP tunnel establishment

27 PPTP
- Designed to create and maintain VPN tunnels over public TCP/IP networks using PPP
- Joint effort of Microsoft and other product vendors
- Server in Windows NT 4.0
- Clients for Windows 95 and NT 4.0
Copyright: G. Chaffee, UCA/Berkley

28 (figure, copyright: Oppliger, eSecurity)

29 PPTP
Data channel:
- Encapsulates PPP over IP using Generic Routing Encapsulation (GRE)
- Encapsulates the link layer (PPP) and communicates at the network layer (IP)
Encapsulation stack: Media-specific header | IP | GRE | PPP | IP payload

30 PPTP
Signaling (control) channel:
- Uses a TCP connection for signaling
- Queries status and conveys signaling information between the access concentrator and the network server (PPTP calls them PAC and PNS; the slides reuse the L2TP terms LAC and LNS)
- Always initiated by the PPTP client to the PPTP server on TCP port 1723
- Bidirectional

31 (figure, copyright: Oppliger, eSecurity)

32 Authentication – MS-PPTP
Three methods:
- Clear password: client authenticates to the server
- Hashed password: client authenticates to the server
- Challenge-response: client and server authenticate each other

33 Hashed authentication
LAN Manager hash: DES encryption
- Password is truncated or padded to a 14-character string
- All characters are converted to upper case
- String is split into two 7-character halves, each used as a DES key to encrypt a fixed constant, giving two 8-byte strings
- Concatenate the two strings: the 16-byte result is the hash value
Windows NT hash: MD4
- Password is converted to Unicode (UTF-16LE)
- Hashed with MD4, giving a 16-byte hash value

34 Security Problems with Hashed Authentication
- Dictionary attack: the LAN Manager hash is easier to break (upper case only, and the two 7-character halves can be attacked independently); the Windows NT hash is better (mixed case, full-length input)
- Neither supports a password salt, so equal passwords give equal hashes and precomputed tables work across users
- Both hash values are sent together, so the weaker LAN Manager hash undermines the NT hash
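Worked example (added here; not taken from the slides or from Schneier's FAQ): the NT hash and the LAN Manager key derivation in Python, with a pure-Python MD4 because hashlib's MD4 is often unavailable under OpenSSL 3. DES itself is not implemented; the example stops at the two DES keys, which is enough to show why every password of 7 characters or fewer has the same second LM half, why case does not matter to LM, and why an unsalted hash can be cracked with a table built once. The LM password-to-bytes mapping is assumed to be Latin-1 here (the real implementation uses the OEM code page), and the word list is constructed.

```python
import struct

M32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M32


def _md4_block(state, block: bytes):
    """One MD4 compression (RFC 1320): three 16-step rounds over a 64-byte block."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                                   # round 1: F(x,y,z) = xy | ~x z
        f = (b & c) | (~b & d)
        a = _lrot((a + f + X[i]) & M32, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c                           # rotate registers: ABCD -> DABC
    for i in range(16):                                   # round 2: majority G
        k = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)[i]
        g = (b & c) | (b & d) | (c & d)
        a = _lrot((a + g + X[k] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 3: parity H
        k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
        h = b ^ c ^ d
        a = _lrot((a + h + X[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & M32 for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """Pure-Python MD4: pad to 56 mod 64, append the 64-bit little-endian bit length, compress."""
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Windows NT hash: MD4 over the UTF-16LE password. No salt, no iteration, case-sensitive."""
    return md4(password.encode("utf-16-le"))


def _des_key_from_7(k7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes; the low bit of each byte is the DES (odd) parity bit."""
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F
        byte = chunk << 1
        if bin(chunk).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def lm_des_keys(password: str):
    """The two DES keys LAN Manager derives (each then encrypts the constant "KGS!@#$%").

    Upper-casing and the split into independent 7-byte halves are what make
    the LM hash weak; a password of 7 characters or fewer leaves the second
    half all zeros, so its DES key (and hence its 8-byte hash half) is constant.
    Assumption for this example: password bytes are Latin-1.
    """
    pw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return _des_key_from_7(pw[:7]), _des_key_from_7(pw[7:])


def build_lookup(wordlist):
    """Precomputed hash -> password table; possible only because NT hashes are unsalted."""
    return {nt_hash(w): w for w in wordlist}


def crack(target: bytes, table: dict):
    """Constant-time lookup of a captured hash against the precomputed table."""
    return table.get(target)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("LM DES keys for 'secret':", [k.hex() for k in lm_des_keys("secret")])
    print(crack(nt_hash("letmein"), build_lookup(["123456", "letmein", "qwerty"])))
```

A DES key made only of parity bits, as produced for the empty second half, is why the well-known constant AAD3B435B51404EE appears as the second 8 bytes of every short password's LM hash; the same uppercasing makes "Password" and "PASSWORD" indistinguishable to LM while the NT hash keeps them apart.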

35 Encryption
- Assumes a secret key shared between client and server
- RC4 stream cipher encrypts the data traffic (MPPE)
- Key agreement is needed; options:
  - Diffie-Hellman key exchange
  - Generate the key deterministically from the LAN Manager hash value (NOT SECURE: the session key is then only as strong as the password hash, and the same password always yields the same key)

36 Summary of L2TP
L2TP is not secure without the support of IPsec

37 Next Class
Transport layer security

