Richard Henson University of Worcester November 2016


1 COMP3371 Cyber Security
Richard Henson, University of Worcester, November 2016

2 Week 6: Securing LAN data using Firewalls, VPNs, etc.
Objectives:
- Relate Internet security issues to the TCP/IP protocol stack
- Explain principles of firewalling
- Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
- Explain Internet security solutions that use the principles of a VPN

3 Security and the OSI layers
Simplified TCP/IP model:
- Levels 1/2/3 combined as network
- Levels 5/6/7 combined as application
[Diagram: application protocols HTTP, FTP, SMTP, NFS, DNS, SNMP over TCP and UDP, over IP (network)]

4 TCP/IP and the Seven Layers
- TCP (Transport Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers
  - the upper layers interface with TCP to produce the screen display
  - lower-layer packets are required to interface with the hardware to create/convert electrical signals
- Each layer represents a potential security vulnerability (!)
[Diagram: screen; application vulnerability; port vulnerability; TCP; IP; network vulnerability; hardware]

5 Intranet
- Misunderstood term
  - achieved by organisations using http to share data internally in a www-compatible format
  - Many still call a protected file structure on its own an Intranet... (technically incorrect!)
- uses secure user authentication
- uses a secure data transmission system
- Implemented as EITHER:
  - a single LAN (domain) with a web server (see diagram)
  - several interconnected LANs (trusted domains) covering a larger geographic area

6 Extranet
- An extension of the Intranet beyond the organisation boundary to cover selected trusted "links", e.g. customers and business partners
  - uses the public Internet as its transmission system
  - requires authentication to gain access
- Can provide secure TCP/IP access to:
  - paid research
  - current inventories
  - internal databases
  - any unpublished information

7 Securing Authentication through Extranets
- Connected Windows networks? Use Kerberos...? VPN?
- BUT... several TCP ports are used for authentication when establishing a session...
- Solution: firewall configuration allows the relevant ports to be opened only for "trusted" hosts

8 Issues in creating an Extranet
- Public networks...
  - Security handled through appropriate use of secure authentication & transmission technologies...
- If using the Internet...
  - client-server web applications across different sites
  - BUT security issues need resolving
  - Could use a VPN (Virtual Private Network)
- Private leased lines between sites
  - do not need to use http, etc.
  - more secure, but expensive (BALANCE)

9 Unsecured LAN-Internet Connection: Router Only
[Diagram: INTERNET/EXTERNAL NETWORK -> ROUTER (packet navigation, no filtering) -> Internal Network]

10 An Unsecured LAN-Internet Connection via Router
[Diagram: layers 1 to 3 on each side of the router; Layer 3 data passes through unchanged, routed by IP address tables]

11 Securing Sharing of Data through Extranets
- One solution: the Extranet client uses the web server & browser for user interaction
- secure level 7 (application layer) www protocols have been developed
  - https: ensures that pages are only available to authenticated users
  - SSH (secure shell): secure download of files
- secure level 4 (transport) protocol, TLS, to restrict IP navigation to secure sites only
- Relevant firewall ports should be opened:
  - Port 22 if SSH data
  - Port 443 if TCP data is sent using http-s (secure http)
  - Port 1723 if data is sent as packets using a VPN (later...)

12 The Internet generally uses IP - HOW can data be secured?
- 2016: more than a billion hosts!

13 Securing the Extranet
- Problem: the IP protocol sends packets off in different directions according to:
  - destination IP address
  - routing data
  - so packets can be intercepted/redirected
- What about penetration through other protocols, working at different OSI layers?
- A VPN controls the path of packets, routed through the IP addresses of secure servers

14 Other Secure level 7 protocols
- More about SSH
  - SSH, University of Helsinki, secure file transfer
  - uses TCP port 22
  - runs on a variety of platforms
- Enhanced version SSH-2, using the PKI including digital certificates
  - RFC 4252, recent (2006)

15 Creating a "Secure Site"?
- To put it bluntly... a LAN that provides formidable obstacles to potential hackers
  - keeps a physical barrier between the local server and the internet
  - linked through an intermediate computer called a Firewall or Proxy Server
- Restrictions on access
  - security provided by authentication between levels 4 & 7

16 Lower OSI layers security (Stage 1)
- Simple Firewall...
  - packet filtering by header IP address
    - fooled by "IP spoofing"
  - TCP port filtering: data associated with blocked ports is filtered out
    - the TCP port is also held in the packet header

17 Unsecured LAN-Internet Connection: Firewall
[Diagram: INTERNET/EXTERNAL NETWORK -> FIREWALL (packet filtering) -> Internal Network]

18 Firewall Configuration
- Firewall blocks data via the TCP port (logical)
  - used by each application protocol that connects to TCP
  - all ports blocked... no data gets through unless (lol!)...
- Configuration...
  - includes which ports to block as well as which IP addresses to block...
  - includes auditing of packets
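Slides 16 and 18 describe a simple firewall that filters on header IP address and TCP port, is fooled by IP spoofing, and audits packets. The following is an added example (not from the lecture) of such a stateless filter in Python: a default-deny rule table keyed on interface, source network, protocol and port, plus an anti-spoofing rule that drops Internet-side packets claiming an internal source, which is the standard answer to the spoofing weakness the slide notes. All address ranges, ports and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address ranges for the example (not from the slides).
INTERNAL = ip_network("192.168.10.0/24")      # the LAN behind the firewall
PARTNER = ip_network("203.0.113.0/24")        # a "trusted" host range allowed to use SSH
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "wan" (Internet side) or "lan"
    src: str      # source IP address from the packet header
    dst: str      # destination IP address from the packet header
    proto: str    # "tcp" or "udp"
    dport: int    # destination port, also held in the packet header

# Rule table, first match wins. Each rule: (iface, source network, proto, dport, action);
# None is a wildcard. Falling off the end means DROP: all ports blocked unless opened.
RULES = [
    # Anti-spoofing: traffic from the Internet must never claim an internal source address.
    ("wan", INTERNAL, None, None, "DROP"),
    ("wan", ANY, "tcp", 443, "ACCEPT"),        # https to the extranet web server
    ("wan", PARTNER, "tcp", 22, "ACCEPT"),     # SSH, only from the trusted partner range
    ("lan", INTERNAL, None, None, "ACCEPT"),   # LAN clients may go out
]

def filter_packet(pkt, rules=RULES):
    """Return (action, reason) for one packet header."""
    src = ip_address(pkt.src)
    for iface, net, proto, dport, action in rules:
        if iface != pkt.iface or src not in net:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, f"rule {iface} {net} {proto or 'any'}/{dport or 'any'}"
    return "DROP", "default deny"

def audit(packets):
    """Audit trail: one log line per packet with the decision and the rule that made it."""
    lines = []
    for p in packets:
        action, reason = filter_packet(p)
        lines.append(f"{p.iface} {p.src}->{p.dst}:{p.dport}/{p.proto} {action} ({reason})")
    return lines
```

Note that the anti-spoofing rule works only because the filter looks at the arrival interface as well as the header: a packet claiming an internal source is legitimate on the LAN side and bogus on the Internet side.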

19 An Unsecured LAN-Internet Connection via Firewall
- IP filtering slows down packet flow... may not be necessary? Risk?
- Also... a request by a LAN client for Internet data across a router reveals the client IP address
  - generally a desired effect.... the "local" IP address must be recorded on the remote server
  - the server picks up the required data & returns it via the router and server to the local IP address
  - problem: it could be intercepted, and future data to that IP address may not be so harmless...

20 An Unsecured LAN-Internet Connection via Router
- Another problem: wrath of IANA
  - the IP address awarding & controlling body
  - big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated...
- Safeguard: use DHCP (dynamic host configuration protocol)
  - allocate client IPs from within a fixed range allocated to that domain by IANA

21 A LAN-Internet connection via Gateway
[Diagram: INTERNET/EXTERNAL NETWORK (e.g. TCP/IP) -> GATEWAY (packet conversion) -> Internal Network (local protocol)]

22 A LAN-Internet connection via Gateway
- At a gateway, processing can be at higher OSI levels: >= level 4
  - Local packets converted into other formats...
  - the remote network does not have direct access to the local machine
  - IP packets are only recreated at the desktop
- local client IP addresses therefore do not need to comply with IANA allocations

23 A LAN-Internet connection via Proxy Server
[Diagram: INTERNET/EXTERNAL NETWORK (e.g. TCP/IP) -> Proxy Server (local IP addresses) -> Internal Network (local protocol)]

24 The Proxy Server
- Acts like a Gateway in some respects:
  - provides a physical block between external and internal networks
- But can still use the same protocol (e.g. TCP/IP), and can cache web pages for improved performance

25 VPNs (Virtual Private Networks)
- Two-pronged defence:
  - physically keeping the data away from unsecured servers...
    - several protocols are available for sending packets along a pre-defined route
  - data encapsulated and encrypted, so it appears to travel as if on a point-to-point link but is still secure even if intercepted
- Result: a secure system with pre-determined pathways for all packets

26 VPNs: OSI levels 1-3: restricted use of the Physical Internet
[Diagram: VPN shown in green]

27 Principles of VPN protocols
- The tunnel: where the private data is encapsulated (or "wrapped")
- The VPN connection interfaces: where the private data is encrypted before entering the tunnel (and vice versa on leaving it)

28 Principles of VPN protocols
- Emulate a point-to-point link: data encapsulated with a header
  - provides routing information
  - allows packets to traverse the shared public network to their endpoint
- Emulate a private link: data encrypted for confidentiality
  - Any packets intercepted on the shared public network are indecipherable without the encryption keys...
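The two principles of slides 27 and 28, encapsulation for routing and encryption for confidentiality, as an added Python example that is not from the lecture or any real VPN implementation. The cipher is a stand-in (an HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) chosen so the example runs on the standard library; real tunnels such as IPsec ESP use standardised cipher suites. Gateway addresses, SPI, keys and the inner packet are constructed values.

```python
import hashlib, hmac, os, struct

# Stand-in cipher: HMAC-SHA256 in counter mode gives a keystream; a second HMAC
# over the whole outer packet gives the integrity tag (encrypt-then-MAC).
def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def encapsulate(inner_pkt, enc_key, mac_key, spi, seq, gw_src, gw_dst):
    """Tunnel entry: outer header (gateway addresses, SPI, sequence number) for
    routing across the public network, followed by the encrypted inner packet."""
    outer_hdr = (gw_src.encode().ljust(16, b"\0") + gw_dst.encode().ljust(16, b"\0")
                 + struct.pack("!II", spi, seq))
    nonce = os.urandom(12)
    body = outer_hdr + nonce + _xor(inner_pkt, _keystream(enc_key, nonce, len(inner_pkt)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def decapsulate(packet, enc_key, mac_key, last_seq):
    """Tunnel exit: verify the tag, reject replays, then decrypt; returns (inner_pkt, seq)."""
    body, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")       # tampered in transit or wrong key
    spi, seq = struct.unpack("!II", body[32:40])
    if seq <= last_seq:
        raise ValueError("replayed packet")              # simplified anti-replay check
    nonce, ct = body[40:52], body[52:]
    return _xor(ct, _keystream(enc_key, nonce, len(ct))), seq

def visible_to_interceptor(packet):
    """What an observer on the shared public network can read: only the outer header,
    i.e. the tunnel endpoints, SPI and sequence number, never the inner addresses or data."""
    gw_src = packet[:16].rstrip(b"\0").decode()
    gw_dst = packet[16:32].rstrip(b"\0").decode()
    return gw_src, gw_dst, struct.unpack("!II", packet[32:40])
```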

29 Using a VPN as part of an Extranet

30 Using a VPN for point-to-point

31 Using a VPN to connect a remote computer to a Secured Network

32 Potential weakness of the VPN
- Once the data is encrypted and in the tunnel it is very secure
- BUT watch for gaps... if any part of that journey is outside the tunnel...
  - e.g. the network path to an outsourced VPN provider
  - scope for security breaches

33 VPN-related protocols offering even greater Internet security
- Two possibilities are available for creating a secure VPN:
  - Layer 3: IPsec, a fixed point routing protocol
  - Layer 2 "tunnelling" protocols, which encapsulate the data within other data before converting it to binary data:
    - PPTP (Point-to-point tunnelling protocol)
    - L2TP (Layer 2 tunnelling protocol)

34 IPsec
- First VPN system defined by the IETF: RFC 2401
- uses ESP (encapsulating security protocol) at the IP packet level
- IPsec provides security services at the IP layer by:
  - enabling a system to select the required security protocols (ESP is possible with a number of encryption protocols)
  - determining the algorithm(s) to use for the chosen service(s)
  - putting in place any cryptographic keys required to provide the requested services

35 More about IPSec in practice
- Depends on PKI for authentication
- both ends must be IPSec compliant, but not the various network systems that may be between them...
- Can therefore be used to protect paths between:
  - a pair of hosts
  - a pair of security gateways
  - a security gateway and a host
- Can work with IPv4 and IPv6

36 Layer 2 Security: PPTP, L2TP
- Microsoft: PPTP
- CISCO: L2F (layer 2 forwarding)
- Combined to create L2TP; IPSec optional
- Advantages of L2TP:
  - can use PPP authentication and access controls (PAP and CHAP!)
  - uses NCP to handle remote address assignment of the remote client
  - no IPSec, so no overhead of reliance on PKI

