Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall 2010 2.

Published byAlberta Evans Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall 2010 2."— Presentation transcript:

1 Securing Insecure Networks SSL/TLS & IPSec

2 4-1: Cryptographic System Copyright Pearson Prentice-Hall 2010 2

3 Cryptographic System Standards  Transmission across Un-trusted Networks  Internet, Wireless LAN’s, etc.  Companies will (should) apply Cryptographic Systems  Virtual Private Network (VPN)  SSL/TLS  Secure Socket Layer/Transport Layer Security  Non-Transparent, doesn’t automatically protect application messages.  Only messages from applications that are SSL/TSL aware  Web Browsers/Web Servers; Many email  But there’s a problem But there’s a problem  IPsec  Operates on the Internet layer  Everything in IP packet data file is protected  Transparent protection – applications and transport layer are protected (see Module A) Copyright Pearson Prentice-Hall 2010 3 LayerHybrid TCP/IP-OSI Application InternetTransport (TCP, UDP) IP Single NetworkData Link Physical

4 4-2: Virtual Private Networks (VPNs) Copyright Pearson Prentice-Hall 2010 4

5 Host-to-Host VPNs  Connect one Client to one Server Copyright Pearson Prentice-Hall 2010 5

6 4-3: Host-to-Host SSL/TLS VPN Copyright Pearson Prentice-Hall 2010 6

7 Remote Access VPNs  Connects a single Client to a Network  Connection is to a VPN Gateway  Used for Authentication and Access Control  Depending on Access Authorization connection can be to multiple computers on the network.  Uses SSL/TSL between Browser and Gateway  The Gateway is a WebServer to SSL/TSL  SSL/TSL protects messages between client and Gateway  Gateway authenticates with the client via Public Key Authentication Copyright Pearson Prentice-Hall 2010 7

8 Types of Remote Access Connections  Web server  Database server  Gateway translates browser requests to Queries to database  Gateway translates database response to web pages “webifies”  Router  Connection to subnet of network Copyright Pearson Prentice-Hall 2010 8

9 4-5: SSL/TLS and Remote Access VPN Using a Gateway Copyright Pearson Prentice-Hall 2010 9

10 4-4: SSL/TLS Handshaking Phase Copyright Pearson Prentice-Hall 2010 10 StepSenderName of Message Semantics (Meaning) 1ClientClient HelloClient requests secure connection. Client lists cipher suites it supports. 2ServerServer HelloServer indicates willingness to proceed. Selects a cipher suite to use in the session. 3ServerCertificateServer sends its digital certificate containing its public key. (Client should check the certificate’s validity.) 4ServerServerHelloDoneServer indicates that its part in the initial introduction is finished. Stage 1 Stage 2 & 3 ???

11 4-4: SSL/TLS Handshaking Phase Copyright Pearson Prentice-Hall 2010 11 StepSenderName of Message Semantics (Meaning) 5ClientClientKey Exchange Client generates a random symmetric session key. Encrypts it with the server’s public key. It sends this encrypted key to the server. Only the server can decrypt the key, using the server’s own private key. The server decrypts the session key. Both sides now have the session key. 6ClientChangeCipher Spec* Client changes selected cipher suite from pending to active. 7ClientFinishClient indicates that its part in the initial introduction is finished. *Not cipher suite. Key Exchange using public key encryption for confidentiality Key Exchange using public key encryption for confidentiality Stage 2 & 3

12 4-4: SSL/TLS Handshaking Phase Copyright Pearson Prentice-Hall 2010 12 StepSenderName of MessageSemantics (Meaning) 8ServerChangeCipherSpec*Server changes selected cipher suite from pending to active. 9ServerFinishServer indicates that its role in selecting options is finished. 10Ongoing communication stage begins *Not cipher suite.

13 Copyright Pearson Prentice-Hall 201013

14 Site-to-Site VPNs  Protects all traffic between two sites  VPN Gateway on both ends of transmission  VPN Gateway’s encrypt/decrypt messages Copyright Pearson Prentice-Hall 2010 14

15 IPsec Modes  Transport (Host-to-Host)  Protects messages from host-to-host  Over the internet and Internet  Requires installing IPsec on each client/server (not built into browser)  Costly  Eliminates ability of Firewall to filter content as it is encrypted  Tunnel (Site-to-Site)  Protects messages between VPN Gateways over the Internet  Less Costly than Transport  Firewall can filter content Copyright Pearson Prentice-Hall 2010 15

16 IPsec Operation: Transport Mode Copyright Pearson Prentice-Hall 2010 16 1. End-to-End Security (Good) 1. End-to-End Security (Good) 2. Security in Site Network (Good) 2. Security in Site Network (Good) 3. Setup Cost On Each Host (Costly) 3. Setup Cost On Each Host (Costly)

17 IPsec Operation: Tunnel Mode Copyright Pearson Prentice-Hall 2010 17 2. No Security in Site Network (Bad) 2. No Security in Site Network (Bad) 3. No Setup Cost On Each Host (Good) 3. No Setup Cost On Each Host (Good)

18 4-8: Comparing IPsec Transport and Tunnel Modes Copyright Pearson Prentice-Hall 2010 18 CharacteristicTransport ModeTunnel Mode Uses an IPsec VPN Gateway? NoYes Cryptographic Protection All the way from the source host to the destination host, including the Internet and the two site networks. Only over the Internet between the IPsec gateways. Not within the two site networks. Setup CostsHigh. Setup requires the creation of a digital certificate for each client and significant configuration work. Low. Only the IPsec gateways must implement IPsec, so only they need digital certificates and need to be configured.

19 4-8: Comparing IPsec Transport and Tunnel Modes Copyright Pearson Prentice-Hall 2010 19 CharacteristicTransport ModeTunnel Mode Firewall FriendlinessBad. A firewall at the border to a site cannot filter packets because the content is encrypted. Good. Each packet is decrypted by the IPsec gateway. A border firewall after the IPsec gateway can filter the decrypted packet. The “Bottom Line”End-to-end security at high cost. Low cost and protects the packet over the most dangerous part of its journey.

20 4-6: IP Security (IPsec) versus SSL/TLS Copyright Pearson Prentice-Hall 2010 20 SSL/TLSIPsec Cryptographic security standardYes Cryptographic security protectionsGoodGold Standard Supports central managementNoYes Complexity and expenseLowerHigher Layer of operationTransportInternet Transparently protects all higher-layer traffic NoYes Works with IPv4 and IPv6NAYes Modes of operationNATransport, Tunnel

21 4-9: IPsec Security Associations Copyright Pearson Prentice-Hall 2010 21 Kind of like a cipher suite

Download ppt "Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall 2010 2."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Final Presentation Topics 1) Firewalls 1) Firewalls 2) Virtual Private Networks 2) Virtual Private Networks 3) Secure Socket Layer 3) Secure Socket Layer.

Final Presentation Topics 1) Firewalls 1) Firewalls 2) Virtual Private Networks 2) Virtual Private Networks 3) Secure Socket Layer 3) Secure Socket Layer.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Virtual Private Networks and IPSec

Virtual Private Networks and IPSec
Lecture 22 Internet Security Protocols and Standards

Lecture 22 Internet Security Protocols and Standards

Similar presentations

Ads by Google