This document provides an overview of several internet security protocols: - IPSec is a collection of protocols that provide security at the network level by using two modes (transport and tunnel) and two security protocols. It is designed by IETF. - SSL/TLS provides security at the transport layer and are the dominant protocols, with TLS being an IETF version of SSL. They use cryptography to establish secure sessions. - PGP provides security at the application layer to create encrypted and authenticated emails. It uses public-key cryptography and key rings to establish trust between parties. - Firewalls are devices that control access to a system by filtering packets between the internal network and the internet, using either packet-filter

1. 32.1
Chapter 32
Security in the Internet:
IPSec, SSL/TLS, PGP,
VPN, and Firewalls
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

2. 32.2
Figure 32.1 Common structure of three security protocols

3. 32.3
32-1 IPSecurity (IPSec)32-1 IPSecurity (IPSec)
IPSecurity (IPSec) is a collection of protocols designedIPSecurity (IPSec) is a collection of protocols designed
by the Internet Engineering Task Force (IETF) toby the Internet Engineering Task Force (IETF) to
provide security for a packet at the network level.provide security for a packet at the network level.
Two Modes
Two Security Protocols
Security Association
Internet Key Exchange (IKE)
Virtual Private Network
Topics discussed in this section:Topics discussed in this section:

4. 32.4
Figure 32.2 TCP/IP protocol suite and IPSec

5. 32.5
Figure 32.3 Transport mode and tunnel modes of IPSec protocol

6. 32.6
IPSec in the transport mode does not
protect the IP header; it only protects
the information coming from the
transport layer.
Note

7. 32.7
Figure 32.4 Transport mode in action

8. 32.8
Figure 32.5 Tunnel mode in action

9. 32.9
IPSec in tunnel mode protects the
original IP header.
Note

10. 32.10
Figure 32.6 Authentication Header (AH) Protocol in transport mode

11. 32.11
The AH Protocol provides source
authentication and data integrity,
but not privacy.
Note

12. 32.12
Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode

13. 32.13
ESP provides source authentication,
data integrity, and privacy.
Note

14. 32.14
Table 32.1 IPSec services

15. 32.15
Figure 32.8 Simple inbound and outbound security associations

16. 32.16
IKE creates SAs for IPSec.
Note

17. 32.17
Figure 32.9 IKE components

18. 32.18
Table 32.2 Addresses for private networks

19. 32.19
Figure 32.10 Private network

20. 32.20
Figure 32.11 Hybrid network

21. 32.21
Figure 32.12 Virtual private network

22. 32.22
Figure 32.13 Addressing in a VPN

23. 32.23
32-2 SSL/TLS32-2 SSL/TLS
Two protocols are dominant today for providingTwo protocols are dominant today for providing
security at the transport layer: the Secure Socketssecurity at the transport layer: the Secure Sockets
Layer (SSL) Protocol and the Transport LayerLayer (SSL) Protocol and the Transport Layer
Security (TLS) Protocol. The latter is actually anSecurity (TLS) Protocol. The latter is actually an
IETF version of the former.IETF version of the former.
SSL Services
Security Parameters
Sessions and Connections
Four Protocols
Transport Layer Security
Topics discussed in this section:Topics discussed in this section:

24. 32.24
Figure 32.14 Location of SSL and TLS in the Internet model

25. 32.25
Table 32.3 SSL cipher suite list

26. 32.26
Table 32.3 SSL cipher suite list (continued)

27. 32.27
The client and the server have six
different cryptography secrets.
Note

28. 32.28
Figure 32.15 Creation of cryptographic secrets in SSL

29. 32.29
Figure 32.16 Four SSL protocols

30. 32.30
Figure 32.17 Handshake Protocol

31. 32.31
Figure 32.18 Processing done by the Record Protocol

32. 32.32
32-3 PGP32-3 PGP
One of the protocols to provide security at theOne of the protocols to provide security at the
application layer is Pretty Good Privacy (PGP). PGP isapplication layer is Pretty Good Privacy (PGP). PGP is
designed to create authenticated and confidentialdesigned to create authenticated and confidential
e-mails.e-mails.
Security Parameters
Services
A Scenario
PGP Algorithms
Key Rings
PGP Certificates
Topics discussed in this section:Topics discussed in this section:

33. 32.33
Figure 32.19 Position of PGP in the TCP/IP protocol suite

34. 32.34
In PGP, the sender of the message
needs to include the identifiers of the
algorithms used in the message as well
as the values of the keys.
Note

35. 32.35
Figure 32.20 A scenario in which an e-mail message is
authenticated and encrypted

36. 32.36
Table 32.4 PGP Algorithms

37. 32.37
Figure 32.21 Rings

38. 32.38
In PGP, there can be multiple paths from
fully or partially trusted authorities to
any subject.
Note

39. 32.39
32-4 FIREWALLS32-4 FIREWALLS
All previous security measures cannot prevent EveAll previous security measures cannot prevent Eve
from sending a harmful message to a system. Tofrom sending a harmful message to a system. To
control access to a system, we need firewalls. Acontrol access to a system, we need firewalls. A
firewall is a device installed between the internalfirewall is a device installed between the internal
network of an organization and the rest of thenetwork of an organization and the rest of the
Internet. It is designed to forward some packets andInternet. It is designed to forward some packets and
filter (not forward) others.filter (not forward) others.
Packet-Filter Firewall
Proxy Firewall
Topics discussed in this section:Topics discussed in this section:

40. 32.40
Figure 32.22 Firewall

41. 32.41
Figure 32.23 Packet-filter firewall

42. 32.42
A packet-filter firewall filters at the
network or transport layer.
Note

43. 32.43
Figure 32.24 Proxy firewall

44. 32.44
A proxy firewall filters at the
application layer.
Note