Security Concept 
Part-3 
Mr. Gopal Sakarkar
What is a Firewall?
• A choke point of control and monitoring.
• Interconnects networks with differing levels of trust.
• Imposes restrictions on network services:
– only authorized traffic is allowed.
• Audits and controls access:
– can implement alarms for abnormal behavior.
• Can implement VPNs using IPSec.
• Must itself be immune to penetration.
Firewall Design Principles
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals.
• LANs interconnecting PCs and terminals to each other and to the mainframe.
• Premises network consisting of a number of LANs, interconnecting PCs and servers.
• Enterprise-wide network consisting of multiple, geographically distributed premises networks interconnected by a private WAN.
Characteristics of a Firewall
• All traffic from inside to outside, and vice versa, must pass through the firewall.
• Only authorized traffic, as defined by the local security policy, will be allowed to pass.
• The firewall itself is immune to penetration.
Firewall Techniques for Controlling Access
• Service control: the firewall may filter traffic on the basis of IP address. It determines the types of Internet services that can be accessed, inbound or outbound.
• Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
• User control: controls access to a service according to which user is attempting to access it. It is typically applied to local users only.
• Behavior control: controls how particular services are used. The firewall may filter e-mail to eliminate spam, or it may enable external access to only a specific portion of the information.
Firewall Limitations
• Cannot protect from attacks that bypass it.
• Cannot protect against internal threats:
– e.g. unhappy or planted employees.
• Cannot protect against the transfer of all virus-infected programs or files:
– because of the huge range of operating systems and file types.
Types of Firewalls
1. Packet filtering router
2. Application-level gateways
3. Circuit-level gateways
Firewalls – 1. Packet Filters
• The simplest and fastest firewall component.
• It applies a set of rules to each incoming and outgoing IP packet.
• Each IP packet is examined and permitted or denied according to the rules.
• Filtering rules are based on:
1. Source IP address: the IP address of the system that originated the IP packet.
2. Destination IP address: the IP address of the system that the IP packet is trying to reach.
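As an added example (not code from the original slides), the following stateless packet filter applies an ordered rule list to each packet, matching on source and destination address, protocol, port and direction, with first match wins and an explicit default deny; the site prefix 203.0.113.0/24 and the mail host are constructed values.

```python
"""Stateless packet filter: ordered rules, first match wins, default deny.
Constructed example; the addresses and rule set are invented for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str               # source IP address
    dst: str               # destination IP address
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination port (None for icmp)
    direction: str         # "in" (outside -> inside) or "out" (inside -> outside)

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str               # "in", "out" or "any"   (direction control)
    src: str                     # CIDR prefix, e.g. "0.0.0.0/0"
    dst: str                     # CIDR prefix
    proto: str                   # "tcp", "udp", "icmp" or "any"   (service control)
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

# Constructed policy for a site using 203.0.113.0/24 with a mail server at .25:
RULES = [
    Rule("permit", "in",  "0.0.0.0/0",      "203.0.113.25/32", "tcp", 25),   # inbound SMTP, mail host only
    Rule("permit", "out", "203.0.113.0/24", "0.0.0.0/0",       "tcp", 80),   # outbound HTTP
    Rule("permit", "out", "203.0.113.0/24", "0.0.0.0/0",       "tcp", 443),  # outbound HTTPS
    Rule("deny",   "any", "0.0.0.0/0",      "0.0.0.0/0",       "any"),       # explicit default deny
]

AUDIT = []   # (packet, index of matching rule or None, decision) for auditing

def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return "permit" or "deny" for pkt; the first matching rule decides."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            AUDIT.append((pkt, i, rule.action))
            return rule.action
    AUDIT.append((pkt, None, "deny"))   # implicit default deny if nothing matched
    return "deny"
```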
Firewalls – 2. Application-Level Gateway (or Proxy)
• Has an application-specific gateway, also called a proxy server.
• Has full access to the protocol:
– the user requests a service from the proxy;
– the proxy validates the request as legal;
– it then actions the request and returns the result to the user;
– it can log and audit traffic at the application level.
• Needs a separate proxy for each service:
– some services naturally support proxying.
• E.g. a feedback application, an online examination application, an MIS, etc.
Firewalls – 2. Application Level 
Gateway (or Proxy) 
Application-level gateways tend to be more secure than packet filters because they scrutinize only a few allowable applications.
Firewalls – 3.Circuit Level 
Gateway 
• This can be a stand-alone system.
• Imposes security by limiting which such connections are allowed.
• Once a connection is created, it usually relays traffic without examining the contents.
• Typically used by trusted internal users for allowing general outbound connections.
Firewalls – 3.Circuit Level 
Gateway 
It sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
Data Access Control 
• Through the user access control procedure 
(log on), a user can be identified to the system 
• There can be a profile that specifies 
permissible operations and file accesses 
• The operating system can enforce rules based 
on the user profile. 
Data Access Control 
• General models of access control: 
– Access matrix 
– Access control list 
– Capability list 
Data Access Control 
• Access Matrix
Data Access Control
• Access Matrix: basic elements of the model
– Subject: an entity capable of accessing objects; the concept of a subject is associated with that of a process (e.g. application software).
– Object: anything to which access is controlled (e.g. files, programs).
– Access right: the way in which an object is accessed by a subject (e.g. read, write, execute).
Data Access Control
• Access Control List: decomposition of the matrix by columns.
• One process, many programs. E.g. a CD writer is one process in which writing is one program and verification of the written data is a second program.
Data Access Control
• Access Control List
– An access control list lists users and their permitted access rights.
– The list may contain a default or public entry.
Data Access Control
• Capability list: decomposition of the matrix by rows.
– A capability list specifies the authorized objects and operations for a user.
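To make the two decompositions concrete, here is an added example (not from the slides) that builds a constructed access matrix, derives the per-object access control lists (columns) and per-subject capability lists (rows), and checks that both views give the same answer, including an ACL default/public entry.

```python
"""Access matrix and its two decompositions: access control lists (by column) and
capability lists (by row). Constructed example; not the lecture's own code."""
from collections import defaultdict

# Constructed access matrix: subject -> object -> set of access rights.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"execute"}},
    "carol": {"payroll.db": {"read"}},
}
PUBLIC = "*"   # pseudo-subject used for an ACL's default/public entry

def to_acls(matrix):
    """Column decomposition: one list per object, naming each subject and its rights."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)

def to_capability_lists(matrix):
    """Row decomposition: one list per subject, naming each object and the permitted operations."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}

def acl_allows(acls, subject, obj, right):
    """Check the object's ACL; a subject with no entry of its own falls back to the public entry."""
    entries = acls.get(obj, {})
    rights = entries.get(subject, entries.get(PUBLIC, set()))
    return right in rights

def capability_allows(caps, subject, obj, right):
    """Check the subject's capability list (capabilities are per subject; no public entry)."""
    return right in caps.get(subject, {}).get(obj, set())

def views_agree(matrix):
    """Both decompositions of the same matrix must answer every (subject, object, right) query identically."""
    acls, caps = to_acls(matrix), to_capability_lists(matrix)
    subjects = list(matrix)
    objects = {obj for row in matrix.values() for obj in row}
    return all(acl_allows(acls, s, o, r) == capability_allows(caps, s, o, r)
               for s in subjects for o in objects for r in ("read", "write", "execute"))
```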
Trusted Systems
• Trusted Systems
– Protection of data and resources on the basis of levels of security (e.g. military).
– In the military, information is categorized as unclassified, confidential, secret or top secret.
– Users can be granted clearances to access certain categories of data.
Trusted Systems
• Multilevel security
– A subject at a high level may not convey information to a subject at a lower level.
• A multilevel secure system must enforce:
– No read up: a subject can only read an object of lower or equal security level (Simple Security Property).
– No write down: a subject can only write into an object of greater or equal security level (*-Property).
Trusted Systems 
• Reference Monitor Concept: Multilevel 
security for a data processing system 
The Concept of 
Trusted Systems 
• Reference Monitor
– The controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters.
– The reference monitor has access to a file (the security kernel database).
– The monitor enforces the security rules (no read up, no write down).
Trusted Systems 
• Properties of the Reference Monitor
– Complete mediation: the security rules are enforced on every access.
– Isolation: the reference monitor and its database are protected from unauthorized modification.
– Verifiability: the reference monitor's correctness must be provable (mathematically), i.e. it must be possible to demonstrate mathematically that the reference monitor enforces the security rules and provides complete mediation and isolation.
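An added example (not from the slides) of a reference monitor in code: it consults a security kernel database of clearances and classifications, decides every read and write by the two multilevel rules above, logs each decision, and shows why the two rules together stop a subject relaying information from a higher-level object to a lower-level one. The clearances and objects are constructed.

```python
"""Reference monitor enforcing multilevel security (no read up, no write down) on every access.
Constructed example; not the lecture's own code."""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

class SecurityKernelDB:
    """Security kernel database: subject clearances and object classifications."""
    def __init__(self, clearances, classifications):
        self.clearances = dict(clearances)
        self.classifications = dict(classifications)

class ReferenceMonitor:
    def __init__(self, db):
        self.db = db
        self.audit = []   # complete mediation: every decision passes through access() and is logged

    def _decide(self, subject, obj, op):
        if subject not in self.db.clearances or obj not in self.db.classifications:
            return False          # unknown subject or object: deny by default
        s = LEVELS[self.db.clearances[subject]]
        o = LEVELS[self.db.classifications[obj]]
        if op == "read":
            return s >= o         # simple security property: read only at or below own level
        if op == "write":
            return o >= s         # *-property: write only at or above own level
        return False              # unknown operation

    def access(self, subject, obj, op):
        allowed = self._decide(subject, obj, op)
        self.audit.append((subject, obj, op, "allow" if allowed else "deny"))
        return allowed

    def can_relay(self, subject, src_obj, dst_obj):
        """Could this subject carry information from src_obj to dst_obj (read src, then write dst)?
        With both rules enforced this succeeds only when dst is classified at or above src."""
        return self.access(subject, src_obj, "read") and self.access(subject, dst_obj, "write")

def demo_monitor():
    """Constructed database: one secret-cleared analyst, one unclassified clerk, four objects."""
    db = SecurityKernelDB(
        clearances={"analyst": "secret", "clerk": "unclassified"},
        classifications={"war_plan": "top secret", "briefing": "secret",
                         "memo": "confidential", "bulletin": "unclassified"},
    )
    return ReferenceMonitor(db)
```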
Trusted Systems 
• A system that can provide such verifications 
(properties) is referred to as a trusted system 
Summary
• Data access control is used to control the procedure by which a user can be identified to the system.
• A trusted system is a computer and operating system that can be verified to implement a given security policy.
Outline 
• IP Security Overview 
• IP Security Architecture 
• Authentication Header 
• Encapsulating Security Payload 
• Combinations of Security Associations 
• Key Management 
IP Security Overview 
IPSec is not a single protocol. Instead, 
IPSec provides a set of security 
algorithms plus a general framework 
that allows a pair of communicating 
entities to use whichever algorithms 
provide security appropriate for the 
communication. 
IP Security Overview
• Applications of IPSec
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security
IP Security Scenario 
IP Security Overview
• Benefits of IPSec
– When IPSec is implemented in a firewall, it provides strong security that can be applied to all traffic crossing the perimeter.
– IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP.
– IPSec can be transparent to end users; there is no need to train users on security mechanisms.
– IPSec can provide security for individual users if needed.
IP Security Architecture 
IPSec Architecture Overview
• Architecture: covers the general concepts, security requirements, definitions and mechanisms defining IPSec technology.
• Encapsulating Security Payload (ESP): covers the packet format and general issues related to the use of ESP.
• Authentication Header (AH): covers the packet format and general issues related to the use of AH for packet authentication.
• Key management: a set of documents that describe how various authentication algorithms are used for AH.
• Domain of Interpretation (DOI): contains the values needed for the other documents to relate to each other.
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Security Associations (SA)
• An SA is a one-way relationship between a sender and a receiver that provides security services to the traffic carried on it.
• Identified by three parameters:
– Security Parameter Index (SPI)
– Destination IP address
– Security Protocol Identifier: indicates whether the association is an AH or an ESP security association.
• The SPI is an identification tag added to the header while using IPsec for tunnelling the IP traffic. This tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use.
Authentication Header
• Provides support for data integrity and authentication (a MAC code) of IP packets.
• Guards against replay attacks.
What are replay attacks?
• Replay attacks are network attacks in which an attacker spies on the conversation between the sender and receiver, captures the authenticated information (e.g. a shared key) and then contacts the receiver with that key. In a replay attack the attacker thereby presents proof of identity and authenticity.
Example:
Suppose that in the communication between two parties A and B, A is sending his key to B to prove his identity, but in the meanwhile attacker C eavesdrops on the conversation between them and keeps the information needed to prove that identity to B. Later C contacts B and proves its authenticity.
Authentication Header
• Next header (8 bits): identifies the type of header immediately following this header.
• Payload length (8 bits): the length of the Authentication Header in 32-bit words, minus 2.
• Reserved (16 bits): for future use.
• Security Parameter Index (SPI) (32 bits): identifies a security association.
• Sequence Number (32 bits): a monotonically increasing counter value.
• Authentication data (variable): a variable-length field that contains the Integrity Check Value.
End-to-end VS End-to-Intermediate 
Authentication 
Encapsulating Security Payload
• ESP provides confidentiality services.
• ESP provides confidentiality of message contents.
• ESP provides limited traffic flow confidentiality.
Encapsulating Security Payload 
• Designed to provide both confidentiality 
and integrity protection 
• Everything after the IP header is encrypted 
• The ESP header is inserted after the IP 
header 
Encryption and Authentication 
Algorithms 
• Encryption: 
– Three-key triple DES 
– RC5 
– IDEA 
– Three-key triple IDEA 
– CAST 
– Blowfish 
• Authentication: 
– HMAC-MD5-96 
– HMAC-SHA-1-96
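The following added example (not the lecture's code) ties together the AH field layout, the SA lookup by (SPI, destination address, protocol), the HMAC-SHA-1-96 authentication algorithm listed above, and the replay protection that the sequence number provides: it builds an AH header with a 12-byte ICV, parses it back (payload length 4 means a 6-word, 24-byte header), verifies the ICV and rejects replayed sequence numbers with a sliding window. The key, SPI and addresses are constructed; the ICV here covers only the AH header and payload, a simplification of real AH, which also covers the immutable outer IP header fields.

```python
"""IPsec AH with HMAC-SHA-1-96 and a sliding anti-replay window, with SA lookup by
(SPI, destination address, protocol). Constructed example, not the lecture's code.
Simplification: the ICV covers only the AH header (ICV zeroed) plus the payload."""
import hashlib
import hmac
import struct

AH_FIXED = struct.Struct("!BBHII")   # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 12                         # HMAC-SHA-1-96: SHA-1 HMAC truncated to 96 bits

class SecurityAssociation:
    """One-way SA. The receiving side keeps the anti-replay state."""
    def __init__(self, spi, dst, key, window=64):
        self.spi, self.dst, self.key, self.protocol = spi, dst, key, "AH"
        self.window = window
        self.highest_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0        # bit i set  =>  sequence number (highest_seq - i) already received

    def icv(self, ah_fixed, payload):
        """Integrity Check Value over the header with a zeroed ICV field, then the payload."""
        mac = hmac.new(self.key, ah_fixed + bytes(ICV_LEN) + payload, hashlib.sha1)
        return mac.digest()[:ICV_LEN]

    def check_replay(self, seq):
        """Accept each sequence number once; reject 0, duplicates and numbers older than the window."""
        if seq == 0:
            return False
        if seq > self.highest_seq:                       # advance the window to the new maximum
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window or (self.bitmap >> diff) & 1:
            return False                                 # too old, or already seen: a replay
        self.bitmap |= 1 << diff
        return True

SAD = {}   # Security Association Database keyed by the three identifying parameters

def add_sa(sa):
    SAD[(sa.spi, sa.dst, sa.protocol)] = sa

def build_ah(sa, next_header, seq, payload):
    words = (AH_FIXED.size + ICV_LEN) // 4    # 12 fixed bytes + 12 ICV bytes = 6 words
    payload_len = words - 2                    # field holds header length in 32-bit words minus 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, sa.spi, seq)
    return fixed + sa.icv(fixed, payload)

def parse_ah(data):
    nh, plen, _reserved, spi, seq = AH_FIXED.unpack_from(data)
    hdr_len = (plen + 2) * 4
    return {"next_header": nh, "payload_len": plen, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED.size:hdr_len], "hdr_len": hdr_len}

def receive(dst, ah_bytes, payload):
    """Receiver processing: SA lookup, ICV check, then the anti-replay check."""
    f = parse_ah(ah_bytes)
    sa = SAD.get((f["spi"], dst, "AH"))
    if sa is None:
        return "no SA"
    if not hmac.compare_digest(sa.icv(ah_bytes[:AH_FIXED.size], payload), f["icv"]):
        return "bad ICV"
    if not sa.check_replay(f["seq"]):
        return "replay"
    return "ok"
```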
TCP/IP Example 
Basics: OSI 7-Layer RM
Congratulations on the papers selected for the National Conference, Pune
IPv4 Header 
IPv4 Header
• Internet Protocol version 4 (IPv4) is the fourth version in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed.
• It is one of the core protocols of standards-based internetworking methods of the Internet, and routes most traffic in the Internet.
• IPv4 is a connectionless protocol for use on packet-switched networks.
• A connectionless protocol describes communication between two network end points where a message is sent from one end point to another without a prior arrangement.
• At one end, the device transmits data to the other before ensuring that the device on the other end is ready.
IPv4 Header Fields
• Version: IP version
– 4 for IPv4
– 6 for IPv6
• HLen: header length
– in 32-bit words
• TOS: type of service
– priority information
• Length: packet length
– in bytes (including the header)
• The header format can change with versions
– the first byte identifies the version
– IPv6 headers are very different (see later)
• The Length field limits packets to 65,535 bytes
– in practice, break into much smaller packets for network performance considerations

Header layout (bit offsets along the top):

 0        4        8              16    19             24              31
 | version | HLen  |     TOS      |              Length                  |
 |          Identifier            |Flags|            Offset              |
 |      TTL      |    Protocol    |             Checksum                 |
 |                          Source Address                               |
 |                       Destination Address                             |
 |                        Options (if any)                               |
 |                             Data                                      |
IPv4 Header Fields
• Identifier, Flags, Fragment Offset: used primarily for fragmentation
• Time to live (TTL)
– must be decremented at each router
– packets with TTL = 0 are thrown away
– ensures packets eventually exit the network
• Protocol
– demultiplexing to higher-layer protocols
– TCP = 6, ICMP = 1, UDP = 17, ...
• Header checksum
– ensures some degree of header integrity
– relatively weak: only 16 bits
• Options
– e.g. source routing, record route, etc.
– performance issues at routers
– poorly supported, or not at all
IPv4 Header Fields
• Source Address
– 32-bit IP address of the sender
• Destination Address
– 32-bit IP address of the destination
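As an added example (not from the slides), this parser unpacks the IPv4 header fields described above and verifies the 16-bit ones'-complement header checksum; it also shows why that checksum is "relatively weak": a single flipped bit in the TTL is caught, but swapping two 16-bit words of the header (Identifier with TTL/Protocol) leaves the checksum valid. Addresses in the test are constructed documentation addresses.

```python
"""IPv4 header parsing and checksum verification. Constructed example, not the lecture's code."""
import struct

IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")   # 20-byte fixed header

def ip_checksum(data: bytes) -> int:
    """Ones'-complement of the ones'-complement sum of 16-bit words (odd length padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < IPV4_FIXED.size:
        raise ValueError("truncated header")
    (ver_ihl, tos, length, ident, flags_off, ttl,
     proto, csum, src, dst) = IPV4_FIXED.unpack_from(pkt)
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F   # first byte: version (high nibble), HLen in 32-bit words
    if version != 4:
        raise ValueError("not IPv4")
    hlen = ihl * 4
    if hlen < 20 or hlen > len(pkt):
        raise ValueError("bad header length")
    return {
        "version": version, "hlen": hlen, "tos": tos, "length": length,
        "id": ident, "flags": flags_off >> 13, "frag_offset": flags_off & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": pkt[20:hlen],
        # summing the whole header, checksum field included, gives 0 when the header is intact
        "checksum_ok": ip_checksum(pkt[:hlen]) == 0,
    }

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 1) -> bytes:
    """Build a minimal (no options) IPv4 packet with a correct header checksum; DF flag set."""
    header = IPV4_FIXED.pack(0x45, 0, IPV4_FIXED.size + len(payload), ident, 0x4000, ttl, proto, 0,
                             bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    csum = ip_checksum(header)               # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload
```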
Why IPv6?
• Deficiencies of IPv4
• Address space exhaustion
• New types of service to integrate:
– Multicast
– Quality of Service
– Security
– Mobility (MIPv6)
• Header and format limitations
Advantages of IPv6 over IPv4 
• Larger address space 
• Better header format 
• New options 
• Allowance for extension 
• Support for resource allocation 
• Support for more security 
• Support for mobility
IPv6 Header
• Avoids checksum redundancy: the IPv6 header carries no checksum of its own.
• Fragmentation is performed only end-to-end.
The following list describes the function of each header field. 
• Version – 4-bit Version number of Internet Protocol = 6. 
• Traffic Class – 8-bit traffic class field. 
• Flow Label – 20-bit field. 
• Payload Length – 16-bit unsigned integer, which is the rest of the packet 
that follows the IPv6 header, in octets. 
• Next Header – 8-bit selector. Identifies the type of header that immediately 
follows the IPv6 header. Uses the same values as the IPv4 protocol field. 
• Hop Limit – 8-bit unsigned integer. Decremented by one by each node that 
forwards the packet. The packet is discarded if Hop Limit is decremented to 
zero. 
• Source Address – 128 bits. The address of the initial sender of the packet. 
• Destination Address – 128 bits. The address of the intended recipient of 
the packet. The intended recipient is not necessarily the recipient if an 
optional Routing Header is present. 
Video OSI-7 Layer
Video Lectures
• Complete working of the Internet
• OSI Model with packets, IPs, firewalls, etc.
WEB Security 
Outline 
• Web Security Considerations 
• Secure Socket Layer (SSL) and Transport 
Layer Security (TLS) 
• Secure Electronic Transaction (SET) 
• Recommended Reading and WEB Sites 
Web Security Considerations
• The Web is very visible.
• Complex software hides many security flaws.
• Web servers are easy to configure and manage.
• Users are not aware of the risks.
Security facilities in the TCP/IP 
protocol stack 
SSL and TLS
• SSL was originated by Netscape.
• The TLS working group was formed within the IETF.
• The first version of TLS can be viewed as SSLv3.1.
SSL Architecture 
SSL Record Protocol Operation 
SSL Record Format 
SSL Record Protocol Payload 
Handshake Protocol 
• The most complex part of SSL. 
• Allows the server and client to 
authenticate each other. 
• Negotiate encryption, MAC algorithm and 
cryptographic keys. 
• Used before any application data are 
transmitted. 
Handshake Protocol Action 
Transport Layer Security
• Uses the same record format as the SSL record format.
• Defined in RFC 2246.
• Similar to SSLv3.
• Differences in the:
– version number
– message authentication code
– pseudorandom function
– alert codes
– cipher suites
– client certificate types
– certificate_verify and finished messages
– cryptographic computations
– padding
Secure Electronic Transactions
• An open encryption and security specification.
• Protects credit card transactions on the Internet.
• Companies involved:
– MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
• Not a payment system.
• A set of security protocols and formats.
SET Services 
• Provides a secure communication channel 
in a transaction. 
• Provides trust by the use of X.509v3 digital 
certificates. 
• Ensures privacy. 
SET Overview 
• Key Features of SET: 
– Confidentiality of information 
– Integrity of data 
– Cardholder account authentication 
– Merchant authentication 
SET Participants 
Sequence of events for transactions
1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant requests payment authorization.
8. The merchant confirms the order.
9. The merchant provides the goods or service.
10. The merchant requests payment.
Dual Signature
$DS = E_{KR_c}\left[H\big(H(PI)\,\|\,H(OI)\big)\right]$
where $PI$ is the payment information, $OI$ the order information, $H$ the hash function and $KR_c$ the customer's private signature key.
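An added example (not the lecture's code) of the dual signature construction: the customer hashes PI and OI separately, hashes the concatenation of the two digests and signs that; the merchant then verifies with OI in clear plus only the digest of PI, and the bank with PI plus only the digest of OI, so neither party sees the other's data. The signature uses a constructed toy RSA key (far too small for real use, generated here only so the example runs offline); PI and OI are made-up strings.

```python
"""SET dual signature: DS = E_KRc[H(H(PI) || H(OI))] with the merchant's and the bank's
verification paths. Constructed example; the RSA keys are toy-sized, for illustration only."""
import hashlib
import random

def H(data: bytes) -> bytes:
    """Message digest used throughout (SHA-256 here)."""
    return hashlib.sha256(data).digest()

# --- toy RSA signature scheme (constructed helper, not a production implementation) ---
def _is_probable_prime(n, rng, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                     # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate

def keygen(bits=512, seed=7):
    """Return (KUc, KRc) = ((e, n), (d, n)); seeded so the example is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def sign(kr, digest: bytes) -> int:
    d, n = kr
    return pow(int.from_bytes(digest, "big"), d, n)      # E_KRc[digest]

def verify(ku, digest: bytes, sig: int) -> bool:
    e, n = ku
    return pow(sig, e, n) == int.from_bytes(digest, "big")

# --- the dual signature itself ---
def dual_signature(kr_c, PI: bytes, OI: bytes):
    """Customer side: returns (DS, PIMD, OIMD); PIMD goes to the merchant, OIMD to the bank."""
    PIMD, OIMD = H(PI), H(OI)
    POMD = H(PIMD + OIMD)                 # H(H(PI) || H(OI))
    return sign(kr_c, POMD), PIMD, OIMD

def merchant_verify(ku_c, ds: int, OI: bytes, PIMD: bytes) -> bool:
    """Merchant has OI in clear and only the digest of PI."""
    return verify(ku_c, H(PIMD + H(OI)), ds)

def bank_verify(ku_c, ds: int, PI: bytes, OIMD: bytes) -> bool:
    """Bank has PI in clear and only the digest of OI."""
    return verify(ku_c, H(H(PI) + OIMD), ds)
```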
Payment processing 
Cardholder sends Purchase Request 
Payment processing 
Merchant Verifies Customer Purchase Request 
Payment processing 
• Payment Authorization: 
– Authorization Request 
– Authorization Response 
• Payment Capture: 
– Capture Request 
– Capture Response 
Recommended Reading and Web Sites
• Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999.
• Garfinkel, S., and Spafford, G. Web Security & Commerce. O'Reilly and Associates, 1997.
• MasterCard SET site
• Visa Electronic Commerce site
• SETCo (documents and glossary of terms)

Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfChristalin Nelson
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptxmary850239
 
physiotherapy in Acne condition.....pptx
physiotherapy in Acne condition.....pptxphysiotherapy in Acne condition.....pptx
physiotherapy in Acne condition.....pptxAneriPatwari
 
Unit :1 Basics of Professional Intelligence
Unit :1 Basics of Professional IntelligenceUnit :1 Basics of Professional Intelligence
Unit :1 Basics of Professional IntelligenceDr Vijay Vishwakarma
 
Employablity presentation and Future Career Plan.pptx
Employablity presentation and Future Career Plan.pptxEmployablity presentation and Future Career Plan.pptx
Employablity presentation and Future Career Plan.pptxryandux83rd
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxAnupam32727
 

Recently uploaded (20)

Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom6 ways Samsung’s Interactive Display powered by Android changes the classroom
6 ways Samsung’s Interactive Display powered by Android changes the classroom
 
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
 
CARNAVAL COM MAGIA E EUFORIA _
CARNAVAL COM MAGIA E EUFORIA            _CARNAVAL COM MAGIA E EUFORIA            _
CARNAVAL COM MAGIA E EUFORIA _
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristics
 
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
 
Spearman's correlation,Formula,Advantages,
Spearman's correlation,Formula,Advantages,Spearman's correlation,Formula,Advantages,
Spearman's correlation,Formula,Advantages,
 
DiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfDiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdf
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdf
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx
 
physiotherapy in Acne condition.....pptx
physiotherapy in Acne condition.....pptxphysiotherapy in Acne condition.....pptx
physiotherapy in Acne condition.....pptx
 
Unit :1 Basics of Professional Intelligence
Unit :1 Basics of Professional IntelligenceUnit :1 Basics of Professional Intelligence
Unit :1 Basics of Professional Intelligence
 
Employablity presentation and Future Career Plan.pptx
Employablity presentation and Future Career Plan.pptxEmployablity presentation and Future Career Plan.pptx
Employablity presentation and Future Career Plan.pptx
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
 

Firewall, Trusted Systems, IP Security, ESP Encryption and Authentication

  • 1. Security Concept, Part 3 – Mr. Gopal Sakarkar
  • 2. What is a Firewall?
    – A choke point of control and monitoring.
    – Interconnects networks with differing trust.
    – Imposes restrictions on network services: only authorized traffic is allowed.
    – Audits and controls access, and can raise alarms on abnormal behaviour.
    – Can implement VPNs using IPsec.
    – Must itself be immune to penetration.
  • 3. Firewall Design Principles. Information systems in an organization have typically evolved through:
    – A centralized data-processing system, with a central mainframe supporting a number of directly connected terminals.
    – LANs interconnecting PCs and terminals to each other and to the mainframe.
    – A premises network consisting of a number of LANs, interconnecting PCs and servers.
    – An enterprise-wide network consisting of multiple, geographically distributed premises networks interconnected by a private WAN.
  • 4. Characteristics of a Firewall
    – All traffic from inside to outside, and vice versa, must pass through the firewall.
    – Only authorized traffic, as defined by the local security policy, is allowed to pass.
    – The firewall itself is immune to penetration.
  • 5. Firewall Techniques for Controlling Access
    – Service control: determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number.
    – Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
    – User control: controls access to a service according to which user is attempting to access it; typically applied to local users only.
    – Behaviour control: controls how particular services are used. The firewall may filter e-mail to eliminate spam, or it may allow external access to only a portion of the information on a local server.
  • 6. Firewall Limitations
    – Cannot protect against attacks that bypass it, e.g. an internal host with its own dial-up or wireless link to the outside.
    – Cannot protect against internal threats, e.g. a disgruntled employee or one who cooperates with an external attacker.
    – Cannot protect against the transfer of every virus-infected program or file, because of the huge range of operating systems and file types.
  • 7. Types of Firewalls
    1. Packet-filtering router
    2. Application-level gateway
    3. Circuit-level gateway
  • 8. Firewalls – Packet Filters (figure)
  • 9. Firewalls – Packet Filters
    – The simplest and fastest firewall component.
    – Applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
    – Filtering rules are based on information in the packet headers:
      1. Source IP address: the IP address of the system that originated the IP packet.
      2. Destination IP address: the IP address of the system the IP packet is trying to reach.
    – In practice rules also match the IP protocol field, the source and destination transport-level port numbers (which identify the application) and the interface on which the packet arrived.
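As an added example (not part of the slides), the following Python code implements the kind of stateless, first-match packet filter that slides 5 and 9 describe, with rules expressing service control (one permitted inbound service), direction control (no inbound connection initiation) and anti-spoofing. The address block, rule table and sample packets are constructed for illustration.

```python
# Added example (not from the slides): a stateless packet filter in the style
# of slides 5 and 9. Rules are evaluated top to bottom, first match wins, and
# a packet matching no rule is discarded (default deny). The rule table and the
# packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (outside -> inside) or "out"
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn_only: bool = False    # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    new_conn_only: bool = False   # match only connection-initiating segments

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.new_conn_only and not p.syn_only:
            return False
        return True


INSIDE = "10.0.0.0/8"          # constructed internal address block
MAIL_SERVER = "10.0.0.5/32"    # constructed address of the only exposed service

RULES = [
    # Anti-spoofing: packets arriving from outside must not carry inside source addresses.
    Rule("deny", direction="in", src=INSIDE),
    # Service control: only SMTP to the mail server may be initiated from outside.
    Rule("permit", direction="in", proto="tcp", dst=MAIL_SERVER, dport=25),
    # Direction control: no other inbound TCP connection may be *initiated*.
    Rule("deny", direction="in", proto="tcp", new_conn_only=True),
    # Replies to connections opened from inside (ACK set) are allowed back in.
    Rule("permit", direction="in", proto="tcp"),
    # Anything originating inside may go out.
    Rule("permit", direction="out"),
]


def decide(p: Packet, rules=RULES) -> str:
    """Return 'permit' or 'deny' for one packet; unmatched packets are denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.7", "10.0.0.5", 25, syn_only=True),    # permit: SMTP to mail server
        Packet("in", "tcp", "203.0.113.7", "10.0.0.9", 22, syn_only=True),    # deny: inbound SSH initiation
        Packet("in", "tcp", "203.0.113.7", "10.0.0.9", 51234),               # permit: reply traffic
        Packet("in", "tcp", "10.0.0.3", "10.0.0.9", 22, syn_only=True),       # deny: spoofed inside source
        Packet("in", "udp", "203.0.113.7", "10.0.0.9", 53),                   # deny: no rule, default
        Packet("out", "tcp", "10.0.0.9", "203.0.113.7", 443, syn_only=True),  # permit: outbound
    ]
    for s in samples:
        print(decide(s), s)
```

The rule that lets replies back in accepts any inbound TCP segment that is not a bare SYN, which is all a stateless filter can do; it is exactly the weakness that ACK scans exploit and the reason stateful inspection and circuit-level gateways (slide 12) track connection state instead.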
  • 10. Firewalls – 2. Application-Level Gateway (or Proxy)
    – Has an application-specific gateway, also called a proxy server, with full access to the protocol:
      – the user requests a service from the proxy;
      – the proxy validates the request as legal;
      – it then performs the request and returns the result to the user;
      – traffic can be logged and audited at the application level.
    – Needs a separate proxy for each service; some services naturally support proxying.
    – Examples given in the deck: a feedback application, an online examination application, an MIS, etc.
  • 11. Firewalls – 2. Application-Level Gateway (or Proxy)
    – Application-level gateways tend to be more secure than packet filters, because they need only scrutinize a few allowable applications rather than every combination of header fields that must be allowed or forbidden at the IP and TCP level.
  • 12. Firewalls – 3. Circuit-Level Gateway
    – Can be a stand-alone system or a specialized function performed by an application-level gateway.
    – Imposes security by determining which TCP connections are allowed.
    – Once a connection is created, it usually relays traffic without examining its contents.
    – Typically used where the internal users are trusted, to allow general outbound connections.
  • 13. Firewalls – 3. Circuit-Level Gateway
    – Does not permit an end-to-end TCP connection. Instead it sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
  • 14. Data Access Control
    – Through the user access control procedure (log-on), a user can be identified to the system.
    – There can be a profile that specifies permissible operations and file accesses.
    – The operating system can enforce rules based on the user profile.
  • 15. Data Access Control
    – General models of access control: access matrix, access control list, capability list.
  • 16. Data Access Control – Access Matrix (figure)
  • 17. Data Access Control – Access Matrix: basic elements of the model
    – Subject: an entity capable of accessing objects; the concept of subject equates with that of process (e.g. application software).
    – Object: anything to which access is controlled (e.g. files, programs).
    – Access right: the way in which an object is accessed by a subject (e.g. read, write, execute).
  • 18. Data Access Control – Access Control List: decomposition of the matrix by columns, i.e. one list per object.
    – One process may consist of many programs, e.g. CD writing is one process in which writing is one program and verification of the written data is a second program.
  • 19. Data Access Control – Access Control List
    – An access control list lists users and their permitted access rights.
    – The list may contain a default or public entry.
  • 20. Data Access Control – Capability List: decomposition of the matrix by rows. A capability list specifies the authorized objects and operations for a user.
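As an added example (not from the slides), the code below builds an access matrix like the one of slides 16 and 17 and derives both decompositions from it: the access control list per object (by column) and the capability list per subject (by row), including the default or public entry of slide 19. The subjects, objects and rights are constructed.

```python
# Added example (not from the slides): an access matrix and its two
# decompositions, the access control list (by column, one list per object) and
# the capability list (by row, one list per subject). Subjects, objects and
# rights are constructed.
from collections import defaultdict

# rows = subjects, columns = objects, cell = set of access rights
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.pdf": {"read"}},
    "bob":   {"report.pdf": {"read", "write"}, "backup.sh": {"execute"}},
    "carol": {"payroll.db": {"read"}},
}


def to_acl(matrix):
    """Column view: object -> {subject -> rights}."""
    acl = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][subject] = set(rights)
    return dict(acl)


def to_capabilities(matrix):
    """Row view: subject -> {object -> rights} (the subject's capability list)."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def acl_check(acl, subject, obj, right):
    """Look the subject up in the object's list; fall back to the public entry '*' (slide 19)."""
    entry = acl.get(obj, {})
    return right in entry.get(subject, entry.get("*", set()))


def cap_check(caps, subject, obj, right):
    """Present the subject's capability list and look for the object and operation."""
    return right in caps.get(subject, {}).get(obj, set())


def consistent(matrix):
    """Both views authorize exactly the same (subject, object, right) triples."""
    acl, caps = to_acl(matrix), to_capabilities(matrix)
    triples = {(s, o, r) for s, row in matrix.items() for o, rs in row.items() for r in rs}
    return all(acl_check(acl, s, o, r) and cap_check(caps, s, o, r) for s, o, r in triples)


def subjects_with_access(acl, obj):
    """'Who can touch this object?' is a single ACL lookup."""
    return set(acl.get(obj, {}))


def revoke_object(acl, caps, obj):
    """Revoking every right to one object: one ACL entry vs a scan of every capability list."""
    acl.pop(obj, None)
    for subject_caps in caps.values():
        subject_caps.pop(obj, None)
```

Both views answer the same authorization question, but they make different operations cheap: "who can access this object?" and "revoke all access to this object" are one ACL entry, whereas with capability lists the same questions require scanning every subject's list; conversely, "what can this subject access?" is a single capability lookup.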
  • 21. Trusted Systems
    – Protection of data and resources on the basis of levels of security (e.g. military).
    – In the military, information is categorized as unclassified, confidential, secret or top secret.
    – Users can be granted clearances to access certain categories of data.
  • 22. Trusted Systems
    – Multilevel security: a subject at a high level may not convey information to a subject at a lower level.
    – A multilevel secure system must enforce:
      – No read up: a subject can only read an object of lower or equal security level (Simple Security Property).
      – No write down: a subject can only write into an object of greater or equal security level (*-Property).
  • 23. Trusted Systems – Reference Monitor Concept: multilevel security for a data-processing system (figure)
  • 24. The Concept of Trusted Systems – Reference Monitor
    – The controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters.
    – The reference monitor has access to a file, the security kernel database, that lists the access privileges (security clearance) of each subject and the protection attributes (classification level) of each object.
    – The monitor enforces the security rules (no read up, no write down) and records security-relevant events in an audit file.
  • 25. Trusted Systems – Properties of the Reference Monitor
    – Complete mediation: the security rules are enforced on every access, not just, for example, when a file is opened.
    – Isolation: the reference monitor and database are protected from unauthorized modification.
    – Verifiability: the reference monitor's correctness must be provable mathematically, i.e. it must be possible to demonstrate that the reference monitor enforces the security rules and provides complete mediation and isolation.
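The following Python code is an added example (not from the slides) of a reference monitor in the sense of slides 22 to 25: every read or write is checked (complete mediation) against a security-kernel database that only the monitor touches (isolation), and the two multilevel rules are applied and audited. The levels, clearances, subjects and objects are constructed.

```python
# Added example (not from the slides): a reference monitor that mediates every
# access against a security-kernel database and enforces the two multilevel
# rules, no read up (simple security property) and no write down (*-property).
# Levels, clearances, subjects and objects are constructed.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class AccessDenied(Exception):
    pass


class SecurityKernelDB:
    """Clearance of each subject and classification of each object."""
    def __init__(self, clearances, classifications):
        self.clearances = dict(clearances)
        self.classifications = dict(classifications)


class ReferenceMonitor:
    def __init__(self, db: SecurityKernelDB):
        self._db = db          # isolation: the database is reachable only through the monitor
        self.audit = []        # every decision is recorded (the audit file of slide 23)

    def check(self, subject, obj, mode):
        """Complete mediation: the single chokepoint for every read or write."""
        s = LEVELS[self._db.clearances[subject]]
        o = LEVELS[self._db.classifications[obj]]
        if mode == "read":
            allowed = s >= o       # no read up
        elif mode == "write":
            allowed = s <= o       # no write down
        else:
            raise ValueError(f"unknown access mode {mode!r}")
        self.audit.append((subject, obj, mode, "permit" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{subject} may not {mode} {obj}")
        return True


def permitted(monitor, subject, obj, mode) -> bool:
    """Boolean wrapper around check() for callers that do not want the exception."""
    try:
        return monitor.check(subject, obj, mode)
    except AccessDenied:
        return False


def copy_object(monitor, subject, src_obj, dst_obj) -> bool:
    """A process acting for `subject` tries to copy src_obj into dst_obj.
    Both halves are mediated, so a confidential-to-unclassified copy fails on the write."""
    return (permitted(monitor, subject, src_obj, "read")
            and permitted(monitor, subject, dst_obj, "write"))


# Constructed security-kernel database.
DB = SecurityKernelDB(
    clearances={"alice": "secret", "bob": "unclassified"},
    classifications={"plans.doc": "top secret", "memo.txt": "confidential",
                     "bulletin.txt": "unclassified"},
)
```

The copy_object helper shows why both rules are needed: a Trojan horse running with alice's secret clearance can read the confidential memo, but the *-property stops it from writing the contents into an unclassified object where bob could read them. Keeping the monitor this small is what makes the verifiability property of slide 25 achievable.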
  • 26. Trusted Systems
    – A system that can provide such verification is referred to as a trusted system.
  • 27. Summary
    – Data access control: the procedure by which users are identified to the system and their permitted operations on objects are enforced.
    – Trusted system: a computer and operating system that can be verified to implement a given security policy.
  • 29. Outline
    – IP Security Overview
    – IP Security Architecture
    – Authentication Header
    – Encapsulating Security Payload
    – Combinations of Security Associations
    – Key Management
  • 30. IP Security Overview
    – IPsec is not a single protocol. Instead, it provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
  • 31. IP Security Overview – Applications of IPsec
    – Secure branch-office connectivity over the Internet
    – Secure remote access over the Internet
    – Establishing extranet and intranet connectivity with partners
    – Enhancing electronic-commerce security
  • 32. IP Security Scenario (figure)
  • 33. IP Security Overview – Benefits of IPsec
    – When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter.
    – IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance.
    – IPsec is below the transport layer and so is transparent to applications and end users; there is no need to train users on security mechanisms.
    – IPsec can provide security for individual users if needed.
  • 34. IP Security Architecture (figure)
  • 35. IPsec Architecture Overview (the IPsec document roadmap)
    – Architecture: covers the general concepts, security requirements, definitions and mechanisms defining IPsec technology.
    – Encapsulating Security Payload (ESP): covers the packet format and general issues related to the use of ESP for packet encryption and, optionally, authentication.
    – Authentication Header (AH): covers the packet format and general issues related to the use of AH for packet authentication.
    – Encryption algorithm and authentication algorithm documents: describe how the various algorithms are used for ESP and AH.
    – Key management: documents that describe key-management schemes.
    – Domain of Interpretation (DOI): contains the values needed for the other documents to relate to each other, e.g. identifiers for approved encryption and authentication algorithms and operational parameters such as key lifetime.
  • 36. IPsec Services
    – Access control
    – Connectionless integrity
    – Data-origin authentication
    – Rejection of replayed packets (a form of partial sequence integrity)
    – Confidentiality (encryption)
    – Limited traffic-flow confidentiality
  • 37. Security Associations (SA)
    – A one-way relationship between a sender and a receiver that affords security services to the traffic carried on it. A two-way secure exchange requires two SAs.
    – Identified by three parameters:
      – Security Parameters Index (SPI)
      – Destination IP address
      – Security Protocol Identifier, which indicates whether the association is an AH or an ESP security association.
    – The SPI is a 32-bit identification tag carried in the AH or ESP header of each packet. It lets the receiving kernel select the SA, and with it the keys and algorithms, to apply to the packet, so that traffic streams governed by different rules can be told apart.
  • 38. Authentication Header
    – Provides support for data integrity and authentication of IP packets, using a MAC.
    – Guards against replay attacks. (cont.)
  • 39. What are replay attacks?
    – In a replay attack, an attacker eavesdrops on the conversation between a sender and a receiver, records an authenticated message (for example one with which the sender proves its identity), and later retransmits it to the receiver, which accepts it as a fresh, genuine message from the sender.
    – Example: A authenticates itself to B. Attacker C eavesdrops on their exchange and keeps the messages A used to prove its identity. Later, C sends the same messages to B and is accepted as A. The sequence numbers in AH and ESP let the receiver detect and reject such replays.
  • 40. Authentication Header fields
    – Next Header (8 bits): identifies the type of header immediately following this header.
    – Payload Length (8 bits): the length of the Authentication Header in 32-bit words, minus 2.
    – Reserved (16 bits): for future use.
    – Security Parameters Index (32 bits): identifies a security association.
    – Sequence Number (32 bits): a monotonically increasing counter value, used for anti-replay protection.
    – Authentication Data (variable): a variable-length field, an integral number of 32-bit words, that contains the Integrity Check Value (ICV), or MAC, for this packet.
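As an added example (not from the slides), the Python code below builds and verifies an Authentication Header with the fields of slide 40, keyed by the SA parameters of slide 37 and protected against the replay attack of slide 39 by a sliding window over the Sequence Number. The key, SPI, addresses and payload are constructed. The outer IPv4 header is simplified to its immutable source and destination addresses for ICV computation; a real implementation covers all immutable and predictable outer-header fields and zeroes the mutable ones (TTL, header checksum) before computing the MAC.

```python
# Added example (not from the slides): building and verifying an IPsec
# Authentication Header with HMAC-SHA-1-96 plus a receive-side anti-replay
# window, tying together the SA parameters (slide 37), the replay threat
# (slide 39) and the AH fields (slide 40). The SA table, key, addresses and
# payload are constructed; the IPv4 header is reduced to its immutable
# source/destination fields for ICV computation (a simplification).
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
ICV_LEN = 12                         # HMAC-SHA-1-96: 96 bits of the HMAC-SHA-1 output
AH_FIXED_LEN = 12                    # next header, payload len, reserved, SPI, sequence number
AH_PAYLOAD_LEN = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # "length in 32-bit words minus 2" = 4


class SecurityAssociation:
    """One-way SA, identified by (SPI, destination address, protocol = AH)."""
    def __init__(self, spi, dst, key, window=64):
        self.spi, self.dst, self.key = spi, dst, key
        self.seq = 0           # sender: last sequence number used
        self.window = window   # receiver: size of the anti-replay window
        self.highest = 0       # receiver: highest sequence number accepted
        self.seen = set()      # receiver: accepted numbers inside the window


def _immutable_ip_fields(src, dst):
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


def _icv(key, src, dst, ah_fixed, payload):
    """ICV over immutable IP fields || AH with the ICV field zeroed || payload."""
    data = _immutable_ip_fields(src, dst) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(sa, src, dst, payload, next_header=IPPROTO_TCP):
    """Sender: increment the sequence number and emit AH = fixed fields || ICV."""
    sa.seq += 1
    ah_fixed = struct.pack("!BBHII", next_header, AH_PAYLOAD_LEN, 0, sa.spi, sa.seq)
    return ah_fixed + _icv(sa.key, src, dst, ah_fixed, payload)


def parse_ah(ah):
    """Return (next_header, spi, seq, icv); the ICV length follows from Payload Length."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah[:AH_FIXED_LEN])
    icv_len = (payload_len + 2) * 4 - AH_FIXED_LEN
    return next_header, spi, seq, ah[AH_FIXED_LEN:AH_FIXED_LEN + icv_len]


def verify_ah(sa_table, src, dst, ah, payload):
    """Receiver: select the SA by (SPI, dst), reject replays, check the ICV,
    and only then advance the anti-replay window."""
    _next_header, spi, seq, icv = parse_ah(ah)
    sa = sa_table.get((spi, dst))
    if sa is None:
        return False, "unknown SPI"
    if seq == 0 or seq in sa.seen or seq <= sa.highest - sa.window:
        return False, "replay"
    if not hmac.compare_digest(icv, _icv(sa.key, src, dst, ah[:AH_FIXED_LEN], payload)):
        return False, "bad ICV"
    sa.seen.add(seq)
    if seq > sa.highest:
        sa.highest = seq
        sa.seen = {s for s in sa.seen if s > sa.highest - sa.window}
    return True, "ok"
```

Note the order in verify_ah: the cheap window test runs first, the ICV second, and the window is advanced only after the ICV verifies, so an attacker cannot shift the receiver's window with forged sequence numbers. A tampered source address fails the ICV because that field is part of the authenticated data, which is the "end-to-end" guarantee of slide 41.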
  • 41. End-to-End vs End-to-Intermediate Authentication (figure)
  • 42. Encapsulating Security Payload
    – ESP provides confidentiality services.
    – ESP provides confidentiality of message contents.
    – ESP provides limited traffic-flow confidentiality.
  • 43. Encapsulating Security Payload
    – Designed to provide both confidentiality and integrity protection.
    – Everything after the IP header is encrypted.
    – The ESP header is inserted after the IP header.
  • 44. Encryption and Authentication Algorithms
    – Encryption: three-key triple DES, RC5, IDEA, three-key triple IDEA, CAST, Blowfish.
    – Authentication: HMAC-MD5-96, HMAC-SHA-1-96.
    – This list reflects the original ESP and AH specifications; current deployments use AES (often in the AES-GCM authenticated-encryption mode) and HMAC with SHA-2, and MD5-based integrity is deprecated.
  • 45. TCP/IP Example (figure)
  • 47. Congratulations on the selection of papers for the National Conference, Pune.
  • 48. IPv4 Header (figure)
  • 49. IPv4 Header
    – Internet Protocol version 4 (IPv4) is the fourth version in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed.
    – It is one of the core protocols of standards-based internetworking methods of the Internet, and routes most traffic on the Internet.
    – IPv4 is a connectionless protocol for use on packet-switched networks.
    – A connectionless protocol describes communication between two network end points in which a message is sent from one end point to the other without a prior arrangement.
    – The device at one end transmits data to the other without first ensuring that the device at the other end is ready to receive it.
  • 50. IPv4 Header Fields
    Header layout (bit positions 0, 4, 8, 16, 19 and 31 mark the field boundaries): Version | HLen | TOS | Length / Identifier | Flags | Fragment Offset / TTL | Protocol | Header Checksum / Source Address / Destination Address / Options (if any) / Data.
    – Version: IP version, 4 for IPv4 and 6 for IPv6.
    – HLen: header length, in 32-bit words.
    – TOS: type of service (priority information).
    – Length: packet length in bytes, including the header.
    – The header format can change with versions: the first byte identifies the version, and the IPv6 header is very different (see later).
    – The Length field limits packets to 65,535 bytes; in practice they are broken into much smaller packets for network-performance reasons.
  • 51. IPv4 Header Fields
    – Identifier, Flags, Fragment Offset: used primarily for fragmentation.
    – Time To Live: must be decremented at each router; packets whose TTL reaches 0 are discarded; this ensures that looping packets eventually exit the network.
    – Protocol: demultiplexing to higher-layer protocols (ICMP = 1, TCP = 6, UDP = 17, ...).
    – Header checksum: ensures some degree of header integrity; relatively weak, only 16 bits, and it detects accidental corruption only, not deliberate modification (that is what AH provides).
    – Options: e.g. source routing, record route; they cause performance issues at routers and are poorly supported or not at all.
  • 52. IPv4 Header Fields
    – Source Address: 32-bit IP address of the sender.
    – Destination Address: 32-bit IP address of the destination.
  • 53. Why IPv6? Deficiencies of IPv4:
    – Address-space exhaustion.
    – New types of service to integrate: multicast, quality of service, security, mobility (MIPv6).
    – Header and format limitations.
  • 54. Advantages of IPv6 over IPv4
    – Larger address space
    – Better header format
    – New options
    – Allowance for extension
    – Support for resource allocation
    – Support for more security
    – Support for mobility
  • 55. IPv6 Header (figure)
    – Avoids checksum redundancy: there is no header checksum; the link and transport layers already check integrity.
    – Fragmentation is done end to end by the source, not by intermediate routers.
  • 56. IPv6 header fields
    – Version: 4-bit Internet Protocol version number = 6.
    – Traffic Class: 8-bit traffic-class field.
    – Flow Label: 20-bit field.
    – Payload Length: 16-bit unsigned integer, the length in octets of the rest of the packet following the IPv6 header.
    – Next Header: 8-bit selector. Identifies the type of header that immediately follows the IPv6 header; uses the same values as the IPv4 Protocol field.
    – Hop Limit: 8-bit unsigned integer. Decremented by one by each node that forwards the packet; the packet is discarded if the Hop Limit is decremented to zero.
    – Source Address: 128 bits. The address of the initial sender of the packet.
    – Destination Address: 128 bits. The address of the intended recipient of the packet. The intended recipient is not necessarily the recipient if an optional Routing header is present.
    – Video: OSI 7-layer model
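As an added example (not from the slides), the following Python code parses the IPv4 header of slides 50 to 52 and the IPv6 header of slide 56 from raw bytes, verifies the IPv4 header checksum, and performs the per-hop TTL handling of slide 51 (decrement, recompute the checksum, discard at zero). The two sample headers are constructed byte strings; the IPv6 parser has no checksum step because the header has none (slide 55).

```python
# Added example (not from the slides): parsing the IPv4 fixed header (slides
# 50-52) and the IPv6 fixed header (slide 56) from raw bytes, verifying the
# IPv4 header checksum, and the router's TTL handling from slide 51. The two
# sample headers are constructed byte strings.
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte fixed IPv4 header
IPV6_FMT = "!IHBB16s16s"     # 40-byte fixed IPv6 header


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (checksum field taken as zero)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    (ver_ihl, tos, length, ident, flags_off,
     ttl, proto, csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4 or length < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    hdr = pkt[:ihl * 4]
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]        # checksum field is bytes 10-11
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": length,
        "identification": ident, "flags": flags_off >> 13,
        "fragment_offset": flags_off & 0x1FFF, "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": hdr[20:], "payload": pkt[ihl * 4:length],
    }


def parse_ipv6(pkt: bytes) -> dict:
    first, payload_len, next_header, hop_limit, src, dst = struct.unpack(IPV6_FMT, pkt[:40])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 header")
    return {                                           # no checksum field: IPv6 has none
        "version": 6, "traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
        "payload_length": payload_len, "next_header": next_header, "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
        "payload": pkt[40:40 + payload_len],
    }


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1C46):
    """Construct a minimal IPv4 datagram (DF set, no options) with a valid checksum."""
    no_csum = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                          ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return no_csum[:10] + struct.pack("!H", ipv4_checksum(no_csum)) + no_csum[12:] + payload


def forward(pkt: bytes):
    """Router step from slide 51: drop on bad checksum, decrement TTL, drop when it
    would reach zero (a real router also sends ICMP Time Exceeded), fix the checksum."""
    hdr = parse_ipv4(pkt)
    if not hdr["checksum_ok"] or hdr["ttl"] <= 1:
        return None
    ihl = hdr["ihl"] * 4
    out = bytearray(pkt[:ihl])
    out[8] = hdr["ttl"] - 1
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
    return bytes(out) + pkt[ihl:]


# Constructed samples: a UDP datagram to 8.8.8.8 and an ICMPv6 (next header 58) packet.
SAMPLE_V4 = build_ipv4("192.168.1.10", "8.8.8.8", 17, b"\x00" * 8)
SAMPLE_V6 = struct.pack(IPV6_FMT, (6 << 28) | 0xABCDE, 8, 58, 64,
                        ipaddress.IPv6Address("2001:db8::1").packed,
                        ipaddress.IPv6Address("2001:db8::2").packed) + b"\x00" * 8
```

Flipping a single header byte (the TTL in the test) is enough to make checksum_ok false, which is why every router must recompute the checksum after decrementing TTL; the same ease of recomputation is why the checksum is no defence against an attacker, who simply fixes it after altering the header.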
  • 57. Video Lectures
    – Complete working of the Internet
    – OSI model with packets, IPs, firewalls etc.
  • 58. Web Security
  • 59. Outline
    – Web Security Considerations
    – Secure Socket Layer (SSL) and Transport Layer Security (TLS)
    – Secure Electronic Transaction (SET)
    – Recommended Reading and Web Sites
  • 60. Web Security Considerations
    – The Web is highly visible.
    – The complex underlying software hides many security flaws.
    – Web servers are easy to configure and manage, yet a compromised server can be exploited as a launching pad into the organization's entire system.
    – Users are not aware of the risks.
  • 61. Security facilities in the TCP/IP protocol stack (figure)
  • 62. SSL and TLS
    – SSL was originated by Netscape.
    – A TLS working group was formed within the IETF.
    – The first version of TLS can be viewed as SSLv3.1.
  • 63. SSL Architecture (figure)
  • 64. SSL Record Protocol Operation (figure)
  • 65. SSL Record Format (figure)
  • 66. SSL Record Protocol Payload (figure)
  • 67. Handshake Protocol
    – The most complex part of SSL.
    – Allows the server and client to authenticate each other.
    – Negotiates the encryption and MAC algorithms and the cryptographic keys.
    – Used before any application data are transmitted.
  • 68. Handshake Protocol Action (figure)
  • 69. Transport Layer Security
    – Uses the same record format as SSL.
    – Defined in RFC 2246 (TLS 1.0).
    – Similar to SSLv3, with differences in: the version number; the message authentication code; the pseudorandom function; the alert codes; the cipher suites; the client certificate types; the certificate_verify and finished messages; the cryptographic computations; padding.
  • 70. Secure Electronic Transactions
    – An open encryption and security specification.
    – Protects credit-card transactions on the Internet.
    – Companies involved: MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and VeriSign.
    – Not a payment system, but a set of security protocols and formats.
  • 71. SET Services
    – Provides a secure communication channel among all parties in a transaction.
    – Provides trust by the use of X.509v3 digital certificates.
    – Ensures privacy.
  • 72. SET Overview – Key Features of SET:
    – Confidentiality of information
    – Integrity of data
    – Cardholder account authentication
    – Merchant authentication
  • 73. SET Participants (figure)
  • 74. Sequence of events for transactions
    1. The customer opens an account.
    2. The customer receives a certificate.
    3. Merchants have their own certificates.
    4. The customer places an order.
    5. The merchant is verified.
    6. The order and payment are sent.
    7. The merchant requests payment authorization.
    8. The merchant confirms the order.
    9. The merchant provides the goods or service.
    10. The merchant requests payment.
  • 75. Dual Signature
    DS = E_KRc[ H( H(PI) || H(OI) ) ]
    where PI is the payment information, OI the order information, H the hash function (SHA-1 in SET), || concatenation, and E_KRc encryption (signing) with the customer's private signature key KRc.
  • 76. Payment processing – Cardholder sends Purchase Request (figure)
  • 77. Payment processing – Merchant verifies Customer Purchase Request (figure)
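As an added example (not from the slides), the Python code below computes the SET dual signature of slide 75 and performs the two verifications behind slides 76 and 77: the merchant checks the signature with OI and only the digest of PI, and the payment gateway checks it with PI and only the digest of OI. To keep the example self-contained it uses a toy textbook RSA signature with fixed Mersenne primes and no padding, purely as a stand-in for the cardholder's signature key; that construction is not secure and is not what SET specified beyond its use of RSA and SHA-1. The PI and OI contents are constructed.

```python
# Added example (not from the slides): the SET dual signature and its two
# verifications. The signing primitive is a TOY textbook RSA (fixed Mersenne
# primes, no padding) used only so the example runs without extra libraries;
# it is not secure and stands in for the cardholder's real signature key.
# PI and OI contents are constructed.
import hashlib

_P, _Q = (1 << 89) - 1, (1 << 107) - 1          # Mersenne primes: toy key, NOT secure
N = _P * _Q                                      # ~196-bit modulus, larger than a SHA-1 digest
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))              # private exponent (Python 3.8+)


def H(data: bytes) -> bytes:
    """SET used SHA-1 for its message digests."""
    return hashlib.sha1(data).digest()


def _rsa_sign(digest: bytes) -> int:             # E_KRc[...] on slide 75
    return pow(int.from_bytes(digest, "big"), D, N)


def _rsa_verify(digest: bytes, signature: int) -> bool:
    return pow(signature, E, N) == int.from_bytes(digest, "big")


def dual_sign(pi: bytes, oi: bytes):
    """Cardholder: DS = E_KRc[ H( H(PI) || H(OI) ) ]; also returns PIMD and OIMD."""
    pimd, oimd = H(pi), H(oi)
    pomd = H(pimd + oimd)                        # payment-order message digest
    return _rsa_sign(pomd), pimd, oimd


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and only the digest of PI: it never sees the card data."""
    return _rsa_verify(H(pimd + H(oi)), ds)


def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI and only the digest of OI: it never sees the order."""
    return _rsa_verify(H(H(pi) + oimd), ds)


# Constructed transaction data.
PI = b"pan=4111111111111111;exp=12/27;amount=49.99"
OI = b"order=1234;item=textbook;amount=49.99"
```

The point of the construction is the linkage: the merchant sees the order but not the card data, the bank sees the card data but not the order, yet neither party can substitute a different OI or PI, because the one signature covers the hash of both digests.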
  • 78. Payment processing
    – Payment authorization: authorization request; authorization response.
    – Payment capture: capture request; capture response.
  • 79. Recommended Reading and Web Sites
    – Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999.
    – Garfinkel, S., and Spafford, G. Web Security & Commerce. O'Reilly and Associates, 1997.
    – MasterCard SET site
    – Visa Electronic Commerce site
    – SETCo (documents and glossary of terms)