Chapter 5: Virtual Networks

Outline
5.1 Security in networks
    5.1.1 Introduction
    5.1.2 Cryptography
    5.1.3 Cryptanalysis
    5.1.4 Symmetric key
    5.1.5 Asymmetric key
    5.1.6 Mixed systems
5.2 Virtual Private Networks, VPN
    5.2.1 Introduction
    5.2.2 PPTP
    5.2.3 L2TP
    5.2.4 IPsec
    5.2.5 SSL
5.3 Virtual Local Area Networks, VLAN

5.1.1 Introduction

Secure channel
A channel between a sender and a receiver is called secure when it provides these properties:
- Confidentiality
- Integrity
- Authenticity
- Non-repudiation

Confidentiality
- Information transmitted over an insecure channel can only be understood by the intended destination(s); it must remain unintelligible to everyone else.
- Ways of protection: dedicated physical links (high cost, difficult maintenance) or encryption.
- Attack example: an eavesdropper obtains the data sent by the sender.

Integrity
- Ensures that the transmitted information was not modified during the communication: the message at the destination must be identical to the message at the source.
- Ways of protection: message authentication codes and digital signatures.
- Attack example: changing the delivery address of a product bought on the Internet.

Authenticity
- Ensures the origin of the information and prevents impersonation.
- Ways of protection: digital signature; challenge-response; for human users, biometrics (fingerprint, retina, facial recognition, etc.).
- Attack example: user impersonation in a bank transaction.

Non-repudiation
- Prevents the sender from denying having sent a message and the receiver from denying having received it.
- Ways of protection: digital signature (a signed message proves who sent it; a signed acknowledgement proves receipt).
- Attack example: a submitted application form "gets lost" and neither party can prove it was sent or received.

Insecure channel
- An unreliable channel whose security can be violated by an attacker.
- Types of attack: passive and active.
- Categories: interception, interruption, modification, fabrication.

Passive attacks
- The attacker does not change the content of the transmitted information.
- Objectives: identifying the communicating entities, traffic monitoring and traffic analysis, learning the usual times of data exchange.
- Difficult to detect, easy to prevent: encryption.

Active attacks
- The attacker changes the content of the transmitted information.
- Types: masquerade (impostor), replay (an intercepted message is resent later), message modification, denial of service.
- Difficult to prevent, easier to detect: the defence is detection and recovery.

Interception (attack on confidentiality, passive)
- An unauthorized intruder gains access to a resource that was not meant to be shared.
- Examples: traffic capture; obtaining copies of files or programs.
- (Figure: transmitter -> receiver, with the intruder reading the channel.)

Interruption (attack on availability, active)
- A resource is destroyed or made unavailable.
- Examples: destruction of hardware; communication breakdown.
- (Figure: transmitter -> receiver, with the intruder cutting the channel.)

Modification (attack on integrity, active)
- A resource is intercepted and altered by an unauthorized host before it reaches its final destination.
- Example: changing the data that was sent.
- (Figure: transmitter -> intruder -> receiver.)

Fabrication (attack on authenticity, active)
- An unauthorized host (impostor) generates a resource that arrives at the final destination as if it were legitimate.
- Example: fraudulent information injected into the channel.
- (Figure: intruder -> receiver.)

5.1.2 Cryptography

Introduction
- Why: a way of protecting information against intruders (encryption and digital signatures).
- Definition: the science of secret writing, of hiding information from third parties.
- Principle: keeping privacy between two or more communicating parties.

Functioning basis
- Alter the original message so that no unauthorized party can access the information.
- Example (Caesar cipher, K = 3):
  original message: "This lecture is boring"
  altered message:  "Wklv ohfwxuh lv erulqj"

Cipher and decipher
- Cipher: a mechanism that converts a plain message into an incomprehensible one. The cipher algorithm needs a key.
- Decipher: a mechanism that converts the incomprehensible message back into the original one. It requires the cipher algorithm and the key.
- The algorithm is assumed to be public; all the secrecy must rest on the key (Kerckhoffs's principle). A Caesar cipher, with only 26 possible keys, shows why a tiny key space is fatal.
- (Figure: transmitter -> cipher -> channel -> decipher -> receiver.)

5.1.3 Cryptanalysis

- Definition: the set of methods used to recover the key (or the plaintext) without being one of the intended parties.
- Objective: reveal the secret of the communication.
- Attacks: brute force (exhaustive key search) is the most basic one. Attack models are classified by what the analyst has available:
  - Ciphertext-only attack
  - Known-plaintext attack
  - Chosen-plaintext attack
  - (and, relevant to public-key systems, chosen-ciphertext attack)
5.1.4 Symmetric key

Features
- Also called private-key or secret-key cryptography: transmitter and receiver share the same key.
- (Figure: transmitter -> cipher -> channel -> decipher -> receiver, both sides using the shared key.)

Algorithms: DES, 3DES, RC5, IDEA, AES. DES is obsolete (its 56-bit key can be brute-forced); AES is the current standard.

Requirements
- Neither the plaintext nor the key may be extracted from the ciphertext.
- The cost in time and money of obtaining the information must be higher than the value of the information obtained.

Algorithm strength: internal complexity and key length.

Accomplished objectives
- Confidentiality: yes.
- Integrity and authentication: yes, between the key holders (message authentication codes).
- Non-repudiation: no. Every holder of the key can produce a valid message, so a third party cannot tell which of them did; the guarantee only gets weaker as the number of parties sharing the key grows.

Advantages
- Fast algorithm execution rate.
- Best method to cipher large amounts of information.

Disadvantages
- Distribution of the private key.
- Key management: the number of keys grows with the number of secure channels (n parties talking pairwise need n(n-1)/2 keys).

5.1.5 Asymmetric key

Features
- Public-key cryptography: every party has a pair of keys, one private and one public (Tx private / Tx public, Rx private / Rx public).
- (Figure: the transmitter ciphers with the receiver's public key; the receiver deciphers with its own private key.)

Algorithms: Diffie-Hellman (key agreement), RSA (encryption and signatures), DSA (signatures only).

Requirements
- Neither the plaintext nor the key may be extracted from the ciphertext.
- The cost in time and money of obtaining the information must be higher than the value of the information obtained.
- For a text encrypted with a public key, only the matching private key can decrypt it, and vice versa.

Accomplished objectives
- Confidentiality.
- Integrity.
- Authentication: offers very good mechanisms.
- Non-repudiation: offers very good mechanisms.

Advantages
- No key-distribution problem: the public key can be published.
- If a user's private key is stolen, only the messages sent to that user (and signatures made in that user's name) are affected.
- Better authentication mechanisms than symmetric systems.

Disadvantages
- Slow algorithm execution rate.

Authentication: challenge-response, digital signature, digital certificate.
Non-repudiation: digital signature, digital certificate.

Challenge-response
- The receiver sends a challenge in clear text; only the legitimate transmitter can produce the correct response.
- The transmitter returns the response ciphered (signed) with its private key; the receiver checks it with the transmitter's public key.
- The challenge must be fresh and unpredictable, otherwise a recorded response can be replayed.
- (Figure: transmitter and receiver with their key pairs; the challenge goes one way in clear, the private-key ciphered response comes back.)

Digital signature
- Verifies the authenticity of the source.
- Parts: signature (transmitter, with its private key) and signature verification (receiver, with the transmitter's public key).
- Problem: signing the whole message with a public-key algorithm is slow, so the fingerprint (hash) of the message is signed instead.

Digital signature - fingerprint
- Reduces signing time: a hash function turns a variable-length set of data into a fixed-length summary or fingerprint that is illegible and meaningless on its own; the function is irreversible.
- Algorithms named on the slides: SHA-1, MD5. Both are broken with respect to collisions (MD5 since 2004, SHA-1 since 2017) and must not be used for new signatures; use SHA-256 or stronger.
- Requirements:
  - turns variable-length data into a fixed-length block;
  - easy to use and implement;
  - impossible to recover the original text from the fingerprint (preimage resistance);
  - different texts must generate different fingerprints (second-preimage and collision resistance).
- Remaining problem: key management. How does the receiver know whose public key it holds? This is what certificates address.

Digital certificate
- An information unit that binds a public key to its owner, together with the information needed to communicate securely with that owner.
- Contents: public key; owner information; useful information (algorithms, allowed functions, ...); validity period (valid-from / valid-to); Certificate Authority (CA) signature.
- The private key is never part of the certificate: the owner keeps it separately and secret.
- Revocation is possible (the CA publishes revocation lists or an online status service).

5.1.6 Mixed systems

Session keys
- Process:
  1. Session-key distribution with an asymmetric mechanism (public-key encryption of the session key, or Diffie-Hellman agreement).
  2. Secure communication with a symmetric algorithm using that session key.
- (Figure: transmitter and receiver with their key pairs; the session key crosses the channel protected by the receiver's public key, then the data flow symmetrically ciphered.)

Accomplished objectives
- Confidentiality, integrity, authentication and non-repudiation; the last two through digital signatures and certificates.

Advantages
- No key-distribution problem: public keys.
- A session key is short-lived and improbable to guess.
- May use the public-key authentication and non-repudiation mechanisms.
- Fast algorithm execution rate for the bulk data.

5.2.1 Virtual Private Networks: introduction

- Interconnection of users and entities.
- Dedicated lines (intranets): expensive and difficult to manage.
- Use of a public-access network: cheap, but with security risks.
- (Figure: LANs connected across a public network.)

Concept
- VPN: a private data channel implemented on top of a public communication network.
- Objectives: linking remote subnetworks; linking subnetworks and remote users.
- Mechanism: a virtual tunnel with encryption.
- (Figure: LAN - virtual tunnel across the public network - LAN.)
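Returning to the session-key process of 5.1.6: the following Python is an added example (not code from the lecture) of a mixed system end to end. Phase 1 is a Diffie-Hellman agreement, phase 2 derives separate encryption and MAC keys from the shared secret and protects the data with encrypt-then-MAC. Two assumptions are labelled in the code: the group is a toy 10-bit one (p = 1019, g = 2) so the arithmetic stays readable, and the stream cipher is an HMAC-SHA256 counter-mode keystream standing in for AES, which the standard library does not ship.

```python
# Added example, not from the slides: session-key distribution with
# Diffie-Hellman (asymmetric phase) followed by symmetric encrypt-then-MAC.
import hashlib
import hmac
import secrets

# TOY group so the numbers stay small: 1019 = 2*509 + 1 is a safe prime and 2
# generates the whole group.  A 10-bit modulus is breakable by hand; real
# deployments use the 2048-bit+ groups of RFC 3526 / RFC 7919 or ECDH.
P = 1019
G = 2


def dh_keypair() -> tuple:
    """Private exponent x and public value y = g^x mod p (retry if y is degenerate)."""
    while True:
        x = secrets.randbelow(P - 2) + 1
        y = pow(G, x, P)
        if 1 < y < P - 1:
            return x, y


def dh_shared_secret(my_private: int, peer_public: int) -> int:
    if not 1 < peer_public < P - 1:          # reject 0, 1 and p-1 (tiny subgroups)
        raise ValueError("invalid peer public value")
    return pow(peer_public, my_private, P)


def session_keys(shared: int, label: bytes) -> tuple:
    """Separate encryption and MAC keys from the DH secret (HKDF-style extract/expand)."""
    prk = hmac.new(b"mixed-system-salt", shared.to_bytes(4, "big"), hashlib.sha256).digest()
    k_enc = hmac.new(prk, label + b"|enc", hashlib.sha256).digest()
    k_mac = hmac.new(prk, label + b"|mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(k_enc: bytes, k_mac: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(k_enc: bytes, k_mac: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before touching the ciphertext
        raise ValueError("MAC failure: message modified or wrong key")
    return bytes(a ^ b for a, b in zip(ct, keystream(k_enc, nonce, len(ct))))


def session_demo(message: bytes) -> bytes:
    """Phase 1: both sides agree on the session key; phase 2: Tx sends to Rx."""
    tx_priv, tx_pub = dh_keypair()
    rx_priv, rx_pub = dh_keypair()
    # only tx_pub and rx_pub cross the insecure channel; the exponents never do
    tx_keys = session_keys(dh_shared_secret(tx_priv, rx_pub), b"session")
    rx_keys = session_keys(dh_shared_secret(rx_priv, tx_pub), b"session")
    assert tx_keys == rx_keys                    # same g^(xy) mod p on both sides
    return unseal(*rx_keys, seal(*tx_keys, message))
```

Plain Diffie-Hellman gives the two parties a shared secret that a passive listener cannot compute, but it does not tell either party who is on the other end: an active attacker can run one exchange with each side. That is why the slides pair the session-key step with digital signatures and certificates, which authenticate the public values.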
Requirements
- Authentication and identity verification.
- Management of the virtual IP address range.
- Data encryption.
- Management of digital certificates and public and private keys.
- Support for many protocols.

Types
- Hardware-based systems: optimized, purpose-built designs; very secure and simple; high performance; high cost; additional services (firewalls, intrusion detection, antivirus, etc.). Vendors named on the slides: Cisco, Stonesoft, Juniper, Nokia, Panda Security.
- Software-based systems.

Advantages
- Security and confidentiality.
- Cost reduction.
- Scalability.
- Simple management.
- Compatibility with wireless links.

Elements
- Local or private networks: restricted-access LANs with a private IP address range.
- Insecure networks.
- VPN tunnels.
- Servers.
- Routers.
- Remote users ("road warriors").
- Remote offices (gateways).

Scenarios
- Point to point (host to host).
- LAN to LAN.
- LAN to remote user.

5.2.2 PPTP

Features
- Point-to-Point Tunneling Protocol (PPTP).
- Designed and developed by the PPTP Forum (3Com, Microsoft Corporation, Ascend Communications and ECI Telematics, among others); published by the IETF as informational RFC 2637.
- Used for virtual access of remote users to a private network.
- Uses a tunnel to carry the data from client to server.
- Runs over a private or a public IP network.

Functioning
- The PPTP server is configured to distribute private LAN IP addresses to the clients.
- The server acts as a bridge between the tunnel and the LAN.
- (Figure: LAN 192.168.1.0/24 with hosts 192.168.1.30-.32 and the PPTP server at 192.168.1.1, reachable from the Internet at 67.187.11.25; remote users receive addresses 192.168.1.100-120.)

Phases
1. PPP connection establishment with the ISP.
2. PPTP connection control: a TCP connection (port 1723) over which the control messages are exchanged.
3. Data transmission: PPP frames carried in GRE, optionally encrypted.

PPP
- Point-to-Point Protocol (RFC 1661), data link layer.
- Used for the connection to the ISP by means of a telephone line (modem) or the PSTN; versions for broadband access (PPPoE and PPPoA).
- Functions: establishing, maintaining and terminating the point-to-point connection; user authentication (PAP and CHAP); optional encryption of frames.
- (Frame: PPP | IP | Data.)

PPTP connection control
Session control messages:
- PPTP_START_SESSION_REQUEST: session start request
- PPTP_START_SESSION_REPLY: session start response
- PPTP_ECHO_REQUEST: session keepalive request
- PPTP_ECHO_REPLY: session keepalive response
- PPTP_WAN_ERROR_NOTIFY: error notification
- PPTP_SET_LINK_INFO: client-server connection configuration
- PPTP_STOP_SESSION_REQUEST: session stop request
- PPTP_STOP_SESSION_REPLY: session stop reply

PPTP authentication
Uses the same mechanisms as PPP:
- PAP (Password Authentication Protocol): very simple, the name and password are sent in plaintext.
- CHAP (Challenge Handshake Authentication Protocol): challenge-response mechanism. The client computes a fingerprint (MD5) of the received challenge combined with the shared secret; the server may send new challenges during the session to re-verify identity. The password never crosses the wire, but anyone who captures one challenge/response pair can test password guesses offline.
Two additional mechanisms:
- SPAP (Shiva Password Authentication Protocol): PAP with the client password sent encrypted (reversibly).
- MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): a proprietary CHAP-based algorithm by Microsoft with mutual authentication of client and server. MS-CHAP v2 was created after the weaknesses of MS-CHAP v1 as shipped with Windows NT were published.

Data transmission
- Uses a modified version of the GRE (Generic Routing Encapsulation) protocol (RFC 1701 and 1702).
- Establishes a functional division into three protocols: passenger protocol (PPP, carrying the user's packets), carrier protocol (GRE) and transport protocol (IP).
- PPP frames are encapsulated in GRE and sent inside IP datagrams.
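The CHAP exchange described above, worked in Python as an added example (not code from the lecture): the RFC 1994 response is MD5(identifier || secret || challenge), the authenticator keeps each challenge single-use, and the last function shows what a passive eavesdropper can do with one captured pair. The account name, secret and word list are constructed for the demo.

```python
# Added example, not from the slides: PPP CHAP (RFC 1994) and the offline
# guessing that a captured challenge/response pair allows.
import hashlib
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    def __init__(self, users: dict):
        self.users = users          # name -> shared secret; RFC 1994 needs it in clear
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self) -> tuple:
        ident = secrets.randbelow(256)
        chal = secrets.token_bytes(16)           # unpredictable and never reused
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)     # single use: a replay finds nothing
        if chal is None or name not in self.users:
            return False
        return secrets.compare_digest(response, chap_response(ident, self.users[name], chal))


def chap_peer(ident: int, chal: bytes, name: str, secret: bytes) -> tuple:
    """The client side: answer the challenge without ever sending the secret."""
    return ident, name, chap_response(ident, secret, chal)


def offline_guess(ident: int, chal: bytes, response: bytes, wordlist):
    """What a passive eavesdropper does with one captured exchange: no network needed."""
    for guess in wordlist:
        if chap_response(ident, guess, chal) == response:
            return guess
    return None


def demo() -> tuple:
    server = ChapAuthenticator({"alice": b"winter2024"})            # constructed account
    ident, chal = server.challenge()                                 # 1. Challenge (clear text)
    _, name, resp = chap_peer(ident, chal, "alice", b"winter2024")   # 2. Response
    accepted = server.verify(ident, name, resp)                      # 3. Success
    replayed = server.verify(ident, name, resp)                      # same response again: Failure
    cracked = offline_guess(ident, chal, resp, [b"password", b"summer2023", b"winter2024"])
    return accepted, replayed, cracked
```

The single-use challenge defeats replay, and the secret never travels, which is the improvement over PAP. What CHAP does not protect is the secret itself: the response is a fast hash over a human-chosen password, so the strength of the scheme is exactly the strength of that password against offline guessing.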
Encapsulation stack of a tunnelled packet, outer to inner: MAC | IP | GRE | PPP | IP | Data. The control connection travels separately as MAC | IP | TCP | Data.

Encryption
- MPPE (Microsoft Point-to-Point Encryption), RFC 3078, uses the RC4 stream cipher.
- The session key is derived from the MS-CHAP authentication exchange, that is, from the user's password hash (RFC 3079), so MPPE is only available with MS-CHAP v1/v2 (or EAP-TLS); PAP, SPAP and plain CHAP provide no key material.
- Unencrypted tunnelling is allowed (PAP or SPAP), but then there is no real VPN.

Advantages
- Low implementation cost (uses the public network).
- The number of tunnels is not limited by the server's physical interfaces (but every tunnel consumes server resources).

Disadvantages
- Very vulnerable:
  - the TCP control connection is not authenticated;
  - weakness of the MS-CHAP protocol on NT systems;
  - weakness of the MPPE protocol (RC4 keyed from the password hash);
  - everything rests on the user's password.

5.2.3 L2TP

Features
- Layer 2 Tunneling Protocol (RFC 2661), carrying PPP; L2TPv3 (RFC 3931) is multiprotocol.
- Based on two earlier protocols for carrying PPP frames over a network: PPTP and L2F (Layer Two Forwarding).
- Used together with IPsec to add security (L2TP/IPsec, RFC 3193).

Functioning
- LAC: L2TP Access Concentrator.
- LNS: L2TP Network Server; the server acts as a bridge to the LAN.
- (Figure: LAN 192.168.1.0/24 with hosts 192.168.1.31-.32 and the LNS at 192.168.1.1, public address 67.187.11.25; remote users receive 192.168.1.100-120. A voluntary tunnel starts at the remote user; a compulsory tunnel starts at the ISP's LAC.)

Types of tunnels
Voluntary (the client runs the L2TP endpoint):
1. The remote user starts a PPP connection with the ISP.
2. The L2TP client starts an L2TP tunnel to the LNS.
3. If the LNS accepts, the client encapsulates PPP in L2TP and sends the frames through the tunnel.
4. The LNS accepts the frames and processes them as if they were PPP frames.
5. The LNS authenticates the PPP user and, if valid, assigns an IP address.
Compulsory (the ISP's LAC runs the L2TP endpoint):
1. The remote user starts a PPP connection with the ISP.
2. The ISP accepts the connection and the PPP link.
3. The ISP (LAC) requests authentication.
4. The LAC starts an L2TP tunnel to the LNS.
5. If the LNS accepts, the LAC encapsulates PPP in L2TP and sends the frames.
6. The LNS accepts the L2TP frames and processes them as if they were PPP frames.
7. The LNS authenticates the PPP user and, if valid, assigns an IP address.

Messages
Two types:
- Control: used during establishment, keepalive and termination of the tunnel; a reliable control channel (guarantees message delivery).
- Data: encapsulate the PPP frames.
Both use UDP port 1701.

Control messages
Connection establishment and keepalive:
- Start-Control-Connection-Request: session start request
- Start-Control-Connection-Reply: session start response
- Start-Control-Connection-Connected: session established
- Stop-Control-Connection-Notification: session end
- Hello: sent during inactivity periods
Calls:
- Outgoing-Call-Request: start of an outgoing call
- Outgoing-Call-Reply: response to the start of an outgoing call
- Outgoing-Call-Connected: outgoing call established
- Incoming-Call-Request: start of an incoming call
- Incoming-Call-Reply: response to the start of an incoming call
- Incoming-Call-Connected: incoming call established
- Call-Disconnect-Notify: call stop
Error notification:
- WAN-Error-Notify
PPP session control:
- Set-Link-Info: configures the client-server connection

Advantages
- Low implementation cost.
- Multiprotocol support.

Disadvantages
- Only the two tunnel endpoints are identified (impersonation attacks are possible).
- No integrity protection (denial-of-service attacks are possible).
- No confidentiality: L2TP itself does not encrypt. PPP may be encrypted, but there is no mechanism for automatic key generation.
- This is why L2TP is deployed over IPsec (L2TP/IPsec), which supplies authentication, integrity and encryption.
5.2.4 IPsec

Features
- Internet Protocol Security: security services at the network layer.
- Allows linking different networks (remote offices).
- Allows a remote user to access the private resources of a network.
- IETF (Internet Engineering Task Force) standard.
- Available as an option for IPv4; part of the original IPv6 specification (mandatory to implement in the early RFCs, now recommended).
- IPsec is connection-oriented in the sense that every protected packet belongs to a negotiated security association.

Services
- Data integrity.
- Source authentication.
- Confidentiality.
- Replay attack prevention.
Functioning modes: transport mode and tunnel mode.

Security association (SA)
- Definition: a unidirectional agreement between the parties of an IPsec connection on the methods and parameters used for the tunnel, which must guarantee the security of the transmitted data. Bidirectional traffic therefore needs two SAs.
- Each entity must store: the security algorithms and keys in use; the functioning mode; the key management method; the validity time of the established connection. These records form the SA database.
- Example SA:
  SPI: 12345
  Source IP: 200.168.1.100
  Destination IP: 193.68.2.23
  Protocol: ESP
  Encryption algorithm: 3DES-CBC
  HMAC algorithm: MD5
  Encryption key: 0x7aeaca...
  HMAC key: 0xc0291f...
- Methods for key distribution and management: manual (keys delivered in person) or automatic (AutoKey IKE).

IKE protocol
- Internet Key Exchange (IKE): defined by the IETF for key distribution and management and for SA establishment.
- The standard is not limited to IPsec (it has also been proposed for OSPF or RIP).
- Hybrid protocol built from:
  - ISAKMP (Internet Security Association and Key Management Protocol): defines the message syntax and the procedures for SA establishment, negotiation, modification and deletion;
  - Oakley: specifies the logic of the secure (Diffie-Hellman based) key exchange.
- This describes IKEv1 (RFC 2409). IKEv2 (RFC 7296) simplifies the exchanges and is what current deployments use; the two-phase model below still describes what gets negotiated.

IKE - IPsec tunnel negotiation
Two phases:
- Phase 1: establishment of a secure bidirectional communication channel, the IKE SA (also called ISAKMP SA). It is different from the IPsec SAs.
- Phase 2: agreement on the cipher and authentication algorithms for the IPsec SAs, using the ISAKMP channel. The initiator offers several proposals; the other entity accepts the first one its configuration allows; the two also tell each other which traffic the SA will protect.

Advantages
- Allows secure remote access.
- Provides a secure infrastructure for electronic transactions (e-commerce).
- Allows secure corporate networks (extranets) over public networks.

Protocols
- Authentication Header (AH).
- Encapsulating Security Payload (ESP).

AH protocol
- Network layer; IP protocol field = 51.
- Services: integrity and authentication of the whole packet, including the immutable fields of the IP header; replay protection through the sequence number.
- Does not guarantee confidentiality (no data encryption).
- HMAC (keyed-Hash Message Authentication Code): a digital fingerprint (SHA or MD5) computed together with the shared secret. The Integrity Check Value (ICV) is a keyed hash, not an encrypted hash.
- (Figure: the transmitter computes the HMAC over IP | AH | DATA; the receiver recomputes it and compares.)

AH format (32-bit words)
- IP header
- AH header: Next header (8 bits) | Payload length (8 bits) | Reserved (16 bits); Security Parameters Index (SPI, 32 bits); Sequence number (32 bits); Authentication data (variable length, a multiple of 32 bits)
- Data
Field meanings:
- Next header: upper-layer protocol (4 for IP-in-IP in tunnel mode).
- Payload length: length of the AH header in 32-bit words minus 2 (it is not the length of the data).
- SPI: SA identifier.
- Sequence number: monotonically increasing, checked by the receiver's anti-replay window.
- Authentication data: variable-length HMAC (ICV), typically truncated to 96 bits.

ESP protocol
- Network layer; IP protocol field = 50.
- Services: integrity (optional), authentication (optional), confidentiality (data encryption).
- Symmetric-key encryption algorithm (slides: DES, 3DES, Blowfish; today AES), usually a block cipher, hence padding.
- Requires a secure mechanism for key distribution (IKE).
- (Figure: IP | ESP header | DATA | ESP trailer | ESP auth; the receiver verifies the ICV first, then decrypts.)

ESP format (32-bit words)
- IP header
- ESP header: Security Parameters Index (SPI); Sequence number
- Encrypted part: Data; Padding; Pad length; Next header
- Authentication data (ICV, optional)
Field meanings:
- SPI: SA identifier.
- Sequence number: anti-replay, as in AH.
- Padding and Pad length: padding length in bytes, needed for block ciphers and 32-bit alignment.
- Next header: upper-layer protocol.
- Authentication data: variable-length HMAC over the ESP header and the encrypted part; unlike AH, the outer IP header is not covered.
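The AH processing just described, worked in Python as an added example (not code from the lecture): an AH transport-mode packet is built for the SA of the example above, and the receiving SA verifies it the way RFC 4302 requires: HMAC over the IP header with its mutable fields zeroed plus AH plus payload, a 96-bit truncated ICV (HMAC-SHA1-96, RFC 2404), and a 64-packet anti-replay window driven by the sequence number. The key and payload are constructed for the demo and the IP checksum is left at zero (it is a mutable field and not covered anyway).

```python
# Added example, not from the slides: building and verifying IPsec AH
# (protocol 51) packets in transport mode with anti-replay.
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 12          # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    # version/IHL, DSCP/ECN, total length, id, flags+fragment (DF), TTL, proto,
    # checksum (0: mutable, recomputed by routers), source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302: DSCP/ECN, flags+fragment offset, TTL and checksum are zeroed for the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, next_header, payload) -> bytes:
    ah_len = 12 + ICV_LEN               # next hdr, payload len, reserved, SPI, seq, then ICV
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 20 + ah_len + len(payload), AH_PROTO)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


class InboundSA:
    """Receiving side of one unidirectional AH SA with a 64-packet replay window."""
    WINDOW = 64

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.highest = 0           # highest sequence number accepted so far
        self.seen = 0              # bit i set: packet (highest - i) was accepted

    def replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False           # 0 is never a valid sequence number
        if seq > self.highest:
            return True
        diff = self.highest - seq
        return diff < self.WINDOW and not (self.seen >> diff) & 1

    def mark_seen(self, seq: int) -> None:
        if seq > self.highest:
            self.seen = ((self.seen << (seq - self.highest)) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        ip_hdr, rest = packet[:20], packet[20:]
        if ip_hdr[9] != AH_PROTO:
            raise ValueError("not an AH packet")
        next_header, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
        ah_len = (plen + 2) * 4
        icv, payload = rest[12:ah_len], rest[ah_len:]
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self.replay_ok(seq):
            raise ValueError(f"replayed or stale sequence number {seq}")
        if not hmac.compare_digest(icv, ah_icv(self.key, ip_hdr, rest[:12], payload)):
            raise ValueError("ICV mismatch: packet modified or wrong key")
        self.mark_seen(seq)        # the window only advances after a good ICV
        return next_header, payload


def demo() -> list:
    key = bytes(range(20))                                 # constructed 160-bit key
    sa = InboundSA(12345, key)
    pkt = lambda seq: build_ah_packet(key, "200.168.1.100", "193.68.2.23", 12345, seq, 17, b"udp payload")
    results = [sa.receive(pkt(1))[1], sa.receive(pkt(3))[1], sa.receive(pkt(2))[1]]  # reorder in window ok
    aged = bytearray(pkt(4)); aged[8] = 60                 # TTL decremented by routers: still valid
    results.append(sa.receive(bytes(aged))[1])
    for bad in (pkt(1), pkt(5)[:-1] + bytes([pkt(5)[-1] ^ 1])):   # replay; tampered payload
        try:
            sa.receive(bad)
            results.append("accepted")
        except ValueError as e:
            results.append(str(e))
    return results
```

Two details are the ones that matter in practice: the mutable fields are excluded so that a legitimate router changing the TTL does not break the ICV (which is also why AH cannot survive NAT, since the addresses are covered), and the replay window is updated only after the ICV check, otherwise a forged packet with a high sequence number could push valid packets out of the window.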
Modes of operation
Applicable to AH and ESP:
- Transport mode using AH
- Transport mode using ESP
- Tunnel mode using AH
- Tunnel mode using ESP (the most used)

Transport mode
- The data are encapsulated in an AH or ESP datagram; the original IP header is kept.
- Ensures end-to-end communication, host to host (both ends must implement IPsec).
- Used to connect remote users.
- (Figure: IPsec host IP 1 <-> IPsec host IP 2; packet IP | IPsec | Data.)

Transport mode headers
- AH: Original IP header | AH header | Data. Next header = protocol of the original payload; authentication covers the whole packet.
- ESP: Original IP header | ESP header | Data | ESP trailer | ESP auth. Next header = protocol of the original payload; encryption covers Data and trailer, authentication covers the ESP header, Data and trailer.

Tunnel mode
- The whole original IP datagram is encapsulated and a new IP header is generated.
- Used when the final destination is not the IPsec endpoint (gateways).
- (Figure: host IP 1 without IPsec - gateway IP A using IPsec ==== gateway IP B using IPsec - host IP 2 without IPsec; on the public segment the packet is New IP header (A -> B) | IPsec | Original IP header (1 -> 2) | Data.)

Tunnel mode headers
- AH: New IP header (Protocol = 51) | AH header (Next header = 4) | Original IP header | Data; authentication covers everything.
- ESP: New IP header (Protocol = 50) | ESP header (Next header = 4) | Original IP header | Data | trailer | auth; encryption covers the original header and the data, so the inner addresses are hidden.

5.2.5 SSL

OpenVPN project
- An implementation of VPN based on SSL/TLS (OpenSSL).
- Free software (GPL).
- Reason: the limitations of IPsec.
- Features: a tun/tap driver builds the tunnel and encapsulates packets over a virtual link; allows authentication and encryption; all communications use a single TCP or UDP port (default 1194).
- Multiplatform.
- Allows compression.
- Client-server model (since version 2.0).
- Self-installing packages and graphical interfaces.
- Allows remote management.
- Great flexibility (hooks for many script formats).

SSL: Secure Sockets Layer
- Widely deployed security protocol sitting between the application and TCP: Application | SSL | TCP | IP.
- Originally designed by Netscape (SSL 2.0 was released in 1995, SSL 3.0 in 1996); standardized by the IETF as TLS (Transport Layer Security, TLS 1.0 in RFC 2246). Current versions are TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446).
- Provides confidentiality, integrity and authentication.
- SSL provides an application programming interface (API) to applications; C and Java SSL libraries/classes are readily available.
- Several variants exist; supported by almost all browsers and web servers (https).

SSL: general features
- Handshake: use of certificates and private keys to authenticate each other and exchange a shared secret.
- Key derivation: use of the shared secret to derive a set of keys.
- Data transfer: the data to be transferred are broken up into a series of records.
- Connection closure: special messages to securely close the connection.

SSL handshake and key derivation
(Figure: exchange between Host A and Host B. MS = master secret; EMS = encrypted master secret, the master secret sent encrypted under the server's public key.)

Key derivation
- Different keys are used for the message authentication code (MAC) and for encryption.
- Four keys:
  - Kc = encryption key for data sent from client to server
  - Mc = MAC key for data sent from client to server
  - Ks = encryption key for data sent from server to client
  - Ms = MAC key for data sent from server to client
- The master secret and (possibly) some additional random data are fed to a key-derivation function that creates the keys.

Data transfer and closure
- SSL breaks the stream into a series of records; each record carries a MAC, so the receiver can act on each record as it arrives.
- MAC = MAC(Mx, sequence || data) in the simplified model (the real computation also covers type and length). The sequence number is included in the MAC but has no field in the record: it is implicit, both sides count. Replayed, reordered or dropped records therefore fail verification.
- Random numbers (nonces) exchanged in the handshake prevent the replay of a whole earlier session.
- Record types: one type for data and one for closure (slides: type 0 for data, type 1 for closure), so an attacker cannot make a truncated stream look like a cleanly closed connection.

SSL record format
- Content type: 1 byte
- SSL version: 2 bytes
- Length: 2 bytes
- Data
- MAC
Data and MAC are encrypted; the header is not.
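The key-derivation and record-layer steps described above, worked in Python as an added example (not code from the lecture). Four directional keys come out of the master secret and the two random values, and every record carries a MAC over an implicit sequence number, the type and the data, so the receiver notices dropped, reordered or replayed records. Assumptions, all labelled in the code: the slides' simplified content types (0 = data, 1 = closure), HMAC-SHA256 as the MAC and as the expansion function, constructed master secret and randoms, and no final encryption of data || MAC with Kc/Ks, so that the sequencing logic stays visible.

```python
# Added example, not from the slides: SSL/TLS-style key derivation and the
# record layer's implicit sequence numbers.
import hashlib
import hmac
import struct

DATA, CLOSE = 0, 1          # simplified content types from the slides
VERSION = b"\x03\x03"       # TLS 1.2 record version bytes


def p_hash(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """HMAC-based expansion in the style of the TLS 1.2 PRF (RFC 5246 section 5)."""
    out, a = b"", hmac.new(secret, label + seed, hashlib.sha256).digest()
    while len(out) < n:
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
        a = hmac.new(secret, a, hashlib.sha256).digest()
    return out[:n]


def derive_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    block = p_hash(master_secret, b"key expansion", server_random + client_random, 4 * 32)
    # same order as TLS: client MAC, server MAC, client cipher, server cipher
    return {"Mc": block[0:32], "Ms": block[32:64], "Kc": block[64:96], "Ks": block[96:128]}


def record_mac(mac_key: bytes, seq: int, ctype: int, data: bytes) -> bytes:
    """MAC(Mx, sequence || type || data); the sequence number itself is never sent."""
    return hmac.new(mac_key, struct.pack("!QB", seq, ctype) + data, hashlib.sha256).digest()


class RecordWriter:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def write(self, ctype: int, data: bytes) -> bytes:
        body = data + record_mac(self.mac_key, self.seq, ctype, data)
        self.seq += 1
        return bytes([ctype]) + VERSION + struct.pack("!H", len(body)) + body


class RecordReader:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq, self.closed = mac_key, 0, False

    def read(self, record: bytes) -> bytes:
        if self.closed:
            raise ValueError("record after closure")
        ctype, length = record[0], struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + length]
        if len(body) != length or length < 32 or record[1:3] != VERSION:
            raise ValueError("malformed record")
        data, mac = body[:-32], body[-32:]
        if not hmac.compare_digest(mac, record_mac(self.mac_key, self.seq, ctype, data)):
            raise ValueError(f"bad MAC on record {self.seq}: replayed, reordered or modified")
        self.seq += 1
        if ctype == CLOSE:
            self.closed = True
        return data


def demo() -> list:
    ms, cr, sr = b"\x11" * 48, b"C" * 32, b"S" * 32             # constructed secret and randoms
    client_keys, server_keys = derive_keys(ms, cr, sr), derive_keys(ms, cr, sr)
    writer, reader = RecordWriter(client_keys["Mc"]), RecordReader(server_keys["Mc"])
    r1 = writer.write(DATA, b"GET / HTTP/1.1")
    r2 = writer.write(DATA, b"Host: example")
    r3 = writer.write(CLOSE, b"")
    out = [reader.read(r1)]
    try:                              # attacker drops r2 and delivers the closure early
        reader.read(r3)
        out.append("accepted")
    except ValueError as e:           # a real stack aborts here; we continue to show the good path
        out.append(str(e))
    out.append(reader.read(r2))
    reader.read(r3)
    out.append(reader.closed)
    return out
```

Because the counter is kept by both sides and never transmitted, the attacker cannot adjust it: a record is only valid in exactly the position its sender gave it, and a stream that stops without a closure record is detectably truncated rather than cleanly ended.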
Real connection
(Figure: TCP handshake between Host A and Host B, then the SSL handshake; "everything henceforth is encrypted"; finally the closure records, followed by the TCP FIN.)

5.3 Virtual Local Area Networks, VLAN

Introduction
- Modern institutional LANs usually have a hierarchical topology.
- Each workgroup has its own switched LAN.
- The switched LANs can be interconnected through a hierarchy of switches.
- (Figure: switch S4 at the top connecting switches S1, S2 and S3; hosts A-C on S1, D-F on S2, G-I on S3.)

Drawbacks
- Lack of traffic isolation: broadcast traffic reaches everybody, while traffic should be limited for security and confidentiality reasons.
- Inefficient use of the switches (one switch per group even when the group is small).
- User management: moving a user to another group means recabling.

Port-based VLAN
- The switch's ports are divided into groups; each group constitutes a VLAN.
- Each VLAN is a broadcast domain.
- User management becomes a change in the switch configuration.
- (Figure: one switch, ports grouped into VLANs for hosts A-I.)

How is information sent between groups?
- Connect a port of the VLAN switch to an external router and configure that port as a member of both groups.
- Logical configuration: separate switches connected through a router.
- Vendors normally include the VLAN switch and the router in a single device.
- (Figure: hosts A-I on one VLAN switch, with a router attached to a port that belongs to both VLANs.)

Different locations
- Members of a group are in different buildings, so several switches are necessary.
- Connecting the ports of each group between the switches does not scale (one cable per VLAN per pair of switches).
- (Figure: hosts A, B, D, E, G on one switch and C, F, H, I on another.)

VLAN trunking
- A trunk port belongs to all VLANs.
- Which VLAN does a frame on the trunk belong to? The 802.1Q frame format carries that information.
- (Figure: the two switches connected by a trunk link.)

IEEE 802.1Q
- IEEE 802.3 (Ethernet) frame: Preamble | Destination address | Source address | Type | Data | CRC
- IEEE 802.1Q frame: Preamble | Destination address | Source address | TPID | TCI | Type | Data | CRC
- The new fields are inserted between the source address and the Type:
  - TPID, Tag Protocol Identifier: 16 bits, value 0x8100.
  - TCI, Tag Control Information: 16 bits = 3-bit priority (PCP) | 1-bit drop-eligible indicator (DEI) | 12-bit VLAN identifier (VID, 1-4094; 0 means priority-tagged only, 4095 is reserved).
- The CRC is recomputed over the tagged frame.

Other VLAN types
- MAC-based VLAN (layer 2): the network administrator creates VLAN groups based on ranges of MAC addresses; the switch port is assigned to the VLAN that corresponds to the MAC address of the attached host.
- Layer 3 VLAN: based on network addresses (IPv4 or IPv6) or on network protocols (AppleTalk, IPX, TCP/IP).
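The 802.1Q tag described above, worked in Python as an added example (not code from the lecture): the tag is built and parsed bit for bit, stacked tags (802.1ad service tag outside a customer tag) are walked, and the last function takes the ingress decision a switch makes from the tag on access and trunk ports, including the reserved VIDs 0 and 4095. MAC addresses and payloads are constructed.

```python
# Added example, not from the slides: IEEE 802.1Q tag construction, parsing
# and the switch's ingress VLAN decision.
import struct

TPID_8021Q = 0x8100     # customer tag
TPID_8021AD = 0x88A8    # service tag (outer tag of a stacked, QinQ frame)


def build_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """TPID (16 bits) followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst: bytes, src: bytes, tags: list, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame without preamble/CRC; tags sit between source address and Type."""
    return dst + src + b"".join(tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after the source address until a real EtherType appears."""
    tags, offset = [], 12
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def classify_ingress(frame: bytes, port: dict):
    """VLAN the switch assigns to a received frame, or None when it must be dropped.

    port is {"mode": "access", "vid": n} or
            {"mode": "trunk", "native_vid": n, "allowed": set_of_vids}.
    """
    tags = parse_frame(frame)["tags"]
    vid = tags[0]["vid"] if tags else None        # only the outermost tag matters here
    if vid == 4095:
        return None                               # reserved, never valid on the wire
    if vid == 0:
        vid = None                                # priority-tagged frame counts as untagged
    if port["mode"] == "access":
        return port["vid"] if vid is None else None   # tagged frames do not belong on an access port
    if vid is None:
        return port["native_vid"]                 # untagged on a trunk: native VLAN
    return vid if vid in port["allowed"] else None


if __name__ == "__main__":
    f = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", [build_tag(20, pcp=5)], 0x0800, b"\x45")
    print(build_tag(20).hex())         # 81000014
    print(parse_frame(f))
    print(classify_ingress(f, {"mode": "trunk", "native_vid": 1, "allowed": {10, 20}}))   # 20
```

The two decisions worth remembering from `classify_ingress` are that an access port must never honour a tag it receives (the port, not the host, decides the VLAN) and that a trunk must filter received VIDs against its allowed list; both are the configuration points that keep VLAN membership under the administrator's control rather than the attached host's.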