+ All Categories

Ch32

Date post: 18-Jan-2015
Category:
Upload: bitistu
View: 428 times
Download: 4 times
Share this document with a friend
Description:
 
Popular Tags:
44
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Transcript
Page 1: Ch32

32.1

Chapter 32

Security in the Internet:IPSec, SSL/TLS, PGP,

VPN, and Firewalls

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Page 2: Ch32

32.2

Figure 32.1 Common structure of three security protocols

Page 3: Ch32

32.3

32-1 IPSecurity (IPSec)32-1 IPSecurity (IPSec)

IPSecurity (IPSec) is a collection of protocols designed IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level. provide security for a packet at the network level.

Two ModesTwo Security ProtocolsSecurity AssociationInternet Key Exchange (IKE)Virtual Private Network

Topics discussed in this section:Topics discussed in this section:

Page 4: Ch32

32.4

Figure 32.2 TCP/IP protocol suite and IPSec

Page 5: Ch32

32.5

Figure 32.3 Transport mode and tunnel modes of IPSec protocol

Page 6: Ch32

32.6

IPSec in the transport mode does not protect the IP header; it only protects

the information coming from the transport layer.

Note

Page 7: Ch32

32.7

Figure 32.4 Transport mode in action

Page 8: Ch32

32.8

Figure 32.5 Tunnel mode in action

Page 9: Ch32

32.9

IPSec in tunnel mode protects the original IP header.

Note

Page 10: Ch32

32.10

Figure 32.6 Authentication Header (AH) Protocol in transport mode

Page 11: Ch32

32.11

The AH Protocol provides source authentication and data integrity,

but not privacy.

Note

Page 12: Ch32

32.12

Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode

Page 13: Ch32

32.13

ESP provides source authentication, data integrity, and privacy.

Note

Page 14: Ch32

32.14

Table 32.1 IPSec services

Page 15: Ch32

32.15

Figure 32.8 Simple inbound and outbound security associations

Page 16: Ch32

32.16

IKE creates SAs for IPSec.

Note

Page 17: Ch32

32.17

Figure 32.9 IKE components

Page 18: Ch32

32.18

Table 32.2 Addresses for private networks

Page 19: Ch32

32.19

Figure 32.10 Private network

Page 20: Ch32

32.20

Figure 32.11 Hybrid network

Page 21: Ch32

32.21

Figure 32.12 Virtual private network

Page 22: Ch32

32.22

Figure 32.13 Addressing in a VPN

Page 23: Ch32

32.23

32-2 SSL/TLS32-2 SSL/TLS

Two protocols are dominant today for providing Two protocols are dominant today for providing security at the transport layer: the Secure Sockets security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an Security (TLS) Protocol. The latter is actually an IETF version of the former. IETF version of the former.

SSL ServicesSecurity ParametersSessions and ConnectionsFour ProtocolsTransport Layer Security

Topics discussed in this section:Topics discussed in this section:

Page 24: Ch32

32.24

Figure 32.14 Location of SSL and TLS in the Internet model

Page 25: Ch32

32.25

Table 32.3 SSL cipher suite list

Page 26: Ch32

32.26

Table 32.3 SSL cipher suite list (continued)

Page 27: Ch32

32.27

The client and the server have six different cryptography secrets.

Note

Page 28: Ch32

32.28

Figure 32.15 Creation of cryptographic secrets in SSL

Page 29: Ch32

32.29

Figure 32.16 Four SSL protocols

Page 30: Ch32

32.30

Figure 32.17 Handshake Protocol

Page 31: Ch32

32.31

Figure 32.18 Processing done by the Record Protocol

Page 32: Ch32

32.32

32-3 PGP32-3 PGP

One of the protocols to provide security at the One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential designed to create authenticated and confidential e-mails. e-mails.

Security ParametersServicesA ScenarioPGP AlgorithmsKey RingsPGP Certificates

Topics discussed in this section:Topics discussed in this section:

Page 33: Ch32

32.33

Figure 32.19 Position of PGP in the TCP/IP protocol suite

Page 34: Ch32

32.34

In PGP, the sender of the message needs to include the identifiers of the

algorithms used in the message as well as the values of the keys.

Note

Page 35: Ch32

32.35

Figure 32.20 A scenario in which an e-mail message is authenticated and encrypted

Page 36: Ch32

32.36

Table 32.4 PGP Algorithms

Page 37: Ch32

32.37

Figure 32.21 Rings

Page 38: Ch32

32.38

In PGP, there can be multiple paths from fully or partially trusted authorities to

any subject.

Note

Page 39: Ch32

32.39

32-4 FIREWALLS32-4 FIREWALLS

All previous security measures cannot prevent Eve All previous security measures cannot prevent Eve from sending a harmful message to a system. To from sending a harmful message to a system. To control access to a system, we need firewalls. A control access to a system, we need firewalls. A firewall is a device installed between the internal firewall is a device installed between the internal network of an organization and the rest of the network of an organization and the rest of the Internet. It is designed to forward some packets and Internet. It is designed to forward some packets and filter (not forward) others.filter (not forward) others.

Packet-Filter FirewallProxy Firewall

Topics discussed in this section:Topics discussed in this section:

Page 40: Ch32

32.40

Figure 32.22 Firewall

Page 41: Ch32

32.41

Figure 32.23 Packet-filter firewall

Page 42: Ch32

32.42

A packet-filter firewall filters at the network or transport layer.

Note

Page 43: Ch32

32.43

Figure 32.24 Proxy firewall

Page 44: Ch32

32.44

A proxy firewall filters at the application layer.

Note


Recommended