27/12/2019
GC2019-2020
Security in Computer Networks: IPsec VPNs

Virtual Private Networks
▪ Private networks can be very costly: an institution needs to purchase, install and maintain its own physical network infrastructure
▪ Today many companies use Virtual Private Networks (VPNs) to establish secure private network connections over any other network (such as the public Internet), allowing them to reduce their communications expenses
▪ A VPN emulates a private network
▪ Company’s inter-office traffic is sent over the (public) shared network
  • logically separate from other traffic
  • encrypted before entering the shared network
▪ Currently, the two most common techniques used for creating Internet-based VPNs are IPsec and SSL/TLS
▪ IPsec VPNs are generally grouped in two categories:
  ▪ Site-to-Site VPNs
  ▪ Remote User VPNs

Site-to-Site VPNs
▪ Also known as gateway-to-gateway VPNs
▪ Used to connect two networks together
▪ Built around the idea that the benefits provided by IPsec are not needed from host to host, only from one site to another
▪ All communications are authenticated and encrypted before they enter the VPN Service Provider’s network
[Figure: site-to-site VPN; label: IPsec process]

Remote User VPNs
▪ Also called host-to-gateway VPNs
▪ Usually used to link with a corporate office from remote locations
▪ Provide mobility and are economical
▪ One of the important points is strong authentication
▪ Mobile users connect to the network using VPN client software, which encapsulates, encrypts, and signs the traffic before sending it through the Internet to the VPN gateway
[Figure: remote user VPN; label: IPsec process]

IPsec
▪ IPsec (IP security) provides security at the network level
▪ Suite defined in more than a dozen RFCs
▪ Two main protocols:
  ▪ Authentication Header (AH)
    • does not provide confidentiality, only source authentication and data integrity
  ▪ Encapsulating Security Payload (ESP)
    • provides source authentication, data integrity and confidentiality
    • more widely used than AH (therefore, we will focus exclusively on the ESP protocol)
▪ A network-layer logical connection, named Security Association (SA), is built between two IPsec entities
  ▪ An SA is simplex (unidirectional from source to destination)
  ▪ If both entities want to send secure datagrams to each other, then two SAs are needed, one in each direction
▪ IPsec operates in one of two different modes: transport mode or tunnel mode

IPsec transport mode
▪ When transport mode is used, IPsec protects only the IP payload (a TCP segment, a UDP segment or an ICMP message), not the IP header
▪ Transport mode is used for end-to-end communications (for example, for communications between a client and a server).
▪ An SA is built between two hosts
[Figure: transport mode. IPsec-aware hosts A and B joined by an SA across the Internet; IP datagram with ESP: IP Source = A, IP Destination = B; ESP, MAC]

IPsec – tunnel mode
▪ In tunnel mode, IPsec protects the entire IP packet
▪ Tunnel mode is typically used when an SA is built between two IPsec gateways (site-to-site VPN) or between an IPsec gateway and a host (remote user VPN)
▪ Tunnel mode is preferred because it allows private addressing
[Figure: tunnel mode, gateway-to-gateway. Hosts A and B, IPsec gateways R1 and R2, tunnel across the Internet; IP datagram with ESP: (new) IP SRC = R1, IP DST = R2; (original) IP SRC = A, IP DST = B]

IPsec – tunnel mode (cont.)
[Figure: tunnel mode, host-to-gateway. Labels: IPsec, A, R1, R2, B, tunnel, Internet; IP datagram with ESP: (new) IP SRC = A, IP DST = R2; (original) IP SRC = A, IP DST = B]

Security associations (SAs)
▪ The endpoints maintain state information about the SA
▪ An IPsec entity holds SA state information for all of its SAs in a Security Association Database (SAD)
▪ Along with the SAD, the IPsec entity also maintains a Security Policy Database (SPD)
▪ The SPD contains the rules which indicate what types of datagrams (as a function of source IP address, destination IP address, protocol type) are to be IPsec processed and which SA should be used
▪ For large VPNs, instead of manual configuration, an automatic mechanism can be used to create the SAs (the two IPsec entities exchange certificates, negotiate authentication and encryption algorithms, create session keys, …)
  ▪ IPsec IKE (Internet Key Exchange)

SA from R1 to R2
R1 stores for the SA:
▪ a 32-bit SA identifier: Security Parameter Index (SPI)
▪ the IP addresses of the origin SA interface (200.168.1.100) and of the destination SA interface (193.68.2.23)
▪ the type of encryption used (e.g., AES)
▪ the encryption key
▪ the type of integrity check used (e.g., HMAC with MD5)
▪ the authentication key
[Figure: security association between R1 (200.168.1.100) and R2 (193.68.2.23) across the Internet; labels: headquarters, branch office, 172.16.1/24, 172.16.2/24]

IPsec datagram
▪ Focus on tunnel mode with ESP
new IP header | ESP hdr | original IP hdr | original IP datagram payload | ESP trl | ESP MAC
  ESP hdr: SPI, Seq#
  ESP trl: padding, pad length, next header
  encrypted: original IP hdr, original IP datagram payload, ESP trl
  “enchilada” authenticated: ESP hdr through ESP trl
[Figure: security association between R1 (200.168.1.100) and R2 (193.68.2.23) across the Internet; labels: headquarters, branch office, 172.16.1/24, 172.16.2/24]

What happens?
R1 converts the original IP datagram to an IPsec datagram:
▪ appends to the back of the original datagram an “ESP trailer”;
▪ encrypts the result using the algorithm and the key specified by the SA;
▪ appends to the front of this encrypted quantity the “ESP header”, creating the “enchilada”;
▪ creates the authentication MAC over the whole enchilada, using the algorithm and key specified by the SA;
▪ appends the MAC to the back of the enchilada, forming the payload;
▪ creates a new IP header, with all the classic IPv4 header fields, which it appends before the payload.

Inside the enchilada:
▪ ESP trailer:
  ▪ padding, for block ciphers
  ▪ next header, for identifying the type of payload data
▪ ESP header:
  ▪ SPI, so that the receiving entity knows what to do
  ▪ Sequence number, to thwart replay attacks
▪ MAC in the ESP auth field is created with a shared secret key
[Figure: IPsec datagram layout: new IP header, ESP hdr (SPI, Seq#), original IP header, original IP datagram payload, ESP trl (padding, pad length, next header), ESP MAC]
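
The steps on the “What happens?” and “Inside the enchilada” slides, as an added Python example that is not part of the original slides: the sender builds the ESP payload and the receiver checks and unwraps it. The SPI, keys and sample datagram are constructed; a SHA-256 keystream stands in for the SA's cipher (e.g. AES), HMAC-SHA-256 truncated to 16 bytes stands in for the SA's integrity check, and the new outer IP header is left out.

```python
import hashlib, hmac, struct

BLOCK, ICV_LEN = 16, 16   # pad to a 16-byte cipher block; MAC truncated to 16 bytes (assumed)
NEXT_HDR_IPV4 = 4         # "next header" value for an encapsulated IPv4 datagram
SAMPLE_INNER = b"constructed stand-in for the original A->B IP datagram"

def new_sa():
    """SA state as each endpoint would hold it: SPI, keys, sequence counters (all constructed)."""
    return {"spi": 0x1001, "enc_key": bytes(range(32)),
            "auth_key": bytes(range(32, 64)), "seq": 0, "last_seq": 0}

def keystream_xor(key, spi, seq, data):
    """Stand-in for the SA's cipher (e.g. AES): SHA-256 counter keystream, illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("!III", spi, seq, i)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def icv(sa, enchilada):
    return hmac.new(sa["auth_key"], enchilada, hashlib.sha256).digest()[:ICV_LEN]

def esp_encapsulate(sa, inner):
    """Sender: trailer -> encrypt -> ESP header -> MAC over the enchilada."""
    sa["seq"] += 1
    pad_len = -(len(inner) + 2) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPV4])
    header = struct.pack("!II", sa["spi"], sa["seq"])
    enchilada = header + keystream_xor(sa["enc_key"], sa["spi"], sa["seq"], inner + trailer)
    return enchilada + icv(sa, enchilada)

def esp_decapsulate(sa, payload):
    """Receiver: SPI lookup, MAC check, replay check, decrypt, strip trailer."""
    if len(payload) < 8 + BLOCK + ICV_LEN:
        raise ValueError("truncated ESP payload")
    enchilada, mac = payload[:-ICV_LEN], payload[-ICV_LEN:]
    spi, seq = struct.unpack("!II", enchilada[:8])
    if spi != sa["spi"]:
        raise ValueError("no SA for this SPI")
    if not hmac.compare_digest(mac, icv(sa, enchilada)):
        raise ValueError("MAC check failed")
    if seq <= sa["last_seq"]:   # simplified: real receivers use a sliding window
        raise ValueError("replayed sequence number")
    sa["last_seq"] = seq
    plain = keystream_xor(sa["enc_key"], spi, seq, enchilada[8:])
    pad_len, next_hdr = plain[-2], plain[-1]
    return plain[:-2 - pad_len], next_hdr
```

The receiver updates its sequence state only after the MAC verifies, so a forged packet cannot advance the replay counter.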

ESP trailer: next header

Split tunneling
▪ Typically, an SPD contains a policy that encrypts information between entities of an organization
▪ Instead, any traffic destined for a network outside the organization (typically the Internet) is sent unencrypted
▪ Split tunneling is a high-performance solution with low bandwidth requirements

Split tunneling (cont.)
▪ Without split tunneling, instead, all traffic is encrypted and sent to the central site
▪ The central site decrypts the traffic and sends Internet-bound traffic back out to the Internet through the central site’s Internet edge and security solution
▪ This clearly increases response times, increases the crypto load on the remote router or PC, and increases bandwidth requirements
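
The two SPD policies described on the split tunneling slides, as an added Python example that is not part of the original slides: the same flows are looked up against a split-tunnel SPD and a full-tunnel SPD, and the bytes that must be encrypted are compared. The assignment of 172.16.2.0/24 to the remote office and 172.16.1.0/24 to the central site, the SPI and the flows are assumptions made for the example; the action names PROTECT, BYPASS and DISCARD follow RFC 4301.

```python
import ipaddress

# Assumed layout for this example: remote office 172.16.2.0/24, central site 172.16.1.0/24.
REMOTE = ipaddress.ip_network("172.16.2.0/24")
CENTRAL = ipaddress.ip_network("172.16.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
TUNNEL_SPI = 0x2001   # constructed SPI of the SA from the remote gateway to the central site

# SPD entry: (source selector, destination selector, protocol or None for any, action, SPI)
SPD_SPLIT = [
    (REMOTE, CENTRAL, None, "PROTECT", TUNNEL_SPI),   # inter-office traffic is encrypted
    (REMOTE, ANY, None, "BYPASS", None),              # Internet-bound traffic leaves unencrypted
]
SPD_FULL = [
    (REMOTE, ANY, None, "PROTECT", TUNNEL_SPI),       # everything goes to the central site
]

def spd_lookup(spd, src, dst, proto):
    """Return (action, SPI) of the first matching entry; unmatched traffic is discarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_sel, dst_sel, sel_proto, action, spi in spd:
        if s in src_sel and d in dst_sel and sel_proto in (None, proto):
            return action, spi
    return "DISCARD", None

def tunneled_bytes(spd, flows):
    """Bytes the remote gateway must encrypt and send through the tunnel."""
    return sum(size for src, dst, proto, size in flows
               if spd_lookup(spd, src, dst, proto)[0] == "PROTECT")

# Constructed flows: (source, destination, protocol, bytes)
FLOWS = [
    ("172.16.2.10", "172.16.1.5", "TCP", 4000),
    ("172.16.2.10", "198.51.100.7", "TCP", 90000),
    ("172.16.2.11", "203.0.113.53", "UDP", 600),
]
```

Entry order matters in `SPD_SPLIT`: the inter-office entry must precede the catch-all, otherwise inter-office traffic would match BYPASS first and leave unencrypted.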

A review on firewalls

Firewalls
A combination of hardware and software that isolates an organization’s internal network from the Internet, allowing some packets to pass, blocking others
[Figure: firewall between the administered network (trusted “good guys”) and the public Internet (untrusted “bad guys”)]

Stateless packet filtering
▪ Internal network connected to Internet via a router firewall
▪ Router filters packet-by-packet
▪ Decisions to forward/drop packets are typically based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits
[Figure caption: Should the packet be allowed to pass, or should it be dropped?]

Access Control Lists
▪ Firewall rules are implemented in routers with Access Control Lists (ACLs)
▪ Each router interface has its own list
▪ Rules are applied from the top down

action  source address        dest address          protocol  source port  dest port  flag bit
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     ACK
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     ---
deny    all                   all                   all       all          all        all

Stateful packet filtering
▪ A stateless packet filter makes decisions on each packet in isolation
  ▪ admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection is established:

action  source address        dest address  protocol  source port  dest port  flag bit
allow   outside of 222.22/16  222.22/16     TCP       80           > 1023     ACK

  ▪ Is vulnerable to IP spoofing attacks
▪ Stateful packet filters track all ongoing TCP connections in a connection table
  ▪ track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “make sense”

Stateful packet filtering (cont.)
▪ ACL extended to indicate the need to check connection state table before admitting a packet

action  source address        dest address          proto  source port  dest port  flag bit  check connection
allow   222.22/16             outside of 222.22/16  TCP    > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP    80           > 1023     ACK       X
allow   222.22/16             outside of 222.22/16  UDP    > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP    53           > 1023     ---
deny    all                   all                   all    all          all        all

▪ Stateful packet filters don’t detect attacks at layers above the fourth one and are vulnerable to DoS attacks that saturate the state table
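
The ACL from the slides evaluated both ways, as an added Python example that is not part of the original slides: the same ACK packet that matches the second ACL row (source port 80, ACK set) is admitted by the stateless filter and dropped by the stateful one, which only accepts it for a connection an inside host opened. The packet dictionaries, function names and sample addresses are constructed for the example.

```python
import ipaddress

INSIDE = ipaddress.ip_network("222.22.0.0/16")
HIGH = range(1024, 65536)   # "> 1023"
# (action, src inside?, dst inside?, protocol, source ports, dest ports, flag bit, check connection)
ACL = [
    ("allow", True,  False, "TCP", HIGH, [80], None,  False),
    ("allow", False, True,  "TCP", [80], HIGH, "ACK", True),
    ("allow", True,  False, "UDP", HIGH, [53], None,  False),
    ("allow", False, True,  "UDP", [53], HIGH, None,  False),
]   # anything that matches no row falls through to "deny all"

def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE

def decide(pkt, conn_table=None):
    """Apply the ACL from the top down; conn_table=None means stateless filtering."""
    for action, s_in, d_in, proto, sports, dports, flag, check in ACL:
        if (is_inside(pkt["src"]), is_inside(pkt["dst"]), pkt["proto"]) != (s_in, d_in, proto):
            continue
        if pkt["sport"] not in sports or pkt["dport"] not in dports:
            continue
        if flag and flag not in pkt["flags"]:
            continue
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if check and conn_table is not None and reverse not in conn_table:
            continue   # ACK for a connection no inside host opened
        return action
    return "deny"

def stateful_filter(pkt, conn_table):
    """Decide, then track connection setup (outbound SYN) and teardown (FIN)."""
    verdict = decide(pkt, conn_table)
    outbound = is_inside(pkt["src"])
    fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    key = fwd if outbound else (fwd[2], fwd[3], fwd[0], fwd[1])
    if verdict == "allow" and pkt["proto"] == "TCP":
        if outbound and "SYN" in pkt["flags"]:
            conn_table.add(key)
        elif "FIN" in pkt["flags"]:
            conn_table.discard(key)
    return verdict

def packet(src, sport, dst, dport, proto="TCP", flags=()):
    return dict(src=src, sport=sport, dst=dst, dport=dport, proto=proto, flags=flags)

# Constructed sample packets
SYN_OUT = packet("222.22.1.7", 40000, "203.0.113.10", 80, flags=("SYN",))
REPLY_IN = packet("203.0.113.10", 80, "222.22.1.7", 40000, flags=("SYN", "ACK"))
FORGED_IN = packet("198.51.100.9", 80, "222.22.5.5", 5000, flags=("ACK",))
```

Every entry added to `conn_table` consumes memory until teardown, which is the state-table exhaustion risk noted on the slide; production filters bound the table and age entries out.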

Application gateways (application firewalls)
▪ They filter packets on application-layer data as well as on IP/TCP/UDP fields.
▪ Example: allow select internal users to telnet outside.
1. require all telnet users to telnet through a gateway.
2. for authorized users, the gateway sets up a telnet connection to the remote host. The gateway relays data between the two connections
3. R1 blocks all telnet connections not originating from the gateway.
▪ An application firewall is specific to each application and may be a bottleneck due to the additional processing for application-level protocols.
[Figure: host-to-gateway telnet session, application gateway, gateway-to-remote host telnet session; router and filter R1]

Intrusion Detection Systems (IDSs)
▪ IDSs:
  ▪ perform deep packet inspection: look at packet contents (e.g., check character strings in the packet against a database of known virus and attack strings)
  ▪ examine correlation among multiple packets
    • port scanning
    • DoS attack
    • …
  ▪ generate alerts when they observe potentially malicious traffic
    • IPS (Intrusion Prevention System): a device that filters out suspicious traffic
▪ Host-based IDS (HIDS)
▪ Network IDS (NIDS)

Intrusion detection systems
▪ Multiple Network IDSs (NIDSs) are typically employed
  ▪ each sensor sees only a fraction of the organization’s traffic
  ▪ different types of checking at different locations
▪ NIDSs work in concert, sending alerts to a central IDS processor, which aggregates alerts and sends them to network administrators
[Figure: IDS sensors placed around the firewall; labels: Internet, firewall, internal network, DMZ (demilitarized zone) with Web server, FTP server and DNS server]

Distributed Firewalls
▪ Firewalls are deployed throughout the enterprise network in key locations
▪ The distributed firewall strategy helps to protect against internal threats
▪ New network security perimeters: between switches and back-end servers, between different departments, where a wireless LAN meets the wired network
[Figure: distributed firewalls; labels: L2 switch, L3 switch]

Firewall and IPsec Gateway placement for IPsec VPNs

Trusted IPsec topology
▪ Site-to-site and remote user VPNs are combined onto the same gateway device
▪ Once authenticated, the IPsec VPN is trusted and granted connectivity on par with internal users
  ▪ after authentication and decryption, the traffic is passed directly to the internal network
▪ Additional security controls in firewalls and NIDS are not used

Trusted IPsec topology (cont.)
▪ In this alternative topology the IPsec traffic is routed from a dedicated interface onto the firewall
▪ The firewall does not provide any added security, save one: to detect attacks against the IPsec gateway, you can audit the access control logging information

Semitrusted IPsec topology
▪ Traffic is routed into a firewall after decryption

Semitrusted IPsec topology (cont.)
▪ In this alternative topology all traffic flows into and out of two interfaces on the same firewall
▪ To detect attacks against the IPsec gateway, you can audit the access control logging information

Semitrusted IPsec topology (cont.)
▪ The firewall functionality is integrated into the IPsec gateway
▪ The corporate firewall is not used for VPN users

Network edge design
▪ Redundancy is not shown, to better visualize the flows through the network
Nowadays obsolete
[Figure: network edge design; label: DMZ]

Some examples on application security design: web and e-mail

Three-tier web design
▪ The web server displays the content to the user; the application server processes user input and generates the content, accessing the database server if needed
▪ By separating the three functions, it is more difficult for the attacker to get at the applications and at the database, which is where real damage can result
[Figure: three-tier web design; label: DMZ]

Three-tier web design (cont.)

Basic two-tier e-mail design
▪ The antivirus (AV) software can be added on the mail servers directly
▪ Without antivirus filtering on the e-mail servers, signatures must be updated on each and every host, increasing the risk that damage can be done before you are able to stop it
[Figure: basic two-tier e-mail design; label: DMZ]

Distributed two-tier e-mail design
▪ Dedicated servers for e-mail antivirus (AV) processing
[Figure: distributed two-tier e-mail design; label: DMZ]

References
▪ J. Kurose and K.W. Ross, “Computer Networking. A Top-Down Approach”, sixth edition, Pearson Addison-Wesley
▪ S. Convery, “Network Security Architecture”, Cisco Press