Networking - Security Protocols, IP Addresses

Security Protocols
All the security principles and concepts discussed in the previous two chapters can be used to provide all aspects of security for the Internet model.
In particular, security measures can be applied to the network layer, transport layer, and application layer.
At the IP layer, implementation of security features is very complicated, especially since every device must be enabled.
IP provides services not only for user applications, but also for other protocols such as OSPF, ICMP, and IGMP.
This means that implementation of security at this level is not very effective unless all devices are equipped to use it.
We discuss a protocol called IPSec that provides security at the IP level.
At the transport layer, security is even more complicated. We could modify the application or modify the transport layer for security.
Instead, we discuss a protocol that "glues" a new layer to the transport layer to provide security on behalf of the transport layer.
At the application layer, each application is responsible for providing security. The implementation of security at this level is the simplest.
It concerns two entities: the client and the server. We discuss a security method at the application layer called PGP.
A mechanism often used to ensure the integrity of an organization is a firewall. We give a brief discussion of firewalls in this chapter.
IP-Level Security: IPSec
IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the IP level.
IPSec does not define the use of any specific encryption or authentication method. Instead, it provides a framework and a mechanism: it leaves the selection of the encryption, authentication, and hashing methods to the user.
Security Association
IPSec requires a logical connection between two hosts using a signaling protocol, called Security Association (SA).
In other words, IPSec needs the connectionless IP protocol changed to a connection-oriented protocol before security can be applied.
An SA connection is a simplex (unidirectional) connection between a source and destination. If a duplex (bidirectional) connection is needed, two SA connections are required, one in each direction. An SA connection is uniquely defined by three elements:
1. A 32-bit security parameter index (SPI), which acts as a virtual circuit identifier in connection-oriented protocols such as Frame Relay or ATM.
2. The type of the protocol used for security. We will see shortly that IPSec defines two alternative protocols: AH and ESP.
3. The source IP address.
Two Modes
IPSec operates at two different modes: transport mode and tunnel mode. The mode defines where the IPSec header is added to the IP packet.
Transport Mode
In this mode, the IPSec header is added between the IP header and the rest of the packet, as shown in Figure.
Two Security Protocols
IPSec defines two protocols: Authentication Header (AH) protocol and Encapsulating Security Payload (ESP) protocol. We discuss both of these protocols here.
Authentication Header (AH) Protocol
The Authentication Header (AH) protocol is designed to authenticate the source host and to ensure the integrity of the payload carried by the IP packet.
The protocol calculates a message digest, using a hashing function and a symmetric key, and inserts the digest in the authentication header.
The AH is put in the appropriate location based on the mode (transport or tunnel).
Figure shows the position of the authentication header in the transport mode.
Encapsulating Security Payload
The AH protocol does not provide privacy, only source authentication and data integrity.
IPSec later defined an alternative protocol that provides source authentication, integrity, and privacy called Encapsulating Security Payload (ESP).
ESP adds a header and a trailer. Note that ESP's authentication data are added at the end of the packet, which makes their calculation easier.
Figure 31.4 shows the location of the ESP header and trailer.
Transport Layer Security
Transport Layer Security (TLS) was designed to provide security at the transport layer.
TLS was derived from a security protocol called Secure Sockets Layer (SSL), designed by Netscape to provide security on the WWW.
TLS is a nonproprietary version of SSL designed by the IETF. For transactions on the Internet, a browser needs the following:
1. The customer needs to be sure that the server belongs to the actual vendor, not an imposter. For example, a customer does not want to give an imposter her credit card number. In other words, the server must be authenticated.
2. The customer needs to be sure that the contents of the message are not modified during transmission.
A bill for $100 must not be changed to $1000. The integrity of the message must be preserved.
3. The customer needs to be sure that an imposter does not intercept sensitive information such as a credit card number. There is a need for privacy.
There are other optional security aspects that can be added to the above list.
For example, the vendor may need to authenticate the customer. TLS can provide additional features to cover these aspects of security.
Position of TLS
TLS lies between the application layer and the transport layer (TCP), as shown in Figure
The application layer protocol, in this case HTTP, uses the services of TLS, and TLS uses the services of the transport layer.
Two Protocols
TLS is actually two protocols: the handshake protocol and the data exchange (sometimes called the record) protocol.
Handshake Protocol
The handshake protocol is responsible for negotiating security, authenticating the server to the browser, and (optionally) defining other communication parameters.
The handshake protocol defines the exchange of a series of messages between the browser and server.
We discuss a simplified version, as shown in Figure
1. The browser sends a hello message that includes the TLS version and some preferences.
2. The server sends a certificate message that includes the public key of the server.
The public key is certified by some certification authority, which means that the public key is encrypted by a CA private key.
The browser has a list of CAs and their public keys. It uses the corresponding key to decrypt the certificate and finds the server public key.
This also authenticates the server because the public key is certified by the CA.
3. The browser generates a secret key, encrypts it with the server public key, and sends it to the server.
4. The browser sends a message, encrypted by the secret key, to inform the server that handshaking is terminating from the browser side.
5. The server decrypts the secret key using its private key and decrypts the message using the secret key.
It then sends a message, encrypted by the secret key, to inform the browser that handshaking is terminating from the server side.
Note that handshaking uses the public key for two purposes: to authenticate the server and to encrypt the secret key, which is used in the data exchange protocol.
Data Exchange Protocol
The data exchange (record) protocol uses the secret key to encrypt the data for secrecy and to encrypt the message digest for integrity.
The details and specification of algorithms are agreed upon during the handshake phase.
Application Layer Security: PGP
The implementation of security at the application layer is more feasible and simpler, particularly when the Internet communication involves only two parties, as in the case of email and TELNET.
The sender and the receiver can agree to use the same protocol and to use any type of security services they desire.
In this section, we discuss one protocol used at the application layer to provide security: PGP.
Pretty Good Privacy (PGP) was invented by Phil Zimmermann to provide all four aspects of security (privacy, integrity, authentication, and nonrepudiation) in the sending of email.
PGP uses a digital signature (a combination of hashing and public-key encryption) to provide integrity, authentication, and nonrepudiation.
It uses a combination of secret-key and public-key encryption to provide privacy. Specifically, it uses one hash function, one secret key, and two private-public key pairs.
The email message is hashed to create a digest. The digest is encrypted (signed) using the sender's private key. The message and the digest are encrypted using a one-time secret key created by the sender.
The secret key is encrypted using the receiver's public key and is sent together with the encrypted combination of message and digest.
The combination of encrypted secret key and message plus digest is received.
The encrypted secret key is first decrypted (using the receiver's private key) to get the one-time secret key created by the sender.
The secret key is then used to decrypt the combination of the message plus digest.
Firewalls
All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls.
A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet.
It is designed to forward some packets and filter (not forward) others.
Figure shows a firewall.
For example, a firewall may filter all incoming packets destined for a specific host or a specific server such as HTTP.
A firewall can be used to deny access to a specific host or a specific service in the organization.
A firewall is usually classified as a packet-filter firewall or a proxy-based firewall.
Packet-Filter Firewall
A firewall can be used as a packet filter.
It can forward or block packets based on the information in the network layer and transport layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP).
A packet-filter firewall is a router that uses a filtering table to decide which packet must be discarded (not forwarded).
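The filtering table described above, as an added example that is not part of the original text: a packet filter that decides, from network-layer and transport-layer header fields only, whether to forward or discard each packet. The addresses and rules are constructed sample data (documentation ranges), not a real deployment.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter examines: network layer
    (source/destination address) and transport layer (protocol, ports)."""
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One row of the filtering table. A field left as None matches anything."""
    action: str                 # "deny" (discard) or "permit" (forward)
    src: Optional[str] = None   # single address or network in CIDR form
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        return self.dport is None or self.dport == p.dport


# Constructed filtering table. Addresses are hypothetical values from the
# 192.0.2.0/24 (internal) and 198.51.100.0/24 (external) documentation ranges.
# Rows are checked top to bottom and the first match decides.
FILTER_TABLE: List[Rule] = [
    Rule("deny", src="198.51.100.0/24"),                    # drop everything from one outside network
    Rule("deny", dst="192.0.2.8"),                          # drop all packets destined for one host
    Rule("deny", proto="TCP", dst="192.0.2.10", dport=80),  # drop HTTP requests to one server
    Rule("permit"),                                         # forward everything else
]


def decide(p: Packet, table: List[Rule] = FILTER_TABLE) -> str:
    """Return 'permit' or 'deny' for one packet. A packet that matches no row
    is discarded: the router only forwards what the table explicitly allows."""
    for rule in table:
        if rule.matches(p):
            return rule.action
    return "deny"


def forwarded(packets: List[Packet], table: List[Rule] = FILTER_TABLE) -> List[Packet]:
    """Apply the table to a batch of packets and keep those to be forwarded."""
    return [p for p in packets if decide(p, table) == "permit"]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.20", "TCP", 40000, 25),   # blocked by row 1
        Packet("203.0.113.5", "192.0.2.8", "UDP", 5000, 53),      # blocked by row 2
        Packet("203.0.113.5", "192.0.2.10", "TCP", 5000, 80),     # blocked by row 3
        Packet("203.0.113.5", "192.0.2.10", "TCP", 5000, 443),    # forwarded
    ]
    for p in samples:
        print(decide(p), p)
```

Note that the filter never looks past the TCP/UDP header: two HTTP requests to port 80 on the same server are indistinguishable to it, which is exactly the limitation the proxy firewall section addresses.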
Proxy Firewall
The packet-filter firewall is based on the information available in the network layer and transport layer headers (IP and TCP/UDP).
However, sometimes we need to filter a message based on the information available in the message itself (at the application layer).
As an example, assume that an organization wants to implement the following policies regarding its Web pages: Only those Internet users who have previously established business relations with the company can have access; access to other users must be blocked.
In this case, a packet-filter firewall is not feasible because it cannot distinguish between different packets arriving at TCP port 80 (HTTP). Testing must be done at the application level (using URLs).
One solution is to install a proxy computer (sometimes called an application gateway), which stands between the customer computer and the corporation computer.
When the user client process sends a message, the proxy firewall runs a server process to receive the request.
The server opens the packet at the application level and finds out if the request is legitimate.
If it is, the server acts as a client process and sends the message to the real server in the corporation.
If it is not, the message is dropped and an error message is sent to the external user. In this way, the requests of the external users are filtered based on the contents at the application layer.
Figure shows a proxy firewall implementation.
Whenever the proxy firewall receives data packets from the external world, it hands all HTTP packets (in the case of an HTTP proxy server) to the HTTP proxy.
The proxy server then examines the whole packet closely and sends it back to the proxy firewall if it contains errors.
Security methods in a computer network can be applied in the application layer, transport layer, and IP layer.
IP security (IPSec) is a collection of protocols designed by the IETF to provide security for an internet packet.
The Authentication Header protocol provides integrity and message authentication. The Encapsulating Security Payload protocol provides integrity, message authentication, and privacy.
The Transport Layer Security provides security at the transport layer through its handshake protocol and data exchange protocol.
Pretty Good Privacy (PGP) provides security for the transmission of email.
A firewall is a router installed between the internal network of an organization and the rest of the Internet.
A packet-filter firewall blocks or forwards packets based on information in the network and transport layers.
A proxy firewall blocks or forwards packets based on information in the application layer.
IP Addresses
A network protocol suite such as TCP/IP (or OSI) has to have a methodology by which devices on the network can identify each other at every level of the network model.
TCP/IP provides identification at the Internet layer of the TCP/IP networking model in the form of IP addressing.
In order to send information from one component to another through a TCP/IP network, the information, like our postal correspondence (address, PIN code, etc.), must contain the address of the recipient and the sender.
The addresses are represented by 32-bit numbers called IP addresses.
IP Addressing
IP addresses are represented by a 32-bit unsigned binary value. It is usually expressed in a dotted decimal format.
Here are some examples of IP addresses shown in dotted decimal form.
All IP addresses are 32 bits long and are composed of four 8-bit segments known as octets.
Representing IP addresses in dotted decimal notation makes them a lot easier to read than in the machine friendly binary format.
The binary format of the IP address is:
10000000 00000010 00000111 00000010
Now you can easily decide which one is more readable and friendly.
To identify a host on the Internet, each host is assigned an address, the IP address, or in some cases, the Internet address.
When the host is attached to more than one network, it is called multi-homed and has one IP address for each network interface.
The IP address consists of a pair of numbers:
IP address = network number + host number
For example, is an IP address with 128.2 being the network number and 7.2 being the host number.
Class Based IP Addresses
The IP address is 32 bits in length and is used to identify both the host address (Host id) and the address of the network (Net id) in which the host resides.
An address class is defined to allocate the minimum number of bits that are to be used as the network ID.
The remaining bits can be used to further subdivide the network using subnet masks and to define the host ID.
The first bits of the IP address specify how the rest of the address should be separated into its network and host part. There are five classes of IP addresses.
They are shown in Figure
Now the first question that arises here is "Why are there different classes of IP addresses, and how can I use them?"
First of all, the Internet community has defined the different classes of IP addresses in order to accommodate the needs of networks of different sizes.
A network with fewer than 255 devices (workstations, routers, printers, and so on) can be assigned a Class C network address.
However, a large organization with up to 65,534 devices will need at least a Class B address. Second, as long as you are not connecting your internal network directly to the public Internet, you can use any valid Class A, B, or C address you want.
However, any device that is connected directly to the Internet, must be assigned a network ID from the Internet community.
For most private networks (intranets) on the border of the public Internet, IP addresses are either assigned dynamically or statically by an Internet Service Provider (ISP).
The ISP maintains responsibility for administering IP network IDs assigned by InterNIC.
Three examples of ISPs, which dynamically assign IP addresses, commonly used by individuals for dial-up access are CompuServe, America Online, and Prodigy.
Typically, a private network requiring access to the Internet will use a direct connection to an ISP through a router.
In these cases, the ISP will provide a network ID to the private network. This address will be a unique, statically assigned address provided to the ISP by InterNIC.
Class A addresses are assigned to networks with extremely large numbers of hosts (networked devices).
The MSB (most significant bit) is set to 0, and is combined with the remaining seven bits of the first octet to complete the network ID.
This leaves the last 3 octets, or 24 bits, to be assigned to subnet masking and to hosts. This allows for 2^7 - 2 (126) networks, each with 2^24 - 2 (16,777,214) hosts: a total of over 2 billion addresses.
Class B addresses are assigned to networks with no more than 65,534 (2^16 - 2) hosts (networked devices).
The MSBs (most significant bits) are set to 10, and are combined with the remaining 14 bits of the first two octets to complete the network ID.
This leaves the last 2 octets, or 16 bits, to be assigned to subnet masking and to hosts. This allows for 2^14 - 2 (16,382) networks, each with 2^16 - 2 (65,534) hosts: a total of over 1 billion addresses.
Class C addresses are assigned to small networks with a more limited number of hosts.
The MSBs (most significant bits) are set to 110, and are combined with the remaining 21 bits of the first three octets to complete the network ID.
This leaves the last octet available to be assigned to subnet masking and to hosts. This allows for 2^21 - 2 (2,097,150) networks, each with 2^8 - 2 (254) hosts: a total of over half a billion addresses.
Class D addresses are reserved for multicast groups. Multicast addresses are assigned to groups of hosts that are cooperating, or are related in some manner.
Each host in a multicast group has to be configured to accept multicast packets.
The MSBs (most significant bits) of a class D address are set to 1110. The remaining bits are uniquely assigned to each group of hosts.
Class E addresses are an experimental class of IP addresses reserved for use in the future. The MSBs (most significant bits) for class E addresses are 1111.
Reserved IP Addresses
A component of an IP address with a value of all bits 0 or all bits 1 has a special meaning:
- All bits 0: An address with all bits 0 in the host number portion is interpreted as this host (IP address with host address = 0). All bits zero in the network number portion is this network (IP address with network address = 0). When a host wants to communicate over a network, but does not yet know the network IP address, it may send packets with network address = 0. Other hosts on the network interpret the address as meaning this network. Their replies contain the fully qualified network address, which the sender records for future use.
- All bits 1: An address with all bits 1 is interpreted as all networks or all hosts. For example, the following means all hosts on network 128.2 (class B address):
This is called a directed broadcast address because it contains both a valid network address and a broadcast host address.
- Loopback: The class A network is defined as the loopback network. Addresses from that network are assigned to interfaces that process data within the local system. These loopback interfaces do not access a physical network.
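The classful rules and the reserved forms from the two sections above, as an added worked example that is not part of the original text. It classifies an address from the leading bits of the first octet, splits it into network and host number, computes the 2^n - 2 capacities quoted above, and names the special-meaning forms (this host, this network, directed broadcast, loopback). The input addresses are constructed; 127.0.0.0/8 as the loopback network is a standard value assumed here.

```python
from typing import Tuple

# Network-number length, in bits, for the three unicast classes.
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}
# Number of fixed leading bits in the first octet (0, 10, 110).
FIXED_PREFIX = {"A": 1, "B": 2, "C": 3}


def octets(ip: str) -> list:
    """Split dotted decimal into four integers, rejecting malformed input."""
    parts = [int(x) for x in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("not a dotted-decimal IPv4 address: " + ip)
    return parts


def to_int(ip: str) -> int:
    return int.from_bytes(bytes(octets(ip)), "big")


def to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def address_class(ip: str) -> str:
    """Leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first = octets(ip)[0]
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    return "D" if first & 0xF0 == 0xE0 else "E"


def class_capacity(cls: str) -> Tuple[int, int]:
    """(usable networks, usable hosts per network): 2^n - 2 in each case,
    because the all-0 and all-1 values of a field are reserved."""
    net_bits = NETWORK_BITS[cls]
    return 2 ** (net_bits - FIXED_PREFIX[cls]) - 2, 2 ** (32 - net_bits) - 2


def split(ip: str) -> Tuple[str, str]:
    """Network number and host number in dotted form: 128.2.7.2 -> ('128.2', '7.2')."""
    cls = address_class(ip)
    if cls not in NETWORK_BITS:
        raise ValueError("class %s addresses have no network/host split" % cls)
    n = NETWORK_BITS[cls] // 8
    o = octets(ip)
    return ".".join(map(str, o[:n])), ".".join(map(str, o[n:]))


def directed_broadcast(ip: str) -> str:
    """Same network number, all host bits set to 1: 'all hosts on this network'."""
    host_bits = 32 - NETWORK_BITS[address_class(ip)]
    return to_dotted(to_int(ip) | ((1 << host_bits) - 1))


def special_meaning(ip: str) -> str:
    """Name the reserved form an address takes, or 'unicast' for an ordinary address."""
    value = to_int(ip)
    if value == 0xFFFFFFFF:
        return "all networks, all hosts"
    cls = address_class(ip)
    if cls == "D":
        return "multicast group"
    if cls == "E":
        return "experimental"
    if octets(ip)[0] == 127:            # 127.0.0.0/8: the class A loopback network (assumed)
        return "loopback"
    host_bits = 32 - NETWORK_BITS[cls]
    net, host = value >> host_bits, value & ((1 << host_bits) - 1)
    if net == 0 and host == 0:
        return "this host on this network"
    if net == 0:
        return "this network"
    if host == 0:
        return "this host"
    if host == (1 << host_bits) - 1:
        return "directed broadcast"
    return "unicast"
```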
IP Subnetting
Due to the explosive growth of the Internet, the principle of assigned IP addresses became too inflexible to allow easy changes to local network configurations. Those changes might occur when:
- A new type of physical network is installed at a location.
- Growth of the number of hosts requires splitting the local network into two or more separate networks.
- Growing distances require splitting a network into smaller networks, with gateways between them.
To avoid having to request additional IP network addresses, the concept of IP subnetting was introduced. The assignment of subnets is done locally.
The entire network still appears as one IP network to the outside world. The host number part of the IP address is subdivided into a second network number and a host number.
This second network is mentioned as subnetwork or subnet. The main network now consists of a number of subnets. The IP address is interpreted as:
<network number><subnet number><host number>
The combination of subnet number and host number is often termed the local address or the local portion of the IP address.
Subnetting is implemented in a way that is transparent to remote networks. A host within a network that has subnets is aware of the subnetting structure.
A host in a different network is not. This remote host still regards the local part of the IP address as a host number.
The division of the local part of the IP address into a subnet number and host number is chosen by the local administrator.
Any bits in the local portion can be used to form the subnet. The division is done using a 32-bit subnet mask. Bits with a value of zero in the subnet mask indicate the positions of the host number.
For example, subnetting a Class B network could use one of the following schemes:
- The first octet is the subnet number; the second octet is the host number. This gives 2^8 - 2 (254) possible subnets, each having up to 2^8 - 2 (254) hosts. Recall that we subtract two from the possibilities to account for the all-ones and all-zeros cases. The subnet mask is
- The first 12 bits are used for the subnet number and the last four for the host number. This gives 2^12 - 2 (4094) possible subnets but only 2^4 - 2 (14) hosts per subnet. The subnet mask is
In this example, there are several other possibilities for assigning the subnet and host portions of the address.
The number of subnets and hosts and any future requirements should be considered before defining this structure.
In the last example, the subnetted Class B network has 16 bits to be divided between the subnet number and the host number fields.
The network administrator defines either a larger number of subnets each with a small number of hosts, or a smaller number of subnets each with many hosts.
Types of subnetting
There are two types of subnetting: static and variable length. Variable length subnetting is more flexible than static.
Static subnetting
Static subnetting implies that all subnets obtained from the same network use the same subnet mask. While this is simple to implement and easy to maintain, it may waste address space in small networks.
Consider a network of four hosts using a subnet mask of This allocation wastes 250 IP addresses. All hosts and routers are required to support static subnetting.
Variable length subnetting
When variable length subnetting is used, allocated subnets within the same network can use different subnet masks. A small subnet with only a few hosts can use a mask that accommodates this need.
A subnet with many hosts requires a different subnet mask. The ability to assign subnet masks according to the needs of the individual subnets helps conserve network addresses.
Variable length subnetting divides the network so that each subnet contains sufficient addresses to support the required number of hosts.
An existing subnet can be split into two parts by adding another bit to the subnet portion of the subnet mask. Other subnets in the network are unaffected by the change.
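The subnet arithmetic from the subnetting sections above, as an added worked example that is not part of the original text. It covers the two Class B schemes (8 or 12 subnet bits), the <network><subnet><host> interpretation of an address under a mask, the address waste of a static mask on a four-host subnet, and the variable-length step of splitting one subnet by adding a bit to the mask. All addresses are constructed.

```python
from typing import List, Tuple

CLASS_NET_BITS = {"A": 8, "B": 16, "C": 24}


def dotted_to_int(ip: str) -> int:
    parts = [int(x) for x in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad dotted-decimal value: " + ip)
    return int.from_bytes(bytes(parts), "big")


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def class_net_bits(ip: str) -> int:
    """Length of the classful network number: 8 (A), 16 (B) or 24 (C)."""
    first = dotted_to_int(ip) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses are not subnetted")


def mask_from_prefix(prefix: int) -> str:
    """Mask with `prefix` leading one bits, e.g. 28 -> 255.255.255.240."""
    return int_to_dotted(((1 << prefix) - 1) << (32 - prefix))


def prefix_from_mask(mask: str) -> int:
    """Count the one bits, rejecting a mask whose ones are not contiguous."""
    value = dotted_to_int(mask)
    prefix = bin(value).count("1")
    if value != ((1 << prefix) - 1) << (32 - prefix):
        raise ValueError("non-contiguous subnet mask: " + mask)
    return prefix


def subnet_counts(net_class: str, mask: str) -> Tuple[int, int]:
    """(usable subnets, usable hosts per subnet) for a classful network under one
    mask. Two are subtracted from each field for the all-zeros and all-ones values."""
    prefix = prefix_from_mask(mask)
    subnet_bits = prefix - CLASS_NET_BITS[net_class]
    host_bits = 32 - prefix
    if subnet_bits < 1 or host_bits < 1:
        raise ValueError("mask leaves no subnet or host bits")
    return 2 ** subnet_bits - 2, 2 ** host_bits - 2


def split_address(ip: str, mask: str) -> Tuple[str, int, int]:
    """Interpret ip as <network number><subnet number><host number>."""
    value = dotted_to_int(ip)
    net_bits = class_net_bits(ip)
    prefix = prefix_from_mask(mask)
    host_bits = 32 - prefix
    network = int_to_dotted(value & (((1 << net_bits) - 1) << (32 - net_bits)))
    subnet = (value >> host_bits) & ((1 << (prefix - net_bits)) - 1)
    host = value & ((1 << host_bits) - 1)
    return network, subnet, host


def wasted_addresses(mask: str, hosts_needed: int) -> int:
    """Usable host addresses left idle when a static mask is applied to a small subnet."""
    return 2 ** (32 - prefix_from_mask(mask)) - 2 - hosts_needed


def split_subnet(subnet: str, mask: str) -> List[Tuple[str, str]]:
    """Variable-length step: add one bit to the subnet field, giving two halves
    that each carry a longer mask; other subnets keep their old mask."""
    prefix = prefix_from_mask(mask)
    if prefix >= 30:
        raise ValueError("splitting would leave fewer than two usable hosts")
    base = dotted_to_int(subnet) & (((1 << prefix) - 1) << (32 - prefix))
    new_mask = mask_from_prefix(prefix + 1)
    half = 1 << (31 - prefix)
    return [(int_to_dotted(base), new_mask), (int_to_dotted(base + half), new_mask)]
```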
Mixing static and variable length subnetting
Not every IP device includes support for variable length subnetting.
Initially, it would appear that the presence of a host that only supports static subnetting prevents the use of variable length subnetting.
This is not the case. Routers interconnecting the subnets are used to hide the different masks from hosts.
Hosts continue to use basic IP routing. This offloads subnetting complexities to dedicated routers.
Domain Name System (DNS)
To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the connection of a host to the internet.
However, people prefer to use names instead of addresses. Therefore, we need a system that can map a name to an address or an address to a name.
When the Internet was small, mapping was done using a host file. Each host kept the host file on its disk and updated it periodically from a master host file.
When a program or a user wanted to map a name to an address, the host consulted its host file and found the mapping.
Today, however, it is impossible to have one single host file to relate every address with a name or vice versa.
The host file would be too large to store in every host. In addition, it would be impossible to update all the host files in the world every time there is a change.
One solution would be to store the entire host file in a single computer and allow access to this centralized information to every computer that needs mapping.
But we know that this would create a huge amount of traffic on the internet.
Another solution, the one used today, is to divide this huge amount of information into smaller parts and store each part on a different computer.
In this method, the host that needs mapping can contact the closest computer holding the needed information. This method is used by the Domain Name System (DNS).
Working of DNS
DNS is a protocol that can be used on different platforms. On the Internet, the domain name space is divided into three sections: generic domains, country domains, and the inverse domain.
Generic Domains
The generic domains define registered hosts according to their generic behavior. Each node in the tree defines a domain, which is an index to the domain name space database.
Country Domains
The country domains section follows the same format as the generic domains but uses two character country abbreviations at the first level.
Second-level labels can be organizational, or they can be more specific, national designations. The United States, for example, uses state abbreviations as a subdivision of us.
Inverse Domain
The inverse domain is used to map an address to a name. This may happen, for example, when a server has received a request from a client to do a task but holds only the IP address of the client.
To determine if the client is on the authorized list, it can ask its resolver to send a query to the DNS server and ask for a mapping of address to name.
This type of query is called an inverse or pointer (PTR) query. To handle a pointer query, the inverse domain is added to the domain name space with the first-level node called arpa.
The second level is also one single node, named in-addr (for inverse address). The rest of the domain defines IP addresses.
The servers that handle the inverse domain are also hierarchical.
This means the netid part of the address should be at a higher level than the subnetid part, and the subnetid part higher than the hostid part. In this way, a server serving the whole site is at a higher level than the servers serving each subnet.
This configuration makes the domain look inverted when compared to a generic or country domain.
To follow the convention of reading the domain labels from the bottom to the top, an IP address such as is read as in
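The inverse-domain lookup described above, as an added example that is not part of the original text: it builds the bottom-to-top in-addr.arpa name for an address and resolves a pointer (PTR) query by walking a hierarchical tree in which the netid server sits above the subnetid servers and those above the hosts. The zone tree and host names are constructed and hypothetical.

```python
from typing import Dict, List, Optional, Tuple, Union

Node = Union[str, Dict[str, "Node"]]


def ptr_name(ip: str) -> str:
    """Write the octets from bottom to top and append in-addr.arpa,
    e.g. 128.2.7.2 -> 2.7.2.128.in-addr.arpa."""
    parts = ip.split(".")
    if len(parts) != 4 or any(not p.isdigit() or int(p) > 255 for p in parts):
        raise ValueError("not a dotted-decimal IPv4 address: " + ip)
    return ".".join(reversed(parts)) + ".in-addr.arpa"


# Constructed inverse-domain tree with hypothetical names. Each key is one label;
# a dict value is a delegation to the next lower server, a string value is the
# PTR record. The netid level (128.2) sits above its subnets (7, 9), which sit
# above single hosts, so the tree reads "inverted" next to a generic domain.
INVERSE_ZONE: Dict[str, Node] = {
    "arpa": {
        "in-addr": {
            "128": {
                "2": {
                    "7": {"2": "mail.example.edu.", "10": "www.example.edu."},
                    "9": {"1": "gw.example.edu."},
                }
            }
        }
    }
}


def lookup_ptr(ip: str, zone: Dict[str, Node] = INVERSE_ZONE) -> Tuple[Optional[str], List[str]]:
    """Resolve a pointer (PTR) query by walking the tree from the root label down.
    Returns (host name or None, labels visited) so the caller can see at which
    level of the hierarchy the walk stopped."""
    labels = ptr_name(ip).split(".")       # bottom-to-top: hostid ... netid, in-addr, arpa
    node: Node = zone
    visited: List[str] = []
    for label in reversed(labels):         # top-down: arpa, in-addr, netid, subnetid, hostid
        if not isinstance(node, dict) or label not in node:
            return None, visited
        visited.append(label)
        node = node[label]
    return (node if isinstance(node, str) else None), visited


def is_authorized(client_ip: str, authorized_names) -> bool:
    """The use case in the text: a server that holds only the client's IP address
    maps it to a name and checks that name against its authorized list."""
    name, _ = lookup_ptr(client_ip)
    return name is not None and name in authorized_names
```

Because the inverse zone for an address block is administered by whoever holds that block, a PTR answer only shows what that zone's operator claims; a server using it for an authorization decision should also confirm that the returned name maps forward to the same address.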


