Security at the IP Layer Lecture 5 - PowerPoint PPT Presentation

Slides: 34
Provided by: PDLe

Transcript and Presenter's Notes


1
Security at the IP Layer: Lecture 5

2
Outline
  • Security concerns at IP level
  • What can be done at IP level
  • IPSec architecture
  • How does IPSec work?
  • IPSec and other layers
  • IPSec benefits and limitations

3
TCP/IP Possible Security Enhancement
  • Application: Kerberos, HTTPS, S/MIME, PGP
  • Transport (TCP, UDP): SSL, TLS
  • Network (IP): IPSec
  • Data Link
  • Physical

4
TCP/IP Stack
  • Application Layer: FTP, TELNET, DNS, NFS, PING, HTTP
  • Transport Layer: TCP, UDP
  • IP, ICMP (IP packet)

5
Security at IP layer
  • Security at the IP layer is related to the
    layer's function of end-to-end IP datagram
    delivery.
  • The security concerns are:
  • Authentication
  • Message replay
  • Message alteration
  • Message delay and denial
  • Etc.

6
Reasons
  • Originally authentication and confidentiality
    were not enforced at the IP level
  • IP address from IP header can be forged by
    opponents => cannot ensure that a received packet
    was transmitted by the party identified as the
    source in the packet header
  • Contents of a packet can be inspected when in
    transit
  • Old IP packets can be replayed

7
Address Masquerading attack (e.g.)
router
a.b.c.100 NFS server
x.y.z.200 Authorized NFS client
x.y.z.201 Unauthorized NFS client

router
a.b.c.100 NFS server
x.y.z.201 -> x.y.z.200 Masquerading as authorized NFS client
x.y.z.200 - shut down for maintenance

8
ICMP ECHO Request Attack (e.g.)
  • Ping o' Death Attack
  • ICMP, an integral part of IP, is utilized to
    report network errors.
  • PING (Packet InterNet Grouper) utilizes ICMP
    Echo and Reply packets to test host reachability.
  • ICMP messages normally consist of the IP Header
    and enclosed ICMP data with a default size of 64
    bytes.
  • If the Hacker sends an ICMP Echo request that
    is greater than 65,536 this can crash or reboot
    the system.
  • A newer attack method modifies the header to
    indicate that there is more data in the packet
    than there actually is.
  • Countermeasure
  • Routers can be configured to check the size of the
    ICMP packet.
  • Block PING (ICMP) traffic at the Firewall.
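
An added example (not from the lecture): one way a filter could implement the size check named in the countermeasure, covering both the oversized reassembly case and the header that claims more data than was received. The function names and the 192.0.2.x packets are constructed for illustration; 65535 is the largest value the 16-bit IPv4 Total Length field can hold.

```python
import struct

MAX_DATAGRAM = 65535  # largest size the 16-bit Total Length field can express

def ipv4_size_problems(packet: bytes) -> list:
    """Return reasons to drop an IPv4 packet; an empty list means it passes."""
    if len(packet) < 20:
        return ["truncated header"]
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack(
        "!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return ["malformed header"]
    problems = []
    # Header says there is more data in the packet than actually arrived.
    if total_len > len(packet):
        problems.append("length field exceeds bytes received")
    # This fragment's data ends at offset + data length. Counting the header,
    # no reassembled datagram may end beyond MAX_DATAGRAM.
    frag_offset = (flags_frag & 0x1FFF) * 8
    data_len = total_len - ihl
    if ihl + frag_offset + data_len > MAX_DATAGRAM:
        problems.append("reassembled size exceeds 65535")
    return problems

def build(total_len, frag_units, data_len):
    """Constructed test packet: 20-byte header, protocol 1 (ICMP), zero data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, frag_units,
                      64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + bytes(data_len)

def demo():
    return {
        "normal ping": ipv4_size_problems(build(84, 0, 64)),
        "oversized fragment": ipv4_size_problems(build(120, 8189, 100)),
        "length mismatch": ipv4_size_problems(build(1500, 0, 64)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "pass")
```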

9
ICMP ECHO Flooding (e.g.)
  • SMURF Attack
  • The Hacker sends an ICMP Echo request to the
    target network with a destination broadcast
    address and a spoofed source address of the
    target.
  • The network serves as a "bounce site" and
    returns an Echo-Reply for each station on the
    network.
  • The network serves to multiply the effect of the
    "ping". The Echo-Request could be sent to
    multiple networks.
  • Countermeasures
  • Disable IP-directed broadcasts at your router.
  • Configure the workstation to not respond to an
    IP broadcast packet.

10
Some Terms and Definitions
  • Bridge
  • Connect two LANs that use identical LAN protocol
  • Acts as an address filter to forward packets from
    one LAN to another
  • Router (internal, external)
  • A router is a device or software or
    hardware/software that determines the next
    network point to which a packet should be
    forwarded toward its destination.
  • Connect two networks that may not be similar
  • A router is connected to at least two networks
    and decides which way to send a packet based on
    its current understanding of the state of the
    networks.

11
Some Terminology
  • Gateway: employs TCP/IP
  • Acts between an internal network and external
    ones
  • Acts as an external router to allow two
    autonomous systems to cooperate in the exchange
    of routing information
  • Firewall: has 4 generic types
  • Packet-filtering router (1): simple to use;
    monitors incoming IP packets and then forwards
    or discards them
  • Application-level gateway (2): a proxy server that
    acts as a relay of application-level traffic, allowing
    or denying certain services (telnet, ftp, etc.)
  • Circuit-level gateway (3): establishes two TCP
    connections, one between itself and an inner TCP
    user and one between itself and an outer TCP user.
    The firewall acts as a middleman to initially allow
    the outer user to talk to the security server.
    Depending on whether the outer user can negotiate
    with the security server, the firewall will allow or
    deny the communication with the inner user
  • Bastion: serves as a platform for (2) and (3); a
    critical security point in the network

12
Why look for security at IP level?
  • It is below the Transport Layer => no need to change
    software at the Application Layer
  • It is transparent to users => no need to train
    users
  • Can be used to enhance security when used with
    higher-level applications
  • Can enhance security of firewalls
  • Can provide better security for communications
    via untrusted networks

13
What can be done at IP?
  • Authentication: allows the receiver to validate
    the identity of a sender, client/server machine
    or process.
  • Integrity: provides assurance to the receiver
    that the transmitted data has not been changed.
  • Confidentiality: prevents the unwanted
    disclosure of information during transit.

14
IPSec Architecture
(borrowed from Stallings)
15
IPSec Architecture
  • IPSec offers two principal elements:
    Authentication Header (AH) and Encapsulating
    Security Payload (ESP) protocols
  • AH: makes it possible to authenticate the sender
    of IP packets; determines the authentication
    algorithm to be used
  • ESP: makes it possible to authenticate the sender
    and ensure confidentiality; determines the
    encryption algorithm to be used
  • Policy: determines if two entities will be able
    to communicate with each other
  • DOI: contains identifiers for approved encryption
    and authentication algorithms, key lifetime
    parameters, etc.
  • Key management: involves the determination and
    distribution of secret keys

16
AH Format
Contains data that guarantees authentication
Borrowed from Stallings
17
ESP Format
Borrowed from Stallings
18
IPSec modes
  • IPSec uses the two elements (AH and ESP) in two
    modes
  • Transport mode
  • is typically used in peer-to-peer communications,
    especially for internal networks
  • the data packet is encrypted but the IP header is
    not.
  • Tunnel mode
  • is used for remote access and site-to-site
    security
  • the entire packet (header and payload) is encrypted

19
Authentication with AH
Before applying AH
Borrowed from Stallings
20
Authentication with AH
After applying AH
Transport mode
Borrowed from Stallings
21
Authentication with AH
After applying AH
Tunnel mode
Borrowed from Stallings
22
Authentication and encryption with ESP
  • IPSec offers encryption using ESP
  • ESP can also include authentication service
  • ESP may be used with or without AH
  • Authentication service can also be provided

23
Authentication and encryption with ESP
After applying ESP
Transport mode
Borrowed from Stallings
24
Authentication and encryption with ESP
After applying ESP
Tunnel mode
Borrowed from Stallings
25
How does IPSec work? Security Association (SA)
  • Two nodes must have a shared key in advance
  • A system that implements IPSec keeps a security
    association database (SADB) which stores Security
    Associations (SA)
  • The Security Association (SA) is a contract
    between two nodes on keys, algorithms, etc. It
    forms the basis for IPSec operations
  • If two hosts, A and B, are communicating using
    IPSec, both hosts will have two SAs, SA_in and
    SA_out for processing inbound and outbound
    packets respectively
  • SA_in of host A and SA_out of host B will share
    the same cryptographic parameters

26
How does IPSec work? Security Association
Database (SADB)
  • Any system that implements IPSec has a security
    association database
  • A sending system looks up its SADB before
    transmitting to an IP destination, let's say X.
  • Information of X in SADB tells the system how to
    transmit to X
  • i.e. SPI, the key, algorithms, etc.
  • When receiving an IPSec packet, the receiving
    system uses the SPI of the received IPSec packet
    to find the entry in its SADB. The entry will
    tell the system which key, algorithm, etc. to use
    to process the packet.

27
How does IPSec work?
  • Two nodes exchange shared keys (either manually
    or automatically)
  • IKE (Internet Key Exchange) protocol
  • ISAKMP (Internet Security Association and Key
    Management Protocol)
  • Authentication is done by using a Secure Hash
    Algorithm (or Message Digest MD5) to generate
    authentication data that is inserted into AH
  • Encryption is done using some encryption
    algorithm (3DES, IDEA, etc.) to generate
    ciphertext that is inserted into the Payload Data
    field of ESP
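
An added example, not part of the lecture: a simplified model of the SA/SADB processing described on slides 25 to 27, with the sender looking up its SADB by destination and the receiver by SPI. Assumptions: dictionaries stand in for real packet headers, HMAC-SHA-256 is chosen here as the keyed hash, the sequence-number replay check is a simplification of AH's, and the key and 192.0.2.x addresses are constructed.

```python
import hashlib
import hmac
import struct

class SA:
    """One Security Association: what the two hosts agreed on."""
    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.seq = 0        # outbound use: last sequence number sent
        self.seen = set()   # inbound use: sequence numbers already accepted

def auth_data(sa, pkt):
    # Keyed hash over the fields that must not change in transit.
    msg = "|".join([pkt["src"], pkt["dst"]]).encode()
    msg += struct.pack("!II", sa.spi, pkt["seq"]) + pkt["payload"]
    return hmac.new(sa.key, msg, hashlib.sha256).digest()

def send(sadb_out, src, dst, payload):
    sa = sadb_out[dst]                      # sender: SADB lookup by destination
    sa.seq += 1
    pkt = {"src": src, "dst": dst, "spi": sa.spi, "seq": sa.seq,
           "payload": payload}
    pkt["auth"] = auth_data(sa, pkt)        # authentication data, as in AH
    return pkt

def receive(sadb_in, pkt):
    sa = sadb_in.get(pkt["spi"])            # receiver: SADB lookup by SPI
    if sa is None:
        return "drop: unknown SPI"
    if not hmac.compare_digest(auth_data(sa, pkt), pkt["auth"]):
        return "drop: authentication failed"
    if pkt["seq"] in sa.seen:
        return "drop: replay"
    sa.seen.add(pkt["seq"])
    return "accept"

def demo():
    key = b"constructed-shared-key"          # constructed sample key
    a_out = {"192.0.2.20": SA(0x1001, key)}  # host A's SA_out towards B
    b_in = {0x1001: SA(0x1001, key)}         # host B's SA_in, same parameters
    pkt = send(a_out, "192.0.2.10", "192.0.2.20", b"NFS read")
    no_key = {"192.0.2.20": SA(0x1001, b"guess")}  # masquerader lacks the key
    forged = send(no_key, "192.0.2.10", "192.0.2.20", b"NFS read")
    return [receive(b_in, pkt), receive(b_in, pkt), receive(b_in, forged),
            receive(b_in, dict(pkt, payload=b"NFS write")),
            receive(b_in, dict(pkt, spi=0x9999))]
```

`demo()` returns the verdicts for a genuine packet, the same packet replayed, a packet from a host claiming A's address without the key, an altered payload, and an SPI with no SADB entry.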

28
IPSec and Security at Other Layers
  • At levels lower than IP, data communication
    circuit or the entire network can be encrypted by
    specialised hardware
  • Authentication and encryption can be done at
    levels higher than IP, using
  • E.g. SSH - authenticates remote logins
  • E.g. PGP - encrypts and authenticates mail
    messages
  • However, there are advantages to doing
    authentication and encryption at IP level (see next
    slide)

29
Advantages of enhancing security at IP level
  • IPSec is the most general way to provide security
    services to the Internet with fewer constraints
  • Higher-level security services may be less
    general and hence protect some single protocol
    (e.g. PGP protects mail)
  • Lower-level services protect a single medium (e.g.
    a pair of encryption chips on the end of a line)
  • IPSec can, in general, protect any medium used
    below IP level and any protocol running above IP
    level

30
Benefits of IPSec
  • Enable business to rely heavily on the Internet
    and reduce its need for private networks =>
    saving costs and network management
  • Provide secure network access over the Internet
  • An end-user whose system is equipped with IPSec
    can make a local call to ISP and gain secure
    access to her/his company
  • Provide secure communications between
    organisations by ensuring authentication and
    confidentiality
  • IPSec can be used to create secure tunnels through
    untrusted (especially the Internet) networks
  • Sites connected by these tunnels form Virtual
    Private Networks (VPN)

31
Benefits of IPSec
  • Packet authentication makes various attacks
    harder
  • address masquerading
  • address spoofing
  • IPSec tunnels can be very useful for secure
    remote administration
  • In a non-end-to-end service, IPSec can ensure
    that messages between a pair or a group of sites
    are encrypted

32
Some Limitations of IPSec
  • IPSec cannot provide end-to-end security as
    systems work at higher levels
  • e.g. if you need emails encrypted at the
    sender's desktop and decrypted at the
    receiver's site
  • Specific applications have particular
    requirements on security and IPSec does not
    provide all security services
  • E.g. IPSec cannot provide total security for
    credit card payment systems

33
Is IPSec everything you need?
  • Cryptography alone is not enough
  • IPSec alone is not enough
  • E.g. IPSec cannot provide digital signature
    services
  • Many factors affect system security.
  • OS security
  • Data management
  • Key management
  • Correctness of implementation of algorithms
  • Proper system management
  • Human factors