Page 1: CSCE 813 Internet Security: TCP/IP

Internet Security - Farkas 1

Page 2: Reading Assignment

Reading: R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 2

Recommended reading: CISCO: TCP/IP Technology, http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a008014f8a9.shtml

Page 3: Before the Internet

Isolated, local packet-switching networks
– only nodes on the same network could communicate

Each network was autonomous
– different services
– different interfaces
– different protocols

Page 4: Before the Internet (cont.)

ARPANET: sponsored by the Defense Advanced Research Projects Agency (DARPA):
• 1969: interconnected 4 hosts
• 1970: host-to-host protocol: Network Control Protocol (NCP)
• 1972: first application: e-mail

The 4 hosts:
– Univ. of California at LA (UCLA)
– Stanford Research Institute (SRI)
– Univ. of California at Santa Barbara (UCSB)
– Univ. of Utah

Page 5: Internet

Connect existing networks: ARPANET, Packet Radio, and Packet Satellite
NCP not sufficient: develop a new protocol
1970s: Transmission Control Protocol (Kahn and Vinton)
– Based on packet switching technology
– Good for file transfer and remote terminal access

Divide TCP into 2 protocols
– Internet Protocol (IP): addressing and forwarding of packets
– Transmission Control Protocol (TCP): sophisticated services, e.g., flow control, recovery

1980: TCP/IP adopted as a DoD standard
1983: ARPANET protocol officially changed from NCP to TCP/IP
1985: Existing Internet technology
1995: U.S. Federal Networking Council (FNC) defines the term Internet

Page 6: Goals (Clark '88)

Connect existing networks

1. Survivability

2. Support multiple types of services

3. Must accommodate a variety of networks

4. Allow distributed management

5. Allow host attachment with a low level of effort

6. Be cost effective

7. Allow resource accountability

Page 7: Internet Challenge

Interconnected networks differ (protocols, interfaces, services, etc.)

Possibilities:

1. Reengineer and develop one global packet switching network standard: not economically feasible

2. Have every host implement the protocols of every network it wants to communicate with: too complex, very high engineering cost

3. Add an extra layer: the internetworking layer
– Hosts implement one higher-level protocol
– The networks being connected all use that same protocol
– An interface sits between the new protocol and each network

Page 8: Layering

Organize a network system into logically distinct entities
– the service provided by one entity is based only on the service provided by the lower-level entity

Page 9: Without Layering

Each application has to be implemented for every network technology!

[Figure: each application (SMTP, FTP, HTTP) is wired directly to each transmission medium (coaxial cable, fiber optic)]

Page 10: With Layering

Intermediate layer provides a unique abstraction for various network technologies

[Figure: the applications (SMTP, FTP, HTTP) talk to an intermediate layer, which in turn talks to the transmission media (coaxial cable, fiber optic)]

Page 11: Layering

Advantages
– Modularity: protocols easier to manage and maintain
– Abstract functionality: lower layers can be changed without affecting the upper layers
– Reuse: upper layers can reuse the functionality provided by lower layers

Disadvantages
– Information hiding: inefficient implementations

Page 12: ISO OSI Reference Model

ISO: International Standard Organization
OSI: Open System Interconnection
Goal: a general open standard
– allow vendors to enter the market by using their own implementation and protocols

Page 13: OSI Model Concepts

Service: says what a layer does
Interface: says how to access the service
Protocol: says how the service is implemented
– a set of rules and formats that govern the communication between two peers

Page 14: TCP/IP Protocol Stack

Application Layer
Transport Layer
Internetwork Layer
Network Access Layer

• Each layer interacts with neighboring layers above and below
• Each layer can be defined independently
• Complexity of the networking is hidden from the application

Page 15: OSI vs. TCP/IP

OSI: conceptually define: service, interface, protocol
Internet: provide a successful implementation

[Figure: the two layer stacks side by side]
OSI model         TCP/IP model (example protocols)
Application       Application (Telnet, FTP, DNS)
Presentation
Session
Transport         Transport (TCP, UDP)
Network           Internet (IP)
Datalink          Host-to-network (LAN, Packet radio)
Physical

Page 16: Network Access Layer

Responsible for packet transmission on the physical media

Transmission between two devices that are physically connected

The goal of the physical layer is to move information across one “hop”

For example: Ethernet, token ring, Asynchronous Transfer Mode (ATM)

Page 17: Internetwork Layer

Provides connectionless and unreliable service

Routing (routers): determine the path a packet has to traverse to reach its destination

Defines addressing mechanism
– Hosts should conform to the addressing mechanism

Page 18: IP Addresses

IP provides a logical address space and a corresponding addressing scheme
An IP address is a globally unique or private number associated with a host network interface
Every system that will send packets directly out across the Internet must have a unique IP address
IP addresses are based on where the hosts are connected
IP addresses are controlled by a single organization: address ranges are assigned
They are running out of space!

Page 19: Routing Protocols

• Enable routing decisions to be made
• Manage and periodically update routing tables, stored at each router
• Router: "which way" to send the packet
• Protocol types:
  • Reachability
  • Distance vector

Page 20: The Domain Name System

Each system connected to the Internet also has one or more logical addresses.

Unlike IP addresses, domain addresses carry no routing information; they are organized based on administrative units

There are no limitations on the mapping from domain addresses to IP addresses

Page 21: Domain Name Resolution

Domain Name Resolution: looking up a logical name and finding a physical IP address

There is a hierarchy of domain name servers
Each client system uses one domain name server, which in turn queries up and down the hierarchy to find the address

If your server does not know the address, it goes up the hierarchy, possibly to the top, and works its way back down
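As an added illustration (not part of the slides), the Python below simulates the walk just described: the client's server starts at the closest zone it already knows a server for (the root when it knows nothing closer), follows referrals back down, and caches what it learns. The zone data, server names and addresses are constructed for the example; a real resolver sends these queries over the network to real servers.

```python
from typing import Dict, List, Tuple

# Constructed zone data (not from the slides): each name server holds only the
# records of its own zone plus referrals (NS) to the servers of the zones below it.
ZONES: Dict[str, Dict[str, Dict[str, str]]] = {
    "root":   {"NS": {"edu.": "ns-edu"}},
    "ns-edu": {"NS": {"example.edu.": "ns-ex"}},
    "ns-ex":  {"NS": {"cs.example.edu.": "ns-cs"}, "A": {"www.example.edu.": "192.0.2.10"}},
    "ns-cs":  {"A": {"www.cs.example.edu.": "192.0.2.20"}},
}

def ask(server: str, name: str) -> Tuple[str, str, str]:
    """One query to one server: ('answer', ip, ''), ('refer', next_server, zone) or ('nxdomain', '', '')."""
    zone = ZONES[server]
    if name in zone.get("A", {}):
        return "answer", zone["A"][name], ""
    for suffix in sorted(zone.get("NS", {}), key=len, reverse=True):   # most specific delegation first
        if name.endswith("." + suffix):
            return "refer", zone["NS"][suffix], suffix
    return "nxdomain", "", ""

class LocalNameServer:
    """The client's own server: caches answers and learned delegations, and walks the
    hierarchy iteratively, going all the way up to the root only when it knows nothing closer."""
    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}
        self.delegations: Dict[str, str] = {".": "root"}    # zone suffix -> server for it

    def resolve(self, name: str) -> Tuple[str, List[str]]:
        """Return (ip, servers queried in order); an empty list means the answer was cached."""
        if name in self.cache:
            return self.cache[name], []
        known = [z for z in self.delegations if z == "." or name.endswith("." + z)]
        server, path = self.delegations[max(known, key=len)], []   # start at the closest zone
        for _ in range(8):                                          # bound the referral chain
            path.append(server)
            kind, value, suffix = ask(server, name)
            if kind == "answer":
                self.cache[name] = value
                return value, path
            if kind == "nxdomain":
                raise LookupError("no such name: " + name)
            self.delegations[suffix] = value                        # remember the referral
            server = value
        raise LookupError("too many referrals while resolving " + name)
```

The second lookup below starts at the example.edu server learned during the first one, which is the "possibly to the top" of the slide: a warm cache shortens the walk.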

Page 22: Transport Layer

Provides services to the application layer
Services:
– Connection-oriented or connectionless transport
– Reliable or unreliable transport
– Security (authenticity, confidentiality, integrity)

The application has to choose the services it requires from the transport layer

Not every combination is allowed, e.g., connectionless and reliable transport is invalid

Page 23: Application Layer

Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail (port 25), finger (port 79)

Interface to the transport layer
– Operating system dependent
– Socket interface

Page 24: Communication Between Layers

[Figure: encapsulation along the path Host A -> Router -> Router -> Host B. At Host A the Application Data passes down through the application layer, transport layer (Transport payload), network layer (Network payload) and data link layer (Data Link payload). Each router handles only the data link and network layers before forwarding; Host B unwraps the layers in reverse order up to the application layer.]

Page 25: Security -- At What Level?

Secure traffic at various levels in the network
Where to implement security? Depends on the security requirements of the application and the user

Basic services that need to be implemented:
– Key management
– Confidentiality
– Nonrepudiation
– Integrity/authentication
– Authorization

Page 26: Network Access Layer Security

Dedicated link between hosts/routers; hardware devices perform the encryption

Advantages:
– Speed

Disadvantages:
– Not scalable
– Works well only on dedicated links
– Two hardware devices need to be physically connected

Page 27: Internetwork Layer Security

IP Security (IPSec)

Advantages:
– Overhead involved with key negotiation decreases, because multiple protocols can share the same key management infrastructure
– Ability to build VPNs and intranets

Disadvantages:
– Difficult to handle low-granularity security, e.g., nonrepudiation, user-based security

Page 28: Transport Layer Security

Advantages:
– Does not require enhancement to each application

Disadvantages:
– Difficult to obtain user context
– Implemented on an end system
– Protocol specific: implemented for each protocol

Page 29: Transport Layer Security

Advantages:
– Does not require enhancement to each application

Disadvantages:
– Obtaining user context gets complicated
– Protocol specific: needs to be duplicated for each transport protocol
– Need to maintain context for the connection (not currently implemented for UDP)

Page 30: Application Layer Security

Advantages:
– Executing in the context of the user: easy access to the user's credentials
– Complete access to data: easier to ensure nonrepudiation
– Application can be extended to provide security (does not depend on the operating system)
– Application understands the data: security can be fine-tuned

Disadvantages:
– Implemented in end hosts
– Security mechanisms have to be implemented for each application:
  – expensive
  – greater probability of making a mistake

Page 31: Application Example

E-mail client using PGP

Extended capabilities:
– Ability to look up public keys of the users
– Ability to provide security services such as encryption/decryption, nonrepudiation, and authentication for e-mail messages