chapter 32
DESCRIPTION
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and FirewallsTRANSCRIPT
![Page 1: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/1.jpg)
32.1
Chapter 32
Security in the Internet:IPSec, SSL/TLS, PGP,
VPN, and Firewalls
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
![Page 2: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/2.jpg)
32.2
Figure 32.1 Common structure of three security protocols
![Page 3: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/3.jpg)
32.3
32-1 IPSecurity (IPSec)32-1 IPSecurity (IPSec)
IPSecurity (IPSec) is a collection of protocols designed IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level. provide security for a packet at the network level.
Two ModesTwo Security ProtocolsSecurity AssociationInternet Key Exchange (IKE)Virtual Private Network
Topics discussed in this section:Topics discussed in this section:
![Page 4: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/4.jpg)
32.4
Figure 32.2 TCP/IP protocol suite and IPSec
![Page 5: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/5.jpg)
32.5
Figure 32.3 Transport mode and tunnel modes of IPSec protocol
![Page 6: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/6.jpg)
32.6
IPSec in the transport mode does not protect the IP header; it only protects
the information coming from the transport layer.
Note
![Page 7: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/7.jpg)
32.7
Figure 32.4 Transport mode in action
![Page 8: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/8.jpg)
32.8
Figure 32.5 Tunnel mode in action
![Page 9: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/9.jpg)
32.9
IPSec in tunnel mode protects the original IP header.
Note
![Page 10: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/10.jpg)
32.10
Figure 32.6 Authentication Header (AH) Protocol in transport mode
![Page 11: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/11.jpg)
32.11
The AH Protocol provides source authentication and data integrity,
but not privacy.
Note
![Page 12: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/12.jpg)
32.12
Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode
![Page 13: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/13.jpg)
32.13
ESP provides source authentication, data integrity, and privacy.
Note
![Page 14: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/14.jpg)
32.14
Table 32.1 IPSec services
![Page 15: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/15.jpg)
32.15
Figure 32.8 Simple inbound and outbound security associations
![Page 16: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/16.jpg)
32.16
IKE creates SAs for IPSec.
Note
![Page 17: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/17.jpg)
32.17
Figure 32.9 IKE components
![Page 18: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/18.jpg)
32.18
Table 32.2 Addresses for private networks
![Page 19: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/19.jpg)
32.19
Figure 32.10 Private network
![Page 20: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/20.jpg)
32.20
Figure 32.11 Hybrid network
![Page 21: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/21.jpg)
32.21
Figure 32.12 Virtual private network
![Page 22: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/22.jpg)
32.22
Figure 32.13 Addressing in a VPN
![Page 23: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/23.jpg)
32.23
32-2 SSL/TLS32-2 SSL/TLS
Two protocols are dominant today for providing Two protocols are dominant today for providing security at the transport layer: the Secure Sockets security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an Security (TLS) Protocol. The latter is actually an IETF version of the former. IETF version of the former.
SSL ServicesSecurity ParametersSessions and ConnectionsFour ProtocolsTransport Layer Security
Topics discussed in this section:Topics discussed in this section:
![Page 24: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/24.jpg)
32.24
Figure 32.14 Location of SSL and TLS in the Internet model
![Page 25: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/25.jpg)
32.25
Table 32.3 SSL cipher suite list
![Page 26: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/26.jpg)
32.26
Table 32.3 SSL cipher suite list (continued)
![Page 27: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/27.jpg)
32.27
The client and the server have six different cryptography secrets.
Note
![Page 28: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/28.jpg)
32.28
Figure 32.15 Creation of cryptographic secrets in SSL
![Page 29: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/29.jpg)
32.29
Figure 32.16 Four SSL protocols
![Page 30: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/30.jpg)
32.30
Figure 32.17 Handshake Protocol
![Page 31: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/31.jpg)
32.31
Figure 32.18 Processing done by the Record Protocol
![Page 32: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/32.jpg)
32.32
32-3 PGP32-3 PGP
One of the protocols to provide security at the One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential designed to create authenticated and confidential e-mails. e-mails.
Security ParametersServicesA ScenarioPGP AlgorithmsKey RingsPGP Certificates
Topics discussed in this section:Topics discussed in this section:
![Page 33: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/33.jpg)
32.33
Figure 32.19 Position of PGP in the TCP/IP protocol suite
![Page 34: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/34.jpg)
32.34
In PGP, the sender of the message needs to include the identifiers of the
algorithms used in the message as well as the values of the keys.
Note
![Page 35: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/35.jpg)
32.35
Figure 32.20 A scenario in which an e-mail message is authenticated and encrypted
![Page 36: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/36.jpg)
32.36
Table 32.4 PGP Algorithms
![Page 37: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/37.jpg)
32.37
Figure 32.21 Rings
![Page 38: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/38.jpg)
32.38
In PGP, there can be multiple paths from fully or partially trusted authorities to
any subject.
Note
![Page 39: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/39.jpg)
32.39
32-4 FIREWALLS32-4 FIREWALLS
All previous security measures cannot prevent Eve All previous security measures cannot prevent Eve from sending a harmful message to a system. To from sending a harmful message to a system. To control access to a system, we need firewalls. A control access to a system, we need firewalls. A firewall is a device installed between the internal firewall is a device installed between the internal network of an organization and the rest of the network of an organization and the rest of the Internet. It is designed to forward some packets and Internet. It is designed to forward some packets and filter (not forward) others.filter (not forward) others.
Packet-Filter FirewallProxy Firewall
Topics discussed in this section:Topics discussed in this section:
![Page 40: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/40.jpg)
32.40
Figure 32.22 Firewall
![Page 41: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/41.jpg)
32.41
Figure 32.23 Packet-filter firewall
![Page 42: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/42.jpg)
32.42
A packet-filter firewall filters at the network or transport layer.
Note
![Page 43: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/43.jpg)
32.43
Figure 32.24 Proxy firewall
![Page 44: Chapter 32](https://reader034.vdocuments.net/reader034/viewer/2022042505/556d0bdad8b42ad34f8b4cdb/html5/thumbnails/44.jpg)
32.44
A proxy firewall filters at the application layer.
Note