COMP3123 Internet Security, Richard Henson, University of Worcester, November 2010


Week 7: Communications: Securing LAN–LAN data using VPNs and secure protocols

Objectives:
- Relate Internet security problems to the TCP/IP protocol stack
- Explain Internet security solutions that use the principles of a VPN
- Explain Internet security solutions at OSI levels above IP routing

Security and the OSI layers
- Actually 7 layers in original OSI model…
- Unix TCP/IP leaves out level 1 (physical), level 2 (data link), and level 5 (session)

[Diagram: TELNET, FTP, SMTP, NFS, DNS, SNMP over TCP / UDP (transport) over IP (network)]

TCP/IP and the Seven Layers
- TCP (Transport Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers
  » lower layers are required to interface with IP to create/convert electrical signals
  » upper layers interface with TCP to produce the screen display
- Each layer interface represents a potential security problem…

[Diagram: hardware – IP – TCP – screen]

Intranets
- Definition: an in-house Web site that serves the employees of the enterprise. Although intranet pages may link to the Internet, an intranet is not a site accessed by the general public.
- Achieved by organisations using http to share data in a www-compatible format
- Implemented as:
  » single LAN with a web server
  » several interconnected LANs
    » cover a larger geographic area
    » use secure user authentication
    » use secure data transmission system

Extranets
- Definition: organisational web sites for employees and existing customers rather than the general public
- An extension of the Intranet to cover selected trusted “links”
  » e.g. for an organisation the “trusted” links might be to customers and business partners
- Uses the public Internet as its transmission system, but requires passwords to gain access
- Can provide access to:
  » paid research
  » current inventories
  » internal databases
  » OR virtually any information that is private and not published for everyone

Issues in creating an Extranet
- As with the Intranet, use of public networks means that security must be handled through the appropriate use of secure authentication and transmission technologies…
- Private leased lines between sites do not need to use http, etc.
  » therefore more secure, but expensive (BALANCE)
- If using the Internet…
  » can use client-server web applications across different sites
  » BUT security issues need resolving

Securing Authentication through Extranets
- Kerberos and trusted domains…
- Windows 2000 Solution:
  » Potential security problem… several TCP ports used for e.g. Kerberos authentication when establishing a session…
  » Solution: firewall configured to allow relevant ports to be opened only for “trusted” hosts

Securing Sharing of Data through Extranets
- An Extranet client uses the web server & browser for user interaction
  » standard level 7 www protocol to display html data
- Raw HTML data will pass through the firewall to the Internet
  » could be “sensitive” for the organisation…
- Under IETF guidance, developers came up with RFCs for a secure version of http…
  » standardised as http-s (secure http)

The Internet generally uses IP - HOW can data be secured?
- 2010: more than 600 million hosts!

Securing the Extranet
- Problem:
  » IP protocol sends packets off in different directions according to:
    » destination IP address
    » routing data
  » packets can be intercepted/redirected
- Solution:
  » secure level 7 application layer www protocols developed
    » https: ensure that pages are only available to authenticated users
    » ssh: secure download of files
    » sftp: as above
  » secure level 4 transport (TLS) protocol to restrict use of IP navigation to only include secure sites
  » Protection against interception at lower OSI layers
    » Virtual Private Networks: use of level 2 & 3

SSH (Secure Shell)
- Designed 1995, University of Helsinki, for secure file transfer
  » SSH-1
  » server listens on TCP port 22
  » runs on a variety of platforms
- Enhanced version SSH-2
  » using the PKI including digital certificates
  » RFC 4252 – recent, 2006
- By contrast, Telnet and FTP:
  » can use authentication
  » BUT DO NOT use encrypted text…

Secure http (http-s)
- IETF set up WTS (Web Transaction Security) in 1995 to:
  » look at proposals for a secure version of http
  » ensure secure embedding of any emerging protocol with HTML
- Proposals agreed in 1999, defined as:
  » RFC #2659 – secure HTML documents
  » RFC #2660 – the secure protocol itself

More about Secure http
- Modification of http:
  » works with Netscape’s SSL/TLS and the PKI
  » ensures security of HTML data sent through the Internet
- When a browser requests a web page…
  » normally, just downloaded
  » HOWEVER, if the page is held on a HTTP-S server it must be downloaded using the https protocol
    » will ONLY be downloaded and displayed if its URL has been authenticated and certificated
- Authentication handled by a PKI-affiliated body (e.g. Verisign)
  » therefore considered to be very secure

SSL (Secure Sockets Layer)
- Developed by Netscape in 1995
  » so browsers could participate in secure Internet transactions
  » soon became most commonly used protocol for e-commerce transactions
  » still not been accessed by hackers (so far…)
- Excellent upper layer security:
  » RSA public key en/decryption of http packets at the session layer (OSI 5) before sending/after receiving between Internet hosts
  » PKI-compatibility means that digital certificates are supported as well

Extending SSL
- SSL standard submitted by Netscape to IETF for further development
  » working party set up in 1996
  » worked with Netscape to standardise SSL v3.0
    » RFC draft same year
  » agreed standard RFC #2246: TLS (Transport Layer Security)
- TLS was the result of IETF development of components of Netscape’s SSL lower down the OSI layers
  » SSL – level 5
  » TLS – level 4

Secure HTTP, SSL and TLS
- Together, HTTPS/SSL/TLS can provide a secure interface between TCP (level 4) and HTML (level 7)
  » very secure conduit for message transfer across the Internet…

VPNs: restricted use of the Physical Internet

[Diagram: VPN shown in green]

VPNs (Virtual Private Networks)
- Two pronged defence:
  » physically keeping the data away from unsecured servers…
    » several protocols available for sending packets along a pre-defined route
  » data encapsulated and encrypted so it appears to travel as if on a point-point link but is still secure even if intercepted
- Whichever protocol is used, the result is a secure system with pre-determined pathways for all packets

Principles of VPN protocols
- The tunnel - where the private data is encapsulated
- The VPN connection - where the private data is encrypted

Principles of VPN protocols
- To emulate a point-to-point link:
  » data encapsulated, or wrapped, with a header
    » provides routing information
    » allows packets to traverse the shared public network to its endpoint
- To emulate a private link:
  » data encrypted for confidentiality
  » Any packets intercepted on the shared public network are indecipherable without the encryption keys…

Potential weakness of the VPN
- Once the data is encrypted and in the tunnel it is very secure
- BUT to be secure, it MUST be encrypted and tunnelled throughout its whole journey
  » if any part of that journey is outside the tunnel…
    » e.g. network path to an outsourced VPN provider
    » obvious scope for security breaches

Using a VPN as part of an Extranet (diagram)

Using a VPN for point-to-point (diagram)

Using a VPN to connect a remote computer to a Secured Network (diagram)

VPN-related protocols offering even greater Internet security
- Two possibilities are available for creating a secure VPN:
- Layer 3:
  » IPsec – fixed point routing protocol
- Layer 2 “tunnelling” protocols
  » encapsulate the data within other data before converting it to binary data:
    » PPTP (Point-point tunnelling protocol)
    » L2TP (Layer 2 tunnelling protocol)

IPsec
- First VPN system
  » defined by IETF RFC 2401
  » uses ESP (encapsulating security protocol) at the IP packet level
- IPsec provides security services at the IP layer by:
  » enabling a system to select required security protocols (ESP possible with a number of encryption protocols)
  » determining the algorithm(s) to use for the chosen service(s)
  » putting in place any cryptographic keys required to provide the requested services
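The two VPN principles above (tunnel = encapsulation with a routing header, VPN connection = encryption) and the ESP-at-the-IP-level description in the IPsec slides, as an added Python example that is not part of the lecture: a simplified pair of security gateways that wrap, encrypt and integrity-protect a private LAN packet, and on receipt check integrity and replay before unwrapping it. The cipher is a toy HMAC counter-mode keystream standing in for the real ESP cipher, and the keys, SPI and addresses are constructed; real IPsec negotiates keys and uses separate security associations per direction.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed demo keys. Real IPsec negotiates or derives these ("putting in
# place any cryptographic keys required"); hard-coding them is purely so the
# example runs stand-alone.
ENC_KEY = hashlib.sha256(b"demo encryption key").digest()
AUTH_KEY = hashlib.sha256(b"demo integrity key").digest()


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode over the IV. It
    stands in for the ESP cipher (e.g. AES) so the demo needs only stdlib."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        for ctr in range(blocks)
    )[:length]


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class SecurityGateway:
    """One end of the tunnel. Both gateways share the SPI and keys; the public
    network between them only has to forward on the outer header."""

    def __init__(self, addr: str, spi: int):
        self.addr = addr
        self.spi = spi
        self.seq_out = 0
        self.seq_in = 0  # highest sequence number accepted so far (anti-replay)

    def encapsulate(self, inner_packet: bytes, peer_addr: str) -> bytes:
        """Tunnel: wrap the private packet in an outer header carrying only the
        gateway-to-gateway routing information. VPN connection: encrypt it and
        add an integrity check value (ICV) so tampering is detected."""
        self.seq_out += 1
        iv = os.urandom(8)
        ciphertext = xor(inner_packet, keystream(ENC_KEY, iv, len(inner_packet)))
        esp = struct.pack(">II", self.spi, self.seq_out) + iv + ciphertext
        icv = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:16]
        outer_header = socket.inet_aton(self.addr) + socket.inet_aton(peer_addr)
        return outer_header + esp + icv

    def decapsulate(self, packet: bytes) -> bytes:
        """Check integrity, SPI and replay, then decrypt. Raises ValueError for
        anything a real gateway would silently drop."""
        esp, icv = packet[8:-16], packet[-16:]
        expected = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("integrity check failed: packet altered in transit")
        spi, seq = struct.unpack(">II", esp[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI: no security association for this packet")
        if seq <= self.seq_in:
            raise ValueError("replayed packet")
        self.seq_in = seq
        iv, ciphertext = esp[8:16], esp[16:]
        return xor(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))


def outer_view(packet: bytes) -> tuple:
    """What a router, or an interceptor, on the public network can read:
    just the outer source and destination addresses."""
    return socket.inet_ntoa(packet[:4]), socket.inet_ntoa(packet[4:8])
```

Everything between the outer header and the ICV is opaque to the shared network, which is exactly the "indecipherable without the encryption keys" property the slides describe; the sequence number and ICV are what stop a captured packet being replayed or altered.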

More about IPSec in practice
- Depends on PKI for authentication
- Both ends must be IPSec compliant, but not the various network systems that may be between them…
- Can therefore be used to protect paths between
  » a pair of hosts
  » a pair of security gateways
  » a security gateway and a host
- Can work with IPv4 and IPv6

PPTP
- Sponsored by Microsoft
  » proposal submitted for consideration by IETF
- Extension of PPP
  » Uses PPP authentication and Microsoft’s own encryption
  » allow organisations to extend their own corporate network by using private “tunnels” over public Internet
    » effectively using WAN as a single large LAN
- Claimed to provide a secure connection over public networks
  » but not universally accepted as secure…

L2TP
- Microsoft hybrid of:
  » their own PPTP
  » CISCO’s L2F (layer 2 forwarding)
- With L2TP, IPSec is optional:
  » like PPTP:
    » it can use PPP authentication and access controls (PAP and CHAP!)
    » It uses NCP to handle remote address assignment of remote client
  » as no IPSec, no overhead of reliance on PKI

Implementation of Secure HTTP
- Like http, http-s is a client-server protocol
- Server end:
  » PKI-compliant Web Server configured to provide https access
  » valid server certificate to authenticate server to client
- Client end
  » browser needs to be able to identify & authenticate secure http traffic:
    » URL header https://
    » “lock” sign at bottom of screen

Configuring a Web Server for https…
- Any properly configured web server will offer unsecured links to many www pages (http)
- A secure web server can ADDITIONALLY offer secure links to specified folders (https)
  » BUT… it must first acquire that PKI server certificate from e.g. Verisign or an affiliate…
  » the server certificate needs to be viewable by a client browser to verify trust in the web page provider

IIS Configuration to support SSL and https
- A “wizard” drives the whole process
  » need administrator access to IIS in “webserver” mode
  » access the “directory security” tab
  » click on “server certificate”…
    » and the process begins
- Once IIS has downloaded & installed that server certificate, development of a secure website can begin in specific folders

Web Server Configuration for client-end https
- IF the webserver is properly configured for https…
  » IS username/password protected
  » HAS a Server Certificate…
    » viewable by client browsers, not revoked or out of date
- THEN, via username/password authentication
  » browser will allow https access via the web
  » “lock” symbol appears below the web page display
    » click on “lock” symbol for server certificate details
- Otherwise, a “not authorised” message will be displayed

The Server Certificate
- Both encryption and identity checking require the owner of the server to obtain and install a Digital SSL (Server) Certificate
  » more expensive than a personal certificate
  » Verisign again a suitable source…
- SSL Certificate has to be:
  » downloaded from source website
  » installed onto the relevant web server
  » authenticated by a named individual (administrator?) at the server end

Ways to “sign” an SSL Certificate
- Three possibilities:
- Commercial
  » usually recognised silently by browsers, with no pop-up or alert
- Self-signing
  » almost always produces an alert on the browser
  » shows the identity asserted (but not proved) by the server owner
  » the user is likely to be offered the option to recognise this certificate in future (effectively silencing the alert)
- Organisation-signed
  » also likely to result in an alert that names the organisation
  » an organisation with an existing relationship with most of its users can instruct them to configure their browsers to silently recognise certificates signed by their own organisation