security in the internet
TRANSCRIPT
-
8/14/2019 Security in the Internet
1/44
32.1
Chapter 32 Security in the Internet:
IPSec, SSL/TLS, PGP, VPN, and Firewalls
Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
-
Figure 32.1 Common structure of three security protocols
-
32-1 IPSecurity (IPSec)
IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.
Topics discussed in this section:
Two Modes
Two Security Protocols
Security Association
Internet Key Exchange (IKE)
Virtual Private Network
-
Figure 32.2 TCP/IP protocol suite and IPSec
-
Figure 32.3 Transport mode and tunnel modes of IPSec protocol
-
Note: IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer.
-
Figure 32.4 Transport mode in action
-
Figure 32.5 Tunnel mode in action
-
Note: IPSec in tunnel mode protects the original IP header.
-
Figure 32.6 Authentication Header (AH) Protocol in transport mode
-
Note: The AH Protocol provides source authentication and data integrity, but not privacy.
-
Note: ESP provides source authentication, data integrity, and privacy.
-
Table 32.1 IPSec services
-
Figure 32.8 Simple inbound and outbound security associations
-
Note: IKE creates SAs for IPSec.
-
Figure 32.9 IKE components
-
Table 32.2 Addresses for private networks
-
Figure 32.10 Private network
-
Figure 32.12 Virtual private network
-
Figure 32.13 Addressing in a VPN
-
32-2 SSL/TLS
Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) Protocol and the Transport Layer Security (TLS) Protocol. The latter is actually an IETF version of the former.
Topics discussed in this section:
SSL Services
Security Parameters
Sessions and Connections
Four Protocols
Transport Layer Security
-
Figure 32.14 Location of SSL and TLS in the Internet model
-
Table 32.3 SSL cipher suite list (continued)
-
Note: The client and the server have six different cryptography secrets.
-
Figure 32.15 Creation of cryptographic secrets in SSL
-
Figure 32.16 Four SSL protocols
-
Figure 32.17 Handshake Protocol
-
Figure 32.18 Processing done by the Record Protocol
-
32-3 PGP
One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails.
Topics discussed in this section:
Security Parameters
Services
A Scenario
PGP Algorithms
Key Rings
PGP Certificates
-
Figure 32.19 Position of PGP in the TCP/IP protocol suite
-
Note: In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.
-
Figure 32.20 A scenario in which an e-mail message is authenticated and encrypted
-
Figure 32.21 Rings
-
Note: In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.
-
32-4 FIREWALLS
All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.
Topics discussed in this section:
Packet-Filter Firewall
Proxy Firewall
-
Figure 32.22 Firewall
-
Figure 32.23 Packet-filter firewall
-
Note: A packet-filter firewall filters at the network or transport layer.
-
Figure 32.24 Proxy firewall
-
Note: A proxy firewall filters at the application layer.
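The difference between the two firewall types in the notes above, as an added example that is not part of the slides: a toy packet filter that decides on IP addresses, protocol and port only (network/transport layer), next to a toy proxy check that reads the application-layer request. The rule set, addresses and HTTP requests are constructed sample data.

```python
# Added example, not from the textbook: a toy packet-filter firewall (decides on
# network/transport-layer fields only) beside a toy proxy firewall (inspects the
# application-layer payload). All rules and packets below are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str              # network layer: source IP address
    dst: str              # network layer: destination IP address
    proto: str            # transport layer: "tcp" or "udp"
    dport: int            # transport layer: destination port
    payload: bytes = b""  # application layer: invisible to a packet filter

@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"        # CIDR; the default matches any destination
    proto: Optional[str] = None   # None matches any transport protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

# Constructed rule set: first match wins; anything unmatched is denied.
RULES = [
    Rule("deny", src="203.0.113.0/24"),                        # blocked source network
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),  # web server, HTTP
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443), # web server, HTTPS
    Rule("allow", dst="192.0.2.0/24", proto="udp", dport=53),   # DNS inside the site
]

def packet_filter(p: Packet, rules=RULES) -> str:
    """Packet-filter decision: looks only at IPs, protocol and port."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

def proxy_filter(p: Packet) -> str:
    """Proxy decision: parses the HTTP request line; toy policy forwards only GET /public/..."""
    parts = p.payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] == b"GET" and parts[1].startswith(b"/public/"):
        return "allow"
    return "deny"
```

The last two assertions in the test show the point of the notes: a request to a forbidden path on port 80 passes the packet filter (it never reads the payload) but is stopped by the proxy.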