lecture 7 - IPSec SSL

CS 6823 - Network Security
Lecture 5: IPSec/SSL VPNs
Keith O'Brien (keith@keithobrien.org)

IPSec
IP Security
IP datagrams have no inherent security:
- IP source address can be spoofed
- Content of IP datagrams can be sniffed
- Content of IP datagrams can be modified
- IP datagrams can be replayed
IPSec is a method for protecting IP datagrams:
- Standardized by IETF: dozens of RFCs
- Only sender and receiver have to be IPsec compliant
IPSec Services
- Confidentiality
- Data integrity
- Origin authentication
- Anti-replay protection
Confidentiality at the Network Layer
Between two network entities:
- Sending entity encrypts the payload of datagrams. The payload could be a TCP segment, UDP segment, ICMP message, OSPF message, etc.
- All data sent from one entity to the other would be hidden: web pages, email, P2P file transfers, TCP SYN packets, etc.
Virtual Private Networks (VPNs)
Institutions often want private networks for security:
- Traditional methods are costly: separate routers, links, service.
With a VPN the institution's inter-office traffic is sent over the public Internet instead:
- Inter-office traffic is encrypted before entering the public Internet.
VPNs
- IPSec acts at the network layer, authenticating and protecting IP packets
- Open standard
- Provides data confidentiality, data integrity, and origin authentication
IPSec Security Protocols
Authentication Header (AH):
- The Authentication Header provides for both authentication and integrity of the payload. The payload itself is not encrypted.
Encapsulating Security Payload (ESP):
- The Encapsulating Security Payload provides for encryption, authentication and integrity. The payload is encrypted. This is the most commonly implemented form of IPSec.
Authentication Header
- Ensures data integrity
- Provides origin authentication
- Uses keyed-hash mechanism
- Does not provide confidentiality (no encryption)
- Provides anti-replay protection
AH Authentication and Integrity (figure)
ESP
- Data confidentiality (encryption)
- Data integrity
- Data origin authentication
- Anti-replay protection
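As an added illustration (not from the lecture) of two services that both the AH and ESP slides list, a keyed-hash integrity check and anti-replay protection: the receiver verifies the packet's integrity check value with an HMAC and only then consults a sliding sequence-number window, so a forged sequence number can never advance the window. The key, payloads and window size are constructed for the demo; the packet is reduced to a (sequence, payload, ICV) triple.

```python
import hashlib
import hmac

class ReplayWindow:
    """Receiver-side anti-replay sliding window as AH and ESP use it (RFC 4302/4303 style)."""
    def __init__(self, size=64):
        self.size = size   # window width in sequence numbers; RFC 4303 requires at least 32
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence number (top - i) has been accepted

    def check_and_update(self, seq):
        """Return None and record seq if it is fresh, otherwise the rejection reason."""
        if seq == 0:
            return "zero sequence"          # first packet on an SA carries sequence 1
        if seq > self.top:                  # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return None
        diff = self.top - seq
        if diff >= self.size:
            return "outside window"         # too old to track; reject rather than risk a replay
        if self.bitmap & (1 << diff):
            return "replay"                 # already accepted once
        self.bitmap |= 1 << diff            # late but unseen: accept and mark
        return None

def compute_icv(key, seq, payload):
    """Keyed hash over sequence number and payload, truncated to 96 bits like HMAC-SHA-1-96."""
    data = seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def make_packet(key, seq, payload):
    """Sender side: constructed (seq, payload, icv) triple standing in for an AH/ESP packet."""
    return seq, payload, compute_icv(key, seq, payload)

def receive(window, key, seq, payload, icv):
    """Authenticate first, then check the window: a forged sequence number must never advance it."""
    if not hmac.compare_digest(compute_icv(key, seq, payload), icv):
        return "bad ICV"
    reason = window.check_and_update(seq)
    return "accepted" if reason is None else reason

if __name__ == "__main__":
    key = b"constructed-demo-key"
    win = ReplayWindow()
    pkt = make_packet(key, 1, b"hello")
    print(receive(win, key, *pkt))   # accepted
    print(receive(win, key, *pkt))   # replay
```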
ESP Protocol (figure)
Tunnel Mode vs. Transport Mode (figure)
Tunnel Mode (figure)
IPSec Protocol Framework
Framework        Choices
IPSec Protocol   ESP, ESP+AH, AH
Encryption       DES, 3DES, AES
Authentication   MD5, SHA
Diffie-Hellman   DH1, DH2
IKE Overview
Threat mitigation:
- Denial of Service
- Replay
- Man in the Middle
- Perfect Forward Secrecy (PFS)
Perfect Forward Secrecy
If a key is compromised, only the specific session it

This note was uploaded on 11/02/2010 for the course CS 393 taught by Professor Staff during the Spring '08 term at NYU Poly.
