Internet Security - Farkas 1
CSCE 813 Internet Security
TCP/IP
Reading Assignment
Reading: R. Oppliger, Internet and Intranet Security, Artech House, Chapter 2 (Google Books: http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC)
Recommended reading: Cisco, TCP/IP Technology, http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a008014f8a9.shtml
Before the Internet
Isolated, local packet-switching networks
– only nodes on the same network could communicate
Each network was autonomous
– different services
– different interfaces
– different protocols
Before the Internet (cont.)
ARPANET: sponsored by the Defense Advanced Research Projects Agency (DARPA)
• 1969: interconnected 4 hosts: Univ. of California at Los Angeles (UCLA), Stanford Research Institute (SRI), Univ. of California at Santa Barbara (UCSB), Univ. of Utah
• 1970: host-to-host protocol: Network Control Protocol (NCP)
• 1972: first application: e-mail
Internet
Connect existing networks: ARPANET, Packet Radio, and Packet Satellite
NCP not sufficient: develop a new protocol
1970s: Transmission Control Protocol (Vinton Cerf and Robert Kahn, 1974)
– based on packet-switching technology
– good for file transfer and remote terminal access
Divide TCP into two protocols:
– Internet Protocol (IP): addressing and forwarding of packets
– Transmission Control Protocol (TCP): sophisticated services, e.g., flow control and recovery from loss
1980: TCP/IP adopted as a DoD standard
1983: ARPANET protocol officially changed from NCP to TCP/IP
1985: Internet technology established
1995: U.S. Federal Networking Council (FNC) defines the term "Internet"
Goals (Clark '88)
D. Clark, "The Design Philosophy of the DARPA Internet Protocols", SIGCOMM '88
Fundamental goal: connect existing networks
Second-level goals:
1. Survivability
2. Support multiple types of services
3. Must accommodate a variety of networks
4. Allow distributed management
5. Allow host attachment with a low level of effort
6. Be cost effective
7. Allow resource accountability
Internet Challenge
Interconnected networks differ (protocols, interfaces, services, etc.)
Possibilities:
1. Reengineer and develop one global packet-switching network standard: not economically feasible
2. Have every host implement the protocols of every network it wants to communicate with: too complex, very high engineering cost
3. Add an extra layer, an internetworking layer:
– hosts implement one higher-level protocol
– all networks being connected carry that same protocol
– each network needs only an interface between the new protocol and its own technology
Layering
Organize a network system into logically distinct entities
– the service provided by one entity is based only on the service provided by the entity in the next lower layer
Without Layering
Each application has to be implemented for every network technology!
[Figure: each application (SMTP, FTP, HTTP) is bound directly to each transmission medium (coaxial cable, fiber optic)]
With Layering
An intermediate layer provides a single abstraction over the various network technologies
[Figure: applications (SMTP, FTP, HTTP) sit on an intermediate layer, which in turn sits on the transmission media (coaxial cable, fiber optic)]
Layering
Advantages
– Modularity: protocols are easier to manage and maintain
– Abstract functionality: lower layers can be changed without affecting the upper layers
– Reuse: upper layers can reuse the functionality provided by lower layers
Disadvantages
– Information hiding: a layer cannot exploit what it does not know about the layers below, which can lead to inefficient implementations
ISO OSI Reference Model
ISO: International Organization for Standardization
OSI: Open Systems Interconnection
Goal: a general open standard
– allow vendors to enter the market using their own implementations and protocols
OSI Model Concepts
Service: says what a layer does
Interface: says how to access the service
Protocol: says how the service is implemented
– a set of rules and formats that govern the communication between two peers
TCP/IP Protocol Stack
Application Layer
Transport Layer
Internetwork Layer
Network Access Layer
• Each layer interacts with the neighboring layers above and below
• Each layer can be defined independently
• The complexity of the networking is hidden from the application
OSI vs. TCP/IP
OSI: conceptually defines service, interface, protocol
Internet: provides a successful implementation

OSI layer      TCP/IP layer        Examples
Application    Application         Telnet, FTP, DNS
Presentation   (Application)
Session        (Application)
Transport      Transport           TCP, UDP
Network        Internet            IP
Data link      Host-to-network     LAN, packet radio
Physical       (Host-to-network)
Network Access Layer
Responsible for packet transmission on the physical media
Transmission between two devices that are physically connected
The goal of this layer is to move information across one "hop"
For example: Ethernet, token ring, Asynchronous Transfer Mode (ATM)
Internetwork Layer
Provides a connectionless and unreliable (best-effort) service
Routing (routers): determine the path a packet has to traverse to reach its destination
Defines the addressing mechanism
– hosts must conform to the addressing mechanism
IP Addresses
IP provides a logical address space and a corresponding addressing scheme
An IP address is a globally unique or private number associated with a host's network interface
Every system that will send packets directly out across the Internet must have a globally unique IP address
IP addresses are based on where the hosts are connected (they encode location, not identity)
IP address ranges are assigned top-down by a single organization (IANA) through the regional registries
They are running out of space: IANA's free pool of IPv4 addresses was exhausted in 2011
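To make the global/private distinction concrete, here is an added example written for this page (it is not code from the slides or from Oppliger's book). It uses Go's net/netip package to classify addresses, derives from that the ingress check a border device would apply to a packet's source (the DropAtBorder policy is this example's assumption, in the spirit of BCP 38 ingress filtering), and computes subnet membership from a prefix. The sample addresses are constructed from the RFC 5737 and RFC 3849 documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Classify reports which kind of address a host interface carries: a globally
// unique address, a private (RFC 1918 / fc00::/7) address that is unique only
// inside one site, or a special-purpose address that should never be the
// source of a packet arriving from the Internet.
func Classify(s string) (string, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return "", err
	}
	switch {
	case a.IsUnspecified():
		return "unspecified", nil
	case a.IsLoopback():
		return "loopback", nil
	case a.IsLinkLocalUnicast():
		return "link-local", nil
	case a.IsMulticast():
		return "multicast", nil
	case a.IsPrivate():
		return "private", nil
	default:
		return "global", nil
	}
}

// DropAtBorder is the ingress check a border router or firewall applies to the
// source address of a packet arriving on its Internet-facing interface: a
// source that is not globally unique cannot belong to a legitimate Internet
// host and is a spoofing indicator (assumed policy, in the spirit of BCP 38).
func DropAtBorder(src string) bool {
	kind, err := Classify(src)
	return err != nil || kind != "global" // unparsable sources are dropped too
}

// Network returns the prefix a host belongs to, e.g. 192.0.2.77/24 ->
// 192.0.2.0/24; hosts sharing the prefix are on one link and need no router.
func Network(hostWithPrefix string) (netip.Prefix, error) {
	p, err := netip.ParsePrefix(hostWithPrefix)
	if err != nil {
		return netip.Prefix{}, err
	}
	return p.Masked(), nil
}

// SameSubnet reports whether addr sits in the network of hostWithPrefix.
func SameSubnet(hostWithPrefix, addr string) (bool, error) {
	pfx, err := Network(hostWithPrefix)
	if err != nil {
		return false, err
	}
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return false, err
	}
	return pfx.Contains(a), nil
}

func main() {
	// Constructed sample addresses; the "global" ones come from the RFC 5737
	// and RFC 3849 documentation ranges, so no real host is named.
	for _, s := range []string{"203.0.113.9", "10.1.2.3", "127.0.0.1", "169.254.1.1", "2001:db8::1", "fd00::1"} {
		kind, _ := Classify(s)
		fmt.Printf("%-14s %-12s drop-at-border=%v\n", s, kind, DropAtBorder(s))
	}
	ok, _ := SameSubnet("192.0.2.77/24", "192.0.2.200")
	fmt.Println("192.0.2.200 on the same subnet as 192.0.2.77/24:", ok)
}
```

Two hosts behind different NATs can both hold 10.1.2.3, which is exactly why a private source seen on the outside interface is meaningless and gets dropped.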
Routing Protocols
• Enable routing decisions to be made
• Manage and periodically update the routing tables stored at each router
• Router: decides "which way" to send the packet
• Protocol types:
  • Reachability
  • Distance vector
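Added example, not taken from the slides: a distance-vector exchange in Go over a constructed five-router topology, run once honestly and once with router M forging its advertisement. The Topology, Route and liars parameters are this example's own; what it shows beyond the slide is that a distance-vector router has no way to verify what a neighbor claims, so a single forged vector ("I am at distance 0 from everything") redirects A's traffic through M.

```go
package main

import (
	"fmt"
	"sort"
)

// Route is one routing-table entry: total cost to a destination and the
// neighbor the packet is handed to first.
type Route struct {
	Cost    int
	NextHop string
}

// Topology maps each router to its directly attached neighbors and the link
// costs; links are symmetric.
type Topology map[string]map[string]int

// SampleTopology is constructed for the example: the honest shortest path
// from A to D is A-B-C-D (cost 6); M is a fifth router attached to A and C.
var SampleTopology = Topology{
	"A": {"B": 2, "D": 20, "M": 3},
	"B": {"A": 2, "C": 2},
	"C": {"B": 2, "D": 2, "M": 12},
	"D": {"A": 20, "C": 2},
	"M": {"A": 3, "C": 12},
}

// DistanceVector runs the exchange every router performs in a distance-vector
// protocol: each round a router advertises its vector (destination -> cost) to
// its neighbors, and a neighbor adopts a route when link cost plus advertised
// cost beats what it holds (Bellman-Ford). Routers named in liars advertise
// cost 0 to every destination, a forged advertisement. Returns the converged
// tables, keyed by router and then by destination.
func DistanceVector(topo Topology, liars map[string]bool) map[string]map[string]Route {
	names := make([]string, 0, len(topo))
	for n := range topo {
		names = append(names, n)
	}
	sort.Strings(names) // fixed processing order

	tables := make(map[string]map[string]Route, len(topo))
	for _, u := range names {
		tables[u] = map[string]Route{u: {0, u}}
		for v, c := range topo[u] {
			tables[u][v] = Route{c, v}
		}
	}
	// The vector router v sends: its table, or all zeros if it is lying.
	advertise := func(v string) map[string]int {
		vec := make(map[string]int)
		for dest, r := range tables[v] {
			vec[dest] = r.Cost
		}
		if liars[v] {
			for _, n := range names {
				vec[n] = 0
			}
		}
		return vec
	}
	for round := 0; round < 10*len(names); round++ { // bounded; converges well before this
		changed := false
		for _, u := range names {
			for v, link := range topo[u] {
				for dest, adv := range advertise(v) {
					if cur, ok := tables[u][dest]; !ok || link+adv < cur.Cost {
						tables[u][dest] = Route{link + adv, v}
						changed = true
					}
				}
			}
		}
		if !changed {
			break
		}
	}
	return tables
}

func main() {
	honest := DistanceVector(SampleTopology, nil)
	poisoned := DistanceVector(SampleTopology, map[string]bool{"M": true})
	for _, dest := range []string{"B", "C", "D"} {
		fmt.Printf("A->%s honest %+v   with M lying %+v\n", dest, honest["A"][dest], poisoned["A"][dest])
	}
}
```

In the honest run A reaches D at cost 6 via B; once M lies, A believes D is at cost 3 via M and hands it the traffic. Real protocols add authentication of neighbors (e.g., RIPv2/OSPF MD5 or SHA keys) precisely because the algorithm itself trusts every advertisement.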
The Domain Name System
Each system connected to the Internet also has one or more logical names (domain names)
Unlike IP addresses, domain names carry no routing information: they are organized by administrative units
There are no restrictions on the mapping from domain names to IP addresses (one name can map to several addresses, and several names to one address)
Domain Name Resolution
Domain name resolution: looking up a logical name and finding the corresponding IP address
There is a hierarchy of domain name servers (root, top-level domain, zone)
Each client system uses one domain name server, which in turn queries the hierarchy to find the address
If the client's server does not know the answer, it starts at the top of the hierarchy (a root server) and follows referrals down, zone by zone, until it reaches the server authoritative for the name
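Added example, not from the slides: the referral walk in Go over a constructed three-level hierarchy (root, a TLD server, a zone server), with the cache a client's resolver keeps. The server names, the Hierarchy records and the 203.0.113.x addresses (RFC 5737 TEST-NET-3) are all constructed for the example; glue records and TTLs are left out.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// rr is a constructed resource record: an address ("A") or a delegation
// ("NS") naming the server that is authoritative for everything below.
type rr struct {
	Type   string
	Target string
}

// Server is one name server and the records it holds.
type Server map[string]rr

// Hierarchy is the constructed name-server tree: the root knows only the
// top-level domains, a TLD server knows only the zones delegated under it,
// and the zone's own server holds the host records (addresses are from the
// RFC 5737 documentation ranges).
var Hierarchy = map[string]Server{
	"root":            {"com.": {"NS", "com-tld"}, "org.": {"NS", "org-tld"}},
	"com-tld":         {"example.com.": {"NS", "ns1.example.com"}},
	"org-tld":         {},
	"ns1.example.com": {"www.example.com.": {"A", "203.0.113.10"}, "mail.example.com.": {"A", "203.0.113.25"}},
}

// Resolver is the one name server a client is configured with; it walks the
// hierarchy on the client's behalf and caches what it learns.
type Resolver struct{ cache map[string]string }

func NewResolver() *Resolver { return &Resolver{cache: map[string]string{}} }

// query asks one server about a name. The server answers from its own data
// (A), refers the resolver to the server for the longest suffix it delegates
// (NS), or reports that the name does not exist.
func query(server, name string) (rr, error) {
	s, ok := Hierarchy[server]
	if !ok {
		return rr{}, fmt.Errorf("unknown server %q", server)
	}
	if r, ok := s[name]; ok && r.Type == "A" {
		return r, nil
	}
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := 1; i < len(labels); i++ {
		if r, ok := s[strings.Join(labels[i:], ".")+"."]; ok && r.Type == "NS" {
			return r, nil
		}
	}
	return rr{}, errors.New("NXDOMAIN: " + name)
}

// Resolve returns the address for name and the chain of servers consulted; an
// answer served from the cache comes back with an empty chain.
func (r *Resolver) Resolve(name string) (string, []string, error) {
	name = strings.ToLower(name)
	if !strings.HasSuffix(name, ".") {
		name += "." // fully qualify, as a real resolver does
	}
	if addr, ok := r.cache[name]; ok {
		return addr, nil, nil
	}
	var chain []string
	server := "root"
	for hop := 0; hop < 8; hop++ { // bounded so a delegation loop cannot spin forever
		chain = append(chain, server)
		rec, err := query(server, name)
		if err != nil {
			return "", chain, err
		}
		if rec.Type == "A" {
			r.cache[name] = rec.Target
			return rec.Target, chain, nil
		}
		server = rec.Target // referral: ask the delegated server next
	}
	return "", chain, errors.New("too many referrals: " + name)
}

func main() {
	res := NewResolver()
	for _, n := range []string{"www.example.com", "www.example.com", "nope.example.com", "x.org"} {
		addr, chain, err := res.Resolve(n)
		fmt.Printf("%-18s -> %-13s asked %v err=%v\n", n, addr, chain, err)
	}
}
```

The first lookup asks root, then com-tld, then ns1.example.com; the second returns from the cache without asking anyone. Note what this toy resolver does not do: it accepts whatever each server returns and caches it unconditionally. A real resolver must match transaction IDs and source ports and reject records outside the answering server's bailiwick, or the cache can be poisoned by a forged reply.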
Transport Layer
Provides services to the application layer
Services:
– connection-oriented or connectionless transport
– reliable or unreliable transport
– security (authenticity, confidentiality, integrity)
The application has to choose the services it requires from the transport layer
Not every combination is offered, e.g., the TCP/IP suite has no connectionless reliable transport (TCP is connection-oriented and reliable, UDP is connectionless and unreliable)
Application Layer
Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail/SMTP (port 25), finger (port 79)
Interface to the transport layer
– operating-system dependent
– socket interface
Communication Between Layers
[Figure: Host A (application, transport, network, data link layers) – Router (network, data link) – Router (network, data link) – Host B (data link, network, transport, application). Application data becomes the transport payload, the transport segment becomes the network payload, and the network packet becomes the data link payload; the routers process only the network and data link layers.]
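Added example, not part of the deck: the encapsulation in the figure carried out as bytes in Go. BuildFrame wraps application data in a UDP header, then an IPv4 header, then an Ethernet header; ParseFrame is the receiving host peeling them off again, checking each header before trusting the lengths it carries. The MAC and IP addresses (RFC 5737 TEST-NET-1) and the "hello" payload are constructed for the example; the UDP checksum is left at zero, which IPv4 permits.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// checksum is the Internet checksum (RFC 1071): ones-complement sum of 16-bit
// words, carries folded in, complemented. Over a header that already holds its
// checksum field it yields 0 if the header is intact.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// BuildFrame wraps application data in a UDP header (transport), an IPv4 header
// (internetwork) and an Ethernet header (network access): each layer's unit
// becomes the payload of the layer below, exactly as in the figure.
func BuildFrame(srcMAC, dstMAC [6]byte, srcIP, dstIP [4]byte, srcPort, dstPort uint16, data []byte) []byte {
	udp := make([]byte, 8+len(data))
	binary.BigEndian.PutUint16(udp[0:], srcPort)
	binary.BigEndian.PutUint16(udp[2:], dstPort)
	binary.BigEndian.PutUint16(udp[4:], uint16(len(udp)))
	copy(udp[8:], data) // udp[6:8] stays 0: the UDP checksum is optional over IPv4

	ip := make([]byte, 20)
	ip[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(ip[2:], uint16(20+len(udp)))
	binary.BigEndian.PutUint16(ip[6:], 0x4000) // DF set, no fragment offset
	ip[8], ip[9] = 64, 17                      // TTL, protocol = UDP
	copy(ip[12:], srcIP[:])
	copy(ip[16:], dstIP[:])
	binary.BigEndian.PutUint16(ip[10:], checksum(ip)) // field is 0 while summing

	eth := make([]byte, 14)
	copy(eth[0:], dstMAC[:])
	copy(eth[6:], srcMAC[:])
	binary.BigEndian.PutUint16(eth[12:], 0x0800) // EtherType IPv4
	return append(append(eth, ip...), udp...)
}

// Packet is what the receiver recovers as it peels the headers off again.
type Packet struct {
	SrcIP, DstIP     [4]byte
	SrcPort, DstPort uint16
	TTL              uint8
	Payload          []byte
}

// ParseFrame performs the decapsulation, validating each header before
// trusting the length fields it carries: every byte here arrived from the wire.
func ParseFrame(f []byte) (Packet, error) {
	var p Packet
	if len(f) < 14+20+8 || binary.BigEndian.Uint16(f[12:]) != 0x0800 {
		return p, errors.New("not an IPv4 frame of usable size")
	}
	ip := f[14:]
	if ip[0] != 0x45 || checksum(ip[:20]) != 0 {
		return p, errors.New("bad IP header (version, options, or checksum)")
	}
	total := int(binary.BigEndian.Uint16(ip[2:]))
	if total < 28 || total > len(ip) || ip[9] != 17 {
		return p, errors.New("bad IP total length, or not UDP")
	}
	udp := ip[20:total]
	ulen := int(binary.BigEndian.Uint16(udp[4:]))
	if ulen < 8 || ulen > len(udp) {
		return p, errors.New("bad UDP length")
	}
	copy(p.SrcIP[:], ip[12:16])
	copy(p.DstIP[:], ip[16:20])
	p.TTL = ip[8]
	p.SrcPort = binary.BigEndian.Uint16(udp[0:])
	p.DstPort = binary.BigEndian.Uint16(udp[2:])
	p.Payload = append([]byte(nil), udp[8:ulen]...)
	return p, nil
}

func main() {
	// Constructed sample: a datagram to port 53 between two TEST-NET-1 hosts.
	frame := BuildFrame([6]byte{2, 0, 0, 0, 0, 1}, [6]byte{2, 0, 0, 0, 0, 2},
		[4]byte{192, 0, 2, 10}, [4]byte{192, 0, 2, 53}, 40000, 53, []byte("hello"))
	fmt.Printf("%d-byte frame: % x\n", len(frame), frame)
	p, err := ParseFrame(frame)
	fmt.Printf("%+v %v\n", p, err)
	frame[14+8]-- // corrupt the IP TTL without recomputing the checksum
	_, err = ParseFrame(frame)
	fmt.Println(err)
}
```

The length checks in ParseFrame are the ones that matter in practice: an IP total length or UDP length larger than the bytes actually received is a classic way to make a careless parser read past its buffer, so the parser bounds every slice by what it has before indexing.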
Security -- At What Level?
Traffic can be secured at various levels in the network
Where to implement security? Depends on the security requirements of the application and the user
Basic services that need to be implemented:
– key management
– confidentiality
– nonrepudiation
– integrity/authentication
– authorization
Network Access Layer Security
Dedicated link between hosts/routers; hardware devices (link encryptors) do the encryption
Advantages:
– speed
Disadvantages:
– not scalable
– works well only on dedicated links
– the two hardware devices need to be physically connected
Internetwork Layer Security
IP Security (IPsec)
Advantages:
– the overhead of key negotiation decreases, since multiple higher-layer protocols can share the same key management infrastructure
– ability to build VPNs and intranets
Disadvantages:
– difficult to handle fine-grained security, e.g., nonrepudiation or user-based security, because IPsec sees hosts (addresses), not users
Transport Layer Security
Advantages:
– does not require enhancement to each application
Disadvantages:
– obtaining the user context gets complicated
– implemented on the end systems
– protocol specific --> needs to be duplicated for each transport protocol
– needs to maintain context for a connection (connectionless UDP traffic was not covered when this deck was written; DTLS later filled that gap)
Application Layer Security
Advantages:
– executes in the context of the user --> easy access to the user's credentials
– complete access to the data --> easier to ensure nonrepudiation
– the application can be extended to provide security (does not depend on the operating system)
– the application understands the data --> security can be fine-tuned
Disadvantages:
– implemented in the end hosts
– security mechanisms have to be implemented for each application -->
– expensive
– greater probability of making a mistake
Application Example
E-mail client using PGP
Extended capabilities:
– ability to look up the public keys of the users
– ability to provide security services such as encryption/decryption, nonrepudiation, and authentication for e-mail messages
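Added example, written for this page and not the deck's or any PGP implementation's code: a PGP-style sign-then-encrypt envelope built from Go's standard library, with a map standing in for the public-key lookup the slide mentions. Ed25519 signs the body (authentication and nonrepudiation, since only the sender holds the signing key), AES-256-GCM encrypts signature and body under a fresh message key (confidentiality), and RSA-OAEP wraps that key to the recipient. The Identity, Keyring and Envelope types, the envelope layout and the example addresses are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is one mail user: an RSA pair for wrapping message keys and an
// Ed25519 pair for signing. The private halves never leave the user's client.
type Identity struct {
	Email   string
	Pub     PublicKeys
	encPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
}

// PublicKeys is the published half; a Keyring stands in for the public-key
// lookup the slide mentions (key server or local keyring), keyed by address.
type PublicKeys struct {
	Enc *rsa.PublicKey
	Sig ed25519.PublicKey
}
type Keyring map[string]PublicKeys
func NewIdentity(email string) (*Identity, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	sigPub, sigKey, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	return &Identity{email, PublicKeys{&rsaKey.PublicKey, sigPub}, rsaKey, sigKey}, nil
}

// Envelope: a fresh AES key wrapped to the recipient, Ciphertext = AES-GCM(signature || body).
type Envelope struct {
	From, To                      string
	WrappedKey, Nonce, Ciphertext []byte
}

// Seal signs the body with the sender's key (authentication, nonrepudiation), then
// encrypts signature and body for the recipient; the addresses are bound in as GCM
// associated data so they cannot be swapped in transit.
func Seal(ring Keyring, from *Identity, to string, body []byte) (*Envelope, error) {
	rcpt, ok := ring[to]
	if !ok {
		return nil, fmt.Errorf("no public key for %s", to)
	}
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	sig := ed25519.Sign(from.sigPriv, body)
	ct := gcm.Seal(nil, nonce, append(sig, body...), []byte(from.Email+">"+to))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rcpt.Enc, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{from.Email, to, wrapped, nonce, ct}, nil
}

// Open reverses Seal: unwrap the key, decrypt, then verify the signature against
// the sender's published key. Any failure rejects the whole message.
func Open(ring Keyring, me *Identity, env *Envelope) ([]byte, error) {
	sender, ok := ring[env.From]
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me.encPriv, env.WrappedKey, nil)
	block, err2 := aes.NewCipher(key) // key is nil on unwrap failure, wrong size if forged
	if err != nil || err2 != nil {
		return nil, errors.New("key unwrap failed: not addressed to this key")
	}
	gcm, _ := cipher.NewGCM(block)
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed envelope")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+">"+me.Email))
	if err != nil || len(pt) < ed25519.SignatureSize {
		return nil, errors.New("decryption failed: message altered or misaddressed")
	}
	sig, body := pt[:ed25519.SignatureSize], pt[ed25519.SignatureSize:]
	if !ok || !ed25519.Verify(sender.Sig, body, sig) {
		return nil, errors.New("bad signature: sender not authenticated")
	}
	return body, nil
}

func main() {
	alice, _ := NewIdentity("alice@example.com")
	bob, _ := NewIdentity("bob@example.com")
	ring := Keyring{alice.Email: alice.Pub, bob.Email: bob.Pub}
	env, _ := Seal(ring, alice, bob.Email, []byte("Pay invoice 42 from account 1234"))
	body, err := Open(ring, bob, env)
	fmt.Printf("%s (err=%v)\n", body, err)
}
```

Signing before encrypting is what gives the application-layer advantage the previous slide lists: the signature is over the exact data the user saw, so Bob can later show a third party Alice's signature on the body, which nothing at the IP or transport layer could provide. The weak point, as with real PGP, is the keyring: if the lookup can be fed a wrong key for alice@example.com, every check here still passes.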