Analyze how a VPN is used for telework and how it helps to keep data safe? Please make sure to write 250 words in APA format with in-text citation. also you must use at least one scholarl

11 Oct Analyze how a VPN is used for telework and how it helps to keep data safe? Please make sure to write 250 words in APA format with in-text citation. also you must use at least one scholarl

Posted at 20:00h in Information Systems by

Analyze how a VPN is used for telework and how it helps to keep data safe? Please make sure to write 250 words in APA format with in-text citation. also you must use at least one scholarly resource. See attached document for reference.

Cryptography_fullppt_Chapter-20.pdf

Cryptography and Network Security:

Principles and Practice Eighth Edition

Chapter 20

IP Security

IP Security Overview

• RFC 1636

– “Security in the Internet Architecture”

– Issued in 1994 by the Internet Architecture Board (I A B)

– Identifies key areas for security mechanisms

▪ Need to secure the network infrastructure from

unauthorized monitoring and control of network traffic

▪ Need to secure end-user-to-end-user traffic using

authentication and encryption mechanisms

– I A B included authentication and encryption as necessary

security features in the next generation I P (I P v 6)

▪ The IPsec specification now exists as a set of Internet

standards

IPsec Documents (1 of 2)

• IPsec Documents

– Architecture

▪ Covers the general concepts, security requirements,

definitions, and mechanisms defining IPsec technology

▪ The current specification is RFC4301, Security Architecture for

the Internet Protocol

– Authentication Header (AH)

▪ An extension header to provide message authentication

▪ The current specification is RFC 4302, IP Authentication

Header

– Encapsulating Security Payload (ESP)

▪ Consists of an encapsulating header and trailer used to

provide encryption or combined encryption/authentication

▪ The current specification is RFC 4303, IP Encapsulating

Security Payload (ESP)

IPsec Documents (2 of 2)

– Internet Key Exchange (IKE)

▪ A collection of documents describing the key management

schemes for use with IPsec

▪ The main specification is RFC 7296, Internet Key Exchange

(IKEv2) Protocol, but there are a number of related RFCs

– Cryptographic algorithms

▪ This category encompasses a large set of documents that

define and describe cryptographic algorithms for encryption,

message authentication, pseudorandom functions (PRFs), and

cryptographic key exchange

– Other

▪ There are a variety of other IPsec-related RFCs, including

those dealing with security policy and management information

base (MIB) content

Applications of IPsec

• IPsec provides the capability to secure communications across

a L A N, private and public W A N s, and the Internet

• Examples include:

– Secure branch office connectivity over the Internet

– Secure remote access over the Internet

– Establishing extranet and intranet connectivity with partners

– Enhancing electronic commerce security

• Principal feature of I Psec is that it can encrypt and/or

authenticate all traffic at the I P level

– Thus all distributed applications (remote logon, client/server,

e-mail, file transfer, Web access) can be secured

I Psec Services

• IPsec provides security services at the IP layer by enabling a system to:

– Select required security protocols

– Determine the algorithm(s) to use for the service(s)

– Put in place any cryptographic keys required to provide the requested

services

• RFC 4301 lists the following services:

– Access control

– Connectionless integrity

– Data origin authentication

– Rejection of replayed packets (a form of partial sequence integrity)

– Confidentiality (encryption)

– Limited traffic flow confidentiality

Figure 20.1 IPsec Architecture

Security Association (S A)

• A one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it

• In any I P packet, the S A is uniquely identified by the Destination Address in the I P v 4 or I P v 6 header and the S P I in the enclosed extension header (A H or E S P)

Uniquely identified by three parameters:

• Security Parameters Index (SPI)

– A 32-bit unsigned integer assigned to this SA and having local

significance only

• IP Destination Address

– Address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router

• Security protocol identifier

– Indicates whether the association is an AH or ESP security association

Security Association Database (S A D) • Defines the parameters associated with each S A

• Normally defined by the following parameters in a S A D entry:

– Security parameter index

– Sequence number counter

– Sequence counter overflow

– Anti-replay window

– A H information

– E S P information

– Lifetime of this security association

– I Psec protocol mode

– Path M T U

Security Policy Database (S P D)

• The means by which I P traffic is related to specific S A s

– Contains entries, each of which defines a subset of I P

traffic and points to an S A for that traffic

• In more complex environments, there may be multiple

entries that potentially relate to a single S A or multiple SAs

associated with a single S P D entry

– Each S P D entry is defined by a set of I P and upper-

layer protocol field values called selectors

– These are used to filter outgoing traffic in order to map

it into a particular S A

SPD Entries (1 of 2)

• The following selectors determine an SPD entry:

• Remote IP address

– This may be a single IP address, an enumerated list or

range of addresses, or a wildcard (mask) address

– The latter two are required to support more than one

destination system sharing the same SA

• Local IP address

– This may be a single IP address, an enumerated list or

range of addresses, or a wildcard (mask) address

– The latter two are required to support more than one

source system sharing the same SA

SPD Entries (2 of 2)

• Next layer protocol

– The IP protocol header includes a field that designates

the protocol operating over IP

• Name

– A user identifier from the operating system

– Not a field in the IP or upper-layer headers but is

available if IPsec is running on the same operating

system as the user

• Local and remote ports

– These may be individual TCP or UDP port values, an

enumerated list of ports, or a wildcard port

Table 20.1 Host S P D Example

Protocol Local IP Port Remote IP Port Action Comment

UDP 1.2.3.101 500 * 500 BYPASS IKE

ICMP 1.2.3.101 * * * BYPASS Error

messages

* 1.2.3.101 * 1.2.3.0/24 * PROTECT: ESP

intransport-mode

Encrypt

intranet

traffic

TCP 1.2.3.101 * 1.2.4.10 80 PROTECT: ESP

intransport-mode

Encrypt to

server

TCP 1.2.3.101 * 1.2.4.10 443 BYPASS TLS: avoid

double

encryption

* 1.2.3.101 * 1.2.4.0/24 * DISCARD Others in

DMZ

* 1.2.3.101 * * * BYPASS Internet

Figure 20.2 Processing Model for

Outbound Packets

Figure 20.3 Processing Model for

Inbound Packets

Figure 20.4 E S P Packet Format

Encapsulating Security Payload (E S P) (1 of 2)

• Used to encrypt the Payload Data, Padding, Pad Length, and

Next Header fields

– If the algorithm requires cryptographic synchronization data

then these data may be carried explicitly at the beginning of

the Payload Data field

• An optional I C V field is present only if the integrity service is

selected and is provided by either a separate integrity algorithm

or a combined mode algorithm that uses an I C V

– I C V is computed after the encryption is performed

– This order of processing facilitates reducing the impact of

DoS attacks

– Because the I C V is not protected by encryption, a keyed

integrity algorithm must be employed to compute the I C V

Encapsulating Security Payload (E S P) (2 of 2)

• The Padding field serves several purposes:

– If an encryption algorithm requires the plaintext to be a

multiple of some number of bytes, the Padding field is

used to expand the plaintext to the required length

– Used to assure alignment of Pad Length and Next

Header fields

– Additional padding may be added to provide partial

traffic-flow confidentiality by concealing the actual

length of the payload

Figure 20.5 Anti-replay Mechanism

Figure 20.6 Scope of ESP Encryption

and Authentication

Figure 20.7 End-to-end IPsec

Transport-Mode Encryption

Transport Mode (1 of 2)

• Transport mode operation may be summarized as follows:

– At the source, the block of data consisting of the E S P trailer plus the entire transport-layer segment is encrypted and the plaintext of this block is replaced with its ciphertext to form the I P packet for transmission. Authentication is added if this option is selected

– The packet is then routed to the destination. Each intermediate router needs to examine and process the I P header plus any plaintext I P extension headers but does not need to examine the ciphertext

– The destination node examines and processes the I P header plus any plaintext I P extension headers. Then, on the basis of the S P I in the E S P header, the destination node decrypts the remainder of the packet to recover the plaintext transport-layer segment

Transport Mode (2 of 2)

• Transport mode operation provides confidentiality for any

application that uses it, thus avoiding the need to

implement confidentiality in every individual application

• One drawback to this mode is that it is possible to do traffic

analysis on the transmitted packets

Tunnel Mode (1 of 3)

• Tunnel mode provides protection to the I P packet

– To achieve this, after the A H or E S P fields are added

to the I P packet, the entire packet plus security fields is

treated as the payload of new outer I P packet with a

new outer I P header

– The entire original, inner, packet travels through a

tunnel from one point of an I P network to another; no

routers along the way are able to examine the inner I P

header

– Because the original packet is encapsulated, the new,

larger packet may have totally different source and

destination addresses, adding to the security

Tunnel Mode (2 of 3)

– Tunnel mode is used when one or both ends of a

security association (S A) are a security gateway, such

as a firewall or router that implements I Psec

– With tunnel mode, a number of hosts on networks

behind firewalls may engage in secure communications

without implementing IPsec

– The unprotected packets generated by such hosts are

tunneled through external networks by tunnel mode S

As set up by the IPsec software in the firewall or

secure router at the boundary of the local network

Tunnel Mode (3 of 3)

• Tunnel mode is useful in a configuration that includes a

firewall or other sort of security gateway that protects a

trusted network from external networks

• Encryption occurs only between an external host and the

security gateway or between two security gateways

– This relieves hosts on the internal network of the processing burden of encryption and simplifies the key distribution task by reducing the number of needed keys

– It thwarts traffic analysis based on ultimate destination

V P N

• Tunnel mode can be used to implement a secure virtual private

network

– A virtual private network (V P N) is a private network that is

configured within a public network in order to take advantage of

the economies of scale and management facilities of large

networks

▪ V P N s are widely used by enterprises to create wide area

networks that span large geographic areas, to provide site-to-

site connections to branch offices, and to allow mobile users to

dial up their company L A N s

▪ The pubic network facility is shared by many customers, with

the traffic of each customer segregated from other traffic

▪ Traffic designated as V P N traffic can only go from a V P N

source to a destination in the same V P N

▪ It is often the case that encryption and authentication facilities

are provided for the V P N

Figure 20.8 Example of Virtual Private

Network Implemented with IPsec

Tunnel Mode

Table 20.2 Tunnel Mode and

Transport Mode Functionality

Blank Transport Mode S A Tunnel Mode S A

A H Authenticates I P payload

and selected portions of I P

header and IPv6 extension

headers.

Authenticates entire inner I P

packet (inner header plus I P

payload) plus selected

portions of outer I P header

and outer I P v 6 extension headers.

E S P Encrypts I P payload and any

IPv6 extension headers

following the ESP header.

Encrypts entire inner I P

packet.

E S P with

Authentication

Encrypts I P payload and any

IPv6 extension headers

following the E S P header.

Authenticates I P payload but

not I P header.

Encrypts entire inner I P

packet. Authenticates inner I P

packet.

Figure 20.9 Protocol Operation for E S P

Combining Security Associations • An individual SA can implement either the AH or ESP protocol but not both

• Security association bundle

– Refers to a sequence of SAs through which traffic must be processed to

provide a desired set of IPsec services

– The SAs in a bundle may terminate at different endpoints or at the same endpoint

• May be combined into bundles in two ways:

• Transport adjacency

– Refers to applying more than one security protocol to the same IP packet

without invoking tunneling

– This approach allows for only one level of combination

• Iterated tunneling

– Refers to the application of multiple layers of security protocols effected

through IP tunneling

– This approach allows for multiple levels of nesting

E S P with Authentication Option

• In this approach, the first user applies E S P to the data to be

protected and then appends the authentication data field

• Transport mode E S P

– Authentication and encryption apply to the I P payload

delivered to the host, but the I P header is not protected

• Tunnel mode E S P

– Authentication applies to the entire I P packet delivered to

the outer I P destination address and authentication is

performed at that destination

– The entire inner I P packet is protected by the privacy

mechanism for delivery to the inner I P destination

• For both cases authentication applies to the ciphertext rather

than the plaintext

Transport Adjacency

• Another way to apply authentication after encryption is to use

two bundled transport S A s, with the inner being an E S P S A and

the outer being an A H S A

– In this case E S P is used without its authentication option

– Encryption is applied to the I P payload

– A H is then applied in transport mode

– Advantage of this approach is that the authentication covers

more fields

– Disadvantage is the overhead of two S A s versus one S A

Transport-Tunnel Bundle

• The use of authentication prior to encryption might be preferable

for several reasons:

– It is impossible for anyone to intercept the message and

alter the authentication data without detection

– It may be desirable to store the authentication information

with the message at the destination for later reference

• One approach is to use a bundle consisting of an inner A H

transport S A and an outer E S P tunnel S A

– Authentication is applied to the I P payload plus the I P

header

– The resulting I P packet is then processed in tunnel mode by

E S P

▪ The result is that the entire authenticated inner packet is

encrypted and a new outer I P header is added

Figure 20.10 Basic Combinations of

Security Associations

Internet Key Exchange

• The key management portion of I Psec involves the determination and distribution of secret keys

– A typical requirement is four keys for communication between two applications

▪ Transmit and receive pairs for both integrity and confidentiality

• The I Psec Architecture document mandates support for two types of key management:

• Manual

– A system administrator manually configures each system with its own keys and with the keys of other communicating systems

– This is practical for small, relatively static environments

• Automated

– Enables the on-demand creation of keys for S A s and facilitates the use of keys in a large distributed system with an evolving configuration

I S A K M P/Oakley

• The default automated key management protocol of IPsec

• Consists of:

– Oakley Key Determination Protocol

▪ A key exchange protocol based on the Diffie-Hellman

algorithm but providing added security

▪ Generic in that it does not dictate specific formats

– Internet Security Association and Key Management Protocol

(I S A K M P)

▪ Provides a framework for Internet key management and

provides the specific protocol support, including formats,

for negotiation of security attributes

▪ Consists of a set of message types that enable the use

of a variety of key exchange algorithms

Features of I K E Key Determination

• Algorithm is characterized by five important features:

– It employs a mechanism known as cookies to thwart clogging

attacks

– It enables the two parties to negotiate a group; this, in essence,

specifies the global parameters of the Diffie-Hellman key

exchange

– It uses nonces to ensure against replay attacks

– It enables the exchange of Diffie-Hellman public key values

– It authenticates the Diffie-Hellman exchange to thwart man-in-the-

middle-attacks

Figure 20.11 IKEv2 Exchanges

Figure 20.12 I K E Formats

Table 20.3 IKE Payload Types Type Parameters

Security Association Proposals

Key Exchange DH Group #, Key Exchange Data

Identification ID Type, ID Data

Certificate Cert Encoding, Certificate Data

Certificate Request Cert Encoding, Certification Authority

Authentication Auth Method, Authentication Data

Nonce Nonce Data

Notify Protocol-ID, SPI Size, Notify Message Type, SPI, Notification Data

Delete Protocol-ID, SPI Size, # of SPIs, SPI (one or more)

Vendor ID Vendor ID

11 Oct Analyze how a VPN is used for telework and how it helps to keep data safe? Please make sure to write 250 words in APA format with in-text citation. also you must use at least one scholarl

Related Tags

Who We Are

Some Categories

More Links

We Accept