0 MODE FOR BACKWARDS COMPATIBILITY. SSL AND TLS PROVIDE SECURITY FOR...
3.0 mode for backwards compatibility. SSL and TLS provide security for a
single TCP session.
SSL and TLS provide a connection between a client and a server, over
which any amount of data can be sent securely. Server and browser must
be SSL or TLS enabled to facilitate secure Web connections. Applications
must be SSL- or TLS-enabled to allow their use of the secure connection.
Figure 1.10 shows the relative location in the protocol stack of the SSL and
TLS protocols.
Figure 1.10 The Secure Sockets Layer.
HTTP
SMTP
FTP
DNS
Application
SSL-TLS
Transport
TCP
UDP
ICMP
IP
ARP
Network
MAC
LLC
Data Link
Media
Physical
https://traloihay.net
For the browser and server to communicate securely, each needs to
have the shared session key. SSL/TLS use public key encryption to
exchange session keys during communication initialization. When a
browser is installed on a workstation, it generates a unique private/public
key pair.
Secure Shell (SSH)
Secure shell protocol is specified in a set of Internet draft documents. SSH
provides secure remote login and other secure network services over an
insecure network. SSH is being promoted free to colleges and universities
as a means for reducing cleartext passwords on networks. Middle and
high-end Cisco routers support SSH, but only SSH version 1. SSH version
2 is completely rewritten to use different security protocols and has added
public key cryptography.
The SSH protocol provides channels for establishing secure, interactive
shell sessions and tunnelling other TCP applications. There are three
major components to SSH:
Transport Layer Protocolprovides authentication, confidentiality, and
integrity for the server. It can also compress the data stream. The SSH
transport runs on top of TCP. The transport protocol negotiates key
exchange method, public key, symmetric encryption, authentication, and
hash algorithms.
User Authentication Protocolauthenticates the user-level client to the
server and runs on top of SSH transport layer. It assumes that the trans-
port layer provides integrity and confidentiality. The method of authentica-
tion is negotiated between the server and the client.
Connection Protocolmultiplexes an encrypted tunnel into several chan-
nels. It is run on top of SSH transport and authentication protocols. The
two ends negotiate the channel, window size, and type of data. The connec-
tion protocol can tunnel X11 or any arbitrary TCP port traffic.
Filtering
Packet filters can be implemented on routers and layer 3 devices to control
the packets that will be blocked or forwarded at each interface. Routing
decisions about whether to forward or drop the packet are made based on
the rules in the access list. Standard access lists cannot filter on transport
layer information. Only extended access lists can specify a protocol, and a
parameter related to that protocol. TCP filtering options include established
connections, port numbers or ranges of port numbers, and type of service
values. UDP filter options only specify port numbers, since it is not a con-
nection-oriented protocol.
Introduction to IP Network Security • Chapter 1 31Network Layer Security
Network layer security can be applied to secure traffic for all applications
or transport protocols in the above layers. Applications do not need to be
modified since they communicate with the transport layer above.
IP Security Protocols (IPSec)
IPSec protocols can supply access control, authentication, data integrity,
and confidentiality for each IP packet between two participating network
nodes. IPSec can be used between two hosts (including clients), a gateway
and a host, or two gateways. No modification of network hardware or soft-
ware is required to route IPSec. Applications and upper level protocols can
be used unchanged.
IPSec adds two security protocols to IP, Authentication Header (AH) and
Encapsulating Security Payload (ESP). AH provides connectionless
integrity, data origin authentication, and anti-replay service for the IP
packet. AH does not encrypt the data, but any modification of the data
would be detected. ESP provides confidentiality through the encryption of
the payload. Access control is provided through the use and management
of keys to control participation in traffic flows.
IPSec was designed to be flexible, so different security needs could be
accommodated. The security services can be tailored to the particular
needs of each connection by using AH or ESP separately for their indi-
vidual functions, or combining the protocols to provide the full range of
protection offered by IPSec. Multiple cryptographic algorithms are sup-
ported. The algorithms that must be present in any implementation of
IPSec follow. The null algorithms provide no protection, but are used for
consistent negotiation by the protocols. AH and ESP cannot both be null at
the same time.
■
DES in CBC (Cipher Block Chaining) mode
■
HMAC (Hash Message Authentication Code) with MD5
■
HMAC with SHA
■
Null Authentication Algorithm
■