0 MODE FOR BACKWARDS COMPATIBILITY. SSL AND TLS PROVIDE SECURITY FOR...

3. - Syngress Managing Cisco Network Security 3. - Syngress Managing Cisco Network Security 3. - Syngress Managing Cisco Network Security 3. - Syngress Managing Cisco Network Security
Syngress Managing Cisco Network Security

3.0 mode for backwards compatibility. SSL and TLS provide security for a

single TCP session.

SSL and TLS provide a connection between a client and a server, over

which any amount of data can be sent securely. Server and browser must

be SSL or TLS enabled to facilitate secure Web connections. Applications

must be SSL- or TLS-enabled to allow their use of the secure connection.

Figure 1.10 shows the relative location in the protocol stack of the SSL and

TLS protocols.

Figure 1.10 The Secure Sockets Layer.

HTTP

SMTP

FTP

DNS

Application

SSL-TLS

Transport

TCP

UDP

ICMP

IP

ARP

Network

MAC

LLC

Data Link

Media

Physical

https://traloihay.net

For the browser and server to communicate securely, each needs to

have the shared session key. SSL/TLS use public key encryption to

exchange session keys during communication initialization. When a

browser is installed on a workstation, it generates a unique private/public

key pair.

Secure Shell (SSH)

Secure shell protocol is specified in a set of Internet draft documents. SSH

provides secure remote login and other secure network services over an

insecure network. SSH is being promoted free to colleges and universities

as a means for reducing cleartext passwords on networks. Middle and

high-end Cisco routers support SSH, but only SSH version 1. SSH version

2 is completely rewritten to use different security protocols and has added

public key cryptography.

The SSH protocol provides channels for establishing secure, interactive

shell sessions and tunnelling other TCP applications. There are three

major components to SSH:

Transport Layer Protocol

provides authentication, confidentiality, and

integrity for the server. It can also compress the data stream. The SSH

transport runs on top of TCP. The transport protocol negotiates key

exchange method, public key, symmetric encryption, authentication, and

hash algorithms.

User Authentication Protocol

authenticates the user-level client to the

server and runs on top of SSH transport layer. It assumes that the trans-

port layer provides integrity and confidentiality. The method of authentica-

tion is negotiated between the server and the client.

Connection Protocol

multiplexes an encrypted tunnel into several chan-

nels. It is run on top of SSH transport and authentication protocols. The

two ends negotiate the channel, window size, and type of data. The connec-

tion protocol can tunnel X11 or any arbitrary TCP port traffic.

Filtering

Packet filters can be implemented on routers and layer 3 devices to control

the packets that will be blocked or forwarded at each interface. Routing

decisions about whether to forward or drop the packet are made based on

the rules in the access list. Standard access lists cannot filter on transport

layer information. Only extended access lists can specify a protocol, and a

parameter related to that protocol. TCP filtering options include established

connections, port numbers or ranges of port numbers, and type of service

values. UDP filter options only specify port numbers, since it is not a con-

nection-oriented protocol.

Introduction to IP Network Security • Chapter 1 31

Network Layer Security

Network layer security can be applied to secure traffic for all applications

or transport protocols in the above layers. Applications do not need to be

modified since they communicate with the transport layer above.

IP Security Protocols (IPSec)

IPSec protocols can supply access control, authentication, data integrity,

and confidentiality for each IP packet between two participating network

nodes. IPSec can be used between two hosts (including clients), a gateway

and a host, or two gateways. No modification of network hardware or soft-

ware is required to route IPSec. Applications and upper level protocols can

be used unchanged.

IPSec adds two security protocols to IP, Authentication Header (AH) and

Encapsulating Security Payload (ESP). AH provides connectionless

integrity, data origin authentication, and anti-replay service for the IP

packet. AH does not encrypt the data, but any modification of the data

would be detected. ESP provides confidentiality through the encryption of

the payload. Access control is provided through the use and management

of keys to control participation in traffic flows.

IPSec was designed to be flexible, so different security needs could be

accommodated. The security services can be tailored to the particular

needs of each connection by using AH or ESP separately for their indi-

vidual functions, or combining the protocols to provide the full range of

protection offered by IPSec. Multiple cryptographic algorithms are sup-

ported. The algorithms that must be present in any implementation of

IPSec follow. The null algorithms provide no protection, but are used for

consistent negotiation by the protocols. AH and ESP cannot both be null at

the same time.

DES in CBC (Cipher Block Chaining) mode

HMAC (Hash Message Authentication Code) with MD5

HMAC with SHA

Null Authentication Algorithm

Null Encryption Algorithm

A Security Association (SA) forms an agreement between two systems

participating in an IPSec connection. An SA represents a simplex connec-

tion to provide a security service using a selected policy and keys, between

two nodes. A Security Parameter Index (SPI), an IP destination address,

and a protocol identifier are used to identify a particular SA. The SPI is an

arbitrary 32-bit value selected by the destination system that uniquely

identifies a particular Security Association among several associations that

may exist on a particular node. The protocol identifier can indicate either

AH or ESP, but not both. Separate SAs are created for each protocol, and

for each direction between systems. If two systems were using AH and ESP

in both directions, then they would form four SAs.

Each protocol supports a transport mode and a tunnel mode of opera-

tion. The transport mode is between two hosts. These hosts are the end-

points for the cryptographic functions being used. Tunnel mode is an IP

tunnel, and is used whenever either end of the SA is a security gateway. A

security gateway is an intermediate system, such as a router or firewall,

that implements IPSec protocols. A Security Association between a host

and a security gateway must use tunnel mode. If the connection traffic is

destined for the gateway itself, such as management traffic, then the

gateway is treated as a host, because it is the endpoint of the communica-

tion.

In transport mode, the AH or ESP header are inserted after the IP

header, but before any upper layer protocol headers. As shown in Figure