Lesson 11: Securing TCP/IP
Network+ Objectives:
+ classify apps, devices, and protocols related to the OSI layers for encryption devices
+ common networking protocols: HTTPS, NTP, SNMP 2/3, SSH
+ given a scenario, use the appropriate network monitoring resource to analyze traffic: SNMP, SNMPv2, SNMPv3
+ explain methods of network access security: IPsec, ISAKMP, TLS, TLS2.0, PPP, SSH
+ explain methods of user authentication: PKI, Kerberos, AAA, network access control, CHAP, MS-CHAP, EAP
Making TCP/IP Secure
The four areas of security are:
1. encryption
2. nonrepudiation
3. authentication
4. authorization
encryption = scrambled up data
nonrepudiation = guarantees the purity, or “sameness”, of data (i.e., is the data the same after it was sent as it was before?)
authentication = verifies the identity of the user who wants to use the data
authorization = what a user can do with the data once the user has been authenticated (permission levels)
I. Encryption
- “plaintext” or cleartext file — easily viewed in its standard format; can also be a binary file like a photograph or a .exe file
- cipher = a series of complex, hard-to-reverse algorithms
- complete algorithm = could mean both the cipher and the implementation of that cipher
- binary XOR (exclusive OR) cipher — has a key like “10101010” and converts a cleartext string of binary into new encrypted data
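The XOR cipher from the notes, worked through in code. This is an added example, not part of the original notes; the key string “10101010” is the one the notes mention, and the message is constructed for the demo. It shows the round trip (the same operation encrypts and decrypts) and the caveat a practitioner should know: with a fixed, reused key, one known plaintext byte reveals the key, so a plain XOR cipher is obfuscation rather than encryption.

```python
# Added example (not from the original notes): a binary XOR cipher with a
# repeating key such as "10101010", and why a short reused key is no
# protection. The key string and message below are constructed for the demo.

KEY_BITS = "10101010"  # the example key from the notes (0xAA)


def bits_to_bytes(bits: str) -> bytes:
    """Turn a key written as a bit string ("10101010") into bytes."""
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("key must be a non-empty string of 0/1 with a multiple of 8 bits")
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def xor_cipher(data: bytes, key_bits: str) -> bytes:
    """XOR each byte of `data` with the key, repeating the key as needed.

    XOR is its own inverse (x ^ k ^ k == x), so the same call encrypts and
    decrypts. This is the "stream" idea from the notes: one key byte is
    combined with one data byte at a time.
    """
    key = bits_to_bytes(key_bits)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_bits(plaintext: bytes, ciphertext: bytes, key_len: int) -> str:
    """The caveat: because p ^ c == k, whoever knows a few bytes of plaintext
    (a file header, a protocol banner) gets a reused key back directly.
    Real stream ciphers avoid this by deriving a never-repeating keystream
    from the key instead of repeating the key itself."""
    if key_len > min(len(plaintext), len(ciphertext)):
        raise ValueError("not enough known plaintext to recover that many key bytes")
    pairs = zip(plaintext[:key_len], ciphertext[:key_len])
    return "".join(format(p ^ c, "08b") for p, c in pairs)


if __name__ == "__main__":
    message = b"HELLO"  # constructed sample plaintext
    ct = xor_cipher(message, KEY_BITS)
    print(ct.hex())                          # e2efe6e6e5
    print(xor_cipher(ct, KEY_BITS))          # b'HELLO'
    print(recover_key_bits(message, ct, 1))  # 10101010
```

Running it shows that “hard to reverse” does not hold for this cipher: the third line prints the key back from one plaintext/ciphertext pair.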
1. Symmetric-Key Algorithm Standards
- uses the same key for both encryption and decryption
- block ciphers — encrypt data in “chunks” (blocks), usually 128-bit chunks, one block at a time
- Data Encryption Standard (DES) was symmetric, invented in the 70s by the US government
- DES used 64-bit blocks, and 56-bit keys
- the newer, stronger DES descendants: 3DES, IDEA (International Data Encryption Algorithm), and Blowfish
- stream ciphers = encrypt a single bit at a time, on-the-fly encryption, common in wireless data and cellphones
- Rivest Cipher 4 (RC4) is an example of a stream cipher
- back in the day, Ron Rivest wrote RC4, which was used in most TCP/IP apps
- we don’t use RC4 for TCP/IP anymore; most TCP/IP apps moved to the Advanced Encryption Standard (AES)
- AES is a block cipher created in the 1990s
- 128-bit block size
- 128-, 192-, or 256-bit key size
- secure, fast
- AES is used in everything from file encryption to wireless networking
2. Asymmetric-Key Algorithm Standards
- symmetric-key algorithms = weak, because the one key can both encrypt and decrypt
- we have to send the key to the other person one way or another (possible for hackers to intercept)
- public-key cryptography — by Diffie, Hellman, and Merkle
- also called the Diffie-Hellman method
- Rivest improved their algorithm to create:
- Rivest Shamir Adleman (RSA), to enable secure digital signatures
- we generate two keys: a public and a private key
- the public key is sent to the recipient
- the algorithm works by encrypting data with the public key and decrypting the data with the private key
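The Diffie-Hellman exchange the notes refer to, worked as an added example (not from the original notes). It answers the problem raised above: both sides end up with the same secret, yet only the public values ever cross the wire, so there is no key to intercept. The prime 23, generator 5 and the private values 6 and 15 are constructed textbook numbers chosen so the arithmetic is visible; a real deployment uses a standardized group of at least 2048 bits.

```python
# Added example (not from the original notes): Diffie-Hellman key agreement
# with a toy group. TOY_P and TOY_G are constructed for the demo and far too
# small for real use; they keep every number small enough to check by hand.
import hashlib
from typing import Tuple

TOY_P = 23  # toy prime modulus (constructed)
TOY_G = 5   # toy generator (constructed)


def dh_public_value(g: int, p: int, private: int) -> int:
    """What each side sends over the wire: g^private mod p."""
    return pow(g, private, p)


def is_valid_peer_value(peer_public: int, p: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending one of those forces the shared
    secret into a tiny set, so a careful implementation refuses them."""
    return 1 < peer_public < p - 1


def dh_shared_secret(peer_public: int, private: int, p: int) -> int:
    """Combine the peer's public value with our own private value."""
    if not is_valid_peer_value(peer_public, p):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def dh_exchange(p: int, g: int, a: int, b: int) -> Tuple[int, int, int, int]:
    """Run both sides with private values a (Alice) and b (Bob).

    Returns (A, B, s_alice, s_bob). Only p, g, A and B cross the wire; the
    private values never leave their owner, which is exactly what the
    symmetric-key scheme in the notes could not offer.
    """
    A = dh_public_value(g, p, a)
    B = dh_public_value(g, p, b)
    return A, B, dh_shared_secret(B, a, p), dh_shared_secret(A, b, p)


def derive_key(shared_secret: int, p: int) -> bytes:
    """Never use the raw shared secret as a key: hash it into a fixed-size
    key, which is the job a KDF does in real protocols."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


if __name__ == "__main__":
    A, B, s_alice, s_bob = dh_exchange(TOY_P, TOY_G, 6, 15)
    print(f"on the wire: p={TOY_P} g={TOY_G} A={A} B={B}")  # A=8 B=19
    print(f"shared secret: alice={s_alice} bob={s_bob}")      # 2 2
    print(derive_key(s_alice, TOY_P).hex())
```

Everything an eavesdropper sees is printed on the first line; recovering the secret from it means solving the discrete logarithm, trivial at 23 and infeasible at realistic sizes. The range check matters in practice: without it a malicious peer can pin the shared secret to a known value.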
3. Encryption & the OSI Model
Layer 1: none
Layer 2: a common place for encryption using proprietary encryption devices that encrypt the Ethernet frame; also the place for on-the-fly stream ciphers
Layer 3: only one common protocol here — the IPsec protocol
IPsec is done via software that takes the IP packet and encrypts everything inside the packet (the payload), leaving the IP address and a few other fields unencrypted
Layer 4: none; neither TCP nor IP offers encryption here
Layers 5–6: not common
Layer 7: many apps use their own encryption at this level, for example SSL/TLS
Overall, pay attention to L2 (data link), L3 (internet/network), and L7 (application) for encryption.
II. Nonrepudiation
- the receiver of the data has a high degree of confidence that the sender truly is who she says she is
A. Hashes
- hashes — a mathematical function that you run on a string of binary digits of any length and that results in a value of some fixed length, called a “checksum” or “digest”
- hashes are one-way functions, irreversible
- two different input streams never produce the same checksum (each input gets its own unique checksum)
- ex: Message Digest Algorithm 5 (MD5)
- Secure Hash Algorithm (SHA)
- SHA-1, SHA-2
- Challenge-Response Authentication Mechanism Message Digest-5 (CRAM-MD5)
- used for SMTP servers as a tool for server authentication
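The hash properties listed above and the CRAM-MD5 exchange, as an added example (not from the original notes). The first function shows the fixed-length digest regardless of input size; the rest walk through the challenge/response that CRAM-MD5 (RFC 2195) runs over SMTP: the server sends a fresh base64 challenge, the client answers with its username and an HMAC-MD5 of the decoded challenge keyed with the password, and the server recomputes and compares. The username, password and challenge format are constructed for the demo.

```python
# Added example (not from the original notes): hash digests and the
# CRAM-MD5 challenge/response exchange. The user, password and the
# "<random@mail.example>" challenge format below are constructed.
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional


def digests(data: bytes) -> Dict[str, str]:
    """Fixed-length hex digest for each algorithm, whatever the input length.
    MD5 and SHA-1 are kept here because the notes list them; both are
    retired for collision resistance, so new designs use SHA-2."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def cram_md5_challenge() -> bytes:
    """Server step: a fresh, unpredictable challenge sent base64-encoded.
    Freshness is what makes a captured response useless for replay."""
    nonce = f"<{secrets.token_hex(8)}@mail.example>".encode()  # constructed format
    return base64.b64encode(nonce)


def cram_md5_mac(password: str, challenge_b64: bytes) -> str:
    """HMAC-MD5 keyed with the password over the *decoded* challenge."""
    challenge = base64.b64decode(challenge_b64, validate=True)
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client step: base64("<user> <hex mac>"). The password never crosses the wire."""
    return base64.b64encode(f"{username} {cram_md5_mac(password, challenge_b64)}".encode())


def cram_md5_verify(response_b64: bytes, challenge_b64: bytes,
                    lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Server step: recompute from the stored secret and compare in constant
    time. Malformed responses are rejected instead of raising. Design cost:
    the server has to keep the password itself, not just a hash of it."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, claimed = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    password = lookup_password(username)
    if password is None:
        return False
    expected = cram_md5_mac(password, challenge_b64)
    return hmac.compare_digest(expected.encode(), claimed.encode())


if __name__ == "__main__":
    print(digests(b"")["sha256"])
    users = {"alice": "correct horse"}  # constructed server-side store
    challenge = cram_md5_challenge()                  # S: + <base64 challenge>
    response = cram_md5_response("alice", "correct horse", challenge)  # C: <base64 response>
    print(cram_md5_verify(response, challenge, users.get))                 # True
    print(cram_md5_verify(response, cram_md5_challenge(), users.get))      # False: replay
```

Two checks are worth noticing: a response replayed against a new challenge fails, and garbage that is not base64 is rejected rather than crashing the server. RFC 2195 carries a worked example exchange these functions can be checked against.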
B. Digital Signatures
- digital signatures — another binary string that can be generated by the sender
- the sender does something to the message and the private key
- the person with the matching public key does something to the digital signature using the public key, to verify that the digital signature comes from the actual sender
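Both asymmetric operations from the notes in one added example (not from the original notes): encrypting with the public key and decrypting with the private key (section 2 above), and “doing something to the message and the private key” to sign, then checking it with the public key. The primes 61 and 53 and the exponent 17 are constructed textbook values so every number fits on a page; real RSA uses 2048-bit or larger keys and padding (OAEP for encryption, PSS for signatures), and the raw form here is for understanding only.

```python
# Added example (not from the original notes): textbook RSA with tiny
# constructed primes. Real keys are 2048 bits or more and always padded;
# the unpadded form here only illustrates the two operations in the notes.
import hashlib
from typing import Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Derive (public, private) from two primes; d is the inverse of e mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # ValueError if e and phi are not coprime (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(message: int, public: Key) -> int:
    """Anyone holding the public key can do this step."""
    e, n = public
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def rsa_decrypt(ciphertext: int, private: Key) -> int:
    """Only the private-key holder can undo it."""
    d, n = private
    return pow(ciphertext, d, n)


def message_digest(message: bytes, n: int) -> int:
    """Signatures cover a hash of the message, not the message itself. The
    reduction mod n is only so the toy modulus can hold a SHA-256 value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(message: bytes, private: Key) -> int:
    """'Do something to the message and the private key': raise the digest to d."""
    d, n = private
    return pow(message_digest(message, n), d, n)


def rsa_verify(message: bytes, signature: int, public: Key) -> bool:
    """The receiver undoes the private operation with the public key and
    compares against its own digest of what it received; any change to the
    message or the signature makes the comparison fail."""
    e, n = public
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    public, private = rsa_keypair(61, 53, e=17)  # constructed textbook primes
    print(public, private)                         # (17, 3233) (2753, 3233)
    c = rsa_encrypt(65, public)
    print(c, rsa_decrypt(c, private))              # 2790 65
    sig = rsa_sign(b"pay $10 to Bob", private)     # constructed message
    print(rsa_verify(b"pay $10 to Bob", sig, public))    # True
    print(rsa_verify(b"pay $1000 to Bob", sig, public))  # False
```

The last two lines are the nonrepudiation property in miniature: the signature checks out only for the exact message the private-key holder signed.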
1. Public Key Infrastructure (PKI)
- certificates — a standardized type of digital signature that includes the digital signature of a third party
- ex: eBay’s sites have their certificate registered to a third-party company like VeriSign
- the PKI has a root such as VeriSign, and other intermediate certificate authorities under the root
- PGP — pretty good privacy encryption program, uses the trust model
III. Authentication
passwords and usernames are common; they will be discussed under the security standards section below
IV. Authorization
- different levels of access to each resource
- Network Access Control (NAC) — combines traditional functions and protections
- prevents computers lacking anti-malware and patches from accessing the network
- creates policies that define what individual systems can do on the network
A. Access Control List (ACL)
An ACL is a list of permissions stating what an authenticated user may perform on a shared resource.
There are three ACL models:
- Mandatory Access Control
+ MAC security model
+ every resource is assigned a label
+ the oldest and least common model
+ ex: defines what privileges programs have over other programs stored in RAM
- Discretionary Access Control
+ DAC security model
+ the user who created the resource assigns the level of control
- Role-based Access Control
+ RBAC security model
+ most popular model in file sharing
+ based on the roles a user plays in the network
+ leads to the creation of groups in a network
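The three ACL models as small decision checks, added here as an example (not from the original notes). The point each one makes is who decides: under MAC the system compares labels and nobody can override it, under DAC the resource’s creator hands out rights, and under RBAC rights sit on roles (the “groups” the notes mention) and users inherit them. Users, roles, labels and resources are constructed for the demo.

```python
# Added example (not from the original notes): the three access-control
# models described above, each reduced to its decision rule. All names and
# labels below are constructed for the demo.
from enum import IntEnum
from typing import Dict, Set


class Label(IntEnum):
    """MAC labels; a higher value dominates a lower one."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2


def mac_allows_read(subject_clearance: Label, resource_label: Label) -> bool:
    """Mandatory: the system compares the labels; neither the owner nor the
    user can override the outcome. Read is allowed only when the subject's
    clearance dominates the resource label (no 'read up')."""
    return subject_clearance >= resource_label


class DacResource:
    """Discretionary: whoever created the resource owns it and alone grants rights."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, granter: str, user: str, permission: str) -> bool:
        """Only the owner may add an entry; anyone else is refused."""
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(permission)
        return True

    def allows(self, user: str, permission: str) -> bool:
        return permission in self.acl.get(user, set())


class Rbac:
    """Role-based: permissions attach to roles, users are assigned to roles."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role: str, perms: Set[str]) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user: str, permission: str) -> bool:
        """A user may do what any of their roles may do; users with no role get nothing."""
        return any(permission in self.role_perms[r] for r in self.user_roles.get(user, set()))


if __name__ == "__main__":
    print(mac_allows_read(Label.CONFIDENTIAL, Label.SECRET))  # False: no read up
    share = DacResource("alice")
    print(share.grant("bob", "carol", "read"))   # False: bob is not the owner
    print(share.grant("alice", "bob", "read"))   # True
    rbac = Rbac()
    rbac.define_role("auditor", {"read"})
    rbac.assign("dave", "auditor")
    print(rbac.allows("dave", "read"), rbac.allows("dave", "write"))  # True False
```

In RBAC, changing what auditors may do is one edit to the role rather than one per user, which is why the notes say it leads to groups; in DAC that same change would be repeated by every resource owner.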
TCP/IP Security Standards
I. Authentication Standards
- the oldest in use; they predate the Internet
- ex: dial-up, using telephone lines
Point-to-Point Protocol (PPP)
- enables point-to-point devices to connect and authenticate with a username and password
- negotiates the network protocol the two devices will use
- PPP and dial-up DO NOT MEAN Ethernet, but they can support TCP/IP
Five Distinct Phases of a PPP Connection
- link dead — modem off
- link establishment — the Link Control Protocol (LCP) talks with the other side’s LCP to determine whether the link is good
- authentication — usually username and password
- network layer protocol — PPP works with the layer 3 network protocol
- PPP still supports NetWare IPX/SPX and Microsoft NetBEUI
- LCP uses the Network Control Protocol here
- shutdown means LCP initiates a …
- termination = the two ends of PPP send each other a termination packet and close