TCP/IP and Internet Security - PowerPoint PPT Presentation


1
TCP/IP and Internet Security
  • CSEM02
  • University of Sunderland
  • Harry R. Erwin, PhD

2
Resources
  • Garfinkel and Spafford, 1996, Practical UNIX and
    Internet Security, O'Reilly, ISBN 1-56592-148-8
  • B. Schneier, 2000, Secrets and Lies, Wiley, ISBN
    0-471-25311-1.
  • Daniel J. Barrett and Richard E. Silverman, 2001,
    SSH, the Secure Shell, O'Reilly, ISBN
    0-596-00011-1
  • Eric Rescorla, 2001, SSL and TLS Designing and
    Building Secure Systems, Addison-Wesley, ISBN
    0-201-61598-3

3
TCP/IP
  • The most general packet and message-level
    protocol in use.
  • Operates over LANs, WANs and other network
    protocols.
  • We will discuss IPv4.
  • There will be some overlap with lecture 6b.

4
Internet Addresses
  • Dotted quad
  • Four 8-bit integers
  • Unique in some sense (except that a local LAN may
    have only one address visible to the outside)
  • Multiple address classes mean that not all
    addresses are usable. Classless InterDomain
    Routing (CIDR) has been introduced to address
    this.
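
As an added worked example (not from the slides), a small Python module that parses the dotted quad into the 32-bit integer carried on the wire, derives the classful category from the leading bits of the first octet, and tests membership in a CIDR prefix regardless of class:

```python
import struct

# Added example, not from the original slides: parse a dotted-quad IPv4
# address, derive its classful category, and test CIDR membership.

def dotted_quad_to_int(addr: str) -> int:
    """Convert 'a.b.c.d' into the 32-bit integer carried on the wire."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    values = [int(o) for o in octets]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet outside 8-bit range: {addr!r}")
    return struct.unpack("!I", bytes(values))[0]

def address_class(addr: str) -> str:
    """Classful category (pre-CIDR) decided by the leading bits of octet 1."""
    first = dotted_quad_to_int(addr) >> 24
    if first & 0x80 == 0:       # 0xxxxxxx: 16M hosts per network
        return "A"
    if first & 0xC0 == 0x80:    # 10xxxxxx: 64K hosts per network
        return "B"
    if first & 0xE0 == 0xC0:    # 110xxxxx: 254 hosts per network
        return "C"
    if first & 0xF0 == 0xE0:    # 1110xxxx: multicast, not host addresses
        return "D"
    return "E"                  # 1111xxxx: reserved, not usable

def in_cidr(addr: str, prefix: str) -> bool:
    """True if addr lies inside 'network/len'; CIDR ignores the old classes."""
    network, length = prefix.split("/")
    length = int(length)
    if not 0 <= length <= 32:
        raise ValueError(f"bad prefix length: {prefix!r}")
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return (dotted_quad_to_int(addr) & mask) == (dotted_quad_to_int(network) & mask)

def usable_hosts(prefix_len: int) -> int:
    """Host addresses in a prefix, less the network and broadcast addresses."""
    return max(2 ** (32 - prefix_len) - 2, 0)
```

The class D and E ranges are why "not all addresses are usable"; `in_cidr` shows that a prefix length, not the class, now decides the network boundary.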

5
Routing
  • Routing is transparent
  • Local hosts send packets to their gateway.
  • The gateway is a router and handles matters from
    that point.
  • The architecture routes around outages and
    failures.

6
Hostnames
  • The name of the computer (not its address).
  • Hostname <--> IP address mappings may be many to many!
  • Hostnames begin with an alphanumeric character
    and may contain letters, numbers, and a few
    symbols. Case is ignored.
  • Two parts: machine name and domain. The first
    period is the separator.

7
Packets and Protocols
  • ICMP: for control
  • TCP: for connection-oriented service
  • UDP: for connectionless service
  • IGMP: for multicasting control

8
ICMP
  • In-band control of internet operations.
  • Examples:
  • Echo request and echo reply
  • Destination unreachable
  • Source quench
  • Redirect
  • Etc.

9
TCP
  • Reliable, ordered, connection-oriented service.
  • Connects (16-bit) ports at (32-bit) IP addresses.
  • The SYN and ACK bits in the packet header are used to
    negotiate new connections:
  • SYN set to request the connection
  • SYN and ACK set to ack the request
  • ACK set to confirm the connection
  • Three-way handshake
  • This protocol allows unfriendly outsiders to
    detect which ports are being listened to.
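
As an added example (not from the slides), Python that decodes the fixed 20-byte TCP header, names the handshake step from the SYN/ACK/RST bits, and replays a constructed capture to show what the handshake alone reveals about which ports are listened to; the headers are built locally, so it runs offline:

```python
import struct

# Added example, not from the original slides: decode the fixed 20-byte TCP
# header, name the handshake step from the SYN/ACK/RST bits, and replay a
# constructed capture to see which server ports the handshake reveals.

SYN, RST, ACK = 0x02, 0x04, 0x10   # flag bits in the 16-bit offset/flags word

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed header: data offset 5 words, no options, checksum left zero."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)

def parse_tcp_header(data):
    """Return (src_port, dst_port, seq, ack, flags) from raw header bytes."""
    if len(data) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    src, dst, seq, ack, offset_flags = struct.unpack("!HHIIH", data[:14])
    return src, dst, seq, ack, offset_flags & 0x1FF

def handshake_step(flags):
    """Name the role a segment plays in (or against) the three-way handshake."""
    if flags & RST:
        return "RST (refused: nothing listening)"
    if flags & SYN and not flags & ACK:
        return "SYN (connection request)"
    if flags & SYN and flags & ACK:
        return "SYN-ACK (request acknowledged)"
    if flags & ACK:
        return "ACK (connection confirmed)"
    return "other"

def ports_revealed(segments):
    """Replay raw server-side replies and return (listening, closed) port sets.
    This is what an outsider learns from the handshake alone, so a defender
    can run it over a capture to audit the exposed surface."""
    listening, closed = set(), set()
    for raw in segments:
        src, _, _, _, flags = parse_tcp_header(raw)
        if flags & SYN and flags & ACK:
            listening.add(src)
        elif flags & RST:
            closed.add(src)
    return listening, closed - listening
```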

10
UDP
  • Unreliable, connectionless service
  • 10 times more throughput than TCP
  • 53: dns
  • 69: tftp
  • 111: sunrpc
  • 137: windows blithering
  • 161: snmp

11
Clients and Services
  • Clients initiate connections to servers.
    Sometimes this is logically backwards as in
    X-Windows, where the client is the sender of the
    information, and the server is the machine
    requesting the information.
  • Daemons are servers that wait for user requests.

12
Name Service
  • The conversion from a name to an address is
    handled by a domain name server (DNS).
  • UDP is used, so a workstation may need to make
    multiple requests.
  • In UNIX systems, DNS is usually handled by BIND.
  • Alternatives:
  • NIS
  • NetInfo
  • DCE

13
TCP Services
  • 21: ftp
  • 23: telnet
  • 25: smtp
  • 42: nameserver
  • 43: whois
  • 79: finger
  • 80: http
  • 109, 110: pop
  • 113: auth
  • 119: nntp

14
TCP/IP Security
  • Risks include:
  • Sniffers
  • IP spoofing
  • Connection hijacking
  • Data spoofing

15
Causes of Weak Internet Security
  • Underestimation of the hostility of the internet
    environment
  • Overriding importance of message/packet transfer
  • Evolution

16
Alternatives
  • Encrypt the link
  • Protect the link
  • Encrypt the packets
  • Encrypt the message
  • Encrypt the session
  • Peter Dunne has discussed this.

17
Limitations of Encryption
  • Does not protect against deletion
  • Trapdoors may exist in the encryption program
  • Data can be accessed when not encrypted.
  • Encryption can be broken.
  • Keys can be weak.

18
The Problem
  • IPv4 is insecure. Most TCP/IP services are
    unencrypted. This allows anyone to monitor and
    reconstruct connection traffic on the internet.
  • Requirements for the following can be identified:
  • Encrypted connections between parties known to
    each other.
  • Third-party authentication and encrypted
    connection establishment when parties are not
    known to each other.

19
Solutions
  • SSH to support encrypted sessions
  • SSL to provide trusted third-party authentication
    and to support encrypted sessions.

20
SSH
  • Secure shell
  • Transparent encryption.
  • Modern, secure encryption algorithms
  • Reliable, fast, and effective
  • Client/server interaction
  • Eliminates .rhosts and hosts.equiv

21
Services Provided
  • Replaces:
  • rsh and telnet with ssh
  • rlogin with slogin
  • rcp with scp
  • ftp with sftp
  • Protocols:
  • ssh-1
  • ssh-2

22
SSH1 Authentication Mechanisms
  1. Kerberos
  2. Rhosts (trusted host authentication, insecure)
  3. RhostsRSA (trusted host authentication, insecure)
  4. Public-key (RSA)
  5. TIS
  6. Password (various flavors, relatively insecure)

23
SSH2 Authentication Mechanisms
  1. Public-key (DSA, RSA, OpenPGP)
  2. Hostbased
  3. Password

24
Ciphers
  • SSH1:
  • 3DES, IDEA, ARCFOUR (alleged RC4), DES
  • SSH2:
  • 3DES, Blowfish, Twofish, CAST-128, IDEA, ARCFOUR

25
Port Forwarding
  • SSH can forward or tunnel ports, allowing you to
    run insecure services securely.
  • ssh -L 3002:localhost:119 news.yoyo.com

26
A Simple Example
  • ssh -l harry harry.sunderland.ac.uk
  • This allows me to log in as harry@harry.sunderland.ac.uk
  • Another way of doing the same thing is:
  • ssh harry@harry.sunderland.ac.uk

27
Using scp
  • scp harry@harry.sunderland.ac.uk:myfile afile
  • This transfers myfile from my home directory on
    harry.sunderland.ac.uk to afile locally.
  • You can also use sftp similarly to ftp.

28
Threats Countered by SSH
  • Eavesdropping
  • DNS and IP Spoofing
  • Connection Hijacking
  • Man-in-the-Middle Attacks
  • Insertion Attack

29
SSL
  • Secure Sockets Layer
  • An authentication and encryption technique that
    provides security services to TCP through a
    socket-style API.
  • Relies on certificates issued by a trusted third
    party.
  • Invented by Netscape.
  • Is being replaced by TLS (Transport Layer
    Security)

30
Services Provided
  • Secure http
  • pop
  • imap
  • smtp
  • ftp
  • rmi
  • corba
  • iiop
  • telnet
  • ldap

31
SSL Functions
  • Confidential transmission
  • Message integrity
  • Endpoint authentication

32
How It Works
  • An understanding of how SSL works is necessary to
    use it safely.
  • Uses public key cryptography.
  • Trusted third parties (Certificate Authorities)
    provide the certificates that contain the public
    keys.
  • Supports many encryption algorithms.

33
SSL-Enabled UNIX Clients
  • curl
  • ethereal
  • ettercap
  • lynx
  • stunnel
  • gabber
  • links
  • mutt
  • xchat
  • bitchx
  • lftp
  • neon
  • openldap
  • openslp
  • pine
  • various database managers