Professional Documents
Culture Documents
Secure Networking
Secure Networking
Secure Networking
Communicationbetween
UserandServer:
Intheformofpackets.
TraverseseveralRouters.
Canbeinterceptedbya
BadBoy.
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,2
WhataBadBoycanseeinthispacket...
It'
sacleartextrequestforawebpage
www.porn.comservername
/porn/index.htmldocumentname
Authorizationencodedusernameandpassword
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,3
TheAuthorizationstringcontainsanencodedusername
andpassword.
TypeBasicmeansBase64encoding.
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,4
MajorityoftheInternettrafficisincleartext(nonencrypted).
Vulnerableprotocols
Telnet,POP3,IMAP,HTTP,SMTPandalmosteveryother...
Possiblerisks
Passiveeavesdropping
Gatheringpasswordsandothersensitiveinformation.
Activemaninthemiddle
Replayattackresendingapieceofinformtionmanytimes.
Packetmodificationschangingtheinformationonthewaybetween
userandserver.
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,5
...andbringsprivacyandconfidentiality
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,6
Ontheapplicationlevel
Applicationtoapplicationsecurity
SSH,Kerberos,PGP,...
GenericSSL/TLSprotocolusedwithmanyservices:
HTTPs,IMAPs,POP3s,...
Onthenetworklevel
HosttohostorevenNetworktonetworksecurity
Noneedtomodifytheapplications
IPsec,CIPE,proprietaryVPNsolutions
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,7
CIPE IPsec
LinuxandWindowsonly. Widelysupportedstandard.
Presharedkeysonly. Presharedkeys,RSAkeys,
X.509cetrificates,Kerberos
tickets.
UsesUDPpackets. UsesESPand/orAH
protocol.Couldbe
encapsulatedinUDP.
Doesn' tworkwithLinux Twoimplementationsfor
kernel2.6. kernel2.6available.
Onlytwociphersavailable. Currently8ciphersand6
digeststochoosefrom.
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,8
Kernel
Keepsthesymmetricencryptionkeysandsecuritypolicies
Encryptsoutgoingpackets
Decryptsandverifiesincomingpackets
UsesESPand/orAHprotocol(IPprotocols).
Userspacedaemon
Negotiatesthekeyswiththeotherparty
Pushesthekeysandsecuritypoliciesintothekernel
UsesIKEprotocol(UDPprotocol).
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,9
Kernel Userspace
Twoimplementations Threechoices
FreeS/WAN (Super)FreeS/WAN
Availablesince2.0.xkernel Mostwidelyused
RequiresFreeS/WAN Manyextensions
userspace. ShippedinSUSELinux
Moremature IPsectools
NativeIPsecstack PortedfromNetBSD
Availablesince2.6.0 Onlyfornative2.6IPsec
RFCbasedAPI ISAKMPd
Stillhassomeproblems PortedfromOpenBSD
UsedinSUSELinux' kernel Onlyfornative2.6IPsec
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,10
Onlytwotypesofthetrafficonthewire:
IKEKeyexchangeandconnectioncontrol
ESPEncryptedtraffic
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,11
IPprotocol#50
Providesencryption
Preventseavesdropping
tunderstandit.
BadBoyscanstillseethetraffic,butcan'
Providesauthentication
Preventsmaninthemiddleattacks
Ensuresthatthepacketwasn'
tmodifiedsinceitwassent.
Preventsreplayattackeverypacketisacceptedonlyonce.
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,12
IPprotocol#49
Providesonlyauthentication,noencryption
NotreallyusefullwithIPv4
ESPprovidessimilarfunctionality
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,13
UDPprotocol,port500
Implementedinuserspace.
Canusedifferentmethodsforpeer'
sauthentication:
Presharedkeys
X.509certificates
RSAkeys
Kerberostickets
ResultisakeyusedforESP/AHprotocols.
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,14
NATTraversal(NATT)
EncapsulatesIPsectrafficintoUDPpacketsforpassingthrough
NATgatewaysandfirewalls.
NativeIPsec
WithNATT
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,15
Encapsulatesonlythetransporteddata,nottheIPheaders.
Usedforhosttohostconnections.
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,16
Thewholeoriginalpacketisencapsulated.
Usedfornetworktonetworkconnections.
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,17
Firewallingtheencryptedtraffic
OnlyESPprotocolandUDPport500required:
# iptables -A INPUT -p udp dport 500 -j ACCEPT
# iptables -A INPUT -p esp -j ACCEPT
Firewallingthetunelledtraffic
Doneondeviceipsec0(onlywithFreeS/WAN)
Example:blockingoutgoingICMPoverIPsectunnel
# iptables -A FORWARD -p icmp -o ipsec0 -j DROP
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,18
Advancedtopicsforinterestedaudience
SPDBSecurityPolicyDatabase
ContainsIPsecpoliciesfordifferentFrom<>Totraffic.
SADBSecurityAssociationDatabase
HoldscryptographickeysforusewithESP/AH.
PF_KEYv2
KernelinterfaceformanagingSADBandSPDBentries.
ReadmoreinappropriateRFCs:)
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,19
MichalLudvig,SUSELabs,01/30/2004,Securenetworking,20