网络安全威胁与防御策略

TCP/IP Protocols  Contains Five Layers  Top three layers contains many protocols  Actual transmission at the physical layer

TCP/IP Layers Fig 9.1 Application Presentation Session Applications SMTPFTPDNSTELNETHTTP Transport TCPUDP Network ICMP ARPRARP Data Link Physical Protocols specific to the underlying physical media used for data communication at the hardware level IP

Message Transfer using TCP/IP Fig 9.2 Original Message TCP header IP header Original MessageTCP headerIP headerFrame header Original Message TCP header IP header Original MessageTCP headerIP headerFrame header Source Destination

TCP  Reliable transport layer communication  Establishes a logical connection between the communicating hosts  Socket-to-socket communication (Socket = Port + IP address)

TCP Segment Format Fig 9.3 Source Port number Destination Port number Sequence Number Acknowledgement Number Data 2 bytes 4 bytes 20-to-60 bytes header consisting of the following fields Header Length 4 bits Reserved 6 bits Flag 6 bits Window size 2 bytes ChecksumUrgent pointer 2 bytes Options 0 to 40 bytes

IP  Best effort delivery  Does not guarantee success  Leaves error checking to higher layers (e.g. to TCP)

IP Datagram Format Fig 9.4 Version HLEN Service Type Total Length (4 bits) (4 bits) (8 bits) (16 bits) Identification Flags Fragmentation Offset (16 bits) (3 bits) (13 bits) Time to live Protocol Header Checksum (8 bits) (8 bits) (16 bits) Source IP address (32 bits) Destination IP address (32 bits) Data Options

Network Aspects 网络问题  Internal network (e.g. LAN) 内部网络  External Network (e.g. Internet) 外部网络  Threats from the External Network to the Internal Network 来自公司网络内外的威胁

Network Threats 网络威胁 Fig 9.5 N e t w o r k B a c k b o n e Router To Internet Outside dangers can come in from here Inside information can leak out from here Corporate network

Firewall 防火墙  Special type of router 一类特殊的路由器  provides perimeter defence 提供边界防御  imposes restrictions on network services 限制网络服务  only authorized traffic is allowed 只有授权的通信流允许通过  is itself immune to penetration 自身免疫

Firewall Concept 防火墙概念 N e t w o r k B a c k b o n e To Internet Corporate network Firewall

Firewall Types 防火墙类型 Firewalls Packet FiltersApplication Gateways 分组过 滤器 应用 网关

Packet Filter(Screening filter ） 分组过滤器 ( 扫描过滤器 ) Internet Internal (Private) Network Packet filter Protected zone

Packet Filters 分组过滤器 foundation of any firewall system 任何防火墙系统的基础 examine each IP packet (no context) and permit or deny according to rules 检查每个 IP 分组根据规则决定允许或拒绝通过 hence restrict access to services (ports) 对服务（端口）限制访问 possible default policies （可能的默认策略） –that not expressly permitted is prohibited –that not expressly prohibited is permitted

Packet Filters 分组过滤器

Packet Filter Operation 分组过滤器操作 Outgoing packets Incoming packets Receive each packet. Apply rules. If no rules, apply default rules.

Attacks to security of packer filter 对分组过滤器的攻击 IP address spoofing IP 地址伪装 Source routing attacks 源路由攻击 Tiny fragment attacks 分片攻击

Packet Filter Defeating IP Spoofing Attack 分组过滤器对付 IP 伪装攻击 Incoming packet  Internal network and the IP addresses of the hosts Packet filter Source address: STOP!

Application Gateway 应用网关 HTTP SMTP FTP TELNET Outside connection Inside connection Application gateway

Application Level Gateway (or Proxy) 应用网关（代理服务器） has full access to protocol （全访问协议） –user requests service from proxy 用户从代理请求服务 –proxy validates request as legal 代理验证请求合法性 –then actions request and returns result to user 返回结果 need separate proxies for each service 每个服务需要分别代理 –some services naturally support proxying –others are more problematic –custom services generally not supported

Circuit Gateway 电路网关 HTTP SMTP FTP TELNET Application gateway IP address = IP address = Source address = Source address = IP packet Inside host Outside host

Application Gateway – Illusion 应用网关示意图 HTTP SMTP FTP TELNET External host Internal host Application gateway User’s illusion Real connection

Firewall Configurations 防火墙配置 Firewall Configurations Screened host firewall, Single-homed bastion Screened host firewall, Dual-homed bastion Screened subnet firewall 单宿堡垒扫 描主机防火 墙 双宿堡垒扫 描主机防火 墙 扫描子网 防火墙

Screened Host Firewall, Single-homed Bastion 单宿堡垒扫描主机防火墙  Packet filter HTTP SMTP FTP TELNET Internet Application gateway Internal network

Screened Host Firewall, Single-homed Bastion 单宿堡垒扫描主机防火墙

Screened Host Firewall, Dual-homed Bastion 双宿堡垒扫描主机防火墙  Packet filter HTTP SMTP FTP TELNET Internet Application gateway Internal network

Screened Host Firewall, Dual-homed Bastion 双宿堡垒扫描主机防火墙

Screened Subnet Firewall 扫描子网防火墙  Packet filter HTTP SMTP FTP TELNET Internet Application gateway Internal network Packet filter

Demilitarized Zone (DMZ) Fig 9.19  Internet Internal private network Demilitarized Zone (DMZ) Firewall

Security at multiple Layers 多层安全机制 Application Layer Transport Layer Internet Layer Data Link Layer Physical Layer First level of security Second level of security

IPSec IP 安全性  Not concerned with application layer security 不需要考虑应用层安全  would like security implemented by the network for all applications 通过 IP 级安全实现对所有应用的安全保证  More effective in IPv6 在 IPv6 中提供更多的安全

IPSec IP 安全性  general IP Security mechanisms  Provides （ IP 级安全机制提供）  Authentication （认证 / 鉴别）  Confidentiality （保密）  key management （密钥管理）  applicable to use over LANs, across public & private WANs, & for the Internet 应用可以通过 LANs ，公共和专用 WANs ，或 Internet 接受 IPSec 提供的安全保护

IP Security Architecture IP 安全体系结构  specification is quite complex 规范相当复杂  defined in numerous RFC ’ s 在众多 RFC’s 中有定义  mandatory in IPv6, optional in IPv4 在 IPV6 中强制支持，在 IPV4 中选择支持

IPSec Processing Result IPSec 处理的结果 Fig 9.22 Actual data (Encrypted) Transport header (Encrypted) Internet header (Not encrypted)

IPSec in TCP/IP TCP/IP 协议堆栈中的 IPSec Original message Transmission medium Application Transport IPSec Internet Data link Original message Application Transport IPSec Internet Data link Sender Receiver

IPSec Uses IPSec 的应用

IPSec Protocols IPSec 协议 IPSec Authentication Header (AH)Encapsulating Security Payload (ESP)

AH and ESP Operation Modes AH 和 ESP 的操作模式 AH and ESP modes of operation Tunnel modeTransport mode 隧道模式传输模式

Tunnel Mode 隧道模式 X  P1 Proxy P2 Proxy  Y Network 1 Network 2 Tunnel

Tunnel Mode Implementation 隧道模式的实现 A BP1 P2 … Internal IP header and data (encrypted) External IP header (not encrypted)

IPSec steps Fig 9.28 Step 1 Algorithm and Key negotiations using IKE Step 2 Actual AH and ESP operations

Authentication Header (AH) 认证头（ AH ） provides support for data integrity & authentication of IP packets （支持数据完整性和 IP 包的认证） –end system/router can authenticate user/app –prevents address spoofing attacks by tracking sequence numbers based on use of a MAC （基于消息认证码） –HMAC-MD5-96 or HMAC-SHA-1-96 parties must share a secret key （双方必须共享同一 个密钥匙）

AH Format AH 格式 Bit Next header Payload length Reserved Security Parameter Index (SPI) Sequence number Authentication data (Variable size)

Receiver ’ s Sliding Window Fig 9.33 Receiver’s sliding window (W = 8) N – W Marked if a valid packet is received Unmarked if a valid packet is not yet received N

AH Transport Mode AH 的传输模式 IP header TCP header Original data (a) Before applying AH IP header TCP header Original data (b) After applying AH AH

AH Tunnel Mode AH 的隧道模式 IP header TCP header Original data (a) Before applying AH Original IP header TCP header Original data (b) After applying AH AH New IP header

Encapsulating Security Payload 封装安全载荷 provides message content confidentiality & limited traffic flow confidentiality 提供内容和流量限制保密 can optionally provide the same authentication services as AH 可以提供和 AH 相同的认证服务 supports range of ciphers, modes, padding –incl. DES, Triple-DES, RC5, IDEA etc –CBC most common –pad to meet blocksize, for traffic flow

ESP Format ESP 格式 Bit Security Parameter Index (SPI) Sequence Number Padding (0-255 bytes) Payload data (Variable size) Padding lengthNext header Authentication data (Variable size)

ESP Transport Mode ESP 传输模式 IP header TCP header Original data (a) Before applying ESP TCP header Original data (b) After applying ESP ESP header Original IP header ESP trailer ESP auth Encrypted Authenticated

ESP Tunnel Mode ESP 隧道模式 IP header TCP header Original data (a) Before applying ESP TCP header Original data (b) After applying ESP ESP header Original IP header ESP trailer ESP auth Encrypted Authenticated New IP header

ISAKMP Header Format Fig 9.41 Bit Initiator cookie Responder cookie Next payload Major version Minor version Exchange type Flags Message ID Length

Virtual Private Network (VPN) 虚拟专用网  Uses the Internet as if it is a private network 将 Internet 当成专用网络  Far less expensive than a leased line 比租用线路省钱  Uses IPSec protocol 使用 IP 安全协议

VPN Between Two Networks 两个网络间的 VPN X  Network 1 Y  Network 2 Firewall 1 Firewall 2 VPN tunnel Internet

Original Packet 原始分组

Firewall I changes the packet contents Firewall I 改变分组内容

Firewall II retrieves the original packet contents Firewall II 取回原分组内容