U of I CS 498 - Security Tunneling
Security Tunneling
Cyber Security
Spring 2008

Reading Material
• IPSec overview
  – Chapter 6 – Network Security Essentials, William Stallings
• SSH – RFCs 4251, 4252, 4253
• SSL/TLS overview
  – Slide material from Bishop
  – Chapter 7.2 – Network Security Essentials, William Stallings
• VLAN Security Paper
  – http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm

What is a tunnel?
• A tunnel identifies packets in a data stream
  – Identify by encapsulation (new header, possibly a new trailer)
  – Identify by labeling
• Entry into a tunnel gives the data stream different characteristics
  – E.g., privacy, authentication, different routing characteristics
  – Security is not always the goal of the tunnel
• Also called virtual private networks (VPNs) in many situations

Tunnel Protocols for all Levels
• Layer 2
  – 802.1Q VLANs – labels Ethernet frames for traffic separation
  – Proprietary link encryption
• Layer 3
  – IPSec
  – IPv6 in IPv4 – carry IPv6 traffic over IPv4 networks
  – Generic Routing Encapsulation (GRE)
  – Multiprotocol Label Switching (MPLS) – uses labels to implement circuit switching at layer 3
• Layer 4
  – SSL/TLS
  – SSH port forwarding
• Layer 7
  – S/MIME
  – DNSSec

802.1Q VLAN
• Supported by many switches
• Augments the Ethernet frame with a tag

VLAN Trunking
• Enables multiple VLANs to be carried over a single physical link between switches

VLAN used in Siebel
• Using VLANs in the lab configuration to create virtual wires between firewalls, hosts, and the outside world
• CS Department uses VLAN trunking to virtually connect machines
• VLAN trunking will provide lab access to virtual devices running on a VMWare server in a far distant machine room

VLAN Security Issues
• Classic case of security being an afterthought
  – Designed for traffic separation, not security!
• VLAN security requires physical security
• Cisco white paper on VLAN security
  – http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

VLAN 1
• By default, ports are configured to be in VLAN 1
  – Means VLAN 1 tends to appear on multiple switches
  – Bad activity on VLAN 1 will affect the entire network
• Understand where VLAN 1 is used and prune back unnecessary uses

Differentiate Trusted and Untrusted Ports
• Reduce protocols on untrusted ports
  – Limit points of attack
• For example, VLAN Trunking Protocol (VTP) or Dynamic Trunking Protocol (DTP)
  – Cisco proprietary protocols that allow automatic propagation of VLAN configuration across the network
  – If VTP could be co-opted, a bad guy can reconfigure the network

Native VLANs
• Created for backwards compatibility
  – One of the VLANs associated with a port can be native
  – All untagged packets go with the native VLAN
  – All tagged packets in the native VLAN get stripped

Private VLANs
• Bundle singleton VLANs (secondaries) with a promiscuous VLAN (primary)
• Restrict who can initiate communication within a segment

Private VLAN Attack
• Private VLAN
  – An escape to let routed traffic pass between L2 constraints
  – L2 proxy

Other Layer 2 Attacks
• MAC flooding
• ARP spoofing
• 802.1Q tagging attack
  – Attacker creates DTP packets to trick a port into going into trunk mode
• Spanning Tree Protocol (STP) attacks
  – Broadcast protocol to agree on a tree of bridges to avoid broadcast loops
  – Attacker attempts to insert packets claiming he is the new root bridge

IPSec Operational Architecture
• IPSec Security Architecture, RFC 2401
• Designed by the Security Working Group of the IETF
  – http://ietf.org/html.charters/ipsec-charter.html
• Motivated from the IPv6 design
  – Add an arbitrary number of extension headers to store information about the security protocols
  – First IPv4 implementations around '97

Security Association (SA)
• Records on the endpoints that store operational information
  – E.g., encryption protocol, keying information, traffic stream filters
• One SA per endpoint to represent a simplex connection
  – Two pairs of SAs to represent duplex connectivity
• The SA memory footprint can be a limiting factor in the number of tunnels
  – Smaller routers cannot support very many simultaneous SAs
• Must know the ID of your peer's SA to communicate
  – Addressed by the Security Parameters Index (SPI)
  – SPI is carried in the security protocol headers
  – SPI + peer address + security protocol will uniquely identify an SA

SA Attributes
• Sequence number counter and overflow flag
• Anti-replay window
• AH info or ESP info
• SA lifetime
• IPSec protocol mode (transport or tunnel)
• Path MTU

Security Policy Database
• Implementation-specific approach to filter traffic to SAs
  – E.g., ACLs in Cisco devices

IPSec Protocols
• The IPSec framework describes how a number of different IPSec security protocols can be applied to a tunnel
• Two protocols implemented
  – Encapsulating Security Payload (ESP) – provides privacy (encryption) and message authentication (detection of change)
  – Authentication Header (AH) – provides authentication (detection of change)

ESP
• RFC 2406
• Initially ESP only provided confidentiality, not message authentication
  – You were supposed to use AH to get authentication
  – People argued that ESP was not useful without authentication, so it was added in as an option
  – Now AH is not so valuable, since you can use null encryption in ESP to get essentially the same thing

ESP Header
• Both confidentiality and message authentication cover part of the header
• Payload is the encrypted original packet
• Sequence number is used to avoid replay attacks
[Figure: ESP packet layout – Security Parameters Index (SPI) | Sequence Number | Payload Data (variable) | Padding (0-255 bytes) | Pad Len | Next Header | Authentication Data (variable); side labels mark the authentication coverage and the confidentiality coverage]

Replay Protection
• Monotonically increasing sequence number
  – Starts at 1
  – Must renegotiate if the number wraps
• Window (default 64) to deal with out-of-order delivery
[Figure: sliding anti-replay window of width W ending at sequence number N, with N+1 arriving]

Tunnel and Transport Modes
• IPSec tunnels can be set up in two modes
• Tunnel mode
  – Creates a new IP header and encapsulates the original
  – Used by gateways
• Transport mode
  – Just encapsulates the transport layer and beyond
  – Can be used if the source and destination of the traffic are also the tunnel endpoints

Tunnel and Transport Modes
[Figure: tunnel mode packet – GW IP Hdr | ESP Hdr | Original packet including orig IP hdr; transport mode packet – Orig IP Hdr | ESP Hdr | Original packet minus IP hdr]

Tunnel and Transport Modes
[Figure: hosts X and Y behind gateways A and B across the Internet; the packet Src=X Dst=Y Data leaves X unchanged, gateway A wraps it as Src=A Dst=B ESP SPI=10 [Src=X Dst=Y Data], and gateway B restores Src=X Dst=Y Data for Y; a second diagram shows the same path with nested ESP headers, SPI=10 and SPI=1025]

Example: Nested Tunnels
• Group in A.org needs to communicate with group in B.org
• Gateways of A, B use
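The Replay Protection slide describes the receiver's sliding window and the SA Attributes slide lists the sequence counter with its overflow flag; as an added example that is not part of the lecture, here is a direct implementation of both in the style of RFC 2401 Appendix C (the class and function names are my own, the arrival order in simulate() is constructed):

```python
SEQ_MAX = 0xFFFFFFFF  # the ESP sequence number field is 32 bits wide


class SeqCounter:
    """Outbound SA attribute: sequence number counter plus overflow flag."""

    def __init__(self):
        self.counter = 0          # first packet sent gets sequence number 1
        self.overflowed = False

    def next_seq(self):
        # A wrapped counter would let old packets fall back inside the
        # window, so the SA must be renegotiated instead of reusing numbers.
        if self.counter >= SEQ_MAX:
            self.overflowed = True
            raise RuntimeError("sequence number wrapped: renegotiate SA")
        self.counter += 1
        return self.counter


class AntiReplayWindow:
    """Inbound SA attribute: window over the last `size` sequence numbers."""

    def __init__(self, size=64):
        self.size = size
        self.right = 0            # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence (right - i) seen

    def check(self, seq):
        """Preliminary check, run before the ICV is verified."""
        if seq == 0 or seq > SEQ_MAX:
            return False
        if seq > self.right:
            return True           # new high-water mark, always acceptable
        diff = self.right - seq
        if diff >= self.size:
            return False          # left of the window: too old
        return not (self.bitmap >> diff) & 1   # already seen => replay

    def update(self, seq):
        """Record `seq` once its ICV verified; False if check() rejects it."""
        if not self.check(seq):
            return False
        if seq > self.right:
            shift = seq - self.right
            mask = (1 << self.size) - 1
            # Slide the window right; a jump past the window drops all history
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)
        return True


def simulate(arrivals, size=64):
    """Feed a constructed arrival order through one window; accept/reject per packet."""
    w = AntiReplayWindow(size)
    return [w.update(s) for s in arrivals]
```
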