
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

www.huawei.com

Network Security

Rev 1.0


Objectives

ACL

NAT

AAA

RADIUS + DIAMETER

Tunneling (GRE+IPSec)

Ethernet Access List

Main function: ensure distributed access security over the whole network.

[Figure: intranet with Department A, Department B and a server]

Filtering

The ACL classifies packets according to a series of matching conditions.

The ACL is applied to a switch port to determine whether a packet should be forwarded or discarded.

The matching rules defined by an ACL can also be reused wherever traffic needs to be differentiated, for example when defining traffic classification rules in QoS.

An access control rule can be composed of multiple sub-rules.

Time segment control can be defined.

[Figure: packet fields available for matching: Layer 2 header, IP header, TCP header, application-level header, data]

ACL Example

[Figure: network diagram showing the addresses 202.1.5.1 and 192.168.1.10]

acl number 3001
 rule 10 permit tcp source 192.168.1.0 0.0.0.255 destination 202.1.5.1 0.0.0.0 source-port any destination-port 80
 rule 20 deny ip source any destination any
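How the two rules of acl number 3001 decide the fate of a packet, as an added example that is not part of the original slides. It assumes rules are tried in ascending rule number and that the first match wins; the `Rule` class, `evaluate` function and sample packets are hypothetical names and constructed data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones = "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care
    )


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", ... or "ip" for any protocol
    src: Tuple[str, str] = ANY       # (address, wildcard mask)
    dst: Tuple[str, str] = ANY
    dst_port: Optional[int] = None   # None = any port


# The two rules of "acl number 3001" from the slide.
ACL_3001 = [
    Rule(10, "permit", "tcp", ("192.168.1.0", "0.0.0.255"),
         ("202.1.5.1", "0.0.0.0"), 80),
    Rule(20, "deny", "ip"),
]


def evaluate(acl, protocol, src, dst, dst_port=None):
    """Return (action, rule_id) of the first matching rule (assumed order:
    ascending rule number)."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.protocol not in ("ip", protocol):
            continue
        if not wildcard_match(src, *rule.src):
            continue
        if not wildcard_match(dst, *rule.dst):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action, rule.rule_id
    # No rule matched: the outcome then depends on where the ACL is applied.
    return "no-match", None


# Constructed sample packets: (protocol, source, destination, destination port).
SAMPLES = [
    ("tcp", "192.168.1.10", "202.1.5.1", 80),    # the flow rule 10 allows
    ("tcp", "192.168.1.10", "202.1.5.1", 443),   # same hosts, other port
    ("tcp", "192.168.2.10", "202.1.5.1", 80),    # source outside 192.168.1.0/24
    ("udp", "192.168.1.10", "202.1.5.1", 80),    # right port, wrong protocol
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(ACL_3001, *pkt))
```

Only the first sample reaches rule 10; everything else falls through to the catch-all rule 20, which is what makes the ACL an allow-list for web access to 202.1.5.1.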


Features of ACL Application

Traffic Filtering

Routes Filtering

QoS


Private Addresses and Public Address

[Figure: LAN1, LAN2 and LAN3 connected to the Internet; private ranges shown: 192.168.0.0/24, 192.168.1.0/24, 192.168.0.0/24]

The range of private address:

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255

Why NAT?

NAT (Network Address Translation)

Why do we use NAT?

● IP address resources are increasingly insufficient. Address translation lets multiple hosts in a LAN access the Internet through a public IP address.

● Network security protection: address translation technology can effectively hide the hosts of the internal LAN.

● To provide services of the internal network, such as FTP, WWW and Telnet, to the external network.

Principle of Address Translation

[Figure: PC1 and PC2 in the LAN send IP packets to 195.210.5.31:80; the translated packets leave toward the Internet with source address 202.1.1.5 and source ports 4000 and 4001, as listed in the table]

Local Source        Destination        Outside Source
192.168.1.1:3000    195.210.5.31:80    202.1.1.5:4000
192.168.1.2:3000    195.210.5.31:80    202.1.1.5:4001

Address Pool

An address pool is a collection of contiguous public IP addresses, identified by a number.

The NAT process selects an address from the address pool as the source address after translation.

Address pools enable more LAN users to access the Internet simultaneously.

[Figure: PC1 and PC2 in the LAN reach the Internet through an address pool containing 202.38.160.1, 202.38.160.2, 202.38.160.3 and 202.38.160.4]

Application of Internal Server

[Figure: an extranet user reaches an internal server across the Internet through router R (interfaces E0 and Serial 0). Labels: private address 10.0.1.1, port 80; public address 202.38.160.1, port 80; IP 202.39.2.3]

Map on router:

● address: 10.0.1.1 ←→ 202.38.160.1

● port: 80 ←→ 80

The server is accessed by referring to the map.

Disadvantages of NAT

Because NAT has to translate IP addresses in data packets, packet headers that carry IP addresses cannot be encrypted, and application protocols cannot use an encrypted FTP connection. Otherwise, the FTP PORT command cannot be translated correctly.

Network debugging becomes more difficult. For instance, when a host in the internal network attempts to attack other networks, it is hard to point out which computer is malicious, because the host IP address is hidden.


Network Architecture and Position of BRAS

[Figure: users attach over Ethernet (LAN switch), WLAN (AP) and ADSL (DSLAM) in the access network. Layers shown: access layer, NAS (BRAS), convergence layer and core layer of the core network. Also shown: NMS, AAA platform, service platform]

AAA

Authentication

Authorization

Accounting

Architecture of NAS(BRAS) device

[Figure: BRAS functional blocks: user packet, AAA&UM, service control, connection management, address management, user identification; external systems: AAA server, policy server, DHCP server]

User Identification – Access types

[Figure: PPP user, 802.1x user, Web user and Bind user connecting to the NAS, plus a Web server. Packet types shown: EAPoL packet, PPP packet, IP/ARP/DHCP packet, Portal protocol packet, HTTP packet]

PPP overview

Network layer

● Network protocol: IP, IPX

Data link layer

● Network Control Protocol: IPCP, IPXCP, BCP

● Authentication Protocol: PAP, CHAP, EAP

● Link Control Protocol: LCP

Physical layer

PPP phase diagram

[Figure: PPP phases Dead, Establish, Authenticate, Network and Terminate. Transition labels: Up, Opened, Fail, Fail, Closing, Down. Protocols per phase: LCP (Establish), PAP/CHAP (Authenticate), IPCP (Network)]

PAP & CHAP Authentication Process

[Figure: message flows between Client and BRAS]

PAP

● Client → BRAS: Authentication_Req (username, password)

● BRAS: passwords comparing

● BRAS → Client: Accept/Reject

CHAP

● BRAS: challenge generation

● BRAS → Client: Challenge

● Client: ChallengePwd generation

● Client → BRAS: Authentication_Req (username, ChallengePwd)

● BRAS: ChallengePwds comparing

● BRAS → Client: Accept/Reject
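The difference between the two flows, as an added example that is not part of the original slides. It assumes CHAP with MD5 as defined in RFC 1994, where the slide's "ChallengePwd" is MD5(identifier, secret, challenge); the class and function names and the account data are hypothetical.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """BRAS side: generates challenges and compares responses."""

    def __init__(self, secrets: dict):
        # username -> shared secret; CHAP needs it in recoverable form,
        # because the BRAS must recompute the same hash as the client.
        self.secrets = secrets
        self.pending = {}             # username -> (identifier, challenge)
        self.next_id = 0

    def new_challenge(self, username: str):
        identifier, self.next_id = self.next_id, (self.next_id + 1) % 256
        challenge = os.urandom(16)    # fresh and unpredictable for every attempt
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        state = self.pending.pop(username, None)   # a challenge is usable once
        secret = self.secrets.get(username)
        if state is None or secret is None or state[0] != identifier:
            return False
        expected = chap_response(identifier, secret, state[1])
        return hmac.compare_digest(expected, response)


def pap_verify(secrets: dict, username: str, password: bytes) -> bool:
    """PAP: the password itself crosses the link and is compared directly."""
    stored = secrets.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def demo() -> dict:
    secrets = {"alice": b"constructed-password"}    # constructed sample account
    bras = ChapAuthenticator(secrets)

    ident, challenge = bras.new_challenge("alice")
    on_wire = chap_response(ident, secrets["alice"], challenge)
    first = bras.verify("alice", ident, on_wire)

    # The same response presented against a later challenge is useless.
    ident2, _ = bras.new_challenge("alice")
    replay = bras.verify("alice", ident2, on_wire)

    ident3, challenge3 = bras.new_challenge("alice")
    wrong = bras.verify("alice", ident3,
                        chap_response(ident3, b"guess", challenge3))
    return {"chap_ok": first, "chap_replay": replay,
            "chap_wrong_secret": wrong,
            "pap_ok": pap_verify(secrets, "alice", b"constructed-password")}


if __name__ == "__main__":
    print(demo())
```

With PAP a captured Authentication_Req contains the reusable password; with CHAP it contains only a hash bound to one challenge, so the strength of the scheme rests on the challenge being fresh and on the secret resisting offline guessing.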

Why we need PPPoE?

[Figure: subscribers connected to the access network, with and without PPP encapsulation]

ETH | IP | DATA: can identify device, not user

ETH | PPP | IP | DATA: can identify subscriber

Discovery and Session Stages

Discovery stage

● Discover the AC (Access Concentrator) and acquire the AC's MAC

● Allocate Session ID

Session stage

● PPP parameters negotiation

● Data transmission

● Maintain session

PPPoE Discovery phase diagram

[Figure: message exchange between Client and AC]

● Client → AC: PADI (Service-Name, Session-ID=0x0000)

● AC → Client: PADO (Service-Name, AC-Name, Session-ID=0x0000)

● Client → AC: PADR (Service-Name, AC-Name, Session-ID=0x0000)

● AC → Client: PADS (Service-Name, AC-Name, Session-ID=0x055A)

DHCP Address allocation modes

Automatic allocation

● The DHCP server assigns a permanent address to a client

Dynamic allocation

● The DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address)

Manual allocation

● A client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client

DHCP Working Flow

[Figure: message exchange between the DHCP client and the selected DHCP server]

● Client → Server: DHCPDISCOVER

● Server → Client: DHCPOFFER

● Client → Server: DHCPREQUEST

● Server → Client: DHCPACK or NAK

● Client → Server: DHCPRELEASE


Packet format

op (1) htype (1) hlen (1) hops (1)

xid (4)

secs (2) flags (2)

ciaddr (4)

yiaddr (4)

siaddr (4)

giaddr (4)

chaddr (16)

sname (64)

file (128)

options (variable)

Option 82

Preventing IP address exhaustion caused by DHCP requests

Realizing static allocation of IP addresses by DHCP

Preventing static IP address spoofing

Option 82:

● Agent Circuit ID: {atm|eth} frame/slot/subslot/port[:vpi.vci|outer_vlan.inner_vlan]

● Agent Remote ID: AccessNodeIdentifier

Example: Quidway Eth 0/1/0/1:0.0

Option 82

[Figure: DHCP exchange across PC, DSLAM, NAS and DHCP server]

Message     PC - DSLAM    DSLAM - NAS             NAS - DHCP Server
DISCOVER    DISCOVER      DISCOVER + Option 82    DISCOVER + Option 82
OFFER       OFFER         OFFER + Option 82       OFFER + Option 82
REQUEST     REQUEST       REQUEST + Option 82     REQUEST + Option 82
ACK         ACK           ACK + Option 82         ACK + Option 82


Networking Application of RADIUS

[Figure: users connect through a DSLAM or a LAN switch in the access networks to a NAS; also shown: the core network (Internet) and the AAA server]

Architecture of NAS device

[Figure: NAS functional blocks: user packet, AAA&UM, service control, connection management, address management, user identification; external systems: AAA server, policy server, DHCP server]

Client-Server Model

[Figure: User, NAS (RADIUS client), RADIUS server, AAA server]

RADIUS = Remote Authentication Dial-In User Service


Key features

Network security

● Shared secret

Flexible Authentication Mechanism

● PAP

● CHAP

Extensible Protocol

● Attribute-Length-Value format

Radius Packet Format

Packet:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

Attribute:

 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|     Type      |    Length     |  Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
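A parser for the packet and attribute layouts above that also checks the Response Authenticator derived from the shared secret, as an added example that is not part of the original slides. The authenticator formula follows RFC 2865; the function names, the secret, the Request Authenticator and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}


def parse_radius(data: bytes) -> dict:
    """Parse Code, Identifier, Length, Authenticator and the attribute list."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > 4096:
        raise ValueError("Length field outside 20..4096")
    if length > len(data):
        raise ValueError("packet truncated: Length exceeds received bytes")
    attrs, pos = [], HEADER_LEN
    while pos < length:                 # bytes past Length are padding, ignored
        if length - pos < 2:
            raise ValueError("dangling byte after the last attribute")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type}: bad length {a_len}")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, "unknown"), "id": ident,
            "length": length, "authenticator": data[4:20], "attributes": attrs}


def response_authenticator(raw: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    length = struct.unpack("!H", raw[2:4])[0]
    return hashlib.md5(raw[:4] + request_auth + raw[20:length] + secret).digest()


def verify_response(raw: bytes, request_id: int, request_auth: bytes,
                    secret: bytes) -> bool:
    """NAS-side check that a reply really comes from a holder of the secret."""
    pkt = parse_radius(raw)
    if pkt["id"] != request_id:         # reply must match the pending request
        return False
    expected = response_authenticator(raw, request_auth, secret)
    return hmac.compare_digest(pkt["authenticator"], expected)


def build_response(code: int, ident: int, attrs: list, request_auth: bytes,
                   secret: bytes) -> bytes:
    """Server side, used here only to construct the sample packet."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body


# Constructed sample: Access-Accept for request 7 with a Reply-Message (type 18).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCEPT = build_response(2, 7, [(18, b"welcome")], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(parse_radius(ACCEPT))
    print("genuine :", verify_response(ACCEPT, 7, REQUEST_AUTH, SECRET))
    forged = ACCEPT[:-1] + b"!"
    print("tampered:", verify_response(forged, 7, REQUEST_AUTH, SECRET))
```

The length checks matter as much as the hash: every attribute length is validated against the packet Length before slicing, so a malformed attribute cannot make the parser read past the packet or loop forever.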

Authentication and Accounting Procedure

[Figure: message sequence between User, NAS and RADIUS server]

Authentication

● User → NAS: user requests access

● NAS → RADIUS server: Access-Request

● RADIUS server → NAS: Access-Accept or Access-Reject

● NAS → User: configure user

Accounting start

● NAS → RADIUS server: Accounting-Request (start)

● RADIUS server → NAS: Accounting-Response

Interim accounting

● NAS → RADIUS server: Accounting-Request (Interim update)

● RADIUS server → NAS: Accounting-Response

Accounting stop

● User → NAS: user requests termination

● NAS → RADIUS server: Accounting-Request (stop)

● RADIUS server → NAS: Accounting-Response

PAP and CHAP Interoperation

[Figure: message sequences between User, NAS and RADIUS server]

PAP

● User → NAS: Username, Password

● NAS → RADIUS server: Access-Request (Username, Password)

● RADIUS server: check

● RADIUS server → NAS: Access-Accept or Access-Reject

● NAS → User: configure user

CHAP

● NAS → User: Challenge

● User → NAS: Username, Encrypted challenge

● NAS → RADIUS server: Access-Request (Username, Challenge, Encrypted Challenge)

● RADIUS server → NAS: Access-Accept or Access-Reject

● NAS → User: configure user

Why UDP?

1. If the request to a primary authentication server fails, a secondary server must be queried

2. The timing requirements of this particular protocol are significantly different from those TCP provides

3. The stateless nature of this protocol simplifies the use of UDP

4. UDP simplifies the server implementation

What's Diameter?

Diameter protocol

● An AAA protocol that provides the Authentication, Authorization and Accounting (AAA) functions

● More advanced than "radius", so it is called "diameter"

[Figure: traditional network: NAS as AAA client talking Radius to the AAA server; future network: DSL, 3G and WLAN access talking Diameter to the AAA server]


New demands on AAA protocols

Network access requirements for AAA protocols

● Failover

● Transmission-level security

● Reliable transport

● Agent support

● Server-initiated messages

● Capability negotiation

● Peer discovery and configuration

Diameter Framework

The Diameter protocol consists of the Diameter base protocol and the Diameter application protocol.

● Diameter base protocol: Provides a secure, reliable, and extensible framework for various authentication, authorization, and accounting services.

● Diameter application protocol: Defines functional and data units for particular applications.

[Figure: Diameter stack: Diameter applications (NASREQ application, MIP application, EAP application, SIP application, …) on top of the Diameter base protocol, carried over SCTP or TCP]

Diameter node type

● Client

A Diameter Client is a device at the edge of the network that performs access control. An example of a Diameter client is a Network Access Server (NAS) or a Foreign Agent (FA).

● Server

A Diameter Server is one that handles authentication, authorization and accounting requests for a particular realm. By its very nature, a Diameter Server MUST support Diameter applications in addition to the base protocol.

● Agent


Role of Diameter Agents

There are four kinds of Diameter Agents

● Relay Agent or Relay

● Proxy Agent or Proxy

● Redirect Agent

● Translation Agent

[Figures: Relay/Proxy Agent (two slides), Redirect Agent (two slides), Translation Agent]

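Diameter Message Structure

The Diameter message structure consists of two parts:

● Diameter message head

● Diameter AVP

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |                 Message Length                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| command flags |                  Command-Code                 |
|R P E T r r r r|                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Application-ID                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Hop-by-Hop Identifier                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      End-to-End Identifier                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  AVPs ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

Message head: Version through End-to-End Identifier. Message body: AVPs.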

Diameter PDU

Command code

Command-Name                     Abbrev   Code
Abort-Session-Request            ASR      274
Abort-Session-Answer             ASA      274
Accounting-Request               ACR      271
Accounting-Answer                ACA      271
Capabilities-Exchange-Request    CER      257
Capabilities-Exchange-Answer     CEA      257
Device-Watchdog-Request          DWR      280
Device-Watchdog-Answer           DWA      280
Session-Termination-Request      STR      275
Session-Termination-Answer       STA      275

Diameter AVP

AVP (attribute-value pair)

● The Diameter message body is composed of Diameter AVPs. Each AVP carries a specific message parameter value, and contains an AVP head and data. The AVP carries the authentication information, authorization information, charging information, routing information, security information, and the request and response configuration information.

● AVP structure

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           AVP Code                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   AVP flags   |                  AVP Length                   |
|V M P r r r r r|                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Vendor-ID (opt)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  AVP data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
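A parser for the message head and AVP layouts above, as an added example that is not part of the original slides. Field sizes follow the Diameter base protocol; the function names and the sample message are constructed, and the sample is not a realistic watchdog request: its third AVP reuses the numbers 603 and 10415 from the deck's Cx example (10415 taken as the Vendor-ID) only to exercise the V flag.

```python
import struct

# Command codes from the slides; a request and its answer share one code and
# differ only in the R bit of the command flags.
COMMANDS = {257: "Capabilities-Exchange", 271: "Accounting",
            274: "Abort-Session", 275: "Session-Termination",
            280: "Device-Watchdog", 282: "Disconnect-Peer"}
FLAG_R, FLAG_T = 0x80, 0x10      # command flags: Request, reTransmitted
AVP_V, AVP_M = 0x80, 0x40        # AVP flags: Vendor-ID present, Mandatory


def parse_avps(body: bytes) -> list:
    """Walk the message body; every AVP starts on a 4-byte boundary."""
    avps, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 8:
            raise ValueError("truncated AVP header")
        code = int.from_bytes(body[pos:pos + 4], "big")
        flags = body[pos + 4]
        length = int.from_bytes(body[pos + 5:pos + 8], "big")  # without padding
        header = 12 if flags & AVP_V else 8
        if length < header or pos + length > len(body):
            raise ValueError(f"AVP {code}: bad AVP Length {length}")
        vendor = None
        if flags & AVP_V:
            vendor = int.from_bytes(body[pos + 8:pos + 12], "big")
        avps.append({"code": code, "vendor": vendor,
                     "mandatory": bool(flags & AVP_M),
                     "data": body[pos + header:pos + length]})
        pos += (length + 3) & ~3                               # skip padding
    return avps


def parse_message(data: bytes) -> dict:
    """Parse one complete Diameter message (20-byte head plus AVPs)."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte message head")
    version, flags = data[0], data[4]
    length = int.from_bytes(data[1:4], "big")
    code = int.from_bytes(data[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:20])
    if version != 1:
        raise ValueError(f"unsupported version {version}")
    if length != len(data) or length % 4:
        raise ValueError("Message Length does not match the received bytes")
    kind = "Request" if flags & FLAG_R else "Answer"
    return {"command": f"{COMMANDS.get(code, code)}-{kind}",
            "retransmit": bool(flags & FLAG_T), "application_id": app_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end,
            "avps": parse_avps(data[20:])}


def build_avp(code: int, data: bytes, vendor=None) -> bytes:
    """Encode one AVP (used here only to construct the sample)."""
    flags = AVP_M | (AVP_V if vendor is not None else 0)
    header = 12 if vendor is not None else 8
    out = (code.to_bytes(4, "big") + bytes([flags])
           + (header + len(data)).to_bytes(3, "big"))
    if vendor is not None:
        out += vendor.to_bytes(4, "big")
    out += data
    return out + b"\x00" * (-len(out) % 4)


def build_message(code: int, flags: int, avps: list,
                  app_id=0, hbh=1, e2e=1) -> bytes:
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hbh, e2e) + body)


# Constructed sample message with command code 280 and the R bit set.
SAMPLE_DWR = build_message(280, FLAG_R, [
    build_avp(264, b"da1.realma"),       # Origin-Host (constructed name)
    build_avp(296, b"realma"),           # Origin-Realm (constructed name)
    build_avp(603, b"", vendor=10415),   # vendor-specific AVP, V flag set
])

if __name__ == "__main__":
    print(parse_message(SAMPLE_DWR))
```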

Example

Use Cx message as an example

[Figure: I-CSCF and HSS exchange a Diameter message (UAA). The message consists of a Diameter header (command code: UAA) followed by AVPs; each AVP has an AVP header (AVP code, AVP length) and AVP data. Values shown: 603, 10415]

603: server capabilities

Diameter Link Establishment - Capability Exchange

CER / CEA (Capabilities-Exchange-Request / Answer)

● When two Diameter peers create a connection, they need to perform a capability exchange. The CER/CEA capability exchange is used to announce capabilities (such as protocol version, Diameter application, and security mechanism).

● If a peer receives a CER from an unknown peer, it discards the message or returns the result code DIAMETER_UNKNOWN_PEER.

[Figure: Client and Server establish the connection, then the Client sends CER and the Server answers with CEA]

Diameter Link Heartbeat Message

DWR/DWA (Device-Watchdog-Request / Answer)

● The DWR command code is 280. It is used to probe the link and is also called a heartbeat message or handshake message.

● If a node sends several consecutive DWR messages and the peer node does not return a DWA, the link status is set to down (the link is not released).

[Figure: Node1 sends DWR to Node2, Node2 answers with DWA]

Diameter Link Disconnection Message

DPR/DPA (Disconnect-Peer-Request / Answer)

● The command code is 282.

● DPR is used to notify the peer node to disconnect the link; the peer node returns the DPA and then the link is disconnected.

[Figure: Node1 sends DPR to Node2, Node2 answers with DPA, then the connection is released]

Diameter Link Management Process

1. Diameter link establishment process (between PEER and DA)

● SCTP association establishment

● CER / CEA: capability exchange is successful and the link is normal.

● DWR / DWA: heartbeat messages are sent periodically to maintain the link status.

2. Diameter link disconnection process (between PEER and DA)

● The DA initiates the disconnection: DPR, DPA, then SCTP association disconnect

● The peer initiates the disconnection: DPR, DPA, then SCTP association disconnect

The Diameter connection is established through the capability exchange with the peer.

When the DA or the peer wants to release the Diameter link, it first needs to send the DPR message to disconnect the link.

Diameter Message Routing Function

[Figure: flowchart in the Diameter basic protocol layer for a message (Msg) carrying D-Host=×× and D-Realm=××]

● Does the message carry the D-Host?

● Y: check the adjacent peer devices based on the D-Host. If a peer is found (Y), choose the route and forward.

● N: check the routing table based on the D-Realm and forward the message.

Diameter Message Routing Function (Cont.)

Routing: message routing based on the Realm-Based Routing Table.

Forwarding: message forwarding based on the peer device table.

The response message does not carry the target address information; it is returned along the path of the corresponding request message.

[Figure: Client (Hostname=Client.RealmA) and DA1 in RealmA; DA2 and Server (Hostname=Server.RealmB) in RealmB. The request (ApplicationID, DestRealm=RealmB, DestHost=Server.RealmB) goes through steps 1. Routing, 2. Routing and 3. Forwarding; the responses are steps 4, 5 and 6]

IETF RFC3588 Diameter Base Protocol

Switchover

[Figure: Client, DA1, DA2 and Server, each sending side with a request queue; steps shown: 1. Request, 2. Request, 5. Response, 6. Response]

Diameter caches each request message. The purpose is to retransmit the message when the link is faulty, so that the message reaches the destination as soon as possible and delay is reduced.

If the T bit is set to 1, the message is a retransmission.

A retransmission happens when, due to link failure, the request message was not sent to the peer or no response message was received.


Objectives

ACL

NAT

Access Methods (PPP, PPPoE, DHCP)

AAA

RADIUS + DIAMETER

Tunneling (GRE+IPSec)

VPN Definition

VPN: Virtual Private Network

[Figure: headquarter, branch, office, remote office, partner and employees on business trips connected across the Internet by tunnels and leased lines]


Classification of VPN

Based on the applications:

● Access VPN

● Intranet VPN

● Extranet VPN

Based on Realization Layer:

● Layer 2 VPN

● Layer 3 VPN

Access VPN

Dial network expansion:

● Employees on errands

● Remote small office

[Figure: tunnels from POPs to the HQ, originated either by the user or by the ISP]

Intranet VPN

[Figure: HQ, research institute, office and branch connected by tunnels over the Internet / ISP IP / ATM / FR network]

Extranet VPN

[Figure: HQ, branch, partner and remote office connected over the Internet / ISP IP / ATM / FR network]

Classification Based on Realization Layer

Layer 2 VPN

● L2TP: Layer 2 Tunnel Protocol (RFC 2661)

● PPTP: Point To Point Tunnel Protocol

● L2F: Layer 2 Forwarding

Layer 3 VPN

● GRE: Generic Routing Encapsulation

● IPSEC: IP Security Protocol


Principle of VPN Design

Security

● Tunnel and Encryption

● Data Authentication

● User Authentication

● Firewall and Attack Examination

Reliability

Economical Efficiency

Expansibility

GRE Overview

GRE is the generic routing encapsulation protocol. It encapsulates datagrams of some network layer protocols (e.g. IP, IPX, AppleTalk) so that these datagrams can be transmitted over an IP network.

GRE is a layer 3 tunnel protocol of VPN (Virtual Private Network); that is, a technique called a tunnel is adopted between protocol layers.

GRE Protocol Stack

Passenger protocol: IP/IPX

Encapsulation protocol: GRE

Transmission protocol: IP

Link layer

Tunnel Interface Message Format

Data Link Layer | IP | GRE | IP/IPX | Payload

GRE Build VPN

[Figure: HQ and Branch connected by a tunnel across the Internet. Encapsulated packet: Transfer Protocol Header | GRE Header | Original Data Packet]

IPSec Overview

IPSec (IP Security) is a framework of open standards developed by the Internet Engineering Task Force (IETF).

IPSec includes two protocols: the AH (Authentication Header) protocol and the ESP (Encapsulating Security Payload) protocol.

IPSec provides security services at the IP layer. There are two working modes: tunnel mode and transport mode.

Composition of the IPSec Protocol

IPSec provides two security protocols

● AH (Authentication Header)

MD5 (Message Digest 5)

SHA1 (Secure Hash Algorithm)

● ESP (Encapsulating Security Payload)

DES (Data Encryption Standard)

3DES

Other algorithms: Blowfish, CAST ...

Security Feature of IPSec

Confidentiality: encrypt client data and then transmit it as cipher text.

Data Integrity: authenticate the received data to determine whether the packet has been modified.

Data Authentication: authenticate the data source to make sure that the data is sent from the real sender.

● Data integrity

● Data origin authentication

Anti-Replay: prevent a malicious client from repeatedly sending a data packet. In other words, the receiver rejects old or repeated data packets.
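How a receiver can reject old or repeated packets using the per-SA sequence number, as an added example that is not part of the original slides. It uses the sliding-window technique described for AH and ESP in the IPsec RFCs; the class name, the window size of 64 and the sequence numbers are assumptions chosen for illustration.

```python
class ReplayWindow:
    """Sliding anti-replay window kept per security association.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has already been seen.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True if the packet is fresh, False if it must be dropped.

        In a real receiver the window is only advanced after the packet's
        authentication data has been verified; otherwise a forged packet
        with a huge sequence number would push genuine traffic out of the
        window.
        """
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.top:                     # newer than anything seen
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                # too old: left of the window
            return False
        if self.bitmap & (1 << offset):        # already received: replay
            return False
        self.bitmap |= 1 << offset             # late but new: accept once
        return True


def filter_replays(sequence_numbers, size: int = 64) -> list:
    """Run a list of received sequence numbers through one window."""
    window = ReplayWindow(size)
    return [window.check_and_update(seq) for seq in sequence_numbers]


# Constructed arrival order: a duplicate, reordering, a jump ahead, then
# packets to the left of and just inside the 64-packet window.
ARRIVALS = [1, 1, 3, 2, 2, 100, 36, 37, 0]

if __name__ == "__main__":
    for seq, ok in zip(ARRIVALS, filter_replays(ARRIVALS)):
        print(seq, "accept" if ok else "drop")
```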


Basic Concept of IPSec

Security Association

Security Parameter Index

Sequence Number

Life Time

Data Flow

Security Proposal

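AH Protocol

Original packet: IP HDR | Data

Transport mode: IP HDR | AH | Data

Tunnel mode: New IP HDR | AH | Org IP HDR | Data

AH Format

0               8               16                             31
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header   |  Payload Len  |          RESERVED             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Security Parameters Index (SPI)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Sequence Number Field                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Authentication Data (variable)                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+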

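ESP Protocol

Original packet: IP HDR | Data

Transport mode: IP HDR | ESP Hdr | Data | ESP Trailer | ESP Auth (encryption part: Data and ESP Trailer)

Tunnel mode: New IP HDR | ESP Hdr | Org IP HDR | Data | ESP Trailer | ESP Auth (encryption part: Org IP HDR, Data and ESP Trailer)

ESP format

0               8               16              24
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Security Parameters Index (SPI)                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Payload Data* (variable)                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Padding (0-255 bytes)                     |
|                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |  Pad Length   |  Next Header  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Authentication Data (variable)                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+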

IKE

IKE (Internet Key Exchange) is an Internet key exchange protocol that implements a hybrid of the Oakley and SKEME key exchanges.

This protocol defines standards for automatically authenticating the IPSec peer, negotiating security services and generating shared keys.

IKE computes the key; it does not transmit the key.

IKE Security Mechanism

Perfect Forward Secrecy

Authentication

● Identity Authentication

● Identity protection

DH exchange and key distribution

IKE Exchange Process

[Figure: three exchanges between Peer1 and Peer2]

SA Exchange

● Peer1 sends its local IKE strategy (strategy of sender).

● Peer2 searches for the matched strategy and returns it (strategy of receiver confirmed).

● Strategy confirmed: the algorithm used by both sides is confirmed.

Key Exchange

● The peers exchange the key information of sender and the key information of receiver.

● Each side generates the key.

ID Exchange and authentication

● The peers exchange the ID and auth data of sender and the ID and auth data of receiver.

● Each side authenticates the peer identity.

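DH Exchange and Key Product

Both peers share the public parameters $(g, p)$.

One peer holds the secret $a$, sends $c = g^a \bmod p$ and computes $d^a \bmod p$.

The other peer holds the secret $b$, sends $d = g^b \bmod p$ and computes $c^b \bmod p$.

$d^a \bmod p = c^b \bmod p = g^{ab} \bmod p$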

The Function of IKE in IPSec

Reduce the complexity of manual configuration

Update the IPSec SA after an interval

Update the encryption key after an interval

Permit IPSec to provide anti-replay

Permit dynamic authentication between the peers

Relation Between IPSec and IKE

[Figure: on each peer, IKE sits above TCP/UDP and provides the SA to IPSec at the IP layer; the two IKE instances perform the IKE SA negotiation, and the two IPSec instances exchange encrypted IP packets]
