Roles of IPsec
-
Upload
dominque23 -
Category
Technology
-
view
1.271 -
download
0
description
Transcript of Roles of IPsec
![Page 1: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/1.jpg)
Lecture II : Lecture II : Security Analysis and PlanningSecurity Analysis and Planning
Internet Security: Principles & Practices
John K. Zao, PhD SMIEEENational Chiao-Tung University
Fall 2005
![Page 2: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/2.jpg)
2Internet Security - System Analysis & Planning
ThemeThemeObjectivesObjectives Highlight objectives of security system design &
implementation
Introduce procedure of security system planning & operation
MottoMotto Security/Safety is a relative measure
NO system is absolutely secure !
Users’ sense of security is usually a fuzzy warm feeling
Security specialists must specify & quantify security measures
Security systems only offer measured protection (safeguards) over selected resources (assets) against identified dangers (threats)
Security protection is a perpetual practice consisting of planning, deployment, monitoring & improvement
![Page 3: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/3.jpg)
3Internet Security - System Analysis & Planning
Security System, Planning & OperationSecurity System, Planning & Operation
ASSET IDENTIFICATION
CONFIG
PLANNI NG OPERATI ON
ASSET EVALUATION
THREAT IDENTIFICATION
THREAT
EVALUATION
POLICY/ MEASURE
FORMULATION
HARDEN
DETECT
RESPONSE
IMPROVE
Vulnerability Analysis
GoalEstablishment
Preventive
Reactive
CorrectiveStrategyDevelopment
Vulnerability Analysis
Service Selection
Mechanism Implementation
![Page 4: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/4.jpg)
4Internet Security - System Analysis & Planning
Security System, ConceptsSecurity System, Concepts Assets – system resources to be valued & protected Vulnerability – system weakness exposes assets to
threats Threats – persons/things/events pose dangers to assets Attacks – actual realizations of security threats Risks – cost measures of realized vulnerability
(considering probability of successful attacks Countermeasures/Safeguards –
structures/policies/mechanisms protect assets from threats
![Page 5: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/5.jpg)
5Internet Security - System Analysis & Planning
Threats, CategorizationThreats, Categorization
Fundamental ThreatsFundamental Threats Confidentiality Violation – leakage of information Integrity Violation – compromise of information consistency Denial of Services – service unavailability to legitimate users Illegitimate Use – service availability to illegitimate users
Enabling ThreatsEnabling Threats Penetration Threats
Masquerade – identity falsification Control/Protection Bypass – system flaw exploitation Authorization Violation – insider violation of usage authorization
Planting Threats Trojan Horse Trapdoor/Backdoor
![Page 6: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/6.jpg)
6Internet Security - System Analysis & Planning
Threats, Categorization [Cont’d]Threats, Categorization [Cont’d]
Underlying ThreatsUnderlying Threats Eavesdropping Traffic Analysis Personnel Indiscretion/Misconducts Media Scavenging …
They are application & environment specific
![Page 7: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/7.jpg)
7Internet Security - System Analysis & Planning
Countermeasures/SafeguardsCountermeasures/Safeguards
Physical SecurityPhysical Security Physical Security
Operational SecurityOperational Security Personnel Security Administrative Security Information Lifecycle Control
Technical SecurityTechnical Security Communication Security Computation Security Media Security Emanation Security
![Page 8: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/8.jpg)
Example: Example: Use of IPsec & IKE in Use of IPsec & IKE in Universal Mobile Telecommunication Universal Mobile Telecommunication SystemSystem
Dr. John K. ZaoSr. Scientist, Information Security
Verizon Communications / BBN Technologies
BBN TechnologiesAn Operating Unit of
IPSEC 2000Paris La Defense - France 10/26/2000
![Page 9: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/9.jpg)
9Internet Security - System Analysis & Planning
OutlineOutline Overview: UMTS 3G Wireless Data Networks
Architecture Domains Strata
Analysis: UMTS Vulnerability & Threats
Countermeasures: UMTS Security Architecture & Mechanisms
Proposal: Possible Use of IPsec & IKE in UMTS Security <ignored >
![Page 10: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/10.jpg)
10Internet Security - System Analysis & Planning
GPRS / UMTS System ArchitectureGPRS / UMTS System Architecture
MSC
EIR
MESIM
AuC
HLR VLR
BSC
BSC
BTS
BTS
BTS
BTS
PSTN / ISDNPSPDN / CSPDN
MESIM
MESIM
MESIM
MSC
Access Netw orkDomain
Core Netw orkDomain
Serving Netw orkDomain
Transit Netw orkDomain
User EquipmentDomain
InfrastructureDomain
MobileEquipment
DomainUSIM
Domain
Home Netw orkDomain
![Page 11: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/11.jpg)
11Internet Security - System Analysis & Planning
UMTS Domain HierarchyUMTS Domain Hierarchy
Access Netw orkDomain
Serving Netw orkDomain
Transit Netw orkDomain
User EquipmentDomain
InfrastructureDomain
MobileEquipment
Domain
USIMDomain
Home/Remote Netw orkDomain
ME USIM
MT SNAN HN / RN
HE / TE
TN
Cu Uu Iu [Yu] [Zu]
SN
User Apps Provider Apps
Domain – a high-level group of UMTS entities; reference points (interfaces) are defined between domains
![Page 12: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/12.jpg)
12Internet Security - System Analysis & Planning
UMTS MT-HN StrataUMTS MT-HN Strata
Home StratumService Stratum
Transport StratumAccess Stratum
Access Netw orkDomain
Serving Netw orkDomain
Transit Netw orkDomain
User EquipmentDomain
InfrastructureDomain
MobileEquipment
Domain
USIMDomain
Home/Remote Netw orkDomain
ME USIM
MT SNAN HN / RN
HE / TE
TN
Cu Uu Iu [Yu] [Zu]
SN
User Apps Provider Apps
Stratum – a group of UMTS protocols that are relevant to one aspect of the services provided by one or more domains
![Page 13: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/13.jpg)
13Internet Security - System Analysis & Planning
UMTS MT-RN StrataUMTS MT-RN Strata
Service Stratum
Transport StratumAccess Stratum
Application Stratum
Access Netw orkDomain
Serving Netw orkDomain
Transit Netw orkDomain
User EquipmentDomain
InfrastructureDomain
MobileEquipment
Domain
USIMDomain
Home/Remote Netw orkDomain
ME USIM
MT SNAN HN / RN
HE / TE
TN
Cu Uu Iu [Yu] [Zu]
SN
User Apps Provider Apps
Stratum – a group of UMTS protocols that are relevant to one aspect of the services provided by one or more domains
![Page 14: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/14.jpg)
14Internet Security - System Analysis & Planning
OutlineOutline Overview: 3G Wireless Data Networks
Analysis: UMTS Security Security Threats Security Architecture Security Features/Services
Network Access Security Network Domain Security User Domain Security Application Domain Security
Security Mechanisms Mobile User Identity Allocation Entity Authentication & Key Agreement User Traffic Confidentiality Network Domain Security
Proposal: Possible Use of IPsec & IKE in UMTS Security
![Page 15: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/15.jpg)
15Internet Security - System Analysis & Planning
3G Security: Threats 3G Security: Threats BasicThreats
Confidentiality Violation
Integrity Violation
Denial of Services
Illegitimate Uses
Repudiation
EnablingThreats
Eavesdropping, User Traffic
Alteration,User Traffic
Intervention,Physical
Masquerading,User
Repudiation,Charge
Eavesdropping, Signal & Control
Alteration,Signal & Control
Intervention,Protocols
Masquerading,Service Net
Repudiation,Traffic Origin
Masquerading,User
Alteration,ME Download
Masquerading,Net Elements
Masquerading,Home Environment
Repudiation,Traffic Delivery
Masquerading,Net Elements
Alteration,USIM Download
Privilege Misuse Privilege Misuse,User
Traffic Analysis, Passive
Alteration,System Data
Service Abuse Privilege Misuse,Service Net
Traffic Analysis, Active
Masquerading,Net Elements
Stealing,Terminals
Unauthorized Access, System Data
Masquerading, Download Origins
Information Leakage User Location
Source: 3G Security; Security Threats & Requirements [3G TS 21.133]
![Page 16: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/16.jpg)
16Internet Security - System Analysis & Planning3G Security : Threats, Radio 3G Security : Threats, Radio InterfaceInterface
BasicThreats
Confidentiality Violation
Integrity Violation
Denial of Services
Illegitimate Uses
Repudiation
EnablingThreats
Eavesdropping, User Traffic
Alteration,User Traffic
Intervention,Physical
Masquerading,User
Repudiation,Charge
Eavesdropping, Signal & Control
Alteration,Signal & Control
Intervention,Protocols
Masquerading,Service Net
Repudiation,Traffic Origin
Masquerading,User
Alteration,ME Download
Masquerading,Net Elements
Masquerading,Home Environment
Repudiation,Traffic Delivery
Masquerading,Net Elements
Alteration,USIM Download
Privilege Misuse Privilege Misuse,User
Traffic Analysis, Passive
Alteration,System Data
Service Abuse Privilege Misuse,Service Net
Traffic Analysis, Active
Masquerading,Net Elements
Stealing,Terminals
Unauthorized Access, System Data
Masquerading, Download Origins
Information Leakage User Location
Relevant Threads Significant Threads
Major Threads Radio Eavesdropping & Traffic Analysis
User & Net Element Masquerading
![Page 17: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/17.jpg)
17Internet Security - System Analysis & Planning3G Security : Threats, ME-USIM 3G Security : Threats, ME-USIM InterfaceInterfaceBasicThreats
Confidentiality Violation
Integrity Violation
Denial of Services
Illegitimate Uses
Repudiation
EnablingThreats
Eavesdropping, (USIM) User Traffic
Alteration, (USIM) User Traffic
Intervention,Physical
Masquerading, User (Stolen ME & USIM)
Repudiation,Charge
Eavesdropping, (USIM) Signal & Control
Alteration, (USIM) Signal & Control
Intervention,Protocols
Masquerading,Service Net
Repudiation,Traffic Origin
Masquerading,User (ME/USIM)
Alteration,ME Download
Masquerading,Net Elements
Masquerading,Home Environment
Repudiation,Traffic Delivery
Masquerading,Net Elements
Alteration,USIM Download
Privilege Misuse Privilege Misuse, (Borrowed USIM)
Traffic Analysis, Passive
Alteration,System Data (ME)
Service Abuse Privilege Misuse, Service Net
Traffic Analysis, Active
Masquerading,Net Elements
Stealing,Terminals (ME)
Unauthorized Access, System Data (USIM)
Masquerading, Download Origins
Information Leakage, User Location
Relevant Threads Significant Threads
Major Threads ME/USIM Masquerading ME/USIM Data Alteration & Access ME/USIM Download Alteration &
Eavesdropping
![Page 18: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/18.jpg)
18Internet Security - System Analysis & Planning3G Security : Threats, General 3G Security : Threats, General SystemSystem
BasicThreats
Confidentiality Violation
Integrity Violation
Denial of Services
Illegitimate Uses
Repudiation
EnablingThreats
Eavesdropping, User Traffic
Alteration,User Traffic
Intervention,Physical
Masquerading,User
Repudiation,Charge
Eavesdropping, Signal & Control
Alteration,Signal & Control
Intervention,Protocols
Masquerading,Service Net
Repudiation,Traffic Origin
Masquerading,User
Alteration,ME Download
Masquerading,Net Elements
Masquerading,Home Environment
Repudiation,Traffic Delivery
Masquerading,Net Elements
Alteration,USIM Download
Privilege Misuse Privilege Misuse,User
Traffic Analysis, Passive
Alteration,System Data
Service Abuse,Emergency Service
Privilege Misuse,Service Net
Traffic Analysis, Active
Masquerading,Net Elements
Stealing,Terminals
Unauthorized Access, System Data
Masquerading, Download Origins
Information Leakage User Location Relevant Threads Significant
ThreadsMajor Threads Privilege Misuse
Network Element Masquerading Wired Link Eavesdropping
![Page 19: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/19.jpg)
19Internet Security - System Analysis & Planning
UMTS Security ArchitectureUMTS Security Architecture
Service Stratum
Transport StratumAccess Stratum
Application Stratum
Access Netw orkDomain
Serving Netw orkDomain
Transit Netw orkDomain
User EquipmentDomain
InfrastructureDomain
MobileEquipment
Domain
USIMDomain
Home/Remote Netw orkDomain
ME USIM
MT SNAN HN / RN
HE / TE
TN
Cu Uu Iu [Yu] [Zu]
SN
User Apps Provider Apps
Network Access Security
Network Domain Security
User Domain Security
Application Domain Security
User Domain Security – protection against attacks on ME - USIM/USIM interfaces
Network Access Security – protection against attacks on radio (access) links Network Domain Security – protection against attacks on wired network
infrastructure Application Domain Security – protection on user &
provider application exchanges Security Management – monitoring & managing user - provider security
features
![Page 20: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/20.jpg)
20Internet Security - System Analysis & PlanningNetwork Access Security, Network Access Security, SafeguardsSafeguardsUser Identity ConfidentialityServicesServices Identity Confidentiality Location Confidentiality Intractability
MechanismsMechanisms Temporary Visiting Identity Encrypted Permanent Identity Encrypted Signal / Control Data
Entity AuthenticationServicesServices
Authentication Mechanism Agreement
User Authentication Network Element Authentication
MechanismsMechanisms HE-SN Authentication & Key
Agreement Local Authentication
Data ConfidentialityServicesServices
Cipher Algorithm Agreement Cipher Key Agreement User Data Confidentiality Signal / Control Data Confidentiality
Data IntegrityServicesServices
Integrity Algorithm Agreement Integrity Key Agreement Signal / Control Data Integrity Signal / Control Data Origin
Authentication
![Page 21: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/21.jpg)
21Internet Security - System Analysis & PlanningNetwork Domain Security, Network Domain Security, SafeguardsSafeguards
Entity AuthenticationServicesServices
Mechanism Agreement Network Element Authentication
MechanismMechanism Explicit Symmetric Key
Authentication
Data ConfidentialityServicesServices
Cipher Algorithm Agreement Cipher Key Agreement Signal / Control Data Confidentiality
Data IntegrityServicesServices
Integrity Algorithm Agreement Integrity Key Agreement Signal / Control Data Integrity Signal / Control Data Origin
Authentication
![Page 22: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/22.jpg)
22Internet Security - System Analysis & Planning
User Domain Security, SafeguardsUser Domain Security, SafeguardsUser - USIM AuthenticationServicesServicesPIN-based Authentication
USIM - ME AuthenticationServicesServices
Shared Secret Authentication
![Page 23: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/23.jpg)
23Internet Security - System Analysis & PlanningApplication Domain Security, Application Domain Security, SafeguardsSafeguards
Secure USIM Download & MessagingServicesServices Application Identity Authentication Application Data Confidentiality Application Data Origin Authentication Application Data Integrity Application Exchange Sequence Integrity Application Exchange Replay Protection Application Data Non-repudiation
IP Security[TBD][TBD]
User Traffic ConfidentialityServiceService
End-to-End Data Confidentiality
User Profile Confidentiality[TBD][TBD]
![Page 24: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/24.jpg)
24Internet Security - System Analysis & Planning* * Mobile User Identity (MUI) Mobile User Identity (MUI) ExchangesExchanges
Temporary MUI (TMUI) Allocation
Permanent MUI (IMUI) Identification
Similar to Mobile IP Registration
Source: UMTS Security Architecture [3G TS 33.102]
![Page 25: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/25.jpg)
25Internet Security - System Analysis & PlanningEntity Authentication & Key Entity Authentication & Key AgreementAgreement
ParametersAuthentication Vector
AV(i) := RAND(i)||XRES(i)||CK(i)||IK(i)||AUTN(i)
AUTN,CK,IK,XRES derived from RAND,SQN,AMF
Authentication Data RequestAuthen_Req := IMUI || HLR_MSG
Authentication Data RequestAuthen_Res := [IMUI] || AV(1..n)
CommentsAuthentication is conducted between
HE/AuC & MS/USIMHE is authentication & key distribution
centerSN/VLR is trusted mediator If HE is off-line then MS-SN
authenticate using shared integrity key & protect their traffic using old (CK,IK)
![Page 26: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/26.jpg)
26Internet Security - System Analysis & Planning
User Traffic ConfidentialityUser Traffic ConfidentialityKey Management
Cipher Key (Ks) Initialization Vector (IV)
Cipher Algorithms Synchronous Stream Cipher
Data stream XOR with key stream
Synchronization controlled by IV
Issues Encryption synchronization
mechanism TFO voice protection
adaptation Data traffic protection
adaptation Encryption termination at net
gateways Encryption management
![Page 27: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/27.jpg)
27Internet Security - System Analysis & Planning
Network Domain SecurityNetwork Domain SecuritySimilar to Multi-Realm Kerberos
Layer I Symmetric Session Key
Negotiation using PK technology
Layer II Session Key Distribution
within each Operator
Layer III Secure communication
between Elements of different Operators
![Page 28: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/28.jpg)
28Internet Security - System Analysis & Planning
BibliographyBibliography3rd Generation Partnership Project, Technical Specification Group (TSG) SA
3G TS 21.133 - 3G Security; Security Threats & Requirements
3G TS 21.120 - 3G Security; Security Principles & Objectives
3G TS 33.105 - 3G Security; Cryptographic Algorithm Requirements
3G TS 33.102 - UMTS; 3G Security; Security Architecture
3G TS 23.101 - UMTS; General UMTS Architecture
GSM Documents GS 02.60 – GPRS; Service Description; Stage 1
GS 03.60 – GPRS; Service Description; Stage 2
GS 02.09 – Security Aspects
GS 03.20 – Security Related Network Functions
Source: http://www.etsi.org/
![Page 29: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/29.jpg)
Assignment I :Assignment I :Security System Analysis & PlanningSecurity System Analysis & Planning
Internet Security: Principles & Practices
John K. Zao, PhD SMIEEENational Chiao-Tung University
Fall 2005
![Page 30: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/30.jpg)
30Internet Security - System Analysis & Planning
System: Campus NetworkSystem: Campus Network
Adm
inis
trato
r Subnet
ServerHost
Host
Host
Host
Router
Switch
Off
icer
Subnet
Server
Host
Host
Host
Host
Student SubnetServer
Host HostHost HostModem Bank
Switch
Dial-in Subnet
Teaching Subnet
Server
Host HostHost Host
Server
HostHost HostHost
Research Subnet
Router
Router
Router
To Public Internet
![Page 31: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/31.jpg)
31Internet Security - System Analysis & Planning
Asset EvaluationAsset EvaluationImportant Users Officers Students
Important Assets Management
Records Research
Records Teaching
Records
Adm
inis
trato
r Subnet
ServerHost
Host
Host
Host
Router
Switch
Off
icer
Subnet
Server
Host
Host
Host
Host
Student SubnetServer
Host HostHost HostModem Bank
Switch
Dial-in Subnet
Teaching Subnet
Server
Host HostHost Host
Server
HostHost HostHost
Research Subnet
Router
Router
Router
To Public Internet
![Page 32: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/32.jpg)
32Internet Security - System Analysis & Planning
Threat AnalysisThreat Analysis
For every subnet: Identify nature of specific threats towards each networking resource & application Evaluate severity of threats towards individual resource & application
Officer SubnetOfficer Subnet
![Page 33: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/33.jpg)
33Internet Security - System Analysis & Planning
Service PlanningService Planning
Perimeter Defense Firewalls Site-to-Site VPN Remote Access VPN IRS Gateway
Host/Server Defense
Configuration Manager
Security Patches Anti-Virus Scanner Anti-Spam Program Spyware Blockers
Adm
inis
trato
r Subnet
ServerHost
Host
Host
Host
Router
Switch
Off
icer
Subnet
Server
Host
Host
Host
Host
Student SubnetServer
Host HostHost HostModem Bank
Switch
Dial-in Subnet
Teaching Subnet
Server
Host HostHost Host
Server
HostHost HostHost
Research Subnet
Router
Router
Router
To Public Internet
![Page 34: Roles of IPsec](https://reader034.fdocuments.us/reader034/viewer/2022050804/548136945806b5e3108b4648/html5/thumbnails/34.jpg)
34Internet Security - System Analysis & Planning
Assignment WorkAssignment Work
Vulnerability Analysis [50%] Service Planning [50%] Architecture Recommendation [20%, optional]