四川大学计算机网络课件 Chapter8.pptVIP

* * * * * * * * * Network Security Limitations of firewalls, gateways IP spoofing: router can’t know if data “really” comes from claimed source if multiple app’s. need special treatment, each has own app. gateway client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser filters often use all or nothing policy for UDP tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks Network Security Intrusion detection systems packet filtering: operates on TCP/IP headers only no correlation check among sessions IDS: intrusion detection system deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) examine correlation among multiple packets port scanning network mapping DoS attack Network Security Web server FTP server DNS server Internet demilitarized zone firewall IDS sensors Intrusion detection systems multiple IDSs: different types of checking at different locations internal network Network Security Network Security (summary) basic techniques…... cryptography (symmetric and public) message integrity end-point authentication …. used in many different security scenarios secure email secure transport (SSL) IP sec 802.11 operational security: firewalls and IDS * * * * * * * * * * * * * * * * * * * * * * * * * * * * Network Security Inside the enchilada: ESP trailer: Padding for block ciphers ESP header: SPI, so receiving entity knows what to do Sequence number, to thwart replay attacks MAC in ESP auth field is created with shared secret key new IPheader ESP hdr originalIP hdr Original IP datagram payload ESP trl ESP auth encrypted “enchilada” authenticated padding padlength nextheader SPI Seq # Network Security IPsec sequence numbers for new SA, sender initializes seq. # to 0 each time datagram is sent on SA: sender increments seq # counter places value in seq # field goal: p