Secure Sockets Layer (SSL)
This week was a bit short as it is our last week, but we did cover a couple of new topics. SSL is used to enhance TCP with security services: confidentiality (encryption), data integrity (detecting any modification in transit), and end-point authentication (verifying who you are talking to, normally the server via its certificate, optionally the client as well). Although it technically resides in the application layer, SSL is often considered part of the transport layer because applications use it the way they would use a TCP socket. SSL does not change TCP's own three-way handshake; it runs its own handshake on top of the established TCP connection, in which the two sides agree on algorithms, the client checks the server's certificate, and both derive a shared master secret. From that master secret come four session keys: an encryption key and a MAC key for the client-to-server direction, and another encryption key and MAC key for the server-to-client direction. Both hosts derive all four keys (each uses its own pair to send and the peer's pair to decrypt and verify what it receives). SSL also keeps its own per-direction sequence numbers, which are not transmitted in the data records themselves but are included in the MAC computation, so a replayed, reordered or dropped record fails the integrity check even though the attacker never sees the counter. (SSL itself is deprecated; its successor TLS keeps the same design, feeding the record sequence number into the nonce and additional data of an authenticated cipher.)
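To make the four-key and hidden-sequence-number points concrete, here is an added example (my own illustration, not code from the course or from any SSL library). It assumes the handshake has already produced a master secret and stands in a toy XOR keystream for the real cipher, an HMAC-SHA256 label expansion for the key-block PRF, and record format seq-in-MAC-only exactly as described above; the names derive_keys, Endpoint, protect, unprotect and demo are mine.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def derive_keys(master_secret: bytes) -> dict:
    """Expand the handshake's master secret into the four session keys.

    Assumption: HMAC-SHA256 over a fixed label stands in for SSL's key-block
    PRF. Both endpoints call this, so both hold all four keys.
    """
    labels = ("client_enc", "client_mac", "server_enc", "server_mac")
    return {label: hmac.new(master_secret, label.encode(), hashlib.sha256).digest()
            for label in labels}


def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """Toy stream cipher (illustration only, not a real cipher):
    XOR with SHA-256(key || seq || block counter). Mixing the sequence
    number in means no keystream byte is reused across records."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + seq.to_bytes(8, "big")
                               + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Endpoint:
    """One side of the connection: its own send keys, the peer's keys for receiving,
    and one sequence counter per direction. Counters are never transmitted."""

    def __init__(self, keys: dict, role: str):
        peer = "server" if role == "client" else "client"
        self.send_enc, self.send_mac = keys[f"{role}_enc"], keys[f"{role}_mac"]
        self.recv_enc, self.recv_mac = keys[f"{peer}_enc"], keys[f"{peer}_mac"]
        self.send_seq = 0
        self.recv_seq = 0

    def protect(self, plaintext: bytes) -> bytes:
        seq = self.send_seq.to_bytes(8, "big")
        tag = hmac.new(self.send_mac, seq + plaintext, hashlib.sha256).digest()
        record = keystream_xor(self.send_enc, self.send_seq, plaintext + tag)
        self.send_seq += 1
        return record  # note: seq is not part of the record on the wire

    def unprotect(self, record: bytes) -> bytes:
        if len(record) < TAG_LEN:
            raise ValueError("record too short")
        plain = keystream_xor(self.recv_enc, self.recv_seq, record)
        data, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
        seq = self.recv_seq.to_bytes(8, "big")
        expected = hmac.new(self.recv_mac, seq + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Real SSL/TLS sends a fatal alert and closes the connection here.
            raise ValueError("MAC check failed (tampered, replayed or reordered record)")
        self.recv_seq += 1
        return data


def demo() -> dict:
    master = os.urandom(32)  # constructed; in SSL this comes out of the handshake
    keys = derive_keys(master)
    client, server = Endpoint(keys, "client"), Endpoint(keys, "server")
    r0 = client.protect(b"GET / HTTP/1.1")
    r1 = client.protect(b"Host: example.com")
    results = {"first": server.unprotect(r0), "second": server.unprotect(r1)}
    try:  # replay r0: identical bytes, but the server now expects seq 2
        server.unprotect(r0)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    r2 = client.protect(b"DELETE /x")
    tampered = bytes([r2[0] ^ 0x01]) + r2[1:]  # flip one ciphertext bit
    try:
        server.unprotect(tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    # The reverse direction uses the server's pair of keys and its own counter.
    results["reply"] = client.unprotect(server.protect(b"HTTP/1.1 200 OK"))
    return results


if __name__ == "__main__":
    print(demo())
```

The replayed record is byte-for-byte what the client legitimately sent, yet it is rejected: the receiver's counter has moved on, so the MAC it recomputes no longer matches. Real TLS gets the same property from an AEAD cipher whose nonce and additional data include the sequence number.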
The last thing I want to go over is firewalls. Firewalls have three goals: all traffic in each direction passes through them, only authorized traffic (as defined by the local security policy) is allowed through, and the firewall itself is immune to penetration or compromise. A traditional (stateless) packet filter makes its decision on each packet in isolation, based on source or destination IP address and/or port, protocol type (TCP, UDP, ICMP), TCP flag bits, ICMP message type, or other custom rules; it has no memory of earlier packets. Two examples: drop all outgoing packets to port 80 to deny outside web access, or drop all incoming TCP segments with the ACK bit set to 0 (that is, the initial SYN of a connection) so that external clients cannot open connections to internal servers, while internal clients can still connect out because every segment after the first in their connections has ACK set. The weakness of that ACK rule is that an attacker can simply send inbound packets with ACK=1 that belong to no connection at all, and a stateless filter will pass them. Stateful packet filters fix this by tracking currently active connections in a connection table (an entry is added when an allowed outbound SYN goes through) and only passing inbound packets that belong to a tracked connection.
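As an added example (mine, not from the course or any real firewall), here is a small stateless filter with the two rules above, next to a stateful filter that keeps a connection table, run over a handful of constructed packets. The assumed policy is: internal clients may connect out over TCP except to port 80, nothing may be initiated from outside, and the default is drop; the Packet, Rule, StatefulFilter and demo names and the 10.0.0.5 / 198.51.100.7 / 203.0.113.9 addresses are mine.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (from the internet) or "out" (from the internal net)
    proto: str            # "tcp", "udp", "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """A stateless rule: a field left as None matches anything. First match wins."""
    action: str                      # "allow" or "drop"
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.direction, p.direction), (self.proto, p.proto),
            (self.dst_port, p.dst_port), (self.ack, p.ack)))


# Constructed policy mirroring the notes. Anything unmatched is dropped.
RULES = [
    Rule("drop", direction="out", proto="tcp", dst_port=80),   # no outside web access
    Rule("drop", direction="in", proto="tcp", ack=False),      # no externally initiated TCP
    Rule("allow", direction="out", proto="tcp"),               # internal clients may connect out
    Rule("allow", direction="in", proto="tcp", ack=True),      # replies to those connections
]


def stateless_decide(rules, p: Packet) -> str:
    """Classic packet filter: look at this packet only."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"


class StatefulFilter:
    """Same rules for outbound traffic, plus a table of connections we opened."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (src_ip, src_port, dst_ip, dst_port) of allowed outbound SYNs

    def decide(self, p: Packet) -> str:
        if p.proto != "tcp":
            return stateless_decide(self.rules, p)
        if p.direction == "in":
            # Inbound must belong to a tracked connection; ACK=1 alone proves nothing.
            reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            return "allow" if reverse in self.table else "drop"
        action = stateless_decide(self.rules, p)
        if action == "allow" and p.syn and not p.ack:
            self.table.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return action


def demo() -> dict:
    """Run constructed packets through both filters; returns {name: (stateless, stateful)}."""
    internal, web, attacker = "10.0.0.5", "198.51.100.7", "203.0.113.9"  # constructed
    packets = {
        "out_http_syn":    Packet("out", "tcp", internal, 40000, web, 80, syn=True),
        "out_https_syn":   Packet("out", "tcp", internal, 40001, web, 443, syn=True),
        "in_https_synack": Packet("in", "tcp", web, 443, internal, 40001, syn=True, ack=True),
        "in_ssh_syn":      Packet("in", "tcp", attacker, 4444, internal, 22, syn=True),
        "in_ssh_ack_only": Packet("in", "tcp", attacker, 4444, internal, 22, ack=True),
    }
    stateful = StatefulFilter(RULES)
    # Order matters: the outbound SYN must be seen before its SYN/ACK reply.
    return {name: (stateless_decide(RULES, p), stateful.decide(p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} stateless={decision[0]:5s} stateful={decision[1]}")
```

The last packet is the interesting one: an ACK-only segment aimed at an internal SSH port with no connection behind it. The stateless filter allows it because the ACK bit is set; the stateful filter drops it because nothing in its table matches. A production filter would also remove table entries on FIN/RST or timeout, which this illustration leaves out.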
Firewalls alone are not enough to secure a network. For finer-grained control, packet filters can be combined with application gateways. These are application-specific, so a different gateway is needed for every application (one for telnet, one for HTTP, and so on). Because the gateway terminates the connection and sees the application data, it can make policy decisions on content and on the user rather than just on headers, such as preventing a certain host or user from using telnet to reach the outside, while the packet filter is configured to let only the gateway's traffic through. Finally, intrusion detection systems (IDS) can be used for deep packet inspection, examining payloads and not just headers. Signature-based systems compare each packet (or reassembled stream) against tens of thousands of signatures and raise an alert when one matches; they can only catch attacks for which someone has already written a signature. Anomaly-based systems look for unusual traffic activity, such as a flood of ICMP packets, which can catch new attacks but also flags legitimate traffic at times (false positives). Most IDS are signature-based but may include some anomaly-based features.