One example of this: host A is maybe my computer at home, for example, or even in the office, but say the computer at home, connecting via Wi-Fi to my local network. Router X is the router that connects my home to the internet via my Internet service provider. This internet link here, even though it's small, represents everyone in the world, all the other networks. Let's say router Y is the router of the server that I'm trying to contact, host B. So we're looking at how do we keep our data confidential across the entire path. We saw that application security, or application layer level security, provides end-to-end security, and similarly with transport layer security it's end-to-end. Then we arrived at network level security. It can be end-to-end, but we said that the problem is that it usually requires configuration of the operating system to make it work; it's a little bit harder to set up. But we said that IPsec is commonly used in tunneling mode, or network level security in tunneling mode. So let's explain that: first explain this example and then see how it works. So again, let's say that router Y and host B are inside SIT and I'm at home, and I want to access the SIT network as if I'm inside SIT using the network, but doing it from home. I want to access the SIT network, but I don't want other people to be able to intercept the data when I access that network. So we need some form of security.
So one way we could set it up is that on my computer at home I set up IPsec in a mode that allows it to create a secure connection to the SIT router, router Y. Using IPsec (there are other technologies as well, but in this case using IPsec), what that does is, when I send data, IPsec at this point will do the encryption and the authentication techniques to ensure that across the red path the data is protected. But when I want to send to host B, what my computer does is say: I want to access the website on host B. Host B is inside SIT, host A is at home, but I want to access that website as if I'm accessing it from inside SIT. So if IPsec has been set up correctly, what happens is that I access host B using its address, and I would create a packet; my application would create a packet with some data to send to host B. If we looked at the details of the source IP address and the destination IP address, the source is my host, host A, and the destination is host B. So I'm sending from A to B. I've summarized the source and destination here: an IP datagram is created, source A, destination B. But what IPsec does in this setup is that it takes that IP datagram and puts it inside another IP datagram, and this is the process of tunneling. It puts it inside another IP datagram, which looks like the one down the bottom here. It's the original one, but it really attaches another header that says the source is A, it's still coming from A, but the destination is router Y. And how does IPsec know to send to router Y? Because it was set up.
We said there must be some configuration of IPsec to say the other endpoint is router Y. So it puts the original IP datagram inside another one, creating a tunneled datagram, and the inner one is encrypted. So that provides our protection of the data: IPsec not only attaches that extra header, but encrypts everything inside. So what happens then? This datagram is sent from my host and it will be delivered to router Y, because it will be sent via my Wi-Fi, the Ethernet, it will get to my router X, and it will be sent across the internet using the normal IP routing. The destination is Y, therefore the internet will deliver that datagram to router Y, and router Y will receive that. Anyone between host A and router Y, if they intercept that datagram, they know it's from A, they know it is to Y, but they don't know what's inside because it's encrypted. So they cannot see the data that I'm sending to the server. It's delivered to router Y because the destination was Y, and then IPsec configured on router Y realizes: okay, this is a special packet. It's delivered to Y, but it's an IPsec packet, so what the router at Y does is that it removes the outer header, decrypts the inner part, and we're left with the original IP datagram, which says from A to B, send this data. Router Y then delivers that datagram here, of course, to B, the destination. So the original datagram that the application at host A created, A to B with the data, is eventually delivered to host B and received and processed. So the data is encrypted just from host A to router Y. It's not across this last segment, but that may be okay, because this last segment, let's say, is inside SIT and I know no one can intercept that across that Ethernet segment inside SIT. So I may trust that. What I may be more concerned about is that the people on the internet cannot intercept and view my data; that's what I want to stop. So that works in that case. Why this as opposed to end-to-end encryption?
Why not this? Well, if we want to use IPsec for end-to-end security in this case, we need to set up those two entities that use IPsec. So in this case I need to set up my host, host A, my computer, and the host inside SIT to use IPsec. That requires some configuration. And if I wanted to connect to a different host inside SIT, host C, I would need to configure that one as well. And if I wanted to connect to any of the 100 different hosts inside SIT, C, D, E, F, many others, I'd need to configure them separately. But in this tunneling mode, what I do, or what the computer center does, is they configure the router for SIT to use IPsec. They just set up one device, and it allows us from, say, our home computer (which we still need to configure) to access securely to there, and the hosts inside SIT don't need to be set up to support the security. That makes the management of the network much simpler. We don't need to do anything special to all the computers inside SIT, just the one router we need to set up, the compromise being that we don't have security between those internal hosts and that router, but that's often not a problem. So that's an alternative for using network level security. This process of putting one IP datagram inside another: so this A to B with data is an IP datagram, where A to B means the header containing the source and destination IP addresses. Then we put that inside another datagram where the data is the original packet, encrypted, and the header says it's now from A to Y. This is called tunneling. Tunneling is usually putting a packet from one protocol inside the same protocol, or even in a higher level protocol. Normally when we create a packet, say an application level packet, we put it inside a lower layer protocol packet when we send it. We put the HTTP message inside a TCP packet.
We put the TCP packet inside an IP datagram. That's the normal procedure. Tunneling in this case involves putting a network layer packet, an IP packet, inside another network layer packet, another IP packet, and it's commonly used for this security purpose. So that allows me to connect securely from, say, my home computer to all the computers inside SIT with minimal setup inside SIT. A further extension of that one is: okay, at home I have multiple computers, my phone, my laptop, my PC. Rather than having to set up all the hosts inside my home to use IPsec, set up my own router to do it. Set up my router at home, router X, to support IPsec and create a tunnel through to the router inside SIT, router Y. No setup of the hosts inside SIT, no special setup of the hosts at home; only the two devices, the two routers, need to be set up to support this security feature. The result is that host A creates a normal IP datagram, destination B. Nothing is encrypted. It's sent normally across the Wi-Fi, across my local LAN, to my router, but then my router is the start point of the tunnel. So it takes that datagram, and IPsec will be set up to realize that anything from A to B, we must take that, encrypt it, put an outer header on it that says let's send this from X to Y across the internet, and that datagram is sent across the internet. Destination Y; it will eventually be delivered to router Y. IPsec will receive it, realize okay, this is an IPsec datagram, remove the outer header, decrypt what's inside, and what we're left with is a packet from A to B with the data. Router Y sends that on to B and we receive it. So, same approach using tunneling. In this case we can support security across the internet for all the hosts on the source network and all the hosts on the destination network. So not just host A but other hosts here, it will also work. Of course, nothing's protected across the internal networks.
There's no encryption here, so we must trust that portion of the network. We only have encryption across the internet, which is usually what we're looking for if we trust our home internal network but we don't trust the external networks. This is called a virtual private network: effectively from our, say, home network to the internal SIT network across the internet. The internet is a public network. Many people use it; it's not just for one organization. It's a public network, but we don't want others to see our data. We want our data to be private, so we want a private network to connect from router X to Y. We can't afford to build our own private network between those two routers, so we have a virtual one, where really what we do is we just encrypt the data between those two points. So we call that a virtual private network, a VPN. This one's also considered a virtual private network, a VPN. Any questions on this use of IPsec, or generally network layer security, for virtual private networks? Which one's better? Of all the solutions we've seen for security, application, transport, network, which one's better? Which one are you going to use? Right, there's no answer. What I want you to be aware of is the different trade-offs, the advantages and disadvantages of each, so you choose the solution based upon your requirements. So let's go back and summarize those differences. So with respect to a virtual private network, the approach of using IPsec here to create not end-to-end security but just security over a segment of the path: this is using the concept called tunneling, where we put packets from one layer inside packets usually of the same layer or even a higher layer. So we put an IP packet inside another IP packet. We don't normally do that; that's what we do with tunneling, or specifically we put an IP packet inside an IPsec packet. With tunneling there are other ways; IPsec is not the only solution.
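As an added worked example, not part of the lecture, here is the router-to-router tunnel just described modelled in Go: router X wraps the whole A-to-B datagram, header included, inside an X-to-Y datagram whose payload is encrypted and integrity-protected, and router Y checks the packet is for its tunnel, unwraps it and hands the original datagram back for normal forwarding to B. Assumptions: AES-GCM stands in for IPsec ESP's cipher and integrity check, addresses are IPv4, the shared key was configured on both routers by hand, and key exchange (IKE) and ESP's anti-replay sequence numbers are left out; all addresses and the key are constructed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"net"
)
type Datagram struct { // cut-down IPv4 datagram: just the source, destination and data the lecture tracks
	Src, Dst net.IP
	Payload  []byte
}
func hdr(src, dst net.IP) []byte { return append(append([]byte{}, src.To4()...), dst.To4()...) } // 4-byte src || 4-byte dst
// Tunnel is one tunnel-mode security association between two gateways (router X and router Y). Constructed
// model: AES-GCM stands in for ESP's cipher and integrity check; the key is assumed preconfigured on both ends.
type Tunnel struct {
	Local, Peer net.IP
	aead        cipher.AEAD
}
func NewTunnel(local, peer net.IP, key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	return &Tunnel{Local: local, Peer: peer, aead: aead}, err
}
// Encapsulate puts the whole inner datagram, header included, inside an outer datagram addressed
// gateway-to-gateway; only the outer addresses stay readable, and they are bound into the auth tag as AAD.
func (t *Tunnel) Encapsulate(inner Datagram) (Datagram, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Datagram{}, err }
	inside := append(hdr(inner.Src, inner.Dst), inner.Payload...)
	sealed := t.aead.Seal(nonce, nonce, inside, hdr(t.Local, t.Peer)) // nonce || ciphertext || tag
	return Datagram{Src: t.Local, Dst: t.Peer, Payload: sealed}, nil
}
// Decapsulate is router Y's side: accept only packets for this tunnel, verify and decrypt them, and hand
// back the original datagram so it can be forwarded normally to its real destination.
func (t *Tunnel) Decapsulate(outer Datagram) (Datagram, error) {
	ns := t.aead.NonceSize()
	if !outer.Dst.Equal(t.Local) || !outer.Src.Equal(t.Peer) || len(outer.Payload) < ns {
		return Datagram{}, fmt.Errorf("not a packet for this tunnel")
	}
	pt, err := t.aead.Open(nil, outer.Payload[:ns], outer.Payload[ns:], hdr(outer.Src, outer.Dst))
	if err != nil || len(pt) < 8 { return Datagram{}, fmt.Errorf("integrity check failed: tampered or wrong key") }
	return Datagram{Src: net.IP(pt[:4]), Dst: net.IP(pt[4:8]), Payload: pt[8:]}, nil
}
func main() { // stand-alone demo with constructed addresses and an all-zero preconfigured key
	x, y, key := net.ParseIP("203.0.113.1"), net.ParseIP("198.51.100.1"), make([]byte, 32)
	xy, _ := NewTunnel(x, y, key); yx, _ := NewTunnel(y, x, key) // router X's end, router Y's end
	outer, _ := xy.Encapsulate(Datagram{Src: net.ParseIP("10.0.0.5"), Dst: net.ParseIP("10.1.0.9"), Payload: []byte("hi B")})
	inner, err := yx.Decapsulate(outer)
	fmt.Println(outer.Src, "->", outer.Dst, "carries", inner.Src, "->", inner.Dst, string(inner.Payload), err)
}
```

An intermediary on the internet sees only X, Y and ciphertext; changing the outer addresses, the ciphertext or the key makes Decapsulate fail rather than forward a bad packet onto the SIT network.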
There are others, especially for virtual private networks. There are other technologies called PPTP, the Point-to-Point Tunneling Protocol, and the Layer 2 Tunneling Protocol, L2TP, and there's another one which is slightly different, which uses TLS, called OpenVPN, and there are a few others as well. So IPsec is not the only technology for tunneling. And in most cases, to do tunneling with any of these technologies, it requires some configuration of the devices, the endpoints of the tunnel, where it starts and finishes, and that can be a disadvantage: that is, the user needs to set something up, whereas with application level security and transport level security, usually the user doesn't have to do anything different. But with tunneling we can provide the support and configuration on routers, and therefore it doesn't need to be set up on all the individual hosts. It's done on a router that covers an entire subnet. And we see it doesn't provide end-to-end encryption. We must trust some segments in the path, in this case my home host to the host inside SIT, for example host B. Then I trust the internal SIT wired network; it's hard for someone to get access, they need access to the building to do so. I trust my home wired network; someone has to get inside my home to intercept that. But I don't trust Wi-Fi, usually. You already know how to monitor other people's Wi-Fi traffic.
It's very easy. You can sit outside someone's home and intercept their packets, because wireless is a broadcast medium. So sometimes we want to have extra protection across the wireless link, and that leads to the last approach, link level security. We do the encryption across individual links, and this really only makes sense in practice across wireless links. So an example which you probably have used is that in Wi-Fi, or wireless LAN, there are different encryption techniques that will encrypt your packets across the wireless link only. WPA, Wi-Fi Protected Access, is one common technology; an older one was WEP, and there are a few variations or different versions. So what WPA does, ignoring the other security mechanisms, is that when we send a packet, your Wi-Fi device, the wireless chip inside your laptop or your phone, encrypts it before it sends it across the link, and the access point that receives that wireless packet decrypts it and then sends it on unencrypted across the rest. So link level encryption, or link level security, is only across a single link, and it's commonly used in wireless links because wireless links are much easier for someone to intercept than wired links. Of course it provides no security for the rest of the path, so we can't rely on that. But if we combine this with, say, this approach, then we'd be reasonably secure from host A to host B. I'd have protection across my wireless link; it's easy for somebody to intercept, so having security mechanisms there is important so that they cannot see my data. Across my wired link inside my home or inside SIT, I can trust that to some extent; someone needs physical access to that to intercept. But across the internet,
I want some encryption, because I don't trust all the internet service providers between my home and SIT. So we can combine these different mechanisms to achieve the aims that we want. Link level security is used in other wireless technologies as well: Bluetooth, ZigBee and others have it, and your mobile phones even have forms of link level security. It works for all applications, all transport protocols, all network protocols. Link level security, that's good, but it only works for that link, and of course usually in the internet we have to traverse many different links, so it's not good for end-to-end security. And it requires configuration of both endpoints: if you want to use WPA then you need to set a password in your home access point and inside your device, your mobile phone or laptop, so it requires some manual configuration to work. So that finishes those four different approaches for where we can implement security mechanisms for network or internet security. Application level security: build it into your application. You have control over that as the application developer, but you may have to spend a lot of effort to do that for your application, which is duplicating a lot of effort that others have done. Transport level security: very similar, but use the security mechanisms built into the operating system, into the transport layer. You don't have to develop them yourself as the application developer. Both of them provide end-to-end security. Network level security, IPsec, can be used end-to-end, but it's not so common because it requires manual intervention at both endpoints; it is commonly used for virtual private networks to connect one network securely to another network. And link level security is mainly applicable for wireless networks or wireless links. That finishes this topic. We're not going to cover secure email.
We're going to skip that one, so we've got time to cover one other thing for this course. So some of the trade-offs we saw were: the different approaches make our application simpler or more complex (if we have application level security, we as the application developer must make our application more complex); whether they provide host-to-host or end-to-end encryption or not; and how much support or setup is needed on the user's part in setting up and configuring the devices. There are many different security protocols that we haven't talked about, especially for VPNs. I said IPsec is one, but there are others as well.