A centralized approach to computer network security*
|
|
- Jonas Joseph
- 8 years ago
- Views:
Transcription
1 A centralized approach to computer network security* by FRANK R. HEINRICH and DAVID J. KAUFMAN Sysiem Developmeni Corporaiion Santa Monica, California ABSTRACT This paper presents an approach to network security at the system design level. Some basic network concepts and major network security threats are outlined. The design approach is described and a brief security analysis is presented. The proposed network structure incorporates data protection devices called network cryptographic devices and a special-purpose processor, the network security center, to control access in the network. INTRODUCTION The ever-increasing utilization of computer systems has heightened demand for broader computer service and data management capability. Computer networks are an attempt to meet this demand by organizing many individual computer systems to act as a single, very large system or supracomputer. The distribution of data processing functions among a set of distinct systems decentralizes the control of data storage and processing. In addition, information must be transmitted between computers and is therefore subject to exposure. These factors complicate the problem of providing a high degree of security assurance in computer networks. Additionally, current emphasis on privacy considerations underlines the need for network security. Thus security must be a major factor in network design. This paper presents an approach to network security at the system design level. To provide a basis for discussion of this design, a few basic network concepts are first outlined. Some major network security threats are then presented to provide a context for evaluating the system. Finally, the network structure is described and a brief security analysis presented. The proposed network structure incorporates data protection devices called network cryptographic devices and a special pur- * The work reported in this paper was supported by the U.S. Department of Commerce, National Bureau of Standards contract # pose processor, the Network Security Center, to control access in the network. The design in this paper provides a means for centralizing control in computer networks. When global policies toward network access, data storage and processing can be established, this design is quite appropriate. In some instances, however, it may be difficult to develop such global policies. The management at each network site may decide to maintain greater control over local policy and resist centralization. A second approach to computer network security in which control can be more easily distributed, is presented in a companion paper.1 BASIC NETWORK'CONCEPTS In an intercomputer network, a number of computer systems and terminals are linked. The individual computer systems (hosts) and terminals are called network resources. Interconnection of these resources requires functions performed by both hardware and software, but in this section we consider only the logical arrangement of networking functions rather than associating any particular functions with specific hardware devices. Network resources must be physically interconnected in some manner. That is, facilities must exist to provide data paths between network resources. These facilities, called the communications subnetwork may take many forms. The communication subnet~ work may consist of telecommunications lines, a message switch, or a packet s~nitched network. Regardless of the configuration, however, we will view communications subnetworks as logically equivalent, supplying a means for data to flow from any network resource to any other network resource. Figure 1 illustrates three layers, or levels, of network functionality. Layer 1 is network resources; layer 2 is connection-oriented functions; and layer 3 is the communications subnet. Network resources can be thought of as correspondents, freely exhanging information (i.e., message text) by way of a carrier consisting of the connection-oriented functions and the 85
2 86 National Computer Conference, 1976 NETWORK RESOURCE CONNECTION ORIENTED FUNCTIONS COMMUNICATION SUBNETWORK Message Routing and Delivery NETWORK RESOURCE Figure i-layers of network functionality CONNECTION ORIENTED FUNCTIONS communications subnetwork. The connection-oriented functions at different locations are, in turn, correspondents, exchanging information concerning the state of message pipelines via their carrier, the communications subnetwork. We refer to correspondents as being (logically) above the carriers. The actual content of the communication between correspondents is not of concern to lower layers (the carrier). Within a carrier, control messages may also be exchanged which are of no concern to higher level correspondents. Countering the network security threats discussed in the following section will require introduction of additional network functions. These new functions will not alter the logical relationship between the three layers already presented, but will necessitate the addition of a new functional layer. NETWORK SECURITY THREATS With privacy statutes being enacted, security vulnerabilities are a serious concern. Yet networks present formidable security problems due to the multi-user, multi-resource, multi-system environment. Physical and procedural controls have proven to be particularly inadequate in such geographically distributed systems. Primary security threats to intercomputer networks are: 1. Th'reats to Netwo'rk Communication-Network communications are susceptible to several maj or security threats. Penetrators may tap communication lines or network devices outside of physically secure facilities. Tapping of communications may result in unauthorized exposure of sensitive information or alteration of message text. A penetrator may record legitimate messages and replay them at a later time in order to spoof a network resource. Spoofing could also be accomplished by generation of spurious, but apparently legitimate messages. Misrouting and subsequent misdelivery of messages, either accidentally or maliciously, may result in unauthorized disclosure of sensitive information. 2. Counterfeit Network Resources-Network penetrators may be able to utilize counterfeit network resources. A bogus terminal or host computer may be made to appear as a legitimate source or destination of network messages. Without mutual authentication of network resources, uncontrolled use of the network may be obtained by those who would normally not have access to the network. 3. Forged User Identi/ication-A penetrator may gain network privileges by forging the identity of a valid user. Of course, this same threat applies to a single computer system. In a network, however, a penetrator may capitalize on a domino effect. A penetrator may use a forged identity to compromise a single host with poor security controls. Other network resources may then be compromised if they, in turn, trust the user's identity as established by the compromised host. 4. Unauthorized Access by Legitimate Users-Legitimate network users may gain unauthorized access to host computers, data files, programs, etc. A malicious user may take advantage of unauthorized access to delete or modify data files or programs, or even subvert an entire host computer system. Furthermore, sensitive or private information may be subject to unauthorized browsing. If each of the host computer systems which make up the intercomputer network were secure when operated separately, the security threats of forged user identification and unauthorized access would be eliminated. Separate network countermeasures for these threats would then be unnecessary. Mechanisms might still be included to relieve each host of the operational burden of implementing identification/authentication mechanisms and to provide a single unified network access protocol increasing user convenience when accessing various network sites. However, no secure generalpurpose computer systems exist today. Furthermore, it is doubtful such systems will be widely available for a long time. Thus, network mechanisms must be developed to protect network communications and to avoid increasing compromise threats to hosts because those hosts are linked in a network. SYSTEM DESCRIPTION This section presents a system level design of a secure intercomputer network as illustrated in Figure 2. The design incorporates cryptographic devices which
3 Centralized Approach to Computer Network Security 87 TERMINALS TERMINALS that sense the network appears to the user as a single large system. All messages in the Vser-NSC dialogue are enciphered and deciphered by cryptographic devices attached to the terminal and to the NSC. Each network cryptographic device has the capability of protecting such dialogues with the NSC. Creating a con?ection between V and H requires that a new key be established in the cryptographic devices at V's terminal and at H. When the cryptographic devices begin to use the new key they ca~ c~m~unicate, forming a cryptographic link between V and H. Vser V may then initiate formation of a message pipeline to host H via the connectionoriented functions. This connection authorization protocol is similar to that described by Branstad. 2,3 Figu:l'e 2-System ievel design encipher data (Le., transform data in order to conceal its meaning) and decipher data (Le., reverse the encipher process to render data once again intelligible).2 This transformation is based on a secret parameter called a Key. The cryptographic devices provide an additional layer in the logical structure of the network. The design also incorporates a new network resource called a Network Security Center (NSC), which is based on Branstad's concept of a Network Agency.3 Connections between nehvork resources are permitted only when authorized by the NSC, based on stored access control information. This control is enforced by the network cryptographic devices which will form cryptographic links only when instructed by the NSC. The network shown in Figure 2 contains N ehvork Front Ends (NFEs). An NFE is a processor which implements connection-oriented functions for a set of terminals and hosts. A network, which adheres to the secure design, can be built without NFEs. NFEs do have operational advantages, however, and are being considered for use in many future networks. Thus, we address their role in network security. An example may clarify the functioning of the NSC and network cryptographic devices. A user (V) at a terminal, desires access to a process (P) at a distant host (H). Before being connected with H, the user must carryon a dialogue with the NSC. During this dialogue, V must identify himself and supply additional information, such as a password, to authenticate his identity. V then requests access to host H. The NSC verifies the user's identity. If the user's identity is valid, the access request is checked, otherwise access to H is denied. The NSC uses previously stored access control information to determine if V is permitted access to host H. If the access control information indicates that the access request is legitimate, the NSC will initiate establishment of a logical connection between V and H. The scenario is similar to that of a user attached directly to a host with an access control mechanism. In CRYPTOGRAPHIC DEVICES There are two main types of cryptographic devices utilized in this design. One is the cryptographic device at the NSC called the master cryptographic device. The other type is attached to each of the other network resources and is called the slave encryption device. Slav~ encryption devices can accept new keys from a remote location. If attached to a single terminal, a slave cryptographic device need maintain only one new key. If attached to a host or NFE, a slave cryptographic device must be able to maintain several new keys in order to support each of the multiple logical connections with a distinct key. The master cryptographic device must be able to encipher and decipher messages to and from each of the slave cryptographic devices. The master cryptographic device manages establishment of new keys at the slave cryptographic devices. Both the master and slave cryptographic devices distinguish message headers from message text. Headers must remain in the clear so that the communication subnetwork has sufficient control information to route and deliver messages. Only message text will be enciphered and deciphered. These devices should make use of the National Bureau of Standards (NBS) Data Encryption Algorithm, which has been proposed as a Federal Information Processing Standard. -1 Several characteristics of this algorithm make it well suited for use in network cryptographic devices: 1. The secrecy of the transformation is dependent only on the secrecy of the key, not on the secrecy of the algorithm. 2. The length of the key is 64 bits, eight of which are reserved for parity. Thus there are 2 56 potential keys. The key is not so short as to make exhaustive search techniques feasible, yet not so long as to make distribution to a remote device difficult. 3. The algorithm is block-oriented; that is, data
4 88 National Computer Conference, 1976 is grouped into blocks of 64 bits which may be enciphered and deciphered independently of any other block. As long as the same key is used, position or time ~ynchronization of encryption with decryption is not required. Due to routing and transmission differences, message transit time through a network is somewhat variable. Messages may arrive at a destination in a different order than they were sent Using the NBS Algorithm, cryptographic device~ can be built which do not require position or time synchronization and are independent of the communication subsystem. 4. When enciphering or deciphering, the change of a single bit in either the key or the input text has an unpredictable effect on the output text. This characteristic has two implications. First, the correct key must be known to make use of (Le., decipher) enciphered information. Second, alterations to enciphered text cannot produce predictable changes to the corresponding clear text. 5. Analysis of clear/enciphered text pairs does not aid in code-breaking to determine the key used. Penetrators are forced to use impractical exhaustive search techniques for code-breaking. 6. The NBS algorithm is expected to be available as an LSI package. This will provide a low cost, high speed implementation suitable for use in network cryptographic devices. Network security center The NSC authenticates the identity of network users and authorizes connections between network resources. When an access request is approved, the NSC must generate a random, distinct encryption key to be distributed to the cryptographic devices at both subject and object. In addition, the NSC will keep audit logs of all access requests, both approved and denied, and will issue appropriate alarms when a suspected penetration attempt is detected. The NSC must, therefore, maintain a data base which contains sufficient information to verify (authenticate) the identity of users, and sufficient access control information to determine the legitimacy of access requests (access authorization). This data base will not remain static, but will require timely updating. This updating can be accomplished by a security officer at the NSC or by protocols between the NSC and network hosts. Except for authentication of updates, the issues of NSC data base updating are conventional data management system cost and performance tradeoff's and beyond the scope of concern here. NSC access control information is defined in terms of subjects, objects, and capabilities. A subject is an entity such as a user or a process that can initiate Subjects I I r--0_b.;...je_ct_s_,,..._ /1 The access control information can be represented by a 3-dimensional space. The shaded plane would contain all information concerning user A. Figure 3-Access control matrix access requests. An object is an entity such as a data file, a process, a host computer system or another network resource that can be the target of access requests. Capabilities are the actions which a subject may perform on an object. A good conceptual model for the access control information is a three-dimensional access matrix 5 as illustrated in Figure 3. On one axis of the matrix are subjects; on another axis are the objects, and on the third axis are the capabilities. Entries in the matrix are boolean values, indicating whether a capability is available to a subject for a given object. This model can accommodate objects to any desired degree of granularity; where granularity refers to the relative size of the subject being controlled. For most systems this matrix is rather sparsely populated, with subjects having access to only a few objects. Thus the actual implementation will use some other more compact and logically equivalent data structure. Network front ends A Network Front End (NFE) may interface one or more network resources to the communications subnetwork. The NFE performs the connection-oriented functions on behalf of hosts as well as terminals. The NFE could also provide a user-level command interface for terminals. It is likely that NFEs can reduce the software cost and system overhead normally involved in connecting to networks. A Secure Front End may, in fact, enhance network security, a concept discussed later.
5 Centralized Approach to Computer Network Security 89 SECURITY ANALYSIS The system design presented above counters the network security threats. The following discussion analyzes the design approach with respect to the threats presented earlier. 1. Network Communication Threats-The characteristics of the NBS data encryption algorithm (and cryptographic devices in general) eliminate many network communication threats. Obviously, line tapping yields encrypted text which cannot be read by a penetrator. Furthermore, alteration of enciphered text can be detected if an error detection field is included in the message. This error check must be enciphered, so that the error check value cannot be predictably altered. Additionally, the check value must be calculated with clear, rather than enciphered, text; otherwise it is possible to alter enciphered text such that the error detection field does not indicate the change. Inclusion of redundancy checks and message sequence numbers within the enciphered portion of the message can prevent undetected message playback or introduction of spurious messages. The network cryptographic devices used in this design utilize a distinct encryption key for each logical connection between network resources. Therefore, misrouted messages are rendered unintelligible to unauthorized recipients. Currently available "line" cryptographic devices can only be placed on the communication lines, and therefore do not eliminate the threat of misrouting. Network cryptographic devices with the characteristics required in this design offer greater security assurance than is currently available with existing "line encryption" devices. Although not currently available, network cryptographic devices can be built with current technology. 2. Counterfeit Network Resources-The term endto-end encryption refers to data being enciphered at the source and remaining unintelligible until it is deciphered at its final destination. Network cryptographic devices provide such end-to-end encryption, thereby eliminating the threat of counterfeit network resources. Communication with a bogus network resource is impossible because it would not be attached to a network cryptographic device, or know an appropriate key. If a network resource, attached to an NFE, is the source or target of network communication, the NFE is responsible for maintaining a proper message pipeline. The NFE must, therefore, guarantee that connections are made with the proper resource. Thus a secure NFE guarantees that the message routing and connection management functions are performed correctly on behalf of attached terminals and hosts. 3. Forged User Identity-The NSC requires each user to identify himself and provide information to authenticate that identity. A user's identity is validated before connection to any network resource is permitted. The NSC is a separate tamper-proof mechanism which is not part of a general purpose host computer system. Therefore, the NSC provides a protected environment for the user authentication process, which is less vulnerable than similar mechanisms within a general purpose host. 4. Unauthorized Access-The NSC maintains an access control data base that defines all permitted a connection between network resource is formed. The NSC is only involved in the initial decision to permit or deny access; an acceptable overhead cost analogous to "opening" a file in most operating systems. Access requests may specify objects with a varying degree or granularity, but network cryptographic devices can enforce access control only to the granularity of entire network resources. The NSC can, however, pass the results of the access request decision, and any necessary parameters for enforcement, to the host system. The host can then provide the finer granularity of enforcement. Terminals should not be connected to the network through network hosts. Connection of terminals to the network through general-purpose computer systems needlessly exposes the terminal's communications to security vulnerabilities within the host. Similarly~ the hosts are subject to uncontrolled access from the terminals. When terminals are connected directly to the network, on the other hand, all access can be controlled by the NSC. Terminals could therefore either be connected directly to the network with their own cryptographic device (and providing their own connection-oriented functions and message formatting) or be connected to the network through a secure NFE. SUMMARY AND CONCLUSION The secure network design outlined here is a centralized management and control philosophy based upon centralized key management. Keys are generated by the NSC and managed by the master cryptographic device. NSC access control decisions are enforced through the use of centralized key management. A companion paperl describes an alternative, equally effective approach to network security based upon decentralized key management, and is useful where centralized control is precluded by law, policy, jurisdiction, reliability or practical constraints. In that decentralized approach, all cryptographic devices are identical, but more complex, with each capable of generating keys and relaying keys to other cryptographic devices. The master cryptographic device is eliminated and the NSC is optional. The network structure described in this paper greatly reduces network security vulnerabilities. The
6 90 National Computer Conference NSC provides a separate, secure network facility to insure that only legitimate users can access network resources and that only authorized access requests are... a... -.v..ffarl 1-''-'.L.l.l ,;l..vu. Network cryptographic devices virtually eliminate security threats to network communications and aid in authentication of network resources. Although currently available cryptographic devices do not have the appropriate characteristics, suitable network cryptographic devices can be built with existing technology. Thus, a high degree of cost-effective security assurance can be provided in computer networks with currently available technology. REFERENCES 1. Kaufman, D. J., A Distributed App1'oach to Computer Network Security, System Development Corporation, SP-3848, May 31, Branstad, D. K., "Encryption Protection in Computer Data Communications," Fourth Data Communications Symposium, Quebec City, Canada, October Branstad, D. K., "Security Aspects at Computer Networks," AIAA Computer Network Conference, Huntsville, Alabama, April National Bureau of Standards Data Encryption Algorithm, Federal Register, March 17, 1975 and August 4, Lampson, B. \V., "Dynamic Protection Structures," Fall Joint Computer Conference, 1967.
IY2760/CS3760: Part 6. IY2760: Part 6
IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily
More informationChapter 23. Database Security. Security Issues. Database Security
Chapter 23 Database Security Security Issues Legal and ethical issues Policy issues System-related issues The need to identify multiple security levels 2 Database Security A DBMS typically includes a database
More informationSecurity (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012
Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationReference Guide for Security in Networks
Reference Guide for Security in Networks This reference guide is provided to aid in understanding security concepts and their application in various network architectures. It should not be used as a template
More informationContent Teaching Academy at James Madison University
Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect
More informationEvaluation Report. Office of Inspector General
Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury
More informationSY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
More informationTechnical Standards for Information Security Measures for the Central Government Computer Systems
Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...
More informationFirewalls Overview and Best Practices. White Paper
Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not
More information12 FAM 650 ACQUISITION SECURITY REQUIREMENTS FOR OPERATING SYSTEMS AND SUBSYSTEM COMPONENTS
12 FAM 650 ACQUISITION SECURITY REQUIREMENTS FOR OPERATING SYSTEMS AND SUBSYSTEM COMPONENTS 12 FAM 651 GENERAL (CT:DS-180; 06-20-2012) (Office of Origin: DS/SI/CS) a. Acquisition authorities must follow
More informationCompter Networks Chapter 9: Network Security
Goals of this chapter Compter Networks Chapter 9: Network Security Give a brief glimpse of security in communication networks Basic goals and mechanisms Holger Karl Slide set: Günter Schäfer, TU Ilmenau
More informationSecure cloud access system using JAR ABSTRACT:
Secure cloud access system using JAR ABSTRACT: Cloud computing enables highly scalable services to be easily consumed over the Internet on an as-needed basis. A major feature of the cloud services is that
More informationWireless Sensor Networks Chapter 14: Security in WSNs
Wireless Sensor Networks Chapter 14: Security in WSNs António Grilo Courtesy: see reading list Goals of this chapter To give an understanding of the security vulnerabilities of Wireless Sensor Networks
More information7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
More informationVoltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review
Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...
More informationΕΠΛ 674: Εργαστήριο 5 Firewalls
ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationEnterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions.
Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH White Paper February 2010 www.alvandsolutions.com Overview Today s increasing security threats and regulatory
More informationTable: Security Services (X.800)
SECURIT SERVICES X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Also the
More informationComputer Network. Interconnected collection of autonomous computers that are able to exchange information
Introduction Computer Network. Interconnected collection of autonomous computers that are able to exchange information No master/slave relationship between the computers in the network Data Communications.
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationChapter 23. Database Security. Security Issues. Database Security
Chapter 23 Database Security Security Issues Legal and ethical issues Policy issues System-related issues The need to identify multiple security levels 2 Database Security A DBMS typically includes a database
More informationChap. 1: Introduction
Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed
More informationNETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
More informationTaxonomic Modeling of Security Threats in Software Defined Networking
Taxonomic Modeling of Security Threats in Software Defined Networking Recent advances in software defined networking (SDN) provide an opportunity to create flexible and secure next-generation networks.
More informationΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science
ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users
More informationSecurity Architecture Whitepaper
Security Architecture Whitepaper 2015 by Network2Share Pty Ltd. All rights reserved. 1 Table of Contents CloudFileSync Security 1 Introduction 1 Data Security 2 Local Encryption - Data on the local computer
More informationChapter 7 Information System Security and Control
Chapter 7 Information System Security and Control Essay Questions: 1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect
More informationE-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)
E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system
More informationpreliminary experiment conducted on Amazon EC2 instance further demonstrates the fast performance of the design.
Privacy-Preserving Public Auditing For Secure Cloud Storage ABSTRACT: Using cloud storage, users can remotely store their data and enjoy the on-demand high-quality applications and services from a shared
More informationDraft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications
Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that
More informationSecuring VoIP Networks using graded Protection Levels
Securing VoIP Networks using graded Protection Levels Andreas C. Schmidt Bundesamt für Sicherheit in der Informationstechnik, Godesberger Allee 185-189, D-53175 Bonn Andreas.Schmidt@bsi.bund.de Abstract
More informationCHAPTER 1 INTRODUCTION
1 CHAPTER 1 INTRODUCTION 1.1 Introduction Cloud computing as a new paradigm of information technology that offers tremendous advantages in economic aspects such as reduced time to market, flexible computing
More informationSync Security and Privacy Brief
Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical
More informationComplying with PCI Data Security
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
More informationDefense in Cyber Space Beating Cyber Threats that Target Mesh Networks
Beating Cyber Threats that Target Mesh Networks Trent Nelson, Cyber Security Assessment Lead, Idaho National Laboratory Jeff Becker, Global Wireless Business Director, Honeywell Process Solutions Table
More informationINTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002
INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before
More informationA Strategic Approach to Enterprise Key Management
Ingrian - Enterprise Key Management. A Strategic Approach to Enterprise Key Management Executive Summary: In response to security threats and regulatory mandates, enterprises have adopted a range of encryption
More informationNetwork Security. Network Security Hierarchy. CISCO Security Curriculum
Network Security Network Security Hierarchy Material elaborat dupa: CISCO Security Curriculum Kenny Paterson s Lectures for: M.Sc. in Information Security, Royal Holloway, University of London 1 Objectives
More informationE-Commerce Security Perimeter (ESP) Identification and Access Control Process
Electronic Security Perimeter (ESP) Identification and Access Control Process 1. Introduction. A. This document outlines a multi-step process for identifying and protecting ESPs pursuant to the North American
More informationHow To Use A College Computer System Safely
1.0 Overview Keuka College provides access to modern information technology in support of its mission to promote excellence and achievement across its mission areas of instruction, research, and service.
More informationINTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY
INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK AN OVERVIEW OF MOBILE ADHOC NETWORK: INTRUSION DETECTION, TYPES OF ATTACKS AND
More informationSecurity in Wireless Local Area Network
Fourth LACCEI International Latin American and Caribbean Conference for Engineering and Technology (LACCET 2006) Breaking Frontiers and Barriers in Engineering: Education, Research and Practice 21-23 June
More informationETHERNET WAN ENCRYPTION SOLUTIONS COMPARED
HERN WAN ENCRYPTION SOLUTIONS COMPARED KEY WORDS AND TERMS MACsec, WAN security, WAN data protection, MACsec encryption, network data protection, network data security, high-speed encryption, Senetas,
More informationHealthcare Compliance Solutions
Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and
More informationInformation Technology Security Guideline. Network Security Zoning
Information Technology Security Guideline Network Security Zoning Design Considerations for Placement of s within Zones ITSG-38 This page intentionally left blank. Foreword The Network Security Zoning
More informationHIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationSERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security
International Telecommunication Union ITU-T Y.2740 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2011) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS
More informationSecuring your Online Data Transfer with SSL
Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does
More informationHughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R
HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by
More informationIntro to Firewalls. Summary
Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer
More informationAdvanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech
Advanced Topics in Distributed Systems Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech Security Introduction Based on Ch1, Cryptography and Network Security 4 th Ed Security Dr. Ayman Abdel-Hamid,
More informationSpillemyndigheden s Certification Programme Information Security Management System
SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Introduction... 3 1.1 Spillemyndigheden s certification programme... 3 1.2 Objectives of the... 3 1.3 Scope of this document... 4 1.4 Definitions...
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationUsing Data Encryption to Achieve HIPAA Safe Harbor in the Cloud
Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA
More informationCornerstones of Security
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
More informationHANDBOOK 8 NETWORK SECURITY Version 1.0
Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure
More informationNetwork Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶
Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course
More informationSecurity Digital Certificate Manager
IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,
More informationWhy Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs
Why Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs P/N 500205 July 2000 Check Point Software Technologies Ltd. In this Document: Introduction Page 1 Integrated VPN/firewall Page 2 placed
More informationRemote Access Security
Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to
More informationSummary of CIP Version 5 Standards
Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0
Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview
More informationCOSC 472 Network Security
COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html
More informationSecuring your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.
More information83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff
83-10-40 Firewalls: An Effective Solution for Internet Security E. Eugene Schultz Payoff Firewalls are an effective method of reducing the possibility of network intrusion by attackers. The key to successful
More informationSecurity Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress
Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Alan Davy and Lei Shi Telecommunication Software&Systems Group, Waterford Institute of Technology, Ireland adavy,lshi@tssg.org
More informationPlain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75
Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.
More informationS E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010
S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M Bomgar Product Penetration Test September 2010 Table of Contents Introduction... 1 Executive Summary... 1 Bomgar Application Environment Overview...
More informationCMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis
CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems
More informationNetwork Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering
Network Security by David G. Messerschmitt Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationPart I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationFirewall Architecture
NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT
More informationBusiness Continuity and Disaster Recovery Solutions in Government
> Business Continuity and Disaster Recovery Solutions in Government Protecting Critical Data Flow for Uninterrupted Services WHITE PAPER January 2010 J. Asenjo, CISSP www.thalesgroup.com/iss Information
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationTABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY
IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...
More informationPotential Targets - Field Devices
Potential Targets - Field Devices Motorola Field Devices: Remote Terminal Units ACE 3600 Front End Devices ACE IP Gateway ACE Field Interface Unit (ACE FIU) 2 Credential Cracking Repeated attempts to
More informationAn Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
More informationBest Practices for Network Security. Name. University/College. Unit Name. Unit Code. Lecturer
1 Best Practices for Network Security Name University/College Unit Name Unit Code Lecturer 27 March 2014 2 Outline Introduction...3 Developing Network Security Best Practices...5 I. The Pillars of network
More informationPreventing Resource Exhaustion Attacks in Ad Hoc Networks
Preventing Resource Exhaustion Attacks in Ad Hoc Networks Masao Tanabe and Masaki Aida NTT Information Sharing Platform Laboratories, NTT Corporation, 3-9-11, Midori-cho, Musashino-shi, Tokyo 180-8585
More informationSecuring your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.
Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate A STEP-BY-STEP GUIDE to test, install and use a thawte Digital Certificate on your MS IIS Web
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationBasics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
More informationChapter 8 A secure virtual web database environment
Chapter 8 Information security with special reference to database interconnectivity Page 146 8.1 Introduction The previous three chapters investigated current state-of-the-art database security services
More informationWireless Sensor Network Security. Seth A. Hellbusch CMPE 257
Wireless Sensor Network Security Seth A. Hellbusch CMPE 257 Wireless Sensor Networks (WSN) 2 The main characteristics of a WSN include: Power consumption constrains for nodes using batteries or energy
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationSmart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public
More informationPAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ
PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ
More informationNetwork Security. Chapter 9 Integrating Security Services into Communication Architectures
Network Security Chapter 9 Integrating Security Services into Communication Architectures Network Security (WS 00): 09 Integration of Security Services Motivation: What to do where?! Analogous to the methodology
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationTCG Trusted Network Connect IF-MAP Metadata for ICS Security. Document Draft Comments. Prepared by Joseph J. Januszewski, III, CISSP
TCG Trusted Network Connect IF-MAP Metadata for ICS Security Document Draft Comments Prepared by Joseph J. Januszewski, III, CISSP Comments Januszewski Page 1 Page vi: Although the document is concerned
More informationVPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu
VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining
More informationchap18.wireless Network Security
SeoulTech UCS Lab 2015-1 st chap18.wireless Network Security JeongKyu Lee Email: jungkyu21@seoultech.ac.kr Table of Contents 18.1 Wireless Security 18.2 Mobile Device Security 18.3 IEEE 802.11 Wireless
More informationSAN Conceptual and Design Basics
TECHNICAL NOTE VMware Infrastructure 3 SAN Conceptual and Design Basics VMware ESX Server can be used in conjunction with a SAN (storage area network), a specialized high speed network that connects computer
More information