Introduction to ATM Security Josef Kolbitsch


Contents

Abstract
1 Introduction
2 Requirements of a security system
2.1 Threats to an ATM Network
2.2 Basic Requirements
Context-agility
3 Security Services
3.1 The ATM Security Framework
3.2 AF-SEC-1 Verification of Identities
3.3 AF-SEC-2 Controlled Access and Authorization
3.4 AF-SEC-3 Protection of Confidentiality
3.5 AF-SEC-4 Protection of Data Integrity
3.6 AF-SEC-5 Strong Accountability
3.7 AF-SEC-9 Security Recovery
3.8 AF-SEC-10 Management of Security
3.9 Security Messaging
4 Implementation
4.1 Context-Agile High-Speed Encryption
4.2 The OCTANE-Shell
4.3 The OCTANE Encryption-Unit
4.4 Concerns
5 Conclusion
References

Abstract

Security in ATM networks is necessary because ATM is widespread and many areas such as financial or medical applications, network administration, etc. require very sensitive handling of the transmitted data. If we look at other fields of interest (only multimedia technologies and cable television shall be mentioned among others) we see that ATM channels might be used for billing. Misuse of the ATM network, manipulation of transmitted data, spoofing, or repudiation would be fatal in a billing/accounting system. Therefore the ATM Forum, the most important committee in developing and enforcing new standards concerning ATM, introduced the ATM Security Specification 1.0. The specification contains mechanisms to protect transmitted data in the user and the control plane. The management plane will be treated in phase two of the specification.

1 Introduction

The ATM Security Specification ([2]) describes the security services that are necessary to protect the user and the control plane. Confidentiality, data integrity, accountability, and access control are the main objectives. In the ATM Security Framework ([1]) ten necessary functions, AF-SEC-1 to AF-SEC-10, are proposed:

AF-SEC-1: Verification of Identities
AF-SEC-2: Controlled Access and Authorization
AF-SEC-3: Protection of Confidentiality
AF-SEC-4: Protection of Data Integrity
AF-SEC-5: Strong Accountability
AF-SEC-6: Activity Logging
AF-SEC-7: Alarm Reporting
AF-SEC-8: Audit
AF-SEC-9: Security Recovery
AF-SEC-10: Management of Security

However, not all of those security requirements will be discussed. AF-SEC-6 to AF-SEC-8 are mainly logging functions that are not the subject of this review. AF-SEC-5 is essentially accomplished using authentication and authorization; thus it will be mentioned together with AF-SEC-1 and AF-SEC-2.

Verification of identities (verifying the claimed identity of any actor in an ATM network), controlled access and authorization (actors must not gain access to data they are not authorized to), protection of confidentiality (stored and communicated data must be handled confidentially), and protection of data integrity (the integrity of stored and transmitted data must be guaranteed) will be discussed in detail. Security recovery and the management of security services will be mentioned as sub-items of, respectively in combination with, AF-SEC-1 to AF-SEC-4. After the theoretical discussion of the Phase One ATM Security Specification, proposals of implementations (presented in [3] and [10]) will be shown in order to make the ideas behind the specification clearer. Furthermore, different needs in an ATM security system will be dealt with. They can largely be satisfied by different encryption techniques (several algorithms, modes of operation, different key lengths, etc.). Hence a system providing more than one encryption mechanism, so-called context agility, may be desirable. An in-depth discussion of the ATM Security Specification and of different interpretations and realizations of it is beyond the scope of this short paper; only a glance at this broad topic and a rather superficial presentation of basic concepts are the aims of this Introduction to ATM Security.

2 Requirements of a security system

2.1 Threats to an ATM Network

ATM networks are vulnerable to many kinds of attacks, and very often the possibilities are underestimated. This paragraph shall give an overview of possible violations.

Spoofing. An entity on a network pretends to be someone else and by doing so tries to gain access to information of other entities on the network.

Eavesdropping. Communication is monitored (traffic analysis) and the attacker tries to find out crucial information about its victim: passwords, other secret data, etc.

Unauthorized Access. An actor on the network tries to access resources of another actor on the network without having the permission, i.e. authorization, to do so.

Corruption of Information. Stored or transmitted data are altered, deleted, reordered, replayed or delayed by an entity lacking the appropriate authorization.

Forgery. Faked data is sent to other entities or is claimed to have been received. The owner information must be changed to do this authentically.

Denial of Service. Either an entity fails to perform its assigned function on the network (access to an ATM service will be denied) or an entity prevents other entities from doing so (for instance by flooding a network component).

2.2 Basic Requirements

The requirements of users and system providers cannot always be met at the same time. Still the demands are clear: users want secure systems, where all data are handled sensitively and no delays occur. On the other hand such a system has to be compatible with switching hardware that does not provide security mechanisms. Therefore the cell header must not be changed, so that the cells can be transferred to the destination address even if network components in between are not aware of the precautions. The two end-systems will have to negotiate the use of some security system at connection startup. The components have to accommodate the switching process efficiently. No additional delays are allowed since a certain Quality of Service (QoS) has to be met. To provide more compatibility among different security/encryption hardware and end-systems, interoperability at different speeds (up to OC-192 at 10 Gbps) and a wider range of appropriate algorithms and keys (key or context agility) might be required. This leads us to the measures of the Phase One ATM Security Framework described in section 3.

Context-agility

Context-agility is probably the most important issue. A context-agile encryption system can switch between various cryptographic contexts such as the key, key length, initial variables, the algorithm used, etc. This is necessary because in port-to-port communication (between an encryptor and a decryptor, let's say of two different manufacturers or two service providers with different security requirements) several algorithms or key lengths might be necessary. A complete review of context-agility can be found in [3].

Key agility. The attribute key-agile means that the context parameters are limited to key, initial variable, present state, etc.; they are limited to one single algorithm. Key-agile implementations are rather software than hardware and therefore not always capable of high-speed switching and encryption. The advantage is that on shared systems, i.e. a network, more than one key can be used, which is inevitable when there are several users. The biggest disadvantage is that this agility is limited to the key and therefore not really flexible. Robustness-agile encryptors/decryptors solve this problem.

Robustness agility. Robustness agility refers to the robustness or strength of encryption algorithms, which is determined by different cryptographic algorithms, different modes of operation (of the same algorithm), and different key lengths. (Other variables may also be used as part of the cryptographic context.) It is necessary because of different types of traffic (video, radio, network administration, etc.) and political boundaries (export limitations on cryptographic algorithms). Since robustness agility requires more information in the cryptographic context, more memory is needed. An example would be one algorithm with different strengths: 128 bit (for US residential connections) and 40 bit (outside the US).

Algorithm agility. Algorithm-agile encryption/decryption hardware contains multiple algorithms and is fast enough to switch between them so that all cells may have different algorithms, i.e. different cryptographic contexts. Also, just different modes of operation of the same algorithm can be employed. Obviously algorithm agility is even better than robustness agility because of better compatibility, which is most welcome. Not all algorithms, though, can be used because some don't scale well in high-speed environments: algorithms with feedback based on combinations of key and plain- or ciphertext, such as DES with cipher-block chaining (CBC). Filter generator algorithms like DES in counter mode are better. Encryptors should be agile between widely used algorithms and scalable, high-performance algorithms. Also both public-key (asymmetric) and secret-key (symmetric) encryption may be implemented.

3 Security Services

3.1 The ATM Security Framework 1.0

As already mentioned above, the Phase One ATM Security Framework defines (functional) security requirements and security services. In this specification only the user plane (for user data) and the control plane (connection establishment, signaling, etc.) are protected; the management plane (coordination of control and user plane) will be part of the second phase. In the user as well as the control plane, security for stored and transported information is established through authentication, access control, an integrity service, and confidentiality. Communication may be user-to-network interaction (UNI, between an end-system and an ATM switch) and network-to-network interaction (NNI, between two ATM switches). Security-relevant actions are defined for user-to-user interaction (UUI, between two end-systems) and NNI (see above). The idea of the security framework is that after the exchange of keys and necessary security parameters (before any user data is transmitted) all data will be encrypted on a cell basis. For compatibility reasons the header of a cell remains in plaintext in order to make sure that systems that are not aware of the security services can perform the cell switching without any problems. The payload of the cell will be encrypted using the negotiated key (and other parameters). Since the ATM cell has a fixed size, this operation can be carried out in hardware, which makes the encryption much faster than software implementations.

3.2 AF-SEC-1 Verification of Identities

Figure 1: Schematic representation of ATM security components.

The general structure of an ATM network with security components is laid out in figure 1: Each virtual private network (or LAN) has an ATM switching device as entrance to the core network (the public network). Between the switching device and the network itself a crypto-unit is inserted. This crypto-unit performs all necessary negotiations between the two end-systems and does all encryption/decryption of the data.

Figure 2: Interaction types in ATM networks.

The ATM network shall support capabilities to establish and verify the claimed identity of any actor in an ATM network. That means that before exchanging any user data a verification of identities has to take place. This initial authentication is combined with key exchange and security options. Authentication does not address human user authentication because no human entities can be found on the user plane. Authentication is needed to avoid spoofing (masquerade threats) and is the basis for services such as authorization and non-repudiation. Unlike datagram-oriented services, ATM allows authentication for a connection (and not only for one packet). Thus the overhead is much smaller and stronger (slower) encryption can be used.

For the key exchange a standardized combined authentication, key exchange, and security negotiation protocol exists. It is available in a three-way (three flows) and a two-way version (two flows).

Figure 3: Two-way authentication, key exchange, and security negotiation protocol. (Taken from [4].)

Figure 4: Three-way authentication, key exchange, and security negotiation protocol. (Taken from [4].)

In the two-way security message exchange protocol one party (security agent, SA) is the initiator and the other one is the responder. At the beginning of the process of setting up a connection, the initiator sends FLOW1-2WE, which contains A, B (authentication entities), and SecOpt (Security Negotiation Options). If key exchange is required, the necessary authentication tokens (T_a, R_a, etc.) are included. On arrival of FLOW1-2WE the responder checks if it is the intended recipient, and extracts and interprets SecOpt. If key exchange or authentication is needed, the signature (integrity of FLOW1-2WE), the order (replay or out-of-order), and the timestamp are verified; the nonce is extracted for the reply. Finally B sends FLOW2-2WE containing A, B, R_a, etc. back to the initiator A. The initiator in return checks if the received R_a from FLOW2-2WE is identical to that sent in FLOW1-2WE, verifies the signature, and extracts ConfPar_b (if present).

The three-way negotiation protocol uses quite a similar procedure to exchange keys and parameters, as described in [2] and [4]: The initiator A sends its data to the responder B, which checks the validity of the information. B sends this data together with its own data back to A, which in return again checks the keys, certificates, etc. Ultimately the initiator sends the data back to the responder once again, and the communication (transfer of data) may begin. In order to avoid spoofing and replay attacks, the keys must be fresh, and the authentication flows must be unique. When using asymmetric encryption algorithms, in contrast to symmetric algorithms, the (private) keys only have to be issued once per user. However, symmetric algorithms are computationally not as complex as asymmetric ones.

3.3 AF-SEC-2 Controlled Access and Authorization

The ATM network shall support capabilities to ensure that actors are prevented from gaining access to information or resources they are not authorized to access. Access control decides whether a connection is authenticated to proceed.
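The two-way exchange of section 3.2 above, simulated end to end as an added example (this is not code from the paper, from [4], or from the ATM Forum specification). The responder performs the checks the text lists in order: intended recipient, signature, timestamp, freshness of the nonce R_a, then negotiates from SecOpt; the initiator checks that R_a comes back unchanged before accepting ConfPar_b. Assumptions of this example: an HMAC-SHA256 over the flow, keyed by a constructed shared secret, stands in for the signature the specification puts on each flow; the field names, the 30-second timestamp window and the 40/128-bit key-length options are illustrative choices taken loosely from the paper's notation.

```python
"""Two-way security message exchange (FLOW1-2WE / FLOW2-2WE), simulated.
Added example; HMAC stands in for the specification's flow signature."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Set

# Constructed secret shared by A and B; in the real protocol each flow carries
# a signature, here replaced by an HMAC under this secret (assumption).
SHARED_SECRET = b"constructed-shared-secret-between-A-and-B"
MAX_SKEW = 30.0                  # seconds T_a may differ from B's clock (assumed window)
SUPPORTED_KEY_LEN = (40, 128)    # robustness options B implements (paper's 40/128-bit example)


def _sign(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()


def _signature_ok(flow: dict) -> bool:
    unsigned = {k: v for k, v in flow.items() if k != "sig"}
    return hmac.compare_digest(_sign(unsigned), flow.get("sig", ""))


class Initiator:
    """Security agent A."""

    def __init__(self, name: str, peer: str):
        self.name, self.peer, self.r_a = name, peer, None
        self.sec_opt = {"confidentiality": True, "integrity": True, "key_len": [128, 40]}

    def flow1(self, now: Optional[float] = None) -> dict:
        """FLOW1-2WE: A, B, SecOpt, timestamp T_a and nonce R_a, signed."""
        self.r_a = os.urandom(16).hex()
        f = {"type": "FLOW1-2WE", "A": self.name, "B": self.peer, "SecOpt": self.sec_opt,
             "T_a": time.time() if now is None else now, "R_a": self.r_a}
        f["sig"] = _sign(f)
        return f

    def accept_flow2(self, flow: Optional[dict]) -> Optional[dict]:
        """R_a must be echoed unchanged and the signature must hold; returns ConfPar_b."""
        if not flow or flow.get("type") != "FLOW2-2WE" or flow.get("A") != self.name:
            return None
        if flow.get("R_a") != self.r_a or not _signature_ok(flow):
            return None
        return flow.get("ConfPar_b")


class Responder:
    """Security agent B."""

    def __init__(self, name: str):
        self.name = name
        self.seen_nonces: Set[str] = set()      # replay detection across connection attempts

    def handle_flow1(self, flow: dict, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        if flow.get("type") != "FLOW1-2WE" or flow.get("B") != self.name:
            return None                          # not the intended recipient
        if not _signature_ok(flow):
            return None                          # integrity of FLOW1-2WE failed
        if abs(now - flow["T_a"]) > MAX_SKEW:
            return None                          # stale timestamp
        if flow["R_a"] in self.seen_nonces:
            return None                          # replayed flow
        self.seen_nonces.add(flow["R_a"])
        offered = [k for k in flow["SecOpt"]["key_len"] if k in SUPPORTED_KEY_LEN]
        if not offered:
            return None                          # no common security option
        f = {"type": "FLOW2-2WE", "A": flow["A"], "B": self.name, "R_a": flow["R_a"],
             "ConfPar_b": {"key_len": max(offered)}}
        f["sig"] = _sign(f)
        return f


def run_exchange() -> dict:
    """One successful exchange plus three rejected variants (constructed scenario)."""
    a, b = Initiator("A", "B"), Responder("B")
    f1 = a.flow1()
    conf = a.accept_flow2(b.handle_flow1(f1))
    replayed = b.handle_flow1(f1)                                 # same FLOW1 a second time
    stale = b.handle_flow1(Initiator("A", "B").flow1(now=1000.0), now=2000.0)
    f1_tampered = dict(Initiator("A", "B").flow1())
    f1_tampered["SecOpt"] = {"confidentiality": False, "integrity": False, "key_len": [40]}
    tampered = b.handle_flow1(f1_tampered)                        # altered SecOpt breaks the signature
    return {"conf_par": conf, "replay_rejected": replayed is None,
            "stale_rejected": stale is None, "tamper_rejected": tampered is None}
```

The nonce set is what turns "the authentication flows must be unique" into a check the responder can actually make; the signature over SecOpt is what prevents a third party from weakening the negotiated options in transit.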
A trusted calling party may label the sensitivity of the required connection. If it is acceptable, the initiation will continue. This is very important for multilevel secure ATM networks with trusted components. On the control plane authentication plays a very important role. (The control plane is responsible for configuring network devices. In version 1 of the ATM Security Specification only authentication is provided.) Authentication is a good protection against spoofing and also against Denial of Service (DoS) because messages that are not authentic can simply be ignored. An Authentication Information Element contains information about which data were used for the creation of the signature, so that switches may change the signature without invalidating it.

3.4 AF-SEC-3 Protection of Confidentiality

The ATM network shall support the capability to keep stored and communicated data confidential. The confidentiality service provides protection against eavesdropping. The encryption on cell level assures that only the actor with the corresponding key(s) (symmetric, asymmetric) can decrypt the data.

3.5 AF-SEC-4 Protection of Data Integrity

The ATM network shall support guaranteeing the integrity of stored and communicated data. The Integrity Service is also called Data Origin Authentication. It is active for one session and provides protection against threats like spoofing or insertion/deletion attacks. To the AAL Service Data Unit (SDU) a message authentication code (MAC) is appended. (The ATM Adaptation Layer SDU level is used rather than the ATM layer because the ATM cell is already filled up with 53 bytes (5 bytes header and 48 bytes payload) and so no place is left for the MAC.) This MAC has a key that is negotiated during connection establishment, which makes sure for the receiver that the SDU originates from the correct source.

Figure 5: The appended message authentication code (MAC). (Taken from [4].)

As shown in figure 5, two modes can be distinguished: integrity with and integrity without replay/reordering protection. Without replay/reordering protection the MAC is calculated over the SDU (independent from the ATM cells) and appended to the SDU. With replay/reordering protection a sequence number is appended to the SDU; the MAC is then calculated over the SDU and the sequence number and appended as well. An integrity check with replay/reordering protection is only necessary when ATM-native applications are used that do not provide sequence numbers. If a higher-level protocol such as TCP with sequence numbers of its own is used, though, it is not necessary to use replay/reordering protection since it causes more overhead.

3.6 AF-SEC-5 Strong Accountability

The ATM network shall support the capability that an entity cannot deny the responsibility for any of its performed actions as well as their effects. Strong accountability implies non-repudiation. That is on the whole achieved through authentication and authorization, which is described in 3.2. It is very important that everybody is responsible for his actions because if we think of multimedia applications (cable television, etc.) billing plays a big role. Without accountability a billing system would not work.

3.7 AF-SEC-9 Security Recovery

The ATM network shall support recovery from successful and attempted breaches of security. A potential problem of cell encryption is the loss of cells. If only one cell is lost, decryption is impossible. Certain modes of operation of some algorithms handle cell loss. In general cell loss can be handled with OAM cells (Operation, Administration, and Maintenance) that carry resynchronization information. By means of those OAM cells resynchronization can be accomplished.

3.8 AF-SEC-10 Management of Security

The ATM network shall support capabilities to manage the security services derived from the security requirements listed above. Management functions will be presented in section 4.2 as part of a context-agile implementation for a high-speed encryption system.

Key management in general. Since the probability of cracking a key increases with time, keys are updated on a regular basis. (The frequency is determined by the rate at which data is transferred.) At the establishment of the connection a master key, which is used to generate the short-lived session keys, is created together with the first session key. The session keys are the keys that are really used for encrypting the data. Those session keys are transferred in the data channel for the receiver to be able to load and apply them immediately. The keys are sent in special OAM cells; always more than one (typically 1,000) of these cells are sent to make sure that at least one arrives.

3.9 Security Messaging

In order to establish all those security services described above, a mechanism for transmitting security-related messages is needed. During connection lifetime OAM cells are used for that purpose; at connection establishment the signaling channel is used.

Connection Establishment. If the two end-systems support security messaging, the signaling channel is used immediately after connection setup (before any data is sent). For communication during connection establishment two methods are defined: Security Signaling and In-Band Security Messaging.

Security Signaling. To support the discussed security protocols, extensions to the existing ATM signaling specification concerning security options, authentication parameters, etc. are currently being developed. Those information elements (IEs) contain information about the security capabilities of the end-systems and involved security agents (authentication, confidentiality, key length, etc.). The problem of this method is backward compatibility! That may be solved using In-Band Messaging. By sending the information elements in the data channel it is assured that they are recognized and not dropped (unlike the signaling channel, where they are dropped when not recognized).
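The two integrity modes of section 3.5, worked through as an added example (not code from the paper or from [4]): a MAC over the AAL SDU alone, and a MAC over the SDU plus a sequence number. The scenario delivers one SDU twice and another out of order, which is exactly the case the paper says ATM-native applications without their own sequence numbers need protection against. Assumptions: HMAC-SHA256 truncated to 16 bytes as the MAC, a 32-bit sequence number, a receiver that accepts only the next expected number (ATM delivers the cells of one VC in order), and constructed SDUs and key.

```python
"""Integrity service over AAL SDUs: MAC without and with replay/reordering
protection. Added example with constructed keys and SDUs."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

TAG_LEN = 16                                  # truncated HMAC-SHA256 tag (assumed length)
SESSION_KEY = b"constructed-integrity-key"    # constructed; negotiated at connection setup in reality


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


# Mode 1: integrity without replay/reordering protection (MAC over the SDU only).
def protect(key: bytes, sdu: bytes) -> bytes:
    return sdu + mac(key, sdu)


def verify(key: bytes, pdu: bytes) -> Optional[bytes]:
    sdu, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
    return sdu if hmac.compare_digest(tag, mac(key, sdu)) else None


# Mode 2: integrity with replay/reordering protection (sequence number under the MAC).
class SeqSender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def protect(self, sdu: bytes) -> bytes:
        seqb = struct.pack(">I", self.seq)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return sdu + seqb + mac(self.key, sdu + seqb)


class SeqReceiver:
    """Accepts only the next expected number: a repeat or a gap is treated as
    replay, reordering or insertion and the SDU is discarded."""

    def __init__(self, key: bytes):
        self.key, self.expected = key, 0

    def verify(self, pdu: bytes) -> Tuple[Optional[bytes], str]:
        body, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(self.key, body)):
            return None, "bad-mac"
        sdu, (seq,) = body[:-4], struct.unpack(">I", body[-4:])
        if seq != self.expected:
            return None, "replay-or-reorder"
        self.expected = (seq + 1) & 0xFFFFFFFF
        return sdu, "ok"


def demo() -> dict:
    """Constructed scenario: a replayed SDU and an out-of-order SDU in each mode."""
    sdus = [b"payment:42", b"payment:43", b"payment:44"]
    # Mode 1: a valid PDU replayed verbatim verifies a second time; the MAC alone
    # cannot tell the copy from the original. Tampering is still caught.
    p0 = protect(SESSION_KEY, sdus[0])
    plain_accepts_replay = verify(SESSION_KEY, p0) == sdus[0] and verify(SESSION_KEY, p0) == sdus[0]
    tampered = bytearray(p0)
    tampered[0] ^= 1
    plain_rejects_tamper = verify(SESSION_KEY, bytes(tampered)) is None
    # Mode 2: deliver #0, replay #0, deliver #2 too early, then #1 and #2 in order.
    tx, rx = SeqSender(SESSION_KEY), SeqReceiver(SESSION_KEY)
    pdus = [tx.protect(s) for s in sdus]
    arrival = [pdus[0], pdus[0], pdus[2], pdus[1], pdus[2]]
    outcomes = [rx.verify(p) for p in arrival]
    recovered: List[bytes] = [sdu for sdu, status in outcomes if status == "ok"]
    return {"plain_accepts_replay": plain_accepts_replay,
            "plain_rejects_tamper": plain_rejects_tamper,
            "seq_statuses": [status for _, status in outcomes],
            "recovered": recovered}
```

The overhead the paper mentions is visible here: mode 2 costs four extra bytes per SDU and receiver state per VC, which is why it is only worth paying when no higher layer already numbers the data.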
Right after the channel is set up, (user) data traffic is blocked and the IEs are transmitted in-band. Afterwards the channel is unblocked and the data (from the user) are sent.

During Connection Lifetime. A mechanism to perform synchronization and session-key update is required. These data are time-sensitive (relative to the data traffic) and therefore they have to be transmitted in the same VCC/VPC as the data itself; otherwise synchronization cells don't make sense. The use of OAM cells either on VCC or on VPC level makes sure that these cells are identified by the receiving security agent and that an appropriate action will be performed.

4 Implementation

4.1 Context-Agile High-Speed Encryption

This implementation was proposed in [3]. It is a hardware-independent system that relies largely on standard components but still should be operable at speeds of about 10 Gbps. The name of this architecture is OCTANE (OC-192 ConText-Agile Network Encryptor). The system is designed in various modules such as physical input/output, cell routing, or encryption/decryption. A shell is the framework that holds together those modules. Beyond the scope of the shell are the cryptographic modules that provide context-agility. By using several different cryptographic modules with different algorithms, modes of operation, key lengths, etc., context-agility is introduced. A so-called cell router (in the shell) determines to which crypto-module the incoming cell shall be sent. After applying the cryptographic function to the cell, the cells will be put together into a stream by the cell combiner (also part of the shell). This architecture provides the possibility to simply exchange cryptographic modules. The whole system can also be divided into a realtime and a non-realtime part. The realtime part contains all parts that have to operate at the speed of the cell stream: input/output, the cell router and combiner, and the cryptographic modules. The non-realtime modules are the control of the cell router, the identification-and-association module, and the key management module (for the cryptographic modules). The architecture of OCTANE seems to be quite simple and clear yet still powerful enough to handle encryption at ATM speed and above. The system is shown in figure 6 and its functional details are described in sections 4.2 and 4.3.

Figure 6: Module relationships of the OCTANE high-speed encryption system.

4.2 The OCTANE-Shell

Physical I/O. The input/output module gets the cell stream from the host and sends it to the ATM network and vice versa.

Identification & Association. The VPI/VCI (Virtual Path Identifier/Virtual Channel Identifier) is not only used for switching but also for determining the cryptographic context by doing a table lookup either in conventional RAM or in Content Addressable Memory (CAM), which is rather expensive.

Cell Router. The cell router assigns the cell to the appropriate crypto-path for the desired algorithm. This is done because there should be no interference of the cryptographic module itself at all. The user must be authorized to use the given algorithm! Therefore an authentication must have taken place in advance. The data from a user must utilize a specific context it is authorized for (assurance).

Cell Combiner. After the encryption or decryption process the cells from the crypto-paths have to be re-combined into a single high-speed stream. Three methods might be used: First-Come First-Served (FCFS), latency matching (assuming that all paths are constantly at the same speed), and priority serving.

Non-Realtime Control. Basic housekeeping functions and the transfer of signaling cells from the high-speed to the low-speed path for interpretation are the main tasks of the non-realtime control.

4.3 The OCTANE Encryption-Unit

Figure 7: Schematic representation of a cryptographic module.

The cryptographic module shown in figure 7 does all necessary encryption and decryption as well as synchronization.

Cell Processor. The cell processor decides in realtime on a cell basis whether a cell is an OAM cell or a data cell. An OAM cell will be used for re-synchronization; a data cell will be encrypted (or decrypted).

Encryption/Decryption. During the key generation the data are held in a FIFO buffer between the cell processor and the mixer. The state vector (SV) is fetched according to the context information of the cell header. Using these two values (together with the key in the crypto-variable memory), a new key will be generated. At the end of this process the state vector will be written back to the SV memory. The encryption itself is done in the mixer, where the key will be applied to the plaintext from the cell processor.

Resynchronization. There may be two kinds of cells, depending on cell reception (into the module) and cell insertion (from the module). On insertion, set the state vector to a new value, update it, and write it to the resynchronization cell. On reception, verify the computed cyclic redundancy check (CRC).

Key Management. The key management module is responsible for housekeeping services of the encryptor and the generation of Traffic Encryption Keys (TEK), i.e. the crypto-variables.

4.4 Concerns

Implementation concerns about the OCTANE architecture are to a certain extent related to the high speed at which encryption has to take place. The availability of required hardware components is not always assured.

Large Context Space. Since there are 2^24 respectively 2^28 VPI/VCI combinations, a flat (straight indexed) memory scheme for cryptographic-context lookup is too costly. The encryptor could use an associative memory (content addressable memory lookup) to get keys and other cryptographic state information quickly enough, but the larger the key, the more expensive those algorithms will be to implement. Memory with these properties is either very expensive or doesn't exist yet, and might limit the possible number of active VCs. Another proposal in [5] uses two tables: A key table can hold up to 65,000 active keys, and a 4 million entry VC table stores 16-bit pointers to the key table. In order to select a key, the VC address is used to get the pointer from the VC table, which is then used to get the corresponding key.

Cryptographic Synchronization. When an encryptor-decryptor pair loses synchronization, the output data of the decryptor will be scrambled. Heavy data loss is the consequence. Some cryptographic algorithms are self-synchronizing, others need initial synchronization and re-synchronization after each cell loss or even periodically. Synchronization state information has to be added to the information that is stored for each VC.

Throughput. If encryption/decryption cannot keep up with the maximum cell arrival rate, the throughput on that VC must be reduced in some way to avoid cell loss. This can be done at VC setup time via Cell Administration Control (CAC) or by participating in the flow control after VC setup. In either case, the encryption/decryption devices must participate in the establishment and/or control of the VC, making them no longer transparent!

Quality of Service. Encryption/decryption may of course affect QoS, since different algorithms, modes, key lengths, etc. might deteriorate delay, throughput, and other QoS properties. Therefore ATM QoS must incorporate the type of encryption during VC setup. Another interesting effect may occur: Due to the different latencies of different algorithms, cells that use different algorithms are re-ordered. Cells and VCs using the same algorithm will stay in order, though. Those delayed streams will be queued and re-combined, which causes further delays. One possible solution: Output buffers for low-latency algorithms could be applied in algorithm-agile encryptors, i.e. delay equalization is achieved.
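As an added example (not code from the paper, from OCTANE, or from [5]), the following Python simulation ties together the cell-level mechanisms of sections 3.1, 3.7, 4.3 and 4.4: the two-table context lookup (VC address to 16-bit pointer to key table), a per-VC state vector driving a counter-mode keystream, data cells whose 5-byte header stays in plaintext, and OAM resynchronization cells carrying the state vector with a CRC. The constructed scenario loses one cell in transit and shows the decryptor producing garbage until the next resync cell arrives. Assumptions: HMAC-SHA256 over the state vector stands in for DES in counter mode; the header layout, payload-type values and the 40/128-bit contexts on two VCs are simplified illustrations, not the specification's encoding.

```python
"""Cell-level encryption unit: two-table context lookup, per-VC state vector,
OAM resynchronization. Added example; HMAC-SHA256 stands in for DES-CTR."""
import hashlib
import hmac
import struct
import zlib
from typing import Dict, List, Tuple

PAYLOAD = 48
PT_DATA, PT_OAM = 0, 4            # simplified payload-type values (assumed)


def header(vpi: int, vci: int, pt: int) -> bytes:
    """5-byte header, simplified: VPI(8) VCI(16) PT(3)+CLP(1) HEC(8, left 0)."""
    return bytes([vpi & 0xFF, (vci >> 8) & 0xFF, vci & 0xFF, (pt & 7) << 1, 0])


def parse_header(h: bytes) -> Tuple[int, int, int]:
    return h[0], (h[1] << 8) | h[2], (h[3] >> 1) & 7


class ContextStore:
    """Two-table scheme from [5]: the VC table maps the VPI/VCI address to a
    16-bit pointer; the key table holds key, key length and state vector (SV)."""

    def __init__(self):
        self.vc_table: Dict[int, int] = {}
        self.key_table: Dict[int, dict] = {}

    def add(self, vpi: int, vci: int, key: bytes, key_len: int) -> int:
        ptr = len(self.key_table)
        assert ptr < 65536                        # pointers are 16 bits wide
        self.key_table[ptr] = {"key": key, "key_len": key_len, "sv": 0}
        self.vc_table[(vpi << 16) | vci] = ptr
        return ptr

    def lookup(self, vpi: int, vci: int) -> dict:
        return self.key_table[self.vc_table[(vpi << 16) | vci]]


def keystream(key: bytes, sv: int) -> bytes:
    """Counter-mode keystream for one payload: a PRF of (SV, block index), no
    feedback from plaintext or ciphertext. HMAC-SHA256 is the stand-in PRF."""
    blocks = [hmac.new(key, struct.pack(">QI", sv, i), hashlib.sha256).digest() for i in range(2)]
    return b"".join(blocks)[:PAYLOAD]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CryptoModule:
    """Cell processor plus mixer of one side; each side keeps its own SV per VC."""

    def __init__(self, store: ContextStore):
        self.store = store

    def process(self, cell: bytes) -> bytes:
        h, payload = cell[:5], cell[5:]
        vpi, vci, pt = parse_header(h)
        ctx = self.store.lookup(vpi, vci)
        if pt == PT_OAM:                          # resync cell: SV (8 bytes) + CRC-32, plaintext
            sv, crc = struct.unpack(">QI", payload[:12])
            if zlib.crc32(payload[:8]) == crc:    # on reception, verify the CRC
                ctx["sv"] = sv
            return cell                           # passed through unchanged
        out = h + xor(payload, keystream(ctx["key"], ctx["sv"]))   # header stays in clear
        ctx["sv"] += 1
        return out

    def resync_cell(self, vpi: int, vci: int) -> bytes:
        """On insertion, write the current SV into an OAM cell for the peer."""
        body = struct.pack(">Q", self.store.lookup(vpi, vci)["sv"])
        payload = body + struct.pack(">I", zlib.crc32(body))
        return header(vpi, vci, PT_OAM) + payload.ljust(PAYLOAD, b"\x00")


def demo() -> List[str]:
    """Constructed scenario: six data cells, a resync cell after three, cell #1 lost."""
    key = bytes(range(16))                        # constructed 128-bit TEK shared by both sides
    enc_store, dec_store = ContextStore(), ContextStore()
    for store in (enc_store, dec_store):
        store.add(1, 100, key, 128)               # 128-bit context on VC 1/100
        store.add(1, 200, b"\x05" * 5, 40)        # 40-bit context on VC 1/200 (robustness agility)
    enc, dec = CryptoModule(enc_store), CryptoModule(dec_store)
    plain = [header(1, 100, PT_DATA) + bytes([i]) * PAYLOAD for i in range(6)]
    wire = [enc.process(c) for c in plain[:3]]
    wire.append(enc.resync_cell(1, 100))
    wire += [enc.process(c) for c in plain[3:]]
    del wire[1]                                   # one cell lost in transit
    results = []
    for cell in wire:
        out = dec.process(cell)
        if parse_header(cell[:5])[2] == PT_OAM:
            results.append("resync")
        else:
            results.append("ok" if out in plain else "garbled")
    return results


def header_in_clear() -> bool:
    """Switches that know nothing about the encryptor still see the same header."""
    store = ContextStore()
    store.add(7, 42, b"k" * 16, 128)
    cell = header(7, 42, PT_DATA) + b"\xaa" * PAYLOAD
    return CryptoModule(store).process(cell)[:5] == cell[:5]
```

Running demo() gives one good cell, one garbled cell (the decryptor's SV is one behind after the loss), the resync, then three good cells. This is the trade-off the Cryptographic Synchronization paragraph describes: a counter mode has no feedback and scales, but every VC needs stored synchronization state and a resync mechanism, and the more often resync cells are inserted the less data is scrambled after a loss.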

5 Conclusion

This introduction to ATM security has clearly shown that there is on the one hand a robust security specification that standardizes the security requirements for ATM networks, and on the other hand there are still numerous problems and pitfalls. ATM security provides strong protection of the user's data and offers the possibility to make a network secure. Authentication, confidentiality, and data integrity are the foundations of a security framework that fulfills the user's needs for secure communication. Furthermore a context-agile encryptor at an ATM aggregation point not only satisfies security concerns of virtual private networks but also brings cost savings. [5] proposes a context-agile encryption system for speeds up to 10 Gbps (OC-192), and other key- and robustness-agile prototypes already exist. So we can look forward to more products and Phase Two of the ATM Security Specification.

Tuesday, May 23rd, 2000, 3:50. Monday, June 25th, 2000, 22:30.

References

[1] The ATM Forum Technical Committee, ATM Security Framework 1.0, AF-SEC, February.
[2] The ATM Forum Technical Committee, ATM Security Specification 1.0, ATM-SEC, February.
[3] Lyndon G. Pierson, Edward L. Witzke (Sandia National Laboratories), Mark O. Bean, and Gerry J. Trombley (National Security Agency), Context-Agile Encryption for High Speed Communication Networks, Computer Communication Review, Volume 29, Number 1, pages 35-49, January.
[4] Mohammad Peyravian (IBM Corporation) and Thomas D. Tarman (Sandia National Laboratories), Asynchronous Transfer Mode Security, IEEE Network, Volume 11, Number 3, pages 34-40, May/June.
[5] Daniel Stevenson, Nathan Hillery, and Greg Byrd, Secure Communications in ATM Networks, Communications of the ACM, Volume 38, Number 2, pages 45-52, February.
[6] Mohammad Peyravian (IBM Corporation) and Els Van Herreweghen (IBM Research Laboratory), ATM Security Scope and Requirements, ATM Forum contribution, June.
[7] Mohammad Peyravian (IBM Corporation), Gene Tsudik and Els Van Herreweghen (IBM Research Laboratory), A Framework for Authenticated Key Distribution in ATM Networks, ATM Forum contribution, June.
[8] Mohammad Peyravian (IBM Corporation), Gene Tsudik, and Els Van Herreweghen (IBM Research Laboratory), A Certification Infrastructure for ATM, ATM Forum/95-xxxx, August.
[9] Donglin Liang (Ohio State University), A Survey on ATM Security, August.
[10] Herbert Leitold, Udo Payer, and Reinhold Posch (Institute for Applied Information Processing and Communications, Graz University of Technology), A Hardware Encryption Model for ATM Devices.


More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Compter Networks Chapter 9: Network Security

Compter Networks Chapter 9: Network Security Goals of this chapter Compter Networks Chapter 9: Network Security Give a brief glimpse of security in communication networks Basic goals and mechanisms Holger Karl Slide set: Günter Schäfer, TU Ilmenau

More information

IY2760/CS3760: Part 6. IY2760: Part 6

IY2760/CS3760: Part 6. IY2760: Part 6 IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards

Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the

More information

APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0

APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0 APNIC elearning: IPSec Basics Contact: training@apnic.net esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations

More information

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

More information

ETHERNET WAN ENCRYPTION SOLUTIONS COMPARED

ETHERNET WAN ENCRYPTION SOLUTIONS COMPARED HERN WAN ENCRYPTION SOLUTIONS COMPARED KEY WORDS AND TERMS MACsec, WAN security, WAN data protection, MACsec encryption, network data protection, network data security, high-speed encryption, Senetas,

More information

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper Rev 1.0 HIPAA Security Considerations for Broadband Fixed Wireless Access Systems This white paper will investigate

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

How To Secure My Data

How To Secure My Data How To Secure My Data What to Protect??? DATA Data At Rest Data at Rest Examples Lost Infected Easily Used as Backup Lent to others Data Corruptions more common Stolen Left at airports, on trains etc Hard

More information

SECURITY TRENDS-ATTACKS-SERVICES

SECURITY TRENDS-ATTACKS-SERVICES SECURITY TRENDS-ATTACKS-SERVICES 1.1 INTRODUCTION Computer data often travels from one computer to another, leaving the safety of its protected physical surroundings. Once the data is out of hand, people

More information

Link Layer. 5.6 Hubs and switches 5.7 PPP 5.8 Link Virtualization: ATM and MPLS

Link Layer. 5.6 Hubs and switches 5.7 PPP 5.8 Link Virtualization: ATM and MPLS Link Layer 5.1 Introduction and services 5.2 Error detection and correction 5.3Multiple access protocols 5.4 Link-Layer Addressing 5.5 Ethernet 5.6 Hubs and switches 5.7 PPP 5.8 Link Virtualization: and

More information

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security Objectives Overview of IEEE 802.11 wireless security Define vulnerabilities of Open System Authentication,

More information

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration

More information

Security in Wireless Local Area Network

Security in Wireless Local Area Network Fourth LACCEI International Latin American and Caribbean Conference for Engineering and Technology (LACCET 2006) Breaking Frontiers and Barriers in Engineering: Education, Research and Practice 21-23 June

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Chapter 9: Transport Layer and Security Protocols for Ad Hoc Wireless Networks

Chapter 9: Transport Layer and Security Protocols for Ad Hoc Wireless Networks Chapter 9: Transport Layer and Security Protocols for Ad Hoc Wireless Networks Introduction Issues Design Goals Classifications TCP Over Ad Hoc Wireless Networks Other Transport Layer Protocols Security

More information

SPINS: Security Protocols for Sensor Networks

SPINS: Security Protocols for Sensor Networks SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, J.D. Tygar, Victor Wen, and David Culler Department of Electrical Engineering & Computer Sciences, University of California

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and non-repudiation. How to obtain a digital certificate. Installing

More information

Authentication Application

Authentication Application Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be

More information

UPPER LAYER SWITCHING

UPPER LAYER SWITCHING 52-20-40 DATA COMMUNICATIONS MANAGEMENT UPPER LAYER SWITCHING Gilbert Held INSIDE Upper Layer Operations; Address Translation; Layer 3 Switching; Layer 4 Switching OVERVIEW The first series of LAN switches

More information

COSC 472 Network Security

COSC 472 Network Security COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html

More information

Chapter 6 CDMA/802.11i

Chapter 6 CDMA/802.11i Chapter 6 CDMA/802.11i IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Some material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Best practices for protecting network data

Best practices for protecting network data Best practices for protecting network data A company s value at risk The biggest risk to network security is underestimating the threat to network security. Recent security breaches have proven that much

More information

Distributed Systems: Concepts and Design

Distributed Systems: Concepts and Design Distributed Systems: Concepts and Design Edition 3 By George Coulouris, Jean Dollimore and Tim Kindberg Addison-Wesley, Pearson Education 2001. Chapter 2 Exercise Solutions 2.1 Describe and illustrate

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015 CS5490/6490: Network Security- Lecture Notes - November 9 th 2015 Wireless LAN security (Reference - Security & Cooperation in Wireless Networks by Buttyan & Hubaux, Cambridge Univ. Press, 2007, Chapter

More information

Table: Security Services (X.800)

Table: Security Services (X.800) SECURIT SERVICES X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Also the

More information

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead

More information

Savitribai Phule Pune University

Savitribai Phule Pune University Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

More information

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions

More information

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode 13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) PPP-based remote access using dial-in PPP encryption control protocol (ECP) PPP extensible authentication protocol (EAP) 13.2 Layer 2/3/4

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication

More information

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS 356 Lecture 27 Internet Security Protocols. Spring 2013 CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 02 Overview on Modern Cryptography

More information

Network Security Fundamentals

Network Security Fundamentals APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Network Security Technology Network Management

Network Security Technology Network Management COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

More information

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶 Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course

More information

APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10)

APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10) APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist nurul@apnic.net Specialties: Routing &

More information

The Secure Sockets Layer (SSL)

The Secure Sockets Layer (SSL) Due to the fact that nearly all businesses have websites (as well as government agencies and individuals) a large enthusiasm exists for setting up facilities on the Web for electronic commerce. Of course

More information

Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech

Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech Advanced Topics in Distributed Systems Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech Security Introduction Based on Ch1, Cryptography and Network Security 4 th Ed Security Dr. Ayman Abdel-Hamid,

More information

Message Authentication Codes

Message Authentication Codes 2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

More information

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002 INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before

More information

Frame Relay and Frame-Based ATM: A Comparison of Technologies

Frame Relay and Frame-Based ATM: A Comparison of Technologies White Paper and -Based : A Comparison of Technologies Larry Greenstein Nuera Communications VP, Technology, Forum June 1995 June 27, 1995 i TABLE OF CONTENTS 1. PREFACE...1 2. INTRODUCTION...1 3. INTERWORKING

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

CTS2134 Introduction to Networking. Module 07: Wide Area Networks

CTS2134 Introduction to Networking. Module 07: Wide Area Networks CTS2134 Introduction to Networking Module 07: Wide Area Networks WAN cloud Central Office (CO) Local loop WAN components Demarcation point (demarc) Consumer Premises Equipment (CPE) Channel Service Unit/Data

More information

A Survey on ATM Security

A Survey on ATM Security A Survey on ATM Security Donglin Liang, dliang@cis.ohio-state.edu This paper discusses the ATM security problems, requirements, implementation issues and challenges. Most recent ATM Forum contributions

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Third Edition by William Stallings Lecture slides by Shinu Mathew John http://shinu.info/ Chapter 1 Introduction http://shinu.info/ 2 Background Information Security requirements

More information

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Architecture of distributed network processors: specifics of application in information security systems

Architecture of distributed network processors: specifics of application in information security systems Architecture of distributed network processors: specifics of application in information security systems V.Zaborovsky, Politechnical University, Sait-Petersburg, Russia vlad@neva.ru 1. Introduction Modern

More information

Securing IP Networks with Implementation of IPv6

Securing IP Networks with Implementation of IPv6 Securing IP Networks with Implementation of IPv6 R.M.Agarwal DDG(SA), TEC Security Threats in IP Networks Packet sniffing IP Spoofing Connection Hijacking Denial of Service (DoS) Attacks Man in the Middle

More information

Secure cloud access system using JAR ABSTRACT:

Secure cloud access system using JAR ABSTRACT: Secure cloud access system using JAR ABSTRACT: Cloud computing enables highly scalable services to be easily consumed over the Internet on an as-needed basis. A major feature of the cloud services is that

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

Technical Committee. ATM Security Specification Version 1.1. af-sec-0100.002

Technical Committee. ATM Security Specification Version 1.1. af-sec-0100.002 Technical Committee ATM Security Specification Version 1.1 March, 2001 2001 by The ATM Forum. This specification/document may be reproduced and distributed in whole, but (except as provided in the next

More information

Chapter 15 User Authentication

Chapter 15 User Authentication Chapter 15 User Authentication 2015. 04. 06 Jae Woong Joo SeoulTech (woong07@seoultech.ac.kr) Table of Contents 15.1 Remote User-Authentication Principles 15.2 Remote User-Authentication Using Symmetric

More information

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Alan Davy and Lei Shi Telecommunication Software&Systems Group, Waterford Institute of Technology, Ireland adavy,lshi@tssg.org

More information

Freescale Security Backgrounder Page 1

Freescale Security Backgrounder Page 1 Freescale Security Backgrounder Page 1 Freescale Security Backgrounder Page 2 Table of Contents 1. Secure Internet Traffic: A Market Imperative 2. Overview of Network Security Technologies 3. Differences

More information

A Comparative Study of Security Features in FreeBSD and OpenBSD

A Comparative Study of Security Features in FreeBSD and OpenBSD Department of Computer Science Magnus Persson A Comparative Study of Security Features in FreeBSD and OpenBSD Master s Thesis 2006:02 A Comparative Study of Security Features in FreeBSD and OpenBSD Magnus

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security

SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security International Telecommunication Union ITU-T Y.2740 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2011) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS

More information

AN OVERVIEW OF QUALITY OF SERVICE COMPUTER NETWORK

AN OVERVIEW OF QUALITY OF SERVICE COMPUTER NETWORK Abstract AN OVERVIEW OF QUALITY OF SERVICE COMPUTER NETWORK Mrs. Amandeep Kaur, Assistant Professor, Department of Computer Application, Apeejay Institute of Management, Ramamandi, Jalandhar-144001, Punjab,

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec CSCI 454/554 Computer and Network Security Topic 8.1 IPsec Outline IPsec Objectives IPsec architecture & concepts IPsec authentication header IPsec encapsulating security payload 2 IPsec Objectives Why

More information

High-Level Data Link Control

High-Level Data Link Control High-Level Data Link Control This class of data link layer protocols includes High-level Data Link Control (HDLC), Link Access Procedure Balanced (LAPB) for X.25, Link Access Procedure for D-channel (LAPD)

More information

Lecture 10: Virtual LANs (VLAN) and Virtual Private Networks (VPN)

Lecture 10: Virtual LANs (VLAN) and Virtual Private Networks (VPN) Lecture 10: Virtual LANs (VLAN) and Virtual Private Networks (VPN) Prof. Shervin Shirmohammadi SITE, University of Ottawa Prof. Shervin Shirmohammadi CEG 4185 10-1 Virtual LANs Description: Group of devices

More information

An Introduction to Cryptography and Digital Signatures

An Introduction to Cryptography and Digital Signatures An Introduction to Cryptography and Digital Signatures Author: Ian Curry March 2001 Version 2.0 Copyright 2001-2003 Entrust. All rights reserved. Cryptography The concept of securing messages through

More information

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon 1 Common security requirements Basic security tools Secret-key cryptography Public-key cryptography Example Online shopping with Amazon 2 Alice credit card # is xxxx Internet What could the hacker possibly

More information
