A Survey on ATM Security

Donglin Liang

Abstract: This paper discusses ATM security problems, requirements, implementation issues and challenges. The most recent ATM Forum contributions about security and two recent results, the draft ATM Security Framework and the draft Phase I Security Specification, are also discussed.

Other Reports on Recent Advances in Networking / Raj Jain's Home page

Table of Contents

1. Overview
2. Threats to ATM networks
   2.1 Eavesdropping
   2.2 Spoofing
   2.3 Service Denial
   2.4 Stealing of VCs
   2.5 Traffic Analysis
3. Requirements of an ATM security system
   3.1 Requirements of a network security system
   3.2 ATM Security Framework
4. Implementing security services on ATM
   4.1 ATM Security Scope
   4.2 Placement of ATM Security Services
   4.3 Draft Phase I Security Specification
   4.4 Comments and Suggestions on the Phase I Security Specification
   4.5 Challenges in ATM Security
5. Conclusion
References

1. Overview

In recent years, security has become more and more significant in network environments with the emergence of internetworking technology. Internetworking provides communication channels across networks so that machines in different networks can talk to each other. However, in such an open environment the internetworking communication is exposed to all kinds of attacks. Most network technologies, which were not originally designed with security mechanisms, have to be redesigned to provide security services. ATM is one of those technologies.

ATM stands for Asynchronous Transfer Mode. Originally it is the transfer mode used to implement B-ISDN (Broadband Integrated Services Digital Network), so that all forms of traffic (voice, video, data, etc.) can be transferred over telecommunication networks. But ATM is not restricted to B-ISDN. It has been used to provide a simplified network infrastructure for various kinds of networks, e.g. LAN, MAN or WAN.

ATM is a connection-oriented technique. In ATM, hosts are connected by a network of switches. When two parties want to talk, they first request a Virtual Channel from the switch network; then the two parties can send data to each other. Although the communicating parties can send data of any size, ATM always delivers data in a fixed-size unit called a cell. A cell has a 5-octet header and a 48-octet payload. Cell switching is based on the 5-octet header, so a cell can go through a switch very quickly. To meet the different requirements of specific traffic, ATM also introduces the concept of Quality of Service (QoS). Details about ATM technology can be found in any ATM textbook [CL95, DL95], and the most recent advances in this area can be found in the discussions and contributions of the ATM Forum, which is the standards organization for ATM.

In fact, ATM security did not gain enough attention until 1995, when a group within the ATM Forum was established to address security issues. Therefore, compared with other security areas, ATM security is still in its infancy.

In this paper, we first examine the threats to ATM networks, and then we discuss the requirements of ATM security. In section 4 we discuss the implementation issues of ATM security, including the Phase I ATM Security Specification.
In the conclusion, we discuss some examples of ATM security products.

2. Threats to ATM networks

Like other networks, ATM networks are subject to many threats [LPR97, Hanson95, Chuang96, Deng95, KB96, TF95]. Typical ones are eavesdropping, spoofing, service denial, VC stealing and traffic analysis. Notice that VC stealing and traffic analysis happen only in ATM networks.

2.1 Eavesdropping

Eavesdropping refers to the threat that an attacker connects or taps into the transmission medium and gains unauthorized access to the data. It is one of the most common attacks on a network. Since most ATM networks are connected with optical cables, some people might get the wrong impression that it is not so easy to tap an ATM network. However, Bacon [BACON] reported that, depending on the tapping point, the equipment to tap a fiber optic cable costs about $2,000, which is affordable for almost any individual. Although a hacker has to be familiar with the communication technology and the protocols operating at the tapping point, this information is widely available in the academic environment. For instance, any member of the ATM Forum can access the contributions and specifications about ATM architecture and ATM security, and there are a lot of home pages on these topics. As the technology matures, standards will be established and the technology will be well known; nothing will be protected by keeping documents secret.

2.2 Spoofing

In a spoofing attack, an attacker tries to impersonate another user to a third party, and can therefore get access to resources belonging to the victim, either to take advantage of them or just to destroy them. Spoofing might need special tools to manipulate the protocol data unit, and sometimes it might require that the attacker has special access permission, say, the super user in a UNIX environment. However, since a network will be connected to many untrusted networks via the Internet, it is impossible to prevent a hacker from getting this access permission, or even to trace the people with this particular access permission. ATM is being deployed in the public domain; therefore it is subject to this kind of attack as well.

2.3 Service Denial

ATM is a connection-oriented technique. A connection, which is called a Virtual Circuit (VC) in ATM, is managed by a set of signals. A VC is established by SETUP signals and can be disconnected by RELEASE or DROP PARTY signals. If an attacker sends a RELEASE or DROP PARTY signal to any intermediate switch on the path of a VC, then the VC will be disconnected [SHB95]. By sending these signals frequently, the attacker can greatly disturb the communication between one user and another, and therefore defeat the Quality of Service (QoS) of ATM. Combining this technique with other tricks like eavesdropping, the attacker can even completely block one user from another.

2.4 Stealing of VCs

If two switches in an ATM network are compromised, the attacker can even steal a VC from another user. Say VC1 and VC2 are two virtual channels which both go through switch A and switch B. VC1 is owned by user U1 and VC2 is owned by user U2. If A and B are compromised, then A can switch VC1's cells going from A to B through VC2, and B will switch those cells back to VC1. Since switches forward cells based on the VCI (Virtual Channel Identifier) or VPI (Virtual Path Identifier) in the cell header, A and B can just alter these fields back and forth. Switches between A and B will not notice these changes and will switch the purported VC2 cells just like the authentic VC2 cells. In a public packet-switching network, U1 would not gain much by this trick.
However, in an ATM network where quality of service is guaranteed, user 1 can gain a lot by stealing a higher quality channel which user 1 is not entitled to use according to the access control policy. User 1 gains even more if every user has to pay for the communication. In both cases, user 2 is hurt. Some may argue that the probability that switches are compromised is pretty low. That would be true if the ATM network were owned by one organization. However, as mentioned by Alles [ALLES95], when we consider ATM internetworking, in which cells travel through different ATM networks, it will be very easy for two switches to be compromised.

2.5 Traffic Analysis

Traffic analysis [TF95] refers to the threat that a hacker can obtain information by collecting and analyzing characteristics like the volume, timing and communicating parties of a VC. Volume and timing can reveal a lot of information to the hacker even though the data is encrypted, because encryption does not affect the volume and timing of the information. The source and destination parties can also be obtained from the cell header (normally in clear text) together with some knowledge of the routing tables. Another related threat is covert channels. In this technique, the attacker encodes information in the timing and volume of data, in the VCI, or even in the session key, to release information to another party without being monitored. Normally, these two attacks will not happen. However, when ATM is used in an environment requiring stringent security, they might.

3. Requirements of an ATM security system

To build an ATM security system, the first thing we should do is identify the requirements for securing communication over ATM. This issue has been discussed widely in the ATM Forum [MH95, SPEC97, FRWK97] and in the literature [TF95, SHBW96, KB96, Deng95]. In this section, we first talk about general requirements for a network security system, and then we discuss the first draft of the ATM security framework, which summarizes the recent results on this topic in ATM Forum contributions.

3.1 Requirements of a network security system

When we talk about network security, the following requirements have to be considered:

- Authentication: the user is the one it claims to be.
- Confidentiality: only authorized users can access the content of the data.
- Integrity: the data is not altered by third parties during transmission.
- Non-repudiation: a user cannot deny the fact that it has accessed a service or data.

It has been proved that, apart from non-repudiation, a secure public network has to meet at least the other three requirements. A security system for a network also has to provide secure key management (e.g. key distribution) services and user access control.

A good key management scheme is the foundation of a security system. Security comes from encryption/decryption; if the keys used in encryption/decryption can be easily obtained by an attacker, then the security system is defeated. In a network system, because there are so many users, key management and distribution can no longer be done manually. It has to be done automatically or semi-automatically, and key exchange goes through the network. How to secure the keys when they are transferred over the network, especially when the network is being set up, is a big issue.

Authentication is important in a communication system. In a public network, everything, even the keys, has to be authenticated to prevent spoofing. Confidentiality is not only required to keep the data from unauthorized access, but also guarantees the correctness of symmetric key distribution.
Integrity can be viewed as a kind of authentication: the data should be the original data sent by the one who claims to have sent it (without tampering). Key management, authentication, confidentiality and integrity depend on each other; flaws in any of them make the system insecure.

Access control is more significant in ATM networks than in other networks. ATM networks guarantee the quality of service (QoS) of communication. QoS is implemented by classifying the traffic into different classes and routing them with different priorities. If access to the network is unrestricted, then nothing can be done about QoS. For more details and discussion of these concepts, the reader can refer to recent data security texts such as [CLS89, MP93, SP89].

3.2 ATM Security Framework

People have practiced security for a long time. In the past, security services were considered only after the network service was completely designed. These ad hoc approaches turned out to be unsatisfactory. The ATM Forum tries to avoid such pitfalls by considering security as an integrated part of ATM. Recently, the ATM Forum Security Working Group proposed a draft Security Framework for ATM [FRWK97] to address the basic requirements for ATM security. The framework was originally proposed by Klasen, Munzert and Nauer [KMN971] in February. Based on an analysis of the objectives from the customer side, the operator side and the public community side, the draft identifies the main security objectives for ATM security:

- Confidentiality
- Data Integrity
- Accountability
- Availability

Confidentiality and data integrity are obvious. Accountability means that all ATM network service invocations and network management activities should be accountable, and any entity should be responsible for the actions it initiates. Accountability includes both authentication and non-repudiation. It is extremely important for operators to manage the system and bill for services. Availability means all legitimate entities should be able to access ATM facilities correctly; no service denial should happen. That is important for QoS operation.

According to these main objectives, the draft proposes the principal functions which an ATM security system should provide:

- Verification of Identities: the security system should be able to establish and verify the claimed identity of any actor in an ATM network.
- Controlled Access and Authorization: actors should not be able to gain access to information or resources they are not authorized for.
- Protection of Confidentiality: stored and communicated data should be confidential.
- Protection of Data Integrity: the security system should guarantee the integrity of stored and communicated data.
- Strong Accountability: an entity cannot deny responsibility for the actions it performed, nor for their effects.
- Activities Logging: the security system should support the capability to retrieve information about security activities in the Network Elements, with the possibility of tracing this information to individuals or entities.
- Alarm Reporting: the security system should be able to generate alarm notifications about certain adjustable and selectable security-related events.
- Audit: when violations of security happen, the system should be able to analyze the logged data relevant to security.
- Security Recovery: the security system should be able to recover from successful or attempted breaches of security.
- Security Management: the security system should be able to manage the security services derived from the above requirements.

Among the ten requirements, the last two do not themselves provide security services. However, they are necessary to support the maintenance of security services. If the security system cannot be recovered from attacks and cannot provide security services any more, then the system will not be secure after those attacks. On the other hand, security services and the information about security have to be managed securely. They are the foundations of the security system.

The draft also includes an interpretation of the functional requirements for the user plane in terms of specific ATM instances (the interpretation first appeared in [KMN972]). An interpretation of the functional requirements for the control plane can be found in [KM97]. However, they do not include many details. Actually, different instances of ATM networks have different concerns about the threats and therefore emphasize different objectives. A framework should be abstract enough to provide a guideline for different ATM instances. The security working group will finish the mapping of the security services onto the ATM network architecture, and the identification of the mechanisms and algorithms to implement the security services, in the future. But whatever they finally come up with, it should be flexible enough to fit different ATM network instances.

4. Implementing security services on ATM

After identifying the requirements of an ATM security system, we discuss how to implement security services on an ATM network. In this section, we first examine the architecture of ATM and identify the ATM security scope. Then we discuss how to place the security services in the ATM architecture. After that, we discuss the current draft of the Phase I Security Specification (01-03), which is proposed by the ATM Forum, and survey some new comments and suggestions which are not included in that draft. Finally, we discuss some challenges in implementing ATM security services.

4.1 ATM Security Scope

To identify the ATM security scope, let us first look at the architecture of ATM. The ATM architecture (figure 1) includes three planes:

- User plane
- Control plane
- Management plane

Each plane includes entities. Entities in the user plane transfer user data, while entities in the control plane deal with connection establishment, release and other connection functions. The management plane entities perform management and coordination functions related to both the user plane and the control plane; in particular, the management plane includes the PNNI functions related to establishment of a routing infrastructure. Besides the entities in these three planes, there are ATM layer entities. The ATM layer entities perform ATM data transfer on behalf of the entities in the three planes. Figure 2 shows the interaction of all the entities. It is obvious that to implement the security requirements in ATM networks, all three planes and the ATM layer have to be included in the scope.

4.2 Placement of ATM Security Services

Having identified the requirements and scope of ATM security, we now discuss where to put the security services in the ATM network architecture.

According to figure 2, the user plane is the plane that directly interacts with the user. Therefore, to meet the user's security objectives, the user plane has to provide security services like access control, authentication, data confidentiality and integrity. Other services like key exchange, a certification infrastructure and negotiation of security options might be useful to meet the variety of customers' requirements; therefore they should also be supported by the user plane [SPEC97]. Note that providing different security service options is important because of the various traffic classes in an ATM network. Different connections have different security requirements, and user plane security services have to provide enough flexibility to meet them.

In ATM, the control plane configures the network to provide a communication channel for a user. From figure 2, we can see that the control plane can interact with the switching table, or manage the virtual channel. Several attacks mentioned in section 2 are related to the control plane. Therefore, it is very important to secure the control plane. The key to securing the control plane may be to provide authentication and confidentiality of signaling [SPEC97]. If the message recipient, or even a third party, can verify the source of a message, then the denial of service attack cannot happen. Control plane authentication could also be used to provide auditing information for accurate billing which is immune to repudiation.

Management plane security is also important. Chuang [Chuang96] has suggested that a management plane security scheme should at least consider the following items: bootstrapping security, authenticated neighbor discovery, Interim Local Management Interface security and permanent virtual circuit security. And in the security framework, we have to provide security recovery and security management. The major parts of these two requirements seem to have to be implemented in the management plane.

Since all data have to be transmitted through the ATM layer, the security of the ATM layer is extremely important. As pointed out by Peyravian and Herreweghen [MH95], authentication, confidentiality and integrity are also required in the ATM layer. ATM layer security has to be implemented on an end-to-end (ATM endpoint to ATM endpoint), edge-to-edge (border ATM switch to border ATM switch) and ATM endpoint to switch basis [MH95]. Here, data integrity is a tricky thing. Since the switches can see and forward ATM cells, data integrity for edge-to-edge and ATM endpoint to switch is better implemented on a per-ATM-cell basis. That means we have to include a signature in each cell, which introduces unwanted overhead. Therefore, Peyravian and Herreweghen [MH95] suggest that integrity only be provided on an endpoint to endpoint basis.
Be aware that endpoint to endpoint security in the ATM layer is different from security in a higher layer [MH95]. An ATM layer connection is not the same as a higher layer connection. Therefore, although an ATM connection is authenticated and secure, the higher layer connection should still be authenticated and protected. This is especially necessary when a connection is set up for a legacy network which is connected to an ATM switch. In this case, the connection is shared by all hosts on the legacy network. Actually, the security issues of this scenario are still untouched.

4.3 Draft Phase I Security Specification

To solve the security problem for ATM, the ATM Forum Security Working Group is working on an ATM security infrastructure. Their efforts have resulted in the Phase I Security Specification [SPEC97]. So far, they have come up with the third draft (01-03). The current draft of the Phase I Security Specification deals mainly with the security mechanisms in the user plane and a part of the control plane. It includes mechanisms for authentication, confidentiality, data integrity and access control for the user plane, and mechanisms for authentication for the control plane. The management plane and the rest of the control plane have not been touched yet. The specification also specifies some supporting security services: negotiation of security services and parameters. Note that the specification specifies only the mechanisms which must be implemented in the ATM layer and/or the AAL (ATM Adaptation Layer) [SPEC97].

The goal of the Phase I Security Specification is to provide an infrastructure flexible enough to accommodate different algorithms and key lengths, provide interoperability across vendors, provide compatibility with ATM devices without the security extension, and provide separability of authentication and integrity from confidentiality. The infrastructure also has to be scalable to a large number of users and compatible across successive versions of the specification.

User plane security in the Phase I Security Specification is applied on a per-VC basis. The security services will be supported in point-to-point and point-to-multipoint fashion. At the ends of a VC, or along the path of a VC, there will be Security Agents (SAs [Bullard97]). Security is implemented between security agents.

In user plane security, access control is used to prevent unauthorized parties from establishing connections. To make the specification independent of any implementation, the Phase I Specification standardizes the information and the information exchange mechanism required by a specific access control algorithm. Authentication is used to make sure that the calling and called parties are indeed genuine. Authentication is the first step of the communication. In the specification, authentication is done via cryptographic techniques with symmetric or asymmetric key algorithms.

According to the specification, the data confidentiality mechanism works on a per-cell basis. The payload of a cell is encrypted so that it cannot be accessed by an unauthorized user. Notice that the encryptor does not encrypt or change the cell header.

Data integrity is separated from data confidentiality in the Phase I Specification. This separation allows the data integrity service to be implemented at the AAL Service Data Unit (SDU) level. For each AAL-SDU, a signature is computed and attached to the AAL-SDU so that the receiver can check whether or not the data has been corrupted. Data integrity has two options: one provides replay/reordering protection while the other does not. The difference in implementation is that, for the option with replay/reordering protection, a sequence number is attached to the AAL-SDU before the calculation of the signature, so the signature protects both the data and the sequence number. The receiver can then discard an old AAL-SDU based on the sequence number attached to it.

Control plane security currently provides just a signaling authentication mechanism which binds an ATM signaling message to its source. This binding can be used by the receiver, or by third parties, to verify that the message is from the source it claims to be from.
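As an added illustration of the two AAL-SDU integrity options described above (this is not code from the paper or from the ATM Forum specification): a keyed hash serves as the signature, and in the replay/reordering-protected option a sequence number is appended to the SDU before the hash is computed, so the receiver can discard an old or repeated SDU. HMAC-SHA256, the 16-octet signature length and the 32-bit sequence number are assumptions of the example; the sample SDUs are constructed.

```python
import hmac
import hashlib
import struct

# Assumptions of this example (not fixed by the text): HMAC-SHA256 as the keyed
# hash, a 16-octet signature, and a 32-bit big-endian sequence number.
SIG_LEN = 16
SEQ_LEN = 4


def _signature(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:SIG_LEN]


class IntegritySender:
    """Security agent on the sending side of a VC (one key per VC)."""

    def __init__(self, key: bytes, replay_protection: bool):
        self.key = key
        self.replay_protection = replay_protection
        self.seq = 0  # next sequence number (wrap-around handling omitted)

    def protect(self, sdu: bytes) -> bytes:
        """Return the AAL-SDU with the signature (and, optionally, the sequence
        number) appended."""
        body = sdu
        if self.replay_protection:
            # The sequence number is appended BEFORE signing, so the signature
            # covers both the data and the number.
            body += struct.pack(">I", self.seq)
            self.seq += 1
        return body + _signature(self.key, body)


class IntegrityReceiver:
    """Security agent on the receiving side: verifies and, optionally, orders."""

    def __init__(self, key: bytes, replay_protection: bool):
        self.key = key
        self.replay_protection = replay_protection
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, pdu: bytes):
        """Return (status, sdu); status is 'ok', 'corrupt' or 'replay'."""
        min_len = SIG_LEN + (SEQ_LEN if self.replay_protection else 0)
        if len(pdu) < min_len:
            return "corrupt", b""
        body, sig = pdu[:-SIG_LEN], pdu[-SIG_LEN:]
        # Constant-time comparison so the signature check does not leak timing.
        if not hmac.compare_digest(sig, _signature(self.key, body)):
            return "corrupt", b""
        if not self.replay_protection:
            return "ok", body
        sdu, seq = body[:-SEQ_LEN], struct.unpack(">I", body[-SEQ_LEN:])[0]
        if seq <= self.last_seq:
            # Old or re-ordered SDU: discarded, as the text describes.
            return "replay", b""
        self.last_seq = seq
        return "ok", sdu


def demo() -> list:
    """Constructed run: three SDUs delivered in order, then the first one
    replayed, then a tampered copy of the third. Returns the receiver's verdicts."""
    key = b"constructed per-VC integrity key"
    tx, rx = IntegritySender(key, True), IntegrityReceiver(key, True)
    pdus = [tx.protect(b"SDU %d" % i) for i in range(3)]
    verdicts = [rx.verify(p)[0] for p in pdus]
    verdicts.append(rx.verify(pdus[0])[0])                      # replayed SDU
    tampered = pdus[2][:2] + bytes([pdus[2][2] ^ 0x01]) + pdus[2][3:]
    verdicts.append(rx.verify(tampered)[0])                     # modified data
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['ok', 'ok', 'ok', 'replay', 'corrupt']
```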
This can protect the ATM network from attacks like service denial which manipulate the signals. Signaling authentication is also significant for accurate billing. Notice that authentication for the control plane is different from authentication in the user plane, because a signaling message has both end-to-end and hop-by-hop significance. A signaling message is processed by each switch on the way; therefore hop-by-hop authentication is necessary. In the current draft of the specification, the authentication of the control plane is still not finished.

Compared to the work on security of the user plane and control plane, the support services are more mature in the current draft of the specification. The following issues have been addressed:

- security message exchange protocols and basic negotiation
- security messaging in the control plane
- security messaging in the user plane
- key exchange
- session key update
- certificate infrastructure

These services provide a basis for the ATM security system. The Phase I Security Specification has specified how to apply existing algorithms to implement these services.

4.4 Comments and Suggestions on the Phase I Security Specification

The Phase I Security Specification has addressed a lot of issues in ATM security. However, compared with what we expect from the security framework, the achievement is far from complete. A lot of comments and suggestions have been made.

The first issue is the security of the management plane. The management plane is not included in the scope of the Phase I Security Specification. As pointed out by Bogler et al. [bnm97], the Phase I Security Specification should include some basic management requirements and managed entities for ATM security; otherwise interoperability will be confined to the user and control planes. Being aware of that, they propose a protocol-independent MIB for the management of ATM security services [bmn97]. However, their scheme does not cover all the aspects of security management. Two other important issues, ATM system security management and security of ATM network management, are not addressed in their proposal at all.

Realizing the importance of the security of ATM network management, Przygieda and Bullard [PB971] proposed a mechanism for PNNI peer authentication and cryptographic data integrity, which was accepted at the ATM Forum Chicago meeting and later developed into baseline text [PB972]. In their proposal, they identify two kinds of threats to PNNI: 1) "Unauthorized introduction of routing information"; 2) "Unauthorized modification of routing information". Under these circumstances, authentication and integrity are the most important requirements. To provide strong authentication between peer entities, they introduce a PNNI certification hierarchy. In this hierarchy, a peer has to present credentials which have been certified by an authority to the peers it wants to speak to. After authentication is finished, the peers can exchange session keys which they can use to protect the integrity of later messages. After that, peers can talk to each other safely. Notice that this proposal does not solve all the security problems for PNNI. For example, if a trusted PNNI peer entity introduces inappropriate information, then there is no way to prevent it.

Another suggestion concerns the negotiation of algorithms for security services. In the current draft of the Phase I ATM Security Specification, only a primary and an alternate algorithm are available to select from for each security service. Hebda, Shields and Kubic point out that it is desirable to allow more than two algorithm choices for any security service [HSK97]. Therefore, they propose a scheme in which an initiator gives a list of algorithms and the responder selects one from it based on its capabilities and the priorities of the list.
In this way, the negotiation of algorithms is quite flexible, although it might result in choosing an unexpected combination of algorithms for a set of security services [HSK97].

As mentioned above, even authentication of the control plane is not finished in the current draft of the Phase I Security Specification. A suggestion has been made by Shields et al. [SKH97]. In their proposal, user plane data integrity is used to provide hop-by-hop authentication of signaling messages; that is, a keyed hash function is computed over the AAL5 SDU as the signature. Each authenticated link has an agreed-upon algorithm and key(s). Notice that control plane authentication cannot use a two- or three-way exchange protocol, because the signals have to be verified as they traverse the network.

When ATM technology is used in wireless communication, unique security problems arise [CF97]. These introduce a set of mobile-specific security requirements [BW96] into ATM security. Therefore Bautz and Wrona [BW97] suggest that security for wireless ATM should be included in a future version of the security specification.

In the next section, we look at what makes ATM security so difficult to implement.

4.5 Challenges in ATM Security

At first glance, ATM security should not be too difficult to implement, since we have various security practices in other fields. However, ATM security is very difficult to implement. An ATM switch is a high speed cell multiplexer, and an ATM network is a connection-oriented network. These properties bring some unique problems when we try to secure ATM communication. In this section we present some challenges in the implementation of ATM security mechanisms; most of them can be found in [Chuang96].

It is clear that encryption is the basis for solving a lot of security problems. In ATM security, encryption happens at two levels. One level is the application level. There is no problem with it, since we can apply any security mechanism. The other level is the ATM layer. At this level, we deploy the security mechanism in a switch. Since a switch sees and forwards only cells, we have to apply the security mechanism to a cell. That cannot be totally avoided in an ATM network. For example, if we want to provide integrity and confidentiality services for the cell header, or if we want to protect the signals, then we have to encrypt/decrypt a cell in each switch. That brings a series of adverse effects.

The first challenge in securing an ATM network is how to find a cryptographic mechanism that matches the high communication speed of a switch. Cryptography is used to provide confidentiality, authentication and even integrity services for a security system. Unfortunately, most traditional cryptographic mechanisms operate at no more than 10 Mbps when implemented in software, or hundreds of Mbps when implemented in hardware. This speed cannot meet the speed of a switch, which normally operates at hundreds of Mbps up to Gbps. Although [HE92] proposed an implementation of DES which can operate at Gbps, it takes a big time overhead to warm up when the session key changes. Due to the key agility requirement we shall introduce, it is not a good solution to that problem. From here we can see why the Phase I Security Specification has not addressed how to protect the cell header.

Another issue rules out a lot of traditional cryptographic mechanisms. The ATM cell payload is 48 bytes. Therefore any block cipher with a block size of more than 384 bits cannot be applied to encrypt a cell. Even if the block size of a cipher is smaller than 384 bits, the alignment of the cell and the cipher block also affects the choice of a cryptographic algorithm. The Phase I Security Specification encounters this problem since data confidentiality in the user plane is on a per-cell basis. An alternative to block ciphers is stream ciphers. However, this solution suffers from the problem of resynchronization. If a cell is lost during transmission, then when the receiver receives and decrypts the subsequent cell sequence, the data will look like garbage.
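To make the per-cell confidentiality constraints and the stream cipher resynchronization problem just described concrete, here is an added example (not from the paper or from the ATM Forum specification): a 48-octet payload encrypted as six 64-bit blocks behind a clear 5-octet header, beside a stream cipher whose keystream runs on across cells, so that one lost cell leaves every later cell undecipherable at the receiver. The toy Feistel cipher and the HMAC-based keystream are stand-ins for real ciphers (assumptions of the example), and the cells are constructed.

```python
import hmac
import hashlib

# ATM cell layout: 5-octet header (left in the clear so switches can still
# forward on VPI/VCI) and a 48-octet payload, i.e. 384 bits = six 64-bit blocks.
HEADER_LEN, PAYLOAD_LEN, BLOCK_LEN = 5, 48, 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher: 32 bits of HMAC-SHA256(key, round || half).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher on a 64-bit block (stand-in for DES; assumption)."""
    assert len(block) == BLOCK_LEN
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _round_fn(key, r, rnd))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: run the rounds backwards."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round_fn(key, l, rnd)), l
    return l + r


def encrypt_cell(key: bytes, cell: bytes) -> bytes:
    """Per-cell confidentiality: encrypt the 48-octet payload block by block and
    leave the header untouched. Each cell is self-contained, so a lost cell does
    not affect the decryption of the following ones. (Plain ECB over the six
    blocks, for brevity; choosing a mode is part of the alignment problem.)"""
    header, payload = cell[:HEADER_LEN], cell[HEADER_LEN:]
    assert len(payload) == PAYLOAD_LEN
    blocks = [payload[i:i + BLOCK_LEN] for i in range(0, PAYLOAD_LEN, BLOCK_LEN)]
    return header + b"".join(toy_block_encrypt(key, b) for b in blocks)


def decrypt_cell(key: bytes, cell: bytes) -> bytes:
    header, payload = cell[:HEADER_LEN], cell[HEADER_LEN:]
    blocks = [payload[i:i + BLOCK_LEN] for i in range(0, PAYLOAD_LEN, BLOCK_LEN)]
    return header + b"".join(toy_block_decrypt(key, b) for b in blocks)


class Keystream:
    """Toy stream cipher (assumption): keystream derived from HMAC-SHA256 over a
    counter, consumed continuously across cells with no per-cell resync marker."""

    def __init__(self, key: bytes):
        self.key, self.ctr, self.buf = key, 0, b""

    def take(self, n: int) -> bytes:
        while len(self.buf) < n:
            self.buf += hmac.new(self.key, self.ctr.to_bytes(8, "big"),
                                 hashlib.sha256).digest()
            self.ctr += 1
        out, self.buf = self.buf[:n], self.buf[n:]
        return out


def stream_xor_cell(ks: Keystream, cell: bytes) -> bytes:
    """XOR the payload with the next 48 keystream octets; header stays in clear."""
    header, payload = cell[:HEADER_LEN], cell[HEADER_LEN:]
    return header + _xor(payload, ks.take(PAYLOAD_LEN))


def make_cells(n: int) -> list:
    """Constructed sample cells: a made-up 5-octet header and a payload filled
    with the cell's index so recovered payloads are easy to recognise."""
    return [bytes([0x00, 0x00, 0x10, i, 0x00]) + bytes([i]) * PAYLOAD_LEN
            for i in range(n)]


def transmit(cells: list, lost_index: int, mode: str) -> list:
    """Encrypt the cells, drop the cell at lost_index (-1 for no loss), decrypt
    what arrives and return the recovered payloads in arrival order."""
    key = b"constructed per-VC session key"
    if mode == "block":
        sent = [encrypt_cell(key, c) for c in cells]
        arrived = [c for i, c in enumerate(sent) if i != lost_index]
        return [decrypt_cell(key, c)[HEADER_LEN:] for c in arrived]
    tx, rx = Keystream(key), Keystream(key)      # sender and receiver start in sync
    sent = [stream_xor_cell(tx, c) for c in cells]
    arrived = [c for i, c in enumerate(sent) if i != lost_index]
    # The receiver cannot tell a cell was lost: it keeps consuming keystream from
    # where it was, so every cell after the loss is decrypted with the wrong octets.
    return [stream_xor_cell(rx, c)[HEADER_LEN:] for c in arrived]
```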
Even if we find a cryptographic mechanism that meets the above requirements, the high speed of ATM introduces difficulties in key management. At such speeds ATM moves a large volume of data in a short time. Take a link at the OC-3 rate of 155 Mbps: at 424 bits per cell (5 header plus 48 payload octets), about 0.37 million cells pass through a switch every second. With DES, whose block size is 64 bits, each cell payload is 6 cipher blocks, so about 2.2 million DES blocks go through the switch per second. If the number of VCs through the switch is not large, an attacker who collects that volume of ciphertext under one key has a great deal of material for cryptanalysis, and assuming that attackers cannot muster the computing power to exploit it is already questionable, let alone in the near future. Independently of the key size, a 64-bit block cipher also has a mode-level limit: after roughly 2^32 blocks under one key, block collisions in modes such as CBC begin to leak information about the plaintext. To limit the exposure, the system has to change the session key frequently. If we assume that a session key may not be used for more than 100 million cipher blocks, then its lifetime at this rate is under a minute (100M / 2.2M blocks per second is about 45 s), which makes many traditional key exchange mechanisms inadequate. Even with a scheme that can change session keys at that rate, another problem appears: in a traditional key exchange the session key is encrypted under a permanent key, and exchanging session keys that frequently gives an attacker enough material to attack the permanent key in a relatively short time. As the Phase I Security Specification proposes, security is applied on a per-VC basis, that is, an encryptor/decryptor uses a different key for each VC. One advantage of this is containment: if one VC is compromised, the confidentiality of the other VCs is unaffected. Another is that the session-key lifetime can be reasonably long, since the traffic of a single VC is normally much lower than the total traffic through the switch (an assumption that may no longer hold if multimedia traffic becomes popular over ATM).
With this method the system can even offer a different quality of security service to different VCs, which introduces the concept of QoS into ATM security. The difficulty of implementing the scheme in ATM is that the encryptor must be able to access a range of key data at high speed [TF95]: it has to switch session keys dynamically and apply the new key to the very next cell. This requirement, called key agility, is non-trivial. As [HE92] notes, some cryptographic algorithms need a long set-up time when the encryption key changes. Worse, with the large number of potential VCs, looking the key up in a big key table adds a delay that sits in the per-cell critical path and can therefore become the bottleneck of the system.
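A per-VC, key-agile encryptor with a cipher-block budget per key, as an added example that serves both the key-lifetime arithmetic above and the key-agility requirement; it is not code from the survey, from [TF95] or from the Phase I specification. Assumptions made here: both ends share a long-term master secret and derive each VC's session key for key generation g with a PRF, so a rekey needs no message exchange; each cell is tagged with its VC, key generation and cell index, which a real system would have to carry out of band or in control cells; and the per-cell "cipher" is XOR with an HMAC-based keystream, a stand-in rather than a real cipher.

```python
"""Per-VC keying, key agility and session-key lifetime on an ATM link.

Added example; not code from the survey, [TF95] or the ATM Forum Phase I
specification. Assumed: a shared master secret from which per-VC session
keys are derived per generation with a PRF; cells tagged with (VC,
generation, cell index); XOR with an HMAC keystream standing in for a cipher.
"""
import hashlib
import hmac

CELL_BITS = 53 * 8          # 424 bits per cell on the wire (5 header + 48 payload octets)
PAYLOAD_BYTES = 48
BLOCK_BITS = 64             # DES-sized blocks, as in the survey's arithmetic
BLOCKS_PER_CELL = PAYLOAD_BYTES * 8 // BLOCK_BITS   # 6


def cells_per_second(link_bps: float) -> float:
    return link_bps / CELL_BITS


def blocks_per_second(link_bps: float, share: float = 1.0) -> float:
    """Cipher blocks per second under one key; `share` is the fraction of the
    link that key covers (1.0 = one key for the whole link; a single VC
    carrying 1% of the link has share 0.01)."""
    return cells_per_second(link_bps) * BLOCKS_PER_CELL * share


def key_lifetime_seconds(link_bps: float, block_budget: int, share: float = 1.0) -> float:
    """Seconds until `block_budget` cipher blocks have passed under one key."""
    return block_budget / blocks_per_second(link_bps, share)


def _derive_key(master: bytes, vpi: int, vci: int, generation: int) -> bytes:
    # Assumed key schedule: PRF over (VPI, VCI, generation) under the master secret.
    label = vpi.to_bytes(2, "big") + vci.to_bytes(2, "big") + generation.to_bytes(4, "big")
    return hmac.new(master, b"atm-vc-key" + label, hashlib.sha256).digest()


def _keystream(key: bytes, cell_index: int) -> bytes:
    parts = [hmac.new(key, cell_index.to_bytes(8, "big") + bytes([i]), hashlib.sha256).digest()
             for i in (0, 1)]
    return b"".join(parts)[:PAYLOAD_BYTES]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyAgileEndpoint:
    """One end of a link. `table` holds per-VC state (current key, generation,
    blocks used); the encryptor touches it on every cell, which is the lookup
    the survey places in the critical path."""

    def __init__(self, master: bytes, block_budget: int):
        self.master = master
        self.block_budget = block_budget
        self.table = {}        # (vpi, vci) -> {"key", "generation", "blocks_used"}
        self.rekeys = 0

    def _entry(self, vpi: int, vci: int) -> dict:
        vc = (vpi, vci)
        if vc not in self.table:
            self.table[vc] = {"key": _derive_key(self.master, vpi, vci, 0),
                              "generation": 0, "blocks_used": 0}
        return self.table[vc]

    def encrypt_cell(self, vpi: int, vci: int, payload: bytes) -> tuple:
        assert len(payload) == PAYLOAD_BYTES
        e = self._entry(vpi, vci)
        if e["blocks_used"] >= self.block_budget:      # budget spent: rekey this VC only
            e["generation"] += 1
            e["key"] = _derive_key(self.master, vpi, vci, e["generation"])
            e["blocks_used"] = 0
            self.rekeys += 1
        cell_index = e["blocks_used"] // BLOCKS_PER_CELL   # keystream never reused under a key
        ct = _xor(payload, _keystream(e["key"], cell_index))
        e["blocks_used"] += BLOCKS_PER_CELL
        return (vpi, vci, e["generation"], cell_index, ct)

    def decrypt_cell(self, vpi: int, vci: int, generation: int, cell_index: int, ct: bytes) -> bytes:
        # The receiver follows the generation tagged on the cell, so it keeps up
        # with the sender's rekey without a round trip.
        return _xor(ct, _keystream(_derive_key(self.master, vpi, vci, generation), cell_index))


def demo(n_cells: int = 100, block_budget: int = 300) -> dict:
    """n_cells on VC (0,100) under a 300-block budget: one rekey after 50 cells;
    VC (0,200) is unaffected and stays on generation 0."""
    master = b"\x42" * 32                                  # constructed shared secret
    sender = KeyAgileEndpoint(master, block_budget)
    receiver = KeyAgileEndpoint(master, block_budget)
    ok = 0
    for i in range(n_cells):
        payload = bytes([i % 256]) * PAYLOAD_BYTES          # constructed cell payload
        ok += receiver.decrypt_cell(*sender.encrypt_cell(0, 100, payload)) == payload
    other = sender.encrypt_cell(0, 200, bytes(PAYLOAD_BYTES))
    return {"decrypted_ok": ok, "rekeys": sender.rekeys,
            "generation_vc100": sender.table[(0, 100)]["generation"],
            "generation_vc200": other[2]}


if __name__ == "__main__":
    print(round(key_lifetime_seconds(155.52e6, 10**8)), "s per key on a full OC-3 link")
    print(round(key_lifetime_seconds(155.52e6, 10**8, share=0.01)), "s per key for a 1% VC")
    print(demo())
```

Running the lifetime function with the survey's numbers gives about 45 s for one key covering a full OC-3 link and a 100-million-block budget, roughly half an hour at the 2^32-block birthday bound of a 64-bit cipher, and about 75 minutes for a VC that carries 1% of the link, which is the whole argument for per-VC keys in numbers.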

Finally, given ATM's capacity to carry multi-service traffic, how to charge for the services and maintain a secure billing system is still an open question, and how to combine this with electronic payment systems is another.

5. Conclusion

ATM is perhaps the most complex networking technology we have ever had, and securing such a complex system will be even harder than designing it. People have only just begun to discuss the issues of ATM security, and it will take time to work out how to achieve the security objectives completely. Because the goal of ATM is to provide a unified networking platform and communication infrastructure, ATM security, as part of that infrastructure, has to be flexible and compatible with other technologies, which makes the task harder still. As discussed in this paper, something has been achieved in the past two years: the ATM Forum Security Working Group has produced drafts of a security specification and a security framework, and many other security issues have been discussed in the ATM Forum, as surveyed here. The problem, although it seems to grow, is becoming clearer.

Some ATM security products are available now, most of them encryptors. GTE offers a product called InfoGuard 100, which provides secure delivery of ATM cells over local and wide area ATM networks, and another called the FASTLANE encryptor, which is claimed to provide high-speed, transparent, low-latency security services for multimedia applications across both local and wide area ATM networks. Secant Network Technologies offers a key-agile encryptor system called CellCase, which can handle at least 35 calls per second. Network Systems claims to have implemented an ATM firewall. Although these implementations are small compared with the big picture of ATM security, they will provide experience for implementing security services in ATM networks.

Reference

ATM Forum Contributions:
[SPEC97] Security Working Group, Phase I ATM Security Specification, ATM Forum BTD-SEC-01.03, July 1997. Proposes an ATM security infrastructure.
[FRWK97] Security Working Group, Security Framework for ATM Networks, ATM Forum BTD-SEC-FRWK-01.01, July 1997. Discusses the general functional requirements of an ATM security system.
[KMN971] W. Klasen, M. Munzert, and B. Nauer, Security Framework for ATM Networks, ATM FORUM/ , Feb 1997. Proposes a security framework.
[KMN972] W. Klasen, M. Munzert, and B. Nauer, Plane Specific Interpretation of Functional Security Requirements, ATM FORUM/ , April 1997. Interprets the security requirements for the user plane.
[BNM97] G. Bogler, B. Nauer, and M. Munzert, Proposed Work on Management Capabilities for ATM Security, ATM FORUM/ , Feb 1997. Discusses the need to include management capabilities in the Phase I Security Specification.
[BMN97] G. Bogler, M. Munzert, and B. Nauer, Requirements and Protocol Independent MIB for the Management of the ATM Security Services, ATM FORUM/ R1, July 1997. Proposes a protocol for security management in the control and user planes.
[HSK97] Kim Hebda, Linda Shields, and Chris Kubic, Selection and Negotiation of Multiple Algorithms to Support Security Services, ATM FORUM/ , July 1997. Extends the selection of security algorithms from two to more than two.
[SKH97] Linda Shields, Chris Kubic, and Kim Hebda, Control Plane Authentication, ATM FORUM/ , July 1997. Proposes using user-plane data integrity to provide hop-by-hop authentication of signalling messages.
[PB972] Tony Przygienda and Carter Bullard, Baseline Text for PNNI Peer Authentication and Cryptographic Data Integrity, ATM FORUM/ , July 1997. Discusses mechanisms to secure PNNI messages.
[PB971] Tony Przygienda and Carter Bullard, Mechanisms and Formats for PNNI Peer Authentication and Cryptographic Data Integrity, ATM FORUM/ , April 1997. Original version of [PB972].
[KM97] W. Klasen and M. Munzert, Plane Specific Interpretation of Functional Security Requirements - Control Plane, ATM FORUM/ , July 1997. Interprets the security requirements proposed in the ATM security framework for the control plane.
[BW96] G. Bautz and K. Wrona, Security Requirements for WATM Systems, ATM FORUM/ , Oct 1996. Identifies the basic security requirements for wireless ATM.
[BW97] G. Bautz and K. Wrona, Proposal to Include Security for Wireless ATM into the Phase 2 Working Scope of the SEC WG, ATM FORUM/ , July 1997. Discusses the need to include security for wireless ATM in the ATM security scope.
[CF97] C. Clanton and L. D. Finkelstein, Proposed Definition of the Wireless ATM Security Problem, ATM FORUM/ . Discusses the general security problem of wireless ATM.
[Bullard97] Carter Bullard, ATM Forum Security Agent Specification, ATM Forum/ , April 1997. Introduces the concept of security agents.
[MH95] M. Peyravian and E. V. Herreweghen, ATM Scope & Requirement, ATM FORUM/ . Discusses basic requirements for ATM security.

Publications:
[TF95] Richard Taylor and Greg Findlow, Asynchronous Transfer Mode: Security Issues, Proc. Australian Telecommunication Networks and Applications Conference, 5-7 Dec. 1995, pp. . Discusses basic threats and countermeasures of ATM security; a security architecture is also discussed.
[ALLES95] Anthony Alles, ATM Internetworking, presented at Engineering InterOp, Las Vegas, March 1995. Mentions the security problems that arise when ATM networks are connected through the Internet.
[KB96] J. Kimmins and B. Booth, "Security for ATM Networks", Computer Security Journal, XII(1):21-29, 1996. Discusses relevant aspects of ATM security.
[Deng95] R. Deng et al., "Securing Data Transfer in Asynchronous Transfer Mode Networks", Proceedings of GLOBECOM'95, Singapore, November 13-17, 1995, pp. . Discusses security requirements and a security architecture for ATM networks.
[Chuang96] Shaw-Cheng Chuang, "Securing ATM Networks", 3rd ACM Conference on Computer and Communications Security, New Delhi, India, 1996, pp. . Discusses challenges, security mechanism placement and security requirements of ATM networks.
[SHBW95] Daniel Stevenson, Nathan Hillery, Greg Byrd and Dan Winkelstein, Design of a Key Agile Cryptographic System for OC-12c Rate ATM, Internet Society Symposium on Network and Distributed Systems Security, Feb 1995.
[SHB95] D. Stevenson, N. Hillery and G. Byrd, Secure Communications in ATM Networks, Communications of the ACM, Vol. 38, No. 2, pp. , Feb 1995. Discusses security threats, cell encryption and securing call setup in ATM networks.
[Sem94] W. Semancik et al., "Cell Level Encryption for ATM Networks and Some Results from Initial Testing", Proc. DoD Fiber Optics '94 Conf., Armed Forces Commun. and Elect. Assn., Mar 22-24, 1994.
[Hanson95] L. Hanson, "The Impact of ATM on Security in Data Networks", Proc. of Compsec International 1995, Conf. 12, pp. .
[Chuang95] S. C. Chuang, "A Flexible and Secure Multicast Architecture for ATM Networks", Global Telecommunications Conference, Nov. 1995, pp. .
[LPR97] Maryline Laurent, Olivier Paul and Pierre Rolin, "Securing Communications over ATM Networks", IFIP SEC'97, Copenhagen, Denmark, May 1997.
[Lau96] Maryline Laurent, "Security Flows Analysis of the ATM Emulated LAN Architecture", IFIP Conference on Communications and Multimedia Security, Essen, Germany, September 1996.
[HE92] H. Eberle, A High Speed DES Implementation for Network Applications, Advances in Cryptology - CRYPTO '92, Berlin: Springer-Verlag, 1993, pp. .
[BACON] M. Bacon, Security: A Question of Confidence, Telecommunications (Int. Ed.) (USA), Vol. 23, No. 11, pp. 51-52, Nov.

Data Security Textbooks:
[CLS89] W. Caelli, D. Longley and M. Shain, Information Security for Managers, Macmillan U.K., Stockton Press Canada, 1989.
[MP93] M. Purser, Secure Data Networking, Artech House USA, 1993.
[SP89] J. Seberry and J. Pieprzyk, Cryptography: An Introduction to Computer Security, Prentice Hall, 1989.

ATM Textbooks:
[DL95] H. Dutton and P. Lenhard, "Asynchronous Transfer Mode (ATM) Technical Overview", 2nd Ed., Prentice Hall, 1995.
[CL95] T. M. Chen and S. S. Liu, "ATM Switching Systems", Artech House, Inc., 1995.

Last Modified 8/14/


More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Chapter 9 Integrating Security Services into Communication Architectures

Chapter 9 Integrating Security Services into Communication Architectures Network Security Chapter 9 Integrating Security Services into Communication Architectures Prof. Dr.-Ing. Georg Carle Chair for Computer Networks & Internet Wilhelm-Schickard-Institute for Computer Science

More information

PrivyLink Internet Application Security Environment *

PrivyLink Internet Application Security Environment * WHITE PAPER PrivyLink Internet Application Security Environment * The End-to-end Security Solution for Internet Applications September 2003 The potential business advantages of the Internet are immense.

More information

Notes on Network Security - Introduction

Notes on Network Security - Introduction Notes on Network Security - Introduction Security comes in all shapes and sizes, ranging from problems with software on a computer, to the integrity of messages and emails being sent on the Internet. Network

More information

SecureCom Mobile s mission is to help people keep their private communication private.

SecureCom Mobile s mission is to help people keep their private communication private. About SecureCom Mobile SecureCom Mobile s mission is to help people keep their private communication private. We believe people have a right to share ideas with each other, confident that only the intended

More information

Link Layer. 5.6 Hubs and switches 5.7 PPP 5.8 Link Virtualization: ATM and MPLS

Link Layer. 5.6 Hubs and switches 5.7 PPP 5.8 Link Virtualization: ATM and MPLS Link Layer 5.1 Introduction and services 5.2 Error detection and correction 5.3Multiple access protocols 5.4 Link-Layer Addressing 5.5 Ethernet 5.6 Hubs and switches 5.7 PPP 5.8 Link Virtualization: and

More information

Is your data safe out there? -A white Paper on Online Security

Is your data safe out there? -A white Paper on Online Security Is your data safe out there? -A white Paper on Online Security Introduction: People should be concerned of sending critical data over the internet, because the internet is a whole new world that connects

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

OSI Reference Model: An Overview

OSI Reference Model: An Overview OSI Reference Model: An Overview Gaurav Bora 1, Saurabh Bora 2, Shivendra Singh 3, Sheikh Mohamad Arsalan 4 ( 1 Department of Electronics, Uttarakhand Technical University, Dehradun, INDIA) ( 2 Department

More information

Wireless Networks. Welcome to Wireless

Wireless Networks. Welcome to Wireless Wireless Networks 11/1/2010 Wireless Networks 1 Welcome to Wireless Radio waves No need to be physically plugged into the network Remote access Coverage Personal Area Network (PAN) Local Area Network (LAN)

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Keywords Cloud Storage, Error Identification, Partitioning, Cloud Storage Integrity Checking, Digital Signature Extraction, Encryption, Decryption

Keywords Cloud Storage, Error Identification, Partitioning, Cloud Storage Integrity Checking, Digital Signature Extraction, Encryption, Decryption Partitioning Data and Domain Integrity Checking for Storage - Improving Cloud Storage Security Using Data Partitioning Technique Santosh Jogade *, Ravi Sharma, Prof. Rajani Kadam Department Of Computer

More information

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper Rev 1.0 HIPAA Security Considerations for Broadband Fixed Wireless Access Systems This white paper will investigate

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Fundamentals of Mobile and Pervasive Computing

Fundamentals of Mobile and Pervasive Computing Fundamentals of Mobile and Pervasive Computing Frank Adelstein Sandeep K. S. Gupta Golden G. Richard III Loren Schwiebert Technische Universitat Darmstadt FACHBEREICH INFORMATIK B1BLIOTHEK Inventar-Nr.:

More information

TELECOMMUNICATION NETWORKS

TELECOMMUNICATION NETWORKS THE USE OF INFORMATION TECHNOLOGY STANDARDS TO SECURE TELECOMMUNICATION NETWORKS John Snare * Manager Telematic and Security Systems Section Telecom Australia Research Laboratories Victoria TELECOMMUNICATIONS

More information

Department of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus

Department of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus Department of Computer & Information Sciences CSCI-445: Computer and Network Security Syllabus Course Description This course provides detailed, in depth overview of pressing network security problems

More information

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from http://www.antiphishing.org/

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from http://www.antiphishing.org/ DB1 Phishing attacks, usually implemented through HTML enabled e-mails, are becoming more common and more sophisticated. As a network manager, how would you go about protecting your users from a phishing

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

March 2005. PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

March 2005. PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools March 2005 PGP White Paper Transport Layer Security (TLS) & Encryption: Complementary Security Tools PGP White Paper TLS & Encryption 1 Table of Contents INTRODUCTION... 2 HISTORY OF TRANSPORT LAYER SECURITY...

More information

Lecture 17 - Network Security

Lecture 17 - Network Security Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Idea Why donʼt we just integrate some of these neat

More information

ITL BULLETIN FOR JANUARY 2011

ITL BULLETIN FOR JANUARY 2011 ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

SafeNet Network Encryption Solutions Safenet High-Speed Network Encryptors Combine the Highest Performance With the Easiest Integration and

SafeNet Network Encryption Solutions Safenet High-Speed Network Encryptors Combine the Highest Performance With the Easiest Integration and SafeNet Network Encryption Solutions Safenet High-Speed Network Encryptors Combine the Highest Performance With the Easiest Integration and Management SafeNet Network Encryption and Isolation Solution

More information

Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1 Cryptography and Network Security Chapter 1 Acknowledgments Lecture slides are based on the slides created by Lawrie Brown Chapter 1 Introduction The art of war teaches us to rely not on the likelihood

More information

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and non-repudiation. How to obtain a digital certificate. Installing

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

Problems of Security in Ad Hoc Sensor Network

Problems of Security in Ad Hoc Sensor Network Problems of Security in Ad Hoc Sensor Network Petr Hanáček * hanacek@fit.vutbr.cz Abstract: The paper deals with a problem of secure communication between autonomous agents that form an ad hoc sensor wireless

More information

Evaluate the Usability of Security Audits in Electronic Commerce

Evaluate the Usability of Security Audits in Electronic Commerce Evaluate the Usability of Security Audits in Electronic Commerce K.A.D.C.P Kahandawaarachchi, M.C Adipola, D.Y.S Mahagederawatte and P Hewamallikage 3 rd Year Information Systems Undergraduates Sri Lanka

More information

EE4367 Telecom. Switching & Transmission. Prof. Murat Torlak

EE4367 Telecom. Switching & Transmission. Prof. Murat Torlak Packet Switching and Computer Networks Switching As computer networks became more pervasive, more and more data and also less voice was transmitted over telephone lines. Circuit Switching The telephone

More information

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002 INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before

More information