Chapter 9 Integrating Security Services into Communication Architectures



Similar documents
Network Security. Chapter 9 Integrating Security Services into Communication Architectures

Computer Network. Interconnected collection of autonomous computers that are able to exchange information

Communication Networks. MAP-TELE 2011/12 José Ruela

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Computer Networks Vs. Distributed Systems

Zarządzanie sieciami telekomunikacyjnymi

Security Technology: Firewalls and VPNs

Computer Networks. Definition of LAN. Connection of Network. Key Points of LAN. Lecture 06 Connecting Networks

Application Note AP050001EN June VPN setup for the XV100

ethernet services for multi-site connectivity security, performance, ip transparency

References and Requirements for CPE Architectures for Data Access

Lecture 1. Lecture Overview. Intro to Networking. Intro to Networking. Motivation behind Networking. Computer / Data Networks

Master Course Computer Networks IN2097

Securing an IP SAN. Application Brief

Security Design.

NZQA Expiring unit standard 6857 version 4 Page 1 of 5. Demonstrate an understanding of local and wide area computer networks

Communications and Computer Networks

12. Firewalls Content

Introduction to Computer Networks and Data Communications

For extra services running behind your router. What to do after IP change

Mobility and cellular networks

Gateways and Their Roles

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

CSET 4750 Computer Networks and Data Communications (4 semester credit hours) CSET Required IT Required

Convergence Technologies Professional (CTP) Course 1: Data Networking

Overview of Routing between Virtual LANs

CSE 3461 / 5461: Computer Networking & Internet Technologies

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Protocols and Architecture. Protocol Architecture.

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

1.264 Lecture 37. Telecom: Enterprise networks, VPN

Advanced Internetworking

Protocols. Packets. What's in an IP packet

Intranet Security Solution

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Firewall Architecture

Vega 100G and Vega 200G Gamma Config Guide

Introduction: Why do we need computer networks?

Wireless Links - Wireless communication relies on radio signals or infrared signals for transmitting data.

Steelcape Product Overview and Functional Description

Virtual Private Networks

Basic Network Configuration

Circuit-Switched Router Connections Nathan J. Muller

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Chapter 5. Data Communication And Internet Technology

The WestNet Advantage: -- Textbooks, ebooks, ecourses -- Instructor Resourse Center -- Student Resource Center

"ASM s INTERNATIONAL E-Journal on Ongoing Research in Management and IT"

Remote Access VPNs Performance Comparison between Windows Server 2003 and Fedora Core 6

SFWR 4C03: Computer Networks & Computer Security Jan 3-7, Lecturer: Kartik Krishnan Lecture 1-3

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

IP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life

Associate in Science Degree in Computer Network Systems Engineering

EE4367 Telecom. Switching & Transmission. Prof. Murat Torlak

2. IP Networks, IP Hosts and IP Ports

Chapter 9. IP Secure

WAN. Introduction. Services used by WAN. Circuit Switched Services. Architecture of Switch Services

2.1 What are distributed systems? What are systems? Different kind of systems How to distribute systems? 2.2 Communication concepts

White Paper. Telenor VPN

524 Computer Networks

Network Security Topologies. Chapter 11

Genexis FTTH Network Architecture

CS 294-7: Cellular Digital Packet Data (CDPD) Prof. Randy H. Katz CS Division University of California, Berkeley Berkeley, CA

Expert Reference Series of White Papers. Understanding Network Regions: The Essentials

Firewalls and Virtual Private Networks

SpiderCloud E-RAN Security Overview

Certes Networks Layer 4 Encryption. Network Services Impact Test Results

BroadCloud PBX Customer Minimum Requirements

Availability Digest. Redundant Load Balancing for High Availability July 2013

Cloud Infrastructure Planning. Chapter Six

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. Kapil.Kumar@relianceinfo.com

Domain Name System. Proper use reduces intranet administration costs. Architecture DNS. Service. Flexible Scalable Extensible

Wide Area Networks. Learning Objectives. LAN and WAN. School of Business Eastern Illinois University. (Week 11, Thursday 3/22/2007)

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

BCIS BUSINESS DATA COMMUNICATIONS and NETWORKING Mr. Cengiz Capan -- Spring 2016

Layered Architectures and Applications

SITEL Voice Architecture

High-performance VoIP Traffic Optimizer Client Solution

WAN Technology. Heng Sovannarith

How To Protect Your Network From Attack

Using Rsync for NAS-to-NAS Backups

Introduction to WAN Technologies

VPN. Date: 4/15/2004 By: Heena Patel

Cisco RV 120W Wireless-N VPN Firewall

Cable Modems. Definition. Overview. Topics. 1. How Cable Modems Work

Chapter 12 Supporting Network Address Translation (NAT)

Internetworking Microsoft TCP/IP on Microsoft Windows NT 4.0

The OSI Model and the TCP/IP Protocol Suite

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Cisco Unified Communications Manager 7.0

How To Use A Network Over The Internet (Networking) With A Network (Netware) And A Network On A Computer (Network)

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Transcription:

Network Security Chapter 9 Integrating Security Services into Communication Architectures Prof. Dr.-Ing. Georg Carle Chair for Computer Networks & Internet Wilhelm-Schickard-Institute for Computer Science University of Tübingen http://net.informatik.uni-tuebingen.de/ carle@informatik.uni-tuebingen.de Network Security, WS 2003/04 9. Chapter 9 Integrating Security Services into Communication Architectures Network Security, WS 2003/04 9.2

Motivation: What to do where Analogous to the methodology of security analysis, there are two dimensions guiding the integration of security services into communications architectures: Endsystem (Initiator) Network Endsystem (Responder) 5 5 4 4 3 3 2 2 Network Data Link Physical Application Transport 3 3 3 3 2 2 2 2 Network Data Link Physical 5 5 4 4 3 3 2 2 Dimension : Which security service should be realized in which node Dimension 2: Which security service should be realized in which layer Network Security, WS 2003/04 9.3 A Pragmatic Model for Secured & Networked Computing () Application A Application B End System Comm. Application Level End System Level Application C Application B End System Comm. End- System End- System 2 Subnetwork Subnetwork 2 Subnetwork Level Inter-Network Link Level Network Security, WS 2003/04 9.4

A Pragmatic Model for Secured & Networked Computing (2) Application: A piece of software that accomplishes some specific task, e.g. electronic email, web service, word processing, data storage, etc. End System: One piece of equipment, anywhere in the range from personal computer to server to mainframe computer For security purposes one end system usually has one policy authority Subnetwork: A collection of communication facilities being under the control of one administrative organization, e.g. a LAN, campus network, WAN, etc. For security purposes one subnetwork usually has one policy authority Inter-Network: A collection of inter-connected subnetworks In general, the subnets connected in an inter-network have different policy authorities Network Security, WS 2003/04 9.5 A Pragmatic Model for Secured & Networked Computing (3) There are four levels at which distinct requirements for security protocol elements arise: Application level: Security protocol elements that are application dependent End system level: Provision of protection on an end system to end system basis Subnetwork level: Provision of protection over a subnetwork or an inter-network which is considered less secure than other parts of the network environment Link level: Provision of protection internal to a subnetwork, e.g. over a link which is considered less trusted than other parts of the subnetwork environment Network Security, WS 2003/04 9.6

Relationships Between s & Requirements Levels Protocol s Application Transport Network Link Physical Security Protocol Elements Level Application Level End System Level Subnetwork Level Link Level The relations between protocol layers and the protocol element security requirements levels are not one-to-one: Security mechanisms for fulfilling both the end system and the subnetwork level requirements can be either realized in the transport and / or the network layer Link level requirements can be met by integrating security mechanisms or using special functions of the either the link layer and / or the physical layer Network Security, WS 2003/04 9.7 General Considerations for Architectural Placement () Traffic mixing: As a result of multiplexing, there is greater tendencies at lower levels to have data items from different source/destination-users and / or applications mixed in one data stream A security service realized at one layer / level will treat the traffic of that layer / level in an equal manner, resulting in inadequate control over security mechanisms for users and applications If a security policy demands for a more differentiated treatment, it should be better realized at a higher level Route knowledge: At lower levels, there tends to be more knowledge about the security characteristics of different routes and links In environments, where such characteristics vary significantly, placing security at lower levels can have effectiveness and efficiency benefits Appropriate security services can be selected on a subnetwork or link basis eliminating cost for security, where protection is unnecessary Network Security, WS 2003/04 9.8

General Considerations for Architectural Placement (2) Number of protection points: Placing security at the application level requires security to be implemented in every sensitive application and every end system Placing security at the link level requires security to be implemented at the end of every network link which is considered to be less trusted Placing security in the middle of the architecture will tend to require security features to be installed at fewer points Protocol header protection: Security protection at higher levels can not protect protocol headers of lower protocol layers The networking infrastructure might need to be protected as well Source / sink binding: Security services like data origin authentication and non-repudiation depend upon association of data with its source or sink This is most efficiently achieved at higher levels, especially the application level Network Security, WS 2003/04 9.9 Considerations Regarding Specific Levels () Application level: This level might be the only appropriate level, for example because: A security service is application specific, e.g. access control for a networked file store A security service needs to traverse application gateways, e.g. integrity and / or confidentiality of electronic mail Semantics of data is important, e.g. for non-repudiation services It is beyond the reach of a user / application programmer to integrate security at a lower level End system level: This level is appropriate when end systems are assumed to be trusted and the communication network is assumed to be untrusted Further advantages of end system level security: Security services are transparent to applications The management of security services can be more easily given in the hands of one system administrator Network Security, WS 2003/04 9.0

Considerations Regarding Specific Levels (2) Subnetwork level: Even if security implemented on this level might be implemented in the same protocol layer like for the end system level, these should not be mixed up: With security implemented on the subnetwork level, usually the same protection is realized for all end systems of that subnetwork It is very common, that a subnetwork close to an end system is considered equally trusted, as there are on the same premises and administered by the same authorities In most situations there are far less subnetwork gateways to be secured than there are end systems Link level: If there are relatively few untrusted links, it might be sufficient and as well easier and cheaper to protect the network on the link level Furthermore the link level allows to make use of specific protection techniques, like spread spectrum or frequency hopping techniques Traffic flow confidentially usually demands for link level protection Network Security, WS 2003/04 9. Human User Interactions Some network security services involve direct interaction with a human user, the most important one being authentication Such interactions do not cleanly fit into any of the architectural options presented so far, as the user is external to the communication facilities Communications supporting authentication can be realized in one of the following manners: Locally: The human user authenticates to the local end system The end system authenticates itself to the remote end system and advises the user identity The remote system has to trust the local end system Involving protocol elements at the application layer: The user passes some authentication information to the local system which is securely relayed to the remote system Combining the above means: Example: Kerberos Network Security, WS 2003/04 9.2

Integration into Lower Protocol s vs. Applications Benefits of integrating security services into lower network layers: Security: The network itself also needs to be protected Security mechanisms realised in the network elements (esp. in hardware) are often harder to attack for network users Application Independence: Basic network security services need not be integrated into every single application Quality of Service (QoS): QoS preserving scheduling of the communication subsystem can also schedule encryption of co-existing data streams Example: simultaneous voice call and FTP transfer Efficiency: Hardware support for computationally intensive encryption / decryption can be easier integrated into protocol processing Network Security, WS 2003/04 9.3 Integration into End Systems vs. Intermediate Systems Integration into end systems: Can be done generally either on the application or end system level In some special cases also a link level protection might be appropriate, e.g. when using a modem to connect to a dedicated device Integration into intermediate systems Can be done on all four levels: Application / end system level: for securing management interfaces of intermediate nodes, not for securing user data traffic Subnetwork / link level: for securing user data traffic Depending on the security objectives an integration in both end systems and intermediate systems might be appropriate Network Security, WS 2003/04 9.4

Example: Authentication Relations in Inter-Networks Private Network Public Network Private Network Authentication Relation Application for securing Endsystem Endsystem User Channels Endsystem Intermediate System Management Interfaces, Accounting Intermediate Intermediate System Network Operation: Signaling Routing, Accounting,... Network Security, WS 2003/04 9.5 Conclusion Integration of security services into communications architectures is guided by two main questions: Which security service into which node Which security service into which layer These design choices can also be guided by looking at a pragmatic model of networked computing which distinguishes four different levels on which security services may be realized: Application / end system / subnetwork / link level As there are various reasons for and against each option, there is no single solution to this design problem In this course we will, therefore, study some examples of security services integration into network architectures in order to better understand the implications of the design choices made Network Security, WS 2003/04 9.6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information