Security (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012




Transcription:

Course Outline: Fundamental Topics
- System view of network security: network security model; security threat model & security services model
- Overview of network security
- Security basis: cryptography: secret key cryptography; hashes and message digests; public key cryptography; key distribution and management
- Network security applications: authentication and security handshake pitfalls; well-known network security protocols such as Kerberos, IPSec, SSL/SET, PGP & PKI, WEP

An Overview of Network Security (II): Outline
- Security architecture of the OSI reference model
- Security placement within multiple protocol layers

ISO 7498-2: Security Architecture of OSI Reference Model
- Internet protocol architecture
- The OSI reference model & its services (ISO 7498-1)
- Details of ISO 7498-2

Internetworking: Internet Protocol Layering (figure)
Host A and Host B each run an application layer, a transport layer, an internet layer and a network layer; a router joining Network A and Network B implements only the internet and network layers. The protocol data unit at each layer: application layer, HTTP message; transport layer, TCP packet; internet layer, IP datagram; network layer, Ethernet frame on the physical network.

The OSI Reference Model: ISO 7498-1
- OSI reference model: internationally standardized network architecture
- An abstract representation of an ideal network protocol stack
- OSI = Open Systems Interconnection
- Specified in ISO 7498-1
- Model has 7 layers

Internet Protocols vs. OSI (Internet layer: corresponding OSI layer(s))
- 5 Application: 7 Application, 6 Presentation, 5 Session
- 4 TCP: 4 Transport
- 3 IP: 3 Network
- 2 Network Interface: 2 Data Link
- 1 Hardware: 1 Physical

Lower/Upper Layers
- Layers 1-4 are often referred to as the lower layers; layers 5-7 are the upper layers.
- Lower layers relate more closely to the communications technology; upper layers relate to applications.

Layer 7: Application Layer
- Home to a wide variety of protocols for specific user needs, e.g. virtual terminal service, file transfer, electronic mail, directory services.

Layer 6: Presentation Layer
- Concerned with the representation of transmitted data. Deals with different data representations, e.g. of numbers and characters.
- Also deals with data compression and encryption. Layer for source coding.

Layer 5: Session Layer
- Allows establishment of sessions between machines, e.g. to allow remote logins or provide a file transfer service.
- Responsible for dialogue control. Also performs token management and synchronization.

Layer 4: Transport Layer
- Basic function is to take data from the Session Layer, split it up into smaller units, and ensure that the units arrive correctly.
- Concerned with efficient provision of service. The Transport Layer also determines the type of service to provide to the Session Layer.
- Also responsible for congestion control.

Layer 3: Network Layer
- Controls the subnet. Key issue is routing in the subnet, which can be based on static tables, determined at the start of a session, or highly dynamic (varying for each packet).

Layer 2: Data Link Layer
- Provides reliable, error-free service on top of the raw Layer 1 service. Functions include encoding, CRC, etc.
- Breaks data into frames, which requires creation of frame boundaries. Frames are used to manage errors via acknowledgements and selective frame retransmission.

Layer 1: Physical Layer
- Concerned with bit transmission over the physical channel. Issues include the definition of 0/1, whether the channel is simplex/duplex, and connector design.
- Mechanical, electrical and procedural matters.

Layering Principles (figure)
An (N+1) entity acts as service user and an (N) entity as service provider. The (N+1) PDU passes down through the layer N service access point (SAP) as an SDU; layer N adds its own control information to form the N PDU, which is exchanged with the peer (N) entity under the layer N protocol, while the (N+1) entities communicate using the layer N+1 protocol. PDU = Protocol Data Unit; SDU = Service Data Unit.

Services & Protocols
- Service = set of primitives provided by one layer to the layer above. A service defines what each layer can do (but not how it does it).
- Protocol = set of rules governing data communication between peer entities, i.e. the format and meaning of frames/packets.

ISO 7498-2: Security Architecture
- Provides standard definitions of security terminology
- Provides standard descriptions for security services and mechanisms
- Defines where in the OSI reference model security services may be provided
- Introduces security management concepts

Policies, threats, services, & mechanisms
- In a secure system, the rules governing security behavior should be made explicit in the form of a security policy.
- Security policy: the set of criteria for the provision of security services.
- A security threat is a possible means by which a security policy may be breached (e.g. loss of integrity or confidentiality).
- A security service is a measure which can be put in place to address a threat (e.g. provision of confidentiality).
- A security mechanism is a means to provide a service (e.g. encryption, digital signature).

Security life-cycle in ISO 7498-2
- Define security model
- Define security policy
- Analyze security threats (according to policy)
- Define security services to meet threats
- Define security mechanisms to provide services
- Provide on-going management of security

Step 1: Generic security policy
- ISO 7498-2 generic authorization policy: "Information may not be given to, accessed by, nor permitted to be inferred by, nor may any resource be used by, those not appropriately authorized."
- Possible basis for a more detailed policy.
- Does not cover availability issues (e.g. a DoS attack against a legitimate user).

Policy Types
ISO 7498-2 distinguishes between 2 types of security policies:
- Identity-based: access to and use of resources are determined on the basis of the identities of users and resources.
- Rule-based: resource access is controlled by global rules imposed on all users, e.g. using security labels.

Step 2: Fundamental threats
- A threat is a person, thing, event or idea which poses some danger to an asset (in terms of confidentiality, integrity, availability or legitimate use).
- An attack is a realization of a threat.
- Safeguards = countermeasures (e.g. controls, procedures) to protect against threats.
- Vulnerabilities = weaknesses in safeguards.
- Four fundamental threats: information leakage; integrity violation; DoS; illegitimate use.
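The two policy types are easiest to tell apart when both decide the same request. The Python below is an added example, not part of the lecture slides: the users, resources, labels and ACL entries are constructed, and the label rule it applies (read at or below your clearance, write at or above it) is one common rule-based choice rather than a rule ISO 7498-2 prescribes.

```python
"""Identity-based vs rule-based access decisions (ISO 7498-2 policy types).
Added example; all subjects, objects, labels and ACL entries are constructed."""
from dataclasses import dataclass, field

# Ordered sensitivity levels used as security labels (constructed ordering).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class User:
    name: str
    clearance: str           # security label bound to the user


@dataclass
class Resource:
    name: str
    label: str               # security label bound to the resource
    acl: dict = field(default_factory=dict)   # user name -> set of rights


def identity_based(user: User, res: Resource, right: str) -> bool:
    """Identity-based policy: the decision depends on who asks and for what,
    looked up in the resource's access control list. Default deny, matching
    the generic authorization policy (no access unless appropriately authorized)."""
    return right in res.acl.get(user.name, set())


def rule_based(user: User, res: Resource, right: str) -> bool:
    """Rule-based policy: one global rule over security labels applies to
    every user. Here: read only at or below your clearance ("no read up"),
    write only at or above it ("no write down"), so labelled data cannot
    flow to a lower label. Unknown rights are denied."""
    u_level, r_level = LEVELS[user.clearance], LEVELS[res.label]
    if right == "read":
        return r_level <= u_level
    if right == "write":
        return r_level >= u_level
    return False


def authorize(user: User, res: Resource, right: str) -> bool:
    """Combined policy: both the identity check and the label rule must pass.
    An ACL entry alone cannot override the global rule, which is the point of
    rule-based control."""
    return identity_based(user, res, right) and rule_based(user, res, right)


def demo() -> dict:
    """Constructed scenario; returns (identity, rule, combined) per request."""
    alice = User("alice", "confidential")
    bob = User("bob", "secret")
    plan = Resource("secret-plan", "secret",
                    acl={"alice": {"read"}, "bob": {"read", "write"}})
    memo = Resource("public-memo", "public",
                    acl={"alice": {"read", "write"}, "bob": {"read"}})
    requests = [(alice, plan, "read"), (bob, plan, "write"),
                (bob, memo, "write"), (alice, memo, "read")]
    return {
        f"{u.name}:{right}:{r.name}": (identity_based(u, r, right),
                                       rule_based(u, r, right),
                                       authorize(u, r, right))
        for u, r, right in requests
    }
```

The first request is the instructive one: alice is explicitly listed on the secret plan's ACL, so an identity-based policy grants the read, but the global label rule denies it because her clearance is below the resource's label, and the combined decision follows the rule.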

Step 3: Security Services
- Security services in ISO 7498-2 are a special class of safeguards applying to a communication environment.
- ISO 7498-2 defines 5 main categories of security service: authentication (including entity authentication and origin authentication); access control; data confidentiality; data integrity; non-repudiation.

Step 4: Security Mechanisms
- Provide and support security services.
- Can be divided into two classes: specific security mechanisms, used to provide specific security services; and pervasive security mechanisms (e.g. trusted functionality, intrusion/event detection, security recovery), not specific to particular services. Often expensive.

Specific security mechanisms
Eight types: encipherment; digital signature; access control mechanisms; data integrity mechanisms; authentication exchanges; traffic padding; routing control; notarization.

Specific Mechanisms (cont'd)
- Encipherment mechanisms = encryption or cipher algorithms. Can provide data and traffic flow confidentiality.
- Digital signature mechanisms: a signing procedure (private) and a verification procedure (public). Can provide non-repudiation, origin authentication and data integrity services.
- Both can be the basis of some authentication exchange mechanisms.

Specific Mechanisms (cont'd)
- Access control mechanisms: a server uses client information to decide whether to grant access to resources, e.g. access control lists, capabilities, security labels.
- Data integrity mechanisms: protection against modification of data. Provide data integrity and origin authentication services. Also the basis of some authentication exchange mechanisms.
- Authentication exchange mechanisms: provide the entity authentication service.

Specific Mechanisms (cont'd)
- Traffic padding mechanisms: the addition of pretend data to conceal real volumes of data traffic. Provides traffic flow confidentiality.
- Routing control mechanisms: used to prevent sensitive data using insecure channels, e.g. a route might be chosen to use only physically secure network components.
- Notarization mechanisms: integrity, origin and/or destination of data can be guaranteed by using a trusted third-party notary. The notary typically applies a cryptographic transformation to the data.

Service/mechanism table
ISO 7498-2 indicates which mechanisms can be used to provide which services. Illustrative, NOT definitive. The table has one row per service and one column per mechanism (the marked cells are not reproduced in this transcription).
- Services (rows): entity authentication; origin authentication; access control; connection confidentiality; connectionless confidentiality; selective field confidentiality; traffic flow confidentiality; connection integrity with recovery; connection integrity without recovery; selective field connection integrity; connectionless integrity; selective field connectionless integrity; non-repudiation of origin; non-repudiation of delivery.
- Mechanisms (columns): encipherment; digital signature; access control; data integrity; authentication exchange; traffic padding; routing control; notarisation.

Pervasive security mechanisms
Five types identified: trusted functionality, security labels, event detection, security audit trail, security recovery.

Pervasive Mechanisms
- Trusted functionality: any functionality providing or accessing security mechanisms should be trustworthy. May involve a combination of software and hardware.
- Security labels: any resource (e.g. stored data, processing power, communications bandwidth) may have a security label associated with it to indicate security sensitivity. Similarly, labels may be associated with users. Labels may need to be securely bound to transferred data.

Pervasive Mechanisms (cont'd)
- Event detection: includes detection of attempted security violations and of legitimate security-related activity. Can be used to trigger event reporting (alarms), event logging, automated recovery.
- Security audit trail: log of past security-related events. Permits detection and investigation of past security breaches.
- Security recovery: includes mechanisms to handle requests to recover from security failures (security tolerance). May include immediate abort of operations, temporary invalidation of an entity, addition of an entity to a blacklist.

Link vs. End-to-End Encryption (ref: Network Security Essentials, by Stallings)
(1) Link encryption: a lot of encryption devices; each packet is decrypted at every switch; intermediate switches must be trusted; invisible to the users.
(2) End-to-end encryption: addresses potential flaws in lower layers; the source encrypts and the receiver decrypts; payload encrypted, header in the clear; only the end nodes must be trusted.
(3) High security: both link and E2E encryption are needed.
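Event detection, the security audit trail and security recovery form one loop: events are logged, a detector watches the trail, and a violation triggers an alarm plus an automated recovery action such as temporarily invalidating the offending entity. The Python below is an added example, not from the slides; the log format, every audit line, the threshold of three failures within 60 seconds and the ten-minute invalidation are all constructed choices.

```python
"""Event detection over a security audit trail with automated recovery.
Added example; the log format and all lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail: ISO timestamp, event kind, user, source address.
AUDIT_TRAIL = """\
2012-03-01T10:00:01 AUTH_OK user=alice src=10.0.0.7
2012-03-01T10:00:05 AUTH_FAIL user=bob src=10.0.0.5
2012-03-01T10:00:09 AUTH_FAIL user=bob src=10.0.0.5
2012-03-01T10:00:14 AUTH_FAIL user=root src=10.0.0.5
2012-03-01T10:00:20 AUTH_OK user=bob src=10.0.0.5
2012-03-01T10:02:00 AUTH_FAIL user=carol src=10.0.0.9
this line is malformed and must be skipped rather than crash the detector
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (AUTH_OK|AUTH_FAIL) user=(\S+) src=(\S+)$")


def parse_event(line: str):
    """Return a dict for a well-formed audit line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, kind, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user, "src": src}


def detect(lines, threshold=3, window=timedelta(seconds=60),
           block_for=timedelta(minutes=10)):
    """Scan the audit trail once. Returns (alarms, blacklist, aborted):
    alarms    - event reports raised when `threshold` failures from one source
                fall inside `window` (an attempted security violation);
    blacklist - source -> expiry time of its temporary invalidation (recovery);
    aborted   - later events from a blacklisted source that were refused."""
    failures = defaultdict(deque)   # src -> timestamps of recent AUTH_FAIL
    blacklist = {}
    alarms, aborted = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        # Security recovery: a temporarily invalidated entity has its
        # operations aborted until the block expires.
        expiry = blacklist.get(ev["src"])
        if expiry is not None and ev["ts"] < expiry:
            aborted.append(ev)
            continue
        if ev["kind"] != "AUTH_FAIL":
            continue
        q = failures[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # forget failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"ts": ev["ts"], "src": ev["src"], "failures": len(q)})
            blacklist[ev["src"]] = ev["ts"] + block_for
            q.clear()
    return alarms, blacklist, aborted
```

On the constructed trail the third failure from 10.0.0.5 at 10:00:14 raises the alarm and blacklists that source until 10:10:14, so the later successful login from the same address at 10:00:20 is refused, while the single failure from 10.0.0.9 never reaches the threshold. Keying on the source rather than the user name is what catches the spread across accounts (bob, then root).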

Link-to-link Encryption (figure; ref: Security in Computing, by Charles P. Pfleeger & Shari Lawrence Pfleeger)
Protocol layers: 5. application, 4. transport, 3. network, 2. data link, 1. physical. Typical message under link encryption, field order B N T M E: data link header (B), network header (N), transport header (T), message (M), data link trailer (E); the figure marks which fields are encrypted and which are in plaintext. Path: Sender, Intermediate Host (message exposed in plaintext), Receiver.
If all hosts on a network are reasonably trustworthy, but the communications medium is shared with other users or is not secure, link encryption is an easy control to use.

Security Services & Layering in General: End-to-End Encryption (figure)
Same protocol layers and message fields (B N T M E) as above, now under end-to-end encryption between Sender and Receiver via an Intermediate Host; the figure again marks which fields are encrypted and where the message is in plaintext (exposed).

Comparison of Encryption Architectures
Link-to-link encryption:
- Message is plaintext inside the hosts (trustworthy?): node authentication needed
- Faster (mostly hardware); easier/invisible for the user
- One key per node/interface pair
End-to-end encryption:
- Flexible (hardware or software)
- Application & user aware
- No trust in intermediate nodes required: end user authentication needed
- One key per host pair
Unavoidable: multilayer security provisioning
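The layering from the Internetworking and Layering Principles slides and the link versus end-to-end comparison above can be run side by side. The Python below is an added example, not from the lecture or its references: the header layouts, host names and keys are constructed, and the XOR keystream "cipher" is a placeholder standing in for a real cipher (it provides no real protection). The point is only which fields an intermediate switch can read under each architecture and how many keys each needs.

```python
"""Layered encapsulation with link vs end-to-end encryption.
Added example. Header layouts, keys and the toy cipher are constructed."""
import hashlib

MESSAGE = b"transfer 100 to acct 42"   # constructed application data (M)


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Placeholder symmetric cipher: XOR with a SHA-256 keystream. Applying it
    twice with the same key restores the data. Stands in for a real cipher
    (e.g. AES) and must not be used for actual protection."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def header_end(pdu: bytes) -> int:
    """Constructed headers look like 'X[...]'; return the index after ']'."""
    return pdu.index(b"]") + 1


def transport_pdu(message: bytes, port: int = 443) -> bytes:
    """Layer 4 treats the message as its SDU and prepends a header (T M)."""
    return f"T[port={port}]".encode() + message


def network_pdu(t_pdu: bytes, src: str, dst: str) -> bytes:
    """Layer 3 treats the transport PDU as its SDU and prepends a header (N T M)."""
    return f"N[{src}->{dst}]".encode() + t_pdu


# Link encryption: one key per link; everything above the data link header
# is encrypted, and every switch must decrypt to read the network header.

def link_frame(n_pdu: bytes, link_key: bytes, link: str) -> bytes:
    return f"B[link={link}]".encode() + toy_cipher(link_key, n_pdu)


def switch_forward(frame: bytes, in_key: bytes, out_key: bytes, next_link: str):
    """Intermediate switch: decrypt with the incoming link key, read the
    network header to route, re-encrypt with the outgoing link key.
    Returns (what the switch could observe, the outgoing frame)."""
    n_pdu = toy_cipher(in_key, frame[header_end(frame):])
    return n_pdu, link_frame(n_pdu, out_key, next_link)


def link_receive(frame: bytes, link_key: bytes) -> bytes:
    return toy_cipher(link_key, frame[header_end(frame):])


# End-to-end encryption: one key per host pair; only T M is encrypted and
# the network header stays in the clear, so switches need no key at all.

def e2e_send(message: bytes, src: str, dst: str, e2e_key: bytes) -> bytes:
    return network_pdu(toy_cipher(e2e_key, transport_pdu(message)), src, dst)


def switch_view_e2e(n_pdu: bytes):
    """A switch without the end-to-end key sees the N header and an opaque payload."""
    cut = header_end(n_pdu)
    return n_pdu[:cut], n_pdu[cut:]


def e2e_receive(n_pdu: bytes, e2e_key: bytes) -> bytes:
    return toy_cipher(e2e_key, n_pdu[header_end(n_pdu):])


def compare(message: bytes = MESSAGE) -> dict:
    """Send the same message A -> R -> B under both architectures."""
    link_keys = {"A-R": b"constructed-link-key-A-R",
                 "R-B": b"constructed-link-key-R-B"}     # one key per link
    e2e_key = b"constructed-end-to-end-key-A-B"           # one key per host pair

    frame = link_frame(network_pdu(transport_pdu(message), "A", "B"),
                       link_keys["A-R"], "A-R")
    seen_at_switch, frame = switch_forward(frame, link_keys["A-R"],
                                           link_keys["R-B"], "R-B")
    link_delivered = link_receive(frame, link_keys["R-B"])

    pkt = e2e_send(message, "A", "B", e2e_key)
    n_header, opaque = switch_view_e2e(pkt)
    e2e_delivered = e2e_receive(pkt, e2e_key)

    return {
        "link_switch_reads_message": message in seen_at_switch,
        "e2e_switch_reads_message": message in opaque,
        "e2e_switch_reads_network_header": n_header,
        "link_delivered": link_delivered.endswith(message),
        "e2e_delivered": e2e_delivered.endswith(message),
    }
```

Both paths deliver the message intact, but under link encryption the switch R holds a plaintext copy of the whole network PDU (which is why the slide says intermediate nodes must be trusted and node authentication is needed), whereas under end-to-end encryption R can read only the network header it needs for routing. Combining the two, as slide (3) recommends for high security, would hide even the network header on each link while keeping the payload opaque inside R.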