The document provides an overview of the Telecommunications and Network Security domain, covering security countermeasures and controls for different layers of the OSI model including physical, data-link, network, transport, and application layers. It also discusses VPNs, NAS, and technical implementations of countermeasures like routers, switches, firewalls, and intrusion detection/prevention systems. The learning objectives focus on understanding communications and network security as it relates to data transmission in local and wide area networks.
This document provides an overview of topics related to telecommunications and network security that will be covered in a two-part review. Part 1 will discuss security principles and the IP architecture, terms and definitions, and the OSI and TCP/IP models from the physical layer to the application layer. Part 2 will continue the discussion of security principles and network architecture, then cover security countermeasures and controls at each layer. Both parts aim to demonstrate an understanding of communications and network security as it relates to data networks.
This document provides an overview of the key topics within the Security Architecture & Design domain for the CISSP certification. It covers computing platforms such as early electro-mechanical machines, the von Neumann model, and transistor-based computers. It also discusses security models, evaluation and certification, security architecture concepts and implementation models. Specific topics include operating systems, CPU and memory components, software elements, process scheduling, and operating modes. The document serves as a high-level study aid for understanding the domain's important foundational concepts.
The document provides an overview of the Information Security & Risk Management domain for the CISSP certification. It discusses key topics including information security concepts, governance, risk management, information classification, and security controls. The objectives are to understand planning and securing information assets, developing security policies and procedures, conducting risk assessments, and implementing controls to ensure confidentiality, integrity and availability. New requirements for 2012 include project management knowledge and privacy compliance.
This document discusses cryptography and public key infrastructure (PKI) in two parts. Part 1 reviews classic and modern ciphers as well as hash functions, symmetric and asymmetric cryptography, and hybrid cryptography. Part 2 discusses utilization of cryptography through PKI, types of crypto attacks, and issues with crypto export. It provides details on PKI components like directory services and certificate management services.
This document provides an overview of access control concepts and topics relevant to the CISSP certification. It defines access control as the mechanisms that grant or revoke the right to access data or perform actions on an information system. The document outlines key access control topics like identification, authentication, authorization, accountability, access control models, and monitoring. It also discusses access control principles such as least privilege and separation of duties.
This document provides an overview of access control systems and methodology. It discusses key access control concepts like authentication, identification, and authorization. It covers different access control models like discretionary access control (DAC), mandatory access control (MAC), and formal models like Bell-LaPadula and Biba. The document also discusses access control implementation through hardware, software, policies and other means. It highlights challenges with formal access control models and standards like the Orange Book.
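The Bell-LaPadula and Biba rules mentioned above are easiest to see side by side in code. The following is an added example written for this page, not code from the summarised document: a small reference monitor that decides read and write requests under both models over a single linear label lattice. The label names, subjects and sample requests are constructed for illustration; real deployments normally keep separate lattices for confidentiality and integrity.

```python
"""Added example (not from any document listed on this page): a reference
monitor enforcing Bell-LaPadula (confidentiality) and Biba (integrity) rules
over one ordered label lattice. Labels and requests are constructed."""
from dataclasses import dataclass

# Ordered lattice, lowest to highest (constructed names; any total order works).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True if label a is at least as high in the lattice as label b."""
    return RANK[a] >= RANK[b]


def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and
    *-property (no write down). 'op' is 'read' or 'write'."""
    if op == "read":
        return dominates(subject_level, object_level)
    if op == "write":
        return dominates(object_level, subject_level)
    raise ValueError(f"unknown op {op!r}")


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba strict integrity: no read down, no write up (the dual of BLP)."""
    if op == "read":
        return dominates(object_level, subject_level)
    if op == "write":
        return dominates(subject_level, object_level)
    raise ValueError(f"unknown op {op!r}")


@dataclass(frozen=True)
class Decision:
    op: str
    subject: str
    obj: str
    blp: bool
    biba: bool

    @property
    def both(self) -> bool:
        """What a system enforcing BLP and Biba on the same lattice would do."""
        return self.blp and self.biba


def evaluate(requests):
    """Run (subject_level, object_level, op) triples through both models."""
    return [Decision(op, s, o, blp_allows(s, o, op), biba_allows(s, o, op))
            for s, o, op in requests]


# Constructed sample requests from a SECRET-cleared subject.
SAMPLE = [
    ("SECRET", "CONFIDENTIAL", "read"),   # read down:  BLP allow, Biba deny
    ("SECRET", "TOP_SECRET", "read"),     # read up:    BLP deny,  Biba allow
    ("SECRET", "TOP_SECRET", "write"),    # write up:   BLP allow (blind write), Biba deny
    ("SECRET", "CONFIDENTIAL", "write"),  # write down: BLP deny (leak), Biba allow
    ("SECRET", "SECRET", "write"),        # same level: both allow
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE):
        verdict = lambda ok: "allow" if ok else "deny "
        print(f"{d.op:5} subj={d.subject:12} obj={d.obj:12} "
              f"BLP={verdict(d.blp)} Biba={verdict(d.biba)} both={verdict(d.both)}")
```

The `both` property makes the classic tension visible: with one shared lattice, a subject that must satisfy both models can only read and write objects at exactly its own level, which is why the two models are rarely combined on the same labels in practice.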
The document discusses the Operations Security domain of the CISSP Common Body of Knowledge, including defining the domain, identifying resource protection needs, threats to information operations, and security controls and countermeasures used in operations security. Personnel security, physical security, and technical controls are discussed as ways to reduce vulnerabilities and protect organizational assets from both internal and external threats.
This document discusses the need for adopting an industry standard network security architecture model to improve security without unnecessary complexity. It outlines the evolution of typical network architectures from closed to increasingly open and exposed. This has introduced new threats that cannot be addressed by isolated security solutions alone. The document advocates aligning security controls according to well-defined architectural principles and business needs, and properly managing the integrated system as a whole.
This document discusses operations security principles and controls. It covers general security concepts like accountability, separation of duties, and least privilege. It then details various technical, physical, and administrative controls for securing hardware, software, data, communications, facilities, personnel, and operations. The goals are to prevent security issues, detect any violations, and enable recovery of systems and data if problems occur. Key areas covered include access controls, backup and disaster recovery, change management, and configuration management.
McAffee_Security and System Integrity in Embedded Devices (Işınsu Akçetin)
The document discusses McAfee's embedded security solutions for OEMs. It provides an overview of McAfee Embedded Control, which offers application control and change control to prevent unauthorized software and enforce change policies. It also discusses the McAfee Embedded Anti-Virus SDK and Embedded Reputation SDK for integrating virus detection and reputation services. Finally, it discusses how McAfee ePolicy Orchestrator provides centralized security management and how these solutions have benefited OEMs like NCR, NEC, Merge Healthcare, and Sharp by reducing support costs, enforcing compliance, and preventing unauthorized changes on embedded devices.
Next Generation Network: Security and Architecture (ijsrd.com)
Wireless sensor networks will be widely deployed in the near future. While much research has focused on making these networks feasible and useful, security has received little attention. Wireless sensor networks (WSNs) are a challenging and emerging research area because of their wide scope of application combined with low processing power and limited energy. As wireless sensor networks continue to grow, so does the need for effective security mechanisms. Because sensor networks may handle sensitive data and/or operate in hostile, unattended environments, these security concerns must be addressed from the beginning of system design. Starting with a brief overview of sensor network security, the paper reviews how security can be provided in wireless sensor networks. It studies the security problems, requirements and architecture of WSNs and the different platforms, which are characterized by severely constrained computational and energy resources and an ad hoc operational environment.
The document summarizes the components, purpose, and strategies of a security policy for T.Z.A.S.P. Mandal's Pragati College. It discusses the need for security policies to protect data, networks, and computing resources. The key components outlined include access policies, privacy policies, and guidelines for acceptable use, purchasing, authentication, availability, and violation reporting. Strategies discussed are host security, user authentication, password protection, firewalls, demilitarized zones, and encryption. The purpose is to inform users of security requirements and provide a baseline for compliance.
The document discusses cybersecurity and why a technological approach alone is not sufficient. It argues that cybersecurity is a socio-technical problem, as technology cannot guarantee reliability and human and organizational factors like insider threats, procedures, carelessness, and social engineering present vulnerabilities. A holistic approach is needed across personal, organizational, national, and international levels that includes deterrence, awareness, realistic procedures, monitoring, and cooperation.
The document frames Operations Security as primarily protecting against compromising emanations, unintended signals (electromagnetic or otherwise) that can be captured and analyzed to derive sensitive information. It aims to protect information processing assets and their confidentiality, integrity, and availability. Key aspects of Operations Security include privileged entity controls like account management, resource protection of facilities, hardware, software and data, and continuity of operations.
This document discusses security cases, which provide a structured argument and evidence to support the claim that a system is acceptably secure. It focuses on addressing the potential for buffer overflows in code. The argument is that coding practices, code reviews, static analysis, and system testing with invalid inputs provide evidence there are no buffer overflow possibilities in the code. Tool support is needed to manage the large amount of documentation required to build the security case.
This document provides an overview and agenda for a presentation on the CCNA Security career path option. The presentation covers topics such as attack methodologies, security policies, cryptography, firewalls, VPNs, IPS, and layer 2 security. It aims to discuss security issues and relevant Cisco technologies at the associate level, using demonstrations of attacks and their mitigation. The goals are to supplement but not replace the CCNA Security certification course, and include both conceptual discussions and practical examples.
Routeco cyber security and secure remote access 1 01 (RoutecoMarketing)
There is typically a 15:1 ratio of industrial devices to enterprise devices within a manufacturing plant. The industrial internet of things presents opportunities for growth but also increased risks of disruption through threats like theft, natural disasters, unauthorized access, and malware. A defense-in-depth security approach is recommended, incorporating physical security, network segmentation, firewalls, authentication, and monitoring to protect industrial control systems.
This document discusses embedded systems security and how it can be improved. It is difficult to design secure embedded systems because economic incentives often reward producing insecure products, and adding security after development is challenging. However, security can be improved by designing it in from the start using principles like minimal implementation, component architecture, and independent validation. The document provides an overview of embedded systems, operating systems, networked devices, and motivates the importance of security.
The document discusses trends in IT security innovations and solutions. It covers topics like mobility raising security issues, common security problems in enterprises, and the need for monitoring systems, encryption, and network visibility solutions to address vulnerabilities. The presentation promotes specific products from SpectorSoft, PGP, and Lumension that can help with monitoring, encryption, and network access control.
Introduction to Embedded System Security (Adel Barkam)
The document provides an introduction to embedded system security. It defines an embedded system and gives examples. Embedded system security is defined as protecting resources an embedded system is responsible for. The document discusses why security is important for embedded systems and types of attacks, including embedded software attacks and embedded hardware attacks. It covers topics like firmware vs operating systems, and types of hardware attacks such as probing, side-channel attacks, and fault induction.
This document discusses proactive security intelligence for smart utilities. It covers the threat landscape including sophisticated malware like Stuxnet, targeted attacks using zero-days and social engineering, and high-volume attacks. It notes challenges in securing critical infrastructures due to their use of common operating systems and protocols. The document advocates taking a performance and analytics-driven approach to proactive security using network simulation, penetration testing, and predictive modeling to identify exposures before they can be exploited.
This document summarizes the topics covered in the first lecture of a security engineering course. It discusses security engineering and management, security risk assessment, and designing systems for security. The lecture covers tools and techniques for developing secure systems, assessing security risks, and designing system architectures to protect assets and distribute them for redundancy.
This document provides an introduction to information security and network security. It defines key terms, outlines common threats and attacks, and discusses security models and frameworks. The objectives are to explain the relationships between information and network security, define critical concepts, and discuss the roles of security professionals and how organizations implement security policies.
This document provides an overview of healthcare information security and compliance with HIPAA regulations. It discusses the state of information security threats in 2001, an introduction to HIPAA, implications for organizations, typical gaps found in HIPAA compliance reviews, and why organizations should comply with security standards. The document promotes healthcare security services from KentTrust to help organizations assess risks, identify gaps, and implement compliant security solutions to protect patient information.
Hardware, and Trust Security: Explain it like I’m 5! (Teddy Reed)
This document provides an outline for a presentation on hardware and trust security. It begins by stating the objectives are to simplify complex explanations of hardware security and provide an overview of technologies and features while using references to Lego and Pokémon. The outline covers designer and administrator goals, hardware security failures and use cases, and the building blocks of hardware security including dedicated storage, algorithm implementations, and tamper resilience. Examples are given of how the building blocks can be used to build a Trusted Platform Module or Hardware Security Module.
DTS Solution - Software Defined Security v1.0 (Shah Sheikh)
The document discusses software defined networking (SDN) and network virtualization. It explains that SDN separates the control plane and data plane, allowing network control through external systems rather than individual device configuration. Network virtualization decouples applications from hardware and allows for logical network topologies on the same physical infrastructure through resource isolation. OpenFlow is presented as a standard for SDN implementation, and tools like Open vSwitch, Mininet and OpenDaylight are discussed. Challenges around scalability, reliability and consistency with the separation of planes are also covered.
This document provides an overview of firewall technologies and administration. It describes what firewalls do, including restricting network access and recording network activity. It explains the different types of firewall implementations like packet filtering, application-level gateways, and circuit-level gateways. Firewall rules control traffic by allowing authorized traffic to pass through and blocking unauthorized traffic based on packet information like source/destination addresses and protocols.
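The rule-matching behaviour described above (authorized traffic passes, everything else is blocked, decided on source/destination address and protocol) is worth seeing concretely, because rule order and the default action are where real firewall mistakes happen. The following is an added example written for this page, not code from the firewall document: a stateless packet filter with ordered, first-match rules and an implicit default deny. The ruleset, addresses (RFC 5737 documentation ranges) and packets are constructed for illustration.

```python
"""Added example (not from the firewall document summarised on this page): a
stateless packet filter with ordered first-match rules and default deny.
Rules, addresses and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or ANY
    src: str                     # CIDR or ANY
    dst: str                     # CIDR or ANY
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net_matches(cidr: str, addr: str) -> bool:
    if cidr == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All specified fields must match; unspecified fields match anything."""
    if rule.proto != ANY and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _net_matches(rule.src, pkt.src) and _net_matches(rule.dst, pkt.dst)


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. No match means deny (default deny).
    Returns (action, index of the deciding rule, or None for the default)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def audit_line(pkt: Packet, action: str, idx: Optional[int]) -> str:
    """The 'record network activity' half of a firewall's job, as one log line."""
    why = f"rule#{idx}" if idx is not None else "default-deny"
    return f"{action.upper()} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport} ({why})"


# Constructed ruleset for an outside interface in front of a DMZ web server.
# The anti-spoof rule must come first: a later allow for port 443 would
# otherwise admit a packet claiming an internal source address.
RULES = [
    Rule("deny", ANY, "10.0.0.0/8", ANY, None,
         "anti-spoof: internal source addresses never arrive from outside"),
    Rule("allow", "tcp", ANY, "203.0.113.10/32", 443, "public HTTPS to DMZ web server"),
    Rule("allow", "tcp", ANY, "203.0.113.10/32", 80, "public HTTP (redirects to HTTPS)"),
    Rule("allow", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22,
         "admin SSH only from the management range"),
]

# Constructed sample traffic.
PACKETS = [
    Packet("tcp", "192.0.2.5", "203.0.113.10", 443),      # public HTTPS: allow
    Packet("tcp", "192.0.2.5", "203.0.113.10", 22),       # SSH from the internet: default deny
    Packet("tcp", "198.51.100.7", "203.0.113.10", 22),    # SSH from management range: allow
    Packet("tcp", "10.1.2.3", "203.0.113.10", 443),       # spoofed internal source: anti-spoof deny
    Packet("udp", "192.0.2.5", "203.0.113.10", 53),       # unrelated UDP: default deny
]


def run(rules: List[Rule] = RULES, packets: List[Packet] = PACKETS):
    """Return the (action, rule index) decision for each packet."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, idx) in zip(PACKETS, run()):
        print(audit_line(pkt, action, idx))
```

Two properties of this design carry over to real firewalls: the absence of a final "allow any" rule is what makes it default deny, and the anti-spoof rule only works because it is evaluated before the allow rules. Swapping the order of the first two rules is enough to let the spoofed packet through, which is why rule-order review belongs in any firewall audit.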
This document provides an overview of cryptography concepts including:
- A brief history of cryptography from manual ciphers to modern computer-based systems.
- Key terms like plaintext, ciphertext, and keyspace.
- Types of cryptographic methods including symmetric, asymmetric, and hashing algorithms.
- Public key infrastructure components like certificates and certificate authorities.
- Attacks on cryptosystems, from cryptanalytic brute-force key search to social engineering aimed at the people who hold the keys.
- Applications of cryptography including email security and network security protocols like SSL/TLS and IPsec.
This document provides an overview of the Software Development Security Domain topic from the CISSP Common Body of Knowledge. It discusses software development life cycle models and processes, programming languages, database and data warehousing vulnerabilities and protections, and software vulnerabilities and threats. Key frameworks covered include ISO/IEC 15288, SW-CMM, and SSE-CMM. The document also examines governance approaches like COBIT and the importance of assurance requirements.
The document discusses the Business Continuity and Disaster Recovery Planning domain of the CISSP Common Body of Knowledge. It covers key topics in this domain including business continuity planning (BCP), disaster recovery planning (DRP), and business impact analysis (BIA). The candidate is expected to understand the differences between BCP and DRP, as well as the processes involved in BCP such as project initiation, BIA, recovery strategy development, and plan testing and maintenance.
The document summarizes key topics in the Legal, Regulations, Compliance and Investigations domain of the CISSP Common Body of Knowledge, including:
1) It addresses laws, regulations, ethics, investigations and compliance. This domain includes understanding computer crimes and incident response capabilities to address advanced threats.
2) Topics covered are laws and regulatory compliance, investigations, and ethics.
3) Laws and regulations provide the source for organizational policies and security requirements to ensure compliance. Categories of law include civil law, common law, customary law, and religious law.
The document discusses the Cryptography domain of the CISSP exam, which addresses principles and methods for ensuring information security. It covers topics like cryptography terms and history, different types of ciphers and cryptographic algorithms, and utilization of cryptography in technologies like PKI and protocols. The document also provides sample questions to test understanding of cryptography concepts.
Cryptography is the science of encrypting and decrypting data using mathematical concepts. It allows sensitive information to be stored or transmitted securely over insecure networks so that only the intended recipient can read it. The key concepts in cryptography include symmetric and asymmetric encryption algorithms, cryptosystems, cryptanalysis, cryptographic primitives like block ciphers and stream ciphers, and elements like keys, initialization vectors, and cryptographic services like confidentiality, integrity, authentication, and non-repudiation. Proper implementation with secure algorithms, large random keys, and protection of actual keys is important for cryptosystem strength.
This document discusses an approach called OPBUS that aims to automate risk treatment in business processes. OPBUS extends business process models to include risk assessment. It uses a domain specific language to assess risks in business processes by analyzing activities, data flows, and threats. OPBUS then uses constraint programming techniques and security pattern models to generate optimized configurations of security controls to address identified risks in an automated manner. The approach was prototyped as an Eclipse plugin to demonstrate specification of security patterns and risk-based selection of security controls for business processes.
The document provides a summary of Mark Elias Abi Habib's qualifications, experience, and objective. It outlines his 18 years of experience in technical director roles managing computer, telecommunication, and security projects. His qualifications include a Master's degree in electronic sciences and certifications in technologies such as Ruckus Wireless, Dahua Security, and Cisco CCNA. He currently serves as the Technical Director for CCNS sarl, where he manages technical teams and tracks projects.
Finto Thomas is an Information Technology Security Consultant with over 8.5 years of experience advising large businesses and Fortune 500 companies. He has expertise in network and security architectural design, implementation, and review. Some of his skills include cyber threat intelligence, penetration testing, firewall configuration, and cloud/mobile security. He is certified in CISSP, several Cisco certifications, ITIL, and IBM Qradar. He has worked as a Project Manager at IBM India and held security roles at Wipro and Trimax Data Centre.
The document discusses security considerations for hosted contact centers. It covers topics like computer security, examples of security breaches, cloud security characteristics, call center specific security measures around physical access, VOIP, recordings, CRM systems and PCI compliance. The document also compares the security advantages and disadvantages of cloud vs on-premise systems.
The document provides an overview of routing services and focuses on complex enterprise network frameworks, creating implementation plans, and reviewing IP routing principles. Specifically, it discusses Cisco's Intelligent Information Network (IIN) and Services Oriented Network Architecture (SONA) frameworks, the process for creating and documenting an implementation plan, and concepts of static and dynamic routing, routing protocols, and how routes are populated in a routing table.
This document discusses services offered by Networking & Security Consulting s.r.l. to design, implement, and manage secure communication networks for public and private organizations. They have over 20 years of experience in telecommunications projects and offer services such as requirements gathering, technology selection, project management, security audits, technology transfers, and training. Their team has expertise in networking, security, project management, quality assurance, and marketing. They aim to help organizations improve communication security, share infrastructure securely, adopt new technologies, lower costs, and leverage security investments through network virtualization and other solutions.
This document discusses network and system security assessment services provided by Apollo Infoways. Their services help organizations understand their current security posture, identify risks and vulnerabilities, and effectively utilize existing network infrastructure investments. Apollo Infoways' assessments evaluate network, system and data center security architectures and controls to identify gaps and recommend improvements aligned with an organization's security needs and business objectives.
Santoskumaar S is a security professional with over 4 years of experience in vulnerability and risk assessment. He has expertise in using tools like Qualys Guard, Nessus, Kali Linux, and Metasploit to perform security assessments and identify vulnerabilities. Currently he works as a Risk Specialist at Infosys BPO where he is responsible for PCI compliance, vulnerability testing, security implementation, and audits. Previously he worked as a Security Analyst and Transmission Engineer at Tata Communications handling tasks like network security reviews, penetration testing, and optical network maintenance.
This document discusses best practices for migrating distributed control systems (DCS). It covers why migrations are necessary due to issues like aging systems, loss of support, and high maintenance costs. Selection criteria for new systems include taking advantage of new technologies, long-term supplier support, accommodating advanced applications, and minimizing costs, risks, and downtime. Common migration approaches like bulldozing, cabling solutions, transition solutions, and I/O replacement are presented along with their benefits and challenges. Critical implementation guidelines emphasize planning with clear objectives and timeframes, using standards, involving operations teams early, and preparing with a project timeframe shorter than the outage period.
This document contains a summary of Irfan Ur Rehman's resume. It lists his contact information, objective to work in an IT or information security role, over 10 years of experience in areas like IT support, customer relations, and managing large projects and budgets. It also provides details of his technical skills, academic and professional qualifications, career history working for organizations like UN-HABITAT and Askari Bank, consultancy experience, and lists some projects he has worked on.
The document discusses NetDruid Communication Server which provides remote server management through proactive monitoring and management of networks. It allows for easy manageability of growing networks, reduces dependency on IT staff and infrastructure, and ensures compliance. The service model has shifted from traditional delivery to a one-stop shop offering various IT services. Key advantages for customers include reduced costs, high availability, and adaptability to changing technologies. The architecture utilizes various modules to manage networks, security, backups, trouble tickets, and assets.
This document provides an overview of the IT Essentials: PC Hardware and Software v4.1 course from Cisco Networking Academy. The summary is as follows:
1. IT Essentials v4.1 is a computer hardware and software course that covers PC assembly, maintenance, networking, security and prepares students for A+ certification.
2. The course is divided into two parts - fundamentals and advanced topics. It includes new content on current hardware, Windows Vista/7, networking and security skills.
3. Hands-on labs and new Packet Tracer activities provide an interactive learning experience. Instructors can access training, and students can download the Packet Tracer software.
4
This document provides a summary of Tianqiang Yu's work experience and skills. He has over 8 years of experience in IT, networking, customer service, and technical support. Some of his key experiences include routing and switching, security, F5 load balancing, and Palo Alto firewalls. He is proficient in network administration, routing protocols, security technologies, and has experience supporting corporate clients and managing teams. He has certifications in Cisco CCNP, CCNA, and is working towards Cisco CCIE Security. He is currently working as a Security Operations Engineer for Citizens Bank, where he is responsible for network and security operations support.
This document discusses server virtualization from a security perspective. It provides an overview of virtualization and its opportunities such as alleviating administration and enabling server consolidation. However, it also outlines several threats and challenges, such as increased complexity, interdependencies between servers, and ensuring proper isolation between virtual machines. While virtualization provides benefits, the document emphasizes that server consolidation does not come for free and fundamental challenges around identification, administration, and protection still remain. Proper methods, mechanisms, and administrative competencies are needed to securely take advantage of virtualization.
The document provides a summary of a network engineer's experience and qualifications. It includes 8 years of experience in network design, implementation, operations, monitoring and troubleshooting. Specific experience includes data center networks, IP telephony, wireless networks and security technologies. The engineer has professional certifications from Cisco and Microsoft, and a Bachelor's degree in electrical and electronic engineering.
Xaas infotech is a system integrator founded in 2009 that specializes in ICT infrastructure, information security, surveillance systems, and consulting services. Its core purpose is to provide technical solutions to address clients' pain points and increase productivity. The company's mission is to become a trusted partner for enterprise system integration. It has a team of over 8 professionals with expertise in turnkey, enterprise, and SMB solutions across various regions.
C S S L P & OWASP 2010 & Web Goat By Surachai.C Publish PresentationWon Ju Jub
The document provides information about Surachai Chatchalermpun's qualifications and an upcoming presentation on secure software development. It includes:
1) Surachai Chatchalermpun's credentials which include a Master's Degree in Management Information Systems and certifications as a Certified Secure Software Lifecycle Professional (CSSLP) and EC-Council Certified Security Analyst (ECSA).
2) An agenda for the presentation that will discuss challenges in application security today, provide an overview of the CSSLP and Open Web Application Security Project (OWASP), demonstrate the WebGoat security training tool, and include a WebGoat lesson.
3) A brief speaker profile for Surachai Ch
C S S L P & OWASP 2010 & Web Goat By Surachai.C Publish Presentation
3 Telecom+Network Part2
1. CISSP® Common Body of Knowledge Review: Telecommunications & Network Security Domain – Part 2
Version: 5.9
CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
2. Learning Objectives
Telecommunications & Network Security Domain – Part 2
The Telecommunications and Network Security domain
encompasses the structures, techniques, transport protocols, and
security measures used to provide integrity, availability,
confidentiality, and authentication for transmissions over private
and public communication networks.
The candidate is expected to demonstrate an understanding of
communications and network security as it relates to data
communications in local area and wide area networks, remote
access, internet/intranet/extranet configurations. Candidates should
be knowledgeable with network equipment such as switches,
bridges, and routers, as well as networking protocols (e.g., TCP/IP,
IPSec) and VPNs.
Reference: CISSP CIB, January 2012 (Rev. 2)
3. Question:
• Name the seven layers of the OSI reference model.
Hint: “People do not throw sausage pizza away”
4. Question:
• Name the seven layers of the OSI reference model.
– Physical (people)
– Data-Link (do)
– Network (not)
– Transport (throw)
– Session (sausage)
– Presentation (pizza)
– Application (away)
5. Topics
Telecommunications & Network Security Domain – Part 2
• Security Countermeasures and Controls
– Physical Layer
– Data-Link Layer
– IP Network Layer
– Transport Layer
– Application Layer
• VPN
• NAS
6. Implementation of Technical Countermeasures
Example implementation of technical countermeasures in Network and Security Operations
(Figure: the OSI Reference Model / Internet Protocol Suite overlaid with the Information Assurance Technical Framework (IATF) defense-in-depth layers and the Defense Information Infrastructure (DII) security mechanisms. Recoverable content follows.)
• Technical countermeasures: Routers, Switches, Encryptors, Firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Operating Systems (OS)
• Process & Procedure: Security CONOPs, Security Operations, Certification and Accreditation, Security mechanism, System Architecture
• OSI Reference Model and Internet Protocol Suite:
– Application: NFS, FTP, Telnet, SMTP, HTTP, SNMP… etc.
– Presentation: XDR
– Session: RPC
– Transport: TCP, UDP
– Network: IP, ICMP, Routing Protocols, ARP, RARP
– Data-Link
– Physical
• IATF defense-in-depth layers and DII security mechanisms:
– Defending the Computing Environment: OS + Host-based IDS + Secure Messaging + Trusted RDBMS
– Supporting the Infrastructure: Domain Controller + Active Directory Service + DIICOE APM (+ Directory Services + X.509-based PKI/KMI/CA)
– Defending the Enclave: Firewall + Network-based IDS + Switches
– Defending the Network & Infrastructure: Routers + KGs
– Protection of Critical Infrastructure: Physical Sec., Facility Security
7. Topics
Telecommunications & Network Security Domain – Part 2
• Security Countermeasures and Controls
– Physical Layer
– Data-Link Layer
– IP Network Layer
– Transport Layer
– Application Layer
• VPN
• NAS
Memorization aid (OSI Reference Model → TCP/IP Protocol Architecture):
– Application (Away) → Application Layer
– Presentation (Pizza) → Application Layer
– Session (Sausage) → Application Layer
– Transport (Throw) → Host-to-Host Transport Layer
– Network (Not) → Internet Layer
– Data-Link (Do) → Network Access Layer
– Physical (People) → Network Access Layer
8. Security Countermeasures & Controls
Security of Physical Layer – Review
Transport Medium
• Cables
– LAN: Twisted Pair (Shielded, Unshielded), Coaxial, Fiber Optics (Single-mode, Multi-mode)
– WAN: SONET, X.21-bis, HSSI, SMDS
• Radio Frequency (RF)
– LAN: 2.4GHz, 5GHz, UWB (3.1GHz – 10.6GHz)
– WAN: Microwave (VHF, UHF, HF) (300MHz – 300GHz)
• Light
– LAN: Infrared
– WAN: LASER (medium: fiber, air)
(Sidebar figure: OSI Reference Model vs. TCP/IP Protocol Architecture)
9. Security of Physical Layer
Transport Media
• Physical protection of transport media
– Cables / Fibers: Casings (Concrete, Steel pipe, Plastic, etc.)
– RF: Allocation of radio spectrum, RF power, selection of line-of-sight (LOS), protection from the elements (rain, ice, air)
– Optical: Selection of transport medium, light wave spectrum (multi-mode), LOS and strength of light beam (e.g. LASER, single-mode)
• Path diversity of transport media
– Cables / Fibers: Geographic diversity
– RF: Utilization of radio channels, coverage area
– Optical: Multi-mode
10. Security of Physical Layer
Transport Media
Security considerations for transport media:
• EMI (Electromagnetic Interference)
– Crosstalk
– HEMP (High-altitude Electromagnetic Pulse)
• RFI (Radio Frequency Interference)
– UWB (Ultra Wide Band): bandwidth > 500MHz; the FCC authorizes unlicensed use in 3.1 – 10.6GHz
– Household microwave oven: 2.45GHz
• Transient: disturbance of power traveling across the transport medium
• Attenuation: loss of signal strength over distance
11. Security of Physical Layer
Transport Interfaces (I/Fs)
• Physical protection of transport I/Fs
– Access control of network equipment
• Telco Demarcation / Telecommunication Room
• Data Center / Server Room
• Network Closet
• Logical protection of transport I/Fs
– Disable all interfaces not in use
– Enable an interface only when it is ready to use
– Designate specific I/Fs for management
– Designate specific I/Fs for monitoring
12. Security of Physical Layer
Network Equipment
• Enable service password-encryption on all routers.
• Use the enable secret command rather than the enable password command.
• Each router shall have different enable and user passwords.
• Access routers only from a “secured or trusted” server or console.
• Reconfigure the connect, telnet, rlogin, show ip access-lists, and show logging commands to privilege level 15 (secret).
• Add a warning banner.
Reference: DISA FSO Network STIG
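A way to audit a router configuration against the items above, as an added example that is not from the deck or the STIG. It assumes Cisco IOS syntax for the listed commands (service password-encryption, enable secret / enable password, privilege exec level, banner); the sample configurations, hostname and hash value are constructed.

```python
"""Audit a Cisco IOS running-config excerpt against the router hardening items
on the slide. Added example; the configs below are constructed, not from any
real device. The cross-device item (different passwords on each router) needs
more than one config and is not checked here."""
import re

# Commands the slide says should be moved to privilege level 15.
PRIV15_COMMANDS = ["connect", "telnet", "rlogin", "show ip access-lists", "show logging"]

# Constructed weak configuration: every item on the slide is missing or wrong.
WEAK_CONFIG = """\
!
hostname edge-rtr-1
no service password-encryption
enable password cisco123
username admin password 0 cisco123
line vty 0 4
 password cisco123
 login
!
"""

# Constructed hardened configuration (the enable secret hash is a placeholder).
HARDENED_CONFIG = """\
!
hostname edge-rtr-1
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashvalue
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show logging
banner motd ^C Authorized use only. Activity is monitored. ^C
!
"""


def audit_ios_config(config: str) -> list:
    """Return a list of finding strings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    findings = []

    # Slide item 1: encrypt stored line/user passwords.
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not enabled")

    # Slide item 2: enable secret (hashed) instead of enable password.
    if not any(ln.startswith("enable secret ") for ln in lines):
        findings.append("enable secret is not configured")
    if any(ln.startswith("enable password ") for ln in lines):
        findings.append("enable password is configured (use enable secret instead)")

    # Slide item 5: the listed commands must require privilege level 15.
    elevated = set()
    for ln in lines:
        m = re.match(r"privilege exec level (\d+) (.+)$", ln)
        if m and int(m.group(1)) == 15:
            elevated.add(m.group(2))
    for cmd in PRIV15_COMMANDS:
        if cmd not in elevated:
            findings.append(f"'{cmd}' is not restricted to privilege level 15")

    # Slide item 6: a warning banner (motd or login) must be present.
    if not any(ln.startswith("banner motd") or ln.startswith("banner login") for ln in lines):
        findings.append("no warning banner configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg) or "OK")
```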
13. Questions:
• Why may a household microwave oven interfere with your Wi-Fi (IEEE 802.11b/g)?
• Loss of signal strength over distance is?
• Disturbance of power traveling across a transport medium is?
14. Answers:
• Why may a household microwave oven interfere with your Wi-Fi (IEEE 802.11b/g)?
– The microwave oven operates in 2.45GHz and Wi-Fi operates in 2.4GHz
• Loss of signal strength over distance is?
– Attenuation
• Disturbance of power traveling across a transport medium is?
– Transient
15. Topics
Telecommunications & Network Security Domain – Part 2
• Security Countermeasures and Controls
– Physical Layer
– Data-Link Layer
– IP Network Layer
– Transport Layer
– Application Layer
• VPN
• NAS
Memorization aid (OSI Reference Model → TCP/IP Protocol Architecture):
– Application (Away) → Application Layer
– Presentation (Pizza) → Application Layer
– Session (Sausage) → Application Layer
– Transport (Throw) → Host-to-Host Transport Layer
– Network (Not) → Internet Layer
– Data-Link (Do) → Network Access Layer
– Physical (People) → Network Access Layer
16. Security Countermeasures & Controls
Security of Data-Link Layer – Review
• Data-Link Layer
– MAC (LAN & WAN)
– LLC (LAN)
• LAN Data-Link Layer Protocols
– Ethernet (CSMA/CD)
– Token Ring (Token Passing)
– IEEE 802.11 a/b/g (CSMA/CA)
• WAN Data-Link Layer Protocols
– X.25
– Frame Relay
– SMDS (Switched Multi-gigabit Data Services)
– ISDN (Integrated Services Digital Network)
– HDLC (High-level Data Link Control)
– ATM (Asynchronous Transfer Mode)
(Sidebar figure: OSI Reference Model vs. TCP/IP Protocol Architecture)
17. Security Countermeasures & Controls
Security of Data-Link Layer
Confidentiality and Integrity of Data-Link Layer
• SLIP (Serial Line Internet Protocol)
• PPP (Point-to-Point Protocol)
• L2TP (Layer 2 Tunnel Protocol)
• Link Encryption (i.e. Link / Bulk Encryptor): ISDN, Frame Relay, ATM
• RF:
– LAN: WEP (Wired Equivalent Privacy), EAP (Extensible Authentication Protocol), IEEE 802.1X
– WAN: AN/PSC-5 Radio (w/ embedded encryption for SATCOM, DAMA, LOS communications), TADIL-J (Link-16) (w/ embedded encryption for LOS communications)
18. Security of Data-Link Layer
Serial Line Internet Protocol (SLIP)
• SLIP (Serial Line Internet Protocol) is a packet framing protocol that encapsulates IP packets on a serial line
• Runs over a variety of network media:
– LAN: Ethernet, Token Ring
– WAN: X.25, satellite links, and serial lines
• Supports only one network protocol at a time
• No error correction
• No security
19. Security of Data-Link Layer
Point-to-Point Protocol (PPP)
• PPP (Point-to-Point Protocol) is an encapsulation mechanism for transporting multi-protocol packets across Layer 2 point-to-point links. (RFC 1661)
– ISDN, Frame Relay, ATM, etc.
• PPP replaces SLIP because:
– It supports multiple network protocols (IP, AppleTalk, IPX, etc.) in a session
– It offers options for authentication
• Security features:
– PAP (Password Authentication Protocol)
– CHAP (Challenge Handshake Authentication Protocol)
– EAP (Extensible Authentication Protocol)
20. Security of Data-Link Layer
Point-to-Point Protocol (PPP)
• PAP (Password Authentication Protocol) (RFC 1334)
– The authentication exchange is in plaintext and is sent over the established link
• CHAP (Challenge Handshake Authentication Protocol) (RFC 1994, replaces RFC 1334)
– Protection against playback attack by using a 3-way handshake:
1. After the link is established, the authenticator sends a “challenge” message to the peer
2. The peer responds with a value calculated using a “one-way hash”
3. The authenticator calculates the expected hash value and matches it against the response
– CHAP requires that the “secret” key be available in plaintext form, but the “secret” key is NOT sent over the link
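The CHAP exchange described above, as an added example that is not part of the original deck: the response is MD5 over the identifier, the shared secret and the challenge (RFC 1994), the secret stays on both ends, and each challenge is consumed so a captured response cannot be replayed. The peer name and secret are constructed.

```python
"""CHAP (RFC 1994) three-way handshake: challenge, hashed response, verification.
Added example; the peer name and secret used below are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value for the MD5 algorithm: the one-way hash over the
    Identifier octet, followed by the secret, followed by the challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Holds each peer's secret in plaintext (as CHAP requires) and never sends it."""

    def __init__(self, secrets: dict):
        self._secrets = secrets      # peer name -> secret bytes
        self._outstanding = {}       # identifier -> challenge awaiting a response
        self._next_id = 0

    def challenge(self) -> tuple:
        """Step 1: issue a fresh random challenge under a new identifier."""
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)
        self._outstanding[self._next_id] = chal
        return self._next_id, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare in constant time.
        The challenge is consumed, so a replayed response never matches again."""
        chal = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def peer_respond(identifier: int, challenge: bytes, name: str, secret: bytes) -> tuple:
    """Step 2: the peer answers with the one-way hash; the secret stays local."""
    return identifier, name, chap_response(identifier, secret, challenge)


def run_handshake(auth: Authenticator, name: str, secret: bytes) -> bool:
    """Drive one complete exchange between the authenticator and a peer."""
    ident, chal = auth.challenge()
    return auth.verify(*peer_respond(ident, chal, name, secret))


if __name__ == "__main__":
    auth = Authenticator({"branch-rtr": b"constructed-secret"})
    print("good secret:", run_handshake(auth, "branch-rtr", b"constructed-secret"))
    print("wrong secret:", run_handshake(auth, "branch-rtr", b"wrong"))
```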
21. Security of Data-Link Layer
Point-to-Point Protocol (PPP)
• EAP (Extensible Authentication Protocol) (RFC 2284) supports multiple authentication mechanisms:
– MD5-Challenge
– One-Time Password (OTP)
– Generic Token Card
• Protection against playback attack by using a 3-way handshake:
1. After the link is established, the authenticator sends an authentication request message to the peer
2. The peer sends a response with a set of values that matches the authentication mechanism of the authenticator
3. The authenticator calculates the expected value and matches it against the response
22. Security of Data-Link Layer
Layer 2 Tunnel Protocol (L2TP)
• L2TP (Layer 2 Tunnel Protocol) (RFC 2661) extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices (e.g. workstation to router) interconnected by a packet-switched network
Protocol stack (top to bottom):
– PPP Frames
– L2TP Data Message | L2TP Control Message
– L2TP Data Channel (unreliable) | L2TP Control Channel (reliable)
– Physical Layer / Packet Transport (Frame Relay, ATM, ISDN, etc.)
23. Security of Data-Link Layer
Wired Equivalent Privacy (WEP)
• WEP (Wired Equivalent Privacy) is an optional IEEE 802.11 encryption standard.
– Implemented at the MAC sub-layer
– Uses RSA’s RC4 stream cipher with variable key size
– Shared symmetric key, 40-bit! (104-bit is not a standard!) with 24-bit IV (Initialization Vector)
• Security issues with WEP:
– Size of IV (24-bit) +
– Shared static symmetric key (40-bit or 104-bit)
– A hacker can collect enough frames with the same IV and recover the symmetric key (i.e. related key attack)
• Mitigation:
– IPsec over 802.11
– IEEE 802.11i and IEEE 802.1X
Reference: http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
24. Security of Data-Link Layer
IEEE 802.1X
• IEEE 802.1X uses EAP (Extensible Authentication Protocol)
– 802.1X is an interoperability standard, NOT a security standard!
• Uses a 3-way handshake, in a state machine model:
1. Unauthorized State: After the link is established, the authenticator (access point) sends an authentication request message to the peer.
2. Unauthorized State: The peer sends a response with a set of values that matches the authentication mechanism of the authenticator.
3. Unauthorized State: The authenticator calculates the expected value and matches it against the response.
4. Authorized State: Exchange encrypted data messages.
Reference: http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
25. Security of Data-Link Layer
IEEE 802.11i
• IEEE 802.11i standard has been ratified on 6/24/2004.
– FIPS 140-2 certified by NIST.
– A.k.a. WPA2 (Wi-Fi Protected Access version 2)
• Uses IEEE 802.1X (i.e. EAP) for authentication.
• Uses 4-way handshake.
• Uses AES-based CCMP (Counter-mode Cipher-block-chaining Message authentication code Protocol).
Four-way handshake between Client Workstation (STA) and Access Point (AP):
1. ANonce: AP sends a single-use random numeric value (Nonce) to STA.
2. SNonce + MIC: STA constructs a Pair-wise Transient Key (PTK)* and returns its own “single use nonce” along with a Message Integrity Code (MIC).
3. GTK + MIC: AP constructs the PTK* and returns a Group Temporal Key (GTK) along with a MIC to STA.
4. ACK: STA sends an acknowledgement to AP.
* As soon as the PTK is obtained it is divided into 3 separate keys:
– EAP-KCK (Extended Authentication Protocol-Key Confirmation Key)
– EAP-KEK (Key Encryption Key)
– TK (Temporal Key) – The key used to encrypt the wireless traffic.
Reference:
- Q&A, Wi-Fi Protected Access, WPA2 and IEEE 802.11i, Cisco Systems
- http://en.wikipedia.org/wiki/IEEE_802.11i
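The key derivation behind the four-way handshake above, as an added example that is not from the deck: both STA and AP derive the PTK from the Pairwise Master Key (PMK), the two nonces and the two MAC addresses, split it into KCK, KEK and TK, and the AP uses the KCK to check the MIC on message 2 before trusting the client. It assumes the 802.11i PRF (HMAC-SHA1 with the “Pairwise key expansion” label) and the CCMP key sizes; every PMK, MAC address and nonce below is a constructed test value.

```python
"""IEEE 802.11i four-way handshake: PTK derivation and EAPOL-Key MIC check.
Added example; the PMK, MAC addresses, nonces and message bodies are constructed."""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and keep the first nbytes."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Ordering by min/max lets both ends derive the same key regardless of role.
    For CCMP the 48-byte PTK splits into the three keys named on the slide."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP key MIC: first 16 bytes of HMAC-SHA1 over the EAPOL-Key frame
    (MIC field zeroed) under the Key Confirmation Key."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_sta: bytes, pmk_ap: bytes, aa: bytes, spa: bytes):
    """Run the exchange from the slide with possibly different PMKs on each side.
    Returns the agreed TK when the AP accepts message 2, or None when the STA's
    MIC does not verify (the STA does not hold the same PMK)."""
    anonce = os.urandom(32)                           # msg 1: AP -> STA (ANonce)
    snonce = os.urandom(32)                           # STA picks its own nonce
    sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    msg2_body = b"\x02" + snonce                      # constructed stand-in for the EAPOL-Key body
    msg2_mic = eapol_mic(sta["KCK"], msg2_body)       # msg 2: STA -> AP (SNonce + MIC)
    ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)  # AP now holds both nonces
    if not hmac.compare_digest(msg2_mic, eapol_mic(ap["KCK"], msg2_body)):
        return None                                   # MIC failure: the STA proved nothing
    # msg 3 (GTK wrapped under the KEK, + MIC) and msg 4 (ACK) follow; both
    # sides now hold the same TK for CCMP traffic encryption.
    return ap["TK"]


if __name__ == "__main__":
    pmk = os.urandom(32)
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    print("same PMK  ->", four_way_handshake(pmk, pmk, aa, spa).hex())
    print("wrong PMK ->", four_way_handshake(pmk, os.urandom(32), aa, spa))
```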
26. Security of Data-Link Layer
Address Resolution Protocol (ARP) & Reverse ARP (RARP)
• ARP (Address Resolution Protocol) maps MAC
addresses (physical addresses) to IP addresses
(logical addresses)
• RARP (Reverse ARP), opposite of ARP, maps IP
addresses to MAC addresses
• Preserving integrity of ARP table is the key to
security of switching topology.
27. Security of Data-Link Layer
Address Resolution Protocol (ARP) & Reverse ARP (RARP)
ARP Table is vulnerable to…
• Denial-of-Service (DoS) Attack
– A hacker can easily associate an operationally significant IP address with a false MAC address. Then your router begins to send packets to a non-existent I/F.
• Man-in-the-Middle Attack
– A hacker can exploit ARP Cache Poisoning to intercept network traffic between two devices in your network.
• MAC Flooding Attack
– MAC Flooding is an ARP Cache Poisoning technique aimed at network switches. By flooding a switch's ARP table with a ton of spoofed ARP replies, a hacker can overload the network switch and put it in “hub” mode. Then the hacker can sniff packets on your network while the switch is in "hub" mode.
Reference: DISA FSO Network STIG
28. Security of Data-Link Layer
Address Resolution Protocol (ARP) & Reverse ARP (RARP)
To preserve the integrity of the ARP table:
• Logical Access Control:
– Static ARP table. Not scalable, but very effective.
– Enable port security using sticky MAC addresses, which writes the dynamically learned MAC addresses into memory.
– Disable all unnecessary protocols & services.
• Physical Access Control:
– Disable all interfaces not in use.
– Enable an interface only when it is ready to use.
– Designate specific I/Fs for management.
– Designate specific I/Fs for monitoring.
Reference: DISA FSO Network STIG
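The two ARP-table attacks from the previous slide and the static-ARP control from this one, as a switch-side detector over ARP observations. This is an added example, not from the deck: a protected IP (such as the default gateway) that suddenly resolves to a new MAC is flagged as cache poisoning, and a port that sources more distinct MACs than a sticky-MAC limit allows is flagged as flooding. The log format, port names and addresses are constructed.

```python
"""Detect ARP cache poisoning and MAC flooding from per-port ARP observations.
Added example; the log lines, ports and addresses below are constructed."""
from collections import defaultdict

# Constructed observations: <timestamp> <ingress port> <sender IP> <sender MAC>.
# Gi0/2 claims the gateway's IP (poisoning); Gi0/7 sources four distinct MACs (flooding).
SAMPLE_ARP_LOG = """\
1 Gi0/1 10.1.1.1 00:11:22:33:44:01
2 Gi0/2 10.1.1.20 00:11:22:33:44:20
3 Gi0/2 10.1.1.1 00:11:22:33:44:20
4 Gi0/7 10.1.1.101 de:ad:be:ef:00:01
5 Gi0/7 10.1.1.102 de:ad:be:ef:00:02
6 Gi0/7 10.1.1.103 de:ad:be:ef:00:03
7 Gi0/7 10.1.1.104 de:ad:be:ef:00:04
8 Gi0/3 10.1.1.30 00:11:22:33:44:30
"""


def parse_arp_log(text: str):
    """Yield (timestamp, port, ip, mac) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, port, ip, mac = parts
            yield int(ts), port, ip, mac.lower()


def detect_arp_anomalies(text: str, static_table: dict = None, mac_limit: int = 3) -> list:
    """Return a list of (kind, detail) alerts.

    static_table maps protected IPs to their known-good MAC, like the static
    ARP entries on the slide; any reply contradicting them is an alert even on
    first sight.  mac_limit plays the role of the sticky-MAC port-security
    maximum: once a port has sourced more distinct MACs than this, it is
    reported as flooding (once per port)."""
    learned = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    macs_per_port = defaultdict(set)
    alerts = []
    for ts, port, ip, mac in parse_arp_log(text):
        known = learned.get(ip)
        if known is not None and known != mac:
            alerts.append(("arp-poison",
                           f"t={ts} {ip} claimed by {mac} on {port}, expected {known}"))
            # Keep the first/static binding; never relearn from a conflicting reply.
        else:
            learned.setdefault(ip, mac)
        macs_per_port[port].add(mac)
        if len(macs_per_port[port]) == mac_limit + 1:
            alerts.append(("mac-flood",
                           f"t={ts} {port} sourced more than {mac_limit} distinct MACs"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_anomalies(SAMPLE_ARP_LOG):
        print(kind, detail)
```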
29. Questions:
• Why is Point-to-Point Protocol (PPP) better than Serial Line Internet Protocol (SLIP)?
• Both Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP) use a 3-way handshake. What is the advantage of using EAP instead of CHAP?
30. Answers:
• Why is Point-to-Point Protocol (PPP) better than Serial Line Internet Protocol (SLIP)?
– PPP supports multiple internetworking protocols in a session
– SLIP has no security features
• Both Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP) use a 3-way handshake. What is the advantage of using EAP instead of CHAP?
– EAP supports multiple authentication mechanisms: MD5, One-time password (OTP), and Token card.
31. Questions:
• What is the size of the shared static symmetric key for 128-bit Wired Equivalent Privacy (WEP)?
• What is the relationship between IEEE 802.1X and IEEE 802.11i?
• Is IEEE 802.1X a security standard?
• What is the primary security issue for Layer 2 switches?
32. Answers:
• What is the size of the shared static symmetric key for 128-bit Wired Equivalent Privacy (WEP)?
– 104-bit, plus a 24-bit Initialization Vector (IV)
• What is the relationship between IEEE 802.1X and IEEE 802.11i?
– IEEE 802.11i uses IEEE 802.1X for EAP authentication
• Is IEEE 802.1X a security standard?
– No. IEEE 802.1X is an interoperability standard
• What is the primary security issue for Layer 2 switches?
– Preserving the integrity of the ARP table
33. Topics
Telecommunications & Network Security Domain – Part 2
• Security Countermeasures and Controls
– Physical Layer
– Data-Link Layer
– IP Network Layer
– Transport Layer
– Application Layer
• VPN
• NAS
Memorization aid (OSI Reference Model → TCP/IP Protocol Architecture):
– Application (Away) → Application Layer
– Presentation (Pizza) → Application Layer
– Session (Sausage) → Application Layer
– Transport (Throw) → Host-to-Host Transport Layer
– Network (Not) → Internet Layer
– Data-Link (Do) → Network Access Layer
– Physical (People) → Network Access Layer
34. Security Countermeasures & Controls
Security of Network Layer – Review
• Logical Addressing (IP address)
• Controls: ICMP, ARP, RARP
• Routing: Static, Dynamic
• Routing Protocols:
– Interior Gateway Protocols (IGP’s)
• Distance Vector Routing Protocols
• Link State Routing Protocols
– Exterior Gateway Protocols (EGP’s)
• State Vector Protocols
(Sidebar figure: OSI Reference Model vs. TCP/IP Protocol Architecture)
35. Security of Network Layer
Network Address Translation (NAT)
NAT (Network Address Translation) is a method of
connecting multiple computers to the Internet (or any
other IP network) using one IP address.
• The increased use of NAT comes from several
factors:
– Shortage of IP addresses
– Security needs
– Ease and flexibility of network administration
• RFC 1918 reserves the following private IP address ranges for NAT
– Class A: 10.0.0.0 – 10.255.255.255
– Class B: 172.16.0.0 – 172.31.255.255
– Class C: 192.168.0.0 – 192.168.255.255
Reference: http://www.ietf.org/rfc/rfc1918.txt
36. Security of Network Layer
Virtual IP Address (VIP)
VIP (Virtual IP Address) is a method that maps a virtual internetworking entity onto many computing hosts.
• One-to-Many:
– Used for load balancing / sharing
– Used to limit exposure of multiple IP addresses or multiple network I/Fs
• Many-to-One:
– One network I/F with many IP addresses
– Used for application sharing
37. Security of Network Layer
Routing: Static vs. Dynamic
Preserving integrity of route table is the key to security
of routing topology.
• Static routing is the most secure routing
configuration. However, scalability is a major
drawback.
– Static Route Table, no automatic updates.
• Dynamic routing is scalable, but a security policy must be
established to preserve the integrity of the route table
– Automatic updates.
– Need to set thresholds.
– Authenticate neighbors and peers.
- 37 -
38. Security of Network Layer
Dynamic Routing
There are two types of routing protocols:
• Interior Gateway Protocols (IGPs)
– Routing Information Protocols (RIP)
– Interior Gateway Routing Protocol (IGRP)
– Enhanced IGRP (EIGRP, Cisco proprietary)
– Open Shortest Path First (OSPF)
– Intermediate System to Intermediate System (IS-IS)
• Exterior Gateway Protocols (EGPs)
– Exterior Gateway Protocol (EGP, RFC 827). EGP is no
longer in use on the Internet
– Border Gateway Protocol (BGP). BGP is the standard
routing protocol for the Internet
- 38 -
39. Security of Network Layer
Dynamic Routing: Interior Gateway Protocols (IGPs)
• Routers using distance vector routing protocols
mathematically compare routes using some measurement of
distance (or number of hops) and send all or a portion of the
route table in a routing update message at regular intervals to
each neighbor router.
– RIP (Routing Information Protocol)
– IGRP (Interior Gateway Routing Protocol)
– EIGRP (Enhanced IGRP, Cisco proprietary)
• Security issues:
– Integrity of routing tables: Automatic distribution of route
table updates.
– Operational stability: The routing updates create a chain
reaction of route table recalculations on every neighbor
router.
Reference: Routing TCP/IP Volume I, by J. Doyle, et al., Cisco Press
- 39 -
40. Security of Network Layer
Dynamic Routing: Interior Gateway Protocols (IGPs)
• To preserve integrity of the route table: Use MD5
authentication between neighbor routers.
– Do not use RIPv1, because it does not support MD5
authentication.
• To improve operational stability of routers running
distance vector IGP’s:
– Use split horizon with poison-reverse updates. It prevents
routing loops by preventing a router from updating adjacent
neighbors about any routing changes that it originally learned
from those neighbors.
– Use hold-downs (for IGRP & EIGRP). It prevents IGRP’s
periodic updates from wrongly reinstating an invalid route.
Reference: Routing TCP/IP Volume I, by J. Doyle, et al., Cisco Press
- 40 -
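As an added illustration of the split horizon and poison reverse rules on this slide (example code written for this review, not taken from Doyle or any router vendor), the following Python builds a RIP-style update for one neighbor and applies a received update. The A-B-C topology, prefixes and metrics are constructed.

```python
from dataclasses import dataclass

RIP_INFINITY = 16  # RIP's "unreachable" metric


@dataclass(frozen=True)
class Route:
    prefix: str        # destination network, e.g. "10.1.0.0/16"
    metric: int        # hop count from this router
    learned_from: str  # neighbor that advertised it, or "local" if directly connected


def build_update(routes, neighbor, poison_reverse=True):
    """Build the {prefix: metric} update this router sends to `neighbor`.

    Split horizon: a route learned from `neighbor` is not re-advertised back
    to it.  With poison reverse it is advertised back, but with RIP_INFINITY,
    so the neighbor explicitly learns that the path through us is unusable.
    """
    update = {}
    for r in routes:
        if r.learned_from == neighbor:
            if poison_reverse:
                update[r.prefix] = RIP_INFINITY
            continue  # plain split horizon: say nothing about this route
        update[r.prefix] = r.metric
    return update


def apply_update(routes, neighbor, update):
    """Bellman-Ford step: merge an update received from `neighbor`.

    Metrics are incremented by one hop and capped at RIP_INFINITY.  An update
    from the neighbor we already use for a prefix is always accepted, so a
    poisoned (16) entry takes the route down instead of keeping it alive.
    """
    table = {r.prefix: r for r in routes}
    for prefix, metric in update.items():
        new_metric = min(metric + 1, RIP_INFINITY)
        current = table.get(prefix)
        if current is None:
            if new_metric < RIP_INFINITY:
                table[prefix] = Route(prefix, new_metric, neighbor)
        elif current.learned_from == neighbor or new_metric < current.metric:
            table[prefix] = Route(prefix, new_metric, neighbor)
    return sorted(table.values(), key=lambda r: r.prefix)


# Constructed topology: A -- B -- C.  This is router B's table.
ROUTER_B = [
    Route("10.2.0.0/16", 0, "local"),
    Route("10.1.0.0/16", 1, "A"),
    Route("10.3.0.0/16", 1, "C"),
]

if __name__ == "__main__":
    print("B -> A (poison reverse):", build_update(ROUTER_B, "A"))
    print("B -> A (split horizon) :", build_update(ROUTER_B, "A", poison_reverse=False))
```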
41. Security of Network Layer
Dynamic Routing: Interior Gateway Protocols (IGPs)
• Routers using link-state routing protocols send only
link-state advertisements (LSAs) to each of their
neighbor routers.
– OSPF (Open Shortest Path First)
– IS-IS (Integrated intermediate system-to-intermediate
system)
• Security issues:
– Integrity of routing tables: Automatic distribution of LSAs.
– Operational stability: After the adjacencies are established,
the router may begin sending out LSAs. The LSAs create a
chain reaction of route-path recalculations on every
neighbor router (i.e. link-state flooding).
Reference: Routing TCP/IP Volume I, by J. Doyle, et al., Cisco Press
- 41 -
42. Security of Network Layer
Dynamic Routing: Interior Gateway Protocols (IGPs)
• To preserve integrity of the route table: Use MD5
authentication between neighbor routers.
• To improve operational stability of routers running
link-state IGP’s:
– Set a sequence number for each link-state advertisement
(LSA). The sequence numbers are stored along with the
LSAs, so when a router receives the same LSA that is
already in the database and the sequence number is the
same, the received information is discarded.
Reference: Routing TCP/IP Volume I, by J. Doyle, et al., Cisco Press
- 42 -
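An added example, not from the slides or the Cisco Press reference: a minimal link-state database in Python that installs an LSA only when its sequence number is higher than the stored copy, floods newer LSAs to the other neighbors, and discards duplicates and stale copies, which is what bounds the flooding chain reaction described on the previous slide. Router IDs and adjacencies are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LSA:
    origin: str          # router ID of the advertising router
    seq: int             # sequence number assigned by the originator; higher = newer
    links: frozenset     # router IDs the originator is adjacent to


class LinkStateRouter:
    """One router's LSDB plus the flooding decision for each received LSA."""

    def __init__(self, router_id, neighbors):
        self.router_id = router_id
        self.neighbors = frozenset(neighbors)
        self.lsdb = {}        # origin -> newest LSA installed
        self.own_seq = 0
        self.outbox = []      # (lsa, neighbor) pairs this router would flood

    def originate(self):
        """Advertise our own adjacencies with a fresh, strictly higher sequence number."""
        self.own_seq += 1
        lsa = LSA(self.router_id, self.own_seq, self.neighbors)
        self.lsdb[self.router_id] = lsa
        self.outbox.extend((lsa, n) for n in self.neighbors)
        return lsa

    def receive(self, lsa, from_neighbor):
        """Install and re-flood only if the LSA is newer than our copy.

        Equal sequence number: duplicate already in the database, discarded.
        Lower sequence number: stale copy, discarded.  Without this rule a
        single change would echo between neighbors indefinitely.
        """
        current = self.lsdb.get(lsa.origin)
        if current is not None and lsa.seq <= current.seq:
            return False
        self.lsdb[lsa.origin] = lsa
        # Flood onward to every neighbor except the one we got it from.
        for n in self.neighbors - {from_neighbor}:
            self.outbox.append((lsa, n))
        return True

    def hop_counts(self):
        """Shortest paths (breadth-first, unit link cost) computed from the LSDB."""
        dist = {self.router_id: 0}
        queue = [self.router_id]
        while queue:
            node = queue.pop(0)
            adj = self.lsdb[node].links if node in self.lsdb else frozenset()
            for nxt in adj:
                if nxt not in dist:
                    dist[nxt] = dist[node] + 1
                    queue.append(nxt)
        return dist


if __name__ == "__main__":
    r1 = LinkStateRouter("R1", ["R2", "R3"])
    r1.originate()
    lsa = LSA("R4", 1, frozenset({"R2"}))
    print("first copy installed:", r1.receive(lsa, "R2"))    # True
    print("duplicate discarded: ", not r1.receive(lsa, "R3"))  # True
```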
43. Security of Network Layer
Dynamic Routing: Exterior Gateway Protocols (EGPs)
• Exterior gateway protocols are designed for routing
between multiple AS’ (Autonomous Systems).
– EGP (Exterior Gateway Protocol).
– BGP (Border Gateway Protocol).
BGP is THE routing protocol for the Internet. BGP peers exchange
full routing information when a new peer is introduced, then send
only updates for route changes. BGP is a path vector routing
protocol, because the router does its own path calculation, and
advertises only the optimal path to a destination network.
• Security issues:
– Integrity of routing tables: Automatic distribution of route table
updates.
– Operational stability: A router running BGP is vulnerable to
“route-flap”, where an unstable routing path to an unreachable
network may cause dynamic updates to all peering routers,
and this impacts performance of the entire Internet!
- 43 -
44. Security of Network Layer
Dynamic Routing: Exterior Gateway Protocols (EGPs)
• To preserve integrity of the route table: Use MD5
authentication between peering routers.
• To preserve operational stability of edge routers
running BGP:
– Enable BGP route-flap damping on all edge routers. For
example:
Prefix length    Suppress time
/24              3 hr.
/19              45-60 min.
/16              <30 min.
– Set ACLs to deny all “Bogon” IP addresses on edge routers
peering on the Internet.
Note: “Bogon” IP addresses are IP addresses that are unused or
have not been assigned on the Internet. The list can be
obtained at http://www.cymru.com/Documents/bogon-list.html.
- 44 -
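Added example (not from the slides or any vendor): a Python model of route-flap damping that uses the slide's prefix-length table as the maximum suppress time per prefix. The per-flap penalty, half-life, reuse and suppress limits (1000, 15 min, 750, 2000), the rounding of the /19 and /16 rows to 60 and 30 minutes, the tier rule for lengths not listed, and the flap histories are all assumptions.

```python
# Graded max-suppress times from the slide (minutes).  The /19 row is given as
# 45-60 min and the /16 row as <30 min; the upper bound of each is assumed here.
MAX_SUPPRESS_MIN = {24: 180, 19: 60, 16: 30}


def max_suppress_minutes(prefix_len):
    """Longest listed prefix length at or below prefix_len decides the tier.
    Anything shorter than /16 gets the /16 value (assumption, not on the slide)."""
    tiers = [p for p in MAX_SUPPRESS_MIN if p <= prefix_len]
    return MAX_SUPPRESS_MIN[max(tiers)] if tiers else MAX_SUPPRESS_MIN[16]


class DampedRoute:
    """Route-flap damping state for one prefix (RFC 2439 style penalty/decay).

    Penalty, half-life, reuse and suppress values are assumed defaults
    (1000 per flap, 15 min, 750, 2000); check what your platform actually uses.
    """

    def __init__(self, prefix, penalty_per_flap=1000, half_life_min=15,
                 reuse=750, suppress=2000):
        self.prefix = prefix
        self.prefix_len = int(prefix.split("/")[1])
        self.max_suppress = max_suppress_minutes(self.prefix_len)
        self.penalty_per_flap = penalty_per_flap
        self.half_life = half_life_min
        self.reuse = reuse
        self.suppress = suppress
        self.penalty = 0.0
        self.last_seen = 0.0          # minutes; time of the last decay computation
        self.suppressed_since = None

    def _decay_to(self, now):
        """Exponential decay: the penalty halves every half_life minutes."""
        self.penalty *= 0.5 ** ((now - self.last_seen) / self.half_life)
        self.last_seen = now

    def flap(self, now):
        """Record a withdraw/re-announce at time `now` (minutes); return suppressed?"""
        self._decay_to(now)
        self.penalty += self.penalty_per_flap
        if self.suppressed_since is None and self.penalty > self.suppress:
            self.suppressed_since = now
        return self.is_suppressed(now)

    def is_suppressed(self, now):
        """True while the route must be withheld from peers.

        Release when the decayed penalty falls below the reuse limit, or when
        the graded max-suppress time for this prefix length has elapsed.
        """
        if self.suppressed_since is None:
            return False
        self._decay_to(now)
        if self.penalty < self.reuse or now - self.suppressed_since >= self.max_suppress:
            self.suppressed_since = None
            return False
        return True


def simulate(prefix, flap_times, probe_time):
    """Apply a constructed flap history, then report suppression at probe_time."""
    route = DampedRoute(prefix)
    for t in flap_times:
        route.flap(t)
    return route.is_suppressed(probe_time)


if __name__ == "__main__":
    # Same five flaps in five minutes; the /16 is released by its 30 min cap,
    # the /24 is still held at minute 33 (its cap is 180 min).
    print("/16 suppressed at t=33:", simulate("198.51.0.0/16", [0, 1, 2, 3, 4], 33))
    print("/24 suppressed at t=33:", simulate("198.51.100.0/24", [0, 1, 2, 3, 4], 33))
```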
45. Security of Network Layer
Packet-filtering Firewall
• Router ACL’s = Packet-filtering firewall
• Firewall Policy: Deny by default, Permit by exception.
– Understand the data-flow (i.e. source, destination, protocols, and
routing methods), so the security engineer knows how to apply IP
filtering.
– Know the specific inbound and outbound I/F’s
– Disable all un-necessary protocols & services.
[Figure: Source host, Firewall (RTR w/ ACL) and Destination host, each shown with its OSI stack; the router filters at the Network layer.]
Reference: DISA FSO Network STIG
- 45 -
46. Security of Network Layer
Packet-filtering Firewall
• Use distribute-list <ACL> out to control outbound routing information.
• Use distribute-list <ACL> in to control inbound routing information.
• Global Filtering:
1. Create ACLs that define what network information is allowed in/out.
2. Configure distribute-list in the appropriate direction under the
router’s routing protocol configuration.
• Per-interface Filtering:
– Apply distribute-list <ACL> <in/out> to a <specific interface>
[Figure: OSI Reference Model]
Reference: DISA FSO Network STIG
- 46 -
47. Security of Network Layer
Security of Network Equipment
• Physical Access Control
– Dedicated access ports for management
• Console Port, Auxiliary Port, VTY (Virtual TTY) Port.
– Dedicated monitoring I/Fs for SNMP
• Use SNMPv3, or SNMPv2c, no default community strings
• For SNMPv2c, treat community strings as “password”.
• Logical Access Control
– Set password & privilege levels.
– Implement AAA (Authentication, Authorization &
Accountability).
– Implement centralized authentication & authorization
mechanism: TACACS+ or RADIUS.
Reference: DISA FSO Network STIG
- 47 -
48. Security of Network Layer
Security of Network Equipment
• Time synchronization
– Use multiple time sources.
– Use NTP for all Layer 3 equipment to synchronize their time.
– Use NTP authentication between clients, servers, and peers
to ensure that time is synchronized to approved servers only.
• Event Logging
– Configure key ACLs to record access violations.
– Example: Anti-spoofing violations, VTY access attempts,
Router filter violations, ICMP, HTTP, SNMP…etc.
Reference: DISA FSO Network STIG
- 48 -
49. Questions:
• What are the two primary security issues associated
with the use of dynamic routing protocols?
–
–
• What is the difference between Interior gateway
protocols (IGPs) and Exterior gateway protocols
(EGPs)?
–
- 49 -
50. Answers:
• What are the two primary security issues associated
with the use of dynamic routing protocols?
– Integrity of routing tables
– Operational stability
• What is the difference between Interior gateway
protocols (IGPs) and Exterior gateway protocols
(EGPs)?
– IGPs are used within autonomous systems. EGPs are used
between autonomous systems
- 50 -
51. Topics
Telecommunications & Network Security Domain – Part 2
• Security Countermeasures and Controls
– Physical Layer
– Data-Link Layer
– IP Network Layer
– Transport Layer
– Application Layer
• VPN
• NAS
Memorization (top-down mnemonic): Away, Pizza, Sausage, Throw, Not, Do, People
OSI Reference Model: Application, Presentation, Session, Transport, Network, Data-Link, Physical
TCP/IP Protocol Architecture: Application Layer (OSI Application, Presentation, Session), Host-to-Host Transport Layer (Transport), Internet Layer (Network), Network Access Layer (Data-Link, Physical)
52. Security of Transport & Application Layers
Firewalls
• Packet-filtering firewall (i.e. Router ACLs)
– Does not examine Layer 4-7 data. Therefore it cannot prevent
application-specific attacks
• Proxy firewall
– It supports selected IP protocols (i.e. DNS, Finger, FTP,
HTTP, LDAP, NNTP, SMTP, Telnet). Multicast protocols
(PIM, IGMP, etc.) must be TUNNELED through the firewall
• Stateful inspection firewall
– It’s faster than a proxy firewall and more flexible because it
examines the TCP/IP protocols, not the data
– Unlike a proxy firewall, it does not rewrite every packet and
does not “talk” on the application server’s behalf
- 52 -
53. Security of Transport & Application Layers
Firewalls
Hybrid Firewalls…
• Circuit-level proxy firewall
– IETF created SOCKS proxy protocol (RFC 1928) for secure
communications
– SOCKS creates a circuit between client and server without
requiring knowledge about the internetworking service. (No
application specific controls)
– It supports user authentication
• Application proxy firewall
– Application proxy + Stateful inspection
– A different proxy is needed for each service
– It supports user authentication for each supported service.
– e.g. Checkpoint Firewall-1 NG
- 53 -
54. Security of Transport & Application Layers
Packet-filtering firewalls
• Router ACL’s ~ Packet-filter firewall
• Firewall Policy: Deny by default, Permit by exception
– Understand the data-flow (i.e. source, destination, protocols, and
routing methods), so the security engineer knows how to apply IP
filtering
– Know the specific inbound and outbound I/F’s
– Disable all un-necessary protocols & services
[Figure: Source host, Firewall (RTR w/ ACL) and Destination host, each shown with its OSI stack; the router filters at the Network layer.]
Source: DISA FSO Network STIG
- 54 -
55. Security of Transport & Application Layers
Proxy firewalls
• Do not allow any direct connections between internal
and external computing hosts
• Able to analyze application commands inside the payload
(datagram)
• Supports user-level authentications. Able to keep
comprehensive logs of traffic and specific user activities
[Figure: Source, proxy Firewall and Destination, each with a full OSI stack; the proxy terminates the connection at the TCP/IP Application Layer.]
- 55 -
56. Security of Transport & Application Layers
Stateful inspection firewalls
• Supports all TCP/IP-based services, including UDP (by
some)
• Inspects TCP/IP packets and keeps track of the state of each
packet. Low overhead and high throughput
• Allows direct TCP/IP sessions between internal computing
hosts and external clients
• Offers no user authentication
[Figure: Source, Stateful Inspection firewall and Destination, each with its OSI stack.]
- 56 -
57. Security of Transport & Application Layers
Firewall Policy
In principle, a firewall performs three actions:
• Accept: the firewall passes the IP packets through the
firewall as matched by the specific rule
• Deny: the firewall drops the IP packets when not matched by
the specific rule and returns an error message to the source
system. (log entries are generated)
• Discard: the firewall drops the IP packets and does not
return an error message to the source system. (i.e., like a
“black hole”)
[Figure: OSI Reference Model]
- 57 -
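Added example tying together the packet-filtering slides (deny by default, permit by exception), the three firewall actions on this slide, and the anti-spoofing ACL logging listed under event logging; it is Python written for this review, not a vendor's ACL syntax. The interface name, the DMZ server address (a documentation range) and the rule set are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACCEPT, DENY, DISCARD = "accept", "deny", "discard"

# RFC 1918 ranges from the NAT slide.  Arriving on the outside interface they
# can only be spoofed, which makes them the first anti-spoofing filter entries.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None   # None matches any port
    log: bool = False

    def matches(self, pkt):
        return (self.iface in ("*", pkt.iface)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Verdict:
    action: str
    icmp_error: bool            # Deny answers the source; Discard is a "black hole"
    log_entry: Optional[str]    # None when the matching rule does not log


def _verdict(action, pkt, why):
    log = None
    if why is not None:
        log = f"{action.upper()} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport} in {pkt.iface} ({why})"
    return Verdict(action, icmp_error=(action == DENY), log_entry=log)


def evaluate(rules, pkt, default=DISCARD):
    """First matching rule wins; anything unmatched falls to the default.

    Deny by default, permit by exception: the default is never ACCEPT, and the
    implicit default always logs, because it records an access violation.
    """
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return _verdict(rule.action, pkt, f"rule {i}" if rule.log else None)
    return _verdict(default, pkt, "implicit default")


def edge_policy(dmz_web="203.0.113.10"):
    """Constructed edge ACL for one DMZ web server (hypothetical address).

    Order matters: the anti-spoofing entries precede the permits, so a spoofed
    private source can never reach the HTTPS exception below.
    """
    anti_spoof = [Rule(DISCARD, iface="outside", src=net, log=True) for net in RFC1918]
    exceptions = [
        Rule(ACCEPT, iface="outside", dst=dmz_web + "/32", proto="tcp", dport=443),
        Rule(ACCEPT, iface="outside", dst=dmz_web + "/32", proto="tcp", dport=80),
        # Management port: tell the source it was refused, and log the attempt.
        Rule(DENY, iface="outside", dst=dmz_web + "/32", proto="tcp", dport=22, log=True),
    ]
    return anti_spoof + exceptions


if __name__ == "__main__":
    policy = edge_policy()
    for pkt in (Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("outside", "10.0.0.5", "203.0.113.10", "tcp", 443),
                Packet("outside", "198.51.100.7", "203.0.113.10", "udp", 53)):
        print(evaluate(policy, pkt))
```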
58. Security of Transport & Application Layers
Network Design with Firewalls
[Figure: enterprise network design. Public users (Citizen and LoB) reach the Internet over HTTP / HTTPS; employee users reach the federated ISP / enterprise over VPN or a dedicated circuit to the DOI Intranets. Redundant routers using diverse-path uplinks to external networks feed the exterior firewalls, multi-service switches and a content switch for load balancing. Primary and backup DMZs each hold External DNS and a business-specific VLAN with an FTP server, web servers, web application servers, and proxied (virtual) e-mail, certificate and directory servers.]
- 58 -
59. Security of Transport & Application Layers
Intrusion Detection System (IDS) &
Intrusion Prevention System (IPS)
• Network-IDS (Intrusion Detection System) is a
“passive” device
– To detect attacks and other security violations
– To detect and deal with pre-ambles to attacks (i.e.,
“doorknob rattling”/ probing / scanning)
– To document the threat to a network, and improve diagnosis,
recovery and correction of an unauthorized intrusion
• Network-IPS (Intrusion Prevention System) is an “in-
line” device
– Has all the same service features of a N-IDS, plus
– Infers the internetworking “behavior” to PREVENT further
damage to internetworking services
- 59 -
60. Security of Transport & Application Layers
Intrusion Detection System (IDS) &
Intrusion Prevention System (IPS)
• N-IDS (and Host-IDS) use “knowledge-based” (a.k.a.
“signature-based”) methodology to detect intrusions
– Uses a database of known attacks and vulnerabilities called
signatures
– Only as good as the last signature update
– Can be difficult to tune – false positives, acceptable
behavior.
• N-IPS uses “behavior-based” methodology to detect
and prevent intrusions.
– Learns normal network or host behavior
– Alerts when behavior deviates from the norm such as
malformed packets, abnormal network utilization, or memory
usage
- 60 -
61. Security of Transport & Application Layers
Network-based Intrusion Detection System (N-IDS)
• Network-IDS (intrusion detection system) is a
“passive” device
– There are two ways to set up the listening interfaces:
Network TAP and VLAN Port Spanning on an L2 switch
– N-IDS is composed of two components: Pre-processor
(Sensor) and Event Collector/Analyzer
• The Pre-processor assembles the packets and matches them against
a pre-defined signature database
• The Event Collector/Analyzer collects the events from all the
sensors, correlates them and presents the intrusion pattern
[Figure: two business-specific VLANs, each with an L2 switch port span on the VLAN feeding the listening I/F of an N-IDS sensor; each sensor’s reporting I/F connects to the Monitor & Management VLAN.]
- 61 -
62. Security of Transport & Application Layers
Network-based Intrusion Prevention System (N-IPS)
• Network-IPS (intrusion prevention system) is an “in-line”
device
– Examines network traffic and automatically blocks
inappropriate or malicious traffic
– However, it may block some “normal” enterprise
internetworking LAN traffic. So, it’s best to use it between the
edge router and exterior perimeter firewall
[Figure: redundant routers using diverse-path uplinks to external networks, then the N-IPS in-line, then the exterior firewalls, multi-service switches and a content switch for load balancing, in front of the primary and backup DMZs.]
- 62 -
63. Questions:
• What are the five common types of firewall?
–
–
–
–
–
• What are the three policy actions a firewall can take?
–
–
–
- 63 -
64. Answers:
• What are the five common types of firewall?
– Packet filtering
– Proxy
– Stateful inspection
– Circuit-level proxy (i.e., SOCKS)
– Application proxy
• What are the three policy actions a firewall can take?
– Accept
– Deny
– Discard
- 64 -
65. Questions:
[Figure: numbered network diagram with elements 1, 2 and 4 in a row, 3 below 2, and 5 and 6 below 3.]
• If 1 is a router, 4 is located in a DMZ. What is 2?
–
• If 3 is a switch, 5 is a N-IDS, and 6 is a computing platform.
What does one have to do to the switch ports to 5 and 6?
–
- 65 -
66. Answers:
[Figure: numbered network diagram with elements 1, 2 and 4 in a row, 3 below 2, and 5 and 6 below 3.]
• If 1 is a router, 4 is located in a DMZ. What is 2?
– Firewall
• If 3 is a switch, 5 is a N-IDS, and 6 is a computing platform.
What does one have to do to the switch ports to 5 and 6?
– Provision a port span
- 66 -
67. Topics
Telecommunications & Network Security Domain – Part 2
• Security Countermeasures and Controls
– Physical Layer
– Data-Link Layer
– IP Network Layer
– Transport Layer
– Application Layer
• VPN
• NAS
Memorization (top-down mnemonic): Away, Pizza, Sausage, Throw, Not, Do, People
OSI Reference Model: Application, Presentation, Session, Transport, Network, Data-Link, Physical
TCP/IP Protocol Architecture: Application Layer (OSI Application, Presentation, Session), Host-to-Host Transport Layer (Transport), Internet Layer (Network), Network Access Layer (Data-Link, Physical)
68. Security Countermeasures & Controls
Security of Application Layers – S-HTTP vs. HTTPS
• S-HTTP (Secure HTTP) (RFC 2660) is an
experimental protocol designed for use in conjunction
with HTTP
– S-HTTP is a Message-oriented secure communication
protocol
• HTTPS is HTTP over SSL (Secure Socket Layer).
– SSL works at the Transport Layer level
– HTTP message is encapsulated within the SSL
- 68 -
69. Security Countermeasures & Controls
Security of Application Layers – SET
Secure Electronic Transaction (SET) is a system for
ensuring the security of financial transactions on the
Internet. It was supported initially by MasterCard,
Visa, Microsoft, Netscape, and others
• A user is given an electronic wallet (digital certificate)
and a transaction is conducted and verified using a
combination of digital certificates and digital signature
among the purchaser, a merchant, and the
purchaser's bank in a way that ensures privacy and
confidentiality
• SET uses Netscape's SSL, Microsoft's STT (Secure
Transaction Technology), and Terisa System's S-
HTTP
• SET uses some but not all aspects of a PKI
- 69 -
70. Security Countermeasures & Controls
Security of Application Layers – DNS
• Domain Name System (DNS) translates hostnames to IP
addresses. BIND (Berkeley Internet Name Domain) is the
most commonly used DNS server on the Internet
– DNS server: supplies domain name to IP address conversion
– DNS resolver: when it cannot resolve a DNS request, it sends a
DNS query to another known DNS server
• Security issues with DNS:
– DNS cache poisoning, where the legitimate IP addresses are
replaced
– DNS spoofing, where the attacker spoofs the DNS server’s answer
with its own IP address in the source-address field
• Countermeasures:
– Forbid recursive queries to prevent spoofing
– Setup multiple DNS servers (External, internal)
– Keep your BIND up to date
Reference: http://en.wikipedia.org/wiki/Domain_name_system
- 70 -
71. Security Countermeasures & Controls
Security of Application Layers – Computing Hosts
Protection of servers (network focused)…
• Be specific on service functions
– Limit services, minimize potential exposures
– Focus on a single function…
Web Server: Web Pages
DNS Server: DNS
E-mail Server: E-mail
DB Server: DB Services
• Install Host-IDS
– Enforce CM and Change Control
• Install Anti-Virus
• Disable all processes/services not in use
• Enforce strict access control
– Network I/Fs
– OS / Applications
- 71 -
72. Security Countermeasures & Controls
Technical Countermeasures in IATF v3.1
Security Services Spectrum: Access Control, Confidentiality, Integrity, Availability, Non-Repudiation
Defense-In-Depth                     Security Mechanism                   Security Services
Defending the Network &              Redundant & Diverse Comm. Links      Availability
Infrastructure                       Encryptors                           Confidentiality, Integrity
                                     Routers                              Access Control
Defending the Enclave Boundary       Firewalls                            Access Control, Integrity
                                     Multi-Service & Layer 2 Switches     Access Control
                                     Network-based & Host-based IDS’s     Integrity
Defending the Computing Environment  Hardened OS                          Access Control, Integrity
                                     Anti-Virus Software                  Access Control, Integrity
Supporting the Infrastructure        PKI (X.509-based Messaging: DMS)     Confidentiality, Access Control, Identification, Authentication, Integrity, Non-Repudiation
Reference & Guidelines:
• Information Assurance Technical Framework (IATF), Release 3.1
• DoDI 8500.2 Information Assurance (IA) Implementation
- 72 -
73. Topics
Telecommunications & Network Security Domain – Part 2
• Security Principles & Network Architecture
• Security Countermeasures and Controls
– Physical Layer
– Data-Link Layer
– IP Network Layer
– Transport Layer
– Application Layer
• VPN
• NAS
- 73 -
74. Security Countermeasures & Controls
Virtual Private Network (VPN) & Tunneling
• Tunneling is used to “package/encapsulate” packets and
transport them INSIDE other packets from one
internetworking domain to another.
• VPN enables the shared internetworking resources to be
used as private or dedicated circuits. (i.e. Access Control)
– Types of VPN:
• LAN-to-LAN
• Remote Client Access
• Client-less Remote Access
– Example:
• PPTP (Point-to-Point Tunneling Protocol)
• L2TP (Layer 2 Tunneling Protocol)
• MPLS (Multi-Protocol Label Switching)
• GRE (Generic Routing Encapsulation)
• IPsec (Internet Protocol Security)
• SSH (Secure Shell)
- 74 -
75. Virtual Private Network (VPN)
Point-to-Point Tunneling Protocol (PPTP)
PPTP (Point-to-Point Tunneling Protocol) operates at
Layer 2. (RFC 2637)
• A protocol which allows PPP (Point-to-Point Protocol)
to be tunneled through an IP-based network.
– PPTP packages data within PPP packets, then encapsulates
the PPP packets within IP packets for transmission through
an Internet-based VPN tunnel
• PPTP supports data encryption and compression
• PPTP also uses a form of GRE to get data to and
from its final destination
- 75 -
76. Virtual Private Network (VPN)
Layer 2 Tunneling Protocol (L2TP)
L2TP (Layer 2 Tunneling Protocol) operates at Layer 2.
(RFC 2661)
• A protocol which allows PPP (Point-to-Point Protocol)
to be tunneled through an IP-based network.
• It is a hybrid of PPTP and L2F and can support multiple
protocols
• Often combined with IPsec for security
- 76 -
77. Virtual Private Network (VPN)
Multi-Protocol Label Switching (MPLS)
MPLS (Multi-Protocol Label Switching) (a.k.a. Tag
Switching), operates at Layer 2
• a data-carrying mechanism, operating at data-link
layer. It was designed to provide a unified data-
carrying service for both circuit-based clients and
packet-switching clients which provide a datagram
service model
• It can be used to carry many different kinds of traffic,
including both voice telephone traffic and IP packets.
• It does not rely on encapsulation and encryption to
maintain a high level of security
- 77 -
78. Virtual Private Network (VPN)
Generic Routing Encapsulation (GRE)
GRE (Generic Routing Encapsulation) (RFC 2784)
• GRE is a Network Layer tunnel that allows any
network protocol to be transmitted over a network
running some other protocol such as:
– Transmitting multicast datagrams over a unicast network.
– Transmitting non-TCP/IP routing protocols such as:
AppleTalk, IPX, etc.
• GRE can be a security issue (i.e. packet-filtering), so it is
recommended that the GRE tunnel be created in front of a
firewall.
- 78 -
79. Virtual Private Network (VPN)
IPsec… (1/6)
IPsec is a protocol suite (RFC 2401/4301, 2411).
• Transport Layer:
– AH (IP Authentication Header) provides connection-less
integrity, data origin authentication.
– ESP (Encapsulating Security Payload) provides
confidentiality through encryption.
• Application Layer: (RFC 4306)
– IKE (Internet Key Exchange) is performed using ISAKMP
(Internet Security Association and Key Management
Protocol).
- 79 -
80. Virtual Private Network (VPN)
IPsec… (2/6)
• Authentication Header (AH) (RFC 4302)
– AH follows right after IP header
– Next Header: Identifies the protocol of transferred data
– Payload Length: Size of AH packet
– SPI: Identifies the security parameters, which in combination
with the IP address, identify the security association
implemented with this packet
– Sequence Number: Used to prevent replay attacks
– Authentication Data: Contains the integrity check value
(ICV) to authenticate the packet
AH layout (32-bit words, bits 0-31):
Word 1: Next Header | Payload Length | Reserved
Word 2: Security Parameters Index (SPI)
Word 3: Sequence Number
Word 4: Authentication Data (variable)
- 80 -
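Added example (not from the slides or the RFC text): Python that parses the AH fields laid out above and runs a sliding anti-replay window over the Sequence Number, the mechanism the slide credits with preventing replay attacks. The sample header (Next Header 6, SPI 0x1000, a dummy 96-bit ICV) is constructed, and the ICV itself is not verified here.

```python
import struct

AH_FIXED_LEN = 12  # Next Header, Payload Length, Reserved, SPI, Sequence Number


def parse_ah(data):
    """Parse the Authentication Header laid out on the slide (RFC 4302).

    Payload Length counts 32-bit words minus 2, so a 96-bit ICV gives a value
    of 4: (4 + 2) * 4 = 24 bytes in total.  Returns the fields and the bytes
    that follow the AH (the protected payload named by Next Header).
    """
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH: fixed part is 12 bytes")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if ah_len < AH_FIXED_LEN or len(data) < ah_len:
        raise ValueError("AH Payload Length inconsistent with packet size")
    fields = {
        "next_header": next_header, "payload_length": payload_len, "reserved": reserved,
        "spi": spi, "sequence_number": seq, "icv": data[AH_FIXED_LEN:ah_len],
    }
    return fields, data[ah_len:]


class ReplayWindow:
    """Sliding anti-replay window over the AH Sequence Number (RFC 4302 3.4.3).

    Bit i of `bitmap` set means sequence number (highest - i) was already seen.
    A real implementation advances the window only after the ICV verifies;
    the ICV check is out of scope here, so a caller would do it first.
    """

    def __init__(self, size=32):
        self.size = size
        self.highest = 0      # sequence number 0 is never sent; an SA starts at 1
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it); False if replayed or too old."""
        if seq == 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False          # older than the window: dropped
        if self.bitmap & (1 << offset):
            return False          # duplicate inside the window: replay
        self.bitmap |= 1 << offset
        return True


def accept_ah_packet(data, window):
    """Parse and run the anti-replay check; returns (fields, accepted)."""
    fields, _rest = parse_ah(data)
    return fields, window.check_and_update(fields["sequence_number"])


def sample_ah_packet(seq):
    """Constructed AH for testing: Next Header 6 (TCP), 96-bit dummy ICV, SPI 0x1000."""
    header = struct.pack("!BBHII", 6, 4, 0, 0x1000, seq)
    return header + b"\x11" * 12 + b"tcp-segment"


if __name__ == "__main__":
    w = ReplayWindow()
    for seq in (1, 1, 40, 2, 10, 10):
        print(f"seq {seq:>2}: {'fresh' if w.check_and_update(seq) else 'rejected'}")
```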
81. Virtual Private Network (VPN)
IPsec… (3/6)
• Encapsulating Security Payload (ESP) (RFC 4303)
– ESP operates directly on top of IP header
– SPI: Identifies the security parameters in combination with
the IP address
– Sequence Number: Used to prevent replay attacks
– Payload Data: The encapsulated data
– Padding: Used to pad the data for block cipher
– Pad Length: Necessary to indicate the size of padding
– Next Header: Identifies the protocol of the transferred data
– Authentication Data: Contains the integrity check value (ICV)
to authenticate the packet
ESP layout (32-bit words, bits 0-31):
Word 1: Security Parameters Index (SPI)
Word 2: Sequence Number
Word 3: Payload Data (variable)
Word 4: Payload Data... | Padding... | Pad Length | Next Header
Word 5: Authentication Data (variable)
- 81 -
82. Virtual Private Network (VPN)
IPsec… (4/6)
IPsec imposes computational performance costs on the host or
security gateways.
• Memory needed for IPsec code and data structures
• Computation of integrity check values.
• Encryption and decryption.
• Added per-packet handling, manifested by increased latency and,
possibly, reduced throughput
• Use of SA/key management protocols, especially those that
employ public key cryptography, also adds computational costs to
the use of IPsec
[Figure: IPsec Architecture. ESP Protocol (Encryption Algorithm, Authentication Algorithm) and AH Protocol (Authentication Algorithm), bound together by the Domain of Interpretation (DOI) and Key Management.]
Reference: http://tools.ietf.org/html/rfc2411
- 82 -
83. Virtual Private Network (VPN)
IPsec… (5/6)
IPsec operates in two modes:
• Transport mode:
– Only the payload is protected (i.e., encryption & hash)
– IP headers are not encrypted
– If AH is used then IP address can not be translated (i.e., NAT)
– For host-to-host communications only
• Tunnel mode:
– The payload and header are protected (i.e., encryption & hash)
– Used for network-to-network, host-to-network, and host-to-host
communications
Reference: http://en.wikipedia.org/wiki/IPsec
- 83 -
84. Virtual Private Network (VPN)
IPsec... (6/6)
IPsec is implemented in the following “popular” ways…
• Network-to-Network
– IPsec tunnel between two security gateways
– GRE/IPsec in established Layer 3 tunnel
– L2TP/IPsec in established Layer 2 tunnel
• Host-to-Network
– L2TP/IPsec in established Layer 2 tunnel via VPN client on
remote client (i.e. your laptop or PC)
– IPsec tunnel between VPN client to security gateway
• Host-to-Host
– IPsec in transport mode or tunnel mode between two
computing machines
Reference:
• http://en.wikipedia.org/wiki/IPsec
• http://en.wikipedia.org/wiki/L2TP
• http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm
• RFC 4301, Security Architecture for the Internet Protocol (http://tools.ietf.org/html/rfc4301)
- 84 -
85. Virtual Private Network (VPN)
Secure Sockets Layer (SSL)
SSL (Secure Sockets Layer)
• Runs between the Application Layer (HTTP, SMTP, NNTP, etc)
and Transport Layer (TCP)
• Supports client/server’s negotiation of cryptographic algorithms:
– Public-key cryptography: RSA, Diffie-Hellman, DSA or Fortezza
– Symmetric ciphers: RC2, IDEA, DES, 3DES or AES
– One-way hash functions: MD5 or SHA
SSL handshake (Client / Server):
Client to Server: client hello
Server to Client: server hello, certificate, server key exchange,
request for client’s certificate, server hello done
Client to Server: certificate, client key exchange, certificate
verification, change cipher specification, finished
Server to Client: change cipher specification, finished
Both: Application Data...
Reference: http://wp.netscape.com/eng/ssl3/
- 85 -
86. Virtual Private Network (VPN)
Secure Sockets Layer (SSL)
• SSL works in two modes:
– Application embedded, i.e. HTTPS
– SSL Tunnel or SSL VPN (e.g. OpenVPN)
• SSL VPN is less complex than IPsec…
– Unlike IPsec, the SSL protocol sits on top of the Transport
Layer stack.
– OpenVPN (a.k.a. user-space VPN), because unlike IPsec it
operates outside of the OS kernel.
– SSL is more flexible in supporting multiple cryptographic
algorithms
[Figure, application-embedded mode: Remote Client (client application with embedded SSL/TLS support, SSLv3/TLSv1, TCP/IP stack, Data-Link Layer) exchanging an SSL/TLS encrypted payload (using e.g. 2048 RSA, 3DES) with a Server (server application with embedded SSL/TLS support, SSLv3/TLSv1, TCP/IP stack, Data-Link Layer).]
[Figure, SSL tunnel mode: Remote Client running SSLv3/TLSv1 tunnel client software over its TCP/IP stack and Data-Link Layer, connected through a proprietary transparent SSL/TLS encrypted VPN tunnel (using e.g. 2048 RSA, 3DES) to a Security Gateway (SSLv3/TLSv1 tunnel, TCP/IP stack, Data-Link Layer) in front of the DOI ESN Networks’ server applications.]
- 86 -
87. Virtual Private Network (VPN)
Transport Layer Security (TLS)
• TLS 1.0 (Transport Layer Security) (RFC 2246) is defined
based on SSL 3.0
• TLS and SSL protocols are not interchangeable (during a
client/server session)
• The selection of TLS or SSL is negotiated between
client/server at the “hello”.
Handshake (Client / Server):
Client to Server: client hello
Server to Client: server hello, certificate, server key exchange,
request for client’s certificate, server hello done
Client to Server: certificate, client key exchange, certificate
verification, change cipher specification, finished
Server to Client: change cipher specification, finished
Both: Application Data...
Reference: http://www.ietf.org/rfc/rfc2246.txt
- 87 -