BRC-Network Security Overview
Passive Attack:
a. Release of message content
b. Traffic analysis
Active Attack:
RFC 2828:
A processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms.
Security Services
Security Mechanisms
• The mechanisms are divided into those that are implemented in a specific protocol layer, such as TCP or an application-layer protocol, and those that are not specific to any particular protocol layer or security service.
Security Mechanism
Relationship Between Security Services and Mechanisms
Relationship between Security Services and Security Attacks
Relationship between Security Mechanisms and Attacks.
Positioning of Security Services in Network
Physical layer
• Available Services
– Connection Confidentiality
– Traffic Flow Confidentiality
• Full
• Limited
These services are restricted to passive threats and are applicable to point-to-point or multi-peer communications.
• Available Mechanisms
– Total encipherment
– Transmission security (specific form of encipherment applicable to the physical layer only)
Data link layer
• Available Services
– Connection Confidentiality
– Connectionless Confidentiality
• Available Mechanisms
– Encipherment
Network layer
• Available Services
May be provided by the protocol that performs sub-network access functions or by the protocol that performs relaying and routing
– Peer Entity Authentication
– Data Origin Authentication
– Access Control service
– Connection Confidentiality
– Connectionless Confidentiality
– Traffic Flow Confidentiality
– Connection Integrity without recovery
– Connectionless Integrity
These services may be provided alone or in combination.
• Available Mechanisms
– Peer Entity Authentication: appropriate combination of cryptographically-derived or protected authentication exchanges, protected password exchange and signature mechanisms
– Data Origin Authentication: encipherment or signature mechanisms
– Access Control service: appropriate use of specific access control mechanisms
– Connection Confidentiality: encipherment and/or routing control
– Connectionless Confidentiality: encipherment and/or routing control
– Traffic Flow Confidentiality: traffic padding mechanism, in conjunction with a confidentiality service at or below the network layer and/or routing control
– Connection Integrity without recovery: data integrity mechanism, sometimes in conjunction with an encipherment mechanism
– Connectionless Integrity: same as above
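The traffic flow confidentiality entry above says that traffic padding only helps when combined with a confidentiality service, because padding that an observer can see is no padding at all. The following Python is an added example, not part of the slides: it pads each message up to a fixed bucket size and then enciphers nonce plus body, and it reports what a passive observer doing traffic analysis actually sees, namely ciphertext lengths only. The bucket size, the sample messages and the HMAC-SHA256 counter-mode keystream used as the encipherment step are all constructed for illustration (a real deployment would use an AEAD cipher).

```python
import hashlib
import hmac
import os
import struct

# Assumed padding policy for this example: every message is padded up to a
# multiple of BUCKET bytes before encipherment (constructed value, not from the slides).
BUCKET = 256
NONCE_LEN = 16

def pad_to_bucket(msg: bytes, bucket: int = BUCKET) -> bytes:
    """Traffic padding: append random filler plus a 4-byte length trailer so the
    padded body is a multiple of `bucket` bytes; the true length is hidden until
    the body is deciphered."""
    body_len = len(msg) + 4
    pad_len = (-body_len) % bucket
    return msg + os.urandom(pad_len) + struct.pack(">I", len(msg))

def unpad(padded: bytes) -> bytes:
    if len(padded) < 4:
        raise ValueError("padded body too short")
    (n,) = struct.unpack(">I", padded[-4:])
    if n > len(padded) - 4:
        raise ValueError("corrupt length trailer")
    return padded[:n]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative encipherment only: HMAC-SHA256 in counter mode used as a
    keystream and XORed over the data. Real deployments use an AEAD cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def send(key: bytes, msg: bytes, padding: bool = True) -> bytes:
    """Produce what goes on the wire: nonce || enciphered (optionally padded) body."""
    nonce = os.urandom(NONCE_LEN)
    body = pad_to_bucket(msg) if padding else msg
    return nonce + keystream_xor(key, nonce, body)

def recv(key: bytes, wire: bytes, padding: bool = True) -> bytes:
    nonce, ct = wire[:NONCE_LEN], wire[NONCE_LEN:]
    body = keystream_xor(key, nonce, ct)
    return unpad(body) if padding else body

def observed_lengths(key: bytes, msgs, padding: bool):
    """What a passive observer doing traffic analysis sees: only ciphertext sizes."""
    return [len(send(key, m, padding)) for m in msgs]

if __name__ == "__main__":
    key = os.urandom(32)
    msgs = [b"yes", b"no", b"transfer 1000 to account 42"]  # constructed sample traffic
    print("unpadded lengths:", observed_lengths(key, msgs, padding=False))
    print("padded lengths:  ", observed_lengths(key, msgs, padding=True))
```

Without padding the three messages produce three distinct wire sizes, so an observer who never breaks the cipher can still tell a "yes" from a "no" from a transfer. With bucket padding all three are the same size. Padding to a fixed bucket costs bandwidth, which is why the slides tie it to a policy decision rather than making it a default.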
Transport layer
• Available Services
– Peer Entity Authentication
– Data Origin Authentication
– Access Control service
– Connection Confidentiality
– Connectionless Confidentiality
– Connection Integrity with recovery
– Connection Integrity without recovery
– Connectionless Integrity
These services may be provided alone or in combination.
• Available Mechanisms
– Peer Entity Authentication: appropriate combination of cryptographically-derived or protected authentication exchanges, protected password exchange and signature mechanisms
– Data Origin Authentication: encipherment or signature mechanisms
– Access Control service: appropriate use of specific access control mechanisms
– Connection Confidentiality: encipherment
– Connectionless Confidentiality: encipherment
– Connection Integrity with recovery: data integrity mechanism, sometimes in conjunction with an encipherment mechanism
– Connection Integrity without recovery: same as above
– Connectionless Integrity: same as above
These mechanisms will operate in such a manner that individual transport connections can be isolated from each other
Application layer
• Available Services
– Peer Entity Authentication
– Data Origin Authentication
– Access Control Service
– Connection Confidentiality
– Connectionless Confidentiality
– Selective Field Confidentiality
– Traffic Flow Confidentiality
– Connection Integrity with Recovery
– Connection Integrity without Recovery
– Selective Field Connection Integrity
– Connectionless Integrity
– Selective Field Connectionless Integrity
– Non-repudiation with Proof of Origin
– Non-repudiation with Proof of Delivery
• Available Mechanisms
– Peer Entity Authentication: authentication information transferred between application entities, protected by lower layer encipherment
– Data Origin Authentication: signature or lower layer mechanisms
– Access Control Service: combination of access control mechanisms in the application or lower layers
– Connection Confidentiality: lower layer encipherment
– Connectionless Confidentiality: lower layer encipherment
– Selective Field Confidentiality: encipherment at presentation layer
– Traffic Flow Confidentiality: traffic padding, plus confidentiality at a lower level
– Connection Integrity with Recovery: lower layer data integrity
– Connection Integrity without Recovery: lower layer data integrity
– Selective Field Connection Integrity: data integrity
– Connectionless Integrity: lower layer data integrity
– Selective Field Connectionless Integrity: data integrity
– Non-repudiation with Proof of Origin: combination of signature and lower layer data integrity (possibly in conjunction with 3rd party notaries)
– Non-repudiation with Proof of Delivery: combination of signature and lower layer data integrity (possibly in conjunction with 3rd party notaries)
Model for Network Security
This general model shows that there are four basic tasks in
designing a particular security service: