IC3 - Network Security. IC3 - Network Security. M.Sc. in Information Security Royal Holloway, University of London

1

IC3 - Network Security

M.Sc. in Information Security

Royal Holloway, University of London

2

IC3 - Network Security

Lecture 1, Part 1

Introduction to Networking

3 CINS/F1-01

Objectives of Lecture

• Networking background

• Show how networks can be understood using a layered approach.

• Introduce the OSI seven layer reference model.

• Introduce the concepts of internetworking and routing.

• Understanding the difference between network

protocols and services.

4

Contents

1.1 Extended example: how the Internet protocols fetch a web page

1.2 The concept of protocol layering 1.3 Internetworking and routing 1.4 The OSI seven layer model

5

1.1 Internet Protocols

Network

Web Browser

Web Server

How does a web browser application retrieve data from a web server?

6

Application Layer

• Users invoke applications which “speak” using application protocol.

• Applications interact with a transport protocol to send or receive data.

• Application protocol in our example: Hypertext Transfer Protocol (HTTP).

• Other application protocols: FTP, SMTP, DNS, NFS, SMB/CIFS, …

7

Application Layer Example

• HTTP outline:

– GET /directory/dirsearch.html HTTP/1.1 – Host: news.bbc.co.uk

– Other fields also included (e.g. client application identifier, encoding methods,…)

GET /directory/dirsearch.html HTTP/1.1 Host: news.bbc.co.uk

HTTP Message

8

Transport Layer

• Provides end-to-end communication between applications.

• Transport Protocol: Transport Control Protocol (TCP) – a reliable, connection-oriented transport protocol.

• Divides stream of application messages into packets. • Interacts with Internet Layer to send or receive data. • In general, a transport protocol may be

– reliable or unreliable,

– connection-oriented or connectionless, – and flow may or may not be regulated.

9

Transport Layer Example

• TCP outline:

– Source Port: 1081 – Destination Port: 80 – Checksum: 0xa858

– Other header fields and payload

GET /directory/dirsearch.html HTTP/1.1 Host: news.bbc.co.uk Src: 1081 Dst: 80 Chksum: 0xa858 HTTP Message TCP payload TCP header 10

Internet Layer

• Responsible for routing communications between one machine and another.

• Accepts requests to send packets to destination address.

• Internet Protocol (IP) encapsulates packets in IP datagram with IP header and uses routing algorithm to decide whether to send directly or indirectly.

11

Internet Layer Example

• IP outline:

– Time to live: 128

– Header checksum: 0x57d1 – Source: nonesuch (192.168.0.40)

– Destination: news.bbc.co.uk (192.168.0.50) – Other header fields and payload

GET /directory/dirsearch.html HTTP/1.1 Host: news.bbc.co.uk Src: 1081 Dst: 80 Chksum: 0xa858 Src: 192.168.0.40 Dst: 192.168.0.50 TTL: 128 HTTP Message TCP header

IP datagram header IP payload

12

Network Interface Layer

• Accepts IP datagrams and prepares for transmission over specific physical network

• Maybe a simple device driver (e.g. an Ethernet driver) or a complex subsystem with further data link protocols (e.g. in an ATM network)

• Output of network interface layer is a signal suitable for transmission on a particular physical medium

– Alternatively, this can then be further (transparently) encapsulated: PPPoE used commonly in residential DSL and cable applications

13 Src: 00:e0:81:10:19:fc Dst: 00:a0:cc:54:1d:4e Type: IP

Network Interface Layer Example

• Ethernet outline:

– Destination: 00:a0:cc:54:1d:4e – Source: 00:e0:81:10:19:fc – Type: IP

– Other header fields and payload

GET /directory/dirsearch.html HTTP/1.1 Host: news.bbc.co.uk Src: 1081 Dst: 80 Chksum: 0xa858 Src: 192.168.0.40 Dst: 192.168.0.50 TTL: 128 Ethernet Frame 14

Physical Layer

• A layer representing the actual communications medium.

– Could be an Ethernet cable (TP, 10Base2, etc.), optical fibre, wireless link, telephone wire or even a carrier pigeon (http://www.ietf.org/rfc/rfc1149.txt) – Sometimes not considered as a separate layer in

TCP/IP networking; sometimes not considered part of TCP/IP at all.

– Thus creating confusion over whether there are really 4 or 5 layers in TCP/IP.

15

At The Server

• The server contains a set of layers matching those at the client:

– The physical signal is presented to the server’s network interface layer which reconstructs the Ethernet frame. – The network interface layer extracts an IP datagram and

passes it up to the Internet layer.

– The Internet layer checks the datagram, extracts a TCP segment and passes it up to the transport layer. – The transport layer checks for errors and passes the TCP

payload (an http message) onto the application layer. – The web server at the application layer receives the http

message and processes it.

• Return messages from web server to web browser are handled in the same way.

16

1.2 Protocol Layering

Application Layer Transport Layer Internet Layer Network Interface Layer Physical Network Application Layer Transport Layer Internet Layer Network Interface Layer Message Packet Datagram Frame Host A Host B

17

Protocol Layering

Application Layer Transport Layer Internet Layer Network Interface Layer Physical Network Application Layer Transport Layer Internet Layer Network Interface Layer HTTP Message TCP Packet IP Datagram Ethernet Frame

Web Browser Web Server

18

Protocol Hierarchies

• Protocols are stacked vertically as series of ‘layers’.

• Each layer offers services to layer above through an interface, shielding implementation details.

• Layer n on one machine communicates with layer n on another machine (they are peer

processes/entities) using Layer n Protocol. • The entire hierarchy is called a protocol stack

– e.g. the TCP/IP protocol stack

19

Layers, Protocols & Interfaces

Physical communications medium

Layer 1 Layer 1 protocol Layer 1

Layer 2 Layer 2 Layer 1/2 interface Layer 1/2 interface Layer 2 protocol Layer n protocol Layer n Layer n Layer 2/3 interface Layer n-1/n interface Layer 2/3 interface Layer n-1/n interface Layer n/n+1 interface Layer n/n+1 interface 20

Layer and Interface Design

• An important design objective is ‘clean’ interfaces, having minimal set of well-defined services.

• Use of protocol layering and clean-cut interfaces enables:

– easy replacement of individual layers

– designers and implementers to focus on solving one sub-problem at a time

– independent implementations of the same layer to inter-operate

– minimisation of inter-layer communications – diagnosis of faults, errors, congestion,…

21

Virtual & Actual Communications

• Important to understand difference between:

– virtual and actual communications, – protocols and interfaces.

• Peer processes ‘think’ of communications as being ‘horizontal’ using protocol.

• Actual communications is via interfaces (and the physical communications medium).

• Peer process idea is key to network design.

22

Protocol Layering – The Downside

• Protocol layering does not solve all networking problems!

• Some issues need to be addressed at many layers, e.g:

– need to address data (say who it’s for), – possible need for setting up connections, – data transfer rules (simplex, half-duplex, ...), – error management,

– deal with message component re-ordering, – flow control,

– routing.

• Layering can introduce inefficiencies.

23

Interlude: Historical Background

• Current networks (even telephony) are packet-based

– Davies (NPL, UK), Baran (RAND, US) 1960...1966 – ARPANET resulted from a proposal to interconnect

research computer facilities funded by DARPA (Roberts, 1967)

– Even during the first phase, ARPANET

interconnected heterogeneous computer systems – Survivability against thermonuclear attack was not a

priority – despite persistent legends

24

Network Types (1)

• Connection-oriented Networks

– Example: POTS system (at least before the transition to digital networks)

– Circuits are used exclusively for the duration of a connection

– Hierarchical addressing mechanism (prefix-free codes..)

• Vulnerability in case of component failure

– Intelligence is located in the network components – Edge devices are „dumb“

– Unsuitable for data traffic: Fluctuations in bandwidth requirements make dedicated channels inefficient

25

Network Types (2)

• Packet-based (Connectionless) Networks

– Data streams are disassembled into datagrams (packets)

– Packets are routed independently through the network

– Each node only needs to know about the „next hop“ – Optimizes the utilization of available bandwith – Intelligence is located in the edge device

• Connections can be simple point-to-point lines

26

Network Topologies (Baran, 1963)

27 First ARPANET Connection (Sep. ’69)

The ARPANET team at BBN

28

The First Network Interface “Card”

29

Structure of an NCP Datagram

30 Host/IMP-IMP/Host Communication

31 First Successful ARPANET Data Transmission

32

1.3 Internetworking and Routing

• No single networking technology can satisfy all requirements.

• Universal interconnection is desired.

• Protocols allow communication between nodes without understanding underlying mechanisms.

• Internetworking is the process by which a

group of disparate, heterogeneous networks can be linked to form a single logical network.

• The Internet is just such a collection

– Universal interconnection is achieved through use of coordination of IP addressing and use of IP protocol.

33

Routing

Web Server Web Browser Router Network A Network B

Routing is the mechanism used to transfer data

between networks to reach the correct destination.

In TCP/IP, routing takes place at the IP layer: routers are not aware of transport and application layers.

34

Protocol Layering and Routing

Application Layer Transport Layer Internet Layer NetworkInterface Physical Network Application Layer Transport Layer Internet Layer Network Interface HTTP Message TCP Packet Ethernet Frame Ethernet Frame IP Datagram IP Datagram Internet Layer Network Layer Physical Network Host B Host A Router 35

1.4 The OSI Reference Model

• OSI Reference Model – an internationally standardised network architecture.

• An abstract representation of an ideal network protocol stack; not used in real networks.

• OSI = Open Systems Interconnection.

• Specified in ISO 7498-1.

• Model has 7 layers (with some variants splitting layer 2 into sub-layers).

36

The OSI Model

Layer 7 Layer 6 Layer 5 Layer 4 Layer 3 Layer 2 Layer 1 Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer

37

Lower/Upper Layers

• Layers 1-4 often referred to as lower layers.

• Layers 5-7 are the upper layers.

• Lower layers relate more closely to the communications technology.

• Layers 1 – 3 manage the communications subnet.

– the entire set of communications nodes required to manage comms. between a pair of machines.

• Layers 4 – 7 are true ‘end-to-end’ protocols.

• Upper layers relate to application.

38

Layer 7: Application Layer

• Home to wide variety of protocols for specific user needs, e.g.:

– virtual terminal service, – file transfer,

– electronic mail, – directory services.

39

Layer 6: Presentation Layer

• Concerned with representation of transmitted data.

• Deals with different data representations.

– ASCII or EBCDIC,

– one’s complement or two’s complement, – byte ordering conventions,

– floating point conventions (IEEE or proprietary).

• Also deals with data compression

• Mostly a conceptual layer, typically these functions are subsumed by applications combining layer 6/7 functionality

40

Layer 5: Session Layer

• Allows establishment of sessions between machines, e.g. to

– allow remote logins – provide file transfer service.

• Responsible for:

– Dialogue control

• which entity sends when with half-duplex communications?

– Token management

• E.g. control which entity can perform an operation on shared data.

– Synchronization

41

Layer 4: Transport Layer

• Basic function is to take data from Session Layer, split it up into smaller units, and ensure that the units arrive correctly.

• Concerned with efficient provision of service.

– maybe multiple connections per session or multiple sessions per connection.

• The Transport Layer also determines the ‘type of service’ to provide to the Session Layer.

– most commonly, error-free, point-to-point, with guarantee of correct ordering of data.

– could be transport of isolated messages only (no ordering guarantees) or broadcast.

42

Layer 3: Network Layer

• Provides uniform addressing scheme for network addresses.

• Shields upper layers from details of lower layers.

• A key responsibility is control of routing.

• Routing can be based on:

– static tables,

– determined at start of session,

– highly dynamic (varying for each packet depending on network load).

• Also responsible for congestion control and usage monitoring.

43

Layer 2: Data Link Layer

• Provides reliable, error-free service on top of raw Layer 1 service.

– corrects errors at the ‘bit’ level.

• Breaks data into frames.

– requires creation of frame boundaries using special bit sequences.

• Frames used to manage errors via acknowledgements and selective frame retransmission.

44

Layer 1: Physical Layer

• Concerned with bit transmission over physical channel.

• Issues include:

– definition of 0/1, typically using more complex modulation schemes (OFDM/QFDM) encoding multiple bits in single transmission signals – whether channel simplex/duplex, – connector design.

45

Internet Protocols vs OSI

Application Presentation Session Transport Network Data Link Physical Application TCP IP Network Interface Hardware 1 2 3 4 5 1 2 3 4 6 5 7 46

Services in the OSI Model

• In OSI model, each layer provide services to layer above, and ‘consumes’ services provided by layer below.

• Active elements in a layer are called entities.

• Entities in same layer in different machines are called peer entities.

47

Services and Protocols

• ServiceSet of primitives provided by one layer

to layer above.

• Service defines what layer can do (but not how it does it).

• ProtocolSet of rules governing data

communication between peer entities, i.e. format and meaning of frames/packets.

• Service/protocol decoupling is very important for easing change and upgrade paths

– Protocols tend to be extremely long-lived, so adaptation should not require operation of multiple parallel revisions 48

Layering Principles

(n+1) Entity Service User (n) Entity Service Provider (n+1) Entity Service User (n) Entity Service Provider Layer n Service Access Point (SAP)

Layer n protocol

n+1 PDU

Layer n+1 protocol

SDU

PDU - Protocol Data Unit SDU - Service Data Unit

n PDU

49

Connections

• Layers can offer connection-oriented or connectionless services.

• Connection-oriented like telephone system.

• Connectionless like postal system.

– Not all applications need connections – In some applications (time-sensitive, or

point-multipoint protocols) connections are undesirable

• Each service has an associated Quality-of-service (e.g. reliable or unreliable).

50

Reliability Issues

• Reliable services never lose/corrupt data.

• Reliable service costs more

– Bandwidth, latency, storage,…

• Typical application for reliable service is file transfer.

• Typical application not needing reliable service is voice traffic

– The human auditory system is highly sensitive to jitter: Drop-outs of voice signals are tolerated much better than delayed and jittery signals

51

IC3 - Network Security

Lecture 1, Part 2

Introduction to Network Security

52 CINS/F1-01

Objectives of Lecture

• Understand why security should be a

fundamental consideration when designing and operating networks.

• Examine the primary enabling threats and

fundamental threats to security for networks. • Introduce security services and mechanisms,

and show how they can be used to counter threats.

• Study the provision of security services at different network layers in ISO7498-2.

53

Contents

1.5 Why network security? 1.6 Security policies for networks 1.7 Security threats for networks 1.8 Security services and mechanisms 1.9 Security services and layers

54

1.5 Why Network Security?

• Organisations and individuals are increasingly reliant on networks of all kinds for day-to-day operations:

– E-mail used in preference to letter, fax, telephone for many routine communications (and some where we ought to know better).

– B2B and C2B e-commerce still growing rapidly. – The Internet is a vast repository of information of all kinds:

competitors and their prices, stock markets, cheap flights,…. – Increased reliance on networks for supply chains of all kinds:

from supermarkets to aircraft components.

– Utility companies control plant operations (SCADA), banks move money, governments talk to citizens over networks. – Growth of mobile telephony for voice and data (GPRS/EDGE,

HSDPA, 3G services...)

55

Why Network Security?

• Networks are becoming increasingly inter-connected and their security consequently more complex:

– If I send sensitive data over my internal network, then who else can see it or even alter it? My employees? My competitors? – Can a hacker who gets into my internal network then obtain

access to other resources (computer accounts, stored data)? Can he use my network as a stepping-off point for further attacks? I am then liable?

– A compelling Internet presence is essential for my company, but if someone can see my website, can they alter (deface) it too?

– How can consumers trust that a given website is that of a reputable company and not one who will mis-use their credit card details?

• Phishing and Pharming activities, social engineering

56

Why Network Security?

• Safeguarding the confidentiality, integrity and

availability of data carried on these various networks is therefore essential.

• Authenticity and accountability are often also important: who did what and when?

• It’s not only about security of Internet-connected systems.

– Insider threats are often more potent than threats originating on the Internet.

• It’s not only about TCP/IP networks.

– Many networks use special-purpose protocols and architectures.

– However TCP/IP dominates in LANs and the Internet… and is increasingly used also in wildly inappropriate environments

57

1.6 Security Policies for Networks

• In this and the following sections, we follow the approach of ISO7498-2

– A companion document to ISO7498-1 (the seven layer model),

– Provides a useful overview of the security issues pertinent to networks,

– Equips us with a handy set of definitions to fix our terminology.

58

Security Policies for Networks

• In a secure system, the rules governing security behaviour should be made explicit in the form of an Information Security Policy.

• Security policy: ‘the set of criteria for the provision of security services’

– Essentially, a set of rules

– May be very high level or quite detailed, but typically does not include implementation details

• Security domain: the scope of application of a security policy.

– where, to what information and to whom the policy applies.

59

Security Policies for Networks

• A network security policy should interpret the overall Information Security Policy in the context of the networked environment:

• Defines what is the responsibility of the network and what is not.

• Describes what security is to be available from the network.

• Describes rules for using the network.

• Describes who is responsible for the management and security of the network.

60

Generic Security Policy

• A generic authorization policy (from ISO 7498-2):

‘Information may not be given to, accessed by, nor permitted to be inferred by, nor may any resource be used by, those not appropriately authorized.’

• Possible basis for more detailed policy: needs lots of refinement to produce final document:

– What information? – What resources?

– Who is authorized and for what? – What about availability?

61

The Security Life-Cycle

• A generic model for the security life-cycle, including network security issues, can include the following steps:

– Define security policy,

– Analyze security threats (according to policy) and associated risks, given existing safeguards, – Define security services to meet/reduce threats, in

order to bring risks down to acceptable levels, – Define security mechanisms to provide services, – Provide on-going management of security.

• Security policy in general will be covered in more detail in IC1.

62

1.7 Security Threats for Networks

• A threat is:

– a person, thing, event or idea which poses some danger to an asset (in terms of confidentiality, integrity, availability or legitimate use).

– a possible means by which a security policy may be breached.

• An attack is a realization of a threat.

• Safeguards are measures (e.g. controls,

procedures) to protect against threats.

• Vulnerabilities are weaknesses in safeguards.

63

Risk

• Risk is a measure of the cost of a vulnerability (taking into account probability of a successful attack).

• Risk analysis determines whether expenditure on new or better safeguards is warranted.

• Risk analysis can be quantitative or qualitative.

• Risk analysis will be covered in more detail in IC1.

64

Threats

Threats can be classified as:

• deliberate (e.g. hacker penetration);

• accidental (e.g. a sensitive file being sent to the

wrong address).

Deliberate threats can be further sub-divided:

• passive (e.g. monitoring, wire-tapping);

• active (e.g. changing the value of a financial

transaction).

• In general passive threats are easier to realise than active ones.

65

Fundamental Threats

• Four fundamental threats (matching four ‘standard’ security goals: confidentiality, integrity, availability, legitimate use):

– Information leakage, – Integrity violation, – Denial of service, – Illegitimate use.

(There are other ways to classify threats – some are application dependent: E.g. timeliness and trustworthiness)

66

Fundamental Threat Examples

• Information Leakage

– Prince Charles mobile phone calls, 1993.

• Integrity violation

– USA Today, falsified reports of missile attacks on Israel, 7/2002.

• Denial of service

– Hacks in 1999/2000 have turned into lucrative organized crime (blackmail) activity

– http://grc.com/dos/grcdos.htm

• Illegitimate use

– Cloning of first generation mobile phone identities. – Phone phreaking.

67

Primary Enabling Threats

• Realization of any of these primary enabling threats can lead directly to a realization of a fundamental threat: – Masquerade, – Bypassing controls, – Authorization violation, – Trojan horse, – Trapdoor.

• First three are penetration threats, last two are

planting threats.

68

Primary Enabling Threat Examples

• Masquerade

– Phishing attacks on on-line bank accounts – Illegitimate Use – Other OC activities, political smear campaigns, …

• Bypassing controls

– ADSL modem passwords, carding for cable/sat TV – Illegitimate Use

• Authorization violation

– Students running mp3 download site from University computers – Illegitimate Use

• Trojan horse

– PWSteal.Trojan, 1999 – Information Leakage

• Trapdoor

– Ken Thompson, Unix login – Reflections on Trusting Trust, 1975 - Illegitimate Use

69

1.8 Security Services and Mechanisms

• A security threat is a possible means by which a security policy may be breached (e.g. loss of integrity or confidentiality).

• A security service is a measure which can be put in place to address a threat (e.g. provision of confidentiality).

• A security mechanism is a means to provide a service (e.g. encryption, digital signature).

70

Security Service Classification

• Security services in ISO 7498-2 are a special class of safeguard applying to a communications environment. • Five main categories of security service:

– Authentication (including entity authentication and origin authentication),

– Access control, – Data confidentiality, – Data integrity, – Non-repudiation.

• Sixth category: “other” – includes physical security, personnel security, computer security, life-cycle controls,…

71

Authentication

• Entity authentication provides checking of a

claimed identity at a point in time.

• Typically used at start of a connection.

• Addresses masquerade and replay threats.

• Origin authentication provides verification of

source of data.

• Does not protect against replay or delay.

• Lots of examples in Lectures 4, 5 and 6 on

secure protocols.

72

Access Control

• Provides protection against unauthorized use of resource, including:

– use of a communications resource,

– reading, writing or deletion of an information resource,

– execution of a processing resource.

• Example: file permissions in Unix/NT file

73

Data Confidentiality

• Protection against unauthorized disclosure of information.

• Four types:

– Connection confidentiality, – Connectionless confidentiality, – Selective field confidentiality, – Traffic flow confidentiality.

• Example: encrypting routers as part of SWIFT funds transfer network.

– Does not protect against eavesdropping at end-points …

• Example: winnowing and chaffing

(http://theory.lcs.mit.edu/~rivest/chaffing.txt).

74

Data Integrity

• Provides protection against active threats to the validity of data.

• Five types:

– Connection integrity with recovery, – Connection integrity without recovery, – Selective field connection integrity, – Connectionless integrity,

– Selective field connectionless integrity.

• Example: MD5 hashes on software at

http://www.apache.org/dist/httpd/binaries/linux/

• Example: AH protocol in IPSec (Lecture 8/9).

75

Non-repudiation

• Protects against a sender of data denying that data was sent (non-repudiation of origin).

• Protects against a receiver of data denying that data was received (non-repudiation of delivery).

• Example: analogous to signing a letter and

sending via recorded delivery.

• Example: signatures in S/MIME secure e-mail

system (Lecture 5).

76

Security Mechanisms

• Exist to provide and support security services.

• Can be divided into two classes:

– Specific security mechanisms, used to provide specific security services, and

– Pervasive security mechanisms, not specific to particular services.

77

Specific Security Mechanisms

• Eight types:

– encipherment, – digital signature,

– access control mechanisms, – data integrity mechanisms, – authentication exchanges, – traffic padding, – routing control, – notarization. 78

Specific Mechanisms 1

• Encipherment mechanisms = encryption algorithms.

– Can provide data and traffic flow confidentiality. – Covered in detail in IC2

• Digital signature mechanisms

– signing procedure (private), – verification procedure (public).

– Can provide non-repudiation, origin authentication and data integrity services.

– Also addressed in detail in IC2

• Both can be basis of some authentication exchange mechanisms.

79

Specific Mechanisms 2

• Access Control mechanisms

– A server using client information to decide whether to grant access to resources

• E.g. access control lists, capabilities, security labels.

– A major topic in IC4

• Data integrity mechanisms

– Protection against modification of data.

• Provide data integrity and origin authentication services. Also basis of some authentication exchange mechanisms.

– Discussed further in IC2

• Authentication exchange mechanisms

– Provide entity authentication service. – Covered in detail in IC3 Lecture 4.

80

Specific Mechanisms 3

• Traffic padding mechanisms

– The addition of ‘chaff’ data to conceal real volumes and patterns of data traffic.

– Provides traffic flow confidentiality.

• Routing control mechanisms

– Used to prevent sensitive data using insecure channels. – E.g. route might be chosen to use only physically secure

network components.

• Notarization mechanisms

– Integrity, origin and/or destination of data can be guaranteed by using a 3rd party trusted notary.

81

Pervasive Security Mechanisms

• Five types identified:

– trusted functionality, – security labels, – event detection, – security audit trail, – security recovery.

82

Pervasive Mechanisms 1

• Trusted functionality

– Any functionality providing or accessing security mechanisms should be trustworthy.

– May involve combination of software and hardware.

• Security labels

– Any resource (e.g. stored data, processing power, communications bandwidth) may have security label associated with it to indicate security sensitivity. – Similarly labels may be associated with users.

Labels may need to be securely bound to transferred data.

83

Pervasive Mechanisms 2

• Event detection

– Includes detection of • attempted security violations, • legitimate security-related activity.

– Can be used to trigger event reporting (alarms), event logging, automated recovery.

• Security audit trail

– Log of past security-related events.

– Permits detection and investigation of past security breaches.

• Security recovery

– Includes mechanisms to handle requests to recover from security failures.

– May include immediate abort of operations, temporary invalidation of an entity, addition of entity to a blacklist.

84

Services Versus Mechanisms

• ISO 7498-2 indicates which mechanisms can be used to provide which services.

• Illustrative NOT definitive.

• Omissions include:

– use of integrity mechanisms to help provide authentication services,

– use of encipherment to help provide non-repudiation service (as part of notarization).

85

Service/Mechanism Table 1

Mechanism Service Enciph- erment Digital sign. Access Control Data integrity Entity authentication Y Y Origin authentication Y Y Access control Y Connection confidentiality Y Connectionless confidentiality Y

Selective field confidentiality Y

Traffic flow confidentiality Y

Connection integrity with recovery Y Y

Connection integrity without recovery Y Y

Selective field connection integrity Y Y

Connectionless integrity Y Y Y

Selective field connectionless integrity Y Y Y

Non-repudiation of origin Y Y Non-repudiation of delivery Y Y 86

Service/Mechanism Table 2

Mechanism Service Auth. exchange Traffic padding Routing Control Notaris- ation Entity authentication Y Origin authentication Access control Connection confidentiality Y Connectionless confidentiality Y Selective field confidentiality

Traffic flow confidentiality Y Y Connection integrity with recovery

Connection integrity without recovery Selective field connection integrity Connectionless integrity

Selective field connectionless integrity

Non-repudiation of origin Y Non-repudiation of delivery Y

87

1.9 Security Services And Layers

• ISO 7498-2 lays down which security services can be provided in which of the 7 layers.

• Layers 1 and 2 may only provide confidentiality services.

• Layers 3/4 may provide many services.

• Layer 7 may provide all services.

• A set of principles dictate which services can/should be provided at which layers.

• We’ll return to this issue in Lectures 8/9.

88

Service/Layer Table

Layer Service Layer 1 Layer 2 Layer 3 Layer 4 Layer 5/6 Layer 7 Entity authentication Y Y Y Origin authentication Y Y Y Access control Y Y Y Connection confidentiality Y Y Y Y Y Connectionless confidentiality Y Y Y Y Selective field confidentiality Y Traffic flow confidentiality Y Y Y Connection integrity with recovery Y Y Connection integrity without recovery Y Y Y Selective field connection integrity Y Connectionless integrity Y Y Y Selective field connectionless integrity Y Non-repudiation of origin Y Non-repudiation of delivery Y