7 layer security

Upload: santoshyavraj4

Post on 10-Apr-2018


TRANSCRIPT

  • 8/8/2019 7 LAYER Security

    1/17

    7 LAYERS SECURITY

    Security of the OSI Model

    Santosh Baranwal, 11089E071, B.Tech I.T. 3rd Yr, Sec-B

    9/30/2010


    ISO-International Standards Organisation

    Multinational body dedicated to worldwide agreement

    on international standards

    An ISO standard that covers all aspects of network

    communication is the OSI

    OSI-Open System Interconnection

    OSI is a model and not a protocol

    Vendor-specific protocols close off communication between unrelated systems

    The purpose of the OSI model is to open communication between

    different systems without requiring changes to the

    logic of the underlying hardware and software

    OSI Layers

    The OSI model is built of seven ordered layers:

    Layer-1: Physical

    Layer-2: Data Link

    Layer-3: Network

    Layer-4: Transport

    Layer-5: Session

    Layer-6: Presentation

    Layer-7: Application

    The seven layers can be thought of as belonging to three subgroups


    Network Support Layers (Layers 1-3)

    Deal with the physical aspects of moving data from

    one device to another

    User Support Layers (Layers 5-7)

    Allow interoperability among unrelated software

    systems

    Layer-4 ensures end to end reliable data transmission

    Layer-1 (Physical)

    First of three network support layers

    Concerned with physical transmission of data bits and

    ensures that a bit entering at one end of the transmission

    media reaches the other end

    Deals with the mechanical and electrical specifications of the

    interface and transmission medium e.g. Optical, coax, RF,

    twisted pair etc.

    Defines the type of encoding i.e. how 0s and 1s are changed

    to signals

    Defines data rate / transmission rate i.e. defines the duration

    of a bit

    Responsible for synchronisation of sender and the receiver

    clocks

    Concerned with the connection of the devices to the medium

    Point-to-point configuration

    Multipoint configuration

    Physical topology

    Mesh; Star; Ring; Bus


    Transmission Mode

    Simplex; Half-Duplex; Full-Duplex
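The slides say the physical layer "defines how 0s and 1s are changed to signals" and is "responsible for synchronisation of sender and receiver clocks". The following is an added example, not code from the slides, showing one way those two jobs are done together: Manchester line coding puts a transition in the middle of every bit period, so the receiver recovers the clock from the signal itself, whereas plain NRZ can run for an arbitrarily long time with no transition at all. The bit patterns and the IEEE 802.3 transition convention are the only assumptions.

```python
"""Physical-layer line coding: turning 0s and 1s into signal levels.

Added example, not code from the slides. It implements Manchester encoding
(IEEE 802.3 convention: a 0 bit is a high-to-low transition, a 1 bit is a
low-to-high transition) and a decoder that uses the guaranteed mid-bit
transition to stay in step with the sender's clock, and it contrasts that
with plain NRZ, where a long run of identical bits gives the receiver no
transitions to lock on to. All inputs are constructed test values.
"""

def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list; plain NRZ would put these levels on the wire as-is."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]

def bits_to_bytes(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)

def manchester_encode(bits: list) -> list:
    """Each bit becomes two half-bit levels: 0 -> high,low ; 1 -> low,high."""
    levels = []
    for b in bits:
        if b == 0:
            levels += [1, 0]
        elif b == 1:
            levels += [0, 1]
        else:
            raise ValueError("bits must be 0 or 1")
    return levels

def manchester_decode(levels: list) -> list:
    """Recover the bits. The transition in the middle of every bit period is
    the clock; a bit period with no transition means the receiver lost sync."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit samples")
    bits = []
    for i in range(0, len(levels), 2):
        pair = (levels[i], levels[i + 1])
        if pair == (1, 0):
            bits.append(0)
        elif pair == (0, 1):
            bits.append(1)
        else:
            raise ValueError(f"no mid-bit transition at sample {i}: clock lost")
    return bits

def longest_run(levels: list) -> int:
    """Longest stretch of samples with no level change, i.e. the longest time
    a receiver must free-run its clock without a transition to resync on."""
    if not levels:
        return 0
    best = run = 1
    for prev, cur in zip(levels, levels[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

if __name__ == "__main__":
    data = b"\x00\x00"          # constructed: worst case for NRZ, all zeros
    nrz = bytes_to_bits(data)
    man = manchester_encode(nrz)
    print("NRZ longest run without transition:", longest_run(nrz))
    print("Manchester longest run without transition:", longest_run(man))
    print("round trip ok:", bits_to_bytes(manchester_decode(man)) == data)
```

The price of the self-clocking signal is bandwidth: Manchester needs two signal changes per bit, which is why the data-rate bullet above (the duration of a bit) and the encoding bullet are decided together.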

    SECURITY ON (PHYSICAL LAYER)

    Physically secure and manage the cable plant

    Wiring closets

    WAN connections

    CSU/DSU

    Physically secure and control access to networking equipment

    Routers

    Hubs

    Switches

    Physically secure and control access to servers, mainframes

    Provide redundant power and WAN connections

    Layer-2 (Data Link)


    Second of three network support layers

    Divides the bit stream received from network layer into

    manageable data units called frames

    Transforms the physical layer into a reliable link by adding

    mechanisms to detect and retransmit damaged frames

    Responsible for physical addressing of the devices

    Responsible for link-by-link flow control and error free

    delivery of data

    Responsible for Media Access Control
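The bullets above describe framing, physical addressing and the detection of damaged frames. As an added example (not code from the slides), the block below cuts a byte stream from the network layer into frames carrying a destination address, a source address, a length and a CRC-32 frame check sequence, then shows the receiver discarding a frame hit by line noise and marking it for retransmission. The addresses and payloads are constructed values.

```python
"""Data-link framing with a frame check sequence (FCS).

Added example, not code from the slides. It cuts a byte stream handed down
from the network layer into frames (destination address, source address,
length, payload, CRC-32 FCS), and shows the receiver discarding a damaged
frame and asking for it again. zlib.crc32 uses the same polynomial as the
Ethernet FCS; the addresses and payloads are constructed values.
"""
import struct
import zlib

ADDR_LEN = 6          # physical (MAC-style) address length
MAX_PAYLOAD = 1500    # bytes of payload per frame
HEADER_LEN = ADDR_LEN * 2 + 2
FCS_LEN = 4

def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    if len(dst) != ADDR_LEN or len(src) != ADDR_LEN:
        raise ValueError("addresses must be 6 bytes")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame; segment it first")
    body = dst + src + struct.pack("!H", len(payload)) + payload
    fcs = struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs

def parse_frame(frame: bytes):
    """Return (dst, src, payload), or None if the frame is damaged."""
    if len(frame) < HEADER_LEN + FCS_LEN:
        return None
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        return None                     # FCS mismatch: discard, do not deliver
    dst, src = body[:ADDR_LEN], body[ADDR_LEN:2 * ADDR_LEN]
    (length,) = struct.unpack("!H", body[2 * ADDR_LEN:HEADER_LEN])
    payload = body[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        return None
    return dst, src, payload

def segment(stream: bytes, dst: bytes, src: bytes) -> list:
    """Divide the network layer's byte stream into manageable frames."""
    return [build_frame(dst, src, stream[i:i + MAX_PAYLOAD])
            for i in range(0, len(stream), MAX_PAYLOAD)]

def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate line noise by flipping one bit of a frame."""
    damaged = bytearray(frame)
    damaged[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(damaged)

def receive(frames: list):
    """Receiver side: deliver good frames in order, list the ones to retransmit."""
    delivered, retransmit = [], []
    for index, frame in enumerate(frames):
        parsed = parse_frame(frame)
        if parsed is None:
            retransmit.append(index)
        else:
            delivered.append(parsed[2])
    return b"".join(delivered), retransmit

if __name__ == "__main__":
    dst = bytes.fromhex("0a0b0c0d0e0f")      # constructed addresses
    src = bytes.fromhex("0a0b0c0d0e10")
    frames = segment(bytes(range(256)) * 10, dst, src)
    frames[1] = flip_bit(frames[1], 200)    # noise hits the second frame
    data, again = receive(frames)
    print(f"{len(data)} bytes delivered, retransmit frames {again}")
```

The FCS catches accidental damage only: anyone who can rewrite the frame can recompute the CRC, so it is not a security control. That gap is what the link-level measures in the next slide (VPNs on the links, intrusion detection on the traffic) are there to cover.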

    Security Framework on (Data Link Layer)

    VPNs protecting the links between networks

    Network Intrusion Detection Systems (NIDS)

    watching traffic for attacks

    Host Intrusion Detection Systems (HIDS) protecting

    connections to critical servers/hosts

    Virus scanning taking place on traffic coming in

    from outside the customer's network.

    Layer-3 (Network)

    Concerned with getting packets from source to

    destination.


    The network layer must know the topology of the subnet

    and choose appropriate paths through it.

    When source and destination are in different networks, the

    network layer (IP) must deal with these differences.

    * Key issue: what service does the network layer provide

    to the transport layer(connection-oriented or

    connectionless).

    The Security Framework on (Network Layer)

    * Firewall performing stateful inspection of incoming and

    outgoing packets

    * Router Access Control Lists (ACLs) filtering packets bound

    between networks

    * Virus scanning of attachments at the e-mail gateways

    1. The services provided by the network layer should be

    independent of the subnet topology.


    2. The Transport Layer should be shielded from the number,

    type and topology of the subnets present.
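The network-layer security framework above lists router ACLs filtering packets between networks and a firewall doing stateful inspection. The following added example (not code from the slides) shows both: an ordered ACL evaluated with first-match-wins and an implicit deny at the end, as routers do, and a small stateful firewall that admits return traffic only for connections an internal host opened. The address ranges, ports and rules are a constructed policy.

```python
"""Router ACLs and stateful inspection at the network layer.

Added example, not code from the slides. An ordered ACL is evaluated first
match wins with an implicit deny at the end (the usual router semantics), and
a small stateful firewall lets return traffic in only when an internal host
started the connection. The network addresses, ports and rules are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # protocol name or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return self.dport is None or self.dport == pkt.dport

# Inbound ACL on the internet-facing interface (constructed policy).
INBOUND_ACL = [
    Rule("deny", "any", "10.0.0.0/8", "any"),            # anti-spoofing: internal source seen from outside
    Rule("permit", "tcp", "any", "10.0.1.25/32", 25),    # mail gateway
    Rule("permit", "tcp", "any", "10.0.1.80/32", 443),   # public web server
]

def evaluate(acl: list, pkt: Packet):
    """First matching rule wins; returns (action, rule index) or ("deny", -1)."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", -1      # implicit deny at the end of every ACL

class StatefulFirewall:
    """Tracks connections opened from inside so replies get back without an
    inbound permit rule for every internal client."""
    def __init__(self, inbound_acl: list):
        self.acl = inbound_acl
        self.connections = set()

    def outbound(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) not in INTERNAL:
            return "deny"
        self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.connections:
            return "permit-established"     # reply to a connection we opened
        action, _ = evaluate(self.acl, pkt)
        return action

if __name__ == "__main__":
    fw = StatefulFirewall(INBOUND_ACL)
    print(fw.outbound(Packet("10.0.5.7", "203.0.113.5", "tcp", 51000, 443)))
    print(fw.inbound(Packet("203.0.113.5", "10.0.5.7", "tcp", 443, 51000)))
    print(evaluate(INBOUND_ACL, Packet("10.0.9.9", "10.0.1.25", "tcp", 40000, 25)))
```

Rule order matters: the anti-spoofing deny sits first so that a packet arriving from outside with an internal source address is dropped before any permit can match it. The stateful table is what a stateless ACL cannot express: the reply from the web server is admitted only because the matching outbound entry exists.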

    Layer-4 (Transport)

    Responsible for Source-to-Destination delivery of the

    entire message

    Uses service-point address (port address) for end-to-end

    delivery

    Network layer gets each packet to correct computer,

    transport layer gets the entire message to the correct

    process

    Responsible for segmenting a message into transmittable

    segments

    At the destination the message is correctly reassembled


    Security on (Transport Layer)

    Developing a mechanism which enables the

    transport layer security server to resume

    sessions and avoid keeping per client session

    state. The TLS server encapsulates the session

    state into a ticket which is forwarded to the

    client for it to resume the session.

    A TICKET is defined as a cryptographically

    protected data structure that is created by a

    server and consumed by it to rebuild session-specific state.

    The ticket is created by the TLS server and sent

    to the TLS client. When the TLS client wants to

    resume a session it presents the ticket to the TLS

    server. The ticket is distributed to the client

    using the NewSessionTicket TLS handshake message. This message is sent during the TLS

    handshake before the ChangeCipherSpec

    message, after the server has successfully

    verified the client's Finished message.

    Diagram views


    Expected Execution

    It can be done using a single system where we open

    multiple child processes (clients); using the connection

    program we restrict one of the children from

    accessing the server and then resume the

    connection using our mechanism.

    Platform Usage: C, Linux
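The slides define a ticket as a cryptographically protected structure that the server creates and later consumes to rebuild session state, so that it keeps no per-client state itself. The block below is an added example, not code from the slides and not the C/Linux project they describe, written in Python to show the shape of that mechanism: the server serialises the session state, encrypts and authenticates it under keys only it holds, hands the opaque ticket to the client, and on resumption rejects anything modified, expired, or issued under a key it has since rotated. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a standard-library stand-in for the AEAD a real TLS server would use; the session state values are constructed.

```python
"""Session tickets: server state moved into an encrypted, authenticated blob.

Added example, not code from the slides and not the C/Linux project they
describe. It models what a TLS server does with NewSessionTicket: serialise
the session state, encrypt and authenticate it under keys only the server
holds, and hand it to the client, which returns it opaquely to resume. The
cipher is a counter-mode keystream from HMAC-SHA256 with an encrypt-then-MAC
tag, a standard-library stand-in for the AEAD (AES-GCM or similar) a real
server would use. Session state values are constructed.
"""
import hashlib
import hmac
import json
import os
import struct
import time

TICKET_LIFETIME = 3600      # seconds a ticket stays valid
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))

class TicketServer:
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock, for testing expiry
        self.rotate_keys()

    def rotate_keys(self):
        """Fresh ticket keys; every ticket issued under the old keys stops working."""
        self.enc_key = os.urandom(32)
        self.mac_key = os.urandom(32)

    def issue(self, session_state: dict) -> bytes:
        """Build the ticket carried in the NewSessionTicket message."""
        state = dict(session_state, issued=int(self.now()))
        plaintext = json.dumps(state, sort_keys=True).encode()
        nonce = os.urandom(NONCE_LEN)
        body = nonce + _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return body + tag

    def resume(self, ticket: bytes):
        """Rebuild the session state, or return None to force a full handshake."""
        if len(ticket) < NONCE_LEN + TAG_LEN:
            return None
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                             # forged, modified, or old key
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        plaintext = _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))
        try:
            state = json.loads(plaintext)
        except ValueError:
            return None
        if self.now() - state.get("issued", 0) > TICKET_LIFETIME:
            return None                             # expired
        return state

if __name__ == "__main__":
    server = TicketServer()
    ticket = server.issue({"cipher_suite": "TLS_AES_128_GCM_SHA256",   # constructed state
                           "master_secret": os.urandom(8).hex()})
    print("resumed:", server.resume(ticket) is not None)
    forged = bytearray(ticket)
    forged[NONCE_LEN + 3] ^= 0x01
    print("tampered ticket accepted:", server.resume(bytes(forged)) is not None)
```

Because the ticket carries the session secrets, the ticket key becomes the thing that protects every resumed session; rotating it (rotate_keys above) bounds how long a leaked key is useful, at the cost of forcing full handshakes for tickets issued before the rotation.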

    Layer-5 (Session)


    First of the three user support layers

    It is the network dialog controller

    It establishes, maintains, and synchronises the interaction

    between communicating systems

    It allows the communication between two processes to

    take place either in half-duplex or full-duplex

    Allows a process to add checkpoints (synchronisation points)

    into a stream of data

    The session layer defines how to start, control, and end

    conversations (called sessions). This includes the control

    and management of multiple bidirectional messages so

    that the application can be notified if only some of a series

    of messages are completed. This allows the presentation

    layer to have a seamless view of an incoming stream of

    data. In some cases the presentation layer should only be handed

    the data once all of the flows have completed. For example, an automated teller machine transaction in which you withdraw cash

    from your checking account should not debit your account,

    and then fail, before handing you the cash, recording the

    transaction even though you did not receive money. The

    session layer creates ways to imply which flows are part of

    the same session and which flows must complete before

    any are considered complete.

    RPC, SQL, NFS,

    NetBIOS names,

    AppleTalk ASP, DECnet

    SCP
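The paragraph above makes two points: a process can add checkpoints (synchronisation points) into a stream so that a failed transfer resumes rather than restarts, and some flows, like the debit and the cash dispense of the ATM example, must complete together or not at all. The block below is an added example, not code from the slides, modelling both with a constructed record stream, a link that fails on a chosen send, and a constructed account.

```python
"""Session-layer synchronisation points and all-or-nothing dialogue units.

Added example, not code from the slides. A Session sends a stream of
sequenced records and confirms a sync point every few records; after a link
failure the sender resumes from the last confirmed sync point instead of the
beginning, and the receiver drops any record it already has. The second part
models the slides' cash-machine example: debit and dispense form one unit,
and the debit is reversed if the dispense fails. Records, the failing link
and the account are constructed.
"""

class LinkFailure(Exception):
    """Raised by the link when a record could not be delivered."""

class Receiver:
    def __init__(self):
        self.records = []
        self.last_seq = -1

    def accept(self, record):
        seq, payload = record
        if seq <= self.last_seq:
            return                 # duplicate re-sent after resync, ignore
        self.records.append(payload)
        self.last_seq = seq

class FlakyLink:
    """Delivers records to a receiver but fails on the given send numbers."""
    def __init__(self, receiver, fail_at):
        self.receiver = receiver
        self.fail_at = set(fail_at)
        self.sends = 0

    def send(self, record):
        self.sends += 1
        if self.sends in self.fail_at:
            raise LinkFailure(f"send {self.sends} lost")
        self.receiver.accept(record)

class Session:
    """Sender side: records are (seq, payload); a sync point is confirmed
    every `sync_every` records and is where a resumed transfer restarts."""
    def __init__(self, payloads, sync_every):
        self.records = list(enumerate(payloads))
        self.sync_every = sync_every
        self.confirmed = 0         # index of the next record after the last sync point

    def transfer(self, link) -> bool:
        i = self.confirmed         # resume here, not from zero
        try:
            while i < len(self.records):
                link.send(self.records[i])
                i += 1
                if i % self.sync_every == 0:
                    self.confirmed = i        # peer acknowledged this sync point
        except LinkFailure:
            return False
        self.confirmed = i
        return True

class Account:
    def __init__(self, balance):
        self.balance = balance

def withdraw(account, amount, dispense) -> str:
    """Debit and dispense as one dialogue unit: neither counts unless both do."""
    if amount > account.balance:
        return "insufficient funds"
    account.balance -= amount
    try:
        dispense(amount)
    except Exception:
        account.balance += amount      # compensate: no cash, so no debit
        return "dispense failed, debit reversed"
    return "ok"

if __name__ == "__main__":
    rx = Receiver()
    link = FlakyLink(rx, fail_at={8})                     # the 8th send is lost
    session = Session([f"rec{i}" for i in range(10)], sync_every=3)
    print("first attempt ok:", session.transfer(link), "resume from", session.confirmed)
    print("second attempt ok:", session.transfer(link), "received", len(rx.records))
    acct = Account(100)
    def jammed(amount):
        raise RuntimeError("dispenser jam")
    print(withdraw(acct, 40, jammed), "balance", acct.balance)
```

The receiver's duplicate check is the other half of the mechanism: resuming from the last sync point re-sends any records that arrived after it, so the receiver must recognise and drop them rather than deliver them twice.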


    Accounting, conversation control

    who can talk when, and session parameter

    negotiation.

    Dialogue control and separation

    enable applications to communicate between the

    source and destination

    Dialogue Control

    Two-way alternate communication

    Communication partners take turns while

    sending messages to avoid interrupting each

    other.

    For example; Internet Relay Chat (IRC)


    Two-way simultaneous communication

    Communication partners send each other

    whatever they want without waiting turns.

    Synchronization Problem

    Network File System (NFS)

    Structured Query Language (SQL)

    Remote Procedure Call (RPC)

    X-Window System

    AppleTalk Session Protocol (ASP)

    Digital Network Architecture Session Control Protocol (DNA

    SCP)


    Security on (Presentation Layer)

    OS and application hardening at the system level

    Conduct security health checking to determine if security

    policies for the types of applications allowed to run, password

    composition and length, services allowed on hosts, etc. are being followed

    Provide vulnerability scanning to test the configuration of

    applications and systems, looking for vulnerabilities,

    missing patches, etc.

    Conduct penetration tests to determine if machines can be

    exploited and privileged access gained

    User account management on the network

    User account management on individual systems

    User account management for specific applications,

    RDBMS, etc.

    Virus scanning and updates on individual machines and

    user desktops

    Role & Rules Based Access Control (RBAC)

    PKI and digital certificates
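The list above calls for security health checking against policies on password composition and length, the services allowed on hosts and the applications allowed to run, and for scanning that finds missing patches. The block below is an added example, not code from the slides, of such a check run over a constructed host inventory: each host is compared with a policy and the findings are returned per host so that non-compliant machines can be listed. The policy values, patch identifiers and host records are all constructed placeholders.

```python
"""Security health check over a host inventory.

Added example, not code from the slides. It checks each host against a
policy for password composition and length, the services allowed on hosts,
the applications allowed to run and missing patches, and returns the findings
per host. The policy, patch identifiers and host records are constructed.
"""
import string

POLICY = {
    "min_password_length": 12,
    "min_password_classes": 3,              # of: upper, lower, digit, symbol
    "allowed_services": {"sshd", "https", "ntpd"},
    "allowed_apps": {"nginx", "postgresql", "openssh"},
    "required_patches": {"PATCH-0001", "PATCH-0002"},   # placeholder ids
}

def password_classes(password: str) -> int:
    """Count the character classes present: upper, lower, digit, symbol."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)

def password_meets_policy(password: str, policy=POLICY) -> bool:
    return (len(password) >= policy["min_password_length"]
            and password_classes(password) >= policy["min_password_classes"])

def check_host(host: dict, policy=POLICY) -> list:
    """Return a list of (check, detail) findings; an empty list means compliant."""
    findings = []
    settings = host["password_policy"]
    if settings["min_length"] < policy["min_password_length"]:
        findings.append(("password-length",
                         f"minimum length {settings['min_length']} < {policy['min_password_length']}"))
    if settings["min_classes"] < policy["min_password_classes"]:
        findings.append(("password-composition",
                         f"requires {settings['min_classes']} classes, policy wants "
                         f"{policy['min_password_classes']}"))
    for service in sorted(set(host["services"]) - policy["allowed_services"]):
        findings.append(("service-not-allowed", service))
    for app in sorted(set(host["apps"]) - policy["allowed_apps"]):
        findings.append(("app-not-allowed", app))
    for patch in sorted(policy["required_patches"] - set(host["patches"])):
        findings.append(("missing-patch", patch))
    return findings

def health_report(hosts: list, policy=POLICY) -> dict:
    return {host["name"]: check_host(host, policy) for host in hosts}

def noncompliant_hosts(report: dict) -> list:
    return sorted(name for name, findings in report.items() if findings)

# Constructed inventory, shaped like what a configuration scanner collects.
HOSTS = [
    {"name": "web01", "password_policy": {"min_length": 14, "min_classes": 3},
     "services": ["sshd", "https"], "apps": ["nginx", "openssh"],
     "patches": ["PATCH-0001", "PATCH-0002"]},
    {"name": "db01", "password_policy": {"min_length": 8, "min_classes": 1},
     "services": ["sshd", "telnetd"], "apps": ["postgresql", "openssh", "legacy-agent"],
     "patches": ["PATCH-0001"]},
]

if __name__ == "__main__":
    report = health_report(HOSTS)
    for name, findings in report.items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for check, detail in findings:
            print(f"  {check}: {detail}")
    print("non-compliant:", noncompliant_hosts(report))
```

A check like this only confirms that the configured policy is being followed; it is the vulnerability scanning and penetration testing named alongside it that test whether the configuration actually holds up.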

    Layer-7 (Application)

    Top of the three user support layers

    Enables the user, human or software, to access the network

    It provides user interfaces and support for services e.g.

    electronic mail, remote file access and transfer, shared

    database management and other types of distributed

    information services

    No headers or trailers are added by this layer


    The application layer is the seventh level of the seven-layer OSI model. It is the highest layer of the OSI model.

    The book and the course are organized and broken down

    by the OSI model!

    Security of the application layer is critical.

    Review the Guard the Application Layer

    document.

    The security framework is the same as for the presentation

    layer.
