7 layer security
8/8/2019 7 LAYER Security
1/17
7 LAYERS SECURITY
Security of the OSI Model
Santosh Baranwal, 11089E071, B.Tech I.T, 3rd Yr, Sec-B
9/30/2010
ISO - International Organization for Standardization
Multinational body dedicated to worldwide agreement on international standards
An ISO standard that covers all aspects of network communication is the OSI model
OSI - Open Systems Interconnection
OSI is a model and not a protocol
Vendor-specific protocols close off communication between unrelated systems
The purpose of the OSI model is to open communication between different systems without requiring changes to the logic of the underlying hardware and software
OSI Layers
The OSI model is built of seven ordered layers:
Layer-1: Physical
Layer-2: Data Link
Layer-3: Network
Layer-4: Transport
Layer-5: Session
Layer-6: Presentation
Layer-7: Application
The seven layers can be thought of as belonging to three subgroups
Network Support Layers (Layers 1-3)
Deal with the physical aspects of moving data from one device to another
User Support Layers (Layers 5-7)
Allow interoperability among unrelated software systems
Layer-4 (Transport) links the two groups and ensures end-to-end reliable data transmission
Layer-1 (Physical)
First of three network support layers
Concerned with the physical transmission of data bits; ensures that a bit entering at one end of the transmission medium reaches the other end
Deals with the mechanical and electrical specifications of the interface and transmission medium, e.g. optical, coax, RF, twisted pair
Defines the type of encoding, i.e. how 0s and 1s are changed into signals
Defines the data rate / transmission rate, i.e. the duration of a bit
Responsible for synchronisation of the sender and receiver clocks
Concerned with the connection of devices to the medium
Point-to-point configuration
Multipoint configuration
Physical topology
Mesh; Star; Ring; Bus
Transmission Mode
Simplex; Half-Duplex; Full-Duplex
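Manchester line coding, as an added example (not from the original slides) of how 0s and 1s are changed into signals and how the receiver recovers the sender's clock from the signal itself. The IEEE 802.3 transition convention (0 = high-to-low, 1 = low-to-high) is assumed here; the sample payload is constructed.

```python
# Added example: Manchester line coding (IEEE 802.3 convention assumed).
# Every bit carries a mid-bit transition, so the receiver can recover the
# sender's clock from the signal and detect a stuck or corrupted line.

# Each bit becomes two half-bit signal levels (1 = high, 0 = low).
HALF_BITS = {0: (1, 0), 1: (0, 1)}

def manchester_encode(bits):
    """Map each bit to its pair of half-bit levels."""
    levels = []
    for b in bits:
        levels.extend(HALF_BITS[b])
    return levels

def manchester_decode(levels):
    """Recover bits from half-bit levels.  A missing mid-bit transition means
    the line is stuck or the receiver is out of sync, so raise instead of
    silently returning wrong bits."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit samples: clock slip")
    bits = []
    for i in range(0, len(levels), 2):
        pair = (levels[i], levels[i + 1])
        if pair == (1, 0):
            bits.append(0)
        elif pair == (0, 1):
            bits.append(1)
        else:
            raise ValueError(f"no transition in bit {i // 2}: corrupted signal or loss of sync")
    return bits

def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def demo():
    payload = b"OK"                          # constructed sample data
    signal = manchester_encode(bytes_to_bits(payload))
    recovered = bits_to_bytes(manchester_decode(signal))
    # Force two equal half-bits (a stuck line) and confirm it is detected.
    damaged = signal[:]
    damaged[2] = damaged[3]
    try:
        manchester_decode(damaged)
        detected = False
    except ValueError:
        detected = True
    return recovered, len(signal), detected
```

The doubling of the signal rate (two half-bits per data bit) is the price paid for self-clocking; the decoder's refusal to guess on a missing transition is the behaviour a receiver relies on to notice loss of synchronisation rather than emit garbage.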
Security on (Physical Layer)
Physically secure and manage the cable plant
Wiring closets
WAN connections
CSU/DSU
Physically secure and control access to networking equipment
Routers
Hubs
Switches
Physically secure and control access to servers, mainframes
Provide redundant power and WAN connections
Layer-2 (Data Link)
Second of three network support layers
Divides the bit stream received from the network layer into manageable data units called frames
Transforms the physical layer into a reliable link by adding mechanisms to detect and retransmit damaged frames
Responsible for physical (MAC) addressing of the devices
Responsible for link-by-link flow control and error-free delivery of data
Responsible for media access control
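Framing with physical addressing and a frame check sequence, as an added example (not from the original slides) of the data link functions listed above: the stream is cut into frames, each carries destination and source MAC addresses, and a CRC-32 trailer lets the receiver detect a damaged frame and ask for retransmission. The frame layout, the MAC addresses and the sample stream are constructed for illustration.

```python
# Added example: an Ethernet-like frame with MAC addressing and a CRC-32 FCS.
# Layout (assumed for illustration): dst(6) | src(6) | length(2) | payload | FCS(4)
import struct
import zlib

MAX_PAYLOAD = 1500   # Ethernet MTU: how much of the stream goes into one frame

def build_frames(dst_mac: bytes, src_mac: bytes, stream: bytes):
    """Sender side: split the stream into frames and append an FCS to each."""
    frames = []
    for off in range(0, len(stream), MAX_PAYLOAD):
        chunk = stream[off:off + MAX_PAYLOAD]
        body = dst_mac + src_mac + struct.pack("!H", len(chunk)) + chunk
        fcs = struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)
        frames.append(body + fcs)
    return frames

def check_frame(frame: bytes, my_mac: bytes):
    """Receiver side: returns (accept, reason, payload).  The frame is dropped
    when it is truncated, fails the FCS check, or is addressed to another station."""
    if len(frame) < 6 + 6 + 2 + 4:
        return False, "runt frame", b""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        return False, "FCS mismatch: damaged frame, request retransmission", b""
    dst = body[:6]
    if dst != my_mac and dst != b"\xff" * 6:          # unicast to us or broadcast
        return False, "not addressed to this station", b""
    length = struct.unpack("!H", body[12:14])[0]
    payload = body[14:]
    if len(payload) != length:
        return False, "length field disagrees with payload", b""
    return True, "ok", payload

def demo():
    a = bytes.fromhex("020000000001")   # constructed locally administered MACs
    b = bytes.fromhex("020000000002")
    data = b"x" * 1600                  # constructed stream spanning two frames
    frames = build_frames(b, a, data)
    results = [check_frame(f, b) for f in frames]
    reassembled = b"".join(r[2] for r in results)
    # Flip one payload bit in the first frame: the FCS catches it.
    damaged = bytearray(frames[0])
    damaged[20] ^= 0x01
    return (len(frames),
            all(r[0] for r in results),
            reassembled == data,
            check_frame(bytes(damaged), b)[1])
```

The FCS check runs before the address check so that a corrupted destination field cannot cause a damaged frame to be accepted or misrouted. Note that a CRC detects accidental damage only; it offers no protection against a deliberately altered frame, which is why the security measures for this layer listed next sit on top of it.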
Security Framework on (Data Link Layer)
VPNs protecting the links between networks
Network Intrusion Detection Systems (NIDS) watching traffic for attacks
Host Intrusion Detection Systems (HIDS) protecting connections to critical servers/hosts
Virus scanning taking place on traffic coming in from outside the customer's network
Layer-3 (Network)
Concerned with getting packets from source to destination.
The network layer must know the topology of the subnet and choose appropriate paths through it.
When source and destination are in different networks, the network layer (IP) must deal with these differences.
* Key issue: what service does the network layer provide to the transport layer (connection-oriented or connectionless)?
* The Security Framework on (Network Layer)
* Firewall performing stateful inspection of incoming and outgoing packets
* Router Access Control Lists (ACLs) filtering packets bound between networks
* Virus scanning of attachments at the e-mail gateways
1. The services provided by the network layer should be independent of the subnet topology.
2. The transport layer should be shielded from the number, type and topology of the subnets present.
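Router ACLs and stateful inspection, the first two items of the network-layer security framework above, as an added example (not from the original slides). The ACL semantics assumed here are the usual router ones (rules evaluated top-down, first match wins, implicit deny at the end); the rule set, the address ranges and the packets are constructed for illustration.

```python
# Added example: an ACL filtering packets between networks, plus the stateful
# check a firewall adds on top: inbound packets are admitted only as replies to
# connections the inside opened, or where an explicit ACL entry permits them.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN without ACK: a new connection attempt

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed inside network

# (action, source net, destination net, protocol, destination port or None)
ACL = [
    ("deny",   "0.0.0.0/0",  "10.0.0.0/8",   "tcp", 23),    # no telnet inbound
    ("permit", "0.0.0.0/0",  "10.0.1.25/32", "tcp", 25),    # SMTP to the mail gateway
    ("permit", "10.0.0.0/8", "0.0.0.0/0",    "any", None),  # inside may initiate outbound
]

def acl_match(p: Packet) -> str:
    """Top-down, first-match evaluation with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    for action, src_net, dst_net, proto, dport in ACL:
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if proto != "any" and proto != p.proto:
            continue
        if dport is not None and dport != p.dport:
            continue
        return action
    return "deny"

class StatefulFilter:
    """Remembers flows the inside initiated so their replies are let back in."""
    def __init__(self):
        self.table = set()

    def process(self, p: Packet) -> str:
        if ipaddress.ip_address(p.src) in INSIDE:
            verdict = acl_match(p)
            if verdict == "permit":
                self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return verdict
        # Inbound: is this the return half of a tracked flow?
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.table and not p.syn:
            return "permit (established)"
        return acl_match(p)

def demo():
    fw = StatefulFilter()
    packets = [   # constructed traffic; 93.184.216.34 and 198.51.100.9 are documentation addresses
        Packet("10.0.5.7", "93.184.216.34", "tcp", 40000, 443, syn=True),   # inside -> web
        Packet("93.184.216.34", "10.0.5.7", "tcp", 443, 40000),             # the reply
        Packet("198.51.100.9", "10.0.5.7", "tcp", 4444, 40000, syn=True),   # unsolicited inbound
        Packet("198.51.100.9", "10.0.1.25", "tcp", 50000, 25, syn=True),    # mail to gateway
        Packet("198.51.100.9", "10.0.1.25", "tcp", 50000, 23, syn=True),    # telnet to gateway
    ]
    return [fw.process(p) for p in packets]
```

The difference between the two mechanisms is visible in the third packet: a stateless ACL would need a broad "permit established" hole (high ports inbound) to let web replies through, whereas the connection table admits only the exact reverse of a flow the inside started and still rejects an unsolicited SYN to the same port.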
Layer-4 (Transport)
Responsible for source-to-destination delivery of the entire message
Uses the service-point address (port address) for end-to-end delivery
The network layer gets each packet to the correct computer; the transport layer gets the entire message to the correct process
Responsible for segmenting a message into transmittable segments
At the destination the message is correctly reassembled
Security on (Transport Layer)
Developing a mechanism which enables the transport layer security (TLS) server to resume sessions and avoid keeping per-client session state. The TLS server encapsulates the session state into a ticket which is forwarded to the client for it to resume the session.
A ticket is defined as a cryptographically protected data structure that is created by a server and consumed by it to rebuild session-specific state.
The ticket is created by the TLS server and sent to the TLS client; when the TLS client wants to resume a session it presents the ticket to the TLS server. The ticket is distributed to the client using the NewSessionTicket TLS handshake message. This message is sent during the TLS handshake before the ChangeCipherSpec message, after the server has successfully verified the client's Finished message.
Diagram views
-
8/8/2019 7 LAYER Security
10/17
Expected Execution
It can be done on a single system where we open multiple child processes (clients); using the connection program we restrict one of the children from accessing the server, and then resume the connection using our mechanism.
Platform Usage: C, Linux
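The ticket mechanism described above and the expected execution (several child clients, one of them prevented from resuming), as an added example that is not the project's own code. The project targets C on Linux; this Python version is illustrative. It assumes an encrypt-then-MAC ticket built from HMAC-SHA256 (a keystream derived per ticket plus a MAC), rather than the AES-CBC with HMAC layout that RFC 5077 recommends, and the key name, IV and MAC sizes are choices made here.

```python
# Added example: a stateless TLS-style session ticket.  The server keeps only
# its ticket keys; the session state (master secret, cipher suite, client
# identity, creation time) travels inside the ticket, encrypted and MACed.
import hashlib
import hmac
import secrets
import struct
import time

class TicketServer:
    def __init__(self, lifetime=3600, clock=time.time):
        self.key_name = secrets.token_bytes(4)     # identifies which key made the ticket
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)
        self.lifetime = lifetime                   # seconds a ticket stays valid
        self.clock = clock

    def _keystream(self, iv, length):
        """Counter-mode keystream from HMAC-SHA256 (assumed construction)."""
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def new_session_ticket(self, master_secret: bytes, cipher_suite: int, client_id: bytes):
        """Payload for NewSessionTicket once the handshake has completed."""
        state = struct.pack("!dH", self.clock(), cipher_suite) + master_secret + client_id
        iv = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(state, self._keystream(iv, len(state))))
        body = self.key_name + iv + ct
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def resume(self, ticket: bytes):
        """Client presents the ticket: rebuild the session, or return None so
        the server falls back to a full handshake."""
        if len(ticket) < 4 + 16 + 32:
            return None
        body, mac = ticket[:-32], ticket[-32:]
        if body[:4] != self.key_name:
            return None                                   # unknown or rotated key
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None                                   # tampered ticket
        iv, ct = body[4:20], body[20:]
        state = bytes(a ^ b for a, b in zip(ct, self._keystream(iv, len(ct))))
        created, suite = struct.unpack("!dH", state[:10])
        if self.clock() - created > self.lifetime:
            return None                                   # expired
        return {"cipher_suite": suite, "master_secret": state[10:58], "client_id": state[58:]}

def demo():
    now = [1_700_000_000.0]                               # controllable clock
    server = TicketServer(lifetime=300, clock=lambda: now[0])
    ms1, ms2 = secrets.token_bytes(48), secrets.token_bytes(48)   # 48-byte TLS master secrets
    # Two child clients finish a full handshake and each receive a ticket.
    t1 = server.new_session_ticket(ms1, 0xC02F, b"client-1")
    t2 = server.new_session_ticket(ms2, 0xC02F, b"client-2")
    ok = server.resume(t1)
    # The second client's ticket is altered in transit: it cannot resume.
    bad = bytearray(t2)
    bad[25] ^= 0x01
    refused = server.resume(bytes(bad))
    # Past the lifetime even the good ticket is refused.
    now[0] += 301
    expired = server.resume(t1)
    return ok, refused, expired, ms1
```

Two checks a practitioner wants here: the MAC is compared with a constant-time comparison before anything is decrypted, so a forged ticket reveals nothing, and the ticket keys are the only secret the server holds, so they must be protected and rotated (the key name field is what lets a server accept tickets from the previous key during rotation), since anyone holding them can recover the master secret of every session issued under them.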
Layer-5 (Session)
First of the three user support layers
It is the network dialog controller
It establishes, maintains, and synchronises the interaction between communicating systems
It allows the communication between two processes to take place in either half-duplex or full-duplex mode
Allows a process to add checkpoints (synchronisation points) into a stream of data
The session layer defines how to start, control, and end conversations (called sessions). This includes the control and management of multiple bidirectional messages so that the application can be notified if only some of a series of messages are completed. This allows the presentation layer to have a seamless view of an incoming stream of data; in some cases the presentation layer is presented with data only once all flows have completed. For example, an automated teller machine transaction in which you withdraw cash from your checking account should not debit your account and then fail before handing you the cash, recording the transaction even though you did not receive the money. The session layer provides ways to indicate which flows are part of the same session and which flows must complete before any are considered complete.
Examples: RPC, SQL, NFS, NetBIOS names, AppleTalk ASP, DECnet SCP
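Synchronisation points in a data stream, as an added example (not from the original slides) of the checkpointing and "complete only when the whole group completes" behaviour described above. The message types, the receiver's bookkeeping and the flaky link are constructed for illustration and are not taken from any real session-layer protocol.

```python
# Added example: a session that inserts sync points into a stream.  The
# receiver treats data as complete only once a sync point confirms it, and
# after a link failure the sender resumes from the last confirmed sync point
# instead of restarting the whole transfer.

class Receiver:
    """Session peer: records are 'complete' only after a SYNC confirms them."""
    def __init__(self):
        self.committed = []    # records confirmed by a sync point
        self.pending = []      # records received since the last sync point

    def deliver(self, msg):
        kind, val = msg
        if kind == "DATA":
            self.pending.append(val)
        elif kind == "SYNC":                 # everything pending is now complete
            self.committed.extend(self.pending)
            self.pending = []
        elif kind == "RESYNC":               # sender restarted from sync point val
            self.pending = []
            del self.committed[val:]

class FlakyLink:
    """Constructed link that drops exactly once, on the Nth send, then recovers."""
    def __init__(self, receiver, fail_at=None):
        self.receiver = receiver
        self.fail_at = fail_at
        self.sent = 0

    def send(self, msg):
        self.sent += 1
        if self.sent == self.fail_at:
            raise ConnectionError("link dropped")
        self.receiver.deliver(msg)

class Session:
    def __init__(self, link, sync_every=3):
        self.link = link
        self.sync_every = sync_every
        self.confirmed = 0          # number of records covered by the last sync point

    def send_stream(self, records):
        """Send records with a SYNC every `sync_every` records and at the end.
        Returns how many records the peer has confirmed."""
        pos = self.confirmed
        while pos < len(records):
            try:
                self.link.send(("DATA", records[pos]))
                pos += 1
                if pos % self.sync_every == 0 or pos == len(records):
                    self.link.send(("SYNC", pos))
                    self.confirmed = pos
            except ConnectionError:
                pos = self.confirmed                 # roll back to the checkpoint, not to zero
                self.link.send(("RESYNC", pos))      # peer discards unconfirmed data
        return self.confirmed

def demo():
    rx = Receiver()
    link = FlakyLink(rx, fail_at=6)                 # the sixth message is lost
    records = [f"rec{i}" for i in range(7)]         # constructed stream
    confirmed = Session(link, sync_every=3).send_stream(records)
    return confirmed, rx.committed, link.sent
```

With the failure landing between the first and second sync points, only rec3 and rec4 are resent; the three records already confirmed are not. The same rule, nothing is complete until its sync point arrives, is what keeps the ATM example above from recording a debit whose cash hand-over never finished.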
Accounting, conversation control (who can talk when), and session parameter negotiation
Dialogue control and separation enable applications to communicate between the source and destination
Dialogue Control: two-way alternate communication
Communication partners take turns while sending messages to avoid interrupting each other.
For example: Internet Relay Chat (IRC)
Two-way simultaneous communication
Communication partners send each other whatever they want without waiting for turns.
Synchronization Problem
Network File System (NFS)
Structured Query Language (SQL)
Remote Procedure Call (RPC)
X-Window System
AppleTalk Session Protocol (ASP)
Digital Network Architecture Session Control Protocol (DNA SCP)
Layer-6 (Presentation)
Security on (Presentation Layer)
OS and application hardening at the system level
Conduct security health checking to determine if security policies for the types of applications allowed to run, password composition and length, services allowed on hosts, etc. are being followed
Provide vulnerability scanning to test the configuration of applications and systems, looking for vulnerabilities, missing patches, etc.
Conduct penetration tests to determine if machines can be exploited and privileged access gained
User account management on the network
User account management on individual systems
User account management for specific applications, RDBMS, etc.
Virus scanning and updates on individual machines and user desktops
Role- and rule-based access control (RBAC)
PKI and digital certificates
Layer-7 (Application)
Top of the three user support layers
Enables the user, human or software, to access the network
It provides user interfaces and support for services, e.g. electronic mail, remote file access and transfer, shared database management and other types of distributed information services
No headers or trailers are added by this layer
The application layer is the seventh level of the seven-layer OSI model. It is the highest layer of the OSI model.
The book and the course are organized and broken down by the OSI model!
Security of the application layer is critical.
Review the Guard the Application Layer document.
The security framework is the same as for the presentation layer.