security of the information and the technoogy
researchai1
14 views
20 slides
Oct 05, 2024
Slide 1 of 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
About This Presentation
Seciruty
Slide Content
Copyright: a. umar
Wireless Security
• Security principles
•Special issues in wireless security
•Security issues unique to 802.11,
satellites, cellular networks, WAP, etc.
•Security methodology
Amjad Umar
Wireless Security
• Security principles
•Special issues in wireless security
•Security issues unique to 802.11,
satellites, cellular networks, WAP, etc.
•Security methodology
Amjad Umar
Copyright: a. umar
Wireless Security Example
Wireless LAN
Cell
Wireless LAN
Cell
Wireless LAN
Cell
Centrex
Router
and
Firewall
Link to
Public Internet
T1
or
DSL
X
Y Z
LAN Server
Fast Ethernet
LAN(Backbone)
1. No physical net security
(server ID/PW)
2. No physical net security
(server ID/PW + encryption)
3. Physical net security
(optional
server ID/PW + encryption)
A
B
C D
Wired Ethernet
LAN
Wireless Security Example
Wireless LAN
Cell
Wireless LAN
Cell
Wireless LAN
Cell
Centrex
Router
and
Firewall
Link to
Public Internet
T1
or
DSL
X
Y Z
LAN Server
Fast Ethernet
LAN(Backbone)
1. No physical net security
(server ID/PW)
2. No physical net security
(server ID/PW + encryption)
3. Physical net security
(optional
server ID/PW + encryption)
A
B
C D
Wired Ethernet
LAN
Copyright: a. umar
•Enterprises need to protect corporate IT and physical assets to
–respond to external factors
–organizational requirements.
•An architectural view is needed that
–Shows how the various corporate assets can be protected
–Uses a combination of technical and organizational approaches.
•A framework is needed to review security at the following levels:
–- corporate networks (wired plus wireless)
–- interconnectivity services, commonly known as middleware
–- distributed applications
•For each level, the areas of vulnerabilities should be identified in
terms of use and immaturity of security solutions.
•Tradeoffs between security and system availability need to be
addressed
General Security Issues
•Enterprises need to protect corporate IT and physical assets to
–respond to external factors
–organizational requirements.
•An architectural view is needed that
–Shows how the various corporate assets can be protected
–Uses a combination of technical and organizational approaches.
•A framework is needed to review security at the following levels:
–- corporate networks (wired plus wireless)
–- interconnectivity services, commonly known as middleware
–- distributed applications
•For each level, the areas of vulnerabilities should be identified in
terms of use and immaturity of security solutions.
•Tradeoffs between security and system availability need to be
addressed
General Security Issues
Copyright: a. umar
Security Architecture
Security
Solutions
External Factors
•Intruder/attacker/assault Threats
•Privacy and confidentialty laws
•Consumer/customer attitudes
Organizational Requirements
•Survivability and Tolerance
•Requirements
•QoS Requiremensts
•Budgettary and policy restrictions
IT Assets
•Applications and automated services
•Databases, files
•Computing platforms
•Middleware (e.g., web servers)
•Networks (hardware, routing software)
Latest Security Technologies
•Cryptographic techniques
•Managing digital certificates and PKI
•Secure payment systems
•Significant research developments
Physical Assets
•Humans
•Buildings
•Other corporate assets
(e.g., planes, trains, and
automobiles)
Security Architecture
Security
Solutions
External Factors
•Intruder/attacker/assault Threats
•Privacy and confidentialty laws
•Consumer/customer attitudes
Organizational Requirements
•Survivability and Tolerance
•Requirements
•QoS Requiremensts
•Budgettary and policy restrictions
IT Assets
•Applications and automated services
•Databases, files
•Computing platforms
•Middleware (e.g., web servers)
•Networks (hardware, routing software)
Latest Security Technologies
•Cryptographic techniques
•Managing digital certificates and PKI
•Secure payment systems
•Significant research developments
Physical Assets
•Humans
•Buildings
•Other corporate assets
(e.g., planes, trains, and
automobiles)
Copyright: a. umar
Wireless security Issues
•Several security concerns at all layers
–Wireless networks (cellular, wi-fi, adhoc, satellite)
–Wireless platforms (Mobile IP, WAP, I-Mode, Wireless Java, Mobile
Web services)
– Mobile applications (holding digital certificates in handsets)
•Too many issues needing attention
–Cellular security (location services)
–Satellite security (GAO report)
–Mobile adhoc network security
–Wireless platform security (WAP, BREW)
–M-application security (handset certificates)
•An architecture approach is needed – a solution that considers
tradeoffs and works within constraints and limitations
Wireless security Issues
•Several security concerns at all layers
–Wireless networks (cellular, wi-fi, adhoc, satellite)
–Wireless platforms (Mobile IP, WAP, I-Mode, Wireless Java, Mobile
Web services)
– Mobile applications (holding digital certificates in handsets)
•Too many issues needing attention
–Cellular security (location services)
–Satellite security (GAO report)
–Mobile adhoc network security
–Wireless platform security (WAP, BREW)
–M-application security (handset certificates)
•An architecture approach is needed – a solution that considers
tradeoffs and works within constraints and limitations
Copyright: a. umar
Different Views: User View (PIA4)
Privacy
assure privacy of information (i.e., no one other than the authorized people can see the information) in
storage or transmission
Integrity
the integrity of information (i.e., no unauthorized modification)
Authentication:
identify for certain who is communicating with you
Authorization (Access control):
determine what access rights that person has).
Accountability (Auditing): .
assure that you can tell who did what when and convince yourself that the system keeps its security
promises.
Includes non-repudiation (NR) -- the ability to provide proof of the origin or delivery of data.
NR protects the sender against a false denial by the recipient that the data has been received. Also
protects the recipient against false denial by the sender that the data has been sent..
a receiver cannot say that he/she never received the data or the sender cannot say that he/she never
sent any data
Availability: access to system when a user needs it
Different Views: User View (PIA4)
Privacy
assure privacy of information (i.e., no one other than the authorized people can see the information) in
storage or transmission
Integrity
the integrity of information (i.e., no unauthorized modification)
Authentication:
identify for certain who is communicating with you
Authorization (Access control):
determine what access rights that person has).
Accountability (Auditing): .
assure that you can tell who did what when and convince yourself that the system keeps its security
promises.
Includes non-repudiation (NR) -- the ability to provide proof of the origin or delivery of data.
NR protects the sender against a false denial by the recipient that the data has been received. Also
protects the recipient against false denial by the sender that the data has been sent..
a receiver cannot say that he/she never received the data or the sender cannot say that he/she never
sent any data
Availability: access to system when a user needs it
Copyright: a. umar
Additional views
•Hacking versus Assaults:
–Hackers – “ankle biters”
–Assault – aim is destruction
–Higher level of protection is needed for assaults
•Intrusion tolerance versus security
–Security generally means “protected” from malicious entities
–Intrusions may be due to malicious or natural events
–Intrusion tolerance combines fault tolerance
–Fault tolerance achieved through replication
–Security achieved through reducing replication
–How to resolve tradeoffs
•Information assurance versus security
–Security concentrates on protection
–Information assurance (IA) deals with how to recover from breaches
–IA includes security plus backup/recovery, disaster recovery, contingency planning
•Auditing: Verify against policies and procedures
Additional views
•Hacking versus Assaults:
–Hackers – “ankle biters”
–Assault – aim is destruction
–Higher level of protection is needed for assaults
•Intrusion tolerance versus security
–Security generally means “protected” from malicious entities
–Intrusions may be due to malicious or natural events
–Intrusion tolerance combines fault tolerance
–Fault tolerance achieved through replication
–Security achieved through reducing replication
–How to resolve tradeoffs
•Information assurance versus security
–Security concentrates on protection
–Information assurance (IA) deals with how to recover from breaches
–IA includes security plus backup/recovery, disaster recovery, contingency planning
•Auditing: Verify against policies and procedures
Copyright: a. umar
Sample Wireless Security Technologies
Applications
Middleware
Wireless
Link
•802.11 security (WEP)
•Cellular network security
•Satellite link security
•WLL and cordless link security
•SSL and TLS
•WAP security (WTLS)
•Web security (HTTPS, PICS, HTTP Headers)
•Proxy server security
•SET for transaction security
•S/MIME and PGP for secure email
•Java security (sandboxes)
•Database security
TCP/IP
•IPSEC and wirless VPN
•Mobile IP
Can use
higher level
services to
compensate
for lower layers
Tradeoffs in
performance
and security
Sample Wireless Security Technologies
Applications
Middleware
Wireless
Link
•802.11 security (WEP)
•Cellular network security
•Satellite link security
•WLL and cordless link security
•SSL and TLS
•WAP security (WTLS)
•Web security (HTTPS, PICS, HTTP Headers)
•Proxy server security
•SET for transaction security
•S/MIME and PGP for secure email
•Java security (sandboxes)
•Database security
TCP/IP
•IPSEC and wirless VPN
•Mobile IP
Can use
higher level
services to
compensate
for lower layers
Tradeoffs in
performance
and security
Copyright: a. umar
Physical Network (layer1 –2)
TelnetFTPSMTPHTTP
TCP /IP
TelnetFTPSMTPHTTP
IPsec (VPN)
Physical network
TCP /IP
SMTP
HTTP
Physical network
PGPS/MIME
SSL
a) Physical Network Level Security
(encryption at physical network level)
b) Transport Level Security
(encryption at IP level)
c) Higher Level Security
(encryption at SSL or application level)
Security Tradeoffs
A2A1A3A3
Legend: Darker areas indicate
security (say encryption)
Physical Network (layer1 –2)
TelnetFTPSMTPHTTP
TCP /IP
TelnetFTPSMTPHTTP
IPsec (VPN)
Physical network
TCP /IP
SMTP
HTTP
Physical network
PGPS/MIME
SSL
a) Physical Network Level Security
(encryption at physical network level)
b) Transport Level Security
(encryption at IP level)
c) Higher Level Security
(encryption at SSL or application level)
Security Tradeoffs
A2A1A3A3
Legend: Darker areas indicate
security (say encryption)
Copyright: a. umar
Wireless Security Example
Wireless LAN
Cell
Wireless LAN
Cell
Wireless LAN
Cell
Centrex
Router
and
Firewall
Link to
Public Internet
T1
or
DSL
X
Y Z
LAN Server
Fast Ethernet
LAN(Backbone)
1. No physical net security
(server ID/PW)
2. No physical net security
(server ID/PW + encryption)
3. Physical net security
(optional
server ID/PW + encryption)
A
B
C D
Wired Ethernet
LAN
Wireless Security Example
Wireless LAN
Cell
Wireless LAN
Cell
Wireless LAN
Cell
Centrex
Router
and
Firewall
Link to
Public Internet
T1
or
DSL
X
Y Z
LAN Server
Fast Ethernet
LAN(Backbone)
1. No physical net security
(server ID/PW)
2. No physical net security
(server ID/PW + encryption)
3. Physical net security
(optional
server ID/PW + encryption)
A
B
C D
Wired Ethernet
LAN
Copyright: a. umar
Tradeoffs between security and availability
•Highly available systems have redundancies and thus are harder to secure (must
protect each redundant copy and carry security contexts)
•The protection policy chosen against possible intrusion threats can be represented as
a tuple: (S, A) where S represents the security level chosen and A the availability
(see diagram on next page).
•The security S is provided at the following levels:
–Level 0: no security specified
–Level 1: Authorization and authentication of principals
–Level 2: Auditing and encryption (Privacy)
–Level 3: Non-repudiation and delegation
•Availability A can be represented in terms of replications (more replications increase
system availability):
–Level 0: No replication (i.e., only one copy of the resource is used)
–Level 1: Replication is used to increase availability. The resource is replicated for a fail-safe
operation
–Level 2: FRS (Fragmentation, Redundancy, Scattering) is used. FRS schemes split a
resource, replicate it, and scatter it around the network to achieve high availability and
intrusion tolerance
Tradeoffs between security and availability
•Highly available systems have redundancies and thus are harder to secure (must
protect each redundant copy and carry security contexts)
•The protection policy chosen against possible intrusion threats can be represented as
a tuple: (S, A) where S represents the security level chosen and A the availability
(see diagram on next page).
•The security S is provided at the following levels:
–Level 0: no security specified
–Level 1: Authorization and authentication of principals
–Level 2: Auditing and encryption (Privacy)
–Level 3: Non-repudiation and delegation
•Availability A can be represented in terms of replications (more replications increase
system availability):
–Level 0: No replication (i.e., only one copy of the resource is used)
–Level 1: Replication is used to increase availability. The resource is replicated for a fail-safe
operation
–Level 2: FRS (Fragmentation, Redundancy, Scattering) is used. FRS schemes split a
resource, replicate it, and scatter it around the network to achieve high availability and
intrusion tolerance
Copyright: a. umar
Protection Policies can be defined in terms of system security
and system availability
Security level 0
(No security)
Security level 1
(Authentication,
Authorization)
Security level 2
(Encryption,
Audit Trails)
Security level 3
(Non-repudiation,
Delegation)
Availability
Level 0
(No replication)
Availability
Level 1
(Replication
only)
Availability
Level 2
(FRS)
System Availability
System
Security
Low
Protection
High
Protection
Protection Policies can be defined in terms of system security
and system availability
Security level 0
(No security)
Security level 1
(Authentication,
Authorization)
Security level 2
(Encryption,
Audit Trails)
Security level 3
(Non-repudiation,
Delegation)
Availability
Level 0
(No replication)
Availability
Level 1
(Replication
only)
Availability
Level 2
(FRS)
System Availability
System
Security
Low
Protection
High
Protection
Copyright: a. umar
Sample Configuration
Wireless LAN1
(peer-to-peer)
Corporate
Backbone
= Wireless LAN Adapter
Wireless connection
Wired connection
Wireless LAN2
(peer-to-peer)
Access Point
as a repeater
Access
Point
Access Point
Internet
Gateway and Firewall
Corporate
ATM
Network
= ATM Switch
Public
Internet
Sample Configuration
Wireless LAN1
(peer-to-peer)
Corporate
Backbone
= Wireless LAN Adapter
Wireless connection
Wired connection
Wireless LAN2
(peer-to-peer)
Access Point
as a repeater
Access
Point
Access Point
Internet
Gateway and Firewall
Corporate
ATM
Network
= ATM Switch
Public
Internet
Copyright: a. umar
Satellite System Security
•Several security isues
•GAO report very critical
•Large satellite systems are managed by several subcontractors
with different security levels
Encryption/
Spread Spectrum
Physical security
of earth station
Satellite System Security
•Several security isues
•GAO report very critical
•Large satellite systems are managed by several subcontractors
with different security levels
Encryption/
Spread Spectrum
Physical security
of earth station
Copyright: a. umar
WAP Security
Web Server
• CGI Scripts
WAP Gateway
•Protocol Adapters
•WML Encoder
•WMLScript
Compiler
Wireless
network
with uses
WTLS
Security
WAP
Phone
Internet
uses
SSL
Security
Content
WML Browser
WML Script
WAP Security
Web Server
• CGI Scripts
WAP Gateway
•Protocol Adapters
•WML Encoder
•WMLScript
Compiler
Wireless
network
with uses
WTLS
Security
WAP
Phone
Internet
uses
SSL
Security
Content
WML Browser
WML Script
Copyright: a. umar
I-Mode security
Financial
Institution
Web
Server
with I-Mode
Content
Docomo
Wireless Network
using proprietary
protocols and
SSL
I-Mode
Phone
Dedicated
Lines
using SSL
Security
I-Mode security
Financial
Institution
Web
Server
with I-Mode
Content
Docomo
Wireless Network
using proprietary
protocols and
SSL
I-Mode
Phone
Dedicated
Lines
using SSL
Security
Copyright: a. umar
1) Develop security
Requirements based
on a conceptual model
4)Develop
countermeasures
and choose
technologies
Attack trees
2)Develop a Technology
Specific Model (e.g., M-
Services, wireless nets)
3) Conduct risk
assessment based on
attack trees
5) Re-iterate
Security Assurance Methodology
Information Flow
Control Flow
1) Develop security
Requirements based
on a conceptual model
4)Develop
countermeasures
and choose
technologies
Attack trees
2)Develop a Technology
Specific Model (e.g., M-
Services, wireless nets)
3) Conduct risk
assessment based on
attack trees
5) Re-iterate
Security Assurance Methodology
Information Flow
Control Flow
Copyright: a. umar
Levels of Security View
Applications
Middleware
Wireless
Link
•802.11 security (WEP)
•Cellular network security
•Satellite link security
•WLL and cordless link security
•SSL and TLS
•WAP security (WTLS)
•Web security (HTTPS, PICS, HTTP Headers)
•Proxy server security
•SET for transaction security
•S/MIME and PGP for secure email
•Java security
•Database security
TCP/IP
•IPSEC and VPN
Levels of Security View
Applications
Middleware
Wireless
Link
•802.11 security (WEP)
•Cellular network security
•Satellite link security
•WLL and cordless link security
•SSL and TLS
•WAP security (WTLS)
•Web security (HTTPS, PICS, HTTP Headers)
•Proxy server security
•SET for transaction security
•S/MIME and PGP for secure email
•Java security
•Database security
TCP/IP
•IPSEC and VPN
Copyright: a. umar
Web Web
ServerServer
(Customer(Customer
facingfacing
Apps)Apps)
HTML/XML
Documents
Back-end
Databases
Firewalls
Firewall
Back-end
APPs
Databases
Business
Internal Network
Wireless
Network
Wireless
gateway
HTTP
Web Web
ServerServer
(Customer(Customer
facingfacing
Apps)Apps)
HTML/XML
Documents
Back-end
Databases
Firewalls
Firewall
Back-end
APPs
Databases
Business
Internal Network
Wireless
Network
Wireless
gateway
HTTP
Copyright: a. umar
Summary
• Security principles
•Special issues in wireless security
•Security issues unique to 802.11,
satellites, cellular networks, WAP, etc.
•Security methodology
Summary
• Security principles
•Special issues in wireless security
•Security issues unique to 802.11,
satellites, cellular networks, WAP, etc.
•Security methodology
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 14
- Slides 20
- Age 429 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
35 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
38 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
34 views
14
Fertility awareness methods for women in the society
Isaiah47
31 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
30 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
31 views