Download Different Hashing Algorithms

DOMAIN 1 – ACCESS CONTROL
Access control protects the systems and resources from unauthorized access, and, usually
determines the level of authorization.
Subject: Entity requiring access to an object – user, process. (Active).
Object: Entity to which access is requested – file, process. (Passive).
Access control consists of the following primary areas:




Identification
Authentication
Authorization
Accountability
The last three of these are largely comprised of ‘logical access controls’.
Identification
Biometrics: Very sophisticated and accurate, but expensive.
Type 1 error: Rejection on authorizated individuals – false reject rate.
Type 2 error: Acceptance of invidual that should be rejected.
CER : Crossover error rate – point at which false acceptance equals false rejection –
expressed as a percentage. Important measurement of biometric system’s accuracy.
The lower the better.
Other barriers to widespread adoption of biometrics include user acceptance, enrollment
time and throughput.
Collected biometric images are stored in a corpus.
The order of effectiveness of biometric devices is:
Order of Effectiveness
Palm scan
Hand geometry
Iris scan
Retina pattern
Fingerprint
Voice verification
Facial Recognition
Signature Dynamics
Keystroke Dynamics
Authentication
The general types of authentication are:


Something a person knows.
Something a person has.
Order of Acceptance
Iris scan
Keystroke dynamics
Signature dynamics
Voice verification
Facial recognition
Fingerprint
Palm scan
Hand Geometry
Retina Pattern

Something a person is.
Strong authentication requires two of these (two-factor authentication).
Passwords:
Passwords are the most commonly used, but also considered one of the weakest. Can use
cognitive passwords instead?
One-time Passwords:
There are two types of one-time password – synchronous and asynchronous. One-time
passwords are usually generated by a token device that communicates with an
authentication service.
Synchronous – Token device synchronizes with authentication server via a time
based or event based synchronization. Token device and auth server share the same
secret key.
Asynchronous – Uses a challenge-response scheme to communication with the
authentication server.
Other authentication mechanisms:




Private key – digitally signing a message.
Passphrase – transformed into a virtual password
Memory card – holds information but does not process it. ATM card.
Smart card – capability of processing information.
Authorization
The system knows who you are (authentication) and must now decide if you can carry out
the requested actions. This is where authorization comes into play. Access criteria is the
crux or authorization:
Access criteria types can be broken up into:





Roles
Groups
Physical or logical (network) location
Time of day
Transaction type
All access criteria should default to “no access”.
Need to know principle:


Management’s job is to determine the “need to know”.
Administrator job is to configure access control and security mechanisms to fullfil the
need to know requirements.
Single Sign-on Mechanisms:
Scripting: Batch files containing logic details. Insecure. High maintenance recording and
maintaining scripts.
Kerberos:
Kerberos is a single sign-on system that uses symmetric key cryptography (DES) and end to
end encryption. Kerberos eliminates the need for transmitting passwords over the network.
In order to implement Kerberos, all software in use me be Kerberos compatible or,
“kerberized”. The components of Kerberos are:
KDC: Key distribution center. Holds user’s and services’ keys. The foundation of
kerberos is the client and server’s trust in the KDC. The KDC actually consists of a
ticket granting service and authentication server.
Principals: Entities requiring KDC services – users, apps or services. The KDC and
each principal share a secret key.
Ticket: Tickets are created by the KDC and given to a principle when that principle
needs to authenticate to another principle.
Realm: A “realm” is the set of components and principles that the KDC provides
services for.
AS: Authentication service – this is part of the KDC.
Kerberos Authentication Process:
The client trusts the KDC and the services trust the KDC due to their secret keys. An
overview of the process when a client wan’t to use a service via Kerberos is:
1. The client sends its user id and the name of the requested service to the KDC.
2. The KDC provides a session key for the client and service to use. One is encrypted
with the user secret key and the other with the service secret key.
3. The KDC generates a service ticket containing both session keys. This ticket is sent
back to the client. The user enters their password and if the password is correct, the
client converts it into the necessary key to decrypt the client session key in the
ticket.
4. The client decrypts the client portion of the ticket to get the session key and sends
the ticket on to the service. The service uses its own private key to decrypt the
session key.
5. The user and service are now authenticated to each other and communicate with
encrypted data via the session key.
Secret key: Shared between KDC and a principle.
Session key: Shared between two principles.
Kerberos weakness:
Kerberos has a number of weakness that can make it vulnerable to attack. Some of these
are:


The KDC is a single point of failure.
The secret keys are temporarily stored on user’s workstations, in memory, etc.





Session keys are decrypted and reside on user’s workstations.
Vulnerable to password guessing.
Does not protect network traffic.
When a user changes password, the KDC database needs to be updated with a new
corresponding secret key.
Replay attacks can be used against Kerberos.
Sesame:
Secure European System for Applications in a Multiuser Environment. Sesame is a single
sign-on system designed to address some of the kerberos weaknesses. It uses public key
cryptography for distribution of secret keys and supports MD5 and CRC32 hashing. Still
vulnerable to password guessing. Sesame uses the Needham-Schroeder protocol.
Thin Clients:
No local processing. Thin clients for the user to login to the network just to be able to use
the computer.
Kryptoknight:
Kryptoknight is another single sign-on protocol similar to Kerberos. The main difference is
that there is a peer-to-peer relationship among parties and the KDC.
ACCESS CONTROL MODELS
An access control model is a framework that dictates how subjects access objects. There are
three main types of access control model: mandatory access control, discretionary access
control and role-based access control.
Discretionary (DAC): The creator of a file is the ‘owner’ and can grant ownership to
others. Access control is at the discretion of the owner. Most common implementation
is through access control lists. Discretionary access control is required for the Orange
Book “C” Level.
Mandatory (MAC): Much more structured. Based on security labels and categories.
Access decisions are based on clearance level of the data and clearance level of the
user, and, classification of the object. Rules are made by management, configured by
the administrators and enforced by the operating system. Mandatory access control is
required for the Orange Book “B” Level.
Role-Based (RBAC): Continually administered set of controls by role within
organization. Access rights assigned to roles – not directly to users. Roles are tighter
controlled than groups - a user can only have one role. Can use different types of
RBAC:
Role-based: Role within organization.
Task-based: Specific task assigned to the user.
Lattice-based:
Access Control Techniques and Technologies:
Once a company decides on the access control model to use, the technologies and
techniques to implement that model need to be determined:
Role-based: Can be used with DAC – NT Groups.
Can be used with MAC – Labels assigned to roles.
Rule-based: Router or firewall rules – user cannot change.
Restricted interfaces:
 Menus and shells
 Database views
 Physically constrained interfaces.
Access Control Matrix:
Table of subjects and objects indicating access.
Capability Tables:
Specifies the access a certain subject has to specific objects.
Corresponds to a row in the access control matrix. Bound to subject.
Access Control Lists:
Bound to object. List of subjects authorized to access a specific object,
and, the level of access/authorization.
Content-dependant:
Database views are a good example – access is based on the data
content itself.
Conteaxt-dependant:
Access is based on location, time of day, previous access history, etc.
Access Control Administration:
Access control administration is either centralized, decentralized or a hybrid of the two.
Examples of centralized access control technologies include:
RADIUS: Remote Authentication Dial-In User Service. Usually used for dialup. Access
server requests user login credentials and forwards to a backend RADIUS server. Can
use callback for additional security.
TACACS: Terminal Access Controller Access Control System. There are several types
of TACACS:
o
o
o
TACACS : Combines its authentication and authorization processes.
Passwords are static.
XTACACS: Seperates authentication, authorization and accounting processes.
TACACS+: XTACACS with two-factor user authentication. Supports token
authentication.
Security Domain: A security domain is defined as a “realm of trust”. Subjects and objects
share common security policies and procedures and are managed by the same system. Also
used within operating systems and applications to protect system files or processes. Can
also be defined as a the complete set of resources available to a user.
Access Control Methods:
There are three broad categories of access control layers:



Administrative
Technical
Physical
Administrative controls:
Policies and procedures : Guidelines + standards + baselines
Personnel controls : Hiring, firing, promotions, transfers, seperation of duties,
rotation of duties, forced vacation.
Supervisory structures : Clear lines of reporting.
Awareness Training
Security Testing : Drills, penetration testing, queries to employees, interviews,
reviews.
Physical controls:






Network segregation.
Perimeter security.
Computer controls.
Work area seperation.
Data backups.
Cabling.
Logical (Technical) Controls:
System Access – See previous access control mechanisms.
Network architecture – Logical controls can provide segregation and protection of
an environment. I/P address ranges, subnets, routing between networks, etc.
Network Access – Logcal network access controls – routers, switches, NICs, bridges.
Encryption and Protocols
Control Zone – Technical and physical control. Surrounds and protects network
devices that emit electrical signals. TEMPEST related.
Auditing
Access Control Types
Each control method can also perform different functionality. The functionality types are:






Preventative
Detective
Corrective
Deterrant
Recovery
Compensating
For example:
Preventative-Administrative:

Policies and procedures, effective hiring practices, background checks, data
classification, security awareness training.
Preventative-Physical:

Biometrics, badges, swipe cards, guards, dogs, motion detectors, fences, mantraps,
locks and alarms.
Preventative-Technical:

Passwords, biometrics, smart cards, encryption, call-back systems, database views,
antivirus software, ACLs, firewalls, IDS
Accountability: Auditing capabilities ensure that users are held accountable for their
actions, verify that policies are enforced, deter improper actions and are an investigative
tool.
There are 3 main types of audit tool:



Audit reduction
Variance detection
Attack-signature detection
Audit data must be protected from unauthorized viewing and modification.
Access Control Practices:
The following tasks should be carried out regularly:




Deny access to undefined or anonymous accounts
Limit and monitor administration accounts
Suspent access after a number of failed logins
Remove accounts as soon as someone leaves an organization.
Format Access Control Models:
Bell LaPadula: The Bell LaPadula model is built on state machine concepts and focuses on
confidentiality. The objective of this model is to ensure that the initial state is always secure
and that transitions always result in a secure state. Bell LaPadula defines a secure state
through 3 multilevel properties:
Simple Security Policy: No read up – a lower level subject cannot read a higher
level object. Protecting confidentiality.
Security * (star) property: No write down – do not allow confidential information
to be written to a local level, where a lower level subject will be able to view it.
Discretionary Security Property: Uses a discretionary access control matrix to
manage exceptions.
Biba Model: The Biba model is lattice based and focuses on integrity more than
confidentiality. Biba specifies the following three axioms:
Simple Integrity Axiom: No read down. A higher level subject cannot read
information from a lower level. This prevents higher level reports and data being
corrupted by lower level (and less trustworthy) information.
Integration * (Star) Axiom: No write up. A subject cannot write data above its
security level – higher level data might be compromised by lower level, less
trustworthy data.
A subject at one integrity level cannot invoke a subject at a higher integrity level
Clark-Wilson Model: This model has emphasis on integrity – both internal and external
consistency. Clark-Wilson uses well formed transactions, seperation of duties and the
labeling of subjects and objects with programs to maintain integrity. Security properties are
partly defined through five certification rules, suggesting the check that should be
conducted so that the security policy is consistent with the application requirements.
CDI – Constrained Data Item: A data item whose integrity must be preserved.
IVPS – Initial Verification Procedures: Confirm that all CDIs are in a valid
integrity state when the IVP is run.
TP – Transformation Procedure: Manipulates the CDIs through a well-formed
transaction, which transforms a CDI from one valid integrity state to another.
UDI – Unconstrained Data Item: Data items outside of the control area such as
input information.
Any TP that takes a UDI as input must either convert the UDI into a CDI or reject the
UDI and perform no transaction at all.
Unauthorized disclosure of information:
There are several ways in which information can be inadvertently disclosed. The follow
items are related to information disclosure:
Object Reuse: Reassigning media to a subject when media might still contain some
residual information. Make sure media is cleaned. Degaussing works best. Object
reuse controls are required for TCSEC B2 and above.
Emanation: Picking up radiation emitted by devices. Can use TEMPEST technology to
block. TEMPEST is very expensive, some alternatives are:
White Noise – Uniform spectrum of random electrical signals used to disguise real
data.
Zones – Control zones.
Access Control Monitoring
Keeping track of who attempts to access specific resources, access control monitoring is an
important detective mechanism usually carried out by intrustion detection systems:
Intrusion Detection Systems (IDS):
Network Based: Monitors network, or a segment of the network (passive).
Placement of sensors is a critical part of configuring a network based IDS. Place a
sensor on the outside firewall to detect attacks and inside the firewall to detect
invasions. Another factor to consider is that the network traffic should never exceed
the IDS threshold, or the IDS may just start to drop packets.
Host-Based: Monitors a specific system.
Instrusion detection system have two main methods of operation:
Knowledge / Signature based: This type of IDS looks for known attacks and is
therefore weak vs new attacks. There are less false alarms. This type of IDS may also
fail to detect “slow” attacks extended over a long period of time.
Behaviour based / Statistical IDS: This type of IDS detects deviations from
expected behaviour of users and systems. May use expert systems. Detects new
attacks and doesn’t rely on a database of signatures to be updated, but, can cause
more false positives.
Relational Database Security
Relational datbase security is a growing area of concern. The following are areas relating to
database technology and security:
Schema: Description of the database and its tables. Usually written using a DDL.
Cardinality: Number of rows in a table.
Degree: Number of colums in a table.
Domain: The set of all allowable values an attribute can take.
Entity Integrity & Referential Integrity:
View: Virtual table defined from other tables that is used to restrict access, hide attributes
and provide content-dependant access. Views help implement least privilege and need to
know principles.
To protect against “inference attacks”, databases may have a minimum query set size and
prohibit query of “all but one” tuples. Highly secure systems may also employ context
dependant access control where the tuples a user can read are based on those already read.
Threats
The main categories of threat to access control mechanisms are:



Dictionary attack.
Brute force attack.
Spoofing at login – fake login screen to capture details.
A “trusted path” can mitigate login spoofing.
The following measures are used to compensate for internal and external access violations:





Backups
RAID
Fault tolerance
Business continuity planning
Insurance
DOMAIN 2 – TELECOMMUNICATIONS & NETWORK SECURITY
Open Systems Interconnect (OSI) model:
Developed early 1980s and introduced in 1984:
OSI Model
Application
Presentation
Session
Transport
Network
Data Link
Physical
TCP/IP Model
|
| Application
|____________
<--> Host to Host
<--> Internet Layer.
|
| Network Access Layer.
“Each protocol at a specific OSI layer communicates with a protocol that operates at the
same OSI layer on another computer. This happens through encapsulation”
The protocols, technologies and computers that operate within the OSI model are called
open systems.
Application Layer:
The application layer works closest to the user and handled message exchanges, terminal
sessions, etc. The application does not include the actual applications, but the protocols
(APIs) that support the applications.
Examples of protocols running in the application layer include:

SMTP, HTTP, LPD, FTP, WWW, Telnet, TFTP
Presentation Layer:
The presentation layer received data from the application layer and puts it into a format
that all computers using the OSI model can understand.
The presentation layer is not concerned with the meaning of data, but the correct syntax
and format. The presentation layer can often be considered a “translator”.
This layer also handles encryption and compression.

ASCII, JPEG, TIF, GIF, Encryption, Compression, MIDI, MPEG
Session Layer:
When two computers need to communication, or transfer information, a connection session
needs to be set up between them. The session layer is responsible for establishing a
connection, maintaining it during data transfer and releasing it when done.
The session layer works in 3 phases:



Connection establishment
Data Transfer
Connection release
Common protocols at the session layer are:

SSL, NFS, SQL, RPC
Transport Layer:
When two computers are going to communicate, they must first agree on how much
information each will send at a time, how to deteremine if data was lost in order to
retransmit and other parameters. The computers agree on these parameters through a
process at the transport layer, OSI layer 4.
The transport layer helps provide more reliable data transfer, error correction and flow
control. It assembles data into a stream for transmitting over the network, and handled
multiplexing if necessary. The transport layer also handles the teardown of virtual circuits
and the multiplexing of upper layer applications.

TCP, UDP, SPX
Network Layer:
The main responsibility of the network layer is to insert information into the packet’s header
so that it can be properly routed. Routing protocols build and maintain their tables at this
layer.
The protocols at this layer do not ensure packet delivery – they rely on the transport layer
for that.
Protocols operating at this level include:

IP, ICMP, RIP (Routing information protocol), OSPF (Open shortest path first), BGP
(Border gateway protocol) and Internet group management protocol (IGMP)

Most routers also run in the network layer.
Data Link Layer:
As data travels down the ISO stack it comes to a point where it needs to be translated into
LAN or WAN binary format for line transmission. This happens at the data link layer.
The data link layer is where the operating system knows what format the data frame must
be in to transmit over Token Ring, Ethernet, FDDI, ATM, etc.
Network cards bridge the data link and physical layer. The data link layer actually consists
of two sublayers:
1. Media Access Control (MAC)
2. Logical Link Control (LLC)
Protocols operating in the data link layer include:

SLIP, PPP, RARP, L2F, L2TP, ISDN ARP

Bridges operate in the data link layer.
Physical Layer:
The physical layer converts bits into voltage for transmission. This layer controls
synchronization, data rates, line noise and phsyical medium access.
Protocols operating in the physical layer include:

RS232, SONET, HSSI, X.21

Repeaters operating in the physical layer.
OSI Security Services and Mechanisms:
OSI defines 6 basic security services to secure OSI communications:
1.
2.
3.
4.
5.
6.
Authentication
Access Control
Data confidentiality
Data integrity
Non-repudiation
Logging and Monitoring
In addition, the OSI model defines 8 security mechanisms. A security mechanism is a
control that is implemented in order to provide the 6 basic security services:
1.
2.
3.
4.
5.
6.
7.
8.
Encipherment
Digital Signatures
Access Control
Data Integrity
Authentication
Traffic Padding
Routing Control
Notarization
TCP/IP


I/P is a network layer protocol and provides datagram routine services.
Two main protocols work at the transport layer, TCP and UDP.
TCP Handshake:
1. Host -------- SYN --------->
2.
<----- SYN/ACK ----->
Host B
3.
--------- ACK -------->
The TCP/IP model has 4 layers:
Application
Host to host
Internet
Network Access
The TCP/IP model layers correspond to the ISO model layers as follows:
Application
Host to Host
Internet
Network Access
Application, presentation, session.
Transport
Network
Data Link, Physical
The Host-to-host layer handles:
TCP
UDP
- Virtual Circuit, sequenced, slower, more reliable
- “Best effort”, connectionless.
Internet layer:
I/P
ARP
RARP
ICMP
- No guarantee of delivery, delivery in sequence or only once.
- I/P to MAC
- MAC to I/P
Protocol Numbers:
The I/P header contains a protocol field. Some common protocols are:
1 - ICMP
2 – IGMP
6 - TCP
17 – UDP
Data Structures:
-
Within the I/P protocol suite, when an application formats data for sending over the
network, it is a message.
-
At the transport layer, TCP works on the data and it is now a segmenti. The segment is
passed to the network layer.
-
The network layer adds addressing and routine and the bundle is now called a
datagram.
-
The datagram is passed off to the data link layer which frames the datagram with a
header & trailer. It is now called a frame.
Application Layer
Transport Layer
TCP
Message
Segment
UDP
Message
Packet
Network Layer
Data Link Layer
Datagram
Frame
Datagram
Frame
General Classes of Network Abuse:
Class A: Unauthorized access of restricted network services. Also called “login
abuse”. Refers to legitimate users accessing network services that should be restricted to
them.
Class B: Unauthorized use of a network for non-business purposes.
Class C: Eavesdropping
Class D: DOS and other disruptions
Class E: Network Intrusion. Refers to the use of unauthorized access to break into
the network from the outside. Classic cases are spoofing, piggybacking and backdoor
exploitation.
Class F: Probing. An active variation of eavesdropping.
Additional Attacks: SYN attacks, Buffer Overflow, Teardrop attack and Smurf.
Common Session Hi-jacking attacks:



IP Spoofing attacks.
TCP sequence number attacks.
Other fragmentation attacks – using fragmented packets to hide true contact.
NETWORKING
LAN Media Access Technologies

Most of the differences between LAN and WAN take place at the data link layer
“Two LANs connected by a router is an internetwork, not a bigger LAN. Each LAN has its
own addressing scheme and broadcast and communication mechanisms. If they are
connected by different data link technologies such a frame relay of X.25 then we are looking
at a WAN”
Ethernet






Usually a bus or star topology
IEEE 802.3 standard
Shared media – all devices take turns and detect collisions
Uses broadcast and collision domains
CSMA/CD access method (Carrier Sense Multiple Access with Collision Detection)
Uses coaxial or twisted pair.
Common Implementations:
10base2: ThinNet. Uses coaxial cable. Max length of 185 meters and provides up to
10mbs throughput. Uses BNC connectors.
10base5: ThickNet. Uses thicket coaxial cable. Longer cable segments and less
interference.
10baseT: Twisted-pair copper wiring. RJ45 connectors, usually in a star topology with
a hub or switch.
Fast Ethernet: Regular ethernet running at 100mbps over twister pair wiring.
Ethernet Types Table:
Type
10base2, ThinNet
10base5, ThickNet
10base-T
100base-FX, Fast
1000base-T
Cabling
Co-Axial
Co-Axial
UTP
UTP
UTP
Speed
10mbps
10mbps
10mbps
100mbps
1,000mbps
Token Ring






802.5 standard, originally developed by IBM
Signal travels in a logical ring
Each computer is connected to a hub called a Multistation Access Unit (MAU)
16mbps capacity
Active Monitor – removes frames that are continually circulating
Beaconing – attempts to work around errors.
FDDI – 802.8








Fiber Distributed Data Interface
Developed by ANSI
High speed token-passing media access technology
Speed of 100mbvps – usually used as a backbone network using fiber optics.
Fault tolerance – second counterrotating ring.
Can be used up to 100kms, so popular in MANs
CDDI (copper distributed data interface) is a version that can be used locally.
802.8 standard.
CABLING
LAN Media
Ethernet
Standard
802.3
Characteristics
* Shared media
* Broadcast & Collision Domains
* CSMA/CD
* Coaxial or twisted cable
* 10mbps – 1 gbps
Token Ring
802.5
*
*
*
*
Devices connect to center MAU
Token-passing access method
Transmission speeds of 4-16mpbs
Active monitor and beaconing
FDDI
802.8
*
*
*
*
*
Token-passing access method
Dual counter rotating ring – fault tolerance
100mbps over fiber-optic
Long distance at high speed
CDDI works over UTP
Bandwidth
Data Rate
: Size of pipe
: Amount of data
Coaxial







Copper core surrounded by shielding layer
More resistant to EMI
10base2 = ThinNet (RG58), 10base5 = ThickNet (RG11/RG8)
10base2 segments can be up to 185 meters
10base5 segments can be up to 500 meters
Can use baseband method (one channel) or broadband (multiple channel)
50ohms cable used for digital signaling and 75ohms for analog signaling and high
speed data.
Twister Paid Cable


STP = Shielded Twisted Pair
UTP = Unshielded Twisted Pair
UTP
Category
CAT 1
CAT 2
CAT 3
CAT 4
CAT 5
CAT 6
CAT 7
Characteristics
Usage
Voice Grade
Up to 4mbps
10 mbps ethernet
4mbps token
16 mpbs
100 mbps for
100-base TX and FDDI
155mbps
1gbps
Not recommended for network use.
Mainframe and mini connections.
10 base-T networks
Token ring networks
FDDI & ATM installations. New LANS
Net network installations
Net network installations
Fiber Optics




Uses a type of glass carrying light waves
Glass core surrounded by protective cladding, encased in outer jacket
Not affected by EMI, no attenuation
Very hard to tap into, so more secure.
Common Cable problems:
Noise: Caused by surrounding devices or characteristics of the environment
Attenuation: Loss of signal as it travels. The affect of attenuation increases at higher
frequencies.
Crosstalk: UTP is susceptible to crosstalk which is caused when electrical signals on
one wire spill over to another wire.
Plenum space is the space between the ceiling and the next floor. Often used for wiring
and cabling.
TYPES OF TRANSMISSION
Data transmission can happen in different ways (analog or digital), use different controlling
schemes (synchronous or asynchronous) and can only use one channel on a wire
(baseband) or several channels (broadband).
Analog Signals: Continually varying.
Modulation: Combining with carrier signal of a specific frequency.
Digial Signals: Discrete binary pulses.
Asynchronous



Two devices not synchronized in any way.
Usually used for smaller amounts of data
Usually includes start and stop deliniation
Synchronous



Transfers data as a stream of bits instead of framing it in start and stop bits.
Synchronization can be via clocking mechanisms, or a signal in the data.
Usually used for higher volumes of data.
Baseband

Transmission accomplished by applying direct current to a cable. Uses full cable for
its transmission. Ethernet is baseband.
Broadband

Divides cable into channels so that different types of data can be transmitted at the
same time. CATV is broadband. Other broadband types include T1, T3, ISDN, ATM,
DSL and wireless.
Unicast: From source to one computer.
Multicast: From source to a specific set of systems. NIC pics up packets with a specific
multicast address.
Broadcast: From source to all computers on a subnet.
Network Topology:
The physical arrangement of computers and devices is the “Network Topology”
Ring Topology



Series of devices connected by unidirectional transmission links.
Form a closed loop, no central hub
Must provide redundancy or risk single points of failure
Bus Topology



In a simple bus topology, a single cable runs the entire length of the network.
Each packet is looked at by all nodes.
Traditional ethernet uses bus topologies.
Star Topology




All nodes connect to a dedicated central hub or switch
Hub is a potential single point of failure
Less cabling used and no termination issues
Most LANs are in a physical star topology
Mesh Topology




All systems and resources are connected to each other in some way
Greater degree of complexity
Greater degree of redundancy
The internet is a good example of a partial mesh.
LAN Media Access Technologies:
Token Passing:
Only the computer the has the token can put frames onto the wire. This media access
technology is used by Token Ring & FDDI and is defined in the 802.5 standard.
Token passing networks are deterministic meaning it is possible to calculate the maximum
time that will pass before a station can transmit. This makes token ring networks ideal for
applications where delay must be predictable, such as factory automation.
CSMA (Carrier Sense Multiple Access):
There are two flavors are CSMA, CSMA/CA (Collision avoidance) and CSMA/CD (Collision
detection).
A transmission is called a “carrier”. If a computer is transmitting frames, it is performing a
carrier activity.
With CSMA/CD, computers listen to the wire for the absense of a carrier tone. If two
computers sense this absense and transmit at the same time, contention and a collision can
take place. All stations will execute a “back off” algorithm (Random retry timer).
With CSMA/CA, each computer signals the intent to transmit before they actually do so.
Collision Domains
“The more devices there are on a contention based network, the more likely collisions are
which increases latency. A collision domain is a group of resources that are competing for
the same shared communication medium”.
One subnet will be on the same broadcast and collision domain if it is not seperated by
routers or bridges.
PROTOCOLS
Address Resolution Protocol: ARP
The data link layer works with MAC addresses, not IP addresses. ARP resolves IP addresses
to MAC addresses. ARP broadcasts a frame requesing the MAC address that corresponds to
the destination IP address. The computer that has that IP address responds with its MAC
address.
“ARP table poisoning” is altering the ARP cache so that an attacker receives packets
intended for another destination.
Reverse Address Resolution Protocol: RARP
Diskless workstations know their hardware address, but not the IP address. It broadcasts
the MAC address information and the RARP server responds with an I/P address.
BOOTP is similar to RARP but provides more functionality includeing nameserver and
gateway address.
Internet Control Message Protocol: ICMP
ICMP delivers messages, reports errors, reports routing information and tests connectivity.
PING is the most common – sends out ICMP ECHO frames and receives ICMP REPLY frames
back.
NETWORKING DEVICES
Repeaters



Repeats and amplifies signal between cable segments
Works at the physical layer
Also known as line conditioners
Bridges


Uses to connect different LAN segments
Works at the data link layer and therefore works with MAC addresses.



Divides overburdened networks into smaller segments for better use of bandwidth
and traffic control
Beware of “broadcast storms” – using bridges to echo broadcast packets.
A bridge forwards data to all other network segments if the MAC address of the
destination computer is not on the local network segment.
There are three types of bridge:
Local: Connects two or more LAN segments.
Remote: Can connect two or more LANS over a long distance with
telecommunications between them.
Translator: Connects LANs of different types and protocols.
Summary of the functions of bridges:





Segment a large network into smaller, more controllable pieces
Use filtering based on MAC address
Join differenty types of network while retaining same broadcast domain
Isolate collision domains within the same broadcast domain
Some bridges translate between protocol types.
Routers vs Bridges:



Routers work at the network layer and are based on IP address. Bridges work at the
data link layer and filter frames based on MAC addresses.
Routers will not usually pass broadcast information.
Bridges will pass broadcast information.
Spanning tree algorithm is a bridge algorithm.
If source routing is used, the packets themselves have the information within them to tell
the bridge where they should go.
Hubs:
Hubs are used to connect multiple LAN devices into a concentrator. Hubs can be considered
as multiport repeaters and operate at the physical layer.
Routers:
Routers work at the network layer. A router has two or more interfaces and a routing table
to get packets to their destination. Routers can filter traffic based on access control lists
(ACLs) and fragment packets when necessary.
Routers discover information about routers and changes that take place in a network
through its routing protocols (RIP, BGP and OSPF).
The following outlines the stages that take place when a router receives a packet:
1.
2.
3.
4.
A frame is received on one of the router’s interfaces.
Destination i/p address is retrieved from the datagram
The router looks at the routing table to see which port matches the destination
If the router has no information on the destination, it sends an ICMP error to the
sending computer.
5. The router decrements the TTL. If the MTU is diferent than the destination requires,
it fragments the packet.
6. Router changes the header information on the frame so that it can go to the next
correct router.
7. Frame is sent to the router’s output queue.
Routing environments are based on autonomous systems. The autonomous systems are
connectd to each other through routers and routing protocols.
Routing takes place within an autonomous system through internal protocols like OSPF and
RIP.
Routing takes place between autonomous systems through exterior protocols like BGP.
Switches:
Switches combine the functionality of a repeater and the functionality of a bridge. Any
device connected to one port communicates to any device on another port with it’s own
virtual private link.
“A switch is a multiport bridging device and each port provides dedicated bandwidth to the
device attached to it”
Basic switches work at layer 2 and forward traffic based on MAC address. Today, there are
layer 3 and layer 4 switches with more enhanced functionality. There are referred to as
“multilayered switches”.
Virtual LANS (VLANS) are also an important part of switching networks. A switch only sends
a packet to the port where the destination MAC address is located, so offer more protection
against network sniffers.
VLAN:
VLANs (Virtual LANs) allow administrators to logically seperate and group users. VLANs also
allow administrators to apply different security practices to different groups.
Brouter:
Hybrid device combining the functionality of a bridge and a router. A brouter can bridge
multiple protocols and route packets based on some of these protocols.
Gateways:
Almost all gateways work at the application layer because they need to see a majority of
the information within a frame and not just the address and routing information that a
router or bridge requires.
A popular type of gateway is an email gateway. The mail gateway will usually convert email
into standard X.400 and pass it on to the destination mail server.
A network connecting to a backbone (Ethernet --> FDDI for example) would need a LAN
gateway.
Summary of Main Devices:
Device
Repeater
Bridge
Layer
Phsyical
Data Link
Router
Network
Brouter
Network &
Data Link
Data Link &
Higher
Application
Switch
Gateway
Functionality
Amplifies signal and extends networks
Forwards packets. Filters packets based on MAC address.
Forwards broadcast but not collision traffic.
Filters based on IP address. Seperates or connects LANs,
creating internetworks.
Bridges multiple protocols and routes some of them.
Private virtual link between devices. Allows for VLANs.
Impedes sniffing and reduces contention.
Connects different types of network. Protocol and format
translation.
PBX:
A Private Branch Exchange (PBX) is a telephone switch located on the company’s property.
A PBX can interface with several types of device and provides a number of telephone
services. Data is multiplexed onto a dedicated line connected to the telephone company’s
central office.
PBXs have the following issues:



Often have modems attached for vendor maintenance.
Come shipped with default system passwords.
Vulnerable to brute force attacks.
ATM Switches:
Most commonly used in WANs but started to be seen in LANs. Use a cell-relay technology.
FIREWALLS
Firewalls are used to restrict access from one network to another network. A firewall is a
device that supports and enforces the company’s network security policy.
Many times companies setup firewalls to construct a “DMZ” or “buffer zone” which is a
network segment located between protected and unprotected networks. Usually, two
firewalls are used to construct a DMZ:
LAN <-- firewall <--- DMZ <---- firewall <----- router <----- .o( Internet )o.
Packet Filtering:
Packet filtering firewalls use Access Control Lists to determine which packets can and cannot
pass through. The filtering is based on network layer information, the device cannot look
further into the packet itself. A packet filtering router is also called a screening router.
Packet filtering usually takes place at the network or transport layer.
Pros
Scalable
High Performance
Application Independant
Cons
Does not look into packet past the header info
Lower security relative to other options
Does not keep track of connection state
Used in first generation firstwalls.
Packet filtering firewalls are often called “first generation firewalls”.
Stateful Packer Filtering:
Stateful filtering keeps track of which packets went where until the connection is closed. To
accomplish this, the firewall maintains a state table.
A packet filtering firewall may have the rule to deny UPD on port 25, while a stateful packet
filtering firewall can say “allow those packets through if they are in response to an outgoing
request”.





Frames are analysed at all communication layers.
High degree of security without the performance hit of proxy firewalls.
Scalable and transparent to users.
Provides data for tracking connectionless protocols like UDP and RPC
Used in third generation firewall applications.
Proxy Firewalls:
A “proxy” is a middleman. A proxy firewall accepts messages entering or leaving the
network and checks it for malicious information and if ok, passes it on to the destination. A
proxy firewall breaks the communication channel – there is no direct communication to
internal computers.
Outside scanners will only see the proxy server. Packets are repackaged as they pass
through the proxy firewall. Outbound packets will only have the I/P addrss of the firewall
which means that a proxy server will be the only one with a valid I/P address- the servers
behind it can all use private address ranges.
A dual homed firewall has two NICs and forwarding turned off. There are two types of
proxies:

Application and circuit proxies.
Proxy firewalls are considered second generation firewalls and are usually used with a dualhomed host.
Application Level: Inspects entire packets and makes access decisions based on
actual content. Understands the different protocols and usually works for just one
service or protocol.
Circuit-Level: Creates a circuit between client computer and server. Makes access
decisions based on source and destination.
Pros:



Looks at information within the packet, right up to the application layer.
Better security than packet filtering
Aware of protocols, services and commands being used.
Cons:




Limited to what applications it can support
Can degrade network performance
Poor scalability
Breaks client/server model.
Dual-Homed Host Firewalls:


Single computer with seperate NICs to each network
Used to divide internal trusted network and external untrusted network



Must disable forwarding
Usually used with proxy software
Users can easily and accidentally enable forwarding.
Application level vs Circuit Level proxy firewalls:
Application Level:






Transfers a copy of each approved packet from one network to another.
Different proxy required for each service.
Hides network information from external attackers.
Hides internal computer information and addresses.
More intricate control than circuit level proxy firewalls
Reduces network performance
Circuit-Level:




Provides a circuit between the source and destination
Does not require a proxy for each service
Does not provide the detailed control that the application level proxy does.
Security for a wider range of protocols.
SOCKS proxy server characteristics:





Circuit-level proxy
Requires clients to be integrated with SOCKS client software.
Mainly used for outbound internet access and VPN
Can be resource intensive
Authentication and encryption are similar to VPN, but socks is not considered a
bidirectional VPN.
1st generation : Packet filtering firewalls.
2nd generation: application (proxy) firewalls
3rd generation: stateful packet firewalls
4th generation: dynamic filtering
5th generation: kernel proxy
FIREWALL ARCHITECTURE:
Bastion Host:
A bastion host can be thought of as the foundation for the firewall software to operate on. It
is the machine that will be accessed by all entities trying to access or leave the network.
Screened Host:
Many times a screened host is a bastion host that communicates with a border router and
the internal network. Inbound traffic is filtered by packet filtering on the router and then
sent to the screened host firewall.
Screened Subnet:
Adds another layer of security over the screened host firewall – the bastion host housing the
firewall is screened between two routers. This architecture sets up a DMZ between the two
routers.
Shoulds of firewalls:
Firewalls should:





Default to deny
Block external packets inbound with internal addresses (Spoofing)
Block outbound packets with external source addresses (Zombies)
High security firewalls should reassemble packet fragments before sending them on
to their destination.
Many firewalls will deny packets with source routing information.
Networking Services
Network Operating Systems (NOS):
Short list of some of the services that NOS systems (NT, W2K, Linux) provide that most
single user (W95, W98) systems do not:







Directory services
Internetworking, routing and WAN support
Support for dial-up users
Clustering functionality
File & print services
Management and administration tools
Fault tolerance
A redirector connects local computer to rsources of the network – the local computer may
not even be aware of this.
DNS:


Networks are split up into “zones”
DNS server is said to be authoritative for the zone it serves.
Directory Services:
A directory service is a database containing a hierarchy of users, computers, printers and
attributes of each. The directory is used mainly for lookup purposes – to allow users to
break down resources. Most directory services are built on the X.500 model or use LDAP to
access the directory database.
Intranets and Extranets:
Private I/P address ranges are:
10.0.0.0
172.16.0.0
192.168.0.0
-
10.255.255.255
172.31.255.255
192.168.255.255
Class A
16 * Class B
256 * Class C
Network Address Translation:
Network address translation forms a gateway between a network and the internet or
another network. The gateway performs transparent routing and address translation. Some
attributes of this process are:


Hides true internal I/P address information from the outside world.
The NAT device needs to remember the internal IP address and port to send the
messages back to.
Metropolitan Area Network (MAN):
A MAN is usually a backbone that connects businesses to WANS, the internet and other
businesses. A majority of today’s MANs are Synchronous Optical Network (SONET) or FDDI
rings provided by local telephone companies.
Wide Area Network (WAN):
WAN technologies are used when communication needs to take place over a larger
geographical area.
There are several technologies in the WAN arena, several of which are discussed below.
The SONET (Synchronous Optical Network) gives all the world’s carriers the ability to
interconnect.
ATM encapsulates data in fixed cells and can be used to deliver data over SONET. The fixed
size provides better performance and reduced overhead.
A quick snapshot at telecom history:





Copper lnes carrying analog information
T1 lines carrying up to 24 conversations
T3 lines carrying up to 28 T1 lines
Fiber optics and the SONET network
ATM over SONET
Types and speed of standard leased lines:
DS0 : Single 64k channel on a T1 facilities
DS1 : 1.544mbps on a T1 (2.108 on a E1 in Europe)
DS3 : 44.756mbps on a T3 facility.
Dedicated Links:


Leased line or “point to point” link.
Expensive, but secure
T-Carriers:



Dedicated lines that carry voice or data over trunk lines.
Most common are T1 @ 1.544mbps and T3 @ 45mbps
Multiplexing through TDM (Time division multiplexing)
S/WAN:


Secure WAN, initiative of RSA security who worked with firewall and protocol vendors
to build secure firewall-to-fireall connections through the internet.
S/WAN is based on VPNs that are created with IPSEC.
xDSL types
ADSL: More bandwidth down than up.
SDSL: 1.544mbps down and up. Limited to 10,000 feet from exchange.
HDSL: High-rate digitial subscriber line. 1.544mbps each way.
VDSL: Very high data rate dsl – 13 to 52mbs downstream and 1.5 to 2.3 upstream.
Limited to 1,000 – 4,500 feet from exchange.
Packet Switching vs Circuit Switching:
Circuit Switching
Constant Traffic
Fixed delays
Connection-oriented
Sensitive to loss of connection
Voice oriented
Packet Switching
Bursty Traffic
Variable delays
Connectionless
Sensitive to loss of data
Data Oriented
WAN Technologies
CSU/DSU:





Channel service unit / data service unit : required when digial equipment will be used
to connect a LAN network to a WAN network
Necessary because the frames are so different between LAN and WAN equipment.
DSU converts signals from routers, bridges, etc into signals that can be transmitted
over the telephone company’s digital lines
CSU connects the network directly to the telephone company lines.
Provides an interface for DTE and DCE devices such as the router and the carrier’s
switch.
Switching:
There are two main types of switching, circuit switching and packet switching:
Circuit Switching:




Connection oriented virtual links (ISDN, telephone call)
Traffic travels in a predictable and constant manner
Fixed delays
Usually carries voice oriented data
Packet Switching:





Packets can use many different dynamic paths to get to the same destination
Supports traffic that is bursty
Variable delays
Usually carries data-oriented information.
Internet, X.25 and Frame Relay are all packet switching networks.
Frame Relay:
Frame relay is a WAN protocol that operates at the data link layer. Frame Relay uses packet
switching technology as an alternative to expensive dedicated lines.
Companies that pay more to ensure a higher level of bandwidth availability pay a
“commited information rate” or CIR.
Virtual Circuits:
Frame relay forwards frames across virtual circuits. These can be permanent meaning they
are programming in advance, or switching means it is built when needed an then torn down.
The PVC (Permanent Virtual Circuit) works like a private line for a customer with a CIR. A
PVC is programmed to ensure bandwidth availability.
X.25
X.25 is an older WAN technology that defined how networks and devices establish and
maintain connections. X.25 is a switching technology.
Data is divided into 128 bytes and encapsulated in HDLC frames (High-level Data Link
Control).
X.25 is slower than frame relay or ATM due to heavy error checking and correction that is
not necessary on more modern networks.
ATM – Asynchronous Transfer Mode:
ATM is another switching technology that uses a cell-switching method instead of packet
switching. Like frame relay, ATM is connection-oriented. Cell switching means that data is
segmented into fixed size cells (53 bytes).
Like Frame Relay, ATM can set up PVCs and SVCs.
SMDS – Switched Multimegabit Data Service:
High speed packet switched technology used to enable customers to extend their LANs
across MANs and WANs. Protocol is connectionless and can provide bandwidth on demand.
SDLC – Synchronous Data Link Control:
Base on networks that use leased lines with permanent physical connections. SDLC is used
mainly for communication to IBM hosts within the SNA architecture.
HDLC – High Level Data Link Control:
Bit-oriented link layer protocol used for transmission over synchronous lines, HDLC is an
extension of SDLC. HDLC provides high throughput because it supports full duplex.
HSSI – High Speed Serial Interface:
Interface used to connect multiplexers and routers to high speed services like ATM and
Frame Relay.
These interfaces define the electrical and physical interfaces to be used by DTE/DCE
devices, thus it works at the physical layer. Developed by CISCO and T3Plus Networking.
Multi-Service Access:
Multi-service acess technologies combine different types of communication categories
(voice, data and video) over one transmission line.
VOIP can be affectd by latency due to internet being packet oriented switching technology
vs circuit switcing. This is referred to as “jittering”.
H.323
Standard that deals with video, audio and data packet-based transmissions where multiple
users can be involved wth the data exchange. H.323 terminals are connected to gateways
or the gateways are connected to PSTN.
Packet switching technologies include X.25, LAPB, FRAME RELAY, ATM and SMDS.
REMOTE ACCESS
Remote access covers technologies that enable remove and home users to access networks.
Dial-up and RAS:
Remote access is usually gained by connecting to a network access server (NAS). NAS acts
as a gateway and end point for a PPP connection.
ISDN:
Integrated services digital network. ISDN breaks the telephone line into different channels
and transmits data in a digital form vs the old analog method. There are 3 types of ISDN
implementation:
BRI: Basic Rate Interface : Operates over existing copper lines in the local lopp and
provides digital voice and data channels. Uses two B channels and 1 D channel.
PRI: Primary Rate Interface: 23 B channels and one D channel operating at 64k. Equivalent
to a T1.
BISDN: Broadband ISDN. Mainly used with backbones over ATM/SONET.
B channels enable data to be transferred.
D channel provides for call setup, error control, caller id and more.
ISDN is a circuit switching point-to-point protocol.
DSL – Digital Subscriber Line:


Uses existing phone lines
Have to be within a 2.5 mail radius of the provider’s equipment.
Cable Modems:



High speed internet access through coaxial and fibre lines.
Bandwidth shares between users in a local area.
Security concerns: Network sniffers on shared medium.
VPN – VIRTUAL PRIVATE NETWORKS
A virtual private network is a secure private connection through a public network or
otherwise unsecure environment. VPNs are often used to provide a connection between two
routers.
Tunneling Protocols:
VPNs use tunnelling protocols to create a virtual path across a network. There are three
main tunnelling protocols used in VPN connections: PPTP, L2TP and IPSEC
PPTP:
Point to point tunnelling protocol. Encapsulation protocol based on PPP. PPTP works at the
data link layer and encrypts and encapsulates packets.
There are a few weaknesses with PPTP. Negotiation information is exchanged in clear text
and can be easily snooped. PPTP is a Microsoft developed protocol.




Designed for client/server connectivitiy
Sets up a single point-to-point connection between two computers
Works at the data link layer
Transmits only over I/P networks
L2F:
Layer 2 Forwarding:



Created before L2TP by Cisco
Merged with PPTP to create L2TP
Provides mutual authentication, but no encryption.
L2TP:
Layer 2 Tunnelling Protocol. L2TP combines L2F with PPTP.



PPTP can only run on top if I/P. L2TP can use other protocols such as IPX and SNA
PPTP is an encryption protocol, L2TP is not. L2TP is often used in conjunction with
IPSEC for security.
L2TP supports TACACS+ and RADIUS, PPTP does not.
IPSEC:






Handles multiple connections at the same time
Provides secure authentication and encryption
Supports only IP networks
Focuses on LAN-LAN communication
Works at network layer --> Security on top of I/P
Can work in tunnel mode where both header and payload are encrypted, or transport
mode where only the payload is encrypted.
PPP:
PPP encapsulates messages and transmits them through an IP network ove a serial line. PPP
supports different authentication methods such as Password Authentication Protocol (PAP),
Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol
(EAP).
PAP, CHAP, EAP:
PAP: Least secure of the three options as credentials are sent in clear text. Also vulnerable
to reply attacks.
CHAP: Uses a challenge/response mechanism instead of sending a username and password.
Client sends host a logon request and the host returns a random “challenge” value. The
challenge is encrypted with the user password and returned to the host. The server
performs the same encryption and determines whether or not there was a match.
CHAP is not vulnerable to “man in the middle” attacks because it continues this
challenge/response activity throughout the connection.
EAP: Extensible Authentication Protocol. EAP is not a specific mechanism like PAP or CHAP
but is more of a framework to allow many different types of authentication mechanism. EAP
extends the authentication possibilities to other methods like one-time passwords, token
cards, biometrics and future mechanisms.
Network and Resource Availability:
Some general guidelines are:




Watch out for single points of failure
Use ISDN or modem backup for WANs
Use UPS’ and RAID (striping and/or mirroring)
Clustering provides for fault tolerance, load balancing and failover.
RAID types:
Raid#
Level 0
Name
Striping
Level 1
Mirroring
Level 2
Level 3
Hamming Code
Parity
Byte Level Parity
Level 4
Block Level Parity
Level 5
Interleave Parity
Level 6
Second Parity Data
Level 7
Level 10
Level 15
Level 1 + Level 0
Level 5 + Level 1
Description
Data is striped over several drives, but there is no
redundant drive. Used for performance enhancement. If one
drive fails, the whole volume is unusable.
Data is written to two drives at once. If one fails, the other
has the same data. This is an expensive option as each
drive has another whole drive with the same information.
Data is striped over all drives at bit level. This array uses 39
drives, 32 for data and 7 for parity. Not used in practice.
Data is striped over all drives, parity is held on just one
drive. If a drive fails, it can be reconstructed from the parity
drive.
Same as level 3 except data is striped in disk sector units
rather than blocks of bits or bytes.
Data is written to disk sector units across all drives. Parity
is written to all drives. There is no single point of failure
because parity is written to all drives. Uses XOR algorithm.
Similar to level 5 but with added fault tolerance – second
set of parity data written to all drives.
Variation of RAID 5 where the array functions as a single
virtual disk in the hardware.
Data is striped across multiple RAID1 pairs.
Two complete RAID5 systems are mirrored for additional
fault tolerance.
WIRELESS TECHNOLOGIES
Broadban wireless occupties band 2 to 24ghz.



IEEE 802.16 deals with wireless MANs
IEEE 802.11 deals with wireless LANs
Higher frequency can carry more data, but a shorter distance
WLANS work in the 2.4 & 5ghz unlicensed bands and there are two IEEE standards, 802.11a
and 802.11b:

802.11a is the latest standard, works in the 5ghz range and provides up to 54mbps

802.11b is in the 2.4ghz range and providers up to 11mbps
801.11 uses Wireless Application Protocol (WAP). WAP uses WML (Wireless Markup
Language) and WMLScript to present web based material. WAP has its own session and
transaction protocols and a transport layer security protocol called WTLS (Wireless
Transport Layer Security).
A WAP gateway is required to translate WAP protocols to the internet. Encrypted data from
a wireless device comes in with WTLS but must be convered into SSL or TLS by the
gateway. For a second or two, the WTLS data will be decrypted for conversion into SSL –
this is referred to as the gap in the wap.
Wireless Technology (Prep Guide):
IEEE 802.11 refers to a family of specifications for wireless LANs. The current 802.11
standard all use CSMA/CD.
802.11: Original wireless LAN standard. 1 or 2mpbs speed in the 2.4ghz band using
DSS or FHSS.
802.11b: 11mpbs (autoslows to 5.5, 2 or 1mpbs based on signal strength). Uses only
DSSS. Also known as wi-fi.
802.11a: Up to 54mbs in the 5ghz range. Uses orthogonal FDM.
802.l11g: 20mbps to 54mpbs in the 5ghz range.
802.11e: Draft standard to provide QOS features and multimedia support.
Spread Spectrum Technology:
Spread Spectrum Technology broadcasts signals over a range of frequencies. Receiving
device must know the correct frequency of the spread spectrum signal being broadcast. Two
spread spectrum technologies currently exist:
Direct-Sequence Spread Spectrum (DSSS): Redundant bit pattern for each bit to be
transmitted – spread over a wide frequency. Because it is spread over the spectrum, the
number of discrete channels in the 2.4ghz band is small.
Frequency-Hopping Spread Spectrum (FHSS): Uses a narrow band carrier that
continually changes frequency in a known pattern. Source and destination devices must be
synchronized to be on the same frequency at the same time.
Both of the above appear as line noise to a non spread-spectrum device.
AD-HOC mode: Access is Peer to peer.
Infrastructure mode: Access is via an access point (wireless hub).
Wireless Application Protocol (WAP):
Wireless application protocol is a set of technologies related to HTML but tailored to small
screens. The most noticeable is HDML: Handheld device markup language.
WAP has 5 layers: Application, session, transaction, security and transport
Application Layer:
Microbrowser, WML (Wireless Markup Language), WMLScript and Wireless Telephony
Applications (WTA)
Session Layer:
Contains the Wireless Session Protocol (WSP) which is similar to HTTP. WSP facilitates
transfer of content between WAP clients and gateway. WSP provides a connection-oriented
mode and a connectionless mode.
Transaction Layer:
Providers the Wireless Transaction Protocol (WTP). Similar functionality to TCP/TP. Reliable
request and response transactions and supports unguaranteed and guaranteed psuh
The transaction layer provides transaction services to WAP and handled acknowledgements.
Security Layer:
The security layer contains WTLS (Wireless Transport Layer Security). WTLS is based on
TLS (similar to SSL) and can be invoked in a manner similar to HTTPS. WTLS provides data
integrity, privacy, authentication and DOS protection.
Transport Layer:
The transport layer suports the Wireless Datagram Protocol (WDP) which provides an
interface to bearers of transportation. The transport layer supports CDPD, GSM, CDMA,
TDMA, SMS and Flex.
Wired Equivalent Privacy (WEP) Encyption:
WEP is an option in 802.11b. It uses a 40-bit shared key, RC4 pseudorandom number
generator and a 24 bit initialization vector. WEP works in the following manner:
1. Checksum of message computed and appended to the message.
2. Shared secret key and initialization vector are fed to the RC4 algorithm to produce a
keystream.
3. The keystream is XORed with the msg and checksum and produces ciphertext.
4. The initialization vector is appended to the ciphertext message and the message is
sent to the recipient.
5. The recipient who has the same secret key generates the same keystream with the
IV.
6. The generated keystream is XORed with the ciphertext to yield the original message.
WEP is not considered secure due to the 40-bit encryption.
DOMAIN 3 – SECURITY MANAGEMENT PRACTICES

Security management includes: Risk management, security practices and security
education.

Security management practices focuses on the continual protection of company
assets.

Management support is one of the most important pieces of a security program.
Three types of control are used to achieve managements goals:
Administrative: Policies, procedures, guidelines, awareness training, personnel
screening, system activity monitoring, change control and configuration management.
Technical: Logical access control mechanisms, password & resource management,
identification and authentication, security devices, network configuration.
Physical: Physical access control, locking systems, removing unnecessary media,
guards, environmental control, perimeter security.
Management (the information owner) creates security directives and classifies data. The
security team implements and enforces the directives.
Security Definitions:
Some commonly used security definitions are:
Vulnerability: Softrware, hardware of procedural weakness that may provide an
attacker the open door he is looking for. Absence or weakness of a safeguard.
Threat: Any potential danger to information or systems.
Risk: Likelihood of a threat agent taking advantage of a vulnerability.
Exposure: An instance of being exposed to losses from a threat agent.
Countermeasure: Hardware, software or procedure that eliminates a vulnerability,
or, reduces the risk of a threat agent being able to exploit it. Is also called a
safeguard.
Risk Management
Risk Analysis is a method of identifying risks and assessing the possible damage that could
be caused in order to justify security safeguards.
Risk management addresses 3 fundamental questions:
Identify assets – What am I trying to protect?
Identify threats – What am I trying to protect against?
Calculating risks – How much time, effort & money am I willing to spend on
adequate protection.
The following issues should be considered when assigning value to information safeguards:










Cost to acquire and develop
Cost to maintain and protect
Value to owners and users
Value to adversaries
Value of intellectual property
Price that others would pay for the asset
Cost to replace if lost
Operational and productivty affected if asset is lost.
Liability issues if assest is compromised.
Usefullness of the asset.
There are 4 basic elements to risk management:




Quantitative risk analysis
Qualitative risk analysis
Asset valuation process
Safeguard selection
Quantitative risk analysis:





Estimate value of assets to be protected.
Identify each threat and corresponding risk
Estimate loss potential of each risk
Estimate possible frequency of threat
Recognize and recommend remedial measures
Quantitive risk analysis involves the following definitions and calculations:
SLE – Single loss expectancy : Dollar amount of potential loss to an organization if
a specific threat too place.
EF – Exposure factor: Percentage of loss a realized threat could have of an asset.
Asset value * Exposure factor (EF) = SLE
ARO – Annualized rate of occurence: Estimated possibility of a specific threat
taking place in a one year timeframe.
ALE – Anualized loss expectancy:
Single loss expectancy (SLE) * Annualzed rate of occurent (ARO) = ALE
Safeguard value: (ALE before safeguard) – (ALE after safeguard) – (Annual cost of
safeguard) = Safeguard value to the company.
Residual Risk: Amount of risk remaining after a safeguard is implemented:
threats * vulnerability * asset value = total risk.
(threats *vulnerability * asset value) * control gap = residual risk.
Asset: Resouce, process, product, infrastructure and any other object that an
organization has determined should be protected.
Qualitative risk analysis:



Walk through different scenarions and rank seriousness of threats or sensititivy of
assets.
Techniques include judgement, intuition and experience.
Some methods are delphi, brainstorming, story boarding, focus groups, surveys,
questionnaires, one-on-one meetings and interviews.
Handling Risk:
Transferring
Rejecting
Reducing
Accepting
:
:
:
:
Insurance
Deny or ignore the risk.
Implementing countermeasures.
Live with the risk.
Policies, Procedures, Standards and Guidelines
Security Policy: General statement produced by senior management.
Issue specific:
System specific:
For example, email, PDA.
Approved software lists, database standards.
Standards: Specify how hardware and software are to be used. Usually mandatory.
Baseline: Minimum level of security necessary throughout the organization.
Standards are usually developed from baselines.
Guidelines: Recommended actions and operational guides. Not mandatory. Provide
direction in policy grey areas.
Procedures: Detailed step by step actions to achieve the tasks necessary for
compliance with standards. Standards as also known as “practices”.
To be effective, each of these needs high visibily, which can be helped be awareness
training, manuals, presentations, legal banners. Can also help with due care and diligence
issues.
Data Classification
The primary purpose of data classification is to indicate the level of confidentiality, integrity
and availability that is required for each type of information.
Classifications:
Commercial
Confidential
Private
Sensitive
Public
Military
Top Secret
Secret
Confidential
Sensitive but unclassified
Public
(Note: Commercial ‘confidential’ information is exempt from FOAI).
Layers of Responsibility:
Data Owner: Senior management, ultimately responsible for protection and use of
data. Determines data classification.
Data Custodian: Responsibility for maintenance and protection of data. Usually IT
department. Makes backups, performs restores, etc.
User: Any individual who routinely uses the data for work related purposes. Also
considered “consumer” of the data.
The necessary pieces that fit together for effective security management practices are:









Data classification
Operational activities
Safeguard selection
Seperation of duties
Management security responsibilities
Guidelines and procedures
Risk assessment
Policies and standards
Security awareness.
The three pillars of security awareness training are: Awareness, Training, Education.
Confidentiality
Integrity
Availability
Disclosure
Alteration
Destruction
Seperation of Duties:
“The principle of seperation of duties is that an organization should carefully seperate
duties, so that people involved with checking for inappropriate use are not also capable of
making such inappropriate use. No person should be responsible for completing a task
involving sensitive, valuable or critical information from beginning to end. Likewise, a single
person must not be responsible for approving their own work”.
Some examples of things that should be seperated are:




development / production
security / audit
account payable / accounts receivable
encryption key management / changing of keys
1. Name the 5 general procedures to implement change control:

Applying to introduce a change




Cataloging the intended change
Scheduling the change
Implementing the change
Reporting the change to appropriate parties
DOMAIN 4 – Application and System Development
“The division between software security and device security deals with providing security at
the beginning stages of software development versus providing devices that protect the
perimeter of networks”.
“If an application fails for any reason, it should resume to a safe state”.
Database Management:
“Database access control can be restricted by only allowing roles”
Database Models:
Relational Database Model: Uses attributes (columns) and tuples (rows) to contain
and organize information. Presents information in the form of tables.
Hierarchical Data Model: Combines records and fields that are related in a logical
tree structure. Used for mapping one-to-many relationships.
Distributed Data Model: Data stored in more than one database, but logically
connected.
Relational Database Components:
Most databases contain the following core functionalities:




Data Definition Language (DDL)
Data Manipulation Language (DML)
Query Language (QL)
Report Generator.
DDL defines the structure and schema of a database.
Data Dictionary: The data dictionary is a central repository of data elements and their
relationships. The Data Dictionary includes definitions of views, data sources, relationships,
tables, indexes, etc. When new tables, new views or new schema are added, the data
dictionary is updated to reflect this.
Integrity:

Can run into concurrency problems. Record locking prevents this.
Database software performs to main types of integrity services:
Semantic Integrity: Makes sure that structural and semantic rules are enforced.
Referential Integrity: No record can contain a reference to a primary key of a nonexisting record or NULL value. Database must also not contain unmatched foreign key
values.
Database Security Issues:
Two main database security issues are aggregation and inference:
Aggregation:
Aggregation is figuring out complete information you dont have access to by using
components of that information you do have access to. The combined information has a
sensitivity that is greater than the sum of the parts.
Queries could be tracked and restricted based on context-dependant classification used to
check what data the users has already accessed.
Inference:
Inference is similar to aggregation and involves the ability to derive information that is not
explicitly available from information that is available. For example, a clerk does not have
access to troop movements but does have access to food and tent deployment.
Again, context-dependant classification rules can help prevent anything that looks like
inference.
Database security looks at the contents of the file rather than the file itself as an operating
system could. This is content-dependant access control which increases processing
overhead but provides more granular control.
Polyinstantiation:
Polyinstantiation enables a relation to contain multiple tuples with the same primary key but
at different security classifications.
System Development
Security management is an important aspect of project management.
The following is a typical list of lifecycle phases:







Project initiation
Functional design, analysis and planning
System design specifications
Software development
Installation / Implementation
Operational Maintenance
Disposal.
System Design Specifications:
Informational, functional and behavioural model information goes into the software design
as requirements. What comes out of the design is data, arhcitectural and procedural design.
Installation / Implementation:

Certification is the process of reviewing and evaluating security controls and is
usually a task assigned to an outside independent reviewer.

Accreditation is the formal acceptance of the system by key management and in
implicit acceptance of risk. Once management accepts the residual risk, they should
issue a formal accreditation statement.

Verification – does the product match the specification?

Validation – Fitness or worth of a software product for its operational mission.
”Verification is doing the job right, Validation is doing the right job”
System Life Cycle Phases:

Project Initiation:
o Concept of project definition
o Proposal and initial study

Functional design analysis and planning
o Requirements uncovered and defined
o SYstem environment specifications determined

System design specifications:
o Functionality design review
o Functionality broken down
o Detailed planning put into place
o Code design

Software development:
o Developing and programming software

Installation
o Product installation and implementation
o Testing and Auditing

Maintenance Support
o Product changes, fixes and minor modifications

Revision and Replacement
o Modifying the product with revisions, or, replacing it completely.
WaterFall Model:
The steps of a typical waterfall model are:






System feasibility
Software plans and requirements
Product design
Detailed design
Code
Integration


Implementation
Operations and Maintenance
Spiral Model:


Angular dimensions represent progress made in completing the phases.
Radial dimension represents cumulative project costs.
The model states that each cycle of the spiral involves the same series of steps for each
part of the project.
Cost Estimation Models:
Basic COCOMO model estimates development effort and cost as a function of the number of
source instructions:
MM = 2.4KDSI (MM = Man months, KDSI = K developed source instructions)
TDEV = 2.5mm
Maintenance:
Maintenance phases can be divided into 3 sub-phases:
1. Request control
2. Change control
3. Release control
Change Control:
Configuration management is the process of controlling the life cycle of an application and
documenting the necessary change control activities. Configuration management is used to
manage changes and new versions of software products. BS7799 addresses configuration
management.
The following definitions are associated with Configuration Management:
Configuration Item (CI): Component whose state is to be recorded.
Version: A recorded specific state of a configuration item.
Configuration: Collection of component configuration items that comprise a configuration
item in some stage of its evolution. Can be recursive.
Building: Assembling a version of a configuration item from component configuration
items.
Build List:
Software Library:
Software Capability Maturity Model (CMM):
The Software CMM is based on the premise that the quality of a software product is a direct
function of the quality of its associated development and maintenance processors.
5 maturity levels are:
Level
Level
Level
Level
Level
1:
2:
3:
4:
5:
Initiating
Repeatable
Defined
Managed
Optimizing
:
:
:
:
:
Good people in place. Processes performed ad-hoc.
Project management processes in place.
Engineering processes and organizational support.
Product and process quantatively controlled.
Continued process improvements. Institutionalized.
The software CMM is a component that supports the concept of continuous process
improvement. This concept is embodied in the SEI process improvement IDEAL model:
Initiate
Diagnose
Establish
Action
Leverage
|
|
| = IDEAL!
|
|
Application Development Methodology
Object-Oriented Concepts:
A shared potion of an object is the interface. The private portion of an object facilitates
data hiding.
Abstraction is the capability to suppress unnecessary details so that the important, inherent
properties can be examined and reviewed.
Polymorphism: An object’s response to a message is defined by the class to which
the object belongs. Different objects can respond to the same input in different ways.
Encapsulation: Hides internal data and operations not exposed via the interface.
Polyinstantiation: Multiple distinct differences between data within objects to
discourage lower level subjects from learning information at a higher level of security.
Inheritance: Shares properties and attributes with subclasses.
Cohesion and Coupling:

Modules should be self contained and perform a single logical function with as little
external help as possible. This is cohesion and the goal for a module is to have high
cohesion.

Modules should not drastically affect the behaviour of each other. This is low
coupling.
ORBs and CORBAs:
The OMA is the Object Management Architecture. ORB manages all communication between
components and enables them to interact an a heterogenous and distributed environment.
ORB is the middleware that established the clent/server relationship between objects.
CORBA provides standard interface definitions between OMG compliant objects.
COM and DCOM:
The component object model (COM) defines how components interact and provides an
architecture for simple IPC. DCOM is a distributed model based on COM. DCOM has a library
that takes care of session handling, synchronization, buffering, fault identification and
handling, and data format translation.
OLE – Object Linking and Embedding:
OLE uses COM as its base and allows objects to be embedded within documents and for
linking different resources and objects.
The capability for one program to call another is called linking.
The capability to put a piece of data inside a foreign program or document is called
embedding.
DDE – Dynamic Data Exchange:
DDE enables different applications to share data by providing IPC. DDE is a communication
mechanism that enables direct connection between two applications.
Distributed Computing Environment (DCE):
DCE is a standard developed by the OSF – Open Software Foundation (also called “the open
group”). DCE is middleware providing RPC service, security services, directory service, time
service and distributed file support.
DCE is a laye of software that sits on top of the network layer.
** DCOM uses a globally unique identifier (GUID).
** DCE uses a universal unique identifier (UUID).
Expert Systems and Knowledge Based Systems:
Expert systems usually consist of two parts, an inference engine and a knowledge base. The
inference engine handles the user interface, external files, scheduling and programaccessing capabilities.
The knowledge engine contains data pertaining to a specific problem or domain.
ANN = Artificial Neural Network.
Malicious Code (MALWARE):
Virus: Infects applications. Main function is to reproduce. Macro viruses are easy to write
and office products are in wide use.
Worms: Reproduce on their own with no need for a host application.
Logic Bomb: Will execute certain code when a specific event happens.
Trojan Horse: Program disguised as another program.
Attacks:
SMURF: Requires an attacker, a victim and an amplifying network. ICMP ECHO packets are
sent to the broadcast address of a large network with the return address spoofed to be that
of the victim. The target network will drown the victim with responses. A counter against
the smurf attack is to disable broadcast packets at the border router.
Fraggle: Similar to SMURF but uses UDP instead of ICMP.
SYN Flood: Repeated SYN packets that will not respond to the SYN/ACK packets.
Teardrop: Send very small packets with invalid fragment offset causing the computer to
freeze or crash.
DOMAINS 5 – CRYPTOGRAPHY
A “substitution cipher” is where one character is replaced with another. “Monoalphabetic”
substitution uses only one alphabet.
The papyrus around the staff is a “scytale” cipher.
Enigma Machine: The crucial and secret part of the process (the key) was how the
operators advanced the rotors when encrypting and decrypting a message.
Cryptography Definitions:
Cryptosytem: A system that provides encryption and decryption
Key: The secret piece of a well known encryption algorithm
Keyspace: Range of values that can be used to construct a key.
Cryptography: The science of encrypting written communication.
Cryptanalaysis: The process of trying to decrypt encrypted data without the key.
Work Factor: Estimate of the effort it would take an attacker to penetrate an encryption
method.
Cryptology: Study of both cryptography and cryptanalysis.
Key Clustering: When two (or more) different keys generate the same ciphertext from the
same plain text, this is known as “key clustering”.
Goals of CryptoSystems:
Confidentiality – Unauthorized parties cannot access the information.
Authenticity – Validating the source of a message.
Integrity – Assurance that a message was not modified during transmission.
Non Repudiation – Sender cannot layer deny sending the message and the receiver
cannot deny receiving it.
Types of Ciphers:
Substitution : Uses a key to know how substitution should be carried out.
Transposition: Permutation is used. Does not replace original text with different text – text
is moved around.
Simple substitution and transposition methods are vulnerable to “frequency analysis”
Running and Concealment Ciphers:
Running Key Cipher: Does not require a key or algorithms, but steps in the physical
world. For example, references to a book. The “key” in this situation is “which book?”
Concealment Cipher: A cipher that hides the message among garbage. For example, have
each word appear every 5th word in a sentence. “Buy gold” might become “Product is a good
buy, it has ten percent gold content”.
Government Involvement with Cryptography:
 Harry Truman created the NSA in 1952.
 In 1993, government introduced the Clipper chip, based on the Skipjack algorithms.
Each chip unit has a key which encrypts a copy of each user’s session key. Each chip
also has a unique serial number and a copy of the unit key is stored in a database under
this serial number. The transmitted message contains a Law Enforcement Access Field
(LEAF) whch contains the serial number of the chip that encrypted the message. The
unit key can be retrieved from the database, used to decrypt the session key which in
turn can be used to decrypt the message.
Weaknesses in the Clipper Chip include:




SkipJack algorithm was never publicly scrutinized and tested
80 bit key is weak by current standards.
16 bit checksum can be defeated
The clipper chip ID tagged and identified every communication session.
Key Escrow:
Unit key split in two and given to two different agencies to maintain. Officer needs a court
order to request the unit key.
Methods of Encryption
Cryptographic algorithms can use either symmetric keys (secret keys) or asymmetric keys
(public keys).
Symmetric Cryptography:





Both parties use the same key for encryption and decryption
Each pair of users exchanging messages needs their own set of keys – key
management becomes a pain.
Initial key exchange needs to be out of band
Because the same keys are used for encryption and decryption, it does not
provide authentication and non-repudiation.
Fast and hard to break when a large key size is used.
The following algorithms all use Symmetric (Secret) Key Cryptography:





Data Encryption Standard (DES)
Triple DES (3DES)
Blowfish
IDEA
RC4, RC5 and RC6
Asymmetric Cryptography:
Each entity has different keys, a private key and a public key. The two keys are
mathematically related, but cannot be derived from one another.
A message can only be decrypted with the public key if it was encrypted with the private
key – provides authentication.
If confidentiality is most important, the sender encrypts with the receiver’s public key and
the message can now only be read with the receiver’s private key. This is called a secure
message format.
If authentication is most important, the sender encrypts with his own private key. The
receiver knows it came from the sender because it can be decrypted with the sender’s
public key. This is known as open message format because anyone with the sender’s
public key can read it.
For a message to be A secure and signed format, the sender should encrypt with his own
private key and then again with the receiver’s public key.
Strengths of Asymmetric cryptography:



Better key distribution than with symmetric systems.
Better scalability than symmetric systems
Can provide confidentiality, authentication and non-repudiation.
Weaknesses:

Works much slower than symmetric systems.
The following are asymmetric key algorithms:





RSA
Ecliptical Curve Cryptosystem (EC)
Diffe-Hellman
El-Gamal
Digital Signature Standard (DSS)
Stream and Block Ciphers:
There are two main types of symmetric algorithms: stream and block ciphers:
Block Cipher: The message is divided into blocks and bits and the blocks are then put
through transposition, substitution and other functions. Block ciphers use confusion and
diffusion in their methods. The key dictates what S-boxes are used and in what order.
Stream Cipher: Entire message is treated as a stream of bits or bytes. Some stram ciphers
use a “keystream generator”. The key provides randomness to the keystream that is applied
to the plaintext.
A strong stream cipher algorithm has the following characteristics:




Long periods of non-repeating patterns within keystreams.
Statisitically unpredictable
Keystreams are not linearly related to the key.
Statistically unbiased – as many 0s as 1s.
Stream ciphers are more suited to hardware encryption because they operate a bit at a
time. Block ciphers are better suited to software based encryption.
Types of Symmetric Encryption Systems
Data Encryption Standard:
DES is a block encryption algorithm using 64-bit blocks. It uses a 64 bit key: 56 bits of true
key and 8 for parity. Characters ar eput through 16 rounds of transposition and substitution.





Devised in 1972 as a derivation of the “Lucifer” system
DES Describes the DEA (Data Encryption Algorithm)
FIPS PUB 46-1 (1977) and ANSI X3.92 (1981)
64bit blocks, 56 bit key and 16 rounds of transformation
Uses confusion and diffusion for encrypting plain text.
Confusion: Conceals statistical connection between ciphertext and plain text. Uses
non-linear substitution boxes (S-Boxes)
Diffusion: Spreads the influence of a plain text character over many ciphertext
characters.
DES has 4 distinct modes of operation:
Electronic Code Book (ECB): Native encryption method for DES. Electronic codebook
literally operates like a code book. For a given block of plaintext and a given key, the same
set of ciphertext is always produced. ECB uses padding to round up to a 64 bit block
boundary. ECB is used for small amounts of data such as challenge-response or key
management. Not good for large amounts of data as patterns would eventually show.
Cipher Block Chaining (CBC) : In Cipher Block Chaining, the value of the previous block
processed is a part of the algorithm and key for the next block, so, patterns are not
revealed. This chaining effect means that a particular ciphertext block is dependant on all
the blocks that came before it, not just the current block.
Cipher Feedback Mode (CFB): Previously generated ciphertext from the last block is input
to the algorithm to generate random values. Another way of chaining blocks together, but
instead of using a value from the previous block, CFB uses the previous block in the
ciphertext and combines it with the next block. This mode is used when encrypting
individual characters is required.
Output Feedback Mode (OFB): Similar to CFB but functions like a stream cipher by
generating a random stream of bits to be combined with the plaintext to create ciphertext.
Simulates a one time pad. Ciphertext is fed back to the algorithm to form a portion of the
next input to encrypt the stream of bits.
Triple DES (3DES):
Encrypting plaintext with one DES key and then encrypting it with a second DES key is no
more secure than using a single DES key, therefore, Triple DES is used to obtain stronger
encryption:
DES-EDE2: 2 keys are used. Encrypt with 1, decrypt with 2 and then encrypt with 1
again.
DES-EEE2: 2 keys used. Encrypt with 1, encrypt with 2, encrypt with 1.
DES-EEE3: 3 keys used. Encrypt with 1, encrypt with 2, encrypt with 3. Most secure,
but requires 3 keys.
Advanced Encryption Standard (AES):
Uses Rjindael block cipher which can use 128, 192 or 256 bit keys. AES itself specifies fixed
block size of 128 bits. AES is the government standard for encrypting SBU information.
The number of rounds of transformation is a function of the key size used:
256 bit – 14 rounds.
192 bit – 12 rounds.
128 bit – 10 rounds.
TwoFish:
128 bit blocks in 16 rounds. Key lengths can be up to 256 bits.
BlowFish:
A block cipher operating on 64 bit blocks with a key length of up to 448 bits. The blocks go
through 16 rounds of crypto functions.
IDEA:
Ideas stands for International Data Encryption Algorithm. It operates on 64 bit blocks and
uses a 128 bit key. Performs 8 rounds on 16 bit sub-blocks. Each 64 bit block is divided into
16 smaller blocks and each block has 8 rounds of mathematical functions performed on it.
IDEA is harder to crack than DES for the same keysize and is used in PGP.
RC5:
Block cipher of variable block length. Key can be 0-2048 bits, blocks can be 32, 64 or 128
bits and the number of rounds can be 0 – 255. Created by Ron Rivest and patented by RSA
data.
Asymmetric Encryption Algorithms
RSA:
Defactor standard for public encryption. Invented by Ron Rivest, Adi Shamir and Leonard
Adleman. Developed at MIT. Security comes from the difficulty of factoring large numbers.
Public and private key are functions of a pair of large prime numbers. RSA is used in many
web browsers with SSL.
El-Gamal:
Based on calculating discrete logarithms in a finite field. El-gamal extended Diffie-Hellman
to apply to encryption and digital signatures.
Elliptical Curve Cryptosystem (ECC):
Provides much of the same functionality as RSA: Digital signatures, secure key distribution
and encryption. ECC is very resource efficient – ideal for smaller devices. ECC providers
higher protection with smaller keys than RSA. An ECC key of 160 bits is equivalent to a
1024-bit RSA key.
Public Key Cryptography:
Public key cryptography uses an asymmetric encryption for key encryption and secret key
encryption for data. We use an asymmetric algorithm to encrypt the secret key.
Diffie-Hellman: Used for key distribution, NOT encryption and decryption. Subjects can
exchange session keys over a non-secure medium without exposing the keys.
Session-Key: “Secret” key used for one data exchange only. Usually randomly generated
then encrypted using public cryptography.
Public Key Infrastructure (PKI):
PKI is an ISO authentication framework that uses public key cryptography and X.509
standard protocols.
PKI provides authentication, confidentiality, non-repudation and message integrity.
The PKI infrastructure contains the pieces that will identify the user, distribute and maintain
keys, distribute and maintain certificates and allow certificate recovation.
Each individual taking part in PKI needs a digital signature signed by a CA. Some wellknown Certification Authorities are Entrust and VeriSign. Revocation is handled by the
certification revocation list (CRL).
PKI is made up of the following entities and functions:










Certification Authorities
Registration Authorities
Certificate Repository
Certificate Revocation System
Key backup and recovery system
Automatic key update
Management of key histories
Cross-certification with other Cas
Time stamping
Client side software
LDAP is the standard format for accessing certification repositories. Availability and Integrity
of LDAP servers is a concern.
ISAKMP: Internet Security Association and Key Management Protocol.
IKE: ISAKMP, Secure Key Exchange Mechanism (SKEME) and Oakley, combined.
In general:



ISAKMP defined the phases for establishing a secure relationship
SKEME describes a secure exchange mechanism
Oakley defined the modes of operation needed to establish a secure
connection.
Message Integrity:
One-Way Hash:
A one-way hash takes a variable length input and produces a fixed-length output, or hash
value. A hash value is also known as a message digest. If a sender only wants a specific
person to view the hash value sent with the message, the value would be encrypted with a
key. This is referred to as the message authentication code. Basically, the MAC is a oneway hash value that is encrypted with a symmetric key.
Digital Signature:
A digital signature is an encrypted hash value. A digital signature provides authentication
because the message digest is encrypted with the sender’s private key.
Overview/review:




A message can be encrypted, providing confidentiality.
A message can be hashed, providing integrity.
A message can be digitally signed, providing authentication and integrity.
A message can be encrypted and signed, providing confidentiality,
authentication and integrity.
Digital Signature Standard – DSS:
The Federal Government requires its departments to use the DSA & SHA. SHA creates a
160-bit output which is then input to DSA which signs the message.
The DSA (Digital Signature Algorithm) can only be used for signatures, not encryption.
Different Hashing Algorithms
Good hash functions should have the following characteristics:




Computed on the entire message, not a part of it.
One-way function so that messages are not disclosed by their signatures.
Should be impossible, given a message and its hash value, to compute
another message with the same hash value.
Should be resistant to birthday attacks – should not be able to find two
messages with the same hash value (collision free).
Some common hashing algorithms include:
MD2: 128 bit hash, slower than MD4 and MD5
MD4: 128 bit hash.
MD5: 128 bit hash. More complex than MD4. Processes text in 512 bit blocks.
HAVAL: Variable length hash. Haval is a modification of the MD5 algorithm with more
protection from common attacks against MD5. Processes text in 1024 bit blocks.
SHA: 160-bit hash value. Used with DSA.
SHA-1: Updated version of SHA.
Attacks against one-way hash functions:
Birthday Attack: Using collusions to reverse engineer hash values. Finding two messages
that produce the same hash value.
One-Time Pad:
A one time pad, implemented correctly, is unbreakable as each pad is used only once. A
non-repeating set of bits are XORed with the message to produce ciphertext. The key is the
same size at the message and the sender and receiver must be perfectly in synch. This
encryption method is not practically used much.
Key Management
Key management causes one of the biggest headaches in encryption implementation. RSA
and Diffie Hellman are key exchange protocols.
General rules for keys and key management include:







Key length should be enough to provide the necessary level of protection.
Keys should be stored and transmitted by secure means.
Keys should be extremely random and use full spectrum of the keyspace
Key lifetime should correspond with the sensitivity of the data it is protecting.
The more the key is used, the shorter its lifetime should be.
The key should be backed up or escrowed in case of emergencies.
The key should be properly destroyed once its lifetime comes to an end.
Link Vs End to End Encryption
Advantages of end-to-end encryption:




Protects information from start to finish
More flexibility for the user in choosing what gets encrypted and how
Higher granularity of encryption is available because each application or user
can choose a different key.
Each hop on the network does not need to have a key to decrypt each packet.
Disadvantages of end-to-end encryption:


Headers, addresses and router information is not encrypted and therefore not
protected.
Destination needs to have same encryption mechanisms to properly decrypt
the message.
Advantages of link (lower layer) encryption:


All data is encrypted, including headers, addresses and routing information.
Users do not need to do anything to initiate it.
Disadvantages of link encryption:


Each hop must have a key, making key distribution and management more
complex.
Messages are decrypted at each hop, thus more points of vulnerability.
Email Standards
Privacy Enchanced Email (PEM):
PEM is a series of message authentication and encryption procedures developed by several
governing groups. Primary features are:




Messages are encrypted with DES in CBC mode.
Authentication is provided by MD2 or MD5
Public key management using RSA
X.509 standard for certification structure and format.
Message Security Protocol (MSP):
MSP is the military’s PEM. It was developed by the NSA and is an X.400 compatible
application layer protocol.
Pretty Good Privacy (PGP):
PGP uses RSA public key encryption for key management, IDEA for bulk encryption of data
and MD5 for authenticity. PGP does not use Certification Authorities but relies instead on a
“web of trust”.
Internet Security
“The web is not the internet. The web runs on top of the internet.”
S-HTTP:
Secure Hypertext Transport Protocol. In this protocol, the client and server agree on a
protection method and then the client sends the server its public key. The server generates
a session key, encrypts it with the client public key and sends it back. S-HTTP maintains an
option connection for the duration of the session.
SSL:
SSL is similar to S-HTTP but protect the communication channel itself instead of individual
messages. The server sends a message to the client that a secure session is required and
the client sends its public key and security requirements back to the server. The server
compares the security parameters with its own to find a match and then sends the client a
digital certificate. If the client trusts the certificate, the process continues. SSL keeps the
communication path open.
MIME: Multipurpose Internet Mail Extension:
If a message or document contains a multimedia attachment, MIME dictates how that
portion of the message should be handled.
S/MIME:
S/MIME is a standard for encrypting and digitally signing mail that contains attachments.
SET – Secure Electronic Transaction:
Security technology proposed by Visa and Mastercard for more secure online credit card
transactions. Suppliers never see the credit card information.
Cookies:
Sometimes cookies can contain login and password information that is either not encrypted
or encrypted weakly. This is a vulnerability.
Secure Shell (SSH):
SSH functions as a type of tunneling mechanism that provides terminal like access to
remote computers.
IPSEC (Internet Protocol Security):
The IPSEC protocol is a method of setting up a secure channel for protected data exchange
between two devices. IPSEC is a widely accepted standard for secure network layer
transport. It is usually used to establish VPNs.
IPSEC uses two basic protocols: Authentication Header (AH) and Enscapsulating security
Payload (ESP).
IPSEC works on one of two modes:
Tunnel Model: only the payload is encrypted.
Transport Mode: payload, routing and header information are all encrypted.
Each device has one security association (SA) for each session connection, one for
inbound and one for outbound. The SA contains the configuration that the device needs to
know about. Each device has a security parameter index that keeps track of each SA.
When a packet is received, the steps are:
1. Identify appropriate SA, secret key and algorithm.
2. Calculate hash value of the packet to authenticate source and verify data integrity.
3. Authenticate the source.
4. Identify correct cryptographic algorithm (DES or 3DES) and secret key.
5. Decrypt the message.
ISAKMP: Internet Security Associated and Key Management Protocol.
Cryptography Attacks
The following sections go over active attacks that can relate to cryptography:
Ciphertext Only Attack: Attacker has the ciphertext of several messages encrypted using
the same algorithm.
Known Plaintext Attack: Attacker has plaintext and ciphertext of one or more messages.
The goal is to discover the key used to encrypt the messages.
Chosen Plaintext Attack: Attacker has plaintext and ciphertext and can choose the
plaintext that gets encrypted.
Chosen Ciphertext Attack: Attacker can choose ciphertext to be decrypted and has access
to the decrypted plaintext.
Man-in-the-middle attack:
Intercepting public key and replacing it with your own, and then intercepting subsequent
messages intended for someone else. Using digital signatures during session-key exchange
can circumvent man in the middle attacks.
Dictionary attack:
Running dictionaries of words through one-way HASH functions to see if the hash value
matches what you have. Common method of cracking Unix passwords.
Replay attacks:
When an attacker copies a ticket, breaks the encryption and tries to impersonate the client
by resubmitting the ticket at a later time. Kerberos is particularly vulnerable to this type of
attack.
Timestamps and sequence numbers are two common counter-measures to replay
vulnerabilities.
Wireless Security
Wireless Application Security (WAP):
WAP is a set of protocols that cover layer 7 to layer 3 of the ISO model. The WAP protocol
stack contains the following:


Wireless Markup Language (WML)
Wireless Application Environment (WAE)




Wireless
Wireless
Wireless
Wireless
Session Protocol (WSP)
Transport Protocol (WTP)
Transport Layer Security Protocol (WTLS)
Datagram Protocol (WDP)
WTLS provides 3 classes of security:
Class 1: Anonymous authentication. Neither client or server is certain of the identify of the
other.
Class 2: Server authentication.
Class 3: Two-way client and server authentication.
HDML: Handheld device markup language is a simple alternative to WML.
C-HTML: Compact HTML, widely used in Japan.
Wired Equivalent Privacy:
Secret key shared between clients and access points. Must have the shared key to associate
with the access point.
WEP uses the RC4 variable key-size stream cipher encryption algorithm. RC4 was developed
in 1987 by Ronald Rivest and operates in output feedback mode.
Security of the WEB algorithm is weak, in the native 40-bit and even the 128 bit versions.
Domain 6 - Security Architecture and Models
A security model is a statement that outlines the requirements necessary to properly
support a certain security policy.
“Security is best if it is built into the foundation of operating systems and applications”
Computer Architecture
CPU: Contains ALU, Control Unit and primary storage.
Protection Rings: Operating system concept. Inner rings have most privileges. Inner rings
can directly access outer rings, but not vice versa. A typical arrangement might be:
Ring
Ring
Ring
Ring
0
1
2
3
:
:
:
:
Operating system & Kernel
Remaining parts of operating system
I/O drives and utilities
Applications and programs.
MITs MULTICS is an example of an operating system using this concept.
Operating Systems
Operating systems can be in one of several states:
Ready
: Ready to resume processing
Supervisory : Executing a highly privileged routine
Problem State: Executing an application (working on a problem)
Wait State
: Waiting for a specific event to complete or resource to become free.
An operating system implements security using many mechanisms, including:





Protection Rings
Mapping Memory
Implementing virtual machines
Working in different states
Assigning trust levels to each process
Process Vs Thread
A process is a program in execution with its own address space. Threads are pieces of code
executed within a process.
Memory Addressing Modes
Register: Addresses registers within the CPU.
Direct: Actual addresses. Usually limited to current memory page.
Absolute: Address of all primary memory space. Can hit any memory address
directly.
Indexed: Adding contents of addresses in programs instruction to that of a memory
(index) register.
Implied: Operations internal to the processor, such as clearing of a carry bit.
Indirect: The address specified in the instruction contains the address where the
actual data can be found.
Processing Methods
Some methods to improve system performance at the hardware level are:
Pipelining: Overlapping the steps of different instructions to run close to concurrently.
CISC: Complex Instruction Set Computer. In earlier technologies, the “fetch” cycle was the
slowest port. By packing instructions wtih several operations, number of fetches were
reduced.
RISC: Reduced instruction set computer. Instructions are simple and require fewer clock
cycles.
Scalar Processor: One instruction at a time.
Superscalar Processor: Enabled concurrent execute of multiple instructions in some
pipeline stage.
Very Long Instruction Word (VLIW) Processor: A single instruction specifies more than
one concurrent operation.
System (Security) Architecture
Some of the biggest questions in systems security architecture are:

Where should the protection take place? User’s end? Where the data is
stored? Restricting user activites?

At which layers should mechanisms be implemented? Hardware, kernel, o/s,
services or program layers?
“The more complex a security mechanism becomes, the less assurance it provides” ->
Functionality and Assurance Compromise.

What system mechanisms need to be trusted? How can these entities
interract in a secure manner?
Some important terms and definitions relating to system architecture are:
Trusted Computer Base: Combination of protection mechanisms within a system,
including hardware, software and firmware. Not every part of a system needs to be trusted
and therefore do not fall under the TCB.
Reference Monitor: Abstract system concept that mediates all access the subjects have to
objects. This is a concept, not a component.
Security Kernel: Hardware, firmware and software that fall under the TCB and implement
the reference monitor concept. The security kernal is the core of the TCB. The security
kernal must:



Mediate all access to objects in the system.
Be protected from modification
Be verified as correct.
Domains: Set of objects that a subject can access. Domains have to be identified,
seperated and strictly enforced.
Resource Isolation: Enables each subject and object to be uniquely identified, permissions
and rights to be assigned independantly, accountability to be enforceable and activities to
be tracked precisely.
“Security policies that prevent information from flowing from a high security level to a lower
security level are multilevel security policies.”
“The execution and memory space assigned to each process is called a protection
domain.”
Virtual Machine Monitor: Each “machine” runs at a different security level.
Security Models:
“A model is a symbolic representation of a policy. It maps the desires of the policy into a set
of rules to be followed by a computer system.”
“Security policy provides the abstract goals, the security model defines the dos and donts to
achieve those goals”
Bell-LaPadula Model:
Developed by the military in the 1970s to address leakage of classified information. Main
goal is confidentiality. A system using the Bell-LaPadula model would be classified as a
multi-level security system. The Bell-LaPadula is a state machine model, and could also be
categorized as an information flow model.
Simple Security Rule : Cannot read data at a higher level.
Star (*) Property: Cannot write data to a lower level.
Bell-LaPadula also uses a discretionary access control matrix to handle exceptions. This may
allow a trusted subject to violate the *-property, but not its intent. IE, a low-sensitivity
paragraph in a higher level document being moved to a low-sensitivity document is ok, but
might require an override of the * property.
Criticisms of Bell-LaPadula:




Only deals with confidentiality, not integrity.
Does not adress acess control management.
Does not address covert channels.
Does not adress file sharing in more modern systems.


Secure state transition is not explicitly defined.
Only addresses multi-level security policy type.
Biba Model:
The Biba model is also a state machine model and similar to Bell-LaPadula, except is
addresses data integrity rather than data confidentiality. The data integrity is characterized
by three goals:
1. Protection from modification by unauthorized users.
2. Protection from unauthorized modification by authorized users.
3. Internally and externally consistent.
The following rules of the Biba model implement these goals:
Simple Integrity Axiom: No read down.
Star (*) Integrity Axiom: No writing up.
Subjects at one level of integrity cannot invoke an object or subject at a higher level
of integrity.
Clark-Wilson Model:
The Clark-Wilson model takes a different approach to protecting integrity. Users cannot
access objects directly, but must go through programs that control their access.
“Usually in an information flow model (Bell-LaPadula and Biba), information can flow from
one level to another until a restricted operation is attempted. At this point, the system
checks an access control matrix to see if the operation has been explicity permitted”.
The Clark-Wilson model defines the following terms:
Constrained Data Item (CDI): Data item whose integrity is to be protected.
Integrity Verification Procedure (IVP): Program that verifies integrity of CDI.
Transformation Procedure (TP):
Unconstrained Data Item: Data outside of the control of the model. For example,
input data.
Information Flow Models:
Each object is assigned a security class or value. Information is constrained to flow only in
the directions permitted by the security policy.
Security Modes of Operation
The “mode of operation” defines the security conditions under which the system actually
functions:
Dedicated Security Mode: ALL users have the clearance and the “need to know” to all the
data within the system.
System-High Security Mode: All users have clearance and authorization to access the
information in the system, but not necessarily a need to know.
Compartmented Security Mode: All users have the clearance to all information on the
system but might not have need to know and formal access approvial. Users can access a
compartment of data only.
Multilevel Security Mode: Permits two or more classification levels of information to be
processed at the same time. Users do not have clearance for all of the information being
processed.
Limited Access: Minimum user clearance is “not cleared” and the maximum data
classification is “sensitive but unclassified”.
Controlled Access: Limted amount of trust placed on system hardware and software.
Trust – assurance of trust implies a much deeper knowledge of the building process, etc.
Systems Evaluation Methods
The “Orange” Book:
The US Dept of defence developed TCSEC (Trusted Computer Systems Evaluation Criteria)
to provide a graded classification for computer system security. The graded classification
hierarchy is:
A – Verified Protection
B – Mandatory Protection
C – Discretionary Protection
D – Minimal Security
The evaluation criteria involves 4 main area: Security, Polciy, Accountabilty and Assustance
and Testing, but these break down into 7 specific areas:
1. Security policy – explicit, well defined, enforced by mechanisms in the system
itself.
2. Identification – individual subjects must be uniquely identified in the system.
3. Labels – labels must be associated with individual objects.
4. Documentation – test, design and specification documentation. User guides and
manuals.
5. Accountability – audit data is captured and protected. Relies on identification.
6. Life Cycle Assurance – Software, hardware and firmware can be tested
individually to ensure that each enforces security policy.
7. Continuous Protection – Ongoing review and maintenance of the security.
Products for evaluation under TCSEC are submitted to the National Computer Security
Center (NCSC). The Trusted Products Evalation Program (TPEP) puts successfully evaluated
products on the Evaluated Product List – EPL.
TCSEC Ratings:
Division D : Minimal Protection
All systems that fail to meet the requirements of the higher divisions fall under this
category.
Division C : Discretionary Protection
C1: Discretionary Security Protection




Based on individuals and/or groups.
Identification and authorization of individual entities.
Protected execution domain for privileges processes.
Design, test and user documentation.
C2: Controlled Access Protection
 Security relevent events are audited.
 Object reuse concept must be invoked (including memory)
 Strict login procedures.
The C2 rating is the most reasonable class for commercial applications.
Division B : Mandatory Protection
Division B enforces mandatory protection by the use of security labels and the reference
monitor concept.
B1 : Labelled Security
 Each object must have a classification label and each user must have a
clearance label.
 Security labels are mandatory in class “B”
B2 : Structured Protection
 System design and implementation are subject to a more thorough review and
testing process.
 Well-defined interfaces between system layers.
 Covert stoage channels are addressed.
 Trusted path required for login and authentication.
 Seperation of operator and administrator functions.
B3 : Security Domains
 More granularity in each protection mechanism
 Code not necessary to support the security policy is excluded from the system.
 Reference monitor component must be small enough to be isolated and tested
fully.
 System fails to a secure state.
Division A : Verified Protection
Formal methods are used to ensure that all subjects and objects are controlled.
A1 : Verified Design
 Feature and architectures are not much different than B3, the difference is in
the development process.
 Assurance is higher because the formality in the way the system was designed
and built is much higher.
 Stringent change and configuration management.
Summary of Ratings:
D – Minimal Protection
C – Discretionary protection
C1 : Discretionary Security Protection
C2 : Controlled Access Protection
B – Mandatory Protection
B1 : Labelled Security
B2 : Structured Protection
B3 : Stuctured Domains
A – Verified Protection
A1 : Verified Design
The Red Book:
TNI (Trusted Network Interpretation). The red book is an interpretation of the Orango book
for networks and network components. The Red Book TNI ratings are:




None
C1 – Minimum
C2 – Fair
B2 – Good
DITSCAP
Defense Information Technology Security Certification and Accreditation Process. Has 4
phases:
1.
2.
3.
4.
Definition
Verification
Validation
Post Accreditation
NIACAP
National Information Assurance Cerficiation and Accreditation Process. Has several types of
accreditation
Side Accreditation: Applications and systems at a self-contained location.
Type Accreditation: An application or system distributed to a number of different
locations.
System Accreditation: Major application or general support system.
CIAP
Commercial Information Security Assessment Process – in development.
ITSEC – Information Technology Security Evalation Criteria
This accreditation system is used in Europe. Two main elements of a system are evaluated
by ITSEC or TCSET: Functionality and Assurance.
Two systems with the same functionality can have different assurance levels. ITSEC
seperates these two elements and rates them seperately. In ITSEC, F1 to F10 rate the
functionality and E0 through E6 rate the assurance:
ITSEC
E0
F1 + E1
F2 + E2
F3 + E3
F4 + E4
F5 + E5
F5 + E6
F6
F7
F8
F9
F10
TCSEC
D0
C1
C2
B1
B2
B3
A1
High Integrity
High Availability
Data Integrity during communication
High Confidentiality (encryption)
Networks with high demands on confidentialy and integrity.
Security products or systems are referred to as TOE – Target of Evaluation.
10 functionality classes – F
8 Assurance Levels - Q
7 correctness levels - E
CTCPEC
Canadian Truster Computer Product Evaluation Criteria
COMMON CRITERIA
Internation standard evaluation criteria, initiated by ISO in 1990 and started in 1993.
One specific set of classifications, internationally recognized. Evaluates a product against a
“protection profile” which is structured to address specific security problems.
A product is assigned an EAL – Evaluation Insurance Level – EAL1 – EAL7.
Similar to other criteria, the common criteria answers two basic questions:
1. What does it do? (funcionality)
2. How sure are you? (assurance)
The protection profile contains:





Descriptive elements
Rationale
Functional Requirements
Development Assurance Requirements
Evaluation Assurance Requirements
Certification: Technical evaluation of security components and their compliants for the
purpose of accreditation.
Accreditation: Formal acceptnace of the system’s overall adequacy by management. Based
partly on certification information.
SSE-CMM : System Security Engineering, Capability Maturity Model
Based on the premise “If you can guarantee the quality of the processes that are used by an
organization, you can guarantee the quality of the products and services generated by those
processes.”
Two dimensions are used to measure the capability of an organization to perform specific
activies. The two dimensions are domain and capability.
Domain: All the practices that collectively define security engineering.
Base practices: Related base practices are grouped into Process Areas (PAs)
Capability: Practices that indicate process management and institutionalization capability.
Generic Pratices (GPs).
The GPs represent activities that should be performed as part of BPs.
In the domain dimension, SSE-CMM defeined 11 security engineering process areas and 11
administrative process areas.
Threats:
Some threats to security models and architectures are:
Covert Channels: Information flow not controlled by the security mechanism.


Covert timing channel
Covert storage channel.
Addresses in TCSEC B2 and higher.
Back Doors: Also known as maintenance hooks / trapdoors.
Timing Issues: Also known as ‘asynchronous attack’. Deals with the timing different in the
sequence of steps a system uses to complete a task.
Time of Check vs Time of Use (TOC/TOU) – Also known as “race conditions”
Buffer Overflows: “Smashing the stack”.
Each of these can lead to a violation of the system security policy.
Recovery Procedures:
The system must recover/restart from an error in a secure state – maintenance mode:
access only by privileged users from privileged terminals.
Failsafe: Program execution terminated, system protected from compromise.
Failsoft (resilient): Non-critical processing is terminated.
Failover: Switching to duplicate (hot) backup in realtime.
Cold start: System cannot be restored to a known secure state.
Domain 6 - Security Architecture and Models
A security model is a statement that outlines the requirements necessary to properly
support a certain security policy.
“Security is best if it is built into the foundation of operating systems and applications”
Computer Architecture
CPU: Contains ALU, Control Unit and primary storage.
Protection Rings: Operating system concept. Inner rings have most privileges. Inner rings
can directly access outer rings, but not vice versa. A typical arrangement might be:
Ring
Ring
Ring
Ring
0
1
2
3
:
:
:
:
Operating system & Kernel
Remaining parts of operating system
I/O drives and utilities
Applications and programs.
MITs MULTICS is an example of an operating system using this concept.
Operating Systems
Operating systems can be in one of several states:
Ready
: Ready to resume processing
Supervisory : Executing a highly privileged routine
Problem State: Executing an application (working on a problem)
Wait State
: Waiting for a specific event to complete or resource to become free.
An operating system implements security using many mechanisms, including:





Protection Rings
Mapping Memory
Implementing virtual machines
Working in different states
Assigning trust levels to each process
Process Vs Thread
A process is a program in execution with its own address space. Threads are pieces of code
executed within a process.
Memory Addressing Modes
Register: Addresses registers within the CPU.
Direct: Actual addresses. Usually limited to current memory page.
Absolute: Address of all primary memory space. Can hit any memory address
directly.
Indexed: Adding contents of addresses in programs instruction to that of a memory
(index) register.
Implied: Operations internal to the processor, such as clearing of a carry bit.
Indirect: The address specified in the instruction contains the address where the
actual data can be found.
Processing Methods
Some methods to improve system performance at the hardware level are:
Pipelining: Overlapping the steps of different instructions to run close to concurrently.
CISC: Complex Instruction Set Computer. In earlier technologies, the “fetch” cycle was the
slowest port. By packing instructions wtih several operations, number of fetches were
reduced.
RISC: Reduced instruction set computer. Instructions are simple and require fewer clock
cycles.
Scalar Processor: One instruction at a time.
Superscalar Processor: Enabled concurrent execute of multiple instructions in some
pipeline stage.
Very Long Instruction Word (VLIW) Processor: A single instruction specifies more than
one concurrent operation.
System (Security) Architecture
Some of the biggest questions in systems security architecture are:

Where should the protection take place? User’s end? Where the data is
stored? Restricting user activites?

At which layers should mechanisms be implemented? Hardware, kernel, o/s,
services or program layers?
“The more complex a security mechanism becomes, the less assurance it provides” ->
Functionality and Assurance Compromise.

What system mechanisms need to be trusted? How can these entities
interract in a secure manner?
Some important terms and definitions relating to system architecture are:
Trusted Computer Base: Combination of protection mechanisms within a system,
including hardware, software and firmware. Not every part of a system needs to be trusted
and therefore do not fall under the TCB.
Reference Monitor: Abstract system concept that mediates all access the subjects have to
objects. This is a concept, not a component. In order for a reference monitor to be trusted:

It must be tamperproof (isolation)


It must be invoked for all access requests to an object – there must be no
path that can by bypass the reference monitory (completeness)
Must be small enough for thorough validation (verifiability)
Security Kernel: Hardware, firmware and software that fall under the TCB and implement
the reference monitor concept. The security kernal is the core of the TCB. The security
kernal must:



Mediate all access to objects in the system.
Be protected from modification
Be verified as correct.
Domains: Set of objects that a subject can access. Domains have to be identified,
seperated and strictly enforced.
Resource Isolation: Enables each subject and object to be uniquely identified, permissions
and rights to be assigned independantly, accountability to be enforceable and activities to
be tracked precisely.
“Security policies that prevent information from flowing from a high security level to a lower
security level are multilevel security policies.”
“The execution and memory space assigned to each process is called a protection
domain.”
Virtual Machine Monitor: Each “machine” runs at a different security level.
Security Models:
“A model is a symbolic representation of a policy. It maps the desires of the policy into a set
of rules to be followed by a computer system.”
“Security policy provides the abstract goals, the security model defines the dos and donts to
achieve those goals”
Bell-LaPadula Model:
Developed by the military in the 1970s to address leakage of classified information. Main
goal is confidentiality. A system using the Bell-LaPadula model would be classified as a
multi-level security system. The Bell-LaPadula is a state machine model, and could also be
categorized as an information flow model.
Simple Security Rule : Cannot read data at a higher level.
Star (*) Property: Cannot write data to a lower level. Confinement property.
Bell-LaPadula also uses a discretionary access control matrix to handle exceptions. This may
allow a trusted subject to violate the *-property, but not its intent. IE, a low-sensitivity
paragraph in a higher level document being moved to a low-sensitivity document is ok, but
might require an override of the * property.
Criticisms of Bell-LaPadula:






Only deals with confidentiality, not integrity.
Does not adress acess control management.
Does not address covert channels.
Does not adress file sharing in more modern systems.
Secure state transition is not explicitly defined.
Only addresses multi-level security policy type.
Biba Model:
The Biba model is also a state machine model and similar to Bell-LaPadula, except is
addresses data integrity rather than data confidentiality. The data integrity is characterized
by three goals:
4. Protection from modification by unauthorized users.
5. Protection from unauthorized modification by authorized users.
6. Internally and externally consistent.
The following rules of the Biba model implement these goals:
Simple Integrity Axiom: No read down.
Star (*) Integrity Axiom: No writing up.
Subjects at one level of integrity cannot invoke an object or subject at a higher level
of integrity.
Clark-Wilson Model:
The Clark-Wilson model takes a different approach to protecting integrity. Users cannot
access objects directly, but must go through programs that control their access.
“Usually in an information flow model (Bell-LaPadula and Biba), information can flow from
one level to another until a restricted operation is attempted. At this point, the system
checks an access control matrix to see if the operation has been explicity permitted”.
Unlike Biba, the Clark-Wilson model addresses all three integrity goals:



Preventing unauthorized users from making modifications.
Maintaining internal and external consistency
Preventing authorized users from making improper modifications.
The Clark-Wilson model defines the following terms:
Constrained Data Item (CDI): Data item whose integrity is to be protected.
Integrity Verification Procedure (IVP): Program that verifies integrity of CDI.
Transformation Procedure (TP):
Unconstrained Data Item: Data outside of the control of the model. For example,
input data.
Information Flow Models:
Each object is assigned a security class or value. Information is constrained to flow only in
the directions permitted by the security policy.
Security Modes of Operation
The “mode of operation” defines the security conditions under which the system actually
functions:
Dedicated Security Mode: ALL users have the clearance and the “need to know” to all the
data within the system.
System-High Security Mode: All users have clearance and authorization to access the
information in the system, but not necessarily a need to know.
Compartmented Security Mode: All users have the clearance to all information on the
system but might not have need to know and formal access approval. Users can access a
compartment of data only.
Multilevel Security Mode: Permits two or more classification levels of information to be
processed at the same time. Users do not have clearance for all of the information being
processed.
Limited Access: Minimum user clearance is “not cleared” and the maximum data
classification is “sensitive but unclassified”.
Controlled Access: Limited amount of trust placed on system hardware and software.
Trust – assurance of trust implies a much deeper knowledge of the building process, etc.
Systems Evaluation Methods
The “Orange” Book:
The US Dept of defense developed TCSEC (Trusted Computer Systems Evaluation Criteria)
to provide a graded classification for computer system security. The graded classification
hierarchy is:
A – Verified Protection
B – Mandatory Protection
C – Discretionary Protection
D – Minimal Security
The evaluation criteria involves 4 main area: Security, Policy, Accountability and Assurance
and Testing, but these break down into 7 specific areas:
8. Security policy – explicit, well defined, enforced by mechanisms in the system
itself.
9. Identification – individual subjects must be uniquely identified in the system.
10. Labels – labels must be associated with individual objects.
11. Documentation – test, design and specification documentation. User guides and
manuals.
12. Accountability – audit data is captured and protected. Relies on identification.
13. Life Cycle Assurance – Software, hardware and firmware can be tested
individually to ensure that each enforces security policy.
14. Continuous Protection – Ongoing review and maintenance of the security.
Products for evaluation under TCSEC are submitted to the National Computer Security
Center (NCSC). The Trusted Products Evaluation Program (TPEP) puts successfully
evaluated products on the Evaluated Product List – EPL.
TCSEC Ratings:
Division D : Minimal Protection
All systems that fail to meet the requirements of the higher divisions fall under this
category.
Division C : Discretionary Protection
C1: Discretionary Security Protection




Based on individuals and/or groups.
Identification and authorization of individual entities.
Protected execution domain for privileges processes.
Design, test and user documentation – life cycle assurance through security
testing.
 Documentation to include Security feature’s user guide and trusted facility
manual.
C2: Controlled Access Protection
 Security relevant events are audited.
 Object reuse concept must be invoked (including memory)
 Strict login procedures.
The C2 rating is the most reasonable class for commercial applications.
Division B : Mandatory Protection
Division B enforces mandatory protection by the use of security labels and the reference
monitor concept.
B1 : Labeled Security
 Each object must have a classification label and each user must have a
clearance label.
 Security labels are mandatory in class “B”
 Mandatory access control for a defined subset of subjects and objects.
B2 : Structured Protection
 System design and implementation are subject to a more thorough review and
testing process.
 Well-defined interfaces between system layers.
 Covert storage channels are addressed.
 Trusted path required for login and authentication.
 Separation of operator and administrator functions (trusted facility
management)
 Mandatory access control for all subjects and objects.
 Formal policy model, structured design and configuration management.
B3 : Security Domains
 More granularity in each protection mechanism
 Code not necessary to support the security policy is excluded from the system.
 Reference monitor component must be small enough to be isolated and tested
fully.
 System fails to a secure state.
Division A : Verified Protection
Formal methods are used to ensure that all subjects and objects are controlled.
A1 : Verified Design
 Feature and architectures are not much different than B3, the difference is in
the development process.
 Assurance is higher because the formality in the way the system was designed
and built is much higher.
 Stringent change and configuration management.
 Format methods of covert channel analysis.
Summary of Ratings:
D – Minimal Protection
C – Discretionary protection
C1 : Discretionary Security Protection
C2 : Controlled Access Protection
B – Mandatory Protection
B1 : Labeled Security
B2 : Structured Protection
B3 : Structured Domains
A – Verified Protection
A1 : Verified Design
The Red Book:
TNI (Trusted Network Interpretation). The red book is an interpretation of the Orange book
for networks and network components. The Red Book TNI ratings are:




DITSCAP
None
C1 – Minimum
C2 – Fair
B2 – Good
Defense Information Technology Security Certification and Accreditation Process. Has 4
phases:
5.
6.
7.
8.
Definition
Verification
Validation
Post Accreditation
NIACAP
National Information Assurance Cerficiation and Accreditation Process. Has several types of
accreditation
Side Accreditation: Applications and systems at a self-contained location.
Type Accreditation: An application or system distributed to a number of different
locations.
System Accreditation: Major application or general support system.
CIAP
Commercial Information Security Assessment Process – in development.
ITSEC – Information Technology Security Evalation Criteria
This accreditation system is used in Europe. Two main elements of a system are evaluated
by ITSEC or TCSET: Functionality and Assurance.
Two systems with the same functionality can have different assurance levels. ITSEC
seperates these two elements and rates them seperately. In ITSEC, F1 to F10 rate the
functionality and E0 through E6 rate the assurance:
ITSEC
E0
F1 + E1
F2 + E2
F3 + E3
F4 + E4
F5 + E5
F5 + E6
F6
F7
F8
F9
F10
TCSEC
D0
C1
C2
B1
B2
B3
A1
High Integrity
High Availability
Data Integrity during communication
High Confidentiality (encryption)
Networks with high demands on confidentialy and integrity.
Security products or systems are referred to as TOE – Target of Evaluation.
10 functionality classes – F
8 Assurance Levels - Q
7 correctness levels - E
The ITSEC assurance classes are:
E0 : Inadequate assurance to quality for E1.
E1 : Informal definition of TOE architectural design. TOE satisfies functional testing.
E2 : E1 + information description of detailed design. Configuration control and
approved distribution procedure.
E3 : E2 + source code and/or drawing have been evaluated.
E4 : E3 + a formal model of security policy.
E5 : E4 + close correspondence between detailed design and source code/drawings.
E6 : E5 + Formal specification of security enforcing functions. Consistency with formal
security policy model.
CTCPEC
Canadian Truster Computer Product Evaluation Criteria
COMMON CRITERIA
Internation standard evaluation criteria, initiated by ISO in 1990 and started in 1993.
One specific set of classifications, internationally recognized. Evaluates a product against a
“protection profile” which is structured to address specific security problems.
A product is assigned an EAL – Evaluation Insurance Level – EAL1 – EAL7.
Similar to other criteria, the common criteria answers two basic questions:
3. What does it do? (funcionality)
4. How sure are you? (assurance)
The protection profile contains:





Descriptive elements
Rationale
Functional Requirements
Development Assurance Requirements
Evaluation Assurance Requirements
Certification: Technical evaluation of security components and their compliants for the
purpose of accreditation.
Accreditation: Formal acceptnace of the system’s overall adequacy by management. Based
partly on certification information.
SSE-CMM : System Security Engineering, Capability Maturity Model
Based on the premise “If you can guarantee the quality of the processes that are used by an
organization, you can guarantee the quality of the products and services generated by those
processes.”
Two dimensions are used to measure the capability of an organization to perform specific
activies. The two dimensions are domain and capability.
Domain: All the practices that collectively define security engineering.
Base practices: Related base practices are grouped into Process Areas (PAs)
Capability: Practices that indicate process management and institutionalization capability.
Generic Pratices (GPs).
The GPs represent activities that should be performed as part of BPs.
In the domain dimension, SSE-CMM defeined 11 security engineering process areas and 11
administrative process areas.
Threats:
Some threats to security models and architectures are:
Covert Channels: Information flow not controlled by the security mechanism.


Covert timing channel
Covert storage channel.
Addresses in TCSEC B2 and higher.
Back Doors: Also known as maintenance hooks / trapdoors.
Timing Issues: Also known as ‘asynchronous attack’. Deals with the timing different in the
sequence of steps a system uses to complete a task.
Time of Check vs Time of Use (TOC/TOU) – Also known as “race conditions”
Buffer Overflows: “Smashing the stack”.
Each of these can lead to a violation of the system security policy.
Recovery Procedures:
The system must recover/restart from an error in a secure state – maintenance mode:
access only by privileged users from privileged terminals.
Failsafe: Program execution terminated, system protected from compromise.
Failsoft (resilient): Non-critical processing is terminated.
Failover: Switching to duplicate (hot) backup in realtime.
Cold start: System cannot be restored to a known secure state.
DOMAIN 7 – Operations Security
Operations security is concerned with triples: threat, vulnerability, asset.
Categories of Controls:



Preventative Controls
Detective Controls
Corrective (Recovery) Controls
Additional categories include:



Deterrent Controls
Application Controls
Transaction Controls
- Input Controls
- Processing Controls
- Output Controls
- Change Controls
- Test Controls
Orange Book Controls:
The Orange Book defined two types of assurance: operational assurance and life cycle
assurance.
Operational assurance requirements specified in the orange book are:





System architecture
System integrity
Covert channel analysis
Trusted facility management
Trusted recovery
Life cycle assurance requirements specific in the orange book are:




Security testing
Design specification and testing
Configuration management
Trusted distribution
Covert Channel Analysis:
Involves covert storage channels and covert timing channels.
Covert Channel Requirements:
B2 – Must perform covert channel analysis and protect against covert storage channels.
B3/A1 – Must protect against covert storage and covert timing channels. Must perform
covert channel analysis for both types.
Trusted Facility Management:
Trusted facility management is defined as the assignment of a specific individual to
administer security related functions of a system. Trusted facility management is closely
related to concepts of least privilege, need to know and seperation of duties.
B2: Systems must support seperate operator and administrator roles.
B3/A1: System must clearly identify the functions of the security administrator to perform
the security related functions.
Two-man control: Two operators review and approve the work of the other.
Dual Control: Both operators are needed to complete a sensitive task.
Trusted Recovery:
Trusted recovery ensures that security is not breached when a system crash or other
system failure (discontinuity) occurs.
Trusted recovery is required only at B3 and A1 levels.
System Recovery: The common criteria has a hierarchy of three recovery types:
1. Manual recovery : Sysadmin intervention required.
2. Automated recovery : Recovery after a single failure is automatic.
3. Automated recovery without undue loss.
Configuration / Change control management:
The primary goal of configuration management is to ensure that changes to the system do
not unintentionally diminish security.
Configuration management is a requirement for B2, B3 and A1 systems.
Five generally accepted procedures exist to implement and support the change control
process:
1.
2.
3.
4.
5.
Applying to introduce a change.
Cataloging the intended change.
Scheduling the change.
Implementing the change.
Reporting the change to the appropriate parties.
B2 or B3: Configuration management procedures must be enforced during development
and maintenance of a system.
A1 : Configuration management procedures must be enforced during the entire systems
life-cycle.
Administrative Controls:
These controls have more to do with human resources, personnel and policy than they do
with hardware or software controls.






Personnel security : Background checks, mandatory vacations, etc.
Seperation of duties.
Least privilege.
Need to know.
Change control / configuration management.
Record retention and documentation.
Operations Controls:
Operations controls embody the day-to-day procedures used to protect computer
operations. The following are the most important aspects of operations controls:
Resource protection: Hardware / software / data.
Hardware controls: Maintenance accounts, maintenance personnel, diagnostic ports,
hardware physical control.
Software controls: Anti-virus managements, software testing, software utilities, safe
software storage and backup controls.
Privileged Entity Controls: System commands, special parameters.
Media Resource Protection: Two areas: media security controls and media viability
controls.
Physical access controls
Monitoring and Auditing:
Problem identification and problem resolution are the primary goals of monitoring.
DOMAIN 8 – DISASTERY RECOVERY PLANNING AND BUSINESS
CONTINUITY PLANNING
Disaster recovery planning has the goal of minimizing the effects of a disaster.
Contingency planning deals with providing methods and procedurs for dealing with longer
term outages and disasters.
The most critical piece overall is management support.
The Business Impact Analysis (BIA) is a crucial first step in disastery recovery and
contingency planning. The goal is to see exactly how a business will be affected by different
threats.
Time-loss curves show the total impact over specific time periods.
The main goals of disaster recovery planning is to:



Improve responsiveness by the employees in different situations.
Ease confusion by providing written procedures and participation in drills
Help make logical decisions during a crisis
Disaster Recovery Planning:
A disaster recovery plan is a comprehensive statement of consistent actions to be takenb
before, during, and after a disruptive event that causes a significant loss of information
system resources.
Phases of Development:
The phases of development for a DRP/BCP program should be:







Initiation
Business impact analysis
Strategy development
Plan development
Implementation
Testing
Maintenance
The 4 primary elements of BCP are:




Scope plan initiation
Business impact Analysis – includes vulnerability assessment
Business continuity plan development
Plan approval and implementation
Scope and Plan initiation:
Steps involved in the scope and plan initiation include creating an account of the work
required, listing the resources to be used and defining the management practices to be
employed.
A BCP committee should be formed and given the responsibility to create, implement and
test the plan.
Business Impact Analysis:
The purpose of a BIA is to create a document to be used to help understand what impact a
disruptive event would have on the business.
The business impact analysis has 3 primary goals:
Criticality Prioritization: Critical business units must be identified and prioritized.
Downtime Escalation: Estimate the maximum tolerable downtime (MTD)
Resource Requirements: Identify resource requirements for the critical processes.
A business impact analysis generally takes 4 steps:
1.
2.
3.
4.
Gathering the needed assessment materials
The vulnerability assessment
Analysing the information compiled
Documenting the results and presenting recommendations to management.
Contingency Planning
There is a general 6 step approach to contingency planning:
1.
2.
3.
4.
Identify critical business functions
Identify the resources and systems that support these critical functions.
Estimate potential disasters
Select planning strategies – how to recover the critical resources and evaluate
alternatives. A distaster recovery and contingency plan usually consists of
emergency response, recovery and resumption activities.
5. Implementing strategies.
6. Testing and revisiting the plan.
Plan Approval and Implementation:
Plan approval and implementation consists of:
1. Approval by senior management.
2. Creating an awareness of the plan enterprise-wide.
3. Maintenance of the plan, including updating when needed.
(APPROVAL)
(AWARENESS)
(MAINTENANCE)
= IMPLEMENTATION!
End User Environment:
The first issue pertaining to users is how will they be notified of the disaster and who will tell
them where to go and when? A tree structure/call list is necessary for this.
Backup Alternatives:
The hardware backup procedures should address on-site and off-site strategies. There are 3
main categories of disruption:
Non-Disaster: Disruption in service from device malfunction or user error.
Disaster: Entire facility unusable for a day or longer.
Catastrophe: Major disruption that destroys the facility altogether. Requires a short
term and long term solution.
Off-site backup facility options are:
Hot-Site: Fully configured and ready to be operating within a few hours. Expensive
but the company has exclusive use.
Warm-Site: Partially configured with some equipment, but not the actual computers.
Cold-Site: Basic environment such as wiring, AC, plumbing is in place, but no
equipment. This is the least expensive option but has much longer recovery time.
Different Backup Types:
Incremental: All files changed since the last backup. Removes archive attribute.
Differential: All files changed since the last full backup. Does not remove archive
attribute.
Full: All files. Removes archive attribute.
Other backup strategies include:
Electronic Vaulting: Makes an immediate copy of a changed file or transaction and
sents it to a remote location where the original backup is stored. Moving backup tapes
off-site is also a form of electronic vaulting.
Remote Journalling: Transmitting only the journal or transaction logs to the off-site
facility and not the actual files.
Database Shadowing: Database shadowing is similar to remote journalling, but the
transactions are shadowed to multiple databases.
Disk Shadowing: Mirrored disks for redundancy.
Disk Duplexing: More than one disk controller is used. If one fails, another takes
over.
A company is not considered out of an emergency until it is back at the original site
operating under normal circumstances. The least critical systems should be moved back
first.
Disaster Recovery Testing:
Reasons for testing include:




Inform management of the recovery capabilities of the enterprise.
Verify accuracy of the recovery procedures and identify deficiencies.
Prepare and train the personnel to execute emergency duties.
Verify processing capability of the remote backup site.
Disaster recovery tests should be performed at least once a year!
The recovery team is used to get critical business functions running at the alternate site.
The salvage team is used to return the primary site to normal processing conditions.
Tests and Drills:
There are a few different types of tests and drills that can take place, each with its own pros
and cons:
Checklist Test: Copies of the DR plan and continuity plan are distributed to each
functional area for review.
Strutcured Walk-Through Test: Group comes together to walk through scenarios in
detail.
Simulation Test: DR team or groups of employees come together to simulate a
specific scenario.
Parallel Test: Done to ensure that critical systems can perform adequately at the offsite facility. The systems are moved to the alternate site and processing takes place.
Full Interruption Test: Original site is actually shut down and processing takes place
at the alternate site.
“Emergency response procedures are the prepared actions that are developed to help
people in a crisis situation better cope with the disruption. They are the first line of defense
when dealing with a crisis situation”
DOMAIN 10 – PHYSICAL SECURITY
Physical security mechanisms include site design and layout, environmental components,
emergency response readiness, training, access control, intrusion detection, power and fire
protection.
“The value of items to be protected can be deteremined by a critical path anaylsis”. The
critical path analysis lists all peices of an environment and how they interract. The CPA
should include power, data, water and sewer lines, A/C, generators and storm drains.
“The physical security domain addresses the threats, vulnerabilities and countermeasures
that can be utilized to physically protect an enterprises’ resources and sensitive
information”. These include personnel, facilities, data, equipment, support systems and
media.
There are seven major causes of physical loss:
1.
2.
3.
4.
5.
6.
7.
Temperate: Sunlight, fire, freezing, heat.
Gases: War gases, vapors, humidity, dry air, smoke, smog.
Liquids: Water and chemicals
Organisms: People, animals, viruses, bacteria
Projectiles: Meteors, cars and trucks, bullets, tornados
Movement: Collapse, shearing, shaking, earthquakes
Energy Anomalies: Surges or power failures, static, radiation, magnets.
Some common physical controls are:
Administrative:





Facility selection or construction
Facility management
Personnel controls
Training
Emergency response and procedures
Technical:







Access controls
Intrustion detection
Alarms
CCTV
HVAC
Power supply.
Fire detection




Fencing
Locks
Lighting
Facility construction
Phsyical:
“Load” : How much weight can be held by a building’s walls, floors & ceiling.
Raised floors need to be electrically grounded.
A/C Should have positive air pressure: Pushes smoke out.
Water should have positive flow: flows out of the builders, not in.
MTBF : Mean time between failure.
MTTR: Mean time to repair.
Power Supply:
There are 3 main methods to protecting against power problems: UPS, Power line
conditioners and backup sources.
Definitions:
Ground : Pathway to earth to enable excess voltage to dissipate.
Noise : Electromagnetic or frequency interference that disrupts power flow and can
cause fluctuations.
Transient Noise : Short duration of power line disruption.
Clean Power : Power that does not fluctuate.
EMI is created by the different between three wires: Hot, Neutral & ground.
RFI is created by components of an electrical system. For example, electrical cables
and flourescent lighting.
Power Excess:
Spike: Momentary high voltage.
Surge: Prolonged high voltage.
Power Loss:
Fault: Momentary power out.
Blackount: Prolonged loss of power.
Power Degradation:
Sag: Momentary low voltage.
Brownout: Prolonged supply below normal voltage.
EMI is the difference betwen the charges in the hot, neutral and ground wires:
Common Noise: Noise from radiation generated by the difference in hot and ground.
Traverse-mode Noise: Noise from radiation generated by the difference between hot
and neutral wires.
RFI is generated by components of electrical systems.
Environmental Issues:

Water, steam and gas must have proper shutoff values.
High Humidity : Corrosion.
Low Humidity : Static.
The ideal level of humidity is between 45% and 60%. A hygrometer measures humidity.
Ideal temperate for computing devices is 70 to 74%.
Fire Prevention, Detection and Suppression:
Fire detectors can be activated by:
Smoke: Photoelectric device detects change in electric current when there is a
variation in the light intensive.
Heat: Rate-of-rise temporarate sensors and fixed temperature sensors. Fixed
temperature sensors have less false positives.
Flame: Senses pulsation of flames or infrared energy associated with flames and
combustion.
Combustion Particles:
Detectors should be on and above suspended ceilings – smoke usually gathers there first.
Detectors should be installed below raised floors because there are many types of wire that
could start an electrical fire.
Detectors should be located in enclosures and air ducts.
Fire Suppression:
There are four main types of fire:
A: Common combustibles such as wood, paper, laminated. Best fought with water or soda
acid.
B: Liquid fires such as petroleum products and coolants. Best fought with Gas (Halon), CO2,
Soda Acid.
C: Electrical equipment and wires. Best fought with Gas (Halon) or CO2.
D: Combustible metals. Best fought with Dry Powder.
A fire needs heat, fuel and oxygen to burn. The different fire suppression methods do the
following:
CO2 & Soda Acid
: Remove fuel and oxygen from the fire.
Water
: Lowers temperature
Halon (or substitute) : Interferes with chemical reaction between elements.
Halon is no longer legal due to environmental issues, some replacements are:
 FM200
 NAF-S-III
 FE-13
 Inergen
 Argon
 Argonite

Halon 1211 does not require the sophisticated pressurization system needed by Halon 1301
and tends to be used in self-pressurized portable extinguishers.
Water Sprinklers
“Sensors should be in place to shut down electrical power before water sprinklers activate”
Wet Pipe: Water in pipe. At a preset temperature (165), a link melts to release the
water. Water can freeze in the pipes in colder climates.
Dry Pipe: Water is held back by a value until a specific temperature is reached, then
a time delay occurs before the water is released. This can give time for shutdown in a
false alarm, but not as fast response as wet pipe. Best in colder climates because
water cannot freeze in the pipes.
Preaction: Combination of wet and dry pipe. Water is not held in the pipes – released
into the pipes when a specific temperature is reached. The water is not then released
right away – a link in the pipes has to melt to release the water. This type is most
the one most recommended for a computer room.
Deluge: Same as dry pipe, except sprinkler heads are open. Large volume of water
releases in a short period of time. Not recommended for electrical equipment.
HVACR: Heating, Ventilation, Air Conditioning, Refridgeration.
Administrative Controls
Emergency Response and procedures:






Evacuation procedures
System shutdown
Training and drills
Integrate with disaster recovery plans
Documented procedures for different types of emergencies
Periodic equipment tests
Perimeter Security:
The first line of defense is perimeter security. Preventing access to the facility deals with :
Access control, surveillance, monitoring, intrusion detection and corrective actions.
Preset locks: Usually used on doors. Latches and deadbolts.
Cipher Locks: Keypads, combination entry, swipe cards or both.
Options on Cipher locks can include:




Door delay – alarm will trigger if door is open for too long.
Key Override – specific combination programmed for emergencies
Master Keying – enabled supervisor personnel to change access codes and
other features
Hostage Alarm – special code that does not ring alarm locally, but at the
monitoring site (police station or alarm company)
Device Locks: Locks for specific devices such as cable locks for laptops, disk drive locks,
switch control, slot locks, port controls and cable traps.
Personnel Access Controls:
A common problem is “piggybacking”.
Magnetic Cards: Can be just a strip containing information, or “smart” cards requiring a
PIN number.
Wireless Proximity readers:
User activated: Card transmits values to the reader.
System Sensing: Three main types of system sending cards:



Transponders – Card and reader both have a receiver, transmitter and
battery.
Passive Devices – Card uses power from the reader.
Field-Powered Devices – Card and reader contain a transmitter. Card has its
own power supply.
External Boundary Protection:
Fencing:
3 to 4 feet
: Deters Casual Trespassers.
6 to 7 feet
: Too high to climb easily.
8 ft + barbed wire: Deter more determined intruders.
Lighting: Critical access should be illuminated 8 feet high and 2 feet out.
Surveillance: There are three main categories of surveillance:
1. Patrol force and guards – costly, unreliable but provide judgement.
2. Dogs
3. Visual recording devices – CCTV.
Issues with guards are availability, reliability, training and cost.
Surveillance techniques are used to watch for unusual behaviours, whereas detecting
devices are used to sense changes that take place in an environment. Monitoring live events
is preventative, recording events is detective.