Explain the two dimensions guiding the integration of security services into communications architectures:
1) Node: which security service should be realized in which node?
2) Layer: which security service should be realized in which layer?
What is an Application?
Application: A piece of software that accomplishes some specific task (email, web service, word processing, data storage…)
What is an End System?
End System: one piece of equipment, anywhere in the range from personal computers to servers to mainframe computers.
For security purposes, one end system usually has one policy authority.
What is a Subnetwork?
Subnetwork: a collection of communication facilities being under control of one administrative organization (LAN, campus networks, WAN…)
For security purposes, one subnetwork usually has one policy authority.
What is an Inter-Network?
A collection of inter-connected subnetworks. In general, the subnets connected in an inter-network have different policy authorities.
What are the 4 levels at which distinct requirements for security protocol elements arise?
1) Application level
2) End System level
3) Subnetwork level
4) Link level
Describe the four levels at which distinct requirements for security protocol elements arise:
1) Application level: security protocol elements that are application dependent.
2) End System level: provision of protection on an end system to end system basis.
3) Subnetwork level: provision of protection over a subnetwork or an inter-network which is considered less secure than other parts of the network environment.
4) Link level: provision of protection internal to a subnetwork (ex: over a link which is considered less trusted than other parts of the subnetwork environment).
Why relationships between protocol layers and security protocol elements level are not one-to-one?
- Security mechanisms for fulfilling both end system and the subnetwork level requirements can be either realized in the transport and/or network layer.
- Link level requirements can be met by integrating security mechanisms or using “special functions” of either the link layer and/or the physical layer.
List the general considerations for Architectural Placement:
- Traffic mixing
- Route knowledge
- Number of protection points
- Protocol header protection
- Source/sink binding
Explain Traffic mixing, as a general consideration for Architectural Placement:
- Due to multiplexing, there is greater tendencies at lower levels to have data items from different source/destination-users and/or applications mixed in one data stream.
- A security service realized at one layer/level will treat the traffic of that layer/level in an equal manner, resulting in inadequate control over security mechanisms for users and applications.
- If a security policy demands for a more differentiated treatment, it should be better realized at a higher level.
Explain Route knowledge, as a general consideration for Architectural Placement:
- At lower levels, there tends to be more knowledge about the security characteristics of different routes and links.
- In environments, where such characteristics vary significantly, placing security at lower levels can have effectiveness and efficiency benefits.
- Appropiate security services can be selected on a subnetwork or link basis eliminating cost for security, where protection is unnecesary.
Explain Number of protection points, as a general consideration for Architectural Placement:
- Placing security at the application level requires security to be implemented in every sensitive application and every end system.
- Placing security at the link level requires security to be implemented at the end of every network link which is considered to be less trusted.
- Placing security in the middle of the architecture will tend to require security features to be installed at fewer points.
Explain Protocol header protection, as a general consideration for Architectural Placement:
- Security protection at higher levels can not protect protocol headers of lower protocol layers.
- The networking infrastucture might need to be protected as well.
Explain Source/sink binding, as a general consideration for Architectural Placement:
- Security services like data origin authentication and non-repudiation depend upon association of data with its source or sink.
- This is most efficiently achieved at higher levels, especially the application level.
Regarding the Application level, elaborate on some specific considerations:
- This level might be the only appropiate level, for example because:
- A security service is application specific (ex: access control for a networked file store)
- A security service needs to traverse application gateways (ex: integrity and/or confidentiality of email)
- Semantics of data is important (ex: for non-repudiation services)
- It is beyond the reach of a user/application programmer to integrate security at a lower level
Regarding the End system level, elaborate on some specific considerations:
- This level is appropiate when end systems are assumed to be trusted and the communication network is assumed to be untrusted.
- Further advantages of end system level security.
- Security services are transparent to applications.
- The management of security services can be more easily given in the hands of one system administrator.
Regarding the Subnetwork level, elaborate on some specific considerations:
- Even if security implemented on this level might be implemented in the same protocol layer like for the end system level, these should not be mixed up:
- In security implemented on the subnetwork level, usually the same protection is realized for all end systems of that subnetwork.
- It is common, that a subnetwork close to an end system is considered equally trusted, as there are on the same premises and administered by the same authorities.
- In most situations there are far less subnetwork gateways to be unsecured than there are end systems.
Regarding the Link level, elaborate on some specific considerations:
- If there are relatively few untrusted links, it might be sufficient and as well easier and cheaper to protect the network on the link level.
- The link level allows to make use of specific protection techniques, like spread spectrum or frequency hopping techniques.
- Traffic flow confidentially usually demands for link level protection.
Explain the 3 key characteristics of Human User Interactions:
- Some network security services involve direct interaction with a human user, the most important one being authentication.
- These interactions do not cleanly fit into any of the architectural options already presented, as the user is external to the communication facilities.
- Communications supporting authentication can be realized in one of the following manners:
- Locally
- Involving protocol elements at the application layer
- Combining the 2 previous means (example: Kerberos)
In which ways do communications supporting authentication can be realized?
- Locally
- The human user authenticates to the local end system
- The end system authenticates itself to the remote end system and advises the user identity
- The remote system has to trust the local end system
- Involving protocol elements at the application layer
- The user passes some authentication information to the local system which is securely relayed to the remote system
- Combining the 2 previous means:
- Example: Kerberos
What are the 4 benefits of integrating security services into lower network layers (instead of Applications)?
- Security
- The network itself also needs to be protected.
- Security mechanisms realised in the network elements (especially hardware) are often harder to attack for network users.
- Application Independence:
- Basic network security services need not be integrated into every single application.
- Quality of Service (QoS):
- QoS preserving scheduling of the communication subsystem can also schedule encryption of co-existing data streams.
- Example: simultaneous voice call, FTP transfers.
- Efficiency:
- Hardware support for computationally intensive encryption/decryption can be easily integrated into protocol processing.
Compare the integration into End Systems vs. Intermediate Systems:
- Integration into End Systems:
- Can be done generally either on the application or end system level.
- In some special cases also a link level protection might be appropiate (ex: when using a modem to connect to a dedicated device)
- Integration into Intermediate Systems:
- Can be done on all four levels:
- Application /”end system” level: for securing management interfaces of intermediate nodes (not for securing data traffic)
- Subnetwork /link level: for securing user data traffic
- Can be done on all four levels:
Note: an integration in both end systems and intermediate systems might be appropiate, depending on the security objectives.
What two main questions guide the integration of security services into communications architectures?
- Which security service into which node?
- Which security service into which layer?
Mention the 4 levels of the pragmatic model of networked computing that can also guide the design choices of security services into communications:
- Application level
- End System level
- Subnetwork level
- Link level
