SECURITY MANAGEMENT SYSTEM FUNCTIONAL ARCHITECTURE FOR ENTERPRISE NETWORK

Transcription

1 SECURITY MANAGEMENT SYSTEM FUNCTIONAL ARCHITECTURE FOR ENTERPRISE NETWORK Shervin Erfani Electrical and Computer Engineering University of Windsor Windsor, Ontario

2 BASIC PROBLEMS WITH SECURITY MANAGEMENT Remote attacks are easy Anonymity is easy Bad Software Bad configurations Stand-alone system implementing single security service Reliance on rigid conventional encryption techniques SECURITY MANAGEMENT SHOULD BE AN EVOLVING INTEGRATED PROCESS. 10/15/03 S. Erfani, ECE Dept., University of Windsor 2

3 FUNCTIONAL ARCHITECTURE Layer 5 Policy and Business Requirements SMIB Policy Layer 4 Layer 3 Management Management s Layer 2 Mechanism Mechanisms Layer 1 Primitive Modules Primitive Module FUNCTIONAL LAYERS OF SECURITY MANAGEMENT 10/15/03 S. Erfani, ECE Dept., University of Windsor 3

4 Layer 5 - Policy and business requirements Prevent and detect Violations Disaster Recovery Personnel Risk Policy Enterprise-wide Risk Policy Legal Views and Actions The uppermost layer dictating the enterprise security policy and business requirements function Sets the overall user/corporation security vision Expert Systems or Rule-based techniques can be used for violation detection and prevention module 10/15/03 S. Erfani, ECE Dept., University of Windsor 4

5 FUNCTIONAL LAYERS OF SECURITY MANAGEMENT Layer 4 - Management Function Control and Distribution User Interface Event Logging Monitoring Management Mechanism Management Parameter Management Recovery Provision of security services and control Event logging, both for normal and abnormal situation Administration and management of various modules in lower layers User interface management monitoring for various security services Key and (state) recovery in case of violation Interaction establishment between different security management systems through use of appropriate security management protocol(s) 10/15/03 S. Erfani, ECE Dept., University of Windsor 5

6 FUNCTIONAL LAYERS OF SECURITY MANAGEMENT Layer 3 - Function Authentication Integrity Non-repudiation Confidentiality Non-denial of Intrusion Detection Access Control Confidentiality Integrity Access Control Non-repudiation and Accountability Authentication Non-denial of 10/15/03 S. Erfani, ECE Dept., University of Windsor 6

7 FUNCTIONAL LAYERS OF SECURITY MANAGEMENT Layer 2 - Mechanism Function CBC-MAC MAA Message Auth. Code Simple Handshak Biomet Password Techniques RIPE-MAC Cond Access RSA Acc. Cont. List ElGamal Digital Signature Acc. Cont. M. Access Control Mechanism Elliptic Curve DSS Certificate X. 509 V.x DNS W3C Dsig Diffie-Hellman Preshared Key Public/Secret Key Ex./Gn. Key Exchange/Generation Encryption Public Key One-Key ECC Rabin Public-Key Encryption: RSA, ECC, Rabin, ElGamal algorithms Symmetric One-Key Encryption: DES, Triple DES, FEAL, IDEA, RC2, RC4, SKIPJACK techniques Message Authentication Code: CBC-MAC, MAA, RIPE-MAC Password techniques, Biometrics mechanisms Digital Signature: DSA mechanism Access Control: access control matrix (ACM), access control list (ACL), conditional access mechanism 10/15/03 S. Erfani, ECE Dept., University of Windsor 7

8 FUNCTIONAL LAYERS OF SECURITY MANAGEMENT Layer 1 - Primitive (Mathematical) Function Fast Exponentiation Prime Number Testing Random Number Generators Math Library Chinese Remainder Theorem Multiplicative Inverse Modular Multiplication MD4/MD5 SHA-1 RIPE-MD One-Way Hash Fundamental Modules DES/Tri-DES IDEA AES RC2/RC4/RC5 FEAL Encryption Fundamental Modules One-Way Hash (OWH): MD5, SHA-1, MDC2, MDC4, RIPE-MD methods Public Key Fundamental Modules: Fast Exponential, Pseudorandom Number Generator, Test for Primality Math Library Modules: Chinese Reminder Theorem, Multipicative Inverse, Modular Multiplication, and other operations with large numbers Encryption Fundamental Modules: DES, Triple DES, IDEA, AES, RC2/RC4/RC5, FEAL 10/15/03 S. Erfani, ECE Dept., University of Windsor 8

9 SECURITY MANAGEMENT INFORMATION BASE (SMIB) SMIB X.500 Elements for Identification X.509 Recommendation for Authentication Extended X.500 Information Base SMIB Segment A repository for normal functioning of SMS The conceptual segments of an SMIB are IDs for network secured resources, user profiles and privileges, secure associations, access control list, and security logs SMIB must work in a manager/agent relationship to support other MIBs in use 10/15/03 S. Erfani, ECE Dept., University of Windsor 9

10 SECURITY MANAGEMENT SYSTEM INTERFACES NMS Stack Host OS Protocols Policy and Business requirements Layer 5 Layer 4 Layer 3 Management Interactions Interactions Interface Interface Interface Policy Management s Interactions WAN Layer 2 Mechanism Interactions Interface Mechanisms Layer 1 Primitive Modules Interface Mathematical Modules LAN SMIB Message Interaction Protocol Interface 10/15/03 S. Erfani, ECE Dept., University of Windsor 10

11 PGP Realization: An Example Policy Levels Policy Control and Distribution Parameter Management User Interface Management Management Layer Mechanism Management Management Management Confidentiality Data, Message and Traffic Flow Integrity Data, Message and Traffic Flow Non-Repudiation s Diffie Hellman Mechanisms DSS Encryption One-Key Encryption Mechanisms Digital Signature RSA Public/Secret Key Exchange/generation Key-Exchange/Generation Mechanisms IDEA MD5 Fast Exponentiation Prime Number Testing Random Number Generators Chinese Remainder Theorem Multiplicative Inverse Modular Multiplication Fundamental Modules SMIB 10/15/03 S. Erfani, ECE Dept., University of Windsor 11

12 ROBUSTNESS ACHIEVED Many security services Many security mechanisms with different efficiencies and different levels of security Wide-range of management functions Full integration with Network Management System (NMS) policies accessible from NMS Efficient use of different security mechanisms by different security services Transparent to users and applications Easily applicable to any type of operational environment Designed and structured modularly to be used by larger customer base Flexible, expandable, and adaptive to network changes, enhancements, and new policies Adaptive to new mechanisms and new security services 10/15/03 S. Erfani, ECE Dept., University of Windsor 12