Technical Class Security Control Families
Access Control • 800-46 (Telework) • 800-77 (IPSec) • 800-113 (SSL) • 800-114 (External Devices) • 800-121 (Bluetooth) • 800-48 (Legacy Wireless) • 800-94 (IDPS) • 800-97 (802.11i Wireless) • 800-124 (Cell Phones/PDA) • OMB M 06-16 (Remote Access)
IPSec VPNs (SP 800-77) • Network Layer Security • The Need for Network Layer Security • Virtual Private Networking (VPN) • Gateway-to-Gateway Architecture • Host-to-Gateway Architecture • Host-to-Host Architecture • IPsec Fundamentals • Authentication Header (AH) • Encapsulating Security Payload (ESP) • Internet Key Exchange (IKE) • IP Payload Compression Protocol (IPComp) • Putting It All Together • ESP in a Gateway-to-Gateway Architecture • ESP and IPComp in a Host-to-Gateway Architecture • ESP and AH in a Host-to-Host Architecture
Network Layer Security • Confidentiality • Integrity • Peer Authentication • Replay Protection • Traffic Analysis • Access Control
IPSec VPNs • Gateway-to-Gateway Architecture • Host-to-Gateway Architecture • Host-to-Host Architecture
IPsec Protocols • Authentication Header (AH) • Encapsulating Security Payload (ESP) • Internet Key Exchange (IKE) • IP Payload Compression Protocol (IPComp)
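The replay protection listed among the network-layer services above is provided by AH and ESP through the sliding sequence-number window of RFC 4303 Appendix A. The following Go program is an added example, not material from the SP 800-77 deck or from any IPsec implementation; the 64-packet window, the sequence values fed to it and the assumption that the packet's ICV has already been verified before Update is called are the example's own.

```go
package main

import "fmt"

// ReplayWindow is the anti-replay window of RFC 4303 Appendix A (AH uses the
// same scheme). Sequence numbers start at 1 on a fresh SA; the window covers
// the `size` most recently accepted values, tracked as a bitmap.
type ReplayWindow struct {
	size   uint32 // window width in packets (RFC 4303 minimum 32; 64 is typical)
	last   uint32 // highest sequence number accepted so far (0 = none yet)
	bitmap uint64 // bit i set => sequence number (last - i) has been accepted
}

func NewReplayWindow(size uint32) *ReplayWindow {
	if size == 0 || size > 64 {
		size = 64
	}
	return &ReplayWindow{size: size}
}

// Check reports whether a packet with this sequence number may be accepted.
// It runs before the ICV is verified and does not change state.
func (w *ReplayWindow) Check(seq uint32) bool {
	if seq == 0 {
		return false // never transmitted on a 32-bit sequence-number SA
	}
	if seq > w.last {
		return true // right of the window: a new packet
	}
	diff := w.last - seq
	if diff >= w.size {
		return false // left of the window: too old to track, reject
	}
	return w.bitmap&(1<<diff) == 0 // inside the window: replay if already marked
}

// Update records an accepted sequence number. It must run only after the ICV
// verified, otherwise forged packets could slide the window forward and make
// the receiver drop legitimate traffic.
func (w *ReplayWindow) Update(seq uint32) {
	if seq > w.last {
		shift := seq - w.last
		if shift >= 64 {
			w.bitmap = 0 // everything previously seen falls off the left edge
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1
		w.last = seq
		return
	}
	w.bitmap |= 1 << (w.last - seq)
}

// Receive combines Check and Update for a packet whose ICV has already
// verified (assumed here) and reports whether it is accepted.
func (w *ReplayWindow) Receive(seq uint32) bool {
	if !w.Check(seq) {
		return false
	}
	w.Update(seq)
	return true
}

// Simulate feeds a constructed sequence of ESP sequence numbers through one
// window and returns the accept/reject decision for each.
func Simulate(size uint32, seqs []uint32) []bool {
	w := NewReplayWindow(size)
	out := make([]bool, len(seqs))
	for i, s := range seqs {
		out[i] = w.Receive(s)
	}
	return out
}

func main() {
	// Constructed traffic: in-order packets, a reordered packet, a replay,
	// a jump far ahead, packets that have fallen out of the window, and seq 0.
	seqs := []uint32{1, 2, 3, 5, 4, 3, 70, 5, 6, 0}
	for i, ok := range Simulate(64, seqs) {
		fmt.Printf("seq %3d -> accepted=%v\n", seqs[i], ok)
	}
}
```

Reordering within the window (5 then 4) is accepted, a second copy of 3 is rejected as a replay, and after the jump to 70 the packets 5 and 6 are rejected as too old even though they were never seen, which is the cost of a bounded window.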
SSL VPNs (SP 800-113) • Virtual Private Networking (VPN) • SSL Portal VPNs • SSL Tunnel VPNs • Administering SSL VPNs • SSL VPN Architecture
SSL VPNs • SSL Portal VPNs • SSL Tunnel VPNs • Administering SSL VPNs. Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved, and therefore are not allowed for use in SSL VPNs that are to be used in applications that must conform to FIPS 140-2.
SSL Protocol Basics • Versions of SSL and TLS • Cryptography Used in SSL Sessions • Authentication Used for Identifying SSL Servers
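The FIPS point made on the SSL VPN slide is easiest to apply as a filter over cipher-suite names. The Go program below is an added example, not code from SP 800-113 or from any VPN product: it classifies suites by their IANA names, builds a tls.Config restricted to TLS 1.2 and the approved subset, and runs over a constructed list that mixes suites of the SSL-VPN era with current ones. The token list is the example's own reading of which algorithms are not FIPS-approved.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Substrings of IANA cipher-suite names that mark an algorithm (or the lack
// of one) that is not FIPS-approved: RC4, MD5, ChaCha20-Poly1305, IDEA, SEED,
// Camellia and ARIA were never approved; NULL, EXPORT and anon suites give no
// confidentiality or no authentication; DES and three-key TDEA (3DES) are
// disallowed for encryption under SP 800-131A Rev. 2.
var nonFIPSTokens = []string{
	"NULL", "EXPORT", "ANON", "RC4", "MD5", "DES", "IDEA", "SEED", "CAMELLIA", "ARIA", "CHACHA20",
}

// IsFIPSApprovedSuite classifies a suite by name: none of the tokens above,
// AES for confidentiality and a SHA-family hash for integrity (SHA-1 inside an
// HMAC, as in the CBC suites, is still an allowed use).
func IsFIPSApprovedSuite(name string) bool {
	u := strings.ToUpper(name)
	for _, tok := range nonFIPSTokens {
		if strings.Contains(u, tok) {
			return false
		}
	}
	return strings.Contains(u, "AES") && strings.Contains(u, "SHA")
}

// FilterSuites splits suite names into approved and rejected lists, in order.
func FilterSuites(names []string) (approved, rejected []string) {
	for _, n := range names {
		if IsFIPSApprovedSuite(n) {
			approved = append(approved, n)
		} else {
			rejected = append(rejected, n)
		}
	}
	return approved, rejected
}

// ApprovedConfig applies the rule to a real TLS endpoint: TLS 1.2 as the
// floor (SP 800-52 Rev. 2 does not permit SSL at all) and only the approved
// subset of the suites this Go runtime implements. Go applies CipherSuites to
// TLS 1.2 only; the TLS 1.3 suites are fixed by the library, so a FIPS
// deployment must separately make sure the peer cannot negotiate ChaCha20.
func ApprovedConfig() *tls.Config {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if IsFIPSApprovedSuite(cs.Name) {
			ids = append(ids, cs.ID)
		}
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}
}

func main() {
	// Constructed list mixing SSL-VPN-era suites with modern ones.
	names := []string{
		"TLS_RSA_WITH_RC4_128_MD5",
		"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_RSA_WITH_NULL_SHA",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_AES_128_GCM_SHA256",
		"TLS_DH_anon_WITH_AES_128_CBC_SHA",
	}
	approved, rejected := FilterSuites(names)
	fmt.Println("approved:", approved)
	fmt.Println("rejected:", rejected)
	for _, id := range ApprovedConfig().CipherSuites {
		fmt.Println("runtime suite kept:", tls.CipherSuiteName(id))
	}
}
```

A name-based filter is a configuration check, not a FIPS 140-2 validation: the module executing the algorithms must itself be validated, which the deck's reference to FIPS 140-2 is about.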
Knowledge Check • What is the protocol, used by IPSec that negotiates connection settings, authenticates endpoints to each other, defines the security parameters of IPsec-protected connections, negotiates secret keys, and manages, updates, and deletes IPsec-protected communication channels? • Because AH transport mode cannot alter the original IP header or create a new IP header, transport mode is generally used in which VPN architecture? • Which VPN technologies are approved for use by Federal agencies?
Audit & Accountability • 800-92 (Log Management) • FIPS 180-3 (SHA) • FIPS 186-3 (DSS) • FIPS 198-1 (HMAC)
Log Management • Log Sources • Analyze Log Data • Respond to Identified Events • Manage Long-Term Log Data Storage
Log Sources • Log Generation • Log Storage and Disposal • Log Security
Analyze Log Data • Gaining an Understanding of Logs • Prioritizing Log Entries • Comparing System-Level and Infrastructure-Level Analysis • Respond to Identified Events
Manage Long-Term Log Data Storage • Choose Log Format for Data to be Archived • Archive the Log Data • Verify Integrity of Transferred Logs • Store Media Securely
Integrity Standards • FIPS 186-3 Digital Signature Standard • FIPS 180-3 Secure Hash Standard • FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)
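The "Verify Integrity of Transferred Logs" step on the long-term storage slide is where the integrity standards just listed get used. The Go program below is an added example, not code from SP 800-92 or from any log-management product: it seals an archive with HMAC-SHA256 (FIPS 198-1 over a FIPS 180 hash) and re-checks it after transfer, flagging modified, truncated, missing and unlisted entries. The key, the archive names and the log lines are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps an archived log entry's name to its hex-encoded HMAC-SHA256 tag.
type Manifest map[string]string

// tag computes HMAC-SHA256 over the entry name, a separator and the content,
// so an entry cannot be renamed or swapped for another valid entry unnoticed.
func tag(key []byte, name string, data []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil))
}

// Seal produces the manifest before the archive leaves the log host. The key
// belongs to the verifier (the log-management server), not to the log host:
// an unkeyed SHA-256 catches corruption in transit, but an intruder who can
// rewrite the archive can also rewrite a digest stored beside it, and the
// key is what stops that.
func Seal(key []byte, entries map[string][]byte) Manifest {
	m := make(Manifest, len(entries))
	for name, data := range entries {
		m[name] = tag(key, name, data)
	}
	return m
}

// Verify checks received entries against the manifest and returns, sorted,
// the names that fail: modified or truncated content, entries listed but not
// received, and entries received but never listed.
func Verify(key []byte, m Manifest, received map[string][]byte) []string {
	var bad []string
	for name, want := range m {
		data, ok := received[name]
		switch {
		case !ok:
			bad = append(bad, name+" (missing)")
		case !hmac.Equal([]byte(tag(key, name, data)), []byte(want)):
			bad = append(bad, name+" (modified)")
		}
	}
	for name := range received {
		if _, listed := m[name]; !listed {
			bad = append(bad, name+" (unlisted)")
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample archive (not real log data); a real key comes from a CSPRNG.
	key := []byte("verifier-key-kept-off-the-log-host")
	archive := map[string][]byte{
		"auth.log.2024-05-01": []byte("May  1 02:14:07 host sshd[411]: Accepted password for root from 203.0.113.9 port 52122 ssh2\n" +
			"May  1 02:14:09 host sudo: root : TTY=pts/0 ; COMMAND=/bin/bash\n"),
		"syslog.2024-05-01": []byte("May  1 02:14:10 host kernel: nf_conntrack: table full, dropping packet\n"),
	}
	manifest := Seal(key, archive)

	// After transfer an intruder has stripped the root login line and dropped syslog.
	tampered := map[string][]byte{
		"auth.log.2024-05-01": []byte("May  1 02:14:09 host sudo: root : TTY=pts/0 ; COMMAND=/bin/bash\n"),
	}
	fmt.Println("intact archive:  ", Verify(key, manifest, archive))
	fmt.Println("tampered archive:", Verify(key, manifest, tampered))
}
```

The manifest itself should travel or be stored separately from the archive media (the "Store Media Securely" step), since a manifest kept on the same media as the logs is only as trustworthy as that media.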
Identification & Authentication • 800-63 (E-auth) • 800-73 (PIV Interfaces) • 800-76 (Biometrics) • 800-78 (Crypto) • FIPS 140-2 • FIPS 201 • HSPD 12 • OMB 04-04 (E-auth) • OMB 05-24 (HSPD12)
IA Policy & Standard • HSPD 12 (Policy) • FIPS 201-1 (Implementation) • PIV-I - Security Requirements • PIV-II - Technical Interoperability Requirements (Smartcards)
E-Authentication Guidelines (SP 800-63) • Level 1 – No Identity Proofing • Level 2 – Single-factor Authentication, with Identity Proofing Requirements • Level 3 – Multi-factor Authentication • Level 4 – Multi-factor Authentication using a Hard Token • OMB M-04-04 E-Authentication Guidance for Federal Agencies
System & Communications Protection • 800-32 (PKI) • 800-41 (Firewalls) • 800-52 (TLS) • 800-58 (VoIP) • 800-63 (E-auth) • 800-77 (IPSec) • 800-81 (DNSSEC) • 800-95 (Secure Web) • 800-113 (SSL) • FIPS 140-2 (Crypto Modules) • FIPS 197 (AES) • OMB 05-24 (PIV) • OMB 08-23 (DNS)
Firewall Technologies • Packet Filtering • Stateful Inspection • Application Firewalls • Application-Proxy Gateways • Dedicated Proxy Servers • Virtual Private Networking • Network Access Control • Unified Threat Management (UTM) • Web Application Firewalls • Firewalls for Virtual Infrastructures
Knowledge Check • Name the AES-based, wireless encryption mechanism used in the 802.11i wireless specification? • In which security mode are Bluetooth devices considered “promiscuous”, and do not employ any mechanisms to prevent other Bluetooth-enabled devices from establishing connections? • Which security control requires the information system protect against an individual falsely denying having performed a particular action? • Which e-authentication level, described in the special publication 800-63, requires multifactor authentication, and the use of a hard token?
Cryptographic Services • Data integrity • Confidentiality • Identification and authentication • Non-repudiation
Symmetric Key Encryption • Objective: Confidentiality via Bulk Encryption
Asymmetric Key Encryption • Objective: Symmetric Key Exchange/Authentication
Digital Signature • Objective: Non-Repudiation (Authentication + Integrity)
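The three objectives above fit together in one exchange: an asymmetric key agreement establishes a symmetric key, that key does the bulk encryption, and a digital signature gives the receiver something only the sender could have produced. The Go program below is an added example, not code from SP 800-32 or from any of the standards named on this page. It uses the FIPS-approved P-256 curve for both ECDSA (FIPS 186) and ECDH (SP 800-56A), AES-256-GCM for bulk encryption, and, as a simplification the example's own, SHA-256 of the shared secret in place of a full SP 800-56C key-derivation function. It needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the example short: key generation and CSPRNG reads only fail
// when the platform RNG is broken, which is not worth recovering from here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party holds one side's long-term signing key (ECDSA over P-256, FIPS 186)
// and an ephemeral key-agreement key (ECDH over P-256, SP 800-56A).
type Party struct {
	Sign *ecdsa.PrivateKey
	KEX  *ecdh.PrivateKey
}

func NewParty() *Party {
	return &Party{
		Sign: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)),
		KEX:  must(ecdh.P256().GenerateKey(rand.Reader)),
	}
}

// SharedKey derives a 256-bit AES key from the ECDH shared secret. SHA-256 is
// a stand-in for an SP 800-56C KDF (example simplification); both sides obtain
// the same key and the secret never crosses the wire: the key-exchange objective.
func (p *Party) SharedKey(peer *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(p.KEX.ECDH(peer)))
	return k[:]
}

func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Encrypt is the bulk-encryption objective: AES-256-GCM (FIPS 197 with
// SP 800-38D), returning nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Decrypt reverses Encrypt; GCM's tag check turns any modified byte into an error.
func Decrypt(key, msg []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(msg) < n {
		return nil, fmt.Errorf("message of %d bytes is shorter than the %d-byte nonce", len(msg), n)
	}
	return gcm.Open(nil, msg[:n], msg[n:], nil)
}

// SignMessage hashes with SHA-256 and signs with the party's private key.
func (p *Party) SignMessage(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, p.Sign, h[:]))
}

// VerifyMessage needs only the signer's public key: anyone can check the
// signature and only the private-key holder could have produced it, which is
// what makes it non-repudiable (an HMAC cannot be: both sides share its key).
func VerifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Exchange sends one message from alice to bob: agree a key, encrypt, sign the
// ciphertext, then verify before decrypting on bob's side, where only alice's
// public keys are used. It returns the recovered plaintext and whether it verified.
func Exchange(alice, bob *Party, msg []byte) ([]byte, bool) {
	ct := Encrypt(alice.SharedKey(bob.KEX.PublicKey()), msg)
	sig := alice.SignMessage(ct)
	if !VerifyMessage(&alice.Sign.PublicKey, ct, sig) {
		return nil, false
	}
	pt, err := Decrypt(bob.SharedKey(alice.KEX.PublicKey()), ct)
	return pt, err == nil
}

func main() {
	alice, bob := NewParty(), NewParty()
	pt, ok := Exchange(alice, bob, []byte("constructed sample message"))
	fmt.Printf("verified=%v plaintext=%q\n", ok, pt)
}
```

Signing the ciphertext rather than the plaintext keeps the signature from revealing anything about the message to a third party; in a real deployment the public keys would be bound to identities through the PKI components on the following slides.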
PKI (SP 800-32) • Security Services • Non-cryptographic Security Mechanisms • Cryptographic Security Mechanisms • PKI Components • PKI Architectures
PKI Components • Certification Authority (CA) • Registration Authority (RA) • Repository • Archive • Public Key Certificate • Certificate Revocation Lists (CRLs) • PKI Users
Key Establishment • RSA • DH (Diffie-Hellman) • Fortezza-KEA
Confidentiality/Symmetric Key Algorithms • IDEA • RC4 • 3DES-EDE • AES (as listed in SP 800-32; of these only AES and 3DES are FIPS-approved, and 3DES is now disallowed for encryption under SP 800-131A)
Signature & Hashes • RSA • DSA • MD5 • SHA1 (as listed in SP 800-32; MD5 is not FIPS-approved, and SHA-1 is no longer approved for signature generation)
VoIP (SP 800-58) • Overview of VoIP • Privacy and Legal Issues with VoIP • VoIP Security Issues • Quality of Service Issues • VoIP Architectures • Solutions to the VoIPsec Issues