
Security Control Families


gayle

Presentation Transcript


  1. Technical Class Security Control Families

  2. Access Control • 800-46 (Telework) • 800-77 (IPSec) • 800-113 (SSL) • 800-114 (External Devices) • 800-121 (Bluetooth) • 800-48 (Legacy Wireless) • 800-94 (IDPS) • 800-97 (802.11i Wireless) • 800-124 (Cell Phones/PDA) • OMB M 06-16 (Remote Access)

  3. IPSec VPNs SP 800-77 • Network Layer Security • The Need for Network Layer Security • Virtual Private Networking (VPN) • Gateway-to-Gateway Architecture • Host-to-Gateway Architecture • Host-to-Host Architecture • IPsec Fundamentals • Authentication Header (AH) • Encapsulating Security Payload (ESP) • Internet Key Exchange (IKE) • IP Payload Compression Protocol (IPComp) • Putting It All Together • ESP in a Gateway-to-Gateway Architecture • ESP and IPComp in a Host-to-Gateway Architecture • ESP and AH in a Host-to-Host Architecture

  4. Network Layer Security • Confidentiality • Integrity • Peer Authentication • Replay Protection • Traffic Analysis • Access Control

  5. IPSec VPNs • Gateway-to-Gateway Architecture • Host-to-Gateway Architecture • Host-to-Host Architecture

  6. Gateway-to-Gateway Architecture

  7. Host-to-Gateway Architecture

  8. Host-to-Host Architecture

  9. Model Comparison

  10. IPsec Protocols • Authentication Header (AH) • Encapsulating Security Payload (ESP) • Internet Key Exchange (IKE) • IP Payload Compression Protocol (IPComp)

  11. SSL VPNs SP 800-113 • Virtual Private Networking (VPN) • SSL Portal VPNs • SSL Tunnel VPNs • Administering SSL VPNs • SSL VPN Architecture

  12. SSL VPNs • SSL Portal VPNs • SSL Tunnel VPNs • Administering SSL VPNs • Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved and are therefore not allowed in SSL VPNs used in applications that must conform to FIPS 140-2.

  13. SSL VPN Architecture

  14. SSL Protocol Basics • Versions of SSL and TLS • Cryptography Used in SSL Sessions • Authentication Used for Identifying SSL Servers

  15. Knowledge Check • What is the protocol used by IPSec that negotiates connection settings, authenticates endpoints to each other, defines the security parameters of IPsec-protected connections, negotiates secret keys, and manages, updates, and deletes IPsec-protected communication channels? • Because AH transport mode cannot alter the original IP header or create a new IP header, transport mode is generally used in which VPN architecture? • Which VPN technologies are approved for use by Federal agencies?

  16. Private Wireless

  17. Public Wireless

  18. Wireless Protocols

  19. Cell Phone Security

  20. Bluetooth Security

  21. Audit & Accountability • 800-92 Log Mgmt • FIPS 180-3 SHA • FIPS 186-3 DSS • FIPS 198-1 HMAC

  22. Log Management • Log Sources • Analyze Log Data • Respond to Identified Events • Manage Long-Term Log Data Storage

  23. Log Sources • Log Generation • Log Storage and Disposal • Log Security

  24. Analyze Log Data • Gaining an Understanding of Logs • Prioritizing Log Entries • Comparing System-Level and Infrastructure-Level Analysis • Respond to Identified Events

  25. Manage Long-Term Log Data Storage • Choose Log Format for Data to be Archived • Archive the Log Data • Verify Integrity of Transferred Logs • Store Media Securely

  26. Integrity Standards • FIPS 186-3 Digital Signature Standard • FIPS 180-3 Secure Hash Standard • FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)

  27. Identification & Authentication • 800-63 (E-auth) • 800-73 • 800-76 • 800-78 • FIPS 140-2 • FIPS 201 • HSPD 12 • OMB 04-04 (E-auth) • OMB 05-24 (HSPD12) • Crypto • Biometrics • PIV Interfaces

  28. Personal Identity & Verification (PIV)

  29. IA Policy & Standard • HSPD 12 (Policy) • FIPS 201-1 (Implementation) • PIV-I - Security Requirements • PIV-II - Technical Interoperability Requirements (Smartcards)

  30. E-Authentication Guidelines • Level 1 – No Identity Proofing • Level 2 – Single-factor Authentication, Identity Proofing Requirements • Level 3 – Multi-factor Authentication • Level 4 – Multi-factor using Hard Token • OMB M-04-04 E-Authentication Guidance for Federal Agencies

  31. System & Communications Protection • 800-32 (PKI) • 800-41 (Firewalls) • 800-52 (TLS) • 800-58 (VoIP) • 800-63 • 800-77 • 800-81 (DNSSEC) • 800-95 (Secure Web) • 800-113 • FIPS 140-2 • FIPS 197 • OMB 05-24 (PIV) • OMB 08-23 (DNS)

  32. Firewall Technologies • Packet Filtering • Stateful Inspection • Application Firewalls • Application-Proxy Gateways • Dedicated Proxy Servers • Virtual Private Networking • Network Access Control • Unified Threat Management (UTM) • Web Application Firewalls • Firewalls for Virtual Infrastructures

  33. Knowledge Check • Name the AES-based wireless encryption mechanism used in the 802.11i wireless specification. • In which security mode are Bluetooth devices considered “promiscuous” and do not employ any mechanisms to prevent other Bluetooth-enabled devices from establishing connections? • Which security control requires the information system to protect against an individual falsely denying having performed a particular action? • Which e-authentication level, described in Special Publication 800-63, requires multifactor authentication and the use of a hard token?

  34. Cryptographic Services • Data integrity • Confidentiality • Identification and authentication • Non-repudiation

  35. Cryptographic Security Mechanisms

  36. Symmetric Key Encryption • Objective: Confidentiality via Bulk Encryption

  37. The Problem with Symmetric Keys

  38. Asymmetric Key Encryption • Objective: Symmetric Key Exchange/Authentication

  39. Hash Functions • Objective: Data Integrity

  40. Digital Signature • Objective: Non-Repudiation (Authentication + Integrity)

  41. PKI SP 800-32 • Security Services • Non-cryptographic Security Mechanisms • Cryptographic Security Mechanisms • PKI Components • PKI Architectures

  42. PKI Components • Certification Authority (CA) • Registration Authority (RA) • Repository • Archive • Public Key Certificate • Certificate Revocation Lists (CRLs) • PKI Users

  43. TLS SP 800-52

  44. Mapping The Security Parts of TLS to Federal Standards

  45. Key Establishment • RSA • DH (Diffie-Hellman) • Fortezza-KEA

  46. Confidentiality/Symmetric Key Algorithms • IDEA • RC4 • 3DES-EDE • AES

  47. Signature & Hashes • RSA • DSA • MD5 • SHA1

  48. VoIP SP 800-58 • Overview of VoIP • Privacy and Legal Issues with VoIP • VoIP Security Issues • Quality of Service Issues • VoIP Architectures • Solutions to the VoIPsec Issues

  49. Overview of VoIP
