
7 LAYERS SECURITY

Security of the OSI Model

Santosh baranwal
11089E071
B.Tech (I.T.) 3rd Yr
Sec-B
9/30/2010
• ISO: the International Organization for Standardization, a multinational body dedicated to worldwide agreement on international standards
• The ISO standard that covers all aspects of network communication is OSI
• OSI: Open Systems Interconnection
• OSI is a model, not a protocol
• Vendor-specific protocols close off communication between unrelated systems
• The purpose of the OSI model is to open communication between different systems without requiring changes to the logic of the underlying hardware and software

OSI Layers
• The OSI model is built of seven ordered layers:
  – Layer-1: Physical
  – Layer-2: Data Link
  – Layer-3: Network
  – Layer-4: Transport
  – Layer-5: Session
  – Layer-6: Presentation
  – Layer-7: Application
• The seven layers can be thought of as belonging to three sub-groups:
  – Network Support Layers (Layers 1-3): deal with the physical aspects of moving data from one device to another
  – User Support Layers (Layers 5-7): allow interoperability among unrelated software systems
  – Layer-4 (Transport): links the two groups and ensures reliable end-to-end data transmission

Layer-1 (Physical)
• First of the three network support layers
• Concerned with the physical transmission of data bits; ensures that a bit entering at one end of the transmission medium reaches the other end
• Deals with the mechanical and electrical specifications of the interface and transmission medium, e.g. optical fibre, coax, RF, twisted pair
• Defines the type of encoding, i.e. how 0s and 1s are changed into signals
• Defines the data rate (transmission rate), i.e. the duration of a bit
• Responsible for synchronisation of the sender and receiver clocks
• Concerned with the connection of devices to the medium:
  – Point-to-point configuration
  – Multipoint configuration
• Physical topology: mesh, star, ring, bus
• Transmission mode: simplex, half-duplex, full-duplex

Security on (Physical Layer)
• Physically secure and manage the cable plant
  – Wiring closets
  – WAN connections
  – CSU/DSU
• Physically secure and control access to networking equipment
  – Routers
  – Hubs
  – Switches
• Physically secure and control access to servers and mainframes
• Provide redundant power and WAN connections

Layer-2 (Data Link)
• Second of the three network support layers
• Divides the stream of bits received from the network layer into manageable data units called frames
• Transforms the physical layer into a reliable link by adding mechanisms to detect and retransmit damaged frames
• Responsible for the physical addressing of devices
• Responsible for link-by-link flow control and error-free delivery of data
• Responsible for media access control

Security Framework on (Data Link Layer)
• VPNs protecting the links between networks
• Network Intrusion Detection Systems (NIDS) watching traffic for attacks
• Host Intrusion Detection Systems (HIDS) protecting connections to critical servers/hosts
• Virus scanning of traffic coming in from outside the customer's network

Layer-3 (Network)
• Third of the three network support layers
• Concerned with getting packets from source to destination
• The network layer must know the topology of the subnet and choose appropriate paths through it
• When source and destination are in different networks, the network layer (IP) must deal with the differences between them
• Key issue: what service the network layer provides to the transport layer (connection-oriented or connectionless)
• Design goals:
  1. The services provided by the network layer should be independent of the subnet topology
  2. The transport layer should be shielded from the number, type and topology of the subnets present

Security Framework on (Network Layer)
• Firewall performing stateful inspection of incoming and outgoing packets
• Router Access Control Lists (ACLs) filtering packets bound between networks
• Virus scanning of attachments at the e-mail gateways

Layer-4 (Transport)
• Responsible for source-to-destination delivery of the entire message
• Uses a service-point address (port address) for end-to-end delivery
• The network layer gets each packet to the correct computer; the transport layer gets the entire message to the correct process
• Responsible for segmenting a message into transmittable segments; at the destination the message is correctly reassembled
• Builds on the network layer to provide reliable, sequenced data exchange
• The transport layer can be connectionless or connection-oriented:
  – A connectionless transport layer treats each segment as an independent packet
  – A connection-oriented transport layer makes a connection with the transport layer at the destination machine before delivering the packets; after all the data is transmitted, the connection is terminated
• Responsible for end-to-end flow control of data
• Responsible for end-to-end error control of data; error correction is usually achieved through retransmission

Connection-oriented Mux & Demux
• Connection-oriented: the TCP connection
• The TCP socket and the TCP connection
• A TCP socket is identified by four fields:
  – Source IP address
  – Source port number
  – Destination IP address
  – Destination port number
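The same four fields that identify a TCP socket are what the stateful firewall listed under the network-layer security framework keys its connection table on: a stateless router ACL judges each packet alone, while a stateful filter remembers which 4-tuples the inside opened and admits inbound segments only when they match one. The following is an added example, not code from the original slides: a minimal stateful filter in Python that tracks outbound connections by 4-tuple, drops unsolicited inbound segments, and shows that two connections from one host to the same server port are demultiplexed by source port. The names Segment and StatefulFilter and all traffic below are constructed for illustration.

```python
"""Stateful TCP filter keyed on the 4-tuple (added example, not from the slides).

All addresses and segments below are constructed for illustration.
"""
from dataclasses import dataclass

# TCP flag bits (same bit positions as in the TCP header)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    """The fields the filter needs from one TCP segment."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    direction: str      # "out" (inside -> outside) or "in" (outside -> inside)


class StatefulFilter:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> connection state
        self.conns = {}

    @staticmethod
    def _key(seg):
        """Normalise both directions to one (inside, outside) 4-tuple."""
        if seg.direction == "out":
            return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        return (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)

    def filter(self, seg):
        """Return "ALLOW" or "DROP" and update the connection table."""
        key = self._key(seg)
        state = self.conns.get(key)
        if seg.direction == "out":
            if state is None:
                # Only a fresh SYN may open an entry; any other outbound
                # segment without state is a stray or spoofed segment.
                if seg.flags & SYN and not seg.flags & ACK:
                    self.conns[key] = "SYN_SENT"
                    return "ALLOW"
                return "DROP"
        else:
            if state is None:
                # Unsolicited inbound traffic: inbound SYNs to inside hosts
                # and "replies" to ports we never opened are both dropped.
                return "DROP"
            if state == "SYN_SENT" and seg.flags & SYN and seg.flags & ACK:
                self.conns[key] = "ESTABLISHED"
        # A reset from either side removes the entry (the FIN handshake is
        # simplified away in this example).
        if seg.flags & RST:
            self.conns.pop(key, None)
        return "ALLOW"

    def tracked(self):
        """The demultiplexing table: one entry per distinct 4-tuple."""
        return sorted(self.conns)


if __name__ == "__main__":
    fw = StatefulFilter()
    traffic = [
        Segment("10.0.0.5", 40000, "203.0.113.7", 443, SYN, "out"),
        Segment("203.0.113.7", 443, "10.0.0.5", 40000, SYN | ACK, "in"),
        Segment("10.0.0.5", 40001, "203.0.113.7", 443, SYN, "out"),   # 2nd conn, same host
        Segment("198.51.100.9", 5555, "10.0.0.5", 22, SYN, "in"),     # unsolicited inbound
        Segment("203.0.113.7", 443, "10.0.0.5", 40002, ACK, "in"),    # reply to unopened port
    ]
    for seg in traffic:
        print(seg.direction, seg.src_ip, seg.src_port, "->", seg.dst_ip, seg.dst_port, fw.filter(seg))
    print("tracked:", fw.tracked())
```

A plain ACL cannot make the third and fourth decisions above: it has no memory of which inside port opened which connection, so it must either open the reply ports permanently or block the replies.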


Security on (Transport Layer)
The aim is a mechanism that lets a transport layer security (TLS) server resume sessions without keeping per-client session state. The TLS server encapsulates the session state into a ticket, which it forwards to the client; the client returns the ticket when it wants to resume the session.

A 'ticket' is a cryptographically protected data structure that is created by a server and later consumed by that same server to rebuild session-specific state.

The ticket is created by the TLS server and sent to the TLS client in the "NewSessionTicket" handshake message. In the TLS 1.2 handshake (RFC 5077) this message is sent after the server has successfully verified the client's Finished message and before the server's "ChangeCipherSpec" message; in TLS 1.3 it is sent after the handshake completes. Because the server keeps no state of its own, the ticket must be both encrypted and integrity-protected under a server-side key, and that key must be rotated: whoever obtains it can decrypt every ticket issued under it.

Diagram views

Expected Execution
This can be demonstrated on a single system: open multiple child processes (clients), use the connection program to block one of the children from accessing the server, and then resume that child's connection using the ticket mechanism.

Platform Usage: C, Linux
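To make the ticket mechanism concrete, here is an added example in Python (not the slides' C/Linux project) of the two server-side operations it needs: issuing a ticket that encapsulates the session state with an expiry, and validating a presented ticket before rebuilding state from it. The ticket layout (key_name, IV/nonce, encrypted state, MAC) follows RFC 5077; the one assumption is that, to stay with the standard library, AES-CBC is replaced by an HMAC-SHA256 counter-mode keystream, which plays the same role but is not the RFC's cipher. TicketKey, issue_ticket and resume_session are names chosen here, and the session state is constructed.

```python
"""Stateless session resumption with an encrypted, MAC'd ticket
(added example in the style of RFC 5077; not the slides' own code).

Assumption: stdlib only, so the RFC's AES-CBC is stood in for by an
HMAC-SHA256 counter-mode keystream.  Session state below is constructed.
"""
import hashlib
import hmac
import json
import os
import struct

KEY_NAME_LEN = 16
NONCE_LEN = 16
MAC_LEN = 32
HEADER_LEN = KEY_NAME_LEN + NONCE_LEN + 2   # key_name || nonce || ciphertext length


class TicketKey:
    """Server-side ticket protection keys.  key_name lets the server rotate
    keys and still recognise which key an older ticket was issued under."""

    def __init__(self, key_name, enc_key, mac_key):
        assert len(key_name) == KEY_NAME_LEN
        self.key_name, self.enc_key, self.mac_key = key_name, enc_key, mac_key


def _keystream_xor(key, nonce, data):
    """Stand-in for AES-CBC: XOR data with HMAC-SHA256(key, nonce || counter)
    blocks.  Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", offset // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def issue_ticket(tk, state, now, lifetime=3600):
    """Encapsulate the session state plus an expiry into a ticket for the client."""
    plaintext = json.dumps({"state": state, "exp": now + lifetime}).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(tk.enc_key, nonce, plaintext)
    body = tk.key_name + nonce + struct.pack(">H", len(ciphertext)) + ciphertext
    mac = hmac.new(tk.mac_key, body, hashlib.sha256).digest()   # MAC covers every field
    return body + mac


def resume_session(keys, ticket, now):
    """Rebuild session state from a presented ticket, or return None so the
    server falls back to a full handshake (the client is not told why)."""
    if len(ticket) < HEADER_LEN + MAC_LEN:
        return None
    tk = keys.get(ticket[:KEY_NAME_LEN])
    if tk is None:                              # unknown or rotated-out key_name
        return None
    body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    expected = hmac.new(tk.mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # verify before decrypting anything
        return None
    nonce = body[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
    (ct_len,) = struct.unpack(">H", body[KEY_NAME_LEN + NONCE_LEN:HEADER_LEN])
    if HEADER_LEN + ct_len != len(body):
        return None
    try:
        obj = json.loads(_keystream_xor(tk.enc_key, nonce, body[HEADER_LEN:]))
    except ValueError:
        return None
    if now >= obj["exp"]:                       # expired: force a full handshake
        return None
    return obj["state"]


if __name__ == "__main__":
    key = TicketKey(os.urandom(16), os.urandom(32), os.urandom(32))
    session = {"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "master_secret": "00" * 48}
    ticket = issue_ticket(key, session, now=1000, lifetime=60)
    print("ticket bytes:", len(ticket))
    print("resumed:", resume_session({key.key_name: key}, ticket, now=1030))
    print("expired:", resume_session({key.key_name: key}, ticket, now=1100))
```

Two points carry over to any real implementation: the MAC is checked in constant time before the ciphertext is touched, and every failure (unknown key, bad MAC, expiry, malformed body) collapses to the same "full handshake" outcome so a client cannot probe the ticket key by watching which error it gets.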

Layer-5 (Session)
• First of the three user support layers
• It is the network dialogue controller
• It establishes, maintains and synchronises the interaction between communicating systems
• It allows the communication between two processes to take place either half-duplex or full-duplex
• It allows a process to add checkpoints (synchronisation points) into a stream of data

• The session layer defines how to start, control and end conversations (called sessions). This includes the control and management of multiple bidirectional messages, so that the application can be notified if only some of a series of messages are completed. This gives the presentation layer a seamless view of an incoming stream of data; in some cases the presentation layer should be handed the data only once all of the flows have completed. For example, an automated teller machine transaction in which you withdraw cash from your checking account should not debit the account and record the transaction, then fail before handing you the cash. The session layer provides ways to indicate which flows are part of the same session and which flows must complete before any of them is considered complete.

• Accounting and conversation control: who can talk when, and session parameter negotiation
• Dialogue control and separation: enable applications to communicate between the source and destination

Dialogue Control
• Two-way alternate communication
  – Communication partners take turns while sending messages to avoid interrupting each other
  – For example, Internet Relay Chat (IRC)
• Two-way simultaneous communication
  – Communication partners send each other whatever they want without waiting for turns
  – Synchronisation problem

Session-layer protocols and services:
• Network File System (NFS)
• Structured Query Language (SQL)
• Remote Procedure Call (RPC)
• X-Window System
• NetBIOS names
• AppleTalk Session Protocol (ASP)
• Digital Network Architecture Session Control Protocol (DNA SCP), used by DECnet
Layer-6 (Presentation)
• Second of the three user support layers
• Concerned with the syntax and semantics of the information exchanged between two systems
• At the sending end, changes the information from the sender-dependent format into a common format
• At the receiving end, changes the information from the common format into the receiver-dependent format
• Responsible for encryption and decryption of sensitive information
• Responsible for compression of the data to be transmitted

The Security Framework--Application Layer
• OS and application hardening at the system level
• Conduct security health checking to determine whether security policies (types of applications allowed to run, password composition and length, services allowed on hosts, etc.) are being followed
• Provide vulnerability scanning to test the configuration of applications and systems, looking for vulnerabilities, missing patches, etc.
• Conduct penetration tests to determine whether machines can be exploited and privileged access gained
• User account management on the network
• User account management on individual systems
• User account management for specific applications, RDBMS, etc.
• Virus scanning and updates on individual machines and user desktops
• Role- and rule-based access control (RBAC)
• PKI and digital certificates
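Of the controls above, role- and rule-based access control is the one whose behaviour is easiest to get subtly wrong, so here is an added example (not code from the slides) of the check in Python: roles carry permissions and may inherit from other roles, rules add context conditions on top of a role grant, and anything not explicitly granted is denied. The class name AccessControl, the roles, permissions, users and the business-hours rule are all made up for the illustration.

```python
"""Role- and rule-based access control check (added example, not from the
slides).  All roles, permissions, users and rules below are made up."""
from collections import deque


class AccessControl:
    def __init__(self):
        self.role_perms = {}     # role -> set of permissions it grants
        self.role_parents = {}   # role -> roles it inherits from
        self.user_roles = {}     # user -> roles assigned directly
        self.rules = {}          # permission -> predicates on a context dict

    def add_role(self, role, perms, inherits=()):
        self.role_perms[role] = set(perms)
        self.role_parents[role] = tuple(inherits)

    def assign(self, user, *roles):
        unknown = [r for r in roles if r not in self.role_perms]
        if unknown:
            raise ValueError(f"unknown roles: {unknown}")
        self.user_roles.setdefault(user, set()).update(roles)

    def add_rule(self, perm, predicate):
        """Rule-based constraint: predicate(context) must hold to use perm."""
        self.rules.setdefault(perm, []).append(predicate)

    def effective_roles(self, user):
        """Transitive closure over role inheritance; tolerates cycles."""
        seen, todo = set(), deque(self.user_roles.get(user, ()))
        while todo:
            role = todo.popleft()
            if role in seen:
                continue
            seen.add(role)
            todo.extend(self.role_parents.get(role, ()))
        return seen

    def permitted(self, user, perm, context=None):
        """Deny by default: some role must grant perm and every rule must pass."""
        if not any(perm in self.role_perms.get(r, ()) for r in self.effective_roles(user)):
            return False
        context = context or {}
        return all(rule(context) for rule in self.rules.get(perm, ()))


def build_demo():
    """A small policy: admin > operator > viewer, plus one rule on 'delete'."""
    ac = AccessControl()
    ac.add_role("viewer", {"read"})
    ac.add_role("operator", {"restart"}, inherits=("viewer",))
    ac.add_role("admin", {"delete"}, inherits=("operator",))
    ac.assign("alice", "admin")
    ac.assign("bob", "operator")
    # Rule: deletions only during business hours; the hour comes from the caller's context
    ac.add_rule("delete", lambda ctx: 9 <= ctx.get("hour", -1) < 18)
    return ac


if __name__ == "__main__":
    ac = build_demo()
    checks = [("bob", "read", {}), ("bob", "delete", {"hour": 10}),
              ("alice", "delete", {"hour": 10}), ("alice", "delete", {"hour": 22}),
              ("mallory", "read", {})]
    for user, perm, ctx in checks:
        print(f"{user:8} {perm:8} {ctx} -> {'ALLOW' if ac.permitted(user, perm, ctx) else 'DENY'}")
```

Note the two defaults that matter in practice: a user with no roles, or a missing context value, always ends in DENY rather than in an exception or an accidental ALLOW.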

Layer-7 (Application)
• Top of the three user support layers
• Enables the user, human or software, to access the network
• Provides user interfaces and support for services, e.g. electronic mail, remote file access and transfer, shared database management and other types of distributed information services
• No headers or trailers are added by this layer
• The application layer is the seventh level of the seven-layer OSI model; it is the "highest layer" of the model
• The book and the course are organised and broken down by the OSI model
• Security of the application layer is critical
  – Review the "Guard the Application Layer" document
  – The security framework is the same as the one listed above under the presentation layer
