Handbook of Information Security Management:Communications Security

Previous Table of Contents Next


Protocols

A protocol is a formal set of rules that computers use to control the flow of messages between them. Networking involves such a complex variety of protocols that the International Standards Organization (ISO) defined the now-popular seven-layer communications model. The Open Systems Interconnection (OSI) model describes communication processes as a hierarchy of layers, each dependent on the layer beneath it. Each layer has a defined interface with the layer above and below. This interface is made flexible so that designers can implement various communications protocols with security features and still follow the standard. Below is a very brief summary of the layers, as depicted in the OSI model.

  The application layer is the highest level. It interfaces with users, gets information from data bases, and transfers whole files. E-mail is an application at this level.
  The presentation layer defines how applications can enter the network.
  The session layer makes the initial contact with other computers and sets up the lines of communication. This layer allows devices to be referenced by name rather than by network address.
  The transport layer defines how to address the physical locations/devices on the network, make connections between nodes, and handles the Internetworking of messages.
  The network layer defines how the small packets of data are routed and relayed between end systems on the same network or on interconnected networks.
  The data-link layer defines the protocol that computers must follow to access the network for transmitting and receiving messages. Token Ring and Ethernet operate within this layer and the physical layer, defined below.
  The physical layer defines the physical connection between the computer and the network and, for example, converts the bits into voltages or light impulses for transmission. Topology is defined here.

Bridges, routers, and gateways are “black boxes” that permit the use of different topologies and protocols within a single heterogeneous system. In general, two LANs that have the same physical layer protocol can be connected with a simple, low-cost repeater. Two LANs that speak the same data-link layer protocol can be connected with a bridge even if they differ at the physical layer. If the LANs have a common network layer protocol, they can be connected with a router. If two LANs have nothing in common they can be connected at the highest level, the application layer, with a gateway.

These black boxes have features and filters that can enhance network security under certain conditions, but the features must be understood and utilized. For example, an organization could elect to permit E-mail to pass bidirectionally by putting in place a mail gateway while preventing interactive log-in sessions and file sessions by not passing any other traffic than E-mail.

Companies should specify a set of OSI protocols for the computer network intended for acquisition and use by their organizations. This requirement should preclude the acquisition of their favorite computer networking products. Instead, when acquiring computer networking products, they are required to purchase OSI capabilities in addition to any other requirements so that multivendor interoperability becomes a built-in feature of the computing environment.

Security is of fundamental importance to the acceptance and use of open systems in a LAN/WAN environment. Part 2 of the Opens Systems Interconnection reference model (Security Architecture) is now an international standard. The standard describes a general architecture for security in OSI, defines a set of security services that may be supported within the OSI model, and outlines a number of mechanisms that can be used in providing the services. However, no protocols, formats, or minimum requirements are contained in the standard.

An organization desiring security in a product that is being purchased in accordance with this profile must specify the security services required, the placement of the services within the OSI architecture, the mechanisms to provide the services, and the management features required. Security services may be provided at one or more of the layers. The primary security services that are defined in the OSI security architecture are (1) data confidentially services to protect against unauthorized disclosure; (2) data integrity services to protect against unauthorized modification, insertion, and deletion; (3) authentication services to verify the identity of communication peer entities and the source of data; and (4) access control services to allow only authorized communication and system access.

Applications

Applications on a LAN can range from word processing to data base management systems. The most universally used application is E-mail. E-mail software provides a user interface to help construct the mail message and an engine to move the E-mail to its destination. Depending on the address, the E-mail may be routed across the office via the LAN or across the country via LAN/WAN bridges and gateways. E-mail may also be sent to other mail systems, both mainframe- and PC-based. An important security note is that on some systems it is also possible to restrict mail users from attaching files as a part of an antivirus program.

Many application systems have their own set of security features, in addition to the protection provided by the network operating system. Data base management systems, in particular, have comprehensive security controls built in to limit access to authorized users.

The WAN

A natural extension of the LAN is the wide area network or WAN. A WAN connects LANS, both locally and remotely, and thus connects remote computers together over long distances. The WAN provides the same functionality as the individual LAN, but on a larger scale where E-mail, applications, and files now move throughout an organization-wide Internet. WANs are, by default, heterogeneous networks that consist of a variety of computers, operating systems, topologies, and protocols. The most popular Internetworking devices for WANs are bridges and routers. Hybrid units called brouters which provide both bridging and routing functions are also appearing. The decision to bridge or route depends on protocols, network topology, and security requirements. Internetworking schemes often include a combination of bridges and routers.

Many organizations today support a variety of networking capabilities for different groups or divisions within their companies. These include LAN to LAN interconnection, gateways to outside company networks, and E-mail backbone capabilities. Network management and security services typically include long-haul data encryption (DES) services.


Previous Table of Contents Next



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.