Security Control Families
Technical Class
Security Control Families

ID   Class         Family                                     # of Controls (Class Total)
CA   Management    Security Assessment and Authorization      6
PL   Management    Planning                                   5
PM   Management    Program Management                         11
RA   Management    Risk Assessment                            4
SA   Management    System and Services Acquisition            14 / 40
AT   Operational   Awareness and Training                     5
CM   Operational   Configuration Management                   9
CP   Operational   Contingency Planning                       10
IR   Operational   Incident Response                          8
MA   Operational   Maintenance                                6
MP   Operational   Media Protection                           6
PE   Operational   Physical and Environmental Protection      19
PS   Operational   Personnel Security                         8
SI   Operational   System and Information Integrity           13 / 84
AC   Technical     Access Control                             19
AU   Technical     Audit and Accountability                   14
IA   Technical     Identification and Authentication          8
SC   Technical     System and Communications Protection       34 / 75
Access Control
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
AC-7 Unsuccessful Login Attempts
AC-8 System Use Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-14 Permitted Actions without Identification or Authentication
AC-17 Remote Access
AC-18 Wireless Access
AC-19 Access Control for Mobile Devices
AC-20 Use of External Information Systems
AC-22 Publicly Accessible Content
References:
800-46 (Telework)
800-77 (IPSec)
800-113 (SSL)
800-114 (External Devices)
800-121 (Bluetooth)
800-48 (Legacy Wireless)
800-94 (IDPS)
800-97 (802.11i Wireless)
800-124 (Cell Phones/PDA)
OMB M 06-16 (Remote Access)
IPSec VPNs
SP 800-77
Network Layer Security
– The Need for Network Layer Security
– Virtual Private Networking (VPN)
• Gateway-to-Gateway Architecture
• Host-to-Gateway Architecture
• Host-to-Host Architecture
IPsec Fundamentals
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
– Internet Key Exchange (IKE)
– IP Payload Compression Protocol (IPComp)
– Putting It All Together
• ESP in a Gateway-to-Gateway Architecture
• ESP and IPComp in a Host-to-Gateway Architecture
• ESP and AH in a Host-to-Host Architecture
Network Layer Security
Confidentiality
Integrity
Peer Authentication
Replay Protection
Traffic Analysis
Access Control
IPSec VPNs
– Gateway-to-Gateway Architecture
– Host-to-Gateway Architecture
– Host-to-Host Architecture
Gateway-to-Gateway Architecture
Host-to-Gateway Architecture
Host-to-Host Architecture
Model Comparison
IPsec Protocols
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
IP Payload Compression Protocol (IPComp)
SSL VPNs
SP 800-113
Virtual Private Networking (VPN)
SSL Portal VPNs
SSL Tunnel VPNs
Administering SSL VPNs
SSL VPN Architecture
SSL VPNs
SSL Portal VPNs
SSL Tunnel VPNs
Administering SSL VPNs
Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved, and therefore are not allowed for use in SSL VPNs that are to be used in applications that must conform to FIPS 140-2.
SSL VPN Architecture
SSL Protocol Basics
Versions of SSL and TLS
Cryptography Used in SSL Sessions
Authentication Used for Identifying SSL Servers
Knowledge Check
What is the protocol used by IPsec that negotiates connection settings, authenticates endpoints to each other, defines the security parameters of IPsec-protected connections, negotiates secret keys, and manages, updates, and deletes IPsec-protected communication channels?
Because AH transport mode cannot alter the original IP header or create a new IP header, transport mode is generally used in which VPN architecture?
Which VPN technologies are approved for use by Federal agencies?
Private Wireless
Public Wireless
Wireless Protocols
Cell Phone Security
Bluetooth Security
Audit & Accountability
AU-2 Auditable Events
AU-3 Content of Audit Records
AU-4 Audit Storage Capacity
AU-5 Response to Audit Processing Failures
AU-6 Audit Review, Analysis, and Reporting
AU-7 Audit Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-10 Non-repudiation
AU-11 Audit Record Retention
AU-12 Audit Generation
References:
800-92 (Log Mgmt)
FIPS 180-3 (SHA)
FIPS 186-3 (DSS)
FIPS 198-1 (HMAC)
Log Management
Log Sources
Analyze Log Data
Respond to Identified Events
Manage Long-Term Log Data Storage
Log Sources
Log Generation
Log Storage and Disposal
Log Security
Analyze Log Data
Gaining an Understanding of Logs
Prioritizing Log Entries
Comparing System-Level and Infrastructure-Level Analysis
Respond to Identified Events
Manage Long-Term Log Data Storage
Choose Log Format for Data to be Archived
Archive the Log Data
Verify Integrity of Transferred Logs
Store Media Securely
Integrity Standards
FIPS 186-3 Digital Signature Standard
FIPS 180-3 Secure Hash Standard
FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)
Identification & Authentication
IA-2 Identification and Authentication (Organizational Users)
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-5 Authenticator Management
IA-6 Authenticator Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-Organizational Users)
References:
800-63 (E-auth)
800-73 (Crypto)
800-76 (Biometrics)
800-78 (PIV Interfaces)
FIPS 140-2
FIPS 201
HSPD 12
OMB 04-04 (E-auth)
OMB 05-24 (HSPD12)
Personal Identity & Verification (PIV)
IA Policy & Standard
HSPD 12 (Policy)
FIPS 201-1 (Implementation)
– PIV-I - Security Requirements
– PIV-II - Technical Interoperability Requirements (Smartcards)
E-Authentication Guidelines
Level 1 – No Identity Proofing
Level 2 – Single-factor Authentication, Identity Proofing Requirements
Level 3 – Multi-factor Authentication
Level 4 – Multi-factor using Hard Token
OMB M-04-04 E-Authentication Guidance for Federal Agencies
System & Communications Protection
SC-2 Application Partitioning
SC-3 Security Function Isolation
SC-4 Information in Shared Resources
SC-5 Denial of Service Protection
SC-7 Boundary Protection
SC-8 Transmission Integrity
SC-9 Transmission Confidentiality
SC-10 Network Disconnect
SC-12 Cryptographic Key Establishment and Management
SC-13 Use of Cryptography
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices
References:
800-32 (PKI)
800-41 (Firewalls)
800-52 (TLS)
800-58 (VoIP)
800-63
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-19 Voice Over Internet Protocol
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-24 Fail in Known State
SC-28 Protection of Information at Rest
SC-32 Information System Partitioning
References:
800-77
800-81 (DNSSEC)
800-95 (Secure Web)
800-113
FIPS 140-2
FIPS 197
OMB 05-24 (PIV)
OMB 08-23 (DNS)
Firewall Technologies
Packet Filtering
Stateful Inspection
Application Firewalls
Application-Proxy Gateways
Dedicated Proxy Servers
Virtual Private Networking
Network Access Control
Unified Threat Management (UTM)
Web Application Firewalls
Firewalls for Virtual Infrastructures
Knowledge Check
Name the AES-based wireless encryption mechanism used in the 802.11i wireless specification.
In which security mode are Bluetooth devices considered “promiscuous”, and do not employ any mechanisms to prevent other Bluetooth-enabled devices from establishing connections?
Which security control requires the information system to protect against an individual falsely denying having performed a particular action?
Which e-authentication level, described in Special Publication 800-63, requires multifactor authentication and the use of a hard token?
Cryptographic Services
Data integrity
Confidentiality
Identification and authentication
Non-repudiation
Cryptographic Security Mechanisms
Symmetric Key Encryption
Objective: Confidentiality via Bulk Encryption
The Problem with Symmetric Keys
Asymmetric Key Encryption
Objective: Symmetric Key Exchange/Authentication
Hash Functions
Objective: Data Integrity
Digital Signature
Objective: Non-Repudiation (Authentication + Integrity)
PKI
SP 800-32
Security Services
Non-cryptographic Security Mechanisms
Cryptographic Security Mechanisms
PKI Components
PKI Architectures
PKI Components
Certification Authority (CA)
Registration Authority (RA)
Repository
Archive
Public Key Certificate
Certificate Revocation Lists (CRLs)
PKI Users
TLS
SP 800-52
Mapping the Security Parts of TLS to Federal Standards
Key Establishment
RSA
DH (Diffie-Hellman)
Fortezza-KEA
Confidentiality/Symmetric Key Algorithms
IDEA
RC4
3DES-EDE
AES
Signature & Hashes
RSA
DSA
MD5
SHA1
VoIP
SP 800-58
Overview of VoIP
Privacy and Legal Issues with VoIP
VoIP Security Issues
Quality of Service Issues
VoIP Architectures
Solutions to the VoIPsec Issues
Overview of VoIP
Public Facing Web Server
DNS Transaction Threats & Security Objectives
Technical Security Controls
Key Concepts & Vocabulary
AC – Access Control
AU – Auditing & Accountability
IA – Identification & Authentication
SC – System & Communication Protection