Security service (telecommunication)

A security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers, as defined by ITU-T Recommendation X.800. [1]
X.800 and ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture) [2] are technically aligned. This model is widely recognized. [3] [4]

A more general definition is given in CNSS Instruction No. 4009 of 26 April 2010, by the Committee on National Security Systems of the United States: [5]

A capability that supports one, or more, of the security requirements (Confidentiality, Integrity, Availability). Examples of security services are key management, access control, and authentication.

Another authoritative definition is in the W3C Web Services Glossary [6], adopted by NIST SP 800-95: [7]

A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms.

Basic security terminology

Information security and computer security are the disciplines that deal with the requirements of confidentiality, integrity and availability (the so-called CIA triad) of the information assets of an organization (company or agency) and of the information managed by computers, respectively.

Threats attack resources (information, or the devices that manage it) by exploiting one or more vulnerabilities. Resources are protected by one or more countermeasures, also called security controls. [8]

In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and cause harm. A vulnerability is a weakness that a threat actor, such as an attacker, can exploit to perform unauthorized actions within a computer system; to exploit it, the attacker must have at least one applicable tool or technique that can reach the weakness. The set of points through which an attacker can reach a system's weaknesses is the system's attack surface, which is distinct from the vulnerabilities themselves. An exploit is a piece of software, a chunk of data or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behaviour in software, hardware or other electronic equipment; such behaviour frequently includes gaining control of a system, privilege escalation or denial of service.

Security services thus implement part of the countermeasures by which an organization tries to meet its security requirements. [3] [9]

Basic OSI terminology

So that different devices (computers, routers, cellular phones) can communicate data in a standardized way, communication protocols have been defined.

The ITU-T has published a large set of protocols; their general architecture is defined in Recommendation X.200. [10]

The physical media (air, cables) and the protocols and protocol stacks used to communicate over them together form a communication network.

Security requirements are applicable to the information sent over the network. The discipline dealing with security over a network is called Network security. [11]

The X.800 Recommendation: [1]

  1. provides a general description of security services and related mechanisms, which may be provided by the Reference Model; and
  2. defines the positions within the Reference Model where the services and mechanisms may be provided.

This Recommendation extends the field of application of Recommendation X.200, to cover secure communications between open systems.

According to Recommendation X.200, the OSI Reference Model has seven layers; a generic layer is called the (N)-layer, and an (N+1)-entity requests transmission services from the (N)-entity below it. [10]

At each layer, two (N)-entities interact by means of the (N)-protocol, exchanging Protocol Data Units (PDUs). A Service Data Unit (SDU) is the unit of data that an (N+1)-entity hands down to the (N)-layer and that the (N)-layer has not yet encapsulated into a PDU: it is data sent by a user of the (N)-service and delivered semantically unchanged to the peer service user. The (N+1)-PDU is therefore the (N)-SDU; in effect, the SDU is the payload of the PDU that carries it.

Encapsulation is performed by the lower layer: the (N)-layer adds a header, a trailer, or both, to the (N)-SDU, turning it into an (N)-PDU, and the whole SDU is contained in that PDU. The added headers and trailers carry the control information needed to get the data from source to destination. [10]

OSI security services description

The following are considered to be the security services which can be provided optionally within the framework of the OSI Reference Model. The authentication services require authentication information comprising locally stored information and data that is transferred (credentials) to facilitate the authentication: [1] [4]

Authentication
These services provide for the authentication of a communicating peer entity and the source of data as described below.
Peer entity authentication
This service, when provided by the (N)-layer, provides corroboration to the (N + 1)-entity that the peer entity is the claimed (N + 1)-entity.
Data origin authentication
This service, when provided by the (N)-layer, provides corroboration to an (N + 1)-entity that the source of the data is the claimed peer (N + 1)-entity.
Access control
This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. This protection service may be applied to various types of access to a resource (e.g., the use of a communications resource; the reading, the writing, or the deletion of an information resource; the execution of a processing resource) or to all accesses to a resource.
Data confidentiality
These services provide for the protection of data from unauthorized disclosure, as described below.
Connection confidentiality
This service provides for the confidentiality of all (N)-user-data on an (N)-connection.
Connectionless confidentiality
This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU.
Selective field confidentiality
This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.
Traffic flow confidentiality
This service provides for the protection of the information which might be derived from observation of traffic flows.
Data integrity
These services counter active threats and may take one of the forms described below.
Connection integrity with recovery
This service provides for the integrity of all (N)-user-data on an (N)-connection and detects any modification, insertion, deletion or replay of any data within an entire SDU sequence (with recovery attempted).
Connection integrity without recovery
As for the previous one but with no recovery attempted.
Selective field connection integrity
This service provides for the integrity of selected fields within the (N)-user data of an (N)-SDU transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed.
Connectionless integrity
This service, when provided by the (N)-layer, provides integrity assurance to the requesting (N + 1)-entity. This service provides for the integrity of a single connectionless SDU and may take the form of determination of whether a received SDU has been modified. Additionally, a limited form of detection of replay may be provided.
Selective field connectionless integrity
This service provides for the integrity of selected fields within a single connectionless SDU and takes the form of determination of whether the selected fields have been modified.
Non-repudiation
This service may take one or both of two forms.
Non-repudiation with proof of origin
The recipient of data is provided with proof of the origin of data. This will protect against any attempt by the sender to falsely deny sending the data or its contents.
Non-repudiation with proof of delivery
The sender of data is provided with proof of delivery of data. This will protect against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.
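
As an added example (not code from X.800 or from the page's sources), the following Go program builds the SDU-to-PDU encapsulation described in the OSI terminology section above and uses the added header and trailer to provide three of the services just listed to the (N+1)-entity: connectionless integrity, data origin authentication, and the limited form of replay detection that X.800 allows for the connectionless case. The wire layout, the names NEntity, Encapsulate and Decapsulate, the sample SDU and the key are all assumptions of the example; HMAC-SHA256 stands in for the data integrity mechanism, and the sequence number in the header is what gives the replay detection.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout of the (N)-PDU built by this example (an assumed format, not one from X.800):
//
//	header:  sequence number (8 bytes, big-endian)
//	body:    the (N)-SDU exactly as handed down by the (N+1)-entity
//	trailer: HMAC-SHA256 over header || body (32 bytes)
const (
	seqLen = 8
	tagLen = sha256.Size
)

// NEntity is a toy (N)-layer entity. The shared key is assumed to have been
// distributed out of band; HMAC plays the role of the data integrity mechanism.
type NEntity struct {
	key     []byte
	nextSeq uint64          // next sequence number to place in an outgoing header
	seen    map[uint64]bool // sequence numbers already accepted (limited replay detection)
}

func NewNEntity(key []byte) *NEntity {
	return &NEntity{key: key, seen: make(map[uint64]bool)}
}

func (e *NEntity) tag(data []byte) []byte {
	m := hmac.New(sha256.New, e.key)
	m.Write(data)
	return m.Sum(nil)
}

// Encapsulate turns an (N)-SDU into an (N)-PDU by adding a header and a trailer.
// The SDU itself is carried unchanged, as the reference model requires.
func (e *NEntity) Encapsulate(sdu []byte) []byte {
	pdu := make([]byte, seqLen, seqLen+len(sdu)+tagLen)
	binary.BigEndian.PutUint64(pdu, e.nextSeq)
	e.nextSeq++
	pdu = append(pdu, sdu...)
	return append(pdu, e.tag(pdu)...)
}

// Decapsulate verifies a received (N)-PDU and returns the (N)-SDU to the (N+1)-entity.
// A bad tag means the PDU was modified or did not come from the holder of the key
// (connectionless integrity, data origin authentication); a sequence number that
// was already accepted means a replay.
func (e *NEntity) Decapsulate(pdu []byte) ([]byte, error) {
	if len(pdu) < seqLen+tagLen {
		return nil, errors.New("PDU too short")
	}
	body, tag := pdu[:len(pdu)-tagLen], pdu[len(pdu)-tagLen:]
	if !hmac.Equal(tag, e.tag(body)) {
		return nil, errors.New("integrity check failed: modified or not from the claimed peer")
	}
	seq := binary.BigEndian.Uint64(body[:seqLen])
	if e.seen[seq] {
		return nil, errors.New("replay detected")
	}
	e.seen[seq] = true
	return append([]byte(nil), body[seqLen:]...), nil
}

// Demo plays one genuine transfer, one modified in transit and one replayed,
// and reports what the receiving entity decided for each.
func Demo() (accepted []byte, tamperErr, replayErr error) {
	key := []byte("constructed-example-key-not-for-real-use") // constructed sample key
	sender, receiver := NewNEntity(key), NewNEntity(key)

	pdu := sender.Encapsulate([]byte("TRANSFER 100 TO ACCT 42")) // constructed (N)-SDU
	accepted, _ = receiver.Decapsulate(pdu)

	tampered := append([]byte(nil), pdu...)
	tampered[seqLen+9] ^= 0x01 // active attacker flips a bit inside "100"
	_, tamperErr = receiver.Decapsulate(tampered)

	_, replayErr = receiver.Decapsulate(pdu) // attacker re-sends the genuine PDU
	return accepted, tamperErr, replayErr
}

func main() {
	sdu, tErr, rErr := Demo()
	fmt.Printf("genuine PDU  -> SDU %q\n", sdu)
	fmt.Println("tampered PDU ->", tErr)
	fmt.Println("replayed PDU ->", rErr)
}
```

Run as written, the receiver accepts the genuine PDU, rejects the bit-flipped copy with an integrity error and rejects the re-sent original as a replay. Note what the HMAC trailer does not give: the receiver holds the same key and could have produced the tag itself, so this is data origin authentication towards the peer, not non-repudiation.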

Specific security mechanisms

The security services may be provided by means of security mechanisms: [1] [3] [4]

Table 1/X.800 shows which mechanisms are considered appropriate for providing each service, either on their own or in combination:

Table 1/X.800 – Illustration of the relationship of security services and mechanisms
(Y: the mechanism is considered appropriate, alone or in combination with others; ·: not appropriate)

Service                                  | Encipherment | Digital signature | Access control | Data integrity | Authentication exchange | Traffic padding | Routing control | Notarization
-----------------------------------------+--------------+-------------------+----------------+----------------+-------------------------+-----------------+-----------------+-------------
Peer entity authentication               |      Y       |         Y         |       ·        |       ·        |            Y            |        ·        |        ·        |      ·
Data origin authentication               |      Y       |         Y         |       ·        |       ·        |            ·            |        ·        |        ·        |      ·
Access control service                   |      ·       |         ·         |       Y        |       ·        |            ·            |        ·        |        ·        |      ·
Connection confidentiality               |      Y       |         ·         |       ·        |       ·        |            ·            |        ·        |        Y        |      ·
Connectionless confidentiality           |      Y       |         ·         |       ·        |       ·        |            ·            |        ·        |        Y        |      ·
Selective field confidentiality          |      Y       |         ·         |       ·        |       ·        |            ·            |        ·        |        ·        |      ·
Traffic flow confidentiality             |      Y       |         ·         |       ·        |       ·        |            ·            |        Y        |        Y        |      ·
Connection integrity with recovery       |      Y       |         ·         |       ·        |       Y        |            ·            |        ·        |        ·        |      ·
Connection integrity without recovery    |      Y       |         ·         |       ·        |       Y        |            ·            |        ·        |        ·        |      ·
Selective field connection integrity     |      Y       |         ·         |       ·        |       Y        |            ·            |        ·        |        ·        |      ·
Connectionless integrity                 |      Y       |         Y         |       ·        |       Y        |            ·            |        ·        |        ·        |      ·
Selective field connectionless integrity |      Y       |         Y         |       ·        |       Y        |            ·            |        ·        |        ·        |      ·
Non-repudiation, origin                  |      ·       |         Y         |       ·        |       Y        |            ·            |        ·        |        ·        |      Y
Non-repudiation, delivery                |      ·       |         Y         |       ·        |       Y        |            ·            |        ·        |        ·        |      Y

Some services apply to connection-oriented protocols, others to connectionless protocols, and some to both.
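
Table 1 marks the two non-repudiation services against the digital signature and notarization mechanisms but not against the shared-key data integrity mechanism. The Go program below, an added example rather than code from X.800 or from the page's sources, shows why, using the standard library's HMAC-SHA256 and Ed25519: under a shared key the recipient can produce a valid tag for any text it likes, so a third party given that key cannot attribute a message to the sender, whereas a signature verifies under the sender's public key alone and the recipient cannot forge one for an altered text. A receipt that the recipient signs over the sender's signature then gives the second form, proof of delivery. The keys, the messages, the arbiterMAC function and the Outcome struct are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hmacTag is the shared-key data integrity mechanism: anyone holding key can
// verify a tag, and can equally well produce one.
func hmacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// arbiterMAC is the only check a third party can make when handed the shared key.
func arbiterMAC(key, msg, tag []byte) bool {
	return hmac.Equal(tag, hmacTag(key, msg))
}

// Outcome records what an arbitrator can conclude from the evidence after a dispute.
type Outcome struct {
	GenuineTagVerifies      bool // sender's (message, tag) passes arbiterMAC
	ForgedTagVerifies       bool // recipient's rewritten (message, tag) passes it just as well
	GenuineSigVerifies      bool // sender's signature verifies under the sender's public key
	ForgedSigVerifies       bool // recipient's attempt to pass off an altered text as signed
	DeliveryReceiptVerifies bool // recipient's signed receipt verifies under the recipient's public key
}

func Demo() (Outcome, error) {
	var o Outcome
	msg := []byte("I agree to pay 500 EUR")      // constructed sample message
	altered := []byte("I agree to pay 5000 EUR") // what a dishonest recipient would like to claim

	// Shared-key case: sender and recipient both hold k.
	k := []byte("constructed-shared-key")
	genuineTag := hmacTag(k, msg)    // made by the sender
	forgedTag := hmacTag(k, altered) // made by the recipient, with the very same key
	o.GenuineTagVerifies = arbiterMAC(k, msg, genuineTag)
	o.ForgedTagVerifies = arbiterMAC(k, altered, forgedTag) // also true: no proof of origin

	// Digital-signature case: only the sender holds senderPriv.
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	sig := ed25519.Sign(senderPriv, msg)
	o.GenuineSigVerifies = ed25519.Verify(senderPub, msg, sig)
	// Without senderPriv the best the recipient can do is reuse sig on the altered text.
	o.ForgedSigVerifies = ed25519.Verify(senderPub, altered, sig)

	// Proof of delivery: the recipient countersigns what it received with its own key,
	// which gives the sender evidence the recipient cannot later deny.
	recipientPub, recipientPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	receipt := ed25519.Sign(recipientPriv, sig)
	o.DeliveryReceiptVerifies = ed25519.Verify(recipientPub, sig, receipt)
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Both shared-key tags verify, so an arbitrator holding k learns nothing about who wrote which text; the genuine signature verifies and the forged one does not, which is what lets the recipient prove origin, and the countersigned receipt is what lets the sender prove delivery. In a real deployment the public keys would also need to be bound to the parties, for example through a PKI, which is the role notarization plays in the table.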

The table 2/X.800 illustrates the relationship of security services and layers: [4]

Table 2/X.800 – Illustration of the relationship of security services and layers
(Y: the service is considered appropriate at that layer; ·: not appropriate)

Service                                  | 1 | 2 | 3 | 4 | 5 | 6 | 7*
-----------------------------------------+---+---+---+---+---+---+----
Peer entity authentication               | · | · | Y | Y | · | · | Y
Data origin authentication               | · | · | Y | Y | · | · | Y
Access control service                   | · | · | Y | Y | · | · | Y
Connection confidentiality               | Y | Y | Y | Y | · | Y | Y
Connectionless confidentiality           | · | Y | Y | Y | · | Y | Y
Selective field confidentiality          | · | · | · | · | · | Y | Y
Traffic flow confidentiality             | Y | · | Y | · | · | · | Y
Connection integrity with recovery       | · | · | · | Y | · | · | Y
Connection integrity without recovery    | · | · | Y | Y | · | · | Y
Selective field connection integrity     | · | · | · | · | · | · | Y
Connectionless integrity                 | · | · | Y | Y | · | · | Y
Selective field connectionless integrity | · | · | · | · | · | · | Y
Non-repudiation, origin                  | · | · | · | · | · | · | Y
Non-repudiation, delivery                | · | · | · | · | · | · | Y

* With respect to layer 7, the application process may itself provide security services.

Managed security service

A managed security service (MSS) is a network security service that has been outsourced to a service provider.


References

  1. X.800: Security architecture for Open Systems Interconnection for CCITT applications
  2. ISO 7498-2: Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture
  3. William Stallings, Crittografia e sicurezza delle reti, 2nd edition, ISBN 88-386-6377-7. Italian translation by Luca Salgarelli of Cryptography and Network Security, 4th edition, Pearson, 2006
  4. Steven Furnell, Sokratis Katsikas, Javier Lopez, Securing information and communications systems: principles, technologies, and applications, Artech House, 2008, 362 pages
  5. CNSS Instruction No. 4009, 26 April 2010
  6. W3C Web Services Glossary
  7. NIST Special Publication 800-95, Guide to Secure Web Services
  8. Internet Engineering Task Force, RFC 2828, Internet Security Glossary
  9. William Stallings, Network security essentials: applications and standards, Prentice Hall, 2007, 413 pages
  10. X.200: Information technology – Open Systems Interconnection – Basic Reference Model: The basic model
  11. Simmonds, A; Sandilands, P; van Ekert, L (2004). "An Ontology for Network Security Attacks". Lecture Notes in Computer Science 3285: 317–323