THE OSI SECURITY ARCHITECTURE

To assess effectively the security needs of an organization and to evaluate and
choose various security products and policies, the manager responsible for computer
and network security needs some systematic way of defining the requirements
for security and characterizing the approaches to satisfying those requirements.This
is difficult enough in a centralized data processing environment; with the use of
local and wide area networks, the problems are compounded.
ITU-T4 Recommendation X.800, Security Architecture for OSI, defines such a
systematic approach.5 The OSI security architecture is useful to managers as a way of organizing the task of providing security. Furthermore, because this architecture
was developed as an international standard, computer and communications vendors
have developed security features for their products and services that relate to this
structured definition of services and mechanisms.
For our purposes, the OSI security architecture provides a useful, if abstract,
overview of many of the concepts that this book deals with.The OSI security architecture
focuses on security attacks, mechanisms, and services. These can be defined
briefly as
• Security attack: Any action that compromises the security of information
owned by an organization.
• Security mechanism: A process (or a device incorporating such a process) that
is designed to detect, prevent, or recover from a security attack.
• Security service: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization. The services are intended to counter security attacks, and they
make use of one or more security mechanisms to provide the service.




SECURITY ATTACKS

A useful means of classifying security attacks, used both in X.800 and RFC 2828, is
in terms of passive attacks and active attacks. A passive attack attempts to learn or
make use of information from the system but does not affect system resources. An
active attack attempts to alter system resources or affect their operation.
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
The goal of the opponent is to obtain information that is being transmitted.Two types
of passive attacks are the release of message contents and traffic analysis.

The release of message contents is easily understood . A telephone
conversation, an electronic mail message, and a transferred file may contain
sensitive or confidential information.We would like to prevent an opponent from
learning the contents of these transmissions.

A second type of passive attack, traffic analysis, is subtler .
Suppose that we had a way of masking the contents of messages or other
information traffic so that opponents, even if they captured the message,
could not extract the information from the message.The common technique
for masking contents is encryption. If we had encryption protection in place,
an opponent still might be able to observe the pattern of these messages.The
opponent could determine the location and identity of communicating hosts
and could observe the frequency and length of messages being exchanged.
This information might be useful in guessing the nature of the communication
that was taking place.
Passive attacks are very difficult to detect, because they do not
involve any alteration of the data. Typically, the message traffic is sent and
received in an apparently normal fashion, and neither the sender nor the
receiver is aware that a third party has read the messages or observed the
traffic pattern. However, it is feasible to prevent the success of these
attacks, usually by means of encryption. Thus, the emphasis in dealing with
passive attacks is on prevention rather than detection.



Active Attacks

Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories: masquerade,
replay, modification of messages, and denial of service.
A masquerade takes place when one entity pretends to be a different
entity (Figure 1.3a). A masquerade attack usually includes one of the other
forms of active attack. For example, authentication sequences can be captured
and replayed after a valid authentication sequence has taken place,
thus enabling an authorized entity with few privileges to obtain extra privileges
by impersonating an entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect (Figure 1.3b).
Modification of messages simply means that some portion of a
legitimate message is altered, or that messages are delayed or reordered,
to produce an unauthorized effect (Figure 1.3c). For example, a message
meaning “Allow John Smith to read confidential file accounts” is
modified to mean “Allow Fred Brown to read confidential file
accounts.”
The denial of service prevents or inhibits the normal use or management
of communications facilities (Figure 1.3d). This attack may have a
specific target; for example, an entity may suppress all messages directed
to a particular destination (e.g., the security audit service). Another form
of service denial is the disruption of an entire network—either by disabling
the network or by overloading it with messages so as to degrade
performance.
Active attacks present the opposite characteristics of passive attacks.
Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks
absolutely because of the wide variety of potential physical, software, and network
vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption
or delays caused by them. If the detection has a deterrent effect, it also may
contribute to prevention.

COMPUTER SECURITY CONCEPTS

A Definition of Computer Security


COMPUTER SECURITY
The protection afforded to an automated information system in order to attain the
applicable objectives of preserving the integrity, availability, and confidentiality of
information system resources (includes hardware, software, firmware, information/
data, and telecommunications).




This definition introduces three key objectives that are at the heart of computer
security.
• Confidentiality: This term covers two related concepts:
Data2 confidentiality: Assures that private or confidential information is not
made available or disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom that
information may be disclosed.
• Integrity: This term covers two related concepts:
Data integrity: Assures that information and programs are changed only in
a specified and authorized manner.
System integrity: Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to
authorized users.



These three concepts form what is often referred to as the CIA triad (Figure 1.1).
The three concepts embody the fundamental security objectives for both data and
for information and computing services. For example, the NIST Standards for Security
Categorization of Federal Information and Information Systems (FIPS 199) lists
confidentiality, integrity, and availability as the three security objectives for information
and for information systems.

Confidentiality: Preserving authorized restrictions on information access

and disclosure, including means for protecting personal privacy and proprietary

information. A loss of confidentiality is the unauthorized disclosure of

information.

• Integrity: Guarding against improper information modification or destruction,

including ensuring information nonrepudiation and authenticity.

A loss of integrity is the unauthorized modification or destruction of

information.

• Availability: Ensuring timely and reliable access to and use of information.A loss

of availability is the disruption of access to or use of information or an information

system.

Examples

We now provide some examples of applications that illustrate the requirements just

enumerated. For these examples, we use three levels of impact on organizations or

individuals should there be a breach of security (i.e., a loss of confidentiality,

integrity, or availability).These levels are defined in FIPS 199:

• Low: The loss could be expected to have a limited adverse effect on organizational

operations, organizational assets, or individuals. A limited adverse effect

means that, for example, the loss of confidentiality, integrity, or availability

might (i) cause a degradation in mission capability to an extent and duration

that the organization is able to perform its primary functions, but the effectiveness

of the functions is noticeably reduced; (ii) result in minor damage to

organizational assets; (iii) result in minor financial loss; or (iv) result in minor

harm to individuals.

Moderate: The loss could be expected to have a serious adverse effect on

organizational operations, organizational assets, or individuals. A serious

adverse effect means that, for example, the loss might (i) cause a significant

degradation in mission capability to an extent and duration that the organization

is able to perform its primary functions, but the effectiveness of the

functions is significantly reduced; (ii) result in significant damage to organizational

assets; (iii) result in significant financial loss; or (iv) result in significant

harm to individuals that does not involve loss of life or serious,

life-threatening injuries.

• High: The loss could be expected to have a severe or catastrophic adverse

effect on organizational operations, organizational assets, or individuals. A

severe or catastrophic adverse effect means that, for example, the loss might

(i) cause a severe degradation in or loss of mission capability to an extent and

duration that the organization is not able to perform one or more of its primary

functions; (ii) result in major damage to organizational assets; (iii) result

in major financial loss; or (iv) result in severe or catastrophic harm to individuals

involving loss of life or serious, life-threatening injuries.

The Challenges of Computer Security

Computer and network security is both fascinating and complex. Some of the reasons

include:

1. Security is not as simple as it might first appear to the novice. The requirements

seem to be straightforward; indeed, most of the major requirements for

security services can be given self-explanatory, one-word labels: confidentiality,

authentication, nonrepudiation, integrity. But the mechanisms used to

meet those requirements can be quite complex, and understanding them may

involve rather subtle reasoning.

2. In developing a particular security mechanism or algorithm, one must always

consider potential attacks on those security features. In many cases, successful

attacks are designed by looking at the problem in a completely different way,

therefore exploiting an unexpected weakness in the mechanism.

3. Because of point 2, the procedures used to provide particular services are often

counterintuitive.Typically, a security mechanism is complex, and it is not obvious

from the statement of a particular requirement that such elaborate measures are

needed. It is only when the various aspects of the threat are considered that elaborate

security mechanisms make sense.

4. Having designed various security mechanisms, it is necessary to decide where to

use them.This is true both in terms of physical placement (e.g., at what points in

a network are certain security mechanisms needed) and in a logical sense [e.g., at

what layer or layers of an architecture such as TCP/IP (Transmission Control

Protocol/Internet Protocol) should mechanisms be placed).

5. Security mechanisms typically involve more than a particular algorithm or

protocol. They also require that participants be in possession of some secret

information (e.g., an encryption key), which raises questions about the creation,

distribution, and protection of that secret information. There also may

be a reliance on communications protocols whose behavior may complicate

the task of developing the security mechanism. For example, if the proper

functioning of the security mechanism requires setting time limits on the

transit time of a message from sender to receiver, then any protocol or network

that introduces variable, unpredictable delays may render such time

limits meaningless.

6. Computer and network security is essentially a battle of wits between a perpetrator

who tries to find holes and the designer or administrator who tries to close

them.The great advantage that the attacker has is that he or she need only find a

single weakness, while the designer must find and eliminate all weaknesses to

achieve perfect security.

7. There is a natural tendency on the part of users and system managers to perceive

little benefit from security investment until a security failure occurs.

8. Security requires regular, even constant, monitoring, and this is difficult in today’s

short-term, overloaded environment.

9. Security is still too often an afterthought to be incorporated into a system

after the design is complete rather than being an integral part of the design

process.

10. Many users (and even security administrators) view strong security as an

impediment to efficient and user-friendly operation of an information system

or use of information.