Final Conference in Paris WP6 – Protection Profiles Specification

Final Conference in Paris, WP6 – Protection Profiles Specification
Markus Engqvist and Staffan Persson, atsec information security AB, 2018-09-18

Security Requirements: Protection Profiles
- The deliverable D6.1 is the specification of security requirements for network separation in the form of Protection Profiles
- This deliverable consists of four parts:
  - An Introduction document: describes the background and context for the Protection Profiles, and the connection to the CYRail project
  - Base Protection Profile for Network Separation Mechanisms: describes the minimum security requirements of a network device that directs data transmitted over computer networks, such as secure management and auditing functionality
  - Protection Profile for Network Separation Mechanisms, VLAN Module: defines the minimum security requirements for a device that provides Virtual Local Area Network (VLAN) separation. It is a module for the Base Protection Profile.
  - Protection Profile for Network Separation Mechanisms, VPN Module: defines the minimum security requirements for a device that provides Virtual Private Networks (VPNs) and/or secure communication channels over computer networks. It is a module for the Base Protection Profile.

ISO/IEC 15408 (Common Criteria)
- ISO/IEC 15408 is a standard for specifying security requirements and evaluating IT security products against these requirements
- The CC is intentionally flexible:
  - A Security Target (ST) specifies the security functionality of a product; a product claims compliance to an ST
  - A Protection Profile (PP) specifies security functionality for a type of product, with no details regarding implementation; an ST can claim compliance to one PP or to multiple PPs
  - A modular Protection Profile provides selectable sets of security functionality for a type of product; an ST which claims compliance to a Base-PP can also claim compliance to one or more of its PP-Modules

Introduction Document: Purpose
- Describe the original security problem and how the security requirements solving that problem were derived
- Describe the context of Protection Profiles
- Describe how the Protection Profile can be used in the future

Introduction Document: Summary
- Security problems relating to interconnectivity, shared resources and the use of standard components and protocols
- Similar situations, problems and solutions exist in ICS/SCADA, automotive and aviation
- The MILS approach, built on separation, offers a solution; monitoring and secure management are also required
- The CYRail project is based on standards such as ISO/IEC 27000, NIST SP-800, ISA/IEC 62443, ETSI TS 102 and ISO/IEC 15408 (Common Criteria)
- We also provide a description of ISO 15408, what it is and how it is used
- The document also describes the relation between ISO/IEC 15408 and ISA/IEC 62443

Protection Profiles
Purpose
- The Protection Profiles describe a network device that provides separation
- The Protection Profiles define the minimum necessary security functionality
- They are intended to be able to support a MILS architecture in critical infrastructure
- With Base PPs and PP Modules, users can choose their desired separation mechanism
Summary
- The Protection Profiles are a Base PP together with PP Modules
- We have chosen the EAL4 assurance level (augmented with ALC_FLR.2)
- The next slides will summarize the different Protection Profiles

Base Protection Profile
- The Base PP focuses on providing common functionality that is independent of the separation functionality:
  - Secure management of security functionality
  - Protection of the device itself
  - Audit requirements (logging)
- The Base PP is written in a general way, to be able to accommodate as many products as possible while still providing the necessary security requirements
- The Base PP describes the separation mechanisms, and was written to be able to support the modules
- We define that users must also use at least one module(!)

PP Modules
- The PP Modules are optional packages for the Base PP; they each add one separation functionality
- VLAN Module
  - Traffic flow control: separating (Data link layer) traffic between interfaces via Virtual LANs
  - This creates separate broadcast domains for directly connected devices
  - Also supports IEEE 802.1q for tagging and aggregation
- Trusted Channel Module
  - Separates traffic through cryptographic channels; cryptography also provides confidentiality and integrity of the data
  - We specify IPsec (Network layer), TLS or SSH (Application layer)
  - The PP Module also points to well-established standards and guidelines for the cryptographic implementation

Applying the Protection Profile
- In the following slides, we have created some visual examples of how the Protection Profiles can be used
- We are not stating any requirements, but rather giving some examples of the situations in which the Protection Profiles can be used
- They will be able to solve different problems in different ways, providing different results or properties:
  - How flexible is the solution?
  - Does it require surrounding functionality (such as a PKI)?
  - How is it maintained?
- The actual usage and implementation is up to, and will depend on, the specific requirements of the customer/user
- The solution not only has to be secure, but also usable!

Channels: IPsec
- IPsec creates a Virtual Private Network, i.e. a logical connection between two remote networks (a network tunnel)
- The connection is secured cryptographically, and thereby separated from the untrusted networks through which the channel is transmitted
- Devices within the network will perceive the virtual configuration as the actual one, and behave as if on the same LAN
- The cryptographic tunnels support authentication, integrity and replay protection (along with confidentiality)
- The tunnels will require devices on each network that support IPsec to establish the secure channel
- In larger configurations there is also a need for supporting functionality such as key distribution and certificate management

Channels: IPsec
- One use case would be to connect a trusted network of assets to a remote control center over the internet, e.g. control center and signalling networks
- Another use case is to encapsulate untrusted traffic travelling via a trusted network, e.g. if the network connection passes through the internal network
(Diagram: Control Center, Signalling)
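The replay protection mentioned on the IPsec slide is provided on the receiving side of an ESP tunnel by a sliding window over sequence numbers. The following added example (not from the slides or the CYRail deliverable) models that window after RFC 4303 Appendix A; the window size of 64 and the packet trace are constructed assumptions, and extended sequence numbers are not modelled.

```python
class AntiReplayWindow:
    """Receiver-side sliding window for ESP sequence numbers (after RFC 4303, Appendix A).

    Bit i of `bitmap` is set when sequence number (top - i) has already been accepted.
    Assumes 32-bit sequence numbers without ESN; the window size is a constructed choice."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit 0 corresponds to `top`

    def check_and_update(self, seq):
        """Return True and record `seq` if it is fresh; False if replayed or too old.

        A real receiver only updates the window after the integrity check (ICV) succeeds."""
        if seq == 0:
            return False                          # ESP never sends sequence number 0
        if seq > self.top:                        # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                   # everything previously seen falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                          # left of the window: too old to judge
        if self.bitmap & (1 << offset):
            return False                          # inside the window but already seen
        self.bitmap |= 1 << offset                # late but fresh: accept and mark
        return True


def simulate(seqs, size=64):
    """Run a constructed sequence-number trace through one window; return accept/reject per packet."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed trace: in-order, reordered (4 after 5), a duplicate (4), a jump to 60,
# a late-but-fresh 6 and 59, then a stale replay of 3 that the window still remembers.
SAMPLE_TRACE = [1, 2, 3, 5, 4, 4, 60, 6, 59, 3]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_TRACE, simulate(SAMPLE_TRACE)):
        print(seq, "accepted" if ok else "rejected")
```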

Channels: TLS & SSH
- Rather than connecting networks, TLS & SSH are used to connect applications or devices
- They work in a client–server model, where one unit initiates a connection
- Attackers located on the same network can observe the encrypted traffic but not access the data within
- These channels can travel through the cryptographic tunnels of IPsec, as the separation is performed on the application layer
- Application layer encryption is flexible, and offers a variety of possible uses and configurations
- This might lead to a higher attack surface than components behind an IPsec connection, as attackers may be able to target the devices/applications that communicate (only the traffic is separated)
- Also, larger implementations require processes for certificate management

Channels: TLS & SSH
- TLS will most likely be used in general for applications communicating on the network, e.g. traffic from CCTV cameras, so that no one can eavesdrop on or change the footage
- SSH will be used for management of devices, e.g. in the case of the CCTVs: a different channel from the footage, with more restrictive access controls
- Client–server model, examples:
  - An administrator's client connects to a TOE server
  - A CCTV client reports its footage to a TLS server

Virtual LANs
- VLANs should not be fully relied upon for security, as they offer no protection besides the separation of traffic through the device itself
- They will most likely be used in three main scenarios:
  - To limit interference between services or reduce network congestion
  - To be used routinely in combination with cryptographic separation, providing an additional means of attack surface reduction
  - To prevent interference between untrusted services where security is not critical, i.e. we would not like internet users to be able to disturb each other, but this is not critical to operational security
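To make concrete what the VLAN Module's "traffic flow control" and "separate broadcast domains" mean at the frame level (PP Modules slide and the Virtual LANs slide above), here is an added example that is not part of the slides or of any product: a parser for the IEEE 802.1Q tag plus a hypothetical switch model that applies per-port VLAN membership on ingress and floods broadcasts only within the admitted VLAN. The port layout (signalling hosts in VLAN 10, CCTV in VLAN 20, one trunk) and the frames are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame, optionally with one 802.1Q tag (constructed sample data)."""
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid, pcp, ethertype, payload); vid and pcp are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]

class VlanSwitch:
    """Hypothetical switch model: per-port VLAN membership with ingress filtering.
    ports: {name: {"native": vid, "allowed": {vids}}}."""
    def __init__(self, ports):
        self.ports = ports

    def classify(self, port, frame):
        """VLAN the frame is admitted to on `port`, or None if ingress filtering drops it."""
        cfg = self.ports[port]
        vid, _, _, _ = parse_frame(frame)
        if vid is None or vid == 0:       # untagged or priority-tagged: port's native VLAN
            vid = cfg["native"]
        if vid == 0xFFF:                  # VID 4095 is reserved and never forwarded
            return None
        return vid if vid in cfg["allowed"] else None

    def flood_targets(self, port, frame):
        """Ports a broadcast arriving on `port` reaches: only members of the same VLAN."""
        vid = self.classify(port, frame)
        if vid is None:
            return set()
        return {p for p, c in self.ports.items() if p != port and vid in c["allowed"]}

# Constructed layout: signalling hosts in VLAN 10, a CCTV camera in VLAN 20, one 802.1Q trunk.
SWITCH = VlanSwitch({
    "sig1":  {"native": 10, "allowed": {10}},
    "sig2":  {"native": 10, "allowed": {10}},
    "cctv1": {"native": 20, "allowed": {20}},
    "trunk": {"native": 1,  "allowed": {10, 20}},
})
BCAST, HOST = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
```

A broadcast from `sig1` reaches only the other VLAN 10 members, while a frame tagged VLAN 20 arriving on a VLAN 10 access port is dropped, which is the separation the module specifies and also why an attacker inside the same broadcast domain still motivates the cryptographic channels on the Combinations slide.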

Combinations
- We expect that the technologies will often be combined, as the different separation mechanisms provide different results
- While VLANs reduce the attack surface, SSH will most likely also be used for integrity and confidentiality in case an attacker could access the broadcast domain
- When using wireless methods of communication (without any physical protection of the cables) we anticipate that channels will always be used to mitigate the larger attack surface

Application in Railway
- AIRBUS has analysed the Protection Profiles and determined examples of use-cases in the railway:
  - SSH – Administration workstation and data server
  - IPSEC – Maintain and OCC
  - VLAN – Movement and command-onboard zone
  - TLS – Command-onboard and signal zone

Conclusions
- Earlier work packages provided input by analysing the scenarios, the security risks and appropriate security measures for the railway. Based on that, we could specify appropriate and applicable security requirements.
- The security problems as well as the security components are not unique to the railway, but a general problem for critical infrastructures. One of the main issues is separation and reduction of attack surface.
- We have used ISO 15408 to specify security requirements in the form of a Protection Profile for network separation. It is a generic Protection Profile that could apply to other sectors (e.g., the car industry) and technologies (e.g., CCTV).
- We have specified flexible, modular Protection Profiles (PPs) for network separation. We have also identified other useful PPs and referred to them, such as separation kernel PPs and other network component PPs.
- The modular Protection Profile is public and available to the community, so it can be used to assist in securing communication networks in railway systems as well as other critical infrastructures.
- Finally, we have shown how Protection Profiles fit into the ISA/IEC 62443 standard used for the security of Industrial Automation and Control Systems (IACS) and the ETSI frameworks.