
Post on 23-Dec-2015


Security Control Families

Technical Class

ID  Class        Family                                  # of
CA  Management   Security Assessment and Authorization   6
PL  Management   Planning                                5
PM  Management   Program Management                      11
RA  Management   Risk Assessment                         4
SA  Management   System and Services Acquisition         14/40
AT  Operational  Awareness and Training                  5
CM  Operational  Configuration Management                9
CP  Operational  Contingency Planning                    10
IR  Operational  Incident Response                       8
MA  Operational  Maintenance                             6
MP  Operational  Media Protection                        6
PE  Operational  Physical and Environmental Protection   19
PS  Operational  Personnel Security                      8
SI  Operational  System and Information Integrity        13/84
AC  Technical    Access Control                          19
AU  Technical    Audit and Accountability                14
IA  Technical    Identification and Authentication       8
SC  Technical    System and Communications Protection    34/75

Access Control

AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
AC-7 Unsuccessful Login Attempts
AC-8 System Use Notification
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-14 Permitted Actions without Identification or Authentication
AC-17 Remote Access
AC-18 Wireless Access
AC-19 Access Control for Mobile Devices
AC-20 Use of External Information Systems
AC-22 Publicly Accessible Content

800-46 (Telework) 800-77 (IPSec) 800-113 (SSL) 800-114 (External Devices) 800-121 (Bluetooth) 800-48 (Legacy Wireless) 800-94 (IDPS) 800-97 (802.11i Wireless) 800-124 (Cell Phones/PDA)

OMB M 06-16 (Remote Access)

IPSec VPNs
SP 800-77

Network Layer Security
– The Need for Network Layer Security
– Virtual Private Networking (VPN)
  • Gateway-to-Gateway Architecture
  • Host-to-Gateway Architecture
  • Host-to-Host Architecture

IPsec Fundamentals
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
– Internet Key Exchange (IKE)
– IP Payload Compression Protocol (IPComp)
– Putting It All Together
  • ESP in a Gateway-to-Gateway Architecture
  • ESP and IPComp in a Host-to-Gateway Architecture
  • ESP and AH in a Host-to-Host Architecture

Network Layer Security

– Confidentiality
– Integrity
– Peer Authentication
– Replay Protection
– Traffic Analysis
– Access Control

IPSec VPNs

– Gateway-to-Gateway Architecture
– Host-to-Gateway Architecture
– Host-to-Host Architecture

Gateway-to-Gateway Architecture

Host-to-Gateway Architecture

Host-to-Host Architecture

Model Comparison

IPsec Protocols

– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
– Internet Key Exchange (IKE)
– IP Payload Compression Protocol (IPComp)

SSL VPNs
SP 800-113

– Virtual Private Networking (VPN)
– SSL Portal VPNs
– SSL Tunnel VPNs
– Administering SSL VPNs
– SSL VPN Architecture

SSL VPNs

– SSL Portal VPNs
– SSL Tunnel VPNs
– Administering SSL VPNs

Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved, and therefore are not allowed for use in SSL VPNs that are to be used in applications that must conform to FIPS 140-2.

SSL VPN Architecture

SSL Protocol Basics

– Versions of SSL and TLS
– Cryptography Used in SSL Sessions
– Authentication Used for Identifying SSL Servers

Knowledge Check

What is the protocol used by IPSec that negotiates connection settings, authenticates endpoints to each other, defines the security parameters of IPsec-protected connections, negotiates secret keys, and manages, updates, and deletes IPsec-protected communication channels?

Because AH transport mode cannot alter the original IP header or create a new IP header, transport mode is generally used in which VPN architecture?

Which VPN technologies are approved for use by Federal agencies?

Private Wireless

Public Wireless

Wireless Protocols

Cell Phone Security

Bluetooth Security

Audit & Accountability

AU-2 Auditable Events
AU-3 Content of Audit Records
AU-4 Audit Storage Capacity
AU-5 Response to Audit Processing Failures
AU-6 Audit Review, Analysis, and Reporting
AU-7 Audit Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-10 Non-repudiation
AU-11 Audit Record Retention
AU-12 Audit Generation

800-92 Log Mgmt

FIPS 180-3 SHA
FIPS 186-3 DSS
FIPS 198-1 HMAC

Log Management

– Log Sources
– Analyze Log Data
– Respond to Identified Events
– Manage Long-Term Log Data Storage

Log Sources

– Log Generation
– Log Storage and Disposal
– Log Security

Analyze Log Data

– Gaining an Understanding of Logs
– Prioritizing Log Entries
– Comparing System-Level and Infrastructure-Level Analysis

Respond to Identified Events

Manage Long-Term Log Data Storage

– Choose Log Format for Data to be Archived
– Archive the Log Data
– Verify Integrity of Transferred Logs
– Store Media Securely

Integrity Standards

– FIPS 186-3 Digital Signature Standard
– FIPS 180-3 Secure Hash Standard
– FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)

Identification & Authentication

IA-2 Identification and Authentication (Organizational Users)
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-5 Authenticator Management
IA-6 Authenticator Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-Organizational Users)

800-63 (E-auth) 800-73 800-76 800-78

FIPS 140-2 FIPS 201 HSPD 12 OMB 04-04 (E-auth) OMB 05-24 (HSPD12)

Crypto
Biometrics
PIV Interfaces

Personal Identity & Verification (PIV)

IA Policy & Standard

HSPD 12 (Policy)
FIPS 201-1 (Implementation)
– PIV-I - Security Requirements
– PIV-II - Technical Interoperability Requirements (Smartcards)


E-Authentication Guidelines

Level 1 – No Identity Proofing
Level 2 – Single-factor Authentication, Identity Proofing Requirements
Level 3 – Multi-factor Authentication
Level 4 – Multi-factor using Hard Token

OMB M-04-04 E-Authentication Guidance for Federal Agencies


System & Communications Protection

SC-2 Application Partitioning
SC-3 Security Function Isolation
SC-4 Information in Shared Resources
SC-5 Denial of Service Protection
SC-7 Boundary Protection
SC-8 Transmission Integrity
SC-9 Transmission Confidentiality
SC-10 Network Disconnect
SC-12 Cryptographic Key Establishment and Management
SC-13 Use of Cryptography
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-19 Voice Over Internet Protocol
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-24 Fail in Known State
SC-28 Protection of Information at Rest
SC-32 Information System Partitioning

800-32 (PKI) 800-41 (Firewalls) 800-52 (TLS) 800-58 (VoIP) 800-63

FIPS 140-2 FIPS 197 OMB 05-24 (PIV) OMB 08-23 (DNS)

800-77 800-81 (DNSSEC) 800-95 (Secure Web) 800-113

Firewall Technologies

– Packet Filtering
– Stateful Inspection
– Application Firewalls
– Application-Proxy Gateways
– Dedicated Proxy Servers
– Virtual Private Networking
– Network Access Control
– Unified Threat Management (UTM)
– Web Application Firewalls
– Firewalls for Virtual Infrastructures

Knowledge Check

Name the AES-based wireless encryption mechanism used in the 802.11i wireless specification.

In which security mode are Bluetooth devices considered “promiscuous”, and do not employ any mechanisms to prevent other Bluetooth-enabled devices from establishing connections?

Which security control requires that the information system protect against an individual falsely denying having performed a particular action?

Which e-authentication level, described in Special Publication 800-63, requires multifactor authentication and the use of a hard token?

Cryptographic Services

– Data integrity
– Confidentiality
– Identification and authentication
– Non-repudiation

Cryptographic Security Mechanisms

Symmetric Key Encryption
Objective: Confidentiality via Bulk Encryption

The Problem with Symmetric Keys

Asymmetric Key Encryption
Objective: Symmetric Key Exchange/Authentication

Hash Functions
Objective: Data Integrity

Digital Signature
Objective: Non-Repudiation (Authentication + Integrity)

PKI
SP 800-32

– Security Services
– Non-cryptographic Security Mechanisms
– Cryptographic Security Mechanisms
– PKI Components
– PKI Architectures

PKI Components

– Certification Authority (CA)
– Registration Authority (RA)
– Repository
– Archive
– Public Key Certificate
– Certificate Revocation Lists (CRLs)
– PKI Users

TLS
SP 800-52

Mapping The Security Parts of TLS to Federal Standards

Key Establishment

– RSA
– DH (Diffie-Hellman)
– Fortezza-KEA

Confidentiality/Symmetric Key Algorithms

– IDEA
– RC4
– 3DES-EDE
– AES

Signature & Hashes

– RSA
– DSA
– MD5
– SHA1

VoIP
SP 800-58

– Overview of VoIP
– Privacy and Legal Issues with VoIP
– VoIP Security Issues
– Quality of Service Issues
– VoIP Architectures
– Solutions to the VoIPsec Issues

Overview of VoIP

Public Facing Web Server

DNS Transaction Threats & Security Objectives

Technical Security Controls Key Concepts & Vocabulary

AC – Access Control
AU – Auditing & Accountability
IA – Identification & Availability
SC – System & Communication Protection
