Iso 7498 2 Security Model

Aug 01, 2005  The OSI reference model for networking (ISO 7498-1) is designed around seven layers arranged in a stack. The OSI security architecture reference model (ISO 7498-2) is also designed around seven layers, reflecting a high level view of the different requirements within network security.

  1. Iso 7498 2 Security Model 24
  2. Iso 7498-2 Security Model
  3. Iso 7498 2 Security Model Youtube
  4. Iso 7498 2 Security Model Images
  5. Iso 7498 2 Security Model Youtube
  1. A) provides a general description of security services and related mechanisms, which may be provided by the Reference Model; and b) defines the positions within the Reference Model where the services and mechanisms may be provided. This part of ISO 7498 extends the field of application of ISO 7498, to cover secure communications between open.
  2. The standard is usually referred to as Open Systems Interconnection Reference Model, OSI Reference Model, or simply OSI model. It was published in 1984 by both the ISO, as standard ISO 7498, and the renamed CCITT (now called the Telecommunications Standardization Sector of the International Telecommunication Union or ITU-T) as standard X.200.
(Redirected from ISO/IEC 7498-1)
OSI model
by layer
  • IP
  • X.25LAPB

The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols. The model partitions a communication system into abstraction layers. The original version of the model had seven layers.

A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that constitute the contents of that path. Two instances at the same layer are visualized as connected by a horizontal connection in that layer.

The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO).

Communication in the OSI-Model (example with layers 3 to 5)
  • 2Definitions
  • 3Layer architecture

History[edit]

Prior to the inception of the OSI project, networking was largely either government-sponsored (ARPANET in the US, CYCLADES in France) or vendor-developed with proprietary standards, such as the System network architecture (SNA) of IBM, and DECnet of Digital Equipment Corporation. An Experimental Packet Switched system in the UK circa 1973, also identified the need for defining higher level protocols. The NCC (UK) publication 'Why Distributed Computing' which came from considerable research into future configurations for computer systems, resulted in the UK presenting the case for an international standards committee to cover this area at the ISO meeting in Sydney in March 1977.

In the late 1970s, the International Organization for Standardization (ISO) conducted a program to develop general standards and methods of networking. A similar process evolved at the International Telegraph and Telephone Consultative Committee (CCITT, from French: Comité Consultatif International Téléphonique et Télégraphique). Both bodies developed documents that defined similar networking models.

The OSI model was first defined in raw form in Washington, DC in February 1978 by Hubert Zimmermann of France and the refined standard was published by the ISO in 1984.[1]

In 1983, these two documents were merged to form a standard called The Basic Reference Model for Open Systems Interconnection. The standard is usually referred to as Open Systems Interconnection Reference Model, OSI Reference Model, or simply OSI model. It was published in 1984 by both the ISO, as standard ISO 7498, and the renamed CCITT (now called the Telecommunications Standardization Sector of the International Telecommunication Union or ITU-T) as standard X.200.

OSI had two major components, an abstract model of networking, called the Basic Reference Model or seven-layer model, and a set of specific protocols. The OSI reference model was a major advance in the teaching of network concepts. It promoted the idea of a consistent model of protocol layers, defining interoperability between network devices and software.

The concept of a seven-layer model was provided by the work of Charles Bachman at Honeywell Information Systems.[2] Various aspects of OSI design evolved from experiences with the ARPANET, NPLNET, EIN, CYCLADES network and the work in IFIP WG6.1. The new design was documented in ISO 7498 and its various addenda. In this model, a networking system was divided into layers. Within each layer, one or more entities implement its functionality. Each entity interacted directly only with the layer immediately beneath it, and provided facilities for use by the layer above it.

The OSI standards documents are available from the ITU-T as the X.200-series of recommendations.[3] Some of the protocol specifications were also available as part of the ITU-T X series. The equivalent ISO and ISO/IEC standards for the OSI model were available from ISO. Not all are free of charge.[4]

OSI was hence an industry effort, attempting to get industry participants to agree on common network standards to provide multi-vendor interoperability. It was common for large networks to support multiple network protocol suites, with many devices unable to interoperate with other devices because of a lack of common protocols. However, while OSI developed its networking standards, TCP/IP came into widespread use on multi-vendor networks for internetworking.[5]

Definitions[edit]

Communication protocols enable an entity in one host to interact with a corresponding entity at the same layer in another host. Service definitions, like the OSI Model, abstractly describe the functionality provided to an (N)-layer by an (N-1) layer, where N is one of the seven layers of protocols operating in the local host.

At each level N, two entities at the communicating devices (layer N peers) exchange protocol data units (PDUs) by means of a layer N protocol. Each PDU contains a payload, called the service data unit (SDU), along with protocol-related headers or footers.

Data processing by two communicating OSI-compatible devices proceeds as follows:

  1. The data to be transmitted is composed at the topmost layer of the transmitting device (layer N) into a protocol data unit (PDU).
  2. The PDU is passed to layer N-1, where it is known as the service data unit (SDU).
  3. At layer N-1 the SDU is concatenated with a header, a footer, or both, producing a layer N-1 PDU. It is then passed to layer N-2.
  4. The process continues until reaching the lowermost level, from which the data is transmitted to the receiving device.
  5. At the receiving device the data is passed from the lowest to the highest layer as a series of SDUs while being successively stripped from each layer's header or footer, until reaching the topmost layer, where the last of the data is consumed.

Standards documents[edit]

The OSI model was defined in ISO/IEC 7498 which consists of the following parts:

  • ISO/IEC 7498-1 The Basic Model
  • ISO 7498-2 Security Architecture
  • ISO/IEC 7498-3 Naming and addressing
  • ISO/IEC 7498-4 Management framework

Layer architecture[edit]

The recommendation X.200 describes seven layers, labeled 1 to 7. Layer 1 is the lowest layer in this model.

OSI model
LayerProtocol data unit (PDU)Function[6]
Host
layers
7ApplicationDataHigh-level APIs, including resource sharing, remote file access
6PresentationTranslation of data between a networking service and an application; including character encoding, data compression and encryption/decryption
5SessionManaging communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes
4TransportSegment, DatagramReliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing
Media
layers
3NetworkPacketStructuring and managing a multi-node network, including addressing, routing and traffic control
2Data linkFrameReliable transmission of data frames between two nodes connected by a physical layer
1PhysicalSymbolTransmission and reception of raw bit streams over a physical medium

Layer 1: Physical Layer[edit]

The physical layer is responsible for the transmission and reception of unstructured raw data between a device and a physical transmission medium. It converts the digital bits into electrical, radio, or optical signals. Layer specifications define characteristics such as voltage levels, the timing of voltage changes, physical data rates, maximum transmission distances, modulation scheme, channel access method and physical connectors. This includes the layout of pins, voltages, line impedance, cable specifications, signal timing and frequency for wireless devices. Bit rate control is done at the physical layer and may define transmission mode as simplex, half duplex, and full duplex. The components of a physical layer can be described in terms of a network topology. Bluetooth, Ethernet, and USB all have specifications for a physical layer.

Layer 2: Data Link Layer[edit]

The data link layer provides node-to-node data transfer—a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer.It defines the protocol to establish and terminate a connection between two physically connected devices. It also defines the protocol for flow control between them.

IEEE 802 divides the data link layer into two sublayers:[7]

  • Medium access control (MAC) layer – responsible for controlling how devices in a network gain access to a medium and permission to transmit data.
  • Logical link control (LLC) layer – responsible for identifying and encapsulating network layer protocols, and controls error checking and frame synchronization.

The MAC and LLC layers of IEEE 802 networks such as 802.3Ethernet, 802.11Wi-Fi, and 802.15.4ZigBee operate at the data link layer.

The Point-to-Point Protocol (PPP) is a data link layer protocol that can operate over several different physical layers, such as synchronous and asynchronous serial lines.

Adobe now one of the leading platforms for graphics designing it has covered all the things which are related to the graphics. Adobe Illustrator CC 2019 Free Download. In the past few years, CorelDraw was one of the top software for the logo and vector designing but the Adobe Illustrator CC 2019 has taken its place completely. Adobe illustrator fonts pack free download.

Network adapter driver windows 8.1 download full. The terms of the software license agreement included with anysoftware you download will control your use of the software. INTEL SOFTWARE LICENSE AGREEMENT (Final, License)IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING.Do not copy, install, or use this software and any associated materials (collectively, the “Software”) provided under this license agreement (“Agreement”) until you have carefully read the following terms and conditions.By copying, installing, or otherwise using the Software, you agree to be bound by the terms of this Agreement.

The ITU-TG.hn standard, which provides high-speed local area networking over existing wires (power lines, phone lines and coaxial cables), includes a complete data link layer that provides both error correction and flow control by means of a selective-repeatsliding-window protocol.

Layer 3: Network Layer[edit]

The network layer provides the functional and procedural means of transferring variable length data sequences (called packets) from one node to another connected in 'different networks'. A network is a medium to which many nodes can be connected, on which every node has an address and which permits nodes connected to it to transfer messages to other nodes connected to it by merely providing the content of a message and the address of the destination node and letting the network find the way to deliver the message to the destination node, possibly routing it through intermediate nodes. If the message is too large to be transmitted from one node to another on the data link layer between those nodes, the network may implement message delivery by splitting the message into several fragments at one node, sending the fragments independently, and reassembling the fragments at another node. It may, but does not need to, report delivery errors.

Message delivery at the network layer is not necessarily guaranteed to be reliable; a network layer protocol may provide reliable message delivery, but it need not do so.

A number of layer-management protocols, a function defined in the management annex, ISO 7498/4, belong to the network layer. These include routing protocols, multicast group management, network-layer information and error, and network-layer address assignment. It is the function of the payload that makes these belong to the network layer, not the protocol that carries them.[8]

Layer 4: Transport Layer[edit]

The transport layer provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host, while maintaining the quality of service functions.

The transport layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. Some protocols are state- and connection-oriented. This means that the transport layer can keep track of the segments and re-transmit those that fail delivery. The transport layer also provides the acknowledgement of the successful data transmission and sends the next data if no errors occurred. The transport layer creates segments out of the message received from the application layer. Segmentation is the process of dividing a long message into smaller messages.

OSI defines five classes of connection-mode transport protocols ranging from class 0 (which is also known as TP0 and provides the fewest features) to class 4 (TP4, designed for less reliable networks, similar to the Internet). Class 0 contains no error recovery, and was designed for use on network layers that provide error-free connections. Class 4 is closest to TCP, although TCP contains functions, such as the graceful close, which OSI assigns to the session layer. Also, all OSI TP connection-mode protocol classes provide expedited data and preservation of record boundaries. Detailed characteristics of TP0-4 classes are shown in the following table:[9]

Feature nameTP0TP1TP2TP3TP4
Connection-oriented networkYesYesYesYesYes
Connectionless networkNoNoNoNoYes
Concatenation and separationNoYesYesYesYes
Segmentation and reassemblyYesYesYesYesYes
Error recoveryNoYesYesYesYes
Reinitiate connectionaNoYesNoYesNo
Multiplexing / demultiplexing over single virtual circuitNoNoYesYesYes
Explicit flow controlNoNoYesYesYes
Retransmission on timeoutNoNoNoNoYes
Reliable transport serviceNoYesNoYesYes
a If an excessive number of PDUs are unacknowledged.

An easy way to visualize the transport layer is to compare it with a post office, which deals with the dispatch and classification of mail and parcels sent. A post office inspects only the outer envelope of mail to determine its delivery. Higher layers may have the equivalent of double envelopes, such as cryptographic presentation services that can be read by the addressee only. Roughly speaking, tunneling protocols operate at the transport layer, such as carrying non-IP protocols such as IBM's SNA or Novell's IPX over an IP network, or end-to-end encryption with IPsec. While Generic Routing Encapsulation (GRE) might seem to be a network-layer protocol, if the encapsulation of the payload takes place only at the endpoint, GRE becomes closer to a transport protocol that uses IP headers but contains complete Layer 2 frames or Layer 3 packets to deliver to the endpoint. L2TP carries PPP frames inside transport segments.

Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the transport layer, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) of the Internet Protocol Suite are commonly categorized as layer-4 protocols within OSI.

Layer 5: Session Layer[edit]

The session layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes procedures for checkpointing, suspending, restarting, and terminating a session. In the OSI model, this layer is responsible for gracefully closing a session, which is handled in the Transmission Control Protocol at the transport layer in the Internet Protocol Suite. This layer is also responsible for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The session layer is commonly implemented explicitly in application environments that use remote procedure calls.

Layer 6: Presentation Layer[edit]

The presentation layer establishes context between application-layer entities, in which the application-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. If a mapping is available, presentation protocol data units are encapsulated into session protocol data units and passed down the protocol stack.

This layer provides independence from data representation by translating between application and network formats. The presentation layer transforms data into the form that the application accepts. This layer formats data to be sent across a network. It is sometimes called the syntax layer.[10] The presentation layer can include compression functions.[11] The Presentation Layer negotiates the Transfer Syntax.

The original presentation structure used the Basic Encoding Rules of Abstract Syntax Notation One (ASN.1), with capabilities such as converting an EBCDIC-coded text file to an ASCII-coded file, or serialization of objects and other data structures from and to XML. ASN.1 effectively makes an application protocol invariant with respect to syntax.

Iso 7498 2 Security Model 24

Layer 7: Application Layer[edit]

The application layer is the OSI layer closest to the end user, which means both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model. Application-layer functions typically include identifying communication partners, determining resource availability, and synchronizing communication. When identifying communication partners, the application layer determines the identity and availability of communication partners for an application with data to transmit. The most important distinction in the application layer is the distinction between the application-entity and the application. For example, a reservation website might have two application-entities: one using HTTP to communicate with its users, and one for a remote database protocol to record reservations. Neither of these protocols have anything to do with reservations. That logic is in the application itself. The application layer per se has no means to determine the availability of resources in the network.

Cross-layer functions[edit]

Cross-layer functions are services that are not tied to a given layer, but may affect more than one layer.[citation needed] Some orthogonal aspects, such as management and security, involve all of the layers (See ITU-T X.800 Recommendation[12]). These services are aimed at improving the CIA triad—confidentiality, integrity, and availability—of the transmitted data. Cross-layer functions are the norm, in practice, because the availability of a communication service is determined by the interaction between network design and network management protocols. Appropriate choices for both of these are needed to protect against denial of service.[citation needed]

Iso 7498-2 Security Model

Specific examples of cross-layer functions include the following:

  • Security service (telecommunication)[12] as defined by ITU-T X.800 recommendation.
  • Management functions, i.e. functions that permit to configure, instantiate, monitor, terminate the communications of two or more entities: there is a specific application-layer protocol, common management information protocol (CMIP) and its corresponding service, common management information service (CMIS), they need to interact with every layer in order to deal with their instances.
  • Multiprotocol Label Switching (MPLS), ATM, and X.25 are 3a protocols. OSI divides the Network Layer into three roles:[citation needed] 3a) Subnetwork Access, 3b) Subnetwork Dependent Convergence and 3c) Subnetwork Independent Convergence. It was designed to provide a unified>LayerOSI protocolsTCP/IP protocolsSignaling
    System 7[14]AppleTalkIPXSNAUMTSMiscellaneous examplesNo.Name7Application
    • RTSE
    • ACSE[15]
    • CMIP[16]
    6Presentation
    • ISO/IEC 8823
    • X.226

    • ISO/IEC 9576-1
    • X.236
    5Session
    • ISO/IEC 8327
    • X.225

    • ISO/IEC 9548-1
    • X.235
    Sockets(session establishment in TCP / RTP / PPTP)4Transport
    • ISO/IEC 8073
    • TP0
    • TP1
    • TP2
    • TP3
    • TP4 (X.224)
    • ISO/IEC 8602
    • X.234
    3Network
    • ISO/IEC 8208
    • X.25 (PLP)

    • ISO/IEC 8878
    • ISO/IEC 8473-1
    • CLNP X.233
    • ISO/IEC 10589
    ATP(TokenTalk / EtherTalk)
    • RRC / BMC
    2Data link
    • ISO/IEC 7666
    • X.25 (LAPB)

    • Token Bus
    • X.222
    • ISO/IEC 8802-2
    • LLC (type 1 / 2)[17]
    IEEE 802.3 framing
    Ethernet II framing
    • Q.921
    1Physical
    • X.25 (X.21bis
    • G.703)[17]
    UMTS air interfaces

    Comparison with TCP/IP model[edit]

    The design of protocols in the TCP/IP model of the Internet does not concern itself with strict hierarchical encapsulation and layering.[19]RFC 3439 contains a section entitled 'Layering considered harmful'.[20] TCP/IP does recognize four broad layers of functionality which are derived from the operating scope of their contained protocols: the scope of the software application; the host-to-host transport path; the internetworking range; and the scope of the direct links to other nodes on the local network.[21]

    Despite using a different concept for layering than the OSI model, these layers are often compared with the OSI layering scheme in the following manner:

    • The Internet application layer maps to the OSI application layer, presentation layer, and most of the session layer.
    • The TCP/IP transport layer maps to the graceful close function of the OSI session layer as well as the OSI transport layer.
    • The internet layer performs functions as those in a subset of the OSI network layer.
    • The link layer corresponds to the OSI data link layer and may include similar functions as the physical layer, as well as some protocols of the OSI's network layer.

    These comparisons are based on the original seven-layer protocol model as defined in ISO 7498, rather than refinements in the internal organization of the network layer.

    The presumably strict layering of the OSI model does not present contradictions in TCP/IP, as it is permissible that protocol usage does not follow the hierarchy implied in a layered model. Such examples exist in some routing protocols, or in the description of tunneling protocols, which provide a link layer for an application, although the tunnel host protocol might well be a transport or application layer protocol in its own right.[citation needed]

    The OSI protocol suite that was specified as part of the OSI project was considered by many as too complicated and inefficient, and to a large extent unimplementable.[22] Taking the 'forklift upgrade' approach to networking, it specified eliminating all existing networking protocols and replacing them at all layers of the stack. This made implementation difficult, and was resisted by many vendors and users with significant investments in other network technologies. In addition, the protocols included so many optional features that many vendors' implementations were not interoperable.[22]

    Although the OSI model is often still referenced, the Internet protocol suite has become the standard for networking. TCP/IP's pragmatic approach to computer networking and to independent implementations of simplified protocols made it a practical methodology.[22] Some protocols and specifications in the OSI stack remain in use, one example being IS-IS, which was specified for OSI as ISO/IEC 10589:2002 and adapted for Internet use with TCP/IP as RFC1142.

    See also[edit]

    • Common Management Information Service (CMIS)
    • GOSIP, the (U.S.) Government Open Systems Interconnection Profile
    • Protocol stacks

    Further reading[edit]

    • John Day, 'Patterns in Network Architecture: A Return to Fundamentals' (Prentice Hall 2007, ISBN978-0-13-225242-3)
    • Marshall Rose, The Open Book (Prentice-Hall, Englewood Cliffs, 1990)
    • David M. Piscitello, A. Lyman Chapin, Open Systems Networking (Addison-Wesley, Reading, 1993)
    • Andrew S. Tanenbaum, Computer Networks, 4th Edition, (Prentice-Hall, 2002) ISBN0-13-066102-3
    • Gary Dickson; Alan Lloyd (July 1992). Open Systems Interconnection/Computer Communications Standards and Gossip Explained. Prentice-Hall. ISBN978-0136401117.

    References[edit]

    1. ^'OSI The Internet That Wasn't'. IEEE Spectrum. March 2017.
    2. ^J. A. N. Lee. 'Computer Pioneers by J. A. N. Lee'. IEEE Computer Society.
    3. ^ITU-T X-Series Recommendations
    4. ^'Publicly Available Standards'. Standards.iso.org. 30 July 2010. Retrieved 11 September 2010.
    5. ^Andrew L. Russell (30 July 2013). 'OSI: The Internet That Wasn't'. IEEE Spectrum. Vol. 50 no. 8.
    6. ^'The OSI Model's Seven Layers Defined and Functions Explained'. Microsoft Support. Retrieved 28 December 2014.
    7. ^'5.2 RM description for end stations'. IEEE Std 802-2014, IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture. ieee.
    8. ^International Organization for Standardization (15 November 1989). 'ISO/IEC 7498-4:1989 -- Information technology -- Open Systems Interconnection -- Basic Reference Model: Naming and addressing'. ISO Standards Maintenance Portal. ISO Central Secretariat. Retrieved 17 August 2015.
    9. ^'ITU-T Recommendation X.224 (11/1995) ISO/IEC 8073, Open Systems Interconnection - Protocol for providing the connection-mode transport service'. ITU.
    10. ^Grigonis, Richard (2000). Computer telephony- encyclopaedia. CMP. p. 331. ISBN9781578200450.
    11. ^'ITU-T X.200 - Information technology – Open Systems Interconnection – Basic Reference Model: The basic model'.
    12. ^ ab'ITU-T Recommendation X.800 (03/91), Security architecture for Open Systems Interconnection for CCITT applications'. ITU. Retrieved 14 August 2015.
    13. ^Miao, Guowang; Song, Guocong (2014). Energy and spectrum efficient wireless network design. Cambridge University Press. ISBN1107039886.
    14. ^'ITU-T Recommendation Q.1400 (03/1993)], Architecture framework for the development of signaling and OA&M protocols using OSI concepts'. ITU. pp. 4, 7.
    15. ^ITU Rec. X.227 (ISO 8650), X.217 (ISO 8649).
    16. ^X.700 series of recommendations from the ITU-T (in particular X.711) and ISO 9596.
    17. ^ ab'Internetworking Technology Handbook - Internetworking Basics [Internetworking]'. Cisco. 15 January 2014. Retrieved 14 August 2015.
    18. ^'3GPP specification: 36.300'. 3gpp.org. Retrieved 14 August 2015.
    19. ^RFC 3439
    20. ^'RFC 3439 - Some Internet Architectural Guidelines and Philosophy'. ietf.org. Retrieved 14 August 2015.
    21. ^Walter Goralski. The Illustrated Network: How TCP/IP Works in a Modern Network(PDF). Morgan Kaufmann. p. 26. ISBN978-0123745415.
    22. ^ abcAndrew S. Tanenbaum, Computer Networks, § 1.4.4.

    External links[edit]

    Wikimedia Commons has media related to OSI model.
    • ISO/IEC standard 7498-1:1994 (PDF document inside ZIP archive) (requires HTTP cookies in order to accept licence agreement)
    • 'INFormation CHanGe Architectures and Flow Charts powered by Google App Engine'. infchg.appspot.com. The ISO OSI Reference Model, Beluga graph of data units and groups of layers. Archived from the original on 26 May 2012.CS1 maint: others (link)
    • Zimmermann, Hubert (April 1980). 'OSI Reference Model — The ISO Model of Architecture for Open Systems Interconnection'. IEEE Transactions on Communications. 28 (4): 425–432. CiteSeerX10.1.1.136.9497. doi:10.1109/TCOM.1980.1094702.
Retrieved from 'https://en.wikipedia.org/w/index.php?title=OSI_model&oldid=919342007'

Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers[1] as defined by ITU-T X.800 Recommendation.
X.800 and ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)[2] are technically aligned. This model is widely recognized [3][4]

A more general definition is in CNSS Instruction No. 4009 dated 26 April 2010 by Committee on National Security Systems of United States of America:[5]

A capability that supports one, or more, of the security requirements (Confidentiality, Integrity, Availability). Examples of security services are key management, access control, and authentication.

Another authoritative definition is in W3CWeb service Glossary [6] adopted by NIST SP 800-95:[7]

A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms.
  • 5Other related meanings

Basic security terminology[edit]

Information security and Computer security are disciplines that are dealing with the requirements of Confidentiality, Integrity, Availability, the so-called CIA Triad, of information asset of an organization (company or agency) or the information managed by computers respectively.

There are threats that can attack the resources (information or devices to manage it) exploiting one or more vulnerabilities. The resources can be protected by one or more countermeasures or security controls.[8]

So security services implement part of the countermeasures, trying to achieve the security requirements of an organization.[3][9]

Basic OSI terminology[edit]

In order to let different devices (computers, routers, cellular phones) to communicate data in a standardized way, communication protocols had been defined.

The ITU-T organization published a large set of protocols. The general architecture of these protocols is defined in recommendation X.200.[10]

The different means (air, cables) and ways (protocols and protocol stacks) to communicate are called a communication network.

Security requirements are applicable to the information sent over the network. The discipline dealing with security over a network is called Network security.[11]

The X.800 Recommendation:[1]

  1. provides a general description of security services and related mechanisms, which may be provided by the Reference Model; and
  2. defines the positions within the Reference Model where the services and mechanisms may be provided.

This Recommendation extends the field of application of Recommendation X.200, to cover secure communications between open systems.

Iso 7498 2 Security Model Youtube

According to X.200 Recommendation, in the so-called OSI Reference model there are 7 layers, each one is generically called N layer. The N+1 entity ask for transmission services to the N entity.[10]

At each level two entities (N-entity) interact by means of the (N) protocol by transmitting Protocol Data Units (PDU).Service Data Unit (SDU) is a specific unit of data that has been passed down from an OSI layer, to a lower layer, and has not yet been encapsulated into a PDU, by the lower layer. It is a set of data that is sent by a user of the services of a given layer, and is transmitted semantically unchanged to a peer service user .The PDU at any given layer, layer 'n', is the SDU of the layer below, layer 'n-1'. In effect the SDU is the 'payload' of a given PDU. That is, the process of changing a SDU to a PDU, consists of an encapsulation process, performed by the lower layer. All the data contained in the SDU becomes encapsulated within the PDU. The layer n-1 adds headers or footers, or both, to the SDU, transforming it into a PDU of layer n-1. The added headers or footers are part of the process used to make it possible to get data from a source to a destination.[10]

Iso 7498 2 security model youtube

OSI security services description[edit]

The following are considered to be the security services which can be provided optionally within the framework of the OSI Reference Model. The authentication services require authentication information comprising locally stored information and data that is transferred (credentials) to facilitate the authentication:[1][4]

Authentication
These services provide for the authentication of a communicating peer entity and the source of data as described below.
Peer entity authentication
This service, when provided by the (N)-layer, provides corroboration to the (N + 1)-entity that the peer entity is the claimed (N + 1)-entity.
Data origin authentication
This service, when provided by the (N)-layer, provides corroboration to an (N + 1)-entity that the source of the data is the claimed peer (N + 1)-entity.
Access control
This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. This protection service may be applied to various types of access to a resource (e.g., the use of a communications resource; the reading, the writing, or the deletion of an information resource; the execution of a processing resource) or to all accesses to a resource.
Data confidentiality
These services provide for the protection of data from unauthorized disclosure as described below
Connection confidentiality
This service provides for the confidentiality of all (N)-user-data on an (N)-connection
Connectionless confidentiality
This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU
Selective field confidentiality
This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.
Traffic flow confidentiality
This service provides for the protection of the information which might be derived from observation of traffic flows.
Data integrity
These services counter active threats and may take one of the forms described below.
Connection integrity with recovery
This service provides for the integrity of all (N)-user-data on an (N)-connection and detects any modification, insertion, deletion or replay of any data within an entire SDU sequence (with recovery attempted).
Connection integrity without recovery
As for the previous one but with no recovery attempted.
Selective field connection integrity
This service provides for the integrity of selected fields within the (N)-user data of an (N)-SDU transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed.
Connectionless integrity
This service, when provided by the (N)-layer, provides integrity assurance to the requesting (N + 1)-entity. This service provides for the integrity of a single connectionless SDU and may take the form of determination of whether a received SDU has been modified. Additionally, a limited form of detection of replay may be provided.
Selective field connectionless integrity
This service provides for the integrity of selected fields within a single connectionless SDU and takes the form of determination of whether the selected fields have been modified.
Non-repudiation
This service may take one or both of two forms.
Non-repudiation with proof of origin
The recipient of data is provided with proof of the origin of data. This will protect against any attempt by the sender to falsely deny sending the data or its contents.
Non-repudiation with proof of delivery
The sender of data is provided with proof of delivery of data. This will protect against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.

Iso 7498 2 Security Model Images

Specific security mechanisms[edit]

The security services may be provided by means of security mechanism:[1][3][4]

  • Encipherment
  • Authentication exchange
  • Notarization

The table1/X.800 shows the relationships between services and mechanisms

Illustration of relationship of security services and mechanisms
ServiceMechanism
EnciphermentDigital signatureAccess controlData integrityAuthentication exchangeTraffic paddingRouting controlNotarization
Peer entity authenticationYY··Y···
Data origin authenticationYY······
Access control service··Y·····
Connection confidentialityY.····Y·
Connectionless confidentialityY·····Y·
Selective field confidentialityY·······
Traffic flow confidentialityY····YY·
Connection Integrity with recoveryY··Y····
Connection integritywithout recoveryY··Y····
Selective field connection integrityY··Y····
Connectionless integrityYY·Y····
Selective field connectionless integrityYY·Y····
Non-repudiation. Origin·Y·Y···Y
Non-repudiation. DeliveryY·Y···Y

Some of them can be applied to connection oriented protocols, other to connectionless protocols or both.

The table 2/X.800 illustrates the relationship of security services and layers:[4]

Illustration of the relationship of security services and layers
ServiceLayer
1234567*
Peer entity authentication··YY··Y
Data origin authentication··YY··Y
Access control service··YY··Y
Connection confidentialityYYYY·YY
Connectionless confidentiality·YYY·YY
Selective field confidentiality·····YY
Traffic flow confidentialityY·Y···Y
Connection Integrity with recovery···Y··Y
Connection integrity without recovery··YY··Y
Selective field connection integrity······Y
Connectionless integrity··YY··Y
Selective field connectionless integrity······Y
Non-repudiation Origin······Y
Non-repudiation. Delivery······Y

Other related meanings[edit]

Managed security service[edit]

Iso 7498 2 Security Model Youtube

Managed security service (MSS) are network security services that have been outsourced to a service provider.

See also[edit]

References[edit]

Iso
  1. ^ abcdX.800 : Security architecture for Open Systems Interconnection for CCITT applications
  2. ^ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture)
  3. ^ abcWilliam StallingsCrittografia e sicurezza delle retiSeconda edizioneISBN88-386-6377-7Traduzione Italiana a cura di Luca Salgarellidi Cryptography and Network security 4 editionPearson2006
  4. ^ abcdSecuring information and communications systems: principles, technologies, and applicationsSteven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages
  5. ^CNSS Instruction No. 4009 dated 26 April 2010
  6. ^W3C Web Services Glossary
  7. ^NIST Special Publication 800-95 Guide to Secure Web Services
  8. ^Internet Engineering Task Force RFC 2828 Internet Security Glossary
  9. ^Network security essentials: applications and standards, William Stallings, Prentice Hall, 2007 - 413 pages
  10. ^ abcX.200 : Information technology - Open Systems Interconnection - Basic Reference Model: The basic model
  11. ^Simmonds, A; Sandilands, P; van Ekert, L (2004). 'An Ontology for Network Security Attacks'. Lecture Notes in Computer Science 3285: 317–323

External links[edit]

Retrieved from 'https://en.wikipedia.org/w/index.php?title=Security_service_(telecommunication)&oldid=909989756'