Wednesday, August 24, 2011

Functions and Protocols in the OSI Model

Application Layer

The protocols at the application layer handle file transfer, virtual terminals, network management, and fulfilling networking requests of applications. A few of the protocols that work at this layer include:
• File Transfer Protocol (FTP)
• Trivial File Transfer Protocol (TFTP)
• Simple Network Management Protocol (SNMP)
• Simple Mail Transfer Protocol (SMTP)
• Telnet
• Hypertext Transfer Protocol (HTTP)

Presentation
The services of the presentation layer handle translation into standard formats, data compression and decompression, and data encryption and decryption. No protocols work at this layer, just services. The following lists some of the presentation layer standards:
• American Standard Code for Information Interchange (ASCII)
• Extended Binary Coded Decimal Interchange Code (EBCDIC)
• Tagged Image File Format (TIFF)
• Joint Photographic Experts Group (JPEG)
• Motion Picture Experts Group (MPEG)
• Musical Instrument Digital Interface (MIDI)

Session
The session layer protocols set up connections between applications, maintain dialog control, and negotiate, establish, maintain, and tear down the communication channel.
Some of the protocols that work at this layer include:
• Network File System (NFS)
• NetBIOS
• Structured Query Language (SQL)
• Remote procedure call (RPC)

Transport
The protocols at the transport layer handle end-to-end transmission and segmentation into a data stream. The following protocols work at this layer:
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Sequenced Packet Exchange (SPX)

Network
The responsibilities of the network layer protocols include internetworking service, addressing, and routing. The following lists some of the protocols that work at this layer:
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Novell Internetwork Packet Exchange (IPX)

Data Link
The protocols at the data link layer convert data into LAN or WAN frames for transmission, convert messages into bits, and define how a computer accesses a network. This layer is divided into the Logical Link Control (LLC) and the Media Access Control (MAC) sublayers. Some protocols that work at this layer include the following:
• Address Resolution Protocol (ARP)
• Reverse Address Resolution Protocol (RARP)
• Point-to-Point Protocol (PPP)
• Serial Line Internet Protocol (SLIP)

Physical
Network interface cards and drivers convert bits into electrical signals and control the physical aspects of data transmission, including optical, electrical, and mechanical requirements.
The following are some of the standard interfaces at this layer:
• High-Speed Serial Interface (HSSI)
• X.21
• EIA/TIA-232 and EIA/TIA-449

Tuesday, August 9, 2011

RTU and Substation automation

The Remote Terminal Unit (RTU) lies between the substation and the network control center (NCC). Basically, the RTU interfaces the devices in the physical world to the SCADA system. An RTU can be interfaced with the central station over different communication media (usually serial (RS232, RS485, RS422) or Ethernet). An RTU can support standard protocols (Modbus, IEC 60870-5-101/103/104, DNP3, ICCP, etc.) to interface with any third-party software.

Saturday, August 6, 2011

Common Data classes

IEC 61850-7-3 defines common data classes for a wide range of well known applications. The core common data classes are classified into the following groups:

– status information,
– measurand information,
– controllable status information,
– controllable analogue information,
– status settings,
– analogue settings,
– description information.

Services are defined to exchange these data. The services defined in IEC 61850-7-2 are called abstract services.

The four main building blocks of the Substation Automation System

  • the substation automation system specific information models (logical nodes and data)
  • the information exchange methods (interface)
  • the mapping to concrete communication protocols (mapping to MMS and TCP/IP)
  • the configuration of a substation IED.

Friday, August 5, 2011

Access Control Administration

Once an organization develops a security policy, supporting procedures, standards, and guidelines, it must choose the type of access control model: DAC, MAC, or role-based. After choosing a model, the organization must select and implement different access control technologies and techniques. Access control matrices, restricted interfaces, and content-dependent, context-dependent, and rule-based controls are just a few of the choices.

Centralized Access Control Administration

AAA protocols are the authentication protocols used in centralized access control administration; AAA stands for authentication, authorization, and auditing. Depending on the protocol, there are different ways to authenticate a user in this client/server architecture. The traditional authentication protocols are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP); a newer method is referred to as Extensible Authentication Protocol (EAP).

Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides client/server authentication and authorization, and audits remote users. RADIUS uses UDP. Terminal Access Controller Access Control System (TACACS) provides the same functionality as RADIUS with a few differences in some of its characteristics. TACACS uses TCP. RADIUS encrypts the user’s password only as it is being transmitted from the RADIUS client to the RADIUS server. Other information, such as the username, accounting data, and authorized services, is passed in cleartext. TACACS+ encrypts all of this data between the client and server and thus does not have the vulnerabilities inherent in the RADIUS protocol.
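To make the cleartext/encrypted split concrete, here is an added example (not code from the original post) that builds a RADIUS Access-Request the way RFC 2865 specifies, hides only the User-Password attribute with the MD5 keystream derived from the shared secret and Request Authenticator, and then parses the packet as an observer without the secret would see it. The shared secret, username, password and fixed authenticator are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1                 # RFC 2865 packet code
USER_NAME, USER_PASSWORD = 1, 2    # RFC 2865 attribute type codes

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; needs the shared secret, as the server has."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")     # drop the RFC padding (passwords contain no NUL)

def attribute(atype, value):
    """Type(1) Length(1, covering type+length+value) Value, RFC 2865 section 5."""
    return bytes([atype, 2 + len(value)]) + value

def build_access_request(username, password, secret, authenticator, identifier=1):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes; only the
    password attribute is transformed, User-Name goes out as typed."""
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def attributes_visible_on_wire(packet):
    """What anyone capturing the datagram can read without the shared secret."""
    seen, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        seen[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return seen

if __name__ == "__main__":   # constructed sample values, not real credentials
    pkt = build_access_request(b"alice", b"correct horse", b"constructed-secret", bytes(range(16)))
    print(attributes_visible_on_wire(pkt))   # User-Name readable, User-Password 16 opaque bytes
```

Because the hiding rests entirely on the strength of the shared secret and a 16-byte authenticator, deployments that care about the remaining cleartext carry RADIUS over IPsec or RADIUS/TLS (RadSec) rather than bare UDP.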

RADIUS is the appropriate protocol when simplistic username/password authentication can take place and users only need an Accept or Deny for obtaining access, as in ISPs. TACACS+ is the better choice for environments that require more sophisticated authentication steps and tighter control over more complex authorization activities, as in corporate networks.

Diameter is another AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today’s complex and diverse networks. RADIUS and TACACS+ are client/server protocols, which means the server portion cannot send unsolicited commands to the client portion. Diameter is a peer-based protocol that allows either end to initiate communication.

Decentralized Access Control Administration

A decentralized access control administration method gives control of access to the people closer to the resources, the people who may better understand who should and should not have access to certain files, data, and resources. Centralized access control administration is nevertheless recommended in implementations to maintain the privacy of the system.

Access Control Models

The main characteristics of the three different access control models are important to understand.
  • DAC (Discretionary Access Control) Data owners decide who has access to resources, and ACLs are used to enforce the security policy.
  • MAC (Mandatory Access Control) Operating systems enforce the system’s security policy through the use of security labels, e.g. security clearances. In a military environment, the classifications could be top secret, secret, confidential, and unclassified. A commercial organization might use confidential, proprietary, corporate, and sensitive.
  • RBAC (Role-Based Access Control) Access decisions are based on each subject’s role and/or functional position.

Once an organization determines what type of access control model it is going to use, it needs to identify and refine its technologies and techniques to support that model.

Access Control Techniques

Access control techniques are used to support the access control models.
  • Access control matrix Table of subjects and objects that outlines their access relationships
  • ACL Bound to an object and indicates what subjects can access it
  • Capability table Bound to a subject and indicates what objects that subject can access
  • Content-based access Bases access decisions on the sensitivity of the data, not solely on subject identity
  • Context-based access Bases access decisions on the state of the situation, not solely on identity or content sensitivity
  • Restricted interface Limits the user’s environment within the system, thus limiting access to objects
  • Rule-based access Restricts subjects’ access attempts by predefined rules
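The relationship between the matrix, ACLs and capability tables is easier to see in code, so here is an added example (not from the original post) that builds both views from one access control matrix, makes DAC decisions from each, adds a MAC label dominance check, and layers a context-based rule on top. All subjects, objects, labels and rules are constructed sample data.

```python
# Constructed access control matrix: subject -> object -> set of rights.
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "memo.txt": {"read"}},
    "bob": {"memo.txt": {"read", "write"}},
    "carol": {},
}

def acl_from_matrix(matrix):
    """ACL view: one column of the matrix, bound to each object."""
    acl = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl.setdefault(obj, {})[subject] = set(rights)
    return acl

def capability_table_from_matrix(matrix):
    """Capability view: one row of the matrix, bound to each subject."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}

def dac_allows(acl, subject, obj, right):
    """DAC decision the way an OS makes it: consult the ACL on the object."""
    return right in acl.get(obj, {}).get(subject, set())

def capability_allows(caps, subject, obj, right):
    """The same decision taken from the subject's capability table."""
    return right in caps.get(subject, {}).get(obj, set())

# MAC: labels in increasing sensitivity; a subject may read an object only
# when its clearance is at least the object's classification.
LEVELS = ("unclassified", "confidential", "secret", "top secret")

def mac_allows_read(clearance, classification):
    return LEVELS.index(clearance) >= LEVELS.index(classification)

# Context-based rule (constructed): payroll data is reachable only during
# business hours and from the internal network, whatever the ACL grants.
def context_allows(obj, hour, source_net):
    if obj != "payroll.xlsx":
        return True
    return 8 <= hour < 18 and source_net == "internal"

def decide(subject, obj, right, hour, source_net):
    """Combined check: the DAC ACL and the context rule must both agree."""
    acl = acl_from_matrix(MATRIX)
    return dac_allows(acl, subject, obj, right) and context_allows(obj, hour, source_net)
```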

Thursday, August 4, 2011

Single Sign On(SSO) Technologies

If the user has to enter a different user ID and password every time he accesses a service such as a printer or file server, it becomes an overhead for the user to remember all the usernames and passwords. Users tend to write them down, and then security is exposed. Managing user passwords and renewing them is an overhead for the administrators too. If the user has to remember only one password, more security can be enforced on that password by requiring longer passwords with higher entropy. SSO offers one-time user authentication (user ID and password), after which the user is good to access all the services. One bottleneck in achieving SSO is the inadequate interoperability between the services' systems.

Examples of Single Sign-On Technologies
  • Kerberos Authentication protocol that uses a KDC (Key Distribution Center) and tickets, and is based on symmetric key cryptography
  • SESAME (Secure European System for Applications in a Multi-vendor Environment) Authentication protocol that uses a PAS (Privileged Attribute Server, similar to a KDC) and PACs (Privileged Attribute Certificates), and is based on symmetric and asymmetric cryptography
  • Security domains Resources working under the same security policy and managed by the same group
  • Thin clients Terminals that rely upon a central server for access control, processing, and storage