Technical Class Security Control Families

Security control families, grouped by class, with the number of controls in each family:

  ID   Class        Family                                       # of controls
  CA   Management   Security Assessment and Authorization         6
  PL   Management   Planning                                      5
  PM   Management   Program Management                           11
  RA   Management   Risk Assessment                               4
  SA   Management   System and Services Acquisition              14    (Management total: 40)
  AT   Operational  Awareness and Training                        5
  CM   Operational  Configuration Management                      9
  CP   Operational  Contingency Planning                         10
  IR   Operational  Incident Response                             8
  MA   Operational  Maintenance                                   6
  MP   Operational  Media Protection                              6
  PE   Operational  Physical and Environmental Protection        19
  PS   Operational  Personnel Security                            8
  SI   Operational  System and Information Integrity             13    (Operational total: 84)
  AC   Technical    Access Control                               19
  AU   Technical    Audit and Accountability                     14
  IA   Technical    Identification and Authentication             8
  SC   Technical    System and Communications Protection         34    (Technical total: 75)

Access Control (AC)
  AC-2   Account Management
  AC-3   Access Enforcement
  AC-4   Information Flow Enforcement
  AC-5   Separation of Duties
  AC-6   Least Privilege
  AC-7   Unsuccessful Login Attempts
  AC-8   System Use Notification
  AC-10  Concurrent Session Control
  AC-11  Session Lock
  AC-14  Permitted Actions without Identification or Authentication
  AC-17  Remote Access
  AC-18  Wireless Access
  AC-19  Access Control for Mobile Devices
  AC-20  Use of External Information Systems
  AC-22  Publicly Accessible Content
  Related guidance: 800-46 (Telework), 800-77 (IPSec), 800-113 (SSL), 800-114 (External Devices), 800-121 (Bluetooth), 800-48 (Legacy Wireless), 800-94 (IDPS), 800-97 (802.11i Wireless), 800-124 (Cell Phones/PDA), OMB M-06-16 (Remote Access)

IPSec VPNs – SP 800-77
  – Network Layer Security
  – The Need for Network Layer Security
  – Virtual Private Networking (VPN)
    • Gateway-to-Gateway Architecture
    • Host-to-Gateway Architecture
    • Host-to-Host Architecture
  – IPsec Fundamentals
    – Authentication Header (AH)
    – Encapsulating Security Payload (ESP)
    – Internet Key Exchange (IKE)
    – IP Payload Compression Protocol (IPComp)
  – Putting It All Together
    • ESP in a Gateway-to-Gateway Architecture
    • ESP and IPComp in a Host-to-Gateway Architecture
    • ESP and AH in a Host-to-Host Architecture

Network Layer Security – services provided
  • Confidentiality
  • Integrity
  • Peer Authentication
  • Replay Protection
  • Traffic Analysis (protection)
  • Access Control

IPSec VPNs – architectures
  – Gateway-to-Gateway Architecture
  – Host-to-Gateway Architecture
  – Host-to-Host Architecture
  – Model Comparison

IPsec Protocols
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)
  • IP Payload Compression Protocol (IPComp)

SSL VPNs – SP 800-113
  – Virtual Private Networking (VPN)
  – SSL Portal VPNs
  – SSL Tunnel VPNs
  – Administering SSL VPNs
  – SSL VPN Architecture

Note: Many of the cryptographic algorithms used in some SSL cipher suites are not FIPS-approved, and therefore are not allowed for use in SSL VPNs that are to be used in applications that must conform to FIPS 140-2.

SSL VPN Architecture
  • SSL Protocol Basics
  • Versions of SSL and TLS
  • Cryptography Used in SSL Sessions
  • Authentication Used for Identifying SSL Servers

Knowledge Check
  1. What is the protocol, used by IPsec, that negotiates connection settings, authenticates endpoints to each other, defines the security parameters of IPsec-protected connections, negotiates secret keys, and manages, updates, and deletes IPsec-protected communication channels?
  2. Because AH transport mode cannot alter the original IP header or create a new IP header, transport mode is generally used in which VPN architecture?
  3. Which VPN technologies are approved for use by Federal agencies?
Wireless (AC-18, AC-19)
  • Private Wireless
  • Public Wireless
  • Wireless Protocols
  • Cell Phone Security
  • Bluetooth Security

Audit & Accountability (AU)
  AU-2   Auditable Events
  AU-3   Content of Audit Records
  AU-4   Audit Storage Capacity
  AU-5   Response to Audit Processing Failures
  AU-6   Audit Review, Analysis, and Reporting
  AU-7   Audit Reduction and Report Generation
  AU-8   Time Stamps
  AU-9   Protection of Audit Information
  AU-10  Non-repudiation
  AU-11  Audit Record Retention
  AU-12  Audit Generation
  Related guidance: 800-92 (Log Management), FIPS 180-3 (SHA), FIPS 186-3 (DSS), FIPS 198-1 (HMAC)

Log Management – SP 800-92
  – Log Sources
    • Log Generation
    • Log Storage and Disposal
    • Log Security
  – Analyze Log Data
    • Gaining an Understanding of Logs
    • Prioritizing Log Entries
    • Comparing System-Level and Infrastructure-Level Analysis
  – Respond to Identified Events
  – Manage Long-Term Log Data Storage
    • Choose Log Format for Data to be Archived
    • Archive the Log Data
    • Verify Integrity of Transferred Logs
    • Store Media Securely

Integrity Standards
  • FIPS 186-3 – Digital Signature Standard
  • FIPS 180-3 – Secure Hash Standard
  • FIPS 198-1 – The Keyed-Hash Message Authentication Code (HMAC)

Identification & Authentication (IA)
  IA-2   Identification and Authentication (Organizational Users)
  IA-3   Device Identification and Authentication
  IA-4   Identifier Management
  IA-5   Authenticator Management
  IA-6   Authenticator Feedback
  IA-7   Cryptographic Module Authentication
  IA-8   Identification and Authentication (Non-Organizational Users)
  Related guidance: 800-63 (E-auth), 800-73 (PIV Interfaces), 800-76 (Biometrics), 800-78 (Crypto), FIPS 140-2, FIPS 201, HSPD 12, OMB 04-04 (E-auth), OMB 05-24 (HSPD12)

Personal Identity Verification (PIV)
  IA Policy & Standard
  – HSPD 12 (Policy)
  – FIPS 201-1 (Implementation)
    – PIV-I – Security Requirements
    – PIV-II – Technical Interoperability Requirements (Smartcards)

E-Authentication Guidelines
  – Level 1 – No Identity Proofing
  – Level 2 – Single-factor Authentication, Identity Proofing Requirements
  – Level 3 – Multi-factor Authentication
  – Level 4 – Multi-factor using Hard Token
  OMB M-04-04 – E-Authentication Guidance for Federal Agencies

System & Communications Protection (SC)
  SC-2   Application Partitioning
  SC-3   Security Function Isolation
  SC-4   Information in Shared Resources
  SC-5   Denial of Service Protection
  SC-7   Boundary Protection
  SC-8   Transmission Integrity
  SC-9   Transmission Confidentiality
  SC-10  Network Disconnect
  SC-12  Cryptographic Key Establishment and Management
  SC-13  Use of Cryptography
  SC-14  Public Access Protections
  SC-15  Collaborative Computing Devices
  Related guidance: 800-32 (PKI), 800-41 (Firewalls), 800-52 (TLS), 800-58 (VoIP), 800-63

  SC-17  Public Key Infrastructure Certificates
  SC-18  Mobile Code
  SC-19  Voice Over Internet Protocol
  SC-20  Secure Name/Address Resolution Service (Authoritative Source)
  SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
  SC-22  Architecture and Provisioning for Name/Address Resolution Service
  SC-23  Session Authenticity
  SC-24  Fail in Known State
  SC-28  Protection of Information at Rest
  SC-32  Information System Partitioning
  Related guidance: 800-77, 800-81 (DNSSEC), 800-95 (Secure Web), 800-113, FIPS 140-2, FIPS 197, OMB 05-24 (PIV), OMB 08-23 (DNS)

Firewall Technologies
  • Packet Filtering
  • Stateful Inspection
  • Application Firewalls
  • Application-Proxy Gateways
  • Dedicated Proxy Servers
  • Virtual Private Networking
  • Network Access Control
  • Unified Threat Management (UTM)
  • Web Application Firewalls
  • Firewalls for Virtual Infrastructures

Knowledge Check
  1. Name the AES-based wireless encryption mechanism used in the 802.11i wireless specification.
  2. In which security mode are Bluetooth devices considered "promiscuous" and do not employ any mechanisms to prevent other Bluetooth-enabled devices from establishing connections?
  3. Which security control requires that the information system protect against an individual falsely denying having performed a particular action?
  4. Which e-authentication level, described in Special Publication 800-63, requires multi-factor authentication and the use of a hard token?
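The Log Management outline above ends with "Verify Integrity of Transferred Logs" and names FIPS 180-3 (SHA) and FIPS 198-1 (HMAC) as the integrity standards behind it. The following is an added example, not material from the deck or from SP 800-92, showing how those two standards combine in practice: a SHA-256 digest catches corruption of the archived log, and an HMAC over the manifest (keyed with a secret held only by the archiving and verifying hosts) catches someone who rewrites the log and recomputes the digest. The key and the log lines are constructed for the demo.

```python
"""Added example: integrity check for archived log data using a FIPS 180-3 hash
(SHA-256) and a FIPS 198-1 HMAC. Key and sample log lines are constructed."""
import hashlib
import hmac
import json

# Constructed sample log lines standing in for the file being archived.
SAMPLE_LOG = "\n".join([
    "2024-01-01T00:00:01Z sshd[1201]: Accepted publickey for alice from 10.0.0.5",
    "2024-01-01T00:00:07Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart rsyslog",
    "2024-01-01T00:01:15Z sshd[1210]: Failed password for invalid user admin from 203.0.113.9",
]).encode()

# Constructed demo key. Operationally the key is held by the archiver and the
# verifier, never stored on the same media as the archive it protects.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so both sides HMAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def digest_log(data: bytes) -> str:
    """SHA-256 digest of the log bytes: detects corruption in transfer."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(name: str, data: bytes, key: bytes) -> dict:
    """Manifest written beside the archived log. The HMAC covers name, size
    and digest, so the digest cannot be silently recomputed without the key."""
    fields = {"name": name, "size": len(data), "sha256": digest_log(data)}
    fields["hmac_sha256"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


def verify_manifest(manifest: dict, data: bytes, key: bytes) -> tuple:
    """Returns (ok, reason). Checks the manifest HMAC first, then the data digest.
    compare_digest avoids leaking the comparison result through timing."""
    fields = {k: v for k, v in manifest.items() if k != "hmac_sha256"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        return False, "manifest HMAC mismatch (manifest altered or wrong key)"
    if len(data) != fields.get("size") or digest_log(data) != fields.get("sha256"):
        return False, "log digest mismatch (archived data altered or corrupted)"
    return True, "ok"


def run_demo() -> dict:
    """Three verification scenarios: intact transfer, altered log data, and an
    altered log whose manifest digest was recomputed without the key."""
    manifest = build_manifest("auth.log.2024-01-01", SAMPLE_LOG, DEMO_KEY)

    # 1. Archive arrives unchanged.
    intact_ok, _ = verify_manifest(manifest, SAMPLE_LOG, DEMO_KEY)

    # 2. The sudo line is missing from the transferred copy; digest no longer matches.
    edited = b"\n".join(line for line in SAMPLE_LOG.split(b"\n") if b"sudo" not in line)
    edited_ok, edited_reason = verify_manifest(manifest, edited, DEMO_KEY)

    # 3. Same edit, but size and sha256 in the manifest were updated to match the
    #    edited copy. Without the key the HMAC cannot be updated, so it fails first.
    forged = dict(manifest, size=len(edited), sha256=digest_log(edited))
    forged_ok, forged_reason = verify_manifest(forged, edited, DEMO_KEY)

    return {
        "intact": intact_ok,
        "edited": edited_ok,
        "edited_reason": edited_reason,
        "forged": forged_ok,
        "forged_reason": forged_reason,
    }


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(f"{scenario}: {result}")
```

The order of the two checks matters: the HMAC is verified first so that a manifest that has been rewritten is rejected before its (attacker-chosen) digest is ever trusted. Where the archiving host and the verifying host must not share a secret, the same manifest can be signed under FIPS 186-3 instead of keyed under FIPS 198-1; the digest and manifest layout stay the same.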
Cryptographic Services
  • Data integrity
  • Confidentiality
  • Identification and authentication
  • Non-repudiation

Cryptographic Security Mechanisms
  – Symmetric Key Encryption – Objective: Confidentiality via Bulk Encryption
  – The Problem with Symmetric Keys
  – Asymmetric Key Encryption – Objective: Symmetric Key Exchange/Authentication
  – Hash Functions – Objective: Data Integrity
  – Digital Signature – Objective: Non-Repudiation (Authentication + Integrity)

PKI – SP 800-32
  – Security Services
  – Non-cryptographic Security Mechanisms
  – Cryptographic Security Mechanisms
  – PKI Components
  – PKI Architectures

PKI Components
  • Certification Authority (CA)
  • Registration Authority (RA)
  • Repository
  • Archive
  • Public Key Certificate
  • Certificate Revocation Lists (CRLs)
  • PKI Users

TLS – SP 800-52
  Mapping the Security Parts of TLS to Federal Standards
  – Key Establishment: RSA, DH (Diffie-Hellman), Fortezza-KEA
  – Confidentiality/Symmetric Key Algorithms: IDEA, RC4, 3DES-EDE, AES
  – Signature & Hashes: RSA, DSA, MD5, SHA1

VoIP – SP 800-58
  – Overview of VoIP
  – Privacy and Legal Issues with VoIP
  – VoIP Security Issues
  – Quality of Service Issues
  – VoIP Architectures
  – Solutions to the VoIPsec Issues

Overview of VoIP

Public Facing Web Server

DNS Transaction Threats & Security Objectives

Technical Security Controls – Key Concepts & Vocabulary
  • AC – Access Control
  • AU – Audit & Accountability
  • IA – Identification & Authentication
  • SC – System & Communications Protection