1 / 9

Network and Information Security Report ICTSB/NISSG

Stefan Goeman. Network and Information Security Report ICTSB/NISSG. Background. Existing NIS-Report from 2003 The new EU Report

ovidio
Télécharger la présentation

Network and Information Security Report ICTSB/NISSG

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Stefan Goeman Network and Information Security ReportICTSB/NISSG

  2. Background • Existing NIS-Report from 2003 • The new EU Report • Communication form the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions: A strategy for a Secure Information Society –“Dialog, partnership and empowerment” • A lot of new developments in Network and Information Security

  3. My Expertise • Each member of the team has some specific expertise. In my case, this is: • ICT Industry, Telecom, ISP • Authentication protocols • Web Service Security • Identity Management • E-government  Belgium eID card • Digital Rights Management

  4. ICT Industry, Telecom and ISPs • Web Services Security (WS-Sec): E-buisiness environment is based on Web Services. Therefore security for web services is necessary (i.e. securing SOAP messages end-to-end) • The following specifications make up WS-Sec 1.1 OASIS standard: • WS-Security Core Specification 1.1 • Username Token Profile 1.1 • X.509 Token Profile 1.1 • SAML Token Profile 1.1 • Kerberos Token Profile 1.1 • Rights Expression Language (REL) Token Profile 1.1 • SOAP with Attachments (SWA) Profile 1.1 SOAP: SIMPLE Object Access Protocol

  5. ICT Industry, Telecom and ISPs • IETF is an important contributor to security standardization. • With respect to network security, following specifications are important, and included in the report: • IPsec protocol suite: (IETF IPsec work group is concluded) • RFC4301: Security architecture for the Internet Protocol. • RFC4302: Authentication Header security protocol. • RFC4303: Encapsulating Security Payload protocol. • RFC4306: The Internet Key Exchange (IKEv2) protocol. • … • TLS protocol suite: • RFC4346: The Transport Layer Security (TLS) Protocol Version 1.1 • RFC4366: Transport Layer Security (TLS) Extensions • RFC4492: ECC Cipher Suites for Transport Layer Security (TLS) • RFC4279: pre-Shared Key Ciphersuites for TLS • … • Protocols for securing the infrastructure: DNS security, ENUM security, security of routing protocols (BGP, OSPF)

  6. Identity (and Privacy) Management • Form an end-user’s point of view, identity and privacy management is (becoming) very important! • Two initiatives: Industry for a, not really standardization bodies. Rely on other standards • Liberty Alliance Project: Industry forum defining specifications in the area of identity management (single-sign-on, privacy management via pseudonyms, … ) and Identity based web services • Based on Web Services specifications: The web services specifications are more loosely coupled, but it is possible to realize identity management based on specifications like: • WS-Federation • Currently not included in the report SAML: Security Assertion Markup Language

  7. E-government • Belgium eID card • PKI-based solution: eID card contains 2 certificates. • E-government applications: • Request official documents via the Internet (birth certificate, …) • Fill in and sign your tax form. • Access to your own personal information (https://www.mijndossier.rrn.fgov.be) • Will replace the electronic health insurance card (SIS card) • … • Other applications (not related to e-government): • Secure chat boxes • Libraries • Hotel room reservation • … • Currently not yet included in the report

  8. Digital Rights Management • Currently not in scope of new NIS-Report • Many proprietary systems available (Apple iTunes, Windows Media DRM, …) and only few standards available: • OMA DRM v1 and v2 • In general DRM system all do more or less the same thing. The differences lie in details like content formats and rights expression languages OMA: Open Mobile Alliance

  9. Contributions to the report • Providing the context for security for Next Generation Networks • Evolution from SS7 based telco systems (closed systems) to VoIP (SIP-based) telco systems (more open systems) • Providing an update of section 9.4 on Network Encryption: • Updates on IPsec • Updates on TLS • Inclusion of Web Services Security

More Related