Security Management

Apr 22,2011 by alperen

The Certificate Authority and Registration Authority functions can be implemented on
one or more servers, which may or may not use Lightweight Directory Access Protocol
(LDAP).

There are many routine housekeeping functions implicit in PKI administration: for
example, managing multiple keys (users may have several key pairs for authentication,
signatures, and encryption), updating, backup (against forgotten passwords, a disk
crash, or virus damage), and archiving (recovering the key used by an ex-employee,
for example). Encryption keys have to be archived. Signing keys may also be archived.

PKI forms the basis for providing a virtual private network over a public access
network—the more robust the authentication and encryption, the more value the
network confers. PKI-based networks can, but need not, use standard IP protocols.
Authentication and encryption can convert standard Internet links to provide site-to-site
privacy (router to router) or secure remote access (client to server).

Tunneling protocols can be used to wrap/encapsulate one protocol in another protocol.
The encapsulated protocol is called Point-to-Point Protocol (PPP); the encapsulating
protocol is a standard Internet protocol. The standard for site-to-site tunneling is
the IP Security (IPSec) protocol defined by the IETF.

If the network is a wireless network, this could be described as a Wireless Enterprise
Service Provision (WESP) platform providing virtual enterprise resources. It could sit
side by side with a Wireless Application Service Provision (WASP) platform, which
could provide virtual applications (downloading database management software, for
example). The WASP could sit side by side with a Wireless Internet Service Provision
(WISP) platform providing standard (nonsecure) or secure Internet access.

Downloaded applications need to be verified in terms of their source and integrity,
to make sure that they are virus-free. In the PC world, when a new virus appears, it is
detected (hopefully) by one of the several virus control specialist companies that now
exist (Sophos is one example—www.sophos.com). The virus is then shared amongst
the specialist antivirus companies, each of which works on a counter-virus that is
then sent to its customers. This is an effective, pragmatic system, but it does mean
that virus signature files have to be stored on the PC, and these can rapidly grow to a
memory footprint of many megabytes.

Digital cellular handset software and PDA software have traditionally been ROM
based, but the need to reconfigure devices remotely means that it makes more sense to
have the software more accessible (which also means more vulnerable to virus infection).
However, it is not a great idea to fill up a lightweight portable wireless PDA with
megabytes of antiviral signature files, because that wastes memory space in the handset/
PDA and uses up transmission bandwidth unnecessarily. The alternative is to use
digital signatures to sign any data streams sent out to the handset.
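The signed-download idea in the paragraph above, as an added example that is not part of the original article or of any product it describes: the publisher signs the digest of an application image with an Ed25519 key, and the handset recomputes the digest over the stream it receives and verifies the signature against the publisher's pinned public key, so both source and integrity are checked without any signature-file database on the device. The package container, the 4 kB chunk size and the throw-away publisher key are assumptions; the image bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a constructed container: the application image as it is
// streamed to the handset, plus the publisher's signature over its digest.
type SignedPackage struct {
	Image     []byte
	Signature []byte
}

// ErrBadSignature covers both failure modes the text cares about: wrong
// source (signed by someone else) and lost integrity (image altered).
var ErrBadSignature = errors.New("package signature does not verify")

// digestStream hashes the image in fixed-size chunks, the way a handset
// would process a download it cannot afford to buffer whole.
func digestStream(image []byte, chunk int) []byte {
	h := sha256.New()
	for off := 0; off < len(image); off += chunk {
		end := off + chunk
		if end > len(image) {
			end = len(image)
		}
		h.Write(image[off:end])
	}
	return h.Sum(nil)
}

// SignPackage runs on the (hypothetical) publisher side before distribution.
func SignPackage(priv ed25519.PrivateKey, image []byte) SignedPackage {
	return SignedPackage{Image: image, Signature: ed25519.Sign(priv, digestStream(image, 4096))}
}

// VerifyPackage is the handset-side check against the pinned publisher key.
func VerifyPackage(pub ed25519.PublicKey, pkg SignedPackage) error {
	if !ed25519.Verify(pub, digestStream(pkg.Image, 4096), pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// DemoResult records which of three packages the handset accepted.
type DemoResult struct {
	GenuineOK  bool // untouched image, right publisher key
	TamperedOK bool // one bit flipped mid-stream
	WrongKeyOK bool // intact image, but signed by a different key
}

// DemoVerification generates a throw-away publisher key, signs a constructed
// 10 kB image and checks the genuine, tampered and wrong-source variants.
func DemoVerification() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // an unrelated signer
	if err != nil {
		return DemoResult{}, err
	}
	image := make([]byte, 10000) // constructed "application image"
	for i := range image {
		image[i] = byte(i % 251)
	}
	genuine := SignPackage(priv, image)

	tampered := SignedPackage{Image: append([]byte(nil), image...), Signature: genuine.Signature}
	tampered.Image[5000] ^= 0x01

	wrongKey := SignPackage(otherPriv, image)

	return DemoResult{
		GenuineOK:  VerifyPackage(pub, genuine) == nil,
		TamperedOK: VerifyPackage(pub, tampered) == nil,
		WrongKeyOK: VerifyPackage(pub, wrongKey) == nil,
	}, nil
}

func main() {
	r, err := DemoVerification()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

A single flipped bit in the image, or a package signed by a different key, is rejected; the only state the handset needs to keep is the publisher's public key, not a growing list of signatures of things to reject.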
The idea of PKI is to standardize all the housekeeping needed for authentication and
encryption when they are applied across multiple applications carried over multiple
private and public access networks (that is, to look after enrolment procedures,
certificate formats, digital formats, and challenge/response protocols).

Challenge/response protocols can be quite time-sensitive—particularly to delay
and delay variability. The challenge will expect a response within a given number of
milliseconds; a response received after the timeout period is invalid. This
is an important point to bear in mind when qualifying end-to-end delay and delay
variability parameters in a network supporting, for example, mobile commerce (m-commerce)
and micro- or macro-payment verification.
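The timeout rule described above, as an added example that is not code from the original article: the network side issues a single-use nonce, records when it was issued, and rejects a response that arrives after the timeout even when it is otherwise correct. For brevity the response is an HMAC over the nonce under a shared secret, which is an assumption; in a PKI deployment the handset would instead sign the nonce with the private key behind its certificate. The clock is injectable so that network delay can be simulated deterministically.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknownChallenge = errors.New("challenge unknown or already used")
	ErrExpired          = errors.New("response arrived after the timeout")
	ErrBadResponse      = errors.New("response does not match the challenge")
)

// Challenge is what the network sends to the handset: a fresh nonce plus the
// time it was issued, so the verifier can enforce the response deadline.
type Challenge struct {
	Nonce    []byte
	IssuedAt time.Time
}

// Verifier is the network-side state: one outstanding challenge per nonce.
type Verifier struct {
	secret  []byte           // constructed shared key (assumption; PKI would use the handset's certificate)
	timeout time.Duration    // maximum accepted round-trip delay
	now     func() time.Time // injectable clock so delay can be simulated
	pending map[string]Challenge
}

func NewVerifier(secret []byte, timeout time.Duration, now func() time.Time) *Verifier {
	if now == nil {
		now = time.Now
	}
	return &Verifier{secret: secret, timeout: timeout, now: now, pending: map[string]Challenge{}}
}

// Issue creates a single-use challenge and records when it was sent.
func (v *Verifier) Issue() (Challenge, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: nonce, IssuedAt: v.now()}
	v.pending[hex.EncodeToString(nonce)] = c
	return c, nil
}

// Respond is the handset side: prove knowledge of the secret by keying an
// HMAC over the nonce. The nonce travels back with the response so the
// verifier can find the matching challenge.
func Respond(secret []byte, c Challenge) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(c.Nonce)
	return mac.Sum(nil)
}

// Check validates a response. The challenge is consumed first (replay
// protection), then the deadline is enforced, and only then is the MAC
// compared in constant time.
func (v *Verifier) Check(nonce, response []byte) error {
	key := hex.EncodeToString(nonce)
	c, ok := v.pending[key]
	if !ok {
		return ErrUnknownChallenge
	}
	delete(v.pending, key)
	if v.now().Sub(c.IssuedAt) > v.timeout {
		return ErrExpired
	}
	if !hmac.Equal(response, Respond(v.secret, c)) {
		return ErrBadResponse
	}
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	v := NewVerifier(secret, 200*time.Millisecond, nil)
	c, _ := v.Issue()
	fmt.Println("on-time response:", v.Check(c.Nonce, Respond(secret, c)))
	c, _ = v.Issue()
	time.Sleep(250 * time.Millisecond) // simulate a slow air interface
	fmt.Println("late response:", v.Check(c.Nonce, Respond(secret, c)))
}
```

Because the challenge is consumed before any other check, a replayed response fails as unknown rather than as expired, and a late response is refused before its MAC is even compared; the timeout value is exactly the delay budget the text says has to be qualified end to end.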
The focus for interoperable PKI standards is the PKI working group of the IETF,
known as the PKI Group (PKI for X.509 certificates). X.509 certificates are a standardized
certificate format for describing user security profiles and access rights. PKI therefore
becomes part of the admission protocol that needs to be supported in the handset and
the network.

Areas covered by the PKI standard are shown in Figure 9.2 and are as follows:

EDI. Standards for Electronic Data Interchange.
SSL. The Secure Socket Layer protocol, used within the IETF to provide IP session
security.
PPTP. The Point-to-Point Tunneling Protocol.

SSL and Transport Layer Security (TLS) are used to provide the basis for secure electronic
transactions.
